diff --git a/_init.py b/_init.py
index 84a574b0f..216f47e15 100644
--- a/_init.py
+++ b/_init.py
@@ -7,40 +7,45 @@ from util.config.provider import get_config_provider
 
 ROOT_DIR = os.path.dirname(os.path.abspath(__file__))
 CONF_DIR = os.getenv("QUAYCONF", os.path.join(ROOT_DIR, "conf/"))
-STATIC_DIR = os.path.join(ROOT_DIR, 'static/')
-STATIC_LDN_DIR = os.path.join(STATIC_DIR, 'ldn/')
-STATIC_FONTS_DIR = os.path.join(STATIC_DIR, 'fonts/')
-STATIC_WEBFONTS_DIR = os.path.join(STATIC_DIR, 'webfonts/')
-TEMPLATE_DIR = os.path.join(ROOT_DIR, 'templates/')
+STATIC_DIR = os.path.join(ROOT_DIR, "static/")
+STATIC_LDN_DIR = os.path.join(STATIC_DIR, "ldn/")
+STATIC_FONTS_DIR = os.path.join(STATIC_DIR, "fonts/")
+STATIC_WEBFONTS_DIR = os.path.join(STATIC_DIR, "webfonts/")
+TEMPLATE_DIR = os.path.join(ROOT_DIR, "templates/")
 
-IS_TESTING = 'TEST' in os.environ
-IS_BUILDING = 'BUILDING' in os.environ
-IS_KUBERNETES = 'KUBERNETES_SERVICE_HOST' in os.environ
-OVERRIDE_CONFIG_DIRECTORY = os.path.join(CONF_DIR, 'stack/')
+IS_TESTING = "TEST" in os.environ
+IS_BUILDING = "BUILDING" in os.environ
+IS_KUBERNETES = "KUBERNETES_SERVICE_HOST" in os.environ
+OVERRIDE_CONFIG_DIRECTORY = os.path.join(CONF_DIR, "stack/")
 
 
-config_provider = get_config_provider(OVERRIDE_CONFIG_DIRECTORY, 'config.yaml', 'config.py',
-                                      testing=IS_TESTING, kubernetes=IS_KUBERNETES)
+config_provider = get_config_provider(
+    OVERRIDE_CONFIG_DIRECTORY,
+    "config.yaml",
+    "config.py",
+    testing=IS_TESTING,
+    kubernetes=IS_KUBERNETES,
+)
 
 
 def _get_version_number_changelog():
-  try:
-    with open(os.path.join(ROOT_DIR, 'CHANGELOG.md')) as f:
-      return re.search(r'(v[0-9]+\.[0-9]+\.[0-9]+)', f.readline()).group(0)
-  except IOError:
-    return ''
+    try:
+        with open(os.path.join(ROOT_DIR, "CHANGELOG.md")) as f:
+            return re.search(r"(v[0-9]+\.[0-9]+\.[0-9]+)", f.readline()).group(0)
+    except IOError:
+        return ""
 
 
 def _get_git_sha():
-  if os.path.exists("GIT_HEAD"):
-    with open(os.path.join(ROOT_DIR, "GIT_HEAD")) as f:
-      return f.read()
-  else:
-    try:
-      return subprocess.check_output(["git", "rev-parse", "HEAD"]).strip()[0:8]
-    except (OSError, subprocess.CalledProcessError, Exception):
-      pass
-  return "unknown"
+    if os.path.exists("GIT_HEAD"):
+        with open(os.path.join(ROOT_DIR, "GIT_HEAD")) as f:
+            return f.read()
+    else:
+        try:
+            return subprocess.check_output(["git", "rev-parse", "HEAD"]).strip()[0:8]
+        except (OSError, subprocess.CalledProcessError, Exception):
+            pass
+    return "unknown"
 
 
 __version__ = _get_version_number_changelog()
diff --git a/active_migration.py b/active_migration.py
index 693bcaac6..c80e239ed 100644
--- a/active_migration.py
+++ b/active_migration.py
@@ -1,22 +1,30 @@
 from enum import Enum, unique
 from data.migrationutil import DefinedDataMigration, MigrationPhase
 
+
 @unique
 class ERTMigrationFlags(Enum):
-  """ Flags for the encrypted robot token migration. """
-  READ_OLD_FIELDS = 'read-old'
-  WRITE_OLD_FIELDS = 'write-old'
+    """ Flags for the encrypted robot token migration. """
+
+    READ_OLD_FIELDS = "read-old"
+    WRITE_OLD_FIELDS = "write-old"
 
 
 ActiveDataMigration = DefinedDataMigration(
-  'encrypted_robot_tokens',
-  'ENCRYPTED_ROBOT_TOKEN_MIGRATION_PHASE',
-  [
-    MigrationPhase('add-new-fields', 'c13c8052f7a6', [ERTMigrationFlags.READ_OLD_FIELDS,
-                                                      ERTMigrationFlags.WRITE_OLD_FIELDS]),
-    MigrationPhase('backfill-then-read-only-new',
-                   '703298a825c2', [ERTMigrationFlags.WRITE_OLD_FIELDS]),
-    MigrationPhase('stop-writing-both', '703298a825c2', []),
-    MigrationPhase('remove-old-fields', 'c059b952ed76', []),
-  ]
+    "encrypted_robot_tokens",
+    "ENCRYPTED_ROBOT_TOKEN_MIGRATION_PHASE",
+    [
+        MigrationPhase(
+            "add-new-fields",
+            "c13c8052f7a6",
+            [ERTMigrationFlags.READ_OLD_FIELDS, ERTMigrationFlags.WRITE_OLD_FIELDS],
+        ),
+        MigrationPhase(
+            "backfill-then-read-only-new",
+            "703298a825c2",
+            [ERTMigrationFlags.WRITE_OLD_FIELDS],
+        ),
+        MigrationPhase("stop-writing-both", "703298a825c2", []),
+        MigrationPhase("remove-old-fields", "c059b952ed76", []),
+    ],
 )
diff --git a/app.py b/app.py
index 33245bee1..677ab9f95 100644
--- a/app.py
+++ b/app.py
@@ -16,8 +16,14 @@ from werkzeug.exceptions import HTTPException
 
 import features
 
-from _init import (config_provider, CONF_DIR, IS_KUBERNETES, IS_TESTING, OVERRIDE_CONFIG_DIRECTORY,
-                   IS_BUILDING)
+from _init import (
+    config_provider,
+    CONF_DIR,
+    IS_KUBERNETES,
+    IS_TESTING,
+    OVERRIDE_CONFIG_DIRECTORY,
+    IS_BUILDING,
+)
 
 from auth.auth_context import get_authenticated_user
 from avatars.avatars import Avatar
@@ -35,7 +41,11 @@ from data.userevent import UserEventsBuilderModule
 from data.userfiles import Userfiles
 from data.users import UserAuthentication
 from data.registry_model import registry_model
-from path_converters import RegexConverter, RepositoryPathConverter, APIRepositoryPathConverter
+from path_converters import (
+    RegexConverter,
+    RepositoryPathConverter,
+    APIRepositoryPathConverter,
+)
 from oauth.services.github import GithubOAuthService
 from oauth.services.gitlab import GitLabOAuthService
 from oauth.loginmanager import OAuthLoginManager
@@ -62,13 +72,13 @@ from util.security.instancekeys import InstanceKeys
 from util.security.signing import Signer
 
 
-OVERRIDE_CONFIG_YAML_FILENAME = os.path.join(CONF_DIR, 'stack/config.yaml')
-OVERRIDE_CONFIG_PY_FILENAME = os.path.join(CONF_DIR, 'stack/config.py')
+OVERRIDE_CONFIG_YAML_FILENAME = os.path.join(CONF_DIR, "stack/config.yaml")
+OVERRIDE_CONFIG_PY_FILENAME = os.path.join(CONF_DIR, "stack/config.py")
 
-OVERRIDE_CONFIG_KEY = 'QUAY_OVERRIDE_CONFIG'
+OVERRIDE_CONFIG_KEY = "QUAY_OVERRIDE_CONFIG"
 
-DOCKER_V2_SIGNINGKEY_FILENAME = 'docker_v2.pem'
-INIT_SCRIPTS_LOCATION = '/conf/init/'
+DOCKER_V2_SIGNINGKEY_FILENAME = "docker_v2.pem"
+INIT_SCRIPTS_LOCATION = "/conf/init/"
 
 app = Flask(__name__)
 logger = logging.getLogger(__name__)
@@ -79,62 +89,75 @@ is_kubernetes = IS_KUBERNETES
 is_building = IS_BUILDING
 
 if is_testing:
-  from test.testconfig import TestConfig
-  logger.debug('Loading test config.')
-  app.config.from_object(TestConfig())
+    from test.testconfig import TestConfig
+
+    logger.debug("Loading test config.")
+    app.config.from_object(TestConfig())
 else:
-  from config import DefaultConfig
-  logger.debug('Loading default config.')
-  app.config.from_object(DefaultConfig())
-  app.teardown_request(database.close_db_filter)
+    from config import DefaultConfig
+
+    logger.debug("Loading default config.")
+    app.config.from_object(DefaultConfig())
+    app.teardown_request(database.close_db_filter)
 
 # Load the override config via the provider.
 config_provider.update_app_config(app.config)
 
 # Update any configuration found in the override environment variable.
-environ_config = json.loads(os.environ.get(OVERRIDE_CONFIG_KEY, '{}'))
+environ_config = json.loads(os.environ.get(OVERRIDE_CONFIG_KEY, "{}"))
 app.config.update(environ_config)
 
 # Fix remote address handling for Flask.
-if app.config.get('PROXY_COUNT', 1):
-  app.wsgi_app = ProxyFix(app.wsgi_app, num_proxies=app.config.get('PROXY_COUNT', 1))
+if app.config.get("PROXY_COUNT", 1):
+    app.wsgi_app = ProxyFix(app.wsgi_app, num_proxies=app.config.get("PROXY_COUNT", 1))
 
 # Ensure the V3 upgrade key is specified correctly. If not, simply fail.
 # TODO: Remove for V3.1.
-if not is_testing and not is_building and app.config.get('SETUP_COMPLETE', False):
-  v3_upgrade_mode = app.config.get('V3_UPGRADE_MODE')
-  if v3_upgrade_mode is None:
-    raise Exception('Configuration flag `V3_UPGRADE_MODE` must be set. Please check the upgrade docs')
+if not is_testing and not is_building and app.config.get("SETUP_COMPLETE", False):
+    v3_upgrade_mode = app.config.get("V3_UPGRADE_MODE")
+    if v3_upgrade_mode is None:
+        raise Exception(
+            "Configuration flag `V3_UPGRADE_MODE` must be set. Please check the upgrade docs"
+        )
 
-  if (v3_upgrade_mode != 'background'
-      and v3_upgrade_mode != 'complete'
-      and v3_upgrade_mode != 'production-transition'
-      and v3_upgrade_mode != 'post-oci-rollout'
-      and v3_upgrade_mode != 'post-oci-roll-back-compat'):
-    raise Exception('Invalid value for config `V3_UPGRADE_MODE`. Please check the upgrade docs')
+    if (
+        v3_upgrade_mode != "background"
+        and v3_upgrade_mode != "complete"
+        and v3_upgrade_mode != "production-transition"
+        and v3_upgrade_mode != "post-oci-rollout"
+        and v3_upgrade_mode != "post-oci-roll-back-compat"
+    ):
+        raise Exception(
+            "Invalid value for config `V3_UPGRADE_MODE`. Please check the upgrade docs"
+        )
 
 # Split the registry model based on config.
 # TODO: Remove once we are fully on the OCI data model.
-registry_model.setup_split(app.config.get('OCI_NAMESPACE_PROPORTION') or 0,
-                           app.config.get('OCI_NAMESPACE_WHITELIST') or set(),
-                           app.config.get('V22_NAMESPACE_WHITELIST') or set(),
-                           app.config.get('V3_UPGRADE_MODE'))
+registry_model.setup_split(
+    app.config.get("OCI_NAMESPACE_PROPORTION") or 0,
+    app.config.get("OCI_NAMESPACE_WHITELIST") or set(),
+    app.config.get("V22_NAMESPACE_WHITELIST") or set(),
+    app.config.get("V3_UPGRADE_MODE"),
+)
 
 # Allow user to define a custom storage preference for the local instance.
-_distributed_storage_preference = os.environ.get('QUAY_DISTRIBUTED_STORAGE_PREFERENCE', '').split()
+_distributed_storage_preference = os.environ.get(
+    "QUAY_DISTRIBUTED_STORAGE_PREFERENCE", ""
+).split()
 if _distributed_storage_preference:
-  app.config['DISTRIBUTED_STORAGE_PREFERENCE'] = _distributed_storage_preference
+    app.config["DISTRIBUTED_STORAGE_PREFERENCE"] = _distributed_storage_preference
 
 # Generate a secret key if none was specified.
-if app.config['SECRET_KEY'] is None:
-  logger.debug('Generating in-memory secret key')
-  app.config['SECRET_KEY'] = generate_secret_key()
+if app.config["SECRET_KEY"] is None:
+    logger.debug("Generating in-memory secret key")
+    app.config["SECRET_KEY"] = generate_secret_key()
 
 # If the "preferred" scheme is https, then http is not allowed. Therefore, ensure we have a secure
 # session cookie.
-if (app.config['PREFERRED_URL_SCHEME'] == 'https' and
-    not app.config.get('FORCE_NONSECURE_SESSION_COOKIE', False)):
-  app.config['SESSION_COOKIE_SECURE'] = True
+if app.config["PREFERRED_URL_SCHEME"] == "https" and not app.config.get(
+    "FORCE_NONSECURE_SESSION_COOKIE", False
+):
+    app.config["SESSION_COOKIE_SECURE"] = True
 
 # Load features from config.
 features.import_features(app.config)
@@ -145,65 +168,77 @@ logger.debug("Loaded config", extra={"config": app.config})
 
 
 class RequestWithId(Request):
-  request_gen = staticmethod(urn_generator(['request']))
+    request_gen = staticmethod(urn_generator(["request"]))
 
-  def __init__(self, *args, **kwargs):
-    super(RequestWithId, self).__init__(*args, **kwargs)
-    self.request_id = self.request_gen()
+    def __init__(self, *args, **kwargs):
+        super(RequestWithId, self).__init__(*args, **kwargs)
+        self.request_id = self.request_gen()
 
 
 @app.before_request
 def _request_start():
-  if os.getenv('PYDEV_DEBUG', None):
-    import pydevd
-    host, port = os.getenv('PYDEV_DEBUG').split(':')
-    pydevd.settrace(host, port=int(port), stdoutToServer=True, stderrToServer=True, suspend=False)
+    if os.getenv("PYDEV_DEBUG", None):
+        import pydevd
 
-  logger.debug('Starting request: %s (%s)', request.request_id, request.path,
-               extra={"request_id": request.request_id})
+        host, port = os.getenv("PYDEV_DEBUG").split(":")
+        pydevd.settrace(
+            host,
+            port=int(port),
+            stdoutToServer=True,
+            stderrToServer=True,
+            suspend=False,
+        )
+
+    logger.debug(
+        "Starting request: %s (%s)",
+        request.request_id,
+        request.path,
+        extra={"request_id": request.request_id},
+    )
 
 
-DEFAULT_FILTER = lambda x: '[FILTERED]'
+DEFAULT_FILTER = lambda x: "[FILTERED]"
 FILTERED_VALUES = [
-  {'key': ['password'], 'fn': DEFAULT_FILTER},
-  {'key': ['user', 'password'], 'fn': DEFAULT_FILTER},
-  {'key': ['blob'], 'fn': lambda x: x[0:8]}
+    {"key": ["password"], "fn": DEFAULT_FILTER},
+    {"key": ["user", "password"], "fn": DEFAULT_FILTER},
+    {"key": ["blob"], "fn": lambda x: x[0:8]},
 ]
 
 
 @app.after_request
 def _request_end(resp):
-  try:
-    jsonbody = request.get_json(force=True, silent=True)
-  except HTTPException:
-    jsonbody = None
+    try:
+        jsonbody = request.get_json(force=True, silent=True)
+    except HTTPException:
+        jsonbody = None
 
-  values = request.values.to_dict()
+    values = request.values.to_dict()
 
-  if jsonbody and not isinstance(jsonbody, dict):
-    jsonbody = {'_parsererror': jsonbody}
+    if jsonbody and not isinstance(jsonbody, dict):
+        jsonbody = {"_parsererror": jsonbody}
 
-  if isinstance(values, dict):
-    filter_logs(values, FILTERED_VALUES)
+    if isinstance(values, dict):
+        filter_logs(values, FILTERED_VALUES)
 
-  extra = {
-    "endpoint": request.endpoint,
-    "request_id" : request.request_id,
-    "remote_addr": request.remote_addr,
-    "http_method": request.method,
-    "original_url": request.url,
-    "path": request.path,
-    "parameters":  values,
-    "json_body": jsonbody,
-    "confsha": CONFIG_DIGEST,
-  }
+    extra = {
+        "endpoint": request.endpoint,
+        "request_id": request.request_id,
+        "remote_addr": request.remote_addr,
+        "http_method": request.method,
+        "original_url": request.url,
+        "path": request.path,
+        "parameters": values,
+        "json_body": jsonbody,
+        "confsha": CONFIG_DIGEST,
+    }
 
-  if request.user_agent is not None:
-    extra["user-agent"] = request.user_agent.string
-
-  logger.debug('Ending request: %s (%s)', request.request_id, request.path, extra=extra)
-  return resp
+    if request.user_agent is not None:
+        extra["user-agent"] = request.user_agent.string
 
+    logger.debug(
+        "Ending request: %s (%s)", request.request_id, request.path, extra=extra
+    )
+    return resp
 
 
 root_logger = logging.getLogger()
@@ -211,13 +246,13 @@ root_logger = logging.getLogger()
 app.request_class = RequestWithId
 
 # Register custom converters.
-app.url_map.converters['regex'] = RegexConverter
-app.url_map.converters['repopath'] = RepositoryPathConverter
-app.url_map.converters['apirepopath'] = APIRepositoryPathConverter
+app.url_map.converters["regex"] = RegexConverter
+app.url_map.converters["repopath"] = RepositoryPathConverter
+app.url_map.converters["apirepopath"] = APIRepositoryPathConverter
 
 Principal(app, use_sessions=False)
 
-tf = app.config['DB_TRANSACTION_FACTORY']
+tf = app.config["DB_TRANSACTION_FACTORY"]
 
 model_cache = get_model_cache(app.config)
 avatar = Avatar(app)
@@ -225,10 +260,14 @@ login_manager = LoginManager(app)
 mail = Mail(app)
 prometheus = PrometheusPlugin(app)
 metric_queue = MetricQueue(prometheus)
-chunk_cleanup_queue = WorkQueue(app.config['CHUNK_CLEANUP_QUEUE_NAME'], tf, metric_queue=metric_queue)
+chunk_cleanup_queue = WorkQueue(
+    app.config["CHUNK_CLEANUP_QUEUE_NAME"], tf, metric_queue=metric_queue
+)
 instance_keys = InstanceKeys(app)
 ip_resolver = IPResolver(app)
-storage = Storage(app, metric_queue, chunk_cleanup_queue, instance_keys, config_provider, ip_resolver)
+storage = Storage(
+    app, metric_queue, chunk_cleanup_queue, instance_keys, config_provider, ip_resolver
+)
 userfiles = Userfiles(app, storage)
 log_archive = LogArchive(app, storage)
 analytics = Analytics(app)
@@ -246,55 +285,99 @@ build_canceller = BuildCanceller(app)
 
 start_cloudwatch_sender(metric_queue, app)
 
-github_trigger = GithubOAuthService(app.config, 'GITHUB_TRIGGER_CONFIG')
-gitlab_trigger = GitLabOAuthService(app.config, 'GITLAB_TRIGGER_CONFIG')
+github_trigger = GithubOAuthService(app.config, "GITHUB_TRIGGER_CONFIG")
+gitlab_trigger = GitLabOAuthService(app.config, "GITLAB_TRIGGER_CONFIG")
 
 oauth_login = OAuthLoginManager(app.config)
 oauth_apps = [github_trigger, gitlab_trigger]
 
-image_replication_queue = WorkQueue(app.config['REPLICATION_QUEUE_NAME'], tf,
-                                    has_namespace=False, metric_queue=metric_queue)
-dockerfile_build_queue = WorkQueue(app.config['DOCKERFILE_BUILD_QUEUE_NAME'], tf,
-                                   metric_queue=metric_queue,
-                                   reporter=BuildMetricQueueReporter(metric_queue),
-                                   has_namespace=True)
-notification_queue = WorkQueue(app.config['NOTIFICATION_QUEUE_NAME'], tf, has_namespace=True,
-                               metric_queue=metric_queue)
-secscan_notification_queue = WorkQueue(app.config['SECSCAN_NOTIFICATION_QUEUE_NAME'], tf,
-                                       has_namespace=False,
-                                       metric_queue=metric_queue)
-export_action_logs_queue = WorkQueue(app.config['EXPORT_ACTION_LOGS_QUEUE_NAME'], tf,
-                                     has_namespace=True,
-                                     metric_queue=metric_queue)
+image_replication_queue = WorkQueue(
+    app.config["REPLICATION_QUEUE_NAME"],
+    tf,
+    has_namespace=False,
+    metric_queue=metric_queue,
+)
+dockerfile_build_queue = WorkQueue(
+    app.config["DOCKERFILE_BUILD_QUEUE_NAME"],
+    tf,
+    metric_queue=metric_queue,
+    reporter=BuildMetricQueueReporter(metric_queue),
+    has_namespace=True,
+)
+notification_queue = WorkQueue(
+    app.config["NOTIFICATION_QUEUE_NAME"],
+    tf,
+    has_namespace=True,
+    metric_queue=metric_queue,
+)
+secscan_notification_queue = WorkQueue(
+    app.config["SECSCAN_NOTIFICATION_QUEUE_NAME"],
+    tf,
+    has_namespace=False,
+    metric_queue=metric_queue,
+)
+export_action_logs_queue = WorkQueue(
+    app.config["EXPORT_ACTION_LOGS_QUEUE_NAME"],
+    tf,
+    has_namespace=True,
+    metric_queue=metric_queue,
+)
 
 # Note: We set `has_namespace` to `False` here, as we explicitly want this queue to not be emptied
 # when a namespace is marked for deletion.
-namespace_gc_queue = WorkQueue(app.config['NAMESPACE_GC_QUEUE_NAME'], tf, has_namespace=False,
-                               metric_queue=metric_queue)
+namespace_gc_queue = WorkQueue(
+    app.config["NAMESPACE_GC_QUEUE_NAME"],
+    tf,
+    has_namespace=False,
+    metric_queue=metric_queue,
+)
 
-all_queues = [image_replication_queue, dockerfile_build_queue, notification_queue,
-              secscan_notification_queue, chunk_cleanup_queue, namespace_gc_queue]
+all_queues = [
+    image_replication_queue,
+    dockerfile_build_queue,
+    notification_queue,
+    secscan_notification_queue,
+    chunk_cleanup_queue,
+    namespace_gc_queue,
+]
 
-url_scheme_and_hostname = URLSchemeAndHostname(app.config['PREFERRED_URL_SCHEME'], app.config['SERVER_HOSTNAME'])
-secscan_api = SecurityScannerAPI(app.config, storage, app.config['SERVER_HOSTNAME'], app.config['HTTPCLIENT'],
-                                 uri_creator=get_blob_download_uri_getter(app.test_request_context('/'), url_scheme_and_hostname),
-                                 instance_keys=instance_keys)
+url_scheme_and_hostname = URLSchemeAndHostname(
+    app.config["PREFERRED_URL_SCHEME"], app.config["SERVER_HOSTNAME"]
+)
+secscan_api = SecurityScannerAPI(
+    app.config,
+    storage,
+    app.config["SERVER_HOSTNAME"],
+    app.config["HTTPCLIENT"],
+    uri_creator=get_blob_download_uri_getter(
+        app.test_request_context("/"), url_scheme_and_hostname
+    ),
+    instance_keys=instance_keys,
+)
 
-repo_mirror_api = RepoMirrorAPI(app.config, app.config['SERVER_HOSTNAME'], app.config['HTTPCLIENT'],
-                                instance_keys=instance_keys)
+repo_mirror_api = RepoMirrorAPI(
+    app.config,
+    app.config["SERVER_HOSTNAME"],
+    app.config["HTTPCLIENT"],
+    instance_keys=instance_keys,
+)
 
 tuf_metadata_api = TUFMetadataAPI(app, app.config)
 
 # Check for a key in config. If none found, generate a new signing key for Docker V2 manifests.
 _v2_key_path = os.path.join(OVERRIDE_CONFIG_DIRECTORY, DOCKER_V2_SIGNINGKEY_FILENAME)
 if os.path.exists(_v2_key_path):
-  docker_v2_signing_key = RSAKey().load(_v2_key_path)
+    docker_v2_signing_key = RSAKey().load(_v2_key_path)
 else:
-  docker_v2_signing_key = RSAKey(key=RSA.generate(2048))
+    docker_v2_signing_key = RSAKey(key=RSA.generate(2048))
 
 # Configure the database.
-if app.config.get('DATABASE_SECRET_KEY') is None and app.config.get('SETUP_COMPLETE', False):
-  raise Exception('Missing DATABASE_SECRET_KEY in config; did you perhaps forget to add it?')
+if app.config.get("DATABASE_SECRET_KEY") is None and app.config.get(
+    "SETUP_COMPLETE", False
+):
+    raise Exception(
+        "Missing DATABASE_SECRET_KEY in config; did you perhaps forget to add it?"
+    )
 
 database.configure(app.config)
 
@@ -306,8 +389,9 @@ model.config.register_repo_cleanup_callback(tuf_metadata_api.delete_metadata)
 
 @login_manager.user_loader
 def load_user(user_uuid):
-  logger.debug('User loader loading deferred user with uuid: %s', user_uuid)
-  return LoginWrappedDBUser(user_uuid)
+    logger.debug("User loader loading deferred user with uuid: %s", user_uuid)
+    return LoginWrappedDBUser(user_uuid)
+
 
 logs_model.configure(app.config)
 
diff --git a/application.py b/application.py
index b7f478841..1a0c799fa 100644
--- a/application.py
+++ b/application.py
@@ -1,5 +1,6 @@
 # NOTE: Must be before we import or call anything that may be synchronous.
 from gevent import monkey
+
 monkey.patch_all()
 
 import os
@@ -17,6 +18,6 @@ import registry
 import secscan
 
 
-if __name__ == '__main__':
-  logging.config.fileConfig(logfile_path(debug=True), disable_existing_loggers=False)
-  application.run(port=5000, debug=True, threaded=True, host='0.0.0.0')
+if __name__ == "__main__":
+    logging.config.fileConfig(logfile_path(debug=True), disable_existing_loggers=False)
+    application.run(port=5000, debug=True, threaded=True, host="0.0.0.0")
diff --git a/auth/auth_context.py b/auth/auth_context.py
index 8cb57f691..375d3d62a 100644
--- a/auth/auth_context.py
+++ b/auth/auth_context.py
@@ -1,21 +1,25 @@
 from flask import _request_ctx_stack
 
+
 def get_authenticated_context():
-  """ Returns the auth context for the current request context, if any. """
-  return getattr(_request_ctx_stack.top, 'authenticated_context', None)
+    """ Returns the auth context for the current request context, if any. """
+    return getattr(_request_ctx_stack.top, "authenticated_context", None)
+
 
 def get_authenticated_user():
-  """ Returns the authenticated user, if any, or None if none. """
-  context = get_authenticated_context()
-  return context.authed_user if context else None
+    """ Returns the authenticated user, if any, or None if none. """
+    context = get_authenticated_context()
+    return context.authed_user if context else None
+
 
 def get_validated_oauth_token():
-  """ Returns the authenticated and validated OAuth access token, if any, or None if none. """
-  context = get_authenticated_context()
-  return context.authed_oauth_token if context else None
+    """ Returns the authenticated and validated OAuth access token, if any, or None if none. """
+    context = get_authenticated_context()
+    return context.authed_oauth_token if context else None
+
 
 def set_authenticated_context(auth_context):
-  """ Sets the auth context for the current request context to that given. """
-  ctx = _request_ctx_stack.top
-  ctx.authenticated_context = auth_context
-  return auth_context
+    """ Sets the auth context for the current request context to that given. """
+    ctx = _request_ctx_stack.top
+    ctx.authenticated_context = auth_context
+    return auth_context
diff --git a/auth/auth_context_type.py b/auth/auth_context_type.py
index 012222243..c35083f8d 100644
--- a/auth/auth_context_type.py
+++ b/auth/auth_context_type.py
@@ -16,422 +16,446 @@ from auth.scopes import scopes_from_scope_string
 
 logger = logging.getLogger(__name__)
 
+
 @add_metaclass(ABCMeta)
 class AuthContext(object):
-  """
+    """
   Interface that represents the current context of authentication.
   """
 
-  @property
-  @abstractmethod
-  def entity_kind(self):
-    """ Returns the kind of the entity in this auth context. """
-    pass
+    @property
+    @abstractmethod
+    def entity_kind(self):
+        """ Returns the kind of the entity in this auth context. """
+        pass
 
-  @property
-  @abstractmethod
-  def is_anonymous(self):
-    """ Returns true if this is an anonymous context. """
-    pass
+    @property
+    @abstractmethod
+    def is_anonymous(self):
+        """ Returns true if this is an anonymous context. """
+        pass
 
-  @property
-  @abstractmethod
-  def authed_oauth_token(self):
-    """ Returns the authenticated OAuth token, if any. """
-    pass
+    @property
+    @abstractmethod
+    def authed_oauth_token(self):
+        """ Returns the authenticated OAuth token, if any. """
+        pass
 
-  @property
-  @abstractmethod
-  def authed_user(self):
-    """ Returns the authenticated user, whether directly, or via an OAuth or access token. Note that
+    @property
+    @abstractmethod
+    def authed_user(self):
+        """ Returns the authenticated user, whether directly, or via an OAuth or access token. Note that
         this property will also return robot accounts.
     """
-    pass
+        pass
 
-  @property
-  @abstractmethod
-  def has_nonrobot_user(self):
-    """ Returns whether a user (not a robot) was authenticated successfully. """
-    pass
+    @property
+    @abstractmethod
+    def has_nonrobot_user(self):
+        """ Returns whether a user (not a robot) was authenticated successfully. """
+        pass
 
-  @property
-  @abstractmethod
-  def identity(self):
-    """ Returns the identity for the auth context. """
-    pass
+    @property
+    @abstractmethod
+    def identity(self):
+        """ Returns the identity for the auth context. """
+        pass
 
-  @property
-  @abstractmethod
-  def description(self):
-    """ Returns a human-readable and *public* description of the current auth context. """
-    pass
+    @property
+    @abstractmethod
+    def description(self):
+        """ Returns a human-readable and *public* description of the current auth context. """
+        pass
 
-  @property
-  @abstractmethod
-  def credential_username(self):
-    """ Returns the username to create credentials for this context's entity, if any. """
-    pass
+    @property
+    @abstractmethod
+    def credential_username(self):
+        """ Returns the username to create credentials for this context's entity, if any. """
+        pass
 
-  @abstractmethod
-  def analytics_id_and_public_metadata(self):
-    """ Returns the analytics ID and public log metadata for this auth context. """
-    pass
+    @abstractmethod
+    def analytics_id_and_public_metadata(self):
+        """ Returns the analytics ID and public log metadata for this auth context. """
+        pass
 
-  @abstractmethod
-  def apply_to_request_context(self):
-    """ Applies this auth result to the auth context and Flask-Principal. """
-    pass
+    @abstractmethod
+    def apply_to_request_context(self):
+        """ Applies this auth result to the auth context and Flask-Principal. """
+        pass
 
-  @abstractmethod
-  def to_signed_dict(self):
-    """ Serializes the auth context into a dictionary suitable for inclusion in a JWT or other
+    @abstractmethod
+    def to_signed_dict(self):
+        """ Serializes the auth context into a dictionary suitable for inclusion in a JWT or other
         form of signed serialization.
     """
-    pass
+        pass
 
-  @property
-  @abstractmethod
-  def unique_key(self):
-    """ Returns a key that is unique to this auth context type and its data. For example, an
+    @property
+    @abstractmethod
+    def unique_key(self):
+        """ Returns a key that is unique to this auth context type and its data. For example, an
         instance of the auth context type for the user might be a string of the form
         `user-{user-uuid}`. Callers should treat this key as opaque and not rely on the contents
         for anything besides uniqueness. This is typically used by callers when they'd like to
         check cache but not hit the database to get a fully validated auth context.
     """
-    pass
+        pass
 
 
 class ValidatedAuthContext(AuthContext):
-  """ ValidatedAuthContext represents the loaded, authenticated and validated auth information
+    """ ValidatedAuthContext represents the loaded, authenticated and validated auth information
       for the current request context.
   """
-  def __init__(self, user=None, token=None, oauthtoken=None, robot=None, appspecifictoken=None,
-               signed_data=None):
-    # Note: These field names *MUST* match the string values of the kinds defined in
-    # ContextEntityKind.
-    self.user = user
-    self.robot = robot
-    self.token = token
-    self.oauthtoken = oauthtoken
-    self.appspecifictoken = appspecifictoken
-    self.signed_data = signed_data
 
-  def tuple(self):
-    return vars(self).values()
+    def __init__(
+        self,
+        user=None,
+        token=None,
+        oauthtoken=None,
+        robot=None,
+        appspecifictoken=None,
+        signed_data=None,
+    ):
+        # Note: These field names *MUST* match the string values of the kinds defined in
+        # ContextEntityKind.
+        self.user = user
+        self.robot = robot
+        self.token = token
+        self.oauthtoken = oauthtoken
+        self.appspecifictoken = appspecifictoken
+        self.signed_data = signed_data
 
-  def __eq__(self, other):
-    return self.tuple() == other.tuple()
+    def tuple(self):
+        return vars(self).values()
 
-  @property
-  def entity_kind(self):
-    """ Returns the kind of the entity in this auth context. """
-    for kind in ContextEntityKind:
-      if hasattr(self, kind.value) and getattr(self, kind.value):
-        return kind
+    def __eq__(self, other):
+        return self.tuple() == other.tuple()
 
-    return ContextEntityKind.anonymous
+    @property
+    def entity_kind(self):
+        """ Returns the kind of the entity in this auth context. """
+        for kind in ContextEntityKind:
+            if hasattr(self, kind.value) and getattr(self, kind.value):
+                return kind
 
-  @property
-  def authed_user(self):
-    """ Returns the authenticated user, whether directly, or via an OAuth token. Note that this
+        return ContextEntityKind.anonymous
+
+    @property
+    def authed_user(self):
+        """ Returns the authenticated user, whether directly, or via an OAuth token. Note that this
         will also return robot accounts.
     """
-    authed_user = self._authed_user()
-    if authed_user is not None and not authed_user.enabled:
-      logger.warning('Attempt to reference a disabled user/robot: %s', authed_user.username)
-      return None
+        authed_user = self._authed_user()
+        if authed_user is not None and not authed_user.enabled:
+            logger.warning(
+                "Attempt to reference a disabled user/robot: %s", authed_user.username
+            )
+            return None
 
-    return authed_user
+        return authed_user
 
-  @property
-  def authed_oauth_token(self):
-    return self.oauthtoken
+    @property
+    def authed_oauth_token(self):
+        return self.oauthtoken
 
-  def _authed_user(self):
-    if self.oauthtoken:
-      return self.oauthtoken.authorized_user
+    def _authed_user(self):
+        if self.oauthtoken:
+            return self.oauthtoken.authorized_user
 
-    if self.appspecifictoken:
-      return self.appspecifictoken.user
+        if self.appspecifictoken:
+            return self.appspecifictoken.user
 
-    if self.signed_data:
-      return model.user.get_user(self.signed_data['user_context'])
+        if self.signed_data:
+            return model.user.get_user(self.signed_data["user_context"])
 
-    return self.user if self.user else self.robot
+        return self.user if self.user else self.robot
 
-  @property
-  def is_anonymous(self):
-    """ Returns true if this is an anonymous context. """
-    return not self.authed_user and not self.token and not self.signed_data
+    @property
+    def is_anonymous(self):
+        """ Returns true if this is an anonymous context. """
+        return not self.authed_user and not self.token and not self.signed_data
 
-  @property
-  def has_nonrobot_user(self):
-    """ Returns whether a user (not a robot) was authenticated successfully. """
-    return bool(self.authed_user and not self.robot)
+    @property
+    def has_nonrobot_user(self):
+        """ Returns whether a user (not a robot) was authenticated successfully. """
+        return bool(self.authed_user and not self.robot)
 
-  @property
-  def identity(self):
-    """ Returns the identity for the auth context. """
-    if self.oauthtoken:
-      scope_set = scopes_from_scope_string(self.oauthtoken.scope)
-      return QuayDeferredPermissionUser.for_user(self.oauthtoken.authorized_user, scope_set)
+    @property
+    def identity(self):
+        """ Returns the identity for the auth context. """
+        if self.oauthtoken:
+            scope_set = scopes_from_scope_string(self.oauthtoken.scope)
+            return QuayDeferredPermissionUser.for_user(
+                self.oauthtoken.authorized_user, scope_set
+            )
 
-    if self.authed_user:
-      return QuayDeferredPermissionUser.for_user(self.authed_user)
+        if self.authed_user:
+            return QuayDeferredPermissionUser.for_user(self.authed_user)
 
-    if self.token:
-      return Identity(self.token.get_code(), 'token')
+        if self.token:
+            return Identity(self.token.get_code(), "token")
 
-    if self.signed_data:
-      identity = Identity(None, 'signed_grant')
-      identity.provides.update(self.signed_data['grants'])
-      return identity
+        if self.signed_data:
+            identity = Identity(None, "signed_grant")
+            identity.provides.update(self.signed_data["grants"])
+            return identity
 
-    return None
+        return None
 
-  @property
-  def entity_reference(self):
-    """ Returns the DB object reference for this context's entity. """
-    if self.entity_kind == ContextEntityKind.anonymous:
-      return None
+    @property
+    def entity_reference(self):
+        """ Returns the DB object reference for this context's entity. """
+        if self.entity_kind == ContextEntityKind.anonymous:
+            return None
 
-    return getattr(self, self.entity_kind.value)
+        return getattr(self, self.entity_kind.value)
 
-  @property
-  def description(self):
-    """ Returns a human-readable and *public* description of the current auth context. """
-    handler = CONTEXT_ENTITY_HANDLERS[self.entity_kind]()
-    return handler.description(self.entity_reference)
+    @property
+    def description(self):
+        """ Returns a human-readable and *public* description of the current auth context. """
+        handler = CONTEXT_ENTITY_HANDLERS[self.entity_kind]()
+        return handler.description(self.entity_reference)
 
-  @property
-  def credential_username(self):
-    """ Returns the username to create credentials for this context's entity, if any. """
-    handler = CONTEXT_ENTITY_HANDLERS[self.entity_kind]()
-    return handler.credential_username(self.entity_reference)
+    @property
+    def credential_username(self):
+        """ Returns the username to create credentials for this context's entity, if any. """
+        handler = CONTEXT_ENTITY_HANDLERS[self.entity_kind]()
+        return handler.credential_username(self.entity_reference)
 
-  def analytics_id_and_public_metadata(self):
-    """ Returns the analytics ID and public log metadata for this auth context. """
-    handler = CONTEXT_ENTITY_HANDLERS[self.entity_kind]()
-    return handler.analytics_id_and_public_metadata(self.entity_reference)
+    def analytics_id_and_public_metadata(self):
+        """ Returns the analytics ID and public log metadata for this auth context. """
+        handler = CONTEXT_ENTITY_HANDLERS[self.entity_kind]()
+        return handler.analytics_id_and_public_metadata(self.entity_reference)
 
-  def apply_to_request_context(self):
-    """ Applies this auth result to the auth context and Flask-Principal. """
-    # Save to the request context.
-    set_authenticated_context(self)
+    def apply_to_request_context(self):
+        """ Applies this auth result to the auth context and Flask-Principal. """
+        # Save to the request context.
+        set_authenticated_context(self)
 
-    # Set the identity for Flask-Principal.
-    if self.identity:
-      identity_changed.send(app, identity=self.identity)
+        # Set the identity for Flask-Principal.
+        if self.identity:
+            identity_changed.send(app, identity=self.identity)
 
-  @property
-  def unique_key(self):
-    signed_dict = self.to_signed_dict()
-    return '%s-%s' % (signed_dict['entity_kind'], signed_dict.get('entity_reference', '(anon)'))
+    @property
+    def unique_key(self):
+        signed_dict = self.to_signed_dict()
+        return "%s-%s" % (
+            signed_dict["entity_kind"],
+            signed_dict.get("entity_reference", "(anon)"),
+        )
 
-  def to_signed_dict(self):
-    """ Serializes the auth context into a dictionary suitable for inclusion in a JWT or other
+    def to_signed_dict(self):
+        """ Serializes the auth context into a dictionary suitable for inclusion in a JWT or other
         form of signed serialization.
     """
-    dict_data = {
-      'version': 2,
-      'entity_kind': self.entity_kind.value,
-    }
+        dict_data = {"version": 2, "entity_kind": self.entity_kind.value}
 
-    if self.entity_kind != ContextEntityKind.anonymous:
-      handler = CONTEXT_ENTITY_HANDLERS[self.entity_kind]()
-      dict_data.update({
-        'entity_reference': handler.get_serialized_entity_reference(self.entity_reference),
-      })
+        if self.entity_kind != ContextEntityKind.anonymous:
+            handler = CONTEXT_ENTITY_HANDLERS[self.entity_kind]()
+            dict_data.update(
+                {
+                    "entity_reference": handler.get_serialized_entity_reference(
+                        self.entity_reference
+                    )
+                }
+            )
 
-    # Add legacy information.
-    # TODO: Remove this all once the new code is fully deployed.
-    if self.token:
-      dict_data.update({
-        'kind': 'token',
-        'token': self.token.code,
-      })
+        # Add legacy information.
+        # TODO: Remove this all once the new code is fully deployed.
+        if self.token:
+            dict_data.update({"kind": "token", "token": self.token.code})
 
-    if self.oauthtoken:
-      dict_data.update({
-        'kind': 'oauth',
-        'oauth': self.oauthtoken.uuid,
-        'user': self.authed_user.username,
-      })
+        if self.oauthtoken:
+            dict_data.update(
+                {
+                    "kind": "oauth",
+                    "oauth": self.oauthtoken.uuid,
+                    "user": self.authed_user.username,
+                }
+            )
 
-    if self.user or self.robot:
-      dict_data.update({
-        'kind': 'user',
-        'user': self.authed_user.username,
-      })
+        if self.user or self.robot:
+            dict_data.update({"kind": "user", "user": self.authed_user.username})
 
-    if self.appspecifictoken:
-      dict_data.update({
-        'kind': 'user',
-        'user': self.authed_user.username,
-      })
+        if self.appspecifictoken:
+            dict_data.update({"kind": "user", "user": self.authed_user.username})
 
-    if self.is_anonymous:
-      dict_data.update({
-        'kind': 'anonymous',
-      })
+        if self.is_anonymous:
+            dict_data.update({"kind": "anonymous"})
+
+        # End of legacy information.
+        return dict_data
 
-    # End of legacy information.
-    return dict_data
 
 class SignedAuthContext(AuthContext):
-  """ SignedAuthContext represents an auth context loaded from a signed token of some kind,
+    """ SignedAuthContext represents an auth context loaded from a signed token of some kind,
       such as a JWT. Unlike ValidatedAuthContext, SignedAuthContext operates lazily, only loading
       the actual {user, robot, token, etc} when requested. This allows registry operations that
       only need to check if *some* entity is present to do so, without hitting the database.
   """
-  def __init__(self, kind, signed_data, v1_dict_format):
-    self.kind = kind
-    self.signed_data = signed_data
-    self.v1_dict_format = v1_dict_format
 
-  @property
-  def unique_key(self):
-    if self.v1_dict_format:
-      # Since V1 data format is verbose, just use the validated version to get the key.
-      return self._get_validated().unique_key
+    def __init__(self, kind, signed_data, v1_dict_format):
+        self.kind = kind
+        self.signed_data = signed_data
+        self.v1_dict_format = v1_dict_format
 
-    signed_dict = self.signed_data
-    return '%s-%s' % (signed_dict['entity_kind'], signed_dict.get('entity_reference', '(anon)'))
+    @property
+    def unique_key(self):
+        if self.v1_dict_format:
+            # Since V1 data format is verbose, just use the validated version to get the key.
+            return self._get_validated().unique_key
 
-  @classmethod
-  def build_from_signed_dict(cls, dict_data, v1_dict_format=False):
-    if not v1_dict_format:
-      entity_kind = ContextEntityKind(dict_data.get('entity_kind', 'anonymous'))
-      return SignedAuthContext(entity_kind, dict_data, v1_dict_format)
+        signed_dict = self.signed_data
+        return "%s-%s" % (
+            signed_dict["entity_kind"],
+            signed_dict.get("entity_reference", "(anon)"),
+        )
 
-    # Legacy handling.
-    # TODO: Remove this all once the new code is fully deployed.    
-    kind_string = dict_data.get('kind', 'anonymous')
-    if kind_string == 'oauth':
-      kind_string = 'oauthtoken'
+    @classmethod
+    def build_from_signed_dict(cls, dict_data, v1_dict_format=False):
+        if not v1_dict_format:
+            entity_kind = ContextEntityKind(dict_data.get("entity_kind", "anonymous"))
+            return SignedAuthContext(entity_kind, dict_data, v1_dict_format)
 
-    kind = ContextEntityKind(kind_string)
-    return SignedAuthContext(kind, dict_data, v1_dict_format)
+        # Legacy handling.
+        # TODO: Remove this all once the new code is fully deployed.
+        kind_string = dict_data.get("kind", "anonymous")
+        if kind_string == "oauth":
+            kind_string = "oauthtoken"
 
-  @lru_cache(maxsize=1)
-  def _get_validated(self):
-    """ Returns a ValidatedAuthContext for this signed context, resolving all the necessary
+        kind = ContextEntityKind(kind_string)
+        return SignedAuthContext(kind, dict_data, v1_dict_format)
+
+    @lru_cache(maxsize=1)
+    def _get_validated(self):
+        """ Returns a ValidatedAuthContext for this signed context, resolving all the necessary
         references.
     """
-    if not self.v1_dict_format:
-      if self.kind == ContextEntityKind.anonymous:
-        return ValidatedAuthContext()
+        if not self.v1_dict_format:
+            if self.kind == ContextEntityKind.anonymous:
+                return ValidatedAuthContext()
 
-      serialized_entity_reference = self.signed_data['entity_reference']
-      handler = CONTEXT_ENTITY_HANDLERS[self.kind]()
-      entity_reference = handler.deserialize_entity_reference(serialized_entity_reference)
-      if entity_reference is None:
-        logger.debug('Could not deserialize entity reference `%s` under kind `%s`',
-                     serialized_entity_reference, self.kind)
-        return ValidatedAuthContext()
+            serialized_entity_reference = self.signed_data["entity_reference"]
+            handler = CONTEXT_ENTITY_HANDLERS[self.kind]()
+            entity_reference = handler.deserialize_entity_reference(
+                serialized_entity_reference
+            )
+            if entity_reference is None:
+                logger.debug(
+                    "Could not deserialize entity reference `%s` under kind `%s`",
+                    serialized_entity_reference,
+                    self.kind,
+                )
+                return ValidatedAuthContext()
 
-      return ValidatedAuthContext(**{self.kind.value: entity_reference})
+            return ValidatedAuthContext(**{self.kind.value: entity_reference})
 
-    # Legacy handling.
-    # TODO: Remove this all once the new code is fully deployed.
-    kind_string = self.signed_data.get('kind', 'anonymous')
-    if kind_string == 'oauth':
-      kind_string = 'oauthtoken'
+        # Legacy handling.
+        # TODO: Remove this all once the new code is fully deployed.
+        kind_string = self.signed_data.get("kind", "anonymous")
+        if kind_string == "oauth":
+            kind_string = "oauthtoken"
 
-    kind = ContextEntityKind(kind_string)
-    if kind == ContextEntityKind.anonymous:
-      return ValidatedAuthContext()
+        kind = ContextEntityKind(kind_string)
+        if kind == ContextEntityKind.anonymous:
+            return ValidatedAuthContext()
 
-    if kind == ContextEntityKind.user or kind == ContextEntityKind.robot:
-      user = model.user.get_user(self.signed_data.get('user', ''))
-      if not user:
-        return None
+        if kind == ContextEntityKind.user or kind == ContextEntityKind.robot:
+            user = model.user.get_user(self.signed_data.get("user", ""))
+            if not user:
+                return None
 
-      return ValidatedAuthContext(robot=user) if user.robot else ValidatedAuthContext(user=user)
+            return (
+                ValidatedAuthContext(robot=user)
+                if user.robot
+                else ValidatedAuthContext(user=user)
+            )
 
-    if kind == ContextEntityKind.token:
-      token = model.token.load_token_data(self.signed_data.get('token'))
-      if not token:
-        return None
+        if kind == ContextEntityKind.token:
+            token = model.token.load_token_data(self.signed_data.get("token"))
+            if not token:
+                return None
 
-      return ValidatedAuthContext(token=token)
+            return ValidatedAuthContext(token=token)
 
-    if kind == ContextEntityKind.oauthtoken:
-      user = model.user.get_user(self.signed_data.get('user', ''))
-      if not user:
-        return None
+        if kind == ContextEntityKind.oauthtoken:
+            user = model.user.get_user(self.signed_data.get("user", ""))
+            if not user:
+                return None
 
-      token_uuid = self.signed_data.get('oauth', '')
-      oauthtoken = model.oauth.lookup_access_token_for_user(user, token_uuid)
-      if not oauthtoken:
-        return None
+            token_uuid = self.signed_data.get("oauth", "")
+            oauthtoken = model.oauth.lookup_access_token_for_user(user, token_uuid)
+            if not oauthtoken:
+                return None
 
-      return ValidatedAuthContext(oauthtoken=oauthtoken)
+            return ValidatedAuthContext(oauthtoken=oauthtoken)
 
-    raise Exception('Unknown auth context kind `%s` when deserializing %s' % (kind,
-                                                                              self.signed_data))
-    # End of legacy handling.
+        raise Exception(
+            "Unknown auth context kind `%s` when deserializing %s"
+            % (kind, self.signed_data)
+        )
+        # End of legacy handling.
 
-  @property
-  def entity_kind(self):
-    """ Returns the kind of the entity in this auth context. """
-    return self.kind
+    @property
+    def entity_kind(self):
+        """ Returns the kind of the entity in this auth context. """
+        return self.kind
 
-  @property
-  def is_anonymous(self):
-    """ Returns true if this is an anonymous context. """
-    return self.kind == ContextEntityKind.anonymous
+    @property
+    def is_anonymous(self):
+        """ Returns true if this is an anonymous context. """
+        return self.kind == ContextEntityKind.anonymous
 
-  @property
-  def authed_user(self):
-    """ Returns the authenticated user, whether directly, or via an OAuth or access token. Note that
+    @property
+    def authed_user(self):
+        """ Returns the authenticated user, whether directly, or via an OAuth or access token. Note that
         this property will also return robot accounts.
     """
-    if self.kind == ContextEntityKind.anonymous:
-      return None
+        if self.kind == ContextEntityKind.anonymous:
+            return None
 
-    return self._get_validated().authed_user
+        return self._get_validated().authed_user
 
-  @property
-  def authed_oauth_token(self):
-    if self.kind == ContextEntityKind.anonymous:
-      return None
+    @property
+    def authed_oauth_token(self):
+        if self.kind == ContextEntityKind.anonymous:
+            return None
 
-    return self._get_validated().authed_oauth_token
+        return self._get_validated().authed_oauth_token
 
-  @property
-  def has_nonrobot_user(self):
-    """ Returns whether a user (not a robot) was authenticated successfully. """
-    if self.kind == ContextEntityKind.anonymous:
-      return False
+    @property
+    def has_nonrobot_user(self):
+        """ Returns whether a user (not a robot) was authenticated successfully. """
+        if self.kind == ContextEntityKind.anonymous:
+            return False
 
-    return self._get_validated().has_nonrobot_user
+        return self._get_validated().has_nonrobot_user
 
-  @property
-  def identity(self):
-    """ Returns the identity for the auth context. """
-    return self._get_validated().identity
+    @property
+    def identity(self):
+        """ Returns the identity for the auth context. """
+        return self._get_validated().identity
 
-  @property
-  def description(self):
-    """ Returns a human-readable and *public* description of the current auth context. """
-    return self._get_validated().description
+    @property
+    def description(self):
+        """ Returns a human-readable and *public* description of the current auth context. """
+        return self._get_validated().description
 
-  @property
-  def credential_username(self):
-    """ Returns the username to create credentials for this context's entity, if any. """
-    return self._get_validated().credential_username
+    @property
+    def credential_username(self):
+        """ Returns the username to create credentials for this context's entity, if any. """
+        return self._get_validated().credential_username
 
-  def analytics_id_and_public_metadata(self):
-    """ Returns the analytics ID and public log metadata for this auth context. """
-    return self._get_validated().analytics_id_and_public_metadata()
+    def analytics_id_and_public_metadata(self):
+        """ Returns the analytics ID and public log metadata for this auth context. """
+        return self._get_validated().analytics_id_and_public_metadata()
 
-  def apply_to_request_context(self):
-    """ Applies this auth result to the auth context and Flask-Principal. """
-    return self._get_validated().apply_to_request_context()
+    def apply_to_request_context(self):
+        """ Applies this auth result to the auth context and Flask-Principal. """
+        return self._get_validated().apply_to_request_context()
 
-  def to_signed_dict(self):
-    """ Serializes the auth context into a dictionary suitable for inclusion in a JWT or other
+    def to_signed_dict(self):
+        """ Serializes the auth context into a dictionary suitable for inclusion in a JWT or other
         form of signed serialization.
     """
-    return self.signed_data
+        return self.signed_data
diff --git a/auth/basic.py b/auth/basic.py
index 926450ad6..49d0150a4 100644
--- a/auth/basic.py
+++ b/auth/basic.py
@@ -8,51 +8,54 @@ from auth.validateresult import ValidateResult, AuthKind
 
 logger = logging.getLogger(__name__)
 
+
 def has_basic_auth(username):
-  """ Returns true if a basic auth header exists with a username and password pair that validates
+    """ Returns true if a basic auth header exists with a username and password pair that validates
       against the internal authentication system. Returns True on full success and False on any
       failure (missing header, invalid header, invalid credentials, etc).
   """
-  auth_header = request.headers.get('authorization', '')
-  result = validate_basic_auth(auth_header)
-  return result.has_nonrobot_user and result.context.user.username == username
+    auth_header = request.headers.get("authorization", "")
+    result = validate_basic_auth(auth_header)
+    return result.has_nonrobot_user and result.context.user.username == username
 
 
 def validate_basic_auth(auth_header):
-  """ Validates the specified basic auth header, returning whether its credentials point
+    """ Validates the specified basic auth header, returning whether its credentials point
       to a valid user or token.
   """
-  if not auth_header:
-    return ValidateResult(AuthKind.basic, missing=True)
+    if not auth_header:
+        return ValidateResult(AuthKind.basic, missing=True)
 
-  logger.debug('Attempt to process basic auth header')
+    logger.debug("Attempt to process basic auth header")
 
-  # Parse the basic auth header.
-  assert isinstance(auth_header, basestring)
-  credentials, err = _parse_basic_auth_header(auth_header)
-  if err is not None:
-    logger.debug('Got invalid basic auth header: %s', auth_header)
-    return ValidateResult(AuthKind.basic, missing=True)
+    # Parse the basic auth header.
+    assert isinstance(auth_header, basestring)
+    credentials, err = _parse_basic_auth_header(auth_header)
+    if err is not None:
+        logger.debug("Got invalid basic auth header: %s", auth_header)
+        return ValidateResult(AuthKind.basic, missing=True)
 
-  auth_username, auth_password_or_token = credentials
-  result, _ = validate_credentials(auth_username, auth_password_or_token)
-  return result.with_kind(AuthKind.basic)
+    auth_username, auth_password_or_token = credentials
+    result, _ = validate_credentials(auth_username, auth_password_or_token)
+    return result.with_kind(AuthKind.basic)
 
 
 def _parse_basic_auth_header(auth):
-  """ Parses the given basic auth header, returning the credentials found inside.
+    """ Parses the given basic auth header, returning the credentials found inside.
   """
-  normalized = [part.strip() for part in auth.split(' ') if part]
-  if normalized[0].lower() != 'basic' or len(normalized) != 2:
-    return None, 'Invalid basic auth header'
+    normalized = [part.strip() for part in auth.split(" ") if part]
+    if normalized[0].lower() != "basic" or len(normalized) != 2:
+        return None, "Invalid basic auth header"
 
-  try:
-    credentials = [part.decode('utf-8') for part in b64decode(normalized[1]).split(':', 1)]
-  except (TypeError, UnicodeDecodeError, ValueError):
-    logger.exception('Exception when parsing basic auth header: %s', auth)
-    return None, 'Could not parse basic auth header'
+    try:
+        credentials = [
+            part.decode("utf-8") for part in b64decode(normalized[1]).split(":", 1)
+        ]
+    except (TypeError, UnicodeDecodeError, ValueError):
+        logger.exception("Exception when parsing basic auth header: %s", auth)
+        return None, "Could not parse basic auth header"
 
-  if len(credentials) != 2:
-    return None, 'Unexpected number of credentials found in basic auth header'
+    if len(credentials) != 2:
+        return None, "Unexpected number of credentials found in basic auth header"
 
-  return credentials, None
+    return credentials, None
diff --git a/auth/context_entity.py b/auth/context_entity.py
index 038624b0c..7c52dbe8d 100644
--- a/auth/context_entity.py
+++ b/auth/context_entity.py
@@ -4,200 +4,210 @@ from enum import Enum
 
 from data import model
 
-from auth.credential_consts import (ACCESS_TOKEN_USERNAME, OAUTH_TOKEN_USERNAME,
-                                    APP_SPECIFIC_TOKEN_USERNAME)
+from auth.credential_consts import (
+    ACCESS_TOKEN_USERNAME,
+    OAUTH_TOKEN_USERNAME,
+    APP_SPECIFIC_TOKEN_USERNAME,
+)
+
 
 class ContextEntityKind(Enum):
-  """ Defines the various kinds of entities in an auth context. Note that the string values of
+    """ Defines the various kinds of entities in an auth context. Note that the string values of
       these fields *must* match the names of the fields in the ValidatedAuthContext class, as
       we fill them in directly based on the string names here.
   """
-  anonymous = 'anonymous'
-  user = 'user'
-  robot = 'robot'
-  token = 'token'
-  oauthtoken = 'oauthtoken'
-  appspecifictoken = 'appspecifictoken'
-  signed_data = 'signed_data'
+
+    anonymous = "anonymous"
+    user = "user"
+    robot = "robot"
+    token = "token"
+    oauthtoken = "oauthtoken"
+    appspecifictoken = "appspecifictoken"
+    signed_data = "signed_data"
 
 
 @add_metaclass(ABCMeta)
 class ContextEntityHandler(object):
-  """
+    """
   Interface that represents handling specific kinds of entities under an auth context.
   """
 
-  @abstractmethod
-  def credential_username(self, entity_reference):
-    """ Returns the username to create credentials for this entity, if any. """
-    pass
+    @abstractmethod
+    def credential_username(self, entity_reference):
+        """ Returns the username to create credentials for this entity, if any. """
+        pass
 
-  @abstractmethod
-  def get_serialized_entity_reference(self, entity_reference):
-    """ Returns the entity reference for this kind of auth context, serialized into a form that can
+    @abstractmethod
+    def get_serialized_entity_reference(self, entity_reference):
+        """ Returns the entity reference for this kind of auth context, serialized into a form that can
         be placed into a JSON object and put into a JWT. This is typically a DB UUID or another
         unique identifier for the object in the DB.
     """
-    pass
+        pass
 
-  @abstractmethod
-  def deserialize_entity_reference(self, serialized_entity_reference):
-    """ Returns the deserialized reference to the entity in the database, or None if none. """
-    pass
+    @abstractmethod
+    def deserialize_entity_reference(self, serialized_entity_reference):
+        """ Returns the deserialized reference to the entity in the database, or None if none. """
+        pass
 
-  @abstractmethod
-  def description(self, entity_reference):
-    """ Returns a human-readable and *public* description of the current entity. """
-    pass
+    @abstractmethod
+    def description(self, entity_reference):
+        """ Returns a human-readable and *public* description of the current entity. """
+        pass
 
-  @abstractmethod
-  def analytics_id_and_public_metadata(self, entity_reference):
-    """ Returns the analyitics ID and a dict of public metadata for the current entity. """
-    pass
+    @abstractmethod
+    def analytics_id_and_public_metadata(self, entity_reference):
+        """ Returns the analyitics ID and a dict of public metadata for the current entity. """
+        pass
 
 
 class AnonymousEntityHandler(ContextEntityHandler):
-  def credential_username(self, entity_reference):
-    return None
+    def credential_username(self, entity_reference):
+        return None
 
-  def get_serialized_entity_reference(self, entity_reference):
-    return None
+    def get_serialized_entity_reference(self, entity_reference):
+        return None
 
-  def deserialize_entity_reference(self, serialized_entity_reference):
-    return None
+    def deserialize_entity_reference(self, serialized_entity_reference):
+        return None
 
-  def description(self, entity_reference):
-    return "anonymous"
+    def description(self, entity_reference):
+        return "anonymous"
 
-  def analytics_id_and_public_metadata(self, entity_reference):
-    return "anonymous", {}
+    def analytics_id_and_public_metadata(self, entity_reference):
+        return "anonymous", {}
 
 
 class UserEntityHandler(ContextEntityHandler):
-  def credential_username(self, entity_reference):
-    return entity_reference.username
+    def credential_username(self, entity_reference):
+        return entity_reference.username
 
-  def get_serialized_entity_reference(self, entity_reference):
-    return entity_reference.uuid
+    def get_serialized_entity_reference(self, entity_reference):
+        return entity_reference.uuid
 
-  def deserialize_entity_reference(self, serialized_entity_reference):
-    return model.user.get_user_by_uuid(serialized_entity_reference)
+    def deserialize_entity_reference(self, serialized_entity_reference):
+        return model.user.get_user_by_uuid(serialized_entity_reference)
 
-  def description(self, entity_reference):
-    return "user %s" % entity_reference.username
+    def description(self, entity_reference):
+        return "user %s" % entity_reference.username
 
-  def analytics_id_and_public_metadata(self, entity_reference):
-    return entity_reference.username, {
-      'username': entity_reference.username,
-    }
+    def analytics_id_and_public_metadata(self, entity_reference):
+        return entity_reference.username, {"username": entity_reference.username}
 
 
 class RobotEntityHandler(ContextEntityHandler):
-  def credential_username(self, entity_reference):
-    return entity_reference.username
+    def credential_username(self, entity_reference):
+        return entity_reference.username
 
-  def get_serialized_entity_reference(self, entity_reference):
-    return entity_reference.username
+    def get_serialized_entity_reference(self, entity_reference):
+        return entity_reference.username
 
-  def deserialize_entity_reference(self, serialized_entity_reference):
-    return model.user.lookup_robot(serialized_entity_reference)
+    def deserialize_entity_reference(self, serialized_entity_reference):
+        return model.user.lookup_robot(serialized_entity_reference)
 
-  def description(self, entity_reference):
-    return "robot %s" % entity_reference.username
+    def description(self, entity_reference):
+        return "robot %s" % entity_reference.username
 
-  def analytics_id_and_public_metadata(self, entity_reference):
-    return entity_reference.username, {
-      'username': entity_reference.username,
-      'is_robot': True,
-    }
+    def analytics_id_and_public_metadata(self, entity_reference):
+        return (
+            entity_reference.username,
+            {"username": entity_reference.username, "is_robot": True},
+        )
 
 
 class TokenEntityHandler(ContextEntityHandler):
-  def credential_username(self, entity_reference):
-    return ACCESS_TOKEN_USERNAME
+    def credential_username(self, entity_reference):
+        return ACCESS_TOKEN_USERNAME
 
-  def get_serialized_entity_reference(self, entity_reference):
-    return entity_reference.get_code()
+    def get_serialized_entity_reference(self, entity_reference):
+        return entity_reference.get_code()
 
-  def deserialize_entity_reference(self, serialized_entity_reference):
-    return model.token.load_token_data(serialized_entity_reference)
+    def deserialize_entity_reference(self, serialized_entity_reference):
+        return model.token.load_token_data(serialized_entity_reference)
 
-  def description(self, entity_reference):
-    return "token %s" % entity_reference.friendly_name
+    def description(self, entity_reference):
+        return "token %s" % entity_reference.friendly_name
 
-  def analytics_id_and_public_metadata(self, entity_reference):
-    return 'token:%s' % entity_reference.id, {
-      'token': entity_reference.friendly_name,
-    }
+    def analytics_id_and_public_metadata(self, entity_reference):
+        return (
+            "token:%s" % entity_reference.id,
+            {"token": entity_reference.friendly_name},
+        )
 
 
 class OAuthTokenEntityHandler(ContextEntityHandler):
-  def credential_username(self, entity_reference):
-    return OAUTH_TOKEN_USERNAME
+    def credential_username(self, entity_reference):
+        return OAUTH_TOKEN_USERNAME
 
-  def get_serialized_entity_reference(self, entity_reference):
-    return entity_reference.uuid
+    def get_serialized_entity_reference(self, entity_reference):
+        return entity_reference.uuid
 
-  def deserialize_entity_reference(self, serialized_entity_reference):
-    return model.oauth.lookup_access_token_by_uuid(serialized_entity_reference)
+    def deserialize_entity_reference(self, serialized_entity_reference):
+        return model.oauth.lookup_access_token_by_uuid(serialized_entity_reference)
 
-  def description(self, entity_reference):
-    return "oauthtoken for user %s" % entity_reference.authorized_user.username
+    def description(self, entity_reference):
+        return "oauthtoken for user %s" % entity_reference.authorized_user.username
 
-  def analytics_id_and_public_metadata(self, entity_reference):
-    return 'oauthtoken:%s' % entity_reference.id, {
-      'oauth_token_id': entity_reference.id,
-      'oauth_token_application_id': entity_reference.application.client_id,
-      'oauth_token_application': entity_reference.application.name,
-      'username': entity_reference.authorized_user.username,
-    }
+    def analytics_id_and_public_metadata(self, entity_reference):
+        return (
+            "oauthtoken:%s" % entity_reference.id,
+            {
+                "oauth_token_id": entity_reference.id,
+                "oauth_token_application_id": entity_reference.application.client_id,
+                "oauth_token_application": entity_reference.application.name,
+                "username": entity_reference.authorized_user.username,
+            },
+        )
 
 
 class AppSpecificTokenEntityHandler(ContextEntityHandler):
-  def credential_username(self, entity_reference):
-    return APP_SPECIFIC_TOKEN_USERNAME
+    def credential_username(self, entity_reference):
+        return APP_SPECIFIC_TOKEN_USERNAME
 
-  def get_serialized_entity_reference(self, entity_reference):
-    return entity_reference.uuid
+    def get_serialized_entity_reference(self, entity_reference):
+        return entity_reference.uuid
 
-  def deserialize_entity_reference(self, serialized_entity_reference):
-    return model.appspecifictoken.get_token_by_uuid(serialized_entity_reference)
+    def deserialize_entity_reference(self, serialized_entity_reference):
+        return model.appspecifictoken.get_token_by_uuid(serialized_entity_reference)
 
-  def description(self, entity_reference):
-    tpl = (entity_reference.title, entity_reference.user.username)
-    return "app specific token %s for user %s" % tpl
+    def description(self, entity_reference):
+        tpl = (entity_reference.title, entity_reference.user.username)
+        return "app specific token %s for user %s" % tpl
 
-  def analytics_id_and_public_metadata(self, entity_reference):
-    return 'appspecifictoken:%s' % entity_reference.id, {
-      'app_specific_token': entity_reference.uuid,
-      'app_specific_token_title': entity_reference.title,
-      'username': entity_reference.user.username,
-    }
+    def analytics_id_and_public_metadata(self, entity_reference):
+        return (
+            "appspecifictoken:%s" % entity_reference.id,
+            {
+                "app_specific_token": entity_reference.uuid,
+                "app_specific_token_title": entity_reference.title,
+                "username": entity_reference.user.username,
+            },
+        )
 
 
 class SignedDataEntityHandler(ContextEntityHandler):
-  def credential_username(self, entity_reference):
-    return None
+    def credential_username(self, entity_reference):
+        return None
 
-  def get_serialized_entity_reference(self, entity_reference):
-    raise NotImplementedError
+    def get_serialized_entity_reference(self, entity_reference):
+        raise NotImplementedError
 
-  def deserialize_entity_reference(self, serialized_entity_reference):
-    raise NotImplementedError
+    def deserialize_entity_reference(self, serialized_entity_reference):
+        raise NotImplementedError
 
-  def description(self, entity_reference):
-    return "signed"
+    def description(self, entity_reference):
+        return "signed"
 
-  def analytics_id_and_public_metadata(self, entity_reference):
-    return 'signed', {'signed': entity_reference}
+    def analytics_id_and_public_metadata(self, entity_reference):
+        return "signed", {"signed": entity_reference}
 
 
 CONTEXT_ENTITY_HANDLERS = {
-  ContextEntityKind.anonymous: AnonymousEntityHandler,
-  ContextEntityKind.user: UserEntityHandler,
-  ContextEntityKind.robot: RobotEntityHandler,
-  ContextEntityKind.token: TokenEntityHandler,
-  ContextEntityKind.oauthtoken: OAuthTokenEntityHandler,
-  ContextEntityKind.appspecifictoken: AppSpecificTokenEntityHandler,
-  ContextEntityKind.signed_data: SignedDataEntityHandler,
+    ContextEntityKind.anonymous: AnonymousEntityHandler,
+    ContextEntityKind.user: UserEntityHandler,
+    ContextEntityKind.robot: RobotEntityHandler,
+    ContextEntityKind.token: TokenEntityHandler,
+    ContextEntityKind.oauthtoken: OAuthTokenEntityHandler,
+    ContextEntityKind.appspecifictoken: AppSpecificTokenEntityHandler,
+    ContextEntityKind.signed_data: SignedDataEntityHandler,
 }
diff --git a/auth/cookie.py b/auth/cookie.py
index 68ed0f8ee..839183f32 100644
--- a/auth/cookie.py
+++ b/auth/cookie.py
@@ -7,31 +7,40 @@ from auth.validateresult import AuthKind, ValidateResult
 
 logger = logging.getLogger(__name__)
 
+
 def validate_session_cookie(auth_header_unusued=None):
-  """ Attempts to load a user from a session cookie. """
-  if current_user.is_anonymous:
-    return ValidateResult(AuthKind.cookie, missing=True)
+    """ Attempts to load a user from a session cookie. """
+    if current_user.is_anonymous:
+        return ValidateResult(AuthKind.cookie, missing=True)
 
-  try:
-    # Attempt to parse the user uuid to make sure the cookie has the right value type
-    UUID(current_user.get_id())
-  except ValueError:
-    logger.debug('Got non-UUID for session cookie user: %s', current_user.get_id())
-    return ValidateResult(AuthKind.cookie, error_message='Invalid session cookie format')
+    try:
+        # Attempt to parse the user uuid to make sure the cookie has the right value type
+        UUID(current_user.get_id())
+    except ValueError:
+        logger.debug("Got non-UUID for session cookie user: %s", current_user.get_id())
+        return ValidateResult(
+            AuthKind.cookie, error_message="Invalid session cookie format"
+        )
 
-  logger.debug('Loading user from cookie: %s', current_user.get_id())
-  db_user = current_user.db_user()
-  if db_user is None:
-    return ValidateResult(AuthKind.cookie, error_message='Could not find matching user')
+    logger.debug("Loading user from cookie: %s", current_user.get_id())
+    db_user = current_user.db_user()
+    if db_user is None:
+        return ValidateResult(
+            AuthKind.cookie, error_message="Could not find matching user"
+        )
 
-  # Don't allow disabled users to login.
-  if not db_user.enabled:
-    logger.debug('User %s in session cookie is disabled', db_user.username)
-    return ValidateResult(AuthKind.cookie, error_message='User account is disabled')
+    # Don't allow disabled users to login.
+    if not db_user.enabled:
+        logger.debug("User %s in session cookie is disabled", db_user.username)
+        return ValidateResult(AuthKind.cookie, error_message="User account is disabled")
 
-  # Don't allow organizations to "login".
-  if db_user.organization:
-    logger.debug('User %s in session cookie is in-fact organization', db_user.username)
-    return ValidateResult(AuthKind.cookie, error_message='Cannot login to organization')
+    # Don't allow organizations to "login".
+    if db_user.organization:
+        logger.debug(
+            "User %s in session cookie is in-fact organization", db_user.username
+        )
+        return ValidateResult(
+            AuthKind.cookie, error_message="Cannot login to organization"
+        )
 
-  return ValidateResult(AuthKind.cookie, user=db_user)
+    return ValidateResult(AuthKind.cookie, user=db_user)
diff --git a/auth/credential_consts.py b/auth/credential_consts.py
index dda9834d1..93287d833 100644
--- a/auth/credential_consts.py
+++ b/auth/credential_consts.py
@@ -1,3 +1,3 @@
-ACCESS_TOKEN_USERNAME = '$token'
-OAUTH_TOKEN_USERNAME = '$oauthtoken'
-APP_SPECIFIC_TOKEN_USERNAME = '$app'
+ACCESS_TOKEN_USERNAME = "$token"
+OAUTH_TOKEN_USERNAME = "$oauthtoken"
+APP_SPECIFIC_TOKEN_USERNAME = "$app"
diff --git a/auth/credentials.py b/auth/credentials.py
index 5d8c8b4dd..f56f6a540 100644
--- a/auth/credentials.py
+++ b/auth/credentials.py
@@ -7,8 +7,11 @@ import features
 from app import authentication
 from auth.oauth import validate_oauth_token
 from auth.validateresult import ValidateResult, AuthKind
-from auth.credential_consts import (ACCESS_TOKEN_USERNAME, OAUTH_TOKEN_USERNAME,
-                                    APP_SPECIFIC_TOKEN_USERNAME)
+from auth.credential_consts import (
+    ACCESS_TOKEN_USERNAME,
+    OAUTH_TOKEN_USERNAME,
+    APP_SPECIFIC_TOKEN_USERNAME,
+)
 from data import model
 from util.names import parse_robot_username
 
@@ -16,70 +19,116 @@ logger = logging.getLogger(__name__)
 
 
 class CredentialKind(Enum):
-  user = 'user'
-  robot = 'robot'
-  token = ACCESS_TOKEN_USERNAME
-  oauth_token = OAUTH_TOKEN_USERNAME
-  app_specific_token = APP_SPECIFIC_TOKEN_USERNAME
+    user = "user"
+    robot = "robot"
+    token = ACCESS_TOKEN_USERNAME
+    oauth_token = OAUTH_TOKEN_USERNAME
+    app_specific_token = APP_SPECIFIC_TOKEN_USERNAME
 
 
 def validate_credentials(auth_username, auth_password_or_token):
-  """ Validates a pair of auth username and password/token credentials. """
-  # Check for access tokens.
-  if auth_username == ACCESS_TOKEN_USERNAME:
-    logger.debug('Found credentials for access token')
-    try:
-      token = model.token.load_token_data(auth_password_or_token)
-      logger.debug('Successfully validated credentials for access token %s', token.id)
-      return ValidateResult(AuthKind.credentials, token=token), CredentialKind.token
-    except model.DataModelException:
-      logger.warning('Failed to validate credentials for access token %s', auth_password_or_token)
-      return (ValidateResult(AuthKind.credentials, error_message='Invalid access token'),
-              CredentialKind.token)
+    """ Validates a pair of auth username and password/token credentials. """
+    # Check for access tokens.
+    if auth_username == ACCESS_TOKEN_USERNAME:
+        logger.debug("Found credentials for access token")
+        try:
+            token = model.token.load_token_data(auth_password_or_token)
+            logger.debug(
+                "Successfully validated credentials for access token %s", token.id
+            )
+            return (
+                ValidateResult(AuthKind.credentials, token=token),
+                CredentialKind.token,
+            )
+        except model.DataModelException:
+            logger.warning(
+                "Failed to validate credentials for access token %s",
+                auth_password_or_token,
+            )
+            return (
+                ValidateResult(
+                    AuthKind.credentials, error_message="Invalid access token"
+                ),
+                CredentialKind.token,
+            )
 
-  # Check for App Specific tokens.
-  if features.APP_SPECIFIC_TOKENS and auth_username == APP_SPECIFIC_TOKEN_USERNAME:
-    logger.debug('Found credentials for app specific auth token')
-    token = model.appspecifictoken.access_valid_token(auth_password_or_token)
-    if token is None:
-      logger.debug('Failed to validate credentials for app specific token: %s',
-                   auth_password_or_token)
-      return (ValidateResult(AuthKind.credentials, error_message='Invalid token'),
-              CredentialKind.app_specific_token)
+    # Check for App Specific tokens.
+    if features.APP_SPECIFIC_TOKENS and auth_username == APP_SPECIFIC_TOKEN_USERNAME:
+        logger.debug("Found credentials for app specific auth token")
+        token = model.appspecifictoken.access_valid_token(auth_password_or_token)
+        if token is None:
+            logger.debug(
+                "Failed to validate credentials for app specific token: %s",
+                auth_password_or_token,
+            )
+            return (
+                ValidateResult(AuthKind.credentials, error_message="Invalid token"),
+                CredentialKind.app_specific_token,
+            )
 
-    if not token.user.enabled:
-      logger.debug('Tried to use an app specific token for a disabled user: %s',
-                   token.uuid)
-      return (ValidateResult(AuthKind.credentials,
-              error_message='This user has been disabled. Please contact your administrator.'),
-              CredentialKind.app_specific_token)
+        if not token.user.enabled:
+            logger.debug(
+                "Tried to use an app specific token for a disabled user: %s", token.uuid
+            )
+            return (
+                ValidateResult(
+                    AuthKind.credentials,
+                    error_message="This user has been disabled. Please contact your administrator.",
+                ),
+                CredentialKind.app_specific_token,
+            )
 
-    logger.debug('Successfully validated credentials for app specific token %s', token.id)
-    return (ValidateResult(AuthKind.credentials, appspecifictoken=token),
-            CredentialKind.app_specific_token)
+        logger.debug(
+            "Successfully validated credentials for app specific token %s", token.id
+        )
+        return (
+            ValidateResult(AuthKind.credentials, appspecifictoken=token),
+            CredentialKind.app_specific_token,
+        )
 
-  # Check for OAuth tokens.
-  if auth_username == OAUTH_TOKEN_USERNAME:
-    return validate_oauth_token(auth_password_or_token), CredentialKind.oauth_token
+    # Check for OAuth tokens.
+    if auth_username == OAUTH_TOKEN_USERNAME:
+        return validate_oauth_token(auth_password_or_token), CredentialKind.oauth_token
 
-  # Check for robots and users.
-  is_robot = parse_robot_username(auth_username)
-  if is_robot:
-    logger.debug('Found credentials header for robot %s', auth_username)
-    try:
-      robot = model.user.verify_robot(auth_username, auth_password_or_token)
-      logger.debug('Successfully validated credentials for robot %s', auth_username)
-      return ValidateResult(AuthKind.credentials, robot=robot), CredentialKind.robot
-    except model.InvalidRobotException as ire:
-      logger.warning('Failed to validate credentials for robot %s: %s', auth_username, ire)
-      return ValidateResult(AuthKind.credentials, error_message=str(ire)), CredentialKind.robot
+    # Check for robots and users.
+    is_robot = parse_robot_username(auth_username)
+    if is_robot:
+        logger.debug("Found credentials header for robot %s", auth_username)
+        try:
+            robot = model.user.verify_robot(auth_username, auth_password_or_token)
+            logger.debug(
+                "Successfully validated credentials for robot %s", auth_username
+            )
+            return (
+                ValidateResult(AuthKind.credentials, robot=robot),
+                CredentialKind.robot,
+            )
+        except model.InvalidRobotException as ire:
+            logger.warning(
+                "Failed to validate credentials for robot %s: %s", auth_username, ire
+            )
+            return (
+                ValidateResult(AuthKind.credentials, error_message=str(ire)),
+                CredentialKind.robot,
+            )
 
-  # Otherwise, treat as a standard user.
-  (authenticated, err) = authentication.verify_and_link_user(auth_username, auth_password_or_token,
-                                                             basic_auth=True)
-  if authenticated:
-    logger.debug('Successfully validated credentials for user %s', authenticated.username)
-    return ValidateResult(AuthKind.credentials, user=authenticated), CredentialKind.user
-  else:
-    logger.warning('Failed to validate credentials for user %s: %s', auth_username, err)
-    return ValidateResult(AuthKind.credentials, error_message=err), CredentialKind.user
+    # Otherwise, treat as a standard user.
+    (authenticated, err) = authentication.verify_and_link_user(
+        auth_username, auth_password_or_token, basic_auth=True
+    )
+    if authenticated:
+        logger.debug(
+            "Successfully validated credentials for user %s", authenticated.username
+        )
+        return (
+            ValidateResult(AuthKind.credentials, user=authenticated),
+            CredentialKind.user,
+        )
+    else:
+        logger.warning(
+            "Failed to validate credentials for user %s: %s", auth_username, err
+        )
+        return (
+            ValidateResult(AuthKind.credentials, error_message=err),
+            CredentialKind.user,
+        )
diff --git a/auth/decorators.py b/auth/decorators.py
index 5fc966140..6e5a0cf05 100644
--- a/auth/decorators.py
+++ b/auth/decorators.py
@@ -14,83 +14,101 @@ from util.http import abort
 
 logger = logging.getLogger(__name__)
 
+
 def _auth_decorator(pass_result=False, handlers=None):
-  """ Builds an auth decorator that runs the given handlers and, if any return successfully,
+    """ Builds an auth decorator that runs the given handlers and, if any return successfully,
       sets up the auth context. The wrapped function will be invoked *regardless of success or
       failure of the auth handler(s)*
   """
-  def processor(func):
-    @wraps(func)
-    def wrapper(*args, **kwargs):
-      auth_header = request.headers.get('authorization', '')
-      result = None
 
-      for handler in handlers:
-        result = handler(auth_header)
-        # If the handler was missing the necessary information, skip it and try the next one.
-        if result.missing:
-          continue
+    def processor(func):
+        @wraps(func)
+        def wrapper(*args, **kwargs):
+            auth_header = request.headers.get("authorization", "")
+            result = None
 
-        # Check for a valid result.
-        if result.auth_valid:
-          logger.debug('Found valid auth result: %s', result.tuple())
+            for handler in handlers:
+                result = handler(auth_header)
+                # If the handler was missing the necessary information, skip it and try the next one.
+                if result.missing:
+                    continue
 
-          # Set the various pieces of the auth context.
-          result.apply_to_context()
+                # Check for a valid result.
+                if result.auth_valid:
+                    logger.debug("Found valid auth result: %s", result.tuple())
 
-          # Log the metric.
-          metric_queue.authentication_count.Inc(labelvalues=[result.kind, True])
-          break
+                    # Set the various pieces of the auth context.
+                    result.apply_to_context()
 
-        # Otherwise, report the error.
-        if result.error_message is not None:
-          # Log the failure.
-          metric_queue.authentication_count.Inc(labelvalues=[result.kind, False])
-          break
+                    # Log the metric.
+                    metric_queue.authentication_count.Inc(
+                        labelvalues=[result.kind, True]
+                    )
+                    break
 
-      if pass_result:
-        kwargs['auth_result'] = result
+                # Otherwise, report the error.
+                if result.error_message is not None:
+                    # Log the failure.
+                    metric_queue.authentication_count.Inc(
+                        labelvalues=[result.kind, False]
+                    )
+                    break
 
-      return func(*args, **kwargs)
-    return wrapper
-  return processor
+            if pass_result:
+                kwargs["auth_result"] = result
+
+            return func(*args, **kwargs)
+
+        return wrapper
+
+    return processor
 
 
-process_oauth = _auth_decorator(handlers=[validate_bearer_auth, validate_session_cookie])
+process_oauth = _auth_decorator(
+    handlers=[validate_bearer_auth, validate_session_cookie]
+)
 process_auth = _auth_decorator(handlers=[validate_signed_grant, validate_basic_auth])
-process_auth_or_cookie = _auth_decorator(handlers=[validate_basic_auth, validate_session_cookie])
+process_auth_or_cookie = _auth_decorator(
+    handlers=[validate_basic_auth, validate_session_cookie]
+)
 process_basic_auth = _auth_decorator(handlers=[validate_basic_auth], pass_result=True)
 process_basic_auth_no_pass = _auth_decorator(handlers=[validate_basic_auth])
 
 
 def require_session_login(func):
-  """ Decorates a function and ensures that a valid session cookie exists or a 401 is raised. If
+    """ Decorates a function and ensures that a valid session cookie exists or a 401 is raised. If
       a valid session cookie does exist, the authenticated user and identity are also set.
   """
-  @wraps(func)
-  def wrapper(*args, **kwargs):
-    result = validate_session_cookie()
-    if result.has_nonrobot_user:
-      result.apply_to_context()
-      metric_queue.authentication_count.Inc(labelvalues=[result.kind, True])
-      return func(*args, **kwargs)
-    elif not result.missing:
-      metric_queue.authentication_count.Inc(labelvalues=[result.kind, False])
 
-    abort(401, message='Method requires login and no valid login could be loaded.')
-  return wrapper
+    @wraps(func)
+    def wrapper(*args, **kwargs):
+        result = validate_session_cookie()
+        if result.has_nonrobot_user:
+            result.apply_to_context()
+            metric_queue.authentication_count.Inc(labelvalues=[result.kind, True])
+            return func(*args, **kwargs)
+        elif not result.missing:
+            metric_queue.authentication_count.Inc(labelvalues=[result.kind, False])
+
+        abort(401, message="Method requires login and no valid login could be loaded.")
+
+    return wrapper
 
 
 def extract_namespace_repo_from_session(func):
-  """ Extracts the namespace and repository name from the current session (which must exist)
+    """ Extracts the namespace and repository name from the current session (which must exist)
       and passes them into the decorated function as the first and second arguments. If the
       session doesn't exist or does not contain these arugments, a 400 error is raised.
   """
-  @wraps(func)
-  def wrapper(*args, **kwargs):
-    if 'namespace' not in session or 'repository' not in session:
-      logger.error('Unable to load namespace or repository from session: %s', session)
-      abort(400, message='Missing namespace in request')
 
-    return func(session['namespace'], session['repository'], *args, **kwargs)
-  return wrapper
+    @wraps(func)
+    def wrapper(*args, **kwargs):
+        if "namespace" not in session or "repository" not in session:
+            logger.error(
+                "Unable to load namespace or repository from session: %s", session
+            )
+            abort(400, message="Missing namespace in request")
+
+        return func(session["namespace"], session["repository"], *args, **kwargs)
+
+    return wrapper
diff --git a/auth/oauth.py b/auth/oauth.py
index aaea92831..b9f3ca7bd 100644
--- a/auth/oauth.py
+++ b/auth/oauth.py
@@ -8,41 +8,47 @@ from data import model
 
 logger = logging.getLogger(__name__)
 
+
 def validate_bearer_auth(auth_header):
-  """ Validates an OAuth token found inside a basic auth `Bearer` token, returning whether it
+    """ Validates an OAuth token found inside a basic auth `Bearer` token, returning whether it
       points to a valid OAuth token.
   """
-  if not auth_header:
-    return ValidateResult(AuthKind.oauth, missing=True)
+    if not auth_header:
+        return ValidateResult(AuthKind.oauth, missing=True)
 
-  normalized = [part.strip() for part in auth_header.split(' ') if part]
-  if normalized[0].lower() != 'bearer' or len(normalized) != 2:
-    logger.debug('Got invalid bearer token format: %s', auth_header)
-    return ValidateResult(AuthKind.oauth, missing=True)
+    normalized = [part.strip() for part in auth_header.split(" ") if part]
+    if normalized[0].lower() != "bearer" or len(normalized) != 2:
+        logger.debug("Got invalid bearer token format: %s", auth_header)
+        return ValidateResult(AuthKind.oauth, missing=True)
 
-  (_, oauth_token) = normalized
-  return validate_oauth_token(oauth_token)
+    (_, oauth_token) = normalized
+    return validate_oauth_token(oauth_token)
 
 
 def validate_oauth_token(token):
-  """ Validates the specified OAuth token, returning whether it points to a valid OAuth token.
+    """ Validates the specified OAuth token, returning whether it points to a valid OAuth token.
   """
-  validated = model.oauth.validate_access_token(token)
-  if not validated:
-    logger.warning('OAuth access token could not be validated: %s', token)
-    return ValidateResult(AuthKind.oauth,
-                          error_message='OAuth access token could not be validated')
+    validated = model.oauth.validate_access_token(token)
+    if not validated:
+        logger.warning("OAuth access token could not be validated: %s", token)
+        return ValidateResult(
+            AuthKind.oauth, error_message="OAuth access token could not be validated"
+        )
 
-  if validated.expires_at <= datetime.utcnow():
-    logger.warning('OAuth access with an expired token: %s', token)
-    return ValidateResult(AuthKind.oauth, error_message='OAuth access token has expired')
+    if validated.expires_at <= datetime.utcnow():
+        logger.warning("OAuth access with an expired token: %s", token)
+        return ValidateResult(
+            AuthKind.oauth, error_message="OAuth access token has expired"
+        )
 
-  # Don't allow disabled users to login.
-  if not validated.authorized_user.enabled:
-    return ValidateResult(AuthKind.oauth,
-                          error_message='Granter of the oauth access token is disabled')
+    # Don't allow disabled users to login.
+    if not validated.authorized_user.enabled:
+        return ValidateResult(
+            AuthKind.oauth,
+            error_message="Granter of the oauth access token is disabled",
+        )
 
-  # We have a valid token
-  scope_set = scopes_from_scope_string(validated.scope)
-  logger.debug('Successfully validated oauth access token with scope: %s', scope_set)
-  return ValidateResult(AuthKind.oauth, oauthtoken=validated)
+    # We have a valid token
+    scope_set = scopes_from_scope_string(validated.scope)
+    logger.debug("Successfully validated oauth access token with scope: %s", scope_set)
+    return ValidateResult(AuthKind.oauth, oauthtoken=validated)
diff --git a/auth/permissions.py b/auth/permissions.py
index c967aa046..10419acbc 100644
--- a/auth/permissions.py
+++ b/auth/permissions.py
@@ -14,351 +14,399 @@ from data import model
 logger = logging.getLogger(__name__)
 
 
-_ResourceNeed = namedtuple('resource', ['type', 'namespace', 'name', 'role'])
-_RepositoryNeed = partial(_ResourceNeed, 'repository')
-_NamespaceWideNeed = namedtuple('namespacewide', ['type', 'namespace', 'role'])
-_OrganizationNeed = partial(_NamespaceWideNeed, 'organization')
-_OrganizationRepoNeed = partial(_NamespaceWideNeed, 'organizationrepo')
-_TeamTypeNeed = namedtuple('teamwideneed', ['type', 'orgname', 'teamname', 'role'])
-_TeamNeed = partial(_TeamTypeNeed, 'orgteam')
-_UserTypeNeed = namedtuple('userspecificneed', ['type', 'username', 'role'])
-_UserNeed = partial(_UserTypeNeed, 'user')
-_SuperUserNeed = partial(namedtuple('superuserneed', ['type']), 'superuser')
+_ResourceNeed = namedtuple("resource", ["type", "namespace", "name", "role"])
+_RepositoryNeed = partial(_ResourceNeed, "repository")
+_NamespaceWideNeed = namedtuple("namespacewide", ["type", "namespace", "role"])
+_OrganizationNeed = partial(_NamespaceWideNeed, "organization")
+_OrganizationRepoNeed = partial(_NamespaceWideNeed, "organizationrepo")
+_TeamTypeNeed = namedtuple("teamwideneed", ["type", "orgname", "teamname", "role"])
+_TeamNeed = partial(_TeamTypeNeed, "orgteam")
+_UserTypeNeed = namedtuple("userspecificneed", ["type", "username", "role"])
+_UserNeed = partial(_UserTypeNeed, "user")
+_SuperUserNeed = partial(namedtuple("superuserneed", ["type"]), "superuser")
 
 
-REPO_ROLES = [None, 'read', 'write', 'admin']
-TEAM_ROLES = [None, 'member', 'creator', 'admin']
-USER_ROLES = [None, 'read', 'admin']
+REPO_ROLES = [None, "read", "write", "admin"]
+TEAM_ROLES = [None, "member", "creator", "admin"]
+USER_ROLES = [None, "read", "admin"]
 
-TEAM_ORGWIDE_REPO_ROLES = {
-  'admin': 'admin',
-  'creator': None,
-  'member': None,
-}
+TEAM_ORGWIDE_REPO_ROLES = {"admin": "admin", "creator": None, "member": None}
 
 SCOPE_MAX_REPO_ROLES = defaultdict(lambda: None)
-SCOPE_MAX_REPO_ROLES.update({
-  scopes.READ_REPO: 'read',
-  scopes.WRITE_REPO: 'write',
-  scopes.ADMIN_REPO: 'admin',
-  scopes.DIRECT_LOGIN: 'admin',
-})
+SCOPE_MAX_REPO_ROLES.update(
+    {
+        scopes.READ_REPO: "read",
+        scopes.WRITE_REPO: "write",
+        scopes.ADMIN_REPO: "admin",
+        scopes.DIRECT_LOGIN: "admin",
+    }
+)
 
 SCOPE_MAX_TEAM_ROLES = defaultdict(lambda: None)
-SCOPE_MAX_TEAM_ROLES.update({
-  scopes.CREATE_REPO: 'creator',
-  scopes.DIRECT_LOGIN: 'admin',
-  scopes.ORG_ADMIN: 'admin',
-})
+SCOPE_MAX_TEAM_ROLES.update(
+    {
+        scopes.CREATE_REPO: "creator",
+        scopes.DIRECT_LOGIN: "admin",
+        scopes.ORG_ADMIN: "admin",
+    }
+)
 
 SCOPE_MAX_USER_ROLES = defaultdict(lambda: None)
-SCOPE_MAX_USER_ROLES.update({
-  scopes.READ_USER: 'read',
-  scopes.DIRECT_LOGIN: 'admin',
-  scopes.ADMIN_USER: 'admin',
-})
+SCOPE_MAX_USER_ROLES.update(
+    {scopes.READ_USER: "read", scopes.DIRECT_LOGIN: "admin", scopes.ADMIN_USER: "admin"}
+)
+
 
 def repository_read_grant(namespace, repository):
-  return _RepositoryNeed(namespace, repository, 'read')
+    return _RepositoryNeed(namespace, repository, "read")
 
 
 def repository_write_grant(namespace, repository):
-  return _RepositoryNeed(namespace, repository, 'write')
+    return _RepositoryNeed(namespace, repository, "write")
 
 
 def repository_admin_grant(namespace, repository):
-  return _RepositoryNeed(namespace, repository, 'admin')
+    return _RepositoryNeed(namespace, repository, "admin")
 
 
 class QuayDeferredPermissionUser(Identity):
-  def __init__(self, uuid, auth_type, auth_scopes, user=None):
-    super(QuayDeferredPermissionUser, self).__init__(uuid, auth_type)
+    def __init__(self, uuid, auth_type, auth_scopes, user=None):
+        super(QuayDeferredPermissionUser, self).__init__(uuid, auth_type)
 
-    self._namespace_wide_loaded = set()
-    self._repositories_loaded = set()
-    self._personal_loaded = False
+        self._namespace_wide_loaded = set()
+        self._repositories_loaded = set()
+        self._personal_loaded = False
 
-    self._scope_set = auth_scopes
-    self._user_object = user
+        self._scope_set = auth_scopes
+        self._user_object = user
 
-  @staticmethod
-  def for_id(uuid, auth_scopes=None):
-    auth_scopes = auth_scopes if auth_scopes is not None else {scopes.DIRECT_LOGIN}
-    return QuayDeferredPermissionUser(uuid, 'user_uuid', auth_scopes)
+    @staticmethod
+    def for_id(uuid, auth_scopes=None):
+        auth_scopes = auth_scopes if auth_scopes is not None else {scopes.DIRECT_LOGIN}
+        return QuayDeferredPermissionUser(uuid, "user_uuid", auth_scopes)
 
-  @staticmethod
-  def for_user(user, auth_scopes=None):
-    auth_scopes = auth_scopes if auth_scopes is not None else {scopes.DIRECT_LOGIN}
-    return QuayDeferredPermissionUser(user.uuid, 'user_uuid', auth_scopes, user=user)
+    @staticmethod
+    def for_user(user, auth_scopes=None):
+        auth_scopes = auth_scopes if auth_scopes is not None else {scopes.DIRECT_LOGIN}
+        return QuayDeferredPermissionUser(
+            user.uuid, "user_uuid", auth_scopes, user=user
+        )
 
-  def _translate_role_for_scopes(self, cardinality, max_roles, role):
-    if self._scope_set is None:
-      return role
+    def _translate_role_for_scopes(self, cardinality, max_roles, role):
+        if self._scope_set is None:
+            return role
 
-    max_for_scopes = max({cardinality.index(max_roles[scope]) for scope in self._scope_set})
+        max_for_scopes = max(
+            {cardinality.index(max_roles[scope]) for scope in self._scope_set}
+        )
 
-    if max_for_scopes < cardinality.index(role):
-      logger.debug('Translated permission %s -> %s', role, cardinality[max_for_scopes])
-      return cardinality[max_for_scopes]
-    else:
-      return role
+        if max_for_scopes < cardinality.index(role):
+            logger.debug(
+                "Translated permission %s -> %s", role, cardinality[max_for_scopes]
+            )
+            return cardinality[max_for_scopes]
+        else:
+            return role
 
-  def _team_role_for_scopes(self, role):
-    return self._translate_role_for_scopes(TEAM_ROLES, SCOPE_MAX_TEAM_ROLES, role)
+    def _team_role_for_scopes(self, role):
+        return self._translate_role_for_scopes(TEAM_ROLES, SCOPE_MAX_TEAM_ROLES, role)
 
-  def _repo_role_for_scopes(self, role):
-    return self._translate_role_for_scopes(REPO_ROLES, SCOPE_MAX_REPO_ROLES, role)
+    def _repo_role_for_scopes(self, role):
+        return self._translate_role_for_scopes(REPO_ROLES, SCOPE_MAX_REPO_ROLES, role)
 
-  def _user_role_for_scopes(self, role):
-    return self._translate_role_for_scopes(USER_ROLES, SCOPE_MAX_USER_ROLES, role)
+    def _user_role_for_scopes(self, role):
+        return self._translate_role_for_scopes(USER_ROLES, SCOPE_MAX_USER_ROLES, role)
 
-  def _populate_user_provides(self, user_object):
-    """ Populates the provides that naturally apply to a user, such as being the admin of
+    def _populate_user_provides(self, user_object):
+        """ Populates the provides that naturally apply to a user, such as being the admin of
         their own namespace.
     """
 
-    # Add the user specific permissions, only for non-oauth permission
-    user_grant = _UserNeed(user_object.username, self._user_role_for_scopes('admin'))
-    logger.debug('User permission: {0}'.format(user_grant))
-    self.provides.add(user_grant)
+        # Add the user specific permissions, only for non-oauth permission
+        user_grant = _UserNeed(
+            user_object.username, self._user_role_for_scopes("admin")
+        )
+        logger.debug("User permission: {0}".format(user_grant))
+        self.provides.add(user_grant)
 
-    # Every user is the admin of their own 'org'
-    user_namespace = _OrganizationNeed(user_object.username, self._team_role_for_scopes('admin'))
-    logger.debug('User namespace permission: {0}'.format(user_namespace))
-    self.provides.add(user_namespace)
+        # Every user is the admin of their own 'org'
+        user_namespace = _OrganizationNeed(
+            user_object.username, self._team_role_for_scopes("admin")
+        )
+        logger.debug("User namespace permission: {0}".format(user_namespace))
+        self.provides.add(user_namespace)
 
-    # Org repo roles can differ for scopes
-    user_repos = _OrganizationRepoNeed(user_object.username, self._repo_role_for_scopes('admin'))
-    logger.debug('User namespace repo permission: {0}'.format(user_repos))
-    self.provides.add(user_repos)
+        # Org repo roles can differ for scopes
+        user_repos = _OrganizationRepoNeed(
+            user_object.username, self._repo_role_for_scopes("admin")
+        )
+        logger.debug("User namespace repo permission: {0}".format(user_repos))
+        self.provides.add(user_repos)
 
-    if ((scopes.SUPERUSER in self._scope_set or scopes.DIRECT_LOGIN in self._scope_set) and
-        superusers.is_superuser(user_object.username)):
-      logger.debug('Adding superuser to user: %s', user_object.username)
-      self.provides.add(_SuperUserNeed())
+        if (
+            scopes.SUPERUSER in self._scope_set
+            or scopes.DIRECT_LOGIN in self._scope_set
+        ) and superusers.is_superuser(user_object.username):
+            logger.debug("Adding superuser to user: %s", user_object.username)
+            self.provides.add(_SuperUserNeed())
 
-  def _populate_namespace_wide_provides(self, user_object, namespace_filter):
-    """ Populates the namespace-wide provides for a particular user under a particular namespace.
+    def _populate_namespace_wide_provides(self, user_object, namespace_filter):
+        """ Populates the namespace-wide provides for a particular user under a particular namespace.
         This method does *not* add any provides for specific repositories.
     """
 
-    for team in model.permission.get_org_wide_permissions(user_object, org_filter=namespace_filter):
-      team_org_grant = _OrganizationNeed(team.organization.username,
-                                         self._team_role_for_scopes(team.role.name))
-      logger.debug('Organization team added permission: {0}'.format(team_org_grant))
-      self.provides.add(team_org_grant)
+        for team in model.permission.get_org_wide_permissions(
+            user_object, org_filter=namespace_filter
+        ):
+            team_org_grant = _OrganizationNeed(
+                team.organization.username, self._team_role_for_scopes(team.role.name)
+            )
+            logger.debug(
+                "Organization team added permission: {0}".format(team_org_grant)
+            )
+            self.provides.add(team_org_grant)
 
-      team_repo_role = TEAM_ORGWIDE_REPO_ROLES[team.role.name]
-      org_repo_grant = _OrganizationRepoNeed(team.organization.username,
-                                             self._repo_role_for_scopes(team_repo_role))
-      logger.debug('Organization team added repo permission: {0}'.format(org_repo_grant))
-      self.provides.add(org_repo_grant)
+            team_repo_role = TEAM_ORGWIDE_REPO_ROLES[team.role.name]
+            org_repo_grant = _OrganizationRepoNeed(
+                team.organization.username, self._repo_role_for_scopes(team_repo_role)
+            )
+            logger.debug(
+                "Organization team added repo permission: {0}".format(org_repo_grant)
+            )
+            self.provides.add(org_repo_grant)
 
-      team_grant = _TeamNeed(team.organization.username, team.name,
-                             self._team_role_for_scopes(team.role.name))
-      logger.debug('Team added permission: {0}'.format(team_grant))
-      self.provides.add(team_grant)
+            team_grant = _TeamNeed(
+                team.organization.username,
+                team.name,
+                self._team_role_for_scopes(team.role.name),
+            )
+            logger.debug("Team added permission: {0}".format(team_grant))
+            self.provides.add(team_grant)
 
-  def _populate_repository_provides(self, user_object, namespace_filter, repository_name):
-    """ Populates the repository-specific provides for a particular user and repository. """
+    def _populate_repository_provides(
+        self, user_object, namespace_filter, repository_name
+    ):
+        """ Populates the repository-specific provides for a particular user and repository. """
 
-    if namespace_filter and repository_name:
-      permissions = model.permission.get_user_repository_permissions(user_object, namespace_filter,
-                                                                     repository_name)
-    else:
-      permissions = model.permission.get_all_user_repository_permissions(user_object)
+        if namespace_filter and repository_name:
+            permissions = model.permission.get_user_repository_permissions(
+                user_object, namespace_filter, repository_name
+            )
+        else:
+            permissions = model.permission.get_all_user_repository_permissions(
+                user_object
+            )
 
-    for perm in permissions:
-      repo_grant = _RepositoryNeed(perm.repository.namespace_user.username, perm.repository.name,
-                                   self._repo_role_for_scopes(perm.role.name))
-      logger.debug('User added permission: {0}'.format(repo_grant))
-      self.provides.add(repo_grant)
+        for perm in permissions:
+            repo_grant = _RepositoryNeed(
+                perm.repository.namespace_user.username,
+                perm.repository.name,
+                self._repo_role_for_scopes(perm.role.name),
+            )
+            logger.debug("User added permission: {0}".format(repo_grant))
+            self.provides.add(repo_grant)
 
-  def can(self, permission):
-    logger.debug('Loading user permissions after deferring for: %s', self.id)
-    user_object = self._user_object or model.user.get_user_by_uuid(self.id)
-    if user_object is None:
-      return super(QuayDeferredPermissionUser, self).can(permission)
+    def can(self, permission):
+        logger.debug("Loading user permissions after deferring for: %s", self.id)
+        user_object = self._user_object or model.user.get_user_by_uuid(self.id)
+        if user_object is None:
+            return super(QuayDeferredPermissionUser, self).can(permission)
 
-    # Add the user-specific provides.
-    if not self._personal_loaded:
-      self._populate_user_provides(user_object)
-      self._personal_loaded = True
+        # Add the user-specific provides.
+        if not self._personal_loaded:
+            self._populate_user_provides(user_object)
+            self._personal_loaded = True
 
-    # If we now have permission, no need to load any more permissions.
-    if super(QuayDeferredPermissionUser, self).can(permission):
-      return super(QuayDeferredPermissionUser, self).can(permission)
+        # If we now have permission, no need to load any more permissions.
+        if super(QuayDeferredPermissionUser, self).can(permission):
+            return super(QuayDeferredPermissionUser, self).can(permission)
 
-    # Check for namespace and/or repository permissions.
-    perm_namespace = permission.namespace
-    perm_repo_name = permission.repo_name
-    perm_repository = None
+        # Check for namespace and/or repository permissions.
+        perm_namespace = permission.namespace
+        perm_repo_name = permission.repo_name
+        perm_repository = None
 
-    if perm_namespace and perm_repo_name:
-      perm_repository = '%s/%s' % (perm_namespace, perm_repo_name)
+        if perm_namespace and perm_repo_name:
+            perm_repository = "%s/%s" % (perm_namespace, perm_repo_name)
 
-    if not perm_namespace and not perm_repo_name:
-      # Nothing more to load, so just check directly.
-      return super(QuayDeferredPermissionUser, self).can(permission)
+        if not perm_namespace and not perm_repo_name:
+            # Nothing more to load, so just check directly.
+            return super(QuayDeferredPermissionUser, self).can(permission)
 
-    # Lazy-load the repository-specific permissions.
-    if perm_repository and perm_repository not in self._repositories_loaded:
-      self._populate_repository_provides(user_object, perm_namespace, perm_repo_name)
-      self._repositories_loaded.add(perm_repository)
+        # Lazy-load the repository-specific permissions.
+        if perm_repository and perm_repository not in self._repositories_loaded:
+            self._populate_repository_provides(
+                user_object, perm_namespace, perm_repo_name
+            )
+            self._repositories_loaded.add(perm_repository)
+
+            # If we now have permission, no need to load any more permissions.
+            if super(QuayDeferredPermissionUser, self).can(permission):
+                return super(QuayDeferredPermissionUser, self).can(permission)
+
+        # Lazy-load the namespace-wide-only permissions.
+        if perm_namespace and perm_namespace not in self._namespace_wide_loaded:
+            self._populate_namespace_wide_provides(user_object, perm_namespace)
+            self._namespace_wide_loaded.add(perm_namespace)
 
-      # If we now have permission, no need to load any more permissions.
-      if super(QuayDeferredPermissionUser, self).can(permission):
         return super(QuayDeferredPermissionUser, self).can(permission)
 
-    # Lazy-load the namespace-wide-only permissions.
-    if perm_namespace and perm_namespace not in self._namespace_wide_loaded:
-      self._populate_namespace_wide_provides(user_object, perm_namespace)
-      self._namespace_wide_loaded.add(perm_namespace)
-
-    return super(QuayDeferredPermissionUser, self).can(permission)
-
 
 class QuayPermission(Permission):
-  """ Base for all permissions in Quay. """
-  namespace = None
-  repo_name = None
+    """ Base for all permissions in Quay. """
+
+    namespace = None
+    repo_name = None
 
 
 class ModifyRepositoryPermission(QuayPermission):
-  def __init__(self, namespace, name):
-    admin_need = _RepositoryNeed(namespace, name, 'admin')
-    write_need = _RepositoryNeed(namespace, name, 'write')
-    org_admin_need = _OrganizationRepoNeed(namespace, 'admin')
-    org_write_need = _OrganizationRepoNeed(namespace, 'write')
+    def __init__(self, namespace, name):
+        admin_need = _RepositoryNeed(namespace, name, "admin")
+        write_need = _RepositoryNeed(namespace, name, "write")
+        org_admin_need = _OrganizationRepoNeed(namespace, "admin")
+        org_write_need = _OrganizationRepoNeed(namespace, "write")
 
-    self.namespace = namespace
-    self.repo_name = name
+        self.namespace = namespace
+        self.repo_name = name
 
-    super(ModifyRepositoryPermission, self).__init__(admin_need, write_need, org_admin_need,
-                                                     org_write_need)
+        super(ModifyRepositoryPermission, self).__init__(
+            admin_need, write_need, org_admin_need, org_write_need
+        )
 
 
 class ReadRepositoryPermission(QuayPermission):
-  def __init__(self, namespace, name):
-    admin_need = _RepositoryNeed(namespace, name, 'admin')
-    write_need = _RepositoryNeed(namespace, name, 'write')
-    read_need = _RepositoryNeed(namespace, name, 'read')
-    org_admin_need = _OrganizationRepoNeed(namespace, 'admin')
-    org_write_need = _OrganizationRepoNeed(namespace, 'write')
-    org_read_need = _OrganizationRepoNeed(namespace, 'read')
+    def __init__(self, namespace, name):
+        admin_need = _RepositoryNeed(namespace, name, "admin")
+        write_need = _RepositoryNeed(namespace, name, "write")
+        read_need = _RepositoryNeed(namespace, name, "read")
+        org_admin_need = _OrganizationRepoNeed(namespace, "admin")
+        org_write_need = _OrganizationRepoNeed(namespace, "write")
+        org_read_need = _OrganizationRepoNeed(namespace, "read")
 
-    self.namespace = namespace
-    self.repo_name = name
+        self.namespace = namespace
+        self.repo_name = name
 
-    super(ReadRepositoryPermission, self).__init__(admin_need, write_need, read_need,
-                                                   org_admin_need, org_read_need, org_write_need)
+        super(ReadRepositoryPermission, self).__init__(
+            admin_need,
+            write_need,
+            read_need,
+            org_admin_need,
+            org_read_need,
+            org_write_need,
+        )
 
 
 class AdministerRepositoryPermission(QuayPermission):
-  def __init__(self, namespace, name):
-    admin_need = _RepositoryNeed(namespace, name, 'admin')
-    org_admin_need = _OrganizationRepoNeed(namespace, 'admin')
+    def __init__(self, namespace, name):
+        admin_need = _RepositoryNeed(namespace, name, "admin")
+        org_admin_need = _OrganizationRepoNeed(namespace, "admin")
 
-    self.namespace = namespace
-    self.repo_name = name
+        self.namespace = namespace
+        self.repo_name = name
 
-    super(AdministerRepositoryPermission, self).__init__(admin_need,
-                                                         org_admin_need)
+        super(AdministerRepositoryPermission, self).__init__(admin_need, org_admin_need)
 
 
 class CreateRepositoryPermission(QuayPermission):
-  def __init__(self, namespace):
-    admin_org = _OrganizationNeed(namespace, 'admin')
-    create_repo_org = _OrganizationNeed(namespace, 'creator')
+    def __init__(self, namespace):
+        admin_org = _OrganizationNeed(namespace, "admin")
+        create_repo_org = _OrganizationNeed(namespace, "creator")
 
-    self.namespace = namespace
+        self.namespace = namespace
+
+        super(CreateRepositoryPermission, self).__init__(admin_org, create_repo_org)
 
-    super(CreateRepositoryPermission, self).__init__(admin_org,
-                                                     create_repo_org)
 
 class SuperUserPermission(QuayPermission):
-  def __init__(self):
-    need = _SuperUserNeed()
-    super(SuperUserPermission, self).__init__(need)
+    def __init__(self):
+        need = _SuperUserNeed()
+        super(SuperUserPermission, self).__init__(need)
 
 
 class UserAdminPermission(QuayPermission):
-  def __init__(self, username):
-    user_admin = _UserNeed(username, 'admin')
-    super(UserAdminPermission, self).__init__(user_admin)
+    def __init__(self, username):
+        user_admin = _UserNeed(username, "admin")
+        super(UserAdminPermission, self).__init__(user_admin)
 
 
 class UserReadPermission(QuayPermission):
-  def __init__(self, username):
-    user_admin = _UserNeed(username, 'admin')
-    user_read = _UserNeed(username, 'read')
-    super(UserReadPermission, self).__init__(user_read, user_admin)
+    def __init__(self, username):
+        user_admin = _UserNeed(username, "admin")
+        user_read = _UserNeed(username, "read")
+        super(UserReadPermission, self).__init__(user_read, user_admin)
 
 
 class AdministerOrganizationPermission(QuayPermission):
-  def __init__(self, org_name):
-    admin_org = _OrganizationNeed(org_name, 'admin')
+    def __init__(self, org_name):
+        admin_org = _OrganizationNeed(org_name, "admin")
 
-    self.namespace = org_name
+        self.namespace = org_name
 
-    super(AdministerOrganizationPermission, self).__init__(admin_org)
+        super(AdministerOrganizationPermission, self).__init__(admin_org)
 
 
 class OrganizationMemberPermission(QuayPermission):
-  def __init__(self, org_name):
-    admin_org = _OrganizationNeed(org_name, 'admin')
-    repo_creator_org = _OrganizationNeed(org_name, 'creator')
-    org_member = _OrganizationNeed(org_name, 'member')
+    def __init__(self, org_name):
+        admin_org = _OrganizationNeed(org_name, "admin")
+        repo_creator_org = _OrganizationNeed(org_name, "creator")
+        org_member = _OrganizationNeed(org_name, "member")
 
-    self.namespace = org_name
+        self.namespace = org_name
 
-    super(OrganizationMemberPermission, self).__init__(admin_org, org_member,
-                                                       repo_creator_org)
+        super(OrganizationMemberPermission, self).__init__(
+            admin_org, org_member, repo_creator_org
+        )
 
 
 class ViewTeamPermission(QuayPermission):
-  def __init__(self, org_name, team_name):
-    team_admin = _TeamNeed(org_name, team_name, 'admin')
-    team_creator = _TeamNeed(org_name, team_name, 'creator')
-    team_member = _TeamNeed(org_name, team_name, 'member')
-    admin_org = _OrganizationNeed(org_name, 'admin')
+    def __init__(self, org_name, team_name):
+        team_admin = _TeamNeed(org_name, team_name, "admin")
+        team_creator = _TeamNeed(org_name, team_name, "creator")
+        team_member = _TeamNeed(org_name, team_name, "member")
+        admin_org = _OrganizationNeed(org_name, "admin")
 
-    self.namespace = org_name
+        self.namespace = org_name
 
-    super(ViewTeamPermission, self).__init__(team_admin, team_creator,
-                                             team_member, admin_org)
+        super(ViewTeamPermission, self).__init__(
+            team_admin, team_creator, team_member, admin_org
+        )
 
 
 class AlwaysFailPermission(QuayPermission):
-  def can(self):
-    return False
+    def can(self):
+        return False
 
 
 @identity_loaded.connect_via(app)
 def on_identity_loaded(sender, identity):
-  logger.debug('Identity loaded: %s' % identity)
-  # We have verified an identity, load in all of the permissions
+    logger.debug("Identity loaded: %s" % identity)
+    # We have verified an identity, load in all of the permissions
 
-  if isinstance(identity, QuayDeferredPermissionUser):
-    logger.debug('Deferring permissions for user with uuid: %s', identity.id)
+    if isinstance(identity, QuayDeferredPermissionUser):
+        logger.debug("Deferring permissions for user with uuid: %s", identity.id)
 
-  elif identity.auth_type == 'user_uuid':
-    logger.debug('Switching username permission to deferred object with uuid: %s', identity.id)
-    switch_to_deferred = QuayDeferredPermissionUser.for_id(identity.id)
-    identity_changed.send(app, identity=switch_to_deferred)
+    elif identity.auth_type == "user_uuid":
+        logger.debug(
+            "Switching username permission to deferred object with uuid: %s",
+            identity.id,
+        )
+        switch_to_deferred = QuayDeferredPermissionUser.for_id(identity.id)
+        identity_changed.send(app, identity=switch_to_deferred)
 
-  elif identity.auth_type == 'token':
-    logger.debug('Loading permissions for token: %s', identity.id)
-    token_data = model.token.load_token_data(identity.id)
+    elif identity.auth_type == "token":
+        logger.debug("Loading permissions for token: %s", identity.id)
+        token_data = model.token.load_token_data(identity.id)
 
-    repo_grant = _RepositoryNeed(token_data.repository.namespace_user.username,
-                                 token_data.repository.name,
-                                 token_data.role.name)
-    logger.debug('Delegate token added permission: %s', repo_grant)
-    identity.provides.add(repo_grant)
+        repo_grant = _RepositoryNeed(
+            token_data.repository.namespace_user.username,
+            token_data.repository.name,
+            token_data.role.name,
+        )
+        logger.debug("Delegate token added permission: %s", repo_grant)
+        identity.provides.add(repo_grant)
 
-  elif identity.auth_type == 'signed_grant' or identity.auth_type == 'signed_jwt':
-    logger.debug('Loaded %s identity for: %s', identity.auth_type, identity.id)
+    elif identity.auth_type == "signed_grant" or identity.auth_type == "signed_jwt":
+        logger.debug("Loaded %s identity for: %s", identity.auth_type, identity.id)
 
-  else:
-    logger.error('Unknown identity auth type: %s', identity.auth_type)
+    else:
+        logger.error("Unknown identity auth type: %s", identity.auth_type)
diff --git a/auth/registry_jwt_auth.py b/auth/registry_jwt_auth.py
index 75be63d73..135e49a94 100644
--- a/auth/registry_jwt_auth.py
+++ b/auth/registry_jwt_auth.py
@@ -9,156 +9,166 @@ from flask_principal import identity_changed, Identity
 from app import app, get_app_url, instance_keys, metric_queue
 from auth.auth_context import set_authenticated_context
 from auth.auth_context_type import SignedAuthContext
-from auth.permissions import repository_read_grant, repository_write_grant, repository_admin_grant
+from auth.permissions import (
+    repository_read_grant,
+    repository_write_grant,
+    repository_admin_grant,
+)
 from util.http import abort
 from util.names import parse_namespace_repository
-from util.security.registry_jwt import (ANONYMOUS_SUB, decode_bearer_header,
-                                        InvalidBearerTokenException)
+from util.security.registry_jwt import (
+    ANONYMOUS_SUB,
+    decode_bearer_header,
+    InvalidBearerTokenException,
+)
 
 
 logger = logging.getLogger(__name__)
 
 
 ACCESS_SCHEMA = {
-  'type': 'array',
-  'description': 'List of access granted to the subject',
-  'items': {
-    'type': 'object',
-    'required': [
-      'type',
-      'name',
-      'actions',
-    ],
-    'properties': {
-      'type': {
-        'type': 'string',
-        'description': 'We only allow repository permissions',
-        'enum': [
-          'repository',
-        ],
-      },
-      'name': {
-        'type': 'string',
-        'description': 'The name of the repository for which we are receiving access'
-      },
-      'actions': {
-        'type': 'array',
-        'description': 'List of specific verbs which can be performed against repository',
-        'items': {
-          'type': 'string',
-          'enum': [
-            'push',
-            'pull',
-            '*',
-          ],
+    "type": "array",
+    "description": "List of access granted to the subject",
+    "items": {
+        "type": "object",
+        "required": ["type", "name", "actions"],
+        "properties": {
+            "type": {
+                "type": "string",
+                "description": "We only allow repository permissions",
+                "enum": ["repository"],
+            },
+            "name": {
+                "type": "string",
+                "description": "The name of the repository for which we are receiving access",
+            },
+            "actions": {
+                "type": "array",
+                "description": "List of specific verbs which can be performed against repository",
+                "items": {"type": "string", "enum": ["push", "pull", "*"]},
+            },
         },
-      },
     },
-  },
 }
 
 
 class InvalidJWTException(Exception):
-  pass
+    pass
 
 
 def get_auth_headers(repository=None, scopes=None):
-  """ Returns a dictionary of headers for auth responses. """
-  headers = {}
-  realm_auth_path = url_for('v2.generate_registry_jwt')
-  authenticate = 'Bearer realm="{0}{1}",service="{2}"'.format(get_app_url(),
-                                                              realm_auth_path,
-                                                              app.config['SERVER_HOSTNAME'])
-  if repository:
-    scopes_string = "repository:{0}".format(repository)
-    if scopes:
-      scopes_string += ':' + ','.join(scopes)
+    """ Returns a dictionary of headers for auth responses. """
+    headers = {}
+    realm_auth_path = url_for("v2.generate_registry_jwt")
+    authenticate = 'Bearer realm="{0}{1}",service="{2}"'.format(
+        get_app_url(), realm_auth_path, app.config["SERVER_HOSTNAME"]
+    )
+    if repository:
+        scopes_string = "repository:{0}".format(repository)
+        if scopes:
+            scopes_string += ":" + ",".join(scopes)
 
-    authenticate += ',scope="{0}"'.format(scopes_string)
+        authenticate += ',scope="{0}"'.format(scopes_string)
 
-  headers['WWW-Authenticate'] = authenticate
-  headers['Docker-Distribution-API-Version'] = 'registry/2.0'
-  return headers
+    headers["WWW-Authenticate"] = authenticate
+    headers["Docker-Distribution-API-Version"] = "registry/2.0"
+    return headers
 
 
 def identity_from_bearer_token(bearer_header):
-  """ Process a bearer header and return the loaded identity, or raise InvalidJWTException if an
+    """ Process a bearer header and return the loaded identity, or raise InvalidJWTException if an
       identity could not be loaded. Expects tokens and grants in the format of the Docker registry
       v2 auth spec: https://docs.docker.com/registry/spec/auth/token/
   """
-  logger.debug('Validating auth header: %s', bearer_header)
+    logger.debug("Validating auth header: %s", bearer_header)
 
-  try:
-    payload = decode_bearer_header(bearer_header, instance_keys, app.config,
-                                   metric_queue=metric_queue)
-  except InvalidBearerTokenException as bte:
-    logger.exception('Invalid bearer token: %s', bte)
-    raise InvalidJWTException(bte)
-
-  loaded_identity = Identity(payload['sub'], 'signed_jwt')
-
-  # Process the grants from the payload
-  if 'access' in payload:
     try:
-      validate(payload['access'], ACCESS_SCHEMA)
-    except ValidationError:
-      logger.exception('We should not be minting invalid credentials')
-      raise InvalidJWTException('Token contained invalid or malformed access grants')
+        payload = decode_bearer_header(
+            bearer_header, instance_keys, app.config, metric_queue=metric_queue
+        )
+    except InvalidBearerTokenException as bte:
+        logger.exception("Invalid bearer token: %s", bte)
+        raise InvalidJWTException(bte)
 
-    lib_namespace = app.config['LIBRARY_NAMESPACE']
-    for grant in payload['access']:
-      namespace, repo_name = parse_namespace_repository(grant['name'], lib_namespace)
+    loaded_identity = Identity(payload["sub"], "signed_jwt")
 
-      if '*' in grant['actions']:
-        loaded_identity.provides.add(repository_admin_grant(namespace, repo_name))
-      elif 'push' in grant['actions']:
-        loaded_identity.provides.add(repository_write_grant(namespace, repo_name))
-      elif 'pull' in grant['actions']:
-        loaded_identity.provides.add(repository_read_grant(namespace, repo_name))
+    # Process the grants from the payload
+    if "access" in payload:
+        try:
+            validate(payload["access"], ACCESS_SCHEMA)
+        except ValidationError:
+            logger.exception("We should not be minting invalid credentials")
+            raise InvalidJWTException(
+                "Token contained invalid or malformed access grants"
+            )
 
-  default_context = {
-    'kind': 'anonymous'
-  }
+        lib_namespace = app.config["LIBRARY_NAMESPACE"]
+        for grant in payload["access"]:
+            namespace, repo_name = parse_namespace_repository(
+                grant["name"], lib_namespace
+            )
 
-  if payload['sub'] != ANONYMOUS_SUB:
-    default_context = {
-      'kind': 'user',
-      'user': payload['sub'],
-    }
+            if "*" in grant["actions"]:
+                loaded_identity.provides.add(
+                    repository_admin_grant(namespace, repo_name)
+                )
+            elif "push" in grant["actions"]:
+                loaded_identity.provides.add(
+                    repository_write_grant(namespace, repo_name)
+                )
+            elif "pull" in grant["actions"]:
+                loaded_identity.provides.add(
+                    repository_read_grant(namespace, repo_name)
+                )
 
-  return loaded_identity, payload.get('context', default_context)
+    default_context = {"kind": "anonymous"}
+
+    if payload["sub"] != ANONYMOUS_SUB:
+        default_context = {"kind": "user", "user": payload["sub"]}
+
+    return loaded_identity, payload.get("context", default_context)
 
 
 def process_registry_jwt_auth(scopes=None):
-  """ Processes the registry JWT auth token found in the authorization header. If none found,
+    """ Processes the registry JWT auth token found in the authorization header. If none found,
       no error is returned. If an invalid token is found, raises a 401.
   """
-  def inner(func):
-    @wraps(func)
-    def wrapper(*args, **kwargs):
-      logger.debug('Called with params: %s, %s', args, kwargs)
-      auth = request.headers.get('authorization', '').strip()
-      if auth:
-        try:
-          extracted_identity, context_dict = identity_from_bearer_token(auth)
-          identity_changed.send(app, identity=extracted_identity)
-          logger.debug('Identity changed to %s', extracted_identity.id)
 
-          auth_context = SignedAuthContext.build_from_signed_dict(context_dict)
-          if auth_context is not None:
-            logger.debug('Auth context set to %s', auth_context.signed_data)
-            set_authenticated_context(auth_context)
+    def inner(func):
+        @wraps(func)
+        def wrapper(*args, **kwargs):
+            logger.debug("Called with params: %s, %s", args, kwargs)
+            auth = request.headers.get("authorization", "").strip()
+            if auth:
+                try:
+                    extracted_identity, context_dict = identity_from_bearer_token(auth)
+                    identity_changed.send(app, identity=extracted_identity)
+                    logger.debug("Identity changed to %s", extracted_identity.id)
 
-        except InvalidJWTException as ije:
-          repository = None
-          if 'namespace_name' in kwargs and 'repo_name' in kwargs:
-            repository = kwargs['namespace_name'] + '/' + kwargs['repo_name']
+                    auth_context = SignedAuthContext.build_from_signed_dict(
+                        context_dict
+                    )
+                    if auth_context is not None:
+                        logger.debug("Auth context set to %s", auth_context.signed_data)
+                        set_authenticated_context(auth_context)
 
-          abort(401, message=ije.message, headers=get_auth_headers(repository=repository,
-                                                                   scopes=scopes))
-      else:
-        logger.debug('No auth header.')
+                except InvalidJWTException as ije:
+                    repository = None
+                    if "namespace_name" in kwargs and "repo_name" in kwargs:
+                        repository = (
+                            kwargs["namespace_name"] + "/" + kwargs["repo_name"]
+                        )
 
-      return func(*args, **kwargs)
-    return wrapper
-  return inner
+                    abort(
+                        401,
+                        message=ije.message,
+                        headers=get_auth_headers(repository=repository, scopes=scopes),
+                    )
+            else:
+                logger.debug("No auth header.")
+
+            return func(*args, **kwargs)
+
+        return wrapper
+
+    return inner
diff --git a/auth/scopes.py b/auth/scopes.py
index dbbb0ae1c..c16a3dbf3 100644
--- a/auth/scopes.py
+++ b/auth/scopes.py
@@ -2,145 +2,194 @@ from collections import namedtuple
 import features
 import re
 
-Scope = namedtuple('scope', ['scope', 'icon', 'dangerous', 'title', 'description'])
+Scope = namedtuple("scope", ["scope", "icon", "dangerous", "title", "description"])
 
 
-READ_REPO = Scope(scope='repo:read',
-                  icon='fa-hdd-o',
-                  dangerous=False,
-                  title='View all visible repositories',
-                  description=('This application will be able to view and pull all repositories '
-                               'visible to the granting user or robot account'))
+READ_REPO = Scope(
+    scope="repo:read",
+    icon="fa-hdd-o",
+    dangerous=False,
+    title="View all visible repositories",
+    description=(
+        "This application will be able to view and pull all repositories "
+        "visible to the granting user or robot account"
+    ),
+)
 
-WRITE_REPO = Scope(scope='repo:write',
-                   icon='fa-hdd-o',
-                   dangerous=False,
-                   title='Read/Write to any accessible repositories',
-                   description=('This application will be able to view, push and pull to all '
-                                'repositories to which the granting user or robot account has '
-                                'write access'))
+WRITE_REPO = Scope(
+    scope="repo:write",
+    icon="fa-hdd-o",
+    dangerous=False,
+    title="Read/Write to any accessible repositories",
+    description=(
+        "This application will be able to view, push and pull to all "
+        "repositories to which the granting user or robot account has "
+        "write access"
+    ),
+)
 
-ADMIN_REPO = Scope(scope='repo:admin',
-                   icon='fa-hdd-o',
-                   dangerous=False,
-                   title='Administer Repositories',
-                   description=('This application will have administrator access to all '
-                                'repositories to which the granting user or robot account has '
-                                'access'))
+ADMIN_REPO = Scope(
+    scope="repo:admin",
+    icon="fa-hdd-o",
+    dangerous=False,
+    title="Administer Repositories",
+    description=(
+        "This application will have administrator access to all "
+        "repositories to which the granting user or robot account has "
+        "access"
+    ),
+)
 
-CREATE_REPO = Scope(scope='repo:create',
-                    icon='fa-plus',
-                    dangerous=False,
-                    title='Create Repositories',
-                    description=('This application will be able to create repositories in to any '
-                                 'namespaces that the granting user or robot account is allowed '
-                                 'to create repositories'))
+CREATE_REPO = Scope(
+    scope="repo:create",
+    icon="fa-plus",
+    dangerous=False,
+    title="Create Repositories",
+    description=(
+        "This application will be able to create repositories in to any "
+        "namespaces that the granting user or robot account is allowed "
+        "to create repositories"
+    ),
+)
 
-READ_USER = Scope(scope= 'user:read',
-                  icon='fa-user',
-                  dangerous=False,
-                  title='Read User Information',
-                  description=('This application will be able to read user information such as '
-                               'username and email address.'))
+READ_USER = Scope(
+    scope="user:read",
+    icon="fa-user",
+    dangerous=False,
+    title="Read User Information",
+    description=(
+        "This application will be able to read user information such as "
+        "username and email address."
+    ),
+)
 
-ADMIN_USER = Scope(scope= 'user:admin',
-                  icon='fa-gear',
-                  dangerous=True,
-                  title='Administer User',
-                  description=('This application will be able to administer your account '
-                               'including creating robots and granting them permissions '
-                               'to your repositories. You should have absolute trust in the '
-                               'requesting application before granting this permission.'))
+ADMIN_USER = Scope(
+    scope="user:admin",
+    icon="fa-gear",
+    dangerous=True,
+    title="Administer User",
+    description=(
+        "This application will be able to administer your account "
+        "including creating robots and granting them permissions "
+        "to your repositories. You should have absolute trust in the "
+        "requesting application before granting this permission."
+    ),
+)
 
-ORG_ADMIN = Scope(scope='org:admin',
-                  icon='fa-gear',
-                  dangerous=True,
-                  title='Administer Organization',
-                  description=('This application will be able to administer your organizations '
-                               'including creating robots, creating teams, adjusting team '
-                               'membership, and changing billing settings. You should have '
-                               'absolute trust in the requesting application before granting this '
-                               'permission.'))
+ORG_ADMIN = Scope(
+    scope="org:admin",
+    icon="fa-gear",
+    dangerous=True,
+    title="Administer Organization",
+    description=(
+        "This application will be able to administer your organizations "
+        "including creating robots, creating teams, adjusting team "
+        "membership, and changing billing settings. You should have "
+        "absolute trust in the requesting application before granting this "
+        "permission."
+    ),
+)
 
-DIRECT_LOGIN = Scope(scope='direct_user_login',
-                     icon='fa-exclamation-triangle',
-                     dangerous=True,
-                     title='Full Access',
-                     description=('This scope should not be available to OAuth applications. '
-                                  'Never approve a request for this scope!'))
+DIRECT_LOGIN = Scope(
+    scope="direct_user_login",
+    icon="fa-exclamation-triangle",
+    dangerous=True,
+    title="Full Access",
+    description=(
+        "This scope should not be available to OAuth applications. "
+        "Never approve a request for this scope!"
+    ),
+)
 
-SUPERUSER = Scope(scope='super:user',
-                  icon='fa-street-view',
-                  dangerous=True,
-                  title='Super User Access',
-                  description=('This application will be able to administer your installation '
-                               'including managing users, managing organizations and other '
-                               'features found in the superuser panel. You should have '
-                               'absolute trust in the requesting application before granting this '
-                               'permission.'))
+SUPERUSER = Scope(
+    scope="super:user",
+    icon="fa-street-view",
+    dangerous=True,
+    title="Super User Access",
+    description=(
+        "This application will be able to administer your installation "
+        "including managing users, managing organizations and other "
+        "features found in the superuser panel. You should have "
+        "absolute trust in the requesting application before granting this "
+        "permission."
+    ),
+)
 
-ALL_SCOPES = {scope.scope: scope for scope in (READ_REPO, WRITE_REPO, ADMIN_REPO, CREATE_REPO,
-                                               READ_USER, ORG_ADMIN, SUPERUSER, ADMIN_USER)}
+ALL_SCOPES = {
+    scope.scope: scope
+    for scope in (
+        READ_REPO,
+        WRITE_REPO,
+        ADMIN_REPO,
+        CREATE_REPO,
+        READ_USER,
+        ORG_ADMIN,
+        SUPERUSER,
+        ADMIN_USER,
+    )
+}
 
 IMPLIED_SCOPES = {
-  ADMIN_REPO: {ADMIN_REPO, WRITE_REPO, READ_REPO},
-  WRITE_REPO: {WRITE_REPO, READ_REPO},
-  READ_REPO: {READ_REPO},
-  CREATE_REPO: {CREATE_REPO},
-  READ_USER: {READ_USER},
-  ORG_ADMIN: {ORG_ADMIN},
-  SUPERUSER: {SUPERUSER},
-  ADMIN_USER: {ADMIN_USER},
-  None: set(),
+    ADMIN_REPO: {ADMIN_REPO, WRITE_REPO, READ_REPO},
+    WRITE_REPO: {WRITE_REPO, READ_REPO},
+    READ_REPO: {READ_REPO},
+    CREATE_REPO: {CREATE_REPO},
+    READ_USER: {READ_USER},
+    ORG_ADMIN: {ORG_ADMIN},
+    SUPERUSER: {SUPERUSER},
+    ADMIN_USER: {ADMIN_USER},
+    None: set(),
 }
 
 
 def app_scopes(app_config):
-  scopes_from_config = dict(ALL_SCOPES)
-  if not app_config.get('FEATURE_SUPER_USERS', False):
-    del scopes_from_config[SUPERUSER.scope]
-  return scopes_from_config
+    scopes_from_config = dict(ALL_SCOPES)
+    if not app_config.get("FEATURE_SUPER_USERS", False):
+        del scopes_from_config[SUPERUSER.scope]
+    return scopes_from_config
 
 
 def scopes_from_scope_string(scopes):
-  if not scopes:
-    scopes = ''
+    if not scopes:
+        scopes = ""
 
-  # Note: The scopes string should be space seperated according to the spec:
-  # https://tools.ietf.org/html/rfc6749#section-3.3
-  # However, we also support commas for backwards compatibility with existing callers to our code.
-  scope_set = {ALL_SCOPES.get(scope, None) for scope in re.split(' |,', scopes)}
-  return scope_set if not None in scope_set else set()
+    # Note: The scopes string should be space seperated according to the spec:
+    # https://tools.ietf.org/html/rfc6749#section-3.3
+    # However, we also support commas for backwards compatibility with existing callers to our code.
+    scope_set = {ALL_SCOPES.get(scope, None) for scope in re.split(" |,", scopes)}
+    return scope_set if not None in scope_set else set()
 
 
 def validate_scope_string(scopes):
-  decoded = scopes_from_scope_string(scopes)
-  return len(decoded) > 0
+    decoded = scopes_from_scope_string(scopes)
+    return len(decoded) > 0
 
 
 def is_subset_string(full_string, expected_string):
-  """ Returns true if the scopes found in expected_string are also found
+    """ Returns true if the scopes found in expected_string are also found
       in full_string.
   """
-  full_scopes = scopes_from_scope_string(full_string)
-  if not full_scopes:
-    return False
+    full_scopes = scopes_from_scope_string(full_string)
+    if not full_scopes:
+        return False
 
-  full_implied_scopes = set.union(*[IMPLIED_SCOPES[scope] for scope in full_scopes])
-  expected_scopes = scopes_from_scope_string(expected_string)
-  return expected_scopes.issubset(full_implied_scopes)
+    full_implied_scopes = set.union(*[IMPLIED_SCOPES[scope] for scope in full_scopes])
+    expected_scopes = scopes_from_scope_string(expected_string)
+    return expected_scopes.issubset(full_implied_scopes)
 
 
 def get_scope_information(scopes_string):
-  scopes = scopes_from_scope_string(scopes_string)
-  scope_info = []
-  for scope in scopes:
-    scope_info.append({
-      'title': scope.title,
-      'scope': scope.scope,
-      'description': scope.description,
-      'icon': scope.icon,
-      'dangerous': scope.dangerous,
-    })
+    scopes = scopes_from_scope_string(scopes_string)
+    scope_info = []
+    for scope in scopes:
+        scope_info.append(
+            {
+                "title": scope.title,
+                "scope": scope.scope,
+                "description": scope.description,
+                "icon": scope.icon,
+                "dangerous": scope.dangerous,
+            }
+        )
 
-  return scope_info
+    return scope_info
diff --git a/auth/signedgrant.py b/auth/signedgrant.py
index b8169114d..4063115a0 100644
--- a/auth/signedgrant.py
+++ b/auth/signedgrant.py
@@ -8,48 +8,49 @@ from auth.validateresult import AuthKind, ValidateResult
 logger = logging.getLogger(__name__)
 
 # The prefix for all signatures of signed granted.
-SIGNATURE_PREFIX = 'sigv2='
+SIGNATURE_PREFIX = "sigv2="
+
 
 def generate_signed_token(grants, user_context):
-  """ Generates a signed session token with the given grants and user context. """
-  ser = SecureCookieSessionInterface().get_signing_serializer(app)
-  data_to_sign = {
-    'grants': grants,
-    'user_context': user_context,
-  }
+    """ Generates a signed session token with the given grants and user context. """
+    ser = SecureCookieSessionInterface().get_signing_serializer(app)
+    data_to_sign = {"grants": grants, "user_context": user_context}
 
-  encrypted = ser.dumps(data_to_sign)
-  return '{0}{1}'.format(SIGNATURE_PREFIX, encrypted)
+    encrypted = ser.dumps(data_to_sign)
+    return "{0}{1}".format(SIGNATURE_PREFIX, encrypted)
 
 
 def validate_signed_grant(auth_header):
-  """ Validates a signed grant as found inside an auth header and returns whether it points to
+    """ Validates a signed grant as found inside an auth header and returns whether it points to
       a valid grant.
   """
-  if not auth_header:
-    return ValidateResult(AuthKind.signed_grant, missing=True)
+    if not auth_header:
+        return ValidateResult(AuthKind.signed_grant, missing=True)
 
-  # Try to parse the token from the header.
-  normalized = [part.strip() for part in auth_header.split(' ') if part]
-  if normalized[0].lower() != 'token' or len(normalized) != 2:
-    logger.debug('Not a token: %s', auth_header)
-    return ValidateResult(AuthKind.signed_grant, missing=True)
+    # Try to parse the token from the header.
+    normalized = [part.strip() for part in auth_header.split(" ") if part]
+    if normalized[0].lower() != "token" or len(normalized) != 2:
+        logger.debug("Not a token: %s", auth_header)
+        return ValidateResult(AuthKind.signed_grant, missing=True)
 
-  # Check that it starts with the expected prefix.
-  if not normalized[1].startswith(SIGNATURE_PREFIX):
-    logger.debug('Not a signed grant token: %s', auth_header)
-    return ValidateResult(AuthKind.signed_grant, missing=True)
+    # Check that it starts with the expected prefix.
+    if not normalized[1].startswith(SIGNATURE_PREFIX):
+        logger.debug("Not a signed grant token: %s", auth_header)
+        return ValidateResult(AuthKind.signed_grant, missing=True)
 
-  # Decrypt the grant.
-  encrypted = normalized[1][len(SIGNATURE_PREFIX):]
-  ser = SecureCookieSessionInterface().get_signing_serializer(app)
+    # Decrypt the grant.
+    encrypted = normalized[1][len(SIGNATURE_PREFIX) :]
+    ser = SecureCookieSessionInterface().get_signing_serializer(app)
 
-  try:
-    token_data = ser.loads(encrypted, max_age=app.config['SIGNED_GRANT_EXPIRATION_SEC'])
-  except BadSignature:
-    logger.warning('Signed grant could not be validated: %s', encrypted)
-    return ValidateResult(AuthKind.signed_grant,
-                          error_message='Signed grant could not be validated')
+    try:
+        token_data = ser.loads(
+            encrypted, max_age=app.config["SIGNED_GRANT_EXPIRATION_SEC"]
+        )
+    except BadSignature:
+        logger.warning("Signed grant could not be validated: %s", encrypted)
+        return ValidateResult(
+            AuthKind.signed_grant, error_message="Signed grant could not be validated"
+        )
 
-  logger.debug('Successfully validated signed grant with data: %s', token_data)
-  return ValidateResult(AuthKind.signed_grant, signed_data=token_data)
+    logger.debug("Successfully validated signed grant with data: %s", token_data)
+    return ValidateResult(AuthKind.signed_grant, signed_data=token_data)
diff --git a/auth/test/test_auth_context_type.py b/auth/test/test_auth_context_type.py
index 7778d7f90..0b4e8227a 100644
--- a/auth/test/test_auth_context_type.py
+++ b/auth/test/test_auth_context_type.py
@@ -1,51 +1,65 @@
 import pytest
 
-from auth.auth_context_type import SignedAuthContext, ValidatedAuthContext, ContextEntityKind
+from auth.auth_context_type import (
+    SignedAuthContext,
+    ValidatedAuthContext,
+    ContextEntityKind,
+)
 from data import model, database
 
 from test.fixtures import *
 
+
 def get_oauth_token(_):
-  return database.OAuthAccessToken.get()
+    return database.OAuthAccessToken.get()
 
 
-@pytest.mark.parametrize('kind, entity_reference, loader', [
-  (ContextEntityKind.anonymous, None, None),
-  (ContextEntityKind.appspecifictoken, '%s%s' % ('a' * 60, 'b' * 60),
-   model.appspecifictoken.access_valid_token),
-  (ContextEntityKind.oauthtoken, None, get_oauth_token),
-  (ContextEntityKind.robot, 'devtable+dtrobot', model.user.lookup_robot),
-  (ContextEntityKind.user, 'devtable', model.user.get_user),
-])
-@pytest.mark.parametrize('v1_dict_format', [
-  (True),
-  (False),
-])
-def test_signed_auth_context(kind, entity_reference, loader, v1_dict_format, initialized_db):
-  if kind == ContextEntityKind.anonymous:
-    validated = ValidatedAuthContext()
-    assert validated.is_anonymous
-  else:
-    ref = loader(entity_reference)
-    validated = ValidatedAuthContext(**{kind.value: ref})
-    assert not validated.is_anonymous
+@pytest.mark.parametrize(
+    "kind, entity_reference, loader",
+    [
+        (ContextEntityKind.anonymous, None, None),
+        (
+            ContextEntityKind.appspecifictoken,
+            "%s%s" % ("a" * 60, "b" * 60),
+            model.appspecifictoken.access_valid_token,
+        ),
+        (ContextEntityKind.oauthtoken, None, get_oauth_token),
+        (ContextEntityKind.robot, "devtable+dtrobot", model.user.lookup_robot),
+        (ContextEntityKind.user, "devtable", model.user.get_user),
+    ],
+)
+@pytest.mark.parametrize("v1_dict_format", [(True), (False)])
+def test_signed_auth_context(
+    kind, entity_reference, loader, v1_dict_format, initialized_db
+):
+    if kind == ContextEntityKind.anonymous:
+        validated = ValidatedAuthContext()
+        assert validated.is_anonymous
+    else:
+        ref = loader(entity_reference)
+        validated = ValidatedAuthContext(**{kind.value: ref})
+        assert not validated.is_anonymous
 
-  assert validated.entity_kind == kind
-  assert validated.unique_key
+    assert validated.entity_kind == kind
+    assert validated.unique_key
 
-  signed = SignedAuthContext.build_from_signed_dict(validated.to_signed_dict(),
-                                                    v1_dict_format=v1_dict_format)
+    signed = SignedAuthContext.build_from_signed_dict(
+        validated.to_signed_dict(), v1_dict_format=v1_dict_format
+    )
 
-  if not v1_dict_format:
-    # Under legacy V1 format, we don't track the app specific token, merely its associated user.
-    assert signed.entity_kind == kind
-    assert signed.description == validated.description
-    assert signed.credential_username == validated.credential_username
-    assert signed.analytics_id_and_public_metadata() == validated.analytics_id_and_public_metadata()
-    assert signed.unique_key == validated.unique_key
+    if not v1_dict_format:
+        # Under legacy V1 format, we don't track the app specific token, merely its associated user.
+        assert signed.entity_kind == kind
+        assert signed.description == validated.description
+        assert signed.credential_username == validated.credential_username
+        assert (
+            signed.analytics_id_and_public_metadata()
+            == validated.analytics_id_and_public_metadata()
+        )
+        assert signed.unique_key == validated.unique_key
 
-  assert signed.is_anonymous == validated.is_anonymous
-  assert signed.authed_user == validated.authed_user
-  assert signed.has_nonrobot_user == validated.has_nonrobot_user
+    assert signed.is_anonymous == validated.is_anonymous
+    assert signed.authed_user == validated.authed_user
+    assert signed.has_nonrobot_user == validated.has_nonrobot_user
 
-  assert signed.to_signed_dict() == validated.to_signed_dict()
+    assert signed.to_signed_dict() == validated.to_signed_dict()
diff --git a/auth/test/test_basic.py b/auth/test/test_basic.py
index 24279b4b2..c7ecdc09c 100644
--- a/auth/test/test_basic.py
+++ b/auth/test/test_basic.py
@@ -5,8 +5,11 @@ import pytest
 from base64 import b64encode
 
 from auth.basic import validate_basic_auth
-from auth.credentials import (ACCESS_TOKEN_USERNAME, OAUTH_TOKEN_USERNAME,
-                              APP_SPECIFIC_TOKEN_USERNAME)
+from auth.credentials import (
+    ACCESS_TOKEN_USERNAME,
+    OAUTH_TOKEN_USERNAME,
+    APP_SPECIFIC_TOKEN_USERNAME,
+)
 from auth.validateresult import AuthKind, ValidateResult
 from data import model
 
@@ -14,85 +17,120 @@ from test.fixtures import *
 
 
 def _token(username, password):
-  assert isinstance(username, basestring)
-  assert isinstance(password, basestring)
-  return 'basic ' + b64encode('%s:%s' % (username, password))
+    assert isinstance(username, basestring)
+    assert isinstance(password, basestring)
+    return "basic " + b64encode("%s:%s" % (username, password))
 
 
-@pytest.mark.parametrize('token, expected_result', [
-  ('', ValidateResult(AuthKind.basic, missing=True)),
-  ('someinvalidtoken', ValidateResult(AuthKind.basic, missing=True)),
-  ('somefoobartoken', ValidateResult(AuthKind.basic, missing=True)),
-  ('basic ', ValidateResult(AuthKind.basic, missing=True)),
-  ('basic some token', ValidateResult(AuthKind.basic, missing=True)),
-  ('basic sometoken', ValidateResult(AuthKind.basic, missing=True)),
-  (_token(APP_SPECIFIC_TOKEN_USERNAME, 'invalid'), ValidateResult(AuthKind.basic,
-                                                                  error_message='Invalid token')),
-  (_token(ACCESS_TOKEN_USERNAME, 'invalid'), ValidateResult(AuthKind.basic,
-                                                            error_message='Invalid access token')),
-  (_token(OAUTH_TOKEN_USERNAME, 'invalid'),
-   ValidateResult(AuthKind.basic, error_message='OAuth access token could not be validated')),
-  (_token('devtable', 'invalid'), ValidateResult(AuthKind.basic,
-                                                 error_message='Invalid Username or Password')),
-  (_token('devtable+somebot', 'invalid'), ValidateResult(
-    AuthKind.basic, error_message='Could not find robot with username: devtable+somebot')),
-  (_token('disabled', 'password'), ValidateResult(
-    AuthKind.basic,
-    error_message='This user has been disabled. Please contact your administrator.')),])
+@pytest.mark.parametrize(
+    "token, expected_result",
+    [
+        ("", ValidateResult(AuthKind.basic, missing=True)),
+        ("someinvalidtoken", ValidateResult(AuthKind.basic, missing=True)),
+        ("somefoobartoken", ValidateResult(AuthKind.basic, missing=True)),
+        ("basic ", ValidateResult(AuthKind.basic, missing=True)),
+        ("basic some token", ValidateResult(AuthKind.basic, missing=True)),
+        ("basic sometoken", ValidateResult(AuthKind.basic, missing=True)),
+        (
+            _token(APP_SPECIFIC_TOKEN_USERNAME, "invalid"),
+            ValidateResult(AuthKind.basic, error_message="Invalid token"),
+        ),
+        (
+            _token(ACCESS_TOKEN_USERNAME, "invalid"),
+            ValidateResult(AuthKind.basic, error_message="Invalid access token"),
+        ),
+        (
+            _token(OAUTH_TOKEN_USERNAME, "invalid"),
+            ValidateResult(
+                AuthKind.basic,
+                error_message="OAuth access token could not be validated",
+            ),
+        ),
+        (
+            _token("devtable", "invalid"),
+            ValidateResult(
+                AuthKind.basic, error_message="Invalid Username or Password"
+            ),
+        ),
+        (
+            _token("devtable+somebot", "invalid"),
+            ValidateResult(
+                AuthKind.basic,
+                error_message="Could not find robot with username: devtable+somebot",
+            ),
+        ),
+        (
+            _token("disabled", "password"),
+            ValidateResult(
+                AuthKind.basic,
+                error_message="This user has been disabled. Please contact your administrator.",
+            ),
+        ),
+    ],
+)
 def test_validate_basic_auth_token(token, expected_result, app):
-  result = validate_basic_auth(token)
-  assert result == expected_result
+    result = validate_basic_auth(token)
+    assert result == expected_result
 
 
 def test_valid_user(app):
-  token = _token('devtable', 'password')
-  result = validate_basic_auth(token)
-  assert result == ValidateResult(AuthKind.basic, user=model.user.get_user('devtable'))
+    token = _token("devtable", "password")
+    result = validate_basic_auth(token)
+    assert result == ValidateResult(
+        AuthKind.basic, user=model.user.get_user("devtable")
+    )
 
 
 def test_valid_robot(app):
-  robot, password = model.user.create_robot('somerobot', model.user.get_user('devtable'))
-  token = _token(robot.username, password)
-  result = validate_basic_auth(token)
-  assert result == ValidateResult(AuthKind.basic, robot=robot)
+    robot, password = model.user.create_robot(
+        "somerobot", model.user.get_user("devtable")
+    )
+    token = _token(robot.username, password)
+    result = validate_basic_auth(token)
+    assert result == ValidateResult(AuthKind.basic, robot=robot)
 
 
 def test_valid_token(app):
-  access_token = model.token.create_delegate_token('devtable', 'simple', 'sometoken')
-  token = _token(ACCESS_TOKEN_USERNAME, access_token.get_code())
-  result = validate_basic_auth(token)
-  assert result == ValidateResult(AuthKind.basic, token=access_token)
+    access_token = model.token.create_delegate_token("devtable", "simple", "sometoken")
+    token = _token(ACCESS_TOKEN_USERNAME, access_token.get_code())
+    result = validate_basic_auth(token)
+    assert result == ValidateResult(AuthKind.basic, token=access_token)
 
 
 def test_valid_oauth(app):
-  user = model.user.get_user('devtable')
-  app = model.oauth.list_applications_for_org(model.user.get_user_or_org('buynlarge'))[0]
-  oauth_token, code = model.oauth.create_access_token_for_testing(user, app.client_id, 'repo:read')
-  token = _token(OAUTH_TOKEN_USERNAME, code)
-  result = validate_basic_auth(token)
-  assert result == ValidateResult(AuthKind.basic, oauthtoken=oauth_token)
+    user = model.user.get_user("devtable")
+    app = model.oauth.list_applications_for_org(
+        model.user.get_user_or_org("buynlarge")
+    )[0]
+    oauth_token, code = model.oauth.create_access_token_for_testing(
+        user, app.client_id, "repo:read"
+    )
+    token = _token(OAUTH_TOKEN_USERNAME, code)
+    result = validate_basic_auth(token)
+    assert result == ValidateResult(AuthKind.basic, oauthtoken=oauth_token)
 
 
 def test_valid_app_specific_token(app):
-  user = model.user.get_user('devtable')
-  app_specific_token = model.appspecifictoken.create_token(user, 'some token')
-  full_token = model.appspecifictoken.get_full_token_string(app_specific_token)
-  token = _token(APP_SPECIFIC_TOKEN_USERNAME, full_token)
-  result = validate_basic_auth(token)
-  assert result == ValidateResult(AuthKind.basic, appspecifictoken=app_specific_token)
+    user = model.user.get_user("devtable")
+    app_specific_token = model.appspecifictoken.create_token(user, "some token")
+    full_token = model.appspecifictoken.get_full_token_string(app_specific_token)
+    token = _token(APP_SPECIFIC_TOKEN_USERNAME, full_token)
+    result = validate_basic_auth(token)
+    assert result == ValidateResult(AuthKind.basic, appspecifictoken=app_specific_token)
 
 
 def test_invalid_unicode(app):
-  token = '\xebOH'
-  header = 'basic ' + b64encode(token)
-  result = validate_basic_auth(header)
-  assert result == ValidateResult(AuthKind.basic, missing=True)
+    token = "\xebOH"
+    header = "basic " + b64encode(token)
+    result = validate_basic_auth(header)
+    assert result == ValidateResult(AuthKind.basic, missing=True)
 
 
 def test_invalid_unicode_2(app):
-  token = '“4JPCOLIVMAY32Q3XGVPHC4CBF8SKII5FWNYMASOFDIVSXTC5I5NBU”'
-  header = 'basic ' + b64encode('devtable+somerobot:%s' % token)
-  result = validate_basic_auth(header)
-  assert result == ValidateResult(
-    AuthKind.basic,
-    error_message='Could not find robot with username: devtable+somerobot and supplied password.')
+    token = "“4JPCOLIVMAY32Q3XGVPHC4CBF8SKII5FWNYMASOFDIVSXTC5I5NBU”"
+    header = "basic " + b64encode("devtable+somerobot:%s" % token)
+    result = validate_basic_auth(header)
+    assert result == ValidateResult(
+        AuthKind.basic,
+        error_message="Could not find robot with username: devtable+somerobot and supplied password.",
+    )
diff --git a/auth/test/test_cookie.py b/auth/test/test_cookie.py
index 8c212d709..b9e69b571 100644
--- a/auth/test/test_cookie.py
+++ b/auth/test/test_cookie.py
@@ -9,58 +9,58 @@ from test.fixtures import *
 
 
 def test_anonymous_cookie(app):
-  assert validate_session_cookie().missing
+    assert validate_session_cookie().missing
 
 
 def test_invalidformatted_cookie(app):
-  # "Login" with a non-UUID reference.
-  someuser = model.user.get_user('devtable')
-  login_user(LoginWrappedDBUser('somenonuuid', someuser))
+    # "Login" with a non-UUID reference.
+    someuser = model.user.get_user("devtable")
+    login_user(LoginWrappedDBUser("somenonuuid", someuser))
 
-  # Ensure we get an invalid session cookie format error.
-  result = validate_session_cookie()
-  assert result.authed_user is None
-  assert result.context.identity is None
-  assert not result.has_nonrobot_user
-  assert result.error_message == 'Invalid session cookie format'
+    # Ensure we get an invalid session cookie format error.
+    result = validate_session_cookie()
+    assert result.authed_user is None
+    assert result.context.identity is None
+    assert not result.has_nonrobot_user
+    assert result.error_message == "Invalid session cookie format"
 
 
 def test_disabled_user(app):
-  # "Login" with a disabled user.
-  someuser = model.user.get_user('disabled')
-  login_user(LoginWrappedDBUser(someuser.uuid, someuser))
+    # "Login" with a disabled user.
+    someuser = model.user.get_user("disabled")
+    login_user(LoginWrappedDBUser(someuser.uuid, someuser))
 
-  # Ensure we get an invalid session cookie format error.
-  result = validate_session_cookie()
-  assert result.authed_user is None
-  assert result.context.identity is None
-  assert not result.has_nonrobot_user
-  assert result.error_message == 'User account is disabled'
+    # Ensure we get an invalid session cookie format error.
+    result = validate_session_cookie()
+    assert result.authed_user is None
+    assert result.context.identity is None
+    assert not result.has_nonrobot_user
+    assert result.error_message == "User account is disabled"
 
 
 def test_valid_user(app):
-  # Login with a valid user.
-  someuser = model.user.get_user('devtable')
-  login_user(LoginWrappedDBUser(someuser.uuid, someuser))
+    # Login with a valid user.
+    someuser = model.user.get_user("devtable")
+    login_user(LoginWrappedDBUser(someuser.uuid, someuser))
 
-  result = validate_session_cookie()
-  assert result.authed_user == someuser
-  assert result.context.identity is not None
-  assert result.has_nonrobot_user
-  assert result.error_message is None
+    result = validate_session_cookie()
+    assert result.authed_user == someuser
+    assert result.context.identity is not None
+    assert result.has_nonrobot_user
+    assert result.error_message is None
 
 
 def test_valid_organization(app):
-  # "Login" with a valid organization.
-  someorg = model.user.get_namespace_user('buynlarge')
-  someorg.uuid = str(uuid.uuid4())
-  someorg.verified = True
-  someorg.save()
+    # "Login" with a valid organization.
+    someorg = model.user.get_namespace_user("buynlarge")
+    someorg.uuid = str(uuid.uuid4())
+    someorg.verified = True
+    someorg.save()
 
-  login_user(LoginWrappedDBUser(someorg.uuid, someorg))
+    login_user(LoginWrappedDBUser(someorg.uuid, someorg))
 
-  result = validate_session_cookie()
-  assert result.authed_user is None
-  assert result.context.identity is None
-  assert not result.has_nonrobot_user
-  assert result.error_message == 'Cannot login to organization'
+    result = validate_session_cookie()
+    assert result.authed_user is None
+    assert result.context.identity is None
+    assert not result.has_nonrobot_user
+    assert result.error_message == "Cannot login to organization"
diff --git a/auth/test/test_credentials.py b/auth/test/test_credentials.py
index 4e55c470c..08e5a39c1 100644
--- a/auth/test/test_credentials.py
+++ b/auth/test/test_credentials.py
@@ -1,147 +1,184 @@
 # -*- coding: utf-8 -*-
 
 from auth.credentials import validate_credentials, CredentialKind
-from auth.credential_consts import (ACCESS_TOKEN_USERNAME, OAUTH_TOKEN_USERNAME,
-                                    APP_SPECIFIC_TOKEN_USERNAME)
+from auth.credential_consts import (
+    ACCESS_TOKEN_USERNAME,
+    OAUTH_TOKEN_USERNAME,
+    APP_SPECIFIC_TOKEN_USERNAME,
+)
 from auth.validateresult import AuthKind, ValidateResult
 from data import model
 
 from test.fixtures import *
 
+
 def test_valid_user(app):
-  result, kind = validate_credentials('devtable', 'password')
-  assert kind == CredentialKind.user
-  assert result == ValidateResult(AuthKind.credentials, user=model.user.get_user('devtable'))
+    result, kind = validate_credentials("devtable", "password")
+    assert kind == CredentialKind.user
+    assert result == ValidateResult(
+        AuthKind.credentials, user=model.user.get_user("devtable")
+    )
+
 
 def test_valid_robot(app):
-  robot, password = model.user.create_robot('somerobot', model.user.get_user('devtable'))
-  result, kind = validate_credentials(robot.username, password)
-  assert kind == CredentialKind.robot
-  assert result == ValidateResult(AuthKind.credentials, robot=robot)
+    robot, password = model.user.create_robot(
+        "somerobot", model.user.get_user("devtable")
+    )
+    result, kind = validate_credentials(robot.username, password)
+    assert kind == CredentialKind.robot
+    assert result == ValidateResult(AuthKind.credentials, robot=robot)
+
 
 def test_valid_robot_for_disabled_user(app):
-  user = model.user.get_user('devtable')
-  user.enabled = False
-  user.save()
+    user = model.user.get_user("devtable")
+    user.enabled = False
+    user.save()
 
-  robot, password = model.user.create_robot('somerobot', user)
-  result, kind = validate_credentials(robot.username, password)
-  assert kind == CredentialKind.robot
+    robot, password = model.user.create_robot("somerobot", user)
+    result, kind = validate_credentials(robot.username, password)
+    assert kind == CredentialKind.robot
+
+    err = "This user has been disabled. Please contact your administrator."
+    assert result == ValidateResult(AuthKind.credentials, error_message=err)
 
-  err = 'This user has been disabled. Please contact your administrator.'
-  assert result == ValidateResult(AuthKind.credentials, error_message=err)
 
 def test_valid_token(app):
-  access_token = model.token.create_delegate_token('devtable', 'simple', 'sometoken')
-  result, kind = validate_credentials(ACCESS_TOKEN_USERNAME, access_token.get_code())
-  assert kind == CredentialKind.token
-  assert result == ValidateResult(AuthKind.credentials, token=access_token)
+    access_token = model.token.create_delegate_token("devtable", "simple", "sometoken")
+    result, kind = validate_credentials(ACCESS_TOKEN_USERNAME, access_token.get_code())
+    assert kind == CredentialKind.token
+    assert result == ValidateResult(AuthKind.credentials, token=access_token)
+
 
 def test_valid_oauth(app):
-  user = model.user.get_user('devtable')
-  app = model.oauth.list_applications_for_org(model.user.get_user_or_org('buynlarge'))[0]
-  oauth_token, code = model.oauth.create_access_token_for_testing(user, app.client_id, 'repo:read')
-  result, kind = validate_credentials(OAUTH_TOKEN_USERNAME, code)
-  assert kind == CredentialKind.oauth_token
-  assert result == ValidateResult(AuthKind.oauth, oauthtoken=oauth_token)
+    user = model.user.get_user("devtable")
+    app = model.oauth.list_applications_for_org(
+        model.user.get_user_or_org("buynlarge")
+    )[0]
+    oauth_token, code = model.oauth.create_access_token_for_testing(
+        user, app.client_id, "repo:read"
+    )
+    result, kind = validate_credentials(OAUTH_TOKEN_USERNAME, code)
+    assert kind == CredentialKind.oauth_token
+    assert result == ValidateResult(AuthKind.oauth, oauthtoken=oauth_token)
+
 
 def test_invalid_user(app):
-  result, kind = validate_credentials('devtable', 'somepassword')
-  assert kind == CredentialKind.user
-  assert result == ValidateResult(AuthKind.credentials,
-                                  error_message='Invalid Username or Password')
+    result, kind = validate_credentials("devtable", "somepassword")
+    assert kind == CredentialKind.user
+    assert result == ValidateResult(
+        AuthKind.credentials, error_message="Invalid Username or Password"
+    )
+
 
 def test_valid_app_specific_token(app):
-  user = model.user.get_user('devtable')
-  app_specific_token = model.appspecifictoken.create_token(user, 'some token')
-  full_token = model.appspecifictoken.get_full_token_string(app_specific_token)
-  result, kind = validate_credentials(APP_SPECIFIC_TOKEN_USERNAME, full_token)
-  assert kind == CredentialKind.app_specific_token
-  assert result == ValidateResult(AuthKind.credentials, appspecifictoken=app_specific_token)
+    user = model.user.get_user("devtable")
+    app_specific_token = model.appspecifictoken.create_token(user, "some token")
+    full_token = model.appspecifictoken.get_full_token_string(app_specific_token)
+    result, kind = validate_credentials(APP_SPECIFIC_TOKEN_USERNAME, full_token)
+    assert kind == CredentialKind.app_specific_token
+    assert result == ValidateResult(
+        AuthKind.credentials, appspecifictoken=app_specific_token
+    )
+
 
 def test_valid_app_specific_token_for_disabled_user(app):
-  user = model.user.get_user('devtable')
-  user.enabled = False
-  user.save()
+    user = model.user.get_user("devtable")
+    user.enabled = False
+    user.save()
 
-  app_specific_token = model.appspecifictoken.create_token(user, 'some token')
-  full_token = model.appspecifictoken.get_full_token_string(app_specific_token)
-  result, kind = validate_credentials(APP_SPECIFIC_TOKEN_USERNAME, full_token)
-  assert kind == CredentialKind.app_specific_token
+    app_specific_token = model.appspecifictoken.create_token(user, "some token")
+    full_token = model.appspecifictoken.get_full_token_string(app_specific_token)
+    result, kind = validate_credentials(APP_SPECIFIC_TOKEN_USERNAME, full_token)
+    assert kind == CredentialKind.app_specific_token
 
-  err = 'This user has been disabled. Please contact your administrator.'
-  assert result == ValidateResult(AuthKind.credentials, error_message=err)
+    err = "This user has been disabled. Please contact your administrator."
+    assert result == ValidateResult(AuthKind.credentials, error_message=err)
+
+
+def test_invalid_app_specific_token(app):
+    result, kind = validate_credentials(APP_SPECIFIC_TOKEN_USERNAME, "somecode")
+    assert kind == CredentialKind.app_specific_token
+    assert result == ValidateResult(AuthKind.credentials, error_message="Invalid token")
 
-def test_invalid_app_specific_token(app):  
-  result, kind = validate_credentials(APP_SPECIFIC_TOKEN_USERNAME, 'somecode')
-  assert kind == CredentialKind.app_specific_token
-  assert result == ValidateResult(AuthKind.credentials, error_message='Invalid token')
 
 def test_invalid_app_specific_token_code(app):
-  user = model.user.get_user('devtable')
-  app_specific_token = model.appspecifictoken.create_token(user, 'some token')
-  full_token = app_specific_token.token_name + 'something'
-  result, kind = validate_credentials(APP_SPECIFIC_TOKEN_USERNAME, full_token)
-  assert kind == CredentialKind.app_specific_token
-  assert result == ValidateResult(AuthKind.credentials, error_message='Invalid token')
+    user = model.user.get_user("devtable")
+    app_specific_token = model.appspecifictoken.create_token(user, "some token")
+    full_token = app_specific_token.token_name + "something"
+    result, kind = validate_credentials(APP_SPECIFIC_TOKEN_USERNAME, full_token)
+    assert kind == CredentialKind.app_specific_token
+    assert result == ValidateResult(AuthKind.credentials, error_message="Invalid token")
 
-def test_unicode(app):  
-  result, kind = validate_credentials('someusername', 'some₪code')
-  assert kind == CredentialKind.user
-  assert not result.auth_valid
-  assert result == ValidateResult(AuthKind.credentials,
-                                  error_message='Invalid Username or Password')
 
-def test_unicode_robot(app):  
-  robot, _ = model.user.create_robot('somerobot', model.user.get_user('devtable'))
-  result, kind = validate_credentials(robot.username, 'some₪code')
+def test_unicode(app):
+    result, kind = validate_credentials("someusername", "some₪code")
+    assert kind == CredentialKind.user
+    assert not result.auth_valid
+    assert result == ValidateResult(
+        AuthKind.credentials, error_message="Invalid Username or Password"
+    )
 
-  assert kind == CredentialKind.robot
-  assert not result.auth_valid
 
-  msg = 'Could not find robot with username: devtable+somerobot and supplied password.'
-  assert result == ValidateResult(AuthKind.credentials, error_message=msg)
+def test_unicode_robot(app):
+    robot, _ = model.user.create_robot("somerobot", model.user.get_user("devtable"))
+    result, kind = validate_credentials(robot.username, "some₪code")
+
+    assert kind == CredentialKind.robot
+    assert not result.auth_valid
+
+    msg = (
+        "Could not find robot with username: devtable+somerobot and supplied password."
+    )
+    assert result == ValidateResult(AuthKind.credentials, error_message=msg)
+
 
 def test_invalid_user(app):
-  result, kind = validate_credentials('someinvaliduser', 'password')
-  assert kind == CredentialKind.user
-  assert not result.authed_user
-  assert not result.auth_valid
+    result, kind = validate_credentials("someinvaliduser", "password")
+    assert kind == CredentialKind.user
+    assert not result.authed_user
+    assert not result.auth_valid
+
 
 def test_invalid_user_password(app):
-  result, kind = validate_credentials('devtable', 'somepassword')
-  assert kind == CredentialKind.user
-  assert not result.authed_user
-  assert not result.auth_valid
+    result, kind = validate_credentials("devtable", "somepassword")
+    assert kind == CredentialKind.user
+    assert not result.authed_user
+    assert not result.auth_valid
+
 
 def test_invalid_robot(app):
-  result, kind = validate_credentials('devtable+doesnotexist', 'password')
-  assert kind == CredentialKind.robot
-  assert not result.authed_user
-  assert not result.auth_valid
+    result, kind = validate_credentials("devtable+doesnotexist", "password")
+    assert kind == CredentialKind.robot
+    assert not result.authed_user
+    assert not result.auth_valid
+
 
 def test_invalid_robot_token(app):
-  robot, _ = model.user.create_robot('somerobot', model.user.get_user('devtable'))
-  result, kind = validate_credentials(robot.username, 'invalidpassword')
-  assert kind == CredentialKind.robot
-  assert not result.authed_user
-  assert not result.auth_valid
+    robot, _ = model.user.create_robot("somerobot", model.user.get_user("devtable"))
+    result, kind = validate_credentials(robot.username, "invalidpassword")
+    assert kind == CredentialKind.robot
+    assert not result.authed_user
+    assert not result.auth_valid
+
 
 def test_invalid_unicode_robot(app):
-  token = '“4JPCOLIVMAY32Q3XGVPHC4CBF8SKII5FWNYMASOFDIVSXTC5I5NBU”'
-  result, kind = validate_credentials('devtable+somerobot', token)
-  assert kind == CredentialKind.robot
-  assert not result.auth_valid
-  msg = 'Could not find robot with username: devtable+somerobot'
-  assert result == ValidateResult(AuthKind.credentials, error_message=msg)
+    token = "“4JPCOLIVMAY32Q3XGVPHC4CBF8SKII5FWNYMASOFDIVSXTC5I5NBU”"
+    result, kind = validate_credentials("devtable+somerobot", token)
+    assert kind == CredentialKind.robot
+    assert not result.auth_valid
+    msg = "Could not find robot with username: devtable+somerobot"
+    assert result == ValidateResult(AuthKind.credentials, error_message=msg)
+
 
 def test_invalid_unicode_robot_2(app):
-  user = model.user.get_user('devtable')
-  robot, password = model.user.create_robot('somerobot', user)
+    user = model.user.get_user("devtable")
+    robot, password = model.user.create_robot("somerobot", user)
 
-  token = '“4JPCOLIVMAY32Q3XGVPHC4CBF8SKII5FWNYMASOFDIVSXTC5I5NBU”'
-  result, kind = validate_credentials('devtable+somerobot', token)
-  assert kind == CredentialKind.robot
-  assert not result.auth_valid
-  msg = 'Could not find robot with username: devtable+somerobot and supplied password.'
-  assert result == ValidateResult(AuthKind.credentials, error_message=msg)
+    token = "“4JPCOLIVMAY32Q3XGVPHC4CBF8SKII5FWNYMASOFDIVSXTC5I5NBU”"
+    result, kind = validate_credentials("devtable+somerobot", token)
+    assert kind == CredentialKind.robot
+    assert not result.auth_valid
+    msg = (
+        "Could not find robot with username: devtable+somerobot and supplied password."
+    )
+    assert result == ValidateResult(AuthKind.credentials, error_message=msg)
diff --git a/auth/test/test_decorators.py b/auth/test/test_decorators.py
index b0477f7bd..87b4d2ae9 100644
--- a/auth/test/test_decorators.py
+++ b/auth/test/test_decorators.py
@@ -7,99 +7,102 @@ from werkzeug.exceptions import HTTPException
 from app import LoginWrappedDBUser
 from auth.auth_context import get_authenticated_user
 from auth.decorators import (
-  extract_namespace_repo_from_session, require_session_login, process_auth_or_cookie)
+    extract_namespace_repo_from_session,
+    require_session_login,
+    process_auth_or_cookie,
+)
 from data import model
 from test.fixtures import *
 
 
 def test_extract_namespace_repo_from_session_missing(app):
-  def emptyfunc():
-    pass
+    def emptyfunc():
+        pass
 
-  session.clear()
-  with pytest.raises(HTTPException):
-    extract_namespace_repo_from_session(emptyfunc)()
+    session.clear()
+    with pytest.raises(HTTPException):
+        extract_namespace_repo_from_session(emptyfunc)()
 
 
 def test_extract_namespace_repo_from_session_present(app):
-  encountered = []
+    encountered = []
 
-  def somefunc(namespace, repository):
-    encountered.append(namespace)
-    encountered.append(repository)
+    def somefunc(namespace, repository):
+        encountered.append(namespace)
+        encountered.append(repository)
 
-  # Add the namespace and repository to the session.
-  session.clear()
-  session['namespace'] = 'foo'
-  session['repository'] = 'bar'
+    # Add the namespace and repository to the session.
+    session.clear()
+    session["namespace"] = "foo"
+    session["repository"] = "bar"
 
-  # Call the decorated method.
-  extract_namespace_repo_from_session(somefunc)()
+    # Call the decorated method.
+    extract_namespace_repo_from_session(somefunc)()
 
-  assert encountered[0] == 'foo'
-  assert encountered[1] == 'bar'
+    assert encountered[0] == "foo"
+    assert encountered[1] == "bar"
 
 
 def test_require_session_login_missing(app):
-  def emptyfunc():
-    pass
+    def emptyfunc():
+        pass
 
-  with pytest.raises(HTTPException):
-    require_session_login(emptyfunc)()
+    with pytest.raises(HTTPException):
+        require_session_login(emptyfunc)()
 
 
 def test_require_session_login_valid_user(app):
-  def emptyfunc():
-    pass
+    def emptyfunc():
+        pass
 
-  # Login as a valid user.
-  someuser = model.user.get_user('devtable')
-  login_user(LoginWrappedDBUser(someuser.uuid, someuser))
+    # Login as a valid user.
+    someuser = model.user.get_user("devtable")
+    login_user(LoginWrappedDBUser(someuser.uuid, someuser))
 
-  # Call the function.
-  require_session_login(emptyfunc)()
+    # Call the function.
+    require_session_login(emptyfunc)()
 
-  # Ensure the authenticated user was updated.
-  assert get_authenticated_user() == someuser
+    # Ensure the authenticated user was updated.
+    assert get_authenticated_user() == someuser
 
 
 def test_require_session_login_invalid_user(app):
-  def emptyfunc():
-    pass
+    def emptyfunc():
+        pass
 
-  # "Login" as a disabled user.
-  someuser = model.user.get_user('disabled')
-  login_user(LoginWrappedDBUser(someuser.uuid, someuser))
+    # "Login" as a disabled user.
+    someuser = model.user.get_user("disabled")
+    login_user(LoginWrappedDBUser(someuser.uuid, someuser))
 
-  # Call the function.
-  with pytest.raises(HTTPException):
-    require_session_login(emptyfunc)()
+    # Call the function.
+    with pytest.raises(HTTPException):
+        require_session_login(emptyfunc)()
 
-  # Ensure the authenticated user was not updated.
-  assert get_authenticated_user() is None
+    # Ensure the authenticated user was not updated.
+    assert get_authenticated_user() is None
 
 
 def test_process_auth_or_cookie_invalid_user(app):
-  def emptyfunc():
-    pass
+    def emptyfunc():
+        pass
 
-  # Call the function.
-  process_auth_or_cookie(emptyfunc)()
+    # Call the function.
+    process_auth_or_cookie(emptyfunc)()
 
-  # Ensure the authenticated user was not updated.
-  assert get_authenticated_user() is None
+    # Ensure the authenticated user was not updated.
+    assert get_authenticated_user() is None
 
 
 def test_process_auth_or_cookie_valid_user(app):
-  def emptyfunc():
-    pass
+    def emptyfunc():
+        pass
 
-  # Login as a valid user.
-  someuser = model.user.get_user('devtable')
-  login_user(LoginWrappedDBUser(someuser.uuid, someuser))
+    # Login as a valid user.
+    someuser = model.user.get_user("devtable")
+    login_user(LoginWrappedDBUser(someuser.uuid, someuser))
 
-  # Call the function.
-  process_auth_or_cookie(emptyfunc)()
+    # Call the function.
+    process_auth_or_cookie(emptyfunc)()
 
-  # Ensure the authenticated user was  updated.
-  assert get_authenticated_user() == someuser
+    # Ensure the authenticated user was  updated.
+    assert get_authenticated_user() == someuser
diff --git a/auth/test/test_oauth.py b/auth/test/test_oauth.py
index f678f2604..1453e878a 100644
--- a/auth/test/test_oauth.py
+++ b/auth/test/test_oauth.py
@@ -6,50 +6,63 @@ from data import model
 from test.fixtures import *
 
 
-@pytest.mark.parametrize('header, expected_result', [
-  ('', ValidateResult(AuthKind.oauth, missing=True)),
-  ('somerandomtoken', ValidateResult(AuthKind.oauth, missing=True)),
-  ('bearer some random token', ValidateResult(AuthKind.oauth, missing=True)),
-  ('bearer invalidtoken',
-   ValidateResult(AuthKind.oauth, error_message='OAuth access token could not be validated')),])
+@pytest.mark.parametrize(
+    "header, expected_result",
+    [
+        ("", ValidateResult(AuthKind.oauth, missing=True)),
+        ("somerandomtoken", ValidateResult(AuthKind.oauth, missing=True)),
+        ("bearer some random token", ValidateResult(AuthKind.oauth, missing=True)),
+        (
+            "bearer invalidtoken",
+            ValidateResult(
+                AuthKind.oauth,
+                error_message="OAuth access token could not be validated",
+            ),
+        ),
+    ],
+)
 def test_bearer(header, expected_result, app):
-  assert validate_bearer_auth(header) == expected_result
+    assert validate_bearer_auth(header) == expected_result
 
 
 def test_valid_oauth(app):
-  user = model.user.get_user('devtable')
-  app = model.oauth.list_applications_for_org(model.user.get_user_or_org('buynlarge'))[0]
-  token_string = '%s%s' % ('a' * 20, 'b' * 20)
-  oauth_token, _ = model.oauth.create_access_token_for_testing(user, app.client_id, 'repo:read',
-                                                               access_token=token_string)
-  result = validate_bearer_auth('bearer ' + token_string)
-  assert result.context.oauthtoken == oauth_token
-  assert result.authed_user == user
-  assert result.auth_valid
+    user = model.user.get_user("devtable")
+    app = model.oauth.list_applications_for_org(
+        model.user.get_user_or_org("buynlarge")
+    )[0]
+    token_string = "%s%s" % ("a" * 20, "b" * 20)
+    oauth_token, _ = model.oauth.create_access_token_for_testing(
+        user, app.client_id, "repo:read", access_token=token_string
+    )
+    result = validate_bearer_auth("bearer " + token_string)
+    assert result.context.oauthtoken == oauth_token
+    assert result.authed_user == user
+    assert result.auth_valid
 
 
 def test_disabled_user_oauth(app):
-  user = model.user.get_user('disabled')
-  token_string = '%s%s' % ('a' * 20, 'b' * 20)
-  oauth_token, _ = model.oauth.create_access_token_for_testing(user, 'deadbeef', 'repo:admin',
-                                                               access_token=token_string)
+    user = model.user.get_user("disabled")
+    token_string = "%s%s" % ("a" * 20, "b" * 20)
+    oauth_token, _ = model.oauth.create_access_token_for_testing(
+        user, "deadbeef", "repo:admin", access_token=token_string
+    )
 
-  result = validate_bearer_auth('bearer ' + token_string)
-  assert result.context.oauthtoken is None
-  assert result.authed_user is None
-  assert not result.auth_valid
-  assert result.error_message == 'Granter of the oauth access token is disabled'
+    result = validate_bearer_auth("bearer " + token_string)
+    assert result.context.oauthtoken is None
+    assert result.authed_user is None
+    assert not result.auth_valid
+    assert result.error_message == "Granter of the oauth access token is disabled"
 
 
 def test_expired_token(app):
-  user = model.user.get_user('devtable')
-  token_string = '%s%s' % ('a' * 20, 'b' * 20)
-  oauth_token, _ = model.oauth.create_access_token_for_testing(user, 'deadbeef', 'repo:admin',
-                                                               access_token=token_string,
-                                                               expires_in=-1000)
+    user = model.user.get_user("devtable")
+    token_string = "%s%s" % ("a" * 20, "b" * 20)
+    oauth_token, _ = model.oauth.create_access_token_for_testing(
+        user, "deadbeef", "repo:admin", access_token=token_string, expires_in=-1000
+    )
 
-  result = validate_bearer_auth('bearer ' + token_string)
-  assert result.context.oauthtoken is None
-  assert result.authed_user is None
-  assert not result.auth_valid
-  assert result.error_message == 'OAuth access token has expired'
+    result = validate_bearer_auth("bearer " + token_string)
+    assert result.context.oauthtoken is None
+    assert result.authed_user is None
+    assert not result.auth_valid
+    assert result.error_message == "OAuth access token has expired"
diff --git a/auth/test/test_permissions.py b/auth/test/test_permissions.py
index f2849934d..e97a11f1d 100644
--- a/auth/test/test_permissions.py
+++ b/auth/test/test_permissions.py
@@ -6,32 +6,33 @@ from data import model
 
 from test.fixtures import *
 
-SUPER_USERNAME = 'devtable'
-UNSUPER_USERNAME = 'freshuser'
+SUPER_USERNAME = "devtable"
+UNSUPER_USERNAME = "freshuser"
+
 
 @pytest.fixture()
 def superuser(initialized_db):
-  return model.user.get_user(SUPER_USERNAME)
+    return model.user.get_user(SUPER_USERNAME)
 
 
 @pytest.fixture()
 def normie(initialized_db):
-  return model.user.get_user(UNSUPER_USERNAME)
+    return model.user.get_user(UNSUPER_USERNAME)
 
 
 def test_superuser_matrix(superuser, normie):
-  test_cases = [
-    (superuser, {scopes.SUPERUSER}, True),
-    (superuser, {scopes.DIRECT_LOGIN}, True),
-    (superuser, {scopes.READ_USER, scopes.SUPERUSER}, True),
-    (superuser, {scopes.READ_USER}, False),
-    (normie, {scopes.SUPERUSER}, False),
-    (normie, {scopes.DIRECT_LOGIN}, False),
-    (normie, {scopes.READ_USER, scopes.SUPERUSER}, False),
-    (normie, {scopes.READ_USER}, False),
-  ]
+    test_cases = [
+        (superuser, {scopes.SUPERUSER}, True),
+        (superuser, {scopes.DIRECT_LOGIN}, True),
+        (superuser, {scopes.READ_USER, scopes.SUPERUSER}, True),
+        (superuser, {scopes.READ_USER}, False),
+        (normie, {scopes.SUPERUSER}, False),
+        (normie, {scopes.DIRECT_LOGIN}, False),
+        (normie, {scopes.READ_USER, scopes.SUPERUSER}, False),
+        (normie, {scopes.READ_USER}, False),
+    ]
 
-  for user_obj, scope_set, expected in test_cases:
-    perm_user = QuayDeferredPermissionUser.for_user(user_obj, scope_set)
-    has_su = perm_user.can(SuperUserPermission())
-    assert has_su == expected
+    for user_obj, scope_set, expected in test_cases:
+        perm_user = QuayDeferredPermissionUser.for_user(user_obj, scope_set)
+        has_su = perm_user.can(SuperUserPermission())
+        assert has_su == expected
diff --git a/auth/test/test_registry_jwt.py b/auth/test/test_registry_jwt.py
index fc6548d74..ffcb9fca7 100644
--- a/auth/test/test_registry_jwt.py
+++ b/auth/test/test_registry_jwt.py
@@ -14,190 +14,226 @@ from initdb import setup_database_for_testing, finished_database_for_testing
 from util.morecollections import AttrDict
 from util.security.registry_jwt import ANONYMOUS_SUB, build_context_and_subject
 
-TEST_AUDIENCE = app.config['SERVER_HOSTNAME']
-TEST_USER = AttrDict({'username': 'joeuser', 'uuid': 'foobar', 'enabled': True})
+TEST_AUDIENCE = app.config["SERVER_HOSTNAME"]
+TEST_USER = AttrDict({"username": "joeuser", "uuid": "foobar", "enabled": True})
 MAX_SIGNED_S = 3660
 TOKEN_VALIDITY_LIFETIME_S = 60 * 60  # 1 hour
-ANONYMOUS_SUB = '(anonymous)'
-SERVICE_NAME = 'quay'
+ANONYMOUS_SUB = "(anonymous)"
+SERVICE_NAME = "quay"
 
 # This import has to come below any references to "app".
 from test.fixtures import *
 
 
-def _access(typ='repository', name='somens/somerepo', actions=None):
-  actions = [] if actions is None else actions
-  return [{
-    'type': typ,
-    'name': name,
-    'actions': actions,
-  }]
+def _access(typ="repository", name="somens/somerepo", actions=None):
+    actions = [] if actions is None else actions
+    return [{"type": typ, "name": name, "actions": actions}]
 
 
 def _delete_field(token_data, field_name):
-  token_data.pop(field_name)
-  return token_data
+    token_data.pop(field_name)
+    return token_data
 
 
-def _token_data(access=[], context=None, audience=TEST_AUDIENCE, user=TEST_USER, iat=None,
-                exp=None, nbf=None, iss=None, subject=None):
-  if subject is None:
-    _, subject = build_context_and_subject(ValidatedAuthContext(user=user))
-  return {
-    'iss': iss or instance_keys.service_name,
-    'aud': audience,
-    'nbf': nbf if nbf is not None else int(time.time()),
-    'iat': iat if iat is not None else int(time.time()),
-    'exp': exp if exp is not None else int(time.time() + TOKEN_VALIDITY_LIFETIME_S),
-    'sub': subject,
-    'access': access,
-    'context': context,
-  }
+def _token_data(
+    access=[],
+    context=None,
+    audience=TEST_AUDIENCE,
+    user=TEST_USER,
+    iat=None,
+    exp=None,
+    nbf=None,
+    iss=None,
+    subject=None,
+):
+    if subject is None:
+        _, subject = build_context_and_subject(ValidatedAuthContext(user=user))
+    return {
+        "iss": iss or instance_keys.service_name,
+        "aud": audience,
+        "nbf": nbf if nbf is not None else int(time.time()),
+        "iat": iat if iat is not None else int(time.time()),
+        "exp": exp if exp is not None else int(time.time() + TOKEN_VALIDITY_LIFETIME_S),
+        "sub": subject,
+        "access": access,
+        "context": context,
+    }
 
 
 def _token(token_data, key_id=None, private_key=None, skip_header=False, alg=None):
-  key_id = key_id or instance_keys.local_key_id
-  private_key = private_key or instance_keys.local_private_key
+    key_id = key_id or instance_keys.local_key_id
+    private_key = private_key or instance_keys.local_private_key
 
-  if alg == "none":
-    private_key = None
+    if alg == "none":
+        private_key = None
 
-  token_headers = {'kid': key_id}
+    token_headers = {"kid": key_id}
 
-  if skip_header:
-    token_headers = {}
+    if skip_header:
+        token_headers = {}
 
-  token_data = jwt.encode(token_data, private_key, alg or 'RS256', headers=token_headers)
-  return 'Bearer {0}'.format(token_data)
+    token_data = jwt.encode(
+        token_data, private_key, alg or "RS256", headers=token_headers
+    )
+    return "Bearer {0}".format(token_data)
 
 
 def _parse_token(token):
-  return identity_from_bearer_token(token)[0]
+    return identity_from_bearer_token(token)[0]
 
 
 def test_accepted_token(initialized_db):
-  token = _token(_token_data())
-  identity = _parse_token(token)
-  assert identity.id == TEST_USER.username, 'should be %s, but was %s' % (TEST_USER.username,
-                                                                          identity.id)
-  assert len(identity.provides) == 0
+    token = _token(_token_data())
+    identity = _parse_token(token)
+    assert identity.id == TEST_USER.username, "should be %s, but was %s" % (
+        TEST_USER.username,
+        identity.id,
+    )
+    assert len(identity.provides) == 0
 
-  anon_token = _token(_token_data(user=None))
-  anon_identity = _parse_token(anon_token)
-  assert anon_identity.id == ANONYMOUS_SUB, 'should be %s, but was %s' % (ANONYMOUS_SUB,
-                                                                          anon_identity.id)
-  assert len(identity.provides) == 0
+    anon_token = _token(_token_data(user=None))
+    anon_identity = _parse_token(anon_token)
+    assert anon_identity.id == ANONYMOUS_SUB, "should be %s, but was %s" % (
+        ANONYMOUS_SUB,
+        anon_identity.id,
+    )
+    assert len(identity.provides) == 0
 
 
-@pytest.mark.parametrize('access', [
-  (_access(actions=['pull', 'push'])),
-  (_access(actions=['pull', '*'])),
-  (_access(actions=['*', 'push'])),
-  (_access(actions=['*'])),
-  (_access(actions=['pull', '*', 'push'])),])
+@pytest.mark.parametrize(
+    "access",
+    [
+        (_access(actions=["pull", "push"])),
+        (_access(actions=["pull", "*"])),
+        (_access(actions=["*", "push"])),
+        (_access(actions=["*"])),
+        (_access(actions=["pull", "*", "push"])),
+    ],
+)
 def test_token_with_access(access, initialized_db):
-  token = _token(_token_data(access=access))
-  identity = _parse_token(token)
-  assert identity.id == TEST_USER.username, 'should be %s, but was %s' % (TEST_USER.username,
-                                                                          identity.id)
-  assert len(identity.provides) == 1
+    token = _token(_token_data(access=access))
+    identity = _parse_token(token)
+    assert identity.id == TEST_USER.username, "should be %s, but was %s" % (
+        TEST_USER.username,
+        identity.id,
+    )
+    assert len(identity.provides) == 1
 
-  role = list(identity.provides)[0][3]
-  if "*" in access[0]['actions']:
-    assert role == 'admin'
-  elif "push" in access[0]['actions']:
-    assert role == 'write'
-  elif "pull" in access[0]['actions']:
-    assert role == 'read'
+    role = list(identity.provides)[0][3]
+    if "*" in access[0]["actions"]:
+        assert role == "admin"
+    elif "push" in access[0]["actions"]:
+        assert role == "write"
+    elif "pull" in access[0]["actions"]:
+        assert role == "read"
 
 
-@pytest.mark.parametrize('token', [
-  pytest.param(_token(
-    _token_data(access=[{
-      'toipe': 'repository',
-      'namesies': 'somens/somerepo',
-      'akshuns': ['pull', 'push', '*']}])), id='bad access'),
-  pytest.param(_token(_token_data(audience='someotherapp')), id='bad aud'),
-  pytest.param(_token(_delete_field(_token_data(), 'aud')), id='no aud'),
-  pytest.param(_token(_token_data(nbf=int(time.time()) + 600)), id='future nbf'),
-  pytest.param(_token(_delete_field(_token_data(), 'nbf')), id='no nbf'),
-  pytest.param(_token(_token_data(iat=int(time.time()) + 600)), id='future iat'),
-  pytest.param(_token(_delete_field(_token_data(), 'iat')), id='no iat'),
-  pytest.param(_token(_token_data(exp=int(time.time()) + MAX_SIGNED_S * 2)), id='exp too long'),
-  pytest.param(_token(_token_data(exp=int(time.time()) - 60)), id='expired'),
-  pytest.param(_token(_delete_field(_token_data(), 'exp')), id='no exp'),
-  pytest.param(_token(_delete_field(_token_data(), 'sub')), id='no sub'),
-  pytest.param(_token(_token_data(iss='badissuer')), id='bad iss'),
-  pytest.param(_token(_delete_field(_token_data(), 'iss')), id='no iss'),
-  pytest.param(_token(_token_data(), skip_header=True), id='no header'),
-  pytest.param(_token(_token_data(), key_id='someunknownkey'), id='bad key'),
-  pytest.param(_token(_token_data(), key_id='kid7'), id='bad key :: kid7'),
-  pytest.param(_token(_token_data(), alg='none', private_key=None), id='none alg'),
-  pytest.param('some random token', id='random token'),
-  pytest.param('Bearer: sometokenhere', id='extra bearer'),
-  pytest.param('\nBearer: dGVzdA', id='leading newline'),
-])
+@pytest.mark.parametrize(
+    "token",
+    [
+        pytest.param(
+            _token(
+                _token_data(
+                    access=[
+                        {
+                            "toipe": "repository",
+                            "namesies": "somens/somerepo",
+                            "akshuns": ["pull", "push", "*"],
+                        }
+                    ]
+                )
+            ),
+            id="bad access",
+        ),
+        pytest.param(_token(_token_data(audience="someotherapp")), id="bad aud"),
+        pytest.param(_token(_delete_field(_token_data(), "aud")), id="no aud"),
+        pytest.param(_token(_token_data(nbf=int(time.time()) + 600)), id="future nbf"),
+        pytest.param(_token(_delete_field(_token_data(), "nbf")), id="no nbf"),
+        pytest.param(_token(_token_data(iat=int(time.time()) + 600)), id="future iat"),
+        pytest.param(_token(_delete_field(_token_data(), "iat")), id="no iat"),
+        pytest.param(
+            _token(_token_data(exp=int(time.time()) + MAX_SIGNED_S * 2)),
+            id="exp too long",
+        ),
+        pytest.param(_token(_token_data(exp=int(time.time()) - 60)), id="expired"),
+        pytest.param(_token(_delete_field(_token_data(), "exp")), id="no exp"),
+        pytest.param(_token(_delete_field(_token_data(), "sub")), id="no sub"),
+        pytest.param(_token(_token_data(iss="badissuer")), id="bad iss"),
+        pytest.param(_token(_delete_field(_token_data(), "iss")), id="no iss"),
+        pytest.param(_token(_token_data(), skip_header=True), id="no header"),
+        pytest.param(_token(_token_data(), key_id="someunknownkey"), id="bad key"),
+        pytest.param(_token(_token_data(), key_id="kid7"), id="bad key :: kid7"),
+        pytest.param(
+            _token(_token_data(), alg="none", private_key=None), id="none alg"
+        ),
+        pytest.param("some random token", id="random token"),
+        pytest.param("Bearer: sometokenhere", id="extra bearer"),
+        pytest.param("\nBearer: dGVzdA", id="leading newline"),
+    ],
+)
 def test_invalid_jwt(token, initialized_db):
-  with pytest.raises(InvalidJWTException):
-    _parse_token(token)
+    with pytest.raises(InvalidJWTException):
+        _parse_token(token)
 
 
 def test_mixing_keys_e2e(initialized_db):
-  token_data = _token_data()
+    token_data = _token_data()
 
-  # Create a new key for testing.
-  p, key = model.service_keys.generate_service_key(instance_keys.service_name, None, kid='newkey',
-                                                   name='newkey', metadata={})
-  private_key = p.exportKey('PEM')
+    # Create a new key for testing.
+    p, key = model.service_keys.generate_service_key(
+        instance_keys.service_name, None, kid="newkey", name="newkey", metadata={}
+    )
+    private_key = p.exportKey("PEM")
 
-  # Test first with the new valid, but unapproved key.
-  unapproved_key_token = _token(token_data, key_id='newkey', private_key=private_key)
-  with pytest.raises(InvalidJWTException):
-    _parse_token(unapproved_key_token)
+    # Test first with the new valid, but unapproved key.
+    unapproved_key_token = _token(token_data, key_id="newkey", private_key=private_key)
+    with pytest.raises(InvalidJWTException):
+        _parse_token(unapproved_key_token)
 
-  # Approve the key and try again.
-  admin_user = model.user.get_user('devtable')
-  model.service_keys.approve_service_key(key.kid, ServiceKeyApprovalType.SUPERUSER, approver=admin_user)
+    # Approve the key and try again.
+    admin_user = model.user.get_user("devtable")
+    model.service_keys.approve_service_key(
+        key.kid, ServiceKeyApprovalType.SUPERUSER, approver=admin_user
+    )
 
-  valid_token = _token(token_data, key_id='newkey', private_key=private_key)
+    valid_token = _token(token_data, key_id="newkey", private_key=private_key)
 
-  identity = _parse_token(valid_token)
-  assert identity.id == TEST_USER.username
-  assert len(identity.provides) == 0
+    identity = _parse_token(valid_token)
+    assert identity.id == TEST_USER.username
+    assert len(identity.provides) == 0
 
-  # Try using a different private key with the existing key ID.
-  bad_private_token = _token(token_data, key_id='newkey',
-                             private_key=instance_keys.local_private_key)
-  with pytest.raises(InvalidJWTException):
-    _parse_token(bad_private_token)
+    # Try using a different private key with the existing key ID.
+    bad_private_token = _token(
+        token_data, key_id="newkey", private_key=instance_keys.local_private_key
+    )
+    with pytest.raises(InvalidJWTException):
+        _parse_token(bad_private_token)
 
-  # Try using a different key ID with the existing private key.
-  kid_mismatch_token = _token(token_data, key_id=instance_keys.local_key_id,
-                              private_key=private_key)
-  with pytest.raises(InvalidJWTException):
-    _parse_token(kid_mismatch_token)
+    # Try using a different key ID with the existing private key.
+    kid_mismatch_token = _token(
+        token_data, key_id=instance_keys.local_key_id, private_key=private_key
+    )
+    with pytest.raises(InvalidJWTException):
+        _parse_token(kid_mismatch_token)
 
-  # Delete the new key.
-  key.delete_instance(recursive=True)
+    # Delete the new key.
+    key.delete_instance(recursive=True)
 
-  # Ensure it still works (via the cache.)
-  deleted_key_token = _token(token_data, key_id='newkey', private_key=private_key)
-  identity = _parse_token(deleted_key_token)
-  assert identity.id == TEST_USER.username
-  assert len(identity.provides) == 0
+    # Ensure it still works (via the cache.)
+    deleted_key_token = _token(token_data, key_id="newkey", private_key=private_key)
+    identity = _parse_token(deleted_key_token)
+    assert identity.id == TEST_USER.username
+    assert len(identity.provides) == 0
 
-  # Break the cache.
-  instance_keys.clear_cache()
+    # Break the cache.
+    instance_keys.clear_cache()
 
-  # Ensure the key no longer works.
-  with pytest.raises(InvalidJWTException):
-    _parse_token(deleted_key_token)
+    # Ensure the key no longer works.
+    with pytest.raises(InvalidJWTException):
+        _parse_token(deleted_key_token)
 
 
-@pytest.mark.parametrize('token', [
-  u'someunicodetoken✡',
-  u'\xc9\xad\xbd',
-])
+@pytest.mark.parametrize("token", [u"someunicodetoken✡", u"\xc9\xad\xbd"])
 def test_unicode_token(token):
-  with pytest.raises(InvalidJWTException):
-    _parse_token(token)
+    with pytest.raises(InvalidJWTException):
+        _parse_token(token)
diff --git a/auth/test/test_scopes.py b/auth/test/test_scopes.py
index b71140136..a5aa883ea 100644
--- a/auth/test/test_scopes.py
+++ b/auth/test/test_scopes.py
@@ -1,50 +1,55 @@
 import pytest
 
 from auth.scopes import (
-  scopes_from_scope_string, validate_scope_string, ALL_SCOPES, is_subset_string)
+    scopes_from_scope_string,
+    validate_scope_string,
+    ALL_SCOPES,
+    is_subset_string,
+)
 
 
 @pytest.mark.parametrize(
-  'scopes_string, expected',
-  [
-    # Valid single scopes.
-    ('repo:read', ['repo:read']),
-    ('repo:admin', ['repo:admin']),
-
-    # Invalid scopes.
-    ('not:valid', []),
-    ('repo:admins', []),
-
-    # Valid scope strings.
-    ('repo:read repo:admin', ['repo:read', 'repo:admin']),
-    ('repo:read,repo:admin', ['repo:read', 'repo:admin']),
-    ('repo:read,repo:admin repo:write', ['repo:read', 'repo:admin', 'repo:write']),
-
-    # Partially invalid scopes.
-    ('repo:read,not:valid', []),
-    ('repo:read repo:admins', []),
-
-    # Invalid scope strings.
-    ('repo:read|repo:admin', []),
-
-    # Mixture of delimiters.
-    ('repo:read, repo:admin', []),])
+    "scopes_string, expected",
+    [
+        # Valid single scopes.
+        ("repo:read", ["repo:read"]),
+        ("repo:admin", ["repo:admin"]),
+        # Invalid scopes.
+        ("not:valid", []),
+        ("repo:admins", []),
+        # Valid scope strings.
+        ("repo:read repo:admin", ["repo:read", "repo:admin"]),
+        ("repo:read,repo:admin", ["repo:read", "repo:admin"]),
+        ("repo:read,repo:admin repo:write", ["repo:read", "repo:admin", "repo:write"]),
+        # Partially invalid scopes.
+        ("repo:read,not:valid", []),
+        ("repo:read repo:admins", []),
+        # Invalid scope strings.
+        ("repo:read|repo:admin", []),
+        # Mixture of delimiters.
+        ("repo:read, repo:admin", []),
+    ],
+)
 def test_parsing(scopes_string, expected):
-  expected_scope_set = {ALL_SCOPES[scope_name] for scope_name in expected}
-  parsed_scope_set = scopes_from_scope_string(scopes_string)
-  assert parsed_scope_set == expected_scope_set
-  assert validate_scope_string(scopes_string) == bool(expected)
+    expected_scope_set = {ALL_SCOPES[scope_name] for scope_name in expected}
+    parsed_scope_set = scopes_from_scope_string(scopes_string)
+    assert parsed_scope_set == expected_scope_set
+    assert validate_scope_string(scopes_string) == bool(expected)
 
 
-@pytest.mark.parametrize('superset, subset, result', [
-  ('repo:read', 'repo:read', True),
-  ('repo:read repo:admin', 'repo:read', True),
-  ('repo:read,repo:admin', 'repo:read', True),
-  ('repo:read,repo:admin', 'repo:admin', True),
-  ('repo:read,repo:admin', 'repo:admin repo:read', True),
-  ('', 'repo:read', False),
-  ('unknown:tag', 'repo:read', False),
-  ('repo:read unknown:tag', 'repo:read', False),
-  ('repo:read,unknown:tag', 'repo:read', False),])
+@pytest.mark.parametrize(
+    "superset, subset, result",
+    [
+        ("repo:read", "repo:read", True),
+        ("repo:read repo:admin", "repo:read", True),
+        ("repo:read,repo:admin", "repo:read", True),
+        ("repo:read,repo:admin", "repo:admin", True),
+        ("repo:read,repo:admin", "repo:admin repo:read", True),
+        ("", "repo:read", False),
+        ("unknown:tag", "repo:read", False),
+        ("repo:read unknown:tag", "repo:read", False),
+        ("repo:read,unknown:tag", "repo:read", False),
+    ],
+)
 def test_subset_string(superset, subset, result):
-  assert is_subset_string(superset, subset) == result
+    assert is_subset_string(superset, subset) == result
diff --git a/auth/test/test_signedgrant.py b/auth/test/test_signedgrant.py
index e200f0bf1..5575a032d 100644
--- a/auth/test/test_signedgrant.py
+++ b/auth/test/test_signedgrant.py
@@ -1,32 +1,47 @@
 import pytest
 
-from auth.signedgrant import validate_signed_grant, generate_signed_token, SIGNATURE_PREFIX
+from auth.signedgrant import (
+    validate_signed_grant,
+    generate_signed_token,
+    SIGNATURE_PREFIX,
+)
 from auth.validateresult import AuthKind, ValidateResult
 
 
-@pytest.mark.parametrize('header, expected_result', [
-  pytest.param('', ValidateResult(AuthKind.signed_grant, missing=True), id='Missing'),
-  pytest.param('somerandomtoken', ValidateResult(AuthKind.signed_grant, missing=True),
-               id='Invalid header'),
-  pytest.param('token somerandomtoken', ValidateResult(AuthKind.signed_grant, missing=True),
-               id='Random Token'),
-  pytest.param('token ' + SIGNATURE_PREFIX + 'foo',
-               ValidateResult(AuthKind.signed_grant,
-                              error_message='Signed grant could not be validated'),
-               id='Invalid token'),
-])
+@pytest.mark.parametrize(
+    "header, expected_result",
+    [
+        pytest.param(
+            "", ValidateResult(AuthKind.signed_grant, missing=True), id="Missing"
+        ),
+        pytest.param(
+            "somerandomtoken",
+            ValidateResult(AuthKind.signed_grant, missing=True),
+            id="Invalid header",
+        ),
+        pytest.param(
+            "token somerandomtoken",
+            ValidateResult(AuthKind.signed_grant, missing=True),
+            id="Random Token",
+        ),
+        pytest.param(
+            "token " + SIGNATURE_PREFIX + "foo",
+            ValidateResult(
+                AuthKind.signed_grant,
+                error_message="Signed grant could not be validated",
+            ),
+            id="Invalid token",
+        ),
+    ],
+)
 def test_token(header, expected_result):
-  assert validate_signed_grant(header) == expected_result
+    assert validate_signed_grant(header) == expected_result
 
 
 def test_valid_grant():
-  header = 'token ' + generate_signed_token({'a': 'b'}, {'c': 'd'})
-  expected = ValidateResult(AuthKind.signed_grant, signed_data={
-    'grants': {
-      'a': 'b',
-    },
-    'user_context': {
-      'c': 'd'
-    },
-  })
-  assert validate_signed_grant(header) == expected
+    header = "token " + generate_signed_token({"a": "b"}, {"c": "d"})
+    expected = ValidateResult(
+        AuthKind.signed_grant,
+        signed_data={"grants": {"a": "b"}, "user_context": {"c": "d"}},
+    )
+    assert validate_signed_grant(header) == expected
diff --git a/auth/test/test_validateresult.py b/auth/test/test_validateresult.py
index 90875da76..bc514e843 100644
--- a/auth/test/test_validateresult.py
+++ b/auth/test/test_validateresult.py
@@ -6,58 +6,68 @@ from data import model
 from data.database import AppSpecificAuthToken
 from test.fixtures import *
 
+
 def get_user():
-  return model.user.get_user('devtable')
+    return model.user.get_user("devtable")
+
 
 def get_app_specific_token():
-  return AppSpecificAuthToken.get()
+    return AppSpecificAuthToken.get()
+
 
 def get_robot():
-  robot, _ = model.user.create_robot('somebot', get_user())
-  return robot
+    robot, _ = model.user.create_robot("somebot", get_user())
+    return robot
+
 
 def get_token():
-  return model.token.create_delegate_token('devtable', 'simple', 'sometoken')
+    return model.token.create_delegate_token("devtable", "simple", "sometoken")
+
 
 def get_oauthtoken():
-  user = model.user.get_user('devtable')
-  return list(model.oauth.list_access_tokens_for_user(user))[0]
+    user = model.user.get_user("devtable")
+    return list(model.oauth.list_access_tokens_for_user(user))[0]
+
 
 def get_signeddata():
-  return {'grants': {'a': 'b'}, 'user_context': {'c': 'd'}}
+    return {"grants": {"a": "b"}, "user_context": {"c": "d"}}
 
-@pytest.mark.parametrize('get_entity,entity_kind', [
-  (get_user, 'user'),
-  (get_robot, 'robot'),
-  (get_token, 'token'),
-  (get_oauthtoken, 'oauthtoken'),
-  (get_signeddata, 'signed_data'),
-  (get_app_specific_token, 'appspecifictoken'),
-])
+
+@pytest.mark.parametrize(
+    "get_entity,entity_kind",
+    [
+        (get_user, "user"),
+        (get_robot, "robot"),
+        (get_token, "token"),
+        (get_oauthtoken, "oauthtoken"),
+        (get_signeddata, "signed_data"),
+        (get_app_specific_token, "appspecifictoken"),
+    ],
+)
 def test_apply_context(get_entity, entity_kind, app):
-  assert get_authenticated_context() is None
+    assert get_authenticated_context() is None
 
-  entity = get_entity()
-  args = {}
-  args[entity_kind] = entity
+    entity = get_entity()
+    args = {}
+    args[entity_kind] = entity
 
-  result = ValidateResult(AuthKind.basic, **args)
-  result.apply_to_context()
+    result = ValidateResult(AuthKind.basic, **args)
+    result.apply_to_context()
 
-  expected_user = entity if entity_kind == 'user' or entity_kind == 'robot' else None
-  if entity_kind == 'oauthtoken':
-    expected_user = entity.authorized_user
+    expected_user = entity if entity_kind == "user" or entity_kind == "robot" else None
+    if entity_kind == "oauthtoken":
+        expected_user = entity.authorized_user
 
-  if entity_kind == 'appspecifictoken':
-    expected_user = entity.user
+    if entity_kind == "appspecifictoken":
+        expected_user = entity.user
 
-  expected_token = entity if entity_kind == 'token' else None
-  expected_oauth = entity if entity_kind == 'oauthtoken' else None
-  expected_appspecifictoken = entity if entity_kind == 'appspecifictoken' else None
-  expected_grant = entity if entity_kind == 'signed_data' else None
+    expected_token = entity if entity_kind == "token" else None
+    expected_oauth = entity if entity_kind == "oauthtoken" else None
+    expected_appspecifictoken = entity if entity_kind == "appspecifictoken" else None
+    expected_grant = entity if entity_kind == "signed_data" else None
 
-  assert get_authenticated_context().authed_user == expected_user
-  assert get_authenticated_context().token == expected_token
-  assert get_authenticated_context().oauthtoken == expected_oauth
-  assert get_authenticated_context().appspecifictoken == expected_appspecifictoken
-  assert get_authenticated_context().signed_data == expected_grant
+    assert get_authenticated_context().authed_user == expected_user
+    assert get_authenticated_context().token == expected_token
+    assert get_authenticated_context().oauthtoken == expected_oauth
+    assert get_authenticated_context().appspecifictoken == expected_appspecifictoken
+    assert get_authenticated_context().signed_data == expected_grant
diff --git a/auth/validateresult.py b/auth/validateresult.py
index 3235104e0..09cc09b11 100644
--- a/auth/validateresult.py
+++ b/auth/validateresult.py
@@ -3,54 +3,76 @@ from auth.auth_context_type import ValidatedAuthContext, ContextEntityKind
 
 
 class AuthKind(Enum):
-  cookie = 'cookie'
-  basic = 'basic'
-  oauth = 'oauth'
-  signed_grant = 'signed_grant'
-  credentials = 'credentials'
+    cookie = "cookie"
+    basic = "basic"
+    oauth = "oauth"
+    signed_grant = "signed_grant"
+    credentials = "credentials"
 
 
 class ValidateResult(object):
-  """ A result of validating auth in one form or another. """
-  def __init__(self, kind, missing=False, user=None, token=None, oauthtoken=None,
-               robot=None, appspecifictoken=None, signed_data=None, error_message=None):
-    self.kind = kind
-    self.missing = missing
-    self.error_message = error_message
-    self.context = ValidatedAuthContext(user=user, token=token, oauthtoken=oauthtoken, robot=robot,
-                                        appspecifictoken=appspecifictoken, signed_data=signed_data)
+    """ A result of validating auth in one form or another. """
 
-  def tuple(self):
-    return (self.kind, self.missing, self.error_message, self.context.tuple())
+    def __init__(
+        self,
+        kind,
+        missing=False,
+        user=None,
+        token=None,
+        oauthtoken=None,
+        robot=None,
+        appspecifictoken=None,
+        signed_data=None,
+        error_message=None,
+    ):
+        self.kind = kind
+        self.missing = missing
+        self.error_message = error_message
+        self.context = ValidatedAuthContext(
+            user=user,
+            token=token,
+            oauthtoken=oauthtoken,
+            robot=robot,
+            appspecifictoken=appspecifictoken,
+            signed_data=signed_data,
+        )
 
-  def __eq__(self, other):
-    return self.tuple() == other.tuple()
+    def tuple(self):
+        return (self.kind, self.missing, self.error_message, self.context.tuple())
 
-  def apply_to_context(self):
-    """ Applies this auth result to the auth context and Flask-Principal. """
-    self.context.apply_to_request_context()
+    def __eq__(self, other):
+        return self.tuple() == other.tuple()
 
-  def with_kind(self, kind):
-    """ Returns a copy of this result, but with the kind replaced. """
-    result = ValidateResult(kind, missing=self.missing, error_message=self.error_message)
-    result.context = self.context
-    return result
+    def apply_to_context(self):
+        """ Applies this auth result to the auth context and Flask-Principal. """
+        self.context.apply_to_request_context()
 
-  def __repr__(self):
-    return 'ValidateResult: %s (missing: %s, error: %s)' % (self.kind, self.missing,
-                                                            self.error_message)
+    def with_kind(self, kind):
+        """ Returns a copy of this result, but with the kind replaced. """
+        result = ValidateResult(
+            kind, missing=self.missing, error_message=self.error_message
+        )
+        result.context = self.context
+        return result
 
-  @property
-  def authed_user(self):
-    """ Returns the authenticated user, whether directly, or via an OAuth token. """
-    return self.context.authed_user
+    def __repr__(self):
+        return "ValidateResult: %s (missing: %s, error: %s)" % (
+            self.kind,
+            self.missing,
+            self.error_message,
+        )
 
-  @property
-  def has_nonrobot_user(self):
-    """ Returns whether a user (not a robot) was authenticated successfully. """
-    return self.context.has_nonrobot_user
+    @property
+    def authed_user(self):
+        """ Returns the authenticated user, whether directly, or via an OAuth token. """
+        return self.context.authed_user
 
-  @property
-  def auth_valid(self):
-    """ Returns whether authentication successfully occurred. """
-    return self.context.entity_kind != ContextEntityKind.anonymous
+    @property
+    def has_nonrobot_user(self):
+        """ Returns whether a user (not a robot) was authenticated successfully. """
+        return self.context.has_nonrobot_user
+
+    @property
+    def auth_valid(self):
+        """ Returns whether authentication successfully occurred. """
+        return self.context.entity_kind != ContextEntityKind.anonymous
diff --git a/avatars/avatars.py b/avatars/avatars.py
index 737b51191..67969eee7 100644
--- a/avatars/avatars.py
+++ b/avatars/avatars.py
@@ -6,110 +6,133 @@ from requests.exceptions import RequestException
 
 logger = logging.getLogger(__name__)
 
+
 class Avatar(object):
-  def __init__(self, app=None):
-    self.app = app
-    self.state = self._init_app(app)
+    def __init__(self, app=None):
+        self.app = app
+        self.state = self._init_app(app)
 
-  def _init_app(self, app):
-    return AVATAR_CLASSES[app.config.get('AVATAR_KIND', 'Gravatar')](
-      app.config['PREFERRED_URL_SCHEME'], app.config['AVATAR_COLORS'], app.config['HTTPCLIENT'])
+    def _init_app(self, app):
+        return AVATAR_CLASSES[app.config.get("AVATAR_KIND", "Gravatar")](
+            app.config["PREFERRED_URL_SCHEME"],
+            app.config["AVATAR_COLORS"],
+            app.config["HTTPCLIENT"],
+        )
 
-  def __getattr__(self, name):
-    return getattr(self.state, name, None)
+    def __getattr__(self, name):
+        return getattr(self.state, name, None)
 
 
 class BaseAvatar(object):
-  """ Base class for all avatar implementations. """
-  def __init__(self, preferred_url_scheme, colors, http_client):
-    self.preferred_url_scheme = preferred_url_scheme
-    self.colors = colors
-    self.http_client = http_client
+    """ Base class for all avatar implementations. """
 
-  def get_mail_html(self, name, email_or_id, size=16, kind='user'):
-    """ Returns the full HTML and CSS for viewing the avatar of the given name and email address,
+    def __init__(self, preferred_url_scheme, colors, http_client):
+        self.preferred_url_scheme = preferred_url_scheme
+        self.colors = colors
+        self.http_client = http_client
+
+    def get_mail_html(self, name, email_or_id, size=16, kind="user"):
+        """ Returns the full HTML and CSS for viewing the avatar of the given name and email address,
         with an optional size.
     """
-    data = self.get_data(name, email_or_id, kind)
-    url = self._get_url(data['hash'], size) if kind != 'team' else None
-    font_size = size - 6
+        data = self.get_data(name, email_or_id, kind)
+        url = self._get_url(data["hash"], size) if kind != "team" else None
+        font_size = size - 6
 
-    if url is not None:
-      # Try to load the gravatar. If we get a non-404 response, then we use it in place of
-      # the CSS avatar.
-      try:
-        response = self.http_client.get(url, timeout=5)
-        if response.status_code == 200:
-          return """<img src="%s" width="%s" height="%s" alt="%s"
-                         style="vertical-align: middle;">""" % (url, size, size, kind)
-      except RequestException:
-        logger.exception('Could not retrieve avatar for user %s', name)
+        if url is not None:
+            # Try to load the gravatar. If we get a non-404 response, then we use it in place of
+            # the CSS avatar.
+            try:
+                response = self.http_client.get(url, timeout=5)
+                if response.status_code == 200:
+                    return """<img src="%s" width="%s" height="%s" alt="%s"
+                         style="vertical-align: middle;">""" % (
+                        url,
+                        size,
+                        size,
+                        kind,
+                    )
+            except RequestException:
+                logger.exception("Could not retrieve avatar for user %s", name)
 
-    radius = '50%' if kind == 'team' else '0%'
-    letter = '&Omega;' if kind == 'team' and data['name'] == 'owners' else data['name'].upper()[0]
+        radius = "50%" if kind == "team" else "0%"
+        letter = (
+            "&Omega;"
+            if kind == "team" and data["name"] == "owners"
+            else data["name"].upper()[0]
+        )
 
-    return """
+        return """
       <span style="width: %spx; height: %spx; background-color: %s; font-size: %spx;
                    line-height: %spx; margin-left: 2px; margin-right: 2px; display: inline-block;
                    vertical-align: middle; text-align: center; color: white; border-radius: %s">
         %s
       </span>
-""" % (size, size, data['color'], font_size, size, radius, letter)
+""" % (
+            size,
+            size,
+            data["color"],
+            font_size,
+            size,
+            radius,
+            letter,
+        )
 
-  def get_data_for_user(self, user):
-    return self.get_data(user.username, user.email, 'robot' if user.robot else 'user')
+    def get_data_for_user(self, user):
+        return self.get_data(
+            user.username, user.email, "robot" if user.robot else "user"
+        )
 
-  def get_data_for_team(self, team):
-    return self.get_data(team.name, team.name, 'team')
+    def get_data_for_team(self, team):
+        return self.get_data(team.name, team.name, "team")
 
-  def get_data_for_org(self, org):
-    return self.get_data(org.username, org.email, 'org')
+    def get_data_for_org(self, org):
+        return self.get_data(org.username, org.email, "org")
 
-  def get_data_for_external_user(self, external_user):
-    return self.get_data(external_user.username, external_user.email, 'user')
+    def get_data_for_external_user(self, external_user):
+        return self.get_data(external_user.username, external_user.email, "user")
 
-  def get_data(self, name, email_or_id, kind='user'):
-    """ Computes and returns the full data block for the avatar:
+    def get_data(self, name, email_or_id, kind="user"):
+        """ Computes and returns the full data block for the avatar:
         {
           'name': name,
           'hash': The gravatar hash, if any.
           'color': The color for the avatar
         }
     """
-    colors = self.colors
+        colors = self.colors
 
-    # Note: email_or_id may be None if gotten from external auth when email is disabled,
-    # so use the username in that case.
-    username_email_or_id = email_or_id or name
-    hash_value = hashlib.md5(username_email_or_id.strip().lower()).hexdigest()
+        # Note: email_or_id may be None if gotten from external auth when email is disabled,
+        # so use the username in that case.
+        username_email_or_id = email_or_id or name
+        hash_value = hashlib.md5(username_email_or_id.strip().lower()).hexdigest()
 
-    byte_count = int(math.ceil(math.log(len(colors), 16)))
-    byte_data = hash_value[0:byte_count]
-    hash_color = colors[int(byte_data, 16) % len(colors)]
+        byte_count = int(math.ceil(math.log(len(colors), 16)))
+        byte_data = hash_value[0:byte_count]
+        hash_color = colors[int(byte_data, 16) % len(colors)]
 
-    return {
-      'name': name,
-      'hash': hash_value,
-      'color': hash_color,
-      'kind': kind
-    }
+        return {"name": name, "hash": hash_value, "color": hash_color, "kind": kind}
 
-  def _get_url(self, hash_value, size):
-    """ Returns the URL for displaying the overlay avatar. """
-    return None
+    def _get_url(self, hash_value, size):
+        """ Returns the URL for displaying the overlay avatar. """
+        return None
 
 
 class GravatarAvatar(BaseAvatar):
-  """ Avatar system that uses gravatar for generating avatars. """
-  def _get_url(self, hash_value, size=16):
-    return '%s://www.gravatar.com/avatar/%s?d=404&size=%s' % (self.preferred_url_scheme,
-                                                              hash_value, size)
+    """ Avatar system that uses gravatar for generating avatars. """
+
+    def _get_url(self, hash_value, size=16):
+        return "%s://www.gravatar.com/avatar/%s?d=404&size=%s" % (
+            self.preferred_url_scheme,
+            hash_value,
+            size,
+        )
+
 
 class LocalAvatar(BaseAvatar):
-  """ Avatar system that uses the local system for generating avatars. """
-  pass
+    """ Avatar system that uses the local system for generating avatars. """
 
-AVATAR_CLASSES = {
-  'gravatar': GravatarAvatar,
-  'local': LocalAvatar
-}
+    pass
+
+
+AVATAR_CLASSES = {"gravatar": GravatarAvatar, "local": LocalAvatar}
diff --git a/boot.py b/boot.py
index 228fb2987..d9c906ab5 100755
--- a/boot.py
+++ b/boot.py
@@ -16,7 +16,7 @@ from data.model.release import set_region_release
 from data.model.service_keys import get_service_key
 from util.config.database import sync_database_with_config
 from util.generatepresharedkey import generate_key
-from  _init import CONF_DIR
+from _init import CONF_DIR
 
 
 logger = logging.getLogger(__name__)
@@ -24,108 +24,117 @@ logger = logging.getLogger(__name__)
 
 @lru_cache(maxsize=1)
 def get_audience():
-  audience = app.config.get('JWTPROXY_AUDIENCE')
+    audience = app.config.get("JWTPROXY_AUDIENCE")
 
-  if audience:
-    return audience
+    if audience:
+        return audience
 
-  scheme = app.config.get('PREFERRED_URL_SCHEME')
-  hostname = app.config.get('SERVER_HOSTNAME')
+    scheme = app.config.get("PREFERRED_URL_SCHEME")
+    hostname = app.config.get("SERVER_HOSTNAME")
 
-  # hostname includes port, use that
-  if ':' in hostname:
-    return urlunparse((scheme, hostname, '', '', '', ''))
+    # hostname includes port, use that
+    if ":" in hostname:
+        return urlunparse((scheme, hostname, "", "", "", ""))
 
-  # no port, guess based on scheme
-  if scheme == 'https':
-    port = '443'
-  else:
-    port = '80'
+    # no port, guess based on scheme
+    if scheme == "https":
+        port = "443"
+    else:
+        port = "80"
 
-  return urlunparse((scheme, hostname + ':' + port, '', '', '', ''))
+    return urlunparse((scheme, hostname + ":" + port, "", "", "", ""))
 
 
 def _verify_service_key():
-  try:
-    with open(app.config['INSTANCE_SERVICE_KEY_KID_LOCATION']) as f:
-      quay_key_id = f.read()
-
     try:
-      get_service_key(quay_key_id, approved_only=False)
-      assert os.path.exists(app.config['INSTANCE_SERVICE_KEY_LOCATION'])
-      return quay_key_id
-    except ServiceKeyDoesNotExist:
-      logger.exception('Could not find non-expired existing service key %s; creating a new one',
-                       quay_key_id)
-      return None
+        with open(app.config["INSTANCE_SERVICE_KEY_KID_LOCATION"]) as f:
+            quay_key_id = f.read()
 
-    # Found a valid service key, so exiting.
-  except IOError:
-    logger.exception('Could not load existing service key; creating a new one')
-    return None
+        try:
+            get_service_key(quay_key_id, approved_only=False)
+            assert os.path.exists(app.config["INSTANCE_SERVICE_KEY_LOCATION"])
+            return quay_key_id
+        except ServiceKeyDoesNotExist:
+            logger.exception(
+                "Could not find non-expired existing service key %s; creating a new one",
+                quay_key_id,
+            )
+            return None
+
+        # Found a valid service key, so exiting.
+    except IOError:
+        logger.exception("Could not load existing service key; creating a new one")
+        return None
 
 
 def setup_jwt_proxy():
-  """
+    """
   Creates a service key for quay to use in the jwtproxy and generates the JWT proxy configuration.
   """
-  if os.path.exists(os.path.join(CONF_DIR, 'jwtproxy_conf.yaml')):
-    # Proxy is already setup. Make sure the service key is still valid.
-    quay_key_id = _verify_service_key()
-    if quay_key_id is not None:
-      return
+    if os.path.exists(os.path.join(CONF_DIR, "jwtproxy_conf.yaml")):
+        # Proxy is already setup. Make sure the service key is still valid.
+        quay_key_id = _verify_service_key()
+        if quay_key_id is not None:
+            return
 
-  # Ensure we have an existing key if in read-only mode.
-  if app.config.get('REGISTRY_STATE', 'normal') == 'readonly':
-    quay_key_id = _verify_service_key()
-    if quay_key_id is None:
-      raise Exception('No valid service key found for read-only registry.')
-  else:
-    # Generate the key for this Quay instance to use.
-    minutes_until_expiration = app.config.get('INSTANCE_SERVICE_KEY_EXPIRATION', 120)
-    expiration = datetime.now() + timedelta(minutes=minutes_until_expiration)
-    quay_key, quay_key_id = generate_key(app.config['INSTANCE_SERVICE_KEY_SERVICE'],
-                                         get_audience(), expiration_date=expiration)
+    # Ensure we have an existing key if in read-only mode.
+    if app.config.get("REGISTRY_STATE", "normal") == "readonly":
+        quay_key_id = _verify_service_key()
+        if quay_key_id is None:
+            raise Exception("No valid service key found for read-only registry.")
+    else:
+        # Generate the key for this Quay instance to use.
+        minutes_until_expiration = app.config.get(
+            "INSTANCE_SERVICE_KEY_EXPIRATION", 120
+        )
+        expiration = datetime.now() + timedelta(minutes=minutes_until_expiration)
+        quay_key, quay_key_id = generate_key(
+            app.config["INSTANCE_SERVICE_KEY_SERVICE"],
+            get_audience(),
+            expiration_date=expiration,
+        )
 
-    with open(app.config['INSTANCE_SERVICE_KEY_KID_LOCATION'], mode='w') as f:
-      f.truncate(0)
-      f.write(quay_key_id)
+        with open(app.config["INSTANCE_SERVICE_KEY_KID_LOCATION"], mode="w") as f:
+            f.truncate(0)
+            f.write(quay_key_id)
 
-    with open(app.config['INSTANCE_SERVICE_KEY_LOCATION'], mode='w') as f:
-      f.truncate(0)
-      f.write(quay_key.exportKey())
+        with open(app.config["INSTANCE_SERVICE_KEY_LOCATION"], mode="w") as f:
+            f.truncate(0)
+            f.write(quay_key.exportKey())
 
-  # Generate the JWT proxy configuration.
-  audience = get_audience()
-  registry = audience + '/keys'
-  security_issuer = app.config.get('SECURITY_SCANNER_ISSUER_NAME', 'security_scanner')
+    # Generate the JWT proxy configuration.
+    audience = get_audience()
+    registry = audience + "/keys"
+    security_issuer = app.config.get("SECURITY_SCANNER_ISSUER_NAME", "security_scanner")
 
-  with open(os.path.join(CONF_DIR, 'jwtproxy_conf.yaml.jnj')) as f:
-    template = Template(f.read())
-    rendered = template.render(
-      conf_dir=CONF_DIR,
-      audience=audience,
-      registry=registry,
-      key_id=quay_key_id,
-      security_issuer=security_issuer,
-      service_key_location=app.config['INSTANCE_SERVICE_KEY_LOCATION'],
-    )
+    with open(os.path.join(CONF_DIR, "jwtproxy_conf.yaml.jnj")) as f:
+        template = Template(f.read())
+        rendered = template.render(
+            conf_dir=CONF_DIR,
+            audience=audience,
+            registry=registry,
+            key_id=quay_key_id,
+            security_issuer=security_issuer,
+            service_key_location=app.config["INSTANCE_SERVICE_KEY_LOCATION"],
+        )
 
-  with open(os.path.join(CONF_DIR, 'jwtproxy_conf.yaml'), 'w') as f:
-    f.write(rendered)
+    with open(os.path.join(CONF_DIR, "jwtproxy_conf.yaml"), "w") as f:
+        f.write(rendered)
 
 
 def main():
-  if not app.config.get('SETUP_COMPLETE', False):
-    raise Exception('Your configuration bundle is either not mounted or setup has not been completed')
+    if not app.config.get("SETUP_COMPLETE", False):
+        raise Exception(
+            "Your configuration bundle is either not mounted or setup has not been completed"
+        )
 
-  sync_database_with_config(app.config)
-  setup_jwt_proxy()
+    sync_database_with_config(app.config)
+    setup_jwt_proxy()
 
-  # Record deploy
-  if release.REGION and release.GIT_HEAD:
-    set_region_release(release.SERVICE, release.REGION, release.GIT_HEAD)
+    # Record deploy
+    if release.REGION and release.GIT_HEAD:
+        set_region_release(release.SERVICE, release.REGION, release.GIT_HEAD)
 
 
-if __name__ == '__main__':
-  main()
+if __name__ == "__main__":
+    main()
diff --git a/buildman/asyncutil.py b/buildman/asyncutil.py
index accb13542..f913072c4 100644
--- a/buildman/asyncutil.py
+++ b/buildman/asyncutil.py
@@ -5,38 +5,39 @@ from trollius import get_event_loop, coroutine
 
 
 def wrap_with_threadpool(obj, worker_threads=1):
-  """
+    """
   Wraps a class in an async executor so that it can be safely used in an event loop like trollius.
   """
-  async_executor = ThreadPoolExecutor(worker_threads)
-  return AsyncWrapper(obj, executor=async_executor), async_executor
+    async_executor = ThreadPoolExecutor(worker_threads)
+    return AsyncWrapper(obj, executor=async_executor), async_executor
 
 
 class AsyncWrapper(object):
-  """ Wrapper class which will transform a syncronous library to one that can be used with
+    """ Wrapper class which will transform a syncronous library to one that can be used with
       trollius coroutines.
   """
-  def __init__(self, delegate, loop=None, executor=None):
-    self._loop = loop if loop is not None else get_event_loop()
-    self._delegate = delegate
-    self._executor = executor
 
-  def __getattr__(self, attrib):
-    delegate_attr = getattr(self._delegate, attrib)
+    def __init__(self, delegate, loop=None, executor=None):
+        self._loop = loop if loop is not None else get_event_loop()
+        self._delegate = delegate
+        self._executor = executor
 
-    if not callable(delegate_attr):
-      return delegate_attr
+    def __getattr__(self, attrib):
+        delegate_attr = getattr(self._delegate, attrib)
 
-    def wrapper(*args, **kwargs):
-      """ Wraps the delegate_attr with primitives that will transform sync calls to ones shelled
+        if not callable(delegate_attr):
+            return delegate_attr
+
+        def wrapper(*args, **kwargs):
+            """ Wraps the delegate_attr with primitives that will transform sync calls to ones shelled
           out to a thread pool.
       """
-      callable_delegate_attr = partial(delegate_attr, *args, **kwargs)
-      return self._loop.run_in_executor(self._executor, callable_delegate_attr)
+            callable_delegate_attr = partial(delegate_attr, *args, **kwargs)
+            return self._loop.run_in_executor(self._executor, callable_delegate_attr)
 
-    return wrapper
+        return wrapper
 
-  @coroutine
-  def __call__(self, *args, **kwargs):
-    callable_delegate_attr = partial(self._delegate, *args, **kwargs)
-    return self._loop.run_in_executor(self._executor, callable_delegate_attr)
+    @coroutine
+    def __call__(self, *args, **kwargs):
+        callable_delegate_attr = partial(self._delegate, *args, **kwargs)
+        return self._loop.run_in_executor(self._executor, callable_delegate_attr)
diff --git a/buildman/builder.py b/buildman/builder.py
index 0261c262d..8c31da891 100644
--- a/buildman/builder.py
+++ b/buildman/builder.py
@@ -18,80 +18,104 @@ from raven.conf import setup_logging
 
 logger = logging.getLogger(__name__)
 
-BUILD_MANAGERS = {
-  'enterprise': EnterpriseManager,
-  'ephemeral': EphemeralBuilderManager,
-}
+BUILD_MANAGERS = {"enterprise": EnterpriseManager, "ephemeral": EphemeralBuilderManager}
 
-EXTERNALLY_MANAGED = 'external'
+EXTERNALLY_MANAGED = "external"
 
 DEFAULT_WEBSOCKET_PORT = 8787
 DEFAULT_CONTROLLER_PORT = 8686
 
 LOG_FORMAT = "%(asctime)s [%(process)d] [%(levelname)s] [%(name)s] %(message)s"
 
+
 def run_build_manager():
-  if not features.BUILD_SUPPORT:
-    logger.debug('Building is disabled. Please enable the feature flag')
-    while True:
-      time.sleep(1000)
-    return
+    if not features.BUILD_SUPPORT:
+        logger.debug("Building is disabled. Please enable the feature flag")
+        while True:
+            time.sleep(1000)
+        return
 
-  if app.config.get('REGISTRY_STATE', 'normal') == 'readonly':
-    logger.debug('Building is disabled while in read-only mode.')
-    while True:
-      time.sleep(1000)
-    return
+    if app.config.get("REGISTRY_STATE", "normal") == "readonly":
+        logger.debug("Building is disabled while in read-only mode.")
+        while True:
+            time.sleep(1000)
+        return
 
-  build_manager_config = app.config.get('BUILD_MANAGER')
-  if build_manager_config is None:
-    return
+    build_manager_config = app.config.get("BUILD_MANAGER")
+    if build_manager_config is None:
+        return
 
-  # If the build system is externally managed, then we just sleep this process.
-  if build_manager_config[0] == EXTERNALLY_MANAGED:
-    logger.debug('Builds are externally managed.')
-    while True:
-      time.sleep(1000)
-    return
+    # If the build system is externally managed, then we just sleep this process.
+    if build_manager_config[0] == EXTERNALLY_MANAGED:
+        logger.debug("Builds are externally managed.")
+        while True:
+            time.sleep(1000)
+        return
 
-  logger.debug('Asking to start build manager with lifecycle "%s"', build_manager_config[0])
-  manager_klass = BUILD_MANAGERS.get(build_manager_config[0])
-  if manager_klass is None:
-    return
+    logger.debug(
+        'Asking to start build manager with lifecycle "%s"', build_manager_config[0]
+    )
+    manager_klass = BUILD_MANAGERS.get(build_manager_config[0])
+    if manager_klass is None:
+        return
 
-  manager_hostname = os.environ.get('BUILDMAN_HOSTNAME',
-                                    app.config.get('BUILDMAN_HOSTNAME',
-                                                   app.config['SERVER_HOSTNAME']))
-  websocket_port = int(os.environ.get('BUILDMAN_WEBSOCKET_PORT',
-                                      app.config.get('BUILDMAN_WEBSOCKET_PORT',
-                                                     DEFAULT_WEBSOCKET_PORT)))
-  controller_port = int(os.environ.get('BUILDMAN_CONTROLLER_PORT',
-                                       app.config.get('BUILDMAN_CONTROLLER_PORT',
-                                                      DEFAULT_CONTROLLER_PORT)))
+    manager_hostname = os.environ.get(
+        "BUILDMAN_HOSTNAME",
+        app.config.get("BUILDMAN_HOSTNAME", app.config["SERVER_HOSTNAME"]),
+    )
+    websocket_port = int(
+        os.environ.get(
+            "BUILDMAN_WEBSOCKET_PORT",
+            app.config.get("BUILDMAN_WEBSOCKET_PORT", DEFAULT_WEBSOCKET_PORT),
+        )
+    )
+    controller_port = int(
+        os.environ.get(
+            "BUILDMAN_CONTROLLER_PORT",
+            app.config.get("BUILDMAN_CONTROLLER_PORT", DEFAULT_CONTROLLER_PORT),
+        )
+    )
 
-  logger.debug('Will pass buildman hostname %s to builders for websocket connection',
-               manager_hostname)
+    logger.debug(
+        "Will pass buildman hostname %s to builders for websocket connection",
+        manager_hostname,
+    )
 
-  logger.debug('Starting build manager with lifecycle "%s"', build_manager_config[0])
-  ssl_context = None
-  if os.environ.get('SSL_CONFIG'):
-    logger.debug('Loading SSL cert and key')
-    ssl_context = SSLContext()
-    ssl_context.load_cert_chain(os.path.join(os.environ.get('SSL_CONFIG'), 'ssl.cert'),
-                                os.path.join(os.environ.get('SSL_CONFIG'), 'ssl.key'))
+    logger.debug('Starting build manager with lifecycle "%s"', build_manager_config[0])
+    ssl_context = None
+    if os.environ.get("SSL_CONFIG"):
+        logger.debug("Loading SSL cert and key")
+        ssl_context = SSLContext()
+        ssl_context.load_cert_chain(
+            os.path.join(os.environ.get("SSL_CONFIG"), "ssl.cert"),
+            os.path.join(os.environ.get("SSL_CONFIG"), "ssl.key"),
+        )
 
-  server = BuilderServer(app.config['SERVER_HOSTNAME'], dockerfile_build_queue, build_logs,
-                         user_files, manager_klass, build_manager_config[1], manager_hostname)
-  server.run('0.0.0.0', websocket_port, controller_port, ssl=ssl_context)
+    server = BuilderServer(
+        app.config["SERVER_HOSTNAME"],
+        dockerfile_build_queue,
+        build_logs,
+        user_files,
+        manager_klass,
+        build_manager_config[1],
+        manager_hostname,
+    )
+    server.run("0.0.0.0", websocket_port, controller_port, ssl=ssl_context)
 
-if __name__ == '__main__':
-  logging.config.fileConfig(logfile_path(debug=True), disable_existing_loggers=False)
-  logging.getLogger('peewee').setLevel(logging.WARN)
-  logging.getLogger('boto').setLevel(logging.WARN)
 
-  if app.config.get('EXCEPTION_LOG_TYPE', 'FakeSentry') == 'Sentry':
-    buildman_name = '%s:buildman' % socket.gethostname()
-    setup_logging(SentryHandler(app.config.get('SENTRY_DSN', ''), name=buildman_name,
-                                level=logging.ERROR))
+if __name__ == "__main__":
+    logging.config.fileConfig(logfile_path(debug=True), disable_existing_loggers=False)
+    logging.getLogger("peewee").setLevel(logging.WARN)
+    logging.getLogger("boto").setLevel(logging.WARN)
 
-  run_build_manager()
+    if app.config.get("EXCEPTION_LOG_TYPE", "FakeSentry") == "Sentry":
+        buildman_name = "%s:buildman" % socket.gethostname()
+        setup_logging(
+            SentryHandler(
+                app.config.get("SENTRY_DSN", ""),
+                name=buildman_name,
+                level=logging.ERROR,
+            )
+        )
+
+    run_build_manager()
diff --git a/buildman/component/basecomponent.py b/buildman/component/basecomponent.py
index bd4032776..8806b5629 100644
--- a/buildman/component/basecomponent.py
+++ b/buildman/component/basecomponent.py
@@ -1,13 +1,15 @@
 from autobahn.asyncio.wamp import ApplicationSession
 
-class BaseComponent(ApplicationSession):
-  """ Base class for all registered component sessions in the server. """
-  def __init__(self, config, **kwargs):
-    ApplicationSession.__init__(self, config)
-    self.server = None
-    self.parent_manager = None
-    self.build_logs = None
-    self.user_files = None
 
-  def kind(self):
-    raise NotImplementedError
\ No newline at end of file
+class BaseComponent(ApplicationSession):
+    """ Base class for all registered component sessions in the server. """
+
+    def __init__(self, config, **kwargs):
+        ApplicationSession.__init__(self, config)
+        self.server = None
+        self.parent_manager = None
+        self.build_logs = None
+        self.user_files = None
+
+    def kind(self):
+        raise NotImplementedError
diff --git a/buildman/component/buildcomponent.py b/buildman/component/buildcomponent.py
index 62c64e6b8..9e7b4946a 100644
--- a/buildman/component/buildcomponent.py
+++ b/buildman/component/buildcomponent.py
@@ -27,513 +27,632 @@ BUILD_HEARTBEAT_DELAY = datetime.timedelta(seconds=30)
 HEARTBEAT_TIMEOUT = 10
 INITIAL_TIMEOUT = 25
 
-SUPPORTED_WORKER_VERSIONS = ['0.3']
+SUPPORTED_WORKER_VERSIONS = ["0.3"]
 
 # Label which marks a manifest with its source build ID.
-INTERNAL_LABEL_BUILD_UUID = 'quay.build.uuid'
+INTERNAL_LABEL_BUILD_UUID = "quay.build.uuid"
 
 logger = logging.getLogger(__name__)
 
+
 class ComponentStatus(object):
-  """ ComponentStatus represents the possible states of a component. """
-  JOINING = 'joining'
-  WAITING = 'waiting'
-  RUNNING = 'running'
-  BUILDING = 'building'
-  TIMED_OUT = 'timeout'
+    """ ComponentStatus represents the possible states of a component. """
+
+    JOINING = "joining"
+    WAITING = "waiting"
+    RUNNING = "running"
+    BUILDING = "building"
+    TIMED_OUT = "timeout"
+
 
 class BuildComponent(BaseComponent):
-  """ An application session component which conducts one (or more) builds. """
-  def __init__(self, config, realm=None, token=None, **kwargs):
-    self.expected_token = token
-    self.builder_realm = realm
+    """ An application session component which conducts one (or more) builds. """
 
-    self.parent_manager = None
-    self.registry_hostname = None
+    def __init__(self, config, realm=None, token=None, **kwargs):
+        self.expected_token = token
+        self.builder_realm = realm
 
-    self._component_status = ComponentStatus.JOINING
-    self._last_heartbeat = None
-    self._current_job = None
-    self._build_status = None
-    self._image_info = None
-    self._worker_version = None
+        self.parent_manager = None
+        self.registry_hostname = None
 
-    BaseComponent.__init__(self, config, **kwargs)
+        self._component_status = ComponentStatus.JOINING
+        self._last_heartbeat = None
+        self._current_job = None
+        self._build_status = None
+        self._image_info = None
+        self._worker_version = None
 
-  def kind(self):
-    return 'builder'
+        BaseComponent.__init__(self, config, **kwargs)
 
-  def onConnect(self):
-    self.join(self.builder_realm)
+    def kind(self):
+        return "builder"
 
-  @trollius.coroutine
-  def onJoin(self, details):
-    logger.debug('Registering methods and listeners for component %s', self.builder_realm)
-    yield From(self.register(self._on_ready, u'io.quay.buildworker.ready'))
-    yield From(self.register(self._determine_cache_tag, u'io.quay.buildworker.determinecachetag'))
-    yield From(self.register(self._ping, u'io.quay.buildworker.ping'))
-    yield From(self.register(self._on_log_message, u'io.quay.builder.logmessagesynchronously'))
+    def onConnect(self):
+        self.join(self.builder_realm)
 
-    yield From(self.subscribe(self._on_heartbeat, u'io.quay.builder.heartbeat'))
+    @trollius.coroutine
+    def onJoin(self, details):
+        logger.debug(
+            "Registering methods and listeners for component %s", self.builder_realm
+        )
+        yield From(self.register(self._on_ready, u"io.quay.buildworker.ready"))
+        yield From(
+            self.register(
+                self._determine_cache_tag, u"io.quay.buildworker.determinecachetag"
+            )
+        )
+        yield From(self.register(self._ping, u"io.quay.buildworker.ping"))
+        yield From(
+            self.register(
+                self._on_log_message, u"io.quay.builder.logmessagesynchronously"
+            )
+        )
 
-    yield From(self._set_status(ComponentStatus.WAITING))
+        yield From(self.subscribe(self._on_heartbeat, u"io.quay.builder.heartbeat"))
 
-  @trollius.coroutine
-  def start_build(self, build_job):
-    """ Starts a build. """
-    if self._component_status not in (ComponentStatus.WAITING, ComponentStatus.RUNNING):
-      logger.debug('Could not start build for component %s (build %s, worker version: %s): %s',
-                   self.builder_realm, build_job.repo_build.uuid, self._worker_version,
-                   self._component_status)
-      raise Return()
+        yield From(self._set_status(ComponentStatus.WAITING))
 
-    logger.debug('Starting build for component %s (build %s, worker version: %s)',
-                 self.builder_realm, build_job.repo_build.uuid, self._worker_version)
+    @trollius.coroutine
+    def start_build(self, build_job):
+        """ Starts a build. """
+        if self._component_status not in (
+            ComponentStatus.WAITING,
+            ComponentStatus.RUNNING,
+        ):
+            logger.debug(
+                "Could not start build for component %s (build %s, worker version: %s): %s",
+                self.builder_realm,
+                build_job.repo_build.uuid,
+                self._worker_version,
+                self._component_status,
+            )
+            raise Return()
 
-    self._current_job = build_job
-    self._build_status = StatusHandler(self.build_logs, build_job.repo_build.uuid)
-    self._image_info = {}
+        logger.debug(
+            "Starting build for component %s (build %s, worker version: %s)",
+            self.builder_realm,
+            build_job.repo_build.uuid,
+            self._worker_version,
+        )
 
-    yield From(self._set_status(ComponentStatus.BUILDING))
+        self._current_job = build_job
+        self._build_status = StatusHandler(self.build_logs, build_job.repo_build.uuid)
+        self._image_info = {}
 
-    # Send the notification that the build has started.
-    build_job.send_notification('build_start')
+        yield From(self._set_status(ComponentStatus.BUILDING))
 
-    # Parse the build configuration.
-    try:
-      build_config = build_job.build_config
-    except BuildJobLoadException as irbe:
-      yield From(self._build_failure('Could not load build job information', irbe))
-      raise Return()
+        # Send the notification that the build has started.
+        build_job.send_notification("build_start")
 
-    base_image_information = {}
+        # Parse the build configuration.
+        try:
+            build_config = build_job.build_config
+        except BuildJobLoadException as irbe:
+            yield From(
+                self._build_failure("Could not load build job information", irbe)
+            )
+            raise Return()
 
-    # Add the pull robot information, if any.
-    if build_job.pull_credentials:
-      base_image_information['username'] = build_job.pull_credentials.get('username', '')
-      base_image_information['password'] = build_job.pull_credentials.get('password', '')
+        base_image_information = {}
 
-    # Retrieve the repository's fully qualified name.
-    repo = build_job.repo_build.repository
-    repository_name = repo.namespace_user.username + '/' + repo.name
+        # Add the pull robot information, if any.
+        if build_job.pull_credentials:
+            base_image_information["username"] = build_job.pull_credentials.get(
+                "username", ""
+            )
+            base_image_information["password"] = build_job.pull_credentials.get(
+                "password", ""
+            )
 
-    # Parse the build queue item into build arguments.
-    #  build_package: URL to the build package to download and untar/unzip.
-    #                 defaults to empty string to avoid requiring a pointer on the builder.
-    #  sub_directory: The location within the build package of the Dockerfile and the build context.
-    #  repository: The repository for which this build is occurring.
-    #  registry: The registry for which this build is occuring (e.g. 'quay.io').
-    #  pull_token: The token to use when pulling the cache for building.
-    #  push_token: The token to use to push the built image.
-    #  tag_names: The name(s) of the tag(s) for the newly built image.
-    #  base_image: The image name and credentials to use to conduct the base image pull.
-    #   username: The username for pulling the base image (if any).
-    #   password: The password for pulling the base image (if any).
-    context, dockerfile_path = self.extract_dockerfile_args(build_config)
-    build_arguments = {
-      'build_package': build_job.get_build_package_url(self.user_files),
-      'context': context,
-      'dockerfile_path': dockerfile_path,
-      'repository': repository_name,
-      'registry': self.registry_hostname,
-      'pull_token': build_job.repo_build.access_token.get_code(),
-      'push_token': build_job.repo_build.access_token.get_code(),
-      'tag_names': build_config.get('docker_tags', ['latest']),
-      'base_image': base_image_information,
-    }
+        # Retrieve the repository's fully qualified name.
+        repo = build_job.repo_build.repository
+        repository_name = repo.namespace_user.username + "/" + repo.name
 
-    # If the trigger has a private key, it's using git, thus we should add
-    # git data to the build args.
-    #  url: url used to clone the git repository
-    #  sha: the sha1 identifier of the commit to check out
-    #  private_key: the key used to get read access to the git repository
+        # Parse the build queue item into build arguments.
+        #  build_package: URL to the build package to download and untar/unzip.
+        #                 defaults to empty string to avoid requiring a pointer on the builder.
+        #  sub_directory: The location within the build package of the Dockerfile and the build context.
+        #  repository: The repository for which this build is occurring.
+        #  registry: The registry for which this build is occuring (e.g. 'quay.io').
+        #  pull_token: The token to use when pulling the cache for building.
+        #  push_token: The token to use to push the built image.
+        #  tag_names: The name(s) of the tag(s) for the newly built image.
+        #  base_image: The image name and credentials to use to conduct the base image pull.
+        #   username: The username for pulling the base image (if any).
+        #   password: The password for pulling the base image (if any).
+        context, dockerfile_path = self.extract_dockerfile_args(build_config)
+        build_arguments = {
+            "build_package": build_job.get_build_package_url(self.user_files),
+            "context": context,
+            "dockerfile_path": dockerfile_path,
+            "repository": repository_name,
+            "registry": self.registry_hostname,
+            "pull_token": build_job.repo_build.access_token.get_code(),
+            "push_token": build_job.repo_build.access_token.get_code(),
+            "tag_names": build_config.get("docker_tags", ["latest"]),
+            "base_image": base_image_information,
+        }
 
-    # TODO(remove-unenc): Remove legacy field.
-    private_key = None
-    if build_job.repo_build.trigger is not None and \
-       build_job.repo_build.trigger.secure_private_key is not None:
-      private_key = build_job.repo_build.trigger.secure_private_key.decrypt()
+        # If the trigger has a private key, it's using git, thus we should add
+        # git data to the build args.
+        #  url: url used to clone the git repository
+        #  sha: the sha1 identifier of the commit to check out
+        #  private_key: the key used to get read access to the git repository
 
-    if ActiveDataMigration.has_flag(ERTMigrationFlags.READ_OLD_FIELDS) and \
-       private_key is None and \
-       build_job.repo_build.trigger is not None:
-      private_key = build_job.repo_build.trigger.private_key
+        # TODO(remove-unenc): Remove legacy field.
+        private_key = None
+        if (
+            build_job.repo_build.trigger is not None
+            and build_job.repo_build.trigger.secure_private_key is not None
+        ):
+            private_key = build_job.repo_build.trigger.secure_private_key.decrypt()
 
-    if private_key is not None:
-      build_arguments['git'] = {
-        'url': build_config['trigger_metadata'].get('git_url', ''),
-        'sha': BuildComponent._commit_sha(build_config),
-        'private_key': private_key or '',
-      }
+        if (
+            ActiveDataMigration.has_flag(ERTMigrationFlags.READ_OLD_FIELDS)
+            and private_key is None
+            and build_job.repo_build.trigger is not None
+        ):
+            private_key = build_job.repo_build.trigger.private_key
 
-    # If the build args have no buildpack, mark it as a failure before sending
-    # it to a builder instance.
-    if not build_arguments['build_package'] and not build_arguments['git']:
-      logger.error('%s: insufficient build args: %s',
-                   self._current_job.repo_build.uuid, build_arguments)
-      yield From(self._build_failure('Insufficient build arguments. No buildpack available.'))
-      raise Return()
+        if private_key is not None:
+            build_arguments["git"] = {
+                "url": build_config["trigger_metadata"].get("git_url", ""),
+                "sha": BuildComponent._commit_sha(build_config),
+                "private_key": private_key or "",
+            }
 
-    # Invoke the build.
-    logger.debug('Invoking build: %s', self.builder_realm)
-    logger.debug('With Arguments: %s', build_arguments)
+        # If the build args have no buildpack, mark it as a failure before sending
+        # it to a builder instance.
+        if not build_arguments["build_package"] and not build_arguments["git"]:
+            logger.error(
+                "%s: insufficient build args: %s",
+                self._current_job.repo_build.uuid,
+                build_arguments,
+            )
+            yield From(
+                self._build_failure(
+                    "Insufficient build arguments. No buildpack available."
+                )
+            )
+            raise Return()
 
-    def build_complete_callback(result):
-      """ This function is used to execute a coroutine as the callback. """
-      trollius.ensure_future(self._build_complete(result))
+        # Invoke the build.
+        logger.debug("Invoking build: %s", self.builder_realm)
+        logger.debug("With Arguments: %s", build_arguments)
 
-    self.call("io.quay.builder.build", **build_arguments).add_done_callback(build_complete_callback)
+        def build_complete_callback(result):
+            """ This function is used to execute a coroutine as the callback. """
+            trollius.ensure_future(self._build_complete(result))
 
-    # Set the heartbeat for the future. If the builder never receives the build call,
-    # then this will cause a timeout after 30 seconds. We know the builder has registered
-    # by this point, so it makes sense to have a timeout.
-    self._last_heartbeat = datetime.datetime.utcnow() + BUILD_HEARTBEAT_DELAY
+        self.call("io.quay.builder.build", **build_arguments).add_done_callback(
+            build_complete_callback
+        )
 
-  @staticmethod
-  def extract_dockerfile_args(build_config):
-    dockerfile_path = build_config.get('build_subdir', '')
-    context = build_config.get('context', '')
-    if not (dockerfile_path == '' or context == ''):
-      # This should not happen and can be removed when we centralize validating build_config
-      dockerfile_abspath = slash_join('', dockerfile_path)
-      if ".." in os.path.relpath(dockerfile_abspath, context):
-        return os.path.split(dockerfile_path)
-      dockerfile_path = os.path.relpath(dockerfile_abspath, context)
+        # Set the heartbeat for the future. If the builder never receives the build call,
+        # then this will cause a timeout after 30 seconds. We know the builder has registered
+        # by this point, so it makes sense to have a timeout.
+        self._last_heartbeat = datetime.datetime.utcnow() + BUILD_HEARTBEAT_DELAY
 
-    return context, dockerfile_path
+    @staticmethod
+    def extract_dockerfile_args(build_config):
+        dockerfile_path = build_config.get("build_subdir", "")
+        context = build_config.get("context", "")
+        if not (dockerfile_path == "" or context == ""):
+            # This should not happen and can be removed when we centralize validating build_config
+            dockerfile_abspath = slash_join("", dockerfile_path)
+            if ".." in os.path.relpath(dockerfile_abspath, context):
+                return os.path.split(dockerfile_path)
+            dockerfile_path = os.path.relpath(dockerfile_abspath, context)
 
-  @staticmethod
-  def _commit_sha(build_config):
-    """ Determines whether the metadata is using an old schema or not and returns the commit. """
-    commit_sha = build_config['trigger_metadata'].get('commit', '')
-    old_commit_sha = build_config['trigger_metadata'].get('commit_sha', '')
-    return commit_sha or old_commit_sha
+        return context, dockerfile_path
 
-  @staticmethod
-  def name_and_path(subdir):
-    """ Returns the dockerfile path and name """
-    if subdir.endswith("/"):
-      subdir += "Dockerfile"
-    elif not subdir.endswith("Dockerfile"):
-      subdir += "/Dockerfile"
-    return os.path.split(subdir)
+    @staticmethod
+    def _commit_sha(build_config):
+        """ Determines whether the metadata is using an old schema or not and returns the commit. """
+        commit_sha = build_config["trigger_metadata"].get("commit", "")
+        old_commit_sha = build_config["trigger_metadata"].get("commit_sha", "")
+        return commit_sha or old_commit_sha
 
-  @staticmethod
-  def _total_completion(statuses, total_images):
-    """ Returns the current amount completion relative to the total completion of a build. """
-    percentage_with_sizes = float(len(statuses.values())) / total_images
-    sent_bytes = sum([status['current'] for status in statuses.values()])
-    total_bytes = sum([status['total'] for status in statuses.values()])
-    return float(sent_bytes) / total_bytes * percentage_with_sizes
+    @staticmethod
+    def name_and_path(subdir):
+        """ Returns the dockerfile path and name """
+        if subdir.endswith("/"):
+            subdir += "Dockerfile"
+        elif not subdir.endswith("Dockerfile"):
+            subdir += "/Dockerfile"
+        return os.path.split(subdir)
 
-  @staticmethod
-  def _process_pushpull_status(status_dict, current_phase, docker_data, images):
-    """ Processes the status of a push or pull by updating the provided status_dict and images. """
-    if not docker_data:
-      return
+    @staticmethod
+    def _total_completion(statuses, total_images):
+        """ Returns the current amount completion relative to the total completion of a build. """
+        percentage_with_sizes = float(len(statuses.values())) / total_images
+        sent_bytes = sum([status["current"] for status in statuses.values()])
+        total_bytes = sum([status["total"] for status in statuses.values()])
+        return float(sent_bytes) / total_bytes * percentage_with_sizes
 
-    num_images = 0
-    status_completion_key = ''
+    @staticmethod
+    def _process_pushpull_status(status_dict, current_phase, docker_data, images):
+        """ Processes the status of a push or pull by updating the provided status_dict and images. """
+        if not docker_data:
+            return
 
-    if current_phase == 'pushing':
-      status_completion_key = 'push_completion'
-      num_images = status_dict['total_commands']
-    elif current_phase == 'pulling':
-      status_completion_key = 'pull_completion'
-    elif current_phase == 'priming-cache':
-      status_completion_key = 'cache_completion'
-    else:
-      return
+        num_images = 0
+        status_completion_key = ""
 
-    if 'progressDetail' in docker_data and 'id' in docker_data:
-      image_id = docker_data['id']
-      detail = docker_data['progressDetail']
+        if current_phase == "pushing":
+            status_completion_key = "push_completion"
+            num_images = status_dict["total_commands"]
+        elif current_phase == "pulling":
+            status_completion_key = "pull_completion"
+        elif current_phase == "priming-cache":
+            status_completion_key = "cache_completion"
+        else:
+            return
 
-      if 'current' in detail and 'total' in detail:
-        images[image_id] = detail
-        status_dict[status_completion_key] = \
-          BuildComponent._total_completion(images, max(len(images), num_images))
+        if "progressDetail" in docker_data and "id" in docker_data:
+            image_id = docker_data["id"]
+            detail = docker_data["progressDetail"]
 
+            if "current" in detail and "total" in detail:
+                images[image_id] = detail
+                status_dict[status_completion_key] = BuildComponent._total_completion(
+                    images, max(len(images), num_images)
+                )
 
-  @trollius.coroutine
-  def _on_log_message(self, phase, json_data):
-    """ Tails log messages and updates the build status. """
-    # Update the heartbeat.
-    self._last_heartbeat = datetime.datetime.utcnow()
+    @trollius.coroutine
+    def _on_log_message(self, phase, json_data):
+        """ Tails log messages and updates the build status. """
+        # Update the heartbeat.
+        self._last_heartbeat = datetime.datetime.utcnow()
 
-    # Parse any of the JSON data logged.
-    log_data = {}
-    if json_data:
-      try:
-        log_data = json.loads(json_data)
-      except ValueError:
-        pass
+        # Parse any of the JSON data logged.
+        log_data = {}
+        if json_data:
+            try:
+                log_data = json.loads(json_data)
+            except ValueError:
+                pass
 
-    # Extract the current status message (if any).
-    fully_unwrapped = ''
-    keys_to_extract = ['error', 'status', 'stream']
-    for key in keys_to_extract:
-      if key in log_data:
-        fully_unwrapped = log_data[key]
-        break
+        # Extract the current status message (if any).
+        fully_unwrapped = ""
+        keys_to_extract = ["error", "status", "stream"]
+        for key in keys_to_extract:
+            if key in log_data:
+                fully_unwrapped = log_data[key]
+                break
 
-    # Determine if this is a step string.
-    current_step = None
-    current_status_string = str(fully_unwrapped.encode('utf-8'))
+        # Determine if this is a step string.
+        current_step = None
+        current_status_string = str(fully_unwrapped.encode("utf-8"))
 
-    if current_status_string and phase == BUILD_PHASE.BUILDING:
-      current_step = extract_current_step(current_status_string)
+        if current_status_string and phase == BUILD_PHASE.BUILDING:
+            current_step = extract_current_step(current_status_string)
+
+        # Parse and update the phase and the status_dict. The status dictionary contains
+        # the pull/push progress, as well as the current step index.
+        with self._build_status as status_dict:
+            try:
+                changed_phase = yield From(
+                    self._build_status.set_phase(phase, log_data.get("status_data"))
+                )
+                if changed_phase:
+                    logger.debug(
+                        "Build %s has entered a new phase: %s",
+                        self.builder_realm,
+                        phase,
+                    )
+                elif self._current_job.repo_build.phase == BUILD_PHASE.CANCELLED:
+                    build_id = self._current_job.repo_build.uuid
+                    logger.debug(
+                        "Trying to move cancelled build into phase: %s with id: %s",
+                        phase,
+                        build_id,
+                    )
+                    raise Return(False)
+            except InvalidRepositoryBuildException:
+                build_id = self._current_job.repo_build.uuid
+                logger.warning(
+                    "Build %s was not found; repo was probably deleted", build_id
+                )
+                raise Return(False)
+
+            BuildComponent._process_pushpull_status(
+                status_dict, phase, log_data, self._image_info
+            )
+
+            # If the current message represents the beginning of a new step, then update the
+            # current command index.
+            if current_step is not None:
+                status_dict["current_command"] = current_step
+
+            # If the json data contains an error, then something went wrong with a push or pull.
+            if "error" in log_data:
+                yield From(self._build_status.set_error(log_data["error"]))
+
+        if current_step is not None:
+            yield From(self._build_status.set_command(current_status_string))
+        elif phase == BUILD_PHASE.BUILDING:
+            yield From(self._build_status.append_log(current_status_string))
+        raise Return(True)
+
+    @trollius.coroutine
+    def _determine_cache_tag(
+        self, command_comments, base_image_name, base_image_tag, base_image_id
+    ):
+        with self._build_status as status_dict:
+            status_dict["total_commands"] = len(command_comments) + 1
+
+        logger.debug(
+            "Checking cache on realm %s. Base image: %s:%s (%s)",
+            self.builder_realm,
+            base_image_name,
+            base_image_tag,
+            base_image_id,
+        )
+
+        tag_found = self._current_job.determine_cached_tag(
+            base_image_id, command_comments
+        )
+        raise Return(tag_found or "")
+
+    @trollius.coroutine
+    def _build_failure(self, error_message, exception=None):
+        """ Handles and logs a failed build. """
+        yield From(
+            self._build_status.set_error(
+                error_message, {"internal_error": str(exception) if exception else None}
+            )
+        )
 
-    # Parse and update the phase and the status_dict. The status dictionary contains
-    # the pull/push progress, as well as the current step index.
-    with self._build_status as status_dict:
-      try:
-        changed_phase = yield From(self._build_status.set_phase(phase, log_data.get('status_data')))
-        if changed_phase:
-          logger.debug('Build %s has entered a new phase: %s', self.builder_realm, phase)
-        elif self._current_job.repo_build.phase == BUILD_PHASE.CANCELLED:
-          build_id = self._current_job.repo_build.uuid
-          logger.debug('Trying to move cancelled build into phase: %s with id: %s', phase, build_id)
-          raise Return(False)
-      except InvalidRepositoryBuildException:
         build_id = self._current_job.repo_build.uuid
-        logger.warning('Build %s was not found; repo was probably deleted', build_id)
-        raise Return(False)
+        logger.warning("Build %s failed with message: %s", build_id, error_message)
 
-      BuildComponent._process_pushpull_status(status_dict, phase, log_data, self._image_info)
-
-      # If the current message represents the beginning of a new step, then update the
-      # current command index.
-      if current_step is not None:
-        status_dict['current_command'] = current_step
-
-      # If the json data contains an error, then something went wrong with a push or pull.
-      if 'error' in log_data:
-        yield From(self._build_status.set_error(log_data['error']))
-
-    if current_step is not None:
-      yield From(self._build_status.set_command(current_status_string))
-    elif phase == BUILD_PHASE.BUILDING:
-      yield From(self._build_status.append_log(current_status_string))
-    raise Return(True)
-
-  @trollius.coroutine
-  def _determine_cache_tag(self, command_comments, base_image_name, base_image_tag, base_image_id):
-    with self._build_status as status_dict:
-      status_dict['total_commands'] = len(command_comments) + 1
-
-    logger.debug('Checking cache on realm %s. Base image: %s:%s (%s)', self.builder_realm,
-                 base_image_name, base_image_tag, base_image_id)
-
-    tag_found = self._current_job.determine_cached_tag(base_image_id, command_comments)
-    raise Return(tag_found or '')
-
-  @trollius.coroutine
-  def _build_failure(self, error_message, exception=None):
-    """ Handles and logs a failed build. """
-    yield From(self._build_status.set_error(error_message, {
-      'internal_error': str(exception) if exception else None
-    }))
-
-    build_id = self._current_job.repo_build.uuid
-    logger.warning('Build %s failed with message: %s', build_id, error_message)
-
-    # Mark that the build has finished (in an error state)
-    yield From(self._build_finished(BuildJobResult.ERROR))
-
-  @trollius.coroutine
-  def _build_complete(self, result):
-    """ Wraps up a completed build. Handles any errors and calls self._build_finished. """
-    build_id = self._current_job.repo_build.uuid
-
-    try:
-      # Retrieve the result. This will raise an ApplicationError on any error that occurred.
-      result_value = result.result()
-      kwargs = {}
-
-      # Note: If we are hitting an older builder that didn't return ANY map data, then the result
-      # value will be a bool instead of a proper CallResult object.
-      # Therefore: we have a try-except guard here to ensure we don't hit this pitfall.
-      try:
-        kwargs = result_value.kwresults
-      except:
-        pass
-
-      try:
-        yield From(self._build_status.set_phase(BUILD_PHASE.COMPLETE))
-      except InvalidRepositoryBuildException:
-        logger.warning('Build %s was not found; repo was probably deleted', build_id)
-        raise Return()
-
-      yield From(self._build_finished(BuildJobResult.COMPLETE))
-
-      # Label the pushed manifests with the build metadata.
-      manifest_digests = kwargs.get('digests') or []
-      repository = registry_model.lookup_repository(self._current_job.namespace,
-                                                    self._current_job.repo_name)
-      if repository is not None:
-        for digest in manifest_digests:
-          with UseThenDisconnect(app.config):
-            manifest = registry_model.lookup_manifest_by_digest(repository, digest,
-                                                                require_available=True)
-            if manifest is None:
-              continue
-
-            registry_model.create_manifest_label(manifest, INTERNAL_LABEL_BUILD_UUID,
-                                                 build_id, 'internal', 'text/plain')
-
-      # Send the notification that the build has completed successfully.
-      self._current_job.send_notification('build_success',
-                                          image_id=kwargs.get('image_id'),
-                                          manifest_digests=manifest_digests)
-    except ApplicationError as aex:
-      worker_error = WorkerError(aex.error, aex.kwargs.get('base_error'))
-
-      # Write the error to the log.
-      yield From(self._build_status.set_error(worker_error.public_message(),
-                                              worker_error.extra_data(),
-                                              internal_error=worker_error.is_internal_error(),
-                                              requeued=self._current_job.has_retries_remaining()))
-
-      # Send the notification that the build has failed.
-      self._current_job.send_notification('build_failure',
-                                          error_message=worker_error.public_message())
-
-      # Mark the build as completed.
-      if worker_error.is_internal_error():
-        logger.exception('[BUILD INTERNAL ERROR: Remote] Build ID: %s: %s', build_id,
-                         worker_error.public_message())
-        yield From(self._build_finished(BuildJobResult.INCOMPLETE))
-      else:
-        logger.debug('Got remote failure exception for build %s: %s', build_id, aex)
+        # Mark that the build has finished (in an error state)
         yield From(self._build_finished(BuildJobResult.ERROR))
 
-    # Remove the current job.
-    self._current_job = None
+    @trollius.coroutine
+    def _build_complete(self, result):
+        """ Wraps up a completed build. Handles any errors and calls self._build_finished. """
+        build_id = self._current_job.repo_build.uuid
 
+        try:
+            # Retrieve the result. This will raise an ApplicationError on any error that occurred.
+            result_value = result.result()
+            kwargs = {}
 
-  @trollius.coroutine
-  def _build_finished(self, job_status):
-    """ Alerts the parent that a build has completed and sets the status back to running. """
-    yield From(self.parent_manager.job_completed(self._current_job, job_status, self))
+            # Note: If we are hitting an older builder that didn't return ANY map data, then the result
+            # value will be a bool instead of a proper CallResult object.
+            # Therefore: we have a try-except guard here to ensure we don't hit this pitfall.
+            try:
+                kwargs = result_value.kwresults
+            except:
+                pass
 
-    # Set the component back to a running state.
-    yield From(self._set_status(ComponentStatus.RUNNING))
+            try:
+                yield From(self._build_status.set_phase(BUILD_PHASE.COMPLETE))
+            except InvalidRepositoryBuildException:
+                logger.warning(
+                    "Build %s was not found; repo was probably deleted", build_id
+                )
+                raise Return()
 
-  @staticmethod
-  def _ping():
-    """ Ping pong. """
-    return 'pong'
+            yield From(self._build_finished(BuildJobResult.COMPLETE))
 
-  @trollius.coroutine
-  def _on_ready(self, token, version):
-    logger.debug('On ready called (token "%s")', token)
-    self._worker_version = version
+            # Label the pushed manifests with the build metadata.
+            manifest_digests = kwargs.get("digests") or []
+            repository = registry_model.lookup_repository(
+                self._current_job.namespace, self._current_job.repo_name
+            )
+            if repository is not None:
+                for digest in manifest_digests:
+                    with UseThenDisconnect(app.config):
+                        manifest = registry_model.lookup_manifest_by_digest(
+                            repository, digest, require_available=True
+                        )
+                        if manifest is None:
+                            continue
 
-    if not version in SUPPORTED_WORKER_VERSIONS:
-      logger.warning('Build component (token "%s") is running an out-of-date version: %s', token,
-                     version)
-      raise Return(False)
+                        registry_model.create_manifest_label(
+                            manifest,
+                            INTERNAL_LABEL_BUILD_UUID,
+                            build_id,
+                            "internal",
+                            "text/plain",
+                        )
 
-    if self._component_status != ComponentStatus.WAITING:
-      logger.warning('Build component (token "%s") is already connected', self.expected_token)
-      raise Return(False)
+            # Send the notification that the build has completed successfully.
+            self._current_job.send_notification(
+                "build_success",
+                image_id=kwargs.get("image_id"),
+                manifest_digests=manifest_digests,
+            )
+        except ApplicationError as aex:
+            worker_error = WorkerError(aex.error, aex.kwargs.get("base_error"))
 
-    if token != self.expected_token:
-      logger.warning('Builder token mismatch. Expected: "%s". Found: "%s"', self.expected_token,
-                     token)
-      raise Return(False)
+            # Write the error to the log.
+            yield From(
+                self._build_status.set_error(
+                    worker_error.public_message(),
+                    worker_error.extra_data(),
+                    internal_error=worker_error.is_internal_error(),
+                    requeued=self._current_job.has_retries_remaining(),
+                )
+            )
 
-    yield From(self._set_status(ComponentStatus.RUNNING))
+            # Send the notification that the build has failed.
+            self._current_job.send_notification(
+                "build_failure", error_message=worker_error.public_message()
+            )
 
-    # Start the heartbeat check and updating loop.
-    loop = trollius.get_event_loop()
-    loop.create_task(self._heartbeat())
-    logger.debug('Build worker %s is connected and ready', self.builder_realm)
-    raise Return(True)
+            # Mark the build as completed.
+            if worker_error.is_internal_error():
+                logger.exception(
+                    "[BUILD INTERNAL ERROR: Remote] Build ID: %s: %s",
+                    build_id,
+                    worker_error.public_message(),
+                )
+                yield From(self._build_finished(BuildJobResult.INCOMPLETE))
+            else:
+                logger.debug(
+                    "Got remote failure exception for build %s: %s", build_id, aex
+                )
+                yield From(self._build_finished(BuildJobResult.ERROR))
 
-  @trollius.coroutine
-  def _set_status(self, phase):
-    if phase == ComponentStatus.RUNNING:
-      yield From(self.parent_manager.build_component_ready(self))
+        # Remove the current job.
+        self._current_job = None
 
-    self._component_status = phase
+    @trollius.coroutine
+    def _build_finished(self, job_status):
+        """ Alerts the parent that a build has completed and sets the status back to running. """
+        yield From(
+            self.parent_manager.job_completed(self._current_job, job_status, self)
+        )
 
-  def _on_heartbeat(self):
-    """ Updates the last known heartbeat. """
-    if self._component_status == ComponentStatus.TIMED_OUT:
-      return
+        # Set the component back to a running state.
+        yield From(self._set_status(ComponentStatus.RUNNING))
 
-    logger.debug('Got heartbeat on realm %s', self.builder_realm)
-    self._last_heartbeat = datetime.datetime.utcnow()
+    @staticmethod
+    def _ping():
+        """ Ping pong. """
+        return "pong"
 
-  @trollius.coroutine
-  def _heartbeat(self):
-    """ Coroutine that runs every HEARTBEAT_TIMEOUT seconds, both checking the worker's heartbeat
+    @trollius.coroutine
+    def _on_ready(self, token, version):
+        logger.debug('On ready called (token "%s")', token)
+        self._worker_version = version
+
+        if not version in SUPPORTED_WORKER_VERSIONS:
+            logger.warning(
+                'Build component (token "%s") is running an out-of-date version: %s',
+                token,
+                version,
+            )
+            raise Return(False)
+
+        if self._component_status != ComponentStatus.WAITING:
+            logger.warning(
+                'Build component (token "%s") is already connected', self.expected_token
+            )
+            raise Return(False)
+
+        if token != self.expected_token:
+            logger.warning(
+                'Builder token mismatch. Expected: "%s". Found: "%s"',
+                self.expected_token,
+                token,
+            )
+            raise Return(False)
+
+        yield From(self._set_status(ComponentStatus.RUNNING))
+
+        # Start the heartbeat check and updating loop.
+        loop = trollius.get_event_loop()
+        loop.create_task(self._heartbeat())
+        logger.debug("Build worker %s is connected and ready", self.builder_realm)
+        raise Return(True)
+
+    @trollius.coroutine
+    def _set_status(self, phase):
+        if phase == ComponentStatus.RUNNING:
+            yield From(self.parent_manager.build_component_ready(self))
+
+        self._component_status = phase
+
+    def _on_heartbeat(self):
+        """ Updates the last known heartbeat. """
+        if self._component_status == ComponentStatus.TIMED_OUT:
+            return
+
+        logger.debug("Got heartbeat on realm %s", self.builder_realm)
+        self._last_heartbeat = datetime.datetime.utcnow()
+
+    @trollius.coroutine
+    def _heartbeat(self):
+        """ Coroutine that runs every HEARTBEAT_TIMEOUT seconds, both checking the worker's heartbeat
         and updating the heartbeat in the build status dictionary (if applicable). This allows
         the build system to catch crashes from either end.
     """
-    yield From(trollius.sleep(INITIAL_TIMEOUT))
+        yield From(trollius.sleep(INITIAL_TIMEOUT))
 
-    while True:
-      # If the component is no longer running or actively building, nothing more to do.
-      if (self._component_status != ComponentStatus.RUNNING and
-          self._component_status != ComponentStatus.BUILDING):
-        raise Return()
+        while True:
+            # If the component is no longer running or actively building, nothing more to do.
+            if (
+                self._component_status != ComponentStatus.RUNNING
+                and self._component_status != ComponentStatus.BUILDING
+            ):
+                raise Return()
 
-      # If there is an active build, write the heartbeat to its status.
-      if self._build_status is not None:
-        with self._build_status as status_dict:
-          status_dict['heartbeat'] = int(time.time())
+            # If there is an active build, write the heartbeat to its status.
+            if self._build_status is not None:
+                with self._build_status as status_dict:
+                    status_dict["heartbeat"] = int(time.time())
 
-      # Mark the build item.
-      current_job = self._current_job
-      if current_job is not None:
-        yield From(self.parent_manager.job_heartbeat(current_job))
+            # Mark the build item.
+            current_job = self._current_job
+            if current_job is not None:
+                yield From(self.parent_manager.job_heartbeat(current_job))
 
-      # Check the heartbeat from the worker.
-      logger.debug('Checking heartbeat on realm %s', self.builder_realm)
-      if (self._last_heartbeat and
-          self._last_heartbeat < datetime.datetime.utcnow() - HEARTBEAT_DELTA):
-        logger.debug('Heartbeat on realm %s has expired: %s', self.builder_realm,
-                     self._last_heartbeat)
+            # Check the heartbeat from the worker.
+            logger.debug("Checking heartbeat on realm %s", self.builder_realm)
+            if (
+                self._last_heartbeat
+                and self._last_heartbeat < datetime.datetime.utcnow() - HEARTBEAT_DELTA
+            ):
+                logger.debug(
+                    "Heartbeat on realm %s has expired: %s",
+                    self.builder_realm,
+                    self._last_heartbeat,
+                )
 
-        yield From(self._timeout())
-        raise Return()
+                yield From(self._timeout())
+                raise Return()
 
-      logger.debug('Heartbeat on realm %s is valid: %s (%s).', self.builder_realm,
-                   self._last_heartbeat, self._component_status)
+            logger.debug(
+                "Heartbeat on realm %s is valid: %s (%s).",
+                self.builder_realm,
+                self._last_heartbeat,
+                self._component_status,
+            )
 
-      yield From(trollius.sleep(HEARTBEAT_TIMEOUT))
+            yield From(trollius.sleep(HEARTBEAT_TIMEOUT))
 
-  @trollius.coroutine
-  def _timeout(self):
-    if self._component_status == ComponentStatus.TIMED_OUT:
-      raise Return()
+    @trollius.coroutine
+    def _timeout(self):
+        if self._component_status == ComponentStatus.TIMED_OUT:
+            raise Return()
 
-    yield From(self._set_status(ComponentStatus.TIMED_OUT))
-    logger.warning('Build component with realm %s has timed out', self.builder_realm)
+        yield From(self._set_status(ComponentStatus.TIMED_OUT))
+        logger.warning(
+            "Build component with realm %s has timed out", self.builder_realm
+        )
 
-    # If we still have a running job, then it has not completed and we need to tell the parent
-    # manager.
-    if self._current_job is not None:
-      yield From(self._build_status.set_error('Build worker timed out', internal_error=True,
-                                              requeued=self._current_job.has_retries_remaining()))
+        # If we still have a running job, then it has not completed and we need to tell the parent
+        # manager.
+        if self._current_job is not None:
+            yield From(
+                self._build_status.set_error(
+                    "Build worker timed out",
+                    internal_error=True,
+                    requeued=self._current_job.has_retries_remaining(),
+                )
+            )
 
-      build_id = self._current_job.build_uuid
-      logger.error('[BUILD INTERNAL ERROR: Timeout] Build ID: %s', build_id)
-      yield From(self.parent_manager.job_completed(self._current_job,
-                                                   BuildJobResult.INCOMPLETE,
-                                                   self))
+            build_id = self._current_job.build_uuid
+            logger.error("[BUILD INTERNAL ERROR: Timeout] Build ID: %s", build_id)
+            yield From(
+                self.parent_manager.job_completed(
+                    self._current_job, BuildJobResult.INCOMPLETE, self
+                )
+            )
 
-    # Unregister the current component so that it cannot be invoked again.
-    self.parent_manager.build_component_disposed(self, True)
+        # Unregister the current component so that it cannot be invoked again.
+        self.parent_manager.build_component_disposed(self, True)
 
-    # Remove the job reference.
-    self._current_job = None
+        # Remove the job reference.
+        self._current_job = None
 
-  @trollius.coroutine
-  def cancel_build(self):
-    self.parent_manager.build_component_disposed(self, True)
-    self._current_job = None
-    yield From(self._set_status(ComponentStatus.RUNNING))
+    @trollius.coroutine
+    def cancel_build(self):
+        self.parent_manager.build_component_disposed(self, True)
+        self._current_job = None
+        yield From(self._set_status(ComponentStatus.RUNNING))
diff --git a/buildman/component/buildparse.py b/buildman/component/buildparse.py
index 3560c0861..18d678cae 100644
--- a/buildman/component/buildparse.py
+++ b/buildman/component/buildparse.py
@@ -1,15 +1,16 @@
 import re
 
+
 def extract_current_step(current_status_string):
-  """ Attempts to extract the current step numeric identifier from the given status string. Returns the step
+    """ Attempts to extract the current step numeric identifier from the given status string. Returns the step
       number or None if none.
   """
-  # Older format: `Step 12 :`
-  # Newer format: `Step 4/13 :`
-  step_increment = re.search(r'Step ([0-9]+)/([0-9]+) :', current_status_string)
-  if step_increment:
-    return int(step_increment.group(1))
+    # Older format: `Step 12 :`
+    # Newer format: `Step 4/13 :`
+    step_increment = re.search(r"Step ([0-9]+)/([0-9]+) :", current_status_string)
+    if step_increment:
+        return int(step_increment.group(1))
 
-  step_increment = re.search(r'Step ([0-9]+) :', current_status_string)
-  if step_increment:
-    return int(step_increment.group(1))
+    step_increment = re.search(r"Step ([0-9]+) :", current_status_string)
+    if step_increment:
+        return int(step_increment.group(1))
diff --git a/buildman/component/test/test_buildcomponent.py b/buildman/component/test/test_buildcomponent.py
index c4e026916..98d70dab0 100644
--- a/buildman/component/test/test_buildcomponent.py
+++ b/buildman/component/test/test_buildcomponent.py
@@ -3,34 +3,62 @@ import pytest
 from buildman.component.buildcomponent import BuildComponent
 
 
-@pytest.mark.parametrize('input,expected_path,expected_file', [
-  ("", "/", "Dockerfile"),
-  ("/", "/", "Dockerfile"),
-  ("/Dockerfile", "/", "Dockerfile"),
-  ("/server.Dockerfile", "/", "server.Dockerfile"),
-  ("/somepath", "/somepath", "Dockerfile"),
-  ("/somepath/", "/somepath", "Dockerfile"),
-  ("/somepath/Dockerfile", "/somepath", "Dockerfile"),
-  ("/somepath/server.Dockerfile", "/somepath", "server.Dockerfile"),
-  ("/somepath/some_other_path", "/somepath/some_other_path", "Dockerfile"),
-  ("/somepath/some_other_path/", "/somepath/some_other_path", "Dockerfile"),
-  ("/somepath/some_other_path/Dockerfile", "/somepath/some_other_path", "Dockerfile"),
-  ("/somepath/some_other_path/server.Dockerfile", "/somepath/some_other_path", "server.Dockerfile"),
-])
+@pytest.mark.parametrize(
+    "input,expected_path,expected_file",
+    [
+        ("", "/", "Dockerfile"),
+        ("/", "/", "Dockerfile"),
+        ("/Dockerfile", "/", "Dockerfile"),
+        ("/server.Dockerfile", "/", "server.Dockerfile"),
+        ("/somepath", "/somepath", "Dockerfile"),
+        ("/somepath/", "/somepath", "Dockerfile"),
+        ("/somepath/Dockerfile", "/somepath", "Dockerfile"),
+        ("/somepath/server.Dockerfile", "/somepath", "server.Dockerfile"),
+        ("/somepath/some_other_path", "/somepath/some_other_path", "Dockerfile"),
+        ("/somepath/some_other_path/", "/somepath/some_other_path", "Dockerfile"),
+        (
+            "/somepath/some_other_path/Dockerfile",
+            "/somepath/some_other_path",
+            "Dockerfile",
+        ),
+        (
+            "/somepath/some_other_path/server.Dockerfile",
+            "/somepath/some_other_path",
+            "server.Dockerfile",
+        ),
+    ],
+)
 def test_path_is_dockerfile(input, expected_path, expected_file):
-  actual_path, actual_file = BuildComponent.name_and_path(input)
-  assert actual_path == expected_path
-  assert actual_file == expected_file
+    actual_path, actual_file = BuildComponent.name_and_path(input)
+    assert actual_path == expected_path
+    assert actual_file == expected_file
 
-@pytest.mark.parametrize('build_config,context,dockerfile_path', [
-  ({}, '', ''),
-  ({'build_subdir': '/builddir/Dockerfile'}, '', '/builddir/Dockerfile'),
-  ({'context': '/builddir'}, '/builddir', ''),
-  ({'context': '/builddir', 'build_subdir': '/builddir/Dockerfile'}, '/builddir', 'Dockerfile'),
-  ({'context': '/some_other_dir/Dockerfile', 'build_subdir': '/builddir/Dockerfile'}, '/builddir', 'Dockerfile'),
-  ({'context': '/', 'build_subdir':'Dockerfile'}, '/', 'Dockerfile')
-])
+
+@pytest.mark.parametrize(
+    "build_config,context,dockerfile_path",
+    [
+        ({}, "", ""),
+        ({"build_subdir": "/builddir/Dockerfile"}, "", "/builddir/Dockerfile"),
+        ({"context": "/builddir"}, "/builddir", ""),
+        (
+            {"context": "/builddir", "build_subdir": "/builddir/Dockerfile"},
+            "/builddir",
+            "Dockerfile",
+        ),
+        (
+            {
+                "context": "/some_other_dir/Dockerfile",
+                "build_subdir": "/builddir/Dockerfile",
+            },
+            "/builddir",
+            "Dockerfile",
+        ),
+        ({"context": "/", "build_subdir": "Dockerfile"}, "/", "Dockerfile"),
+    ],
+)
 def test_extract_dockerfile_args(build_config, context, dockerfile_path):
-  actual_context, actual_dockerfile_path = BuildComponent.extract_dockerfile_args(build_config)
-  assert context == actual_context
-  assert dockerfile_path == actual_dockerfile_path
+    actual_context, actual_dockerfile_path = BuildComponent.extract_dockerfile_args(
+        build_config
+    )
+    assert context == actual_context
+    assert dockerfile_path == actual_dockerfile_path
diff --git a/buildman/component/test/test_buildparse.py b/buildman/component/test/test_buildparse.py
index 3bdb7295e..e40b20189 100644
--- a/buildman/component/test/test_buildparse.py
+++ b/buildman/component/test/test_buildparse.py
@@ -3,14 +3,17 @@ import pytest
 from buildman.component.buildparse import extract_current_step
 
 
-@pytest.mark.parametrize('input,expected_step', [
-  ("", None),
-  ("Step a :", None),
-  ("Step 1 :", 1),
-  ("Step 1 : ", 1),
-  ("Step 1/2 : ", 1),
-  ("Step 2/17 : ", 2),
-  ("Step 4/13 : ARG somearg=foo", 4),
-])
+@pytest.mark.parametrize(
+    "input,expected_step",
+    [
+        ("", None),
+        ("Step a :", None),
+        ("Step 1 :", 1),
+        ("Step 1 : ", 1),
+        ("Step 1/2 : ", 1),
+        ("Step 2/17 : ", 2),
+        ("Step 4/13 : ARG somearg=foo", 4),
+    ],
+)
 def test_extract_current_step(input, expected_step):
-  assert extract_current_step(input) == expected_step
+    assert extract_current_step(input) == expected_step
diff --git a/buildman/enums.py b/buildman/enums.py
index f88d2b690..a7fe7bb99 100644
--- a/buildman/enums.py
+++ b/buildman/enums.py
@@ -1,21 +1,25 @@
 from data.database import BUILD_PHASE
 
+
 class BuildJobResult(object):
-  """ Build job result enum """
-  INCOMPLETE = 'incomplete'
-  COMPLETE = 'complete'
-  ERROR = 'error'
+    """ Build job result enum """
+
+    INCOMPLETE = "incomplete"
+    COMPLETE = "complete"
+    ERROR = "error"
 
 
 class BuildServerStatus(object):
-  """ Build server status enum """
-  STARTING = 'starting'
-  RUNNING = 'running'
-  SHUTDOWN = 'shutting_down'
-  EXCEPTION = 'exception'
+    """ Build server status enum """
+
+    STARTING = "starting"
+    RUNNING = "running"
+    SHUTDOWN = "shutting_down"
+    EXCEPTION = "exception"
+
 
 RESULT_PHASES = {
-  BuildJobResult.INCOMPLETE: BUILD_PHASE.INTERNAL_ERROR,
-  BuildJobResult.COMPLETE: BUILD_PHASE.COMPLETE,
-  BuildJobResult.ERROR: BUILD_PHASE.ERROR,
+    BuildJobResult.INCOMPLETE: BUILD_PHASE.INTERNAL_ERROR,
+    BuildJobResult.COMPLETE: BUILD_PHASE.COMPLETE,
+    BuildJobResult.ERROR: BUILD_PHASE.ERROR,
 }
diff --git a/buildman/jobutil/buildjob.py b/buildman/jobutil/buildjob.py
index f245ce2bf..8ffbe5cd8 100644
--- a/buildman/jobutil/buildjob.py
+++ b/buildman/jobutil/buildjob.py
@@ -14,170 +14,196 @@ logger = logging.getLogger(__name__)
 
 
 class BuildJobLoadException(Exception):
-  """ Exception raised if a build job could not be instantiated for some reason. """
-  pass
+    """ Exception raised if a build job could not be instantiated for some reason. """
+
+    pass
 
 
 class BuildJob(object):
-  """ Represents a single in-progress build job. """
-  def __init__(self, job_item):
-    self.job_item = job_item
+    """ Represents a single in-progress build job. """
 
-    try:
-      self.job_details = json.loads(job_item.body)
-      self.build_notifier = BuildJobNotifier(self.build_uuid)
-    except ValueError:
-      raise BuildJobLoadException(
-        'Could not parse build queue item config with ID %s' % self.job_details['build_uuid']
-      )
+    def __init__(self, job_item):
+        self.job_item = job_item
 
-  @property
-  def retries_remaining(self):
-    return self.job_item.retries_remaining
+        try:
+            self.job_details = json.loads(job_item.body)
+            self.build_notifier = BuildJobNotifier(self.build_uuid)
+        except ValueError:
+            raise BuildJobLoadException(
+                "Could not parse build queue item config with ID %s"
+                % self.job_details["build_uuid"]
+            )
 
-  def has_retries_remaining(self):
-    return self.job_item.retries_remaining > 0
+    @property
+    def retries_remaining(self):
+        return self.job_item.retries_remaining
 
-  def send_notification(self, kind, error_message=None, image_id=None, manifest_digests=None):
-    self.build_notifier.send_notification(kind, error_message, image_id, manifest_digests)
+    def has_retries_remaining(self):
+        return self.job_item.retries_remaining > 0
 
-  @lru_cache(maxsize=1)
-  def _load_repo_build(self):
-    with UseThenDisconnect(app.config):
-      try:
-        return model.build.get_repository_build(self.build_uuid)
-      except model.InvalidRepositoryBuildException:
-        raise BuildJobLoadException(
-            'Could not load repository build with ID %s' % self.build_uuid)
+    def send_notification(
+        self, kind, error_message=None, image_id=None, manifest_digests=None
+    ):
+        self.build_notifier.send_notification(
+            kind, error_message, image_id, manifest_digests
+        )
 
-  @property
-  def build_uuid(self):
-    """ Returns the unique UUID for this build job. """
-    return self.job_details['build_uuid']
+    @lru_cache(maxsize=1)
+    def _load_repo_build(self):
+        with UseThenDisconnect(app.config):
+            try:
+                return model.build.get_repository_build(self.build_uuid)
+            except model.InvalidRepositoryBuildException:
+                raise BuildJobLoadException(
+                    "Could not load repository build with ID %s" % self.build_uuid
+                )
 
-  @property
-  def namespace(self):
-    """ Returns the namespace under which this build is running. """
-    return self.repo_build.repository.namespace_user.username
+    @property
+    def build_uuid(self):
+        """ Returns the unique UUID for this build job. """
+        return self.job_details["build_uuid"]
 
-  @property
-  def repo_name(self):
-    """ Returns the name of the repository under which this build is running. """
-    return self.repo_build.repository.name
+    @property
+    def namespace(self):
+        """ Returns the namespace under which this build is running. """
+        return self.repo_build.repository.namespace_user.username
 
-  @property
-  def repo_build(self):
-    return self._load_repo_build()
+    @property
+    def repo_name(self):
+        """ Returns the name of the repository under which this build is running. """
+        return self.repo_build.repository.name
 
-  def get_build_package_url(self, user_files):
-    """ Returns the URL of the build package for this build, if any or empty string if none. """
-    archive_url = self.build_config.get('archive_url', None)
-    if archive_url:
-      return archive_url
+    @property
+    def repo_build(self):
+        return self._load_repo_build()
 
-    if not self.repo_build.resource_key:
-      return ''
+    def get_build_package_url(self, user_files):
+        """ Returns the URL of the build package for this build, if any or empty string if none. """
+        archive_url = self.build_config.get("archive_url", None)
+        if archive_url:
+            return archive_url
 
-    return user_files.get_file_url(self.repo_build.resource_key, '127.0.0.1', requires_cors=False)
+        if not self.repo_build.resource_key:
+            return ""
 
-  @property
-  def pull_credentials(self):
-    """ Returns the pull credentials for this job, or None if none. """
-    return self.job_details.get('pull_credentials')
+        return user_files.get_file_url(
+            self.repo_build.resource_key, "127.0.0.1", requires_cors=False
+        )
 
-  @property
-  def build_config(self):
-    try:
-      return json.loads(self.repo_build.job_config)
-    except ValueError:
-      raise BuildJobLoadException(
-        'Could not parse repository build job config with ID %s' % self.job_details['build_uuid']
-      )
+    @property
+    def pull_credentials(self):
+        """ Returns the pull credentials for this job, or None if none. """
+        return self.job_details.get("pull_credentials")
 
-  def determine_cached_tag(self, base_image_id=None, cache_comments=None):
-    """ Returns the tag to pull to prime the cache or None if none. """
-    cached_tag = self._determine_cached_tag_by_tag()
-    logger.debug('Determined cached tag %s for %s: %s', cached_tag, base_image_id, cache_comments)
-    return cached_tag
+    @property
+    def build_config(self):
+        try:
+            return json.loads(self.repo_build.job_config)
+        except ValueError:
+            raise BuildJobLoadException(
+                "Could not parse repository build job config with ID %s"
+                % self.job_details["build_uuid"]
+            )
 
-  def _determine_cached_tag_by_tag(self):
-    """ Determines the cached tag by looking for one of the tags being built, and seeing if it
+    def determine_cached_tag(self, base_image_id=None, cache_comments=None):
+        """ Returns the tag to pull to prime the cache or None if none. """
+        cached_tag = self._determine_cached_tag_by_tag()
+        logger.debug(
+            "Determined cached tag %s for %s: %s",
+            cached_tag,
+            base_image_id,
+            cache_comments,
+        )
+        return cached_tag
+
+    def _determine_cached_tag_by_tag(self):
+        """ Determines the cached tag by looking for one of the tags being built, and seeing if it
         exists in the repository. This is a fallback for when no comment information is available.
     """
-    with UseThenDisconnect(app.config):
-      tags = self.build_config.get('docker_tags', ['latest'])
-      repository = RepositoryReference.for_repo_obj(self.repo_build.repository)
-      matching_tag = registry_model.find_matching_tag(repository, tags)
-      if matching_tag is not None:
-        return matching_tag.name
+        with UseThenDisconnect(app.config):
+            tags = self.build_config.get("docker_tags", ["latest"])
+            repository = RepositoryReference.for_repo_obj(self.repo_build.repository)
+            matching_tag = registry_model.find_matching_tag(repository, tags)
+            if matching_tag is not None:
+                return matching_tag.name
 
-      most_recent_tag = registry_model.get_most_recent_tag(repository)
-      if most_recent_tag is not None:
-        return most_recent_tag.name
+            most_recent_tag = registry_model.get_most_recent_tag(repository)
+            if most_recent_tag is not None:
+                return most_recent_tag.name
 
-      return None
+            return None
 
 
 class BuildJobNotifier(object):
-  """ A class for sending notifications to a job that only relies on the build_uuid """
+    """ A class for sending notifications to a job that only relies on the build_uuid """
 
-  def __init__(self, build_uuid):
-    self.build_uuid = build_uuid
+    def __init__(self, build_uuid):
+        self.build_uuid = build_uuid
 
-  @property
-  def repo_build(self):
-    return self._load_repo_build()
+    @property
+    def repo_build(self):
+        return self._load_repo_build()
 
-  @lru_cache(maxsize=1)
-  def _load_repo_build(self):
-    try:
-      return model.build.get_repository_build(self.build_uuid)
-    except model.InvalidRepositoryBuildException:
-      raise BuildJobLoadException(
-        'Could not load repository build with ID %s' % self.build_uuid)
+    @lru_cache(maxsize=1)
+    def _load_repo_build(self):
+        try:
+            return model.build.get_repository_build(self.build_uuid)
+        except model.InvalidRepositoryBuildException:
+            raise BuildJobLoadException(
+                "Could not load repository build with ID %s" % self.build_uuid
+            )
 
-  @property
-  def build_config(self):
-    try:
-      return json.loads(self.repo_build.job_config)
-    except ValueError:
-      raise BuildJobLoadException(
-        'Could not parse repository build job config with ID %s' % self.repo_build.uuid
-      )
+    @property
+    def build_config(self):
+        try:
+            return json.loads(self.repo_build.job_config)
+        except ValueError:
+            raise BuildJobLoadException(
+                "Could not parse repository build job config with ID %s"
+                % self.repo_build.uuid
+            )
 
-  def send_notification(self, kind, error_message=None, image_id=None, manifest_digests=None):
-    with UseThenDisconnect(app.config):
-      tags = self.build_config.get('docker_tags', ['latest'])
-      trigger = self.repo_build.trigger
-      if trigger is not None and trigger.id is not None:
-        trigger_kind = trigger.service.name
-      else:
-        trigger_kind = None
+    def send_notification(
+        self, kind, error_message=None, image_id=None, manifest_digests=None
+    ):
+        with UseThenDisconnect(app.config):
+            tags = self.build_config.get("docker_tags", ["latest"])
+            trigger = self.repo_build.trigger
+            if trigger is not None and trigger.id is not None:
+                trigger_kind = trigger.service.name
+            else:
+                trigger_kind = None
 
-      event_data = {
-        'build_id': self.repo_build.uuid,
-        'build_name': self.repo_build.display_name,
-        'docker_tags': tags,
-        'trigger_id': trigger.uuid if trigger is not None else None,
-        'trigger_kind': trigger_kind,
-        'trigger_metadata': self.build_config.get('trigger_metadata', {})
-      }
+            event_data = {
+                "build_id": self.repo_build.uuid,
+                "build_name": self.repo_build.display_name,
+                "docker_tags": tags,
+                "trigger_id": trigger.uuid if trigger is not None else None,
+                "trigger_kind": trigger_kind,
+                "trigger_metadata": self.build_config.get("trigger_metadata", {}),
+            }
 
-      if image_id is not None:
-        event_data['image_id'] = image_id
+            if image_id is not None:
+                event_data["image_id"] = image_id
 
-      if manifest_digests:
-        event_data['manifest_digests'] = manifest_digests
+            if manifest_digests:
+                event_data["manifest_digests"] = manifest_digests
 
-      if error_message is not None:
-        event_data['error_message'] = error_message
+            if error_message is not None:
+                event_data["error_message"] = error_message
 
-      # TODO: remove when more endpoints have been converted to using
-      # interfaces
-      repo = AttrDict({
-        'namespace_name': self.repo_build.repository.namespace_user.username,
-        'name': self.repo_build.repository.name,
-      })
-      spawn_notification(repo, kind, event_data,
-                         subpage='build/%s' % self.repo_build.uuid,
-                         pathargs=['build', self.repo_build.uuid])
+            # TODO: remove when more endpoints have been converted to using
+            # interfaces
+            repo = AttrDict(
+                {
+                    "namespace_name": self.repo_build.repository.namespace_user.username,
+                    "name": self.repo_build.repository.name,
+                }
+            )
+            spawn_notification(
+                repo,
+                kind,
+                event_data,
+                subpage="build/%s" % self.repo_build.uuid,
+                pathargs=["build", self.repo_build.uuid],
+            )
diff --git a/buildman/jobutil/buildstatus.py b/buildman/jobutil/buildstatus.py
index 662dbaa10..f7bf4a767 100644
--- a/buildman/jobutil/buildstatus.py
+++ b/buildman/jobutil/buildstatus.py
@@ -13,76 +13,94 @@ logger = logging.getLogger(__name__)
 
 
 class StatusHandler(object):
-  """ Context wrapper for writing status to build logs. """
+    """ Context wrapper for writing status to build logs. """
 
-  def __init__(self, build_logs, repository_build_uuid):
-    self._current_phase = None
-    self._current_command = None
-    self._uuid = repository_build_uuid
-    self._build_logs = AsyncWrapper(build_logs)
-    self._sync_build_logs = build_logs
-    self._build_model = AsyncWrapper(model.build)
+    def __init__(self, build_logs, repository_build_uuid):
+        self._current_phase = None
+        self._current_command = None
+        self._uuid = repository_build_uuid
+        self._build_logs = AsyncWrapper(build_logs)
+        self._sync_build_logs = build_logs
+        self._build_model = AsyncWrapper(model.build)
 
-    self._status = {
-      'total_commands': 0,
-      'current_command': None,
-      'push_completion': 0.0,
-      'pull_completion': 0.0,
-    }
+        self._status = {
+            "total_commands": 0,
+            "current_command": None,
+            "push_completion": 0.0,
+            "pull_completion": 0.0,
+        }
 
-    # Write the initial status.
-    self.__exit__(None, None, None)
+        # Write the initial status.
+        self.__exit__(None, None, None)
 
-  @coroutine
-  def _append_log_message(self, log_message, log_type=None, log_data=None):
-    log_data = log_data or {}
-    log_data['datetime'] = str(datetime.datetime.now())
+    @coroutine
+    def _append_log_message(self, log_message, log_type=None, log_data=None):
+        log_data = log_data or {}
+        log_data["datetime"] = str(datetime.datetime.now())
 
-    try:
-      yield From(self._build_logs.append_log_message(self._uuid, log_message, log_type, log_data))
-    except RedisError:
-      logger.exception('Could not save build log for build %s: %s', self._uuid, log_message)
+        try:
+            yield From(
+                self._build_logs.append_log_message(
+                    self._uuid, log_message, log_type, log_data
+                )
+            )
+        except RedisError:
+            logger.exception(
+                "Could not save build log for build %s: %s", self._uuid, log_message
+            )
 
-  @coroutine
-  def append_log(self, log_message, extra_data=None):
-    if log_message is None:
-      return
+    @coroutine
+    def append_log(self, log_message, extra_data=None):
+        if log_message is None:
+            return
 
-    yield From(self._append_log_message(log_message, log_data=extra_data))
+        yield From(self._append_log_message(log_message, log_data=extra_data))
 
-  @coroutine
-  def set_command(self, command, extra_data=None):
-    if self._current_command == command:
-      raise Return()
+    @coroutine
+    def set_command(self, command, extra_data=None):
+        if self._current_command == command:
+            raise Return()
 
-    self._current_command = command
-    yield From(self._append_log_message(command, self._build_logs.COMMAND, extra_data))
+        self._current_command = command
+        yield From(
+            self._append_log_message(command, self._build_logs.COMMAND, extra_data)
+        )
 
-  @coroutine
-  def set_error(self, error_message, extra_data=None, internal_error=False, requeued=False):
-    error_phase = BUILD_PHASE.INTERNAL_ERROR if internal_error and requeued else BUILD_PHASE.ERROR
-    yield From(self.set_phase(error_phase))
+    @coroutine
+    def set_error(
+        self, error_message, extra_data=None, internal_error=False, requeued=False
+    ):
+        error_phase = (
+            BUILD_PHASE.INTERNAL_ERROR
+            if internal_error and requeued
+            else BUILD_PHASE.ERROR
+        )
+        yield From(self.set_phase(error_phase))
 
-    extra_data = extra_data or {}
-    extra_data['internal_error'] = internal_error
-    yield From(self._append_log_message(error_message, self._build_logs.ERROR, extra_data))
+        extra_data = extra_data or {}
+        extra_data["internal_error"] = internal_error
+        yield From(
+            self._append_log_message(error_message, self._build_logs.ERROR, extra_data)
+        )
 
-  @coroutine
-  def set_phase(self, phase, extra_data=None):
-    if phase == self._current_phase:
-      raise Return(False)
+    @coroutine
+    def set_phase(self, phase, extra_data=None):
+        if phase == self._current_phase:
+            raise Return(False)
 
-    self._current_phase = phase
-    yield From(self._append_log_message(phase, self._build_logs.PHASE, extra_data))
+        self._current_phase = phase
+        yield From(self._append_log_message(phase, self._build_logs.PHASE, extra_data))
 
-    # Update the repository build with the new phase
-    raise Return(self._build_model.update_phase_then_close(self._uuid, phase))
+        # Update the repository build with the new phase
+        raise Return(self._build_model.update_phase_then_close(self._uuid, phase))
 
-  def __enter__(self):
-    return self._status
+    def __enter__(self):
+        return self._status
 
-  def __exit__(self, exc_type, value, traceback):
-    try:
-      self._sync_build_logs.set_status(self._uuid, self._status)
-    except RedisError:
-      logger.exception('Could not set status of build %s to %s', self._uuid, self._status)
+    def __exit__(self, exc_type, value, traceback):
+        try:
+            self._sync_build_logs.set_status(self._uuid, self._status)
+        except RedisError:
+            logger.exception(
+                "Could not set status of build %s to %s", self._uuid, self._status
+            )
diff --git a/buildman/jobutil/workererror.py b/buildman/jobutil/workererror.py
index 9245f312e..111ffad2d 100644
--- a/buildman/jobutil/workererror.py
+++ b/buildman/jobutil/workererror.py
@@ -1,119 +1,99 @@
 class WorkerError(object):
-  """ Helper class which represents errors raised by a build worker. """
-  def __init__(self, error_code, base_message=None):
-    self._error_code = error_code
-    self._base_message = base_message
+    """ Helper class which represents errors raised by a build worker. """
 
-    self._error_handlers = {
-      'io.quay.builder.buildpackissue': {
-        'message': 'Could not load build package',
-        'is_internal': True,
-      },
+    def __init__(self, error_code, base_message=None):
+        self._error_code = error_code
+        self._base_message = base_message
 
-      'io.quay.builder.gitfailure': {
-        'message': 'Could not clone git repository',
-        'show_base_error': True,
-      },
+        self._error_handlers = {
+            "io.quay.builder.buildpackissue": {
+                "message": "Could not load build package",
+                "is_internal": True,
+            },
+            "io.quay.builder.gitfailure": {
+                "message": "Could not clone git repository",
+                "show_base_error": True,
+            },
+            "io.quay.builder.gitcheckout": {
+                "message": "Could not checkout git ref. If you force pushed recently, "
+                + "the commit may be missing.",
+                "show_base_error": True,
+            },
+            "io.quay.builder.cannotextractbuildpack": {
+                "message": "Could not extract the contents of the build package"
+            },
+            "io.quay.builder.cannotpullforcache": {
+                "message": "Could not pull cached image",
+                "is_internal": True,
+            },
+            "io.quay.builder.dockerfileissue": {
+                "message": "Could not find or parse Dockerfile",
+                "show_base_error": True,
+            },
+            "io.quay.builder.cannotpullbaseimage": {
+                "message": "Could not pull base image",
+                "show_base_error": True,
+            },
+            "io.quay.builder.internalerror": {
+                "message": "An internal error occurred while building. Please submit a ticket.",
+                "is_internal": True,
+            },
+            "io.quay.builder.buildrunerror": {
+                "message": "Could not start the build process",
+                "is_internal": True,
+            },
+            "io.quay.builder.builderror": {
+                "message": "A build step failed",
+                "show_base_error": True,
+            },
+            "io.quay.builder.tagissue": {
+                "message": "Could not tag built image",
+                "is_internal": True,
+            },
+            "io.quay.builder.pushissue": {
+                "message": "Could not push built image",
+                "show_base_error": True,
+                "is_internal": True,
+            },
+            "io.quay.builder.dockerconnecterror": {
+                "message": "Could not connect to Docker daemon",
+                "is_internal": True,
+            },
+            "io.quay.builder.missingorinvalidargument": {
+                "message": "Missing required arguments for builder",
+                "is_internal": True,
+            },
+            "io.quay.builder.cachelookupissue": {
+                "message": "Error checking for a cached tag",
+                "is_internal": True,
+            },
+            "io.quay.builder.errorduringphasetransition": {
+                "message": "Error during phase transition. If this problem persists "
+                + "please contact customer support.",
+                "is_internal": True,
+            },
+            "io.quay.builder.clientrejectedtransition": {
+                "message": "Build can not be finished due to user cancellation."
+            },
+        }
 
-      'io.quay.builder.gitcheckout': {
-        'message': 'Could not checkout git ref. If you force pushed recently, ' +
-                   'the commit may be missing.',
-        'show_base_error': True,
-      },
+    def is_internal_error(self):
+        handler = self._error_handlers.get(self._error_code)
+        return handler.get("is_internal", False) if handler else True
 
-      'io.quay.builder.cannotextractbuildpack': {
-        'message': 'Could not extract the contents of the build package'
-      },
+    def public_message(self):
+        handler = self._error_handlers.get(self._error_code)
+        if not handler:
+            return "An unknown error occurred"
 
-      'io.quay.builder.cannotpullforcache': {
-        'message': 'Could not pull cached image',
-        'is_internal': True
-      },
+        message = handler["message"]
+        if handler.get("show_base_error", False) and self._base_message:
+            message = message + ": " + self._base_message
 
-      'io.quay.builder.dockerfileissue': {
-        'message': 'Could not find or parse Dockerfile',
-        'show_base_error': True
-      },
+        return message
 
-      'io.quay.builder.cannotpullbaseimage': {
-        'message': 'Could not pull base image',
-        'show_base_error': True
-      },
+    def extra_data(self):
+        if self._base_message:
+            return {"base_error": self._base_message, "error_code": self._error_code}
 
-      'io.quay.builder.internalerror': {
-        'message': 'An internal error occurred while building. Please submit a ticket.',
-        'is_internal': True
-      },
-
-      'io.quay.builder.buildrunerror': {
-        'message': 'Could not start the build process',
-        'is_internal': True
-      },
-
-      'io.quay.builder.builderror': {
-        'message': 'A build step failed',
-        'show_base_error': True
-      },
-
-      'io.quay.builder.tagissue': {
-        'message': 'Could not tag built image',
-        'is_internal': True
-      },
-
-      'io.quay.builder.pushissue': {
-        'message': 'Could not push built image',
-        'show_base_error': True,
-        'is_internal': True
-      },
-
-      'io.quay.builder.dockerconnecterror': {
-        'message': 'Could not connect to Docker daemon',
-        'is_internal': True
-      },
-
-      'io.quay.builder.missingorinvalidargument': {
-        'message': 'Missing required arguments for builder',
-        'is_internal': True
-      },
-
-      'io.quay.builder.cachelookupissue': {
-        'message': 'Error checking for a cached tag',
-        'is_internal': True
-      },
-
-      'io.quay.builder.errorduringphasetransition': {
-        'message': 'Error during phase transition. If this problem persists ' +
-                   'please contact customer support.',
-        'is_internal': True
-      },
-
-      'io.quay.builder.clientrejectedtransition': {
-        'message': 'Build can not be finished due to user cancellation.',
-      }
-    }
-
-  def is_internal_error(self):
-    handler = self._error_handlers.get(self._error_code)
-    return handler.get('is_internal', False) if handler else True
-
-  def public_message(self):
-    handler = self._error_handlers.get(self._error_code)
-    if not handler:
-      return 'An unknown error occurred'
-
-    message = handler['message']
-    if handler.get('show_base_error', False) and self._base_message:
-      message = message + ': ' + self._base_message
-
-    return message
-
-  def extra_data(self):
-    if self._base_message:
-      return {
-        'base_error': self._base_message,
-        'error_code': self._error_code
-      }
-
-    return {
-      'error_code': self._error_code
-    }
+        return {"error_code": self._error_code}
diff --git a/buildman/manager/basemanager.py b/buildman/manager/basemanager.py
index 23627830a..996a4eacc 100644
--- a/buildman/manager/basemanager.py
+++ b/buildman/manager/basemanager.py
@@ -1,71 +1,80 @@
 from trollius import coroutine
 
+
 class BaseManager(object):
-  """ Base for all worker managers. """
-  def __init__(self, register_component, unregister_component, job_heartbeat_callback,
-               job_complete_callback, manager_hostname, heartbeat_period_sec):
-    self.register_component = register_component
-    self.unregister_component = unregister_component
-    self.job_heartbeat_callback = job_heartbeat_callback
-    self.job_complete_callback = job_complete_callback
-    self.manager_hostname = manager_hostname
-    self.heartbeat_period_sec = heartbeat_period_sec
+    """ Base for all worker managers. """
 
-  @coroutine
-  def job_heartbeat(self, build_job):
-    """ Method invoked to tell the manager that a job is still running. This method will be called
+    def __init__(
+        self,
+        register_component,
+        unregister_component,
+        job_heartbeat_callback,
+        job_complete_callback,
+        manager_hostname,
+        heartbeat_period_sec,
+    ):
+        self.register_component = register_component
+        self.unregister_component = unregister_component
+        self.job_heartbeat_callback = job_heartbeat_callback
+        self.job_complete_callback = job_complete_callback
+        self.manager_hostname = manager_hostname
+        self.heartbeat_period_sec = heartbeat_period_sec
+
+    @coroutine
+    def job_heartbeat(self, build_job):
+        """ Method invoked to tell the manager that a job is still running. This method will be called
         every few minutes. """
-    self.job_heartbeat_callback(build_job)
+        self.job_heartbeat_callback(build_job)
 
-  def overall_setup_time(self):
-    """ Returns the number of seconds that the build system should wait before allowing the job
+    def overall_setup_time(self):
+        """ Returns the number of seconds that the build system should wait before allowing the job
         to be picked up again after called 'schedule'.
     """
-    raise NotImplementedError
+        raise NotImplementedError
 
-  def shutdown(self):
-    """ Indicates that the build controller server is in a shutdown state and that no new jobs
+    def shutdown(self):
+        """ Indicates that the build controller server is in a shutdown state and that no new jobs
         or workers should be performed. Existing workers should be cleaned up once their jobs
         have completed
     """
-    raise NotImplementedError
+        raise NotImplementedError
 
-  @coroutine
-  def schedule(self, build_job):
-    """ Schedules a queue item to be built. Returns a 2-tuple with (True, None) if the item was
+    @coroutine
+    def schedule(self, build_job):
+        """ Schedules a queue item to be built. Returns a 2-tuple with (True, None) if the item was
         properly scheduled and (False, a retry timeout in seconds) if all workers are busy or an
         error occurs.
     """
-    raise NotImplementedError
+        raise NotImplementedError
 
-  def initialize(self, manager_config):
-    """ Runs any initialization code for the manager. Called once the server is in a ready state.
+    def initialize(self, manager_config):
+        """ Runs any initialization code for the manager. Called once the server is in a ready state.
     """
-    raise NotImplementedError
+        raise NotImplementedError
 
-  @coroutine
-  def build_component_ready(self, build_component):
-    """ Method invoked whenever a build component announces itself as ready.
+    @coroutine
+    def build_component_ready(self, build_component):
+        """ Method invoked whenever a build component announces itself as ready.
     """
-    raise NotImplementedError
+        raise NotImplementedError
 
-  def build_component_disposed(self, build_component, timed_out):
-    """ Method invoked whenever a build component has been disposed. The timed_out boolean indicates
+    def build_component_disposed(self, build_component, timed_out):
+        """ Method invoked whenever a build component has been disposed. The timed_out boolean indicates
         whether the component's heartbeat timed out.
     """
-    raise NotImplementedError
+        raise NotImplementedError
 
-  @coroutine
-  def job_completed(self, build_job, job_status, build_component):
-    """ Method invoked once a job_item has completed, in some manner. The job_status will be
+    @coroutine
+    def job_completed(self, build_job, job_status, build_component):
+        """ Method invoked once a job_item has completed, in some manner. The job_status will be
         one of: incomplete, error, complete. Implementations of this method should call coroutine
         self.job_complete_callback with a status of Incomplete if they wish for the job to be
         automatically requeued.
     """
-    raise NotImplementedError
+        raise NotImplementedError
 
-  def num_workers(self):
-    """ Returns the number of active build workers currently registered. This includes those
+    def num_workers(self):
+        """ Returns the number of active build workers currently registered. This includes those
         that are currently busy and awaiting more work.
     """
-    raise NotImplementedError
+        raise NotImplementedError
diff --git a/buildman/manager/buildcanceller.py b/buildman/manager/buildcanceller.py
index dd49e9f38..c2ab2d9ad 100644
--- a/buildman/manager/buildcanceller.py
+++ b/buildman/manager/buildcanceller.py
@@ -5,23 +5,23 @@ from buildman.manager.noop_canceller import NoopCanceller
 
 logger = logging.getLogger(__name__)
 
-CANCELLERS = {'ephemeral': OrchestratorCanceller}
+CANCELLERS = {"ephemeral": OrchestratorCanceller}
 
 
 class BuildCanceller(object):
-  """ A class to manage cancelling a build """
+    """ A class to manage cancelling a build """
 
-  def __init__(self, app=None):
-    self.build_manager_config = app.config.get('BUILD_MANAGER')
-    if app is None or self.build_manager_config is None:
-      self.handler = NoopCanceller()
-    else:
-      self.handler = None
+    def __init__(self, app=None):
+        self.build_manager_config = app.config.get("BUILD_MANAGER")
+        if app is None or self.build_manager_config is None:
+            self.handler = NoopCanceller()
+        else:
+            self.handler = None
 
-  def try_cancel_build(self, uuid):
-    """ A method to kill a running build """
-    if self.handler is None:
-      canceller = CANCELLERS.get(self.build_manager_config[0], NoopCanceller)
-      self.handler = canceller(self.build_manager_config[1])
+    def try_cancel_build(self, uuid):
+        """ A method to kill a running build """
+        if self.handler is None:
+            canceller = CANCELLERS.get(self.build_manager_config[0], NoopCanceller)
+            self.handler = canceller(self.build_manager_config[1])
 
-    return self.handler.try_cancel_build(uuid)
+        return self.handler.try_cancel_build(uuid)
diff --git a/buildman/manager/enterprise.py b/buildman/manager/enterprise.py
index 3d32a61d0..0be01269c 100644
--- a/buildman/manager/enterprise.py
+++ b/buildman/manager/enterprise.py
@@ -7,86 +7,89 @@ from buildman.manager.basemanager import BaseManager
 
 from trollius import From, Return, coroutine
 
-REGISTRATION_REALM = 'registration'
+REGISTRATION_REALM = "registration"
 RETRY_TIMEOUT = 5
 logger = logging.getLogger(__name__)
 
+
 class DynamicRegistrationComponent(BaseComponent):
-  """ Component session that handles dynamic registration of the builder components. """
+    """ Component session that handles dynamic registration of the builder components. """
 
-  def onConnect(self):
-    self.join(REGISTRATION_REALM)
+    def onConnect(self):
+        self.join(REGISTRATION_REALM)
 
-  def onJoin(self, details):
-    logger.debug('Registering registration method')
-    yield From(self.register(self._worker_register, u'io.quay.buildworker.register'))
+    def onJoin(self, details):
+        logger.debug("Registering registration method")
+        yield From(
+            self.register(self._worker_register, u"io.quay.buildworker.register")
+        )
 
-  def _worker_register(self):
-    realm = self.parent_manager.add_build_component()
-    logger.debug('Registering new build component+worker with realm %s', realm)
-    return realm
+    def _worker_register(self):
+        realm = self.parent_manager.add_build_component()
+        logger.debug("Registering new build component+worker with realm %s", realm)
+        return realm
 
-  def kind(self):
-    return 'registration'
+    def kind(self):
+        return "registration"
 
 
 class EnterpriseManager(BaseManager):
-  """ Build manager implementation for the Enterprise Registry. """
+    """ Build manager implementation for the Enterprise Registry. """
 
-  def __init__(self, *args, **kwargs):
-    self.ready_components = set()
-    self.all_components = set()
-    self.shutting_down = False
+    def __init__(self, *args, **kwargs):
+        self.ready_components = set()
+        self.all_components = set()
+        self.shutting_down = False
 
-    super(EnterpriseManager, self).__init__(*args, **kwargs)
+        super(EnterpriseManager, self).__init__(*args, **kwargs)
 
-  def initialize(self, manager_config):
-    # Add a component which is used by build workers for dynamic registration. Unlike
-    # production, build workers in enterprise are long-lived and register dynamically.
-    self.register_component(REGISTRATION_REALM, DynamicRegistrationComponent)
+    def initialize(self, manager_config):
+        # Add a component which is used by build workers for dynamic registration. Unlike
+        # production, build workers in enterprise are long-lived and register dynamically.
+        self.register_component(REGISTRATION_REALM, DynamicRegistrationComponent)
 
-  def overall_setup_time(self):
-    # Builders are already registered, so the setup time should be essentially instant. We therefore
-    # only return a minute here.
-    return 60
+    def overall_setup_time(self):
+        # Builders are already registered, so the setup time should be essentially instant. We therefore
+        # only return a minute here.
+        return 60
 
-  def add_build_component(self):
-    """ Adds a new build component for an Enterprise Registry. """
-    # Generate a new unique realm ID for the build worker.
-    realm = str(uuid.uuid4())
-    new_component = self.register_component(realm, BuildComponent, token="")
-    self.all_components.add(new_component)
-    return realm
+    def add_build_component(self):
+        """ Adds a new build component for an Enterprise Registry. """
+        # Generate a new unique realm ID for the build worker.
+        realm = str(uuid.uuid4())
+        new_component = self.register_component(realm, BuildComponent, token="")
+        self.all_components.add(new_component)
+        return realm
 
-  @coroutine
-  def schedule(self, build_job):
-    """ Schedules a build for an Enterprise Registry. """
-    if self.shutting_down or not self.ready_components:
-      raise Return(False, RETRY_TIMEOUT)
+    @coroutine
+    def schedule(self, build_job):
+        """ Schedules a build for an Enterprise Registry. """
+        if self.shutting_down or not self.ready_components:
+            raise Return(False, RETRY_TIMEOUT)
 
-    component = self.ready_components.pop()
+        component = self.ready_components.pop()
 
-    yield From(component.start_build(build_job))
+        yield From(component.start_build(build_job))
 
-    raise Return(True, None)
+        raise Return(True, None)
 
-  @coroutine
-  def build_component_ready(self, build_component):
-    self.ready_components.add(build_component)
+    @coroutine
+    def build_component_ready(self, build_component):
+        self.ready_components.add(build_component)
 
-  def shutdown(self):
-    self.shutting_down = True
+    def shutdown(self):
+        self.shutting_down = True
 
-  @coroutine
-  def job_completed(self, build_job, job_status, build_component):
-    yield From(self.job_complete_callback(build_job, job_status))
+    @coroutine
+    def job_completed(self, build_job, job_status, build_component):
+        yield From(self.job_complete_callback(build_job, job_status))
 
-  def build_component_disposed(self, build_component, timed_out):
-    self.all_components.remove(build_component)
-    if build_component in self.ready_components:
-      self.ready_components.remove(build_component)
+    def build_component_disposed(self, build_component, timed_out):
+        self.all_components.remove(build_component)
+        if build_component in self.ready_components:
+            self.ready_components.remove(build_component)
 
-    self.unregister_component(build_component)
+        self.unregister_component(build_component)
 
-  def num_workers(self):
-    return len(self.all_components)
+    def num_workers(self):
+        return len(self.all_components)
diff --git a/buildman/manager/etcd_canceller.py b/buildman/manager/etcd_canceller.py
index ce92a1bbc..d4b129e52 100644
--- a/buildman/manager/etcd_canceller.py
+++ b/buildman/manager/etcd_canceller.py
@@ -5,33 +5,36 @@ logger = logging.getLogger(__name__)
 
 
 class EtcdCanceller(object):
-  """ A class that sends a message to etcd to cancel a build """
+    """ A class that sends a message to etcd to cancel a build """
 
-  def __init__(self, config):
-    etcd_host = config.get('ETCD_HOST', '127.0.0.1')
-    etcd_port = config.get('ETCD_PORT', 2379)
-    etcd_ca_cert = config.get('ETCD_CA_CERT', None)
-    etcd_auth = config.get('ETCD_CERT_AND_KEY', None)
-    if etcd_auth is not None:
-      etcd_auth = tuple(etcd_auth)
+    def __init__(self, config):
+        etcd_host = config.get("ETCD_HOST", "127.0.0.1")
+        etcd_port = config.get("ETCD_PORT", 2379)
+        etcd_ca_cert = config.get("ETCD_CA_CERT", None)
+        etcd_auth = config.get("ETCD_CERT_AND_KEY", None)
+        if etcd_auth is not None:
+            etcd_auth = tuple(etcd_auth)
 
-    etcd_protocol = 'http' if etcd_auth is None else 'https'
-    logger.debug('Connecting to etcd on %s:%s', etcd_host, etcd_port)
-    self._cancel_prefix = config.get('ETCD_CANCEL_PREFIX', 'cancel/')
-    self._etcd_client = etcd.Client(
-      host=etcd_host,
-      port=etcd_port,
-      cert=etcd_auth,
-      ca_cert=etcd_ca_cert,
-      protocol=etcd_protocol,
-      read_timeout=5)
+        etcd_protocol = "http" if etcd_auth is None else "https"
+        logger.debug("Connecting to etcd on %s:%s", etcd_host, etcd_port)
+        self._cancel_prefix = config.get("ETCD_CANCEL_PREFIX", "cancel/")
+        self._etcd_client = etcd.Client(
+            host=etcd_host,
+            port=etcd_port,
+            cert=etcd_auth,
+            ca_cert=etcd_ca_cert,
+            protocol=etcd_protocol,
+            read_timeout=5,
+        )
 
-  def try_cancel_build(self, build_uuid):
-    """ Writes etcd message to cancel build_uuid. """
-    logger.info("Cancelling build %s".format(build_uuid))
-    try:
-      self._etcd_client.write("{}{}".format(self._cancel_prefix, build_uuid), build_uuid, ttl=60)
-      return True
-    except etcd.EtcdException:
-      logger.exception("Failed to write to etcd client %s", build_uuid)
-      return False
+    def try_cancel_build(self, build_uuid):
+        """ Writes etcd message to cancel build_uuid. """
+        logger.info("Cancelling build %s".format(build_uuid))
+        try:
+            self._etcd_client.write(
+                "{}{}".format(self._cancel_prefix, build_uuid), build_uuid, ttl=60
+            )
+            return True
+        except etcd.EtcdException:
+            logger.exception("Failed to write to etcd client %s", build_uuid)
+            return False
diff --git a/buildman/manager/executor.py b/buildman/manager/executor.py
index e82d7a316..7921adbcc 100644
--- a/buildman/manager/executor.py
+++ b/buildman/manager/executor.py
@@ -29,532 +29,605 @@ from _init import ROOT_DIR
 logger = logging.getLogger(__name__)
 
 
-ONE_HOUR = 60*60
+ONE_HOUR = 60 * 60
 
-_TAG_RETRY_COUNT = 3 # Number of times to retry adding tags.
-_TAG_RETRY_SLEEP = 2 # Number of seconds to wait between tag retries.
+_TAG_RETRY_COUNT = 3  # Number of times to retry adding tags.
+_TAG_RETRY_SLEEP = 2  # Number of seconds to wait between tag retries.
 
 ENV = Environment(loader=FileSystemLoader(os.path.join(ROOT_DIR, "buildman/templates")))
-TEMPLATE = ENV.get_template('cloudconfig.yaml')
+TEMPLATE = ENV.get_template("cloudconfig.yaml")
 CloudConfigContext().populate_jinja_environment(ENV)
 
+
 class ExecutorException(Exception):
-  """ Exception raised when there is a problem starting or stopping a builder.
+    """ Exception raised when there is a problem starting or stopping a builder.
   """
-  pass
+
+    pass
 
 
 class BuilderExecutor(object):
-  def __init__(self, executor_config, manager_hostname):
-    """ Interface which can be plugged into the EphemeralNodeManager to provide a strategy for
+    def __init__(self, executor_config, manager_hostname):
+        """ Interface which can be plugged into the EphemeralNodeManager to provide a strategy for
         starting and stopping builders.
     """
-    self.executor_config = executor_config
-    self.manager_hostname = manager_hostname
+        self.executor_config = executor_config
+        self.manager_hostname = manager_hostname
 
-    default_websocket_scheme = 'wss' if app.config['PREFERRED_URL_SCHEME'] == 'https' else 'ws'
-    self.websocket_scheme = executor_config.get("WEBSOCKET_SCHEME", default_websocket_scheme)
+        default_websocket_scheme = (
+            "wss" if app.config["PREFERRED_URL_SCHEME"] == "https" else "ws"
+        )
+        self.websocket_scheme = executor_config.get(
+            "WEBSOCKET_SCHEME", default_websocket_scheme
+        )
 
-  @property
-  def name(self):
-    """ Name returns the unique name for this executor. """
-    return self.executor_config.get('NAME') or self.__class__.__name__
+    @property
+    def name(self):
+        """ Name returns the unique name for this executor. """
+        return self.executor_config.get("NAME") or self.__class__.__name__
 
-  @property
-  def setup_time(self):
-    """ Returns the amount of time (in seconds) to wait for the execution to start for the build.
+    @property
+    def setup_time(self):
+        """ Returns the amount of time (in seconds) to wait for the execution to start for the build.
         If None, the manager's default will be used.
     """
-    return self.executor_config.get('SETUP_TIME')
+        return self.executor_config.get("SETUP_TIME")
 
-  @coroutine
-  def start_builder(self, realm, token, build_uuid):
-    """ Create a builder with the specified config. Returns a unique id which can be used to manage
+    @coroutine
+    def start_builder(self, realm, token, build_uuid):
+        """ Create a builder with the specified config. Returns a unique id which can be used to manage
         the builder.
     """
-    raise NotImplementedError
+        raise NotImplementedError
 
-  @coroutine
-  def stop_builder(self, builder_id):
-    """ Stop a builder which is currently running.
+    @coroutine
+    def stop_builder(self, builder_id):
+        """ Stop a builder which is currently running.
     """
-    raise NotImplementedError
+        raise NotImplementedError
 
-  def allowed_for_namespace(self, namespace):
-    """ Returns true if this executor can be used for builds in the given namespace. """
+    def allowed_for_namespace(self, namespace):
+        """ Returns true if this executor can be used for builds in the given namespace. """
 
-    # Check for an explicit namespace whitelist.
-    namespace_whitelist = self.executor_config.get('NAMESPACE_WHITELIST')
-    if namespace_whitelist is not None and namespace in namespace_whitelist:
-      return True
+        # Check for an explicit namespace whitelist.
+        namespace_whitelist = self.executor_config.get("NAMESPACE_WHITELIST")
+        if namespace_whitelist is not None and namespace in namespace_whitelist:
+            return True
 
-    # Check for a staged rollout percentage. If found, we hash the namespace and, if it is found
-    # in the first X% of the character space, we allow this executor to be used.
-    staged_rollout = self.executor_config.get('STAGED_ROLLOUT')
-    if staged_rollout is not None:
-      bucket = int(hashlib.sha256(namespace).hexdigest()[-2:], 16)
-      return bucket < (256 * staged_rollout)
+        # Check for a staged rollout percentage. If found, we hash the namespace and, if it is found
+        # in the first X% of the character space, we allow this executor to be used.
+        staged_rollout = self.executor_config.get("STAGED_ROLLOUT")
+        if staged_rollout is not None:
+            bucket = int(hashlib.sha256(namespace).hexdigest()[-2:], 16)
+            return bucket < (256 * staged_rollout)
 
-    # If there are no restrictions in place, we are free to use this executor.
-    return staged_rollout is None and namespace_whitelist is None
+        # If there are no restrictions in place, we are free to use this executor.
+        return staged_rollout is None and namespace_whitelist is None
 
-  @property
-  def minimum_retry_threshold(self):
-    """ Returns the minimum number of retries required for this executor to be used or 0 if
+    @property
+    def minimum_retry_threshold(self):
+        """ Returns the minimum number of retries required for this executor to be used or 0 if
         none. """
-    return self.executor_config.get('MINIMUM_RETRY_THRESHOLD', 0)
+        return self.executor_config.get("MINIMUM_RETRY_THRESHOLD", 0)
 
-  def generate_cloud_config(self, realm, token, build_uuid, coreos_channel,
-                            manager_hostname, quay_username=None,
-                            quay_password=None):
-    if quay_username is None:
-      quay_username = self.executor_config['QUAY_USERNAME']
+    def generate_cloud_config(
+        self,
+        realm,
+        token,
+        build_uuid,
+        coreos_channel,
+        manager_hostname,
+        quay_username=None,
+        quay_password=None,
+    ):
+        if quay_username is None:
+            quay_username = self.executor_config["QUAY_USERNAME"]
 
-    if quay_password is None:
-      quay_password = self.executor_config['QUAY_PASSWORD']
+        if quay_password is None:
+            quay_password = self.executor_config["QUAY_PASSWORD"]
 
-    return TEMPLATE.render(
-      realm=realm,
-      token=token,
-      build_uuid=build_uuid,
-      quay_username=quay_username,
-      quay_password=quay_password,
-      manager_hostname=manager_hostname,
-      websocket_scheme=self.websocket_scheme,
-      coreos_channel=coreos_channel,
-      worker_image=self.executor_config.get('WORKER_IMAGE', 'quay.io/coreos/registry-build-worker'),
-      worker_tag=self.executor_config['WORKER_TAG'],
-      logentries_token=self.executor_config.get('LOGENTRIES_TOKEN', None),
-      volume_size=self.executor_config.get('VOLUME_SIZE', '42G'),
-      max_lifetime_s=self.executor_config.get('MAX_LIFETIME_S', 10800),
-      ssh_authorized_keys=self.executor_config.get('SSH_AUTHORIZED_KEYS', []),
-    )
+        return TEMPLATE.render(
+            realm=realm,
+            token=token,
+            build_uuid=build_uuid,
+            quay_username=quay_username,
+            quay_password=quay_password,
+            manager_hostname=manager_hostname,
+            websocket_scheme=self.websocket_scheme,
+            coreos_channel=coreos_channel,
+            worker_image=self.executor_config.get(
+                "WORKER_IMAGE", "quay.io/coreos/registry-build-worker"
+            ),
+            worker_tag=self.executor_config["WORKER_TAG"],
+            logentries_token=self.executor_config.get("LOGENTRIES_TOKEN", None),
+            volume_size=self.executor_config.get("VOLUME_SIZE", "42G"),
+            max_lifetime_s=self.executor_config.get("MAX_LIFETIME_S", 10800),
+            ssh_authorized_keys=self.executor_config.get("SSH_AUTHORIZED_KEYS", []),
+        )
 
 
 class EC2Executor(BuilderExecutor):
-  """ Implementation of BuilderExecutor which uses libcloud to start machines on a variety of cloud
+    """ Implementation of BuilderExecutor which uses libcloud to start machines on a variety of cloud
       providers.
   """
-  COREOS_STACK_URL = 'http://%s.release.core-os.net/amd64-usr/current/coreos_production_ami_hvm.txt'
 
-  def __init__(self, *args, **kwargs):
-    self._loop = get_event_loop()
-    super(EC2Executor, self).__init__(*args, **kwargs)
-
-  def _get_conn(self):
-    """ Creates an ec2 connection which can be used to manage instances.
-    """
-    return AsyncWrapper(boto.ec2.connect_to_region(
-      self.executor_config['EC2_REGION'],
-      aws_access_key_id=self.executor_config['AWS_ACCESS_KEY'],
-      aws_secret_access_key=self.executor_config['AWS_SECRET_KEY'],
-    ))
-
-  @classmethod
-  @cachetools.func.ttl_cache(ttl=ONE_HOUR)
-  def _get_coreos_ami(cls, ec2_region, coreos_channel):
-    """ Retrieve the CoreOS AMI id from the canonical listing.
-    """
-    stack_list_string = requests.get(EC2Executor.COREOS_STACK_URL % coreos_channel).text
-    stack_amis = dict([stack.split('=') for stack in stack_list_string.split('|')])
-    return stack_amis[ec2_region]
-
-  @coroutine
-  @duration_collector_async(metric_queue.builder_time_to_start, ['ec2'])
-  def start_builder(self, realm, token, build_uuid):
-    region = self.executor_config['EC2_REGION']
-    channel = self.executor_config.get('COREOS_CHANNEL', 'stable')
-
-    coreos_ami = self.executor_config.get('COREOS_AMI', None)
-    if coreos_ami is None:
-      get_ami_callable = partial(self._get_coreos_ami, region, channel)
-      coreos_ami = yield From(self._loop.run_in_executor(None, get_ami_callable))
-
-    user_data = self.generate_cloud_config(realm, token, build_uuid, channel, self.manager_hostname)
-    logger.debug('Generated cloud config for build %s: %s', build_uuid, user_data)
-
-    ec2_conn = self._get_conn()
-
-    ssd_root_ebs = boto.ec2.blockdevicemapping.BlockDeviceType(
-      size=int(self.executor_config.get('BLOCK_DEVICE_SIZE', 48)),
-      volume_type='gp2',
-      delete_on_termination=True,
+    COREOS_STACK_URL = (
+        "http://%s.release.core-os.net/amd64-usr/current/coreos_production_ami_hvm.txt"
     )
-    block_devices = boto.ec2.blockdevicemapping.BlockDeviceMapping()
-    block_devices['/dev/xvda'] = ssd_root_ebs
 
-    interfaces = None
-    if self.executor_config.get('EC2_VPC_SUBNET_ID', None) is not None:
-      interface = boto.ec2.networkinterface.NetworkInterfaceSpecification(
-        subnet_id=self.executor_config['EC2_VPC_SUBNET_ID'],
-        groups=self.executor_config['EC2_SECURITY_GROUP_IDS'],
-        associate_public_ip_address=True,
-      )
-      interfaces = boto.ec2.networkinterface.NetworkInterfaceCollection(interface)
+    def __init__(self, *args, **kwargs):
+        self._loop = get_event_loop()
+        super(EC2Executor, self).__init__(*args, **kwargs)
 
-    try:
-      reservation = yield From(ec2_conn.run_instances(
-        coreos_ami,
-        instance_type=self.executor_config['EC2_INSTANCE_TYPE'],
-        key_name=self.executor_config.get('EC2_KEY_NAME', None),
-        user_data=user_data,
-        instance_initiated_shutdown_behavior='terminate',
-        block_device_map=block_devices,
-        network_interfaces=interfaces,
-      ))
-    except boto.exception.EC2ResponseError as ec2e:
-      logger.exception('Unable to spawn builder instance')
-      metric_queue.ephemeral_build_worker_failure.Inc()
-      raise ec2e
+    def _get_conn(self):
+        """ Creates an ec2 connection which can be used to manage instances.
+    """
+        return AsyncWrapper(
+            boto.ec2.connect_to_region(
+                self.executor_config["EC2_REGION"],
+                aws_access_key_id=self.executor_config["AWS_ACCESS_KEY"],
+                aws_secret_access_key=self.executor_config["AWS_SECRET_KEY"],
+            )
+        )
 
-    if not reservation.instances:
-      raise ExecutorException('Unable to spawn builder instance.')
-    elif len(reservation.instances) != 1:
-      raise ExecutorException('EC2 started wrong number of instances!')
+    @classmethod
+    @cachetools.func.ttl_cache(ttl=ONE_HOUR)
+    def _get_coreos_ami(cls, ec2_region, coreos_channel):
+        """ Retrieve the CoreOS AMI id from the canonical listing.
+    """
+        stack_list_string = requests.get(
+            EC2Executor.COREOS_STACK_URL % coreos_channel
+        ).text
+        stack_amis = dict([stack.split("=") for stack in stack_list_string.split("|")])
+        return stack_amis[ec2_region]
 
-    launched = AsyncWrapper(reservation.instances[0])
+    @coroutine
+    @duration_collector_async(metric_queue.builder_time_to_start, ["ec2"])
+    def start_builder(self, realm, token, build_uuid):
+        region = self.executor_config["EC2_REGION"]
+        channel = self.executor_config.get("COREOS_CHANNEL", "stable")
 
-    # Sleep a few seconds to wait for AWS to spawn the instance.
-    yield From(trollius.sleep(_TAG_RETRY_SLEEP))
+        coreos_ami = self.executor_config.get("COREOS_AMI", None)
+        if coreos_ami is None:
+            get_ami_callable = partial(self._get_coreos_ami, region, channel)
+            coreos_ami = yield From(self._loop.run_in_executor(None, get_ami_callable))
 
-    # Tag the instance with its metadata.
-    for i in range(0, _TAG_RETRY_COUNT):
-      try:
-        yield From(launched.add_tags({
-          'Name': 'Quay Ephemeral Builder',
-          'Realm': realm,
-          'Token': token,
-          'BuildUUID': build_uuid,
-        }))
-      except boto.exception.EC2ResponseError as ec2e:
-        if ec2e.error_code == 'InvalidInstanceID.NotFound':
-          if i < _TAG_RETRY_COUNT - 1:
-            logger.warning('Failed to write EC2 tags for instance %s for build %s (attempt #%s)',
-                           launched.id, build_uuid, i)
-            yield From(trollius.sleep(_TAG_RETRY_SLEEP))
-            continue
+        user_data = self.generate_cloud_config(
+            realm, token, build_uuid, channel, self.manager_hostname
+        )
+        logger.debug("Generated cloud config for build %s: %s", build_uuid, user_data)
 
-          raise ExecutorException('Unable to find builder instance.')
+        ec2_conn = self._get_conn()
 
-        logger.exception('Failed to write EC2 tags (attempt #%s)', i)
+        ssd_root_ebs = boto.ec2.blockdevicemapping.BlockDeviceType(
+            size=int(self.executor_config.get("BLOCK_DEVICE_SIZE", 48)),
+            volume_type="gp2",
+            delete_on_termination=True,
+        )
+        block_devices = boto.ec2.blockdevicemapping.BlockDeviceMapping()
+        block_devices["/dev/xvda"] = ssd_root_ebs
 
-    logger.debug('Machine with ID %s started for build %s', launched.id, build_uuid)
-    raise Return(launched.id)
+        interfaces = None
+        if self.executor_config.get("EC2_VPC_SUBNET_ID", None) is not None:
+            interface = boto.ec2.networkinterface.NetworkInterfaceSpecification(
+                subnet_id=self.executor_config["EC2_VPC_SUBNET_ID"],
+                groups=self.executor_config["EC2_SECURITY_GROUP_IDS"],
+                associate_public_ip_address=True,
+            )
+            interfaces = boto.ec2.networkinterface.NetworkInterfaceCollection(interface)
 
-  @coroutine
-  def stop_builder(self, builder_id):
-    try:
-      ec2_conn = self._get_conn()
-      terminated_instances = yield From(ec2_conn.terminate_instances([builder_id]))
-    except boto.exception.EC2ResponseError as ec2e:
-      if ec2e.error_code == 'InvalidInstanceID.NotFound':
-        logger.debug('Instance %s already terminated', builder_id)
-        return
+        try:
+            reservation = yield From(
+                ec2_conn.run_instances(
+                    coreos_ami,
+                    instance_type=self.executor_config["EC2_INSTANCE_TYPE"],
+                    key_name=self.executor_config.get("EC2_KEY_NAME", None),
+                    user_data=user_data,
+                    instance_initiated_shutdown_behavior="terminate",
+                    block_device_map=block_devices,
+                    network_interfaces=interfaces,
+                )
+            )
+        except boto.exception.EC2ResponseError as ec2e:
+            logger.exception("Unable to spawn builder instance")
+            metric_queue.ephemeral_build_worker_failure.Inc()
+            raise ec2e
 
-      logger.exception('Exception when trying to terminate instance %s', builder_id)
-      raise
+        if not reservation.instances:
+            raise ExecutorException("Unable to spawn builder instance.")
+        elif len(reservation.instances) != 1:
+            raise ExecutorException("EC2 started wrong number of instances!")
 
-    if builder_id not in [si.id for si in terminated_instances]:
-      raise ExecutorException('Unable to terminate instance: %s' % builder_id)
+        launched = AsyncWrapper(reservation.instances[0])
+
+        # Sleep a few seconds to wait for AWS to spawn the instance.
+        yield From(trollius.sleep(_TAG_RETRY_SLEEP))
+
+        # Tag the instance with its metadata.
+        for i in range(0, _TAG_RETRY_COUNT):
+            try:
+                yield From(
+                    launched.add_tags(
+                        {
+                            "Name": "Quay Ephemeral Builder",
+                            "Realm": realm,
+                            "Token": token,
+                            "BuildUUID": build_uuid,
+                        }
+                    )
+                )
+            except boto.exception.EC2ResponseError as ec2e:
+                if ec2e.error_code == "InvalidInstanceID.NotFound":
+                    if i < _TAG_RETRY_COUNT - 1:
+                        logger.warning(
+                            "Failed to write EC2 tags for instance %s for build %s (attempt #%s)",
+                            launched.id,
+                            build_uuid,
+                            i,
+                        )
+                        yield From(trollius.sleep(_TAG_RETRY_SLEEP))
+                        continue
+
+                    raise ExecutorException("Unable to find builder instance.")
+
+                logger.exception("Failed to write EC2 tags (attempt #%s)", i)
+
+        logger.debug("Machine with ID %s started for build %s", launched.id, build_uuid)
+        raise Return(launched.id)
+
+    @coroutine
+    def stop_builder(self, builder_id):
+        try:
+            ec2_conn = self._get_conn()
+            terminated_instances = yield From(
+                ec2_conn.terminate_instances([builder_id])
+            )
+        except boto.exception.EC2ResponseError as ec2e:
+            if ec2e.error_code == "InvalidInstanceID.NotFound":
+                logger.debug("Instance %s already terminated", builder_id)
+                return
+
+            logger.exception(
+                "Exception when trying to terminate instance %s", builder_id
+            )
+            raise
+
+        if builder_id not in [si.id for si in terminated_instances]:
+            raise ExecutorException("Unable to terminate instance: %s" % builder_id)
 
 
 class PopenExecutor(BuilderExecutor):
-  """ Implementation of BuilderExecutor which uses Popen to fork a quay-builder process.
+    """ Implementation of BuilderExecutor which uses Popen to fork a quay-builder process.
   """
-  def __init__(self, executor_config, manager_hostname):
-    self._jobs = {}
 
-    super(PopenExecutor, self).__init__(executor_config, manager_hostname)
+    def __init__(self, executor_config, manager_hostname):
+        self._jobs = {}
 
-  """ Executor which uses Popen to fork a quay-builder process.
+        super(PopenExecutor, self).__init__(executor_config, manager_hostname)
+
+    """ Executor which uses Popen to fork a quay-builder process.
   """
-  @coroutine
-  @duration_collector_async(metric_queue.builder_time_to_start, ['fork'])
-  def start_builder(self, realm, token, build_uuid):
-    # Now start a machine for this job, adding the machine id to the etcd information
-    logger.debug('Forking process for build')
 
-    ws_host = os.environ.get("BUILDMAN_WS_HOST", "localhost")
-    ws_port = os.environ.get("BUILDMAN_WS_PORT", "8787")
-    builder_env = {
-      'TOKEN': token,
-      'REALM': realm,
-      'ENDPOINT': 'ws://%s:%s' % (ws_host, ws_port),
-      'DOCKER_TLS_VERIFY': os.environ.get('DOCKER_TLS_VERIFY', ''),
-      'DOCKER_CERT_PATH': os.environ.get('DOCKER_CERT_PATH', ''),
-      'DOCKER_HOST': os.environ.get('DOCKER_HOST', ''),
-      'PATH': "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
-    }
+    @coroutine
+    @duration_collector_async(metric_queue.builder_time_to_start, ["fork"])
+    def start_builder(self, realm, token, build_uuid):
+        # Now start a machine for this job, adding the machine id to the etcd information
+        logger.debug("Forking process for build")
 
-    logpipe = LogPipe(logging.INFO)
-    spawned = subprocess.Popen(os.environ.get('BUILDER_BINARY_LOCATION',
-                                              '/usr/local/bin/quay-builder'),
-                               stdout=logpipe,
-                               stderr=logpipe,
-                               env=builder_env)
+        ws_host = os.environ.get("BUILDMAN_WS_HOST", "localhost")
+        ws_port = os.environ.get("BUILDMAN_WS_PORT", "8787")
+        builder_env = {
+            "TOKEN": token,
+            "REALM": realm,
+            "ENDPOINT": "ws://%s:%s" % (ws_host, ws_port),
+            "DOCKER_TLS_VERIFY": os.environ.get("DOCKER_TLS_VERIFY", ""),
+            "DOCKER_CERT_PATH": os.environ.get("DOCKER_CERT_PATH", ""),
+            "DOCKER_HOST": os.environ.get("DOCKER_HOST", ""),
+            "PATH": "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+        }
 
-    builder_id = str(uuid.uuid4())
-    self._jobs[builder_id] = (spawned, logpipe)
-    logger.debug('Builder spawned with id: %s', builder_id)
-    raise Return(builder_id)
+        logpipe = LogPipe(logging.INFO)
+        spawned = subprocess.Popen(
+            os.environ.get("BUILDER_BINARY_LOCATION", "/usr/local/bin/quay-builder"),
+            stdout=logpipe,
+            stderr=logpipe,
+            env=builder_env,
+        )
 
-  @coroutine
-  def stop_builder(self, builder_id):
-    if builder_id not in self._jobs:
-      raise ExecutorException('Builder id not being tracked by executor.')
+        builder_id = str(uuid.uuid4())
+        self._jobs[builder_id] = (spawned, logpipe)
+        logger.debug("Builder spawned with id: %s", builder_id)
+        raise Return(builder_id)
 
-    logger.debug('Killing builder with id: %s', builder_id)
-    spawned, logpipe = self._jobs[builder_id]
+    @coroutine
+    def stop_builder(self, builder_id):
+        if builder_id not in self._jobs:
+            raise ExecutorException("Builder id not being tracked by executor.")
 
-    if spawned.poll() is None:
-      spawned.kill()
-    logpipe.close()
+        logger.debug("Killing builder with id: %s", builder_id)
+        spawned, logpipe = self._jobs[builder_id]
+
+        if spawned.poll() is None:
+            spawned.kill()
+        logpipe.close()
 
 
 class KubernetesExecutor(BuilderExecutor):
-  """ Executes build jobs by creating Kubernetes jobs which run a qemu-kvm virtual
+    """ Executes build jobs by creating Kubernetes jobs which run a qemu-kvm virtual
       machine in a pod """
-  def __init__(self, *args, **kwargs):
-    super(KubernetesExecutor, self).__init__(*args, **kwargs)
-    self._loop = get_event_loop()
-    self.namespace = self.executor_config.get('BUILDER_NAMESPACE', 'builder')
-    self.image = self.executor_config.get('BUILDER_VM_CONTAINER_IMAGE',
-                                          'quay.io/quay/quay-builder-qemu-coreos:stable')
 
-  @coroutine
-  def _request(self, method, path, **kwargs):
-    request_options = dict(kwargs)
+    def __init__(self, *args, **kwargs):
+        super(KubernetesExecutor, self).__init__(*args, **kwargs)
+        self._loop = get_event_loop()
+        self.namespace = self.executor_config.get("BUILDER_NAMESPACE", "builder")
+        self.image = self.executor_config.get(
+            "BUILDER_VM_CONTAINER_IMAGE", "quay.io/quay/quay-builder-qemu-coreos:stable"
+        )
 
-    tls_cert = self.executor_config.get('K8S_API_TLS_CERT')
-    tls_key = self.executor_config.get('K8S_API_TLS_KEY')
-    tls_ca = self.executor_config.get('K8S_API_TLS_CA')
-    service_account_token = self.executor_config.get('SERVICE_ACCOUNT_TOKEN')
+    @coroutine
+    def _request(self, method, path, **kwargs):
+        request_options = dict(kwargs)
 
-    if 'timeout' not in request_options:
-      request_options['timeout'] = self.executor_config.get("K8S_API_TIMEOUT", 20)
+        tls_cert = self.executor_config.get("K8S_API_TLS_CERT")
+        tls_key = self.executor_config.get("K8S_API_TLS_KEY")
+        tls_ca = self.executor_config.get("K8S_API_TLS_CA")
+        service_account_token = self.executor_config.get("SERVICE_ACCOUNT_TOKEN")
 
-    if service_account_token:
-      scheme = 'https'
-      request_options['headers'] = {'Authorization': 'Bearer ' + service_account_token}
-      logger.debug('Using service account token for Kubernetes authentication')
-    elif tls_cert and tls_key:
-      scheme = 'https'
-      request_options['cert'] = (tls_cert, tls_key)
-      logger.debug('Using tls certificate and key for Kubernetes authentication')
-      if tls_ca:
-        request_options['verify'] = tls_ca
-    else:
-      scheme = 'http'
+        if "timeout" not in request_options:
+            request_options["timeout"] = self.executor_config.get("K8S_API_TIMEOUT", 20)
 
-    server = self.executor_config.get('K8S_API_SERVER', 'localhost:8080')
-    url = '%s://%s%s' % (scheme, server, path)
+        if service_account_token:
+            scheme = "https"
+            request_options["headers"] = {
+                "Authorization": "Bearer " + service_account_token
+            }
+            logger.debug("Using service account token for Kubernetes authentication")
+        elif tls_cert and tls_key:
+            scheme = "https"
+            request_options["cert"] = (tls_cert, tls_key)
+            logger.debug("Using tls certificate and key for Kubernetes authentication")
+            if tls_ca:
+                request_options["verify"] = tls_ca
+        else:
+            scheme = "http"
 
-    logger.debug('Executor config: %s', self.executor_config)
-    logger.debug('Kubernetes request: %s %s: %s', method, url, request_options)
-    res = requests.request(method, url, **request_options)
-    logger.debug('Kubernetes response: %s: %s', res.status_code, res.text)
-    raise Return(res)
+        server = self.executor_config.get("K8S_API_SERVER", "localhost:8080")
+        url = "%s://%s%s" % (scheme, server, path)
 
-  def _jobs_path(self):
-    return '/apis/batch/v1/namespaces/%s/jobs' % self.namespace
+        logger.debug("Executor config: %s", self.executor_config)
+        logger.debug("Kubernetes request: %s %s: %s", method, url, request_options)
+        res = requests.request(method, url, **request_options)
+        logger.debug("Kubernetes response: %s: %s", res.status_code, res.text)
+        raise Return(res)
 
-  def _job_path(self, build_uuid):
-    return '%s/%s' % (self._jobs_path(), build_uuid)
+    def _jobs_path(self):
+        return "/apis/batch/v1/namespaces/%s/jobs" % self.namespace
 
-  def _kubernetes_distribution(self):
-    return self.executor_config.get('KUBERNETES_DISTRIBUTION', 'basic').lower()
+    def _job_path(self, build_uuid):
+        return "%s/%s" % (self._jobs_path(), build_uuid)
 
-  def _is_basic_kubernetes_distribution(self):
-    return self._kubernetes_distribution() == 'basic'
+    def _kubernetes_distribution(self):
+        return self.executor_config.get("KUBERNETES_DISTRIBUTION", "basic").lower()
 
-  def _is_openshift_kubernetes_distribution(self):
-    return self._kubernetes_distribution() == 'openshift'
+    def _is_basic_kubernetes_distribution(self):
+        return self._kubernetes_distribution() == "basic"
 
-  def _build_job_container_resources(self):
-    # Minimum acceptable free resources for this container to "fit" in a quota
-    # These may be lower than the absolute limits if the cluster is knowingly
-    # oversubscribed by some amount.
-    container_requests = {
-      'memory' : self.executor_config.get('CONTAINER_MEMORY_REQUEST', '3968Mi'),
-    }
+    def _is_openshift_kubernetes_distribution(self):
+        return self._kubernetes_distribution() == "openshift"
 
-    container_limits = {
-      'memory' : self.executor_config.get('CONTAINER_MEMORY_LIMITS', '5120Mi'),
-      'cpu' : self.executor_config.get('CONTAINER_CPU_LIMITS', '1000m'),
-    }
+    def _build_job_container_resources(self):
+        # Minimum acceptable free resources for this container to "fit" in a quota
+        # These may be lower than the absolute limits if the cluster is knowingly
+        # oversubscribed by some amount.
+        container_requests = {
+            "memory": self.executor_config.get("CONTAINER_MEMORY_REQUEST", "3968Mi")
+        }
 
-    resources = {
-      'requests': container_requests,
-    }
+        container_limits = {
+            "memory": self.executor_config.get("CONTAINER_MEMORY_LIMITS", "5120Mi"),
+            "cpu": self.executor_config.get("CONTAINER_CPU_LIMITS", "1000m"),
+        }
 
-    if self._is_openshift_kubernetes_distribution():
-      resources['requests']['cpu'] = self.executor_config.get('CONTAINER_CPU_REQUEST', '500m')
-      resources['limits'] = container_limits
+        resources = {"requests": container_requests}
 
-    return resources
+        if self._is_openshift_kubernetes_distribution():
+            resources["requests"]["cpu"] = self.executor_config.get(
+                "CONTAINER_CPU_REQUEST", "500m"
+            )
+            resources["limits"] = container_limits
 
-  def _build_job_containers(self, user_data):
-    vm_memory_limit = self.executor_config.get('VM_MEMORY_LIMIT', '4G')
-    vm_volume_size = self.executor_config.get('VOLUME_SIZE', '32G')
+        return resources
 
-    container = {
-      'name': 'builder',
-      'imagePullPolicy': 'IfNotPresent',
-      'image': self.image,
-      'securityContext': {'privileged': True},
-      'env': [
-        {'name': 'USERDATA', 'value': user_data},
-        {'name': 'VM_MEMORY', 'value': vm_memory_limit},
-        {'name': 'VM_VOLUME_SIZE', 'value': vm_volume_size},
-      ],
-      'resources': self._build_job_container_resources(),
-    }
+    def _build_job_containers(self, user_data):
+        vm_memory_limit = self.executor_config.get("VM_MEMORY_LIMIT", "4G")
+        vm_volume_size = self.executor_config.get("VOLUME_SIZE", "32G")
 
-    if self._is_basic_kubernetes_distribution():
-      container['volumeMounts'] = [{'name': 'secrets-mask','mountPath': '/var/run/secrets/kubernetes.io/serviceaccount'}]
+        container = {
+            "name": "builder",
+            "imagePullPolicy": "IfNotPresent",
+            "image": self.image,
+            "securityContext": {"privileged": True},
+            "env": [
+                {"name": "USERDATA", "value": user_data},
+                {"name": "VM_MEMORY", "value": vm_memory_limit},
+                {"name": "VM_VOLUME_SIZE", "value": vm_volume_size},
+            ],
+            "resources": self._build_job_container_resources(),
+        }
 
-    return container
+        if self._is_basic_kubernetes_distribution():
+            container["volumeMounts"] = [
+                {
+                    "name": "secrets-mask",
+                    "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount",
+                }
+            ]
 
-  def _job_resource(self, build_uuid, user_data, coreos_channel='stable'):
-    image_pull_secret_name = self.executor_config.get('IMAGE_PULL_SECRET_NAME', 'builder')
-    service_account = self.executor_config.get('SERVICE_ACCOUNT_NAME', 'quay-builder-sa')
-    node_selector_label_key = self.executor_config.get('NODE_SELECTOR_LABEL_KEY', 'beta.kubernetes.io/instance-type')
-    node_selector_label_value = self.executor_config.get('NODE_SELECTOR_LABEL_VALUE', '')
+        return container
 
-    node_selector = {
-      node_selector_label_key : node_selector_label_value
-    }
+    def _job_resource(self, build_uuid, user_data, coreos_channel="stable"):
+        image_pull_secret_name = self.executor_config.get(
+            "IMAGE_PULL_SECRET_NAME", "builder"
+        )
+        service_account = self.executor_config.get(
+            "SERVICE_ACCOUNT_NAME", "quay-builder-sa"
+        )
+        node_selector_label_key = self.executor_config.get(
+            "NODE_SELECTOR_LABEL_KEY", "beta.kubernetes.io/instance-type"
+        )
+        node_selector_label_value = self.executor_config.get(
+            "NODE_SELECTOR_LABEL_VALUE", ""
+        )
 
-    release_sha = release.GIT_HEAD or 'none'
-    if ' ' in release_sha:
-      release_sha = 'HEAD'
+        node_selector = {node_selector_label_key: node_selector_label_value}
 
-    job_resource = {
-      'apiVersion': 'batch/v1',
-      'kind': 'Job',
-      'metadata': {
-        'namespace': self.namespace,
-        'generateName': build_uuid + '-',
-        'labels': {
-          'build': build_uuid,
-          'time': datetime.datetime.now().strftime('%Y-%m-%d-%H'),
-          'manager': socket.gethostname(),
-          'quay-sha': release_sha,
-        },
-      },
-      'spec' : {
-        'activeDeadlineSeconds': self.executor_config.get('MAXIMUM_JOB_TIME', 7200),
-        'template': {
-          'metadata': {
-            'labels': {
-              'build': build_uuid,
-              'time': datetime.datetime.now().strftime('%Y-%m-%d-%H'),
-              'manager': socket.gethostname(),
-              'quay-sha': release_sha,
+        release_sha = release.GIT_HEAD or "none"
+        if " " in release_sha:
+            release_sha = "HEAD"
+
+        job_resource = {
+            "apiVersion": "batch/v1",
+            "kind": "Job",
+            "metadata": {
+                "namespace": self.namespace,
+                "generateName": build_uuid + "-",
+                "labels": {
+                    "build": build_uuid,
+                    "time": datetime.datetime.now().strftime("%Y-%m-%d-%H"),
+                    "manager": socket.gethostname(),
+                    "quay-sha": release_sha,
+                },
             },
-          },
-          'spec': {
-            'imagePullSecrets': [{ 'name': image_pull_secret_name }],
-            'restartPolicy': 'Never',
-            'dnsPolicy': 'Default',
-            'containers': [self._build_job_containers(user_data)],
-          },
-        },
-      },
-    }
+            "spec": {
+                "activeDeadlineSeconds": self.executor_config.get(
+                    "MAXIMUM_JOB_TIME", 7200
+                ),
+                "template": {
+                    "metadata": {
+                        "labels": {
+                            "build": build_uuid,
+                            "time": datetime.datetime.now().strftime("%Y-%m-%d-%H"),
+                            "manager": socket.gethostname(),
+                            "quay-sha": release_sha,
+                        }
+                    },
+                    "spec": {
+                        "imagePullSecrets": [{"name": image_pull_secret_name}],
+                        "restartPolicy": "Never",
+                        "dnsPolicy": "Default",
+                        "containers": [self._build_job_containers(user_data)],
+                    },
+                },
+            },
+        }
 
-    if self._is_openshift_kubernetes_distribution():
-      # Setting `automountServiceAccountToken` to false will prevent automounting API credentials for a service account.
-      job_resource['spec']['template']['spec']['automountServiceAccountToken'] = False
+        if self._is_openshift_kubernetes_distribution():
+            # Setting `automountServiceAccountToken` to false will prevent automounting API credentials for a service account.
+            job_resource["spec"]["template"]["spec"][
+                "automountServiceAccountToken"
+            ] = False
 
-      # Use dedicated service account that has no authorization to any resources.
-      job_resource['spec']['template']['spec']['serviceAccount'] = service_account
+            # Use dedicated service account that has no authorization to any resources.
+            job_resource["spec"]["template"]["spec"]["serviceAccount"] = service_account
 
-      # Setting `enableServiceLinks` to false prevents information about other services from being injected into pod's
-      # environment variables. Pod has no visibility into other services on the cluster.
-      job_resource['spec']['template']['spec']['enableServiceLinks'] = False
+            # Setting `enableServiceLinks` to false prevents information about other services from being injected into pod's
+            # environment variables. Pod has no visibility into other services on the cluster.
+            job_resource["spec"]["template"]["spec"]["enableServiceLinks"] = False
 
-      if node_selector_label_value.strip() != '':
-        job_resource['spec']['template']['spec']['nodeSelector'] = node_selector
+            if node_selector_label_value.strip() != "":
+                job_resource["spec"]["template"]["spec"]["nodeSelector"] = node_selector
 
-    if self._is_basic_kubernetes_distribution():
-      # This volume is a hack to mask the token for the namespace's
-      # default service account, which is placed in a file mounted under
-      # `/var/run/secrets/kubernetes.io/serviceaccount` in all pods.
-      # There's currently no other way to just disable the service
-      # account at either the pod or namespace level.
-      #
-      #   https://github.com/kubernetes/kubernetes/issues/16779
-      #
-      job_resource['spec']['template']['spec']['volumes'] = [{'name': 'secrets-mask','emptyDir': {'medium': 'Memory'}}]
+        if self._is_basic_kubernetes_distribution():
+            # This volume is a hack to mask the token for the namespace's
+            # default service account, which is placed in a file mounted under
+            # `/var/run/secrets/kubernetes.io/serviceaccount` in all pods.
+            # There's currently no other way to just disable the service
+            # account at either the pod or namespace level.
+            #
+            #   https://github.com/kubernetes/kubernetes/issues/16779
+            #
+            job_resource["spec"]["template"]["spec"]["volumes"] = [
+                {"name": "secrets-mask", "emptyDir": {"medium": "Memory"}}
+            ]
 
-    return job_resource
+        return job_resource
 
-  @coroutine
-  @duration_collector_async(metric_queue.builder_time_to_start, ['k8s'])
-  def start_builder(self, realm, token, build_uuid):
-    # generate resource
-    channel = self.executor_config.get('COREOS_CHANNEL', 'stable')
-    user_data = self.generate_cloud_config(realm, token, build_uuid, channel, self.manager_hostname)
-    resource = self._job_resource(build_uuid, user_data, channel)
-    logger.debug('Using Kubernetes Distribution: %s', self._kubernetes_distribution())
-    logger.debug('Generated kubernetes resource:\n%s', resource)
+    @coroutine
+    @duration_collector_async(metric_queue.builder_time_to_start, ["k8s"])
+    def start_builder(self, realm, token, build_uuid):
+        # generate resource
+        channel = self.executor_config.get("COREOS_CHANNEL", "stable")
+        user_data = self.generate_cloud_config(
+            realm, token, build_uuid, channel, self.manager_hostname
+        )
+        resource = self._job_resource(build_uuid, user_data, channel)
+        logger.debug(
+            "Using Kubernetes Distribution: %s", self._kubernetes_distribution()
+        )
+        logger.debug("Generated kubernetes resource:\n%s", resource)
 
-    # schedule
-    create_job = yield From(self._request('POST', self._jobs_path(), json=resource))
-    if int(create_job.status_code / 100) != 2:
-      raise ExecutorException('Failed to create job: %s: %s: %s' %
-                              (build_uuid, create_job.status_code, create_job.text))
+        # schedule
+        create_job = yield From(self._request("POST", self._jobs_path(), json=resource))
+        if int(create_job.status_code / 100) != 2:
+            raise ExecutorException(
+                "Failed to create job: %s: %s: %s"
+                % (build_uuid, create_job.status_code, create_job.text)
+            )
 
-    job = create_job.json()
-    raise Return(job['metadata']['name'])
+        job = create_job.json()
+        raise Return(job["metadata"]["name"])
 
-  @coroutine
-  def stop_builder(self, builder_id):
-    pods_path = '/api/v1/namespaces/%s/pods' % self.namespace
+    @coroutine
+    def stop_builder(self, builder_id):
+        pods_path = "/api/v1/namespaces/%s/pods" % self.namespace
 
-    # Delete the job itself.
-    try:
-      yield From(self._request('DELETE', self._job_path(builder_id)))
-    except:
-      logger.exception('Failed to send delete job call for job %s', builder_id)
+        # Delete the job itself.
+        try:
+            yield From(self._request("DELETE", self._job_path(builder_id)))
+        except:
+            logger.exception("Failed to send delete job call for job %s", builder_id)
 
-    # Delete the pod(s) for the job.
-    selectorString = "job-name=%s" % builder_id
-    try:
-      yield From(self._request('DELETE', pods_path, params=dict(labelSelector=selectorString)))
-    except:
-      logger.exception("Failed to send delete pod call for job %s", builder_id)
+        # Delete the pod(s) for the job.
+        selectorString = "job-name=%s" % builder_id
+        try:
+            yield From(
+                self._request(
+                    "DELETE", pods_path, params=dict(labelSelector=selectorString)
+                )
+            )
+        except:
+            logger.exception("Failed to send delete pod call for job %s", builder_id)
 
 
 class LogPipe(threading.Thread):
-  """ Adapted from http://codereview.stackexchange.com/a/17959
+    """ Adapted from http://codereview.stackexchange.com/a/17959
   """
-  def __init__(self, level):
-    """Setup the object with a logger and a loglevel
+
+    def __init__(self, level):
+        """Setup the object with a logger and a loglevel
     and start the thread
     """
-    threading.Thread.__init__(self)
-    self.daemon = False
-    self.level = level
-    self.fd_read, self.fd_write = os.pipe()
-    self.pipe_reader = os.fdopen(self.fd_read)
-    self.start()
+        threading.Thread.__init__(self)
+        self.daemon = False
+        self.level = level
+        self.fd_read, self.fd_write = os.pipe()
+        self.pipe_reader = os.fdopen(self.fd_read)
+        self.start()
 
-  def fileno(self):
-    """Return the write file descriptor of the pipe
+    def fileno(self):
+        """Return the write file descriptor of the pipe
     """
-    return self.fd_write
+        return self.fd_write
 
-  def run(self):
-    """Run the thread, logging everything.
+    def run(self):
+        """Run the thread, logging everything.
     """
-    for line in iter(self.pipe_reader.readline, ''):
-      logging.log(self.level, line.strip('\n'))
+        for line in iter(self.pipe_reader.readline, ""):
+            logging.log(self.level, line.strip("\n"))
 
-    self.pipe_reader.close()
+        self.pipe_reader.close()
 
-  def close(self):
-    """Close the write end of the pipe.
+    def close(self):
+        """Close the write end of the pipe.
     """
-    os.close(self.fd_write)
+        os.close(self.fd_write)
diff --git a/buildman/manager/noop_canceller.py b/buildman/manager/noop_canceller.py
index 2adf17ad7..51c023fcc 100644
--- a/buildman/manager/noop_canceller.py
+++ b/buildman/manager/noop_canceller.py
@@ -1,8 +1,9 @@
 class NoopCanceller(object):
-  """ A class that can not cancel a build """
-  def __init__(self, config=None):
-    pass
+    """ A class that can not cancel a build """
 
-  def try_cancel_build(self, uuid):
-    """ Does nothing and fails to cancel build. """
-    return False
+    def __init__(self, config=None):
+        pass
+
+    def try_cancel_build(self, uuid):
+        """ Does nothing and fails to cancel build. """
+        return False
diff --git a/buildman/manager/orchestrator_canceller.py b/buildman/manager/orchestrator_canceller.py
index f3f821d5e..64ae4f8d7 100644
--- a/buildman/manager/orchestrator_canceller.py
+++ b/buildman/manager/orchestrator_canceller.py
@@ -7,20 +7,23 @@ from util import slash_join
 logger = logging.getLogger(__name__)
 
 
-CANCEL_PREFIX = 'cancel/'
+CANCEL_PREFIX = "cancel/"
 
 
 class OrchestratorCanceller(object):
-  """ An asynchronous way to cancel a build with any Orchestrator. """
-  def __init__(self, config):
-    self._orchestrator = orchestrator_from_config(config, canceller_only=True)
+    """ An asynchronous way to cancel a build with any Orchestrator. """
 
-  def try_cancel_build(self, build_uuid):
-    logger.info('Cancelling build %s', build_uuid)
-    cancel_key = slash_join(CANCEL_PREFIX, build_uuid)
-    try:
-      self._orchestrator.set_key_sync(cancel_key, build_uuid, expiration=60)
-      return True
-    except OrchestratorError:
-      logger.exception('Failed to write cancel action to redis with uuid %s', build_uuid)
-      return False
+    def __init__(self, config):
+        self._orchestrator = orchestrator_from_config(config, canceller_only=True)
+
+    def try_cancel_build(self, build_uuid):
+        logger.info("Cancelling build %s", build_uuid)
+        cancel_key = slash_join(CANCEL_PREFIX, build_uuid)
+        try:
+            self._orchestrator.set_key_sync(cancel_key, build_uuid, expiration=60)
+            return True
+        except OrchestratorError:
+            logger.exception(
+                "Failed to write cancel action to redis with uuid %s", build_uuid
+            )
+            return False
diff --git a/buildman/test/test_buildman.py b/buildman/test/test_buildman.py
index 49b9a20fc..ec6192ae2 100644
--- a/buildman/test/test_buildman.py
+++ b/buildman/test/test_buildman.py
@@ -9,8 +9,7 @@ from trollius import coroutine, get_event_loop, From, Future, Return
 from app import metric_queue
 from buildman.asyncutil import AsyncWrapper
 from buildman.component.buildcomponent import BuildComponent
-from buildman.manager.ephemeral import (EphemeralBuilderManager, REALM_PREFIX,
-                                        JOB_PREFIX)
+from buildman.manager.ephemeral import EphemeralBuilderManager, REALM_PREFIX, JOB_PREFIX
 from buildman.manager.executor import BuilderExecutor, ExecutorException
 from buildman.orchestrator import KeyEvent, KeyChange
 from buildman.server import BuildJobResult
@@ -18,662 +17,767 @@ from util import slash_join
 from util.metrics.metricqueue import duration_collector_async
 
 
-BUILD_UUID = 'deadbeef-dead-beef-dead-deadbeefdead'
-REALM_ID = '1234-realm'
+BUILD_UUID = "deadbeef-dead-beef-dead-deadbeefdead"
+REALM_ID = "1234-realm"
 
 
 def async_test(f):
-  def wrapper(*args, **kwargs):
-    coro = coroutine(f)
-    future = coro(*args, **kwargs)
-    loop = get_event_loop()
-    loop.run_until_complete(future)
-  return wrapper
+    def wrapper(*args, **kwargs):
+        coro = coroutine(f)
+        future = coro(*args, **kwargs)
+        loop = get_event_loop()
+        loop.run_until_complete(future)
+
+    return wrapper
 
 
 class TestExecutor(BuilderExecutor):
-  job_started = None
-  job_stopped = None
+    job_started = None
+    job_stopped = None
 
-  @coroutine
-  @duration_collector_async(metric_queue.builder_time_to_start, labelvalues=["testlabel"])
-  def start_builder(self, realm, token, build_uuid):
-    self.job_started = str(uuid.uuid4())
-    raise Return(self.job_started)
+    @coroutine
+    @duration_collector_async(
+        metric_queue.builder_time_to_start, labelvalues=["testlabel"]
+    )
+    def start_builder(self, realm, token, build_uuid):
+        self.job_started = str(uuid.uuid4())
+        raise Return(self.job_started)
 
-  @coroutine
-  def stop_builder(self, execution_id):
-    self.job_stopped = execution_id
+    @coroutine
+    def stop_builder(self, execution_id):
+        self.job_stopped = execution_id
 
 
 class BadExecutor(BuilderExecutor):
-  @coroutine
-  @duration_collector_async(metric_queue.builder_time_to_start, labelvalues=["testlabel"])
-  def start_builder(self, realm, token, build_uuid):
-    raise ExecutorException('raised on purpose!')
+    @coroutine
+    @duration_collector_async(
+        metric_queue.builder_time_to_start, labelvalues=["testlabel"]
+    )
+    def start_builder(self, realm, token, build_uuid):
+        raise ExecutorException("raised on purpose!")
 
 
 class EphemeralBuilderTestCase(unittest.TestCase):
-  def __init__(self, *args, **kwargs):
-    self.etcd_client_mock = None
-    super(EphemeralBuilderTestCase, self).__init__(*args, **kwargs)
+    def __init__(self, *args, **kwargs):
+        self.etcd_client_mock = None
+        super(EphemeralBuilderTestCase, self).__init__(*args, **kwargs)
 
-  @staticmethod
-  def _create_completed_future(result=None):
-    def inner(*args, **kwargs):
-      new_future = Future()
-      new_future.set_result(result)
-      return new_future
-    return inner
+    @staticmethod
+    def _create_completed_future(result=None):
+        def inner(*args, **kwargs):
+            new_future = Future()
+            new_future.set_result(result)
+            return new_future
 
-  def setUp(self):
-    self._existing_executors = dict(EphemeralBuilderManager.EXECUTORS)
+        return inner
 
-  def tearDown(self):
-    EphemeralBuilderManager.EXECUTORS = self._existing_executors
+    def setUp(self):
+        self._existing_executors = dict(EphemeralBuilderManager.EXECUTORS)
 
-  @coroutine
-  def _register_component(self, realm_spec, build_component, token):
-    raise Return('hello')
+    def tearDown(self):
+        EphemeralBuilderManager.EXECUTORS = self._existing_executors
 
-  def _create_build_job(self, namespace='namespace', retries=3):
-    mock_job = Mock()
-    mock_job.job_details = {'build_uuid': BUILD_UUID}
-    mock_job.job_item = {
-      'body': json.dumps(mock_job.job_details),
-      'id': 1,
-    }
+    @coroutine
+    def _register_component(self, realm_spec, build_component, token):
+        raise Return("hello")
 
-    mock_job.namespace = namespace
-    mock_job.retries_remaining = retries
-    mock_job.build_uuid = BUILD_UUID
-    return mock_job
+    def _create_build_job(self, namespace="namespace", retries=3):
+        mock_job = Mock()
+        mock_job.job_details = {"build_uuid": BUILD_UUID}
+        mock_job.job_item = {"body": json.dumps(mock_job.job_details), "id": 1}
+
+        mock_job.namespace = namespace
+        mock_job.retries_remaining = retries
+        mock_job.build_uuid = BUILD_UUID
+        return mock_job
 
 
 class TestEphemeralLifecycle(EphemeralBuilderTestCase):
-  """ Tests the various lifecycles of the ephemeral builder and its interaction with etcd. """
+    """ Tests the various lifecycles of the ephemeral builder and its interaction with etcd. """
 
-  def __init__(self, *args, **kwargs):
-    super(TestEphemeralLifecycle, self).__init__(*args, **kwargs)
-    self.etcd_client_mock = None
-    self.test_executor = None
+    def __init__(self, *args, **kwargs):
+        super(TestEphemeralLifecycle, self).__init__(*args, **kwargs)
+        self.etcd_client_mock = None
+        self.test_executor = None
 
-  def _create_completed_future(self, result=None):
-    def inner(*args, **kwargs):
-      new_future = Future()
-      new_future.set_result(result)
-      return new_future
-    return inner
+    def _create_completed_future(self, result=None):
+        def inner(*args, **kwargs):
+            new_future = Future()
+            new_future.set_result(result)
+            return new_future
 
-  def _create_mock_executor(self, *args, **kwargs):
-    self.test_executor = Mock(spec=BuilderExecutor)
-    self.test_executor.start_builder = Mock(side_effect=self._create_completed_future('123'))
-    self.test_executor.stop_builder = Mock(side_effect=self._create_completed_future())
-    self.test_executor.setup_time = 60
-    self.test_executor.name = 'MockExecutor'
-    self.test_executor.minimum_retry_threshold = 0
-    return self.test_executor
+        return inner
 
-  def setUp(self):
-    super(TestEphemeralLifecycle, self).setUp()
+    def _create_mock_executor(self, *args, **kwargs):
+        self.test_executor = Mock(spec=BuilderExecutor)
+        self.test_executor.start_builder = Mock(
+            side_effect=self._create_completed_future("123")
+        )
+        self.test_executor.stop_builder = Mock(
+            side_effect=self._create_completed_future()
+        )
+        self.test_executor.setup_time = 60
+        self.test_executor.name = "MockExecutor"
+        self.test_executor.minimum_retry_threshold = 0
+        return self.test_executor
 
-    EphemeralBuilderManager.EXECUTORS['test'] = self._create_mock_executor
+    def setUp(self):
+        super(TestEphemeralLifecycle, self).setUp()
 
-    self.register_component_callback = Mock()
-    self.unregister_component_callback = Mock()
-    self.job_heartbeat_callback = Mock()
-    self.job_complete_callback = AsyncWrapper(Mock())
+        EphemeralBuilderManager.EXECUTORS["test"] = self._create_mock_executor
 
-    self.manager = EphemeralBuilderManager(
-      self.register_component_callback,
-      self.unregister_component_callback,
-      self.job_heartbeat_callback,
-      self.job_complete_callback,
-      '127.0.0.1',
-      30,
-    )
+        self.register_component_callback = Mock()
+        self.unregister_component_callback = Mock()
+        self.job_heartbeat_callback = Mock()
+        self.job_complete_callback = AsyncWrapper(Mock())
 
-    self.manager.initialize({
-      'EXECUTOR': 'test',
-      'ORCHESTRATOR': {'MEM_CONFIG': None},
-    })
+        self.manager = EphemeralBuilderManager(
+            self.register_component_callback,
+            self.unregister_component_callback,
+            self.job_heartbeat_callback,
+            self.job_complete_callback,
+            "127.0.0.1",
+            30,
+        )
 
-    # Ensure that that the realm and building callbacks have been registered
-    callback_keys = [key for key in self.manager._orchestrator.callbacks]
-    self.assertIn(REALM_PREFIX, callback_keys)
-    self.assertIn(JOB_PREFIX, callback_keys)
+        self.manager.initialize(
+            {"EXECUTOR": "test", "ORCHESTRATOR": {"MEM_CONFIG": None}}
+        )
 
-    self.mock_job = self._create_build_job()
-    self.mock_job_key = slash_join('building', BUILD_UUID)
+        # Ensure that that the realm and building callbacks have been registered
+        callback_keys = [key for key in self.manager._orchestrator.callbacks]
+        self.assertIn(REALM_PREFIX, callback_keys)
+        self.assertIn(JOB_PREFIX, callback_keys)
 
-  def tearDown(self):
-    super(TestEphemeralLifecycle, self).tearDown()
-    self.manager.shutdown()
+        self.mock_job = self._create_build_job()
+        self.mock_job_key = slash_join("building", BUILD_UUID)
 
+    def tearDown(self):
+        super(TestEphemeralLifecycle, self).tearDown()
+        self.manager.shutdown()
 
-  @coroutine
-  def _setup_job_for_managers(self):
-    test_component = Mock(spec=BuildComponent)
-    test_component.builder_realm = REALM_ID
-    test_component.start_build = Mock(side_effect=self._create_completed_future())
-    self.register_component_callback.return_value = test_component
+    @coroutine
+    def _setup_job_for_managers(self):
+        test_component = Mock(spec=BuildComponent)
+        test_component.builder_realm = REALM_ID
+        test_component.start_build = Mock(side_effect=self._create_completed_future())
+        self.register_component_callback.return_value = test_component
 
-    is_scheduled = yield From(self.manager.schedule(self.mock_job))
-    self.assertTrue(is_scheduled)
-    self.assertEqual(self.test_executor.start_builder.call_count, 1)
+        is_scheduled = yield From(self.manager.schedule(self.mock_job))
+        self.assertTrue(is_scheduled)
+        self.assertEqual(self.test_executor.start_builder.call_count, 1)
 
-    # Ensure that that the job, realm, and metric callbacks have been registered
-    callback_keys = [key for key in self.manager._orchestrator.callbacks]
-    self.assertIn(self.mock_job_key, self.manager._orchestrator.state)
-    self.assertIn(REALM_PREFIX, callback_keys)
-    # TODO: assert metric key has been set
+        # Ensure that that the job, realm, and metric callbacks have been registered
+        callback_keys = [key for key in self.manager._orchestrator.callbacks]
+        self.assertIn(self.mock_job_key, self.manager._orchestrator.state)
+        self.assertIn(REALM_PREFIX, callback_keys)
+        # TODO: assert metric key has been set
 
-    realm_for_build = self._find_realm_key(self.manager._orchestrator, BUILD_UUID)
+        realm_for_build = self._find_realm_key(self.manager._orchestrator, BUILD_UUID)
 
-    raw_realm_data = yield From(self.manager._orchestrator.get_key(slash_join('realm',
-                                                                             realm_for_build)))
-    realm_data = json.loads(raw_realm_data)
-    realm_data['realm'] = REALM_ID
+        raw_realm_data = yield From(
+            self.manager._orchestrator.get_key(slash_join("realm", realm_for_build))
+        )
+        realm_data = json.loads(raw_realm_data)
+        realm_data["realm"] = REALM_ID
 
-    # Right now the job is not registered with any managers because etcd has not accepted the job
-    self.assertEqual(self.register_component_callback.call_count, 0)
+        # Right now the job is not registered with any managers because etcd has not accepted the job
+        self.assertEqual(self.register_component_callback.call_count, 0)
 
-    # Fire off a realm changed with the same data.
-    yield From(self.manager._realm_callback(
-      KeyChange(KeyEvent.CREATE,
-                slash_join(REALM_PREFIX, REALM_ID),
-                json.dumps(realm_data))))
+        # Fire off a realm changed with the same data.
+        yield From(
+            self.manager._realm_callback(
+                KeyChange(
+                    KeyEvent.CREATE,
+                    slash_join(REALM_PREFIX, REALM_ID),
+                    json.dumps(realm_data),
+                )
+            )
+        )
 
-    # Ensure that we have at least one component node.
-    self.assertEqual(self.register_component_callback.call_count, 1)
-    self.assertEqual(1, self.manager.num_workers())
+        # Ensure that we have at least one component node.
+        self.assertEqual(self.register_component_callback.call_count, 1)
+        self.assertEqual(1, self.manager.num_workers())
 
-    # Ensure that the build info exists.
-    self.assertIsNotNone(self.manager._build_uuid_to_info.get(BUILD_UUID))
+        # Ensure that the build info exists.
+        self.assertIsNotNone(self.manager._build_uuid_to_info.get(BUILD_UUID))
 
-    raise Return(test_component)
+        raise Return(test_component)
 
-  @staticmethod
-  def _find_realm_key(orchestrator, build_uuid):
-    for key, value in iteritems(orchestrator.state):
-      if key.startswith(REALM_PREFIX):
-        parsed_value = json.loads(value)
-        body = json.loads(parsed_value['job_queue_item']['body'])
-        if body['build_uuid'] == build_uuid:
-          return parsed_value['realm']
-        continue
-    raise KeyError
+    @staticmethod
+    def _find_realm_key(orchestrator, build_uuid):
+        for key, value in iteritems(orchestrator.state):
+            if key.startswith(REALM_PREFIX):
+                parsed_value = json.loads(value)
+                body = json.loads(parsed_value["job_queue_item"]["body"])
+                if body["build_uuid"] == build_uuid:
+                    return parsed_value["realm"]
+                continue
+        raise KeyError
 
+    @async_test
+    def test_schedule_and_complete(self):
+        # Test that a job is properly registered with all of the managers
+        test_component = yield From(self._setup_job_for_managers())
 
-  @async_test
-  def test_schedule_and_complete(self):
-    # Test that a job is properly registered with all of the managers
-    test_component = yield From(self._setup_job_for_managers())
+        # Take the job ourselves
+        yield From(self.manager.build_component_ready(test_component))
 
-    # Take the job ourselves
-    yield From(self.manager.build_component_ready(test_component))
+        self.assertIsNotNone(self.manager._build_uuid_to_info.get(BUILD_UUID))
 
-    self.assertIsNotNone(self.manager._build_uuid_to_info.get(BUILD_UUID))
+        # Finish the job
+        yield From(
+            self.manager.job_completed(
+                self.mock_job, BuildJobResult.COMPLETE, test_component
+            )
+        )
 
-    # Finish the job
-    yield From(self.manager.job_completed(self.mock_job, BuildJobResult.COMPLETE, test_component))
+        # Ensure that the executor kills the job.
+        self.assertEqual(self.test_executor.stop_builder.call_count, 1)
 
-    # Ensure that the executor kills the job.
-    self.assertEqual(self.test_executor.stop_builder.call_count, 1)
+        # Ensure the build information is cleaned up.
+        self.assertIsNone(self.manager._build_uuid_to_info.get(BUILD_UUID))
+        self.assertEqual(0, self.manager.num_workers())
 
-    # Ensure the build information is cleaned up.
-    self.assertIsNone(self.manager._build_uuid_to_info.get(BUILD_UUID))
-    self.assertEqual(0, self.manager.num_workers())
+    @async_test
+    def test_another_manager_takes_job(self):
+        # Prepare a job to be taken by another manager
+        test_component = yield From(self._setup_job_for_managers())
 
-  @async_test
-  def test_another_manager_takes_job(self):
-    # Prepare a job to be taken by another manager
-    test_component = yield From(self._setup_job_for_managers())
+        yield From(
+            self.manager._realm_callback(
+                KeyChange(
+                    KeyEvent.DELETE,
+                    slash_join(REALM_PREFIX, REALM_ID),
+                    json.dumps(
+                        {
+                            "realm": REALM_ID,
+                            "token": "beef",
+                            "execution_id": "123",
+                            "job_queue_item": self.mock_job.job_item,
+                        }
+                    ),
+                )
+            )
+        )
 
-    yield From(self.manager._realm_callback(
-      KeyChange(KeyEvent.DELETE,
-                slash_join(REALM_PREFIX, REALM_ID),
-                json.dumps({'realm': REALM_ID,
-                            'token': 'beef',
-                            'execution_id': '123',
-                            'job_queue_item': self.mock_job.job_item}))))
+        self.unregister_component_callback.assert_called_once_with(test_component)
 
-    self.unregister_component_callback.assert_called_once_with(test_component)
+        # Ensure that the executor does not kill the job.
+        self.assertEqual(self.test_executor.stop_builder.call_count, 0)
 
-    # Ensure that the executor does not kill the job.
-    self.assertEqual(self.test_executor.stop_builder.call_count, 0)
+        # Ensure that we still have the build info, but not the component.
+        self.assertEqual(0, self.manager.num_workers())
+        self.assertIsNotNone(self.manager._build_uuid_to_info.get(BUILD_UUID))
 
-    # Ensure that we still have the build info, but not the component.
-    self.assertEqual(0, self.manager.num_workers())
-    self.assertIsNotNone(self.manager._build_uuid_to_info.get(BUILD_UUID))
+        # Delete the job once it has "completed".
+        yield From(
+            self.manager._job_callback(
+                KeyChange(
+                    KeyEvent.DELETE,
+                    self.mock_job_key,
+                    json.dumps(
+                        {
+                            "had_heartbeat": False,
+                            "job_queue_item": self.mock_job.job_item,
+                        }
+                    ),
+                )
+            )
+        )
 
-    # Delete the job once it has "completed".
-    yield From(self.manager._job_callback(
-      KeyChange(KeyEvent.DELETE,
-                self.mock_job_key,
-                json.dumps({'had_heartbeat': False,
-                            'job_queue_item': self.mock_job.job_item}))))
+        # Ensure the job was removed from the info, but stop was not called.
+        self.assertIsNone(self.manager._build_uuid_to_info.get(BUILD_UUID))
+        self.assertEqual(self.test_executor.stop_builder.call_count, 0)
 
-    # Ensure the job was removed from the info, but stop was not called.
-    self.assertIsNone(self.manager._build_uuid_to_info.get(BUILD_UUID))
-    self.assertEqual(self.test_executor.stop_builder.call_count, 0)
+    @async_test
+    def test_job_started_by_other_manager(self):
+        # Ensure that that the building callbacks have been registered
+        callback_keys = [key for key in self.manager._orchestrator.callbacks]
+        self.assertIn(JOB_PREFIX, callback_keys)
 
-  @async_test
-  def test_job_started_by_other_manager(self):
-    # Ensure that that the building callbacks have been registered
-    callback_keys = [key for key in self.manager._orchestrator.callbacks]
-    self.assertIn(JOB_PREFIX, callback_keys)
+        # Send a signal to the callback that the job has been created.
+        yield From(
+            self.manager._job_callback(
+                KeyChange(
+                    KeyEvent.CREATE,
+                    self.mock_job_key,
+                    json.dumps(
+                        {
+                            "had_heartbeat": False,
+                            "job_queue_item": self.mock_job.job_item,
+                        }
+                    ),
+                )
+            )
+        )
 
-    # Send a signal to the callback that the job has been created.
-    yield From(self.manager._job_callback(
-      KeyChange(KeyEvent.CREATE,
-                self.mock_job_key,
-                json.dumps({'had_heartbeat': False,
-                            'job_queue_item': self.mock_job.job_item}))))
+        # Ensure the create does nothing.
+        self.assertEqual(self.test_executor.stop_builder.call_count, 0)
 
-    # Ensure the create does nothing.
-    self.assertEqual(self.test_executor.stop_builder.call_count, 0)
+    @async_test
+    def test_expiring_worker_not_started(self):
+        # Ensure that that the building callbacks have been registered
+        callback_keys = [key for key in self.manager._orchestrator.callbacks]
+        self.assertIn(JOB_PREFIX, callback_keys)
 
-  @async_test
-  def test_expiring_worker_not_started(self):
-    # Ensure that that the building callbacks have been registered
-    callback_keys = [key for key in self.manager._orchestrator.callbacks]
-    self.assertIn(JOB_PREFIX, callback_keys)
+        # Send a signal to the callback that a worker has expired
+        yield From(
+            self.manager._job_callback(
+                KeyChange(
+                    KeyEvent.EXPIRE,
+                    self.mock_job_key,
+                    json.dumps(
+                        {
+                            "had_heartbeat": True,
+                            "job_queue_item": self.mock_job.job_item,
+                        }
+                    ),
+                )
+            )
+        )
 
-    # Send a signal to the callback that a worker has expired
-    yield From(self.manager._job_callback(
-      KeyChange(KeyEvent.EXPIRE,
-                self.mock_job_key,
-                json.dumps({'had_heartbeat': True,
-                            'job_queue_item': self.mock_job.job_item}))))
+        # Since the realm was never registered, expiration should do nothing.
+        self.assertEqual(self.test_executor.stop_builder.call_count, 0)
 
-    # Since the realm was never registered, expiration should do nothing.
-    self.assertEqual(self.test_executor.stop_builder.call_count, 0)
+    @async_test
+    def test_expiring_worker_started(self):
+        test_component = yield From(self._setup_job_for_managers())
 
-  @async_test
-  def test_expiring_worker_started(self):
-    test_component = yield From(self._setup_job_for_managers())
+        # Ensure that that the building callbacks have been registered
+        callback_keys = [key for key in self.manager._orchestrator.callbacks]
+        self.assertIn(JOB_PREFIX, callback_keys)
 
-    # Ensure that that the building callbacks have been registered
-    callback_keys = [key for key in self.manager._orchestrator.callbacks]
-    self.assertIn(JOB_PREFIX, callback_keys)
+        yield From(
+            self.manager._job_callback(
+                KeyChange(
+                    KeyEvent.EXPIRE,
+                    self.mock_job_key,
+                    json.dumps(
+                        {
+                            "had_heartbeat": True,
+                            "job_queue_item": self.mock_job.job_item,
+                        }
+                    ),
+                )
+            )
+        )
 
-    yield From(self.manager._job_callback(
-      KeyChange(KeyEvent.EXPIRE,
-                self.mock_job_key,
-                json.dumps({'had_heartbeat': True,
-                            'job_queue_item': self.mock_job.job_item}))))
+        self.test_executor.stop_builder.assert_called_once_with("123")
+        self.assertEqual(self.test_executor.stop_builder.call_count, 1)
 
-    self.test_executor.stop_builder.assert_called_once_with('123')
-    self.assertEqual(self.test_executor.stop_builder.call_count, 1)
+    @async_test
+    def test_buildjob_deleted(self):
+        test_component = yield From(self._setup_job_for_managers())
 
-  @async_test
-  def test_buildjob_deleted(self):
-    test_component = yield From(self._setup_job_for_managers())
+        # Ensure that that the building callbacks have been registered
+        callback_keys = [key for key in self.manager._orchestrator.callbacks]
+        self.assertIn(JOB_PREFIX, callback_keys)
 
-    # Ensure that that the building callbacks have been registered
-    callback_keys = [key for key in self.manager._orchestrator.callbacks]
-    self.assertIn(JOB_PREFIX, callback_keys)
+        # Send a signal to the callback that a worker has expired
+        yield From(
+            self.manager._job_callback(
+                KeyChange(
+                    KeyEvent.DELETE,
+                    self.mock_job_key,
+                    json.dumps(
+                        {
+                            "had_heartbeat": False,
+                            "job_queue_item": self.mock_job.job_item,
+                        }
+                    ),
+                )
+            )
+        )
 
-    # Send a signal to the callback that a worker has expired
-    yield From(self.manager._job_callback(
-      KeyChange(KeyEvent.DELETE,
-                self.mock_job_key,
-                json.dumps({'had_heartbeat': False,
-                            'job_queue_item': self.mock_job.job_item}))))
+        self.assertEqual(self.test_executor.stop_builder.call_count, 0)
+        self.assertEqual(self.job_complete_callback.call_count, 0)
+        self.assertIsNone(self.manager._build_uuid_to_info.get(BUILD_UUID))
 
-    self.assertEqual(self.test_executor.stop_builder.call_count, 0)
-    self.assertEqual(self.job_complete_callback.call_count, 0)
-    self.assertIsNone(self.manager._build_uuid_to_info.get(BUILD_UUID))
+    @async_test
+    def test_builder_never_starts(self):
+        test_component = yield From(self._setup_job_for_managers())
 
-  @async_test
-  def test_builder_never_starts(self):
-    test_component = yield From(self._setup_job_for_managers())
+        # Ensure that that the building callbacks have been registered
+        callback_keys = [key for key in self.manager._orchestrator.callbacks]
+        self.assertIn(JOB_PREFIX, callback_keys)
 
-    # Ensure that that the building callbacks have been registered
-    callback_keys = [key for key in self.manager._orchestrator.callbacks]
-    self.assertIn(JOB_PREFIX, callback_keys)
+        # Send a signal to the callback that a worker has expired
+        yield From(
+            self.manager._job_callback(
+                KeyChange(
+                    KeyEvent.EXPIRE,
+                    self.mock_job_key,
+                    json.dumps(
+                        {
+                            "had_heartbeat": False,
+                            "job_queue_item": self.mock_job.job_item,
+                        }
+                    ),
+                )
+            )
+        )
 
-    # Send a signal to the callback that a worker has expired
-    yield From(self.manager._job_callback(
-      KeyChange(KeyEvent.EXPIRE,
-                self.mock_job_key,
-                json.dumps({'had_heartbeat': False,
-                            'job_queue_item': self.mock_job.job_item}))))
+        self.test_executor.stop_builder.assert_called_once_with("123")
+        self.assertEqual(self.test_executor.stop_builder.call_count, 1)
 
-    self.test_executor.stop_builder.assert_called_once_with('123')
-    self.assertEqual(self.test_executor.stop_builder.call_count, 1)
+        # Ensure the job was marked as incomplete, with an update_phase to True (so the DB record and
+        # logs are updated as well)
+        yield From(
+            self.job_complete_callback.assert_called_once_with(
+                ANY, BuildJobResult.INCOMPLETE, "MockExecutor", update_phase=True
+            )
+        )
 
-    # Ensure the job was marked as incomplete, with an update_phase to True (so the DB record and
-    # logs are updated as well)
-    yield From(self.job_complete_callback.assert_called_once_with(ANY, BuildJobResult.INCOMPLETE,
-                                                                  'MockExecutor',
-                                                                  update_phase=True))
+    @async_test
+    def test_change_worker(self):
+        # Send a signal to the callback that a worker key has been changed
+        self.manager._job_callback(KeyChange(KeyEvent.SET, self.mock_job_key, "value"))
+        self.assertEqual(self.test_executor.stop_builder.call_count, 0)
 
-  @async_test
-  def test_change_worker(self):
-    # Send a signal to the callback that a worker key has been changed
-    self.manager._job_callback(KeyChange(KeyEvent.SET, self.mock_job_key, 'value'))
-    self.assertEqual(self.test_executor.stop_builder.call_count, 0)
+    @async_test
+    def test_realm_expired(self):
+        test_component = yield From(self._setup_job_for_managers())
 
-  @async_test
-  def test_realm_expired(self):
-    test_component = yield From(self._setup_job_for_managers())
+        # Send a signal to the callback that a realm has expired
+        yield From(
+            self.manager._realm_callback(
+                KeyChange(
+                    KeyEvent.EXPIRE,
+                    self.mock_job_key,
+                    json.dumps(
+                        {
+                            "realm": REALM_ID,
+                            "execution_id": "foobar",
+                            "executor_name": "MockExecutor",
+                            "job_queue_item": {"body": '{"build_uuid": "fakeid"}'},
+                        }
+                    ),
+                )
+            )
+        )
 
-    # Send a signal to the callback that a realm has expired
-    yield From(self.manager._realm_callback(KeyChange(
-        KeyEvent.EXPIRE,
-        self.mock_job_key,
-        json.dumps({
-          'realm': REALM_ID,
-          'execution_id': 'foobar',
-          'executor_name': 'MockExecutor',
-          'job_queue_item': {'body': '{"build_uuid": "fakeid"}'},
-        }))))
-
-    # Ensure that the cleanup code for the executor was called.
-    self.test_executor.stop_builder.assert_called_once_with('foobar')
-    self.assertEqual(self.test_executor.stop_builder.call_count, 1)
+        # Ensure that the cleanup code for the executor was called.
+        self.test_executor.stop_builder.assert_called_once_with("foobar")
+        self.assertEqual(self.test_executor.stop_builder.call_count, 1)
 
 
 class TestEphemeral(EphemeralBuilderTestCase):
-  """ Simple unit tests for the ephemeral builder around config management, starting and stopping
+    """ Simple unit tests for the ephemeral builder around config management, starting and stopping
       jobs.
   """
 
-  def setUp(self):
-    super(TestEphemeral, self).setUp()
+    def setUp(self):
+        super(TestEphemeral, self).setUp()
 
-    unregister_component_callback = Mock()
-    job_heartbeat_callback = Mock()
+        unregister_component_callback = Mock()
+        job_heartbeat_callback = Mock()
 
-    @coroutine
-    def job_complete_callback(*args, **kwargs):
-      raise Return()
+        @coroutine
+        def job_complete_callback(*args, **kwargs):
+            raise Return()
 
-    self.manager = EphemeralBuilderManager(
-      self._register_component,
-      unregister_component_callback,
-      job_heartbeat_callback,
-      job_complete_callback,
-      '127.0.0.1',
-      30,
-    )
+        self.manager = EphemeralBuilderManager(
+            self._register_component,
+            unregister_component_callback,
+            job_heartbeat_callback,
+            job_complete_callback,
+            "127.0.0.1",
+            30,
+        )
 
-  def tearDown(self):
-    super(TestEphemeral, self).tearDown()
-    self.manager.shutdown()
+    def tearDown(self):
+        super(TestEphemeral, self).tearDown()
+        self.manager.shutdown()
 
-  def test_verify_executor_oldconfig(self):
-    EphemeralBuilderManager.EXECUTORS['test'] = TestExecutor
-    self.manager.initialize({
-      'EXECUTOR': 'test',
-      'EXECUTOR_CONFIG': dict(MINIMUM_RETRY_THRESHOLD=42),
-      'ORCHESTRATOR': {'MEM_CONFIG': None},
-    })
+    def test_verify_executor_oldconfig(self):
+        EphemeralBuilderManager.EXECUTORS["test"] = TestExecutor
+        self.manager.initialize(
+            {
+                "EXECUTOR": "test",
+                "EXECUTOR_CONFIG": dict(MINIMUM_RETRY_THRESHOLD=42),
+                "ORCHESTRATOR": {"MEM_CONFIG": None},
+            }
+        )
 
-    # Ensure that we have a single test executor.
-    self.assertEqual(1, len(self.manager.registered_executors))
-    self.assertEqual(42, self.manager.registered_executors[0].minimum_retry_threshold)
-    self.assertEqual('TestExecutor', self.manager.registered_executors[0].name)
+        # Ensure that we have a single test executor.
+        self.assertEqual(1, len(self.manager.registered_executors))
+        self.assertEqual(
+            42, self.manager.registered_executors[0].minimum_retry_threshold
+        )
+        self.assertEqual("TestExecutor", self.manager.registered_executors[0].name)
 
-  def test_verify_executor_newconfig(self):
-    EphemeralBuilderManager.EXECUTORS['test'] = TestExecutor
-    self.manager.initialize({
-      'EXECUTORS': [{
-        'EXECUTOR': 'test',
-        'MINIMUM_RETRY_THRESHOLD': 42
-      }],
-      'ORCHESTRATOR': {'MEM_CONFIG': None},
-    })
+    def test_verify_executor_newconfig(self):
+        EphemeralBuilderManager.EXECUTORS["test"] = TestExecutor
+        self.manager.initialize(
+            {
+                "EXECUTORS": [{"EXECUTOR": "test", "MINIMUM_RETRY_THRESHOLD": 42}],
+                "ORCHESTRATOR": {"MEM_CONFIG": None},
+            }
+        )
 
-    # Ensure that we have a single test executor.
-    self.assertEqual(1, len(self.manager.registered_executors))
-    self.assertEqual(42, self.manager.registered_executors[0].minimum_retry_threshold)
+        # Ensure that we have a single test executor.
+        self.assertEqual(1, len(self.manager.registered_executors))
+        self.assertEqual(
+            42, self.manager.registered_executors[0].minimum_retry_threshold
+        )
+
+    def test_multiple_executors_samename(self):
+        EphemeralBuilderManager.EXECUTORS["test"] = TestExecutor
+        EphemeralBuilderManager.EXECUTORS["anotherexecutor"] = TestExecutor
+
+        with self.assertRaises(Exception):
+            self.manager.initialize(
+                {
+                    "EXECUTORS": [
+                        {
+                            "NAME": "primary",
+                            "EXECUTOR": "test",
+                            "MINIMUM_RETRY_THRESHOLD": 42,
+                        },
+                        {
+                            "NAME": "primary",
+                            "EXECUTOR": "anotherexecutor",
+                            "MINIMUM_RETRY_THRESHOLD": 24,
+                        },
+                    ],
+                    "ORCHESTRATOR": {"MEM_CONFIG": None},
+                }
+            )
+
+    def test_verify_multiple_executors(self):
+        EphemeralBuilderManager.EXECUTORS["test"] = TestExecutor
+        EphemeralBuilderManager.EXECUTORS["anotherexecutor"] = TestExecutor
+
+        self.manager.initialize(
+            {
+                "EXECUTORS": [
+                    {
+                        "NAME": "primary",
+                        "EXECUTOR": "test",
+                        "MINIMUM_RETRY_THRESHOLD": 42,
+                    },
+                    {
+                        "NAME": "secondary",
+                        "EXECUTOR": "anotherexecutor",
+                        "MINIMUM_RETRY_THRESHOLD": 24,
+                    },
+                ],
+                "ORCHESTRATOR": {"MEM_CONFIG": None},
+            }
+        )
+
+        # Ensure that we have a two test executors.
+        self.assertEqual(2, len(self.manager.registered_executors))
+        self.assertEqual(
+            42, self.manager.registered_executors[0].minimum_retry_threshold
+        )
+        self.assertEqual(
+            24, self.manager.registered_executors[1].minimum_retry_threshold
+        )
+
+    def test_skip_invalid_executor(self):
+        self.manager.initialize(
+            {
+                "EXECUTORS": [{"EXECUTOR": "unknown", "MINIMUM_RETRY_THRESHOLD": 42}],
+                "ORCHESTRATOR": {"MEM_CONFIG": None},
+            }
+        )
+
+        self.assertEqual(0, len(self.manager.registered_executors))
+
+    @async_test
+    def test_schedule_job_namespace_filter(self):
+        EphemeralBuilderManager.EXECUTORS["test"] = TestExecutor
+        self.manager.initialize(
+            {
+                "EXECUTORS": [
+                    {"EXECUTOR": "test", "NAMESPACE_WHITELIST": ["something"]}
+                ],
+                "ORCHESTRATOR": {"MEM_CONFIG": None},
+            }
+        )
+
+        # Try with a build job in an invalid namespace.
+        build_job = self._create_build_job(namespace="somethingelse")
+        result = yield From(self.manager.schedule(build_job))
+        self.assertFalse(result[0])
+
+        # Try with a valid namespace.
+        build_job = self._create_build_job(namespace="something")
+        result = yield From(self.manager.schedule(build_job))
+        self.assertTrue(result[0])
+
+    @async_test
+    def test_schedule_job_retries_filter(self):
+        EphemeralBuilderManager.EXECUTORS["test"] = TestExecutor
+        self.manager.initialize(
+            {
+                "EXECUTORS": [{"EXECUTOR": "test", "MINIMUM_RETRY_THRESHOLD": 2}],
+                "ORCHESTRATOR": {"MEM_CONFIG": None},
+            }
+        )
+
+        # Try with a build job that has too few retries.
+        build_job = self._create_build_job(retries=1)
+        result = yield From(self.manager.schedule(build_job))
+        self.assertFalse(result[0])
+
+        # Try with a valid job.
+        build_job = self._create_build_job(retries=2)
+        result = yield From(self.manager.schedule(build_job))
+        self.assertTrue(result[0])
+
+    @async_test
+    def test_schedule_job_executor_fallback(self):
+        EphemeralBuilderManager.EXECUTORS["primary"] = TestExecutor
+        EphemeralBuilderManager.EXECUTORS["secondary"] = TestExecutor
+
+        self.manager.initialize(
+            {
+                "EXECUTORS": [
+                    {
+                        "NAME": "primary",
+                        "EXECUTOR": "primary",
+                        "NAMESPACE_WHITELIST": ["something"],
+                        "MINIMUM_RETRY_THRESHOLD": 3,
+                    },
+                    {
+                        "NAME": "secondary",
+                        "EXECUTOR": "secondary",
+                        "MINIMUM_RETRY_THRESHOLD": 2,
+                    },
+                ],
+                "ALLOWED_WORKER_COUNT": 5,
+                "ORCHESTRATOR": {"MEM_CONFIG": None},
+            }
+        )
+
+        # Try a job not matching the primary's namespace filter. Should schedule on secondary.
+        build_job = self._create_build_job(namespace="somethingelse")
+        result = yield From(self.manager.schedule(build_job))
+        self.assertTrue(result[0])
+
+        self.assertIsNone(self.manager.registered_executors[0].job_started)
+        self.assertIsNotNone(self.manager.registered_executors[1].job_started)
+
+        self.manager.registered_executors[0].job_started = None
+        self.manager.registered_executors[1].job_started = None
+
+        # Try a job not matching the primary's retry minimum. Should schedule on secondary.
+        build_job = self._create_build_job(namespace="something", retries=2)
+        result = yield From(self.manager.schedule(build_job))
+        self.assertTrue(result[0])
+
+        self.assertIsNone(self.manager.registered_executors[0].job_started)
+        self.assertIsNotNone(self.manager.registered_executors[1].job_started)
+
+        self.manager.registered_executors[0].job_started = None
+        self.manager.registered_executors[1].job_started = None
+
+        # Try a job matching the primary. Should schedule on the primary.
+        build_job = self._create_build_job(namespace="something", retries=3)
+        result = yield From(self.manager.schedule(build_job))
+        self.assertTrue(result[0])
+
+        self.assertIsNotNone(self.manager.registered_executors[0].job_started)
+        self.assertIsNone(self.manager.registered_executors[1].job_started)
+
+        self.manager.registered_executors[0].job_started = None
+        self.manager.registered_executors[1].job_started = None
+
+        # Try a job not matching either's restrictions.
+        build_job = self._create_build_job(namespace="somethingelse", retries=1)
+        result = yield From(self.manager.schedule(build_job))
+        self.assertFalse(result[0])
+
+        self.assertIsNone(self.manager.registered_executors[0].job_started)
+        self.assertIsNone(self.manager.registered_executors[1].job_started)
+
+        self.manager.registered_executors[0].job_started = None
+        self.manager.registered_executors[1].job_started = None
+
+    @async_test
+    def test_schedule_job_single_executor(self):
+        EphemeralBuilderManager.EXECUTORS["test"] = TestExecutor
+
+        self.manager.initialize(
+            {
+                "EXECUTOR": "test",
+                "EXECUTOR_CONFIG": {},
+                "ALLOWED_WORKER_COUNT": 5,
+                "ORCHESTRATOR": {"MEM_CONFIG": None},
+            }
+        )
+
+        build_job = self._create_build_job(namespace="something", retries=3)
+        result = yield From(self.manager.schedule(build_job))
+        self.assertTrue(result[0])
+
+        self.assertIsNotNone(self.manager.registered_executors[0].job_started)
+        self.manager.registered_executors[0].job_started = None
+
+        build_job = self._create_build_job(namespace="something", retries=0)
+        result = yield From(self.manager.schedule(build_job))
+        self.assertTrue(result[0])
+
+        self.assertIsNotNone(self.manager.registered_executors[0].job_started)
+        self.manager.registered_executors[0].job_started = None
+
+    @async_test
+    def test_executor_exception(self):
+        EphemeralBuilderManager.EXECUTORS["bad"] = BadExecutor
+
+        self.manager.initialize(
+            {
+                "EXECUTOR": "bad",
+                "EXECUTOR_CONFIG": {},
+                "ORCHESTRATOR": {"MEM_CONFIG": None},
+            }
+        )
+
+        build_job = self._create_build_job(namespace="something", retries=3)
+        result = yield From(self.manager.schedule(build_job))
+        self.assertFalse(result[0])
+
+    @async_test
+    def test_schedule_and_stop(self):
+        EphemeralBuilderManager.EXECUTORS["test"] = TestExecutor
+
+        self.manager.initialize(
+            {
+                "EXECUTOR": "test",
+                "EXECUTOR_CONFIG": {},
+                "ORCHESTRATOR": {"MEM_CONFIG": None},
+            }
+        )
+
+        # Start the build job.
+        build_job = self._create_build_job(namespace="something", retries=3)
+        result = yield From(self.manager.schedule(build_job))
+        self.assertTrue(result[0])
+
+        executor = self.manager.registered_executors[0]
+        self.assertIsNotNone(executor.job_started)
+
+        # Register the realm so the build information is added.
+        yield From(
+            self.manager._register_realm(
+                {
+                    "realm": str(uuid.uuid4()),
+                    "token": str(uuid.uuid4()),
+                    "execution_id": executor.job_started,
+                    "executor_name": "TestExecutor",
+                    "build_uuid": build_job.build_uuid,
+                    "job_queue_item": build_job.job_item,
+                }
+            )
+        )
+
+        # Stop the build job.
+        yield From(self.manager.kill_builder_executor(build_job.build_uuid))
+        self.assertEqual(executor.job_stopped, executor.job_started)
 
 
-  def test_multiple_executors_samename(self):
-    EphemeralBuilderManager.EXECUTORS['test'] = TestExecutor
-    EphemeralBuilderManager.EXECUTORS['anotherexecutor'] = TestExecutor
-
-    with self.assertRaises(Exception):
-      self.manager.initialize({
-        'EXECUTORS': [
-          {
-            'NAME': 'primary',
-            'EXECUTOR': 'test',
-            'MINIMUM_RETRY_THRESHOLD': 42
-          },
-          {
-            'NAME': 'primary',
-            'EXECUTOR': 'anotherexecutor',
-            'MINIMUM_RETRY_THRESHOLD': 24
-          },
-        ],
-        'ORCHESTRATOR': {'MEM_CONFIG': None},
-      })
-
-
-  def test_verify_multiple_executors(self):
-    EphemeralBuilderManager.EXECUTORS['test'] = TestExecutor
-    EphemeralBuilderManager.EXECUTORS['anotherexecutor'] = TestExecutor
-
-    self.manager.initialize({
-      'EXECUTORS': [
-        {
-          'NAME': 'primary',
-          'EXECUTOR': 'test',
-          'MINIMUM_RETRY_THRESHOLD': 42
-        },
-        {
-          'NAME': 'secondary',
-          'EXECUTOR': 'anotherexecutor',
-          'MINIMUM_RETRY_THRESHOLD': 24
-        },
-      ],
-      'ORCHESTRATOR': {'MEM_CONFIG': None},
-    })
-
-    # Ensure that we have a two test executors.
-    self.assertEqual(2, len(self.manager.registered_executors))
-    self.assertEqual(42, self.manager.registered_executors[0].minimum_retry_threshold)
-    self.assertEqual(24, self.manager.registered_executors[1].minimum_retry_threshold)
-
-  def test_skip_invalid_executor(self):
-    self.manager.initialize({
-      'EXECUTORS': [
-        {
-          'EXECUTOR': 'unknown',
-          'MINIMUM_RETRY_THRESHOLD': 42
-        },
-      ],
-      'ORCHESTRATOR': {'MEM_CONFIG': None},
-    })
-
-    self.assertEqual(0, len(self.manager.registered_executors))
-
-  @async_test
-  def test_schedule_job_namespace_filter(self):
-    EphemeralBuilderManager.EXECUTORS['test'] = TestExecutor
-    self.manager.initialize({
-      'EXECUTORS': [{
-        'EXECUTOR': 'test',
-        'NAMESPACE_WHITELIST': ['something'],
-      }],
-      'ORCHESTRATOR': {'MEM_CONFIG': None},
-    })
-
-    # Try with a build job in an invalid namespace.
-    build_job = self._create_build_job(namespace='somethingelse')
-    result = yield From(self.manager.schedule(build_job))
-    self.assertFalse(result[0])
-
-    # Try with a valid namespace.
-    build_job = self._create_build_job(namespace='something')
-    result = yield From(self.manager.schedule(build_job))
-    self.assertTrue(result[0])
-
-  @async_test
-  def test_schedule_job_retries_filter(self):
-    EphemeralBuilderManager.EXECUTORS['test'] = TestExecutor
-    self.manager.initialize({
-      'EXECUTORS': [{
-        'EXECUTOR': 'test',
-        'MINIMUM_RETRY_THRESHOLD': 2,
-      }],
-      'ORCHESTRATOR': {'MEM_CONFIG': None},
-    })
-
-    # Try with a build job that has too few retries.
-    build_job = self._create_build_job(retries=1)
-    result = yield From(self.manager.schedule(build_job))
-    self.assertFalse(result[0])
-
-    # Try with a valid job.
-    build_job = self._create_build_job(retries=2)
-    result = yield From(self.manager.schedule(build_job))
-    self.assertTrue(result[0])
-
-  @async_test
-  def test_schedule_job_executor_fallback(self):
-    EphemeralBuilderManager.EXECUTORS['primary'] = TestExecutor
-    EphemeralBuilderManager.EXECUTORS['secondary'] = TestExecutor
-
-    self.manager.initialize({
-      'EXECUTORS': [
-        {
-          'NAME': 'primary',
-          'EXECUTOR': 'primary',
-          'NAMESPACE_WHITELIST': ['something'],
-          'MINIMUM_RETRY_THRESHOLD': 3,
-        },
-        {
-          'NAME': 'secondary',
-          'EXECUTOR': 'secondary',
-          'MINIMUM_RETRY_THRESHOLD': 2,
-        },
-      ],
-      'ALLOWED_WORKER_COUNT': 5,
-      'ORCHESTRATOR': {'MEM_CONFIG': None},
-    })
-
-    # Try a job not matching the primary's namespace filter. Should schedule on secondary.
-    build_job = self._create_build_job(namespace='somethingelse')
-    result = yield From(self.manager.schedule(build_job))
-    self.assertTrue(result[0])
-
-    self.assertIsNone(self.manager.registered_executors[0].job_started)
-    self.assertIsNotNone(self.manager.registered_executors[1].job_started)
-
-    self.manager.registered_executors[0].job_started = None
-    self.manager.registered_executors[1].job_started = None
-
-    # Try a job not matching the primary's retry minimum. Should schedule on secondary.
-    build_job = self._create_build_job(namespace='something', retries=2)
-    result = yield From(self.manager.schedule(build_job))
-    self.assertTrue(result[0])
-
-    self.assertIsNone(self.manager.registered_executors[0].job_started)
-    self.assertIsNotNone(self.manager.registered_executors[1].job_started)
-
-    self.manager.registered_executors[0].job_started = None
-    self.manager.registered_executors[1].job_started = None
-
-    # Try a job matching the primary. Should schedule on the primary.
-    build_job = self._create_build_job(namespace='something', retries=3)
-    result = yield From(self.manager.schedule(build_job))
-    self.assertTrue(result[0])
-
-    self.assertIsNotNone(self.manager.registered_executors[0].job_started)
-    self.assertIsNone(self.manager.registered_executors[1].job_started)
-
-    self.manager.registered_executors[0].job_started = None
-    self.manager.registered_executors[1].job_started = None
-
-    # Try a job not matching either's restrictions.
-    build_job = self._create_build_job(namespace='somethingelse', retries=1)
-    result = yield From(self.manager.schedule(build_job))
-    self.assertFalse(result[0])
-
-    self.assertIsNone(self.manager.registered_executors[0].job_started)
-    self.assertIsNone(self.manager.registered_executors[1].job_started)
-
-    self.manager.registered_executors[0].job_started = None
-    self.manager.registered_executors[1].job_started = None
-
-
-  @async_test
-  def test_schedule_job_single_executor(self):
-    EphemeralBuilderManager.EXECUTORS['test'] = TestExecutor
-
-    self.manager.initialize({
-      'EXECUTOR': 'test',
-      'EXECUTOR_CONFIG': {},
-      'ALLOWED_WORKER_COUNT': 5,
-      'ORCHESTRATOR': {'MEM_CONFIG': None},
-    })
-
-    build_job = self._create_build_job(namespace='something', retries=3)
-    result = yield From(self.manager.schedule(build_job))
-    self.assertTrue(result[0])
-
-    self.assertIsNotNone(self.manager.registered_executors[0].job_started)
-    self.manager.registered_executors[0].job_started = None
-
-
-    build_job = self._create_build_job(namespace='something', retries=0)
-    result = yield From(self.manager.schedule(build_job))
-    self.assertTrue(result[0])
-
-    self.assertIsNotNone(self.manager.registered_executors[0].job_started)
-    self.manager.registered_executors[0].job_started = None
-
-  @async_test
-  def test_executor_exception(self):
-    EphemeralBuilderManager.EXECUTORS['bad'] = BadExecutor
-
-    self.manager.initialize({
-      'EXECUTOR': 'bad',
-      'EXECUTOR_CONFIG': {},
-      'ORCHESTRATOR': {'MEM_CONFIG': None},
-    })
-
-    build_job = self._create_build_job(namespace='something', retries=3)
-    result = yield From(self.manager.schedule(build_job))
-    self.assertFalse(result[0])
-
-  @async_test
-  def test_schedule_and_stop(self):
-    EphemeralBuilderManager.EXECUTORS['test'] = TestExecutor
-
-    self.manager.initialize({
-      'EXECUTOR': 'test',
-      'EXECUTOR_CONFIG': {},
-      'ORCHESTRATOR': {'MEM_CONFIG': None},
-    })
-
-    # Start the build job.
-    build_job = self._create_build_job(namespace='something', retries=3)
-    result = yield From(self.manager.schedule(build_job))
-    self.assertTrue(result[0])
-
-    executor = self.manager.registered_executors[0]
-    self.assertIsNotNone(executor.job_started)
-
-    # Register the realm so the build information is added.
-    yield From(self.manager._register_realm({
-      'realm': str(uuid.uuid4()),
-      'token': str(uuid.uuid4()),
-      'execution_id': executor.job_started,
-      'executor_name': 'TestExecutor',
-      'build_uuid': build_job.build_uuid,
-      'job_queue_item': build_job.job_item,
-    }))
-
-    # Stop the build job.
-    yield From(self.manager.kill_builder_executor(build_job.build_uuid))
-    self.assertEqual(executor.job_stopped, executor.job_started)
-
-
-if __name__ == '__main__':
-  unittest.main()
+if __name__ == "__main__":
+    unittest.main()
diff --git a/buildtrigger/__init__.py b/buildtrigger/__init__.py
index 8a794cf96..9c21d9025 100644
--- a/buildtrigger/__init__.py
+++ b/buildtrigger/__init__.py
@@ -2,4 +2,3 @@ import buildtrigger.bitbuckethandler
 import buildtrigger.customhandler
 import buildtrigger.githubhandler
 import buildtrigger.gitlabhandler
-
diff --git a/buildtrigger/basehandler.py b/buildtrigger/basehandler.py
index 8d9b0f753..08bdb68ea 100644
--- a/buildtrigger/basehandler.py
+++ b/buildtrigger/basehandler.py
@@ -9,359 +9,360 @@ from data import model
 from buildtrigger.triggerutil import get_trigger_config, InvalidServiceException
 
 NAMESPACES_SCHEMA = {
-  'type': 'array',
-  'items': {
-    'type': 'object',
-    'properties': {
-      'personal': {
-        'type': 'boolean',
-        'description': 'True if the namespace is the user\'s personal namespace',
-      },
-      'score': {
-        'type': 'number',
-        'description': 'Score of the relevance of the namespace',
-      },
-      'avatar_url': {
-        'type': ['string', 'null'],
-        'description': 'URL of the avatar for this namespace',
-      },
-      'url': {
-        'type': 'string',
-        'description': 'URL of the website to view the namespace',
-      },
-      'id': {
-        'type': 'string',
-        'description': 'Trigger-internal ID of the namespace',
-      },
-      'title': {
-        'type': 'string',
-        'description': 'Human-readable title of the namespace',
-      },
+    "type": "array",
+    "items": {
+        "type": "object",
+        "properties": {
+            "personal": {
+                "type": "boolean",
+                "description": "True if the namespace is the user's personal namespace",
+            },
+            "score": {
+                "type": "number",
+                "description": "Score of the relevance of the namespace",
+            },
+            "avatar_url": {
+                "type": ["string", "null"],
+                "description": "URL of the avatar for this namespace",
+            },
+            "url": {
+                "type": "string",
+                "description": "URL of the website to view the namespace",
+            },
+            "id": {
+                "type": "string",
+                "description": "Trigger-internal ID of the namespace",
+            },
+            "title": {
+                "type": "string",
+                "description": "Human-readable title of the namespace",
+            },
+        },
+        "required": ["personal", "score", "avatar_url", "id", "title"],
     },
-    'required': ['personal', 'score', 'avatar_url', 'id', 'title'],
-  },
 }
 
 BUILD_SOURCES_SCHEMA = {
-  'type': 'array',
-  'items': {
-    'type': 'object',
-    'properties': {
-      'name': {
-        'type': 'string',
-        'description': 'The name of the repository, without its namespace',
-      },
-      'full_name': {
-        'type': 'string',
-        'description': 'The name of the repository, with its namespace',
-      },
-      'description': {
-        'type': 'string',
-        'description': 'The description of the repository. May be an empty string',
-      },
-      'last_updated': {
-        'type': 'number',
-        'description': 'The date/time when the repository was last updated, since epoch in UTC',
-      },
-      'url': {
-        'type': 'string',
-        'description': 'The URL at which to view the repository in the browser',
-      },
-      'has_admin_permissions': {
-        'type': 'boolean',
-        'description': 'True if the current user has admin permissions on the repository',
-      },
-      'private': {
-        'type': 'boolean',
-        'description': 'True if the repository is private',
-      },
+    "type": "array",
+    "items": {
+        "type": "object",
+        "properties": {
+            "name": {
+                "type": "string",
+                "description": "The name of the repository, without its namespace",
+            },
+            "full_name": {
+                "type": "string",
+                "description": "The name of the repository, with its namespace",
+            },
+            "description": {
+                "type": "string",
+                "description": "The description of the repository. May be an empty string",
+            },
+            "last_updated": {
+                "type": "number",
+                "description": "The date/time when the repository was last updated, since epoch in UTC",
+            },
+            "url": {
+                "type": "string",
+                "description": "The URL at which to view the repository in the browser",
+            },
+            "has_admin_permissions": {
+                "type": "boolean",
+                "description": "True if the current user has admin permissions on the repository",
+            },
+            "private": {
+                "type": "boolean",
+                "description": "True if the repository is private",
+            },
+        },
+        "required": [
+            "name",
+            "full_name",
+            "description",
+            "last_updated",
+            "has_admin_permissions",
+            "private",
+        ],
     },
-    'required': ['name', 'full_name', 'description', 'last_updated',
-                 'has_admin_permissions', 'private'],
-  },
 }
 
 METADATA_SCHEMA = {
-  'type': 'object',
-  'properties': {
-    'commit': {
-      'type': 'string',
-      'description': 'first 7 characters of the SHA-1 identifier for a git commit',
-      'pattern': '^([A-Fa-f0-9]{7,})$',
-    },
-    'git_url': {
-      'type': 'string',
-      'description': 'The GIT url to use for the checkout',
-    },
-    'ref': {
-      'type': 'string',
-      'description': 'git reference for a git commit',
-      'pattern': r'^refs\/(heads|tags|remotes)\/(.+)$',
-    },
-    'default_branch': {
-      'type': 'string',
-      'description': 'default branch of the git repository',
-    },
-    'commit_info': {
-      'type': 'object',
-      'description': 'metadata about a git commit',
-      'properties': {
-        'url': {
-          'type': 'string',
-          'description': 'URL to view a git commit',
+    "type": "object",
+    "properties": {
+        "commit": {
+            "type": "string",
+            "description": "first 7 characters of the SHA-1 identifier for a git commit",
+            "pattern": "^([A-Fa-f0-9]{7,})$",
         },
-        'message': {
-          'type': 'string',
-          'description': 'git commit message',
+        "git_url": {
+            "type": "string",
+            "description": "The GIT url to use for the checkout",
         },
-        'date': {
-          'type': 'string',
-          'description': 'timestamp for a git commit'
+        "ref": {
+            "type": "string",
+            "description": "git reference for a git commit",
+            "pattern": r"^refs\/(heads|tags|remotes)\/(.+)$",
         },
-        'author': {
-          'type': 'object',
-          'description': 'metadata about the author of a git commit',
-          'properties': {
-            'username': {
-              'type': 'string',
-              'description': 'username of the author',
-            },
-            'url': {
-              'type': 'string',
-              'description': 'URL to view the profile of the author',
-            },
-            'avatar_url': {
-              'type': 'string',
-              'description': 'URL to view the avatar of the author',
-            },
-          },
-          'required': ['username'],
+        "default_branch": {
+            "type": "string",
+            "description": "default branch of the git repository",
         },
-        'committer': {
-          'type': 'object',
-          'description': 'metadata about the committer of a git commit',
-          'properties': {
-            'username': {
-              'type': 'string',
-              'description': 'username of the committer',
+        "commit_info": {
+            "type": "object",
+            "description": "metadata about a git commit",
+            "properties": {
+                "url": {"type": "string", "description": "URL to view a git commit"},
+                "message": {"type": "string", "description": "git commit message"},
+                "date": {"type": "string", "description": "timestamp for a git commit"},
+                "author": {
+                    "type": "object",
+                    "description": "metadata about the author of a git commit",
+                    "properties": {
+                        "username": {
+                            "type": "string",
+                            "description": "username of the author",
+                        },
+                        "url": {
+                            "type": "string",
+                            "description": "URL to view the profile of the author",
+                        },
+                        "avatar_url": {
+                            "type": "string",
+                            "description": "URL to view the avatar of the author",
+                        },
+                    },
+                    "required": ["username"],
+                },
+                "committer": {
+                    "type": "object",
+                    "description": "metadata about the committer of a git commit",
+                    "properties": {
+                        "username": {
+                            "type": "string",
+                            "description": "username of the committer",
+                        },
+                        "url": {
+                            "type": "string",
+                            "description": "URL to view the profile of the committer",
+                        },
+                        "avatar_url": {
+                            "type": "string",
+                            "description": "URL to view the avatar of the committer",
+                        },
+                    },
+                    "required": ["username"],
+                },
             },
-            'url': {
-              'type': 'string',
-              'description': 'URL to view the profile of the committer',
-            },
-            'avatar_url': {
-              'type': 'string',
-              'description': 'URL to view the avatar of the committer',
-            },
-          },
-          'required': ['username'],
+            "required": ["message"],
         },
-      },
-      'required': ['message'],
     },
-  },
-  'required': ['commit', 'git_url'],
+    "required": ["commit", "git_url"],
 }
 
 
 @add_metaclass(ABCMeta)
 class BuildTriggerHandler(object):
-  def __init__(self, trigger, override_config=None):
-    self.trigger = trigger
-    self.config = override_config or get_trigger_config(trigger)
+    def __init__(self, trigger, override_config=None):
+        self.trigger = trigger
+        self.config = override_config or get_trigger_config(trigger)
 
-  @property
-  def auth_token(self):
-    """ Returns the auth token for the trigger. """
-    # NOTE: This check is for testing.
-    if isinstance(self.trigger.auth_token, str):
-      return self.trigger.auth_token
+    @property
+    def auth_token(self):
+        """ Returns the auth token for the trigger. """
+        # NOTE: This check is for testing.
+        if isinstance(self.trigger.auth_token, str):
+            return self.trigger.auth_token
 
-    # TODO(remove-unenc): Remove legacy field.
-    if self.trigger.secure_auth_token is not None:
-      return self.trigger.secure_auth_token.decrypt()
+        # TODO(remove-unenc): Remove legacy field.
+        if self.trigger.secure_auth_token is not None:
+            return self.trigger.secure_auth_token.decrypt()
 
-    if ActiveDataMigration.has_flag(ERTMigrationFlags.READ_OLD_FIELDS):
-      return self.trigger.auth_token
+        if ActiveDataMigration.has_flag(ERTMigrationFlags.READ_OLD_FIELDS):
+            return self.trigger.auth_token
 
-    return None
+        return None
 
-  @abstractmethod
-  def load_dockerfile_contents(self):
-    """
+    @abstractmethod
+    def load_dockerfile_contents(self):
+        """
     Loads the Dockerfile found for the trigger's config and returns them or None if none could
     be found/loaded.
     """
-    pass
+        pass
 
-  @abstractmethod
-  def list_build_source_namespaces(self):
-    """
+    @abstractmethod
+    def list_build_source_namespaces(self):
+        """
     Take the auth information for the specific trigger type and load the
     list of namespaces that can contain build sources.
     """
-    pass
+        pass
 
-  @abstractmethod
-  def list_build_sources_for_namespace(self, namespace):
-    """
+    @abstractmethod
+    def list_build_sources_for_namespace(self, namespace):
+        """
     Take the auth information for the specific trigger type and load the
     list of repositories under the given namespace.
     """
-    pass
+        pass
 
-  @abstractmethod
-  def list_build_subdirs(self):
-    """
+    @abstractmethod
+    def list_build_subdirs(self):
+        """
     Take the auth information and the specified config so far and list all of
     the possible subdirs containing dockerfiles.
     """
-    pass
+        pass
 
-  @abstractmethod
-  def handle_trigger_request(self, request):
-    """
+    @abstractmethod
+    def handle_trigger_request(self, request):
+        """
     Transform the incoming request data into a set of actions. Returns a PreparedBuild.
     """
-    pass
+        pass
 
-  @abstractmethod
-  def is_active(self):
-    """
+    @abstractmethod
+    def is_active(self):
+        """
     Returns True if the current build trigger is active. Inactive means further
     setup is needed.
     """
-    pass
+        pass
 
-  @abstractmethod
-  def activate(self, standard_webhook_url):
-    """
+    @abstractmethod
+    def activate(self, standard_webhook_url):
+        """
     Activates the trigger for the service, with the given new configuration.
     Returns new public and private config that should be stored if successful.
     """
-    pass
+        pass
 
-  @abstractmethod
-  def deactivate(self):
-    """
+    @abstractmethod
+    def deactivate(self):
+        """
     Deactivates the trigger for the service, removing any hooks installed in
     the remote service. Returns the new config that should be stored if this
     trigger is going to be re-activated.
     """
-    pass
+        pass
 
-  @abstractmethod
-  def manual_start(self, run_parameters=None):
-    """
+    @abstractmethod
+    def manual_start(self, run_parameters=None):
+        """
     Manually creates a repository build for this trigger. Returns a PreparedBuild.
     """
-    pass
+        pass
 
-  @abstractmethod
-  def list_field_values(self, field_name, limit=None):
-    """
+    @abstractmethod
+    def list_field_values(self, field_name, limit=None):
+        """
     Lists all values for the given custom trigger field. For example, a trigger might have a
     field named "branches", and this method would return all branches.
     """
-    pass
+        pass
 
-  @abstractmethod
-  def get_repository_url(self):
-    """ Returns the URL of the current trigger's repository. Note that this operation
+    @abstractmethod
+    def get_repository_url(self):
+        """ Returns the URL of the current trigger's repository. Note that this operation
         can be called in a loop, so it should be as fast as possible. """
-    pass
+        pass
 
-  @classmethod
-  def filename_is_dockerfile(cls, file_name):
-    """ Returns whether the file is named Dockerfile or follows the convention <name>.Dockerfile"""
-    return file_name.endswith(".Dockerfile") or u"Dockerfile" == file_name
+    @classmethod
+    def filename_is_dockerfile(cls, file_name):
+        """ Returns whether the file is named Dockerfile or follows the convention <name>.Dockerfile"""
+        return file_name.endswith(".Dockerfile") or u"Dockerfile" == file_name
 
-  @classmethod
-  def service_name(cls):
-    """
+    @classmethod
+    def service_name(cls):
+        """
     Particular service implemented by subclasses.
     """
-    raise NotImplementedError
+        raise NotImplementedError
 
-  @classmethod
-  def get_handler(cls, trigger, override_config=None):
-    for subc in cls.__subclasses__():
-      if subc.service_name() == trigger.service.name:
-        return subc(trigger, override_config)
+    @classmethod
+    def get_handler(cls, trigger, override_config=None):
+        for subc in cls.__subclasses__():
+            if subc.service_name() == trigger.service.name:
+                return subc(trigger, override_config)
 
-    raise InvalidServiceException('Unable to find service: %s' % trigger.service.name)
+        raise InvalidServiceException(
+            "Unable to find service: %s" % trigger.service.name
+        )
 
-  def put_config_key(self, key, value):
-    """ Updates a config key in the trigger, saving it to the DB. """
-    self.config[key] = value
-    model.build.update_build_trigger(self.trigger, self.config)
+    def put_config_key(self, key, value):
+        """ Updates a config key in the trigger, saving it to the DB. """
+        self.config[key] = value
+        model.build.update_build_trigger(self.trigger, self.config)
 
-  def set_auth_token(self, auth_token):
-    """ Sets the auth token for the trigger, saving it to the DB. """
-    model.build.update_build_trigger(self.trigger, self.config, auth_token=auth_token)
+    def set_auth_token(self, auth_token):
+        """ Sets the auth token for the trigger, saving it to the DB. """
+        model.build.update_build_trigger(
+            self.trigger, self.config, auth_token=auth_token
+        )
 
-  def get_dockerfile_path(self):
-    """ Returns the normalized path to the Dockerfile found in the subdirectory
+    def get_dockerfile_path(self):
+        """ Returns the normalized path to the Dockerfile found in the subdirectory
         in the config. """
-    dockerfile_path = self.config.get('dockerfile_path') or 'Dockerfile'
-    if dockerfile_path[0] == '/':
-      dockerfile_path = dockerfile_path[1:]
-    return dockerfile_path
+        dockerfile_path = self.config.get("dockerfile_path") or "Dockerfile"
+        if dockerfile_path[0] == "/":
+            dockerfile_path = dockerfile_path[1:]
+        return dockerfile_path
 
-  def prepare_build(self, metadata, is_manual=False):
-    # Ensure that the metadata meets the scheme.
-    validate(metadata, METADATA_SCHEMA)
+    def prepare_build(self, metadata, is_manual=False):
+        # Ensure that the metadata meets the scheme.
+        validate(metadata, METADATA_SCHEMA)
 
-    config = self.config
-    ref = metadata.get('ref', None)
-    commit_sha = metadata['commit']
-    default_branch = metadata.get('default_branch', None)
-    prepared = PreparedBuild(self.trigger)
-    prepared.name_from_sha(commit_sha)
-    prepared.subdirectory = config.get('dockerfile_path', None)
-    prepared.context = config.get('context', None)
-    prepared.is_manual = is_manual
-    prepared.metadata = metadata
+        config = self.config
+        ref = metadata.get("ref", None)
+        commit_sha = metadata["commit"]
+        default_branch = metadata.get("default_branch", None)
+        prepared = PreparedBuild(self.trigger)
+        prepared.name_from_sha(commit_sha)
+        prepared.subdirectory = config.get("dockerfile_path", None)
+        prepared.context = config.get("context", None)
+        prepared.is_manual = is_manual
+        prepared.metadata = metadata
 
-    if ref is not None:
-      prepared.tags_from_ref(ref, default_branch)
-    else:
-      prepared.tags = [commit_sha[:7]]
+        if ref is not None:
+            prepared.tags_from_ref(ref, default_branch)
+        else:
+            prepared.tags = [commit_sha[:7]]
 
-    return prepared
+        return prepared
 
-  @classmethod
-  def build_sources_response(cls, sources):
-    validate(sources, BUILD_SOURCES_SCHEMA)
-    return sources
+    @classmethod
+    def build_sources_response(cls, sources):
+        validate(sources, BUILD_SOURCES_SCHEMA)
+        return sources
 
-  @classmethod
-  def build_namespaces_response(cls, namespaces_dict):
-    namespaces = list(namespaces_dict.values())
-    validate(namespaces, NAMESPACES_SCHEMA)
-    return namespaces
+    @classmethod
+    def build_namespaces_response(cls, namespaces_dict):
+        namespaces = list(namespaces_dict.values())
+        validate(namespaces, NAMESPACES_SCHEMA)
+        return namespaces
 
-  @classmethod
-  def get_parent_directory_mappings(cls, dockerfile_path, current_paths=None):
-    """ Returns a map of dockerfile_paths to it's possible contexts. """
-    if dockerfile_path == "":
-      return {}
+    @classmethod
+    def get_parent_directory_mappings(cls, dockerfile_path, current_paths=None):
+        """ Returns a map of dockerfile_paths to it's possible contexts. """
+        if dockerfile_path == "":
+            return {}
 
-    if dockerfile_path[0] != os.path.sep:
-      dockerfile_path = os.path.sep + dockerfile_path
+        if dockerfile_path[0] != os.path.sep:
+            dockerfile_path = os.path.sep + dockerfile_path
 
-    dockerfile_path = os.path.normpath(dockerfile_path)
-    all_paths = set()
-    path, _ = os.path.split(dockerfile_path)
-    if path == "":
-      path = os.path.sep
+        dockerfile_path = os.path.normpath(dockerfile_path)
+        all_paths = set()
+        path, _ = os.path.split(dockerfile_path)
+        if path == "":
+            path = os.path.sep
 
-    all_paths.add(path)
-    for i in range(1, len(path.split(os.path.sep))):
-      path, _ = os.path.split(path)
-      all_paths.add(path)
+        all_paths.add(path)
+        for i in range(1, len(path.split(os.path.sep))):
+            path, _ = os.path.split(path)
+            all_paths.add(path)
 
-    if current_paths:
-      return dict({dockerfile_path: list(all_paths)}, **current_paths)
+        if current_paths:
+            return dict({dockerfile_path: list(all_paths)}, **current_paths)
 
-    return {dockerfile_path: list(all_paths)}
+        return {dockerfile_path: list(all_paths)}
diff --git a/buildtrigger/bitbuckethandler.py b/buildtrigger/bitbuckethandler.py
index 9573f5c60..c74a06c0d 100644
--- a/buildtrigger/bitbuckethandler.py
+++ b/buildtrigger/bitbuckethandler.py
@@ -9,537 +9,551 @@ from jsonschema import validate
 
 from app import app, get_app_url
 from buildtrigger.basehandler import BuildTriggerHandler
-from buildtrigger.triggerutil import (RepositoryReadException, TriggerActivationException,
-                                      TriggerDeactivationException, TriggerStartException,
-                                      InvalidPayloadException, TriggerProviderException,
-                                      SkipRequestException,
-                                      determine_build_ref, raise_if_skipped_build,
-                                      find_matching_branches)
+from buildtrigger.triggerutil import (
+    RepositoryReadException,
+    TriggerActivationException,
+    TriggerDeactivationException,
+    TriggerStartException,
+    InvalidPayloadException,
+    TriggerProviderException,
+    SkipRequestException,
+    determine_build_ref,
+    raise_if_skipped_build,
+    find_matching_branches,
+)
 from util.dict_wrappers import JSONPathDict, SafeDictSetter
 from util.security.ssh import generate_ssh_keypair
 
 logger = logging.getLogger(__name__)
 
-_BITBUCKET_COMMIT_URL = 'https://bitbucket.org/%s/commits/%s'
-_RAW_AUTHOR_REGEX = re.compile(r'.*<(.+)>')
+_BITBUCKET_COMMIT_URL = "https://bitbucket.org/%s/commits/%s"
+_RAW_AUTHOR_REGEX = re.compile(r".*<(.+)>")
 
 BITBUCKET_WEBHOOK_PAYLOAD_SCHEMA = {
-  'type': 'object',
-  'properties': {
-    'repository': {
-      'type': 'object',
-      'properties': {
-        'full_name': {
-          'type': 'string',
-        },
-      },
-      'required': ['full_name'],
-    }, # /Repository
-    'push': {
-      'type': 'object',
-      'properties': {
-        'changes': {
-          'type': 'array',
-          'items': {
-            'type': 'object',
-            'properties': {
-              'new': {
-                'type': 'object',
-                'properties': {
-                  'target': {
-                    'type': 'object',
-                    'properties': {
-                      'hash': {
-                        'type': 'string'
-                      },
-                      'message': {
-                        'type': 'string'
-                      },
-                      'date': {
-                        'type': 'string'
-                      },
-                      'author': {
-                        'type': 'object',
-                        'properties': {
-                          'user': {
-                            'type': 'object',
-                            'properties': {
-                              'display_name': {
-                                'type': 'string',
-                              },
-                              'account_id': {
-                                'type': 'string',
-                              },
-                              'links': {
-                                'type': 'object',
-                                'properties': {
-                                  'avatar': {
-                                    'type': 'object',
-                                    'properties': {
-                                      'href': {
-                                        'type': 'string',
-                                      },
-                                    },
-                                    'required': ['href'],
-                                  },
+    "type": "object",
+    "properties": {
+        "repository": {
+            "type": "object",
+            "properties": {"full_name": {"type": "string"}},
+            "required": ["full_name"],
+        },  # /Repository
+        "push": {
+            "type": "object",
+            "properties": {
+                "changes": {
+                    "type": "array",
+                    "items": {
+                        "type": "object",
+                        "properties": {
+                            "new": {
+                                "type": "object",
+                                "properties": {
+                                    "target": {
+                                        "type": "object",
+                                        "properties": {
+                                            "hash": {"type": "string"},
+                                            "message": {"type": "string"},
+                                            "date": {"type": "string"},
+                                            "author": {
+                                                "type": "object",
+                                                "properties": {
+                                                    "user": {
+                                                        "type": "object",
+                                                        "properties": {
+                                                            "display_name": {
+                                                                "type": "string"
+                                                            },
+                                                            "account_id": {
+                                                                "type": "string"
+                                                            },
+                                                            "links": {
+                                                                "type": "object",
+                                                                "properties": {
+                                                                    "avatar": {
+                                                                        "type": "object",
+                                                                        "properties": {
+                                                                            "href": {
+                                                                                "type": "string"
+                                                                            }
+                                                                        },
+                                                                        "required": [
+                                                                            "href"
+                                                                        ],
+                                                                    }
+                                                                },
+                                                                "required": ["avatar"],
+                                                            },  # /User
+                                                        },
+                                                    }  # /Author
+                                                },
+                                            },
+                                        },
+                                        "required": ["hash", "message", "date"],
+                                    }  # /Target
                                 },
-                                'required': ['avatar'],
-                              }, # /User
-                            },
-                          }, # /Author
+                                "required": ["name", "target"],
+                            }  # /New
                         },
-                      },                      
-                    },
-                    'required': ['hash', 'message', 'date'],
-                  }, # /Target
-                },
-                'required': ['name', 'target'],
-              }, # /New
+                    },  # /Changes item
+                }  # /Changes
             },
-          }, # /Changes item
-        }, # /Changes
-      },
-      'required': ['changes'],
-    }, # / Push
-  },
-  'actor': {
-    'type': 'object',
-    'properties': {
-      'account_id': {
-        'type': 'string',
-      },
-      'display_name': {
-        'type': 'string',
-      },
-      'links': {
-        'type': 'object',
-        'properties': {
-          'avatar': {
-            'type': 'object',
-            'properties': {
-              'href': {
-                'type': 'string',
-              },
-            },
-            'required': ['href'],
-          },
-        },
-        'required': ['avatar'],
-      },
+            "required": ["changes"],
+        },  # / Push
     },
-  }, # /Actor
-  'required': ['push', 'repository'],
-} # /Root
+    "actor": {
+        "type": "object",
+        "properties": {
+            "account_id": {"type": "string"},
+            "display_name": {"type": "string"},
+            "links": {
+                "type": "object",
+                "properties": {
+                    "avatar": {
+                        "type": "object",
+                        "properties": {"href": {"type": "string"}},
+                        "required": ["href"],
+                    }
+                },
+                "required": ["avatar"],
+            },
+        },
+    },  # /Actor
+    "required": ["push", "repository"],
+}  # /Root
 
 BITBUCKET_COMMIT_INFO_SCHEMA = {
-  'type': 'object',
-  'properties': {
-    'node': {
-      'type': 'string',
+    "type": "object",
+    "properties": {
+        "node": {"type": "string"},
+        "message": {"type": "string"},
+        "timestamp": {"type": "string"},
+        "raw_author": {"type": "string"},
     },
-    'message': {
-      'type': 'string',
-    },
-    'timestamp': {
-      'type': 'string',
-    },
-    'raw_author': {
-      'type': 'string',
-    },
-  },
-  'required': ['node', 'message', 'timestamp']
+    "required": ["node", "message", "timestamp"],
 }
 
-def get_transformed_commit_info(bb_commit, ref, default_branch, repository_name, lookup_author):
-  """ Returns the BitBucket commit information transformed into our own
+
+def get_transformed_commit_info(
+    bb_commit, ref, default_branch, repository_name, lookup_author
+):
+    """ Returns the BitBucket commit information transformed into our own
       payload format.
   """
-  try:
-    validate(bb_commit, BITBUCKET_COMMIT_INFO_SCHEMA)
-  except Exception as exc:
-    logger.exception('Exception when validating Bitbucket commit information: %s from %s', exc.message, bb_commit)
-    raise InvalidPayloadException(exc.message)
+    try:
+        validate(bb_commit, BITBUCKET_COMMIT_INFO_SCHEMA)
+    except Exception as exc:
+        logger.exception(
+            "Exception when validating Bitbucket commit information: %s from %s",
+            exc.message,
+            bb_commit,
+        )
+        raise InvalidPayloadException(exc.message)
 
-  commit = JSONPathDict(bb_commit)
+    commit = JSONPathDict(bb_commit)
 
-  config = SafeDictSetter()
-  config['commit'] = commit['node']
-  config['ref'] = ref
-  config['default_branch'] = default_branch
-  config['git_url'] = 'git@bitbucket.org:%s.git' % repository_name
+    config = SafeDictSetter()
+    config["commit"] = commit["node"]
+    config["ref"] = ref
+    config["default_branch"] = default_branch
+    config["git_url"] = "git@bitbucket.org:%s.git" % repository_name
 
-  config['commit_info.url'] = _BITBUCKET_COMMIT_URL % (repository_name, commit['node'])
-  config['commit_info.message'] = commit['message']
-  config['commit_info.date'] = commit['timestamp']
+    config["commit_info.url"] = _BITBUCKET_COMMIT_URL % (
+        repository_name,
+        commit["node"],
+    )
+    config["commit_info.message"] = commit["message"]
+    config["commit_info.date"] = commit["timestamp"]
 
-  match = _RAW_AUTHOR_REGEX.match(commit['raw_author'])
-  if match:
-    author = lookup_author(match.group(1))
-    author_info = JSONPathDict(author) if author is not None else None
-    if author_info:
-      config['commit_info.author.username'] = author_info['user.display_name']
-      config['commit_info.author.avatar_url'] = author_info['user.avatar']
+    match = _RAW_AUTHOR_REGEX.match(commit["raw_author"])
+    if match:
+        author = lookup_author(match.group(1))
+        author_info = JSONPathDict(author) if author is not None else None
+        if author_info:
+            config["commit_info.author.username"] = author_info["user.display_name"]
+            config["commit_info.author.avatar_url"] = author_info["user.avatar"]
 
-  return config.dict_value()
+    return config.dict_value()
 
 
 def get_transformed_webhook_payload(bb_payload, default_branch=None):
-  """ Returns the BitBucket webhook JSON payload transformed into our own payload
+    """ Returns the BitBucket webhook JSON payload transformed into our own payload
       format. If the bb_payload is not valid, returns None.
   """
-  try:
-    validate(bb_payload, BITBUCKET_WEBHOOK_PAYLOAD_SCHEMA)
-  except Exception as exc:
-    logger.exception('Exception when validating Bitbucket webhook payload: %s from %s', exc.message,
-                     bb_payload)
-    raise InvalidPayloadException(exc.message)
+    try:
+        validate(bb_payload, BITBUCKET_WEBHOOK_PAYLOAD_SCHEMA)
+    except Exception as exc:
+        logger.exception(
+            "Exception when validating Bitbucket webhook payload: %s from %s",
+            exc.message,
+            bb_payload,
+        )
+        raise InvalidPayloadException(exc.message)
 
-  payload = JSONPathDict(bb_payload)
-  change = payload['push.changes[-1].new']
-  if not change:
-    raise SkipRequestException
+    payload = JSONPathDict(bb_payload)
+    change = payload["push.changes[-1].new"]
+    if not change:
+        raise SkipRequestException
 
-  is_branch = change['type'] == 'branch'
-  ref = 'refs/heads/' + change['name'] if is_branch else 'refs/tags/' + change['name']
+    is_branch = change["type"] == "branch"
+    ref = "refs/heads/" + change["name"] if is_branch else "refs/tags/" + change["name"]
 
-  repository_name = payload['repository.full_name']
-  target = change['target']
+    repository_name = payload["repository.full_name"]
+    target = change["target"]
 
-  config = SafeDictSetter()
-  config['commit'] = target['hash']
-  config['ref'] = ref
-  config['default_branch'] = default_branch
-  config['git_url'] = 'git@bitbucket.org:%s.git' % repository_name
+    config = SafeDictSetter()
+    config["commit"] = target["hash"]
+    config["ref"] = ref
+    config["default_branch"] = default_branch
+    config["git_url"] = "git@bitbucket.org:%s.git" % repository_name
 
-  config['commit_info.url'] = target['links.html.href'] or ''
-  config['commit_info.message'] = target['message']
-  config['commit_info.date'] = target['date']
+    config["commit_info.url"] = target["links.html.href"] or ""
+    config["commit_info.message"] = target["message"]
+    config["commit_info.date"] = target["date"]
 
-  config['commit_info.author.username'] = target['author.user.display_name']
-  config['commit_info.author.avatar_url'] = target['author.user.links.avatar.href']
+    config["commit_info.author.username"] = target["author.user.display_name"]
+    config["commit_info.author.avatar_url"] = target["author.user.links.avatar.href"]
 
-  config['commit_info.committer.username'] = payload['actor.display_name']
-  config['commit_info.committer.avatar_url'] = payload['actor.links.avatar.href']
-  return config.dict_value()
+    config["commit_info.committer.username"] = payload["actor.display_name"]
+    config["commit_info.committer.avatar_url"] = payload["actor.links.avatar.href"]
+    return config.dict_value()
 
 
 class BitbucketBuildTrigger(BuildTriggerHandler):
-  """
+    """
   BuildTrigger for Bitbucket.
   """
-  @classmethod
-  def service_name(cls):
-    return 'bitbucket'
 
-  def _get_client(self):
-    """ Returns a BitBucket API client for this trigger's config. """
-    key = app.config.get('BITBUCKET_TRIGGER_CONFIG', {}).get('CONSUMER_KEY', '')
-    secret = app.config.get('BITBUCKET_TRIGGER_CONFIG', {}).get('CONSUMER_SECRET', '')
+    @classmethod
+    def service_name(cls):
+        return "bitbucket"
 
-    trigger_uuid = self.trigger.uuid
-    callback_url = '%s/oauth1/bitbucket/callback/trigger/%s' % (get_app_url(), trigger_uuid)
+    def _get_client(self):
+        """ Returns a BitBucket API client for this trigger's config. """
+        key = app.config.get("BITBUCKET_TRIGGER_CONFIG", {}).get("CONSUMER_KEY", "")
+        secret = app.config.get("BITBUCKET_TRIGGER_CONFIG", {}).get(
+            "CONSUMER_SECRET", ""
+        )
 
-    return BitBucket(key, secret, callback_url, timeout=15)
+        trigger_uuid = self.trigger.uuid
+        callback_url = "%s/oauth1/bitbucket/callback/trigger/%s" % (
+            get_app_url(),
+            trigger_uuid,
+        )
 
-  def _get_authorized_client(self):
-    """ Returns an authorized API client. """
-    base_client = self._get_client()
-    auth_token = self.auth_token or 'invalid:invalid'
-    token_parts = auth_token.split(':')
-    if len(token_parts) != 2:
-      token_parts = ['invalid', 'invalid']
+        return BitBucket(key, secret, callback_url, timeout=15)
 
-    (access_token, access_token_secret) = token_parts
-    return base_client.get_authorized_client(access_token, access_token_secret)
+    def _get_authorized_client(self):
+        """ Returns an authorized API client. """
+        base_client = self._get_client()
+        auth_token = self.auth_token or "invalid:invalid"
+        token_parts = auth_token.split(":")
+        if len(token_parts) != 2:
+            token_parts = ["invalid", "invalid"]
 
-  def _get_repository_client(self):
-    """ Returns an API client for working with this config's BB repository. """
-    source = self.config['build_source']
-    (namespace, name) = source.split('/')
-    bitbucket_client = self._get_authorized_client()
-    return bitbucket_client.for_namespace(namespace).repositories().get(name)
+        (access_token, access_token_secret) = token_parts
+        return base_client.get_authorized_client(access_token, access_token_secret)
 
-  def _get_default_branch(self, repository, default_value='master'):
-    """ Returns the default branch for the repository or the value given. """
-    (result, data, _) = repository.get_main_branch()
-    if result:
-      return data['name']
+    def _get_repository_client(self):
+        """ Returns an API client for working with this config's BB repository. """
+        source = self.config["build_source"]
+        (namespace, name) = source.split("/")
+        bitbucket_client = self._get_authorized_client()
+        return bitbucket_client.for_namespace(namespace).repositories().get(name)
 
-    return default_value
+    def _get_default_branch(self, repository, default_value="master"):
+        """ Returns the default branch for the repository or the value given. """
+        (result, data, _) = repository.get_main_branch()
+        if result:
+            return data["name"]
 
-  def get_oauth_url(self):
-    """ Returns the OAuth URL to authorize Bitbucket. """
-    bitbucket_client = self._get_client()
-    (result, data, err_msg) = bitbucket_client.get_authorization_url()
-    if not result:
-      raise TriggerProviderException(err_msg)
+        return default_value
 
-    return data
+    def get_oauth_url(self):
+        """ Returns the OAuth URL to authorize Bitbucket. """
+        bitbucket_client = self._get_client()
+        (result, data, err_msg) = bitbucket_client.get_authorization_url()
+        if not result:
+            raise TriggerProviderException(err_msg)
 
-  def exchange_verifier(self, verifier):
-    """ Exchanges the given verifier token to setup this trigger. """
-    bitbucket_client = self._get_client()
-    access_token = self.config.get('access_token', '')
-    access_token_secret = self.auth_token
+        return data
 
-    # Exchange the verifier for a new access token.
-    (result, data, _) = bitbucket_client.verify_token(access_token, access_token_secret, verifier)
-    if not result:
-      return False
+    def exchange_verifier(self, verifier):
+        """ Exchanges the given verifier token to setup this trigger. """
+        bitbucket_client = self._get_client()
+        access_token = self.config.get("access_token", "")
+        access_token_secret = self.auth_token
 
-    # Save the updated access token and secret.
-    self.set_auth_token(data[0] + ':' + data[1])
+        # Exchange the verifier for a new access token.
+        (result, data, _) = bitbucket_client.verify_token(
+            access_token, access_token_secret, verifier
+        )
+        if not result:
+            return False
 
-    # Retrieve the current authorized user's information and store the username in the config.
-    authorized_client = self._get_authorized_client()
-    (result, data, _) = authorized_client.get_current_user()
-    if not result:
-      return False
+        # Save the updated access token and secret.
+        self.set_auth_token(data[0] + ":" + data[1])
 
-    self.put_config_key('account_id', data['user']['account_id'])
-    self.put_config_key('nickname', data['user']['nickname'])
-    return True
+        # Retrieve the current authorized user's information and store the username in the config.
+        authorized_client = self._get_authorized_client()
+        (result, data, _) = authorized_client.get_current_user()
+        if not result:
+            return False
 
-  def is_active(self):
-    return 'webhook_id' in self.config
+        self.put_config_key("account_id", data["user"]["account_id"])
+        self.put_config_key("nickname", data["user"]["nickname"])
+        return True
 
-  def activate(self, standard_webhook_url):
-    config = self.config
+    def is_active(self):
+        return "webhook_id" in self.config
 
-    # Add a deploy key to the repository.
-    public_key, private_key = generate_ssh_keypair()
-    config['credentials'] = [
-      {
-        'name': 'SSH Public Key',
-        'value': public_key,
-      },
-    ]
+    def activate(self, standard_webhook_url):
+        config = self.config
 
-    repository = self._get_repository_client()
-    (result, created_deploykey, err_msg) = repository.deploykeys().create(
-      app.config['REGISTRY_TITLE'] + ' webhook key', public_key)
+        # Add a deploy key to the repository.
+        public_key, private_key = generate_ssh_keypair()
+        config["credentials"] = [{"name": "SSH Public Key", "value": public_key}]
 
-    if not result:
-      msg = 'Unable to add deploy key to repository: %s' % err_msg
-      raise TriggerActivationException(msg)
+        repository = self._get_repository_client()
+        (result, created_deploykey, err_msg) = repository.deploykeys().create(
+            app.config["REGISTRY_TITLE"] + " webhook key", public_key
+        )
 
-    config['deploy_key_id'] = created_deploykey['pk']
+        if not result:
+            msg = "Unable to add deploy key to repository: %s" % err_msg
+            raise TriggerActivationException(msg)
 
-    # Add a webhook callback.
-    description = 'Webhook for invoking builds on %s' % app.config['REGISTRY_TITLE_SHORT']
-    webhook_events = ['repo:push']
-    (result, created_webhook, err_msg) = repository.webhooks().create(
-      description, standard_webhook_url, webhook_events)
+        config["deploy_key_id"] = created_deploykey["pk"]
 
-    if not result:
-      msg = 'Unable to add webhook to repository: %s' % err_msg
-      raise TriggerActivationException(msg)
+        # Add a webhook callback.
+        description = (
+            "Webhook for invoking builds on %s" % app.config["REGISTRY_TITLE_SHORT"]
+        )
+        webhook_events = ["repo:push"]
+        (result, created_webhook, err_msg) = repository.webhooks().create(
+            description, standard_webhook_url, webhook_events
+        )
 
-    config['webhook_id'] = created_webhook['uuid']
-    self.config = config
-    return config, {'private_key': private_key}
+        if not result:
+            msg = "Unable to add webhook to repository: %s" % err_msg
+            raise TriggerActivationException(msg)
 
-  def deactivate(self):
-    config = self.config
+        config["webhook_id"] = created_webhook["uuid"]
+        self.config = config
+        return config, {"private_key": private_key}
 
-    webhook_id = config.pop('webhook_id', None)
-    deploy_key_id = config.pop('deploy_key_id', None)
-    repository = self._get_repository_client()
+    def deactivate(self):
+        config = self.config
 
-    # Remove the webhook.
-    if webhook_id is not None:
-      (result, _, err_msg) = repository.webhooks().delete(webhook_id)
-      if not result:
-        msg = 'Unable to remove webhook from repository: %s' % err_msg
-        raise TriggerDeactivationException(msg)
+        webhook_id = config.pop("webhook_id", None)
+        deploy_key_id = config.pop("deploy_key_id", None)
+        repository = self._get_repository_client()
 
-    # Remove the public key.
-    if deploy_key_id is not None:
-      (result, _, err_msg) = repository.deploykeys().delete(deploy_key_id)
-      if not result:
-        msg = 'Unable to remove deploy key from repository: %s' % err_msg
-        raise TriggerDeactivationException(msg)
+        # Remove the webhook.
+        if webhook_id is not None:
+            (result, _, err_msg) = repository.webhooks().delete(webhook_id)
+            if not result:
+                msg = "Unable to remove webhook from repository: %s" % err_msg
+                raise TriggerDeactivationException(msg)
 
-    return config
+        # Remove the public key.
+        if deploy_key_id is not None:
+            (result, _, err_msg) = repository.deploykeys().delete(deploy_key_id)
+            if not result:
+                msg = "Unable to remove deploy key from repository: %s" % err_msg
+                raise TriggerDeactivationException(msg)
 
-  def list_build_source_namespaces(self):
-    bitbucket_client = self._get_authorized_client()
-    (result, data, err_msg) = bitbucket_client.get_visible_repositories()
-    if not result:
-      raise RepositoryReadException('Could not read repository list: ' + err_msg)
+        return config
 
-    namespaces = {}
-    for repo in data:
-      owner = repo['owner']
+    def list_build_source_namespaces(self):
+        bitbucket_client = self._get_authorized_client()
+        (result, data, err_msg) = bitbucket_client.get_visible_repositories()
+        if not result:
+            raise RepositoryReadException("Could not read repository list: " + err_msg)
 
-      if owner in namespaces:
-        namespaces[owner]['score'] = namespaces[owner]['score'] + 1
-      else:
-        namespaces[owner] = {
-          'personal': owner == self.config.get('nickname', self.config.get('username')),
-          'id': owner,
-          'title': owner,
-          'avatar_url': repo['logo'],
-          'url': 'https://bitbucket.org/%s' % (owner),
-          'score': 1,
-        }
+        namespaces = {}
+        for repo in data:
+            owner = repo["owner"]
 
-    return BuildTriggerHandler.build_namespaces_response(namespaces)
+            if owner in namespaces:
+                namespaces[owner]["score"] = namespaces[owner]["score"] + 1
+            else:
+                namespaces[owner] = {
+                    "personal": owner
+                    == self.config.get("nickname", self.config.get("username")),
+                    "id": owner,
+                    "title": owner,
+                    "avatar_url": repo["logo"],
+                    "url": "https://bitbucket.org/%s" % (owner),
+                    "score": 1,
+                }
 
-  def list_build_sources_for_namespace(self, namespace):
-    def repo_view(repo):
-      last_modified = dateutil.parser.parse(repo['utc_last_updated'])
+        return BuildTriggerHandler.build_namespaces_response(namespaces)
 
-      return {
-        'name': repo['slug'],
-        'full_name': '%s/%s' % (repo['owner'], repo['slug']),
-        'description': repo['description'] or '',
-        'last_updated': timegm(last_modified.utctimetuple()),
-        'url': 'https://bitbucket.org/%s/%s' % (repo['owner'], repo['slug']),
-        'has_admin_permissions': repo['read_only'] is False,
-        'private': repo['is_private'],
-      }
+    def list_build_sources_for_namespace(self, namespace):
+        def repo_view(repo):
+            last_modified = dateutil.parser.parse(repo["utc_last_updated"])
 
-    bitbucket_client = self._get_authorized_client()
-    (result, data, err_msg) = bitbucket_client.get_visible_repositories()
-    if not result:
-      raise RepositoryReadException('Could not read repository list: ' + err_msg)
+            return {
+                "name": repo["slug"],
+                "full_name": "%s/%s" % (repo["owner"], repo["slug"]),
+                "description": repo["description"] or "",
+                "last_updated": timegm(last_modified.utctimetuple()),
+                "url": "https://bitbucket.org/%s/%s" % (repo["owner"], repo["slug"]),
+                "has_admin_permissions": repo["read_only"] is False,
+                "private": repo["is_private"],
+            }
 
-    repos = [repo_view(repo) for repo in data if repo['owner'] == namespace]
-    return BuildTriggerHandler.build_sources_response(repos)
+        bitbucket_client = self._get_authorized_client()
+        (result, data, err_msg) = bitbucket_client.get_visible_repositories()
+        if not result:
+            raise RepositoryReadException("Could not read repository list: " + err_msg)
 
-  def list_build_subdirs(self):
-    config = self.config
-    repository = self._get_repository_client()
+        repos = [repo_view(repo) for repo in data if repo["owner"] == namespace]
+        return BuildTriggerHandler.build_sources_response(repos)
 
-    # Find the first matching branch.
-    repo_branches = self.list_field_values('branch_name') or []
-    branches = find_matching_branches(config, repo_branches)
-    if not branches:
-      branches = [self._get_default_branch(repository)]
+    def list_build_subdirs(self):
+        config = self.config
+        repository = self._get_repository_client()
 
-    (result, data, err_msg) = repository.get_path_contents('', revision=branches[0])
-    if not result:
-      raise RepositoryReadException(err_msg)
+        # Find the first matching branch.
+        repo_branches = self.list_field_values("branch_name") or []
+        branches = find_matching_branches(config, repo_branches)
+        if not branches:
+            branches = [self._get_default_branch(repository)]
 
-    files = set([f['path'] for f in data['files']])
-    return ["/" + file_path for file_path in files if self.filename_is_dockerfile(os.path.basename(file_path))]
+        (result, data, err_msg) = repository.get_path_contents("", revision=branches[0])
+        if not result:
+            raise RepositoryReadException(err_msg)
 
-  def load_dockerfile_contents(self):
-    repository = self._get_repository_client()
-    path = self.get_dockerfile_path()
+        files = set([f["path"] for f in data["files"]])
+        return [
+            "/" + file_path
+            for file_path in files
+            if self.filename_is_dockerfile(os.path.basename(file_path))
+        ]
 
-    (result, data, err_msg) = repository.get_raw_path_contents(path, revision='master')
-    if not result:
-      return None
+    def load_dockerfile_contents(self):
+        repository = self._get_repository_client()
+        path = self.get_dockerfile_path()
 
-    return data
+        (result, data, err_msg) = repository.get_raw_path_contents(
+            path, revision="master"
+        )
+        if not result:
+            return None
 
-  def list_field_values(self, field_name, limit=None):
-    if 'build_source' not in self.config:
-      return None
+        return data
 
-    source = self.config['build_source']
-    (namespace, name) = source.split('/')
+    def list_field_values(self, field_name, limit=None):
+        if "build_source" not in self.config:
+            return None
 
-    bitbucket_client = self._get_authorized_client()
-    repository = bitbucket_client.for_namespace(namespace).repositories().get(name)
+        source = self.config["build_source"]
+        (namespace, name) = source.split("/")
+
+        bitbucket_client = self._get_authorized_client()
+        repository = bitbucket_client.for_namespace(namespace).repositories().get(name)
+
+        if field_name == "refs":
+            (result, data, _) = repository.get_branches_and_tags()
+            if not result:
+                return None
+
+            branches = [b["name"] for b in data["branches"]]
+            tags = [t["name"] for t in data["tags"]]
+
+            return [{"kind": "branch", "name": b} for b in branches] + [
+                {"kind": "tag", "name": tag} for tag in tags
+            ]
+
+        if field_name == "tag_name":
+            (result, data, _) = repository.get_tags()
+            if not result:
+                return None
+
+            tags = list(data.keys())
+            if limit:
+                tags = tags[0:limit]
+
+            return tags
+
+        if field_name == "branch_name":
+            (result, data, _) = repository.get_branches()
+            if not result:
+                return None
+
+            branches = list(data.keys())
+            if limit:
+                branches = branches[0:limit]
+
+            return branches
 
-    if field_name == 'refs':
-      (result, data, _) = repository.get_branches_and_tags()
-      if not result:
         return None
 
-      branches = [b['name'] for b in data['branches']]
-      tags = [t['name'] for t in data['tags']]
+    def get_repository_url(self):
+        source = self.config["build_source"]
+        (namespace, name) = source.split("/")
+        return "https://bitbucket.org/%s/%s" % (namespace, name)
 
-      return ([{'kind': 'branch', 'name': b} for b in branches] +
-              [{'kind': 'tag', 'name': tag} for tag in tags])
+    def handle_trigger_request(self, request):
+        payload = request.get_json()
+        if payload is None:
+            raise InvalidPayloadException("Missing payload")
 
-    if field_name == 'tag_name':
-      (result, data, _) = repository.get_tags()
-      if not result:
-        return None
+        logger.debug("Got BitBucket request: %s", payload)
 
-      tags = list(data.keys())
-      if limit:
-        tags = tags[0:limit]
+        repository = self._get_repository_client()
+        default_branch = self._get_default_branch(repository)
 
-      return tags
+        metadata = get_transformed_webhook_payload(
+            payload, default_branch=default_branch
+        )
+        prepared = self.prepare_build(metadata)
 
-    if field_name == 'branch_name':
-      (result, data, _) = repository.get_branches()
-      if not result:
-        return None
+        # Check if we should skip this build.
+        raise_if_skipped_build(prepared, self.config)
+        return prepared
 
-      branches = list(data.keys())
-      if limit:
-        branches = branches[0:limit]
+    def manual_start(self, run_parameters=None):
+        run_parameters = run_parameters or {}
+        repository = self._get_repository_client()
+        bitbucket_client = self._get_authorized_client()
 
-      return branches
+        def get_branch_sha(branch_name):
+            # Lookup the commit SHA for the branch.
+            (result, data, _) = repository.get_branch(branch_name)
+            if not result:
+                raise TriggerStartException("Could not find branch in repository")
 
-    return None
+            return data["target"]["hash"]
 
-  def get_repository_url(self):
-    source = self.config['build_source']
-    (namespace, name) = source.split('/')
-    return 'https://bitbucket.org/%s/%s' % (namespace, name)
+        def get_tag_sha(tag_name):
+            # Lookup the commit SHA for the tag.
+            (result, data, _) = repository.get_tag(tag_name)
+            if not result:
+                raise TriggerStartException("Could not find tag in repository")
 
-  def handle_trigger_request(self, request):
-    payload = request.get_json()
-    if payload is None:
-      raise InvalidPayloadException('Missing payload')
+            return data["target"]["hash"]
 
-    logger.debug('Got BitBucket request: %s', payload)
+        def lookup_author(email_address):
+            (result, data, _) = bitbucket_client.accounts().get_profile(email_address)
+            return data if result else None
 
-    repository = self._get_repository_client()
-    default_branch = self._get_default_branch(repository)
+        # Find the branch or tag to build.
+        default_branch = self._get_default_branch(repository)
+        (commit_sha, ref) = determine_build_ref(
+            run_parameters, get_branch_sha, get_tag_sha, default_branch
+        )
 
-    metadata = get_transformed_webhook_payload(payload, default_branch=default_branch)
-    prepared = self.prepare_build(metadata)
+        # Lookup the commit SHA in BitBucket.
+        (result, commit_info, _) = repository.changesets().get(commit_sha)
+        if not result:
+            raise TriggerStartException("Could not lookup commit SHA")
 
-    # Check if we should skip this build.
-    raise_if_skipped_build(prepared, self.config)
-    return prepared
+        # Return a prepared build for the commit.
+        repository_name = "%s/%s" % (repository.namespace, repository.repository_name)
+        metadata = get_transformed_commit_info(
+            commit_info, ref, default_branch, repository_name, lookup_author
+        )
 
-  def manual_start(self, run_parameters=None):
-    run_parameters = run_parameters or {}
-    repository = self._get_repository_client()
-    bitbucket_client = self._get_authorized_client()
-
-    def get_branch_sha(branch_name):
-      # Lookup the commit SHA for the branch.
-      (result, data, _) = repository.get_branch(branch_name)
-      if not result:
-        raise TriggerStartException('Could not find branch in repository')
-
-      return data['target']['hash']
-
-    def get_tag_sha(tag_name):
-      # Lookup the commit SHA for the tag.
-      (result, data, _) = repository.get_tag(tag_name)
-      if not result:
-        raise TriggerStartException('Could not find tag in repository')
-
-      return data['target']['hash']
-
-    def lookup_author(email_address):
-      (result, data, _) = bitbucket_client.accounts().get_profile(email_address)
-      return data if result else None
-
-    # Find the branch or tag to build.
-    default_branch = self._get_default_branch(repository)
-    (commit_sha, ref) = determine_build_ref(run_parameters, get_branch_sha, get_tag_sha,
-                                            default_branch)
-
-    # Lookup the commit SHA in BitBucket.
-    (result, commit_info, _) = repository.changesets().get(commit_sha)
-    if not result:
-      raise TriggerStartException('Could not lookup commit SHA')
-
-    # Return a prepared build for the commit.
-    repository_name = '%s/%s' % (repository.namespace, repository.repository_name)
-    metadata = get_transformed_commit_info(commit_info, ref, default_branch,
-                                           repository_name, lookup_author)
-
-    return self.prepare_build(metadata, is_manual=True)
+        return self.prepare_build(metadata, is_manual=True)
diff --git a/buildtrigger/customhandler.py b/buildtrigger/customhandler.py
index 193445ee2..6ed6e08c7 100644
--- a/buildtrigger/customhandler.py
+++ b/buildtrigger/customhandler.py
@@ -2,22 +2,33 @@ import logging
 import json
 
 from jsonschema import validate, ValidationError
-from buildtrigger.triggerutil import (RepositoryReadException, TriggerActivationException,
-                                      TriggerStartException, ValidationRequestException,
-                                      InvalidPayloadException,
-                                      SkipRequestException, raise_if_skipped_build,
-                                      find_matching_branches)
+from buildtrigger.triggerutil import (
+    RepositoryReadException,
+    TriggerActivationException,
+    TriggerStartException,
+    ValidationRequestException,
+    InvalidPayloadException,
+    SkipRequestException,
+    raise_if_skipped_build,
+    find_matching_branches,
+)
 
 from buildtrigger.basehandler import BuildTriggerHandler
 
-from buildtrigger.bitbuckethandler import (BITBUCKET_WEBHOOK_PAYLOAD_SCHEMA as bb_schema,
-                                           get_transformed_webhook_payload as bb_payload)
+from buildtrigger.bitbuckethandler import (
+    BITBUCKET_WEBHOOK_PAYLOAD_SCHEMA as bb_schema,
+    get_transformed_webhook_payload as bb_payload,
+)
 
-from buildtrigger.githubhandler import (GITHUB_WEBHOOK_PAYLOAD_SCHEMA as gh_schema,
-                                        get_transformed_webhook_payload as gh_payload)
+from buildtrigger.githubhandler import (
+    GITHUB_WEBHOOK_PAYLOAD_SCHEMA as gh_schema,
+    get_transformed_webhook_payload as gh_payload,
+)
 
-from buildtrigger.gitlabhandler import (GITLAB_WEBHOOK_PAYLOAD_SCHEMA as gl_schema,
-                                        get_transformed_webhook_payload as gl_payload)
+from buildtrigger.gitlabhandler import (
+    GITLAB_WEBHOOK_PAYLOAD_SCHEMA as gl_schema,
+    get_transformed_webhook_payload as gl_payload,
+)
 
 from util.security.ssh import generate_ssh_keypair
 
@@ -27,203 +38,191 @@ logger = logging.getLogger(__name__)
 # Defines an ordered set of tuples of the schemas and associated transformation functions
 # for incoming webhook payloads.
 SCHEMA_AND_HANDLERS = [
-  (gh_schema, gh_payload),
-  (bb_schema, bb_payload),
-  (gl_schema, gl_payload),
+    (gh_schema, gh_payload),
+    (bb_schema, bb_payload),
+    (gl_schema, gl_payload),
 ]
 
 
 def custom_trigger_payload(metadata, git_url):
-  # First try the customhandler schema. If it matches, nothing more to do.
-  custom_handler_validation_error = None
-  try:
-    validate(metadata, CustomBuildTrigger.payload_schema)
-  except ValidationError as vex:
-    custom_handler_validation_error = vex
-
-  # Otherwise, try the defined schemas, in order, until we find a match.
-  for schema, handler in SCHEMA_AND_HANDLERS:
+    # First try the customhandler schema. If it matches, nothing more to do.
+    custom_handler_validation_error = None
     try:
-      validate(metadata, schema)
-    except ValidationError:
-      continue
+        validate(metadata, CustomBuildTrigger.payload_schema)
+    except ValidationError as vex:
+        custom_handler_validation_error = vex
 
-    result = handler(metadata)
-    result['git_url'] = git_url
-    return result
+    # Otherwise, try the defined schemas, in order, until we find a match.
+    for schema, handler in SCHEMA_AND_HANDLERS:
+        try:
+            validate(metadata, schema)
+        except ValidationError:
+            continue
 
-  # If we have reached this point and no other schemas validated, then raise the error for the
-  # custom schema.
-  if custom_handler_validation_error is not None:
-    raise InvalidPayloadException(custom_handler_validation_error.message)
+        result = handler(metadata)
+        result["git_url"] = git_url
+        return result
 
-  metadata['git_url'] = git_url
-  return metadata
+    # If we have reached this point and no other schemas validated, then raise the error for the
+    # custom schema.
+    if custom_handler_validation_error is not None:
+        raise InvalidPayloadException(custom_handler_validation_error.message)
+
+    metadata["git_url"] = git_url
+    return metadata
 
 
 class CustomBuildTrigger(BuildTriggerHandler):
-  payload_schema = {
-    'type': 'object',
-    'properties': {
-      'commit': {
-        'type': 'string',
-        'description': 'first 7 characters of the SHA-1 identifier for a git commit',
-        'pattern': '^([A-Fa-f0-9]{7,})$',
-      },
-      'ref': {
-        'type': 'string',
-        'description': 'git reference for a git commit',
-        'pattern': '^refs\/(heads|tags|remotes)\/(.+)$',
-      },
-      'default_branch': {
-        'type': 'string',
-        'description': 'default branch of the git repository',
-      },
-      'commit_info': {
-        'type': 'object',
-        'description': 'metadata about a git commit',
-        'properties': {
-          'url': {
-            'type': 'string',
-            'description': 'URL to view a git commit',
-          },
-          'message': {
-            'type': 'string',
-            'description': 'git commit message',
-          },
-          'date': {
-            'type': 'string',
-            'description': 'timestamp for a git commit'
-          },
-          'author': {
-            'type': 'object',
-            'description': 'metadata about the author of a git commit',
-            'properties': {
-              'username': {
-                'type': 'string',
-                'description': 'username of the author',
-              },
-              'url': {
-                'type': 'string',
-                'description': 'URL to view the profile of the author',
-              },
-              'avatar_url': {
-                'type': 'string',
-                'description': 'URL to view the avatar of the author',
-              },
+    payload_schema = {
+        "type": "object",
+        "properties": {
+            "commit": {
+                "type": "string",
+                "description": "first 7 characters of the SHA-1 identifier for a git commit",
+                "pattern": "^([A-Fa-f0-9]{7,})$",
             },
-            'required': ['username', 'url', 'avatar_url'],
-          },
-          'committer': {
-            'type': 'object',
-            'description': 'metadata about the committer of a git commit',
-            'properties': {
-              'username': {
-                'type': 'string',
-                'description': 'username of the committer',
-              },
-              'url': {
-                'type': 'string',
-                'description': 'URL to view the profile of the committer',
-              },
-              'avatar_url': {
-                'type': 'string',
-                'description': 'URL to view the avatar of the committer',
-              },
+            "ref": {
+                "type": "string",
+                "description": "git reference for a git commit",
+                "pattern": "^refs\/(heads|tags|remotes)\/(.+)$",
+            },
+            "default_branch": {
+                "type": "string",
+                "description": "default branch of the git repository",
+            },
+            "commit_info": {
+                "type": "object",
+                "description": "metadata about a git commit",
+                "properties": {
+                    "url": {
+                        "type": "string",
+                        "description": "URL to view a git commit",
+                    },
+                    "message": {"type": "string", "description": "git commit message"},
+                    "date": {
+                        "type": "string",
+                        "description": "timestamp for a git commit",
+                    },
+                    "author": {
+                        "type": "object",
+                        "description": "metadata about the author of a git commit",
+                        "properties": {
+                            "username": {
+                                "type": "string",
+                                "description": "username of the author",
+                            },
+                            "url": {
+                                "type": "string",
+                                "description": "URL to view the profile of the author",
+                            },
+                            "avatar_url": {
+                                "type": "string",
+                                "description": "URL to view the avatar of the author",
+                            },
+                        },
+                        "required": ["username", "url", "avatar_url"],
+                    },
+                    "committer": {
+                        "type": "object",
+                        "description": "metadata about the committer of a git commit",
+                        "properties": {
+                            "username": {
+                                "type": "string",
+                                "description": "username of the committer",
+                            },
+                            "url": {
+                                "type": "string",
+                                "description": "URL to view the profile of the committer",
+                            },
+                            "avatar_url": {
+                                "type": "string",
+                                "description": "URL to view the avatar of the committer",
+                            },
+                        },
+                        "required": ["username", "url", "avatar_url"],
+                    },
+                },
+                "required": ["url", "message", "date"],
             },
-            'required': ['username', 'url', 'avatar_url'],
-          },
         },
-        'required': ['url', 'message', 'date'],
-      },
-    },
-    'required': ['commit', 'ref', 'default_branch'],
-  }
-
-  @classmethod
-  def service_name(cls):
-    return 'custom-git'
-
-  def is_active(self):
-    return self.config.has_key('credentials')
-
-  def _metadata_from_payload(self, payload, git_url):
-   # Parse the JSON payload.
-    try:
-      metadata = json.loads(payload)
-    except ValueError as vex:
-      raise InvalidPayloadException(vex.message)
-
-    return custom_trigger_payload(metadata, git_url)
-
-  def handle_trigger_request(self, request):
-    payload = request.data
-    if not payload:
-      raise InvalidPayloadException('Missing expected payload')
-
-    logger.debug('Payload %s', payload)
-
-    metadata = self._metadata_from_payload(payload, self.config['build_source'])
-    prepared = self.prepare_build(metadata)
-
-    # Check if we should skip this build.
-    raise_if_skipped_build(prepared, self.config)
-
-    return prepared
-
-  def manual_start(self, run_parameters=None):
-    # commit_sha is the only required parameter
-    commit_sha = run_parameters.get('commit_sha')
-    if commit_sha is None:
-      raise TriggerStartException('missing required parameter')
-
-    config = self.config
-    metadata = {
-      'commit': commit_sha,
-      'git_url': config['build_source'],
+        "required": ["commit", "ref", "default_branch"],
     }
 
-    try:
-      return self.prepare_build(metadata, is_manual=True)
-    except ValidationError as ve:
-      raise TriggerStartException(ve.message)
+    @classmethod
+    def service_name(cls):
+        return "custom-git"
 
-  def activate(self, standard_webhook_url):
-    config = self.config
-    public_key, private_key = generate_ssh_keypair()
-    config['credentials'] = [
-      {
-        'name': 'SSH Public Key',
-        'value': public_key,
-      },
-      {
-        'name': 'Webhook Endpoint URL',
-        'value': standard_webhook_url,
-      },
-    ]
-    self.config = config
-    return config, {'private_key': private_key}
+    def is_active(self):
+        return self.config.has_key("credentials")
 
-  def deactivate(self):
-    config = self.config
-    config.pop('credentials', None)
-    self.config = config
-    return config
+    def _metadata_from_payload(self, payload, git_url):
+        # Parse the JSON payload.
+        try:
+            metadata = json.loads(payload)
+        except ValueError as vex:
+            raise InvalidPayloadException(vex.message)
 
-  def get_repository_url(self):
-    return None
+        return custom_trigger_payload(metadata, git_url)
 
-  def list_build_source_namespaces(self):
-    raise NotImplementedError
+    def handle_trigger_request(self, request):
+        payload = request.data
+        if not payload:
+            raise InvalidPayloadException("Missing expected payload")
 
-  def list_build_sources_for_namespace(self, namespace):
-    raise NotImplementedError
+        logger.debug("Payload %s", payload)
 
-  def list_build_subdirs(self):
-    raise NotImplementedError
+        metadata = self._metadata_from_payload(payload, self.config["build_source"])
+        prepared = self.prepare_build(metadata)
 
-  def list_field_values(self, field_name, limit=None):
-    raise NotImplementedError
+        # Check if we should skip this build.
+        raise_if_skipped_build(prepared, self.config)
 
-  def load_dockerfile_contents(self):
-    raise NotImplementedError
+        return prepared
+
+    def manual_start(self, run_parameters=None):
+        # commit_sha is the only required parameter
+        commit_sha = run_parameters.get("commit_sha")
+        if commit_sha is None:
+            raise TriggerStartException("missing required parameter")
+
+        config = self.config
+        metadata = {"commit": commit_sha, "git_url": config["build_source"]}
+
+        try:
+            return self.prepare_build(metadata, is_manual=True)
+        except ValidationError as ve:
+            raise TriggerStartException(ve.message)
+
+    def activate(self, standard_webhook_url):
+        config = self.config
+        public_key, private_key = generate_ssh_keypair()
+        config["credentials"] = [
+            {"name": "SSH Public Key", "value": public_key},
+            {"name": "Webhook Endpoint URL", "value": standard_webhook_url},
+        ]
+        self.config = config
+        return config, {"private_key": private_key}
+
+    def deactivate(self):
+        config = self.config
+        config.pop("credentials", None)
+        self.config = config
+        return config
+
+    def get_repository_url(self):
+        return None
+
+    def list_build_source_namespaces(self):
+        raise NotImplementedError
+
+    def list_build_sources_for_namespace(self, namespace):
+        raise NotImplementedError
+
+    def list_build_subdirs(self):
+        raise NotImplementedError
+
+    def list_field_values(self, field_name, limit=None):
+        raise NotImplementedError
+
+    def load_dockerfile_contents(self):
+        raise NotImplementedError
diff --git a/buildtrigger/githubhandler.py b/buildtrigger/githubhandler.py
index bc40f993c..7fc12135b 100644
--- a/buildtrigger/githubhandler.py
+++ b/buildtrigger/githubhandler.py
@@ -7,18 +7,29 @@ from calendar import timegm
 from functools import wraps
 from ssl import SSLError
 
-from github import (Github, UnknownObjectException, GithubException,
-                    BadCredentialsException as GitHubBadCredentialsException)
+from github import (
+    Github,
+    UnknownObjectException,
+    GithubException,
+    BadCredentialsException as GitHubBadCredentialsException,
+)
 
 from jsonschema import validate
 
 from app import app, github_trigger
-from buildtrigger.triggerutil import (RepositoryReadException, TriggerActivationException,
-                                      TriggerDeactivationException, TriggerStartException,
-                                      EmptyRepositoryException, ValidationRequestException,
-                                      SkipRequestException, InvalidPayloadException,
-                                      determine_build_ref, raise_if_skipped_build,
-                                      find_matching_branches)
+from buildtrigger.triggerutil import (
+    RepositoryReadException,
+    TriggerActivationException,
+    TriggerDeactivationException,
+    TriggerStartException,
+    EmptyRepositoryException,
+    ValidationRequestException,
+    SkipRequestException,
+    InvalidPayloadException,
+    determine_build_ref,
+    raise_if_skipped_build,
+    find_matching_branches,
+)
 from buildtrigger.basehandler import BuildTriggerHandler
 from endpoints.exception import ExternalServiceError
 from util.security.ssh import generate_ssh_keypair
@@ -27,561 +38,576 @@ from util.dict_wrappers import JSONPathDict, SafeDictSetter
 logger = logging.getLogger(__name__)
 
 GITHUB_WEBHOOK_PAYLOAD_SCHEMA = {
-  'type': 'object',
-  'properties': {
-    'ref': {
-      'type': 'string',
+    "type": "object",
+    "properties": {
+        "ref": {"type": "string"},
+        "head_commit": {
+            "type": ["object", "null"],
+            "properties": {
+                "id": {"type": "string"},
+                "url": {"type": "string"},
+                "message": {"type": "string"},
+                "timestamp": {"type": "string"},
+                "author": {
+                    "type": "object",
+                    "properties": {
+                        "username": {"type": "string"},
+                        "html_url": {"type": "string"},
+                        "avatar_url": {"type": "string"},
+                    },
+                },
+                "committer": {
+                    "type": "object",
+                    "properties": {
+                        "username": {"type": "string"},
+                        "html_url": {"type": "string"},
+                        "avatar_url": {"type": "string"},
+                    },
+                },
+            },
+            "required": ["id", "url", "message", "timestamp"],
+        },
+        "repository": {
+            "type": "object",
+            "properties": {"ssh_url": {"type": "string"}},
+            "required": ["ssh_url"],
+        },
     },
-    'head_commit': {
-      'type': ['object', 'null'],
-      'properties': {
-        'id': {
-          'type': 'string',
-        },
-        'url': {
-          'type': 'string',
-        },
-        'message': {
-          'type': 'string',
-        },
-        'timestamp': {
-          'type': 'string',
-        },
-        'author': {
-          'type': 'object',
-          'properties': {
-            'username': {
-              'type': 'string'
-            },
-            'html_url': {
-              'type': 'string'
-            },
-            'avatar_url': {
-              'type': 'string'
-            },
-          },
-        },
-        'committer': {
-          'type': 'object',
-          'properties': {
-            'username': {
-              'type': 'string'
-            },
-            'html_url': {
-              'type': 'string'
-            },
-            'avatar_url': {
-              'type': 'string'
-            },
-          },
-        },
-      },
-      'required': ['id', 'url', 'message', 'timestamp'],
-    },
-    'repository': {
-      'type': 'object',
-      'properties': {
-        'ssh_url': {
-          'type': 'string',
-        },
-      },
-      'required': ['ssh_url'],
-    },
-  },
-  'required': ['ref', 'head_commit', 'repository'],
+    "required": ["ref", "head_commit", "repository"],
 }
 
+
 def get_transformed_webhook_payload(gh_payload, default_branch=None, lookup_user=None):
-  """ Returns the GitHub webhook JSON payload transformed into our own payload
+    """ Returns the GitHub webhook JSON payload transformed into our own payload
       format. If the gh_payload is not valid, returns None.
   """
-  try:
-    validate(gh_payload, GITHUB_WEBHOOK_PAYLOAD_SCHEMA)
-  except Exception as exc:
-    raise InvalidPayloadException(exc.message)
+    try:
+        validate(gh_payload, GITHUB_WEBHOOK_PAYLOAD_SCHEMA)
+    except Exception as exc:
+        raise InvalidPayloadException(exc.message)
 
-  payload = JSONPathDict(gh_payload)
+    payload = JSONPathDict(gh_payload)
 
-  if payload['head_commit'] is None:
-    raise SkipRequestException
+    if payload["head_commit"] is None:
+        raise SkipRequestException
 
-  config = SafeDictSetter()
-  config['commit'] = payload['head_commit.id']
-  config['ref'] = payload['ref']
-  config['default_branch'] = payload['repository.default_branch'] or default_branch
-  config['git_url'] = payload['repository.ssh_url']
+    config = SafeDictSetter()
+    config["commit"] = payload["head_commit.id"]
+    config["ref"] = payload["ref"]
+    config["default_branch"] = payload["repository.default_branch"] or default_branch
+    config["git_url"] = payload["repository.ssh_url"]
 
-  config['commit_info.url'] = payload['head_commit.url']
-  config['commit_info.message'] = payload['head_commit.message']
-  config['commit_info.date'] = payload['head_commit.timestamp']
+    config["commit_info.url"] = payload["head_commit.url"]
+    config["commit_info.message"] = payload["head_commit.message"]
+    config["commit_info.date"] = payload["head_commit.timestamp"]
 
-  config['commit_info.author.username'] = payload['head_commit.author.username']
-  config['commit_info.author.url'] = payload.get('head_commit.author.html_url')
-  config['commit_info.author.avatar_url'] = payload.get('head_commit.author.avatar_url')
+    config["commit_info.author.username"] = payload["head_commit.author.username"]
+    config["commit_info.author.url"] = payload.get("head_commit.author.html_url")
+    config["commit_info.author.avatar_url"] = payload.get(
+        "head_commit.author.avatar_url"
+    )
 
-  config['commit_info.committer.username'] = payload.get('head_commit.committer.username')
-  config['commit_info.committer.url'] = payload.get('head_commit.committer.html_url')
-  config['commit_info.committer.avatar_url'] = payload.get('head_commit.committer.avatar_url')
+    config["commit_info.committer.username"] = payload.get(
+        "head_commit.committer.username"
+    )
+    config["commit_info.committer.url"] = payload.get("head_commit.committer.html_url")
+    config["commit_info.committer.avatar_url"] = payload.get(
+        "head_commit.committer.avatar_url"
+    )
 
-  # Note: GitHub doesn't always return the extra information for users, so we do the lookup
-  # manually if possible.
-  if (lookup_user and not payload.get('head_commit.author.html_url') and
-      payload.get('head_commit.author.username')):
-    author_info = lookup_user(payload['head_commit.author.username'])
-    if author_info:
-      config['commit_info.author.url'] = author_info['html_url']
-      config['commit_info.author.avatar_url'] = author_info['avatar_url']
+    # Note: GitHub doesn't always return the extra information for users, so we do the lookup
+    # manually if possible.
+    if (
+        lookup_user
+        and not payload.get("head_commit.author.html_url")
+        and payload.get("head_commit.author.username")
+    ):
+        author_info = lookup_user(payload["head_commit.author.username"])
+        if author_info:
+            config["commit_info.author.url"] = author_info["html_url"]
+            config["commit_info.author.avatar_url"] = author_info["avatar_url"]
 
-  if (lookup_user and
-      payload.get('head_commit.committer.username') and
-      not payload.get('head_commit.committer.html_url')):
-    committer_info = lookup_user(payload['head_commit.committer.username'])
-    if committer_info:
-      config['commit_info.committer.url'] = committer_info['html_url']
-      config['commit_info.committer.avatar_url'] = committer_info['avatar_url']
+    if (
+        lookup_user
+        and payload.get("head_commit.committer.username")
+        and not payload.get("head_commit.committer.html_url")
+    ):
+        committer_info = lookup_user(payload["head_commit.committer.username"])
+        if committer_info:
+            config["commit_info.committer.url"] = committer_info["html_url"]
+            config["commit_info.committer.avatar_url"] = committer_info["avatar_url"]
 
-  return config.dict_value()
+    return config.dict_value()
 
 
 def _catch_ssl_errors(func):
-  @wraps(func)
-  def wrapper(*args, **kwargs):
-    try:
-      return func(*args, **kwargs)
-    except SSLError as se:
-      msg = 'Request to the GitHub API failed: %s' % se.message
-      logger.exception(msg)
-      raise ExternalServiceError(msg)
-  return wrapper
+    @wraps(func)
+    def wrapper(*args, **kwargs):
+        try:
+            return func(*args, **kwargs)
+        except SSLError as se:
+            msg = "Request to the GitHub API failed: %s" % se.message
+            logger.exception(msg)
+            raise ExternalServiceError(msg)
+
+    return wrapper
 
 
 class GithubBuildTrigger(BuildTriggerHandler):
-  """
+    """
   BuildTrigger for GitHub that uses the archive API and buildpacks.
   """
-  def _get_client(self):
-    """ Returns an authenticated client for talking to the GitHub API. """
-    return Github(self.auth_token,
-                  base_url=github_trigger.api_endpoint(),
-                  client_id=github_trigger.client_id(),
-                  client_secret=github_trigger.client_secret(),
-                  timeout=5)
 
-  @classmethod
-  def service_name(cls):
-    return 'github'
+    def _get_client(self):
+        """ Returns an authenticated client for talking to the GitHub API. """
+        return Github(
+            self.auth_token,
+            base_url=github_trigger.api_endpoint(),
+            client_id=github_trigger.client_id(),
+            client_secret=github_trigger.client_secret(),
+            timeout=5,
+        )
 
-  def is_active(self):
-    return 'hook_id' in self.config
+    @classmethod
+    def service_name(cls):
+        return "github"
 
-  def get_repository_url(self):
-    source = self.config['build_source']
-    return github_trigger.get_public_url(source)
+    def is_active(self):
+        return "hook_id" in self.config
 
-  @staticmethod
-  def _get_error_message(ghe, default_msg):
-    if ghe.data.get('errors') and ghe.data['errors'][0].get('message'):
-      return ghe.data['errors'][0]['message']
+    def get_repository_url(self):
+        source = self.config["build_source"]
+        return github_trigger.get_public_url(source)
 
-    return default_msg
+    @staticmethod
+    def _get_error_message(ghe, default_msg):
+        if ghe.data.get("errors") and ghe.data["errors"][0].get("message"):
+            return ghe.data["errors"][0]["message"]
 
-  @_catch_ssl_errors
-  def activate(self, standard_webhook_url):
-    config = self.config
-    new_build_source = config['build_source']
-    gh_client = self._get_client()
+        return default_msg
 
-    # Find the GitHub repository.
-    try:
-      gh_repo = gh_client.get_repo(new_build_source)
-    except UnknownObjectException:
-      msg = 'Unable to find GitHub repository for source: %s' % new_build_source
-      raise TriggerActivationException(msg)
-
-    # Add a deploy key to the GitHub repository.
-    public_key, private_key = generate_ssh_keypair()
-    config['credentials'] = [
-      {
-        'name': 'SSH Public Key',
-        'value': public_key,
-      },
-    ]
-
-    try:
-      deploy_key = gh_repo.create_key('%s Builder' % app.config['REGISTRY_TITLE'],
-                                      public_key)
-      config['deploy_key_id'] = deploy_key.id
-    except GithubException as ghe:
-      default_msg = 'Unable to add deploy key to repository: %s' % new_build_source
-      msg = GithubBuildTrigger._get_error_message(ghe, default_msg)
-      raise TriggerActivationException(msg)
-
-    # Add the webhook to the GitHub repository.
-    webhook_config = {
-      'url': standard_webhook_url,
-      'content_type': 'json',
-    }
-
-    try:
-      hook = gh_repo.create_hook('web', webhook_config)
-      config['hook_id'] = hook.id
-      config['master_branch'] = gh_repo.default_branch
-    except GithubException as ghe:
-      default_msg = 'Unable to create webhook on repository: %s' % new_build_source
-      msg = GithubBuildTrigger._get_error_message(ghe, default_msg)
-      raise TriggerActivationException(msg)
-
-    return config, {'private_key': private_key}
-
-  @_catch_ssl_errors
-  def deactivate(self):
-    config = self.config
-    gh_client = self._get_client()
-
-    # Find the GitHub repository.
-    try:
-      repo = gh_client.get_repo(config['build_source'])
-    except UnknownObjectException:
-      msg = 'Unable to find GitHub repository for source: %s' % config['build_source']
-      raise TriggerDeactivationException(msg)
-    except GitHubBadCredentialsException:
-      msg = 'Unable to access repository to disable trigger'
-      raise TriggerDeactivationException(msg)
-
-    # If the trigger uses a deploy key, remove it.
-    try:
-      if config['deploy_key_id']:
-        deploy_key = repo.get_key(config['deploy_key_id'])
-        deploy_key.delete()
-    except KeyError:
-      # There was no config['deploy_key_id'], thus this is an old trigger without a deploy key.
-      pass
-    except GithubException as ghe:
-      default_msg = 'Unable to remove deploy key: %s' % config['deploy_key_id']
-      msg = GithubBuildTrigger._get_error_message(ghe, default_msg)
-      raise TriggerDeactivationException(msg)
-
-    # Remove the webhook.
-    if 'hook_id' in config:
-      try:
-        hook = repo.get_hook(config['hook_id'])
-        hook.delete()
-      except GithubException as ghe:
-        default_msg = 'Unable to remove hook: %s' % config['hook_id']
-        msg = GithubBuildTrigger._get_error_message(ghe, default_msg)
-        raise TriggerDeactivationException(msg)
-
-    config.pop('hook_id', None)
-    self.config = config
-    return config
-
-  @_catch_ssl_errors
-  def list_build_source_namespaces(self):
-    gh_client = self._get_client()
-    usr = gh_client.get_user()
-
-    # Build the full set of namespaces for the user, starting with their own.
-    namespaces = {}
-    namespaces[usr.login] = {
-      'personal': True,
-      'id': usr.login,
-      'title': usr.name or usr.login,
-      'avatar_url': usr.avatar_url,
-      'url': usr.html_url,
-      'score': usr.plan.private_repos if usr.plan else 0,
-    }
-
-    for org in usr.get_orgs():
-      organization = org.login if org.login else org.name
-
-      # NOTE: We don't load the organization's html_url nor its plan, because doing
-      # so requires loading *each organization* via its own API call in this tight
-      # loop, which was massively slowing down the load time for users when setting
-      # up triggers.
-      namespaces[organization] = {
-        'personal': False,
-        'id': organization,
-        'title': organization,
-        'avatar_url': org.avatar_url,
-        'url': '',
-        'score': 0,
-      }
-
-    return BuildTriggerHandler.build_namespaces_response(namespaces)
-
-  @_catch_ssl_errors
-  def list_build_sources_for_namespace(self, namespace):
-    def repo_view(repo):
-      return {
-        'name': repo.name,
-        'full_name': repo.full_name,
-        'description': repo.description or '',
-        'last_updated': timegm(repo.pushed_at.utctimetuple()) if repo.pushed_at else 0,
-        'url': repo.html_url,
-        'has_admin_permissions': repo.permissions.admin,
-        'private': repo.private,
-      }
-
-    gh_client = self._get_client()
-    usr = gh_client.get_user()
-    if namespace == usr.login:
-      repos = [repo_view(repo) for repo in usr.get_repos(type='owner', sort='updated')]
-      return BuildTriggerHandler.build_sources_response(repos)
-
-    try:
-      org = gh_client.get_organization(namespace)
-      if org is None:
-        return []
-    except GithubException:
-      return []
-
-    repos = [repo_view(repo) for repo in org.get_repos(type='member')]
-    return BuildTriggerHandler.build_sources_response(repos)
-
-
-  @_catch_ssl_errors
-  def list_build_subdirs(self):
-    config = self.config
-    gh_client = self._get_client()
-    source = config['build_source']
-
-    try:
-      repo = gh_client.get_repo(source)
-
-      # Find the first matching branch.
-      repo_branches = self.list_field_values('branch_name') or []
-      branches = find_matching_branches(config, repo_branches)
-      branches = branches or [repo.default_branch or 'master']
-      default_commit = repo.get_branch(branches[0]).commit
-      commit_tree = repo.get_git_tree(default_commit.sha, recursive=True)
-
-      return [elem.path for elem in commit_tree.tree
-              if (elem.type == u'blob' and self.filename_is_dockerfile(os.path.basename(elem.path)))]
-    except GithubException as ghe:
-      message = ghe.data.get('message', 'Unable to list contents of repository: %s' % source)
-      if message == 'Branch not found':
-        raise EmptyRepositoryException()
-
-      raise RepositoryReadException(message)
-
-  @_catch_ssl_errors
-  def load_dockerfile_contents(self):
-    config = self.config
-    gh_client = self._get_client()
-    source = config['build_source']
-
-    try:
-      repo = gh_client.get_repo(source)
-    except GithubException as ghe:
-      message = ghe.data.get('message', 'Unable to list contents of repository: %s' % source)
-      raise RepositoryReadException(message)
-
-    path = self.get_dockerfile_path()
-    if not path:
-      return None
-
-    try:
-      file_info = repo.get_contents(path)
-    # TypeError is needed because directory inputs cause a TypeError
-    except (GithubException, TypeError) as ghe:
-      logger.error("got error from trying to find github file %s" % ghe)
-      return None
-
-    if file_info is None:
-      return None
-
-    if isinstance(file_info, list):
-      return None
-
-    content = file_info.content
-    if file_info.encoding == 'base64':
-      content = base64.b64decode(content)
-    return content
-
-  @_catch_ssl_errors
-  def list_field_values(self, field_name, limit=None):
-    if field_name == 'refs':
-      branches = self.list_field_values('branch_name')
-      tags = self.list_field_values('tag_name')
-
-      return ([{'kind': 'branch', 'name': b} for b in branches] +
-              [{'kind': 'tag', 'name': tag} for tag in tags])
-
-    config = self.config
-    source = config.get('build_source')
-    if source is None:
-      return []
-
-    if field_name == 'tag_name':
-      try:
+    @_catch_ssl_errors
+    def activate(self, standard_webhook_url):
+        config = self.config
+        new_build_source = config["build_source"]
         gh_client = self._get_client()
-        repo = gh_client.get_repo(source)
-        gh_tags = repo.get_tags()
-        if limit:
-          gh_tags = repo.get_tags()[0:limit]
 
-        return [tag.name for tag in gh_tags]
-      except GitHubBadCredentialsException:
-        return []
-      except GithubException:
-        logger.exception("Got GitHub Exception when trying to list tags for trigger %s",
-                         self.trigger.id)
-        return []
+        # Find the GitHub repository.
+        try:
+            gh_repo = gh_client.get_repo(new_build_source)
+        except UnknownObjectException:
+            msg = "Unable to find GitHub repository for source: %s" % new_build_source
+            raise TriggerActivationException(msg)
 
-    if field_name == 'branch_name':
-      try:
+        # Add a deploy key to the GitHub repository.
+        public_key, private_key = generate_ssh_keypair()
+        config["credentials"] = [{"name": "SSH Public Key", "value": public_key}]
+
+        try:
+            deploy_key = gh_repo.create_key(
+                "%s Builder" % app.config["REGISTRY_TITLE"], public_key
+            )
+            config["deploy_key_id"] = deploy_key.id
+        except GithubException as ghe:
+            default_msg = (
+                "Unable to add deploy key to repository: %s" % new_build_source
+            )
+            msg = GithubBuildTrigger._get_error_message(ghe, default_msg)
+            raise TriggerActivationException(msg)
+
+        # Add the webhook to the GitHub repository.
+        webhook_config = {"url": standard_webhook_url, "content_type": "json"}
+
+        try:
+            hook = gh_repo.create_hook("web", webhook_config)
+            config["hook_id"] = hook.id
+            config["master_branch"] = gh_repo.default_branch
+        except GithubException as ghe:
+            default_msg = (
+                "Unable to create webhook on repository: %s" % new_build_source
+            )
+            msg = GithubBuildTrigger._get_error_message(ghe, default_msg)
+            raise TriggerActivationException(msg)
+
+        return config, {"private_key": private_key}
+
+    @_catch_ssl_errors
+    def deactivate(self):
+        config = self.config
         gh_client = self._get_client()
-        repo = gh_client.get_repo(source)
-        gh_branches = repo.get_branches()
-        if limit:
-          gh_branches = repo.get_branches()[0:limit]
 
-        branches = [branch.name for branch in gh_branches]
+        # Find the GitHub repository.
+        try:
+            repo = gh_client.get_repo(config["build_source"])
+        except UnknownObjectException:
+            msg = (
+                "Unable to find GitHub repository for source: %s"
+                % config["build_source"]
+            )
+            raise TriggerDeactivationException(msg)
+        except GitHubBadCredentialsException:
+            msg = "Unable to access repository to disable trigger"
+            raise TriggerDeactivationException(msg)
 
-        if not repo.default_branch in branches:
-          branches.insert(0, repo.default_branch)
+        # If the trigger uses a deploy key, remove it.
+        try:
+            if config["deploy_key_id"]:
+                deploy_key = repo.get_key(config["deploy_key_id"])
+                deploy_key.delete()
+        except KeyError:
+            # There was no config['deploy_key_id'], thus this is an old trigger without a deploy key.
+            pass
+        except GithubException as ghe:
+            default_msg = "Unable to remove deploy key: %s" % config["deploy_key_id"]
+            msg = GithubBuildTrigger._get_error_message(ghe, default_msg)
+            raise TriggerDeactivationException(msg)
 
-        if branches[0] != repo.default_branch:
-          branches.remove(repo.default_branch)
-          branches.insert(0, repo.default_branch)
+        # Remove the webhook.
+        if "hook_id" in config:
+            try:
+                hook = repo.get_hook(config["hook_id"])
+                hook.delete()
+            except GithubException as ghe:
+                default_msg = "Unable to remove hook: %s" % config["hook_id"]
+                msg = GithubBuildTrigger._get_error_message(ghe, default_msg)
+                raise TriggerDeactivationException(msg)
 
-        return branches
-      except GitHubBadCredentialsException:
-        return ['master']
-      except GithubException:
-        logger.exception("Got GitHub Exception when trying to list branches for trigger %s",
-                         self.trigger.id)
-        return ['master']
+        config.pop("hook_id", None)
+        self.config = config
+        return config
 
-    return None
+    @_catch_ssl_errors
+    def list_build_source_namespaces(self):
+        gh_client = self._get_client()
+        usr = gh_client.get_user()
 
-  @classmethod
-  def _build_metadata_for_commit(cls, commit_sha, ref, repo):
-    try:
-      commit = repo.get_commit(commit_sha)
-    except GithubException:
-      logger.exception('Could not load commit information from GitHub')
-      return None
+        # Build the full set of namespaces for the user, starting with their own.
+        namespaces = {}
+        namespaces[usr.login] = {
+            "personal": True,
+            "id": usr.login,
+            "title": usr.name or usr.login,
+            "avatar_url": usr.avatar_url,
+            "url": usr.html_url,
+            "score": usr.plan.private_repos if usr.plan else 0,
+        }
 
-    commit_info = {
-      'url': commit.html_url,
-      'message': commit.commit.message,
-      'date': commit.last_modified
-    }
+        for org in usr.get_orgs():
+            organization = org.login if org.login else org.name
 
-    if commit.author:
-      commit_info['author'] = {
-        'username': commit.author.login,
-        'avatar_url': commit.author.avatar_url,
-        'url': commit.author.html_url
-      }
+            # NOTE: We don't load the organization's html_url nor its plan, because doing
+            # so requires loading *each organization* via its own API call in this tight
+            # loop, which was massively slowing down the load time for users when setting
+            # up triggers.
+            namespaces[organization] = {
+                "personal": False,
+                "id": organization,
+                "title": organization,
+                "avatar_url": org.avatar_url,
+                "url": "",
+                "score": 0,
+            }
 
-    if commit.committer:
-      commit_info['committer'] = {
-        'username': commit.committer.login,
-        'avatar_url': commit.committer.avatar_url,
-        'url': commit.committer.html_url
-      }
+        return BuildTriggerHandler.build_namespaces_response(namespaces)
 
-    return {
-      'commit': commit_sha,
-      'ref': ref,
-      'default_branch': repo.default_branch,
-      'git_url': repo.ssh_url,
-      'commit_info': commit_info
-    }
+    @_catch_ssl_errors
+    def list_build_sources_for_namespace(self, namespace):
+        def repo_view(repo):
+            return {
+                "name": repo.name,
+                "full_name": repo.full_name,
+                "description": repo.description or "",
+                "last_updated": timegm(repo.pushed_at.utctimetuple())
+                if repo.pushed_at
+                else 0,
+                "url": repo.html_url,
+                "has_admin_permissions": repo.permissions.admin,
+                "private": repo.private,
+            }
 
-  @_catch_ssl_errors
-  def manual_start(self, run_parameters=None):
-    config = self.config
-    source = config['build_source']
+        gh_client = self._get_client()
+        usr = gh_client.get_user()
+        if namespace == usr.login:
+            repos = [
+                repo_view(repo) for repo in usr.get_repos(type="owner", sort="updated")
+            ]
+            return BuildTriggerHandler.build_sources_response(repos)
 
-    try:
-      gh_client = self._get_client()
-      repo = gh_client.get_repo(source)
-      default_branch = repo.default_branch
-    except GithubException as ghe:
-      msg = GithubBuildTrigger._get_error_message(ghe, 'Unable to start build trigger')
-      raise TriggerStartException(msg)
+        try:
+            org = gh_client.get_organization(namespace)
+            if org is None:
+                return []
+        except GithubException:
+            return []
 
-    def get_branch_sha(branch_name):
-      try:
-        branch = repo.get_branch(branch_name)
-        return branch.commit.sha
-      except GithubException:
-        raise TriggerStartException('Could not find branch in repository')
+        repos = [repo_view(repo) for repo in org.get_repos(type="member")]
+        return BuildTriggerHandler.build_sources_response(repos)
 
-    def get_tag_sha(tag_name):
-      tags = {tag.name: tag for tag in repo.get_tags()}
-      if not tag_name in tags:
-        raise TriggerStartException('Could not find tag in repository')
+    @_catch_ssl_errors
+    def list_build_subdirs(self):
+        config = self.config
+        gh_client = self._get_client()
+        source = config["build_source"]
 
-      return tags[tag_name].commit.sha
+        try:
+            repo = gh_client.get_repo(source)
 
-    # Find the branch or tag to build.
-    (commit_sha, ref) = determine_build_ref(run_parameters, get_branch_sha, get_tag_sha,
-                                            default_branch)
+            # Find the first matching branch.
+            repo_branches = self.list_field_values("branch_name") or []
+            branches = find_matching_branches(config, repo_branches)
+            branches = branches or [repo.default_branch or "master"]
+            default_commit = repo.get_branch(branches[0]).commit
+            commit_tree = repo.get_git_tree(default_commit.sha, recursive=True)
 
-    metadata = GithubBuildTrigger._build_metadata_for_commit(commit_sha, ref, repo)
-    return self.prepare_build(metadata, is_manual=True)
+            return [
+                elem.path
+                for elem in commit_tree.tree
+                if (
+                    elem.type == u"blob"
+                    and self.filename_is_dockerfile(os.path.basename(elem.path))
+                )
+            ]
+        except GithubException as ghe:
+            message = ghe.data.get(
+                "message", "Unable to list contents of repository: %s" % source
+            )
+            if message == "Branch not found":
+                raise EmptyRepositoryException()
 
-  @_catch_ssl_errors
-  def lookup_user(self, username):
-    try:
-      gh_client = self._get_client()
-      user = gh_client.get_user(username)
-      return {
-        'html_url': user.html_url,
-        'avatar_url': user.avatar_url
-      }
-    except GithubException:
-      return None
+            raise RepositoryReadException(message)
 
-  @_catch_ssl_errors
-  def handle_trigger_request(self, request):
-    # Check the payload to see if we should skip it based on the lack of a head_commit.
-    payload = request.get_json()
-    if payload is None:
-      raise InvalidPayloadException('Missing payload')
+    @_catch_ssl_errors
+    def load_dockerfile_contents(self):
+        config = self.config
+        gh_client = self._get_client()
+        source = config["build_source"]
 
-    # This is for GitHub's probing/testing.
-    if 'zen' in payload:
-      raise SkipRequestException()
+        try:
+            repo = gh_client.get_repo(source)
+        except GithubException as ghe:
+            message = ghe.data.get(
+                "message", "Unable to list contents of repository: %s" % source
+            )
+            raise RepositoryReadException(message)
 
-    # Lookup the default branch for the repository.
-    if 'repository' not in payload:
-      raise InvalidPayloadException("Missing 'repository' on request")
+        path = self.get_dockerfile_path()
+        if not path:
+            return None
 
-    if 'owner' not in payload['repository']:
-      raise InvalidPayloadException("Missing 'owner' on repository")
+        try:
+            file_info = repo.get_contents(path)
+        # TypeError is needed because directory inputs cause a TypeError
+        except (GithubException, TypeError) as ghe:
+            logger.error("got error from trying to find github file %s" % ghe)
+            return None
 
-    if 'name' not in payload['repository']['owner']:
-      raise InvalidPayloadException("Missing owner 'name' on repository")
+        if file_info is None:
+            return None
 
-    if 'name' not in payload['repository']:
-      raise InvalidPayloadException("Missing 'name' on repository")
+        if isinstance(file_info, list):
+            return None
 
-    default_branch = None
-    lookup_user = None
-    try:
-      repo_full_name = '%s/%s' % (payload['repository']['owner']['name'],
-                                  payload['repository']['name'])
+        content = file_info.content
+        if file_info.encoding == "base64":
+            content = base64.b64decode(content)
+        return content
 
-      gh_client = self._get_client()
-      repo = gh_client.get_repo(repo_full_name)
-      default_branch = repo.default_branch
-      lookup_user = self.lookup_user
-    except GitHubBadCredentialsException:
-      logger.exception('Got GitHub Credentials Exception; Cannot lookup default branch')
-    except GithubException:
-      logger.exception("Got GitHub Exception when trying to start trigger %s", self.trigger.id)
-      raise SkipRequestException()
+    @_catch_ssl_errors
+    def list_field_values(self, field_name, limit=None):
+        if field_name == "refs":
+            branches = self.list_field_values("branch_name")
+            tags = self.list_field_values("tag_name")
 
-    logger.debug('GitHub trigger payload %s', payload)
-    metadata = get_transformed_webhook_payload(payload, default_branch=default_branch,
-                                               lookup_user=lookup_user)
-    prepared = self.prepare_build(metadata)
+            return [{"kind": "branch", "name": b} for b in branches] + [
+                {"kind": "tag", "name": tag} for tag in tags
+            ]
 
-    # Check if we should skip this build.
-    raise_if_skipped_build(prepared, self.config)
-    return prepared
+        config = self.config
+        source = config.get("build_source")
+        if source is None:
+            return []
+
+        if field_name == "tag_name":
+            try:
+                gh_client = self._get_client()
+                repo = gh_client.get_repo(source)
+                gh_tags = repo.get_tags()
+                if limit:
+                    gh_tags = repo.get_tags()[0:limit]
+
+                return [tag.name for tag in gh_tags]
+            except GitHubBadCredentialsException:
+                return []
+            except GithubException:
+                logger.exception(
+                    "Got GitHub Exception when trying to list tags for trigger %s",
+                    self.trigger.id,
+                )
+                return []
+
+        if field_name == "branch_name":
+            try:
+                gh_client = self._get_client()
+                repo = gh_client.get_repo(source)
+                gh_branches = repo.get_branches()
+                if limit:
+                    gh_branches = repo.get_branches()[0:limit]
+
+                branches = [branch.name for branch in gh_branches]
+
+                if not repo.default_branch in branches:
+                    branches.insert(0, repo.default_branch)
+
+                if branches[0] != repo.default_branch:
+                    branches.remove(repo.default_branch)
+                    branches.insert(0, repo.default_branch)
+
+                return branches
+            except GitHubBadCredentialsException:
+                return ["master"]
+            except GithubException:
+                logger.exception(
+                    "Got GitHub Exception when trying to list branches for trigger %s",
+                    self.trigger.id,
+                )
+                return ["master"]
+
+        return None
+
+    @classmethod
+    def _build_metadata_for_commit(cls, commit_sha, ref, repo):
+        try:
+            commit = repo.get_commit(commit_sha)
+        except GithubException:
+            logger.exception("Could not load commit information from GitHub")
+            return None
+
+        commit_info = {
+            "url": commit.html_url,
+            "message": commit.commit.message,
+            "date": commit.last_modified,
+        }
+
+        if commit.author:
+            commit_info["author"] = {
+                "username": commit.author.login,
+                "avatar_url": commit.author.avatar_url,
+                "url": commit.author.html_url,
+            }
+
+        if commit.committer:
+            commit_info["committer"] = {
+                "username": commit.committer.login,
+                "avatar_url": commit.committer.avatar_url,
+                "url": commit.committer.html_url,
+            }
+
+        return {
+            "commit": commit_sha,
+            "ref": ref,
+            "default_branch": repo.default_branch,
+            "git_url": repo.ssh_url,
+            "commit_info": commit_info,
+        }
+
+    @_catch_ssl_errors
+    def manual_start(self, run_parameters=None):
+        config = self.config
+        source = config["build_source"]
+
+        try:
+            gh_client = self._get_client()
+            repo = gh_client.get_repo(source)
+            default_branch = repo.default_branch
+        except GithubException as ghe:
+            msg = GithubBuildTrigger._get_error_message(
+                ghe, "Unable to start build trigger"
+            )
+            raise TriggerStartException(msg)
+
+        def get_branch_sha(branch_name):
+            try:
+                branch = repo.get_branch(branch_name)
+                return branch.commit.sha
+            except GithubException:
+                raise TriggerStartException("Could not find branch in repository")
+
+        def get_tag_sha(tag_name):
+            tags = {tag.name: tag for tag in repo.get_tags()}
+            if not tag_name in tags:
+                raise TriggerStartException("Could not find tag in repository")
+
+            return tags[tag_name].commit.sha
+
+        # Find the branch or tag to build.
+        (commit_sha, ref) = determine_build_ref(
+            run_parameters, get_branch_sha, get_tag_sha, default_branch
+        )
+
+        metadata = GithubBuildTrigger._build_metadata_for_commit(commit_sha, ref, repo)
+        return self.prepare_build(metadata, is_manual=True)
+
+    @_catch_ssl_errors
+    def lookup_user(self, username):
+        try:
+            gh_client = self._get_client()
+            user = gh_client.get_user(username)
+            return {"html_url": user.html_url, "avatar_url": user.avatar_url}
+        except GithubException:
+            return None
+
+    @_catch_ssl_errors
+    def handle_trigger_request(self, request):
+        # Check the payload to see if we should skip it based on the lack of a head_commit.
+        payload = request.get_json()
+        if payload is None:
+            raise InvalidPayloadException("Missing payload")
+
+        # This is for GitHub's probing/testing.
+        if "zen" in payload:
+            raise SkipRequestException()
+
+        # Lookup the default branch for the repository.
+        if "repository" not in payload:
+            raise InvalidPayloadException("Missing 'repository' on request")
+
+        if "owner" not in payload["repository"]:
+            raise InvalidPayloadException("Missing 'owner' on repository")
+
+        if "name" not in payload["repository"]["owner"]:
+            raise InvalidPayloadException("Missing owner 'name' on repository")
+
+        if "name" not in payload["repository"]:
+            raise InvalidPayloadException("Missing 'name' on repository")
+
+        default_branch = None
+        lookup_user = None
+        try:
+            repo_full_name = "%s/%s" % (
+                payload["repository"]["owner"]["name"],
+                payload["repository"]["name"],
+            )
+
+            gh_client = self._get_client()
+            repo = gh_client.get_repo(repo_full_name)
+            default_branch = repo.default_branch
+            lookup_user = self.lookup_user
+        except GitHubBadCredentialsException:
+            logger.exception(
+                "Got GitHub Credentials Exception; Cannot lookup default branch"
+            )
+        except GithubException:
+            logger.exception(
+                "Got GitHub Exception when trying to start trigger %s", self.trigger.id
+            )
+            raise SkipRequestException()
+
+        logger.debug("GitHub trigger payload %s", payload)
+        metadata = get_transformed_webhook_payload(
+            payload, default_branch=default_branch, lookup_user=lookup_user
+        )
+        prepared = self.prepare_build(metadata)
+
+        # Check if we should skip this build.
+        raise_if_skipped_build(prepared, self.config)
+        return prepared
diff --git a/buildtrigger/gitlabhandler.py b/buildtrigger/gitlabhandler.py
index 9ed3e91d0..fbb0afa63 100644
--- a/buildtrigger/gitlabhandler.py
+++ b/buildtrigger/gitlabhandler.py
@@ -11,12 +11,18 @@ import requests
 from jsonschema import validate
 
 from app import app, gitlab_trigger
-from buildtrigger.triggerutil import (RepositoryReadException, TriggerActivationException,
-                                      TriggerDeactivationException, TriggerStartException,
-                                      SkipRequestException, InvalidPayloadException,
-                                      TriggerAuthException,
-                                      determine_build_ref, raise_if_skipped_build,
-                                      find_matching_branches)
+from buildtrigger.triggerutil import (
+    RepositoryReadException,
+    TriggerActivationException,
+    TriggerDeactivationException,
+    TriggerStartException,
+    SkipRequestException,
+    InvalidPayloadException,
+    TriggerAuthException,
+    determine_build_ref,
+    raise_if_skipped_build,
+    find_matching_branches,
+)
 from buildtrigger.basehandler import BuildTriggerHandler
 from endpoints.exception import ExternalServiceError
 from util.security.ssh import generate_ssh_keypair
@@ -25,597 +31,616 @@ from util.dict_wrappers import JSONPathDict, SafeDictSetter
 logger = logging.getLogger(__name__)
 
 GITLAB_WEBHOOK_PAYLOAD_SCHEMA = {
-  'type': 'object',
-  'properties': {
-    'ref': {
-      'type': 'string',
-    },
-    'checkout_sha': {
-      'type': ['string', 'null'],
-    },
-    'repository': {
-      'type': 'object',
-      'properties': {
-        'git_ssh_url': {
-          'type': 'string',
+    "type": "object",
+    "properties": {
+        "ref": {"type": "string"},
+        "checkout_sha": {"type": ["string", "null"]},
+        "repository": {
+            "type": "object",
+            "properties": {"git_ssh_url": {"type": "string"}},
+            "required": ["git_ssh_url"],
         },
-      },
-      'required': ['git_ssh_url'],
-    },
-    'commits': {
-      'type': 'array',
-      'items': {
-        'type': 'object',
-        'properties': {
-          'id': {
-            'type': 'string',
-          },
-          'url': {
-            'type': ['string', 'null'],
-          },
-          'message': {
-            'type': 'string',
-          },
-          'timestamp': {
-            'type': 'string',
-          },
-          'author': {
-            'type': 'object',
-            'properties': {
-              'email': {
-                'type': 'string',
-              },
+        "commits": {
+            "type": "array",
+            "items": {
+                "type": "object",
+                "properties": {
+                    "id": {"type": "string"},
+                    "url": {"type": ["string", "null"]},
+                    "message": {"type": "string"},
+                    "timestamp": {"type": "string"},
+                    "author": {
+                        "type": "object",
+                        "properties": {"email": {"type": "string"}},
+                        "required": ["email"],
+                    },
+                },
+                "required": ["id", "message", "timestamp"],
             },
-            'required': ['email'],
-          },
         },
-        'required': ['id', 'message', 'timestamp'],
-      },
     },
-  },
-  'required': ['ref', 'checkout_sha', 'repository'],
+    "required": ["ref", "checkout_sha", "repository"],
 }
 
 _ACCESS_LEVEL_MAP = {
-  50: ("owner", True),
-  40: ("master", True),
-  30: ("developer", False),
-  20: ("reporter", False),
-  10: ("guest", False),
+    50: ("owner", True),
+    40: ("master", True),
+    30: ("developer", False),
+    20: ("reporter", False),
+    10: ("guest", False),
 }
 
 _PER_PAGE_COUNT = 20
 
 
 def _catch_timeouts_and_errors(func):
-  @wraps(func)
-  def wrapper(*args, **kwargs):
-    try:
-      return func(*args, **kwargs)
-    except requests.exceptions.Timeout:
-      msg = 'Request to the GitLab API timed out'
-      logger.exception(msg)
-      raise ExternalServiceError(msg)
-    except gitlab.GitlabError:
-      msg = 'GitLab API error. Please contact support.'
-      logger.exception(msg)
-      raise ExternalServiceError(msg)
-  return wrapper
+    @wraps(func)
+    def wrapper(*args, **kwargs):
+        try:
+            return func(*args, **kwargs)
+        except requests.exceptions.Timeout:
+            msg = "Request to the GitLab API timed out"
+            logger.exception(msg)
+            raise ExternalServiceError(msg)
+        except gitlab.GitlabError:
+            msg = "GitLab API error. Please contact support."
+            logger.exception(msg)
+            raise ExternalServiceError(msg)
+
+    return wrapper
 
 
 def _paginated_iterator(func, exc, **kwargs):
-  """ Returns an iterator over invocations of the given function, automatically handling
+    """ Returns an iterator over invocations of the given function, automatically handling
       pagination.
   """
-  page = 1
-  while True:
-    result = func(page=page, per_page=_PER_PAGE_COUNT, **kwargs)
-    if result is None or result is False:
-      raise exc
+    page = 1
+    while True:
+        result = func(page=page, per_page=_PER_PAGE_COUNT, **kwargs)
+        if result is None or result is False:
+            raise exc
 
-    counter = 0
-    for item in result:
-      yield item
-      counter = counter + 1
+        counter = 0
+        for item in result:
+            yield item
+            counter = counter + 1
 
-    if counter < _PER_PAGE_COUNT:
-      break
+        if counter < _PER_PAGE_COUNT:
+            break
 
-    page = page + 1
+        page = page + 1
 
 
-def get_transformed_webhook_payload(gl_payload, default_branch=None, lookup_user=None,
-                                    lookup_commit=None):
-  """ Returns the Gitlab webhook JSON payload transformed into our own payload
+def get_transformed_webhook_payload(
+    gl_payload, default_branch=None, lookup_user=None, lookup_commit=None
+):
+    """ Returns the Gitlab webhook JSON payload transformed into our own payload
       format. If the gl_payload is not valid, returns None.
   """
-  try:
-    validate(gl_payload, GITLAB_WEBHOOK_PAYLOAD_SCHEMA)
-  except Exception as exc:
-    raise InvalidPayloadException(exc.message)
+    try:
+        validate(gl_payload, GITLAB_WEBHOOK_PAYLOAD_SCHEMA)
+    except Exception as exc:
+        raise InvalidPayloadException(exc.message)
 
-  payload = JSONPathDict(gl_payload)
+    payload = JSONPathDict(gl_payload)
 
-  if payload['object_kind'] != 'push' and payload['object_kind'] != 'tag_push':
-    # Unknown kind of webhook.
-    raise SkipRequestException
+    if payload["object_kind"] != "push" and payload["object_kind"] != "tag_push":
+        # Unknown kind of webhook.
+        raise SkipRequestException
 
-  # Check for empty commits. The commits list will be empty if the branch is deleted.
-  commits = payload['commits']
-  if payload['object_kind'] == 'push' and not commits:
-    raise SkipRequestException
+    # Check for empty commits. The commits list will be empty if the branch is deleted.
+    commits = payload["commits"]
+    if payload["object_kind"] == "push" and not commits:
+        raise SkipRequestException
 
-  # Check for missing commit information.
-  commit_sha = payload['checkout_sha'] or payload['after']
-  if commit_sha is None or commit_sha == '0000000000000000000000000000000000000000':
-    raise SkipRequestException
+    # Check for missing commit information.
+    commit_sha = payload["checkout_sha"] or payload["after"]
+    if commit_sha is None or commit_sha == "0000000000000000000000000000000000000000":
+        raise SkipRequestException
 
-  config = SafeDictSetter()
-  config['commit'] = commit_sha
-  config['ref'] = payload['ref']
-  config['default_branch'] = default_branch
-  config['git_url'] = payload['repository.git_ssh_url']
+    config = SafeDictSetter()
+    config["commit"] = commit_sha
+    config["ref"] = payload["ref"]
+    config["default_branch"] = default_branch
+    config["git_url"] = payload["repository.git_ssh_url"]
 
-  found_commit = JSONPathDict({})
-  if payload['object_kind'] == 'push' or payload['object_kind'] == 'tag_push':
-    # Find the commit associated with the checkout_sha. Gitlab doesn't (necessary) send this in
-    # any order, so we cannot simply index into the commits list.
-    found_commit = None
-    if commits is not None:
-      for commit in commits:
-        if commit['id'] == payload['checkout_sha']:
-          found_commit = JSONPathDict(commit)
-          break
+    found_commit = JSONPathDict({})
+    if payload["object_kind"] == "push" or payload["object_kind"] == "tag_push":
+        # Find the commit associated with the checkout_sha. Gitlab doesn't (necessary) send this in
+        # any order, so we cannot simply index into the commits list.
+        found_commit = None
+        if commits is not None:
+            for commit in commits:
+                if commit["id"] == payload["checkout_sha"]:
+                    found_commit = JSONPathDict(commit)
+                    break
 
-    if found_commit is None and lookup_commit:
-      checkout_sha = payload['checkout_sha'] or payload['after']
-      found_commit_info = lookup_commit(payload['project_id'], checkout_sha)
-      found_commit = JSONPathDict(dict(found_commit_info) if found_commit_info else {})
+        if found_commit is None and lookup_commit:
+            checkout_sha = payload["checkout_sha"] or payload["after"]
+            found_commit_info = lookup_commit(payload["project_id"], checkout_sha)
+            found_commit = JSONPathDict(
+                dict(found_commit_info) if found_commit_info else {}
+            )
 
-    if found_commit is None:
-      raise SkipRequestException
+        if found_commit is None:
+            raise SkipRequestException
 
-  config['commit_info.url'] = found_commit['url']
-  config['commit_info.message'] = found_commit['message']
-  config['commit_info.date'] = found_commit['timestamp']
+    config["commit_info.url"] = found_commit["url"]
+    config["commit_info.message"] = found_commit["message"]
+    config["commit_info.date"] = found_commit["timestamp"]
 
-  # Note: Gitlab does not send full user information with the payload, so we have to
-  # (optionally) look it up.
-  author_email = found_commit['author.email'] or found_commit['author_email']
-  if lookup_user and author_email:
-    author_info = lookup_user(author_email)
-    if author_info:
-      config['commit_info.author.username'] = author_info['username']
-      config['commit_info.author.url'] = author_info['html_url']
-      config['commit_info.author.avatar_url'] = author_info['avatar_url']
+    # Note: Gitlab does not send full user information with the payload, so we have to
+    # (optionally) look it up.
+    author_email = found_commit["author.email"] or found_commit["author_email"]
+    if lookup_user and author_email:
+        author_info = lookup_user(author_email)
+        if author_info:
+            config["commit_info.author.username"] = author_info["username"]
+            config["commit_info.author.url"] = author_info["html_url"]
+            config["commit_info.author.avatar_url"] = author_info["avatar_url"]
 
-  return config.dict_value()
+    return config.dict_value()
 
 
 class GitLabBuildTrigger(BuildTriggerHandler):
-  """
+    """
   BuildTrigger for GitLab.
   """
-  @classmethod
-  def service_name(cls):
-    return 'gitlab'
 
-  def _get_authorized_client(self):
-    auth_token = self.auth_token or 'invalid'
-    api_version = self.config.get('API_VERSION', '4')
-    client = gitlab.Gitlab(gitlab_trigger.api_endpoint(), oauth_token=auth_token, timeout=20,
-                           api_version=api_version)
-    try:
-      client.auth()
-    except gitlab.GitlabGetError as ex:
-      raise TriggerAuthException(ex.message)
+    @classmethod
+    def service_name(cls):
+        return "gitlab"
 
-    return client
+    def _get_authorized_client(self):
+        auth_token = self.auth_token or "invalid"
+        api_version = self.config.get("API_VERSION", "4")
+        client = gitlab.Gitlab(
+            gitlab_trigger.api_endpoint(),
+            oauth_token=auth_token,
+            timeout=20,
+            api_version=api_version,
+        )
+        try:
+            client.auth()
+        except gitlab.GitlabGetError as ex:
+            raise TriggerAuthException(ex.message)
 
-  def is_active(self):
-    return 'hook_id' in self.config
+        return client
 
-  @_catch_timeouts_and_errors
-  def activate(self, standard_webhook_url):
-    config = self.config
-    new_build_source = config['build_source']
-    gl_client = self._get_authorized_client()
+    def is_active(self):
+        return "hook_id" in self.config
 
-    # Find the GitLab repository.
-    gl_project = gl_client.projects.get(new_build_source)
-    if not gl_project:
-      msg = 'Unable to find GitLab repository for source: %s' % new_build_source
-      raise TriggerActivationException(msg)
+    @_catch_timeouts_and_errors
+    def activate(self, standard_webhook_url):
+        config = self.config
+        new_build_source = config["build_source"]
+        gl_client = self._get_authorized_client()
 
-    # Add a deploy key to the repository.
-    public_key, private_key = generate_ssh_keypair()
-    config['credentials'] = [
-      {
-        'name': 'SSH Public Key',
-        'value': public_key,
-      },
-    ]
+        # Find the GitLab repository.
+        gl_project = gl_client.projects.get(new_build_source)
+        if not gl_project:
+            msg = "Unable to find GitLab repository for source: %s" % new_build_source
+            raise TriggerActivationException(msg)
 
-    key = gl_project.keys.create({
-      'title': '%s Builder' % app.config['REGISTRY_TITLE'],
-      'key': public_key,
-    })
+        # Add a deploy key to the repository.
+        public_key, private_key = generate_ssh_keypair()
+        config["credentials"] = [{"name": "SSH Public Key", "value": public_key}]
 
-    if not key:
-      msg = 'Unable to add deploy key to repository: %s' % new_build_source
-      raise TriggerActivationException(msg)
+        key = gl_project.keys.create(
+            {"title": "%s Builder" % app.config["REGISTRY_TITLE"], "key": public_key}
+        )
 
-    config['key_id'] = key.get_id()
+        if not key:
+            msg = "Unable to add deploy key to repository: %s" % new_build_source
+            raise TriggerActivationException(msg)
 
-    # Add the webhook to the GitLab repository.
-    hook = gl_project.hooks.create({
-      'url': standard_webhook_url,
-      'push': True,
-      'tag_push': True,
-      'push_events': True,
-      'tag_push_events': True,
-    })
-    if not hook:
-      msg = 'Unable to create webhook on repository: %s' % new_build_source
-      raise TriggerActivationException(msg)
+        config["key_id"] = key.get_id()
 
-    config['hook_id'] = hook.get_id()
-    self.config = config
-    return config, {'private_key': private_key}
+        # Add the webhook to the GitLab repository.
+        hook = gl_project.hooks.create(
+            {
+                "url": standard_webhook_url,
+                "push": True,
+                "tag_push": True,
+                "push_events": True,
+                "tag_push_events": True,
+            }
+        )
+        if not hook:
+            msg = "Unable to create webhook on repository: %s" % new_build_source
+            raise TriggerActivationException(msg)
 
-  def deactivate(self):
-    config = self.config
-    gl_client = self._get_authorized_client()
+        config["hook_id"] = hook.get_id()
+        self.config = config
+        return config, {"private_key": private_key}
+
+    def deactivate(self):
+        config = self.config
+        gl_client = self._get_authorized_client()
+
+        # Find the GitLab repository.
+        try:
+            gl_project = gl_client.projects.get(config["build_source"])
+            if not gl_project:
+                config.pop("key_id", None)
+                config.pop("hook_id", None)
+                self.config = config
+                return config
+        except gitlab.GitlabGetError as ex:
+            if ex.response_code != 404:
+                raise
+
+        # Remove the webhook.
+        try:
+            gl_project.hooks.delete(config["hook_id"])
+        except gitlab.GitlabDeleteError as ex:
+            if ex.response_code != 404:
+                raise
+
+        config.pop("hook_id", None)
+
+        # Remove the key
+        try:
+            gl_project.keys.delete(config["key_id"])
+        except gitlab.GitlabDeleteError as ex:
+            if ex.response_code != 404:
+                raise
+
+        config.pop("key_id", None)
 
-    # Find the GitLab repository.
-    try:
-      gl_project = gl_client.projects.get(config['build_source'])
-      if not gl_project:
-        config.pop('key_id', None)
-        config.pop('hook_id', None)
         self.config = config
         return config
-    except gitlab.GitlabGetError as ex:
-      if ex.response_code != 404:
-        raise
 
-    # Remove the webhook.
-    try:
-      gl_project.hooks.delete(config['hook_id'])
-    except gitlab.GitlabDeleteError as ex:
-      if ex.response_code != 404:
-        raise
+    @_catch_timeouts_and_errors
+    def list_build_source_namespaces(self):
+        gl_client = self._get_authorized_client()
+        current_user = gl_client.user
+        if not current_user:
+            raise RepositoryReadException("Unable to get current user")
 
-    config.pop('hook_id', None)
+        namespaces = {}
+        for namespace in _paginated_iterator(
+            gl_client.namespaces.list, RepositoryReadException
+        ):
+            namespace_id = namespace.get_id()
+            if namespace_id in namespaces:
+                namespaces[namespace_id]["score"] = (
+                    namespaces[namespace_id]["score"] + 1
+                )
+            else:
+                owner = namespace.attributes["name"]
+                namespaces[namespace_id] = {
+                    "personal": namespace.attributes["kind"] == "user",
+                    "id": str(namespace_id),
+                    "title": namespace.attributes["name"],
+                    "avatar_url": namespace.attributes.get("avatar_url"),
+                    "score": 1,
+                    "url": namespace.attributes.get("web_url") or "",
+                }
 
-    # Remove the key
-    try:
-      gl_project.keys.delete(config['key_id'])
-    except gitlab.GitlabDeleteError as ex:
-      if ex.response_code != 404:
-        raise
+        return BuildTriggerHandler.build_namespaces_response(namespaces)
 
-    config.pop('key_id', None)
+    def _get_namespace(self, gl_client, gl_namespace, lazy=False):
+        try:
+            if gl_namespace.attributes["kind"] == "group":
+                return gl_client.groups.get(gl_namespace.attributes["id"], lazy=lazy)
 
-    self.config = config
-    return config
+            if gl_namespace.attributes["kind"] == "user":
+                return gl_client.users.get(gl_client.user.attributes["id"], lazy=lazy)
 
-  @_catch_timeouts_and_errors
-  def list_build_source_namespaces(self):
-    gl_client = self._get_authorized_client()
-    current_user = gl_client.user
-    if not current_user:
-      raise RepositoryReadException('Unable to get current user')
+            # Note: This doesn't seem to work for IDs retrieved via the namespaces API; the IDs are
+            # different.
+            return gl_client.users.get(gl_namespace.attributes["id"], lazy=lazy)
+        except gitlab.GitlabGetError:
+            return None
 
-    namespaces = {}
-    for namespace in _paginated_iterator(gl_client.namespaces.list, RepositoryReadException):
-      namespace_id = namespace.get_id()
-      if namespace_id in namespaces:
-        namespaces[namespace_id]['score'] = namespaces[namespace_id]['score'] + 1
-      else:
-        owner = namespace.attributes['name']
-        namespaces[namespace_id] = {
-          'personal': namespace.attributes['kind'] == 'user',
-          'id': str(namespace_id),
-          'title': namespace.attributes['name'],
-          'avatar_url': namespace.attributes.get('avatar_url'),
-          'score': 1,
-          'url': namespace.attributes.get('web_url') or '',
+    @_catch_timeouts_and_errors
+    def list_build_sources_for_namespace(self, namespace_id):
+        if not namespace_id:
+            return []
+
+        def repo_view(repo):
+            # Because *anything* can be None in GitLab API!
+            permissions = repo.attributes.get("permissions") or {}
+            group_access = permissions.get("group_access") or {}
+            project_access = permissions.get("project_access") or {}
+
+            missing_group_access = permissions.get("group_access") is None
+            missing_project_access = permissions.get("project_access") is None
+
+            access_level = max(
+                group_access.get("access_level") or 0,
+                project_access.get("access_level") or 0,
+            )
+
+            has_admin_permission = _ACCESS_LEVEL_MAP.get(access_level, ("", False))[1]
+            if missing_group_access or missing_project_access:
+                # Default to has permission if we cannot check the permissions. This will allow our users
+                # to select the repository and then GitLab's own checks will ensure that the webhook is
+                # added only if allowed.
+                # TODO: Do we want to display this differently in the UI?
+                has_admin_permission = True
+
+            view = {
+                "name": repo.attributes["path"],
+                "full_name": repo.attributes["path_with_namespace"],
+                "description": repo.attributes.get("description") or "",
+                "url": repo.attributes.get("web_url"),
+                "has_admin_permissions": has_admin_permission,
+                "private": repo.attributes.get("visibility") == "private",
+            }
+
+            if repo.attributes.get("last_activity_at"):
+                try:
+                    last_modified = dateutil.parser.parse(
+                        repo.attributes["last_activity_at"]
+                    )
+                    view["last_updated"] = timegm(last_modified.utctimetuple())
+                except ValueError:
+                    logger.exception(
+                        "Gitlab gave us an invalid last_activity_at: %s", last_modified
+                    )
+
+            return view
+
+        gl_client = self._get_authorized_client()
+
+        try:
+            gl_namespace = gl_client.namespaces.get(namespace_id)
+        except gitlab.GitlabGetError:
+            return []
+
+        namespace_obj = self._get_namespace(gl_client, gl_namespace, lazy=True)
+        repositories = _paginated_iterator(
+            namespace_obj.projects.list, RepositoryReadException
+        )
+
+        try:
+            return BuildTriggerHandler.build_sources_response(
+                [repo_view(repo) for repo in repositories]
+            )
+        except gitlab.GitlabGetError:
+            return []
+
+    @_catch_timeouts_and_errors
+    def list_build_subdirs(self):
+        config = self.config
+        gl_client = self._get_authorized_client()
+        new_build_source = config["build_source"]
+
+        gl_project = gl_client.projects.get(new_build_source)
+        if not gl_project:
+            msg = "Unable to find GitLab repository for source: %s" % new_build_source
+            raise RepositoryReadException(msg)
+
+        repo_branches = gl_project.branches.list()
+        if not repo_branches:
+            msg = "Unable to find GitLab branches for source: %s" % new_build_source
+            raise RepositoryReadException(msg)
+
+        branches = [branch.attributes["name"] for branch in repo_branches]
+        branches = find_matching_branches(config, branches)
+        branches = branches or [gl_project.attributes["default_branch"] or "master"]
+
+        repo_tree = gl_project.repository_tree(ref=branches[0])
+        if not repo_tree:
+            msg = (
+                "Unable to find GitLab repository tree for source: %s"
+                % new_build_source
+            )
+            raise RepositoryReadException(msg)
+
+        return [
+            node["name"]
+            for node in repo_tree
+            if self.filename_is_dockerfile(node["name"])
+        ]
+
+    @_catch_timeouts_and_errors
+    def load_dockerfile_contents(self):
+        gl_client = self._get_authorized_client()
+        path = self.get_dockerfile_path()
+
+        gl_project = gl_client.projects.get(self.config["build_source"])
+        if not gl_project:
+            return None
+
+        branches = self.list_field_values("branch_name")
+        branches = find_matching_branches(self.config, branches)
+        if branches == []:
+            return None
+
+        branch_name = branches[0]
+        if gl_project.attributes["default_branch"] in branches:
+            branch_name = gl_project.attributes["default_branch"]
+
+        try:
+            return gl_project.files.get(path, branch_name).decode()
+        except gitlab.GitlabGetError:
+            return None
+
+    @_catch_timeouts_and_errors
+    def list_field_values(self, field_name, limit=None):
+        if field_name == "refs":
+            branches = self.list_field_values("branch_name")
+            tags = self.list_field_values("tag_name")
+
+            return [{"kind": "branch", "name": b} for b in branches] + [
+                {"kind": "tag", "name": t} for t in tags
+            ]
+
+        gl_client = self._get_authorized_client()
+        gl_project = gl_client.projects.get(self.config["build_source"])
+        if not gl_project:
+            return []
+
+        if field_name == "tag_name":
+            tags = gl_project.tags.list()
+            if not tags:
+                return []
+
+            if limit:
+                tags = tags[0:limit]
+
+            return [tag.attributes["name"] for tag in tags]
+
+        if field_name == "branch_name":
+            branches = gl_project.branches.list()
+            if not branches:
+                return []
+
+            if limit:
+                branches = branches[0:limit]
+
+            return [branch.attributes["name"] for branch in branches]
+
+        return None
+
+    def get_repository_url(self):
+        return gitlab_trigger.get_public_url(self.config["build_source"])
+
+    @_catch_timeouts_and_errors
+    def lookup_commit(self, repo_id, commit_sha):
+        if repo_id is None:
+            return None
+
+        gl_client = self._get_authorized_client()
+        gl_project = gl_client.projects.get(self.config["build_source"], lazy=True)
+        commit = gl_project.commits.get(commit_sha)
+        if not commit:
+            return None
+
+        return commit
+
+    @_catch_timeouts_and_errors
+    def lookup_user(self, email):
+        gl_client = self._get_authorized_client()
+        try:
+            result = gl_client.users.list(search=email)
+            if not result:
+                return None
+
+            [user] = result
+            return {
+                "username": user.attributes["username"],
+                "html_url": user.attributes["web_url"],
+                "avatar_url": user.attributes["avatar_url"],
+            }
+        except ValueError:
+            return None
+
+    @_catch_timeouts_and_errors
+    def get_metadata_for_commit(self, commit_sha, ref, repo):
+        commit = self.lookup_commit(repo.get_id(), commit_sha)
+        if commit is None:
+            return None
+
+        metadata = {
+            "commit": commit.attributes["id"],
+            "ref": ref,
+            "default_branch": repo.attributes["default_branch"],
+            "git_url": repo.attributes["ssh_url_to_repo"],
+            "commit_info": {
+                "url": os.path.join(
+                    repo.attributes["web_url"], "commit", commit.attributes["id"]
+                ),
+                "message": commit.attributes["message"],
+                "date": commit.attributes["committed_date"],
+            },
         }
 
-    return BuildTriggerHandler.build_namespaces_response(namespaces)
+        committer = None
+        if "committer_email" in commit.attributes:
+            committer = self.lookup_user(commit.attributes["committer_email"])
 
-  def _get_namespace(self, gl_client, gl_namespace, lazy=False):
-    try:
-      if gl_namespace.attributes['kind'] == 'group':
-        return gl_client.groups.get(gl_namespace.attributes['id'], lazy=lazy)
+        author = None
+        if "author_email" in commit.attributes:
+            author = self.lookup_user(commit.attributes["author_email"])
 
-      if gl_namespace.attributes['kind'] == 'user':
-        return gl_client.users.get(gl_client.user.attributes['id'], lazy=lazy)
+        if committer is not None:
+            metadata["commit_info"]["committer"] = {
+                "username": committer["username"],
+                "avatar_url": committer["avatar_url"],
+                "url": committer.get("http_url", ""),
+            }
 
-      # Note: This doesn't seem to work for IDs retrieved via the namespaces API; the IDs are
-      # different.
-      return gl_client.users.get(gl_namespace.attributes['id'], lazy=lazy)
-    except gitlab.GitlabGetError:
-      return None
+        if author is not None:
+            metadata["commit_info"]["author"] = {
+                "username": author["username"],
+                "avatar_url": author["avatar_url"],
+                "url": author.get("http_url", ""),
+            }
 
-  @_catch_timeouts_and_errors
-  def list_build_sources_for_namespace(self, namespace_id):
-    if not namespace_id:
-      return []
+        return metadata
 
-    def repo_view(repo):
-      # Because *anything* can be None in GitLab API!
-      permissions = repo.attributes.get('permissions') or {}
-      group_access = permissions.get('group_access') or {}
-      project_access = permissions.get('project_access') or {}
+    @_catch_timeouts_and_errors
+    def manual_start(self, run_parameters=None):
+        gl_client = self._get_authorized_client()
+        gl_project = gl_client.projects.get(self.config["build_source"])
+        if not gl_project:
+            raise TriggerStartException("Could not find repository")
 
-      missing_group_access = permissions.get('group_access') is None
-      missing_project_access = permissions.get('project_access') is None
+        def get_tag_sha(tag_name):
+            try:
+                tag = gl_project.tags.get(tag_name)
+            except gitlab.GitlabGetError:
+                raise TriggerStartException("Could not find tag in repository")
 
-      access_level = max(group_access.get('access_level') or 0,
-                         project_access.get('access_level') or 0)
+            return tag.attributes["commit"]["id"]
 
-      has_admin_permission = _ACCESS_LEVEL_MAP.get(access_level, ("", False))[1]
-      if missing_group_access or missing_project_access:
-        # Default to has permission if we cannot check the permissions. This will allow our users
-        # to select the repository and then GitLab's own checks will ensure that the webhook is
-        # added only if allowed.
-        # TODO: Do we want to display this differently in the UI?
-        has_admin_permission = True
+        def get_branch_sha(branch_name):
+            try:
+                branch = gl_project.branches.get(branch_name)
+            except gitlab.GitlabGetError:
+                raise TriggerStartException("Could not find branch in repository")
 
-      view = {
-        'name': repo.attributes['path'],
-        'full_name': repo.attributes['path_with_namespace'],
-        'description': repo.attributes.get('description') or '',
-        'url': repo.attributes.get('web_url'),
-        'has_admin_permissions': has_admin_permission,
-        'private': repo.attributes.get('visibility') == 'private',
-      }
+            return branch.attributes["commit"]["id"]
 
-      if repo.attributes.get('last_activity_at'):
-        try:
-          last_modified = dateutil.parser.parse(repo.attributes['last_activity_at'])
-          view['last_updated'] = timegm(last_modified.utctimetuple())
-        except ValueError:
-          logger.exception('Gitlab gave us an invalid last_activity_at: %s', last_modified)
+        # Find the branch or tag to build.
+        (commit_sha, ref) = determine_build_ref(
+            run_parameters,
+            get_branch_sha,
+            get_tag_sha,
+            gl_project.attributes["default_branch"],
+        )
 
-      return view
+        metadata = self.get_metadata_for_commit(commit_sha, ref, gl_project)
+        return self.prepare_build(metadata, is_manual=True)
 
-    gl_client = self._get_authorized_client()
+    @_catch_timeouts_and_errors
+    def handle_trigger_request(self, request):
+        payload = request.get_json()
+        if not payload:
+            raise InvalidPayloadException()
 
-    try:
-      gl_namespace = gl_client.namespaces.get(namespace_id)
-    except gitlab.GitlabGetError:
-      return []
+        logger.debug("GitLab trigger payload %s", payload)
 
-    namespace_obj = self._get_namespace(gl_client, gl_namespace, lazy=True)
-    repositories = _paginated_iterator(namespace_obj.projects.list, RepositoryReadException)
+        # Lookup the default branch.
+        gl_client = self._get_authorized_client()
+        gl_project = gl_client.projects.get(self.config["build_source"])
+        if not gl_project:
+            logger.debug(
+                "Skipping GitLab build; project %s not found",
+                self.config["build_source"],
+            )
+            raise InvalidPayloadException()
 
-    try:
-      return BuildTriggerHandler.build_sources_response([repo_view(repo) for repo in repositories])
-    except gitlab.GitlabGetError:
-      return []
+        def lookup_commit(repo_id, commit_sha):
+            commit = self.lookup_commit(repo_id, commit_sha)
+            if commit is None:
+                return None
 
-  @_catch_timeouts_and_errors
-  def list_build_subdirs(self):
-    config = self.config
-    gl_client = self._get_authorized_client()
-    new_build_source = config['build_source']
+            return dict(commit.attributes)
 
-    gl_project = gl_client.projects.get(new_build_source)
-    if not gl_project:
-      msg = 'Unable to find GitLab repository for source: %s' % new_build_source
-      raise RepositoryReadException(msg)
+        default_branch = gl_project.attributes["default_branch"]
+        metadata = get_transformed_webhook_payload(
+            payload,
+            default_branch=default_branch,
+            lookup_user=self.lookup_user,
+            lookup_commit=lookup_commit,
+        )
+        prepared = self.prepare_build(metadata)
 
-    repo_branches = gl_project.branches.list()
-    if not repo_branches:
-      msg = 'Unable to find GitLab branches for source: %s' % new_build_source
-      raise RepositoryReadException(msg)
-
-    branches = [branch.attributes['name'] for branch in repo_branches]
-    branches = find_matching_branches(config, branches)
-    branches = branches or [gl_project.attributes['default_branch'] or 'master']
-
-    repo_tree = gl_project.repository_tree(ref=branches[0])
-    if not repo_tree:
-      msg = 'Unable to find GitLab repository tree for source: %s' % new_build_source
-      raise RepositoryReadException(msg)
-
-    return [node['name'] for node in repo_tree if self.filename_is_dockerfile(node['name'])]
-
-  @_catch_timeouts_and_errors
-  def load_dockerfile_contents(self):
-    gl_client = self._get_authorized_client()
-    path = self.get_dockerfile_path()
-
-    gl_project = gl_client.projects.get(self.config['build_source'])
-    if not gl_project:
-      return None
-
-    branches = self.list_field_values('branch_name')
-    branches = find_matching_branches(self.config, branches)
-    if branches == []:
-      return None
-
-    branch_name = branches[0]
-    if gl_project.attributes['default_branch'] in branches:
-      branch_name = gl_project.attributes['default_branch']
-
-    try:
-      return gl_project.files.get(path, branch_name).decode()
-    except gitlab.GitlabGetError:
-      return None
-
-  @_catch_timeouts_and_errors
-  def list_field_values(self, field_name, limit=None):
-    if field_name == 'refs':
-      branches = self.list_field_values('branch_name')
-      tags = self.list_field_values('tag_name')
-
-      return ([{'kind': 'branch', 'name': b} for b in branches] +
-              [{'kind': 'tag', 'name': t} for t in tags])
-
-    gl_client = self._get_authorized_client()
-    gl_project = gl_client.projects.get(self.config['build_source'])
-    if not gl_project:
-      return []
-
-    if field_name == 'tag_name':
-      tags = gl_project.tags.list()
-      if not tags:
-        return []
-
-      if limit:
-        tags = tags[0:limit]
-
-      return [tag.attributes['name'] for tag in tags]
-
-    if field_name == 'branch_name':
-      branches = gl_project.branches.list()
-      if not branches:
-        return []
-
-      if limit:
-        branches = branches[0:limit]
-
-      return [branch.attributes['name'] for branch in branches]
-
-    return None
-
-  def get_repository_url(self):
-    return gitlab_trigger.get_public_url(self.config['build_source'])
-
-  @_catch_timeouts_and_errors
-  def lookup_commit(self, repo_id, commit_sha):
-    if repo_id is None:
-      return None
-
-    gl_client = self._get_authorized_client()
-    gl_project = gl_client.projects.get(self.config['build_source'], lazy=True)
-    commit = gl_project.commits.get(commit_sha)
-    if not commit:
-      return None
-
-    return commit
-
-  @_catch_timeouts_and_errors
-  def lookup_user(self, email):
-    gl_client = self._get_authorized_client()
-    try:
-      result = gl_client.users.list(search=email)
-      if not result:
-        return None
-
-      [user] = result
-      return {
-        'username': user.attributes['username'],
-        'html_url': user.attributes['web_url'],
-        'avatar_url': user.attributes['avatar_url']
-      }
-    except ValueError:
-      return None
-
-  @_catch_timeouts_and_errors
-  def get_metadata_for_commit(self, commit_sha, ref, repo):
-    commit = self.lookup_commit(repo.get_id(), commit_sha)
-    if commit is None:
-      return None
-
-    metadata = {
-      'commit': commit.attributes['id'],
-      'ref': ref,
-      'default_branch': repo.attributes['default_branch'],
-      'git_url': repo.attributes['ssh_url_to_repo'],
-      'commit_info': {
-        'url': os.path.join(repo.attributes['web_url'], 'commit', commit.attributes['id']),
-        'message': commit.attributes['message'],
-        'date': commit.attributes['committed_date'],
-      },
-    }
-
-    committer = None
-    if 'committer_email' in commit.attributes:
-      committer = self.lookup_user(commit.attributes['committer_email'])
-
-    author = None
-    if 'author_email' in commit.attributes:
-      author = self.lookup_user(commit.attributes['author_email'])
-
-    if committer is not None:
-      metadata['commit_info']['committer'] = {
-        'username': committer['username'],
-        'avatar_url': committer['avatar_url'],
-        'url': committer.get('http_url', ''),
-      }
-
-    if author is not None:
-      metadata['commit_info']['author'] = {
-        'username': author['username'],
-        'avatar_url': author['avatar_url'],
-        'url': author.get('http_url', ''),
-      }
-
-    return metadata
-
-  @_catch_timeouts_and_errors
-  def manual_start(self, run_parameters=None):
-    gl_client = self._get_authorized_client()
-    gl_project = gl_client.projects.get(self.config['build_source'])
-    if not gl_project:
-      raise TriggerStartException('Could not find repository')
-
-    def get_tag_sha(tag_name):
-      try:
-        tag = gl_project.tags.get(tag_name)
-      except gitlab.GitlabGetError:
-        raise TriggerStartException('Could not find tag in repository')
-
-      return tag.attributes['commit']['id']
-
-    def get_branch_sha(branch_name):
-      try:
-        branch = gl_project.branches.get(branch_name)
-      except gitlab.GitlabGetError:
-        raise TriggerStartException('Could not find branch in repository')
-
-      return branch.attributes['commit']['id']
-
-    # Find the branch or tag to build.
-    (commit_sha, ref) = determine_build_ref(run_parameters, get_branch_sha, get_tag_sha,
-                                            gl_project.attributes['default_branch'])
-
-    metadata = self.get_metadata_for_commit(commit_sha, ref, gl_project)
-    return self.prepare_build(metadata, is_manual=True)
-
-  @_catch_timeouts_and_errors
-  def handle_trigger_request(self, request):
-    payload = request.get_json()
-    if not payload:
-      raise InvalidPayloadException()
-
-    logger.debug('GitLab trigger payload %s', payload)
-
-    # Lookup the default branch.
-    gl_client = self._get_authorized_client()
-    gl_project = gl_client.projects.get(self.config['build_source'])
-    if not gl_project:
-      logger.debug('Skipping GitLab build; project %s not found', self.config['build_source'])
-      raise InvalidPayloadException()
-
-    def lookup_commit(repo_id, commit_sha):
-      commit = self.lookup_commit(repo_id, commit_sha)
-      if commit is None:
-        return None
-
-      return dict(commit.attributes)
-
-    default_branch = gl_project.attributes['default_branch']
-    metadata = get_transformed_webhook_payload(payload, default_branch=default_branch,
-                                               lookup_user=self.lookup_user,
-                                               lookup_commit=lookup_commit)
-    prepared = self.prepare_build(metadata)
-
-    # Check if we should skip this build.
-    raise_if_skipped_build(prepared, self.config)
-    return prepared
+        # Check if we should skip this build.
+        raise_if_skipped_build(prepared, self.config)
+        return prepared
diff --git a/buildtrigger/test/bitbucketmock.py b/buildtrigger/test/bitbucketmock.py
index 0e5cad97f..b6cf2b3b8 100644
--- a/buildtrigger/test/bitbucketmock.py
+++ b/buildtrigger/test/bitbucketmock.py
@@ -4,156 +4,168 @@ from mock import Mock
 from buildtrigger.bitbuckethandler import BitbucketBuildTrigger
 from util.morecollections import AttrDict
 
-def get_bitbucket_trigger(dockerfile_path=''):
-  trigger_obj = AttrDict(dict(auth_token='foobar', id='sometrigger'))
-  trigger = BitbucketBuildTrigger(trigger_obj, {
-    'build_source': 'foo/bar',
-    'dockerfile_path': dockerfile_path,
-    'nickname': 'knownuser',
-    'account_id': 'foo',
-  })
 
-  trigger._get_client = get_mock_bitbucket
-  return trigger
+def get_bitbucket_trigger(dockerfile_path=""):
+    trigger_obj = AttrDict(dict(auth_token="foobar", id="sometrigger"))
+    trigger = BitbucketBuildTrigger(
+        trigger_obj,
+        {
+            "build_source": "foo/bar",
+            "dockerfile_path": dockerfile_path,
+            "nickname": "knownuser",
+            "account_id": "foo",
+        },
+    )
+
+    trigger._get_client = get_mock_bitbucket
+    return trigger
+
 
 def get_repo_path_contents(path, revision):
-  data = {
-    'files': [{'path': 'Dockerfile'}],
-  }
+    data = {"files": [{"path": "Dockerfile"}]}
+
+    return (True, data, None)
 
-  return (True, data, None)
 
 def get_raw_path_contents(path, revision):
-  if path == 'Dockerfile':
-    return (True, 'hello world', None)
+    if path == "Dockerfile":
+        return (True, "hello world", None)
 
-  if path == 'somesubdir/Dockerfile':
-    return (True, 'hi universe', None)
+    if path == "somesubdir/Dockerfile":
+        return (True, "hi universe", None)
+
+    return (False, None, None)
 
-  return (False, None, None)
 
 def get_branches_and_tags():
-  data = {
-    'branches': [{'name': 'master'}, {'name': 'otherbranch'}],
-    'tags': [{'name': 'sometag'}, {'name': 'someothertag'}],
-  }
-  return (True, data, None)
+    data = {
+        "branches": [{"name": "master"}, {"name": "otherbranch"}],
+        "tags": [{"name": "sometag"}, {"name": "someothertag"}],
+    }
+    return (True, data, None)
+
 
 def get_branches():
-  return (True, {'master': {}, 'otherbranch': {}}, None)
+    return (True, {"master": {}, "otherbranch": {}}, None)
+
 
 def get_tags():
-  return (True, {'sometag': {}, 'someothertag': {}}, None)
+    return (True, {"sometag": {}, "someothertag": {}}, None)
+
 
 def get_branch(branch_name):
-  if branch_name != 'master':
-    return (False, None, None)
+    if branch_name != "master":
+        return (False, None, None)
 
-  data = {
-    'target': {
-      'hash': 'aaaaaaa',
-    },
-  }
+    data = {"target": {"hash": "aaaaaaa"}}
+
+    return (True, data, None)
 
-  return (True, data, None)
 
 def get_tag(tag_name):
-  if tag_name != 'sometag':
-    return (False, None, None)
+    if tag_name != "sometag":
+        return (False, None, None)
 
-  data = {
-    'target': {
-      'hash': 'aaaaaaa',
-    },
-  }
+    data = {"target": {"hash": "aaaaaaa"}}
+
+    return (True, data, None)
 
-  return (True, data, None)
 
 def get_changeset_mock(commit_sha):
-  if commit_sha != 'aaaaaaa':
-    return (False, None, 'Not found')
+    if commit_sha != "aaaaaaa":
+        return (False, None, "Not found")
 
-  data = {
-    'node': 'aaaaaaa',
-    'message': 'some message',
-    'timestamp': 'now',
-    'raw_author': 'foo@bar.com',
-  }
+    data = {
+        "node": "aaaaaaa",
+        "message": "some message",
+        "timestamp": "now",
+        "raw_author": "foo@bar.com",
+    }
+
+    return (True, data, None)
 
-  return (True, data, None)
 
 def get_changesets():
-  changesets_mock = Mock()
-  changesets_mock.get = Mock(side_effect=get_changeset_mock)
-  return changesets_mock
+    changesets_mock = Mock()
+    changesets_mock.get = Mock(side_effect=get_changeset_mock)
+    return changesets_mock
+
 
 def get_deploykeys():
-  deploykeys_mock = Mock()
-  deploykeys_mock.create = Mock(return_value=(True, {'pk': 'someprivatekey'}, None))
-  deploykeys_mock.delete = Mock(return_value=(True, {}, None))
-  return deploykeys_mock
+    deploykeys_mock = Mock()
+    deploykeys_mock.create = Mock(return_value=(True, {"pk": "someprivatekey"}, None))
+    deploykeys_mock.delete = Mock(return_value=(True, {}, None))
+    return deploykeys_mock
+
 
 def get_webhooks():
-  webhooks_mock = Mock()
-  webhooks_mock.create = Mock(return_value=(True, {'uuid': 'someuuid'}, None))
-  webhooks_mock.delete = Mock(return_value=(True, {}, None))
-  return webhooks_mock
+    webhooks_mock = Mock()
+    webhooks_mock.create = Mock(return_value=(True, {"uuid": "someuuid"}, None))
+    webhooks_mock.delete = Mock(return_value=(True, {}, None))
+    return webhooks_mock
+
 
 def get_repo_mock(name):
-  if name != 'bar':
-    return None
+    if name != "bar":
+        return None
 
-  repo_mock = Mock()
-  repo_mock.get_main_branch = Mock(return_value=(True, {'name': 'master'}, None))
-  repo_mock.get_path_contents = Mock(side_effect=get_repo_path_contents)
-  repo_mock.get_raw_path_contents = Mock(side_effect=get_raw_path_contents)
-  repo_mock.get_branches_and_tags = Mock(side_effect=get_branches_and_tags)
-  repo_mock.get_branches = Mock(side_effect=get_branches)
-  repo_mock.get_tags = Mock(side_effect=get_tags)
-  repo_mock.get_branch = Mock(side_effect=get_branch)
-  repo_mock.get_tag = Mock(side_effect=get_tag)
+    repo_mock = Mock()
+    repo_mock.get_main_branch = Mock(return_value=(True, {"name": "master"}, None))
+    repo_mock.get_path_contents = Mock(side_effect=get_repo_path_contents)
+    repo_mock.get_raw_path_contents = Mock(side_effect=get_raw_path_contents)
+    repo_mock.get_branches_and_tags = Mock(side_effect=get_branches_and_tags)
+    repo_mock.get_branches = Mock(side_effect=get_branches)
+    repo_mock.get_tags = Mock(side_effect=get_tags)
+    repo_mock.get_branch = Mock(side_effect=get_branch)
+    repo_mock.get_tag = Mock(side_effect=get_tag)
+
+    repo_mock.changesets = Mock(side_effect=get_changesets)
+    repo_mock.deploykeys = Mock(side_effect=get_deploykeys)
+    repo_mock.webhooks = Mock(side_effect=get_webhooks)
+    return repo_mock
 
-  repo_mock.changesets = Mock(side_effect=get_changesets)
-  repo_mock.deploykeys = Mock(side_effect=get_deploykeys)
-  repo_mock.webhooks = Mock(side_effect=get_webhooks)
-  return repo_mock
 
 def get_repositories_mock():
-  repos_mock = Mock()
-  repos_mock.get = Mock(side_effect=get_repo_mock)
-  return repos_mock
+    repos_mock = Mock()
+    repos_mock.get = Mock(side_effect=get_repo_mock)
+    return repos_mock
+
 
 def get_namespace_mock(namespace):
-  namespace_mock = Mock()
-  namespace_mock.repositories = Mock(side_effect=get_repositories_mock)
-  return namespace_mock
+    namespace_mock = Mock()
+    namespace_mock.repositories = Mock(side_effect=get_repositories_mock)
+    return namespace_mock
+
 
 def get_repo(namespace, name):
-  return {
-    'owner': namespace,
-    'logo': 'avatarurl',
-    'slug': name,
-    'description': 'some %s repo' % (name),
-    'utc_last_updated': str(datetime.utcfromtimestamp(0)),
-    'read_only': namespace != 'knownuser',
-    'is_private': name == 'somerepo',
-  }
+    return {
+        "owner": namespace,
+        "logo": "avatarurl",
+        "slug": name,
+        "description": "some %s repo" % (name),
+        "utc_last_updated": str(datetime.utcfromtimestamp(0)),
+        "read_only": namespace != "knownuser",
+        "is_private": name == "somerepo",
+    }
+
 
 def get_visible_repos():
-  repos = [
-    get_repo('knownuser', 'somerepo'),
-    get_repo('someorg', 'somerepo'),
-    get_repo('someorg', 'anotherrepo'),
-  ]
-  return (True, repos, None)
+    repos = [
+        get_repo("knownuser", "somerepo"),
+        get_repo("someorg", "somerepo"),
+        get_repo("someorg", "anotherrepo"),
+    ]
+    return (True, repos, None)
+
 
 def get_authed_mock(token, secret):
-  authed_mock = Mock()
-  authed_mock.for_namespace = Mock(side_effect=get_namespace_mock)
-  authed_mock.get_visible_repositories = Mock(side_effect=get_visible_repos)
-  return authed_mock
+    authed_mock = Mock()
+    authed_mock.for_namespace = Mock(side_effect=get_namespace_mock)
+    authed_mock.get_visible_repositories = Mock(side_effect=get_visible_repos)
+    return authed_mock
+
 
 def get_mock_bitbucket():
-  bitbucket_mock = Mock()
-  bitbucket_mock.get_authorized_client = Mock(side_effect=get_authed_mock)
-  return bitbucket_mock
+    bitbucket_mock = Mock()
+    bitbucket_mock.get_authorized_client = Mock(side_effect=get_authed_mock)
+    return bitbucket_mock
diff --git a/buildtrigger/test/githubmock.py b/buildtrigger/test/githubmock.py
index e0f8daffc..c8fcbe73f 100644
--- a/buildtrigger/test/githubmock.py
+++ b/buildtrigger/test/githubmock.py
@@ -6,173 +6,178 @@ from github import GithubException
 from buildtrigger.githubhandler import GithubBuildTrigger
 from util.morecollections import AttrDict
 
-def get_github_trigger(dockerfile_path=''):
-  trigger_obj = AttrDict(dict(auth_token='foobar', id='sometrigger'))
-  trigger = GithubBuildTrigger(trigger_obj, {'build_source': 'foo', 'dockerfile_path': dockerfile_path})
-  trigger._get_client = get_mock_github
-  return trigger
+
+def get_github_trigger(dockerfile_path=""):
+    trigger_obj = AttrDict(dict(auth_token="foobar", id="sometrigger"))
+    trigger = GithubBuildTrigger(
+        trigger_obj, {"build_source": "foo", "dockerfile_path": dockerfile_path}
+    )
+    trigger._get_client = get_mock_github
+    return trigger
+
 
 def get_mock_github():
-  def get_commit_mock(commit_sha):
-    if commit_sha == 'aaaaaaa':
-      commit_mock = Mock()
-      commit_mock.sha = commit_sha
-      commit_mock.html_url = 'http://url/to/commit'
-      commit_mock.last_modified = 'now'
+    def get_commit_mock(commit_sha):
+        if commit_sha == "aaaaaaa":
+            commit_mock = Mock()
+            commit_mock.sha = commit_sha
+            commit_mock.html_url = "http://url/to/commit"
+            commit_mock.last_modified = "now"
 
-      commit_mock.commit = Mock()
-      commit_mock.commit.message = 'some cool message'
+            commit_mock.commit = Mock()
+            commit_mock.commit.message = "some cool message"
 
-      commit_mock.committer = Mock()
-      commit_mock.committer.login = 'someuser'
-      commit_mock.committer.avatar_url = 'avatarurl'
-      commit_mock.committer.html_url = 'htmlurl'
+            commit_mock.committer = Mock()
+            commit_mock.committer.login = "someuser"
+            commit_mock.committer.avatar_url = "avatarurl"
+            commit_mock.committer.html_url = "htmlurl"
 
-      commit_mock.author = Mock()
-      commit_mock.author.login = 'someuser'
-      commit_mock.author.avatar_url = 'avatarurl'
-      commit_mock.author.html_url = 'htmlurl'
-      return commit_mock
+            commit_mock.author = Mock()
+            commit_mock.author.login = "someuser"
+            commit_mock.author.avatar_url = "avatarurl"
+            commit_mock.author.html_url = "htmlurl"
+            return commit_mock
 
-    raise GithubException(None, None)
+        raise GithubException(None, None)
 
-  def get_branch_mock(branch_name):
-    if branch_name == 'master':
-      branch_mock = Mock()
-      branch_mock.commit = Mock()
-      branch_mock.commit.sha = 'aaaaaaa'
-      return branch_mock
+    def get_branch_mock(branch_name):
+        if branch_name == "master":
+            branch_mock = Mock()
+            branch_mock.commit = Mock()
+            branch_mock.commit.sha = "aaaaaaa"
+            return branch_mock
 
-    raise GithubException(None, None)
+        raise GithubException(None, None)
+
+    def get_repo_mock(namespace, name):
+        repo_mock = Mock()
+        repo_mock.owner = Mock()
+        repo_mock.owner.login = namespace
+
+        repo_mock.full_name = "%s/%s" % (namespace, name)
+        repo_mock.name = name
+        repo_mock.description = "some %s repo" % (name)
+
+        if name != "anotherrepo":
+            repo_mock.pushed_at = datetime.utcfromtimestamp(0)
+        else:
+            repo_mock.pushed_at = None
+
+        repo_mock.html_url = "https://bitbucket.org/%s/%s" % (namespace, name)
+        repo_mock.private = name == "somerepo"
+        repo_mock.permissions = Mock()
+        repo_mock.permissions.admin = namespace == "knownuser"
+        return repo_mock
+
+    def get_user_repos_mock(type="all", sort="created"):
+        return [get_repo_mock("knownuser", "somerepo")]
+
+    def get_org_repos_mock(type="all"):
+        return [
+            get_repo_mock("someorg", "somerepo"),
+            get_repo_mock("someorg", "anotherrepo"),
+        ]
+
+    def get_orgs_mock():
+        return [get_org_mock("someorg")]
+
+    def get_user_mock(username="knownuser"):
+        if username == "knownuser":
+            user_mock = Mock()
+            user_mock.name = username
+            user_mock.plan = Mock()
+            user_mock.plan.private_repos = 1
+            user_mock.login = username
+            user_mock.html_url = "https://bitbucket.org/%s" % (username)
+            user_mock.avatar_url = "avatarurl"
+            user_mock.get_repos = Mock(side_effect=get_user_repos_mock)
+            user_mock.get_orgs = Mock(side_effect=get_orgs_mock)
+            return user_mock
+
+        raise GithubException(None, None)
+
+    def get_org_mock(namespace):
+        if namespace == "someorg":
+            org_mock = Mock()
+            org_mock.get_repos = Mock(side_effect=get_org_repos_mock)
+            org_mock.login = namespace
+            org_mock.html_url = "https://bitbucket.org/%s" % (namespace)
+            org_mock.avatar_url = "avatarurl"
+            org_mock.name = namespace
+            org_mock.plan = Mock()
+            org_mock.plan.private_repos = 2
+            return org_mock
+
+        raise GithubException(None, None)
+
+    def get_tags_mock():
+        sometag = Mock()
+        sometag.name = "sometag"
+        sometag.commit = get_commit_mock("aaaaaaa")
+
+        someothertag = Mock()
+        someothertag.name = "someothertag"
+        someothertag.commit = get_commit_mock("aaaaaaa")
+        return [sometag, someothertag]
+
+    def get_branches_mock():
+        master = Mock()
+        master.name = "master"
+        master.commit = get_commit_mock("aaaaaaa")
+
+        otherbranch = Mock()
+        otherbranch.name = "otherbranch"
+        otherbranch.commit = get_commit_mock("aaaaaaa")
+        return [master, otherbranch]
+
+    def get_contents_mock(filepath):
+        if filepath == "Dockerfile":
+            m = Mock()
+            m.content = "hello world"
+            return m
+
+        if filepath == "somesubdir/Dockerfile":
+            m = Mock()
+            m.content = "hi universe"
+            return m
+
+        raise GithubException(None, None)
+
+    def get_git_tree_mock(commit_sha, recursive=False):
+        first_file = Mock()
+        first_file.type = "blob"
+        first_file.path = "Dockerfile"
+
+        second_file = Mock()
+        second_file.type = "other"
+        second_file.path = "/some/Dockerfile"
+
+        third_file = Mock()
+        third_file.type = "blob"
+        third_file.path = "somesubdir/Dockerfile"
+
+        t = Mock()
+
+        if commit_sha == "aaaaaaa":
+            t.tree = [first_file, second_file, third_file]
+        else:
+            t.tree = []
+
+        return t
 
-  def get_repo_mock(namespace, name):
     repo_mock = Mock()
-    repo_mock.owner = Mock()
-    repo_mock.owner.login = namespace
+    repo_mock.default_branch = "master"
+    repo_mock.ssh_url = "ssh_url"
 
-    repo_mock.full_name = '%s/%s' % (namespace, name)
-    repo_mock.name = name
-    repo_mock.description = 'some %s repo' % (name)
+    repo_mock.get_branch = Mock(side_effect=get_branch_mock)
+    repo_mock.get_tags = Mock(side_effect=get_tags_mock)
+    repo_mock.get_branches = Mock(side_effect=get_branches_mock)
+    repo_mock.get_commit = Mock(side_effect=get_commit_mock)
+    repo_mock.get_contents = Mock(side_effect=get_contents_mock)
+    repo_mock.get_git_tree = Mock(side_effect=get_git_tree_mock)
 
-    if name != 'anotherrepo':
-      repo_mock.pushed_at = datetime.utcfromtimestamp(0)
-    else:
-      repo_mock.pushed_at = None
-
-    repo_mock.html_url = 'https://bitbucket.org/%s/%s' % (namespace, name)
-    repo_mock.private = name == 'somerepo'
-    repo_mock.permissions = Mock()
-    repo_mock.permissions.admin = namespace == 'knownuser'
-    return repo_mock
-
-  def get_user_repos_mock(type='all', sort='created'):
-    return [get_repo_mock('knownuser', 'somerepo')]
-
-  def get_org_repos_mock(type='all'):
-    return [get_repo_mock('someorg', 'somerepo'), get_repo_mock('someorg', 'anotherrepo')]
-
-  def get_orgs_mock():
-    return [get_org_mock('someorg')]
-
-  def get_user_mock(username='knownuser'):
-    if username == 'knownuser':
-      user_mock = Mock()
-      user_mock.name = username
-      user_mock.plan = Mock()
-      user_mock.plan.private_repos = 1
-      user_mock.login = username
-      user_mock.html_url = 'https://bitbucket.org/%s' % (username)
-      user_mock.avatar_url = 'avatarurl'
-      user_mock.get_repos = Mock(side_effect=get_user_repos_mock)
-      user_mock.get_orgs = Mock(side_effect=get_orgs_mock)
-      return user_mock
-
-    raise GithubException(None, None)
-
-  def get_org_mock(namespace):
-    if namespace == 'someorg':
-      org_mock = Mock()
-      org_mock.get_repos = Mock(side_effect=get_org_repos_mock)
-      org_mock.login = namespace
-      org_mock.html_url = 'https://bitbucket.org/%s' % (namespace)
-      org_mock.avatar_url = 'avatarurl'
-      org_mock.name = namespace
-      org_mock.plan = Mock()
-      org_mock.plan.private_repos = 2
-      return org_mock
-
-    raise GithubException(None, None)
-
-  def get_tags_mock():
-    sometag = Mock()
-    sometag.name = 'sometag'
-    sometag.commit = get_commit_mock('aaaaaaa')
-
-    someothertag = Mock()
-    someothertag.name = 'someothertag'
-    someothertag.commit = get_commit_mock('aaaaaaa')
-    return [sometag, someothertag]
-
-  def get_branches_mock():
-    master = Mock()
-    master.name = 'master'
-    master.commit = get_commit_mock('aaaaaaa')
-
-    otherbranch = Mock()
-    otherbranch.name = 'otherbranch'
-    otherbranch.commit = get_commit_mock('aaaaaaa')
-    return [master, otherbranch]
-
-  def get_contents_mock(filepath):
-    if filepath == 'Dockerfile':
-      m = Mock()
-      m.content = 'hello world'
-      return m
-
-    if filepath == 'somesubdir/Dockerfile':
-      m = Mock()
-      m.content = 'hi universe'
-      return m
-
-    raise GithubException(None, None)
-
-  def get_git_tree_mock(commit_sha, recursive=False):
-    first_file = Mock()
-    first_file.type = 'blob'
-    first_file.path = 'Dockerfile'
-
-    second_file = Mock()
-    second_file.type = 'other'
-    second_file.path = '/some/Dockerfile'
-
-    third_file = Mock()
-    third_file.type = 'blob'
-    third_file.path = 'somesubdir/Dockerfile'
-
-    t = Mock()
-
-    if commit_sha == 'aaaaaaa':
-      t.tree = [
-        first_file, second_file, third_file,
-      ]
-    else:
-      t.tree = []
-
-    return t
-
-  repo_mock = Mock()
-  repo_mock.default_branch = 'master'
-  repo_mock.ssh_url = 'ssh_url'
-
-  repo_mock.get_branch = Mock(side_effect=get_branch_mock)
-  repo_mock.get_tags = Mock(side_effect=get_tags_mock)
-  repo_mock.get_branches = Mock(side_effect=get_branches_mock)
-  repo_mock.get_commit = Mock(side_effect=get_commit_mock)
-  repo_mock.get_contents = Mock(side_effect=get_contents_mock)
-  repo_mock.get_git_tree = Mock(side_effect=get_git_tree_mock)
-
-  gh_mock = Mock()
-  gh_mock.get_repo = Mock(return_value=repo_mock)
-  gh_mock.get_user = Mock(side_effect=get_user_mock)
-  gh_mock.get_organization = Mock(side_effect=get_org_mock)
-  return gh_mock
+    gh_mock = Mock()
+    gh_mock.get_repo = Mock(return_value=repo_mock)
+    gh_mock.get_user = Mock(side_effect=get_user_mock)
+    gh_mock.get_organization = Mock(side_effect=get_org_mock)
+    return gh_mock
diff --git a/buildtrigger/test/gitlabmock.py b/buildtrigger/test/gitlabmock.py
index cd864241e..90c983a40 100644
--- a/buildtrigger/test/gitlabmock.py
+++ b/buildtrigger/test/gitlabmock.py
@@ -11,588 +11,598 @@ from buildtrigger.gitlabhandler import GitLabBuildTrigger
 from util.morecollections import AttrDict
 
 
-@urlmatch(netloc=r'fakegitlab')
+@urlmatch(netloc=r"fakegitlab")
 def catchall_handler(url, request):
-  return {'status_code': 404}
+    return {"status_code": 404}
 
 
-@urlmatch(netloc=r'fakegitlab', path=r'/api/v4/users$')
+@urlmatch(netloc=r"fakegitlab", path=r"/api/v4/users$")
 def users_handler(url, request):
-  if not request.headers.get('Authorization') == 'Bearer foobar':
-    return {'status_code': 401}
+    if not request.headers.get("Authorization") == "Bearer foobar":
+        return {"status_code": 401}
+
+    if url.query.find("knownuser") < 0:
+        return {
+            "status_code": 200,
+            "headers": {"Content-Type": "application/json"},
+            "content": json.dumps([]),
+        }
 
-  if url.query.find('knownuser') < 0:
     return {
-      'status_code': 200,
-      'headers': {
-        'Content-Type': 'application/json',
-      },
-      'content': json.dumps([]),
+        "status_code": 200,
+        "headers": {"Content-Type": "application/json"},
+        "content": json.dumps(
+            [
+                {
+                    "id": 1,
+                    "username": "knownuser",
+                    "name": "Known User",
+                    "state": "active",
+                    "avatar_url": "avatarurl",
+                    "web_url": "https://bitbucket.org/knownuser",
+                }
+            ]
+        ),
     }
 
-  return {
-    'status_code': 200,
-    'headers': {
-      'Content-Type': 'application/json',
-    },
-    'content': json.dumps([
-      {
-        "id": 1,
-        "username": "knownuser",
-        "name": "Known User",
-        "state": "active",
-        "avatar_url": "avatarurl",
-        "web_url": "https://bitbucket.org/knownuser",
-      },
-    ]),
-  }
 
-
-@urlmatch(netloc=r'fakegitlab', path=r'/api/v4/user$')
+@urlmatch(netloc=r"fakegitlab", path=r"/api/v4/user$")
 def user_handler(_, request):
-  if not request.headers.get('Authorization') == 'Bearer foobar':
-    return {'status_code': 401}
+    if not request.headers.get("Authorization") == "Bearer foobar":
+        return {"status_code": 401}
 
-  return {
-    'status_code': 200,
-    'headers': {
-      'Content-Type': 'application/json',
-    },
-    'content': json.dumps({
-      "id": 1,
-      "username": "john_smith",
-      "email": "john@example.com",
-      "name": "John Smith",
-      "state": "active",
-    }),
-  }
+    return {
+        "status_code": 200,
+        "headers": {"Content-Type": "application/json"},
+        "content": json.dumps(
+            {
+                "id": 1,
+                "username": "john_smith",
+                "email": "john@example.com",
+                "name": "John Smith",
+                "state": "active",
+            }
+        ),
+    }
 
 
-@urlmatch(netloc=r'fakegitlab', path=r'/api/v4/projects/foo%2Fbar$')
+@urlmatch(netloc=r"fakegitlab", path=r"/api/v4/projects/foo%2Fbar$")
 def project_handler(_, request):
-  if not request.headers.get('Authorization') == 'Bearer foobar':
-    return {'status_code': 401}
+    if not request.headers.get("Authorization") == "Bearer foobar":
+        return {"status_code": 401}
 
-  return {
-    'status_code': 200,
-    'headers': {
-      'Content-Type': 'application/json',
-    },
-    'content': json.dumps({
-      "id": 4,
-      "description": None,
-      "default_branch": "master",
-      "visibility": "private",
-      "path_with_namespace": "someorg/somerepo",
-      "ssh_url_to_repo": "git@example.com:someorg/somerepo.git",
-      "web_url": "http://example.com/someorg/somerepo",
-    }),
-  }
+    return {
+        "status_code": 200,
+        "headers": {"Content-Type": "application/json"},
+        "content": json.dumps(
+            {
+                "id": 4,
+                "description": None,
+                "default_branch": "master",
+                "visibility": "private",
+                "path_with_namespace": "someorg/somerepo",
+                "ssh_url_to_repo": "git@example.com:someorg/somerepo.git",
+                "web_url": "http://example.com/someorg/somerepo",
+            }
+        ),
+    }
 
 
-@urlmatch(netloc=r'fakegitlab', path=r'/api/v4/projects/4/repository/tree$')
+@urlmatch(netloc=r"fakegitlab", path=r"/api/v4/projects/4/repository/tree$")
 def project_tree_handler(_, request):
-  if not request.headers.get('Authorization') == 'Bearer foobar':
-    return {'status_code': 401}
+    if not request.headers.get("Authorization") == "Bearer foobar":
+        return {"status_code": 401}
 
-  return {
-    'status_code': 200,
-    'headers': {
-      'Content-Type': 'application/json',
-    },
-    'content': json.dumps([
-      {
-        "id": "a1e8f8d745cc87e3a9248358d9352bb7f9a0aeba",
-        "name": "Dockerfile",
-        "type": "tree",
-        "path": "files/Dockerfile",
-        "mode": "040000",
-      },
-    ]),
-  }
+    return {
+        "status_code": 200,
+        "headers": {"Content-Type": "application/json"},
+        "content": json.dumps(
+            [
+                {
+                    "id": "a1e8f8d745cc87e3a9248358d9352bb7f9a0aeba",
+                    "name": "Dockerfile",
+                    "type": "tree",
+                    "path": "files/Dockerfile",
+                    "mode": "040000",
+                }
+            ]
+        ),
+    }
 
 
-@urlmatch(netloc=r'fakegitlab', path=r'/api/v4/projects/4/repository/tags$')
+@urlmatch(netloc=r"fakegitlab", path=r"/api/v4/projects/4/repository/tags$")
 def project_tags_handler(_, request):
-  if not request.headers.get('Authorization') == 'Bearer foobar':
-    return {'status_code': 401}
+    if not request.headers.get("Authorization") == "Bearer foobar":
+        return {"status_code": 401}
 
-  return {
-    'status_code': 200,
-    'headers': {
-      'Content-Type': 'application/json',
-    },
-    'content': json.dumps([
-      {
-        'name': 'sometag',
-        'commit': {
-          'id': '60a8ff033665e1207714d6670fcd7b65304ec02f',
-        },
-      },
-      {
-        'name': 'someothertag',
-        'commit': {
-          'id': '60a8ff033665e1207714d6670fcd7b65304ec02f',
-        },
-      },
-    ]),
-  }
+    return {
+        "status_code": 200,
+        "headers": {"Content-Type": "application/json"},
+        "content": json.dumps(
+            [
+                {
+                    "name": "sometag",
+                    "commit": {"id": "60a8ff033665e1207714d6670fcd7b65304ec02f"},
+                },
+                {
+                    "name": "someothertag",
+                    "commit": {"id": "60a8ff033665e1207714d6670fcd7b65304ec02f"},
+                },
+            ]
+        ),
+    }
 
 
-@urlmatch(netloc=r'fakegitlab', path=r'/api/v4/projects/4/repository/branches$')
+@urlmatch(netloc=r"fakegitlab", path=r"/api/v4/projects/4/repository/branches$")
 def project_branches_handler(_, request):
-  if not request.headers.get('Authorization') == 'Bearer foobar':
-    return {'status_code': 401}
+    if not request.headers.get("Authorization") == "Bearer foobar":
+        return {"status_code": 401}
 
-  return {
-    'status_code': 200,
-    'headers': {
-      'Content-Type': 'application/json',
-    },
-    'content': json.dumps([
-      {
-        'name': 'master',
-        'commit': {
-          'id': '60a8ff033665e1207714d6670fcd7b65304ec02f',
-        },
-      },
-      {
-        'name': 'otherbranch',
-        'commit': {
-          'id': '60a8ff033665e1207714d6670fcd7b65304ec02f',
-        },
-      },
-    ]),
-  }
+    return {
+        "status_code": 200,
+        "headers": {"Content-Type": "application/json"},
+        "content": json.dumps(
+            [
+                {
+                    "name": "master",
+                    "commit": {"id": "60a8ff033665e1207714d6670fcd7b65304ec02f"},
+                },
+                {
+                    "name": "otherbranch",
+                    "commit": {"id": "60a8ff033665e1207714d6670fcd7b65304ec02f"},
+                },
+            ]
+        ),
+    }
 
 
-@urlmatch(netloc=r'fakegitlab', path=r'/api/v4/projects/4/repository/branches/master$')
+@urlmatch(netloc=r"fakegitlab", path=r"/api/v4/projects/4/repository/branches/master$")
 def project_branch_handler(_, request):
-  if not request.headers.get('Authorization') == 'Bearer foobar':
-    return {'status_code': 401}
+    if not request.headers.get("Authorization") == "Bearer foobar":
+        return {"status_code": 401}
 
-  return {
-    'status_code': 200,
-    'headers': {
-      'Content-Type': 'application/json',
-    },
-    'content': json.dumps({
-      "name": "master",
-      "merged": True,
-      "protected": True,
-      "developers_can_push": False,
-      "developers_can_merge": False,
-      "commit": {
-        "author_email": "john@example.com",
-        "author_name": "John Smith",
-        "authored_date": "2012-06-27T05:51:39-07:00",
-        "committed_date": "2012-06-28T03:44:20-07:00",
-        "committer_email": "john@example.com",
-        "committer_name": "John Smith",
-        "id": "60a8ff033665e1207714d6670fcd7b65304ec02f",
-        "short_id": "7b5c3cc",
-        "title": "add projects API",
-        "message": "add projects API",
-        "parent_ids": [
-          "4ad91d3c1144c406e50c7b33bae684bd6837faf8",
-        ],
-      },
-    }),
-  }
+    return {
+        "status_code": 200,
+        "headers": {"Content-Type": "application/json"},
+        "content": json.dumps(
+            {
+                "name": "master",
+                "merged": True,
+                "protected": True,
+                "developers_can_push": False,
+                "developers_can_merge": False,
+                "commit": {
+                    "author_email": "john@example.com",
+                    "author_name": "John Smith",
+                    "authored_date": "2012-06-27T05:51:39-07:00",
+                    "committed_date": "2012-06-28T03:44:20-07:00",
+                    "committer_email": "john@example.com",
+                    "committer_name": "John Smith",
+                    "id": "60a8ff033665e1207714d6670fcd7b65304ec02f",
+                    "short_id": "7b5c3cc",
+                    "title": "add projects API",
+                    "message": "add projects API",
+                    "parent_ids": ["4ad91d3c1144c406e50c7b33bae684bd6837faf8"],
+                },
+            }
+        ),
+    }
 
 
-@urlmatch(netloc=r'fakegitlab', path=r'/api/v4/namespaces/someorg$')
+@urlmatch(netloc=r"fakegitlab", path=r"/api/v4/namespaces/someorg$")
 def namespace_handler(_, request):
-  if not request.headers.get('Authorization') == 'Bearer foobar':
-    return {'status_code': 401}
+    if not request.headers.get("Authorization") == "Bearer foobar":
+        return {"status_code": 401}
 
-  return {
-    'status_code': 200,
-    'headers': {
-      'Content-Type': 'application/json',
-    },
-    'content': json.dumps({
-      "id": 2,
-      "name": "someorg",
-      "path": "someorg",
-      "kind": "group",
-      "full_path": "someorg",
-      "parent_id": None,
-      "members_count_with_descendants": 2
-    }),
-  }
+    return {
+        "status_code": 200,
+        "headers": {"Content-Type": "application/json"},
+        "content": json.dumps(
+            {
+                "id": 2,
+                "name": "someorg",
+                "path": "someorg",
+                "kind": "group",
+                "full_path": "someorg",
+                "parent_id": None,
+                "members_count_with_descendants": 2,
+            }
+        ),
+    }
 
 
-@urlmatch(netloc=r'fakegitlab', path=r'/api/v4/namespaces/knownuser$')
+@urlmatch(netloc=r"fakegitlab", path=r"/api/v4/namespaces/knownuser$")
 def user_namespace_handler(_, request):
-  if not request.headers.get('Authorization') == 'Bearer foobar':
-    return {'status_code': 401}
+    if not request.headers.get("Authorization") == "Bearer foobar":
+        return {"status_code": 401}
 
-  return {
-    'status_code': 200,
-    'headers': {
-      'Content-Type': 'application/json',
-    },
-    'content': json.dumps({
-      "id": 1,
-      "name": "knownuser",
-      "path": "knownuser",
-      "kind": "user",
-      "full_path": "knownuser",
-      "parent_id": None,
-      "members_count_with_descendants": 2
-    }),
-  }
+    return {
+        "status_code": 200,
+        "headers": {"Content-Type": "application/json"},
+        "content": json.dumps(
+            {
+                "id": 1,
+                "name": "knownuser",
+                "path": "knownuser",
+                "kind": "user",
+                "full_path": "knownuser",
+                "parent_id": None,
+                "members_count_with_descendants": 2,
+            }
+        ),
+    }
 
 
-@urlmatch(netloc=r'fakegitlab', path=r'/api/v4/namespaces(/)?$')
+@urlmatch(netloc=r"fakegitlab", path=r"/api/v4/namespaces(/)?$")
 def namespaces_handler(_, request):
-  if not request.headers.get('Authorization') == 'Bearer foobar':
-    return {'status_code': 401}
+    if not request.headers.get("Authorization") == "Bearer foobar":
+        return {"status_code": 401}
 
-  return {
-    'status_code': 200,
-    'headers': {
-      'Content-Type': 'application/json',
-    },
-    'content': json.dumps([{
-      "id": 2,
-      "name": "someorg",
-      "path": "someorg",
-      "kind": "group",
-      "full_path": "someorg",
-      "parent_id": None,
-      "web_url": "http://gitlab.com/groups/someorg",
-      "members_count_with_descendants": 2
-    }]),
-  }
+    return {
+        "status_code": 200,
+        "headers": {"Content-Type": "application/json"},
+        "content": json.dumps(
+            [
+                {
+                    "id": 2,
+                    "name": "someorg",
+                    "path": "someorg",
+                    "kind": "group",
+                    "full_path": "someorg",
+                    "parent_id": None,
+                    "web_url": "http://gitlab.com/groups/someorg",
+                    "members_count_with_descendants": 2,
+                }
+            ]
+        ),
+    }
 
 
 def get_projects_handler(add_permissions_block):
-  @urlmatch(netloc=r'fakegitlab', path=r'/api/v4/groups/2/projects$')
-  def projects_handler(_, request):
-    if not request.headers.get('Authorization') == 'Bearer foobar':
-      return {'status_code': 401}
+    @urlmatch(netloc=r"fakegitlab", path=r"/api/v4/groups/2/projects$")
+    def projects_handler(_, request):
+        if not request.headers.get("Authorization") == "Bearer foobar":
+            return {"status_code": 401}
 
-    permissions_block = {
-      "project_access": {
-        "access_level": 10,
-        "notification_level": 3
-      },
-      "group_access": {
-        "access_level": 20,
-        "notification_level": 3
-      },
-    }
+        permissions_block = {
+            "project_access": {"access_level": 10, "notification_level": 3},
+            "group_access": {"access_level": 20, "notification_level": 3},
+        }
 
-    return {
-      'status_code': 200,
-      'headers': {
-        'Content-Type': 'application/json',
-      },
-      'content': json.dumps([{
-        "id": 4,
-        "name": "Some project",
-        "description": None,
-        "default_branch": "master",
-        "visibility": "private",
-        "path": "someproject",
-        "path_with_namespace": "someorg/someproject",
-        "last_activity_at": "2013-09-30T13:46:02Z",
-        "web_url": "http://example.com/someorg/someproject",
-        "permissions": permissions_block if add_permissions_block else None,
-      },
-      {
-        "id": 5,
-        "name": "Another project",
-        "description": None,
-        "default_branch": "master",
-        "visibility": "public",
-        "path": "anotherproject",
-        "path_with_namespace": "someorg/anotherproject",
-        "last_activity_at": "2013-09-30T13:46:02Z",
-        "web_url": "http://example.com/someorg/anotherproject",
-      }]),
-    }
-  return projects_handler
+        return {
+            "status_code": 200,
+            "headers": {"Content-Type": "application/json"},
+            "content": json.dumps(
+                [
+                    {
+                        "id": 4,
+                        "name": "Some project",
+                        "description": None,
+                        "default_branch": "master",
+                        "visibility": "private",
+                        "path": "someproject",
+                        "path_with_namespace": "someorg/someproject",
+                        "last_activity_at": "2013-09-30T13:46:02Z",
+                        "web_url": "http://example.com/someorg/someproject",
+                        "permissions": permissions_block
+                        if add_permissions_block
+                        else None,
+                    },
+                    {
+                        "id": 5,
+                        "name": "Another project",
+                        "description": None,
+                        "default_branch": "master",
+                        "visibility": "public",
+                        "path": "anotherproject",
+                        "path_with_namespace": "someorg/anotherproject",
+                        "last_activity_at": "2013-09-30T13:46:02Z",
+                        "web_url": "http://example.com/someorg/anotherproject",
+                    },
+                ]
+            ),
+        }
+
+    return projects_handler
 
 
 def get_group_handler(null_avatar):
-  @urlmatch(netloc=r'fakegitlab', path=r'/api/v4/groups/2$')
-  def group_handler(_, request):
-    if not request.headers.get('Authorization') == 'Bearer foobar':
-      return {'status_code': 401}
+    @urlmatch(netloc=r"fakegitlab", path=r"/api/v4/groups/2$")
+    def group_handler(_, request):
+        if not request.headers.get("Authorization") == "Bearer foobar":
+            return {"status_code": 401}
+
+        return {
+            "status_code": 200,
+            "headers": {"Content-Type": "application/json"},
+            "content": json.dumps(
+                {
+                    "id": 1,
+                    "name": "SomeOrg Group",
+                    "path": "someorg",
+                    "description": "An interesting group",
+                    "visibility": "public",
+                    "lfs_enabled": True,
+                    "avatar_url": "avatar_url" if not null_avatar else None,
+                    "web_url": "http://gitlab.com/groups/someorg",
+                    "request_access_enabled": False,
+                    "full_name": "SomeOrg Group",
+                    "full_path": "someorg",
+                    "parent_id": None,
+                }
+            ),
+        }
+
+    return group_handler
+
+
+@urlmatch(netloc=r"fakegitlab", path=r"/api/v4/projects/4/repository/files/Dockerfile$")
+def dockerfile_handler(_, request):
+    if not request.headers.get("Authorization") == "Bearer foobar":
+        return {"status_code": 401}
 
     return {
-      'status_code': 200,
-      'headers': {
-        'Content-Type': 'application/json',
-      },
-      'content': json.dumps({
-        "id": 1,
-        "name": "SomeOrg Group",
-        "path": "someorg",
-        "description": "An interesting group",
-        "visibility": "public",
-        "lfs_enabled": True,
-        "avatar_url": 'avatar_url' if not null_avatar else None,
-        "web_url": "http://gitlab.com/groups/someorg",
-        "request_access_enabled": False,
-        "full_name": "SomeOrg Group",
-        "full_path": "someorg",
-        "parent_id": None,
-      }),
+        "status_code": 200,
+        "headers": {"Content-Type": "application/json"},
+        "content": json.dumps(
+            {
+                "file_name": "Dockerfile",
+                "file_path": "Dockerfile",
+                "size": 10,
+                "encoding": "base64",
+                "content": base64.b64encode("hello world"),
+                "ref": "master",
+                "blob_id": "79f7bbd25901e8334750839545a9bd021f0e4c83",
+                "commit_id": "d5a3ff139356ce33e37e73add446f16869741b50",
+                "last_commit_id": "570e7b2abdd848b95f2f578043fc23bd6f6fd24d",
+            }
+        ),
     }
-  return group_handler
 
 
-@urlmatch(netloc=r'fakegitlab', path=r'/api/v4/projects/4/repository/files/Dockerfile$')
-def dockerfile_handler(_, request):
-  if not request.headers.get('Authorization') == 'Bearer foobar':
-    return {'status_code': 401}
-
-  return {
-    'status_code': 200,
-    'headers': {
-      'Content-Type': 'application/json',
-    },
-    'content': json.dumps({
-      "file_name": "Dockerfile",
-      "file_path": "Dockerfile",
-      "size": 10,
-      "encoding": "base64",
-      "content": base64.b64encode('hello world'),
-      "ref": "master",
-      "blob_id": "79f7bbd25901e8334750839545a9bd021f0e4c83",
-      "commit_id": "d5a3ff139356ce33e37e73add446f16869741b50",
-      "last_commit_id": "570e7b2abdd848b95f2f578043fc23bd6f6fd24d"
-    }),
-  }
-
-
-@urlmatch(netloc=r'fakegitlab', path=r'/api/v4/projects/4/repository/files/somesubdir%2FDockerfile$')
+@urlmatch(
+    netloc=r"fakegitlab",
+    path=r"/api/v4/projects/4/repository/files/somesubdir%2FDockerfile$",
+)
 def sub_dockerfile_handler(_, request):
-  if not request.headers.get('Authorization') == 'Bearer foobar':
-    return {'status_code': 401}
+    if not request.headers.get("Authorization") == "Bearer foobar":
+        return {"status_code": 401}
 
-  return {
-    'status_code': 200,
-    'headers': {
-      'Content-Type': 'application/json',
-    },
-    'content': json.dumps({
-      "file_name": "Dockerfile",
-      "file_path": "somesubdir/Dockerfile",
-      "size": 10,
-      "encoding": "base64",
-      "content": base64.b64encode('hi universe'),
-      "ref": "master",
-      "blob_id": "79f7bbd25901e8334750839545a9bd021f0e4c83",
-      "commit_id": "d5a3ff139356ce33e37e73add446f16869741b50",
-      "last_commit_id": "570e7b2abdd848b95f2f578043fc23bd6f6fd24d"
-    }),
-  }
+    return {
+        "status_code": 200,
+        "headers": {"Content-Type": "application/json"},
+        "content": json.dumps(
+            {
+                "file_name": "Dockerfile",
+                "file_path": "somesubdir/Dockerfile",
+                "size": 10,
+                "encoding": "base64",
+                "content": base64.b64encode("hi universe"),
+                "ref": "master",
+                "blob_id": "79f7bbd25901e8334750839545a9bd021f0e4c83",
+                "commit_id": "d5a3ff139356ce33e37e73add446f16869741b50",
+                "last_commit_id": "570e7b2abdd848b95f2f578043fc23bd6f6fd24d",
+            }
+        ),
+    }
 
 
-@urlmatch(netloc=r'fakegitlab', path=r'/api/v4/projects/4/repository/tags/sometag$')
+@urlmatch(netloc=r"fakegitlab", path=r"/api/v4/projects/4/repository/tags/sometag$")
 def tag_handler(_, request):
-  if not request.headers.get('Authorization') == 'Bearer foobar':
-    return {'status_code': 401}
+    if not request.headers.get("Authorization") == "Bearer foobar":
+        return {"status_code": 401}
 
-  return {
-    'status_code': 200,
-    'headers': {
-      'Content-Type': 'application/json',
-    },
-    'content': json.dumps({
-      "name": "sometag",
-      "message": "some cool message",
-      "target": "60a8ff033665e1207714d6670fcd7b65304ec02f",
-      "commit": {
-        "id": "60a8ff033665e1207714d6670fcd7b65304ec02f",
-        "short_id": "60a8ff03",
-        "title": "Initial commit",
-        "created_at": "2017-07-26T11:08:53.000+02:00",
-        "parent_ids": [
-          "f61c062ff8bcbdb00e0a1b3317a91aed6ceee06b"
-        ],
-        "message": "v5.0.0\n",
-        "author_name": "Arthur Verschaeve",
-        "author_email": "contact@arthurverschaeve.be",
-        "authored_date": "2015-02-01T21:56:31.000+01:00",
-        "committer_name": "Arthur Verschaeve",
-        "committer_email": "contact@arthurverschaeve.be",
-        "committed_date": "2015-02-01T21:56:31.000+01:00"
-      },
-      "release": None,
-    }),
-  }
+    return {
+        "status_code": 200,
+        "headers": {"Content-Type": "application/json"},
+        "content": json.dumps(
+            {
+                "name": "sometag",
+                "message": "some cool message",
+                "target": "60a8ff033665e1207714d6670fcd7b65304ec02f",
+                "commit": {
+                    "id": "60a8ff033665e1207714d6670fcd7b65304ec02f",
+                    "short_id": "60a8ff03",
+                    "title": "Initial commit",
+                    "created_at": "2017-07-26T11:08:53.000+02:00",
+                    "parent_ids": ["f61c062ff8bcbdb00e0a1b3317a91aed6ceee06b"],
+                    "message": "v5.0.0\n",
+                    "author_name": "Arthur Verschaeve",
+                    "author_email": "contact@arthurverschaeve.be",
+                    "authored_date": "2015-02-01T21:56:31.000+01:00",
+                    "committer_name": "Arthur Verschaeve",
+                    "committer_email": "contact@arthurverschaeve.be",
+                    "committed_date": "2015-02-01T21:56:31.000+01:00",
+                },
+                "release": None,
+            }
+        ),
+    }
 
 
-@urlmatch(netloc=r'fakegitlab', path=r'/api/v4/projects/foo%2Fbar/repository/commits/60a8ff033665e1207714d6670fcd7b65304ec02f$')
+@urlmatch(
+    netloc=r"fakegitlab",
+    path=r"/api/v4/projects/foo%2Fbar/repository/commits/60a8ff033665e1207714d6670fcd7b65304ec02f$",
+)
 def commit_handler(_, request):
-  if not request.headers.get('Authorization') == 'Bearer foobar':
-    return {'status_code': 401}
+    if not request.headers.get("Authorization") == "Bearer foobar":
+        return {"status_code": 401}
 
-  return {
-    'status_code': 200,
-    'headers': {
-      'Content-Type': 'application/json',
-    },
-    'content': json.dumps({
-      "id": "60a8ff033665e1207714d6670fcd7b65304ec02f",             
-      "short_id": "60a8ff03366",
-      "title": "Sanitize for network graph",
-      "author_name": "someguy",
-      "author_email": "some.guy@gmail.com",
-      "committer_name": "Some Guy",
-      "committer_email": "some.guy@gmail.com",
-      "created_at": "2012-09-20T09:06:12+03:00",
-      "message": "Sanitize for network graph",
-      "committed_date": "2012-09-20T09:06:12+03:00",
-      "authored_date": "2012-09-20T09:06:12+03:00",
-      "parent_ids": [
-        "ae1d9fb46aa2b07ee9836d49862ec4e2c46fbbba"
-      ],
-      "last_pipeline" : {
-        "id": 8,
-        "ref": "master",
-        "sha": "2dc6aa325a317eda67812f05600bdf0fcdc70ab0",
-        "status": "created",
-      },
-      "stats": {
-        "additions": 15,
-        "deletions": 10,
-        "total": 25
-      },
-      "status": "running"
-    }),
-  }
+    return {
+        "status_code": 200,
+        "headers": {"Content-Type": "application/json"},
+        "content": json.dumps(
+            {
+                "id": "60a8ff033665e1207714d6670fcd7b65304ec02f",
+                "short_id": "60a8ff03366",
+                "title": "Sanitize for network graph",
+                "author_name": "someguy",
+                "author_email": "some.guy@gmail.com",
+                "committer_name": "Some Guy",
+                "committer_email": "some.guy@gmail.com",
+                "created_at": "2012-09-20T09:06:12+03:00",
+                "message": "Sanitize for network graph",
+                "committed_date": "2012-09-20T09:06:12+03:00",
+                "authored_date": "2012-09-20T09:06:12+03:00",
+                "parent_ids": ["ae1d9fb46aa2b07ee9836d49862ec4e2c46fbbba"],
+                "last_pipeline": {
+                    "id": 8,
+                    "ref": "master",
+                    "sha": "2dc6aa325a317eda67812f05600bdf0fcdc70ab0",
+                    "status": "created",
+                },
+                "stats": {"additions": 15, "deletions": 10, "total": 25},
+                "status": "running",
+            }
+        ),
+    }
 
 
-@urlmatch(netloc=r'fakegitlab', path=r'/api/v4/projects/4/deploy_keys$', method='POST')
+@urlmatch(netloc=r"fakegitlab", path=r"/api/v4/projects/4/deploy_keys$", method="POST")
 def create_deploykey_handler(_, request):
-  if not request.headers.get('Authorization') == 'Bearer foobar':
-    return {'status_code': 401}
+    if not request.headers.get("Authorization") == "Bearer foobar":
+        return {"status_code": 401}
 
-  return {
-    'status_code': 200,
-    'headers': {
-      'Content-Type': 'application/json',
-    },
-    'content': json.dumps({
-      "id": 1,
-      "title": "Public key",
-      "key": "ssh-rsa some stuff",
-      "created_at": "2013-10-02T10:12:29Z",
-      "can_push": False,
-    }),
-  }
+    return {
+        "status_code": 200,
+        "headers": {"Content-Type": "application/json"},
+        "content": json.dumps(
+            {
+                "id": 1,
+                "title": "Public key",
+                "key": "ssh-rsa some stuff",
+                "created_at": "2013-10-02T10:12:29Z",
+                "can_push": False,
+            }
+        ),
+    }
 
 
-@urlmatch(netloc=r'fakegitlab', path=r'/api/v4/projects/4/hooks$', method='POST')
+@urlmatch(netloc=r"fakegitlab", path=r"/api/v4/projects/4/hooks$", method="POST")
 def create_hook_handler(_, request):
-  if not request.headers.get('Authorization') == 'Bearer foobar':
-    return {'status_code': 401}
+    if not request.headers.get("Authorization") == "Bearer foobar":
+        return {"status_code": 401}
 
-  return {
-    'status_code': 200,
-    'headers': {
-      'Content-Type': 'application/json',
-    },
-    'content': json.dumps({
-      "id": 1,
-      "url": "http://example.com/hook",
-      "project_id": 4,
-      "push_events": True,
-      "issues_events": True,
-      "confidential_issues_events": True,
-      "merge_requests_events": True,
-      "tag_push_events": True,
-      "note_events": True,
-      "job_events": True,
-      "pipeline_events": True,
-      "wiki_page_events": True,
-      "enable_ssl_verification": True,
-      "created_at": "2012-10-12T17:04:47Z",
-    }),
-  }
+    return {
+        "status_code": 200,
+        "headers": {"Content-Type": "application/json"},
+        "content": json.dumps(
+            {
+                "id": 1,
+                "url": "http://example.com/hook",
+                "project_id": 4,
+                "push_events": True,
+                "issues_events": True,
+                "confidential_issues_events": True,
+                "merge_requests_events": True,
+                "tag_push_events": True,
+                "note_events": True,
+                "job_events": True,
+                "pipeline_events": True,
+                "wiki_page_events": True,
+                "enable_ssl_verification": True,
+                "created_at": "2012-10-12T17:04:47Z",
+            }
+        ),
+    }
 
 
-@urlmatch(netloc=r'fakegitlab', path=r'/api/v4/projects/4/hooks/1$', method='DELETE')
+@urlmatch(netloc=r"fakegitlab", path=r"/api/v4/projects/4/hooks/1$", method="DELETE")
 def delete_hook_handler(_, request):
-  if not request.headers.get('Authorization') == 'Bearer foobar':
-    return {'status_code': 401}
+    if not request.headers.get("Authorization") == "Bearer foobar":
+        return {"status_code": 401}
 
-  return {
-    'status_code': 200,
-    'headers': {
-      'Content-Type': 'application/json',
-    },
-    'content': json.dumps({}),
-  }
+    return {
+        "status_code": 200,
+        "headers": {"Content-Type": "application/json"},
+        "content": json.dumps({}),
+    }
 
 
-@urlmatch(netloc=r'fakegitlab', path=r'/api/v4/projects/4/deploy_keys/1$', method='DELETE')
+@urlmatch(
+    netloc=r"fakegitlab", path=r"/api/v4/projects/4/deploy_keys/1$", method="DELETE"
+)
 def delete_deploykey_handker(_, request):
-  if not request.headers.get('Authorization') == 'Bearer foobar':
-    return {'status_code': 401}
+    if not request.headers.get("Authorization") == "Bearer foobar":
+        return {"status_code": 401}
 
-  return {
-    'status_code': 200,
-    'headers': {
-      'Content-Type': 'application/json',
-    },
-    'content': json.dumps({}),
-  }
+    return {
+        "status_code": 200,
+        "headers": {"Content-Type": "application/json"},
+        "content": json.dumps({}),
+    }
 
 
-@urlmatch(netloc=r'fakegitlab', path=r'/api/v4/users/1/projects$')
+@urlmatch(netloc=r"fakegitlab", path=r"/api/v4/users/1/projects$")
 def user_projects_list_handler(_, request):
-  if not request.headers.get('Authorization') == 'Bearer foobar':
-    return {'status_code': 401}
+    if not request.headers.get("Authorization") == "Bearer foobar":
+        return {"status_code": 401}
 
-  return {
-    'status_code': 200,
-    'headers': {
-      'Content-Type': 'application/json',
-    },
-    'content': json.dumps([
-      {
-        "id": 2,
-        "name": "Another project",
-        "description": None,
-        "default_branch": "master",
-        "visibility": "public",
-        "path": "anotherproject",
-        "path_with_namespace": "knownuser/anotherproject",
-        "last_activity_at": "2013-09-30T13:46:02Z",
-        "web_url": "http://example.com/knownuser/anotherproject",
-      }
-    ]),
-  }
+    return {
+        "status_code": 200,
+        "headers": {"Content-Type": "application/json"},
+        "content": json.dumps(
+            [
+                {
+                    "id": 2,
+                    "name": "Another project",
+                    "description": None,
+                    "default_branch": "master",
+                    "visibility": "public",
+                    "path": "anotherproject",
+                    "path_with_namespace": "knownuser/anotherproject",
+                    "last_activity_at": "2013-09-30T13:46:02Z",
+                    "web_url": "http://example.com/knownuser/anotherproject",
+                }
+            ]
+        ),
+    }
 
 
 @contextmanager
-def get_gitlab_trigger(dockerfile_path='', add_permissions=True, missing_avatar_url=False):
-  handlers = [user_handler, users_handler, project_branches_handler, project_tree_handler,
-              project_handler, get_projects_handler(add_permissions), tag_handler,
-              project_branch_handler, get_group_handler(missing_avatar_url), dockerfile_handler,
-              sub_dockerfile_handler, namespace_handler, user_namespace_handler, namespaces_handler,
-              commit_handler, create_deploykey_handler, delete_deploykey_handker,
-              create_hook_handler, delete_hook_handler, project_tags_handler, 
-              user_projects_list_handler, catchall_handler]
+def get_gitlab_trigger(
+    dockerfile_path="", add_permissions=True, missing_avatar_url=False
+):
+    handlers = [
+        user_handler,
+        users_handler,
+        project_branches_handler,
+        project_tree_handler,
+        project_handler,
+        get_projects_handler(add_permissions),
+        tag_handler,
+        project_branch_handler,
+        get_group_handler(missing_avatar_url),
+        dockerfile_handler,
+        sub_dockerfile_handler,
+        namespace_handler,
+        user_namespace_handler,
+        namespaces_handler,
+        commit_handler,
+        create_deploykey_handler,
+        delete_deploykey_handker,
+        create_hook_handler,
+        delete_hook_handler,
+        project_tags_handler,
+        user_projects_list_handler,
+        catchall_handler,
+    ]
 
-  with HTTMock(*handlers):
-    trigger_obj = AttrDict(dict(auth_token='foobar', id='sometrigger'))
-    trigger = GitLabBuildTrigger(trigger_obj, {
-      'build_source': 'foo/bar',
-      'dockerfile_path': dockerfile_path,
-      'username': 'knownuser'
-    })
+    with HTTMock(*handlers):
+        trigger_obj = AttrDict(dict(auth_token="foobar", id="sometrigger"))
+        trigger = GitLabBuildTrigger(
+            trigger_obj,
+            {
+                "build_source": "foo/bar",
+                "dockerfile_path": dockerfile_path,
+                "username": "knownuser",
+            },
+        )
 
-    client = gitlab.Gitlab('http://fakegitlab', oauth_token='foobar', timeout=20, api_version=4)
-    client.auth()
+        client = gitlab.Gitlab(
+            "http://fakegitlab", oauth_token="foobar", timeout=20, api_version=4
+        )
+        client.auth()
 
-    trigger._get_authorized_client = lambda: client
-    yield trigger
+        trigger._get_authorized_client = lambda: client
+        yield trigger
diff --git a/buildtrigger/test/test_basehandler.py b/buildtrigger/test/test_basehandler.py
index 7162c2535..50bdb5022 100644
--- a/buildtrigger/test/test_basehandler.py
+++ b/buildtrigger/test/test_basehandler.py
@@ -3,53 +3,74 @@ import pytest
 from buildtrigger.basehandler import BuildTriggerHandler
 
 
-@pytest.mark.parametrize('input,output', [
-  ("Dockerfile", True),
-  ("server.Dockerfile", True),
-  (u"Dockerfile", True),
-  (u"server.Dockerfile", True),
-  ("bad file name", False),
-  (u"bad file name", False),
-])
+@pytest.mark.parametrize(
+    "input,output",
+    [
+        ("Dockerfile", True),
+        ("server.Dockerfile", True),
+        (u"Dockerfile", True),
+        (u"server.Dockerfile", True),
+        ("bad file name", False),
+        (u"bad file name", False),
+    ],
+)
 def test_path_is_dockerfile(input, output):
-  assert BuildTriggerHandler.filename_is_dockerfile(input) == output
+    assert BuildTriggerHandler.filename_is_dockerfile(input) == output
 
 
-@pytest.mark.parametrize('input,output', [
-  ("", {}),
-  ("/a", {"/a": ["/"]}),
-  ("a", {"/a": ["/"]}),
-  ("/b/a", {"/b/a": ["/b", "/"]}),
-  ("b/a", {"/b/a": ["/b", "/"]}),
-  ("/c/b/a", {"/c/b/a": ["/c/b", "/c", "/"]}),
-  ("/a//b//c", {"/a/b/c": ["/", "/a", "/a/b"]}),
-  ("/a", {"/a": ["/"]}),
-])
+@pytest.mark.parametrize(
+    "input,output",
+    [
+        ("", {}),
+        ("/a", {"/a": ["/"]}),
+        ("a", {"/a": ["/"]}),
+        ("/b/a", {"/b/a": ["/b", "/"]}),
+        ("b/a", {"/b/a": ["/b", "/"]}),
+        ("/c/b/a", {"/c/b/a": ["/c/b", "/c", "/"]}),
+        ("/a//b//c", {"/a/b/c": ["/", "/a", "/a/b"]}),
+        ("/a", {"/a": ["/"]}),
+    ],
+)
 def test_subdir_path_map_no_previous(input, output):
-  actual_mapping = BuildTriggerHandler.get_parent_directory_mappings(input)
-  for key in actual_mapping:
-    value = actual_mapping[key]
-    actual_mapping[key] = value.sort()
-  for key in output:
-    value = output[key]
-    output[key] = value.sort()
+    actual_mapping = BuildTriggerHandler.get_parent_directory_mappings(input)
+    for key in actual_mapping:
+        value = actual_mapping[key]
+        actual_mapping[key] = value.sort()
+    for key in output:
+        value = output[key]
+        output[key] = value.sort()
 
-  assert actual_mapping == output
+    assert actual_mapping == output
 
 
-@pytest.mark.parametrize('new_path,original_dictionary,output', [
-  ("/a", {}, {"/a": ["/"]}),
-  ("b", {"/a": ["some_path", "another_path"]}, {"/a": ["some_path", "another_path"], "/b": ["/"]}),
-  ("/a/b/c/d", {"/e": ["some_path", "another_path"]},
-   {"/e": ["some_path", "another_path"], "/a/b/c/d": ["/", "/a", "/a/b", "/a/b/c"]}),
-])
+@pytest.mark.parametrize(
+    "new_path,original_dictionary,output",
+    [
+        ("/a", {}, {"/a": ["/"]}),
+        (
+            "b",
+            {"/a": ["some_path", "another_path"]},
+            {"/a": ["some_path", "another_path"], "/b": ["/"]},
+        ),
+        (
+            "/a/b/c/d",
+            {"/e": ["some_path", "another_path"]},
+            {
+                "/e": ["some_path", "another_path"],
+                "/a/b/c/d": ["/", "/a", "/a/b", "/a/b/c"],
+            },
+        ),
+    ],
+)
 def test_subdir_path_map(new_path, original_dictionary, output):
-  actual_mapping = BuildTriggerHandler.get_parent_directory_mappings(new_path, original_dictionary)
-  for key in actual_mapping:
-    value = actual_mapping[key]
-    actual_mapping[key] = value.sort()
-  for key in output:
-    value = output[key]
-    output[key] = value.sort()
+    actual_mapping = BuildTriggerHandler.get_parent_directory_mappings(
+        new_path, original_dictionary
+    )
+    for key in actual_mapping:
+        value = actual_mapping[key]
+        actual_mapping[key] = value.sort()
+    for key in output:
+        value = output[key]
+        output[key] = value.sort()
 
-  assert actual_mapping == output
+    assert actual_mapping == output
diff --git a/buildtrigger/test/test_bitbuckethandler.py b/buildtrigger/test/test_bitbuckethandler.py
index dbb47521a..3b08917f7 100644
--- a/buildtrigger/test/test_bitbuckethandler.py
+++ b/buildtrigger/test/test_bitbuckethandler.py
@@ -2,35 +2,44 @@ import json
 import pytest
 
 from buildtrigger.test.bitbucketmock import get_bitbucket_trigger
-from buildtrigger.triggerutil import (SkipRequestException, ValidationRequestException,
-                                      InvalidPayloadException)
+from buildtrigger.triggerutil import (
+    SkipRequestException,
+    ValidationRequestException,
+    InvalidPayloadException,
+)
 from endpoints.building import PreparedBuild
 from util.morecollections import AttrDict
 
+
 @pytest.fixture
 def bitbucket_trigger():
-  return get_bitbucket_trigger()
+    return get_bitbucket_trigger()
 
 
 def test_list_build_subdirs(bitbucket_trigger):
-  assert bitbucket_trigger.list_build_subdirs() == ["/Dockerfile"]
+    assert bitbucket_trigger.list_build_subdirs() == ["/Dockerfile"]
 
 
-@pytest.mark.parametrize('dockerfile_path, contents', [
-  ('/Dockerfile', 'hello world'),
-  ('somesubdir/Dockerfile', 'hi universe'),
-  ('unknownpath', None),
-])
+@pytest.mark.parametrize(
+    "dockerfile_path, contents",
+    [
+        ("/Dockerfile", "hello world"),
+        ("somesubdir/Dockerfile", "hi universe"),
+        ("unknownpath", None),
+    ],
+)
 def test_load_dockerfile_contents(dockerfile_path, contents):
-  trigger = get_bitbucket_trigger(dockerfile_path)
-  assert trigger.load_dockerfile_contents() == contents
+    trigger = get_bitbucket_trigger(dockerfile_path)
+    assert trigger.load_dockerfile_contents() == contents
 
 
-@pytest.mark.parametrize('payload, expected_error, expected_message', [
-  ('{}', InvalidPayloadException, "'push' is a required property"),
-
-  # Valid payload:
-  ('''{
+@pytest.mark.parametrize(
+    "payload, expected_error, expected_message",
+    [
+        ("{}", InvalidPayloadException, "'push' is a required property"),
+        # Valid payload:
+        (
+            """{
     "push": {
         "changes": [{
             "new": {
@@ -51,10 +60,13 @@ def test_load_dockerfile_contents(dockerfile_path, contents):
     "repository": {
         "full_name": "foo/bar"
     }
-   }''', None, None),
-
-  # Skip message:
-  ('''{
+   }""",
+            None,
+            None,
+        ),
+        # Skip message:
+        (
+            """{
     "push": {
         "changes": [{
             "new": {
@@ -75,17 +87,25 @@ def test_load_dockerfile_contents(dockerfile_path, contents):
     "repository": {
         "full_name": "foo/bar"
     }
-   }''', SkipRequestException, ''),
-])
-def test_handle_trigger_request(bitbucket_trigger, payload, expected_error, expected_message):
-  def get_payload():
-    return json.loads(payload)
+   }""",
+            SkipRequestException,
+            "",
+        ),
+    ],
+)
+def test_handle_trigger_request(
+    bitbucket_trigger, payload, expected_error, expected_message
+):
+    def get_payload():
+        return json.loads(payload)
 
-  request = AttrDict(dict(get_json=get_payload))
+    request = AttrDict(dict(get_json=get_payload))
 
-  if expected_error is not None:
-    with pytest.raises(expected_error) as ipe:
-      bitbucket_trigger.handle_trigger_request(request)
-    assert str(ipe.value) == expected_message
-  else:
-    assert isinstance(bitbucket_trigger.handle_trigger_request(request), PreparedBuild)
+    if expected_error is not None:
+        with pytest.raises(expected_error) as ipe:
+            bitbucket_trigger.handle_trigger_request(request)
+        assert str(ipe.value) == expected_message
+    else:
+        assert isinstance(
+            bitbucket_trigger.handle_trigger_request(request), PreparedBuild
+        )
diff --git a/buildtrigger/test/test_customhandler.py b/buildtrigger/test/test_customhandler.py
index cbb5f484e..984eb27ce 100644
--- a/buildtrigger/test/test_customhandler.py
+++ b/buildtrigger/test/test_customhandler.py
@@ -1,20 +1,32 @@
 import pytest
 
 from buildtrigger.customhandler import CustomBuildTrigger
-from buildtrigger.triggerutil import (InvalidPayloadException, SkipRequestException,
-                                      TriggerStartException)
+from buildtrigger.triggerutil import (
+    InvalidPayloadException,
+    SkipRequestException,
+    TriggerStartException,
+)
 from endpoints.building import PreparedBuild
 from util.morecollections import AttrDict
 
-@pytest.mark.parametrize('payload, expected_error, expected_message', [
-  ('', InvalidPayloadException, 'Missing expected payload'),
-  ('{}', InvalidPayloadException, "'commit' is a required property"),
 
-  ('{"commit": "foo", "ref": "refs/heads/something", "default_branch": "baz"}',
-   InvalidPayloadException, "u'foo' does not match '^([A-Fa-f0-9]{7,})$'"),
-
-  ('{"commit": "11d6fbc", "ref": "refs/heads/something", "default_branch": "baz"}', None, None),
-  ('''{
+@pytest.mark.parametrize(
+    "payload, expected_error, expected_message",
+    [
+        ("", InvalidPayloadException, "Missing expected payload"),
+        ("{}", InvalidPayloadException, "'commit' is a required property"),
+        (
+            '{"commit": "foo", "ref": "refs/heads/something", "default_branch": "baz"}',
+            InvalidPayloadException,
+            "u'foo' does not match '^([A-Fa-f0-9]{7,})$'",
+        ),
+        (
+            '{"commit": "11d6fbc", "ref": "refs/heads/something", "default_branch": "baz"}',
+            None,
+            None,
+        ),
+        (
+            """{
     "commit": "11d6fbc",
     "ref": "refs/heads/something",
     "default_branch": "baz",
@@ -23,29 +35,41 @@ from util.morecollections import AttrDict
       "url": "http://foo.bar",
       "date": "NOW"
     }
-  }''', SkipRequestException, ''),
-])
+  }""",
+            SkipRequestException,
+            "",
+        ),
+    ],
+)
 def test_handle_trigger_request(payload, expected_error, expected_message):
-  trigger = CustomBuildTrigger(None, {'build_source': 'foo'})
-  request = AttrDict(dict(data=payload))
+    trigger = CustomBuildTrigger(None, {"build_source": "foo"})
+    request = AttrDict(dict(data=payload))
 
-  if expected_error is not None:
-    with pytest.raises(expected_error) as ipe:
-      trigger.handle_trigger_request(request)
-    assert str(ipe.value) == expected_message
-  else:
-    assert isinstance(trigger.handle_trigger_request(request), PreparedBuild)
+    if expected_error is not None:
+        with pytest.raises(expected_error) as ipe:
+            trigger.handle_trigger_request(request)
+        assert str(ipe.value) == expected_message
+    else:
+        assert isinstance(trigger.handle_trigger_request(request), PreparedBuild)
 
-@pytest.mark.parametrize('run_parameters, expected_error, expected_message', [
-  ({}, TriggerStartException, 'missing required parameter'),
-  ({'commit_sha': 'foo'}, TriggerStartException, "'foo' does not match '^([A-Fa-f0-9]{7,})$'"),
-  ({'commit_sha': '11d6fbc'}, None, None),
-])
+
+@pytest.mark.parametrize(
+    "run_parameters, expected_error, expected_message",
+    [
+        ({}, TriggerStartException, "missing required parameter"),
+        (
+            {"commit_sha": "foo"},
+            TriggerStartException,
+            "'foo' does not match '^([A-Fa-f0-9]{7,})$'",
+        ),
+        ({"commit_sha": "11d6fbc"}, None, None),
+    ],
+)
 def test_manual_start(run_parameters, expected_error, expected_message):
-  trigger = CustomBuildTrigger(None, {'build_source': 'foo'})
-  if expected_error is not None:
-    with pytest.raises(expected_error) as ipe:
-      trigger.manual_start(run_parameters)
-    assert str(ipe.value) == expected_message
-  else:
-    assert isinstance(trigger.manual_start(run_parameters), PreparedBuild)
+    trigger = CustomBuildTrigger(None, {"build_source": "foo"})
+    if expected_error is not None:
+        with pytest.raises(expected_error) as ipe:
+            trigger.manual_start(run_parameters)
+        assert str(ipe.value) == expected_message
+    else:
+        assert isinstance(trigger.manual_start(run_parameters), PreparedBuild)
diff --git a/buildtrigger/test/test_githosthandler.py b/buildtrigger/test/test_githosthandler.py
index fadf8dce5..f0c43b458 100644
--- a/buildtrigger/test/test_githosthandler.py
+++ b/buildtrigger/test/test_githosthandler.py
@@ -9,113 +9,145 @@ from endpoints.building import PreparedBuild
 # in this fixture. Each trigger's mock is expected to return the same data for all of these calls.
 @pytest.fixture(params=[get_github_trigger(), get_bitbucket_trigger()])
 def githost_trigger(request):
-  return request.param
-
-@pytest.mark.parametrize('run_parameters, expected_error, expected_message', [
-  # No branch or tag specified: use the commit of the default branch.
-  ({}, None, None),
-
-  # Invalid branch.
-  ({'refs': {'kind': 'branch', 'name': 'invalid'}}, TriggerStartException,
-   'Could not find branch in repository'),
-
-  # Invalid tag.
-  ({'refs': {'kind': 'tag', 'name': 'invalid'}}, TriggerStartException,
-   'Could not find tag in repository'),
-
-  # Valid branch.
-  ({'refs': {'kind': 'branch', 'name': 'master'}}, None, None),
-
-  # Valid tag.
-  ({'refs': {'kind': 'tag', 'name': 'sometag'}}, None, None),
-])
-def test_manual_start(run_parameters, expected_error, expected_message, githost_trigger):
-  if expected_error is not None:
-    with pytest.raises(expected_error) as ipe:
-      githost_trigger.manual_start(run_parameters)
-    assert str(ipe.value) == expected_message
-  else:
-    assert isinstance(githost_trigger.manual_start(run_parameters), PreparedBuild)
+    return request.param
 
 
-@pytest.mark.parametrize('name, expected', [
-  ('refs', [
-    {'kind': 'branch', 'name': 'master'},
-    {'kind': 'branch', 'name': 'otherbranch'},
-    {'kind': 'tag', 'name': 'sometag'},
-    {'kind': 'tag', 'name': 'someothertag'},
-  ]),
-  ('tag_name', set(['sometag', 'someothertag'])),
-  ('branch_name', set(['master', 'otherbranch'])),
-  ('invalid', None)
-])
+@pytest.mark.parametrize(
+    "run_parameters, expected_error, expected_message",
+    [
+        # No branch or tag specified: use the commit of the default branch.
+        ({}, None, None),
+        # Invalid branch.
+        (
+            {"refs": {"kind": "branch", "name": "invalid"}},
+            TriggerStartException,
+            "Could not find branch in repository",
+        ),
+        # Invalid tag.
+        (
+            {"refs": {"kind": "tag", "name": "invalid"}},
+            TriggerStartException,
+            "Could not find tag in repository",
+        ),
+        # Valid branch.
+        ({"refs": {"kind": "branch", "name": "master"}}, None, None),
+        # Valid tag.
+        ({"refs": {"kind": "tag", "name": "sometag"}}, None, None),
+    ],
+)
+def test_manual_start(
+    run_parameters, expected_error, expected_message, githost_trigger
+):
+    if expected_error is not None:
+        with pytest.raises(expected_error) as ipe:
+            githost_trigger.manual_start(run_parameters)
+        assert str(ipe.value) == expected_message
+    else:
+        assert isinstance(githost_trigger.manual_start(run_parameters), PreparedBuild)
+
+
+@pytest.mark.parametrize(
+    "name, expected",
+    [
+        (
+            "refs",
+            [
+                {"kind": "branch", "name": "master"},
+                {"kind": "branch", "name": "otherbranch"},
+                {"kind": "tag", "name": "sometag"},
+                {"kind": "tag", "name": "someothertag"},
+            ],
+        ),
+        ("tag_name", set(["sometag", "someothertag"])),
+        ("branch_name", set(["master", "otherbranch"])),
+        ("invalid", None),
+    ],
+)
 def test_list_field_values(name, expected, githost_trigger):
-  if expected is None:
-    assert githost_trigger.list_field_values(name) is None
-  elif isinstance(expected, set):
-    assert set(githost_trigger.list_field_values(name)) == set(expected)
-  else:
-    assert githost_trigger.list_field_values(name) == expected
+    if expected is None:
+        assert githost_trigger.list_field_values(name) is None
+    elif isinstance(expected, set):
+        assert set(githost_trigger.list_field_values(name)) == set(expected)
+    else:
+        assert githost_trigger.list_field_values(name) == expected
 
 
 def test_list_build_source_namespaces():
-  namespaces_expected = [
-    {
-      'personal': True,
-      'score': 1,
-      'avatar_url': 'avatarurl',
-      'id': 'knownuser',
-      'title': 'knownuser',
-      'url': 'https://bitbucket.org/knownuser',
-    },
-    {
-      'score': 2,
-      'title': 'someorg',
-      'personal': False,
-      'url': 'https://bitbucket.org/someorg',
-      'avatar_url': 'avatarurl',
-      'id': 'someorg'
-    }
-  ]
+    namespaces_expected = [
+        {
+            "personal": True,
+            "score": 1,
+            "avatar_url": "avatarurl",
+            "id": "knownuser",
+            "title": "knownuser",
+            "url": "https://bitbucket.org/knownuser",
+        },
+        {
+            "score": 2,
+            "title": "someorg",
+            "personal": False,
+            "url": "https://bitbucket.org/someorg",
+            "avatar_url": "avatarurl",
+            "id": "someorg",
+        },
+    ]
 
-  found = get_bitbucket_trigger().list_build_source_namespaces()
-  found.sort()
+    found = get_bitbucket_trigger().list_build_source_namespaces()
+    found.sort()
 
-  namespaces_expected.sort()
-  assert found == namespaces_expected
+    namespaces_expected.sort()
+    assert found == namespaces_expected
 
 
-@pytest.mark.parametrize('namespace, expected', [
-  ('', []),
-  ('unknown', []),
-
-  ('knownuser', [
-    {
-      'last_updated': 0, 'name': 'somerepo',
-      'url': 'https://bitbucket.org/knownuser/somerepo', 'private': True,
-      'full_name': 'knownuser/somerepo', 'has_admin_permissions': True,
-      'description': 'some somerepo repo'
-    }]),
-
-  ('someorg', [
-    {
-      'last_updated': 0, 'name': 'somerepo',
-      'url': 'https://bitbucket.org/someorg/somerepo', 'private': True,
-      'full_name': 'someorg/somerepo', 'has_admin_permissions': False,
-      'description': 'some somerepo repo'
-    },
-    {
-      'last_updated': 0, 'name': 'anotherrepo',
-      'url': 'https://bitbucket.org/someorg/anotherrepo', 'private': False,
-      'full_name': 'someorg/anotherrepo', 'has_admin_permissions': False,
-      'description': 'some anotherrepo repo'
-    }]),
-])
+@pytest.mark.parametrize(
+    "namespace, expected",
+    [
+        ("", []),
+        ("unknown", []),
+        (
+            "knownuser",
+            [
+                {
+                    "last_updated": 0,
+                    "name": "somerepo",
+                    "url": "https://bitbucket.org/knownuser/somerepo",
+                    "private": True,
+                    "full_name": "knownuser/somerepo",
+                    "has_admin_permissions": True,
+                    "description": "some somerepo repo",
+                }
+            ],
+        ),
+        (
+            "someorg",
+            [
+                {
+                    "last_updated": 0,
+                    "name": "somerepo",
+                    "url": "https://bitbucket.org/someorg/somerepo",
+                    "private": True,
+                    "full_name": "someorg/somerepo",
+                    "has_admin_permissions": False,
+                    "description": "some somerepo repo",
+                },
+                {
+                    "last_updated": 0,
+                    "name": "anotherrepo",
+                    "url": "https://bitbucket.org/someorg/anotherrepo",
+                    "private": False,
+                    "full_name": "someorg/anotherrepo",
+                    "has_admin_permissions": False,
+                    "description": "some anotherrepo repo",
+                },
+            ],
+        ),
+    ],
+)
 def test_list_build_sources_for_namespace(namespace, expected, githost_trigger):
-  assert githost_trigger.list_build_sources_for_namespace(namespace) == expected
+    assert githost_trigger.list_build_sources_for_namespace(namespace) == expected
 
 
 def test_activate_and_deactivate(githost_trigger):
-  _, private_key = githost_trigger.activate('http://some/url')
-  assert 'private_key' in private_key
-  githost_trigger.deactivate()
+    _, private_key = githost_trigger.activate("http://some/url")
+    assert "private_key" in private_key
+    githost_trigger.deactivate()
diff --git a/buildtrigger/test/test_githubhandler.py b/buildtrigger/test/test_githubhandler.py
index f7012b0cf..7866359ce 100644
--- a/buildtrigger/test/test_githubhandler.py
+++ b/buildtrigger/test/test_githubhandler.py
@@ -2,24 +2,33 @@ import json
 import pytest
 
 from buildtrigger.test.githubmock import get_github_trigger
-from buildtrigger.triggerutil import (SkipRequestException, ValidationRequestException,
-                                      InvalidPayloadException)
+from buildtrigger.triggerutil import (
+    SkipRequestException,
+    ValidationRequestException,
+    InvalidPayloadException,
+)
 from endpoints.building import PreparedBuild
 from util.morecollections import AttrDict
 
+
 @pytest.fixture
 def github_trigger():
-  return get_github_trigger()
+    return get_github_trigger()
 
 
-@pytest.mark.parametrize('payload, expected_error, expected_message', [
-  ('{"zen": true}', SkipRequestException, ""),
-
-  ('{}', InvalidPayloadException, "Missing 'repository' on request"),
-  ('{"repository": "foo"}', InvalidPayloadException, "Missing 'owner' on repository"),
-
-  # Valid payload:
-  ('''{
+@pytest.mark.parametrize(
+    "payload, expected_error, expected_message",
+    [
+        ('{"zen": true}', SkipRequestException, ""),
+        ("{}", InvalidPayloadException, "Missing 'repository' on request"),
+        (
+            '{"repository": "foo"}',
+            InvalidPayloadException,
+            "Missing 'owner' on repository",
+        ),
+        # Valid payload:
+        (
+            """{
     "repository": {
       "owner": {
         "name": "someguy"
@@ -34,10 +43,13 @@ def github_trigger():
       "message": "some message",
       "timestamp": "NOW"
     }
-  }''', None, None),
-
-  # Skip message:
-  ('''{
+  }""",
+            None,
+            None,
+        ),
+        # Skip message:
+        (
+            """{
     "repository": {
       "owner": {
         "name": "someguy"
@@ -52,66 +64,84 @@ def github_trigger():
       "message": "[skip build]",
       "timestamp": "NOW"
     }
-  }''', SkipRequestException, ''),
-])
-def test_handle_trigger_request(github_trigger, payload, expected_error, expected_message):
-  def get_payload():
-    return json.loads(payload)
+  }""",
+            SkipRequestException,
+            "",
+        ),
+    ],
+)
+def test_handle_trigger_request(
+    github_trigger, payload, expected_error, expected_message
+):
+    def get_payload():
+        return json.loads(payload)
 
-  request = AttrDict(dict(get_json=get_payload))
+    request = AttrDict(dict(get_json=get_payload))
 
-  if expected_error is not None:
-    with pytest.raises(expected_error) as ipe:
-      github_trigger.handle_trigger_request(request)
-    assert str(ipe.value) == expected_message
-  else:
-    assert isinstance(github_trigger.handle_trigger_request(request), PreparedBuild)
+    if expected_error is not None:
+        with pytest.raises(expected_error) as ipe:
+            github_trigger.handle_trigger_request(request)
+        assert str(ipe.value) == expected_message
+    else:
+        assert isinstance(github_trigger.handle_trigger_request(request), PreparedBuild)
 
 
-@pytest.mark.parametrize('dockerfile_path, contents', [
-  ('/Dockerfile', 'hello world'),
-  ('somesubdir/Dockerfile', 'hi universe'),
-  ('unknownpath', None),
-])
+@pytest.mark.parametrize(
+    "dockerfile_path, contents",
+    [
+        ("/Dockerfile", "hello world"),
+        ("somesubdir/Dockerfile", "hi universe"),
+        ("unknownpath", None),
+    ],
+)
 def test_load_dockerfile_contents(dockerfile_path, contents):
-  trigger = get_github_trigger(dockerfile_path)
-  assert trigger.load_dockerfile_contents() == contents
+    trigger = get_github_trigger(dockerfile_path)
+    assert trigger.load_dockerfile_contents() == contents
 
 
-@pytest.mark.parametrize('username, expected_response', [
-  ('unknownuser', None),
-  ('knownuser', {'html_url': 'https://bitbucket.org/knownuser', 'avatar_url': 'avatarurl'}),
-])
+@pytest.mark.parametrize(
+    "username, expected_response",
+    [
+        ("unknownuser", None),
+        (
+            "knownuser",
+            {"html_url": "https://bitbucket.org/knownuser", "avatar_url": "avatarurl"},
+        ),
+    ],
+)
 def test_lookup_user(username, expected_response, github_trigger):
-  assert github_trigger.lookup_user(username) == expected_response
+    assert github_trigger.lookup_user(username) == expected_response
 
 
 def test_list_build_subdirs(github_trigger):
-  assert github_trigger.list_build_subdirs() == ['Dockerfile', 'somesubdir/Dockerfile']
+    assert github_trigger.list_build_subdirs() == [
+        "Dockerfile",
+        "somesubdir/Dockerfile",
+    ]
 
 
 def test_list_build_source_namespaces(github_trigger):
-  namespaces_expected = [
-    {
-      'personal': True,
-      'score': 1,
-      'avatar_url': 'avatarurl',
-      'id': 'knownuser',
-      'title': 'knownuser',
-      'url': 'https://bitbucket.org/knownuser',
-    },
-    {
-      'score': 0,
-      'title': 'someorg',
-      'personal': False,
-      'url': '',
-      'avatar_url': 'avatarurl',
-      'id': 'someorg'
-    }
-  ]
+    namespaces_expected = [
+        {
+            "personal": True,
+            "score": 1,
+            "avatar_url": "avatarurl",
+            "id": "knownuser",
+            "title": "knownuser",
+            "url": "https://bitbucket.org/knownuser",
+        },
+        {
+            "score": 0,
+            "title": "someorg",
+            "personal": False,
+            "url": "",
+            "avatar_url": "avatarurl",
+            "id": "someorg",
+        },
+    ]
 
-  found = github_trigger.list_build_source_namespaces()
-  found.sort()
+    found = github_trigger.list_build_source_namespaces()
+    found.sort()
 
-  namespaces_expected.sort()
-  assert found == namespaces_expected
+    namespaces_expected.sort()
+    assert found == namespaces_expected
diff --git a/buildtrigger/test/test_gitlabhandler.py b/buildtrigger/test/test_gitlabhandler.py
index b74095a8c..cb9b50581 100644
--- a/buildtrigger/test/test_gitlabhandler.py
+++ b/buildtrigger/test/test_gitlabhandler.py
@@ -4,91 +4,111 @@ import pytest
 from mock import Mock
 
 from buildtrigger.test.gitlabmock import get_gitlab_trigger
-from buildtrigger.triggerutil import (SkipRequestException, ValidationRequestException,
-                                      InvalidPayloadException, TriggerStartException)
+from buildtrigger.triggerutil import (
+    SkipRequestException,
+    ValidationRequestException,
+    InvalidPayloadException,
+    TriggerStartException,
+)
 from endpoints.building import PreparedBuild
 from util.morecollections import AttrDict
 
+
 @pytest.fixture()
 def gitlab_trigger():
-  with get_gitlab_trigger() as t:
-    yield t
+    with get_gitlab_trigger() as t:
+        yield t
 
 
 def test_list_build_subdirs(gitlab_trigger):
-  assert gitlab_trigger.list_build_subdirs() == ['Dockerfile']
+    assert gitlab_trigger.list_build_subdirs() == ["Dockerfile"]
 
 
-@pytest.mark.parametrize('dockerfile_path, contents', [
-  ('/Dockerfile', 'hello world'),
-  ('somesubdir/Dockerfile', 'hi universe'),
-  ('unknownpath', None),
-])
+@pytest.mark.parametrize(
+    "dockerfile_path, contents",
+    [
+        ("/Dockerfile", "hello world"),
+        ("somesubdir/Dockerfile", "hi universe"),
+        ("unknownpath", None),
+    ],
+)
 def test_load_dockerfile_contents(dockerfile_path, contents):
-  with get_gitlab_trigger(dockerfile_path=dockerfile_path) as trigger:
-    assert trigger.load_dockerfile_contents() == contents
+    with get_gitlab_trigger(dockerfile_path=dockerfile_path) as trigger:
+        assert trigger.load_dockerfile_contents() == contents
 
 
-@pytest.mark.parametrize('email, expected_response', [
-  ('unknown@email.com', None),
-  ('knownuser', {'username': 'knownuser', 'html_url': 'https://bitbucket.org/knownuser',
-                 'avatar_url': 'avatarurl'}),
-])
+@pytest.mark.parametrize(
+    "email, expected_response",
+    [
+        ("unknown@email.com", None),
+        (
+            "knownuser",
+            {
+                "username": "knownuser",
+                "html_url": "https://bitbucket.org/knownuser",
+                "avatar_url": "avatarurl",
+            },
+        ),
+    ],
+)
 def test_lookup_user(email, expected_response, gitlab_trigger):
-  assert gitlab_trigger.lookup_user(email) == expected_response
+    assert gitlab_trigger.lookup_user(email) == expected_response
 
 
 def test_null_permissions():
-  with get_gitlab_trigger(add_permissions=False) as trigger:
-    sources = trigger.list_build_sources_for_namespace('someorg')
-    source = sources[0]
-    assert source['has_admin_permissions']
+    with get_gitlab_trigger(add_permissions=False) as trigger:
+        sources = trigger.list_build_sources_for_namespace("someorg")
+        source = sources[0]
+        assert source["has_admin_permissions"]
 
 
 def test_list_build_sources():
-  with get_gitlab_trigger() as trigger:
-    sources = trigger.list_build_sources_for_namespace('someorg')
-    assert sources == [
-      {
-        'last_updated': 1380548762,
-        'name': u'someproject',
-        'url': u'http://example.com/someorg/someproject',
-        'private': True,
-        'full_name': u'someorg/someproject',
-        'has_admin_permissions': False,
-        'description': ''
-      },
-      {
-        'last_updated': 1380548762,
-        'name': u'anotherproject',
-        'url': u'http://example.com/someorg/anotherproject',
-        'private': False,
-        'full_name': u'someorg/anotherproject',
-        'has_admin_permissions': True,
-        'description': '',
-      }]
+    with get_gitlab_trigger() as trigger:
+        sources = trigger.list_build_sources_for_namespace("someorg")
+        assert sources == [
+            {
+                "last_updated": 1380548762,
+                "name": u"someproject",
+                "url": u"http://example.com/someorg/someproject",
+                "private": True,
+                "full_name": u"someorg/someproject",
+                "has_admin_permissions": False,
+                "description": "",
+            },
+            {
+                "last_updated": 1380548762,
+                "name": u"anotherproject",
+                "url": u"http://example.com/someorg/anotherproject",
+                "private": False,
+                "full_name": u"someorg/anotherproject",
+                "has_admin_permissions": True,
+                "description": "",
+            },
+        ]
 
 
 def test_null_avatar():
-  with get_gitlab_trigger(missing_avatar_url=True) as trigger:
-    namespace_data = trigger.list_build_source_namespaces()
-    expected = {
-      'avatar_url': None,
-      'personal': False,
-      'title': u'someorg',
-      'url': u'http://gitlab.com/groups/someorg',
-      'score': 1,
-      'id': '2',
-    }
+    with get_gitlab_trigger(missing_avatar_url=True) as trigger:
+        namespace_data = trigger.list_build_source_namespaces()
+        expected = {
+            "avatar_url": None,
+            "personal": False,
+            "title": u"someorg",
+            "url": u"http://gitlab.com/groups/someorg",
+            "score": 1,
+            "id": "2",
+        }
 
-    assert namespace_data == [expected]
+        assert namespace_data == [expected]
 
 
-@pytest.mark.parametrize('payload, expected_error, expected_message', [
-  ('{}', InvalidPayloadException, ''),
-
-  # Valid payload:
-  ('''{
+@pytest.mark.parametrize(
+    "payload, expected_error, expected_message",
+    [
+        ("{}", InvalidPayloadException, ""),
+        # Valid payload:
+        (
+            """{
     "object_kind": "push",
     "ref": "refs/heads/master",
     "checkout_sha": "aaaaaaa",
@@ -103,10 +123,13 @@ def test_null_avatar():
         "timestamp": "now"
       }
     ]
-  }''', None, None),
-
-  # Skip message:
-  ('''{
+  }""",
+            None,
+            None,
+        ),
+        # Skip message:
+        (
+            """{
     "object_kind": "push",
     "ref": "refs/heads/master",
     "checkout_sha": "aaaaaaa",
@@ -121,111 +144,136 @@ def test_null_avatar():
         "timestamp": "now"
       }
     ]
-  }''', SkipRequestException, ''),
-])
-def test_handle_trigger_request(gitlab_trigger, payload, expected_error, expected_message):
-  def get_payload():
-    return json.loads(payload)
+  }""",
+            SkipRequestException,
+            "",
+        ),
+    ],
+)
+def test_handle_trigger_request(
+    gitlab_trigger, payload, expected_error, expected_message
+):
+    def get_payload():
+        return json.loads(payload)
 
-  request = AttrDict(dict(get_json=get_payload))
+    request = AttrDict(dict(get_json=get_payload))
 
-  if expected_error is not None:
-    with pytest.raises(expected_error) as ipe:
-      gitlab_trigger.handle_trigger_request(request)
-    assert str(ipe.value) == expected_message
-  else:
-    assert isinstance(gitlab_trigger.handle_trigger_request(request), PreparedBuild)
+    if expected_error is not None:
+        with pytest.raises(expected_error) as ipe:
+            gitlab_trigger.handle_trigger_request(request)
+        assert str(ipe.value) == expected_message
+    else:
+        assert isinstance(gitlab_trigger.handle_trigger_request(request), PreparedBuild)
 
 
-@pytest.mark.parametrize('run_parameters, expected_error, expected_message', [
-  # No branch or tag specified: use the commit of the default branch.
-  ({}, None, None),
-
-  # Invalid branch.
-  ({'refs': {'kind': 'branch', 'name': 'invalid'}}, TriggerStartException,
-   'Could not find branch in repository'),
-
-  # Invalid tag.
-  ({'refs': {'kind': 'tag', 'name': 'invalid'}}, TriggerStartException,
-   'Could not find tag in repository'),
-
-  # Valid branch.
-  ({'refs': {'kind': 'branch', 'name': 'master'}}, None, None),
-
-  # Valid tag.
-  ({'refs': {'kind': 'tag', 'name': 'sometag'}}, None, None),
-])
+@pytest.mark.parametrize(
+    "run_parameters, expected_error, expected_message",
+    [
+        # No branch or tag specified: use the commit of the default branch.
+        ({}, None, None),
+        # Invalid branch.
+        (
+            {"refs": {"kind": "branch", "name": "invalid"}},
+            TriggerStartException,
+            "Could not find branch in repository",
+        ),
+        # Invalid tag.
+        (
+            {"refs": {"kind": "tag", "name": "invalid"}},
+            TriggerStartException,
+            "Could not find tag in repository",
+        ),
+        # Valid branch.
+        ({"refs": {"kind": "branch", "name": "master"}}, None, None),
+        # Valid tag.
+        ({"refs": {"kind": "tag", "name": "sometag"}}, None, None),
+    ],
+)
 def test_manual_start(run_parameters, expected_error, expected_message, gitlab_trigger):
-  if expected_error is not None:
-    with pytest.raises(expected_error) as ipe:
-      gitlab_trigger.manual_start(run_parameters)
-    assert str(ipe.value) == expected_message
-  else:
-    assert isinstance(gitlab_trigger.manual_start(run_parameters), PreparedBuild)
+    if expected_error is not None:
+        with pytest.raises(expected_error) as ipe:
+            gitlab_trigger.manual_start(run_parameters)
+        assert str(ipe.value) == expected_message
+    else:
+        assert isinstance(gitlab_trigger.manual_start(run_parameters), PreparedBuild)
 
 
 def test_activate_and_deactivate(gitlab_trigger):
-  _, private_key = gitlab_trigger.activate('http://some/url')
-  assert 'private_key' in private_key
+    _, private_key = gitlab_trigger.activate("http://some/url")
+    assert "private_key" in private_key
 
-  gitlab_trigger.deactivate()
+    gitlab_trigger.deactivate()
 
 
-@pytest.mark.parametrize('name, expected', [
-  ('refs', [
-    {'kind': 'branch', 'name': 'master'},
-    {'kind': 'branch', 'name': 'otherbranch'},
-    {'kind': 'tag', 'name': 'sometag'},
-    {'kind': 'tag', 'name': 'someothertag'},
-  ]),
-  ('tag_name', set(['sometag', 'someothertag'])),
-  ('branch_name', set(['master', 'otherbranch'])),
-  ('invalid', None)
-])
+@pytest.mark.parametrize(
+    "name, expected",
+    [
+        (
+            "refs",
+            [
+                {"kind": "branch", "name": "master"},
+                {"kind": "branch", "name": "otherbranch"},
+                {"kind": "tag", "name": "sometag"},
+                {"kind": "tag", "name": "someothertag"},
+            ],
+        ),
+        ("tag_name", set(["sometag", "someothertag"])),
+        ("branch_name", set(["master", "otherbranch"])),
+        ("invalid", None),
+    ],
+)
 def test_list_field_values(name, expected, gitlab_trigger):
-  if expected is None:
-    assert gitlab_trigger.list_field_values(name) is None
-  elif isinstance(expected, set):
-    assert set(gitlab_trigger.list_field_values(name)) == set(expected)
-  else:
-    assert gitlab_trigger.list_field_values(name) == expected
+    if expected is None:
+        assert gitlab_trigger.list_field_values(name) is None
+    elif isinstance(expected, set):
+        assert set(gitlab_trigger.list_field_values(name)) == set(expected)
+    else:
+        assert gitlab_trigger.list_field_values(name) == expected
 
 
-@pytest.mark.parametrize('namespace, expected', [
-  ('', []),
-  ('unknown', []),
-
-  ('knownuser', [
-    {
-      'last_updated': 1380548762,
-      'name': u'anotherproject',
-      'url': u'http://example.com/knownuser/anotherproject',
-      'private': False,
-      'full_name': u'knownuser/anotherproject',
-      'has_admin_permissions': True,
-      'description': ''
-    },
-  ]),
-
-  ('someorg', [
-    {
-      'last_updated': 1380548762,
-      'name': u'someproject',
-      'url': u'http://example.com/someorg/someproject',
-      'private': True,
-      'full_name': u'someorg/someproject',
-      'has_admin_permissions': False,
-      'description': ''
-    },
-    {
-      'last_updated': 1380548762,
-      'name': u'anotherproject',
-      'url': u'http://example.com/someorg/anotherproject',
-      'private': False,
-      'full_name': u'someorg/anotherproject',
-      'has_admin_permissions': True,
-      'description': '',
-    }]),
-])
+@pytest.mark.parametrize(
+    "namespace, expected",
+    [
+        ("", []),
+        ("unknown", []),
+        (
+            "knownuser",
+            [
+                {
+                    "last_updated": 1380548762,
+                    "name": u"anotherproject",
+                    "url": u"http://example.com/knownuser/anotherproject",
+                    "private": False,
+                    "full_name": u"knownuser/anotherproject",
+                    "has_admin_permissions": True,
+                    "description": "",
+                }
+            ],
+        ),
+        (
+            "someorg",
+            [
+                {
+                    "last_updated": 1380548762,
+                    "name": u"someproject",
+                    "url": u"http://example.com/someorg/someproject",
+                    "private": True,
+                    "full_name": u"someorg/someproject",
+                    "has_admin_permissions": False,
+                    "description": "",
+                },
+                {
+                    "last_updated": 1380548762,
+                    "name": u"anotherproject",
+                    "url": u"http://example.com/someorg/anotherproject",
+                    "private": False,
+                    "full_name": u"someorg/anotherproject",
+                    "has_admin_permissions": True,
+                    "description": "",
+                },
+            ],
+        ),
+    ],
+)
 def test_list_build_sources_for_namespace(namespace, expected, gitlab_trigger):
-  assert gitlab_trigger.list_build_sources_for_namespace(namespace) == expected
+    assert gitlab_trigger.list_build_sources_for_namespace(namespace) == expected
diff --git a/buildtrigger/test/test_prepare_trigger.py b/buildtrigger/test/test_prepare_trigger.py
index e3aab6b48..839c0a91a 100644
--- a/buildtrigger/test/test_prepare_trigger.py
+++ b/buildtrigger/test/test_prepare_trigger.py
@@ -12,561 +12,577 @@ from buildtrigger.githubhandler import get_transformed_webhook_payload as gh_web
 from buildtrigger.gitlabhandler import get_transformed_webhook_payload as gl_webhook
 from buildtrigger.triggerutil import SkipRequestException
 
+
 def assertSkipped(filename, processor, *args, **kwargs):
-  with open('buildtrigger/test/triggerjson/%s.json' % filename) as f:
-    payload = json.loads(f.read())
+    with open("buildtrigger/test/triggerjson/%s.json" % filename) as f:
+        payload = json.loads(f.read())
 
-  nargs = [payload]
-  nargs.extend(args)
+    nargs = [payload]
+    nargs.extend(args)
 
-  with pytest.raises(SkipRequestException):
-    processor(*nargs, **kwargs)
+    with pytest.raises(SkipRequestException):
+        processor(*nargs, **kwargs)
 
 
 def assertSchema(filename, expected, processor, *args, **kwargs):
-  with open('buildtrigger/test/triggerjson/%s.json' % filename) as f:
-    payload = json.loads(f.read())
+    with open("buildtrigger/test/triggerjson/%s.json" % filename) as f:
+        payload = json.loads(f.read())
 
-  nargs = [payload]
-  nargs.extend(args)
+    nargs = [payload]
+    nargs.extend(args)
 
-  created = processor(*nargs, **kwargs)
-  assert created == expected
-  validate(created, METADATA_SCHEMA)
+    created = processor(*nargs, **kwargs)
+    assert created == expected
+    validate(created, METADATA_SCHEMA)
 
 
 def test_custom_custom():
-  expected = {
-    u'commit':u'1c002dd',
-    u'commit_info': {
-      u'url': u'gitsoftware.com/repository/commits/1234567',
-      u'date': u'timestamp',
-      u'message': u'initial commit',
-      u'committer': {
-        u'username': u'user',
-        u'url': u'gitsoftware.com/users/user',
-        u'avatar_url': u'gravatar.com/user.png'
-      },
-      u'author': {
-        u'username': u'user',
-        u'url': u'gitsoftware.com/users/user',
-        u'avatar_url': u'gravatar.com/user.png'
-      }
-    },
-    u'ref': u'refs/heads/master',
-    u'default_branch': u'master',
-    u'git_url': u'foobar',
-  }
+    expected = {
+        u"commit": u"1c002dd",
+        u"commit_info": {
+            u"url": u"gitsoftware.com/repository/commits/1234567",
+            u"date": u"timestamp",
+            u"message": u"initial commit",
+            u"committer": {
+                u"username": u"user",
+                u"url": u"gitsoftware.com/users/user",
+                u"avatar_url": u"gravatar.com/user.png",
+            },
+            u"author": {
+                u"username": u"user",
+                u"url": u"gitsoftware.com/users/user",
+                u"avatar_url": u"gravatar.com/user.png",
+            },
+        },
+        u"ref": u"refs/heads/master",
+        u"default_branch": u"master",
+        u"git_url": u"foobar",
+    }
 
-  assertSchema('custom_webhook', expected, custom_trigger_payload, git_url='foobar')
+    assertSchema("custom_webhook", expected, custom_trigger_payload, git_url="foobar")
 
 
 def test_custom_gitlab():
-  expected = {
-    'commit': u'fb88379ee45de28a0a4590fddcbd8eff8b36026e',
-    'ref': u'refs/heads/master',
-    'git_url': u'git@gitlab.com:jsmith/somerepo.git',
-    'commit_info': {
-      'url': u'https://gitlab.com/jsmith/somerepo/commit/fb88379ee45de28a0a4590fddcbd8eff8b36026e',
-      'date': u'2015-08-13T19:33:18+00:00',
-      'message': u'Fix link\n',
-    },
-  }
+    expected = {
+        "commit": u"fb88379ee45de28a0a4590fddcbd8eff8b36026e",
+        "ref": u"refs/heads/master",
+        "git_url": u"git@gitlab.com:jsmith/somerepo.git",
+        "commit_info": {
+            "url": u"https://gitlab.com/jsmith/somerepo/commit/fb88379ee45de28a0a4590fddcbd8eff8b36026e",
+            "date": u"2015-08-13T19:33:18+00:00",
+            "message": u"Fix link\n",
+        },
+    }
 
-  assertSchema('gitlab_webhook', expected, custom_trigger_payload, git_url='git@gitlab.com:jsmith/somerepo.git')
+    assertSchema(
+        "gitlab_webhook",
+        expected,
+        custom_trigger_payload,
+        git_url="git@gitlab.com:jsmith/somerepo.git",
+    )
 
 
 def test_custom_github():
-  expected = {
-    'commit': u'410f4cdf8ff09b87f245b13845e8497f90b90a4c',
-    'ref': u'refs/heads/master',
-    'default_branch': u'master',
-    'git_url': u'git@github.com:jsmith/anothertest.git',
-    'commit_info': {
-      'url': u'https://github.com/jsmith/anothertest/commit/410f4cdf8ff09b87f245b13845e8497f90b90a4c',
-      'date': u'2015-09-11T14:26:16-04:00',
-      'message': u'Update Dockerfile',
-      'committer': {
-        'username': u'jsmith',
-      },
-      'author': {
-        'username': u'jsmith',
-      },
-    },
-  }
+    expected = {
+        "commit": u"410f4cdf8ff09b87f245b13845e8497f90b90a4c",
+        "ref": u"refs/heads/master",
+        "default_branch": u"master",
+        "git_url": u"git@github.com:jsmith/anothertest.git",
+        "commit_info": {
+            "url": u"https://github.com/jsmith/anothertest/commit/410f4cdf8ff09b87f245b13845e8497f90b90a4c",
+            "date": u"2015-09-11T14:26:16-04:00",
+            "message": u"Update Dockerfile",
+            "committer": {"username": u"jsmith"},
+            "author": {"username": u"jsmith"},
+        },
+    }
 
-  assertSchema('github_webhook', expected, custom_trigger_payload,
-               git_url='git@github.com:jsmith/anothertest.git')
+    assertSchema(
+        "github_webhook",
+        expected,
+        custom_trigger_payload,
+        git_url="git@github.com:jsmith/anothertest.git",
+    )
 
 
 def test_custom_bitbucket():
-  expected = {
-    "commit": u"af64ae7188685f8424040b4735ad12941b980d75",
-    "ref": u"refs/heads/master",
-    "git_url": u"git@bitbucket.org:jsmith/another-repo.git",
-    "commit_info": {
-      "url": u"https://bitbucket.org/jsmith/another-repo/commits/af64ae7188685f8424040b4735ad12941b980d75",
-      "date": u"2015-09-10T20:40:54+00:00",
-      "message": u"Dockerfile edited online with Bitbucket",
-      "author": {
-        "username": u"John Smith",
-        "avatar_url": u"https://bitbucket.org/account/jsmith/avatar/32/",
-      },
-      "committer": {
-        "username": u"John Smith",
-        "avatar_url": u"https://bitbucket.org/account/jsmith/avatar/32/",
-      },
-    },
-  }
+    expected = {
+        "commit": u"af64ae7188685f8424040b4735ad12941b980d75",
+        "ref": u"refs/heads/master",
+        "git_url": u"git@bitbucket.org:jsmith/another-repo.git",
+        "commit_info": {
+            "url": u"https://bitbucket.org/jsmith/another-repo/commits/af64ae7188685f8424040b4735ad12941b980d75",
+            "date": u"2015-09-10T20:40:54+00:00",
+            "message": u"Dockerfile edited online with Bitbucket",
+            "author": {
+                "username": u"John Smith",
+                "avatar_url": u"https://bitbucket.org/account/jsmith/avatar/32/",
+            },
+            "committer": {
+                "username": u"John Smith",
+                "avatar_url": u"https://bitbucket.org/account/jsmith/avatar/32/",
+            },
+        },
+    }
 
-  assertSchema('bitbucket_webhook', expected, custom_trigger_payload, git_url='git@bitbucket.org:jsmith/another-repo.git')
+    assertSchema(
+        "bitbucket_webhook",
+        expected,
+        custom_trigger_payload,
+        git_url="git@bitbucket.org:jsmith/another-repo.git",
+    )
 
 
 def test_bitbucket_customer_payload_noauthor():
-  expected = {
-    "commit": "a0ec139843b2bb281ab21a433266ddc498e605dc",
-    "ref": "refs/heads/master",
-    "git_url": "git@bitbucket.org:somecoollabs/svc-identity.git",
-    "commit_info": {
-      "url": "https://bitbucket.org/somecoollabs/svc-identity/commits/a0ec139843b2bb281ab21a433266ddc498e605dc",
-      "date": "2015-09-25T00:55:08+00:00",
-      "message": "Update version.py to 0.1.2 [skip ci]\n\n(by utilitybelt/scripts/autotag_version.py)\n",
-      "committer": {
-        "username": "CodeShip Tagging",
-        "avatar_url": "https://bitbucket.org/account/SomeCoolLabs_CodeShip/avatar/32/",
-      },
-    },
-  }
+    expected = {
+        "commit": "a0ec139843b2bb281ab21a433266ddc498e605dc",
+        "ref": "refs/heads/master",
+        "git_url": "git@bitbucket.org:somecoollabs/svc-identity.git",
+        "commit_info": {
+            "url": "https://bitbucket.org/somecoollabs/svc-identity/commits/a0ec139843b2bb281ab21a433266ddc498e605dc",
+            "date": "2015-09-25T00:55:08+00:00",
+            "message": "Update version.py to 0.1.2 [skip ci]\n\n(by utilitybelt/scripts/autotag_version.py)\n",
+            "committer": {
+                "username": "CodeShip Tagging",
+                "avatar_url": "https://bitbucket.org/account/SomeCoolLabs_CodeShip/avatar/32/",
+            },
+        },
+    }
 
-  assertSchema('bitbucket_customer_example_noauthor', expected, bb_webhook)
+    assertSchema("bitbucket_customer_example_noauthor", expected, bb_webhook)
 
 
 def test_bitbucket_customer_payload_tag():
-  expected = {
-    "commit": "a0ec139843b2bb281ab21a433266ddc498e605dc",
-    "ref": "refs/tags/0.1.2",
-    "git_url": "git@bitbucket.org:somecoollabs/svc-identity.git",
-    "commit_info": {
-      "url": "https://bitbucket.org/somecoollabs/svc-identity/commits/a0ec139843b2bb281ab21a433266ddc498e605dc",
-      "date": "2015-09-25T00:55:08+00:00",
-      "message": "Update version.py to 0.1.2 [skip ci]\n\n(by utilitybelt/scripts/autotag_version.py)\n",
-      "committer": {
-        "username": "CodeShip Tagging",
-        "avatar_url": "https://bitbucket.org/account/SomeCoolLabs_CodeShip/avatar/32/",
-      },
-    },
-  }
+    expected = {
+        "commit": "a0ec139843b2bb281ab21a433266ddc498e605dc",
+        "ref": "refs/tags/0.1.2",
+        "git_url": "git@bitbucket.org:somecoollabs/svc-identity.git",
+        "commit_info": {
+            "url": "https://bitbucket.org/somecoollabs/svc-identity/commits/a0ec139843b2bb281ab21a433266ddc498e605dc",
+            "date": "2015-09-25T00:55:08+00:00",
+            "message": "Update version.py to 0.1.2 [skip ci]\n\n(by utilitybelt/scripts/autotag_version.py)\n",
+            "committer": {
+                "username": "CodeShip Tagging",
+                "avatar_url": "https://bitbucket.org/account/SomeCoolLabs_CodeShip/avatar/32/",
+            },
+        },
+    }
 
-  assertSchema('bitbucket_customer_example_tag', expected, bb_webhook)
+    assertSchema("bitbucket_customer_example_tag", expected, bb_webhook)
 
 
 def test_bitbucket_commit():
-  ref = 'refs/heads/somebranch'
-  default_branch = 'somebranch'
-  repository_name = 'foo/bar'
+    ref = "refs/heads/somebranch"
+    default_branch = "somebranch"
+    repository_name = "foo/bar"
 
-  def lookup_author(_):
-    return {
-      'user': {
-        'display_name': 'cooluser',
-        'avatar': 'http://some/avatar/url'
-      }
+    def lookup_author(_):
+        return {
+            "user": {"display_name": "cooluser", "avatar": "http://some/avatar/url"}
+        }
+
+    expected = {
+        "commit": u"abdeaf1b2b4a6b9ddf742c1e1754236380435a62",
+        "ref": u"refs/heads/somebranch",
+        "git_url": u"git@bitbucket.org:foo/bar.git",
+        "default_branch": u"somebranch",
+        "commit_info": {
+            "url": u"https://bitbucket.org/foo/bar/commits/abdeaf1b2b4a6b9ddf742c1e1754236380435a62",
+            "date": u"2012-07-24 00:26:36",
+            "message": u"making some changes\n",
+            "author": {
+                "avatar_url": u"http://some/avatar/url",
+                "username": u"cooluser",
+            },
+        },
     }
 
-  expected = {
-    "commit": u"abdeaf1b2b4a6b9ddf742c1e1754236380435a62",
-    "ref": u"refs/heads/somebranch",
-    "git_url": u"git@bitbucket.org:foo/bar.git",
-    "default_branch": u"somebranch",
-    "commit_info": {
-      "url": u"https://bitbucket.org/foo/bar/commits/abdeaf1b2b4a6b9ddf742c1e1754236380435a62",
-      "date": u"2012-07-24 00:26:36",
-      "message": u"making some changes\n",
-      "author": {
-        "avatar_url": u"http://some/avatar/url",
-        "username": u"cooluser",
-      }
-    }
-  }
+    assertSchema(
+        "bitbucket_commit",
+        expected,
+        bb_commit,
+        ref,
+        default_branch,
+        repository_name,
+        lookup_author,
+    )
 
-  assertSchema('bitbucket_commit', expected, bb_commit, ref, default_branch,
-               repository_name, lookup_author)
 
 def test_bitbucket_webhook_payload():
-  expected = {
-    "commit": u"af64ae7188685f8424040b4735ad12941b980d75",
-    "ref": u"refs/heads/master",
-    "git_url": u"git@bitbucket.org:jsmith/another-repo.git",
-    "commit_info": {
-      "url": u"https://bitbucket.org/jsmith/another-repo/commits/af64ae7188685f8424040b4735ad12941b980d75",
-      "date": u"2015-09-10T20:40:54+00:00",
-      "message": u"Dockerfile edited online with Bitbucket",
-      "author": {
-        "username": u"John Smith",
-        "avatar_url": u"https://bitbucket.org/account/jsmith/avatar/32/",
-      },
-      "committer": {
-        "username": u"John Smith",
-        "avatar_url": u"https://bitbucket.org/account/jsmith/avatar/32/",
-      },
-    },
-  }
+    expected = {
+        "commit": u"af64ae7188685f8424040b4735ad12941b980d75",
+        "ref": u"refs/heads/master",
+        "git_url": u"git@bitbucket.org:jsmith/another-repo.git",
+        "commit_info": {
+            "url": u"https://bitbucket.org/jsmith/another-repo/commits/af64ae7188685f8424040b4735ad12941b980d75",
+            "date": u"2015-09-10T20:40:54+00:00",
+            "message": u"Dockerfile edited online with Bitbucket",
+            "author": {
+                "username": u"John Smith",
+                "avatar_url": u"https://bitbucket.org/account/jsmith/avatar/32/",
+            },
+            "committer": {
+                "username": u"John Smith",
+                "avatar_url": u"https://bitbucket.org/account/jsmith/avatar/32/",
+            },
+        },
+    }
 
-  assertSchema('bitbucket_webhook', expected, bb_webhook)
+    assertSchema("bitbucket_webhook", expected, bb_webhook)
 
 
 def test_github_webhook_payload_slash_branch():
-  expected = {
-    'commit': u'410f4cdf8ff09b87f245b13845e8497f90b90a4c',
-    'ref': u'refs/heads/slash/branch',
-    'default_branch': u'master',
-    'git_url': u'git@github.com:jsmith/anothertest.git',
-    'commit_info': {
-      'url': u'https://github.com/jsmith/anothertest/commit/410f4cdf8ff09b87f245b13845e8497f90b90a4c',
-      'date': u'2015-09-11T14:26:16-04:00',
-      'message': u'Update Dockerfile',
-      'committer': {
-        'username': u'jsmith',
-      },
-      'author': {
-        'username': u'jsmith',
-      },
-    },
-  }
+    expected = {
+        "commit": u"410f4cdf8ff09b87f245b13845e8497f90b90a4c",
+        "ref": u"refs/heads/slash/branch",
+        "default_branch": u"master",
+        "git_url": u"git@github.com:jsmith/anothertest.git",
+        "commit_info": {
+            "url": u"https://github.com/jsmith/anothertest/commit/410f4cdf8ff09b87f245b13845e8497f90b90a4c",
+            "date": u"2015-09-11T14:26:16-04:00",
+            "message": u"Update Dockerfile",
+            "committer": {"username": u"jsmith"},
+            "author": {"username": u"jsmith"},
+        },
+    }
 
-  assertSchema('github_webhook_slash_branch', expected, gh_webhook)
+    assertSchema("github_webhook_slash_branch", expected, gh_webhook)
 
 
 def test_github_webhook_payload():
-  expected = {
-    'commit': u'410f4cdf8ff09b87f245b13845e8497f90b90a4c',
-    'ref': u'refs/heads/master',
-    'default_branch': u'master',
-    'git_url': u'git@github.com:jsmith/anothertest.git',
-    'commit_info': {
-      'url': u'https://github.com/jsmith/anothertest/commit/410f4cdf8ff09b87f245b13845e8497f90b90a4c',
-      'date': u'2015-09-11T14:26:16-04:00',
-      'message': u'Update Dockerfile',
-      'committer': {
-        'username': u'jsmith',
-      },
-      'author': {
-        'username': u'jsmith',
-      },
-    },
-  }
+    expected = {
+        "commit": u"410f4cdf8ff09b87f245b13845e8497f90b90a4c",
+        "ref": u"refs/heads/master",
+        "default_branch": u"master",
+        "git_url": u"git@github.com:jsmith/anothertest.git",
+        "commit_info": {
+            "url": u"https://github.com/jsmith/anothertest/commit/410f4cdf8ff09b87f245b13845e8497f90b90a4c",
+            "date": u"2015-09-11T14:26:16-04:00",
+            "message": u"Update Dockerfile",
+            "committer": {"username": u"jsmith"},
+            "author": {"username": u"jsmith"},
+        },
+    }
 
-  assertSchema('github_webhook', expected, gh_webhook)
+    assertSchema("github_webhook", expected, gh_webhook)
 
 
 def test_github_webhook_payload_with_lookup():
-  expected = {
-    'commit': u'410f4cdf8ff09b87f245b13845e8497f90b90a4c',
-    'ref': u'refs/heads/master',
-    'default_branch': u'master',
-    'git_url': u'git@github.com:jsmith/anothertest.git',
-    'commit_info': {
-      'url': u'https://github.com/jsmith/anothertest/commit/410f4cdf8ff09b87f245b13845e8497f90b90a4c',
-      'date': u'2015-09-11T14:26:16-04:00',
-      'message': u'Update Dockerfile',
-      'committer': {
-        'username': u'jsmith',
-        'url': u'http://github.com/jsmith',
-        'avatar_url': u'http://some/avatar/url',
-      },
-      'author': {
-        'username': u'jsmith',
-        'url': u'http://github.com/jsmith',
-        'avatar_url': u'http://some/avatar/url',
-      },
-    },
-  }
-
-  def lookup_user(_):
-    return {
-      'html_url': 'http://github.com/jsmith',
-      'avatar_url': 'http://some/avatar/url'
+    expected = {
+        "commit": u"410f4cdf8ff09b87f245b13845e8497f90b90a4c",
+        "ref": u"refs/heads/master",
+        "default_branch": u"master",
+        "git_url": u"git@github.com:jsmith/anothertest.git",
+        "commit_info": {
+            "url": u"https://github.com/jsmith/anothertest/commit/410f4cdf8ff09b87f245b13845e8497f90b90a4c",
+            "date": u"2015-09-11T14:26:16-04:00",
+            "message": u"Update Dockerfile",
+            "committer": {
+                "username": u"jsmith",
+                "url": u"http://github.com/jsmith",
+                "avatar_url": u"http://some/avatar/url",
+            },
+            "author": {
+                "username": u"jsmith",
+                "url": u"http://github.com/jsmith",
+                "avatar_url": u"http://some/avatar/url",
+            },
+        },
     }
 
-  assertSchema('github_webhook', expected, gh_webhook, lookup_user=lookup_user)
+    def lookup_user(_):
+        return {
+            "html_url": "http://github.com/jsmith",
+            "avatar_url": "http://some/avatar/url",
+        }
+
+    assertSchema("github_webhook", expected, gh_webhook, lookup_user=lookup_user)
 
 
 def test_github_webhook_payload_missing_fields_with_lookup():
-  expected = {
-    'commit': u'410f4cdf8ff09b87f245b13845e8497f90b90a4c',
-    'ref': u'refs/heads/master',
-    'default_branch': u'master',
-    'git_url': u'git@github.com:jsmith/anothertest.git',
-    'commit_info': {
-      'url': u'https://github.com/jsmith/anothertest/commit/410f4cdf8ff09b87f245b13845e8497f90b90a4c',
-      'date': u'2015-09-11T14:26:16-04:00',
-      'message': u'Update Dockerfile'
-    },
-  }
-
-  def lookup_user(username):
-    if not username:
-      raise Exception('Fail!')
-
-    return {
-      'html_url': 'http://github.com/jsmith',
-      'avatar_url': 'http://some/avatar/url'
+    expected = {
+        "commit": u"410f4cdf8ff09b87f245b13845e8497f90b90a4c",
+        "ref": u"refs/heads/master",
+        "default_branch": u"master",
+        "git_url": u"git@github.com:jsmith/anothertest.git",
+        "commit_info": {
+            "url": u"https://github.com/jsmith/anothertest/commit/410f4cdf8ff09b87f245b13845e8497f90b90a4c",
+            "date": u"2015-09-11T14:26:16-04:00",
+            "message": u"Update Dockerfile",
+        },
     }
 
-  assertSchema('github_webhook_missing', expected, gh_webhook, lookup_user=lookup_user)
+    def lookup_user(username):
+        if not username:
+            raise Exception("Fail!")
+
+        return {
+            "html_url": "http://github.com/jsmith",
+            "avatar_url": "http://some/avatar/url",
+        }
+
+    assertSchema(
+        "github_webhook_missing", expected, gh_webhook, lookup_user=lookup_user
+    )
 
 
 def test_gitlab_webhook_payload():
-  expected = {
-    'commit': u'fb88379ee45de28a0a4590fddcbd8eff8b36026e',
-    'ref': u'refs/heads/master',
-    'git_url': u'git@gitlab.com:jsmith/somerepo.git',
-    'commit_info': {
-      'url': u'https://gitlab.com/jsmith/somerepo/commit/fb88379ee45de28a0a4590fddcbd8eff8b36026e',
-      'date': u'2015-08-13T19:33:18+00:00',
-      'message': u'Fix link\n',
-    },
-  }
+    expected = {
+        "commit": u"fb88379ee45de28a0a4590fddcbd8eff8b36026e",
+        "ref": u"refs/heads/master",
+        "git_url": u"git@gitlab.com:jsmith/somerepo.git",
+        "commit_info": {
+            "url": u"https://gitlab.com/jsmith/somerepo/commit/fb88379ee45de28a0a4590fddcbd8eff8b36026e",
+            "date": u"2015-08-13T19:33:18+00:00",
+            "message": u"Fix link\n",
+        },
+    }
 
-  assertSchema('gitlab_webhook', expected, gl_webhook)
+    assertSchema("gitlab_webhook", expected, gl_webhook)
 
 
 def test_github_webhook_payload_known_issue():
-  expected = {
-    "commit": "118b07121695d9f2e40a5ff264fdcc2917680870",
-    "ref": "refs/heads/master",
-    "default_branch": "master",
-    "git_url": "git@github.com:jsmith/docker-test.git",
-    "commit_info": {
-      "url": "https://github.com/jsmith/docker-test/commit/118b07121695d9f2e40a5ff264fdcc2917680870",
-      "date": "2015-09-25T14:55:11-04:00",
-      "message": "Fail",
-    },
-  }
+    expected = {
+        "commit": "118b07121695d9f2e40a5ff264fdcc2917680870",
+        "ref": "refs/heads/master",
+        "default_branch": "master",
+        "git_url": "git@github.com:jsmith/docker-test.git",
+        "commit_info": {
+            "url": "https://github.com/jsmith/docker-test/commit/118b07121695d9f2e40a5ff264fdcc2917680870",
+            "date": "2015-09-25T14:55:11-04:00",
+            "message": "Fail",
+        },
+    }
 
-  assertSchema('github_webhook_noname', expected, gh_webhook)
+    assertSchema("github_webhook_noname", expected, gh_webhook)
 
 
 def test_github_webhook_payload_missing_fields():
-  expected = {
-    'commit': u'410f4cdf8ff09b87f245b13845e8497f90b90a4c',
-    'ref': u'refs/heads/master',
-    'default_branch': u'master',
-    'git_url': u'git@github.com:jsmith/anothertest.git',
-    'commit_info': {
-      'url': u'https://github.com/jsmith/anothertest/commit/410f4cdf8ff09b87f245b13845e8497f90b90a4c',
-      'date': u'2015-09-11T14:26:16-04:00',
-      'message': u'Update Dockerfile'
-    },
-  }
+    expected = {
+        "commit": u"410f4cdf8ff09b87f245b13845e8497f90b90a4c",
+        "ref": u"refs/heads/master",
+        "default_branch": u"master",
+        "git_url": u"git@github.com:jsmith/anothertest.git",
+        "commit_info": {
+            "url": u"https://github.com/jsmith/anothertest/commit/410f4cdf8ff09b87f245b13845e8497f90b90a4c",
+            "date": u"2015-09-11T14:26:16-04:00",
+            "message": u"Update Dockerfile",
+        },
+    }
 
-  assertSchema('github_webhook_missing', expected, gh_webhook)
+    assertSchema("github_webhook_missing", expected, gh_webhook)
 
 
 def test_gitlab_webhook_nocommit_payload():
-  assertSkipped('gitlab_webhook_nocommit', gl_webhook)
+    assertSkipped("gitlab_webhook_nocommit", gl_webhook)
 
 
 def test_gitlab_webhook_multiple_commits():
-  expected = {
-    'commit': u'9a052a0b2fbe01d4a1a88638dd9fe31c1c56ef53',
-    'ref': u'refs/heads/master',
-    'git_url': u'git@gitlab.com:jsmith/some-test-project.git',
-    'commit_info': {
-      'url': u'https://gitlab.com/jsmith/some-test-project/commit/9a052a0b2fbe01d4a1a88638dd9fe31c1c56ef53',
-      'date': u'2016-09-29T15:02:41+00:00',
-      'message': u"Merge branch 'foobar' into 'master'\r\n\r\nAdd changelog\r\n\r\nSome merge thing\r\n\r\nSee merge request !1",
-      'author': {
-        'username': 'jsmith',
-        'url': 'http://gitlab.com/jsmith',
-        'avatar_url': 'http://some/avatar/url'
-      },
-    },
-  }
-
-  def lookup_user(_):
-    return {
-      'username': 'jsmith',
-      'html_url': 'http://gitlab.com/jsmith',
-      'avatar_url': 'http://some/avatar/url',
+    expected = {
+        "commit": u"9a052a0b2fbe01d4a1a88638dd9fe31c1c56ef53",
+        "ref": u"refs/heads/master",
+        "git_url": u"git@gitlab.com:jsmith/some-test-project.git",
+        "commit_info": {
+            "url": u"https://gitlab.com/jsmith/some-test-project/commit/9a052a0b2fbe01d4a1a88638dd9fe31c1c56ef53",
+            "date": u"2016-09-29T15:02:41+00:00",
+            "message": u"Merge branch 'foobar' into 'master'\r\n\r\nAdd changelog\r\n\r\nSome merge thing\r\n\r\nSee merge request !1",
+            "author": {
+                "username": "jsmith",
+                "url": "http://gitlab.com/jsmith",
+                "avatar_url": "http://some/avatar/url",
+            },
+        },
     }
 
-  assertSchema('gitlab_webhook_multicommit', expected, gl_webhook, lookup_user=lookup_user)
+    def lookup_user(_):
+        return {
+            "username": "jsmith",
+            "html_url": "http://gitlab.com/jsmith",
+            "avatar_url": "http://some/avatar/url",
+        }
+
+    assertSchema(
+        "gitlab_webhook_multicommit", expected, gl_webhook, lookup_user=lookup_user
+    )
 
 
 def test_gitlab_webhook_for_tag():
-  expected = {
-    'commit': u'82b3d5ae55f7080f1e6022629cdb57bfae7cccc7',
-    'commit_info': {
-      'author': {
-        'avatar_url': 'http://some/avatar/url',
-        'url': 'http://gitlab.com/jsmith',
-        'username': 'jsmith'
-      },
-      'date': '2015-08-13T19:33:18+00:00',
-      'message': 'Fix link\n',
-      'url': 'https://some/url',
-    },
-    'git_url': u'git@example.com:jsmith/example.git',
-    'ref': u'refs/tags/v1.0.0',
-  }
-
-  def lookup_user(_):
-    return {
-      'username': 'jsmith',
-      'html_url': 'http://gitlab.com/jsmith',
-      'avatar_url': 'http://some/avatar/url',
+    expected = {
+        "commit": u"82b3d5ae55f7080f1e6022629cdb57bfae7cccc7",
+        "commit_info": {
+            "author": {
+                "avatar_url": "http://some/avatar/url",
+                "url": "http://gitlab.com/jsmith",
+                "username": "jsmith",
+            },
+            "date": "2015-08-13T19:33:18+00:00",
+            "message": "Fix link\n",
+            "url": "https://some/url",
+        },
+        "git_url": u"git@example.com:jsmith/example.git",
+        "ref": u"refs/tags/v1.0.0",
     }
 
-  def lookup_commit(repo_id, commit_sha):
-    if commit_sha == '82b3d5ae55f7080f1e6022629cdb57bfae7cccc7':
-      return {
-        "id": "82b3d5ae55f7080f1e6022629cdb57bfae7cccc7",
-        "message": "Fix link\n",
-        "timestamp": "2015-08-13T19:33:18+00:00",
-        "url": "https://some/url",
-        "author_name": "Foo Guy",
-        "author_email": "foo@bar.com",
-      }
+    def lookup_user(_):
+        return {
+            "username": "jsmith",
+            "html_url": "http://gitlab.com/jsmith",
+            "avatar_url": "http://some/avatar/url",
+        }
 
-    return None
+    def lookup_commit(repo_id, commit_sha):
+        if commit_sha == "82b3d5ae55f7080f1e6022629cdb57bfae7cccc7":
+            return {
+                "id": "82b3d5ae55f7080f1e6022629cdb57bfae7cccc7",
+                "message": "Fix link\n",
+                "timestamp": "2015-08-13T19:33:18+00:00",
+                "url": "https://some/url",
+                "author_name": "Foo Guy",
+                "author_email": "foo@bar.com",
+            }
 
-  assertSchema('gitlab_webhook_tag', expected, gl_webhook, lookup_user=lookup_user,
-               lookup_commit=lookup_commit)
+        return None
+
+    assertSchema(
+        "gitlab_webhook_tag",
+        expected,
+        gl_webhook,
+        lookup_user=lookup_user,
+        lookup_commit=lookup_commit,
+    )
 
 
 def test_gitlab_webhook_for_tag_nocommit():
-  assertSkipped('gitlab_webhook_tag', gl_webhook)
+    assertSkipped("gitlab_webhook_tag", gl_webhook)
 
 
 def test_gitlab_webhook_for_tag_commit_sha_null():
-  assertSkipped('gitlab_webhook_tag_commit_sha_null', gl_webhook)
+    assertSkipped("gitlab_webhook_tag_commit_sha_null", gl_webhook)
 
 
 def test_gitlab_webhook_for_tag_known_issue():
-  expected = {
-    'commit': u'770830e7ca132856991e6db4f7fc0f4dbe20bd5f',
-    'ref': u'refs/tags/thirdtag',
-    'git_url': u'git@gitlab.com:someuser/some-test-project.git',
-    'commit_info': {
-      'url': u'https://gitlab.com/someuser/some-test-project/commit/770830e7ca132856991e6db4f7fc0f4dbe20bd5f',
-      'date': u'2019-10-17T18:07:48Z',
-      'message': u'Update Dockerfile',
-      'author': {
-        'username': 'someuser',
-        'url': 'http://gitlab.com/someuser',
-        'avatar_url': 'http://some/avatar/url',
-      },
-    },
-  }
-
-  def lookup_user(_):
-    return {
-      'username': 'someuser',
-      'html_url': 'http://gitlab.com/someuser',
-      'avatar_url': 'http://some/avatar/url',
+    expected = {
+        "commit": u"770830e7ca132856991e6db4f7fc0f4dbe20bd5f",
+        "ref": u"refs/tags/thirdtag",
+        "git_url": u"git@gitlab.com:someuser/some-test-project.git",
+        "commit_info": {
+            "url": u"https://gitlab.com/someuser/some-test-project/commit/770830e7ca132856991e6db4f7fc0f4dbe20bd5f",
+            "date": u"2019-10-17T18:07:48Z",
+            "message": u"Update Dockerfile",
+            "author": {
+                "username": "someuser",
+                "url": "http://gitlab.com/someuser",
+                "avatar_url": "http://some/avatar/url",
+            },
+        },
     }
 
-  assertSchema('gitlab_webhook_tag_commit_issue', expected, gl_webhook, lookup_user=lookup_user)
+    def lookup_user(_):
+        return {
+            "username": "someuser",
+            "html_url": "http://gitlab.com/someuser",
+            "avatar_url": "http://some/avatar/url",
+        }
+
+    assertSchema(
+        "gitlab_webhook_tag_commit_issue", expected, gl_webhook, lookup_user=lookup_user
+    )
 
 
 def test_gitlab_webhook_payload_known_issue():
-  expected = {
-    'commit': u'770830e7ca132856991e6db4f7fc0f4dbe20bd5f',
-    'ref': u'refs/tags/fourthtag',
-    'git_url': u'git@gitlab.com:someuser/some-test-project.git',
-    'commit_info': {
-      'url': u'https://gitlab.com/someuser/some-test-project/commit/770830e7ca132856991e6db4f7fc0f4dbe20bd5f',
-      'date': u'2019-10-17T18:07:48Z',
-      'message': u'Update Dockerfile',
-    },
-  }
+    expected = {
+        "commit": u"770830e7ca132856991e6db4f7fc0f4dbe20bd5f",
+        "ref": u"refs/tags/fourthtag",
+        "git_url": u"git@gitlab.com:someuser/some-test-project.git",
+        "commit_info": {
+            "url": u"https://gitlab.com/someuser/some-test-project/commit/770830e7ca132856991e6db4f7fc0f4dbe20bd5f",
+            "date": u"2019-10-17T18:07:48Z",
+            "message": u"Update Dockerfile",
+        },
+    }
 
-  def lookup_commit(repo_id, commit_sha):
-    if commit_sha == '770830e7ca132856991e6db4f7fc0f4dbe20bd5f':
-      return {
-        "added": [], 
-        "author": {
-          "name": "Some User", 
-          "email": "someuser@somedomain.com"
-        }, 
-        "url": "https://gitlab.com/someuser/some-test-project/commit/770830e7ca132856991e6db4f7fc0f4dbe20bd5f", 
-        "message": "Update Dockerfile", 
-        "removed": [], 
-        "modified": [
-          "Dockerfile"
-        ], 
-        "id": "770830e7ca132856991e6db4f7fc0f4dbe20bd5f"
-      }
+    def lookup_commit(repo_id, commit_sha):
+        if commit_sha == "770830e7ca132856991e6db4f7fc0f4dbe20bd5f":
+            return {
+                "added": [],
+                "author": {"name": "Some User", "email": "someuser@somedomain.com"},
+                "url": "https://gitlab.com/someuser/some-test-project/commit/770830e7ca132856991e6db4f7fc0f4dbe20bd5f",
+                "message": "Update Dockerfile",
+                "removed": [],
+                "modified": ["Dockerfile"],
+                "id": "770830e7ca132856991e6db4f7fc0f4dbe20bd5f",
+            }
 
-    return None
+        return None
 
-  assertSchema('gitlab_webhook_known_issue', expected, gl_webhook, lookup_commit=lookup_commit)
+    assertSchema(
+        "gitlab_webhook_known_issue", expected, gl_webhook, lookup_commit=lookup_commit
+    )
 
 
 def test_gitlab_webhook_for_other():
-  assertSkipped('gitlab_webhook_other', gl_webhook)
+    assertSkipped("gitlab_webhook_other", gl_webhook)
 
 
 def test_gitlab_webhook_payload_with_lookup():
-  expected = {
-    'commit': u'fb88379ee45de28a0a4590fddcbd8eff8b36026e',
-    'ref': u'refs/heads/master',
-    'git_url': u'git@gitlab.com:jsmith/somerepo.git',
-    'commit_info': {
-      'url': u'https://gitlab.com/jsmith/somerepo/commit/fb88379ee45de28a0a4590fddcbd8eff8b36026e',
-      'date': u'2015-08-13T19:33:18+00:00',
-      'message': u'Fix link\n',
-      'author': {
-        'username': 'jsmith',
-        'url': 'http://gitlab.com/jsmith',
-        'avatar_url': 'http://some/avatar/url',
-      },
-    },
-  }
-
-  def lookup_user(_):
-    return {
-      'username': 'jsmith',
-      'html_url': 'http://gitlab.com/jsmith',
-      'avatar_url': 'http://some/avatar/url',
+    expected = {
+        "commit": u"fb88379ee45de28a0a4590fddcbd8eff8b36026e",
+        "ref": u"refs/heads/master",
+        "git_url": u"git@gitlab.com:jsmith/somerepo.git",
+        "commit_info": {
+            "url": u"https://gitlab.com/jsmith/somerepo/commit/fb88379ee45de28a0a4590fddcbd8eff8b36026e",
+            "date": u"2015-08-13T19:33:18+00:00",
+            "message": u"Fix link\n",
+            "author": {
+                "username": "jsmith",
+                "url": "http://gitlab.com/jsmith",
+                "avatar_url": "http://some/avatar/url",
+            },
+        },
     }
 
-  assertSchema('gitlab_webhook', expected, gl_webhook, lookup_user=lookup_user)
+    def lookup_user(_):
+        return {
+            "username": "jsmith",
+            "html_url": "http://gitlab.com/jsmith",
+            "avatar_url": "http://some/avatar/url",
+        }
+
+    assertSchema("gitlab_webhook", expected, gl_webhook, lookup_user=lookup_user)
 
 
 def test_github_webhook_payload_deleted_commit():
-  expected = {
-    'commit': u'456806b662cb903a0febbaed8344f3ed42f27bab',
-    'commit_info': {
-      'author': {
-        'username': u'jsmith'
-      },
-      'committer': {
-        'username': u'jsmith'
-      },
-      'date': u'2015-12-08T18:07:03-05:00',
-      'message': (u'Merge pull request #1044 from jsmith/errerror\n\n' +
-                  'Assign the exception to a variable to log it'),
-      'url': u'https://github.com/jsmith/somerepo/commit/456806b662cb903a0febbaed8344f3ed42f27bab'
-    },
-    'git_url': u'git@github.com:jsmith/somerepo.git',
-    'ref': u'refs/heads/master',
-    'default_branch': u'master',
-  }
+    expected = {
+        "commit": u"456806b662cb903a0febbaed8344f3ed42f27bab",
+        "commit_info": {
+            "author": {"username": u"jsmith"},
+            "committer": {"username": u"jsmith"},
+            "date": u"2015-12-08T18:07:03-05:00",
+            "message": (
+                u"Merge pull request #1044 from jsmith/errerror\n\n"
+                + "Assign the exception to a variable to log it"
+            ),
+            "url": u"https://github.com/jsmith/somerepo/commit/456806b662cb903a0febbaed8344f3ed42f27bab",
+        },
+        "git_url": u"git@github.com:jsmith/somerepo.git",
+        "ref": u"refs/heads/master",
+        "default_branch": u"master",
+    }
 
-  def lookup_user(_):
-    return None
+    def lookup_user(_):
+        return None
 
-  assertSchema('github_webhook_deletedcommit', expected, gh_webhook, lookup_user=lookup_user)
+    assertSchema(
+        "github_webhook_deletedcommit", expected, gh_webhook, lookup_user=lookup_user
+    )
 
 
 def test_github_webhook_known_issue():
-  def lookup_user(_):
-    return None
+    def lookup_user(_):
+        return None
 
-  assertSkipped('github_webhook_knownissue', gh_webhook, lookup_user=lookup_user)
+    assertSkipped("github_webhook_knownissue", gh_webhook, lookup_user=lookup_user)
 
 
 def test_bitbucket_webhook_known_issue():
-  assertSkipped('bitbucket_knownissue', bb_webhook)
+    assertSkipped("bitbucket_knownissue", bb_webhook)
diff --git a/buildtrigger/test/test_triggerutil.py b/buildtrigger/test/test_triggerutil.py
index 15f1bec10..6a1b6ce28 100644
--- a/buildtrigger/test/test_triggerutil.py
+++ b/buildtrigger/test/test_triggerutil.py
@@ -4,22 +4,43 @@ import pytest
 
 from buildtrigger.triggerutil import matches_ref
 
-@pytest.mark.parametrize('ref, filt, matches', [
-  ('ref/heads/master', '.+', True),
-  ('ref/heads/master', 'heads/.+', True),
-  ('ref/heads/master', 'heads/master', True),
-  ('ref/heads/slash/branch', 'heads/slash/branch', True),
-  ('ref/heads/slash/branch', 'heads/.+', True),
 
-  ('ref/heads/foobar', 'heads/master', False),
-  ('ref/heads/master', 'tags/master', False),
-
-  ('ref/heads/master', '(((heads/alpha)|(heads/beta))|(heads/gamma))|(heads/master)', True),
-  ('ref/heads/alpha', '(((heads/alpha)|(heads/beta))|(heads/gamma))|(heads/master)', True),
-  ('ref/heads/beta', '(((heads/alpha)|(heads/beta))|(heads/gamma))|(heads/master)', True),
-  ('ref/heads/gamma', '(((heads/alpha)|(heads/beta))|(heads/gamma))|(heads/master)', True),
-
-  ('ref/heads/delta', '(((heads/alpha)|(heads/beta))|(heads/gamma))|(heads/master)', False),
-])
+@pytest.mark.parametrize(
+    "ref, filt, matches",
+    [
+        ("ref/heads/master", ".+", True),
+        ("ref/heads/master", "heads/.+", True),
+        ("ref/heads/master", "heads/master", True),
+        ("ref/heads/slash/branch", "heads/slash/branch", True),
+        ("ref/heads/slash/branch", "heads/.+", True),
+        ("ref/heads/foobar", "heads/master", False),
+        ("ref/heads/master", "tags/master", False),
+        (
+            "ref/heads/master",
+            "(((heads/alpha)|(heads/beta))|(heads/gamma))|(heads/master)",
+            True,
+        ),
+        (
+            "ref/heads/alpha",
+            "(((heads/alpha)|(heads/beta))|(heads/gamma))|(heads/master)",
+            True,
+        ),
+        (
+            "ref/heads/beta",
+            "(((heads/alpha)|(heads/beta))|(heads/gamma))|(heads/master)",
+            True,
+        ),
+        (
+            "ref/heads/gamma",
+            "(((heads/alpha)|(heads/beta))|(heads/gamma))|(heads/master)",
+            True,
+        ),
+        (
+            "ref/heads/delta",
+            "(((heads/alpha)|(heads/beta))|(heads/gamma))|(heads/master)",
+            False,
+        ),
+    ],
+)
 def test_matches_ref(ref, filt, matches):
-  assert matches_ref(ref, re.compile(filt)) == matches
+    assert matches_ref(ref, re.compile(filt)) == matches
diff --git a/buildtrigger/triggerutil.py b/buildtrigger/triggerutil.py
index 5c459e53e..c24effb3f 100644
--- a/buildtrigger/triggerutil.py
+++ b/buildtrigger/triggerutil.py
@@ -3,128 +3,146 @@ import io
 import logging
 import re
 
+
 class TriggerException(Exception):
-  pass
+    pass
+
 
 class TriggerAuthException(TriggerException):
-  pass
+    pass
+
 
 class InvalidPayloadException(TriggerException):
-  pass
+    pass
+
 
 class BuildArchiveException(TriggerException):
-  pass
+    pass
+
 
 class InvalidServiceException(TriggerException):
-  pass
+    pass
+
 
 class TriggerActivationException(TriggerException):
-  pass
+    pass
+
 
 class TriggerDeactivationException(TriggerException):
-  pass
+    pass
+
 
 class TriggerStartException(TriggerException):
-  pass
+    pass
+
 
 class ValidationRequestException(TriggerException):
-  pass
+    pass
+
 
 class SkipRequestException(TriggerException):
-  pass
+    pass
+
 
 class EmptyRepositoryException(TriggerException):
-  pass
+    pass
+
 
 class RepositoryReadException(TriggerException):
-  pass
+    pass
+
 
 class TriggerProviderException(TriggerException):
-  pass
+    pass
+
 
 logger = logging.getLogger(__name__)
 
+
 def determine_build_ref(run_parameters, get_branch_sha, get_tag_sha, default_branch):
-  run_parameters = run_parameters or {}
+    run_parameters = run_parameters or {}
 
-  kind = ''
-  value = ''
+    kind = ""
+    value = ""
 
-  if 'refs' in run_parameters and run_parameters['refs']:
-    kind = run_parameters['refs']['kind']
-    value = run_parameters['refs']['name']
-  elif 'branch_name' in run_parameters:
-    kind = 'branch'
-    value = run_parameters['branch_name']
+    if "refs" in run_parameters and run_parameters["refs"]:
+        kind = run_parameters["refs"]["kind"]
+        value = run_parameters["refs"]["name"]
+    elif "branch_name" in run_parameters:
+        kind = "branch"
+        value = run_parameters["branch_name"]
 
-  kind = kind or 'branch'
-  value = value or default_branch or 'master'
+    kind = kind or "branch"
+    value = value or default_branch or "master"
 
-  ref = 'refs/tags/' + value if kind == 'tag' else 'refs/heads/' + value
-  commit_sha = get_tag_sha(value) if kind == 'tag' else get_branch_sha(value)
-  return (commit_sha, ref)
+    ref = "refs/tags/" + value if kind == "tag" else "refs/heads/" + value
+    commit_sha = get_tag_sha(value) if kind == "tag" else get_branch_sha(value)
+    return (commit_sha, ref)
 
 
 def find_matching_branches(config, branches):
-  if 'branchtag_regex' in config:
-    try:
-      regex = re.compile(config['branchtag_regex'])
-      return [branch for branch in branches
-              if matches_ref('refs/heads/' + branch, regex)]
-    except:
-      pass
+    if "branchtag_regex" in config:
+        try:
+            regex = re.compile(config["branchtag_regex"])
+            return [
+                branch
+                for branch in branches
+                if matches_ref("refs/heads/" + branch, regex)
+            ]
+        except:
+            pass
 
-  return branches
+    return branches
 
 
 def should_skip_commit(metadata):
-  if 'commit_info' in metadata:
-    message = metadata['commit_info']['message']
-    return '[skip build]' in message or '[build skip]' in message
-  return False
+    if "commit_info" in metadata:
+        message = metadata["commit_info"]["message"]
+        return "[skip build]" in message or "[build skip]" in message
+    return False
 
 
 def raise_if_skipped_build(prepared_build, config):
-  """ Raises a SkipRequestException if the given build should be skipped. """
-  # Check to ensure we have metadata.
-  if not prepared_build.metadata:
-    logger.debug('Skipping request due to missing metadata for prepared build')
-    raise SkipRequestException()
+    """ Raises a SkipRequestException if the given build should be skipped. """
+    # Check to ensure we have metadata.
+    if not prepared_build.metadata:
+        logger.debug("Skipping request due to missing metadata for prepared build")
+        raise SkipRequestException()
 
-  # Check the branchtag regex.
-  if 'branchtag_regex' in config:
-    try:
-      regex = re.compile(config['branchtag_regex'])
-    except:
-      regex = re.compile('.*')
+    # Check the branchtag regex.
+    if "branchtag_regex" in config:
+        try:
+            regex = re.compile(config["branchtag_regex"])
+        except:
+            regex = re.compile(".*")
 
-    if not matches_ref(prepared_build.metadata.get('ref'), regex):
-      raise SkipRequestException()
+        if not matches_ref(prepared_build.metadata.get("ref"), regex):
+            raise SkipRequestException()
 
-  # Check the commit message.
-  if should_skip_commit(prepared_build.metadata):
-    logger.debug('Skipping request due to commit message request')
-    raise SkipRequestException()
+    # Check the commit message.
+    if should_skip_commit(prepared_build.metadata):
+        logger.debug("Skipping request due to commit message request")
+        raise SkipRequestException()
 
 
 def matches_ref(ref, regex):
-  match_string = ref.split('/', 1)[1]
-  if not regex:
-    return False
+    match_string = ref.split("/", 1)[1]
+    if not regex:
+        return False
 
-  m = regex.match(match_string)
-  if not m:
-    return False
+    m = regex.match(match_string)
+    if not m:
+        return False
 
-  return len(m.group(0)) == len(match_string)
+    return len(m.group(0)) == len(match_string)
 
 
 def raise_unsupported():
-  raise io.UnsupportedOperation
+    raise io.UnsupportedOperation
 
 
 def get_trigger_config(trigger):
-  try:
-    return json.loads(trigger.config)
-  except ValueError:
-    return {}
+    try:
+        return json.loads(trigger.config)
+    except ValueError:
+        return {}
diff --git a/conf/gunicorn_local.py b/conf/gunicorn_local.py
index b33558ef2..ab9afc0ec 100644
--- a/conf/gunicorn_local.py
+++ b/conf/gunicorn_local.py
@@ -1,5 +1,6 @@
 import sys
 import os
+
 sys.path.append(os.path.join(os.path.dirname(__file__), "../"))
 
 import logging
@@ -10,18 +11,24 @@ from util.workers import get_worker_count
 
 
 logconfig = logfile_path(debug=True)
-bind = '0.0.0.0:5000'
-workers = get_worker_count('local', 2, minimum=2, maximum=8)
-worker_class = 'gevent'
+bind = "0.0.0.0:5000"
+workers = get_worker_count("local", 2, minimum=2, maximum=8)
+worker_class = "gevent"
 daemon = False
-pythonpath = '.'
+pythonpath = "."
 preload_app = True
 
+
 def post_fork(server, worker):
-  # Reset the Random library to ensure it won't raise the "PID check failed." error after
-  # gunicorn forks.
-  Random.atfork()
+    # Reset the Random library to ensure it won't raise the "PID check failed." error after
+    # gunicorn forks.
+    Random.atfork()
+
 
 def when_ready(server):
-  logger = logging.getLogger(__name__)
-  logger.debug('Starting local gunicorn with %s workers and %s worker class', workers, worker_class)
+    logger = logging.getLogger(__name__)
+    logger.debug(
+        "Starting local gunicorn with %s workers and %s worker class",
+        workers,
+        worker_class,
+    )
diff --git a/conf/gunicorn_registry.py b/conf/gunicorn_registry.py
index 23590ba45..c072c740f 100644
--- a/conf/gunicorn_registry.py
+++ b/conf/gunicorn_registry.py
@@ -1,5 +1,6 @@
 import sys
 import os
+
 sys.path.append(os.path.join(os.path.dirname(__file__), "../"))
 
 import logging
@@ -10,19 +11,23 @@ from util.workers import get_worker_count
 
 
 logconfig = logfile_path(debug=False)
-bind = 'unix:/tmp/gunicorn_registry.sock'
-workers = get_worker_count('registry', 4, minimum=8, maximum=64)
-worker_class = 'gevent'
-pythonpath = '.'
+bind = "unix:/tmp/gunicorn_registry.sock"
+workers = get_worker_count("registry", 4, minimum=8, maximum=64)
+worker_class = "gevent"
+pythonpath = "."
 preload_app = True
 
 
 def post_fork(server, worker):
-  # Reset the Random library to ensure it won't raise the "PID check failed." error after
-  # gunicorn forks.
-  Random.atfork()
+    # Reset the Random library to ensure it won't raise the "PID check failed." error after
+    # gunicorn forks.
+    Random.atfork()
+
 
 def when_ready(server):
-  logger = logging.getLogger(__name__)
-  logger.debug('Starting registry gunicorn with %s workers and %s worker class', workers,
-               worker_class)
+    logger = logging.getLogger(__name__)
+    logger.debug(
+        "Starting registry gunicorn with %s workers and %s worker class",
+        workers,
+        worker_class,
+    )
diff --git a/conf/gunicorn_secscan.py b/conf/gunicorn_secscan.py
index daea39c38..788d79808 100644
--- a/conf/gunicorn_secscan.py
+++ b/conf/gunicorn_secscan.py
@@ -1,5 +1,6 @@
 import sys
 import os
+
 sys.path.append(os.path.join(os.path.dirname(__file__), "../"))
 
 import logging
@@ -10,19 +11,23 @@ from util.workers import get_worker_count
 
 
 logconfig = logfile_path(debug=False)
-bind = 'unix:/tmp/gunicorn_secscan.sock'
-workers = get_worker_count('secscan', 2, minimum=2, maximum=4)
-worker_class = 'gevent'
-pythonpath = '.'
+bind = "unix:/tmp/gunicorn_secscan.sock"
+workers = get_worker_count("secscan", 2, minimum=2, maximum=4)
+worker_class = "gevent"
+pythonpath = "."
 preload_app = True
 
 
 def post_fork(server, worker):
-  # Reset the Random library to ensure it won't raise the "PID check failed." error after
-  # gunicorn forks.
-  Random.atfork()
+    # Reset the Random library to ensure it won't raise the "PID check failed." error after
+    # gunicorn forks.
+    Random.atfork()
+
 
 def when_ready(server):
-  logger = logging.getLogger(__name__)
-  logger.debug('Starting secscan gunicorn with %s workers and %s worker class', workers,
-               worker_class)
+    logger = logging.getLogger(__name__)
+    logger.debug(
+        "Starting secscan gunicorn with %s workers and %s worker class",
+        workers,
+        worker_class,
+    )
diff --git a/conf/gunicorn_verbs.py b/conf/gunicorn_verbs.py
index 9502f7563..2e6482384 100644
--- a/conf/gunicorn_verbs.py
+++ b/conf/gunicorn_verbs.py
@@ -1,5 +1,6 @@
 import sys
 import os
+
 sys.path.append(os.path.join(os.path.dirname(__file__), "../"))
 
 import logging
@@ -10,18 +11,21 @@ from util.workers import get_worker_count
 
 logconfig = logfile_path(debug=False)
 
-bind = 'unix:/tmp/gunicorn_verbs.sock'
-workers = get_worker_count('verbs', 2, minimum=2, maximum=32)
-pythonpath = '.'
+bind = "unix:/tmp/gunicorn_verbs.sock"
+workers = get_worker_count("verbs", 2, minimum=2, maximum=32)
+pythonpath = "."
 preload_app = True
 timeout = 2000  # Because sync workers
 
 
 def post_fork(server, worker):
-  # Reset the Random library to ensure it won't raise the "PID check failed." error after
-  # gunicorn forks.
-  Random.atfork()
+    # Reset the Random library to ensure it won't raise the "PID check failed." error after
+    # gunicorn forks.
+    Random.atfork()
+
 
 def when_ready(server):
-  logger = logging.getLogger(__name__)
-  logger.debug('Starting verbs gunicorn with %s workers and sync worker class', workers)
+    logger = logging.getLogger(__name__)
+    logger.debug(
+        "Starting verbs gunicorn with %s workers and sync worker class", workers
+    )
diff --git a/conf/gunicorn_web.py b/conf/gunicorn_web.py
index 8bd1abaa0..2461861c2 100644
--- a/conf/gunicorn_web.py
+++ b/conf/gunicorn_web.py
@@ -1,5 +1,6 @@
 import sys
 import os
+
 sys.path.append(os.path.join(os.path.dirname(__file__), "../"))
 
 import logging
@@ -11,18 +12,23 @@ from util.workers import get_worker_count
 
 logconfig = logfile_path(debug=False)
 
-bind = 'unix:/tmp/gunicorn_web.sock'
-workers = get_worker_count('web', 2, minimum=2, maximum=32)
-worker_class = 'gevent'
-pythonpath = '.'
+bind = "unix:/tmp/gunicorn_web.sock"
+workers = get_worker_count("web", 2, minimum=2, maximum=32)
+worker_class = "gevent"
+pythonpath = "."
 preload_app = True
 
+
 def post_fork(server, worker):
-  # Reset the Random library to ensure it won't raise the "PID check failed." error after
-  # gunicorn forks.
-  Random.atfork()
+    # Reset the Random library to ensure it won't raise the "PID check failed." error after
+    # gunicorn forks.
+    Random.atfork()
+
 
 def when_ready(server):
-  logger = logging.getLogger(__name__)
-  logger.debug('Starting web gunicorn with %s workers and %s worker class', workers,
-               worker_class)
+    logger = logging.getLogger(__name__)
+    logger.debug(
+        "Starting web gunicorn with %s workers and %s worker class",
+        workers,
+        worker_class,
+    )
diff --git a/conf/init/nginx_conf_create.py b/conf/init/nginx_conf_create.py
index 56a59a2d2..7b264a015 100644
--- a/conf/init/nginx_conf_create.py
+++ b/conf/init/nginx_conf_create.py
@@ -7,120 +7,130 @@ import jinja2
 QUAYPATH = os.getenv("QUAYPATH", ".")
 QUAYDIR = os.getenv("QUAYDIR", "/")
 QUAYCONF_DIR = os.getenv("QUAYCONF", os.path.join(QUAYDIR, QUAYPATH, "conf"))
-STATIC_DIR = os.path.join(QUAYDIR, 'static')
+STATIC_DIR = os.path.join(QUAYDIR, "static")
 
-SSL_PROTOCOL_DEFAULTS = ['TLSv1', 'TLSv1.1', 'TLSv1.2']
+SSL_PROTOCOL_DEFAULTS = ["TLSv1", "TLSv1.1", "TLSv1.2"]
 SSL_CIPHER_DEFAULTS = [
-  'ECDHE-RSA-AES128-GCM-SHA256',
-  'ECDHE-ECDSA-AES128-GCM-SHA256',
-  'ECDHE-RSA-AES256-GCM-SHA384',
-  'ECDHE-ECDSA-AES256-GCM-SHA384',
-  'DHE-RSA-AES128-GCM-SHA256',
-  'DHE-DSS-AES128-GCM-SHA256',
-  'kEDH+AESGCM',
-  'ECDHE-RSA-AES128-SHA256',
-  'ECDHE-ECDSA-AES128-SHA256',
-  'ECDHE-RSA-AES128-SHA',
-  'ECDHE-ECDSA-AES128-SHA',
-  'ECDHE-RSA-AES256-SHA384',
-  'ECDHE-ECDSA-AES256-SHA384',
-  'ECDHE-RSA-AES256-SHA',
-  'ECDHE-ECDSA-AES256-SHA',
-  'DHE-RSA-AES128-SHA256',
-  'DHE-RSA-AES128-SHA',
-  'DHE-DSS-AES128-SHA256',
-  'DHE-RSA-AES256-SHA256',
-  'DHE-DSS-AES256-SHA',
-  'DHE-RSA-AES256-SHA',
-  'AES128-GCM-SHA256',
-  'AES256-GCM-SHA384',
-  'AES128-SHA256',
-  'AES256-SHA256',
-  'AES128-SHA',
-  'AES256-SHA',
-  'AES',
-  'CAMELLIA',
-  '!3DES',
-  '!aNULL',
-  '!eNULL',
-  '!EXPORT',
-  '!DES',
-  '!RC4',
-  '!MD5',
-  '!PSK',
-  '!aECDH',
-  '!EDH-DSS-DES-CBC3-SHA',
-  '!EDH-RSA-DES-CBC3-SHA',
-  '!KRB5-DES-CBC3-SHA',
+    "ECDHE-RSA-AES128-GCM-SHA256",
+    "ECDHE-ECDSA-AES128-GCM-SHA256",
+    "ECDHE-RSA-AES256-GCM-SHA384",
+    "ECDHE-ECDSA-AES256-GCM-SHA384",
+    "DHE-RSA-AES128-GCM-SHA256",
+    "DHE-DSS-AES128-GCM-SHA256",
+    "kEDH+AESGCM",
+    "ECDHE-RSA-AES128-SHA256",
+    "ECDHE-ECDSA-AES128-SHA256",
+    "ECDHE-RSA-AES128-SHA",
+    "ECDHE-ECDSA-AES128-SHA",
+    "ECDHE-RSA-AES256-SHA384",
+    "ECDHE-ECDSA-AES256-SHA384",
+    "ECDHE-RSA-AES256-SHA",
+    "ECDHE-ECDSA-AES256-SHA",
+    "DHE-RSA-AES128-SHA256",
+    "DHE-RSA-AES128-SHA",
+    "DHE-DSS-AES128-SHA256",
+    "DHE-RSA-AES256-SHA256",
+    "DHE-DSS-AES256-SHA",
+    "DHE-RSA-AES256-SHA",
+    "AES128-GCM-SHA256",
+    "AES256-GCM-SHA384",
+    "AES128-SHA256",
+    "AES256-SHA256",
+    "AES128-SHA",
+    "AES256-SHA",
+    "AES",
+    "CAMELLIA",
+    "!3DES",
+    "!aNULL",
+    "!eNULL",
+    "!EXPORT",
+    "!DES",
+    "!RC4",
+    "!MD5",
+    "!PSK",
+    "!aECDH",
+    "!EDH-DSS-DES-CBC3-SHA",
+    "!EDH-RSA-DES-CBC3-SHA",
+    "!KRB5-DES-CBC3-SHA",
 ]
 
-def write_config(filename, **kwargs):
-  with open(filename + ".jnj") as f:
-    template = jinja2.Template(f.read())
-  rendered = template.render(kwargs)
 
-  with open(filename, 'w') as f:
-    f.write(rendered)
+def write_config(filename, **kwargs):
+    with open(filename + ".jnj") as f:
+        template = jinja2.Template(f.read())
+    rendered = template.render(kwargs)
+
+    with open(filename, "w") as f:
+        f.write(rendered)
 
 
 def generate_nginx_config(config):
-  """
+    """
   Generates nginx config from the app config
   """
-  config = config or {}
-  use_https = os.path.exists(os.path.join(QUAYCONF_DIR, 'stack/ssl.key'))
-  use_old_certs = os.path.exists(os.path.join(QUAYCONF_DIR, 'stack/ssl.old.key'))
-  v1_only_domain = config.get('V1_ONLY_DOMAIN', None)
-  enable_rate_limits = config.get('FEATURE_RATE_LIMITS', False)
-  ssl_protocols = config.get('SSL_PROTOCOLS', SSL_PROTOCOL_DEFAULTS)
-  ssl_ciphers = config.get('SSL_CIPHERS', SSL_CIPHER_DEFAULTS)
+    config = config or {}
+    use_https = os.path.exists(os.path.join(QUAYCONF_DIR, "stack/ssl.key"))
+    use_old_certs = os.path.exists(os.path.join(QUAYCONF_DIR, "stack/ssl.old.key"))
+    v1_only_domain = config.get("V1_ONLY_DOMAIN", None)
+    enable_rate_limits = config.get("FEATURE_RATE_LIMITS", False)
+    ssl_protocols = config.get("SSL_PROTOCOLS", SSL_PROTOCOL_DEFAULTS)
+    ssl_ciphers = config.get("SSL_CIPHERS", SSL_CIPHER_DEFAULTS)
 
-  write_config(os.path.join(QUAYCONF_DIR, 'nginx/nginx.conf'), use_https=use_https,
-               use_old_certs=use_old_certs,
-               enable_rate_limits=enable_rate_limits,
-               v1_only_domain=v1_only_domain,
-               ssl_protocols=ssl_protocols,
-               ssl_ciphers=':'.join(ssl_ciphers))
+    write_config(
+        os.path.join(QUAYCONF_DIR, "nginx/nginx.conf"),
+        use_https=use_https,
+        use_old_certs=use_old_certs,
+        enable_rate_limits=enable_rate_limits,
+        v1_only_domain=v1_only_domain,
+        ssl_protocols=ssl_protocols,
+        ssl_ciphers=":".join(ssl_ciphers),
+    )
 
 
 def generate_server_config(config):
-  """
+    """
   Generates server config from the app config
   """
-  config = config or {}
-  tuf_server = config.get('TUF_SERVER', None)
-  tuf_host = config.get('TUF_HOST', None)
-  signing_enabled = config.get('FEATURE_SIGNING', False)
-  maximum_layer_size = config.get('MAXIMUM_LAYER_SIZE', '20G')
-  enable_rate_limits = config.get('FEATURE_RATE_LIMITS', False)
+    config = config or {}
+    tuf_server = config.get("TUF_SERVER", None)
+    tuf_host = config.get("TUF_HOST", None)
+    signing_enabled = config.get("FEATURE_SIGNING", False)
+    maximum_layer_size = config.get("MAXIMUM_LAYER_SIZE", "20G")
+    enable_rate_limits = config.get("FEATURE_RATE_LIMITS", False)
 
-  write_config(
-    os.path.join(QUAYCONF_DIR, 'nginx/server-base.conf'), tuf_server=tuf_server, tuf_host=tuf_host,
-    signing_enabled=signing_enabled, maximum_layer_size=maximum_layer_size,
-    enable_rate_limits=enable_rate_limits,
-    static_dir=STATIC_DIR)
+    write_config(
+        os.path.join(QUAYCONF_DIR, "nginx/server-base.conf"),
+        tuf_server=tuf_server,
+        tuf_host=tuf_host,
+        signing_enabled=signing_enabled,
+        maximum_layer_size=maximum_layer_size,
+        enable_rate_limits=enable_rate_limits,
+        static_dir=STATIC_DIR,
+    )
 
 
 def generate_rate_limiting_config(config):
-  """
+    """
   Generates rate limiting config from the app config
   """
-  config = config or {}
-  non_rate_limited_namespaces = config.get('NON_RATE_LIMITED_NAMESPACES') or set()
-  enable_rate_limits = config.get('FEATURE_RATE_LIMITS', False)
-  write_config(
-    os.path.join(QUAYCONF_DIR, 'nginx/rate-limiting.conf'),
-    non_rate_limited_namespaces=non_rate_limited_namespaces,
-    enable_rate_limits=enable_rate_limits,
-    static_dir=STATIC_DIR)
+    config = config or {}
+    non_rate_limited_namespaces = config.get("NON_RATE_LIMITED_NAMESPACES") or set()
+    enable_rate_limits = config.get("FEATURE_RATE_LIMITS", False)
+    write_config(
+        os.path.join(QUAYCONF_DIR, "nginx/rate-limiting.conf"),
+        non_rate_limited_namespaces=non_rate_limited_namespaces,
+        enable_rate_limits=enable_rate_limits,
+        static_dir=STATIC_DIR,
+    )
+
 
 if __name__ == "__main__":
-  if os.path.exists(os.path.join(QUAYCONF_DIR, 'stack/config.yaml')):
-    with open(os.path.join(QUAYCONF_DIR, 'stack/config.yaml'), 'r') as f:
-      config = yaml.load(f)
-  else:
-    config = None
+    if os.path.exists(os.path.join(QUAYCONF_DIR, "stack/config.yaml")):
+        with open(os.path.join(QUAYCONF_DIR, "stack/config.yaml"), "r") as f:
+            config = yaml.load(f)
+    else:
+        config = None
 
-  generate_rate_limiting_config(config)
-  generate_server_config(config)
-  generate_nginx_config(config)
+    generate_rate_limiting_config(config)
+    generate_server_config(config)
+    generate_nginx_config(config)
diff --git a/conf/init/supervisord_conf_create.py b/conf/init/supervisord_conf_create.py
index 50f5cabbf..0463d6dfd 100644
--- a/conf/init/supervisord_conf_create.py
+++ b/conf/init/supervisord_conf_create.py
@@ -12,136 +12,74 @@ QUAY_OVERRIDE_SERVICES = os.getenv("QUAY_OVERRIDE_SERVICES", [])
 
 
 def default_services():
-  return {
-    "blobuploadcleanupworker": {
-      "autostart": "true"
-    },
-    "buildlogsarchiver": {
-      "autostart": "true"
-    },
-    "builder": {
-      "autostart": "true"
-    },
-    "chunkcleanupworker": {
-      "autostart": "true"
-    },
-    "expiredappspecifictokenworker": {
-      "autostart": "true"
-    },
-    "exportactionlogsworker": {
-      "autostart": "true"
-    },
-    "gcworker": {
-      "autostart": "true"
-    },
-    "globalpromstats": {
-      "autostart": "true"
-    },
-    "labelbackfillworker": {
-      "autostart": "true"
-    },
-    "logrotateworker": {
-      "autostart": "true"
-    },
-    "namespacegcworker": {
-      "autostart": "true"
-    },
-    "notificationworker": {
-      "autostart": "true"
-    },
-    "queuecleanupworker": {
-      "autostart": "true"
-    },
-    "repositoryactioncounter": {
-      "autostart": "true"
-    },
-    "security_notification_worker": {
-      "autostart": "true"
-    },
-    "securityworker": {
-      "autostart": "true"
-    },
-    "storagereplication": {
-      "autostart": "true"
-    },
-    "tagbackfillworker": {
-      "autostart": "true"
-    },
-    "teamsyncworker": {
-      "autostart": "true"
-    },
-    "dnsmasq": {
-      "autostart": "true"
-    },
-    "gunicorn-registry": {
-      "autostart": "true"
-    },
-    "gunicorn-secscan": {
-      "autostart": "true"
-    },
-    "gunicorn-verbs": {
-      "autostart": "true"
-    },
-    "gunicorn-web": {
-      "autostart": "true"
-    },
-    "ip-resolver-update-worker": {
-      "autostart": "true"
-    },
-    "jwtproxy": {
-      "autostart": "true"
-    },
-    "memcache": {
-      "autostart": "true"
-    },
-    "nginx": {
-      "autostart": "true"
-    },
-    "prometheus-aggregator": {
-      "autostart": "true"
-    },
-    "servicekey": {
-      "autostart": "true"
-    },
-    "repomirrorworker": {
-      "autostart": "false"
+    return {
+        "blobuploadcleanupworker": {"autostart": "true"},
+        "buildlogsarchiver": {"autostart": "true"},
+        "builder": {"autostart": "true"},
+        "chunkcleanupworker": {"autostart": "true"},
+        "expiredappspecifictokenworker": {"autostart": "true"},
+        "exportactionlogsworker": {"autostart": "true"},
+        "gcworker": {"autostart": "true"},
+        "globalpromstats": {"autostart": "true"},
+        "labelbackfillworker": {"autostart": "true"},
+        "logrotateworker": {"autostart": "true"},
+        "namespacegcworker": {"autostart": "true"},
+        "notificationworker": {"autostart": "true"},
+        "queuecleanupworker": {"autostart": "true"},
+        "repositoryactioncounter": {"autostart": "true"},
+        "security_notification_worker": {"autostart": "true"},
+        "securityworker": {"autostart": "true"},
+        "storagereplication": {"autostart": "true"},
+        "tagbackfillworker": {"autostart": "true"},
+        "teamsyncworker": {"autostart": "true"},
+        "dnsmasq": {"autostart": "true"},
+        "gunicorn-registry": {"autostart": "true"},
+        "gunicorn-secscan": {"autostart": "true"},
+        "gunicorn-verbs": {"autostart": "true"},
+        "gunicorn-web": {"autostart": "true"},
+        "ip-resolver-update-worker": {"autostart": "true"},
+        "jwtproxy": {"autostart": "true"},
+        "memcache": {"autostart": "true"},
+        "nginx": {"autostart": "true"},
+        "prometheus-aggregator": {"autostart": "true"},
+        "servicekey": {"autostart": "true"},
+        "repomirrorworker": {"autostart": "false"},
     }
-}
 
 
 def generate_supervisord_config(filename, config):
-  with open(filename + ".jnj") as f:
-    template = jinja2.Template(f.read())
-  rendered = template.render(config=config)
+    with open(filename + ".jnj") as f:
+        template = jinja2.Template(f.read())
+    rendered = template.render(config=config)
 
-  with open(filename, 'w') as f:
-    f.write(rendered)
+    with open(filename, "w") as f:
+        f.write(rendered)
 
 
 def limit_services(config, enabled_services):
-  if enabled_services == []:
-    return
+    if enabled_services == []:
+        return
 
-  for service in config.keys():
-    if service in enabled_services:
-      config[service]["autostart"] = "true"
-    else:
-      config[service]["autostart"] = "false"
+    for service in config.keys():
+        if service in enabled_services:
+            config[service]["autostart"] = "true"
+        else:
+            config[service]["autostart"] = "false"
 
 
 def override_services(config, override_services):
-  if override_services == []:
-    return
+    if override_services == []:
+        return
 
-  for service in config.keys():
-    if service + "=true" in override_services:
-      config[service]["autostart"] = "true"
-    elif service + "=false" in override_services:
-      config[service]["autostart"] = "false"
+    for service in config.keys():
+        if service + "=true" in override_services:
+            config[service]["autostart"] = "true"
+        elif service + "=false" in override_services:
+            config[service]["autostart"] = "false"
 
 
 if __name__ == "__main__":
-  config = default_services()
-  limit_services(config, QUAY_SERVICES)
-  override_services(config, QUAY_OVERRIDE_SERVICES)
-  generate_supervisord_config(os.path.join(QUAYCONF_DIR, 'supervisord.conf'), config)
+    config = default_services()
+    limit_services(config, QUAY_SERVICES)
+    override_services(config, QUAY_OVERRIDE_SERVICES)
+    generate_supervisord_config(os.path.join(QUAYCONF_DIR, "supervisord.conf"), config)
diff --git a/conf/init/test/test_supervisord_conf_create.py b/conf/init/test/test_supervisord_conf_create.py
index 8972b2e39..75c7313d4 100644
--- a/conf/init/test/test_supervisord_conf_create.py
+++ b/conf/init/test/test_supervisord_conf_create.py
@@ -6,17 +6,23 @@ import jinja2
 
 from ..supervisord_conf_create import QUAYCONF_DIR, default_services, limit_services
 
+
 def render_supervisord_conf(config):
-  with open(os.path.join(os.path.dirname(os.path.abspath(__file__)), "../../supervisord.conf.jnj")) as f:
-    template = jinja2.Template(f.read())
-  return template.render(config=config)
+    with open(
+        os.path.join(
+            os.path.dirname(os.path.abspath(__file__)), "../../supervisord.conf.jnj"
+        )
+    ) as f:
+        template = jinja2.Template(f.read())
+    return template.render(config=config)
+
 
 def test_supervisord_conf_create_defaults():
-  config = default_services()
-  limit_services(config, [])
-  rendered = render_supervisord_conf(config)
+    config = default_services()
+    limit_services(config, [])
+    rendered = render_supervisord_conf(config)
 
-  expected = """[supervisord]
+    expected = """[supervisord]
 nodaemon=true
 
 [unix_http_server]
@@ -392,14 +398,15 @@ stderr_logfile_maxbytes=0
 stdout_events_enabled = true
 stderr_events_enabled = true
 # EOF NO NEWLINE"""
-  assert rendered == expected
+    assert rendered == expected
+
 
 def test_supervisord_conf_create_all_overrides():
-  config = default_services()
-  limit_services(config, "servicekey,prometheus-aggregator")
-  rendered = render_supervisord_conf(config)
+    config = default_services()
+    limit_services(config, "servicekey,prometheus-aggregator")
+    rendered = render_supervisord_conf(config)
 
-  expected = """[supervisord]
+    expected = """[supervisord]
 nodaemon=true
 
 [unix_http_server]
@@ -775,4 +782,4 @@ stderr_logfile_maxbytes=0
 stdout_events_enabled = true
 stderr_events_enabled = true
 # EOF NO NEWLINE"""
-  assert rendered == expected
+    assert rendered == expected
diff --git a/config.py b/config.py
index ae742ece8..df693df58 100644
--- a/config.py
+++ b/config.py
@@ -7,603 +7,682 @@ from _init import ROOT_DIR, CONF_DIR
 
 
 def build_requests_session():
-  sess = requests.Session()
-  adapter = requests.adapters.HTTPAdapter(pool_connections=100,
-                                          pool_maxsize=100)
-  sess.mount('http://', adapter)
-  sess.mount('https://', adapter)
-  return sess
+    sess = requests.Session()
+    adapter = requests.adapters.HTTPAdapter(pool_connections=100, pool_maxsize=100)
+    sess.mount("http://", adapter)
+    sess.mount("https://", adapter)
+    return sess
 
 
 # The set of configuration key names that will be accessible in the client. Since these
 # values are sent to the frontend, DO NOT PLACE ANY SECRETS OR KEYS in this list.
-CLIENT_WHITELIST = ['SERVER_HOSTNAME', 'PREFERRED_URL_SCHEME', 'MIXPANEL_KEY',
-                    'STRIPE_PUBLISHABLE_KEY', 'ENTERPRISE_LOGO_URL', 'SENTRY_PUBLIC_DSN',
-                    'AUTHENTICATION_TYPE', 'REGISTRY_TITLE', 'REGISTRY_TITLE_SHORT',
-                    'CONTACT_INFO', 'AVATAR_KIND', 'LOCAL_OAUTH_HANDLER',
-                    'SETUP_COMPLETE', 'DEBUG', 'MARKETO_MUNCHKIN_ID',
-                    'STATIC_SITE_BUCKET', 'RECAPTCHA_SITE_KEY', 'CHANNEL_COLORS',
-                    'TAG_EXPIRATION_OPTIONS', 'INTERNAL_OIDC_SERVICE_ID',
-                    'SEARCH_RESULTS_PER_PAGE', 'SEARCH_MAX_RESULT_PAGE_COUNT', 'BRANDING']
+CLIENT_WHITELIST = [
+    "SERVER_HOSTNAME",
+    "PREFERRED_URL_SCHEME",
+    "MIXPANEL_KEY",
+    "STRIPE_PUBLISHABLE_KEY",
+    "ENTERPRISE_LOGO_URL",
+    "SENTRY_PUBLIC_DSN",
+    "AUTHENTICATION_TYPE",
+    "REGISTRY_TITLE",
+    "REGISTRY_TITLE_SHORT",
+    "CONTACT_INFO",
+    "AVATAR_KIND",
+    "LOCAL_OAUTH_HANDLER",
+    "SETUP_COMPLETE",
+    "DEBUG",
+    "MARKETO_MUNCHKIN_ID",
+    "STATIC_SITE_BUCKET",
+    "RECAPTCHA_SITE_KEY",
+    "CHANNEL_COLORS",
+    "TAG_EXPIRATION_OPTIONS",
+    "INTERNAL_OIDC_SERVICE_ID",
+    "SEARCH_RESULTS_PER_PAGE",
+    "SEARCH_MAX_RESULT_PAGE_COUNT",
+    "BRANDING",
+]
 
 
 def frontend_visible_config(config_dict):
-  visible_dict = {}
-  for name in CLIENT_WHITELIST:
-    if name.lower().find('secret') >= 0:
-      raise Exception('Cannot whitelist secrets: %s' % name)
+    visible_dict = {}
+    for name in CLIENT_WHITELIST:
+        if name.lower().find("secret") >= 0:
+            raise Exception("Cannot whitelist secrets: %s" % name)
 
-    if name in config_dict:
-      visible_dict[name] = config_dict.get(name, None)
-    if 'ENTERPRISE_LOGO_URL' in config_dict:
-      visible_dict['BRANDING'] = visible_dict.get('BRANDING', {})
-      visible_dict['BRANDING']['logo'] = config_dict['ENTERPRISE_LOGO_URL']
+        if name in config_dict:
+            visible_dict[name] = config_dict.get(name, None)
+        if "ENTERPRISE_LOGO_URL" in config_dict:
+            visible_dict["BRANDING"] = visible_dict.get("BRANDING", {})
+            visible_dict["BRANDING"]["logo"] = config_dict["ENTERPRISE_LOGO_URL"]
 
-  return visible_dict
+    return visible_dict
 
 
 # Configuration that should not be changed by end users
 class ImmutableConfig(object):
 
-  # Requests based HTTP client with a large request pool
-  HTTPCLIENT = build_requests_session()
+    # Requests based HTTP client with a large request pool
+    HTTPCLIENT = build_requests_session()
 
-  # Status tag config
-  STATUS_TAGS = {}
-  for tag_name in ['building', 'failed', 'none', 'ready', 'cancelled']:
-    tag_path = os.path.join(ROOT_DIR, 'buildstatus', tag_name + '.svg')
-    with open(tag_path) as tag_svg:
-      STATUS_TAGS[tag_name] = tag_svg.read()
+    # Status tag config
+    STATUS_TAGS = {}
+    for tag_name in ["building", "failed", "none", "ready", "cancelled"]:
+        tag_path = os.path.join(ROOT_DIR, "buildstatus", tag_name + ".svg")
+        with open(tag_path) as tag_svg:
+            STATUS_TAGS[tag_name] = tag_svg.read()
 
-  # Reverse DNS prefixes that are reserved for internal use on labels and should not be allowable
-  # to be set via the API.
-  DEFAULT_LABEL_KEY_RESERVED_PREFIXES = ['com.docker.', 'io.docker.', 'org.dockerproject.',
-                                         'org.opencontainers.', 'io.cncf.',
-                                         'io.kubernetes.', 'io.k8s.',
-                                         'io.quay', 'com.coreos', 'com.tectonic',
-                                         'internal', 'quay']
+    # Reverse DNS prefixes that are reserved for internal use on labels and should not be allowable
+    # to be set via the API.
+    DEFAULT_LABEL_KEY_RESERVED_PREFIXES = [
+        "com.docker.",
+        "io.docker.",
+        "org.dockerproject.",
+        "org.opencontainers.",
+        "io.cncf.",
+        "io.kubernetes.",
+        "io.k8s.",
+        "io.quay",
+        "com.coreos",
+        "com.tectonic",
+        "internal",
+        "quay",
+    ]
 
-  # Colors for local avatars.
-  AVATAR_COLORS = ['#969696', '#aec7e8', '#ff7f0e', '#ffbb78', '#2ca02c', '#98df8a', '#d62728',
-                   '#ff9896', '#9467bd', '#c5b0d5', '#8c564b', '#c49c94', '#e377c2', '#f7b6d2',
-                   '#7f7f7f', '#c7c7c7', '#bcbd22', '#1f77b4', '#17becf', '#9edae5', '#393b79',
-                   '#5254a3', '#6b6ecf', '#9c9ede', '#9ecae1', '#31a354', '#b5cf6b', '#a1d99b',
-                   '#8c6d31', '#ad494a', '#e7ba52', '#a55194']
+    # Colors for local avatars.
+    AVATAR_COLORS = [
+        "#969696",
+        "#aec7e8",
+        "#ff7f0e",
+        "#ffbb78",
+        "#2ca02c",
+        "#98df8a",
+        "#d62728",
+        "#ff9896",
+        "#9467bd",
+        "#c5b0d5",
+        "#8c564b",
+        "#c49c94",
+        "#e377c2",
+        "#f7b6d2",
+        "#7f7f7f",
+        "#c7c7c7",
+        "#bcbd22",
+        "#1f77b4",
+        "#17becf",
+        "#9edae5",
+        "#393b79",
+        "#5254a3",
+        "#6b6ecf",
+        "#9c9ede",
+        "#9ecae1",
+        "#31a354",
+        "#b5cf6b",
+        "#a1d99b",
+        "#8c6d31",
+        "#ad494a",
+        "#e7ba52",
+        "#a55194",
+    ]
 
-  # Colors for channels.
-  CHANNEL_COLORS = ['#969696', '#aec7e8', '#ff7f0e', '#ffbb78', '#2ca02c', '#98df8a', '#d62728',
-                    '#ff9896', '#9467bd', '#c5b0d5', '#8c564b', '#c49c94', '#e377c2', '#f7b6d2',
-                    '#7f7f7f', '#c7c7c7', '#bcbd22', '#1f77b4', '#17becf', '#9edae5', '#393b79',
-                    '#5254a3', '#6b6ecf', '#9c9ede', '#9ecae1', '#31a354', '#b5cf6b', '#a1d99b',
-                    '#8c6d31', '#ad494a', '#e7ba52', '#a55194']
+    # Colors for channels.
+    CHANNEL_COLORS = [
+        "#969696",
+        "#aec7e8",
+        "#ff7f0e",
+        "#ffbb78",
+        "#2ca02c",
+        "#98df8a",
+        "#d62728",
+        "#ff9896",
+        "#9467bd",
+        "#c5b0d5",
+        "#8c564b",
+        "#c49c94",
+        "#e377c2",
+        "#f7b6d2",
+        "#7f7f7f",
+        "#c7c7c7",
+        "#bcbd22",
+        "#1f77b4",
+        "#17becf",
+        "#9edae5",
+        "#393b79",
+        "#5254a3",
+        "#6b6ecf",
+        "#9c9ede",
+        "#9ecae1",
+        "#31a354",
+        "#b5cf6b",
+        "#a1d99b",
+        "#8c6d31",
+        "#ad494a",
+        "#e7ba52",
+        "#a55194",
+    ]
 
-  PROPAGATE_EXCEPTIONS = True
+    PROPAGATE_EXCEPTIONS = True
 
 
 class DefaultConfig(ImmutableConfig):
-  # Flask config
-  JSONIFY_PRETTYPRINT_REGULAR = False
-  SESSION_COOKIE_SECURE = False
-
-  SESSION_COOKIE_HTTPONLY = True
-  SESSION_COOKIE_SAMESITE = 'Lax'
+    # Flask config
+    JSONIFY_PRETTYPRINT_REGULAR = False
+    SESSION_COOKIE_SECURE = False
 
-  LOGGING_LEVEL = 'DEBUG'
-  SEND_FILE_MAX_AGE_DEFAULT = 0
-  PREFERRED_URL_SCHEME = 'http'
-  SERVER_HOSTNAME = 'localhost:5000'
+    SESSION_COOKIE_HTTPONLY = True
+    SESSION_COOKIE_SAMESITE = "Lax"
 
-  REGISTRY_TITLE = 'Project Quay'
-  REGISTRY_TITLE_SHORT = 'Project Quay'
+    LOGGING_LEVEL = "DEBUG"
+    SEND_FILE_MAX_AGE_DEFAULT = 0
+    PREFERRED_URL_SCHEME = "http"
+    SERVER_HOSTNAME = "localhost:5000"
 
-  CONTACT_INFO = []
+    REGISTRY_TITLE = "Project Quay"
+    REGISTRY_TITLE_SHORT = "Project Quay"
 
-  # Mail config
-  MAIL_SERVER = ''
-  MAIL_USE_TLS = True
-  MAIL_PORT = 587
-  MAIL_USERNAME = None
-  MAIL_PASSWORD = None
-  MAIL_DEFAULT_SENDER = 'example@projectquay.io'
-  MAIL_FAIL_SILENTLY = False
-  TESTING = True
+    CONTACT_INFO = []
 
-  # DB config
-  DB_URI = 'sqlite:///test/data/test.db'
-  DB_CONNECTION_ARGS = {
-    'threadlocals': True,
-    'autorollback': True,
-  }
+    # Mail config
+    MAIL_SERVER = ""
+    MAIL_USE_TLS = True
+    MAIL_PORT = 587
+    MAIL_USERNAME = None
+    MAIL_PASSWORD = None
+    MAIL_DEFAULT_SENDER = "example@projectquay.io"
+    MAIL_FAIL_SILENTLY = False
+    TESTING = True
 
-  @staticmethod
-  def create_transaction(db):
-    return db.transaction()
+    # DB config
+    DB_URI = "sqlite:///test/data/test.db"
+    DB_CONNECTION_ARGS = {"threadlocals": True, "autorollback": True}
 
-  DB_TRANSACTION_FACTORY = create_transaction
+    @staticmethod
+    def create_transaction(db):
+        return db.transaction()
 
-  # If set to 'readonly', the entire registry is placed into read only mode and no write operations
-  # may be performed against it.
-  REGISTRY_STATE = 'normal'
+    DB_TRANSACTION_FACTORY = create_transaction
 
-  # If set to true, TLS is used, but is terminated by an external service (such as a load balancer).
-  # Note that PREFERRED_URL_SCHEME must be `https` when this flag is set or it can lead to undefined
-  # behavior.
-  EXTERNAL_TLS_TERMINATION = False
+    # If set to 'readonly', the entire registry is placed into read only mode and no write operations
+    # may be performed against it.
+    REGISTRY_STATE = "normal"
 
-  # If true, CDN URLs will be used for our external dependencies, rather than the local
-  # copies.
-  USE_CDN = False
+    # If set to true, TLS is used, but is terminated by an external service (such as a load balancer).
+    # Note that PREFERRED_URL_SCHEME must be `https` when this flag is set or it can lead to undefined
+    # behavior.
+    EXTERNAL_TLS_TERMINATION = False
 
-  # Authentication
-  AUTHENTICATION_TYPE = 'Database'
+    # If true, CDN URLs will be used for our external dependencies, rather than the local
+    # copies.
+    USE_CDN = False
 
-  # Build logs
-  BUILDLOGS_REDIS = {'host': 'localhost'}
-  BUILDLOGS_OPTIONS = []
+    # Authentication
+    AUTHENTICATION_TYPE = "Database"
 
-  # Real-time user events
-  USER_EVENTS_REDIS = {'host': 'localhost'}
+    # Build logs
+    BUILDLOGS_REDIS = {"host": "localhost"}
+    BUILDLOGS_OPTIONS = []
 
-  # Stripe config
-  BILLING_TYPE = 'FakeStripe'
+    # Real-time user events
+    USER_EVENTS_REDIS = {"host": "localhost"}
 
-  # Analytics
-  ANALYTICS_TYPE = 'FakeAnalytics'
+    # Stripe config
+    BILLING_TYPE = "FakeStripe"
 
-  # Build Queue Metrics
-  QUEUE_METRICS_TYPE = 'Null'
-  QUEUE_WORKER_METRICS_REFRESH_SECONDS = 300
+    # Analytics
+    ANALYTICS_TYPE = "FakeAnalytics"
 
-  # Exception logging
-  EXCEPTION_LOG_TYPE = 'FakeSentry'
-  SENTRY_DSN = None
-  SENTRY_PUBLIC_DSN = None
+    # Build Queue Metrics
+    QUEUE_METRICS_TYPE = "Null"
+    QUEUE_WORKER_METRICS_REFRESH_SECONDS = 300
 
-  # Github Config
-  GITHUB_LOGIN_CONFIG = None
-  GITHUB_TRIGGER_CONFIG = None
+    # Exception logging
+    EXCEPTION_LOG_TYPE = "FakeSentry"
+    SENTRY_DSN = None
+    SENTRY_PUBLIC_DSN = None
 
-  # Google Config.
-  GOOGLE_LOGIN_CONFIG = None
+    # Github Config
+    GITHUB_LOGIN_CONFIG = None
+    GITHUB_TRIGGER_CONFIG = None
 
-  # Bitbucket Config.
-  BITBUCKET_TRIGGER_CONFIG = None
+    # Google Config.
+    GOOGLE_LOGIN_CONFIG = None
 
-  # Gitlab Config.
-  GITLAB_TRIGGER_CONFIG = None
+    # Bitbucket Config.
+    BITBUCKET_TRIGGER_CONFIG = None
 
-  NOTIFICATION_QUEUE_NAME = 'notification'
-  DOCKERFILE_BUILD_QUEUE_NAME = 'dockerfilebuild'
-  REPLICATION_QUEUE_NAME = 'imagestoragereplication'
-  SECSCAN_NOTIFICATION_QUEUE_NAME = 'security_notification'
-  CHUNK_CLEANUP_QUEUE_NAME = 'chunk_cleanup'
-  NAMESPACE_GC_QUEUE_NAME = 'namespacegc'
-  EXPORT_ACTION_LOGS_QUEUE_NAME = 'exportactionlogs'
+    # Gitlab Config.
+    GITLAB_TRIGGER_CONFIG = None
 
-  # Super user config. Note: This MUST BE an empty list for the default config.
-  SUPER_USERS = []
+    NOTIFICATION_QUEUE_NAME = "notification"
+    DOCKERFILE_BUILD_QUEUE_NAME = "dockerfilebuild"
+    REPLICATION_QUEUE_NAME = "imagestoragereplication"
+    SECSCAN_NOTIFICATION_QUEUE_NAME = "security_notification"
+    CHUNK_CLEANUP_QUEUE_NAME = "chunk_cleanup"
+    NAMESPACE_GC_QUEUE_NAME = "namespacegc"
+    EXPORT_ACTION_LOGS_QUEUE_NAME = "exportactionlogs"
 
-  # Feature Flag: Whether sessions are permanent.
-  FEATURE_PERMANENT_SESSIONS = True
+    # Super user config. Note: This MUST BE an empty list for the default config.
+    SUPER_USERS = []
 
-  # Feature Flag: Whether super users are supported.
-  FEATURE_SUPER_USERS = True
+    # Feature Flag: Whether sessions are permanent.
+    FEATURE_PERMANENT_SESSIONS = True
 
-  # Feature Flag: Whether to allow anonymous users to browse and pull public repositories.
-  FEATURE_ANONYMOUS_ACCESS = True
+    # Feature Flag: Whether super users are supported.
+    FEATURE_SUPER_USERS = True
 
-  # Feature Flag: Whether billing is required.
-  FEATURE_BILLING = False
+    # Feature Flag: Whether to allow anonymous users to browse and pull public repositories.
+    FEATURE_ANONYMOUS_ACCESS = True
 
-  # Feature Flag: Whether user accounts automatically have usage log access.
-  FEATURE_USER_LOG_ACCESS = False
+    # Feature Flag: Whether billing is required.
+    FEATURE_BILLING = False
 
-  # Feature Flag: Whether GitHub login is supported.
-  FEATURE_GITHUB_LOGIN = False
+    # Feature Flag: Whether user accounts automatically have usage log access.
+    FEATURE_USER_LOG_ACCESS = False
 
-  # Feature Flag: Whether Google login is supported.
-  FEATURE_GOOGLE_LOGIN = False
+    # Feature Flag: Whether GitHub login is supported.
+    FEATURE_GITHUB_LOGIN = False
 
-  # Feature Flag: Whether to support GitHub build triggers.
-  FEATURE_GITHUB_BUILD = False
+    # Feature Flag: Whether Google login is supported.
+    FEATURE_GOOGLE_LOGIN = False
 
-  # Feature Flag: Whether to support Bitbucket build triggers.
-  FEATURE_BITBUCKET_BUILD = False
+    # Feature Flag: Whether to support GitHub build triggers.
+    FEATURE_GITHUB_BUILD = False
 
-  # Feature Flag: Whether to support GitLab build triggers.
-  FEATURE_GITLAB_BUILD = False
+    # Feature Flag: Whether to support Bitbucket build triggers.
+    FEATURE_BITBUCKET_BUILD = False
 
-  # Feature Flag: Dockerfile build support.
-  FEATURE_BUILD_SUPPORT = True
+    # Feature Flag: Whether to support GitLab build triggers.
+    FEATURE_GITLAB_BUILD = False
 
-  # Feature Flag: Whether emails are enabled.
-  FEATURE_MAILING = True
+    # Feature Flag: Dockerfile build support.
+    FEATURE_BUILD_SUPPORT = True
 
-  # Feature Flag: Whether users can be created (by non-super users).
-  FEATURE_USER_CREATION = True
+    # Feature Flag: Whether emails are enabled.
+    FEATURE_MAILING = True
 
-  # Feature Flag: Whether users being created must be invited by another user.
-  # If FEATURE_USER_CREATION is off, this flag has no effect.
-  FEATURE_INVITE_ONLY_USER_CREATION = False
+    # Feature Flag: Whether users can be created (by non-super users).
+    FEATURE_USER_CREATION = True
 
-  # Feature Flag: Whether users can be renamed
-  FEATURE_USER_RENAME = False
+    # Feature Flag: Whether users being created must be invited by another user.
+    # If FEATURE_USER_CREATION is off, this flag has no effect.
+    FEATURE_INVITE_ONLY_USER_CREATION = False
 
-  # Feature Flag: Whether non-encrypted passwords (as opposed to encrypted tokens) can be used for
-  # basic auth.
-  FEATURE_REQUIRE_ENCRYPTED_BASIC_AUTH = False
+    # Feature Flag: Whether users can be renamed
+    FEATURE_USER_RENAME = False
 
-  # Feature Flag: Whether to automatically replicate between storage engines.
-  FEATURE_STORAGE_REPLICATION = False
+    # Feature Flag: Whether non-encrypted passwords (as opposed to encrypted tokens) can be used for
+    # basic auth.
+    FEATURE_REQUIRE_ENCRYPTED_BASIC_AUTH = False
 
-  # Feature Flag: Whether users can directly login to the UI.
-  FEATURE_DIRECT_LOGIN = True
+    # Feature Flag: Whether to automatically replicate between storage engines.
+    FEATURE_STORAGE_REPLICATION = False
 
-  # Feature Flag: Whether the v2/ endpoint is visible
-  FEATURE_ADVERTISE_V2 = True
+    # Feature Flag: Whether users can directly login to the UI.
+    FEATURE_DIRECT_LOGIN = True
 
-  # Semver spec for which Docker versions we will blacklist
-  # Documentation: http://pythonhosted.org/semantic_version/reference.html#semantic_version.Spec
-  BLACKLIST_V2_SPEC = '<1.6.0'
+    # Feature Flag: Whether the v2/ endpoint is visible
+    FEATURE_ADVERTISE_V2 = True
 
-  # Feature Flag: Whether to restrict V1 pushes to the whitelist.
-  FEATURE_RESTRICTED_V1_PUSH = False
-  V1_PUSH_WHITELIST = []
+    # Semver spec for which Docker versions we will blacklist
+    # Documentation: http://pythonhosted.org/semantic_version/reference.html#semantic_version.Spec
+    BLACKLIST_V2_SPEC = "<1.6.0"
 
-  # Feature Flag: Whether or not to rotate old action logs to storage.
-  FEATURE_ACTION_LOG_ROTATION = False
+    # Feature Flag: Whether to restrict V1 pushes to the whitelist.
+    FEATURE_RESTRICTED_V1_PUSH = False
+    V1_PUSH_WHITELIST = []
 
-  # Feature Flag: Whether to enable conversion to ACIs.
-  FEATURE_ACI_CONVERSION = False
+    # Feature Flag: Whether or not to rotate old action logs to storage.
+    FEATURE_ACTION_LOG_ROTATION = False
 
-  # Feature Flag: Whether to allow for "namespace-less" repositories when pulling and pushing from
-  # Docker.
-  FEATURE_LIBRARY_SUPPORT = True
+    # Feature Flag: Whether to enable conversion to ACIs.
+    FEATURE_ACI_CONVERSION = False
 
-  # Feature Flag: Whether to require invitations when adding a user to a team.
-  FEATURE_REQUIRE_TEAM_INVITE = True
+    # Feature Flag: Whether to allow for "namespace-less" repositories when pulling and pushing from
+    # Docker.
+    FEATURE_LIBRARY_SUPPORT = True
 
-  # Feature Flag: Whether to proxy all direct download URLs in storage via the registry's nginx.
-  FEATURE_PROXY_STORAGE = False
+    # Feature Flag: Whether to require invitations when adding a user to a team.
+    FEATURE_REQUIRE_TEAM_INVITE = True
 
-  # Feature Flag: Whether to collect and support user metadata.
-  FEATURE_USER_METADATA = False
+    # Feature Flag: Whether to proxy all direct download URLs in storage via the registry's nginx.
+    FEATURE_PROXY_STORAGE = False
 
-  # Feature Flag: Whether to support signing
-  FEATURE_SIGNING = False
+    # Feature Flag: Whether to collect and support user metadata.
+    FEATURE_USER_METADATA = False
 
-  # Feature Flag: Whether to enable support for App repositories.
-  FEATURE_APP_REGISTRY = False
+    # Feature Flag: Whether to support signing
+    FEATURE_SIGNING = False
 
-  # Feature Flag: Whether app registry is in a read-only mode.
-  FEATURE_READONLY_APP_REGISTRY = False
+    # Feature Flag: Whether to enable support for App repositories.
+    FEATURE_APP_REGISTRY = False
 
-  # Feature Flag: If set to true, the _catalog endpoint returns public repositories. Otherwise,
-  # only private repositories can be returned.
-  FEATURE_PUBLIC_CATALOG = False
+    # Feature Flag: Whether app registry is in a read-only mode.
+    FEATURE_READONLY_APP_REGISTRY = False
 
-  # Feature Flag: If set to true, build logs may be read by those with read access to the repo,
-  # rather than only write access or admin access.
-  FEATURE_READER_BUILD_LOGS = False
+    # Feature Flag: If set to true, the _catalog endpoint returns public repositories. Otherwise,
+    # only private repositories can be returned.
+    FEATURE_PUBLIC_CATALOG = False
 
-  # Feature Flag: If set to true, autocompletion will apply to partial usernames.
-  FEATURE_PARTIAL_USER_AUTOCOMPLETE = True
+    # Feature Flag: If set to true, build logs may be read by those with read access to the repo,
+    # rather than only write access or admin access.
+    FEATURE_READER_BUILD_LOGS = False
 
-  # Feature Flag: If set to true, users can confirm (and modify) their initial usernames when
-  # logging in via OIDC or a non-database internal auth provider.
-  FEATURE_USERNAME_CONFIRMATION = True
+    # Feature Flag: If set to true, autocompletion will apply to partial usernames.
+    FEATURE_PARTIAL_USER_AUTOCOMPLETE = True
 
-  # If a namespace is defined in the public namespace list, then it will appear on *all*
-  # user's repository list pages, regardless of whether that user is a member of the namespace.
-  # Typically, this is used by an enterprise customer in configuring a set of "well-known"
-  # namespaces.
-  PUBLIC_NAMESPACES = []
+    # Feature Flag: If set to true, users can confirm (and modify) their initial usernames when
+    # logging in via OIDC or a non-database internal auth provider.
+    FEATURE_USERNAME_CONFIRMATION = True
 
-  # The namespace to use for library repositories.
-  # Note: This must remain 'library' until Docker removes their hard-coded namespace for libraries.
-  # See: https://github.com/docker/docker/blob/master/registry/session.go#L320
-  LIBRARY_NAMESPACE = 'library'
+    # If a namespace is defined in the public namespace list, then it will appear on *all*
+    # user's repository list pages, regardless of whether that user is a member of the namespace.
+    # Typically, this is used by an enterprise customer in configuring a set of "well-known"
+    # namespaces.
+    PUBLIC_NAMESPACES = []
 
-  BUILD_MANAGER = ('enterprise', {})
+    # The namespace to use for library repositories.
+    # Note: This must remain 'library' until Docker removes their hard-coded namespace for libraries.
+    # See: https://github.com/docker/docker/blob/master/registry/session.go#L320
+    LIBRARY_NAMESPACE = "library"
 
-  DISTRIBUTED_STORAGE_CONFIG = {
-    'local_eu': ['LocalStorage', {'storage_path': 'test/data/registry/eu'}],
-    'local_us': ['LocalStorage', {'storage_path': 'test/data/registry/us'}],
-  }
+    BUILD_MANAGER = ("enterprise", {})
 
-  DISTRIBUTED_STORAGE_PREFERENCE = ['local_us']
-  DISTRIBUTED_STORAGE_DEFAULT_LOCATIONS = ['local_us']
+    DISTRIBUTED_STORAGE_CONFIG = {
+        "local_eu": ["LocalStorage", {"storage_path": "test/data/registry/eu"}],
+        "local_us": ["LocalStorage", {"storage_path": "test/data/registry/us"}],
+    }
 
-  # Health checker.
-  HEALTH_CHECKER = ('LocalHealthCheck', {})
+    DISTRIBUTED_STORAGE_PREFERENCE = ["local_us"]
+    DISTRIBUTED_STORAGE_DEFAULT_LOCATIONS = ["local_us"]
 
-  # Userfiles
-  USERFILES_LOCATION = 'local_us'
-  USERFILES_PATH = 'userfiles/'
+    # Health checker.
+    HEALTH_CHECKER = ("LocalHealthCheck", {})
 
-  # Build logs archive
-  LOG_ARCHIVE_LOCATION = 'local_us'
-  LOG_ARCHIVE_PATH = 'logarchive/'
+    # Userfiles
+    USERFILES_LOCATION = "local_us"
+    USERFILES_PATH = "userfiles/"
 
-  # Action logs archive
-  ACTION_LOG_ARCHIVE_LOCATION = 'local_us'
-  ACTION_LOG_ARCHIVE_PATH = 'actionlogarchive/'
-  ACTION_LOG_ROTATION_THRESHOLD = '30d'
+    # Build logs archive
+    LOG_ARCHIVE_LOCATION = "local_us"
+    LOG_ARCHIVE_PATH = "logarchive/"
 
-  # Allow registry pulls when unable to write to the audit log
-  ALLOW_PULLS_WITHOUT_STRICT_LOGGING = False
+    # Action logs archive
+    ACTION_LOG_ARCHIVE_LOCATION = "local_us"
+    ACTION_LOG_ARCHIVE_PATH = "actionlogarchive/"
+    ACTION_LOG_ROTATION_THRESHOLD = "30d"
 
-  # Temporary tag expiration in seconds, this may actually be longer based on GC policy
-  PUSH_TEMP_TAG_EXPIRATION_SEC = 60 * 60  # One hour per layer
+    # Allow registry pulls when unable to write to the audit log
+    ALLOW_PULLS_WITHOUT_STRICT_LOGGING = False
 
-  # Signed registry grant token expiration in seconds
-  SIGNED_GRANT_EXPIRATION_SEC = 60 * 60 * 24  # One day to complete a push/pull
+    # Temporary tag expiration in seconds, this may actually be longer based on GC policy
+    PUSH_TEMP_TAG_EXPIRATION_SEC = 60 * 60  # One hour per layer
 
-  # Registry v2 JWT Auth config
-  REGISTRY_JWT_AUTH_MAX_FRESH_S = 60 * 60 + 60  # At most signed one hour, accounting for clock skew
+    # Signed registry grant token expiration in seconds
+    SIGNED_GRANT_EXPIRATION_SEC = 60 * 60 * 24  # One day to complete a push/pull
 
-  # The URL endpoint to which we redirect OAuth when generating a token locally.
-  LOCAL_OAUTH_HANDLER = '/oauth/localapp'
+    # Registry v2 JWT Auth config
+    REGISTRY_JWT_AUTH_MAX_FRESH_S = (
+        60 * 60 + 60
+    )  # At most signed one hour, accounting for clock skew
 
-  # The various avatar background colors.
-  AVATAR_KIND = 'local'
+    # The URL endpoint to which we redirect OAuth when generating a token locally.
+    LOCAL_OAUTH_HANDLER = "/oauth/localapp"
 
-  # Custom branding
-  BRANDING = {
-    'logo': '/static/img/quay-horizontal-color.svg',
-    'footer_img': None,
-    'footer_url': None,
-  }
+    # The various avatar background colors.
+    AVATAR_KIND = "local"
 
-  # How often the Garbage Collection worker runs.
-  GARBAGE_COLLECTION_FREQUENCY = 30 # seconds
+    # Custom branding
+    BRANDING = {
+        "logo": "/static/img/quay-horizontal-color.svg",
+        "footer_img": None,
+        "footer_url": None,
+    }
 
-  # How long notifications will try to send before timing out.
-  NOTIFICATION_SEND_TIMEOUT = 10
+    # How often the Garbage Collection worker runs.
+    GARBAGE_COLLECTION_FREQUENCY = 30  # seconds
 
-  # Security scanner
-  FEATURE_SECURITY_SCANNER = False
-  FEATURE_SECURITY_NOTIFICATIONS = False
+    # How long notifications will try to send before timing out.
+    NOTIFICATION_SEND_TIMEOUT = 10
 
-  # The endpoint for the security scanner.
-  SECURITY_SCANNER_ENDPOINT = 'http://192.168.99.101:6060'
+    # Security scanner
+    FEATURE_SECURITY_SCANNER = False
+    FEATURE_SECURITY_NOTIFICATIONS = False
 
-  # The number of seconds between indexing intervals in the security scanner
-  SECURITY_SCANNER_INDEXING_INTERVAL = 30
+    # The endpoint for the security scanner.
+    SECURITY_SCANNER_ENDPOINT = "http://192.168.99.101:6060"
 
-  # If specified, the security scanner will only index images newer than the provided ID.
-  SECURITY_SCANNER_INDEXING_MIN_ID = None
+    # The number of seconds between indexing intervals in the security scanner
+    SECURITY_SCANNER_INDEXING_INTERVAL = 30
 
-  # If specified, the endpoint to be used for all POST calls to the security scanner.
-  SECURITY_SCANNER_ENDPOINT_BATCH = None
+    # If specified, the security scanner will only index images newer than the provided ID.
+    SECURITY_SCANNER_INDEXING_MIN_ID = None
 
-  # If specified, GET requests that return non-200 will be retried at the following instances.
-  SECURITY_SCANNER_READONLY_FAILOVER_ENDPOINTS = []
+    # If specified, the endpoint to be used for all POST calls to the security scanner.
+    SECURITY_SCANNER_ENDPOINT_BATCH = None
 
-  # The indexing engine version running inside the security scanner.
-  SECURITY_SCANNER_ENGINE_VERSION_TARGET = 3
+    # If specified, GET requests that return non-200 will be retried at the following instances.
+    SECURITY_SCANNER_READONLY_FAILOVER_ENDPOINTS = []
 
-  # The version of the API to use for the security scanner.
-  SECURITY_SCANNER_API_VERSION = 'v1'
+    # The indexing engine version running inside the security scanner.
+    SECURITY_SCANNER_ENGINE_VERSION_TARGET = 3
 
-  # API call timeout for the security scanner.
-  SECURITY_SCANNER_API_TIMEOUT_SECONDS = 10
+    # The version of the API to use for the security scanner.
+    SECURITY_SCANNER_API_VERSION = "v1"
 
-  # POST call timeout for the security scanner.
-  SECURITY_SCANNER_API_TIMEOUT_POST_SECONDS = 480
+    # API call timeout for the security scanner.
+    SECURITY_SCANNER_API_TIMEOUT_SECONDS = 10
 
-  # The issuer name for the security scanner.
-  SECURITY_SCANNER_ISSUER_NAME = 'security_scanner'
+    # POST call timeout for the security scanner.
+    SECURITY_SCANNER_API_TIMEOUT_POST_SECONDS = 480
 
-  # Repository mirror
-  FEATURE_REPO_MIRROR = False
+    # The issuer name for the security scanner.
+    SECURITY_SCANNER_ISSUER_NAME = "security_scanner"
 
-  # The number of seconds between indexing intervals in the repository mirror
-  REPO_MIRROR_INTERVAL = 30
+    # Repository mirror
+    FEATURE_REPO_MIRROR = False
 
-  # Require HTTPS and verify certificates of Quay registry during mirror.
-  REPO_MIRROR_TLS_VERIFY = True
+    # The number of seconds between indexing intervals in the repository mirror
+    REPO_MIRROR_INTERVAL = 30
 
-  # Replaces the SERVER_HOSTNAME as the destination for mirroring.
-  REPO_MIRROR_SERVER_HOSTNAME = None
+    # Require HTTPS and verify certificates of Quay registry during mirror.
+    REPO_MIRROR_TLS_VERIFY = True
 
-  # JWTProxy Settings
-  # The address (sans schema) to proxy outgoing requests through the jwtproxy
-  # to be signed
-  JWTPROXY_SIGNER = 'localhost:8081'
+    # Replaces the SERVER_HOSTNAME as the destination for mirroring.
+    REPO_MIRROR_SERVER_HOSTNAME = None
 
-  # The audience that jwtproxy should verify on incoming requests
-  # If None, will be calculated off of the SERVER_HOSTNAME (default)
-  JWTPROXY_AUDIENCE = None
+    # JWTProxy Settings
+    # The address (sans schema) to proxy outgoing requests through the jwtproxy
+    # to be signed
+    JWTPROXY_SIGNER = "localhost:8081"
 
-  # Torrent management flags
-  FEATURE_BITTORRENT = False
-  BITTORRENT_PIECE_SIZE = 512 * 1024
-  BITTORRENT_ANNOUNCE_URL = 'https://localhost:6881/announce'
-  BITTORRENT_FILENAME_PEPPER = str(uuid4())
-  BITTORRENT_WEBSEED_LIFETIME = 3600
+    # The audience that jwtproxy should verify on incoming requests
+    # If None, will be calculated off of the SERVER_HOSTNAME (default)
+    JWTPROXY_AUDIENCE = None
 
-  # "Secret" key for generating encrypted paging tokens. Only needed to be secret to
-  # hide the ID range for production (in which this value is overridden). Should *not*
-  # be relied upon for secure encryption otherwise.
-  # This value is a Fernet key and should be 32bytes URL-safe base64 encoded.
-  PAGE_TOKEN_KEY = '0OYrc16oBuksR8T3JGB-xxYSlZ2-7I_zzqrLzggBJ58='
+    # Torrent management flags
+    FEATURE_BITTORRENT = False
+    BITTORRENT_PIECE_SIZE = 512 * 1024
+    BITTORRENT_ANNOUNCE_URL = "https://localhost:6881/announce"
+    BITTORRENT_FILENAME_PEPPER = str(uuid4())
+    BITTORRENT_WEBSEED_LIFETIME = 3600
 
-  # The timeout for service key approval.
-  UNAPPROVED_SERVICE_KEY_TTL_SEC = 60 * 60 * 24 # One day
+    # "Secret" key for generating encrypted paging tokens. Only needed to be secret to
+    # hide the ID range for production (in which this value is overridden). Should *not*
+    # be relied upon for secure encryption otherwise.
+    # This value is a Fernet key and should be 32bytes URL-safe base64 encoded.
+    PAGE_TOKEN_KEY = "0OYrc16oBuksR8T3JGB-xxYSlZ2-7I_zzqrLzggBJ58="
 
-  # How long to wait before GCing an expired service key.
-  EXPIRED_SERVICE_KEY_TTL_SEC = 60 * 60 * 24 * 7 # One week
+    # The timeout for service key approval.
+    UNAPPROVED_SERVICE_KEY_TTL_SEC = 60 * 60 * 24  # One day
 
-  # The ID of the user account in the database to be used for service audit logs. If none, the
-  # lowest user in the database will be used.
-  SERVICE_LOG_ACCOUNT_ID = None
+    # How long to wait before GCing an expired service key.
+    EXPIRED_SERVICE_KEY_TTL_SEC = 60 * 60 * 24 * 7  # One week
 
-  # The service key ID for the instance service.
-  # NOTE: If changed, jwtproxy_conf.yaml.jnj must also be updated.
-  INSTANCE_SERVICE_KEY_SERVICE = 'quay'
+    # The ID of the user account in the database to be used for service audit logs. If none, the
+    # lowest user in the database will be used.
+    SERVICE_LOG_ACCOUNT_ID = None
 
-  # The location of the key ID file generated for this instance.
-  INSTANCE_SERVICE_KEY_KID_LOCATION = os.path.join(CONF_DIR, 'quay.kid')
+    # The service key ID for the instance service.
+    # NOTE: If changed, jwtproxy_conf.yaml.jnj must also be updated.
+    INSTANCE_SERVICE_KEY_SERVICE = "quay"
 
-  # The location of the private key generated for this instance.
-  # NOTE: If changed, jwtproxy_conf.yaml.jnj must also be updated.
-  INSTANCE_SERVICE_KEY_LOCATION = os.path.join(CONF_DIR, 'quay.pem')
+    # The location of the key ID file generated for this instance.
+    INSTANCE_SERVICE_KEY_KID_LOCATION = os.path.join(CONF_DIR, "quay.kid")
 
-  # This instance's service key expiration in minutes.
-  INSTANCE_SERVICE_KEY_EXPIRATION = 120
+    # The location of the private key generated for this instance.
+    # NOTE: If changed, jwtproxy_conf.yaml.jnj must also be updated.
+    INSTANCE_SERVICE_KEY_LOCATION = os.path.join(CONF_DIR, "quay.pem")
 
-  # Number of minutes between expiration refresh in minutes. Should be the expiration / 2 minus
-  # some additional window time.
-  INSTANCE_SERVICE_KEY_REFRESH = 55
+    # This instance's service key expiration in minutes.
+    INSTANCE_SERVICE_KEY_EXPIRATION = 120
 
-  # The whitelist of client IDs for OAuth applications that allow for direct login.
-  DIRECT_OAUTH_CLIENTID_WHITELIST = []
+    # Number of minutes between expiration refresh in minutes. Should be the expiration / 2 minus
+    # some additional window time.
+    INSTANCE_SERVICE_KEY_REFRESH = 55
 
-  # URL that specifies the location of the prometheus stats aggregator.
-  PROMETHEUS_AGGREGATOR_URL = 'http://localhost:9092'
+    # The whitelist of client IDs for OAuth applications that allow for direct login.
+    DIRECT_OAUTH_CLIENTID_WHITELIST = []
 
-  # Namespace prefix for all prometheus metrics.
-  PROMETHEUS_NAMESPACE = 'quay'
+    # URL that specifies the location of the prometheus stats aggregator.
+    PROMETHEUS_AGGREGATOR_URL = "http://localhost:9092"
 
-  # Overridable list of reverse DNS prefixes that are reserved for internal use on labels.
-  LABEL_KEY_RESERVED_PREFIXES = []
+    # Namespace prefix for all prometheus metrics.
+    PROMETHEUS_NAMESPACE = "quay"
 
-  # Delays workers from starting until a random point in time between 0 and their regular interval.
-  STAGGER_WORKERS = True
+    # Overridable list of reverse DNS prefixes that are reserved for internal use on labels.
+    LABEL_KEY_RESERVED_PREFIXES = []
 
-  # Location of the static marketing site.
-  STATIC_SITE_BUCKET = None
+    # Delays workers from starting until a random point in time between 0 and their regular interval.
+    STAGGER_WORKERS = True
 
-  # Site key and secret key for using recaptcha.
-  FEATURE_RECAPTCHA = False
-  RECAPTCHA_SITE_KEY = None
-  RECAPTCHA_SECRET_KEY = None
+    # Location of the static marketing site.
+    STATIC_SITE_BUCKET = None
 
-  # Server where TUF metadata can be found
-  TUF_SERVER = None
+    # Site key and secret key for using recaptcha.
+    FEATURE_RECAPTCHA = False
+    RECAPTCHA_SITE_KEY = None
+    RECAPTCHA_SECRET_KEY = None
 
-  # Prefix to add to metadata e.g. <prefix>/<namespace>/<reponame>
-  TUF_GUN_PREFIX = None
+    # Server where TUF metadata can be found
+    TUF_SERVER = None
 
-  # Maximum size allowed for layers in the registry.
-  MAXIMUM_LAYER_SIZE = '20G'
+    # Prefix to add to metadata e.g. <prefix>/<namespace>/<reponame>
+    TUF_GUN_PREFIX = None
 
-  # Feature Flag: Whether team syncing from the backing auth is enabled.
-  FEATURE_TEAM_SYNCING = False
-  TEAM_RESYNC_STALE_TIME = '30m'
-  TEAM_SYNC_WORKER_FREQUENCY = 60 # seconds
+    # Maximum size allowed for layers in the registry.
+    MAXIMUM_LAYER_SIZE = "20G"
 
-  # Feature Flag: If enabled, non-superusers can setup team syncing.
-  FEATURE_NONSUPERUSER_TEAM_SYNCING_SETUP = False
+    # Feature Flag: Whether team syncing from the backing auth is enabled.
+    FEATURE_TEAM_SYNCING = False
+    TEAM_RESYNC_STALE_TIME = "30m"
+    TEAM_SYNC_WORKER_FREQUENCY = 60  # seconds
 
-  # The default configurable tag expiration time for time machine.
-  DEFAULT_TAG_EXPIRATION = '2w'
+    # Feature Flag: If enabled, non-superusers can setup team syncing.
+    FEATURE_NONSUPERUSER_TEAM_SYNCING_SETUP = False
 
-  # The options to present in namespace settings for the tag expiration. If empty, no option
-  # will be given and the default will be displayed read-only.
-  TAG_EXPIRATION_OPTIONS = ['0s', '1d', '1w', '2w', '4w']
+    # The default configurable tag expiration time for time machine.
+    DEFAULT_TAG_EXPIRATION = "2w"
 
-  # Feature Flag: Whether users can view and change their tag expiration.
-  FEATURE_CHANGE_TAG_EXPIRATION = True
+    # The options to present in namespace settings for the tag expiration. If empty, no option
+    # will be given and the default will be displayed read-only.
+    TAG_EXPIRATION_OPTIONS = ["0s", "1d", "1w", "2w", "4w"]
 
-  # Defines a secret for enabling the health-check endpoint's debug information.
-  ENABLE_HEALTH_DEBUG_SECRET = None
+    # Feature Flag: Whether users can view and change their tag expiration.
+    FEATURE_CHANGE_TAG_EXPIRATION = True
 
-  # The lifetime for a user recovery token before it becomes invalid.
-  USER_RECOVERY_TOKEN_LIFETIME = '30m'
+    # Defines a secret for enabling the health-check endpoint's debug information.
+    ENABLE_HEALTH_DEBUG_SECRET = None
 
-  # If specified, when app specific passwords expire by default.
-  APP_SPECIFIC_TOKEN_EXPIRATION = None
+    # The lifetime for a user recovery token before it becomes invalid.
+    USER_RECOVERY_TOKEN_LIFETIME = "30m"
 
-  # Feature Flag: If enabled, users can create and use app specific tokens to login via the CLI.
-  FEATURE_APP_SPECIFIC_TOKENS = True
+    # If specified, when app specific passwords expire by default.
+    APP_SPECIFIC_TOKEN_EXPIRATION = None
 
-  # How long expired app specific tokens should remain visible to users before being automatically
-  # deleted. Set to None to turn off garbage collection.
-  EXPIRED_APP_SPECIFIC_TOKEN_GC = '1d'
+    # Feature Flag: If enabled, users can create and use app specific tokens to login via the CLI.
+    FEATURE_APP_SPECIFIC_TOKENS = True
 
-  # The size of pages returned by the Docker V2 API.
-  V2_PAGINATION_SIZE = 50
+    # How long expired app specific tokens should remain visible to users before being automatically
+    # deleted. Set to None to turn off garbage collection.
+    EXPIRED_APP_SPECIFIC_TOKEN_GC = "1d"
 
-  # If enabled, ensures that API calls are made with the X-Requested-With header
-  # when called from a browser.
-  BROWSER_API_CALLS_XHR_ONLY = True
+    # The size of pages returned by the Docker V2 API.
+    V2_PAGINATION_SIZE = 50
 
-  # If set to a non-None integer value, the default number of maximum builds for a namespace.
-  DEFAULT_NAMESPACE_MAXIMUM_BUILD_COUNT = None
+    # If enabled, ensures that API calls are made with the X-Requested-With header
+    # when called from a browser.
+    BROWSER_API_CALLS_XHR_ONLY = True
 
-  # If set to a non-None integer value, the default number of maximum builds for a namespace whose
-  # creator IP is deemed a threat.
-  THREAT_NAMESPACE_MAXIMUM_BUILD_COUNT = None
+    # If set to a non-None integer value, the default number of maximum builds for a namespace.
+    DEFAULT_NAMESPACE_MAXIMUM_BUILD_COUNT = None
 
-  # The API Key to use when requesting IP information.
-  IP_DATA_API_KEY = None
+    # If set to a non-None integer value, the default number of maximum builds for a namespace whose
+    # creator IP is deemed a threat.
+    THREAT_NAMESPACE_MAXIMUM_BUILD_COUNT = None
 
-  # For Billing Support Only: The number of allowed builds on a namespace that has been billed
-  # successfully.
-  BILLED_NAMESPACE_MAXIMUM_BUILD_COUNT = None
+    # The API Key to use when requesting IP information.
+    IP_DATA_API_KEY = None
 
-  # Configuration for the data model cache.
-  DATA_MODEL_CACHE_CONFIG = {
-    'engine': 'memcached',
-    'endpoint': ('127.0.0.1', 18080),
-  }
+    # For Billing Support Only: The number of allowed builds on a namespace that has been billed
+    # successfully.
+    BILLED_NAMESPACE_MAXIMUM_BUILD_COUNT = None
 
-  # Defines the number of successive failures of a build trigger's build before the trigger is
-  # automatically disabled.
-  SUCCESSIVE_TRIGGER_FAILURE_DISABLE_THRESHOLD = 100
+    # Configuration for the data model cache.
+    DATA_MODEL_CACHE_CONFIG = {"engine": "memcached", "endpoint": ("127.0.0.1", 18080)}
 
-  # Defines the number of successive internal errors of a build trigger's build before the
-  # trigger is automatically disabled.
-  SUCCESSIVE_TRIGGER_INTERNAL_ERROR_DISABLE_THRESHOLD = 5
+    # Defines the number of successive failures of a build trigger's build before the trigger is
+    # automatically disabled.
+    SUCCESSIVE_TRIGGER_FAILURE_DISABLE_THRESHOLD = 100
 
-  # Defines the delay required (in seconds) before the last_accessed field of a user/robot or access
-  # token will be updated after the previous update.
-  LAST_ACCESSED_UPDATE_THRESHOLD_S = 60
+    # Defines the number of successive internal errors of a build trigger's build before the
+    # trigger is automatically disabled.
+    SUCCESSIVE_TRIGGER_INTERNAL_ERROR_DISABLE_THRESHOLD = 5
 
-  # Defines the number of results per page used to show search results
-  SEARCH_RESULTS_PER_PAGE = 10
+    # Defines the delay required (in seconds) before the last_accessed field of a user/robot or access
+    # token will be updated after the previous update.
+    LAST_ACCESSED_UPDATE_THRESHOLD_S = 60
 
-  # Defines the maximum number of pages the user can paginate before they are limited
-  SEARCH_MAX_RESULT_PAGE_COUNT = 10
+    # Defines the number of results per page used to show search results
+    SEARCH_RESULTS_PER_PAGE = 10
 
-  # Feature Flag: Whether to record when users were last accessed.
-  FEATURE_USER_LAST_ACCESSED = True
+    # Defines the maximum number of pages the user can paginate before they are limited
+    SEARCH_MAX_RESULT_PAGE_COUNT = 10
 
-  # Feature Flag: Whether to allow users to retrieve aggregated log counts.
-  FEATURE_AGGREGATED_LOG_COUNT_RETRIEVAL = True
+    # Feature Flag: Whether to record when users were last accessed.
+    FEATURE_USER_LAST_ACCESSED = True
 
-  # Feature Flag: Whether rate limiting is enabled.
-  FEATURE_RATE_LIMITS = False
+    # Feature Flag: Whether to allow users to retrieve aggregated log counts.
+    FEATURE_AGGREGATED_LOG_COUNT_RETRIEVAL = True
 
-  # Feature Flag: Whether to support log exporting.
-  FEATURE_LOG_EXPORT = True
+    # Feature Flag: Whether rate limiting is enabled.
+    FEATURE_RATE_LIMITS = False
 
-  # Maximum number of action logs pages that can be returned via the API.
-  ACTION_LOG_MAX_PAGE = None
+    # Feature Flag: Whether to support log exporting.
+    FEATURE_LOG_EXPORT = True
 
-  # Log model
-  LOGS_MODEL = 'database'
-  LOGS_MODEL_CONFIG = {}
+    # Maximum number of action logs pages that can be returned via the API.
+    ACTION_LOG_MAX_PAGE = None
 
-  # Namespace in which all audit logging is disabled.
-  DISABLED_FOR_AUDIT_LOGS = []
+    # Log model
+    LOGS_MODEL = "database"
+    LOGS_MODEL_CONFIG = {}
 
-  # Namespace in which pull audit logging is disabled.
-  DISABLED_FOR_PULL_LOGS = []
+    # Namespace in which all audit logging is disabled.
+    DISABLED_FOR_AUDIT_LOGS = []
 
-  # Feature Flag: Whether pull logs are disabled for free namespace.
-  FEATURE_DISABLE_PULL_LOGS_FOR_FREE_NAMESPACES = False
+    # Namespace in which pull audit logging is disabled.
+    DISABLED_FOR_PULL_LOGS = []
 
-  # Feature Flag: If set to true, no account using blacklisted email addresses will be allowed
-  # to be created.
-  FEATURE_BLACKLISTED_EMAILS = False
+    # Feature Flag: Whether pull logs are disabled for free namespace.
+    FEATURE_DISABLE_PULL_LOGS_FOR_FREE_NAMESPACES = False
 
-  # The list of domains, including subdomains, for which any *new* User with a matching
-  # email address will be denied creation. This option is only used if
-  # FEATURE_BLACKLISTED_EMAILS is enabled.
-  BLACKLISTED_EMAIL_DOMAINS = []
+    # Feature Flag: If set to true, no account using blacklisted email addresses will be allowed
+    # to be created.
+    FEATURE_BLACKLISTED_EMAILS = False
 
-  # Feature Flag: Whether garbage collection is enabled.
-  FEATURE_GARBAGE_COLLECTION = True
+    # The list of domains, including subdomains, for which any *new* User with a matching
+    # email address will be denied creation. This option is only used if
+    # FEATURE_BLACKLISTED_EMAILS is enabled.
+    BLACKLISTED_EMAIL_DOMAINS = []
+
+    # Feature Flag: Whether garbage collection is enabled.
+    FEATURE_GARBAGE_COLLECTION = True
diff --git a/config_app/_init_config.py b/config_app/_init_config.py
index 8b0533570..bd2eb5826 100644
--- a/config_app/_init_config.py
+++ b/config_app/_init_config.py
@@ -7,31 +7,31 @@ import subprocess
 ROOT_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
 
 CONF_DIR = os.getenv("QUAYCONF", os.path.join(ROOT_DIR, "conf/"))
-STATIC_DIR = os.path.join(ROOT_DIR, 'static/')
-STATIC_LDN_DIR = os.path.join(STATIC_DIR, 'ldn/')
-STATIC_FONTS_DIR = os.path.join(STATIC_DIR, 'fonts/')
-TEMPLATE_DIR = os.path.join(ROOT_DIR, 'templates/')
-IS_KUBERNETES = 'KUBERNETES_SERVICE_HOST' in os.environ
+STATIC_DIR = os.path.join(ROOT_DIR, "static/")
+STATIC_LDN_DIR = os.path.join(STATIC_DIR, "ldn/")
+STATIC_FONTS_DIR = os.path.join(STATIC_DIR, "fonts/")
+TEMPLATE_DIR = os.path.join(ROOT_DIR, "templates/")
+IS_KUBERNETES = "KUBERNETES_SERVICE_HOST" in os.environ
 
 
 def _get_version_number_changelog():
-  try:
-    with open(os.path.join(ROOT_DIR, 'CHANGELOG.md')) as f:
-      return re.search(r'(v[0-9]+\.[0-9]+\.[0-9]+)', f.readline()).group(0)
-  except IOError:
-    return ''
+    try:
+        with open(os.path.join(ROOT_DIR, "CHANGELOG.md")) as f:
+            return re.search(r"(v[0-9]+\.[0-9]+\.[0-9]+)", f.readline()).group(0)
+    except IOError:
+        return ""
 
 
 def _get_git_sha():
-  if os.path.exists("GIT_HEAD"):
-    with open(os.path.join(ROOT_DIR, "GIT_HEAD")) as f:
-      return f.read()
-  else:
-    try:
-      return subprocess.check_output(["git", "rev-parse", "HEAD"]).strip()[0:8]
-    except (OSError, subprocess.CalledProcessError):
-      pass
-  return "unknown"
+    if os.path.exists("GIT_HEAD"):
+        with open(os.path.join(ROOT_DIR, "GIT_HEAD")) as f:
+            return f.read()
+    else:
+        try:
+            return subprocess.check_output(["git", "rev-parse", "HEAD"]).strip()[0:8]
+        except (OSError, subprocess.CalledProcessError):
+            pass
+    return "unknown"
 
 
 __version__ = _get_version_number_changelog()
diff --git a/config_app/c_app.py b/config_app/c_app.py
index 0df198dd1..38847d6c9 100644
--- a/config_app/c_app.py
+++ b/config_app/c_app.py
@@ -15,28 +15,29 @@ app = Flask(__name__)
 
 logger = logging.getLogger(__name__)
 
-OVERRIDE_CONFIG_DIRECTORY = os.path.join(ROOT_DIR, 'config_app/conf/stack')
-INIT_SCRIPTS_LOCATION = '/conf/init/'
+OVERRIDE_CONFIG_DIRECTORY = os.path.join(ROOT_DIR, "config_app/conf/stack")
+INIT_SCRIPTS_LOCATION = "/conf/init/"
 
-is_testing = 'TEST' in os.environ
+is_testing = "TEST" in os.environ
 is_kubernetes = IS_KUBERNETES
 
-logger.debug('Configuration is on a kubernetes deployment: %s' % IS_KUBERNETES)
+logger.debug("Configuration is on a kubernetes deployment: %s" % IS_KUBERNETES)
 
-config_provider = get_config_provider(OVERRIDE_CONFIG_DIRECTORY, 'config.yaml', 'config.py',
-                                      testing=is_testing)
+config_provider = get_config_provider(
+    OVERRIDE_CONFIG_DIRECTORY, "config.yaml", "config.py", testing=is_testing
+)
 
 if is_testing:
-  from test.testconfig import TestConfig
+    from test.testconfig import TestConfig
 
-  logger.debug('Loading test config.')
-  app.config.from_object(TestConfig())
+    logger.debug("Loading test config.")
+    app.config.from_object(TestConfig())
 else:
-  from config import DefaultConfig
+    from config import DefaultConfig
 
-  logger.debug('Loading default config.')
-  app.config.from_object(DefaultConfig())
-  app.teardown_request(database.close_db_filter)
+    logger.debug("Loading default config.")
+    app.config.from_object(DefaultConfig())
+    app.teardown_request(database.close_db_filter)
 
 # Load the override config via the provider.
 config_provider.update_app_config(app.config)
diff --git a/config_app/conf/gunicorn_local.py b/config_app/conf/gunicorn_local.py
index d0ea0a758..add20b457 100644
--- a/config_app/conf/gunicorn_local.py
+++ b/config_app/conf/gunicorn_local.py
@@ -1,5 +1,6 @@
 import sys
 import os
+
 sys.path.append(os.path.join(os.path.dirname(__file__), "../"))
 
 import logging
@@ -9,18 +10,24 @@ from config_app.config_util.log import logfile_path
 
 
 logconfig = logfile_path(debug=True)
-bind = '0.0.0.0:5000'
+bind = "0.0.0.0:5000"
 workers = 1
-worker_class = 'gevent'
+worker_class = "gevent"
 daemon = False
-pythonpath = '.'
+pythonpath = "."
 preload_app = True
 
+
 def post_fork(server, worker):
-  # Reset the Random library to ensure it won't raise the "PID check failed." error after
-  # gunicorn forks.
-  Random.atfork()
+    # Reset the Random library to ensure it won't raise the "PID check failed." error after
+    # gunicorn forks.
+    Random.atfork()
+
 
 def when_ready(server):
-  logger = logging.getLogger(__name__)
-  logger.debug('Starting local gunicorn with %s workers and %s worker class', workers, worker_class)
+    logger = logging.getLogger(__name__)
+    logger.debug(
+        "Starting local gunicorn with %s workers and %s worker class",
+        workers,
+        worker_class,
+    )
diff --git a/config_app/conf/gunicorn_web.py b/config_app/conf/gunicorn_web.py
index 14225fe72..107d8c395 100644
--- a/config_app/conf/gunicorn_web.py
+++ b/config_app/conf/gunicorn_web.py
@@ -1,5 +1,6 @@
 import sys
 import os
+
 sys.path.append(os.path.join(os.path.dirname(__file__), "../"))
 
 import logging
@@ -10,17 +11,23 @@ from config_app.config_util.log import logfile_path
 
 logconfig = logfile_path(debug=True)
 
-bind = 'unix:/tmp/gunicorn_web.sock'
+bind = "unix:/tmp/gunicorn_web.sock"
 workers = 1
-worker_class = 'gevent'
-pythonpath = '.'
+worker_class = "gevent"
+pythonpath = "."
 preload_app = True
 
+
 def post_fork(server, worker):
-  # Reset the Random library to ensure it won't raise the "PID check failed." error after
-  # gunicorn forks.
-  Random.atfork()
+    # Reset the Random library to ensure it won't raise the "PID check failed." error after
+    # gunicorn forks.
+    Random.atfork()
+
 
 def when_ready(server):
-  logger = logging.getLogger(__name__)
-  logger.debug('Starting local gunicorn with %s workers and %s worker class', workers, worker_class)
+    logger = logging.getLogger(__name__)
+    logger.debug(
+        "Starting local gunicorn with %s workers and %s worker class",
+        workers,
+        worker_class,
+    )
diff --git a/config_app/config_application.py b/config_app/config_application.py
index 43676e354..a6e5d9fa3 100644
--- a/config_app/config_application.py
+++ b/config_app/config_application.py
@@ -3,6 +3,6 @@ from config_app.c_app import app as application
 # Bind all of the blueprints
 import config_web
 
-if __name__ == '__main__':
-  logging.config.fileConfig(logfile_path(debug=True), disable_existing_loggers=False)
-  application.run(port=5000, debug=True, threaded=True, host='0.0.0.0')
+if __name__ == "__main__":
+    logging.config.fileConfig(logfile_path(debug=True), disable_existing_loggers=False)
+    application.run(port=5000, debug=True, threaded=True, host="0.0.0.0")
diff --git a/config_app/config_endpoints/api/__init__.py b/config_app/config_endpoints/api/__init__.py
index c80fc1c9c..0620fed63 100644
--- a/config_app/config_endpoints/api/__init__.py
+++ b/config_app/config_endpoints/api/__init__.py
@@ -13,141 +13,153 @@ from config_app.c_app import app, IS_KUBERNETES
 from config_app.config_endpoints.exception import InvalidResponse, InvalidRequest
 
 logger = logging.getLogger(__name__)
-api_bp = Blueprint('api', __name__)
+api_bp = Blueprint("api", __name__)
 
-CROSS_DOMAIN_HEADERS = ['Authorization', 'Content-Type', 'X-Requested-With']
+CROSS_DOMAIN_HEADERS = ["Authorization", "Content-Type", "X-Requested-With"]
 
 
 class ApiExceptionHandlingApi(Api):
-  pass
+    pass
 
-  @crossdomain(origin='*', headers=CROSS_DOMAIN_HEADERS)
-  def handle_error(self, error):
-    return super(ApiExceptionHandlingApi, self).handle_error(error)
+    @crossdomain(origin="*", headers=CROSS_DOMAIN_HEADERS)
+    def handle_error(self, error):
+        return super(ApiExceptionHandlingApi, self).handle_error(error)
 
 
 api = ApiExceptionHandlingApi()
 
 api.init_app(api_bp)
 
+
 def log_action(kind, user_or_orgname, metadata=None, repo=None, repo_name=None):
-  if not metadata:
-    metadata = {}
+    if not metadata:
+        metadata = {}
 
-  if repo:
-    repo_name = repo.name
+    if repo:
+        repo_name = repo.name
+
+    model.log.log_action(
+        kind, user_or_orgname, repo_name, user_or_orgname, request.remote_addr, metadata
+    )
 
-  model.log.log_action(kind, user_or_orgname, repo_name, user_or_orgname, request.remote_addr, metadata)
 
 def format_date(date):
-  """ Output an RFC822 date format. """
-  if date is None:
-    return None
-  return formatdate(timegm(date.utctimetuple()))
-
+    """ Output an RFC822 date format. """
+    if date is None:
+        return None
+    return formatdate(timegm(date.utctimetuple()))
 
 
 def resource(*urls, **kwargs):
-  def wrapper(api_resource):
-    if not api_resource:
-      return None
+    def wrapper(api_resource):
+        if not api_resource:
+            return None
 
-    api_resource.registered = True
-    api.add_resource(api_resource, *urls, **kwargs)
-    return api_resource
+        api_resource.registered = True
+        api.add_resource(api_resource, *urls, **kwargs)
+        return api_resource
 
-  return wrapper
+    return wrapper
 
 
 class ApiResource(Resource):
-  registered = False
-  method_decorators = []
+    registered = False
+    method_decorators = []
 
-  def options(self):
-    return None, 200
+    def options(self):
+        return None, 200
 
 
 def add_method_metadata(name, value):
-  def modifier(func):
-    if func is None:
-      return None
+    def modifier(func):
+        if func is None:
+            return None
 
-    if '__api_metadata' not in dir(func):
-      func.__api_metadata = {}
-    func.__api_metadata[name] = value
-    return func
+        if "__api_metadata" not in dir(func):
+            func.__api_metadata = {}
+        func.__api_metadata[name] = value
+        return func
 
-  return modifier
+    return modifier
 
 
 def method_metadata(func, name):
-  if func is None:
-    return None
+    if func is None:
+        return None
 
-  if '__api_metadata' in dir(func):
-    return func.__api_metadata.get(name, None)
-  return None
+    if "__api_metadata" in dir(func):
+        return func.__api_metadata.get(name, None)
+    return None
 
 
 def no_cache(f):
-  @wraps(f)
-  def add_no_cache(*args, **kwargs):
-    response = f(*args, **kwargs)
-    if response is not None:
-      response.headers['Cache-Control'] = 'no-cache, no-store, must-revalidate'
-    return response
-  return add_no_cache
+    @wraps(f)
+    def add_no_cache(*args, **kwargs):
+        response = f(*args, **kwargs)
+        if response is not None:
+            response.headers["Cache-Control"] = "no-cache, no-store, must-revalidate"
+        return response
+
+    return add_no_cache
 
 
 def define_json_response(schema_name):
-  def wrapper(func):
-    @add_method_metadata('response_schema', schema_name)
-    @wraps(func)
-    def wrapped(self, *args, **kwargs):
-      schema = self.schemas[schema_name]
-      resp = func(self, *args, **kwargs)
+    def wrapper(func):
+        @add_method_metadata("response_schema", schema_name)
+        @wraps(func)
+        def wrapped(self, *args, **kwargs):
+            schema = self.schemas[schema_name]
+            resp = func(self, *args, **kwargs)
 
-      if app.config['TESTING']:
-        try:
-          validate(resp, schema)
-        except ValidationError as ex:
-          raise InvalidResponse(ex.message)
+            if app.config["TESTING"]:
+                try:
+                    validate(resp, schema)
+                except ValidationError as ex:
+                    raise InvalidResponse(ex.message)
 
-      return resp
-    return wrapped
-  return wrapper
+            return resp
+
+        return wrapped
+
+    return wrapper
 
 
 def validate_json_request(schema_name, optional=False):
-  def wrapper(func):
-    @add_method_metadata('request_schema', schema_name)
-    @wraps(func)
-    def wrapped(self, *args, **kwargs):
-      schema = self.schemas[schema_name]
-      try:
-        json_data = request.get_json()
-        if json_data is None:
-          if not optional:
-            raise InvalidRequest('Missing JSON body')
-        else:
-          validate(json_data, schema)
-        return func(self, *args, **kwargs)
-      except ValidationError as ex:
-        raise InvalidRequest(ex.message)
-    return wrapped
-  return wrapper
+    def wrapper(func):
+        @add_method_metadata("request_schema", schema_name)
+        @wraps(func)
+        def wrapped(self, *args, **kwargs):
+            schema = self.schemas[schema_name]
+            try:
+                json_data = request.get_json()
+                if json_data is None:
+                    if not optional:
+                        raise InvalidRequest("Missing JSON body")
+                else:
+                    validate(json_data, schema)
+                return func(self, *args, **kwargs)
+            except ValidationError as ex:
+                raise InvalidRequest(ex.message)
+
+        return wrapped
+
+    return wrapper
+
 
 def kubernetes_only(f):
-  """ Aborts the request with a 400 if the app is not running on kubernetes """
-  @wraps(f)
-  def abort_if_not_kube(*args, **kwargs):
-    if not IS_KUBERNETES:
-      abort(400)
+    """ Aborts the request with a 400 if the app is not running on kubernetes """
 
-    return f(*args, **kwargs)
-  return abort_if_not_kube
+    @wraps(f)
+    def abort_if_not_kube(*args, **kwargs):
+        if not IS_KUBERNETES:
+            abort(400)
 
-nickname = partial(add_method_metadata, 'nickname')
+        return f(*args, **kwargs)
+
+    return abort_if_not_kube
+
+
+nickname = partial(add_method_metadata, "nickname")
 
 
 import config_app.config_endpoints.api.discovery
diff --git a/config_app/config_endpoints/api/discovery.py b/config_app/config_endpoints/api/discovery.py
index 183963ea3..eef5536e5 100644
--- a/config_app/config_endpoints/api/discovery.py
+++ b/config_app/config_endpoints/api/discovery.py
@@ -5,250 +5,253 @@ from collections import OrderedDict
 
 from config_app.c_app import app
 from config_app.config_endpoints.api import method_metadata
-from config_app.config_endpoints.common import fully_qualified_name, PARAM_REGEX, TYPE_CONVERTER
+from config_app.config_endpoints.common import (
+    fully_qualified_name,
+    PARAM_REGEX,
+    TYPE_CONVERTER,
+)
 
 logger = logging.getLogger(__name__)
 
 
 def generate_route_data():
-  include_internal = True
-  compact = True
+    include_internal = True
+    compact = True
 
-  def swagger_parameter(name, description, kind='path', param_type='string', required=True,
-                        enum=None, schema=None):
-    # https://github.com/swagger-api/swagger-spec/blob/master/versions/2.0.md#parameterObject
-    parameter_info = {
-      'name': name,
-      'in': kind,
-      'required': required
-    }
+    def swagger_parameter(
+        name,
+        description,
+        kind="path",
+        param_type="string",
+        required=True,
+        enum=None,
+        schema=None,
+    ):
+        # https://github.com/swagger-api/swagger-spec/blob/master/versions/2.0.md#parameterObject
+        parameter_info = {"name": name, "in": kind, "required": required}
 
-    if schema:
-      parameter_info['schema'] = {
-        '$ref': '#/definitions/%s' % schema
-      }
-    else:
-      parameter_info['type'] = param_type
-
-    if enum is not None and len(list(enum)) > 0:
-      parameter_info['enum'] = list(enum)
-
-    return parameter_info
-
-  paths = {}
-  models = {}
-  tags = []
-  tags_added = set()
-  operation_ids = set()
-
-  for rule in app.url_map.iter_rules():
-    endpoint_method = app.view_functions[rule.endpoint]
-
-    # Verify that we have a view class for this API method.
-    if not 'view_class' in dir(endpoint_method):
-      continue
-
-    view_class = endpoint_method.view_class
-
-    # Hide the class if it is internal.
-    internal = method_metadata(view_class, 'internal')
-    if not include_internal and internal:
-      continue
-
-    # Build the tag.
-    parts = fully_qualified_name(view_class).split('.')
-    tag_name = parts[-2]
-    if not tag_name in tags_added:
-      tags_added.add(tag_name)
-      tags.append({
-        'name': tag_name,
-        'description': (sys.modules[view_class.__module__].__doc__ or '').strip()
-      })
-
-    # Build the Swagger data for the path.
-    swagger_path = PARAM_REGEX.sub(r'{\2}', rule.rule)
-    full_name = fully_qualified_name(view_class)
-    path_swagger = {
-      'x-name': full_name,
-      'x-path': swagger_path,
-      'x-tag': tag_name
-    }
-
-    related_user_res = method_metadata(view_class, 'related_user_resource')
-    if related_user_res is not None:
-      path_swagger['x-user-related'] = fully_qualified_name(related_user_res)
-
-    paths[swagger_path] = path_swagger
-
-    # Add any global path parameters.
-    param_data_map = view_class.__api_path_params if '__api_path_params' in dir(
-      view_class) else {}
-    if param_data_map:
-      path_parameters_swagger = []
-      for path_parameter in param_data_map:
-        description = param_data_map[path_parameter].get('description')
-        path_parameters_swagger.append(swagger_parameter(path_parameter, description))
-
-      path_swagger['parameters'] = path_parameters_swagger
-
-    # Add the individual HTTP operations.
-    method_names = list(rule.methods.difference(['HEAD', 'OPTIONS']))
-    for method_name in method_names:
-      # https://github.com/swagger-api/swagger-spec/blob/master/versions/2.0.md#operation-object
-      method = getattr(view_class, method_name.lower(), None)
-      if method is None:
-        logger.debug('Unable to find method for %s in class %s', method_name, view_class)
-        continue
-
-      operationId = method_metadata(method, 'nickname')
-      operation_swagger = {
-        'operationId': operationId,
-        'parameters': [],
-      }
-
-      if operationId is None:
-        continue
-
-      if operationId in operation_ids:
-        raise Exception('Duplicate operation Id: %s' % operationId)
-
-      operation_ids.add(operationId)
-
-      # Mark the method as internal.
-      internal = method_metadata(method, 'internal')
-      if internal is not None:
-        operation_swagger['x-internal'] = True
-
-      if include_internal:
-        requires_fresh_login = method_metadata(method, 'requires_fresh_login')
-        if requires_fresh_login is not None:
-          operation_swagger['x-requires-fresh-login'] = True
-
-      # Add the path parameters.
-      if rule.arguments:
-        for path_parameter in rule.arguments:
-          description = param_data_map.get(path_parameter, {}).get('description')
-          operation_swagger['parameters'].append(
-            swagger_parameter(path_parameter, description))
-
-      # Add the query parameters.
-      if '__api_query_params' in dir(method):
-        for query_parameter_info in method.__api_query_params:
-          name = query_parameter_info['name']
-          description = query_parameter_info['help']
-          param_type = TYPE_CONVERTER[query_parameter_info['type']]
-          required = query_parameter_info['required']
-
-          operation_swagger['parameters'].append(
-            swagger_parameter(name, description, kind='query',
-                              param_type=param_type,
-                              required=required,
-                              enum=query_parameter_info['choices']))
-
-      # Add the OAuth security block.
-      # https://github.com/swagger-api/swagger-spec/blob/master/versions/2.0.md#securityRequirementObject
-      scope = method_metadata(method, 'oauth2_scope')
-      if scope and not compact:
-        operation_swagger['security'] = [{'oauth2_implicit': [scope.scope]}]
-
-      # Add the responses block.
-      # https://github.com/swagger-api/swagger-spec/blob/master/versions/2.0.md#responsesObject
-      response_schema_name = method_metadata(method, 'response_schema')
-      if not compact:
-        if response_schema_name:
-          models[response_schema_name] = view_class.schemas[response_schema_name]
-
-        models['ApiError'] = {
-          'type': 'object',
-          'properties': {
-            'status': {
-              'type': 'integer',
-              'description': 'Status code of the response.'
-            },
-            'type': {
-              'type': 'string',
-              'description': 'Reference to the type of the error.'
-            },
-            'detail': {
-              'type': 'string',
-              'description': 'Details about the specific instance of the error.'
-            },
-            'title': {
-              'type': 'string',
-              'description': 'Unique error code to identify the type of error.'
-            },
-            'error_message': {
-              'type': 'string',
-              'description': 'Deprecated; alias for detail'
-            },
-            'error_type': {
-              'type': 'string',
-              'description': 'Deprecated; alias for detail'
-            }
-          },
-          'required': [
-            'status',
-            'type',
-            'title',
-          ]
-        }
-
-        responses = {
-          '400': {
-            'description': 'Bad Request',
-          },
-
-          '401': {
-            'description': 'Session required',
-          },
-
-          '403': {
-            'description': 'Unauthorized access',
-          },
-
-          '404': {
-            'description': 'Not found',
-          },
-        }
-
-        for _, body in responses.items():
-          body['schema'] = {'$ref': '#/definitions/ApiError'}
-
-        if method_name == 'DELETE':
-          responses['204'] = {
-            'description': 'Deleted'
-          }
-        elif method_name == 'POST':
-          responses['201'] = {
-            'description': 'Successful creation'
-          }
+        if schema:
+            parameter_info["schema"] = {"$ref": "#/definitions/%s" % schema}
         else:
-          responses['200'] = {
-            'description': 'Successful invocation'
-          }
+            parameter_info["type"] = param_type
 
-          if response_schema_name:
-            responses['200']['schema'] = {
-              '$ref': '#/definitions/%s' % response_schema_name
-            }
+        if enum is not None and len(list(enum)) > 0:
+            parameter_info["enum"] = list(enum)
 
-        operation_swagger['responses'] = responses
+        return parameter_info
 
-      # Add the request block.
-      request_schema_name = method_metadata(method, 'request_schema')
-      if request_schema_name and not compact:
-        models[request_schema_name] = view_class.schemas[request_schema_name]
+    paths = {}
+    models = {}
+    tags = []
+    tags_added = set()
+    operation_ids = set()
 
-        operation_swagger['parameters'].append(
-          swagger_parameter('body', 'Request body contents.', kind='body',
-                            schema=request_schema_name))
+    for rule in app.url_map.iter_rules():
+        endpoint_method = app.view_functions[rule.endpoint]
 
-      # Add the operation to the parent path.
-      if not internal or (internal and include_internal):
-        path_swagger[method_name.lower()] = operation_swagger
+        # Verify that we have a view class for this API method.
+        if not "view_class" in dir(endpoint_method):
+            continue
 
-  tags.sort(key=lambda t: t['name'])
-  paths = OrderedDict(sorted(paths.items(), key=lambda p: p[1]['x-tag']))
+        view_class = endpoint_method.view_class
 
-  if compact:
-    return {'paths': paths}
+        # Hide the class if it is internal.
+        internal = method_metadata(view_class, "internal")
+        if not include_internal and internal:
+            continue
+
+        # Build the tag.
+        parts = fully_qualified_name(view_class).split(".")
+        tag_name = parts[-2]
+        if not tag_name in tags_added:
+            tags_added.add(tag_name)
+            tags.append(
+                {
+                    "name": tag_name,
+                    "description": (
+                        sys.modules[view_class.__module__].__doc__ or ""
+                    ).strip(),
+                }
+            )
+
+        # Build the Swagger data for the path.
+        swagger_path = PARAM_REGEX.sub(r"{\2}", rule.rule)
+        full_name = fully_qualified_name(view_class)
+        path_swagger = {"x-name": full_name, "x-path": swagger_path, "x-tag": tag_name}
+
+        related_user_res = method_metadata(view_class, "related_user_resource")
+        if related_user_res is not None:
+            path_swagger["x-user-related"] = fully_qualified_name(related_user_res)
+
+        paths[swagger_path] = path_swagger
+
+        # Add any global path parameters.
+        param_data_map = (
+            view_class.__api_path_params
+            if "__api_path_params" in dir(view_class)
+            else {}
+        )
+        if param_data_map:
+            path_parameters_swagger = []
+            for path_parameter in param_data_map:
+                description = param_data_map[path_parameter].get("description")
+                path_parameters_swagger.append(
+                    swagger_parameter(path_parameter, description)
+                )
+
+            path_swagger["parameters"] = path_parameters_swagger
+
+        # Add the individual HTTP operations.
+        method_names = list(rule.methods.difference(["HEAD", "OPTIONS"]))
+        for method_name in method_names:
+            # https://github.com/swagger-api/swagger-spec/blob/master/versions/2.0.md#operation-object
+            method = getattr(view_class, method_name.lower(), None)
+            if method is None:
+                logger.debug(
+                    "Unable to find method for %s in class %s", method_name, view_class
+                )
+                continue
+
+            operationId = method_metadata(method, "nickname")
+            operation_swagger = {"operationId": operationId, "parameters": []}
+
+            if operationId is None:
+                continue
+
+            if operationId in operation_ids:
+                raise Exception("Duplicate operation Id: %s" % operationId)
+
+            operation_ids.add(operationId)
+
+            # Mark the method as internal.
+            internal = method_metadata(method, "internal")
+            if internal is not None:
+                operation_swagger["x-internal"] = True
+
+            if include_internal:
+                requires_fresh_login = method_metadata(method, "requires_fresh_login")
+                if requires_fresh_login is not None:
+                    operation_swagger["x-requires-fresh-login"] = True
+
+            # Add the path parameters.
+            if rule.arguments:
+                for path_parameter in rule.arguments:
+                    description = param_data_map.get(path_parameter, {}).get(
+                        "description"
+                    )
+                    operation_swagger["parameters"].append(
+                        swagger_parameter(path_parameter, description)
+                    )
+
+            # Add the query parameters.
+            if "__api_query_params" in dir(method):
+                for query_parameter_info in method.__api_query_params:
+                    name = query_parameter_info["name"]
+                    description = query_parameter_info["help"]
+                    param_type = TYPE_CONVERTER[query_parameter_info["type"]]
+                    required = query_parameter_info["required"]
+
+                    operation_swagger["parameters"].append(
+                        swagger_parameter(
+                            name,
+                            description,
+                            kind="query",
+                            param_type=param_type,
+                            required=required,
+                            enum=query_parameter_info["choices"],
+                        )
+                    )
+
+            # Add the OAuth security block.
+            # https://github.com/swagger-api/swagger-spec/blob/master/versions/2.0.md#securityRequirementObject
+            scope = method_metadata(method, "oauth2_scope")
+            if scope and not compact:
+                operation_swagger["security"] = [{"oauth2_implicit": [scope.scope]}]
+
+            # Add the responses block.
+            # https://github.com/swagger-api/swagger-spec/blob/master/versions/2.0.md#responsesObject
+            response_schema_name = method_metadata(method, "response_schema")
+            if not compact:
+                if response_schema_name:
+                    models[response_schema_name] = view_class.schemas[
+                        response_schema_name
+                    ]
+
+                models["ApiError"] = {
+                    "type": "object",
+                    "properties": {
+                        "status": {
+                            "type": "integer",
+                            "description": "Status code of the response.",
+                        },
+                        "type": {
+                            "type": "string",
+                            "description": "Reference to the type of the error.",
+                        },
+                        "detail": {
+                            "type": "string",
+                            "description": "Details about the specific instance of the error.",
+                        },
+                        "title": {
+                            "type": "string",
+                            "description": "Unique error code to identify the type of error.",
+                        },
+                        "error_message": {
+                            "type": "string",
+                            "description": "Deprecated; alias for detail",
+                        },
+                        "error_type": {
+                            "type": "string",
+                            "description": "Deprecated; alias for detail",
+                        },
+                    },
+                    "required": ["status", "type", "title"],
+                }
+
+                responses = {
+                    "400": {"description": "Bad Request"},
+                    "401": {"description": "Session required"},
+                    "403": {"description": "Unauthorized access"},
+                    "404": {"description": "Not found"},
+                }
+
+                for _, body in responses.items():
+                    body["schema"] = {"$ref": "#/definitions/ApiError"}
+
+                if method_name == "DELETE":
+                    responses["204"] = {"description": "Deleted"}
+                elif method_name == "POST":
+                    responses["201"] = {"description": "Successful creation"}
+                else:
+                    responses["200"] = {"description": "Successful invocation"}
+
+                    if response_schema_name:
+                        responses["200"]["schema"] = {
+                            "$ref": "#/definitions/%s" % response_schema_name
+                        }
+
+                operation_swagger["responses"] = responses
+
+            # Add the request block.
+            request_schema_name = method_metadata(method, "request_schema")
+            if request_schema_name and not compact:
+                models[request_schema_name] = view_class.schemas[request_schema_name]
+
+                operation_swagger["parameters"].append(
+                    swagger_parameter(
+                        "body",
+                        "Request body contents.",
+                        kind="body",
+                        schema=request_schema_name,
+                    )
+                )
+
+            # Add the operation to the parent path.
+            if not internal or (internal and include_internal):
+                path_swagger[method_name.lower()] = operation_swagger
+
+    tags.sort(key=lambda t: t["name"])
+    paths = OrderedDict(sorted(paths.items(), key=lambda p: p[1]["x-tag"]))
+
+    if compact:
+        return {"paths": paths}
diff --git a/config_app/config_endpoints/api/kube_endpoints.py b/config_app/config_endpoints/api/kube_endpoints.py
index a7143412d..b71d2fe61 100644
--- a/config_app/config_endpoints/api/kube_endpoints.py
+++ b/config_app/config_endpoints/api/kube_endpoints.py
@@ -6,138 +6,152 @@ from config_app.config_util.config import get_config_as_kube_secret
 from data.database import configure
 
 from config_app.c_app import app, config_provider
-from config_app.config_endpoints.api import resource, ApiResource, nickname, kubernetes_only, validate_json_request
-from config_app.config_util.k8saccessor import KubernetesAccessorSingleton, K8sApiException
+from config_app.config_endpoints.api import (
+    resource,
+    ApiResource,
+    nickname,
+    kubernetes_only,
+    validate_json_request,
+)
+from config_app.config_util.k8saccessor import (
+    KubernetesAccessorSingleton,
+    K8sApiException,
+)
 
 logger = logging.getLogger(__name__)
 
-@resource('/v1/kubernetes/deployments/')
+
+@resource("/v1/kubernetes/deployments/")
 class SuperUserKubernetesDeployment(ApiResource):
-  """ Resource for the getting the status of Red Hat Quay deployments and cycling them """
-  schemas = {
-    'ValidateDeploymentNames': {
-      'type': 'object',
-      'description': 'Validates deployment names for cycling',
-      'required': [
-        'deploymentNames'
-      ],
-      'properties': {
-        'deploymentNames': {
-          'type': 'array',
-          'description': 'The names of the deployments to cycle'
-        },
-      },
+    """ Resource for the getting the status of Red Hat Quay deployments and cycling them """
+
+    schemas = {
+        "ValidateDeploymentNames": {
+            "type": "object",
+            "description": "Validates deployment names for cycling",
+            "required": ["deploymentNames"],
+            "properties": {
+                "deploymentNames": {
+                    "type": "array",
+                    "description": "The names of the deployments to cycle",
+                }
+            },
+        }
     }
-  }
 
-  @kubernetes_only
-  @nickname('scGetNumDeployments')
-  def get(self):
-    return KubernetesAccessorSingleton.get_instance().get_qe_deployments()
+    @kubernetes_only
+    @nickname("scGetNumDeployments")
+    def get(self):
+        return KubernetesAccessorSingleton.get_instance().get_qe_deployments()
 
-  @kubernetes_only
-  @validate_json_request('ValidateDeploymentNames')
-  @nickname('scCycleQEDeployments')
-  def put(self):
-    deployment_names = request.get_json()['deploymentNames']
-    return KubernetesAccessorSingleton.get_instance().cycle_qe_deployments(deployment_names)
+    @kubernetes_only
+    @validate_json_request("ValidateDeploymentNames")
+    @nickname("scCycleQEDeployments")
+    def put(self):
+        deployment_names = request.get_json()["deploymentNames"]
+        return KubernetesAccessorSingleton.get_instance().cycle_qe_deployments(
+            deployment_names
+        )
 
 
-@resource('/v1/kubernetes/deployment/<deployment>/status')
+@resource("/v1/kubernetes/deployment/<deployment>/status")
 class QEDeploymentRolloutStatus(ApiResource):
-  @kubernetes_only
-  @nickname('scGetDeploymentRolloutStatus')
-  def get(self, deployment):
-    deployment_rollout_status = KubernetesAccessorSingleton.get_instance().get_deployment_rollout_status(deployment)
-    return {
-      'status': deployment_rollout_status.status,
-      'message': deployment_rollout_status.message,
-    }
+    @kubernetes_only
+    @nickname("scGetDeploymentRolloutStatus")
+    def get(self, deployment):
+        deployment_rollout_status = KubernetesAccessorSingleton.get_instance().get_deployment_rollout_status(
+            deployment
+        )
+        return {
+            "status": deployment_rollout_status.status,
+            "message": deployment_rollout_status.message,
+        }
 
 
-@resource('/v1/kubernetes/deployments/rollback')
+@resource("/v1/kubernetes/deployments/rollback")
 class QEDeploymentRollback(ApiResource):
-  """ Resource for rolling back deployments """
-  schemas = {
-    'ValidateDeploymentNames': {
-      'type': 'object',
-      'description': 'Validates deployment names for rolling back',
-      'required': [
-        'deploymentNames'
-      ],
-      'properties': {
-        'deploymentNames': {
-          'type': 'array',
-          'description': 'The names of the deployments to rollback'
-        },
-      },
-    }
-  }
+    """ Resource for rolling back deployments """
 
-  @kubernetes_only
-  @nickname('scRollbackDeployments')
-  @validate_json_request('ValidateDeploymentNames')
-  def post(self):
-    """
+    schemas = {
+        "ValidateDeploymentNames": {
+            "type": "object",
+            "description": "Validates deployment names for rolling back",
+            "required": ["deploymentNames"],
+            "properties": {
+                "deploymentNames": {
+                    "type": "array",
+                    "description": "The names of the deployments to rollback",
+                }
+            },
+        }
+    }
+
+    @kubernetes_only
+    @nickname("scRollbackDeployments")
+    @validate_json_request("ValidateDeploymentNames")
+    def post(self):
+        """
     Returns the config to its original state and rolls back deployments
     :return:
     """
-    deployment_names = request.get_json()['deploymentNames']
+        deployment_names = request.get_json()["deploymentNames"]
 
-    # To roll back a deployment, we must do 2 things:
-    # 1. Roll back the config secret to its old value (discarding changes we made in this session)
-    # 2. Trigger a rollback to the previous revision, so that the pods will be restarted with
-    # the old config
-    old_secret = get_config_as_kube_secret(config_provider.get_old_config_dir())
-    kube_accessor = KubernetesAccessorSingleton.get_instance()
-    kube_accessor.replace_qe_secret(old_secret)
+        # To roll back a deployment, we must do 2 things:
+        # 1. Roll back the config secret to its old value (discarding changes we made in this session)
+        # 2. Trigger a rollback to the previous revision, so that the pods will be restarted with
+        # the old config
+        old_secret = get_config_as_kube_secret(config_provider.get_old_config_dir())
+        kube_accessor = KubernetesAccessorSingleton.get_instance()
+        kube_accessor.replace_qe_secret(old_secret)
 
-    try:
-      for name in deployment_names:
-        kube_accessor.rollback_deployment(name)
-    except K8sApiException as e:
-      logger.exception('Failed to rollback deployment.')
-      return make_response(e.message, 503)
+        try:
+            for name in deployment_names:
+                kube_accessor.rollback_deployment(name)
+        except K8sApiException as e:
+            logger.exception("Failed to rollback deployment.")
+            return make_response(e.message, 503)
 
-    return make_response('Ok', 204)
+        return make_response("Ok", 204)
 
 
-@resource('/v1/kubernetes/config')
+@resource("/v1/kubernetes/config")
 class SuperUserKubernetesConfiguration(ApiResource):
-  """ Resource for saving the config files to kubernetes secrets. """
+    """ Resource for saving the config files to kubernetes secrets. """
 
-  @kubernetes_only
-  @nickname('scDeployConfiguration')
-  def post(self):
-    try:
-      new_secret = get_config_as_kube_secret(config_provider.get_config_dir_path())
-      KubernetesAccessorSingleton.get_instance().replace_qe_secret(new_secret)
-    except K8sApiException as e:
-      logger.exception('Failed to deploy qe config secret to kubernetes.')
-      return make_response(e.message, 503)
+    @kubernetes_only
+    @nickname("scDeployConfiguration")
+    def post(self):
+        try:
+            new_secret = get_config_as_kube_secret(
+                config_provider.get_config_dir_path()
+            )
+            KubernetesAccessorSingleton.get_instance().replace_qe_secret(new_secret)
+        except K8sApiException as e:
+            logger.exception("Failed to deploy qe config secret to kubernetes.")
+            return make_response(e.message, 503)
 
-    return make_response('Ok', 201)
+        return make_response("Ok", 201)
 
 
-@resource('/v1/kubernetes/config/populate')
+@resource("/v1/kubernetes/config/populate")
 class KubernetesConfigurationPopulator(ApiResource):
-  """ Resource for populating the local configuration from the cluster's kubernetes secrets. """
+    """ Resource for populating the local configuration from the cluster's kubernetes secrets. """
 
-  @kubernetes_only
-  @nickname('scKubePopulateConfig')
-  def post(self):
-    # Get a clean transient directory to write the config into
-    config_provider.new_config_dir()
+    @kubernetes_only
+    @nickname("scKubePopulateConfig")
+    def post(self):
+        # Get a clean transient directory to write the config into
+        config_provider.new_config_dir()
 
-    kube_accessor = KubernetesAccessorSingleton.get_instance()
-    kube_accessor.save_secret_to_directory(config_provider.get_config_dir_path())
-    config_provider.create_copy_of_config_dir()
+        kube_accessor = KubernetesAccessorSingleton.get_instance()
+        kube_accessor.save_secret_to_directory(config_provider.get_config_dir_path())
+        config_provider.create_copy_of_config_dir()
 
-    # We update the db configuration to connect to their specified one
-    # (Note, even if this DB isn't valid, it won't affect much in the config app, since we'll report an error,
-    # and all of the options create a new clean dir, so we'll never pollute configs)
-    combined = dict(**app.config)
-    combined.update(config_provider.get_config())
-    configure(combined)
+        # We update the db configuration to connect to their specified one
+        # (Note, even if this DB isn't valid, it won't affect much in the config app, since we'll report an error,
+        # and all of the options create a new clean dir, so we'll never pollute configs)
+        combined = dict(**app.config)
+        combined.update(config_provider.get_config())
+        configure(combined)
 
-    return 200
+        return 200
diff --git a/config_app/config_endpoints/api/suconfig.py b/config_app/config_endpoints/api/suconfig.py
index 810d4a229..29c3545b7 100644
--- a/config_app/config_endpoints/api/suconfig.py
+++ b/config_app/config_endpoints/api/suconfig.py
@@ -2,301 +2,283 @@ import logging
 
 from flask import abort, request
 
-from config_app.config_endpoints.api.suconfig_models_pre_oci import pre_oci_model as model
-from config_app.config_endpoints.api import resource, ApiResource, nickname, validate_json_request
-from config_app.c_app import (app, config_provider, superusers, ip_resolver,
-                              instance_keys, INIT_SCRIPTS_LOCATION)
+from config_app.config_endpoints.api.suconfig_models_pre_oci import (
+    pre_oci_model as model,
+)
+from config_app.config_endpoints.api import (
+    resource,
+    ApiResource,
+    nickname,
+    validate_json_request,
+)
+from config_app.c_app import (
+    app,
+    config_provider,
+    superusers,
+    ip_resolver,
+    instance_keys,
+    INIT_SCRIPTS_LOCATION,
+)
 
 from data.database import configure
 from data.runmigration import run_alembic_migration
 from util.config.configutil import add_enterprise_config_defaults
-from util.config.validator import validate_service_for_config, ValidatorContext, \
-  is_valid_config_upload_filename
+from util.config.validator import (
+    validate_service_for_config,
+    ValidatorContext,
+    is_valid_config_upload_filename,
+)
 
 logger = logging.getLogger(__name__)
 
 
 def database_is_valid():
-  """ Returns whether the database, as configured, is valid. """
-  return model.is_valid()
+    """ Returns whether the database, as configured, is valid. """
+    return model.is_valid()
 
 
 def database_has_users():
-  """ Returns whether the database has any users defined. """
-  return model.has_users()
+    """ Returns whether the database has any users defined. """
+    return model.has_users()
 
 
-@resource('/v1/superuser/config')
+@resource("/v1/superuser/config")
 class SuperUserConfig(ApiResource):
-  """ Resource for fetching and updating the current configuration, if any. """
-  schemas = {
-    'UpdateConfig': {
-      'type': 'object',
-      'description': 'Updates the YAML config file',
-      'required': [
-        'config',
-      ],
-      'properties': {
-        'config': {
-          'type': 'object'
-        },
-        'password': {
-          'type': 'string'
-        },
-      },
-    },
-  }
+    """ Resource for fetching and updating the current configuration, if any. """
 
-  @nickname('scGetConfig')
-  def get(self):
-    """ Returns the currently defined configuration, if any. """
-    config_object = config_provider.get_config()
-    return {
-      'config': config_object
+    schemas = {
+        "UpdateConfig": {
+            "type": "object",
+            "description": "Updates the YAML config file",
+            "required": ["config"],
+            "properties": {
+                "config": {"type": "object"},
+                "password": {"type": "string"},
+            },
+        }
     }
 
-  @nickname('scUpdateConfig')
-  @validate_json_request('UpdateConfig')
-  def put(self):
-    """ Updates the config override file. """
-    # Note: This method is called to set the database configuration before super users exists,
-    # so we also allow it to be called if there is no valid registry configuration setup.
-    config_object = request.get_json()['config']
+    @nickname("scGetConfig")
+    def get(self):
+        """ Returns the currently defined configuration, if any. """
+        config_object = config_provider.get_config()
+        return {"config": config_object}
 
-    # Add any enterprise defaults missing from the config.
-    add_enterprise_config_defaults(config_object, app.config['SECRET_KEY'])
+    @nickname("scUpdateConfig")
+    @validate_json_request("UpdateConfig")
+    def put(self):
+        """ Updates the config override file. """
+        # Note: This method is called to set the database configuration before super users exists,
+        # so we also allow it to be called if there is no valid registry configuration setup.
+        config_object = request.get_json()["config"]
 
-    # Write the configuration changes to the config override file.
-    config_provider.save_config(config_object)
+        # Add any enterprise defaults missing from the config.
+        add_enterprise_config_defaults(config_object, app.config["SECRET_KEY"])
 
-    # now try to connect to the db provided in their config to validate it works
-    combined = dict(**app.config)
-    combined.update(config_provider.get_config())
-    configure(combined, testing=app.config['TESTING'])
+        # Write the configuration changes to the config override file.
+        config_provider.save_config(config_object)
 
-    return {
-      'exists': True,
-      'config': config_object
-    }
+        # now try to connect to the db provided in their config to validate it works
+        combined = dict(**app.config)
+        combined.update(config_provider.get_config())
+        configure(combined, testing=app.config["TESTING"])
+
+        return {"exists": True, "config": config_object}
 
 
-@resource('/v1/superuser/registrystatus')
+@resource("/v1/superuser/registrystatus")
 class SuperUserRegistryStatus(ApiResource):
-  """ Resource for determining the status of the registry, such as if config exists,
+    """ Resource for determining the status of the registry, such as if config exists,
       if a database is configured, and if it has any defined users.
   """
 
-  @nickname('scRegistryStatus')
-  def get(self):
-    """ Returns the status of the registry. """
-    # If there is no config file, we need to setup the database.
-    if not config_provider.config_exists():
-      return {
-        'status': 'config-db'
-      }
+    @nickname("scRegistryStatus")
+    def get(self):
+        """ Returns the status of the registry. """
+        # If there is no config file, we need to setup the database.
+        if not config_provider.config_exists():
+            return {"status": "config-db"}
 
-    # If the database isn't yet valid, then we need to set it up.
-    if not database_is_valid():
-      return {
-        'status': 'setup-db'
-      }
+        # If the database isn't yet valid, then we need to set it up.
+        if not database_is_valid():
+            return {"status": "setup-db"}
 
-    config = config_provider.get_config()
-    if config and config.get('SETUP_COMPLETE'):
-      return {
-        'status': 'config'
-      }
+        config = config_provider.get_config()
+        if config and config.get("SETUP_COMPLETE"):
+            return {"status": "config"}
 
-    return {
-      'status': 'create-superuser' if not database_has_users() else 'config'
-    }
+        return {"status": "create-superuser" if not database_has_users() else "config"}
 
 
 class _AlembicLogHandler(logging.Handler):
-  def __init__(self):
-    super(_AlembicLogHandler, self).__init__()
-    self.records = []
+    def __init__(self):
+        super(_AlembicLogHandler, self).__init__()
+        self.records = []
 
-  def emit(self, record):
-    self.records.append({
-      'level': record.levelname,
-      'message': record.getMessage()
-    })
+    def emit(self, record):
+        self.records.append({"level": record.levelname, "message": record.getMessage()})
 
 
 def _reload_config():
-  combined = dict(**app.config)
-  combined.update(config_provider.get_config())
-  configure(combined)
-  return combined
+    combined = dict(**app.config)
+    combined.update(config_provider.get_config())
+    configure(combined)
+    return combined
 
 
-@resource('/v1/superuser/setupdb')
+@resource("/v1/superuser/setupdb")
 class SuperUserSetupDatabase(ApiResource):
-  """ Resource for invoking alembic to setup the database. """
+    """ Resource for invoking alembic to setup the database. """
 
-  @nickname('scSetupDatabase')
-  def get(self):
-    """ Invokes the alembic upgrade process. """
-    # Note: This method is called after the database configured is saved, but before the
-    # database has any tables. Therefore, we only allow it to be run in that unique case.
-    if config_provider.config_exists() and not database_is_valid():
-      combined = _reload_config()
+    @nickname("scSetupDatabase")
+    def get(self):
+        """ Invokes the alembic upgrade process. """
+        # Note: This method is called after the database configured is saved, but before the
+        # database has any tables. Therefore, we only allow it to be run in that unique case.
+        if config_provider.config_exists() and not database_is_valid():
+            combined = _reload_config()
 
-      app.config['DB_URI'] = combined['DB_URI']
-      db_uri = app.config['DB_URI']
-      escaped_db_uri = db_uri.replace('%', '%%')
+            app.config["DB_URI"] = combined["DB_URI"]
+            db_uri = app.config["DB_URI"]
+            escaped_db_uri = db_uri.replace("%", "%%")
 
-      log_handler = _AlembicLogHandler()
+            log_handler = _AlembicLogHandler()
 
-      try:
-        run_alembic_migration(escaped_db_uri, log_handler, setup_app=False)
-      except Exception as ex:
-        return {
-          'error': str(ex)
-        }
+            try:
+                run_alembic_migration(escaped_db_uri, log_handler, setup_app=False)
+            except Exception as ex:
+                return {"error": str(ex)}
 
-      return {
-        'logs': log_handler.records
-      }
+            return {"logs": log_handler.records}
 
-    abort(403)
+        abort(403)
 
 
-@resource('/v1/superuser/config/createsuperuser')
+@resource("/v1/superuser/config/createsuperuser")
 class SuperUserCreateInitialSuperUser(ApiResource):
-  """ Resource for creating the initial super user. """
-  schemas = {
-    'CreateSuperUser': {
-      'type': 'object',
-      'description': 'Information for creating the initial super user',
-      'required': [
-        'username',
-        'password',
-        'email'
-      ],
-      'properties': {
-        'username': {
-          'type': 'string',
-          'description': 'The username for the superuser'
-        },
-        'password': {
-          'type': 'string',
-          'description': 'The password for the superuser'
-        },
-        'email': {
-          'type': 'string',
-          'description': 'The e-mail address for the superuser'
-        },
-      },
-    },
-  }
+    """ Resource for creating the initial super user. """
 
-  @nickname('scCreateInitialSuperuser')
-  @validate_json_request('CreateSuperUser')
-  def post(self):
-    """ Creates the initial super user, updates the underlying configuration and
+    schemas = {
+        "CreateSuperUser": {
+            "type": "object",
+            "description": "Information for creating the initial super user",
+            "required": ["username", "password", "email"],
+            "properties": {
+                "username": {
+                    "type": "string",
+                    "description": "The username for the superuser",
+                },
+                "password": {
+                    "type": "string",
+                    "description": "The password for the superuser",
+                },
+                "email": {
+                    "type": "string",
+                    "description": "The e-mail address for the superuser",
+                },
+            },
+        }
+    }
+
+    @nickname("scCreateInitialSuperuser")
+    @validate_json_request("CreateSuperUser")
+    def post(self):
+        """ Creates the initial super user, updates the underlying configuration and
         sets the current session to have that super user. """
 
-    _reload_config()
+        _reload_config()
 
-    # Special security check: This method is only accessible when:
-    #   - There is a valid config YAML file.
-    #   - There are currently no users in the database (clean install)
-    #
-    # We do this special security check because at the point this method is called, the database
-    # is clean but does not (yet) have any super users for our permissions code to check against.
-    if config_provider.config_exists() and not database_has_users():
-      data = request.get_json()
-      username = data['username']
-      password = data['password']
-      email = data['email']
+        # Special security check: This method is only accessible when:
+        #   - There is a valid config YAML file.
+        #   - There are currently no users in the database (clean install)
+        #
+        # We do this special security check because at the point this method is called, the database
+        # is clean but does not (yet) have any super users for our permissions code to check against.
+        if config_provider.config_exists() and not database_has_users():
+            data = request.get_json()
+            username = data["username"]
+            password = data["password"]
+            email = data["email"]
 
-      # Create the user in the database.
-      superuser_uuid = model.create_superuser(username, password, email)
+            # Create the user in the database.
+            superuser_uuid = model.create_superuser(username, password, email)
 
-      # Add the user to the config.
-      config_object = config_provider.get_config()
-      config_object['SUPER_USERS'] = [username]
-      config_provider.save_config(config_object)
+            # Add the user to the config.
+            config_object = config_provider.get_config()
+            config_object["SUPER_USERS"] = [username]
+            config_provider.save_config(config_object)
 
-      # Update the in-memory config for the new superuser.
-      superusers.register_superuser(username)
+            # Update the in-memory config for the new superuser.
+            superusers.register_superuser(username)
 
-      return {
-        'status': True
-      }
+            return {"status": True}
 
-    abort(403)
+        abort(403)
 
 
-@resource('/v1/superuser/config/validate/<service>')
+@resource("/v1/superuser/config/validate/<service>")
 class SuperUserConfigValidate(ApiResource):
-  """ Resource for validating a block of configuration against an external service. """
-  schemas = {
-    'ValidateConfig': {
-      'type': 'object',
-      'description': 'Validates configuration',
-      'required': [
-        'config'
-      ],
-      'properties': {
-        'config': {
-          'type': 'object'
-        },
-        'password': {
-          'type': 'string',
-          'description': 'The users password, used for auth validation'
+    """ Resource for validating a block of configuration against an external service. """
+
+    schemas = {
+        "ValidateConfig": {
+            "type": "object",
+            "description": "Validates configuration",
+            "required": ["config"],
+            "properties": {
+                "config": {"type": "object"},
+                "password": {
+                    "type": "string",
+                    "description": "The users password, used for auth validation",
+                },
+            },
         }
-      },
-    },
-  }
+    }
 
-  @nickname('scValidateConfig')
-  @validate_json_request('ValidateConfig')
-  def post(self, service):
-    """ Validates the given config for the given service. """
-    # Note: This method is called to validate the database configuration before super users exists,
-    # so we also allow it to be called if there is no valid registry configuration setup. Note that
-    # this is also safe since this method does not access any information not given in the request.
-    config = request.get_json()['config']
-    validator_context = ValidatorContext.from_app(app, config,
-                                                  request.get_json().get('password', ''),
-                                                  instance_keys=instance_keys,
-                                                  ip_resolver=ip_resolver,
-                                                  config_provider=config_provider,
-                                                  init_scripts_location=INIT_SCRIPTS_LOCATION)
+    @nickname("scValidateConfig")
+    @validate_json_request("ValidateConfig")
+    def post(self, service):
+        """ Validates the given config for the given service. """
+        # Note: This method is called to validate the database configuration before super users exists,
+        # so we also allow it to be called if there is no valid registry configuration setup. Note that
+        # this is also safe since this method does not access any information not given in the request.
+        config = request.get_json()["config"]
+        validator_context = ValidatorContext.from_app(
+            app,
+            config,
+            request.get_json().get("password", ""),
+            instance_keys=instance_keys,
+            ip_resolver=ip_resolver,
+            config_provider=config_provider,
+            init_scripts_location=INIT_SCRIPTS_LOCATION,
+        )
 
-    return validate_service_for_config(service, validator_context)
+        return validate_service_for_config(service, validator_context)
 
 
-@resource('/v1/superuser/config/file/<filename>')
+@resource("/v1/superuser/config/file/<filename>")
 class SuperUserConfigFile(ApiResource):
-  """ Resource for fetching the status of config files and overriding them. """
+    """ Resource for fetching the status of config files and overriding them. """
 
-  @nickname('scConfigFileExists')
-  def get(self, filename):
-    """ Returns whether the configuration file with the given name exists. """
-    if not is_valid_config_upload_filename(filename):
-      abort(404)
+    @nickname("scConfigFileExists")
+    def get(self, filename):
+        """ Returns whether the configuration file with the given name exists. """
+        if not is_valid_config_upload_filename(filename):
+            abort(404)
 
-    return {
-      'exists': config_provider.volume_file_exists(filename)
-    }
+        return {"exists": config_provider.volume_file_exists(filename)}
 
-  @nickname('scUpdateConfigFile')
-  def post(self, filename):
-    """ Updates the configuration file with the given name. """
-    if not is_valid_config_upload_filename(filename):
-      abort(404)
+    @nickname("scUpdateConfigFile")
+    def post(self, filename):
+        """ Updates the configuration file with the given name. """
+        if not is_valid_config_upload_filename(filename):
+            abort(404)
 
-    # Note: This method can be called before the configuration exists
-    # to upload the database SSL cert.
-    uploaded_file = request.files['file']
-    if not uploaded_file:
-      abort(400)
+        # Note: This method can be called before the configuration exists
+        # to upload the database SSL cert.
+        uploaded_file = request.files["file"]
+        if not uploaded_file:
+            abort(400)
 
-    config_provider.save_volume_file(filename, uploaded_file)
-    return {
-      'status': True
-    }
+        config_provider.save_volume_file(filename, uploaded_file)
+        return {"status": True}
diff --git a/config_app/config_endpoints/api/suconfig_models_interface.py b/config_app/config_endpoints/api/suconfig_models_interface.py
index 9f8cbd0cb..d41a97d11 100644
--- a/config_app/config_endpoints/api/suconfig_models_interface.py
+++ b/config_app/config_endpoints/api/suconfig_models_interface.py
@@ -4,36 +4,36 @@ from six import add_metaclass
 
 @add_metaclass(ABCMeta)
 class SuperuserConfigDataInterface(object):
-  """
+    """
   Interface that represents all data store interactions required by the superuser config API.
   """
 
-  @abstractmethod
-  def is_valid(self):
-    """
+    @abstractmethod
+    def is_valid(self):
+        """
     Returns true if the configured database is valid.
     """
 
-  @abstractmethod
-  def has_users(self):
-    """
+    @abstractmethod
+    def has_users(self):
+        """
     Returns true if there are any users defined.
     """
 
-  @abstractmethod
-  def create_superuser(self, username, password, email):
-    """
+    @abstractmethod
+    def create_superuser(self, username, password, email):
+        """
     Creates a new superuser with the given username, password and email. Returns the user's UUID.
     """
 
-  @abstractmethod
-  def has_federated_login(self, username, service_name):
-    """
+    @abstractmethod
+    def has_federated_login(self, username, service_name):
+        """
     Returns true if the matching user has a federated login under the matching service.
     """
 
-  @abstractmethod
-  def attach_federated_login(self, username, service_name, federated_username):
-    """
+    @abstractmethod
+    def attach_federated_login(self, username, service_name, federated_username):
+        """
     Attaches a federatated login to the matching user, under the given service.
     """
diff --git a/config_app/config_endpoints/api/suconfig_models_pre_oci.py b/config_app/config_endpoints/api/suconfig_models_pre_oci.py
index fbc238078..9e512e88a 100644
--- a/config_app/config_endpoints/api/suconfig_models_pre_oci.py
+++ b/config_app/config_endpoints/api/suconfig_models_pre_oci.py
@@ -1,37 +1,39 @@
 from data import model
 from data.database import User
-from config_app.config_endpoints.api.suconfig_models_interface import SuperuserConfigDataInterface
+from config_app.config_endpoints.api.suconfig_models_interface import (
+    SuperuserConfigDataInterface,
+)
 
 
 class PreOCIModel(SuperuserConfigDataInterface):
-  # Note: this method is different than has_users: the user select will throw if the user
-  # table does not exist, whereas has_users assumes the table is valid
-  def is_valid(self):
-    try:
-      list(User.select().limit(1))
-      return True
-    except:
-      return False
+    # Note: this method is different than has_users: the user select will throw if the user
+    # table does not exist, whereas has_users assumes the table is valid
+    def is_valid(self):
+        try:
+            list(User.select().limit(1))
+            return True
+        except:
+            return False
 
-  def has_users(self):
-    return bool(list(User.select().limit(1)))
+    def has_users(self):
+        return bool(list(User.select().limit(1)))
 
-  def create_superuser(self, username, password, email):
-    return model.user.create_user(username, password, email, auto_verify=True).uuid
+    def create_superuser(self, username, password, email):
+        return model.user.create_user(username, password, email, auto_verify=True).uuid
 
-  def has_federated_login(self, username, service_name):
-    user = model.user.get_user(username)
-    if user is None:
-      return False
+    def has_federated_login(self, username, service_name):
+        user = model.user.get_user(username)
+        if user is None:
+            return False
 
-    return bool(model.user.lookup_federated_login(user, service_name))
+        return bool(model.user.lookup_federated_login(user, service_name))
 
-  def attach_federated_login(self, username, service_name, federated_username):
-    user = model.user.get_user(username)
-    if user is None:
-      return False
+    def attach_federated_login(self, username, service_name, federated_username):
+        user = model.user.get_user(username)
+        if user is None:
+            return False
 
-    model.user.attach_federated_login(user, service_name, federated_username)
+        model.user.attach_federated_login(user, service_name, federated_username)
 
 
 pre_oci_model = PreOCIModel()
diff --git a/config_app/config_endpoints/api/superuser.py b/config_app/config_endpoints/api/superuser.py
index 7e5adccb5..db5d1d81c 100644
--- a/config_app/config_endpoints/api/superuser.py
+++ b/config_app/config_endpoints/api/superuser.py
@@ -12,7 +12,13 @@ from data.model import ServiceKeyDoesNotExist
 from util.config.validator import EXTRA_CA_DIRECTORY
 
 from config_app.config_endpoints.exception import InvalidRequest
-from config_app.config_endpoints.api import resource, ApiResource, nickname, log_action, validate_json_request
+from config_app.config_endpoints.api import (
+    resource,
+    ApiResource,
+    nickname,
+    log_action,
+    validate_json_request,
+)
 from config_app.config_endpoints.api.superuser_models_pre_oci import pre_oci_model
 from config_app.config_util.ssl import load_certificate, CertInvalidException
 from config_app.c_app import app, config_provider, INIT_SCRIPTS_LOCATION
@@ -21,228 +27,233 @@ from config_app.c_app import app, config_provider, INIT_SCRIPTS_LOCATION
 logger = logging.getLogger(__name__)
 
 
-@resource('/v1/superuser/customcerts/<certpath>')
+@resource("/v1/superuser/customcerts/<certpath>")
 class SuperUserCustomCertificate(ApiResource):
-  """ Resource for managing a custom certificate. """
+    """ Resource for managing a custom certificate. """
 
-  @nickname('uploadCustomCertificate')
-  def post(self, certpath):
-    uploaded_file = request.files['file']
-    if not uploaded_file:
-      raise InvalidRequest('Missing certificate file')
+    @nickname("uploadCustomCertificate")
+    def post(self, certpath):
+        uploaded_file = request.files["file"]
+        if not uploaded_file:
+            raise InvalidRequest("Missing certificate file")
 
-    # Save the certificate.
-    certpath = pathvalidate.sanitize_filename(certpath)
-    if not certpath.endswith('.crt'):
-      raise InvalidRequest('Invalid certificate file: must have suffix `.crt`')
+        # Save the certificate.
+        certpath = pathvalidate.sanitize_filename(certpath)
+        if not certpath.endswith(".crt"):
+            raise InvalidRequest("Invalid certificate file: must have suffix `.crt`")
 
-    logger.debug('Saving custom certificate %s', certpath)
-    cert_full_path = config_provider.get_volume_path(EXTRA_CA_DIRECTORY, certpath)
-    config_provider.save_volume_file(cert_full_path, uploaded_file)
-    logger.debug('Saved custom certificate %s', certpath)
+        logger.debug("Saving custom certificate %s", certpath)
+        cert_full_path = config_provider.get_volume_path(EXTRA_CA_DIRECTORY, certpath)
+        config_provider.save_volume_file(cert_full_path, uploaded_file)
+        logger.debug("Saved custom certificate %s", certpath)
 
-    # Validate the certificate.
-    try:
-      logger.debug('Loading custom certificate %s', certpath)
-      with config_provider.get_volume_file(cert_full_path) as f:
-        load_certificate(f.read())
-    except CertInvalidException:
-      logger.exception('Got certificate invalid error for cert %s', certpath)
-      return '', 204
-    except IOError:
-      logger.exception('Got IO error for cert %s', certpath)
-      return '', 204
+        # Validate the certificate.
+        try:
+            logger.debug("Loading custom certificate %s", certpath)
+            with config_provider.get_volume_file(cert_full_path) as f:
+                load_certificate(f.read())
+        except CertInvalidException:
+            logger.exception("Got certificate invalid error for cert %s", certpath)
+            return "", 204
+        except IOError:
+            logger.exception("Got IO error for cert %s", certpath)
+            return "", 204
 
-    # Call the update script with config dir location to install the certificate immediately.
-    if not app.config['TESTING']:
-      cert_dir = os.path.join(config_provider.get_config_dir_path(), EXTRA_CA_DIRECTORY)
-      if subprocess.call([os.path.join(INIT_SCRIPTS_LOCATION, 'certs_install.sh')], env={ 'CERTDIR': cert_dir }) != 0:
-        raise Exception('Could not install certificates')
+        # Call the update script with config dir location to install the certificate immediately.
+        if not app.config["TESTING"]:
+            cert_dir = os.path.join(
+                config_provider.get_config_dir_path(), EXTRA_CA_DIRECTORY
+            )
+            if (
+                subprocess.call(
+                    [os.path.join(INIT_SCRIPTS_LOCATION, "certs_install.sh")],
+                    env={"CERTDIR": cert_dir},
+                )
+                != 0
+            ):
+                raise Exception("Could not install certificates")
 
-    return '', 204
+        return "", 204
 
-  @nickname('deleteCustomCertificate')
-  def delete(self, certpath):
-    cert_full_path = config_provider.get_volume_path(EXTRA_CA_DIRECTORY, certpath)
-    config_provider.remove_volume_file(cert_full_path)
-    return '', 204
+    @nickname("deleteCustomCertificate")
+    def delete(self, certpath):
+        cert_full_path = config_provider.get_volume_path(EXTRA_CA_DIRECTORY, certpath)
+        config_provider.remove_volume_file(cert_full_path)
+        return "", 204
 
 
-@resource('/v1/superuser/customcerts')
+@resource("/v1/superuser/customcerts")
 class SuperUserCustomCertificates(ApiResource):
-  """ Resource for managing custom certificates. """
+    """ Resource for managing custom certificates. """
 
-  @nickname('getCustomCertificates')
-  def get(self):
-    has_extra_certs_path = config_provider.volume_file_exists(EXTRA_CA_DIRECTORY)
-    extra_certs_found = config_provider.list_volume_directory(EXTRA_CA_DIRECTORY)
-    if extra_certs_found is None:
-      return {
-        'status': 'file' if has_extra_certs_path else 'none',
-      }
+    @nickname("getCustomCertificates")
+    def get(self):
+        has_extra_certs_path = config_provider.volume_file_exists(EXTRA_CA_DIRECTORY)
+        extra_certs_found = config_provider.list_volume_directory(EXTRA_CA_DIRECTORY)
+        if extra_certs_found is None:
+            return {"status": "file" if has_extra_certs_path else "none"}
 
-    cert_views = []
-    for extra_cert_path in extra_certs_found:
-      try:
-        cert_full_path = config_provider.get_volume_path(EXTRA_CA_DIRECTORY, extra_cert_path)
-        with config_provider.get_volume_file(cert_full_path) as f:
-          certificate = load_certificate(f.read())
-          cert_views.append({
-            'path': extra_cert_path,
-            'names': list(certificate.names),
-            'expired': certificate.expired,
-          })
-      except CertInvalidException as cie:
-        cert_views.append({
-          'path': extra_cert_path,
-          'error': cie.message,
-        })
-      except IOError as ioe:
-        cert_views.append({
-          'path': extra_cert_path,
-          'error': ioe.message,
-        })
+        cert_views = []
+        for extra_cert_path in extra_certs_found:
+            try:
+                cert_full_path = config_provider.get_volume_path(
+                    EXTRA_CA_DIRECTORY, extra_cert_path
+                )
+                with config_provider.get_volume_file(cert_full_path) as f:
+                    certificate = load_certificate(f.read())
+                    cert_views.append(
+                        {
+                            "path": extra_cert_path,
+                            "names": list(certificate.names),
+                            "expired": certificate.expired,
+                        }
+                    )
+            except CertInvalidException as cie:
+                cert_views.append({"path": extra_cert_path, "error": cie.message})
+            except IOError as ioe:
+                cert_views.append({"path": extra_cert_path, "error": ioe.message})
 
-    return {
-      'status': 'directory',
-      'certs': cert_views,
-    }
+        return {"status": "directory", "certs": cert_views}
 
 
-@resource('/v1/superuser/keys')
+@resource("/v1/superuser/keys")
 class SuperUserServiceKeyManagement(ApiResource):
-  """ Resource for managing service keys."""
-  schemas = {
-    'CreateServiceKey': {
-      'id': 'CreateServiceKey',
-      'type': 'object',
-      'description': 'Description of creation of a service key',
-      'required': ['service', 'expiration'],
-      'properties': {
-        'service': {
-          'type': 'string',
-          'description': 'The service authenticating with this key',
-        },
-        'name': {
-          'type': 'string',
-          'description': 'The friendly name of a service key',
-        },
-        'metadata': {
-          'type': 'object',
-          'description': 'The key/value pairs of this key\'s metadata',
-        },
-        'notes': {
-          'type': 'string',
-          'description': 'If specified, the extra notes for the key',
-        },
-        'expiration': {
-          'description': 'The expiration date as a unix timestamp',
-          'anyOf': [{'type': 'number'}, {'type': 'null'}],
-        },
-      },
-    },
-  }
+    """ Resource for managing service keys."""
 
-  @nickname('listServiceKeys')
-  def get(self):
-    keys = pre_oci_model.list_all_service_keys()
-
-    return jsonify({
-      'keys': [key.to_dict() for key in keys],
-    })
-
-  @nickname('createServiceKey')
-  @validate_json_request('CreateServiceKey')
-  def post(self):
-    body = request.get_json()
-
-    # Ensure we have a valid expiration date if specified.
-    expiration_date = body.get('expiration', None)
-    if expiration_date is not None:
-      try:
-        expiration_date = datetime.utcfromtimestamp(float(expiration_date))
-      except ValueError as ve:
-        raise InvalidRequest('Invalid expiration date: %s' % ve)
-
-      if expiration_date <= datetime.now():
-        raise InvalidRequest('Expiration date cannot be in the past')
-
-    # Create the metadata for the key.
-    metadata = body.get('metadata', {})
-    metadata.update({
-      'created_by': 'Quay Superuser Panel',
-      'ip': request.remote_addr,
-    })
-
-    # Generate a key with a private key that we *never save*.
-    (private_key, key_id) = pre_oci_model.generate_service_key(body['service'], expiration_date,
-                                                               metadata=metadata,
-                                                               name=body.get('name', ''))
-    # Auto-approve the service key.
-    pre_oci_model.approve_service_key(key_id, ServiceKeyApprovalType.SUPERUSER,
-                                      notes=body.get('notes', ''))
-
-    # Log the creation and auto-approval of the service key.
-    key_log_metadata = {
-      'kid': key_id,
-      'preshared': True,
-      'service': body['service'],
-      'name': body.get('name', ''),
-      'expiration_date': expiration_date,
-      'auto_approved': True,
+    schemas = {
+        "CreateServiceKey": {
+            "id": "CreateServiceKey",
+            "type": "object",
+            "description": "Description of creation of a service key",
+            "required": ["service", "expiration"],
+            "properties": {
+                "service": {
+                    "type": "string",
+                    "description": "The service authenticating with this key",
+                },
+                "name": {
+                    "type": "string",
+                    "description": "The friendly name of a service key",
+                },
+                "metadata": {
+                    "type": "object",
+                    "description": "The key/value pairs of this key's metadata",
+                },
+                "notes": {
+                    "type": "string",
+                    "description": "If specified, the extra notes for the key",
+                },
+                "expiration": {
+                    "description": "The expiration date as a unix timestamp",
+                    "anyOf": [{"type": "number"}, {"type": "null"}],
+                },
+            },
+        }
     }
 
-    log_action('service_key_create', None, key_log_metadata)
-    log_action('service_key_approve', None, key_log_metadata)
+    @nickname("listServiceKeys")
+    def get(self):
+        keys = pre_oci_model.list_all_service_keys()
 
-    return jsonify({
-      'kid': key_id,
-      'name': body.get('name', ''),
-      'service': body['service'],
-      'public_key': private_key.publickey().exportKey('PEM'),
-      'private_key': private_key.exportKey('PEM'),
-    })
+        return jsonify({"keys": [key.to_dict() for key in keys]})
 
-@resource('/v1/superuser/approvedkeys/<kid>')
+    @nickname("createServiceKey")
+    @validate_json_request("CreateServiceKey")
+    def post(self):
+        body = request.get_json()
+
+        # Ensure we have a valid expiration date if specified.
+        expiration_date = body.get("expiration", None)
+        if expiration_date is not None:
+            try:
+                expiration_date = datetime.utcfromtimestamp(float(expiration_date))
+            except ValueError as ve:
+                raise InvalidRequest("Invalid expiration date: %s" % ve)
+
+            if expiration_date <= datetime.now():
+                raise InvalidRequest("Expiration date cannot be in the past")
+
+        # Create the metadata for the key.
+        metadata = body.get("metadata", {})
+        metadata.update(
+            {"created_by": "Quay Superuser Panel", "ip": request.remote_addr}
+        )
+
+        # Generate a key with a private key that we *never save*.
+        (private_key, key_id) = pre_oci_model.generate_service_key(
+            body["service"],
+            expiration_date,
+            metadata=metadata,
+            name=body.get("name", ""),
+        )
+        # Auto-approve the service key.
+        pre_oci_model.approve_service_key(
+            key_id, ServiceKeyApprovalType.SUPERUSER, notes=body.get("notes", "")
+        )
+
+        # Log the creation and auto-approval of the service key.
+        key_log_metadata = {
+            "kid": key_id,
+            "preshared": True,
+            "service": body["service"],
+            "name": body.get("name", ""),
+            "expiration_date": expiration_date,
+            "auto_approved": True,
+        }
+
+        log_action("service_key_create", None, key_log_metadata)
+        log_action("service_key_approve", None, key_log_metadata)
+
+        return jsonify(
+            {
+                "kid": key_id,
+                "name": body.get("name", ""),
+                "service": body["service"],
+                "public_key": private_key.publickey().exportKey("PEM"),
+                "private_key": private_key.exportKey("PEM"),
+            }
+        )
+
+
+@resource("/v1/superuser/approvedkeys/<kid>")
 class SuperUserServiceKeyApproval(ApiResource):
-  """ Resource for approving service keys. """
+    """ Resource for approving service keys. """
 
-  schemas = {
-    'ApproveServiceKey': {
-      'id': 'ApproveServiceKey',
-      'type': 'object',
-      'description': 'Information for approving service keys',
-      'properties': {
-        'notes': {
-          'type': 'string',
-          'description': 'Optional approval notes',
-        },
-      },
-    },
-  }
+    schemas = {
+        "ApproveServiceKey": {
+            "id": "ApproveServiceKey",
+            "type": "object",
+            "description": "Information for approving service keys",
+            "properties": {
+                "notes": {"type": "string", "description": "Optional approval notes"}
+            },
+        }
+    }
 
-  @nickname('approveServiceKey')
-  @validate_json_request('ApproveServiceKey')
-  def post(self, kid):
-    notes = request.get_json().get('notes', '')
-    try:
-      key = pre_oci_model.approve_service_key(kid, ServiceKeyApprovalType.SUPERUSER, notes=notes)
+    @nickname("approveServiceKey")
+    @validate_json_request("ApproveServiceKey")
+    def post(self, kid):
+        notes = request.get_json().get("notes", "")
+        try:
+            key = pre_oci_model.approve_service_key(
+                kid, ServiceKeyApprovalType.SUPERUSER, notes=notes
+            )
 
-      # Log the approval of the service key.
-      key_log_metadata = {
-        'kid': kid,
-        'service': key.service,
-        'name': key.name,
-        'expiration_date': key.expiration_date,
-      }
+            # Log the approval of the service key.
+            key_log_metadata = {
+                "kid": kid,
+                "service": key.service,
+                "name": key.name,
+                "expiration_date": key.expiration_date,
+            }
 
-      # Note: this may not actually be the current person modifying the config, but if they're in the config tool,
-      # they have full access to the DB and could pretend to be any user, so pulling any superuser is likely fine
-      super_user = app.config.get('SUPER_USERS', [None])[0]
-      log_action('service_key_approve', super_user, key_log_metadata)
-    except ServiceKeyDoesNotExist:
-      raise NotFound()
-    except ServiceKeyAlreadyApproved:
-      pass
+            # Note: this may not actually be the current person modifying the config, but if they're in the config tool,
+            # they have full access to the DB and could pretend to be any user, so pulling any superuser is likely fine
+            super_user = app.config.get("SUPER_USERS", [None])[0]
+            log_action("service_key_approve", super_user, key_log_metadata)
+        except ServiceKeyDoesNotExist:
+            raise NotFound()
+        except ServiceKeyAlreadyApproved:
+            pass
 
-    return make_response('', 201)
+        return make_response("", 201)
diff --git a/config_app/config_endpoints/api/superuser_models_interface.py b/config_app/config_endpoints/api/superuser_models_interface.py
index 53efc9aec..efd8a0f04 100644
--- a/config_app/config_endpoints/api/superuser_models_interface.py
+++ b/config_app/config_endpoints/api/superuser_models_interface.py
@@ -6,21 +6,33 @@ from config_app.config_endpoints.api import format_date
 
 
 def user_view(user):
-  return {
-    'name': user.username,
-    'kind': 'user',
-    'is_robot': user.robot,
-  }
+    return {"name": user.username, "kind": "user", "is_robot": user.robot}
 
 
-class RepositoryBuild(namedtuple('RepositoryBuild',
-                                 ['uuid', 'logs_archived', 'repository_namespace_user_username',
-                                  'repository_name',
-                                  'can_write', 'can_read', 'pull_robot', 'resource_key', 'trigger',
-                                  'display_name',
-                                  'started', 'job_config', 'phase', 'status', 'error',
-                                  'archive_url'])):
-  """
+class RepositoryBuild(
+    namedtuple(
+        "RepositoryBuild",
+        [
+            "uuid",
+            "logs_archived",
+            "repository_namespace_user_username",
+            "repository_name",
+            "can_write",
+            "can_read",
+            "pull_robot",
+            "resource_key",
+            "trigger",
+            "display_name",
+            "started",
+            "job_config",
+            "phase",
+            "status",
+            "error",
+            "archive_url",
+        ],
+    )
+):
+    """
   RepositoryBuild represents a build associated with a repostiory
   :type uuid: string
   :type logs_archived: boolean
@@ -40,42 +52,46 @@ class RepositoryBuild(namedtuple('RepositoryBuild',
   :type archive_url: string
   """
 
-  def to_dict(self):
+    def to_dict(self):
 
-    resp = {
-      'id': self.uuid,
-      'phase': self.phase,
-      'started': format_date(self.started),
-      'display_name': self.display_name,
-      'status': self.status or {},
-      'subdirectory': self.job_config.get('build_subdir', ''),
-      'dockerfile_path': self.job_config.get('build_subdir', ''),
-      'context': self.job_config.get('context', ''),
-      'tags': self.job_config.get('docker_tags', []),
-      'manual_user': self.job_config.get('manual_user', None),
-      'is_writer': self.can_write,
-      'trigger': self.trigger.to_dict(),
-      'trigger_metadata': self.job_config.get('trigger_metadata', None) if self.can_read else None,
-      'resource_key': self.resource_key,
-      'pull_robot': user_view(self.pull_robot) if self.pull_robot else None,
-      'repository': {
-        'namespace': self.repository_namespace_user_username,
-        'name': self.repository_name
-      },
-      'error': self.error,
-    }
+        resp = {
+            "id": self.uuid,
+            "phase": self.phase,
+            "started": format_date(self.started),
+            "display_name": self.display_name,
+            "status": self.status or {},
+            "subdirectory": self.job_config.get("build_subdir", ""),
+            "dockerfile_path": self.job_config.get("build_subdir", ""),
+            "context": self.job_config.get("context", ""),
+            "tags": self.job_config.get("docker_tags", []),
+            "manual_user": self.job_config.get("manual_user", None),
+            "is_writer": self.can_write,
+            "trigger": self.trigger.to_dict(),
+            "trigger_metadata": self.job_config.get("trigger_metadata", None)
+            if self.can_read
+            else None,
+            "resource_key": self.resource_key,
+            "pull_robot": user_view(self.pull_robot) if self.pull_robot else None,
+            "repository": {
+                "namespace": self.repository_namespace_user_username,
+                "name": self.repository_name,
+            },
+            "error": self.error,
+        }
 
-    if self.can_write:
-      if self.resource_key is not None:
-        resp['archive_url'] = self.archive_url
-      elif self.job_config.get('archive_url', None):
-        resp['archive_url'] = self.job_config['archive_url']
+        if self.can_write:
+            if self.resource_key is not None:
+                resp["archive_url"] = self.archive_url
+            elif self.job_config.get("archive_url", None):
+                resp["archive_url"] = self.job_config["archive_url"]
 
-    return resp
+        return resp
 
 
-class Approval(namedtuple('Approval', ['approver', 'approval_type', 'approved_date', 'notes'])):
-  """
+class Approval(
+    namedtuple("Approval", ["approver", "approval_type", "approved_date", "notes"])
+):
+    """
   Approval represents whether a key has been approved or not
   :type approver: User
   :type approval_type: string
@@ -83,19 +99,32 @@ class Approval(namedtuple('Approval', ['approver', 'approval_type', 'approved_da
   :type notes: string
   """
 
-  def to_dict(self):
-    return {
-      'approver': self.approver.to_dict() if self.approver else None,
-      'approval_type': self.approval_type,
-      'approved_date': self.approved_date,
-      'notes': self.notes,
-    }
+    def to_dict(self):
+        return {
+            "approver": self.approver.to_dict() if self.approver else None,
+            "approval_type": self.approval_type,
+            "approved_date": self.approved_date,
+            "notes": self.notes,
+        }
 
 
 class ServiceKey(
-  namedtuple('ServiceKey', ['name', 'kid', 'service', 'jwk', 'metadata', 'created_date',
-                            'expiration_date', 'rotation_duration', 'approval'])):
-  """
+    namedtuple(
+        "ServiceKey",
+        [
+            "name",
+            "kid",
+            "service",
+            "jwk",
+            "metadata",
+            "created_date",
+            "expiration_date",
+            "rotation_duration",
+            "approval",
+        ],
+    )
+):
+    """
   ServiceKey is an apostille signing key
   :type name: string
   :type kid: int
@@ -109,22 +138,22 @@ class ServiceKey(
 
   """
 
-  def to_dict(self):
-    return {
-      'name': self.name,
-      'kid': self.kid,
-      'service': self.service,
-      'jwk': self.jwk,
-      'metadata': self.metadata,
-      'created_date': self.created_date,
-      'expiration_date': self.expiration_date,
-      'rotation_duration': self.rotation_duration,
-      'approval': self.approval.to_dict() if self.approval is not None else None,
-    }
+    def to_dict(self):
+        return {
+            "name": self.name,
+            "kid": self.kid,
+            "service": self.service,
+            "jwk": self.jwk,
+            "metadata": self.metadata,
+            "created_date": self.created_date,
+            "expiration_date": self.expiration_date,
+            "rotation_duration": self.rotation_duration,
+            "approval": self.approval.to_dict() if self.approval is not None else None,
+        }
 
 
-class User(namedtuple('User', ['username', 'email', 'verified', 'enabled', 'robot'])):
-  """
+class User(namedtuple("User", ["username", "email", "verified", "enabled", "robot"])):
+    """
   User represents a single user.
   :type username: string
   :type email: string
@@ -133,41 +162,38 @@ class User(namedtuple('User', ['username', 'email', 'verified', 'enabled', 'robo
   :type robot: User
   """
 
-  def to_dict(self):
-    user_data = {
-      'kind': 'user',
-      'name': self.username,
-      'username': self.username,
-      'email': self.email,
-      'verified': self.verified,
-      'enabled': self.enabled,
-    }
+    def to_dict(self):
+        user_data = {
+            "kind": "user",
+            "name": self.username,
+            "username": self.username,
+            "email": self.email,
+            "verified": self.verified,
+            "enabled": self.enabled,
+        }
 
-    return user_data
+        return user_data
 
 
-class Organization(namedtuple('Organization', ['username', 'email'])):
-  """
+class Organization(namedtuple("Organization", ["username", "email"])):
+    """
   Organization represents a single org.
   :type username: string
   :type email: string
   """
 
-  def to_dict(self):
-    return {
-      'name': self.username,
-      'email': self.email,
-    }
+    def to_dict(self):
+        return {"name": self.username, "email": self.email}
 
 
 @add_metaclass(ABCMeta)
 class SuperuserDataInterface(object):
-  """
+    """
   Interface that represents all data store interactions required by a superuser api.
   """
 
-  @abstractmethod
-  def list_all_service_keys(self):
-    """
+    @abstractmethod
+    def list_all_service_keys(self):
+        """
     Returns a list of service keys
     """
diff --git a/config_app/config_endpoints/api/superuser_models_pre_oci.py b/config_app/config_endpoints/api/superuser_models_pre_oci.py
index c35b94243..37864ceee 100644
--- a/config_app/config_endpoints/api/superuser_models_pre_oci.py
+++ b/config_app/config_endpoints/api/superuser_models_pre_oci.py
@@ -1,60 +1,85 @@
 from data import model
 
-from config_app.config_endpoints.api.superuser_models_interface import (SuperuserDataInterface, User, ServiceKey,
-                                                                        Approval)
+from config_app.config_endpoints.api.superuser_models_interface import (
+    SuperuserDataInterface,
+    User,
+    ServiceKey,
+    Approval,
+)
 
 
 def _create_user(user):
-  if user is None:
-    return None
-  return User(user.username, user.email, user.verified, user.enabled, user.robot)
+    if user is None:
+        return None
+    return User(user.username, user.email, user.verified, user.enabled, user.robot)
 
 
 def _create_key(key):
-  approval = None
-  if key.approval is not None:
-    approval = Approval(_create_user(key.approval.approver), key.approval.approval_type,
-                        key.approval.approved_date,
-                        key.approval.notes)
+    approval = None
+    if key.approval is not None:
+        approval = Approval(
+            _create_user(key.approval.approver),
+            key.approval.approval_type,
+            key.approval.approved_date,
+            key.approval.notes,
+        )
 
-  return ServiceKey(key.name, key.kid, key.service, key.jwk, key.metadata, key.created_date,
-                    key.expiration_date,
-                    key.rotation_duration, approval)
+    return ServiceKey(
+        key.name,
+        key.kid,
+        key.service,
+        key.jwk,
+        key.metadata,
+        key.created_date,
+        key.expiration_date,
+        key.rotation_duration,
+        approval,
+    )
 
 
 class ServiceKeyDoesNotExist(Exception):
-  pass
+    pass
 
 
 class ServiceKeyAlreadyApproved(Exception):
-  pass
+    pass
 
 
 class PreOCIModel(SuperuserDataInterface):
-  """
+    """
   PreOCIModel implements the data model for the SuperUser using a database schema
   before it was changed to support the OCI specification.
   """
 
-  def list_all_service_keys(self):
-    keys = model.service_keys.list_all_keys()
-    return [_create_key(key) for key in keys]
+    def list_all_service_keys(self):
+        keys = model.service_keys.list_all_keys()
+        return [_create_key(key) for key in keys]
 
-  def approve_service_key(self, kid, approval_type, notes=''):
-    try:
-      key = model.service_keys.approve_service_key(kid, approval_type, notes=notes)
-      return _create_key(key)
-    except model.ServiceKeyDoesNotExist:
-      raise ServiceKeyDoesNotExist
-    except model.ServiceKeyAlreadyApproved:
-      raise ServiceKeyAlreadyApproved
+    def approve_service_key(self, kid, approval_type, notes=""):
+        try:
+            key = model.service_keys.approve_service_key(
+                kid, approval_type, notes=notes
+            )
+            return _create_key(key)
+        except model.ServiceKeyDoesNotExist:
+            raise ServiceKeyDoesNotExist
+        except model.ServiceKeyAlreadyApproved:
+            raise ServiceKeyAlreadyApproved
 
-  def generate_service_key(self, service, expiration_date, kid=None, name='', metadata=None,
-                           rotation_duration=None):
-    (private_key, key) = model.service_keys.generate_service_key(service, expiration_date,
-                                                                 metadata=metadata, name=name)
+    def generate_service_key(
+        self,
+        service,
+        expiration_date,
+        kid=None,
+        name="",
+        metadata=None,
+        rotation_duration=None,
+    ):
+        (private_key, key) = model.service_keys.generate_service_key(
+            service, expiration_date, metadata=metadata, name=name
+        )
 
-    return private_key, key.kid
+        return private_key, key.kid
 
 
 pre_oci_model = PreOCIModel()
diff --git a/config_app/config_endpoints/api/tar_config_loader.py b/config_app/config_endpoints/api/tar_config_loader.py
index 8944d9092..06b57cb85 100644
--- a/config_app/config_endpoints/api/tar_config_loader.py
+++ b/config_app/config_endpoints/api/tar_config_loader.py
@@ -10,53 +10,59 @@ from data.database import configure
 
 from config_app.c_app import app, config_provider
 from config_app.config_endpoints.api import resource, ApiResource, nickname
-from config_app.config_util.tar import tarinfo_filter_partial, strip_absolute_path_and_add_trailing_dir
+from config_app.config_util.tar import (
+    tarinfo_filter_partial,
+    strip_absolute_path_and_add_trailing_dir,
+)
 
 
-@resource('/v1/configapp/initialization')
+@resource("/v1/configapp/initialization")
 class ConfigInitialization(ApiResource):
-  """
+    """
   Resource for dealing with any initialization logic for the config app
   """
 
-  @nickname('scStartNewConfig')
-  def post(self):
-    config_provider.new_config_dir()
-    return make_response('OK')
+    @nickname("scStartNewConfig")
+    def post(self):
+        config_provider.new_config_dir()
+        return make_response("OK")
 
 
-@resource('/v1/configapp/tarconfig')
+@resource("/v1/configapp/tarconfig")
 class TarConfigLoader(ApiResource):
-  """
+    """
   Resource for dealing with configuration as a tarball,
   including loading and generating functions
   """
 
-  @nickname('scGetConfigTarball')
-  def get(self):
-    config_path = config_provider.get_config_dir_path()
-    tar_dir_prefix = strip_absolute_path_and_add_trailing_dir(config_path)
-    temp = tempfile.NamedTemporaryFile()
+    @nickname("scGetConfigTarball")
+    def get(self):
+        config_path = config_provider.get_config_dir_path()
+        tar_dir_prefix = strip_absolute_path_and_add_trailing_dir(config_path)
+        temp = tempfile.NamedTemporaryFile()
 
-    with closing(tarfile.open(temp.name, mode="w|gz")) as tar:
-      for name in os.listdir(config_path):
-        tar.add(os.path.join(config_path, name), filter=tarinfo_filter_partial(tar_dir_prefix))
-    return send_file(temp.name, mimetype='application/gzip')
+        with closing(tarfile.open(temp.name, mode="w|gz")) as tar:
+            for name in os.listdir(config_path):
+                tar.add(
+                    os.path.join(config_path, name),
+                    filter=tarinfo_filter_partial(tar_dir_prefix),
+                )
+        return send_file(temp.name, mimetype="application/gzip")
 
-  @nickname('scUploadTarballConfig')
-  def put(self):
-    """ Loads tarball config into the config provider """
-    # Generate a new empty dir to load the config into
-    config_provider.new_config_dir()
-    input_stream = request.stream
-    with tarfile.open(mode="r|gz", fileobj=input_stream) as tar_stream:
-      tar_stream.extractall(config_provider.get_config_dir_path())
+    @nickname("scUploadTarballConfig")
+    def put(self):
+        """ Loads tarball config into the config provider """
+        # Generate a new empty dir to load the config into
+        config_provider.new_config_dir()
+        input_stream = request.stream
+        with tarfile.open(mode="r|gz", fileobj=input_stream) as tar_stream:
+            tar_stream.extractall(config_provider.get_config_dir_path())
 
-    config_provider.create_copy_of_config_dir()
+        config_provider.create_copy_of_config_dir()
 
-    # now try to connect to the db provided in their config to validate it works
-    combined = dict(**app.config)
-    combined.update(config_provider.get_config())
-    configure(combined)
+        # now try to connect to the db provided in their config to validate it works
+        combined = dict(**app.config)
+        combined.update(config_provider.get_config())
+        configure(combined)
 
-    return make_response('OK')
+        return make_response("OK")
diff --git a/config_app/config_endpoints/api/user.py b/config_app/config_endpoints/api/user.py
index 85008c87e..9ab787a47 100644
--- a/config_app/config_endpoints/api/user.py
+++ b/config_app/config_endpoints/api/user.py
@@ -3,12 +3,12 @@ from config_app.config_endpoints.api import resource, ApiResource, nickname
 from config_app.config_endpoints.api.superuser_models_interface import user_view
 
 
-@resource('/v1/user/')
+@resource("/v1/user/")
 class User(ApiResource):
-  """ Operations related to users. """
+    """ Operations related to users. """
 
-  @nickname('getLoggedInUser')
-  def get(self):
-    """ Get user information for the authenticated user. """
-    user = get_authenticated_user()
-    return user_view(user)
+    @nickname("getLoggedInUser")
+    def get(self):
+        """ Get user information for the authenticated user. """
+        user = get_authenticated_user()
+        return user_view(user)
diff --git a/config_app/config_endpoints/common.py b/config_app/config_endpoints/common.py
index c277f3b35..1cf874d5d 100644
--- a/config_app/config_endpoints/common.py
+++ b/config_app/config_endpoints/common.py
@@ -14,60 +14,72 @@ from config_app.config_util.k8sconfig import get_k8s_namespace
 
 
 def truthy_bool(param):
-  return param not in {False, 'false', 'False', '0', 'FALSE', '', 'null'}
+    return param not in {False, "false", "False", "0", "FALSE", "", "null"}
 
 
-DEFAULT_JS_BUNDLE_NAME = 'configapp'
-PARAM_REGEX = re.compile(r'<([^:>]+:)*([\w]+)>')
+DEFAULT_JS_BUNDLE_NAME = "configapp"
+PARAM_REGEX = re.compile(r"<([^:>]+:)*([\w]+)>")
 logger = logging.getLogger(__name__)
 TYPE_CONVERTER = {
-  truthy_bool: 'boolean',
-  str: 'string',
-  basestring: 'string',
-  reqparse.text_type: 'string',
-  int: 'integer',
+    truthy_bool: "boolean",
+    str: "string",
+    basestring: "string",
+    reqparse.text_type: "string",
+    int: "integer",
 }
 
 
 def _list_files(path, extension, contains=""):
-  """ Returns a list of all the files with the given extension found under the given path. """
+    """ Returns a list of all the files with the given extension found under the given path. """
 
-  def matches(f):
-    return os.path.splitext(f)[1] == '.' + extension and contains in os.path.splitext(f)[0]
+    def matches(f):
+        return (
+            os.path.splitext(f)[1] == "." + extension
+            and contains in os.path.splitext(f)[0]
+        )
 
-  def join_path(dp, f):
-    # Remove the static/ prefix. It is added in the template.
-    return os.path.join(dp, f)[len(ROOT_DIR) + 1 + len('config_app/static/'):]
+    def join_path(dp, f):
+        # Remove the static/ prefix. It is added in the template.
+        return os.path.join(dp, f)[len(ROOT_DIR) + 1 + len("config_app/static/") :]
 
-  filepath = os.path.join(os.path.join(ROOT_DIR, 'config_app/static/'), path)
-  return [join_path(dp, f) for dp, _, files in os.walk(filepath) for f in files if matches(f)]
+    filepath = os.path.join(os.path.join(ROOT_DIR, "config_app/static/"), path)
+    return [
+        join_path(dp, f)
+        for dp, _, files in os.walk(filepath)
+        for f in files
+        if matches(f)
+    ]
 
 
-FONT_AWESOME_4 = 'netdna.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.css'
+FONT_AWESOME_4 = "netdna.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.css"
 
 
-def render_page_template(name, route_data=None, js_bundle_name=DEFAULT_JS_BUNDLE_NAME, **kwargs):
-  """ Renders the page template with the given name as the response and returns its contents. """
-  main_scripts = _list_files('build', 'js', js_bundle_name)
+def render_page_template(
+    name, route_data=None, js_bundle_name=DEFAULT_JS_BUNDLE_NAME, **kwargs
+):
+    """ Renders the page template with the given name as the response and returns its contents. """
+    main_scripts = _list_files("build", "js", js_bundle_name)
 
-  use_cdn = os.getenv('TESTING') == 'true'
+    use_cdn = os.getenv("TESTING") == "true"
 
-  external_styles = get_external_css(local=not use_cdn, exclude=FONT_AWESOME_4)
-  external_scripts = get_external_javascript(local=not use_cdn)
+    external_styles = get_external_css(local=not use_cdn, exclude=FONT_AWESOME_4)
+    external_scripts = get_external_javascript(local=not use_cdn)
 
-  contents = render_template(name,
-                             route_data=route_data,
-                             main_scripts=main_scripts,
-                             external_styles=external_styles,
-                             external_scripts=external_scripts,
-                             config_set=frontend_visible_config(app.config),
-                             kubernetes_namespace=IS_KUBERNETES and get_k8s_namespace(),
-                             **kwargs)
+    contents = render_template(
+        name,
+        route_data=route_data,
+        main_scripts=main_scripts,
+        external_styles=external_styles,
+        external_scripts=external_scripts,
+        config_set=frontend_visible_config(app.config),
+        kubernetes_namespace=IS_KUBERNETES and get_k8s_namespace(),
+        **kwargs
+    )
 
-  resp = make_response(contents)
-  resp.headers['X-FRAME-OPTIONS'] = 'DENY'
-  return resp
+    resp = make_response(contents)
+    resp.headers["X-FRAME-OPTIONS"] = "DENY"
+    return resp
 
 
 def fully_qualified_name(method_view_class):
-  return '%s.%s' % (method_view_class.__module__, method_view_class.__name__)
+    return "%s.%s" % (method_view_class.__module__, method_view_class.__name__)
diff --git a/config_app/config_endpoints/exception.py b/config_app/config_endpoints/exception.py
index 7f7f75a41..03e29fba9 100644
--- a/config_app/config_endpoints/exception.py
+++ b/config_app/config_endpoints/exception.py
@@ -5,11 +5,11 @@ from werkzeug.exceptions import HTTPException
 
 
 class ApiErrorType(Enum):
-  invalid_request = 'invalid_request'
+    invalid_request = "invalid_request"
 
 
 class ApiException(HTTPException):
-  """
+    """
   Represents an error in the application/problem+json format.
 
   See: https://tools.ietf.org/html/rfc7807
@@ -31,36 +31,42 @@ class ApiException(HTTPException):
       information if dereferenced.
   """
 
-  def __init__(self, error_type, status_code, error_description, payload=None):
-    Exception.__init__(self)
-    self.error_description = error_description
-    self.code = status_code
-    self.payload = payload
-    self.error_type = error_type
-    self.data = self.to_dict()
+    def __init__(self, error_type, status_code, error_description, payload=None):
+        Exception.__init__(self)
+        self.error_description = error_description
+        self.code = status_code
+        self.payload = payload
+        self.error_type = error_type
+        self.data = self.to_dict()
 
-    super(ApiException, self).__init__(error_description, None)
+        super(ApiException, self).__init__(error_description, None)
 
-  def to_dict(self):
-    rv = dict(self.payload or ())
+    def to_dict(self):
+        rv = dict(self.payload or ())
 
-    if self.error_description is not None:
-      rv['detail'] = self.error_description
-      rv['error_message'] = self.error_description  # TODO: deprecate
+        if self.error_description is not None:
+            rv["detail"] = self.error_description
+            rv["error_message"] = self.error_description  # TODO: deprecate
 
-    rv['error_type'] = self.error_type.value  # TODO: deprecate
-    rv['title'] = self.error_type.value
-    rv['type'] = url_for('api.error', error_type=self.error_type.value, _external=True)
-    rv['status'] = self.code
+        rv["error_type"] = self.error_type.value  # TODO: deprecate
+        rv["title"] = self.error_type.value
+        rv["type"] = url_for(
+            "api.error", error_type=self.error_type.value, _external=True
+        )
+        rv["status"] = self.code
 
-    return rv
+        return rv
 
 
 class InvalidRequest(ApiException):
-  def __init__(self, error_description, payload=None):
-    ApiException.__init__(self, ApiErrorType.invalid_request, 400, error_description, payload)
+    def __init__(self, error_description, payload=None):
+        ApiException.__init__(
+            self, ApiErrorType.invalid_request, 400, error_description, payload
+        )
 
 
 class InvalidResponse(ApiException):
-  def __init__(self, error_description, payload=None):
-    ApiException.__init__(self, ApiErrorType.invalid_response, 400, error_description, payload)
+    def __init__(self, error_description, payload=None):
+        ApiException.__init__(
+            self, ApiErrorType.invalid_response, 400, error_description, payload
+        )
diff --git a/config_app/config_endpoints/setup_web.py b/config_app/config_endpoints/setup_web.py
index 32dda15e2..8db100705 100644
--- a/config_app/config_endpoints/setup_web.py
+++ b/config_app/config_endpoints/setup_web.py
@@ -5,19 +5,21 @@ from config_app.config_endpoints.common import render_page_template
 from config_app.config_endpoints.api.discovery import generate_route_data
 from config_app.config_endpoints.api import no_cache
 
-setup_web = Blueprint('setup_web', __name__, template_folder='templates')
+setup_web = Blueprint("setup_web", __name__, template_folder="templates")
 
 
 @lru_cache(maxsize=1)
 def _get_route_data():
-  return generate_route_data()
+    return generate_route_data()
 
 
 def render_page_template_with_routedata(name, *args, **kwargs):
-  return render_page_template(name, _get_route_data(), *args, **kwargs)
+    return render_page_template(name, _get_route_data(), *args, **kwargs)
 
 
 @no_cache
-@setup_web.route('/', methods=['GET'], defaults={'path': ''})
+@setup_web.route("/", methods=["GET"], defaults={"path": ""})
 def index(path, **kwargs):
-  return render_page_template_with_routedata('index.html', js_bundle_name='configapp', **kwargs)
+    return render_page_template_with_routedata(
+        "index.html", js_bundle_name="configapp", **kwargs
+    )
diff --git a/config_app/config_test/test_api_usage.py b/config_app/config_test/test_api_usage.py
index aa34b3495..4816e0aa5 100644
--- a/config_app/config_test/test_api_usage.py
+++ b/config_app/config_test/test_api_usage.py
@@ -5,204 +5,242 @@ from data import database, model
 from util.security.test.test_ssl_util import generate_test_cert
 
 from config_app.c_app import app
-from config_app.config_test import ApiTestCase, all_queues, ADMIN_ACCESS_USER, ADMIN_ACCESS_EMAIL
+from config_app.config_test import (
+    ApiTestCase,
+    all_queues,
+    ADMIN_ACCESS_USER,
+    ADMIN_ACCESS_EMAIL,
+)
 from config_app.config_endpoints.api import api_bp
-from config_app.config_endpoints.api.superuser import SuperUserCustomCertificate, SuperUserCustomCertificates
-from config_app.config_endpoints.api.suconfig import SuperUserConfig, SuperUserCreateInitialSuperUser, \
-  SuperUserConfigFile, SuperUserRegistryStatus
+from config_app.config_endpoints.api.superuser import (
+    SuperUserCustomCertificate,
+    SuperUserCustomCertificates,
+)
+from config_app.config_endpoints.api.suconfig import (
+    SuperUserConfig,
+    SuperUserCreateInitialSuperUser,
+    SuperUserConfigFile,
+    SuperUserRegistryStatus,
+)
 
 try:
-  app.register_blueprint(api_bp, url_prefix='/api')
+    app.register_blueprint(api_bp, url_prefix="/api")
 except ValueError:
-  # This blueprint was already registered
-  pass
+    # This blueprint was already registered
+    pass
 
 
 class TestSuperUserCreateInitialSuperUser(ApiTestCase):
-  def test_create_superuser(self):
-    data = {
-      'username': 'newsuper',
-      'password': 'password',
-      'email': 'jschorr+fake@devtable.com',
-    }
+    def test_create_superuser(self):
+        data = {
+            "username": "newsuper",
+            "password": "password",
+            "email": "jschorr+fake@devtable.com",
+        }
 
-    # Add some fake config.
-    fake_config = {
-      'AUTHENTICATION_TYPE': 'Database',
-      'SECRET_KEY': 'fakekey',
-    }
+        # Add some fake config.
+        fake_config = {"AUTHENTICATION_TYPE": "Database", "SECRET_KEY": "fakekey"}
 
-    self.putJsonResponse(SuperUserConfig, data=dict(config=fake_config, hostname='fakehost'))
+        self.putJsonResponse(
+            SuperUserConfig, data=dict(config=fake_config, hostname="fakehost")
+        )
 
-    # Try to write with config. Should 403 since there are users in the DB.
-    self.postResponse(SuperUserCreateInitialSuperUser, data=data, expected_code=403)
+        # Try to write with config. Should 403 since there are users in the DB.
+        self.postResponse(SuperUserCreateInitialSuperUser, data=data, expected_code=403)
 
-    # Delete all users in the DB.
-    for user in list(database.User.select()):
-      model.user.delete_user(user, all_queues)
+        # Delete all users in the DB.
+        for user in list(database.User.select()):
+            model.user.delete_user(user, all_queues)
 
-    # Create the superuser.
-    self.postJsonResponse(SuperUserCreateInitialSuperUser, data=data)
+        # Create the superuser.
+        self.postJsonResponse(SuperUserCreateInitialSuperUser, data=data)
 
-    # Ensure the user exists in the DB.
-    self.assertIsNotNone(model.user.get_user('newsuper'))
+        # Ensure the user exists in the DB.
+        self.assertIsNotNone(model.user.get_user("newsuper"))
 
-    # Ensure that the current user is a superuser in the config.
-    json = self.getJsonResponse(SuperUserConfig)
-    self.assertEquals(['newsuper'], json['config']['SUPER_USERS'])
+        # Ensure that the current user is a superuser in the config.
+        json = self.getJsonResponse(SuperUserConfig)
+        self.assertEquals(["newsuper"], json["config"]["SUPER_USERS"])
 
-    # Ensure that the current user is a superuser in memory by trying to call an API
-    # that will fail otherwise.
-    self.getResponse(SuperUserConfigFile, params=dict(filename='ssl.cert'))
+        # Ensure that the current user is a superuser in memory by trying to call an API
+        # that will fail otherwise.
+        self.getResponse(SuperUserConfigFile, params=dict(filename="ssl.cert"))
 
 
 class TestSuperUserConfig(ApiTestCase):
-  def test_get_status_update_config(self):
-    # With no config the status should be 'config-db'.
-    json = self.getJsonResponse(SuperUserRegistryStatus)
-    self.assertEquals('config-db', json['status'])
+    def test_get_status_update_config(self):
+        # With no config the status should be 'config-db'.
+        json = self.getJsonResponse(SuperUserRegistryStatus)
+        self.assertEquals("config-db", json["status"])
 
-    # Add some fake config.
-    fake_config = {
-      'AUTHENTICATION_TYPE': 'Database',
-      'SECRET_KEY': 'fakekey',
-    }
+        # Add some fake config.
+        fake_config = {"AUTHENTICATION_TYPE": "Database", "SECRET_KEY": "fakekey"}
 
-    json = self.putJsonResponse(SuperUserConfig, data=dict(config=fake_config,
-                                                           hostname='fakehost'))
-    self.assertEquals('fakekey', json['config']['SECRET_KEY'])
-    self.assertEquals('fakehost', json['config']['SERVER_HOSTNAME'])
-    self.assertEquals('Database', json['config']['AUTHENTICATION_TYPE'])
+        json = self.putJsonResponse(
+            SuperUserConfig, data=dict(config=fake_config, hostname="fakehost")
+        )
+        self.assertEquals("fakekey", json["config"]["SECRET_KEY"])
+        self.assertEquals("fakehost", json["config"]["SERVER_HOSTNAME"])
+        self.assertEquals("Database", json["config"]["AUTHENTICATION_TYPE"])
 
-    # With config the status should be 'setup-db'.
-    # TODO: fix this test
-    # json = self.getJsonResponse(SuperUserRegistryStatus)
-    # self.assertEquals('setup-db', json['status'])
+        # With config the status should be 'setup-db'.
+        # TODO: fix this test
+        # json = self.getJsonResponse(SuperUserRegistryStatus)
+        # self.assertEquals('setup-db', json['status'])
 
-  def test_config_file(self):
-    # Try for an invalid file. Should 404.
-    self.getResponse(SuperUserConfigFile, params=dict(filename='foobar'), expected_code=404)
+    def test_config_file(self):
+        # Try for an invalid file. Should 404.
+        self.getResponse(
+            SuperUserConfigFile, params=dict(filename="foobar"), expected_code=404
+        )
 
-    # Try for a valid filename. Should not exist.
-    json = self.getJsonResponse(SuperUserConfigFile, params=dict(filename='ssl.cert'))
-    self.assertFalse(json['exists'])
+        # Try for a valid filename. Should not exist.
+        json = self.getJsonResponse(
+            SuperUserConfigFile, params=dict(filename="ssl.cert")
+        )
+        self.assertFalse(json["exists"])
 
-    # Add the file.
-    self.postResponse(SuperUserConfigFile, params=dict(filename='ssl.cert'),
-                      file=(StringIO('my file contents'), 'ssl.cert'))
+        # Add the file.
+        self.postResponse(
+            SuperUserConfigFile,
+            params=dict(filename="ssl.cert"),
+            file=(StringIO("my file contents"), "ssl.cert"),
+        )
 
-    # Should now exist.
-    json = self.getJsonResponse(SuperUserConfigFile, params=dict(filename='ssl.cert'))
-    self.assertTrue(json['exists'])
+        # Should now exist.
+        json = self.getJsonResponse(
+            SuperUserConfigFile, params=dict(filename="ssl.cert")
+        )
+        self.assertTrue(json["exists"])
 
-  def test_update_with_external_auth(self):
-    # Run a mock LDAP.
-    mockldap = MockLdap({
-      'dc=quay,dc=io': {
-        'dc': ['quay', 'io']
-      },
-      'ou=employees,dc=quay,dc=io': {
-        'dc': ['quay', 'io'],
-        'ou': 'employees'
-      },
-      'uid=' + ADMIN_ACCESS_USER + ',ou=employees,dc=quay,dc=io': {
-        'dc': ['quay', 'io'],
-        'ou': 'employees',
-        'uid': [ADMIN_ACCESS_USER],
-        'userPassword': ['password'],
-        'mail': [ADMIN_ACCESS_EMAIL],
-      },
-    })
+    def test_update_with_external_auth(self):
+        # Run a mock LDAP.
+        mockldap = MockLdap(
+            {
+                "dc=quay,dc=io": {"dc": ["quay", "io"]},
+                "ou=employees,dc=quay,dc=io": {"dc": ["quay", "io"], "ou": "employees"},
+                "uid="
+                + ADMIN_ACCESS_USER
+                + ",ou=employees,dc=quay,dc=io": {
+                    "dc": ["quay", "io"],
+                    "ou": "employees",
+                    "uid": [ADMIN_ACCESS_USER],
+                    "userPassword": ["password"],
+                    "mail": [ADMIN_ACCESS_EMAIL],
+                },
+            }
+        )
 
-    config = {
-      'AUTHENTICATION_TYPE': 'LDAP',
-      'LDAP_BASE_DN': ['dc=quay', 'dc=io'],
-      'LDAP_ADMIN_DN': 'uid=devtable,ou=employees,dc=quay,dc=io',
-      'LDAP_ADMIN_PASSWD': 'password',
-      'LDAP_USER_RDN': ['ou=employees'],
-      'LDAP_UID_ATTR': 'uid',
-      'LDAP_EMAIL_ATTR': 'mail',
-    }
+        config = {
+            "AUTHENTICATION_TYPE": "LDAP",
+            "LDAP_BASE_DN": ["dc=quay", "dc=io"],
+            "LDAP_ADMIN_DN": "uid=devtable,ou=employees,dc=quay,dc=io",
+            "LDAP_ADMIN_PASSWD": "password",
+            "LDAP_USER_RDN": ["ou=employees"],
+            "LDAP_UID_ATTR": "uid",
+            "LDAP_EMAIL_ATTR": "mail",
+        }
 
-    mockldap.start()
-    try:
-      # Write the config with the valid password.
-      self.putResponse(SuperUserConfig,
-                       data={'config': config,
-                             'password': 'password',
-                             'hostname': 'foo'}, expected_code=200)
+        mockldap.start()
+        try:
+            # Write the config with the valid password.
+            self.putResponse(
+                SuperUserConfig,
+                data={"config": config, "password": "password", "hostname": "foo"},
+                expected_code=200,
+            )
+
+            # Ensure that the user row has been linked.
+            # TODO: fix this test
+            # self.assertEquals(ADMIN_ACCESS_USER,
+            #                   model.user.verify_federated_login('ldap', ADMIN_ACCESS_USER).username)
+        finally:
+            mockldap.stop()
 
-      # Ensure that the user row has been linked.
-      # TODO: fix this test
-      # self.assertEquals(ADMIN_ACCESS_USER,
-      #                   model.user.verify_federated_login('ldap', ADMIN_ACCESS_USER).username)
-    finally:
-      mockldap.stop()
 
 class TestSuperUserCustomCertificates(ApiTestCase):
-  def test_custom_certificates(self):
+    def test_custom_certificates(self):
 
-    # Upload a certificate.
-    cert_contents, _ = generate_test_cert(hostname='somecoolhost', san_list=['DNS:bar', 'DNS:baz'])
-    self.postResponse(SuperUserCustomCertificate, params=dict(certpath='testcert.crt'),
-                      file=(StringIO(cert_contents), 'testcert.crt'), expected_code=204)
+        # Upload a certificate.
+        cert_contents, _ = generate_test_cert(
+            hostname="somecoolhost", san_list=["DNS:bar", "DNS:baz"]
+        )
+        self.postResponse(
+            SuperUserCustomCertificate,
+            params=dict(certpath="testcert.crt"),
+            file=(StringIO(cert_contents), "testcert.crt"),
+            expected_code=204,
+        )
 
-    # Make sure it is present.
-    json = self.getJsonResponse(SuperUserCustomCertificates)
-    self.assertEquals(1, len(json['certs']))
+        # Make sure it is present.
+        json = self.getJsonResponse(SuperUserCustomCertificates)
+        self.assertEquals(1, len(json["certs"]))
 
-    cert_info = json['certs'][0]
-    self.assertEquals('testcert.crt', cert_info['path'])
+        cert_info = json["certs"][0]
+        self.assertEquals("testcert.crt", cert_info["path"])
 
-    self.assertEquals(set(['somecoolhost', 'bar', 'baz']), set(cert_info['names']))
-    self.assertFalse(cert_info['expired'])
+        self.assertEquals(set(["somecoolhost", "bar", "baz"]), set(cert_info["names"]))
+        self.assertFalse(cert_info["expired"])
 
-    # Remove the certificate.
-    self.deleteResponse(SuperUserCustomCertificate, params=dict(certpath='testcert.crt'))
+        # Remove the certificate.
+        self.deleteResponse(
+            SuperUserCustomCertificate, params=dict(certpath="testcert.crt")
+        )
 
-    # Make sure it is gone.
-    json = self.getJsonResponse(SuperUserCustomCertificates)
-    self.assertEquals(0, len(json['certs']))
+        # Make sure it is gone.
+        json = self.getJsonResponse(SuperUserCustomCertificates)
+        self.assertEquals(0, len(json["certs"]))
 
-  def test_expired_custom_certificate(self):
-    # Upload a certificate.
-    cert_contents, _ = generate_test_cert(hostname='somecoolhost', expires=-10)
-    self.postResponse(SuperUserCustomCertificate, params=dict(certpath='testcert.crt'),
-                      file=(StringIO(cert_contents), 'testcert.crt'), expected_code=204)
+    def test_expired_custom_certificate(self):
+        # Upload a certificate.
+        cert_contents, _ = generate_test_cert(hostname="somecoolhost", expires=-10)
+        self.postResponse(
+            SuperUserCustomCertificate,
+            params=dict(certpath="testcert.crt"),
+            file=(StringIO(cert_contents), "testcert.crt"),
+            expected_code=204,
+        )
 
-    # Make sure it is present.
-    json = self.getJsonResponse(SuperUserCustomCertificates)
-    self.assertEquals(1, len(json['certs']))
+        # Make sure it is present.
+        json = self.getJsonResponse(SuperUserCustomCertificates)
+        self.assertEquals(1, len(json["certs"]))
 
-    cert_info = json['certs'][0]
-    self.assertEquals('testcert.crt', cert_info['path'])
+        cert_info = json["certs"][0]
+        self.assertEquals("testcert.crt", cert_info["path"])
 
-    self.assertEquals(set(['somecoolhost']), set(cert_info['names']))
-    self.assertTrue(cert_info['expired'])
+        self.assertEquals(set(["somecoolhost"]), set(cert_info["names"]))
+        self.assertTrue(cert_info["expired"])
 
-  def test_invalid_custom_certificate(self):
-    # Upload an invalid certificate.
-    self.postResponse(SuperUserCustomCertificate, params=dict(certpath='testcert.crt'),
-                      file=(StringIO('some contents'), 'testcert.crt'), expected_code=204)
+    def test_invalid_custom_certificate(self):
+        # Upload an invalid certificate.
+        self.postResponse(
+            SuperUserCustomCertificate,
+            params=dict(certpath="testcert.crt"),
+            file=(StringIO("some contents"), "testcert.crt"),
+            expected_code=204,
+        )
 
-    # Make sure it is present but invalid.
-    json = self.getJsonResponse(SuperUserCustomCertificates)
-    self.assertEquals(1, len(json['certs']))
+        # Make sure it is present but invalid.
+        json = self.getJsonResponse(SuperUserCustomCertificates)
+        self.assertEquals(1, len(json["certs"]))
 
-    cert_info = json['certs'][0]
-    self.assertEquals('testcert.crt', cert_info['path'])
-    self.assertEquals('no start line', cert_info['error'])
+        cert_info = json["certs"][0]
+        self.assertEquals("testcert.crt", cert_info["path"])
+        self.assertEquals("no start line", cert_info["error"])
 
-  def test_path_sanitization(self):
-    # Upload a certificate.
-    cert_contents, _ = generate_test_cert(hostname='somecoolhost', expires=-10)
-    self.postResponse(SuperUserCustomCertificate, params=dict(certpath='testcert/../foobar.crt'),
-                      file=(StringIO(cert_contents), 'testcert/../foobar.crt'), expected_code=204)
+    def test_path_sanitization(self):
+        # Upload a certificate.
+        cert_contents, _ = generate_test_cert(hostname="somecoolhost", expires=-10)
+        self.postResponse(
+            SuperUserCustomCertificate,
+            params=dict(certpath="testcert/../foobar.crt"),
+            file=(StringIO(cert_contents), "testcert/../foobar.crt"),
+            expected_code=204,
+        )
 
-    # Make sure it is present.
-    json = self.getJsonResponse(SuperUserCustomCertificates)
-    self.assertEquals(1, len(json['certs']))
-
-    cert_info = json['certs'][0]
-    self.assertEquals('foobar.crt', cert_info['path'])
+        # Make sure it is present.
+        json = self.getJsonResponse(SuperUserCustomCertificates)
+        self.assertEquals(1, len(json["certs"]))
 
+        cert_info = json["certs"][0]
+        self.assertEquals("foobar.crt", cert_info["path"])
diff --git a/config_app/config_test/test_suconfig_api.py b/config_app/config_test/test_suconfig_api.py
index 408b96a8b..a805e6421 100644
--- a/config_app/config_test/test_suconfig_api.py
+++ b/config_app/config_test/test_suconfig_api.py
@@ -4,176 +4,235 @@ import mock
 from data.database import User
 from data import model
 
-from config_app.config_endpoints.api.suconfig import SuperUserConfig, SuperUserConfigValidate, SuperUserConfigFile, \
-  SuperUserRegistryStatus, SuperUserCreateInitialSuperUser
+from config_app.config_endpoints.api.suconfig import (
+    SuperUserConfig,
+    SuperUserConfigValidate,
+    SuperUserConfigFile,
+    SuperUserRegistryStatus,
+    SuperUserCreateInitialSuperUser,
+)
 from config_app.config_endpoints.api import api_bp
 from config_app.config_test import ApiTestCase, READ_ACCESS_USER, ADMIN_ACCESS_USER
 from config_app.c_app import app, config_provider
 
 try:
-  app.register_blueprint(api_bp, url_prefix='/api')
+    app.register_blueprint(api_bp, url_prefix="/api")
 except ValueError:
-  # This blueprint was already registered
-  pass
+    # This blueprint was already registered
+    pass
 
 # OVERRIDES FROM PORTING FROM OLD APP:
-all_queues = [] # the config app doesn't have any queues
+all_queues = []  # the config app doesn't have any queues
+
 
 class FreshConfigProvider(object):
-  def __enter__(self):
-    config_provider.reset_for_test()
-    return config_provider
+    def __enter__(self):
+        config_provider.reset_for_test()
+        return config_provider
 
-  def __exit__(self, type, value, traceback):
-    config_provider.reset_for_test()
+    def __exit__(self, type, value, traceback):
+        config_provider.reset_for_test()
 
 
 class TestSuperUserRegistryStatus(ApiTestCase):
-  def test_registry_status_no_config(self):
-    with FreshConfigProvider():
-      json = self.getJsonResponse(SuperUserRegistryStatus)
-      self.assertEquals('config-db', json['status'])
+    def test_registry_status_no_config(self):
+        with FreshConfigProvider():
+            json = self.getJsonResponse(SuperUserRegistryStatus)
+            self.assertEquals("config-db", json["status"])
 
-  @mock.patch("config_app.config_endpoints.api.suconfig.database_is_valid", mock.Mock(return_value=False))
-  def test_registry_status_no_database(self):
-    with FreshConfigProvider():
-      config_provider.save_config({'key': 'value'})
-      json = self.getJsonResponse(SuperUserRegistryStatus)
-      self.assertEquals('setup-db', json['status'])
+    @mock.patch(
+        "config_app.config_endpoints.api.suconfig.database_is_valid",
+        mock.Mock(return_value=False),
+    )
+    def test_registry_status_no_database(self):
+        with FreshConfigProvider():
+            config_provider.save_config({"key": "value"})
+            json = self.getJsonResponse(SuperUserRegistryStatus)
+            self.assertEquals("setup-db", json["status"])
 
-  @mock.patch("config_app.config_endpoints.api.suconfig.database_is_valid", mock.Mock(return_value=True))
-  def test_registry_status_db_has_superuser(self):
-    with FreshConfigProvider():
-      config_provider.save_config({'key': 'value'})
-      json = self.getJsonResponse(SuperUserRegistryStatus)
-      self.assertEquals('config', json['status'])
+    @mock.patch(
+        "config_app.config_endpoints.api.suconfig.database_is_valid",
+        mock.Mock(return_value=True),
+    )
+    def test_registry_status_db_has_superuser(self):
+        with FreshConfigProvider():
+            config_provider.save_config({"key": "value"})
+            json = self.getJsonResponse(SuperUserRegistryStatus)
+            self.assertEquals("config", json["status"])
 
-  @mock.patch("config_app.config_endpoints.api.suconfig.database_is_valid", mock.Mock(return_value=True))
-  @mock.patch("config_app.config_endpoints.api.suconfig.database_has_users", mock.Mock(return_value=False))
-  def test_registry_status_db_no_superuser(self):
-    with FreshConfigProvider():
-      config_provider.save_config({'key': 'value'})
-      json = self.getJsonResponse(SuperUserRegistryStatus)
-      self.assertEquals('create-superuser', json['status'])
+    @mock.patch(
+        "config_app.config_endpoints.api.suconfig.database_is_valid",
+        mock.Mock(return_value=True),
+    )
+    @mock.patch(
+        "config_app.config_endpoints.api.suconfig.database_has_users",
+        mock.Mock(return_value=False),
+    )
+    def test_registry_status_db_no_superuser(self):
+        with FreshConfigProvider():
+            config_provider.save_config({"key": "value"})
+            json = self.getJsonResponse(SuperUserRegistryStatus)
+            self.assertEquals("create-superuser", json["status"])
+
+    @mock.patch(
+        "config_app.config_endpoints.api.suconfig.database_is_valid",
+        mock.Mock(return_value=True),
+    )
+    @mock.patch(
+        "config_app.config_endpoints.api.suconfig.database_has_users",
+        mock.Mock(return_value=True),
+    )
+    def test_registry_status_setup_complete(self):
+        with FreshConfigProvider():
+            config_provider.save_config({"key": "value", "SETUP_COMPLETE": True})
+            json = self.getJsonResponse(SuperUserRegistryStatus)
+            self.assertEquals("config", json["status"])
 
-  @mock.patch("config_app.config_endpoints.api.suconfig.database_is_valid", mock.Mock(return_value=True))
-  @mock.patch("config_app.config_endpoints.api.suconfig.database_has_users", mock.Mock(return_value=True))
-  def test_registry_status_setup_complete(self):
-    with FreshConfigProvider():
-      config_provider.save_config({'key': 'value', 'SETUP_COMPLETE': True})
-      json = self.getJsonResponse(SuperUserRegistryStatus)
-      self.assertEquals('config', json['status'])
 
 class TestSuperUserConfigFile(ApiTestCase):
-  def test_get_superuser_invalid_filename(self):
-    with FreshConfigProvider():
-      self.getResponse(SuperUserConfigFile, params=dict(filename='somefile'), expected_code=404)
+    def test_get_superuser_invalid_filename(self):
+        with FreshConfigProvider():
+            self.getResponse(
+                SuperUserConfigFile, params=dict(filename="somefile"), expected_code=404
+            )
 
-  def test_get_superuser(self):
-    with FreshConfigProvider():
-      result = self.getJsonResponse(SuperUserConfigFile, params=dict(filename='ssl.cert'))
-      self.assertFalse(result['exists'])
+    def test_get_superuser(self):
+        with FreshConfigProvider():
+            result = self.getJsonResponse(
+                SuperUserConfigFile, params=dict(filename="ssl.cert")
+            )
+            self.assertFalse(result["exists"])
 
-  def test_post_no_file(self):
-    with FreshConfigProvider():
-      # No file
-      self.postResponse(SuperUserConfigFile, params=dict(filename='ssl.cert'), expected_code=400)
+    def test_post_no_file(self):
+        with FreshConfigProvider():
+            # No file
+            self.postResponse(
+                SuperUserConfigFile, params=dict(filename="ssl.cert"), expected_code=400
+            )
 
-  def test_post_superuser_invalid_filename(self):
-    with FreshConfigProvider():
-      self.postResponse(SuperUserConfigFile, params=dict(filename='somefile'), expected_code=404)
+    def test_post_superuser_invalid_filename(self):
+        with FreshConfigProvider():
+            self.postResponse(
+                SuperUserConfigFile, params=dict(filename="somefile"), expected_code=404
+            )
 
-  def test_post_superuser(self):
-    with FreshConfigProvider():
-      self.postResponse(SuperUserConfigFile, params=dict(filename='ssl.cert'), expected_code=400)
+    def test_post_superuser(self):
+        with FreshConfigProvider():
+            self.postResponse(
+                SuperUserConfigFile, params=dict(filename="ssl.cert"), expected_code=400
+            )
 
 
 class TestSuperUserCreateInitialSuperUser(ApiTestCase):
-  def test_no_config_file(self):
-    with FreshConfigProvider():
-      # If there is no config.yaml, then this method should security fail.
-      data = dict(username='cooluser', password='password', email='fake@example.com')
-      self.postResponse(SuperUserCreateInitialSuperUser, data=data, expected_code=403)
+    def test_no_config_file(self):
+        with FreshConfigProvider():
+            # If there is no config.yaml, then this method should security fail.
+            data = dict(
+                username="cooluser", password="password", email="fake@example.com"
+            )
+            self.postResponse(
+                SuperUserCreateInitialSuperUser, data=data, expected_code=403
+            )
 
-  def test_config_file_with_db_users(self):
-    with FreshConfigProvider():
-      # Write some config.
-      self.putJsonResponse(SuperUserConfig, data=dict(config={}, hostname='foobar'))
+    def test_config_file_with_db_users(self):
+        with FreshConfigProvider():
+            # Write some config.
+            self.putJsonResponse(
+                SuperUserConfig, data=dict(config={}, hostname="foobar")
+            )
 
-      # If there is a config.yaml, but existing DB users exist, then this method should security
-      # fail.
-      data = dict(username='cooluser', password='password', email='fake@example.com')
-      self.postResponse(SuperUserCreateInitialSuperUser, data=data, expected_code=403)
+            # If there is a config.yaml, but existing DB users exist, then this method should security
+            # fail.
+            data = dict(
+                username="cooluser", password="password", email="fake@example.com"
+            )
+            self.postResponse(
+                SuperUserCreateInitialSuperUser, data=data, expected_code=403
+            )
 
-  def test_config_file_with_no_db_users(self):
-    with FreshConfigProvider():
-      # Write some config.
-      self.putJsonResponse(SuperUserConfig, data=dict(config={}, hostname='foobar'))
+    def test_config_file_with_no_db_users(self):
+        with FreshConfigProvider():
+            # Write some config.
+            self.putJsonResponse(
+                SuperUserConfig, data=dict(config={}, hostname="foobar")
+            )
 
-      # Delete all the users in the DB.
-      for user in list(User.select()):
-        model.user.delete_user(user, all_queues)
+            # Delete all the users in the DB.
+            for user in list(User.select()):
+                model.user.delete_user(user, all_queues)
 
-      # This method should now succeed.
-      data = dict(username='cooluser', password='password', email='fake@example.com')
-      result = self.postJsonResponse(SuperUserCreateInitialSuperUser, data=data)
-      self.assertTrue(result['status'])
+            # This method should now succeed.
+            data = dict(
+                username="cooluser", password="password", email="fake@example.com"
+            )
+            result = self.postJsonResponse(SuperUserCreateInitialSuperUser, data=data)
+            self.assertTrue(result["status"])
 
-      # Verify the superuser was created.
-      User.get(User.username == 'cooluser')
+            # Verify the superuser was created.
+            User.get(User.username == "cooluser")
 
-      # Verify the superuser was placed into the config.
-      result = self.getJsonResponse(SuperUserConfig)
-      self.assertEquals(['cooluser'], result['config']['SUPER_USERS'])
+            # Verify the superuser was placed into the config.
+            result = self.getJsonResponse(SuperUserConfig)
+            self.assertEquals(["cooluser"], result["config"]["SUPER_USERS"])
 
 
 class TestSuperUserConfigValidate(ApiTestCase):
-  def test_nonsuperuser_noconfig(self):
-    with FreshConfigProvider():
-      result = self.postJsonResponse(SuperUserConfigValidate, params=dict(service='someservice'),
-                                                              data=dict(config={}))
+    def test_nonsuperuser_noconfig(self):
+        with FreshConfigProvider():
+            result = self.postJsonResponse(
+                SuperUserConfigValidate,
+                params=dict(service="someservice"),
+                data=dict(config={}),
+            )
 
-      self.assertFalse(result['status'])
+            self.assertFalse(result["status"])
 
+    def test_nonsuperuser_config(self):
+        with FreshConfigProvider():
+            # The validate config call works if there is no config.yaml OR the user is a superuser.
+            # Add a config, and verify it breaks when unauthenticated.
+            json = self.putJsonResponse(
+                SuperUserConfig, data=dict(config={}, hostname="foobar")
+            )
+            self.assertTrue(json["exists"])
 
-  def test_nonsuperuser_config(self):
-    with FreshConfigProvider():
-      # The validate config call works if there is no config.yaml OR the user is a superuser.
-      # Add a config, and verify it breaks when unauthenticated.
-      json = self.putJsonResponse(SuperUserConfig, data=dict(config={}, hostname='foobar'))
-      self.assertTrue(json['exists'])
+            result = self.postJsonResponse(
+                SuperUserConfigValidate,
+                params=dict(service="someservice"),
+                data=dict(config={}),
+            )
 
-
-      result = self.postJsonResponse(SuperUserConfigValidate, params=dict(service='someservice'),
-                                                              data=dict(config={}))
-
-      self.assertFalse(result['status'])
+            self.assertFalse(result["status"])
 
 
 class TestSuperUserConfig(ApiTestCase):
-  def test_get_superuser(self):
-    with FreshConfigProvider():
-      json = self.getJsonResponse(SuperUserConfig)
+    def test_get_superuser(self):
+        with FreshConfigProvider():
+            json = self.getJsonResponse(SuperUserConfig)
 
-      # Note: We expect the config to be none because a config.yaml should never be checked into
-      # the directory.
-      self.assertIsNone(json['config'])
+            # Note: We expect the config to be none because a config.yaml should never be checked into
+            # the directory.
+            self.assertIsNone(json["config"])
 
-  def test_put(self):
-    with FreshConfigProvider() as config:
-      json = self.putJsonResponse(SuperUserConfig, data=dict(config={}, hostname='foobar'))
-      self.assertTrue(json['exists'])
+    def test_put(self):
+        with FreshConfigProvider() as config:
+            json = self.putJsonResponse(
+                SuperUserConfig, data=dict(config={}, hostname="foobar")
+            )
+            self.assertTrue(json["exists"])
 
-      # Verify the config file exists.
-      self.assertTrue(config.config_exists())
+            # Verify the config file exists.
+            self.assertTrue(config.config_exists())
 
-      # This should succeed.
-      json = self.putJsonResponse(SuperUserConfig, data=dict(config={}, hostname='barbaz'))
-      self.assertTrue(json['exists'])
+            # This should succeed.
+            json = self.putJsonResponse(
+                SuperUserConfig, data=dict(config={}, hostname="barbaz")
+            )
+            self.assertTrue(json["exists"])
 
-      json = self.getJsonResponse(SuperUserConfig)
-      self.assertIsNotNone(json['config'])
+            json = self.getJsonResponse(SuperUserConfig)
+            self.assertIsNotNone(json["config"])
 
 
-if __name__ == '__main__':
-  unittest.main()
+if __name__ == "__main__":
+    unittest.main()
diff --git a/config_app/config_util/config/TransientDirectoryProvider.py b/config_app/config_util/config/TransientDirectoryProvider.py
index 5ac685592..a8be2710d 100644
--- a/config_app/config_util/config/TransientDirectoryProvider.py
+++ b/config_app/config_util/config/TransientDirectoryProvider.py
@@ -5,58 +5,63 @@ from backports.tempfile import TemporaryDirectory
 
 from config_app.config_util.config.fileprovider import FileConfigProvider
 
-OLD_CONFIG_SUBDIR = 'old/'
+OLD_CONFIG_SUBDIR = "old/"
+
 
 class TransientDirectoryProvider(FileConfigProvider):
-  """ Implementation of the config provider that reads and writes the data
+    """ Implementation of the config provider that reads and writes the data
       from/to the file system, only using temporary directories,
       deleting old dirs and creating new ones as requested.
   """
 
-  def __init__(self, config_volume, yaml_filename, py_filename):
-    # Create a temp directory that will be cleaned up when we change the config path
-    # This should ensure we have no "pollution" of different configs:
-    # no uploaded config should ever affect subsequent config modifications/creations
-    temp_dir = TemporaryDirectory()
-    self.temp_dir = temp_dir
-    self.old_config_dir = None
-    super(TransientDirectoryProvider, self).__init__(temp_dir.name, yaml_filename, py_filename)
+    def __init__(self, config_volume, yaml_filename, py_filename):
+        # Create a temp directory that will be cleaned up when we change the config path
+        # This should ensure we have no "pollution" of different configs:
+        # no uploaded config should ever affect subsequent config modifications/creations
+        temp_dir = TemporaryDirectory()
+        self.temp_dir = temp_dir
+        self.old_config_dir = None
+        super(TransientDirectoryProvider, self).__init__(
+            temp_dir.name, yaml_filename, py_filename
+        )
 
-  @property
-  def provider_id(self):
-    return 'transient'
+    @property
+    def provider_id(self):
+        return "transient"
 
-  def new_config_dir(self):
-    """
+    def new_config_dir(self):
+        """
     Update the path with a new temporary directory, deleting the old one in the process
     """
-    self.temp_dir.cleanup()
-    temp_dir = TemporaryDirectory()
+        self.temp_dir.cleanup()
+        temp_dir = TemporaryDirectory()
 
-    self.config_volume = temp_dir.name
-    self.temp_dir = temp_dir
-    self.yaml_path = os.path.join(temp_dir.name, self.yaml_filename)
+        self.config_volume = temp_dir.name
+        self.temp_dir = temp_dir
+        self.yaml_path = os.path.join(temp_dir.name, self.yaml_filename)
 
-  def create_copy_of_config_dir(self):
-    """
+    def create_copy_of_config_dir(self):
+        """
     Create a directory to store loaded/populated configuration (for rollback if necessary)
     """
-    if self.old_config_dir is not None:
-      self.old_config_dir.cleanup()
+        if self.old_config_dir is not None:
+            self.old_config_dir.cleanup()
 
-    temp_dir = TemporaryDirectory()
-    self.old_config_dir = temp_dir
+        temp_dir = TemporaryDirectory()
+        self.old_config_dir = temp_dir
 
-    # Python 2.7's shutil.copy() doesn't allow for copying to existing directories,
-    # so when copying/reading to the old saved config, we have to talk to a subdirectory,
-    # and use the shutil.copytree() function
-    copytree(self.config_volume, os.path.join(temp_dir.name, OLD_CONFIG_SUBDIR))
+        # Python 2.7's shutil.copy() doesn't allow for copying to existing directories,
+        # so when copying/reading to the old saved config, we have to talk to a subdirectory,
+        # and use the shutil.copytree() function
+        copytree(self.config_volume, os.path.join(temp_dir.name, OLD_CONFIG_SUBDIR))
 
-  def get_config_dir_path(self):
-    return self.config_volume
+    def get_config_dir_path(self):
+        return self.config_volume
 
-  def get_old_config_dir(self):
-    if self.old_config_dir is None:
-      raise Exception('Cannot return a configuration that  was no old configuration')
+    def get_old_config_dir(self):
+        if self.old_config_dir is None:
+            raise Exception(
+                "Cannot return a configuration that  was no old configuration"
+            )
 
-    return os.path.join(self.old_config_dir.name, OLD_CONFIG_SUBDIR)
+        return os.path.join(self.old_config_dir.name, OLD_CONFIG_SUBDIR)
diff --git a/config_app/config_util/config/__init__.py b/config_app/config_util/config/__init__.py
index d39d0ea1c..7429d17cf 100644
--- a/config_app/config_util/config/__init__.py
+++ b/config_app/config_util/config/__init__.py
@@ -3,37 +3,40 @@ import os
 
 from config_app.config_util.config.fileprovider import FileConfigProvider
 from config_app.config_util.config.testprovider import TestConfigProvider
-from config_app.config_util.config.TransientDirectoryProvider import TransientDirectoryProvider
+from config_app.config_util.config.TransientDirectoryProvider import (
+    TransientDirectoryProvider,
+)
 from util.config.validator import EXTRA_CA_DIRECTORY, EXTRA_CA_DIRECTORY_PREFIX
 
 
 def get_config_provider(config_volume, yaml_filename, py_filename, testing=False):
-  """ Loads and returns the config provider for the current environment. """
+    """ Loads and returns the config provider for the current environment. """
 
-  if testing:
-    return TestConfigProvider()
+    if testing:
+        return TestConfigProvider()
 
-  return TransientDirectoryProvider(config_volume, yaml_filename, py_filename)
+    return TransientDirectoryProvider(config_volume, yaml_filename, py_filename)
 
 
 def get_config_as_kube_secret(config_path):
-  data = {}
+    data = {}
 
-  # Kubernetes secrets don't have sub-directories, so for the extra_ca_certs dir
-  # we have to put the extra certs in with a prefix, and then one of our init scripts
-  # (02_get_kube_certs.sh) will expand the prefixed certs into the equivalent directory
-  # so that they'll be installed correctly on startup by the certs_install script
-  certs_dir = os.path.join(config_path,  EXTRA_CA_DIRECTORY)
-  if os.path.exists(certs_dir):
-    for extra_cert in os.listdir(certs_dir):
-      with open(os.path.join(certs_dir, extra_cert)) as f:
-        data[EXTRA_CA_DIRECTORY_PREFIX + extra_cert] = base64.b64encode(f.read())
+    # Kubernetes secrets don't have sub-directories, so for the extra_ca_certs dir
+    # we have to put the extra certs in with a prefix, and then one of our init scripts
+    # (02_get_kube_certs.sh) will expand the prefixed certs into the equivalent directory
+    # so that they'll be installed correctly on startup by the certs_install script
+    certs_dir = os.path.join(config_path, EXTRA_CA_DIRECTORY)
+    if os.path.exists(certs_dir):
+        for extra_cert in os.listdir(certs_dir):
+            with open(os.path.join(certs_dir, extra_cert)) as f:
+                data[EXTRA_CA_DIRECTORY_PREFIX + extra_cert] = base64.b64encode(
+                    f.read()
+                )
 
+    for name in os.listdir(config_path):
+        file_path = os.path.join(config_path, name)
+        if not os.path.isdir(file_path):
+            with open(file_path) as f:
+                data[name] = base64.b64encode(f.read())
 
-  for name in os.listdir(config_path):
-    file_path = os.path.join(config_path, name)
-    if not os.path.isdir(file_path):
-      with open(file_path) as f:
-        data[name] = base64.b64encode(f.read())
-
-  return data
+    return data
diff --git a/config_app/config_util/config/basefileprovider.py b/config_app/config_util/config/basefileprovider.py
index caf231321..ac78000d9 100644
--- a/config_app/config_util/config/basefileprovider.py
+++ b/config_app/config_util/config/basefileprovider.py
@@ -1,72 +1,76 @@
 import os
 import logging
 
-from config_app.config_util.config.baseprovider import (BaseProvider, import_yaml, export_yaml,
-                                                        CannotWriteConfigException)
+from config_app.config_util.config.baseprovider import (
+    BaseProvider,
+    import_yaml,
+    export_yaml,
+    CannotWriteConfigException,
+)
 
 logger = logging.getLogger(__name__)
 
 
 class BaseFileProvider(BaseProvider):
-  """ Base implementation of the config provider that reads the data from the file system. """
+    """ Base implementation of the config provider that reads the data from the file system. """
 
-  def __init__(self, config_volume, yaml_filename, py_filename):
-    self.config_volume = config_volume
-    self.yaml_filename = yaml_filename
-    self.py_filename = py_filename
+    def __init__(self, config_volume, yaml_filename, py_filename):
+        self.config_volume = config_volume
+        self.yaml_filename = yaml_filename
+        self.py_filename = py_filename
 
-    self.yaml_path = os.path.join(config_volume, yaml_filename)
-    self.py_path = os.path.join(config_volume, py_filename)
+        self.yaml_path = os.path.join(config_volume, yaml_filename)
+        self.py_path = os.path.join(config_volume, py_filename)
 
-  def update_app_config(self, app_config):
-    if os.path.exists(self.py_path):
-      logger.debug('Applying config file: %s', self.py_path)
-      app_config.from_pyfile(self.py_path)
+    def update_app_config(self, app_config):
+        if os.path.exists(self.py_path):
+            logger.debug("Applying config file: %s", self.py_path)
+            app_config.from_pyfile(self.py_path)
 
-    if os.path.exists(self.yaml_path):
-      logger.debug('Applying config file: %s', self.yaml_path)
-      import_yaml(app_config, self.yaml_path)
+        if os.path.exists(self.yaml_path):
+            logger.debug("Applying config file: %s", self.yaml_path)
+            import_yaml(app_config, self.yaml_path)
 
-  def get_config(self):
-    if not self.config_exists():
-      return None
+    def get_config(self):
+        if not self.config_exists():
+            return None
 
-    config_obj = {}
-    import_yaml(config_obj, self.yaml_path)
-    return config_obj
+        config_obj = {}
+        import_yaml(config_obj, self.yaml_path)
+        return config_obj
 
-  def config_exists(self):
-    return self.volume_file_exists(self.yaml_filename)
+    def config_exists(self):
+        return self.volume_file_exists(self.yaml_filename)
 
-  def volume_exists(self):
-    return os.path.exists(self.config_volume)
+    def volume_exists(self):
+        return os.path.exists(self.config_volume)
 
-  def volume_file_exists(self, filename):
-    return os.path.exists(os.path.join(self.config_volume, filename))
+    def volume_file_exists(self, filename):
+        return os.path.exists(os.path.join(self.config_volume, filename))
 
-  def get_volume_file(self, filename, mode='r'):
-    return open(os.path.join(self.config_volume, filename), mode=mode)
+    def get_volume_file(self, filename, mode="r"):
+        return open(os.path.join(self.config_volume, filename), mode=mode)
 
-  def get_volume_path(self, directory, filename):
-    return os.path.join(directory, filename)
+    def get_volume_path(self, directory, filename):
+        return os.path.join(directory, filename)
 
-  def list_volume_directory(self, path):
-    dirpath = os.path.join(self.config_volume, path)
-    if not os.path.exists(dirpath):
-      return None
+    def list_volume_directory(self, path):
+        dirpath = os.path.join(self.config_volume, path)
+        if not os.path.exists(dirpath):
+            return None
 
-    if not os.path.isdir(dirpath):
-      return None
+        if not os.path.isdir(dirpath):
+            return None
 
-    return os.listdir(dirpath)
+        return os.listdir(dirpath)
 
-  def requires_restart(self, app_config):
-    file_config = self.get_config()
-    if not file_config:
-      return False
+    def requires_restart(self, app_config):
+        file_config = self.get_config()
+        if not file_config:
+            return False
 
-    for key in file_config:
-      if app_config.get(key) != file_config[key]:
-        return True
+        for key in file_config:
+            if app_config.get(key) != file_config[key]:
+                return True
 
-    return False
+        return False
diff --git a/config_app/config_util/config/baseprovider.py b/config_app/config_util/config/baseprovider.py
index 17ae7e86b..e6705809d 100644
--- a/config_app/config_util/config/baseprovider.py
+++ b/config_app/config_util/config/baseprovider.py
@@ -12,117 +12,119 @@ logger = logging.getLogger(__name__)
 
 
 class CannotWriteConfigException(Exception):
-  """ Exception raised when the config cannot be written. """
-  pass
+    """ Exception raised when the config cannot be written. """
+
+    pass
 
 
 class SetupIncompleteException(Exception):
-  """ Exception raised when attempting to verify config that has not yet been setup. """
-  pass
+    """ Exception raised when attempting to verify config that has not yet been setup. """
+
+    pass
 
 
 def import_yaml(config_obj, config_file):
-  with open(config_file) as f:
-    c = yaml.safe_load(f)
-    if not c:
-      logger.debug('Empty YAML config file')
-      return
+    with open(config_file) as f:
+        c = yaml.safe_load(f)
+        if not c:
+            logger.debug("Empty YAML config file")
+            return
 
-    if isinstance(c, str):
-      raise Exception('Invalid YAML config file: ' + str(c))
+        if isinstance(c, str):
+            raise Exception("Invalid YAML config file: " + str(c))
 
-    for key in c.iterkeys():
-      if key.isupper():
-        config_obj[key] = c[key]
+        for key in c.iterkeys():
+            if key.isupper():
+                config_obj[key] = c[key]
 
-  if config_obj.get('SETUP_COMPLETE', False):
-    try:
-      validate(config_obj, CONFIG_SCHEMA)
-    except ValidationError:
-      # TODO: Change this into a real error
-      logger.exception('Could not validate config schema')
-  else:
-    logger.debug('Skipping config schema validation because setup is not complete')
+    if config_obj.get("SETUP_COMPLETE", False):
+        try:
+            validate(config_obj, CONFIG_SCHEMA)
+        except ValidationError:
+            # TODO: Change this into a real error
+            logger.exception("Could not validate config schema")
+    else:
+        logger.debug("Skipping config schema validation because setup is not complete")
 
-  return config_obj
+    return config_obj
 
 
 def get_yaml(config_obj):
-  return yaml.safe_dump(config_obj, encoding='utf-8', allow_unicode=True)
+    return yaml.safe_dump(config_obj, encoding="utf-8", allow_unicode=True)
 
 
 def export_yaml(config_obj, config_file):
-  try:
-    with open(config_file, 'w') as f:
-      f.write(get_yaml(config_obj))
-  except IOError as ioe:
-    raise CannotWriteConfigException(str(ioe))
+    try:
+        with open(config_file, "w") as f:
+            f.write(get_yaml(config_obj))
+    except IOError as ioe:
+        raise CannotWriteConfigException(str(ioe))
 
 
 @add_metaclass(ABCMeta)
 class BaseProvider(object):
-  """ A configuration provider helps to load, save, and handle config override in the application.
+    """ A configuration provider helps to load, save, and handle config override in the application.
   """
 
-  @property
-  def provider_id(self):
-    raise NotImplementedError
+    @property
+    def provider_id(self):
+        raise NotImplementedError
 
-  @abstractmethod
-  def update_app_config(self, app_config):
-    """ Updates the given application config object with the loaded override config. """
+    @abstractmethod
+    def update_app_config(self, app_config):
+        """ Updates the given application config object with the loaded override config. """
 
-  @abstractmethod
-  def get_config(self):
-    """ Returns the contents of the config override file, or None if none. """
+    @abstractmethod
+    def get_config(self):
+        """ Returns the contents of the config override file, or None if none. """
 
-  @abstractmethod
-  def save_config(self, config_object):
-    """ Updates the contents of the config override file to those given. """
+    @abstractmethod
+    def save_config(self, config_object):
+        """ Updates the contents of the config override file to those given. """
 
-  @abstractmethod
-  def config_exists(self):
-    """ Returns true if a config override file exists in the config volume. """
+    @abstractmethod
+    def config_exists(self):
+        """ Returns true if a config override file exists in the config volume. """
 
-  @abstractmethod
-  def volume_exists(self):
-    """ Returns whether the config override volume exists. """
+    @abstractmethod
+    def volume_exists(self):
+        """ Returns whether the config override volume exists. """
 
-  @abstractmethod
-  def volume_file_exists(self, filename):
-    """ Returns whether the file with the given name exists under the config override volume. """
+    @abstractmethod
+    def volume_file_exists(self, filename):
+        """ Returns whether the file with the given name exists under the config override volume. """
 
-  @abstractmethod
-  def get_volume_file(self, filename, mode='r'):
-    """ Returns a Python file referring to the given name under the config override volume. """
+    @abstractmethod
+    def get_volume_file(self, filename, mode="r"):
+        """ Returns a Python file referring to the given name under the config override volume. """
 
-  @abstractmethod
-  def write_volume_file(self, filename, contents):
-    """ Writes the given contents to the config override volumne, with the given filename. """
+    @abstractmethod
+    def write_volume_file(self, filename, contents):
+        """ Writes the given contents to the config override volumne, with the given filename. """
 
-  @abstractmethod
-  def remove_volume_file(self, filename):
-    """ Removes the config override volume file with the given filename. """
+    @abstractmethod
+    def remove_volume_file(self, filename):
+        """ Removes the config override volume file with the given filename. """
 
-  @abstractmethod
-  def list_volume_directory(self, path):
-    """ Returns a list of strings representing the names of the files found in the config override
+    @abstractmethod
+    def list_volume_directory(self, path):
+        """ Returns a list of strings representing the names of the files found in the config override
         directory under the given path. If the path doesn't exist, returns None.
     """
 
-  @abstractmethod
-  def save_volume_file(self, filename, flask_file):
-    """ Saves the given flask file to the config override volume, with the given
+    @abstractmethod
+    def save_volume_file(self, filename, flask_file):
+        """ Saves the given flask file to the config override volume, with the given
         filename.
     """
 
-  @abstractmethod
-  def requires_restart(self, app_config):
-    """ If true, the configuration loaded into memory for the app does not match that on disk,
+    @abstractmethod
+    def requires_restart(self, app_config):
+        """ If true, the configuration loaded into memory for the app does not match that on disk,
         indicating that this container requires a restart.
     """
 
-  @abstractmethod
-  def get_volume_path(self, directory, filename):
-    """ Helper for constructing file paths, which may differ between providers. For example,
+    @abstractmethod
+    def get_volume_path(self, directory, filename):
+        """ Helper for constructing file paths, which may differ between providers. For example,
     kubernetes can't have subfolders in configmaps """
diff --git a/config_app/config_util/config/fileprovider.py b/config_app/config_util/config/fileprovider.py
index 74531e581..4f9d94ad0 100644
--- a/config_app/config_util/config/fileprovider.py
+++ b/config_app/config_util/config/fileprovider.py
@@ -1,60 +1,65 @@
 import os
 import logging
 
-from config_app.config_util.config.baseprovider import export_yaml, CannotWriteConfigException
+from config_app.config_util.config.baseprovider import (
+    export_yaml,
+    CannotWriteConfigException,
+)
 from config_app.config_util.config.basefileprovider import BaseFileProvider
 
 logger = logging.getLogger(__name__)
 
 
 def _ensure_parent_dir(filepath):
-  """ Ensures that the parent directory of the given file path exists. """
-  try:
-    parentpath = os.path.abspath(os.path.join(filepath, os.pardir))
-    if not os.path.isdir(parentpath):
-      os.makedirs(parentpath)
-  except IOError as ioe:
-    raise CannotWriteConfigException(str(ioe))
+    """ Ensures that the parent directory of the given file path exists. """
+    try:
+        parentpath = os.path.abspath(os.path.join(filepath, os.pardir))
+        if not os.path.isdir(parentpath):
+            os.makedirs(parentpath)
+    except IOError as ioe:
+        raise CannotWriteConfigException(str(ioe))
 
 
 class FileConfigProvider(BaseFileProvider):
-  """ Implementation of the config provider that reads and writes the data
+    """ Implementation of the config provider that reads and writes the data
       from/to the file system. """
 
-  def __init__(self, config_volume, yaml_filename, py_filename):
-    super(FileConfigProvider, self).__init__(config_volume, yaml_filename, py_filename)
+    def __init__(self, config_volume, yaml_filename, py_filename):
+        super(FileConfigProvider, self).__init__(
+            config_volume, yaml_filename, py_filename
+        )
 
-  @property
-  def provider_id(self):
-    return 'file'
+    @property
+    def provider_id(self):
+        return "file"
 
-  def save_config(self, config_obj):
-    export_yaml(config_obj, self.yaml_path)
+    def save_config(self, config_obj):
+        export_yaml(config_obj, self.yaml_path)
 
-  def write_volume_file(self, filename, contents):
-    filepath = os.path.join(self.config_volume, filename)
-    _ensure_parent_dir(filepath)
+    def write_volume_file(self, filename, contents):
+        filepath = os.path.join(self.config_volume, filename)
+        _ensure_parent_dir(filepath)
 
-    try:
-      with open(filepath, mode='w') as f:
-        f.write(contents)
-    except IOError as ioe:
-      raise CannotWriteConfigException(str(ioe))
+        try:
+            with open(filepath, mode="w") as f:
+                f.write(contents)
+        except IOError as ioe:
+            raise CannotWriteConfigException(str(ioe))
 
-    return filepath
+        return filepath
 
-  def remove_volume_file(self, filename):
-    filepath = os.path.join(self.config_volume, filename)
-    os.remove(filepath)
+    def remove_volume_file(self, filename):
+        filepath = os.path.join(self.config_volume, filename)
+        os.remove(filepath)
 
-  def save_volume_file(self, filename, flask_file):
-    filepath = os.path.join(self.config_volume, filename)
-    _ensure_parent_dir(filepath)
+    def save_volume_file(self, filename, flask_file):
+        filepath = os.path.join(self.config_volume, filename)
+        _ensure_parent_dir(filepath)
 
-    # Write the file.
-    try:
-      flask_file.save(filepath)
-    except IOError as ioe:
-      raise CannotWriteConfigException(str(ioe))
+        # Write the file.
+        try:
+            flask_file.save(filepath)
+        except IOError as ioe:
+            raise CannotWriteConfigException(str(ioe))
 
-    return filepath
+        return filepath
diff --git a/config_app/config_util/config/test/test_helpers.py b/config_app/config_util/config/test/test_helpers.py
index ceeae51ff..f266bb65c 100644
--- a/config_app/config_util/config/test/test_helpers.py
+++ b/config_app/config_util/config/test/test_helpers.py
@@ -9,67 +9,73 @@ from util.config.validator import EXTRA_CA_DIRECTORY
 
 
 def _create_temp_file_structure(file_structure):
-  temp_dir = TemporaryDirectory()
+    temp_dir = TemporaryDirectory()
 
-  for filename, data in file_structure.iteritems():
-    if filename == EXTRA_CA_DIRECTORY:
-      extra_ca_dir_path = os.path.join(temp_dir.name, EXTRA_CA_DIRECTORY)
-      os.mkdir(extra_ca_dir_path)
+    for filename, data in file_structure.iteritems():
+        if filename == EXTRA_CA_DIRECTORY:
+            extra_ca_dir_path = os.path.join(temp_dir.name, EXTRA_CA_DIRECTORY)
+            os.mkdir(extra_ca_dir_path)
 
-      for name, cert_value in data:
-        with open(os.path.join(extra_ca_dir_path, name), 'w') as f:
-          f.write(cert_value)
-    else:
-      with open(os.path.join(temp_dir.name, filename), 'w') as f:
-        f.write(data)
+            for name, cert_value in data:
+                with open(os.path.join(extra_ca_dir_path, name), "w") as f:
+                    f.write(cert_value)
+        else:
+            with open(os.path.join(temp_dir.name, filename), "w") as f:
+                f.write(data)
 
-  return temp_dir
+    return temp_dir
 
 
-@pytest.mark.parametrize('file_structure, expected_secret', [
-  pytest.param({
-     'config.yaml': 'test:true',
-   },
-   {
-     'config.yaml': 'dGVzdDp0cnVl',
-   }, id='just a config value'),
-  pytest.param({
-     'config.yaml': 'test:true',
-     'otherfile.ext': 'im a file'
-   },
-   {
-     'config.yaml': 'dGVzdDp0cnVl',
-     'otherfile.ext': base64.b64encode('im a file')
-   }, id='config and another file'),
-  pytest.param({
-     'config.yaml': 'test:true',
-     'extra_ca_certs': [
-       ('cert.crt', 'im a cert!'),
-     ]
-   },
-   {
-     'config.yaml': 'dGVzdDp0cnVl',
-     'extra_ca_certs_cert.crt': base64.b64encode('im a cert!'),
-   }, id='config and an extra cert'),
-  pytest.param({
-     'config.yaml': 'test:true',
-     'otherfile.ext': 'im a file',
-     'extra_ca_certs': [
-       ('cert.crt', 'im a cert!'),
-       ('another.crt', 'im a different cert!'),
-     ]
-   },
-   {
-     'config.yaml': 'dGVzdDp0cnVl',
-     'otherfile.ext': base64.b64encode('im a file'),
-     'extra_ca_certs_cert.crt': base64.b64encode('im a cert!'),
-     'extra_ca_certs_another.crt': base64.b64encode('im a different cert!'),
-   }, id='config, files, and extra certs!'),
-])
+@pytest.mark.parametrize(
+    "file_structure, expected_secret",
+    [
+        pytest.param(
+            {"config.yaml": "test:true"},
+            {"config.yaml": "dGVzdDp0cnVl"},
+            id="just a config value",
+        ),
+        pytest.param(
+            {"config.yaml": "test:true", "otherfile.ext": "im a file"},
+            {
+                "config.yaml": "dGVzdDp0cnVl",
+                "otherfile.ext": base64.b64encode("im a file"),
+            },
+            id="config and another file",
+        ),
+        pytest.param(
+            {
+                "config.yaml": "test:true",
+                "extra_ca_certs": [("cert.crt", "im a cert!")],
+            },
+            {
+                "config.yaml": "dGVzdDp0cnVl",
+                "extra_ca_certs_cert.crt": base64.b64encode("im a cert!"),
+            },
+            id="config and an extra cert",
+        ),
+        pytest.param(
+            {
+                "config.yaml": "test:true",
+                "otherfile.ext": "im a file",
+                "extra_ca_certs": [
+                    ("cert.crt", "im a cert!"),
+                    ("another.crt", "im a different cert!"),
+                ],
+            },
+            {
+                "config.yaml": "dGVzdDp0cnVl",
+                "otherfile.ext": base64.b64encode("im a file"),
+                "extra_ca_certs_cert.crt": base64.b64encode("im a cert!"),
+                "extra_ca_certs_another.crt": base64.b64encode("im a different cert!"),
+            },
+            id="config, files, and extra certs!",
+        ),
+    ],
+)
 def test_get_config_as_kube_secret(file_structure, expected_secret):
-  temp_dir = _create_temp_file_structure(file_structure)
+    temp_dir = _create_temp_file_structure(file_structure)
 
-  secret = get_config_as_kube_secret(temp_dir.name)
-  assert secret == expected_secret
+    secret = get_config_as_kube_secret(temp_dir.name)
+    assert secret == expected_secret
 
-  temp_dir.cleanup()
+    temp_dir.cleanup()
diff --git a/config_app/config_util/config/test/test_transient_dir_provider.py b/config_app/config_util/config/test/test_transient_dir_provider.py
index 2d1f3f96c..2d53b5153 100644
--- a/config_app/config_util/config/test/test_transient_dir_provider.py
+++ b/config_app/config_util/config/test/test_transient_dir_provider.py
@@ -1,68 +1,71 @@
 import pytest
 import os
 
-from config_app.config_util.config.TransientDirectoryProvider import TransientDirectoryProvider
+from config_app.config_util.config.TransientDirectoryProvider import (
+    TransientDirectoryProvider,
+)
 
 
-@pytest.mark.parametrize('files_to_write, operations, expected_new_dir', [
-  pytest.param({
-     'config.yaml': 'a config',
-   }, ([], [], []), {
-     'config.yaml': 'a config',
-   }, id='just a config'),
-  pytest.param({
-     'config.yaml': 'a config',
-     'oldfile': 'hmmm'
-   }, ([], [], ['oldfile']), {
-     'config.yaml': 'a config',
-   }, id='delete a file'),
-  pytest.param({
-     'config.yaml': 'a config',
-     'oldfile': 'hmmm'
-   }, ([('newfile', 'asdf')], [], ['oldfile']), {
-     'config.yaml': 'a config',
-     'newfile': 'asdf'
-   }, id='delete and add a file'),
-  pytest.param({
-     'config.yaml': 'a config',
-     'somefile': 'before'
-   }, ([('newfile', 'asdf')], [('somefile', 'after')], []), {
-     'config.yaml': 'a config',
-     'newfile': 'asdf',
-     'somefile': 'after',
-   }, id='add new files and change files'),
-])
+@pytest.mark.parametrize(
+    "files_to_write, operations, expected_new_dir",
+    [
+        pytest.param(
+            {"config.yaml": "a config"},
+            ([], [], []),
+            {"config.yaml": "a config"},
+            id="just a config",
+        ),
+        pytest.param(
+            {"config.yaml": "a config", "oldfile": "hmmm"},
+            ([], [], ["oldfile"]),
+            {"config.yaml": "a config"},
+            id="delete a file",
+        ),
+        pytest.param(
+            {"config.yaml": "a config", "oldfile": "hmmm"},
+            ([("newfile", "asdf")], [], ["oldfile"]),
+            {"config.yaml": "a config", "newfile": "asdf"},
+            id="delete and add a file",
+        ),
+        pytest.param(
+            {"config.yaml": "a config", "somefile": "before"},
+            ([("newfile", "asdf")], [("somefile", "after")], []),
+            {"config.yaml": "a config", "newfile": "asdf", "somefile": "after"},
+            id="add new files and change files",
+        ),
+    ],
+)
 def test_transient_dir_copy_config_dir(files_to_write, operations, expected_new_dir):
-  config_provider = TransientDirectoryProvider('', '', '')
+    config_provider = TransientDirectoryProvider("", "", "")
 
-  for name, data in files_to_write.iteritems():
-    config_provider.write_volume_file(name, data)
+    for name, data in files_to_write.iteritems():
+        config_provider.write_volume_file(name, data)
 
-  config_provider.create_copy_of_config_dir()
+    config_provider.create_copy_of_config_dir()
 
-  for create in operations[0]:
-    (name, data) = create
-    config_provider.write_volume_file(name, data)
+    for create in operations[0]:
+        (name, data) = create
+        config_provider.write_volume_file(name, data)
 
-  for update in operations[1]:
-    (name, data) = update
-    config_provider.write_volume_file(name, data)
+    for update in operations[1]:
+        (name, data) = update
+        config_provider.write_volume_file(name, data)
 
-  for delete in operations[2]:
-    config_provider.remove_volume_file(delete)
+    for delete in operations[2]:
+        config_provider.remove_volume_file(delete)
 
-  # check that the new directory matches expected state
-  for filename, data in expected_new_dir.iteritems():
-    with open(os.path.join(config_provider.get_config_dir_path(), filename)) as f:
-      new_data = f.read()
-      assert new_data == data
+    # check that the new directory matches expected state
+    for filename, data in expected_new_dir.iteritems():
+        with open(os.path.join(config_provider.get_config_dir_path(), filename)) as f:
+            new_data = f.read()
+            assert new_data == data
 
-  # Now check that the old dir matches the original state
-  saved = config_provider.get_old_config_dir()
+    # Now check that the old dir matches the original state
+    saved = config_provider.get_old_config_dir()
 
-  for filename, data in files_to_write.iteritems():
-    with open(os.path.join(saved, filename)) as f:
-      new_data = f.read()
-      assert new_data == data
+    for filename, data in files_to_write.iteritems():
+        with open(os.path.join(saved, filename)) as f:
+            new_data = f.read()
+            assert new_data == data
 
-  config_provider.temp_dir.cleanup()
+    config_provider.temp_dir.cleanup()
diff --git a/config_app/config_util/config/testprovider.py b/config_app/config_util/config/testprovider.py
index 63e563056..39070687e 100644
--- a/config_app/config_util/config/testprovider.py
+++ b/config_app/config_util/config/testprovider.py
@@ -4,80 +4,84 @@ import os
 
 from config_app.config_util.config.baseprovider import BaseProvider
 
-REAL_FILES = ['test/data/signing-private.gpg', 'test/data/signing-public.gpg', 'test/data/test.pem']
+REAL_FILES = [
+    "test/data/signing-private.gpg",
+    "test/data/signing-public.gpg",
+    "test/data/test.pem",
+]
 
 
 class TestConfigProvider(BaseProvider):
-  """ Implementation of the config provider for testing. Everything is kept in-memory instead on
+    """ Implementation of the config provider for testing. Everything is kept in-memory instead on
       the real file system. """
 
-  def __init__(self):
-    self.clear()
+    def __init__(self):
+        self.clear()
 
-  def clear(self):
-    self.files = {}
-    self._config = {}
+    def clear(self):
+        self.files = {}
+        self._config = {}
 
-  @property
-  def provider_id(self):
-    return 'test'
+    @property
+    def provider_id(self):
+        return "test"
 
-  def update_app_config(self, app_config):
-    self._config = app_config
+    def update_app_config(self, app_config):
+        self._config = app_config
 
-  def get_config(self):
-    if not 'config.yaml' in self.files:
-      return None
+    def get_config(self):
+        if not "config.yaml" in self.files:
+            return None
 
-    return json.loads(self.files.get('config.yaml', '{}'))
+        return json.loads(self.files.get("config.yaml", "{}"))
 
-  def save_config(self, config_obj):
-    self.files['config.yaml'] = json.dumps(config_obj)
+    def save_config(self, config_obj):
+        self.files["config.yaml"] = json.dumps(config_obj)
 
-  def config_exists(self):
-    return 'config.yaml' in self.files
+    def config_exists(self):
+        return "config.yaml" in self.files
 
-  def volume_exists(self):
-    return True
+    def volume_exists(self):
+        return True
 
-  def volume_file_exists(self, filename):
-    if filename in REAL_FILES:
-      return True
+    def volume_file_exists(self, filename):
+        if filename in REAL_FILES:
+            return True
 
-    return filename in self.files
+        return filename in self.files
 
-  def save_volume_file(self, filename, flask_file):
-    self.files[filename] = flask_file.read()
+    def save_volume_file(self, filename, flask_file):
+        self.files[filename] = flask_file.read()
 
-  def write_volume_file(self, filename, contents):
-    self.files[filename] = contents
+    def write_volume_file(self, filename, contents):
+        self.files[filename] = contents
 
-  def get_volume_file(self, filename, mode='r'):
-    if filename in REAL_FILES:
-      return open(filename, mode=mode)
+    def get_volume_file(self, filename, mode="r"):
+        if filename in REAL_FILES:
+            return open(filename, mode=mode)
 
-    return io.BytesIO(self.files[filename])
+        return io.BytesIO(self.files[filename])
 
-  def remove_volume_file(self, filename):
-    self.files.pop(filename, None)
+    def remove_volume_file(self, filename):
+        self.files.pop(filename, None)
 
-  def list_volume_directory(self, path):
-    paths = []
-    for filename in self.files:
-      if filename.startswith(path):
-        paths.append(filename[len(path) + 1:])
+    def list_volume_directory(self, path):
+        paths = []
+        for filename in self.files:
+            if filename.startswith(path):
+                paths.append(filename[len(path) + 1 :])
 
-    return paths
+        return paths
 
-  def requires_restart(self, app_config):
-    return False
+    def requires_restart(self, app_config):
+        return False
 
-  def reset_for_test(self):
-    self._config['SUPER_USERS'] = ['devtable']
-    self.files = {}
+    def reset_for_test(self):
+        self._config["SUPER_USERS"] = ["devtable"]
+        self.files = {}
 
-  def get_volume_path(self, directory, filename):
-    return os.path.join(directory, filename)
+    def get_volume_path(self, directory, filename):
+        return os.path.join(directory, filename)
 
-  def get_config_dir_path(self):
-    return ''
+    def get_config_dir_path(self):
+        return ""
diff --git a/config_app/config_util/k8saccessor.py b/config_app/config_util/k8saccessor.py
index dd115681b..e59f127f2 100644
--- a/config_app/config_util/k8saccessor.py
+++ b/config_app/config_util/k8saccessor.py
@@ -12,295 +12,374 @@ from config_app.config_util.k8sconfig import KubernetesConfig
 
 logger = logging.getLogger(__name__)
 
-QE_DEPLOYMENT_LABEL = 'quay-enterprise-component'
-QE_CONTAINER_NAME = 'quay-enterprise-app'
+QE_DEPLOYMENT_LABEL = "quay-enterprise-component"
+QE_CONTAINER_NAME = "quay-enterprise-app"
 
 
 # Tuple containing response of the deployment rollout status method.
 # status is one of: 'failed' | 'progressing' | 'available'
 # message is any string describing the state.
-DeploymentRolloutStatus = namedtuple('DeploymentRolloutStatus', ['status', 'message'])
+DeploymentRolloutStatus = namedtuple("DeploymentRolloutStatus", ["status", "message"])
+
 
 class K8sApiException(Exception):
-  pass
+    pass
 
 
 def _deployment_rollout_status_message(deployment, deployment_name):
-  """
+    """
   Gets the friendly human readable message of the current state of the deployment rollout
   :param deployment: python dict matching: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#deployment-v1-apps
   :param deployment_name: string
   :return: DeploymentRolloutStatus
   """
-  # Logic for rollout status pulled from the `kubectl rollout status` command:
-  # https://github.com/kubernetes/kubernetes/blob/d9ba19c751709c8608e09a0537eea98973f3a796/pkg/kubectl/rollout_status.go#L62
-  if deployment['metadata']['generation'] <= deployment['status']['observedGeneration']:
-    for cond in deployment['status']['conditions']:
-      if cond['type'] == 'Progressing' and cond['reason'] == 'ProgressDeadlineExceeded':
+    # Logic for rollout status pulled from the `kubectl rollout status` command:
+    # https://github.com/kubernetes/kubernetes/blob/d9ba19c751709c8608e09a0537eea98973f3a796/pkg/kubectl/rollout_status.go#L62
+    if (
+        deployment["metadata"]["generation"]
+        <= deployment["status"]["observedGeneration"]
+    ):
+        for cond in deployment["status"]["conditions"]:
+            if (
+                cond["type"] == "Progressing"
+                and cond["reason"] == "ProgressDeadlineExceeded"
+            ):
+                return DeploymentRolloutStatus(
+                    status="failed",
+                    message="Deployment %s's rollout failed. Please try again later."
+                    % deployment_name,
+                )
+
+        desired_replicas = deployment["spec"]["replicas"]
+        current_replicas = deployment["status"].get("replicas", 0)
+        if current_replicas == 0:
+            return DeploymentRolloutStatus(
+                status="available",
+                message="Deployment %s updated (no replicas, so nothing to roll out)"
+                % deployment_name,
+            )
+
+        # Some fields are optional in the spec, so if they're omitted, replace with defaults that won't indicate a wrong status
+        available_replicas = deployment["status"].get("availableReplicas", 0)
+        updated_replicas = deployment["status"].get("updatedReplicas", 0)
+
+        if updated_replicas < desired_replicas:
+            return DeploymentRolloutStatus(
+                status="progressing",
+                message="Waiting for rollout to finish: %d out of %d new replicas have been updated..."
+                % (updated_replicas, desired_replicas),
+            )
+
+        if current_replicas > updated_replicas:
+            return DeploymentRolloutStatus(
+                status="progressing",
+                message="Waiting for rollout to finish: %d old replicas are pending termination..."
+                % (current_replicas - updated_replicas),
+            )
+
+        if available_replicas < updated_replicas:
+            return DeploymentRolloutStatus(
+                status="progressing",
+                message="Waiting for rollout to finish: %d of %d updated replicas are available..."
+                % (available_replicas, updated_replicas),
+            )
+
         return DeploymentRolloutStatus(
-          status='failed',
-          message="Deployment %s's rollout failed. Please try again later." % deployment_name
+            status="available",
+            message="Deployment %s successfully rolled out." % deployment_name,
         )
 
-    desired_replicas = deployment['spec']['replicas']
-    current_replicas = deployment['status'].get('replicas', 0)
-    if current_replicas == 0:
-      return DeploymentRolloutStatus(
-        status='available',
-        message='Deployment %s updated (no replicas, so nothing to roll out)' % deployment_name
-      )
-
-    # Some fields are optional in the spec, so if they're omitted, replace with defaults that won't indicate a wrong status
-    available_replicas = deployment['status'].get('availableReplicas', 0)
-    updated_replicas = deployment['status'].get('updatedReplicas', 0)
-
-    if updated_replicas < desired_replicas:
-      return DeploymentRolloutStatus(
-        status='progressing',
-        message='Waiting for rollout to finish: %d out of %d new replicas have been updated...' % (
-        updated_replicas, desired_replicas)
-      )
-
-    if current_replicas > updated_replicas:
-      return DeploymentRolloutStatus(
-        status='progressing',
-        message='Waiting for rollout to finish: %d old replicas are pending termination...' % (
-              current_replicas - updated_replicas)
-      )
-
-    if available_replicas < updated_replicas:
-      return DeploymentRolloutStatus(
-        status='progressing',
-        message='Waiting for rollout to finish: %d of %d updated replicas are available...' % (
-        available_replicas, updated_replicas)
-      )
-
     return DeploymentRolloutStatus(
-      status='available',
-      message='Deployment %s successfully rolled out.' % deployment_name
+        status="progressing", message="Waiting for deployment spec to be updated..."
     )
 
-  return DeploymentRolloutStatus(
-    status='progressing',
-    message='Waiting for deployment spec to be updated...'
-  )
-
 
 class KubernetesAccessorSingleton(object):
-  """ Singleton allowing access to kubernetes operations """
-  _instance = None
+    """ Singleton allowing access to kubernetes operations """
 
-  def __init__(self, kube_config=None):
-    self.kube_config = kube_config
-    if kube_config is None:
-      self.kube_config = KubernetesConfig.from_env()
+    _instance = None
 
-    KubernetesAccessorSingleton._instance = self
+    def __init__(self, kube_config=None):
+        self.kube_config = kube_config
+        if kube_config is None:
+            self.kube_config = KubernetesConfig.from_env()
 
-  @classmethod
-  def get_instance(cls, kube_config=None):
-    """
+        KubernetesAccessorSingleton._instance = self
+
+    @classmethod
+    def get_instance(cls, kube_config=None):
+        """
     Singleton getter implementation, returns the instance if one exists, otherwise creates the
     instance and ties it to the class.
     :return: KubernetesAccessorSingleton
     """
-    if cls._instance is None:
-      return cls(kube_config)
+        if cls._instance is None:
+            return cls(kube_config)
 
-    return cls._instance
+        return cls._instance
 
-  def save_secret_to_directory(self, dir_path):
-    """
+    def save_secret_to_directory(self, dir_path):
+        """
     Saves all files in the kubernetes secret to a local directory.
     Assumes the directory is empty.
     """
-    secret = self._lookup_secret()
+        secret = self._lookup_secret()
 
-    secret_data = secret.get('data', {})
+        secret_data = secret.get("data", {})
 
-    # Make the `extra_ca_certs` dir to ensure we can populate extra certs
-    extra_ca_dir_path = os.path.join(dir_path, EXTRA_CA_DIRECTORY)
-    os.mkdir(extra_ca_dir_path)
+        # Make the `extra_ca_certs` dir to ensure we can populate extra certs
+        extra_ca_dir_path = os.path.join(dir_path, EXTRA_CA_DIRECTORY)
+        os.mkdir(extra_ca_dir_path)
 
-    for secret_filename, data in secret_data.iteritems():
-      write_path = os.path.join(dir_path, secret_filename)
+        for secret_filename, data in secret_data.iteritems():
+            write_path = os.path.join(dir_path, secret_filename)
 
-      if EXTRA_CA_DIRECTORY_PREFIX in secret_filename:
-        write_path = os.path.join(extra_ca_dir_path, secret_filename.replace(EXTRA_CA_DIRECTORY_PREFIX, ''))
+            if EXTRA_CA_DIRECTORY_PREFIX in secret_filename:
+                write_path = os.path.join(
+                    extra_ca_dir_path,
+                    secret_filename.replace(EXTRA_CA_DIRECTORY_PREFIX, ""),
+                )
 
-      with open(write_path, 'w') as f:
-        f.write(base64.b64decode(data))
+            with open(write_path, "w") as f:
+                f.write(base64.b64decode(data))
 
-    return 200
+        return 200
 
-  def save_file_as_secret(self, name, file_pointer):
-    value = file_pointer.read()
-    self._update_secret_file(name, value)
+    def save_file_as_secret(self, name, file_pointer):
+        value = file_pointer.read()
+        self._update_secret_file(name, value)
 
-  def replace_qe_secret(self, new_secret_data):
-    """
+    def replace_qe_secret(self, new_secret_data):
+        """
     Removes the old config and replaces it with the new_secret_data as one action
     """
-    # Check first that the namespace for Red Hat Quay exists. If it does not, report that
-    # as an error, as it seems to be a common issue.
-    namespace_url = 'namespaces/%s' % (self.kube_config.qe_namespace)
-    response = self._execute_k8s_api('GET', namespace_url)
-    if response.status_code // 100 != 2:
-      msg = 'A Kubernetes namespace with name `%s` must be created to save config' % self.kube_config.qe_namespace
-      raise Exception(msg)
+        # Check first that the namespace for Red Hat Quay exists. If it does not, report that
+        # as an error, as it seems to be a common issue.
+        namespace_url = "namespaces/%s" % (self.kube_config.qe_namespace)
+        response = self._execute_k8s_api("GET", namespace_url)
+        if response.status_code // 100 != 2:
+            msg = (
+                "A Kubernetes namespace with name `%s` must be created to save config"
+                % self.kube_config.qe_namespace
+            )
+            raise Exception(msg)
 
-    # Check if the secret exists. If not, then we create an empty secret and then update the file
-    # inside.
-    secret_url = 'namespaces/%s/secrets/%s' % (self.kube_config.qe_namespace, self.kube_config.qe_config_secret)
-    secret = self._lookup_secret()
-    if secret is None:
-      self._assert_success(self._execute_k8s_api('POST', secret_url, {
-        "kind": "Secret",
-        "apiVersion": "v1",
-        "metadata": {
-          "name": self.kube_config.qe_config_secret
-        },
-        "data": {}
-      }))
+        # Check if the secret exists. If not, then we create an empty secret and then update the file
+        # inside.
+        secret_url = "namespaces/%s/secrets/%s" % (
+            self.kube_config.qe_namespace,
+            self.kube_config.qe_config_secret,
+        )
+        secret = self._lookup_secret()
+        if secret is None:
+            self._assert_success(
+                self._execute_k8s_api(
+                    "POST",
+                    secret_url,
+                    {
+                        "kind": "Secret",
+                        "apiVersion": "v1",
+                        "metadata": {"name": self.kube_config.qe_config_secret},
+                        "data": {},
+                    },
+                )
+            )
 
-    # Update the secret to reflect the file change.
-    secret['data'] = new_secret_data
+        # Update the secret to reflect the file change.
+        secret["data"] = new_secret_data
 
-    self._assert_success(self._execute_k8s_api('PUT', secret_url, secret))
+        self._assert_success(self._execute_k8s_api("PUT", secret_url, secret))
 
-  def get_deployment_rollout_status(self, deployment_name):
-    """"
+    def get_deployment_rollout_status(self, deployment_name):
+        """"
     Returns the status of a rollout of a given deployment
     :return _DeploymentRolloutStatus
     """
-    deployment_selector_url = 'namespaces/%s/deployments/%s' % (
-      self.kube_config.qe_namespace, deployment_name
-    )
+        deployment_selector_url = "namespaces/%s/deployments/%s" % (
+            self.kube_config.qe_namespace,
+            deployment_name,
+        )
 
-    response = self._execute_k8s_api('GET', deployment_selector_url, api_prefix='apis/apps/v1')
-    if response.status_code != 200:
-      return DeploymentRolloutStatus('failed', 'Could not get deployment. Please check that the deployment exists')
+        response = self._execute_k8s_api(
+            "GET", deployment_selector_url, api_prefix="apis/apps/v1"
+        )
+        if response.status_code != 200:
+            return DeploymentRolloutStatus(
+                "failed",
+                "Could not get deployment. Please check that the deployment exists",
+            )
 
-    deployment = json.loads(response.text)
+        deployment = json.loads(response.text)
 
-    return _deployment_rollout_status_message(deployment, deployment_name)
+        return _deployment_rollout_status_message(deployment, deployment_name)
 
-  def get_qe_deployments(self):
-    """"
+    def get_qe_deployments(self):
+        """"
     Returns all deployments matching the label selector provided in the KubeConfig
     """
-    deployment_selector_url = 'namespaces/%s/deployments?labelSelector=%s%%3D%s' % (
-      self.kube_config.qe_namespace, QE_DEPLOYMENT_LABEL, self.kube_config.qe_deployment_selector
-    )
+        deployment_selector_url = "namespaces/%s/deployments?labelSelector=%s%%3D%s" % (
+            self.kube_config.qe_namespace,
+            QE_DEPLOYMENT_LABEL,
+            self.kube_config.qe_deployment_selector,
+        )
 
-    response = self._execute_k8s_api('GET', deployment_selector_url, api_prefix='apis/extensions/v1beta1')
-    if response.status_code != 200:
-      return None
-    return json.loads(response.text)
+        response = self._execute_k8s_api(
+            "GET", deployment_selector_url, api_prefix="apis/extensions/v1beta1"
+        )
+        if response.status_code != 200:
+            return None
+        return json.loads(response.text)
 
-  def cycle_qe_deployments(self, deployment_names):
-    """"
+    def cycle_qe_deployments(self, deployment_names):
+        """"
     Triggers a rollout of all desired deployments in the qe namespace
     """
 
-    for name in deployment_names:
-      logger.debug('Cycling deployment %s', name)
-      deployment_url = 'namespaces/%s/deployments/%s' % (self.kube_config.qe_namespace, name)
+        for name in deployment_names:
+            logger.debug("Cycling deployment %s", name)
+            deployment_url = "namespaces/%s/deployments/%s" % (
+                self.kube_config.qe_namespace,
+                name,
+            )
 
-      # There is currently no command to simply rolling restart all the pods: https://github.com/kubernetes/kubernetes/issues/13488
-      # Instead, we modify the template of the deployment with a dummy env variable to trigger a cycle of the pods
-      # (based off this comment: https://github.com/kubernetes/kubernetes/issues/13488#issuecomment-240393845)
-      self._assert_success(self._execute_k8s_api('PATCH', deployment_url, {
-        'spec': {
-          'template': {
-            'spec': {
-              'containers': [{
-                # Note: this name MUST match the deployment template's pod template
-                # (e.g. <template>.spec.template.spec.containers[0] == 'quay-enterprise-app')
-                'name': QE_CONTAINER_NAME,
-                'env': [{
-                  'name': 'RESTART_TIME',
-                  'value': str(datetime.datetime.now())
-                }],
-              }]
-            }
-          }
-        }
-      }, api_prefix='apis/extensions/v1beta1', content_type='application/strategic-merge-patch+json'))
+            # There is currently no command to simply rolling restart all the pods: https://github.com/kubernetes/kubernetes/issues/13488
+            # Instead, we modify the template of the deployment with a dummy env variable to trigger a cycle of the pods
+            # (based off this comment: https://github.com/kubernetes/kubernetes/issues/13488#issuecomment-240393845)
+            self._assert_success(
+                self._execute_k8s_api(
+                    "PATCH",
+                    deployment_url,
+                    {
+                        "spec": {
+                            "template": {
+                                "spec": {
+                                    "containers": [
+                                        {
+                                            # Note: this name MUST match the deployment template's pod template
+                                            # (e.g. <template>.spec.template.spec.containers[0] == 'quay-enterprise-app')
+                                            "name": QE_CONTAINER_NAME,
+                                            "env": [
+                                                {
+                                                    "name": "RESTART_TIME",
+                                                    "value": str(
+                                                        datetime.datetime.now()
+                                                    ),
+                                                }
+                                            ],
+                                        }
+                                    ]
+                                }
+                            }
+                        }
+                    },
+                    api_prefix="apis/extensions/v1beta1",
+                    content_type="application/strategic-merge-patch+json",
+                )
+            )
 
-  def rollback_deployment(self, deployment_name):
-    deployment_rollback_url = 'namespaces/%s/deployments/%s/rollback' % (
-      self.kube_config.qe_namespace, deployment_name
-    )
+    def rollback_deployment(self, deployment_name):
+        deployment_rollback_url = "namespaces/%s/deployments/%s/rollback" % (
+            self.kube_config.qe_namespace,
+            deployment_name,
+        )
 
-    self._assert_success(self._execute_k8s_api('POST', deployment_rollback_url, {
-      'name': deployment_name,
-      'rollbackTo': {
-        # revision=0 makes the deployment rollout to the previous revision
-        'revision': 0
-      }
-    }, api_prefix='apis/extensions/v1beta1'), 201)
+        self._assert_success(
+            self._execute_k8s_api(
+                "POST",
+                deployment_rollback_url,
+                {
+                    "name": deployment_name,
+                    "rollbackTo": {
+                        # revision=0 makes the deployment rollout to the previous revision
+                        "revision": 0
+                    },
+                },
+                api_prefix="apis/extensions/v1beta1",
+            ),
+            201,
+        )
 
-  def _assert_success(self, response, expected_code=200):
-    if response.status_code != expected_code:
-      logger.error('Kubernetes API call failed with response: %s => %s', response.status_code,
-                   response.text)
-      raise K8sApiException('Kubernetes API call failed: %s' % response.text)
+    def _assert_success(self, response, expected_code=200):
+        if response.status_code != expected_code:
+            logger.error(
+                "Kubernetes API call failed with response: %s => %s",
+                response.status_code,
+                response.text,
+            )
+            raise K8sApiException("Kubernetes API call failed: %s" % response.text)
 
-  def _update_secret_file(self, relative_file_path, value=None):
-    if '/' in relative_file_path:
-      raise Exception('Expected path from get_volume_path, but found slashes')
+    def _update_secret_file(self, relative_file_path, value=None):
+        if "/" in relative_file_path:
+            raise Exception("Expected path from get_volume_path, but found slashes")
 
-    # Check first that the namespace for Red Hat Quay exists. If it does not, report that
-    # as an error, as it seems to be a common issue.
-    namespace_url = 'namespaces/%s' % (self.kube_config.qe_namespace)
-    response = self._execute_k8s_api('GET', namespace_url)
-    if response.status_code // 100 != 2:
-      msg = 'A Kubernetes namespace with name `%s` must be created to save config' % self.kube_config.qe_namespace
-      raise Exception(msg)
+        # Check first that the namespace for Red Hat Quay exists. If it does not, report that
+        # as an error, as it seems to be a common issue.
+        namespace_url = "namespaces/%s" % (self.kube_config.qe_namespace)
+        response = self._execute_k8s_api("GET", namespace_url)
+        if response.status_code // 100 != 2:
+            msg = (
+                "A Kubernetes namespace with name `%s` must be created to save config"
+                % self.kube_config.qe_namespace
+            )
+            raise Exception(msg)
 
-    # Check if the secret exists. If not, then we create an empty secret and then update the file
-    # inside.
-    secret_url = 'namespaces/%s/secrets/%s' % (self.kube_config.qe_namespace, self.kube_config.qe_config_secret)
-    secret = self._lookup_secret()
-    if secret is None:
-      self._assert_success(self._execute_k8s_api('POST', secret_url, {
-        "kind": "Secret",
-        "apiVersion": "v1",
-        "metadata": {
-          "name": self.kube_config.qe_config_secret
-        },
-        "data": {}
-      }))
+        # Check if the secret exists. If not, then we create an empty secret and then update the file
+        # inside.
+        secret_url = "namespaces/%s/secrets/%s" % (
+            self.kube_config.qe_namespace,
+            self.kube_config.qe_config_secret,
+        )
+        secret = self._lookup_secret()
+        if secret is None:
+            self._assert_success(
+                self._execute_k8s_api(
+                    "POST",
+                    secret_url,
+                    {
+                        "kind": "Secret",
+                        "apiVersion": "v1",
+                        "metadata": {"name": self.kube_config.qe_config_secret},
+                        "data": {},
+                    },
+                )
+            )
 
-    # Update the secret to reflect the file change.
-    secret['data'] = secret.get('data', {})
+        # Update the secret to reflect the file change.
+        secret["data"] = secret.get("data", {})
 
-    if value is not None:
-      secret['data'][relative_file_path] = base64.b64encode(value)
-    else:
-      secret['data'].pop(relative_file_path)
+        if value is not None:
+            secret["data"][relative_file_path] = base64.b64encode(value)
+        else:
+            secret["data"].pop(relative_file_path)
 
-    self._assert_success(self._execute_k8s_api('PUT', secret_url, secret))
+        self._assert_success(self._execute_k8s_api("PUT", secret_url, secret))
 
-  def _lookup_secret(self):
-    secret_url = 'namespaces/%s/secrets/%s' % (self.kube_config.qe_namespace, self.kube_config.qe_config_secret)
-    response = self._execute_k8s_api('GET', secret_url)
-    if response.status_code != 200:
-      return None
-    return json.loads(response.text)
+    def _lookup_secret(self):
+        secret_url = "namespaces/%s/secrets/%s" % (
+            self.kube_config.qe_namespace,
+            self.kube_config.qe_config_secret,
+        )
+        response = self._execute_k8s_api("GET", secret_url)
+        if response.status_code != 200:
+            return None
+        return json.loads(response.text)
 
-  def _execute_k8s_api(self, method, relative_url, data=None, api_prefix='api/v1', content_type='application/json'):
-    headers = {
-      'Authorization': 'Bearer ' + self.kube_config.service_account_token
-    }
+    def _execute_k8s_api(
+        self,
+        method,
+        relative_url,
+        data=None,
+        api_prefix="api/v1",
+        content_type="application/json",
+    ):
+        headers = {"Authorization": "Bearer " + self.kube_config.service_account_token}
 
-    if data:
-      headers['Content-Type'] = content_type
+        if data:
+            headers["Content-Type"] = content_type
 
-    data = json.dumps(data) if data else None
-    session = Session()
-    url = 'https://%s/%s/%s' % (self.kube_config.api_host, api_prefix, relative_url)
+        data = json.dumps(data) if data else None
+        session = Session()
+        url = "https://%s/%s/%s" % (self.kube_config.api_host, api_prefix, relative_url)
 
-    request = Request(method, url, data=data, headers=headers)
-    return session.send(request.prepare(), verify=False, timeout=2)
+        request = Request(method, url, data=data, headers=headers)
+        return session.send(request.prepare(), verify=False, timeout=2)
diff --git a/config_app/config_util/k8sconfig.py b/config_app/config_util/k8sconfig.py
index c7e5ac3ed..7e4bd43b1 100644
--- a/config_app/config_util/k8sconfig.py
+++ b/config_app/config_util/k8sconfig.py
@@ -1,46 +1,59 @@
 import os
 
-SERVICE_ACCOUNT_TOKEN_PATH = '/var/run/secrets/kubernetes.io/serviceaccount/token'
+SERVICE_ACCOUNT_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"
 
-DEFAULT_QE_NAMESPACE = 'quay-enterprise'
-DEFAULT_QE_CONFIG_SECRET = 'quay-enterprise-config-secret'
+DEFAULT_QE_NAMESPACE = "quay-enterprise"
+DEFAULT_QE_CONFIG_SECRET = "quay-enterprise-config-secret"
 
 # The name of the quay enterprise deployment (not config app) that is used to query & rollout
-DEFAULT_QE_DEPLOYMENT_SELECTOR = 'app'
+DEFAULT_QE_DEPLOYMENT_SELECTOR = "app"
 
 
 def get_k8s_namespace():
-  return os.environ.get('QE_K8S_NAMESPACE', DEFAULT_QE_NAMESPACE)
+    return os.environ.get("QE_K8S_NAMESPACE", DEFAULT_QE_NAMESPACE)
 
 
 class KubernetesConfig(object):
-  def __init__(self, api_host='', service_account_token=SERVICE_ACCOUNT_TOKEN_PATH,
-               qe_namespace=DEFAULT_QE_NAMESPACE,
-               qe_config_secret=DEFAULT_QE_CONFIG_SECRET,
-               qe_deployment_selector=DEFAULT_QE_DEPLOYMENT_SELECTOR):
-    self.api_host = api_host
-    self.qe_namespace = qe_namespace
-    self.qe_config_secret = qe_config_secret
-    self.qe_deployment_selector = qe_deployment_selector
-    self.service_account_token = service_account_token
+    def __init__(
+        self,
+        api_host="",
+        service_account_token=SERVICE_ACCOUNT_TOKEN_PATH,
+        qe_namespace=DEFAULT_QE_NAMESPACE,
+        qe_config_secret=DEFAULT_QE_CONFIG_SECRET,
+        qe_deployment_selector=DEFAULT_QE_DEPLOYMENT_SELECTOR,
+    ):
+        self.api_host = api_host
+        self.qe_namespace = qe_namespace
+        self.qe_config_secret = qe_config_secret
+        self.qe_deployment_selector = qe_deployment_selector
+        self.service_account_token = service_account_token
 
-  @classmethod
-  def from_env(cls):
-    # Load the service account token from the local store.
-    if not os.path.exists(SERVICE_ACCOUNT_TOKEN_PATH):
-      raise Exception('Cannot load Kubernetes service account token')
+    @classmethod
+    def from_env(cls):
+        # Load the service account token from the local store.
+        if not os.path.exists(SERVICE_ACCOUNT_TOKEN_PATH):
+            raise Exception("Cannot load Kubernetes service account token")
 
-    with open(SERVICE_ACCOUNT_TOKEN_PATH, 'r') as f:
-      service_token = f.read()
+        with open(SERVICE_ACCOUNT_TOKEN_PATH, "r") as f:
+            service_token = f.read()
 
-    api_host = os.environ.get('KUBERNETES_SERVICE_HOST', '')
-    port = os.environ.get('KUBERNETES_SERVICE_PORT')
-    if port:
-      api_host += ':' + port
+        api_host = os.environ.get("KUBERNETES_SERVICE_HOST", "")
+        port = os.environ.get("KUBERNETES_SERVICE_PORT")
+        if port:
+            api_host += ":" + port
 
-    qe_namespace = get_k8s_namespace()
-    qe_config_secret = os.environ.get('QE_K8S_CONFIG_SECRET', DEFAULT_QE_CONFIG_SECRET)
-    qe_deployment_selector = os.environ.get('QE_DEPLOYMENT_SELECTOR', DEFAULT_QE_DEPLOYMENT_SELECTOR)
+        qe_namespace = get_k8s_namespace()
+        qe_config_secret = os.environ.get(
+            "QE_K8S_CONFIG_SECRET", DEFAULT_QE_CONFIG_SECRET
+        )
+        qe_deployment_selector = os.environ.get(
+            "QE_DEPLOYMENT_SELECTOR", DEFAULT_QE_DEPLOYMENT_SELECTOR
+        )
 
-    return cls(api_host=api_host, service_account_token=service_token, qe_namespace=qe_namespace,
-               qe_config_secret=qe_config_secret, qe_deployment_selector=qe_deployment_selector)
+        return cls(
+            api_host=api_host,
+            service_account_token=service_token,
+            qe_namespace=qe_namespace,
+            qe_config_secret=qe_config_secret,
+            qe_deployment_selector=qe_deployment_selector,
+        )
diff --git a/config_app/config_util/log.py b/config_app/config_util/log.py
index 783c9c2cd..65504debc 100644
--- a/config_app/config_util/log.py
+++ b/config_app/config_util/log.py
@@ -3,7 +3,7 @@ from config_app._init_config import CONF_DIR
 
 
 def logfile_path(jsonfmt=False, debug=False):
-  """
+    """
     Returns the a logfileconf path following this rules:
       - conf/logging_debug_json.conf # jsonfmt=true,  debug=true
       - conf/logging_json.conf       # jsonfmt=true,  debug=false
@@ -11,20 +11,20 @@ def logfile_path(jsonfmt=False, debug=False):
       - conf/logging.conf            # jsonfmt=false, debug=false
     Can be parametrized via envvars: JSONLOG=true, DEBUGLOG=true
   """
-  _json = ""
-  _debug = ""
+    _json = ""
+    _debug = ""
 
-  if jsonfmt or os.getenv('JSONLOG', 'false').lower() == 'true':
-    _json = "_json"
+    if jsonfmt or os.getenv("JSONLOG", "false").lower() == "true":
+        _json = "_json"
 
-  if debug or os.getenv('DEBUGLOG', 'false').lower() == 'true':
-    _debug = "_debug"
+    if debug or os.getenv("DEBUGLOG", "false").lower() == "true":
+        _debug = "_debug"
 
-  return os.path.join(CONF_DIR, "logging%s%s.conf" % (_debug, _json))
+    return os.path.join(CONF_DIR, "logging%s%s.conf" % (_debug, _json))
 
 
 def filter_logs(values, filtered_fields):
-  """
+    """
     Takes a dict and a list of keys to filter.
     eg:
      with filtered_fields:
@@ -34,14 +34,14 @@ def filter_logs(values, filtered_fields):
     the returned dict is:
       {'k1': {k2: 'filtered'}, 'k3': 'some-value'}
   """
-  for field in filtered_fields:
-    cdict = values
+    for field in filtered_fields:
+        cdict = values
 
-    for key in field['key'][:-1]:
-      if key in cdict:
-        cdict = cdict[key]
+        for key in field["key"][:-1]:
+            if key in cdict:
+                cdict = cdict[key]
 
-    last_key = field['key'][-1]
+        last_key = field["key"][-1]
 
-    if last_key in cdict and cdict[last_key]:
-      cdict[last_key] = field['fn'](cdict[last_key])
+        if last_key in cdict and cdict[last_key]:
+            cdict[last_key] = field["fn"](cdict[last_key])
diff --git a/config_app/config_util/ssl.py b/config_app/config_util/ssl.py
index e246bc937..98a412588 100644
--- a/config_app/config_util/ssl.py
+++ b/config_app/config_util/ssl.py
@@ -4,82 +4,86 @@ import OpenSSL
 
 
 class CertInvalidException(Exception):
-  """ Exception raised when a certificate could not be parsed/loaded. """
-  pass
+    """ Exception raised when a certificate could not be parsed/loaded. """
+
+    pass
 
 
 class KeyInvalidException(Exception):
-  """ Exception raised when a key could not be parsed/loaded or successfully applied to a cert. """
-  pass
+    """ Exception raised when a key could not be parsed/loaded or successfully applied to a cert. """
+
+    pass
 
 
 def load_certificate(cert_contents):
-  """ Loads the certificate from the given contents and returns it or raises a CertInvalidException
+    """ Loads the certificate from the given contents and returns it or raises a CertInvalidException
       on failure.
   """
-  try:
-    cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, cert_contents)
-    return SSLCertificate(cert)
-  except OpenSSL.crypto.Error as ex:
-    raise CertInvalidException(ex.message[0][2])
+    try:
+        cert = OpenSSL.crypto.load_certificate(
+            OpenSSL.crypto.FILETYPE_PEM, cert_contents
+        )
+        return SSLCertificate(cert)
+    except OpenSSL.crypto.Error as ex:
+        raise CertInvalidException(ex.message[0][2])
 
 
-_SUBJECT_ALT_NAME = 'subjectAltName'
+_SUBJECT_ALT_NAME = "subjectAltName"
 
 
 class SSLCertificate(object):
-  """ Helper class for easier working with SSL certificates. """
+    """ Helper class for easier working with SSL certificates. """
 
-  def __init__(self, openssl_cert):
-    self.openssl_cert = openssl_cert
+    def __init__(self, openssl_cert):
+        self.openssl_cert = openssl_cert
 
-  def validate_private_key(self, private_key_path):
-    """ Validates that the private key found at the given file path applies to this certificate.
+    def validate_private_key(self, private_key_path):
+        """ Validates that the private key found at the given file path applies to this certificate.
         Raises a KeyInvalidException on failure.
     """
-    context = OpenSSL.SSL.Context(OpenSSL.SSL.TLSv1_METHOD)
-    context.use_certificate(self.openssl_cert)
+        context = OpenSSL.SSL.Context(OpenSSL.SSL.TLSv1_METHOD)
+        context.use_certificate(self.openssl_cert)
 
-    try:
-      context.use_privatekey_file(private_key_path)
-      context.check_privatekey()
-    except OpenSSL.SSL.Error as ex:
-      raise KeyInvalidException(ex.message[0][2])
+        try:
+            context.use_privatekey_file(private_key_path)
+            context.check_privatekey()
+        except OpenSSL.SSL.Error as ex:
+            raise KeyInvalidException(ex.message[0][2])
 
-  def matches_name(self, check_name):
-    """ Returns true if this SSL certificate matches the given DNS hostname. """
-    for dns_name in self.names:
-      if fnmatch(check_name, dns_name):
-        return True
+    def matches_name(self, check_name):
+        """ Returns true if this SSL certificate matches the given DNS hostname. """
+        for dns_name in self.names:
+            if fnmatch(check_name, dns_name):
+                return True
 
-    return False
+        return False
 
-  @property
-  def expired(self):
-    """ Returns whether the SSL certificate has expired. """
-    return self.openssl_cert.has_expired()
+    @property
+    def expired(self):
+        """ Returns whether the SSL certificate has expired. """
+        return self.openssl_cert.has_expired()
 
-  @property
-  def common_name(self):
-    """ Returns the defined common name for the certificate, if any. """
-    return self.openssl_cert.get_subject().commonName
+    @property
+    def common_name(self):
+        """ Returns the defined common name for the certificate, if any. """
+        return self.openssl_cert.get_subject().commonName
 
-  @property
-  def names(self):
-    """ Returns all the DNS named to which the certificate applies. May be empty. """
-    dns_names = set()
-    common_name = self.common_name
-    if common_name is not None:
-      dns_names.add(common_name)
+    @property
+    def names(self):
+        """ Returns all the DNS named to which the certificate applies. May be empty. """
+        dns_names = set()
+        common_name = self.common_name
+        if common_name is not None:
+            dns_names.add(common_name)
 
-    # Find the DNS extension, if any.
-    for i in range(0, self.openssl_cert.get_extension_count()):
-      ext = self.openssl_cert.get_extension(i)
-      if ext.get_short_name() == _SUBJECT_ALT_NAME:
-        value = str(ext)
-        for san_name in value.split(','):
-          san_name_trimmed = san_name.strip()
-          if san_name_trimmed.startswith('DNS:'):
-            dns_names.add(san_name_trimmed[4:])
+        # Find the DNS extension, if any.
+        for i in range(0, self.openssl_cert.get_extension_count()):
+            ext = self.openssl_cert.get_extension(i)
+            if ext.get_short_name() == _SUBJECT_ALT_NAME:
+                value = str(ext)
+                for san_name in value.split(","):
+                    san_name_trimmed = san_name.strip()
+                    if san_name_trimmed.startswith("DNS:"):
+                        dns_names.add(san_name_trimmed[4:])
 
-    return dns_names
+        return dns_names
diff --git a/config_app/config_util/tar.py b/config_app/config_util/tar.py
index c1dd2e608..bdff6143e 100644
--- a/config_app/config_util/tar.py
+++ b/config_app/config_util/tar.py
@@ -2,21 +2,21 @@ from util.config.validator import EXTRA_CA_DIRECTORY
 
 
 def strip_absolute_path_and_add_trailing_dir(path):
-  """
+    """
   Removes the initial trailing / from the prefix path, and add the last dir one
   """
-  return path[1:] + '/'
+    return path[1:] + "/"
 
 
 def tarinfo_filter_partial(prefix):
-  def tarinfo_filter(tarinfo):
-    # remove leading directory info
-    tarinfo.name = tarinfo.name.replace(prefix, '')
+    def tarinfo_filter(tarinfo):
+        # remove leading directory info
+        tarinfo.name = tarinfo.name.replace(prefix, "")
 
-    # ignore any directory that isn't the specified extra ca one:
-    if tarinfo.isdir() and not tarinfo.name == EXTRA_CA_DIRECTORY:
-      return None
+        # ignore any directory that isn't the specified extra ca one:
+        if tarinfo.isdir() and not tarinfo.name == EXTRA_CA_DIRECTORY:
+            return None
 
-    return tarinfo
+        return tarinfo
 
-  return tarinfo_filter
+    return tarinfo_filter
diff --git a/config_app/config_util/test/test_k8saccessor.py b/config_app/config_util/test/test_k8saccessor.py
index 9cf817064..ee99245d6 100644
--- a/config_app/config_util/test/test_k8saccessor.py
+++ b/config_app/config_util/test/test_k8saccessor.py
@@ -2,115 +2,218 @@ import pytest
 
 from httmock import urlmatch, HTTMock, response
 
-from config_app.config_util.k8saccessor import KubernetesAccessorSingleton, _deployment_rollout_status_message
+from config_app.config_util.k8saccessor import (
+    KubernetesAccessorSingleton,
+    _deployment_rollout_status_message,
+)
 from config_app.config_util.k8sconfig import KubernetesConfig
 
 
-@pytest.mark.parametrize('deployment_object, expected_status, expected_message', [
-  ({'metadata': {'generation': 1},
-    'status': {'observedGeneration': 0, 'conditions': []},
-    'spec': {'replicas': 0}},
-   'progressing',
-   'Waiting for deployment spec to be updated...'),
-  ({'metadata': {'generation': 0},
-    'status': {'observedGeneration': 0, 'conditions': [{'type': 'Progressing', 'reason': 'ProgressDeadlineExceeded'}]},
-    'spec': {'replicas': 0}},
-   'failed',
-   "Deployment my-deployment's rollout failed. Please try again later."),
-  ({'metadata': {'generation': 0},
-    'status': {'observedGeneration': 0, 'conditions': []},
-    'spec': {'replicas': 0}},
-   'available',
-   'Deployment my-deployment updated (no replicas, so nothing to roll out)'),
-  ({'metadata': {'generation': 0},
-    'status': {'observedGeneration': 0, 'conditions': [], 'replicas': 1},
-    'spec': {'replicas': 2}},
-   'progressing',
-   'Waiting for rollout to finish: 0 out of 2 new replicas have been updated...'),
-  ({'metadata': {'generation': 0},
-    'status': {'observedGeneration': 0, 'conditions': [], 'replicas': 1, 'updatedReplicas': 1},
-    'spec': {'replicas': 2}},
-   'progressing',
-   'Waiting for rollout to finish: 1 out of 2 new replicas have been updated...'),
-  ({'metadata': {'generation': 0},
-    'status': {'observedGeneration': 0, 'conditions': [], 'replicas': 2, 'updatedReplicas': 1},
-    'spec': {'replicas': 1}},
-   'progressing',
-   'Waiting for rollout to finish: 1 old replicas are pending termination...'),
-  ({'metadata': {'generation': 0},
-    'status': {'observedGeneration': 0, 'conditions': [], 'replicas': 1, 'updatedReplicas': 2, 'availableReplicas': 0},
-    'spec': {'replicas': 0}},
-   'progressing',
-   'Waiting for rollout to finish: 0 of 2 updated replicas are available...'),
-  ({'metadata': {'generation': 0},
-    'status': {'observedGeneration': 0, 'conditions': [], 'replicas': 1, 'updatedReplicas': 2, 'availableReplicas': 2},
-    'spec': {'replicas': 0}},
-   'available',
-   'Deployment my-deployment successfully rolled out.'),
-])
-def test_deployment_rollout_status_message(deployment_object, expected_status, expected_message):
-  deployment_status = _deployment_rollout_status_message(deployment_object, 'my-deployment')
-  assert deployment_status.status == expected_status
-  assert deployment_status.message == expected_message
+@pytest.mark.parametrize(
+    "deployment_object, expected_status, expected_message",
+    [
+        (
+            {
+                "metadata": {"generation": 1},
+                "status": {"observedGeneration": 0, "conditions": []},
+                "spec": {"replicas": 0},
+            },
+            "progressing",
+            "Waiting for deployment spec to be updated...",
+        ),
+        (
+            {
+                "metadata": {"generation": 0},
+                "status": {
+                    "observedGeneration": 0,
+                    "conditions": [
+                        {"type": "Progressing", "reason": "ProgressDeadlineExceeded"}
+                    ],
+                },
+                "spec": {"replicas": 0},
+            },
+            "failed",
+            "Deployment my-deployment's rollout failed. Please try again later.",
+        ),
+        (
+            {
+                "metadata": {"generation": 0},
+                "status": {"observedGeneration": 0, "conditions": []},
+                "spec": {"replicas": 0},
+            },
+            "available",
+            "Deployment my-deployment updated (no replicas, so nothing to roll out)",
+        ),
+        (
+            {
+                "metadata": {"generation": 0},
+                "status": {"observedGeneration": 0, "conditions": [], "replicas": 1},
+                "spec": {"replicas": 2},
+            },
+            "progressing",
+            "Waiting for rollout to finish: 0 out of 2 new replicas have been updated...",
+        ),
+        (
+            {
+                "metadata": {"generation": 0},
+                "status": {
+                    "observedGeneration": 0,
+                    "conditions": [],
+                    "replicas": 1,
+                    "updatedReplicas": 1,
+                },
+                "spec": {"replicas": 2},
+            },
+            "progressing",
+            "Waiting for rollout to finish: 1 out of 2 new replicas have been updated...",
+        ),
+        (
+            {
+                "metadata": {"generation": 0},
+                "status": {
+                    "observedGeneration": 0,
+                    "conditions": [],
+                    "replicas": 2,
+                    "updatedReplicas": 1,
+                },
+                "spec": {"replicas": 1},
+            },
+            "progressing",
+            "Waiting for rollout to finish: 1 old replicas are pending termination...",
+        ),
+        (
+            {
+                "metadata": {"generation": 0},
+                "status": {
+                    "observedGeneration": 0,
+                    "conditions": [],
+                    "replicas": 1,
+                    "updatedReplicas": 2,
+                    "availableReplicas": 0,
+                },
+                "spec": {"replicas": 0},
+            },
+            "progressing",
+            "Waiting for rollout to finish: 0 of 2 updated replicas are available...",
+        ),
+        (
+            {
+                "metadata": {"generation": 0},
+                "status": {
+                    "observedGeneration": 0,
+                    "conditions": [],
+                    "replicas": 1,
+                    "updatedReplicas": 2,
+                    "availableReplicas": 2,
+                },
+                "spec": {"replicas": 0},
+            },
+            "available",
+            "Deployment my-deployment successfully rolled out.",
+        ),
+    ],
+)
+def test_deployment_rollout_status_message(
+    deployment_object, expected_status, expected_message
+):
+    deployment_status = _deployment_rollout_status_message(
+        deployment_object, "my-deployment"
+    )
+    assert deployment_status.status == expected_status
+    assert deployment_status.message == expected_message
 
 
-@pytest.mark.parametrize('kube_config, expected_api, expected_query', [
-  ({'api_host': 'www.customhost.com'},
-   '/apis/extensions/v1beta1/namespaces/quay-enterprise/deployments', 'labelSelector=quay-enterprise-component%3Dapp'),
-
-  ({'api_host': 'www.customhost.com', 'qe_deployment_selector': 'custom-selector'},
-   '/apis/extensions/v1beta1/namespaces/quay-enterprise/deployments',
-   'labelSelector=quay-enterprise-component%3Dcustom-selector'),
-
-  ({'api_host': 'www.customhost.com', 'qe_namespace': 'custom-namespace'},
-   '/apis/extensions/v1beta1/namespaces/custom-namespace/deployments', 'labelSelector=quay-enterprise-component%3Dapp'),
-
-  ({'api_host': 'www.customhost.com', 'qe_namespace': 'custom-namespace', 'qe_deployment_selector': 'custom-selector'},
-   '/apis/extensions/v1beta1/namespaces/custom-namespace/deployments',
-   'labelSelector=quay-enterprise-component%3Dcustom-selector'),
-])
+@pytest.mark.parametrize(
+    "kube_config, expected_api, expected_query",
+    [
+        (
+            {"api_host": "www.customhost.com"},
+            "/apis/extensions/v1beta1/namespaces/quay-enterprise/deployments",
+            "labelSelector=quay-enterprise-component%3Dapp",
+        ),
+        (
+            {
+                "api_host": "www.customhost.com",
+                "qe_deployment_selector": "custom-selector",
+            },
+            "/apis/extensions/v1beta1/namespaces/quay-enterprise/deployments",
+            "labelSelector=quay-enterprise-component%3Dcustom-selector",
+        ),
+        (
+            {"api_host": "www.customhost.com", "qe_namespace": "custom-namespace"},
+            "/apis/extensions/v1beta1/namespaces/custom-namespace/deployments",
+            "labelSelector=quay-enterprise-component%3Dapp",
+        ),
+        (
+            {
+                "api_host": "www.customhost.com",
+                "qe_namespace": "custom-namespace",
+                "qe_deployment_selector": "custom-selector",
+            },
+            "/apis/extensions/v1beta1/namespaces/custom-namespace/deployments",
+            "labelSelector=quay-enterprise-component%3Dcustom-selector",
+        ),
+    ],
+)
 def test_get_qe_deployments(kube_config, expected_api, expected_query):
-  config = KubernetesConfig(**kube_config)
-  url_hit = [False]
+    config = KubernetesConfig(**kube_config)
+    url_hit = [False]
 
-  @urlmatch(netloc=r'www.customhost.com')
-  def handler(request, _):
-    assert request.path == expected_api
-    assert request.query == expected_query
-    url_hit[0] = True
-    return response(200, '{}')
+    @urlmatch(netloc=r"www.customhost.com")
+    def handler(request, _):
+        assert request.path == expected_api
+        assert request.query == expected_query
+        url_hit[0] = True
+        return response(200, "{}")
 
-  with HTTMock(handler):
-    KubernetesAccessorSingleton._instance = None
-    assert KubernetesAccessorSingleton.get_instance(config).get_qe_deployments() is not None
+    with HTTMock(handler):
+        KubernetesAccessorSingleton._instance = None
+        assert (
+            KubernetesAccessorSingleton.get_instance(config).get_qe_deployments()
+            is not None
+        )
 
-  assert url_hit[0]
+    assert url_hit[0]
 
 
-@pytest.mark.parametrize('kube_config, deployment_names, expected_api_hits', [
-  ({'api_host': 'www.customhost.com'}, [], []),
-  ({'api_host': 'www.customhost.com'}, ['myDeployment'],
-   ['/apis/extensions/v1beta1/namespaces/quay-enterprise/deployments/myDeployment']),
-  ({'api_host': 'www.customhost.com', 'qe_namespace': 'custom-namespace'},
-   ['myDeployment', 'otherDeployment'],
-   ['/apis/extensions/v1beta1/namespaces/custom-namespace/deployments/myDeployment',
-    '/apis/extensions/v1beta1/namespaces/custom-namespace/deployments/otherDeployment']),
-])
+@pytest.mark.parametrize(
+    "kube_config, deployment_names, expected_api_hits",
+    [
+        ({"api_host": "www.customhost.com"}, [], []),
+        (
+            {"api_host": "www.customhost.com"},
+            ["myDeployment"],
+            [
+                "/apis/extensions/v1beta1/namespaces/quay-enterprise/deployments/myDeployment"
+            ],
+        ),
+        (
+            {"api_host": "www.customhost.com", "qe_namespace": "custom-namespace"},
+            ["myDeployment", "otherDeployment"],
+            [
+                "/apis/extensions/v1beta1/namespaces/custom-namespace/deployments/myDeployment",
+                "/apis/extensions/v1beta1/namespaces/custom-namespace/deployments/otherDeployment",
+            ],
+        ),
+    ],
+)
 def test_cycle_qe_deployments(kube_config, deployment_names, expected_api_hits):
-  KubernetesAccessorSingleton._instance = None
+    KubernetesAccessorSingleton._instance = None
 
-  config = KubernetesConfig(**kube_config)
-  url_hit = [False] * len(expected_api_hits)
-  i = [0]
+    config = KubernetesConfig(**kube_config)
+    url_hit = [False] * len(expected_api_hits)
+    i = [0]
 
-  @urlmatch(netloc=r'www.customhost.com', method='PATCH')
-  def handler(request, _):
-    assert request.path == expected_api_hits[i[0]]
-    url_hit[i[0]] = True
-    i[0] += 1
-    return response(200, '{}')
+    @urlmatch(netloc=r"www.customhost.com", method="PATCH")
+    def handler(request, _):
+        assert request.path == expected_api_hits[i[0]]
+        url_hit[i[0]] = True
+        i[0] += 1
+        return response(200, "{}")
 
-  with HTTMock(handler):
-    KubernetesAccessorSingleton.get_instance(config).cycle_qe_deployments(deployment_names)
+    with HTTMock(handler):
+        KubernetesAccessorSingleton.get_instance(config).cycle_qe_deployments(
+            deployment_names
+        )
 
-  assert all(url_hit)
+    assert all(url_hit)
diff --git a/config_app/config_util/test/test_tar.py b/config_app/config_util/test/test_tar.py
index b5d2a5621..235a36929 100644
--- a/config_app/config_util/test/test_tar.py
+++ b/config_app/config_util/test/test_tar.py
@@ -8,25 +8,39 @@ from test.fixtures import *
 
 
 class MockTarInfo:
-  def __init__(self, name, isdir):
-    self.name = name
-    self.isdir = lambda: isdir
+    def __init__(self, name, isdir):
+        self.name = name
+        self.isdir = lambda: isdir
 
-  def __eq__(self, other):
-    return other is not None and self.name == other.name
+    def __eq__(self, other):
+        return other is not None and self.name == other.name
 
 
-@pytest.mark.parametrize('prefix,tarinfo,expected', [
-  # It should handle simple files
-  ('Users/sam/', MockTarInfo('Users/sam/config.yaml', False), MockTarInfo('config.yaml', False)),
-  # It should allow the extra CA dir
-  ('Users/sam/', MockTarInfo('Users/sam/%s' % EXTRA_CA_DIRECTORY, True), MockTarInfo('%s' % EXTRA_CA_DIRECTORY, True)),
-  # it should allow a file in that extra dir
-  ('Users/sam/', MockTarInfo('Users/sam/%s/cert.crt' % EXTRA_CA_DIRECTORY, False),
-   MockTarInfo('%s/cert.crt' % EXTRA_CA_DIRECTORY, False)),
-  # it should not allow a directory that isn't the CA dir
-  ('Users/sam/', MockTarInfo('Users/sam/dirignore', True), None),
-])
+@pytest.mark.parametrize(
+    "prefix,tarinfo,expected",
+    [
+        # It should handle simple files
+        (
+            "Users/sam/",
+            MockTarInfo("Users/sam/config.yaml", False),
+            MockTarInfo("config.yaml", False),
+        ),
+        # It should allow the extra CA dir
+        (
+            "Users/sam/",
+            MockTarInfo("Users/sam/%s" % EXTRA_CA_DIRECTORY, True),
+            MockTarInfo("%s" % EXTRA_CA_DIRECTORY, True),
+        ),
+        # it should allow a file in that extra dir
+        (
+            "Users/sam/",
+            MockTarInfo("Users/sam/%s/cert.crt" % EXTRA_CA_DIRECTORY, False),
+            MockTarInfo("%s/cert.crt" % EXTRA_CA_DIRECTORY, False),
+        ),
+        # it should not allow a directory that isn't the CA dir
+        ("Users/sam/", MockTarInfo("Users/sam/dirignore", True), None),
+    ],
+)
 def test_tarinfo_filter(prefix, tarinfo, expected):
-  partial = tarinfo_filter_partial(prefix)
-  assert partial(tarinfo) == expected
+    partial = tarinfo_filter_partial(prefix)
+    assert partial(tarinfo) == expected
diff --git a/config_app/config_web.py b/config_app/config_web.py
index bb283c3cf..7e1b21529 100644
--- a/config_app/config_web.py
+++ b/config_app/config_web.py
@@ -3,4 +3,4 @@ from config_app.config_endpoints.api import api_bp
 from config_app.config_endpoints.setup_web import setup_web
 
 application.register_blueprint(setup_web)
-application.register_blueprint(api_bp, url_prefix='/api')
+application.register_blueprint(api_bp, url_prefix="/api")
diff --git a/data/appr_model/__init__.py b/data/appr_model/__init__.py
index 7c9620864..d7cabc012 100644
--- a/data/appr_model/__init__.py
+++ b/data/appr_model/__init__.py
@@ -1,9 +1,9 @@
 from data.appr_model import (
-  blob,
-  channel,
-  manifest,
-  manifest_list,
-  package,
-  release,
-  tag,
+    blob,
+    channel,
+    manifest,
+    manifest_list,
+    package,
+    release,
+    tag,
 )
diff --git a/data/appr_model/blob.py b/data/appr_model/blob.py
index d340a7491..9ee118994 100644
--- a/data/appr_model/blob.py
+++ b/data/appr_model/blob.py
@@ -6,71 +6,79 @@ from data.model import db_transaction
 
 logger = logging.getLogger(__name__)
 
+
 def _ensure_sha256_header(digest):
-  if digest.startswith('sha256:'):
-    return digest
-  return 'sha256:' + digest
+    if digest.startswith("sha256:"):
+        return digest
+    return "sha256:" + digest
 
 
 def get_blob(digest, models_ref):
-  """ Find a blob by its digest. """
-  Blob = models_ref.Blob
-  return Blob.select().where(Blob.digest == _ensure_sha256_header(digest)).get()
+    """ Find a blob by its digest. """
+    Blob = models_ref.Blob
+    return Blob.select().where(Blob.digest == _ensure_sha256_header(digest)).get()
 
 
 def get_or_create_blob(digest, size, media_type_name, locations, models_ref):
-  """ Try to find a blob by its digest or create it. """
-  Blob = models_ref.Blob
-  BlobPlacement = models_ref.BlobPlacement
+    """ Try to find a blob by its digest or create it. """
+    Blob = models_ref.Blob
+    BlobPlacement = models_ref.BlobPlacement
 
-  # Get or create the blog entry for the digest.
-  try:
-    blob = get_blob(digest, models_ref)
-    logger.debug('Retrieved blob with digest %s', digest)
-  except Blob.DoesNotExist:
-    blob = Blob.create(digest=_ensure_sha256_header(digest),
-                       media_type_id=Blob.media_type.get_id(media_type_name),
-                       size=size)
-    logger.debug('Created blob with digest %s', digest)
-
-  # Add the locations to the blob.
-  for location_name in locations:
-    location_id = BlobPlacement.location.get_id(location_name)
+    # Get or create the blog entry for the digest.
     try:
-      BlobPlacement.create(blob=blob, location=location_id)
-    except IntegrityError:
-      logger.debug('Location %s already existing for blob %s', location_name, blob.id)
+        blob = get_blob(digest, models_ref)
+        logger.debug("Retrieved blob with digest %s", digest)
+    except Blob.DoesNotExist:
+        blob = Blob.create(
+            digest=_ensure_sha256_header(digest),
+            media_type_id=Blob.media_type.get_id(media_type_name),
+            size=size,
+        )
+        logger.debug("Created blob with digest %s", digest)
 
-  return blob
+    # Add the locations to the blob.
+    for location_name in locations:
+        location_id = BlobPlacement.location.get_id(location_name)
+        try:
+            BlobPlacement.create(blob=blob, location=location_id)
+        except IntegrityError:
+            logger.debug(
+                "Location %s already existing for blob %s", location_name, blob.id
+            )
+
+    return blob
 
 
 def get_blob_locations(digest, models_ref):
-  """ Find all locations names for a blob. """
-  Blob = models_ref.Blob
-  BlobPlacement = models_ref.BlobPlacement
-  BlobPlacementLocation = models_ref.BlobPlacementLocation
+    """ Find all locations names for a blob. """
+    Blob = models_ref.Blob
+    BlobPlacement = models_ref.BlobPlacement
+    BlobPlacementLocation = models_ref.BlobPlacementLocation
 
-  return [x.name for x in
-          BlobPlacementLocation
-          .select()
-          .join(BlobPlacement)
-          .join(Blob)
-          .where(Blob.digest == _ensure_sha256_header(digest))]
+    return [
+        x.name
+        for x in BlobPlacementLocation.select()
+        .join(BlobPlacement)
+        .join(Blob)
+        .where(Blob.digest == _ensure_sha256_header(digest))
+    ]
 
 
 def ensure_blob_locations(models_ref, *names):
-  BlobPlacementLocation = models_ref.BlobPlacementLocation
+    BlobPlacementLocation = models_ref.BlobPlacementLocation
 
-  with db_transaction():
-    locations = BlobPlacementLocation.select().where(BlobPlacementLocation.name << names)
+    with db_transaction():
+        locations = BlobPlacementLocation.select().where(
+            BlobPlacementLocation.name << names
+        )
 
-    insert_names = list(names)
+        insert_names = list(names)
 
-    for location in locations:
-      insert_names.remove(location.name)
+        for location in locations:
+            insert_names.remove(location.name)
 
-    if not insert_names:
-      return
+        if not insert_names:
+            return
 
-    data = [{'name': name} for name in insert_names]
-    BlobPlacementLocation.insert_many(data).execute()
+        data = [{"name": name} for name in insert_names]
+        BlobPlacementLocation.insert_many(data).execute()
diff --git a/data/appr_model/channel.py b/data/appr_model/channel.py
index 3631d97a5..297cf144e 100644
--- a/data/appr_model/channel.py
+++ b/data/appr_model/channel.py
@@ -2,63 +2,68 @@ from data.appr_model import tag as tag_model
 
 
 def get_channel_releases(repo, channel, models_ref):
-  """ Return all previously linked tags.
+    """ Return all previously linked tags.
       This works based upon Tag lifetimes.
   """
-  Channel = models_ref.Channel
-  Tag = models_ref.Tag
+    Channel = models_ref.Channel
+    Tag = models_ref.Tag
 
-  tag_kind_id = Channel.tag_kind.get_id('channel')
-  channel_name = channel.name
-  return (Tag
-          .select(Tag, Channel)
-          .join(Channel, on=(Tag.id == Channel.linked_tag))
-          .where(Channel.repository == repo,
-                 Channel.name == channel_name,
-                 Channel.tag_kind == tag_kind_id, Channel.lifetime_end != None)
-          .order_by(Tag.lifetime_end))
+    tag_kind_id = Channel.tag_kind.get_id("channel")
+    channel_name = channel.name
+    return (
+        Tag.select(Tag, Channel)
+        .join(Channel, on=(Tag.id == Channel.linked_tag))
+        .where(
+            Channel.repository == repo,
+            Channel.name == channel_name,
+            Channel.tag_kind == tag_kind_id,
+            Channel.lifetime_end != None,
+        )
+        .order_by(Tag.lifetime_end)
+    )
 
 
 def get_channel(repo, channel_name, models_ref):
-  """ Find a Channel by name. """
-  channel = tag_model.get_tag(repo, channel_name, models_ref, "channel")
-  return channel
+    """ Find a Channel by name. """
+    channel = tag_model.get_tag(repo, channel_name, models_ref, "channel")
+    return channel
 
 
 def get_tag_channels(repo, tag_name, models_ref, active=True):
-  """ Find the Channels associated with a Tag. """
-  Tag = models_ref.Tag
+    """ Find the Channels associated with a Tag. """
+    Tag = models_ref.Tag
 
-  tag = tag_model.get_tag(repo, tag_name, models_ref, "release")
-  query = tag.tag_parents
+    tag = tag_model.get_tag(repo, tag_name, models_ref, "release")
+    query = tag.tag_parents
 
-  if active:
-    query = tag_model.tag_is_alive(query, Tag)
+    if active:
+        query = tag_model.tag_is_alive(query, Tag)
 
-  return query
+    return query
 
 
 def delete_channel(repo, channel_name, models_ref):
-  """ Delete a channel by name. """
-  return tag_model.delete_tag(repo, channel_name, models_ref, "channel")
+    """ Delete a channel by name. """
+    return tag_model.delete_tag(repo, channel_name, models_ref, "channel")
 
 
 def create_or_update_channel(repo, channel_name, tag_name, models_ref):
-  """ Creates or updates a channel to include a particular tag. """
-  tag = tag_model.get_tag(repo, tag_name, models_ref, 'release')
-  return tag_model.create_or_update_tag(repo, channel_name, models_ref, linked_tag=tag,
-                                        tag_kind="channel")
+    """ Creates or updates a channel to include a particular tag. """
+    tag = tag_model.get_tag(repo, tag_name, models_ref, "release")
+    return tag_model.create_or_update_tag(
+        repo, channel_name, models_ref, linked_tag=tag, tag_kind="channel"
+    )
 
 
 def get_repo_channels(repo, models_ref):
-  """ Creates or updates a channel to include a particular tag. """
-  Channel = models_ref.Channel
-  Tag = models_ref.Tag
+    """ Creates or updates a channel to include a particular tag. """
+    Channel = models_ref.Channel
+    Tag = models_ref.Tag
 
-  tag_kind_id = Channel.tag_kind.get_id('channel')
-  query = (Channel
-           .select(Channel, Tag)
-           .join(Tag, on=(Tag.id == Channel.linked_tag))
-           .where(Channel.repository == repo,
-                  Channel.tag_kind == tag_kind_id))
-  return tag_model.tag_is_alive(query, Channel)
+    tag_kind_id = Channel.tag_kind.get_id("channel")
+    query = (
+        Channel.select(Channel, Tag)
+        .join(Tag, on=(Tag.id == Channel.linked_tag))
+        .where(Channel.repository == repo, Channel.tag_kind == tag_kind_id)
+    )
+    return tag_model.tag_is_alive(query, Channel)
diff --git a/data/appr_model/manifest.py b/data/appr_model/manifest.py
index f08be8d9b..36a75d848 100644
--- a/data/appr_model/manifest.py
+++ b/data/appr_model/manifest.py
@@ -12,56 +12,65 @@ logger = logging.getLogger(__name__)
 
 
 def _ensure_sha256_header(digest):
-  if digest.startswith('sha256:'):
-    return digest
-  return 'sha256:' + digest
+    if digest.startswith("sha256:"):
+        return digest
+    return "sha256:" + digest
 
 
 def _digest(manifestjson):
-  return _ensure_sha256_header(hashlib.sha256(json.dumps(manifestjson, sort_keys=True)).hexdigest())
+    return _ensure_sha256_header(
+        hashlib.sha256(json.dumps(manifestjson, sort_keys=True)).hexdigest()
+    )
 
 
 def get_manifest_query(digest, media_type, models_ref):
-  Manifest = models_ref.Manifest
-  return Manifest.select().where(Manifest.digest == _ensure_sha256_header(digest),
-                                 Manifest.media_type == Manifest.media_type.get_id(media_type))
+    Manifest = models_ref.Manifest
+    return Manifest.select().where(
+        Manifest.digest == _ensure_sha256_header(digest),
+        Manifest.media_type == Manifest.media_type.get_id(media_type),
+    )
 
 
 def get_manifest_with_blob(digest, media_type, models_ref):
-  Blob = models_ref.Blob
-  query = get_manifest_query(digest, media_type, models_ref)
-  return query.join(Blob).get()
+    Blob = models_ref.Blob
+    query = get_manifest_query(digest, media_type, models_ref)
+    return query.join(Blob).get()
 
 
 def get_or_create_manifest(manifest_json, media_type_name, models_ref):
-  Manifest = models_ref.Manifest
-  digest = _digest(manifest_json)
-  try:
-    manifest = get_manifest_query(digest, media_type_name, models_ref).get()
-  except Manifest.DoesNotExist:
-    with db_transaction():
-      manifest = Manifest.create(digest=digest,
-                                 manifest_json=manifest_json,
-                                 media_type=Manifest.media_type.get_id(media_type_name))
-  return manifest
+    Manifest = models_ref.Manifest
+    digest = _digest(manifest_json)
+    try:
+        manifest = get_manifest_query(digest, media_type_name, models_ref).get()
+    except Manifest.DoesNotExist:
+        with db_transaction():
+            manifest = Manifest.create(
+                digest=digest,
+                manifest_json=manifest_json,
+                media_type=Manifest.media_type.get_id(media_type_name),
+            )
+    return manifest
+
 
 def get_manifest_types(repo, models_ref, release=None):
-  """ Returns an array of MediaTypes.name for a repo, can filter by tag """
-  Tag = models_ref.Tag
-  ManifestListManifest = models_ref.ManifestListManifest
+    """ Returns an array of MediaTypes.name for a repo, can filter by tag """
+    Tag = models_ref.Tag
+    ManifestListManifest = models_ref.ManifestListManifest
 
-  query = tag_model.tag_is_alive(Tag
-                                  .select(MediaType.name)
-                                  .join(ManifestListManifest,
-                                        on=(ManifestListManifest.manifest_list == Tag.manifest_list))
-                                  .join(MediaType,
-                                        on=(ManifestListManifest.media_type == MediaType.id))
-                                  .where(Tag.repository == repo,
-                                         Tag.tag_kind == Tag.tag_kind.get_id('release')), Tag)
-  if release:
-    query = query.where(Tag.name == release)
+    query = tag_model.tag_is_alive(
+        Tag.select(MediaType.name)
+        .join(
+            ManifestListManifest,
+            on=(ManifestListManifest.manifest_list == Tag.manifest_list),
+        )
+        .join(MediaType, on=(ManifestListManifest.media_type == MediaType.id))
+        .where(Tag.repository == repo, Tag.tag_kind == Tag.tag_kind.get_id("release")),
+        Tag,
+    )
+    if release:
+        query = query.where(Tag.name == release)
 
-  manifests = set()
-  for m in query.distinct().tuples():
-    manifests.add(get_media_type(m[0]))
-  return manifests
+    manifests = set()
+    for m in query.distinct().tuples():
+        manifests.add(get_media_type(m[0]))
+    return manifests
diff --git a/data/appr_model/manifest_list.py b/data/appr_model/manifest_list.py
index 92b10be6e..87010ccc3 100644
--- a/data/appr_model/manifest_list.py
+++ b/data/appr_model/manifest_list.py
@@ -9,59 +9,80 @@ logger = logging.getLogger(__name__)
 
 
 def _ensure_sha256_header(digest):
-  if digest.startswith('sha256:'):
-    return digest
-  return 'sha256:' + digest
+    if digest.startswith("sha256:"):
+        return digest
+    return "sha256:" + digest
 
 
 def _digest(manifestjson):
-  return _ensure_sha256_header(hashlib.sha256(json.dumps(manifestjson, sort_keys=True)).hexdigest())
+    return _ensure_sha256_header(
+        hashlib.sha256(json.dumps(manifestjson, sort_keys=True)).hexdigest()
+    )
 
 
 def get_manifest_list(digest, models_ref):
-  ManifestList = models_ref.ManifestList
-  return ManifestList.select().where(ManifestList.digest == _ensure_sha256_header(digest)).get()
+    ManifestList = models_ref.ManifestList
+    return (
+        ManifestList.select()
+        .where(ManifestList.digest == _ensure_sha256_header(digest))
+        .get()
+    )
 
 
-def get_or_create_manifest_list(manifest_list_json, media_type_name, schema_version, models_ref):
-  ManifestList = models_ref.ManifestList
+def get_or_create_manifest_list(
+    manifest_list_json, media_type_name, schema_version, models_ref
+):
+    ManifestList = models_ref.ManifestList
 
-  digest = _digest(manifest_list_json)
-  media_type_id = ManifestList.media_type.get_id(media_type_name)
+    digest = _digest(manifest_list_json)
+    media_type_id = ManifestList.media_type.get_id(media_type_name)
 
-  try:
-    return get_manifest_list(digest, models_ref)
-  except ManifestList.DoesNotExist:
-    with db_transaction():
-      manifestlist = ManifestList.create(digest=digest, manifest_list_json=manifest_list_json,
-                                         schema_version=schema_version, media_type=media_type_id)
-  return manifestlist
+    try:
+        return get_manifest_list(digest, models_ref)
+    except ManifestList.DoesNotExist:
+        with db_transaction():
+            manifestlist = ManifestList.create(
+                digest=digest,
+                manifest_list_json=manifest_list_json,
+                schema_version=schema_version,
+                media_type=media_type_id,
+            )
+    return manifestlist
 
 
-def create_manifestlistmanifest(manifestlist, manifest_ids, manifest_list_json, models_ref):
-  """ From a manifestlist, manifests, and the manifest list blob,
+def create_manifestlistmanifest(
+    manifestlist, manifest_ids, manifest_list_json, models_ref
+):
+    """ From a manifestlist, manifests, and the manifest list blob,
   create if doesn't exist the manfiestlistmanifest for each manifest """
-  for pos in xrange(len(manifest_ids)):
-    manifest_id = manifest_ids[pos]
-    manifest_json = manifest_list_json[pos]
-    get_or_create_manifestlistmanifest(manifest=manifest_id,
-                                       manifestlist=manifestlist,
-                                       media_type_name=manifest_json['mediaType'],
-                                       models_ref=models_ref)
+    for pos in xrange(len(manifest_ids)):
+        manifest_id = manifest_ids[pos]
+        manifest_json = manifest_list_json[pos]
+        get_or_create_manifestlistmanifest(
+            manifest=manifest_id,
+            manifestlist=manifestlist,
+            media_type_name=manifest_json["mediaType"],
+            models_ref=models_ref,
+        )
 
 
-def get_or_create_manifestlistmanifest(manifest, manifestlist, media_type_name, models_ref):
-  ManifestListManifest = models_ref.ManifestListManifest
+def get_or_create_manifestlistmanifest(
+    manifest, manifestlist, media_type_name, models_ref
+):
+    ManifestListManifest = models_ref.ManifestListManifest
 
-  media_type_id = ManifestListManifest.media_type.get_id(media_type_name)
-  try:
-    ml = (ManifestListManifest
-          .select()
-          .where(ManifestListManifest.manifest == manifest,
-                 ManifestListManifest.media_type == media_type_id,
-                 ManifestListManifest.manifest_list == manifestlist)).get()
+    media_type_id = ManifestListManifest.media_type.get_id(media_type_name)
+    try:
+        ml = (
+            ManifestListManifest.select().where(
+                ManifestListManifest.manifest == manifest,
+                ManifestListManifest.media_type == media_type_id,
+                ManifestListManifest.manifest_list == manifestlist,
+            )
+        ).get()
 
-  except ManifestListManifest.DoesNotExist:
-    ml = ManifestListManifest.create(manifest_list=manifestlist, media_type=media_type_id,
-                                     manifest=manifest)
-    return ml
+    except ManifestListManifest.DoesNotExist:
+        ml = ManifestListManifest.create(
+            manifest_list=manifestlist, media_type=media_type_id, manifest=manifest
+        )
+        return ml
diff --git a/data/appr_model/models.py b/data/appr_model/models.py
index 0fde7d83c..aefdc9f94 100644
--- a/data/appr_model/models.py
+++ b/data/appr_model/models.py
@@ -1,15 +1,47 @@
 from collections import namedtuple
 
-from data.database import (ApprTag, ApprTagKind, ApprBlobPlacementLocation, ApprManifestList,
-                           ApprManifestBlob, ApprBlob, ApprManifestListManifest, ApprManifest,
-                           ApprBlobPlacement, ApprChannel)
+from data.database import (
+    ApprTag,
+    ApprTagKind,
+    ApprBlobPlacementLocation,
+    ApprManifestList,
+    ApprManifestBlob,
+    ApprBlob,
+    ApprManifestListManifest,
+    ApprManifest,
+    ApprBlobPlacement,
+    ApprChannel,
+)
 
-ModelsRef = namedtuple('ModelsRef', ['Tag', 'TagKind', 'BlobPlacementLocation', 'ManifestList',
-                                     'ManifestBlob', 'Blob', 'ManifestListManifest', 'Manifest',
-                                     'BlobPlacement', 'Channel', 'manifestlistmanifest_set_name',
-                                     'tag_set_prefetch_name'])
+ModelsRef = namedtuple(
+    "ModelsRef",
+    [
+        "Tag",
+        "TagKind",
+        "BlobPlacementLocation",
+        "ManifestList",
+        "ManifestBlob",
+        "Blob",
+        "ManifestListManifest",
+        "Manifest",
+        "BlobPlacement",
+        "Channel",
+        "manifestlistmanifest_set_name",
+        "tag_set_prefetch_name",
+    ],
+)
 
-NEW_MODELS = ModelsRef(ApprTag, ApprTagKind, ApprBlobPlacementLocation, ApprManifestList,
-                       ApprManifestBlob, ApprBlob, ApprManifestListManifest, ApprManifest,
-                       ApprBlobPlacement, ApprChannel, 'apprmanifestlistmanifest_set',
-                       'apprtag_set')
+NEW_MODELS = ModelsRef(
+    ApprTag,
+    ApprTagKind,
+    ApprBlobPlacementLocation,
+    ApprManifestList,
+    ApprManifestBlob,
+    ApprBlob,
+    ApprManifestListManifest,
+    ApprManifest,
+    ApprBlobPlacement,
+    ApprChannel,
+    "apprmanifestlistmanifest_set",
+    "apprtag_set",
+)
diff --git a/data/appr_model/package.py b/data/appr_model/package.py
index 97ea9f791..abb15a6ea 100644
--- a/data/appr_model/package.py
+++ b/data/appr_model/package.py
@@ -7,61 +7,70 @@ from data.database import Repository, Namespace
 from data.appr_model import tag as tag_model
 
 
-def list_packages_query(models_ref, namespace=None, media_type=None, search_query=None,
-                        username=None):
-  """ List and filter repository by search query. """
-  Tag = models_ref.Tag
+def list_packages_query(
+    models_ref, namespace=None, media_type=None, search_query=None, username=None
+):
+    """ List and filter repository by search query. """
+    Tag = models_ref.Tag
 
-  if username and not search_query:
-    repositories = model.repository.get_visible_repositories(username,
-                                                             kind_filter='application',
-                                                             include_public=True,
-                                                             namespace=namespace,
-                                                             limit=50)
-    if not repositories:
-      return []
+    if username and not search_query:
+        repositories = model.repository.get_visible_repositories(
+            username,
+            kind_filter="application",
+            include_public=True,
+            namespace=namespace,
+            limit=50,
+        )
+        if not repositories:
+            return []
 
-    repo_query = (Repository
-                  .select(Repository, Namespace.username)
-                  .join(Namespace, on=(Repository.namespace_user == Namespace.id))
-                  .where(Repository.id << [repo.rid for repo in repositories]))
+        repo_query = (
+            Repository.select(Repository, Namespace.username)
+            .join(Namespace, on=(Repository.namespace_user == Namespace.id))
+            .where(Repository.id << [repo.rid for repo in repositories])
+        )
 
-    if namespace:
-      repo_query = (repo_query
-                    .where(Namespace.username == namespace))
-  else:
-    if search_query is not None:
-      fields = [model.repository.SEARCH_FIELDS.name.name]
-      repositories = model.repository.get_app_search(search_query,
-                                                     username=username,
-                                                     search_fields=fields,
-                                                     limit=50)
-      if not repositories:
-        return []
-
-      repo_query = (Repository
-                    .select(Repository, Namespace.username)
-                    .join(Namespace, on=(Repository.namespace_user == Namespace.id))
-                    .where(Repository.id << [repo.id for repo in repositories]))
+        if namespace:
+            repo_query = repo_query.where(Namespace.username == namespace)
     else:
-      repo_query = (Repository
-                    .select(Repository, Namespace.username)
-                    .join(Namespace, on=(Repository.namespace_user == Namespace.id))
-                    .where(Repository.visibility == model.repository.get_public_repo_visibility(),
-                           Repository.kind == Repository.kind.get_id('application')))
+        if search_query is not None:
+            fields = [model.repository.SEARCH_FIELDS.name.name]
+            repositories = model.repository.get_app_search(
+                search_query, username=username, search_fields=fields, limit=50
+            )
+            if not repositories:
+                return []
 
-    if namespace:
-      repo_query = (repo_query
-                    .where(Namespace.username == namespace))
+            repo_query = (
+                Repository.select(Repository, Namespace.username)
+                .join(Namespace, on=(Repository.namespace_user == Namespace.id))
+                .where(Repository.id << [repo.id for repo in repositories])
+            )
+        else:
+            repo_query = (
+                Repository.select(Repository, Namespace.username)
+                .join(Namespace, on=(Repository.namespace_user == Namespace.id))
+                .where(
+                    Repository.visibility
+                    == model.repository.get_public_repo_visibility(),
+                    Repository.kind == Repository.kind.get_id("application"),
+                )
+            )
 
-  tag_query = (Tag
-               .select()
-               .where(Tag.tag_kind == Tag.tag_kind.get_id('release'))
-               .order_by(Tag.lifetime_start))
+        if namespace:
+            repo_query = repo_query.where(Namespace.username == namespace)
 
-  if media_type:
-    tag_query = tag_model.filter_tags_by_media_type(tag_query, media_type, models_ref)
+    tag_query = (
+        Tag.select()
+        .where(Tag.tag_kind == Tag.tag_kind.get_id("release"))
+        .order_by(Tag.lifetime_start)
+    )
 
-  tag_query = tag_model.tag_is_alive(tag_query, Tag)
-  query = prefetch(repo_query, tag_query)
-  return query
+    if media_type:
+        tag_query = tag_model.filter_tags_by_media_type(
+            tag_query, media_type, models_ref
+        )
+
+    tag_query = tag_model.tag_is_alive(tag_query, Tag)
+    query = prefetch(repo_query, tag_query)
+    return query
diff --git a/data/appr_model/release.py b/data/appr_model/release.py
index dcfa455d0..b5640a5cd 100644
--- a/data/appr_model/release.py
+++ b/data/appr_model/release.py
@@ -4,149 +4,186 @@ from cnr.exception import PackageAlreadyExists
 from cnr.models.package_base import manifest_media_type
 
 from data.database import db_transaction, get_epoch_timestamp
-from data.appr_model import (blob as blob_model, manifest as manifest_model,
-                            manifest_list as manifest_list_model,
-                            tag as tag_model)
+from data.appr_model import (
+    blob as blob_model,
+    manifest as manifest_model,
+    manifest_list as manifest_list_model,
+    tag as tag_model,
+)
 
 
-LIST_MEDIA_TYPE = 'application/vnd.cnr.manifest.list.v0.json'
-SCHEMA_VERSION = 'v0'
+LIST_MEDIA_TYPE = "application/vnd.cnr.manifest.list.v0.json"
+SCHEMA_VERSION = "v0"
 
 
 def _ensure_sha256_header(digest):
-  if digest.startswith('sha256:'):
-    return digest
-  return 'sha256:' + digest
+    if digest.startswith("sha256:"):
+        return digest
+    return "sha256:" + digest
 
 
 def get_app_release(repo, tag_name, media_type, models_ref):
-  """ Returns (tag, manifest, blob) given a repo object, tag_name, and media_type). """
-  ManifestListManifest = models_ref.ManifestListManifest
-  Manifest = models_ref.Manifest
-  Blob = models_ref.Blob
-  ManifestBlob = models_ref.ManifestBlob
-  manifestlistmanifest_set_name = models_ref.manifestlistmanifest_set_name
+    """ Returns (tag, manifest, blob) given a repo object, tag_name, and media_type). """
+    ManifestListManifest = models_ref.ManifestListManifest
+    Manifest = models_ref.Manifest
+    Blob = models_ref.Blob
+    ManifestBlob = models_ref.ManifestBlob
+    manifestlistmanifest_set_name = models_ref.manifestlistmanifest_set_name
 
-  tag = tag_model.get_tag(repo, tag_name, models_ref, tag_kind='release')
-  media_type_id = ManifestListManifest.media_type.get_id(manifest_media_type(media_type))
-  manifestlistmanifest = (getattr(tag.manifest_list, manifestlistmanifest_set_name)
-                          .join(Manifest)
-                          .where(ManifestListManifest.media_type == media_type_id).get())
-  manifest = manifestlistmanifest.manifest
-  blob = Blob.select().join(ManifestBlob).where(ManifestBlob.manifest == manifest).get()
-  return (tag, manifest, blob)
+    tag = tag_model.get_tag(repo, tag_name, models_ref, tag_kind="release")
+    media_type_id = ManifestListManifest.media_type.get_id(
+        manifest_media_type(media_type)
+    )
+    manifestlistmanifest = (
+        getattr(tag.manifest_list, manifestlistmanifest_set_name)
+        .join(Manifest)
+        .where(ManifestListManifest.media_type == media_type_id)
+        .get()
+    )
+    manifest = manifestlistmanifest.manifest
+    blob = (
+        Blob.select().join(ManifestBlob).where(ManifestBlob.manifest == manifest).get()
+    )
+    return (tag, manifest, blob)
 
 
 def delete_app_release(repo, tag_name, media_type, models_ref):
-  """ Terminate a Tag/media-type couple
+    """ Terminate a Tag/media-type couple
   It find the corresponding tag/manifest and remove from the manifestlistmanifest the manifest
   1. it terminates the current tag (in all-cases)
   2. if the new manifestlist is not empty, it creates a new tag for it
   """
-  ManifestListManifest = models_ref.ManifestListManifest
-  manifestlistmanifest_set_name = models_ref.manifestlistmanifest_set_name
+    ManifestListManifest = models_ref.ManifestListManifest
+    manifestlistmanifest_set_name = models_ref.manifestlistmanifest_set_name
 
-  media_type_id = ManifestListManifest.media_type.get_id(manifest_media_type(media_type))
+    media_type_id = ManifestListManifest.media_type.get_id(
+        manifest_media_type(media_type)
+    )
 
-  with db_transaction():
-    tag = tag_model.get_tag(repo, tag_name, models_ref)
-    manifest_list = tag.manifest_list
-    list_json = manifest_list.manifest_list_json
-    mlm_query = (ManifestListManifest
-                 .select()
-                 .where(ManifestListManifest.manifest_list == tag.manifest_list))
-    list_manifest_ids = sorted([mlm.manifest_id for mlm in mlm_query])
-    manifestlistmanifest = (getattr(tag.manifest_list, manifestlistmanifest_set_name)
-                            .where(ManifestListManifest.media_type == media_type_id).get())
-    index = list_manifest_ids.index(manifestlistmanifest.manifest_id)
-    list_manifest_ids.pop(index)
-    list_json.pop(index)
+    with db_transaction():
+        tag = tag_model.get_tag(repo, tag_name, models_ref)
+        manifest_list = tag.manifest_list
+        list_json = manifest_list.manifest_list_json
+        mlm_query = ManifestListManifest.select().where(
+            ManifestListManifest.manifest_list == tag.manifest_list
+        )
+        list_manifest_ids = sorted([mlm.manifest_id for mlm in mlm_query])
+        manifestlistmanifest = (
+            getattr(tag.manifest_list, manifestlistmanifest_set_name)
+            .where(ManifestListManifest.media_type == media_type_id)
+            .get()
+        )
+        index = list_manifest_ids.index(manifestlistmanifest.manifest_id)
+        list_manifest_ids.pop(index)
+        list_json.pop(index)
 
-    if not list_json:
-      tag.lifetime_end = get_epoch_timestamp()
-      tag.save()
-    else:
-      manifestlist = manifest_list_model.get_or_create_manifest_list(list_json, LIST_MEDIA_TYPE,
-                                                                     SCHEMA_VERSION, models_ref)
-      manifest_list_model.create_manifestlistmanifest(manifestlist, list_manifest_ids,
-                                                      list_json, models_ref)
-      tag = tag_model.create_or_update_tag(repo, tag_name, models_ref, manifest_list=manifestlist,
-                                           tag_kind="release")
-    return tag
+        if not list_json:
+            tag.lifetime_end = get_epoch_timestamp()
+            tag.save()
+        else:
+            manifestlist = manifest_list_model.get_or_create_manifest_list(
+                list_json, LIST_MEDIA_TYPE, SCHEMA_VERSION, models_ref
+            )
+            manifest_list_model.create_manifestlistmanifest(
+                manifestlist, list_manifest_ids, list_json, models_ref
+            )
+            tag = tag_model.create_or_update_tag(
+                repo,
+                tag_name,
+                models_ref,
+                manifest_list=manifestlist,
+                tag_kind="release",
+            )
+        return tag
 
 
 def create_app_release(repo, tag_name, manifest_data, digest, models_ref, force=False):
-  """ Create a new application release, it includes creating a new Tag, ManifestList,
+    """ Create a new application release, it includes creating a new Tag, ManifestList,
       ManifestListManifests, Manifest, ManifestBlob.
 
       To deduplicate the ManifestList, the manifestlist_json is kept ordered by the manifest.id.
       To find the insert point in the ManifestList it uses bisect on the manifest-ids list.
   """
-  ManifestList = models_ref.ManifestList
-  ManifestListManifest = models_ref.ManifestListManifest
-  Blob = models_ref.Blob
-  ManifestBlob = models_ref.ManifestBlob
+    ManifestList = models_ref.ManifestList
+    ManifestListManifest = models_ref.ManifestListManifest
+    Blob = models_ref.Blob
+    ManifestBlob = models_ref.ManifestBlob
 
-  with db_transaction():
-    # Create/get the package manifest
-    manifest = manifest_model.get_or_create_manifest(manifest_data, manifest_data['mediaType'],
-                                                     models_ref)
-    # get the tag
-    tag = tag_model.get_or_initialize_tag(repo, tag_name, models_ref)
+    with db_transaction():
+        # Create/get the package manifest
+        manifest = manifest_model.get_or_create_manifest(
+            manifest_data, manifest_data["mediaType"], models_ref
+        )
+        # get the tag
+        tag = tag_model.get_or_initialize_tag(repo, tag_name, models_ref)
 
-    if tag.manifest_list is None:
-      tag.manifest_list = ManifestList(media_type=ManifestList.media_type.get_id(LIST_MEDIA_TYPE),
-                                       schema_version=SCHEMA_VERSION,
-                                       manifest_list_json=[], )
+        if tag.manifest_list is None:
+            tag.manifest_list = ManifestList(
+                media_type=ManifestList.media_type.get_id(LIST_MEDIA_TYPE),
+                schema_version=SCHEMA_VERSION,
+                manifest_list_json=[],
+            )
 
-    elif tag_model.tag_media_type_exists(tag, manifest.media_type, models_ref):
-      if force:
-        delete_app_release(repo, tag_name, manifest.media_type.name, models_ref)
-        return create_app_release(repo, tag_name, manifest_data, digest, models_ref, force=False)
-      else:
-        raise PackageAlreadyExists("package exists already")
+        elif tag_model.tag_media_type_exists(tag, manifest.media_type, models_ref):
+            if force:
+                delete_app_release(repo, tag_name, manifest.media_type.name, models_ref)
+                return create_app_release(
+                    repo, tag_name, manifest_data, digest, models_ref, force=False
+                )
+            else:
+                raise PackageAlreadyExists("package exists already")
 
-    list_json = tag.manifest_list.manifest_list_json
-    mlm_query = (ManifestListManifest
-                 .select()
-                 .where(ManifestListManifest.manifest_list == tag.manifest_list))
-    list_manifest_ids = sorted([mlm.manifest_id for mlm in mlm_query])
-    insert_point = bisect.bisect_left(list_manifest_ids, manifest.id)
-    list_json.insert(insert_point, manifest.manifest_json)
-    list_manifest_ids.insert(insert_point, manifest.id)
-    manifestlist = manifest_list_model.get_or_create_manifest_list(list_json, LIST_MEDIA_TYPE,
-                                                                   SCHEMA_VERSION, models_ref)
-    manifest_list_model.create_manifestlistmanifest(manifestlist, list_manifest_ids, list_json,
-                                                    models_ref)
+        list_json = tag.manifest_list.manifest_list_json
+        mlm_query = ManifestListManifest.select().where(
+            ManifestListManifest.manifest_list == tag.manifest_list
+        )
+        list_manifest_ids = sorted([mlm.manifest_id for mlm in mlm_query])
+        insert_point = bisect.bisect_left(list_manifest_ids, manifest.id)
+        list_json.insert(insert_point, manifest.manifest_json)
+        list_manifest_ids.insert(insert_point, manifest.id)
+        manifestlist = manifest_list_model.get_or_create_manifest_list(
+            list_json, LIST_MEDIA_TYPE, SCHEMA_VERSION, models_ref
+        )
+        manifest_list_model.create_manifestlistmanifest(
+            manifestlist, list_manifest_ids, list_json, models_ref
+        )
 
-    tag = tag_model.create_or_update_tag(repo, tag_name, models_ref, manifest_list=manifestlist,
-                                         tag_kind="release")
-    blob_digest = digest
+        tag = tag_model.create_or_update_tag(
+            repo, tag_name, models_ref, manifest_list=manifestlist, tag_kind="release"
+        )
+        blob_digest = digest
+
+        try:
+            (
+                ManifestBlob.select()
+                .join(Blob)
+                .where(
+                    ManifestBlob.manifest == manifest,
+                    Blob.digest == _ensure_sha256_header(blob_digest),
+                )
+                .get()
+            )
+        except ManifestBlob.DoesNotExist:
+            blob = blob_model.get_blob(blob_digest, models_ref)
+            ManifestBlob.create(manifest=manifest, blob=blob)
+        return tag
 
-    try:
-      (ManifestBlob
-       .select()
-       .join(Blob)
-       .where(ManifestBlob.manifest == manifest,
-              Blob.digest == _ensure_sha256_header(blob_digest)).get())
-    except ManifestBlob.DoesNotExist:
-      blob = blob_model.get_blob(blob_digest, models_ref)
-      ManifestBlob.create(manifest=manifest, blob=blob)
-    return tag
 
 def get_release_objs(repo, models_ref, media_type=None):
-  """ Returns an array of Tag for a repo, with optional filtering by media_type. """
-  Tag = models_ref.Tag
+    """ Returns an array of Tag for a repo, with optional filtering by media_type. """
+    Tag = models_ref.Tag
 
-  release_query = (Tag
-                   .select()
-                   .where(Tag.repository == repo,
-                          Tag.tag_kind == Tag.tag_kind.get_id("release")))
-  if media_type:
-    release_query = tag_model.filter_tags_by_media_type(release_query, media_type, models_ref)
+    release_query = Tag.select().where(
+        Tag.repository == repo, Tag.tag_kind == Tag.tag_kind.get_id("release")
+    )
+    if media_type:
+        release_query = tag_model.filter_tags_by_media_type(
+            release_query, media_type, models_ref
+        )
+
+    return tag_model.tag_is_alive(release_query, Tag)
 
-  return tag_model.tag_is_alive(release_query, Tag)
 
 def get_releases(repo, model_refs, media_type=None):
-  """ Returns an array of Tag.name for a repo, can filter by media_type. """
-  return [t.name for t in get_release_objs(repo, model_refs, media_type)]
+    """ Returns an array of Tag.name for a repo, can filter by media_type. """
+    return [t.name for t in get_release_objs(repo, model_refs, media_type)]
diff --git a/data/appr_model/tag.py b/data/appr_model/tag.py
index 4903a4572..de353bd52 100644
--- a/data/appr_model/tag.py
+++ b/data/appr_model/tag.py
@@ -3,7 +3,7 @@ import logging
 from cnr.models.package_base import manifest_media_type
 from peewee import IntegrityError
 
-from data.model import (db_transaction, TagAlreadyCreatedException)
+from data.model import db_transaction, TagAlreadyCreatedException
 from data.database import get_epoch_timestamp_ms, db_for_update
 
 
@@ -11,89 +11,120 @@ logger = logging.getLogger(__name__)
 
 
 def tag_is_alive(query, cls, now_ts=None):
-  return query.where((cls.lifetime_end >> None) |
-                     (cls.lifetime_end > now_ts))
+    return query.where((cls.lifetime_end >> None) | (cls.lifetime_end > now_ts))
 
 
 def tag_media_type_exists(tag, media_type, models_ref):
-  ManifestListManifest = models_ref.ManifestListManifest
-  manifestlistmanifest_set_name = models_ref.manifestlistmanifest_set_name
-  return (getattr(tag.manifest_list, manifestlistmanifest_set_name)
-          .where(ManifestListManifest.media_type == media_type).count() > 0)
+    ManifestListManifest = models_ref.ManifestListManifest
+    manifestlistmanifest_set_name = models_ref.manifestlistmanifest_set_name
+    return (
+        getattr(tag.manifest_list, manifestlistmanifest_set_name)
+        .where(ManifestListManifest.media_type == media_type)
+        .count()
+        > 0
+    )
 
 
-def create_or_update_tag(repo, tag_name, models_ref, manifest_list=None, linked_tag=None,
-                         tag_kind="release"):
-  Tag = models_ref.Tag
+def create_or_update_tag(
+    repo, tag_name, models_ref, manifest_list=None, linked_tag=None, tag_kind="release"
+):
+    Tag = models_ref.Tag
 
-  now_ts = get_epoch_timestamp_ms()
-  tag_kind_id = Tag.tag_kind.get_id(tag_kind)
-  with db_transaction():
-    try:
-      tag = db_for_update(tag_is_alive(Tag
-                                        .select()
-                                        .where(Tag.repository == repo,
-                                               Tag.name == tag_name,
-                                               Tag.tag_kind == tag_kind_id), Tag, now_ts)).get()
-      if tag.manifest_list == manifest_list and tag.linked_tag == linked_tag:
-        return tag
-      tag.lifetime_end = now_ts
-      tag.save()
-    except Tag.DoesNotExist:
-      pass
+    now_ts = get_epoch_timestamp_ms()
+    tag_kind_id = Tag.tag_kind.get_id(tag_kind)
+    with db_transaction():
+        try:
+            tag = db_for_update(
+                tag_is_alive(
+                    Tag.select().where(
+                        Tag.repository == repo,
+                        Tag.name == tag_name,
+                        Tag.tag_kind == tag_kind_id,
+                    ),
+                    Tag,
+                    now_ts,
+                )
+            ).get()
+            if tag.manifest_list == manifest_list and tag.linked_tag == linked_tag:
+                return tag
+            tag.lifetime_end = now_ts
+            tag.save()
+        except Tag.DoesNotExist:
+            pass
 
-    try:
-      return Tag.create(repository=repo, manifest_list=manifest_list, linked_tag=linked_tag,
-                        name=tag_name, lifetime_start=now_ts, lifetime_end=None,
-                        tag_kind=tag_kind_id)
-    except IntegrityError:
-      msg = 'Tag with name %s and lifetime start %s under repository %s/%s already exists'
-      raise TagAlreadyCreatedException(msg % (tag_name, now_ts, repo.namespace_user, repo.name))
+        try:
+            return Tag.create(
+                repository=repo,
+                manifest_list=manifest_list,
+                linked_tag=linked_tag,
+                name=tag_name,
+                lifetime_start=now_ts,
+                lifetime_end=None,
+                tag_kind=tag_kind_id,
+            )
+        except IntegrityError:
+            msg = "Tag with name %s and lifetime start %s under repository %s/%s already exists"
+            raise TagAlreadyCreatedException(
+                msg % (tag_name, now_ts, repo.namespace_user, repo.name)
+            )
 
 
 def get_or_initialize_tag(repo, tag_name, models_ref, tag_kind="release"):
-  Tag = models_ref.Tag
-  
-  try:
-    return tag_is_alive(Tag.select().where(Tag.repository == repo, Tag.name == tag_name), Tag).get()
-  except Tag.DoesNotExist:
-    return Tag(repo=repo, name=tag_name, tag_kind=Tag.tag_kind.get_id(tag_kind))
+    Tag = models_ref.Tag
+
+    try:
+        return tag_is_alive(
+            Tag.select().where(Tag.repository == repo, Tag.name == tag_name), Tag
+        ).get()
+    except Tag.DoesNotExist:
+        return Tag(repo=repo, name=tag_name, tag_kind=Tag.tag_kind.get_id(tag_kind))
 
 
 def get_tag(repo, tag_name, models_ref, tag_kind="release"):
-  Tag = models_ref.Tag
-  return tag_is_alive(Tag.select()
-                       .where(Tag.repository == repo,
-                              Tag.name == tag_name,
-                              Tag.tag_kind == Tag.tag_kind.get_id(tag_kind)), Tag).get()
+    Tag = models_ref.Tag
+    return tag_is_alive(
+        Tag.select().where(
+            Tag.repository == repo,
+            Tag.name == tag_name,
+            Tag.tag_kind == Tag.tag_kind.get_id(tag_kind),
+        ),
+        Tag,
+    ).get()
 
 
 def delete_tag(repo, tag_name, models_ref, tag_kind="release"):
-  Tag = models_ref.Tag
-  tag_kind_id = Tag.tag_kind.get_id(tag_kind)
-  tag = tag_is_alive(Tag.select()
-                      .where(Tag.repository == repo,
-                             Tag.name == tag_name, Tag.tag_kind == tag_kind_id), Tag).get()
-  tag.lifetime_end = get_epoch_timestamp_ms()
-  tag.save()
-  return tag
+    Tag = models_ref.Tag
+    tag_kind_id = Tag.tag_kind.get_id(tag_kind)
+    tag = tag_is_alive(
+        Tag.select().where(
+            Tag.repository == repo, Tag.name == tag_name, Tag.tag_kind == tag_kind_id
+        ),
+        Tag,
+    ).get()
+    tag.lifetime_end = get_epoch_timestamp_ms()
+    tag.save()
+    return tag
 
 
 def tag_exists(repo, tag_name, models_ref, tag_kind="release"):
-  Tag = models_ref.Tag
-  try:
-    get_tag(repo, tag_name, models_ref, tag_kind)
-    return True
-  except Tag.DoesNotExist:
-    return False
+    Tag = models_ref.Tag
+    try:
+        get_tag(repo, tag_name, models_ref, tag_kind)
+        return True
+    except Tag.DoesNotExist:
+        return False
 
 
 def filter_tags_by_media_type(tag_query, media_type, models_ref):
-  """ Return only available tag for a media_type. """
-  ManifestListManifest = models_ref.ManifestListManifest
-  Tag = models_ref.Tag
-  media_type = manifest_media_type(media_type)
-  t = (tag_query
-       .join(ManifestListManifest, on=(ManifestListManifest.manifest_list == Tag.manifest_list))
-       .where(ManifestListManifest.media_type == ManifestListManifest.media_type.get_id(media_type)))
-  return t
+    """ Return only available tag for a media_type. """
+    ManifestListManifest = models_ref.ManifestListManifest
+    Tag = models_ref.Tag
+    media_type = manifest_media_type(media_type)
+    t = tag_query.join(
+        ManifestListManifest,
+        on=(ManifestListManifest.manifest_list == Tag.manifest_list),
+    ).where(
+        ManifestListManifest.media_type
+        == ManifestListManifest.media_type.get_id(media_type)
+    )
+    return t
diff --git a/data/archivedlogs.py b/data/archivedlogs.py
index 0172c74c8..d2b3fbabb 100644
--- a/data/archivedlogs.py
+++ b/data/archivedlogs.py
@@ -6,32 +6,33 @@ from flask import send_file, abort
 from data.userfiles import DelegateUserfiles, UserfilesHandlers
 
 
-JSON_MIMETYPE = 'application/json'
+JSON_MIMETYPE = "application/json"
 
 
 logger = logging.getLogger(__name__)
 
 
 class LogArchive(object):
-  def __init__(self, app=None, distributed_storage=None):
-    self.app = app
-    if app is not None:
-      self.state = self.init_app(app, distributed_storage)
-    else:
-      self.state = None
+    def __init__(self, app=None, distributed_storage=None):
+        self.app = app
+        if app is not None:
+            self.state = self.init_app(app, distributed_storage)
+        else:
+            self.state = None
 
-  def init_app(self, app, distributed_storage):
-    location = app.config.get('LOG_ARCHIVE_LOCATION')
-    path = app.config.get('LOG_ARCHIVE_PATH', None)
+    def init_app(self, app, distributed_storage):
+        location = app.config.get("LOG_ARCHIVE_LOCATION")
+        path = app.config.get("LOG_ARCHIVE_PATH", None)
 
-    handler_name = 'web.logarchive'
+        handler_name = "web.logarchive"
 
-    log_archive = DelegateUserfiles(app, distributed_storage, location, path,
-                                    handler_name=handler_name)
-    # register extension with app
-    app.extensions = getattr(app, 'extensions', {})
-    app.extensions['log_archive'] = log_archive
-    return log_archive
+        log_archive = DelegateUserfiles(
+            app, distributed_storage, location, path, handler_name=handler_name
+        )
+        # register extension with app
+        app.extensions = getattr(app, "extensions", {})
+        app.extensions["log_archive"] = log_archive
+        return log_archive
 
-  def __getattr__(self, name):
-    return getattr(self.state, name, None)
+    def __getattr__(self, name):
+        return getattr(self.state, name, None)
diff --git a/data/billing.py b/data/billing.py
index aa2420c01..a18000ea2 100644
--- a/data/billing.py
+++ b/data/billing.py
@@ -6,448 +6,456 @@ from calendar import timegm
 from util.morecollections import AttrDict
 
 PLANS = [
-  # Deprecated Plans (2013-2014)
-  {
-    'title': 'Micro',
-    'price': 700,
-    'privateRepos': 5,
-    'stripeId': 'micro',
-    'audience': 'For smaller teams',
-    'bus_features': False,
-    'deprecated': True,
-    'free_trial_days': 14,
-    'superseded_by': 'personal-30',
-    'plans_page_hidden': False,
-  },
-  {
-    'title': 'Basic',
-    'price': 1200,
-    'privateRepos': 10,
-    'stripeId': 'small',
-    'audience': 'For your basic team',
-    'bus_features': False,
-    'deprecated': True,
-    'free_trial_days': 14,
-    'superseded_by': 'bus-micro-30',
-    'plans_page_hidden': False,
-  },
-  {
-    'title': 'Yacht',
-    'price': 5000,
-    'privateRepos': 20,
-    'stripeId': 'bus-coreos-trial',
-    'audience': 'For small businesses',
-    'bus_features': True,
-    'deprecated': True,
-    'free_trial_days': 180,
-    'superseded_by': 'bus-small-30',
-    'plans_page_hidden': False,
-  },
-  {
-    'title': 'Personal',
-    'price': 1200,
-    'privateRepos': 5,
-    'stripeId': 'personal',
-    'audience': 'Individuals',
-    'bus_features': False,
-    'deprecated': True,
-    'free_trial_days': 14,
-    'superseded_by': 'personal-30',
-    'plans_page_hidden': False,
-  },
-  {
-    'title': 'Skiff',
-    'price': 2500,
-    'privateRepos': 10,
-    'stripeId': 'bus-micro',
-    'audience': 'For startups',
-    'bus_features': True,
-    'deprecated': True,
-    'free_trial_days': 14,
-    'superseded_by': 'bus-micro-30',
-    'plans_page_hidden': False,
-  },
-  {
-    'title': 'Yacht',
-    'price': 5000,
-    'privateRepos': 20,
-    'stripeId': 'bus-small',
-    'audience': 'For small businesses',
-    'bus_features': True,
-    'deprecated': True,
-    'free_trial_days': 14,
-    'superseded_by': 'bus-small-30',
-    'plans_page_hidden': False,
-  },
-  {
-    'title': 'Freighter',
-    'price': 10000,
-    'privateRepos': 50,
-    'stripeId': 'bus-medium',
-    'audience': 'For normal businesses',
-    'bus_features': True,
-    'deprecated': True,
-    'free_trial_days': 14,
-    'superseded_by': 'bus-medium-30',
-    'plans_page_hidden': False,
-  },
-  {
-    'title': 'Tanker',
-    'price': 20000,
-    'privateRepos': 125,
-    'stripeId': 'bus-large',
-    'audience': 'For large businesses',
-    'bus_features': True,
-    'deprecated': True,
-    'free_trial_days': 14,
-    'superseded_by': 'bus-large-30',
-    'plans_page_hidden': False,
-  },
-
-  # Deprecated plans (2014-2017)
-  {
-    'title': 'Personal',
-    'price': 1200,
-    'privateRepos': 5,
-    'stripeId': 'personal-30',
-    'audience': 'Individuals',
-    'bus_features': False,
-    'deprecated': True,
-    'free_trial_days': 30,
-    'superseded_by': 'personal-2018',
-    'plans_page_hidden': False,
-  },
-  {
-    'title': 'Skiff',
-    'price': 2500,
-    'privateRepos': 10,
-    'stripeId': 'bus-micro-30',
-    'audience': 'For startups',
-    'bus_features': True,
-    'deprecated': True,
-    'free_trial_days': 30,
-    'superseded_by': 'bus-micro-2018',
-    'plans_page_hidden': False,
-  },
-  {
-    'title': 'Yacht',
-    'price': 5000,
-    'privateRepos': 20,
-    'stripeId': 'bus-small-30',
-    'audience': 'For small businesses',
-    'bus_features': True,
-    'deprecated': True,
-    'free_trial_days': 30,
-    'superseded_by': 'bus-small-2018',
-    'plans_page_hidden': False,
-  },
-  {
-    'title': 'Freighter',
-    'price': 10000,
-    'privateRepos': 50,
-    'stripeId': 'bus-medium-30',
-    'audience': 'For normal businesses',
-    'bus_features': True,
-    'deprecated': True,
-    'free_trial_days': 30,
-    'superseded_by': 'bus-medium-2018',
-    'plans_page_hidden': False,
-  },
-  {
-    'title': 'Tanker',
-    'price': 20000,
-    'privateRepos': 125,
-    'stripeId': 'bus-large-30',
-    'audience': 'For large businesses',
-    'bus_features': True,
-    'deprecated': True,
-    'free_trial_days': 30,
-    'superseded_by': 'bus-large-2018',
-    'plans_page_hidden': False,
-  },
-  {
-    'title': 'Carrier',
-    'price': 35000,
-    'privateRepos': 250,
-    'stripeId': 'bus-xlarge-30',
-    'audience': 'For extra large businesses',
-    'bus_features': True,
-    'deprecated': True,
-    'free_trial_days': 30,
-    'superseded_by': 'bus-xlarge-2018',
-    'plans_page_hidden': False,
-  },
-  {
-    'title': 'Huge',
-    'price': 65000,
-    'privateRepos': 500,
-    'stripeId': 'bus-500-30',
-    'audience': 'For huge business',
-    'bus_features': True,
-    'deprecated': True,
-    'free_trial_days': 30,
-    'superseded_by': 'bus-500-2018',
-    'plans_page_hidden': False,
-  },
-  {
-    'title': 'Huuge',
-    'price': 120000,
-    'privateRepos': 1000,
-    'stripeId': 'bus-1000-30',
-    'audience': 'For the SaaS savvy enterprise',
-    'bus_features': True,
-    'deprecated': True,
-    'free_trial_days': 30,
-    'superseded_by': 'bus-1000-2018',
-    'plans_page_hidden': False,
-  },
-
-  # Active plans (as of Dec 2017)
-  {
-    'title': 'Open Source',
-    'price': 0,
-    'privateRepos': 0,
-    'stripeId': 'free',
-    'audience': 'Committment to FOSS',
-    'bus_features': False,
-    'deprecated': False,
-    'free_trial_days': 30,
-    'superseded_by': None,
-    'plans_page_hidden': False,
-  },
-  {
-    'title': 'Developer',
-    'price': 1500,
-    'privateRepos': 5,
-    'stripeId': 'personal-2018',
-    'audience': 'Individuals',
-    'bus_features': False,
-    'deprecated': False,
-    'free_trial_days': 30,
-    'superseded_by': None,
-    'plans_page_hidden': False,
-  },
-  {
-    'title': 'Micro',
-    'price': 3000,
-    'privateRepos': 10,
-    'stripeId': 'bus-micro-2018',
-    'audience': 'For startups',
-    'bus_features': True,
-    'deprecated': False,
-    'free_trial_days': 30,
-    'superseded_by': None,
-    'plans_page_hidden': False,
-  },
-  {
-    'title': 'Small',
-    'price': 6000,
-    'privateRepos': 20,
-    'stripeId': 'bus-small-2018',
-    'audience': 'For small businesses',
-    'bus_features': True,
-    'deprecated': False,
-    'free_trial_days': 30,
-    'superseded_by': None,
-    'plans_page_hidden': False,
-  },
-  {
-    'title': 'Medium',
-    'price': 12500,
-    'privateRepos': 50,
-    'stripeId': 'bus-medium-2018',
-    'audience': 'For normal businesses',
-    'bus_features': True,
-    'deprecated': False,
-    'free_trial_days': 30,
-    'superseded_by': None,
-    'plans_page_hidden': False,
-  },
-  {
-    'title': 'Large',
-    'price': 25000,
-    'privateRepos': 125,
-    'stripeId': 'bus-large-2018',
-    'audience': 'For large businesses',
-    'bus_features': True,
-    'deprecated': False,
-    'free_trial_days': 30,
-    'superseded_by': None,
-    'plans_page_hidden': False,
-  },
-  {
-    'title': 'Extra Large',
-    'price': 45000,
-    'privateRepos': 250,
-    'stripeId': 'bus-xlarge-2018',
-    'audience': 'For extra large businesses',
-    'bus_features': True,
-    'deprecated': False,
-    'free_trial_days': 30,
-    'superseded_by': None,
-    'plans_page_hidden': False,
-  },
-  {
-    'title': 'XXL',
-    'price': 85000,
-    'privateRepos': 500,
-    'stripeId': 'bus-500-2018',
-    'audience': 'For huge business',
-    'bus_features': True,
-    'deprecated': False,
-    'free_trial_days': 30,
-    'superseded_by': None,
-    'plans_page_hidden': False,
-  },
-  {
-    'title': 'XXXL',
-    'price': 160000,
-    'privateRepos': 1000,
-    'stripeId': 'bus-1000-2018',
-    'audience': 'For the SaaS savvy enterprise',
-    'bus_features': True,
-    'deprecated': False,
-    'free_trial_days': 30,
-    'superseded_by': None,
-    'plans_page_hidden': False,
-  },
-  {
-    'title': 'XXXXL',
-    'price': 310000,
-    'privateRepos': 2000,
-    'stripeId': 'bus-2000-2018',
-    'audience': 'For the SaaS savvy big enterprise',
-    'bus_features': True,
-    'deprecated': False,
-    'free_trial_days': 30,
-    'superseded_by': None,
-    'plans_page_hidden': False,
-  },
+    # Deprecated Plans (2013-2014)
+    {
+        "title": "Micro",
+        "price": 700,
+        "privateRepos": 5,
+        "stripeId": "micro",
+        "audience": "For smaller teams",
+        "bus_features": False,
+        "deprecated": True,
+        "free_trial_days": 14,
+        "superseded_by": "personal-30",
+        "plans_page_hidden": False,
+    },
+    {
+        "title": "Basic",
+        "price": 1200,
+        "privateRepos": 10,
+        "stripeId": "small",
+        "audience": "For your basic team",
+        "bus_features": False,
+        "deprecated": True,
+        "free_trial_days": 14,
+        "superseded_by": "bus-micro-30",
+        "plans_page_hidden": False,
+    },
+    {
+        "title": "Yacht",
+        "price": 5000,
+        "privateRepos": 20,
+        "stripeId": "bus-coreos-trial",
+        "audience": "For small businesses",
+        "bus_features": True,
+        "deprecated": True,
+        "free_trial_days": 180,
+        "superseded_by": "bus-small-30",
+        "plans_page_hidden": False,
+    },
+    {
+        "title": "Personal",
+        "price": 1200,
+        "privateRepos": 5,
+        "stripeId": "personal",
+        "audience": "Individuals",
+        "bus_features": False,
+        "deprecated": True,
+        "free_trial_days": 14,
+        "superseded_by": "personal-30",
+        "plans_page_hidden": False,
+    },
+    {
+        "title": "Skiff",
+        "price": 2500,
+        "privateRepos": 10,
+        "stripeId": "bus-micro",
+        "audience": "For startups",
+        "bus_features": True,
+        "deprecated": True,
+        "free_trial_days": 14,
+        "superseded_by": "bus-micro-30",
+        "plans_page_hidden": False,
+    },
+    {
+        "title": "Yacht",
+        "price": 5000,
+        "privateRepos": 20,
+        "stripeId": "bus-small",
+        "audience": "For small businesses",
+        "bus_features": True,
+        "deprecated": True,
+        "free_trial_days": 14,
+        "superseded_by": "bus-small-30",
+        "plans_page_hidden": False,
+    },
+    {
+        "title": "Freighter",
+        "price": 10000,
+        "privateRepos": 50,
+        "stripeId": "bus-medium",
+        "audience": "For normal businesses",
+        "bus_features": True,
+        "deprecated": True,
+        "free_trial_days": 14,
+        "superseded_by": "bus-medium-30",
+        "plans_page_hidden": False,
+    },
+    {
+        "title": "Tanker",
+        "price": 20000,
+        "privateRepos": 125,
+        "stripeId": "bus-large",
+        "audience": "For large businesses",
+        "bus_features": True,
+        "deprecated": True,
+        "free_trial_days": 14,
+        "superseded_by": "bus-large-30",
+        "plans_page_hidden": False,
+    },
+    # Deprecated plans (2014-2017)
+    {
+        "title": "Personal",
+        "price": 1200,
+        "privateRepos": 5,
+        "stripeId": "personal-30",
+        "audience": "Individuals",
+        "bus_features": False,
+        "deprecated": True,
+        "free_trial_days": 30,
+        "superseded_by": "personal-2018",
+        "plans_page_hidden": False,
+    },
+    {
+        "title": "Skiff",
+        "price": 2500,
+        "privateRepos": 10,
+        "stripeId": "bus-micro-30",
+        "audience": "For startups",
+        "bus_features": True,
+        "deprecated": True,
+        "free_trial_days": 30,
+        "superseded_by": "bus-micro-2018",
+        "plans_page_hidden": False,
+    },
+    {
+        "title": "Yacht",
+        "price": 5000,
+        "privateRepos": 20,
+        "stripeId": "bus-small-30",
+        "audience": "For small businesses",
+        "bus_features": True,
+        "deprecated": True,
+        "free_trial_days": 30,
+        "superseded_by": "bus-small-2018",
+        "plans_page_hidden": False,
+    },
+    {
+        "title": "Freighter",
+        "price": 10000,
+        "privateRepos": 50,
+        "stripeId": "bus-medium-30",
+        "audience": "For normal businesses",
+        "bus_features": True,
+        "deprecated": True,
+        "free_trial_days": 30,
+        "superseded_by": "bus-medium-2018",
+        "plans_page_hidden": False,
+    },
+    {
+        "title": "Tanker",
+        "price": 20000,
+        "privateRepos": 125,
+        "stripeId": "bus-large-30",
+        "audience": "For large businesses",
+        "bus_features": True,
+        "deprecated": True,
+        "free_trial_days": 30,
+        "superseded_by": "bus-large-2018",
+        "plans_page_hidden": False,
+    },
+    {
+        "title": "Carrier",
+        "price": 35000,
+        "privateRepos": 250,
+        "stripeId": "bus-xlarge-30",
+        "audience": "For extra large businesses",
+        "bus_features": True,
+        "deprecated": True,
+        "free_trial_days": 30,
+        "superseded_by": "bus-xlarge-2018",
+        "plans_page_hidden": False,
+    },
+    {
+        "title": "Huge",
+        "price": 65000,
+        "privateRepos": 500,
+        "stripeId": "bus-500-30",
+        "audience": "For huge business",
+        "bus_features": True,
+        "deprecated": True,
+        "free_trial_days": 30,
+        "superseded_by": "bus-500-2018",
+        "plans_page_hidden": False,
+    },
+    {
+        "title": "Huuge",
+        "price": 120000,
+        "privateRepos": 1000,
+        "stripeId": "bus-1000-30",
+        "audience": "For the SaaS savvy enterprise",
+        "bus_features": True,
+        "deprecated": True,
+        "free_trial_days": 30,
+        "superseded_by": "bus-1000-2018",
+        "plans_page_hidden": False,
+    },
+    # Active plans (as of Dec 2017)
+    {
+        "title": "Open Source",
+        "price": 0,
+        "privateRepos": 0,
+        "stripeId": "free",
+        "audience": "Committment to FOSS",
+        "bus_features": False,
+        "deprecated": False,
+        "free_trial_days": 30,
+        "superseded_by": None,
+        "plans_page_hidden": False,
+    },
+    {
+        "title": "Developer",
+        "price": 1500,
+        "privateRepos": 5,
+        "stripeId": "personal-2018",
+        "audience": "Individuals",
+        "bus_features": False,
+        "deprecated": False,
+        "free_trial_days": 30,
+        "superseded_by": None,
+        "plans_page_hidden": False,
+    },
+    {
+        "title": "Micro",
+        "price": 3000,
+        "privateRepos": 10,
+        "stripeId": "bus-micro-2018",
+        "audience": "For startups",
+        "bus_features": True,
+        "deprecated": False,
+        "free_trial_days": 30,
+        "superseded_by": None,
+        "plans_page_hidden": False,
+    },
+    {
+        "title": "Small",
+        "price": 6000,
+        "privateRepos": 20,
+        "stripeId": "bus-small-2018",
+        "audience": "For small businesses",
+        "bus_features": True,
+        "deprecated": False,
+        "free_trial_days": 30,
+        "superseded_by": None,
+        "plans_page_hidden": False,
+    },
+    {
+        "title": "Medium",
+        "price": 12500,
+        "privateRepos": 50,
+        "stripeId": "bus-medium-2018",
+        "audience": "For normal businesses",
+        "bus_features": True,
+        "deprecated": False,
+        "free_trial_days": 30,
+        "superseded_by": None,
+        "plans_page_hidden": False,
+    },
+    {
+        "title": "Large",
+        "price": 25000,
+        "privateRepos": 125,
+        "stripeId": "bus-large-2018",
+        "audience": "For large businesses",
+        "bus_features": True,
+        "deprecated": False,
+        "free_trial_days": 30,
+        "superseded_by": None,
+        "plans_page_hidden": False,
+    },
+    {
+        "title": "Extra Large",
+        "price": 45000,
+        "privateRepos": 250,
+        "stripeId": "bus-xlarge-2018",
+        "audience": "For extra large businesses",
+        "bus_features": True,
+        "deprecated": False,
+        "free_trial_days": 30,
+        "superseded_by": None,
+        "plans_page_hidden": False,
+    },
+    {
+        "title": "XXL",
+        "price": 85000,
+        "privateRepos": 500,
+        "stripeId": "bus-500-2018",
+        "audience": "For huge business",
+        "bus_features": True,
+        "deprecated": False,
+        "free_trial_days": 30,
+        "superseded_by": None,
+        "plans_page_hidden": False,
+    },
+    {
+        "title": "XXXL",
+        "price": 160000,
+        "privateRepos": 1000,
+        "stripeId": "bus-1000-2018",
+        "audience": "For the SaaS savvy enterprise",
+        "bus_features": True,
+        "deprecated": False,
+        "free_trial_days": 30,
+        "superseded_by": None,
+        "plans_page_hidden": False,
+    },
+    {
+        "title": "XXXXL",
+        "price": 310000,
+        "privateRepos": 2000,
+        "stripeId": "bus-2000-2018",
+        "audience": "For the SaaS savvy big enterprise",
+        "bus_features": True,
+        "deprecated": False,
+        "free_trial_days": 30,
+        "superseded_by": None,
+        "plans_page_hidden": False,
+    },
 ]
 
 
 def get_plan(plan_id):
-  """ Returns the plan with the given ID or None if none. """
-  for plan in PLANS:
-    if plan['stripeId'] == plan_id:
-      return plan
+    """ Returns the plan with the given ID or None if none. """
+    for plan in PLANS:
+        if plan["stripeId"] == plan_id:
+            return plan
 
-  return None
+    return None
 
 
 class FakeSubscription(AttrDict):
-  @classmethod
-  def build(cls, data, customer):
-    data = AttrDict.deep_copy(data)
-    data['customer'] = customer
-    return cls(data)
+    @classmethod
+    def build(cls, data, customer):
+        data = AttrDict.deep_copy(data)
+        data["customer"] = customer
+        return cls(data)
 
-  def delete(self):
-    self.customer.subscription = None
+    def delete(self):
+        self.customer.subscription = None
 
 
 class FakeStripe(object):
-  class Customer(AttrDict):
-    FAKE_PLAN = AttrDict({
-      'id': 'bus-small',
-    })
+    class Customer(AttrDict):
+        FAKE_PLAN = AttrDict({"id": "bus-small"})
 
-    FAKE_SUBSCRIPTION = AttrDict({
-      'plan': FAKE_PLAN,
-      'current_period_start': timegm(datetime.utcnow().utctimetuple()),
-      'current_period_end': timegm((datetime.utcnow() + timedelta(days=30)).utctimetuple()),
-      'trial_start': timegm(datetime.utcnow().utctimetuple()),
-      'trial_end': timegm((datetime.utcnow() + timedelta(days=30)).utctimetuple()),
-    })
+        FAKE_SUBSCRIPTION = AttrDict(
+            {
+                "plan": FAKE_PLAN,
+                "current_period_start": timegm(datetime.utcnow().utctimetuple()),
+                "current_period_end": timegm(
+                    (datetime.utcnow() + timedelta(days=30)).utctimetuple()
+                ),
+                "trial_start": timegm(datetime.utcnow().utctimetuple()),
+                "trial_end": timegm(
+                    (datetime.utcnow() + timedelta(days=30)).utctimetuple()
+                ),
+            }
+        )
 
-    FAKE_CARD = AttrDict({
-      'id': 'card123',
-      'name': 'Joe User',
-      'type': 'Visa',
-      'last4': '4242',
-      'exp_month': 5,
-      'exp_year': 2016,
-    })
+        FAKE_CARD = AttrDict(
+            {
+                "id": "card123",
+                "name": "Joe User",
+                "type": "Visa",
+                "last4": "4242",
+                "exp_month": 5,
+                "exp_year": 2016,
+            }
+        )
 
-    FAKE_CARD_LIST = AttrDict({
-      'data': [FAKE_CARD],
-    })
+        FAKE_CARD_LIST = AttrDict({"data": [FAKE_CARD]})
 
-    ACTIVE_CUSTOMERS = {}
+        ACTIVE_CUSTOMERS = {}
 
-    @property
-    def card(self):
-      return self.get('new_card', None)
+        @property
+        def card(self):
+            return self.get("new_card", None)
 
-    @card.setter
-    def card(self, card_token):
-      self['new_card'] = card_token
+        @card.setter
+        def card(self, card_token):
+            self["new_card"] = card_token
 
-    @property
-    def plan(self):
-      return self.get('new_plan', None)
+        @property
+        def plan(self):
+            return self.get("new_plan", None)
 
-    @plan.setter
-    def plan(self, plan_name):
-      self['new_plan'] = plan_name
+        @plan.setter
+        def plan(self, plan_name):
+            self["new_plan"] = plan_name
 
-    def save(self):
-      if self.get('new_card', None) is not None:
-        raise stripe.error.CardError('Test raising exception on set card.', self.get('new_card'), 402)
-      if self.get('new_plan', None) is not None:
-        if self.subscription is None:
-          self.subscription = FakeSubscription.build(self.FAKE_SUBSCRIPTION, self)
-        self.subscription.plan.id = self.get('new_plan')
+        def save(self):
+            if self.get("new_card", None) is not None:
+                raise stripe.error.CardError(
+                    "Test raising exception on set card.", self.get("new_card"), 402
+                )
+            if self.get("new_plan", None) is not None:
+                if self.subscription is None:
+                    self.subscription = FakeSubscription.build(
+                        self.FAKE_SUBSCRIPTION, self
+                    )
+                self.subscription.plan.id = self.get("new_plan")
 
-    @classmethod
-    def retrieve(cls, stripe_customer_id):
-      if stripe_customer_id in cls.ACTIVE_CUSTOMERS:
-        cls.ACTIVE_CUSTOMERS[stripe_customer_id].pop('new_card', None)
-        cls.ACTIVE_CUSTOMERS[stripe_customer_id].pop('new_plan', None)
-        return cls.ACTIVE_CUSTOMERS[stripe_customer_id]
-      else:
-        new_customer = cls({
-          'default_card': 'card123',
-          'cards': AttrDict.deep_copy(cls.FAKE_CARD_LIST),
-          'id': stripe_customer_id,
-        })
-        new_customer.subscription = FakeSubscription.build(cls.FAKE_SUBSCRIPTION, new_customer)
-        cls.ACTIVE_CUSTOMERS[stripe_customer_id] = new_customer
-        return new_customer
+        @classmethod
+        def retrieve(cls, stripe_customer_id):
+            if stripe_customer_id in cls.ACTIVE_CUSTOMERS:
+                cls.ACTIVE_CUSTOMERS[stripe_customer_id].pop("new_card", None)
+                cls.ACTIVE_CUSTOMERS[stripe_customer_id].pop("new_plan", None)
+                return cls.ACTIVE_CUSTOMERS[stripe_customer_id]
+            else:
+                new_customer = cls(
+                    {
+                        "default_card": "card123",
+                        "cards": AttrDict.deep_copy(cls.FAKE_CARD_LIST),
+                        "id": stripe_customer_id,
+                    }
+                )
+                new_customer.subscription = FakeSubscription.build(
+                    cls.FAKE_SUBSCRIPTION, new_customer
+                )
+                cls.ACTIVE_CUSTOMERS[stripe_customer_id] = new_customer
+                return new_customer
 
-  class Invoice(AttrDict):
-    @staticmethod
-    def list(customer, count):
-      return AttrDict({
-        'data': [],
-      })
+    class Invoice(AttrDict):
+        @staticmethod
+        def list(customer, count):
+            return AttrDict({"data": []})
 
 
 class Billing(object):
-  def __init__(self, app=None):
-    self.app = app
-    if app is not None:
-      self.state = self.init_app(app)
-    else:
-      self.state = None
+    def __init__(self, app=None):
+        self.app = app
+        if app is not None:
+            self.state = self.init_app(app)
+        else:
+            self.state = None
 
-  def init_app(self, app):
-    billing_type = app.config.get('BILLING_TYPE', 'FakeStripe')
+    def init_app(self, app):
+        billing_type = app.config.get("BILLING_TYPE", "FakeStripe")
 
-    if billing_type == 'Stripe':
-      billing = stripe
-      stripe.api_key = app.config.get('STRIPE_SECRET_KEY', None)
+        if billing_type == "Stripe":
+            billing = stripe
+            stripe.api_key = app.config.get("STRIPE_SECRET_KEY", None)
 
-    elif billing_type == 'FakeStripe':
-      billing = FakeStripe
+        elif billing_type == "FakeStripe":
+            billing = FakeStripe
 
-    else:
-      raise RuntimeError('Unknown billing type: %s' % billing_type)
+        else:
+            raise RuntimeError("Unknown billing type: %s" % billing_type)
 
-    # register extension with app
-    app.extensions = getattr(app, 'extensions', {})
-    app.extensions['billing'] = billing
-    return billing
+        # register extension with app
+        app.extensions = getattr(app, "extensions", {})
+        app.extensions["billing"] = billing
+        return billing
 
-  def __getattr__(self, name):
-    return getattr(self.state, name, None)
+    def __getattr__(self, name):
+        return getattr(self.state, name, None)
diff --git a/data/buildlogs.py b/data/buildlogs.py
index b6b4d2652..3763cd569 100644
--- a/data/buildlogs.py
+++ b/data/buildlogs.py
@@ -13,167 +13,174 @@ SEVEN_DAYS = timedelta(days=7)
 
 
 class BuildStatusRetrievalError(Exception):
-  pass
+    pass
+
 
 class RedisBuildLogs(object):
-  ERROR = 'error'
-  COMMAND = 'command'
-  PHASE = 'phase'
+    ERROR = "error"
+    COMMAND = "command"
+    PHASE = "phase"
 
-  def __init__(self, redis_config):
-    self._redis_client = None
-    self._redis_config = redis_config
+    def __init__(self, redis_config):
+        self._redis_client = None
+        self._redis_config = redis_config
 
-  @property
-  def _redis(self):
-    if self._redis_client is not None:
-      return self._redis_client
+    @property
+    def _redis(self):
+        if self._redis_client is not None:
+            return self._redis_client
 
-    args = dict(self._redis_config)
-    args.update({'socket_connect_timeout': 1,
-                 'socket_timeout': 2,
-                 'single_connection_client': True})
+        args = dict(self._redis_config)
+        args.update(
+            {
+                "socket_connect_timeout": 1,
+                "socket_timeout": 2,
+                "single_connection_client": True,
+            }
+        )
 
-    self._redis_client = redis.StrictRedis(**args)
-    return self._redis_client
+        self._redis_client = redis.StrictRedis(**args)
+        return self._redis_client
 
-  @staticmethod
-  def _logs_key(build_id):
-    return 'builds/%s/logs' % build_id
+    @staticmethod
+    def _logs_key(build_id):
+        return "builds/%s/logs" % build_id
 
-  def append_log_entry(self, build_id, log_obj):
-    """
+    def append_log_entry(self, build_id, log_obj):
+        """
     Appends the serialized form of log_obj to the end of the log entry list
     and returns the new length of the list.
     """
-    pipeline = self._redis.pipeline(transaction=False)
-    pipeline.expire(self._logs_key(build_id), SEVEN_DAYS)
-    pipeline.rpush(self._logs_key(build_id), json.dumps(log_obj))
-    result = pipeline.execute()
-    return result[1]
+        pipeline = self._redis.pipeline(transaction=False)
+        pipeline.expire(self._logs_key(build_id), SEVEN_DAYS)
+        pipeline.rpush(self._logs_key(build_id), json.dumps(log_obj))
+        result = pipeline.execute()
+        return result[1]
 
-  def append_log_message(self, build_id, log_message, log_type=None, log_data=None):
-    """
+    def append_log_message(self, build_id, log_message, log_type=None, log_data=None):
+        """
     Wraps the message in an envelope and push it to the end of the log entry
     list and returns the index at which it was inserted.
     """
-    log_obj = {
-      'message': log_message
-    }
+        log_obj = {"message": log_message}
 
-    if log_type:
-      log_obj['type'] = log_type
+        if log_type:
+            log_obj["type"] = log_type
 
-    if log_data:
-      log_obj['data'] = log_data
+        if log_data:
+            log_obj["data"] = log_data
 
-    return self.append_log_entry(build_id, log_obj) - 1
+        return self.append_log_entry(build_id, log_obj) - 1
 
-  def get_log_entries(self, build_id, start_index):
-    """
+    def get_log_entries(self, build_id, start_index):
+        """
     Returns a tuple of the current length of the list and an iterable of the
     requested log entries.
     """
-    try:
-      llen = self._redis.llen(self._logs_key(build_id))
-      log_entries = self._redis.lrange(self._logs_key(build_id), start_index, -1)
-      return (llen, (json.loads(entry) for entry in log_entries))
-    except redis.RedisError as re:
-      raise BuildStatusRetrievalError('Cannot retrieve build logs: %s' % re)
+        try:
+            llen = self._redis.llen(self._logs_key(build_id))
+            log_entries = self._redis.lrange(self._logs_key(build_id), start_index, -1)
+            return (llen, (json.loads(entry) for entry in log_entries))
+        except redis.RedisError as re:
+            raise BuildStatusRetrievalError("Cannot retrieve build logs: %s" % re)
 
-  def expire_status(self, build_id):
-    """
+    def expire_status(self, build_id):
+        """
     Sets the status entry to expire in 1 day.
     """
-    self._redis.expire(self._status_key(build_id), ONE_DAY)
+        self._redis.expire(self._status_key(build_id), ONE_DAY)
 
-  def expire_log_entries(self, build_id):
-    """
+    def expire_log_entries(self, build_id):
+        """
     Sets the log entry to expire in 1 day.
     """
-    self._redis.expire(self._logs_key(build_id), ONE_DAY)
+        self._redis.expire(self._logs_key(build_id), ONE_DAY)
 
-  def delete_log_entries(self, build_id):
-    """
+    def delete_log_entries(self, build_id):
+        """
     Delete the log entry
     """
-    self._redis.delete(self._logs_key(build_id))
+        self._redis.delete(self._logs_key(build_id))
 
-  @staticmethod
-  def _status_key(build_id):
-    return 'builds/%s/status' % build_id
+    @staticmethod
+    def _status_key(build_id):
+        return "builds/%s/status" % build_id
 
-  def set_status(self, build_id, status_obj):
-    """
+    def set_status(self, build_id, status_obj):
+        """
     Sets the status key for this build to json serialized form of the supplied
     obj.
     """
-    self._redis.set(self._status_key(build_id), json.dumps(status_obj), ex=SEVEN_DAYS)
+        self._redis.set(
+            self._status_key(build_id), json.dumps(status_obj), ex=SEVEN_DAYS
+        )
 
-  def get_status(self, build_id):
-    """
+    def get_status(self, build_id):
+        """
     Loads the status information for the specified build id.
     """
-    try:
-      fetched = self._redis.get(self._status_key(build_id))
-    except redis.RedisError as re:
-      raise BuildStatusRetrievalError('Cannot retrieve build status: %s' % re)
+        try:
+            fetched = self._redis.get(self._status_key(build_id))
+        except redis.RedisError as re:
+            raise BuildStatusRetrievalError("Cannot retrieve build status: %s" % re)
 
-    return json.loads(fetched) if fetched else None
+        return json.loads(fetched) if fetched else None
 
-  @staticmethod
-  def _health_key():
-    return '_health'
+    @staticmethod
+    def _health_key():
+        return "_health"
 
-  def check_health(self):
-    try:
-      args = dict(self._redis_config)
-      args.update({'socket_connect_timeout': 1,
-                   'socket_timeout': 1,
-                   'single_connection_client': True})
+    def check_health(self):
+        try:
+            args = dict(self._redis_config)
+            args.update(
+                {
+                    "socket_connect_timeout": 1,
+                    "socket_timeout": 1,
+                    "single_connection_client": True,
+                }
+            )
 
-      with closing(redis.StrictRedis(**args)) as connection:
-        if not connection.ping():
-          return (False, 'Could not ping redis')
+            with closing(redis.StrictRedis(**args)) as connection:
+                if not connection.ping():
+                    return (False, "Could not ping redis")
 
-        # Ensure we can write and read a key.
-        connection.set(self._health_key(), time.time())
-        connection.get(self._health_key())
-        return (True, None)
-    except redis.RedisError as re:
-      return (False, 'Could not connect to redis: %s' % re.message)
+                # Ensure we can write and read a key.
+                connection.set(self._health_key(), time.time())
+                connection.get(self._health_key())
+                return (True, None)
+        except redis.RedisError as re:
+            return (False, "Could not connect to redis: %s" % re.message)
 
 
 class BuildLogs(object):
-  def __init__(self, app=None):
-    self.app = app
-    if app is not None:
-      self.state = self.init_app(app)
-    else:
-      self.state = None
+    def __init__(self, app=None):
+        self.app = app
+        if app is not None:
+            self.state = self.init_app(app)
+        else:
+            self.state = None
 
-  def init_app(self, app):
-    buildlogs_config = app.config.get('BUILDLOGS_REDIS')
-    if not buildlogs_config:
-      # This is the old key name.
-      buildlogs_config = {
-        'host': app.config.get('BUILDLOGS_REDIS_HOSTNAME')
-      }
+    def init_app(self, app):
+        buildlogs_config = app.config.get("BUILDLOGS_REDIS")
+        if not buildlogs_config:
+            # This is the old key name.
+            buildlogs_config = {"host": app.config.get("BUILDLOGS_REDIS_HOSTNAME")}
 
-    buildlogs_options = app.config.get('BUILDLOGS_OPTIONS', [])
-    buildlogs_import = app.config.get('BUILDLOGS_MODULE_AND_CLASS', None)
+        buildlogs_options = app.config.get("BUILDLOGS_OPTIONS", [])
+        buildlogs_import = app.config.get("BUILDLOGS_MODULE_AND_CLASS", None)
 
-    if buildlogs_import is None:
-      klass = RedisBuildLogs
-    else:
-      klass = import_class(buildlogs_import[0], buildlogs_import[1])
+        if buildlogs_import is None:
+            klass = RedisBuildLogs
+        else:
+            klass = import_class(buildlogs_import[0], buildlogs_import[1])
 
-    buildlogs = klass(buildlogs_config, *buildlogs_options)
+        buildlogs = klass(buildlogs_config, *buildlogs_options)
 
-    # register extension with app
-    app.extensions = getattr(app, 'extensions', {})
-    app.extensions['buildlogs'] = buildlogs
-    return buildlogs
+        # register extension with app
+        app.extensions = getattr(app, "extensions", {})
+        app.extensions["buildlogs"] = buildlogs
+        return buildlogs
 
-  def __getattr__(self, name):
-    return getattr(self.state, name, None)
+    def __getattr__(self, name):
+        return getattr(self.state, name, None)
diff --git a/data/cache/__init__.py b/data/cache/__init__.py
index a7c44dadd..a604c63e3 100644
--- a/data/cache/__init__.py
+++ b/data/cache/__init__.py
@@ -1,23 +1,32 @@
-from data.cache.impl import NoopDataModelCache, InMemoryDataModelCache, MemcachedModelCache
+from data.cache.impl import (
+    NoopDataModelCache,
+    InMemoryDataModelCache,
+    MemcachedModelCache,
+)
+
 
 def get_model_cache(config):
-  """ Returns a data model cache matching the given configuration. """
-  cache_config = config.get('DATA_MODEL_CACHE_CONFIG', {})
-  engine = cache_config.get('engine', 'noop')
+    """ Returns a data model cache matching the given configuration. """
+    cache_config = config.get("DATA_MODEL_CACHE_CONFIG", {})
+    engine = cache_config.get("engine", "noop")
 
-  if engine == 'noop':
-    return NoopDataModelCache()
+    if engine == "noop":
+        return NoopDataModelCache()
 
-  if engine == 'inmemory':
-    return InMemoryDataModelCache()
+    if engine == "inmemory":
+        return InMemoryDataModelCache()
 
-  if engine == 'memcached':
-    endpoint = cache_config.get('endpoint', None)
-    if endpoint is None:
-      raise Exception('Missing `endpoint` for memcached model cache configuration')
+    if engine == "memcached":
+        endpoint = cache_config.get("endpoint", None)
+        if endpoint is None:
+            raise Exception(
+                "Missing `endpoint` for memcached model cache configuration"
+            )
 
-    timeout = cache_config.get('timeout')
-    connect_timeout = cache_config.get('connect_timeout')
-    return MemcachedModelCache(endpoint, timeout=timeout, connect_timeout=connect_timeout)
+        timeout = cache_config.get("timeout")
+        connect_timeout = cache_config.get("connect_timeout")
+        return MemcachedModelCache(
+            endpoint, timeout=timeout, connect_timeout=connect_timeout
+        )
 
-  raise Exception('Unknown model cache engine `%s`' % engine)
+    raise Exception("Unknown model cache engine `%s`" % engine)
diff --git a/data/cache/cache_key.py b/data/cache/cache_key.py
index 93aad65be..3c99d1d80 100644
--- a/data/cache/cache_key.py
+++ b/data/cache/cache_key.py
@@ -1,27 +1,33 @@
 from collections import namedtuple
 
-class CacheKey(namedtuple('CacheKey', ['key', 'expiration'])):
-  """ Defines a key into the data model cache. """
-  pass
+
+class CacheKey(namedtuple("CacheKey", ["key", "expiration"])):
+    """ Defines a key into the data model cache. """
+
+    pass
 
 
 def for_repository_blob(namespace_name, repo_name, digest, version):
-  """ Returns a cache key for a blob in a repository. """
-  return CacheKey('repo_blob__%s_%s_%s_%s' % (namespace_name, repo_name, digest, version), '60s')
+    """ Returns a cache key for a blob in a repository. """
+    return CacheKey(
+        "repo_blob__%s_%s_%s_%s" % (namespace_name, repo_name, digest, version), "60s"
+    )
 
 
 def for_catalog_page(auth_context_key, start_id, limit):
-  """ Returns a cache key for a single page of a catalog lookup for an authed context. """
-  params = (auth_context_key or '(anon)', start_id or 0, limit or 0)
-  return CacheKey('catalog_page__%s_%s_%s' % params, '60s')
+    """ Returns a cache key for a single page of a catalog lookup for an authed context. """
+    params = (auth_context_key or "(anon)", start_id or 0, limit or 0)
+    return CacheKey("catalog_page__%s_%s_%s" % params, "60s")
 
 
 def for_namespace_geo_restrictions(namespace_name):
-  """ Returns a cache key for the geo restrictions for a namespace. """
-  return CacheKey('geo_restrictions__%s' % (namespace_name), '240s')
+    """ Returns a cache key for the geo restrictions for a namespace. """
+    return CacheKey("geo_restrictions__%s" % (namespace_name), "240s")
 
 
 def for_active_repo_tags(repository_id, start_pagination_id, limit):
-  """ Returns a cache key for the active tags in a repository. """
-  return CacheKey('repo_active_tags__%s_%s_%s' % (repository_id, start_pagination_id, limit),
-                  '120s')
+    """ Returns a cache key for the active tags in a repository. """
+    return CacheKey(
+        "repo_active_tags__%s_%s_%s" % (repository_id, start_pagination_id, limit),
+        "120s",
+    )
diff --git a/data/cache/impl.py b/data/cache/impl.py
index 982e950e9..c374f26e2 100644
--- a/data/cache/impl.py
+++ b/data/cache/impl.py
@@ -15,132 +15,185 @@ logger = logging.getLogger(__name__)
 
 
 def is_not_none(value):
-  return value is not None
+    return value is not None
 
 
 @add_metaclass(ABCMeta)
 class DataModelCache(object):
-  """ Defines an interface for cache storing and returning tuple data model objects. """
+    """ Defines an interface for cache storing and returning tuple data model objects. """
 
-  @abstractmethod
-  def retrieve(self, cache_key, loader, should_cache=is_not_none):
-    """ Checks the cache for the specified cache key and returns the value found (if any). If none
+    @abstractmethod
+    def retrieve(self, cache_key, loader, should_cache=is_not_none):
+        """ Checks the cache for the specified cache key and returns the value found (if any). If none
         found, the loader is called to get a result and populate the cache.
     """
-    pass
+        pass
 
 
 class NoopDataModelCache(DataModelCache):
-  """ Implementation of the data model cache which does nothing. """
+    """ Implementation of the data model cache which does nothing. """
 
-  def retrieve(self, cache_key, loader, should_cache=is_not_none):
-    return loader()
+    def retrieve(self, cache_key, loader, should_cache=is_not_none):
+        return loader()
 
 
 class InMemoryDataModelCache(DataModelCache):
-  """ Implementation of the data model cache backed by an in-memory dictionary. """
-  def __init__(self):
-    self.cache = ExpiresDict()
+    """ Implementation of the data model cache backed by an in-memory dictionary. """
 
-  def retrieve(self, cache_key, loader, should_cache=is_not_none):
-    not_found = [None]
-    logger.debug('Checking cache for key %s', cache_key.key)
-    result = self.cache.get(cache_key.key, default_value=not_found)
-    if result != not_found:
-      logger.debug('Found result in cache for key %s: %s', cache_key.key, result)
-      return json.loads(result)
+    def __init__(self):
+        self.cache = ExpiresDict()
 
-    logger.debug('Found no result in cache for key %s; calling loader', cache_key.key)
-    result = loader()
-    logger.debug('Got loaded result for key %s: %s', cache_key.key, result)
-    if should_cache(result):
-      logger.debug('Caching loaded result for key %s with expiration %s: %s', cache_key.key,
-                   result, cache_key.expiration)
-      expires = convert_to_timedelta(cache_key.expiration) + datetime.now()
-      self.cache.set(cache_key.key, json.dumps(result), expires=expires)
-      logger.debug('Cached loaded result for key %s with expiration %s: %s', cache_key.key,
-                   result, cache_key.expiration)
-    else:
-      logger.debug('Not caching loaded result for key %s: %s', cache_key.key, result)
+    def retrieve(self, cache_key, loader, should_cache=is_not_none):
+        not_found = [None]
+        logger.debug("Checking cache for key %s", cache_key.key)
+        result = self.cache.get(cache_key.key, default_value=not_found)
+        if result != not_found:
+            logger.debug("Found result in cache for key %s: %s", cache_key.key, result)
+            return json.loads(result)
 
-    return result
+        logger.debug(
+            "Found no result in cache for key %s; calling loader", cache_key.key
+        )
+        result = loader()
+        logger.debug("Got loaded result for key %s: %s", cache_key.key, result)
+        if should_cache(result):
+            logger.debug(
+                "Caching loaded result for key %s with expiration %s: %s",
+                cache_key.key,
+                result,
+                cache_key.expiration,
+            )
+            expires = convert_to_timedelta(cache_key.expiration) + datetime.now()
+            self.cache.set(cache_key.key, json.dumps(result), expires=expires)
+            logger.debug(
+                "Cached loaded result for key %s with expiration %s: %s",
+                cache_key.key,
+                result,
+                cache_key.expiration,
+            )
+        else:
+            logger.debug(
+                "Not caching loaded result for key %s: %s", cache_key.key, result
+            )
+
+        return result
 
 
-_DEFAULT_MEMCACHE_TIMEOUT = 1 # second
-_DEFAULT_MEMCACHE_CONNECT_TIMEOUT = 1 # second
+_DEFAULT_MEMCACHE_TIMEOUT = 1  # second
+_DEFAULT_MEMCACHE_CONNECT_TIMEOUT = 1  # second
 
 _STRING_TYPE = 1
 _JSON_TYPE = 2
 
+
 class MemcachedModelCache(DataModelCache):
-  """ Implementation of the data model cache backed by a memcached. """
-  def __init__(self, endpoint, timeout=_DEFAULT_MEMCACHE_TIMEOUT,
-               connect_timeout=_DEFAULT_MEMCACHE_CONNECT_TIMEOUT):
-    self.endpoint = endpoint
-    self.timeout = timeout
-    self.connect_timeout = connect_timeout
-    self.client = None
+    """ Implementation of the data model cache backed by a memcached. """
 
-  def _get_client(self):
-    client = self.client
-    if client is not None:
-      return client
+    def __init__(
+        self,
+        endpoint,
+        timeout=_DEFAULT_MEMCACHE_TIMEOUT,
+        connect_timeout=_DEFAULT_MEMCACHE_CONNECT_TIMEOUT,
+    ):
+        self.endpoint = endpoint
+        self.timeout = timeout
+        self.connect_timeout = connect_timeout
+        self.client = None
 
-    try:
-      # Copied from the doc comment for Client.
-      def serialize_json(key, value):
-        if type(value) == str:
-          return value, _STRING_TYPE
+    def _get_client(self):
+        client = self.client
+        if client is not None:
+            return client
 
-        return json.dumps(value), _JSON_TYPE
+        try:
+            # Copied from the doc comment for Client.
+            def serialize_json(key, value):
+                if type(value) == str:
+                    return value, _STRING_TYPE
 
-      def deserialize_json(key, value, flags):
-        if flags == _STRING_TYPE:
-          return value
+                return json.dumps(value), _JSON_TYPE
 
-        if flags == _JSON_TYPE:
-          return json.loads(value)
+            def deserialize_json(key, value, flags):
+                if flags == _STRING_TYPE:
+                    return value
 
-        raise Exception("Unknown flags for value: {1}".format(flags))
+                if flags == _JSON_TYPE:
+                    return json.loads(value)
 
-      self.client = Client(self.endpoint, no_delay=True, timeout=self.timeout,
-                           connect_timeout=self.connect_timeout,
-                           key_prefix='data_model_cache__',
-                           serializer=serialize_json,
-                           deserializer=deserialize_json,
-                           ignore_exc=True)
-      return self.client
-    except:
-      logger.exception('Got exception when creating memcached client to %s', self.endpoint)
-      return None
+                raise Exception("Unknown flags for value: {1}".format(flags))
 
-  def retrieve(self, cache_key, loader, should_cache=is_not_none):
-    not_found = [None]
-    client = self._get_client()
-    if client is not None:
-      logger.debug('Checking cache for key %s', cache_key.key)
-      try:
-        result = client.get(cache_key.key, default=not_found)
-        if result != not_found:
-          logger.debug('Found result in cache for key %s: %s', cache_key.key, result)
-          return result
-      except:
-       logger.exception('Got exception when trying to retrieve key %s', cache_key.key)
+            self.client = Client(
+                self.endpoint,
+                no_delay=True,
+                timeout=self.timeout,
+                connect_timeout=self.connect_timeout,
+                key_prefix="data_model_cache__",
+                serializer=serialize_json,
+                deserializer=deserialize_json,
+                ignore_exc=True,
+            )
+            return self.client
+        except:
+            logger.exception(
+                "Got exception when creating memcached client to %s", self.endpoint
+            )
+            return None
 
-    logger.debug('Found no result in cache for key %s; calling loader', cache_key.key)
-    result = loader()
-    logger.debug('Got loaded result for key %s: %s', cache_key.key, result)
-    if client is not None and should_cache(result):
-      try:
-        logger.debug('Caching loaded result for key %s with expiration %s: %s', cache_key.key,
-                      result, cache_key.expiration)
-        expires = convert_to_timedelta(cache_key.expiration) if cache_key.expiration else None
-        client.set(cache_key.key, result, expire=int(expires.total_seconds()) if expires else None)
-        logger.debug('Cached loaded result for key %s with expiration %s: %s', cache_key.key,
-                      result, cache_key.expiration)
-      except:
-        logger.exception('Got exception when trying to set key %s to %s', cache_key.key, result)
-    else:
-      logger.debug('Not caching loaded result for key %s: %s', cache_key.key, result)
+    def retrieve(self, cache_key, loader, should_cache=is_not_none):
+        not_found = [None]
+        client = self._get_client()
+        if client is not None:
+            logger.debug("Checking cache for key %s", cache_key.key)
+            try:
+                result = client.get(cache_key.key, default=not_found)
+                if result != not_found:
+                    logger.debug(
+                        "Found result in cache for key %s: %s", cache_key.key, result
+                    )
+                    return result
+            except:
+                logger.exception(
+                    "Got exception when trying to retrieve key %s", cache_key.key
+                )
 
-    return result
+        logger.debug(
+            "Found no result in cache for key %s; calling loader", cache_key.key
+        )
+        result = loader()
+        logger.debug("Got loaded result for key %s: %s", cache_key.key, result)
+        if client is not None and should_cache(result):
+            try:
+                logger.debug(
+                    "Caching loaded result for key %s with expiration %s: %s",
+                    cache_key.key,
+                    result,
+                    cache_key.expiration,
+                )
+                expires = (
+                    convert_to_timedelta(cache_key.expiration)
+                    if cache_key.expiration
+                    else None
+                )
+                client.set(
+                    cache_key.key,
+                    result,
+                    expire=int(expires.total_seconds()) if expires else None,
+                )
+                logger.debug(
+                    "Cached loaded result for key %s with expiration %s: %s",
+                    cache_key.key,
+                    result,
+                    cache_key.expiration,
+                )
+            except:
+                logger.exception(
+                    "Got exception when trying to set key %s to %s",
+                    cache_key.key,
+                    result,
+                )
+        else:
+            logger.debug(
+                "Not caching loaded result for key %s: %s", cache_key.key, result
+            )
+
+        return result
diff --git a/data/cache/test/test_cache.py b/data/cache/test/test_cache.py
index bf0c4cccd..380765ce0 100644
--- a/data/cache/test/test_cache.py
+++ b/data/cache/test/test_cache.py
@@ -5,52 +5,50 @@ from mock import patch
 from data.cache import InMemoryDataModelCache, NoopDataModelCache, MemcachedModelCache
 from data.cache.cache_key import CacheKey
 
+
 class MockClient(object):
-  def __init__(self, server, **kwargs):
-    self.data = {}
+    def __init__(self, server, **kwargs):
+        self.data = {}
 
-  def get(self, key, default=None):
-    return self.data.get(key, default)
+    def get(self, key, default=None):
+        return self.data.get(key, default)
 
-  def set(self, key, value, expire=None):
-    self.data[key] = value
+    def set(self, key, value, expire=None):
+        self.data[key] = value
 
 
-@pytest.mark.parametrize('cache_type', [
-  (NoopDataModelCache),
-  (InMemoryDataModelCache),
-])
+@pytest.mark.parametrize("cache_type", [(NoopDataModelCache), (InMemoryDataModelCache)])
 def test_caching(cache_type):
-  key = CacheKey('foo', '60m')
-  cache = cache_type()
+    key = CacheKey("foo", "60m")
+    cache = cache_type()
 
-  # Perform two retrievals, and make sure both return.
-  assert cache.retrieve(key, lambda: {'a': 1234}) == {'a': 1234}
-  assert cache.retrieve(key, lambda: {'a': 1234}) == {'a': 1234}
+    # Perform two retrievals, and make sure both return.
+    assert cache.retrieve(key, lambda: {"a": 1234}) == {"a": 1234}
+    assert cache.retrieve(key, lambda: {"a": 1234}) == {"a": 1234}
 
 
 def test_memcache():
-  key = CacheKey('foo', '60m')
-  with patch('data.cache.impl.Client', MockClient):
-    cache = MemcachedModelCache(('127.0.0.1', '-1'))
-    assert cache.retrieve(key, lambda: {'a': 1234}) == {'a': 1234}
-    assert cache.retrieve(key, lambda: {'a': 1234}) == {'a': 1234}
+    key = CacheKey("foo", "60m")
+    with patch("data.cache.impl.Client", MockClient):
+        cache = MemcachedModelCache(("127.0.0.1", "-1"))
+        assert cache.retrieve(key, lambda: {"a": 1234}) == {"a": 1234}
+        assert cache.retrieve(key, lambda: {"a": 1234}) == {"a": 1234}
 
 
 def test_memcache_should_cache():
-  key = CacheKey('foo', None)
+    key = CacheKey("foo", None)
 
-  def sc(value):
-    return value['a'] != 1234
+    def sc(value):
+        return value["a"] != 1234
 
-  with patch('data.cache.impl.Client', MockClient):
-    cache = MemcachedModelCache(('127.0.0.1', '-1'))
-    assert cache.retrieve(key, lambda: {'a': 1234}, should_cache=sc) == {'a': 1234}
+    with patch("data.cache.impl.Client", MockClient):
+        cache = MemcachedModelCache(("127.0.0.1", "-1"))
+        assert cache.retrieve(key, lambda: {"a": 1234}, should_cache=sc) == {"a": 1234}
 
-    # Ensure not cached since it was `1234`.
-    assert cache._get_client().get(key.key) is None
+        # Ensure not cached since it was `1234`.
+        assert cache._get_client().get(key.key) is None
 
-    # Ensure cached.
-    assert cache.retrieve(key, lambda: {'a': 2345}, should_cache=sc) == {'a': 2345}
-    assert cache._get_client().get(key.key) is not None
-    assert cache.retrieve(key, lambda: {'a': 2345}, should_cache=sc) == {'a': 2345}
+        # Ensure cached.
+        assert cache.retrieve(key, lambda: {"a": 2345}, should_cache=sc) == {"a": 2345}
+        assert cache._get_client().get(key.key) is not None
+        assert cache.retrieve(key, lambda: {"a": 2345}, should_cache=sc) == {"a": 2345}
diff --git a/data/database.py b/data/database.py
index 62c59e6e0..2a0a90f6b 100644
--- a/data/database.py
+++ b/data/database.py
@@ -18,7 +18,11 @@ import toposort
 from enum import IntEnum, Enum, unique
 from peewee import *
 from peewee import __exception_wrapper__, Function
-from playhouse.pool import PooledMySQLDatabase, PooledPostgresqlDatabase, PooledSqliteDatabase
+from playhouse.pool import (
+    PooledMySQLDatabase,
+    PooledPostgresqlDatabase,
+    PooledSqliteDatabase,
+)
 
 from sqlalchemy.engine.url import make_url
 
@@ -26,9 +30,18 @@ import resumablehashlib
 from cachetools.func import lru_cache
 
 from active_migration import ERTMigrationFlags, ActiveDataMigration
-from data.fields import (ResumableSHA256Field, ResumableSHA1Field, JSONField, Base64BinaryField,
-                         FullIndexedTextField, FullIndexedCharField, EnumField as ClientEnumField,
-                         EncryptedTextField, EncryptedCharField, CredentialField)
+from data.fields import (
+    ResumableSHA256Field,
+    ResumableSHA1Field,
+    JSONField,
+    Base64BinaryField,
+    FullIndexedTextField,
+    FullIndexedCharField,
+    EnumField as ClientEnumField,
+    EncryptedTextField,
+    EncryptedCharField,
+    CredentialField,
+)
 from data.text import match_mysql, match_like
 from data.encryption import FieldEncrypter
 from data.readreplica import ReadReplicaSupportedModel, ReadOnlyConfig
@@ -38,86 +51,86 @@ from util.validation import validate_postgres_precondition
 
 logger = logging.getLogger(__name__)
 
-DEFAULT_DB_CONNECT_TIMEOUT = 10 # seconds
+DEFAULT_DB_CONNECT_TIMEOUT = 10  # seconds
 
 
 # IMAGE_NOT_SCANNED_ENGINE_VERSION is the version found in security_indexed_engine when the
 # image has not yet been scanned.
 IMAGE_NOT_SCANNED_ENGINE_VERSION = -1
 
-schemedriver = namedtuple('schemedriver', ['driver', 'pooled_driver'])
+schemedriver = namedtuple("schemedriver", ["driver", "pooled_driver"])
 
 _SCHEME_DRIVERS = {
-  'mysql': schemedriver(MySQLDatabase, PooledMySQLDatabase),
-  'mysql+pymysql': schemedriver(MySQLDatabase, PooledMySQLDatabase),
-  'sqlite': schemedriver(SqliteDatabase, PooledSqliteDatabase),
-  'postgresql': schemedriver(PostgresqlDatabase, PooledPostgresqlDatabase),
-  'postgresql+psycopg2': schemedriver(PostgresqlDatabase, PooledPostgresqlDatabase),
+    "mysql": schemedriver(MySQLDatabase, PooledMySQLDatabase),
+    "mysql+pymysql": schemedriver(MySQLDatabase, PooledMySQLDatabase),
+    "sqlite": schemedriver(SqliteDatabase, PooledSqliteDatabase),
+    "postgresql": schemedriver(PostgresqlDatabase, PooledPostgresqlDatabase),
+    "postgresql+psycopg2": schemedriver(PostgresqlDatabase, PooledPostgresqlDatabase),
 }
 
 
 SCHEME_MATCH_FUNCTION = {
-  'mysql': match_mysql,
-  'mysql+pymysql': match_mysql,
-  'sqlite': match_like,
-  'postgresql': match_like,
-  'postgresql+psycopg2': match_like,
+    "mysql": match_mysql,
+    "mysql+pymysql": match_mysql,
+    "sqlite": match_like,
+    "postgresql": match_like,
+    "postgresql+psycopg2": match_like,
 }
 
 
 SCHEME_RANDOM_FUNCTION = {
-  'mysql': fn.Rand,
-  'mysql+pymysql': fn.Rand,
-  'sqlite': fn.Random,
-  'postgresql': fn.Random,
-  'postgresql+psycopg2': fn.Random,
+    "mysql": fn.Rand,
+    "mysql+pymysql": fn.Rand,
+    "sqlite": fn.Random,
+    "postgresql": fn.Random,
+    "postgresql+psycopg2": fn.Random,
 }
 
 
 PRECONDITION_VALIDATION = {
-  'postgresql': validate_postgres_precondition,
-  'postgresql+psycopg2': validate_postgres_precondition,
+    "postgresql": validate_postgres_precondition,
+    "postgresql+psycopg2": validate_postgres_precondition,
 }
 
 
 _EXTRA_ARGS = {
-  'mysql': dict(charset='utf8mb4'),
-  'mysql+pymysql': dict(charset='utf8mb4'),
+    "mysql": dict(charset="utf8mb4"),
+    "mysql+pymysql": dict(charset="utf8mb4"),
 }
 
 
 def pipes_concat(arg1, arg2, *extra_args):
-  """ Concat function for sqlite, since it doesn't support fn.Concat.
+    """ Concat function for sqlite, since it doesn't support fn.Concat.
       Concatenates clauses with || characters.
   """
-  reduced = arg1.concat(arg2)
-  for arg in extra_args:
-    reduced = reduced.concat(arg)
-  return reduced
+    reduced = arg1.concat(arg2)
+    for arg in extra_args:
+        reduced = reduced.concat(arg)
+    return reduced
 
 
 def function_concat(arg1, arg2, *extra_args):
-  """ Default implementation of concat which uses fn.Concat(). Used by all
+    """ Default implementation of concat which uses fn.Concat(). Used by all
       database engines except sqlite.
   """
-  return fn.Concat(arg1, arg2, *extra_args)
+    return fn.Concat(arg1, arg2, *extra_args)
 
 
-SCHEME_SPECIALIZED_CONCAT = {
-  'sqlite': pipes_concat,
-}
+SCHEME_SPECIALIZED_CONCAT = {"sqlite": pipes_concat}
 
 
 def real_for_update(query):
-  return query.for_update()
+    return query.for_update()
 
 
 def null_for_update(query):
-  return query
+    return query
 
 
-def delete_instance_filtered(instance, model_class, delete_nullable, skip_transitive_deletes):
-  """ Deletes the DB instance recursively, skipping any models in the skip_transitive_deletes set.
+def delete_instance_filtered(
+    instance, model_class, delete_nullable, skip_transitive_deletes
+):
+    """ Deletes the DB instance recursively, skipping any models in the skip_transitive_deletes set.
 
       Callers *must* ensure that any models listed in the skip_transitive_deletes must be capable
       of being directly deleted when the instance is deleted (with automatic sorting handling
@@ -127,143 +140,147 @@ def delete_instance_filtered(instance, model_class, delete_nullable, skip_transi
       *same* repository when RepositoryTag references Image, so we can safely skip
       transitive deletion for the RepositoryTag table.
   """
-  # We need to sort the ops so that models get cleaned in order of their dependencies
-  ops = reversed(list(instance.dependencies(delete_nullable)))
-  filtered_ops = []
+    # We need to sort the ops so that models get cleaned in order of their dependencies
+    ops = reversed(list(instance.dependencies(delete_nullable)))
+    filtered_ops = []
 
-  dependencies = defaultdict(set)
+    dependencies = defaultdict(set)
 
-  for query, fk in ops:
-    # We only want to skip transitive deletes, which are done using subqueries in the form of
-    # DELETE FROM <table> in <subquery>. If an op is not using a subquery, we allow it to be
-    # applied directly.
-    if fk.model not in skip_transitive_deletes or query.op.lower() != 'in':
-      filtered_ops.append((query, fk))
+    for query, fk in ops:
+        # We only want to skip transitive deletes, which are done using subqueries in the form of
+        # DELETE FROM <table> in <subquery>. If an op is not using a subquery, we allow it to be
+        # applied directly.
+        if fk.model not in skip_transitive_deletes or query.op.lower() != "in":
+            filtered_ops.append((query, fk))
 
-    if query.op.lower() == 'in':
-      dependencies[fk.model.__name__].add(query.rhs.model.__name__)
-    elif query.op == '=':
-      dependencies[fk.model.__name__].add(model_class.__name__)
-    else:
-      raise RuntimeError('Unknown operator in recursive repository delete query')
+        if query.op.lower() == "in":
+            dependencies[fk.model.__name__].add(query.rhs.model.__name__)
+        elif query.op == "=":
+            dependencies[fk.model.__name__].add(model_class.__name__)
+        else:
+            raise RuntimeError("Unknown operator in recursive repository delete query")
 
-  sorted_models = list(reversed(toposort.toposort_flatten(dependencies)))
-  def sorted_model_key(query_fk_tuple):
-    cmp_query, cmp_fk = query_fk_tuple
-    if cmp_query.op.lower() == 'in':
-      return -1
-    return sorted_models.index(cmp_fk.model.__name__)
-  filtered_ops.sort(key=sorted_model_key)
+    sorted_models = list(reversed(toposort.toposort_flatten(dependencies)))
 
-  with db_transaction():
-    for query, fk in filtered_ops:
-      _model = fk.model
-      if fk.null and not delete_nullable:
-        _model.update(**{fk.name: None}).where(query).execute()
-      else:
-        _model.delete().where(query).execute()
+    def sorted_model_key(query_fk_tuple):
+        cmp_query, cmp_fk = query_fk_tuple
+        if cmp_query.op.lower() == "in":
+            return -1
+        return sorted_models.index(cmp_fk.model.__name__)
 
-    return instance.delete().where(instance._pk_expr()).execute()
+    filtered_ops.sort(key=sorted_model_key)
+
+    with db_transaction():
+        for query, fk in filtered_ops:
+            _model = fk.model
+            if fk.null and not delete_nullable:
+                _model.update(**{fk.name: None}).where(query).execute()
+            else:
+                _model.delete().where(query).execute()
+
+        return instance.delete().where(instance._pk_expr()).execute()
 
 
-SCHEME_SPECIALIZED_FOR_UPDATE = {
-  'sqlite': null_for_update,
-}
+SCHEME_SPECIALIZED_FOR_UPDATE = {"sqlite": null_for_update}
 
 
 class CallableProxy(Proxy):
-  def __call__(self, *args, **kwargs):
-    if self.obj is None:
-      raise AttributeError('Cannot use uninitialized Proxy.')
-    return self.obj(*args, **kwargs)
+    def __call__(self, *args, **kwargs):
+        if self.obj is None:
+            raise AttributeError("Cannot use uninitialized Proxy.")
+        return self.obj(*args, **kwargs)
 
 
 class RetryOperationalError(object):
+    def execute_sql(self, sql, params=None, commit=True):
+        try:
+            cursor = super(RetryOperationalError, self).execute_sql(sql, params, commit)
+        except OperationalError:
+            if not self.is_closed():
+                self.close()
 
-  def execute_sql(self, sql, params=None, commit=True):
-    try:
-      cursor = super(RetryOperationalError, self).execute_sql(sql, params, commit)
-    except OperationalError:
-      if not self.is_closed():
-        self.close()
+            with __exception_wrapper__:
+                cursor = self.cursor()
+                cursor.execute(sql, params or ())
+                if commit and not self.in_transaction():
+                    self.commit()
 
-      with __exception_wrapper__:
-        cursor = self.cursor()
-        cursor.execute(sql, params or ())
-        if commit and not self.in_transaction():
-          self.commit()
-
-    return cursor
+        return cursor
 
 
 class CloseForLongOperation(object):
-  """ Helper object which disconnects the database then reconnects after the nested operation
+    """ Helper object which disconnects the database then reconnects after the nested operation
       completes.
   """
 
-  def __init__(self, config_object):
-    self.config_object = config_object
+    def __init__(self, config_object):
+        self.config_object = config_object
 
-  def __enter__(self):
-    if self.config_object.get('TESTING') is True:
-      return
+    def __enter__(self):
+        if self.config_object.get("TESTING") is True:
+            return
 
-    close_db_filter(None)
+        close_db_filter(None)
 
-  def __exit__(self, typ, value, traceback):
-    # Note: Nothing to do. The next SQL call will reconnect automatically.
-    pass
+    def __exit__(self, typ, value, traceback):
+        # Note: Nothing to do. The next SQL call will reconnect automatically.
+        pass
 
 
 class UseThenDisconnect(object):
-  """ Helper object for conducting work with a database and then tearing it down. """
+    """ Helper object for conducting work with a database and then tearing it down. """
 
-  def __init__(self, config_object):
-    self.config_object = config_object
+    def __init__(self, config_object):
+        self.config_object = config_object
 
-  def __enter__(self):
-    pass
+    def __enter__(self):
+        pass
 
-  def __exit__(self, typ, value, traceback):
-    if self.config_object.get('TESTING') is True:
-      return
+    def __exit__(self, typ, value, traceback):
+        if self.config_object.get("TESTING") is True:
+            return
 
-    close_db_filter(None)
+        close_db_filter(None)
 
 
 class TupleSelector(object):
-  """ Helper class for selecting tuples from a peewee query and easily accessing
+    """ Helper class for selecting tuples from a peewee query and easily accessing
       them as if they were objects.
   """
-  class _TupleWrapper(object):
-    def __init__(self, data, fields):
-      self._data = data
-      self._fields = fields
 
-    def get(self, field):
-      return self._data[self._fields.index(TupleSelector.tuple_reference_key(field))]
+    class _TupleWrapper(object):
+        def __init__(self, data, fields):
+            self._data = data
+            self._fields = fields
 
-  @classmethod
-  def tuple_reference_key(cls, field):
-    """ Returns a string key for referencing a field in a TupleSelector. """
-    if isinstance(field, Function):
-      return field.name + ','.join([cls.tuple_reference_key(arg) for arg in field.arguments])
+        def get(self, field):
+            return self._data[
+                self._fields.index(TupleSelector.tuple_reference_key(field))
+            ]
 
-    if isinstance(field, Field):
-      return field.name + ':' + field.model.__name__
+    @classmethod
+    def tuple_reference_key(cls, field):
+        """ Returns a string key for referencing a field in a TupleSelector. """
+        if isinstance(field, Function):
+            return field.name + ",".join(
+                [cls.tuple_reference_key(arg) for arg in field.arguments]
+            )
 
-    raise Exception('Unknown field type %s in TupleSelector' % field._node_type)
+        if isinstance(field, Field):
+            return field.name + ":" + field.model.__name__
 
-  def __init__(self, query, fields):
-    self._query = query.select(*fields).tuples()
-    self._fields = [TupleSelector.tuple_reference_key(field) for field in fields]
+        raise Exception("Unknown field type %s in TupleSelector" % field._node_type)
 
-  def __iter__(self):
-    return self._build_iterator()
+    def __init__(self, query, fields):
+        self._query = query.select(*fields).tuples()
+        self._fields = [TupleSelector.tuple_reference_key(field) for field in fields]
 
-  def _build_iterator(self):
-    for tuple_data in self._query:
-      yield TupleSelector._TupleWrapper(tuple_data, self._fields)
+    def __iter__(self):
+        return self._build_iterator()
+
+    def _build_iterator(self):
+        for tuple_data in self._query:
+            yield TupleSelector._TupleWrapper(tuple_data, self._fields)
 
 
 db = Proxy()
@@ -278,141 +295,170 @@ ensure_under_transaction = CallableProxy()
 
 
 def validate_database_url(url, db_kwargs, connect_timeout=5):
-  """ Validates that we can connect to the given database URL, with the given kwargs. Raises
+    """ Validates that we can connect to the given database URL, with the given kwargs. Raises
       an exception if the validation fails. """
-  db_kwargs = db_kwargs.copy()
+    db_kwargs = db_kwargs.copy()
 
-  try:
-    driver = _db_from_url(url, db_kwargs, connect_timeout=connect_timeout, allow_retry=False,
-                          allow_pooling=False)
-    driver.connect()
-  finally:
     try:
-      driver.close()
-    except:
-      pass
+        driver = _db_from_url(
+            url,
+            db_kwargs,
+            connect_timeout=connect_timeout,
+            allow_retry=False,
+            allow_pooling=False,
+        )
+        driver.connect()
+    finally:
+        try:
+            driver.close()
+        except:
+            pass
 
 
 def validate_database_precondition(url, db_kwargs, connect_timeout=5):
-  """ Validates that we can connect to the given database URL and the database meets our
+    """ Validates that we can connect to the given database URL and the database meets our
       precondition. Raises an exception if the validation fails. """
-  db_kwargs = db_kwargs.copy()
-  try:
-    driver = _db_from_url(url, db_kwargs, connect_timeout=connect_timeout, allow_retry=False,
-                          allow_pooling=False)
-    driver.connect()
-    pre_condition_check = PRECONDITION_VALIDATION.get(make_url(url).drivername)
-    if pre_condition_check:
-      pre_condition_check(driver)
-
-  finally:
+    db_kwargs = db_kwargs.copy()
     try:
-      driver.close()
-    except:
-      pass
+        driver = _db_from_url(
+            url,
+            db_kwargs,
+            connect_timeout=connect_timeout,
+            allow_retry=False,
+            allow_pooling=False,
+        )
+        driver.connect()
+        pre_condition_check = PRECONDITION_VALIDATION.get(make_url(url).drivername)
+        if pre_condition_check:
+            pre_condition_check(driver)
+
+    finally:
+        try:
+            driver.close()
+        except:
+            pass
 
 
 def _wrap_for_retry(driver):
-  return type('Retrying' + driver.__name__, (RetryOperationalError, driver), {})
+    return type("Retrying" + driver.__name__, (RetryOperationalError, driver), {})
 
 
-def _db_from_url(url, db_kwargs, connect_timeout=DEFAULT_DB_CONNECT_TIMEOUT,
-                 allow_pooling=True, allow_retry=True):
-  parsed_url = make_url(url)
+def _db_from_url(
+    url,
+    db_kwargs,
+    connect_timeout=DEFAULT_DB_CONNECT_TIMEOUT,
+    allow_pooling=True,
+    allow_retry=True,
+):
+    parsed_url = make_url(url)
 
-  if parsed_url.host:
-    db_kwargs['host'] = parsed_url.host
-  if parsed_url.port:
-    db_kwargs['port'] = parsed_url.port
-  if parsed_url.username:
-    db_kwargs['user'] = parsed_url.username
-  if parsed_url.password:
-    db_kwargs['password'] = parsed_url.password
+    if parsed_url.host:
+        db_kwargs["host"] = parsed_url.host
+    if parsed_url.port:
+        db_kwargs["port"] = parsed_url.port
+    if parsed_url.username:
+        db_kwargs["user"] = parsed_url.username
+    if parsed_url.password:
+        db_kwargs["password"] = parsed_url.password
 
-  # Remove threadlocals. It used to be required.
-  db_kwargs.pop('threadlocals', None)
+    # Remove threadlocals. It used to be required.
+    db_kwargs.pop("threadlocals", None)
 
-  # Note: sqlite does not support connect_timeout.
-  if parsed_url.drivername != 'sqlite':
-    db_kwargs['connect_timeout'] = db_kwargs.get('connect_timeout', connect_timeout)
+    # Note: sqlite does not support connect_timeout.
+    if parsed_url.drivername != "sqlite":
+        db_kwargs["connect_timeout"] = db_kwargs.get("connect_timeout", connect_timeout)
 
-  drivers = _SCHEME_DRIVERS[parsed_url.drivername]
-  driver = drivers.driver
-  if allow_pooling and os.getenv('DB_CONNECTION_POOLING', 'false').lower() == 'true':
-    driver = drivers.pooled_driver
-    db_kwargs['stale_timeout'] = db_kwargs.get('stale_timeout', None)
-    db_kwargs['max_connections'] = db_kwargs.get('max_connections', None)
-    logger.info('Connection pooling enabled for %s; stale timeout: %s; max connection count: %s',
-                parsed_url.drivername, db_kwargs['stale_timeout'], db_kwargs['max_connections'])
-  else:
-    logger.info('Connection pooling disabled for %s', parsed_url.drivername)
-    db_kwargs.pop('stale_timeout', None)
-    db_kwargs.pop('max_connections', None)
+    drivers = _SCHEME_DRIVERS[parsed_url.drivername]
+    driver = drivers.driver
+    if allow_pooling and os.getenv("DB_CONNECTION_POOLING", "false").lower() == "true":
+        driver = drivers.pooled_driver
+        db_kwargs["stale_timeout"] = db_kwargs.get("stale_timeout", None)
+        db_kwargs["max_connections"] = db_kwargs.get("max_connections", None)
+        logger.info(
+            "Connection pooling enabled for %s; stale timeout: %s; max connection count: %s",
+            parsed_url.drivername,
+            db_kwargs["stale_timeout"],
+            db_kwargs["max_connections"],
+        )
+    else:
+        logger.info("Connection pooling disabled for %s", parsed_url.drivername)
+        db_kwargs.pop("stale_timeout", None)
+        db_kwargs.pop("max_connections", None)
 
-  for key, value in _EXTRA_ARGS.get(parsed_url.drivername, {}).iteritems():
-    if key not in db_kwargs:
-      db_kwargs[key] = value
+    for key, value in _EXTRA_ARGS.get(parsed_url.drivername, {}).iteritems():
+        if key not in db_kwargs:
+            db_kwargs[key] = value
 
-  if allow_retry:
-    driver = _wrap_for_retry(driver)
+    if allow_retry:
+        driver = _wrap_for_retry(driver)
 
-  created = driver(parsed_url.database, **db_kwargs)
-  
-  # Revert the behavior "fixed" in:
-  # https://github.com/coleifer/peewee/commit/36bd887ac07647c60dfebe610b34efabec675706
-  if parsed_url.drivername.find("mysql") >= 0:
-    created.compound_select_parentheses = 0  
-  return created
+    created = driver(parsed_url.database, **db_kwargs)
+
+    # Revert the behavior "fixed" in:
+    # https://github.com/coleifer/peewee/commit/36bd887ac07647c60dfebe610b34efabec675706
+    if parsed_url.drivername.find("mysql") >= 0:
+        created.compound_select_parentheses = 0
+    return created
 
 
 def configure(config_object, testing=False):
-  logger.debug('Configuring database')
-  db_kwargs = dict(config_object['DB_CONNECTION_ARGS'])
-  write_db_uri = config_object['DB_URI']
-  db.initialize(_db_from_url(write_db_uri, db_kwargs))
+    logger.debug("Configuring database")
+    db_kwargs = dict(config_object["DB_CONNECTION_ARGS"])
+    write_db_uri = config_object["DB_URI"]
+    db.initialize(_db_from_url(write_db_uri, db_kwargs))
 
-  parsed_write_uri = make_url(write_db_uri)
-  db_random_func.initialize(SCHEME_RANDOM_FUNCTION[parsed_write_uri.drivername])
-  db_match_func.initialize(SCHEME_MATCH_FUNCTION[parsed_write_uri.drivername])
-  db_for_update.initialize(SCHEME_SPECIALIZED_FOR_UPDATE.get(parsed_write_uri.drivername,
-                                                             real_for_update))
-  db_concat_func.initialize(SCHEME_SPECIALIZED_CONCAT.get(parsed_write_uri.drivername,
-                                                          function_concat))
-  db_encrypter.initialize(FieldEncrypter(config_object.get('DATABASE_SECRET_KEY')))
+    parsed_write_uri = make_url(write_db_uri)
+    db_random_func.initialize(SCHEME_RANDOM_FUNCTION[parsed_write_uri.drivername])
+    db_match_func.initialize(SCHEME_MATCH_FUNCTION[parsed_write_uri.drivername])
+    db_for_update.initialize(
+        SCHEME_SPECIALIZED_FOR_UPDATE.get(parsed_write_uri.drivername, real_for_update)
+    )
+    db_concat_func.initialize(
+        SCHEME_SPECIALIZED_CONCAT.get(parsed_write_uri.drivername, function_concat)
+    )
+    db_encrypter.initialize(FieldEncrypter(config_object.get("DATABASE_SECRET_KEY")))
 
-  read_replicas = config_object.get('DB_READ_REPLICAS', None)
-  is_read_only = config_object.get('REGISTRY_STATE', 'normal') == 'readonly'
+    read_replicas = config_object.get("DB_READ_REPLICAS", None)
+    is_read_only = config_object.get("REGISTRY_STATE", "normal") == "readonly"
 
-  read_replica_dbs = []
-  if read_replicas:
-    read_replica_dbs = [_db_from_url(config['DB_URI'], db_kwargs) for config in read_replicas]
+    read_replica_dbs = []
+    if read_replicas:
+        read_replica_dbs = [
+            _db_from_url(config["DB_URI"], db_kwargs) for config in read_replicas
+        ]
 
-  read_only_config.initialize(ReadOnlyConfig(is_read_only, read_replica_dbs))
+    read_only_config.initialize(ReadOnlyConfig(is_read_only, read_replica_dbs))
 
-  def _db_transaction():
-    return config_object['DB_TRANSACTION_FACTORY'](db)
+    def _db_transaction():
+        return config_object["DB_TRANSACTION_FACTORY"](db)
 
-  @contextmanager
-  def _ensure_under_transaction():
-    if not testing and not config_object['TESTING']:
-      if db.transaction_depth() == 0:
-        raise Exception('Expected to be under a transaction')
+    @contextmanager
+    def _ensure_under_transaction():
+        if not testing and not config_object["TESTING"]:
+            if db.transaction_depth() == 0:
+                raise Exception("Expected to be under a transaction")
 
-    yield
+        yield
+
+    db_transaction.initialize(_db_transaction)
+    ensure_under_transaction.initialize(_ensure_under_transaction)
 
-  db_transaction.initialize(_db_transaction)
-  ensure_under_transaction.initialize(_ensure_under_transaction)
 
 def random_string_generator(length=16):
-  def random_string():
-    random = SystemRandom()
-    return ''.join([random.choice(string.ascii_uppercase + string.digits)
-                    for _ in range(length)])
-  return random_string
+    def random_string():
+        random = SystemRandom()
+        return "".join(
+            [
+                random.choice(string.ascii_uppercase + string.digits)
+                for _ in range(length)
+            ]
+        )
+
+    return random_string
 
 
 def uuid_generator():
-  return str(uuid.uuid4())
+    return str(uuid.uuid4())
 
 
 get_epoch_timestamp = lambda: int(time.time())
@@ -420,1374 +466,1494 @@ get_epoch_timestamp_ms = lambda: int(time.time() * 1000)
 
 
 def close_db_filter(_):
-  if db.obj is not None and not db.is_closed():
-    logger.debug('Disconnecting from database.')
-    db.close()
+    if db.obj is not None and not db.is_closed():
+        logger.debug("Disconnecting from database.")
+        db.close()
 
-  if read_only_config.obj is not None:
-    for read_replica in read_only_config.obj.read_replicas:
-      if not read_replica.is_closed():
-        logger.debug('Disconnecting from read replica.')
-        read_replica.close()
+    if read_only_config.obj is not None:
+        for read_replica in read_only_config.obj.read_replicas:
+            if not read_replica.is_closed():
+                logger.debug("Disconnecting from read replica.")
+                read_replica.close()
 
 
 class QuayUserField(ForeignKeyField):
-  def __init__(self, allows_robots=False, robot_null_delete=False, *args, **kwargs):
-    self.allows_robots = allows_robots
-    self.robot_null_delete = robot_null_delete
-    if 'model' not in kwargs:
-      kwargs['model'] = User
-    super(QuayUserField, self).__init__(*args, **kwargs)
+    def __init__(self, allows_robots=False, robot_null_delete=False, *args, **kwargs):
+        self.allows_robots = allows_robots
+        self.robot_null_delete = robot_null_delete
+        if "model" not in kwargs:
+            kwargs["model"] = User
+        super(QuayUserField, self).__init__(*args, **kwargs)
 
 
 @lru_cache(maxsize=16)
 def _get_enum_field_values(enum_field):
-  values = []
-  for row in enum_field.rel_model.select():
-    key = getattr(row, enum_field.enum_key_field)
-    value = getattr(row, 'id')
-    values.append((key, value))
-  return Enum(enum_field.rel_model.__name__, values)
+    values = []
+    for row in enum_field.rel_model.select():
+        key = getattr(row, enum_field.enum_key_field)
+        value = getattr(row, "id")
+        values.append((key, value))
+    return Enum(enum_field.rel_model.__name__, values)
 
 
 class EnumField(ForeignKeyField):
-  """ Create a cached python Enum from an EnumTable """
-  def __init__(self, model, enum_key_field='name', *args, **kwargs):
-    """
+    """ Create a cached python Enum from an EnumTable """
+
+    def __init__(self, model, enum_key_field="name", *args, **kwargs):
+        """
     model is the EnumTable model-class (see ForeignKeyField)
     enum_key_field is the field from the EnumTable to use as the enum name
     """
-    self.enum_key_field = enum_key_field
-    super(EnumField, self).__init__(model, *args, **kwargs)
+        self.enum_key_field = enum_key_field
+        super(EnumField, self).__init__(model, *args, **kwargs)
 
-  @property
-  def enum(self):
-    """ Returns a python enun.Enum generated from the associated EnumTable """
-    return _get_enum_field_values(self)
+    @property
+    def enum(self):
+        """ Returns a python enun.Enum generated from the associated EnumTable """
+        return _get_enum_field_values(self)
 
-  def get_id(self, name):
-    """ Returns the ForeignKeyId from the name field
+    def get_id(self, name):
+        """ Returns the ForeignKeyId from the name field
     Example:
        >>> Repository.repo_kind.get_id("application")
        2
     """
-    try:
-      return self.enum[name].value
-    except KeyError:
-      raise self.rel_model.DoesNotExist
+        try:
+            return self.enum[name].value
+        except KeyError:
+            raise self.rel_model.DoesNotExist
 
-  def get_name(self, value):
-    """ Returns the name value from the ForeignKeyId
+    def get_name(self, value):
+        """ Returns the name value from the ForeignKeyId
     Example:
        >>> Repository.repo_kind.get_name(2)
        "application"
     """
-    try:
-      return self.enum(value).name
-    except ValueError:
-      raise self.rel_model.DoesNotExist
+        try:
+            return self.enum(value).name
+        except ValueError:
+            raise self.rel_model.DoesNotExist
 
 
 def deprecated_field(field, flag):
-  """ Marks a field as deprecated and removes it from the peewee model if the
+    """ Marks a field as deprecated and removes it from the peewee model if the
       flag is not set. A flag is defined in the active_migration module and will
       be associated with one or more migration phases.
   """
-  if ActiveDataMigration.has_flag(flag):
-    return field
+    if ActiveDataMigration.has_flag(flag):
+        return field
 
-  return None
+    return None
 
 
 class BaseModel(ReadReplicaSupportedModel):
-  class Meta:
-    database = db
-    encrypter = db_encrypter
-    read_only_config = read_only_config
+    class Meta:
+        database = db
+        encrypter = db_encrypter
+        read_only_config = read_only_config
 
-  def __getattribute__(self, name):
-    """ Adds _id accessors so that foreign key field IDs can be looked up without making
+    def __getattribute__(self, name):
+        """ Adds _id accessors so that foreign key field IDs can be looked up without making
         a database roundtrip.
     """
-    if name.endswith('_id'):
-      field_name = name[0:len(name) - 3]
-      if field_name in self._meta.fields:
-        return self.__data__.get(field_name)
+        if name.endswith("_id"):
+            field_name = name[0 : len(name) - 3]
+            if field_name in self._meta.fields:
+                return self.__data__.get(field_name)
 
-    return super(BaseModel, self).__getattribute__(name)
+        return super(BaseModel, self).__getattribute__(name)
 
 
 class User(BaseModel):
-  uuid = CharField(default=uuid_generator, max_length=36, null=True, index=True)
-  username = CharField(unique=True, index=True)
-  password_hash = CharField(null=True)
-  email = CharField(unique=True, index=True,
-                    default=random_string_generator(length=64))
-  verified = BooleanField(default=False)
-  stripe_id = CharField(index=True, null=True)
-  organization = BooleanField(default=False, index=True)
-  robot = BooleanField(default=False, index=True)
-  invoice_email = BooleanField(default=False)
-  invalid_login_attempts = IntegerField(default=0)
-  last_invalid_login = DateTimeField(default=datetime.utcnow)
-  removed_tag_expiration_s = IntegerField(default=1209600)  # Two weeks
-  enabled = BooleanField(default=True)
-  invoice_email_address = CharField(null=True, index=True)
+    uuid = CharField(default=uuid_generator, max_length=36, null=True, index=True)
+    username = CharField(unique=True, index=True)
+    password_hash = CharField(null=True)
+    email = CharField(
+        unique=True, index=True, default=random_string_generator(length=64)
+    )
+    verified = BooleanField(default=False)
+    stripe_id = CharField(index=True, null=True)
+    organization = BooleanField(default=False, index=True)
+    robot = BooleanField(default=False, index=True)
+    invoice_email = BooleanField(default=False)
+    invalid_login_attempts = IntegerField(default=0)
+    last_invalid_login = DateTimeField(default=datetime.utcnow)
+    removed_tag_expiration_s = IntegerField(default=1209600)  # Two weeks
+    enabled = BooleanField(default=True)
+    invoice_email_address = CharField(null=True, index=True)
 
-  given_name = CharField(null=True)
-  family_name = CharField(null=True)
-  company = CharField(null=True)
-  location = CharField(null=True)
+    given_name = CharField(null=True)
+    family_name = CharField(null=True)
+    company = CharField(null=True)
+    location = CharField(null=True)
 
-  maximum_queued_builds_count = IntegerField(null=True)
-  creation_date = DateTimeField(default=datetime.utcnow, null=True)
-  last_accessed = DateTimeField(null=True, index=True)
+    maximum_queued_builds_count = IntegerField(null=True)
+    creation_date = DateTimeField(default=datetime.utcnow, null=True)
+    last_accessed = DateTimeField(null=True, index=True)
 
-  def delete_instance(self, recursive=False, delete_nullable=False):
-    # If we are deleting a robot account, only execute the subset of queries necessary.
-    if self.robot:
-      # For all the model dependencies, only delete those that allow robots.
-      for query, fk in reversed(list(self.dependencies(search_nullable=True))):
-        if isinstance(fk, QuayUserField) and fk.allows_robots:
-          _model = fk.model
+    def delete_instance(self, recursive=False, delete_nullable=False):
+        # If we are deleting a robot account, only execute the subset of queries necessary.
+        if self.robot:
+            # For all the model dependencies, only delete those that allow robots.
+            for query, fk in reversed(list(self.dependencies(search_nullable=True))):
+                if isinstance(fk, QuayUserField) and fk.allows_robots:
+                    _model = fk.model
 
-          if fk.robot_null_delete:
-            _model.update(**{fk.name: None}).where(query).execute()
-          else:
-            _model.delete().where(query).execute()
+                    if fk.robot_null_delete:
+                        _model.update(**{fk.name: None}).where(query).execute()
+                    else:
+                        _model.delete().where(query).execute()
 
-      # Delete the instance itself.
-      super(User, self).delete_instance(recursive=False, delete_nullable=False)
-    else:
-      if not recursive:
-        raise RuntimeError('Non-recursive delete on user.')
+            # Delete the instance itself.
+            super(User, self).delete_instance(recursive=False, delete_nullable=False)
+        else:
+            if not recursive:
+                raise RuntimeError("Non-recursive delete on user.")
 
-      # These models don't need to use transitive deletes, because the referenced objects
-      # are cleaned up directly in the model.
-      skip_transitive_deletes = {Image, Repository, Team, RepositoryBuild, ServiceKeyApproval,
-                                 RepositoryBuildTrigger, ServiceKey, RepositoryPermission,
-                                 TeamMemberInvite, Star, RepositoryAuthorizedEmail, TeamMember,
-                                 RepositoryTag, PermissionPrototype, DerivedStorageForImage,
-                                 TagManifest, AccessToken, OAuthAccessToken, BlobUpload,
-                                 RepositoryNotification, OAuthAuthorizationCode,
-                                 RepositoryActionCount, TagManifestLabel,
-                                 TeamSync, RepositorySearchScore,
-                                 DeletedNamespace, RepoMirrorRule,
-                                 NamespaceGeoRestriction} | appr_classes | v22_classes | transition_classes
-      delete_instance_filtered(self, User, delete_nullable, skip_transitive_deletes)
+            # These models don't need to use transitive deletes, because the referenced objects
+            # are cleaned up directly in the model.
+            skip_transitive_deletes = (
+                {
+                    Image,
+                    Repository,
+                    Team,
+                    RepositoryBuild,
+                    ServiceKeyApproval,
+                    RepositoryBuildTrigger,
+                    ServiceKey,
+                    RepositoryPermission,
+                    TeamMemberInvite,
+                    Star,
+                    RepositoryAuthorizedEmail,
+                    TeamMember,
+                    RepositoryTag,
+                    PermissionPrototype,
+                    DerivedStorageForImage,
+                    TagManifest,
+                    AccessToken,
+                    OAuthAccessToken,
+                    BlobUpload,
+                    RepositoryNotification,
+                    OAuthAuthorizationCode,
+                    RepositoryActionCount,
+                    TagManifestLabel,
+                    TeamSync,
+                    RepositorySearchScore,
+                    DeletedNamespace,
+                    RepoMirrorRule,
+                    NamespaceGeoRestriction,
+                }
+                | appr_classes
+                | v22_classes
+                | transition_classes
+            )
+            delete_instance_filtered(
+                self, User, delete_nullable, skip_transitive_deletes
+            )
 
 
 Namespace = User.alias()
 
 
 class RobotAccountMetadata(BaseModel):
-  robot_account = QuayUserField(index=True, allows_robots=True, unique=True)
-  description = CharField()
-  unstructured_json = JSONField()
+    robot_account = QuayUserField(index=True, allows_robots=True, unique=True)
+    description = CharField()
+    unstructured_json = JSONField()
 
 
 class RobotAccountToken(BaseModel):
-  robot_account = QuayUserField(index=True, allows_robots=True, unique=True)
-  token = EncryptedCharField(default_token_length=64)
-  fully_migrated = BooleanField(default=False)
+    robot_account = QuayUserField(index=True, allows_robots=True, unique=True)
+    token = EncryptedCharField(default_token_length=64)
+    fully_migrated = BooleanField(default=False)
 
 
 class DeletedNamespace(BaseModel):
-  namespace = QuayUserField(index=True, allows_robots=False, unique=True)
-  marked = DateTimeField(default=datetime.now)
-  original_username = CharField(index=True)
-  original_email = CharField(index=True)
-  queue_id = CharField(null=True, index=True)
+    namespace = QuayUserField(index=True, allows_robots=False, unique=True)
+    marked = DateTimeField(default=datetime.now)
+    original_username = CharField(index=True)
+    original_email = CharField(index=True)
+    queue_id = CharField(null=True, index=True)
 
 
 class NamespaceGeoRestriction(BaseModel):
-  namespace = QuayUserField(index=True, allows_robots=False)
-  added = DateTimeField(default=datetime.utcnow)
-  description = CharField()
-  unstructured_json = JSONField()
-  restricted_region_iso_code = CharField(index=True)
+    namespace = QuayUserField(index=True, allows_robots=False)
+    added = DateTimeField(default=datetime.utcnow)
+    description = CharField()
+    unstructured_json = JSONField()
+    restricted_region_iso_code = CharField(index=True)
 
-  class Meta:
-    database = db
-    read_only_config = read_only_config
-    indexes = (
-      (('namespace', 'restricted_region_iso_code'), True),
-    )
+    class Meta:
+        database = db
+        read_only_config = read_only_config
+        indexes = ((("namespace", "restricted_region_iso_code"), True),)
 
 
 class UserPromptTypes(object):
-  CONFIRM_USERNAME = 'confirm_username'
-  ENTER_NAME = 'enter_name'
-  ENTER_COMPANY = 'enter_company'
+    CONFIRM_USERNAME = "confirm_username"
+    ENTER_NAME = "enter_name"
+    ENTER_COMPANY = "enter_company"
 
 
 class UserPromptKind(BaseModel):
-  name = CharField(index=True)
+    name = CharField(index=True)
 
 
 class UserPrompt(BaseModel):
-  user = QuayUserField(allows_robots=False, index=True)
-  kind = ForeignKeyField(UserPromptKind)
+    user = QuayUserField(allows_robots=False, index=True)
+    kind = ForeignKeyField(UserPromptKind)
 
-  class Meta:
-    database = db
-    read_only_config = read_only_config
-    indexes = (
-     (('user', 'kind'), True),
-    )
+    class Meta:
+        database = db
+        read_only_config = read_only_config
+        indexes = ((("user", "kind"), True),)
 
 
 class TeamRole(BaseModel):
-  name = CharField(index=True)
+    name = CharField(index=True)
 
 
 class Team(BaseModel):
-  name = CharField(index=True)
-  organization = QuayUserField(index=True)
-  role = EnumField(TeamRole)
-  description = TextField(default='')
+    name = CharField(index=True)
+    organization = QuayUserField(index=True)
+    role = EnumField(TeamRole)
+    description = TextField(default="")
 
-  class Meta:
-    database = db
-    read_only_config = read_only_config
-    indexes = (
-      # A team name must be unique within an organization
-      (('name', 'organization'), True),
-    )
+    class Meta:
+        database = db
+        read_only_config = read_only_config
+        indexes = (
+            # A team name must be unique within an organization
+            (("name", "organization"), True),
+        )
 
 
 class TeamMember(BaseModel):
-  user = QuayUserField(allows_robots=True, index=True)
-  team = ForeignKeyField(Team)
+    user = QuayUserField(allows_robots=True, index=True)
+    team = ForeignKeyField(Team)
 
-  class Meta:
-    database = db
-    read_only_config = read_only_config
-    indexes = (
-      # A user may belong to a team only once
-      (('user', 'team'), True),
-    )
+    class Meta:
+        database = db
+        read_only_config = read_only_config
+        indexes = (
+            # A user may belong to a team only once
+            (("user", "team"), True),
+        )
 
 
 class TeamMemberInvite(BaseModel):
-  # Note: Either user OR email will be filled in, but not both.
-  user = QuayUserField(index=True, null=True)
-  email = CharField(null=True)
-  team = ForeignKeyField(Team)
-  inviter = ForeignKeyField(User, backref='inviter')
-  invite_token = CharField(default=urn_generator(['teaminvite']))
+    # Note: Either user OR email will be filled in, but not both.
+    user = QuayUserField(index=True, null=True)
+    email = CharField(null=True)
+    team = ForeignKeyField(Team)
+    inviter = ForeignKeyField(User, backref="inviter")
+    invite_token = CharField(default=urn_generator(["teaminvite"]))
 
 
 class LoginService(BaseModel):
-  name = CharField(unique=True, index=True)
+    name = CharField(unique=True, index=True)
 
 
 class TeamSync(BaseModel):
-  team = ForeignKeyField(Team, unique=True)
+    team = ForeignKeyField(Team, unique=True)
 
-  transaction_id = CharField()
-  last_updated = DateTimeField(null=True, index=True)
-  service = ForeignKeyField(LoginService)
-  config = JSONField()
+    transaction_id = CharField()
+    last_updated = DateTimeField(null=True, index=True)
+    service = ForeignKeyField(LoginService)
+    config = JSONField()
 
 
 class FederatedLogin(BaseModel):
-  user = QuayUserField(allows_robots=True, index=True)
-  service = ForeignKeyField(LoginService)
-  service_ident = CharField()
-  metadata_json = TextField(default='{}')
+    user = QuayUserField(allows_robots=True, index=True)
+    service = ForeignKeyField(LoginService)
+    service_ident = CharField()
+    metadata_json = TextField(default="{}")
 
-  class Meta:
-    database = db
-    read_only_config = read_only_config
-    indexes = (
-      # create a unique index on service and the local service id
-      (('service', 'service_ident'), True),
-
-      # a user may only have one federated login per service
-      (('service', 'user'), True),
-    )
+    class Meta:
+        database = db
+        read_only_config = read_only_config
+        indexes = (
+            # create a unique index on service and the local service id
+            (("service", "service_ident"), True),
+            # a user may only have one federated login per service
+            (("service", "user"), True),
+        )
 
 
 class Visibility(BaseModel):
-  name = CharField(index=True, unique=True)
+    name = CharField(index=True, unique=True)
 
 
 class RepositoryKind(BaseModel):
-  name = CharField(index=True, unique=True)
+    name = CharField(index=True, unique=True)
 
 
 @unique
 class RepositoryState(IntEnum):
-  """
+    """
   Possible states of a repository.
   NORMAL:    Regular repo where all actions are possible
   READ_ONLY: Only read actions, such as pull, are allowed regardless of specific user permissions
   MIRROR:    Equivalent to READ_ONLY except that mirror robot has write permission
   """
-  NORMAL = 0
-  READ_ONLY = 1
-  MIRROR = 2
+
+    NORMAL = 0
+    READ_ONLY = 1
+    MIRROR = 2
 
 
 class Repository(BaseModel):
-  namespace_user = QuayUserField(null=True)
-  name = FullIndexedCharField(match_function=db_match_func)
-  visibility = EnumField(Visibility)
-  description = FullIndexedTextField(match_function=db_match_func, null=True)
-  badge_token = CharField(default=uuid_generator)
-  kind = EnumField(RepositoryKind)
-  trust_enabled = BooleanField(default=False)
-  state = ClientEnumField(RepositoryState, default=RepositoryState.NORMAL)
+    namespace_user = QuayUserField(null=True)
+    name = FullIndexedCharField(match_function=db_match_func)
+    visibility = EnumField(Visibility)
+    description = FullIndexedTextField(match_function=db_match_func, null=True)
+    badge_token = CharField(default=uuid_generator)
+    kind = EnumField(RepositoryKind)
+    trust_enabled = BooleanField(default=False)
+    state = ClientEnumField(RepositoryState, default=RepositoryState.NORMAL)
 
-  class Meta:
-    database = db
-    read_only_config = read_only_config
-    indexes = (
-      # create a unique index on namespace and name
-      (('namespace_user', 'name'), True),
-    )
+    class Meta:
+        database = db
+        read_only_config = read_only_config
+        indexes = (
+            # create a unique index on namespace and name
+            (("namespace_user", "name"), True),
+        )
 
-  def delete_instance(self, recursive=False, delete_nullable=False):
-    if not recursive:
-      raise RuntimeError('Non-recursive delete on repository.')
+    def delete_instance(self, recursive=False, delete_nullable=False):
+        if not recursive:
+            raise RuntimeError("Non-recursive delete on repository.")
 
-    # These models don't need to use transitive deletes, because the referenced objects
-    # are cleaned up directly
-    skip_transitive_deletes = ({RepositoryTag, RepositoryBuild, RepositoryBuildTrigger, BlobUpload,
-                                Image, TagManifest, TagManifestLabel, Label, DerivedStorageForImage,
-                                RepositorySearchScore, RepoMirrorConfig, RepoMirrorRule}
-                                | appr_classes | v22_classes | transition_classes)
+        # These models don't need to use transitive deletes, because the referenced objects
+        # are cleaned up directly
+        skip_transitive_deletes = (
+            {
+                RepositoryTag,
+                RepositoryBuild,
+                RepositoryBuildTrigger,
+                BlobUpload,
+                Image,
+                TagManifest,
+                TagManifestLabel,
+                Label,
+                DerivedStorageForImage,
+                RepositorySearchScore,
+                RepoMirrorConfig,
+                RepoMirrorRule,
+            }
+            | appr_classes
+            | v22_classes
+            | transition_classes
+        )
 
-    delete_instance_filtered(self, Repository, delete_nullable, skip_transitive_deletes)
+        delete_instance_filtered(
+            self, Repository, delete_nullable, skip_transitive_deletes
+        )
 
 
 class RepositorySearchScore(BaseModel):
-  repository = ForeignKeyField(Repository, unique=True)
-  score = BigIntegerField(index=True, default=0)
-  last_updated = DateTimeField(null=True)
+    repository = ForeignKeyField(Repository, unique=True)
+    score = BigIntegerField(index=True, default=0)
+    last_updated = DateTimeField(null=True)
 
 
 class Star(BaseModel):
-  user = ForeignKeyField(User)
-  repository = ForeignKeyField(Repository)
-  created = DateTimeField(default=datetime.now)
+    user = ForeignKeyField(User)
+    repository = ForeignKeyField(Repository)
+    created = DateTimeField(default=datetime.now)
 
-  class Meta:
-    database = db
-    read_only_config = read_only_config
-    indexes = (
-      # create a unique index on user and repository
-      (('user', 'repository'), True),
-    )
+    class Meta:
+        database = db
+        read_only_config = read_only_config
+        indexes = (
+            # create a unique index on user and repository
+            (("user", "repository"), True),
+        )
 
 
 class Role(BaseModel):
-  name = CharField(index=True, unique=True)
+    name = CharField(index=True, unique=True)
 
 
 class RepositoryPermission(BaseModel):
-  team = ForeignKeyField(Team, null=True)
-  user = QuayUserField(allows_robots=True, null=True)
-  repository = ForeignKeyField(Repository)
-  role = ForeignKeyField(Role)
+    team = ForeignKeyField(Team, null=True)
+    user = QuayUserField(allows_robots=True, null=True)
+    repository = ForeignKeyField(Repository)
+    role = ForeignKeyField(Role)
 
-  class Meta:
-    database = db
-    read_only_config = read_only_config
-    indexes = (
-      (('team', 'repository'), True),
-      (('user', 'repository'), True),
-    )
+    class Meta:
+        database = db
+        read_only_config = read_only_config
+        indexes = ((("team", "repository"), True), (("user", "repository"), True))
 
 
 class PermissionPrototype(BaseModel):
-  org = QuayUserField(index=True, backref='orgpermissionproto')
-  uuid = CharField(default=uuid_generator, index=True)
-  activating_user = QuayUserField(allows_robots=True, index=True, null=True,
-                                  backref='userpermissionproto')
-  delegate_user = QuayUserField(allows_robots=True, backref='receivingpermission',
-                                null=True)
-  delegate_team = ForeignKeyField(Team, backref='receivingpermission',
-                                  null=True)
-  role = ForeignKeyField(Role)
-
-  class Meta:
-    database = db
-    read_only_config = read_only_config
-    indexes = (
-      (('org', 'activating_user'), False),
+    org = QuayUserField(index=True, backref="orgpermissionproto")
+    uuid = CharField(default=uuid_generator, index=True)
+    activating_user = QuayUserField(
+        allows_robots=True, index=True, null=True, backref="userpermissionproto"
     )
+    delegate_user = QuayUserField(
+        allows_robots=True, backref="receivingpermission", null=True
+    )
+    delegate_team = ForeignKeyField(Team, backref="receivingpermission", null=True)
+    role = ForeignKeyField(Role)
+
+    class Meta:
+        database = db
+        read_only_config = read_only_config
+        indexes = ((("org", "activating_user"), False),)
 
 
 class AccessTokenKind(BaseModel):
-  name = CharField(unique=True, index=True)
+    name = CharField(unique=True, index=True)
 
 
 class AccessToken(BaseModel):
-  friendly_name = CharField(null=True)
+    friendly_name = CharField(null=True)
 
-  # TODO(remove-unenc): This field is deprecated and should be removed soon.
-  code = deprecated_field(
-    CharField(default=random_string_generator(length=64), unique=True, index=True, null=True),
-    ERTMigrationFlags.WRITE_OLD_FIELDS)
+    # TODO(remove-unenc): This field is deprecated and should be removed soon.
+    code = deprecated_field(
+        CharField(
+            default=random_string_generator(length=64),
+            unique=True,
+            index=True,
+            null=True,
+        ),
+        ERTMigrationFlags.WRITE_OLD_FIELDS,
+    )
 
-  token_name = CharField(default=random_string_generator(length=32), unique=True, index=True)
-  token_code = EncryptedCharField(default_token_length=32)
+    token_name = CharField(
+        default=random_string_generator(length=32), unique=True, index=True
+    )
+    token_code = EncryptedCharField(default_token_length=32)
 
-  repository = ForeignKeyField(Repository)
-  created = DateTimeField(default=datetime.now)
-  role = ForeignKeyField(Role)
-  temporary = BooleanField(default=True)
-  kind = ForeignKeyField(AccessTokenKind, null=True)
+    repository = ForeignKeyField(Repository)
+    created = DateTimeField(default=datetime.now)
+    role = ForeignKeyField(Role)
+    temporary = BooleanField(default=True)
+    kind = ForeignKeyField(AccessTokenKind, null=True)
 
-  def get_code(self):
-    if ActiveDataMigration.has_flag(ERTMigrationFlags.READ_OLD_FIELDS):
-      return self.code
-    else:
-      return self.token_name + self.token_code.decrypt()
+    def get_code(self):
+        if ActiveDataMigration.has_flag(ERTMigrationFlags.READ_OLD_FIELDS):
+            return self.code
+        else:
+            return self.token_name + self.token_code.decrypt()
 
 
 class BuildTriggerService(BaseModel):
-  name = CharField(index=True, unique=True)
+    name = CharField(index=True, unique=True)
 
 
 class DisableReason(BaseModel):
-  name = CharField(index=True, unique=True)
+    name = CharField(index=True, unique=True)
 
 
 class RepositoryBuildTrigger(BaseModel):
-  uuid = CharField(default=uuid_generator, index=True)
-  service = ForeignKeyField(BuildTriggerService)
-  repository = ForeignKeyField(Repository)
-  connected_user = QuayUserField()
+    uuid = CharField(default=uuid_generator, index=True)
+    service = ForeignKeyField(BuildTriggerService)
+    repository = ForeignKeyField(Repository)
+    connected_user = QuayUserField()
 
-  # TODO(remove-unenc): These fields are deprecated and should be removed soon.
-  auth_token = deprecated_field(CharField(null=True), ERTMigrationFlags.WRITE_OLD_FIELDS)
-  private_key = deprecated_field(TextField(null=True), ERTMigrationFlags.WRITE_OLD_FIELDS)
+    # TODO(remove-unenc): These fields are deprecated and should be removed soon.
+    auth_token = deprecated_field(
+        CharField(null=True), ERTMigrationFlags.WRITE_OLD_FIELDS
+    )
+    private_key = deprecated_field(
+        TextField(null=True), ERTMigrationFlags.WRITE_OLD_FIELDS
+    )
 
-  secure_auth_token = EncryptedCharField(null=True)
-  secure_private_key = EncryptedTextField(null=True)
-  fully_migrated = BooleanField(default=False)
+    secure_auth_token = EncryptedCharField(null=True)
+    secure_private_key = EncryptedTextField(null=True)
+    fully_migrated = BooleanField(default=False)
 
-  config = TextField(default='{}')
-  write_token = ForeignKeyField(AccessToken, null=True)
-  pull_robot = QuayUserField(allows_robots=True, null=True, backref='triggerpullrobot',
-                             robot_null_delete=True)
+    config = TextField(default="{}")
+    write_token = ForeignKeyField(AccessToken, null=True)
+    pull_robot = QuayUserField(
+        allows_robots=True,
+        null=True,
+        backref="triggerpullrobot",
+        robot_null_delete=True,
+    )
 
-  enabled = BooleanField(default=True)
-  disabled_reason = EnumField(DisableReason, null=True)
-  disabled_datetime = DateTimeField(default=datetime.utcnow, null=True, index=True)
-  successive_failure_count = IntegerField(default=0)
-  successive_internal_error_count = IntegerField(default=0)
+    enabled = BooleanField(default=True)
+    disabled_reason = EnumField(DisableReason, null=True)
+    disabled_datetime = DateTimeField(default=datetime.utcnow, null=True, index=True)
+    successive_failure_count = IntegerField(default=0)
+    successive_internal_error_count = IntegerField(default=0)
 
 
 class EmailConfirmation(BaseModel):
-  code = CharField(default=random_string_generator(), unique=True, index=True)
-  verification_code = CredentialField(null=True)
-  user = QuayUserField()
-  pw_reset = BooleanField(default=False)
-  new_email = CharField(null=True)
-  email_confirm = BooleanField(default=False)
-  created = DateTimeField(default=datetime.now)
+    code = CharField(default=random_string_generator(), unique=True, index=True)
+    verification_code = CredentialField(null=True)
+    user = QuayUserField()
+    pw_reset = BooleanField(default=False)
+    new_email = CharField(null=True)
+    email_confirm = BooleanField(default=False)
+    created = DateTimeField(default=datetime.now)
 
 
 class ImageStorage(BaseModel):
-  uuid = CharField(default=uuid_generator, index=True, unique=True)
-  image_size = BigIntegerField(null=True)
-  uncompressed_size = BigIntegerField(null=True)
-  uploading = BooleanField(default=True, null=True)
-  cas_path = BooleanField(default=True)
-  content_checksum = CharField(null=True, index=True)
+    uuid = CharField(default=uuid_generator, index=True, unique=True)
+    image_size = BigIntegerField(null=True)
+    uncompressed_size = BigIntegerField(null=True)
+    uploading = BooleanField(default=True, null=True)
+    cas_path = BooleanField(default=True)
+    content_checksum = CharField(null=True, index=True)
 
 
 class ImageStorageTransformation(BaseModel):
-  name = CharField(index=True, unique=True)
+    name = CharField(index=True, unique=True)
 
 
 class ImageStorageSignatureKind(BaseModel):
-  name = CharField(index=True, unique=True)
+    name = CharField(index=True, unique=True)
 
 
 class ImageStorageSignature(BaseModel):
-  storage = ForeignKeyField(ImageStorage)
-  kind = ForeignKeyField(ImageStorageSignatureKind)
-  signature = TextField(null=True)
-  uploading = BooleanField(default=True, null=True)
+    storage = ForeignKeyField(ImageStorage)
+    kind = ForeignKeyField(ImageStorageSignatureKind)
+    signature = TextField(null=True)
+    uploading = BooleanField(default=True, null=True)
 
-  class Meta:
-    database = db
-    read_only_config = read_only_config
-    indexes = (
-      (('kind', 'storage'), True),
-    )
+    class Meta:
+        database = db
+        read_only_config = read_only_config
+        indexes = ((("kind", "storage"), True),)
 
 
 class ImageStorageLocation(BaseModel):
-  name = CharField(unique=True, index=True)
+    name = CharField(unique=True, index=True)
 
 
 class ImageStoragePlacement(BaseModel):
-  storage = ForeignKeyField(ImageStorage)
-  location = ForeignKeyField(ImageStorageLocation)
+    storage = ForeignKeyField(ImageStorage)
+    location = ForeignKeyField(ImageStorageLocation)
 
-  class Meta:
-    database = db
-    read_only_config = read_only_config
-    indexes = (
-      # An image can only be placed in the same place once
-      (('storage', 'location'), True),
-    )
+    class Meta:
+        database = db
+        read_only_config = read_only_config
+        indexes = (
+            # An image can only be placed in the same place once
+            (("storage", "location"), True),
+        )
 
 
 class UserRegion(BaseModel):
-  user = QuayUserField(index=True, allows_robots=False)
-  location = ForeignKeyField(ImageStorageLocation)
+    user = QuayUserField(index=True, allows_robots=False)
+    location = ForeignKeyField(ImageStorageLocation)
 
-  indexes = (
-    (('user', 'location'), True),
-  )
+    indexes = ((("user", "location"), True),)
 
 
 class Image(BaseModel):
-  # This class is intentionally denormalized. Even though images are supposed
-  # to be globally unique we can't treat them as such for permissions and
-  # security reasons. So rather than Repository <-> Image being many to many
-  # each image now belongs to exactly one repository.
-  docker_image_id = CharField(index=True)
-  repository = ForeignKeyField(Repository)
+    # This class is intentionally denormalized. Even though images are supposed
+    # to be globally unique we can't treat them as such for permissions and
+    # security reasons. So rather than Repository <-> Image being many to many
+    # each image now belongs to exactly one repository.
+    docker_image_id = CharField(index=True)
+    repository = ForeignKeyField(Repository)
 
-  # '/' separated list of ancestory ids, e.g. /1/2/6/7/10/
-  ancestors = CharField(index=True, default='/', max_length=64535, null=True)
+    # '/' separated list of ancestory ids, e.g. /1/2/6/7/10/
+    ancestors = CharField(index=True, default="/", max_length=64535, null=True)
 
-  storage = ForeignKeyField(ImageStorage, null=True)
+    storage = ForeignKeyField(ImageStorage, null=True)
 
-  created = DateTimeField(null=True)
-  comment = TextField(null=True)
-  command = TextField(null=True)
-  aggregate_size = BigIntegerField(null=True)
-  v1_json_metadata = TextField(null=True)
-  v1_checksum = CharField(null=True)
+    created = DateTimeField(null=True)
+    comment = TextField(null=True)
+    command = TextField(null=True)
+    aggregate_size = BigIntegerField(null=True)
+    v1_json_metadata = TextField(null=True)
+    v1_checksum = CharField(null=True)
 
-  security_indexed = BooleanField(default=False, index=True)
-  security_indexed_engine = IntegerField(default=IMAGE_NOT_SCANNED_ENGINE_VERSION, index=True)
-
-  # We use a proxy here instead of 'self' in order to disable the foreign key constraint
-  parent = DeferredForeignKey('Image', null=True, backref='children')
-
-  class Meta:
-    database = db
-    read_only_config = read_only_config
-    indexes = (
-      # we don't really want duplicates
-      (('repository', 'docker_image_id'), True),
-
-      (('security_indexed_engine', 'security_indexed'), False),
+    security_indexed = BooleanField(default=False, index=True)
+    security_indexed_engine = IntegerField(
+        default=IMAGE_NOT_SCANNED_ENGINE_VERSION, index=True
     )
 
-  def ancestor_id_list(self):
-    """ Returns an integer list of ancestor ids, ordered chronologically from
+    # We use a proxy here instead of 'self' in order to disable the foreign key constraint
+    parent = DeferredForeignKey("Image", null=True, backref="children")
+
+    class Meta:
+        database = db
+        read_only_config = read_only_config
+        indexes = (
+            # we don't really want duplicates
+            (("repository", "docker_image_id"), True),
+            (("security_indexed_engine", "security_indexed"), False),
+        )
+
+    def ancestor_id_list(self):
+        """ Returns an integer list of ancestor ids, ordered chronologically from
         root to direct parent.
     """
-    return map(int, self.ancestors.split('/')[1:-1])
+        return map(int, self.ancestors.split("/")[1:-1])
 
 
 class DerivedStorageForImage(BaseModel):
-  source_image = ForeignKeyField(Image)
-  derivative = ForeignKeyField(ImageStorage)
-  transformation = ForeignKeyField(ImageStorageTransformation)
-  uniqueness_hash = CharField(null=True)
+    source_image = ForeignKeyField(Image)
+    derivative = ForeignKeyField(ImageStorage)
+    transformation = ForeignKeyField(ImageStorageTransformation)
+    uniqueness_hash = CharField(null=True)
 
-  class Meta:
-    database = db
-    read_only_config = read_only_config
-    indexes = (
-      (('source_image', 'transformation', 'uniqueness_hash'), True),
-    )
+    class Meta:
+        database = db
+        read_only_config = read_only_config
+        indexes = ((("source_image", "transformation", "uniqueness_hash"), True),)
 
 
 class RepositoryTag(BaseModel):
-  name = CharField()
-  image = ForeignKeyField(Image)
-  repository = ForeignKeyField(Repository)
-  lifetime_start_ts = IntegerField(default=get_epoch_timestamp)
-  lifetime_end_ts = IntegerField(null=True, index=True)
-  hidden = BooleanField(default=False)
-  reversion = BooleanField(default=False)
+    name = CharField()
+    image = ForeignKeyField(Image)
+    repository = ForeignKeyField(Repository)
+    lifetime_start_ts = IntegerField(default=get_epoch_timestamp)
+    lifetime_end_ts = IntegerField(null=True, index=True)
+    hidden = BooleanField(default=False)
+    reversion = BooleanField(default=False)
 
-  class Meta:
-    database = db
-    read_only_config = read_only_config
-    indexes = (
-      (('repository', 'name'), False),
-      (('repository', 'lifetime_start_ts'), False),
-      (('repository', 'lifetime_end_ts'), False),
-
-      # This unique index prevents deadlocks when concurrently moving and deleting tags
-      (('repository', 'name', 'lifetime_end_ts'), True),
-    )
+    class Meta:
+        database = db
+        read_only_config = read_only_config
+        indexes = (
+            (("repository", "name"), False),
+            (("repository", "lifetime_start_ts"), False),
+            (("repository", "lifetime_end_ts"), False),
+            # This unique index prevents deadlocks when concurrently moving and deleting tags
+            (("repository", "name", "lifetime_end_ts"), True),
+        )
 
 
 class BUILD_PHASE(object):
-  """ Build phases enum """
-  ERROR = 'error'
-  INTERNAL_ERROR = 'internalerror'
-  BUILD_SCHEDULED = 'build-scheduled'
-  UNPACKING = 'unpacking'
-  PULLING = 'pulling'
-  BUILDING = 'building'
-  PUSHING = 'pushing'
-  WAITING = 'waiting'
-  COMPLETE = 'complete'
-  CANCELLED = 'cancelled'
+    """ Build phases enum """
 
-  @classmethod
-  def is_terminal_phase(cls, phase):
-    return (phase == cls.COMPLETE or
-            phase == cls.ERROR or
-            phase == cls.INTERNAL_ERROR or
-            phase == cls.CANCELLED)
+    ERROR = "error"
+    INTERNAL_ERROR = "internalerror"
+    BUILD_SCHEDULED = "build-scheduled"
+    UNPACKING = "unpacking"
+    PULLING = "pulling"
+    BUILDING = "building"
+    PUSHING = "pushing"
+    WAITING = "waiting"
+    COMPLETE = "complete"
+    CANCELLED = "cancelled"
+
+    @classmethod
+    def is_terminal_phase(cls, phase):
+        return (
+            phase == cls.COMPLETE
+            or phase == cls.ERROR
+            or phase == cls.INTERNAL_ERROR
+            or phase == cls.CANCELLED
+        )
 
 
 class TRIGGER_DISABLE_REASON(object):
-  """ Build trigger disable reason enum """
-  BUILD_FALURES = 'successive_build_failures'
-  INTERNAL_ERRORS = 'successive_build_internal_errors'
-  USER_TOGGLED = 'user_toggled'
+    """ Build trigger disable reason enum """
+
+    BUILD_FALURES = "successive_build_failures"
+    INTERNAL_ERRORS = "successive_build_internal_errors"
+    USER_TOGGLED = "user_toggled"
 
 
 class QueueItem(BaseModel):
-  queue_name = CharField(index=True, max_length=1024)
-  body = TextField()
-  available_after = DateTimeField(default=datetime.utcnow)
-  available = BooleanField(default=True)
-  processing_expires = DateTimeField(null=True)
-  retries_remaining = IntegerField(default=5)
-  state_id = CharField(default=uuid_generator, index=True, unique=True)
+    queue_name = CharField(index=True, max_length=1024)
+    body = TextField()
+    available_after = DateTimeField(default=datetime.utcnow)
+    available = BooleanField(default=True)
+    processing_expires = DateTimeField(null=True)
+    retries_remaining = IntegerField(default=5)
+    state_id = CharField(default=uuid_generator, index=True, unique=True)
 
-  class Meta:
-    database = db
-    read_only_config = read_only_config
-    only_save_dirty = True
-    indexes = (
-      (('processing_expires', 'available'), False),
-      (('processing_expires', 'queue_name', 'available'), False),
-      (('processing_expires', 'available_after', 'retries_remaining', 'available'), False),
-      (('processing_expires', 'available_after', 'queue_name', 'retries_remaining', 'available'), False),
-    )
+    class Meta:
+        database = db
+        read_only_config = read_only_config
+        only_save_dirty = True
+        indexes = (
+            (("processing_expires", "available"), False),
+            (("processing_expires", "queue_name", "available"), False),
+            (
+                (
+                    "processing_expires",
+                    "available_after",
+                    "retries_remaining",
+                    "available",
+                ),
+                False,
+            ),
+            (
+                (
+                    "processing_expires",
+                    "available_after",
+                    "queue_name",
+                    "retries_remaining",
+                    "available",
+                ),
+                False,
+            ),
+        )
 
-  def save(self, *args, **kwargs):
-    # Always change the queue item's state ID when we update it.
-    self.state_id = str(uuid.uuid4())
-    super(QueueItem, self).save(*args, **kwargs)
+    def save(self, *args, **kwargs):
+        # Always change the queue item's state ID when we update it.
+        self.state_id = str(uuid.uuid4())
+        super(QueueItem, self).save(*args, **kwargs)
 
 
 class RepositoryBuild(BaseModel):
-  uuid = CharField(default=uuid_generator, index=True)
-  repository = ForeignKeyField(Repository)
-  access_token = ForeignKeyField(AccessToken)
-  resource_key = CharField(index=True, null=True)
-  job_config = TextField()
-  phase = CharField(default=BUILD_PHASE.WAITING)
-  started = DateTimeField(default=datetime.now, index=True)
-  display_name = CharField()
-  trigger = ForeignKeyField(RepositoryBuildTrigger, null=True)
-  pull_robot = QuayUserField(null=True, backref='buildpullrobot', allows_robots=True,
-                             robot_null_delete=True)
-  logs_archived = BooleanField(default=False, index=True)
-  queue_id = CharField(null=True, index=True)
-
-  class Meta:
-    database = db
-    read_only_config = read_only_config
-    indexes = (
-      (('repository', 'started', 'phase'), False),
-      (('started', 'logs_archived', 'phase'), False),
+    uuid = CharField(default=uuid_generator, index=True)
+    repository = ForeignKeyField(Repository)
+    access_token = ForeignKeyField(AccessToken)
+    resource_key = CharField(index=True, null=True)
+    job_config = TextField()
+    phase = CharField(default=BUILD_PHASE.WAITING)
+    started = DateTimeField(default=datetime.now, index=True)
+    display_name = CharField()
+    trigger = ForeignKeyField(RepositoryBuildTrigger, null=True)
+    pull_robot = QuayUserField(
+        null=True, backref="buildpullrobot", allows_robots=True, robot_null_delete=True
     )
+    logs_archived = BooleanField(default=False, index=True)
+    queue_id = CharField(null=True, index=True)
+
+    class Meta:
+        database = db
+        read_only_config = read_only_config
+        indexes = (
+            (("repository", "started", "phase"), False),
+            (("started", "logs_archived", "phase"), False),
+        )
 
 
 class LogEntryKind(BaseModel):
-  name = CharField(index=True, unique=True)
+    name = CharField(index=True, unique=True)
 
 
 class LogEntry(BaseModel):
-  id = BigAutoField()
-  kind = ForeignKeyField(LogEntryKind)
-  account = IntegerField(index=True, column_name='account_id')
-  performer = IntegerField(index=True, null=True, column_name='performer_id')
-  repository = IntegerField(index=True, null=True, column_name='repository_id')
-  datetime = DateTimeField(default=datetime.now, index=True)
-  ip = CharField(null=True)
-  metadata_json = TextField(default='{}')
+    id = BigAutoField()
+    kind = ForeignKeyField(LogEntryKind)
+    account = IntegerField(index=True, column_name="account_id")
+    performer = IntegerField(index=True, null=True, column_name="performer_id")
+    repository = IntegerField(index=True, null=True, column_name="repository_id")
+    datetime = DateTimeField(default=datetime.now, index=True)
+    ip = CharField(null=True)
+    metadata_json = TextField(default="{}")
 
-  class Meta:
-    database = db
-    read_only_config = read_only_config
-    indexes = (
-      (('account', 'datetime'), False),
-      (('performer', 'datetime'), False),
-      (('repository', 'datetime'), False),
-      (('repository', 'datetime', 'kind'), False),
-    )
+    class Meta:
+        database = db
+        read_only_config = read_only_config
+        indexes = (
+            (("account", "datetime"), False),
+            (("performer", "datetime"), False),
+            (("repository", "datetime"), False),
+            (("repository", "datetime", "kind"), False),
+        )
 
 
 class LogEntry2(BaseModel):
-  """ TEMP FOR QUAY.IO ONLY. DO NOT RELEASE INTO QUAY ENTERPRISE. """
-  kind = ForeignKeyField(LogEntryKind)
-  account = IntegerField(index=True, db_column='account_id')
-  performer = IntegerField(index=True, null=True, db_column='performer_id')
-  repository = IntegerField(index=True, null=True, db_column='repository_id')
-  datetime = DateTimeField(default=datetime.now, index=True)
-  ip = CharField(null=True)
-  metadata_json = TextField(default='{}')
+    """ TEMP FOR QUAY.IO ONLY. DO NOT RELEASE INTO QUAY ENTERPRISE. """
 
-  class Meta:
-    database = db
-    read_only_config = read_only_config
-    indexes = (
-      (('account', 'datetime'), False),
-      (('performer', 'datetime'), False),
-      (('repository', 'datetime'), False),
-      (('repository', 'datetime', 'kind'), False),
-    )
+    kind = ForeignKeyField(LogEntryKind)
+    account = IntegerField(index=True, db_column="account_id")
+    performer = IntegerField(index=True, null=True, db_column="performer_id")
+    repository = IntegerField(index=True, null=True, db_column="repository_id")
+    datetime = DateTimeField(default=datetime.now, index=True)
+    ip = CharField(null=True)
+    metadata_json = TextField(default="{}")
+
+    class Meta:
+        database = db
+        read_only_config = read_only_config
+        indexes = (
+            (("account", "datetime"), False),
+            (("performer", "datetime"), False),
+            (("repository", "datetime"), False),
+            (("repository", "datetime", "kind"), False),
+        )
 
 
 class LogEntry3(BaseModel):
-  id = BigAutoField()
-  kind = IntegerField(db_column='kind_id')
-  account = IntegerField(db_column='account_id')
-  performer = IntegerField(null=True, db_column='performer_id')
-  repository = IntegerField(null=True, db_column='repository_id')
-  datetime = DateTimeField(default=datetime.now, index=True)
-  ip = CharField(null=True)
-  metadata_json = TextField(default='{}')
+    id = BigAutoField()
+    kind = IntegerField(db_column="kind_id")
+    account = IntegerField(db_column="account_id")
+    performer = IntegerField(null=True, db_column="performer_id")
+    repository = IntegerField(null=True, db_column="repository_id")
+    datetime = DateTimeField(default=datetime.now, index=True)
+    ip = CharField(null=True)
+    metadata_json = TextField(default="{}")
 
-  class Meta:
-    database = db
-    read_only_config = read_only_config
-    indexes = (
-      (('account', 'datetime'), False),
-      (('performer', 'datetime'), False),
-      (('repository', 'datetime', 'kind'), False),
-    )
+    class Meta:
+        database = db
+        read_only_config = read_only_config
+        indexes = (
+            (("account", "datetime"), False),
+            (("performer", "datetime"), False),
+            (("repository", "datetime", "kind"), False),
+        )
 
 
 class RepositoryActionCount(BaseModel):
-  repository = ForeignKeyField(Repository)
-  count = IntegerField()
-  date = DateField(index=True)
+    repository = ForeignKeyField(Repository)
+    count = IntegerField()
+    date = DateField(index=True)
 
-  class Meta:
-    database = db
-    read_only_config = read_only_config
-    indexes = (
-      # create a unique index on repository and date
-      (('repository', 'date'), True),
-    )
+    class Meta:
+        database = db
+        read_only_config = read_only_config
+        indexes = (
+            # create a unique index on repository and date
+            (("repository", "date"), True),
+        )
 
 
 class OAuthApplication(BaseModel):
-  client_id = CharField(index=True, default=random_string_generator(length=20))
-  secure_client_secret = EncryptedCharField(default_token_length=40, null=True)
-  fully_migrated = BooleanField(default=False)
+    client_id = CharField(index=True, default=random_string_generator(length=20))
+    secure_client_secret = EncryptedCharField(default_token_length=40, null=True)
+    fully_migrated = BooleanField(default=False)
 
-  # TODO(remove-unenc): This field is deprecated and should be removed soon.
-  client_secret = deprecated_field(
-    CharField(default=random_string_generator(length=40), null=True),
-    ERTMigrationFlags.WRITE_OLD_FIELDS)
+    # TODO(remove-unenc): This field is deprecated and should be removed soon.
+    client_secret = deprecated_field(
+        CharField(default=random_string_generator(length=40), null=True),
+        ERTMigrationFlags.WRITE_OLD_FIELDS,
+    )
 
-  redirect_uri = CharField()
-  application_uri = CharField()
-  organization = QuayUserField()
+    redirect_uri = CharField()
+    application_uri = CharField()
+    organization = QuayUserField()
 
-  name = CharField()
-  description = TextField(default='')
-  avatar_email = CharField(null=True, column_name='gravatar_email')
+    name = CharField()
+    description = TextField(default="")
+    avatar_email = CharField(null=True, column_name="gravatar_email")
 
 
 class OAuthAuthorizationCode(BaseModel):
-  application = ForeignKeyField(OAuthApplication)
+    application = ForeignKeyField(OAuthApplication)
 
-  # TODO(remove-unenc): This field is deprecated and should be removed soon.
-  code = deprecated_field(
-    CharField(index=True, unique=True, null=True),
-    ERTMigrationFlags.WRITE_OLD_FIELDS)
+    # TODO(remove-unenc): This field is deprecated and should be removed soon.
+    code = deprecated_field(
+        CharField(index=True, unique=True, null=True),
+        ERTMigrationFlags.WRITE_OLD_FIELDS,
+    )
 
-  code_name = CharField(index=True, unique=True)
-  code_credential = CredentialField()
+    code_name = CharField(index=True, unique=True)
+    code_credential = CredentialField()
 
-  scope = CharField()
-  data = TextField()  # Context for the code, such as the user
+    scope = CharField()
+    data = TextField()  # Context for the code, such as the user
 
 
 class OAuthAccessToken(BaseModel):
-  uuid = CharField(default=uuid_generator, index=True)
-  application = ForeignKeyField(OAuthApplication)
-  authorized_user = QuayUserField()
-  scope = CharField()
-  token_name = CharField(index=True, unique=True)
-  token_code = CredentialField()
+    uuid = CharField(default=uuid_generator, index=True)
+    application = ForeignKeyField(OAuthApplication)
+    authorized_user = QuayUserField()
+    scope = CharField()
+    token_name = CharField(index=True, unique=True)
+    token_code = CredentialField()
 
-  # TODO(remove-unenc): This field is deprecated and should be removed soon.
-  access_token = deprecated_field(
-    CharField(index=True, null=True),
-    ERTMigrationFlags.WRITE_OLD_FIELDS)
+    # TODO(remove-unenc): This field is deprecated and should be removed soon.
+    access_token = deprecated_field(
+        CharField(index=True, null=True), ERTMigrationFlags.WRITE_OLD_FIELDS
+    )
 
-  token_type = CharField(default='Bearer')
-  expires_at = DateTimeField()
-  data = TextField()  # This is context for which this token was generated, such as the user
+    token_type = CharField(default="Bearer")
+    expires_at = DateTimeField()
+    data = (
+        TextField()
+    )  # This is context for which this token was generated, such as the user
 
 
 class NotificationKind(BaseModel):
-  name = CharField(index=True, unique=True)
+    name = CharField(index=True, unique=True)
 
 
 class Notification(BaseModel):
-  uuid = CharField(default=uuid_generator, index=True)
-  kind = ForeignKeyField(NotificationKind)
-  target = QuayUserField(index=True, allows_robots=True)
-  metadata_json = TextField(default='{}')
-  created = DateTimeField(default=datetime.now, index=True)
-  dismissed = BooleanField(default=False)
-  lookup_path = CharField(null=True, index=True)
+    uuid = CharField(default=uuid_generator, index=True)
+    kind = ForeignKeyField(NotificationKind)
+    target = QuayUserField(index=True, allows_robots=True)
+    metadata_json = TextField(default="{}")
+    created = DateTimeField(default=datetime.now, index=True)
+    dismissed = BooleanField(default=False)
+    lookup_path = CharField(null=True, index=True)
 
 
 class ExternalNotificationEvent(BaseModel):
-  name = CharField(index=True, unique=True)
+    name = CharField(index=True, unique=True)
 
 
 class ExternalNotificationMethod(BaseModel):
-  name = CharField(index=True, unique=True)
+    name = CharField(index=True, unique=True)
 
 
 class RepositoryNotification(BaseModel):
-  uuid = CharField(default=uuid_generator, index=True)
-  repository = ForeignKeyField(Repository)
-  event = ForeignKeyField(ExternalNotificationEvent)
-  method = ForeignKeyField(ExternalNotificationMethod)
-  title = CharField(null=True)
-  config_json = TextField()
-  event_config_json = TextField(default='{}')
-  number_of_failures = IntegerField(default=0)
+    uuid = CharField(default=uuid_generator, index=True)
+    repository = ForeignKeyField(Repository)
+    event = ForeignKeyField(ExternalNotificationEvent)
+    method = ForeignKeyField(ExternalNotificationMethod)
+    title = CharField(null=True)
+    config_json = TextField()
+    event_config_json = TextField(default="{}")
+    number_of_failures = IntegerField(default=0)
 
 
 class RepositoryAuthorizedEmail(BaseModel):
-  repository = ForeignKeyField(Repository)
-  email = CharField()
-  code = CharField(default=random_string_generator(), unique=True, index=True)
-  confirmed = BooleanField(default=False)
+    repository = ForeignKeyField(Repository)
+    email = CharField()
+    code = CharField(default=random_string_generator(), unique=True, index=True)
+    confirmed = BooleanField(default=False)
 
-  class Meta:
-    database = db
-    read_only_config = read_only_config
-    indexes = (
-      # create a unique index on email and repository
-      (('email', 'repository'), True),
-    )
+    class Meta:
+        database = db
+        read_only_config = read_only_config
+        indexes = (
+            # create a unique index on email and repository
+            (("email", "repository"), True),
+        )
 
 
 class BlobUpload(BaseModel):
-  repository = ForeignKeyField(Repository)
-  uuid = CharField(index=True, unique=True)
-  byte_count = BigIntegerField(default=0)
-  sha_state = ResumableSHA256Field(null=True, default=resumablehashlib.sha256)
-  location = ForeignKeyField(ImageStorageLocation)
-  storage_metadata = JSONField(null=True, default={})
-  chunk_count = IntegerField(default=0)
-  uncompressed_byte_count = BigIntegerField(null=True)
-  created = DateTimeField(default=datetime.now, index=True)
-  piece_sha_state = ResumableSHA1Field(null=True)
-  piece_hashes = Base64BinaryField(null=True)
+    repository = ForeignKeyField(Repository)
+    uuid = CharField(index=True, unique=True)
+    byte_count = BigIntegerField(default=0)
+    sha_state = ResumableSHA256Field(null=True, default=resumablehashlib.sha256)
+    location = ForeignKeyField(ImageStorageLocation)
+    storage_metadata = JSONField(null=True, default={})
+    chunk_count = IntegerField(default=0)
+    uncompressed_byte_count = BigIntegerField(null=True)
+    created = DateTimeField(default=datetime.now, index=True)
+    piece_sha_state = ResumableSHA1Field(null=True)
+    piece_hashes = Base64BinaryField(null=True)
 
-  class Meta:
-    database = db
-    read_only_config = read_only_config
-    indexes = (
-      # create a unique index on email and repository
-      (('repository', 'uuid'), True),
-    )
+    class Meta:
+        database = db
+        read_only_config = read_only_config
+        indexes = (
+            # create a unique index on email and repository
+            (("repository", "uuid"), True),
+        )
 
 
 class QuayService(BaseModel):
-  name = CharField(index=True, unique=True)
+    name = CharField(index=True, unique=True)
 
 
 class QuayRegion(BaseModel):
-  name = CharField(index=True, unique=True)
+    name = CharField(index=True, unique=True)
 
 
 class QuayRelease(BaseModel):
-  service = ForeignKeyField(QuayService)
-  version = CharField()
-  region = ForeignKeyField(QuayRegion)
-  reverted = BooleanField(default=False)
-  created = DateTimeField(default=datetime.now, index=True)
+    service = ForeignKeyField(QuayService)
+    version = CharField()
+    region = ForeignKeyField(QuayRegion)
+    reverted = BooleanField(default=False)
+    created = DateTimeField(default=datetime.now, index=True)
 
-  class Meta:
-    database = db
-    read_only_config = read_only_config
-    indexes = (
-      # unique release per region
-      (('service', 'version', 'region'), True),
-
-      # get recent releases
-      (('service', 'region', 'created'), False),
-    )
+    class Meta:
+        database = db
+        read_only_config = read_only_config
+        indexes = (
+            # unique release per region
+            (("service", "version", "region"), True),
+            # get recent releases
+            (("service", "region", "created"), False),
+        )
 
 
 class TorrentInfo(BaseModel):
-  storage = ForeignKeyField(ImageStorage)
-  piece_length = IntegerField()
-  pieces = Base64BinaryField()
+    storage = ForeignKeyField(ImageStorage)
+    piece_length = IntegerField()
+    pieces = Base64BinaryField()
 
-  class Meta:
-    database = db
-    read_only_config = read_only_config
-    indexes = (
-      # we may want to compute the piece hashes multiple times with different piece lengths
-      (('storage', 'piece_length'), True),
-    )
+    class Meta:
+        database = db
+        read_only_config = read_only_config
+        indexes = (
+            # we may want to compute the piece hashes multiple times with different piece lengths
+            (("storage", "piece_length"), True),
+        )
 
 
 class ServiceKeyApprovalType(Enum):
-  SUPERUSER = 'Super User API'
-  KEY_ROTATION = 'Key Rotation'
-  AUTOMATIC = 'Automatic'
+    SUPERUSER = "Super User API"
+    KEY_ROTATION = "Key Rotation"
+    AUTOMATIC = "Automatic"
 
 
 class ServiceKeyApproval(BaseModel):
-  approver = QuayUserField(null=True)
-  approval_type = CharField(index=True)
-  approved_date = DateTimeField(default=datetime.utcnow)
-  notes = TextField(default='')
+    approver = QuayUserField(null=True)
+    approval_type = CharField(index=True)
+    approved_date = DateTimeField(default=datetime.utcnow)
+    notes = TextField(default="")
 
 
 class ServiceKey(BaseModel):
-  name = CharField()
-  kid = CharField(unique=True, index=True)
-  service = CharField(index=True)
-  jwk = JSONField()
-  metadata = JSONField()
-  created_date = DateTimeField(default=datetime.utcnow)
-  expiration_date = DateTimeField(null=True)
-  rotation_duration = IntegerField(null=True)
-  approval = ForeignKeyField(ServiceKeyApproval, null=True)
+    name = CharField()
+    kid = CharField(unique=True, index=True)
+    service = CharField(index=True)
+    jwk = JSONField()
+    metadata = JSONField()
+    created_date = DateTimeField(default=datetime.utcnow)
+    expiration_date = DateTimeField(null=True)
+    rotation_duration = IntegerField(null=True)
+    approval = ForeignKeyField(ServiceKeyApproval, null=True)
 
 
 class MediaType(BaseModel):
-  """ MediaType is an enumeration of the possible formats of various objects in the data model.
+    """ MediaType is an enumeration of the possible formats of various objects in the data model.
   """
-  name = CharField(index=True, unique=True)
+
+    name = CharField(index=True, unique=True)
 
 
 class Messages(BaseModel):
-  content = TextField()
-  uuid = CharField(default=uuid_generator, max_length=36, index=True)
-  severity = CharField(default='info', index=True)
-  media_type = ForeignKeyField(MediaType)
+    content = TextField()
+    uuid = CharField(default=uuid_generator, max_length=36, index=True)
+    severity = CharField(default="info", index=True)
+    media_type = ForeignKeyField(MediaType)
 
 
 class LabelSourceType(BaseModel):
-  """ LabelSourceType is an enumeration of the possible sources for a label.
+    """ LabelSourceType is an enumeration of the possible sources for a label.
   """
-  name = CharField(index=True, unique=True)
-  mutable = BooleanField(default=False)
+
+    name = CharField(index=True, unique=True)
+    mutable = BooleanField(default=False)
 
 
 class Label(BaseModel):
-  """ Label represents user-facing metadata associated with another entry in the database (e.g. a
+    """ Label represents user-facing metadata associated with another entry in the database (e.g. a
       Manifest).
   """
-  uuid = CharField(default=uuid_generator, index=True, unique=True)
-  key = CharField(index=True)
-  value = TextField()
-  media_type = EnumField(MediaType)
-  source_type = EnumField(LabelSourceType)
+
+    uuid = CharField(default=uuid_generator, index=True, unique=True)
+    key = CharField(index=True)
+    value = TextField()
+    media_type = EnumField(MediaType)
+    source_type = EnumField(LabelSourceType)
 
 
 class ApprBlob(BaseModel):
-  """ ApprBlob represents a content-addressable object stored outside of the database.
+    """ ApprBlob represents a content-addressable object stored outside of the database.
   """
-  digest = CharField(index=True, unique=True)
-  media_type = EnumField(MediaType)
-  size = BigIntegerField()
-  uncompressed_size = BigIntegerField(null=True)
+
+    digest = CharField(index=True, unique=True)
+    media_type = EnumField(MediaType)
+    size = BigIntegerField()
+    uncompressed_size = BigIntegerField(null=True)
 
 
 class ApprBlobPlacementLocation(BaseModel):
-  """ ApprBlobPlacementLocation is an enumeration of the possible storage locations for ApprBlobs.
+    """ ApprBlobPlacementLocation is an enumeration of the possible storage locations for ApprBlobs.
   """
-  name = CharField(index=True, unique=True)
+
+    name = CharField(index=True, unique=True)
 
 
 class ApprBlobPlacement(BaseModel):
-  """ ApprBlobPlacement represents the location of a Blob.
+    """ ApprBlobPlacement represents the location of a Blob.
   """
-  blob = ForeignKeyField(ApprBlob)
-  location = EnumField(ApprBlobPlacementLocation)
 
-  class Meta:
-    database = db
-    read_only_config = read_only_config
-    indexes = (
-      (('blob', 'location'), True),
-    )
+    blob = ForeignKeyField(ApprBlob)
+    location = EnumField(ApprBlobPlacementLocation)
+
+    class Meta:
+        database = db
+        read_only_config = read_only_config
+        indexes = ((("blob", "location"), True),)
 
 
 class ApprManifest(BaseModel):
-  """ ApprManifest represents the metadata and collection of blobs that comprise an Appr image.
+    """ ApprManifest represents the metadata and collection of blobs that comprise an Appr image.
   """
-  digest = CharField(index=True, unique=True)
-  media_type = EnumField(MediaType)
-  manifest_json = JSONField()
+
+    digest = CharField(index=True, unique=True)
+    media_type = EnumField(MediaType)
+    manifest_json = JSONField()
 
 
 class ApprManifestBlob(BaseModel):
-  """ ApprManifestBlob is a many-to-many relation table linking ApprManifests and ApprBlobs.
+    """ ApprManifestBlob is a many-to-many relation table linking ApprManifests and ApprBlobs.
   """
-  manifest = ForeignKeyField(ApprManifest, index=True)
-  blob = ForeignKeyField(ApprBlob, index=True)
 
-  class Meta:
-    database = db
-    read_only_config = read_only_config
-    indexes = (
-      (('manifest', 'blob'), True),
-    )
+    manifest = ForeignKeyField(ApprManifest, index=True)
+    blob = ForeignKeyField(ApprBlob, index=True)
+
+    class Meta:
+        database = db
+        read_only_config = read_only_config
+        indexes = ((("manifest", "blob"), True),)
 
 
 class ApprManifestList(BaseModel):
-  """ ApprManifestList represents all of the various Appr manifests that compose an ApprTag.
+    """ ApprManifestList represents all of the various Appr manifests that compose an ApprTag.
   """
-  digest = CharField(index=True, unique=True)
-  manifest_list_json = JSONField()
-  schema_version = CharField()
-  media_type = EnumField(MediaType)
 
+    digest = CharField(index=True, unique=True)
+    manifest_list_json = JSONField()
+    schema_version = CharField()
+    media_type = EnumField(MediaType)
 
 
 class ApprTagKind(BaseModel):
-  """ ApprTagKind is a enumtable to reference tag kinds.
+    """ ApprTagKind is a enumtable to reference tag kinds.
   """
-  name = CharField(index=True, unique=True)
+
+    name = CharField(index=True, unique=True)
 
 
 class ApprTag(BaseModel):
-  """ ApprTag represents a user-facing alias for referencing an ApprManifestList.
+    """ ApprTag represents a user-facing alias for referencing an ApprManifestList.
   """
-  name = CharField()
-  repository = ForeignKeyField(Repository)
-  manifest_list = ForeignKeyField(ApprManifestList, null=True)
-  lifetime_start = BigIntegerField(default=get_epoch_timestamp_ms)
-  lifetime_end = BigIntegerField(null=True, index=True)
-  hidden = BooleanField(default=False)
-  reverted = BooleanField(default=False)
-  protected = BooleanField(default=False)
-  tag_kind = EnumField(ApprTagKind)
-  linked_tag = ForeignKeyField('self', null=True, backref='tag_parents')
 
-  class Meta:
-    database = db
-    read_only_config = read_only_config
-    indexes = (
-      (('repository', 'name'), False),
-      (('repository', 'name', 'hidden'), False),
-      # This unique index prevents deadlocks when concurrently moving and deleting tags
-      (('repository', 'name', 'lifetime_end'), True),
-    )
+    name = CharField()
+    repository = ForeignKeyField(Repository)
+    manifest_list = ForeignKeyField(ApprManifestList, null=True)
+    lifetime_start = BigIntegerField(default=get_epoch_timestamp_ms)
+    lifetime_end = BigIntegerField(null=True, index=True)
+    hidden = BooleanField(default=False)
+    reverted = BooleanField(default=False)
+    protected = BooleanField(default=False)
+    tag_kind = EnumField(ApprTagKind)
+    linked_tag = ForeignKeyField("self", null=True, backref="tag_parents")
+
+    class Meta:
+        database = db
+        read_only_config = read_only_config
+        indexes = (
+            (("repository", "name"), False),
+            (("repository", "name", "hidden"), False),
+            # This unique index prevents deadlocks when concurrently moving and deleting tags
+            (("repository", "name", "lifetime_end"), True),
+        )
+
 
 ApprChannel = ApprTag.alias()
 
 
 class ApprManifestListManifest(BaseModel):
-  """ ApprManifestListManifest is a many-to-many relation table linking ApprManifestLists and
+    """ ApprManifestListManifest is a many-to-many relation table linking ApprManifestLists and
       ApprManifests.
   """
-  manifest_list = ForeignKeyField(ApprManifestList, index=True)
-  manifest = ForeignKeyField(ApprManifest, index=True)
-  operating_system = CharField(null=True)
-  architecture = CharField(null=True)
-  platform_json = JSONField(null=True)
-  media_type = EnumField(MediaType)
 
-  class Meta:
-    database = db
-    read_only_config = read_only_config
-    indexes = (
-      (('manifest_list', 'media_type'), False),
-    )
+    manifest_list = ForeignKeyField(ApprManifestList, index=True)
+    manifest = ForeignKeyField(ApprManifest, index=True)
+    operating_system = CharField(null=True)
+    architecture = CharField(null=True)
+    platform_json = JSONField(null=True)
+    media_type = EnumField(MediaType)
+
+    class Meta:
+        database = db
+        read_only_config = read_only_config
+        indexes = ((("manifest_list", "media_type"), False),)
 
 
 class AppSpecificAuthToken(BaseModel):
-  """ AppSpecificAuthToken represents a token generated by a user for use with an external
+    """ AppSpecificAuthToken represents a token generated by a user for use with an external
       application where putting the user's credentials, even encrypted, is deemed too risky.
   """
-  user = QuayUserField()
-  uuid = CharField(default=uuid_generator, max_length=36, index=True)
-  title = CharField()
-  token_name = CharField(index=True, unique=True, default=random_string_generator(60))
-  token_secret = EncryptedCharField(default_token_length=60)
 
-  # TODO(remove-unenc): This field is deprecated and should be removed soon.
-  token_code = deprecated_field(
-    CharField(default=random_string_generator(length=120), unique=True, index=True, null=True),
-    ERTMigrationFlags.WRITE_OLD_FIELDS)
+    user = QuayUserField()
+    uuid = CharField(default=uuid_generator, max_length=36, index=True)
+    title = CharField()
+    token_name = CharField(index=True, unique=True, default=random_string_generator(60))
+    token_secret = EncryptedCharField(default_token_length=60)
 
-  created = DateTimeField(default=datetime.now)
-  expiration = DateTimeField(null=True)
-  last_accessed = DateTimeField(null=True)
-
-  class Meta:
-    database = db
-    read_only_config = read_only_config
-    indexes = (
-      (('user', 'expiration'), False),
+    # TODO(remove-unenc): This field is deprecated and should be removed soon.
+    token_code = deprecated_field(
+        CharField(
+            default=random_string_generator(length=120),
+            unique=True,
+            index=True,
+            null=True,
+        ),
+        ERTMigrationFlags.WRITE_OLD_FIELDS,
     )
 
+    created = DateTimeField(default=datetime.now)
+    expiration = DateTimeField(null=True)
+    last_accessed = DateTimeField(null=True)
+
+    class Meta:
+        database = db
+        read_only_config = read_only_config
+        indexes = ((("user", "expiration"), False),)
+
 
 class Manifest(BaseModel):
-  """ Manifest represents a single manifest under a repository. Within a repository,
+    """ Manifest represents a single manifest under a repository. Within a repository,
       there can only be one manifest with the same digest.
   """
-  repository = ForeignKeyField(Repository)
-  digest = CharField(index=True)
-  media_type = EnumField(MediaType)
-  manifest_bytes = TextField()
 
-  class Meta:
-    database = db
-    read_only_config = read_only_config
-    indexes = (
-      (('repository', 'digest'), True),
-      (('repository', 'media_type'), False),
-    )
+    repository = ForeignKeyField(Repository)
+    digest = CharField(index=True)
+    media_type = EnumField(MediaType)
+    manifest_bytes = TextField()
+
+    class Meta:
+        database = db
+        read_only_config = read_only_config
+        indexes = (
+            (("repository", "digest"), True),
+            (("repository", "media_type"), False),
+        )
 
 
 class TagKind(BaseModel):
-  """ TagKind describes the various kinds of tags that can be found in the registry.
+    """ TagKind describes the various kinds of tags that can be found in the registry.
   """
-  name = CharField(index=True, unique=True)
+
+    name = CharField(index=True, unique=True)
 
 
 class Tag(BaseModel):
-  """ Tag represents a user-facing alias for referencing a Manifest or as an alias to another tag.
+    """ Tag represents a user-facing alias for referencing a Manifest or as an alias to another tag.
   """
-  name = CharField()
-  repository = ForeignKeyField(Repository)
-  manifest = ForeignKeyField(Manifest, null=True)
-  lifetime_start_ms = BigIntegerField(default=get_epoch_timestamp_ms)
-  lifetime_end_ms = BigIntegerField(null=True, index=True)
-  hidden = BooleanField(default=False)
-  reversion = BooleanField(default=False)
-  tag_kind = EnumField(TagKind)
-  linked_tag = ForeignKeyField('self', null=True, backref='tag_parents')
 
-  class Meta:
-    database = db
-    read_only_config = read_only_config
-    indexes = (
-      (('repository', 'name'), False),
-      (('repository', 'name', 'hidden'), False),
-      (('repository', 'name', 'tag_kind'), False),
+    name = CharField()
+    repository = ForeignKeyField(Repository)
+    manifest = ForeignKeyField(Manifest, null=True)
+    lifetime_start_ms = BigIntegerField(default=get_epoch_timestamp_ms)
+    lifetime_end_ms = BigIntegerField(null=True, index=True)
+    hidden = BooleanField(default=False)
+    reversion = BooleanField(default=False)
+    tag_kind = EnumField(TagKind)
+    linked_tag = ForeignKeyField("self", null=True, backref="tag_parents")
 
-      (('repository', 'lifetime_start_ms'), False),
-      (('repository', 'lifetime_end_ms'), False),
-
-      # This unique index prevents deadlocks when concurrently moving and deleting tags
-      (('repository', 'name', 'lifetime_end_ms'), True),
-    )
+    class Meta:
+        database = db
+        read_only_config = read_only_config
+        indexes = (
+            (("repository", "name"), False),
+            (("repository", "name", "hidden"), False),
+            (("repository", "name", "tag_kind"), False),
+            (("repository", "lifetime_start_ms"), False),
+            (("repository", "lifetime_end_ms"), False),
+            # This unique index prevents deadlocks when concurrently moving and deleting tags
+            (("repository", "name", "lifetime_end_ms"), True),
+        )
 
 
 class ManifestChild(BaseModel):
-  """ ManifestChild represents a relationship between a manifest and its child manifest(s).
+    """ ManifestChild represents a relationship between a manifest and its child manifest(s).
       Multiple manifests can share the same children. Note that since Manifests are stored
       per-repository, the repository here is a bit redundant, but we do so to make cleanup easier.
   """
-  repository = ForeignKeyField(Repository)
-  manifest = ForeignKeyField(Manifest)
-  child_manifest = ForeignKeyField(Manifest)
 
-  class Meta:
-    database = db
-    read_only_config = read_only_config
-    indexes = (
-      (('repository', 'manifest'), False),
-      (('repository', 'child_manifest'), False),
-      (('repository', 'manifest', 'child_manifest'), False),
-      (('manifest', 'child_manifest'), True),
-    )
+    repository = ForeignKeyField(Repository)
+    manifest = ForeignKeyField(Manifest)
+    child_manifest = ForeignKeyField(Manifest)
+
+    class Meta:
+        database = db
+        read_only_config = read_only_config
+        indexes = (
+            (("repository", "manifest"), False),
+            (("repository", "child_manifest"), False),
+            (("repository", "manifest", "child_manifest"), False),
+            (("manifest", "child_manifest"), True),
+        )
 
 
 class ManifestLabel(BaseModel):
-  """ ManifestLabel represents a label applied to a Manifest, within a repository.
+    """ ManifestLabel represents a label applied to a Manifest, within a repository.
       Note that since Manifests are stored per-repository, the repository here is
       a bit redundant, but we do so to make cleanup easier.
   """
-  repository = ForeignKeyField(Repository, index=True)
-  manifest = ForeignKeyField(Manifest)
-  label = ForeignKeyField(Label)
 
-  class Meta:
-    database = db
-    read_only_config = read_only_config
-    indexes = (
-      (('manifest', 'label'), True),
-    )
+    repository = ForeignKeyField(Repository, index=True)
+    manifest = ForeignKeyField(Manifest)
+    label = ForeignKeyField(Label)
+
+    class Meta:
+        database = db
+        read_only_config = read_only_config
+        indexes = ((("manifest", "label"), True),)
 
 
 class ManifestBlob(BaseModel):
-  """ ManifestBlob represents a blob that is used by a manifest. """
-  repository = ForeignKeyField(Repository, index=True)
-  manifest = ForeignKeyField(Manifest)
-  blob = ForeignKeyField(ImageStorage)
+    """ ManifestBlob represents a blob that is used by a manifest. """
 
-  class Meta:
-    database = db
-    read_only_config = read_only_config
-    indexes = (
-      (('manifest', 'blob'), True),
-    )
+    repository = ForeignKeyField(Repository, index=True)
+    manifest = ForeignKeyField(Manifest)
+    blob = ForeignKeyField(ImageStorage)
+
+    class Meta:
+        database = db
+        read_only_config = read_only_config
+        indexes = ((("manifest", "blob"), True),)
 
 
 class ManifestLegacyImage(BaseModel):
-  """ For V1-compatible manifests only, this table maps from the manifest to its associated
+    """ For V1-compatible manifests only, this table maps from the manifest to its associated
       Docker image.
   """
-  repository = ForeignKeyField(Repository, index=True)
-  manifest = ForeignKeyField(Manifest, unique=True)
-  image = ForeignKeyField(Image)
+
+    repository = ForeignKeyField(Repository, index=True)
+    manifest = ForeignKeyField(Manifest, unique=True)
+    image = ForeignKeyField(Image)
 
 
 class TagManifest(BaseModel):
-  """ TO BE DEPRECATED: The manifest for a tag. """
-  tag = ForeignKeyField(RepositoryTag, unique=True)
-  digest = CharField(index=True)
-  json_data = TextField()
+    """ TO BE DEPRECATED: The manifest for a tag. """
+
+    tag = ForeignKeyField(RepositoryTag, unique=True)
+    digest = CharField(index=True)
+    json_data = TextField()
 
 
 class TagManifestToManifest(BaseModel):
-  """ NOTE: Only used for the duration of the migrations. """
-  tag_manifest = ForeignKeyField(TagManifest, index=True, unique=True)
-  manifest = ForeignKeyField(Manifest, index=True)
-  broken = BooleanField(index=True, default=False)
+    """ NOTE: Only used for the duration of the migrations. """
+
+    tag_manifest = ForeignKeyField(TagManifest, index=True, unique=True)
+    manifest = ForeignKeyField(Manifest, index=True)
+    broken = BooleanField(index=True, default=False)
 
 
 class TagManifestLabel(BaseModel):
-  """ TO BE DEPRECATED: Mapping from a tag manifest to a label.
+    """ TO BE DEPRECATED: Mapping from a tag manifest to a label.
   """
-  repository = ForeignKeyField(Repository, index=True)
-  annotated = ForeignKeyField(TagManifest, index=True)
-  label = ForeignKeyField(Label)
 
-  class Meta:
-    database = db
-    read_only_config = read_only_config
-    indexes = (
-      (('annotated', 'label'), True),
-    )
+    repository = ForeignKeyField(Repository, index=True)
+    annotated = ForeignKeyField(TagManifest, index=True)
+    label = ForeignKeyField(Label)
+
+    class Meta:
+        database = db
+        read_only_config = read_only_config
+        indexes = ((("annotated", "label"), True),)
 
 
 class TagManifestLabelMap(BaseModel):
-  """ NOTE: Only used for the duration of the migrations. """
-  tag_manifest = ForeignKeyField(TagManifest, index=True)
-  manifest = ForeignKeyField(Manifest, null=True, index=True)
+    """ NOTE: Only used for the duration of the migrations. """
 
-  label = ForeignKeyField(Label, index=True)
+    tag_manifest = ForeignKeyField(TagManifest, index=True)
+    manifest = ForeignKeyField(Manifest, null=True, index=True)
 
-  tag_manifest_label = ForeignKeyField(TagManifestLabel, index=True)
-  manifest_label = ForeignKeyField(ManifestLabel, null=True, index=True)
+    label = ForeignKeyField(Label, index=True)
 
-  broken_manifest = BooleanField(index=True, default=False)
+    tag_manifest_label = ForeignKeyField(TagManifestLabel, index=True)
+    manifest_label = ForeignKeyField(ManifestLabel, null=True, index=True)
+
+    broken_manifest = BooleanField(index=True, default=False)
 
 
 class TagToRepositoryTag(BaseModel):
-  """ NOTE: Only used for the duration of the migrations. """
-  repository = ForeignKeyField(Repository, index=True)
-  tag = ForeignKeyField(Tag, index=True, unique=True)
-  repository_tag = ForeignKeyField(RepositoryTag, index=True, unique=True)
+    """ NOTE: Only used for the duration of the migrations. """
+
+    repository = ForeignKeyField(Repository, index=True)
+    tag = ForeignKeyField(Tag, index=True, unique=True)
+    repository_tag = ForeignKeyField(RepositoryTag, index=True, unique=True)
 
 
 @unique
 class RepoMirrorRuleType(IntEnum):
-  """
+    """
   Types of mirroring rules.
   TAG_GLOB_CSV: Comma separated glob values (eg. "7.6,7.6-1.*")
   """
-  TAG_GLOB_CSV = 1
+
+    TAG_GLOB_CSV = 1
 
 
 class RepoMirrorRule(BaseModel):
-  """
+    """
   Determines how a given Repository should be mirrored.
   """
-  uuid = CharField(default=uuid_generator, max_length=36, index=True)
-  repository = ForeignKeyField(Repository, index=True)
-  creation_date = DateTimeField(default=datetime.utcnow)
 
-  rule_type = ClientEnumField(RepoMirrorRuleType, default=RepoMirrorRuleType.TAG_GLOB_CSV)
-  rule_value = JSONField()
+    uuid = CharField(default=uuid_generator, max_length=36, index=True)
+    repository = ForeignKeyField(Repository, index=True)
+    creation_date = DateTimeField(default=datetime.utcnow)
 
-  # Optional associations to allow the generation of a ruleset tree
-  left_child = ForeignKeyField('self', null=True, backref='left_child')
-  right_child = ForeignKeyField('self', null=True, backref='right_child')
+    rule_type = ClientEnumField(
+        RepoMirrorRuleType, default=RepoMirrorRuleType.TAG_GLOB_CSV
+    )
+    rule_value = JSONField()
+
+    # Optional associations to allow the generation of a ruleset tree
+    left_child = ForeignKeyField("self", null=True, backref="left_child")
+    right_child = ForeignKeyField("self", null=True, backref="right_child")
 
 
 @unique
 class RepoMirrorType(IntEnum):
-  """
+    """
   Types of repository mirrors.
   """
-  PULL = 1  # Pull images from the external repo
+
+    PULL = 1  # Pull images from the external repo
 
 
 @unique
 class RepoMirrorStatus(IntEnum):
-  """
+    """
   Possible statuses of repository mirroring.
   """
-  FAIL = -1
-  NEVER_RUN = 0
-  SUCCESS = 1
-  SYNCING = 2
-  SYNC_NOW = 3
+
+    FAIL = -1
+    NEVER_RUN = 0
+    SUCCESS = 1
+    SYNCING = 2
+    SYNC_NOW = 3
 
 
 class RepoMirrorConfig(BaseModel):
-  """
+    """
   Represents a repository to be mirrored and any additional configuration
   required to perform the mirroring.
   """
-  repository = ForeignKeyField(Repository, index=True, unique=True, backref='mirror')
-  creation_date = DateTimeField(default=datetime.utcnow)
-  is_enabled = BooleanField(default=True)
 
-  # Mirror Configuration
-  mirror_type = ClientEnumField(RepoMirrorType, default=RepoMirrorType.PULL)
-  internal_robot = QuayUserField(allows_robots=True, null=True, backref='mirrorpullrobot',
-                                 robot_null_delete=True)
-  external_reference = CharField()
-  external_registry_username = EncryptedCharField(max_length=2048, null=True)
-  external_registry_password = EncryptedCharField(max_length=2048, null=True)
-  external_registry_config = JSONField(default={})
+    repository = ForeignKeyField(Repository, index=True, unique=True, backref="mirror")
+    creation_date = DateTimeField(default=datetime.utcnow)
+    is_enabled = BooleanField(default=True)
 
-  # Worker Queuing
-  sync_interval = IntegerField()  # seconds between syncs
-  sync_start_date = DateTimeField(null=True)  # next start time
-  sync_expiration_date = DateTimeField(null=True)  # max duration
-  sync_retries_remaining = IntegerField(default=3)
-  sync_status = ClientEnumField(RepoMirrorStatus, default=RepoMirrorStatus.NEVER_RUN)
-  sync_transaction_id = CharField(default=uuid_generator, max_length=36)
+    # Mirror Configuration
+    mirror_type = ClientEnumField(RepoMirrorType, default=RepoMirrorType.PULL)
+    internal_robot = QuayUserField(
+        allows_robots=True, null=True, backref="mirrorpullrobot", robot_null_delete=True
+    )
+    external_reference = CharField()
+    external_registry_username = EncryptedCharField(max_length=2048, null=True)
+    external_registry_password = EncryptedCharField(max_length=2048, null=True)
+    external_registry_config = JSONField(default={})
 
-  # Tag-Matching Rules
-  root_rule = ForeignKeyField(RepoMirrorRule)
+    # Worker Queuing
+    sync_interval = IntegerField()  # seconds between syncs
+    sync_start_date = DateTimeField(null=True)  # next start time
+    sync_expiration_date = DateTimeField(null=True)  # max duration
+    sync_retries_remaining = IntegerField(default=3)
+    sync_status = ClientEnumField(RepoMirrorStatus, default=RepoMirrorStatus.NEVER_RUN)
+    sync_transaction_id = CharField(default=uuid_generator, max_length=36)
+
+    # Tag-Matching Rules
+    root_rule = ForeignKeyField(RepoMirrorRule)
 
 
-appr_classes = set([ApprTag, ApprTagKind, ApprBlobPlacementLocation, ApprManifestList,
-                    ApprManifestBlob, ApprBlob, ApprManifestListManifest, ApprManifest,
-                    ApprBlobPlacement])
-v22_classes = set([Manifest, ManifestLabel, ManifestBlob, ManifestLegacyImage, TagKind,
-                   ManifestChild, Tag])
-transition_classes = set([TagManifestToManifest, TagManifestLabelMap, TagToRepositoryTag])
+appr_classes = set(
+    [
+        ApprTag,
+        ApprTagKind,
+        ApprBlobPlacementLocation,
+        ApprManifestList,
+        ApprManifestBlob,
+        ApprBlob,
+        ApprManifestListManifest,
+        ApprManifest,
+        ApprBlobPlacement,
+    ]
+)
+v22_classes = set(
+    [
+        Manifest,
+        ManifestLabel,
+        ManifestBlob,
+        ManifestLegacyImage,
+        TagKind,
+        ManifestChild,
+        Tag,
+    ]
+)
+transition_classes = set(
+    [TagManifestToManifest, TagManifestLabelMap, TagToRepositoryTag]
+)
 
-is_model = lambda x: inspect.isclass(x) and issubclass(x, BaseModel) and x is not BaseModel
+is_model = (
+    lambda x: inspect.isclass(x) and issubclass(x, BaseModel) and x is not BaseModel
+)
 all_models = [model[1] for model in inspect.getmembers(sys.modules[__name__], is_model)]
diff --git a/data/encryption.py b/data/encryption.py
index 429f09827..199373ca1 100644
--- a/data/encryption.py
+++ b/data/encryption.py
@@ -7,81 +7,86 @@ from cryptography.hazmat.primitives.ciphers.aead import AESCCM
 
 from util.security.secret import convert_secret_key
 
+
 class DecryptionFailureException(Exception):
-  """ Exception raised if a field could not be decrypted. """
+    """ Exception raised if a field could not be decrypted. """
 
 
-EncryptionVersion = namedtuple('EncryptionVersion', ['prefix', 'encrypt', 'decrypt'])
+EncryptionVersion = namedtuple("EncryptionVersion", ["prefix", "encrypt", "decrypt"])
 
 logger = logging.getLogger(__name__)
 
 
-_SEPARATOR = '$$'
+_SEPARATOR = "$$"
 AES_CCM_NONCE_LENGTH = 13
 
 
 def _encrypt_ccm(secret_key, value, field_max_length=None):
-  aesccm = AESCCM(secret_key)
-  nonce = os.urandom(AES_CCM_NONCE_LENGTH)
-  ct = aesccm.encrypt(nonce, value.encode('utf-8'), None)
-  encrypted = base64.b64encode(nonce + ct)
-  if field_max_length:
-    msg = 'Tried to encode a value too large for this field'
-    assert (len(encrypted) + _RESERVED_FIELD_SPACE) <= field_max_length, msg
+    aesccm = AESCCM(secret_key)
+    nonce = os.urandom(AES_CCM_NONCE_LENGTH)
+    ct = aesccm.encrypt(nonce, value.encode("utf-8"), None)
+    encrypted = base64.b64encode(nonce + ct)
+    if field_max_length:
+        msg = "Tried to encode a value too large for this field"
+        assert (len(encrypted) + _RESERVED_FIELD_SPACE) <= field_max_length, msg
 
-  return encrypted
+    return encrypted
 
 
 def _decrypt_ccm(secret_key, value):
-  aesccm = AESCCM(secret_key)
-  try:
-    decoded = base64.b64decode(value)
-    nonce = decoded[:AES_CCM_NONCE_LENGTH]
-    ct = decoded[AES_CCM_NONCE_LENGTH:]
-    decrypted = aesccm.decrypt(nonce, ct, None)
-    return decrypted.decode('utf-8')
-  except Exception:
-    logger.exception('Got exception when trying to decrypt value `%s`', value)
-    raise DecryptionFailureException()
+    aesccm = AESCCM(secret_key)
+    try:
+        decoded = base64.b64decode(value)
+        nonce = decoded[:AES_CCM_NONCE_LENGTH]
+        ct = decoded[AES_CCM_NONCE_LENGTH:]
+        decrypted = aesccm.decrypt(nonce, ct, None)
+        return decrypted.decode("utf-8")
+    except Exception:
+        logger.exception("Got exception when trying to decrypt value `%s`", value)
+        raise DecryptionFailureException()
 
 
 # Defines the versions of encryptions we support. This will allow us to upgrade to newer encryption
 # protocols (fairly seamlessly) if need be in the future.
-_VERSIONS = {
-  'v0': EncryptionVersion('v0', _encrypt_ccm, _decrypt_ccm),
-}
+_VERSIONS = {"v0": EncryptionVersion("v0", _encrypt_ccm, _decrypt_ccm)}
 
 _RESERVED_FIELD_SPACE = len(_SEPARATOR) + max([len(k) for k in _VERSIONS.keys()])
 
 
 class FieldEncrypter(object):
-  """ Helper object for defining how fields are encrypted and decrypted between the database
+    """ Helper object for defining how fields are encrypted and decrypted between the database
       and the application.
   """
-  def __init__(self, secret_key, version='v0'):
-    # NOTE: secret_key will be None when the system is being first initialized, so we allow that
-    # case here, but make sure to assert that it is *not* None below if any encryption is actually
-    # needed.
-    self._secret_key = convert_secret_key(secret_key) if secret_key is not None else None
-    self._encryption_version = _VERSIONS[version]
 
-  def encrypt_value(self, value, field_max_length=None):
-    """ Encrypts the value using the current version of encryption. """
-    assert self._secret_key is not None
-    encrypted_value = self._encryption_version.encrypt(self._secret_key, value, field_max_length)
-    return '%s%s%s' % (self._encryption_version.prefix, _SEPARATOR, encrypted_value)
+    def __init__(self, secret_key, version="v0"):
+        # NOTE: secret_key will be None when the system is being first initialized, so we allow that
+        # case here, but make sure to assert that it is *not* None below if any encryption is actually
+        # needed.
+        self._secret_key = (
+            convert_secret_key(secret_key) if secret_key is not None else None
+        )
+        self._encryption_version = _VERSIONS[version]
 
-  def decrypt_value(self, value):
-    """ Decrypts the value, returning it. If the value cannot be decrypted
+    def encrypt_value(self, value, field_max_length=None):
+        """ Encrypts the value using the current version of encryption. """
+        assert self._secret_key is not None
+        encrypted_value = self._encryption_version.encrypt(
+            self._secret_key, value, field_max_length
+        )
+        return "%s%s%s" % (self._encryption_version.prefix, _SEPARATOR, encrypted_value)
+
+    def decrypt_value(self, value):
+        """ Decrypts the value, returning it. If the value cannot be decrypted
         raises a DecryptionFailureException.
     """
-    assert self._secret_key is not None
-    if _SEPARATOR not in value:
-      raise DecryptionFailureException('Invalid encrypted value')
+        assert self._secret_key is not None
+        if _SEPARATOR not in value:
+            raise DecryptionFailureException("Invalid encrypted value")
 
-    version_prefix, data = value.split(_SEPARATOR, 1)
-    if version_prefix not in _VERSIONS:
-      raise DecryptionFailureException('Unknown version prefix %s' % version_prefix)
-
-    return _VERSIONS[version_prefix].decrypt(self._secret_key, data)
+        version_prefix, data = value.split(_SEPARATOR, 1)
+        if version_prefix not in _VERSIONS:
+            raise DecryptionFailureException(
+                "Unknown version prefix %s" % version_prefix
+            )
 
+        return _VERSIONS[version_prefix].decrypt(self._secret_key, data)
diff --git a/data/fields.py b/data/fields.py
index c79a7e6bd..e72fddd93 100644
--- a/data/fields.py
+++ b/data/fields.py
@@ -12,176 +12,182 @@ from data.text import prefix_search
 
 
 def random_string(length=16):
-  random = SystemRandom()
-  return ''.join([random.choice(string.ascii_uppercase + string.digits)
-                  for _ in range(length)])
+    random = SystemRandom()
+    return "".join(
+        [random.choice(string.ascii_uppercase + string.digits) for _ in range(length)]
+    )
 
 
 class _ResumableSHAField(TextField):
-  def _create_sha(self):
-    raise NotImplementedError
+    def _create_sha(self):
+        raise NotImplementedError
 
-  def db_value(self, value):
-    if value is None:
-      return None
+    def db_value(self, value):
+        if value is None:
+            return None
 
-    sha_state = value.state()
+        sha_state = value.state()
 
-    # One of the fields is a byte string, let's base64 encode it to make sure
-    # we can store and fetch it regardless of default collocation.
-    sha_state[3] = base64.b64encode(sha_state[3])
+        # One of the fields is a byte string, let's base64 encode it to make sure
+        # we can store and fetch it regardless of default collocation.
+        sha_state[3] = base64.b64encode(sha_state[3])
 
-    return json.dumps(sha_state)
+        return json.dumps(sha_state)
 
-  def python_value(self, value):
-    if value is None:
-      return None
+    def python_value(self, value):
+        if value is None:
+            return None
 
-    sha_state = json.loads(value)
+        sha_state = json.loads(value)
 
-    # We need to base64 decode the data bytestring.
-    sha_state[3] = base64.b64decode(sha_state[3])
-    to_resume = self._create_sha()
-    to_resume.set_state(sha_state)
-    return to_resume
+        # We need to base64 decode the data bytestring.
+        sha_state[3] = base64.b64decode(sha_state[3])
+        to_resume = self._create_sha()
+        to_resume.set_state(sha_state)
+        return to_resume
 
 
 class ResumableSHA256Field(_ResumableSHAField):
-  def _create_sha(self):
-    return resumablehashlib.sha256()
+    def _create_sha(self):
+        return resumablehashlib.sha256()
 
 
 class ResumableSHA1Field(_ResumableSHAField):
-  def _create_sha(self):
-    return resumablehashlib.sha1()
+    def _create_sha(self):
+        return resumablehashlib.sha1()
 
 
 class JSONField(TextField):
-  def db_value(self, value):
-    return json.dumps(value)
+    def db_value(self, value):
+        return json.dumps(value)
 
-  def python_value(self, value):
-    if value is None or value == "":
-      return {}
-    return json.loads(value)
+    def python_value(self, value):
+        if value is None or value == "":
+            return {}
+        return json.loads(value)
 
 
 class Base64BinaryField(TextField):
-  def db_value(self, value):
-    if value is None:
-      return None
-    return base64.b64encode(value)
+    def db_value(self, value):
+        if value is None:
+            return None
+        return base64.b64encode(value)
 
-  def python_value(self, value):
-    if value is None:
-      return None
-    return base64.b64decode(value)
+    def python_value(self, value):
+        if value is None:
+            return None
+        return base64.b64decode(value)
 
 
 class DecryptedValue(object):
-  """ Wrapper around an already decrypted value to be placed into an encrypted field. """
-  def __init__(self, decrypted_value):
-    assert decrypted_value is not None
-    self.value = decrypted_value
+    """ Wrapper around an already decrypted value to be placed into an encrypted field. """
 
-  def decrypt(self):
-    return self.value
+    def __init__(self, decrypted_value):
+        assert decrypted_value is not None
+        self.value = decrypted_value
 
-  def matches(self, unencrypted_value):
-    """ Returns whether the value of this field matches the unencrypted_value. """
-    return self.decrypt() == unencrypted_value
+    def decrypt(self):
+        return self.value
+
+    def matches(self, unencrypted_value):
+        """ Returns whether the value of this field matches the unencrypted_value. """
+        return self.decrypt() == unencrypted_value
 
 
 class LazyEncryptedValue(object):
-  """ Wrapper around an encrypted value in an encrypted field. Will decrypt lazily. """
-  def __init__(self, encrypted_value, field):
-    self.encrypted_value = encrypted_value
-    self._field = field
+    """ Wrapper around an encrypted value in an encrypted field. Will decrypt lazily. """
 
-  def decrypt(self):
-    """ Decrypts the value. """
-    return self._field.model._meta.encrypter.decrypt_value(self.encrypted_value)
+    def __init__(self, encrypted_value, field):
+        self.encrypted_value = encrypted_value
+        self._field = field
 
-  def matches(self, unencrypted_value):
-    """ Returns whether the value of this field matches the unencrypted_value. """
-    return self.decrypt() == unencrypted_value
+    def decrypt(self):
+        """ Decrypts the value. """
+        return self._field.model._meta.encrypter.decrypt_value(self.encrypted_value)
 
-  def __eq__(self, _):
-    raise Exception('Disallowed operation; use `matches`')
+    def matches(self, unencrypted_value):
+        """ Returns whether the value of this field matches the unencrypted_value. """
+        return self.decrypt() == unencrypted_value
 
-  def __mod__(self, _):
-    raise Exception('Disallowed operation; use `matches`')
+    def __eq__(self, _):
+        raise Exception("Disallowed operation; use `matches`")
 
-  def __pow__(self, _):
-    raise Exception('Disallowed operation; use `matches`')
+    def __mod__(self, _):
+        raise Exception("Disallowed operation; use `matches`")
 
-  def __contains__(self, _):
-    raise Exception('Disallowed operation; use `matches`')
+    def __pow__(self, _):
+        raise Exception("Disallowed operation; use `matches`")
 
-  def contains(self, _):
-    raise Exception('Disallowed operation; use `matches`')
+    def __contains__(self, _):
+        raise Exception("Disallowed operation; use `matches`")
 
-  def startswith(self, _):
-    raise Exception('Disallowed operation; use `matches`')
+    def contains(self, _):
+        raise Exception("Disallowed operation; use `matches`")
 
-  def endswith(self, _):
-    raise Exception('Disallowed operation; use `matches`')
+    def startswith(self, _):
+        raise Exception("Disallowed operation; use `matches`")
+
+    def endswith(self, _):
+        raise Exception("Disallowed operation; use `matches`")
 
 
 def _add_encryption(field_class, requires_length_check=True):
-  """ Adds support for encryption and decryption to the given field class. """
-  class indexed_class(field_class):
-    def __init__(self, default_token_length=None, *args, **kwargs):
-      def _generate_default():
-        return DecryptedValue(random_string(default_token_length))
+    """ Adds support for encryption and decryption to the given field class. """
 
-      if default_token_length is not None:
-        kwargs['default'] = _generate_default
+    class indexed_class(field_class):
+        def __init__(self, default_token_length=None, *args, **kwargs):
+            def _generate_default():
+                return DecryptedValue(random_string(default_token_length))
 
-      field_class.__init__(self, *args, **kwargs)
-      assert not self.index
+            if default_token_length is not None:
+                kwargs["default"] = _generate_default
 
-    def db_value(self, value):
-      if value is None:
-        return None
+            field_class.__init__(self, *args, **kwargs)
+            assert not self.index
 
-      if isinstance(value, LazyEncryptedValue):
-        return value.encrypted_value
+        def db_value(self, value):
+            if value is None:
+                return None
 
-      if isinstance(value, DecryptedValue):
-        value = value.value
+            if isinstance(value, LazyEncryptedValue):
+                return value.encrypted_value
 
-      meta = self.model._meta
-      return meta.encrypter.encrypt_value(value, self.max_length if requires_length_check else None)
+            if isinstance(value, DecryptedValue):
+                value = value.value
 
-    def python_value(self, value):
-      if value is None:
-        return None
+            meta = self.model._meta
+            return meta.encrypter.encrypt_value(
+                value, self.max_length if requires_length_check else None
+            )
 
-      return LazyEncryptedValue(value, self)
+        def python_value(self, value):
+            if value is None:
+                return None
 
-    def __eq__(self, _):
-      raise Exception('Disallowed operation; use `matches`')
+            return LazyEncryptedValue(value, self)
 
-    def __mod__(self, _):
-      raise Exception('Disallowed operation; use `matches`')
+        def __eq__(self, _):
+            raise Exception("Disallowed operation; use `matches`")
 
-    def __pow__(self, _):
-      raise Exception('Disallowed operation; use `matches`')
+        def __mod__(self, _):
+            raise Exception("Disallowed operation; use `matches`")
 
-    def __contains__(self, _):
-      raise Exception('Disallowed operation; use `matches`')
+        def __pow__(self, _):
+            raise Exception("Disallowed operation; use `matches`")
 
-    def contains(self, _):
-      raise Exception('Disallowed operation; use `matches`')
+        def __contains__(self, _):
+            raise Exception("Disallowed operation; use `matches`")
 
-    def startswith(self, _):
-      raise Exception('Disallowed operation; use `matches`')
+        def contains(self, _):
+            raise Exception("Disallowed operation; use `matches`")
 
-    def endswith(self, _):
-      raise Exception('Disallowed operation; use `matches`')
+        def startswith(self, _):
+            raise Exception("Disallowed operation; use `matches`")
 
-  return indexed_class
+        def endswith(self, _):
+            raise Exception("Disallowed operation; use `matches`")
+
+    return indexed_class
 
 
 EncryptedCharField = _add_encryption(CharField)
@@ -189,61 +195,60 @@ EncryptedTextField = _add_encryption(TextField, requires_length_check=False)
 
 
 class EnumField(SmallIntegerField):
-  def __init__(self, enum_type, *args, **kwargs):
-    kwargs.pop('index', None)
+    def __init__(self, enum_type, *args, **kwargs):
+        kwargs.pop("index", None)
 
-    super(EnumField, self).__init__(index=True, *args, **kwargs)
-    self.enum_type = enum_type
+        super(EnumField, self).__init__(index=True, *args, **kwargs)
+        self.enum_type = enum_type
 
-  def db_value(self, value):
-      """Convert the python value for storage in the database."""
-      return int(value.value)
+    def db_value(self, value):
+        """Convert the python value for storage in the database."""
+        return int(value.value)
 
-  def python_value(self, value):
-      """Convert the database value to a pythonic value."""
-      return self.enum_type(value) if value is not None else None
+    def python_value(self, value):
+        """Convert the database value to a pythonic value."""
+        return self.enum_type(value) if value is not None else None
 
-  def clone_base(self, **kwargs):
-    return super(EnumField, self).clone_base(
-      enum_type=self.enum_type,
-      **kwargs)
+    def clone_base(self, **kwargs):
+        return super(EnumField, self).clone_base(enum_type=self.enum_type, **kwargs)
 
 
 def _add_fulltext(field_class):
-  """ Adds support for full text indexing and lookup to the given field class. """
-  class indexed_class(field_class):
-    # Marker used by SQLAlchemy translation layer to add the proper index for full text searching.
-    __fulltext__ = True
+    """ Adds support for full text indexing and lookup to the given field class. """
 
-    def __init__(self, match_function, *args, **kwargs):
-      field_class.__init__(self, *args, **kwargs)
-      self.match_function = match_function
+    class indexed_class(field_class):
+        # Marker used by SQLAlchemy translation layer to add the proper index for full text searching.
+        __fulltext__ = True
 
-    def match(self, query):
-      return self.match_function(self, query)
+        def __init__(self, match_function, *args, **kwargs):
+            field_class.__init__(self, *args, **kwargs)
+            self.match_function = match_function
 
-    def match_prefix(self, query):
-      return prefix_search(self, query)
+        def match(self, query):
+            return self.match_function(self, query)
 
-    def __mod__(self, _):
-      raise Exception('Unsafe operation: Use `match` or `match_prefix`')
+        def match_prefix(self, query):
+            return prefix_search(self, query)
 
-    def __pow__(self, _):
-      raise Exception('Unsafe operation: Use `match` or `match_prefix`')
+        def __mod__(self, _):
+            raise Exception("Unsafe operation: Use `match` or `match_prefix`")
 
-    def __contains__(self, _):
-      raise Exception('Unsafe operation: Use `match` or `match_prefix`')
+        def __pow__(self, _):
+            raise Exception("Unsafe operation: Use `match` or `match_prefix`")
 
-    def contains(self, _):
-      raise Exception('Unsafe operation: Use `match` or `match_prefix`')
+        def __contains__(self, _):
+            raise Exception("Unsafe operation: Use `match` or `match_prefix`")
 
-    def startswith(self, _):
-      raise Exception('Unsafe operation: Use `match` or `match_prefix`')
+        def contains(self, _):
+            raise Exception("Unsafe operation: Use `match` or `match_prefix`")
 
-    def endswith(self, _):
-      raise Exception('Unsafe operation: Use `match` or `match_prefix`')
+        def startswith(self, _):
+            raise Exception("Unsafe operation: Use `match` or `match_prefix`")
 
-  return indexed_class
+        def endswith(self, _):
+            raise Exception("Unsafe operation: Use `match` or `match_prefix`")
+
+    return indexed_class
 
 
 FullIndexedCharField = _add_fulltext(CharField)
@@ -251,47 +256,51 @@ FullIndexedTextField = _add_fulltext(TextField)
 
 
 class Credential(object):
-  """ Credential represents a hashed credential. """
-  def __init__(self, hashed):
-    self.hashed = hashed
+    """ Credential represents a hashed credential. """
 
-  def matches(self, value):
-    """ Returns true if this credential matches the unhashed value given. """
-    return bcrypt.hashpw(value.encode('utf-8'), self.hashed) == self.hashed
+    def __init__(self, hashed):
+        self.hashed = hashed
 
-  @classmethod
-  def from_string(cls, string_value):
-    """ Returns a Credential object from an unhashed string value. """
-    return Credential(bcrypt.hashpw(string_value.encode('utf-8'), bcrypt.gensalt()))
+    def matches(self, value):
+        """ Returns true if this credential matches the unhashed value given. """
+        return bcrypt.hashpw(value.encode("utf-8"), self.hashed) == self.hashed
 
-  @classmethod
-  def generate(cls, length=20):
-    """ Generates a new credential and returns it, along with its unhashed form. """
-    token = random_string(length)
-    return Credential.from_string(token), token
+    @classmethod
+    def from_string(cls, string_value):
+        """ Returns a Credential object from an unhashed string value. """
+        return Credential(bcrypt.hashpw(string_value.encode("utf-8"), bcrypt.gensalt()))
+
+    @classmethod
+    def generate(cls, length=20):
+        """ Generates a new credential and returns it, along with its unhashed form. """
+        token = random_string(length)
+        return Credential.from_string(token), token
 
 
 class CredentialField(CharField):
-  """ A character field that stores crytographically hashed credentials that should never be
+    """ A character field that stores crytographically hashed credentials that should never be
       available to the user in plaintext after initial creation. This field automatically
       provides verification.
   """
-  def __init__(self, *args, **kwargs):
-    CharField.__init__(self, *args, **kwargs)
-    assert 'default' not in kwargs
-    assert not self.index
 
-  def db_value(self, value):
-    if value is None:
-      return None
+    def __init__(self, *args, **kwargs):
+        CharField.__init__(self, *args, **kwargs)
+        assert "default" not in kwargs
+        assert not self.index
 
-    if isinstance(value, basestring):
-      raise Exception('A string cannot be given to a CredentialField; please wrap in a Credential')
+    def db_value(self, value):
+        if value is None:
+            return None
 
-    return value.hashed
+        if isinstance(value, basestring):
+            raise Exception(
+                "A string cannot be given to a CredentialField; please wrap in a Credential"
+            )
 
-  def python_value(self, value):
-    if value is None:
-      return None
+        return value.hashed
 
-    return Credential(value)
+    def python_value(self, value):
+        if value is None:
+            return None
+
+        return Credential(value)
diff --git a/data/logs_model/__init__.py b/data/logs_model/__init__.py
index be8cc9402..75c1023f3 100644
--- a/data/logs_model/__init__.py
+++ b/data/logs_model/__init__.py
@@ -8,57 +8,61 @@ logger = logging.getLogger(__name__)
 
 
 def _transition_model(*args, **kwargs):
-  return CombinedLogsModel(
-    DocumentLogsModel(*args, **kwargs),
-    TableLogsModel(*args, **kwargs),
-  )
+    return CombinedLogsModel(
+        DocumentLogsModel(*args, **kwargs), TableLogsModel(*args, **kwargs)
+    )
 
 
 _LOG_MODELS = {
-  'database': TableLogsModel,
-  'transition_reads_both_writes_es': _transition_model,
-  'elasticsearch': DocumentLogsModel,
+    "database": TableLogsModel,
+    "transition_reads_both_writes_es": _transition_model,
+    "elasticsearch": DocumentLogsModel,
 }
 
-_PULL_LOG_KINDS = {'pull_repo', 'repo_verb'}
+_PULL_LOG_KINDS = {"pull_repo", "repo_verb"}
+
 
 class LogsModelProxy(object):
-  def __init__(self):
-    self._model = None
+    def __init__(self):
+        self._model = None
 
-  def initialize(self, model):
-    self._model = model
-    logger.info('===============================')
-    logger.info('Using logs model `%s`', self._model)
-    logger.info('===============================')
+    def initialize(self, model):
+        self._model = model
+        logger.info("===============================")
+        logger.info("Using logs model `%s`", self._model)
+        logger.info("===============================")
 
-  def __getattr__(self, attr):
-    if not self._model:
-      raise AttributeError("LogsModelProxy is not initialized")
-    return getattr(self._model, attr)
+    def __getattr__(self, attr):
+        if not self._model:
+            raise AttributeError("LogsModelProxy is not initialized")
+        return getattr(self._model, attr)
 
 
 logs_model = LogsModelProxy()
 
 
 def configure(app_config):
-  logger.debug('Configuring log lodel')
-  model_name = app_config.get('LOGS_MODEL', 'database')
-  model_config = app_config.get('LOGS_MODEL_CONFIG', {})
+    logger.debug("Configuring log lodel")
+    model_name = app_config.get("LOGS_MODEL", "database")
+    model_config = app_config.get("LOGS_MODEL_CONFIG", {})
 
-  def should_skip_logging(kind_name, namespace_name, is_free_namespace):
-    if namespace_name and namespace_name in app_config.get('DISABLED_FOR_AUDIT_LOGS', {}):
-      return True
+    def should_skip_logging(kind_name, namespace_name, is_free_namespace):
+        if namespace_name and namespace_name in app_config.get(
+            "DISABLED_FOR_AUDIT_LOGS", {}
+        ):
+            return True
 
-    if kind_name in _PULL_LOG_KINDS:
-      if namespace_name and namespace_name in app_config.get('DISABLED_FOR_PULL_LOGS', {}):
-        return True
+        if kind_name in _PULL_LOG_KINDS:
+            if namespace_name and namespace_name in app_config.get(
+                "DISABLED_FOR_PULL_LOGS", {}
+            ):
+                return True
 
-      if app_config.get('FEATURE_DISABLE_PULL_LOGS_FOR_FREE_NAMESPACES'):
-        if is_free_namespace:
-          return True
+            if app_config.get("FEATURE_DISABLE_PULL_LOGS_FOR_FREE_NAMESPACES"):
+                if is_free_namespace:
+                    return True
 
-    return False
+        return False
 
-  model_config['should_skip_logging'] = should_skip_logging
-  logs_model.initialize(_LOG_MODELS[model_name](**model_config))
+    model_config["should_skip_logging"] = should_skip_logging
+    logs_model.initialize(_LOG_MODELS[model_name](**model_config))
diff --git a/data/logs_model/combined_model.py b/data/logs_model/combined_model.py
index 735101601..ea62ff7a4 100644
--- a/data/logs_model/combined_model.py
+++ b/data/logs_model/combined_model.py
@@ -9,124 +9,201 @@ logger = logging.getLogger(__name__)
 
 
 def _merge_aggregated_log_counts(*args):
-  """ Merge two lists of AggregatedLogCount based on the value of their kind_id and datetime.
+    """ Merge two lists of AggregatedLogCount based on the value of their kind_id and datetime.
   """
-  matching_keys = {}
-  aggregated_log_counts_list = itertools.chain.from_iterable(args)
+    matching_keys = {}
+    aggregated_log_counts_list = itertools.chain.from_iterable(args)
 
-  def canonical_key_from_kind_date_tuple(kind_id, dt):
-    """ Return a comma separated key from an AggregatedLogCount's kind_id and datetime. """
-    return str(kind_id) + ',' + str(dt)
+    def canonical_key_from_kind_date_tuple(kind_id, dt):
+        """ Return a comma separated key from an AggregatedLogCount's kind_id and datetime. """
+        return str(kind_id) + "," + str(dt)
 
-  for kind_id, count, dt in aggregated_log_counts_list:
-    kind_date_key = canonical_key_from_kind_date_tuple(kind_id, dt)
-    if kind_date_key in matching_keys:
-      existing_count = matching_keys[kind_date_key][2]
-      matching_keys[kind_date_key] = (kind_id, dt, existing_count + count)
-    else:
-      matching_keys[kind_date_key] = (kind_id, dt, count)
+    for kind_id, count, dt in aggregated_log_counts_list:
+        kind_date_key = canonical_key_from_kind_date_tuple(kind_id, dt)
+        if kind_date_key in matching_keys:
+            existing_count = matching_keys[kind_date_key][2]
+            matching_keys[kind_date_key] = (kind_id, dt, existing_count + count)
+        else:
+            matching_keys[kind_date_key] = (kind_id, dt, count)
 
-  return [AggregatedLogCount(kind_id, count, dt) for (kind_id, dt, count) in matching_keys.values()]
+    return [
+        AggregatedLogCount(kind_id, count, dt)
+        for (kind_id, dt, count) in matching_keys.values()
+    ]
 
 
 class CombinedLogsModel(SharedModel, ActionLogsDataInterface):
-  """
+    """
   CombinedLogsModel implements the data model that logs to the first logs model and reads from
   both.
   """
 
-  def __init__(self, read_write_logs_model, read_only_logs_model):
-    self.read_write_logs_model = read_write_logs_model
-    self.read_only_logs_model = read_only_logs_model
+    def __init__(self, read_write_logs_model, read_only_logs_model):
+        self.read_write_logs_model = read_write_logs_model
+        self.read_only_logs_model = read_only_logs_model
 
-  def log_action(self, kind_name, namespace_name=None, performer=None, ip=None, metadata=None,
-                 repository=None, repository_name=None, timestamp=None, is_free_namespace=False):
-    return self.read_write_logs_model.log_action(kind_name, namespace_name, performer, ip, metadata,
-                                                 repository, repository_name, timestamp,
-                                                 is_free_namespace)
+    def log_action(
+        self,
+        kind_name,
+        namespace_name=None,
+        performer=None,
+        ip=None,
+        metadata=None,
+        repository=None,
+        repository_name=None,
+        timestamp=None,
+        is_free_namespace=False,
+    ):
+        return self.read_write_logs_model.log_action(
+            kind_name,
+            namespace_name,
+            performer,
+            ip,
+            metadata,
+            repository,
+            repository_name,
+            timestamp,
+            is_free_namespace,
+        )
 
-  def count_repository_actions(self, repository, day):
-    rw_count = self.read_write_logs_model.count_repository_actions(repository, day)
-    ro_count = self.read_only_logs_model.count_repository_actions(repository, day)
-    return rw_count + ro_count
+    def count_repository_actions(self, repository, day):
+        rw_count = self.read_write_logs_model.count_repository_actions(repository, day)
+        ro_count = self.read_only_logs_model.count_repository_actions(repository, day)
+        return rw_count + ro_count
 
-  def get_aggregated_log_counts(self, start_datetime, end_datetime, performer_name=None,
-                                repository_name=None, namespace_name=None, filter_kinds=None):
-    rw_model = self.read_write_logs_model
-    ro_model = self.read_only_logs_model
-    rw_count = rw_model.get_aggregated_log_counts(start_datetime, end_datetime,
-                                                  performer_name=performer_name,
-                                                  repository_name=repository_name,
-                                                  namespace_name=namespace_name,
-                                                  filter_kinds=filter_kinds)
-    ro_count = ro_model.get_aggregated_log_counts(start_datetime, end_datetime,
-                                                  performer_name=performer_name,
-                                                  repository_name=repository_name,
-                                                  namespace_name=namespace_name,
-                                                  filter_kinds=filter_kinds)
-    return _merge_aggregated_log_counts(rw_count, ro_count)
+    def get_aggregated_log_counts(
+        self,
+        start_datetime,
+        end_datetime,
+        performer_name=None,
+        repository_name=None,
+        namespace_name=None,
+        filter_kinds=None,
+    ):
+        rw_model = self.read_write_logs_model
+        ro_model = self.read_only_logs_model
+        rw_count = rw_model.get_aggregated_log_counts(
+            start_datetime,
+            end_datetime,
+            performer_name=performer_name,
+            repository_name=repository_name,
+            namespace_name=namespace_name,
+            filter_kinds=filter_kinds,
+        )
+        ro_count = ro_model.get_aggregated_log_counts(
+            start_datetime,
+            end_datetime,
+            performer_name=performer_name,
+            repository_name=repository_name,
+            namespace_name=namespace_name,
+            filter_kinds=filter_kinds,
+        )
+        return _merge_aggregated_log_counts(rw_count, ro_count)
 
-  def yield_logs_for_export(self, start_datetime, end_datetime, repository_id=None,
-                            namespace_id=None, max_query_time=None):
-    rw_model = self.read_write_logs_model
-    ro_model = self.read_only_logs_model
-    rw_logs = rw_model.yield_logs_for_export(start_datetime, end_datetime, repository_id,
-                                             namespace_id, max_query_time)
-    ro_logs = ro_model.yield_logs_for_export(start_datetime, end_datetime, repository_id,
-                                             namespace_id, max_query_time)
-    for batch in itertools.chain(rw_logs, ro_logs):
-      yield batch
+    def yield_logs_for_export(
+        self,
+        start_datetime,
+        end_datetime,
+        repository_id=None,
+        namespace_id=None,
+        max_query_time=None,
+    ):
+        rw_model = self.read_write_logs_model
+        ro_model = self.read_only_logs_model
+        rw_logs = rw_model.yield_logs_for_export(
+            start_datetime, end_datetime, repository_id, namespace_id, max_query_time
+        )
+        ro_logs = ro_model.yield_logs_for_export(
+            start_datetime, end_datetime, repository_id, namespace_id, max_query_time
+        )
+        for batch in itertools.chain(rw_logs, ro_logs):
+            yield batch
 
-  def lookup_logs(self, start_datetime, end_datetime, performer_name=None, repository_name=None,
-                  namespace_name=None, filter_kinds=None, page_token=None, max_page_count=None):
-    rw_model = self.read_write_logs_model
-    ro_model = self.read_only_logs_model
+    def lookup_logs(
+        self,
+        start_datetime,
+        end_datetime,
+        performer_name=None,
+        repository_name=None,
+        namespace_name=None,
+        filter_kinds=None,
+        page_token=None,
+        max_page_count=None,
+    ):
+        rw_model = self.read_write_logs_model
+        ro_model = self.read_only_logs_model
 
-    page_token = page_token or {}
+        page_token = page_token or {}
 
-    new_page_token = {}
-    if page_token is None or not page_token.get('under_readonly_model', False):
-      rw_page_token = page_token.get('readwrite_page_token')
-      rw_logs = rw_model.lookup_logs(start_datetime, end_datetime, performer_name,
-                                     repository_name, namespace_name, filter_kinds,
-                                     rw_page_token, max_page_count)
-      logs, next_page_token = rw_logs
-      new_page_token['under_readonly_model'] = next_page_token is None
-      new_page_token['readwrite_page_token'] = next_page_token
-      return LogEntriesPage(logs, new_page_token)
-    else:
-      readonly_page_token = page_token.get('readonly_page_token')
-      ro_logs = ro_model.lookup_logs(start_datetime, end_datetime, performer_name,
-                                     repository_name, namespace_name, filter_kinds,
-                                     readonly_page_token, max_page_count)
-      logs, next_page_token = ro_logs
-      if next_page_token is None:
-        return LogEntriesPage(logs, None)
+        new_page_token = {}
+        if page_token is None or not page_token.get("under_readonly_model", False):
+            rw_page_token = page_token.get("readwrite_page_token")
+            rw_logs = rw_model.lookup_logs(
+                start_datetime,
+                end_datetime,
+                performer_name,
+                repository_name,
+                namespace_name,
+                filter_kinds,
+                rw_page_token,
+                max_page_count,
+            )
+            logs, next_page_token = rw_logs
+            new_page_token["under_readonly_model"] = next_page_token is None
+            new_page_token["readwrite_page_token"] = next_page_token
+            return LogEntriesPage(logs, new_page_token)
+        else:
+            readonly_page_token = page_token.get("readonly_page_token")
+            ro_logs = ro_model.lookup_logs(
+                start_datetime,
+                end_datetime,
+                performer_name,
+                repository_name,
+                namespace_name,
+                filter_kinds,
+                readonly_page_token,
+                max_page_count,
+            )
+            logs, next_page_token = ro_logs
+            if next_page_token is None:
+                return LogEntriesPage(logs, None)
 
-      new_page_token['under_readonly_model'] = True
-      new_page_token['readonly_page_token'] = next_page_token
-      return LogEntriesPage(logs, new_page_token)
+            new_page_token["under_readonly_model"] = True
+            new_page_token["readonly_page_token"] = next_page_token
+            return LogEntriesPage(logs, new_page_token)
 
-  def lookup_latest_logs(self, performer_name=None, repository_name=None, namespace_name=None,
-                         filter_kinds=None, size=20):
-    latest_logs = []
-    rw_model = self.read_write_logs_model
-    ro_model = self.read_only_logs_model
+    def lookup_latest_logs(
+        self,
+        performer_name=None,
+        repository_name=None,
+        namespace_name=None,
+        filter_kinds=None,
+        size=20,
+    ):
+        latest_logs = []
+        rw_model = self.read_write_logs_model
+        ro_model = self.read_only_logs_model
 
-    rw_logs = rw_model.lookup_latest_logs(performer_name, repository_name, namespace_name,
-                                          filter_kinds, size)
-    latest_logs.extend(rw_logs)
-    if len(latest_logs) < size:
-      ro_logs = ro_model.lookup_latest_logs(performer_name, repository_name, namespace_name,
-                                            filter_kinds, size - len(latest_logs))
-      latest_logs.extend(ro_logs)
+        rw_logs = rw_model.lookup_latest_logs(
+            performer_name, repository_name, namespace_name, filter_kinds, size
+        )
+        latest_logs.extend(rw_logs)
+        if len(latest_logs) < size:
+            ro_logs = ro_model.lookup_latest_logs(
+                performer_name,
+                repository_name,
+                namespace_name,
+                filter_kinds,
+                size - len(latest_logs),
+            )
+            latest_logs.extend(ro_logs)
 
-    return latest_logs
+        return latest_logs
 
-  def yield_log_rotation_context(self, cutoff_date, min_logs_per_rotation):
-    ro_model = self.read_only_logs_model
-    rw_model = self.read_write_logs_model
-    ro_ctx = ro_model.yield_log_rotation_context(cutoff_date, min_logs_per_rotation)
-    rw_ctx = rw_model.yield_log_rotation_context(cutoff_date, min_logs_per_rotation)
-    for ctx in itertools.chain(ro_ctx, rw_ctx):
-      yield ctx
+    def yield_log_rotation_context(self, cutoff_date, min_logs_per_rotation):
+        ro_model = self.read_only_logs_model
+        rw_model = self.read_write_logs_model
+        ro_ctx = ro_model.yield_log_rotation_context(cutoff_date, min_logs_per_rotation)
+        rw_ctx = rw_model.yield_log_rotation_context(cutoff_date, min_logs_per_rotation)
+        for ctx in itertools.chain(ro_ctx, rw_ctx):
+            yield ctx
diff --git a/data/logs_model/datatypes.py b/data/logs_model/datatypes.py
index 03db6756f..f670c6397 100644
--- a/data/logs_model/datatypes.py
+++ b/data/logs_model/datatypes.py
@@ -11,145 +11,187 @@ from util.morecollections import AttrDict
 
 
 def _format_date(date):
-  """ Output an RFC822 date format. """
-  if date is None:
-    return None
+    """ Output an RFC822 date format. """
+    if date is None:
+        return None
 
-  return formatdate(timegm(date.utctimetuple()))
+    return formatdate(timegm(date.utctimetuple()))
 
 
 @lru_cache(maxsize=1)
 def _kinds():
-  return model.log.get_log_entry_kinds()
+    return model.log.get_log_entry_kinds()
 
 
-class LogEntriesPage(namedtuple('LogEntriesPage', ['logs', 'next_page_token'])):
-  """ Represents a page returned by the lookup_logs call. The `logs` contains the logs
+class LogEntriesPage(namedtuple("LogEntriesPage", ["logs", "next_page_token"])):
+    """ Represents a page returned by the lookup_logs call. The `logs` contains the logs
       found for the page and `next_page_token`, if not None, contains the token to be
       encoded and returned for the followup call.
   """
 
 
-class Log(namedtuple('Log', [
-    'metadata_json', 'ip', 'datetime', 'performer_email', 'performer_username', 'performer_robot',
-    'account_organization', 'account_username', 'account_email', 'account_robot', 'kind_id'])):
-  """ Represents a single log entry returned by the logs model. """
+class Log(
+    namedtuple(
+        "Log",
+        [
+            "metadata_json",
+            "ip",
+            "datetime",
+            "performer_email",
+            "performer_username",
+            "performer_robot",
+            "account_organization",
+            "account_username",
+            "account_email",
+            "account_robot",
+            "kind_id",
+        ],
+    )
+):
+    """ Represents a single log entry returned by the logs model. """
 
-  @classmethod
-  def for_logentry(cls, log):
-    account_organization = None
-    account_username = None
-    account_email = None
-    account_robot = None
+    @classmethod
+    def for_logentry(cls, log):
+        account_organization = None
+        account_username = None
+        account_email = None
+        account_robot = None
 
-    try:
-      account_organization = log.account.organization
-      account_username = log.account.username
-      account_email = log.account.email
-      account_robot = log.account.robot
-    except AttributeError:
-      pass
+        try:
+            account_organization = log.account.organization
+            account_username = log.account.username
+            account_email = log.account.email
+            account_robot = log.account.robot
+        except AttributeError:
+            pass
 
-    performer_robot = None
-    performer_username = None
-    performer_email = None
+        performer_robot = None
+        performer_username = None
+        performer_email = None
 
-    try:
-      performer_robot = log.performer.robot
-      performer_username = log.performer.username
-      performer_email = log.performer.email
-    except AttributeError:
-      pass
+        try:
+            performer_robot = log.performer.robot
+            performer_username = log.performer.username
+            performer_email = log.performer.email
+        except AttributeError:
+            pass
 
-    return Log(log.metadata_json, log.ip, log.datetime, performer_email, performer_username,
-               performer_robot, account_organization, account_username, account_email,
-               account_robot, log.kind_id)
+        return Log(
+            log.metadata_json,
+            log.ip,
+            log.datetime,
+            performer_email,
+            performer_username,
+            performer_robot,
+            account_organization,
+            account_username,
+            account_email,
+            account_robot,
+            log.kind_id,
+        )
 
-  @classmethod
-  def for_elasticsearch_log(cls, log, id_user_map):
-    account_organization = None
-    account_username = None
-    account_email = None
-    account_robot = None
+    @classmethod
+    def for_elasticsearch_log(cls, log, id_user_map):
+        account_organization = None
+        account_username = None
+        account_email = None
+        account_robot = None
 
-    try:
-      if log.account_id:
-        account = id_user_map[log.account_id]
-        account_organization = account.organization
-        account_username = account.username
-        account_email = account.email
-        account_robot = account.robot
-    except AttributeError:
-      pass
+        try:
+            if log.account_id:
+                account = id_user_map[log.account_id]
+                account_organization = account.organization
+                account_username = account.username
+                account_email = account.email
+                account_robot = account.robot
+        except AttributeError:
+            pass
 
-    performer_robot = None
-    performer_username = None
-    performer_email = None
+        performer_robot = None
+        performer_username = None
+        performer_email = None
 
-    try:
-      if log.performer_id:
-        performer = id_user_map[log.performer_id]
-        performer_robot = performer.robot
-        performer_username = performer.username
-        performer_email = performer.email
-    except AttributeError:
-      pass
+        try:
+            if log.performer_id:
+                performer = id_user_map[log.performer_id]
+                performer_robot = performer.robot
+                performer_username = performer.username
+                performer_email = performer.email
+        except AttributeError:
+            pass
 
-    return Log(log.metadata_json, str(log.ip), log.datetime, performer_email, performer_username,
-               performer_robot, account_organization, account_username, account_email,
-               account_robot, log.kind_id)
+        return Log(
+            log.metadata_json,
+            str(log.ip),
+            log.datetime,
+            performer_email,
+            performer_username,
+            performer_robot,
+            account_organization,
+            account_username,
+            account_email,
+            account_robot,
+            log.kind_id,
+        )
 
-  def to_dict(self, avatar, include_namespace=False):
-    view = {
-      'kind': _kinds()[self.kind_id],
-      'metadata': json.loads(self.metadata_json),
-      'ip': self.ip,
-      'datetime': _format_date(self.datetime),
-    }
+    def to_dict(self, avatar, include_namespace=False):
+        view = {
+            "kind": _kinds()[self.kind_id],
+            "metadata": json.loads(self.metadata_json),
+            "ip": self.ip,
+            "datetime": _format_date(self.datetime),
+        }
 
-    if self.performer_username:
-      performer = AttrDict({'username': self.performer_username, 'email': self.performer_email})
-      performer.robot = None
-      if self.performer_robot:
-        performer.robot = self.performer_robot
+        if self.performer_username:
+            performer = AttrDict(
+                {"username": self.performer_username, "email": self.performer_email}
+            )
+            performer.robot = None
+            if self.performer_robot:
+                performer.robot = self.performer_robot
 
-      view['performer'] = {
-        'kind': 'user',
-        'name': self.performer_username,
-        'is_robot': self.performer_robot,
-        'avatar': avatar.get_data_for_user(performer),
-      }
+            view["performer"] = {
+                "kind": "user",
+                "name": self.performer_username,
+                "is_robot": self.performer_robot,
+                "avatar": avatar.get_data_for_user(performer),
+            }
 
-    if include_namespace:
-      if self.account_username:
-        account = AttrDict({'username': self.account_username, 'email': self.account_email})
-        if self.account_organization:
+        if include_namespace:
+            if self.account_username:
+                account = AttrDict(
+                    {"username": self.account_username, "email": self.account_email}
+                )
+                if self.account_organization:
 
-          view['namespace'] = {
-            'kind': 'org',
-            'name': self.account_username,
-            'avatar': avatar.get_data_for_org(account),
-          }
-        else:
-          account.robot = None
-          if self.account_robot:
-            account.robot = self.account_robot
-          view['namespace'] = {
-            'kind': 'user',
-            'name': self.account_username,
-            'avatar': avatar.get_data_for_user(account),
-          }
+                    view["namespace"] = {
+                        "kind": "org",
+                        "name": self.account_username,
+                        "avatar": avatar.get_data_for_org(account),
+                    }
+                else:
+                    account.robot = None
+                    if self.account_robot:
+                        account.robot = self.account_robot
+                    view["namespace"] = {
+                        "kind": "user",
+                        "name": self.account_username,
+                        "avatar": avatar.get_data_for_user(account),
+                    }
 
-    return view
+        return view
 
 
-class AggregatedLogCount(namedtuple('AggregatedLogCount', ['kind_id', 'count', 'datetime'])):
-  """ Represents the aggregated count of the number of logs, of a particular kind, on a day. """
-  def to_dict(self):
-    view = {
-      'kind': _kinds()[self.kind_id],
-      'count': self.count,
-      'datetime': _format_date(self.datetime),
-    }
+class AggregatedLogCount(
+    namedtuple("AggregatedLogCount", ["kind_id", "count", "datetime"])
+):
+    """ Represents the aggregated count of the number of logs, of a particular kind, on a day. """
 
-    return view
+    def to_dict(self):
+        view = {
+            "kind": _kinds()[self.kind_id],
+            "count": self.count,
+            "datetime": _format_date(self.datetime),
+        }
+
+        return view
diff --git a/data/logs_model/document_logs_model.py b/data/logs_model/document_logs_model.py
index e93cd2062..be1257284 100644
--- a/data/logs_model/document_logs_model.py
+++ b/data/logs_model/document_logs_model.py
@@ -16,18 +16,28 @@ from elasticsearch.exceptions import ConnectionTimeout, NotFoundError
 from data import model
 from data.database import CloseForLongOperation
 from data.model import config
-from data.model.log import (_json_serialize, ACTIONS_ALLOWED_WITHOUT_AUDIT_LOGGING,
-                            DataModelException)
+from data.model.log import (
+    _json_serialize,
+    ACTIONS_ALLOWED_WITHOUT_AUDIT_LOGGING,
+    DataModelException,
+)
 from data.logs_model.elastic_logs import LogEntry, configure_es
 from data.logs_model.datatypes import Log, AggregatedLogCount, LogEntriesPage
-from data.logs_model.interface import (ActionLogsDataInterface, LogRotationContextInterface,
-                                       LogsIterationTimeout)
+from data.logs_model.interface import (
+    ActionLogsDataInterface,
+    LogRotationContextInterface,
+    LogsIterationTimeout,
+)
 from data.logs_model.shared import SharedModel, epoch_ms
 
 from data.logs_model.logs_producer import LogProducerProxy, LogSendException
 from data.logs_model.logs_producer.kafka_logs_producer import KafkaLogsProducer
-from data.logs_model.logs_producer.elasticsearch_logs_producer import ElasticsearchLogsProducer
-from data.logs_model.logs_producer.kinesis_stream_logs_producer import KinesisStreamLogsProducer
+from data.logs_model.logs_producer.elasticsearch_logs_producer import (
+    ElasticsearchLogsProducer,
+)
+from data.logs_model.logs_producer.kinesis_stream_logs_producer import (
+    KinesisStreamLogsProducer,
+)
 
 
 logger = logging.getLogger(__name__)
@@ -43,490 +53,643 @@ DATE_RANGE_LIMIT = 32
 COUNT_REPOSITORY_ACTION_TIMEOUT = 30
 
 
-
 def _date_range_descending(start_datetime, end_datetime, includes_end_datetime=False):
-  """ Generate the dates between `end_datetime` and `start_datetime`.
+    """ Generate the dates between `end_datetime` and `start_datetime`.
 
   If `includes_end_datetime` is set, the generator starts at `end_datetime`,
   otherwise, starts the generator at `end_datetime` minus 1 second.
   """
-  assert end_datetime >= start_datetime
-  start_date = start_datetime.date()
+    assert end_datetime >= start_datetime
+    start_date = start_datetime.date()
 
-  if includes_end_datetime:
-    current_date = end_datetime.date()
-  else:
-    current_date = (end_datetime - timedelta(seconds=1)).date()
+    if includes_end_datetime:
+        current_date = end_datetime.date()
+    else:
+        current_date = (end_datetime - timedelta(seconds=1)).date()
 
-  while current_date >= start_date:
-    yield current_date
-    current_date = current_date - timedelta(days=1)
+    while current_date >= start_date:
+        yield current_date
+        current_date = current_date - timedelta(days=1)
 
 
 def _date_range_in_single_index(dt1, dt2):
-  """ Determine whether a single index can be searched given a range
+    """ Determine whether a single index can be searched given a range
   of dates or datetimes. If date instances are given, difference should be 1 day.
 
   NOTE: dt2 is exclusive to the search result set.
   i.e. The date range is larger or equal to dt1 and strictly smaller than dt2
   """
-  assert isinstance(dt1, date) and isinstance(dt2, date)
+    assert isinstance(dt1, date) and isinstance(dt2, date)
 
-  dt = dt2 - dt1
+    dt = dt2 - dt1
 
-  # Check if date or datetime
-  if not isinstance(dt1, datetime) and not isinstance(dt2, datetime):
-    return dt == timedelta(days=1)
+    # Check if date or datetime
+    if not isinstance(dt1, datetime) and not isinstance(dt2, datetime):
+        return dt == timedelta(days=1)
 
-  if dt < timedelta(days=1) and dt >= timedelta(days=0):
-    return dt2.day == dt1.day
+    if dt < timedelta(days=1) and dt >= timedelta(days=0):
+        return dt2.day == dt1.day
 
-  # Check if datetime can be interpreted as a date: hour, minutes, seconds or microseconds set to 0
-  if dt == timedelta(days=1):
-    return dt1.hour == 0 and dt1.minute == 0 and dt1.second == 0 and dt1.microsecond == 0
+    # Check if datetime can be interpreted as a date: hour, minutes, seconds or microseconds set to 0
+    if dt == timedelta(days=1):
+        return (
+            dt1.hour == 0
+            and dt1.minute == 0
+            and dt1.second == 0
+            and dt1.microsecond == 0
+        )
 
-  return False
+    return False
 
 
 def _for_elasticsearch_logs(logs, repository_id=None, namespace_id=None):
-  namespace_ids = set()
-  for log in logs:
-    namespace_ids.add(log.account_id)
-    namespace_ids.add(log.performer_id)
-    assert namespace_id is None or log.account_id == namespace_id
-    assert repository_id is None or log.repository_id == repository_id
+    namespace_ids = set()
+    for log in logs:
+        namespace_ids.add(log.account_id)
+        namespace_ids.add(log.performer_id)
+        assert namespace_id is None or log.account_id == namespace_id
+        assert repository_id is None or log.repository_id == repository_id
 
-  id_user_map = model.user.get_user_map_by_ids(namespace_ids)
-  return [Log.for_elasticsearch_log(log, id_user_map) for log in logs]
+    id_user_map = model.user.get_user_map_by_ids(namespace_ids)
+    return [Log.for_elasticsearch_log(log, id_user_map) for log in logs]
 
 
 def _random_id():
-  """ Generates a unique uuid4 string for the random_id field in LogEntry.
+    """ Generates a unique uuid4 string for the random_id field in LogEntry.
   It is used as tie-breaker for sorting logs based on datetime:
   https://www.elastic.co/guide/en/elasticsearch/reference/current/search-request-search-after.html
   """
-  return str(uuid.uuid4())
+    return str(uuid.uuid4())
 
 
 @add_metaclass(ABCMeta)
 class ElasticsearchLogsModelInterface(object):
-  """
+    """
   Interface for Elasticsearch specific operations with the logs model.
   These operations are usually index based.
   """
 
-  @abstractmethod
-  def can_delete_index(self, index, cutoff_date):
-    """ Return whether the given index is older than the given cutoff date. """
+    @abstractmethod
+    def can_delete_index(self, index, cutoff_date):
+        """ Return whether the given index is older than the given cutoff date. """
 
-  @abstractmethod
-  def list_indices(self):
-    """ List the logs model's indices. """
+    @abstractmethod
+    def list_indices(self):
+        """ List the logs model's indices. """
 
 
-class DocumentLogsModel(SharedModel, ActionLogsDataInterface, ElasticsearchLogsModelInterface):
-  """
+class DocumentLogsModel(
+    SharedModel, ActionLogsDataInterface, ElasticsearchLogsModelInterface
+):
+    """
   DocumentLogsModel implements the data model for the logs API backed by an
   elasticsearch service.
   """
-  def __init__(self, should_skip_logging=None, elasticsearch_config=None, producer=None, **kwargs):
-    self._should_skip_logging = should_skip_logging
-    self._logs_producer = LogProducerProxy()
-    self._es_client = configure_es(**elasticsearch_config)
 
-    if producer == 'kafka':
-      kafka_config = kwargs['kafka_config']
-      self._logs_producer.initialize(KafkaLogsProducer(**kafka_config))
-    elif producer == 'elasticsearch':
-      self._logs_producer.initialize(ElasticsearchLogsProducer())
-    elif producer == 'kinesis_stream':
-      kinesis_stream_config = kwargs['kinesis_stream_config']
-      self._logs_producer.initialize(KinesisStreamLogsProducer(**kinesis_stream_config))
-    else:
-      raise Exception('Invalid log producer: %s' % producer)
+    def __init__(
+        self,
+        should_skip_logging=None,
+        elasticsearch_config=None,
+        producer=None,
+        **kwargs
+    ):
+        self._should_skip_logging = should_skip_logging
+        self._logs_producer = LogProducerProxy()
+        self._es_client = configure_es(**elasticsearch_config)
 
-  @staticmethod
-  def _get_ids_by_names(repository_name, namespace_name, performer_name):
-    """ Retrieve repository/namespace/performer ids based on their names.
+        if producer == "kafka":
+            kafka_config = kwargs["kafka_config"]
+            self._logs_producer.initialize(KafkaLogsProducer(**kafka_config))
+        elif producer == "elasticsearch":
+            self._logs_producer.initialize(ElasticsearchLogsProducer())
+        elif producer == "kinesis_stream":
+            kinesis_stream_config = kwargs["kinesis_stream_config"]
+            self._logs_producer.initialize(
+                KinesisStreamLogsProducer(**kinesis_stream_config)
+            )
+        else:
+            raise Exception("Invalid log producer: %s" % producer)
+
+    @staticmethod
+    def _get_ids_by_names(repository_name, namespace_name, performer_name):
+        """ Retrieve repository/namespace/performer ids based on their names.
         throws DataModelException when the namespace_name does not match any
         user in the database.
         returns database ID or None if not exists.
     """
-    repository_id = None
-    account_id = None
-    performer_id = None
+        repository_id = None
+        account_id = None
+        performer_id = None
 
-    if repository_name and namespace_name:
-      repository = model.repository.get_repository(namespace_name, repository_name)
-      if repository:
-        repository_id = repository.id
-        account_id = repository.namespace_user.id
+        if repository_name and namespace_name:
+            repository = model.repository.get_repository(
+                namespace_name, repository_name
+            )
+            if repository:
+                repository_id = repository.id
+                account_id = repository.namespace_user.id
 
-    if namespace_name and account_id is None:
-      account = model.user.get_user_or_org(namespace_name)
-      if account is None:
-        raise DataModelException('Invalid namespace requested')
+        if namespace_name and account_id is None:
+            account = model.user.get_user_or_org(namespace_name)
+            if account is None:
+                raise DataModelException("Invalid namespace requested")
 
-      account_id = account.id
+            account_id = account.id
 
-    if performer_name:
-      performer = model.user.get_user(performer_name)
-      if performer:
-        performer_id = performer.id
+        if performer_name:
+            performer = model.user.get_user(performer_name)
+            if performer:
+                performer_id = performer.id
 
-    return repository_id, account_id, performer_id
+        return repository_id, account_id, performer_id
 
-  def _base_query(self, performer_id=None, repository_id=None, account_id=None, filter_kinds=None,
-                  index=None):
-    if filter_kinds is not None:
-      assert all(isinstance(kind_name, str) for kind_name in filter_kinds)
+    def _base_query(
+        self,
+        performer_id=None,
+        repository_id=None,
+        account_id=None,
+        filter_kinds=None,
+        index=None,
+    ):
+        if filter_kinds is not None:
+            assert all(isinstance(kind_name, str) for kind_name in filter_kinds)
 
-    if index is not None:
-      search = LogEntry.search(index=index)
-    else:
-      search = LogEntry.search()
+        if index is not None:
+            search = LogEntry.search(index=index)
+        else:
+            search = LogEntry.search()
 
-    if performer_id is not None:
-      assert isinstance(performer_id, int)
-      search = search.filter('term', performer_id=performer_id)
+        if performer_id is not None:
+            assert isinstance(performer_id, int)
+            search = search.filter("term", performer_id=performer_id)
 
-    if repository_id is not None:
-      assert isinstance(repository_id, int)
-      search = search.filter('term', repository_id=repository_id)
+        if repository_id is not None:
+            assert isinstance(repository_id, int)
+            search = search.filter("term", repository_id=repository_id)
 
-    if account_id is not None and repository_id is None:
-      assert isinstance(account_id, int)
-      search = search.filter('term', account_id=account_id)
+        if account_id is not None and repository_id is None:
+            assert isinstance(account_id, int)
+            search = search.filter("term", account_id=account_id)
 
-    if filter_kinds is not None:
-      kind_map = model.log.get_log_entry_kinds()
-      ignore_ids = [kind_map[kind_name] for kind_name in filter_kinds]
-      search = search.exclude('terms', kind_id=ignore_ids)
+        if filter_kinds is not None:
+            kind_map = model.log.get_log_entry_kinds()
+            ignore_ids = [kind_map[kind_name] for kind_name in filter_kinds]
+            search = search.exclude("terms", kind_id=ignore_ids)
 
-    return search
+        return search
 
-  def _base_query_date_range(self, start_datetime, end_datetime, performer_id, repository_id,
-                             account_id, filter_kinds, index=None):
-    skip_datetime_check = False
-    if _date_range_in_single_index(start_datetime, end_datetime):
-      index = self._es_client.index_name(start_datetime)
-      skip_datetime_check = self._es_client.index_exists(index)
+    def _base_query_date_range(
+        self,
+        start_datetime,
+        end_datetime,
+        performer_id,
+        repository_id,
+        account_id,
+        filter_kinds,
+        index=None,
+    ):
+        skip_datetime_check = False
+        if _date_range_in_single_index(start_datetime, end_datetime):
+            index = self._es_client.index_name(start_datetime)
+            skip_datetime_check = self._es_client.index_exists(index)
 
-    if index and (skip_datetime_check or self._es_client.index_exists(index)):
-      search = self._base_query(performer_id, repository_id, account_id, filter_kinds,
-                                index=index)
-    else:
-      search = self._base_query(performer_id, repository_id, account_id, filter_kinds)
+        if index and (skip_datetime_check or self._es_client.index_exists(index)):
+            search = self._base_query(
+                performer_id, repository_id, account_id, filter_kinds, index=index
+            )
+        else:
+            search = self._base_query(
+                performer_id, repository_id, account_id, filter_kinds
+            )
 
-    if not skip_datetime_check:
-      search = search.query('range', datetime={'gte': start_datetime, 'lt': end_datetime})
+        if not skip_datetime_check:
+            search = search.query(
+                "range", datetime={"gte": start_datetime, "lt": end_datetime}
+            )
 
-    return search
+        return search
 
-  def _load_logs_for_day(self, logs_date, performer_id, repository_id, account_id, filter_kinds,
-                         after_datetime=None, after_random_id=None, size=PAGE_SIZE):
-    index = self._es_client.index_name(logs_date)
-    if not self._es_client.index_exists(index):
-      return []
+    def _load_logs_for_day(
+        self,
+        logs_date,
+        performer_id,
+        repository_id,
+        account_id,
+        filter_kinds,
+        after_datetime=None,
+        after_random_id=None,
+        size=PAGE_SIZE,
+    ):
+        index = self._es_client.index_name(logs_date)
+        if not self._es_client.index_exists(index):
+            return []
 
-    search = self._base_query(performer_id, repository_id, account_id, filter_kinds,
-                              index=index)
-    search = search.sort({'datetime': 'desc'}, {'random_id.keyword': 'desc'})
-    search = search.extra(size=size)
+        search = self._base_query(
+            performer_id, repository_id, account_id, filter_kinds, index=index
+        )
+        search = search.sort({"datetime": "desc"}, {"random_id.keyword": "desc"})
+        search = search.extra(size=size)
 
-    if after_datetime is not None and after_random_id is not None:
-      after_datetime_epoch_ms = epoch_ms(after_datetime)
-      search = search.extra(search_after=[after_datetime_epoch_ms, after_random_id])
+        if after_datetime is not None and after_random_id is not None:
+            after_datetime_epoch_ms = epoch_ms(after_datetime)
+            search = search.extra(
+                search_after=[after_datetime_epoch_ms, after_random_id]
+            )
 
-    return search.execute()
+        return search.execute()
 
-  def _load_latest_logs(self, performer_id, repository_id, account_id, filter_kinds, size):
-    """ Return the latest logs from Elasticsearch.
+    def _load_latest_logs(
+        self, performer_id, repository_id, account_id, filter_kinds, size
+    ):
+        """ Return the latest logs from Elasticsearch.
 
     Look at indices up to theset logrotateworker threshold, or up to 30 days if not defined.
     """
-    # Set the last index to check to be the logrotateworker threshold, or 30 days
-    end_datetime = datetime.now()
-    start_datetime = end_datetime - timedelta(days=DATE_RANGE_LIMIT)
+        # Set the last index to check to be the logrotateworker threshold, or 30 days
+        end_datetime = datetime.now()
+        start_datetime = end_datetime - timedelta(days=DATE_RANGE_LIMIT)
 
-    latest_logs = []
-    for day in _date_range_descending(start_datetime, end_datetime, includes_end_datetime=True):
-      try:
-        logs = self._load_logs_for_day(day, performer_id, repository_id, account_id, filter_kinds,
-                                       size=size)
-        latest_logs.extend(logs)
-      except NotFoundError:
-        continue
+        latest_logs = []
+        for day in _date_range_descending(
+            start_datetime, end_datetime, includes_end_datetime=True
+        ):
+            try:
+                logs = self._load_logs_for_day(
+                    day,
+                    performer_id,
+                    repository_id,
+                    account_id,
+                    filter_kinds,
+                    size=size,
+                )
+                latest_logs.extend(logs)
+            except NotFoundError:
+                continue
 
-      if len(latest_logs) >= size:
-        break
+            if len(latest_logs) >= size:
+                break
 
-    return _for_elasticsearch_logs(latest_logs[:size], repository_id, account_id)
+        return _for_elasticsearch_logs(latest_logs[:size], repository_id, account_id)
 
-  def lookup_logs(self, start_datetime, end_datetime, performer_name=None, repository_name=None,
-                  namespace_name=None, filter_kinds=None, page_token=None, max_page_count=None):
-    assert start_datetime is not None and end_datetime is not None
+    def lookup_logs(
+        self,
+        start_datetime,
+        end_datetime,
+        performer_name=None,
+        repository_name=None,
+        namespace_name=None,
+        filter_kinds=None,
+        page_token=None,
+        max_page_count=None,
+    ):
+        assert start_datetime is not None and end_datetime is not None
 
-    # Check for a valid combined model token when migrating online from a combined model
-    if page_token is not None and page_token.get('readwrite_page_token') is not None:
-      page_token = page_token.get('readwrite_page_token')
+        # Check for a valid combined model token when migrating online from a combined model
+        if (
+            page_token is not None
+            and page_token.get("readwrite_page_token") is not None
+        ):
+            page_token = page_token.get("readwrite_page_token")
 
-    if page_token is not None and max_page_count is not None:
-      page_number = page_token.get('page_number')
-      if page_number is not None and page_number + 1 > max_page_count:
-        return LogEntriesPage([], None)
+        if page_token is not None and max_page_count is not None:
+            page_number = page_token.get("page_number")
+            if page_number is not None and page_number + 1 > max_page_count:
+                return LogEntriesPage([], None)
 
-    repository_id, account_id, performer_id = DocumentLogsModel._get_ids_by_names(
-      repository_name, namespace_name, performer_name)
+        repository_id, account_id, performer_id = DocumentLogsModel._get_ids_by_names(
+            repository_name, namespace_name, performer_name
+        )
 
-    after_datetime = None
-    after_random_id = None
-    if page_token is not None:
-      after_datetime = parse_datetime(page_token['datetime'])
-      after_random_id = page_token['random_id']
+        after_datetime = None
+        after_random_id = None
+        if page_token is not None:
+            after_datetime = parse_datetime(page_token["datetime"])
+            after_random_id = page_token["random_id"]
 
-    if after_datetime is not None:
-      end_datetime = min(end_datetime, after_datetime)
+        if after_datetime is not None:
+            end_datetime = min(end_datetime, after_datetime)
 
-    all_logs = []
+        all_logs = []
+
+        with CloseForLongOperation(config.app_config):
+            for current_date in _date_range_descending(start_datetime, end_datetime):
+                try:
+                    logs = self._load_logs_for_day(
+                        current_date,
+                        performer_id,
+                        repository_id,
+                        account_id,
+                        filter_kinds,
+                        after_datetime,
+                        after_random_id,
+                        size=PAGE_SIZE + 1,
+                    )
+
+                    all_logs.extend(logs)
+                except NotFoundError:
+                    continue
+
+                if len(all_logs) > PAGE_SIZE:
+                    break
+
+        next_page_token = None
+        all_logs = all_logs[0 : PAGE_SIZE + 1]
+
+        if len(all_logs) == PAGE_SIZE + 1:
+            # The last element in the response is used to check if there's more elements.
+            # The second element in the response is used as the pagination token because search_after does
+            # not include the exact match, and so the next page will start with the last element.
+            # This keeps the behavior exactly the same as table_logs_model, so that
+            # the caller can expect when a pagination token is non-empty, there must be
+            # at least 1 log to be retrieved.
+            next_page_token = {
+                "datetime": all_logs[-2].datetime.isoformat(),
+                "random_id": all_logs[-2].random_id,
+                "page_number": page_token["page_number"] + 1 if page_token else 1,
+            }
+
+        return LogEntriesPage(
+            _for_elasticsearch_logs(all_logs[:PAGE_SIZE], repository_id, account_id),
+            next_page_token,
+        )
+
+    def lookup_latest_logs(
+        self,
+        performer_name=None,
+        repository_name=None,
+        namespace_name=None,
+        filter_kinds=None,
+        size=20,
+    ):
+        repository_id, account_id, performer_id = DocumentLogsModel._get_ids_by_names(
+            repository_name, namespace_name, performer_name
+        )
+
+        with CloseForLongOperation(config.app_config):
+            latest_logs = self._load_latest_logs(
+                performer_id, repository_id, account_id, filter_kinds, size
+            )
+
+        return latest_logs
+
+    def get_aggregated_log_counts(
+        self,
+        start_datetime,
+        end_datetime,
+        performer_name=None,
+        repository_name=None,
+        namespace_name=None,
+        filter_kinds=None,
+    ):
+        if end_datetime - start_datetime >= timedelta(days=DATE_RANGE_LIMIT):
+            raise Exception(
+                "Cannot lookup aggregated logs over a period longer than a month"
+            )
+
+        repository_id, account_id, performer_id = DocumentLogsModel._get_ids_by_names(
+            repository_name, namespace_name, performer_name
+        )
+
+        with CloseForLongOperation(config.app_config):
+            search = self._base_query_date_range(
+                start_datetime,
+                end_datetime,
+                performer_id,
+                repository_id,
+                account_id,
+                filter_kinds,
+            )
+            search.aggs.bucket("by_id", "terms", field="kind_id").bucket(
+                "by_date", "date_histogram", field="datetime", interval="day"
+            )
+            # es returns all buckets when size=0
+            search = search.extra(size=0)
+            resp = search.execute()
+
+        if not resp.aggregations:
+            return []
+
+        counts = []
+        by_id = resp.aggregations["by_id"]
+
+        for id_bucket in by_id.buckets:
+            for date_bucket in id_bucket.by_date.buckets:
+                if date_bucket.doc_count > 0:
+                    counts.append(
+                        AggregatedLogCount(
+                            id_bucket.key, date_bucket.doc_count, date_bucket.key
+                        )
+                    )
+
+        return counts
+
+    def count_repository_actions(self, repository, day):
+        index = self._es_client.index_name(day)
+        search = self._base_query_date_range(
+            day, day + timedelta(days=1), None, repository.id, None, None, index=index
+        )
+        search = search.params(request_timeout=COUNT_REPOSITORY_ACTION_TIMEOUT)
 
-    with CloseForLongOperation(config.app_config):
-      for current_date in _date_range_descending(start_datetime, end_datetime):
         try:
-          logs = self._load_logs_for_day(current_date, performer_id, repository_id, account_id,
-                                         filter_kinds, after_datetime, after_random_id,
-                                         size=PAGE_SIZE+1)
-
-          all_logs.extend(logs)
+            return search.count()
         except NotFoundError:
-          continue
+            return 0
 
-        if len(all_logs) > PAGE_SIZE:
-          break
+    def log_action(
+        self,
+        kind_name,
+        namespace_name=None,
+        performer=None,
+        ip=None,
+        metadata=None,
+        repository=None,
+        repository_name=None,
+        timestamp=None,
+        is_free_namespace=False,
+    ):
+        if self._should_skip_logging and self._should_skip_logging(
+            kind_name, namespace_name, is_free_namespace
+        ):
+            return
 
-    next_page_token = None
-    all_logs = all_logs[0:PAGE_SIZE+1]
+        if repository_name is not None:
+            assert repository is None
+            assert namespace_name is not None
+            repository = model.repository.get_repository(
+                namespace_name, repository_name
+            )
 
-    if len(all_logs) == PAGE_SIZE + 1:
-      # The last element in the response is used to check if there's more elements.
-      # The second element in the response is used as the pagination token because search_after does
-      # not include the exact match, and so the next page will start with the last element.
-      # This keeps the behavior exactly the same as table_logs_model, so that
-      # the caller can expect when a pagination token is non-empty, there must be
-      # at least 1 log to be retrieved.
-      next_page_token = {
-        'datetime': all_logs[-2].datetime.isoformat(),
-        'random_id': all_logs[-2].random_id,
-        'page_number': page_token['page_number'] + 1 if page_token else 1,
-      }
+        if timestamp is None:
+            timestamp = datetime.today()
 
-    return LogEntriesPage(_for_elasticsearch_logs(all_logs[:PAGE_SIZE], repository_id, account_id),
-                          next_page_token)
+        account_id = None
+        performer_id = None
+        repository_id = None
 
-  def lookup_latest_logs(self, performer_name=None, repository_name=None, namespace_name=None,
-                         filter_kinds=None, size=20):
-    repository_id, account_id, performer_id = DocumentLogsModel._get_ids_by_names(
-      repository_name, namespace_name, performer_name)
+        if namespace_name is not None:
+            account_id = model.user.get_namespace_user(namespace_name).id
 
-    with CloseForLongOperation(config.app_config):
-      latest_logs = self._load_latest_logs(performer_id, repository_id, account_id, filter_kinds,
-                                           size)
+        if performer is not None:
+            performer_id = performer.id
 
-    return latest_logs
+        if repository is not None:
+            repository_id = repository.id
 
+        metadata_json = json.dumps(metadata or {}, default=_json_serialize)
+        kind_id = model.log._get_log_entry_kind(kind_name)
+        log = LogEntry(
+            random_id=_random_id(),
+            kind_id=kind_id,
+            account_id=account_id,
+            performer_id=performer_id,
+            ip=ip,
+            metadata_json=metadata_json,
+            repository_id=repository_id,
+            datetime=timestamp,
+        )
 
-  def get_aggregated_log_counts(self, start_datetime, end_datetime, performer_name=None,
-                                repository_name=None, namespace_name=None, filter_kinds=None):
-    if end_datetime - start_datetime >= timedelta(days=DATE_RANGE_LIMIT):
-      raise Exception('Cannot lookup aggregated logs over a period longer than a month')
+        try:
+            self._logs_producer.send(log)
+        except LogSendException as lse:
+            strict_logging_disabled = config.app_config.get(
+                "ALLOW_PULLS_WITHOUT_STRICT_LOGGING"
+            )
+            logger.exception(
+                "log_action failed", extra=({"exception": lse}).update(log.to_dict())
+            )
+            if not (
+                strict_logging_disabled
+                and kind_name in ACTIONS_ALLOWED_WITHOUT_AUDIT_LOGGING
+            ):
+                raise
 
-    repository_id, account_id, performer_id = DocumentLogsModel._get_ids_by_names(
-      repository_name, namespace_name, performer_name)
+    def yield_logs_for_export(
+        self,
+        start_datetime,
+        end_datetime,
+        repository_id=None,
+        namespace_id=None,
+        max_query_time=None,
+    ):
+        max_query_time = (
+            max_query_time.total_seconds() if max_query_time is not None else 300
+        )
+        search = self._base_query_date_range(
+            start_datetime, end_datetime, None, repository_id, namespace_id, None
+        )
 
-    with CloseForLongOperation(config.app_config):
-      search = self._base_query_date_range(start_datetime, end_datetime, performer_id,
-                                           repository_id, account_id, filter_kinds)
-      search.aggs.bucket('by_id', 'terms', field='kind_id').bucket('by_date', 'date_histogram',
-                                                                   field='datetime', interval='day')
-      # es returns all buckets when size=0
-      search = search.extra(size=0)
-      resp = search.execute()
+        def raise_on_timeout(batch_generator):
+            start = time()
+            for batch in batch_generator:
+                elapsed = time() - start
+                if elapsed > max_query_time:
+                    logger.error(
+                        "Retrieval of logs `%s/%s` timed out with time of `%s`",
+                        namespace_id,
+                        repository_id,
+                        elapsed,
+                    )
+                    raise LogsIterationTimeout()
 
-    if not resp.aggregations:
-      return []
+                yield batch
+                start = time()
 
-    counts = []
-    by_id = resp.aggregations['by_id']
+        def read_batch(scroll):
+            batch = []
+            for log in scroll:
+                batch.append(log)
+                if len(batch) == DEFAULT_RESULT_WINDOW:
+                    yield _for_elasticsearch_logs(
+                        batch, repository_id=repository_id, namespace_id=namespace_id
+                    )
+                    batch = []
 
-    for id_bucket in by_id.buckets:
-      for date_bucket in id_bucket.by_date.buckets:
-        if date_bucket.doc_count > 0:
-          counts.append(AggregatedLogCount(id_bucket.key, date_bucket.doc_count, date_bucket.key))
+            if batch:
+                yield _for_elasticsearch_logs(
+                    batch, repository_id=repository_id, namespace_id=namespace_id
+                )
 
-    return counts
+        search = search.params(
+            size=DEFAULT_RESULT_WINDOW, request_timeout=max_query_time
+        )
 
-  def count_repository_actions(self, repository, day):
-    index = self._es_client.index_name(day)
-    search = self._base_query_date_range(day, day + timedelta(days=1),
-                                         None,
-                                         repository.id,
-                                         None,
-                                         None,
-                                         index=index)
-    search = search.params(request_timeout=COUNT_REPOSITORY_ACTION_TIMEOUT)
+        try:
+            with CloseForLongOperation(config.app_config):
+                for batch in raise_on_timeout(read_batch(search.scan())):
+                    yield batch
+        except ConnectionTimeout:
+            raise LogsIterationTimeout()
 
-    try:
-      return search.count()
-    except NotFoundError:
-      return 0
+    def can_delete_index(self, index, cutoff_date):
+        return self._es_client.can_delete_index(index, cutoff_date)
 
-  def log_action(self, kind_name, namespace_name=None, performer=None, ip=None, metadata=None,
-                 repository=None, repository_name=None, timestamp=None, is_free_namespace=False):
-    if self._should_skip_logging and self._should_skip_logging(kind_name, namespace_name,
-                                                               is_free_namespace):
-      return
+    def list_indices(self):
+        return self._es_client.list_indices()
 
-    if repository_name is not None:
-      assert repository is None
-      assert namespace_name is not None
-      repository = model.repository.get_repository(namespace_name, repository_name)
+    def yield_log_rotation_context(self, cutoff_date, min_logs_per_rotation):
+        """ Yield a context manager for a group of outdated logs. """
+        all_indices = self.list_indices()
+        for index in all_indices:
+            if not self.can_delete_index(index, cutoff_date):
+                continue
 
-    if timestamp is None:
-      timestamp = datetime.today()
-
-    account_id = None
-    performer_id = None
-    repository_id = None
-
-    if namespace_name is not None:
-      account_id = model.user.get_namespace_user(namespace_name).id
-
-    if performer is not None:
-      performer_id = performer.id
-
-    if repository is not None:
-      repository_id = repository.id
-
-    metadata_json = json.dumps(metadata or {}, default=_json_serialize)
-    kind_id = model.log._get_log_entry_kind(kind_name)
-    log = LogEntry(random_id=_random_id(), kind_id=kind_id, account_id=account_id,
-                   performer_id=performer_id, ip=ip, metadata_json=metadata_json,
-                   repository_id=repository_id, datetime=timestamp)
-
-    try:
-      self._logs_producer.send(log)
-    except LogSendException as lse:
-      strict_logging_disabled = config.app_config.get('ALLOW_PULLS_WITHOUT_STRICT_LOGGING')
-      logger.exception('log_action failed', extra=({'exception': lse}).update(log.to_dict()))
-      if not (strict_logging_disabled and kind_name in ACTIONS_ALLOWED_WITHOUT_AUDIT_LOGGING):
-        raise
-
-  def yield_logs_for_export(self, start_datetime, end_datetime, repository_id=None,
-                            namespace_id=None, max_query_time=None):
-    max_query_time = max_query_time.total_seconds() if max_query_time is not None else 300
-    search = self._base_query_date_range(start_datetime, end_datetime, None, repository_id,
-                                         namespace_id, None)
-
-    def raise_on_timeout(batch_generator):
-      start = time()
-      for batch in batch_generator:
-        elapsed = time() - start
-        if elapsed > max_query_time:
-          logger.error('Retrieval of logs `%s/%s` timed out with time of `%s`', namespace_id,
-                       repository_id, elapsed)
-          raise LogsIterationTimeout()
-
-        yield batch
-        start = time()
-
-    def read_batch(scroll):
-      batch = []
-      for log in scroll:
-        batch.append(log)
-        if len(batch) == DEFAULT_RESULT_WINDOW:
-          yield _for_elasticsearch_logs(batch, repository_id=repository_id,
-                                        namespace_id=namespace_id)
-          batch = []
-
-      if batch:
-        yield _for_elasticsearch_logs(batch, repository_id=repository_id, namespace_id=namespace_id)
-
-    search = search.params(size=DEFAULT_RESULT_WINDOW, request_timeout=max_query_time)
-
-    try:
-      with CloseForLongOperation(config.app_config):
-        for batch in raise_on_timeout(read_batch(search.scan())):
-          yield batch
-    except ConnectionTimeout:
-      raise LogsIterationTimeout()
-
-  def can_delete_index(self, index, cutoff_date):
-    return self._es_client.can_delete_index(index, cutoff_date)
-
-  def list_indices(self):
-    return self._es_client.list_indices()
-
-  def yield_log_rotation_context(self, cutoff_date, min_logs_per_rotation):
-    """ Yield a context manager for a group of outdated logs. """
-    all_indices = self.list_indices()
-    for index in all_indices:
-      if not self.can_delete_index(index, cutoff_date):
-        continue
-
-      context = ElasticsearchLogRotationContext(index, min_logs_per_rotation, self._es_client)
-      yield context
+            context = ElasticsearchLogRotationContext(
+                index, min_logs_per_rotation, self._es_client
+            )
+            yield context
 
 
 class ElasticsearchLogRotationContext(LogRotationContextInterface):
-  """
+    """
   ElasticsearchLogRotationContext yield batch of logs from an index.
 
   When completed without exceptions, this context will delete its associated
   Elasticsearch index.
   """
-  def __init__(self, index, min_logs_per_rotation, es_client):
-    self._es_client = es_client
-    self.min_logs_per_rotation = min_logs_per_rotation
-    self.index = index
 
-    self.start_pos = 0
-    self.end_pos = 0
+    def __init__(self, index, min_logs_per_rotation, es_client):
+        self._es_client = es_client
+        self.min_logs_per_rotation = min_logs_per_rotation
+        self.index = index
 
-    self.scroll = None
+        self.start_pos = 0
+        self.end_pos = 0
 
-  def __enter__(self):
-    search = self._base_query()
-    self.scroll = search.scan()
-    return self
+        self.scroll = None
 
-  def __exit__(self, ex_type, ex_value, ex_traceback):
-    if ex_type is None and ex_value is None and ex_traceback is None:
-      logger.debug('Deleting index %s', self.index)
-      self._es_client.delete_index(self.index)
+    def __enter__(self):
+        search = self._base_query()
+        self.scroll = search.scan()
+        return self
 
-  def yield_logs_batch(self):
-    def batched_logs(gen, size):
-      batch = []
-      for log in gen:
-        batch.append(log)
-        if len(batch) == size:
-          yield batch
-          batch = []
+    def __exit__(self, ex_type, ex_value, ex_traceback):
+        if ex_type is None and ex_value is None and ex_traceback is None:
+            logger.debug("Deleting index %s", self.index)
+            self._es_client.delete_index(self.index)
 
-      if batch:
-        yield batch
+    def yield_logs_batch(self):
+        def batched_logs(gen, size):
+            batch = []
+            for log in gen:
+                batch.append(log)
+                if len(batch) == size:
+                    yield batch
+                    batch = []
 
-    for batch in batched_logs(self.scroll, self.min_logs_per_rotation):
-      self.end_pos = self.start_pos + len(batch) - 1
-      yield batch, self._generate_filename()
-      self.start_pos = self.end_pos + 1
+            if batch:
+                yield batch
 
-  def _base_query(self):
-    search = LogEntry.search(index=self.index)
-    return search
+        for batch in batched_logs(self.scroll, self.min_logs_per_rotation):
+            self.end_pos = self.start_pos + len(batch) - 1
+            yield batch, self._generate_filename()
+            self.start_pos = self.end_pos + 1
 
-  def _generate_filename(self):
-    """ Generate the filenames used to archive the action logs. """
-    filename = '%s_%d-%d' % (self.index, self.start_pos, self.end_pos)
-    filename = '.'.join((filename, 'txt.gz'))
-    return filename
+    def _base_query(self):
+        search = LogEntry.search(index=self.index)
+        return search
+
+    def _generate_filename(self):
+        """ Generate the filenames used to archive the action logs. """
+        filename = "%s_%d-%d" % (self.index, self.start_pos, self.end_pos)
+        filename = ".".join((filename, "txt.gz"))
+        return filename
diff --git a/data/logs_model/elastic_logs.py b/data/logs_model/elastic_logs.py
index cd3ff675d..e6147aa68 100644
--- a/data/logs_model/elastic_logs.py
+++ b/data/logs_model/elastic_logs.py
@@ -14,13 +14,13 @@ from elasticsearch_dsl.connections import connections
 logger = logging.getLogger(__name__)
 
 # Name of the connection used for Elasticearch's template API
-ELASTICSEARCH_TEMPLATE_CONNECTION_ALIAS = 'logentry_template'
+ELASTICSEARCH_TEMPLATE_CONNECTION_ALIAS = "logentry_template"
 
 # Prefix of autogenerated indices
-INDEX_NAME_PREFIX = 'logentry_'
+INDEX_NAME_PREFIX = "logentry_"
 
 # Time-based index date format
-INDEX_DATE_FORMAT = '%Y-%m-%d'
+INDEX_DATE_FORMAT = "%Y-%m-%d"
 
 # Timeout for default connection
 ELASTICSEARCH_DEFAULT_CONNECTION_TIMEOUT = 15
@@ -29,227 +29,265 @@ ELASTICSEARCH_DEFAULT_CONNECTION_TIMEOUT = 15
 ELASTICSEARCH_TEMPLATE_CONNECTION_TIMEOUT = 60
 
 # Force an index template update
-ELASTICSEARCH_FORCE_INDEX_TEMPLATE_UPDATE = os.environ.get('FORCE_INDEX_TEMPLATE_UPDATE', '')
+ELASTICSEARCH_FORCE_INDEX_TEMPLATE_UPDATE = os.environ.get(
+    "FORCE_INDEX_TEMPLATE_UPDATE", ""
+)
 
 # Valid index prefix pattern
-VALID_INDEX_PATTERN = r'^((?!\.$|\.\.$|[-_+])([^A-Z:\/*?\"<>|,# ]){1,255})$'
+VALID_INDEX_PATTERN = r"^((?!\.$|\.\.$|[-_+])([^A-Z:\/*?\"<>|,# ]){1,255})$"
 
 
 class LogEntry(Document):
-  # random_id is the tie-breaker for sorting in pagination.
-  # random_id is also used for deduplication of records when using a "at-least-once" delivery stream.
-  # Reference: https://www.elastic.co/guide/en/elasticsearch/reference/current/search-request-search-after.html
-  #
-  # We use don't use the _id of a document since a `doc_values` is not build for this field:
-  # An on-disk data structure that stores the same data in a columnar format
-  # for optimized sorting and aggregations.
-  # Reference: https://github.com/elastic/elasticsearch/issues/35369
-  random_id = Text(fields={'keyword': Keyword()})
-  kind_id = Integer()
-  account_id = Integer()
-  performer_id = Integer()
-  repository_id = Integer()
-  ip = Ip()
-  metadata_json = Text()
-  datetime = Date()
+    # random_id is the tie-breaker for sorting in pagination.
+    # random_id is also used for deduplication of records when using a "at-least-once" delivery stream.
+    # Reference: https://www.elastic.co/guide/en/elasticsearch/reference/current/search-request-search-after.html
+    #
+    # We use don't use the _id of a document since a `doc_values` is not build for this field:
+    # An on-disk data structure that stores the same data in a columnar format
+    # for optimized sorting and aggregations.
+    # Reference: https://github.com/elastic/elasticsearch/issues/35369
+    random_id = Text(fields={"keyword": Keyword()})
+    kind_id = Integer()
+    account_id = Integer()
+    performer_id = Integer()
+    repository_id = Integer()
+    ip = Ip()
+    metadata_json = Text()
+    datetime = Date()
 
-  _initialized = False
+    _initialized = False
 
-  @classmethod
-  def init(cls, index_prefix, index_settings=None, skip_template_init=False):
-    """
+    @classmethod
+    def init(cls, index_prefix, index_settings=None, skip_template_init=False):
+        """
     Create the index template, and populate LogEntry's mapping and index settings.
     """
-    wildcard_index = Index(name=index_prefix + '*')
-    wildcard_index.settings(**(index_settings or {}))
-    wildcard_index.document(cls)
-    cls._index = wildcard_index
-    cls._index_prefix = index_prefix
+        wildcard_index = Index(name=index_prefix + "*")
+        wildcard_index.settings(**(index_settings or {}))
+        wildcard_index.document(cls)
+        cls._index = wildcard_index
+        cls._index_prefix = index_prefix
 
-    if not skip_template_init:
-      cls.create_or_update_template()
+        if not skip_template_init:
+            cls.create_or_update_template()
 
-    # Since the elasticsearch-dsl API requires the document's index being defined as an inner class at the class level,
-    # this function needs to be called first before being able to call `save`.
-    cls._initialized = True
+        # Since the elasticsearch-dsl API requires the document's index being defined as an inner class at the class level,
+        # this function needs to be called first before being able to call `save`.
+        cls._initialized = True
 
-  @classmethod
-  def create_or_update_template(cls):
-    assert cls._index and cls._index_prefix
-    index_template = cls._index.as_template(cls._index_prefix)
-    index_template.save(using=ELASTICSEARCH_TEMPLATE_CONNECTION_ALIAS)
+    @classmethod
+    def create_or_update_template(cls):
+        assert cls._index and cls._index_prefix
+        index_template = cls._index.as_template(cls._index_prefix)
+        index_template.save(using=ELASTICSEARCH_TEMPLATE_CONNECTION_ALIAS)
 
-  def save(self, **kwargs):
-    # We group the logs based on year, month and day as different indexes, so that
-    # dropping those indexes based on retention range is easy.
-    #
-    # NOTE: This is only used if logging directly to Elasticsearch
-    #       When using Kinesis or Kafka, the consumer of these streams
-    #       will be responsible for the management of the indices' lifecycle.
-    assert LogEntry._initialized
-    kwargs['index'] = self.datetime.strftime(self._index_prefix + INDEX_DATE_FORMAT)
-    return super(LogEntry, self).save(**kwargs)
+    def save(self, **kwargs):
+        # We group the logs based on year, month and day as different indexes, so that
+        # dropping those indexes based on retention range is easy.
+        #
+        # NOTE: This is only used if logging directly to Elasticsearch
+        #       When using Kinesis or Kafka, the consumer of these streams
+        #       will be responsible for the management of the indices' lifecycle.
+        assert LogEntry._initialized
+        kwargs["index"] = self.datetime.strftime(self._index_prefix + INDEX_DATE_FORMAT)
+        return super(LogEntry, self).save(**kwargs)
 
 
 class ElasticsearchLogs(object):
-  """
+    """
   Model for logs operations stored in an Elasticsearch cluster.
   """
 
-  def __init__(self, host=None, port=None, access_key=None, secret_key=None, aws_region=None,
-               index_settings=None, use_ssl=True, index_prefix=INDEX_NAME_PREFIX):
-    # For options in index_settings, refer to:
-    # https://www.elastic.co/guide/en/elasticsearch/guide/master/_index_settings.html
-    # some index settings are set at index creation time, and therefore, you should NOT
-    # change those settings once the index is set.
-    self._host = host
-    self._port = port
-    self._access_key = access_key
-    self._secret_key = secret_key
-    self._aws_region = aws_region
-    self._index_prefix = index_prefix
-    self._index_settings = index_settings
-    self._use_ssl = use_ssl
+    def __init__(
+        self,
+        host=None,
+        port=None,
+        access_key=None,
+        secret_key=None,
+        aws_region=None,
+        index_settings=None,
+        use_ssl=True,
+        index_prefix=INDEX_NAME_PREFIX,
+    ):
+        # For options in index_settings, refer to:
+        # https://www.elastic.co/guide/en/elasticsearch/guide/master/_index_settings.html
+        # some index settings are set at index creation time, and therefore, you should NOT
+        # change those settings once the index is set.
+        self._host = host
+        self._port = port
+        self._access_key = access_key
+        self._secret_key = secret_key
+        self._aws_region = aws_region
+        self._index_prefix = index_prefix
+        self._index_settings = index_settings
+        self._use_ssl = use_ssl
 
-    self._client = None
-    self._initialized = False
+        self._client = None
+        self._initialized = False
 
-  def _initialize(self):
-    """
+    def _initialize(self):
+        """
     Initialize a connection to an ES cluster and
     creates an index template if it does not exist.
     """
-    if not self._initialized:
-      http_auth = None
-      if self._access_key and self._secret_key and self._aws_region:
-        http_auth = AWS4Auth(self._access_key, self._secret_key, self._aws_region, 'es')
-      elif self._access_key and self._secret_key:
-        http_auth = (self._access_key, self._secret_key)
-      else:
-        logger.warn("Connecting to Elasticsearch without HTTP auth")
+        if not self._initialized:
+            http_auth = None
+            if self._access_key and self._secret_key and self._aws_region:
+                http_auth = AWS4Auth(
+                    self._access_key, self._secret_key, self._aws_region, "es"
+                )
+            elif self._access_key and self._secret_key:
+                http_auth = (self._access_key, self._secret_key)
+            else:
+                logger.warn("Connecting to Elasticsearch without HTTP auth")
 
-      self._client = connections.create_connection(
-        hosts=[{
-          'host': self._host,
-          'port': self._port
-        }],
-        http_auth=http_auth,
-        use_ssl=self._use_ssl,
-        verify_certs=True,
-        connection_class=RequestsHttpConnection,
-        timeout=ELASTICSEARCH_DEFAULT_CONNECTION_TIMEOUT,
-      )
+            self._client = connections.create_connection(
+                hosts=[{"host": self._host, "port": self._port}],
+                http_auth=http_auth,
+                use_ssl=self._use_ssl,
+                verify_certs=True,
+                connection_class=RequestsHttpConnection,
+                timeout=ELASTICSEARCH_DEFAULT_CONNECTION_TIMEOUT,
+            )
 
-      # Create a second connection with a timeout of 60s vs 10s.
-      # For some reason the PUT template API can take anywhere between
-      # 10s and 30s on the test cluster.
-      # This only needs to be done once to initialize the index template
-      connections.create_connection(
-        alias=ELASTICSEARCH_TEMPLATE_CONNECTION_ALIAS,
-        hosts=[{
-          'host': self._host,
-          'port': self._port
-        }],
-        http_auth=http_auth,
-        use_ssl=self._use_ssl,
-        verify_certs=True,
-        connection_class=RequestsHttpConnection,
-        timeout=ELASTICSEARCH_TEMPLATE_CONNECTION_TIMEOUT,
-      )
+            # Create a second connection with a timeout of 60s vs 10s.
+            # For some reason the PUT template API can take anywhere between
+            # 10s and 30s on the test cluster.
+            # This only needs to be done once to initialize the index template
+            connections.create_connection(
+                alias=ELASTICSEARCH_TEMPLATE_CONNECTION_ALIAS,
+                hosts=[{"host": self._host, "port": self._port}],
+                http_auth=http_auth,
+                use_ssl=self._use_ssl,
+                verify_certs=True,
+                connection_class=RequestsHttpConnection,
+                timeout=ELASTICSEARCH_TEMPLATE_CONNECTION_TIMEOUT,
+            )
 
-      try:
-        force_template_update = ELASTICSEARCH_FORCE_INDEX_TEMPLATE_UPDATE.lower() == 'true'
-        self._client.indices.get_template(self._index_prefix)
-        LogEntry.init(self._index_prefix, self._index_settings,
-                      skip_template_init=not force_template_update)
-      except NotFoundError:
-        LogEntry.init(self._index_prefix, self._index_settings, skip_template_init=False)
-      finally:
+            try:
+                force_template_update = (
+                    ELASTICSEARCH_FORCE_INDEX_TEMPLATE_UPDATE.lower() == "true"
+                )
+                self._client.indices.get_template(self._index_prefix)
+                LogEntry.init(
+                    self._index_prefix,
+                    self._index_settings,
+                    skip_template_init=not force_template_update,
+                )
+            except NotFoundError:
+                LogEntry.init(
+                    self._index_prefix, self._index_settings, skip_template_init=False
+                )
+            finally:
+                try:
+                    connections.remove_connection(
+                        ELASTICSEARCH_TEMPLATE_CONNECTION_ALIAS
+                    )
+                except KeyError as ke:
+                    logger.exception(
+                        "Elasticsearch connection not found to remove %s: %s",
+                        ELASTICSEARCH_TEMPLATE_CONNECTION_ALIAS,
+                        ke,
+                    )
+
+            self._initialized = True
+
+    def index_name(self, day):
+        """ Return an index name for the given day. """
+        return self._index_prefix + day.strftime(INDEX_DATE_FORMAT)
+
+    def index_exists(self, index):
         try:
-          connections.remove_connection(ELASTICSEARCH_TEMPLATE_CONNECTION_ALIAS)
-        except KeyError as ke:
-          logger.exception('Elasticsearch connection not found to remove %s: %s',
-                           ELASTICSEARCH_TEMPLATE_CONNECTION_ALIAS, ke)
+            return index in self._client.indices.get(index)
+        except NotFoundError:
+            return False
 
-      self._initialized = True
-
-  def index_name(self, day):
-    """ Return an index name for the given day. """
-    return self._index_prefix + day.strftime(INDEX_DATE_FORMAT)
-
-  def index_exists(self, index):
-    try:
-      return index in self._client.indices.get(index)
-    except NotFoundError:
-      return False
-
-  @staticmethod
-  def _valid_index_prefix(prefix):
-    """ Check that the given index prefix is valid with the set of
+    @staticmethod
+    def _valid_index_prefix(prefix):
+        """ Check that the given index prefix is valid with the set of
     indices used by this class.
     """
-    return re.match(VALID_INDEX_PATTERN, prefix) is not None
+        return re.match(VALID_INDEX_PATTERN, prefix) is not None
 
-  def _valid_index_name(self, index):
-    """ Check that the given index name is valid and follows the format:
+    def _valid_index_name(self, index):
+        """ Check that the given index name is valid and follows the format:
     <index_prefix>YYYY-MM-DD
     """
-    if not ElasticsearchLogs._valid_index_prefix(index):
-      return False
+        if not ElasticsearchLogs._valid_index_prefix(index):
+            return False
 
-    if not index.startswith(self._index_prefix) or len(index) > 255:
-      return False
+        if not index.startswith(self._index_prefix) or len(index) > 255:
+            return False
 
-    index_dt_str = index.split(self._index_prefix, 1)[-1]
-    try:
-      datetime.strptime(index_dt_str, INDEX_DATE_FORMAT)
-      return True
-    except ValueError:
-      logger.exception('Invalid date format (YYYY-MM-DD) for index: %s', index)
-      return False
+        index_dt_str = index.split(self._index_prefix, 1)[-1]
+        try:
+            datetime.strptime(index_dt_str, INDEX_DATE_FORMAT)
+            return True
+        except ValueError:
+            logger.exception("Invalid date format (YYYY-MM-DD) for index: %s", index)
+            return False
 
-  def can_delete_index(self, index, cutoff_date):
-    """ Check if the given index can be deleted based on the given index's date and cutoff date. """
-    assert self._valid_index_name(index)
-    index_dt = datetime.strptime(index[len(self._index_prefix):], INDEX_DATE_FORMAT)
-    return index_dt < cutoff_date and cutoff_date - index_dt >= timedelta(days=1)
+    def can_delete_index(self, index, cutoff_date):
+        """ Check if the given index can be deleted based on the given index's date and cutoff date. """
+        assert self._valid_index_name(index)
+        index_dt = datetime.strptime(
+            index[len(self._index_prefix) :], INDEX_DATE_FORMAT
+        )
+        return index_dt < cutoff_date and cutoff_date - index_dt >= timedelta(days=1)
 
-  def list_indices(self):
-    self._initialize()
-    try:
-      return self._client.indices.get(self._index_prefix + '*').keys()
-    except NotFoundError as nfe:
-      logger.exception('`%s` indices not found: %s', self._index_prefix, nfe.info)
-      return []
-    except AuthorizationException as ae:
-      logger.exception('Unauthorized for indices `%s`: %s', self._index_prefix, ae.info)
-      return None
+    def list_indices(self):
+        self._initialize()
+        try:
+            return self._client.indices.get(self._index_prefix + "*").keys()
+        except NotFoundError as nfe:
+            logger.exception("`%s` indices not found: %s", self._index_prefix, nfe.info)
+            return []
+        except AuthorizationException as ae:
+            logger.exception(
+                "Unauthorized for indices `%s`: %s", self._index_prefix, ae.info
+            )
+            return None
 
-  def delete_index(self, index):
-    self._initialize()
-    assert self._valid_index_name(index)
+    def delete_index(self, index):
+        self._initialize()
+        assert self._valid_index_name(index)
 
-    try:
-      self._client.indices.delete(index)
-      return index
-    except NotFoundError as nfe:
-      logger.exception('`%s` indices not found: %s', index, nfe.info)
-      return None
-    except AuthorizationException as ae:
-      logger.exception('Unauthorized to delete index `%s`: %s', index, ae.info)
-      return None
+        try:
+            self._client.indices.delete(index)
+            return index
+        except NotFoundError as nfe:
+            logger.exception("`%s` indices not found: %s", index, nfe.info)
+            return None
+        except AuthorizationException as ae:
+            logger.exception("Unauthorized to delete index `%s`: %s", index, ae.info)
+            return None
 
 
-def configure_es(host, port, access_key=None, secret_key=None, aws_region=None,
-                 index_prefix=None, use_ssl=True, index_settings=None):
-  """
+def configure_es(
+    host,
+    port,
+    access_key=None,
+    secret_key=None,
+    aws_region=None,
+    index_prefix=None,
+    use_ssl=True,
+    index_settings=None,
+):
+    """
   For options in index_settings, refer to:
   https://www.elastic.co/guide/en/elasticsearch/guide/master/_index_settings.html
   some index settings are set at index creation time, and therefore, you should NOT
   change those settings once the index is set.
   """
-  es_client = ElasticsearchLogs(host=host, port=port, access_key=access_key, secret_key=secret_key,
-                                aws_region=aws_region, index_prefix=index_prefix or INDEX_NAME_PREFIX,
-                                use_ssl=use_ssl, index_settings=index_settings)
-  es_client._initialize()
-  return es_client
+    es_client = ElasticsearchLogs(
+        host=host,
+        port=port,
+        access_key=access_key,
+        secret_key=secret_key,
+        aws_region=aws_region,
+        index_prefix=index_prefix or INDEX_NAME_PREFIX,
+        use_ssl=use_ssl,
+        index_settings=index_settings,
+    )
+    es_client._initialize()
+    return es_client
diff --git a/data/logs_model/inmemory_model.py b/data/logs_model/inmemory_model.py
index f9a219f51..2a2da020c 100644
--- a/data/logs_model/inmemory_model.py
+++ b/data/logs_model/inmemory_model.py
@@ -8,237 +8,345 @@ from dateutil.relativedelta import relativedelta
 
 from data import model
 from data.logs_model.datatypes import AggregatedLogCount, LogEntriesPage, Log
-from data.logs_model.interface import (ActionLogsDataInterface, LogRotationContextInterface,
-                                       LogsIterationTimeout)
+from data.logs_model.interface import (
+    ActionLogsDataInterface,
+    LogRotationContextInterface,
+    LogsIterationTimeout,
+)
 
 logger = logging.getLogger(__name__)
 
-LogAndRepository = namedtuple('LogAndRepository', ['log', 'stored_log', 'repository'])
+LogAndRepository = namedtuple("LogAndRepository", ["log", "stored_log", "repository"])
+
+StoredLog = namedtuple(
+    "StoredLog",
+    [
+        "kind_id",
+        "account_id",
+        "performer_id",
+        "ip",
+        "metadata_json",
+        "repository_id",
+        "datetime",
+    ],
+)
 
-StoredLog = namedtuple('StoredLog', ['kind_id',
-                                     'account_id',
-                                     'performer_id',
-                                     'ip',
-                                     'metadata_json',
-                                     'repository_id',
-                                     'datetime'])
 
 class InMemoryModel(ActionLogsDataInterface):
-  """
+    """
   InMemoryModel implements the data model for logs in-memory. FOR TESTING ONLY.
   """
-  def __init__(self):
-    self.logs = []
 
-  def _filter_logs(self, start_datetime, end_datetime, performer_name=None, repository_name=None,
-                   namespace_name=None, filter_kinds=None):
-    if filter_kinds is not None:
-      assert all(isinstance(kind_name, str) for kind_name in filter_kinds)
+    def __init__(self):
+        self.logs = []
 
-    for log_and_repo in self.logs:
-      if log_and_repo.log.datetime < start_datetime or log_and_repo.log.datetime > end_datetime:
-        continue
+    def _filter_logs(
+        self,
+        start_datetime,
+        end_datetime,
+        performer_name=None,
+        repository_name=None,
+        namespace_name=None,
+        filter_kinds=None,
+    ):
+        if filter_kinds is not None:
+            assert all(isinstance(kind_name, str) for kind_name in filter_kinds)
 
-      if performer_name and log_and_repo.log.performer_username != performer_name:
-        continue
+        for log_and_repo in self.logs:
+            if (
+                log_and_repo.log.datetime < start_datetime
+                or log_and_repo.log.datetime > end_datetime
+            ):
+                continue
 
-      if (repository_name and
-          (not log_and_repo.repository or log_and_repo.repository.name != repository_name)):
-        continue
+            if performer_name and log_and_repo.log.performer_username != performer_name:
+                continue
 
-      if namespace_name and log_and_repo.log.account_username != namespace_name:
-        continue
+            if repository_name and (
+                not log_and_repo.repository
+                or log_and_repo.repository.name != repository_name
+            ):
+                continue
 
-      if filter_kinds:
-        kind_map = model.log.get_log_entry_kinds()
-        ignore_ids = [kind_map[kind_name] for kind_name in filter_kinds]
-        if log_and_repo.log.kind_id in ignore_ids:
-          continue
+            if namespace_name and log_and_repo.log.account_username != namespace_name:
+                continue
 
-      yield log_and_repo
+            if filter_kinds:
+                kind_map = model.log.get_log_entry_kinds()
+                ignore_ids = [kind_map[kind_name] for kind_name in filter_kinds]
+                if log_and_repo.log.kind_id in ignore_ids:
+                    continue
 
-  def _filter_latest_logs(self, performer_name=None, repository_name=None,
-                          namespace_name=None, filter_kinds=None):
-    if filter_kinds is not None:
-      assert all(isinstance(kind_name, str) for kind_name in filter_kinds)
+            yield log_and_repo
 
-    for log_and_repo in sorted(self.logs, key=lambda t: t.log.datetime, reverse=True):
-      if performer_name and log_and_repo.log.performer_username != performer_name:
-        continue
+    def _filter_latest_logs(
+        self,
+        performer_name=None,
+        repository_name=None,
+        namespace_name=None,
+        filter_kinds=None,
+    ):
+        if filter_kinds is not None:
+            assert all(isinstance(kind_name, str) for kind_name in filter_kinds)
 
-      if (repository_name and
-          (not log_and_repo.repository or log_and_repo.repository.name != repository_name)):
-        continue
+        for log_and_repo in sorted(
+            self.logs, key=lambda t: t.log.datetime, reverse=True
+        ):
+            if performer_name and log_and_repo.log.performer_username != performer_name:
+                continue
 
-      if namespace_name and log_and_repo.log.account_username != namespace_name:
-        continue
+            if repository_name and (
+                not log_and_repo.repository
+                or log_and_repo.repository.name != repository_name
+            ):
+                continue
 
-      if filter_kinds:
-        kind_map = model.log.get_log_entry_kinds()
-        ignore_ids = [kind_map[kind_name] for kind_name in filter_kinds]
-        if log_and_repo.log.kind_id in ignore_ids:
-          continue
+            if namespace_name and log_and_repo.log.account_username != namespace_name:
+                continue
 
-      yield log_and_repo
+            if filter_kinds:
+                kind_map = model.log.get_log_entry_kinds()
+                ignore_ids = [kind_map[kind_name] for kind_name in filter_kinds]
+                if log_and_repo.log.kind_id in ignore_ids:
+                    continue
 
-  def lookup_logs(self, start_datetime, end_datetime, performer_name=None, repository_name=None,
-                  namespace_name=None, filter_kinds=None, page_token=None, max_page_count=None):
-    logs = []
-    for log_and_repo in self._filter_logs(start_datetime, end_datetime, performer_name,
-                                          repository_name, namespace_name, filter_kinds):
-      logs.append(log_and_repo.log)
-    return LogEntriesPage(logs, None)
+            yield log_and_repo
 
-  def lookup_latest_logs(self, performer_name=None, repository_name=None, namespace_name=None,
-                         filter_kinds=None, size=20):
-    latest_logs = []
-    for log_and_repo in self._filter_latest_logs(performer_name, repository_name, namespace_name,
-                                                 filter_kinds):
-      if size is not None and len(latest_logs) == size:
-        break
+    def lookup_logs(
+        self,
+        start_datetime,
+        end_datetime,
+        performer_name=None,
+        repository_name=None,
+        namespace_name=None,
+        filter_kinds=None,
+        page_token=None,
+        max_page_count=None,
+    ):
+        logs = []
+        for log_and_repo in self._filter_logs(
+            start_datetime,
+            end_datetime,
+            performer_name,
+            repository_name,
+            namespace_name,
+            filter_kinds,
+        ):
+            logs.append(log_and_repo.log)
+        return LogEntriesPage(logs, None)
 
-      latest_logs.append(log_and_repo.log)
+    def lookup_latest_logs(
+        self,
+        performer_name=None,
+        repository_name=None,
+        namespace_name=None,
+        filter_kinds=None,
+        size=20,
+    ):
+        latest_logs = []
+        for log_and_repo in self._filter_latest_logs(
+            performer_name, repository_name, namespace_name, filter_kinds
+        ):
+            if size is not None and len(latest_logs) == size:
+                break
 
-    return latest_logs
+            latest_logs.append(log_and_repo.log)
 
-  def get_aggregated_log_counts(self, start_datetime, end_datetime, performer_name=None,
-                                repository_name=None, namespace_name=None, filter_kinds=None):
-    entries = {}
-    for log_and_repo in self._filter_logs(start_datetime, end_datetime, performer_name,
-                                          repository_name, namespace_name, filter_kinds):
-      entry = log_and_repo.log
-      synthetic_date = datetime(start_datetime.year, start_datetime.month, int(entry.datetime.day),
-                                tzinfo=get_localzone())
-      if synthetic_date.day < start_datetime.day:
-        synthetic_date = synthetic_date + relativedelta(months=1)
+        return latest_logs
 
-      key = '%s-%s' % (entry.kind_id, entry.datetime.day)
+    def get_aggregated_log_counts(
+        self,
+        start_datetime,
+        end_datetime,
+        performer_name=None,
+        repository_name=None,
+        namespace_name=None,
+        filter_kinds=None,
+    ):
+        entries = {}
+        for log_and_repo in self._filter_logs(
+            start_datetime,
+            end_datetime,
+            performer_name,
+            repository_name,
+            namespace_name,
+            filter_kinds,
+        ):
+            entry = log_and_repo.log
+            synthetic_date = datetime(
+                start_datetime.year,
+                start_datetime.month,
+                int(entry.datetime.day),
+                tzinfo=get_localzone(),
+            )
+            if synthetic_date.day < start_datetime.day:
+                synthetic_date = synthetic_date + relativedelta(months=1)
 
-      if key in entries:
-        entries[key] = AggregatedLogCount(entry.kind_id, entries[key].count + 1,
-                                          synthetic_date)
-      else:
-        entries[key] = AggregatedLogCount(entry.kind_id, 1, synthetic_date)
+            key = "%s-%s" % (entry.kind_id, entry.datetime.day)
 
-    return entries.values()
+            if key in entries:
+                entries[key] = AggregatedLogCount(
+                    entry.kind_id, entries[key].count + 1, synthetic_date
+                )
+            else:
+                entries[key] = AggregatedLogCount(entry.kind_id, 1, synthetic_date)
 
-  def count_repository_actions(self, repository, day):
-    count = 0
-    for log_and_repo in self.logs:
-      if log_and_repo.repository != repository:
-        continue
+        return entries.values()
 
-      if log_and_repo.log.datetime.day != day.day:
-        continue
+    def count_repository_actions(self, repository, day):
+        count = 0
+        for log_and_repo in self.logs:
+            if log_and_repo.repository != repository:
+                continue
 
-      count += 1
+            if log_and_repo.log.datetime.day != day.day:
+                continue
 
-    return count
+            count += 1
 
-  def queue_logs_export(self, start_datetime, end_datetime, export_action_logs_queue,
-                        namespace_name=None, repository_name=None, callback_url=None,
-                        callback_email=None, filter_kinds=None):
-    raise NotImplementedError
+        return count
 
-  def log_action(self, kind_name, namespace_name=None, performer=None, ip=None, metadata=None,
-                 repository=None, repository_name=None, timestamp=None, is_free_namespace=False):
-    timestamp = timestamp or datetime.today()
+    def queue_logs_export(
+        self,
+        start_datetime,
+        end_datetime,
+        export_action_logs_queue,
+        namespace_name=None,
+        repository_name=None,
+        callback_url=None,
+        callback_email=None,
+        filter_kinds=None,
+    ):
+        raise NotImplementedError
 
-    if not repository and repository_name and namespace_name:
-      repository = model.repository.get_repository(namespace_name, repository_name)
+    def log_action(
+        self,
+        kind_name,
+        namespace_name=None,
+        performer=None,
+        ip=None,
+        metadata=None,
+        repository=None,
+        repository_name=None,
+        timestamp=None,
+        is_free_namespace=False,
+    ):
+        timestamp = timestamp or datetime.today()
 
-    account = None
-    account_id = None
-    performer_id = None
-    repository_id = None
+        if not repository and repository_name and namespace_name:
+            repository = model.repository.get_repository(
+                namespace_name, repository_name
+            )
 
-    if namespace_name is not None:
-      account = model.user.get_namespace_user(namespace_name)
-      account_id = account.id
+        account = None
+        account_id = None
+        performer_id = None
+        repository_id = None
 
-    if performer is not None:
-      performer_id = performer.id
+        if namespace_name is not None:
+            account = model.user.get_namespace_user(namespace_name)
+            account_id = account.id
 
-    if repository is not None:
-      repository_id = repository.id
+        if performer is not None:
+            performer_id = performer.id
 
-    metadata_json = json.dumps(metadata or {})
-    kind_id = model.log.get_log_entry_kinds()[kind_name]
+        if repository is not None:
+            repository_id = repository.id
 
-    stored_log = StoredLog(
-      kind_id,
-      account_id,
-      performer_id,
-      ip,
-      metadata_json,
-      repository_id,
-      timestamp
-    )
+        metadata_json = json.dumps(metadata or {})
+        kind_id = model.log.get_log_entry_kinds()[kind_name]
 
-    log = Log(metadata_json=metadata,
-              ip=ip,
-              datetime=timestamp,
-              performer_email=performer.email if performer else None,
-              performer_username=performer.username if performer else None,
-              performer_robot=performer.robot if performer else None,
-              account_organization=account.organization if account else None,
-              account_username=account.username if account else None,
-              account_email=account.email if account else None,
-              account_robot=account.robot if account else None,
-              kind_id=kind_id)
+        stored_log = StoredLog(
+            kind_id,
+            account_id,
+            performer_id,
+            ip,
+            metadata_json,
+            repository_id,
+            timestamp,
+        )
 
-    self.logs.append(LogAndRepository(log, stored_log, repository))
+        log = Log(
+            metadata_json=metadata,
+            ip=ip,
+            datetime=timestamp,
+            performer_email=performer.email if performer else None,
+            performer_username=performer.username if performer else None,
+            performer_robot=performer.robot if performer else None,
+            account_organization=account.organization if account else None,
+            account_username=account.username if account else None,
+            account_email=account.email if account else None,
+            account_robot=account.robot if account else None,
+            kind_id=kind_id,
+        )
 
-  def yield_logs_for_export(self, start_datetime, end_datetime, repository_id=None,
-                            namespace_id=None, max_query_time=None):
-    # Just for testing.
-    if max_query_time is not None:
-      raise LogsIterationTimeout()
+        self.logs.append(LogAndRepository(log, stored_log, repository))
 
-    logs = []
-    for log_and_repo in self._filter_logs(start_datetime, end_datetime):
-      if (repository_id and
-          (not log_and_repo.repository or log_and_repo.repository.id != repository_id)):
-        continue
+    def yield_logs_for_export(
+        self,
+        start_datetime,
+        end_datetime,
+        repository_id=None,
+        namespace_id=None,
+        max_query_time=None,
+    ):
+        # Just for testing.
+        if max_query_time is not None:
+            raise LogsIterationTimeout()
 
-      if namespace_id:
-        if log_and_repo.log.account_username is None:
-          continue
+        logs = []
+        for log_and_repo in self._filter_logs(start_datetime, end_datetime):
+            if repository_id and (
+                not log_and_repo.repository
+                or log_and_repo.repository.id != repository_id
+            ):
+                continue
 
-        namespace = model.user.get_namespace_user(log_and_repo.log.account_username)
-        if namespace.id != namespace_id:
-          continue
+            if namespace_id:
+                if log_and_repo.log.account_username is None:
+                    continue
 
-      logs.append(log_and_repo.log)
+                namespace = model.user.get_namespace_user(
+                    log_and_repo.log.account_username
+                )
+                if namespace.id != namespace_id:
+                    continue
 
-    yield logs
+            logs.append(log_and_repo.log)
 
-  def yield_log_rotation_context(self, cutoff_date, min_logs_per_rotation):
-    expired_logs = [log_and_repo for log_and_repo in self.logs
-                    if log_and_repo.log.datetime <= cutoff_date]
-    while True:
-      if not expired_logs:
-        break
-      context = InMemoryLogRotationContext(expired_logs[:min_logs_per_rotation], self.logs)
-      expired_logs = expired_logs[min_logs_per_rotation:]
-      yield context
+        yield logs
+
+    def yield_log_rotation_context(self, cutoff_date, min_logs_per_rotation):
+        expired_logs = [
+            log_and_repo
+            for log_and_repo in self.logs
+            if log_and_repo.log.datetime <= cutoff_date
+        ]
+        while True:
+            if not expired_logs:
+                break
+            context = InMemoryLogRotationContext(
+                expired_logs[:min_logs_per_rotation], self.logs
+            )
+            expired_logs = expired_logs[min_logs_per_rotation:]
+            yield context
 
 
 class InMemoryLogRotationContext(LogRotationContextInterface):
-  def __init__(self, expired_logs, all_logs):
-    self.expired_logs = expired_logs
-    self.all_logs = all_logs
+    def __init__(self, expired_logs, all_logs):
+        self.expired_logs = expired_logs
+        self.all_logs = all_logs
 
-  def __enter__(self):
-    return self
+    def __enter__(self):
+        return self
 
-  def __exit__(self, ex_type, ex_value, ex_traceback):
-    if ex_type is None and ex_value is None and ex_traceback is None:
-      for log in self.expired_logs:
-        self.all_logs.remove(log)
+    def __exit__(self, ex_type, ex_value, ex_traceback):
+        if ex_type is None and ex_value is None and ex_traceback is None:
+            for log in self.expired_logs:
+                self.all_logs.remove(log)
 
-  def yield_logs_batch(self):
-    """ Yield a batch of logs and a filename for that batch. """
-    filename = 'inmemory_model_filename_placeholder'
-    filename = '.'.join((filename, 'txt.gz'))
-    yield [log_and_repo.stored_log for log_and_repo in self.expired_logs], filename
+    def yield_logs_batch(self):
+        """ Yield a batch of logs and a filename for that batch. """
+        filename = "inmemory_model_filename_placeholder"
+        filename = ".".join((filename, "txt.gz"))
+        yield [log_and_repo.stored_log for log_and_repo in self.expired_logs], filename
diff --git a/data/logs_model/interface.py b/data/logs_model/interface.py
index 705d46cc0..b7c254259 100644
--- a/data/logs_model/interface.py
+++ b/data/logs_model/interface.py
@@ -1,64 +1,112 @@
 from abc import ABCMeta, abstractmethod
 from six import add_metaclass
 
+
 class LogsIterationTimeout(Exception):
-  """ Exception raised if logs iteration times out. """
+    """ Exception raised if logs iteration times out. """
 
 
 @add_metaclass(ABCMeta)
 class ActionLogsDataInterface(object):
-  """ Interface for code to work with the logs data model. The logs data model consists
+    """ Interface for code to work with the logs data model. The logs data model consists
       of all access for reading and writing action logs.
   """
-  @abstractmethod
-  def lookup_logs(self, start_datetime, end_datetime, performer_name=None, repository_name=None,
-                  namespace_name=None, filter_kinds=None, page_token=None, max_page_count=None):
-    """ Looks up all logs between the start_datetime and end_datetime, filtered
+
+    @abstractmethod
+    def lookup_logs(
+        self,
+        start_datetime,
+        end_datetime,
+        performer_name=None,
+        repository_name=None,
+        namespace_name=None,
+        filter_kinds=None,
+        page_token=None,
+        max_page_count=None,
+    ):
+        """ Looks up all logs between the start_datetime and end_datetime, filtered
         by performer (a user), repository or namespace. Note that one (and only one) of the three
         can be specified. Returns a LogEntriesPage. `filter_kinds`, if specified, is a set/list
         of the kinds of logs to filter out.
     """
 
-  @abstractmethod
-  def lookup_latest_logs(self, performer_name=None, repository_name=None, namespace_name=None,
-                         filter_kinds=None, size=20):
-    """ Looks up latest logs of a specific kind, filtered by performer (a user),
+    @abstractmethod
+    def lookup_latest_logs(
+        self,
+        performer_name=None,
+        repository_name=None,
+        namespace_name=None,
+        filter_kinds=None,
+        size=20,
+    ):
+        """ Looks up latest logs of a specific kind, filtered by performer (a user),
         repository or namespace. Note that one (and only one) of the three can be specified.
         Returns a list of `Log`.
     """
 
-  @abstractmethod
-  def get_aggregated_log_counts(self, start_datetime, end_datetime, performer_name=None,
-                                repository_name=None, namespace_name=None, filter_kinds=None):
-    """ Returns the aggregated count of logs, by kind, between the start_datetime and end_datetime,
+    @abstractmethod
+    def get_aggregated_log_counts(
+        self,
+        start_datetime,
+        end_datetime,
+        performer_name=None,
+        repository_name=None,
+        namespace_name=None,
+        filter_kinds=None,
+    ):
+        """ Returns the aggregated count of logs, by kind, between the start_datetime and end_datetime,
         filtered by performer (a user), repository or namespace. Note that one (and only one) of
         the three can be specified. Returns a list of AggregatedLogCount.
     """
 
-  @abstractmethod
-  def count_repository_actions(self, repository, day):
-    """ Returns the total number of repository actions over the given day, in the given repository
+    @abstractmethod
+    def count_repository_actions(self, repository, day):
+        """ Returns the total number of repository actions over the given day, in the given repository
         or None on error.
     """
 
-  @abstractmethod
-  def queue_logs_export(self, start_datetime, end_datetime, export_action_logs_queue,
-                        namespace_name=None, repository_name=None, callback_url=None,
-                        callback_email=None, filter_kinds=None):
-    """ Queues logs between the start_datetime and end_time, filtered by a repository or namespace,
+    @abstractmethod
+    def queue_logs_export(
+        self,
+        start_datetime,
+        end_datetime,
+        export_action_logs_queue,
+        namespace_name=None,
+        repository_name=None,
+        callback_url=None,
+        callback_email=None,
+        filter_kinds=None,
+    ):
+        """ Queues logs between the start_datetime and end_time, filtered by a repository or namespace,
         for export to the specified URL and/or email address. Returns the ID of the export job
         queued or None if error.
     """
 
-  @abstractmethod
-  def log_action(self, kind_name, namespace_name=None, performer=None, ip=None, metadata=None,
-                 repository=None, repository_name=None, timestamp=None, is_free_namespace=False):
-    """ Logs a single action as having taken place. """
+    @abstractmethod
+    def log_action(
+        self,
+        kind_name,
+        namespace_name=None,
+        performer=None,
+        ip=None,
+        metadata=None,
+        repository=None,
+        repository_name=None,
+        timestamp=None,
+        is_free_namespace=False,
+    ):
+        """ Logs a single action as having taken place. """
 
-  @abstractmethod
-  def yield_logs_for_export(self, start_datetime, end_datetime, repository_id=None,
-                            namespace_id=None, max_query_time=None):
-    """ Returns an iterator that yields bundles of all logs found between the start_datetime and
+    @abstractmethod
+    def yield_logs_for_export(
+        self,
+        start_datetime,
+        end_datetime,
+        repository_id=None,
+        namespace_id=None,
+        max_query_time=None,
+    ):
+        """ Returns an iterator that yields bundles of all logs found between the start_datetime and
         end_datetime, optionally filtered by the repository or namespace. This function should be
         used for any bulk lookup operations, and should be implemented by implementors to put
         minimal strain on the backing storage for large operations. If there was an error in setting
@@ -69,9 +117,9 @@ class ActionLogsDataInterface(object):
         LogsIterationTimeout will be raised instead of returning the logs bundle.
     """
 
-  @abstractmethod
-  def yield_log_rotation_context(self, cutoff_date, min_logs_per_rotation):
-    """
+    @abstractmethod
+    def yield_log_rotation_context(self, cutoff_date, min_logs_per_rotation):
+        """
     A generator that yields contexts implementing the LogRotationContextInterface.
     Each context represents a set of logs to be archived and deleted once
     the context completes without exceptions.
@@ -86,10 +134,11 @@ class ActionLogsDataInterface(object):
 
 @add_metaclass(ABCMeta)
 class LogRotationContextInterface(object):
-  """ Interface for iterating over a set of logs to be archived. """
-  @abstractmethod
-  def yield_logs_batch(self):
-    """
+    """ Interface for iterating over a set of logs to be archived. """
+
+    @abstractmethod
+    def yield_logs_batch(self):
+        """
     Generator yielding batch of logs and a filename for that batch.
     A batch is a subset of the logs part of the context.
     """
diff --git a/data/logs_model/logs_producer/__init__.py b/data/logs_model/logs_producer/__init__.py
index 17bd605ad..a843658e2 100644
--- a/data/logs_model/logs_producer/__init__.py
+++ b/data/logs_model/logs_producer/__init__.py
@@ -5,23 +5,24 @@ logger = logging.getLogger(__name__)
 
 
 class LogSendException(Exception):
-  """ A generic error when sending the logs to its destination.
+    """ A generic error when sending the logs to its destination.
   e.g. Kinesis, Kafka, Elasticsearch, ...
   """
-  pass
+
+    pass
 
 
 class LogProducerProxy(object):
-  def __init__(self):
-    self._model = None
+    def __init__(self):
+        self._model = None
 
-  def initialize(self, model):
-    self._model = model
-    logger.info('===============================')
-    logger.info('Using producer `%s`', self._model)
-    logger.info('===============================')
+    def initialize(self, model):
+        self._model = model
+        logger.info("===============================")
+        logger.info("Using producer `%s`", self._model)
+        logger.info("===============================")
 
-  def __getattr__(self, attr):
-    if not self._model:
-      raise AttributeError("LogsModelProxy is not initialized")
-    return getattr(self._model, attr)
+    def __getattr__(self, attr):
+        if not self._model:
+            raise AttributeError("LogsModelProxy is not initialized")
+        return getattr(self._model, attr)
diff --git a/data/logs_model/logs_producer/elasticsearch_logs_producer.py b/data/logs_model/logs_producer/elasticsearch_logs_producer.py
index 175fb4ac6..2b311dd4e 100644
--- a/data/logs_model/logs_producer/elasticsearch_logs_producer.py
+++ b/data/logs_model/logs_producer/elasticsearch_logs_producer.py
@@ -10,16 +10,27 @@ logger = logging.getLogger(__name__)
 
 
 class ElasticsearchLogsProducer(LogProducerInterface):
-  """ Log producer writing log entries to Elasticsearch.
+    """ Log producer writing log entries to Elasticsearch.
 
   This implementation writes directly to Elasticsearch without a streaming/queueing service.
   """
-  def send(self, logentry):
-    try:
-      logentry.save()
-    except ElasticsearchException as ex:
-      logger.exception('ElasticsearchLogsProducer error sending log to Elasticsearch: %s', ex)
-      raise LogSendException('ElasticsearchLogsProducer error sending log to Elasticsearch: %s' % ex)
-    except Exception as e:
-      logger.exception('ElasticsearchLogsProducer exception sending log to Elasticsearch: %s', e)
-      raise LogSendException('ElasticsearchLogsProducer exception sending log to Elasticsearch: %s' % e)
+
+    def send(self, logentry):
+        try:
+            logentry.save()
+        except ElasticsearchException as ex:
+            logger.exception(
+                "ElasticsearchLogsProducer error sending log to Elasticsearch: %s", ex
+            )
+            raise LogSendException(
+                "ElasticsearchLogsProducer error sending log to Elasticsearch: %s" % ex
+            )
+        except Exception as e:
+            logger.exception(
+                "ElasticsearchLogsProducer exception sending log to Elasticsearch: %s",
+                e,
+            )
+            raise LogSendException(
+                "ElasticsearchLogsProducer exception sending log to Elasticsearch: %s"
+                % e
+            )
diff --git a/data/logs_model/logs_producer/interface.py b/data/logs_model/logs_producer/interface.py
index d0d9b71d4..c9693725a 100644
--- a/data/logs_model/logs_producer/interface.py
+++ b/data/logs_model/logs_producer/interface.py
@@ -1,8 +1,9 @@
 from abc import ABCMeta, abstractmethod
 from six import add_metaclass
 
+
 @add_metaclass(ABCMeta)
 class LogProducerInterface(object):
-  @abstractmethod
-  def send(self, logentry):
-    """ Send a log entry to the configured log infrastructure. """
+    @abstractmethod
+    def send(self, logentry):
+        """ Send a log entry to the configured log infrastructure. """
diff --git a/data/logs_model/logs_producer/kafka_logs_producer.py b/data/logs_model/logs_producer/kafka_logs_producer.py
index 9c13a441d..69ccae961 100644
--- a/data/logs_model/logs_producer/kafka_logs_producer.py
+++ b/data/logs_model/logs_producer/kafka_logs_producer.py
@@ -15,31 +15,44 @@ DEFAULT_MAX_BLOCK_SECONDS = 5
 
 
 class KafkaLogsProducer(LogProducerInterface):
-  """ Log producer writing log entries to a Kafka stream. """
-  def __init__(self, bootstrap_servers=None, topic=None, client_id=None, max_block_seconds=None):
-    self.bootstrap_servers = bootstrap_servers
-    self.topic = topic
-    self.client_id = client_id
-    self.max_block_ms = (max_block_seconds or DEFAULT_MAX_BLOCK_SECONDS) * 1000
+    """ Log producer writing log entries to a Kafka stream. """
 
-    self._producer = KafkaProducer(bootstrap_servers=self.bootstrap_servers,
-                                   client_id=self.client_id,
-                                   max_block_ms=self.max_block_ms,
-                                   value_serializer=logs_json_serializer)
+    def __init__(
+        self, bootstrap_servers=None, topic=None, client_id=None, max_block_seconds=None
+    ):
+        self.bootstrap_servers = bootstrap_servers
+        self.topic = topic
+        self.client_id = client_id
+        self.max_block_ms = (max_block_seconds or DEFAULT_MAX_BLOCK_SECONDS) * 1000
 
-  def send(self, logentry):
-    try:
-      # send() has a (max_block_ms) timeout and get() has a (max_block_ms) timeout
-      # for an upper bound of 2x(max_block_ms) before guaranteed delivery
-      future = self._producer.send(self.topic, logentry.to_dict(), timestamp_ms=epoch_ms(logentry.datetime))
-      record_metadata = future.get(timeout=self.max_block_ms)
-      assert future.succeeded
-    except KafkaTimeoutError as kte:
-      logger.exception('KafkaLogsProducer timeout sending log to Kafka: %s', kte)
-      raise LogSendException('KafkaLogsProducer timeout sending log to Kafka: %s' % kte)
-    except KafkaError as ke:
-      logger.exception('KafkaLogsProducer error sending log to Kafka: %s', ke)
-      raise LogSendException('KafkaLogsProducer error sending log to Kafka: %s' % ke)
-    except Exception as e:
-      logger.exception('KafkaLogsProducer exception sending log to Kafka: %s', e)
-      raise LogSendException('KafkaLogsProducer exception sending log to Kafka: %s' % e)
+        self._producer = KafkaProducer(
+            bootstrap_servers=self.bootstrap_servers,
+            client_id=self.client_id,
+            max_block_ms=self.max_block_ms,
+            value_serializer=logs_json_serializer,
+        )
+
+    def send(self, logentry):
+        try:
+            # send() has a (max_block_ms) timeout and get() has a (max_block_ms) timeout
+            # for an upper bound of 2x(max_block_ms) before guaranteed delivery
+            future = self._producer.send(
+                self.topic, logentry.to_dict(), timestamp_ms=epoch_ms(logentry.datetime)
+            )
+            record_metadata = future.get(timeout=self.max_block_ms)
+            assert future.succeeded
+        except KafkaTimeoutError as kte:
+            logger.exception("KafkaLogsProducer timeout sending log to Kafka: %s", kte)
+            raise LogSendException(
+                "KafkaLogsProducer timeout sending log to Kafka: %s" % kte
+            )
+        except KafkaError as ke:
+            logger.exception("KafkaLogsProducer error sending log to Kafka: %s", ke)
+            raise LogSendException(
+                "KafkaLogsProducer error sending log to Kafka: %s" % ke
+            )
+        except Exception as e:
+            logger.exception("KafkaLogsProducer exception sending log to Kafka: %s", e)
+            raise LogSendException(
+                "KafkaLogsProducer exception sending log to Kafka: %s" % e
+            )
diff --git a/data/logs_model/logs_producer/kinesis_stream_logs_producer.py b/data/logs_model/logs_producer/kinesis_stream_logs_producer.py
index d4c03f711..1fb60f798 100644
--- a/data/logs_model/logs_producer/kinesis_stream_logs_producer.py
+++ b/data/logs_model/logs_producer/kinesis_stream_logs_producer.py
@@ -13,7 +13,7 @@ from data.logs_model.logs_producer import LogSendException
 
 logger = logging.getLogger(__name__)
 
-KINESIS_PARTITION_KEY_PREFIX = 'logentry_partition_key_'
+KINESIS_PARTITION_KEY_PREFIX = "logentry_partition_key_"
 DEFAULT_CONNECT_TIMEOUT = 5
 DEFAULT_READ_TIMEOUT = 5
 MAX_RETRY_ATTEMPTS = 5
@@ -21,55 +21,79 @@ DEFAULT_MAX_POOL_CONNECTIONS = 10
 
 
 def _partition_key(number_of_shards=None):
-  """ Generate a partition key for AWS Kinesis stream.
+    """ Generate a partition key for AWS Kinesis stream.
   If the number of shards is specified, generate keys where the size of the key space is
   the number of shards.
   """
-  key = None
-  if number_of_shards is not None:
-    shard_number = random.randrange(0, number_of_shards)
-    key = hashlib.sha1(KINESIS_PARTITION_KEY_PREFIX + str(shard_number)).hexdigest()
-  else:
-    key = hashlib.sha1(KINESIS_PARTITION_KEY_PREFIX + str(random.getrandbits(256))).hexdigest()
+    key = None
+    if number_of_shards is not None:
+        shard_number = random.randrange(0, number_of_shards)
+        key = hashlib.sha1(KINESIS_PARTITION_KEY_PREFIX + str(shard_number)).hexdigest()
+    else:
+        key = hashlib.sha1(
+            KINESIS_PARTITION_KEY_PREFIX + str(random.getrandbits(256))
+        ).hexdigest()
 
-  return key
+    return key
 
 
 class KinesisStreamLogsProducer(LogProducerInterface):
-  """ Log producer writing log entries to an Amazon Kinesis Data Stream. """
-  def __init__(self, stream_name, aws_region, aws_access_key=None, aws_secret_key=None,
-               connect_timeout=None, read_timeout=None, max_retries=None,
-               max_pool_connections=None):
-    self._stream_name = stream_name
-    self._aws_region = aws_region
-    self._aws_access_key = aws_access_key
-    self._aws_secret_key = aws_secret_key
-    self._connect_timeout = connect_timeout or DEFAULT_CONNECT_TIMEOUT
-    self._read_timeout = read_timeout or DEFAULT_READ_TIMEOUT
-    self._max_retries = max_retries or MAX_RETRY_ATTEMPTS
-    self._max_pool_connections=max_pool_connections or DEFAULT_MAX_POOL_CONNECTIONS
+    """ Log producer writing log entries to an Amazon Kinesis Data Stream. """
 
-    client_config = Config(connect_timeout=self._connect_timeout,
-                           read_timeout=self._read_timeout ,
-                           retries={'max_attempts': self._max_retries},
-                           max_pool_connections=self._max_pool_connections)
-    self._producer = boto3.client('kinesis', use_ssl=True,
-                                  region_name=self._aws_region,
-                                  aws_access_key_id=self._aws_access_key,
-                                  aws_secret_access_key=self._aws_secret_key,
-                                  config=client_config)
+    def __init__(
+        self,
+        stream_name,
+        aws_region,
+        aws_access_key=None,
+        aws_secret_key=None,
+        connect_timeout=None,
+        read_timeout=None,
+        max_retries=None,
+        max_pool_connections=None,
+    ):
+        self._stream_name = stream_name
+        self._aws_region = aws_region
+        self._aws_access_key = aws_access_key
+        self._aws_secret_key = aws_secret_key
+        self._connect_timeout = connect_timeout or DEFAULT_CONNECT_TIMEOUT
+        self._read_timeout = read_timeout or DEFAULT_READ_TIMEOUT
+        self._max_retries = max_retries or MAX_RETRY_ATTEMPTS
+        self._max_pool_connections = (
+            max_pool_connections or DEFAULT_MAX_POOL_CONNECTIONS
+        )
 
-  def send(self, logentry):
-    try:
-      data = logs_json_serializer(logentry)
-      self._producer.put_record(
-        StreamName=self._stream_name,
-        Data=data,
-        PartitionKey=_partition_key()
-      )
-    except ClientError as ce:
-      logger.exception('KinesisStreamLogsProducer client error sending log to Kinesis: %s', ce)
-      raise LogSendException('KinesisStreamLogsProducer client error sending log to Kinesis: %s' % ce)
-    except Exception as e:
-      logger.exception('KinesisStreamLogsProducer exception sending log to Kinesis: %s', e)
-      raise LogSendException('KinesisStreamLogsProducer exception sending log to Kinesis: %s' % e)
+        client_config = Config(
+            connect_timeout=self._connect_timeout,
+            read_timeout=self._read_timeout,
+            retries={"max_attempts": self._max_retries},
+            max_pool_connections=self._max_pool_connections,
+        )
+        self._producer = boto3.client(
+            "kinesis",
+            use_ssl=True,
+            region_name=self._aws_region,
+            aws_access_key_id=self._aws_access_key,
+            aws_secret_access_key=self._aws_secret_key,
+            config=client_config,
+        )
+
+    def send(self, logentry):
+        try:
+            data = logs_json_serializer(logentry)
+            self._producer.put_record(
+                StreamName=self._stream_name, Data=data, PartitionKey=_partition_key()
+            )
+        except ClientError as ce:
+            logger.exception(
+                "KinesisStreamLogsProducer client error sending log to Kinesis: %s", ce
+            )
+            raise LogSendException(
+                "KinesisStreamLogsProducer client error sending log to Kinesis: %s" % ce
+            )
+        except Exception as e:
+            logger.exception(
+                "KinesisStreamLogsProducer exception sending log to Kinesis: %s", e
+            )
+            raise LogSendException(
+                "KinesisStreamLogsProducer exception sending log to Kinesis: %s" % e
+            )
diff --git a/data/logs_model/logs_producer/test/test_json_logs_serializer.py b/data/logs_model/logs_producer/test/test_json_logs_serializer.py
index a45b0c5bb..4c2c18333 100644
--- a/data/logs_model/logs_producer/test/test_json_logs_serializer.py
+++ b/data/logs_model/logs_producer/test/test_json_logs_serializer.py
@@ -17,29 +17,50 @@ TEST_DATETIME = datetime.utcnow()
 TEST_JSON_STRING = '{"a": "b", "c": "d"}'
 TEST_JSON_STRING_WITH_UNICODE = u'{"éëê": "îôû"}'
 
-VALID_LOGENTRY = LogEntry(random_id='123-45', ip='0.0.0.0', metadata_json=TEST_JSON_STRING, datetime=TEST_DATETIME)
-VALID_LOGENTRY_WITH_UNICODE = LogEntry(random_id='123-45', ip='0.0.0.0', metadata_json=TEST_JSON_STRING_WITH_UNICODE, datetime=TEST_DATETIME)
+VALID_LOGENTRY = LogEntry(
+    random_id="123-45",
+    ip="0.0.0.0",
+    metadata_json=TEST_JSON_STRING,
+    datetime=TEST_DATETIME,
+)
+VALID_LOGENTRY_WITH_UNICODE = LogEntry(
+    random_id="123-45",
+    ip="0.0.0.0",
+    metadata_json=TEST_JSON_STRING_WITH_UNICODE,
+    datetime=TEST_DATETIME,
+)
 
-VALID_LOGENTRY_EXPECTED_OUTPUT = '{"datetime": "%s", "ip": "0.0.0.0", "metadata_json": "{\\"a\\": \\"b\\", \\"c\\": \\"d\\"}", "random_id": "123-45"}' % TEST_DATETIME.isoformat()
-VALID_LOGENTRY_WITH_UNICODE_EXPECTED_OUTPUT = '{"datetime": "%s", "ip": "0.0.0.0", "metadata_json": "{\\"\\u00e9\\u00eb\\u00ea\\": \\"\\u00ee\\u00f4\\u00fb\\"}", "random_id": "123-45"}' % TEST_DATETIME.isoformat()
+VALID_LOGENTRY_EXPECTED_OUTPUT = (
+    '{"datetime": "%s", "ip": "0.0.0.0", "metadata_json": "{\\"a\\": \\"b\\", \\"c\\": \\"d\\"}", "random_id": "123-45"}'
+    % TEST_DATETIME.isoformat()
+)
+VALID_LOGENTRY_WITH_UNICODE_EXPECTED_OUTPUT = (
+    '{"datetime": "%s", "ip": "0.0.0.0", "metadata_json": "{\\"\\u00e9\\u00eb\\u00ea\\": \\"\\u00ee\\u00f4\\u00fb\\"}", "random_id": "123-45"}'
+    % TEST_DATETIME.isoformat()
+)
 
 
 @pytest.mark.parametrize(
-  'is_valid, given_input, expected_output',
-  [
-    # Valid inputs
-    pytest.param(True, VALID_LOGENTRY, VALID_LOGENTRY_EXPECTED_OUTPUT),
-    # With unicode
-    pytest.param(True, VALID_LOGENTRY_WITH_UNICODE, VALID_LOGENTRY_WITH_UNICODE_EXPECTED_OUTPUT),
-  ])
+    "is_valid, given_input, expected_output",
+    [
+        # Valid inputs
+        pytest.param(True, VALID_LOGENTRY, VALID_LOGENTRY_EXPECTED_OUTPUT),
+        # With unicode
+        pytest.param(
+            True,
+            VALID_LOGENTRY_WITH_UNICODE,
+            VALID_LOGENTRY_WITH_UNICODE_EXPECTED_OUTPUT,
+        ),
+    ],
+)
 def test_logs_json_serializer(is_valid, given_input, expected_output):
-  if not is_valid:
-    with pytest.raises(ValueError) as ve:
-      data = logs_json_serializer(given_input)
-  else:
-    data = logs_json_serializer(given_input, sort_keys=True)
-    assert data == expected_output
+    if not is_valid:
+        with pytest.raises(ValueError) as ve:
+            data = logs_json_serializer(given_input)
+    else:
+        data = logs_json_serializer(given_input, sort_keys=True)
+        assert data == expected_output
 
-  # Make sure the datetime was serialized in the correct ISO8601
-  datetime_str = json.loads(data)['datetime']
-  assert datetime_str == TEST_DATETIME.isoformat()
+    # Make sure the datetime was serialized in the correct ISO8601
+    datetime_str = json.loads(data)["datetime"]
+    assert datetime_str == TEST_DATETIME.isoformat()
diff --git a/data/logs_model/logs_producer/util.py b/data/logs_model/logs_producer/util.py
index d6c3e2d8d..fb8fa0038 100644
--- a/data/logs_model/logs_producer/util.py
+++ b/data/logs_model/logs_producer/util.py
@@ -1,15 +1,22 @@
 import json
 from datetime import datetime
 
-class LogEntryJSONEncoder(json.JSONEncoder):
-  """ JSON encoder to encode datetimes to ISO8601 format. """
-  def default(self, obj):
-    if isinstance(obj, datetime):
-      return obj.isoformat()
 
-    return super(LogEntryJSONEncoder, self).default(obj)
+class LogEntryJSONEncoder(json.JSONEncoder):
+    """ JSON encoder to encode datetimes to ISO8601 format. """
+
+    def default(self, obj):
+        if isinstance(obj, datetime):
+            return obj.isoformat()
+
+        return super(LogEntryJSONEncoder, self).default(obj)
+
 
 def logs_json_serializer(logentry, sort_keys=False):
-  """ Serializes a LogEntry to json bytes. """
-  return json.dumps(logentry.to_dict(), cls=LogEntryJSONEncoder,
-                    ensure_ascii=True, sort_keys=sort_keys).encode('ascii')
+    """ Serializes a LogEntry to json bytes. """
+    return json.dumps(
+        logentry.to_dict(),
+        cls=LogEntryJSONEncoder,
+        ensure_ascii=True,
+        sort_keys=sort_keys,
+    ).encode("ascii")
diff --git a/data/logs_model/shared.py b/data/logs_model/shared.py
index 550cac95e..210b57dc9 100644
--- a/data/logs_model/shared.py
+++ b/data/logs_model/shared.py
@@ -7,47 +7,62 @@ from data import model
 
 
 class SharedModel:
-  def queue_logs_export(self, start_datetime, end_datetime, export_action_logs_queue,
-                        namespace_name=None, repository_name=None, callback_url=None,
-                        callback_email=None, filter_kinds=None):
-    """ Queues logs between the start_datetime and end_time, filtered by a repository or namespace,
+    def queue_logs_export(
+        self,
+        start_datetime,
+        end_datetime,
+        export_action_logs_queue,
+        namespace_name=None,
+        repository_name=None,
+        callback_url=None,
+        callback_email=None,
+        filter_kinds=None,
+    ):
+        """ Queues logs between the start_datetime and end_time, filtered by a repository or namespace,
         for export to the specified URL and/or email address. Returns the ID of the export job
         queued or None if error.
     """
-    export_id = str(uuid.uuid4())
-    namespace = model.user.get_namespace_user(namespace_name)
-    if namespace is None:
-      return None
+        export_id = str(uuid.uuid4())
+        namespace = model.user.get_namespace_user(namespace_name)
+        if namespace is None:
+            return None
 
-    repository = None
-    if repository_name is not None:
-      repository = model.repository.get_repository(namespace_name, repository_name)
-      if repository is None:
-        return None
+        repository = None
+        if repository_name is not None:
+            repository = model.repository.get_repository(
+                namespace_name, repository_name
+            )
+            if repository is None:
+                return None
 
-    export_action_logs_queue.put([namespace_name],
-                                 json.dumps({
-                                   'export_id': export_id,
-                                   'repository_id': repository.id if repository else None,
-                                   'namespace_id': namespace.id,
-                                   'namespace_name': namespace.username,
-                                   'repository_name': repository.name if repository else None,
-                                   'start_time': start_datetime.strftime('%m/%d/%Y'),
-                                   'end_time': end_datetime.strftime('%m/%d/%Y'),
-                                   'callback_url': callback_url,
-                                   'callback_email': callback_email,
-                                 }), retries_remaining=3)
+        export_action_logs_queue.put(
+            [namespace_name],
+            json.dumps(
+                {
+                    "export_id": export_id,
+                    "repository_id": repository.id if repository else None,
+                    "namespace_id": namespace.id,
+                    "namespace_name": namespace.username,
+                    "repository_name": repository.name if repository else None,
+                    "start_time": start_datetime.strftime("%m/%d/%Y"),
+                    "end_time": end_datetime.strftime("%m/%d/%Y"),
+                    "callback_url": callback_url,
+                    "callback_email": callback_email,
+                }
+            ),
+            retries_remaining=3,
+        )
 
-    return export_id
+        return export_id
 
 
 def epoch_ms(dt):
-  return (timegm(dt.timetuple()) * 1000) + (dt.microsecond / 1000)
+    return (timegm(dt.timetuple()) * 1000) + (dt.microsecond / 1000)
 
 
 def get_kinds_filter(kinds):
-  """ Given a list of kinds, return the set of kinds not that are not part of that list.
+    """ Given a list of kinds, return the set of kinds not that are not part of that list.
       i.e Returns the list of kinds to be filtered out. """
-  kind_map = model.log.get_log_entry_kinds()
-  kind_map = {key: kind_map[key] for key in kind_map if not isinstance(key, int)}
-  return [kind_name for kind_name in kind_map if kind_name not in kinds]
+    kind_map = model.log.get_log_entry_kinds()
+    kind_map = {key: kind_map[key] for key in kind_map if not isinstance(key, int)}
+    return [kind_name for kind_name in kind_map if kind_name not in kinds]
diff --git a/data/logs_model/table_logs_model.py b/data/logs_model/table_logs_model.py
index 697bf2dc6..6cfcdda17 100644
--- a/data/logs_model/table_logs_model.py
+++ b/data/logs_model/table_logs_model.py
@@ -10,16 +10,19 @@ from dateutil.relativedelta import relativedelta
 from data import model
 from data.model import config
 from data.database import LogEntry, LogEntry2, LogEntry3, UseThenDisconnect
-from data.logs_model.interface import ActionLogsDataInterface, LogsIterationTimeout, \
-  LogRotationContextInterface
+from data.logs_model.interface import (
+    ActionLogsDataInterface,
+    LogsIterationTimeout,
+    LogRotationContextInterface,
+)
 from data.logs_model.datatypes import Log, AggregatedLogCount, LogEntriesPage
 from data.logs_model.shared import SharedModel
 from data.model.log import get_stale_logs, get_stale_logs_start_id, delete_stale_logs
 
 logger = logging.getLogger(__name__)
 
-MINIMUM_RANGE_SIZE = 1 # second
-MAXIMUM_RANGE_SIZE = 60 * 60 * 24 * 30 # seconds ~= 1 month
+MINIMUM_RANGE_SIZE = 1  # second
+MAXIMUM_RANGE_SIZE = 60 * 60 * 24 * 30  # seconds ~= 1 month
 EXPECTED_ITERATION_LOG_COUNT = 1000
 
 
@@ -27,265 +30,379 @@ LOG_MODELS = [LogEntry3, LogEntry2, LogEntry]
 
 
 class TableLogsModel(SharedModel, ActionLogsDataInterface):
-  """
+    """
   TableLogsModel implements the data model for the logs API backed by a single table
   in the database.
   """
-  def __init__(self, should_skip_logging=None, **kwargs):
-    self._should_skip_logging = should_skip_logging
 
-  def lookup_logs(self, start_datetime, end_datetime, performer_name=None, repository_name=None,
-                  namespace_name=None, filter_kinds=None, page_token=None, max_page_count=None):
-    if filter_kinds is not None:
-      assert all(isinstance(kind_name, str) for kind_name in filter_kinds)
+    def __init__(self, should_skip_logging=None, **kwargs):
+        self._should_skip_logging = should_skip_logging
 
-    assert start_datetime is not None
-    assert end_datetime is not None
+    def lookup_logs(
+        self,
+        start_datetime,
+        end_datetime,
+        performer_name=None,
+        repository_name=None,
+        namespace_name=None,
+        filter_kinds=None,
+        page_token=None,
+        max_page_count=None,
+    ):
+        if filter_kinds is not None:
+            assert all(isinstance(kind_name, str) for kind_name in filter_kinds)
 
-    repository = None
-    if repository_name and namespace_name:
-      repository = model.repository.get_repository(namespace_name, repository_name)
-      assert repository
+        assert start_datetime is not None
+        assert end_datetime is not None
 
-    performer = None
-    if performer_name:
-      performer = model.user.get_user(performer_name)
-      assert performer
+        repository = None
+        if repository_name and namespace_name:
+            repository = model.repository.get_repository(
+                namespace_name, repository_name
+            )
+            assert repository
 
-    def get_logs(m, page_token):
-      logs_query = model.log.get_logs_query(start_datetime, end_datetime, performer=performer,
-                                            repository=repository, namespace=namespace_name,
-                                            ignore=filter_kinds, model=m)
+        performer = None
+        if performer_name:
+            performer = model.user.get_user(performer_name)
+            assert performer
 
-      logs, next_page_token = model.modelutil.paginate(logs_query, m,
-                                                       descending=True,
-                                                       page_token=page_token,
-                                                       limit=20,
-                                                       max_page=max_page_count,
-                                                       sort_field_name='datetime')
+        def get_logs(m, page_token):
+            logs_query = model.log.get_logs_query(
+                start_datetime,
+                end_datetime,
+                performer=performer,
+                repository=repository,
+                namespace=namespace_name,
+                ignore=filter_kinds,
+                model=m,
+            )
 
-      return logs, next_page_token
+            logs, next_page_token = model.modelutil.paginate(
+                logs_query,
+                m,
+                descending=True,
+                page_token=page_token,
+                limit=20,
+                max_page=max_page_count,
+                sort_field_name="datetime",
+            )
 
-    TOKEN_TABLE_ID = 'tti'
-    table_index = 0
-    logs = []
-    next_page_token = page_token or None
+            return logs, next_page_token
 
-    # Skip empty pages (empty table)
-    while len(logs) == 0 and table_index < len(LOG_MODELS) - 1:
-      table_specified = next_page_token is not None and next_page_token.get(TOKEN_TABLE_ID) is not None
-      if table_specified:
-        table_index = next_page_token.get(TOKEN_TABLE_ID)
+        TOKEN_TABLE_ID = "tti"
+        table_index = 0
+        logs = []
+        next_page_token = page_token or None
 
-      logs_result, next_page_token = get_logs(LOG_MODELS[table_index], next_page_token)
-      logs.extend(logs_result)
+        # Skip empty pages (empty table)
+        while len(logs) == 0 and table_index < len(LOG_MODELS) - 1:
+            table_specified = (
+                next_page_token is not None
+                and next_page_token.get(TOKEN_TABLE_ID) is not None
+            )
+            if table_specified:
+                table_index = next_page_token.get(TOKEN_TABLE_ID)
 
-      if next_page_token is None and table_index < len(LOG_MODELS) - 1:
-        next_page_token = {TOKEN_TABLE_ID: table_index + 1}
+            logs_result, next_page_token = get_logs(
+                LOG_MODELS[table_index], next_page_token
+            )
+            logs.extend(logs_result)
 
-    return LogEntriesPage([Log.for_logentry(log) for log in logs], next_page_token)
+            if next_page_token is None and table_index < len(LOG_MODELS) - 1:
+                next_page_token = {TOKEN_TABLE_ID: table_index + 1}
 
-  def lookup_latest_logs(self, performer_name=None, repository_name=None, namespace_name=None,
-                         filter_kinds=None, size=20):
-    if filter_kinds is not None:
-      assert all(isinstance(kind_name, str) for kind_name in filter_kinds)
+        return LogEntriesPage([Log.for_logentry(log) for log in logs], next_page_token)
 
-    repository = None
-    if repository_name and namespace_name:
-      repository = model.repository.get_repository(namespace_name, repository_name)
-      assert repository
+    def lookup_latest_logs(
+        self,
+        performer_name=None,
+        repository_name=None,
+        namespace_name=None,
+        filter_kinds=None,
+        size=20,
+    ):
+        if filter_kinds is not None:
+            assert all(isinstance(kind_name, str) for kind_name in filter_kinds)
 
-    performer = None
-    if performer_name:
-      performer = model.user.get_user(performer_name)
-      assert performer
+        repository = None
+        if repository_name and namespace_name:
+            repository = model.repository.get_repository(
+                namespace_name, repository_name
+            )
+            assert repository
 
-    def get_latest_logs(m):
-      logs_query = model.log.get_latest_logs_query(performer=performer, repository=repository,
-                                                   namespace=namespace_name, ignore=filter_kinds,
-                                                   model=m, size=size)
+        performer = None
+        if performer_name:
+            performer = model.user.get_user(performer_name)
+            assert performer
 
-      logs = list(logs_query)
-      return [Log.for_logentry(log) for log in logs]
+        def get_latest_logs(m):
+            logs_query = model.log.get_latest_logs_query(
+                performer=performer,
+                repository=repository,
+                namespace=namespace_name,
+                ignore=filter_kinds,
+                model=m,
+                size=size,
+            )
 
-    return get_latest_logs(LOG_MODELS[0])
+            logs = list(logs_query)
+            return [Log.for_logentry(log) for log in logs]
 
-  def get_aggregated_log_counts(self, start_datetime, end_datetime, performer_name=None,
-                                repository_name=None, namespace_name=None, filter_kinds=None):
-    if filter_kinds is not None:
-      assert all(isinstance(kind_name, str) for kind_name in filter_kinds)
+        return get_latest_logs(LOG_MODELS[0])
 
-    if end_datetime - start_datetime >= timedelta(weeks=4):
-      raise Exception('Cannot lookup aggregated logs over a period longer than a month')
+    def get_aggregated_log_counts(
+        self,
+        start_datetime,
+        end_datetime,
+        performer_name=None,
+        repository_name=None,
+        namespace_name=None,
+        filter_kinds=None,
+    ):
+        if filter_kinds is not None:
+            assert all(isinstance(kind_name, str) for kind_name in filter_kinds)
 
-    repository = None
-    if repository_name and namespace_name:
-      repository = model.repository.get_repository(namespace_name, repository_name)
+        if end_datetime - start_datetime >= timedelta(weeks=4):
+            raise Exception(
+                "Cannot lookup aggregated logs over a period longer than a month"
+            )
 
-    performer = None
-    if performer_name:
-      performer = model.user.get_user(performer_name)
+        repository = None
+        if repository_name and namespace_name:
+            repository = model.repository.get_repository(
+                namespace_name, repository_name
+            )
 
-    entries = {}
-    for log_model in LOG_MODELS:
-      aggregated = model.log.get_aggregated_logs(start_datetime, end_datetime,
-                                                 performer=performer,
-                                                 repository=repository,
-                                                 namespace=namespace_name,
-                                                 ignore=filter_kinds,
-                                                 model=log_model)
+        performer = None
+        if performer_name:
+            performer = model.user.get_user(performer_name)
 
-      for entry in aggregated:
-        synthetic_date = datetime(start_datetime.year, start_datetime.month, int(entry.day),
-                                  tzinfo=get_localzone())
-        if synthetic_date.day < start_datetime.day:
-          synthetic_date = synthetic_date + relativedelta(months=1)
+        entries = {}
+        for log_model in LOG_MODELS:
+            aggregated = model.log.get_aggregated_logs(
+                start_datetime,
+                end_datetime,
+                performer=performer,
+                repository=repository,
+                namespace=namespace_name,
+                ignore=filter_kinds,
+                model=log_model,
+            )
 
-        key = '%s-%s' % (entry.kind_id, entry.day)
+            for entry in aggregated:
+                synthetic_date = datetime(
+                    start_datetime.year,
+                    start_datetime.month,
+                    int(entry.day),
+                    tzinfo=get_localzone(),
+                )
+                if synthetic_date.day < start_datetime.day:
+                    synthetic_date = synthetic_date + relativedelta(months=1)
 
-        if key in entries:
-          entries[key] = AggregatedLogCount(entry.kind_id, entry.count + entries[key].count,
-                                            synthetic_date)
-        else:
-          entries[key] = AggregatedLogCount(entry.kind_id, entry.count, synthetic_date)
+                key = "%s-%s" % (entry.kind_id, entry.day)
 
-    return entries.values()
+                if key in entries:
+                    entries[key] = AggregatedLogCount(
+                        entry.kind_id, entry.count + entries[key].count, synthetic_date
+                    )
+                else:
+                    entries[key] = AggregatedLogCount(
+                        entry.kind_id, entry.count, synthetic_date
+                    )
 
-  def count_repository_actions(self, repository, day):
-    return model.repositoryactioncount.count_repository_actions(repository, day)
+        return entries.values()
 
-  def log_action(self, kind_name, namespace_name=None, performer=None, ip=None, metadata=None,
-                 repository=None, repository_name=None, timestamp=None, is_free_namespace=False):
-    if self._should_skip_logging and self._should_skip_logging(kind_name, namespace_name,
-                                                               is_free_namespace):
-      return
+    def count_repository_actions(self, repository, day):
+        return model.repositoryactioncount.count_repository_actions(repository, day)
 
-    if repository_name is not None:
-      assert repository is None
-      assert namespace_name is not None
-      repository = model.repository.get_repository(namespace_name, repository_name)
+    def log_action(
+        self,
+        kind_name,
+        namespace_name=None,
+        performer=None,
+        ip=None,
+        metadata=None,
+        repository=None,
+        repository_name=None,
+        timestamp=None,
+        is_free_namespace=False,
+    ):
+        if self._should_skip_logging and self._should_skip_logging(
+            kind_name, namespace_name, is_free_namespace
+        ):
+            return
 
-    model.log.log_action(kind_name, namespace_name, performer=performer, repository=repository,
-                         ip=ip, metadata=metadata or {}, timestamp=timestamp)
+        if repository_name is not None:
+            assert repository is None
+            assert namespace_name is not None
+            repository = model.repository.get_repository(
+                namespace_name, repository_name
+            )
 
-  def yield_logs_for_export(self, start_datetime, end_datetime, repository_id=None,
-                            namespace_id=None, max_query_time=None):
-    # Using an adjusting scale, start downloading log rows in batches, starting at
-    # MINIMUM_RANGE_SIZE and doubling until we've reached EXPECTED_ITERATION_LOG_COUNT or
-    # the lookup range has reached MAXIMUM_RANGE_SIZE. If at any point this operation takes
-    # longer than the MAXIMUM_WORK_PERIOD_SECONDS, terminate the batch operation as timed out.
-    batch_start_time = datetime.utcnow()
+        model.log.log_action(
+            kind_name,
+            namespace_name,
+            performer=performer,
+            repository=repository,
+            ip=ip,
+            metadata=metadata or {},
+            timestamp=timestamp,
+        )
 
-    current_start_datetime = start_datetime
-    current_batch_size = timedelta(seconds=MINIMUM_RANGE_SIZE)
+    def yield_logs_for_export(
+        self,
+        start_datetime,
+        end_datetime,
+        repository_id=None,
+        namespace_id=None,
+        max_query_time=None,
+    ):
+        # Using an adjusting scale, start downloading log rows in batches, starting at
+        # MINIMUM_RANGE_SIZE and doubling until we've reached EXPECTED_ITERATION_LOG_COUNT or
+        # the lookup range has reached MAXIMUM_RANGE_SIZE. If at any point this operation takes
+        # longer than the MAXIMUM_WORK_PERIOD_SECONDS, terminate the batch operation as timed out.
+        batch_start_time = datetime.utcnow()
 
-    while current_start_datetime < end_datetime:
-      # Verify we haven't been working for too long.
-      work_elapsed = datetime.utcnow() - batch_start_time
-      if max_query_time is not None and work_elapsed > max_query_time:
-        logger.error('Retrieval of logs `%s/%s` timed out with time of `%s`',
-                     namespace_id, repository_id, work_elapsed)
-        raise LogsIterationTimeout()
+        current_start_datetime = start_datetime
+        current_batch_size = timedelta(seconds=MINIMUM_RANGE_SIZE)
 
-      current_end_datetime = current_start_datetime + current_batch_size
-      current_end_datetime = min(current_end_datetime, end_datetime)
+        while current_start_datetime < end_datetime:
+            # Verify we haven't been working for too long.
+            work_elapsed = datetime.utcnow() - batch_start_time
+            if max_query_time is not None and work_elapsed > max_query_time:
+                logger.error(
+                    "Retrieval of logs `%s/%s` timed out with time of `%s`",
+                    namespace_id,
+                    repository_id,
+                    work_elapsed,
+                )
+                raise LogsIterationTimeout()
 
-      # Load the next set of logs.
-      def load_logs():
-        logger.debug('Retrieving logs over range %s -> %s with namespace %s and repository %s',
-                     current_start_datetime, current_end_datetime, namespace_id, repository_id)
+            current_end_datetime = current_start_datetime + current_batch_size
+            current_end_datetime = min(current_end_datetime, end_datetime)
 
-        logs_query = model.log.get_logs_query(namespace=namespace_id,
-                                              repository=repository_id,
-                                              start_time=current_start_datetime,
-                                              end_time=current_end_datetime)
-        logs = list(logs_query)
-        for log in logs:
-          if namespace_id is not None:
-            assert log.account_id == namespace_id
+            # Load the next set of logs.
+            def load_logs():
+                logger.debug(
+                    "Retrieving logs over range %s -> %s with namespace %s and repository %s",
+                    current_start_datetime,
+                    current_end_datetime,
+                    namespace_id,
+                    repository_id,
+                )
 
-          if repository_id is not None:
-            assert log.repository_id == repository_id
+                logs_query = model.log.get_logs_query(
+                    namespace=namespace_id,
+                    repository=repository_id,
+                    start_time=current_start_datetime,
+                    end_time=current_end_datetime,
+                )
+                logs = list(logs_query)
+                for log in logs:
+                    if namespace_id is not None:
+                        assert log.account_id == namespace_id
 
-        logs = [Log.for_logentry(log) for log in logs]
-        return logs
+                    if repository_id is not None:
+                        assert log.repository_id == repository_id
 
-      logs, elapsed = _run_and_time(load_logs)
-      if max_query_time is not None and elapsed > max_query_time:
-        logger.error('Retrieval of logs for export `%s/%s` with range `%s-%s` timed out at `%s`',
-                     namespace_id, repository_id, current_start_datetime, current_end_datetime,
-                     elapsed)
-        raise LogsIterationTimeout()
+                logs = [Log.for_logentry(log) for log in logs]
+                return logs
 
-      yield logs
+            logs, elapsed = _run_and_time(load_logs)
+            if max_query_time is not None and elapsed > max_query_time:
+                logger.error(
+                    "Retrieval of logs for export `%s/%s` with range `%s-%s` timed out at `%s`",
+                    namespace_id,
+                    repository_id,
+                    current_start_datetime,
+                    current_end_datetime,
+                    elapsed,
+                )
+                raise LogsIterationTimeout()
 
-      # Move forward.
-      current_start_datetime = current_end_datetime
+            yield logs
 
-      # Increase the batch size if necessary.
-      if len(logs) < EXPECTED_ITERATION_LOG_COUNT:
-        seconds = min(MAXIMUM_RANGE_SIZE, current_batch_size.total_seconds() * 2)
-        current_batch_size = timedelta(seconds=seconds)
+            # Move forward.
+            current_start_datetime = current_end_datetime
 
-  def yield_log_rotation_context(self, cutoff_date, min_logs_per_rotation):
-    """ Yield a context manager for a group of outdated logs. """
-    for log_model in LOG_MODELS:
-      while True:
-        with UseThenDisconnect(config.app_config):
-          start_id = get_stale_logs_start_id(log_model)
+            # Increase the batch size if necessary.
+            if len(logs) < EXPECTED_ITERATION_LOG_COUNT:
+                seconds = min(
+                    MAXIMUM_RANGE_SIZE, current_batch_size.total_seconds() * 2
+                )
+                current_batch_size = timedelta(seconds=seconds)
 
-          if start_id is None:
-            logger.warning('Failed to find start id')
-            break
+    def yield_log_rotation_context(self, cutoff_date, min_logs_per_rotation):
+        """ Yield a context manager for a group of outdated logs. """
+        for log_model in LOG_MODELS:
+            while True:
+                with UseThenDisconnect(config.app_config):
+                    start_id = get_stale_logs_start_id(log_model)
 
-          logger.debug('Found starting ID %s', start_id)
-          lookup_end_id = start_id + min_logs_per_rotation
-          logs = [log for log in get_stale_logs(start_id, lookup_end_id,
-                                                log_model, cutoff_date)]
+                    if start_id is None:
+                        logger.warning("Failed to find start id")
+                        break
 
-        if not logs:
-          logger.debug('No further logs found')
-          break
+                    logger.debug("Found starting ID %s", start_id)
+                    lookup_end_id = start_id + min_logs_per_rotation
+                    logs = [
+                        log
+                        for log in get_stale_logs(
+                            start_id, lookup_end_id, log_model, cutoff_date
+                        )
+                    ]
 
-        end_id = max([log.id for log in logs])
-        context = DatabaseLogRotationContext(logs, log_model, start_id, end_id)
-        yield context
+                if not logs:
+                    logger.debug("No further logs found")
+                    break
+
+                end_id = max([log.id for log in logs])
+                context = DatabaseLogRotationContext(logs, log_model, start_id, end_id)
+                yield context
 
 
 def _run_and_time(fn):
-  start_time = datetime.utcnow()
-  result = fn()
-  return result, datetime.utcnow() - start_time
+    start_time = datetime.utcnow()
+    result = fn()
+    return result, datetime.utcnow() - start_time
 
 
 table_logs_model = TableLogsModel()
 
 
 class DatabaseLogRotationContext(LogRotationContextInterface):
-  """
+    """
   DatabaseLogRotationContext represents a batch of logs to be archived together.
   i.e A set of logs to be archived in the same file (based on the number of logs per rotation).
 
   When completed without exceptions, this context will delete the stale logs
   from rows `start_id` to `end_id`.
   """
-  def __init__(self, logs, log_model, start_id, end_id):
-    self.logs = logs
-    self.log_model = log_model
-    self.start_id = start_id
-    self.end_id = end_id
 
-  def __enter__(self):
-    return self
+    def __init__(self, logs, log_model, start_id, end_id):
+        self.logs = logs
+        self.log_model = log_model
+        self.start_id = start_id
+        self.end_id = end_id
 
-  def __exit__(self, ex_type, ex_value, ex_traceback):
-    if ex_type is None and ex_value is None and ex_traceback is None:
-      with UseThenDisconnect(config.app_config):
-        logger.debug('Deleting logs from IDs %s to %s', self.start_id, self.end_id)
-        delete_stale_logs(self.start_id, self.end_id, self.log_model)
+    def __enter__(self):
+        return self
 
-  def yield_logs_batch(self):
-    """ Yield a batch of logs and a filename for that batch. """
-    filename = '%d-%d-%s.txt.gz' % (self.start_id, self.end_id,
-                                    self.log_model.__name__.lower())
-    yield self.logs, filename
+    def __exit__(self, ex_type, ex_value, ex_traceback):
+        if ex_type is None and ex_value is None and ex_traceback is None:
+            with UseThenDisconnect(config.app_config):
+                logger.debug(
+                    "Deleting logs from IDs %s to %s", self.start_id, self.end_id
+                )
+                delete_stale_logs(self.start_id, self.end_id, self.log_model)
+
+    def yield_logs_batch(self):
+        """ Yield a batch of logs and a filename for that batch. """
+        filename = "%d-%d-%s.txt.gz" % (
+            self.start_id,
+            self.end_id,
+            self.log_model.__name__.lower(),
+        )
+        yield self.logs, filename
diff --git a/data/logs_model/test/mock_elasticsearch.py b/data/logs_model/test/mock_elasticsearch.py
index bd26a10c7..d3b4da883 100644
--- a/data/logs_model/test/mock_elasticsearch.py
+++ b/data/logs_model/test/mock_elasticsearch.py
@@ -8,368 +8,304 @@ from data.logs_model.datatypes import LogEntriesPage, Log, AggregatedLogCount
 
 
 def _status(d, code=200):
-  return {"status_code": code, "content": json.dumps(d)}
+    return {"status_code": code, "content": json.dumps(d)}
 
 
 def _shards(d, total=5, failed=0, successful=5):
-  d.update({"_shards": {"total": total, "failed": failed, "successful": successful}})
-  return d
+    d.update({"_shards": {"total": total, "failed": failed, "successful": successful}})
+    return d
 
 
 def _hits(hits):
-  return {"hits": {"total": len(hits), "max_score": None, "hits": hits}}
+    return {"hits": {"total": len(hits), "max_score": None, "hits": hits}}
 
 
-INDEX_LIST_RESPONSE_HIT1_HIT2 = _status({
-  "logentry_2018-03-08": {},
-  "logentry_2018-04-02": {}
-})
+INDEX_LIST_RESPONSE_HIT1_HIT2 = _status(
+    {"logentry_2018-03-08": {}, "logentry_2018-04-02": {}}
+)
 
 
-INDEX_LIST_RESPONSE_HIT2 = _status({
-  "logentry_2018-04-02": {}
-})
+INDEX_LIST_RESPONSE_HIT2 = _status({"logentry_2018-04-02": {}})
 
 
-INDEX_LIST_RESPONSE = _status({
-  "logentry_2019-01-01": {},
-  "logentry_2017-03-08": {},
-  "logentry_2018-03-08": {},
-  "logentry_2018-04-02": {}
-})
+INDEX_LIST_RESPONSE = _status(
+    {
+        "logentry_2019-01-01": {},
+        "logentry_2017-03-08": {},
+        "logentry_2018-03-08": {},
+        "logentry_2018-04-02": {},
+    }
+)
 
 
 DEFAULT_TEMPLATE_RESPONSE = _status({"acknowledged": True})
 INDEX_RESPONSE_2019_01_01 = _status(
-  _shards({
-    "_index": "logentry_2019-01-01",
-    "_type": "_doc",
-    "_id": "1",
-    "_version": 1,
-    "_seq_no": 0,
-    "_primary_term": 1,
-    "result": "created"
-  }))
+    _shards(
+        {
+            "_index": "logentry_2019-01-01",
+            "_type": "_doc",
+            "_id": "1",
+            "_version": 1,
+            "_seq_no": 0,
+            "_primary_term": 1,
+            "result": "created",
+        }
+    )
+)
 
 INDEX_RESPONSE_2017_03_08 = _status(
-  _shards({
-    "_index": "logentry_2017-03-08",
-    "_type": "_doc",
-    "_id": "1",
-    "_version": 1,
-    "_seq_no": 0,
-    "_primary_term": 1,
-    "result": "created"
-  }))
+    _shards(
+        {
+            "_index": "logentry_2017-03-08",
+            "_type": "_doc",
+            "_id": "1",
+            "_version": 1,
+            "_seq_no": 0,
+            "_primary_term": 1,
+            "result": "created",
+        }
+    )
+)
 
 FAILURE_400 = _status({}, 400)
 
 INDEX_REQUEST_2019_01_01 = [
-  "logentry_2019-01-01", {
-    "account_id":
-      1,
-    "repository_id":
-      1,
-    "ip":
-      "192.168.1.1",
-    "random_id":
-      233,
-    "datetime":
-      "2019-01-01T03:30:00",
-    "metadata_json": json.loads("{\"\\ud83d\\ude02\": \"\\ud83d\\ude02\\ud83d\\udc4c\\ud83d\\udc4c\\ud83d\\udc4c\\ud83d\\udc4c\", \"key\": \"value\", \"time\": 1520479800}"),
-    "performer_id":
-      1,
-    "kind_id":
-      1
-  }
+    "logentry_2019-01-01",
+    {
+        "account_id": 1,
+        "repository_id": 1,
+        "ip": "192.168.1.1",
+        "random_id": 233,
+        "datetime": "2019-01-01T03:30:00",
+        "metadata_json": json.loads(
+            '{"\\ud83d\\ude02": "\\ud83d\\ude02\\ud83d\\udc4c\\ud83d\\udc4c\\ud83d\\udc4c\\ud83d\\udc4c", "key": "value", "time": 1520479800}'
+        ),
+        "performer_id": 1,
+        "kind_id": 1,
+    },
 ]
 
 INDEX_REQUEST_2017_03_08 = [
-  "logentry_2017-03-08", {
-    "repository_id":
-      1,
-    "account_id":
-      1,
-    "ip":
-      "192.168.1.1",
-    "random_id":
-      233,
-    "datetime":
-      "2017-03-08T03:30:00",
-    "metadata_json": json.loads("{\"\\ud83d\\ude02\": \"\\ud83d\\ude02\\ud83d\\udc4c\\ud83d\\udc4c\\ud83d\\udc4c\\ud83d\\udc4c\", \"key\": \"value\", \"time\": 1520479800}"),
-    "performer_id":
-      1,
-    "kind_id":
-      2
-  }
+    "logentry_2017-03-08",
+    {
+        "repository_id": 1,
+        "account_id": 1,
+        "ip": "192.168.1.1",
+        "random_id": 233,
+        "datetime": "2017-03-08T03:30:00",
+        "metadata_json": json.loads(
+            '{"\\ud83d\\ude02": "\\ud83d\\ude02\\ud83d\\udc4c\\ud83d\\udc4c\\ud83d\\udc4c\\ud83d\\udc4c", "key": "value", "time": 1520479800}'
+        ),
+        "performer_id": 1,
+        "kind_id": 2,
+    },
 ]
 
 _hit1 = {
-  "_index": "logentry_2018-03-08",
-  "_type": "doc",
-  "_id": "1",
-  "_score": None,
-  "_source": {
-    "random_id":
-      233,
-    "kind_id":
-      1,
-    "account_id":
-      1,
-    "performer_id":
-      1,
-    "repository_id":
-      1,
-    "ip":
-      "192.168.1.1",
-    "metadata_json":
-      "{\"\\ud83d\\ude02\": \"\\ud83d\\ude02\\ud83d\\udc4c\\ud83d\\udc4c\\ud83d\\udc4c\\ud83d\\udc4c\", \"key\": \"value\", \"time\": 1520479800}",
-    "datetime":
-      "2018-03-08T03:30",
-  },
-  "sort": [1520479800000, 233]
+    "_index": "logentry_2018-03-08",
+    "_type": "doc",
+    "_id": "1",
+    "_score": None,
+    "_source": {
+        "random_id": 233,
+        "kind_id": 1,
+        "account_id": 1,
+        "performer_id": 1,
+        "repository_id": 1,
+        "ip": "192.168.1.1",
+        "metadata_json": '{"\\ud83d\\ude02": "\\ud83d\\ude02\\ud83d\\udc4c\\ud83d\\udc4c\\ud83d\\udc4c\\ud83d\\udc4c", "key": "value", "time": 1520479800}',
+        "datetime": "2018-03-08T03:30",
+    },
+    "sort": [1520479800000, 233],
 }
 
 _hit2 = {
-  "_index": "logentry_2018-04-02",
-  "_type": "doc",
-  "_id": "2",
-  "_score": None,
-  "_source": {
-    "random_id":
-      233,
-    "kind_id":
-      2,
-    "account_id":
-      1,
-    "performer_id":
-      1,
-    "repository_id":
-      1,
-    "ip":
-      "192.168.1.2",
-    "metadata_json":
-      "{\"\\ud83d\\ude02\": \"\\ud83d\\ude02\\ud83d\\udc4c\\ud83d\\udc4c\\ud83d\\udc4c\\ud83d\\udc4c\", \"key\": \"value\", \"time\": 1522639800}",
-    "datetime":
-      "2018-04-02T03:30",
-  },
-  "sort": [1522639800000, 233]
+    "_index": "logentry_2018-04-02",
+    "_type": "doc",
+    "_id": "2",
+    "_score": None,
+    "_source": {
+        "random_id": 233,
+        "kind_id": 2,
+        "account_id": 1,
+        "performer_id": 1,
+        "repository_id": 1,
+        "ip": "192.168.1.2",
+        "metadata_json": '{"\\ud83d\\ude02": "\\ud83d\\ude02\\ud83d\\udc4c\\ud83d\\udc4c\\ud83d\\udc4c\\ud83d\\udc4c", "key": "value", "time": 1522639800}',
+        "datetime": "2018-04-02T03:30",
+    },
+    "sort": [1522639800000, 233],
 }
 
 _log1 = Log(
-  "{\"\\ud83d\\ude02\": \"\\ud83d\\ude02\\ud83d\\udc4c\\ud83d\\udc4c\\ud83d\\udc4c\\ud83d\\udc4c\", \"key\": \"value\", \"time\": 1520479800}",
-  "192.168.1.1", parse("2018-03-08T03:30"), "user1.email", "user1.username", "user1.robot",
-  "user1.organization", "user1.username", "user1.email", "user1.robot", 1)
+    '{"\\ud83d\\ude02": "\\ud83d\\ude02\\ud83d\\udc4c\\ud83d\\udc4c\\ud83d\\udc4c\\ud83d\\udc4c", "key": "value", "time": 1520479800}',
+    "192.168.1.1",
+    parse("2018-03-08T03:30"),
+    "user1.email",
+    "user1.username",
+    "user1.robot",
+    "user1.organization",
+    "user1.username",
+    "user1.email",
+    "user1.robot",
+    1,
+)
 _log2 = Log(
-  "{\"\\ud83d\\ude02\": \"\\ud83d\\ude02\\ud83d\\udc4c\\ud83d\\udc4c\\ud83d\\udc4c\\ud83d\\udc4c\", \"key\": \"value\", \"time\": 1522639800}",
-  "192.168.1.2", parse("2018-04-02T03:30"), "user1.email", "user1.username", "user1.robot",
-  "user1.organization", "user1.username", "user1.email", "user1.robot", 2)
+    '{"\\ud83d\\ude02": "\\ud83d\\ude02\\ud83d\\udc4c\\ud83d\\udc4c\\ud83d\\udc4c\\ud83d\\udc4c", "key": "value", "time": 1522639800}',
+    "192.168.1.2",
+    parse("2018-04-02T03:30"),
+    "user1.email",
+    "user1.username",
+    "user1.robot",
+    "user1.organization",
+    "user1.username",
+    "user1.email",
+    "user1.robot",
+    2,
+)
 
 SEARCH_RESPONSE_START = _status(_shards(_hits([_hit1, _hit2])))
 SEARCH_RESPONSE_END = _status(_shards(_hits([_hit2])))
 SEARCH_REQUEST_START = {
-  "sort": [{
-    "datetime": "desc"
-  }, {
-    "random_id.keyword": "desc"
-  }],
-  "query": {
-    "bool": {
-      "filter": [{
-        "term": {
-          "performer_id": 1
+    "sort": [{"datetime": "desc"}, {"random_id.keyword": "desc"}],
+    "query": {
+        "bool": {
+            "filter": [{"term": {"performer_id": 1}}, {"term": {"repository_id": 1}}]
         }
-      }, {
-        "term": {
-          "repository_id": 1
-        }
-      }]
-    }
-  },
-  "size": 2
+    },
+    "size": 2,
 }
 SEARCH_REQUEST_END = {
-  "sort": [{
-    "datetime": "desc"
-  }, {
-    "random_id.keyword": "desc"
-  }],
-  "query": {
-    "bool": {
-      "filter": [{
-        "term": {
-          "performer_id": 1
+    "sort": [{"datetime": "desc"}, {"random_id.keyword": "desc"}],
+    "query": {
+        "bool": {
+            "filter": [{"term": {"performer_id": 1}}, {"term": {"repository_id": 1}}]
         }
-      }, {
-        "term": {
-          "repository_id": 1
-        }
-      }]
-    }
-  },
-  "search_after": [1520479800000, 233],
-  "size": 2
+    },
+    "search_after": [1520479800000, 233],
+    "size": 2,
 }
 SEARCH_REQUEST_FILTER = {
-  "sort": [{
-    "datetime": "desc"
-  }, {
-    "random_id.keyword": "desc"
-  }],
-  "query": {
-    "bool": {
-      "filter": [{
-        "term": {
-          "performer_id": 1
-        }
-      }, {
-        "term": {
-          "repository_id": 1
-        }
-      }, {
+    "sort": [{"datetime": "desc"}, {"random_id.keyword": "desc"}],
+    "query": {
         "bool": {
-          "must_not": [{
-            "terms": {
-              "kind_id": [1]
-            }
-          }]
+            "filter": [
+                {"term": {"performer_id": 1}},
+                {"term": {"repository_id": 1}},
+                {"bool": {"must_not": [{"terms": {"kind_id": [1]}}]}},
+            ]
         }
-      }]
-    }
-  },
-  "size": 2
+    },
+    "size": 2,
 }
 SEARCH_PAGE_TOKEN = {
-  "datetime": datetime(2018, 3, 8, 3, 30).isoformat(),
-  "random_id": 233,
-  "page_number": 1
+    "datetime": datetime(2018, 3, 8, 3, 30).isoformat(),
+    "random_id": 233,
+    "page_number": 1,
 }
 SEARCH_PAGE_START = LogEntriesPage(logs=[_log1], next_page_token=SEARCH_PAGE_TOKEN)
 SEARCH_PAGE_END = LogEntriesPage(logs=[_log2], next_page_token=None)
 SEARCH_PAGE_EMPTY = LogEntriesPage([], None)
 
 AGGS_RESPONSE = _status(
-  _shards({
-    "hits": {
-      "total": 4,
-      "max_score": None,
-      "hits": []
-    },
-    "aggregations": {
-      "by_id": {
-        "doc_count_error_upper_bound":
-          0,
-        "sum_other_doc_count":
-          0,
-        "buckets": [{
-          "key": 2,
-          "doc_count": 3,
-          "by_date": {
-            "buckets": [{
-              "key_as_string": "2009-11-12T00:00:00.000Z",
-              "key": 1257984000000,
-              "doc_count": 1
-            }, {
-              "key_as_string": "2009-11-13T00:00:00.000Z",
-              "key": 1258070400000,
-              "doc_count": 0
-            }, {
-              "key_as_string": "2009-11-14T00:00:00.000Z",
-              "key": 1258156800000,
-              "doc_count": 2
-            }]
-          }
-        }, {
-          "key": 1,
-          "doc_count": 1,
-          "by_date": {
-            "buckets": [{
-              "key_as_string": "2009-11-15T00:00:00.000Z",
-              "key": 1258243200000,
-              "doc_count": 1
-            }]
-          }
-        }]
-      }
-    }
-  }))
+    _shards(
+        {
+            "hits": {"total": 4, "max_score": None, "hits": []},
+            "aggregations": {
+                "by_id": {
+                    "doc_count_error_upper_bound": 0,
+                    "sum_other_doc_count": 0,
+                    "buckets": [
+                        {
+                            "key": 2,
+                            "doc_count": 3,
+                            "by_date": {
+                                "buckets": [
+                                    {
+                                        "key_as_string": "2009-11-12T00:00:00.000Z",
+                                        "key": 1257984000000,
+                                        "doc_count": 1,
+                                    },
+                                    {
+                                        "key_as_string": "2009-11-13T00:00:00.000Z",
+                                        "key": 1258070400000,
+                                        "doc_count": 0,
+                                    },
+                                    {
+                                        "key_as_string": "2009-11-14T00:00:00.000Z",
+                                        "key": 1258156800000,
+                                        "doc_count": 2,
+                                    },
+                                ]
+                            },
+                        },
+                        {
+                            "key": 1,
+                            "doc_count": 1,
+                            "by_date": {
+                                "buckets": [
+                                    {
+                                        "key_as_string": "2009-11-15T00:00:00.000Z",
+                                        "key": 1258243200000,
+                                        "doc_count": 1,
+                                    }
+                                ]
+                            },
+                        },
+                    ],
+                }
+            },
+        }
+    )
+)
 
 AGGS_REQUEST = {
-  "query": {
-    "bool": {
-      "filter": [{
-        "term": {
-          "performer_id": 1
-        }
-      }, {
-        "term": {
-          "repository_id": 1
-        }
-      }, {
+    "query": {
         "bool": {
-          "must_not": [{
-            "terms": {
-              "kind_id": [2]
-            }
-          }]
+            "filter": [
+                {"term": {"performer_id": 1}},
+                {"term": {"repository_id": 1}},
+                {"bool": {"must_not": [{"terms": {"kind_id": [2]}}]}},
+            ],
+            "must": [
+                {
+                    "range": {
+                        "datetime": {
+                            "lt": "2018-04-08T03:30:00",
+                            "gte": "2018-03-08T03:30:00",
+                        }
+                    }
+                }
+            ],
         }
-      }],
-      "must": [{
-        "range": {
-          "datetime": {
-            "lt": "2018-04-08T03:30:00",
-            "gte": "2018-03-08T03:30:00"
-          }
+    },
+    "aggs": {
+        "by_id": {
+            "terms": {"field": "kind_id"},
+            "aggs": {
+                "by_date": {"date_histogram": {"field": "datetime", "interval": "day"}}
+            },
         }
-      }]
-    }
-  },
-  "aggs": {
-    "by_id": {
-      "terms": {
-        "field": "kind_id"
-      },
-      "aggs": {
-        "by_date": {
-          "date_histogram": {
-            "field": "datetime",
-            "interval": "day"
-          }
-        }
-      }
-    }
-  },
-  "size": 0
+    },
+    "size": 0,
 }
 
 AGGS_COUNT = [
-  AggregatedLogCount(1, 1, parse("2009-11-15T00:00:00.000")),
-  AggregatedLogCount(2, 1, parse("2009-11-12T00:00:00.000")),
-  AggregatedLogCount(2, 2, parse("2009-11-14T00:00:00.000"))
+    AggregatedLogCount(1, 1, parse("2009-11-15T00:00:00.000")),
+    AggregatedLogCount(2, 1, parse("2009-11-12T00:00:00.000")),
+    AggregatedLogCount(2, 2, parse("2009-11-14T00:00:00.000")),
 ]
 
-COUNT_REQUEST = {
-  "query": {
-    "bool": {
-      "filter": [{
-        "term": {
-          "repository_id": 1
-        }
-      }]
-    }
-  }
-}
-COUNT_RESPONSE = _status(_shards({
-  "count": 1,
-}))
+COUNT_REQUEST = {"query": {"bool": {"filter": [{"term": {"repository_id": 1}}]}}}
+COUNT_RESPONSE = _status(_shards({"count": 1}))
 
 # assume there are 2 pages
 _scroll_id = "DnF1ZXJ5VGhlbkZldGNoBQAAAAAAACEmFkk1aGlTRzdSUWllejZmYTlEYTN3SVEAAAAAAAAhJRZJNWhpU0c3UlFpZXo2ZmE5RGEzd0lRAAAAAAAAHtAWLWZpaFZXVzVSTy1OTXA5V3MwcHZrZwAAAAAAAB7RFi1maWhWV1c1Uk8tTk1wOVdzMHB2a2cAAAAAAAAhJxZJNWhpU0c3UlFpZXo2ZmE5RGEzd0lR"
 
 
 def _scroll(d):
-  d["_scroll_id"] = _scroll_id
-  return d
+    d["_scroll_id"] = _scroll_id
+    return d
 
 
 SCROLL_CREATE = _status(_shards(_scroll(_hits([_hit1]))))
@@ -379,22 +315,24 @@ SCROLL_DELETE = _status({"succeeded": True, "num_freed": 5})
 SCROLL_LOGS = [[_log1], [_log2]]
 
 SCROLL_REQUESTS = [
-  [
-    "5m", 1, {
-      "sort": "_doc",
-      "query": {
-        "range": {
-          "datetime": {
-            "lt": "2018-04-02T00:00:00",
-            "gte": "2018-03-08T00:00:00"
-          }
-        }
-      }
-    }
-  ],
-  [{"scroll": "5m", "scroll_id": _scroll_id}],
-  [{"scroll":"5m", "scroll_id": _scroll_id}],
-  [{"scroll_id": [_scroll_id]}],
+    [
+        "5m",
+        1,
+        {
+            "sort": "_doc",
+            "query": {
+                "range": {
+                    "datetime": {
+                        "lt": "2018-04-02T00:00:00",
+                        "gte": "2018-03-08T00:00:00",
+                    }
+                }
+            },
+        },
+    ],
+    [{"scroll": "5m", "scroll_id": _scroll_id}],
+    [{"scroll": "5m", "scroll_id": _scroll_id}],
+    [{"scroll_id": [_scroll_id]}],
 ]
 
 SCROLL_RESPONSES = [SCROLL_CREATE, SCROLL_GET, SCROLL_GET_2, SCROLL_DELETE]
diff --git a/data/logs_model/test/test_combined_model.py b/data/logs_model/test/test_combined_model.py
index 7b288e72f..c6a6c6297 100644
--- a/data/logs_model/test/test_combined_model.py
+++ b/data/logs_model/test/test_combined_model.py
@@ -10,121 +10,144 @@ from test.fixtures import *
 
 @pytest.fixture()
 def first_model():
-  return InMemoryModel()
+    return InMemoryModel()
 
 
 @pytest.fixture()
 def second_model():
-  return InMemoryModel()
+    return InMemoryModel()
 
 
 @pytest.fixture()
 def combined_model(first_model, second_model, initialized_db):
-  return CombinedLogsModel(first_model, second_model)
+    return CombinedLogsModel(first_model, second_model)
 
 
 def test_log_action(first_model, second_model, combined_model, initialized_db):
-  day = date(2019, 1, 1)
+    day = date(2019, 1, 1)
 
-  # Write to the combined model.
-  with freeze_time(day):
-    combined_model.log_action('push_repo', namespace_name='devtable', repository_name='simple',
-                              ip='1.2.3.4')
+    # Write to the combined model.
+    with freeze_time(day):
+        combined_model.log_action(
+            "push_repo",
+            namespace_name="devtable",
+            repository_name="simple",
+            ip="1.2.3.4",
+        )
 
-  simple_repo = model.repository.get_repository('devtable', 'simple')
+    simple_repo = model.repository.get_repository("devtable", "simple")
 
-  # Make sure it is found in the first model but not the second.
-  assert combined_model.count_repository_actions(simple_repo, day) == 1
-  assert first_model.count_repository_actions(simple_repo, day) == 1
-  assert second_model.count_repository_actions(simple_repo, day) == 0
+    # Make sure it is found in the first model but not the second.
+    assert combined_model.count_repository_actions(simple_repo, day) == 1
+    assert first_model.count_repository_actions(simple_repo, day) == 1
+    assert second_model.count_repository_actions(simple_repo, day) == 0
 
 
-def test_count_repository_actions(first_model, second_model, combined_model, initialized_db):
-  # Write to each model.
-  first_model.log_action('push_repo', namespace_name='devtable', repository_name='simple',
-                         ip='1.2.3.4')
-  first_model.log_action('push_repo', namespace_name='devtable', repository_name='simple',
-                         ip='1.2.3.4')
-  first_model.log_action('push_repo', namespace_name='devtable', repository_name='simple',
-                         ip='1.2.3.4')
+def test_count_repository_actions(
+    first_model, second_model, combined_model, initialized_db
+):
+    # Write to each model.
+    first_model.log_action(
+        "push_repo", namespace_name="devtable", repository_name="simple", ip="1.2.3.4"
+    )
+    first_model.log_action(
+        "push_repo", namespace_name="devtable", repository_name="simple", ip="1.2.3.4"
+    )
+    first_model.log_action(
+        "push_repo", namespace_name="devtable", repository_name="simple", ip="1.2.3.4"
+    )
 
-  second_model.log_action('push_repo', namespace_name='devtable', repository_name='simple',
-                          ip='1.2.3.4')
-  second_model.log_action('push_repo', namespace_name='devtable', repository_name='simple',
-                          ip='1.2.3.4')
+    second_model.log_action(
+        "push_repo", namespace_name="devtable", repository_name="simple", ip="1.2.3.4"
+    )
+    second_model.log_action(
+        "push_repo", namespace_name="devtable", repository_name="simple", ip="1.2.3.4"
+    )
 
-  # Ensure the counts match as expected.
-  day = datetime.today() - timedelta(minutes=60)
-  simple_repo = model.repository.get_repository('devtable', 'simple')
+    # Ensure the counts match as expected.
+    day = datetime.today() - timedelta(minutes=60)
+    simple_repo = model.repository.get_repository("devtable", "simple")
 
-  assert first_model.count_repository_actions(simple_repo, day) == 3
-  assert second_model.count_repository_actions(simple_repo, day) == 2
-  assert combined_model.count_repository_actions(simple_repo, day) == 5
+    assert first_model.count_repository_actions(simple_repo, day) == 3
+    assert second_model.count_repository_actions(simple_repo, day) == 2
+    assert combined_model.count_repository_actions(simple_repo, day) == 5
 
 
-def test_yield_logs_for_export(first_model, second_model, combined_model, initialized_db):
-  now = datetime.now()
+def test_yield_logs_for_export(
+    first_model, second_model, combined_model, initialized_db
+):
+    now = datetime.now()
 
-  # Write to each model.
-  first_model.log_action('push_repo', namespace_name='devtable', repository_name='simple',
-                         ip='1.2.3.4')
-  first_model.log_action('push_repo', namespace_name='devtable', repository_name='simple',
-                         ip='1.2.3.4')
-  first_model.log_action('push_repo', namespace_name='devtable', repository_name='simple',
-                         ip='1.2.3.4')
+    # Write to each model.
+    first_model.log_action(
+        "push_repo", namespace_name="devtable", repository_name="simple", ip="1.2.3.4"
+    )
+    first_model.log_action(
+        "push_repo", namespace_name="devtable", repository_name="simple", ip="1.2.3.4"
+    )
+    first_model.log_action(
+        "push_repo", namespace_name="devtable", repository_name="simple", ip="1.2.3.4"
+    )
 
-  second_model.log_action('push_repo', namespace_name='devtable', repository_name='simple',
-                          ip='1.2.3.4')
-  second_model.log_action('push_repo', namespace_name='devtable', repository_name='simple',
-                          ip='1.2.3.4')
+    second_model.log_action(
+        "push_repo", namespace_name="devtable", repository_name="simple", ip="1.2.3.4"
+    )
+    second_model.log_action(
+        "push_repo", namespace_name="devtable", repository_name="simple", ip="1.2.3.4"
+    )
 
-  later = datetime.now()
+    later = datetime.now()
 
-  # Ensure the full set of logs is yielded.
-  first_logs = list(first_model.yield_logs_for_export(now, later))[0]
-  second_logs = list(second_model.yield_logs_for_export(now, later))[0]
+    # Ensure the full set of logs is yielded.
+    first_logs = list(first_model.yield_logs_for_export(now, later))[0]
+    second_logs = list(second_model.yield_logs_for_export(now, later))[0]
 
-  combined = list(combined_model.yield_logs_for_export(now, later))
-  full_combined = []
-  for subset in combined:
-    full_combined.extend(subset)
+    combined = list(combined_model.yield_logs_for_export(now, later))
+    full_combined = []
+    for subset in combined:
+        full_combined.extend(subset)
 
-  assert len(full_combined) == len(first_logs) + len(second_logs)
-  assert full_combined == (first_logs + second_logs)
+    assert len(full_combined) == len(first_logs) + len(second_logs)
+    assert full_combined == (first_logs + second_logs)
 
 
 def test_lookup_logs(first_model, second_model, combined_model, initialized_db):
-  now = datetime.now()
+    now = datetime.now()
 
-  # Write to each model.
-  first_model.log_action('push_repo', namespace_name='devtable', repository_name='simple',
-                         ip='1.2.3.4')
-  first_model.log_action('push_repo', namespace_name='devtable', repository_name='simple',
-                         ip='1.2.3.4')
-  first_model.log_action('push_repo', namespace_name='devtable', repository_name='simple',
-                         ip='1.2.3.4')
+    # Write to each model.
+    first_model.log_action(
+        "push_repo", namespace_name="devtable", repository_name="simple", ip="1.2.3.4"
+    )
+    first_model.log_action(
+        "push_repo", namespace_name="devtable", repository_name="simple", ip="1.2.3.4"
+    )
+    first_model.log_action(
+        "push_repo", namespace_name="devtable", repository_name="simple", ip="1.2.3.4"
+    )
 
-  second_model.log_action('push_repo', namespace_name='devtable', repository_name='simple',
-                          ip='1.2.3.4')
-  second_model.log_action('push_repo', namespace_name='devtable', repository_name='simple',
-                          ip='1.2.3.4')
+    second_model.log_action(
+        "push_repo", namespace_name="devtable", repository_name="simple", ip="1.2.3.4"
+    )
+    second_model.log_action(
+        "push_repo", namespace_name="devtable", repository_name="simple", ip="1.2.3.4"
+    )
 
-  later = datetime.now()
+    later = datetime.now()
 
-  def _collect_logs(model):
-    page_token = None
-    all_logs = []
-    while True:
-      paginated_logs = model.lookup_logs(now, later, page_token=page_token)
-      page_token = paginated_logs.next_page_token
-      all_logs.extend(paginated_logs.logs)
-      if page_token is None:
-        break
-    return all_logs
+    def _collect_logs(model):
+        page_token = None
+        all_logs = []
+        while True:
+            paginated_logs = model.lookup_logs(now, later, page_token=page_token)
+            page_token = paginated_logs.next_page_token
+            all_logs.extend(paginated_logs.logs)
+            if page_token is None:
+                break
+        return all_logs
 
-  first_logs = _collect_logs(first_model)
-  second_logs = _collect_logs(second_model)
-  combined = _collect_logs(combined_model)
+    first_logs = _collect_logs(first_model)
+    second_logs = _collect_logs(second_model)
+    combined = _collect_logs(combined_model)
 
-  assert len(combined) == len(first_logs) + len(second_logs)
-  assert combined == (first_logs + second_logs)
+    assert len(combined) == len(first_logs) + len(second_logs)
+    assert combined == (first_logs + second_logs)
diff --git a/data/logs_model/test/test_elasticsearch.py b/data/logs_model/test/test_elasticsearch.py
index a305010f4..2449c6168 100644
--- a/data/logs_model/test/test_elasticsearch.py
+++ b/data/logs_model/test/test_elasticsearch.py
@@ -12,256 +12,340 @@ from dateutil.parser import parse
 from httmock import urlmatch, HTTMock
 
 from data.model.log import _json_serialize
-from data.logs_model.elastic_logs import ElasticsearchLogs, INDEX_NAME_PREFIX, INDEX_DATE_FORMAT
+from data.logs_model.elastic_logs import (
+    ElasticsearchLogs,
+    INDEX_NAME_PREFIX,
+    INDEX_DATE_FORMAT,
+)
 from data.logs_model import configure, LogsModelProxy
 from mock_elasticsearch import *
 
-FAKE_ES_HOST = 'fakees'
-FAKE_ES_HOST_PATTERN = r'fakees.*'
+FAKE_ES_HOST = "fakees"
+FAKE_ES_HOST_PATTERN = r"fakees.*"
 FAKE_ES_PORT = 443
 FAKE_AWS_ACCESS_KEY = None
 FAKE_AWS_SECRET_KEY = None
 FAKE_AWS_REGION = None
 
+
 @pytest.fixture()
 def logs_model_config():
-  conf = {
-    'LOGS_MODEL': 'elasticsearch',
-    'LOGS_MODEL_CONFIG': {
-      'producer': 'elasticsearch',
-      'elasticsearch_config': {
-        'host': FAKE_ES_HOST,
-        'port': FAKE_ES_PORT,
-        'access_key': FAKE_AWS_ACCESS_KEY,
-        'secret_key': FAKE_AWS_SECRET_KEY,
-        'aws_region': FAKE_AWS_REGION
-      }
+    conf = {
+        "LOGS_MODEL": "elasticsearch",
+        "LOGS_MODEL_CONFIG": {
+            "producer": "elasticsearch",
+            "elasticsearch_config": {
+                "host": FAKE_ES_HOST,
+                "port": FAKE_ES_PORT,
+                "access_key": FAKE_AWS_ACCESS_KEY,
+                "secret_key": FAKE_AWS_SECRET_KEY,
+                "aws_region": FAKE_AWS_REGION,
+            },
+        },
     }
-  }
-  return conf
+    return conf
 
 
-FAKE_LOG_ENTRY_KINDS = {'push_repo': 1, 'pull_repo': 2}
+FAKE_LOG_ENTRY_KINDS = {"push_repo": 1, "pull_repo": 2}
 FAKE_NAMESPACES = {
-  'user1':
-    Mock(id=1, organization="user1.organization", username="user1.username", email="user1.email",
-         robot="user1.robot"),
-  'user2':
-    Mock(id=2, organization="user2.organization", username="user2.username", email="user2.email",
-         robot="user2.robot")
+    "user1": Mock(
+        id=1,
+        organization="user1.organization",
+        username="user1.username",
+        email="user1.email",
+        robot="user1.robot",
+    ),
+    "user2": Mock(
+        id=2,
+        organization="user2.organization",
+        username="user2.username",
+        email="user2.email",
+        robot="user2.robot",
+    ),
 }
 FAKE_REPOSITORIES = {
-  'user1/repo1': Mock(id=1, namespace_user=FAKE_NAMESPACES['user1']),
-  'user2/repo2': Mock(id=2, namespace_user=FAKE_NAMESPACES['user2']),
+    "user1/repo1": Mock(id=1, namespace_user=FAKE_NAMESPACES["user1"]),
+    "user2/repo2": Mock(id=2, namespace_user=FAKE_NAMESPACES["user2"]),
 }
 
 
 @pytest.fixture()
 def logs_model():
-  # prevent logs model from changing
-  logs_model = LogsModelProxy()
-  with patch('data.logs_model.logs_model', logs_model):
-    yield logs_model
+    # prevent logs model from changing
+    logs_model = LogsModelProxy()
+    with patch("data.logs_model.logs_model", logs_model):
+        yield logs_model
 
 
-@pytest.fixture(scope='function')
+@pytest.fixture(scope="function")
 def app_config(logs_model_config):
-  fake_config = {}
-  fake_config.update(logs_model_config)
-  with patch("data.logs_model.document_logs_model.config.app_config", fake_config):
-    yield fake_config
+    fake_config = {}
+    fake_config.update(logs_model_config)
+    with patch("data.logs_model.document_logs_model.config.app_config", fake_config):
+        yield fake_config
 
 
 @pytest.fixture()
 def mock_page_size():
-  with patch('data.logs_model.document_logs_model.PAGE_SIZE', 1):
-    yield
+    with patch("data.logs_model.document_logs_model.PAGE_SIZE", 1):
+        yield
 
 
 @pytest.fixture()
 def mock_max_result_window():
-  with patch('data.logs_model.document_logs_model.DEFAULT_RESULT_WINDOW', 1):
-    yield
+    with patch("data.logs_model.document_logs_model.DEFAULT_RESULT_WINDOW", 1):
+        yield
 
 
 @pytest.fixture
 def mock_random_id():
-  mock_random = Mock(return_value=233)
-  with patch('data.logs_model.document_logs_model._random_id', mock_random):
-    yield
+    mock_random = Mock(return_value=233)
+    with patch("data.logs_model.document_logs_model._random_id", mock_random):
+        yield
 
 
 @pytest.fixture()
 def mock_db_model():
-  def get_user_map_by_ids(namespace_ids):
-    mapping = {}
-    for i in namespace_ids:
-      for name in FAKE_NAMESPACES:
-        if FAKE_NAMESPACES[name].id == i:
-          mapping[i] = FAKE_NAMESPACES[name]
-    return mapping
+    def get_user_map_by_ids(namespace_ids):
+        mapping = {}
+        for i in namespace_ids:
+            for name in FAKE_NAMESPACES:
+                if FAKE_NAMESPACES[name].id == i:
+                    mapping[i] = FAKE_NAMESPACES[name]
+        return mapping
 
-  model = Mock(
-    user=Mock(
-      get_namespace_user=FAKE_NAMESPACES.get,
-      get_user_or_org=FAKE_NAMESPACES.get,
-      get_user=FAKE_NAMESPACES.get,
-      get_user_map_by_ids=get_user_map_by_ids,
-    ),
-    repository=Mock(get_repository=lambda user_name, repo_name: FAKE_REPOSITORIES.get(
-      user_name + '/' + repo_name),
-                    ),
-    log=Mock(
-      _get_log_entry_kind=lambda name: FAKE_LOG_ENTRY_KINDS[name],
-      _json_serialize=_json_serialize,
-      get_log_entry_kinds=Mock(return_value=FAKE_LOG_ENTRY_KINDS),
-    ),
-  )
+    model = Mock(
+        user=Mock(
+            get_namespace_user=FAKE_NAMESPACES.get,
+            get_user_or_org=FAKE_NAMESPACES.get,
+            get_user=FAKE_NAMESPACES.get,
+            get_user_map_by_ids=get_user_map_by_ids,
+        ),
+        repository=Mock(
+            get_repository=lambda user_name, repo_name: FAKE_REPOSITORIES.get(
+                user_name + "/" + repo_name
+            )
+        ),
+        log=Mock(
+            _get_log_entry_kind=lambda name: FAKE_LOG_ENTRY_KINDS[name],
+            _json_serialize=_json_serialize,
+            get_log_entry_kinds=Mock(return_value=FAKE_LOG_ENTRY_KINDS),
+        ),
+    )
 
-  with patch('data.logs_model.document_logs_model.model', model), patch(
-      'data.logs_model.datatypes.model', model):
-    yield
+    with patch("data.logs_model.document_logs_model.model", model), patch(
+        "data.logs_model.datatypes.model", model
+    ):
+        yield
 
 
 def parse_query(query):
-  return {s.split('=')[0]: s.split('=')[1] for s in query.split("&") if s != ""}
+    return {s.split("=")[0]: s.split("=")[1] for s in query.split("&") if s != ""}
 
 
 @pytest.fixture()
 def mock_elasticsearch():
-  mock = Mock()
-  mock.template.side_effect = NotImplementedError
-  mock.index.side_effect = NotImplementedError
-  mock.count.side_effect = NotImplementedError
-  mock.scroll_get.side_effect = NotImplementedError
-  mock.scroll_delete.side_effect = NotImplementedError
-  mock.search_scroll_create.side_effect = NotImplementedError
-  mock.search_aggs.side_effect = NotImplementedError
-  mock.search_after.side_effect = NotImplementedError
-  mock.list_indices.side_effect = NotImplementedError
+    mock = Mock()
+    mock.template.side_effect = NotImplementedError
+    mock.index.side_effect = NotImplementedError
+    mock.count.side_effect = NotImplementedError
+    mock.scroll_get.side_effect = NotImplementedError
+    mock.scroll_delete.side_effect = NotImplementedError
+    mock.search_scroll_create.side_effect = NotImplementedError
+    mock.search_aggs.side_effect = NotImplementedError
+    mock.search_after.side_effect = NotImplementedError
+    mock.list_indices.side_effect = NotImplementedError
 
-  @urlmatch(netloc=r'.*', path=r'.*')
-  def default(url, req):
-    raise Exception('\nurl={}\nmethod={}\nreq.url={}\nheaders={}\nbody={}'.format(
-      url, req.method, req.url, req.headers, req.body))
+    @urlmatch(netloc=r".*", path=r".*")
+    def default(url, req):
+        raise Exception(
+            "\nurl={}\nmethod={}\nreq.url={}\nheaders={}\nbody={}".format(
+                url, req.method, req.url, req.headers, req.body
+            )
+        )
 
-  @urlmatch(netloc=FAKE_ES_HOST_PATTERN, path=r'/_template/.*')
-  def template(url, req):
-    return mock.template(url.query.split('/')[-1], req.body)
+    @urlmatch(netloc=FAKE_ES_HOST_PATTERN, path=r"/_template/.*")
+    def template(url, req):
+        return mock.template(url.query.split("/")[-1], req.body)
 
-  @urlmatch(netloc=FAKE_ES_HOST_PATTERN, path=r'/logentry_(\*|[0-9\-]+)')
-  def list_indices(url, req):
-    return mock.list_indices()
+    @urlmatch(netloc=FAKE_ES_HOST_PATTERN, path=r"/logentry_(\*|[0-9\-]+)")
+    def list_indices(url, req):
+        return mock.list_indices()
 
-  @urlmatch(netloc=FAKE_ES_HOST_PATTERN, path=r'/logentry_[0-9\-]*/_doc')
-  def index(url, req):
-    index = url.path.split('/')[1]
-    body = json.loads(req.body)
-    body['metadata_json'] = json.loads(body['metadata_json'])
-    return mock.index(index, body)
+    @urlmatch(netloc=FAKE_ES_HOST_PATTERN, path=r"/logentry_[0-9\-]*/_doc")
+    def index(url, req):
+        index = url.path.split("/")[1]
+        body = json.loads(req.body)
+        body["metadata_json"] = json.loads(body["metadata_json"])
+        return mock.index(index, body)
 
-  @urlmatch(netloc=FAKE_ES_HOST_PATTERN, path=r'/logentry_([0-9\-]*|\*)/_count')
-  def count(_, req):
-    return mock.count(json.loads(req.body))
+    @urlmatch(netloc=FAKE_ES_HOST_PATTERN, path=r"/logentry_([0-9\-]*|\*)/_count")
+    def count(_, req):
+        return mock.count(json.loads(req.body))
 
-  @urlmatch(netloc=FAKE_ES_HOST_PATTERN, path=r'/_search/scroll')
-  def scroll(url, req):
-    if req.method == 'DELETE':
-      return mock.scroll_delete(json.loads(req.body))
-    elif req.method == 'GET':
-      request_obj = json.loads(req.body)
-      return mock.scroll_get(request_obj)
-    raise NotImplementedError()
+    @urlmatch(netloc=FAKE_ES_HOST_PATTERN, path=r"/_search/scroll")
+    def scroll(url, req):
+        if req.method == "DELETE":
+            return mock.scroll_delete(json.loads(req.body))
+        elif req.method == "GET":
+            request_obj = json.loads(req.body)
+            return mock.scroll_get(request_obj)
+        raise NotImplementedError()
 
-  @urlmatch(netloc=FAKE_ES_HOST_PATTERN, path=r'/logentry_(\*|[0-9\-]*)/_search')
-  def search(url, req):
-    if "scroll" in url.query:
-      query = parse_query(url.query)
-      window_size = query['scroll']
-      maximum_result_size = int(query['size'])
-      return mock.search_scroll_create(window_size, maximum_result_size, json.loads(req.body))
-    elif "aggs" in req.body:
-      return mock.search_aggs(json.loads(req.body))
-    else:
-      return mock.search_after(json.loads(req.body))
+    @urlmatch(netloc=FAKE_ES_HOST_PATTERN, path=r"/logentry_(\*|[0-9\-]*)/_search")
+    def search(url, req):
+        if "scroll" in url.query:
+            query = parse_query(url.query)
+            window_size = query["scroll"]
+            maximum_result_size = int(query["size"])
+            return mock.search_scroll_create(
+                window_size, maximum_result_size, json.loads(req.body)
+            )
+        elif "aggs" in req.body:
+            return mock.search_aggs(json.loads(req.body))
+        else:
+            return mock.search_after(json.loads(req.body))
 
-  with HTTMock(scroll, count, search, index, template, list_indices, default):
-    yield mock
+    with HTTMock(scroll, count, search, index, template, list_indices, default):
+        yield mock
 
 
 @pytest.mark.parametrize(
-  """
+    """
   unlogged_pulls_ok, kind_name, namespace_name, repository, repository_name,
   timestamp,
   index_response, expected_request, throws
   """,
-  [
-    # Invalid inputs
-    pytest.param(
-      False, 'non-existing', None, None, None,
-      None,
-      None, None, True,
-      id="Invalid Kind"
-    ),
-    pytest.param(
-      False, 'pull_repo', 'user1', Mock(id=1), 'repo1',
-      None,
-      None, None, True,
-      id="Invalid Parameters"
-    ),
+    [
+        # Invalid inputs
+        pytest.param(
+            False,
+            "non-existing",
+            None,
+            None,
+            None,
+            None,
+            None,
+            None,
+            True,
+            id="Invalid Kind",
+        ),
+        pytest.param(
+            False,
+            "pull_repo",
+            "user1",
+            Mock(id=1),
+            "repo1",
+            None,
+            None,
+            None,
+            True,
+            id="Invalid Parameters",
+        ),
+        # Remote exceptions
+        pytest.param(
+            False,
+            "pull_repo",
+            "user1",
+            Mock(id=1),
+            None,
+            None,
+            FAILURE_400,
+            None,
+            True,
+            id="Throw on pull log failure",
+        ),
+        pytest.param(
+            True,
+            "pull_repo",
+            "user1",
+            Mock(id=1),
+            None,
+            parse("2017-03-08T03:30"),
+            FAILURE_400,
+            INDEX_REQUEST_2017_03_08,
+            False,
+            id="Ok on pull log failure",
+        ),
+        # Success executions
+        pytest.param(
+            False,
+            "pull_repo",
+            "user1",
+            Mock(id=1),
+            None,
+            parse("2017-03-08T03:30"),
+            INDEX_RESPONSE_2017_03_08,
+            INDEX_REQUEST_2017_03_08,
+            False,
+            id="Log with namespace name and repository",
+        ),
+        pytest.param(
+            False,
+            "push_repo",
+            "user1",
+            None,
+            "repo1",
+            parse("2019-01-01T03:30"),
+            INDEX_RESPONSE_2019_01_01,
+            INDEX_REQUEST_2019_01_01,
+            False,
+            id="Log with namespace name and repository name",
+        ),
+    ],
+)
+def test_log_action(
+    unlogged_pulls_ok,
+    kind_name,
+    namespace_name,
+    repository,
+    repository_name,
+    timestamp,
+    index_response,
+    expected_request,
+    throws,
+    app_config,
+    logs_model,
+    mock_elasticsearch,
+    mock_db_model,
+    mock_random_id,
+):
+    mock_elasticsearch.template = Mock(return_value=DEFAULT_TEMPLATE_RESPONSE)
+    mock_elasticsearch.index = Mock(return_value=index_response)
+    app_config["ALLOW_PULLS_WITHOUT_STRICT_LOGGING"] = unlogged_pulls_ok
+    configure(app_config)
 
-    # Remote exceptions
-    pytest.param(
-      False, 'pull_repo', 'user1', Mock(id=1), None,
-      None,
-      FAILURE_400, None, True,
-      id="Throw on pull log failure"
-    ),
-    pytest.param(
-      True, 'pull_repo', 'user1', Mock(id=1), None,
-      parse("2017-03-08T03:30"),
-      FAILURE_400, INDEX_REQUEST_2017_03_08, False,
-      id="Ok on pull log failure"
-    ),
-
-    # Success executions
-    pytest.param(
-      False, 'pull_repo', 'user1', Mock(id=1), None,
-      parse("2017-03-08T03:30"),
-      INDEX_RESPONSE_2017_03_08, INDEX_REQUEST_2017_03_08, False,
-      id="Log with namespace name and repository"
-    ),
-    pytest.param(
-      False, 'push_repo', 'user1', None, 'repo1',
-      parse("2019-01-01T03:30"),
-      INDEX_RESPONSE_2019_01_01, INDEX_REQUEST_2019_01_01, False,
-      id="Log with namespace name and repository name"
-    ),
-  ])
-def test_log_action(unlogged_pulls_ok, kind_name, namespace_name, repository, repository_name,
-                    timestamp,
-                    index_response, expected_request, throws,
-                    app_config, logs_model, mock_elasticsearch, mock_db_model, mock_random_id):
-  mock_elasticsearch.template = Mock(return_value=DEFAULT_TEMPLATE_RESPONSE)
-  mock_elasticsearch.index = Mock(return_value=index_response)
-  app_config['ALLOW_PULLS_WITHOUT_STRICT_LOGGING'] = unlogged_pulls_ok
-  configure(app_config)
-
-  performer = Mock(id=1)
-  ip = "192.168.1.1"
-  metadata = {'key': 'value', 'time': parse("2018-03-08T03:30"), '😂': '😂👌👌👌👌'}
-  if throws:
-    with pytest.raises(Exception):
-      logs_model.log_action(kind_name, namespace_name, performer, ip, metadata, repository,
-                            repository_name, timestamp)
-  else:
-    logs_model.log_action(kind_name, namespace_name, performer, ip, metadata, repository,
-                          repository_name, timestamp)
-    mock_elasticsearch.index.assert_called_with(*expected_request)
+    performer = Mock(id=1)
+    ip = "192.168.1.1"
+    metadata = {"key": "value", "time": parse("2018-03-08T03:30"), "😂": "😂👌👌👌👌"}
+    if throws:
+        with pytest.raises(Exception):
+            logs_model.log_action(
+                kind_name,
+                namespace_name,
+                performer,
+                ip,
+                metadata,
+                repository,
+                repository_name,
+                timestamp,
+            )
+    else:
+        logs_model.log_action(
+            kind_name,
+            namespace_name,
+            performer,
+            ip,
+            metadata,
+            repository,
+            repository_name,
+            timestamp,
+        )
+        mock_elasticsearch.index.assert_called_with(*expected_request)
 
 
 @pytest.mark.parametrize(
-  """
+    """
   start_datetime, end_datetime,
   performer_name, repository_name, namespace_name,
   filter_kinds,
@@ -273,257 +357,377 @@ def test_log_action(unlogged_pulls_ok, kind_name, namespace_name, repository, re
   expected_page,
   throws
   """,
-  [
-    # 1st page
-    pytest.param(
-      parse('2018-03-08T03:30'), parse('2018-04-08T03:30'),
-      'user1', 'repo1', 'user1',
-      None,
-      None,
-      None,
-      SEARCH_RESPONSE_START,
-      INDEX_LIST_RESPONSE_HIT1_HIT2,
-      SEARCH_REQUEST_START,
-      SEARCH_PAGE_START,
-      False,
-      id="1st page"
-    ),
+    [
+        # 1st page
+        pytest.param(
+            parse("2018-03-08T03:30"),
+            parse("2018-04-08T03:30"),
+            "user1",
+            "repo1",
+            "user1",
+            None,
+            None,
+            None,
+            SEARCH_RESPONSE_START,
+            INDEX_LIST_RESPONSE_HIT1_HIT2,
+            SEARCH_REQUEST_START,
+            SEARCH_PAGE_START,
+            False,
+            id="1st page",
+        ),
+        # Last page
+        pytest.param(
+            parse("2018-03-08T03:30"),
+            parse("2018-04-08T03:30"),
+            "user1",
+            "repo1",
+            "user1",
+            None,
+            SEARCH_PAGE_TOKEN,
+            None,
+            SEARCH_RESPONSE_END,
+            INDEX_LIST_RESPONSE_HIT1_HIT2,
+            SEARCH_REQUEST_END,
+            SEARCH_PAGE_END,
+            False,
+            id="Search using pagination token",
+        ),
+        # Filter
+        pytest.param(
+            parse("2018-03-08T03:30"),
+            parse("2018-04-08T03:30"),
+            "user1",
+            "repo1",
+            "user1",
+            ["push_repo"],
+            None,
+            None,
+            SEARCH_RESPONSE_END,
+            INDEX_LIST_RESPONSE_HIT2,
+            SEARCH_REQUEST_FILTER,
+            SEARCH_PAGE_END,
+            False,
+            id="Filtered search",
+        ),
+        # Max page count
+        pytest.param(
+            parse("2018-03-08T03:30"),
+            parse("2018-04-08T03:30"),
+            "user1",
+            "repo1",
+            "user1",
+            None,
+            SEARCH_PAGE_TOKEN,
+            1,
+            AssertionError,  # Assert that it should not reach the ES server
+            None,
+            None,
+            SEARCH_PAGE_EMPTY,
+            False,
+            id="Page token reaches maximum page count",
+        ),
+    ],
+)
+def test_lookup_logs(
+    start_datetime,
+    end_datetime,
+    performer_name,
+    repository_name,
+    namespace_name,
+    filter_kinds,
+    page_token,
+    max_page_count,
+    search_response,
+    list_indices_response,
+    expected_request,
+    expected_page,
+    throws,
+    logs_model,
+    mock_elasticsearch,
+    mock_db_model,
+    mock_page_size,
+    app_config,
+):
+    mock_elasticsearch.template = Mock(return_value=DEFAULT_TEMPLATE_RESPONSE)
+    mock_elasticsearch.search_after = Mock(return_value=search_response)
+    mock_elasticsearch.list_indices = Mock(return_value=list_indices_response)
 
-    # Last page
-    pytest.param(
-      parse('2018-03-08T03:30'), parse('2018-04-08T03:30'),
-      'user1', 'repo1', 'user1',
-      None,
-      SEARCH_PAGE_TOKEN,
-      None,
-      SEARCH_RESPONSE_END,
-      INDEX_LIST_RESPONSE_HIT1_HIT2,
-      SEARCH_REQUEST_END,
-      SEARCH_PAGE_END,
-      False,
-      id="Search using pagination token"
-    ),
-
-    # Filter
-    pytest.param(
-      parse('2018-03-08T03:30'), parse('2018-04-08T03:30'),
-      'user1', 'repo1', 'user1',
-      ['push_repo'],
-      None,
-      None,
-      SEARCH_RESPONSE_END,
-      INDEX_LIST_RESPONSE_HIT2,
-      SEARCH_REQUEST_FILTER,
-      SEARCH_PAGE_END,
-      False,
-      id="Filtered search"
-    ),
-
-    # Max page count
-    pytest.param(
-      parse('2018-03-08T03:30'), parse('2018-04-08T03:30'),
-      'user1', 'repo1', 'user1',
-      None,
-      SEARCH_PAGE_TOKEN,
-      1,
-      AssertionError, # Assert that it should not reach the ES server
-      None,
-      None,
-      SEARCH_PAGE_EMPTY,
-      False,
-      id="Page token reaches maximum page count",
-     ),
-  ])
-def test_lookup_logs(start_datetime, end_datetime,
-                     performer_name, repository_name, namespace_name,
-                     filter_kinds,
-                     page_token,
-                     max_page_count,
-                     search_response,
-                     list_indices_response,
-                     expected_request,
-                     expected_page,
-                     throws,
-                     logs_model, mock_elasticsearch, mock_db_model, mock_page_size, app_config):
-  mock_elasticsearch.template = Mock(return_value=DEFAULT_TEMPLATE_RESPONSE)
-  mock_elasticsearch.search_after = Mock(return_value=search_response)
-  mock_elasticsearch.list_indices = Mock(return_value=list_indices_response)
-
-  configure(app_config)
-  if throws:
-    with pytest.raises(Exception):
-      logs_model.lookup_logs(start_datetime, end_datetime, performer_name, repository_name,
-                             namespace_name, filter_kinds, page_token, max_page_count)
-  else:
-    page = logs_model.lookup_logs(start_datetime, end_datetime, performer_name, repository_name,
-                                  namespace_name, filter_kinds, page_token, max_page_count)
-    assert page == expected_page
-    if expected_request:
-      mock_elasticsearch.search_after.assert_called_with(expected_request)
+    configure(app_config)
+    if throws:
+        with pytest.raises(Exception):
+            logs_model.lookup_logs(
+                start_datetime,
+                end_datetime,
+                performer_name,
+                repository_name,
+                namespace_name,
+                filter_kinds,
+                page_token,
+                max_page_count,
+            )
+    else:
+        page = logs_model.lookup_logs(
+            start_datetime,
+            end_datetime,
+            performer_name,
+            repository_name,
+            namespace_name,
+            filter_kinds,
+            page_token,
+            max_page_count,
+        )
+        assert page == expected_page
+        if expected_request:
+            mock_elasticsearch.search_after.assert_called_with(expected_request)
 
 
 @pytest.mark.parametrize(
-  """
+    """
   start_datetime, end_datetime,
   performer_name, repository_name, namespace_name,
   filter_kinds, search_response, expected_request, expected_counts, throws
   """,
-  [
-    # Valid
-    pytest.param(
-      parse('2018-03-08T03:30'), parse('2018-04-08T03:30'),
-      'user1', 'repo1', 'user1',
-      ['pull_repo'], AGGS_RESPONSE, AGGS_REQUEST, AGGS_COUNT, False,
-      id="Valid Counts"
-    ),
+    [
+        # Valid
+        pytest.param(
+            parse("2018-03-08T03:30"),
+            parse("2018-04-08T03:30"),
+            "user1",
+            "repo1",
+            "user1",
+            ["pull_repo"],
+            AGGS_RESPONSE,
+            AGGS_REQUEST,
+            AGGS_COUNT,
+            False,
+            id="Valid Counts",
+        ),
+        # Invalid case: date range too big
+        pytest.param(
+            parse("2018-03-08T03:30"),
+            parse("2018-04-09T03:30"),
+            "user1",
+            "repo1",
+            "user1",
+            [],
+            None,
+            None,
+            None,
+            True,
+            id="Throw on date range too big",
+        ),
+    ],
+)
+def test_get_aggregated_log_counts(
+    start_datetime,
+    end_datetime,
+    performer_name,
+    repository_name,
+    namespace_name,
+    filter_kinds,
+    search_response,
+    expected_request,
+    expected_counts,
+    throws,
+    logs_model,
+    mock_elasticsearch,
+    mock_db_model,
+    app_config,
+):
+    mock_elasticsearch.template = Mock(return_value=DEFAULT_TEMPLATE_RESPONSE)
+    mock_elasticsearch.search_aggs = Mock(return_value=search_response)
 
-    # Invalid case: date range too big
-    pytest.param(
-      parse('2018-03-08T03:30'), parse('2018-04-09T03:30'),
-      'user1', 'repo1', 'user1',
-      [], None, None, None, True,
-      id="Throw on date range too big"
-    )
-  ])
-def test_get_aggregated_log_counts(start_datetime, end_datetime,
-                                   performer_name, repository_name, namespace_name,
-                                   filter_kinds, search_response, expected_request, expected_counts, throws,
-                                   logs_model, mock_elasticsearch, mock_db_model, app_config):
-  mock_elasticsearch.template = Mock(return_value=DEFAULT_TEMPLATE_RESPONSE)
-  mock_elasticsearch.search_aggs = Mock(return_value=search_response)
-
-  configure(app_config)
-  if throws:
-    with pytest.raises(Exception):
-      logs_model.get_aggregated_log_counts(start_datetime, end_datetime, performer_name,
-                                           repository_name, namespace_name, filter_kinds)
-  else:
-    counts = logs_model.get_aggregated_log_counts(start_datetime, end_datetime, performer_name,
-                                                  repository_name, namespace_name, filter_kinds)
-    assert set(counts) == set(expected_counts)
-    if expected_request:
-      mock_elasticsearch.search_aggs.assert_called_with(expected_request)
+    configure(app_config)
+    if throws:
+        with pytest.raises(Exception):
+            logs_model.get_aggregated_log_counts(
+                start_datetime,
+                end_datetime,
+                performer_name,
+                repository_name,
+                namespace_name,
+                filter_kinds,
+            )
+    else:
+        counts = logs_model.get_aggregated_log_counts(
+            start_datetime,
+            end_datetime,
+            performer_name,
+            repository_name,
+            namespace_name,
+            filter_kinds,
+        )
+        assert set(counts) == set(expected_counts)
+        if expected_request:
+            mock_elasticsearch.search_aggs.assert_called_with(expected_request)
 
 
 @pytest.mark.parametrize(
-  """
+    """
   repository,
   day,
   count_response, expected_request, expected_count, throws
   """,
-  [
-    pytest.param(
-      FAKE_REPOSITORIES['user1/repo1'],
-      parse("2018-03-08").date(),
-      COUNT_RESPONSE, COUNT_REQUEST, 1, False,
-      id="Valid Count with 1 as result"),
-  ])
-def test_count_repository_actions(repository,
-                                  day,
-                                  count_response, expected_request, expected_count, throws,
-                                  logs_model, mock_elasticsearch, mock_db_model, app_config):
-  mock_elasticsearch.template = Mock(return_value=DEFAULT_TEMPLATE_RESPONSE)
-  mock_elasticsearch.count = Mock(return_value=count_response)
-  mock_elasticsearch.list_indices = Mock(return_value=INDEX_LIST_RESPONSE)
+    [
+        pytest.param(
+            FAKE_REPOSITORIES["user1/repo1"],
+            parse("2018-03-08").date(),
+            COUNT_RESPONSE,
+            COUNT_REQUEST,
+            1,
+            False,
+            id="Valid Count with 1 as result",
+        )
+    ],
+)
+def test_count_repository_actions(
+    repository,
+    day,
+    count_response,
+    expected_request,
+    expected_count,
+    throws,
+    logs_model,
+    mock_elasticsearch,
+    mock_db_model,
+    app_config,
+):
+    mock_elasticsearch.template = Mock(return_value=DEFAULT_TEMPLATE_RESPONSE)
+    mock_elasticsearch.count = Mock(return_value=count_response)
+    mock_elasticsearch.list_indices = Mock(return_value=INDEX_LIST_RESPONSE)
 
-  configure(app_config)
-  if throws:
-    with pytest.raises(Exception):
-      logs_model.count_repository_actions(repository, day)
-  else:
-    count = logs_model.count_repository_actions(repository, day)
-    assert count == expected_count
-    if expected_request:
-      mock_elasticsearch.count.assert_called_with(expected_request)
+    configure(app_config)
+    if throws:
+        with pytest.raises(Exception):
+            logs_model.count_repository_actions(repository, day)
+    else:
+        count = logs_model.count_repository_actions(repository, day)
+        assert count == expected_count
+        if expected_request:
+            mock_elasticsearch.count.assert_called_with(expected_request)
 
 
 @pytest.mark.parametrize(
-  """
+    """
   start_datetime, end_datetime,
   repository_id, namespace_id,
   max_query_time, scroll_responses, expected_requests, expected_logs, throws
   """,
-  [
-    pytest.param(
-      parse("2018-03-08"), parse("2018-04-02"),
-      1, 1,
-      timedelta(seconds=10), SCROLL_RESPONSES, SCROLL_REQUESTS, SCROLL_LOGS, False,
-      id="Scroll 3 pages with page size = 1"
-    ),
-  ])
-def test_yield_logs_for_export(start_datetime, end_datetime,
-                               repository_id, namespace_id,
-                               max_query_time, scroll_responses, expected_requests, expected_logs, throws,
-                               logs_model, mock_elasticsearch, mock_db_model, mock_max_result_window, app_config):
-  mock_elasticsearch.template = Mock(return_value=DEFAULT_TEMPLATE_RESPONSE)
-  mock_elasticsearch.search_scroll_create = Mock(return_value=scroll_responses[0])
-  mock_elasticsearch.scroll_get = Mock(side_effect=scroll_responses[1:-1])
-  mock_elasticsearch.scroll_delete = Mock(return_value=scroll_responses[-1])
+    [
+        pytest.param(
+            parse("2018-03-08"),
+            parse("2018-04-02"),
+            1,
+            1,
+            timedelta(seconds=10),
+            SCROLL_RESPONSES,
+            SCROLL_REQUESTS,
+            SCROLL_LOGS,
+            False,
+            id="Scroll 3 pages with page size = 1",
+        )
+    ],
+)
+def test_yield_logs_for_export(
+    start_datetime,
+    end_datetime,
+    repository_id,
+    namespace_id,
+    max_query_time,
+    scroll_responses,
+    expected_requests,
+    expected_logs,
+    throws,
+    logs_model,
+    mock_elasticsearch,
+    mock_db_model,
+    mock_max_result_window,
+    app_config,
+):
+    mock_elasticsearch.template = Mock(return_value=DEFAULT_TEMPLATE_RESPONSE)
+    mock_elasticsearch.search_scroll_create = Mock(return_value=scroll_responses[0])
+    mock_elasticsearch.scroll_get = Mock(side_effect=scroll_responses[1:-1])
+    mock_elasticsearch.scroll_delete = Mock(return_value=scroll_responses[-1])
 
-  configure(app_config)
-  if throws:
-    with pytest.raises(Exception):
-      logs_model.yield_logs_for_export(start_datetime, end_datetime, max_query_time=max_query_time)
-  else:
-    log_generator = logs_model.yield_logs_for_export(start_datetime, end_datetime,
-                                                     max_query_time=max_query_time)
-    counter = 0
-    for logs in log_generator:
-      if counter == 0:
-        mock_elasticsearch.search_scroll_create.assert_called_with(*expected_requests[counter])
-      else:
-        mock_elasticsearch.scroll_get.assert_called_with(*expected_requests[counter])
-      assert expected_logs[counter] == logs
-      counter += 1
-    # the last two requests must be
-    # 1. get with response scroll with 0 hits, which indicates the termination condition
-    # 2. delete scroll request
-    mock_elasticsearch.scroll_get.assert_called_with(*expected_requests[-2])
-    mock_elasticsearch.scroll_delete.assert_called_with(*expected_requests[-1])
+    configure(app_config)
+    if throws:
+        with pytest.raises(Exception):
+            logs_model.yield_logs_for_export(
+                start_datetime, end_datetime, max_query_time=max_query_time
+            )
+    else:
+        log_generator = logs_model.yield_logs_for_export(
+            start_datetime, end_datetime, max_query_time=max_query_time
+        )
+        counter = 0
+        for logs in log_generator:
+            if counter == 0:
+                mock_elasticsearch.search_scroll_create.assert_called_with(
+                    *expected_requests[counter]
+                )
+            else:
+                mock_elasticsearch.scroll_get.assert_called_with(
+                    *expected_requests[counter]
+                )
+            assert expected_logs[counter] == logs
+            counter += 1
+        # the last two requests must be
+        # 1. get with response scroll with 0 hits, which indicates the termination condition
+        # 2. delete scroll request
+        mock_elasticsearch.scroll_get.assert_called_with(*expected_requests[-2])
+        mock_elasticsearch.scroll_delete.assert_called_with(*expected_requests[-1])
 
 
-@pytest.mark.parametrize('prefix, is_valid', [
-  pytest.param('..', False, id='Invalid `..`'),
-  pytest.param('.', False, id='Invalid `.`'),
-  pytest.param('-prefix', False, id='Invalid prefix start -'),
-  pytest.param('_prefix', False, id='Invalid prefix start _'),
-  pytest.param('+prefix', False, id='Invalid prefix start +'),
-  pytest.param('prefix_with_UPPERCASES', False, id='Invalid uppercase'),
-  pytest.param('valid_index', True, id='Valid prefix'),
-  pytest.param('valid_index_with_numbers1234', True, id='Valid prefix with numbers'),
-  pytest.param('a'*256, False, id='Prefix too long')
-])
+@pytest.mark.parametrize(
+    "prefix, is_valid",
+    [
+        pytest.param("..", False, id="Invalid `..`"),
+        pytest.param(".", False, id="Invalid `.`"),
+        pytest.param("-prefix", False, id="Invalid prefix start -"),
+        pytest.param("_prefix", False, id="Invalid prefix start _"),
+        pytest.param("+prefix", False, id="Invalid prefix start +"),
+        pytest.param("prefix_with_UPPERCASES", False, id="Invalid uppercase"),
+        pytest.param("valid_index", True, id="Valid prefix"),
+        pytest.param(
+            "valid_index_with_numbers1234", True, id="Valid prefix with numbers"
+        ),
+        pytest.param("a" * 256, False, id="Prefix too long"),
+    ],
+)
 def test_valid_index_prefix(prefix, is_valid):
-  assert ElasticsearchLogs._valid_index_prefix(prefix) == is_valid
+    assert ElasticsearchLogs._valid_index_prefix(prefix) == is_valid
 
 
-@pytest.mark.parametrize('index, cutoff_date, expected_result', [
-  pytest.param(
-    INDEX_NAME_PREFIX+'2019-06-06',
-    datetime(2019, 6, 8),
-    True,
-    id="Index older than cutoff"
-  ),
-  pytest.param(
-    INDEX_NAME_PREFIX+'2019-06-06',
-    datetime(2019, 6, 4),
-    False,
-    id="Index younger than cutoff"
-  ),
-  pytest.param(
-    INDEX_NAME_PREFIX+'2019-06-06',
-    datetime(2019, 6, 6, 23),
-    False,
-    id="Index older than cutoff but timedelta less than 1 day"
-  ),
-  pytest.param(
-    INDEX_NAME_PREFIX+'2019-06-06',
-    datetime(2019, 6, 7),
-    True,
-    id="Index older than cutoff by exactly one day"
-  ),
-])
+@pytest.mark.parametrize(
+    "index, cutoff_date, expected_result",
+    [
+        pytest.param(
+            INDEX_NAME_PREFIX + "2019-06-06",
+            datetime(2019, 6, 8),
+            True,
+            id="Index older than cutoff",
+        ),
+        pytest.param(
+            INDEX_NAME_PREFIX + "2019-06-06",
+            datetime(2019, 6, 4),
+            False,
+            id="Index younger than cutoff",
+        ),
+        pytest.param(
+            INDEX_NAME_PREFIX + "2019-06-06",
+            datetime(2019, 6, 6, 23),
+            False,
+            id="Index older than cutoff but timedelta less than 1 day",
+        ),
+        pytest.param(
+            INDEX_NAME_PREFIX + "2019-06-06",
+            datetime(2019, 6, 7),
+            True,
+            id="Index older than cutoff by exactly one day",
+        ),
+    ],
+)
 def test_can_delete_index(index, cutoff_date, expected_result):
-  es = ElasticsearchLogs(index_prefix=INDEX_NAME_PREFIX)
-  assert datetime.strptime(index.split(es._index_prefix, 1)[-1], INDEX_DATE_FORMAT)
-  assert es.can_delete_index(index, cutoff_date) == expected_result
+    es = ElasticsearchLogs(index_prefix=INDEX_NAME_PREFIX)
+    assert datetime.strptime(index.split(es._index_prefix, 1)[-1], INDEX_DATE_FORMAT)
+    assert es.can_delete_index(index, cutoff_date) == expected_result
diff --git a/data/logs_model/test/test_logs_interface.py b/data/logs_model/test/test_logs_interface.py
index 8f4f143c0..74dbe0298 100644
--- a/data/logs_model/test/test_logs_interface.py
+++ b/data/logs_model/test/test_logs_interface.py
@@ -4,7 +4,10 @@ from data.logs_model.table_logs_model import TableLogsModel
 from data.logs_model.combined_model import CombinedLogsModel
 from data.logs_model.inmemory_model import InMemoryModel
 from data.logs_model.combined_model import _merge_aggregated_log_counts
-from data.logs_model.document_logs_model import _date_range_in_single_index, DocumentLogsModel
+from data.logs_model.document_logs_model import (
+    _date_range_in_single_index,
+    DocumentLogsModel,
+)
 from data.logs_model.interface import LogsIterationTimeout
 from data.logs_model.test.fake_elasticsearch import FAKE_ES_HOST, fake_elasticsearch
 
@@ -16,279 +19,293 @@ from test.fixtures import *
 
 @pytest.fixture()
 def mock_page_size():
-  page_size = 2
-  with patch('data.logs_model.document_logs_model.PAGE_SIZE', page_size):
-    yield page_size
+    page_size = 2
+    with patch("data.logs_model.document_logs_model.PAGE_SIZE", page_size):
+        yield page_size
 
 
 @pytest.fixture()
 def clear_db_logs(initialized_db):
-  LogEntry.delete().execute()
-  LogEntry2.delete().execute()
-  LogEntry3.delete().execute()
+    LogEntry.delete().execute()
+    LogEntry2.delete().execute()
+    LogEntry3.delete().execute()
 
 
 def combined_model():
-  return CombinedLogsModel(TableLogsModel(), InMemoryModel())
+    return CombinedLogsModel(TableLogsModel(), InMemoryModel())
 
 
 def es_model():
-  return DocumentLogsModel(producer='elasticsearch', elasticsearch_config={
-    'host': FAKE_ES_HOST,
-    'port': 12345,
-  })
+    return DocumentLogsModel(
+        producer="elasticsearch",
+        elasticsearch_config={"host": FAKE_ES_HOST, "port": 12345},
+    )
+
 
 @pytest.fixture()
 def fake_es():
-  with fake_elasticsearch():
-    yield
+    with fake_elasticsearch():
+        yield
 
 
 @pytest.fixture(params=[TableLogsModel, InMemoryModel, es_model, combined_model])
 def logs_model(request, clear_db_logs, fake_es):
-  return request.param()
+    return request.param()
 
 
 def _lookup_logs(logs_model, start_time, end_time, **kwargs):
-  logs_found = []
-  page_token = None
-  while True:
-    found = logs_model.lookup_logs(start_time, end_time, page_token=page_token, **kwargs)
-    logs_found.extend(found.logs)
-    page_token = found.next_page_token
-    if not found.logs or not page_token:
-      break
+    logs_found = []
+    page_token = None
+    while True:
+        found = logs_model.lookup_logs(
+            start_time, end_time, page_token=page_token, **kwargs
+        )
+        logs_found.extend(found.logs)
+        page_token = found.next_page_token
+        if not found.logs or not page_token:
+            break
 
-  assert len(logs_found) == len(set(logs_found))
-  return logs_found
+    assert len(logs_found) == len(set(logs_found))
+    return logs_found
 
 
-@pytest.mark.skipif(os.environ.get('TEST_DATABASE_URI', '').find('mysql') >= 0, 
-                    reason='Flaky on MySQL')
-@pytest.mark.parametrize('namespace_name, repo_name, performer_name, check_args, expect_results', [
-  pytest.param('devtable', 'simple', 'devtable', {}, True, id='no filters'),
-  pytest.param('devtable', 'simple', 'devtable', {
-    'performer_name': 'devtable',
-  }, True, id='matching performer'),
+@pytest.mark.skipif(
+    os.environ.get("TEST_DATABASE_URI", "").find("mysql") >= 0, reason="Flaky on MySQL"
+)
+@pytest.mark.parametrize(
+    "namespace_name, repo_name, performer_name, check_args, expect_results",
+    [
+        pytest.param("devtable", "simple", "devtable", {}, True, id="no filters"),
+        pytest.param(
+            "devtable",
+            "simple",
+            "devtable",
+            {"performer_name": "devtable"},
+            True,
+            id="matching performer",
+        ),
+        pytest.param(
+            "devtable",
+            "simple",
+            "devtable",
+            {"namespace_name": "devtable"},
+            True,
+            id="matching namespace",
+        ),
+        pytest.param(
+            "devtable",
+            "simple",
+            "devtable",
+            {"namespace_name": "devtable", "repository_name": "simple"},
+            True,
+            id="matching repository",
+        ),
+        pytest.param(
+            "devtable",
+            "simple",
+            "devtable",
+            {"performer_name": "public"},
+            False,
+            id="different performer",
+        ),
+        pytest.param(
+            "devtable",
+            "simple",
+            "devtable",
+            {"namespace_name": "public"},
+            False,
+            id="different namespace",
+        ),
+        pytest.param(
+            "devtable",
+            "simple",
+            "devtable",
+            {"namespace_name": "devtable", "repository_name": "complex"},
+            False,
+            id="different repository",
+        ),
+    ],
+)
+def test_logs(
+    namespace_name, repo_name, performer_name, check_args, expect_results, logs_model
+):
+    # Add some logs.
+    kinds = list(LogEntryKind.select())
+    user = model.user.get_user(performer_name)
 
-  pytest.param('devtable', 'simple', 'devtable', {
-    'namespace_name': 'devtable',
-  }, True, id='matching namespace'),
+    start_timestamp = datetime.utcnow()
+    timestamp = start_timestamp
 
-  pytest.param('devtable', 'simple', 'devtable', {
-    'namespace_name': 'devtable',
-    'repository_name': 'simple',
-  }, True, id='matching repository'),
+    for kind in kinds:
+        for index in range(0, 3):
+            logs_model.log_action(
+                kind.name,
+                namespace_name=namespace_name,
+                repository_name=repo_name,
+                performer=user,
+                ip="1.2.3.4",
+                timestamp=timestamp,
+            )
+            timestamp = timestamp + timedelta(seconds=1)
 
-  pytest.param('devtable', 'simple', 'devtable', {
-    'performer_name': 'public',
-  }, False, id='different performer'),
+    found = _lookup_logs(
+        logs_model,
+        start_timestamp,
+        start_timestamp + timedelta(minutes=10),
+        **check_args
+    )
+    if expect_results:
+        assert len(found) == len(kinds) * 3
+    else:
+        assert not found
 
-  pytest.param('devtable', 'simple', 'devtable', {
-    'namespace_name': 'public',
-  }, False, id='different namespace'),
-
-  pytest.param('devtable', 'simple', 'devtable', {
-    'namespace_name': 'devtable',
-    'repository_name': 'complex',
-  }, False, id='different repository'),
-])
-def test_logs(namespace_name, repo_name, performer_name, check_args, expect_results, logs_model):
-  # Add some logs.
-  kinds = list(LogEntryKind.select())
-  user = model.user.get_user(performer_name)
-
-  start_timestamp = datetime.utcnow()
-  timestamp = start_timestamp
-
-  for kind in kinds:
-    for index in range(0, 3):
-      logs_model.log_action(kind.name, namespace_name=namespace_name, repository_name=repo_name,
-                            performer=user, ip='1.2.3.4', timestamp=timestamp)
-      timestamp = timestamp + timedelta(seconds=1)
-
-  found = _lookup_logs(logs_model, start_timestamp, start_timestamp + timedelta(minutes=10),
-                       **check_args)
-  if expect_results:
-    assert len(found) == len(kinds) * 3
-  else:
-    assert not found
-
-  aggregated_counts = logs_model.get_aggregated_log_counts(start_timestamp,
-                                                           start_timestamp + timedelta(minutes=10),
-                                                           **check_args)
-  if expect_results:
-    assert len(aggregated_counts) == len(kinds)
-    for ac in aggregated_counts:
-      assert ac.count == 3
-  else:
-    assert not aggregated_counts
+    aggregated_counts = logs_model.get_aggregated_log_counts(
+        start_timestamp, start_timestamp + timedelta(minutes=10), **check_args
+    )
+    if expect_results:
+        assert len(aggregated_counts) == len(kinds)
+        for ac in aggregated_counts:
+            assert ac.count == 3
+    else:
+        assert not aggregated_counts
 
 
-@pytest.mark.parametrize('filter_kinds, expect_results', [
-  pytest.param(None, True),
-  pytest.param(['push_repo'], True, id='push_repo filter'),
-  pytest.param(['pull_repo'], True, id='pull_repo filter'),
-  pytest.param(['push_repo', 'pull_repo'], False, id='push and pull filters')
-])
+@pytest.mark.parametrize(
+    "filter_kinds, expect_results",
+    [
+        pytest.param(None, True),
+        pytest.param(["push_repo"], True, id="push_repo filter"),
+        pytest.param(["pull_repo"], True, id="pull_repo filter"),
+        pytest.param(["push_repo", "pull_repo"], False, id="push and pull filters"),
+    ],
+)
 def test_lookup_latest_logs(filter_kinds, expect_results, logs_model):
-  kind_map = model.log.get_log_entry_kinds()
-  if filter_kinds:
-    ignore_ids = [kind_map[kind_name] for kind_name in filter_kinds if filter_kinds]
-  else:
-    ignore_ids = []
+    kind_map = model.log.get_log_entry_kinds()
+    if filter_kinds:
+        ignore_ids = [kind_map[kind_name] for kind_name in filter_kinds if filter_kinds]
+    else:
+        ignore_ids = []
 
-  now = datetime.now()
-  namespace_name = 'devtable'
-  repo_name = 'simple'
-  performer_name = 'devtable'
+    now = datetime.now()
+    namespace_name = "devtable"
+    repo_name = "simple"
+    performer_name = "devtable"
 
-  user = model.user.get_user(performer_name)
-  size = 3
+    user = model.user.get_user(performer_name)
+    size = 3
 
-  # Log some push actions
-  logs_model.log_action('push_repo', namespace_name=namespace_name, repository_name=repo_name,
-                        performer=user, ip='0.0.0.0', timestamp=now-timedelta(days=1, seconds=11))
-  logs_model.log_action('push_repo', namespace_name=namespace_name, repository_name=repo_name,
-                        performer=user, ip='0.0.0.0', timestamp=now-timedelta(days=7, seconds=33))
+    # Log some push actions
+    logs_model.log_action(
+        "push_repo",
+        namespace_name=namespace_name,
+        repository_name=repo_name,
+        performer=user,
+        ip="0.0.0.0",
+        timestamp=now - timedelta(days=1, seconds=11),
+    )
+    logs_model.log_action(
+        "push_repo",
+        namespace_name=namespace_name,
+        repository_name=repo_name,
+        performer=user,
+        ip="0.0.0.0",
+        timestamp=now - timedelta(days=7, seconds=33),
+    )
 
-  # Log some pull actions
-  logs_model.log_action('pull_repo', namespace_name=namespace_name, repository_name=repo_name,
-                        performer=user, ip='0.0.0.0', timestamp=now-timedelta(days=0, seconds=3))
-  logs_model.log_action('pull_repo', namespace_name=namespace_name, repository_name=repo_name,
-                        performer=user, ip='0.0.0.0', timestamp=now-timedelta(days=3, seconds=55))
-  logs_model.log_action('pull_repo', namespace_name=namespace_name, repository_name=repo_name,
-                        performer=user, ip='0.0.0.0', timestamp=now-timedelta(days=5, seconds=3))
-  logs_model.log_action('pull_repo', namespace_name=namespace_name, repository_name=repo_name,
-                        performer=user, ip='0.0.0.0', timestamp=now-timedelta(days=11, seconds=11))
+    # Log some pull actions
+    logs_model.log_action(
+        "pull_repo",
+        namespace_name=namespace_name,
+        repository_name=repo_name,
+        performer=user,
+        ip="0.0.0.0",
+        timestamp=now - timedelta(days=0, seconds=3),
+    )
+    logs_model.log_action(
+        "pull_repo",
+        namespace_name=namespace_name,
+        repository_name=repo_name,
+        performer=user,
+        ip="0.0.0.0",
+        timestamp=now - timedelta(days=3, seconds=55),
+    )
+    logs_model.log_action(
+        "pull_repo",
+        namespace_name=namespace_name,
+        repository_name=repo_name,
+        performer=user,
+        ip="0.0.0.0",
+        timestamp=now - timedelta(days=5, seconds=3),
+    )
+    logs_model.log_action(
+        "pull_repo",
+        namespace_name=namespace_name,
+        repository_name=repo_name,
+        performer=user,
+        ip="0.0.0.0",
+        timestamp=now - timedelta(days=11, seconds=11),
+    )
 
-  # Get the latest logs
-  latest_logs = logs_model.lookup_latest_logs(performer_name, repo_name, namespace_name,
-                                              filter_kinds=filter_kinds, size=size)
+    # Get the latest logs
+    latest_logs = logs_model.lookup_latest_logs(
+        performer_name, repo_name, namespace_name, filter_kinds=filter_kinds, size=size
+    )
 
-  # Test max lookup size
-  assert len(latest_logs) <= size
+    # Test max lookup size
+    assert len(latest_logs) <= size
 
-  # Make sure that the latest logs returned are in decreasing order
-  assert all(x >= y for x, y in zip(latest_logs, latest_logs[1:]))
+    # Make sure that the latest logs returned are in decreasing order
+    assert all(x >= y for x, y in zip(latest_logs, latest_logs[1:]))
 
-  if expect_results:
-    assert latest_logs
+    if expect_results:
+        assert latest_logs
 
-    # Lookup all logs filtered by kinds and sort them in reverse chronological order
-    all_logs = _lookup_logs(logs_model, now - timedelta(days=30), now + timedelta(days=30),
-                            filter_kinds=filter_kinds, namespace_name=namespace_name,
-                            repository_name=repo_name)
-    all_logs = sorted(all_logs, key=lambda l: l.datetime, reverse=True)
+        # Lookup all logs filtered by kinds and sort them in reverse chronological order
+        all_logs = _lookup_logs(
+            logs_model,
+            now - timedelta(days=30),
+            now + timedelta(days=30),
+            filter_kinds=filter_kinds,
+            namespace_name=namespace_name,
+            repository_name=repo_name,
+        )
+        all_logs = sorted(all_logs, key=lambda l: l.datetime, reverse=True)
 
-    # Check that querying all logs does not return the filtered kinds
-    assert all([log.kind_id not in ignore_ids for log in all_logs])
+        # Check that querying all logs does not return the filtered kinds
+        assert all([log.kind_id not in ignore_ids for log in all_logs])
 
-    # Check that the latest logs contains only th most recent ones
-    assert latest_logs == all_logs[:len(latest_logs)]
+        # Check that the latest logs contains only th most recent ones
+        assert latest_logs == all_logs[: len(latest_logs)]
 
 
 def test_count_repository_actions(logs_model):
-  # Log some actions.
-  logs_model.log_action('push_repo', namespace_name='devtable', repository_name='simple',
-                        ip='1.2.3.4')
-  logs_model.log_action('pull_repo', namespace_name='devtable', repository_name='simple',
-                        ip='1.2.3.4')
-  logs_model.log_action('pull_repo', namespace_name='devtable', repository_name='simple',
-                        ip='1.2.3.4')
-
-  # Log some actions to a different repo.
-  logs_model.log_action('pull_repo', namespace_name='devtable', repository_name='complex',
-                        ip='1.2.3.4')
-  logs_model.log_action('pull_repo', namespace_name='devtable', repository_name='complex',
-                        ip='1.2.3.4')
-
-  # Count the actions.
-  day = date.today()
-  simple_repo = model.repository.get_repository('devtable', 'simple')
-
-  count = logs_model.count_repository_actions(simple_repo, day)
-  assert count == 3
-
-  complex_repo = model.repository.get_repository('devtable', 'complex')
-  count = logs_model.count_repository_actions(complex_repo, day)
-  assert count == 2
-
-  # Try counting actions for a few days in the future to ensure it doesn't raise an error.
-  count = logs_model.count_repository_actions(simple_repo, day + timedelta(days=5))
-  assert count == 0
-
-
-def test_yield_log_rotation_context(logs_model):
-  cutoff_date = datetime.now()
-  min_logs_per_rotation = 3
-
-  # Log some actions to be archived
-  # One day
-  logs_model.log_action('push_repo', namespace_name='devtable', repository_name='simple1',
-                        ip='1.2.3.4', timestamp=cutoff_date-timedelta(days=1, seconds=1))
-  logs_model.log_action('pull_repo', namespace_name='devtable', repository_name='simple2',
-                        ip='5.6.7.8', timestamp=cutoff_date-timedelta(days=1, seconds=2))
-  logs_model.log_action('pull_repo', namespace_name='devtable', repository_name='simple3',
-                        ip='9.10.11.12', timestamp=cutoff_date-timedelta(days=1, seconds=3))
-  logs_model.log_action('pull_repo', namespace_name='devtable', repository_name='simple4',
-                        ip='0.0.0.0', timestamp=cutoff_date-timedelta(days=1, seconds=4))
-  # Another day
-  logs_model.log_action('pull_repo', namespace_name='devtable', repository_name='simple5',
-                        ip='1.1.1.1', timestamp=cutoff_date-timedelta(days=2, seconds=1))
-  logs_model.log_action('pull_repo', namespace_name='devtable', repository_name='simple5',
-                        ip='1.1.1.1', timestamp=cutoff_date-timedelta(days=2, seconds=2))
-  logs_model.log_action('pull_repo', namespace_name='devtable', repository_name='simple5',
-                        ip='1.1.1.1', timestamp=cutoff_date-timedelta(days=2, seconds=3))
-
-  found = _lookup_logs(logs_model, cutoff_date - timedelta(days=3), cutoff_date + timedelta(days=1))
-  assert found is not None and len(found) == 7
-
-  # Iterate the logs using the log rotation contexts
-  all_logs = []
-  for log_rotation_context in logs_model.yield_log_rotation_context(cutoff_date,
-                                                                    min_logs_per_rotation):
-    with log_rotation_context as context:
-      for logs, _ in context.yield_logs_batch():
-        all_logs.extend(logs)
-
-  assert len(all_logs) == 7
-  found = _lookup_logs(logs_model, cutoff_date - timedelta(days=3), cutoff_date + timedelta(days=1))
-  assert not found
-
-  # Make sure all datetimes are monotonically increasing (by datetime) after sorting the lookup
-  # to make sure no duplicates were returned
-  all_logs.sort(key=lambda d: d.datetime)
-  assert all(x.datetime < y.datetime for x, y in zip(all_logs, all_logs[1:]))
-
-
-def test_count_repository_actions_with_wildcard_disabled(initialized_db):
-  with fake_elasticsearch(allow_wildcard=False):
-    logs_model = es_model()
-
     # Log some actions.
-    logs_model.log_action('push_repo', namespace_name='devtable', repository_name='simple',
-                          ip='1.2.3.4')
-
-    logs_model.log_action('pull_repo', namespace_name='devtable', repository_name='simple',
-                          ip='1.2.3.4')
-    logs_model.log_action('pull_repo', namespace_name='devtable', repository_name='simple',
-                          ip='1.2.3.4')
+    logs_model.log_action(
+        "push_repo", namespace_name="devtable", repository_name="simple", ip="1.2.3.4"
+    )
+    logs_model.log_action(
+        "pull_repo", namespace_name="devtable", repository_name="simple", ip="1.2.3.4"
+    )
+    logs_model.log_action(
+        "pull_repo", namespace_name="devtable", repository_name="simple", ip="1.2.3.4"
+    )
 
     # Log some actions to a different repo.
-    logs_model.log_action('pull_repo', namespace_name='devtable', repository_name='complex',
-                          ip='1.2.3.4')
-    logs_model.log_action('pull_repo', namespace_name='devtable', repository_name='complex',
-                          ip='1.2.3.4')
+    logs_model.log_action(
+        "pull_repo", namespace_name="devtable", repository_name="complex", ip="1.2.3.4"
+    )
+    logs_model.log_action(
+        "pull_repo", namespace_name="devtable", repository_name="complex", ip="1.2.3.4"
+    )
 
     # Count the actions.
     day = date.today()
-    simple_repo = model.repository.get_repository('devtable', 'simple')
+    simple_repo = model.repository.get_repository("devtable", "simple")
 
     count = logs_model.count_repository_actions(simple_repo, day)
     assert count == 3
 
-    complex_repo = model.repository.get_repository('devtable', 'complex')
+    complex_repo = model.repository.get_repository("devtable", "complex")
     count = logs_model.count_repository_actions(complex_repo, day)
     assert count == 2
 
@@ -297,177 +314,384 @@ def test_count_repository_actions_with_wildcard_disabled(initialized_db):
     assert count == 0
 
 
-@pytest.mark.skipif(os.environ.get('TEST_DATABASE_URI', '').find('mysql') >= 0, 
-                    reason='Flaky on MySQL')
+def test_yield_log_rotation_context(logs_model):
+    cutoff_date = datetime.now()
+    min_logs_per_rotation = 3
+
+    # Log some actions to be archived
+    # One day
+    logs_model.log_action(
+        "push_repo",
+        namespace_name="devtable",
+        repository_name="simple1",
+        ip="1.2.3.4",
+        timestamp=cutoff_date - timedelta(days=1, seconds=1),
+    )
+    logs_model.log_action(
+        "pull_repo",
+        namespace_name="devtable",
+        repository_name="simple2",
+        ip="5.6.7.8",
+        timestamp=cutoff_date - timedelta(days=1, seconds=2),
+    )
+    logs_model.log_action(
+        "pull_repo",
+        namespace_name="devtable",
+        repository_name="simple3",
+        ip="9.10.11.12",
+        timestamp=cutoff_date - timedelta(days=1, seconds=3),
+    )
+    logs_model.log_action(
+        "pull_repo",
+        namespace_name="devtable",
+        repository_name="simple4",
+        ip="0.0.0.0",
+        timestamp=cutoff_date - timedelta(days=1, seconds=4),
+    )
+    # Another day
+    logs_model.log_action(
+        "pull_repo",
+        namespace_name="devtable",
+        repository_name="simple5",
+        ip="1.1.1.1",
+        timestamp=cutoff_date - timedelta(days=2, seconds=1),
+    )
+    logs_model.log_action(
+        "pull_repo",
+        namespace_name="devtable",
+        repository_name="simple5",
+        ip="1.1.1.1",
+        timestamp=cutoff_date - timedelta(days=2, seconds=2),
+    )
+    logs_model.log_action(
+        "pull_repo",
+        namespace_name="devtable",
+        repository_name="simple5",
+        ip="1.1.1.1",
+        timestamp=cutoff_date - timedelta(days=2, seconds=3),
+    )
+
+    found = _lookup_logs(
+        logs_model, cutoff_date - timedelta(days=3), cutoff_date + timedelta(days=1)
+    )
+    assert found is not None and len(found) == 7
+
+    # Iterate the logs using the log rotation contexts
+    all_logs = []
+    for log_rotation_context in logs_model.yield_log_rotation_context(
+        cutoff_date, min_logs_per_rotation
+    ):
+        with log_rotation_context as context:
+            for logs, _ in context.yield_logs_batch():
+                all_logs.extend(logs)
+
+    assert len(all_logs) == 7
+    found = _lookup_logs(
+        logs_model, cutoff_date - timedelta(days=3), cutoff_date + timedelta(days=1)
+    )
+    assert not found
+
+    # Make sure all datetimes are monotonically increasing (by datetime) after sorting the lookup
+    # to make sure no duplicates were returned
+    all_logs.sort(key=lambda d: d.datetime)
+    assert all(x.datetime < y.datetime for x, y in zip(all_logs, all_logs[1:]))
+
+
+def test_count_repository_actions_with_wildcard_disabled(initialized_db):
+    with fake_elasticsearch(allow_wildcard=False):
+        logs_model = es_model()
+
+        # Log some actions.
+        logs_model.log_action(
+            "push_repo",
+            namespace_name="devtable",
+            repository_name="simple",
+            ip="1.2.3.4",
+        )
+
+        logs_model.log_action(
+            "pull_repo",
+            namespace_name="devtable",
+            repository_name="simple",
+            ip="1.2.3.4",
+        )
+        logs_model.log_action(
+            "pull_repo",
+            namespace_name="devtable",
+            repository_name="simple",
+            ip="1.2.3.4",
+        )
+
+        # Log some actions to a different repo.
+        logs_model.log_action(
+            "pull_repo",
+            namespace_name="devtable",
+            repository_name="complex",
+            ip="1.2.3.4",
+        )
+        logs_model.log_action(
+            "pull_repo",
+            namespace_name="devtable",
+            repository_name="complex",
+            ip="1.2.3.4",
+        )
+
+        # Count the actions.
+        day = date.today()
+        simple_repo = model.repository.get_repository("devtable", "simple")
+
+        count = logs_model.count_repository_actions(simple_repo, day)
+        assert count == 3
+
+        complex_repo = model.repository.get_repository("devtable", "complex")
+        count = logs_model.count_repository_actions(complex_repo, day)
+        assert count == 2
+
+        # Try counting actions for a few days in the future to ensure it doesn't raise an error.
+        count = logs_model.count_repository_actions(
+            simple_repo, day + timedelta(days=5)
+        )
+        assert count == 0
+
+
+@pytest.mark.skipif(
+    os.environ.get("TEST_DATABASE_URI", "").find("mysql") >= 0, reason="Flaky on MySQL"
+)
 def test_yield_logs_for_export(logs_model):
-  # Add some logs.
-  kinds = list(LogEntryKind.select())
-  user = model.user.get_user('devtable')
+    # Add some logs.
+    kinds = list(LogEntryKind.select())
+    user = model.user.get_user("devtable")
 
-  start_timestamp = datetime.utcnow()
-  timestamp = start_timestamp
+    start_timestamp = datetime.utcnow()
+    timestamp = start_timestamp
 
-  for kind in kinds:
-    for index in range(0, 10):
-      logs_model.log_action(kind.name, namespace_name='devtable', repository_name='simple',
-                            performer=user, ip='1.2.3.4', timestamp=timestamp)
-      timestamp = timestamp + timedelta(seconds=1)
+    for kind in kinds:
+        for index in range(0, 10):
+            logs_model.log_action(
+                kind.name,
+                namespace_name="devtable",
+                repository_name="simple",
+                performer=user,
+                ip="1.2.3.4",
+                timestamp=timestamp,
+            )
+            timestamp = timestamp + timedelta(seconds=1)
 
-  # Yield the logs.
-  simple_repo = model.repository.get_repository('devtable', 'simple')
-  logs_found = []
-  for logs in logs_model.yield_logs_for_export(start_timestamp, timestamp + timedelta(minutes=10),
-                                               repository_id=simple_repo.id):
-    logs_found.extend(logs)
+    # Yield the logs.
+    simple_repo = model.repository.get_repository("devtable", "simple")
+    logs_found = []
+    for logs in logs_model.yield_logs_for_export(
+        start_timestamp, timestamp + timedelta(minutes=10), repository_id=simple_repo.id
+    ):
+        logs_found.extend(logs)
 
-  # Ensure we found all added logs.
-  assert len(logs_found) == len(kinds) * 10
+    # Ensure we found all added logs.
+    assert len(logs_found) == len(kinds) * 10
 
 
 def test_yield_logs_for_export_timeout(logs_model):
-  # Add some logs.
-  kinds = list(LogEntryKind.select())
-  user = model.user.get_user('devtable')
+    # Add some logs.
+    kinds = list(LogEntryKind.select())
+    user = model.user.get_user("devtable")
 
-  start_timestamp = datetime.utcnow()
-  timestamp = start_timestamp
+    start_timestamp = datetime.utcnow()
+    timestamp = start_timestamp
 
-  for kind in kinds:
-    for _ in range(0, 2):
-      logs_model.log_action(kind.name, namespace_name='devtable', repository_name='simple',
-                            performer=user, ip='1.2.3.4', timestamp=timestamp)
-      timestamp = timestamp + timedelta(seconds=1)
+    for kind in kinds:
+        for _ in range(0, 2):
+            logs_model.log_action(
+                kind.name,
+                namespace_name="devtable",
+                repository_name="simple",
+                performer=user,
+                ip="1.2.3.4",
+                timestamp=timestamp,
+            )
+            timestamp = timestamp + timedelta(seconds=1)
 
-  # Yield the logs. Since we set the timeout to nothing, it should immediately fail.
-  simple_repo = model.repository.get_repository('devtable', 'simple')
-  with pytest.raises(LogsIterationTimeout):
-    list(logs_model.yield_logs_for_export(start_timestamp, timestamp + timedelta(minutes=1),
-                                          repository_id=simple_repo.id,
-                                          max_query_time=timedelta(seconds=0)))
+    # Yield the logs. Since we set the timeout to nothing, it should immediately fail.
+    simple_repo = model.repository.get_repository("devtable", "simple")
+    with pytest.raises(LogsIterationTimeout):
+        list(
+            logs_model.yield_logs_for_export(
+                start_timestamp,
+                timestamp + timedelta(minutes=1),
+                repository_id=simple_repo.id,
+                max_query_time=timedelta(seconds=0),
+            )
+        )
 
 
 def test_disabled_namespace(clear_db_logs):
-  logs_model = TableLogsModel(lambda kind, namespace, is_free: namespace == 'devtable')
+    logs_model = TableLogsModel(
+        lambda kind, namespace, is_free: namespace == "devtable"
+    )
 
-  # Log some actions.
-  logs_model.log_action('push_repo', namespace_name='devtable', repository_name='simple',
-                        ip='1.2.3.4')
+    # Log some actions.
+    logs_model.log_action(
+        "push_repo", namespace_name="devtable", repository_name="simple", ip="1.2.3.4"
+    )
 
-  logs_model.log_action('pull_repo', namespace_name='devtable', repository_name='simple',
-                        ip='1.2.3.4')
-  logs_model.log_action('pull_repo', namespace_name='devtable', repository_name='simple',
-                        ip='1.2.3.4')
+    logs_model.log_action(
+        "pull_repo", namespace_name="devtable", repository_name="simple", ip="1.2.3.4"
+    )
+    logs_model.log_action(
+        "pull_repo", namespace_name="devtable", repository_name="simple", ip="1.2.3.4"
+    )
 
-  # Log some actions to a different namespace.
-  logs_model.log_action('push_repo', namespace_name='buynlarge', repository_name='orgrepo',
-                        ip='1.2.3.4')
+    # Log some actions to a different namespace.
+    logs_model.log_action(
+        "push_repo", namespace_name="buynlarge", repository_name="orgrepo", ip="1.2.3.4"
+    )
 
-  logs_model.log_action('pull_repo', namespace_name='buynlarge', repository_name='orgrepo',
-                        ip='1.2.3.4')
-  logs_model.log_action('pull_repo', namespace_name='buynlarge', repository_name='orgrepo',
-                        ip='1.2.3.4')
+    logs_model.log_action(
+        "pull_repo", namespace_name="buynlarge", repository_name="orgrepo", ip="1.2.3.4"
+    )
+    logs_model.log_action(
+        "pull_repo", namespace_name="buynlarge", repository_name="orgrepo", ip="1.2.3.4"
+    )
 
-  # Count the actions.
-  day = datetime.today() - timedelta(minutes=60)
-  simple_repo = model.repository.get_repository('devtable', 'simple')
-  count = logs_model.count_repository_actions(simple_repo, day)
-  assert count == 0
+    # Count the actions.
+    day = datetime.today() - timedelta(minutes=60)
+    simple_repo = model.repository.get_repository("devtable", "simple")
+    count = logs_model.count_repository_actions(simple_repo, day)
+    assert count == 0
 
-  org_repo = model.repository.get_repository('buynlarge', 'orgrepo')
-  count = logs_model.count_repository_actions(org_repo, day)
-  assert count == 3
+    org_repo = model.repository.get_repository("buynlarge", "orgrepo")
+    count = logs_model.count_repository_actions(org_repo, day)
+    assert count == 3
 
 
-@pytest.mark.parametrize('aggregated_log_counts1, aggregated_log_counts2, expected_result', [
-  pytest.param(
+@pytest.mark.parametrize(
+    "aggregated_log_counts1, aggregated_log_counts2, expected_result",
     [
-      AggregatedLogCount(1, 3, datetime(2019, 6, 6, 0, 0)), # 1
-      AggregatedLogCount(1, 3, datetime(2019, 6, 7, 0, 0)), # 2
+        pytest.param(
+            [
+                AggregatedLogCount(1, 3, datetime(2019, 6, 6, 0, 0)),  # 1
+                AggregatedLogCount(1, 3, datetime(2019, 6, 7, 0, 0)),  # 2
+            ],
+            [
+                AggregatedLogCount(1, 5, datetime(2019, 6, 6, 0, 0)),  # 1
+                AggregatedLogCount(1, 7, datetime(2019, 6, 7, 0, 0)),  # 2
+                AggregatedLogCount(3, 3, datetime(2019, 6, 1, 0, 0)),  # 3
+            ],
+            [
+                AggregatedLogCount(1, 8, datetime(2019, 6, 6, 0, 0)),  # 1
+                AggregatedLogCount(1, 10, datetime(2019, 6, 7, 0, 0)),  # 2
+                AggregatedLogCount(3, 3, datetime(2019, 6, 1, 0, 0)),  # 3
+            ],
+        ),
+        pytest.param(
+            [AggregatedLogCount(1, 3, datetime(2019, 6, 6, 0, 0))],  # 1
+            [AggregatedLogCount(1, 7, datetime(2019, 6, 7, 0, 0))],  # 2
+            [
+                AggregatedLogCount(1, 3, datetime(2019, 6, 6, 0, 0)),  # 1
+                AggregatedLogCount(1, 7, datetime(2019, 6, 7, 0, 0)),  # 2
+            ],
+        ),
+        pytest.param(
+            [],
+            [AggregatedLogCount(1, 3, datetime(2019, 6, 6, 0, 0))],
+            [AggregatedLogCount(1, 3, datetime(2019, 6, 6, 0, 0))],
+        ),
     ],
+)
+def test_merge_aggregated_log_counts(
+    aggregated_log_counts1, aggregated_log_counts2, expected_result
+):
+    assert sorted(
+        _merge_aggregated_log_counts(aggregated_log_counts1, aggregated_log_counts2)
+    ) == sorted(expected_result)
+
+
+@pytest.mark.parametrize(
+    "dt1, dt2, expected_result",
     [
-      AggregatedLogCount(1, 5, datetime(2019, 6, 6, 0, 0)), # 1
-      AggregatedLogCount(1, 7, datetime(2019, 6, 7, 0, 0)), # 2
-      AggregatedLogCount(3, 3, datetime(2019, 6, 1, 0, 0)), # 3
+        # Valid dates
+        pytest.param(date(2019, 6, 17), date(2019, 6, 18), True),
+        # Invalid dates
+        pytest.param(date(2019, 6, 17), date(2019, 6, 17), False),
+        pytest.param(date(2019, 6, 17), date(2019, 6, 19), False),
+        pytest.param(date(2019, 6, 18), date(2019, 6, 17), False),
+        # Valid datetimes
+        pytest.param(datetime(2019, 6, 17, 0, 1), datetime(2019, 6, 17, 0, 2), True),
+        # Invalid datetimes
+        pytest.param(datetime(2019, 6, 17, 0, 2), datetime(2019, 6, 17, 0, 1), False),
+        pytest.param(
+            datetime(2019, 6, 17, 11),
+            datetime(2019, 6, 17, 11) + timedelta(hours=14),
+            False,
+        ),
     ],
-    [
-      AggregatedLogCount(1, 8, datetime(2019, 6, 6, 0, 0)), # 1
-      AggregatedLogCount(1, 10, datetime(2019, 6, 7, 0, 0)), # 2
-      AggregatedLogCount(3, 3, datetime(2019, 6, 1, 0, 0)) # 3
-    ]
-  ),
-  pytest.param(
-    [
-      AggregatedLogCount(1, 3, datetime(2019, 6, 6, 0, 0)), # 1
-    ],
-    [
-      AggregatedLogCount(1, 7, datetime(2019, 6, 7, 0, 0)), # 2
-    ],
-    [
-      AggregatedLogCount(1, 3, datetime(2019, 6, 6, 0, 0)), # 1
-      AggregatedLogCount(1, 7, datetime(2019, 6, 7, 0, 0)), # 2
-    ]
-  ),
-  pytest.param(
-    [],
-    [AggregatedLogCount(1, 3, datetime(2019, 6, 6, 0, 0))],
-    [AggregatedLogCount(1, 3, datetime(2019, 6, 6, 0, 0))]
-  ),
-])
-def test_merge_aggregated_log_counts(aggregated_log_counts1, aggregated_log_counts2, expected_result):
-  assert (sorted(_merge_aggregated_log_counts(aggregated_log_counts1, aggregated_log_counts2)) ==
-          sorted(expected_result))
-
-
-@pytest.mark.parametrize('dt1, dt2, expected_result', [
-  # Valid dates
-  pytest.param(date(2019, 6, 17), date(2019, 6, 18), True),
-
-  # Invalid dates
-  pytest.param(date(2019, 6, 17), date(2019, 6, 17), False),
-  pytest.param(date(2019, 6, 17), date(2019, 6, 19), False),
-  pytest.param(date(2019, 6, 18), date(2019, 6, 17), False),
-
-  # Valid datetimes 
-  pytest.param(datetime(2019, 6, 17, 0, 1), datetime(2019, 6, 17, 0, 2), True),
-
-  # Invalid datetimes
-  pytest.param(datetime(2019, 6, 17, 0, 2), datetime(2019, 6, 17, 0, 1), False),
-  pytest.param(datetime(2019, 6, 17, 11), datetime(2019, 6, 17, 11) + timedelta(hours=14), False),
-])
+)
 def test_date_range_in_single_index(dt1, dt2, expected_result):
-  assert _date_range_in_single_index(dt1, dt2) == expected_result
+    assert _date_range_in_single_index(dt1, dt2) == expected_result
 
 
 def test_pagination(logs_model, mock_page_size):
-  """
+    """
   Make sure that pagination does not stop if searching through multiple indices by day,
   and the current log count matches the page size while there are still indices to be searched.
   """
-  day1 = datetime.now()
-  day2 = day1 + timedelta(days=1)
-  day3 = day2 + timedelta(days=1)
+    day1 = datetime.now()
+    day2 = day1 + timedelta(days=1)
+    day3 = day2 + timedelta(days=1)
 
-  # Log some actions in day indices
-  # One day
-  logs_model.log_action('push_repo', namespace_name='devtable', repository_name='simple1',
-                        ip='1.2.3.4', timestamp=day1)
-  logs_model.log_action('pull_repo', namespace_name='devtable', repository_name='simple1',
-                        ip='5.6.7.8', timestamp=day1)
+    # Log some actions in day indices
+    # One day
+    logs_model.log_action(
+        "push_repo",
+        namespace_name="devtable",
+        repository_name="simple1",
+        ip="1.2.3.4",
+        timestamp=day1,
+    )
+    logs_model.log_action(
+        "pull_repo",
+        namespace_name="devtable",
+        repository_name="simple1",
+        ip="5.6.7.8",
+        timestamp=day1,
+    )
 
-  found = _lookup_logs(logs_model, day1-timedelta(seconds=1), day3+timedelta(seconds=1))
-  assert len(found) == mock_page_size
+    found = _lookup_logs(
+        logs_model, day1 - timedelta(seconds=1), day3 + timedelta(seconds=1)
+    )
+    assert len(found) == mock_page_size
 
-  # Another day
-  logs_model.log_action('pull_repo', namespace_name='devtable', repository_name='simple2',
-                        ip='1.1.1.1', timestamp=day2)
-  logs_model.log_action('pull_repo', namespace_name='devtable', repository_name='simple2',
-                        ip='0.0.0.0', timestamp=day2)
+    # Another day
+    logs_model.log_action(
+        "pull_repo",
+        namespace_name="devtable",
+        repository_name="simple2",
+        ip="1.1.1.1",
+        timestamp=day2,
+    )
+    logs_model.log_action(
+        "pull_repo",
+        namespace_name="devtable",
+        repository_name="simple2",
+        ip="0.0.0.0",
+        timestamp=day2,
+    )
 
-  # Yet another day
-  logs_model.log_action('pull_repo', namespace_name='devtable', repository_name='simple2',
-                        ip='1.1.1.1', timestamp=day3)
-  logs_model.log_action('pull_repo', namespace_name='devtable', repository_name='simple2',
-                        ip='0.0.0.0', timestamp=day3)
+    # Yet another day
+    logs_model.log_action(
+        "pull_repo",
+        namespace_name="devtable",
+        repository_name="simple2",
+        ip="1.1.1.1",
+        timestamp=day3,
+    )
+    logs_model.log_action(
+        "pull_repo",
+        namespace_name="devtable",
+        repository_name="simple2",
+        ip="0.0.0.0",
+        timestamp=day3,
+    )
 
-  found = _lookup_logs(logs_model, day1-timedelta(seconds=1), day3+timedelta(seconds=1))
-  assert len(found) == 6
+    found = _lookup_logs(
+        logs_model, day1 - timedelta(seconds=1), day3 + timedelta(seconds=1)
+    )
+    assert len(found) == 6
diff --git a/data/logs_model/test/test_logs_producer.py b/data/logs_model/test/test_logs_producer.py
index 382684244..5d6759edb 100644
--- a/data/logs_model/test/test_logs_producer.py
+++ b/data/logs_model/test/test_logs_producer.py
@@ -7,71 +7,105 @@ import botocore
 
 from data.logs_model import configure
 
-from test_elasticsearch import app_config, logs_model_config, logs_model, mock_elasticsearch, mock_db_model
+from test_elasticsearch import (
+    app_config,
+    logs_model_config,
+    logs_model,
+    mock_elasticsearch,
+    mock_db_model,
+)
 from mock_elasticsearch import *
 
 
 logger = logging.getLogger(__name__)
 
-FAKE_KAFKA_BROKERS = ['fake_server1', 'fake_server2']
-FAKE_KAFKA_TOPIC = 'sometopic'
+FAKE_KAFKA_BROKERS = ["fake_server1", "fake_server2"]
+FAKE_KAFKA_TOPIC = "sometopic"
 FAKE_MAX_BLOCK_SECONDS = 1
 
+
 @pytest.fixture()
 def kafka_logs_producer_config(app_config):
-  producer_config = {}
-  producer_config.update(app_config)
-  
-  kafka_config = {
-    'bootstrap_servers': FAKE_KAFKA_BROKERS,
-    'topic': FAKE_KAFKA_TOPIC,
-    'max_block_seconds': FAKE_MAX_BLOCK_SECONDS
-  }
+    producer_config = {}
+    producer_config.update(app_config)
 
-  producer_config['LOGS_MODEL_CONFIG']['producer'] = 'kafka'
-  producer_config['LOGS_MODEL_CONFIG']['kafka_config'] = kafka_config
-  return producer_config
+    kafka_config = {
+        "bootstrap_servers": FAKE_KAFKA_BROKERS,
+        "topic": FAKE_KAFKA_TOPIC,
+        "max_block_seconds": FAKE_MAX_BLOCK_SECONDS,
+    }
+
+    producer_config["LOGS_MODEL_CONFIG"]["producer"] = "kafka"
+    producer_config["LOGS_MODEL_CONFIG"]["kafka_config"] = kafka_config
+    return producer_config
 
 
 @pytest.fixture()
 def kinesis_logs_producer_config(app_config):
-  producer_config = {}
-  producer_config.update(app_config)
-  
-  kinesis_stream_config = {
-    'stream_name': 'test-stream',
-    'aws_region': 'fake_region',
-    'aws_access_key': 'some_key',
-    'aws_secret_key': 'some_secret'
-  }
+    producer_config = {}
+    producer_config.update(app_config)
 
-  producer_config['LOGS_MODEL_CONFIG']['producer'] = 'kinesis_stream'
-  producer_config['LOGS_MODEL_CONFIG']['kinesis_stream_config'] = kinesis_stream_config
-  return producer_config
+    kinesis_stream_config = {
+        "stream_name": "test-stream",
+        "aws_region": "fake_region",
+        "aws_access_key": "some_key",
+        "aws_secret_key": "some_secret",
+    }
+
+    producer_config["LOGS_MODEL_CONFIG"]["producer"] = "kinesis_stream"
+    producer_config["LOGS_MODEL_CONFIG"][
+        "kinesis_stream_config"
+    ] = kinesis_stream_config
+    return producer_config
 
 
-def test_kafka_logs_producers(logs_model, mock_elasticsearch, mock_db_model, kafka_logs_producer_config):
-  mock_elasticsearch.template = Mock(return_value=DEFAULT_TEMPLATE_RESPONSE)
+def test_kafka_logs_producers(
+    logs_model, mock_elasticsearch, mock_db_model, kafka_logs_producer_config
+):
+    mock_elasticsearch.template = Mock(return_value=DEFAULT_TEMPLATE_RESPONSE)
 
-  producer_config = kafka_logs_producer_config
-  with patch('kafka.client_async.KafkaClient.check_version'), patch('kafka.KafkaProducer.send') as mock_send:
-    configure(producer_config)
-    logs_model.log_action('pull_repo', 'user1', Mock(id=1), '192.168.1.1', {'key': 'value'},
-                          None, 'repo1', parse("2019-01-01T03:30"))
-    
-    mock_send.assert_called_once()
+    producer_config = kafka_logs_producer_config
+    with patch("kafka.client_async.KafkaClient.check_version"), patch(
+        "kafka.KafkaProducer.send"
+    ) as mock_send:
+        configure(producer_config)
+        logs_model.log_action(
+            "pull_repo",
+            "user1",
+            Mock(id=1),
+            "192.168.1.1",
+            {"key": "value"},
+            None,
+            "repo1",
+            parse("2019-01-01T03:30"),
+        )
+
+        mock_send.assert_called_once()
 
 
-def test_kinesis_logs_producers(logs_model, mock_elasticsearch, mock_db_model, kinesis_logs_producer_config):
-  mock_elasticsearch.template = Mock(return_value=DEFAULT_TEMPLATE_RESPONSE)
+def test_kinesis_logs_producers(
+    logs_model, mock_elasticsearch, mock_db_model, kinesis_logs_producer_config
+):
+    mock_elasticsearch.template = Mock(return_value=DEFAULT_TEMPLATE_RESPONSE)
 
-  producer_config = kinesis_logs_producer_config
-  with patch('botocore.endpoint.EndpointCreator.create_endpoint'), \
-       patch('botocore.client.BaseClient._make_api_call') as mock_send:
-    configure(producer_config)
-    logs_model.log_action('pull_repo', 'user1', Mock(id=1), '192.168.1.1', {'key': 'value'},
-                          None, 'repo1', parse("2019-01-01T03:30"))
+    producer_config = kinesis_logs_producer_config
+    with patch("botocore.endpoint.EndpointCreator.create_endpoint"), patch(
+        "botocore.client.BaseClient._make_api_call"
+    ) as mock_send:
+        configure(producer_config)
+        logs_model.log_action(
+            "pull_repo",
+            "user1",
+            Mock(id=1),
+            "192.168.1.1",
+            {"key": "value"},
+            None,
+            "repo1",
+            parse("2019-01-01T03:30"),
+        )
 
-    # Check that a PutRecord api call is made.
-    # NOTE: The second arg of _make_api_call uses a randomized PartitionKey
-    mock_send.assert_called_once_with(u'PutRecord', mock_send.call_args_list[0][0][1])
+        # Check that a PutRecord api call is made.
+        # NOTE: The second arg of _make_api_call uses a randomized PartitionKey
+        mock_send.assert_called_once_with(
+            u"PutRecord", mock_send.call_args_list[0][0][1]
+        )
diff --git a/data/migrations/progress.py b/data/migrations/progress.py
index 91278beea..2f849253a 100644
--- a/data/migrations/progress.py
+++ b/data/migrations/progress.py
@@ -9,93 +9,97 @@ from util.abchelpers import nooper
 
 @add_metaclass(ABCMeta)
 class ProgressReporter(object):
-  """ Implements an interface for reporting progress with the migrations.
+    """ Implements an interface for reporting progress with the migrations.
   """
-  @abstractmethod
-  def report_version_complete(self, success):
-    """ Called when an entire migration is complete. """
 
-  @abstractmethod
-  def report_step_progress(self):
-    """ Called when a single step in the migration has been completed. """
+    @abstractmethod
+    def report_version_complete(self, success):
+        """ Called when an entire migration is complete. """
+
+    @abstractmethod
+    def report_step_progress(self):
+        """ Called when a single step in the migration has been completed. """
 
 
 @nooper
 class NullReporter(ProgressReporter):
-  """ No-op version of the progress reporter, designed for use when no progress
+    """ No-op version of the progress reporter, designed for use when no progress
       reporting endpoint is provided. """
 
 
 class PrometheusReporter(ProgressReporter):
-  def __init__(self, prom_pushgateway_addr, prom_job, labels, total_steps_num=None):
-    self._total_steps_num = total_steps_num
-    self._completed_steps = 0.0
+    def __init__(self, prom_pushgateway_addr, prom_job, labels, total_steps_num=None):
+        self._total_steps_num = total_steps_num
+        self._completed_steps = 0.0
 
-    registry = CollectorRegistry()
+        registry = CollectorRegistry()
 
-    self._migration_completion_percent = Gauge(
-      'migration_completion_percent',
-      'Estimate of the completion percentage of the job',
-      registry=registry,
-    )
-    self._migration_complete_total = Counter(
-      'migration_complete_total',
-      'Binary value of whether or not the job is complete',
-      registry=registry,
-    )
-    self._migration_failed_total = Counter(
-      'migration_failed_total',
-      'Binary value of whether or not the job has failed',
-      registry=registry,
-    )
-    self._migration_items_completed_total = Counter(
-      'migration_items_completed_total',
-      'Number of items this migration has completed',
-      registry=registry,
-    )
+        self._migration_completion_percent = Gauge(
+            "migration_completion_percent",
+            "Estimate of the completion percentage of the job",
+            registry=registry,
+        )
+        self._migration_complete_total = Counter(
+            "migration_complete_total",
+            "Binary value of whether or not the job is complete",
+            registry=registry,
+        )
+        self._migration_failed_total = Counter(
+            "migration_failed_total",
+            "Binary value of whether or not the job has failed",
+            registry=registry,
+        )
+        self._migration_items_completed_total = Counter(
+            "migration_items_completed_total",
+            "Number of items this migration has completed",
+            registry=registry,
+        )
 
-    self._push = partial(push_to_gateway,
-                         prom_pushgateway_addr,
-                         job=prom_job,
-                         registry=registry,
-                         grouping_key=labels,
-                        )
+        self._push = partial(
+            push_to_gateway,
+            prom_pushgateway_addr,
+            job=prom_job,
+            registry=registry,
+            grouping_key=labels,
+        )
 
-  def report_version_complete(self, success=True):
-    if success:
-      self._migration_complete_total.inc()
-    else:
-      self._migration_failed_total.inc()
-      self._migration_completion_percent.set(1.0)
+    def report_version_complete(self, success=True):
+        if success:
+            self._migration_complete_total.inc()
+        else:
+            self._migration_failed_total.inc()
+            self._migration_completion_percent.set(1.0)
 
-    self._push()
+        self._push()
 
-  def report_step_progress(self):
-    self._migration_items_completed_total.inc()
+    def report_step_progress(self):
+        self._migration_items_completed_total.inc()
 
-    if self._total_steps_num is not None:
-      self._completed_steps += 1
-      self._migration_completion_percent = self._completed_steps / self._total_steps_num
+        if self._total_steps_num is not None:
+            self._completed_steps += 1
+            self._migration_completion_percent = (
+                self._completed_steps / self._total_steps_num
+            )
 
-    self._push()
+        self._push()
 
 
 class ProgressWrapper(object):
-  def __init__(self, delegate_module, progress_monitor):
-    self._delegate_module = delegate_module
-    self._progress_monitor = progress_monitor
+    def __init__(self, delegate_module, progress_monitor):
+        self._delegate_module = delegate_module
+        self._progress_monitor = progress_monitor
 
-  def __getattr__(self, attr_name):
-     # Will raise proper attribute error
-    maybe_callable = self._delegate_module.__dict__[attr_name]
-    if callable(maybe_callable):
-      # Build a callable which when executed places the request
-      # onto a queue
-      @wraps(maybe_callable)
-      def wrapped_method(*args, **kwargs):
-        result = maybe_callable(*args, **kwargs)
-        self._progress_monitor.report_step_progress()
-        return result
+    def __getattr__(self, attr_name):
+        # Will raise proper attribute error
+        maybe_callable = self._delegate_module.__dict__[attr_name]
+        if callable(maybe_callable):
+            # Build a callable which when executed places the request
+            # onto a queue
+            @wraps(maybe_callable)
+            def wrapped_method(*args, **kwargs):
+                result = maybe_callable(*args, **kwargs)
+                self._progress_monitor.report_step_progress()
+                return result
 
-      return wrapped_method
-    return maybe_callable
+            return wrapped_method
+        return maybe_callable
diff --git a/data/migrations/test/test_db_config.py b/data/migrations/test/test_db_config.py
index 747c5eb73..4f524608d 100644
--- a/data/migrations/test/test_db_config.py
+++ b/data/migrations/test/test_db_config.py
@@ -5,17 +5,21 @@ from data.runmigration import run_alembic_migration
 from alembic.script import ScriptDirectory
 from test.fixtures import *
 
-@pytest.mark.parametrize('db_uri, is_valid', [
-  ('postgresql://devtable:password@quay-postgres/registry_database', True),
-  ('postgresql://devtable:password%25@quay-postgres/registry_database', False),
-  ('postgresql://devtable:password%%25@quay-postgres/registry_database', True),
-  ('postgresql://devtable@db:password@quay-postgres/registry_database', True),
-])
+
+@pytest.mark.parametrize(
+    "db_uri, is_valid",
+    [
+        ("postgresql://devtable:password@quay-postgres/registry_database", True),
+        ("postgresql://devtable:password%25@quay-postgres/registry_database", False),
+        ("postgresql://devtable:password%%25@quay-postgres/registry_database", True),
+        ("postgresql://devtable@db:password@quay-postgres/registry_database", True),
+    ],
+)
 def test_alembic_db_uri(db_uri, is_valid):
-  """ Test if the given URI is escaped for string interpolation (Python's configparser). """
-  with patch('alembic.script.ScriptDirectory.run_env') as m:
-    if is_valid:
-      run_alembic_migration(db_uri)
-    else:
-      with pytest.raises(ValueError):
-        run_alembic_migration(db_uri)
+    """ Test if the given URI is escaped for string interpolation (Python's configparser). """
+    with patch("alembic.script.ScriptDirectory.run_env") as m:
+        if is_valid:
+            run_alembic_migration(db_uri)
+        else:
+            with pytest.raises(ValueError):
+                run_alembic_migration(db_uri)
diff --git a/data/migrations/tester.py b/data/migrations/tester.py
index 2643b80e2..34f3065b1 100644
--- a/data/migrations/tester.py
+++ b/data/migrations/tester.py
@@ -13,128 +13,142 @@ from util.abchelpers import nooper
 
 logger = logging.getLogger(__name__)
 
-def escape_table_name(table_name):
-  if op.get_bind().engine.name == 'postgresql':
-    # Needed for the `user` table.
-    return '"%s"' % table_name
 
-  return table_name
+def escape_table_name(table_name):
+    if op.get_bind().engine.name == "postgresql":
+        # Needed for the `user` table.
+        return '"%s"' % table_name
+
+    return table_name
 
 
 class DataTypes(object):
-  @staticmethod
-  def DateTime():
-    return datetime.now()
+    @staticmethod
+    def DateTime():
+        return datetime.now()
 
-  @staticmethod
-  def Date():
-    return datetime.now()
+    @staticmethod
+    def Date():
+        return datetime.now()
 
-  @staticmethod
-  def String():
-    return 'somestringvalue'
+    @staticmethod
+    def String():
+        return "somestringvalue"
 
-  @staticmethod
-  def Token():
-    return '%s%s' % ('a' * 60, 'b' * 60)
+    @staticmethod
+    def Token():
+        return "%s%s" % ("a" * 60, "b" * 60)
 
-  @staticmethod
-  def UTF8Char():
-    return 'some other value'
+    @staticmethod
+    def UTF8Char():
+        return "some other value"
 
-  @staticmethod
-  def UUID():
-    return str(uuid.uuid4())
+    @staticmethod
+    def UUID():
+        return str(uuid.uuid4())
 
-  @staticmethod
-  def JSON():
-    return json.dumps(dict(foo='bar', baz='meh'))
+    @staticmethod
+    def JSON():
+        return json.dumps(dict(foo="bar", baz="meh"))
 
-  @staticmethod
-  def Boolean():
-    if op.get_bind().engine.name == 'postgresql':
-      return True
+    @staticmethod
+    def Boolean():
+        if op.get_bind().engine.name == "postgresql":
+            return True
 
-    return 1
+        return 1
 
-  @staticmethod
-  def BigInteger():
-    return 21474836470
+    @staticmethod
+    def BigInteger():
+        return 21474836470
 
-  @staticmethod
-  def Integer():
-    return 42
+    @staticmethod
+    def Integer():
+        return 42
 
-  @staticmethod
-  def Constant(value):
-    def get_value():
-      return value
-    return get_value
+    @staticmethod
+    def Constant(value):
+        def get_value():
+            return value
 
-  @staticmethod
-  def Foreign(table_name):
-    def get_index():
-      result = op.get_bind().execute("SELECT id FROM %s LIMIT 1" % escape_table_name(table_name))
-      try:
-        return list(result)[0][0]
-      except IndexError:
-        raise Exception('Could not find row for table %s' % table_name)
-      finally:
-        result.close()
+        return get_value
 
-    return get_index
+    @staticmethod
+    def Foreign(table_name):
+        def get_index():
+            result = op.get_bind().execute(
+                "SELECT id FROM %s LIMIT 1" % escape_table_name(table_name)
+            )
+            try:
+                return list(result)[0][0]
+            except IndexError:
+                raise Exception("Could not find row for table %s" % table_name)
+            finally:
+                result.close()
+
+        return get_index
 
 
 @add_metaclass(ABCMeta)
 class MigrationTester(object):
-  """ Implements an interface for adding testing capabilities to the
+    """ Implements an interface for adding testing capabilities to the
       data model migration system in Alembic.
   """
-  TestDataType = DataTypes
 
-  @abstractproperty
-  def is_testing(self):
-    """ Returns whether we are currently under a migration test. """
+    TestDataType = DataTypes
 
-  @abstractmethod
-  def populate_table(self, table_name, fields):
-    """ Called to populate a table with the given fields filled in with testing data. """
+    @abstractproperty
+    def is_testing(self):
+        """ Returns whether we are currently under a migration test. """
 
-  @abstractmethod
-  def populate_column(self, table_name, col_name, field_type):
-    """ Called to populate a column in a table to be filled in with testing data. """
+    @abstractmethod
+    def populate_table(self, table_name, fields):
+        """ Called to populate a table with the given fields filled in with testing data. """
+
+    @abstractmethod
+    def populate_column(self, table_name, col_name, field_type):
+        """ Called to populate a column in a table to be filled in with testing data. """
 
 
 @nooper
 class NoopTester(MigrationTester):
-  """ No-op version of the tester, designed for production workloads. """
+    """ No-op version of the tester, designed for production workloads. """
 
 
 class PopulateTestDataTester(MigrationTester):
-  @property
-  def is_testing(self):
-    return True
+    @property
+    def is_testing(self):
+        return True
 
-  def populate_table(self, table_name, fields):
-    columns = {field_name: field_type() for field_name, field_type in fields}
-    field_name_vars = [':' + field_name for field_name, _ in fields]
+    def populate_table(self, table_name, fields):
+        columns = {field_name: field_type() for field_name, field_type in fields}
+        field_name_vars = [":" + field_name for field_name, _ in fields]
 
-    if op.get_bind().engine.name == 'postgresql':
-      field_names = ["%s" % field_name for field_name, _ in fields]
-    else:
-      field_names = ["`%s`" % field_name for field_name, _ in fields]
+        if op.get_bind().engine.name == "postgresql":
+            field_names = ["%s" % field_name for field_name, _ in fields]
+        else:
+            field_names = ["`%s`" % field_name for field_name, _ in fields]
 
-    table_name = escape_table_name(table_name)
-    query = text('INSERT INTO %s (%s) VALUES (%s)' % (table_name, ', '.join(field_names),
-                                                      ', '.join(field_name_vars)))
-    logger.info("Executing test query %s with values %s", query, columns.values())
-    op.get_bind().execute(query, **columns)
+        table_name = escape_table_name(table_name)
+        query = text(
+            "INSERT INTO %s (%s) VALUES (%s)"
+            % (table_name, ", ".join(field_names), ", ".join(field_name_vars))
+        )
+        logger.info("Executing test query %s with values %s", query, columns.values())
+        op.get_bind().execute(query, **columns)
 
-  def populate_column(self, table_name, col_name, field_type):
-    col_value = field_type()
-    row_id = DataTypes.Foreign(table_name)()
+    def populate_column(self, table_name, col_name, field_type):
+        col_value = field_type()
+        row_id = DataTypes.Foreign(table_name)()
 
-    table_name = escape_table_name(table_name)
-    update_text = text("UPDATE %s SET %s=:col_value where ID=:row_id" % (table_name, col_name))
-    logger.info("Executing test query %s with value %s on row %s", update_text, col_value, row_id)
-    op.get_bind().execute(update_text, col_value=col_value, row_id=row_id)
+        table_name = escape_table_name(table_name)
+        update_text = text(
+            "UPDATE %s SET %s=:col_value where ID=:row_id" % (table_name, col_name)
+        )
+        logger.info(
+            "Executing test query %s with value %s on row %s",
+            update_text,
+            col_value,
+            row_id,
+        )
+        op.get_bind().execute(update_text, col_value=col_value, row_id=row_id)
diff --git a/data/migrations/versions/0cf50323c78b_add_creation_date_to_user_table.py b/data/migrations/versions/0cf50323c78b_add_creation_date_to_user_table.py
index 2a995e58c..77fcee664 100644
--- a/data/migrations/versions/0cf50323c78b_add_creation_date_to_user_table.py
+++ b/data/migrations/versions/0cf50323c78b_add_creation_date_to_user_table.py
@@ -7,8 +7,8 @@ Create Date: 2018-03-09 13:19:41.903196
 """
 
 # revision identifiers, used by Alembic.
-revision = '0cf50323c78b'
-down_revision = '87fbbc224f10'
+revision = "0cf50323c78b"
+down_revision = "87fbbc224f10"
 
 from alembic import op as original_op
 from data.migrations.progress import ProgressWrapper
@@ -18,16 +18,16 @@ import sqlalchemy as sa
 def upgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     # ### commands auto generated by Alembic - please adjust! ###
-    op.add_column('user', sa.Column('creation_date', sa.DateTime(), nullable=True))
+    op.add_column("user", sa.Column("creation_date", sa.DateTime(), nullable=True))
     # ### end Alembic commands ###
 
     # ### population of test data ### #
-    tester.populate_column('user', 'creation_date', tester.TestDataType.DateTime)
+    tester.populate_column("user", "creation_date", tester.TestDataType.DateTime)
     # ### end population of test data ### #
 
 
 def downgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     # ### commands auto generated by Alembic - please adjust! ###
-    op.drop_column('user', 'creation_date')
+    op.drop_column("user", "creation_date")
     # ### end Alembic commands ###
diff --git a/data/migrations/versions/10f45ee2310b_add_tag_tagkind_and_manifestchild_tables.py b/data/migrations/versions/10f45ee2310b_add_tag_tagkind_and_manifestchild_tables.py
index e2b4073da..a693498bf 100644
--- a/data/migrations/versions/10f45ee2310b_add_tag_tagkind_and_manifestchild_tables.py
+++ b/data/migrations/versions/10f45ee2310b_add_tag_tagkind_and_manifestchild_tables.py
@@ -7,94 +7,179 @@ Create Date: 2018-10-29 15:22:53.552216
 """
 
 # revision identifiers, used by Alembic.
-revision = '10f45ee2310b'
-down_revision = '13411de1c0ff'
+revision = "10f45ee2310b"
+down_revision = "13411de1c0ff"
 
 from alembic import op as original_op
 from data.migrations.progress import ProgressWrapper
 import sqlalchemy as sa
 from util.migrate import UTF8CharField
 
+
 def upgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     # ### commands auto generated by Alembic - please adjust! ###
-    op.create_table('tagkind',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('name', sa.String(length=255), nullable=False),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_tagkind'))
+    op.create_table(
+        "tagkind",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("name", sa.String(length=255), nullable=False),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_tagkind")),
     )
-    op.create_index('tagkind_name', 'tagkind', ['name'], unique=True)
-    op.create_table('manifestchild',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('repository_id', sa.Integer(), nullable=False),
-    sa.Column('manifest_id', sa.Integer(), nullable=False),
-    sa.Column('child_manifest_id', sa.Integer(), nullable=False),
-    sa.ForeignKeyConstraint(['child_manifest_id'], ['manifest.id'], name=op.f('fk_manifestchild_child_manifest_id_manifest')),
-    sa.ForeignKeyConstraint(['manifest_id'], ['manifest.id'], name=op.f('fk_manifestchild_manifest_id_manifest')),
-    sa.ForeignKeyConstraint(['repository_id'], ['repository.id'], name=op.f('fk_manifestchild_repository_id_repository')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_manifestchild'))
+    op.create_index("tagkind_name", "tagkind", ["name"], unique=True)
+    op.create_table(
+        "manifestchild",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("repository_id", sa.Integer(), nullable=False),
+        sa.Column("manifest_id", sa.Integer(), nullable=False),
+        sa.Column("child_manifest_id", sa.Integer(), nullable=False),
+        sa.ForeignKeyConstraint(
+            ["child_manifest_id"],
+            ["manifest.id"],
+            name=op.f("fk_manifestchild_child_manifest_id_manifest"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["manifest_id"],
+            ["manifest.id"],
+            name=op.f("fk_manifestchild_manifest_id_manifest"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["repository_id"],
+            ["repository.id"],
+            name=op.f("fk_manifestchild_repository_id_repository"),
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_manifestchild")),
     )
-    op.create_index('manifestchild_child_manifest_id', 'manifestchild', ['child_manifest_id'], unique=False)
-    op.create_index('manifestchild_manifest_id', 'manifestchild', ['manifest_id'], unique=False)
-    op.create_index('manifestchild_manifest_id_child_manifest_id', 'manifestchild', ['manifest_id', 'child_manifest_id'], unique=True)
-    op.create_index('manifestchild_repository_id', 'manifestchild', ['repository_id'], unique=False)
-    op.create_index('manifestchild_repository_id_child_manifest_id', 'manifestchild', ['repository_id', 'child_manifest_id'], unique=False)
-    op.create_index('manifestchild_repository_id_manifest_id', 'manifestchild', ['repository_id', 'manifest_id'], unique=False)
-    op.create_index('manifestchild_repository_id_manifest_id_child_manifest_id', 'manifestchild', ['repository_id', 'manifest_id', 'child_manifest_id'], unique=False)
-    op.create_table('tag',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('name', sa.String(length=255), nullable=False),
-    sa.Column('repository_id', sa.Integer(), nullable=False),
-    sa.Column('manifest_id', sa.Integer(), nullable=True),
-    sa.Column('lifetime_start_ms', sa.BigInteger(), nullable=False),
-    sa.Column('lifetime_end_ms', sa.BigInteger(), nullable=True),
-    sa.Column('hidden', sa.Boolean(), nullable=False, server_default=sa.sql.expression.false()),
-    sa.Column('reversion', sa.Boolean(), nullable=False, server_default=sa.sql.expression.false()),
-    sa.Column('tag_kind_id', sa.Integer(), nullable=False),
-    sa.Column('linked_tag_id', sa.Integer(), nullable=True),
-    sa.ForeignKeyConstraint(['linked_tag_id'], ['tag.id'], name=op.f('fk_tag_linked_tag_id_tag')),
-    sa.ForeignKeyConstraint(['manifest_id'], ['manifest.id'], name=op.f('fk_tag_manifest_id_manifest')),
-    sa.ForeignKeyConstraint(['repository_id'], ['repository.id'], name=op.f('fk_tag_repository_id_repository')),
-    sa.ForeignKeyConstraint(['tag_kind_id'], ['tagkind.id'], name=op.f('fk_tag_tag_kind_id_tagkind')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_tag'))
+    op.create_index(
+        "manifestchild_child_manifest_id",
+        "manifestchild",
+        ["child_manifest_id"],
+        unique=False,
     )
-    op.create_index('tag_lifetime_end_ms', 'tag', ['lifetime_end_ms'], unique=False)
-    op.create_index('tag_linked_tag_id', 'tag', ['linked_tag_id'], unique=False)
-    op.create_index('tag_manifest_id', 'tag', ['manifest_id'], unique=False)
-    op.create_index('tag_repository_id', 'tag', ['repository_id'], unique=False)
-    op.create_index('tag_repository_id_name', 'tag', ['repository_id', 'name'], unique=False)
-    op.create_index('tag_repository_id_name_hidden', 'tag', ['repository_id', 'name', 'hidden'], unique=False)
-    op.create_index('tag_repository_id_name_lifetime_end_ms', 'tag', ['repository_id', 'name', 'lifetime_end_ms'], unique=True)
-    op.create_index('tag_repository_id_name_tag_kind_id', 'tag', ['repository_id', 'name', 'tag_kind_id'], unique=False)
-    op.create_index('tag_tag_kind_id', 'tag', ['tag_kind_id'], unique=False)
+    op.create_index(
+        "manifestchild_manifest_id", "manifestchild", ["manifest_id"], unique=False
+    )
+    op.create_index(
+        "manifestchild_manifest_id_child_manifest_id",
+        "manifestchild",
+        ["manifest_id", "child_manifest_id"],
+        unique=True,
+    )
+    op.create_index(
+        "manifestchild_repository_id", "manifestchild", ["repository_id"], unique=False
+    )
+    op.create_index(
+        "manifestchild_repository_id_child_manifest_id",
+        "manifestchild",
+        ["repository_id", "child_manifest_id"],
+        unique=False,
+    )
+    op.create_index(
+        "manifestchild_repository_id_manifest_id",
+        "manifestchild",
+        ["repository_id", "manifest_id"],
+        unique=False,
+    )
+    op.create_index(
+        "manifestchild_repository_id_manifest_id_child_manifest_id",
+        "manifestchild",
+        ["repository_id", "manifest_id", "child_manifest_id"],
+        unique=False,
+    )
+    op.create_table(
+        "tag",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("name", sa.String(length=255), nullable=False),
+        sa.Column("repository_id", sa.Integer(), nullable=False),
+        sa.Column("manifest_id", sa.Integer(), nullable=True),
+        sa.Column("lifetime_start_ms", sa.BigInteger(), nullable=False),
+        sa.Column("lifetime_end_ms", sa.BigInteger(), nullable=True),
+        sa.Column(
+            "hidden",
+            sa.Boolean(),
+            nullable=False,
+            server_default=sa.sql.expression.false(),
+        ),
+        sa.Column(
+            "reversion",
+            sa.Boolean(),
+            nullable=False,
+            server_default=sa.sql.expression.false(),
+        ),
+        sa.Column("tag_kind_id", sa.Integer(), nullable=False),
+        sa.Column("linked_tag_id", sa.Integer(), nullable=True),
+        sa.ForeignKeyConstraint(
+            ["linked_tag_id"], ["tag.id"], name=op.f("fk_tag_linked_tag_id_tag")
+        ),
+        sa.ForeignKeyConstraint(
+            ["manifest_id"], ["manifest.id"], name=op.f("fk_tag_manifest_id_manifest")
+        ),
+        sa.ForeignKeyConstraint(
+            ["repository_id"],
+            ["repository.id"],
+            name=op.f("fk_tag_repository_id_repository"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["tag_kind_id"], ["tagkind.id"], name=op.f("fk_tag_tag_kind_id_tagkind")
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_tag")),
+    )
+    op.create_index("tag_lifetime_end_ms", "tag", ["lifetime_end_ms"], unique=False)
+    op.create_index("tag_linked_tag_id", "tag", ["linked_tag_id"], unique=False)
+    op.create_index("tag_manifest_id", "tag", ["manifest_id"], unique=False)
+    op.create_index("tag_repository_id", "tag", ["repository_id"], unique=False)
+    op.create_index(
+        "tag_repository_id_name", "tag", ["repository_id", "name"], unique=False
+    )
+    op.create_index(
+        "tag_repository_id_name_hidden",
+        "tag",
+        ["repository_id", "name", "hidden"],
+        unique=False,
+    )
+    op.create_index(
+        "tag_repository_id_name_lifetime_end_ms",
+        "tag",
+        ["repository_id", "name", "lifetime_end_ms"],
+        unique=True,
+    )
+    op.create_index(
+        "tag_repository_id_name_tag_kind_id",
+        "tag",
+        ["repository_id", "name", "tag_kind_id"],
+        unique=False,
+    )
+    op.create_index("tag_tag_kind_id", "tag", ["tag_kind_id"], unique=False)
     # ### end Alembic commands ###
 
-    op.bulk_insert(tables.tagkind,
-    [
-        {'name': 'tag'},
-    ])
+    op.bulk_insert(tables.tagkind, [{"name": "tag"}])
 
     # ### population of test data ### #
-    tester.populate_table('tag', [
-        ('repository_id', tester.TestDataType.Foreign('repository')),
-        ('tag_kind_id', tester.TestDataType.Foreign('tagkind')),
-        ('name', tester.TestDataType.String),
-        ('manifest_id', tester.TestDataType.Foreign('manifest')),
-        ('lifetime_start_ms', tester.TestDataType.BigInteger),
-    ])
+    tester.populate_table(
+        "tag",
+        [
+            ("repository_id", tester.TestDataType.Foreign("repository")),
+            ("tag_kind_id", tester.TestDataType.Foreign("tagkind")),
+            ("name", tester.TestDataType.String),
+            ("manifest_id", tester.TestDataType.Foreign("manifest")),
+            ("lifetime_start_ms", tester.TestDataType.BigInteger),
+        ],
+    )
 
-    tester.populate_table('manifestchild', [
-        ('repository_id', tester.TestDataType.Foreign('repository')),
-        ('manifest_id', tester.TestDataType.Foreign('manifest')),
-        ('child_manifest_id', tester.TestDataType.Foreign('manifest')),
-    ])
+    tester.populate_table(
+        "manifestchild",
+        [
+            ("repository_id", tester.TestDataType.Foreign("repository")),
+            ("manifest_id", tester.TestDataType.Foreign("manifest")),
+            ("child_manifest_id", tester.TestDataType.Foreign("manifest")),
+        ],
+    )
     # ### end population of test data ### #
 
 
 def downgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     # ### commands auto generated by Alembic - please adjust! ###
-    op.drop_table('tag')
-    op.drop_table('manifestchild')
-    op.drop_table('tagkind')
+    op.drop_table("tag")
+    op.drop_table("manifestchild")
+    op.drop_table("tagkind")
     # ### end Alembic commands ###
diff --git a/data/migrations/versions/13411de1c0ff_remove_unique_from_tagmanifesttomanifest.py b/data/migrations/versions/13411de1c0ff_remove_unique_from_tagmanifesttomanifest.py
index 70e0a21d7..08a661695 100644
--- a/data/migrations/versions/13411de1c0ff_remove_unique_from_tagmanifesttomanifest.py
+++ b/data/migrations/versions/13411de1c0ff_remove_unique_from_tagmanifesttomanifest.py
@@ -7,38 +7,71 @@ Create Date: 2018-08-19 23:30:24.969549
 """
 
 # revision identifiers, used by Alembic.
-revision = '13411de1c0ff'
-down_revision = '654e6df88b71'
+revision = "13411de1c0ff"
+down_revision = "654e6df88b71"
 
 from alembic import op as original_op
 from data.migrations.progress import ProgressWrapper
 import sqlalchemy as sa
 
+
 def upgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     # Note: Because of a restriction in MySQL, we cannot simply remove the index and re-add
     # it without the unique=False, nor can we simply alter the index. To make it work, we'd have to
     # remove the primary key on the field, so instead we simply drop the table entirely and
     # recreate it with the modified index. The backfill will re-fill this in.
-    op.drop_table('tagmanifesttomanifest')
+    op.drop_table("tagmanifesttomanifest")
 
-    op.create_table('tagmanifesttomanifest',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('tag_manifest_id', sa.Integer(), nullable=False),
-    sa.Column('manifest_id', sa.Integer(), nullable=False),
-    sa.Column('broken', sa.Boolean(), nullable=False, server_default=sa.sql.expression.false()),
-    sa.ForeignKeyConstraint(['manifest_id'], ['manifest.id'], name=op.f('fk_tagmanifesttomanifest_manifest_id_manifest')),
-    sa.ForeignKeyConstraint(['tag_manifest_id'], ['tagmanifest.id'], name=op.f('fk_tagmanifesttomanifest_tag_manifest_id_tagmanifest')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_tagmanifesttomanifest'))
+    op.create_table(
+        "tagmanifesttomanifest",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("tag_manifest_id", sa.Integer(), nullable=False),
+        sa.Column("manifest_id", sa.Integer(), nullable=False),
+        sa.Column(
+            "broken",
+            sa.Boolean(),
+            nullable=False,
+            server_default=sa.sql.expression.false(),
+        ),
+        sa.ForeignKeyConstraint(
+            ["manifest_id"],
+            ["manifest.id"],
+            name=op.f("fk_tagmanifesttomanifest_manifest_id_manifest"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["tag_manifest_id"],
+            ["tagmanifest.id"],
+            name=op.f("fk_tagmanifesttomanifest_tag_manifest_id_tagmanifest"),
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_tagmanifesttomanifest")),
+    )
+    op.create_index(
+        "tagmanifesttomanifest_broken",
+        "tagmanifesttomanifest",
+        ["broken"],
+        unique=False,
+    )
+    op.create_index(
+        "tagmanifesttomanifest_manifest_id",
+        "tagmanifesttomanifest",
+        ["manifest_id"],
+        unique=False,
+    )
+    op.create_index(
+        "tagmanifesttomanifest_tag_manifest_id",
+        "tagmanifesttomanifest",
+        ["tag_manifest_id"],
+        unique=True,
     )
-    op.create_index('tagmanifesttomanifest_broken', 'tagmanifesttomanifest', ['broken'], unique=False)
-    op.create_index('tagmanifesttomanifest_manifest_id', 'tagmanifesttomanifest', ['manifest_id'], unique=False)
-    op.create_index('tagmanifesttomanifest_tag_manifest_id', 'tagmanifesttomanifest', ['tag_manifest_id'], unique=True)
 
-    tester.populate_table('tagmanifesttomanifest', [
-        ('manifest_id', tester.TestDataType.Foreign('manifest')),
-        ('tag_manifest_id', tester.TestDataType.Foreign('tagmanifest')),
-    ])
+    tester.populate_table(
+        "tagmanifesttomanifest",
+        [
+            ("manifest_id", tester.TestDataType.Foreign("manifest")),
+            ("tag_manifest_id", tester.TestDataType.Foreign("tagmanifest")),
+        ],
+    )
 
 
 def downgrade(tables, tester, progress_reporter):
diff --git a/data/migrations/versions/152bb29a1bb3_add_maximum_build_queue_count_setting_.py b/data/migrations/versions/152bb29a1bb3_add_maximum_build_queue_count_setting_.py
index 489303dde..bc246cdbe 100644
--- a/data/migrations/versions/152bb29a1bb3_add_maximum_build_queue_count_setting_.py
+++ b/data/migrations/versions/152bb29a1bb3_add_maximum_build_queue_count_setting_.py
@@ -7,27 +7,32 @@ Create Date: 2018-02-20 13:34:34.902415
 """
 
 # revision identifiers, used by Alembic.
-revision = '152bb29a1bb3'
-down_revision = 'cbc8177760d9'
+revision = "152bb29a1bb3"
+down_revision = "cbc8177760d9"
 
 from alembic import op as original_op
 from data.migrations.progress import ProgressWrapper
 import sqlalchemy as sa
 from sqlalchemy.dialects import mysql
 
+
 def upgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     # ### commands auto generated by Alembic - please adjust! ###
-    op.add_column('user', sa.Column('maximum_queued_builds_count', sa.Integer(), nullable=True))
+    op.add_column(
+        "user", sa.Column("maximum_queued_builds_count", sa.Integer(), nullable=True)
+    )
     # ### end Alembic commands ###
 
     # ### population of test data ### #
-    tester.populate_column('user', 'maximum_queued_builds_count', tester.TestDataType.Integer)
+    tester.populate_column(
+        "user", "maximum_queued_builds_count", tester.TestDataType.Integer
+    )
     # ### end population of test data ### #
 
 
 def downgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     # ### commands auto generated by Alembic - please adjust! ###
-    op.drop_column('user', 'maximum_queued_builds_count')
+    op.drop_column("user", "maximum_queued_builds_count")
     # ### end Alembic commands ###
diff --git a/data/migrations/versions/152edccba18c_make_blodupload_byte_count_not_nullable.py b/data/migrations/versions/152edccba18c_make_blodupload_byte_count_not_nullable.py
index 6eca834fa..593b9f231 100644
--- a/data/migrations/versions/152edccba18c_make_blodupload_byte_count_not_nullable.py
+++ b/data/migrations/versions/152edccba18c_make_blodupload_byte_count_not_nullable.py
@@ -7,8 +7,8 @@ Create Date: 2018-02-23 12:41:25.571835
 """
 
 # revision identifiers, used by Alembic.
-revision = '152edccba18c'
-down_revision = 'c91c564aad34'
+revision = "152edccba18c"
+down_revision = "c91c564aad34"
 
 from alembic import op as original_op
 from data.migrations.progress import ProgressWrapper
@@ -17,11 +17,13 @@ import sqlalchemy as sa
 
 def upgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
-    op.alter_column('blobupload', 'byte_count', existing_type=sa.BigInteger(),
-                    nullable=False)
+    op.alter_column(
+        "blobupload", "byte_count", existing_type=sa.BigInteger(), nullable=False
+    )
 
 
 def downgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
-    op.alter_column('blobupload', 'byte_count', existing_type=sa.BigInteger(),
-                    nullable=True)
+    op.alter_column(
+        "blobupload", "byte_count", existing_type=sa.BigInteger(), nullable=True
+    )
diff --git a/data/migrations/versions/1783530bee68_add_logentry2_table_quay_io_only.py b/data/migrations/versions/1783530bee68_add_logentry2_table_quay_io_only.py
index ffe5d9176..09f2d7818 100644
--- a/data/migrations/versions/1783530bee68_add_logentry2_table_quay_io_only.py
+++ b/data/migrations/versions/1783530bee68_add_logentry2_table_quay_io_only.py
@@ -7,8 +7,8 @@ Create Date: 2018-05-17 16:32:28.532264
 """
 
 # revision identifiers, used by Alembic.
-revision = '1783530bee68'
-down_revision = '5b7503aada1b'
+revision = "1783530bee68"
+down_revision = "5b7503aada1b"
 
 from alembic import op as original_op
 from data.migrations.progress import ProgressWrapper
@@ -18,32 +18,61 @@ import sqlalchemy as sa
 def upgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     # ### commands auto generated by Alembic - please adjust! ###
-    op.create_table('logentry2',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('kind_id', sa.Integer(), nullable=False),
-    sa.Column('account_id', sa.Integer(), nullable=False),
-    sa.Column('performer_id', sa.Integer(), nullable=True),
-    sa.Column('repository_id', sa.Integer(), nullable=True),
-    sa.Column('datetime', sa.DateTime(), nullable=False),
-    sa.Column('ip', sa.String(length=255), nullable=True),
-    sa.Column('metadata_json', sa.Text(), nullable=False),
-    sa.ForeignKeyConstraint(['kind_id'], ['logentrykind.id'], name=op.f('fk_logentry2_kind_id_logentrykind')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_logentry2'))
+    op.create_table(
+        "logentry2",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("kind_id", sa.Integer(), nullable=False),
+        sa.Column("account_id", sa.Integer(), nullable=False),
+        sa.Column("performer_id", sa.Integer(), nullable=True),
+        sa.Column("repository_id", sa.Integer(), nullable=True),
+        sa.Column("datetime", sa.DateTime(), nullable=False),
+        sa.Column("ip", sa.String(length=255), nullable=True),
+        sa.Column("metadata_json", sa.Text(), nullable=False),
+        sa.ForeignKeyConstraint(
+            ["kind_id"],
+            ["logentrykind.id"],
+            name=op.f("fk_logentry2_kind_id_logentrykind"),
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_logentry2")),
+    )
+    op.create_index("logentry2_account_id", "logentry2", ["account_id"], unique=False)
+    op.create_index(
+        "logentry2_account_id_datetime",
+        "logentry2",
+        ["account_id", "datetime"],
+        unique=False,
+    )
+    op.create_index("logentry2_datetime", "logentry2", ["datetime"], unique=False)
+    op.create_index("logentry2_kind_id", "logentry2", ["kind_id"], unique=False)
+    op.create_index(
+        "logentry2_performer_id", "logentry2", ["performer_id"], unique=False
+    )
+    op.create_index(
+        "logentry2_performer_id_datetime",
+        "logentry2",
+        ["performer_id", "datetime"],
+        unique=False,
+    )
+    op.create_index(
+        "logentry2_repository_id", "logentry2", ["repository_id"], unique=False
+    )
+    op.create_index(
+        "logentry2_repository_id_datetime",
+        "logentry2",
+        ["repository_id", "datetime"],
+        unique=False,
+    )
+    op.create_index(
+        "logentry2_repository_id_datetime_kind_id",
+        "logentry2",
+        ["repository_id", "datetime", "kind_id"],
+        unique=False,
     )
-    op.create_index('logentry2_account_id', 'logentry2', ['account_id'], unique=False)
-    op.create_index('logentry2_account_id_datetime', 'logentry2', ['account_id', 'datetime'], unique=False)
-    op.create_index('logentry2_datetime', 'logentry2', ['datetime'], unique=False)
-    op.create_index('logentry2_kind_id', 'logentry2', ['kind_id'], unique=False)
-    op.create_index('logentry2_performer_id', 'logentry2', ['performer_id'], unique=False)
-    op.create_index('logentry2_performer_id_datetime', 'logentry2', ['performer_id', 'datetime'], unique=False)
-    op.create_index('logentry2_repository_id', 'logentry2', ['repository_id'], unique=False)
-    op.create_index('logentry2_repository_id_datetime', 'logentry2', ['repository_id', 'datetime'], unique=False)
-    op.create_index('logentry2_repository_id_datetime_kind_id', 'logentry2', ['repository_id', 'datetime', 'kind_id'], unique=False)
     # ### end Alembic commands ###
 
 
 def downgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     # ### commands auto generated by Alembic - please adjust! ###
-    op.drop_table('logentry2')
+    op.drop_table("logentry2")
     # ### end Alembic commands ###
diff --git a/data/migrations/versions/17aff2e1354e_add_automatic_disable_of_build_triggers.py b/data/migrations/versions/17aff2e1354e_add_automatic_disable_of_build_triggers.py
index 27f1aafa6..8f3e83eec 100644
--- a/data/migrations/versions/17aff2e1354e_add_automatic_disable_of_build_triggers.py
+++ b/data/migrations/versions/17aff2e1354e_add_automatic_disable_of_build_triggers.py
@@ -7,48 +7,73 @@ Create Date: 2017-10-18 15:58:03.971526
 """
 
 # revision identifiers, used by Alembic.
-revision = '17aff2e1354e'
-down_revision = '61cadbacb9fc'
+revision = "17aff2e1354e"
+down_revision = "61cadbacb9fc"
 
 from alembic import op as original_op
 from data.migrations.progress import ProgressWrapper
 import sqlalchemy as sa
 from sqlalchemy.dialects import mysql
 
+
 def upgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     # ### commands auto generated by Alembic - please adjust! ###
-    op.add_column('repositorybuildtrigger', sa.Column('successive_failure_count', sa.Integer(), server_default='0', nullable=False))
-    op.add_column('repositorybuildtrigger', sa.Column('successive_internal_error_count', sa.Integer(), server_default='0', nullable=False))
+    op.add_column(
+        "repositorybuildtrigger",
+        sa.Column(
+            "successive_failure_count", sa.Integer(), server_default="0", nullable=False
+        ),
+    )
+    op.add_column(
+        "repositorybuildtrigger",
+        sa.Column(
+            "successive_internal_error_count",
+            sa.Integer(),
+            server_default="0",
+            nullable=False,
+        ),
+    )
     # ### end Alembic commands ###
 
     op.bulk_insert(
         tables.disablereason,
         [
-        {'id': 2, 'name': 'successive_build_failures'},
-        {'id': 3, 'name': 'successive_build_internal_errors'},
+            {"id": 2, "name": "successive_build_failures"},
+            {"id": 3, "name": "successive_build_internal_errors"},
         ],
     )
 
     # ### population of test data ### #
-    tester.populate_column('repositorybuildtrigger', 'successive_failure_count', tester.TestDataType.Integer)
-    tester.populate_column('repositorybuildtrigger', 'successive_internal_error_count', tester.TestDataType.Integer)
+    tester.populate_column(
+        "repositorybuildtrigger",
+        "successive_failure_count",
+        tester.TestDataType.Integer,
+    )
+    tester.populate_column(
+        "repositorybuildtrigger",
+        "successive_internal_error_count",
+        tester.TestDataType.Integer,
+    )
     # ### end population of test data ### #
 
 
 def downgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     # ### commands auto generated by Alembic - please adjust! ###
-    op.drop_column('repositorybuildtrigger', 'successive_internal_error_count')
-    op.drop_column('repositorybuildtrigger', 'successive_failure_count')
+    op.drop_column("repositorybuildtrigger", "successive_internal_error_count")
+    op.drop_column("repositorybuildtrigger", "successive_failure_count")
     # ### end Alembic commands ###
 
-    op.execute(tables
-                .disablereason
-                .delete()
-                .where(tables.disablereason.c.name == op.inline_literal('successive_internal_error_count')))
+    op.execute(
+        tables.disablereason.delete().where(
+            tables.disablereason.c.name
+            == op.inline_literal("successive_internal_error_count")
+        )
+    )
 
-    op.execute(tables
-                .disablereason
-                .delete()
-                .where(tables.disablereason.c.name == op.inline_literal('successive_failure_count')))
+    op.execute(
+        tables.disablereason.delete().where(
+            tables.disablereason.c.name == op.inline_literal("successive_failure_count")
+        )
+    )
diff --git a/data/migrations/versions/224ce4c72c2f_add_last_accessed_field_to_user_table.py b/data/migrations/versions/224ce4c72c2f_add_last_accessed_field_to_user_table.py
index 9b9bb1978..6208a6a6d 100644
--- a/data/migrations/versions/224ce4c72c2f_add_last_accessed_field_to_user_table.py
+++ b/data/migrations/versions/224ce4c72c2f_add_last_accessed_field_to_user_table.py
@@ -7,8 +7,8 @@ Create Date: 2018-03-12 22:44:07.070490
 """
 
 # revision identifiers, used by Alembic.
-revision = '224ce4c72c2f'
-down_revision = 'b547bc139ad8'
+revision = "224ce4c72c2f"
+down_revision = "b547bc139ad8"
 
 from alembic import op as original_op
 from data.migrations.progress import ProgressWrapper
@@ -18,18 +18,18 @@ import sqlalchemy as sa
 def upgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     # ### commands auto generated by Alembic - please adjust! ###
-    op.add_column('user', sa.Column('last_accessed', sa.DateTime(), nullable=True))
-    op.create_index('user_last_accessed', 'user', ['last_accessed'], unique=False)
+    op.add_column("user", sa.Column("last_accessed", sa.DateTime(), nullable=True))
+    op.create_index("user_last_accessed", "user", ["last_accessed"], unique=False)
     # ### end Alembic commands ###
 
     # ### population of test data ### #
-    tester.populate_column('user', 'last_accessed', tester.TestDataType.DateTime)
+    tester.populate_column("user", "last_accessed", tester.TestDataType.DateTime)
     # ### end population of test data ### #
 
 
 def downgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     # ### commands auto generated by Alembic - please adjust! ###
-    op.drop_index('user_last_accessed', table_name='user')
-    op.drop_column('user', 'last_accessed')
+    op.drop_index("user_last_accessed", table_name="user")
+    op.drop_column("user", "last_accessed")
     # ### end Alembic commands ###
diff --git a/data/migrations/versions/34c8ef052ec9_repo_mirror_columns.py b/data/migrations/versions/34c8ef052ec9_repo_mirror_columns.py
index 2b73b8afa..071c1906c 100644
--- a/data/migrations/versions/34c8ef052ec9_repo_mirror_columns.py
+++ b/data/migrations/versions/34c8ef052ec9_repo_mirror_columns.py
@@ -7,8 +7,8 @@ Create Date: 2019-10-07 13:11:20.424715
 """
 
 # revision identifiers, used by Alembic.
-revision = '34c8ef052ec9'
-down_revision = 'cc6778199cdb'
+revision = "34c8ef052ec9"
+down_revision = "cc6778199cdb"
 
 from alembic import op
 from alembic import op as original_op
@@ -17,8 +17,17 @@ from datetime import datetime
 import sqlalchemy as sa
 from sqlalchemy.dialects import mysql
 from peewee import ForeignKeyField, DateTimeField, BooleanField
-from data.database import (BaseModel, RepoMirrorType, RepoMirrorStatus, RepoMirrorRule, uuid_generator,
-                           QuayUserField, Repository, IntegerField, JSONField)
+from data.database import (
+    BaseModel,
+    RepoMirrorType,
+    RepoMirrorStatus,
+    RepoMirrorRule,
+    uuid_generator,
+    QuayUserField,
+    Repository,
+    IntegerField,
+    JSONField,
+)
 from data.fields import EnumField as ClientEnumField, CharField, EncryptedCharField
 
 import logging
@@ -30,100 +39,150 @@ BATCH_SIZE = 10
 
 # Original model
 class RepoMirrorConfig(BaseModel):
-  """
+    """
   Represents a repository to be mirrored and any additional configuration
   required to perform the mirroring.
   """
-  repository = ForeignKeyField(Repository, index=True, unique=True, backref='mirror')
-  creation_date = DateTimeField(default=datetime.utcnow)
-  is_enabled = BooleanField(default=True)
 
-  # Mirror Configuration
-  mirror_type = ClientEnumField(RepoMirrorType, default=RepoMirrorType.PULL)
-  internal_robot = QuayUserField(allows_robots=True, null=True, backref='mirrorpullrobot',
-                                 robot_null_delete=True)
-  external_reference = CharField()
-  external_registry = CharField()
-  external_namespace = CharField()
-  external_repository = CharField()
-  external_registry_username = EncryptedCharField(max_length=2048, null=True)
-  external_registry_password = EncryptedCharField(max_length=2048, null=True)
-  external_registry_config = JSONField(default={})
+    repository = ForeignKeyField(Repository, index=True, unique=True, backref="mirror")
+    creation_date = DateTimeField(default=datetime.utcnow)
+    is_enabled = BooleanField(default=True)
 
-  # Worker Queuing
-  sync_interval = IntegerField()  # seconds between syncs
-  sync_start_date = DateTimeField(null=True)  # next start time
-  sync_expiration_date = DateTimeField(null=True)  # max duration
-  sync_retries_remaining = IntegerField(default=3)
-  sync_status = ClientEnumField(RepoMirrorStatus, default=RepoMirrorStatus.NEVER_RUN)
-  sync_transaction_id = CharField(default=uuid_generator, max_length=36)
+    # Mirror Configuration
+    mirror_type = ClientEnumField(RepoMirrorType, default=RepoMirrorType.PULL)
+    internal_robot = QuayUserField(
+        allows_robots=True, null=True, backref="mirrorpullrobot", robot_null_delete=True
+    )
+    external_reference = CharField()
+    external_registry = CharField()
+    external_namespace = CharField()
+    external_repository = CharField()
+    external_registry_username = EncryptedCharField(max_length=2048, null=True)
+    external_registry_password = EncryptedCharField(max_length=2048, null=True)
+    external_registry_config = JSONField(default={})
 
-  # Tag-Matching Rules
-  root_rule = ForeignKeyField(RepoMirrorRule)
+    # Worker Queuing
+    sync_interval = IntegerField()  # seconds between syncs
+    sync_start_date = DateTimeField(null=True)  # next start time
+    sync_expiration_date = DateTimeField(null=True)  # max duration
+    sync_retries_remaining = IntegerField(default=3)
+    sync_status = ClientEnumField(RepoMirrorStatus, default=RepoMirrorStatus.NEVER_RUN)
+    sync_transaction_id = CharField(default=uuid_generator, max_length=36)
+
+    # Tag-Matching Rules
+    root_rule = ForeignKeyField(RepoMirrorRule)
 
 
 def _iterate(model_class, clause):
-  while True:
-    has_rows = False
-    for row in list(model_class.select().where(clause).limit(BATCH_SIZE)):
-      has_rows = True
-      yield row
+    while True:
+        has_rows = False
+        for row in list(model_class.select().where(clause).limit(BATCH_SIZE)):
+            has_rows = True
+            yield row
 
-    if not has_rows:
-      break
+        if not has_rows:
+            break
 
 
 def upgrade(tables, tester, progress_reporter):
-  op = ProgressWrapper(original_op, progress_reporter)
+    op = ProgressWrapper(original_op, progress_reporter)
 
-  logger.info('Migrating to external_reference from existing columns')
+    logger.info("Migrating to external_reference from existing columns")
 
-  op.add_column('repomirrorconfig', sa.Column('external_reference', sa.Text(), nullable=True))
+    op.add_column(
+        "repomirrorconfig", sa.Column("external_reference", sa.Text(), nullable=True)
+    )
 
-  from app import app
-  if app.config.get('SETUP_COMPLETE', False) or tester.is_testing:
-    for repo_mirror in _iterate(RepoMirrorConfig, (RepoMirrorConfig.external_reference >> None)):
-      repo = '%s/%s/%s' % (repo_mirror.external_registry, repo_mirror.external_namespace, repo_mirror.external_repository)
-      logger.info('migrating %s' % repo)
-      repo_mirror.external_reference = repo
-      repo_mirror.save()
+    from app import app
 
-  op.drop_column('repomirrorconfig', 'external_registry')
-  op.drop_column('repomirrorconfig', 'external_namespace')
-  op.drop_column('repomirrorconfig', 'external_repository')
+    if app.config.get("SETUP_COMPLETE", False) or tester.is_testing:
+        for repo_mirror in _iterate(
+            RepoMirrorConfig, (RepoMirrorConfig.external_reference >> None)
+        ):
+            repo = "%s/%s/%s" % (
+                repo_mirror.external_registry,
+                repo_mirror.external_namespace,
+                repo_mirror.external_repository,
+            )
+            logger.info("migrating %s" % repo)
+            repo_mirror.external_reference = repo
+            repo_mirror.save()
 
-  op.alter_column('repomirrorconfig', 'external_reference', nullable=False, existing_type=sa.Text())
+    op.drop_column("repomirrorconfig", "external_registry")
+    op.drop_column("repomirrorconfig", "external_namespace")
+    op.drop_column("repomirrorconfig", "external_repository")
 
+    op.alter_column(
+        "repomirrorconfig",
+        "external_reference",
+        nullable=False,
+        existing_type=sa.Text(),
+    )
 
-  tester.populate_column('repomirrorconfig', 'external_reference', tester.TestDataType.String)
+    tester.populate_column(
+        "repomirrorconfig", "external_reference", tester.TestDataType.String
+    )
 
 
 def downgrade(tables, tester, progress_reporter):
-  op = ProgressWrapper(original_op, progress_reporter)
+    op = ProgressWrapper(original_op, progress_reporter)
 
-  '''
+    """
   This will downgrade existing data but may not exactly match previous data structure. If the
   external_reference does not have three parts (registry, namespace, repository) then a failed
   value is inserted.
-  '''
+  """
 
-  op.add_column('repomirrorconfig', sa.Column('external_registry', sa.String(length=255), nullable=True))
-  op.add_column('repomirrorconfig', sa.Column('external_namespace', sa.String(length=255), nullable=True))
-  op.add_column('repomirrorconfig', sa.Column('external_repository', sa.String(length=255), nullable=True))
+    op.add_column(
+        "repomirrorconfig",
+        sa.Column("external_registry", sa.String(length=255), nullable=True),
+    )
+    op.add_column(
+        "repomirrorconfig",
+        sa.Column("external_namespace", sa.String(length=255), nullable=True),
+    )
+    op.add_column(
+        "repomirrorconfig",
+        sa.Column("external_repository", sa.String(length=255), nullable=True),
+    )
 
-  from app import app
-  if app.config.get('SETUP_COMPLETE', False):
-    logger.info('Restoring columns from external_reference')
-    for repo_mirror in _iterate(RepoMirrorConfig, (RepoMirrorConfig.external_registry >> None)):
-      logger.info('Restoring %s' % repo_mirror.external_reference)
-      parts = repo_mirror.external_reference.split('/', 2)
-      repo_mirror.external_registry = parts[0] if len(parts) >= 1 else 'DOWNGRADE-FAILED'
-      repo_mirror.external_namespace = parts[1] if len(parts) >= 2 else 'DOWNGRADE-FAILED'
-      repo_mirror.external_repository = parts[2] if len(parts) >= 3 else 'DOWNGRADE-FAILED'
-      repo_mirror.save()
+    from app import app
 
-  op.drop_column('repomirrorconfig', 'external_reference')
+    if app.config.get("SETUP_COMPLETE", False):
+        logger.info("Restoring columns from external_reference")
+        for repo_mirror in _iterate(
+            RepoMirrorConfig, (RepoMirrorConfig.external_registry >> None)
+        ):
+            logger.info("Restoring %s" % repo_mirror.external_reference)
+            parts = repo_mirror.external_reference.split("/", 2)
+            repo_mirror.external_registry = (
+                parts[0] if len(parts) >= 1 else "DOWNGRADE-FAILED"
+            )
+            repo_mirror.external_namespace = (
+                parts[1] if len(parts) >= 2 else "DOWNGRADE-FAILED"
+            )
+            repo_mirror.external_repository = (
+                parts[2] if len(parts) >= 3 else "DOWNGRADE-FAILED"
+            )
+            repo_mirror.save()
 
-  op.alter_column('repomirrorconfig', 'external_registry', nullable=False, existing_type=sa.String(length=255))
-  op.alter_column('repomirrorconfig', 'external_namespace', nullable=False, existing_type=sa.String(length=255))
-  op.alter_column('repomirrorconfig', 'external_repository', nullable=False, existing_type=sa.String(length=255))
+    op.drop_column("repomirrorconfig", "external_reference")
+
+    op.alter_column(
+        "repomirrorconfig",
+        "external_registry",
+        nullable=False,
+        existing_type=sa.String(length=255),
+    )
+    op.alter_column(
+        "repomirrorconfig",
+        "external_namespace",
+        nullable=False,
+        existing_type=sa.String(length=255),
+    )
+    op.alter_column(
+        "repomirrorconfig",
+        "external_repository",
+        nullable=False,
+        existing_type=sa.String(length=255),
+    )
diff --git a/data/migrations/versions/3e8cc74a1e7b_add_severity_and_media_type_to_global_.py b/data/migrations/versions/3e8cc74a1e7b_add_severity_and_media_type_to_global_.py
index 87e6f8890..47961514b 100644
--- a/data/migrations/versions/3e8cc74a1e7b_add_severity_and_media_type_to_global_.py
+++ b/data/migrations/versions/3e8cc74a1e7b_add_severity_and_media_type_to_global_.py
@@ -7,57 +7,78 @@ Create Date: 2017-01-17 16:22:28.584237
 """
 
 # revision identifiers, used by Alembic.
-revision = '3e8cc74a1e7b'
-down_revision = 'fc47c1ec019f'
+revision = "3e8cc74a1e7b"
+down_revision = "fc47c1ec019f"
 
 from alembic import op as original_op
 from data.migrations.progress import ProgressWrapper
 import sqlalchemy as sa
 from sqlalchemy.dialects import mysql
 
+
 def upgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     # ### commands auto generated by Alembic - please adjust! ###
-    op.add_column('messages', sa.Column('media_type_id', sa.Integer(), nullable=False, server_default='1'))
-    op.add_column('messages', sa.Column('severity', sa.String(length=255), nullable=False, server_default='info'))
-    op.alter_column('messages', 'uuid',
-               existing_type=mysql.VARCHAR(length=36),
-               server_default='',
-               nullable=False)
-    op.create_index('messages_media_type_id', 'messages', ['media_type_id'], unique=False)
-    op.create_index('messages_severity', 'messages', ['severity'], unique=False)
-    op.create_index('messages_uuid', 'messages', ['uuid'], unique=False)
-    op.create_foreign_key(op.f('fk_messages_media_type_id_mediatype'), 'messages', 'mediatype', ['media_type_id'], ['id'])
+    op.add_column(
+        "messages",
+        sa.Column("media_type_id", sa.Integer(), nullable=False, server_default="1"),
+    )
+    op.add_column(
+        "messages",
+        sa.Column(
+            "severity", sa.String(length=255), nullable=False, server_default="info"
+        ),
+    )
+    op.alter_column(
+        "messages",
+        "uuid",
+        existing_type=mysql.VARCHAR(length=36),
+        server_default="",
+        nullable=False,
+    )
+    op.create_index(
+        "messages_media_type_id", "messages", ["media_type_id"], unique=False
+    )
+    op.create_index("messages_severity", "messages", ["severity"], unique=False)
+    op.create_index("messages_uuid", "messages", ["uuid"], unique=False)
+    op.create_foreign_key(
+        op.f("fk_messages_media_type_id_mediatype"),
+        "messages",
+        "mediatype",
+        ["media_type_id"],
+        ["id"],
+    )
     # ### end Alembic commands ###
 
-    op.bulk_insert(tables.mediatype,
-                   [
-                     {'name': 'text/markdown'},
-                   ])
+    op.bulk_insert(tables.mediatype, [{"name": "text/markdown"}])
 
     # ### population of test data ### #
-    tester.populate_column('messages', 'media_type_id', tester.TestDataType.Foreign('mediatype'))
-    tester.populate_column('messages', 'severity', lambda: 'info')
-    tester.populate_column('messages', 'uuid', tester.TestDataType.UUID)
+    tester.populate_column(
+        "messages", "media_type_id", tester.TestDataType.Foreign("mediatype")
+    )
+    tester.populate_column("messages", "severity", lambda: "info")
+    tester.populate_column("messages", "uuid", tester.TestDataType.UUID)
     # ### end population of test data ### #
 
 
 def downgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     # ### commands auto generated by Alembic - please adjust! ###
-    op.drop_constraint(op.f('fk_messages_media_type_id_mediatype'), 'messages', type_='foreignkey')
-    op.drop_index('messages_uuid', table_name='messages')
-    op.drop_index('messages_severity', table_name='messages')
-    op.drop_index('messages_media_type_id', table_name='messages')
-    op.alter_column('messages', 'uuid',
-               existing_type=mysql.VARCHAR(length=36),
-               nullable=True)
-    op.drop_column('messages', 'severity')
-    op.drop_column('messages', 'media_type_id')
+    op.drop_constraint(
+        op.f("fk_messages_media_type_id_mediatype"), "messages", type_="foreignkey"
+    )
+    op.drop_index("messages_uuid", table_name="messages")
+    op.drop_index("messages_severity", table_name="messages")
+    op.drop_index("messages_media_type_id", table_name="messages")
+    op.alter_column(
+        "messages", "uuid", existing_type=mysql.VARCHAR(length=36), nullable=True
+    )
+    op.drop_column("messages", "severity")
+    op.drop_column("messages", "media_type_id")
     # ### end Alembic commands ###
 
-    op.execute(tables
-               .mediatype
-               .delete()
-               .where(tables.
-                      mediatype.c.name == op.inline_literal('text/markdown')))
+    op.execute(
+        tables.mediatype.delete().where(
+            tables.mediatype.c.name == op.inline_literal("text/markdown")
+        )
+    )
diff --git a/data/migrations/versions/45fd8b9869d4_add_notification_type.py b/data/migrations/versions/45fd8b9869d4_add_notification_type.py
index 66f5c0870..81c038942 100644
--- a/data/migrations/versions/45fd8b9869d4_add_notification_type.py
+++ b/data/migrations/versions/45fd8b9869d4_add_notification_type.py
@@ -7,24 +7,22 @@ Create Date: 2016-12-01 12:02:19.724528
 """
 
 # revision identifiers, used by Alembic.
-revision = '45fd8b9869d4'
-down_revision = '94836b099894'
+revision = "45fd8b9869d4"
+down_revision = "94836b099894"
 
 from alembic import op as original_op
 from data.migrations.progress import ProgressWrapper
 
+
 def upgrade(tables, tester, progress_reporter):
-  op = ProgressWrapper(original_op, progress_reporter)
-  op.bulk_insert(tables.notificationkind,
-                 [
-                   {'name': 'build_cancelled'},
-                 ])
+    op = ProgressWrapper(original_op, progress_reporter)
+    op.bulk_insert(tables.notificationkind, [{"name": "build_cancelled"}])
 
 
 def downgrade(tables, tester, progress_reporter):
-  op = ProgressWrapper(original_op, progress_reporter)
-  op.execute(tables
-             .notificationkind
-             .delete()
-             .where(tables.
-                    notificationkind.c.name == op.inline_literal('build_cancelled')))
+    op = ProgressWrapper(original_op, progress_reporter)
+    op.execute(
+        tables.notificationkind.delete().where(
+            tables.notificationkind.c.name == op.inline_literal("build_cancelled")
+        )
+    )
diff --git a/data/migrations/versions/481623ba00ba_add_index_on_logs_archived_on_.py b/data/migrations/versions/481623ba00ba_add_index_on_logs_archived_on_.py
index da8476f8a..d2bfd0474 100644
--- a/data/migrations/versions/481623ba00ba_add_index_on_logs_archived_on_.py
+++ b/data/migrations/versions/481623ba00ba_add_index_on_logs_archived_on_.py
@@ -7,21 +7,27 @@ Create Date: 2019-02-15 16:09:47.326805
 """
 
 # revision identifiers, used by Alembic.
-revision = '481623ba00ba'
-down_revision = 'b9045731c4de'
+revision = "481623ba00ba"
+down_revision = "b9045731c4de"
 
 from alembic import op as original_op
 from data.migrations.progress import ProgressWrapper
 
+
 def upgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     # ### commands auto generated by Alembic - please adjust! ###
-    op.create_index('repositorybuild_logs_archived', 'repositorybuild', ['logs_archived'], unique=False)
+    op.create_index(
+        "repositorybuild_logs_archived",
+        "repositorybuild",
+        ["logs_archived"],
+        unique=False,
+    )
     # ### end Alembic commands ###
 
 
 def downgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     # ### commands auto generated by Alembic - please adjust! ###
-    op.drop_index('repositorybuild_logs_archived', table_name='repositorybuild')
+    op.drop_index("repositorybuild_logs_archived", table_name="repositorybuild")
     # ### end Alembic commands ###
diff --git a/data/migrations/versions/5248ddf35167_repository_mirror.py b/data/migrations/versions/5248ddf35167_repository_mirror.py
index 8bb806105..6842cc1d5 100644
--- a/data/migrations/versions/5248ddf35167_repository_mirror.py
+++ b/data/migrations/versions/5248ddf35167_repository_mirror.py
@@ -6,139 +6,229 @@ Create Date: 2019-06-25 16:22:36.310532
 
 """
 
-revision = '5248ddf35167'
-down_revision = 'b918abdbee43'
+revision = "5248ddf35167"
+down_revision = "b918abdbee43"
 
 from alembic import op as original_op
 from data.migrations.progress import ProgressWrapper
 import sqlalchemy as sa
 from sqlalchemy.dialects import mysql
 
+
 def upgrade(tables, tester, progress_reporter):
-  op = ProgressWrapper(original_op, progress_reporter)
-  op.create_table('repomirrorrule',
-  sa.Column('id', sa.Integer(), nullable=False),
-  sa.Column('uuid', sa.String(length=36), nullable=False),
-  sa.Column('repository_id', sa.Integer(), nullable=False),
-  sa.Column('creation_date', sa.DateTime(), nullable=False),
-  sa.Column('rule_type', sa.Integer(), nullable=False),
-  sa.Column('rule_value', sa.Text(), nullable=False),
-  sa.Column('left_child_id', sa.Integer(), nullable=True),
-  sa.Column('right_child_id', sa.Integer(), nullable=True),
-  sa.ForeignKeyConstraint(['left_child_id'], ['repomirrorrule.id'], name=op.f('fk_repomirrorrule_left_child_id_repomirrorrule')),
-  sa.ForeignKeyConstraint(['repository_id'], ['repository.id'], name=op.f('fk_repomirrorrule_repository_id_repository')),
-  sa.ForeignKeyConstraint(['right_child_id'], ['repomirrorrule.id'], name=op.f('fk_repomirrorrule_right_child_id_repomirrorrule')),
-  sa.PrimaryKeyConstraint('id', name=op.f('pk_repomirrorrule')))
-  op.create_index('repomirrorrule_left_child_id', 'repomirrorrule', ['left_child_id'], unique=False)
-  op.create_index('repomirrorrule_repository_id', 'repomirrorrule', ['repository_id'], unique=False)
-  op.create_index('repomirrorrule_right_child_id', 'repomirrorrule', ['right_child_id'], unique=False)
-  op.create_index('repomirrorrule_rule_type', 'repomirrorrule', ['rule_type'], unique=False)
-  op.create_index('repomirrorrule_uuid', 'repomirrorrule', ['uuid'], unique=True)
+    op = ProgressWrapper(original_op, progress_reporter)
+    op.create_table(
+        "repomirrorrule",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("uuid", sa.String(length=36), nullable=False),
+        sa.Column("repository_id", sa.Integer(), nullable=False),
+        sa.Column("creation_date", sa.DateTime(), nullable=False),
+        sa.Column("rule_type", sa.Integer(), nullable=False),
+        sa.Column("rule_value", sa.Text(), nullable=False),
+        sa.Column("left_child_id", sa.Integer(), nullable=True),
+        sa.Column("right_child_id", sa.Integer(), nullable=True),
+        sa.ForeignKeyConstraint(
+            ["left_child_id"],
+            ["repomirrorrule.id"],
+            name=op.f("fk_repomirrorrule_left_child_id_repomirrorrule"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["repository_id"],
+            ["repository.id"],
+            name=op.f("fk_repomirrorrule_repository_id_repository"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["right_child_id"],
+            ["repomirrorrule.id"],
+            name=op.f("fk_repomirrorrule_right_child_id_repomirrorrule"),
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_repomirrorrule")),
+    )
+    op.create_index(
+        "repomirrorrule_left_child_id",
+        "repomirrorrule",
+        ["left_child_id"],
+        unique=False,
+    )
+    op.create_index(
+        "repomirrorrule_repository_id",
+        "repomirrorrule",
+        ["repository_id"],
+        unique=False,
+    )
+    op.create_index(
+        "repomirrorrule_right_child_id",
+        "repomirrorrule",
+        ["right_child_id"],
+        unique=False,
+    )
+    op.create_index(
+        "repomirrorrule_rule_type", "repomirrorrule", ["rule_type"], unique=False
+    )
+    op.create_index("repomirrorrule_uuid", "repomirrorrule", ["uuid"], unique=True)
 
-  op.create_table('repomirrorconfig',
-  sa.Column('id', sa.Integer(), nullable=False),
-  sa.Column('repository_id', sa.Integer(), nullable=False),
-  sa.Column('creation_date', sa.DateTime(), nullable=False),
-  sa.Column('is_enabled', sa.Boolean(), nullable=False),
-  sa.Column('mirror_type', sa.Integer(), nullable=False),
-  sa.Column('internal_robot_id', sa.Integer(), nullable=False),
-  sa.Column('external_registry', sa.String(length=255), nullable=False),
-  sa.Column('external_namespace', sa.String(length=255), nullable=False),
-  sa.Column('external_repository', sa.String(length=255), nullable=False),
-  sa.Column('external_registry_username', sa.String(length=2048), nullable=True),
-  sa.Column('external_registry_password', sa.String(length=2048), nullable=True),
-  sa.Column('external_registry_config', sa.Text(), nullable=False),
-  sa.Column('sync_interval', sa.Integer(), nullable=False, server_default='60'),
-  sa.Column('sync_start_date', sa.DateTime(), nullable=True),
-  sa.Column('sync_expiration_date', sa.DateTime(), nullable=True),
-  sa.Column('sync_retries_remaining', sa.Integer(), nullable=False, server_default='3'),
-  sa.Column('sync_status', sa.Integer(), nullable=False),
-  sa.Column('sync_transaction_id', sa.String(length=36), nullable=True),
-  sa.Column('root_rule_id', sa.Integer(), nullable=False),
-  sa.ForeignKeyConstraint(['repository_id'], ['repository.id'], name=op.f('fk_repomirrorconfig_repository_id_repository')),
-  sa.ForeignKeyConstraint(['root_rule_id'], ['repomirrorrule.id'], name=op.f('fk_repomirrorconfig_root_rule_id_repomirrorrule')),
-  sa.ForeignKeyConstraint(['internal_robot_id'], ['user.id'], name=op.f('fk_repomirrorconfig_internal_robot_id_user')),
-  sa.PrimaryKeyConstraint('id', name=op.f('pk_repomirrorconfig'))
-  )
-  op.create_index('repomirrorconfig_mirror_type', 'repomirrorconfig', ['mirror_type'], unique=False)
-  op.create_index('repomirrorconfig_repository_id', 'repomirrorconfig', ['repository_id'], unique=True)
-  op.create_index('repomirrorconfig_root_rule_id', 'repomirrorconfig', ['root_rule_id'], unique=False)
-  op.create_index('repomirrorconfig_sync_status', 'repomirrorconfig', ['sync_status'], unique=False)
-  op.create_index('repomirrorconfig_sync_transaction_id', 'repomirrorconfig', ['sync_transaction_id'], unique=False)
-  op.create_index('repomirrorconfig_internal_robot_id', 'repomirrorconfig', ['internal_robot_id'], unique=False)
+    op.create_table(
+        "repomirrorconfig",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("repository_id", sa.Integer(), nullable=False),
+        sa.Column("creation_date", sa.DateTime(), nullable=False),
+        sa.Column("is_enabled", sa.Boolean(), nullable=False),
+        sa.Column("mirror_type", sa.Integer(), nullable=False),
+        sa.Column("internal_robot_id", sa.Integer(), nullable=False),
+        sa.Column("external_registry", sa.String(length=255), nullable=False),
+        sa.Column("external_namespace", sa.String(length=255), nullable=False),
+        sa.Column("external_repository", sa.String(length=255), nullable=False),
+        sa.Column("external_registry_username", sa.String(length=2048), nullable=True),
+        sa.Column("external_registry_password", sa.String(length=2048), nullable=True),
+        sa.Column("external_registry_config", sa.Text(), nullable=False),
+        sa.Column("sync_interval", sa.Integer(), nullable=False, server_default="60"),
+        sa.Column("sync_start_date", sa.DateTime(), nullable=True),
+        sa.Column("sync_expiration_date", sa.DateTime(), nullable=True),
+        sa.Column(
+            "sync_retries_remaining", sa.Integer(), nullable=False, server_default="3"
+        ),
+        sa.Column("sync_status", sa.Integer(), nullable=False),
+        sa.Column("sync_transaction_id", sa.String(length=36), nullable=True),
+        sa.Column("root_rule_id", sa.Integer(), nullable=False),
+        sa.ForeignKeyConstraint(
+            ["repository_id"],
+            ["repository.id"],
+            name=op.f("fk_repomirrorconfig_repository_id_repository"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["root_rule_id"],
+            ["repomirrorrule.id"],
+            name=op.f("fk_repomirrorconfig_root_rule_id_repomirrorrule"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["internal_robot_id"],
+            ["user.id"],
+            name=op.f("fk_repomirrorconfig_internal_robot_id_user"),
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_repomirrorconfig")),
+    )
+    op.create_index(
+        "repomirrorconfig_mirror_type",
+        "repomirrorconfig",
+        ["mirror_type"],
+        unique=False,
+    )
+    op.create_index(
+        "repomirrorconfig_repository_id",
+        "repomirrorconfig",
+        ["repository_id"],
+        unique=True,
+    )
+    op.create_index(
+        "repomirrorconfig_root_rule_id",
+        "repomirrorconfig",
+        ["root_rule_id"],
+        unique=False,
+    )
+    op.create_index(
+        "repomirrorconfig_sync_status",
+        "repomirrorconfig",
+        ["sync_status"],
+        unique=False,
+    )
+    op.create_index(
+        "repomirrorconfig_sync_transaction_id",
+        "repomirrorconfig",
+        ["sync_transaction_id"],
+        unique=False,
+    )
+    op.create_index(
+        "repomirrorconfig_internal_robot_id",
+        "repomirrorconfig",
+        ["internal_robot_id"],
+        unique=False,
+    )
 
-  op.add_column(u'repository', sa.Column('state', sa.Integer(), nullable=False, server_default='0'))
-  op.create_index('repository_state', 'repository', ['state'], unique=False)
+    op.add_column(
+        u"repository",
+        sa.Column("state", sa.Integer(), nullable=False, server_default="0"),
+    )
+    op.create_index("repository_state", "repository", ["state"], unique=False)
 
-  op.bulk_insert(tables.logentrykind,
-               [
-                 {'name': 'repo_mirror_enabled'},
-                 {'name': 'repo_mirror_disabled'},
-                 {'name': 'repo_mirror_config_changed'},
-                 {'name': 'repo_mirror_sync_started'},
-                 {'name': 'repo_mirror_sync_failed'},
-                 {'name': 'repo_mirror_sync_success'},
-                 {'name': 'repo_mirror_sync_now_requested'},
-                 {'name': 'repo_mirror_sync_tag_success'},
-                 {'name': 'repo_mirror_sync_tag_failed'},
-                 {'name': 'repo_mirror_sync_test_success'},
-                 {'name': 'repo_mirror_sync_test_failed'},
-                 {'name': 'repo_mirror_sync_test_started'},
-                 {'name': 'change_repo_state'}
-               ])
+    op.bulk_insert(
+        tables.logentrykind,
+        [
+            {"name": "repo_mirror_enabled"},
+            {"name": "repo_mirror_disabled"},
+            {"name": "repo_mirror_config_changed"},
+            {"name": "repo_mirror_sync_started"},
+            {"name": "repo_mirror_sync_failed"},
+            {"name": "repo_mirror_sync_success"},
+            {"name": "repo_mirror_sync_now_requested"},
+            {"name": "repo_mirror_sync_tag_success"},
+            {"name": "repo_mirror_sync_tag_failed"},
+            {"name": "repo_mirror_sync_test_success"},
+            {"name": "repo_mirror_sync_test_failed"},
+            {"name": "repo_mirror_sync_test_started"},
+            {"name": "change_repo_state"},
+        ],
+    )
 
+    tester.populate_table(
+        "repomirrorrule",
+        [
+            ("uuid", tester.TestDataType.String),
+            ("repository_id", tester.TestDataType.Foreign("repository")),
+            ("creation_date", tester.TestDataType.DateTime),
+            ("rule_type", tester.TestDataType.Integer),
+            ("rule_value", tester.TestDataType.String),
+        ],
+    )
 
-  tester.populate_table('repomirrorrule', [
-    ('uuid', tester.TestDataType.String),
-    ('repository_id', tester.TestDataType.Foreign('repository')),
-    ('creation_date', tester.TestDataType.DateTime),
-    ('rule_type', tester.TestDataType.Integer),
-    ('rule_value', tester.TestDataType.String),
-  ])
-
-  tester.populate_table('repomirrorconfig', [
-    ('repository_id', tester.TestDataType.Foreign('repository')),
-    ('creation_date', tester.TestDataType.DateTime),
-    ('is_enabled', tester.TestDataType.Boolean),
-    ('mirror_type', tester.TestDataType.Constant(1)),
-    ('internal_robot_id', tester.TestDataType.Foreign('user')),
-    ('external_registry', tester.TestDataType.String),
-    ('external_namespace', tester.TestDataType.String),
-    ('external_repository', tester.TestDataType.String),
-    ('external_registry_username', tester.TestDataType.String),
-    ('external_registry_password', tester.TestDataType.String),
-    ('external_registry_config', tester.TestDataType.JSON),
-    ('sync_start_date', tester.TestDataType.DateTime),
-    ('sync_expiration_date', tester.TestDataType.DateTime),
-    ('sync_retries_remaining', tester.TestDataType.Integer),
-    ('sync_status', tester.TestDataType.Constant(0)),
-    ('sync_transaction_id', tester.TestDataType.String),
-    ('root_rule_id', tester.TestDataType.Foreign('repomirrorrule')),
-  ])
+    tester.populate_table(
+        "repomirrorconfig",
+        [
+            ("repository_id", tester.TestDataType.Foreign("repository")),
+            ("creation_date", tester.TestDataType.DateTime),
+            ("is_enabled", tester.TestDataType.Boolean),
+            ("mirror_type", tester.TestDataType.Constant(1)),
+            ("internal_robot_id", tester.TestDataType.Foreign("user")),
+            ("external_registry", tester.TestDataType.String),
+            ("external_namespace", tester.TestDataType.String),
+            ("external_repository", tester.TestDataType.String),
+            ("external_registry_username", tester.TestDataType.String),
+            ("external_registry_password", tester.TestDataType.String),
+            ("external_registry_config", tester.TestDataType.JSON),
+            ("sync_start_date", tester.TestDataType.DateTime),
+            ("sync_expiration_date", tester.TestDataType.DateTime),
+            ("sync_retries_remaining", tester.TestDataType.Integer),
+            ("sync_status", tester.TestDataType.Constant(0)),
+            ("sync_transaction_id", tester.TestDataType.String),
+            ("root_rule_id", tester.TestDataType.Foreign("repomirrorrule")),
+        ],
+    )
 
 
 def downgrade(tables, tester, progress_reporter):
-  op = ProgressWrapper(original_op, progress_reporter)
-  op.drop_column(u'repository', 'state')
+    op = ProgressWrapper(original_op, progress_reporter)
+    op.drop_column(u"repository", "state")
 
-  op.drop_table('repomirrorconfig')
+    op.drop_table("repomirrorconfig")
 
-  op.drop_table('repomirrorrule')
+    op.drop_table("repomirrorrule")
 
-  for logentrykind in [
-      'repo_mirror_enabled',
-      'repo_mirror_disabled',
-      'repo_mirror_config_changed',
-      'repo_mirror_sync_started',
-      'repo_mirror_sync_failed',
-      'repo_mirror_sync_success',
-      'repo_mirror_sync_now_requested',
-      'repo_mirror_sync_tag_success',
-      'repo_mirror_sync_tag_failed',
-      'repo_mirror_sync_test_success',
-      'repo_mirror_sync_test_failed',
-      'repo_mirror_sync_test_started',
-      'change_repo_state'
-  ]:
-    op.execute(tables.logentrykind.delete()
-               .where(tables.logentrykind.c.name == op.inline_literal(logentrykind)))
+    for logentrykind in [
+        "repo_mirror_enabled",
+        "repo_mirror_disabled",
+        "repo_mirror_config_changed",
+        "repo_mirror_sync_started",
+        "repo_mirror_sync_failed",
+        "repo_mirror_sync_success",
+        "repo_mirror_sync_now_requested",
+        "repo_mirror_sync_tag_success",
+        "repo_mirror_sync_tag_failed",
+        "repo_mirror_sync_test_success",
+        "repo_mirror_sync_test_failed",
+        "repo_mirror_sync_test_started",
+        "change_repo_state",
+    ]:
+        op.execute(
+            tables.logentrykind.delete().where(
+                tables.logentrykind.c.name == op.inline_literal(logentrykind)
+            )
+        )
diff --git a/data/migrations/versions/53e2ac668296_remove_reference_to_subdir.py b/data/migrations/versions/53e2ac668296_remove_reference_to_subdir.py
index e0b61814b..b30ad7ff5 100644
--- a/data/migrations/versions/53e2ac668296_remove_reference_to_subdir.py
+++ b/data/migrations/versions/53e2ac668296_remove_reference_to_subdir.py
@@ -17,38 +17,44 @@ from data.migrations.progress import ProgressWrapper
 import sqlalchemy as sa
 from sqlalchemy.dialects import mysql
 
-revision = '53e2ac668296'
-down_revision = 'ed01e313d3cb'
+revision = "53e2ac668296"
+down_revision = "ed01e313d3cb"
 
 log = logging.getLogger(__name__)
 
 
 def run_migration(migrate_function, progress_reporter):
-  op = ProgressWrapper(original_op, progress_reporter)
-  conn = op.get_bind()
-  triggers = conn.execute("SELECT id, config FROM repositorybuildtrigger")
-  for trigger in triggers:
-    config = json.dumps(migrate_function(json.loads(trigger[1])))
-    try:
-      conn.execute("UPDATE repositorybuildtrigger SET config=%s WHERE id=%s", config, trigger[0])
-    except(RevisionError, CommandError) as e:
-      log.warning("Failed to update build trigger %s with exception: ", trigger[0], e)
+    op = ProgressWrapper(original_op, progress_reporter)
+    conn = op.get_bind()
+    triggers = conn.execute("SELECT id, config FROM repositorybuildtrigger")
+    for trigger in triggers:
+        config = json.dumps(migrate_function(json.loads(trigger[1])))
+        try:
+            conn.execute(
+                "UPDATE repositorybuildtrigger SET config=%s WHERE id=%s",
+                config,
+                trigger[0],
+            )
+        except (RevisionError, CommandError) as e:
+            log.warning(
+                "Failed to update build trigger %s with exception: ", trigger[0], e
+            )
 
 
 def upgrade(tables, tester, progress_reporter):
-  run_migration(delete_subdir, progress_reporter)
+    run_migration(delete_subdir, progress_reporter)
 
 
 def downgrade(tables, tester, progress_reporter):
-  run_migration(add_subdir, progress_reporter)
+    run_migration(add_subdir, progress_reporter)
 
 
 def delete_subdir(config):
     """ Remove subdir from config """
     if not config:
         return config
-    if 'subdir' in config:
-        del config['subdir']
+    if "subdir" in config:
+        del config["subdir"]
 
     return config
 
@@ -57,7 +63,7 @@ def add_subdir(config):
     """ Add subdir back into config """
     if not config:
         return config
-    if 'context' in config:
-        config['subdir'] = config['context']
+    if "context" in config:
+        config["subdir"] = config["context"]
 
     return config
diff --git a/data/migrations/versions/54492a68a3cf_add_namespacegeorestriction_table.py b/data/migrations/versions/54492a68a3cf_add_namespacegeorestriction_table.py
index efe900ad7..8ac76c4d6 100644
--- a/data/migrations/versions/54492a68a3cf_add_namespacegeorestriction_table.py
+++ b/data/migrations/versions/54492a68a3cf_add_namespacegeorestriction_table.py
@@ -7,43 +7,67 @@ Create Date: 2018-12-05 15:12:14.201116
 """
 
 # revision identifiers, used by Alembic.
-revision = '54492a68a3cf'
-down_revision = 'c00a1f15968b'
+revision = "54492a68a3cf"
+down_revision = "c00a1f15968b"
 
 from alembic import op as original_op
 from data.migrations.progress import ProgressWrapper
 import sqlalchemy as sa
 from sqlalchemy.dialects import mysql
 
+
 def upgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     # ### commands auto generated by Alembic - please adjust! ###
-    op.create_table('namespacegeorestriction',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('namespace_id', sa.Integer(), nullable=False),
-    sa.Column('added', sa.DateTime(), nullable=False),
-    sa.Column('description', sa.String(length=255), nullable=False),
-    sa.Column('unstructured_json', sa.Text(), nullable=False),
-    sa.Column('restricted_region_iso_code', sa.String(length=255), nullable=False),
-    sa.ForeignKeyConstraint(['namespace_id'], ['user.id'], name=op.f('fk_namespacegeorestriction_namespace_id_user')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_namespacegeorestriction'))
+    op.create_table(
+        "namespacegeorestriction",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("namespace_id", sa.Integer(), nullable=False),
+        sa.Column("added", sa.DateTime(), nullable=False),
+        sa.Column("description", sa.String(length=255), nullable=False),
+        sa.Column("unstructured_json", sa.Text(), nullable=False),
+        sa.Column("restricted_region_iso_code", sa.String(length=255), nullable=False),
+        sa.ForeignKeyConstraint(
+            ["namespace_id"],
+            ["user.id"],
+            name=op.f("fk_namespacegeorestriction_namespace_id_user"),
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_namespacegeorestriction")),
+    )
+    op.create_index(
+        "namespacegeorestriction_namespace_id",
+        "namespacegeorestriction",
+        ["namespace_id"],
+        unique=False,
+    )
+    op.create_index(
+        "namespacegeorestriction_namespace_id_restricted_region_iso_code",
+        "namespacegeorestriction",
+        ["namespace_id", "restricted_region_iso_code"],
+        unique=True,
+    )
+    op.create_index(
+        "namespacegeorestriction_restricted_region_iso_code",
+        "namespacegeorestriction",
+        ["restricted_region_iso_code"],
+        unique=False,
     )
-    op.create_index('namespacegeorestriction_namespace_id', 'namespacegeorestriction', ['namespace_id'], unique=False)
-    op.create_index('namespacegeorestriction_namespace_id_restricted_region_iso_code', 'namespacegeorestriction', ['namespace_id', 'restricted_region_iso_code'], unique=True)
-    op.create_index('namespacegeorestriction_restricted_region_iso_code', 'namespacegeorestriction', ['restricted_region_iso_code'], unique=False)
     # ### end Alembic commands ###
 
-    tester.populate_table('namespacegeorestriction', [
-        ('namespace_id', tester.TestDataType.Foreign('user')),
-        ('added', tester.TestDataType.DateTime),
-        ('description', tester.TestDataType.String),
-        ('unstructured_json', tester.TestDataType.JSON),
-        ('restricted_region_iso_code', tester.TestDataType.String),
-    ])
+    tester.populate_table(
+        "namespacegeorestriction",
+        [
+            ("namespace_id", tester.TestDataType.Foreign("user")),
+            ("added", tester.TestDataType.DateTime),
+            ("description", tester.TestDataType.String),
+            ("unstructured_json", tester.TestDataType.JSON),
+            ("restricted_region_iso_code", tester.TestDataType.String),
+        ],
+    )
 
 
 def downgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     # ### commands auto generated by Alembic - please adjust! ###
-    op.drop_table('namespacegeorestriction')
+    op.drop_table("namespacegeorestriction")
     # ### end Alembic commands ###
diff --git a/data/migrations/versions/5b7503aada1b_cleanup_old_robots.py b/data/migrations/versions/5b7503aada1b_cleanup_old_robots.py
index 89b469d6b..b5b6923bc 100644
--- a/data/migrations/versions/5b7503aada1b_cleanup_old_robots.py
+++ b/data/migrations/versions/5b7503aada1b_cleanup_old_robots.py
@@ -7,8 +7,8 @@ Create Date: 2018-05-09 17:18:52.230504
 """
 
 # revision identifiers, used by Alembic.
-revision = '5b7503aada1b'
-down_revision = '224ce4c72c2f'
+revision = "5b7503aada1b"
+down_revision = "224ce4c72c2f"
 
 from alembic import op as original_op
 from data.migrations.progress import ProgressWrapper
@@ -16,11 +16,13 @@ import sqlalchemy as sa
 
 from util.migrate.cleanup_old_robots import cleanup_old_robots
 
+
 def upgrade(tables, tester, progress_reporter):
-  op = ProgressWrapper(original_op, progress_reporter)
-  cleanup_old_robots()
+    op = ProgressWrapper(original_op, progress_reporter)
+    cleanup_old_robots()
+
 
 def downgrade(tables, tester, progress_reporter):
-  op = ProgressWrapper(original_op, progress_reporter)
-  # Nothing to do.
-  pass
+    op = ProgressWrapper(original_op, progress_reporter)
+    # Nothing to do.
+    pass
diff --git a/data/migrations/versions/5cbbfc95bac7_remove_oci_tables_not_used_by_cnr_the_.py b/data/migrations/versions/5cbbfc95bac7_remove_oci_tables_not_used_by_cnr_the_.py
index 46a2c3cec..73917f139 100644
--- a/data/migrations/versions/5cbbfc95bac7_remove_oci_tables_not_used_by_cnr_the_.py
+++ b/data/migrations/versions/5cbbfc95bac7_remove_oci_tables_not_used_by_cnr_the_.py
@@ -7,8 +7,8 @@ Create Date: 2018-05-23 17:28:40.114433
 """
 
 # revision identifiers, used by Alembic.
-revision = '5cbbfc95bac7'
-down_revision = '1783530bee68'
+revision = "5cbbfc95bac7"
+down_revision = "1783530bee68"
 
 from alembic import op as original_op
 from data.migrations.progress import ProgressWrapper
@@ -16,17 +16,18 @@ import sqlalchemy as sa
 from sqlalchemy.dialects import mysql
 from util.migrate import UTF8LongText, UTF8CharField
 
+
 def upgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     # ### commands auto generated by Alembic - please adjust! ###
-    op.drop_table('derivedimage')
-    op.drop_table('manifestlabel')
-    op.drop_table('blobplacementlocationpreference')
-    op.drop_table('blobuploading')
-    op.drop_table('bittorrentpieces')
-    op.drop_table('manifestlayerdockerv1')
-    op.drop_table('manifestlayerscan')
-    op.drop_table('manifestlayer')
+    op.drop_table("derivedimage")
+    op.drop_table("manifestlabel")
+    op.drop_table("blobplacementlocationpreference")
+    op.drop_table("blobuploading")
+    op.drop_table("bittorrentpieces")
+    op.drop_table("manifestlayerdockerv1")
+    op.drop_table("manifestlayerscan")
+    op.drop_table("manifestlayer")
     # ### end Alembic commands ###
 
 
@@ -34,137 +35,277 @@ def downgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     # ### commands auto generated by Alembic - please adjust! ###
     op.create_table(
-        'manifestlayer',
-        sa.Column('id', sa.Integer(), nullable=False),
-        sa.Column('blob_id', sa.Integer(), nullable=False),
-        sa.Column('manifest_id', sa.Integer(), nullable=False),
-        sa.Column('manifest_index', sa.BigInteger(), nullable=False),
-        sa.Column('metadata_json', UTF8LongText, nullable=False),
-        sa.ForeignKeyConstraint(['blob_id'], ['blob.id'], name=op.f('fk_manifestlayer_blob_id_blob')),
-        sa.ForeignKeyConstraint(['manifest_id'], ['manifest.id'], name=op.f('fk_manifestlayer_manifest_id_manifest')),
-        sa.PrimaryKeyConstraint('id', name=op.f('pk_manifestlayer'))
+        "manifestlayer",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("blob_id", sa.Integer(), nullable=False),
+        sa.Column("manifest_id", sa.Integer(), nullable=False),
+        sa.Column("manifest_index", sa.BigInteger(), nullable=False),
+        sa.Column("metadata_json", UTF8LongText, nullable=False),
+        sa.ForeignKeyConstraint(
+            ["blob_id"], ["blob.id"], name=op.f("fk_manifestlayer_blob_id_blob")
+        ),
+        sa.ForeignKeyConstraint(
+            ["manifest_id"],
+            ["manifest.id"],
+            name=op.f("fk_manifestlayer_manifest_id_manifest"),
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_manifestlayer")),
     )
-    op.create_index('manifestlayer_manifest_index', 'manifestlayer', ['manifest_index'], unique=False)
-    op.create_index('manifestlayer_manifest_id_manifest_index', 'manifestlayer', ['manifest_id', 'manifest_index'], unique=True)
-    op.create_index('manifestlayer_manifest_id', 'manifestlayer', ['manifest_id'], unique=False)
-    op.create_index('manifestlayer_blob_id', 'manifestlayer', ['blob_id'], unique=False)
+    op.create_index(
+        "manifestlayer_manifest_index",
+        "manifestlayer",
+        ["manifest_index"],
+        unique=False,
+    )
+    op.create_index(
+        "manifestlayer_manifest_id_manifest_index",
+        "manifestlayer",
+        ["manifest_id", "manifest_index"],
+        unique=True,
+    )
+    op.create_index(
+        "manifestlayer_manifest_id", "manifestlayer", ["manifest_id"], unique=False
+    )
+    op.create_index("manifestlayer_blob_id", "manifestlayer", ["blob_id"], unique=False)
 
     op.create_table(
-        'manifestlayerscan',
-        sa.Column('id', sa.Integer(), nullable=False),
-        sa.Column('layer_id', sa.Integer(), nullable=False),
-        sa.Column('scannable', sa.Boolean(), nullable=False),
-        sa.Column('scanned_by', UTF8CharField(length=255), nullable=False),
-        sa.ForeignKeyConstraint(['layer_id'], ['manifestlayer.id'], name=op.f('fk_manifestlayerscan_layer_id_manifestlayer')),
-        sa.PrimaryKeyConstraint('id', name=op.f('pk_manifestlayerscan'))
+        "manifestlayerscan",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("layer_id", sa.Integer(), nullable=False),
+        sa.Column("scannable", sa.Boolean(), nullable=False),
+        sa.Column("scanned_by", UTF8CharField(length=255), nullable=False),
+        sa.ForeignKeyConstraint(
+            ["layer_id"],
+            ["manifestlayer.id"],
+            name=op.f("fk_manifestlayerscan_layer_id_manifestlayer"),
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_manifestlayerscan")),
+    )
+
+    op.create_index(
+        "manifestlayerscan_layer_id", "manifestlayerscan", ["layer_id"], unique=True
     )
-    
-    op.create_index('manifestlayerscan_layer_id', 'manifestlayerscan', ['layer_id'], unique=True)
 
     op.create_table(
-        'bittorrentpieces',
-        sa.Column('id', sa.Integer(), nullable=False),
-        sa.Column('blob_id', sa.Integer(), nullable=False),
-        sa.Column('pieces', UTF8LongText, nullable=False),
-        sa.Column('piece_length', sa.BigInteger(), nullable=False),
-        sa.ForeignKeyConstraint(['blob_id'], ['blob.id'], name=op.f('fk_bittorrentpieces_blob_id_blob')),
-        sa.PrimaryKeyConstraint('id', name=op.f('pk_bittorrentpieces'))
+        "bittorrentpieces",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("blob_id", sa.Integer(), nullable=False),
+        sa.Column("pieces", UTF8LongText, nullable=False),
+        sa.Column("piece_length", sa.BigInteger(), nullable=False),
+        sa.ForeignKeyConstraint(
+            ["blob_id"], ["blob.id"], name=op.f("fk_bittorrentpieces_blob_id_blob")
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_bittorrentpieces")),
     )
 
-    op.create_index('bittorrentpieces_blob_id_piece_length', 'bittorrentpieces', ['blob_id', 'piece_length'], unique=True)
-    op.create_index('bittorrentpieces_blob_id', 'bittorrentpieces', ['blob_id'], unique=False)
+    op.create_index(
+        "bittorrentpieces_blob_id_piece_length",
+        "bittorrentpieces",
+        ["blob_id", "piece_length"],
+        unique=True,
+    )
+    op.create_index(
+        "bittorrentpieces_blob_id", "bittorrentpieces", ["blob_id"], unique=False
+    )
 
     op.create_table(
-        'blobuploading',
-        sa.Column('id', sa.Integer(), nullable=False),
-        sa.Column('uuid', sa.String(length=255), nullable=False),
-        sa.Column('created', sa.DateTime(), nullable=False),
-        sa.Column('repository_id', sa.Integer(), nullable=False),
-        sa.Column('location_id', sa.Integer(), nullable=False),
-        sa.Column('byte_count', sa.BigInteger(), nullable=False),
-        sa.Column('uncompressed_byte_count', sa.BigInteger(), nullable=True),
-        sa.Column('chunk_count', sa.BigInteger(), nullable=False),
-        sa.Column('storage_metadata', UTF8LongText, nullable=True),
-        sa.Column('sha_state', UTF8LongText, nullable=True),
-        sa.Column('piece_sha_state', UTF8LongText, nullable=True),
-        sa.Column('piece_hashes', UTF8LongText, nullable=True),
-        sa.ForeignKeyConstraint(['location_id'], ['blobplacementlocation.id'], name=op.f('fk_blobuploading_location_id_blobplacementlocation')),
-        sa.ForeignKeyConstraint(['repository_id'], ['repository.id'], name=op.f('fk_blobuploading_repository_id_repository')),
-        sa.PrimaryKeyConstraint('id', name=op.f('pk_blobuploading'))
+        "blobuploading",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("uuid", sa.String(length=255), nullable=False),
+        sa.Column("created", sa.DateTime(), nullable=False),
+        sa.Column("repository_id", sa.Integer(), nullable=False),
+        sa.Column("location_id", sa.Integer(), nullable=False),
+        sa.Column("byte_count", sa.BigInteger(), nullable=False),
+        sa.Column("uncompressed_byte_count", sa.BigInteger(), nullable=True),
+        sa.Column("chunk_count", sa.BigInteger(), nullable=False),
+        sa.Column("storage_metadata", UTF8LongText, nullable=True),
+        sa.Column("sha_state", UTF8LongText, nullable=True),
+        sa.Column("piece_sha_state", UTF8LongText, nullable=True),
+        sa.Column("piece_hashes", UTF8LongText, nullable=True),
+        sa.ForeignKeyConstraint(
+            ["location_id"],
+            ["blobplacementlocation.id"],
+            name=op.f("fk_blobuploading_location_id_blobplacementlocation"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["repository_id"],
+            ["repository.id"],
+            name=op.f("fk_blobuploading_repository_id_repository"),
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_blobuploading")),
     )
-    
-    op.create_index('blobuploading_uuid', 'blobuploading', ['uuid'], unique=True)
-    op.create_index('blobuploading_repository_id_uuid', 'blobuploading', ['repository_id', 'uuid'], unique=True)
-    op.create_index('blobuploading_repository_id', 'blobuploading', ['repository_id'], unique=False)
-    op.create_index('blobuploading_location_id', 'blobuploading', ['location_id'], unique=False)
-    op.create_index('blobuploading_created', 'blobuploading', ['created'], unique=False)
+
+    op.create_index("blobuploading_uuid", "blobuploading", ["uuid"], unique=True)
+    op.create_index(
+        "blobuploading_repository_id_uuid",
+        "blobuploading",
+        ["repository_id", "uuid"],
+        unique=True,
+    )
+    op.create_index(
+        "blobuploading_repository_id", "blobuploading", ["repository_id"], unique=False
+    )
+    op.create_index(
+        "blobuploading_location_id", "blobuploading", ["location_id"], unique=False
+    )
+    op.create_index("blobuploading_created", "blobuploading", ["created"], unique=False)
 
     op.create_table(
-        'manifestlayerdockerv1',
-        sa.Column('id', sa.Integer(), nullable=False),
-        sa.Column('manifest_layer_id', sa.Integer(), nullable=False),
-        sa.Column('image_id', UTF8CharField(length=255), nullable=False),
-        sa.Column('checksum', UTF8CharField(length=255), nullable=False),
-        sa.Column('compat_json', UTF8LongText, nullable=False),
-        sa.ForeignKeyConstraint(['manifest_layer_id'], ['manifestlayer.id'], name=op.f('fk_manifestlayerdockerv1_manifest_layer_id_manifestlayer')),
-        sa.PrimaryKeyConstraint('id', name=op.f('pk_manifestlayerdockerv1'))
+        "manifestlayerdockerv1",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("manifest_layer_id", sa.Integer(), nullable=False),
+        sa.Column("image_id", UTF8CharField(length=255), nullable=False),
+        sa.Column("checksum", UTF8CharField(length=255), nullable=False),
+        sa.Column("compat_json", UTF8LongText, nullable=False),
+        sa.ForeignKeyConstraint(
+            ["manifest_layer_id"],
+            ["manifestlayer.id"],
+            name=op.f("fk_manifestlayerdockerv1_manifest_layer_id_manifestlayer"),
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_manifestlayerdockerv1")),
     )
 
-    op.create_index('manifestlayerdockerv1_manifest_layer_id', 'manifestlayerdockerv1', ['manifest_layer_id'], unique=False)
-    op.create_index('manifestlayerdockerv1_image_id', 'manifestlayerdockerv1', ['image_id'], unique=False)
+    op.create_index(
+        "manifestlayerdockerv1_manifest_layer_id",
+        "manifestlayerdockerv1",
+        ["manifest_layer_id"],
+        unique=False,
+    )
+    op.create_index(
+        "manifestlayerdockerv1_image_id",
+        "manifestlayerdockerv1",
+        ["image_id"],
+        unique=False,
+    )
 
     op.create_table(
-        'manifestlabel',
-        sa.Column('id', sa.Integer(), nullable=False),
-        sa.Column('repository_id', sa.Integer(), nullable=False),
-        sa.Column('annotated_id', sa.Integer(), nullable=False),
-        sa.Column('label_id', sa.Integer(), nullable=False),
-        sa.ForeignKeyConstraint(['annotated_id'], ['manifest.id'], name=op.f('fk_manifestlabel_annotated_id_manifest')),
-        sa.ForeignKeyConstraint(['label_id'], ['label.id'], name=op.f('fk_manifestlabel_label_id_label')),
-        sa.ForeignKeyConstraint(['repository_id'], ['repository.id'], name=op.f('fk_manifestlabel_repository_id_repository')),
-        sa.PrimaryKeyConstraint('id', name=op.f('pk_manifestlabel'))
+        "manifestlabel",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("repository_id", sa.Integer(), nullable=False),
+        sa.Column("annotated_id", sa.Integer(), nullable=False),
+        sa.Column("label_id", sa.Integer(), nullable=False),
+        sa.ForeignKeyConstraint(
+            ["annotated_id"],
+            ["manifest.id"],
+            name=op.f("fk_manifestlabel_annotated_id_manifest"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["label_id"], ["label.id"], name=op.f("fk_manifestlabel_label_id_label")
+        ),
+        sa.ForeignKeyConstraint(
+            ["repository_id"],
+            ["repository.id"],
+            name=op.f("fk_manifestlabel_repository_id_repository"),
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_manifestlabel")),
     )
 
-    op.create_index('manifestlabel_repository_id_annotated_id_label_id', 'manifestlabel', ['repository_id', 'annotated_id', 'label_id'], unique=True)
-    op.create_index('manifestlabel_repository_id', 'manifestlabel', ['repository_id'], unique=False)
-    op.create_index('manifestlabel_label_id', 'manifestlabel', ['label_id'], unique=False)
-    op.create_index('manifestlabel_annotated_id', 'manifestlabel', ['annotated_id'], unique=False)
+    op.create_index(
+        "manifestlabel_repository_id_annotated_id_label_id",
+        "manifestlabel",
+        ["repository_id", "annotated_id", "label_id"],
+        unique=True,
+    )
+    op.create_index(
+        "manifestlabel_repository_id", "manifestlabel", ["repository_id"], unique=False
+    )
+    op.create_index(
+        "manifestlabel_label_id", "manifestlabel", ["label_id"], unique=False
+    )
+    op.create_index(
+        "manifestlabel_annotated_id", "manifestlabel", ["annotated_id"], unique=False
+    )
 
     op.create_table(
-        'blobplacementlocationpreference',
-        sa.Column('id', sa.Integer(), nullable=False),
-        sa.Column('user_id', sa.Integer(), nullable=False),
-        sa.Column('location_id', sa.Integer(), nullable=False),
-        sa.ForeignKeyConstraint(['location_id'], ['blobplacementlocation.id'], name=op.f('fk_blobplacementlocpref_locid_blobplacementlocation')),
-        sa.ForeignKeyConstraint(['user_id'], ['user.id'], name=op.f('fk_blobplacementlocationpreference_user_id_user')),
-        sa.PrimaryKeyConstraint('id', name=op.f('pk_blobplacementlocationpreference'))
+        "blobplacementlocationpreference",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("user_id", sa.Integer(), nullable=False),
+        sa.Column("location_id", sa.Integer(), nullable=False),
+        sa.ForeignKeyConstraint(
+            ["location_id"],
+            ["blobplacementlocation.id"],
+            name=op.f("fk_blobplacementlocpref_locid_blobplacementlocation"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["user_id"],
+            ["user.id"],
+            name=op.f("fk_blobplacementlocationpreference_user_id_user"),
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_blobplacementlocationpreference")),
+    )
+    op.create_index(
+        "blobplacementlocationpreference_user_id",
+        "blobplacementlocationpreference",
+        ["user_id"],
+        unique=False,
+    )
+    op.create_index(
+        "blobplacementlocationpreference_location_id",
+        "blobplacementlocationpreference",
+        ["location_id"],
+        unique=False,
     )
-    op.create_index('blobplacementlocationpreference_user_id', 'blobplacementlocationpreference', ['user_id'], unique=False)
-    op.create_index('blobplacementlocationpreference_location_id', 'blobplacementlocationpreference', ['location_id'], unique=False)
-    
 
     op.create_table(
-        'derivedimage',
-        sa.Column('id', sa.Integer(), nullable=False),
-        sa.Column('uuid', sa.String(length=255), nullable=False),
-        sa.Column('source_manifest_id', sa.Integer(), nullable=False),
-        sa.Column('derived_manifest_json', UTF8LongText, nullable=False),
-        sa.Column('media_type_id', sa.Integer(), nullable=False),
-        sa.Column('blob_id', sa.Integer(), nullable=False),
-        sa.Column('uniqueness_hash', sa.String(length=255), nullable=False),
-        sa.Column('signature_blob_id', sa.Integer(), nullable=True),
-        sa.ForeignKeyConstraint(['blob_id'], ['blob.id'], name=op.f('fk_derivedimage_blob_id_blob')),
-        sa.ForeignKeyConstraint(['media_type_id'], ['mediatype.id'], name=op.f('fk_derivedimage_media_type_id_mediatype')),
-        sa.ForeignKeyConstraint(['signature_blob_id'], ['blob.id'], name=op.f('fk_derivedimage_signature_blob_id_blob')),
-        sa.ForeignKeyConstraint(['source_manifest_id'], ['manifest.id'], name=op.f('fk_derivedimage_source_manifest_id_manifest')),
-        sa.PrimaryKeyConstraint('id', name=op.f('pk_derivedimage'))
+        "derivedimage",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("uuid", sa.String(length=255), nullable=False),
+        sa.Column("source_manifest_id", sa.Integer(), nullable=False),
+        sa.Column("derived_manifest_json", UTF8LongText, nullable=False),
+        sa.Column("media_type_id", sa.Integer(), nullable=False),
+        sa.Column("blob_id", sa.Integer(), nullable=False),
+        sa.Column("uniqueness_hash", sa.String(length=255), nullable=False),
+        sa.Column("signature_blob_id", sa.Integer(), nullable=True),
+        sa.ForeignKeyConstraint(
+            ["blob_id"], ["blob.id"], name=op.f("fk_derivedimage_blob_id_blob")
+        ),
+        sa.ForeignKeyConstraint(
+            ["media_type_id"],
+            ["mediatype.id"],
+            name=op.f("fk_derivedimage_media_type_id_mediatype"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["signature_blob_id"],
+            ["blob.id"],
+            name=op.f("fk_derivedimage_signature_blob_id_blob"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["source_manifest_id"],
+            ["manifest.id"],
+            name=op.f("fk_derivedimage_source_manifest_id_manifest"),
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_derivedimage")),
     )
-    op.create_index('derivedimage_uuid', 'derivedimage', ['uuid'], unique=True)
-    op.create_index('derivedimage_uniqueness_hash', 'derivedimage', ['uniqueness_hash'], unique=True)
-    op.create_index('derivedimage_source_manifest_id_media_type_id_uniqueness_hash', 'derivedimage', ['source_manifest_id', 'media_type_id', 'uniqueness_hash'], unique=True)
-    op.create_index('derivedimage_source_manifest_id_blob_id', 'derivedimage', ['source_manifest_id', 'blob_id'], unique=True)
-    op.create_index('derivedimage_source_manifest_id', 'derivedimage', ['source_manifest_id'], unique=False)
-    op.create_index('derivedimage_signature_blob_id', 'derivedimage', ['signature_blob_id'], unique=False)
-    op.create_index('derivedimage_media_type_id', 'derivedimage', ['media_type_id'], unique=False)
-    op.create_index('derivedimage_blob_id', 'derivedimage', ['blob_id'], unique=False)
+    op.create_index("derivedimage_uuid", "derivedimage", ["uuid"], unique=True)
+    op.create_index(
+        "derivedimage_uniqueness_hash", "derivedimage", ["uniqueness_hash"], unique=True
+    )
+    op.create_index(
+        "derivedimage_source_manifest_id_media_type_id_uniqueness_hash",
+        "derivedimage",
+        ["source_manifest_id", "media_type_id", "uniqueness_hash"],
+        unique=True,
+    )
+    op.create_index(
+        "derivedimage_source_manifest_id_blob_id",
+        "derivedimage",
+        ["source_manifest_id", "blob_id"],
+        unique=True,
+    )
+    op.create_index(
+        "derivedimage_source_manifest_id",
+        "derivedimage",
+        ["source_manifest_id"],
+        unique=False,
+    )
+    op.create_index(
+        "derivedimage_signature_blob_id",
+        "derivedimage",
+        ["signature_blob_id"],
+        unique=False,
+    )
+    op.create_index(
+        "derivedimage_media_type_id", "derivedimage", ["media_type_id"], unique=False
+    )
+    op.create_index("derivedimage_blob_id", "derivedimage", ["blob_id"], unique=False)
     # ### end Alembic commands ###
diff --git a/data/migrations/versions/5d463ea1e8a8_backfill_new_appr_tables.py b/data/migrations/versions/5d463ea1e8a8_backfill_new_appr_tables.py
index a0df295dc..c357b9256 100644
--- a/data/migrations/versions/5d463ea1e8a8_backfill_new_appr_tables.py
+++ b/data/migrations/versions/5d463ea1e8a8_backfill_new_appr_tables.py
@@ -7,25 +7,27 @@ Create Date: 2018-07-08 10:01:19.756126
 """
 
 # revision identifiers, used by Alembic.
-revision = '5d463ea1e8a8'
-down_revision = '610320e9dacf'
+revision = "5d463ea1e8a8"
+down_revision = "610320e9dacf"
 
 from alembic import op as original_op
 from data.migrations.progress import ProgressWrapper
 import sqlalchemy as sa
 from util.migrate.table_ops import copy_table_contents
 
+
 def upgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     conn = op.get_bind()
 
-    copy_table_contents('blob', 'apprblob', conn)
-    copy_table_contents('manifest', 'apprmanifest', conn)
-    copy_table_contents('manifestlist', 'apprmanifestlist', conn)
-    copy_table_contents('blobplacement', 'apprblobplacement', conn)
-    copy_table_contents('manifestblob', 'apprmanifestblob', conn)
-    copy_table_contents('manifestlistmanifest', 'apprmanifestlistmanifest', conn)
-    copy_table_contents('tag', 'apprtag', conn)
+    copy_table_contents("blob", "apprblob", conn)
+    copy_table_contents("manifest", "apprmanifest", conn)
+    copy_table_contents("manifestlist", "apprmanifestlist", conn)
+    copy_table_contents("blobplacement", "apprblobplacement", conn)
+    copy_table_contents("manifestblob", "apprmanifestblob", conn)
+    copy_table_contents("manifestlistmanifest", "apprmanifestlistmanifest", conn)
+    copy_table_contents("tag", "apprtag", conn)
+
 
 def downgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
diff --git a/data/migrations/versions/610320e9dacf_add_new_appr_specific_tables.py b/data/migrations/versions/610320e9dacf_add_new_appr_specific_tables.py
index 99c365260..dad746d2d 100644
--- a/data/migrations/versions/610320e9dacf_add_new_appr_specific_tables.py
+++ b/data/migrations/versions/610320e9dacf_add_new_appr_specific_tables.py
@@ -7,8 +7,8 @@ Create Date: 2018-05-24 16:46:13.514562
 """
 
 # revision identifiers, used by Alembic.
-revision = '610320e9dacf'
-down_revision = '5cbbfc95bac7'
+revision = "610320e9dacf"
+down_revision = "5cbbfc95bac7"
 
 from alembic import op as original_op
 from data.migrations.progress import ProgressWrapper
@@ -16,191 +16,356 @@ import sqlalchemy as sa
 
 from util.migrate.table_ops import copy_table_contents
 
+
 def upgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     # ### commands auto generated by Alembic - please adjust! ###
-    op.create_table('apprblobplacementlocation',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('name', sa.String(length=255), nullable=False),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_apprblobplacementlocation'))
+    op.create_table(
+        "apprblobplacementlocation",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("name", sa.String(length=255), nullable=False),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_apprblobplacementlocation")),
     )
-    op.create_index('apprblobplacementlocation_name', 'apprblobplacementlocation', ['name'], unique=True)
-    op.create_table('apprtagkind',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('name', sa.String(length=255), nullable=False),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_apprtagkind'))
+    op.create_index(
+        "apprblobplacementlocation_name",
+        "apprblobplacementlocation",
+        ["name"],
+        unique=True,
     )
-    op.create_index('apprtagkind_name', 'apprtagkind', ['name'], unique=True)
-    op.create_table('apprblob',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('digest', sa.String(length=255), nullable=False),
-    sa.Column('media_type_id', sa.Integer(), nullable=False),
-    sa.Column('size', sa.BigInteger(), nullable=False),
-    sa.Column('uncompressed_size', sa.BigInteger(), nullable=True),
-    sa.ForeignKeyConstraint(['media_type_id'], ['mediatype.id'], name=op.f('fk_apprblob_media_type_id_mediatype')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_apprblob'))
+    op.create_table(
+        "apprtagkind",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("name", sa.String(length=255), nullable=False),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_apprtagkind")),
     )
-    op.create_index('apprblob_digest', 'apprblob', ['digest'], unique=True)
-    op.create_index('apprblob_media_type_id', 'apprblob', ['media_type_id'], unique=False)
-    op.create_table('apprmanifest',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('digest', sa.String(length=255), nullable=False),
-    sa.Column('media_type_id', sa.Integer(), nullable=False),
-    sa.Column('manifest_json', sa.Text(), nullable=False),
-    sa.ForeignKeyConstraint(['media_type_id'], ['mediatype.id'], name=op.f('fk_apprmanifest_media_type_id_mediatype')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_apprmanifest'))
+    op.create_index("apprtagkind_name", "apprtagkind", ["name"], unique=True)
+    op.create_table(
+        "apprblob",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("digest", sa.String(length=255), nullable=False),
+        sa.Column("media_type_id", sa.Integer(), nullable=False),
+        sa.Column("size", sa.BigInteger(), nullable=False),
+        sa.Column("uncompressed_size", sa.BigInteger(), nullable=True),
+        sa.ForeignKeyConstraint(
+            ["media_type_id"],
+            ["mediatype.id"],
+            name=op.f("fk_apprblob_media_type_id_mediatype"),
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_apprblob")),
     )
-    op.create_index('apprmanifest_digest', 'apprmanifest', ['digest'], unique=True)
-    op.create_index('apprmanifest_media_type_id', 'apprmanifest', ['media_type_id'], unique=False)
-    op.create_table('apprmanifestlist',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('digest', sa.String(length=255), nullable=False),
-    sa.Column('manifest_list_json', sa.Text(), nullable=False),
-    sa.Column('schema_version', sa.String(length=255), nullable=False),
-    sa.Column('media_type_id', sa.Integer(), nullable=False),
-    sa.ForeignKeyConstraint(['media_type_id'], ['mediatype.id'], name=op.f('fk_apprmanifestlist_media_type_id_mediatype')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_apprmanifestlist'))
+    op.create_index("apprblob_digest", "apprblob", ["digest"], unique=True)
+    op.create_index(
+        "apprblob_media_type_id", "apprblob", ["media_type_id"], unique=False
     )
-    op.create_index('apprmanifestlist_digest', 'apprmanifestlist', ['digest'], unique=True)
-    op.create_index('apprmanifestlist_media_type_id', 'apprmanifestlist', ['media_type_id'], unique=False)
-    op.create_table('apprblobplacement',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('blob_id', sa.Integer(), nullable=False),
-    sa.Column('location_id', sa.Integer(), nullable=False),
-    sa.ForeignKeyConstraint(['blob_id'], ['apprblob.id'], name=op.f('fk_apprblobplacement_blob_id_apprblob')),
-    sa.ForeignKeyConstraint(['location_id'], ['apprblobplacementlocation.id'], name=op.f('fk_apprblobplacement_location_id_apprblobplacementlocation')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_apprblobplacement'))
+    op.create_table(
+        "apprmanifest",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("digest", sa.String(length=255), nullable=False),
+        sa.Column("media_type_id", sa.Integer(), nullable=False),
+        sa.Column("manifest_json", sa.Text(), nullable=False),
+        sa.ForeignKeyConstraint(
+            ["media_type_id"],
+            ["mediatype.id"],
+            name=op.f("fk_apprmanifest_media_type_id_mediatype"),
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_apprmanifest")),
     )
-    op.create_index('apprblobplacement_blob_id', 'apprblobplacement', ['blob_id'], unique=False)
-    op.create_index('apprblobplacement_blob_id_location_id', 'apprblobplacement', ['blob_id', 'location_id'], unique=True)
-    op.create_index('apprblobplacement_location_id', 'apprblobplacement', ['location_id'], unique=False)
-    op.create_table('apprmanifestblob',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('manifest_id', sa.Integer(), nullable=False),
-    sa.Column('blob_id', sa.Integer(), nullable=False),
-    sa.ForeignKeyConstraint(['blob_id'], ['apprblob.id'], name=op.f('fk_apprmanifestblob_blob_id_apprblob')),
-    sa.ForeignKeyConstraint(['manifest_id'], ['apprmanifest.id'], name=op.f('fk_apprmanifestblob_manifest_id_apprmanifest')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_apprmanifestblob'))
+    op.create_index("apprmanifest_digest", "apprmanifest", ["digest"], unique=True)
+    op.create_index(
+        "apprmanifest_media_type_id", "apprmanifest", ["media_type_id"], unique=False
     )
-    op.create_index('apprmanifestblob_blob_id', 'apprmanifestblob', ['blob_id'], unique=False)
-    op.create_index('apprmanifestblob_manifest_id', 'apprmanifestblob', ['manifest_id'], unique=False)
-    op.create_index('apprmanifestblob_manifest_id_blob_id', 'apprmanifestblob', ['manifest_id', 'blob_id'], unique=True)
-    op.create_table('apprmanifestlistmanifest',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('manifest_list_id', sa.Integer(), nullable=False),
-    sa.Column('manifest_id', sa.Integer(), nullable=False),
-    sa.Column('operating_system', sa.String(length=255), nullable=True),
-    sa.Column('architecture', sa.String(length=255), nullable=True),
-    sa.Column('platform_json', sa.Text(), nullable=True),
-    sa.Column('media_type_id', sa.Integer(), nullable=False),
-    sa.ForeignKeyConstraint(['manifest_id'], ['apprmanifest.id'], name=op.f('fk_apprmanifestlistmanifest_manifest_id_apprmanifest')),
-    sa.ForeignKeyConstraint(['manifest_list_id'], ['apprmanifestlist.id'], name=op.f('fk_apprmanifestlistmanifest_manifest_list_id_apprmanifestlist')),
-    sa.ForeignKeyConstraint(['media_type_id'], ['mediatype.id'], name=op.f('fk_apprmanifestlistmanifest_media_type_id_mediatype')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_apprmanifestlistmanifest'))
+    op.create_table(
+        "apprmanifestlist",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("digest", sa.String(length=255), nullable=False),
+        sa.Column("manifest_list_json", sa.Text(), nullable=False),
+        sa.Column("schema_version", sa.String(length=255), nullable=False),
+        sa.Column("media_type_id", sa.Integer(), nullable=False),
+        sa.ForeignKeyConstraint(
+            ["media_type_id"],
+            ["mediatype.id"],
+            name=op.f("fk_apprmanifestlist_media_type_id_mediatype"),
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_apprmanifestlist")),
     )
-    op.create_index('apprmanifestlistmanifest_manifest_id', 'apprmanifestlistmanifest', ['manifest_id'], unique=False)
-    op.create_index('apprmanifestlistmanifest_manifest_list_id', 'apprmanifestlistmanifest', ['manifest_list_id'], unique=False)
-    op.create_index('apprmanifestlistmanifest_manifest_list_id_media_type_id', 'apprmanifestlistmanifest', ['manifest_list_id', 'media_type_id'], unique=False)
-    op.create_index('apprmanifestlistmanifest_manifest_list_id_operating_system_arch', 'apprmanifestlistmanifest', ['manifest_list_id', 'operating_system', 'architecture', 'media_type_id'], unique=False)
-    op.create_index('apprmanifestlistmanifest_media_type_id', 'apprmanifestlistmanifest', ['media_type_id'], unique=False)
-    op.create_table('apprtag',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('name', sa.String(length=255), nullable=False),
-    sa.Column('repository_id', sa.Integer(), nullable=False),
-    sa.Column('manifest_list_id', sa.Integer(), nullable=True),
-    sa.Column('lifetime_start', sa.BigInteger(), nullable=False),
-    sa.Column('lifetime_end', sa.BigInteger(), nullable=True),
-    sa.Column('hidden', sa.Boolean(), nullable=False),
-    sa.Column('reverted', sa.Boolean(), nullable=False),
-    sa.Column('protected', sa.Boolean(), nullable=False),
-    sa.Column('tag_kind_id', sa.Integer(), nullable=False),
-    sa.Column('linked_tag_id', sa.Integer(), nullable=True),
-    sa.ForeignKeyConstraint(['linked_tag_id'], ['apprtag.id'], name=op.f('fk_apprtag_linked_tag_id_apprtag')),
-    sa.ForeignKeyConstraint(['manifest_list_id'], ['apprmanifestlist.id'], name=op.f('fk_apprtag_manifest_list_id_apprmanifestlist')),
-    sa.ForeignKeyConstraint(['repository_id'], ['repository.id'], name=op.f('fk_apprtag_repository_id_repository')),
-    sa.ForeignKeyConstraint(['tag_kind_id'], ['apprtagkind.id'], name=op.f('fk_apprtag_tag_kind_id_apprtagkind')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_apprtag'))
+    op.create_index(
+        "apprmanifestlist_digest", "apprmanifestlist", ["digest"], unique=True
     )
-    op.create_index('apprtag_lifetime_end', 'apprtag', ['lifetime_end'], unique=False)
-    op.create_index('apprtag_linked_tag_id', 'apprtag', ['linked_tag_id'], unique=False)
-    op.create_index('apprtag_manifest_list_id', 'apprtag', ['manifest_list_id'], unique=False)
-    op.create_index('apprtag_repository_id', 'apprtag', ['repository_id'], unique=False)
-    op.create_index('apprtag_repository_id_name', 'apprtag', ['repository_id', 'name'], unique=False)
-    op.create_index('apprtag_repository_id_name_hidden', 'apprtag', ['repository_id', 'name', 'hidden'], unique=False)
-    op.create_index('apprtag_repository_id_name_lifetime_end', 'apprtag', ['repository_id', 'name', 'lifetime_end'], unique=True)
-    op.create_index('apprtag_tag_kind_id', 'apprtag', ['tag_kind_id'], unique=False)
+    op.create_index(
+        "apprmanifestlist_media_type_id",
+        "apprmanifestlist",
+        ["media_type_id"],
+        unique=False,
+    )
+    op.create_table(
+        "apprblobplacement",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("blob_id", sa.Integer(), nullable=False),
+        sa.Column("location_id", sa.Integer(), nullable=False),
+        sa.ForeignKeyConstraint(
+            ["blob_id"],
+            ["apprblob.id"],
+            name=op.f("fk_apprblobplacement_blob_id_apprblob"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["location_id"],
+            ["apprblobplacementlocation.id"],
+            name=op.f("fk_apprblobplacement_location_id_apprblobplacementlocation"),
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_apprblobplacement")),
+    )
+    op.create_index(
+        "apprblobplacement_blob_id", "apprblobplacement", ["blob_id"], unique=False
+    )
+    op.create_index(
+        "apprblobplacement_blob_id_location_id",
+        "apprblobplacement",
+        ["blob_id", "location_id"],
+        unique=True,
+    )
+    op.create_index(
+        "apprblobplacement_location_id",
+        "apprblobplacement",
+        ["location_id"],
+        unique=False,
+    )
+    op.create_table(
+        "apprmanifestblob",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("manifest_id", sa.Integer(), nullable=False),
+        sa.Column("blob_id", sa.Integer(), nullable=False),
+        sa.ForeignKeyConstraint(
+            ["blob_id"],
+            ["apprblob.id"],
+            name=op.f("fk_apprmanifestblob_blob_id_apprblob"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["manifest_id"],
+            ["apprmanifest.id"],
+            name=op.f("fk_apprmanifestblob_manifest_id_apprmanifest"),
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_apprmanifestblob")),
+    )
+    op.create_index(
+        "apprmanifestblob_blob_id", "apprmanifestblob", ["blob_id"], unique=False
+    )
+    op.create_index(
+        "apprmanifestblob_manifest_id",
+        "apprmanifestblob",
+        ["manifest_id"],
+        unique=False,
+    )
+    op.create_index(
+        "apprmanifestblob_manifest_id_blob_id",
+        "apprmanifestblob",
+        ["manifest_id", "blob_id"],
+        unique=True,
+    )
+    op.create_table(
+        "apprmanifestlistmanifest",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("manifest_list_id", sa.Integer(), nullable=False),
+        sa.Column("manifest_id", sa.Integer(), nullable=False),
+        sa.Column("operating_system", sa.String(length=255), nullable=True),
+        sa.Column("architecture", sa.String(length=255), nullable=True),
+        sa.Column("platform_json", sa.Text(), nullable=True),
+        sa.Column("media_type_id", sa.Integer(), nullable=False),
+        sa.ForeignKeyConstraint(
+            ["manifest_id"],
+            ["apprmanifest.id"],
+            name=op.f("fk_apprmanifestlistmanifest_manifest_id_apprmanifest"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["manifest_list_id"],
+            ["apprmanifestlist.id"],
+            name=op.f("fk_apprmanifestlistmanifest_manifest_list_id_apprmanifestlist"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["media_type_id"],
+            ["mediatype.id"],
+            name=op.f("fk_apprmanifestlistmanifest_media_type_id_mediatype"),
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_apprmanifestlistmanifest")),
+    )
+    op.create_index(
+        "apprmanifestlistmanifest_manifest_id",
+        "apprmanifestlistmanifest",
+        ["manifest_id"],
+        unique=False,
+    )
+    op.create_index(
+        "apprmanifestlistmanifest_manifest_list_id",
+        "apprmanifestlistmanifest",
+        ["manifest_list_id"],
+        unique=False,
+    )
+    op.create_index(
+        "apprmanifestlistmanifest_manifest_list_id_media_type_id",
+        "apprmanifestlistmanifest",
+        ["manifest_list_id", "media_type_id"],
+        unique=False,
+    )
+    op.create_index(
+        "apprmanifestlistmanifest_manifest_list_id_operating_system_arch",
+        "apprmanifestlistmanifest",
+        ["manifest_list_id", "operating_system", "architecture", "media_type_id"],
+        unique=False,
+    )
+    op.create_index(
+        "apprmanifestlistmanifest_media_type_id",
+        "apprmanifestlistmanifest",
+        ["media_type_id"],
+        unique=False,
+    )
+    op.create_table(
+        "apprtag",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("name", sa.String(length=255), nullable=False),
+        sa.Column("repository_id", sa.Integer(), nullable=False),
+        sa.Column("manifest_list_id", sa.Integer(), nullable=True),
+        sa.Column("lifetime_start", sa.BigInteger(), nullable=False),
+        sa.Column("lifetime_end", sa.BigInteger(), nullable=True),
+        sa.Column("hidden", sa.Boolean(), nullable=False),
+        sa.Column("reverted", sa.Boolean(), nullable=False),
+        sa.Column("protected", sa.Boolean(), nullable=False),
+        sa.Column("tag_kind_id", sa.Integer(), nullable=False),
+        sa.Column("linked_tag_id", sa.Integer(), nullable=True),
+        sa.ForeignKeyConstraint(
+            ["linked_tag_id"],
+            ["apprtag.id"],
+            name=op.f("fk_apprtag_linked_tag_id_apprtag"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["manifest_list_id"],
+            ["apprmanifestlist.id"],
+            name=op.f("fk_apprtag_manifest_list_id_apprmanifestlist"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["repository_id"],
+            ["repository.id"],
+            name=op.f("fk_apprtag_repository_id_repository"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["tag_kind_id"],
+            ["apprtagkind.id"],
+            name=op.f("fk_apprtag_tag_kind_id_apprtagkind"),
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_apprtag")),
+    )
+    op.create_index("apprtag_lifetime_end", "apprtag", ["lifetime_end"], unique=False)
+    op.create_index("apprtag_linked_tag_id", "apprtag", ["linked_tag_id"], unique=False)
+    op.create_index(
+        "apprtag_manifest_list_id", "apprtag", ["manifest_list_id"], unique=False
+    )
+    op.create_index("apprtag_repository_id", "apprtag", ["repository_id"], unique=False)
+    op.create_index(
+        "apprtag_repository_id_name", "apprtag", ["repository_id", "name"], unique=False
+    )
+    op.create_index(
+        "apprtag_repository_id_name_hidden",
+        "apprtag",
+        ["repository_id", "name", "hidden"],
+        unique=False,
+    )
+    op.create_index(
+        "apprtag_repository_id_name_lifetime_end",
+        "apprtag",
+        ["repository_id", "name", "lifetime_end"],
+        unique=True,
+    )
+    op.create_index("apprtag_tag_kind_id", "apprtag", ["tag_kind_id"], unique=False)
     # ### end Alembic commands ###
 
     conn = op.get_bind()
-    copy_table_contents('blobplacementlocation', 'apprblobplacementlocation', conn)
-    copy_table_contents('tagkind', 'apprtagkind', conn)
-    
+    copy_table_contents("blobplacementlocation", "apprblobplacementlocation", conn)
+    copy_table_contents("tagkind", "apprtagkind", conn)
+
     # ### population of test data ### #
-        
-    tester.populate_table('apprmanifest', [
-        ('digest', tester.TestDataType.String),
-        ('media_type_id', tester.TestDataType.Foreign('mediatype')),
-        ('manifest_json', tester.TestDataType.JSON),
-    ])
 
-    tester.populate_table('apprmanifestlist', [
-        ('digest', tester.TestDataType.String),
-        ('manifest_list_json', tester.TestDataType.JSON),
-        ('schema_version', tester.TestDataType.String),
-        ('media_type_id', tester.TestDataType.Foreign('mediatype')),
-    ])
+    tester.populate_table(
+        "apprmanifest",
+        [
+            ("digest", tester.TestDataType.String),
+            ("media_type_id", tester.TestDataType.Foreign("mediatype")),
+            ("manifest_json", tester.TestDataType.JSON),
+        ],
+    )
 
-    tester.populate_table('apprmanifestlistmanifest', [
-        ('manifest_list_id', tester.TestDataType.Foreign('apprmanifestlist')),
-        ('manifest_id', tester.TestDataType.Foreign('apprmanifest')),
-        ('operating_system', tester.TestDataType.String),
-        ('architecture', tester.TestDataType.String),
-        ('platform_json', tester.TestDataType.JSON),
-        ('media_type_id', tester.TestDataType.Foreign('mediatype')),
-    ])
+    tester.populate_table(
+        "apprmanifestlist",
+        [
+            ("digest", tester.TestDataType.String),
+            ("manifest_list_json", tester.TestDataType.JSON),
+            ("schema_version", tester.TestDataType.String),
+            ("media_type_id", tester.TestDataType.Foreign("mediatype")),
+        ],
+    )
 
-    tester.populate_table('apprblob', [
-        ('digest', tester.TestDataType.String),
-        ('media_type_id', tester.TestDataType.Foreign('mediatype')),
-        ('size', tester.TestDataType.BigInteger),
-        ('uncompressed_size', tester.TestDataType.BigInteger),
-    ])
+    tester.populate_table(
+        "apprmanifestlistmanifest",
+        [
+            ("manifest_list_id", tester.TestDataType.Foreign("apprmanifestlist")),
+            ("manifest_id", tester.TestDataType.Foreign("apprmanifest")),
+            ("operating_system", tester.TestDataType.String),
+            ("architecture", tester.TestDataType.String),
+            ("platform_json", tester.TestDataType.JSON),
+            ("media_type_id", tester.TestDataType.Foreign("mediatype")),
+        ],
+    )
 
-    tester.populate_table('apprmanifestblob', [
-        ('manifest_id', tester.TestDataType.Foreign('apprmanifest')),
-        ('blob_id', tester.TestDataType.Foreign('apprblob')),
-    ])
+    tester.populate_table(
+        "apprblob",
+        [
+            ("digest", tester.TestDataType.String),
+            ("media_type_id", tester.TestDataType.Foreign("mediatype")),
+            ("size", tester.TestDataType.BigInteger),
+            ("uncompressed_size", tester.TestDataType.BigInteger),
+        ],
+    )
 
-    tester.populate_table('apprtag', [
-        ('name', tester.TestDataType.String),
-        ('repository_id', tester.TestDataType.Foreign('repository')),
-        ('manifest_list_id', tester.TestDataType.Foreign('apprmanifestlist')),
-        ('lifetime_start', tester.TestDataType.Integer),
-        ('hidden', tester.TestDataType.Boolean),
-        ('reverted', tester.TestDataType.Boolean),
-        ('protected', tester.TestDataType.Boolean),
-        ('tag_kind_id', tester.TestDataType.Foreign('apprtagkind')),
-    ])
+    tester.populate_table(
+        "apprmanifestblob",
+        [
+            ("manifest_id", tester.TestDataType.Foreign("apprmanifest")),
+            ("blob_id", tester.TestDataType.Foreign("apprblob")),
+        ],
+    )
 
-    tester.populate_table('apprblobplacement', [
-        ('blob_id', tester.TestDataType.Foreign('apprmanifestblob')),
-        ('location_id', tester.TestDataType.Foreign('apprblobplacementlocation')),
-    ])
+    tester.populate_table(
+        "apprtag",
+        [
+            ("name", tester.TestDataType.String),
+            ("repository_id", tester.TestDataType.Foreign("repository")),
+            ("manifest_list_id", tester.TestDataType.Foreign("apprmanifestlist")),
+            ("lifetime_start", tester.TestDataType.Integer),
+            ("hidden", tester.TestDataType.Boolean),
+            ("reverted", tester.TestDataType.Boolean),
+            ("protected", tester.TestDataType.Boolean),
+            ("tag_kind_id", tester.TestDataType.Foreign("apprtagkind")),
+        ],
+    )
+
+    tester.populate_table(
+        "apprblobplacement",
+        [
+            ("blob_id", tester.TestDataType.Foreign("apprmanifestblob")),
+            ("location_id", tester.TestDataType.Foreign("apprblobplacementlocation")),
+        ],
+    )
 
     # ### end population of test data ### #
 
 
-
 def downgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     # ### commands auto generated by Alembic - please adjust! ###
-    op.drop_table('apprtag')
-    op.drop_table('apprmanifestlistmanifest')
-    op.drop_table('apprmanifestblob')
-    op.drop_table('apprblobplacement')
-    op.drop_table('apprmanifestlist')
-    op.drop_table('apprmanifest')
-    op.drop_table('apprblob')
-    op.drop_table('apprtagkind')
-    op.drop_table('apprblobplacementlocation')
+    op.drop_table("apprtag")
+    op.drop_table("apprmanifestlistmanifest")
+    op.drop_table("apprmanifestblob")
+    op.drop_table("apprblobplacement")
+    op.drop_table("apprmanifestlist")
+    op.drop_table("apprmanifest")
+    op.drop_table("apprblob")
+    op.drop_table("apprtagkind")
+    op.drop_table("apprblobplacementlocation")
     # ### end Alembic commands ###
diff --git a/data/migrations/versions/61cadbacb9fc_add_ability_for_build_triggers_to_be_.py b/data/migrations/versions/61cadbacb9fc_add_ability_for_build_triggers_to_be_.py
index 1dbb1e7a4..73a590057 100644
--- a/data/migrations/versions/61cadbacb9fc_add_ability_for_build_triggers_to_be_.py
+++ b/data/migrations/versions/61cadbacb9fc_add_ability_for_build_triggers_to_be_.py
@@ -7,58 +7,88 @@ Create Date: 2017-10-18 12:07:26.190901
 """
 
 # revision identifiers, used by Alembic.
-revision = '61cadbacb9fc'
-down_revision = 'b4c2d45bc132'
+revision = "61cadbacb9fc"
+down_revision = "b4c2d45bc132"
 
 from alembic import op as original_op
 from data.migrations.progress import ProgressWrapper
 import sqlalchemy as sa
 from sqlalchemy.dialects import mysql
 
+
 def upgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     # ### commands auto generated by Alembic - please adjust! ###
-    op.create_table('disablereason',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('name', sa.String(length=255), nullable=False),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_disablereason'))
+    op.create_table(
+        "disablereason",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("name", sa.String(length=255), nullable=False),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_disablereason")),
     )
-    op.create_index('disablereason_name', 'disablereason', ['name'], unique=True)
+    op.create_index("disablereason_name", "disablereason", ["name"], unique=True)
 
-    op.bulk_insert(
-        tables.disablereason,
-        [
-        {'id': 1, 'name': 'user_toggled'},
-        ],
+    op.bulk_insert(tables.disablereason, [{"id": 1, "name": "user_toggled"}])
+
+    op.bulk_insert(tables.logentrykind, [{"name": "toggle_repo_trigger"}])
+
+    op.add_column(
+        u"repositorybuildtrigger",
+        sa.Column("disabled_reason_id", sa.Integer(), nullable=True),
+    )
+    op.add_column(
+        u"repositorybuildtrigger",
+        sa.Column(
+            "enabled",
+            sa.Boolean(),
+            nullable=False,
+            server_default=sa.sql.expression.true(),
+        ),
+    )
+    op.create_index(
+        "repositorybuildtrigger_disabled_reason_id",
+        "repositorybuildtrigger",
+        ["disabled_reason_id"],
+        unique=False,
+    )
+    op.create_foreign_key(
+        op.f("fk_repositorybuildtrigger_disabled_reason_id_disablereason"),
+        "repositorybuildtrigger",
+        "disablereason",
+        ["disabled_reason_id"],
+        ["id"],
     )
-
-    op.bulk_insert(tables.logentrykind, [
-        {'name': 'toggle_repo_trigger'},
-    ])
-
-    op.add_column(u'repositorybuildtrigger', sa.Column('disabled_reason_id', sa.Integer(), nullable=True))
-    op.add_column(u'repositorybuildtrigger', sa.Column('enabled', sa.Boolean(), nullable=False, server_default=sa.sql.expression.true()))
-    op.create_index('repositorybuildtrigger_disabled_reason_id', 'repositorybuildtrigger', ['disabled_reason_id'], unique=False)
-    op.create_foreign_key(op.f('fk_repositorybuildtrigger_disabled_reason_id_disablereason'), 'repositorybuildtrigger', 'disablereason', ['disabled_reason_id'], ['id'])
     # ### end Alembic commands ###
 
     # ### population of test data ### #
-    tester.populate_column('repositorybuildtrigger', 'disabled_reason_id', tester.TestDataType.Foreign('disablereason'))
-    tester.populate_column('repositorybuildtrigger', 'enabled', tester.TestDataType.Boolean)
+    tester.populate_column(
+        "repositorybuildtrigger",
+        "disabled_reason_id",
+        tester.TestDataType.Foreign("disablereason"),
+    )
+    tester.populate_column(
+        "repositorybuildtrigger", "enabled", tester.TestDataType.Boolean
+    )
     # ### end population of test data ### #
 
 
 def downgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     # ### commands auto generated by Alembic - please adjust! ###
-    op.drop_constraint(op.f('fk_repositorybuildtrigger_disabled_reason_id_disablereason'), 'repositorybuildtrigger', type_='foreignkey')
-    op.drop_index('repositorybuildtrigger_disabled_reason_id', table_name='repositorybuildtrigger')
-    op.drop_column(u'repositorybuildtrigger', 'enabled')
-    op.drop_column(u'repositorybuildtrigger', 'disabled_reason_id')
-    op.drop_table('disablereason')
+    op.drop_constraint(
+        op.f("fk_repositorybuildtrigger_disabled_reason_id_disablereason"),
+        "repositorybuildtrigger",
+        type_="foreignkey",
+    )
+    op.drop_index(
+        "repositorybuildtrigger_disabled_reason_id", table_name="repositorybuildtrigger"
+    )
+    op.drop_column(u"repositorybuildtrigger", "enabled")
+    op.drop_column(u"repositorybuildtrigger", "disabled_reason_id")
+    op.drop_table("disablereason")
     # ### end Alembic commands ###
 
-    op.execute(tables
-                .logentrykind
-                .delete()
-                .where(tables.logentrykind.c.name == op.inline_literal('toggle_repo_trigger')))
+    op.execute(
+        tables.logentrykind.delete().where(
+            tables.logentrykind.c.name == op.inline_literal("toggle_repo_trigger")
+        )
+    )
diff --git a/data/migrations/versions/654e6df88b71_change_manifest_bytes_to_a_utf8_text_.py b/data/migrations/versions/654e6df88b71_change_manifest_bytes_to_a_utf8_text_.py
index b7d17207f..790516349 100644
--- a/data/migrations/versions/654e6df88b71_change_manifest_bytes_to_a_utf8_text_.py
+++ b/data/migrations/versions/654e6df88b71_change_manifest_bytes_to_a_utf8_text_.py
@@ -7,8 +7,8 @@ Create Date: 2018-08-15 09:58:46.109277
 """
 
 # revision identifiers, used by Alembic.
-revision = '654e6df88b71'
-down_revision = 'eafdeadcebc7'
+revision = "654e6df88b71"
+down_revision = "eafdeadcebc7"
 
 from alembic import op as original_op
 from data.migrations.progress import ProgressWrapper
@@ -19,8 +19,13 @@ from util.migrate import UTF8LongText
 
 def upgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
-    op.alter_column('manifest', 'manifest_bytes', existing_type=sa.Text(), type_=UTF8LongText())
+    op.alter_column(
+        "manifest", "manifest_bytes", existing_type=sa.Text(), type_=UTF8LongText()
+    )
+
 
 def downgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
-    op.alter_column('manifest', 'manifest_bytes', existing_type=UTF8LongText(), type_=sa.Text())
+    op.alter_column(
+        "manifest", "manifest_bytes", existing_type=UTF8LongText(), type_=sa.Text()
+    )
diff --git a/data/migrations/versions/67f0abd172ae_add_tagtorepositorytag_table.py b/data/migrations/versions/67f0abd172ae_add_tagtorepositorytag_table.py
index aae5325b9..c707e2711 100644
--- a/data/migrations/versions/67f0abd172ae_add_tagtorepositorytag_table.py
+++ b/data/migrations/versions/67f0abd172ae_add_tagtorepositorytag_table.py
@@ -7,41 +7,68 @@ Create Date: 2018-10-30 11:31:06.615488
 """
 
 # revision identifiers, used by Alembic.
-revision = '67f0abd172ae'
-down_revision = '10f45ee2310b'
+revision = "67f0abd172ae"
+down_revision = "10f45ee2310b"
 
 from alembic import op as original_op
 from data.migrations.progress import ProgressWrapper
 import sqlalchemy as sa
 from sqlalchemy.dialects import mysql
 
+
 def upgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     # ### commands auto generated by Alembic - please adjust! ###
-    op.create_table('tagtorepositorytag',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('repository_id', sa.Integer(), nullable=False),
-    sa.Column('tag_id', sa.Integer(), nullable=False),
-    sa.Column('repository_tag_id', sa.Integer(), nullable=False),
-    sa.ForeignKeyConstraint(['repository_id'], ['repository.id'], name=op.f('fk_tagtorepositorytag_repository_id_repository')),
-    sa.ForeignKeyConstraint(['repository_tag_id'], ['repositorytag.id'], name=op.f('fk_tagtorepositorytag_repository_tag_id_repositorytag')),
-    sa.ForeignKeyConstraint(['tag_id'], ['tag.id'], name=op.f('fk_tagtorepositorytag_tag_id_tag')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_tagtorepositorytag'))
+    op.create_table(
+        "tagtorepositorytag",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("repository_id", sa.Integer(), nullable=False),
+        sa.Column("tag_id", sa.Integer(), nullable=False),
+        sa.Column("repository_tag_id", sa.Integer(), nullable=False),
+        sa.ForeignKeyConstraint(
+            ["repository_id"],
+            ["repository.id"],
+            name=op.f("fk_tagtorepositorytag_repository_id_repository"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["repository_tag_id"],
+            ["repositorytag.id"],
+            name=op.f("fk_tagtorepositorytag_repository_tag_id_repositorytag"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["tag_id"], ["tag.id"], name=op.f("fk_tagtorepositorytag_tag_id_tag")
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_tagtorepositorytag")),
+    )
+    op.create_index(
+        "tagtorepositorytag_repository_id",
+        "tagtorepositorytag",
+        ["repository_id"],
+        unique=False,
+    )
+    op.create_index(
+        "tagtorepositorytag_repository_tag_id",
+        "tagtorepositorytag",
+        ["repository_tag_id"],
+        unique=True,
+    )
+    op.create_index(
+        "tagtorepositorytag_tag_id", "tagtorepositorytag", ["tag_id"], unique=True
     )
-    op.create_index('tagtorepositorytag_repository_id', 'tagtorepositorytag', ['repository_id'], unique=False)
-    op.create_index('tagtorepositorytag_repository_tag_id', 'tagtorepositorytag', ['repository_tag_id'], unique=True)
-    op.create_index('tagtorepositorytag_tag_id', 'tagtorepositorytag', ['tag_id'], unique=True)
     # ### end Alembic commands ###
 
-    tester.populate_table('tagtorepositorytag', [
-        ('repository_id', tester.TestDataType.Foreign('repository')),
-        ('tag_id', tester.TestDataType.Foreign('tag')),
-        ('repository_tag_id', tester.TestDataType.Foreign('repositorytag')),
-    ])
+    tester.populate_table(
+        "tagtorepositorytag",
+        [
+            ("repository_id", tester.TestDataType.Foreign("repository")),
+            ("tag_id", tester.TestDataType.Foreign("tag")),
+            ("repository_tag_id", tester.TestDataType.Foreign("repositorytag")),
+        ],
+    )
 
 
 def downgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     # ### commands auto generated by Alembic - please adjust! ###
-    op.drop_table('tagtorepositorytag')
+    op.drop_table("tagtorepositorytag")
     # ### end Alembic commands ###
diff --git a/data/migrations/versions/6c21e2cfb8b6_change_logentry_to_use_a_biginteger_as_.py b/data/migrations/versions/6c21e2cfb8b6_change_logentry_to_use_a_biginteger_as_.py
index 789ba4fa4..53e0a497d 100644
--- a/data/migrations/versions/6c21e2cfb8b6_change_logentry_to_use_a_biginteger_as_.py
+++ b/data/migrations/versions/6c21e2cfb8b6_change_logentry_to_use_a_biginteger_as_.py
@@ -7,8 +7,8 @@ Create Date: 2018-07-27 16:30:02.877346
 """
 
 # revision identifiers, used by Alembic.
-revision = '6c21e2cfb8b6'
-down_revision = 'd17c695859ea'
+revision = "6c21e2cfb8b6"
+down_revision = "d17c695859ea"
 
 from alembic import op as original_op
 from data.migrations.progress import ProgressWrapper
@@ -18,18 +18,19 @@ import sqlalchemy as sa
 def upgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     op.alter_column(
-        table_name='logentry',
-        column_name='id',
+        table_name="logentry",
+        column_name="id",
         nullable=False,
         autoincrement=True,
         type_=sa.BigInteger(),
     )
 
+
 def downgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     op.alter_column(
-        table_name='logentry',
-        column_name='id',
+        table_name="logentry",
+        column_name="id",
         nullable=False,
         autoincrement=True,
         type_=sa.Integer(),
diff --git a/data/migrations/versions/6c7014e84a5e_add_user_prompt_support.py b/data/migrations/versions/6c7014e84a5e_add_user_prompt_support.py
index 99ee1e77c..4f040d432 100644
--- a/data/migrations/versions/6c7014e84a5e_add_user_prompt_support.py
+++ b/data/migrations/versions/6c7014e84a5e_add_user_prompt_support.py
@@ -7,50 +7,62 @@ Create Date: 2016-10-31 16:26:31.447705
 """
 
 # revision identifiers, used by Alembic.
-revision = '6c7014e84a5e'
-down_revision = 'c156deb8845d'
+revision = "6c7014e84a5e"
+down_revision = "c156deb8845d"
 
 from alembic import op as original_op
 from data.migrations.progress import ProgressWrapper
 import sqlalchemy as sa
 
+
 def upgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     ### commands auto generated by Alembic - please adjust! ###
-    op.create_table('userpromptkind',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('name', sa.String(length=255), nullable=False),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_userpromptkind'))
+    op.create_table(
+        "userpromptkind",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("name", sa.String(length=255), nullable=False),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_userpromptkind")),
     )
-    op.create_index('userpromptkind_name', 'userpromptkind', ['name'], unique=False)
-    op.create_table('userprompt',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('user_id', sa.Integer(), nullable=False),
-    sa.Column('kind_id', sa.Integer(), nullable=False),
-    sa.ForeignKeyConstraint(['kind_id'], ['userpromptkind.id'], name=op.f('fk_userprompt_kind_id_userpromptkind')),
-    sa.ForeignKeyConstraint(['user_id'], ['user.id'], name=op.f('fk_userprompt_user_id_user')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_userprompt'))
+    op.create_index("userpromptkind_name", "userpromptkind", ["name"], unique=False)
+    op.create_table(
+        "userprompt",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("user_id", sa.Integer(), nullable=False),
+        sa.Column("kind_id", sa.Integer(), nullable=False),
+        sa.ForeignKeyConstraint(
+            ["kind_id"],
+            ["userpromptkind.id"],
+            name=op.f("fk_userprompt_kind_id_userpromptkind"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["user_id"], ["user.id"], name=op.f("fk_userprompt_user_id_user")
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_userprompt")),
+    )
+    op.create_index("userprompt_kind_id", "userprompt", ["kind_id"], unique=False)
+    op.create_index("userprompt_user_id", "userprompt", ["user_id"], unique=False)
+    op.create_index(
+        "userprompt_user_id_kind_id", "userprompt", ["user_id", "kind_id"], unique=True
     )
-    op.create_index('userprompt_kind_id', 'userprompt', ['kind_id'], unique=False)
-    op.create_index('userprompt_user_id', 'userprompt', ['user_id'], unique=False)
-    op.create_index('userprompt_user_id_kind_id', 'userprompt', ['user_id', 'kind_id'], unique=True)
     ### end Alembic commands ###
 
-    op.bulk_insert(tables.userpromptkind,
-    [
-        {'name':'confirm_username'},
-    ])
+    op.bulk_insert(tables.userpromptkind, [{"name": "confirm_username"}])
 
     # ### population of test data ### #
-    tester.populate_table('userprompt', [
-        ('user_id', tester.TestDataType.Foreign('user')),
-        ('kind_id', tester.TestDataType.Foreign('userpromptkind')),
-    ])
+    tester.populate_table(
+        "userprompt",
+        [
+            ("user_id", tester.TestDataType.Foreign("user")),
+            ("kind_id", tester.TestDataType.Foreign("userpromptkind")),
+        ],
+    )
     # ### end population of test data ### #
 
+
 def downgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     ### commands auto generated by Alembic - please adjust! ###
-    op.drop_table('userprompt')
-    op.drop_table('userpromptkind')
+    op.drop_table("userprompt")
+    op.drop_table("userpromptkind")
     ### end Alembic commands ###
diff --git a/data/migrations/versions/6ec8726c0ace_add_logentry3_table.py b/data/migrations/versions/6ec8726c0ace_add_logentry3_table.py
index 47ecf1cb1..59568e4bc 100644
--- a/data/migrations/versions/6ec8726c0ace_add_logentry3_table.py
+++ b/data/migrations/versions/6ec8726c0ace_add_logentry3_table.py
@@ -7,37 +7,54 @@ Create Date: 2019-01-03 13:41:02.897957
 """
 
 # revision identifiers, used by Alembic.
-revision = '6ec8726c0ace'
-down_revision = '54492a68a3cf'
+revision = "6ec8726c0ace"
+down_revision = "54492a68a3cf"
 
 from alembic import op as original_op
 from data.migrations.progress import ProgressWrapper
 import sqlalchemy as sa
 from sqlalchemy.dialects import mysql
 
+
 def upgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     # ### commands auto generated by Alembic - please adjust! ###
-    op.create_table('logentry3',
-    sa.Column('id', sa.BigInteger(), nullable=False),
-    sa.Column('kind_id', sa.Integer(), nullable=False),
-    sa.Column('account_id', sa.Integer(), nullable=False),
-    sa.Column('performer_id', sa.Integer(), nullable=True),
-    sa.Column('repository_id', sa.Integer(), nullable=True),
-    sa.Column('datetime', sa.DateTime(), nullable=False),
-    sa.Column('ip', sa.String(length=255), nullable=True),
-    sa.Column('metadata_json', sa.Text(), nullable=False),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_logentry3'))
+    op.create_table(
+        "logentry3",
+        sa.Column("id", sa.BigInteger(), nullable=False),
+        sa.Column("kind_id", sa.Integer(), nullable=False),
+        sa.Column("account_id", sa.Integer(), nullable=False),
+        sa.Column("performer_id", sa.Integer(), nullable=True),
+        sa.Column("repository_id", sa.Integer(), nullable=True),
+        sa.Column("datetime", sa.DateTime(), nullable=False),
+        sa.Column("ip", sa.String(length=255), nullable=True),
+        sa.Column("metadata_json", sa.Text(), nullable=False),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_logentry3")),
+    )
+    op.create_index(
+        "logentry3_account_id_datetime",
+        "logentry3",
+        ["account_id", "datetime"],
+        unique=False,
+    )
+    op.create_index("logentry3_datetime", "logentry3", ["datetime"], unique=False)
+    op.create_index(
+        "logentry3_performer_id_datetime",
+        "logentry3",
+        ["performer_id", "datetime"],
+        unique=False,
+    )
+    op.create_index(
+        "logentry3_repository_id_datetime_kind_id",
+        "logentry3",
+        ["repository_id", "datetime", "kind_id"],
+        unique=False,
     )
-    op.create_index('logentry3_account_id_datetime', 'logentry3', ['account_id', 'datetime'], unique=False)
-    op.create_index('logentry3_datetime', 'logentry3', ['datetime'], unique=False)
-    op.create_index('logentry3_performer_id_datetime', 'logentry3', ['performer_id', 'datetime'], unique=False)
-    op.create_index('logentry3_repository_id_datetime_kind_id', 'logentry3', ['repository_id', 'datetime', 'kind_id'], unique=False)
     # ### end Alembic commands ###
 
 
 def downgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     # ### commands auto generated by Alembic - please adjust! ###
-    op.drop_table('logentry3')
+    op.drop_table("logentry3")
     # ### end Alembic commands ###
diff --git a/data/migrations/versions/703298a825c2_backfill_new_encrypted_fields.py b/data/migrations/versions/703298a825c2_backfill_new_encrypted_fields.py
index 43459af40..575bc3429 100644
--- a/data/migrations/versions/703298a825c2_backfill_new_encrypted_fields.py
+++ b/data/migrations/versions/703298a825c2_backfill_new_encrypted_fields.py
@@ -6,282 +6,474 @@ Create Date: 2019-08-19 16:07:48.109889
 
 """
 # revision identifiers, used by Alembic.
-revision = '703298a825c2'
-down_revision = 'c13c8052f7a6'
+revision = "703298a825c2"
+down_revision = "c13c8052f7a6"
 
 import logging
 import uuid
 
 from datetime import datetime
 
-from peewee import (JOIN, IntegrityError, DateTimeField, CharField, ForeignKeyField,
-                    BooleanField, TextField, IntegerField)
+from peewee import (
+    JOIN,
+    IntegrityError,
+    DateTimeField,
+    CharField,
+    ForeignKeyField,
+    BooleanField,
+    TextField,
+    IntegerField,
+)
 from alembic import op as original_op
 from data.migrations.progress import ProgressWrapper
 
 import sqlalchemy as sa
 
-from data.database import (BaseModel, User, Repository, AccessTokenKind, Role,
-                           random_string_generator, QuayUserField, BuildTriggerService,
-                           uuid_generator, DisableReason)
-from data.fields import Credential, DecryptedValue, EncryptedCharField, EncryptedTextField, EnumField, CredentialField
+from data.database import (
+    BaseModel,
+    User,
+    Repository,
+    AccessTokenKind,
+    Role,
+    random_string_generator,
+    QuayUserField,
+    BuildTriggerService,
+    uuid_generator,
+    DisableReason,
+)
+from data.fields import (
+    Credential,
+    DecryptedValue,
+    EncryptedCharField,
+    EncryptedTextField,
+    EnumField,
+    CredentialField,
+)
 from data.model.token import ACCESS_TOKEN_NAME_PREFIX_LENGTH
-from data.model.appspecifictoken import TOKEN_NAME_PREFIX_LENGTH as AST_TOKEN_NAME_PREFIX_LENGTH
-from data.model.oauth import ACCESS_TOKEN_PREFIX_LENGTH as OAUTH_ACCESS_TOKEN_PREFIX_LENGTH
+from data.model.appspecifictoken import (
+    TOKEN_NAME_PREFIX_LENGTH as AST_TOKEN_NAME_PREFIX_LENGTH,
+)
+from data.model.oauth import (
+    ACCESS_TOKEN_PREFIX_LENGTH as OAUTH_ACCESS_TOKEN_PREFIX_LENGTH,
+)
 from data.model.oauth import AUTHORIZATION_CODE_PREFIX_LENGTH
 
 BATCH_SIZE = 10
 
 logger = logging.getLogger(__name__)
 
-def _iterate(model_class, clause):
-  while True:
-    has_rows = False
-    for row in list(model_class.select().where(clause).limit(BATCH_SIZE)):
-      has_rows = True
-      yield row
 
-    if not has_rows:
-      break
+def _iterate(model_class, clause):
+    while True:
+        has_rows = False
+        for row in list(model_class.select().where(clause).limit(BATCH_SIZE)):
+            has_rows = True
+            yield row
+
+        if not has_rows:
+            break
 
 
 def _decrypted(value):
-  if value is None:
-    return None
+    if value is None:
+        return None
 
-  assert isinstance(value, basestring)
-  return DecryptedValue(value)
+    assert isinstance(value, basestring)
+    return DecryptedValue(value)
 
 
 # NOTE: As per standard migrations involving Peewee models, we copy them here, as they will change
 # after this call.
 class AccessToken(BaseModel):
-  code = CharField(default=random_string_generator(length=64), unique=True, index=True)
-  token_name = CharField(default=random_string_generator(length=32), unique=True, index=True)
-  token_code = EncryptedCharField(default_token_length=32)
+    code = CharField(
+        default=random_string_generator(length=64), unique=True, index=True
+    )
+    token_name = CharField(
+        default=random_string_generator(length=32), unique=True, index=True
+    )
+    token_code = EncryptedCharField(default_token_length=32)
+
 
 class RobotAccountToken(BaseModel):
-  robot_account = QuayUserField(index=True, allows_robots=True, unique=True)
-  token = EncryptedCharField(default_token_length=64)
-  fully_migrated = BooleanField(default=False)
+    robot_account = QuayUserField(index=True, allows_robots=True, unique=True)
+    token = EncryptedCharField(default_token_length=64)
+    fully_migrated = BooleanField(default=False)
+
 
 class RepositoryBuildTrigger(BaseModel):
-  uuid = CharField(default=uuid_generator, index=True)
-  auth_token = CharField(null=True)
-  private_key = TextField(null=True)
+    uuid = CharField(default=uuid_generator, index=True)
+    auth_token = CharField(null=True)
+    private_key = TextField(null=True)
+
+    secure_auth_token = EncryptedCharField(null=True)
+    secure_private_key = EncryptedTextField(null=True)
+    fully_migrated = BooleanField(default=False)
 
-  secure_auth_token = EncryptedCharField(null=True)
-  secure_private_key = EncryptedTextField(null=True)
-  fully_migrated = BooleanField(default=False)
 
 class AppSpecificAuthToken(BaseModel):
-  token_name = CharField(index=True, unique=True, default=random_string_generator(60))
-  token_secret = EncryptedCharField(default_token_length=60)
-  token_code = CharField(default=random_string_generator(length=120), unique=True, index=True)
+    token_name = CharField(index=True, unique=True, default=random_string_generator(60))
+    token_secret = EncryptedCharField(default_token_length=60)
+    token_code = CharField(
+        default=random_string_generator(length=120), unique=True, index=True
+    )
+
 
 class OAuthAccessToken(BaseModel):
-  token_name = CharField(index=True, unique=True)
-  token_code = CredentialField()
-  access_token = CharField(index=True)
+    token_name = CharField(index=True, unique=True)
+    token_code = CredentialField()
+    access_token = CharField(index=True)
+
 
 class OAuthAuthorizationCode(BaseModel):
-  code = CharField(index=True, unique=True, null=True)
-  code_name = CharField(index=True, unique=True)
-  code_credential = CredentialField()
+    code = CharField(index=True, unique=True, null=True)
+    code_name = CharField(index=True, unique=True)
+    code_credential = CredentialField()
+
 
 class OAuthApplication(BaseModel):
-  secure_client_secret = EncryptedCharField(default_token_length=40, null=True)
-  fully_migrated = BooleanField(default=False)
-  client_secret = CharField(default=random_string_generator(length=40))
+    secure_client_secret = EncryptedCharField(default_token_length=40, null=True)
+    fully_migrated = BooleanField(default=False)
+    client_secret = CharField(default=random_string_generator(length=40))
 
 
 def upgrade(tables, tester, progress_reporter):
-  op = ProgressWrapper(original_op, progress_reporter)
+    op = ProgressWrapper(original_op, progress_reporter)
 
-  from app import app
-  if app.config.get('SETUP_COMPLETE', False) or tester.is_testing:
-    # Empty all access token names to fix the bug where we put the wrong name and code
-    # in for some tokens.
-    AccessToken.update(token_name=None).where(AccessToken.token_name >> None).execute()
+    from app import app
 
-    # AccessToken.
-    logger.info('Backfilling encrypted credentials for access tokens')
-    for access_token in _iterate(AccessToken, ((AccessToken.token_name >> None) |
-                                              (AccessToken.token_name == ''))):
-      logger.info('Backfilling encrypted credentials for access token %s', access_token.id)
-      assert access_token.code is not None
-      assert access_token.code[:ACCESS_TOKEN_NAME_PREFIX_LENGTH]
-      assert access_token.code[ACCESS_TOKEN_NAME_PREFIX_LENGTH:]
+    if app.config.get("SETUP_COMPLETE", False) or tester.is_testing:
+        # Empty all access token names to fix the bug where we put the wrong name and code
+        # in for some tokens.
+        AccessToken.update(token_name=None).where(
+            AccessToken.token_name >> None
+        ).execute()
 
-      token_name = access_token.code[:ACCESS_TOKEN_NAME_PREFIX_LENGTH]
-      token_code = _decrypted(access_token.code[ACCESS_TOKEN_NAME_PREFIX_LENGTH:])
+        # AccessToken.
+        logger.info("Backfilling encrypted credentials for access tokens")
+        for access_token in _iterate(
+            AccessToken,
+            ((AccessToken.token_name >> None) | (AccessToken.token_name == "")),
+        ):
+            logger.info(
+                "Backfilling encrypted credentials for access token %s", access_token.id
+            )
+            assert access_token.code is not None
+            assert access_token.code[:ACCESS_TOKEN_NAME_PREFIX_LENGTH]
+            assert access_token.code[ACCESS_TOKEN_NAME_PREFIX_LENGTH:]
 
-      (AccessToken
-      .update(token_name=token_name, token_code=token_code)
-      .where(AccessToken.id == access_token.id, AccessToken.code == access_token.code)
-      .execute())
+            token_name = access_token.code[:ACCESS_TOKEN_NAME_PREFIX_LENGTH]
+            token_code = _decrypted(access_token.code[ACCESS_TOKEN_NAME_PREFIX_LENGTH:])
 
-    assert AccessToken.select().where(AccessToken.token_name >> None).count() == 0
+            (
+                AccessToken.update(token_name=token_name, token_code=token_code)
+                .where(
+                    AccessToken.id == access_token.id,
+                    AccessToken.code == access_token.code,
+                )
+                .execute()
+            )
 
-    # Robots.
-    logger.info('Backfilling encrypted credentials for robots')
-    while True:
-      has_row = False
-      query = (User
-              .select()
-              .join(RobotAccountToken, JOIN.LEFT_OUTER)
-              .where(User.robot == True, RobotAccountToken.id >> None)
-              .limit(BATCH_SIZE))
+        assert AccessToken.select().where(AccessToken.token_name >> None).count() == 0
 
-      for robot_user in query:
-        logger.info('Backfilling encrypted credentials for robot %s', robot_user.id)
-        has_row = True
-        try:
-          RobotAccountToken.create(robot_account=robot_user,
-                                  token=_decrypted(robot_user.email),
-                                  fully_migrated=False)
-        except IntegrityError:
-          break
+        # Robots.
+        logger.info("Backfilling encrypted credentials for robots")
+        while True:
+            has_row = False
+            query = (
+                User.select()
+                .join(RobotAccountToken, JOIN.LEFT_OUTER)
+                .where(User.robot == True, RobotAccountToken.id >> None)
+                .limit(BATCH_SIZE)
+            )
 
-      if not has_row:
-        break
+            for robot_user in query:
+                logger.info(
+                    "Backfilling encrypted credentials for robot %s", robot_user.id
+                )
+                has_row = True
+                try:
+                    RobotAccountToken.create(
+                        robot_account=robot_user,
+                        token=_decrypted(robot_user.email),
+                        fully_migrated=False,
+                    )
+                except IntegrityError:
+                    break
 
-    # RepositoryBuildTrigger
-    logger.info('Backfilling encrypted credentials for repo build triggers')
-    for repo_build_trigger in _iterate(RepositoryBuildTrigger,
-                                      (RepositoryBuildTrigger.fully_migrated == False)):
-      logger.info('Backfilling encrypted credentials for repo build trigger %s',
-                  repo_build_trigger.id)
+            if not has_row:
+                break
 
-      (RepositoryBuildTrigger
-      .update(secure_auth_token=_decrypted(repo_build_trigger.auth_token),
-              secure_private_key=_decrypted(repo_build_trigger.private_key),
-              fully_migrated=True)
-      .where(RepositoryBuildTrigger.id == repo_build_trigger.id,
-              RepositoryBuildTrigger.uuid == repo_build_trigger.uuid)
-      .execute())
+        # RepositoryBuildTrigger
+        logger.info("Backfilling encrypted credentials for repo build triggers")
+        for repo_build_trigger in _iterate(
+            RepositoryBuildTrigger, (RepositoryBuildTrigger.fully_migrated == False)
+        ):
+            logger.info(
+                "Backfilling encrypted credentials for repo build trigger %s",
+                repo_build_trigger.id,
+            )
 
-    assert (RepositoryBuildTrigger
-            .select()
+            (
+                RepositoryBuildTrigger.update(
+                    secure_auth_token=_decrypted(repo_build_trigger.auth_token),
+                    secure_private_key=_decrypted(repo_build_trigger.private_key),
+                    fully_migrated=True,
+                )
+                .where(
+                    RepositoryBuildTrigger.id == repo_build_trigger.id,
+                    RepositoryBuildTrigger.uuid == repo_build_trigger.uuid,
+                )
+                .execute()
+            )
+
+        assert (
+            RepositoryBuildTrigger.select()
             .where(RepositoryBuildTrigger.fully_migrated == False)
-            .count()) == 0
+            .count()
+        ) == 0
 
-    # AppSpecificAuthToken
-    logger.info('Backfilling encrypted credentials for app specific auth tokens')
-    for token in _iterate(AppSpecificAuthToken, ((AppSpecificAuthToken.token_name >> None) |
-                                                (AppSpecificAuthToken.token_name == '') |
-                                                (AppSpecificAuthToken.token_secret >> None))):
-      logger.info('Backfilling encrypted credentials for app specific auth %s',
-                  token.id)
-      assert token.token_code[AST_TOKEN_NAME_PREFIX_LENGTH:]
+        # AppSpecificAuthToken
+        logger.info("Backfilling encrypted credentials for app specific auth tokens")
+        for token in _iterate(
+            AppSpecificAuthToken,
+            (
+                (AppSpecificAuthToken.token_name >> None)
+                | (AppSpecificAuthToken.token_name == "")
+                | (AppSpecificAuthToken.token_secret >> None)
+            ),
+        ):
+            logger.info(
+                "Backfilling encrypted credentials for app specific auth %s", token.id
+            )
+            assert token.token_code[AST_TOKEN_NAME_PREFIX_LENGTH:]
 
-      token_name = token.token_code[:AST_TOKEN_NAME_PREFIX_LENGTH]
-      token_secret = _decrypted(token.token_code[AST_TOKEN_NAME_PREFIX_LENGTH:])
-      assert token_name
-      assert token_secret
+            token_name = token.token_code[:AST_TOKEN_NAME_PREFIX_LENGTH]
+            token_secret = _decrypted(token.token_code[AST_TOKEN_NAME_PREFIX_LENGTH:])
+            assert token_name
+            assert token_secret
 
-      (AppSpecificAuthToken
-      .update(token_name=token_name,
-              token_secret=token_secret)
-      .where(AppSpecificAuthToken.id == token.id,
-              AppSpecificAuthToken.token_code == token.token_code)
-      .execute())
+            (
+                AppSpecificAuthToken.update(
+                    token_name=token_name, token_secret=token_secret
+                )
+                .where(
+                    AppSpecificAuthToken.id == token.id,
+                    AppSpecificAuthToken.token_code == token.token_code,
+                )
+                .execute()
+            )
 
-    assert (AppSpecificAuthToken
-            .select()
+        assert (
+            AppSpecificAuthToken.select()
             .where(AppSpecificAuthToken.token_name >> None)
-            .count()) == 0
+            .count()
+        ) == 0
 
-    # OAuthAccessToken
-    logger.info('Backfilling credentials for OAuth access tokens')
-    for token in _iterate(OAuthAccessToken, ((OAuthAccessToken.token_name >> None) |
-                                            (OAuthAccessToken.token_name == ''))):
-      logger.info('Backfilling credentials for OAuth access token %s', token.id)
-      token_name = token.access_token[:OAUTH_ACCESS_TOKEN_PREFIX_LENGTH]
-      token_code = Credential.from_string(token.access_token[OAUTH_ACCESS_TOKEN_PREFIX_LENGTH:])
-      assert token_name
-      assert token.access_token[OAUTH_ACCESS_TOKEN_PREFIX_LENGTH:]
+        # OAuthAccessToken
+        logger.info("Backfilling credentials for OAuth access tokens")
+        for token in _iterate(
+            OAuthAccessToken,
+            (
+                (OAuthAccessToken.token_name >> None)
+                | (OAuthAccessToken.token_name == "")
+            ),
+        ):
+            logger.info("Backfilling credentials for OAuth access token %s", token.id)
+            token_name = token.access_token[:OAUTH_ACCESS_TOKEN_PREFIX_LENGTH]
+            token_code = Credential.from_string(
+                token.access_token[OAUTH_ACCESS_TOKEN_PREFIX_LENGTH:]
+            )
+            assert token_name
+            assert token.access_token[OAUTH_ACCESS_TOKEN_PREFIX_LENGTH:]
 
-      (OAuthAccessToken
-      .update(token_name=token_name,
-              token_code=token_code)
-      .where(OAuthAccessToken.id == token.id,
-              OAuthAccessToken.access_token == token.access_token)
-      .execute())
+            (
+                OAuthAccessToken.update(token_name=token_name, token_code=token_code)
+                .where(
+                    OAuthAccessToken.id == token.id,
+                    OAuthAccessToken.access_token == token.access_token,
+                )
+                .execute()
+            )
 
-    assert (OAuthAccessToken
-            .select()
-            .where(OAuthAccessToken.token_name >> None)
-            .count()) == 0
+        assert (
+            OAuthAccessToken.select().where(OAuthAccessToken.token_name >> None).count()
+        ) == 0
 
-    # OAuthAuthorizationCode
-    logger.info('Backfilling credentials for OAuth auth code')
-    for code in _iterate(OAuthAuthorizationCode, ((OAuthAuthorizationCode.code_name >> None) |
-                                                  (OAuthAuthorizationCode.code_name == ''))):
-      logger.info('Backfilling credentials for OAuth auth code %s', code.id)
-      user_code = code.code or random_string_generator(AUTHORIZATION_CODE_PREFIX_LENGTH * 2)()
-      code_name = user_code[:AUTHORIZATION_CODE_PREFIX_LENGTH]
-      code_credential = Credential.from_string(user_code[AUTHORIZATION_CODE_PREFIX_LENGTH:])
-      assert code_name
-      assert user_code[AUTHORIZATION_CODE_PREFIX_LENGTH:]
+        # OAuthAuthorizationCode
+        logger.info("Backfilling credentials for OAuth auth code")
+        for code in _iterate(
+            OAuthAuthorizationCode,
+            (
+                (OAuthAuthorizationCode.code_name >> None)
+                | (OAuthAuthorizationCode.code_name == "")
+            ),
+        ):
+            logger.info("Backfilling credentials for OAuth auth code %s", code.id)
+            user_code = (
+                code.code
+                or random_string_generator(AUTHORIZATION_CODE_PREFIX_LENGTH * 2)()
+            )
+            code_name = user_code[:AUTHORIZATION_CODE_PREFIX_LENGTH]
+            code_credential = Credential.from_string(
+                user_code[AUTHORIZATION_CODE_PREFIX_LENGTH:]
+            )
+            assert code_name
+            assert user_code[AUTHORIZATION_CODE_PREFIX_LENGTH:]
 
-      (OAuthAuthorizationCode
-      .update(code_name=code_name, code_credential=code_credential)
-      .where(OAuthAuthorizationCode.id == code.id)
-      .execute())
+            (
+                OAuthAuthorizationCode.update(
+                    code_name=code_name, code_credential=code_credential
+                )
+                .where(OAuthAuthorizationCode.id == code.id)
+                .execute()
+            )
 
-    assert (OAuthAuthorizationCode
-            .select()
+        assert (
+            OAuthAuthorizationCode.select()
             .where(OAuthAuthorizationCode.code_name >> None)
-            .count()) == 0
+            .count()
+        ) == 0
 
-    # OAuthApplication
-    logger.info('Backfilling secret for OAuth applications')
-    for app in _iterate(OAuthApplication, OAuthApplication.fully_migrated == False):
-      logger.info('Backfilling secret for OAuth application %s', app.id)
-      client_secret = app.client_secret or str(uuid.uuid4())
-      secure_client_secret = _decrypted(client_secret)
+        # OAuthApplication
+        logger.info("Backfilling secret for OAuth applications")
+        for app in _iterate(OAuthApplication, OAuthApplication.fully_migrated == False):
+            logger.info("Backfilling secret for OAuth application %s", app.id)
+            client_secret = app.client_secret or str(uuid.uuid4())
+            secure_client_secret = _decrypted(client_secret)
 
-      (OAuthApplication
-      .update(secure_client_secret=secure_client_secret, fully_migrated=True)
-      .where(OAuthApplication.id == app.id, OAuthApplication.fully_migrated == False)
-      .execute())
+            (
+                OAuthApplication.update(
+                    secure_client_secret=secure_client_secret, fully_migrated=True
+                )
+                .where(
+                    OAuthApplication.id == app.id,
+                    OAuthApplication.fully_migrated == False,
+                )
+                .execute()
+            )
 
-    assert (OAuthApplication
-            .select()
+        assert (
+            OAuthApplication.select()
             .where(OAuthApplication.fully_migrated == False)
-            .count()) == 0
+            .count()
+        ) == 0
 
-  # Adjust existing fields to be nullable.
-  op.alter_column('accesstoken', 'code', nullable=True, existing_type=sa.String(length=255))       
-  op.alter_column('oauthaccesstoken', 'access_token', nullable=True, existing_type=sa.String(length=255))       
-  op.alter_column('oauthauthorizationcode', 'code', nullable=True, existing_type=sa.String(length=255))
-  op.alter_column('appspecificauthtoken', 'token_code', nullable=True, existing_type=sa.String(length=255))
+    # Adjust existing fields to be nullable.
+    op.alter_column(
+        "accesstoken", "code", nullable=True, existing_type=sa.String(length=255)
+    )
+    op.alter_column(
+        "oauthaccesstoken",
+        "access_token",
+        nullable=True,
+        existing_type=sa.String(length=255),
+    )
+    op.alter_column(
+        "oauthauthorizationcode",
+        "code",
+        nullable=True,
+        existing_type=sa.String(length=255),
+    )
+    op.alter_column(
+        "appspecificauthtoken",
+        "token_code",
+        nullable=True,
+        existing_type=sa.String(length=255),
+    )
 
-  # Adjust new fields to be non-nullable.
-  op.alter_column('accesstoken', 'token_name', nullable=False, existing_type=sa.String(length=255))       
-  op.alter_column('accesstoken', 'token_code', nullable=False, existing_type=sa.String(length=255))       
+    # Adjust new fields to be non-nullable.
+    op.alter_column(
+        "accesstoken", "token_name", nullable=False, existing_type=sa.String(length=255)
+    )
+    op.alter_column(
+        "accesstoken", "token_code", nullable=False, existing_type=sa.String(length=255)
+    )
 
-  op.alter_column('appspecificauthtoken', 'token_name', nullable=False, existing_type=sa.String(length=255))       
-  op.alter_column('appspecificauthtoken', 'token_secret', nullable=False, existing_type=sa.String(length=255))       
+    op.alter_column(
+        "appspecificauthtoken",
+        "token_name",
+        nullable=False,
+        existing_type=sa.String(length=255),
+    )
+    op.alter_column(
+        "appspecificauthtoken",
+        "token_secret",
+        nullable=False,
+        existing_type=sa.String(length=255),
+    )
 
-  op.alter_column('oauthaccesstoken', 'token_name', nullable=False, existing_type=sa.String(length=255))       
-  op.alter_column('oauthaccesstoken', 'token_code', nullable=False, existing_type=sa.String(length=255))       
+    op.alter_column(
+        "oauthaccesstoken",
+        "token_name",
+        nullable=False,
+        existing_type=sa.String(length=255),
+    )
+    op.alter_column(
+        "oauthaccesstoken",
+        "token_code",
+        nullable=False,
+        existing_type=sa.String(length=255),
+    )
+
+    op.alter_column(
+        "oauthauthorizationcode",
+        "code_name",
+        nullable=False,
+        existing_type=sa.String(length=255),
+    )
+    op.alter_column(
+        "oauthauthorizationcode",
+        "code_credential",
+        nullable=False,
+        existing_type=sa.String(length=255),
+    )
 
-  op.alter_column('oauthauthorizationcode', 'code_name', nullable=False, existing_type=sa.String(length=255))       
-  op.alter_column('oauthauthorizationcode', 'code_credential', nullable=False, existing_type=sa.String(length=255))       
 
 def downgrade(tables, tester, progress_reporter):
-  op = ProgressWrapper(original_op, progress_reporter)
+    op = ProgressWrapper(original_op, progress_reporter)
 
-  op.alter_column('accesstoken', 'token_name', nullable=True, existing_type=sa.String(length=255))       
-  op.alter_column('accesstoken', 'token_code', nullable=True, existing_type=sa.String(length=255))       
+    op.alter_column(
+        "accesstoken", "token_name", nullable=True, existing_type=sa.String(length=255)
+    )
+    op.alter_column(
+        "accesstoken", "token_code", nullable=True, existing_type=sa.String(length=255)
+    )
 
-  op.alter_column('appspecificauthtoken', 'token_name', nullable=True, existing_type=sa.String(length=255))       
-  op.alter_column('appspecificauthtoken', 'token_secret', nullable=True, existing_type=sa.String(length=255))       
+    op.alter_column(
+        "appspecificauthtoken",
+        "token_name",
+        nullable=True,
+        existing_type=sa.String(length=255),
+    )
+    op.alter_column(
+        "appspecificauthtoken",
+        "token_secret",
+        nullable=True,
+        existing_type=sa.String(length=255),
+    )
 
-  op.alter_column('oauthaccesstoken', 'token_name', nullable=True, existing_type=sa.String(length=255))       
-  op.alter_column('oauthaccesstoken', 'token_code', nullable=True, existing_type=sa.String(length=255))       
+    op.alter_column(
+        "oauthaccesstoken",
+        "token_name",
+        nullable=True,
+        existing_type=sa.String(length=255),
+    )
+    op.alter_column(
+        "oauthaccesstoken",
+        "token_code",
+        nullable=True,
+        existing_type=sa.String(length=255),
+    )
 
-  op.alter_column('oauthauthorizationcode', 'code_name', nullable=True, existing_type=sa.String(length=255))       
-  op.alter_column('oauthauthorizationcode', 'code_credential', nullable=True, existing_type=sa.String(length=255))       
+    op.alter_column(
+        "oauthauthorizationcode",
+        "code_name",
+        nullable=True,
+        existing_type=sa.String(length=255),
+    )
+    op.alter_column(
+        "oauthauthorizationcode",
+        "code_credential",
+        nullable=True,
+        existing_type=sa.String(length=255),
+    )
diff --git a/data/migrations/versions/7367229b38d9_add_support_for_app_specific_tokens.py b/data/migrations/versions/7367229b38d9_add_support_for_app_specific_tokens.py
index b5fb97d63..3f2e41fd1 100644
--- a/data/migrations/versions/7367229b38d9_add_support_for_app_specific_tokens.py
+++ b/data/migrations/versions/7367229b38d9_add_support_for_app_specific_tokens.py
@@ -7,8 +7,8 @@ Create Date: 2017-12-12 13:15:42.419764
 """
 
 # revision identifiers, used by Alembic.
-revision = '7367229b38d9'
-down_revision = 'd8989249f8f6'
+revision = "7367229b38d9"
+down_revision = "d8989249f8f6"
 
 from alembic import op as original_op
 from data.migrations.progress import ProgressWrapper
@@ -16,59 +16,83 @@ import sqlalchemy as sa
 from sqlalchemy.dialects import mysql
 from util.migrate import UTF8CharField
 
+
 def upgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     # ### commands auto generated by Alembic - please adjust! ###
-    op.create_table('appspecificauthtoken',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('user_id', sa.Integer(), nullable=False),
-    sa.Column('uuid', sa.String(length=36), nullable=False),
-    sa.Column('title', UTF8CharField(length=255), nullable=False),
-    sa.Column('token_code', sa.String(length=255), nullable=False),
-    sa.Column('created', sa.DateTime(), nullable=False),
-    sa.Column('expiration', sa.DateTime(), nullable=True),
-    sa.Column('last_accessed', sa.DateTime(), nullable=True),
-    sa.ForeignKeyConstraint(['user_id'], ['user.id'], name=op.f('fk_appspecificauthtoken_user_id_user')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_appspecificauthtoken'))
+    op.create_table(
+        "appspecificauthtoken",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("user_id", sa.Integer(), nullable=False),
+        sa.Column("uuid", sa.String(length=36), nullable=False),
+        sa.Column("title", UTF8CharField(length=255), nullable=False),
+        sa.Column("token_code", sa.String(length=255), nullable=False),
+        sa.Column("created", sa.DateTime(), nullable=False),
+        sa.Column("expiration", sa.DateTime(), nullable=True),
+        sa.Column("last_accessed", sa.DateTime(), nullable=True),
+        sa.ForeignKeyConstraint(
+            ["user_id"], ["user.id"], name=op.f("fk_appspecificauthtoken_user_id_user")
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_appspecificauthtoken")),
+    )
+    op.create_index(
+        "appspecificauthtoken_token_code",
+        "appspecificauthtoken",
+        ["token_code"],
+        unique=True,
+    )
+    op.create_index(
+        "appspecificauthtoken_user_id",
+        "appspecificauthtoken",
+        ["user_id"],
+        unique=False,
+    )
+    op.create_index(
+        "appspecificauthtoken_user_id_expiration",
+        "appspecificauthtoken",
+        ["user_id", "expiration"],
+        unique=False,
+    )
+    op.create_index(
+        "appspecificauthtoken_uuid", "appspecificauthtoken", ["uuid"], unique=False
     )
-    op.create_index('appspecificauthtoken_token_code', 'appspecificauthtoken', ['token_code'], unique=True)
-    op.create_index('appspecificauthtoken_user_id', 'appspecificauthtoken', ['user_id'], unique=False)
-    op.create_index('appspecificauthtoken_user_id_expiration', 'appspecificauthtoken', ['user_id', 'expiration'], unique=False)
-    op.create_index('appspecificauthtoken_uuid', 'appspecificauthtoken', ['uuid'], unique=False)
     # ### end Alembic commands ###
 
-    op.bulk_insert(tables.logentrykind, [
-        {'name': 'create_app_specific_token'},
-        {'name': 'revoke_app_specific_token'},
-    ])
+    op.bulk_insert(
+        tables.logentrykind,
+        [{"name": "create_app_specific_token"}, {"name": "revoke_app_specific_token"}],
+    )
 
     # ### population of test data ### #
-    tester.populate_table('appspecificauthtoken', [
-        ('user_id', tester.TestDataType.Foreign('user')),
-        ('uuid', tester.TestDataType.UUID),
-        ('title', tester.TestDataType.UTF8Char),
-        ('token_code', tester.TestDataType.String),
-        ('created', tester.TestDataType.DateTime),
-        ('expiration', tester.TestDataType.DateTime),
-        ('last_accessed', tester.TestDataType.DateTime),
-    ])
+    tester.populate_table(
+        "appspecificauthtoken",
+        [
+            ("user_id", tester.TestDataType.Foreign("user")),
+            ("uuid", tester.TestDataType.UUID),
+            ("title", tester.TestDataType.UTF8Char),
+            ("token_code", tester.TestDataType.String),
+            ("created", tester.TestDataType.DateTime),
+            ("expiration", tester.TestDataType.DateTime),
+            ("last_accessed", tester.TestDataType.DateTime),
+        ],
+    )
     # ### end population of test data ### #
 
 
 def downgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     # ### commands auto generated by Alembic - please adjust! ###
-    op.drop_table('appspecificauthtoken')
+    op.drop_table("appspecificauthtoken")
     # ### end Alembic commands ###
 
-    op.execute(tables
-               .logentrykind
-               .delete()
-               .where(tables.
-                      logentrykind.name == op.inline_literal('create_app_specific_token')))
+    op.execute(
+        tables.logentrykind.delete().where(
+            tables.logentrykind.name == op.inline_literal("create_app_specific_token")
+        )
+    )
 
-    op.execute(tables
-               .logentrykind
-               .delete()
-               .where(tables.
-                      logentrykind.name == op.inline_literal('revoke_app_specific_token')))
+    op.execute(
+        tables.logentrykind.delete().where(
+            tables.logentrykind.name == op.inline_literal("revoke_app_specific_token")
+        )
+    )
diff --git a/data/migrations/versions/7a525c68eb13_add_oci_app_models.py b/data/migrations/versions/7a525c68eb13_add_oci_app_models.py
index 7cade6854..903440477 100644
--- a/data/migrations/versions/7a525c68eb13_add_oci_app_models.py
+++ b/data/migrations/versions/7a525c68eb13_add_oci_app_models.py
@@ -7,8 +7,8 @@ Create Date: 2017-01-24 16:25:52.170277
 """
 
 # revision identifiers, used by Alembic.
-revision = '7a525c68eb13'
-down_revision = 'e2894a3a3c19'
+revision = "7a525c68eb13"
+down_revision = "e2894a3a3c19"
 
 from alembic import op as original_op
 from data.migrations.progress import ProgressWrapper
@@ -19,322 +19,563 @@ from util.migrate import UTF8LongText, UTF8CharField
 
 
 def upgrade(tables, tester, progress_reporter):
-  op = ProgressWrapper(original_op, progress_reporter)
-  op.create_table(
-    'tagkind',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('name', sa.String(length=255), nullable=False),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_tagkind'))
-  )
-  op.create_index('tagkind_name', 'tagkind', ['name'], unique=True)
+    op = ProgressWrapper(original_op, progress_reporter)
+    op.create_table(
+        "tagkind",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("name", sa.String(length=255), nullable=False),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_tagkind")),
+    )
+    op.create_index("tagkind_name", "tagkind", ["name"], unique=True)
 
-  op.create_table(
-    'blobplacementlocation',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('name', sa.String(length=255), nullable=False),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_blobplacementlocation'))
-  )
-  op.create_index('blobplacementlocation_name', 'blobplacementlocation', ['name'], unique=True)
+    op.create_table(
+        "blobplacementlocation",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("name", sa.String(length=255), nullable=False),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_blobplacementlocation")),
+    )
+    op.create_index(
+        "blobplacementlocation_name", "blobplacementlocation", ["name"], unique=True
+    )
 
-  op.create_table(
-    'blob',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('digest', sa.String(length=255), nullable=False),
-    sa.Column('media_type_id', sa.Integer(), nullable=False),
-    sa.Column('size', sa.BigInteger(), nullable=False),
-    sa.Column('uncompressed_size', sa.BigInteger(), nullable=True),
-    sa.ForeignKeyConstraint(['media_type_id'], ['mediatype.id'], name=op.f('fk_blob_media_type_id_mediatype')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_blob'))
-  )
-  op.create_index('blob_digest', 'blob', ['digest'], unique=True)
-  op.create_index('blob_media_type_id', 'blob', ['media_type_id'], unique=False)
+    op.create_table(
+        "blob",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("digest", sa.String(length=255), nullable=False),
+        sa.Column("media_type_id", sa.Integer(), nullable=False),
+        sa.Column("size", sa.BigInteger(), nullable=False),
+        sa.Column("uncompressed_size", sa.BigInteger(), nullable=True),
+        sa.ForeignKeyConstraint(
+            ["media_type_id"],
+            ["mediatype.id"],
+            name=op.f("fk_blob_media_type_id_mediatype"),
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_blob")),
+    )
+    op.create_index("blob_digest", "blob", ["digest"], unique=True)
+    op.create_index("blob_media_type_id", "blob", ["media_type_id"], unique=False)
 
-  op.create_table(
-    'blobplacementlocationpreference',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('user_id', sa.Integer(), nullable=False),
-    sa.Column('location_id', sa.Integer(), nullable=False),
-    sa.ForeignKeyConstraint(['location_id'], ['blobplacementlocation.id'], name=op.f('fk_blobplacementlocpref_locid_blobplacementlocation')),
-    sa.ForeignKeyConstraint(['user_id'], ['user.id'], name=op.f('fk_blobplacementlocationpreference_user_id_user')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_blobplacementlocationpreference'))
-  )
-  op.create_index('blobplacementlocationpreference_location_id', 'blobplacementlocationpreference', ['location_id'], unique=False)
-  op.create_index('blobplacementlocationpreference_user_id', 'blobplacementlocationpreference', ['user_id'], unique=False)
+    op.create_table(
+        "blobplacementlocationpreference",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("user_id", sa.Integer(), nullable=False),
+        sa.Column("location_id", sa.Integer(), nullable=False),
+        sa.ForeignKeyConstraint(
+            ["location_id"],
+            ["blobplacementlocation.id"],
+            name=op.f("fk_blobplacementlocpref_locid_blobplacementlocation"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["user_id"],
+            ["user.id"],
+            name=op.f("fk_blobplacementlocationpreference_user_id_user"),
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_blobplacementlocationpreference")),
+    )
+    op.create_index(
+        "blobplacementlocationpreference_location_id",
+        "blobplacementlocationpreference",
+        ["location_id"],
+        unique=False,
+    )
+    op.create_index(
+        "blobplacementlocationpreference_user_id",
+        "blobplacementlocationpreference",
+        ["user_id"],
+        unique=False,
+    )
 
-  op.create_table(
-    'manifest',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('digest', sa.String(length=255), nullable=False),
-    sa.Column('media_type_id', sa.Integer(), nullable=False),
-    sa.Column('manifest_json', UTF8LongText, nullable=False),
-    sa.ForeignKeyConstraint(['media_type_id'], ['mediatype.id'], name=op.f('fk_manifest_media_type_id_mediatype')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_manifest'))
-  )
-  op.create_index('manifest_digest', 'manifest', ['digest'], unique=True)
-  op.create_index('manifest_media_type_id', 'manifest', ['media_type_id'], unique=False)
+    op.create_table(
+        "manifest",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("digest", sa.String(length=255), nullable=False),
+        sa.Column("media_type_id", sa.Integer(), nullable=False),
+        sa.Column("manifest_json", UTF8LongText, nullable=False),
+        sa.ForeignKeyConstraint(
+            ["media_type_id"],
+            ["mediatype.id"],
+            name=op.f("fk_manifest_media_type_id_mediatype"),
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_manifest")),
+    )
+    op.create_index("manifest_digest", "manifest", ["digest"], unique=True)
+    op.create_index(
+        "manifest_media_type_id", "manifest", ["media_type_id"], unique=False
+    )
 
-  op.create_table(
-    'manifestlist',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('digest', sa.String(length=255), nullable=False),
-    sa.Column('manifest_list_json', UTF8LongText, nullable=False),
-    sa.Column('schema_version', UTF8CharField(length=255), nullable=False),
-    sa.Column('media_type_id', sa.Integer(), nullable=False),
-    sa.ForeignKeyConstraint(['media_type_id'], ['mediatype.id'], name=op.f('fk_manifestlist_media_type_id_mediatype')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_manifestlist'))
-  )
-  op.create_index('manifestlist_digest', 'manifestlist', ['digest'], unique=True)
-  op.create_index('manifestlist_media_type_id', 'manifestlist', ['media_type_id'], unique=False)
+    op.create_table(
+        "manifestlist",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("digest", sa.String(length=255), nullable=False),
+        sa.Column("manifest_list_json", UTF8LongText, nullable=False),
+        sa.Column("schema_version", UTF8CharField(length=255), nullable=False),
+        sa.Column("media_type_id", sa.Integer(), nullable=False),
+        sa.ForeignKeyConstraint(
+            ["media_type_id"],
+            ["mediatype.id"],
+            name=op.f("fk_manifestlist_media_type_id_mediatype"),
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_manifestlist")),
+    )
+    op.create_index("manifestlist_digest", "manifestlist", ["digest"], unique=True)
+    op.create_index(
+        "manifestlist_media_type_id", "manifestlist", ["media_type_id"], unique=False
+    )
 
-  op.create_table(
-    'bittorrentpieces',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('blob_id', sa.Integer(), nullable=False),
-    sa.Column('pieces', UTF8LongText, nullable=False),
-    sa.Column('piece_length', sa.BigInteger(), nullable=False),
-    sa.ForeignKeyConstraint(['blob_id'], ['blob.id'], name=op.f('fk_bittorrentpieces_blob_id_blob')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_bittorrentpieces'))
-  )
-  op.create_index('bittorrentpieces_blob_id', 'bittorrentpieces', ['blob_id'], unique=False)
-  op.create_index('bittorrentpieces_blob_id_piece_length', 'bittorrentpieces', ['blob_id', 'piece_length'], unique=True)
+    op.create_table(
+        "bittorrentpieces",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("blob_id", sa.Integer(), nullable=False),
+        sa.Column("pieces", UTF8LongText, nullable=False),
+        sa.Column("piece_length", sa.BigInteger(), nullable=False),
+        sa.ForeignKeyConstraint(
+            ["blob_id"], ["blob.id"], name=op.f("fk_bittorrentpieces_blob_id_blob")
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_bittorrentpieces")),
+    )
+    op.create_index(
+        "bittorrentpieces_blob_id", "bittorrentpieces", ["blob_id"], unique=False
+    )
+    op.create_index(
+        "bittorrentpieces_blob_id_piece_length",
+        "bittorrentpieces",
+        ["blob_id", "piece_length"],
+        unique=True,
+    )
 
-  op.create_table(
-    'blobplacement',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('blob_id', sa.Integer(), nullable=False),
-    sa.Column('location_id', sa.Integer(), nullable=False),
-    sa.ForeignKeyConstraint(['blob_id'], ['blob.id'], name=op.f('fk_blobplacement_blob_id_blob')),
-    sa.ForeignKeyConstraint(['location_id'], ['blobplacementlocation.id'], name=op.f('fk_blobplacement_location_id_blobplacementlocation')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_blobplacement'))
-  )
-  op.create_index('blobplacement_blob_id', 'blobplacement', ['blob_id'], unique=False)
-  op.create_index('blobplacement_blob_id_location_id', 'blobplacement', ['blob_id', 'location_id'], unique=True)
-  op.create_index('blobplacement_location_id', 'blobplacement', ['location_id'], unique=False)
+    op.create_table(
+        "blobplacement",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("blob_id", sa.Integer(), nullable=False),
+        sa.Column("location_id", sa.Integer(), nullable=False),
+        sa.ForeignKeyConstraint(
+            ["blob_id"], ["blob.id"], name=op.f("fk_blobplacement_blob_id_blob")
+        ),
+        sa.ForeignKeyConstraint(
+            ["location_id"],
+            ["blobplacementlocation.id"],
+            name=op.f("fk_blobplacement_location_id_blobplacementlocation"),
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_blobplacement")),
+    )
+    op.create_index("blobplacement_blob_id", "blobplacement", ["blob_id"], unique=False)
+    op.create_index(
+        "blobplacement_blob_id_location_id",
+        "blobplacement",
+        ["blob_id", "location_id"],
+        unique=True,
+    )
+    op.create_index(
+        "blobplacement_location_id", "blobplacement", ["location_id"], unique=False
+    )
 
-  op.create_table(
-    'blobuploading',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('uuid', sa.String(length=255), nullable=False),
-    sa.Column('created', sa.DateTime(), nullable=False),
-    sa.Column('repository_id', sa.Integer(), nullable=False),
-    sa.Column('location_id', sa.Integer(), nullable=False),
-    sa.Column('byte_count', sa.BigInteger(), nullable=False),
-    sa.Column('uncompressed_byte_count', sa.BigInteger(), nullable=True),
-    sa.Column('chunk_count', sa.BigInteger(), nullable=False),
-    sa.Column('storage_metadata', UTF8LongText, nullable=True),
-    sa.Column('sha_state', UTF8LongText, nullable=True),
-    sa.Column('piece_sha_state', UTF8LongText, nullable=True),
-    sa.Column('piece_hashes', UTF8LongText, nullable=True),
-    sa.ForeignKeyConstraint(['location_id'], ['blobplacementlocation.id'], name=op.f('fk_blobuploading_location_id_blobplacementlocation')),
-    sa.ForeignKeyConstraint(['repository_id'], ['repository.id'], name=op.f('fk_blobuploading_repository_id_repository')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_blobuploading'))
-  )
-  op.create_index('blobuploading_created', 'blobuploading', ['created'], unique=False)
-  op.create_index('blobuploading_location_id', 'blobuploading', ['location_id'], unique=False)
-  op.create_index('blobuploading_repository_id', 'blobuploading', ['repository_id'], unique=False)
-  op.create_index('blobuploading_repository_id_uuid', 'blobuploading', ['repository_id', 'uuid'], unique=True)
-  op.create_index('blobuploading_uuid', 'blobuploading', ['uuid'], unique=True)
+    op.create_table(
+        "blobuploading",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("uuid", sa.String(length=255), nullable=False),
+        sa.Column("created", sa.DateTime(), nullable=False),
+        sa.Column("repository_id", sa.Integer(), nullable=False),
+        sa.Column("location_id", sa.Integer(), nullable=False),
+        sa.Column("byte_count", sa.BigInteger(), nullable=False),
+        sa.Column("uncompressed_byte_count", sa.BigInteger(), nullable=True),
+        sa.Column("chunk_count", sa.BigInteger(), nullable=False),
+        sa.Column("storage_metadata", UTF8LongText, nullable=True),
+        sa.Column("sha_state", UTF8LongText, nullable=True),
+        sa.Column("piece_sha_state", UTF8LongText, nullable=True),
+        sa.Column("piece_hashes", UTF8LongText, nullable=True),
+        sa.ForeignKeyConstraint(
+            ["location_id"],
+            ["blobplacementlocation.id"],
+            name=op.f("fk_blobuploading_location_id_blobplacementlocation"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["repository_id"],
+            ["repository.id"],
+            name=op.f("fk_blobuploading_repository_id_repository"),
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_blobuploading")),
+    )
+    op.create_index("blobuploading_created", "blobuploading", ["created"], unique=False)
+    op.create_index(
+        "blobuploading_location_id", "blobuploading", ["location_id"], unique=False
+    )
+    op.create_index(
+        "blobuploading_repository_id", "blobuploading", ["repository_id"], unique=False
+    )
+    op.create_index(
+        "blobuploading_repository_id_uuid",
+        "blobuploading",
+        ["repository_id", "uuid"],
+        unique=True,
+    )
+    op.create_index("blobuploading_uuid", "blobuploading", ["uuid"], unique=True)
 
-  op.create_table(
-    'derivedimage',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('uuid', sa.String(length=255), nullable=False),
-    sa.Column('source_manifest_id', sa.Integer(), nullable=False),
-    sa.Column('derived_manifest_json', UTF8LongText, nullable=False),
-    sa.Column('media_type_id', sa.Integer(), nullable=False),
-    sa.Column('blob_id', sa.Integer(), nullable=False),
-    sa.Column('uniqueness_hash', sa.String(length=255), nullable=False),
-    sa.Column('signature_blob_id', sa.Integer(), nullable=True),
-    sa.ForeignKeyConstraint(['blob_id'], ['blob.id'], name=op.f('fk_derivedimage_blob_id_blob')),
-    sa.ForeignKeyConstraint(['media_type_id'], ['mediatype.id'], name=op.f('fk_derivedimage_media_type_id_mediatype')),
-    sa.ForeignKeyConstraint(['signature_blob_id'], ['blob.id'], name=op.f('fk_derivedimage_signature_blob_id_blob')),
-    sa.ForeignKeyConstraint(['source_manifest_id'], ['manifest.id'], name=op.f('fk_derivedimage_source_manifest_id_manifest')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_derivedimage'))
-  )
-  op.create_index('derivedimage_blob_id', 'derivedimage', ['blob_id'], unique=False)
-  op.create_index('derivedimage_media_type_id', 'derivedimage', ['media_type_id'], unique=False)
-  op.create_index('derivedimage_signature_blob_id', 'derivedimage', ['signature_blob_id'], unique=False)
-  op.create_index('derivedimage_source_manifest_id', 'derivedimage', ['source_manifest_id'], unique=False)
-  op.create_index('derivedimage_source_manifest_id_blob_id', 'derivedimage', ['source_manifest_id', 'blob_id'], unique=True)
-  op.create_index('derivedimage_source_manifest_id_media_type_id_uniqueness_hash', 'derivedimage', ['source_manifest_id', 'media_type_id', 'uniqueness_hash'], unique=True)
-  op.create_index('derivedimage_uniqueness_hash', 'derivedimage', ['uniqueness_hash'], unique=True)
-  op.create_index('derivedimage_uuid', 'derivedimage', ['uuid'], unique=True)
+    op.create_table(
+        "derivedimage",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("uuid", sa.String(length=255), nullable=False),
+        sa.Column("source_manifest_id", sa.Integer(), nullable=False),
+        sa.Column("derived_manifest_json", UTF8LongText, nullable=False),
+        sa.Column("media_type_id", sa.Integer(), nullable=False),
+        sa.Column("blob_id", sa.Integer(), nullable=False),
+        sa.Column("uniqueness_hash", sa.String(length=255), nullable=False),
+        sa.Column("signature_blob_id", sa.Integer(), nullable=True),
+        sa.ForeignKeyConstraint(
+            ["blob_id"], ["blob.id"], name=op.f("fk_derivedimage_blob_id_blob")
+        ),
+        sa.ForeignKeyConstraint(
+            ["media_type_id"],
+            ["mediatype.id"],
+            name=op.f("fk_derivedimage_media_type_id_mediatype"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["signature_blob_id"],
+            ["blob.id"],
+            name=op.f("fk_derivedimage_signature_blob_id_blob"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["source_manifest_id"],
+            ["manifest.id"],
+            name=op.f("fk_derivedimage_source_manifest_id_manifest"),
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_derivedimage")),
+    )
+    op.create_index("derivedimage_blob_id", "derivedimage", ["blob_id"], unique=False)
+    op.create_index(
+        "derivedimage_media_type_id", "derivedimage", ["media_type_id"], unique=False
+    )
+    op.create_index(
+        "derivedimage_signature_blob_id",
+        "derivedimage",
+        ["signature_blob_id"],
+        unique=False,
+    )
+    op.create_index(
+        "derivedimage_source_manifest_id",
+        "derivedimage",
+        ["source_manifest_id"],
+        unique=False,
+    )
+    op.create_index(
+        "derivedimage_source_manifest_id_blob_id",
+        "derivedimage",
+        ["source_manifest_id", "blob_id"],
+        unique=True,
+    )
+    op.create_index(
+        "derivedimage_source_manifest_id_media_type_id_uniqueness_hash",
+        "derivedimage",
+        ["source_manifest_id", "media_type_id", "uniqueness_hash"],
+        unique=True,
+    )
+    op.create_index(
+        "derivedimage_uniqueness_hash", "derivedimage", ["uniqueness_hash"], unique=True
+    )
+    op.create_index("derivedimage_uuid", "derivedimage", ["uuid"], unique=True)
 
-  op.create_table(
-    'manifestblob',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('manifest_id', sa.Integer(), nullable=False),
-    sa.Column('blob_id', sa.Integer(), nullable=False),
-    sa.ForeignKeyConstraint(['blob_id'], ['blob.id'], name=op.f('fk_manifestblob_blob_id_blob')),
-    sa.ForeignKeyConstraint(['manifest_id'], ['manifest.id'], name=op.f('fk_manifestblob_manifest_id_manifest')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_manifestblob'))
-  )
-  op.create_index('manifestblob_blob_id', 'manifestblob', ['blob_id'], unique=False)
-  op.create_index('manifestblob_manifest_id', 'manifestblob', ['manifest_id'], unique=False)
-  op.create_index('manifestblob_manifest_id_blob_id', 'manifestblob', ['manifest_id', 'blob_id'], unique=True)
+    op.create_table(
+        "manifestblob",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("manifest_id", sa.Integer(), nullable=False),
+        sa.Column("blob_id", sa.Integer(), nullable=False),
+        sa.ForeignKeyConstraint(
+            ["blob_id"], ["blob.id"], name=op.f("fk_manifestblob_blob_id_blob")
+        ),
+        sa.ForeignKeyConstraint(
+            ["manifest_id"],
+            ["manifest.id"],
+            name=op.f("fk_manifestblob_manifest_id_manifest"),
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_manifestblob")),
+    )
+    op.create_index("manifestblob_blob_id", "manifestblob", ["blob_id"], unique=False)
+    op.create_index(
+        "manifestblob_manifest_id", "manifestblob", ["manifest_id"], unique=False
+    )
+    op.create_index(
+        "manifestblob_manifest_id_blob_id",
+        "manifestblob",
+        ["manifest_id", "blob_id"],
+        unique=True,
+    )
 
-  op.create_table(
-    'manifestlabel',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('repository_id', sa.Integer(), nullable=False),
-    sa.Column('annotated_id', sa.Integer(), nullable=False),
-    sa.Column('label_id', sa.Integer(), nullable=False),
-    sa.ForeignKeyConstraint(['annotated_id'], ['manifest.id'], name=op.f('fk_manifestlabel_annotated_id_manifest')),
-    sa.ForeignKeyConstraint(['label_id'], ['label.id'], name=op.f('fk_manifestlabel_label_id_label')),
-    sa.ForeignKeyConstraint(['repository_id'], ['repository.id'], name=op.f('fk_manifestlabel_repository_id_repository')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_manifestlabel'))
-  )
-  op.create_index('manifestlabel_annotated_id', 'manifestlabel', ['annotated_id'], unique=False)
-  op.create_index('manifestlabel_label_id', 'manifestlabel', ['label_id'], unique=False)
-  op.create_index('manifestlabel_repository_id', 'manifestlabel', ['repository_id'], unique=False)
-  op.create_index('manifestlabel_repository_id_annotated_id_label_id', 'manifestlabel', ['repository_id', 'annotated_id', 'label_id'], unique=True)
+    op.create_table(
+        "manifestlabel",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("repository_id", sa.Integer(), nullable=False),
+        sa.Column("annotated_id", sa.Integer(), nullable=False),
+        sa.Column("label_id", sa.Integer(), nullable=False),
+        sa.ForeignKeyConstraint(
+            ["annotated_id"],
+            ["manifest.id"],
+            name=op.f("fk_manifestlabel_annotated_id_manifest"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["label_id"], ["label.id"], name=op.f("fk_manifestlabel_label_id_label")
+        ),
+        sa.ForeignKeyConstraint(
+            ["repository_id"],
+            ["repository.id"],
+            name=op.f("fk_manifestlabel_repository_id_repository"),
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_manifestlabel")),
+    )
+    op.create_index(
+        "manifestlabel_annotated_id", "manifestlabel", ["annotated_id"], unique=False
+    )
+    op.create_index(
+        "manifestlabel_label_id", "manifestlabel", ["label_id"], unique=False
+    )
+    op.create_index(
+        "manifestlabel_repository_id", "manifestlabel", ["repository_id"], unique=False
+    )
+    op.create_index(
+        "manifestlabel_repository_id_annotated_id_label_id",
+        "manifestlabel",
+        ["repository_id", "annotated_id", "label_id"],
+        unique=True,
+    )
 
-  op.create_table(
-    'manifestlayer',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('blob_id', sa.Integer(), nullable=False),
-    sa.Column('manifest_id', sa.Integer(), nullable=False),
-    sa.Column('manifest_index', sa.BigInteger(), nullable=False),
-    sa.Column('metadata_json', UTF8LongText, nullable=False),
-    sa.ForeignKeyConstraint(['blob_id'], ['blob.id'], name=op.f('fk_manifestlayer_blob_id_blob')),
-    sa.ForeignKeyConstraint(['manifest_id'], ['manifest.id'], name=op.f('fk_manifestlayer_manifest_id_manifest')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_manifestlayer'))
-  )
-  op.create_index('manifestlayer_blob_id', 'manifestlayer', ['blob_id'], unique=False)
-  op.create_index('manifestlayer_manifest_id', 'manifestlayer', ['manifest_id'], unique=False)
-  op.create_index('manifestlayer_manifest_id_manifest_index', 'manifestlayer', ['manifest_id', 'manifest_index'], unique=True)
-  op.create_index('manifestlayer_manifest_index', 'manifestlayer', ['manifest_index'], unique=False)
+    op.create_table(
+        "manifestlayer",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("blob_id", sa.Integer(), nullable=False),
+        sa.Column("manifest_id", sa.Integer(), nullable=False),
+        sa.Column("manifest_index", sa.BigInteger(), nullable=False),
+        sa.Column("metadata_json", UTF8LongText, nullable=False),
+        sa.ForeignKeyConstraint(
+            ["blob_id"], ["blob.id"], name=op.f("fk_manifestlayer_blob_id_blob")
+        ),
+        sa.ForeignKeyConstraint(
+            ["manifest_id"],
+            ["manifest.id"],
+            name=op.f("fk_manifestlayer_manifest_id_manifest"),
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_manifestlayer")),
+    )
+    op.create_index("manifestlayer_blob_id", "manifestlayer", ["blob_id"], unique=False)
+    op.create_index(
+        "manifestlayer_manifest_id", "manifestlayer", ["manifest_id"], unique=False
+    )
+    op.create_index(
+        "manifestlayer_manifest_id_manifest_index",
+        "manifestlayer",
+        ["manifest_id", "manifest_index"],
+        unique=True,
+    )
+    op.create_index(
+        "manifestlayer_manifest_index",
+        "manifestlayer",
+        ["manifest_index"],
+        unique=False,
+    )
 
-  op.create_table(
-    'manifestlistmanifest',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('manifest_list_id', sa.Integer(), nullable=False),
-    sa.Column('manifest_id', sa.Integer(), nullable=False),
-    sa.Column('operating_system', UTF8CharField(length=255), nullable=True),
-    sa.Column('architecture', UTF8CharField(length=255), nullable=True),
-    sa.Column('platform_json', UTF8LongText, nullable=True),
-    sa.Column('media_type_id', sa.Integer(), nullable=False),
-    sa.ForeignKeyConstraint(['manifest_id'], ['manifest.id'], name=op.f('fk_manifestlistmanifest_manifest_id_manifest')),
-    sa.ForeignKeyConstraint(['manifest_list_id'], ['manifestlist.id'], name=op.f('fk_manifestlistmanifest_manifest_list_id_manifestlist')),
-    sa.ForeignKeyConstraint(['media_type_id'], ['mediatype.id'], name=op.f('fk_manifestlistmanifest_media_type_id_mediatype')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_manifestlistmanifest'))
-  )
-  op.create_index('manifestlistmanifest_manifest_id', 'manifestlistmanifest', ['manifest_id'], unique=False)
-  op.create_index('manifestlistmanifest_manifest_list_id', 'manifestlistmanifest', ['manifest_list_id'], unique=False)
-  op.create_index('manifestlistmanifest_manifest_listid_os_arch_mtid', 'manifestlistmanifest', ['manifest_list_id', 'operating_system', 'architecture', 'media_type_id'], unique=False)
-  op.create_index('manifestlistmanifest_manifest_listid_mtid', 'manifestlistmanifest', ['manifest_list_id', 'media_type_id'], unique=False)
-  op.create_index('manifestlistmanifest_media_type_id', 'manifestlistmanifest', ['media_type_id'], unique=False)
+    op.create_table(
+        "manifestlistmanifest",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("manifest_list_id", sa.Integer(), nullable=False),
+        sa.Column("manifest_id", sa.Integer(), nullable=False),
+        sa.Column("operating_system", UTF8CharField(length=255), nullable=True),
+        sa.Column("architecture", UTF8CharField(length=255), nullable=True),
+        sa.Column("platform_json", UTF8LongText, nullable=True),
+        sa.Column("media_type_id", sa.Integer(), nullable=False),
+        sa.ForeignKeyConstraint(
+            ["manifest_id"],
+            ["manifest.id"],
+            name=op.f("fk_manifestlistmanifest_manifest_id_manifest"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["manifest_list_id"],
+            ["manifestlist.id"],
+            name=op.f("fk_manifestlistmanifest_manifest_list_id_manifestlist"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["media_type_id"],
+            ["mediatype.id"],
+            name=op.f("fk_manifestlistmanifest_media_type_id_mediatype"),
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_manifestlistmanifest")),
+    )
+    op.create_index(
+        "manifestlistmanifest_manifest_id",
+        "manifestlistmanifest",
+        ["manifest_id"],
+        unique=False,
+    )
+    op.create_index(
+        "manifestlistmanifest_manifest_list_id",
+        "manifestlistmanifest",
+        ["manifest_list_id"],
+        unique=False,
+    )
+    op.create_index(
+        "manifestlistmanifest_manifest_listid_os_arch_mtid",
+        "manifestlistmanifest",
+        ["manifest_list_id", "operating_system", "architecture", "media_type_id"],
+        unique=False,
+    )
+    op.create_index(
+        "manifestlistmanifest_manifest_listid_mtid",
+        "manifestlistmanifest",
+        ["manifest_list_id", "media_type_id"],
+        unique=False,
+    )
+    op.create_index(
+        "manifestlistmanifest_media_type_id",
+        "manifestlistmanifest",
+        ["media_type_id"],
+        unique=False,
+    )
 
-  op.create_table(
-    'tag',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('name', UTF8CharField(length=190), nullable=False),
-    sa.Column('repository_id', sa.Integer(), nullable=False),
-    sa.Column('manifest_list_id', sa.Integer(), nullable=True),
-    sa.Column('lifetime_start', sa.BigInteger(), nullable=False),
-    sa.Column('lifetime_end', sa.BigInteger(), nullable=True),
-    sa.Column('hidden', sa.Boolean(), nullable=False),
-    sa.Column('reverted', sa.Boolean(), nullable=False),
-    sa.Column('protected', sa.Boolean(), nullable=False),
-    sa.Column('tag_kind_id', sa.Integer(), nullable=False),
-    sa.Column('linked_tag_id', sa.Integer(), nullable=True),
-    sa.ForeignKeyConstraint(['linked_tag_id'], ['tag.id'], name=op.f('fk_tag_linked_tag_id_tag')),
-    sa.ForeignKeyConstraint(['manifest_list_id'], ['manifestlist.id'], name=op.f('fk_tag_manifest_list_id_manifestlist')),
-    sa.ForeignKeyConstraint(['repository_id'], ['repository.id'], name=op.f('fk_tag_repository_id_repository')),
-    sa.ForeignKeyConstraint(['tag_kind_id'], ['tagkind.id'], name=op.f('fk_tag_tag_kind_id_tagkind')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_tag'))
-  )
-  op.create_index('tag_lifetime_end', 'tag', ['lifetime_end'], unique=False)
-  op.create_index('tag_linked_tag_id', 'tag', ['linked_tag_id'], unique=False)
-  op.create_index('tag_manifest_list_id', 'tag', ['manifest_list_id'], unique=False)
-  op.create_index('tag_repository_id', 'tag', ['repository_id'], unique=False)
-  op.create_index('tag_repository_id_name_hidden', 'tag', ['repository_id', 'name', 'hidden'], unique=False)
-  op.create_index('tag_repository_id_name_lifetime_end', 'tag', ['repository_id', 'name', 'lifetime_end'], unique=True)
-  op.create_index('tag_repository_id_name', 'tag', ['repository_id', 'name'], unique=False)
-  op.create_index('tag_tag_kind_id', 'tag', ['tag_kind_id'], unique=False)
+    op.create_table(
+        "tag",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("name", UTF8CharField(length=190), nullable=False),
+        sa.Column("repository_id", sa.Integer(), nullable=False),
+        sa.Column("manifest_list_id", sa.Integer(), nullable=True),
+        sa.Column("lifetime_start", sa.BigInteger(), nullable=False),
+        sa.Column("lifetime_end", sa.BigInteger(), nullable=True),
+        sa.Column("hidden", sa.Boolean(), nullable=False),
+        sa.Column("reverted", sa.Boolean(), nullable=False),
+        sa.Column("protected", sa.Boolean(), nullable=False),
+        sa.Column("tag_kind_id", sa.Integer(), nullable=False),
+        sa.Column("linked_tag_id", sa.Integer(), nullable=True),
+        sa.ForeignKeyConstraint(
+            ["linked_tag_id"], ["tag.id"], name=op.f("fk_tag_linked_tag_id_tag")
+        ),
+        sa.ForeignKeyConstraint(
+            ["manifest_list_id"],
+            ["manifestlist.id"],
+            name=op.f("fk_tag_manifest_list_id_manifestlist"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["repository_id"],
+            ["repository.id"],
+            name=op.f("fk_tag_repository_id_repository"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["tag_kind_id"], ["tagkind.id"], name=op.f("fk_tag_tag_kind_id_tagkind")
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_tag")),
+    )
+    op.create_index("tag_lifetime_end", "tag", ["lifetime_end"], unique=False)
+    op.create_index("tag_linked_tag_id", "tag", ["linked_tag_id"], unique=False)
+    op.create_index("tag_manifest_list_id", "tag", ["manifest_list_id"], unique=False)
+    op.create_index("tag_repository_id", "tag", ["repository_id"], unique=False)
+    op.create_index(
+        "tag_repository_id_name_hidden",
+        "tag",
+        ["repository_id", "name", "hidden"],
+        unique=False,
+    )
+    op.create_index(
+        "tag_repository_id_name_lifetime_end",
+        "tag",
+        ["repository_id", "name", "lifetime_end"],
+        unique=True,
+    )
+    op.create_index(
+        "tag_repository_id_name", "tag", ["repository_id", "name"], unique=False
+    )
+    op.create_index("tag_tag_kind_id", "tag", ["tag_kind_id"], unique=False)
 
-  op.create_table(
-    'manifestlayerdockerv1',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('manifest_layer_id', sa.Integer(), nullable=False),
-    sa.Column('image_id', UTF8CharField(length=255), nullable=False),
-    sa.Column('checksum', UTF8CharField(length=255), nullable=False),
-    sa.Column('compat_json', UTF8LongText, nullable=False),
-    sa.ForeignKeyConstraint(['manifest_layer_id'], ['manifestlayer.id'], name=op.f('fk_manifestlayerdockerv1_manifest_layer_id_manifestlayer')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_manifestlayerdockerv1'))
-  )
-  op.create_index('manifestlayerdockerv1_image_id', 'manifestlayerdockerv1', ['image_id'], unique=False)
-  op.create_index('manifestlayerdockerv1_manifest_layer_id', 'manifestlayerdockerv1', ['manifest_layer_id'], unique=False)
+    op.create_table(
+        "manifestlayerdockerv1",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("manifest_layer_id", sa.Integer(), nullable=False),
+        sa.Column("image_id", UTF8CharField(length=255), nullable=False),
+        sa.Column("checksum", UTF8CharField(length=255), nullable=False),
+        sa.Column("compat_json", UTF8LongText, nullable=False),
+        sa.ForeignKeyConstraint(
+            ["manifest_layer_id"],
+            ["manifestlayer.id"],
+            name=op.f("fk_manifestlayerdockerv1_manifest_layer_id_manifestlayer"),
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_manifestlayerdockerv1")),
+    )
+    op.create_index(
+        "manifestlayerdockerv1_image_id",
+        "manifestlayerdockerv1",
+        ["image_id"],
+        unique=False,
+    )
+    op.create_index(
+        "manifestlayerdockerv1_manifest_layer_id",
+        "manifestlayerdockerv1",
+        ["manifest_layer_id"],
+        unique=False,
+    )
 
-  op.create_table(
-    'manifestlayerscan',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('layer_id', sa.Integer(), nullable=False),
-    sa.Column('scannable', sa.Boolean(), nullable=False),
-    sa.Column('scanned_by', UTF8CharField(length=255), nullable=False),
-    sa.ForeignKeyConstraint(['layer_id'], ['manifestlayer.id'], name=op.f('fk_manifestlayerscan_layer_id_manifestlayer')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_manifestlayerscan'))
-  )
-  op.create_index('manifestlayerscan_layer_id', 'manifestlayerscan', ['layer_id'], unique=True)
+    op.create_table(
+        "manifestlayerscan",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("layer_id", sa.Integer(), nullable=False),
+        sa.Column("scannable", sa.Boolean(), nullable=False),
+        sa.Column("scanned_by", UTF8CharField(length=255), nullable=False),
+        sa.ForeignKeyConstraint(
+            ["layer_id"],
+            ["manifestlayer.id"],
+            name=op.f("fk_manifestlayerscan_layer_id_manifestlayer"),
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_manifestlayerscan")),
+    )
+    op.create_index(
+        "manifestlayerscan_layer_id", "manifestlayerscan", ["layer_id"], unique=True
+    )
 
-  blobplacementlocation_table = table('blobplacementlocation',
-      column('id', sa.Integer()),
-      column('name', sa.String()),
-  )
+    blobplacementlocation_table = table(
+        "blobplacementlocation", column("id", sa.Integer()), column("name", sa.String())
+    )
 
-  op.bulk_insert(
-    blobplacementlocation_table,
-    [
-      {'name': 'local_eu'},
-      {'name': 'local_us'},
-    ],
-  )
+    op.bulk_insert(
+        blobplacementlocation_table, [{"name": "local_eu"}, {"name": "local_us"}]
+    )
 
-  op.bulk_insert(
-    tables.mediatype,
-    [
-      {'name': 'application/vnd.cnr.blob.v0.tar+gzip'},
-      {'name': 'application/vnd.cnr.package-manifest.helm.v0.json'},
-      {'name': 'application/vnd.cnr.package-manifest.kpm.v0.json'},
-      {'name': 'application/vnd.cnr.package-manifest.docker-compose.v0.json'},
-      {'name': 'application/vnd.cnr.package.kpm.v0.tar+gzip'},
-      {'name': 'application/vnd.cnr.package.helm.v0.tar+gzip'},
-      {'name': 'application/vnd.cnr.package.docker-compose.v0.tar+gzip'},
-      {'name': 'application/vnd.cnr.manifests.v0.json'},
-      {'name': 'application/vnd.cnr.manifest.list.v0.json'},
-    ],
-  )
+    op.bulk_insert(
+        tables.mediatype,
+        [
+            {"name": "application/vnd.cnr.blob.v0.tar+gzip"},
+            {"name": "application/vnd.cnr.package-manifest.helm.v0.json"},
+            {"name": "application/vnd.cnr.package-manifest.kpm.v0.json"},
+            {"name": "application/vnd.cnr.package-manifest.docker-compose.v0.json"},
+            {"name": "application/vnd.cnr.package.kpm.v0.tar+gzip"},
+            {"name": "application/vnd.cnr.package.helm.v0.tar+gzip"},
+            {"name": "application/vnd.cnr.package.docker-compose.v0.tar+gzip"},
+            {"name": "application/vnd.cnr.manifests.v0.json"},
+            {"name": "application/vnd.cnr.manifest.list.v0.json"},
+        ],
+    )
 
-  tagkind_table = table('tagkind',
-      column('id', sa.Integer()),
-      column('name', sa.String()),
-  )
+    tagkind_table = table(
+        "tagkind", column("id", sa.Integer()), column("name", sa.String())
+    )
+
+    op.bulk_insert(
+        tagkind_table,
+        [
+            {"id": 1, "name": "tag"},
+            {"id": 2, "name": "release"},
+            {"id": 3, "name": "channel"},
+        ],
+    )
 
-  op.bulk_insert(
-    tagkind_table,
-    [
-      {'id': 1, 'name': 'tag'},
-      {'id': 2, 'name': 'release'},
-      {'id': 3, 'name': 'channel'},
-    ]
-  )
 
 def downgrade(tables, tester, progress_reporter):
-  op = ProgressWrapper(original_op, progress_reporter)
-  op.drop_table('manifestlayerscan')
-  op.drop_table('manifestlayerdockerv1')
-  op.drop_table('tag')
-  op.drop_table('manifestlistmanifest')
-  op.drop_table('manifestlayer')
-  op.drop_table('manifestlabel')
-  op.drop_table('manifestblob')
-  op.drop_table('derivedimage')
-  op.drop_table('blobuploading')
-  op.drop_table('blobplacement')
-  op.drop_table('bittorrentpieces')
-  op.drop_table('manifestlist')
-  op.drop_table('manifest')
-  op.drop_table('blobplacementlocationpreference')
-  op.drop_table('blob')
-  op.drop_table('tagkind')
-  op.drop_table('blobplacementlocation')
+    op = ProgressWrapper(original_op, progress_reporter)
+    op.drop_table("manifestlayerscan")
+    op.drop_table("manifestlayerdockerv1")
+    op.drop_table("tag")
+    op.drop_table("manifestlistmanifest")
+    op.drop_table("manifestlayer")
+    op.drop_table("manifestlabel")
+    op.drop_table("manifestblob")
+    op.drop_table("derivedimage")
+    op.drop_table("blobuploading")
+    op.drop_table("blobplacement")
+    op.drop_table("bittorrentpieces")
+    op.drop_table("manifestlist")
+    op.drop_table("manifest")
+    op.drop_table("blobplacementlocationpreference")
+    op.drop_table("blob")
+    op.drop_table("tagkind")
+    op.drop_table("blobplacementlocation")
diff --git a/data/migrations/versions/87fbbc224f10_add_disabled_datetime_to_trigger.py b/data/migrations/versions/87fbbc224f10_add_disabled_datetime_to_trigger.py
index ac177cd9f..a244005b2 100644
--- a/data/migrations/versions/87fbbc224f10_add_disabled_datetime_to_trigger.py
+++ b/data/migrations/versions/87fbbc224f10_add_disabled_datetime_to_trigger.py
@@ -7,29 +7,42 @@ Create Date: 2017-10-24 14:06:37.658705
 """
 
 # revision identifiers, used by Alembic.
-revision = '87fbbc224f10'
-down_revision = '17aff2e1354e'
+revision = "87fbbc224f10"
+down_revision = "17aff2e1354e"
 
 from alembic import op as original_op
 from data.migrations.progress import ProgressWrapper
 import sqlalchemy as sa
 from sqlalchemy.dialects import mysql
 
+
 def upgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     # ### commands auto generated by Alembic - please adjust! ###
-    op.add_column('repositorybuildtrigger', sa.Column('disabled_datetime', sa.DateTime(), nullable=True))
-    op.create_index('repositorybuildtrigger_disabled_datetime', 'repositorybuildtrigger', ['disabled_datetime'], unique=False)
+    op.add_column(
+        "repositorybuildtrigger",
+        sa.Column("disabled_datetime", sa.DateTime(), nullable=True),
+    )
+    op.create_index(
+        "repositorybuildtrigger_disabled_datetime",
+        "repositorybuildtrigger",
+        ["disabled_datetime"],
+        unique=False,
+    )
     # ### end Alembic commands ###
 
     # ### population of test data ### #
-    tester.populate_column('repositorybuildtrigger', 'disabled_datetime', tester.TestDataType.DateTime)
+    tester.populate_column(
+        "repositorybuildtrigger", "disabled_datetime", tester.TestDataType.DateTime
+    )
     # ### end population of test data ### #
 
 
 def downgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     # ### commands auto generated by Alembic - please adjust! ###
-    op.drop_index('repositorybuildtrigger_disabled_datetime', table_name='repositorybuildtrigger')
-    op.drop_column('repositorybuildtrigger', 'disabled_datetime')
+    op.drop_index(
+        "repositorybuildtrigger_disabled_datetime", table_name="repositorybuildtrigger"
+    )
+    op.drop_column("repositorybuildtrigger", "disabled_datetime")
     # ### end Alembic commands ###
diff --git a/data/migrations/versions/9093adccc784_add_v2_2_data_models_for_manifest_.py b/data/migrations/versions/9093adccc784_add_v2_2_data_models_for_manifest_.py
index 49797c6ae..94a4f11d7 100644
--- a/data/migrations/versions/9093adccc784_add_v2_2_data_models_for_manifest_.py
+++ b/data/migrations/versions/9093adccc784_add_v2_2_data_models_for_manifest_.py
@@ -7,8 +7,8 @@ Create Date: 2018-08-06 16:07:50.222749
 """
 
 # revision identifiers, used by Alembic.
-revision = '9093adccc784'
-down_revision = '6c21e2cfb8b6'
+revision = "9093adccc784"
+down_revision = "6c21e2cfb8b6"
 
 from alembic import op as original_op
 from data.migrations.progress import ProgressWrapper
@@ -19,144 +19,344 @@ from image.docker.schema1 import DOCKER_SCHEMA1_CONTENT_TYPES
 def upgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     # ### commands auto generated by Alembic - please adjust! ###
-    op.create_table('manifest',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('repository_id', sa.Integer(), nullable=False),
-    sa.Column('digest', sa.String(length=255), nullable=False),
-    sa.Column('media_type_id', sa.Integer(), nullable=False),
-    sa.Column('manifest_bytes', sa.Text(), nullable=False),
-    sa.ForeignKeyConstraint(['media_type_id'], ['mediatype.id'], name=op.f('fk_manifest_media_type_id_mediatype')),
-    sa.ForeignKeyConstraint(['repository_id'], ['repository.id'], name=op.f('fk_manifest_repository_id_repository')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_manifest'))
+    op.create_table(
+        "manifest",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("repository_id", sa.Integer(), nullable=False),
+        sa.Column("digest", sa.String(length=255), nullable=False),
+        sa.Column("media_type_id", sa.Integer(), nullable=False),
+        sa.Column("manifest_bytes", sa.Text(), nullable=False),
+        sa.ForeignKeyConstraint(
+            ["media_type_id"],
+            ["mediatype.id"],
+            name=op.f("fk_manifest_media_type_id_mediatype"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["repository_id"],
+            ["repository.id"],
+            name=op.f("fk_manifest_repository_id_repository"),
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_manifest")),
     )
-    op.create_index('manifest_digest', 'manifest', ['digest'], unique=False)
-    op.create_index('manifest_media_type_id', 'manifest', ['media_type_id'], unique=False)
-    op.create_index('manifest_repository_id', 'manifest', ['repository_id'], unique=False)
-    op.create_index('manifest_repository_id_digest', 'manifest', ['repository_id', 'digest'], unique=True)
-    op.create_index('manifest_repository_id_media_type_id', 'manifest', ['repository_id', 'media_type_id'], unique=False)
-    op.create_table('manifestblob',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('repository_id', sa.Integer(), nullable=False),
-    sa.Column('manifest_id', sa.Integer(), nullable=False),
-    sa.Column('blob_id', sa.Integer(), nullable=False),
-    sa.Column('blob_index', sa.Integer(), nullable=False),
-    sa.ForeignKeyConstraint(['blob_id'], ['imagestorage.id'], name=op.f('fk_manifestblob_blob_id_imagestorage')),
-    sa.ForeignKeyConstraint(['manifest_id'], ['manifest.id'], name=op.f('fk_manifestblob_manifest_id_manifest')),
-    sa.ForeignKeyConstraint(['repository_id'], ['repository.id'], name=op.f('fk_manifestblob_repository_id_repository')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_manifestblob'))
+    op.create_index("manifest_digest", "manifest", ["digest"], unique=False)
+    op.create_index(
+        "manifest_media_type_id", "manifest", ["media_type_id"], unique=False
     )
-    op.create_index('manifestblob_blob_id', 'manifestblob', ['blob_id'], unique=False)
-    op.create_index('manifestblob_manifest_id', 'manifestblob', ['manifest_id'], unique=False)
-    op.create_index('manifestblob_manifest_id_blob_id', 'manifestblob', ['manifest_id', 'blob_id'], unique=True)
-    op.create_index('manifestblob_manifest_id_blob_index', 'manifestblob', ['manifest_id', 'blob_index'], unique=True)
-    op.create_index('manifestblob_repository_id', 'manifestblob', ['repository_id'], unique=False)
-    op.create_table('manifestlabel',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('repository_id', sa.Integer(), nullable=False),
-    sa.Column('manifest_id', sa.Integer(), nullable=False),
-    sa.Column('label_id', sa.Integer(), nullable=False),
-    sa.ForeignKeyConstraint(['label_id'], ['label.id'], name=op.f('fk_manifestlabel_label_id_label')),
-    sa.ForeignKeyConstraint(['manifest_id'], ['manifest.id'], name=op.f('fk_manifestlabel_manifest_id_manifest')),
-    sa.ForeignKeyConstraint(['repository_id'], ['repository.id'], name=op.f('fk_manifestlabel_repository_id_repository')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_manifestlabel'))
+    op.create_index(
+        "manifest_repository_id", "manifest", ["repository_id"], unique=False
     )
-    op.create_index('manifestlabel_label_id', 'manifestlabel', ['label_id'], unique=False)
-    op.create_index('manifestlabel_manifest_id', 'manifestlabel', ['manifest_id'], unique=False)
-    op.create_index('manifestlabel_manifest_id_label_id', 'manifestlabel', ['manifest_id', 'label_id'], unique=True)
-    op.create_index('manifestlabel_repository_id', 'manifestlabel', ['repository_id'], unique=False)
-    op.create_table('manifestlegacyimage',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('repository_id', sa.Integer(), nullable=False),
-    sa.Column('manifest_id', sa.Integer(), nullable=False),
-    sa.Column('image_id', sa.Integer(), nullable=False),
-    sa.ForeignKeyConstraint(['image_id'], ['image.id'], name=op.f('fk_manifestlegacyimage_image_id_image')),
-    sa.ForeignKeyConstraint(['manifest_id'], ['manifest.id'], name=op.f('fk_manifestlegacyimage_manifest_id_manifest')),
-    sa.ForeignKeyConstraint(['repository_id'], ['repository.id'], name=op.f('fk_manifestlegacyimage_repository_id_repository')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_manifestlegacyimage'))
+    op.create_index(
+        "manifest_repository_id_digest",
+        "manifest",
+        ["repository_id", "digest"],
+        unique=True,
     )
-    op.create_index('manifestlegacyimage_image_id', 'manifestlegacyimage', ['image_id'], unique=False)
-    op.create_index('manifestlegacyimage_manifest_id', 'manifestlegacyimage', ['manifest_id'], unique=True)
-    op.create_index('manifestlegacyimage_repository_id', 'manifestlegacyimage', ['repository_id'], unique=False)
-    op.create_table('tagmanifesttomanifest',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('tag_manifest_id', sa.Integer(), nullable=False),
-    sa.Column('manifest_id', sa.Integer(), nullable=False),
-    sa.Column('broken', sa.Boolean(), nullable=False, server_default=sa.sql.expression.false()),
-    sa.ForeignKeyConstraint(['manifest_id'], ['manifest.id'], name=op.f('fk_tagmanifesttomanifest_manifest_id_manifest')),
-    sa.ForeignKeyConstraint(['tag_manifest_id'], ['tagmanifest.id'], name=op.f('fk_tagmanifesttomanifest_tag_manifest_id_tagmanifest')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_tagmanifesttomanifest'))
+    op.create_index(
+        "manifest_repository_id_media_type_id",
+        "manifest",
+        ["repository_id", "media_type_id"],
+        unique=False,
     )
-    op.create_index('tagmanifesttomanifest_broken', 'tagmanifesttomanifest', ['broken'], unique=False)
-    op.create_index('tagmanifesttomanifest_manifest_id', 'tagmanifesttomanifest', ['manifest_id'], unique=True)
-    op.create_index('tagmanifesttomanifest_tag_manifest_id', 'tagmanifesttomanifest', ['tag_manifest_id'], unique=True)
-    op.create_table('tagmanifestlabelmap',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('tag_manifest_id', sa.Integer(), nullable=False),
-    sa.Column('manifest_id', sa.Integer(), nullable=True),
-    sa.Column('label_id', sa.Integer(), nullable=False),
-    sa.Column('tag_manifest_label_id', sa.Integer(), nullable=False),
-    sa.Column('manifest_label_id', sa.Integer(), nullable=True),
-    sa.Column('broken_manifest', sa.Boolean(), nullable=False, server_default=sa.sql.expression.false()),
-    sa.ForeignKeyConstraint(['label_id'], ['label.id'], name=op.f('fk_tagmanifestlabelmap_label_id_label')),
-    sa.ForeignKeyConstraint(['manifest_id'], ['manifest.id'], name=op.f('fk_tagmanifestlabelmap_manifest_id_manifest')),
-    sa.ForeignKeyConstraint(['manifest_label_id'], ['manifestlabel.id'], name=op.f('fk_tagmanifestlabelmap_manifest_label_id_manifestlabel')),
-    sa.ForeignKeyConstraint(['tag_manifest_id'], ['tagmanifest.id'], name=op.f('fk_tagmanifestlabelmap_tag_manifest_id_tagmanifest')),
-    sa.ForeignKeyConstraint(['tag_manifest_label_id'], ['tagmanifestlabel.id'], name=op.f('fk_tagmanifestlabelmap_tag_manifest_label_id_tagmanifestlabel')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_tagmanifestlabelmap'))
+    op.create_table(
+        "manifestblob",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("repository_id", sa.Integer(), nullable=False),
+        sa.Column("manifest_id", sa.Integer(), nullable=False),
+        sa.Column("blob_id", sa.Integer(), nullable=False),
+        sa.Column("blob_index", sa.Integer(), nullable=False),
+        sa.ForeignKeyConstraint(
+            ["blob_id"],
+            ["imagestorage.id"],
+            name=op.f("fk_manifestblob_blob_id_imagestorage"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["manifest_id"],
+            ["manifest.id"],
+            name=op.f("fk_manifestblob_manifest_id_manifest"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["repository_id"],
+            ["repository.id"],
+            name=op.f("fk_manifestblob_repository_id_repository"),
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_manifestblob")),
+    )
+    op.create_index("manifestblob_blob_id", "manifestblob", ["blob_id"], unique=False)
+    op.create_index(
+        "manifestblob_manifest_id", "manifestblob", ["manifest_id"], unique=False
+    )
+    op.create_index(
+        "manifestblob_manifest_id_blob_id",
+        "manifestblob",
+        ["manifest_id", "blob_id"],
+        unique=True,
+    )
+    op.create_index(
+        "manifestblob_manifest_id_blob_index",
+        "manifestblob",
+        ["manifest_id", "blob_index"],
+        unique=True,
+    )
+    op.create_index(
+        "manifestblob_repository_id", "manifestblob", ["repository_id"], unique=False
+    )
+    op.create_table(
+        "manifestlabel",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("repository_id", sa.Integer(), nullable=False),
+        sa.Column("manifest_id", sa.Integer(), nullable=False),
+        sa.Column("label_id", sa.Integer(), nullable=False),
+        sa.ForeignKeyConstraint(
+            ["label_id"], ["label.id"], name=op.f("fk_manifestlabel_label_id_label")
+        ),
+        sa.ForeignKeyConstraint(
+            ["manifest_id"],
+            ["manifest.id"],
+            name=op.f("fk_manifestlabel_manifest_id_manifest"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["repository_id"],
+            ["repository.id"],
+            name=op.f("fk_manifestlabel_repository_id_repository"),
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_manifestlabel")),
+    )
+    op.create_index(
+        "manifestlabel_label_id", "manifestlabel", ["label_id"], unique=False
+    )
+    op.create_index(
+        "manifestlabel_manifest_id", "manifestlabel", ["manifest_id"], unique=False
+    )
+    op.create_index(
+        "manifestlabel_manifest_id_label_id",
+        "manifestlabel",
+        ["manifest_id", "label_id"],
+        unique=True,
+    )
+    op.create_index(
+        "manifestlabel_repository_id", "manifestlabel", ["repository_id"], unique=False
+    )
+    op.create_table(
+        "manifestlegacyimage",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("repository_id", sa.Integer(), nullable=False),
+        sa.Column("manifest_id", sa.Integer(), nullable=False),
+        sa.Column("image_id", sa.Integer(), nullable=False),
+        sa.ForeignKeyConstraint(
+            ["image_id"],
+            ["image.id"],
+            name=op.f("fk_manifestlegacyimage_image_id_image"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["manifest_id"],
+            ["manifest.id"],
+            name=op.f("fk_manifestlegacyimage_manifest_id_manifest"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["repository_id"],
+            ["repository.id"],
+            name=op.f("fk_manifestlegacyimage_repository_id_repository"),
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_manifestlegacyimage")),
+    )
+    op.create_index(
+        "manifestlegacyimage_image_id",
+        "manifestlegacyimage",
+        ["image_id"],
+        unique=False,
+    )
+    op.create_index(
+        "manifestlegacyimage_manifest_id",
+        "manifestlegacyimage",
+        ["manifest_id"],
+        unique=True,
+    )
+    op.create_index(
+        "manifestlegacyimage_repository_id",
+        "manifestlegacyimage",
+        ["repository_id"],
+        unique=False,
+    )
+    op.create_table(
+        "tagmanifesttomanifest",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("tag_manifest_id", sa.Integer(), nullable=False),
+        sa.Column("manifest_id", sa.Integer(), nullable=False),
+        sa.Column(
+            "broken",
+            sa.Boolean(),
+            nullable=False,
+            server_default=sa.sql.expression.false(),
+        ),
+        sa.ForeignKeyConstraint(
+            ["manifest_id"],
+            ["manifest.id"],
+            name=op.f("fk_tagmanifesttomanifest_manifest_id_manifest"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["tag_manifest_id"],
+            ["tagmanifest.id"],
+            name=op.f("fk_tagmanifesttomanifest_tag_manifest_id_tagmanifest"),
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_tagmanifesttomanifest")),
+    )
+    op.create_index(
+        "tagmanifesttomanifest_broken",
+        "tagmanifesttomanifest",
+        ["broken"],
+        unique=False,
+    )
+    op.create_index(
+        "tagmanifesttomanifest_manifest_id",
+        "tagmanifesttomanifest",
+        ["manifest_id"],
+        unique=True,
+    )
+    op.create_index(
+        "tagmanifesttomanifest_tag_manifest_id",
+        "tagmanifesttomanifest",
+        ["tag_manifest_id"],
+        unique=True,
+    )
+    op.create_table(
+        "tagmanifestlabelmap",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("tag_manifest_id", sa.Integer(), nullable=False),
+        sa.Column("manifest_id", sa.Integer(), nullable=True),
+        sa.Column("label_id", sa.Integer(), nullable=False),
+        sa.Column("tag_manifest_label_id", sa.Integer(), nullable=False),
+        sa.Column("manifest_label_id", sa.Integer(), nullable=True),
+        sa.Column(
+            "broken_manifest",
+            sa.Boolean(),
+            nullable=False,
+            server_default=sa.sql.expression.false(),
+        ),
+        sa.ForeignKeyConstraint(
+            ["label_id"],
+            ["label.id"],
+            name=op.f("fk_tagmanifestlabelmap_label_id_label"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["manifest_id"],
+            ["manifest.id"],
+            name=op.f("fk_tagmanifestlabelmap_manifest_id_manifest"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["manifest_label_id"],
+            ["manifestlabel.id"],
+            name=op.f("fk_tagmanifestlabelmap_manifest_label_id_manifestlabel"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["tag_manifest_id"],
+            ["tagmanifest.id"],
+            name=op.f("fk_tagmanifestlabelmap_tag_manifest_id_tagmanifest"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["tag_manifest_label_id"],
+            ["tagmanifestlabel.id"],
+            name=op.f("fk_tagmanifestlabelmap_tag_manifest_label_id_tagmanifestlabel"),
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_tagmanifestlabelmap")),
+    )
+    op.create_index(
+        "tagmanifestlabelmap_broken_manifest",
+        "tagmanifestlabelmap",
+        ["broken_manifest"],
+        unique=False,
+    )
+    op.create_index(
+        "tagmanifestlabelmap_label_id",
+        "tagmanifestlabelmap",
+        ["label_id"],
+        unique=False,
+    )
+    op.create_index(
+        "tagmanifestlabelmap_manifest_id",
+        "tagmanifestlabelmap",
+        ["manifest_id"],
+        unique=False,
+    )
+    op.create_index(
+        "tagmanifestlabelmap_manifest_label_id",
+        "tagmanifestlabelmap",
+        ["manifest_label_id"],
+        unique=False,
+    )
+    op.create_index(
+        "tagmanifestlabelmap_tag_manifest_id",
+        "tagmanifestlabelmap",
+        ["tag_manifest_id"],
+        unique=False,
+    )
+    op.create_index(
+        "tagmanifestlabelmap_tag_manifest_label_id",
+        "tagmanifestlabelmap",
+        ["tag_manifest_label_id"],
+        unique=False,
     )
-    op.create_index('tagmanifestlabelmap_broken_manifest', 'tagmanifestlabelmap', ['broken_manifest'], unique=False)
-    op.create_index('tagmanifestlabelmap_label_id', 'tagmanifestlabelmap', ['label_id'], unique=False)
-    op.create_index('tagmanifestlabelmap_manifest_id', 'tagmanifestlabelmap', ['manifest_id'], unique=False)
-    op.create_index('tagmanifestlabelmap_manifest_label_id', 'tagmanifestlabelmap', ['manifest_label_id'], unique=False)
-    op.create_index('tagmanifestlabelmap_tag_manifest_id', 'tagmanifestlabelmap', ['tag_manifest_id'], unique=False)
-    op.create_index('tagmanifestlabelmap_tag_manifest_label_id', 'tagmanifestlabelmap', ['tag_manifest_label_id'], unique=False)
     # ### end Alembic commands ###
 
     for media_type in DOCKER_SCHEMA1_CONTENT_TYPES:
-        op.bulk_insert(tables.mediatype,
-                       [
-                         {'name': media_type},
-                       ])
+        op.bulk_insert(tables.mediatype, [{"name": media_type}])
 
     # ### population of test data ### #
-    tester.populate_table('manifest', [
-        ('digest', tester.TestDataType.String),
-        ('manifest_bytes', tester.TestDataType.JSON),
-        ('media_type_id', tester.TestDataType.Foreign('mediatype')),
-        ('repository_id', tester.TestDataType.Foreign('repository')),
-    ])
+    tester.populate_table(
+        "manifest",
+        [
+            ("digest", tester.TestDataType.String),
+            ("manifest_bytes", tester.TestDataType.JSON),
+            ("media_type_id", tester.TestDataType.Foreign("mediatype")),
+            ("repository_id", tester.TestDataType.Foreign("repository")),
+        ],
+    )
 
-    tester.populate_table('manifestblob', [
-        ('manifest_id', tester.TestDataType.Foreign('manifest')),
-        ('repository_id', tester.TestDataType.Foreign('repository')),
-        ('blob_id', tester.TestDataType.Foreign('imagestorage')),
-        ('blob_index', tester.TestDataType.Integer),
-    ])
+    tester.populate_table(
+        "manifestblob",
+        [
+            ("manifest_id", tester.TestDataType.Foreign("manifest")),
+            ("repository_id", tester.TestDataType.Foreign("repository")),
+            ("blob_id", tester.TestDataType.Foreign("imagestorage")),
+            ("blob_index", tester.TestDataType.Integer),
+        ],
+    )
 
-    tester.populate_table('manifestlabel', [
-        ('manifest_id', tester.TestDataType.Foreign('manifest')),
-        ('label_id', tester.TestDataType.Foreign('label')),
-        ('repository_id', tester.TestDataType.Foreign('repository')),
-    ])
+    tester.populate_table(
+        "manifestlabel",
+        [
+            ("manifest_id", tester.TestDataType.Foreign("manifest")),
+            ("label_id", tester.TestDataType.Foreign("label")),
+            ("repository_id", tester.TestDataType.Foreign("repository")),
+        ],
+    )
 
-    tester.populate_table('manifestlegacyimage', [
-        ('manifest_id', tester.TestDataType.Foreign('manifest')),
-        ('image_id', tester.TestDataType.Foreign('image')),
-        ('repository_id', tester.TestDataType.Foreign('repository')),
-    ])
+    tester.populate_table(
+        "manifestlegacyimage",
+        [
+            ("manifest_id", tester.TestDataType.Foreign("manifest")),
+            ("image_id", tester.TestDataType.Foreign("image")),
+            ("repository_id", tester.TestDataType.Foreign("repository")),
+        ],
+    )
 
-    tester.populate_table('tagmanifesttomanifest', [
-        ('manifest_id', tester.TestDataType.Foreign('manifest')),
-        ('tag_manifest_id', tester.TestDataType.Foreign('tagmanifest')),
-    ])
+    tester.populate_table(
+        "tagmanifesttomanifest",
+        [
+            ("manifest_id", tester.TestDataType.Foreign("manifest")),
+            ("tag_manifest_id", tester.TestDataType.Foreign("tagmanifest")),
+        ],
+    )
 
-    tester.populate_table('tagmanifestlabelmap', [
-        ('manifest_id', tester.TestDataType.Foreign('manifest')),
-        ('tag_manifest_id', tester.TestDataType.Foreign('tagmanifest')),
-        ('tag_manifest_label_id', tester.TestDataType.Foreign('tagmanifestlabel')),
-        ('manifest_label_id', tester.TestDataType.Foreign('manifestlabel')),
-        ('label_id', tester.TestDataType.Foreign('label')),
-    ])
+    tester.populate_table(
+        "tagmanifestlabelmap",
+        [
+            ("manifest_id", tester.TestDataType.Foreign("manifest")),
+            ("tag_manifest_id", tester.TestDataType.Foreign("tagmanifest")),
+            ("tag_manifest_label_id", tester.TestDataType.Foreign("tagmanifestlabel")),
+            ("manifest_label_id", tester.TestDataType.Foreign("manifestlabel")),
+            ("label_id", tester.TestDataType.Foreign("label")),
+        ],
+    )
 
     # ### end population of test data ### #
 
@@ -164,17 +364,17 @@ def upgrade(tables, tester, progress_reporter):
 def downgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     for media_type in DOCKER_SCHEMA1_CONTENT_TYPES:
-        op.execute(tables
-                    .mediatype
-                    .delete()
-                    .where(tables.
-                            mediatype.c.name == op.inline_literal(media_type)))
+        op.execute(
+            tables.mediatype.delete().where(
+                tables.mediatype.c.name == op.inline_literal(media_type)
+            )
+        )
 
     # ### commands auto generated by Alembic - please adjust! ###
-    op.drop_table('tagmanifestlabelmap')
-    op.drop_table('tagmanifesttomanifest')
-    op.drop_table('manifestlegacyimage')
-    op.drop_table('manifestlabel')
-    op.drop_table('manifestblob')
-    op.drop_table('manifest')
+    op.drop_table("tagmanifestlabelmap")
+    op.drop_table("tagmanifesttomanifest")
+    op.drop_table("manifestlegacyimage")
+    op.drop_table("manifestlabel")
+    op.drop_table("manifestblob")
+    op.drop_table("manifest")
     # ### end Alembic commands ###
diff --git a/data/migrations/versions/94836b099894_create_new_notification_type.py b/data/migrations/versions/94836b099894_create_new_notification_type.py
index 6bc780d01..f46cf08ae 100644
--- a/data/migrations/versions/94836b099894_create_new_notification_type.py
+++ b/data/migrations/versions/94836b099894_create_new_notification_type.py
@@ -7,8 +7,8 @@ Create Date: 2016-11-30 10:29:51.519278
 """
 
 # revision identifiers, used by Alembic.
-revision = '94836b099894'
-down_revision = 'faf752bd2e0a'
+revision = "94836b099894"
+down_revision = "faf752bd2e0a"
 
 from alembic import op as original_op
 from data.migrations.progress import ProgressWrapper
@@ -16,16 +16,14 @@ from data.migrations.progress import ProgressWrapper
 
 def upgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
-    op.bulk_insert(tables.externalnotificationevent,
-                   [
-                       {'name': 'build_cancelled'},
-                   ])
+    op.bulk_insert(tables.externalnotificationevent, [{"name": "build_cancelled"}])
 
 
 def downgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
-    op.execute(tables
-               .externalnotificationevent
-               .delete()
-               .where(tables.
-                      externalnotificationevent.c.name == op.inline_literal('build_cancelled')))
+    op.execute(
+        tables.externalnotificationevent.delete().where(
+            tables.externalnotificationevent.c.name
+            == op.inline_literal("build_cancelled")
+        )
+    )
diff --git a/data/migrations/versions/a6c463dfb9fe_back_fill_build_expand_config.py b/data/migrations/versions/a6c463dfb9fe_back_fill_build_expand_config.py
index c4c6b3f33..927f6952b 100644
--- a/data/migrations/versions/a6c463dfb9fe_back_fill_build_expand_config.py
+++ b/data/migrations/versions/a6c463dfb9fe_back_fill_build_expand_config.py
@@ -14,88 +14,89 @@ from app import app
 from peewee import *
 from data.database import BaseModel
 
-revision = 'a6c463dfb9fe'
-down_revision = 'b4df55dea4b3'
+revision = "a6c463dfb9fe"
+down_revision = "b4df55dea4b3"
 
 from alembic import op as original_op
 from data.migrations.progress import ProgressWrapper
 
 
 class RepositoryBuildTrigger(BaseModel):
-  config = TextField(default='{}')
+    config = TextField(default="{}")
+
 
 def upgrade(tables, tester, progress_reporter):
-  op = ProgressWrapper(original_op, progress_reporter)
-  if not app.config.get('SETUP_COMPLETE', False):
-    return
+    op = ProgressWrapper(original_op, progress_reporter)
+    if not app.config.get("SETUP_COMPLETE", False):
+        return
 
-  repostioryBuildTriggers = RepositoryBuildTrigger.select()
-  for repositoryBuildTrigger in repostioryBuildTriggers:
-    config = json.loads(repositoryBuildTrigger.config)
-    repositoryBuildTrigger.config = json.dumps(get_config_expand(config))
-    repositoryBuildTrigger.save()
+    repostioryBuildTriggers = RepositoryBuildTrigger.select()
+    for repositoryBuildTrigger in repostioryBuildTriggers:
+        config = json.loads(repositoryBuildTrigger.config)
+        repositoryBuildTrigger.config = json.dumps(get_config_expand(config))
+        repositoryBuildTrigger.save()
 
 
 def downgrade(tables, tester, progress_reporter):
-  op = ProgressWrapper(original_op, progress_reporter)
-  if not app.config.get('SETUP_COMPLETE', False):
-    return
+    op = ProgressWrapper(original_op, progress_reporter)
+    if not app.config.get("SETUP_COMPLETE", False):
+        return
 
-  repostioryBuildTriggers = RepositoryBuildTrigger.select()
-  for repositoryBuildTrigger in repostioryBuildTriggers:
-    config = json.loads(repositoryBuildTrigger.config)
-    repositoryBuildTrigger.config = json.dumps(get_config_expand(config))
-    repositoryBuildTrigger.save()
+    repostioryBuildTriggers = RepositoryBuildTrigger.select()
+    for repositoryBuildTrigger in repostioryBuildTriggers:
+        config = json.loads(repositoryBuildTrigger.config)
+        repositoryBuildTrigger.config = json.dumps(get_config_expand(config))
+        repositoryBuildTrigger.save()
 
 
 def create_context(current_subdir):
-  if current_subdir == "":
-    current_subdir = os.path.sep + current_subdir
+    if current_subdir == "":
+        current_subdir = os.path.sep + current_subdir
 
-  if current_subdir[len(current_subdir) - 1] != os.path.sep:
-    current_subdir += os.path.sep
+    if current_subdir[len(current_subdir) - 1] != os.path.sep:
+        current_subdir += os.path.sep
 
-  context, _ = os.path.split(current_subdir)
-  return context
+    context, _ = os.path.split(current_subdir)
+    return context
 
 
 def create_dockerfile_path(current_subdir):
-  if current_subdir == "":
-    current_subdir = os.path.sep + current_subdir
+    if current_subdir == "":
+        current_subdir = os.path.sep + current_subdir
 
-  if current_subdir[len(current_subdir) - 1] != os.path.sep:
-    current_subdir += os.path.sep
+    if current_subdir[len(current_subdir) - 1] != os.path.sep:
+        current_subdir += os.path.sep
 
-  return current_subdir + "Dockerfile"
+    return current_subdir + "Dockerfile"
 
 
 def get_config_expand(config):
-  """ A function to transform old records into new records """
-  if not config:
-    return config
+    """ A function to transform old records into new records """
+    if not config:
+        return config
 
-  # skip records that have been updated
-  if "context" in config or "dockerfile_path" in config:
-    return config
+    # skip records that have been updated
+    if "context" in config or "dockerfile_path" in config:
+        return config
 
-  config_expand = {}
-  if "subdir" in config:
-    config_expand = dict(config)
-    config_expand["context"] = create_context(config["subdir"])
-    config_expand["dockerfile_path"] = create_dockerfile_path(config["subdir"])
+    config_expand = {}
+    if "subdir" in config:
+        config_expand = dict(config)
+        config_expand["context"] = create_context(config["subdir"])
+        config_expand["dockerfile_path"] = create_dockerfile_path(config["subdir"])
 
-  return config_expand
+    return config_expand
 
 
 def get_config_contract(config):
-  """ A function to delete context and dockerfile_path from config """
-  if not config:
+    """ A function to delete context and dockerfile_path from config """
+    if not config:
+        return config
+
+    if "context" in config:
+        del config["context"]
+
+    if "dockerfile_path" in config:
+        del config["dockerfile_path"]
+
     return config
-
-  if "context" in config:
-    del config["context"]
-
-  if "dockerfile_path" in config:
-    del config["dockerfile_path"]
-
-  return config
diff --git a/data/migrations/versions/b4c2d45bc132_add_deleted_namespace_table.py b/data/migrations/versions/b4c2d45bc132_add_deleted_namespace_table.py
index d9c53f10c..a24c7d6bc 100644
--- a/data/migrations/versions/b4c2d45bc132_add_deleted_namespace_table.py
+++ b/data/migrations/versions/b4c2d45bc132_add_deleted_namespace_table.py
@@ -7,8 +7,8 @@ Create Date: 2018-02-27 11:43:02.329941
 """
 
 # revision identifiers, used by Alembic.
-revision = 'b4c2d45bc132'
-down_revision = '152edccba18c'
+revision = "b4c2d45bc132"
+down_revision = "152edccba18c"
 
 from alembic import op as original_op
 from data.migrations.progress import ProgressWrapper
@@ -18,36 +18,60 @@ import sqlalchemy as sa
 def upgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     # ### commands auto generated by Alembic - please adjust! ###
-    op.create_table('deletednamespace',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('namespace_id', sa.Integer(), nullable=False),
-    sa.Column('marked', sa.DateTime(), nullable=False),
-    sa.Column('original_username', sa.String(length=255), nullable=False),
-    sa.Column('original_email', sa.String(length=255), nullable=False),
-    sa.Column('queue_id', sa.String(length=255), nullable=True),
-    sa.ForeignKeyConstraint(['namespace_id'], ['user.id'], name=op.f('fk_deletednamespace_namespace_id_user')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_deletednamespace'))
+    op.create_table(
+        "deletednamespace",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("namespace_id", sa.Integer(), nullable=False),
+        sa.Column("marked", sa.DateTime(), nullable=False),
+        sa.Column("original_username", sa.String(length=255), nullable=False),
+        sa.Column("original_email", sa.String(length=255), nullable=False),
+        sa.Column("queue_id", sa.String(length=255), nullable=True),
+        sa.ForeignKeyConstraint(
+            ["namespace_id"],
+            ["user.id"],
+            name=op.f("fk_deletednamespace_namespace_id_user"),
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_deletednamespace")),
+    )
+    op.create_index(
+        "deletednamespace_namespace_id",
+        "deletednamespace",
+        ["namespace_id"],
+        unique=True,
+    )
+    op.create_index(
+        "deletednamespace_original_email",
+        "deletednamespace",
+        ["original_email"],
+        unique=False,
+    )
+    op.create_index(
+        "deletednamespace_original_username",
+        "deletednamespace",
+        ["original_username"],
+        unique=False,
+    )
+    op.create_index(
+        "deletednamespace_queue_id", "deletednamespace", ["queue_id"], unique=False
     )
-    op.create_index('deletednamespace_namespace_id', 'deletednamespace', ['namespace_id'], unique=True)
-    op.create_index('deletednamespace_original_email', 'deletednamespace', ['original_email'], unique=False)
-    op.create_index('deletednamespace_original_username', 'deletednamespace', ['original_username'], unique=False)
-    op.create_index('deletednamespace_queue_id', 'deletednamespace', ['queue_id'], unique=False)
     # ### end Alembic commands ###
 
     # ### population of test data ### #
-    tester.populate_table('deletednamespace', [
-        ('namespace_id', tester.TestDataType.Foreign('user')),
-        ('marked', tester.TestDataType.DateTime),
-        ('original_username', tester.TestDataType.UTF8Char),
-        ('original_email', tester.TestDataType.String),
-        ('queue_id', tester.TestDataType.Foreign('queueitem')),
-    ])
+    tester.populate_table(
+        "deletednamespace",
+        [
+            ("namespace_id", tester.TestDataType.Foreign("user")),
+            ("marked", tester.TestDataType.DateTime),
+            ("original_username", tester.TestDataType.UTF8Char),
+            ("original_email", tester.TestDataType.String),
+            ("queue_id", tester.TestDataType.Foreign("queueitem")),
+        ],
+    )
     # ### end population of test data ### #
 
 
-
 def downgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     # ### commands auto generated by Alembic - please adjust! ###
-    op.drop_table('deletednamespace')
+    op.drop_table("deletednamespace")
     # ### end Alembic commands ###
diff --git a/data/migrations/versions/b4df55dea4b3_add_repository_kind.py b/data/migrations/versions/b4df55dea4b3_add_repository_kind.py
index d96dd8c43..47836bc50 100644
--- a/data/migrations/versions/b4df55dea4b3_add_repository_kind.py
+++ b/data/migrations/versions/b4df55dea4b3_add_repository_kind.py
@@ -7,8 +7,8 @@ Create Date: 2017-03-19 12:59:41.484430
 """
 
 # revision identifiers, used by Alembic.
-revision = 'b4df55dea4b3'
-down_revision = 'b8ae68ad3e52'
+revision = "b4df55dea4b3"
+down_revision = "b8ae68ad3e52"
 
 from alembic import op as original_op
 from data.migrations.progress import ProgressWrapper
@@ -17,35 +17,45 @@ from sqlalchemy.dialects import mysql
 
 
 def upgrade(tables, tester, progress_reporter):
-  op = ProgressWrapper(original_op, progress_reporter)
-  op.create_table(
-    'repositorykind',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('name', sa.String(length=255), nullable=False),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_repositorykind'))
-  )
-  op.create_index('repositorykind_name', 'repositorykind', ['name'], unique=True)
+    op = ProgressWrapper(original_op, progress_reporter)
+    op.create_table(
+        "repositorykind",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("name", sa.String(length=255), nullable=False),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_repositorykind")),
+    )
+    op.create_index("repositorykind_name", "repositorykind", ["name"], unique=True)
 
-  op.bulk_insert(
-    tables.repositorykind,
-    [
-      {'id': 1, 'name': 'image'},
-      {'id': 2, 'name': 'application'},
-    ],
-  )
+    op.bulk_insert(
+        tables.repositorykind,
+        [{"id": 1, "name": "image"}, {"id": 2, "name": "application"}],
+    )
 
-  op.add_column(u'repository', sa.Column('kind_id', sa.Integer(), nullable=False, server_default='1'))
-  op.create_index('repository_kind_id', 'repository', ['kind_id'], unique=False)
-  op.create_foreign_key(op.f('fk_repository_kind_id_repositorykind'), 'repository', 'repositorykind', ['kind_id'], ['id'])
+    op.add_column(
+        u"repository",
+        sa.Column("kind_id", sa.Integer(), nullable=False, server_default="1"),
+    )
+    op.create_index("repository_kind_id", "repository", ["kind_id"], unique=False)
+    op.create_foreign_key(
+        op.f("fk_repository_kind_id_repositorykind"),
+        "repository",
+        "repositorykind",
+        ["kind_id"],
+        ["id"],
+    )
 
-  # ### population of test data ### #
-  tester.populate_column('repository', 'kind_id', tester.TestDataType.Foreign('repositorykind'))
-  # ### end population of test data ### #
+    # ### population of test data ### #
+    tester.populate_column(
+        "repository", "kind_id", tester.TestDataType.Foreign("repositorykind")
+    )
+    # ### end population of test data ### #
 
 
 def downgrade(tables, tester, progress_reporter):
-  op = ProgressWrapper(original_op, progress_reporter)
-  op.drop_constraint(op.f('fk_repository_kind_id_repositorykind'), 'repository', type_='foreignkey')
-  op.drop_index('repository_kind_id', table_name='repository')
-  op.drop_column(u'repository', 'kind_id')
-  op.drop_table('repositorykind')
+    op = ProgressWrapper(original_op, progress_reporter)
+    op.drop_constraint(
+        op.f("fk_repository_kind_id_repositorykind"), "repository", type_="foreignkey"
+    )
+    op.drop_index("repository_kind_id", table_name="repository")
+    op.drop_column(u"repository", "kind_id")
+    op.drop_table("repositorykind")
diff --git a/data/migrations/versions/b547bc139ad8_add_robotaccountmetadata_table.py b/data/migrations/versions/b547bc139ad8_add_robotaccountmetadata_table.py
index 1d26fa2d9..529a95cb3 100644
--- a/data/migrations/versions/b547bc139ad8_add_robotaccountmetadata_table.py
+++ b/data/migrations/versions/b547bc139ad8_add_robotaccountmetadata_table.py
@@ -7,8 +7,8 @@ Create Date: 2018-03-09 15:50:48.298880
 """
 
 # revision identifiers, used by Alembic.
-revision = 'b547bc139ad8'
-down_revision = '0cf50323c78b'
+revision = "b547bc139ad8"
+down_revision = "0cf50323c78b"
 
 from alembic import op as original_op
 from data.migrations.progress import ProgressWrapper
@@ -19,28 +19,41 @@ from util.migrate import UTF8CharField
 def upgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     # ### commands auto generated by Alembic - please adjust! ###
-    op.create_table('robotaccountmetadata',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('robot_account_id', sa.Integer(), nullable=False),
-    sa.Column('description', UTF8CharField(length=255), nullable=False),
-    sa.Column('unstructured_json', sa.Text(), nullable=False),
-    sa.ForeignKeyConstraint(['robot_account_id'], ['user.id'], name=op.f('fk_robotaccountmetadata_robot_account_id_user')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_robotaccountmetadata'))
+    op.create_table(
+        "robotaccountmetadata",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("robot_account_id", sa.Integer(), nullable=False),
+        sa.Column("description", UTF8CharField(length=255), nullable=False),
+        sa.Column("unstructured_json", sa.Text(), nullable=False),
+        sa.ForeignKeyConstraint(
+            ["robot_account_id"],
+            ["user.id"],
+            name=op.f("fk_robotaccountmetadata_robot_account_id_user"),
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_robotaccountmetadata")),
+    )
+    op.create_index(
+        "robotaccountmetadata_robot_account_id",
+        "robotaccountmetadata",
+        ["robot_account_id"],
+        unique=True,
     )
-    op.create_index('robotaccountmetadata_robot_account_id', 'robotaccountmetadata', ['robot_account_id'], unique=True)
     # ### end Alembic commands ###
 
     # ### population of test data ### #
-    tester.populate_table('robotaccountmetadata', [
-        ('robot_account_id', tester.TestDataType.Foreign('user')),        
-        ('description', tester.TestDataType.UTF8Char),        
-        ('unstructured_json', tester.TestDataType.JSON),        
-    ])
+    tester.populate_table(
+        "robotaccountmetadata",
+        [
+            ("robot_account_id", tester.TestDataType.Foreign("user")),
+            ("description", tester.TestDataType.UTF8Char),
+            ("unstructured_json", tester.TestDataType.JSON),
+        ],
+    )
     # ### end population of test data ### #
 
 
 def downgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     # ### commands auto generated by Alembic - please adjust! ###
-    op.drop_table('robotaccountmetadata')
+    op.drop_table("robotaccountmetadata")
     # ### end Alembic commands ###
diff --git a/data/migrations/versions/b8ae68ad3e52_change_blobupload_fields_to_bigintegers_.py b/data/migrations/versions/b8ae68ad3e52_change_blobupload_fields_to_bigintegers_.py
index d76c8e018..64278a27d 100644
--- a/data/migrations/versions/b8ae68ad3e52_change_blobupload_fields_to_bigintegers_.py
+++ b/data/migrations/versions/b8ae68ad3e52_change_blobupload_fields_to_bigintegers_.py
@@ -7,31 +7,50 @@ Create Date: 2017-02-27 11:26:49.182349
 """
 
 # revision identifiers, used by Alembic.
-revision = 'b8ae68ad3e52'
-down_revision = '7a525c68eb13'
+revision = "b8ae68ad3e52"
+down_revision = "7a525c68eb13"
 
 from alembic import op as original_op
 from data.migrations.progress import ProgressWrapper
 import sqlalchemy as sa
 from sqlalchemy.dialects import mysql
 
+
 def upgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
-    op.alter_column('blobupload', 'byte_count', existing_type=sa.Integer(), type_=sa.BigInteger())
-    op.alter_column('blobupload', 'uncompressed_byte_count', existing_type=sa.Integer(), type_=sa.BigInteger())
+    op.alter_column(
+        "blobupload", "byte_count", existing_type=sa.Integer(), type_=sa.BigInteger()
+    )
+    op.alter_column(
+        "blobupload",
+        "uncompressed_byte_count",
+        existing_type=sa.Integer(),
+        type_=sa.BigInteger(),
+    )
 
     # ### population of test data ### #
-    tester.populate_column('blobupload', 'byte_count', tester.TestDataType.BigInteger)
-    tester.populate_column('blobupload', 'uncompressed_byte_count', tester.TestDataType.BigInteger)
+    tester.populate_column("blobupload", "byte_count", tester.TestDataType.BigInteger)
+    tester.populate_column(
+        "blobupload", "uncompressed_byte_count", tester.TestDataType.BigInteger
+    )
     # ### end population of test data ### #
 
 
 def downgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     # ### population of test data ### #
-    tester.populate_column('blobupload', 'byte_count', tester.TestDataType.Integer)
-    tester.populate_column('blobupload', 'uncompressed_byte_count', tester.TestDataType.Integer)
+    tester.populate_column("blobupload", "byte_count", tester.TestDataType.Integer)
+    tester.populate_column(
+        "blobupload", "uncompressed_byte_count", tester.TestDataType.Integer
+    )
     # ### end population of test data ### #
 
-    op.alter_column('blobupload', 'byte_count', existing_type=sa.BigInteger(), type_=sa.Integer())
-    op.alter_column('blobupload', 'uncompressed_byte_count', existing_type=sa.BigInteger(), type_=sa.Integer())
+    op.alter_column(
+        "blobupload", "byte_count", existing_type=sa.BigInteger(), type_=sa.Integer()
+    )
+    op.alter_column(
+        "blobupload",
+        "uncompressed_byte_count",
+        existing_type=sa.BigInteger(),
+        type_=sa.Integer(),
+    )
diff --git a/data/migrations/versions/b9045731c4de_add_lifetime_indexes_to_tag_tables.py b/data/migrations/versions/b9045731c4de_add_lifetime_indexes_to_tag_tables.py
index b85ae3514..59448f2e8 100644
--- a/data/migrations/versions/b9045731c4de_add_lifetime_indexes_to_tag_tables.py
+++ b/data/migrations/versions/b9045731c4de_add_lifetime_indexes_to_tag_tables.py
@@ -7,29 +7,54 @@ Create Date: 2019-02-14 17:18:40.474310
 """
 
 # revision identifiers, used by Alembic.
-revision = 'b9045731c4de'
-down_revision = 'e184af42242d'
+revision = "b9045731c4de"
+down_revision = "e184af42242d"
 
 from alembic import op as original_op
 from data.migrations.progress import ProgressWrapper
 
+
 def upgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     # ### commands auto generated by Alembic - please adjust! ###
-    op.create_index('repositorytag_repository_id_lifetime_end_ts', 'repositorytag', ['repository_id', 'lifetime_end_ts'], unique=False)
-    op.create_index('tag_repository_id_lifetime_end_ms', 'tag', ['repository_id', 'lifetime_end_ms'], unique=False)
+    op.create_index(
+        "repositorytag_repository_id_lifetime_end_ts",
+        "repositorytag",
+        ["repository_id", "lifetime_end_ts"],
+        unique=False,
+    )
+    op.create_index(
+        "tag_repository_id_lifetime_end_ms",
+        "tag",
+        ["repository_id", "lifetime_end_ms"],
+        unique=False,
+    )
 
-    op.create_index('repositorytag_repository_id_lifetime_start_ts', 'repositorytag', ['repository_id', 'lifetime_start_ts'], unique=False)
-    op.create_index('tag_repository_id_lifetime_start_ms', 'tag', ['repository_id', 'lifetime_start_ms'], unique=False)
+    op.create_index(
+        "repositorytag_repository_id_lifetime_start_ts",
+        "repositorytag",
+        ["repository_id", "lifetime_start_ts"],
+        unique=False,
+    )
+    op.create_index(
+        "tag_repository_id_lifetime_start_ms",
+        "tag",
+        ["repository_id", "lifetime_start_ms"],
+        unique=False,
+    )
     # ### end Alembic commands ###
 
 
 def downgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     # ### commands auto generated by Alembic - please adjust! ###
-    op.drop_index('tag_repository_id_lifetime_end_ms', table_name='tag')
-    op.drop_index('repositorytag_repository_id_lifetime_end_ts', table_name='repositorytag')
+    op.drop_index("tag_repository_id_lifetime_end_ms", table_name="tag")
+    op.drop_index(
+        "repositorytag_repository_id_lifetime_end_ts", table_name="repositorytag"
+    )
 
-    op.drop_index('tag_repository_id_lifetime_start_ms', table_name='tag')
-    op.drop_index('repositorytag_repository_id_lifetime_start_ts', table_name='repositorytag')
+    op.drop_index("tag_repository_id_lifetime_start_ms", table_name="tag")
+    op.drop_index(
+        "repositorytag_repository_id_lifetime_start_ts", table_name="repositorytag"
+    )
     # ### end Alembic commands ###
diff --git a/data/migrations/versions/b918abdbee43_run_full_tag_backfill.py b/data/migrations/versions/b918abdbee43_run_full_tag_backfill.py
index 3968abd32..267301ff3 100644
--- a/data/migrations/versions/b918abdbee43_run_full_tag_backfill.py
+++ b/data/migrations/versions/b918abdbee43_run_full_tag_backfill.py
@@ -7,8 +7,8 @@ Create Date: 2019-03-14 13:38:03.411609
 """
 
 # revision identifiers, used by Alembic.
-revision = 'b918abdbee43'
-down_revision = '481623ba00ba'
+revision = "b918abdbee43"
+down_revision = "481623ba00ba"
 
 import logging.config
 
@@ -23,7 +23,7 @@ logger = logging.getLogger(__name__)
 
 
 def upgrade(tables, tester, progress_reporter):
-    if not app.config.get('SETUP_COMPLETE', False):
+    if not app.config.get("SETUP_COMPLETE", False):
         return
 
     start_id = 0
@@ -40,16 +40,19 @@ def upgrade(tables, tester, progress_reporter):
         if start_id > max_id:
             break
 
-        logger.info('Checking tag range %s - %s', start_id, end_id)
-        r = list(RepositoryTag
-                .select()
-                .join(Repository)
-                .switch(RepositoryTag)
-                .join(TagToRepositoryTag, JOIN.LEFT_OUTER)
-                .where(TagToRepositoryTag.id >> None)
-                .where(RepositoryTag.hidden == False,
-                        RepositoryTag.id >= start_id,
-                        RepositoryTag.id < end_id))
+        logger.info("Checking tag range %s - %s", start_id, end_id)
+        r = list(
+            RepositoryTag.select()
+            .join(Repository)
+            .switch(RepositoryTag)
+            .join(TagToRepositoryTag, JOIN.LEFT_OUTER)
+            .where(TagToRepositoryTag.id >> None)
+            .where(
+                RepositoryTag.hidden == False,
+                RepositoryTag.id >= start_id,
+                RepositoryTag.id < end_id,
+            )
+        )
 
         if len(r) < 1000 and size < 100000:
             size *= 2
@@ -60,7 +63,7 @@ def upgrade(tables, tester, progress_reporter):
         if not len(r):
             continue
 
-        logger.info('Found %s tags to backfill', len(r))
+        logger.info("Found %s tags to backfill", len(r))
         for index, t in enumerate(r):
             logger.info("Backfilling tag %s of %s", index, len(r))
             backfill_tag(t)
diff --git a/data/migrations/versions/be8d1c402ce0_add_teamsync_table.py b/data/migrations/versions/be8d1c402ce0_add_teamsync_table.py
index 62c0aba44..52c829d89 100644
--- a/data/migrations/versions/be8d1c402ce0_add_teamsync_table.py
+++ b/data/migrations/versions/be8d1c402ce0_add_teamsync_table.py
@@ -7,46 +7,57 @@ Create Date: 2017-02-23 13:34:52.356812
 """
 
 # revision identifiers, used by Alembic.
-revision = 'be8d1c402ce0'
-down_revision = 'a6c463dfb9fe'
+revision = "be8d1c402ce0"
+down_revision = "a6c463dfb9fe"
 
 from alembic import op as original_op
 from data.migrations.progress import ProgressWrapper
 import sqlalchemy as sa
 from util.migrate import UTF8LongText
 
+
 def upgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     ### commands auto generated by Alembic - please adjust! ###
-    op.create_table('teamsync',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('team_id', sa.Integer(), nullable=False),
-    sa.Column('transaction_id', sa.String(length=255), nullable=False),
-    sa.Column('last_updated', sa.DateTime(), nullable=True),
-    sa.Column('service_id', sa.Integer(), nullable=False),
-    sa.Column('config', UTF8LongText(), nullable=False),
-    sa.ForeignKeyConstraint(['service_id'], ['loginservice.id'], name=op.f('fk_teamsync_service_id_loginservice')),
-    sa.ForeignKeyConstraint(['team_id'], ['team.id'], name=op.f('fk_teamsync_team_id_team')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_teamsync'))
+    op.create_table(
+        "teamsync",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("team_id", sa.Integer(), nullable=False),
+        sa.Column("transaction_id", sa.String(length=255), nullable=False),
+        sa.Column("last_updated", sa.DateTime(), nullable=True),
+        sa.Column("service_id", sa.Integer(), nullable=False),
+        sa.Column("config", UTF8LongText(), nullable=False),
+        sa.ForeignKeyConstraint(
+            ["service_id"],
+            ["loginservice.id"],
+            name=op.f("fk_teamsync_service_id_loginservice"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["team_id"], ["team.id"], name=op.f("fk_teamsync_team_id_team")
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_teamsync")),
     )
-    op.create_index('teamsync_last_updated', 'teamsync', ['last_updated'], unique=False)
-    op.create_index('teamsync_service_id', 'teamsync', ['service_id'], unique=False)
-    op.create_index('teamsync_team_id', 'teamsync', ['team_id'], unique=True)
+    op.create_index("teamsync_last_updated", "teamsync", ["last_updated"], unique=False)
+    op.create_index("teamsync_service_id", "teamsync", ["service_id"], unique=False)
+    op.create_index("teamsync_team_id", "teamsync", ["team_id"], unique=True)
     ### end Alembic commands ###
 
     # ### population of test data ### #
-    tester.populate_table('teamsync', [
-        ('team_id', tester.TestDataType.Foreign('team')),
-        ('transaction_id', tester.TestDataType.String),
-        ('last_updated', tester.TestDataType.DateTime),
-        ('service_id', tester.TestDataType.Foreign('loginservice')),
-        ('config', tester.TestDataType.JSON),
-    ])
+    tester.populate_table(
+        "teamsync",
+        [
+            ("team_id", tester.TestDataType.Foreign("team")),
+            ("transaction_id", tester.TestDataType.String),
+            ("last_updated", tester.TestDataType.DateTime),
+            ("service_id", tester.TestDataType.Foreign("loginservice")),
+            ("config", tester.TestDataType.JSON),
+        ],
+    )
     # ### end population of test data ### #
 
 
 def downgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     ### commands auto generated by Alembic - please adjust! ###
-    op.drop_table('teamsync')
+    op.drop_table("teamsync")
     ### end Alembic commands ###
diff --git a/data/migrations/versions/c00a1f15968b_add_schema2_media_types.py b/data/migrations/versions/c00a1f15968b_add_schema2_media_types.py
index 2d2a050df..71e2b6d3b 100644
--- a/data/migrations/versions/c00a1f15968b_add_schema2_media_types.py
+++ b/data/migrations/versions/c00a1f15968b_add_schema2_media_types.py
@@ -9,26 +9,24 @@ Create Date: 2018-11-13 09:20:21.968503
 """
 
 # revision identifiers, used by Alembic.
-revision = 'c00a1f15968b'
-down_revision = '67f0abd172ae'
+revision = "c00a1f15968b"
+down_revision = "67f0abd172ae"
 
 from alembic import op as original_op
 from data.migrations.progress import ProgressWrapper
 
+
 def upgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     for media_type in DOCKER_SCHEMA2_CONTENT_TYPES:
-        op.bulk_insert(tables.mediatype,
-                       [
-                         {'name': media_type},
-                       ])
+        op.bulk_insert(tables.mediatype, [{"name": media_type}])
 
 
 def downgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     for media_type in DOCKER_SCHEMA2_CONTENT_TYPES:
-        op.execute(tables
-                    .mediatype
-                    .delete()
-                    .where(tables.
-                            mediatype.c.name == op.inline_literal(media_type)))
+        op.execute(
+            tables.mediatype.delete().where(
+                tables.mediatype.c.name == op.inline_literal(media_type)
+            )
+        )
diff --git a/data/migrations/versions/c059b952ed76_remove_unencrypted_fields_and_data.py b/data/migrations/versions/c059b952ed76_remove_unencrypted_fields_and_data.py
index 4854630bf..c348842aa 100644
--- a/data/migrations/versions/c059b952ed76_remove_unencrypted_fields_and_data.py
+++ b/data/migrations/versions/c059b952ed76_remove_unencrypted_fields_and_data.py
@@ -7,8 +7,8 @@ Create Date: 2019-08-19 16:31:00.952773
 """
 
 # revision identifiers, used by Alembic.
-revision = 'c059b952ed76'
-down_revision = '703298a825c2'
+revision = "c059b952ed76"
+down_revision = "703298a825c2"
 
 import uuid
 
@@ -22,25 +22,26 @@ from data.database import FederatedLogin, User, RobotAccountToken
 def upgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     # ### commands auto generated by Alembic - please adjust! ###
-    op.drop_index('oauthaccesstoken_refresh_token', table_name='oauthaccesstoken')
-    op.drop_column(u'oauthaccesstoken', 'refresh_token')
+    op.drop_index("oauthaccesstoken_refresh_token", table_name="oauthaccesstoken")
+    op.drop_column(u"oauthaccesstoken", "refresh_token")
 
-    op.drop_column('accesstoken', 'code')
+    op.drop_column("accesstoken", "code")
 
-    op.drop_column('appspecificauthtoken', 'token_code')
+    op.drop_column("appspecificauthtoken", "token_code")
 
-    op.drop_column('oauthaccesstoken', 'access_token')
-    op.drop_column('oauthapplication', 'client_secret')
+    op.drop_column("oauthaccesstoken", "access_token")
+    op.drop_column("oauthapplication", "client_secret")
 
-    op.drop_column('oauthauthorizationcode', 'code')
+    op.drop_column("oauthauthorizationcode", "code")
 
-    op.drop_column('repositorybuildtrigger', 'private_key')
-    op.drop_column('repositorybuildtrigger', 'auth_token')
+    op.drop_column("repositorybuildtrigger", "private_key")
+    op.drop_column("repositorybuildtrigger", "auth_token")
     # ### end Alembic commands ###
 
     # Overwrite all plaintext robot credentials.
     from app import app
-    if app.config.get('SETUP_COMPLETE', False) or tester.is_testing:
+
+    if app.config.get("SETUP_COMPLETE", False) or tester.is_testing:
         while True:
             try:
                 robot_account_token = RobotAccountToken.get(fully_migrated=False)
@@ -50,7 +51,7 @@ def upgrade(tables, tester, progress_reporter):
                 robot_account.save()
 
                 federated_login = FederatedLogin.get(user=robot_account)
-                federated_login.service_ident = 'robot:%s' % robot_account.id
+                federated_login.service_ident = "robot:%s" % robot_account.id
                 federated_login.save()
 
                 robot_account_token.fully_migrated = True
@@ -62,23 +63,62 @@ def upgrade(tables, tester, progress_reporter):
 def downgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     # ### commands auto generated by Alembic - please adjust! ###
-    op.add_column(u'oauthaccesstoken', sa.Column('refresh_token', sa.String(length=255), nullable=True))
-    op.create_index('oauthaccesstoken_refresh_token', 'oauthaccesstoken', ['refresh_token'], unique=False)
+    op.add_column(
+        u"oauthaccesstoken",
+        sa.Column("refresh_token", sa.String(length=255), nullable=True),
+    )
+    op.create_index(
+        "oauthaccesstoken_refresh_token",
+        "oauthaccesstoken",
+        ["refresh_token"],
+        unique=False,
+    )
 
-    op.add_column('repositorybuildtrigger', sa.Column('auth_token', sa.String(length=255), nullable=True))
-    op.add_column('repositorybuildtrigger', sa.Column('private_key', sa.Text(), nullable=True))
+    op.add_column(
+        "repositorybuildtrigger",
+        sa.Column("auth_token", sa.String(length=255), nullable=True),
+    )
+    op.add_column(
+        "repositorybuildtrigger", sa.Column("private_key", sa.Text(), nullable=True)
+    )
 
-    op.add_column('oauthauthorizationcode', sa.Column('code', sa.String(length=255), nullable=True))
-    op.create_index('oauthauthorizationcode_code', 'oauthauthorizationcode', ['code'], unique=True)
+    op.add_column(
+        "oauthauthorizationcode",
+        sa.Column("code", sa.String(length=255), nullable=True),
+    )
+    op.create_index(
+        "oauthauthorizationcode_code", "oauthauthorizationcode", ["code"], unique=True
+    )
 
-    op.add_column('oauthapplication', sa.Column('client_secret', sa.String(length=255), nullable=True))
-    op.add_column('oauthaccesstoken', sa.Column('access_token', sa.String(length=255), nullable=True))
+    op.add_column(
+        "oauthapplication",
+        sa.Column("client_secret", sa.String(length=255), nullable=True),
+    )
+    op.add_column(
+        "oauthaccesstoken",
+        sa.Column("access_token", sa.String(length=255), nullable=True),
+    )
 
-    op.create_index('oauthaccesstoken_access_token', 'oauthaccesstoken', ['access_token'], unique=False)
+    op.create_index(
+        "oauthaccesstoken_access_token",
+        "oauthaccesstoken",
+        ["access_token"],
+        unique=False,
+    )
 
-    op.add_column('appspecificauthtoken', sa.Column('token_code', sa.String(length=255), nullable=True))
-    op.create_index('appspecificauthtoken_token_code', 'appspecificauthtoken', ['token_code'], unique=True)
+    op.add_column(
+        "appspecificauthtoken",
+        sa.Column("token_code", sa.String(length=255), nullable=True),
+    )
+    op.create_index(
+        "appspecificauthtoken_token_code",
+        "appspecificauthtoken",
+        ["token_code"],
+        unique=True,
+    )
 
-    op.add_column('accesstoken', sa.Column('code', sa.String(length=255), nullable=True))
-    op.create_index('accesstoken_code', 'accesstoken', ['code'], unique=True)
+    op.add_column(
+        "accesstoken", sa.Column("code", sa.String(length=255), nullable=True)
+    )
+    op.create_index("accesstoken_code", "accesstoken", ["code"], unique=True)
     # ### end Alembic commands ###
diff --git a/data/migrations/versions/c13c8052f7a6_add_new_fields_and_tables_for_encrypted_.py b/data/migrations/versions/c13c8052f7a6_add_new_fields_and_tables_for_encrypted_.py
index 15ecabd00..2e7d5c8d3 100644
--- a/data/migrations/versions/c13c8052f7a6_add_new_fields_and_tables_for_encrypted_.py
+++ b/data/migrations/versions/c13c8052f7a6_add_new_fields_and_tables_for_encrypted_.py
@@ -7,98 +7,176 @@ Create Date: 2019-08-19 15:59:36.269155
 """
 
 # revision identifiers, used by Alembic.
-revision = 'c13c8052f7a6'
-down_revision = '5248ddf35167'
+revision = "c13c8052f7a6"
+down_revision = "5248ddf35167"
 
 from alembic import op as original_op
 from data.migrations.progress import ProgressWrapper
 import sqlalchemy as sa
 
+
 def upgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     # ### commands auto generated by Alembic - please adjust! ###
-    op.create_table('robotaccounttoken',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('robot_account_id', sa.Integer(), nullable=False),
-    sa.Column('token', sa.String(length=255), nullable=False),
-    sa.Column('fully_migrated', sa.Boolean(), nullable=False, server_default='0'),
-    sa.ForeignKeyConstraint(['robot_account_id'], ['user.id'], name=op.f('fk_robotaccounttoken_robot_account_id_user')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_robotaccounttoken'))
+    op.create_table(
+        "robotaccounttoken",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("robot_account_id", sa.Integer(), nullable=False),
+        sa.Column("token", sa.String(length=255), nullable=False),
+        sa.Column("fully_migrated", sa.Boolean(), nullable=False, server_default="0"),
+        sa.ForeignKeyConstraint(
+            ["robot_account_id"],
+            ["user.id"],
+            name=op.f("fk_robotaccounttoken_robot_account_id_user"),
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_robotaccounttoken")),
+    )
+    op.create_index(
+        "robotaccounttoken_robot_account_id",
+        "robotaccounttoken",
+        ["robot_account_id"],
+        unique=True,
     )
-    op.create_index('robotaccounttoken_robot_account_id', 'robotaccounttoken', ['robot_account_id'], unique=True)
 
-    op.add_column(u'accesstoken', sa.Column('token_code', sa.String(length=255), nullable=True))
-    op.add_column(u'accesstoken', sa.Column('token_name', sa.String(length=255), nullable=True))
-    op.create_index('accesstoken_token_name', 'accesstoken', ['token_name'], unique=True)
+    op.add_column(
+        u"accesstoken", sa.Column("token_code", sa.String(length=255), nullable=True)
+    )
+    op.add_column(
+        u"accesstoken", sa.Column("token_name", sa.String(length=255), nullable=True)
+    )
+    op.create_index(
+        "accesstoken_token_name", "accesstoken", ["token_name"], unique=True
+    )
 
-    op.add_column(u'appspecificauthtoken', sa.Column('token_name', sa.String(length=255), nullable=True))
-    op.add_column(u'appspecificauthtoken', sa.Column('token_secret', sa.String(length=255), nullable=True))
-    op.create_index('appspecificauthtoken_token_name', 'appspecificauthtoken', ['token_name'], unique=True)
+    op.add_column(
+        u"appspecificauthtoken",
+        sa.Column("token_name", sa.String(length=255), nullable=True),
+    )
+    op.add_column(
+        u"appspecificauthtoken",
+        sa.Column("token_secret", sa.String(length=255), nullable=True),
+    )
+    op.create_index(
+        "appspecificauthtoken_token_name",
+        "appspecificauthtoken",
+        ["token_name"],
+        unique=True,
+    )
 
-    op.add_column(u'emailconfirmation', sa.Column('verification_code', sa.String(length=255), nullable=True))
+    op.add_column(
+        u"emailconfirmation",
+        sa.Column("verification_code", sa.String(length=255), nullable=True),
+    )
 
-    op.add_column(u'oauthaccesstoken', sa.Column('token_code', sa.String(length=255), nullable=True))
-    op.add_column(u'oauthaccesstoken', sa.Column('token_name', sa.String(length=255), nullable=True))
-    op.create_index('oauthaccesstoken_token_name', 'oauthaccesstoken', ['token_name'], unique=True)
+    op.add_column(
+        u"oauthaccesstoken",
+        sa.Column("token_code", sa.String(length=255), nullable=True),
+    )
+    op.add_column(
+        u"oauthaccesstoken",
+        sa.Column("token_name", sa.String(length=255), nullable=True),
+    )
+    op.create_index(
+        "oauthaccesstoken_token_name", "oauthaccesstoken", ["token_name"], unique=True
+    )
 
-    op.add_column(u'oauthapplication', sa.Column('secure_client_secret', sa.String(length=255), nullable=True))
-    op.add_column(u'oauthapplication', sa.Column('fully_migrated', sa.Boolean(), server_default='0', nullable=False))
+    op.add_column(
+        u"oauthapplication",
+        sa.Column("secure_client_secret", sa.String(length=255), nullable=True),
+    )
+    op.add_column(
+        u"oauthapplication",
+        sa.Column("fully_migrated", sa.Boolean(), server_default="0", nullable=False),
+    )
 
-    op.add_column(u'oauthauthorizationcode', sa.Column('code_credential', sa.String(length=255), nullable=True))
-    op.add_column(u'oauthauthorizationcode', sa.Column('code_name', sa.String(length=255), nullable=True))
-    op.create_index('oauthauthorizationcode_code_name', 'oauthauthorizationcode', ['code_name'], unique=True)
-    op.drop_index('oauthauthorizationcode_code', table_name='oauthauthorizationcode')
-    op.create_index('oauthauthorizationcode_code', 'oauthauthorizationcode', ['code'], unique=True)
+    op.add_column(
+        u"oauthauthorizationcode",
+        sa.Column("code_credential", sa.String(length=255), nullable=True),
+    )
+    op.add_column(
+        u"oauthauthorizationcode",
+        sa.Column("code_name", sa.String(length=255), nullable=True),
+    )
+    op.create_index(
+        "oauthauthorizationcode_code_name",
+        "oauthauthorizationcode",
+        ["code_name"],
+        unique=True,
+    )
+    op.drop_index("oauthauthorizationcode_code", table_name="oauthauthorizationcode")
+    op.create_index(
+        "oauthauthorizationcode_code", "oauthauthorizationcode", ["code"], unique=True
+    )
 
-    op.add_column(u'repositorybuildtrigger', sa.Column('secure_auth_token', sa.String(length=255), nullable=True))
-    op.add_column(u'repositorybuildtrigger', sa.Column('secure_private_key', sa.Text(), nullable=True))
-    op.add_column(u'repositorybuildtrigger', sa.Column('fully_migrated', sa.Boolean(), server_default='0', nullable=False))
+    op.add_column(
+        u"repositorybuildtrigger",
+        sa.Column("secure_auth_token", sa.String(length=255), nullable=True),
+    )
+    op.add_column(
+        u"repositorybuildtrigger",
+        sa.Column("secure_private_key", sa.Text(), nullable=True),
+    )
+    op.add_column(
+        u"repositorybuildtrigger",
+        sa.Column("fully_migrated", sa.Boolean(), server_default="0", nullable=False),
+    )
     # ### end Alembic commands ###
 
     # ### population of test data ### #
-    tester.populate_table('robotaccounttoken', [
-        ('robot_account_id', tester.TestDataType.Foreign('user')),
-        ('token', tester.TestDataType.Token),
-        ('fully_migrated', tester.TestDataType.Boolean),
-    ])
-    
-    tester.populate_column('accesstoken', 'code', tester.TestDataType.Token)
+    tester.populate_table(
+        "robotaccounttoken",
+        [
+            ("robot_account_id", tester.TestDataType.Foreign("user")),
+            ("token", tester.TestDataType.Token),
+            ("fully_migrated", tester.TestDataType.Boolean),
+        ],
+    )
 
-    tester.populate_column('appspecificauthtoken', 'token_code', tester.TestDataType.Token)
+    tester.populate_column("accesstoken", "code", tester.TestDataType.Token)
 
-    tester.populate_column('emailconfirmation', 'verification_code', tester.TestDataType.Token)
+    tester.populate_column(
+        "appspecificauthtoken", "token_code", tester.TestDataType.Token
+    )
 
-    tester.populate_column('oauthaccesstoken', 'token_code', tester.TestDataType.Token)
+    tester.populate_column(
+        "emailconfirmation", "verification_code", tester.TestDataType.Token
+    )
+
+    tester.populate_column("oauthaccesstoken", "token_code", tester.TestDataType.Token)
     # ### end population of test data ### #
 
 
 def downgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     # ### commands auto generated by Alembic - please adjust! ###
-    op.drop_column(u'repositorybuildtrigger', 'secure_private_key')
-    op.drop_column(u'repositorybuildtrigger', 'secure_auth_token')
+    op.drop_column(u"repositorybuildtrigger", "secure_private_key")
+    op.drop_column(u"repositorybuildtrigger", "secure_auth_token")
 
-    op.drop_index('oauthauthorizationcode_code', table_name='oauthauthorizationcode')
-    op.create_index('oauthauthorizationcode_code', 'oauthauthorizationcode', ['code'], unique=False)
-    op.drop_index('oauthauthorizationcode_code_name', table_name='oauthauthorizationcode')
-    op.drop_column(u'oauthauthorizationcode', 'code_name')
-    op.drop_column(u'oauthauthorizationcode', 'code_credential')
+    op.drop_index("oauthauthorizationcode_code", table_name="oauthauthorizationcode")
+    op.create_index(
+        "oauthauthorizationcode_code", "oauthauthorizationcode", ["code"], unique=False
+    )
+    op.drop_index(
+        "oauthauthorizationcode_code_name", table_name="oauthauthorizationcode"
+    )
+    op.drop_column(u"oauthauthorizationcode", "code_name")
+    op.drop_column(u"oauthauthorizationcode", "code_credential")
 
-    op.drop_column(u'oauthapplication', 'secure_client_secret')
+    op.drop_column(u"oauthapplication", "secure_client_secret")
 
-    op.drop_index('oauthaccesstoken_token_name', table_name='oauthaccesstoken')
-    op.drop_column(u'oauthaccesstoken', 'token_name')
-    op.drop_column(u'oauthaccesstoken', 'token_code')
+    op.drop_index("oauthaccesstoken_token_name", table_name="oauthaccesstoken")
+    op.drop_column(u"oauthaccesstoken", "token_name")
+    op.drop_column(u"oauthaccesstoken", "token_code")
 
-    op.drop_column(u'emailconfirmation', 'verification_code')
+    op.drop_column(u"emailconfirmation", "verification_code")
 
-    op.drop_index('appspecificauthtoken_token_name', table_name='appspecificauthtoken')
-    op.drop_column(u'appspecificauthtoken', 'token_secret')
-    op.drop_column(u'appspecificauthtoken', 'token_name')
+    op.drop_index("appspecificauthtoken_token_name", table_name="appspecificauthtoken")
+    op.drop_column(u"appspecificauthtoken", "token_secret")
+    op.drop_column(u"appspecificauthtoken", "token_name")
 
-    op.drop_index('accesstoken_token_name', table_name='accesstoken')
-    op.drop_column(u'accesstoken', 'token_name')
-    op.drop_column(u'accesstoken', 'token_code')
+    op.drop_index("accesstoken_token_name", table_name="accesstoken")
+    op.drop_column(u"accesstoken", "token_name")
+    op.drop_column(u"accesstoken", "token_code")
 
-    op.drop_table('robotaccounttoken')
+    op.drop_table("robotaccounttoken")
     # ### end Alembic commands ###
diff --git a/data/migrations/versions/c156deb8845d_reset_our_migrations_with_a_required_.py b/data/migrations/versions/c156deb8845d_reset_our_migrations_with_a_required_.py
index 3277f5ae6..0158dcb61 100644
--- a/data/migrations/versions/c156deb8845d_reset_our_migrations_with_a_required_.py
+++ b/data/migrations/versions/c156deb8845d_reset_our_migrations_with_a_required_.py
@@ -7,7 +7,7 @@ Create Date: 2016-11-08 11:58:11.110762
 """
 
 # revision identifiers, used by Alembic.
-revision = 'c156deb8845d'
+revision = "c156deb8845d"
 down_revision = None
 
 from alembic import op as original_op
@@ -16,1239 +16,2149 @@ import sqlalchemy as sa
 from util.migrate import UTF8LongText, UTF8CharField
 from datetime import datetime
 
+
 def upgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     now = datetime.now().strftime("'%Y-%m-%d %H:%M:%S'")
 
-    op.create_table('accesstokenkind',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('name', sa.String(length=255), nullable=False),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_accesstokenkind'))
+    op.create_table(
+        "accesstokenkind",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("name", sa.String(length=255), nullable=False),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_accesstokenkind")),
     )
-    op.create_index('accesstokenkind_name', 'accesstokenkind', ['name'], unique=True)
-    op.create_table('buildtriggerservice',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('name', sa.String(length=255), nullable=False),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_buildtriggerservice'))
+    op.create_index("accesstokenkind_name", "accesstokenkind", ["name"], unique=True)
+    op.create_table(
+        "buildtriggerservice",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("name", sa.String(length=255), nullable=False),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_buildtriggerservice")),
     )
-    op.create_index('buildtriggerservice_name', 'buildtriggerservice', ['name'], unique=True)
-    op.create_table('externalnotificationevent',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('name', sa.String(length=255), nullable=False),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_externalnotificationevent'))
+    op.create_index(
+        "buildtriggerservice_name", "buildtriggerservice", ["name"], unique=True
     )
-    op.create_index('externalnotificationevent_name', 'externalnotificationevent', ['name'], unique=True)
-    op.create_table('externalnotificationmethod',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('name', sa.String(length=255), nullable=False),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_externalnotificationmethod'))
+    op.create_table(
+        "externalnotificationevent",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("name", sa.String(length=255), nullable=False),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_externalnotificationevent")),
     )
-    op.create_index('externalnotificationmethod_name', 'externalnotificationmethod', ['name'], unique=True)
-    op.create_table('imagestorage',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('uuid', sa.String(length=255), nullable=False),
-    sa.Column('checksum', sa.String(length=255), nullable=True),
-    sa.Column('image_size', sa.BigInteger(), nullable=True),
-    sa.Column('uncompressed_size', sa.BigInteger(), nullable=True),
-    sa.Column('uploading', sa.Boolean(), nullable=True),
-    sa.Column('cas_path', sa.Boolean(), nullable=False, server_default=sa.sql.expression.false()),
-    sa.Column('content_checksum', sa.String(length=255), nullable=True),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_imagestorage'))
+    op.create_index(
+        "externalnotificationevent_name",
+        "externalnotificationevent",
+        ["name"],
+        unique=True,
     )
-    op.create_index('imagestorage_content_checksum', 'imagestorage', ['content_checksum'], unique=False)
-    op.create_index('imagestorage_uuid', 'imagestorage', ['uuid'], unique=True)
-    op.create_table('imagestoragelocation',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('name', sa.String(length=255), nullable=False),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_imagestoragelocation'))
+    op.create_table(
+        "externalnotificationmethod",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("name", sa.String(length=255), nullable=False),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_externalnotificationmethod")),
     )
-    op.create_index('imagestoragelocation_name', 'imagestoragelocation', ['name'], unique=True)
-    op.create_table('imagestoragesignaturekind',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('name', sa.String(length=255), nullable=False),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_imagestoragesignaturekind'))
+    op.create_index(
+        "externalnotificationmethod_name",
+        "externalnotificationmethod",
+        ["name"],
+        unique=True,
     )
-    op.create_index('imagestoragesignaturekind_name', 'imagestoragesignaturekind', ['name'], unique=True)
-    op.create_table('imagestoragetransformation',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('name', sa.String(length=255), nullable=False),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_imagestoragetransformation'))
+    op.create_table(
+        "imagestorage",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("uuid", sa.String(length=255), nullable=False),
+        sa.Column("checksum", sa.String(length=255), nullable=True),
+        sa.Column("image_size", sa.BigInteger(), nullable=True),
+        sa.Column("uncompressed_size", sa.BigInteger(), nullable=True),
+        sa.Column("uploading", sa.Boolean(), nullable=True),
+        sa.Column(
+            "cas_path",
+            sa.Boolean(),
+            nullable=False,
+            server_default=sa.sql.expression.false(),
+        ),
+        sa.Column("content_checksum", sa.String(length=255), nullable=True),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_imagestorage")),
     )
-    op.create_index('imagestoragetransformation_name', 'imagestoragetransformation', ['name'], unique=True)
-    op.create_table('labelsourcetype',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('name', sa.String(length=255), nullable=False),
-    sa.Column('mutable', sa.Boolean(), nullable=False),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_labelsourcetype'))
+    op.create_index(
+        "imagestorage_content_checksum",
+        "imagestorage",
+        ["content_checksum"],
+        unique=False,
     )
-    op.create_index('labelsourcetype_name', 'labelsourcetype', ['name'], unique=True)
-    op.create_table('logentrykind',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('name', sa.String(length=255), nullable=False),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_logentrykind'))
+    op.create_index("imagestorage_uuid", "imagestorage", ["uuid"], unique=True)
+    op.create_table(
+        "imagestoragelocation",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("name", sa.String(length=255), nullable=False),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_imagestoragelocation")),
     )
-    op.create_index('logentrykind_name', 'logentrykind', ['name'], unique=True)
-    op.create_table('loginservice',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('name', sa.String(length=255), nullable=False),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_loginservice'))
+    op.create_index(
+        "imagestoragelocation_name", "imagestoragelocation", ["name"], unique=True
     )
-    op.create_index('loginservice_name', 'loginservice', ['name'], unique=True)
-    op.create_table('mediatype',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('name', sa.String(length=255), nullable=False),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_mediatype'))
+    op.create_table(
+        "imagestoragesignaturekind",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("name", sa.String(length=255), nullable=False),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_imagestoragesignaturekind")),
     )
-    op.create_index('mediatype_name', 'mediatype', ['name'], unique=True)
-    op.create_table('messages',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('content', sa.Text(), nullable=False),
-    sa.Column('uuid', sa.String(length=36), nullable=True),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_messages'))
+    op.create_index(
+        "imagestoragesignaturekind_name",
+        "imagestoragesignaturekind",
+        ["name"],
+        unique=True,
     )
-    op.create_table('notificationkind',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('name', sa.String(length=255), nullable=False),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_notificationkind'))
+    op.create_table(
+        "imagestoragetransformation",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("name", sa.String(length=255), nullable=False),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_imagestoragetransformation")),
     )
-    op.create_index('notificationkind_name', 'notificationkind', ['name'], unique=True)
-    op.create_table('quayregion',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('name', sa.String(length=255), nullable=False),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_quayregion'))
+    op.create_index(
+        "imagestoragetransformation_name",
+        "imagestoragetransformation",
+        ["name"],
+        unique=True,
     )
-    op.create_index('quayregion_name', 'quayregion', ['name'], unique=True)
-    op.create_table('quayservice',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('name', sa.String(length=255), nullable=False),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_quayservice'))
+    op.create_table(
+        "labelsourcetype",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("name", sa.String(length=255), nullable=False),
+        sa.Column("mutable", sa.Boolean(), nullable=False),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_labelsourcetype")),
     )
-    op.create_index('quayservice_name', 'quayservice', ['name'], unique=True)
-    op.create_table('queueitem',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('queue_name', sa.String(length=1024), nullable=False),
-    sa.Column('body', sa.Text(), nullable=False),
-    sa.Column('available_after', sa.DateTime(), nullable=False),
-    sa.Column('available', sa.Boolean(), nullable=False),
-    sa.Column('processing_expires', sa.DateTime(), nullable=True),
-    sa.Column('retries_remaining', sa.Integer(), nullable=False),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_queueitem'))
+    op.create_index("labelsourcetype_name", "labelsourcetype", ["name"], unique=True)
+    op.create_table(
+        "logentrykind",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("name", sa.String(length=255), nullable=False),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_logentrykind")),
     )
-    op.create_index('queueitem_available', 'queueitem', ['available'], unique=False)
-    op.create_index('queueitem_available_after', 'queueitem', ['available_after'], unique=False)
-    op.create_index('queueitem_processing_expires', 'queueitem', ['processing_expires'], unique=False)
-    op.create_index('queueitem_queue_name', 'queueitem', ['queue_name'], unique=False, mysql_length=767)
-    op.create_index('queueitem_retries_remaining', 'queueitem', ['retries_remaining'], unique=False)
-    op.create_table('role',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('name', sa.String(length=255), nullable=False),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_role'))
+    op.create_index("logentrykind_name", "logentrykind", ["name"], unique=True)
+    op.create_table(
+        "loginservice",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("name", sa.String(length=255), nullable=False),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_loginservice")),
     )
-    op.create_index('role_name', 'role', ['name'], unique=True)
-    op.create_table('servicekeyapproval',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('approver_id', sa.Integer(), nullable=True),
-    sa.Column('approval_type', sa.String(length=255), nullable=False),
-    sa.Column('approved_date', sa.DateTime(), nullable=False),
-    sa.Column('notes', UTF8LongText(), nullable=False),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_servicekeyapproval'))
+    op.create_index("loginservice_name", "loginservice", ["name"], unique=True)
+    op.create_table(
+        "mediatype",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("name", sa.String(length=255), nullable=False),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_mediatype")),
     )
-    op.create_index('servicekeyapproval_approval_type', 'servicekeyapproval', ['approval_type'], unique=False)
-    op.create_index('servicekeyapproval_approver_id', 'servicekeyapproval', ['approver_id'], unique=False)
-    op.create_table('teamrole',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('name', sa.String(length=255), nullable=False),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_teamrole'))
+    op.create_index("mediatype_name", "mediatype", ["name"], unique=True)
+    op.create_table(
+        "messages",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("content", sa.Text(), nullable=False),
+        sa.Column("uuid", sa.String(length=36), nullable=True),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_messages")),
     )
-    op.create_index('teamrole_name', 'teamrole', ['name'], unique=False)
-    op.create_table('user',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('uuid', sa.String(length=36), nullable=True),
-    sa.Column('username', sa.String(length=255), nullable=False),
-    sa.Column('password_hash', sa.String(length=255), nullable=True),
-    sa.Column('email', sa.String(length=255), nullable=False),
-    sa.Column('verified', sa.Boolean(), nullable=False),
-    sa.Column('stripe_id', sa.String(length=255), nullable=True),
-    sa.Column('organization', sa.Boolean(), nullable=False),
-    sa.Column('robot', sa.Boolean(), nullable=False),
-    sa.Column('invoice_email', sa.Boolean(), nullable=False),
-    sa.Column('invalid_login_attempts', sa.Integer(), nullable=False, server_default='0'),
-    sa.Column('last_invalid_login', sa.DateTime(), nullable=False),
-    sa.Column('removed_tag_expiration_s', sa.Integer(), nullable=False, server_default='1209600'),
-    sa.Column('enabled', sa.Boolean(), nullable=False, server_default=sa.sql.expression.true()),
-    sa.Column('invoice_email_address', sa.String(length=255), nullable=True),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_user'))
+    op.create_table(
+        "notificationkind",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("name", sa.String(length=255), nullable=False),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_notificationkind")),
     )
-    op.create_index('user_email', 'user', ['email'], unique=True)
-    op.create_index('user_invoice_email_address', 'user', ['invoice_email_address'], unique=False)
-    op.create_index('user_organization', 'user', ['organization'], unique=False)
-    op.create_index('user_robot', 'user', ['robot'], unique=False)
-    op.create_index('user_stripe_id', 'user', ['stripe_id'], unique=False)
-    op.create_index('user_username', 'user', ['username'], unique=True)
-    op.create_table('visibility',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('name', sa.String(length=255), nullable=False),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_visibility'))
+    op.create_index("notificationkind_name", "notificationkind", ["name"], unique=True)
+    op.create_table(
+        "quayregion",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("name", sa.String(length=255), nullable=False),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_quayregion")),
     )
-    op.create_index('visibility_name', 'visibility', ['name'], unique=True)
-    op.create_table('emailconfirmation',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('code', sa.String(length=255), nullable=False),
-    sa.Column('user_id', sa.Integer(), nullable=False),
-    sa.Column('pw_reset', sa.Boolean(), nullable=False),
-    sa.Column('new_email', sa.String(length=255), nullable=True),
-    sa.Column('email_confirm', sa.Boolean(), nullable=False),
-    sa.Column('created', sa.DateTime(), nullable=False),
-    sa.ForeignKeyConstraint(['user_id'], ['user.id'], name=op.f('fk_emailconfirmation_user_id_user')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_emailconfirmation'))
+    op.create_index("quayregion_name", "quayregion", ["name"], unique=True)
+    op.create_table(
+        "quayservice",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("name", sa.String(length=255), nullable=False),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_quayservice")),
     )
-    op.create_index('emailconfirmation_code', 'emailconfirmation', ['code'], unique=True)
-    op.create_index('emailconfirmation_user_id', 'emailconfirmation', ['user_id'], unique=False)
-    op.create_table('federatedlogin',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('user_id', sa.Integer(), nullable=False),
-    sa.Column('service_id', sa.Integer(), nullable=False),
-    sa.Column('service_ident', sa.String(length=255), nullable=False),
-    sa.Column('metadata_json', sa.Text(), nullable=False),
-    sa.ForeignKeyConstraint(['service_id'], ['loginservice.id'], name=op.f('fk_federatedlogin_service_id_loginservice')),
-    sa.ForeignKeyConstraint(['user_id'], ['user.id'], name=op.f('fk_federatedlogin_user_id_user')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_federatedlogin'))
+    op.create_index("quayservice_name", "quayservice", ["name"], unique=True)
+    op.create_table(
+        "queueitem",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("queue_name", sa.String(length=1024), nullable=False),
+        sa.Column("body", sa.Text(), nullable=False),
+        sa.Column("available_after", sa.DateTime(), nullable=False),
+        sa.Column("available", sa.Boolean(), nullable=False),
+        sa.Column("processing_expires", sa.DateTime(), nullable=True),
+        sa.Column("retries_remaining", sa.Integer(), nullable=False),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_queueitem")),
     )
-    op.create_index('federatedlogin_service_id', 'federatedlogin', ['service_id'], unique=False)
-    op.create_index('federatedlogin_service_id_service_ident', 'federatedlogin', ['service_id', 'service_ident'], unique=True)
-    op.create_index('federatedlogin_service_id_user_id', 'federatedlogin', ['service_id', 'user_id'], unique=True)
-    op.create_index('federatedlogin_user_id', 'federatedlogin', ['user_id'], unique=False)
-    op.create_table('imagestorageplacement',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('storage_id', sa.Integer(), nullable=False),
-    sa.Column('location_id', sa.Integer(), nullable=False),
-    sa.ForeignKeyConstraint(['location_id'], ['imagestoragelocation.id'], name=op.f('fk_imagestorageplacement_location_id_imagestoragelocation')),
-    sa.ForeignKeyConstraint(['storage_id'], ['imagestorage.id'], name=op.f('fk_imagestorageplacement_storage_id_imagestorage')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_imagestorageplacement'))
+    op.create_index("queueitem_available", "queueitem", ["available"], unique=False)
+    op.create_index(
+        "queueitem_available_after", "queueitem", ["available_after"], unique=False
     )
-    op.create_index('imagestorageplacement_location_id', 'imagestorageplacement', ['location_id'], unique=False)
-    op.create_index('imagestorageplacement_storage_id', 'imagestorageplacement', ['storage_id'], unique=False)
-    op.create_index('imagestorageplacement_storage_id_location_id', 'imagestorageplacement', ['storage_id', 'location_id'], unique=True)
-    op.create_table('imagestoragesignature',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('storage_id', sa.Integer(), nullable=False),
-    sa.Column('kind_id', sa.Integer(), nullable=False),
-    sa.Column('signature', sa.Text(), nullable=True),
-    sa.Column('uploading', sa.Boolean(), nullable=True),
-    sa.ForeignKeyConstraint(['kind_id'], ['imagestoragesignaturekind.id'], name=op.f('fk_imagestoragesignature_kind_id_imagestoragesignaturekind')),
-    sa.ForeignKeyConstraint(['storage_id'], ['imagestorage.id'], name=op.f('fk_imagestoragesignature_storage_id_imagestorage')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_imagestoragesignature'))
+    op.create_index(
+        "queueitem_processing_expires",
+        "queueitem",
+        ["processing_expires"],
+        unique=False,
     )
-    op.create_index('imagestoragesignature_kind_id', 'imagestoragesignature', ['kind_id'], unique=False)
-    op.create_index('imagestoragesignature_kind_id_storage_id', 'imagestoragesignature', ['kind_id', 'storage_id'], unique=True)
-    op.create_index('imagestoragesignature_storage_id', 'imagestoragesignature', ['storage_id'], unique=False)
-    op.create_table('label',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('uuid', sa.String(length=255), nullable=False),
-    sa.Column('key', UTF8CharField(length=255), nullable=False),
-    sa.Column('value', UTF8LongText(), nullable=False),
-    sa.Column('media_type_id', sa.Integer(), nullable=False),
-    sa.Column('source_type_id', sa.Integer(), nullable=False),
-    sa.ForeignKeyConstraint(['media_type_id'], ['mediatype.id'], name=op.f('fk_label_media_type_id_mediatype')),
-    sa.ForeignKeyConstraint(['source_type_id'], ['labelsourcetype.id'], name=op.f('fk_label_source_type_id_labelsourcetype')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_label'))
+    op.create_index(
+        "queueitem_queue_name",
+        "queueitem",
+        ["queue_name"],
+        unique=False,
+        mysql_length=767,
     )
-    op.create_index('label_key', 'label', ['key'], unique=False)
-    op.create_index('label_media_type_id', 'label', ['media_type_id'], unique=False)
-    op.create_index('label_source_type_id', 'label', ['source_type_id'], unique=False)
-    op.create_index('label_uuid', 'label', ['uuid'], unique=True)
-    op.create_table('logentry',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('kind_id', sa.Integer(), nullable=False),
-    sa.Column('account_id', sa.Integer(), nullable=False),
-    sa.Column('performer_id', sa.Integer(), nullable=True),
-    sa.Column('repository_id', sa.Integer(), nullable=True),
-    sa.Column('datetime', sa.DateTime(), nullable=False),
-    sa.Column('ip', sa.String(length=255), nullable=True),
-    sa.Column('metadata_json', sa.Text(), nullable=False),
-    sa.ForeignKeyConstraint(['kind_id'], ['logentrykind.id'], name=op.f('fk_logentry_kind_id_logentrykind')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_logentry'))
+    op.create_index(
+        "queueitem_retries_remaining", "queueitem", ["retries_remaining"], unique=False
     )
-    op.create_index('logentry_account_id', 'logentry', ['account_id'], unique=False)
-    op.create_index('logentry_account_id_datetime', 'logentry', ['account_id', 'datetime'], unique=False)
-    op.create_index('logentry_datetime', 'logentry', ['datetime'], unique=False)
-    op.create_index('logentry_kind_id', 'logentry', ['kind_id'], unique=False)
-    op.create_index('logentry_performer_id', 'logentry', ['performer_id'], unique=False)
-    op.create_index('logentry_performer_id_datetime', 'logentry', ['performer_id', 'datetime'], unique=False)
-    op.create_index('logentry_repository_id', 'logentry', ['repository_id'], unique=False)
-    op.create_index('logentry_repository_id_datetime', 'logentry', ['repository_id', 'datetime'], unique=False)
-    op.create_index('logentry_repository_id_datetime_kind_id', 'logentry', ['repository_id', 'datetime', 'kind_id'], unique=False)
-    op.create_table('notification',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('uuid', sa.String(length=255), nullable=False),
-    sa.Column('kind_id', sa.Integer(), nullable=False),
-    sa.Column('target_id', sa.Integer(), nullable=False),
-    sa.Column('metadata_json', sa.Text(), nullable=False),
-    sa.Column('created', sa.DateTime(), nullable=False),
-    sa.Column('dismissed', sa.Boolean(), nullable=False),
-    sa.Column('lookup_path', sa.String(length=255), nullable=True),
-    sa.ForeignKeyConstraint(['kind_id'], ['notificationkind.id'], name=op.f('fk_notification_kind_id_notificationkind')),
-    sa.ForeignKeyConstraint(['target_id'], ['user.id'], name=op.f('fk_notification_target_id_user')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_notification'))
+    op.create_table(
+        "role",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("name", sa.String(length=255), nullable=False),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_role")),
     )
-    op.create_index('notification_created', 'notification', ['created'], unique=False)
-    op.create_index('notification_kind_id', 'notification', ['kind_id'], unique=False)
-    op.create_index('notification_lookup_path', 'notification', ['lookup_path'], unique=False)
-    op.create_index('notification_target_id', 'notification', ['target_id'], unique=False)
-    op.create_index('notification_uuid', 'notification', ['uuid'], unique=False)
-    op.create_table('oauthapplication',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('client_id', sa.String(length=255), nullable=False),
-    sa.Column('client_secret', sa.String(length=255), nullable=False),
-    sa.Column('redirect_uri', sa.String(length=255), nullable=False),
-    sa.Column('application_uri', sa.String(length=255), nullable=False),
-    sa.Column('organization_id', sa.Integer(), nullable=False),
-    sa.Column('name', sa.String(length=255), nullable=False),
-    sa.Column('description', sa.Text(), nullable=False),
-    sa.Column('gravatar_email', sa.String(length=255), nullable=True),
-    sa.ForeignKeyConstraint(['organization_id'], ['user.id'], name=op.f('fk_oauthapplication_organization_id_user')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_oauthapplication'))
+    op.create_index("role_name", "role", ["name"], unique=True)
+    op.create_table(
+        "servicekeyapproval",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("approver_id", sa.Integer(), nullable=True),
+        sa.Column("approval_type", sa.String(length=255), nullable=False),
+        sa.Column("approved_date", sa.DateTime(), nullable=False),
+        sa.Column("notes", UTF8LongText(), nullable=False),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_servicekeyapproval")),
     )
-    op.create_index('oauthapplication_client_id', 'oauthapplication', ['client_id'], unique=False)
-    op.create_index('oauthapplication_organization_id', 'oauthapplication', ['organization_id'], unique=False)
-    op.create_table('quayrelease',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('service_id', sa.Integer(), nullable=False),
-    sa.Column('version', sa.String(length=255), nullable=False),
-    sa.Column('region_id', sa.Integer(), nullable=False),
-    sa.Column('reverted', sa.Boolean(), nullable=False),
-    sa.Column('created', sa.DateTime(), nullable=False),
-    sa.ForeignKeyConstraint(['region_id'], ['quayregion.id'], name=op.f('fk_quayrelease_region_id_quayregion')),
-    sa.ForeignKeyConstraint(['service_id'], ['quayservice.id'], name=op.f('fk_quayrelease_service_id_quayservice')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_quayrelease'))
+    op.create_index(
+        "servicekeyapproval_approval_type",
+        "servicekeyapproval",
+        ["approval_type"],
+        unique=False,
     )
-    op.create_index('quayrelease_created', 'quayrelease', ['created'], unique=False)
-    op.create_index('quayrelease_region_id', 'quayrelease', ['region_id'], unique=False)
-    op.create_index('quayrelease_service_id', 'quayrelease', ['service_id'], unique=False)
-    op.create_index('quayrelease_service_id_region_id_created', 'quayrelease', ['service_id', 'region_id', 'created'], unique=False)
-    op.create_index('quayrelease_service_id_version_region_id', 'quayrelease', ['service_id', 'version', 'region_id'], unique=True)
-    op.create_table('repository',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('namespace_user_id', sa.Integer(), nullable=True),
-    sa.Column('name', sa.String(length=255), nullable=False),
-    sa.Column('visibility_id', sa.Integer(), nullable=False),
-    sa.Column('description', sa.Text(), nullable=True),
-    sa.Column('badge_token', sa.String(length=255), nullable=False),
-    sa.ForeignKeyConstraint(['namespace_user_id'], ['user.id'], name=op.f('fk_repository_namespace_user_id_user')),
-    sa.ForeignKeyConstraint(['visibility_id'], ['visibility.id'], name=op.f('fk_repository_visibility_id_visibility')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_repository'))
+    op.create_index(
+        "servicekeyapproval_approver_id",
+        "servicekeyapproval",
+        ["approver_id"],
+        unique=False,
     )
-    op.create_index('repository_namespace_user_id', 'repository', ['namespace_user_id'], unique=False)
-    op.create_index('repository_namespace_user_id_name', 'repository', ['namespace_user_id', 'name'], unique=True)
-    op.create_index('repository_visibility_id', 'repository', ['visibility_id'], unique=False)
-    op.create_table('servicekey',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('name', sa.String(length=255), nullable=False),
-    sa.Column('kid', sa.String(length=255), nullable=False),
-    sa.Column('service', sa.String(length=255), nullable=False),
-    sa.Column('jwk', UTF8LongText(), nullable=False),
-    sa.Column('metadata', UTF8LongText(), nullable=False),
-    sa.Column('created_date', sa.DateTime(), nullable=False),
-    sa.Column('expiration_date', sa.DateTime(), nullable=True),
-    sa.Column('rotation_duration', sa.Integer(), nullable=True),
-    sa.Column('approval_id', sa.Integer(), nullable=True),
-    sa.ForeignKeyConstraint(['approval_id'], ['servicekeyapproval.id'], name=op.f('fk_servicekey_approval_id_servicekeyapproval')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_servicekey'))
+    op.create_table(
+        "teamrole",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("name", sa.String(length=255), nullable=False),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_teamrole")),
     )
-    op.create_index('servicekey_approval_id', 'servicekey', ['approval_id'], unique=False)
-    op.create_index('servicekey_kid', 'servicekey', ['kid'], unique=True)
-    op.create_index('servicekey_service', 'servicekey', ['service'], unique=False)
-    op.create_table('team',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('name', sa.String(length=255), nullable=False),
-    sa.Column('organization_id', sa.Integer(), nullable=False),
-    sa.Column('role_id', sa.Integer(), nullable=False),
-    sa.Column('description', sa.Text(), nullable=False),
-    sa.ForeignKeyConstraint(['organization_id'], ['user.id'], name=op.f('fk_team_organization_id_user')),
-    sa.ForeignKeyConstraint(['role_id'], ['teamrole.id'], name=op.f('fk_team_role_id_teamrole')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_team'))
+    op.create_index("teamrole_name", "teamrole", ["name"], unique=False)
+    op.create_table(
+        "user",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("uuid", sa.String(length=36), nullable=True),
+        sa.Column("username", sa.String(length=255), nullable=False),
+        sa.Column("password_hash", sa.String(length=255), nullable=True),
+        sa.Column("email", sa.String(length=255), nullable=False),
+        sa.Column("verified", sa.Boolean(), nullable=False),
+        sa.Column("stripe_id", sa.String(length=255), nullable=True),
+        sa.Column("organization", sa.Boolean(), nullable=False),
+        sa.Column("robot", sa.Boolean(), nullable=False),
+        sa.Column("invoice_email", sa.Boolean(), nullable=False),
+        sa.Column(
+            "invalid_login_attempts", sa.Integer(), nullable=False, server_default="0"
+        ),
+        sa.Column("last_invalid_login", sa.DateTime(), nullable=False),
+        sa.Column(
+            "removed_tag_expiration_s",
+            sa.Integer(),
+            nullable=False,
+            server_default="1209600",
+        ),
+        sa.Column(
+            "enabled",
+            sa.Boolean(),
+            nullable=False,
+            server_default=sa.sql.expression.true(),
+        ),
+        sa.Column("invoice_email_address", sa.String(length=255), nullable=True),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_user")),
     )
-    op.create_index('team_name', 'team', ['name'], unique=False)
-    op.create_index('team_name_organization_id', 'team', ['name', 'organization_id'], unique=True)
-    op.create_index('team_organization_id', 'team', ['organization_id'], unique=False)
-    op.create_index('team_role_id', 'team', ['role_id'], unique=False)
-    op.create_table('torrentinfo',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('storage_id', sa.Integer(), nullable=False),
-    sa.Column('piece_length', sa.Integer(), nullable=False),
-    sa.Column('pieces', sa.Text(), nullable=False),
-    sa.ForeignKeyConstraint(['storage_id'], ['imagestorage.id'], name=op.f('fk_torrentinfo_storage_id_imagestorage')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_torrentinfo'))
+    op.create_index("user_email", "user", ["email"], unique=True)
+    op.create_index(
+        "user_invoice_email_address", "user", ["invoice_email_address"], unique=False
     )
-    op.create_index('torrentinfo_storage_id', 'torrentinfo', ['storage_id'], unique=False)
-    op.create_index('torrentinfo_storage_id_piece_length', 'torrentinfo', ['storage_id', 'piece_length'], unique=True)
-    op.create_table('userregion',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('user_id', sa.Integer(), nullable=False),
-    sa.Column('location_id', sa.Integer(), nullable=False),
-    sa.ForeignKeyConstraint(['location_id'], ['imagestoragelocation.id'], name=op.f('fk_userregion_location_id_imagestoragelocation')),
-    sa.ForeignKeyConstraint(['user_id'], ['user.id'], name=op.f('fk_userregion_user_id_user')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_userregion'))
+    op.create_index("user_organization", "user", ["organization"], unique=False)
+    op.create_index("user_robot", "user", ["robot"], unique=False)
+    op.create_index("user_stripe_id", "user", ["stripe_id"], unique=False)
+    op.create_index("user_username", "user", ["username"], unique=True)
+    op.create_table(
+        "visibility",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("name", sa.String(length=255), nullable=False),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_visibility")),
     )
-    op.create_index('userregion_location_id', 'userregion', ['location_id'], unique=False)
-    op.create_index('userregion_user_id', 'userregion', ['user_id'], unique=False)
-    op.create_table('accesstoken',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('friendly_name', sa.String(length=255), nullable=True),
-    sa.Column('code', sa.String(length=255), nullable=False),
-    sa.Column('repository_id', sa.Integer(), nullable=False),
-    sa.Column('created', sa.DateTime(), nullable=False),
-    sa.Column('role_id', sa.Integer(), nullable=False),
-    sa.Column('temporary', sa.Boolean(), nullable=False),
-    sa.Column('kind_id', sa.Integer(), nullable=True),
-    sa.ForeignKeyConstraint(['kind_id'], ['accesstokenkind.id'], name=op.f('fk_accesstoken_kind_id_accesstokenkind')),
-    sa.ForeignKeyConstraint(['repository_id'], ['repository.id'], name=op.f('fk_accesstoken_repository_id_repository')),
-    sa.ForeignKeyConstraint(['role_id'], ['role.id'], name=op.f('fk_accesstoken_role_id_role')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_accesstoken'))
+    op.create_index("visibility_name", "visibility", ["name"], unique=True)
+    op.create_table(
+        "emailconfirmation",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("code", sa.String(length=255), nullable=False),
+        sa.Column("user_id", sa.Integer(), nullable=False),
+        sa.Column("pw_reset", sa.Boolean(), nullable=False),
+        sa.Column("new_email", sa.String(length=255), nullable=True),
+        sa.Column("email_confirm", sa.Boolean(), nullable=False),
+        sa.Column("created", sa.DateTime(), nullable=False),
+        sa.ForeignKeyConstraint(
+            ["user_id"], ["user.id"], name=op.f("fk_emailconfirmation_user_id_user")
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_emailconfirmation")),
     )
-    op.create_index('accesstoken_code', 'accesstoken', ['code'], unique=True)
-    op.create_index('accesstoken_kind_id', 'accesstoken', ['kind_id'], unique=False)
-    op.create_index('accesstoken_repository_id', 'accesstoken', ['repository_id'], unique=False)
-    op.create_index('accesstoken_role_id', 'accesstoken', ['role_id'], unique=False)
-    op.create_table('blobupload',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('repository_id', sa.Integer(), nullable=False),
-    sa.Column('uuid', sa.String(length=255), nullable=False),
-    sa.Column('byte_count', sa.Integer(), nullable=False),
-    sa.Column('sha_state', sa.Text(), nullable=True),
-    sa.Column('location_id', sa.Integer(), nullable=False),
-    sa.Column('storage_metadata', sa.Text(), nullable=True),
-    sa.Column('chunk_count', sa.Integer(), nullable=False, server_default='0'),
-    sa.Column('uncompressed_byte_count', sa.Integer(), nullable=True),
-    sa.Column('created', sa.DateTime(), nullable=False, server_default=sa.text(now)),
-    sa.Column('piece_sha_state', UTF8LongText(), nullable=True),
-    sa.Column('piece_hashes', UTF8LongText(), nullable=True),
-    sa.ForeignKeyConstraint(['location_id'], ['imagestoragelocation.id'], name=op.f('fk_blobupload_location_id_imagestoragelocation')),
-    sa.ForeignKeyConstraint(['repository_id'], ['repository.id'], name=op.f('fk_blobupload_repository_id_repository')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_blobupload'))
+    op.create_index(
+        "emailconfirmation_code", "emailconfirmation", ["code"], unique=True
     )
-    op.create_index('blobupload_created', 'blobupload', ['created'], unique=False)
-    op.create_index('blobupload_location_id', 'blobupload', ['location_id'], unique=False)
-    op.create_index('blobupload_repository_id', 'blobupload', ['repository_id'], unique=False)
-    op.create_index('blobupload_repository_id_uuid', 'blobupload', ['repository_id', 'uuid'], unique=True)
-    op.create_index('blobupload_uuid', 'blobupload', ['uuid'], unique=True)
-    op.create_table('image',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('docker_image_id', sa.String(length=255), nullable=False),
-    sa.Column('repository_id', sa.Integer(), nullable=False),
-    sa.Column('ancestors', sa.String(length=60535), nullable=True),
-    sa.Column('storage_id', sa.Integer(), nullable=True),
-    sa.Column('created', sa.DateTime(), nullable=True),
-    sa.Column('comment', UTF8LongText(), nullable=True),
-    sa.Column('command', sa.Text(), nullable=True),
-    sa.Column('aggregate_size', sa.BigInteger(), nullable=True),
-    sa.Column('v1_json_metadata', UTF8LongText(), nullable=True),
-    sa.Column('v1_checksum', sa.String(length=255), nullable=True),
-    sa.Column('security_indexed', sa.Boolean(), nullable=False, server_default=sa.sql.expression.false()),
-    sa.Column('security_indexed_engine', sa.Integer(), nullable=False, server_default='-1'),
-    sa.Column('parent_id', sa.Integer(), nullable=True),
-    sa.ForeignKeyConstraint(['repository_id'], ['repository.id'], name=op.f('fk_image_repository_id_repository')),
-    sa.ForeignKeyConstraint(['storage_id'], ['imagestorage.id'], name=op.f('fk_image_storage_id_imagestorage')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_image'))
+    op.create_index(
+        "emailconfirmation_user_id", "emailconfirmation", ["user_id"], unique=False
     )
-    op.create_index('image_ancestors', 'image', ['ancestors'], unique=False, mysql_length=767)
-    op.create_index('image_docker_image_id', 'image', ['docker_image_id'], unique=False)
-    op.create_index('image_parent_id', 'image', ['parent_id'], unique=False)
-    op.create_index('image_repository_id', 'image', ['repository_id'], unique=False)
-    op.create_index('image_repository_id_docker_image_id', 'image', ['repository_id', 'docker_image_id'], unique=True)
-    op.create_index('image_security_indexed', 'image', ['security_indexed'], unique=False)
-    op.create_index('image_security_indexed_engine', 'image', ['security_indexed_engine'], unique=False)
-    op.create_index('image_security_indexed_engine_security_indexed', 'image', ['security_indexed_engine', 'security_indexed'], unique=False)
-    op.create_index('image_storage_id', 'image', ['storage_id'], unique=False)
-    op.create_table('oauthaccesstoken',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('uuid', sa.String(length=255), nullable=False),
-    sa.Column('application_id', sa.Integer(), nullable=False),
-    sa.Column('authorized_user_id', sa.Integer(), nullable=False),
-    sa.Column('scope', sa.String(length=255), nullable=False),
-    sa.Column('access_token', sa.String(length=255), nullable=False),
-    sa.Column('token_type', sa.String(length=255), nullable=False),
-    sa.Column('expires_at', sa.DateTime(), nullable=False),
-    sa.Column('refresh_token', sa.String(length=255), nullable=True),
-    sa.Column('data', sa.Text(), nullable=False),
-    sa.ForeignKeyConstraint(['application_id'], ['oauthapplication.id'], name=op.f('fk_oauthaccesstoken_application_id_oauthapplication')),
-    sa.ForeignKeyConstraint(['authorized_user_id'], ['user.id'], name=op.f('fk_oauthaccesstoken_authorized_user_id_user')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_oauthaccesstoken'))
+    op.create_table(
+        "federatedlogin",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("user_id", sa.Integer(), nullable=False),
+        sa.Column("service_id", sa.Integer(), nullable=False),
+        sa.Column("service_ident", sa.String(length=255), nullable=False),
+        sa.Column("metadata_json", sa.Text(), nullable=False),
+        sa.ForeignKeyConstraint(
+            ["service_id"],
+            ["loginservice.id"],
+            name=op.f("fk_federatedlogin_service_id_loginservice"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["user_id"], ["user.id"], name=op.f("fk_federatedlogin_user_id_user")
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_federatedlogin")),
     )
-    op.create_index('oauthaccesstoken_access_token', 'oauthaccesstoken', ['access_token'], unique=False)
-    op.create_index('oauthaccesstoken_application_id', 'oauthaccesstoken', ['application_id'], unique=False)
-    op.create_index('oauthaccesstoken_authorized_user_id', 'oauthaccesstoken', ['authorized_user_id'], unique=False)
-    op.create_index('oauthaccesstoken_refresh_token', 'oauthaccesstoken', ['refresh_token'], unique=False)
-    op.create_index('oauthaccesstoken_uuid', 'oauthaccesstoken', ['uuid'], unique=False)
-    op.create_table('oauthauthorizationcode',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('application_id', sa.Integer(), nullable=False),
-    sa.Column('code', sa.String(length=255), nullable=False),
-    sa.Column('scope', sa.String(length=255), nullable=False),
-    sa.Column('data', sa.Text(), nullable=False),
-    sa.ForeignKeyConstraint(['application_id'], ['oauthapplication.id'], name=op.f('fk_oauthauthorizationcode_application_id_oauthapplication')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_oauthauthorizationcode'))
+    op.create_index(
+        "federatedlogin_service_id", "federatedlogin", ["service_id"], unique=False
     )
-    op.create_index('oauthauthorizationcode_application_id', 'oauthauthorizationcode', ['application_id'], unique=False)
-    op.create_index('oauthauthorizationcode_code', 'oauthauthorizationcode', ['code'], unique=False)
-    op.create_table('permissionprototype',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('org_id', sa.Integer(), nullable=False),
-    sa.Column('uuid', sa.String(length=255), nullable=False),
-    sa.Column('activating_user_id', sa.Integer(), nullable=True),
-    sa.Column('delegate_user_id', sa.Integer(), nullable=True),
-    sa.Column('delegate_team_id', sa.Integer(), nullable=True),
-    sa.Column('role_id', sa.Integer(), nullable=False),
-    sa.ForeignKeyConstraint(['activating_user_id'], ['user.id'], name=op.f('fk_permissionprototype_activating_user_id_user')),
-    sa.ForeignKeyConstraint(['delegate_team_id'], ['team.id'], name=op.f('fk_permissionprototype_delegate_team_id_team')),
-    sa.ForeignKeyConstraint(['delegate_user_id'], ['user.id'], name=op.f('fk_permissionprototype_delegate_user_id_user')),
-    sa.ForeignKeyConstraint(['org_id'], ['user.id'], name=op.f('fk_permissionprototype_org_id_user')),
-    sa.ForeignKeyConstraint(['role_id'], ['role.id'], name=op.f('fk_permissionprototype_role_id_role')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_permissionprototype'))
+    op.create_index(
+        "federatedlogin_service_id_service_ident",
+        "federatedlogin",
+        ["service_id", "service_ident"],
+        unique=True,
     )
-    op.create_index('permissionprototype_activating_user_id', 'permissionprototype', ['activating_user_id'], unique=False)
-    op.create_index('permissionprototype_delegate_team_id', 'permissionprototype', ['delegate_team_id'], unique=False)
-    op.create_index('permissionprototype_delegate_user_id', 'permissionprototype', ['delegate_user_id'], unique=False)
-    op.create_index('permissionprototype_org_id', 'permissionprototype', ['org_id'], unique=False)
-    op.create_index('permissionprototype_org_id_activating_user_id', 'permissionprototype', ['org_id', 'activating_user_id'], unique=False)
-    op.create_index('permissionprototype_role_id', 'permissionprototype', ['role_id'], unique=False)
-    op.create_table('repositoryactioncount',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('repository_id', sa.Integer(), nullable=False),
-    sa.Column('count', sa.Integer(), nullable=False),
-    sa.Column('date', sa.Date(), nullable=False),
-    sa.ForeignKeyConstraint(['repository_id'], ['repository.id'], name=op.f('fk_repositoryactioncount_repository_id_repository')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_repositoryactioncount'))
+    op.create_index(
+        "federatedlogin_service_id_user_id",
+        "federatedlogin",
+        ["service_id", "user_id"],
+        unique=True,
     )
-    op.create_index('repositoryactioncount_date', 'repositoryactioncount', ['date'], unique=False)
-    op.create_index('repositoryactioncount_repository_id', 'repositoryactioncount', ['repository_id'], unique=False)
-    op.create_index('repositoryactioncount_repository_id_date', 'repositoryactioncount', ['repository_id', 'date'], unique=True)
-    op.create_table('repositoryauthorizedemail',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('repository_id', sa.Integer(), nullable=False),
-    sa.Column('email', sa.String(length=255), nullable=False),
-    sa.Column('code', sa.String(length=255), nullable=False),
-    sa.Column('confirmed', sa.Boolean(), nullable=False),
-    sa.ForeignKeyConstraint(['repository_id'], ['repository.id'], name=op.f('fk_repositoryauthorizedemail_repository_id_repository')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_repositoryauthorizedemail'))
+    op.create_index(
+        "federatedlogin_user_id", "federatedlogin", ["user_id"], unique=False
     )
-    op.create_index('repositoryauthorizedemail_code', 'repositoryauthorizedemail', ['code'], unique=True)
-    op.create_index('repositoryauthorizedemail_email_repository_id', 'repositoryauthorizedemail', ['email', 'repository_id'], unique=True)
-    op.create_index('repositoryauthorizedemail_repository_id', 'repositoryauthorizedemail', ['repository_id'], unique=False)
-    op.create_table('repositorynotification',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('uuid', sa.String(length=255), nullable=False),
-    sa.Column('repository_id', sa.Integer(), nullable=False),
-    sa.Column('event_id', sa.Integer(), nullable=False),
-    sa.Column('method_id', sa.Integer(), nullable=False),
-    sa.Column('title', sa.String(length=255), nullable=True),
-    sa.Column('config_json', sa.Text(), nullable=False),
-    sa.Column('event_config_json', UTF8LongText(), nullable=False),
-    sa.ForeignKeyConstraint(['event_id'], ['externalnotificationevent.id'], name=op.f('fk_repositorynotification_event_id_externalnotificationevent')),
-    sa.ForeignKeyConstraint(['method_id'], ['externalnotificationmethod.id'], name=op.f('fk_repositorynotification_method_id_externalnotificationmethod')),
-    sa.ForeignKeyConstraint(['repository_id'], ['repository.id'], name=op.f('fk_repositorynotification_repository_id_repository')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_repositorynotification'))
+    op.create_table(
+        "imagestorageplacement",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("storage_id", sa.Integer(), nullable=False),
+        sa.Column("location_id", sa.Integer(), nullable=False),
+        sa.ForeignKeyConstraint(
+            ["location_id"],
+            ["imagestoragelocation.id"],
+            name=op.f("fk_imagestorageplacement_location_id_imagestoragelocation"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["storage_id"],
+            ["imagestorage.id"],
+            name=op.f("fk_imagestorageplacement_storage_id_imagestorage"),
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_imagestorageplacement")),
     )
-    op.create_index('repositorynotification_event_id', 'repositorynotification', ['event_id'], unique=False)
-    op.create_index('repositorynotification_method_id', 'repositorynotification', ['method_id'], unique=False)
-    op.create_index('repositorynotification_repository_id', 'repositorynotification', ['repository_id'], unique=False)
-    op.create_index('repositorynotification_uuid', 'repositorynotification', ['uuid'], unique=False)
-    op.create_table('repositorypermission',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('team_id', sa.Integer(), nullable=True),
-    sa.Column('user_id', sa.Integer(), nullable=True),
-    sa.Column('repository_id', sa.Integer(), nullable=False),
-    sa.Column('role_id', sa.Integer(), nullable=False),
-    sa.ForeignKeyConstraint(['repository_id'], ['repository.id'], name=op.f('fk_repositorypermission_repository_id_repository')),
-    sa.ForeignKeyConstraint(['role_id'], ['role.id'], name=op.f('fk_repositorypermission_role_id_role')),
-    sa.ForeignKeyConstraint(['team_id'], ['team.id'], name=op.f('fk_repositorypermission_team_id_team')),
-    sa.ForeignKeyConstraint(['user_id'], ['user.id'], name=op.f('fk_repositorypermission_user_id_user')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_repositorypermission'))
+    op.create_index(
+        "imagestorageplacement_location_id",
+        "imagestorageplacement",
+        ["location_id"],
+        unique=False,
     )
-    op.create_index('repositorypermission_repository_id', 'repositorypermission', ['repository_id'], unique=False)
-    op.create_index('repositorypermission_role_id', 'repositorypermission', ['role_id'], unique=False)
-    op.create_index('repositorypermission_team_id', 'repositorypermission', ['team_id'], unique=False)
-    op.create_index('repositorypermission_team_id_repository_id', 'repositorypermission', ['team_id', 'repository_id'], unique=True)
-    op.create_index('repositorypermission_user_id', 'repositorypermission', ['user_id'], unique=False)
-    op.create_index('repositorypermission_user_id_repository_id', 'repositorypermission', ['user_id', 'repository_id'], unique=True)
-    op.create_table('star',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('user_id', sa.Integer(), nullable=False),
-    sa.Column('repository_id', sa.Integer(), nullable=False),
-    sa.Column('created', sa.DateTime(), nullable=False),
-    sa.ForeignKeyConstraint(['repository_id'], ['repository.id'], name=op.f('fk_star_repository_id_repository')),
-    sa.ForeignKeyConstraint(['user_id'], ['user.id'], name=op.f('fk_star_user_id_user')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_star'))
+    op.create_index(
+        "imagestorageplacement_storage_id",
+        "imagestorageplacement",
+        ["storage_id"],
+        unique=False,
     )
-    op.create_index('star_repository_id', 'star', ['repository_id'], unique=False)
-    op.create_index('star_user_id', 'star', ['user_id'], unique=False)
-    op.create_index('star_user_id_repository_id', 'star', ['user_id', 'repository_id'], unique=True)
-    op.create_table('teammember',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('user_id', sa.Integer(), nullable=False),
-    sa.Column('team_id', sa.Integer(), nullable=False),
-    sa.ForeignKeyConstraint(['team_id'], ['team.id'], name=op.f('fk_teammember_team_id_team')),
-    sa.ForeignKeyConstraint(['user_id'], ['user.id'], name=op.f('fk_teammember_user_id_user')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_teammember'))
+    op.create_index(
+        "imagestorageplacement_storage_id_location_id",
+        "imagestorageplacement",
+        ["storage_id", "location_id"],
+        unique=True,
     )
-    op.create_index('teammember_team_id', 'teammember', ['team_id'], unique=False)
-    op.create_index('teammember_user_id', 'teammember', ['user_id'], unique=False)
-    op.create_index('teammember_user_id_team_id', 'teammember', ['user_id', 'team_id'], unique=True)
-    op.create_table('teammemberinvite',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('user_id', sa.Integer(), nullable=True),
-    sa.Column('email', sa.String(length=255), nullable=True),
-    sa.Column('team_id', sa.Integer(), nullable=False),
-    sa.Column('inviter_id', sa.Integer(), nullable=False),
-    sa.Column('invite_token', sa.String(length=255), nullable=False),
-    sa.ForeignKeyConstraint(['inviter_id'], ['user.id'], name=op.f('fk_teammemberinvite_inviter_id_user')),
-    sa.ForeignKeyConstraint(['team_id'], ['team.id'], name=op.f('fk_teammemberinvite_team_id_team')),
-    sa.ForeignKeyConstraint(['user_id'], ['user.id'], name=op.f('fk_teammemberinvite_user_id_user')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_teammemberinvite'))
+    op.create_table(
+        "imagestoragesignature",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("storage_id", sa.Integer(), nullable=False),
+        sa.Column("kind_id", sa.Integer(), nullable=False),
+        sa.Column("signature", sa.Text(), nullable=True),
+        sa.Column("uploading", sa.Boolean(), nullable=True),
+        sa.ForeignKeyConstraint(
+            ["kind_id"],
+            ["imagestoragesignaturekind.id"],
+            name=op.f("fk_imagestoragesignature_kind_id_imagestoragesignaturekind"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["storage_id"],
+            ["imagestorage.id"],
+            name=op.f("fk_imagestoragesignature_storage_id_imagestorage"),
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_imagestoragesignature")),
     )
-    op.create_index('teammemberinvite_inviter_id', 'teammemberinvite', ['inviter_id'], unique=False)
-    op.create_index('teammemberinvite_team_id', 'teammemberinvite', ['team_id'], unique=False)
-    op.create_index('teammemberinvite_user_id', 'teammemberinvite', ['user_id'], unique=False)
-    op.create_table('derivedstorageforimage',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('source_image_id', sa.Integer(), nullable=False),
-    sa.Column('derivative_id', sa.Integer(), nullable=False),
-    sa.Column('transformation_id', sa.Integer(), nullable=False),
-    sa.Column('uniqueness_hash', sa.String(length=255), nullable=True),
-    sa.ForeignKeyConstraint(['derivative_id'], ['imagestorage.id'], name=op.f('fk_derivedstorageforimage_derivative_id_imagestorage')),
-    sa.ForeignKeyConstraint(['source_image_id'], ['image.id'], name=op.f('fk_derivedstorageforimage_source_image_id_image')),
-    sa.ForeignKeyConstraint(['transformation_id'], ['imagestoragetransformation.id'], name=op.f('fk_derivedstorageforimage_transformation_constraint')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_derivedstorageforimage'))
+    op.create_index(
+        "imagestoragesignature_kind_id",
+        "imagestoragesignature",
+        ["kind_id"],
+        unique=False,
     )
-    op.create_index('derivedstorageforimage_derivative_id', 'derivedstorageforimage', ['derivative_id'], unique=False)
-    op.create_index('derivedstorageforimage_source_image_id', 'derivedstorageforimage', ['source_image_id'], unique=False)
-    op.create_index('uniqueness_index', 'derivedstorageforimage', ['source_image_id', 'transformation_id', 'uniqueness_hash'], unique=True)
-    op.create_index('derivedstorageforimage_transformation_id', 'derivedstorageforimage', ['transformation_id'], unique=False)
-    op.create_table('repositorybuildtrigger',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('uuid', sa.String(length=255), nullable=False),
-    sa.Column('service_id', sa.Integer(), nullable=False),
-    sa.Column('repository_id', sa.Integer(), nullable=False),
-    sa.Column('connected_user_id', sa.Integer(), nullable=False),
-    sa.Column('auth_token', sa.String(length=255), nullable=True),
-    sa.Column('private_key', sa.Text(), nullable=True),
-    sa.Column('config', sa.Text(), nullable=False),
-    sa.Column('write_token_id', sa.Integer(), nullable=True),
-    sa.Column('pull_robot_id', sa.Integer(), nullable=True),
-    sa.ForeignKeyConstraint(['connected_user_id'], ['user.id'], name=op.f('fk_repositorybuildtrigger_connected_user_id_user')),
-    sa.ForeignKeyConstraint(['pull_robot_id'], ['user.id'], name=op.f('fk_repositorybuildtrigger_pull_robot_id_user')),
-    sa.ForeignKeyConstraint(['repository_id'], ['repository.id'], name=op.f('fk_repositorybuildtrigger_repository_id_repository')),
-    sa.ForeignKeyConstraint(['service_id'], ['buildtriggerservice.id'], name=op.f('fk_repositorybuildtrigger_service_id_buildtriggerservice')),
-    sa.ForeignKeyConstraint(['write_token_id'], ['accesstoken.id'], name=op.f('fk_repositorybuildtrigger_write_token_id_accesstoken')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_repositorybuildtrigger'))
+    op.create_index(
+        "imagestoragesignature_kind_id_storage_id",
+        "imagestoragesignature",
+        ["kind_id", "storage_id"],
+        unique=True,
     )
-    op.create_index('repositorybuildtrigger_connected_user_id', 'repositorybuildtrigger', ['connected_user_id'], unique=False)
-    op.create_index('repositorybuildtrigger_pull_robot_id', 'repositorybuildtrigger', ['pull_robot_id'], unique=False)
-    op.create_index('repositorybuildtrigger_repository_id', 'repositorybuildtrigger', ['repository_id'], unique=False)
-    op.create_index('repositorybuildtrigger_service_id', 'repositorybuildtrigger', ['service_id'], unique=False)
-    op.create_index('repositorybuildtrigger_write_token_id', 'repositorybuildtrigger', ['write_token_id'], unique=False)
-    op.create_table('repositorytag',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('name', sa.String(length=255), nullable=False),
-    sa.Column('image_id', sa.Integer(), nullable=False),
-    sa.Column('repository_id', sa.Integer(), nullable=False),
-    sa.Column('lifetime_start_ts', sa.Integer(), nullable=False, server_default='0'),
-    sa.Column('lifetime_end_ts', sa.Integer(), nullable=True),
-    sa.Column('hidden', sa.Boolean(), nullable=False, server_default=sa.sql.expression.false()),
-    sa.Column('reversion', sa.Boolean(), nullable=False, server_default=sa.sql.expression.false()),
-    sa.ForeignKeyConstraint(['image_id'], ['image.id'], name=op.f('fk_repositorytag_image_id_image')),
-    sa.ForeignKeyConstraint(['repository_id'], ['repository.id'], name=op.f('fk_repositorytag_repository_id_repository')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_repositorytag'))
+    op.create_index(
+        "imagestoragesignature_storage_id",
+        "imagestoragesignature",
+        ["storage_id"],
+        unique=False,
     )
-    op.create_index('repositorytag_image_id', 'repositorytag', ['image_id'], unique=False)
-    op.create_index('repositorytag_lifetime_end_ts', 'repositorytag', ['lifetime_end_ts'], unique=False)
-    op.create_index('repositorytag_repository_id', 'repositorytag', ['repository_id'], unique=False)
-    op.create_index('repositorytag_repository_id_name', 'repositorytag', ['repository_id', 'name'], unique=False)
-    op.create_index('repositorytag_repository_id_name_lifetime_end_ts', 'repositorytag', ['repository_id', 'name', 'lifetime_end_ts'], unique=True)
-    op.create_table('repositorybuild',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('uuid', sa.String(length=255), nullable=False),
-    sa.Column('repository_id', sa.Integer(), nullable=False),
-    sa.Column('access_token_id', sa.Integer(), nullable=False),
-    sa.Column('resource_key', sa.String(length=255), nullable=True),
-    sa.Column('job_config', sa.Text(), nullable=False),
-    sa.Column('phase', sa.String(length=255), nullable=False),
-    sa.Column('started', sa.DateTime(), nullable=False),
-    sa.Column('display_name', sa.String(length=255), nullable=False),
-    sa.Column('trigger_id', sa.Integer(), nullable=True),
-    sa.Column('pull_robot_id', sa.Integer(), nullable=True),
-    sa.Column('logs_archived', sa.Boolean(), nullable=False, server_default=sa.sql.expression.false()),
-    sa.Column('queue_id', sa.String(length=255), nullable=True),
-    sa.ForeignKeyConstraint(['access_token_id'], ['accesstoken.id'], name=op.f('fk_repositorybuild_access_token_id_accesstoken')),
-    sa.ForeignKeyConstraint(['pull_robot_id'], ['user.id'], name=op.f('fk_repositorybuild_pull_robot_id_user')),
-    sa.ForeignKeyConstraint(['repository_id'], ['repository.id'], name=op.f('fk_repositorybuild_repository_id_repository')),
-    sa.ForeignKeyConstraint(['trigger_id'], ['repositorybuildtrigger.id'], name=op.f('fk_repositorybuild_trigger_id_repositorybuildtrigger')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_repositorybuild'))
+    op.create_table(
+        "label",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("uuid", sa.String(length=255), nullable=False),
+        sa.Column("key", UTF8CharField(length=255), nullable=False),
+        sa.Column("value", UTF8LongText(), nullable=False),
+        sa.Column("media_type_id", sa.Integer(), nullable=False),
+        sa.Column("source_type_id", sa.Integer(), nullable=False),
+        sa.ForeignKeyConstraint(
+            ["media_type_id"],
+            ["mediatype.id"],
+            name=op.f("fk_label_media_type_id_mediatype"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["source_type_id"],
+            ["labelsourcetype.id"],
+            name=op.f("fk_label_source_type_id_labelsourcetype"),
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_label")),
     )
-    op.create_index('repositorybuild_access_token_id', 'repositorybuild', ['access_token_id'], unique=False)
-    op.create_index('repositorybuild_pull_robot_id', 'repositorybuild', ['pull_robot_id'], unique=False)
-    op.create_index('repositorybuild_queue_id', 'repositorybuild', ['queue_id'], unique=False)
-    op.create_index('repositorybuild_repository_id', 'repositorybuild', ['repository_id'], unique=False)
-    op.create_index('repositorybuild_repository_id_started_phase', 'repositorybuild', ['repository_id', 'started', 'phase'], unique=False)
-    op.create_index('repositorybuild_resource_key', 'repositorybuild', ['resource_key'], unique=False)
-    op.create_index('repositorybuild_started', 'repositorybuild', ['started'], unique=False)
-    op.create_index('repositorybuild_started_logs_archived_phase', 'repositorybuild', ['started', 'logs_archived', 'phase'], unique=False)
-    op.create_index('repositorybuild_trigger_id', 'repositorybuild', ['trigger_id'], unique=False)
-    op.create_index('repositorybuild_uuid', 'repositorybuild', ['uuid'], unique=False)
-    op.create_table('tagmanifest',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('tag_id', sa.Integer(), nullable=False),
-    sa.Column('digest', sa.String(length=255), nullable=False),
-    sa.Column('json_data', UTF8LongText(), nullable=False),
-    sa.ForeignKeyConstraint(['tag_id'], ['repositorytag.id'], name=op.f('fk_tagmanifest_tag_id_repositorytag')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_tagmanifest'))
+    op.create_index("label_key", "label", ["key"], unique=False)
+    op.create_index("label_media_type_id", "label", ["media_type_id"], unique=False)
+    op.create_index("label_source_type_id", "label", ["source_type_id"], unique=False)
+    op.create_index("label_uuid", "label", ["uuid"], unique=True)
+    op.create_table(
+        "logentry",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("kind_id", sa.Integer(), nullable=False),
+        sa.Column("account_id", sa.Integer(), nullable=False),
+        sa.Column("performer_id", sa.Integer(), nullable=True),
+        sa.Column("repository_id", sa.Integer(), nullable=True),
+        sa.Column("datetime", sa.DateTime(), nullable=False),
+        sa.Column("ip", sa.String(length=255), nullable=True),
+        sa.Column("metadata_json", sa.Text(), nullable=False),
+        sa.ForeignKeyConstraint(
+            ["kind_id"],
+            ["logentrykind.id"],
+            name=op.f("fk_logentry_kind_id_logentrykind"),
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_logentry")),
     )
-    op.create_index('tagmanifest_digest', 'tagmanifest', ['digest'], unique=False)
-    op.create_index('tagmanifest_tag_id', 'tagmanifest', ['tag_id'], unique=True)
-    op.create_table('tagmanifestlabel',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('repository_id', sa.Integer(), nullable=False),
-    sa.Column('annotated_id', sa.Integer(), nullable=False),
-    sa.Column('label_id', sa.Integer(), nullable=False),
-    sa.ForeignKeyConstraint(['annotated_id'], ['tagmanifest.id'], name=op.f('fk_tagmanifestlabel_annotated_id_tagmanifest')),
-    sa.ForeignKeyConstraint(['label_id'], ['label.id'], name=op.f('fk_tagmanifestlabel_label_id_label')),
-    sa.ForeignKeyConstraint(['repository_id'], ['repository.id'], name=op.f('fk_tagmanifestlabel_repository_id_repository')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_tagmanifestlabel'))
+    op.create_index("logentry_account_id", "logentry", ["account_id"], unique=False)
+    op.create_index(
+        "logentry_account_id_datetime",
+        "logentry",
+        ["account_id", "datetime"],
+        unique=False,
+    )
+    op.create_index("logentry_datetime", "logentry", ["datetime"], unique=False)
+    op.create_index("logentry_kind_id", "logentry", ["kind_id"], unique=False)
+    op.create_index("logentry_performer_id", "logentry", ["performer_id"], unique=False)
+    op.create_index(
+        "logentry_performer_id_datetime",
+        "logentry",
+        ["performer_id", "datetime"],
+        unique=False,
+    )
+    op.create_index(
+        "logentry_repository_id", "logentry", ["repository_id"], unique=False
+    )
+    op.create_index(
+        "logentry_repository_id_datetime",
+        "logentry",
+        ["repository_id", "datetime"],
+        unique=False,
+    )
+    op.create_index(
+        "logentry_repository_id_datetime_kind_id",
+        "logentry",
+        ["repository_id", "datetime", "kind_id"],
+        unique=False,
+    )
+    op.create_table(
+        "notification",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("uuid", sa.String(length=255), nullable=False),
+        sa.Column("kind_id", sa.Integer(), nullable=False),
+        sa.Column("target_id", sa.Integer(), nullable=False),
+        sa.Column("metadata_json", sa.Text(), nullable=False),
+        sa.Column("created", sa.DateTime(), nullable=False),
+        sa.Column("dismissed", sa.Boolean(), nullable=False),
+        sa.Column("lookup_path", sa.String(length=255), nullable=True),
+        sa.ForeignKeyConstraint(
+            ["kind_id"],
+            ["notificationkind.id"],
+            name=op.f("fk_notification_kind_id_notificationkind"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["target_id"], ["user.id"], name=op.f("fk_notification_target_id_user")
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_notification")),
+    )
+    op.create_index("notification_created", "notification", ["created"], unique=False)
+    op.create_index("notification_kind_id", "notification", ["kind_id"], unique=False)
+    op.create_index(
+        "notification_lookup_path", "notification", ["lookup_path"], unique=False
+    )
+    op.create_index(
+        "notification_target_id", "notification", ["target_id"], unique=False
+    )
+    op.create_index("notification_uuid", "notification", ["uuid"], unique=False)
+    op.create_table(
+        "oauthapplication",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("client_id", sa.String(length=255), nullable=False),
+        sa.Column("client_secret", sa.String(length=255), nullable=False),
+        sa.Column("redirect_uri", sa.String(length=255), nullable=False),
+        sa.Column("application_uri", sa.String(length=255), nullable=False),
+        sa.Column("organization_id", sa.Integer(), nullable=False),
+        sa.Column("name", sa.String(length=255), nullable=False),
+        sa.Column("description", sa.Text(), nullable=False),
+        sa.Column("gravatar_email", sa.String(length=255), nullable=True),
+        sa.ForeignKeyConstraint(
+            ["organization_id"],
+            ["user.id"],
+            name=op.f("fk_oauthapplication_organization_id_user"),
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_oauthapplication")),
+    )
+    op.create_index(
+        "oauthapplication_client_id", "oauthapplication", ["client_id"], unique=False
+    )
+    op.create_index(
+        "oauthapplication_organization_id",
+        "oauthapplication",
+        ["organization_id"],
+        unique=False,
+    )
+    op.create_table(
+        "quayrelease",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("service_id", sa.Integer(), nullable=False),
+        sa.Column("version", sa.String(length=255), nullable=False),
+        sa.Column("region_id", sa.Integer(), nullable=False),
+        sa.Column("reverted", sa.Boolean(), nullable=False),
+        sa.Column("created", sa.DateTime(), nullable=False),
+        sa.ForeignKeyConstraint(
+            ["region_id"],
+            ["quayregion.id"],
+            name=op.f("fk_quayrelease_region_id_quayregion"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["service_id"],
+            ["quayservice.id"],
+            name=op.f("fk_quayrelease_service_id_quayservice"),
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_quayrelease")),
+    )
+    op.create_index("quayrelease_created", "quayrelease", ["created"], unique=False)
+    op.create_index("quayrelease_region_id", "quayrelease", ["region_id"], unique=False)
+    op.create_index(
+        "quayrelease_service_id", "quayrelease", ["service_id"], unique=False
+    )
+    op.create_index(
+        "quayrelease_service_id_region_id_created",
+        "quayrelease",
+        ["service_id", "region_id", "created"],
+        unique=False,
+    )
+    op.create_index(
+        "quayrelease_service_id_version_region_id",
+        "quayrelease",
+        ["service_id", "version", "region_id"],
+        unique=True,
+    )
+    op.create_table(
+        "repository",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("namespace_user_id", sa.Integer(), nullable=True),
+        sa.Column("name", sa.String(length=255), nullable=False),
+        sa.Column("visibility_id", sa.Integer(), nullable=False),
+        sa.Column("description", sa.Text(), nullable=True),
+        sa.Column("badge_token", sa.String(length=255), nullable=False),
+        sa.ForeignKeyConstraint(
+            ["namespace_user_id"],
+            ["user.id"],
+            name=op.f("fk_repository_namespace_user_id_user"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["visibility_id"],
+            ["visibility.id"],
+            name=op.f("fk_repository_visibility_id_visibility"),
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_repository")),
+    )
+    op.create_index(
+        "repository_namespace_user_id",
+        "repository",
+        ["namespace_user_id"],
+        unique=False,
+    )
+    op.create_index(
+        "repository_namespace_user_id_name",
+        "repository",
+        ["namespace_user_id", "name"],
+        unique=True,
+    )
+    op.create_index(
+        "repository_visibility_id", "repository", ["visibility_id"], unique=False
+    )
+    op.create_table(
+        "servicekey",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("name", sa.String(length=255), nullable=False),
+        sa.Column("kid", sa.String(length=255), nullable=False),
+        sa.Column("service", sa.String(length=255), nullable=False),
+        sa.Column("jwk", UTF8LongText(), nullable=False),
+        sa.Column("metadata", UTF8LongText(), nullable=False),
+        sa.Column("created_date", sa.DateTime(), nullable=False),
+        sa.Column("expiration_date", sa.DateTime(), nullable=True),
+        sa.Column("rotation_duration", sa.Integer(), nullable=True),
+        sa.Column("approval_id", sa.Integer(), nullable=True),
+        sa.ForeignKeyConstraint(
+            ["approval_id"],
+            ["servicekeyapproval.id"],
+            name=op.f("fk_servicekey_approval_id_servicekeyapproval"),
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_servicekey")),
+    )
+    op.create_index(
+        "servicekey_approval_id", "servicekey", ["approval_id"], unique=False
+    )
+    op.create_index("servicekey_kid", "servicekey", ["kid"], unique=True)
+    op.create_index("servicekey_service", "servicekey", ["service"], unique=False)
+    op.create_table(
+        "team",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("name", sa.String(length=255), nullable=False),
+        sa.Column("organization_id", sa.Integer(), nullable=False),
+        sa.Column("role_id", sa.Integer(), nullable=False),
+        sa.Column("description", sa.Text(), nullable=False),
+        sa.ForeignKeyConstraint(
+            ["organization_id"], ["user.id"], name=op.f("fk_team_organization_id_user")
+        ),
+        sa.ForeignKeyConstraint(
+            ["role_id"], ["teamrole.id"], name=op.f("fk_team_role_id_teamrole")
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_team")),
+    )
+    op.create_index("team_name", "team", ["name"], unique=False)
+    op.create_index(
+        "team_name_organization_id", "team", ["name", "organization_id"], unique=True
+    )
+    op.create_index("team_organization_id", "team", ["organization_id"], unique=False)
+    op.create_index("team_role_id", "team", ["role_id"], unique=False)
+    op.create_table(
+        "torrentinfo",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("storage_id", sa.Integer(), nullable=False),
+        sa.Column("piece_length", sa.Integer(), nullable=False),
+        sa.Column("pieces", sa.Text(), nullable=False),
+        sa.ForeignKeyConstraint(
+            ["storage_id"],
+            ["imagestorage.id"],
+            name=op.f("fk_torrentinfo_storage_id_imagestorage"),
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_torrentinfo")),
+    )
+    op.create_index(
+        "torrentinfo_storage_id", "torrentinfo", ["storage_id"], unique=False
+    )
+    op.create_index(
+        "torrentinfo_storage_id_piece_length",
+        "torrentinfo",
+        ["storage_id", "piece_length"],
+        unique=True,
+    )
+    op.create_table(
+        "userregion",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("user_id", sa.Integer(), nullable=False),
+        sa.Column("location_id", sa.Integer(), nullable=False),
+        sa.ForeignKeyConstraint(
+            ["location_id"],
+            ["imagestoragelocation.id"],
+            name=op.f("fk_userregion_location_id_imagestoragelocation"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["user_id"], ["user.id"], name=op.f("fk_userregion_user_id_user")
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_userregion")),
+    )
+    op.create_index(
+        "userregion_location_id", "userregion", ["location_id"], unique=False
+    )
+    op.create_index("userregion_user_id", "userregion", ["user_id"], unique=False)
+    op.create_table(
+        "accesstoken",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("friendly_name", sa.String(length=255), nullable=True),
+        sa.Column("code", sa.String(length=255), nullable=False),
+        sa.Column("repository_id", sa.Integer(), nullable=False),
+        sa.Column("created", sa.DateTime(), nullable=False),
+        sa.Column("role_id", sa.Integer(), nullable=False),
+        sa.Column("temporary", sa.Boolean(), nullable=False),
+        sa.Column("kind_id", sa.Integer(), nullable=True),
+        sa.ForeignKeyConstraint(
+            ["kind_id"],
+            ["accesstokenkind.id"],
+            name=op.f("fk_accesstoken_kind_id_accesstokenkind"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["repository_id"],
+            ["repository.id"],
+            name=op.f("fk_accesstoken_repository_id_repository"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["role_id"], ["role.id"], name=op.f("fk_accesstoken_role_id_role")
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_accesstoken")),
+    )
+    op.create_index("accesstoken_code", "accesstoken", ["code"], unique=True)
+    op.create_index("accesstoken_kind_id", "accesstoken", ["kind_id"], unique=False)
+    op.create_index(
+        "accesstoken_repository_id", "accesstoken", ["repository_id"], unique=False
+    )
+    op.create_index("accesstoken_role_id", "accesstoken", ["role_id"], unique=False)
+    op.create_table(
+        "blobupload",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("repository_id", sa.Integer(), nullable=False),
+        sa.Column("uuid", sa.String(length=255), nullable=False),
+        sa.Column("byte_count", sa.Integer(), nullable=False),
+        sa.Column("sha_state", sa.Text(), nullable=True),
+        sa.Column("location_id", sa.Integer(), nullable=False),
+        sa.Column("storage_metadata", sa.Text(), nullable=True),
+        sa.Column("chunk_count", sa.Integer(), nullable=False, server_default="0"),
+        sa.Column("uncompressed_byte_count", sa.Integer(), nullable=True),
+        sa.Column(
+            "created", sa.DateTime(), nullable=False, server_default=sa.text(now)
+        ),
+        sa.Column("piece_sha_state", UTF8LongText(), nullable=True),
+        sa.Column("piece_hashes", UTF8LongText(), nullable=True),
+        sa.ForeignKeyConstraint(
+            ["location_id"],
+            ["imagestoragelocation.id"],
+            name=op.f("fk_blobupload_location_id_imagestoragelocation"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["repository_id"],
+            ["repository.id"],
+            name=op.f("fk_blobupload_repository_id_repository"),
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_blobupload")),
+    )
+    op.create_index("blobupload_created", "blobupload", ["created"], unique=False)
+    op.create_index(
+        "blobupload_location_id", "blobupload", ["location_id"], unique=False
+    )
+    op.create_index(
+        "blobupload_repository_id", "blobupload", ["repository_id"], unique=False
+    )
+    op.create_index(
+        "blobupload_repository_id_uuid",
+        "blobupload",
+        ["repository_id", "uuid"],
+        unique=True,
+    )
+    op.create_index("blobupload_uuid", "blobupload", ["uuid"], unique=True)
+    op.create_table(
+        "image",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("docker_image_id", sa.String(length=255), nullable=False),
+        sa.Column("repository_id", sa.Integer(), nullable=False),
+        sa.Column("ancestors", sa.String(length=60535), nullable=True),
+        sa.Column("storage_id", sa.Integer(), nullable=True),
+        sa.Column("created", sa.DateTime(), nullable=True),
+        sa.Column("comment", UTF8LongText(), nullable=True),
+        sa.Column("command", sa.Text(), nullable=True),
+        sa.Column("aggregate_size", sa.BigInteger(), nullable=True),
+        sa.Column("v1_json_metadata", UTF8LongText(), nullable=True),
+        sa.Column("v1_checksum", sa.String(length=255), nullable=True),
+        sa.Column(
+            "security_indexed",
+            sa.Boolean(),
+            nullable=False,
+            server_default=sa.sql.expression.false(),
+        ),
+        sa.Column(
+            "security_indexed_engine", sa.Integer(), nullable=False, server_default="-1"
+        ),
+        sa.Column("parent_id", sa.Integer(), nullable=True),
+        sa.ForeignKeyConstraint(
+            ["repository_id"],
+            ["repository.id"],
+            name=op.f("fk_image_repository_id_repository"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["storage_id"],
+            ["imagestorage.id"],
+            name=op.f("fk_image_storage_id_imagestorage"),
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_image")),
+    )
+    op.create_index(
+        "image_ancestors", "image", ["ancestors"], unique=False, mysql_length=767
+    )
+    op.create_index("image_docker_image_id", "image", ["docker_image_id"], unique=False)
+    op.create_index("image_parent_id", "image", ["parent_id"], unique=False)
+    op.create_index("image_repository_id", "image", ["repository_id"], unique=False)
+    op.create_index(
+        "image_repository_id_docker_image_id",
+        "image",
+        ["repository_id", "docker_image_id"],
+        unique=True,
+    )
+    op.create_index(
+        "image_security_indexed", "image", ["security_indexed"], unique=False
+    )
+    op.create_index(
+        "image_security_indexed_engine",
+        "image",
+        ["security_indexed_engine"],
+        unique=False,
+    )
+    op.create_index(
+        "image_security_indexed_engine_security_indexed",
+        "image",
+        ["security_indexed_engine", "security_indexed"],
+        unique=False,
+    )
+    op.create_index("image_storage_id", "image", ["storage_id"], unique=False)
+    op.create_table(
+        "oauthaccesstoken",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("uuid", sa.String(length=255), nullable=False),
+        sa.Column("application_id", sa.Integer(), nullable=False),
+        sa.Column("authorized_user_id", sa.Integer(), nullable=False),
+        sa.Column("scope", sa.String(length=255), nullable=False),
+        sa.Column("access_token", sa.String(length=255), nullable=False),
+        sa.Column("token_type", sa.String(length=255), nullable=False),
+        sa.Column("expires_at", sa.DateTime(), nullable=False),
+        sa.Column("refresh_token", sa.String(length=255), nullable=True),
+        sa.Column("data", sa.Text(), nullable=False),
+        sa.ForeignKeyConstraint(
+            ["application_id"],
+            ["oauthapplication.id"],
+            name=op.f("fk_oauthaccesstoken_application_id_oauthapplication"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["authorized_user_id"],
+            ["user.id"],
+            name=op.f("fk_oauthaccesstoken_authorized_user_id_user"),
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_oauthaccesstoken")),
+    )
+    op.create_index(
+        "oauthaccesstoken_access_token",
+        "oauthaccesstoken",
+        ["access_token"],
+        unique=False,
+    )
+    op.create_index(
+        "oauthaccesstoken_application_id",
+        "oauthaccesstoken",
+        ["application_id"],
+        unique=False,
+    )
+    op.create_index(
+        "oauthaccesstoken_authorized_user_id",
+        "oauthaccesstoken",
+        ["authorized_user_id"],
+        unique=False,
+    )
+    op.create_index(
+        "oauthaccesstoken_refresh_token",
+        "oauthaccesstoken",
+        ["refresh_token"],
+        unique=False,
+    )
+    op.create_index("oauthaccesstoken_uuid", "oauthaccesstoken", ["uuid"], unique=False)
+    op.create_table(
+        "oauthauthorizationcode",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("application_id", sa.Integer(), nullable=False),
+        sa.Column("code", sa.String(length=255), nullable=False),
+        sa.Column("scope", sa.String(length=255), nullable=False),
+        sa.Column("data", sa.Text(), nullable=False),
+        sa.ForeignKeyConstraint(
+            ["application_id"],
+            ["oauthapplication.id"],
+            name=op.f("fk_oauthauthorizationcode_application_id_oauthapplication"),
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_oauthauthorizationcode")),
+    )
+    op.create_index(
+        "oauthauthorizationcode_application_id",
+        "oauthauthorizationcode",
+        ["application_id"],
+        unique=False,
+    )
+    op.create_index(
+        "oauthauthorizationcode_code", "oauthauthorizationcode", ["code"], unique=False
+    )
+    op.create_table(
+        "permissionprototype",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("org_id", sa.Integer(), nullable=False),
+        sa.Column("uuid", sa.String(length=255), nullable=False),
+        sa.Column("activating_user_id", sa.Integer(), nullable=True),
+        sa.Column("delegate_user_id", sa.Integer(), nullable=True),
+        sa.Column("delegate_team_id", sa.Integer(), nullable=True),
+        sa.Column("role_id", sa.Integer(), nullable=False),
+        sa.ForeignKeyConstraint(
+            ["activating_user_id"],
+            ["user.id"],
+            name=op.f("fk_permissionprototype_activating_user_id_user"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["delegate_team_id"],
+            ["team.id"],
+            name=op.f("fk_permissionprototype_delegate_team_id_team"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["delegate_user_id"],
+            ["user.id"],
+            name=op.f("fk_permissionprototype_delegate_user_id_user"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["org_id"], ["user.id"], name=op.f("fk_permissionprototype_org_id_user")
+        ),
+        sa.ForeignKeyConstraint(
+            ["role_id"], ["role.id"], name=op.f("fk_permissionprototype_role_id_role")
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_permissionprototype")),
+    )
+    op.create_index(
+        "permissionprototype_activating_user_id",
+        "permissionprototype",
+        ["activating_user_id"],
+        unique=False,
+    )
+    op.create_index(
+        "permissionprototype_delegate_team_id",
+        "permissionprototype",
+        ["delegate_team_id"],
+        unique=False,
+    )
+    op.create_index(
+        "permissionprototype_delegate_user_id",
+        "permissionprototype",
+        ["delegate_user_id"],
+        unique=False,
+    )
+    op.create_index(
+        "permissionprototype_org_id", "permissionprototype", ["org_id"], unique=False
+    )
+    op.create_index(
+        "permissionprototype_org_id_activating_user_id",
+        "permissionprototype",
+        ["org_id", "activating_user_id"],
+        unique=False,
+    )
+    op.create_index(
+        "permissionprototype_role_id", "permissionprototype", ["role_id"], unique=False
+    )
+    op.create_table(
+        "repositoryactioncount",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("repository_id", sa.Integer(), nullable=False),
+        sa.Column("count", sa.Integer(), nullable=False),
+        sa.Column("date", sa.Date(), nullable=False),
+        sa.ForeignKeyConstraint(
+            ["repository_id"],
+            ["repository.id"],
+            name=op.f("fk_repositoryactioncount_repository_id_repository"),
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_repositoryactioncount")),
+    )
+    op.create_index(
+        "repositoryactioncount_date", "repositoryactioncount", ["date"], unique=False
+    )
+    op.create_index(
+        "repositoryactioncount_repository_id",
+        "repositoryactioncount",
+        ["repository_id"],
+        unique=False,
+    )
+    op.create_index(
+        "repositoryactioncount_repository_id_date",
+        "repositoryactioncount",
+        ["repository_id", "date"],
+        unique=True,
+    )
+    op.create_table(
+        "repositoryauthorizedemail",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("repository_id", sa.Integer(), nullable=False),
+        sa.Column("email", sa.String(length=255), nullable=False),
+        sa.Column("code", sa.String(length=255), nullable=False),
+        sa.Column("confirmed", sa.Boolean(), nullable=False),
+        sa.ForeignKeyConstraint(
+            ["repository_id"],
+            ["repository.id"],
+            name=op.f("fk_repositoryauthorizedemail_repository_id_repository"),
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_repositoryauthorizedemail")),
+    )
+    op.create_index(
+        "repositoryauthorizedemail_code",
+        "repositoryauthorizedemail",
+        ["code"],
+        unique=True,
+    )
+    op.create_index(
+        "repositoryauthorizedemail_email_repository_id",
+        "repositoryauthorizedemail",
+        ["email", "repository_id"],
+        unique=True,
+    )
+    op.create_index(
+        "repositoryauthorizedemail_repository_id",
+        "repositoryauthorizedemail",
+        ["repository_id"],
+        unique=False,
+    )
+    op.create_table(
+        "repositorynotification",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("uuid", sa.String(length=255), nullable=False),
+        sa.Column("repository_id", sa.Integer(), nullable=False),
+        sa.Column("event_id", sa.Integer(), nullable=False),
+        sa.Column("method_id", sa.Integer(), nullable=False),
+        sa.Column("title", sa.String(length=255), nullable=True),
+        sa.Column("config_json", sa.Text(), nullable=False),
+        sa.Column("event_config_json", UTF8LongText(), nullable=False),
+        sa.ForeignKeyConstraint(
+            ["event_id"],
+            ["externalnotificationevent.id"],
+            name=op.f("fk_repositorynotification_event_id_externalnotificationevent"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["method_id"],
+            ["externalnotificationmethod.id"],
+            name=op.f("fk_repositorynotification_method_id_externalnotificationmethod"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["repository_id"],
+            ["repository.id"],
+            name=op.f("fk_repositorynotification_repository_id_repository"),
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_repositorynotification")),
+    )
+    op.create_index(
+        "repositorynotification_event_id",
+        "repositorynotification",
+        ["event_id"],
+        unique=False,
+    )
+    op.create_index(
+        "repositorynotification_method_id",
+        "repositorynotification",
+        ["method_id"],
+        unique=False,
+    )
+    op.create_index(
+        "repositorynotification_repository_id",
+        "repositorynotification",
+        ["repository_id"],
+        unique=False,
+    )
+    op.create_index(
+        "repositorynotification_uuid", "repositorynotification", ["uuid"], unique=False
+    )
+    op.create_table(
+        "repositorypermission",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("team_id", sa.Integer(), nullable=True),
+        sa.Column("user_id", sa.Integer(), nullable=True),
+        sa.Column("repository_id", sa.Integer(), nullable=False),
+        sa.Column("role_id", sa.Integer(), nullable=False),
+        sa.ForeignKeyConstraint(
+            ["repository_id"],
+            ["repository.id"],
+            name=op.f("fk_repositorypermission_repository_id_repository"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["role_id"], ["role.id"], name=op.f("fk_repositorypermission_role_id_role")
+        ),
+        sa.ForeignKeyConstraint(
+            ["team_id"], ["team.id"], name=op.f("fk_repositorypermission_team_id_team")
+        ),
+        sa.ForeignKeyConstraint(
+            ["user_id"], ["user.id"], name=op.f("fk_repositorypermission_user_id_user")
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_repositorypermission")),
+    )
+    op.create_index(
+        "repositorypermission_repository_id",
+        "repositorypermission",
+        ["repository_id"],
+        unique=False,
+    )
+    op.create_index(
+        "repositorypermission_role_id",
+        "repositorypermission",
+        ["role_id"],
+        unique=False,
+    )
+    op.create_index(
+        "repositorypermission_team_id",
+        "repositorypermission",
+        ["team_id"],
+        unique=False,
+    )
+    op.create_index(
+        "repositorypermission_team_id_repository_id",
+        "repositorypermission",
+        ["team_id", "repository_id"],
+        unique=True,
+    )
+    op.create_index(
+        "repositorypermission_user_id",
+        "repositorypermission",
+        ["user_id"],
+        unique=False,
+    )
+    op.create_index(
+        "repositorypermission_user_id_repository_id",
+        "repositorypermission",
+        ["user_id", "repository_id"],
+        unique=True,
+    )
+    op.create_table(
+        "star",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("user_id", sa.Integer(), nullable=False),
+        sa.Column("repository_id", sa.Integer(), nullable=False),
+        sa.Column("created", sa.DateTime(), nullable=False),
+        sa.ForeignKeyConstraint(
+            ["repository_id"],
+            ["repository.id"],
+            name=op.f("fk_star_repository_id_repository"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["user_id"], ["user.id"], name=op.f("fk_star_user_id_user")
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_star")),
+    )
+    op.create_index("star_repository_id", "star", ["repository_id"], unique=False)
+    op.create_index("star_user_id", "star", ["user_id"], unique=False)
+    op.create_index(
+        "star_user_id_repository_id", "star", ["user_id", "repository_id"], unique=True
+    )
+    op.create_table(
+        "teammember",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("user_id", sa.Integer(), nullable=False),
+        sa.Column("team_id", sa.Integer(), nullable=False),
+        sa.ForeignKeyConstraint(
+            ["team_id"], ["team.id"], name=op.f("fk_teammember_team_id_team")
+        ),
+        sa.ForeignKeyConstraint(
+            ["user_id"], ["user.id"], name=op.f("fk_teammember_user_id_user")
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_teammember")),
+    )
+    op.create_index("teammember_team_id", "teammember", ["team_id"], unique=False)
+    op.create_index("teammember_user_id", "teammember", ["user_id"], unique=False)
+    op.create_index(
+        "teammember_user_id_team_id", "teammember", ["user_id", "team_id"], unique=True
+    )
+    op.create_table(
+        "teammemberinvite",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("user_id", sa.Integer(), nullable=True),
+        sa.Column("email", sa.String(length=255), nullable=True),
+        sa.Column("team_id", sa.Integer(), nullable=False),
+        sa.Column("inviter_id", sa.Integer(), nullable=False),
+        sa.Column("invite_token", sa.String(length=255), nullable=False),
+        sa.ForeignKeyConstraint(
+            ["inviter_id"],
+            ["user.id"],
+            name=op.f("fk_teammemberinvite_inviter_id_user"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["team_id"], ["team.id"], name=op.f("fk_teammemberinvite_team_id_team")
+        ),
+        sa.ForeignKeyConstraint(
+            ["user_id"], ["user.id"], name=op.f("fk_teammemberinvite_user_id_user")
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_teammemberinvite")),
+    )
+    op.create_index(
+        "teammemberinvite_inviter_id", "teammemberinvite", ["inviter_id"], unique=False
+    )
+    op.create_index(
+        "teammemberinvite_team_id", "teammemberinvite", ["team_id"], unique=False
+    )
+    op.create_index(
+        "teammemberinvite_user_id", "teammemberinvite", ["user_id"], unique=False
+    )
+    op.create_table(
+        "derivedstorageforimage",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("source_image_id", sa.Integer(), nullable=False),
+        sa.Column("derivative_id", sa.Integer(), nullable=False),
+        sa.Column("transformation_id", sa.Integer(), nullable=False),
+        sa.Column("uniqueness_hash", sa.String(length=255), nullable=True),
+        sa.ForeignKeyConstraint(
+            ["derivative_id"],
+            ["imagestorage.id"],
+            name=op.f("fk_derivedstorageforimage_derivative_id_imagestorage"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["source_image_id"],
+            ["image.id"],
+            name=op.f("fk_derivedstorageforimage_source_image_id_image"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["transformation_id"],
+            ["imagestoragetransformation.id"],
+            name=op.f("fk_derivedstorageforimage_transformation_constraint"),
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_derivedstorageforimage")),
+    )
+    op.create_index(
+        "derivedstorageforimage_derivative_id",
+        "derivedstorageforimage",
+        ["derivative_id"],
+        unique=False,
+    )
+    op.create_index(
+        "derivedstorageforimage_source_image_id",
+        "derivedstorageforimage",
+        ["source_image_id"],
+        unique=False,
+    )
+    op.create_index(
+        "uniqueness_index",
+        "derivedstorageforimage",
+        ["source_image_id", "transformation_id", "uniqueness_hash"],
+        unique=True,
+    )
+    op.create_index(
+        "derivedstorageforimage_transformation_id",
+        "derivedstorageforimage",
+        ["transformation_id"],
+        unique=False,
+    )
+    op.create_table(
+        "repositorybuildtrigger",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("uuid", sa.String(length=255), nullable=False),
+        sa.Column("service_id", sa.Integer(), nullable=False),
+        sa.Column("repository_id", sa.Integer(), nullable=False),
+        sa.Column("connected_user_id", sa.Integer(), nullable=False),
+        sa.Column("auth_token", sa.String(length=255), nullable=True),
+        sa.Column("private_key", sa.Text(), nullable=True),
+        sa.Column("config", sa.Text(), nullable=False),
+        sa.Column("write_token_id", sa.Integer(), nullable=True),
+        sa.Column("pull_robot_id", sa.Integer(), nullable=True),
+        sa.ForeignKeyConstraint(
+            ["connected_user_id"],
+            ["user.id"],
+            name=op.f("fk_repositorybuildtrigger_connected_user_id_user"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["pull_robot_id"],
+            ["user.id"],
+            name=op.f("fk_repositorybuildtrigger_pull_robot_id_user"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["repository_id"],
+            ["repository.id"],
+            name=op.f("fk_repositorybuildtrigger_repository_id_repository"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["service_id"],
+            ["buildtriggerservice.id"],
+            name=op.f("fk_repositorybuildtrigger_service_id_buildtriggerservice"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["write_token_id"],
+            ["accesstoken.id"],
+            name=op.f("fk_repositorybuildtrigger_write_token_id_accesstoken"),
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_repositorybuildtrigger")),
+    )
+    op.create_index(
+        "repositorybuildtrigger_connected_user_id",
+        "repositorybuildtrigger",
+        ["connected_user_id"],
+        unique=False,
+    )
+    op.create_index(
+        "repositorybuildtrigger_pull_robot_id",
+        "repositorybuildtrigger",
+        ["pull_robot_id"],
+        unique=False,
+    )
+    op.create_index(
+        "repositorybuildtrigger_repository_id",
+        "repositorybuildtrigger",
+        ["repository_id"],
+        unique=False,
+    )
+    op.create_index(
+        "repositorybuildtrigger_service_id",
+        "repositorybuildtrigger",
+        ["service_id"],
+        unique=False,
+    )
+    op.create_index(
+        "repositorybuildtrigger_write_token_id",
+        "repositorybuildtrigger",
+        ["write_token_id"],
+        unique=False,
+    )
+    op.create_table(
+        "repositorytag",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("name", sa.String(length=255), nullable=False),
+        sa.Column("image_id", sa.Integer(), nullable=False),
+        sa.Column("repository_id", sa.Integer(), nullable=False),
+        sa.Column(
+            "lifetime_start_ts", sa.Integer(), nullable=False, server_default="0"
+        ),
+        sa.Column("lifetime_end_ts", sa.Integer(), nullable=True),
+        sa.Column(
+            "hidden",
+            sa.Boolean(),
+            nullable=False,
+            server_default=sa.sql.expression.false(),
+        ),
+        sa.Column(
+            "reversion",
+            sa.Boolean(),
+            nullable=False,
+            server_default=sa.sql.expression.false(),
+        ),
+        sa.ForeignKeyConstraint(
+            ["image_id"], ["image.id"], name=op.f("fk_repositorytag_image_id_image")
+        ),
+        sa.ForeignKeyConstraint(
+            ["repository_id"],
+            ["repository.id"],
+            name=op.f("fk_repositorytag_repository_id_repository"),
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_repositorytag")),
+    )
+    op.create_index(
+        "repositorytag_image_id", "repositorytag", ["image_id"], unique=False
+    )
+    op.create_index(
+        "repositorytag_lifetime_end_ts",
+        "repositorytag",
+        ["lifetime_end_ts"],
+        unique=False,
+    )
+    op.create_index(
+        "repositorytag_repository_id", "repositorytag", ["repository_id"], unique=False
+    )
+    op.create_index(
+        "repositorytag_repository_id_name",
+        "repositorytag",
+        ["repository_id", "name"],
+        unique=False,
+    )
+    op.create_index(
+        "repositorytag_repository_id_name_lifetime_end_ts",
+        "repositorytag",
+        ["repository_id", "name", "lifetime_end_ts"],
+        unique=True,
+    )
+    op.create_table(
+        "repositorybuild",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("uuid", sa.String(length=255), nullable=False),
+        sa.Column("repository_id", sa.Integer(), nullable=False),
+        sa.Column("access_token_id", sa.Integer(), nullable=False),
+        sa.Column("resource_key", sa.String(length=255), nullable=True),
+        sa.Column("job_config", sa.Text(), nullable=False),
+        sa.Column("phase", sa.String(length=255), nullable=False),
+        sa.Column("started", sa.DateTime(), nullable=False),
+        sa.Column("display_name", sa.String(length=255), nullable=False),
+        sa.Column("trigger_id", sa.Integer(), nullable=True),
+        sa.Column("pull_robot_id", sa.Integer(), nullable=True),
+        sa.Column(
+            "logs_archived",
+            sa.Boolean(),
+            nullable=False,
+            server_default=sa.sql.expression.false(),
+        ),
+        sa.Column("queue_id", sa.String(length=255), nullable=True),
+        sa.ForeignKeyConstraint(
+            ["access_token_id"],
+            ["accesstoken.id"],
+            name=op.f("fk_repositorybuild_access_token_id_accesstoken"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["pull_robot_id"],
+            ["user.id"],
+            name=op.f("fk_repositorybuild_pull_robot_id_user"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["repository_id"],
+            ["repository.id"],
+            name=op.f("fk_repositorybuild_repository_id_repository"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["trigger_id"],
+            ["repositorybuildtrigger.id"],
+            name=op.f("fk_repositorybuild_trigger_id_repositorybuildtrigger"),
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_repositorybuild")),
+    )
+    op.create_index(
+        "repositorybuild_access_token_id",
+        "repositorybuild",
+        ["access_token_id"],
+        unique=False,
+    )
+    op.create_index(
+        "repositorybuild_pull_robot_id",
+        "repositorybuild",
+        ["pull_robot_id"],
+        unique=False,
+    )
+    op.create_index(
+        "repositorybuild_queue_id", "repositorybuild", ["queue_id"], unique=False
+    )
+    op.create_index(
+        "repositorybuild_repository_id",
+        "repositorybuild",
+        ["repository_id"],
+        unique=False,
+    )
+    op.create_index(
+        "repositorybuild_repository_id_started_phase",
+        "repositorybuild",
+        ["repository_id", "started", "phase"],
+        unique=False,
+    )
+    op.create_index(
+        "repositorybuild_resource_key",
+        "repositorybuild",
+        ["resource_key"],
+        unique=False,
+    )
+    op.create_index(
+        "repositorybuild_started", "repositorybuild", ["started"], unique=False
+    )
+    op.create_index(
+        "repositorybuild_started_logs_archived_phase",
+        "repositorybuild",
+        ["started", "logs_archived", "phase"],
+        unique=False,
+    )
+    op.create_index(
+        "repositorybuild_trigger_id", "repositorybuild", ["trigger_id"], unique=False
+    )
+    op.create_index("repositorybuild_uuid", "repositorybuild", ["uuid"], unique=False)
+    op.create_table(
+        "tagmanifest",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("tag_id", sa.Integer(), nullable=False),
+        sa.Column("digest", sa.String(length=255), nullable=False),
+        sa.Column("json_data", UTF8LongText(), nullable=False),
+        sa.ForeignKeyConstraint(
+            ["tag_id"],
+            ["repositorytag.id"],
+            name=op.f("fk_tagmanifest_tag_id_repositorytag"),
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_tagmanifest")),
+    )
+    op.create_index("tagmanifest_digest", "tagmanifest", ["digest"], unique=False)
+    op.create_index("tagmanifest_tag_id", "tagmanifest", ["tag_id"], unique=True)
+    op.create_table(
+        "tagmanifestlabel",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("repository_id", sa.Integer(), nullable=False),
+        sa.Column("annotated_id", sa.Integer(), nullable=False),
+        sa.Column("label_id", sa.Integer(), nullable=False),
+        sa.ForeignKeyConstraint(
+            ["annotated_id"],
+            ["tagmanifest.id"],
+            name=op.f("fk_tagmanifestlabel_annotated_id_tagmanifest"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["label_id"], ["label.id"], name=op.f("fk_tagmanifestlabel_label_id_label")
+        ),
+        sa.ForeignKeyConstraint(
+            ["repository_id"],
+            ["repository.id"],
+            name=op.f("fk_tagmanifestlabel_repository_id_repository"),
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_tagmanifestlabel")),
+    )
+    op.create_index(
+        "tagmanifestlabel_annotated_id",
+        "tagmanifestlabel",
+        ["annotated_id"],
+        unique=False,
+    )
+    op.create_index(
+        "tagmanifestlabel_annotated_id_label_id",
+        "tagmanifestlabel",
+        ["annotated_id", "label_id"],
+        unique=True,
+    )
+    op.create_index(
+        "tagmanifestlabel_label_id", "tagmanifestlabel", ["label_id"], unique=False
+    )
+    op.create_index(
+        "tagmanifestlabel_repository_id",
+        "tagmanifestlabel",
+        ["repository_id"],
+        unique=False,
     )
-    op.create_index('tagmanifestlabel_annotated_id', 'tagmanifestlabel', ['annotated_id'], unique=False)
-    op.create_index('tagmanifestlabel_annotated_id_label_id', 'tagmanifestlabel', ['annotated_id', 'label_id'], unique=True)
-    op.create_index('tagmanifestlabel_label_id', 'tagmanifestlabel', ['label_id'], unique=False)
-    op.create_index('tagmanifestlabel_repository_id', 'tagmanifestlabel', ['repository_id'], unique=False)
 
-    op.bulk_insert(tables.accesstokenkind,
-    [
-        {'name':'build-worker'},
-        {'name':'pushpull-token'},
-    ])
+    op.bulk_insert(
+        tables.accesstokenkind, [{"name": "build-worker"}, {"name": "pushpull-token"}]
+    )
 
-    op.bulk_insert(tables.buildtriggerservice,
-    [
-        {'name':'github'},
-        {'name':'gitlab'},
-        {'name':'bitbucket'},
-        {'name':'custom-git'},
-    ])
+    op.bulk_insert(
+        tables.buildtriggerservice,
+        [
+            {"name": "github"},
+            {"name": "gitlab"},
+            {"name": "bitbucket"},
+            {"name": "custom-git"},
+        ],
+    )
 
-    op.bulk_insert(tables.externalnotificationevent,
-    [
-        {'name':'build_failure'},
-        {'name':'build_queued'},
-        {'name':'build_start'},
-        {'name':'build_success'},
-        {'name':'repo_push'},
-        {'name':'vulnerability_found'},
-    ])
+    op.bulk_insert(
+        tables.externalnotificationevent,
+        [
+            {"name": "build_failure"},
+            {"name": "build_queued"},
+            {"name": "build_start"},
+            {"name": "build_success"},
+            {"name": "repo_push"},
+            {"name": "vulnerability_found"},
+        ],
+    )
 
-    op.bulk_insert(tables.externalnotificationmethod,
-    [
-        {'name':'email'},
-        {'name':'flowdock'},
-        {'name':'hipchat'},
-        {'name':'quay_notification'},
-        {'name':'slack'},
-        {'name':'webhook'},
-    ])
+    op.bulk_insert(
+        tables.externalnotificationmethod,
+        [
+            {"name": "email"},
+            {"name": "flowdock"},
+            {"name": "hipchat"},
+            {"name": "quay_notification"},
+            {"name": "slack"},
+            {"name": "webhook"},
+        ],
+    )
 
-    op.bulk_insert(tables.imagestoragelocation,
-    [
-        {'name':'s3_us_east_1'},
-        {'name':'s3_eu_west_1'},
-        {'name':'s3_ap_southeast_1'},
-        {'name':'s3_ap_southeast_2'},
-        {'name':'s3_ap_northeast_1'},
-        {'name':'s3_sa_east_1'},
-        {'name':'local'},
-        {'name':'s3_us_west_1'},
-    ])
+    op.bulk_insert(
+        tables.imagestoragelocation,
+        [
+            {"name": "s3_us_east_1"},
+            {"name": "s3_eu_west_1"},
+            {"name": "s3_ap_southeast_1"},
+            {"name": "s3_ap_southeast_2"},
+            {"name": "s3_ap_northeast_1"},
+            {"name": "s3_sa_east_1"},
+            {"name": "local"},
+            {"name": "s3_us_west_1"},
+        ],
+    )
 
-    op.bulk_insert(tables.imagestoragesignaturekind,
-    [
-        {'name':'gpg2'},
-    ])
+    op.bulk_insert(tables.imagestoragesignaturekind, [{"name": "gpg2"}])
 
-    op.bulk_insert(tables.imagestoragetransformation,
-    [
-        {'name':'squash'},
-        {'name':'aci'},
-    ])
+    op.bulk_insert(
+        tables.imagestoragetransformation, [{"name": "squash"}, {"name": "aci"}]
+    )
 
-    op.bulk_insert(tables.labelsourcetype,
-    [
-      {'name':'manifest', 'mutable': False},
-      {'name':'api', 'mutable': True},
-      {'name':'internal', 'mutable': False},
-    ])
+    op.bulk_insert(
+        tables.labelsourcetype,
+        [
+            {"name": "manifest", "mutable": False},
+            {"name": "api", "mutable": True},
+            {"name": "internal", "mutable": False},
+        ],
+    )
 
-    op.bulk_insert(tables.logentrykind,
-    [
-        {'name':'account_change_cc'},
-        {'name':'account_change_password'},
-        {'name':'account_change_plan'},
-        {'name':'account_convert'},
-        {'name':'add_repo_accesstoken'},
-        {'name':'add_repo_notification'},
-        {'name':'add_repo_permission'},
-        {'name':'add_repo_webhook'},
-        {'name':'build_dockerfile'},
-        {'name':'change_repo_permission'},
-        {'name':'change_repo_visibility'},
-        {'name':'create_application'},
-        {'name':'create_prototype_permission'},
-        {'name':'create_repo'},
-        {'name':'create_robot'},
-        {'name':'create_tag'},
-        {'name':'delete_application'},
-        {'name':'delete_prototype_permission'},
-        {'name':'delete_repo'},
-        {'name':'delete_repo_accesstoken'},
-        {'name':'delete_repo_notification'},
-        {'name':'delete_repo_permission'},
-        {'name':'delete_repo_trigger'},
-        {'name':'delete_repo_webhook'},
-        {'name':'delete_robot'},
-        {'name':'delete_tag'},
-        {'name':'manifest_label_add'},
-        {'name':'manifest_label_delete'},
-        {'name':'modify_prototype_permission'},
-        {'name':'move_tag'},
-        {'name':'org_add_team_member'},
-        {'name':'org_create_team'},
-        {'name':'org_delete_team'},
-        {'name':'org_delete_team_member_invite'},
-        {'name':'org_invite_team_member'},
-        {'name':'org_remove_team_member'},
-        {'name':'org_set_team_description'},
-        {'name':'org_set_team_role'},
-        {'name':'org_team_member_invite_accepted'},
-        {'name':'org_team_member_invite_declined'},
-        {'name':'pull_repo'},
-        {'name':'push_repo'},
-        {'name':'regenerate_robot_token'},
-        {'name':'repo_verb'},
-        {'name':'reset_application_client_secret'},
-        {'name':'revert_tag'},
-        {'name':'service_key_approve'},
-        {'name':'service_key_create'},
-        {'name':'service_key_delete'},
-        {'name':'service_key_extend'},
-        {'name':'service_key_modify'},
-        {'name':'service_key_rotate'},
-        {'name':'setup_repo_trigger'},
-        {'name':'set_repo_description'},
-        {'name':'take_ownership'},
-        {'name':'update_application'},
-    ])
+    op.bulk_insert(
+        tables.logentrykind,
+        [
+            {"name": "account_change_cc"},
+            {"name": "account_change_password"},
+            {"name": "account_change_plan"},
+            {"name": "account_convert"},
+            {"name": "add_repo_accesstoken"},
+            {"name": "add_repo_notification"},
+            {"name": "add_repo_permission"},
+            {"name": "add_repo_webhook"},
+            {"name": "build_dockerfile"},
+            {"name": "change_repo_permission"},
+            {"name": "change_repo_visibility"},
+            {"name": "create_application"},
+            {"name": "create_prototype_permission"},
+            {"name": "create_repo"},
+            {"name": "create_robot"},
+            {"name": "create_tag"},
+            {"name": "delete_application"},
+            {"name": "delete_prototype_permission"},
+            {"name": "delete_repo"},
+            {"name": "delete_repo_accesstoken"},
+            {"name": "delete_repo_notification"},
+            {"name": "delete_repo_permission"},
+            {"name": "delete_repo_trigger"},
+            {"name": "delete_repo_webhook"},
+            {"name": "delete_robot"},
+            {"name": "delete_tag"},
+            {"name": "manifest_label_add"},
+            {"name": "manifest_label_delete"},
+            {"name": "modify_prototype_permission"},
+            {"name": "move_tag"},
+            {"name": "org_add_team_member"},
+            {"name": "org_create_team"},
+            {"name": "org_delete_team"},
+            {"name": "org_delete_team_member_invite"},
+            {"name": "org_invite_team_member"},
+            {"name": "org_remove_team_member"},
+            {"name": "org_set_team_description"},
+            {"name": "org_set_team_role"},
+            {"name": "org_team_member_invite_accepted"},
+            {"name": "org_team_member_invite_declined"},
+            {"name": "pull_repo"},
+            {"name": "push_repo"},
+            {"name": "regenerate_robot_token"},
+            {"name": "repo_verb"},
+            {"name": "reset_application_client_secret"},
+            {"name": "revert_tag"},
+            {"name": "service_key_approve"},
+            {"name": "service_key_create"},
+            {"name": "service_key_delete"},
+            {"name": "service_key_extend"},
+            {"name": "service_key_modify"},
+            {"name": "service_key_rotate"},
+            {"name": "setup_repo_trigger"},
+            {"name": "set_repo_description"},
+            {"name": "take_ownership"},
+            {"name": "update_application"},
+        ],
+    )
 
-    op.bulk_insert(tables.loginservice,
-    [
-        {'name':'github'},
-        {'name':'quayrobot'},
-        {'name':'ldap'},
-        {'name':'google'},
-        {'name':'keystone'},
-        {'name':'dex'},
-        {'name':'jwtauthn'},
-    ])
+    op.bulk_insert(
+        tables.loginservice,
+        [
+            {"name": "github"},
+            {"name": "quayrobot"},
+            {"name": "ldap"},
+            {"name": "google"},
+            {"name": "keystone"},
+            {"name": "dex"},
+            {"name": "jwtauthn"},
+        ],
+    )
 
-    op.bulk_insert(tables.mediatype,
-    [
-        {'name':'text/plain'},
-        {'name':'application/json'},
-    ])
+    op.bulk_insert(
+        tables.mediatype, [{"name": "text/plain"}, {"name": "application/json"}]
+    )
 
-    op.bulk_insert(tables.notificationkind,
-    [
-        {'name':'build_failure'},
-        {'name':'build_queued'},
-        {'name':'build_start'},
-        {'name':'build_success'},
-        {'name':'expiring_license'},
-        {'name':'maintenance'},
-        {'name':'org_team_invite'},
-        {'name':'over_private_usage'},
-        {'name':'password_required'},
-        {'name':'repo_push'},
-        {'name':'service_key_submitted'},
-        {'name':'vulnerability_found'},
-    ])
+    op.bulk_insert(
+        tables.notificationkind,
+        [
+            {"name": "build_failure"},
+            {"name": "build_queued"},
+            {"name": "build_start"},
+            {"name": "build_success"},
+            {"name": "expiring_license"},
+            {"name": "maintenance"},
+            {"name": "org_team_invite"},
+            {"name": "over_private_usage"},
+            {"name": "password_required"},
+            {"name": "repo_push"},
+            {"name": "service_key_submitted"},
+            {"name": "vulnerability_found"},
+        ],
+    )
 
-    op.bulk_insert(tables.role,
-    [
-        {'name':'admin'},
-        {'name':'write'},
-        {'name':'read'},
-    ])
+    op.bulk_insert(
+        tables.role, [{"name": "admin"}, {"name": "write"}, {"name": "read"}]
+    )
 
-    op.bulk_insert(tables.teamrole,
-    [
-        {'name':'admin'},
-        {'name':'creator'},
-        {'name':'member'},
-    ])
+    op.bulk_insert(
+        tables.teamrole, [{"name": "admin"}, {"name": "creator"}, {"name": "member"}]
+    )
 
-    op.bulk_insert(tables.visibility,
-    [
-        {'name':'public'},
-        {'name':'private'},
-    ])
+    op.bulk_insert(tables.visibility, [{"name": "public"}, {"name": "private"}])
 
     # ### population of test data ### #
-    tester.populate_table('user', [
-        ('uuid', tester.TestDataType.UUID),
-        ('username', tester.TestDataType.String),
-        ('password_hash', tester.TestDataType.String),
-        ('email', tester.TestDataType.String),
-        ('verified', tester.TestDataType.Boolean),
-        ('organization', tester.TestDataType.Boolean),
-        ('robot', tester.TestDataType.Boolean),
-        ('invoice_email', tester.TestDataType.Boolean),
-        ('invalid_login_attempts', tester.TestDataType.Integer),
-        ('last_invalid_login', tester.TestDataType.DateTime),
-        ('removed_tag_expiration_s', tester.TestDataType.Integer),
-        ('enabled', tester.TestDataType.Boolean),
-        ('invoice_email_address', tester.TestDataType.String),
-    ])
+    tester.populate_table(
+        "user",
+        [
+            ("uuid", tester.TestDataType.UUID),
+            ("username", tester.TestDataType.String),
+            ("password_hash", tester.TestDataType.String),
+            ("email", tester.TestDataType.String),
+            ("verified", tester.TestDataType.Boolean),
+            ("organization", tester.TestDataType.Boolean),
+            ("robot", tester.TestDataType.Boolean),
+            ("invoice_email", tester.TestDataType.Boolean),
+            ("invalid_login_attempts", tester.TestDataType.Integer),
+            ("last_invalid_login", tester.TestDataType.DateTime),
+            ("removed_tag_expiration_s", tester.TestDataType.Integer),
+            ("enabled", tester.TestDataType.Boolean),
+            ("invoice_email_address", tester.TestDataType.String),
+        ],
+    )
 
-    tester.populate_table('repository', [
-        ('namespace_user_id', tester.TestDataType.Foreign('user')),
-        ('name', tester.TestDataType.String),
-        ('visibility_id', tester.TestDataType.Foreign('visibility')),
-        ('description', tester.TestDataType.String),
-        ('badge_token', tester.TestDataType.String),
-    ])
+    tester.populate_table(
+        "repository",
+        [
+            ("namespace_user_id", tester.TestDataType.Foreign("user")),
+            ("name", tester.TestDataType.String),
+            ("visibility_id", tester.TestDataType.Foreign("visibility")),
+            ("description", tester.TestDataType.String),
+            ("badge_token", tester.TestDataType.String),
+        ],
+    )
 
-    tester.populate_table('emailconfirmation', [
-        ('code', tester.TestDataType.String),
-        ('user_id', tester.TestDataType.Foreign('user')),
-        ('pw_reset', tester.TestDataType.Boolean),
-        ('email_confirm', tester.TestDataType.Boolean),
-        ('created', tester.TestDataType.DateTime),
-    ])
+    tester.populate_table(
+        "emailconfirmation",
+        [
+            ("code", tester.TestDataType.String),
+            ("user_id", tester.TestDataType.Foreign("user")),
+            ("pw_reset", tester.TestDataType.Boolean),
+            ("email_confirm", tester.TestDataType.Boolean),
+            ("created", tester.TestDataType.DateTime),
+        ],
+    )
 
-    tester.populate_table('federatedlogin', [
-        ('user_id', tester.TestDataType.Foreign('user')),
-        ('service_id', tester.TestDataType.Foreign('loginservice')),
-        ('service_ident', tester.TestDataType.String),
-        ('metadata_json', tester.TestDataType.JSON),
-    ])
+    tester.populate_table(
+        "federatedlogin",
+        [
+            ("user_id", tester.TestDataType.Foreign("user")),
+            ("service_id", tester.TestDataType.Foreign("loginservice")),
+            ("service_ident", tester.TestDataType.String),
+            ("metadata_json", tester.TestDataType.JSON),
+        ],
+    )
 
-    tester.populate_table('imagestorage', [
-        ('uuid', tester.TestDataType.UUID),
-        ('checksum', tester.TestDataType.String),
-        ('image_size', tester.TestDataType.BigInteger),
-        ('uncompressed_size', tester.TestDataType.BigInteger),
-        ('uploading', tester.TestDataType.Boolean),
-        ('cas_path', tester.TestDataType.Boolean),
-        ('content_checksum', tester.TestDataType.String),
-    ])
+    tester.populate_table(
+        "imagestorage",
+        [
+            ("uuid", tester.TestDataType.UUID),
+            ("checksum", tester.TestDataType.String),
+            ("image_size", tester.TestDataType.BigInteger),
+            ("uncompressed_size", tester.TestDataType.BigInteger),
+            ("uploading", tester.TestDataType.Boolean),
+            ("cas_path", tester.TestDataType.Boolean),
+            ("content_checksum", tester.TestDataType.String),
+        ],
+    )
 
-    tester.populate_table('image', [
-        ('docker_image_id', tester.TestDataType.UUID),
-        ('repository_id', tester.TestDataType.Foreign('repository')),
-        ('ancestors', tester.TestDataType.String),
-        ('storage_id', tester.TestDataType.Foreign('imagestorage')),
-        ('security_indexed', tester.TestDataType.Boolean),
-        ('security_indexed_engine', tester.TestDataType.Integer),
-    ])
+    tester.populate_table(
+        "image",
+        [
+            ("docker_image_id", tester.TestDataType.UUID),
+            ("repository_id", tester.TestDataType.Foreign("repository")),
+            ("ancestors", tester.TestDataType.String),
+            ("storage_id", tester.TestDataType.Foreign("imagestorage")),
+            ("security_indexed", tester.TestDataType.Boolean),
+            ("security_indexed_engine", tester.TestDataType.Integer),
+        ],
+    )
 
-    tester.populate_table('imagestorageplacement', [
-        ('storage_id', tester.TestDataType.Foreign('imagestorage')),
-        ('location_id', tester.TestDataType.Foreign('imagestoragelocation')),
-    ])
+    tester.populate_table(
+        "imagestorageplacement",
+        [
+            ("storage_id", tester.TestDataType.Foreign("imagestorage")),
+            ("location_id", tester.TestDataType.Foreign("imagestoragelocation")),
+        ],
+    )
 
-    tester.populate_table('messages', [
-        ('content', tester.TestDataType.String),
-        ('uuid', tester.TestDataType.UUID),
-    ])
+    tester.populate_table(
+        "messages",
+        [("content", tester.TestDataType.String), ("uuid", tester.TestDataType.UUID)],
+    )
 
-    tester.populate_table('queueitem', [
-        ('queue_name', tester.TestDataType.String),
-        ('body', tester.TestDataType.JSON),
-        ('available_after', tester.TestDataType.DateTime),
-        ('available', tester.TestDataType.Boolean),
-        ('processing_expires', tester.TestDataType.DateTime),
-        ('retries_remaining', tester.TestDataType.Integer),
-    ])
+    tester.populate_table(
+        "queueitem",
+        [
+            ("queue_name", tester.TestDataType.String),
+            ("body", tester.TestDataType.JSON),
+            ("available_after", tester.TestDataType.DateTime),
+            ("available", tester.TestDataType.Boolean),
+            ("processing_expires", tester.TestDataType.DateTime),
+            ("retries_remaining", tester.TestDataType.Integer),
+        ],
+    )
 
-    tester.populate_table('servicekeyapproval', [
-        ('approver_id', tester.TestDataType.Foreign('user')),
-        ('approval_type', tester.TestDataType.String),
-        ('approved_date', tester.TestDataType.DateTime),
-        ('notes', tester.TestDataType.String),
-    ])
+    tester.populate_table(
+        "servicekeyapproval",
+        [
+            ("approver_id", tester.TestDataType.Foreign("user")),
+            ("approval_type", tester.TestDataType.String),
+            ("approved_date", tester.TestDataType.DateTime),
+            ("notes", tester.TestDataType.String),
+        ],
+    )
 
-    tester.populate_table('servicekey', [
-        ('name', tester.TestDataType.String),
-        ('kid', tester.TestDataType.String),
-        ('service', tester.TestDataType.String),
-        ('jwk', tester.TestDataType.JSON),
-        ('metadata', tester.TestDataType.JSON),
-        ('created_date', tester.TestDataType.DateTime),
-        ('approval_id', tester.TestDataType.Foreign('servicekeyapproval')),
-    ])
+    tester.populate_table(
+        "servicekey",
+        [
+            ("name", tester.TestDataType.String),
+            ("kid", tester.TestDataType.String),
+            ("service", tester.TestDataType.String),
+            ("jwk", tester.TestDataType.JSON),
+            ("metadata", tester.TestDataType.JSON),
+            ("created_date", tester.TestDataType.DateTime),
+            ("approval_id", tester.TestDataType.Foreign("servicekeyapproval")),
+        ],
+    )
 
-    tester.populate_table('label', [
-        ('uuid', tester.TestDataType.UUID),
-        ('key', tester.TestDataType.UTF8Char),
-        ('value', tester.TestDataType.JSON),
-        ('media_type_id', tester.TestDataType.Foreign('mediatype')),
-        ('source_type_id', tester.TestDataType.Foreign('labelsourcetype')),
-    ])
+    tester.populate_table(
+        "label",
+        [
+            ("uuid", tester.TestDataType.UUID),
+            ("key", tester.TestDataType.UTF8Char),
+            ("value", tester.TestDataType.JSON),
+            ("media_type_id", tester.TestDataType.Foreign("mediatype")),
+            ("source_type_id", tester.TestDataType.Foreign("labelsourcetype")),
+        ],
+    )
 
-    tester.populate_table('logentry', [
-        ('kind_id', tester.TestDataType.Foreign('logentrykind')),
-        ('account_id', tester.TestDataType.Foreign('user')),
-        ('performer_id', tester.TestDataType.Foreign('user')),
-        ('repository_id', tester.TestDataType.Foreign('repository')),
-        ('datetime', tester.TestDataType.DateTime),
-        ('ip', tester.TestDataType.String),
-        ('metadata_json', tester.TestDataType.JSON),
-    ])
+    tester.populate_table(
+        "logentry",
+        [
+            ("kind_id", tester.TestDataType.Foreign("logentrykind")),
+            ("account_id", tester.TestDataType.Foreign("user")),
+            ("performer_id", tester.TestDataType.Foreign("user")),
+            ("repository_id", tester.TestDataType.Foreign("repository")),
+            ("datetime", tester.TestDataType.DateTime),
+            ("ip", tester.TestDataType.String),
+            ("metadata_json", tester.TestDataType.JSON),
+        ],
+    )
 
-    tester.populate_table('notification', [
-        ('uuid', tester.TestDataType.UUID),
-        ('kind_id', tester.TestDataType.Foreign('notificationkind')),
-        ('target_id', tester.TestDataType.Foreign('user')),
-        ('metadata_json', tester.TestDataType.JSON),
-        ('created', tester.TestDataType.DateTime),
-        ('dismissed', tester.TestDataType.Boolean),
-        ('lookup_path', tester.TestDataType.String),
-    ])
+    tester.populate_table(
+        "notification",
+        [
+            ("uuid", tester.TestDataType.UUID),
+            ("kind_id", tester.TestDataType.Foreign("notificationkind")),
+            ("target_id", tester.TestDataType.Foreign("user")),
+            ("metadata_json", tester.TestDataType.JSON),
+            ("created", tester.TestDataType.DateTime),
+            ("dismissed", tester.TestDataType.Boolean),
+            ("lookup_path", tester.TestDataType.String),
+        ],
+    )
 
-    tester.populate_table('oauthapplication', [
-        ('client_id', tester.TestDataType.String),
-        ('client_secret', tester.TestDataType.String),
-        ('redirect_uri', tester.TestDataType.String),
-        ('application_uri', tester.TestDataType.String),
-        ('organization_id', tester.TestDataType.Foreign('user')),
-        ('name', tester.TestDataType.String),
-        ('description', tester.TestDataType.String),
-    ])
+    tester.populate_table(
+        "oauthapplication",
+        [
+            ("client_id", tester.TestDataType.String),
+            ("client_secret", tester.TestDataType.String),
+            ("redirect_uri", tester.TestDataType.String),
+            ("application_uri", tester.TestDataType.String),
+            ("organization_id", tester.TestDataType.Foreign("user")),
+            ("name", tester.TestDataType.String),
+            ("description", tester.TestDataType.String),
+        ],
+    )
 
-    tester.populate_table('team', [
-        ('name', tester.TestDataType.String),
-        ('organization_id', tester.TestDataType.Foreign('user')),
-        ('role_id', tester.TestDataType.Foreign('teamrole')),
-        ('description', tester.TestDataType.String),
-    ])
+    tester.populate_table(
+        "team",
+        [
+            ("name", tester.TestDataType.String),
+            ("organization_id", tester.TestDataType.Foreign("user")),
+            ("role_id", tester.TestDataType.Foreign("teamrole")),
+            ("description", tester.TestDataType.String),
+        ],
+    )
 
-    tester.populate_table('torrentinfo', [
-        ('storage_id', tester.TestDataType.Foreign('imagestorage')),
-        ('piece_length', tester.TestDataType.Integer),
-        ('pieces', tester.TestDataType.String),
-    ])
+    tester.populate_table(
+        "torrentinfo",
+        [
+            ("storage_id", tester.TestDataType.Foreign("imagestorage")),
+            ("piece_length", tester.TestDataType.Integer),
+            ("pieces", tester.TestDataType.String),
+        ],
+    )
 
-    tester.populate_table('userregion', [
-        ('user_id', tester.TestDataType.Foreign('user')),
-        ('location_id', tester.TestDataType.Foreign('imagestoragelocation')),
-    ])
+    tester.populate_table(
+        "userregion",
+        [
+            ("user_id", tester.TestDataType.Foreign("user")),
+            ("location_id", tester.TestDataType.Foreign("imagestoragelocation")),
+        ],
+    )
 
-    tester.populate_table('accesstoken', [
-        ('friendly_name', tester.TestDataType.String),
-        ('code', tester.TestDataType.Token),
-        ('repository_id', tester.TestDataType.Foreign('repository')),
-        ('created', tester.TestDataType.DateTime),
-        ('role_id', tester.TestDataType.Foreign('role')),
-        ('temporary', tester.TestDataType.Boolean),
-        ('kind_id', tester.TestDataType.Foreign('accesstokenkind')),
-    ])
+    tester.populate_table(
+        "accesstoken",
+        [
+            ("friendly_name", tester.TestDataType.String),
+            ("code", tester.TestDataType.Token),
+            ("repository_id", tester.TestDataType.Foreign("repository")),
+            ("created", tester.TestDataType.DateTime),
+            ("role_id", tester.TestDataType.Foreign("role")),
+            ("temporary", tester.TestDataType.Boolean),
+            ("kind_id", tester.TestDataType.Foreign("accesstokenkind")),
+        ],
+    )
 
-    tester.populate_table('blobupload', [
-        ('repository_id', tester.TestDataType.Foreign('repository')),
-        ('uuid', tester.TestDataType.UUID),
-        ('byte_count', tester.TestDataType.Integer),
-        ('sha_state', tester.TestDataType.String),
-        ('location_id', tester.TestDataType.Foreign('imagestoragelocation')),
-        ('chunk_count', tester.TestDataType.Integer),
-        ('created', tester.TestDataType.DateTime),
-    ])
+    tester.populate_table(
+        "blobupload",
+        [
+            ("repository_id", tester.TestDataType.Foreign("repository")),
+            ("uuid", tester.TestDataType.UUID),
+            ("byte_count", tester.TestDataType.Integer),
+            ("sha_state", tester.TestDataType.String),
+            ("location_id", tester.TestDataType.Foreign("imagestoragelocation")),
+            ("chunk_count", tester.TestDataType.Integer),
+            ("created", tester.TestDataType.DateTime),
+        ],
+    )
 
-    tester.populate_table('oauthaccesstoken', [
-        ('uuid', tester.TestDataType.UUID),
-        ('application_id', tester.TestDataType.Foreign('oauthapplication')),
-        ('authorized_user_id', tester.TestDataType.Foreign('user')),
-        ('scope', tester.TestDataType.String),
-        ('access_token', tester.TestDataType.Token),
-        ('token_type', tester.TestDataType.String),
-        ('expires_at', tester.TestDataType.DateTime),
-        ('data', tester.TestDataType.JSON),
-    ])
+    tester.populate_table(
+        "oauthaccesstoken",
+        [
+            ("uuid", tester.TestDataType.UUID),
+            ("application_id", tester.TestDataType.Foreign("oauthapplication")),
+            ("authorized_user_id", tester.TestDataType.Foreign("user")),
+            ("scope", tester.TestDataType.String),
+            ("access_token", tester.TestDataType.Token),
+            ("token_type", tester.TestDataType.String),
+            ("expires_at", tester.TestDataType.DateTime),
+            ("data", tester.TestDataType.JSON),
+        ],
+    )
 
-    tester.populate_table('oauthauthorizationcode', [
-        ('application_id', tester.TestDataType.Foreign('oauthapplication')),
-        ('code', tester.TestDataType.Token),
-        ('scope', tester.TestDataType.String),
-        ('data', tester.TestDataType.JSON),
-    ])
+    tester.populate_table(
+        "oauthauthorizationcode",
+        [
+            ("application_id", tester.TestDataType.Foreign("oauthapplication")),
+            ("code", tester.TestDataType.Token),
+            ("scope", tester.TestDataType.String),
+            ("data", tester.TestDataType.JSON),
+        ],
+    )
 
-    tester.populate_table('permissionprototype', [
-        ('org_id', tester.TestDataType.Foreign('user')),
-        ('uuid', tester.TestDataType.UUID),
-        ('activating_user_id', tester.TestDataType.Foreign('user')),
-        ('delegate_user_id', tester.TestDataType.Foreign('user')),
-        ('role_id', tester.TestDataType.Foreign('role')),
-    ])
+    tester.populate_table(
+        "permissionprototype",
+        [
+            ("org_id", tester.TestDataType.Foreign("user")),
+            ("uuid", tester.TestDataType.UUID),
+            ("activating_user_id", tester.TestDataType.Foreign("user")),
+            ("delegate_user_id", tester.TestDataType.Foreign("user")),
+            ("role_id", tester.TestDataType.Foreign("role")),
+        ],
+    )
 
-    tester.populate_table('repositoryactioncount', [
-        ('repository_id', tester.TestDataType.Foreign('repository')),
-        ('count', tester.TestDataType.Integer),
-        ('date', tester.TestDataType.Date),
-    ])
+    tester.populate_table(
+        "repositoryactioncount",
+        [
+            ("repository_id", tester.TestDataType.Foreign("repository")),
+            ("count", tester.TestDataType.Integer),
+            ("date", tester.TestDataType.Date),
+        ],
+    )
 
-    tester.populate_table('repositoryauthorizedemail', [
-        ('repository_id', tester.TestDataType.Foreign('repository')),
-        ('email', tester.TestDataType.String),
-        ('code', tester.TestDataType.String),
-        ('confirmed', tester.TestDataType.Boolean),
-    ])
+    tester.populate_table(
+        "repositoryauthorizedemail",
+        [
+            ("repository_id", tester.TestDataType.Foreign("repository")),
+            ("email", tester.TestDataType.String),
+            ("code", tester.TestDataType.String),
+            ("confirmed", tester.TestDataType.Boolean),
+        ],
+    )
 
-    tester.populate_table('repositorynotification', [
-        ('uuid', tester.TestDataType.UUID),
-        ('repository_id', tester.TestDataType.Foreign('repository')),
-        ('event_id', tester.TestDataType.Foreign('externalnotificationevent')),
-        ('method_id', tester.TestDataType.Foreign('externalnotificationmethod')),
-        ('title', tester.TestDataType.String),
-        ('config_json', tester.TestDataType.JSON),
-        ('event_config_json', tester.TestDataType.JSON),
-    ])
+    tester.populate_table(
+        "repositorynotification",
+        [
+            ("uuid", tester.TestDataType.UUID),
+            ("repository_id", tester.TestDataType.Foreign("repository")),
+            ("event_id", tester.TestDataType.Foreign("externalnotificationevent")),
+            ("method_id", tester.TestDataType.Foreign("externalnotificationmethod")),
+            ("title", tester.TestDataType.String),
+            ("config_json", tester.TestDataType.JSON),
+            ("event_config_json", tester.TestDataType.JSON),
+        ],
+    )
 
-    tester.populate_table('repositorypermission', [
-        ('team_id', tester.TestDataType.Foreign('team')),
-        ('user_id', tester.TestDataType.Foreign('user')),
-        ('repository_id', tester.TestDataType.Foreign('repository')),
-        ('role_id', tester.TestDataType.Foreign('role')),
-    ])
+    tester.populate_table(
+        "repositorypermission",
+        [
+            ("team_id", tester.TestDataType.Foreign("team")),
+            ("user_id", tester.TestDataType.Foreign("user")),
+            ("repository_id", tester.TestDataType.Foreign("repository")),
+            ("role_id", tester.TestDataType.Foreign("role")),
+        ],
+    )
 
-    tester.populate_table('star', [
-        ('user_id', tester.TestDataType.Foreign('user')),
-        ('repository_id', tester.TestDataType.Foreign('repository')),
-        ('created', tester.TestDataType.DateTime),
-    ])
+    tester.populate_table(
+        "star",
+        [
+            ("user_id", tester.TestDataType.Foreign("user")),
+            ("repository_id", tester.TestDataType.Foreign("repository")),
+            ("created", tester.TestDataType.DateTime),
+        ],
+    )
 
-    tester.populate_table('teammember', [
-        ('user_id', tester.TestDataType.Foreign('user')),
-        ('team_id', tester.TestDataType.Foreign('team')),
-    ])
+    tester.populate_table(
+        "teammember",
+        [
+            ("user_id", tester.TestDataType.Foreign("user")),
+            ("team_id", tester.TestDataType.Foreign("team")),
+        ],
+    )
 
-    tester.populate_table('teammemberinvite', [
-        ('user_id', tester.TestDataType.Foreign('user')),
-        ('email', tester.TestDataType.String),
-        ('team_id', tester.TestDataType.Foreign('team')),
-        ('inviter_id', tester.TestDataType.Foreign('user')),
-        ('invite_token', tester.TestDataType.String),
-    ])
+    tester.populate_table(
+        "teammemberinvite",
+        [
+            ("user_id", tester.TestDataType.Foreign("user")),
+            ("email", tester.TestDataType.String),
+            ("team_id", tester.TestDataType.Foreign("team")),
+            ("inviter_id", tester.TestDataType.Foreign("user")),
+            ("invite_token", tester.TestDataType.String),
+        ],
+    )
 
-    tester.populate_table('derivedstorageforimage', [
-        ('source_image_id', tester.TestDataType.Foreign('image')),
-        ('derivative_id', tester.TestDataType.Foreign('imagestorage')),
-        ('transformation_id', tester.TestDataType.Foreign('imagestoragetransformation')),
-        ('uniqueness_hash', tester.TestDataType.String),
-    ])
+    tester.populate_table(
+        "derivedstorageforimage",
+        [
+            ("source_image_id", tester.TestDataType.Foreign("image")),
+            ("derivative_id", tester.TestDataType.Foreign("imagestorage")),
+            (
+                "transformation_id",
+                tester.TestDataType.Foreign("imagestoragetransformation"),
+            ),
+            ("uniqueness_hash", tester.TestDataType.String),
+        ],
+    )
 
-    tester.populate_table('repositorybuildtrigger', [
-        ('uuid', tester.TestDataType.UUID),
-        ('service_id', tester.TestDataType.Foreign('buildtriggerservice')),
-        ('repository_id', tester.TestDataType.Foreign('repository')),
-        ('connected_user_id', tester.TestDataType.Foreign('user')),
-        ('auth_token', tester.TestDataType.String),
-        ('config', tester.TestDataType.JSON),
-    ])
+    tester.populate_table(
+        "repositorybuildtrigger",
+        [
+            ("uuid", tester.TestDataType.UUID),
+            ("service_id", tester.TestDataType.Foreign("buildtriggerservice")),
+            ("repository_id", tester.TestDataType.Foreign("repository")),
+            ("connected_user_id", tester.TestDataType.Foreign("user")),
+            ("auth_token", tester.TestDataType.String),
+            ("config", tester.TestDataType.JSON),
+        ],
+    )
 
-    tester.populate_table('repositorytag', [
-        ('name', tester.TestDataType.String),
-        ('image_id', tester.TestDataType.Foreign('image')),
-        ('repository_id', tester.TestDataType.Foreign('repository')),
-        ('lifetime_start_ts', tester.TestDataType.Integer),
-        ('hidden', tester.TestDataType.Boolean),
-        ('reversion', tester.TestDataType.Boolean),
-    ])
+    tester.populate_table(
+        "repositorytag",
+        [
+            ("name", tester.TestDataType.String),
+            ("image_id", tester.TestDataType.Foreign("image")),
+            ("repository_id", tester.TestDataType.Foreign("repository")),
+            ("lifetime_start_ts", tester.TestDataType.Integer),
+            ("hidden", tester.TestDataType.Boolean),
+            ("reversion", tester.TestDataType.Boolean),
+        ],
+    )
 
-    tester.populate_table('repositorybuild', [
-        ('uuid', tester.TestDataType.UUID),
-        ('phase', tester.TestDataType.String),
-        ('repository_id', tester.TestDataType.Foreign('repository')),
-        ('access_token_id', tester.TestDataType.Foreign('accesstoken')),
-        ('resource_key', tester.TestDataType.String),
-        ('job_config', tester.TestDataType.JSON),
-        ('started', tester.TestDataType.DateTime),
-        ('display_name', tester.TestDataType.JSON),
-        ('trigger_id', tester.TestDataType.Foreign('repositorybuildtrigger')),
-        ('logs_archived', tester.TestDataType.Boolean),
-    ])
+    tester.populate_table(
+        "repositorybuild",
+        [
+            ("uuid", tester.TestDataType.UUID),
+            ("phase", tester.TestDataType.String),
+            ("repository_id", tester.TestDataType.Foreign("repository")),
+            ("access_token_id", tester.TestDataType.Foreign("accesstoken")),
+            ("resource_key", tester.TestDataType.String),
+            ("job_config", tester.TestDataType.JSON),
+            ("started", tester.TestDataType.DateTime),
+            ("display_name", tester.TestDataType.JSON),
+            ("trigger_id", tester.TestDataType.Foreign("repositorybuildtrigger")),
+            ("logs_archived", tester.TestDataType.Boolean),
+        ],
+    )
 
-    tester.populate_table('tagmanifest', [
-        ('tag_id', tester.TestDataType.Foreign('repositorytag')),
-        ('digest', tester.TestDataType.String),
-        ('json_data', tester.TestDataType.JSON),
-    ])
+    tester.populate_table(
+        "tagmanifest",
+        [
+            ("tag_id", tester.TestDataType.Foreign("repositorytag")),
+            ("digest", tester.TestDataType.String),
+            ("json_data", tester.TestDataType.JSON),
+        ],
+    )
 
-    tester.populate_table('tagmanifestlabel', [
-        ('repository_id', tester.TestDataType.Foreign('repository')),
-        ('annotated_id', tester.TestDataType.Foreign('tagmanifest')),
-        ('label_id', tester.TestDataType.Foreign('label')),
-    ])
+    tester.populate_table(
+        "tagmanifestlabel",
+        [
+            ("repository_id", tester.TestDataType.Foreign("repository")),
+            ("annotated_id", tester.TestDataType.Foreign("tagmanifest")),
+            ("label_id", tester.TestDataType.Foreign("label")),
+        ],
+    )
     # ### end population of test data ### #
 
 
 def downgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
-    op.drop_table('tagmanifestlabel')
-    op.drop_table('tagmanifest')
-    op.drop_table('repositorybuild')
-    op.drop_table('repositorytag')
-    op.drop_table('repositorybuildtrigger')
-    op.drop_table('derivedstorageforimage')
-    op.drop_table('teammemberinvite')
-    op.drop_table('teammember')
-    op.drop_table('star')
-    op.drop_table('repositorypermission')
-    op.drop_table('repositorynotification')
-    op.drop_table('repositoryauthorizedemail')
-    op.drop_table('repositoryactioncount')
-    op.drop_table('permissionprototype')
-    op.drop_table('oauthauthorizationcode')
-    op.drop_table('oauthaccesstoken')
-    op.drop_table('image')
-    op.drop_table('blobupload')
-    op.drop_table('accesstoken')
-    op.drop_table('userregion')
-    op.drop_table('torrentinfo')
-    op.drop_table('team')
-    op.drop_table('servicekey')
-    op.drop_table('repository')
-    op.drop_table('quayrelease')
-    op.drop_table('oauthapplication')
-    op.drop_table('notification')
-    op.drop_table('logentry')
-    op.drop_table('label')
-    op.drop_table('imagestoragesignature')
-    op.drop_table('imagestorageplacement')
-    op.drop_table('federatedlogin')
-    op.drop_table('emailconfirmation')
-    op.drop_table('visibility')
-    op.drop_table('user')
-    op.drop_table('teamrole')
-    op.drop_table('servicekeyapproval')
-    op.drop_table('role')
-    op.drop_table('queueitem')
-    op.drop_table('quayservice')
-    op.drop_table('quayregion')
-    op.drop_table('notificationkind')
-    op.drop_table('messages')
-    op.drop_table('mediatype')
-    op.drop_table('loginservice')
-    op.drop_table('logentrykind')
-    op.drop_table('labelsourcetype')
-    op.drop_table('imagestoragetransformation')
-    op.drop_table('imagestoragesignaturekind')
-    op.drop_table('imagestoragelocation')
-    op.drop_table('imagestorage')
-    op.drop_table('externalnotificationmethod')
-    op.drop_table('externalnotificationevent')
-    op.drop_table('buildtriggerservice')
-    op.drop_table('accesstokenkind')
+    op.drop_table("tagmanifestlabel")
+    op.drop_table("tagmanifest")
+    op.drop_table("repositorybuild")
+    op.drop_table("repositorytag")
+    op.drop_table("repositorybuildtrigger")
+    op.drop_table("derivedstorageforimage")
+    op.drop_table("teammemberinvite")
+    op.drop_table("teammember")
+    op.drop_table("star")
+    op.drop_table("repositorypermission")
+    op.drop_table("repositorynotification")
+    op.drop_table("repositoryauthorizedemail")
+    op.drop_table("repositoryactioncount")
+    op.drop_table("permissionprototype")
+    op.drop_table("oauthauthorizationcode")
+    op.drop_table("oauthaccesstoken")
+    op.drop_table("image")
+    op.drop_table("blobupload")
+    op.drop_table("accesstoken")
+    op.drop_table("userregion")
+    op.drop_table("torrentinfo")
+    op.drop_table("team")
+    op.drop_table("servicekey")
+    op.drop_table("repository")
+    op.drop_table("quayrelease")
+    op.drop_table("oauthapplication")
+    op.drop_table("notification")
+    op.drop_table("logentry")
+    op.drop_table("label")
+    op.drop_table("imagestoragesignature")
+    op.drop_table("imagestorageplacement")
+    op.drop_table("federatedlogin")
+    op.drop_table("emailconfirmation")
+    op.drop_table("visibility")
+    op.drop_table("user")
+    op.drop_table("teamrole")
+    op.drop_table("servicekeyapproval")
+    op.drop_table("role")
+    op.drop_table("queueitem")
+    op.drop_table("quayservice")
+    op.drop_table("quayregion")
+    op.drop_table("notificationkind")
+    op.drop_table("messages")
+    op.drop_table("mediatype")
+    op.drop_table("loginservice")
+    op.drop_table("logentrykind")
+    op.drop_table("labelsourcetype")
+    op.drop_table("imagestoragetransformation")
+    op.drop_table("imagestoragesignaturekind")
+    op.drop_table("imagestoragelocation")
+    op.drop_table("imagestorage")
+    op.drop_table("externalnotificationmethod")
+    op.drop_table("externalnotificationevent")
+    op.drop_table("buildtriggerservice")
+    op.drop_table("accesstokenkind")
diff --git a/data/migrations/versions/c3d4b7ebcdf7_backfill_repositorysearchscore_table.py b/data/migrations/versions/c3d4b7ebcdf7_backfill_repositorysearchscore_table.py
index 8e0a8ab8c..a2f61ae44 100644
--- a/data/migrations/versions/c3d4b7ebcdf7_backfill_repositorysearchscore_table.py
+++ b/data/migrations/versions/c3d4b7ebcdf7_backfill_repositorysearchscore_table.py
@@ -7,19 +7,23 @@ Create Date: 2017-04-13 12:01:59.572775
 """
 
 # revision identifiers, used by Alembic.
-revision = 'c3d4b7ebcdf7'
-down_revision = 'f30984525c86'
+revision = "c3d4b7ebcdf7"
+down_revision = "f30984525c86"
 
 from alembic import op as original_op
 from data.migrations.progress import ProgressWrapper
 import sqlalchemy as sa
 
+
 def upgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     # Add a 0 entry into the RepositorySearchScore table for each repository that isn't present
     conn = op.get_bind()
-    conn.execute("insert into repositorysearchscore (repository_id, score) SELECT id, 0 FROM " +
-                 "repository WHERE id not in (select repository_id from repositorysearchscore)")
+    conn.execute(
+        "insert into repositorysearchscore (repository_id, score) SELECT id, 0 FROM "
+        + "repository WHERE id not in (select repository_id from repositorysearchscore)"
+    )
+
 
 def downgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
diff --git a/data/migrations/versions/c91c564aad34_drop_checksum_on_imagestorage.py b/data/migrations/versions/c91c564aad34_drop_checksum_on_imagestorage.py
index dc1567bd5..0497e1559 100644
--- a/data/migrations/versions/c91c564aad34_drop_checksum_on_imagestorage.py
+++ b/data/migrations/versions/c91c564aad34_drop_checksum_on_imagestorage.py
@@ -7,8 +7,8 @@ Create Date: 2018-02-21 12:17:52.405644
 """
 
 # revision identifiers, used by Alembic.
-revision = 'c91c564aad34'
-down_revision = '152bb29a1bb3'
+revision = "c91c564aad34"
+down_revision = "152bb29a1bb3"
 
 from alembic import op as original_op
 from data.migrations.progress import ProgressWrapper
@@ -17,9 +17,11 @@ import sqlalchemy as sa
 
 def upgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
-    op.drop_column('imagestorage', 'checksum')
+    op.drop_column("imagestorage", "checksum")
 
 
 def downgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
-    op.add_column('imagestorage', sa.Column('checksum', sa.String(length=255), nullable=True))
+    op.add_column(
+        "imagestorage", sa.Column("checksum", sa.String(length=255), nullable=True)
+    )
diff --git a/data/migrations/versions/cbc8177760d9_add_user_location_field.py b/data/migrations/versions/cbc8177760d9_add_user_location_field.py
index cbdc87706..866aafd38 100644
--- a/data/migrations/versions/cbc8177760d9_add_user_location_field.py
+++ b/data/migrations/versions/cbc8177760d9_add_user_location_field.py
@@ -7,8 +7,8 @@ Create Date: 2018-02-02 17:39:16.589623
 """
 
 # revision identifiers, used by Alembic.
-revision = 'cbc8177760d9'
-down_revision = '7367229b38d9'
+revision = "cbc8177760d9"
+down_revision = "7367229b38d9"
 
 from alembic import op as original_op
 from data.migrations.progress import ProgressWrapper
@@ -16,15 +16,18 @@ import sqlalchemy as sa
 from sqlalchemy.dialects import mysql
 from util.migrate import UTF8CharField
 
+
 def upgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
-    op.add_column('user', sa.Column('location', UTF8CharField(length=255), nullable=True))
+    op.add_column(
+        "user", sa.Column("location", UTF8CharField(length=255), nullable=True)
+    )
 
     # ### population of test data ### #
-    tester.populate_column('user', 'location', tester.TestDataType.UTF8Char)
+    tester.populate_column("user", "location", tester.TestDataType.UTF8Char)
     # ### end population of test data ### #
 
 
 def downgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
-    op.drop_column('user', 'location')
+    op.drop_column("user", "location")
diff --git a/data/migrations/versions/cc6778199cdb_repository_mirror_notification.py b/data/migrations/versions/cc6778199cdb_repository_mirror_notification.py
index a44704eec..8b64e1f65 100644
--- a/data/migrations/versions/cc6778199cdb_repository_mirror_notification.py
+++ b/data/migrations/versions/cc6778199cdb_repository_mirror_notification.py
@@ -7,62 +7,73 @@ Create Date: 2019-10-03 17:41:23.316914
 """
 
 # revision identifiers, used by Alembic.
-revision = 'cc6778199cdb'
-down_revision = 'c059b952ed76'
+revision = "cc6778199cdb"
+down_revision = "c059b952ed76"
 
 from alembic import op as original_op
 from data.migrations.progress import ProgressWrapper
 import sqlalchemy as sa
 from sqlalchemy.dialects import mysql
 
-def upgrade(tables, tester, progress_reporter):
-  op = ProgressWrapper(original_op, progress_reporter)
 
-  op.bulk_insert(tables.notificationkind,
-                 [
-                   {'name': 'repo_mirror_sync_started'},
-                   {'name': 'repo_mirror_sync_success'},
-                   {'name': 'repo_mirror_sync_failed'},
-                 ])
-  op.bulk_insert(tables.externalnotificationevent,
-                 [
-                   {'name': 'repo_mirror_sync_started'},
-                   {'name': 'repo_mirror_sync_success'},
-                   {'name': 'repo_mirror_sync_failed'},
-                 ])
+def upgrade(tables, tester, progress_reporter):
+    op = ProgressWrapper(original_op, progress_reporter)
+
+    op.bulk_insert(
+        tables.notificationkind,
+        [
+            {"name": "repo_mirror_sync_started"},
+            {"name": "repo_mirror_sync_success"},
+            {"name": "repo_mirror_sync_failed"},
+        ],
+    )
+    op.bulk_insert(
+        tables.externalnotificationevent,
+        [
+            {"name": "repo_mirror_sync_started"},
+            {"name": "repo_mirror_sync_success"},
+            {"name": "repo_mirror_sync_failed"},
+        ],
+    )
 
 
 def downgrade(tables, tester, progress_reporter):
-  op = ProgressWrapper(original_op, progress_reporter)
+    op = ProgressWrapper(original_op, progress_reporter)
 
-  op.execute(tables
-             .notificationkind
-             .delete()
-             .where(tables.
-                    notificationkind.c.name == op.inline_literal('repo_mirror_sync_started')))
-  op.execute(tables
-             .notificationkind
-             .delete()
-             .where(tables.
-                    notificationkind.c.name == op.inline_literal('repo_mirror_sync_success')))
-  op.execute(tables
-             .notificationkind
-             .delete()
-             .where(tables.
-                    notificationkind.c.name == op.inline_literal('repo_mirror_sync_failed')))
+    op.execute(
+        tables.notificationkind.delete().where(
+            tables.notificationkind.c.name
+            == op.inline_literal("repo_mirror_sync_started")
+        )
+    )
+    op.execute(
+        tables.notificationkind.delete().where(
+            tables.notificationkind.c.name
+            == op.inline_literal("repo_mirror_sync_success")
+        )
+    )
+    op.execute(
+        tables.notificationkind.delete().where(
+            tables.notificationkind.c.name
+            == op.inline_literal("repo_mirror_sync_failed")
+        )
+    )
 
-  op.execute(tables
-             .externalnotificationevent
-             .delete()
-             .where(tables.
-                    externalnotificationevent.c.name == op.inline_literal('repo_mirror_sync_started')))
-  op.execute(tables
-             .externalnotificationevent
-             .delete()
-             .where(tables.
-                    externalnotificationevent.c.name == op.inline_literal('repo_mirror_sync_success')))
-  op.execute(tables
-             .externalnotificationevent
-             .delete()
-             .where(tables.
-                    externalnotificationevent.c.name == op.inline_literal('repo_mirror_sync_failed')))
+    op.execute(
+        tables.externalnotificationevent.delete().where(
+            tables.externalnotificationevent.c.name
+            == op.inline_literal("repo_mirror_sync_started")
+        )
+    )
+    op.execute(
+        tables.externalnotificationevent.delete().where(
+            tables.externalnotificationevent.c.name
+            == op.inline_literal("repo_mirror_sync_success")
+        )
+    )
+    op.execute(
+        tables.externalnotificationevent.delete().where(
+            tables.externalnotificationevent.c.name
+            == op.inline_literal("repo_mirror_sync_failed")
+        )
+    )
diff --git a/data/migrations/versions/d17c695859ea_delete_old_appr_tables.py b/data/migrations/versions/d17c695859ea_delete_old_appr_tables.py
index 9e847e8e2..df4b56814 100644
--- a/data/migrations/versions/d17c695859ea_delete_old_appr_tables.py
+++ b/data/migrations/versions/d17c695859ea_delete_old_appr_tables.py
@@ -7,8 +7,8 @@ Create Date: 2018-07-16 15:21:11.593040
 """
 
 # revision identifiers, used by Alembic.
-revision = 'd17c695859ea'
-down_revision = '5d463ea1e8a8'
+revision = "d17c695859ea"
+down_revision = "5d463ea1e8a8"
 
 from alembic import op as original_op
 from data.migrations.progress import ProgressWrapper
@@ -16,18 +16,19 @@ import sqlalchemy as sa
 from sqlalchemy.sql import table, column
 from util.migrate import UTF8LongText, UTF8CharField
 
+
 def upgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     # ### commands auto generated by Alembic - please adjust! ###
-    op.drop_table('tag')
-    op.drop_table('manifestlistmanifest')
-    op.drop_table('manifestlist')
-    op.drop_table('manifestblob')
-    op.drop_table('manifest')
-    op.drop_table('blobplacement')
-    op.drop_table('blob')
-    op.drop_table('blobplacementlocation')
-    op.drop_table('tagkind')
+    op.drop_table("tag")
+    op.drop_table("manifestlistmanifest")
+    op.drop_table("manifestlist")
+    op.drop_table("manifestblob")
+    op.drop_table("manifest")
+    op.drop_table("blobplacement")
+    op.drop_table("blob")
+    op.drop_table("blobplacementlocation")
+    op.drop_table("tagkind")
     # ### end Alembic commands ###
 
 
@@ -35,158 +36,257 @@ def downgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     # ### commands auto generated by Alembic - please adjust! ###
     op.create_table(
-        'tagkind',
-        sa.Column('id', sa.Integer(), nullable=False),
-        sa.Column('name', sa.String(length=255), nullable=False),
-        sa.PrimaryKeyConstraint('id', name=op.f('pk_tagkind'))
+        "tagkind",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("name", sa.String(length=255), nullable=False),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_tagkind")),
     )
-    op.create_index('tagkind_name', 'tagkind', ['name'], unique=True)
+    op.create_index("tagkind_name", "tagkind", ["name"], unique=True)
 
     op.create_table(
-        'blobplacementlocation',
-        sa.Column('id', sa.Integer(), nullable=False),
-        sa.Column('name', sa.String(length=255), nullable=False),
-        sa.PrimaryKeyConstraint('id', name=op.f('pk_blobplacementlocation'))
+        "blobplacementlocation",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("name", sa.String(length=255), nullable=False),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_blobplacementlocation")),
+    )
+    op.create_index(
+        "blobplacementlocation_name", "blobplacementlocation", ["name"], unique=True
     )
-    op.create_index('blobplacementlocation_name', 'blobplacementlocation', ['name'], unique=True)
 
     op.create_table(
-        'blob',
-        sa.Column('id', sa.Integer(), nullable=False),
-        sa.Column('digest', sa.String(length=255), nullable=False),
-        sa.Column('media_type_id', sa.Integer(), nullable=False),
-        sa.Column('size', sa.BigInteger(), nullable=False),
-        sa.Column('uncompressed_size', sa.BigInteger(), nullable=True),
-        sa.ForeignKeyConstraint(['media_type_id'], ['mediatype.id'], name=op.f('fk_blob_media_type_id_mediatype')),
-        sa.PrimaryKeyConstraint('id', name=op.f('pk_blob'))
+        "blob",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("digest", sa.String(length=255), nullable=False),
+        sa.Column("media_type_id", sa.Integer(), nullable=False),
+        sa.Column("size", sa.BigInteger(), nullable=False),
+        sa.Column("uncompressed_size", sa.BigInteger(), nullable=True),
+        sa.ForeignKeyConstraint(
+            ["media_type_id"],
+            ["mediatype.id"],
+            name=op.f("fk_blob_media_type_id_mediatype"),
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_blob")),
     )
-    op.create_index('blob_digest', 'blob', ['digest'], unique=True)
-    op.create_index('blob_media_type_id', 'blob', ['media_type_id'], unique=False)
+    op.create_index("blob_digest", "blob", ["digest"], unique=True)
+    op.create_index("blob_media_type_id", "blob", ["media_type_id"], unique=False)
 
     op.create_table(
-        'manifest',
-        sa.Column('id', sa.Integer(), nullable=False),
-        sa.Column('digest', sa.String(length=255), nullable=False),
-        sa.Column('media_type_id', sa.Integer(), nullable=False),
-        sa.Column('manifest_json', UTF8LongText, nullable=False),
-        sa.ForeignKeyConstraint(['media_type_id'], ['mediatype.id'], name=op.f('fk_manifest_media_type_id_mediatype')),
-        sa.PrimaryKeyConstraint('id', name=op.f('pk_manifest'))
+        "manifest",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("digest", sa.String(length=255), nullable=False),
+        sa.Column("media_type_id", sa.Integer(), nullable=False),
+        sa.Column("manifest_json", UTF8LongText, nullable=False),
+        sa.ForeignKeyConstraint(
+            ["media_type_id"],
+            ["mediatype.id"],
+            name=op.f("fk_manifest_media_type_id_mediatype"),
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_manifest")),
+    )
+    op.create_index("manifest_digest", "manifest", ["digest"], unique=True)
+    op.create_index(
+        "manifest_media_type_id", "manifest", ["media_type_id"], unique=False
     )
-    op.create_index('manifest_digest', 'manifest', ['digest'], unique=True)
-    op.create_index('manifest_media_type_id', 'manifest', ['media_type_id'], unique=False)
 
     op.create_table(
-        'manifestlist',
-        sa.Column('id', sa.Integer(), nullable=False),
-        sa.Column('digest', sa.String(length=255), nullable=False),
-        sa.Column('manifest_list_json', UTF8LongText, nullable=False),
-        sa.Column('schema_version', UTF8CharField(length=255), nullable=False),
-        sa.Column('media_type_id', sa.Integer(), nullable=False),
-        sa.ForeignKeyConstraint(['media_type_id'], ['mediatype.id'], name=op.f('fk_manifestlist_media_type_id_mediatype')),
-        sa.PrimaryKeyConstraint('id', name=op.f('pk_manifestlist'))
+        "manifestlist",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("digest", sa.String(length=255), nullable=False),
+        sa.Column("manifest_list_json", UTF8LongText, nullable=False),
+        sa.Column("schema_version", UTF8CharField(length=255), nullable=False),
+        sa.Column("media_type_id", sa.Integer(), nullable=False),
+        sa.ForeignKeyConstraint(
+            ["media_type_id"],
+            ["mediatype.id"],
+            name=op.f("fk_manifestlist_media_type_id_mediatype"),
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_manifestlist")),
+    )
+    op.create_index("manifestlist_digest", "manifestlist", ["digest"], unique=True)
+    op.create_index(
+        "manifestlist_media_type_id", "manifestlist", ["media_type_id"], unique=False
     )
-    op.create_index('manifestlist_digest', 'manifestlist', ['digest'], unique=True)
-    op.create_index('manifestlist_media_type_id', 'manifestlist', ['media_type_id'], unique=False)
 
     op.create_table(
-        'blobplacement',
-        sa.Column('id', sa.Integer(), nullable=False),
-        sa.Column('blob_id', sa.Integer(), nullable=False),
-        sa.Column('location_id', sa.Integer(), nullable=False),
-        sa.ForeignKeyConstraint(['blob_id'], ['blob.id'], name=op.f('fk_blobplacement_blob_id_blob')),
-        sa.ForeignKeyConstraint(['location_id'], ['blobplacementlocation.id'], name=op.f('fk_blobplacement_location_id_blobplacementlocation')),
-        sa.PrimaryKeyConstraint('id', name=op.f('pk_blobplacement'))
+        "blobplacement",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("blob_id", sa.Integer(), nullable=False),
+        sa.Column("location_id", sa.Integer(), nullable=False),
+        sa.ForeignKeyConstraint(
+            ["blob_id"], ["blob.id"], name=op.f("fk_blobplacement_blob_id_blob")
+        ),
+        sa.ForeignKeyConstraint(
+            ["location_id"],
+            ["blobplacementlocation.id"],
+            name=op.f("fk_blobplacement_location_id_blobplacementlocation"),
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_blobplacement")),
+    )
+    op.create_index("blobplacement_blob_id", "blobplacement", ["blob_id"], unique=False)
+    op.create_index(
+        "blobplacement_blob_id_location_id",
+        "blobplacement",
+        ["blob_id", "location_id"],
+        unique=True,
+    )
+    op.create_index(
+        "blobplacement_location_id", "blobplacement", ["location_id"], unique=False
     )
-    op.create_index('blobplacement_blob_id', 'blobplacement', ['blob_id'], unique=False)
-    op.create_index('blobplacement_blob_id_location_id', 'blobplacement', ['blob_id', 'location_id'], unique=True)
-    op.create_index('blobplacement_location_id', 'blobplacement', ['location_id'], unique=False)
 
     op.create_table(
-        'manifestblob',
-        sa.Column('id', sa.Integer(), nullable=False),
-        sa.Column('manifest_id', sa.Integer(), nullable=False),
-        sa.Column('blob_id', sa.Integer(), nullable=False),
-        sa.ForeignKeyConstraint(['blob_id'], ['blob.id'], name=op.f('fk_manifestblob_blob_id_blob')),
-        sa.ForeignKeyConstraint(['manifest_id'], ['manifest.id'], name=op.f('fk_manifestblob_manifest_id_manifest')),
-        sa.PrimaryKeyConstraint('id', name=op.f('pk_manifestblob'))
+        "manifestblob",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("manifest_id", sa.Integer(), nullable=False),
+        sa.Column("blob_id", sa.Integer(), nullable=False),
+        sa.ForeignKeyConstraint(
+            ["blob_id"], ["blob.id"], name=op.f("fk_manifestblob_blob_id_blob")
+        ),
+        sa.ForeignKeyConstraint(
+            ["manifest_id"],
+            ["manifest.id"],
+            name=op.f("fk_manifestblob_manifest_id_manifest"),
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_manifestblob")),
+    )
+    op.create_index("manifestblob_blob_id", "manifestblob", ["blob_id"], unique=False)
+    op.create_index(
+        "manifestblob_manifest_id", "manifestblob", ["manifest_id"], unique=False
+    )
+    op.create_index(
+        "manifestblob_manifest_id_blob_id",
+        "manifestblob",
+        ["manifest_id", "blob_id"],
+        unique=True,
     )
-    op.create_index('manifestblob_blob_id', 'manifestblob', ['blob_id'], unique=False)
-    op.create_index('manifestblob_manifest_id', 'manifestblob', ['manifest_id'], unique=False)
-    op.create_index('manifestblob_manifest_id_blob_id', 'manifestblob', ['manifest_id', 'blob_id'], unique=True)
 
     op.create_table(
-        'manifestlistmanifest',
-        sa.Column('id', sa.Integer(), nullable=False),
-        sa.Column('manifest_list_id', sa.Integer(), nullable=False),
-        sa.Column('manifest_id', sa.Integer(), nullable=False),
-        sa.Column('operating_system', UTF8CharField(length=255), nullable=True),
-        sa.Column('architecture', UTF8CharField(length=255), nullable=True),
-        sa.Column('platform_json', UTF8LongText, nullable=True),
-        sa.Column('media_type_id', sa.Integer(), nullable=False),
-        sa.ForeignKeyConstraint(['manifest_id'], ['manifest.id'], name=op.f('fk_manifestlistmanifest_manifest_id_manifest')),
-        sa.ForeignKeyConstraint(['manifest_list_id'], ['manifestlist.id'], name=op.f('fk_manifestlistmanifest_manifest_list_id_manifestlist')),
-        sa.ForeignKeyConstraint(['media_type_id'], ['mediatype.id'], name=op.f('fk_manifestlistmanifest_media_type_id_mediatype')),
-        sa.PrimaryKeyConstraint('id', name=op.f('pk_manifestlistmanifest'))
+        "manifestlistmanifest",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("manifest_list_id", sa.Integer(), nullable=False),
+        sa.Column("manifest_id", sa.Integer(), nullable=False),
+        sa.Column("operating_system", UTF8CharField(length=255), nullable=True),
+        sa.Column("architecture", UTF8CharField(length=255), nullable=True),
+        sa.Column("platform_json", UTF8LongText, nullable=True),
+        sa.Column("media_type_id", sa.Integer(), nullable=False),
+        sa.ForeignKeyConstraint(
+            ["manifest_id"],
+            ["manifest.id"],
+            name=op.f("fk_manifestlistmanifest_manifest_id_manifest"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["manifest_list_id"],
+            ["manifestlist.id"],
+            name=op.f("fk_manifestlistmanifest_manifest_list_id_manifestlist"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["media_type_id"],
+            ["mediatype.id"],
+            name=op.f("fk_manifestlistmanifest_media_type_id_mediatype"),
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_manifestlistmanifest")),
+    )
+    op.create_index(
+        "manifestlistmanifest_manifest_id",
+        "manifestlistmanifest",
+        ["manifest_id"],
+        unique=False,
+    )
+    op.create_index(
+        "manifestlistmanifest_manifest_list_id",
+        "manifestlistmanifest",
+        ["manifest_list_id"],
+        unique=False,
+    )
+    op.create_index(
+        "manifestlistmanifest_manifest_listid_os_arch_mtid",
+        "manifestlistmanifest",
+        ["manifest_list_id", "operating_system", "architecture", "media_type_id"],
+        unique=False,
+    )
+    op.create_index(
+        "manifestlistmanifest_manifest_listid_mtid",
+        "manifestlistmanifest",
+        ["manifest_list_id", "media_type_id"],
+        unique=False,
+    )
+    op.create_index(
+        "manifestlistmanifest_media_type_id",
+        "manifestlistmanifest",
+        ["media_type_id"],
+        unique=False,
     )
-    op.create_index('manifestlistmanifest_manifest_id', 'manifestlistmanifest', ['manifest_id'], unique=False)
-    op.create_index('manifestlistmanifest_manifest_list_id', 'manifestlistmanifest', ['manifest_list_id'], unique=False)
-    op.create_index('manifestlistmanifest_manifest_listid_os_arch_mtid', 'manifestlistmanifest', ['manifest_list_id', 'operating_system', 'architecture', 'media_type_id'], unique=False)
-    op.create_index('manifestlistmanifest_manifest_listid_mtid', 'manifestlistmanifest', ['manifest_list_id', 'media_type_id'], unique=False)
-    op.create_index('manifestlistmanifest_media_type_id', 'manifestlistmanifest', ['media_type_id'], unique=False)
 
     op.create_table(
-        'tag',
-        sa.Column('id', sa.Integer(), nullable=False),
-        sa.Column('name', UTF8CharField(length=190), nullable=False),
-        sa.Column('repository_id', sa.Integer(), nullable=False),
-        sa.Column('manifest_list_id', sa.Integer(), nullable=True),
-        sa.Column('lifetime_start', sa.BigInteger(), nullable=False),
-        sa.Column('lifetime_end', sa.BigInteger(), nullable=True),
-        sa.Column('hidden', sa.Boolean(), nullable=False),
-        sa.Column('reverted', sa.Boolean(), nullable=False),
-        sa.Column('protected', sa.Boolean(), nullable=False),
-        sa.Column('tag_kind_id', sa.Integer(), nullable=False),
-        sa.Column('linked_tag_id', sa.Integer(), nullable=True),
-        sa.ForeignKeyConstraint(['linked_tag_id'], ['tag.id'], name=op.f('fk_tag_linked_tag_id_tag')),
-        sa.ForeignKeyConstraint(['manifest_list_id'], ['manifestlist.id'], name=op.f('fk_tag_manifest_list_id_manifestlist')),
-        sa.ForeignKeyConstraint(['repository_id'], ['repository.id'], name=op.f('fk_tag_repository_id_repository')),
-        sa.ForeignKeyConstraint(['tag_kind_id'], ['tagkind.id'], name=op.f('fk_tag_tag_kind_id_tagkind')),
-        sa.PrimaryKeyConstraint('id', name=op.f('pk_tag'))
+        "tag",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("name", UTF8CharField(length=190), nullable=False),
+        sa.Column("repository_id", sa.Integer(), nullable=False),
+        sa.Column("manifest_list_id", sa.Integer(), nullable=True),
+        sa.Column("lifetime_start", sa.BigInteger(), nullable=False),
+        sa.Column("lifetime_end", sa.BigInteger(), nullable=True),
+        sa.Column("hidden", sa.Boolean(), nullable=False),
+        sa.Column("reverted", sa.Boolean(), nullable=False),
+        sa.Column("protected", sa.Boolean(), nullable=False),
+        sa.Column("tag_kind_id", sa.Integer(), nullable=False),
+        sa.Column("linked_tag_id", sa.Integer(), nullable=True),
+        sa.ForeignKeyConstraint(
+            ["linked_tag_id"], ["tag.id"], name=op.f("fk_tag_linked_tag_id_tag")
+        ),
+        sa.ForeignKeyConstraint(
+            ["manifest_list_id"],
+            ["manifestlist.id"],
+            name=op.f("fk_tag_manifest_list_id_manifestlist"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["repository_id"],
+            ["repository.id"],
+            name=op.f("fk_tag_repository_id_repository"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["tag_kind_id"], ["tagkind.id"], name=op.f("fk_tag_tag_kind_id_tagkind")
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_tag")),
     )
-    op.create_index('tag_lifetime_end', 'tag', ['lifetime_end'], unique=False)
-    op.create_index('tag_linked_tag_id', 'tag', ['linked_tag_id'], unique=False)
-    op.create_index('tag_manifest_list_id', 'tag', ['manifest_list_id'], unique=False)
-    op.create_index('tag_repository_id', 'tag', ['repository_id'], unique=False)
-    op.create_index('tag_repository_id_name_hidden', 'tag', ['repository_id', 'name', 'hidden'], unique=False)
-    op.create_index('tag_repository_id_name_lifetime_end', 'tag', ['repository_id', 'name', 'lifetime_end'], unique=True)
-    op.create_index('tag_repository_id_name', 'tag', ['repository_id', 'name'], unique=False)
-    op.create_index('tag_tag_kind_id', 'tag', ['tag_kind_id'], unique=False)
+    op.create_index("tag_lifetime_end", "tag", ["lifetime_end"], unique=False)
+    op.create_index("tag_linked_tag_id", "tag", ["linked_tag_id"], unique=False)
+    op.create_index("tag_manifest_list_id", "tag", ["manifest_list_id"], unique=False)
+    op.create_index("tag_repository_id", "tag", ["repository_id"], unique=False)
+    op.create_index(
+        "tag_repository_id_name_hidden",
+        "tag",
+        ["repository_id", "name", "hidden"],
+        unique=False,
+    )
+    op.create_index(
+        "tag_repository_id_name_lifetime_end",
+        "tag",
+        ["repository_id", "name", "lifetime_end"],
+        unique=True,
+    )
+    op.create_index(
+        "tag_repository_id_name", "tag", ["repository_id", "name"], unique=False
+    )
+    op.create_index("tag_tag_kind_id", "tag", ["tag_kind_id"], unique=False)
 
     # ### end Alembic commands ###
 
-    blobplacementlocation_table = table('blobplacementlocation',
-        column('id', sa.Integer()),
-        column('name', sa.String()),
+    blobplacementlocation_table = table(
+        "blobplacementlocation", column("id", sa.Integer()), column("name", sa.String())
     )
 
     op.bulk_insert(
-        blobplacementlocation_table,
-        [
-        {'name': 'local_eu'},
-        {'name': 'local_us'},
-        ],
+        blobplacementlocation_table, [{"name": "local_eu"}, {"name": "local_us"}]
     )
 
-    tagkind_table = table('tagkind',
-        column('id', sa.Integer()),
-        column('name', sa.String()),
+    tagkind_table = table(
+        "tagkind", column("id", sa.Integer()), column("name", sa.String())
     )
 
     op.bulk_insert(
         tagkind_table,
         [
-        {'id': 1, 'name': 'tag'},
-        {'id': 2, 'name': 'release'},
-        {'id': 3, 'name': 'channel'},
-        ]
-    )
\ No newline at end of file
+            {"id": 1, "name": "tag"},
+            {"id": 2, "name": "release"},
+            {"id": 3, "name": "channel"},
+        ],
+    )
diff --git a/data/migrations/versions/d42c175b439a_backfill_state_id_and_make_it_unique.py b/data/migrations/versions/d42c175b439a_backfill_state_id_and_make_it_unique.py
index 24a65b8a4..a31f1acb3 100644
--- a/data/migrations/versions/d42c175b439a_backfill_state_id_and_make_it_unique.py
+++ b/data/migrations/versions/d42c175b439a_backfill_state_id_and_make_it_unique.py
@@ -7,14 +7,15 @@ Create Date: 2017-01-18 15:11:01.635632
 """
 
 # revision identifiers, used by Alembic.
-revision = 'd42c175b439a'
-down_revision = '3e8cc74a1e7b'
+revision = "d42c175b439a"
+down_revision = "3e8cc74a1e7b"
 
 from alembic import op as original_op
 from data.migrations.progress import ProgressWrapper
 import sqlalchemy as sa
 from sqlalchemy.dialects import mysql
 
+
 def upgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     # Backfill the queueitem table's state_id field with unique values for all entries which are
@@ -23,14 +24,14 @@ def upgrade(tables, tester, progress_reporter):
     conn.execute("update queueitem set state_id = id where state_id = ''")
 
     # ### commands auto generated by Alembic - please adjust! ###
-    op.drop_index('queueitem_state_id', table_name='queueitem')
-    op.create_index('queueitem_state_id', 'queueitem', ['state_id'], unique=True)
+    op.drop_index("queueitem_state_id", table_name="queueitem")
+    op.create_index("queueitem_state_id", "queueitem", ["state_id"], unique=True)
     # ### end Alembic commands ###
 
 
 def downgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     # ### commands auto generated by Alembic - please adjust! ###
-    op.drop_index('queueitem_state_id', table_name='queueitem')
-    op.create_index('queueitem_state_id', 'queueitem', ['state_id'], unique=False)
+    op.drop_index("queueitem_state_id", table_name="queueitem")
+    op.create_index("queueitem_state_id", "queueitem", ["state_id"], unique=False)
     # ### end Alembic commands ###
diff --git a/data/migrations/versions/d8989249f8f6_add_change_tag_expiration_log_type.py b/data/migrations/versions/d8989249f8f6_add_change_tag_expiration_log_type.py
index 42ec883eb..27a1dbc49 100644
--- a/data/migrations/versions/d8989249f8f6_add_change_tag_expiration_log_type.py
+++ b/data/migrations/versions/d8989249f8f6_add_change_tag_expiration_log_type.py
@@ -7,22 +7,22 @@ Create Date: 2017-06-21 21:18:25.948689
 """
 
 # revision identifiers, used by Alembic.
-revision = 'd8989249f8f6'
-down_revision = 'dc4af11a5f90'
+revision = "d8989249f8f6"
+down_revision = "dc4af11a5f90"
 
 from alembic import op as original_op
 from data.migrations.progress import ProgressWrapper
 
+
 def upgrade(tables, tester, progress_reporter):
-  op = ProgressWrapper(original_op, progress_reporter)
-  op.bulk_insert(tables.logentrykind, [
-    {'name': 'change_tag_expiration'},
-  ])
+    op = ProgressWrapper(original_op, progress_reporter)
+    op.bulk_insert(tables.logentrykind, [{"name": "change_tag_expiration"}])
 
 
 def downgrade(tables, tester, progress_reporter):
-  op = ProgressWrapper(original_op, progress_reporter)
-  op.execute(tables
-             .logentrykind
-             .delete()
-             .where(tables.logentrykind.c.name == op.inline_literal('change_tag_expiration')))
+    op = ProgressWrapper(original_op, progress_reporter)
+    op.execute(
+        tables.logentrykind.delete().where(
+            tables.logentrykind.c.name == op.inline_literal("change_tag_expiration")
+        )
+    )
diff --git a/data/migrations/versions/dc4af11a5f90_add_notification_number_of_failures_.py b/data/migrations/versions/dc4af11a5f90_add_notification_number_of_failures_.py
index dc8512026..5ec6a1ddd 100644
--- a/data/migrations/versions/dc4af11a5f90_add_notification_number_of_failures_.py
+++ b/data/migrations/versions/dc4af11a5f90_add_notification_number_of_failures_.py
@@ -7,8 +7,8 @@ Create Date: 2017-05-16 17:24:02.630365
 """
 
 # revision identifiers, used by Alembic.
-revision = 'dc4af11a5f90'
-down_revision = '53e2ac668296'
+revision = "dc4af11a5f90"
+down_revision = "53e2ac668296"
 
 import sqlalchemy as sa
 from alembic import op as original_op
@@ -16,24 +16,27 @@ from data.migrations.progress import ProgressWrapper
 
 
 def upgrade(tables, tester, progress_reporter):
-  op = ProgressWrapper(original_op, progress_reporter)
-  op.add_column('repositorynotification', sa.Column('number_of_failures',
-                                                    sa.Integer(),
-                                                    nullable=False,
-                                                    server_default='0'))
-  op.bulk_insert(tables.logentrykind, [
-    {'name': 'reset_repo_notification'},
-  ])
+    op = ProgressWrapper(original_op, progress_reporter)
+    op.add_column(
+        "repositorynotification",
+        sa.Column(
+            "number_of_failures", sa.Integer(), nullable=False, server_default="0"
+        ),
+    )
+    op.bulk_insert(tables.logentrykind, [{"name": "reset_repo_notification"}])
 
-  # ### population of test data ### #
-  tester.populate_column('repositorynotification', 'number_of_failures', tester.TestDataType.Integer)
-  # ### end population of test data ### #
+    # ### population of test data ### #
+    tester.populate_column(
+        "repositorynotification", "number_of_failures", tester.TestDataType.Integer
+    )
+    # ### end population of test data ### #
 
 
 def downgrade(tables, tester, progress_reporter):
-  op = ProgressWrapper(original_op, progress_reporter)
-  op.drop_column('repositorynotification', 'number_of_failures')
-  op.execute(tables
-             .logentrykind
-             .delete()
-             .where(tables.logentrykind.c.name == op.inline_literal('reset_repo_notification')))
+    op = ProgressWrapper(original_op, progress_reporter)
+    op.drop_column("repositorynotification", "number_of_failures")
+    op.execute(
+        tables.logentrykind.delete().where(
+            tables.logentrykind.c.name == op.inline_literal("reset_repo_notification")
+        )
+    )
diff --git a/data/migrations/versions/e184af42242d_add_missing_index_on_uuid_fields.py b/data/migrations/versions/e184af42242d_add_missing_index_on_uuid_fields.py
index b4513ce6d..4477260ec 100644
--- a/data/migrations/versions/e184af42242d_add_missing_index_on_uuid_fields.py
+++ b/data/migrations/versions/e184af42242d_add_missing_index_on_uuid_fields.py
@@ -7,25 +7,30 @@ Create Date: 2019-02-14 16:35:47.768086
 """
 
 # revision identifiers, used by Alembic.
-revision = 'e184af42242d'
-down_revision = '6ec8726c0ace'
+revision = "e184af42242d"
+down_revision = "6ec8726c0ace"
 
 from alembic import op as original_op
 from data.migrations.progress import ProgressWrapper
 
+
 def upgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     # ### commands auto generated by Alembic - please adjust! ###
-    op.create_index('permissionprototype_uuid', 'permissionprototype', ['uuid'], unique=False)
-    op.create_index('repositorybuildtrigger_uuid', 'repositorybuildtrigger', ['uuid'], unique=False)
-    op.create_index('user_uuid', 'user', ['uuid'], unique=False)
+    op.create_index(
+        "permissionprototype_uuid", "permissionprototype", ["uuid"], unique=False
+    )
+    op.create_index(
+        "repositorybuildtrigger_uuid", "repositorybuildtrigger", ["uuid"], unique=False
+    )
+    op.create_index("user_uuid", "user", ["uuid"], unique=False)
     # ### end Alembic commands ###
 
 
 def downgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     # ### commands auto generated by Alembic - please adjust! ###
-    op.drop_index('user_uuid', table_name='user')
-    op.drop_index('repositorybuildtrigger_uuid', table_name='repositorybuildtrigger')
-    op.drop_index('permissionprototype_uuid', table_name='permissionprototype')
+    op.drop_index("user_uuid", table_name="user")
+    op.drop_index("repositorybuildtrigger_uuid", table_name="repositorybuildtrigger")
+    op.drop_index("permissionprototype_uuid", table_name="permissionprototype")
     # ### end Alembic commands ###
diff --git a/data/migrations/versions/e2894a3a3c19_add_full_text_search_indexing_for_repo_.py b/data/migrations/versions/e2894a3a3c19_add_full_text_search_indexing_for_repo_.py
index 13ed12ba5..f858e1a33 100644
--- a/data/migrations/versions/e2894a3a3c19_add_full_text_search_indexing_for_repo_.py
+++ b/data/migrations/versions/e2894a3a3c19_add_full_text_search_indexing_for_repo_.py
@@ -7,25 +7,42 @@ Create Date: 2017-01-11 13:55:54.890774
 """
 
 # revision identifiers, used by Alembic.
-revision = 'e2894a3a3c19'
-down_revision = 'd42c175b439a'
+revision = "e2894a3a3c19"
+down_revision = "d42c175b439a"
 
 from alembic import op as original_op
 from data.migrations.progress import ProgressWrapper
 import sqlalchemy as sa
 from sqlalchemy.dialects import mysql
 
+
 def upgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     # ### commands auto generated by Alembic - please adjust! ###
-    op.create_index('repository_description__fulltext', 'repository', ['description'], unique=False, postgresql_using='gin', postgresql_ops={'description': 'gin_trgm_ops'}, mysql_prefix='FULLTEXT')
-    op.create_index('repository_name__fulltext', 'repository', ['name'], unique=False, postgresql_using='gin', postgresql_ops={'name': 'gin_trgm_ops'}, mysql_prefix='FULLTEXT')
+    op.create_index(
+        "repository_description__fulltext",
+        "repository",
+        ["description"],
+        unique=False,
+        postgresql_using="gin",
+        postgresql_ops={"description": "gin_trgm_ops"},
+        mysql_prefix="FULLTEXT",
+    )
+    op.create_index(
+        "repository_name__fulltext",
+        "repository",
+        ["name"],
+        unique=False,
+        postgresql_using="gin",
+        postgresql_ops={"name": "gin_trgm_ops"},
+        mysql_prefix="FULLTEXT",
+    )
     # ### end Alembic commands ###
 
 
 def downgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     # ### commands auto generated by Alembic - please adjust! ###
-    op.drop_index('repository_name__fulltext', table_name='repository')
-    op.drop_index('repository_description__fulltext', table_name='repository')
+    op.drop_index("repository_name__fulltext", table_name="repository")
+    op.drop_index("repository_description__fulltext", table_name="repository")
     # ### end Alembic commands ###
diff --git a/data/migrations/versions/eafdeadcebc7_remove_blob_index_from_manifestblob_.py b/data/migrations/versions/eafdeadcebc7_remove_blob_index_from_manifestblob_.py
index e2e69d99f..3ed8c3856 100644
--- a/data/migrations/versions/eafdeadcebc7_remove_blob_index_from_manifestblob_.py
+++ b/data/migrations/versions/eafdeadcebc7_remove_blob_index_from_manifestblob_.py
@@ -7,25 +7,39 @@ Create Date: 2018-08-07 15:57:54.001225
 """
 
 # revision identifiers, used by Alembic.
-revision = 'eafdeadcebc7'
-down_revision = '9093adccc784'
+revision = "eafdeadcebc7"
+down_revision = "9093adccc784"
 
 from alembic import op as original_op
 from data.migrations.progress import ProgressWrapper
 import sqlalchemy as sa
 from sqlalchemy.dialects import mysql
 
+
 def upgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     # ### commands auto generated by Alembic - please adjust! ###
-    op.drop_index('manifestblob_manifest_id_blob_index', table_name='manifestblob')
-    op.drop_column('manifestblob', 'blob_index')
+    op.drop_index("manifestblob_manifest_id_blob_index", table_name="manifestblob")
+    op.drop_column("manifestblob", "blob_index")
     # ### end Alembic commands ###
 
 
 def downgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     # ### commands auto generated by Alembic - please adjust! ###
-    op.add_column('manifestblob', sa.Column('blob_index', mysql.INTEGER(display_width=11), autoincrement=False, nullable=True))
-    op.create_index('manifestblob_manifest_id_blob_index', 'manifestblob', ['manifest_id', 'blob_index'], unique=True)
+    op.add_column(
+        "manifestblob",
+        sa.Column(
+            "blob_index",
+            mysql.INTEGER(display_width=11),
+            autoincrement=False,
+            nullable=True,
+        ),
+    )
+    op.create_index(
+        "manifestblob_manifest_id_blob_index",
+        "manifestblob",
+        ["manifest_id", "blob_index"],
+        unique=True,
+    )
     # ### end Alembic commands ###
diff --git a/data/migrations/versions/ed01e313d3cb_add_trust_enabled_to_repository.py b/data/migrations/versions/ed01e313d3cb_add_trust_enabled_to_repository.py
index 2a59ee4ec..85d584e0c 100644
--- a/data/migrations/versions/ed01e313d3cb_add_trust_enabled_to_repository.py
+++ b/data/migrations/versions/ed01e313d3cb_add_trust_enabled_to_repository.py
@@ -7,35 +7,42 @@ Create Date: 2017-04-14 17:38:03.319695
 """
 
 # revision identifiers, used by Alembic.
-revision = 'ed01e313d3cb'
-down_revision = 'c3d4b7ebcdf7'
+revision = "ed01e313d3cb"
+down_revision = "c3d4b7ebcdf7"
 
 from alembic import op as original_op
 from data.migrations.progress import ProgressWrapper
 import sqlalchemy as sa
 
+
 def upgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     ### commands auto generated by Alembic - please adjust! ###
-    op.add_column('repository', sa.Column('trust_enabled', sa.Boolean(), nullable=False, server_default=sa.sql.expression.false()))
+    op.add_column(
+        "repository",
+        sa.Column(
+            "trust_enabled",
+            sa.Boolean(),
+            nullable=False,
+            server_default=sa.sql.expression.false(),
+        ),
+    )
     ### end Alembic commands ###
-    op.bulk_insert(tables.logentrykind, [
-        {'name': 'change_repo_trust'},
-    ])
+    op.bulk_insert(tables.logentrykind, [{"name": "change_repo_trust"}])
 
     # ### population of test data ### #
-    tester.populate_column('repository', 'trust_enabled', tester.TestDataType.Boolean)
+    tester.populate_column("repository", "trust_enabled", tester.TestDataType.Boolean)
     # ### end population of test data ### #
 
 
 def downgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     ### commands auto generated by Alembic - please adjust! ###
-    op.drop_column('repository', 'trust_enabled')
+    op.drop_column("repository", "trust_enabled")
     ### end Alembic commands ###
 
-    op.execute(tables
-               .logentrykind
-               .delete()
-               .where(tables.
-                      logentrykind.name == op.inline_literal('change_repo_trust')))
+    op.execute(
+        tables.logentrykind.delete().where(
+            tables.logentrykind.name == op.inline_literal("change_repo_trust")
+        )
+    )
diff --git a/data/migrations/versions/f30984525c86_add_repositorysearchscore_table.py b/data/migrations/versions/f30984525c86_add_repositorysearchscore_table.py
index f4a0d4045..bdec2639e 100644
--- a/data/migrations/versions/f30984525c86_add_repositorysearchscore_table.py
+++ b/data/migrations/versions/f30984525c86_add_repositorysearchscore_table.py
@@ -7,40 +7,56 @@ Create Date: 2017-04-04 14:30:13.270728
 """
 
 # revision identifiers, used by Alembic.
-revision = 'f30984525c86'
-down_revision = 'be8d1c402ce0'
+revision = "f30984525c86"
+down_revision = "be8d1c402ce0"
 
 from alembic import op as original_op
 from data.migrations.progress import ProgressWrapper
 import sqlalchemy as sa
 from sqlalchemy.dialects import mysql
 
+
 def upgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     ### commands auto generated by Alembic - please adjust! ###
-    op.create_table('repositorysearchscore',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('repository_id', sa.Integer(), nullable=False),
-    sa.Column('score', sa.BigInteger(), nullable=False),
-    sa.Column('last_updated', sa.DateTime(), nullable=True),
-    sa.ForeignKeyConstraint(['repository_id'], ['repository.id'], name=op.f('fk_repositorysearchscore_repository_id_repository')),
-    sa.PrimaryKeyConstraint('id', name=op.f('pk_repositorysearchscore'))
+    op.create_table(
+        "repositorysearchscore",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("repository_id", sa.Integer(), nullable=False),
+        sa.Column("score", sa.BigInteger(), nullable=False),
+        sa.Column("last_updated", sa.DateTime(), nullable=True),
+        sa.ForeignKeyConstraint(
+            ["repository_id"],
+            ["repository.id"],
+            name=op.f("fk_repositorysearchscore_repository_id_repository"),
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_repositorysearchscore")),
+    )
+    op.create_index(
+        "repositorysearchscore_repository_id",
+        "repositorysearchscore",
+        ["repository_id"],
+        unique=True,
+    )
+    op.create_index(
+        "repositorysearchscore_score", "repositorysearchscore", ["score"], unique=False
     )
-    op.create_index('repositorysearchscore_repository_id', 'repositorysearchscore', ['repository_id'], unique=True)
-    op.create_index('repositorysearchscore_score', 'repositorysearchscore', ['score'], unique=False)
     ### end Alembic commands ###
 
     # ### population of test data ### #
-    tester.populate_table('repositorysearchscore', [
-        ('repository_id', tester.TestDataType.Foreign('repository')),
-        ('score', tester.TestDataType.BigInteger),
-        ('last_updated', tester.TestDataType.DateTime),
-    ])
+    tester.populate_table(
+        "repositorysearchscore",
+        [
+            ("repository_id", tester.TestDataType.Foreign("repository")),
+            ("score", tester.TestDataType.BigInteger),
+            ("last_updated", tester.TestDataType.DateTime),
+        ],
+    )
     # ### end population of test data ### #
 
 
 def downgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     ### commands auto generated by Alembic - please adjust! ###
-    op.drop_table('repositorysearchscore')
+    op.drop_table("repositorysearchscore")
     ### end Alembic commands ###
diff --git a/data/migrations/versions/f5167870dd66_update_queue_item_table_indices.py b/data/migrations/versions/f5167870dd66_update_queue_item_table_indices.py
index d801764c1..7875f1f0c 100644
--- a/data/migrations/versions/f5167870dd66_update_queue_item_table_indices.py
+++ b/data/migrations/versions/f5167870dd66_update_queue_item_table_indices.py
@@ -7,37 +7,79 @@ Create Date: 2016-12-08 17:26:20.333846
 """
 
 # revision identifiers, used by Alembic.
-revision = 'f5167870dd66'
-down_revision = '45fd8b9869d4'
+revision = "f5167870dd66"
+down_revision = "45fd8b9869d4"
 
 from alembic import op as original_op
 from data.migrations.progress import ProgressWrapper
 import sqlalchemy as sa
 from sqlalchemy.dialects import mysql
 
+
 def upgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     ### commands auto generated by Alembic - please adjust! ###
-    op.create_index('queueitem_processing_expires_available', 'queueitem', ['processing_expires', 'available'], unique=False)
-    op.create_index('queueitem_pe_aafter_qname_rremaining_available', 'queueitem', ['processing_expires', 'available_after', 'queue_name', 'retries_remaining', 'available'], unique=False)
-    op.create_index('queueitem_pexpires_aafter_rremaining_available', 'queueitem', ['processing_expires', 'available_after', 'retries_remaining', 'available'], unique=False)
-    op.create_index('queueitem_processing_expires_queue_name_available', 'queueitem', ['processing_expires', 'queue_name', 'available'], unique=False)
-    op.drop_index('queueitem_available', table_name='queueitem')
-    op.drop_index('queueitem_available_after', table_name='queueitem')
-    op.drop_index('queueitem_processing_expires', table_name='queueitem')
-    op.drop_index('queueitem_retries_remaining', table_name='queueitem')
+    op.create_index(
+        "queueitem_processing_expires_available",
+        "queueitem",
+        ["processing_expires", "available"],
+        unique=False,
+    )
+    op.create_index(
+        "queueitem_pe_aafter_qname_rremaining_available",
+        "queueitem",
+        [
+            "processing_expires",
+            "available_after",
+            "queue_name",
+            "retries_remaining",
+            "available",
+        ],
+        unique=False,
+    )
+    op.create_index(
+        "queueitem_pexpires_aafter_rremaining_available",
+        "queueitem",
+        ["processing_expires", "available_after", "retries_remaining", "available"],
+        unique=False,
+    )
+    op.create_index(
+        "queueitem_processing_expires_queue_name_available",
+        "queueitem",
+        ["processing_expires", "queue_name", "available"],
+        unique=False,
+    )
+    op.drop_index("queueitem_available", table_name="queueitem")
+    op.drop_index("queueitem_available_after", table_name="queueitem")
+    op.drop_index("queueitem_processing_expires", table_name="queueitem")
+    op.drop_index("queueitem_retries_remaining", table_name="queueitem")
     ### end Alembic commands ###
 
 
 def downgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     ### commands auto generated by Alembic - please adjust! ###
-    op.create_index('queueitem_retries_remaining', 'queueitem', ['retries_remaining'], unique=False)
-    op.create_index('queueitem_processing_expires', 'queueitem', ['processing_expires'], unique=False)
-    op.create_index('queueitem_available_after', 'queueitem', ['available_after'], unique=False)
-    op.create_index('queueitem_available', 'queueitem', ['available'], unique=False)
-    op.drop_index('queueitem_processing_expires_queue_name_available', table_name='queueitem')
-    op.drop_index('queueitem_pexpires_aafter_rremaining_available', table_name='queueitem')
-    op.drop_index('queueitem_pe_aafter_qname_rremaining_available', table_name='queueitem')
-    op.drop_index('queueitem_processing_expires_available', table_name='queueitem')
+    op.create_index(
+        "queueitem_retries_remaining", "queueitem", ["retries_remaining"], unique=False
+    )
+    op.create_index(
+        "queueitem_processing_expires",
+        "queueitem",
+        ["processing_expires"],
+        unique=False,
+    )
+    op.create_index(
+        "queueitem_available_after", "queueitem", ["available_after"], unique=False
+    )
+    op.create_index("queueitem_available", "queueitem", ["available"], unique=False)
+    op.drop_index(
+        "queueitem_processing_expires_queue_name_available", table_name="queueitem"
+    )
+    op.drop_index(
+        "queueitem_pexpires_aafter_rremaining_available", table_name="queueitem"
+    )
+    op.drop_index(
+        "queueitem_pe_aafter_qname_rremaining_available", table_name="queueitem"
+    )
+    op.drop_index("queueitem_processing_expires_available", table_name="queueitem")
     ### end Alembic commands ###
diff --git a/data/migrations/versions/faf752bd2e0a_add_user_metadata_fields.py b/data/migrations/versions/faf752bd2e0a_add_user_metadata_fields.py
index 3e3b9b9a6..95c3e9a56 100644
--- a/data/migrations/versions/faf752bd2e0a_add_user_metadata_fields.py
+++ b/data/migrations/versions/faf752bd2e0a_add_user_metadata_fields.py
@@ -7,8 +7,8 @@ Create Date: 2016-11-14 17:29:03.984665
 """
 
 # revision identifiers, used by Alembic.
-revision = 'faf752bd2e0a'
-down_revision = '6c7014e84a5e'
+revision = "faf752bd2e0a"
+down_revision = "6c7014e84a5e"
 
 from alembic import op as original_op
 from data.migrations.progress import ProgressWrapper
@@ -16,41 +16,52 @@ import sqlalchemy as sa
 
 from util.migrate import UTF8CharField
 
+
 def upgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     ### commands auto generated by Alembic - please adjust! ###
-    op.add_column('user', sa.Column('company', UTF8CharField(length=255), nullable=True))
-    op.add_column('user', sa.Column('family_name', UTF8CharField(length=255), nullable=True))
-    op.add_column('user', sa.Column('given_name', UTF8CharField(length=255), nullable=True))
+    op.add_column(
+        "user", sa.Column("company", UTF8CharField(length=255), nullable=True)
+    )
+    op.add_column(
+        "user", sa.Column("family_name", UTF8CharField(length=255), nullable=True)
+    )
+    op.add_column(
+        "user", sa.Column("given_name", UTF8CharField(length=255), nullable=True)
+    )
     ### end Alembic commands ###
 
-    op.bulk_insert(tables.userpromptkind,
-    [
-        {'name':'enter_name'},
-        {'name':'enter_company'},
-    ])
+    op.bulk_insert(
+        tables.userpromptkind, [{"name": "enter_name"}, {"name": "enter_company"}]
+    )
 
     # ### population of test data ### #
-    tester.populate_column('user', 'company', tester.TestDataType.UTF8Char)
-    tester.populate_column('user', 'family_name', tester.TestDataType.UTF8Char)
-    tester.populate_column('user', 'given_name', tester.TestDataType.UTF8Char)
+    tester.populate_column("user", "company", tester.TestDataType.UTF8Char)
+    tester.populate_column("user", "family_name", tester.TestDataType.UTF8Char)
+    tester.populate_column("user", "given_name", tester.TestDataType.UTF8Char)
     # ### end population of test data ### #
 
 
 def downgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     ### commands auto generated by Alembic - please adjust! ###
-    op.drop_column('user', 'given_name')
-    op.drop_column('user', 'family_name')
-    op.drop_column('user', 'company')
+    op.drop_column("user", "given_name")
+    op.drop_column("user", "family_name")
+    op.drop_column("user", "company")
     ### end Alembic commands ###
 
     op.execute(
-        (tables.userpromptkind.delete()
-         .where(tables.userpromptkind.c.name == op.inline_literal('enter_name')))
+        (
+            tables.userpromptkind.delete().where(
+                tables.userpromptkind.c.name == op.inline_literal("enter_name")
+            )
         )
+    )
 
     op.execute(
-        (tables.userpromptkind.delete()
-         .where(tables.userpromptkind.c.name == op.inline_literal('enter_company')))
+        (
+            tables.userpromptkind.delete().where(
+                tables.userpromptkind.c.name == op.inline_literal("enter_company")
+            )
         )
+    )
diff --git a/data/migrations/versions/fc47c1ec019f_add_state_id_field_to_queueitem.py b/data/migrations/versions/fc47c1ec019f_add_state_id_field_to_queueitem.py
index dd0363ce3..b5defe0a9 100644
--- a/data/migrations/versions/fc47c1ec019f_add_state_id_field_to_queueitem.py
+++ b/data/migrations/versions/fc47c1ec019f_add_state_id_field_to_queueitem.py
@@ -7,29 +7,33 @@ Create Date: 2017-01-12 15:44:23.643016
 """
 
 # revision identifiers, used by Alembic.
-revision = 'fc47c1ec019f'
-down_revision = 'f5167870dd66'
+revision = "fc47c1ec019f"
+down_revision = "f5167870dd66"
 
 from alembic import op as original_op
 from data.migrations.progress import ProgressWrapper
 import sqlalchemy as sa
 from sqlalchemy.dialects import mysql
 
+
 def upgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     # ### commands auto generated by Alembic - please adjust! ###
-    op.add_column('queueitem', sa.Column('state_id', sa.String(length=255), nullable=False, server_default=''))
-    op.create_index('queueitem_state_id', 'queueitem', ['state_id'], unique=False)
+    op.add_column(
+        "queueitem",
+        sa.Column("state_id", sa.String(length=255), nullable=False, server_default=""),
+    )
+    op.create_index("queueitem_state_id", "queueitem", ["state_id"], unique=False)
     # ### end Alembic commands ###
 
     # ### population of test data ### #
-    tester.populate_column('queueitem', 'state_id', tester.TestDataType.String)
+    tester.populate_column("queueitem", "state_id", tester.TestDataType.String)
     # ### end population of test data ### #
 
 
 def downgrade(tables, tester, progress_reporter):
     op = ProgressWrapper(original_op, progress_reporter)
     # ### commands auto generated by Alembic - please adjust! ###
-    op.drop_index('queueitem_state_id', table_name='queueitem')
-    op.drop_column('queueitem', 'state_id')
+    op.drop_index("queueitem_state_id", table_name="queueitem")
+    op.drop_column("queueitem", "state_id")
     # ### end Alembic commands ###
diff --git a/data/migrationutil.py b/data/migrationutil.py
index a433605f5..b68223624 100644
--- a/data/migrationutil.py
+++ b/data/migrationutil.py
@@ -4,66 +4,73 @@ from abc import ABCMeta, abstractmethod, abstractproperty
 from collections import namedtuple
 from six import add_metaclass
 
-MigrationPhase = namedtuple('MigrationPhase', ['name', 'alembic_revision', 'flags'])
+MigrationPhase = namedtuple("MigrationPhase", ["name", "alembic_revision", "flags"])
 
 
 @add_metaclass(ABCMeta)
 class DataMigration(object):
-  @abstractproperty
-  def alembic_migration_revision(self):
-    """ Returns the alembic migration revision corresponding to the currently configured phase.
+    @abstractproperty
+    def alembic_migration_revision(self):
+        """ Returns the alembic migration revision corresponding to the currently configured phase.
     """
 
-  @abstractmethod
-  def has_flag(self, flag):
-    """ Returns true if the data migration's current phase has the given flag set. """
+    @abstractmethod
+    def has_flag(self, flag):
+        """ Returns true if the data migration's current phase has the given flag set. """
 
 
 class NullDataMigration(DataMigration):
-  @property
-  def alembic_migration_revision(self):
-    return 'head'
+    @property
+    def alembic_migration_revision(self):
+        return "head"
 
-  def has_flag(self, flag):
-    raise NotImplementedError()
+    def has_flag(self, flag):
+        raise NotImplementedError()
 
 
 class DefinedDataMigration(DataMigration):
-  def __init__(self, name, env_var, phases):
-    assert phases
+    def __init__(self, name, env_var, phases):
+        assert phases
 
-    self.name = name
-    self.phases = {phase.name: phase for phase in phases}
+        self.name = name
+        self.phases = {phase.name: phase for phase in phases}
 
-    # Add a synthetic phase for new installations that skips the entire migration.
-    self.phases['new-installation'] = phases[-1]._replace(name='new-installation',
-                                                          alembic_revision='head')
+        # Add a synthetic phase for new installations that skips the entire migration.
+        self.phases["new-installation"] = phases[-1]._replace(
+            name="new-installation", alembic_revision="head"
+        )
 
-    phase_name = os.getenv(env_var)
-    if phase_name is None:
-      msg = 'Missing env var `%s` for data migration `%s`. %s' % (env_var, self.name,
-                                                                  self._error_suffix)
-      raise Exception(msg)
+        phase_name = os.getenv(env_var)
+        if phase_name is None:
+            msg = "Missing env var `%s` for data migration `%s`. %s" % (
+                env_var,
+                self.name,
+                self._error_suffix,
+            )
+            raise Exception(msg)
 
-    current_phase = self.phases.get(phase_name)
-    if current_phase is None:
-      msg = 'Unknown phase `%s` for data migration `%s`. %s' % (phase_name, self.name,
-                                                                self._error_suffix)
-      raise Exception(msg)
+        current_phase = self.phases.get(phase_name)
+        if current_phase is None:
+            msg = "Unknown phase `%s` for data migration `%s`. %s" % (
+                phase_name,
+                self.name,
+                self._error_suffix,
+            )
+            raise Exception(msg)
 
-    self.current_phase = current_phase
+        self.current_phase = current_phase
 
-  @property
-  def _error_suffix(self):
-    message = 'Available values for this migration: %s. ' % (self.phases.keys())
-    message += 'If this is a new installation, please use `new-installation`.'
-    return message
+    @property
+    def _error_suffix(self):
+        message = "Available values for this migration: %s. " % (self.phases.keys())
+        message += "If this is a new installation, please use `new-installation`."
+        return message
 
-  @property
-  def alembic_migration_revision(self):
-    assert self.current_phase
-    return self.current_phase.alembic_revision
+    @property
+    def alembic_migration_revision(self):
+        assert self.current_phase
+        return self.current_phase.alembic_revision
 
-  def has_flag(self, flag):
-    assert self.current_phase
-    return flag in self.current_phase.flags
+    def has_flag(self, flag):
+        assert self.current_phase
+        return flag in self.current_phase.flags
diff --git a/data/model/__init__.py b/data/model/__init__.py
index 2c9260469..357474122 100644
--- a/data/model/__init__.py
+++ b/data/model/__init__.py
@@ -2,122 +2,123 @@ from data.database import db, db_transaction
 
 
 class DataModelException(Exception):
-  pass
+    pass
 
 
 class InvalidLabelKeyException(DataModelException):
-  pass
+    pass
 
 
 class InvalidMediaTypeException(DataModelException):
-  pass
+    pass
 
 
 class BlobDoesNotExist(DataModelException):
-  pass
+    pass
 
 
 class TorrentInfoDoesNotExist(DataModelException):
-  pass
+    pass
 
 
 class InvalidBlobUpload(DataModelException):
-  pass
+    pass
 
 
 class InvalidEmailAddressException(DataModelException):
-  pass
+    pass
 
 
 class InvalidOrganizationException(DataModelException):
-  pass
+    pass
 
 
 class InvalidPasswordException(DataModelException):
-  pass
+    pass
 
 
 class InvalidRobotException(DataModelException):
-  pass
+    pass
 
 
 class InvalidUsernameException(DataModelException):
-  pass
+    pass
 
 
 class InvalidRepositoryBuildException(DataModelException):
-  pass
+    pass
 
 
 class InvalidBuildTriggerException(DataModelException):
-  pass
+    pass
 
 
 class InvalidTokenException(DataModelException):
-  pass
+    pass
 
 
 class InvalidNotificationException(DataModelException):
-  pass
+    pass
 
 
 class InvalidImageException(DataModelException):
-  pass
+    pass
 
 
 class UserAlreadyInTeam(DataModelException):
-  pass
+    pass
 
 
 class InvalidTeamException(DataModelException):
-  pass
+    pass
 
 
 class InvalidTeamMemberException(DataModelException):
-  pass
+    pass
 
 
 class InvalidManifestException(DataModelException):
-  pass
+    pass
 
 
 class ServiceKeyDoesNotExist(DataModelException):
-  pass
+    pass
 
 
 class ServiceKeyAlreadyApproved(DataModelException):
-  pass
+    pass
 
 
 class ServiceNameInvalid(DataModelException):
-  pass
+    pass
 
 
 class TagAlreadyCreatedException(DataModelException):
-  pass
+    pass
+
 
 class StaleTagException(DataModelException):
-  pass
+    pass
 
 
 class TooManyLoginAttemptsException(Exception):
-  def __init__(self, message, retry_after):
-    super(TooManyLoginAttemptsException, self).__init__(message)
-    self.retry_after = retry_after
+    def __init__(self, message, retry_after):
+        super(TooManyLoginAttemptsException, self).__init__(message)
+        self.retry_after = retry_after
 
 
 class Config(object):
-  def __init__(self):
-    self.app_config = None
-    self.store = None
-    self.image_cleanup_callbacks = []
-    self.repo_cleanup_callbacks = []
+    def __init__(self):
+        self.app_config = None
+        self.store = None
+        self.image_cleanup_callbacks = []
+        self.repo_cleanup_callbacks = []
 
-  def register_image_cleanup_callback(self, callback):
-    self.image_cleanup_callbacks.append(callback)
-    
-  def register_repo_cleanup_callback(self, callback):
-    self.repo_cleanup_callbacks.append(callback)
+    def register_image_cleanup_callback(self, callback):
+        self.image_cleanup_callbacks.append(callback)
+
+    def register_repo_cleanup_callback(self, callback):
+        self.repo_cleanup_callbacks.append(callback)
 
 
 config = Config()
@@ -126,28 +127,28 @@ config = Config()
 # There MUST NOT be any circular dependencies between these subsections. If there are fix it by
 # moving the minimal number of things to _basequery
 from data.model import (
-  appspecifictoken,
-  blob,
-  build,
-  gc,
-  image,
-  label,
-  log,
-  message,
-  modelutil,
-  notification,
-  oauth,
-  organization,
-  permission,
-  repositoryactioncount,
-  repo_mirror,
-  release,
-  repo_mirror,
-  repository,
-  service_keys,
-  storage,
-  tag,
-  team,
-  token,
-  user,
+    appspecifictoken,
+    blob,
+    build,
+    gc,
+    image,
+    label,
+    log,
+    message,
+    modelutil,
+    notification,
+    oauth,
+    organization,
+    permission,
+    repositoryactioncount,
+    repo_mirror,
+    release,
+    repo_mirror,
+    repository,
+    service_keys,
+    storage,
+    tag,
+    team,
+    token,
+    user,
 )
diff --git a/data/model/_basequery.py b/data/model/_basequery.py
index 5fc1733e0..c7297c87c 100644
--- a/data/model/_basequery.py
+++ b/data/model/_basequery.py
@@ -7,192 +7,228 @@ from datetime import datetime, timedelta
 
 from data.model import DataModelException, config
 from data.readreplica import ReadOnlyModeException
-from data.database import (Repository, User, Team, TeamMember, RepositoryPermission, TeamRole,
-                           Namespace, Visibility, ImageStorage, Image, RepositoryKind,
-                           db_for_update)
+from data.database import (
+    Repository,
+    User,
+    Team,
+    TeamMember,
+    RepositoryPermission,
+    TeamRole,
+    Namespace,
+    Visibility,
+    ImageStorage,
+    Image,
+    RepositoryKind,
+    db_for_update,
+)
 
 logger = logging.getLogger(__name__)
 
+
 def reduce_as_tree(queries_to_reduce):
-  """ This method will split a list of queries into halves recursively until we reach individual
+    """ This method will split a list of queries into halves recursively until we reach individual
       queries, at which point it will start unioning the queries, or the already unioned subqueries.
       This works around a bug in peewee SQL generation where reducing linearly generates a chain
       of queries that will exceed the recursion depth limit when it has around 80 queries.
       """
-  mid = len(queries_to_reduce)/2
-  left = queries_to_reduce[:mid]
-  right = queries_to_reduce[mid:]
+    mid = len(queries_to_reduce) / 2
+    left = queries_to_reduce[:mid]
+    right = queries_to_reduce[mid:]
 
-  to_reduce_right = right[0]
-  if len(right) > 1:
-    to_reduce_right = reduce_as_tree(right)
+    to_reduce_right = right[0]
+    if len(right) > 1:
+        to_reduce_right = reduce_as_tree(right)
 
-  if len(left) > 1:
-    to_reduce_left = reduce_as_tree(left)
-  elif len(left) == 1:
-    to_reduce_left = left[0]
-  else:
-    return to_reduce_right
+    if len(left) > 1:
+        to_reduce_left = reduce_as_tree(left)
+    elif len(left) == 1:
+        to_reduce_left = left[0]
+    else:
+        return to_reduce_right
 
-  return to_reduce_left.union_all(to_reduce_right)
+    return to_reduce_left.union_all(to_reduce_right)
 
 
-def get_existing_repository(namespace_name, repository_name, for_update=False, kind_filter=None):
-  query = (Repository
-           .select(Repository, Namespace)
-           .join(Namespace, on=(Repository.namespace_user == Namespace.id))
-           .where(Namespace.username == namespace_name,
-                  Repository.name == repository_name))
+def get_existing_repository(
+    namespace_name, repository_name, for_update=False, kind_filter=None
+):
+    query = (
+        Repository.select(Repository, Namespace)
+        .join(Namespace, on=(Repository.namespace_user == Namespace.id))
+        .where(Namespace.username == namespace_name, Repository.name == repository_name)
+    )
 
-  if kind_filter:
-    query = (query
-             .switch(Repository)
-             .join(RepositoryKind)
-             .where(RepositoryKind.name == kind_filter))
+    if kind_filter:
+        query = (
+            query.switch(Repository)
+            .join(RepositoryKind)
+            .where(RepositoryKind.name == kind_filter)
+        )
 
-  if for_update:
-    query = db_for_update(query)
+    if for_update:
+        query = db_for_update(query)
 
-  return query.get()
+    return query.get()
 
 
 @lru_cache(maxsize=1)
 def get_public_repo_visibility():
-  return Visibility.get(name='public')
+    return Visibility.get(name="public")
 
 
 def _lookup_team_role(name):
-  return _lookup_team_roles()[name]
+    return _lookup_team_roles()[name]
 
 
 @lru_cache(maxsize=1)
 def _lookup_team_roles():
-  return {role.name:role for role in TeamRole.select()}
+    return {role.name: role for role in TeamRole.select()}
 
 
-def filter_to_repos_for_user(query, user_id=None, namespace=None, repo_kind='image',
-                             include_public=True, start_id=None):
-  if not include_public and not user_id:
-    return Repository.select().where(Repository.id == '-1')
+def filter_to_repos_for_user(
+    query,
+    user_id=None,
+    namespace=None,
+    repo_kind="image",
+    include_public=True,
+    start_id=None,
+):
+    if not include_public and not user_id:
+        return Repository.select().where(Repository.id == "-1")
 
-  # Filter on the type of repository.
-  if repo_kind is not None:
-    try:
-      query = query.where(Repository.kind == Repository.kind.get_id(repo_kind))
-    except RepositoryKind.DoesNotExist:
-      raise DataModelException('Unknown repository kind')
+    # Filter on the type of repository.
+    if repo_kind is not None:
+        try:
+            query = query.where(Repository.kind == Repository.kind.get_id(repo_kind))
+        except RepositoryKind.DoesNotExist:
+            raise DataModelException("Unknown repository kind")
 
-  # Add the start ID if necessary.
-  if start_id is not None:
-    query = query.where(Repository.id >= start_id)
+    # Add the start ID if necessary.
+    if start_id is not None:
+        query = query.where(Repository.id >= start_id)
 
-  # Add a namespace filter if necessary.
-  if namespace:
-    query = query.where(Namespace.username == namespace)
+    # Add a namespace filter if necessary.
+    if namespace:
+        query = query.where(Namespace.username == namespace)
 
-  # Build a set of queries that, when unioned together, return the full set of visible repositories
-  # for the filters specified.
-  queries = []
+    # Build a set of queries that, when unioned together, return the full set of visible repositories
+    # for the filters specified.
+    queries = []
 
-  if include_public:
-    queries.append(query.where(Repository.visibility == get_public_repo_visibility()))
+    if include_public:
+        queries.append(
+            query.where(Repository.visibility == get_public_repo_visibility())
+        )
 
-  if user_id is not None:
-    AdminTeam = Team.alias()
-    AdminTeamMember = TeamMember.alias()
+    if user_id is not None:
+        AdminTeam = Team.alias()
+        AdminTeamMember = TeamMember.alias()
 
-    # Add repositories in which the user has permission.
-    queries.append(query
-                   .switch(RepositoryPermission)
-                   .where(RepositoryPermission.user == user_id))
+        # Add repositories in which the user has permission.
+        queries.append(
+            query.switch(RepositoryPermission).where(
+                RepositoryPermission.user == user_id
+            )
+        )
 
-    # Add repositories in which the user is a member of a team that has permission.
-    queries.append(query
-                   .switch(RepositoryPermission)
-                   .join(Team)
-                   .join(TeamMember)
-                   .where(TeamMember.user == user_id))
+        # Add repositories in which the user is a member of a team that has permission.
+        queries.append(
+            query.switch(RepositoryPermission)
+            .join(Team)
+            .join(TeamMember)
+            .where(TeamMember.user == user_id)
+        )
 
-    # Add repositories under namespaces in which the user is the org admin.
-    queries.append(query
-                   .switch(Repository)
-                   .join(AdminTeam, on=(Repository.namespace_user == AdminTeam.organization))
-                   .join(AdminTeamMember, on=(AdminTeam.id == AdminTeamMember.team))
-                   .where(AdminTeam.role == _lookup_team_role('admin'))
-                   .where(AdminTeamMember.user == user_id))
+        # Add repositories under namespaces in which the user is the org admin.
+        queries.append(
+            query.switch(Repository)
+            .join(AdminTeam, on=(Repository.namespace_user == AdminTeam.organization))
+            .join(AdminTeamMember, on=(AdminTeam.id == AdminTeamMember.team))
+            .where(AdminTeam.role == _lookup_team_role("admin"))
+            .where(AdminTeamMember.user == user_id)
+        )
 
-  return reduce(lambda l, r: l | r, queries)
+    return reduce(lambda l, r: l | r, queries)
 
 
 def get_user_organizations(username):
-  UserAlias = User.alias()
-  return (User
-          .select()
-          .distinct()
-          .join(Team)
-          .join(TeamMember)
-          .join(UserAlias, on=(UserAlias.id == TeamMember.user))
-          .where(User.organization == True, UserAlias.username == username))
+    UserAlias = User.alias()
+    return (
+        User.select()
+        .distinct()
+        .join(Team)
+        .join(TeamMember)
+        .join(UserAlias, on=(UserAlias.id == TeamMember.user))
+        .where(User.organization == True, UserAlias.username == username)
+    )
 
 
 def calculate_image_aggregate_size(ancestors_str, image_size, parent_image):
-  ancestors = ancestors_str.split('/')[1:-1]
-  if not ancestors:
-    return image_size
+    ancestors = ancestors_str.split("/")[1:-1]
+    if not ancestors:
+        return image_size
 
-  if parent_image is None:
-    raise DataModelException('Could not load parent image')
+    if parent_image is None:
+        raise DataModelException("Could not load parent image")
+
+    ancestor_size = parent_image.aggregate_size
+    if ancestor_size is not None:
+        return ancestor_size + image_size
+
+    # Fallback to a slower path if the parent doesn't have an aggregate size saved.
+    # TODO: remove this code if/when we do a full backfill.
+    ancestor_size = (
+        ImageStorage.select(fn.Sum(ImageStorage.image_size))
+        .join(Image)
+        .where(Image.id << ancestors)
+        .scalar()
+    )
+    if ancestor_size is None:
+        return None
 
-  ancestor_size = parent_image.aggregate_size
-  if ancestor_size is not None:
     return ancestor_size + image_size
 
-  # Fallback to a slower path if the parent doesn't have an aggregate size saved.
-  # TODO: remove this code if/when we do a full backfill.
-  ancestor_size = (ImageStorage
-                   .select(fn.Sum(ImageStorage.image_size))
-                   .join(Image)
-                   .where(Image.id << ancestors)
-                   .scalar())
-  if ancestor_size is None:
-    return None
-
-  return ancestor_size + image_size
-
 
 def update_last_accessed(token_or_user):
-  """ Updates the `last_accessed` field on the given token or user. If the existing field's value
+    """ Updates the `last_accessed` field on the given token or user. If the existing field's value
       is within the configured threshold, the update is skipped. """
-  if not config.app_config.get('FEATURE_USER_LAST_ACCESSED'):
-    return
+    if not config.app_config.get("FEATURE_USER_LAST_ACCESSED"):
+        return
 
-  threshold = timedelta(seconds=config.app_config.get('LAST_ACCESSED_UPDATE_THRESHOLD_S', 120))
-  if (token_or_user.last_accessed is not None and
-      datetime.utcnow() - token_or_user.last_accessed < threshold):
-    # Skip updating, as we don't want to put undue pressure on the database.
-    return
+    threshold = timedelta(
+        seconds=config.app_config.get("LAST_ACCESSED_UPDATE_THRESHOLD_S", 120)
+    )
+    if (
+        token_or_user.last_accessed is not None
+        and datetime.utcnow() - token_or_user.last_accessed < threshold
+    ):
+        # Skip updating, as we don't want to put undue pressure on the database.
+        return
 
-  model_class = token_or_user.__class__
-  last_accessed = datetime.utcnow()
+    model_class = token_or_user.__class__
+    last_accessed = datetime.utcnow()
 
-  try:
-    (model_class
-     .update(last_accessed=last_accessed)
-     .where(model_class.id == token_or_user.id)
-     .execute())
-    token_or_user.last_accessed = last_accessed
-  except ReadOnlyModeException:
-    pass
-  except PeeweeException as ex:
-    # If there is any form of DB exception, only fail if strict logging is enabled.
-    strict_logging_disabled = config.app_config.get('ALLOW_PULLS_WITHOUT_STRICT_LOGGING')
-    if strict_logging_disabled:
-      data = {
-        'exception': ex,
-        'token_or_user': token_or_user.id,
-        'class': str(model_class),
-      }
+    try:
+        (
+            model_class.update(last_accessed=last_accessed)
+            .where(model_class.id == token_or_user.id)
+            .execute()
+        )
+        token_or_user.last_accessed = last_accessed
+    except ReadOnlyModeException:
+        pass
+    except PeeweeException as ex:
+        # If there is any form of DB exception, only fail if strict logging is enabled.
+        strict_logging_disabled = config.app_config.get(
+            "ALLOW_PULLS_WITHOUT_STRICT_LOGGING"
+        )
+        if strict_logging_disabled:
+            data = {
+                "exception": ex,
+                "token_or_user": token_or_user.id,
+                "class": str(model_class),
+            }
 
-      logger.exception('update last_accessed for token/user failed', extra=data)
-    else:
-      raise
+            logger.exception("update last_accessed for token/user failed", extra=data)
+        else:
+            raise
diff --git a/data/model/appspecifictoken.py b/data/model/appspecifictoken.py
index c0ead9440..d3fa87ecc 100644
--- a/data/model/appspecifictoken.py
+++ b/data/model/appspecifictoken.py
@@ -17,156 +17,176 @@ MINIMUM_TOKEN_SUFFIX_LENGTH = 60
 
 
 def _default_expiration_duration():
-  expiration_str = config.app_config.get('APP_SPECIFIC_TOKEN_EXPIRATION')
-  return convert_to_timedelta(expiration_str) if expiration_str else None
+    expiration_str = config.app_config.get("APP_SPECIFIC_TOKEN_EXPIRATION")
+    return convert_to_timedelta(expiration_str) if expiration_str else None
 
 
 # Define a "unique" value so that callers can specifiy an expiration of None and *not* have it
 # use the default.
-_default_expiration_duration_opt = '__deo'
+_default_expiration_duration_opt = "__deo"
+
 
 def create_token(user, title, expiration=_default_expiration_duration_opt):
-  """ Creates and returns an app specific token for the given user. If no expiration is specified
+    """ Creates and returns an app specific token for the given user. If no expiration is specified
       (including `None`), then the default from config is used. """
-  if expiration == _default_expiration_duration_opt:
-    duration = _default_expiration_duration()
-    expiration = duration + datetime.now() if duration else None
+    if expiration == _default_expiration_duration_opt:
+        duration = _default_expiration_duration()
+        expiration = duration + datetime.now() if duration else None
 
-  token_code = random_string_generator(TOKEN_NAME_PREFIX_LENGTH + MINIMUM_TOKEN_SUFFIX_LENGTH)()
-  token_name = token_code[:TOKEN_NAME_PREFIX_LENGTH]
-  token_secret = token_code[TOKEN_NAME_PREFIX_LENGTH:]
+    token_code = random_string_generator(
+        TOKEN_NAME_PREFIX_LENGTH + MINIMUM_TOKEN_SUFFIX_LENGTH
+    )()
+    token_name = token_code[:TOKEN_NAME_PREFIX_LENGTH]
+    token_secret = token_code[TOKEN_NAME_PREFIX_LENGTH:]
 
-  assert token_name
-  assert token_secret
+    assert token_name
+    assert token_secret
 
-  # TODO(remove-unenc): Remove legacy handling.
-  old_token_code = (token_code
-                    if ActiveDataMigration.has_flag(ERTMigrationFlags.WRITE_OLD_FIELDS)
-                    else None)
-  return AppSpecificAuthToken.create(user=user,
-                                     title=title,
-                                     expiration=expiration,
-                                     token_name=token_name,
-                                     token_secret=DecryptedValue(token_secret),
-                                     token_code=old_token_code)
+    # TODO(remove-unenc): Remove legacy handling.
+    old_token_code = (
+        token_code
+        if ActiveDataMigration.has_flag(ERTMigrationFlags.WRITE_OLD_FIELDS)
+        else None
+    )
+    return AppSpecificAuthToken.create(
+        user=user,
+        title=title,
+        expiration=expiration,
+        token_name=token_name,
+        token_secret=DecryptedValue(token_secret),
+        token_code=old_token_code,
+    )
 
 
 def list_tokens(user):
-  """ Lists all tokens for the given user. """
-  return AppSpecificAuthToken.select().where(AppSpecificAuthToken.user == user)
+    """ Lists all tokens for the given user. """
+    return AppSpecificAuthToken.select().where(AppSpecificAuthToken.user == user)
 
 
 def revoke_token(token):
-  """ Revokes an app specific token by deleting it. """
-  token.delete_instance()
+    """ Revokes an app specific token by deleting it. """
+    token.delete_instance()
 
 
 def revoke_token_by_uuid(uuid, owner):
-  """ Revokes an app specific token by deleting it. """
-  try:
-    token = AppSpecificAuthToken.get(uuid=uuid, user=owner)
-  except AppSpecificAuthToken.DoesNotExist:
-    return None
+    """ Revokes an app specific token by deleting it. """
+    try:
+        token = AppSpecificAuthToken.get(uuid=uuid, user=owner)
+    except AppSpecificAuthToken.DoesNotExist:
+        return None
 
-  revoke_token(token)
-  return token
+    revoke_token(token)
+    return token
 
 
 def get_expiring_tokens(user, soon):
-  """ Returns all tokens owned by the given user that will be expiring "soon", where soon is defined
+    """ Returns all tokens owned by the given user that will be expiring "soon", where soon is defined
       by the soon parameter (a timedelta from now).
   """
-  soon_datetime = datetime.now() + soon
-  return (AppSpecificAuthToken
-          .select()
-          .where(AppSpecificAuthToken.user == user,
-                 AppSpecificAuthToken.expiration <= soon_datetime,
-                 AppSpecificAuthToken.expiration > datetime.now()))
+    soon_datetime = datetime.now() + soon
+    return AppSpecificAuthToken.select().where(
+        AppSpecificAuthToken.user == user,
+        AppSpecificAuthToken.expiration <= soon_datetime,
+        AppSpecificAuthToken.expiration > datetime.now(),
+    )
 
 
 def gc_expired_tokens(expiration_window):
-  """ Deletes all expired tokens outside of the expiration window. """
-  (AppSpecificAuthToken
-   .delete()
-   .where(AppSpecificAuthToken.expiration < (datetime.now() - expiration_window))
-   .execute())
+    """ Deletes all expired tokens outside of the expiration window. """
+    (
+        AppSpecificAuthToken.delete()
+        .where(AppSpecificAuthToken.expiration < (datetime.now() - expiration_window))
+        .execute()
+    )
 
 
 def get_token_by_uuid(uuid, owner=None):
-  """ Looks up an unexpired app specific token with the given uuid. Returns it if found or
+    """ Looks up an unexpired app specific token with the given uuid. Returns it if found or
       None if none. If owner is specified, only tokens owned by the owner user will be
       returned.
   """
-  try:
-    query = (AppSpecificAuthToken
-             .select()
-             .where(AppSpecificAuthToken.uuid == uuid,
-                    ((AppSpecificAuthToken.expiration > datetime.now()) |
-                     (AppSpecificAuthToken.expiration >> None))))
-    if owner is not None:
-      query = query.where(AppSpecificAuthToken.user == owner)
+    try:
+        query = AppSpecificAuthToken.select().where(
+            AppSpecificAuthToken.uuid == uuid,
+            (
+                (AppSpecificAuthToken.expiration > datetime.now())
+                | (AppSpecificAuthToken.expiration >> None)
+            ),
+        )
+        if owner is not None:
+            query = query.where(AppSpecificAuthToken.user == owner)
 
-    return query.get()
-  except AppSpecificAuthToken.DoesNotExist:
-    return None
+        return query.get()
+    except AppSpecificAuthToken.DoesNotExist:
+        return None
 
 
 def access_valid_token(token_code):
-  """ Looks up an unexpired app specific token with the given token code. If found, the token's
+    """ Looks up an unexpired app specific token with the given token code. If found, the token's
       last_accessed field is set to now and the token is returned. If not found, returns None.
   """
-  token_code = remove_unicode(token_code)
+    token_code = remove_unicode(token_code)
 
-  prefix = token_code[:TOKEN_NAME_PREFIX_LENGTH]
-  if len(prefix) != TOKEN_NAME_PREFIX_LENGTH:
-    return None
+    prefix = token_code[:TOKEN_NAME_PREFIX_LENGTH]
+    if len(prefix) != TOKEN_NAME_PREFIX_LENGTH:
+        return None
 
-  suffix = token_code[TOKEN_NAME_PREFIX_LENGTH:]
+    suffix = token_code[TOKEN_NAME_PREFIX_LENGTH:]
 
-  # Lookup the token by its prefix.
-  try:
-    token = (AppSpecificAuthToken
-             .select(AppSpecificAuthToken, User)
-             .join(User)
-             .where(AppSpecificAuthToken.token_name == prefix,
-                    ((AppSpecificAuthToken.expiration > datetime.now()) |
-                     (AppSpecificAuthToken.expiration >> None)))
-             .get())
-
-    if not token.token_secret.matches(suffix):
-      return None
-
-    assert len(prefix) == TOKEN_NAME_PREFIX_LENGTH
-    assert len(suffix) >= MINIMUM_TOKEN_SUFFIX_LENGTH
-    update_last_accessed(token)
-    return token
-  except AppSpecificAuthToken.DoesNotExist:
-    pass
-
-  # TODO(remove-unenc): Remove legacy handling.
-  if ActiveDataMigration.has_flag(ERTMigrationFlags.READ_OLD_FIELDS):
+    # Lookup the token by its prefix.
     try:
-      token = (AppSpecificAuthToken
-               .select(AppSpecificAuthToken, User)
-               .join(User)
-               .where(AppSpecificAuthToken.token_code == token_code,
-                      ((AppSpecificAuthToken.expiration > datetime.now()) |
-                      (AppSpecificAuthToken.expiration >> None)))
-               .get())
+        token = (
+            AppSpecificAuthToken.select(AppSpecificAuthToken, User)
+            .join(User)
+            .where(
+                AppSpecificAuthToken.token_name == prefix,
+                (
+                    (AppSpecificAuthToken.expiration > datetime.now())
+                    | (AppSpecificAuthToken.expiration >> None)
+                ),
+            )
+            .get()
+        )
 
-      update_last_accessed(token)
-      return token
+        if not token.token_secret.matches(suffix):
+            return None
+
+        assert len(prefix) == TOKEN_NAME_PREFIX_LENGTH
+        assert len(suffix) >= MINIMUM_TOKEN_SUFFIX_LENGTH
+        update_last_accessed(token)
+        return token
     except AppSpecificAuthToken.DoesNotExist:
-      return None
+        pass
 
-  return None
+    # TODO(remove-unenc): Remove legacy handling.
+    if ActiveDataMigration.has_flag(ERTMigrationFlags.READ_OLD_FIELDS):
+        try:
+            token = (
+                AppSpecificAuthToken.select(AppSpecificAuthToken, User)
+                .join(User)
+                .where(
+                    AppSpecificAuthToken.token_code == token_code,
+                    (
+                        (AppSpecificAuthToken.expiration > datetime.now())
+                        | (AppSpecificAuthToken.expiration >> None)
+                    ),
+                )
+                .get()
+            )
+
+            update_last_accessed(token)
+            return token
+        except AppSpecificAuthToken.DoesNotExist:
+            return None
+
+    return None
 
 
 def get_full_token_string(token):
-  # TODO(remove-unenc): Remove legacy handling.
-  if ActiveDataMigration.has_flag(ERTMigrationFlags.READ_OLD_FIELDS):
-    if not token.token_name:
-      return token.token_code
+    # TODO(remove-unenc): Remove legacy handling.
+    if ActiveDataMigration.has_flag(ERTMigrationFlags.READ_OLD_FIELDS):
+        if not token.token_name:
+            return token.token_code
 
-  assert token.token_name
-  return '%s%s' % (token.token_name, token.token_secret.decrypt())
+    assert token.token_name
+    return "%s%s" % (token.token_name, token.token_secret.decrypt())
diff --git a/data/model/blob.py b/data/model/blob.py
index ac14891e8..5eed2fd7b 100644
--- a/data/model/blob.py
+++ b/data/model/blob.py
@@ -3,235 +3,302 @@ import logging
 from datetime import datetime
 from uuid import uuid4
 
-from data.model import (tag, _basequery, BlobDoesNotExist, InvalidBlobUpload, db_transaction,
-                        storage as storage_model, InvalidImageException)
-from data.database import (Repository, Namespace, ImageStorage, Image, ImageStoragePlacement,
-                           BlobUpload, ImageStorageLocation, db_random_func)
+from data.model import (
+    tag,
+    _basequery,
+    BlobDoesNotExist,
+    InvalidBlobUpload,
+    db_transaction,
+    storage as storage_model,
+    InvalidImageException,
+)
+from data.database import (
+    Repository,
+    Namespace,
+    ImageStorage,
+    Image,
+    ImageStoragePlacement,
+    BlobUpload,
+    ImageStorageLocation,
+    db_random_func,
+)
 
 
 logger = logging.getLogger(__name__)
 
 
 def get_repository_blob_by_digest(repository, blob_digest):
-  """ Find the content-addressable blob linked to the specified repository.
+    """ Find the content-addressable blob linked to the specified repository.
   """
-  assert blob_digest
-  try:
-    storage = (ImageStorage
-               .select(ImageStorage.uuid)
-               .join(Image)
-               .where(Image.repository == repository,
-                      ImageStorage.content_checksum == blob_digest,
-                      ImageStorage.uploading == False)
-               .get())
+    assert blob_digest
+    try:
+        storage = (
+            ImageStorage.select(ImageStorage.uuid)
+            .join(Image)
+            .where(
+                Image.repository == repository,
+                ImageStorage.content_checksum == blob_digest,
+                ImageStorage.uploading == False,
+            )
+            .get()
+        )
 
-    return storage_model.get_storage_by_uuid(storage.uuid)
-  except (ImageStorage.DoesNotExist, InvalidImageException):
-    raise BlobDoesNotExist('Blob does not exist with digest: {0}'.format(blob_digest))
+        return storage_model.get_storage_by_uuid(storage.uuid)
+    except (ImageStorage.DoesNotExist, InvalidImageException):
+        raise BlobDoesNotExist(
+            "Blob does not exist with digest: {0}".format(blob_digest)
+        )
 
 
 def get_repo_blob_by_digest(namespace, repo_name, blob_digest):
-  """ Find the content-addressable blob linked to the specified repository.
+    """ Find the content-addressable blob linked to the specified repository.
   """
-  assert blob_digest
-  try:
-    storage = (ImageStorage
-               .select(ImageStorage.uuid)
-               .join(Image)
-               .join(Repository)
-               .join(Namespace, on=(Namespace.id == Repository.namespace_user))
-               .where(Repository.name == repo_name, Namespace.username == namespace,
-                      ImageStorage.content_checksum == blob_digest,
-                      ImageStorage.uploading == False)
-               .get())
-
-    return storage_model.get_storage_by_uuid(storage.uuid)
-  except (ImageStorage.DoesNotExist, InvalidImageException):
-    raise BlobDoesNotExist('Blob does not exist with digest: {0}'.format(blob_digest))
-
-
-def store_blob_record_and_temp_link(namespace, repo_name, blob_digest, location_obj, byte_count,
-                                    link_expiration_s, uncompressed_byte_count=None):
-  repo = _basequery.get_existing_repository(namespace, repo_name)
-  assert repo
-
-  return store_blob_record_and_temp_link_in_repo(repo.id, blob_digest, location_obj, byte_count,
-                                                 link_expiration_s, uncompressed_byte_count)
-
-
-def store_blob_record_and_temp_link_in_repo(repository_id, blob_digest, location_obj, byte_count,
-                                            link_expiration_s, uncompressed_byte_count=None):
-  """ Store a record of the blob and temporarily link it to the specified repository.
-  """
-  assert blob_digest
-  assert byte_count is not None
-
-  with db_transaction():
+    assert blob_digest
     try:
-      storage = ImageStorage.get(content_checksum=blob_digest)
-      save_changes = False
+        storage = (
+            ImageStorage.select(ImageStorage.uuid)
+            .join(Image)
+            .join(Repository)
+            .join(Namespace, on=(Namespace.id == Repository.namespace_user))
+            .where(
+                Repository.name == repo_name,
+                Namespace.username == namespace,
+                ImageStorage.content_checksum == blob_digest,
+                ImageStorage.uploading == False,
+            )
+            .get()
+        )
 
-      if storage.image_size is None:
-        storage.image_size = byte_count
-        save_changes = True
+        return storage_model.get_storage_by_uuid(storage.uuid)
+    except (ImageStorage.DoesNotExist, InvalidImageException):
+        raise BlobDoesNotExist(
+            "Blob does not exist with digest: {0}".format(blob_digest)
+        )
 
-      if storage.uncompressed_size is None and uncompressed_byte_count is not None:
-        storage.uncompressed_size = uncompressed_byte_count
-        save_changes = True
 
-      if save_changes:
-        storage.save()
+def store_blob_record_and_temp_link(
+    namespace,
+    repo_name,
+    blob_digest,
+    location_obj,
+    byte_count,
+    link_expiration_s,
+    uncompressed_byte_count=None,
+):
+    repo = _basequery.get_existing_repository(namespace, repo_name)
+    assert repo
 
-      ImageStoragePlacement.get(storage=storage, location=location_obj)
-    except ImageStorage.DoesNotExist:
-      storage = ImageStorage.create(content_checksum=blob_digest, uploading=False,
-                                    image_size=byte_count,
-                                    uncompressed_size=uncompressed_byte_count)
-      ImageStoragePlacement.create(storage=storage, location=location_obj)
-    except ImageStoragePlacement.DoesNotExist:
-      ImageStoragePlacement.create(storage=storage, location=location_obj)
+    return store_blob_record_and_temp_link_in_repo(
+        repo.id,
+        blob_digest,
+        location_obj,
+        byte_count,
+        link_expiration_s,
+        uncompressed_byte_count,
+    )
 
-    _temp_link_blob(repository_id, storage, link_expiration_s)
-    return storage
+
+def store_blob_record_and_temp_link_in_repo(
+    repository_id,
+    blob_digest,
+    location_obj,
+    byte_count,
+    link_expiration_s,
+    uncompressed_byte_count=None,
+):
+    """ Store a record of the blob and temporarily link it to the specified repository.
+  """
+    assert blob_digest
+    assert byte_count is not None
+
+    with db_transaction():
+        try:
+            storage = ImageStorage.get(content_checksum=blob_digest)
+            save_changes = False
+
+            if storage.image_size is None:
+                storage.image_size = byte_count
+                save_changes = True
+
+            if (
+                storage.uncompressed_size is None
+                and uncompressed_byte_count is not None
+            ):
+                storage.uncompressed_size = uncompressed_byte_count
+                save_changes = True
+
+            if save_changes:
+                storage.save()
+
+            ImageStoragePlacement.get(storage=storage, location=location_obj)
+        except ImageStorage.DoesNotExist:
+            storage = ImageStorage.create(
+                content_checksum=blob_digest,
+                uploading=False,
+                image_size=byte_count,
+                uncompressed_size=uncompressed_byte_count,
+            )
+            ImageStoragePlacement.create(storage=storage, location=location_obj)
+        except ImageStoragePlacement.DoesNotExist:
+            ImageStoragePlacement.create(storage=storage, location=location_obj)
+
+        _temp_link_blob(repository_id, storage, link_expiration_s)
+        return storage
 
 
 def temp_link_blob(repository_id, blob_digest, link_expiration_s):
-  """ Temporarily links to the blob record from the given repository. If the blob record is not
+    """ Temporarily links to the blob record from the given repository. If the blob record is not
       found, return None.
   """
-  assert blob_digest
+    assert blob_digest
 
-  with db_transaction():
-    try:
-      storage = ImageStorage.get(content_checksum=blob_digest)
-    except ImageStorage.DoesNotExist:
-      return None
+    with db_transaction():
+        try:
+            storage = ImageStorage.get(content_checksum=blob_digest)
+        except ImageStorage.DoesNotExist:
+            return None
 
-    _temp_link_blob(repository_id, storage, link_expiration_s)
-    return storage
+        _temp_link_blob(repository_id, storage, link_expiration_s)
+        return storage
 
 
 def _temp_link_blob(repository_id, storage, link_expiration_s):
-  """ Note: Should *always* be called by a parent under a transaction. """
-  random_image_name = str(uuid4())
+    """ Note: Should *always* be called by a parent under a transaction. """
+    random_image_name = str(uuid4())
 
-  # Create a temporary link into the repository, to be replaced by the v1 metadata later
-  # and create a temporary tag to reference it
-  image = Image.create(storage=storage, docker_image_id=random_image_name, repository=repository_id)
-  tag.create_temporary_hidden_tag(repository_id, image, link_expiration_s)
+    # Create a temporary link into the repository, to be replaced by the v1 metadata later
+    # and create a temporary tag to reference it
+    image = Image.create(
+        storage=storage, docker_image_id=random_image_name, repository=repository_id
+    )
+    tag.create_temporary_hidden_tag(repository_id, image, link_expiration_s)
 
 
 def get_stale_blob_upload(stale_timespan):
-  """ Returns a random blob upload which was created before the stale timespan. """
-  stale_threshold = datetime.now() - stale_timespan
+    """ Returns a random blob upload which was created before the stale timespan. """
+    stale_threshold = datetime.now() - stale_timespan
 
-  try:
-    candidates = (BlobUpload
-                  .select()
-                  .where(BlobUpload.created <= stale_threshold)
-                  .limit(500)
-                  .distinct()
-                  .alias('candidates'))
+    try:
+        candidates = (
+            BlobUpload.select()
+            .where(BlobUpload.created <= stale_threshold)
+            .limit(500)
+            .distinct()
+            .alias("candidates")
+        )
 
-    found = (BlobUpload
-             .select(candidates.c.id)
-             .from_(candidates)
-             .order_by(db_random_func())
-             .get())
-    if not found:
-      return None
+        found = (
+            BlobUpload.select(candidates.c.id)
+            .from_(candidates)
+            .order_by(db_random_func())
+            .get()
+        )
+        if not found:
+            return None
 
-    return (BlobUpload
-            .select(BlobUpload, ImageStorageLocation)
+        return (
+            BlobUpload.select(BlobUpload, ImageStorageLocation)
             .join(ImageStorageLocation)
             .where(BlobUpload.id == found.id)
-            .get())
-  except BlobUpload.DoesNotExist:
-    return None
+            .get()
+        )
+    except BlobUpload.DoesNotExist:
+        return None
 
 
 def get_blob_upload_by_uuid(upload_uuid):
-  """ Loads the upload with the given UUID, if any. """
-  try:
-    return (BlobUpload
-            .select()
-            .where(BlobUpload.uuid == upload_uuid)
-            .get())
-  except BlobUpload.DoesNotExist:
-    return None
+    """ Loads the upload with the given UUID, if any. """
+    try:
+        return BlobUpload.select().where(BlobUpload.uuid == upload_uuid).get()
+    except BlobUpload.DoesNotExist:
+        return None
 
 
 def get_blob_upload(namespace, repo_name, upload_uuid):
-  """ Load the upload which is already in progress.
+    """ Load the upload which is already in progress.
   """
-  try:
-    return (BlobUpload
-            .select(BlobUpload, ImageStorageLocation)
+    try:
+        return (
+            BlobUpload.select(BlobUpload, ImageStorageLocation)
             .join(ImageStorageLocation)
             .switch(BlobUpload)
             .join(Repository)
             .join(Namespace, on=(Namespace.id == Repository.namespace_user))
-            .where(Repository.name == repo_name, Namespace.username == namespace,
-                   BlobUpload.uuid == upload_uuid)
-            .get())
-  except BlobUpload.DoesNotExist:
-    raise InvalidBlobUpload()
+            .where(
+                Repository.name == repo_name,
+                Namespace.username == namespace,
+                BlobUpload.uuid == upload_uuid,
+            )
+            .get()
+        )
+    except BlobUpload.DoesNotExist:
+        raise InvalidBlobUpload()
 
 
 def initiate_upload(namespace, repo_name, uuid, location_name, storage_metadata):
-  """ Initiates a blob upload for the repository with the given namespace and name,
+    """ Initiates a blob upload for the repository with the given namespace and name,
       in a specific location. """
-  repo = _basequery.get_existing_repository(namespace, repo_name)
-  return initiate_upload_for_repo(repo, uuid, location_name, storage_metadata)
+    repo = _basequery.get_existing_repository(namespace, repo_name)
+    return initiate_upload_for_repo(repo, uuid, location_name, storage_metadata)
 
 
 def initiate_upload_for_repo(repo, uuid, location_name, storage_metadata):
-  """ Initiates a blob upload for a specific repository object, in a specific location. """
-  location = storage_model.get_image_location_for_name(location_name)
-  return BlobUpload.create(repository=repo, location=location.id, uuid=uuid,
-                           storage_metadata=storage_metadata)
+    """ Initiates a blob upload for a specific repository object, in a specific location. """
+    location = storage_model.get_image_location_for_name(location_name)
+    return BlobUpload.create(
+        repository=repo,
+        location=location.id,
+        uuid=uuid,
+        storage_metadata=storage_metadata,
+    )
 
 
 def get_shared_blob(digest):
-  """ Returns the ImageStorage blob with the given digest or, if not present,
+    """ Returns the ImageStorage blob with the given digest or, if not present,
       returns None. This method is *only* to be used for shared blobs that are
       globally accessible, such as the special empty gzipped tar layer that Docker
       no longer pushes to us.
   """
-  assert digest
-  try:
-    return ImageStorage.get(content_checksum=digest, uploading=False)
-  except ImageStorage.DoesNotExist:
-    return None
+    assert digest
+    try:
+        return ImageStorage.get(content_checksum=digest, uploading=False)
+    except ImageStorage.DoesNotExist:
+        return None
 
 
 def get_or_create_shared_blob(digest, byte_data, storage):
-  """ Returns the ImageStorage blob with the given digest or, if not present,
+    """ Returns the ImageStorage blob with the given digest or, if not present,
       adds a row and writes the given byte data to the storage engine.
       This method is *only* to be used for shared blobs that are globally
       accessible, such as the special empty gzipped tar layer that Docker
       no longer pushes to us.
   """
-  assert digest
-  assert byte_data is not None
-  assert storage
+    assert digest
+    assert byte_data is not None
+    assert storage
 
-  try:
-    return ImageStorage.get(content_checksum=digest, uploading=False)
-  except ImageStorage.DoesNotExist:
-    record = ImageStorage.create(image_size=len(byte_data), content_checksum=digest,
-                                 cas_path=True, uploading=True)
-    preferred = storage.preferred_locations[0]
-    location_obj = ImageStorageLocation.get(name=preferred)
     try:
-      storage.put_content([preferred], storage_model.get_layer_path(record), byte_data)
-      ImageStoragePlacement.create(storage=record, location=location_obj)
+        return ImageStorage.get(content_checksum=digest, uploading=False)
+    except ImageStorage.DoesNotExist:
+        record = ImageStorage.create(
+            image_size=len(byte_data),
+            content_checksum=digest,
+            cas_path=True,
+            uploading=True,
+        )
+        preferred = storage.preferred_locations[0]
+        location_obj = ImageStorageLocation.get(name=preferred)
+        try:
+            storage.put_content(
+                [preferred], storage_model.get_layer_path(record), byte_data
+            )
+            ImageStoragePlacement.create(storage=record, location=location_obj)
 
-      record.uploading = False
-      record.save()
-    except:
-      logger.exception('Exception when trying to write special layer %s', digest)
-      record.delete_instance()
-      raise
+            record.uploading = False
+            record.save()
+        except:
+            logger.exception("Exception when trying to write special layer %s", digest)
+            record.delete_instance()
+            raise
 
-    return record
+        return record
diff --git a/data/model/build.py b/data/model/build.py
index 79e282509..3732a631e 100644
--- a/data/model/build.py
+++ b/data/model/build.py
@@ -5,59 +5,88 @@ from datetime import timedelta, datetime
 from peewee import JOIN
 
 from active_migration import ActiveDataMigration, ERTMigrationFlags
-from data.database import (BuildTriggerService, RepositoryBuildTrigger, Repository, Namespace, User,
-                           RepositoryBuild, BUILD_PHASE, db_random_func, UseThenDisconnect,
-                           TRIGGER_DISABLE_REASON)
-from data.model import (InvalidBuildTriggerException, InvalidRepositoryBuildException,
-                        db_transaction, user as user_model, config)
+from data.database import (
+    BuildTriggerService,
+    RepositoryBuildTrigger,
+    Repository,
+    Namespace,
+    User,
+    RepositoryBuild,
+    BUILD_PHASE,
+    db_random_func,
+    UseThenDisconnect,
+    TRIGGER_DISABLE_REASON,
+)
+from data.model import (
+    InvalidBuildTriggerException,
+    InvalidRepositoryBuildException,
+    db_transaction,
+    user as user_model,
+    config,
+)
 from data.fields import DecryptedValue
 
 
 PRESUMED_DEAD_BUILD_AGE = timedelta(days=15)
-PHASES_NOT_ALLOWED_TO_CANCEL_FROM = (BUILD_PHASE.PUSHING, BUILD_PHASE.COMPLETE,
-                                     BUILD_PHASE.ERROR, BUILD_PHASE.INTERNAL_ERROR)
+PHASES_NOT_ALLOWED_TO_CANCEL_FROM = (
+    BUILD_PHASE.PUSHING,
+    BUILD_PHASE.COMPLETE,
+    BUILD_PHASE.ERROR,
+    BUILD_PHASE.INTERNAL_ERROR,
+)
 
-ARCHIVABLE_BUILD_PHASES = [BUILD_PHASE.COMPLETE, BUILD_PHASE.ERROR, BUILD_PHASE.CANCELLED]
+ARCHIVABLE_BUILD_PHASES = [
+    BUILD_PHASE.COMPLETE,
+    BUILD_PHASE.ERROR,
+    BUILD_PHASE.CANCELLED,
+]
 
 
 def update_build_trigger(trigger, config, auth_token=None, write_token=None):
-  trigger.config = json.dumps(config or {})
+    trigger.config = json.dumps(config or {})
 
-  # TODO(remove-unenc): Remove legacy field.
-  if auth_token is not None:
+    # TODO(remove-unenc): Remove legacy field.
+    if auth_token is not None:
+        if ActiveDataMigration.has_flag(ERTMigrationFlags.WRITE_OLD_FIELDS):
+            trigger.auth_token = auth_token
+
+        trigger.secure_auth_token = auth_token
+
+    if write_token is not None:
+        trigger.write_token = write_token
+
+    trigger.save()
+
+
+def create_build_trigger(
+    repo, service_name, auth_token, user, pull_robot=None, config=None
+):
+    service = BuildTriggerService.get(name=service_name)
+
+    # TODO(remove-unenc): Remove legacy field.
+    old_auth_token = None
     if ActiveDataMigration.has_flag(ERTMigrationFlags.WRITE_OLD_FIELDS):
-      trigger.auth_token = auth_token
+        old_auth_token = auth_token
 
-    trigger.secure_auth_token = auth_token
-
-  if write_token is not None:
-    trigger.write_token = write_token
-
-  trigger.save()
-
-
-def create_build_trigger(repo, service_name, auth_token, user, pull_robot=None, config=None):
-  service = BuildTriggerService.get(name=service_name)
-
-  # TODO(remove-unenc): Remove legacy field.
-  old_auth_token = None
-  if ActiveDataMigration.has_flag(ERTMigrationFlags.WRITE_OLD_FIELDS):
-    old_auth_token = auth_token
-
-  secure_auth_token = DecryptedValue(auth_token) if auth_token else None
-  trigger = RepositoryBuildTrigger.create(repository=repo, service=service,
-                                          auth_token=old_auth_token,
-                                          secure_auth_token=secure_auth_token,
-                                          connected_user=user,
-                                          pull_robot=pull_robot,
-                                          config=json.dumps(config or {}))
-  return trigger
+    secure_auth_token = DecryptedValue(auth_token) if auth_token else None
+    trigger = RepositoryBuildTrigger.create(
+        repository=repo,
+        service=service,
+        auth_token=old_auth_token,
+        secure_auth_token=secure_auth_token,
+        connected_user=user,
+        pull_robot=pull_robot,
+        config=json.dumps(config or {}),
+    )
+    return trigger
 
 
 def get_build_trigger(trigger_uuid):
-  try:
-    return (RepositoryBuildTrigger
-            .select(RepositoryBuildTrigger, BuildTriggerService, Repository, Namespace)
+    try:
+        return (
+            RepositoryBuildTrigger.select(
+                RepositoryBuildTrigger, BuildTriggerService, Repository, Namespace
+            )
             .join(BuildTriggerService)
             .switch(RepositoryBuildTrigger)
             .join(Repository)
@@ -65,259 +94,304 @@ def get_build_trigger(trigger_uuid):
             .switch(RepositoryBuildTrigger)
             .join(User, on=(RepositoryBuildTrigger.connected_user == User.id))
             .where(RepositoryBuildTrigger.uuid == trigger_uuid)
-            .get())
-  except RepositoryBuildTrigger.DoesNotExist:
-    msg = 'No build trigger with uuid: %s' % trigger_uuid
-    raise InvalidBuildTriggerException(msg)
+            .get()
+        )
+    except RepositoryBuildTrigger.DoesNotExist:
+        msg = "No build trigger with uuid: %s" % trigger_uuid
+        raise InvalidBuildTriggerException(msg)
 
 
 def list_build_triggers(namespace_name, repository_name):
-  return (RepositoryBuildTrigger
-          .select(RepositoryBuildTrigger, BuildTriggerService, Repository)
-          .join(BuildTriggerService)
-          .switch(RepositoryBuildTrigger)
-          .join(Repository)
-          .join(Namespace, on=(Repository.namespace_user == Namespace.id))
-          .where(Namespace.username == namespace_name, Repository.name == repository_name))
+    return (
+        RepositoryBuildTrigger.select(
+            RepositoryBuildTrigger, BuildTriggerService, Repository
+        )
+        .join(BuildTriggerService)
+        .switch(RepositoryBuildTrigger)
+        .join(Repository)
+        .join(Namespace, on=(Repository.namespace_user == Namespace.id))
+        .where(Namespace.username == namespace_name, Repository.name == repository_name)
+    )
 
 
-def list_trigger_builds(namespace_name, repository_name, trigger_uuid,
-                        limit):
-  return (list_repository_builds(namespace_name, repository_name, limit)
-          .where(RepositoryBuildTrigger.uuid == trigger_uuid))
+def list_trigger_builds(namespace_name, repository_name, trigger_uuid, limit):
+    return list_repository_builds(namespace_name, repository_name, limit).where(
+        RepositoryBuildTrigger.uuid == trigger_uuid
+    )
 
 
 def get_repository_for_resource(resource_key):
-  try:
-    return (Repository
-            .select(Repository, Namespace)
+    try:
+        return (
+            Repository.select(Repository, Namespace)
             .join(Namespace, on=(Repository.namespace_user == Namespace.id))
             .switch(Repository)
             .join(RepositoryBuild)
             .where(RepositoryBuild.resource_key == resource_key)
-            .get())
-  except Repository.DoesNotExist:
-    return None
+            .get()
+        )
+    except Repository.DoesNotExist:
+        return None
 
 
 def _get_build_base_query():
-  return (RepositoryBuild
-          .select(RepositoryBuild, RepositoryBuildTrigger, BuildTriggerService, Repository,
-                  Namespace, User)
-          .join(Repository)
-          .join(Namespace, on=(Repository.namespace_user == Namespace.id))
-          .switch(RepositoryBuild)
-          .join(User, JOIN.LEFT_OUTER)
-          .switch(RepositoryBuild)
-          .join(RepositoryBuildTrigger, JOIN.LEFT_OUTER)
-          .join(BuildTriggerService, JOIN.LEFT_OUTER)
-          .order_by(RepositoryBuild.started.desc()))
+    return (
+        RepositoryBuild.select(
+            RepositoryBuild,
+            RepositoryBuildTrigger,
+            BuildTriggerService,
+            Repository,
+            Namespace,
+            User,
+        )
+        .join(Repository)
+        .join(Namespace, on=(Repository.namespace_user == Namespace.id))
+        .switch(RepositoryBuild)
+        .join(User, JOIN.LEFT_OUTER)
+        .switch(RepositoryBuild)
+        .join(RepositoryBuildTrigger, JOIN.LEFT_OUTER)
+        .join(BuildTriggerService, JOIN.LEFT_OUTER)
+        .order_by(RepositoryBuild.started.desc())
+    )
 
 
 def get_repository_build(build_uuid):
-  try:
-    return _get_build_base_query().where(RepositoryBuild.uuid == build_uuid).get()
+    try:
+        return _get_build_base_query().where(RepositoryBuild.uuid == build_uuid).get()
 
-  except RepositoryBuild.DoesNotExist:
-    msg = 'Unable to locate a build by id: %s' % build_uuid
-    raise InvalidRepositoryBuildException(msg)
+    except RepositoryBuild.DoesNotExist:
+        msg = "Unable to locate a build by id: %s" % build_uuid
+        raise InvalidRepositoryBuildException(msg)
 
 
-def list_repository_builds(namespace_name, repository_name, limit,
-                           include_inactive=True, since=None):
-  query = (_get_build_base_query()
-           .where(Repository.name == repository_name, Namespace.username == namespace_name)
-           .limit(limit))
+def list_repository_builds(
+    namespace_name, repository_name, limit, include_inactive=True, since=None
+):
+    query = (
+        _get_build_base_query()
+        .where(Repository.name == repository_name, Namespace.username == namespace_name)
+        .limit(limit)
+    )
 
-  if since is not None:
-    query = query.where(RepositoryBuild.started >= since)
+    if since is not None:
+        query = query.where(RepositoryBuild.started >= since)
 
-  if not include_inactive:
-    query = query.where(RepositoryBuild.phase != BUILD_PHASE.ERROR,
-                        RepositoryBuild.phase != BUILD_PHASE.COMPLETE)
+    if not include_inactive:
+        query = query.where(
+            RepositoryBuild.phase != BUILD_PHASE.ERROR,
+            RepositoryBuild.phase != BUILD_PHASE.COMPLETE,
+        )
 
-  return query
+    return query
 
 
 def get_recent_repository_build(namespace_name, repository_name):
-  query = list_repository_builds(namespace_name, repository_name, 1)
-  try:
-    return query.get()
-  except RepositoryBuild.DoesNotExist:
-    return None
+    query = list_repository_builds(namespace_name, repository_name, 1)
+    try:
+        return query.get()
+    except RepositoryBuild.DoesNotExist:
+        return None
 
 
-def create_repository_build(repo, access_token, job_config_obj, dockerfile_id,
-                            display_name, trigger=None, pull_robot_name=None):
-  pull_robot = None
-  if pull_robot_name:
-    pull_robot = user_model.lookup_robot(pull_robot_name)
+def create_repository_build(
+    repo,
+    access_token,
+    job_config_obj,
+    dockerfile_id,
+    display_name,
+    trigger=None,
+    pull_robot_name=None,
+):
+    pull_robot = None
+    if pull_robot_name:
+        pull_robot = user_model.lookup_robot(pull_robot_name)
 
-  return RepositoryBuild.create(repository=repo, access_token=access_token,
-                                job_config=json.dumps(job_config_obj),
-                                display_name=display_name, trigger=trigger,
-                                resource_key=dockerfile_id,
-                                pull_robot=pull_robot)
+    return RepositoryBuild.create(
+        repository=repo,
+        access_token=access_token,
+        job_config=json.dumps(job_config_obj),
+        display_name=display_name,
+        trigger=trigger,
+        resource_key=dockerfile_id,
+        pull_robot=pull_robot,
+    )
 
 
 def get_pull_robot_name(trigger):
-  if not trigger.pull_robot:
-    return None
+    if not trigger.pull_robot:
+        return None
 
-  return trigger.pull_robot.username
+    return trigger.pull_robot.username
 
 
 def _get_build_row(build_uuid):
-  return RepositoryBuild.select().where(RepositoryBuild.uuid == build_uuid).get()
+    return RepositoryBuild.select().where(RepositoryBuild.uuid == build_uuid).get()
 
 
 def update_phase_then_close(build_uuid, phase):
-  """ A function to change the phase of a build """
-  with UseThenDisconnect(config.app_config):
-    try:
-      build = _get_build_row(build_uuid)
-    except RepositoryBuild.DoesNotExist:
-      return False
+    """ A function to change the phase of a build """
+    with UseThenDisconnect(config.app_config):
+        try:
+            build = _get_build_row(build_uuid)
+        except RepositoryBuild.DoesNotExist:
+            return False
 
-    # Can't update a cancelled build
-    if build.phase == BUILD_PHASE.CANCELLED:
-      return False
+        # Can't update a cancelled build
+        if build.phase == BUILD_PHASE.CANCELLED:
+            return False
 
-    updated = (RepositoryBuild
-               .update(phase=phase)
-               .where(RepositoryBuild.id == build.id, RepositoryBuild.phase == build.phase)
-               .execute())
+        updated = (
+            RepositoryBuild.update(phase=phase)
+            .where(RepositoryBuild.id == build.id, RepositoryBuild.phase == build.phase)
+            .execute()
+        )
 
-    return updated > 0
+        return updated > 0
 
 
 def create_cancel_build_in_queue(build_phase, build_queue_id, build_queue):
-  """ A function to cancel a build before it leaves the queue """
+    """ A function to cancel a build before it leaves the queue """
 
-  def cancel_build():
-    cancelled = False
+    def cancel_build():
+        cancelled = False
 
-    if build_queue_id is not None:
-      cancelled = build_queue.cancel(build_queue_id)
+        if build_queue_id is not None:
+            cancelled = build_queue.cancel(build_queue_id)
 
-    if build_phase != BUILD_PHASE.WAITING:
-      return False
+        if build_phase != BUILD_PHASE.WAITING:
+            return False
 
-    return cancelled
+        return cancelled
 
-  return cancel_build
+    return cancel_build
 
 
 def create_cancel_build_in_manager(build_phase, build_uuid, build_canceller):
-  """ A function to cancel the build before it starts to push """
+    """ A function to cancel the build before it starts to push """
 
-  def cancel_build():
-    if build_phase in PHASES_NOT_ALLOWED_TO_CANCEL_FROM:
-      return False
+    def cancel_build():
+        if build_phase in PHASES_NOT_ALLOWED_TO_CANCEL_FROM:
+            return False
 
-    return build_canceller.try_cancel_build(build_uuid)
+        return build_canceller.try_cancel_build(build_uuid)
 
-  return cancel_build
+    return cancel_build
 
 
 def cancel_repository_build(build, build_queue):
-  """ This tries to cancel the build returns true if request is successful false
+    """ This tries to cancel the build returns true if request is successful false
       if it can't be cancelled """
-  from app import build_canceller
-  from buildman.jobutil.buildjob import BuildJobNotifier
+    from app import build_canceller
+    from buildman.jobutil.buildjob import BuildJobNotifier
 
-  cancel_builds = [create_cancel_build_in_queue(build.phase, build.queue_id, build_queue),
-                   create_cancel_build_in_manager(build.phase, build.uuid, build_canceller), ]
-  for cancelled in cancel_builds:
-    if cancelled():
-      updated = update_phase_then_close(build.uuid, BUILD_PHASE.CANCELLED)
-      if updated:
-        BuildJobNotifier(build.uuid).send_notification("build_cancelled")
+    cancel_builds = [
+        create_cancel_build_in_queue(build.phase, build.queue_id, build_queue),
+        create_cancel_build_in_manager(build.phase, build.uuid, build_canceller),
+    ]
+    for cancelled in cancel_builds:
+        if cancelled():
+            updated = update_phase_then_close(build.uuid, BUILD_PHASE.CANCELLED)
+            if updated:
+                BuildJobNotifier(build.uuid).send_notification("build_cancelled")
 
-      return updated
+            return updated
 
-  return False
+    return False
 
 
 def get_archivable_build():
-  presumed_dead_date = datetime.utcnow() - PRESUMED_DEAD_BUILD_AGE
+    presumed_dead_date = datetime.utcnow() - PRESUMED_DEAD_BUILD_AGE
 
-  candidates = (RepositoryBuild
-                .select(RepositoryBuild.id)
-                .where((RepositoryBuild.phase << ARCHIVABLE_BUILD_PHASES) |
-                       (RepositoryBuild.started < presumed_dead_date),
-                       RepositoryBuild.logs_archived == False)
-                .limit(50)
-                .alias('candidates'))
+    candidates = (
+        RepositoryBuild.select(RepositoryBuild.id)
+        .where(
+            (RepositoryBuild.phase << ARCHIVABLE_BUILD_PHASES)
+            | (RepositoryBuild.started < presumed_dead_date),
+            RepositoryBuild.logs_archived == False,
+        )
+        .limit(50)
+        .alias("candidates")
+    )
 
-  try:
-    found_id = (RepositoryBuild
-                .select(candidates.c.id)
-                .from_(candidates)
-                .order_by(db_random_func())
-                .get())
-    return RepositoryBuild.get(id=found_id)
-  except RepositoryBuild.DoesNotExist:
-    return None
+    try:
+        found_id = (
+            RepositoryBuild.select(candidates.c.id)
+            .from_(candidates)
+            .order_by(db_random_func())
+            .get()
+        )
+        return RepositoryBuild.get(id=found_id)
+    except RepositoryBuild.DoesNotExist:
+        return None
 
 
 def mark_build_archived(build_uuid):
-  """ Mark a build as archived, and return True if we were the ones who actually
+    """ Mark a build as archived, and return True if we were the ones who actually
       updated the row. """
-  return (RepositoryBuild
-          .update(logs_archived=True)
-          .where(RepositoryBuild.uuid == build_uuid,
-                  RepositoryBuild.logs_archived == False)
-          .execute()) > 0
+    return (
+        RepositoryBuild.update(logs_archived=True)
+        .where(
+            RepositoryBuild.uuid == build_uuid, RepositoryBuild.logs_archived == False
+        )
+        .execute()
+    ) > 0
 
 
 def toggle_build_trigger(trigger, enabled, reason=TRIGGER_DISABLE_REASON.USER_TOGGLED):
-  """ Toggles the enabled status of a build trigger. """
-  trigger.enabled = enabled
+    """ Toggles the enabled status of a build trigger. """
+    trigger.enabled = enabled
 
-  if not enabled:
-    trigger.disabled_reason = RepositoryBuildTrigger.disabled_reason.get_id(reason)
-    trigger.disabled_datetime = datetime.utcnow()
+    if not enabled:
+        trigger.disabled_reason = RepositoryBuildTrigger.disabled_reason.get_id(reason)
+        trigger.disabled_datetime = datetime.utcnow()
 
-  trigger.save()
+    trigger.save()
 
 
 def update_trigger_disable_status(trigger, final_phase):
-  """ Updates the disable status of the given build trigger. If the build trigger had a
+    """ Updates the disable status of the given build trigger. If the build trigger had a
       failure, then the counter is increased and, if we've reached the limit, the trigger is
       automatically disabled. Otherwise, if the trigger succeeded, it's counter is reset. This
       ensures that triggers that continue to error are eventually automatically disabled.
   """
-  with db_transaction():
-    try:
-      trigger = RepositoryBuildTrigger.get(id=trigger.id)
-    except RepositoryBuildTrigger.DoesNotExist:
-      # Already deleted.
-      return
+    with db_transaction():
+        try:
+            trigger = RepositoryBuildTrigger.get(id=trigger.id)
+        except RepositoryBuildTrigger.DoesNotExist:
+            # Already deleted.
+            return
 
-    # If the build completed successfully, then reset the successive counters.
-    if final_phase == BUILD_PHASE.COMPLETE:
-      trigger.successive_failure_count = 0
-      trigger.successive_internal_error_count = 0
-      trigger.save()
-      return
+        # If the build completed successfully, then reset the successive counters.
+        if final_phase == BUILD_PHASE.COMPLETE:
+            trigger.successive_failure_count = 0
+            trigger.successive_internal_error_count = 0
+            trigger.save()
+            return
 
-    # Otherwise, increment the counters and check for trigger disable.
-    if final_phase == BUILD_PHASE.ERROR:
-      trigger.successive_failure_count = trigger.successive_failure_count + 1
-      trigger.successive_internal_error_count = 0
-    elif final_phase == BUILD_PHASE.INTERNAL_ERROR:
-      trigger.successive_internal_error_count = trigger.successive_internal_error_count + 1
+        # Otherwise, increment the counters and check for trigger disable.
+        if final_phase == BUILD_PHASE.ERROR:
+            trigger.successive_failure_count = trigger.successive_failure_count + 1
+            trigger.successive_internal_error_count = 0
+        elif final_phase == BUILD_PHASE.INTERNAL_ERROR:
+            trigger.successive_internal_error_count = (
+                trigger.successive_internal_error_count + 1
+            )
 
-    # Check if we need to disable the trigger.    
-    failure_threshold = config.app_config.get('SUCCESSIVE_TRIGGER_FAILURE_DISABLE_THRESHOLD')
-    error_threshold = config.app_config.get('SUCCESSIVE_TRIGGER_INTERNAL_ERROR_DISABLE_THRESHOLD')
+        # Check if we need to disable the trigger.
+        failure_threshold = config.app_config.get(
+            "SUCCESSIVE_TRIGGER_FAILURE_DISABLE_THRESHOLD"
+        )
+        error_threshold = config.app_config.get(
+            "SUCCESSIVE_TRIGGER_INTERNAL_ERROR_DISABLE_THRESHOLD"
+        )
 
-    if failure_threshold and trigger.successive_failure_count >= failure_threshold:
-      toggle_build_trigger(trigger, False, TRIGGER_DISABLE_REASON.BUILD_FALURES)
-    elif (error_threshold and
-          trigger.successive_internal_error_count >= error_threshold):
-      toggle_build_trigger(trigger, False, TRIGGER_DISABLE_REASON.INTERNAL_ERRORS)
-    else:
-      # Save the trigger changes.
-      trigger.save()
+        if failure_threshold and trigger.successive_failure_count >= failure_threshold:
+            toggle_build_trigger(trigger, False, TRIGGER_DISABLE_REASON.BUILD_FALURES)
+        elif (
+            error_threshold
+            and trigger.successive_internal_error_count >= error_threshold
+        ):
+            toggle_build_trigger(trigger, False, TRIGGER_DISABLE_REASON.INTERNAL_ERRORS)
+        else:
+            # Save the trigger changes.
+            trigger.save()
diff --git a/data/model/gc.py b/data/model/gc.py
index 7f898bec8..4f3d72489 100644
--- a/data/model/gc.py
+++ b/data/model/gc.py
@@ -4,551 +4,601 @@ from data.model import config, db_transaction, storage, _basequery, tag as pre_o
 from data.model.oci import tag as oci_tag
 from data.database import Repository, db_for_update
 from data.database import ApprTag
-from data.database import (Tag, Manifest, ManifestBlob, ManifestChild, ManifestLegacyImage,
-                           ManifestLabel, Label, TagManifestLabel)
+from data.database import (
+    Tag,
+    Manifest,
+    ManifestBlob,
+    ManifestChild,
+    ManifestLegacyImage,
+    ManifestLabel,
+    Label,
+    TagManifestLabel,
+)
 from data.database import RepositoryTag, TagManifest, Image, DerivedStorageForImage
 from data.database import TagManifestToManifest, TagToRepositoryTag, TagManifestLabelMap
 
 logger = logging.getLogger(__name__)
 
+
 class _GarbageCollectorContext(object):
-  def __init__(self, repository):
-    self.repository = repository
-    self.manifest_ids = set()
-    self.label_ids = set()
-    self.blob_ids = set()
-    self.legacy_image_ids = set()
+    def __init__(self, repository):
+        self.repository = repository
+        self.manifest_ids = set()
+        self.label_ids = set()
+        self.blob_ids = set()
+        self.legacy_image_ids = set()
 
-  def add_manifest_id(self, manifest_id):
-    self.manifest_ids.add(manifest_id)
+    def add_manifest_id(self, manifest_id):
+        self.manifest_ids.add(manifest_id)
 
-  def add_label_id(self, label_id):
-    self.label_ids.add(label_id)
+    def add_label_id(self, label_id):
+        self.label_ids.add(label_id)
 
-  def add_blob_id(self, blob_id):
-    self.blob_ids.add(blob_id)
+    def add_blob_id(self, blob_id):
+        self.blob_ids.add(blob_id)
 
-  def add_legacy_image_id(self, legacy_image_id):
-    self.legacy_image_ids.add(legacy_image_id)
+    def add_legacy_image_id(self, legacy_image_id):
+        self.legacy_image_ids.add(legacy_image_id)
 
-  def mark_label_id_removed(self, label_id):
-    self.label_ids.remove(label_id)
+    def mark_label_id_removed(self, label_id):
+        self.label_ids.remove(label_id)
 
-  def mark_manifest_removed(self, manifest):
-    self.manifest_ids.remove(manifest.id)
+    def mark_manifest_removed(self, manifest):
+        self.manifest_ids.remove(manifest.id)
 
-  def mark_legacy_image_removed(self, legacy_image):
-    self.legacy_image_ids.remove(legacy_image.id)
+    def mark_legacy_image_removed(self, legacy_image):
+        self.legacy_image_ids.remove(legacy_image.id)
 
-  def mark_blob_id_removed(self, blob_id):
-    self.blob_ids.remove(blob_id)
+    def mark_blob_id_removed(self, blob_id):
+        self.blob_ids.remove(blob_id)
 
 
 def purge_repository(namespace_name, repository_name):
-  """ Completely delete all traces of the repository. Will return True upon
+    """ Completely delete all traces of the repository. Will return True upon
       complete success, and False upon partial or total failure. Garbage
       collection is incremental and repeatable, so this return value does
       not need to be checked or responded to.
       """
-  try:
-    repo = _basequery.get_existing_repository(namespace_name, repository_name)
-  except Repository.DoesNotExist:
-    return False
+    try:
+        repo = _basequery.get_existing_repository(namespace_name, repository_name)
+    except Repository.DoesNotExist:
+        return False
 
-  assert repo.name == repository_name
+    assert repo.name == repository_name
 
-  # Delete the repository of all Appr-referenced entries.
-  # Note that new-model Tag's must be deleted in *two* passes, as they can reference parent tags,
-  # and MySQL is... particular... about such relationships when deleting.
-  if repo.kind.name == 'application':
-    ApprTag.delete().where(ApprTag.repository == repo, ~(ApprTag.linked_tag >> None)).execute()
-    ApprTag.delete().where(ApprTag.repository == repo).execute()
-  else:
-    # GC to remove the images and storage.
-    _purge_repository_contents(repo)
+    # Delete the repository of all Appr-referenced entries.
+    # Note that new-model Tag's must be deleted in *two* passes, as they can reference parent tags,
+    # and MySQL is... particular... about such relationships when deleting.
+    if repo.kind.name == "application":
+        ApprTag.delete().where(
+            ApprTag.repository == repo, ~(ApprTag.linked_tag >> None)
+        ).execute()
+        ApprTag.delete().where(ApprTag.repository == repo).execute()
+    else:
+        # GC to remove the images and storage.
+        _purge_repository_contents(repo)
 
-  # Ensure there are no additional tags, manifests, images or blobs in the repository.
-  assert ApprTag.select().where(ApprTag.repository == repo).count() == 0
-  assert Tag.select().where(Tag.repository == repo).count() == 0
-  assert RepositoryTag.select().where(RepositoryTag.repository == repo).count() == 0
-  assert Manifest.select().where(Manifest.repository == repo).count() == 0
-  assert ManifestBlob.select().where(ManifestBlob.repository == repo).count() == 0
-  assert Image.select().where(Image.repository == repo).count() == 0
+    # Ensure there are no additional tags, manifests, images or blobs in the repository.
+    assert ApprTag.select().where(ApprTag.repository == repo).count() == 0
+    assert Tag.select().where(Tag.repository == repo).count() == 0
+    assert RepositoryTag.select().where(RepositoryTag.repository == repo).count() == 0
+    assert Manifest.select().where(Manifest.repository == repo).count() == 0
+    assert ManifestBlob.select().where(ManifestBlob.repository == repo).count() == 0
+    assert Image.select().where(Image.repository == repo).count() == 0
 
-  # Delete the rest of the repository metadata.
-  try:
-    # Make sure the repository still exists.
-    fetched = _basequery.get_existing_repository(namespace_name, repository_name)
-  except Repository.DoesNotExist:
-    return False
+    # Delete the rest of the repository metadata.
+    try:
+        # Make sure the repository still exists.
+        fetched = _basequery.get_existing_repository(namespace_name, repository_name)
+    except Repository.DoesNotExist:
+        return False
 
-  fetched.delete_instance(recursive=True, delete_nullable=False)
+    fetched.delete_instance(recursive=True, delete_nullable=False)
 
-  # Run callbacks
-  for callback in config.repo_cleanup_callbacks:
-    callback(namespace_name, repository_name)
+    # Run callbacks
+    for callback in config.repo_cleanup_callbacks:
+        callback(namespace_name, repository_name)
 
-  return True
+    return True
 
 
 def _chunk_iterate_for_deletion(query, chunk_size=10):
-  """ Returns an iterator that loads the rows returned by the given query in chunks. Note that
+    """ Returns an iterator that loads the rows returned by the given query in chunks. Note that
       order is not guaranteed here, so this will only work (i.e. not return duplicates) if
       the rows returned are being deleted between calls.
   """
-  while True:
-    results = list(query.limit(chunk_size))
-    if not results:
-      raise StopIteration
+    while True:
+        results = list(query.limit(chunk_size))
+        if not results:
+            raise StopIteration
 
-    yield results
+        yield results
 
 
 def _purge_repository_contents(repo):
-  """ Purges all the contents of a repository, removing all of its tags,
+    """ Purges all the contents of a repository, removing all of its tags,
       manifests and images.
   """
-  logger.debug('Purging repository %s', repo)
+    logger.debug("Purging repository %s", repo)
 
-  # Purge via all the tags.
-  while True:
-    found = False
-    for tags in _chunk_iterate_for_deletion(Tag.select().where(Tag.repository == repo)):
-      logger.debug('Found %s tags to GC under repository %s', len(tags), repo)
-      found = True
-      context = _GarbageCollectorContext(repo)
-      for tag in tags:
-        logger.debug('Deleting tag %s under repository %s', tag, repo)
-        assert tag.repository_id == repo.id
-        _purge_oci_tag(tag, context, allow_non_expired=True)
+    # Purge via all the tags.
+    while True:
+        found = False
+        for tags in _chunk_iterate_for_deletion(
+            Tag.select().where(Tag.repository == repo)
+        ):
+            logger.debug("Found %s tags to GC under repository %s", len(tags), repo)
+            found = True
+            context = _GarbageCollectorContext(repo)
+            for tag in tags:
+                logger.debug("Deleting tag %s under repository %s", tag, repo)
+                assert tag.repository_id == repo.id
+                _purge_oci_tag(tag, context, allow_non_expired=True)
 
-      _run_garbage_collection(context)
+            _run_garbage_collection(context)
 
-    if not found:
-      break
+        if not found:
+            break
 
-  # TODO: remove this once we're fully on the OCI data model.
-  while True:
-    found = False
-    repo_tag_query = RepositoryTag.select().where(RepositoryTag.repository == repo)
-    for tags in _chunk_iterate_for_deletion(repo_tag_query):
-      logger.debug('Found %s tags to GC under repository %s', len(tags), repo)
-      found = True
-      context = _GarbageCollectorContext(repo)
+    # TODO: remove this once we're fully on the OCI data model.
+    while True:
+        found = False
+        repo_tag_query = RepositoryTag.select().where(RepositoryTag.repository == repo)
+        for tags in _chunk_iterate_for_deletion(repo_tag_query):
+            logger.debug("Found %s tags to GC under repository %s", len(tags), repo)
+            found = True
+            context = _GarbageCollectorContext(repo)
 
-      for tag in tags:
-        logger.debug('Deleting tag %s under repository %s', tag, repo)
-        assert tag.repository_id == repo.id
-        _purge_pre_oci_tag(tag, context, allow_non_expired=True)
+            for tag in tags:
+                logger.debug("Deleting tag %s under repository %s", tag, repo)
+                assert tag.repository_id == repo.id
+                _purge_pre_oci_tag(tag, context, allow_non_expired=True)
 
-      _run_garbage_collection(context)
+            _run_garbage_collection(context)
 
-    if not found:
-      break
+        if not found:
+            break
 
-  # Add all remaining images to a new context. We do this here to minimize the number of images
-  # we need to load.
-  while True:
-    found_image = False
-    image_context = _GarbageCollectorContext(repo)
-    for image in Image.select().where(Image.repository == repo):
-      found_image = True
-      logger.debug('Deleting image %s under repository %s', image, repo)
-      assert image.repository_id == repo.id
-      image_context.add_legacy_image_id(image.id)
+    # Add all remaining images to a new context. We do this here to minimize the number of images
+    # we need to load.
+    while True:
+        found_image = False
+        image_context = _GarbageCollectorContext(repo)
+        for image in Image.select().where(Image.repository == repo):
+            found_image = True
+            logger.debug("Deleting image %s under repository %s", image, repo)
+            assert image.repository_id == repo.id
+            image_context.add_legacy_image_id(image.id)
 
-    _run_garbage_collection(image_context)
+        _run_garbage_collection(image_context)
 
-    if not found_image:
-      break
+        if not found_image:
+            break
 
 
 def garbage_collect_repo(repo):
-  """ Performs garbage collection over the contents of a repository. """
-  # Purge expired tags.
-  had_changes = False
+    """ Performs garbage collection over the contents of a repository. """
+    # Purge expired tags.
+    had_changes = False
 
-  for tags in _chunk_iterate_for_deletion(oci_tag.lookup_unrecoverable_tags(repo)):
-    logger.debug('Found %s tags to GC under repository %s', len(tags), repo)
-    context = _GarbageCollectorContext(repo)
-    for tag in tags:
-      logger.debug('Deleting tag %s under repository %s', tag, repo)
-      assert tag.repository_id == repo.id
-      assert tag.lifetime_end_ms is not None
-      _purge_oci_tag(tag, context)
+    for tags in _chunk_iterate_for_deletion(oci_tag.lookup_unrecoverable_tags(repo)):
+        logger.debug("Found %s tags to GC under repository %s", len(tags), repo)
+        context = _GarbageCollectorContext(repo)
+        for tag in tags:
+            logger.debug("Deleting tag %s under repository %s", tag, repo)
+            assert tag.repository_id == repo.id
+            assert tag.lifetime_end_ms is not None
+            _purge_oci_tag(tag, context)
 
-    _run_garbage_collection(context)
-    had_changes = True
+        _run_garbage_collection(context)
+        had_changes = True
 
-  for tags in _chunk_iterate_for_deletion(pre_oci_tag.lookup_unrecoverable_tags(repo)):
-    logger.debug('Found %s tags to GC under repository %s', len(tags), repo)
-    context = _GarbageCollectorContext(repo)
-    for tag in tags:
-      logger.debug('Deleting tag %s under repository %s', tag, repo)
-      assert tag.repository_id == repo.id
-      assert tag.lifetime_end_ts is not None
-      _purge_pre_oci_tag(tag, context)
+    for tags in _chunk_iterate_for_deletion(
+        pre_oci_tag.lookup_unrecoverable_tags(repo)
+    ):
+        logger.debug("Found %s tags to GC under repository %s", len(tags), repo)
+        context = _GarbageCollectorContext(repo)
+        for tag in tags:
+            logger.debug("Deleting tag %s under repository %s", tag, repo)
+            assert tag.repository_id == repo.id
+            assert tag.lifetime_end_ts is not None
+            _purge_pre_oci_tag(tag, context)
 
-    _run_garbage_collection(context)
-    had_changes = True
+        _run_garbage_collection(context)
+        had_changes = True
 
-  return had_changes
+    return had_changes
 
 
 def _run_garbage_collection(context):
-  """ Runs the garbage collection loop, deleting manifests, images, labels and blobs
+    """ Runs the garbage collection loop, deleting manifests, images, labels and blobs
       in an iterative fashion.
   """
-  has_changes = True
+    has_changes = True
 
-  while has_changes:
-    has_changes = False
+    while has_changes:
+        has_changes = False
 
-    # GC all manifests encountered.
-    for manifest_id in list(context.manifest_ids):
-      if _garbage_collect_manifest(manifest_id, context):
-        has_changes = True
+        # GC all manifests encountered.
+        for manifest_id in list(context.manifest_ids):
+            if _garbage_collect_manifest(manifest_id, context):
+                has_changes = True
 
-    # GC all images encountered.
-    for image_id in list(context.legacy_image_ids):
-      if _garbage_collect_legacy_image(image_id, context):
-        has_changes = True
+        # GC all images encountered.
+        for image_id in list(context.legacy_image_ids):
+            if _garbage_collect_legacy_image(image_id, context):
+                has_changes = True
 
-    # GC all labels encountered.
-    for label_id in list(context.label_ids):
-      if _garbage_collect_label(label_id, context):
-        has_changes = True
+        # GC all labels encountered.
+        for label_id in list(context.label_ids):
+            if _garbage_collect_label(label_id, context):
+                has_changes = True
 
-    # GC any blobs encountered.
-    if context.blob_ids:
-      storage_ids_removed = set(storage.garbage_collect_storage(context.blob_ids))
-      for blob_removed_id in storage_ids_removed:
-        context.mark_blob_id_removed(blob_removed_id)
-        has_changes = True
+        # GC any blobs encountered.
+        if context.blob_ids:
+            storage_ids_removed = set(storage.garbage_collect_storage(context.blob_ids))
+            for blob_removed_id in storage_ids_removed:
+                context.mark_blob_id_removed(blob_removed_id)
+                has_changes = True
 
 
 def _purge_oci_tag(tag, context, allow_non_expired=False):
-  assert tag.repository_id == context.repository.id
+    assert tag.repository_id == context.repository.id
 
-  if not allow_non_expired:
-    assert tag.lifetime_end_ms is not None
-    assert tag.lifetime_end_ms <= oci_tag.get_epoch_timestamp_ms()
+    if not allow_non_expired:
+        assert tag.lifetime_end_ms is not None
+        assert tag.lifetime_end_ms <= oci_tag.get_epoch_timestamp_ms()
 
-  # Add the manifest to be GCed.
-  context.add_manifest_id(tag.manifest_id)
+    # Add the manifest to be GCed.
+    context.add_manifest_id(tag.manifest_id)
 
-  with db_transaction():
-    # Reload the tag and verify its lifetime_end_ms has not changed.
-    try:
-      reloaded_tag = db_for_update(Tag.select().where(Tag.id == tag.id)).get()
-    except Tag.DoesNotExist:
-      return False
+    with db_transaction():
+        # Reload the tag and verify its lifetime_end_ms has not changed.
+        try:
+            reloaded_tag = db_for_update(Tag.select().where(Tag.id == tag.id)).get()
+        except Tag.DoesNotExist:
+            return False
 
-    assert reloaded_tag.id == tag.id
-    assert reloaded_tag.repository_id == context.repository.id
-    if reloaded_tag.lifetime_end_ms != tag.lifetime_end_ms:
-      return False
+        assert reloaded_tag.id == tag.id
+        assert reloaded_tag.repository_id == context.repository.id
+        if reloaded_tag.lifetime_end_ms != tag.lifetime_end_ms:
+            return False
 
-    # Delete mapping rows.
-    TagToRepositoryTag.delete().where(TagToRepositoryTag.tag == tag).execute()
+        # Delete mapping rows.
+        TagToRepositoryTag.delete().where(TagToRepositoryTag.tag == tag).execute()
 
-    # Delete the tag.
-    tag.delete_instance()
+        # Delete the tag.
+        tag.delete_instance()
 
 
 def _purge_pre_oci_tag(tag, context, allow_non_expired=False):
-  assert tag.repository_id == context.repository.id
+    assert tag.repository_id == context.repository.id
 
-  if not allow_non_expired:
-    assert tag.lifetime_end_ts is not None
-    assert tag.lifetime_end_ts <= pre_oci_tag.get_epoch_timestamp()
+    if not allow_non_expired:
+        assert tag.lifetime_end_ts is not None
+        assert tag.lifetime_end_ts <= pre_oci_tag.get_epoch_timestamp()
 
-  # If it exists, GC the tag manifest.
-  try:
-    tag_manifest = TagManifest.select().where(TagManifest.tag == tag).get()
-    _garbage_collect_legacy_manifest(tag_manifest.id, context)
-  except TagManifest.DoesNotExist:
-    pass
-
-  # Add the tag's legacy image to be GCed.
-  context.add_legacy_image_id(tag.image_id)
-
-  with db_transaction():
-    # Reload the tag and verify its lifetime_end_ts has not changed.
+    # If it exists, GC the tag manifest.
     try:
-      reloaded_tag = db_for_update(RepositoryTag.select().where(RepositoryTag.id == tag.id)).get()
-    except RepositoryTag.DoesNotExist:
-      return False
+        tag_manifest = TagManifest.select().where(TagManifest.tag == tag).get()
+        _garbage_collect_legacy_manifest(tag_manifest.id, context)
+    except TagManifest.DoesNotExist:
+        pass
 
-    assert reloaded_tag.id == tag.id
-    assert reloaded_tag.repository_id == context.repository.id
-    if reloaded_tag.lifetime_end_ts != tag.lifetime_end_ts:
-      return False
+    # Add the tag's legacy image to be GCed.
+    context.add_legacy_image_id(tag.image_id)
 
-    # Delete mapping rows.
-    TagToRepositoryTag.delete().where(TagToRepositoryTag.repository_tag == reloaded_tag).execute()
+    with db_transaction():
+        # Reload the tag and verify its lifetime_end_ts has not changed.
+        try:
+            reloaded_tag = db_for_update(
+                RepositoryTag.select().where(RepositoryTag.id == tag.id)
+            ).get()
+        except RepositoryTag.DoesNotExist:
+            return False
 
-    # Delete the tag.
-    reloaded_tag.delete_instance()
+        assert reloaded_tag.id == tag.id
+        assert reloaded_tag.repository_id == context.repository.id
+        if reloaded_tag.lifetime_end_ts != tag.lifetime_end_ts:
+            return False
+
+        # Delete mapping rows.
+        TagToRepositoryTag.delete().where(
+            TagToRepositoryTag.repository_tag == reloaded_tag
+        ).execute()
+
+        # Delete the tag.
+        reloaded_tag.delete_instance()
 
 
 def _check_manifest_used(manifest_id):
-  assert manifest_id is not None
+    assert manifest_id is not None
 
-  with db_transaction():
-    # Check if the manifest is referenced by any other tag.
-    try:
-      Tag.select().where(Tag.manifest == manifest_id).get()
-      return True
-    except Tag.DoesNotExist:
-      pass
+    with db_transaction():
+        # Check if the manifest is referenced by any other tag.
+        try:
+            Tag.select().where(Tag.manifest == manifest_id).get()
+            return True
+        except Tag.DoesNotExist:
+            pass
 
-    # Check if the manifest is referenced as a child of another manifest.
-    try:
-      ManifestChild.select().where(ManifestChild.child_manifest == manifest_id).get()
-      return True
-    except ManifestChild.DoesNotExist:
-      pass
+        # Check if the manifest is referenced as a child of another manifest.
+        try:
+            ManifestChild.select().where(
+                ManifestChild.child_manifest == manifest_id
+            ).get()
+            return True
+        except ManifestChild.DoesNotExist:
+            pass
 
-  return False
+    return False
 
 
 def _garbage_collect_manifest(manifest_id, context):
-  assert manifest_id is not None
+    assert manifest_id is not None
 
-  # Make sure the manifest isn't referenced.
-  if _check_manifest_used(manifest_id):
-    return False
-
-  # Add the manifest's blobs to the context to be GCed.
-  for manifest_blob in ManifestBlob.select().where(ManifestBlob.manifest == manifest_id):
-    context.add_blob_id(manifest_blob.blob_id)
-
-  # Retrieve the manifest's associated image, if any.
-  try:
-    legacy_image_id = ManifestLegacyImage.get(manifest=manifest_id).image_id
-    context.add_legacy_image_id(legacy_image_id)
-  except ManifestLegacyImage.DoesNotExist:
-    legacy_image_id = None
-
-  # Add child manifests to be GCed.
-  for connector in ManifestChild.select().where(ManifestChild.manifest == manifest_id):
-    context.add_manifest_id(connector.child_manifest_id)
-
-  # Add the labels to be GCed.
-  for manifest_label in ManifestLabel.select().where(ManifestLabel.manifest == manifest_id):
-    context.add_label_id(manifest_label.label_id)
-
-  # Delete the manifest.
-  with db_transaction():
-    try:
-      manifest = Manifest.select().where(Manifest.id == manifest_id).get()
-    except Manifest.DoesNotExist:
-      return False
-
-    assert manifest.id == manifest_id
-    assert manifest.repository_id == context.repository.id
+    # Make sure the manifest isn't referenced.
     if _check_manifest_used(manifest_id):
-      return False
+        return False
 
-    # Delete any label mappings.
-    (TagManifestLabelMap
-     .delete()
-     .where(TagManifestLabelMap.manifest == manifest_id)
-     .execute())
+    # Add the manifest's blobs to the context to be GCed.
+    for manifest_blob in ManifestBlob.select().where(
+        ManifestBlob.manifest == manifest_id
+    ):
+        context.add_blob_id(manifest_blob.blob_id)
 
-    # Delete any mapping rows for the manifest.
-    TagManifestToManifest.delete().where(TagManifestToManifest.manifest == manifest_id).execute()
+    # Retrieve the manifest's associated image, if any.
+    try:
+        legacy_image_id = ManifestLegacyImage.get(manifest=manifest_id).image_id
+        context.add_legacy_image_id(legacy_image_id)
+    except ManifestLegacyImage.DoesNotExist:
+        legacy_image_id = None
 
-    # Delete any label rows.
-    ManifestLabel.delete().where(ManifestLabel.manifest == manifest_id,
-                                 ManifestLabel.repository == context.repository).execute()
+    # Add child manifests to be GCed.
+    for connector in ManifestChild.select().where(
+        ManifestChild.manifest == manifest_id
+    ):
+        context.add_manifest_id(connector.child_manifest_id)
 
-    # Delete any child manifest rows.
-    ManifestChild.delete().where(ManifestChild.manifest == manifest_id,
-                                 ManifestChild.repository == context.repository).execute()
-
-    # Delete the manifest blobs for the manifest.
-    ManifestBlob.delete().where(ManifestBlob.manifest == manifest_id,
-                                ManifestBlob.repository == context.repository).execute()
-
-    # Delete the manifest legacy image row.
-    if legacy_image_id:
-      (ManifestLegacyImage
-       .delete()
-       .where(ManifestLegacyImage.manifest == manifest_id,
-              ManifestLegacyImage.repository == context.repository)
-       .execute())
+    # Add the labels to be GCed.
+    for manifest_label in ManifestLabel.select().where(
+        ManifestLabel.manifest == manifest_id
+    ):
+        context.add_label_id(manifest_label.label_id)
 
     # Delete the manifest.
-    manifest.delete_instance()
+    with db_transaction():
+        try:
+            manifest = Manifest.select().where(Manifest.id == manifest_id).get()
+        except Manifest.DoesNotExist:
+            return False
 
-  context.mark_manifest_removed(manifest)
-  return True
+        assert manifest.id == manifest_id
+        assert manifest.repository_id == context.repository.id
+        if _check_manifest_used(manifest_id):
+            return False
+
+        # Delete any label mappings.
+        (
+            TagManifestLabelMap.delete()
+            .where(TagManifestLabelMap.manifest == manifest_id)
+            .execute()
+        )
+
+        # Delete any mapping rows for the manifest.
+        TagManifestToManifest.delete().where(
+            TagManifestToManifest.manifest == manifest_id
+        ).execute()
+
+        # Delete any label rows.
+        ManifestLabel.delete().where(
+            ManifestLabel.manifest == manifest_id,
+            ManifestLabel.repository == context.repository,
+        ).execute()
+
+        # Delete any child manifest rows.
+        ManifestChild.delete().where(
+            ManifestChild.manifest == manifest_id,
+            ManifestChild.repository == context.repository,
+        ).execute()
+
+        # Delete the manifest blobs for the manifest.
+        ManifestBlob.delete().where(
+            ManifestBlob.manifest == manifest_id,
+            ManifestBlob.repository == context.repository,
+        ).execute()
+
+        # Delete the manifest legacy image row.
+        if legacy_image_id:
+            (
+                ManifestLegacyImage.delete()
+                .where(
+                    ManifestLegacyImage.manifest == manifest_id,
+                    ManifestLegacyImage.repository == context.repository,
+                )
+                .execute()
+            )
+
+        # Delete the manifest.
+        manifest.delete_instance()
+
+    context.mark_manifest_removed(manifest)
+    return True
 
 
 def _garbage_collect_legacy_manifest(legacy_manifest_id, context):
-  assert legacy_manifest_id is not None
+    assert legacy_manifest_id is not None
 
-  # Add the labels to be GCed.
-  query = TagManifestLabel.select().where(TagManifestLabel.annotated == legacy_manifest_id)
-  for manifest_label in query:
-    context.add_label_id(manifest_label.label_id)
-
-  # Delete the tag manifest.
-  with db_transaction():
-    try:
-      tag_manifest = TagManifest.select().where(TagManifest.id == legacy_manifest_id).get()
-    except TagManifest.DoesNotExist:
-      return False
-
-    assert tag_manifest.id == legacy_manifest_id
-    assert tag_manifest.tag.repository_id == context.repository.id
-
-    # Delete any label mapping rows.
-    (TagManifestLabelMap
-     .delete()
-     .where(TagManifestLabelMap.tag_manifest == legacy_manifest_id)
-     .execute())
-
-    # Delete the label rows.
-    TagManifestLabel.delete().where(TagManifestLabel.annotated == legacy_manifest_id).execute()
-
-    # Delete the mapping row if it exists.
-    try:
-      tmt = (TagManifestToManifest
-             .select()
-             .where(TagManifestToManifest.tag_manifest == tag_manifest)
-             .get())
-      context.add_manifest_id(tmt.manifest_id)
-      tmt.delete_instance()
-    except TagManifestToManifest.DoesNotExist:
-      pass
+    # Add the labels to be GCed.
+    query = TagManifestLabel.select().where(
+        TagManifestLabel.annotated == legacy_manifest_id
+    )
+    for manifest_label in query:
+        context.add_label_id(manifest_label.label_id)
 
     # Delete the tag manifest.
-    tag_manifest.delete_instance()
+    with db_transaction():
+        try:
+            tag_manifest = (
+                TagManifest.select().where(TagManifest.id == legacy_manifest_id).get()
+            )
+        except TagManifest.DoesNotExist:
+            return False
 
-  return True
+        assert tag_manifest.id == legacy_manifest_id
+        assert tag_manifest.tag.repository_id == context.repository.id
+
+        # Delete any label mapping rows.
+        (
+            TagManifestLabelMap.delete()
+            .where(TagManifestLabelMap.tag_manifest == legacy_manifest_id)
+            .execute()
+        )
+
+        # Delete the label rows.
+        TagManifestLabel.delete().where(
+            TagManifestLabel.annotated == legacy_manifest_id
+        ).execute()
+
+        # Delete the mapping row if it exists.
+        try:
+            tmt = (
+                TagManifestToManifest.select()
+                .where(TagManifestToManifest.tag_manifest == tag_manifest)
+                .get()
+            )
+            context.add_manifest_id(tmt.manifest_id)
+            tmt.delete_instance()
+        except TagManifestToManifest.DoesNotExist:
+            pass
+
+        # Delete the tag manifest.
+        tag_manifest.delete_instance()
+
+    return True
 
 
 def _check_image_used(legacy_image_id):
-  assert legacy_image_id is not None
+    assert legacy_image_id is not None
 
-  with db_transaction():
-    # Check if the image is referenced by a manifest.
-    try:
-      ManifestLegacyImage.select().where(ManifestLegacyImage.image == legacy_image_id).get()
-      return True
-    except ManifestLegacyImage.DoesNotExist:
-      pass
+    with db_transaction():
+        # Check if the image is referenced by a manifest.
+        try:
+            ManifestLegacyImage.select().where(
+                ManifestLegacyImage.image == legacy_image_id
+            ).get()
+            return True
+        except ManifestLegacyImage.DoesNotExist:
+            pass
 
-    # Check if the image is referenced by a tag.
-    try:
-      RepositoryTag.select().where(RepositoryTag.image == legacy_image_id).get()
-      return True
-    except RepositoryTag.DoesNotExist:
-      pass
+        # Check if the image is referenced by a tag.
+        try:
+            RepositoryTag.select().where(RepositoryTag.image == legacy_image_id).get()
+            return True
+        except RepositoryTag.DoesNotExist:
+            pass
 
-    # Check if the image is referenced by another image.
-    try:
-      Image.select().where(Image.parent == legacy_image_id).get()
-      return True
-    except Image.DoesNotExist:
-      pass
+        # Check if the image is referenced by another image.
+        try:
+            Image.select().where(Image.parent == legacy_image_id).get()
+            return True
+        except Image.DoesNotExist:
+            pass
 
-  return False
+    return False
 
 
 def _garbage_collect_legacy_image(legacy_image_id, context):
-  assert legacy_image_id is not None
+    assert legacy_image_id is not None
 
-  # Check if the image is referenced.
-  if _check_image_used(legacy_image_id):
-    return False
-
-  # We have an unreferenced image. We can now delete it.
-  # Grab any derived storage for the image.
-  for derived in (DerivedStorageForImage
-                  .select()
-                  .where(DerivedStorageForImage.source_image == legacy_image_id)):
-    context.add_blob_id(derived.derivative_id)
-
-  try:
-    image = Image.select().where(Image.id == legacy_image_id).get()
-  except Image.DoesNotExist:
-    return False
-
-  assert image.repository_id == context.repository.id
-
-  # Add the image's blob to be GCed.
-  context.add_blob_id(image.storage_id)
-
-  # If the image has a parent ID, add the parent for GC.
-  if image.parent_id is not None:
-    context.add_legacy_image_id(image.parent_id)
-
-  # Delete the image.
-  with db_transaction():
+    # Check if the image is referenced.
     if _check_image_used(legacy_image_id):
-      return False
+        return False
+
+    # We have an unreferenced image. We can now delete it.
+    # Grab any derived storage for the image.
+    for derived in DerivedStorageForImage.select().where(
+        DerivedStorageForImage.source_image == legacy_image_id
+    ):
+        context.add_blob_id(derived.derivative_id)
 
     try:
-      image = Image.select().where(Image.id == legacy_image_id).get()
+        image = Image.select().where(Image.id == legacy_image_id).get()
     except Image.DoesNotExist:
-      return False
+        return False
 
-    assert image.id == legacy_image_id
     assert image.repository_id == context.repository.id
 
-    # Delete any derived storage for the image.
-    (DerivedStorageForImage
-     .delete()
-     .where(DerivedStorageForImage.source_image == legacy_image_id)
-     .execute())
+    # Add the image's blob to be GCed.
+    context.add_blob_id(image.storage_id)
 
-    # Delete the image itself.
-    image.delete_instance()
+    # If the image has a parent ID, add the parent for GC.
+    if image.parent_id is not None:
+        context.add_legacy_image_id(image.parent_id)
 
-  context.mark_legacy_image_removed(image)
+    # Delete the image.
+    with db_transaction():
+        if _check_image_used(legacy_image_id):
+            return False
 
-  if config.image_cleanup_callbacks:
-    for callback in config.image_cleanup_callbacks:
-      callback([image])
+        try:
+            image = Image.select().where(Image.id == legacy_image_id).get()
+        except Image.DoesNotExist:
+            return False
 
-  return True
+        assert image.id == legacy_image_id
+        assert image.repository_id == context.repository.id
+
+        # Delete any derived storage for the image.
+        (
+            DerivedStorageForImage.delete()
+            .where(DerivedStorageForImage.source_image == legacy_image_id)
+            .execute()
+        )
+
+        # Delete the image itself.
+        image.delete_instance()
+
+    context.mark_legacy_image_removed(image)
+
+    if config.image_cleanup_callbacks:
+        for callback in config.image_cleanup_callbacks:
+            callback([image])
+
+    return True
 
 
 def _check_label_used(label_id):
-  assert label_id is not None
+    assert label_id is not None
 
-  with db_transaction():
-    # Check if the label is referenced by another manifest or tag manifest.
-    try:
-      ManifestLabel.select().where(ManifestLabel.label == label_id).get()
-      return True
-    except ManifestLabel.DoesNotExist:
-      pass
+    with db_transaction():
+        # Check if the label is referenced by another manifest or tag manifest.
+        try:
+            ManifestLabel.select().where(ManifestLabel.label == label_id).get()
+            return True
+        except ManifestLabel.DoesNotExist:
+            pass
 
-    try:
-      TagManifestLabel.select().where(TagManifestLabel.label == label_id).get()
-      return True
-    except TagManifestLabel.DoesNotExist:
-      pass
+        try:
+            TagManifestLabel.select().where(TagManifestLabel.label == label_id).get()
+            return True
+        except TagManifestLabel.DoesNotExist:
+            pass
 
-  return False
+    return False
 
 
 def _garbage_collect_label(label_id, context):
-  assert label_id is not None
+    assert label_id is not None
 
-  # We can now delete the label.
-  with db_transaction():
-    if _check_label_used(label_id):
-      return False
+    # We can now delete the label.
+    with db_transaction():
+        if _check_label_used(label_id):
+            return False
 
-    result = Label.delete().where(Label.id == label_id).execute() == 1
+        result = Label.delete().where(Label.id == label_id).execute() == 1
 
-  if result:
-    context.mark_label_id_removed(label_id)
+    if result:
+        context.mark_label_id_removed(label_id)
 
-  return result
+    return result
diff --git a/data/model/health.py b/data/model/health.py
index b40cee025..1f0471d19 100644
--- a/data/model/health.py
+++ b/data/model/health.py
@@ -4,19 +4,20 @@ from data.database import TeamRole, validate_database_url
 
 logger = logging.getLogger(__name__)
 
-def check_health(app_config):
-  # Attempt to connect to the database first. If the DB is not responding,
-  # using the validate_database_url will timeout quickly, as opposed to
-  # making a normal connect which will just hang (thus breaking the health
-  # check).
-  try:
-    validate_database_url(app_config['DB_URI'], {}, connect_timeout=3)
-  except Exception as ex:
-    return (False, 'Could not connect to the database: %s' % ex.message)
 
-  # We will connect to the db, check that it contains some team role kinds
-  try:
-    okay = bool(list(TeamRole.select().limit(1)))
-    return (okay, 'Could not connect to the database' if not okay else None)
-  except Exception as ex:
-    return (False, 'Could not connect to the database: %s' % ex.message)
+def check_health(app_config):
+    # Attempt to connect to the database first. If the DB is not responding,
+    # using the validate_database_url will timeout quickly, as opposed to
+    # making a normal connect which will just hang (thus breaking the health
+    # check).
+    try:
+        validate_database_url(app_config["DB_URI"], {}, connect_timeout=3)
+    except Exception as ex:
+        return (False, "Could not connect to the database: %s" % ex.message)
+
+    # We will connect to the db, check that it contains some team role kinds
+    try:
+        okay = bool(list(TeamRole.select().limit(1)))
+        return (okay, "Could not connect to the database" if not okay else None)
+    except Exception as ex:
+        return (False, "Could not connect to the database: %s" % ex.message)
diff --git a/data/model/image.py b/data/model/image.py
index 1c6f1b952..f87f83643 100644
--- a/data/model/image.py
+++ b/data/model/image.py
@@ -8,509 +8,640 @@ import dateutil.parser
 
 from peewee import JOIN, IntegrityError, fn
 
-from data.model import (DataModelException, db_transaction, _basequery, storage,
-                        InvalidImageException)
-from data.database import (Image, Repository, ImageStoragePlacement, Namespace, ImageStorage,
-                           ImageStorageLocation, RepositoryPermission, DerivedStorageForImage,
-                           ImageStorageTransformation, User)
+from data.model import (
+    DataModelException,
+    db_transaction,
+    _basequery,
+    storage,
+    InvalidImageException,
+)
+from data.database import (
+    Image,
+    Repository,
+    ImageStoragePlacement,
+    Namespace,
+    ImageStorage,
+    ImageStorageLocation,
+    RepositoryPermission,
+    DerivedStorageForImage,
+    ImageStorageTransformation,
+    User,
+)
 
 from util.canonicaljson import canonicalize
 
 logger = logging.getLogger(__name__)
 
+
 def _namespace_id_for_username(username):
-  try:
-    return User.get(username=username).id
-  except User.DoesNotExist:
-    return None
+    try:
+        return User.get(username=username).id
+    except User.DoesNotExist:
+        return None
 
 
 def get_image_with_storage(docker_image_id, storage_uuid):
-  """ Returns the image with the given docker image ID and storage uuid or None if none.
+    """ Returns the image with the given docker image ID and storage uuid or None if none.
   """
-  try:
-    return (Image
-            .select(Image, ImageStorage)
+    try:
+        return (
+            Image.select(Image, ImageStorage)
             .join(ImageStorage)
-            .where(Image.docker_image_id == docker_image_id,
-                   ImageStorage.uuid == storage_uuid)
-            .get())
-  except Image.DoesNotExist:
-    return None
+            .where(
+                Image.docker_image_id == docker_image_id,
+                ImageStorage.uuid == storage_uuid,
+            )
+            .get()
+        )
+    except Image.DoesNotExist:
+        return None
 
 
 def get_parent_images(namespace_name, repository_name, image_obj):
-  """ Returns a list of parent Image objects starting with the most recent parent
+    """ Returns a list of parent Image objects starting with the most recent parent
       and ending with the base layer. The images in this query will include the storage.
   """
-  parents = image_obj.ancestors
+    parents = image_obj.ancestors
 
-  # Ancestors are in the format /<root>/<intermediate>/.../<parent>/, with each path section
-  # containing the database Id of the image row.
-  parent_db_ids = parents.strip('/').split('/')
-  if parent_db_ids == ['']:
-    return []
+    # Ancestors are in the format /<root>/<intermediate>/.../<parent>/, with each path section
+    # containing the database Id of the image row.
+    parent_db_ids = parents.strip("/").split("/")
+    if parent_db_ids == [""]:
+        return []
 
-  def filter_to_parents(query):
-    return query.where(Image.id << parent_db_ids)
+    def filter_to_parents(query):
+        return query.where(Image.id << parent_db_ids)
 
-  parents = _get_repository_images_and_storages(namespace_name, repository_name,
-                                                filter_to_parents)
-  id_to_image = {unicode(image.id): image for image in parents}
-  try:
-    return [id_to_image[parent_id] for parent_id in reversed(parent_db_ids)]
-  except KeyError as ke:
-    logger.exception('Could not find an expected parent image for image %s', image_obj.id)
-    raise DataModelException('Unknown parent image')
+    parents = _get_repository_images_and_storages(
+        namespace_name, repository_name, filter_to_parents
+    )
+    id_to_image = {unicode(image.id): image for image in parents}
+    try:
+        return [id_to_image[parent_id] for parent_id in reversed(parent_db_ids)]
+    except KeyError as ke:
+        logger.exception(
+            "Could not find an expected parent image for image %s", image_obj.id
+        )
+        raise DataModelException("Unknown parent image")
 
 
 def get_placements_for_images(images):
-  """ Returns the placements for the given images, as a map from image storage ID to placements. """
-  if not images:
-    return {}
+    """ Returns the placements for the given images, as a map from image storage ID to placements. """
+    if not images:
+        return {}
 
-  query = (ImageStoragePlacement
-           .select(ImageStoragePlacement, ImageStorageLocation, ImageStorage)
-           .join(ImageStorageLocation)
-           .switch(ImageStoragePlacement)
-           .join(ImageStorage)
-           .where(ImageStorage.id << [image.storage_id for image in images]))
+    query = (
+        ImageStoragePlacement.select(
+            ImageStoragePlacement, ImageStorageLocation, ImageStorage
+        )
+        .join(ImageStorageLocation)
+        .switch(ImageStoragePlacement)
+        .join(ImageStorage)
+        .where(ImageStorage.id << [image.storage_id for image in images])
+    )
 
-  placement_map = defaultdict(list)
-  for placement in query:
-    placement_map[placement.storage.id].append(placement)
+    placement_map = defaultdict(list)
+    for placement in query:
+        placement_map[placement.storage.id].append(placement)
 
-  return dict(placement_map)
+    return dict(placement_map)
 
 
 def get_image_and_placements(namespace_name, repo_name, docker_image_id):
-  """ Returns the repo image (with a storage object) and storage placements for the image
+    """ Returns the repo image (with a storage object) and storage placements for the image
       or (None, None) if non found.
   """
-  repo_image = get_repo_image_and_storage(namespace_name, repo_name, docker_image_id)
-  if repo_image is None:
-    return (None, None)
+    repo_image = get_repo_image_and_storage(namespace_name, repo_name, docker_image_id)
+    if repo_image is None:
+        return (None, None)
 
-  query = (ImageStoragePlacement
-           .select(ImageStoragePlacement, ImageStorageLocation)
-           .join(ImageStorageLocation)
-           .switch(ImageStoragePlacement)
-           .join(ImageStorage)
-           .where(ImageStorage.id == repo_image.storage_id))
+    query = (
+        ImageStoragePlacement.select(ImageStoragePlacement, ImageStorageLocation)
+        .join(ImageStorageLocation)
+        .switch(ImageStoragePlacement)
+        .join(ImageStorage)
+        .where(ImageStorage.id == repo_image.storage_id)
+    )
 
-  return repo_image, list(query)
+    return repo_image, list(query)
 
 
 def get_repo_image(namespace_name, repository_name, docker_image_id):
-  """ Returns the repository image with the given Docker image ID or None if none.
+    """ Returns the repository image with the given Docker image ID or None if none.
       Does not include the storage object.
   """
-  def limit_to_image_id(query):
-    return query.where(Image.docker_image_id == docker_image_id).limit(1)
 
-  query = _get_repository_images(namespace_name, repository_name, limit_to_image_id)
-  try:
-    return query.get()
-  except Image.DoesNotExist:
-    return None
+    def limit_to_image_id(query):
+        return query.where(Image.docker_image_id == docker_image_id).limit(1)
+
+    query = _get_repository_images(namespace_name, repository_name, limit_to_image_id)
+    try:
+        return query.get()
+    except Image.DoesNotExist:
+        return None
 
 
 def get_repo_image_and_storage(namespace_name, repository_name, docker_image_id):
-  """ Returns the repository image with the given Docker image ID or None if none.
+    """ Returns the repository image with the given Docker image ID or None if none.
       Includes the storage object.
   """
-  def limit_to_image_id(query):
-    return query.where(Image.docker_image_id == docker_image_id)
 
-  images = _get_repository_images_and_storages(namespace_name, repository_name, limit_to_image_id)
-  if not images:
-    return None
+    def limit_to_image_id(query):
+        return query.where(Image.docker_image_id == docker_image_id)
 
-  return images[0]
+    images = _get_repository_images_and_storages(
+        namespace_name, repository_name, limit_to_image_id
+    )
+    if not images:
+        return None
+
+    return images[0]
 
 
 def get_image_by_id(namespace_name, repository_name, docker_image_id):
-  """ Returns the repository image with the given Docker image ID or raises if not found.
+    """ Returns the repository image with the given Docker image ID or raises if not found.
       Includes the storage object.
   """
-  image = get_repo_image_and_storage(namespace_name, repository_name, docker_image_id)
-  if not image:
-    raise InvalidImageException('Unable to find image \'%s\' for repo \'%s/%s\'' %
-                                (docker_image_id, namespace_name, repository_name))
-  return image
+    image = get_repo_image_and_storage(namespace_name, repository_name, docker_image_id)
+    if not image:
+        raise InvalidImageException(
+            "Unable to find image '%s' for repo '%s/%s'"
+            % (docker_image_id, namespace_name, repository_name)
+        )
+    return image
 
 
-def _get_repository_images_and_storages(namespace_name, repository_name, query_modifier):
-  query = (Image
-           .select(Image, ImageStorage)
-           .join(ImageStorage)
-           .switch(Image)
-           .join(Repository)
-           .join(Namespace, on=(Repository.namespace_user == Namespace.id))
-           .where(Repository.name == repository_name, Namespace.username == namespace_name))
+def _get_repository_images_and_storages(
+    namespace_name, repository_name, query_modifier
+):
+    query = (
+        Image.select(Image, ImageStorage)
+        .join(ImageStorage)
+        .switch(Image)
+        .join(Repository)
+        .join(Namespace, on=(Repository.namespace_user == Namespace.id))
+        .where(Repository.name == repository_name, Namespace.username == namespace_name)
+    )
 
-  query = query_modifier(query)
-  return query
+    query = query_modifier(query)
+    return query
 
 
 def _get_repository_images(namespace_name, repository_name, query_modifier):
-  query = (Image
-           .select()
-           .join(Repository)
-           .join(Namespace, on=(Repository.namespace_user == Namespace.id))
-           .where(Repository.name == repository_name, Namespace.username == namespace_name))
+    query = (
+        Image.select()
+        .join(Repository)
+        .join(Namespace, on=(Repository.namespace_user == Namespace.id))
+        .where(Repository.name == repository_name, Namespace.username == namespace_name)
+    )
 
-  query = query_modifier(query)
-  return query
+    query = query_modifier(query)
+    return query
 
 
 def lookup_repository_images(repo, docker_image_ids):
-  return (Image
-          .select(Image, ImageStorage)
-          .join(ImageStorage)
-          .where(Image.repository == repo, Image.docker_image_id << docker_image_ids))
+    return (
+        Image.select(Image, ImageStorage)
+        .join(ImageStorage)
+        .where(Image.repository == repo, Image.docker_image_id << docker_image_ids)
+    )
 
 
 def get_repository_images_without_placements(repo_obj, with_ancestor=None):
-  query = (Image
-           .select(Image, ImageStorage)
-           .join(ImageStorage)
-           .where(Image.repository == repo_obj))
+    query = (
+        Image.select(Image, ImageStorage)
+        .join(ImageStorage)
+        .where(Image.repository == repo_obj)
+    )
 
-  if with_ancestor:
-    ancestors_string = '%s%s/' % (with_ancestor.ancestors, with_ancestor.id)
-    query = query.where((Image.ancestors ** (ancestors_string + '%')) |
-                        (Image.id == with_ancestor.id))
+    if with_ancestor:
+        ancestors_string = "%s%s/" % (with_ancestor.ancestors, with_ancestor.id)
+        query = query.where(
+            (Image.ancestors ** (ancestors_string + "%"))
+            | (Image.id == with_ancestor.id)
+        )
 
-  return query
+    return query
 
 
 def get_repository_images(namespace_name, repository_name):
-  """ Returns all the repository images in the repository. Does not include storage objects. """
-  return _get_repository_images(namespace_name, repository_name, lambda q: q)
+    """ Returns all the repository images in the repository. Does not include storage objects. """
+    return _get_repository_images(namespace_name, repository_name, lambda q: q)
 
 
-def __translate_ancestry(old_ancestry, translations, repo_obj, username, preferred_location):
-  if old_ancestry == '/':
-    return '/'
+def __translate_ancestry(
+    old_ancestry, translations, repo_obj, username, preferred_location
+):
+    if old_ancestry == "/":
+        return "/"
 
-  def translate_id(old_id, docker_image_id):
-    logger.debug('Translating id: %s', old_id)
-    if old_id not in translations:
-      image_in_repo = find_create_or_link_image(docker_image_id, repo_obj, username, translations,
-                                                preferred_location)
-      translations[old_id] = image_in_repo.id
-    return translations[old_id]
+    def translate_id(old_id, docker_image_id):
+        logger.debug("Translating id: %s", old_id)
+        if old_id not in translations:
+            image_in_repo = find_create_or_link_image(
+                docker_image_id, repo_obj, username, translations, preferred_location
+            )
+            translations[old_id] = image_in_repo.id
+        return translations[old_id]
 
-  # Select all the ancestor Docker IDs in a single query.
-  old_ids = [int(id_str) for id_str in old_ancestry.split('/')[1:-1]]
-  query = Image.select(Image.id, Image.docker_image_id).where(Image.id << old_ids)
-  old_images = {i.id: i.docker_image_id for i in  query}
+    # Select all the ancestor Docker IDs in a single query.
+    old_ids = [int(id_str) for id_str in old_ancestry.split("/")[1:-1]]
+    query = Image.select(Image.id, Image.docker_image_id).where(Image.id << old_ids)
+    old_images = {i.id: i.docker_image_id for i in query}
 
-  # Translate the old images into new ones.
-  new_ids = [str(translate_id(old_id, old_images[old_id])) for old_id in old_ids]
-  return '/%s/' % '/'.join(new_ids)
+    # Translate the old images into new ones.
+    new_ids = [str(translate_id(old_id, old_images[old_id])) for old_id in old_ids]
+    return "/%s/" % "/".join(new_ids)
 
 
-def _find_or_link_image(existing_image, repo_obj, username, translations, preferred_location):
-  with db_transaction():
-    # Check for an existing image, under the transaction, to make sure it doesn't already exist.
-    repo_image = get_repo_image(repo_obj.namespace_user.username, repo_obj.name,
-                                existing_image.docker_image_id)
+def _find_or_link_image(
+    existing_image, repo_obj, username, translations, preferred_location
+):
+    with db_transaction():
+        # Check for an existing image, under the transaction, to make sure it doesn't already exist.
+        repo_image = get_repo_image(
+            repo_obj.namespace_user.username,
+            repo_obj.name,
+            existing_image.docker_image_id,
+        )
+        if repo_image:
+            return repo_image
+
+        # Make sure the existing base image still exists.
+        try:
+            to_copy = (
+                Image.select()
+                .join(ImageStorage)
+                .where(Image.id == existing_image.id)
+                .get()
+            )
+
+            msg = "Linking image to existing storage with docker id: %s and uuid: %s"
+            logger.debug(msg, existing_image.docker_image_id, to_copy.storage.uuid)
+
+            new_image_ancestry = __translate_ancestry(
+                to_copy.ancestors, translations, repo_obj, username, preferred_location
+            )
+
+            copied_storage = to_copy.storage
+
+            translated_parent_id = None
+            if new_image_ancestry != "/":
+                translated_parent_id = int(new_image_ancestry.split("/")[-2])
+
+            new_image = Image.create(
+                docker_image_id=existing_image.docker_image_id,
+                repository=repo_obj,
+                storage=copied_storage,
+                ancestors=new_image_ancestry,
+                command=existing_image.command,
+                created=existing_image.created,
+                comment=existing_image.comment,
+                v1_json_metadata=existing_image.v1_json_metadata,
+                aggregate_size=existing_image.aggregate_size,
+                parent=translated_parent_id,
+                v1_checksum=existing_image.v1_checksum,
+            )
+
+            logger.debug(
+                "Storing translation %s -> %s", existing_image.id, new_image.id
+            )
+            translations[existing_image.id] = new_image.id
+            return new_image
+        except Image.DoesNotExist:
+            return None
+
+
+def find_create_or_link_image(
+    docker_image_id, repo_obj, username, translations, preferred_location
+):
+
+    # First check for the image existing in the repository. If found, we simply return it.
+    repo_image = get_repo_image(
+        repo_obj.namespace_user.username, repo_obj.name, docker_image_id
+    )
     if repo_image:
-      return repo_image
+        return repo_image
 
-    # Make sure the existing base image still exists.
+    # We next check to see if there is an existing storage the new image can link to.
+    existing_image_query = (
+        Image.select(Image, ImageStorage)
+        .distinct()
+        .join(ImageStorage)
+        .switch(Image)
+        .join(Repository)
+        .join(RepositoryPermission, JOIN.LEFT_OUTER)
+        .switch(Repository)
+        .join(Namespace, on=(Repository.namespace_user == Namespace.id))
+        .where(
+            ImageStorage.uploading == False, Image.docker_image_id == docker_image_id
+        )
+    )
+
+    existing_image_query = _basequery.filter_to_repos_for_user(
+        existing_image_query, _namespace_id_for_username(username)
+    )
+
+    # If there is an existing image, we try to translate its ancestry and copy its storage.
+    new_image = None
     try:
-      to_copy = Image.select().join(ImageStorage).where(Image.id == existing_image.id).get()
+        logger.debug("Looking up existing image for ID: %s", docker_image_id)
+        existing_image = existing_image_query.get()
 
-      msg = 'Linking image to existing storage with docker id: %s and uuid: %s'
-      logger.debug(msg, existing_image.docker_image_id, to_copy.storage.uuid)
-
-      new_image_ancestry = __translate_ancestry(to_copy.ancestors, translations, repo_obj,
-                                                username, preferred_location)
-
-      copied_storage = to_copy.storage
-
-      translated_parent_id = None
-      if new_image_ancestry != '/':
-        translated_parent_id = int(new_image_ancestry.split('/')[-2])
-
-      new_image = Image.create(docker_image_id=existing_image.docker_image_id,
-                               repository=repo_obj,
-                               storage=copied_storage,
-                               ancestors=new_image_ancestry,
-                               command=existing_image.command,
-                               created=existing_image.created,
-                               comment=existing_image.comment,
-                               v1_json_metadata=existing_image.v1_json_metadata,
-                               aggregate_size=existing_image.aggregate_size,
-                               parent=translated_parent_id,
-                               v1_checksum=existing_image.v1_checksum)
-
-
-      logger.debug('Storing translation %s -> %s', existing_image.id, new_image.id)
-      translations[existing_image.id] = new_image.id
-      return new_image
+        logger.debug(
+            "Existing image %s found for ID: %s", existing_image.id, docker_image_id
+        )
+        new_image = _find_or_link_image(
+            existing_image, repo_obj, username, translations, preferred_location
+        )
+        if new_image:
+            return new_image
     except Image.DoesNotExist:
-      return None
+        logger.debug("No existing image found for ID: %s", docker_image_id)
+
+    # Otherwise, create a new storage directly.
+    with db_transaction():
+        # Final check for an existing image, under the transaction.
+        repo_image = get_repo_image(
+            repo_obj.namespace_user.username, repo_obj.name, docker_image_id
+        )
+        if repo_image:
+            return repo_image
+
+        logger.debug("Creating new storage for docker id: %s", docker_image_id)
+        new_storage = storage.create_v1_storage(preferred_location)
+
+        return Image.create(
+            docker_image_id=docker_image_id,
+            repository=repo_obj,
+            storage=new_storage,
+            ancestors="/",
+        )
 
 
-def find_create_or_link_image(docker_image_id, repo_obj, username, translations,
-                              preferred_location):
-
-  # First check for the image existing in the repository. If found, we simply return it.
-  repo_image = get_repo_image(repo_obj.namespace_user.username, repo_obj.name,
-                              docker_image_id)
-  if repo_image:
-    return repo_image
-
-  # We next check to see if there is an existing storage the new image can link to.
-  existing_image_query = (Image
-                          .select(Image, ImageStorage)
-                          .distinct()
-                          .join(ImageStorage)
-                          .switch(Image)
-                          .join(Repository)
-                          .join(RepositoryPermission, JOIN.LEFT_OUTER)
-                          .switch(Repository)
-                          .join(Namespace, on=(Repository.namespace_user == Namespace.id))
-                          .where(ImageStorage.uploading == False,
-                                 Image.docker_image_id == docker_image_id))
-
-  existing_image_query = _basequery.filter_to_repos_for_user(existing_image_query,
-                                                             _namespace_id_for_username(username))
-
-  # If there is an existing image, we try to translate its ancestry and copy its storage.
-  new_image = None
-  try:
-    logger.debug('Looking up existing image for ID: %s', docker_image_id)
-    existing_image = existing_image_query.get()
-
-    logger.debug('Existing image %s found for ID: %s', existing_image.id, docker_image_id)
-    new_image = _find_or_link_image(existing_image, repo_obj, username, translations,
-                                    preferred_location)
-    if new_image:
-      return new_image
-  except Image.DoesNotExist:
-    logger.debug('No existing image found for ID: %s', docker_image_id)
-
-  # Otherwise, create a new storage directly.
-  with db_transaction():
-    # Final check for an existing image, under the transaction.
-    repo_image = get_repo_image(repo_obj.namespace_user.username, repo_obj.name,
-                                docker_image_id)
-    if repo_image:
-      return repo_image
-
-    logger.debug('Creating new storage for docker id: %s', docker_image_id)
-    new_storage = storage.create_v1_storage(preferred_location)
-
-    return Image.create(docker_image_id=docker_image_id,
-                        repository=repo_obj, storage=new_storage,
-                        ancestors='/')
-
-
-def set_image_metadata(docker_image_id, namespace_name, repository_name, created_date_str, comment,
-                       command, v1_json_metadata, parent=None):
-  """ Sets metadata that is specific to how a binary piece of storage fits into the layer tree.
+def set_image_metadata(
+    docker_image_id,
+    namespace_name,
+    repository_name,
+    created_date_str,
+    comment,
+    command,
+    v1_json_metadata,
+    parent=None,
+):
+    """ Sets metadata that is specific to how a binary piece of storage fits into the layer tree.
   """
-  with db_transaction():
-    try:
-      fetched = (Image
-                 .select(Image, ImageStorage)
-                 .join(Repository)
-                 .join(Namespace, on=(Repository.namespace_user == Namespace.id))
-                 .switch(Image)
-                 .join(ImageStorage)
-                 .where(Repository.name == repository_name, Namespace.username == namespace_name,
-                        Image.docker_image_id == docker_image_id)
-                 .get())
-    except Image.DoesNotExist:
-      raise DataModelException('No image with specified id and repository')
+    with db_transaction():
+        try:
+            fetched = (
+                Image.select(Image, ImageStorage)
+                .join(Repository)
+                .join(Namespace, on=(Repository.namespace_user == Namespace.id))
+                .switch(Image)
+                .join(ImageStorage)
+                .where(
+                    Repository.name == repository_name,
+                    Namespace.username == namespace_name,
+                    Image.docker_image_id == docker_image_id,
+                )
+                .get()
+            )
+        except Image.DoesNotExist:
+            raise DataModelException("No image with specified id and repository")
 
-    fetched.created = datetime.now()
-    if created_date_str is not None:
-      try:
-        fetched.created = dateutil.parser.parse(created_date_str).replace(tzinfo=None)
-      except:
-        # parse raises different exceptions, so we cannot use a specific kind of handler here.
-        pass
+        fetched.created = datetime.now()
+        if created_date_str is not None:
+            try:
+                fetched.created = dateutil.parser.parse(created_date_str).replace(
+                    tzinfo=None
+                )
+            except:
+                # parse raises different exceptions, so we cannot use a specific kind of handler here.
+                pass
 
-    # We cleanup any old checksum in case it's a retry after a fail
-    fetched.v1_checksum = None
-    fetched.comment = comment
-    fetched.command = command
-    fetched.v1_json_metadata = v1_json_metadata
+        # We cleanup any old checksum in case it's a retry after a fail
+        fetched.v1_checksum = None
+        fetched.comment = comment
+        fetched.command = command
+        fetched.v1_json_metadata = v1_json_metadata
 
-    if parent:
-      fetched.ancestors = '%s%s/' % (parent.ancestors, parent.id)
-      fetched.parent = parent
+        if parent:
+            fetched.ancestors = "%s%s/" % (parent.ancestors, parent.id)
+            fetched.parent = parent
 
-    fetched.save()
-    return fetched
+        fetched.save()
+        return fetched
 
 
 def get_image(repo, docker_image_id):
-  try:
-    return (Image
-            .select(Image, ImageStorage)
+    try:
+        return (
+            Image.select(Image, ImageStorage)
             .join(ImageStorage)
             .where(Image.docker_image_id == docker_image_id, Image.repository == repo)
-            .get())
-  except Image.DoesNotExist:
-    return None
+            .get()
+        )
+    except Image.DoesNotExist:
+        return None
 
 
 def get_image_by_db_id(id):
-  try:
-    return Image.get(id=id)
-  except Image.DoesNotExist:
-    return None
+    try:
+        return Image.get(id=id)
+    except Image.DoesNotExist:
+        return None
 
 
-def synthesize_v1_image(repo, image_storage_id, storage_image_size, docker_image_id,
-                        created_date_str, comment, command, v1_json_metadata, parent_image=None):
-  """ Find an existing image with this docker image id, and if none exists, write one with the
+def synthesize_v1_image(
+    repo,
+    image_storage_id,
+    storage_image_size,
+    docker_image_id,
+    created_date_str,
+    comment,
+    command,
+    v1_json_metadata,
+    parent_image=None,
+):
+    """ Find an existing image with this docker image id, and if none exists, write one with the
       specified metadata.
   """
-  ancestors = '/'
-  if parent_image is not None:
-    ancestors = '{0}{1}/'.format(parent_image.ancestors, parent_image.id)
+    ancestors = "/"
+    if parent_image is not None:
+        ancestors = "{0}{1}/".format(parent_image.ancestors, parent_image.id)
+
+    created = None
+    if created_date_str is not None:
+        try:
+            created = dateutil.parser.parse(created_date_str).replace(tzinfo=None)
+        except:
+            # parse raises different exceptions, so we cannot use a specific kind of handler here.
+            pass
+
+    # Get the aggregate size for the image.
+    aggregate_size = _basequery.calculate_image_aggregate_size(
+        ancestors, storage_image_size, parent_image
+    )
 
-  created = None
-  if created_date_str is not None:
     try:
-      created = dateutil.parser.parse(created_date_str).replace(tzinfo=None)
-    except:
-      # parse raises different exceptions, so we cannot use a specific kind of handler here.
-      pass
-
-  # Get the aggregate size for the image.
-  aggregate_size = _basequery.calculate_image_aggregate_size(ancestors, storage_image_size,
-                                                             parent_image)
-
-  try:
-    return Image.create(docker_image_id=docker_image_id, ancestors=ancestors, comment=comment,
-                        command=command, v1_json_metadata=v1_json_metadata, created=created,
-                        storage=image_storage_id, repository=repo, parent=parent_image,
-                        aggregate_size=aggregate_size)
-  except IntegrityError:
-    return Image.get(docker_image_id=docker_image_id, repository=repo)
+        return Image.create(
+            docker_image_id=docker_image_id,
+            ancestors=ancestors,
+            comment=comment,
+            command=command,
+            v1_json_metadata=v1_json_metadata,
+            created=created,
+            storage=image_storage_id,
+            repository=repo,
+            parent=parent_image,
+            aggregate_size=aggregate_size,
+        )
+    except IntegrityError:
+        return Image.get(docker_image_id=docker_image_id, repository=repo)
 
 
 def ensure_image_locations(*names):
-  with db_transaction():
-    locations = ImageStorageLocation.select().where(ImageStorageLocation.name << names)
+    with db_transaction():
+        locations = ImageStorageLocation.select().where(
+            ImageStorageLocation.name << names
+        )
 
-    insert_names = list(names)
+        insert_names = list(names)
 
-    for location in locations:
-      insert_names.remove(location.name)
+        for location in locations:
+            insert_names.remove(location.name)
 
-    if not insert_names:
-      return
+        if not insert_names:
+            return
 
-    data = [{'name': name} for name in insert_names]
-    ImageStorageLocation.insert_many(data).execute()
+        data = [{"name": name} for name in insert_names]
+        ImageStorageLocation.insert_many(data).execute()
 
 
 def get_max_id_for_sec_scan():
-  """ Gets the maximum id for a clair sec scan """
-  return Image.select(fn.Max(Image.id)).scalar()
+    """ Gets the maximum id for a clair sec scan """
+    return Image.select(fn.Max(Image.id)).scalar()
 
 
 def get_min_id_for_sec_scan(version):
-  """ Gets the minimum id for a clair sec scan """
-  return (Image
-          .select(fn.Min(Image.id))
-          .where(Image.security_indexed_engine < version)
-          .scalar())
+    """ Gets the minimum id for a clair sec scan """
+    return (
+        Image.select(fn.Min(Image.id))
+        .where(Image.security_indexed_engine < version)
+        .scalar()
+    )
 
 
 def total_image_count():
-  """ Returns the total number of images in DB """
-  return Image.select().count()
+    """ Returns the total number of images in DB """
+    return Image.select().count()
 
 
 def get_image_pk_field():
-  """ Returns the primary key for Image DB model """
-  return Image.id
+    """ Returns the primary key for Image DB model """
+    return Image.id
 
 
 def get_images_eligible_for_scan(clair_version):
-  """ Returns a query that gives all images eligible for a clair scan """
-  return (get_image_with_storage_and_parent_base()
-          .where(Image.security_indexed_engine < clair_version)
-          .where(ImageStorage.uploading == False))
+    """ Returns a query that gives all images eligible for a clair scan """
+    return (
+        get_image_with_storage_and_parent_base()
+        .where(Image.security_indexed_engine < clair_version)
+        .where(ImageStorage.uploading == False)
+    )
 
 
 def get_image_with_storage_and_parent_base():
-  Parent = Image.alias()
-  ParentImageStorage = ImageStorage.alias()
+    Parent = Image.alias()
+    ParentImageStorage = ImageStorage.alias()
 
-  return (Image
-          .select(Image, ImageStorage, Parent, ParentImageStorage)
-          .join(ImageStorage)
-          .switch(Image)
-          .join(Parent, JOIN.LEFT_OUTER, on=(Image.parent == Parent.id))
-          .join(ParentImageStorage, JOIN.LEFT_OUTER, on=(ParentImageStorage.id == Parent.storage)))
+    return (
+        Image.select(Image, ImageStorage, Parent, ParentImageStorage)
+        .join(ImageStorage)
+        .switch(Image)
+        .join(Parent, JOIN.LEFT_OUTER, on=(Image.parent == Parent.id))
+        .join(
+            ParentImageStorage,
+            JOIN.LEFT_OUTER,
+            on=(ParentImageStorage.id == Parent.storage),
+        )
+    )
 
 
 def set_secscan_status(image, indexed, version):
-  return (Image
-          .update(security_indexed=indexed, security_indexed_engine=version)
-          .where(Image.id == image.id)
-          .where((Image.security_indexed_engine != version) | (Image.security_indexed != indexed))
-          .execute()) != 0
+    return (
+        Image.update(security_indexed=indexed, security_indexed_engine=version)
+        .where(Image.id == image.id)
+        .where(
+            (Image.security_indexed_engine != version)
+            | (Image.security_indexed != indexed)
+        )
+        .execute()
+    ) != 0
 
 
 def _get_uniqueness_hash(varying_metadata):
-  if not varying_metadata:
-    return None
+    if not varying_metadata:
+        return None
 
-  return hashlib.sha256(json.dumps(canonicalize(varying_metadata))).hexdigest()
+    return hashlib.sha256(json.dumps(canonicalize(varying_metadata))).hexdigest()
 
 
-def find_or_create_derived_storage(source_image, transformation_name, preferred_location,
-                                   varying_metadata=None):
-  existing = find_derived_storage_for_image(source_image, transformation_name, varying_metadata)
-  if existing is not None:
-    return existing
+def find_or_create_derived_storage(
+    source_image, transformation_name, preferred_location, varying_metadata=None
+):
+    existing = find_derived_storage_for_image(
+        source_image, transformation_name, varying_metadata
+    )
+    if existing is not None:
+        return existing
 
-  uniqueness_hash = _get_uniqueness_hash(varying_metadata)
-  trans = ImageStorageTransformation.get(name=transformation_name)
-  new_storage = storage.create_v1_storage(preferred_location)
+    uniqueness_hash = _get_uniqueness_hash(varying_metadata)
+    trans = ImageStorageTransformation.get(name=transformation_name)
+    new_storage = storage.create_v1_storage(preferred_location)
 
-  try:
-    derived = DerivedStorageForImage.create(source_image=source_image, derivative=new_storage,
-                                            transformation=trans, uniqueness_hash=uniqueness_hash)
-  except IntegrityError:
-    # Storage was created while this method executed. Just return the existing.
-    ImageStoragePlacement.delete().where(ImageStoragePlacement.storage == new_storage).execute()
-    new_storage.delete_instance()
-    return find_derived_storage_for_image(source_image, transformation_name, varying_metadata)
+    try:
+        derived = DerivedStorageForImage.create(
+            source_image=source_image,
+            derivative=new_storage,
+            transformation=trans,
+            uniqueness_hash=uniqueness_hash,
+        )
+    except IntegrityError:
+        # Storage was created while this method executed. Just return the existing.
+        ImageStoragePlacement.delete().where(
+            ImageStoragePlacement.storage == new_storage
+        ).execute()
+        new_storage.delete_instance()
+        return find_derived_storage_for_image(
+            source_image, transformation_name, varying_metadata
+        )
 
-  return derived
+    return derived
 
 
-def find_derived_storage_for_image(source_image, transformation_name, varying_metadata=None):
-  uniqueness_hash = _get_uniqueness_hash(varying_metadata)
+def find_derived_storage_for_image(
+    source_image, transformation_name, varying_metadata=None
+):
+    uniqueness_hash = _get_uniqueness_hash(varying_metadata)
 
-  try:
-    found = (DerivedStorageForImage
-             .select(ImageStorage, DerivedStorageForImage)
-             .join(ImageStorage)
-             .switch(DerivedStorageForImage)
-             .join(ImageStorageTransformation)
-             .where(DerivedStorageForImage.source_image == source_image,
-                    ImageStorageTransformation.name == transformation_name,
-                    DerivedStorageForImage.uniqueness_hash == uniqueness_hash)
-             .get())
-    return found
-  except DerivedStorageForImage.DoesNotExist:
-    return None
+    try:
+        found = (
+            DerivedStorageForImage.select(ImageStorage, DerivedStorageForImage)
+            .join(ImageStorage)
+            .switch(DerivedStorageForImage)
+            .join(ImageStorageTransformation)
+            .where(
+                DerivedStorageForImage.source_image == source_image,
+                ImageStorageTransformation.name == transformation_name,
+                DerivedStorageForImage.uniqueness_hash == uniqueness_hash,
+            )
+            .get()
+        )
+        return found
+    except DerivedStorageForImage.DoesNotExist:
+        return None
 
 
 def delete_derived_storage(derived_storage):
-  derived_storage.derivative.delete_instance(recursive=True)
+    derived_storage.derivative.delete_instance(recursive=True)
diff --git a/data/model/label.py b/data/model/label.py
index fce7479ba..0268363b2 100644
--- a/data/model/label.py
+++ b/data/model/label.py
@@ -2,9 +2,21 @@ import logging
 
 from cachetools.func import lru_cache
 
-from data.database import (Label, TagManifestLabel, MediaType, LabelSourceType, db_transaction,
-                           ManifestLabel, TagManifestLabelMap, TagManifestToManifest)
-from data.model import InvalidLabelKeyException, InvalidMediaTypeException, DataModelException
+from data.database import (
+    Label,
+    TagManifestLabel,
+    MediaType,
+    LabelSourceType,
+    db_transaction,
+    ManifestLabel,
+    TagManifestLabelMap,
+    TagManifestToManifest,
+)
+from data.model import (
+    InvalidLabelKeyException,
+    InvalidMediaTypeException,
+    DataModelException,
+)
 from data.text import prefix_search
 from util.validation import validate_label_key
 from util.validation import is_json
@@ -14,130 +26,147 @@ logger = logging.getLogger(__name__)
 
 @lru_cache(maxsize=1)
 def get_label_source_types():
-  source_type_map = {}
-  for kind in LabelSourceType.select():
-    source_type_map[kind.id] = kind.name
-    source_type_map[kind.name] = kind.id
+    source_type_map = {}
+    for kind in LabelSourceType.select():
+        source_type_map[kind.id] = kind.name
+        source_type_map[kind.name] = kind.id
 
-  return source_type_map
+    return source_type_map
 
 
 @lru_cache(maxsize=1)
 def get_media_types():
-  media_type_map = {}
-  for kind in MediaType.select():
-    media_type_map[kind.id] = kind.name
-    media_type_map[kind.name] = kind.id
+    media_type_map = {}
+    for kind in MediaType.select():
+        media_type_map[kind.id] = kind.name
+        media_type_map[kind.name] = kind.id
 
-  return media_type_map
+    return media_type_map
 
 
 def _get_label_source_type_id(name):
-  kinds = get_label_source_types()
-  return kinds[name]
+    kinds = get_label_source_types()
+    return kinds[name]
 
 
 def _get_media_type_id(name):
-  kinds = get_media_types()
-  return kinds[name]
+    kinds = get_media_types()
+    return kinds[name]
 
 
-def create_manifest_label(tag_manifest, key, value, source_type_name, media_type_name=None):
-  """ Creates a new manifest label on a specific tag manifest. """
-  if not key:
-    raise InvalidLabelKeyException()
+def create_manifest_label(
+    tag_manifest, key, value, source_type_name, media_type_name=None
+):
+    """ Creates a new manifest label on a specific tag manifest. """
+    if not key:
+        raise InvalidLabelKeyException()
 
-  # Note that we don't prevent invalid label names coming from the manifest to be stored, as Docker
-  # does not currently prevent them from being put into said manifests.
-  if not validate_label_key(key) and source_type_name != 'manifest':
-    raise InvalidLabelKeyException()
+    # Note that we don't prevent invalid label names coming from the manifest to be stored, as Docker
+    # does not currently prevent them from being put into said manifests.
+    if not validate_label_key(key) and source_type_name != "manifest":
+        raise InvalidLabelKeyException()
 
-  # Find the matching media type. If none specified, we infer.
-  if media_type_name is None:
-    media_type_name = 'text/plain'
-    if is_json(value):
-      media_type_name = 'application/json'
+    # Find the matching media type. If none specified, we infer.
+    if media_type_name is None:
+        media_type_name = "text/plain"
+        if is_json(value):
+            media_type_name = "application/json"
 
-  media_type_id = _get_media_type_id(media_type_name)
-  if media_type_id is None:
-    raise InvalidMediaTypeException()
+    media_type_id = _get_media_type_id(media_type_name)
+    if media_type_id is None:
+        raise InvalidMediaTypeException()
 
-  source_type_id = _get_label_source_type_id(source_type_name)
+    source_type_id = _get_label_source_type_id(source_type_name)
 
-  with db_transaction():
-    label = Label.create(key=key, value=value, source_type=source_type_id, media_type=media_type_id)
-    tag_manifest_label = TagManifestLabel.create(annotated=tag_manifest, label=label,
-                                                 repository=tag_manifest.tag.repository)
-    try:
-      mapping_row = TagManifestToManifest.get(tag_manifest=tag_manifest)
-      if mapping_row.manifest:
-        manifest_label = ManifestLabel.create(manifest=mapping_row.manifest, label=label,
-                                              repository=tag_manifest.tag.repository)
-        TagManifestLabelMap.create(manifest_label=manifest_label,
-                                   tag_manifest_label=tag_manifest_label,
-                                   label=label,
-                                   manifest=mapping_row.manifest,
-                                   tag_manifest=tag_manifest)
-    except TagManifestToManifest.DoesNotExist:
-      pass
+    with db_transaction():
+        label = Label.create(
+            key=key, value=value, source_type=source_type_id, media_type=media_type_id
+        )
+        tag_manifest_label = TagManifestLabel.create(
+            annotated=tag_manifest, label=label, repository=tag_manifest.tag.repository
+        )
+        try:
+            mapping_row = TagManifestToManifest.get(tag_manifest=tag_manifest)
+            if mapping_row.manifest:
+                manifest_label = ManifestLabel.create(
+                    manifest=mapping_row.manifest,
+                    label=label,
+                    repository=tag_manifest.tag.repository,
+                )
+                TagManifestLabelMap.create(
+                    manifest_label=manifest_label,
+                    tag_manifest_label=tag_manifest_label,
+                    label=label,
+                    manifest=mapping_row.manifest,
+                    tag_manifest=tag_manifest,
+                )
+        except TagManifestToManifest.DoesNotExist:
+            pass
 
-  return label
+    return label
 
 
 def list_manifest_labels(tag_manifest, prefix_filter=None):
-  """ Lists all labels found on the given tag manifest. """
-  query = (Label.select(Label, MediaType)
-           .join(MediaType)
-           .switch(Label)
-           .join(LabelSourceType)
-           .switch(Label)
-           .join(TagManifestLabel)
-           .where(TagManifestLabel.annotated == tag_manifest))
+    """ Lists all labels found on the given tag manifest. """
+    query = (
+        Label.select(Label, MediaType)
+        .join(MediaType)
+        .switch(Label)
+        .join(LabelSourceType)
+        .switch(Label)
+        .join(TagManifestLabel)
+        .where(TagManifestLabel.annotated == tag_manifest)
+    )
 
-  if prefix_filter is not None:
-    query = query.where(prefix_search(Label.key, prefix_filter))
+    if prefix_filter is not None:
+        query = query.where(prefix_search(Label.key, prefix_filter))
 
-  return query
+    return query
 
 
 def get_manifest_label(label_uuid, tag_manifest):
-  """ Retrieves the manifest label on the tag manifest with the given ID. """
-  try:
-    return (Label.select(Label, LabelSourceType)
+    """ Retrieves the manifest label on the tag manifest with the given ID. """
+    try:
+        return (
+            Label.select(Label, LabelSourceType)
             .join(LabelSourceType)
             .where(Label.uuid == label_uuid)
             .switch(Label)
             .join(TagManifestLabel)
             .where(TagManifestLabel.annotated == tag_manifest)
-            .get())
-  except Label.DoesNotExist:
-    return None
+            .get()
+        )
+    except Label.DoesNotExist:
+        return None
 
 
 def delete_manifest_label(label_uuid, tag_manifest):
-  """ Deletes the manifest label on the tag manifest with the given ID. """
+    """ Deletes the manifest label on the tag manifest with the given ID. """
 
-  # Find the label itself.
-  label = get_manifest_label(label_uuid, tag_manifest)
-  if label is None:
-    return None
+    # Find the label itself.
+    label = get_manifest_label(label_uuid, tag_manifest)
+    if label is None:
+        return None
 
-  if not label.source_type.mutable:
-    raise DataModelException('Cannot delete immutable label')
+    if not label.source_type.mutable:
+        raise DataModelException("Cannot delete immutable label")
 
-  # Delete the mapping records and label.
-  (TagManifestLabelMap
-   .delete()
-   .where(TagManifestLabelMap.label == label)
-   .execute())
+    # Delete the mapping records and label.
+    (TagManifestLabelMap.delete().where(TagManifestLabelMap.label == label).execute())
 
-  deleted_count = TagManifestLabel.delete().where(TagManifestLabel.label == label).execute()
-  if deleted_count != 1:
-    logger.warning('More than a single label deleted for matching label %s', label_uuid)
+    deleted_count = (
+        TagManifestLabel.delete().where(TagManifestLabel.label == label).execute()
+    )
+    if deleted_count != 1:
+        logger.warning(
+            "More than a single label deleted for matching label %s", label_uuid
+        )
 
-  deleted_count = ManifestLabel.delete().where(ManifestLabel.label == label).execute()
-  if deleted_count != 1:
-    logger.warning('More than a single label deleted for matching label %s', label_uuid)
+    deleted_count = ManifestLabel.delete().where(ManifestLabel.label == label).execute()
+    if deleted_count != 1:
+        logger.warning(
+            "More than a single label deleted for matching label %s", label_uuid
+        )
 
-  label.delete_instance(recursive=False)
-  return label
+    label.delete_instance(recursive=False)
+    return label
diff --git a/data/model/log.py b/data/model/log.py
index e78ec4b1b..da51a590c 100644
--- a/data/model/log.py
+++ b/data/model/log.py
@@ -12,288 +12,393 @@ from data.model import config, user, DataModelException
 
 logger = logging.getLogger(__name__)
 
-ACTIONS_ALLOWED_WITHOUT_AUDIT_LOGGING = ['pull_repo']
+ACTIONS_ALLOWED_WITHOUT_AUDIT_LOGGING = ["pull_repo"]
 
 
-def _logs_query(selections, start_time=None, end_time=None, performer=None, repository=None,
-                namespace=None, ignore=None, model=LogEntry3, id_range=None):
-  """ Returns a query for selecting logs from the table, with various options and filters. """
-  assert (start_time is not None and end_time is not None) or (id_range is not None)
-  joined = (model.select(*selections).switch(model))
+def _logs_query(
+    selections,
+    start_time=None,
+    end_time=None,
+    performer=None,
+    repository=None,
+    namespace=None,
+    ignore=None,
+    model=LogEntry3,
+    id_range=None,
+):
+    """ Returns a query for selecting logs from the table, with various options and filters. """
+    assert (start_time is not None and end_time is not None) or (id_range is not None)
+    joined = model.select(*selections).switch(model)
 
-  if id_range is not None:
-    joined = joined.where(model.id >= id_range[0], model.id <= id_range[1])
-  else:
-    joined = joined.where(model.datetime >= start_time, model.datetime < end_time)
+    if id_range is not None:
+        joined = joined.where(model.id >= id_range[0], model.id <= id_range[1])
+    else:
+        joined = joined.where(model.datetime >= start_time, model.datetime < end_time)
 
-  if repository:
-    joined = joined.where(model.repository == repository)
+    if repository:
+        joined = joined.where(model.repository == repository)
 
-  if performer:
-    joined = joined.where(model.performer == performer)
+    if performer:
+        joined = joined.where(model.performer == performer)
 
-  if namespace and not repository:
-    namespace_user = user.get_user_or_org(namespace)
-    if namespace_user is None:
-      raise DataModelException('Invalid namespace requested')
+    if namespace and not repository:
+        namespace_user = user.get_user_or_org(namespace)
+        if namespace_user is None:
+            raise DataModelException("Invalid namespace requested")
 
-    joined = joined.where(model.account == namespace_user.id)
+        joined = joined.where(model.account == namespace_user.id)
 
-  if ignore:
-    kind_map = get_log_entry_kinds()
-    ignore_ids = [kind_map[kind_name] for kind_name in ignore]
-    joined = joined.where(~(model.kind << ignore_ids))
+    if ignore:
+        kind_map = get_log_entry_kinds()
+        ignore_ids = [kind_map[kind_name] for kind_name in ignore]
+        joined = joined.where(~(model.kind << ignore_ids))
 
-  return joined
+    return joined
 
 
-def _latest_logs_query(selections, performer=None, repository=None, namespace=None, ignore=None,
-                       model=LogEntry3, size=None):
-  """ Returns a query for selecting the latest logs from the table, with various options and
+def _latest_logs_query(
+    selections,
+    performer=None,
+    repository=None,
+    namespace=None,
+    ignore=None,
+    model=LogEntry3,
+    size=None,
+):
+    """ Returns a query for selecting the latest logs from the table, with various options and
       filters. """
-  query = (model.select(*selections).switch(model))
+    query = model.select(*selections).switch(model)
 
-  if repository:
-    query = query.where(model.repository == repository)
+    if repository:
+        query = query.where(model.repository == repository)
 
-  if performer:
-    query = query.where(model.repository == repository)
+    if performer:
+        query = query.where(model.repository == repository)
 
-  if namespace and not repository:
-    namespace_user = user.get_user_or_org(namespace)
-    if namespace_user is None:
-      raise DataModelException('Invalid namespace requested')
+    if namespace and not repository:
+        namespace_user = user.get_user_or_org(namespace)
+        if namespace_user is None:
+            raise DataModelException("Invalid namespace requested")
 
-    query = query.where(model.account == namespace_user.id)
+        query = query.where(model.account == namespace_user.id)
 
-  if ignore:
-    kind_map = get_log_entry_kinds()
-    ignore_ids = [kind_map[kind_name] for kind_name in ignore]
-    query = query.where(~(model.kind << ignore_ids))
+    if ignore:
+        kind_map = get_log_entry_kinds()
+        ignore_ids = [kind_map[kind_name] for kind_name in ignore]
+        query = query.where(~(model.kind << ignore_ids))
 
-  query = query.order_by(model.datetime.desc(), model.id)
+    query = query.order_by(model.datetime.desc(), model.id)
 
-  if size:
-    query = query.limit(size)
+    if size:
+        query = query.limit(size)
 
-  return query
+    return query
 
 
 @lru_cache(maxsize=1)
 def get_log_entry_kinds():
-  kind_map = {}
-  for kind in LogEntryKind.select():
-    kind_map[kind.id] = kind.name
-    kind_map[kind.name] = kind.id
+    kind_map = {}
+    for kind in LogEntryKind.select():
+        kind_map[kind.id] = kind.name
+        kind_map[kind.name] = kind.id
 
-  return kind_map
+    return kind_map
 
 
 def _get_log_entry_kind(name):
-  kinds = get_log_entry_kinds()
-  return kinds[name]
+    kinds = get_log_entry_kinds()
+    return kinds[name]
 
 
-def get_aggregated_logs(start_time, end_time, performer=None, repository=None, namespace=None,
-                        ignore=None, model=LogEntry3):
-  """ Returns the count of logs, by kind and day, for the logs matching the given filters. """
-  date = db.extract_date('day', model.datetime)
-  selections = [model.kind, date.alias('day'), fn.Count(model.id).alias('count')]
-  query = _logs_query(selections, start_time, end_time, performer, repository, namespace, ignore,
-                      model=model)
-  return query.group_by(date, model.kind)
+def get_aggregated_logs(
+    start_time,
+    end_time,
+    performer=None,
+    repository=None,
+    namespace=None,
+    ignore=None,
+    model=LogEntry3,
+):
+    """ Returns the count of logs, by kind and day, for the logs matching the given filters. """
+    date = db.extract_date("day", model.datetime)
+    selections = [model.kind, date.alias("day"), fn.Count(model.id).alias("count")]
+    query = _logs_query(
+        selections,
+        start_time,
+        end_time,
+        performer,
+        repository,
+        namespace,
+        ignore,
+        model=model,
+    )
+    return query.group_by(date, model.kind)
 
 
-def get_logs_query(start_time=None, end_time=None, performer=None, repository=None, namespace=None,
-                   ignore=None, model=LogEntry3, id_range=None):
-  """ Returns the logs matching the given filters. """
-  Performer = User.alias()
-  Account = User.alias()
-  selections = [model, Performer]
+def get_logs_query(
+    start_time=None,
+    end_time=None,
+    performer=None,
+    repository=None,
+    namespace=None,
+    ignore=None,
+    model=LogEntry3,
+    id_range=None,
+):
+    """ Returns the logs matching the given filters. """
+    Performer = User.alias()
+    Account = User.alias()
+    selections = [model, Performer]
 
-  if namespace is None and repository is None:
-    selections.append(Account)
+    if namespace is None and repository is None:
+        selections.append(Account)
 
-  query = _logs_query(selections, start_time, end_time, performer, repository, namespace, ignore,
-                      model=model, id_range=id_range)
-  query = (query.switch(model).join(Performer, JOIN.LEFT_OUTER,
-                                    on=(model.performer == Performer.id).alias('performer')))
+    query = _logs_query(
+        selections,
+        start_time,
+        end_time,
+        performer,
+        repository,
+        namespace,
+        ignore,
+        model=model,
+        id_range=id_range,
+    )
+    query = query.switch(model).join(
+        Performer,
+        JOIN.LEFT_OUTER,
+        on=(model.performer == Performer.id).alias("performer"),
+    )
 
-  if namespace is None and repository is None:
-    query = (query.switch(model).join(Account, JOIN.LEFT_OUTER,
-                                      on=(model.account == Account.id).alias('account')))
+    if namespace is None and repository is None:
+        query = query.switch(model).join(
+            Account, JOIN.LEFT_OUTER, on=(model.account == Account.id).alias("account")
+        )
 
-  return query
+    return query
 
 
-def get_latest_logs_query(performer=None, repository=None, namespace=None, ignore=None,
-                          model=LogEntry3, size=None):
-  """ Returns the latest logs matching the given filters. """
-  Performer = User.alias()
-  Account = User.alias()
-  selections = [model, Performer]
+def get_latest_logs_query(
+    performer=None,
+    repository=None,
+    namespace=None,
+    ignore=None,
+    model=LogEntry3,
+    size=None,
+):
+    """ Returns the latest logs matching the given filters. """
+    Performer = User.alias()
+    Account = User.alias()
+    selections = [model, Performer]
 
-  if namespace is None and repository is None:
-    selections.append(Account)
+    if namespace is None and repository is None:
+        selections.append(Account)
 
-  query = _latest_logs_query(selections, performer, repository, namespace, ignore, model=model,
-                             size=size)
-  query = (query.switch(model).join(Performer, JOIN.LEFT_OUTER,
-                                    on=(model.performer == Performer.id).alias('performer')))
+    query = _latest_logs_query(
+        selections, performer, repository, namespace, ignore, model=model, size=size
+    )
+    query = query.switch(model).join(
+        Performer,
+        JOIN.LEFT_OUTER,
+        on=(model.performer == Performer.id).alias("performer"),
+    )
 
-  if namespace is None and repository is None:
-    query = (query.switch(model).join(Account, JOIN.LEFT_OUTER,
-                                      on=(model.account == Account.id).alias('account')))
+    if namespace is None and repository is None:
+        query = query.switch(model).join(
+            Account, JOIN.LEFT_OUTER, on=(model.account == Account.id).alias("account")
+        )
 
-  return query
+    return query
 
 
 def _json_serialize(obj):
-  if isinstance(obj, datetime):
-    return timegm(obj.utctimetuple())
+    if isinstance(obj, datetime):
+        return timegm(obj.utctimetuple())
 
-  return obj
+    return obj
 
 
-def log_action(kind_name, user_or_organization_name, performer=None, repository=None, ip=None,
-               metadata={}, timestamp=None):
-  """ Logs an entry in the LogEntry table. """
-  if not timestamp:
-    timestamp = datetime.today()
+def log_action(
+    kind_name,
+    user_or_organization_name,
+    performer=None,
+    repository=None,
+    ip=None,
+    metadata={},
+    timestamp=None,
+):
+    """ Logs an entry in the LogEntry table. """
+    if not timestamp:
+        timestamp = datetime.today()
 
-  account = None
-  if user_or_organization_name is not None:
-    account = User.get(User.username == user_or_organization_name).id
-  else:
-    account = config.app_config.get('SERVICE_LOG_ACCOUNT_ID')
-    if account is None:
-      account = user.get_minimum_user_id()
-
-  if performer is not None:
-    performer = performer.id
-
-  if repository is not None:
-    repository = repository.id
-
-  kind = _get_log_entry_kind(kind_name)
-  metadata_json = json.dumps(metadata, default=_json_serialize)
-  log_data = {
-    'kind': kind,
-    'account': account,
-    'performer': performer,
-    'repository': repository,
-    'ip': ip,
-    'metadata_json': metadata_json,
-    'datetime': timestamp
-  }
-
-  try:
-    LogEntry3.create(**log_data)
-  except PeeweeException as ex:
-    strict_logging_disabled = config.app_config.get('ALLOW_PULLS_WITHOUT_STRICT_LOGGING')
-    if strict_logging_disabled and kind_name in ACTIONS_ALLOWED_WITHOUT_AUDIT_LOGGING:
-      logger.exception('log_action failed', extra=({'exception': ex}).update(log_data))
+    account = None
+    if user_or_organization_name is not None:
+        account = User.get(User.username == user_or_organization_name).id
     else:
-      raise
+        account = config.app_config.get("SERVICE_LOG_ACCOUNT_ID")
+        if account is None:
+            account = user.get_minimum_user_id()
+
+    if performer is not None:
+        performer = performer.id
+
+    if repository is not None:
+        repository = repository.id
+
+    kind = _get_log_entry_kind(kind_name)
+    metadata_json = json.dumps(metadata, default=_json_serialize)
+    log_data = {
+        "kind": kind,
+        "account": account,
+        "performer": performer,
+        "repository": repository,
+        "ip": ip,
+        "metadata_json": metadata_json,
+        "datetime": timestamp,
+    }
+
+    try:
+        LogEntry3.create(**log_data)
+    except PeeweeException as ex:
+        strict_logging_disabled = config.app_config.get(
+            "ALLOW_PULLS_WITHOUT_STRICT_LOGGING"
+        )
+        if (
+            strict_logging_disabled
+            and kind_name in ACTIONS_ALLOWED_WITHOUT_AUDIT_LOGGING
+        ):
+            logger.exception(
+                "log_action failed", extra=({"exception": ex}).update(log_data)
+            )
+        else:
+            raise
 
 
 def get_stale_logs_start_id(model):
-  """ Gets the oldest log entry. """
-  try:
-    return (model.select(fn.Min(model.id)).tuples())[0][0]
-  except IndexError:
-    return None
+    """ Gets the oldest log entry. """
+    try:
+        return (model.select(fn.Min(model.id)).tuples())[0][0]
+    except IndexError:
+        return None
 
 
 def get_stale_logs(start_id, end_id, model, cutoff_date):
-  """ Returns all the logs with IDs between start_id and end_id inclusively. """
-  return model.select().where((model.id >= start_id),
-                              (model.id <= end_id),
-                              model.datetime <= cutoff_date)
+    """ Returns all the logs with IDs between start_id and end_id inclusively. """
+    return model.select().where(
+        (model.id >= start_id), (model.id <= end_id), model.datetime <= cutoff_date
+    )
 
 
 def delete_stale_logs(start_id, end_id, model):
-  """ Deletes all the logs with IDs between start_id and end_id. """
-  model.delete().where((model.id >= start_id), (model.id <= end_id)).execute()
+    """ Deletes all the logs with IDs between start_id and end_id. """
+    model.delete().where((model.id >= start_id), (model.id <= end_id)).execute()
 
 
 def get_repository_action_counts(repo, start_date):
-  """ Returns the daily aggregated action counts for the given repository, starting at the given
+    """ Returns the daily aggregated action counts for the given repository, starting at the given
       start date.
   """
-  return RepositoryActionCount.select().where(RepositoryActionCount.repository == repo,
-                                              RepositoryActionCount.date >= start_date)
+    return RepositoryActionCount.select().where(
+        RepositoryActionCount.repository == repo,
+        RepositoryActionCount.date >= start_date,
+    )
 
 
 def get_repositories_action_sums(repository_ids):
-  """ Returns a map from repository ID to total actions within that repository in the last week. """
-  if not repository_ids:
-    return {}
+    """ Returns a map from repository ID to total actions within that repository in the last week. """
+    if not repository_ids:
+        return {}
 
-  # Filter the join to recent entries only.
-  last_week = datetime.now() - timedelta(weeks=1)
-  tuples = (RepositoryActionCount.select(RepositoryActionCount.repository,
-                                         fn.Sum(RepositoryActionCount.count))
-            .where(RepositoryActionCount.repository << repository_ids)
-            .where(RepositoryActionCount.date >= last_week)
-            .group_by(RepositoryActionCount.repository).tuples())
+    # Filter the join to recent entries only.
+    last_week = datetime.now() - timedelta(weeks=1)
+    tuples = (
+        RepositoryActionCount.select(
+            RepositoryActionCount.repository, fn.Sum(RepositoryActionCount.count)
+        )
+        .where(RepositoryActionCount.repository << repository_ids)
+        .where(RepositoryActionCount.date >= last_week)
+        .group_by(RepositoryActionCount.repository)
+        .tuples()
+    )
 
-  action_count_map = {}
-  for record in tuples:
-    action_count_map[record[0]] = record[1]
+    action_count_map = {}
+    for record in tuples:
+        action_count_map[record[0]] = record[1]
 
-  return action_count_map
+    return action_count_map
 
 
-def get_minimum_id_for_logs(start_time, repository_id=None, namespace_id=None, model=LogEntry3):
-  """ Returns the minimum ID for logs matching the given repository or namespace in
+def get_minimum_id_for_logs(
+    start_time, repository_id=None, namespace_id=None, model=LogEntry3
+):
+    """ Returns the minimum ID for logs matching the given repository or namespace in
       the logs table, starting at the given start time.
   """
-  # First try bounded by a day. Most repositories will meet this criteria, and therefore
-  # can make a much faster query.
-  day_after = start_time + timedelta(days=1)
-  result = _get_bounded_id(fn.Min, model.datetime >= start_time,
-                           repository_id, namespace_id, model.datetime < day_after, model=model)
-  if result is not None:
-    return result
+    # First try bounded by a day. Most repositories will meet this criteria, and therefore
+    # can make a much faster query.
+    day_after = start_time + timedelta(days=1)
+    result = _get_bounded_id(
+        fn.Min,
+        model.datetime >= start_time,
+        repository_id,
+        namespace_id,
+        model.datetime < day_after,
+        model=model,
+    )
+    if result is not None:
+        return result
 
-  return _get_bounded_id(fn.Min, model.datetime >= start_time, repository_id, namespace_id,
-                         model=model)
+    return _get_bounded_id(
+        fn.Min, model.datetime >= start_time, repository_id, namespace_id, model=model
+    )
 
 
-def get_maximum_id_for_logs(end_time, repository_id=None, namespace_id=None, model=LogEntry3):
-  """ Returns the maximum ID for logs matching the given repository or namespace in
+def get_maximum_id_for_logs(
+    end_time, repository_id=None, namespace_id=None, model=LogEntry3
+):
+    """ Returns the maximum ID for logs matching the given repository or namespace in
       the logs table, ending at the given end time.
   """
-  # First try bounded by a day. Most repositories will meet this criteria, and therefore
-  # can make a much faster query.
-  day_before = end_time - timedelta(days=1)
-  result = _get_bounded_id(fn.Max, model.datetime <= end_time,
-                           repository_id, namespace_id, model.datetime > day_before, model=model)
-  if result is not None:
-    return result
+    # First try bounded by a day. Most repositories will meet this criteria, and therefore
+    # can make a much faster query.
+    day_before = end_time - timedelta(days=1)
+    result = _get_bounded_id(
+        fn.Max,
+        model.datetime <= end_time,
+        repository_id,
+        namespace_id,
+        model.datetime > day_before,
+        model=model,
+    )
+    if result is not None:
+        return result
 
-  return _get_bounded_id(fn.Max, model.datetime <= end_time, repository_id, namespace_id,
-                         model=model)
+    return _get_bounded_id(
+        fn.Max, model.datetime <= end_time, repository_id, namespace_id, model=model
+    )
 
 
-def _get_bounded_id(fn, filter_clause, repository_id, namespace_id, reduction_clause=None,
-                    model=LogEntry3):
-  assert (namespace_id is not None) or (repository_id is not None)
-  query = (model
-           .select(fn(model.id))
-           .where(filter_clause))
+def _get_bounded_id(
+    fn,
+    filter_clause,
+    repository_id,
+    namespace_id,
+    reduction_clause=None,
+    model=LogEntry3,
+):
+    assert (namespace_id is not None) or (repository_id is not None)
+    query = model.select(fn(model.id)).where(filter_clause)
 
-  if reduction_clause is not None:
-    query = query.where(reduction_clause)
+    if reduction_clause is not None:
+        query = query.where(reduction_clause)
 
-  if repository_id is not None:
-    query = query.where(model.repository == repository_id)
-  else:
-    query = query.where(model.account == namespace_id)
+    if repository_id is not None:
+        query = query.where(model.repository == repository_id)
+    else:
+        query = query.where(model.account == namespace_id)
 
-  row = query.tuples()[0]
-  if not row:
-    return None
+    row = query.tuples()[0]
+    if not row:
+        return None
 
-  return row[0]
+    return row[0]
diff --git a/data/model/message.py b/data/model/message.py
index 24df4d0ba..911fb974e 100644
--- a/data/model/message.py
+++ b/data/model/message.py
@@ -2,23 +2,28 @@ from data.database import Messages, MediaType
 
 
 def get_messages():
-  """Query the data base for messages and returns a container of database message objects"""
-  return Messages.select(Messages, MediaType).join(MediaType)
+    """Query the data base for messages and returns a container of database message objects"""
+    return Messages.select(Messages, MediaType).join(MediaType)
+
 
 def create(messages):
-  """Insert messages into the database."""
-  inserted = []
-  for message in messages:
-    severity = message['severity']
-    media_type_name = message['media_type']
-    media_type = MediaType.get(name=media_type_name)
+    """Insert messages into the database."""
+    inserted = []
+    for message in messages:
+        severity = message["severity"]
+        media_type_name = message["media_type"]
+        media_type = MediaType.get(name=media_type_name)
+
+        inserted.append(
+            Messages.create(
+                content=message["content"], media_type=media_type, severity=severity
+            )
+        )
+    return inserted
 
-    inserted.append(Messages.create(content=message['content'], media_type=media_type,
-                                    severity=severity))
-  return inserted
 
 def delete_message(uuids):
-  """Delete message from the database"""
-  if not uuids:
-    return
-  Messages.delete().where(Messages.uuid << uuids).execute()
+    """Delete message from the database"""
+    if not uuids:
+        return
+    Messages.delete().where(Messages.uuid << uuids).execute()
diff --git a/data/model/modelutil.py b/data/model/modelutil.py
index 4048e4eff..52830fc39 100644
--- a/data/model/modelutil.py
+++ b/data/model/modelutil.py
@@ -5,73 +5,82 @@ from datetime import datetime
 from peewee import SQL
 
 
-def paginate(query, model, descending=False, page_token=None, limit=50, sort_field_alias=None,
-             max_page=None, sort_field_name=None):
-  """ Paginates the given query using an field range, starting at the optional page_token.
+def paginate(
+    query,
+    model,
+    descending=False,
+    page_token=None,
+    limit=50,
+    sort_field_alias=None,
+    max_page=None,
+    sort_field_name=None,
+):
+    """ Paginates the given query using an field range, starting at the optional page_token.
       Returns a *list* of matching results along with an unencrypted page_token for the
       next page, if any. If descending is set to True, orders by the field descending rather
       than ascending.
   """
-  # Note: We use the sort_field_alias for the order_by, but not the where below. The alias is
-  # necessary for certain queries that use unions in MySQL, as it gets confused on which field
-  # to order by. The where clause, on the other hand, cannot use the alias because Postgres does
-  # not allow aliases in where clauses.
-  sort_field_name = sort_field_name or 'id'
-  sort_field = getattr(model, sort_field_name)
+    # Note: We use the sort_field_alias for the order_by, but not the where below. The alias is
+    # necessary for certain queries that use unions in MySQL, as it gets confused on which field
+    # to order by. The where clause, on the other hand, cannot use the alias because Postgres does
+    # not allow aliases in where clauses.
+    sort_field_name = sort_field_name or "id"
+    sort_field = getattr(model, sort_field_name)
 
-  if sort_field_alias is not None:
-    sort_field_name = sort_field_alias
-    sort_field = SQL(sort_field_alias)
+    if sort_field_alias is not None:
+        sort_field_name = sort_field_alias
+        sort_field = SQL(sort_field_alias)
 
-  if descending:
-    query = query.order_by(sort_field.desc())
-  else:
-    query = query.order_by(sort_field)
-
-  start_index = pagination_start(page_token)
-  if start_index is not None:
     if descending:
-      query = query.where(sort_field <= start_index)
+        query = query.order_by(sort_field.desc())
     else:
-      query = query.where(sort_field >= start_index)
+        query = query.order_by(sort_field)
 
-  query = query.limit(limit + 1)
+    start_index = pagination_start(page_token)
+    if start_index is not None:
+        if descending:
+            query = query.where(sort_field <= start_index)
+        else:
+            query = query.where(sort_field >= start_index)
 
-  page_number = (page_token.get('page_number') or None) if page_token else None
-  if page_number is not None and max_page is not None and page_number > max_page:
-    return [], None
+    query = query.limit(limit + 1)
 
-  return paginate_query(query, limit=limit, sort_field_name=sort_field_name,
-                        page_number=page_number)
+    page_number = (page_token.get("page_number") or None) if page_token else None
+    if page_number is not None and max_page is not None and page_number > max_page:
+        return [], None
+
+    return paginate_query(
+        query, limit=limit, sort_field_name=sort_field_name, page_number=page_number
+    )
 
 
 def pagination_start(page_token=None):
-  """ Returns the start index for pagination for the given page token. Will return None if None. """
-  if page_token is not None:
-    start_index = page_token.get('start_index')
-    if page_token.get('is_datetime'):
-      start_index = dateutil.parser.parse(start_index)
-    return start_index
-  return None
+    """ Returns the start index for pagination for the given page token. Will return None if None. """
+    if page_token is not None:
+        start_index = page_token.get("start_index")
+        if page_token.get("is_datetime"):
+            start_index = dateutil.parser.parse(start_index)
+        return start_index
+    return None
 
 
 def paginate_query(query, limit=50, sort_field_name=None, page_number=None):
-  """ Executes the given query and returns a page's worth of results, as well as the page token
+    """ Executes the given query and returns a page's worth of results, as well as the page token
       for the next page (if any).
   """
-  results = list(query)
-  page_token = None
-  if len(results) > limit:
-    start_index = getattr(results[limit], sort_field_name or 'id')
-    is_datetime = False
-    if isinstance(start_index, datetime):
-      start_index = start_index.isoformat() + "Z"
-      is_datetime = True
+    results = list(query)
+    page_token = None
+    if len(results) > limit:
+        start_index = getattr(results[limit], sort_field_name or "id")
+        is_datetime = False
+        if isinstance(start_index, datetime):
+            start_index = start_index.isoformat() + "Z"
+            is_datetime = True
 
-    page_token = {
-      'start_index': start_index,
-      'page_number': page_number + 1 if page_number else 1,
-      'is_datetime': is_datetime,
-    }
+        page_token = {
+            "start_index": start_index,
+            "page_number": page_number + 1 if page_number else 1,
+            "is_datetime": is_datetime,
+        }
 
-  return results[0:limit], page_token
+    return results[0:limit], page_token
diff --git a/data/model/notification.py b/data/model/notification.py
index 11a84fea7..a8ed15c3e 100644
--- a/data/model/notification.py
+++ b/data/model/notification.py
@@ -2,219 +2,268 @@ import json
 
 from peewee import SQL
 
-from data.database import (Notification, NotificationKind, User, Team, TeamMember, TeamRole,
-                           RepositoryNotification, ExternalNotificationEvent, Repository,
-                           ExternalNotificationMethod, Namespace, db_for_update)
+from data.database import (
+    Notification,
+    NotificationKind,
+    User,
+    Team,
+    TeamMember,
+    TeamRole,
+    RepositoryNotification,
+    ExternalNotificationEvent,
+    Repository,
+    ExternalNotificationMethod,
+    Namespace,
+    db_for_update,
+)
 from data.model import InvalidNotificationException, db_transaction
 
 
 def create_notification(kind_name, target, metadata={}, lookup_path=None):
-  kind_ref = NotificationKind.get(name=kind_name)
-  notification = Notification.create(kind=kind_ref, target=target,
-                                     metadata_json=json.dumps(metadata),
-                                     lookup_path=lookup_path)
-  return notification
+    kind_ref = NotificationKind.get(name=kind_name)
+    notification = Notification.create(
+        kind=kind_ref,
+        target=target,
+        metadata_json=json.dumps(metadata),
+        lookup_path=lookup_path,
+    )
+    return notification
 
 
 def create_unique_notification(kind_name, target, metadata={}):
-  with db_transaction():
-    if list_notifications(target, kind_name).count() == 0:
-      create_notification(kind_name, target, metadata)
+    with db_transaction():
+        if list_notifications(target, kind_name).count() == 0:
+            create_notification(kind_name, target, metadata)
 
 
 def lookup_notification(user, uuid):
-  results = list(list_notifications(user, id_filter=uuid, include_dismissed=True, limit=1))
-  if not results:
-    return None
+    results = list(
+        list_notifications(user, id_filter=uuid, include_dismissed=True, limit=1)
+    )
+    if not results:
+        return None
 
-  return results[0]
+    return results[0]
 
 
 def lookup_notifications_by_path_prefix(prefix):
-  return list((Notification
-               .select()
-               .where(Notification.lookup_path % prefix)))
+    return list((Notification.select().where(Notification.lookup_path % prefix)))
 
 
-def list_notifications(user, kind_name=None, id_filter=None, include_dismissed=False,
-                       page=None, limit=None):
+def list_notifications(
+    user, kind_name=None, id_filter=None, include_dismissed=False, page=None, limit=None
+):
 
-  base_query = (Notification
-                .select(Notification.id,
-                        Notification.uuid,
-                        Notification.kind,
-                        Notification.metadata_json,
-                        Notification.dismissed,
-                        Notification.lookup_path,
-                        Notification.created,
-                        Notification.created.alias('cd'),
-                        Notification.target)
-                .join(NotificationKind))
+    base_query = Notification.select(
+        Notification.id,
+        Notification.uuid,
+        Notification.kind,
+        Notification.metadata_json,
+        Notification.dismissed,
+        Notification.lookup_path,
+        Notification.created,
+        Notification.created.alias("cd"),
+        Notification.target,
+    ).join(NotificationKind)
 
-  if kind_name is not None:
-    base_query = base_query.where(NotificationKind.name == kind_name)
+    if kind_name is not None:
+        base_query = base_query.where(NotificationKind.name == kind_name)
 
-  if id_filter is not None:
-    base_query = base_query.where(Notification.uuid == id_filter)
+    if id_filter is not None:
+        base_query = base_query.where(Notification.uuid == id_filter)
 
-  if not include_dismissed:
-    base_query = base_query.where(Notification.dismissed == False)
+    if not include_dismissed:
+        base_query = base_query.where(Notification.dismissed == False)
 
-  # Lookup directly for the user.
-  user_direct = base_query.clone().where(Notification.target == user)
+    # Lookup directly for the user.
+    user_direct = base_query.clone().where(Notification.target == user)
 
-  # Lookup via organizations admined by the user.
-  Org = User.alias()
-  AdminTeam = Team.alias()
-  AdminTeamMember = TeamMember.alias()
-  AdminUser = User.alias()
+    # Lookup via organizations admined by the user.
+    Org = User.alias()
+    AdminTeam = Team.alias()
+    AdminTeamMember = TeamMember.alias()
+    AdminUser = User.alias()
 
-  via_orgs = (base_query.clone()
-              .join(Org, on=(Org.id == Notification.target))
-              .join(AdminTeam, on=(Org.id == AdminTeam.organization))
-              .join(TeamRole, on=(AdminTeam.role == TeamRole.id))
-              .switch(AdminTeam)
-              .join(AdminTeamMember, on=(AdminTeam.id == AdminTeamMember.team))
-              .join(AdminUser, on=(AdminTeamMember.user == AdminUser.id))
-              .where((AdminUser.id == user) & (TeamRole.name == 'admin')))
+    via_orgs = (
+        base_query.clone()
+        .join(Org, on=(Org.id == Notification.target))
+        .join(AdminTeam, on=(Org.id == AdminTeam.organization))
+        .join(TeamRole, on=(AdminTeam.role == TeamRole.id))
+        .switch(AdminTeam)
+        .join(AdminTeamMember, on=(AdminTeam.id == AdminTeamMember.team))
+        .join(AdminUser, on=(AdminTeamMember.user == AdminUser.id))
+        .where((AdminUser.id == user) & (TeamRole.name == "admin"))
+    )
 
-  query = user_direct | via_orgs
+    query = user_direct | via_orgs
 
-  if page:
-    query = query.paginate(page, limit)
-  elif limit:
-    query = query.limit(limit)
+    if page:
+        query = query.paginate(page, limit)
+    elif limit:
+        query = query.limit(limit)
 
-  return query.order_by(SQL('cd desc'))
+    return query.order_by(SQL("cd desc"))
 
 
 def delete_all_notifications_by_path_prefix(prefix):
-  (Notification
-   .delete()
-   .where(Notification.lookup_path ** (prefix + '%'))
-   .execute())
+    (Notification.delete().where(Notification.lookup_path ** (prefix + "%")).execute())
 
 
 def delete_all_notifications_by_kind(kind_name):
-  kind_ref = NotificationKind.get(name=kind_name)
-  (Notification
-   .delete()
-   .where(Notification.kind == kind_ref)
-   .execute())
+    kind_ref = NotificationKind.get(name=kind_name)
+    (Notification.delete().where(Notification.kind == kind_ref).execute())
 
 
 def delete_notifications_by_kind(target, kind_name):
-  kind_ref = NotificationKind.get(name=kind_name)
-  Notification.delete().where(Notification.target == target,
-                              Notification.kind == kind_ref).execute()
+    kind_ref = NotificationKind.get(name=kind_name)
+    Notification.delete().where(
+        Notification.target == target, Notification.kind == kind_ref
+    ).execute()
 
 
 def delete_matching_notifications(target, kind_name, **kwargs):
-  kind_ref = NotificationKind.get(name=kind_name)
+    kind_ref = NotificationKind.get(name=kind_name)
 
-  # Load all notifications for the user with the given kind.
-  notifications = (Notification
-                   .select()
-                   .where(Notification.target == target,
-                          Notification.kind == kind_ref))
+    # Load all notifications for the user with the given kind.
+    notifications = Notification.select().where(
+        Notification.target == target, Notification.kind == kind_ref
+    )
 
-  # For each, match the metadata to the specified values.
-  for notification in notifications:
-    matches = True
-    try:
-      metadata = json.loads(notification.metadata_json)
-    except:
-      continue
+    # For each, match the metadata to the specified values.
+    for notification in notifications:
+        matches = True
+        try:
+            metadata = json.loads(notification.metadata_json)
+        except:
+            continue
 
-    for (key, value) in kwargs.iteritems():
-      if not key in metadata or metadata[key] != value:
-        matches = False
-        break
+        for (key, value) in kwargs.iteritems():
+            if not key in metadata or metadata[key] != value:
+                matches = False
+                break
 
-    if not matches:
-      continue
+        if not matches:
+            continue
 
-    notification.delete_instance()
+        notification.delete_instance()
 
 
 def increment_notification_failure_count(uuid):
-  """ This increments the number of failures by one """
-  (RepositoryNotification
-   .update(number_of_failures=RepositoryNotification.number_of_failures + 1)
-   .where(RepositoryNotification.uuid == uuid)
-   .execute())
+    """ This increments the number of failures by one """
+    (
+        RepositoryNotification.update(
+            number_of_failures=RepositoryNotification.number_of_failures + 1
+        )
+        .where(RepositoryNotification.uuid == uuid)
+        .execute()
+    )
 
 
 def reset_notification_number_of_failures(namespace_name, repository_name, uuid):
-  """ This resets the number of failures for a repo notification to 0 """
-  try:
-    notification = RepositoryNotification.select().where(RepositoryNotification.uuid == uuid).get()
-    if (notification.repository.namespace_user.username != namespace_name or
-            notification.repository.name != repository_name):
-      raise InvalidNotificationException('No repository notification found with uuid: %s' % uuid)
-    reset_number_of_failures_to_zero(notification.id)
-    return notification
-  except RepositoryNotification.DoesNotExist:
-    return None
+    """ This resets the number of failures for a repo notification to 0 """
+    try:
+        notification = (
+            RepositoryNotification.select()
+            .where(RepositoryNotification.uuid == uuid)
+            .get()
+        )
+        if (
+            notification.repository.namespace_user.username != namespace_name
+            or notification.repository.name != repository_name
+        ):
+            raise InvalidNotificationException(
+                "No repository notification found with uuid: %s" % uuid
+            )
+        reset_number_of_failures_to_zero(notification.id)
+        return notification
+    except RepositoryNotification.DoesNotExist:
+        return None
 
 
 def reset_number_of_failures_to_zero(notification_id):
-  """ This resets the number of failures for a repo notification to 0 """
-  RepositoryNotification.update(number_of_failures=0).where(RepositoryNotification.id == notification_id).execute()
+    """ This resets the number of failures for a repo notification to 0 """
+    RepositoryNotification.update(number_of_failures=0).where(
+        RepositoryNotification.id == notification_id
+    ).execute()
 
 
-def create_repo_notification(repo, event_name, method_name, method_config, event_config, title=None):
-  event = ExternalNotificationEvent.get(ExternalNotificationEvent.name == event_name)
-  method = ExternalNotificationMethod.get(ExternalNotificationMethod.name == method_name)
+def create_repo_notification(
+    repo, event_name, method_name, method_config, event_config, title=None
+):
+    event = ExternalNotificationEvent.get(ExternalNotificationEvent.name == event_name)
+    method = ExternalNotificationMethod.get(
+        ExternalNotificationMethod.name == method_name
+    )
 
-  return RepositoryNotification.create(repository=repo, event=event, method=method,
-                                       config_json=json.dumps(method_config), title=title,
-                                       event_config_json=json.dumps(event_config))
+    return RepositoryNotification.create(
+        repository=repo,
+        event=event,
+        method=method,
+        config_json=json.dumps(method_config),
+        title=title,
+        event_config_json=json.dumps(event_config),
+    )
 
 
 def _base_get_notification(uuid):
-  """ This is a base query for get statements """
-  return (RepositoryNotification
-          .select(RepositoryNotification, Repository, Namespace)
-          .join(Repository)
-          .join(Namespace, on=(Repository.namespace_user == Namespace.id))
-          .where(RepositoryNotification.uuid == uuid))
+    """ This is a base query for get statements """
+    return (
+        RepositoryNotification.select(RepositoryNotification, Repository, Namespace)
+        .join(Repository)
+        .join(Namespace, on=(Repository.namespace_user == Namespace.id))
+        .where(RepositoryNotification.uuid == uuid)
+    )
 
 
 def get_enabled_notification(uuid):
-  """ This returns a notification with less than 3 failures """
-  try:
-    return _base_get_notification(uuid).where(RepositoryNotification.number_of_failures < 3).get()
-  except RepositoryNotification.DoesNotExist:
-    raise InvalidNotificationException('No repository notification found with uuid: %s' % uuid)
+    """ This returns a notification with less than 3 failures """
+    try:
+        return (
+            _base_get_notification(uuid)
+            .where(RepositoryNotification.number_of_failures < 3)
+            .get()
+        )
+    except RepositoryNotification.DoesNotExist:
+        raise InvalidNotificationException(
+            "No repository notification found with uuid: %s" % uuid
+        )
 
 
 def get_repo_notification(uuid):
-  try:
-    return _base_get_notification(uuid).get()
-  except RepositoryNotification.DoesNotExist:
-    raise InvalidNotificationException('No repository notification found with uuid: %s' % uuid)
+    try:
+        return _base_get_notification(uuid).get()
+    except RepositoryNotification.DoesNotExist:
+        raise InvalidNotificationException(
+            "No repository notification found with uuid: %s" % uuid
+        )
 
 
 def delete_repo_notification(namespace_name, repository_name, uuid):
-  found = get_repo_notification(uuid)
-  if found.repository.namespace_user.username != namespace_name or found.repository.name != repository_name:
-    raise InvalidNotificationException('No repository notifiation found with uuid: %s' % uuid)
-  found.delete_instance()
-  return found
+    found = get_repo_notification(uuid)
+    if (
+        found.repository.namespace_user.username != namespace_name
+        or found.repository.name != repository_name
+    ):
+        raise InvalidNotificationException(
+            "No repository notifiation found with uuid: %s" % uuid
+        )
+    found.delete_instance()
+    return found
 
 
 def list_repo_notifications(namespace_name, repository_name, event_name=None):
-  query = (RepositoryNotification
-           .select(RepositoryNotification, Repository, Namespace)
-           .join(Repository)
-           .join(Namespace, on=(Repository.namespace_user == Namespace.id))
-           .where(Namespace.username == namespace_name, Repository.name == repository_name))
+    query = (
+        RepositoryNotification.select(RepositoryNotification, Repository, Namespace)
+        .join(Repository)
+        .join(Namespace, on=(Repository.namespace_user == Namespace.id))
+        .where(Namespace.username == namespace_name, Repository.name == repository_name)
+    )
 
-  if event_name:
-    query = (query
-             .switch(RepositoryNotification)
-             .join(ExternalNotificationEvent)
-             .where(ExternalNotificationEvent.name == event_name))
+    if event_name:
+        query = (
+            query.switch(RepositoryNotification)
+            .join(ExternalNotificationEvent)
+            .where(ExternalNotificationEvent.name == event_name)
+        )
 
-  return query
+    return query
diff --git a/data/model/oauth.py b/data/model/oauth.py
index 182c08f32..f0febe832 100644
--- a/data/model/oauth.py
+++ b/data/model/oauth.py
@@ -7,8 +7,13 @@ from oauth2lib.provider import AuthorizationProvider
 from oauth2lib import utils
 
 from active_migration import ActiveDataMigration, ERTMigrationFlags
-from data.database import (OAuthApplication, OAuthAuthorizationCode, OAuthAccessToken, User,
-                           random_string_generator)
+from data.database import (
+    OAuthApplication,
+    OAuthAuthorizationCode,
+    OAuthAccessToken,
+    User,
+    random_string_generator,
+)
 from data.fields import DecryptedValue, Credential
 from data.model import user, config
 from auth import scopes
@@ -23,412 +28,465 @@ AUTHORIZATION_CODE_PREFIX_LENGTH = 20
 
 
 class DatabaseAuthorizationProvider(AuthorizationProvider):
-  def get_authorized_user(self):
-    raise NotImplementedError('Subclasses must fill in the ability to get the authorized_user.')
+    def get_authorized_user(self):
+        raise NotImplementedError(
+            "Subclasses must fill in the ability to get the authorized_user."
+        )
 
-  def _generate_data_string(self):
-    return json.dumps({'username': self.get_authorized_user().username})
+    def _generate_data_string(self):
+        return json.dumps({"username": self.get_authorized_user().username})
 
-  @property
-  def token_expires_in(self):
-    """Property method to get the token expiration time in seconds.
+    @property
+    def token_expires_in(self):
+        """Property method to get the token expiration time in seconds.
     """
-    return int(60*60*24*365.25*10)  # 10 Years
+        return int(60 * 60 * 24 * 365.25 * 10)  # 10 Years
 
-  def validate_client_id(self, client_id):
-    return self.get_application_for_client_id(client_id) is not None
+    def validate_client_id(self, client_id):
+        return self.get_application_for_client_id(client_id) is not None
 
-  def get_application_for_client_id(self, client_id):
-    try:
-      return OAuthApplication.get(client_id=client_id)
-    except OAuthApplication.DoesNotExist:
-      return None
-
-  def validate_client_secret(self, client_id, client_secret):
-    try:
-      application = OAuthApplication.get(client_id=client_id)
-
-      # TODO(remove-unenc): Remove legacy check.
-      if ActiveDataMigration.has_flag(ERTMigrationFlags.READ_OLD_FIELDS):
-        if application.secure_client_secret is None:
-          return application.client_secret == client_secret
-
-      assert application.secure_client_secret is not None
-      return application.secure_client_secret.matches(client_secret)
-    except OAuthApplication.DoesNotExist:
-      return False
-
-  def validate_redirect_uri(self, client_id, redirect_uri):
-    internal_redirect_url = '%s%s' % (get_app_url(config.app_config),
-                                      url_for('web.oauth_local_handler'))
-
-    if redirect_uri == internal_redirect_url:
-      return True
-
-    try:
-      oauth_app = OAuthApplication.get(client_id=client_id)
-      if (oauth_app.redirect_uri and redirect_uri and
-          redirect_uri.startswith(oauth_app.redirect_uri)):
-        return True
-      return False
-    except OAuthApplication.DoesNotExist:
-      return False
-
-  def validate_scope(self, client_id, scopes_string):
-    return scopes.validate_scope_string(scopes_string)
-
-  def validate_access(self):
-    return self.get_authorized_user() is not None
-
-  def load_authorized_scope_string(self, client_id, username):
-    found = (OAuthAccessToken
-             .select()
-             .join(OAuthApplication)
-             .switch(OAuthAccessToken)
-             .join(User)
-             .where(OAuthApplication.client_id == client_id, User.username == username,
-                    OAuthAccessToken.expires_at > datetime.utcnow()))
-    found = list(found)
-    logger.debug('Found %s matching tokens.', len(found))
-    long_scope_string = ','.join([token.scope for token in found])
-    logger.debug('Computed long scope string: %s', long_scope_string)
-    return long_scope_string
-
-  def validate_has_scopes(self, client_id, username, scope):
-    long_scope_string = self.load_authorized_scope_string(client_id, username)
-
-    # Make sure the token contains the given scopes (at least).
-    return scopes.is_subset_string(long_scope_string, scope)
-
-  def from_authorization_code(self, client_id, full_code, scope):
-    code_name = full_code[:AUTHORIZATION_CODE_PREFIX_LENGTH]
-    code_credential = full_code[AUTHORIZATION_CODE_PREFIX_LENGTH:]
-
-    try:
-      found = (OAuthAuthorizationCode
-               .select()
-               .join(OAuthApplication)
-               .where(OAuthApplication.client_id == client_id,
-                      OAuthAuthorizationCode.code_name == code_name,
-                      OAuthAuthorizationCode.scope == scope)
-               .get())
-      if not found.code_credential.matches(code_credential):
-        return None
-
-      logger.debug('Returning data: %s', found.data)
-      return found.data
-    except OAuthAuthorizationCode.DoesNotExist:
-      # Fallback to the legacy lookup of the full code.
-      # TODO(remove-unenc): Remove legacy fallback.
-      if ActiveDataMigration.has_flag(ERTMigrationFlags.READ_OLD_FIELDS):
+    def get_application_for_client_id(self, client_id):
         try:
-          found = (OAuthAuthorizationCode
-                   .select()
-                   .join(OAuthApplication)
-                   .where(OAuthApplication.client_id == client_id,
-                          OAuthAuthorizationCode.code == full_code,
-                          OAuthAuthorizationCode.scope == scope)
-                  .get())
-          logger.debug('Returning data: %s', found.data)
-          return found.data
+            return OAuthApplication.get(client_id=client_id)
+        except OAuthApplication.DoesNotExist:
+            return None
+
+    def validate_client_secret(self, client_id, client_secret):
+        try:
+            application = OAuthApplication.get(client_id=client_id)
+
+            # TODO(remove-unenc): Remove legacy check.
+            if ActiveDataMigration.has_flag(ERTMigrationFlags.READ_OLD_FIELDS):
+                if application.secure_client_secret is None:
+                    return application.client_secret == client_secret
+
+            assert application.secure_client_secret is not None
+            return application.secure_client_secret.matches(client_secret)
+        except OAuthApplication.DoesNotExist:
+            return False
+
+    def validate_redirect_uri(self, client_id, redirect_uri):
+        internal_redirect_url = "%s%s" % (
+            get_app_url(config.app_config),
+            url_for("web.oauth_local_handler"),
+        )
+
+        if redirect_uri == internal_redirect_url:
+            return True
+
+        try:
+            oauth_app = OAuthApplication.get(client_id=client_id)
+            if (
+                oauth_app.redirect_uri
+                and redirect_uri
+                and redirect_uri.startswith(oauth_app.redirect_uri)
+            ):
+                return True
+            return False
+        except OAuthApplication.DoesNotExist:
+            return False
+
+    def validate_scope(self, client_id, scopes_string):
+        return scopes.validate_scope_string(scopes_string)
+
+    def validate_access(self):
+        return self.get_authorized_user() is not None
+
+    def load_authorized_scope_string(self, client_id, username):
+        found = (
+            OAuthAccessToken.select()
+            .join(OAuthApplication)
+            .switch(OAuthAccessToken)
+            .join(User)
+            .where(
+                OAuthApplication.client_id == client_id,
+                User.username == username,
+                OAuthAccessToken.expires_at > datetime.utcnow(),
+            )
+        )
+        found = list(found)
+        logger.debug("Found %s matching tokens.", len(found))
+        long_scope_string = ",".join([token.scope for token in found])
+        logger.debug("Computed long scope string: %s", long_scope_string)
+        return long_scope_string
+
+    def validate_has_scopes(self, client_id, username, scope):
+        long_scope_string = self.load_authorized_scope_string(client_id, username)
+
+        # Make sure the token contains the given scopes (at least).
+        return scopes.is_subset_string(long_scope_string, scope)
+
+    def from_authorization_code(self, client_id, full_code, scope):
+        code_name = full_code[:AUTHORIZATION_CODE_PREFIX_LENGTH]
+        code_credential = full_code[AUTHORIZATION_CODE_PREFIX_LENGTH:]
+
+        try:
+            found = (
+                OAuthAuthorizationCode.select()
+                .join(OAuthApplication)
+                .where(
+                    OAuthApplication.client_id == client_id,
+                    OAuthAuthorizationCode.code_name == code_name,
+                    OAuthAuthorizationCode.scope == scope,
+                )
+                .get()
+            )
+            if not found.code_credential.matches(code_credential):
+                return None
+
+            logger.debug("Returning data: %s", found.data)
+            return found.data
         except OAuthAuthorizationCode.DoesNotExist:
-          return None
-      else:
-        return None
+            # Fallback to the legacy lookup of the full code.
+            # TODO(remove-unenc): Remove legacy fallback.
+            if ActiveDataMigration.has_flag(ERTMigrationFlags.READ_OLD_FIELDS):
+                try:
+                    found = (
+                        OAuthAuthorizationCode.select()
+                        .join(OAuthApplication)
+                        .where(
+                            OAuthApplication.client_id == client_id,
+                            OAuthAuthorizationCode.code == full_code,
+                            OAuthAuthorizationCode.scope == scope,
+                        )
+                        .get()
+                    )
+                    logger.debug("Returning data: %s", found.data)
+                    return found.data
+                except OAuthAuthorizationCode.DoesNotExist:
+                    return None
+            else:
+                return None
 
-  def persist_authorization_code(self, client_id, full_code, scope):
-    oauth_app = OAuthApplication.get(client_id=client_id)
-    data = self._generate_data_string()
+    def persist_authorization_code(self, client_id, full_code, scope):
+        oauth_app = OAuthApplication.get(client_id=client_id)
+        data = self._generate_data_string()
 
-    assert len(full_code) >= (AUTHORIZATION_CODE_PREFIX_LENGTH * 2)
-    code_name = full_code[:AUTHORIZATION_CODE_PREFIX_LENGTH]
-    code_credential = full_code[AUTHORIZATION_CODE_PREFIX_LENGTH:]
+        assert len(full_code) >= (AUTHORIZATION_CODE_PREFIX_LENGTH * 2)
+        code_name = full_code[:AUTHORIZATION_CODE_PREFIX_LENGTH]
+        code_credential = full_code[AUTHORIZATION_CODE_PREFIX_LENGTH:]
 
-    # TODO(remove-unenc): Remove legacy fallback.
-    full_code = None
-    if ActiveDataMigration.has_flag(ERTMigrationFlags.WRITE_OLD_FIELDS):
-      full_code = code_name + code_credential
+        # TODO(remove-unenc): Remove legacy fallback.
+        full_code = None
+        if ActiveDataMigration.has_flag(ERTMigrationFlags.WRITE_OLD_FIELDS):
+            full_code = code_name + code_credential
 
-    OAuthAuthorizationCode.create(application=oauth_app,
-                                  code=full_code,
-                                  scope=scope,
-                                  code_name=code_name,
-                                  code_credential=Credential.from_string(code_credential),
-                                  data=data)
+        OAuthAuthorizationCode.create(
+            application=oauth_app,
+            code=full_code,
+            scope=scope,
+            code_name=code_name,
+            code_credential=Credential.from_string(code_credential),
+            data=data,
+        )
 
-  def persist_token_information(self, client_id, scope, access_token, token_type,
-                                expires_in, refresh_token, data):
-    assert not refresh_token
-    found = user.get_user(json.loads(data)['username'])
-    if not found:
-      raise RuntimeError('Username must be in the data field')
+    def persist_token_information(
+        self,
+        client_id,
+        scope,
+        access_token,
+        token_type,
+        expires_in,
+        refresh_token,
+        data,
+    ):
+        assert not refresh_token
+        found = user.get_user(json.loads(data)["username"])
+        if not found:
+            raise RuntimeError("Username must be in the data field")
 
-    token_name = access_token[:ACCESS_TOKEN_PREFIX_LENGTH]
-    token_code = access_token[ACCESS_TOKEN_PREFIX_LENGTH:]
+        token_name = access_token[:ACCESS_TOKEN_PREFIX_LENGTH]
+        token_code = access_token[ACCESS_TOKEN_PREFIX_LENGTH:]
 
-    assert token_name
-    assert token_code
-    assert len(token_name) == ACCESS_TOKEN_PREFIX_LENGTH
-    assert len(token_code) >= ACCESS_TOKEN_MINIMUM_CODE_LENGTH
+        assert token_name
+        assert token_code
+        assert len(token_name) == ACCESS_TOKEN_PREFIX_LENGTH
+        assert len(token_code) >= ACCESS_TOKEN_MINIMUM_CODE_LENGTH
 
-    oauth_app = OAuthApplication.get(client_id=client_id)
-    expires_at = datetime.utcnow() + timedelta(seconds=expires_in)
-    OAuthAccessToken.create(application=oauth_app,
-                            authorized_user=found,
-                            scope=scope,
-                            token_name=token_name,
-                            token_code=Credential.from_string(token_code),
-                            access_token='',
-                            token_type=token_type,
-                            expires_at=expires_at,
-                            data=data)
+        oauth_app = OAuthApplication.get(client_id=client_id)
+        expires_at = datetime.utcnow() + timedelta(seconds=expires_in)
+        OAuthAccessToken.create(
+            application=oauth_app,
+            authorized_user=found,
+            scope=scope,
+            token_name=token_name,
+            token_code=Credential.from_string(token_code),
+            access_token="",
+            token_type=token_type,
+            expires_at=expires_at,
+            data=data,
+        )
 
-  def get_auth_denied_response(self, response_type, client_id, redirect_uri, **params):
-    # Ensure proper response_type
-    if response_type != 'token':
-      err = 'unsupported_response_type'
-      return self._make_redirect_error_response(redirect_uri, err)
+    def get_auth_denied_response(
+        self, response_type, client_id, redirect_uri, **params
+    ):
+        # Ensure proper response_type
+        if response_type != "token":
+            err = "unsupported_response_type"
+            return self._make_redirect_error_response(redirect_uri, err)
 
-    # Check redirect URI
-    is_valid_redirect_uri = self.validate_redirect_uri(client_id, redirect_uri)
-    if not is_valid_redirect_uri:
-      return self._invalid_redirect_uri_response()
+        # Check redirect URI
+        is_valid_redirect_uri = self.validate_redirect_uri(client_id, redirect_uri)
+        if not is_valid_redirect_uri:
+            return self._invalid_redirect_uri_response()
 
-    return self._make_redirect_error_response(redirect_uri, 'authorization_denied')
+        return self._make_redirect_error_response(redirect_uri, "authorization_denied")
 
-  def get_token_response(self, response_type, client_id, redirect_uri, **params):
-    # Ensure proper response_type
-    if response_type != 'token':
-      err = 'unsupported_response_type'
-      return self._make_redirect_error_response(redirect_uri, err)
+    def get_token_response(self, response_type, client_id, redirect_uri, **params):
+        # Ensure proper response_type
+        if response_type != "token":
+            err = "unsupported_response_type"
+            return self._make_redirect_error_response(redirect_uri, err)
 
-    # Check for a valid client ID.
-    is_valid_client_id = self.validate_client_id(client_id)
-    if not is_valid_client_id:
-      err = 'unauthorized_client'
-      return self._make_redirect_error_response(redirect_uri, err)
+        # Check for a valid client ID.
+        is_valid_client_id = self.validate_client_id(client_id)
+        if not is_valid_client_id:
+            err = "unauthorized_client"
+            return self._make_redirect_error_response(redirect_uri, err)
 
-    # Check for a valid redirect URI.
-    is_valid_redirect_uri = self.validate_redirect_uri(client_id, redirect_uri)
-    if not is_valid_redirect_uri:
-      return self._invalid_redirect_uri_response()
+        # Check for a valid redirect URI.
+        is_valid_redirect_uri = self.validate_redirect_uri(client_id, redirect_uri)
+        if not is_valid_redirect_uri:
+            return self._invalid_redirect_uri_response()
 
-    # Check conditions
-    is_valid_access = self.validate_access()
-    scope = params.get('scope', '')
-    are_valid_scopes = self.validate_scope(client_id, scope)
+        # Check conditions
+        is_valid_access = self.validate_access()
+        scope = params.get("scope", "")
+        are_valid_scopes = self.validate_scope(client_id, scope)
 
-    # Return proper error responses on invalid conditions
-    if not is_valid_access:
-      err = 'access_denied'
-      return self._make_redirect_error_response(redirect_uri, err)
+        # Return proper error responses on invalid conditions
+        if not is_valid_access:
+            err = "access_denied"
+            return self._make_redirect_error_response(redirect_uri, err)
 
-    if not are_valid_scopes:
-      err = 'invalid_scope'
-      return self._make_redirect_error_response(redirect_uri, err)
+        if not are_valid_scopes:
+            err = "invalid_scope"
+            return self._make_redirect_error_response(redirect_uri, err)
 
-    # Make sure we have enough random data in the token to have a public
-    # prefix and a private encrypted suffix.
-    access_token = str(self.generate_access_token())
-    assert len(access_token) - ACCESS_TOKEN_PREFIX_LENGTH >= 20
+        # Make sure we have enough random data in the token to have a public
+        # prefix and a private encrypted suffix.
+        access_token = str(self.generate_access_token())
+        assert len(access_token) - ACCESS_TOKEN_PREFIX_LENGTH >= 20
 
-    token_type = self.token_type
-    expires_in = self.token_expires_in
+        token_type = self.token_type
+        expires_in = self.token_expires_in
 
-    data = self._generate_data_string()
-    self.persist_token_information(client_id=client_id,
-                                   scope=scope,
-                                   access_token=access_token,
-                                   token_type=token_type,
-                                   expires_in=expires_in,
-                                   refresh_token=None,
-                                   data=data)
+        data = self._generate_data_string()
+        self.persist_token_information(
+            client_id=client_id,
+            scope=scope,
+            access_token=access_token,
+            token_type=token_type,
+            expires_in=expires_in,
+            refresh_token=None,
+            data=data,
+        )
 
-    url = utils.build_url(redirect_uri, params)
-    url += '#access_token=%s&token_type=%s&expires_in=%s' % (access_token, token_type, expires_in)
+        url = utils.build_url(redirect_uri, params)
+        url += "#access_token=%s&token_type=%s&expires_in=%s" % (
+            access_token,
+            token_type,
+            expires_in,
+        )
 
-    return self._make_response(headers={'Location': url}, status_code=302)
+        return self._make_response(headers={"Location": url}, status_code=302)
 
-  def from_refresh_token(self, client_id, refresh_token, scope):
-    raise NotImplementedError()
+    def from_refresh_token(self, client_id, refresh_token, scope):
+        raise NotImplementedError()
 
-  def discard_authorization_code(self, client_id, full_code):
-    code_name = full_code[:AUTHORIZATION_CODE_PREFIX_LENGTH]    
-    try:
-      found = (OAuthAuthorizationCode
-               .select()
-               .join(OAuthApplication)
-               .where(OAuthApplication.client_id == client_id,
-                      OAuthAuthorizationCode.code_name == code_name)
-               .get())
-      found.delete_instance()
-      return
-    except OAuthAuthorizationCode.DoesNotExist:
-      pass
+    def discard_authorization_code(self, client_id, full_code):
+        code_name = full_code[:AUTHORIZATION_CODE_PREFIX_LENGTH]
+        try:
+            found = (
+                OAuthAuthorizationCode.select()
+                .join(OAuthApplication)
+                .where(
+                    OAuthApplication.client_id == client_id,
+                    OAuthAuthorizationCode.code_name == code_name,
+                )
+                .get()
+            )
+            found.delete_instance()
+            return
+        except OAuthAuthorizationCode.DoesNotExist:
+            pass
 
-    # Legacy: full code.
-    # TODO(remove-unenc): Remove legacy fallback.
-    if ActiveDataMigration.has_flag(ERTMigrationFlags.READ_OLD_FIELDS):
-      try:
-        found = (OAuthAuthorizationCode
-                 .select()
-                 .join(OAuthApplication)
-                 .where(OAuthApplication.client_id == client_id,
-                        OAuthAuthorizationCode.code == full_code)
-                 .get())
-        found.delete_instance()
-      except OAuthAuthorizationCode.DoesNotExist:
-        pass
+        # Legacy: full code.
+        # TODO(remove-unenc): Remove legacy fallback.
+        if ActiveDataMigration.has_flag(ERTMigrationFlags.READ_OLD_FIELDS):
+            try:
+                found = (
+                    OAuthAuthorizationCode.select()
+                    .join(OAuthApplication)
+                    .where(
+                        OAuthApplication.client_id == client_id,
+                        OAuthAuthorizationCode.code == full_code,
+                    )
+                    .get()
+                )
+                found.delete_instance()
+            except OAuthAuthorizationCode.DoesNotExist:
+                pass
 
-  def discard_refresh_token(self, client_id, refresh_token):
-    raise NotImplementedError()
+    def discard_refresh_token(self, client_id, refresh_token):
+        raise NotImplementedError()
 
 
 def create_application(org, name, application_uri, redirect_uri, **kwargs):
-  client_secret = kwargs.pop('client_secret', random_string_generator(length=40)())
+    client_secret = kwargs.pop("client_secret", random_string_generator(length=40)())
 
-  # TODO(remove-unenc): Remove legacy field.
-  old_client_secret = None
-  if ActiveDataMigration.has_flag(ERTMigrationFlags.WRITE_OLD_FIELDS):
-    old_client_secret = client_secret
+    # TODO(remove-unenc): Remove legacy field.
+    old_client_secret = None
+    if ActiveDataMigration.has_flag(ERTMigrationFlags.WRITE_OLD_FIELDS):
+        old_client_secret = client_secret
 
-  return OAuthApplication.create(organization=org,
-                                 name=name,
-                                 application_uri=application_uri,
-                                 redirect_uri=redirect_uri,
-                                 client_secret=old_client_secret,
-                                 secure_client_secret=DecryptedValue(client_secret),
-                                 **kwargs)
+    return OAuthApplication.create(
+        organization=org,
+        name=name,
+        application_uri=application_uri,
+        redirect_uri=redirect_uri,
+        client_secret=old_client_secret,
+        secure_client_secret=DecryptedValue(client_secret),
+        **kwargs
+    )
 
 
 def validate_access_token(access_token):
-  assert isinstance(access_token, basestring)
-  token_name = access_token[:ACCESS_TOKEN_PREFIX_LENGTH]
-  if not token_name:
-    return None
+    assert isinstance(access_token, basestring)
+    token_name = access_token[:ACCESS_TOKEN_PREFIX_LENGTH]
+    if not token_name:
+        return None
 
-  token_code = access_token[ACCESS_TOKEN_PREFIX_LENGTH:]
-  if not token_code:
-    return None
+    token_code = access_token[ACCESS_TOKEN_PREFIX_LENGTH:]
+    if not token_code:
+        return None
 
-  try:
-    found = (OAuthAccessToken
-             .select(OAuthAccessToken, User)
-             .join(User)
-             .where(OAuthAccessToken.token_name == token_name)
-             .get())
-
-    if found.token_code is None or not found.token_code.matches(token_code):
-      return None
-
-    return found
-  except OAuthAccessToken.DoesNotExist:
-    pass
-
-  # Legacy lookup.
-  # TODO(remove-unenc): Remove this once migrated.
-  if ActiveDataMigration.has_flag(ERTMigrationFlags.READ_OLD_FIELDS):
     try:
-      assert access_token
-      found = (OAuthAccessToken
-               .select(OAuthAccessToken, User)
-               .join(User)
-               .where(OAuthAccessToken.access_token == access_token)
-               .get())
-      return found
-    except OAuthAccessToken.DoesNotExist:
-      return None
+        found = (
+            OAuthAccessToken.select(OAuthAccessToken, User)
+            .join(User)
+            .where(OAuthAccessToken.token_name == token_name)
+            .get()
+        )
 
-  return None
+        if found.token_code is None or not found.token_code.matches(token_code):
+            return None
+
+        return found
+    except OAuthAccessToken.DoesNotExist:
+        pass
+
+    # Legacy lookup.
+    # TODO(remove-unenc): Remove this once migrated.
+    if ActiveDataMigration.has_flag(ERTMigrationFlags.READ_OLD_FIELDS):
+        try:
+            assert access_token
+            found = (
+                OAuthAccessToken.select(OAuthAccessToken, User)
+                .join(User)
+                .where(OAuthAccessToken.access_token == access_token)
+                .get()
+            )
+            return found
+        except OAuthAccessToken.DoesNotExist:
+            return None
+
+    return None
 
 
 def get_application_for_client_id(client_id):
-  try:
-    return OAuthApplication.get(client_id=client_id)
-  except OAuthApplication.DoesNotExist:
-    return None
+    try:
+        return OAuthApplication.get(client_id=client_id)
+    except OAuthApplication.DoesNotExist:
+        return None
 
 
 def reset_client_secret(application):
-  client_secret = random_string_generator(length=40)()
+    client_secret = random_string_generator(length=40)()
 
-  # TODO(remove-unenc): Remove legacy field.
-  if ActiveDataMigration.has_flag(ERTMigrationFlags.WRITE_OLD_FIELDS):
-    application.client_secret = client_secret
+    # TODO(remove-unenc): Remove legacy field.
+    if ActiveDataMigration.has_flag(ERTMigrationFlags.WRITE_OLD_FIELDS):
+        application.client_secret = client_secret
 
-  application.secure_client_secret = DecryptedValue(client_secret)
-  application.save()
-  return application
+    application.secure_client_secret = DecryptedValue(client_secret)
+    application.save()
+    return application
 
 
 def lookup_application(org, client_id):
-  try:
-    return OAuthApplication.get(organization=org, client_id=client_id)
-  except OAuthApplication.DoesNotExist:
-    return None
+    try:
+        return OAuthApplication.get(organization=org, client_id=client_id)
+    except OAuthApplication.DoesNotExist:
+        return None
 
 
 def delete_application(org, client_id):
-  application = lookup_application(org, client_id)
-  if not application:
-    return
+    application = lookup_application(org, client_id)
+    if not application:
+        return
 
-  application.delete_instance(recursive=True, delete_nullable=True)
-  return application
+    application.delete_instance(recursive=True, delete_nullable=True)
+    return application
 
 
 def lookup_access_token_by_uuid(token_uuid):
-  try:
-    return OAuthAccessToken.get(OAuthAccessToken.uuid == token_uuid)
-  except OAuthAccessToken.DoesNotExist:
-    return None
+    try:
+        return OAuthAccessToken.get(OAuthAccessToken.uuid == token_uuid)
+    except OAuthAccessToken.DoesNotExist:
+        return None
 
 
 def lookup_access_token_for_user(user_obj, token_uuid):
-  try:
-    return OAuthAccessToken.get(OAuthAccessToken.authorized_user == user_obj,
-                                OAuthAccessToken.uuid == token_uuid)
-  except OAuthAccessToken.DoesNotExist:
-    return None
+    try:
+        return OAuthAccessToken.get(
+            OAuthAccessToken.authorized_user == user_obj,
+            OAuthAccessToken.uuid == token_uuid,
+        )
+    except OAuthAccessToken.DoesNotExist:
+        return None
 
 
 def list_access_tokens_for_user(user_obj):
-  query = (OAuthAccessToken
-           .select()
-           .join(OAuthApplication)
-           .switch(OAuthAccessToken)
-           .join(User)
-           .where(OAuthAccessToken.authorized_user == user_obj))
+    query = (
+        OAuthAccessToken.select()
+        .join(OAuthApplication)
+        .switch(OAuthAccessToken)
+        .join(User)
+        .where(OAuthAccessToken.authorized_user == user_obj)
+    )
 
-  return query
+    return query
 
 
 def list_applications_for_org(org):
-  query = (OAuthApplication
-           .select()
-           .join(User)
-           .where(OAuthApplication.organization == org))
+    query = (
+        OAuthApplication.select().join(User).where(OAuthApplication.organization == org)
+    )
 
-  return query
+    return query
 
 
-def create_access_token_for_testing(user_obj, client_id, scope, access_token=None, expires_in=9000):
-  access_token = access_token or random_string_generator(length=40)()
-  token_name = access_token[:ACCESS_TOKEN_PREFIX_LENGTH]
-  token_code = access_token[ACCESS_TOKEN_PREFIX_LENGTH:]
+def create_access_token_for_testing(
+    user_obj, client_id, scope, access_token=None, expires_in=9000
+):
+    access_token = access_token or random_string_generator(length=40)()
+    token_name = access_token[:ACCESS_TOKEN_PREFIX_LENGTH]
+    token_code = access_token[ACCESS_TOKEN_PREFIX_LENGTH:]
 
-  assert len(token_name) == ACCESS_TOKEN_PREFIX_LENGTH
-  assert len(token_code) >= ACCESS_TOKEN_MINIMUM_CODE_LENGTH
+    assert len(token_name) == ACCESS_TOKEN_PREFIX_LENGTH
+    assert len(token_code) >= ACCESS_TOKEN_MINIMUM_CODE_LENGTH
 
-  expires_at = datetime.utcnow() + timedelta(seconds=expires_in)
-  application = get_application_for_client_id(client_id)
-  created = OAuthAccessToken.create(application=application,
-                                    authorized_user=user_obj,
-                                    scope=scope,
-                                    token_type='token',
-                                    access_token='',
-                                    token_code=Credential.from_string(token_code),
-                                    token_name=token_name,
-                                    expires_at=expires_at,
-                                    data='')
-  return created, access_token
+    expires_at = datetime.utcnow() + timedelta(seconds=expires_in)
+    application = get_application_for_client_id(client_id)
+    created = OAuthAccessToken.create(
+        application=application,
+        authorized_user=user_obj,
+        scope=scope,
+        token_type="token",
+        access_token="",
+        token_code=Credential.from_string(token_code),
+        token_name=token_name,
+        expires_at=expires_at,
+        data="",
+    )
+    return created, access_token
diff --git a/data/model/oci/__init__.py b/data/model/oci/__init__.py
index 39bcef2eb..9bd769121 100644
--- a/data/model/oci/__init__.py
+++ b/data/model/oci/__init__.py
@@ -1,9 +1,3 @@
 # There MUST NOT be any circular dependencies between these subsections. If there are fix it by
 # moving the minimal number of things to shared
-from data.model.oci import (
-  blob,
-  label,
-  manifest,
-  shared,
-  tag,
-)
+from data.model.oci import blob, label, manifest, shared, tag
diff --git a/data/model/oci/blob.py b/data/model/oci/blob.py
index f7739c21b..6d04ff561 100644
--- a/data/model/oci/blob.py
+++ b/data/model/oci/blob.py
@@ -3,24 +3,28 @@ from data.model import BlobDoesNotExist
 from data.model.storage import get_storage_by_uuid, InvalidImageException
 from data.model.blob import get_repository_blob_by_digest as legacy_get
 
+
 def get_repository_blob_by_digest(repository, blob_digest):
-  """ Find the content-addressable blob linked to the specified repository and
+    """ Find the content-addressable blob linked to the specified repository and
       returns it or None if none.
   """
-  try:
-    storage = (ImageStorage
-               .select(ImageStorage.uuid)
-               .join(ManifestBlob)
-               .where(ManifestBlob.repository == repository,
-                      ImageStorage.content_checksum == blob_digest,
-                      ImageStorage.uploading == False)
-               .get())
-
-    return get_storage_by_uuid(storage.uuid)
-  except (ImageStorage.DoesNotExist, InvalidImageException):
-    # TODO: Remove once we are no longer using the legacy tables.
-    # Try the legacy call.
     try:
-      return legacy_get(repository, blob_digest)
-    except BlobDoesNotExist:
-      return None
+        storage = (
+            ImageStorage.select(ImageStorage.uuid)
+            .join(ManifestBlob)
+            .where(
+                ManifestBlob.repository == repository,
+                ImageStorage.content_checksum == blob_digest,
+                ImageStorage.uploading == False,
+            )
+            .get()
+        )
+
+        return get_storage_by_uuid(storage.uuid)
+    except (ImageStorage.DoesNotExist, InvalidImageException):
+        # TODO: Remove once we are no longer using the legacy tables.
+        # Try the legacy call.
+        try:
+            return legacy_get(repository, blob_digest)
+        except BlobDoesNotExist:
+            return None
diff --git a/data/model/oci/label.py b/data/model/oci/label.py
index d019e6d2d..850db9a31 100644
--- a/data/model/oci/label.py
+++ b/data/model/oci/label.py
@@ -1,142 +1,183 @@
 import logging
 
 
-from data.model import InvalidLabelKeyException, InvalidMediaTypeException, DataModelException
-from data.database import (Label, Manifest, TagManifestLabel, MediaType, LabelSourceType,
-                           db_transaction, ManifestLabel, TagManifestLabelMap,
-                           TagManifestToManifest, Repository, TagManifest)
+from data.model import (
+    InvalidLabelKeyException,
+    InvalidMediaTypeException,
+    DataModelException,
+)
+from data.database import (
+    Label,
+    Manifest,
+    TagManifestLabel,
+    MediaType,
+    LabelSourceType,
+    db_transaction,
+    ManifestLabel,
+    TagManifestLabelMap,
+    TagManifestToManifest,
+    Repository,
+    TagManifest,
+)
 from data.text import prefix_search
 from util.validation import validate_label_key
 from util.validation import is_json
 
 logger = logging.getLogger(__name__)
 
+
 def list_manifest_labels(manifest_id, prefix_filter=None):
-  """ Lists all labels found on the given manifest, with an optional filter by key prefix. """
-  query = (Label
-           .select(Label, MediaType)
-           .join(MediaType)
-           .switch(Label)
-           .join(LabelSourceType)
-           .switch(Label)
-           .join(ManifestLabel)
-           .where(ManifestLabel.manifest == manifest_id))
+    """ Lists all labels found on the given manifest, with an optional filter by key prefix. """
+    query = (
+        Label.select(Label, MediaType)
+        .join(MediaType)
+        .switch(Label)
+        .join(LabelSourceType)
+        .switch(Label)
+        .join(ManifestLabel)
+        .where(ManifestLabel.manifest == manifest_id)
+    )
 
-  if prefix_filter is not None:
-    query = query.where(prefix_search(Label.key, prefix_filter))
+    if prefix_filter is not None:
+        query = query.where(prefix_search(Label.key, prefix_filter))
 
-  return query
+    return query
 
 
 def get_manifest_label(label_uuid, manifest):
-  """ Retrieves the manifest label on the manifest with the given UUID or None if none. """
-  try:
-    return (Label
-            .select(Label, LabelSourceType)
+    """ Retrieves the manifest label on the manifest with the given UUID or None if none. """
+    try:
+        return (
+            Label.select(Label, LabelSourceType)
             .join(LabelSourceType)
             .where(Label.uuid == label_uuid)
             .switch(Label)
             .join(ManifestLabel)
             .where(ManifestLabel.manifest == manifest)
-            .get())
-  except Label.DoesNotExist:
-    return None
+            .get()
+        )
+    except Label.DoesNotExist:
+        return None
 
 
-def create_manifest_label(manifest_id, key, value, source_type_name, media_type_name=None,
-                          adjust_old_model=True):
-  """ Creates a new manifest label on a specific tag manifest. """
-  if not key:
-    raise InvalidLabelKeyException()
+def create_manifest_label(
+    manifest_id,
+    key,
+    value,
+    source_type_name,
+    media_type_name=None,
+    adjust_old_model=True,
+):
+    """ Creates a new manifest label on a specific tag manifest. """
+    if not key:
+        raise InvalidLabelKeyException()
 
-  # Note that we don't prevent invalid label names coming from the manifest to be stored, as Docker
-  # does not currently prevent them from being put into said manifests.
-  if not validate_label_key(key) and source_type_name != 'manifest':
-    raise InvalidLabelKeyException('Key `%s` is invalid' % key)
+    # Note that we don't prevent invalid label names coming from the manifest to be stored, as Docker
+    # does not currently prevent them from being put into said manifests.
+    if not validate_label_key(key) and source_type_name != "manifest":
+        raise InvalidLabelKeyException("Key `%s` is invalid" % key)
 
-  # Find the matching media type. If none specified, we infer.
-  if media_type_name is None:
-    media_type_name = 'text/plain'
-    if is_json(value):
-      media_type_name = 'application/json'
+    # Find the matching media type. If none specified, we infer.
+    if media_type_name is None:
+        media_type_name = "text/plain"
+        if is_json(value):
+            media_type_name = "application/json"
 
-  try:
-    media_type_id = Label.media_type.get_id(media_type_name)
-  except MediaType.DoesNotExist:
-    raise InvalidMediaTypeException()
-
-  source_type_id = Label.source_type.get_id(source_type_name)
-
-  # Ensure the manifest exists.
-  try:
-    manifest = (Manifest
-                .select(Manifest, Repository)
-                .join(Repository)
-                .where(Manifest.id == manifest_id)
-                .get())
-  except Manifest.DoesNotExist:
-    return None
-
-  repository = manifest.repository
-
-  # TODO: Remove this code once the TagManifest table is gone.
-  tag_manifest = None
-  if adjust_old_model:
     try:
-      mapping_row = (TagManifestToManifest
-                     .select(TagManifestToManifest, TagManifest)
-                     .join(TagManifest)
-                     .where(TagManifestToManifest.manifest == manifest)
-                     .get())
-      tag_manifest = mapping_row.tag_manifest
-    except TagManifestToManifest.DoesNotExist:
-      tag_manifest = None
+        media_type_id = Label.media_type.get_id(media_type_name)
+    except MediaType.DoesNotExist:
+        raise InvalidMediaTypeException()
 
-  with db_transaction():
-    label = Label.create(key=key, value=value, source_type=source_type_id, media_type=media_type_id)
-    manifest_label = ManifestLabel.create(manifest=manifest_id, label=label, repository=repository)
+    source_type_id = Label.source_type.get_id(source_type_name)
+
+    # Ensure the manifest exists.
+    try:
+        manifest = (
+            Manifest.select(Manifest, Repository)
+            .join(Repository)
+            .where(Manifest.id == manifest_id)
+            .get()
+        )
+    except Manifest.DoesNotExist:
+        return None
+
+    repository = manifest.repository
 
-    # If there exists a mapping to a TagManifest, add the old-style label.
     # TODO: Remove this code once the TagManifest table is gone.
-    if tag_manifest:
-      tag_manifest_label = TagManifestLabel.create(annotated=tag_manifest, label=label,
-                                                   repository=repository)
-      TagManifestLabelMap.create(manifest_label=manifest_label,
-                                 tag_manifest_label=tag_manifest_label,
-                                 label=label,
-                                 manifest=manifest,
-                                 tag_manifest=tag_manifest)
+    tag_manifest = None
+    if adjust_old_model:
+        try:
+            mapping_row = (
+                TagManifestToManifest.select(TagManifestToManifest, TagManifest)
+                .join(TagManifest)
+                .where(TagManifestToManifest.manifest == manifest)
+                .get()
+            )
+            tag_manifest = mapping_row.tag_manifest
+        except TagManifestToManifest.DoesNotExist:
+            tag_manifest = None
 
-  return label
+    with db_transaction():
+        label = Label.create(
+            key=key, value=value, source_type=source_type_id, media_type=media_type_id
+        )
+        manifest_label = ManifestLabel.create(
+            manifest=manifest_id, label=label, repository=repository
+        )
+
+        # If there exists a mapping to a TagManifest, add the old-style label.
+        # TODO: Remove this code once the TagManifest table is gone.
+        if tag_manifest:
+            tag_manifest_label = TagManifestLabel.create(
+                annotated=tag_manifest, label=label, repository=repository
+            )
+            TagManifestLabelMap.create(
+                manifest_label=manifest_label,
+                tag_manifest_label=tag_manifest_label,
+                label=label,
+                manifest=manifest,
+                tag_manifest=tag_manifest,
+            )
+
+    return label
 
 
 def delete_manifest_label(label_uuid, manifest):
-  """ Deletes the manifest label on the tag manifest with the given ID. Returns the label deleted
+    """ Deletes the manifest label on the tag manifest with the given ID. Returns the label deleted
       or None if none.
   """
-  # Find the label itself.
-  label = get_manifest_label(label_uuid, manifest)
-  if label is None:
-    return None
+    # Find the label itself.
+    label = get_manifest_label(label_uuid, manifest)
+    if label is None:
+        return None
 
-  if not label.source_type.mutable:
-    raise DataModelException('Cannot delete immutable label')
+    if not label.source_type.mutable:
+        raise DataModelException("Cannot delete immutable label")
 
-  # Delete the mapping records and label.
-  # TODO: Remove this code once the TagManifest table is gone.
-  with db_transaction():
-    (TagManifestLabelMap
-     .delete()
-     .where(TagManifestLabelMap.label == label)
-     .execute())
+    # Delete the mapping records and label.
+    # TODO: Remove this code once the TagManifest table is gone.
+    with db_transaction():
+        (
+            TagManifestLabelMap.delete()
+            .where(TagManifestLabelMap.label == label)
+            .execute()
+        )
 
-    deleted_count = TagManifestLabel.delete().where(TagManifestLabel.label == label).execute()
-    if deleted_count != 1:
-      logger.warning('More than a single label deleted for matching label %s', label_uuid)
+        deleted_count = (
+            TagManifestLabel.delete().where(TagManifestLabel.label == label).execute()
+        )
+        if deleted_count != 1:
+            logger.warning(
+                "More than a single label deleted for matching label %s", label_uuid
+            )
 
-    deleted_count = ManifestLabel.delete().where(ManifestLabel.label == label).execute()
-    if deleted_count != 1:
-      logger.warning('More than a single label deleted for matching label %s', label_uuid)
+        deleted_count = (
+            ManifestLabel.delete().where(ManifestLabel.label == label).execute()
+        )
+        if deleted_count != 1:
+            logger.warning(
+                "More than a single label deleted for matching label %s", label_uuid
+            )
 
-    label.delete_instance(recursive=False)
-    return label
+        label.delete_instance(recursive=False)
+        return label
diff --git a/data/model/oci/manifest.py b/data/model/oci/manifest.py
index 85b66efc5..806ebba24 100644
--- a/data/model/oci/manifest.py
+++ b/data/model/oci/manifest.py
@@ -4,8 +4,14 @@ from collections import namedtuple
 
 from peewee import IntegrityError
 
-from data.database import (Tag, Manifest, ManifestBlob, ManifestLegacyImage, ManifestChild,
-                           db_transaction)
+from data.database import (
+    Tag,
+    Manifest,
+    ManifestBlob,
+    ManifestLegacyImage,
+    ManifestChild,
+    db_transaction,
+)
 from data.model import BlobDoesNotExist
 from data.model.blob import get_or_create_shared_blob, get_shared_blob
 from data.model.oci.tag import filter_to_alive_tags, create_temporary_tag_if_necessary
@@ -19,73 +25,86 @@ from image.docker.schema2.list import MalformedSchema2ManifestList
 from util.validation import is_json
 
 
-TEMP_TAG_EXPIRATION_SEC = 300 # 5 minutes
+TEMP_TAG_EXPIRATION_SEC = 300  # 5 minutes
 
 
 logger = logging.getLogger(__name__)
 
-CreatedManifest = namedtuple('CreatedManifest', ['manifest', 'newly_created', 'labels_to_apply'])
+CreatedManifest = namedtuple(
+    "CreatedManifest", ["manifest", "newly_created", "labels_to_apply"]
+)
 
 
 class CreateManifestException(Exception):
-  """ Exception raised when creating a manifest fails and explicit exception
+    """ Exception raised when creating a manifest fails and explicit exception
       raising is requested. """
 
 
-def lookup_manifest(repository_id, manifest_digest, allow_dead=False, require_available=False,
-                    temp_tag_expiration_sec=TEMP_TAG_EXPIRATION_SEC):
-  """ Returns the manifest with the specified digest under the specified repository
+def lookup_manifest(
+    repository_id,
+    manifest_digest,
+    allow_dead=False,
+    require_available=False,
+    temp_tag_expiration_sec=TEMP_TAG_EXPIRATION_SEC,
+):
+    """ Returns the manifest with the specified digest under the specified repository
       or None if none. If allow_dead is True, then manifests referenced by only
       dead tags will also be returned. If require_available is True, the manifest
       will be marked with a temporary tag to ensure it remains available.
   """
-  if not require_available:
-    return _lookup_manifest(repository_id, manifest_digest, allow_dead=allow_dead)
+    if not require_available:
+        return _lookup_manifest(repository_id, manifest_digest, allow_dead=allow_dead)
 
-  with db_transaction():
-    found = _lookup_manifest(repository_id, manifest_digest, allow_dead=allow_dead)
-    if found is None:
-      return None
+    with db_transaction():
+        found = _lookup_manifest(repository_id, manifest_digest, allow_dead=allow_dead)
+        if found is None:
+            return None
 
-    create_temporary_tag_if_necessary(found, temp_tag_expiration_sec)
-    return found
+        create_temporary_tag_if_necessary(found, temp_tag_expiration_sec)
+        return found
 
 
 def _lookup_manifest(repository_id, manifest_digest, allow_dead=False):
-  query = (Manifest
-           .select()
-           .where(Manifest.repository == repository_id)
-           .where(Manifest.digest == manifest_digest))
+    query = (
+        Manifest.select()
+        .where(Manifest.repository == repository_id)
+        .where(Manifest.digest == manifest_digest)
+    )
 
-  if allow_dead:
+    if allow_dead:
+        try:
+            return query.get()
+        except Manifest.DoesNotExist:
+            return None
+
+    # Try first to filter to those manifests referenced by an alive tag,
     try:
-      return query.get()
+        return filter_to_alive_tags(query.join(Tag)).get()
     except Manifest.DoesNotExist:
-      return None
+        pass
 
-  # Try first to filter to those manifests referenced by an alive tag,
-  try:
-    return filter_to_alive_tags(query.join(Tag)).get()
-  except Manifest.DoesNotExist:
-    pass
+    # Try referenced as the child of a manifest that has an alive tag.
+    query = query.join(
+        ManifestChild, on=(ManifestChild.child_manifest == Manifest.id)
+    ).join(Tag, on=(Tag.manifest == ManifestChild.manifest))
 
-  # Try referenced as the child of a manifest that has an alive tag.
-  query = (query
-           .join(ManifestChild, on=(ManifestChild.child_manifest == Manifest.id))
-           .join(Tag, on=(Tag.manifest == ManifestChild.manifest)))
+    query = filter_to_alive_tags(query)
 
-  query = filter_to_alive_tags(query)
-
-  try:
-    return query.get()
-  except Manifest.DoesNotExist:
-    return None
+    try:
+        return query.get()
+    except Manifest.DoesNotExist:
+        return None
 
 
-def get_or_create_manifest(repository_id, manifest_interface_instance, storage,
-                           temp_tag_expiration_sec=TEMP_TAG_EXPIRATION_SEC,
-                           for_tagging=False, raise_on_error=False):
-  """ Returns a CreatedManifest for the manifest in the specified repository with the matching
+def get_or_create_manifest(
+    repository_id,
+    manifest_interface_instance,
+    storage,
+    temp_tag_expiration_sec=TEMP_TAG_EXPIRATION_SEC,
+    for_tagging=False,
+    raise_on_error=False,
+):
+    """ Returns a CreatedManifest for the manifest in the specified repository with the matching
       digest (if it already exists) or, if not yet created, creates and returns the manifest.
 
       Returns None if there was an error creating the manifest, unless raise_on_error is specified,
@@ -95,227 +114,293 @@ def get_or_create_manifest(repository_id, manifest_interface_instance, storage,
       Note that *all* blobs referenced by the manifest must exist already in the repository or this
       method will fail with a None.
   """
-  existing = lookup_manifest(repository_id, manifest_interface_instance.digest, allow_dead=True,
-                             require_available=True,
-                             temp_tag_expiration_sec=temp_tag_expiration_sec)
-  if existing is not None:
-    return CreatedManifest(manifest=existing, newly_created=False, labels_to_apply=None)
-
-  return _create_manifest(repository_id, manifest_interface_instance, storage,
-                          temp_tag_expiration_sec, for_tagging=for_tagging,
-                          raise_on_error=raise_on_error)
-
-
-def _create_manifest(repository_id, manifest_interface_instance, storage,
-                     temp_tag_expiration_sec=TEMP_TAG_EXPIRATION_SEC,
-                     for_tagging=False, raise_on_error=False):
-  # Validate the manifest.
-  retriever = RepositoryContentRetriever.for_repository(repository_id, storage)
-  try:
-    manifest_interface_instance.validate(retriever)
-  except (ManifestException, MalformedSchema2ManifestList, BlobDoesNotExist, IOError) as ex:
-    logger.exception('Could not validate manifest `%s`', manifest_interface_instance.digest)
-    if raise_on_error:
-      raise CreateManifestException(ex)
-
-    return None
-
-  # Load, parse and get/create the child manifests, if any.
-  child_manifest_refs = manifest_interface_instance.child_manifests(retriever)
-  child_manifest_rows = {}
-  child_manifest_label_dicts = []
-
-  if child_manifest_refs is not None:
-    for child_manifest_ref in child_manifest_refs:
-      # Load and parse the child manifest.
-      try:
-        child_manifest = child_manifest_ref.manifest_obj
-      except (ManifestException, MalformedSchema2ManifestList, BlobDoesNotExist, IOError) as ex:
-        logger.exception('Could not load manifest list for manifest `%s`',
-                         manifest_interface_instance.digest)
-        if raise_on_error:
-          raise CreateManifestException(ex)
-
-        return None
-
-      # Retrieve its labels.
-      labels = child_manifest.get_manifest_labels(retriever)
-      if labels is None:
-        logger.exception('Could not load manifest labels for child manifest')
-        return None
-
-      # Get/create the child manifest in the database.
-      child_manifest_info = get_or_create_manifest(repository_id, child_manifest, storage,
-                                                   raise_on_error=raise_on_error)
-      if child_manifest_info is None:
-        logger.error('Could not get/create child manifest')
-        return None
-
-      child_manifest_rows[child_manifest_info.manifest.digest] = child_manifest_info.manifest
-      child_manifest_label_dicts.append(labels)
-
-  # Ensure all the blobs in the manifest exist.
-  digests = set(manifest_interface_instance.local_blob_digests)
-  blob_map = {}
-
-  # If the special empty layer is required, simply load it directly. This is much faster
-  # than trying to load it on a per repository basis, and that is unnecessary anyway since
-  # this layer is predefined.
-  if EMPTY_LAYER_BLOB_DIGEST in digests:
-    digests.remove(EMPTY_LAYER_BLOB_DIGEST)
-    blob_map[EMPTY_LAYER_BLOB_DIGEST] = get_shared_blob(EMPTY_LAYER_BLOB_DIGEST)
-    if not blob_map[EMPTY_LAYER_BLOB_DIGEST]:
-      logger.warning('Could not find the special empty blob in storage')
-      return None
-
-  if digests:
-    query = lookup_repo_storages_by_content_checksum(repository_id, digests)
-    blob_map.update({s.content_checksum: s for s in query})
-    for digest_str in digests:
-      if digest_str not in blob_map:
-        logger.warning('Unknown blob `%s` under manifest `%s` for repository `%s`', digest_str,
-                       manifest_interface_instance.digest, repository_id)
-
-        if raise_on_error:
-          raise CreateManifestException('Unknown blob `%s`' % digest_str)
-
-        return None
-
-  # Special check: If the empty layer blob is needed for this manifest, add it to the
-  # blob map. This is necessary because Docker decided to elide sending of this special
-  # empty layer in schema version 2, but we need to have it referenced for GC and schema version 1.
-  if EMPTY_LAYER_BLOB_DIGEST not in blob_map:
-    if manifest_interface_instance.get_requires_empty_layer_blob(retriever):
-      shared_blob = get_or_create_shared_blob(EMPTY_LAYER_BLOB_DIGEST, EMPTY_LAYER_BYTES, storage)
-      assert not shared_blob.uploading
-      assert shared_blob.content_checksum == EMPTY_LAYER_BLOB_DIGEST
-      blob_map[EMPTY_LAYER_BLOB_DIGEST] = shared_blob
-
-  # Determine and populate the legacy image if necessary. Manifest lists will not have a legacy
-  # image.
-  legacy_image = None
-  if manifest_interface_instance.has_legacy_image:
-    legacy_image_id = _populate_legacy_image(repository_id, manifest_interface_instance, blob_map,
-                                             retriever)
-    if legacy_image_id is None:
-      return None
-
-    legacy_image = get_image(repository_id, legacy_image_id)
-    if legacy_image is None:
-      return None
-
-  # Create the manifest and its blobs.
-  media_type = Manifest.media_type.get_id(manifest_interface_instance.media_type)
-  storage_ids = {storage.id for storage in blob_map.values()}
-
-  with db_transaction():
-    # Check for the manifest. This is necessary because Postgres doesn't handle IntegrityErrors
-    # well under transactions.
-    try:
-      manifest = Manifest.get(repository=repository_id, digest=manifest_interface_instance.digest)
-      return CreatedManifest(manifest=manifest, newly_created=False, labels_to_apply=None)
-    except Manifest.DoesNotExist:
-      pass
-
-    # Create the manifest.
-    try:
-      manifest = Manifest.create(repository=repository_id,
-                                 digest=manifest_interface_instance.digest,
-                                 media_type=media_type,
-                                 manifest_bytes=manifest_interface_instance.bytes.as_encoded_str())
-    except IntegrityError:
-      manifest = Manifest.get(repository=repository_id, digest=manifest_interface_instance.digest)
-      return CreatedManifest(manifest=manifest, newly_created=False, labels_to_apply=None)
-
-    # Insert the blobs.
-    blobs_to_insert = [dict(manifest=manifest, repository=repository_id,
-                            blob=storage_id) for storage_id in storage_ids]
-    if blobs_to_insert:
-      ManifestBlob.insert_many(blobs_to_insert).execute()
-
-    # Set the legacy image (if applicable).
-    if legacy_image is not None:
-      ManifestLegacyImage.create(repository=repository_id, image=legacy_image, manifest=manifest)
-
-    # Insert the manifest child rows (if applicable).
-    if child_manifest_rows:
-      children_to_insert = [dict(manifest=manifest, child_manifest=child_manifest,
-                                 repository=repository_id)
-                            for child_manifest in child_manifest_rows.values()]
-      ManifestChild.insert_many(children_to_insert).execute()
-
-    # If this manifest is being created not for immediate tagging, add a temporary tag to the
-    # manifest to ensure it isn't being GCed. If the manifest *is* for tagging, then since we're
-    # creating a new one here, it cannot be GCed (since it isn't referenced by anything yet), so
-    # its safe to elide the temp tag operation. If we ever change GC code to collect *all* manifests
-    # in a repository for GC, then we will have to reevaluate this optimization at that time.
-    if not for_tagging:
-      create_temporary_tag_if_necessary(manifest, temp_tag_expiration_sec)
-
-  # Define the labels for the manifest (if any).
-  labels = manifest_interface_instance.get_manifest_labels(retriever)
-  if labels:
-    for key, value in labels.iteritems():
-      media_type = 'application/json' if is_json(value) else 'text/plain'
-      create_manifest_label(manifest, key, value, 'manifest', media_type)
-
-  # Return the dictionary of labels to apply (i.e. those labels that cause an action to be taken
-  # on the manifest or its resulting tags). We only return those labels either defined on
-  # the manifest or shared amongst all the child manifests. We intersect amongst all child manifests
-  # to ensure that any action performed is defined in all manifests.
-  labels_to_apply = labels or {}
-  if child_manifest_label_dicts:
-    labels_to_apply = child_manifest_label_dicts[0].viewitems()
-    for child_manifest_label_dict in child_manifest_label_dicts[1:]:
-      # Intersect the key+values of the labels to ensure we get the exact same result
-      # for all the child manifests.
-      labels_to_apply = labels_to_apply & child_manifest_label_dict.viewitems()
-
-    labels_to_apply = dict(labels_to_apply)
-
-  return CreatedManifest(manifest=manifest, newly_created=True, labels_to_apply=labels_to_apply)
-
-
-def _populate_legacy_image(repository_id, manifest_interface_instance, blob_map, retriever):
-  # Lookup all the images and their parent images (if any) inside the manifest.
-  # This will let us know which v1 images we need to synthesize and which ones are invalid.
-  docker_image_ids = list(manifest_interface_instance.get_legacy_image_ids(retriever))
-  images_query = lookup_repository_images(repository_id, docker_image_ids)
-  image_storage_map = {i.docker_image_id: i.storage for i in images_query}
-
-  # Rewrite any v1 image IDs that do not match the checksum in the database.
-  try:
-    rewritten_images = manifest_interface_instance.generate_legacy_layers(image_storage_map,
-                                                                          retriever)
-    rewritten_images = list(rewritten_images)
-    parent_image_map = {}
-
-    for rewritten_image in rewritten_images:
-      if not rewritten_image.image_id in image_storage_map:
-        parent_image = None
-        if rewritten_image.parent_image_id:
-          parent_image = parent_image_map.get(rewritten_image.parent_image_id)
-          if parent_image is None:
-            parent_image = get_image(repository_id, rewritten_image.parent_image_id)
-            if parent_image is None:
-              return None
-
-        storage_reference = blob_map[rewritten_image.content_checksum]
-        synthesized = synthesize_v1_image(
-          repository_id,
-          storage_reference.id,
-          storage_reference.image_size,
-          rewritten_image.image_id,
-          rewritten_image.created,
-          rewritten_image.comment,
-          rewritten_image.command,
-          rewritten_image.compat_json,
-          parent_image,
+    existing = lookup_manifest(
+        repository_id,
+        manifest_interface_instance.digest,
+        allow_dead=True,
+        require_available=True,
+        temp_tag_expiration_sec=temp_tag_expiration_sec,
+    )
+    if existing is not None:
+        return CreatedManifest(
+            manifest=existing, newly_created=False, labels_to_apply=None
         )
 
-        parent_image_map[rewritten_image.image_id] = synthesized
-  except ManifestException:
-    logger.exception("exception when rewriting v1 metadata")
-    return None
+    return _create_manifest(
+        repository_id,
+        manifest_interface_instance,
+        storage,
+        temp_tag_expiration_sec,
+        for_tagging=for_tagging,
+        raise_on_error=raise_on_error,
+    )
 
-  return rewritten_images[-1].image_id
+
+def _create_manifest(
+    repository_id,
+    manifest_interface_instance,
+    storage,
+    temp_tag_expiration_sec=TEMP_TAG_EXPIRATION_SEC,
+    for_tagging=False,
+    raise_on_error=False,
+):
+    # Validate the manifest.
+    retriever = RepositoryContentRetriever.for_repository(repository_id, storage)
+    try:
+        manifest_interface_instance.validate(retriever)
+    except (
+        ManifestException,
+        MalformedSchema2ManifestList,
+        BlobDoesNotExist,
+        IOError,
+    ) as ex:
+        logger.exception(
+            "Could not validate manifest `%s`", manifest_interface_instance.digest
+        )
+        if raise_on_error:
+            raise CreateManifestException(ex)
+
+        return None
+
+    # Load, parse and get/create the child manifests, if any.
+    child_manifest_refs = manifest_interface_instance.child_manifests(retriever)
+    child_manifest_rows = {}
+    child_manifest_label_dicts = []
+
+    if child_manifest_refs is not None:
+        for child_manifest_ref in child_manifest_refs:
+            # Load and parse the child manifest.
+            try:
+                child_manifest = child_manifest_ref.manifest_obj
+            except (
+                ManifestException,
+                MalformedSchema2ManifestList,
+                BlobDoesNotExist,
+                IOError,
+            ) as ex:
+                logger.exception(
+                    "Could not load manifest list for manifest `%s`",
+                    manifest_interface_instance.digest,
+                )
+                if raise_on_error:
+                    raise CreateManifestException(ex)
+
+                return None
+
+            # Retrieve its labels.
+            labels = child_manifest.get_manifest_labels(retriever)
+            if labels is None:
+                logger.exception("Could not load manifest labels for child manifest")
+                return None
+
+            # Get/create the child manifest in the database.
+            child_manifest_info = get_or_create_manifest(
+                repository_id, child_manifest, storage, raise_on_error=raise_on_error
+            )
+            if child_manifest_info is None:
+                logger.error("Could not get/create child manifest")
+                return None
+
+            child_manifest_rows[
+                child_manifest_info.manifest.digest
+            ] = child_manifest_info.manifest
+            child_manifest_label_dicts.append(labels)
+
+    # Ensure all the blobs in the manifest exist.
+    digests = set(manifest_interface_instance.local_blob_digests)
+    blob_map = {}
+
+    # If the special empty layer is required, simply load it directly. This is much faster
+    # than trying to load it on a per repository basis, and that is unnecessary anyway since
+    # this layer is predefined.
+    if EMPTY_LAYER_BLOB_DIGEST in digests:
+        digests.remove(EMPTY_LAYER_BLOB_DIGEST)
+        blob_map[EMPTY_LAYER_BLOB_DIGEST] = get_shared_blob(EMPTY_LAYER_BLOB_DIGEST)
+        if not blob_map[EMPTY_LAYER_BLOB_DIGEST]:
+            logger.warning("Could not find the special empty blob in storage")
+            return None
+
+    if digests:
+        query = lookup_repo_storages_by_content_checksum(repository_id, digests)
+        blob_map.update({s.content_checksum: s for s in query})
+        for digest_str in digests:
+            if digest_str not in blob_map:
+                logger.warning(
+                    "Unknown blob `%s` under manifest `%s` for repository `%s`",
+                    digest_str,
+                    manifest_interface_instance.digest,
+                    repository_id,
+                )
+
+                if raise_on_error:
+                    raise CreateManifestException("Unknown blob `%s`" % digest_str)
+
+                return None
+
+    # Special check: If the empty layer blob is needed for this manifest, add it to the
+    # blob map. This is necessary because Docker decided to elide sending of this special
+    # empty layer in schema version 2, but we need to have it referenced for GC and schema version 1.
+    if EMPTY_LAYER_BLOB_DIGEST not in blob_map:
+        if manifest_interface_instance.get_requires_empty_layer_blob(retriever):
+            shared_blob = get_or_create_shared_blob(
+                EMPTY_LAYER_BLOB_DIGEST, EMPTY_LAYER_BYTES, storage
+            )
+            assert not shared_blob.uploading
+            assert shared_blob.content_checksum == EMPTY_LAYER_BLOB_DIGEST
+            blob_map[EMPTY_LAYER_BLOB_DIGEST] = shared_blob
+
+    # Determine and populate the legacy image if necessary. Manifest lists will not have a legacy
+    # image.
+    legacy_image = None
+    if manifest_interface_instance.has_legacy_image:
+        legacy_image_id = _populate_legacy_image(
+            repository_id, manifest_interface_instance, blob_map, retriever
+        )
+        if legacy_image_id is None:
+            return None
+
+        legacy_image = get_image(repository_id, legacy_image_id)
+        if legacy_image is None:
+            return None
+
+    # Create the manifest and its blobs.
+    media_type = Manifest.media_type.get_id(manifest_interface_instance.media_type)
+    storage_ids = {storage.id for storage in blob_map.values()}
+
+    with db_transaction():
+        # Check for the manifest. This is necessary because Postgres doesn't handle IntegrityErrors
+        # well under transactions.
+        try:
+            manifest = Manifest.get(
+                repository=repository_id, digest=manifest_interface_instance.digest
+            )
+            return CreatedManifest(
+                manifest=manifest, newly_created=False, labels_to_apply=None
+            )
+        except Manifest.DoesNotExist:
+            pass
+
+        # Create the manifest.
+        try:
+            manifest = Manifest.create(
+                repository=repository_id,
+                digest=manifest_interface_instance.digest,
+                media_type=media_type,
+                manifest_bytes=manifest_interface_instance.bytes.as_encoded_str(),
+            )
+        except IntegrityError:
+            manifest = Manifest.get(
+                repository=repository_id, digest=manifest_interface_instance.digest
+            )
+            return CreatedManifest(
+                manifest=manifest, newly_created=False, labels_to_apply=None
+            )
+
+        # Insert the blobs.
+        blobs_to_insert = [
+            dict(manifest=manifest, repository=repository_id, blob=storage_id)
+            for storage_id in storage_ids
+        ]
+        if blobs_to_insert:
+            ManifestBlob.insert_many(blobs_to_insert).execute()
+
+        # Set the legacy image (if applicable).
+        if legacy_image is not None:
+            ManifestLegacyImage.create(
+                repository=repository_id, image=legacy_image, manifest=manifest
+            )
+
+        # Insert the manifest child rows (if applicable).
+        if child_manifest_rows:
+            children_to_insert = [
+                dict(
+                    manifest=manifest,
+                    child_manifest=child_manifest,
+                    repository=repository_id,
+                )
+                for child_manifest in child_manifest_rows.values()
+            ]
+            ManifestChild.insert_many(children_to_insert).execute()
+
+        # If this manifest is being created not for immediate tagging, add a temporary tag to the
+        # manifest to ensure it isn't being GCed. If the manifest *is* for tagging, then since we're
+        # creating a new one here, it cannot be GCed (since it isn't referenced by anything yet), so
+        # its safe to elide the temp tag operation. If we ever change GC code to collect *all* manifests
+        # in a repository for GC, then we will have to reevaluate this optimization at that time.
+        if not for_tagging:
+            create_temporary_tag_if_necessary(manifest, temp_tag_expiration_sec)
+
+    # Define the labels for the manifest (if any).
+    labels = manifest_interface_instance.get_manifest_labels(retriever)
+    if labels:
+        for key, value in labels.iteritems():
+            media_type = "application/json" if is_json(value) else "text/plain"
+            create_manifest_label(manifest, key, value, "manifest", media_type)
+
+    # Return the dictionary of labels to apply (i.e. those labels that cause an action to be taken
+    # on the manifest or its resulting tags). We only return those labels either defined on
+    # the manifest or shared amongst all the child manifests. We intersect amongst all child manifests
+    # to ensure that any action performed is defined in all manifests.
+    labels_to_apply = labels or {}
+    if child_manifest_label_dicts:
+        labels_to_apply = child_manifest_label_dicts[0].viewitems()
+        for child_manifest_label_dict in child_manifest_label_dicts[1:]:
+            # Intersect the key+values of the labels to ensure we get the exact same result
+            # for all the child manifests.
+            labels_to_apply = labels_to_apply & child_manifest_label_dict.viewitems()
+
+        labels_to_apply = dict(labels_to_apply)
+
+    return CreatedManifest(
+        manifest=manifest, newly_created=True, labels_to_apply=labels_to_apply
+    )
+
+
+def _populate_legacy_image(
+    repository_id, manifest_interface_instance, blob_map, retriever
+):
+    # Lookup all the images and their parent images (if any) inside the manifest.
+    # This will let us know which v1 images we need to synthesize and which ones are invalid.
+    docker_image_ids = list(manifest_interface_instance.get_legacy_image_ids(retriever))
+    images_query = lookup_repository_images(repository_id, docker_image_ids)
+    image_storage_map = {i.docker_image_id: i.storage for i in images_query}
+
+    # Rewrite any v1 image IDs that do not match the checksum in the database.
+    try:
+        rewritten_images = manifest_interface_instance.generate_legacy_layers(
+            image_storage_map, retriever
+        )
+        rewritten_images = list(rewritten_images)
+        parent_image_map = {}
+
+        for rewritten_image in rewritten_images:
+            if not rewritten_image.image_id in image_storage_map:
+                parent_image = None
+                if rewritten_image.parent_image_id:
+                    parent_image = parent_image_map.get(rewritten_image.parent_image_id)
+                    if parent_image is None:
+                        parent_image = get_image(
+                            repository_id, rewritten_image.parent_image_id
+                        )
+                        if parent_image is None:
+                            return None
+
+                storage_reference = blob_map[rewritten_image.content_checksum]
+                synthesized = synthesize_v1_image(
+                    repository_id,
+                    storage_reference.id,
+                    storage_reference.image_size,
+                    rewritten_image.image_id,
+                    rewritten_image.created,
+                    rewritten_image.comment,
+                    rewritten_image.command,
+                    rewritten_image.compat_json,
+                    parent_image,
+                )
+
+                parent_image_map[rewritten_image.image_id] = synthesized
+    except ManifestException:
+        logger.exception("exception when rewriting v1 metadata")
+        return None
+
+    return rewritten_images[-1].image_id
diff --git a/data/model/oci/retriever.py b/data/model/oci/retriever.py
index b6e9633e0..b4f563058 100644
--- a/data/model/oci/retriever.py
+++ b/data/model/oci/retriever.py
@@ -3,35 +3,38 @@ from data.database import Manifest
 from data.model.oci.blob import get_repository_blob_by_digest
 from data.model.storage import get_layer_path
 
+
 class RepositoryContentRetriever(ContentRetriever):
-  """ Implementation of the ContentRetriever interface for manifests that retrieves
+    """ Implementation of the ContentRetriever interface for manifests that retrieves
       config blobs and child manifests for the specified repository.
   """
-  def __init__(self, repository_id, storage):
-    self.repository_id = repository_id
-    self.storage = storage
 
-  @classmethod
-  def for_repository(cls, repository_id, storage):
-    return RepositoryContentRetriever(repository_id, storage)
+    def __init__(self, repository_id, storage):
+        self.repository_id = repository_id
+        self.storage = storage
 
-  def get_manifest_bytes_with_digest(self, digest):
-    """ Returns the bytes of the manifest with the given digest or None if none found. """
-    query = (Manifest
-             .select()
-             .where(Manifest.repository == self.repository_id)
-             .where(Manifest.digest == digest))
+    @classmethod
+    def for_repository(cls, repository_id, storage):
+        return RepositoryContentRetriever(repository_id, storage)
 
-    try:
-      return query.get().manifest_bytes
-    except Manifest.DoesNotExist:
-      return None
+    def get_manifest_bytes_with_digest(self, digest):
+        """ Returns the bytes of the manifest with the given digest or None if none found. """
+        query = (
+            Manifest.select()
+            .where(Manifest.repository == self.repository_id)
+            .where(Manifest.digest == digest)
+        )
 
-  def get_blob_bytes_with_digest(self, digest):
-    """ Returns the bytes of the blob with the given digest or None if none found. """
-    blob = get_repository_blob_by_digest(self.repository_id, digest)
-    if blob is None:
-      return None
+        try:
+            return query.get().manifest_bytes
+        except Manifest.DoesNotExist:
+            return None
 
-    assert blob.locations is not None
-    return self.storage.get_content(blob.locations, get_layer_path(blob))
+    def get_blob_bytes_with_digest(self, digest):
+        """ Returns the bytes of the blob with the given digest or None if none found. """
+        blob = get_repository_blob_by_digest(self.repository_id, digest)
+        if blob is None:
+            return None
+
+        assert blob.locations is not None
+        return self.storage.get_content(blob.locations, get_layer_path(blob))
diff --git a/data/model/oci/shared.py b/data/model/oci/shared.py
index 887eda383..6bf59c18b 100644
--- a/data/model/oci/shared.py
+++ b/data/model/oci/shared.py
@@ -1,24 +1,27 @@
 from data.database import Manifest, ManifestLegacyImage, Image
 
+
 def get_legacy_image_for_manifest(manifest_id):
-  """ Returns the legacy image associated with the given manifest, if any, or None if none. """
-  try:
-    query = (ManifestLegacyImage
-             .select(ManifestLegacyImage, Image)
-             .join(Image)
-             .where(ManifestLegacyImage.manifest == manifest_id))
-    return query.get().image
-  except ManifestLegacyImage.DoesNotExist:
-    return None
+    """ Returns the legacy image associated with the given manifest, if any, or None if none. """
+    try:
+        query = (
+            ManifestLegacyImage.select(ManifestLegacyImage, Image)
+            .join(Image)
+            .where(ManifestLegacyImage.manifest == manifest_id)
+        )
+        return query.get().image
+    except ManifestLegacyImage.DoesNotExist:
+        return None
 
 
 def get_manifest_for_legacy_image(image_id):
-  """ Returns a manifest that is associated with the given image, if any, or None if none. """
-  try:
-    query = (ManifestLegacyImage
-             .select(ManifestLegacyImage, Manifest)
-             .join(Manifest)
-             .where(ManifestLegacyImage.image == image_id))
-    return query.get().manifest
-  except ManifestLegacyImage.DoesNotExist:
-    return None
+    """ Returns a manifest that is associated with the given image, if any, or None if none. """
+    try:
+        query = (
+            ManifestLegacyImage.select(ManifestLegacyImage, Manifest)
+            .join(Manifest)
+            .where(ManifestLegacyImage.image == image_id)
+        )
+        return query.get().manifest
+    except ManifestLegacyImage.DoesNotExist:
+        return None
diff --git a/data/model/oci/tag.py b/data/model/oci/tag.py
index 4ad1b8c18..45e2c8004 100644
--- a/data/model/oci/tag.py
+++ b/data/model/oci/tag.py
@@ -4,15 +4,31 @@ import logging
 from calendar import timegm
 from peewee import fn
 
-from data.database import (Tag, Manifest, ManifestLegacyImage, Image, ImageStorage,
-                           MediaType, RepositoryTag, TagManifest, TagManifestToManifest,
-                           get_epoch_timestamp_ms, db_transaction, Repository,
-                           TagToRepositoryTag, Namespace, RepositoryNotification,
-                           ExternalNotificationEvent)
+from data.database import (
+    Tag,
+    Manifest,
+    ManifestLegacyImage,
+    Image,
+    ImageStorage,
+    MediaType,
+    RepositoryTag,
+    TagManifest,
+    TagManifestToManifest,
+    get_epoch_timestamp_ms,
+    db_transaction,
+    Repository,
+    TagToRepositoryTag,
+    Namespace,
+    RepositoryNotification,
+    ExternalNotificationEvent,
+)
 from data.model.oci.shared import get_legacy_image_for_manifest
 from data.model import config
-from image.docker.schema1 import (DOCKER_SCHEMA1_CONTENT_TYPES, DockerSchema1Manifest,
-                                  MalformedSchema1Manifest)
+from image.docker.schema1 import (
+    DOCKER_SCHEMA1_CONTENT_TYPES,
+    DockerSchema1Manifest,
+    MalformedSchema1Manifest,
+)
 from util.bytes import Bytes
 from util.timedeltastring import convert_to_timedelta
 
@@ -20,486 +36,558 @@ logger = logging.getLogger(__name__)
 
 
 def get_tag_by_id(tag_id):
-  """ Returns the tag with the given ID, joined with its manifest or None if none. """
-  try:
-    return Tag.select(Tag, Manifest).join(Manifest).where(Tag.id == tag_id).get()
-  except Tag.DoesNotExist:
-    return None
+    """ Returns the tag with the given ID, joined with its manifest or None if none. """
+    try:
+        return Tag.select(Tag, Manifest).join(Manifest).where(Tag.id == tag_id).get()
+    except Tag.DoesNotExist:
+        return None
 
 
 def get_tag(repository_id, tag_name):
-  """ Returns the alive, non-hidden tag with the given name under the specified repository or
+    """ Returns the alive, non-hidden tag with the given name under the specified repository or
       None if none. The tag is returned joined with its manifest.
   """
-  query = (Tag
-           .select(Tag, Manifest)
-           .join(Manifest)
-           .where(Tag.repository == repository_id)
-           .where(Tag.name == tag_name))
+    query = (
+        Tag.select(Tag, Manifest)
+        .join(Manifest)
+        .where(Tag.repository == repository_id)
+        .where(Tag.name == tag_name)
+    )
 
-  query = filter_to_alive_tags(query)
+    query = filter_to_alive_tags(query)
 
-  try:
-    found = query.get()
-    assert not found.hidden
-    return found
-  except Tag.DoesNotExist:
-    return None
+    try:
+        found = query.get()
+        assert not found.hidden
+        return found
+    except Tag.DoesNotExist:
+        return None
 
 
 def lookup_alive_tags_shallow(repository_id, start_pagination_id=None, limit=None):
-  """ Returns a list of the tags alive in the specified repository. Note that the tags returned
+    """ Returns a list of the tags alive in the specified repository. Note that the tags returned
       *only* contain their ID and name. Also note that the Tags are returned ordered by ID.
   """
-  query = (Tag
-           .select(Tag.id, Tag.name)
-           .where(Tag.repository == repository_id)
-           .order_by(Tag.id))
+    query = (
+        Tag.select(Tag.id, Tag.name)
+        .where(Tag.repository == repository_id)
+        .order_by(Tag.id)
+    )
 
-  if start_pagination_id is not None:
-    query = query.where(Tag.id >= start_pagination_id)
+    if start_pagination_id is not None:
+        query = query.where(Tag.id >= start_pagination_id)
 
-  if limit is not None:
-    query = query.limit(limit)
+    if limit is not None:
+        query = query.limit(limit)
 
-  return filter_to_alive_tags(query)
+    return filter_to_alive_tags(query)
 
 
 def list_alive_tags(repository_id):
-  """ Returns a list of all the tags alive in the specified repository.
+    """ Returns a list of all the tags alive in the specified repository.
       Tag's returned are joined with their manifest.
   """
-  query = (Tag
-           .select(Tag, Manifest)
-           .join(Manifest)
-           .where(Tag.repository == repository_id))
+    query = (
+        Tag.select(Tag, Manifest).join(Manifest).where(Tag.repository == repository_id)
+    )
 
-  return filter_to_alive_tags(query)
+    return filter_to_alive_tags(query)
 
 
-def list_repository_tag_history(repository_id, page, page_size, specific_tag_name=None,
-                                active_tags_only=False, since_time_ms=None):
-  """ Returns a tuple of the full set of tags found in the specified repository, including those
+def list_repository_tag_history(
+    repository_id,
+    page,
+    page_size,
+    specific_tag_name=None,
+    active_tags_only=False,
+    since_time_ms=None,
+):
+    """ Returns a tuple of the full set of tags found in the specified repository, including those
       that are no longer alive (unless active_tags_only is True), and whether additional tags exist.
       If specific_tag_name is given, the tags are further filtered by name. If since is given, tags
       are further filtered to newer than that date.
 
       Note that the returned Manifest will not contain the manifest contents.
   """
-  query = (Tag
-           .select(Tag, Manifest.id, Manifest.digest, Manifest.media_type)
-           .join(Manifest)
-           .where(Tag.repository == repository_id)
-           .order_by(Tag.lifetime_start_ms.desc(), Tag.name)
-           .limit(page_size + 1)
-           .offset(page_size * (page - 1)))
+    query = (
+        Tag.select(Tag, Manifest.id, Manifest.digest, Manifest.media_type)
+        .join(Manifest)
+        .where(Tag.repository == repository_id)
+        .order_by(Tag.lifetime_start_ms.desc(), Tag.name)
+        .limit(page_size + 1)
+        .offset(page_size * (page - 1))
+    )
 
-  if specific_tag_name is not None:
-    query = query.where(Tag.name == specific_tag_name)
+    if specific_tag_name is not None:
+        query = query.where(Tag.name == specific_tag_name)
 
-  if since_time_ms is not None:
-    query = query.where((Tag.lifetime_start_ms > since_time_ms) | (Tag.lifetime_end_ms > since_time_ms))
+    if since_time_ms is not None:
+        query = query.where(
+            (Tag.lifetime_start_ms > since_time_ms)
+            | (Tag.lifetime_end_ms > since_time_ms)
+        )
 
-  if active_tags_only:
-    query = filter_to_alive_tags(query)
+    if active_tags_only:
+        query = filter_to_alive_tags(query)
 
-  query = filter_to_visible_tags(query)
-  results = list(query)
+    query = filter_to_visible_tags(query)
+    results = list(query)
 
-  return results[0:page_size], len(results) > page_size
+    return results[0:page_size], len(results) > page_size
 
 
 def get_legacy_images_for_tags(tags):
-  """ Returns a map from tag ID to the legacy image for the tag. """
-  if not tags:
-    return {}
+    """ Returns a map from tag ID to the legacy image for the tag. """
+    if not tags:
+        return {}
 
-  query = (ManifestLegacyImage
-           .select(ManifestLegacyImage, Image, ImageStorage)
-           .join(Image)
-           .join(ImageStorage)
-           .where(ManifestLegacyImage.manifest << [tag.manifest_id for tag in tags]))
+    query = (
+        ManifestLegacyImage.select(ManifestLegacyImage, Image, ImageStorage)
+        .join(Image)
+        .join(ImageStorage)
+        .where(ManifestLegacyImage.manifest << [tag.manifest_id for tag in tags])
+    )
 
-  by_manifest = {mli.manifest_id: mli.image for mli in query}
-  return {tag.id: by_manifest[tag.manifest_id] for tag in tags if tag.manifest_id in by_manifest}
+    by_manifest = {mli.manifest_id: mli.image for mli in query}
+    return {
+        tag.id: by_manifest[tag.manifest_id]
+        for tag in tags
+        if tag.manifest_id in by_manifest
+    }
 
 
 def find_matching_tag(repository_id, tag_names, tag_kinds=None):
-  """ Finds an alive tag in the specified repository with one of the specified tag names and
+    """ Finds an alive tag in the specified repository with one of the specified tag names and
       returns it or None if none. Tag's returned are joined with their manifest.
   """
-  assert repository_id
-  assert tag_names
+    assert repository_id
+    assert tag_names
 
-  query = (Tag
-           .select(Tag, Manifest)
-           .join(Manifest)
-           .where(Tag.repository == repository_id)
-           .where(Tag.name << tag_names))
+    query = (
+        Tag.select(Tag, Manifest)
+        .join(Manifest)
+        .where(Tag.repository == repository_id)
+        .where(Tag.name << tag_names)
+    )
 
-  if tag_kinds:
-    query = query.where(Tag.tag_kind << tag_kinds)
+    if tag_kinds:
+        query = query.where(Tag.tag_kind << tag_kinds)
 
-  try:
-    found = filter_to_alive_tags(query).get()
-    assert not found.hidden
-    return found
-  except Tag.DoesNotExist:
-    return None
+    try:
+        found = filter_to_alive_tags(query).get()
+        assert not found.hidden
+        return found
+    except Tag.DoesNotExist:
+        return None
 
 
 def get_most_recent_tag_lifetime_start(repository_ids):
-  """ Returns a map from repo ID to the timestamp of the most recently pushed alive tag 
+    """ Returns a map from repo ID to the timestamp of the most recently pushed alive tag 
       for each specified repository or None if none. 
   """
-  assert len(repository_ids) > 0 and None not in repository_ids
+    assert len(repository_ids) > 0 and None not in repository_ids
 
-  query = (Tag.select(Tag.repository, fn.Max(Tag.lifetime_start_ms))
-              .where(Tag.repository << [repo_id for repo_id in repository_ids])
-              .group_by(Tag.repository))
-  tuples = filter_to_alive_tags(query).tuples()
+    query = (
+        Tag.select(Tag.repository, fn.Max(Tag.lifetime_start_ms))
+        .where(Tag.repository << [repo_id for repo_id in repository_ids])
+        .group_by(Tag.repository)
+    )
+    tuples = filter_to_alive_tags(query).tuples()
 
-  return {repo_id: timestamp for repo_id, timestamp in tuples}   
+    return {repo_id: timestamp for repo_id, timestamp in tuples}
 
 
 def get_most_recent_tag(repository_id):
-  """ Returns the most recently pushed alive tag in the specified repository or None if none.
+    """ Returns the most recently pushed alive tag in the specified repository or None if none.
       The Tag returned is joined with its manifest.
   """
-  assert repository_id
+    assert repository_id
 
-  query = (Tag
-           .select(Tag, Manifest)
-           .join(Manifest)
-           .where(Tag.repository == repository_id)
-           .order_by(Tag.lifetime_start_ms.desc()))
+    query = (
+        Tag.select(Tag, Manifest)
+        .join(Manifest)
+        .where(Tag.repository == repository_id)
+        .order_by(Tag.lifetime_start_ms.desc())
+    )
 
-  try:
-    found = filter_to_alive_tags(query).get()
-    assert not found.hidden
-    return found
-  except Tag.DoesNotExist:
-    return None
+    try:
+        found = filter_to_alive_tags(query).get()
+        assert not found.hidden
+        return found
+    except Tag.DoesNotExist:
+        return None
 
 
 def get_expired_tag(repository_id, tag_name):
-  """ Returns a tag with the given name that is expired in the repository or None if none.
+    """ Returns a tag with the given name that is expired in the repository or None if none.
   """
-  try:
-    return (Tag
-            .select()
+    try:
+        return (
+            Tag.select()
             .where(Tag.name == tag_name, Tag.repository == repository_id)
             .where(~(Tag.lifetime_end_ms >> None))
             .where(Tag.lifetime_end_ms <= get_epoch_timestamp_ms())
-            .get())
-  except Tag.DoesNotExist:
-    return None
+            .get()
+        )
+    except Tag.DoesNotExist:
+        return None
 
 
 def create_temporary_tag_if_necessary(manifest, expiration_sec):
-  """ Creates a temporary tag pointing to the given manifest, with the given expiration in seconds,
+    """ Creates a temporary tag pointing to the given manifest, with the given expiration in seconds,
       unless there is an existing tag that will keep the manifest around.
   """
-  tag_name = '$temp-%s' % str(uuid.uuid4())
-  now_ms = get_epoch_timestamp_ms()
-  end_ms = now_ms + (expiration_sec * 1000)
+    tag_name = "$temp-%s" % str(uuid.uuid4())
+    now_ms = get_epoch_timestamp_ms()
+    end_ms = now_ms + (expiration_sec * 1000)
 
-  # Check if there is an existing tag on the manifest that won't expire within the
-  # timeframe. If so, no need for a temporary tag.
-  with db_transaction():
-    try:
-      (Tag
-       .select()
-       .where(Tag.manifest == manifest,
-              (Tag.lifetime_end_ms >> None) | (Tag.lifetime_end_ms >= end_ms))
-       .get())
-      return None
-    except Tag.DoesNotExist:
-      pass
+    # Check if there is an existing tag on the manifest that won't expire within the
+    # timeframe. If so, no need for a temporary tag.
+    with db_transaction():
+        try:
+            (
+                Tag.select()
+                .where(
+                    Tag.manifest == manifest,
+                    (Tag.lifetime_end_ms >> None) | (Tag.lifetime_end_ms >= end_ms),
+                )
+                .get()
+            )
+            return None
+        except Tag.DoesNotExist:
+            pass
 
-    return Tag.create(name=tag_name,
-                      repository=manifest.repository_id,
-                      lifetime_start_ms=now_ms,
-                      lifetime_end_ms=end_ms,
-                      reversion=False,
-                      hidden=True,
-                      manifest=manifest,
-                      tag_kind=Tag.tag_kind.get_id('tag'))
+        return Tag.create(
+            name=tag_name,
+            repository=manifest.repository_id,
+            lifetime_start_ms=now_ms,
+            lifetime_end_ms=end_ms,
+            reversion=False,
+            hidden=True,
+            manifest=manifest,
+            tag_kind=Tag.tag_kind.get_id("tag"),
+        )
 
 
-def retarget_tag(tag_name, manifest_id, is_reversion=False, now_ms=None, adjust_old_model=True):
-  """ Creates or updates a tag with the specified name to point to the given manifest under
+def retarget_tag(
+    tag_name, manifest_id, is_reversion=False, now_ms=None, adjust_old_model=True
+):
+    """ Creates or updates a tag with the specified name to point to the given manifest under
       its repository. If this action is a reversion to a previous manifest, is_reversion
       should be set to True. Returns the newly created tag row or None on error.
   """
-  try:
-    manifest = (Manifest
-                .select(Manifest, MediaType)
-                .join(MediaType)
-                .where(Manifest.id == manifest_id)
-                .get())
-  except Manifest.DoesNotExist:
-    return None
-
-  # CHECK: Make sure that we are not mistargeting a schema 1 manifest to a tag with a different
-  # name.
-  if manifest.media_type.name in DOCKER_SCHEMA1_CONTENT_TYPES:
     try:
-      parsed = DockerSchema1Manifest(Bytes.for_string_or_unicode(manifest.manifest_bytes),
-                                     validate=False)
-      if parsed.tag != tag_name:
-        logger.error('Tried to re-target schema1 manifest with tag `%s` to tag `%s', parsed.tag,
-                     tag_name)
-        return None
-    except MalformedSchema1Manifest:
-      logger.exception('Could not parse schema1 manifest')
-      return None
-
-  legacy_image = get_legacy_image_for_manifest(manifest)
-  now_ms = now_ms or get_epoch_timestamp_ms()
-  now_ts = int(now_ms / 1000)
-
-  with db_transaction():
-    # Lookup an existing tag in the repository with the same name and, if present, mark it
-    # as expired.
-    existing_tag = get_tag(manifest.repository_id, tag_name)
-    if existing_tag is not None:
-      _, okay = set_tag_end_ms(existing_tag, now_ms)
-
-      # TODO: should we retry here and/or use a for-update?
-      if not okay:
+        manifest = (
+            Manifest.select(Manifest, MediaType)
+            .join(MediaType)
+            .where(Manifest.id == manifest_id)
+            .get()
+        )
+    except Manifest.DoesNotExist:
         return None
 
-    # Create a new tag pointing to the manifest with a lifetime start of now.
-    created = Tag.create(name=tag_name, repository=manifest.repository_id, lifetime_start_ms=now_ms,
-                         reversion=is_reversion, manifest=manifest,
-                         tag_kind=Tag.tag_kind.get_id('tag'))
+    # CHECK: Make sure that we are not mistargeting a schema 1 manifest to a tag with a different
+    # name.
+    if manifest.media_type.name in DOCKER_SCHEMA1_CONTENT_TYPES:
+        try:
+            parsed = DockerSchema1Manifest(
+                Bytes.for_string_or_unicode(manifest.manifest_bytes), validate=False
+            )
+            if parsed.tag != tag_name:
+                logger.error(
+                    "Tried to re-target schema1 manifest with tag `%s` to tag `%s",
+                    parsed.tag,
+                    tag_name,
+                )
+                return None
+        except MalformedSchema1Manifest:
+            logger.exception("Could not parse schema1 manifest")
+            return None
 
-    # TODO: Remove the linkage code once RepositoryTag is gone.
-    # If this is a schema 1 manifest, then add a TagManifest linkage to it. Otherwise, it will only
-    # be pullable via the new OCI model.
-    if adjust_old_model:
-      if manifest.media_type.name in DOCKER_SCHEMA1_CONTENT_TYPES and legacy_image is not None:
-        old_style_tag = RepositoryTag.create(repository=manifest.repository_id, image=legacy_image,
-                                             name=tag_name, lifetime_start_ts=now_ts,
-                                             reversion=is_reversion)
-        TagToRepositoryTag.create(tag=created, repository_tag=old_style_tag,
-                                  repository=manifest.repository_id)
+    legacy_image = get_legacy_image_for_manifest(manifest)
+    now_ms = now_ms or get_epoch_timestamp_ms()
+    now_ts = int(now_ms / 1000)
 
-        tag_manifest = TagManifest.create(tag=old_style_tag, digest=manifest.digest,
-                                          json_data=manifest.manifest_bytes)
-        TagManifestToManifest.create(tag_manifest=tag_manifest, manifest=manifest,
-                                     repository=manifest.repository_id)
+    with db_transaction():
+        # Lookup an existing tag in the repository with the same name and, if present, mark it
+        # as expired.
+        existing_tag = get_tag(manifest.repository_id, tag_name)
+        if existing_tag is not None:
+            _, okay = set_tag_end_ms(existing_tag, now_ms)
 
-    return created
+            # TODO: should we retry here and/or use a for-update?
+            if not okay:
+                return None
+
+        # Create a new tag pointing to the manifest with a lifetime start of now.
+        created = Tag.create(
+            name=tag_name,
+            repository=manifest.repository_id,
+            lifetime_start_ms=now_ms,
+            reversion=is_reversion,
+            manifest=manifest,
+            tag_kind=Tag.tag_kind.get_id("tag"),
+        )
+
+        # TODO: Remove the linkage code once RepositoryTag is gone.
+        # If this is a schema 1 manifest, then add a TagManifest linkage to it. Otherwise, it will only
+        # be pullable via the new OCI model.
+        if adjust_old_model:
+            if (
+                manifest.media_type.name in DOCKER_SCHEMA1_CONTENT_TYPES
+                and legacy_image is not None
+            ):
+                old_style_tag = RepositoryTag.create(
+                    repository=manifest.repository_id,
+                    image=legacy_image,
+                    name=tag_name,
+                    lifetime_start_ts=now_ts,
+                    reversion=is_reversion,
+                )
+                TagToRepositoryTag.create(
+                    tag=created,
+                    repository_tag=old_style_tag,
+                    repository=manifest.repository_id,
+                )
+
+                tag_manifest = TagManifest.create(
+                    tag=old_style_tag,
+                    digest=manifest.digest,
+                    json_data=manifest.manifest_bytes,
+                )
+                TagManifestToManifest.create(
+                    tag_manifest=tag_manifest,
+                    manifest=manifest,
+                    repository=manifest.repository_id,
+                )
+
+        return created
 
 
 def delete_tag(repository_id, tag_name):
-  """ Deletes the alive tag with the given name in the specified repository and returns the deleted
+    """ Deletes the alive tag with the given name in the specified repository and returns the deleted
       tag. If the tag did not exist, returns None.
   """
-  tag = get_tag(repository_id, tag_name)
-  if tag is None:
-    return None
+    tag = get_tag(repository_id, tag_name)
+    if tag is None:
+        return None
 
-  return _delete_tag(tag, get_epoch_timestamp_ms())
+    return _delete_tag(tag, get_epoch_timestamp_ms())
 
 
 def _delete_tag(tag, now_ms):
-  """ Deletes the given tag by marking it as expired. """
-  now_ts = int(now_ms / 1000)
+    """ Deletes the given tag by marking it as expired. """
+    now_ts = int(now_ms / 1000)
 
-  with db_transaction():
-    updated = (Tag
-               .update(lifetime_end_ms=now_ms)
-               .where(Tag.id == tag.id, Tag.lifetime_end_ms == tag.lifetime_end_ms)
-               .execute())
-    if updated != 1:
-      return None
+    with db_transaction():
+        updated = (
+            Tag.update(lifetime_end_ms=now_ms)
+            .where(Tag.id == tag.id, Tag.lifetime_end_ms == tag.lifetime_end_ms)
+            .execute()
+        )
+        if updated != 1:
+            return None
 
-    # TODO: Remove the linkage code once RepositoryTag is gone.
-    try:
-      old_style_tag = (TagToRepositoryTag
-                       .select(TagToRepositoryTag, RepositoryTag)
-                       .join(RepositoryTag)
-                       .where(TagToRepositoryTag.tag == tag)
-                       .get()).repository_tag
+        # TODO: Remove the linkage code once RepositoryTag is gone.
+        try:
+            old_style_tag = (
+                TagToRepositoryTag.select(TagToRepositoryTag, RepositoryTag)
+                .join(RepositoryTag)
+                .where(TagToRepositoryTag.tag == tag)
+                .get()
+            ).repository_tag
 
-      old_style_tag.lifetime_end_ts = now_ts
-      old_style_tag.save()
-    except TagToRepositoryTag.DoesNotExist:
-      pass
+            old_style_tag.lifetime_end_ts = now_ts
+            old_style_tag.save()
+        except TagToRepositoryTag.DoesNotExist:
+            pass
 
-    return tag
+        return tag
 
 
 def delete_tags_for_manifest(manifest):
-  """ Deletes all tags pointing to the given manifest. Returns the list of tags 
+    """ Deletes all tags pointing to the given manifest. Returns the list of tags 
       deleted.
   """
-  query = Tag.select().where(Tag.manifest == manifest)
-  query = filter_to_alive_tags(query)
-  query = filter_to_visible_tags(query)
+    query = Tag.select().where(Tag.manifest == manifest)
+    query = filter_to_alive_tags(query)
+    query = filter_to_visible_tags(query)
 
-  tags = list(query)
-  now_ms = get_epoch_timestamp_ms()
+    tags = list(query)
+    now_ms = get_epoch_timestamp_ms()
 
-  with db_transaction():
-    for tag in tags:
-      _delete_tag(tag, now_ms)
+    with db_transaction():
+        for tag in tags:
+            _delete_tag(tag, now_ms)
 
-  return tags
+    return tags
 
 
 def filter_to_visible_tags(query):
-  """ Adjusts the specified Tag query to only return those tags that are visible.
+    """ Adjusts the specified Tag query to only return those tags that are visible.
   """
-  return query.where(Tag.hidden == False)
+    return query.where(Tag.hidden == False)
 
 
 def filter_to_alive_tags(query, now_ms=None, model=Tag):
-  """ Adjusts the specified Tag query to only return those tags alive. If now_ms is specified,
+    """ Adjusts the specified Tag query to only return those tags alive. If now_ms is specified,
       the given timestamp (in MS) is used in place of the current timestamp for determining wherther
       a tag is alive.
   """
-  if now_ms is None:
-    now_ms = get_epoch_timestamp_ms()
+    if now_ms is None:
+        now_ms = get_epoch_timestamp_ms()
 
-  return (query.where((model.lifetime_end_ms >> None) | (model.lifetime_end_ms > now_ms))
-               .where(model.hidden == False))
+    return query.where(
+        (model.lifetime_end_ms >> None) | (model.lifetime_end_ms > now_ms)
+    ).where(model.hidden == False)
 
 
 def set_tag_expiration_sec_for_manifest(manifest_id, expiration_seconds):
-  """ Sets the tag expiration for any tags that point to the given manifest ID. """
-  query = Tag.select().where(Tag.manifest == manifest_id)
-  query = filter_to_alive_tags(query)
-  tags = list(query)
-  for tag in tags:
-    assert not tag.hidden
-    set_tag_end_ms(tag, tag.lifetime_start_ms + (expiration_seconds * 1000))
+    """ Sets the tag expiration for any tags that point to the given manifest ID. """
+    query = Tag.select().where(Tag.manifest == manifest_id)
+    query = filter_to_alive_tags(query)
+    tags = list(query)
+    for tag in tags:
+        assert not tag.hidden
+        set_tag_end_ms(tag, tag.lifetime_start_ms + (expiration_seconds * 1000))
 
-  return tags
+    return tags
 
 
 def set_tag_expiration_for_manifest(manifest_id, expiration_datetime):
-  """ Sets the tag expiration for any tags that point to the given manifest ID. """
-  query = Tag.select().where(Tag.manifest == manifest_id)
-  query = filter_to_alive_tags(query)
-  tags = list(query)
-  for tag in tags:
-    assert not tag.hidden
-    change_tag_expiration(tag, expiration_datetime)
+    """ Sets the tag expiration for any tags that point to the given manifest ID. """
+    query = Tag.select().where(Tag.manifest == manifest_id)
+    query = filter_to_alive_tags(query)
+    tags = list(query)
+    for tag in tags:
+        assert not tag.hidden
+        change_tag_expiration(tag, expiration_datetime)
 
-  return tags
+    return tags
 
 
 def change_tag_expiration(tag_id, expiration_datetime):
-  """ Changes the expiration of the specified tag to the given expiration datetime. If
+    """ Changes the expiration of the specified tag to the given expiration datetime. If
       the expiration datetime is None, then the tag is marked as not expiring. Returns
       a tuple of the previous expiration timestamp in seconds (if any), and whether the
       operation succeeded.
   """
-  try:
-    tag = Tag.get(id=tag_id)
-  except Tag.DoesNotExist:
-    return (None, False)
+    try:
+        tag = Tag.get(id=tag_id)
+    except Tag.DoesNotExist:
+        return (None, False)
 
-  new_end_ms = None
-  min_expire_sec = convert_to_timedelta(config.app_config.get('LABELED_EXPIRATION_MINIMUM', '1h'))
-  max_expire_sec = convert_to_timedelta(config.app_config.get('LABELED_EXPIRATION_MAXIMUM', '104w'))
+    new_end_ms = None
+    min_expire_sec = convert_to_timedelta(
+        config.app_config.get("LABELED_EXPIRATION_MINIMUM", "1h")
+    )
+    max_expire_sec = convert_to_timedelta(
+        config.app_config.get("LABELED_EXPIRATION_MAXIMUM", "104w")
+    )
 
-  if expiration_datetime is not None:
-    lifetime_start_ts = int(tag.lifetime_start_ms / 1000)
+    if expiration_datetime is not None:
+        lifetime_start_ts = int(tag.lifetime_start_ms / 1000)
 
-    offset = timegm(expiration_datetime.utctimetuple()) - lifetime_start_ts
-    offset = min(max(offset, min_expire_sec.total_seconds()), max_expire_sec.total_seconds())
-    new_end_ms = tag.lifetime_start_ms + (offset * 1000)
+        offset = timegm(expiration_datetime.utctimetuple()) - lifetime_start_ts
+        offset = min(
+            max(offset, min_expire_sec.total_seconds()), max_expire_sec.total_seconds()
+        )
+        new_end_ms = tag.lifetime_start_ms + (offset * 1000)
 
-  if new_end_ms == tag.lifetime_end_ms:
-    return (None, True)
+    if new_end_ms == tag.lifetime_end_ms:
+        return (None, True)
 
-  return set_tag_end_ms(tag, new_end_ms)
+    return set_tag_end_ms(tag, new_end_ms)
 
 
 def lookup_unrecoverable_tags(repo):
-  """ Returns the tags in a repository that are expired and past their time machine recovery
+    """ Returns the tags in a repository that are expired and past their time machine recovery
       period. """
-  expired_clause = get_epoch_timestamp_ms() - (Namespace.removed_tag_expiration_s * 1000)
-  return (Tag
-          .select()
-          .join(Repository)
-          .join(Namespace, on=(Repository.namespace_user == Namespace.id))
-          .where(Tag.repository == repo)
-          .where(~(Tag.lifetime_end_ms >> None), Tag.lifetime_end_ms <= expired_clause))
+    expired_clause = get_epoch_timestamp_ms() - (
+        Namespace.removed_tag_expiration_s * 1000
+    )
+    return (
+        Tag.select()
+        .join(Repository)
+        .join(Namespace, on=(Repository.namespace_user == Namespace.id))
+        .where(Tag.repository == repo)
+        .where(~(Tag.lifetime_end_ms >> None), Tag.lifetime_end_ms <= expired_clause)
+    )
 
 
 def set_tag_end_ms(tag, end_ms):
-  """ Sets the end timestamp for a tag. Should only be called by change_tag_expiration
+    """ Sets the end timestamp for a tag. Should only be called by change_tag_expiration
       or tests.
   """
 
-  with db_transaction():
-    updated = (Tag
-               .update(lifetime_end_ms=end_ms)
-               .where(Tag.id == tag)
-               .where(Tag.lifetime_end_ms == tag.lifetime_end_ms)
-               .execute())
-    if updated != 1:
-      return (None, False)
+    with db_transaction():
+        updated = (
+            Tag.update(lifetime_end_ms=end_ms)
+            .where(Tag.id == tag)
+            .where(Tag.lifetime_end_ms == tag.lifetime_end_ms)
+            .execute()
+        )
+        if updated != 1:
+            return (None, False)
 
-    # TODO: Remove the linkage code once RepositoryTag is gone.
-    try:
-      old_style_tag = (TagToRepositoryTag
-                       .select(TagToRepositoryTag, RepositoryTag)
-                       .join(RepositoryTag)
-                       .where(TagToRepositoryTag.tag == tag)
-                       .get()).repository_tag
+        # TODO: Remove the linkage code once RepositoryTag is gone.
+        try:
+            old_style_tag = (
+                TagToRepositoryTag.select(TagToRepositoryTag, RepositoryTag)
+                .join(RepositoryTag)
+                .where(TagToRepositoryTag.tag == tag)
+                .get()
+            ).repository_tag
 
-      old_style_tag.lifetime_end_ts = end_ms / 1000 if end_ms is not None else None
-      old_style_tag.save()
-    except TagToRepositoryTag.DoesNotExist:
-      pass
+            old_style_tag.lifetime_end_ts = (
+                end_ms / 1000 if end_ms is not None else None
+            )
+            old_style_tag.save()
+        except TagToRepositoryTag.DoesNotExist:
+            pass
 
-    return (tag.lifetime_end_ms, True)
+        return (tag.lifetime_end_ms, True)
 
 
 def tags_containing_legacy_image(image):
-  """ Yields all alive Tags containing the given image as a legacy image, somewhere in its
+    """ Yields all alive Tags containing the given image as a legacy image, somewhere in its
       legacy image hierarchy.
   """
-  ancestors_str = '%s%s/%%' % (image.ancestors, image.id)
-  tags = (Tag
-          .select()
-          .join(Repository)
-          .switch(Tag)
-          .join(Manifest)
-          .join(ManifestLegacyImage)
-          .join(Image)
-          .where(Tag.repository == image.repository_id)
-          .where(Image.repository == image.repository_id)
-          .where((Image.id == image.id) |
-                 (Image.ancestors ** ancestors_str)))
-  return filter_to_alive_tags(tags)
+    ancestors_str = "%s%s/%%" % (image.ancestors, image.id)
+    tags = (
+        Tag.select()
+        .join(Repository)
+        .switch(Tag)
+        .join(Manifest)
+        .join(ManifestLegacyImage)
+        .join(Image)
+        .where(Tag.repository == image.repository_id)
+        .where(Image.repository == image.repository_id)
+        .where((Image.id == image.id) | (Image.ancestors ** ancestors_str))
+    )
+    return filter_to_alive_tags(tags)
 
 
 def lookup_notifiable_tags_for_legacy_image(docker_image_id, storage_uuid, event_name):
-  """ Yields any alive Tags found in repositories with an event with the given name registered
+    """ Yields any alive Tags found in repositories with an event with the given name registered
       and whose legacy Image has the given docker image ID and storage UUID.
   """
-  event = ExternalNotificationEvent.get(name=event_name)
-  images = (Image
-            .select()
-            .join(ImageStorage)
-            .where(Image.docker_image_id == docker_image_id,
-                   ImageStorage.uuid == storage_uuid))
+    event = ExternalNotificationEvent.get(name=event_name)
+    images = (
+        Image.select()
+        .join(ImageStorage)
+        .where(
+            Image.docker_image_id == docker_image_id, ImageStorage.uuid == storage_uuid
+        )
+    )
 
-  for image in list(images):
-    # Ensure the image is under a repository that supports the event.
-    try:
-      RepositoryNotification.get(repository=image.repository_id, event=event)
-    except RepositoryNotification.DoesNotExist:
-      continue
+    for image in list(images):
+        # Ensure the image is under a repository that supports the event.
+        try:
+            RepositoryNotification.get(repository=image.repository_id, event=event)
+        except RepositoryNotification.DoesNotExist:
+            continue
 
-    # If found in a repository with the valid event, yield the tag(s) that contains the image.
-    for tag in tags_containing_legacy_image(image):
-      yield tag
+        # If found in a repository with the valid event, yield the tag(s) that contains the image.
+        for tag in tags_containing_legacy_image(image):
+            yield tag
diff --git a/data/model/oci/test/test_oci_label.py b/data/model/oci/test/test_oci_label.py
index 2ba04521b..b849303bc 100644
--- a/data/model/oci/test/test_oci_label.py
+++ b/data/model/oci/test/test_oci_label.py
@@ -3,85 +3,108 @@ import pytest
 from playhouse.test_utils import assert_query_count
 
 from data.database import Manifest, ManifestLabel
-from data.model.oci.label import (create_manifest_label, list_manifest_labels, get_manifest_label,
-                                  delete_manifest_label, DataModelException)
+from data.model.oci.label import (
+    create_manifest_label,
+    list_manifest_labels,
+    get_manifest_label,
+    delete_manifest_label,
+    DataModelException,
+)
 
 from test.fixtures import *
 
 
-@pytest.mark.parametrize('key, value, source_type, expected_error', [
-  ('foo', 'bar', 'manifest', None),
-
-  pytest.param('..foo', 'bar', 'manifest', None, id='invalid key on manifest'),
-  pytest.param('..foo', 'bar', 'api', 'is invalid', id='invalid key on api'),
-])
+@pytest.mark.parametrize(
+    "key, value, source_type, expected_error",
+    [
+        ("foo", "bar", "manifest", None),
+        pytest.param("..foo", "bar", "manifest", None, id="invalid key on manifest"),
+        pytest.param("..foo", "bar", "api", "is invalid", id="invalid key on api"),
+    ],
+)
 def test_create_manifest_label(key, value, source_type, expected_error, initialized_db):
-  manifest = Manifest.get()
+    manifest = Manifest.get()
 
-  if expected_error:
-    with pytest.raises(DataModelException) as ex:
-      create_manifest_label(manifest, key, value, source_type)
+    if expected_error:
+        with pytest.raises(DataModelException) as ex:
+            create_manifest_label(manifest, key, value, source_type)
 
-    assert ex.match(expected_error)
-    return
+        assert ex.match(expected_error)
+        return
 
-  label = create_manifest_label(manifest, key, value, source_type)
-  labels = [ml.label_id for ml in ManifestLabel.select().where(ManifestLabel.manifest == manifest)]
-  assert label.id in labels
+    label = create_manifest_label(manifest, key, value, source_type)
+    labels = [
+        ml.label_id
+        for ml in ManifestLabel.select().where(ManifestLabel.manifest == manifest)
+    ]
+    assert label.id in labels
 
-  with assert_query_count(1):
-    assert label in list_manifest_labels(manifest)
+    with assert_query_count(1):
+        assert label in list_manifest_labels(manifest)
 
-  assert label not in list_manifest_labels(manifest, 'someprefix')
-  assert label in list_manifest_labels(manifest, key[0:2])
+    assert label not in list_manifest_labels(manifest, "someprefix")
+    assert label in list_manifest_labels(manifest, key[0:2])
 
-  with assert_query_count(1):
-    assert get_manifest_label(label.uuid, manifest) == label
+    with assert_query_count(1):
+        assert get_manifest_label(label.uuid, manifest) == label
 
 
 def test_list_manifest_labels(initialized_db):
-  manifest = Manifest.get()
+    manifest = Manifest.get()
 
-  label1 = create_manifest_label(manifest, 'foo', '1', 'manifest')
-  label2 = create_manifest_label(manifest, 'bar', '2', 'api')
-  label3 = create_manifest_label(manifest, 'baz', '3', 'internal')
+    label1 = create_manifest_label(manifest, "foo", "1", "manifest")
+    label2 = create_manifest_label(manifest, "bar", "2", "api")
+    label3 = create_manifest_label(manifest, "baz", "3", "internal")
 
-  assert label1 in list_manifest_labels(manifest)
-  assert label2 in list_manifest_labels(manifest)
-  assert label3 in list_manifest_labels(manifest)
+    assert label1 in list_manifest_labels(manifest)
+    assert label2 in list_manifest_labels(manifest)
+    assert label3 in list_manifest_labels(manifest)
 
-  other_manifest = Manifest.select().where(Manifest.id != manifest.id).get()
-  assert label1 not in list_manifest_labels(other_manifest)
-  assert label2 not in list_manifest_labels(other_manifest)
-  assert label3 not in list_manifest_labels(other_manifest)
+    other_manifest = Manifest.select().where(Manifest.id != manifest.id).get()
+    assert label1 not in list_manifest_labels(other_manifest)
+    assert label2 not in list_manifest_labels(other_manifest)
+    assert label3 not in list_manifest_labels(other_manifest)
 
 
 def test_get_manifest_label(initialized_db):
-  found = False
-  for manifest_label in ManifestLabel.select():
-    assert (get_manifest_label(manifest_label.label.uuid, manifest_label.manifest) ==
-            manifest_label.label)
-    assert manifest_label.label in list_manifest_labels(manifest_label.manifest)
-    found = True
+    found = False
+    for manifest_label in ManifestLabel.select():
+        assert (
+            get_manifest_label(manifest_label.label.uuid, manifest_label.manifest)
+            == manifest_label.label
+        )
+        assert manifest_label.label in list_manifest_labels(manifest_label.manifest)
+        found = True
 
-  assert found
+    assert found
 
 
 def test_delete_manifest_label(initialized_db):
-  found = False
-  for manifest_label in list(ManifestLabel.select()):
-    assert (get_manifest_label(manifest_label.label.uuid, manifest_label.manifest) ==
-            manifest_label.label)
-    assert manifest_label.label in list_manifest_labels(manifest_label.manifest)
+    found = False
+    for manifest_label in list(ManifestLabel.select()):
+        assert (
+            get_manifest_label(manifest_label.label.uuid, manifest_label.manifest)
+            == manifest_label.label
+        )
+        assert manifest_label.label in list_manifest_labels(manifest_label.manifest)
 
-    if manifest_label.label.source_type.mutable:
-      assert delete_manifest_label(manifest_label.label.uuid, manifest_label.manifest)
-      assert manifest_label.label not in list_manifest_labels(manifest_label.manifest)
-      assert get_manifest_label(manifest_label.label.uuid, manifest_label.manifest) is None
-    else:
-      with pytest.raises(DataModelException):
-        delete_manifest_label(manifest_label.label.uuid, manifest_label.manifest)
+        if manifest_label.label.source_type.mutable:
+            assert delete_manifest_label(
+                manifest_label.label.uuid, manifest_label.manifest
+            )
+            assert manifest_label.label not in list_manifest_labels(
+                manifest_label.manifest
+            )
+            assert (
+                get_manifest_label(manifest_label.label.uuid, manifest_label.manifest)
+                is None
+            )
+        else:
+            with pytest.raises(DataModelException):
+                delete_manifest_label(
+                    manifest_label.label.uuid, manifest_label.manifest
+                )
 
-    found = True
+        found = True
 
-  assert found
+    assert found
diff --git a/data/model/oci/test/test_oci_manifest.py b/data/model/oci/test/test_oci_manifest.py
index 4c5d6ed3b..5dc4278f3 100644
--- a/data/model/oci/test/test_oci_manifest.py
+++ b/data/model/oci/test/test_oci_manifest.py
@@ -5,8 +5,16 @@ from playhouse.test_utils import assert_query_count
 from app import docker_v2_signing_key, storage
 
 from digest.digest_tools import sha256_digest
-from data.database import (Tag, ManifestBlob, ImageStorageLocation, ManifestChild,
-                           ImageStorage, Image, RepositoryTag, get_epoch_timestamp_ms)
+from data.database import (
+    Tag,
+    ManifestBlob,
+    ImageStorageLocation,
+    ManifestChild,
+    ImageStorage,
+    Image,
+    RepositoryTag,
+    get_epoch_timestamp_ms,
+)
 from data.model.oci.manifest import lookup_manifest, get_or_create_manifest
 from data.model.oci.tag import filter_to_alive_tags, get_tag
 from data.model.oci.shared import get_legacy_image_for_manifest
@@ -23,538 +31,542 @@ from util.bytes import Bytes
 
 from test.fixtures import *
 
+
 def test_lookup_manifest(initialized_db):
-  found = False
-  for tag in filter_to_alive_tags(Tag.select()):
-    found = True
-    repo = tag.repository
-    digest = tag.manifest.digest
-    with assert_query_count(1):
-      assert lookup_manifest(repo, digest) == tag.manifest
+    found = False
+    for tag in filter_to_alive_tags(Tag.select()):
+        found = True
+        repo = tag.repository
+        digest = tag.manifest.digest
+        with assert_query_count(1):
+            assert lookup_manifest(repo, digest) == tag.manifest
 
-  assert found
+    assert found
 
-  for tag in Tag.select():
-    repo = tag.repository
-    digest = tag.manifest.digest
-    with assert_query_count(1):
-      assert lookup_manifest(repo, digest, allow_dead=True) == tag.manifest
+    for tag in Tag.select():
+        repo = tag.repository
+        digest = tag.manifest.digest
+        with assert_query_count(1):
+            assert lookup_manifest(repo, digest, allow_dead=True) == tag.manifest
 
 
 def test_lookup_manifest_dead_tag(initialized_db):
-  dead_tag = Tag.select().where(Tag.lifetime_end_ms <= get_epoch_timestamp_ms()).get()
-  assert dead_tag.lifetime_end_ms <= get_epoch_timestamp_ms()
+    dead_tag = Tag.select().where(Tag.lifetime_end_ms <= get_epoch_timestamp_ms()).get()
+    assert dead_tag.lifetime_end_ms <= get_epoch_timestamp_ms()
 
-  assert lookup_manifest(dead_tag.repository, dead_tag.manifest.digest) is None
-  assert (lookup_manifest(dead_tag.repository, dead_tag.manifest.digest, allow_dead=True) ==
-          dead_tag.manifest)
+    assert lookup_manifest(dead_tag.repository, dead_tag.manifest.digest) is None
+    assert (
+        lookup_manifest(dead_tag.repository, dead_tag.manifest.digest, allow_dead=True)
+        == dead_tag.manifest
+    )
 
 
-def create_manifest_for_testing(repository, differentiation_field='1'):
-  # Populate a manifest.
-  layer_json = json.dumps({
-    'config': {},
-    "rootfs": {
-      "type": "layers",
-      "diff_ids": []
-    },
-    "history": [],
-  })
+def create_manifest_for_testing(repository, differentiation_field="1"):
+    # Populate a manifest.
+    layer_json = json.dumps(
+        {"config": {}, "rootfs": {"type": "layers", "diff_ids": []}, "history": []}
+    )
 
-  # Add a blob containing the config.
-  _, config_digest = _populate_blob(layer_json)
+    # Add a blob containing the config.
+    _, config_digest = _populate_blob(layer_json)
 
-  remote_digest = sha256_digest('something')
-  builder = DockerSchema2ManifestBuilder()
-  builder.set_config_digest(config_digest, len(layer_json))
-  builder.add_layer(remote_digest, 1234, urls=['http://hello/world' + differentiation_field])
-  manifest = builder.build()
+    remote_digest = sha256_digest("something")
+    builder = DockerSchema2ManifestBuilder()
+    builder.set_config_digest(config_digest, len(layer_json))
+    builder.add_layer(
+        remote_digest, 1234, urls=["http://hello/world" + differentiation_field]
+    )
+    manifest = builder.build()
 
-  created = get_or_create_manifest(repository, manifest, storage)
-  assert created
-  return created.manifest, manifest
+    created = get_or_create_manifest(repository, manifest, storage)
+    assert created
+    return created.manifest, manifest
 
 
 def test_lookup_manifest_child_tag(initialized_db):
-  repository = create_repository('devtable', 'newrepo', None)
-  manifest, manifest_impl = create_manifest_for_testing(repository)
+    repository = create_repository("devtable", "newrepo", None)
+    manifest, manifest_impl = create_manifest_for_testing(repository)
 
-  # Mark the hidden tag as dead.
-  hidden_tag = Tag.get(manifest=manifest, hidden=True)
-  hidden_tag.lifetime_end_ms = hidden_tag.lifetime_start_ms
-  hidden_tag.save()
+    # Mark the hidden tag as dead.
+    hidden_tag = Tag.get(manifest=manifest, hidden=True)
+    hidden_tag.lifetime_end_ms = hidden_tag.lifetime_start_ms
+    hidden_tag.save()
 
-  # Ensure the manifest cannot currently be looked up, as it is not pointed to by an alive tag.
-  assert lookup_manifest(repository, manifest.digest) is None
-  assert lookup_manifest(repository, manifest.digest, allow_dead=True) is not None
+    # Ensure the manifest cannot currently be looked up, as it is not pointed to by an alive tag.
+    assert lookup_manifest(repository, manifest.digest) is None
+    assert lookup_manifest(repository, manifest.digest, allow_dead=True) is not None
 
-  # Populate a manifest list.
-  list_builder = DockerSchema2ManifestListBuilder()
-  list_builder.add_manifest(manifest_impl, 'amd64', 'linux')
-  manifest_list = list_builder.build()
+    # Populate a manifest list.
+    list_builder = DockerSchema2ManifestListBuilder()
+    list_builder.add_manifest(manifest_impl, "amd64", "linux")
+    manifest_list = list_builder.build()
 
-  # Write the manifest list, which should also write the manifests themselves.
-  created_tuple = get_or_create_manifest(repository, manifest_list, storage)
-  assert created_tuple is not None
+    # Write the manifest list, which should also write the manifests themselves.
+    created_tuple = get_or_create_manifest(repository, manifest_list, storage)
+    assert created_tuple is not None
 
-  # Since the manifests are not yet referenced by a tag, they cannot be found.
-  assert lookup_manifest(repository, manifest.digest) is None
-  assert lookup_manifest(repository, manifest_list.digest) is None
+    # Since the manifests are not yet referenced by a tag, they cannot be found.
+    assert lookup_manifest(repository, manifest.digest) is None
+    assert lookup_manifest(repository, manifest_list.digest) is None
 
-  # Unless we ask for "dead" manifests.
-  assert lookup_manifest(repository, manifest.digest, allow_dead=True) is not None
-  assert lookup_manifest(repository, manifest_list.digest, allow_dead=True) is not None
+    # Unless we ask for "dead" manifests.
+    assert lookup_manifest(repository, manifest.digest, allow_dead=True) is not None
+    assert (
+        lookup_manifest(repository, manifest_list.digest, allow_dead=True) is not None
+    )
 
 
 def _populate_blob(content):
-  digest = str(sha256_digest(content))
-  location = ImageStorageLocation.get(name='local_us')
-  blob = store_blob_record_and_temp_link('devtable', 'newrepo', digest, location,
-                                         len(content), 120)
-  storage.put_content(['local_us'], get_layer_path(blob), content)
-  return blob, digest
+    digest = str(sha256_digest(content))
+    location = ImageStorageLocation.get(name="local_us")
+    blob = store_blob_record_and_temp_link(
+        "devtable", "newrepo", digest, location, len(content), 120
+    )
+    storage.put_content(["local_us"], get_layer_path(blob), content)
+    return blob, digest
 
 
-@pytest.mark.parametrize('schema_version', [
-  1,
-  2,
-])
+@pytest.mark.parametrize("schema_version", [1, 2])
 def test_get_or_create_manifest(schema_version, initialized_db):
-  repository = create_repository('devtable', 'newrepo', None)
+    repository = create_repository("devtable", "newrepo", None)
 
-  expected_labels = {
-    'Foo': 'Bar',
-    'Baz': 'Meh',
-  }
+    expected_labels = {"Foo": "Bar", "Baz": "Meh"}
 
-  layer_json = json.dumps({
-    'id': 'somelegacyid',
-    'config': {
-      'Labels': expected_labels,
-    },
-    "rootfs": {
-      "type": "layers",
-      "diff_ids": []
-    },
-    "history": [
-      {
-        "created": "2018-04-03T18:37:09.284840891Z",
-        "created_by": "do something",
-      },
-    ],
-  })
+    layer_json = json.dumps(
+        {
+            "id": "somelegacyid",
+            "config": {"Labels": expected_labels},
+            "rootfs": {"type": "layers", "diff_ids": []},
+            "history": [
+                {
+                    "created": "2018-04-03T18:37:09.284840891Z",
+                    "created_by": "do something",
+                }
+            ],
+        }
+    )
 
-  # Create a legacy image.
-  find_create_or_link_image('somelegacyid', repository, 'devtable', {}, 'local_us')
+    # Create a legacy image.
+    find_create_or_link_image("somelegacyid", repository, "devtable", {}, "local_us")
 
-  # Add a blob containing the config.
-  _, config_digest = _populate_blob(layer_json)
+    # Add a blob containing the config.
+    _, config_digest = _populate_blob(layer_json)
 
-  # Add a blob of random data.
-  random_data = 'hello world'
-  _, random_digest = _populate_blob(random_data)
+    # Add a blob of random data.
+    random_data = "hello world"
+    _, random_digest = _populate_blob(random_data)
 
-  # Build the manifest.
-  if schema_version == 1:
-    builder = DockerSchema1ManifestBuilder('devtable', 'simple', 'anothertag')
-    builder.add_layer(random_digest, layer_json)
-    sample_manifest_instance = builder.build(docker_v2_signing_key)
-  elif schema_version == 2:
-    builder = DockerSchema2ManifestBuilder()
-    builder.set_config_digest(config_digest, len(layer_json))
-    builder.add_layer(random_digest, len(random_data))
-    sample_manifest_instance = builder.build()
+    # Build the manifest.
+    if schema_version == 1:
+        builder = DockerSchema1ManifestBuilder("devtable", "simple", "anothertag")
+        builder.add_layer(random_digest, layer_json)
+        sample_manifest_instance = builder.build(docker_v2_signing_key)
+    elif schema_version == 2:
+        builder = DockerSchema2ManifestBuilder()
+        builder.set_config_digest(config_digest, len(layer_json))
+        builder.add_layer(random_digest, len(random_data))
+        sample_manifest_instance = builder.build()
 
-  # Create a new manifest.
-  created_manifest = get_or_create_manifest(repository, sample_manifest_instance, storage)
-  created = created_manifest.manifest
-  newly_created = created_manifest.newly_created
+    # Create a new manifest.
+    created_manifest = get_or_create_manifest(
+        repository, sample_manifest_instance, storage
+    )
+    created = created_manifest.manifest
+    newly_created = created_manifest.newly_created
 
-  assert newly_created
-  assert created is not None
-  assert created.media_type.name == sample_manifest_instance.media_type
-  assert created.digest == sample_manifest_instance.digest
-  assert created.manifest_bytes == sample_manifest_instance.bytes.as_encoded_str()
-  assert created_manifest.labels_to_apply == expected_labels
+    assert newly_created
+    assert created is not None
+    assert created.media_type.name == sample_manifest_instance.media_type
+    assert created.digest == sample_manifest_instance.digest
+    assert created.manifest_bytes == sample_manifest_instance.bytes.as_encoded_str()
+    assert created_manifest.labels_to_apply == expected_labels
 
-  # Verify it has a temporary tag pointing to it.
-  assert Tag.get(manifest=created, hidden=True).lifetime_end_ms
+    # Verify it has a temporary tag pointing to it.
+    assert Tag.get(manifest=created, hidden=True).lifetime_end_ms
 
-  # Verify the legacy image.
-  legacy_image = get_legacy_image_for_manifest(created)
-  assert legacy_image is not None
-  assert legacy_image.storage.content_checksum == random_digest
+    # Verify the legacy image.
+    legacy_image = get_legacy_image_for_manifest(created)
+    assert legacy_image is not None
+    assert legacy_image.storage.content_checksum == random_digest
 
-  # Verify the linked blobs.
-  blob_digests = [mb.blob.content_checksum for mb
-                  in ManifestBlob.select().where(ManifestBlob.manifest == created)]
+    # Verify the linked blobs.
+    blob_digests = [
+        mb.blob.content_checksum
+        for mb in ManifestBlob.select().where(ManifestBlob.manifest == created)
+    ]
 
-  assert random_digest in blob_digests
-  if schema_version == 2:
-    assert config_digest in blob_digests
+    assert random_digest in blob_digests
+    if schema_version == 2:
+        assert config_digest in blob_digests
 
-  # Retrieve it again and ensure it is the same manifest.
-  created_manifest2 = get_or_create_manifest(repository, sample_manifest_instance, storage)
-  created2 = created_manifest2.manifest
-  newly_created2 = created_manifest2.newly_created
+    # Retrieve it again and ensure it is the same manifest.
+    created_manifest2 = get_or_create_manifest(
+        repository, sample_manifest_instance, storage
+    )
+    created2 = created_manifest2.manifest
+    newly_created2 = created_manifest2.newly_created
 
-  assert not newly_created2
-  assert created2 == created
+    assert not newly_created2
+    assert created2 == created
 
-  # Ensure it again has a temporary tag.
-  assert Tag.get(manifest=created2, hidden=True).lifetime_end_ms
+    # Ensure it again has a temporary tag.
+    assert Tag.get(manifest=created2, hidden=True).lifetime_end_ms
 
-  # Ensure the labels were added.
-  labels = list(list_manifest_labels(created))
-  assert len(labels) == 2
+    # Ensure the labels were added.
+    labels = list(list_manifest_labels(created))
+    assert len(labels) == 2
 
-  labels_dict = {label.key: label.value for label in labels}
-  assert labels_dict == expected_labels
+    labels_dict = {label.key: label.value for label in labels}
+    assert labels_dict == expected_labels
 
 
 def test_get_or_create_manifest_invalid_image(initialized_db):
-  repository = get_repository('devtable', 'simple')
+    repository = get_repository("devtable", "simple")
 
-  latest_tag = get_tag(repository, 'latest')
-  parsed = DockerSchema1Manifest(Bytes.for_string_or_unicode(latest_tag.manifest.manifest_bytes),
-                                 validate=False)
+    latest_tag = get_tag(repository, "latest")
+    parsed = DockerSchema1Manifest(
+        Bytes.for_string_or_unicode(latest_tag.manifest.manifest_bytes), validate=False
+    )
 
-  builder = DockerSchema1ManifestBuilder('devtable', 'simple', 'anothertag')
-  builder.add_layer(parsed.blob_digests[0], '{"id": "foo", "parent": "someinvalidimageid"}')
-  sample_manifest_instance = builder.build(docker_v2_signing_key)
+    builder = DockerSchema1ManifestBuilder("devtable", "simple", "anothertag")
+    builder.add_layer(
+        parsed.blob_digests[0], '{"id": "foo", "parent": "someinvalidimageid"}'
+    )
+    sample_manifest_instance = builder.build(docker_v2_signing_key)
 
-  created_manifest = get_or_create_manifest(repository, sample_manifest_instance, storage)
-  assert created_manifest is None
+    created_manifest = get_or_create_manifest(
+        repository, sample_manifest_instance, storage
+    )
+    assert created_manifest is None
 
 
 def test_get_or_create_manifest_list(initialized_db):
-  repository = create_repository('devtable', 'newrepo', None)
+    repository = create_repository("devtable", "newrepo", None)
 
-  expected_labels = {
-    'Foo': 'Bar',
-    'Baz': 'Meh',
-  }
+    expected_labels = {"Foo": "Bar", "Baz": "Meh"}
 
-  layer_json = json.dumps({
-    'id': 'somelegacyid',
-    'config': {
-      'Labels': expected_labels,
-    },
-    "rootfs": {
-      "type": "layers",
-      "diff_ids": []
-    },
-    "history": [
-      {
-        "created": "2018-04-03T18:37:09.284840891Z",
-        "created_by": "do something",
-      },
-    ],
-  })
+    layer_json = json.dumps(
+        {
+            "id": "somelegacyid",
+            "config": {"Labels": expected_labels},
+            "rootfs": {"type": "layers", "diff_ids": []},
+            "history": [
+                {
+                    "created": "2018-04-03T18:37:09.284840891Z",
+                    "created_by": "do something",
+                }
+            ],
+        }
+    )
 
-  # Create a legacy image.
-  find_create_or_link_image('somelegacyid', repository, 'devtable', {}, 'local_us')
+    # Create a legacy image.
+    find_create_or_link_image("somelegacyid", repository, "devtable", {}, "local_us")
 
-  # Add a blob containing the config.
-  _, config_digest = _populate_blob(layer_json)
+    # Add a blob containing the config.
+    _, config_digest = _populate_blob(layer_json)
 
-  # Add a blob of random data.
-  random_data = 'hello world'
-  _, random_digest = _populate_blob(random_data)
+    # Add a blob of random data.
+    random_data = "hello world"
+    _, random_digest = _populate_blob(random_data)
 
-  # Build the manifests.
-  v1_builder = DockerSchema1ManifestBuilder('devtable', 'simple', 'anothertag')
-  v1_builder.add_layer(random_digest, layer_json)
-  v1_manifest = v1_builder.build(docker_v2_signing_key).unsigned()
+    # Build the manifests.
+    v1_builder = DockerSchema1ManifestBuilder("devtable", "simple", "anothertag")
+    v1_builder.add_layer(random_digest, layer_json)
+    v1_manifest = v1_builder.build(docker_v2_signing_key).unsigned()
 
-  v2_builder = DockerSchema2ManifestBuilder()
-  v2_builder.set_config_digest(config_digest, len(layer_json))
-  v2_builder.add_layer(random_digest, len(random_data))
-  v2_manifest = v2_builder.build()
+    v2_builder = DockerSchema2ManifestBuilder()
+    v2_builder.set_config_digest(config_digest, len(layer_json))
+    v2_builder.add_layer(random_digest, len(random_data))
+    v2_manifest = v2_builder.build()
 
-  # Write the manifests.
-  v1_created = get_or_create_manifest(repository, v1_manifest, storage)
-  assert v1_created
-  assert v1_created.manifest.digest == v1_manifest.digest
+    # Write the manifests.
+    v1_created = get_or_create_manifest(repository, v1_manifest, storage)
+    assert v1_created
+    assert v1_created.manifest.digest == v1_manifest.digest
 
-  v2_created = get_or_create_manifest(repository, v2_manifest, storage)
-  assert v2_created
-  assert v2_created.manifest.digest == v2_manifest.digest
+    v2_created = get_or_create_manifest(repository, v2_manifest, storage)
+    assert v2_created
+    assert v2_created.manifest.digest == v2_manifest.digest
 
-  # Build the manifest list.
-  list_builder = DockerSchema2ManifestListBuilder()
-  list_builder.add_manifest(v1_manifest, 'amd64', 'linux')
-  list_builder.add_manifest(v2_manifest, 'amd32', 'linux')
-  manifest_list = list_builder.build()
+    # Build the manifest list.
+    list_builder = DockerSchema2ManifestListBuilder()
+    list_builder.add_manifest(v1_manifest, "amd64", "linux")
+    list_builder.add_manifest(v2_manifest, "amd32", "linux")
+    manifest_list = list_builder.build()
 
-  # Write the manifest list, which should also write the manifests themselves.
-  created_tuple = get_or_create_manifest(repository, manifest_list, storage)
-  assert created_tuple is not None
+    # Write the manifest list, which should also write the manifests themselves.
+    created_tuple = get_or_create_manifest(repository, manifest_list, storage)
+    assert created_tuple is not None
 
-  created_list = created_tuple.manifest
-  assert created_list
-  assert created_list.media_type.name == manifest_list.media_type
-  assert created_list.digest == manifest_list.digest
+    created_list = created_tuple.manifest
+    assert created_list
+    assert created_list.media_type.name == manifest_list.media_type
+    assert created_list.digest == manifest_list.digest
 
-  # Ensure the child manifest links exist.
-  child_manifests = {cm.child_manifest.digest: cm.child_manifest
-                     for cm in ManifestChild.select().where(ManifestChild.manifest == created_list)}
-  assert len(child_manifests) == 2
-  assert v1_manifest.digest in child_manifests
-  assert v2_manifest.digest in child_manifests
+    # Ensure the child manifest links exist.
+    child_manifests = {
+        cm.child_manifest.digest: cm.child_manifest
+        for cm in ManifestChild.select().where(ManifestChild.manifest == created_list)
+    }
+    assert len(child_manifests) == 2
+    assert v1_manifest.digest in child_manifests
+    assert v2_manifest.digest in child_manifests
 
-  assert child_manifests[v1_manifest.digest].media_type.name == v1_manifest.media_type
-  assert child_manifests[v2_manifest.digest].media_type.name == v2_manifest.media_type
+    assert child_manifests[v1_manifest.digest].media_type.name == v1_manifest.media_type
+    assert child_manifests[v2_manifest.digest].media_type.name == v2_manifest.media_type
 
 
 def test_get_or_create_manifest_list_duplicate_child_manifest(initialized_db):
-  repository = create_repository('devtable', 'newrepo', None)
+    repository = create_repository("devtable", "newrepo", None)
 
-  expected_labels = {
-    'Foo': 'Bar',
-    'Baz': 'Meh',
-  }
+    expected_labels = {"Foo": "Bar", "Baz": "Meh"}
 
-  layer_json = json.dumps({
-    'id': 'somelegacyid',
-    'config': {
-      'Labels': expected_labels,
-    },
-    "rootfs": {
-      "type": "layers",
-      "diff_ids": []
-    },
-    "history": [
-      {
-        "created": "2018-04-03T18:37:09.284840891Z",
-        "created_by": "do something",
-      },
-    ],
-  })
+    layer_json = json.dumps(
+        {
+            "id": "somelegacyid",
+            "config": {"Labels": expected_labels},
+            "rootfs": {"type": "layers", "diff_ids": []},
+            "history": [
+                {
+                    "created": "2018-04-03T18:37:09.284840891Z",
+                    "created_by": "do something",
+                }
+            ],
+        }
+    )
 
-  # Create a legacy image.
-  find_create_or_link_image('somelegacyid', repository, 'devtable', {}, 'local_us')
+    # Create a legacy image.
+    find_create_or_link_image("somelegacyid", repository, "devtable", {}, "local_us")
 
-  # Add a blob containing the config.
-  _, config_digest = _populate_blob(layer_json)
+    # Add a blob containing the config.
+    _, config_digest = _populate_blob(layer_json)
 
-  # Add a blob of random data.
-  random_data = 'hello world'
-  _, random_digest = _populate_blob(random_data)
+    # Add a blob of random data.
+    random_data = "hello world"
+    _, random_digest = _populate_blob(random_data)
 
-  # Build the manifest.
-  v2_builder = DockerSchema2ManifestBuilder()
-  v2_builder.set_config_digest(config_digest, len(layer_json))
-  v2_builder.add_layer(random_digest, len(random_data))
-  v2_manifest = v2_builder.build()
+    # Build the manifest.
+    v2_builder = DockerSchema2ManifestBuilder()
+    v2_builder.set_config_digest(config_digest, len(layer_json))
+    v2_builder.add_layer(random_digest, len(random_data))
+    v2_manifest = v2_builder.build()
 
-  # Write the manifest.
-  v2_created = get_or_create_manifest(repository, v2_manifest, storage)
-  assert v2_created
-  assert v2_created.manifest.digest == v2_manifest.digest
+    # Write the manifest.
+    v2_created = get_or_create_manifest(repository, v2_manifest, storage)
+    assert v2_created
+    assert v2_created.manifest.digest == v2_manifest.digest
 
-  # Build the manifest list, with the child manifest repeated.
-  list_builder = DockerSchema2ManifestListBuilder()
-  list_builder.add_manifest(v2_manifest, 'amd64', 'linux')
-  list_builder.add_manifest(v2_manifest, 'amd32', 'linux')
-  manifest_list = list_builder.build()
+    # Build the manifest list, with the child manifest repeated.
+    list_builder = DockerSchema2ManifestListBuilder()
+    list_builder.add_manifest(v2_manifest, "amd64", "linux")
+    list_builder.add_manifest(v2_manifest, "amd32", "linux")
+    manifest_list = list_builder.build()
 
-  # Write the manifest list, which should also write the manifests themselves.
-  created_tuple = get_or_create_manifest(repository, manifest_list, storage)
-  assert created_tuple is not None
+    # Write the manifest list, which should also write the manifests themselves.
+    created_tuple = get_or_create_manifest(repository, manifest_list, storage)
+    assert created_tuple is not None
 
-  created_list = created_tuple.manifest
-  assert created_list
-  assert created_list.media_type.name == manifest_list.media_type
-  assert created_list.digest == manifest_list.digest
+    created_list = created_tuple.manifest
+    assert created_list
+    assert created_list.media_type.name == manifest_list.media_type
+    assert created_list.digest == manifest_list.digest
 
-  # Ensure the child manifest links exist.
-  child_manifests = {cm.child_manifest.digest: cm.child_manifest
-                     for cm in ManifestChild.select().where(ManifestChild.manifest == created_list)}
-  assert len(child_manifests) == 1
-  assert v2_manifest.digest in child_manifests
-  assert child_manifests[v2_manifest.digest].media_type.name == v2_manifest.media_type
+    # Ensure the child manifest links exist.
+    child_manifests = {
+        cm.child_manifest.digest: cm.child_manifest
+        for cm in ManifestChild.select().where(ManifestChild.manifest == created_list)
+    }
+    assert len(child_manifests) == 1
+    assert v2_manifest.digest in child_manifests
+    assert child_manifests[v2_manifest.digest].media_type.name == v2_manifest.media_type
 
-  # Try to create again and ensure we get back the same manifest list.
-  created2_tuple = get_or_create_manifest(repository, manifest_list, storage)
-  assert created2_tuple is not None
-  assert created2_tuple.manifest == created_list
+    # Try to create again and ensure we get back the same manifest list.
+    created2_tuple = get_or_create_manifest(repository, manifest_list, storage)
+    assert created2_tuple is not None
+    assert created2_tuple.manifest == created_list
 
 
 def test_get_or_create_manifest_with_remote_layers(initialized_db):
-  repository = create_repository('devtable', 'newrepo', None)
+    repository = create_repository("devtable", "newrepo", None)
 
-  layer_json = json.dumps({
-    'config': {},
-    "rootfs": {
-      "type": "layers",
-      "diff_ids": []
-    },
-    "history": [
-      {
-        "created": "2018-04-03T18:37:09.284840891Z",
-        "created_by": "do something",
-      },
-      {
-        "created": "2018-04-03T18:37:09.284840891Z",
-        "created_by": "do something",
-      },
-    ],
-  })
+    layer_json = json.dumps(
+        {
+            "config": {},
+            "rootfs": {"type": "layers", "diff_ids": []},
+            "history": [
+                {
+                    "created": "2018-04-03T18:37:09.284840891Z",
+                    "created_by": "do something",
+                },
+                {
+                    "created": "2018-04-03T18:37:09.284840891Z",
+                    "created_by": "do something",
+                },
+            ],
+        }
+    )
 
-  # Add a blob containing the config.
-  _, config_digest = _populate_blob(layer_json)
+    # Add a blob containing the config.
+    _, config_digest = _populate_blob(layer_json)
 
-  # Add a blob of random data.
-  random_data = 'hello world'
-  _, random_digest = _populate_blob(random_data)
+    # Add a blob of random data.
+    random_data = "hello world"
+    _, random_digest = _populate_blob(random_data)
 
-  remote_digest = sha256_digest('something')
+    remote_digest = sha256_digest("something")
 
-  builder = DockerSchema2ManifestBuilder()
-  builder.set_config_digest(config_digest, len(layer_json))
-  builder.add_layer(remote_digest, 1234, urls=['http://hello/world'])
-  builder.add_layer(random_digest, len(random_data))
-  manifest = builder.build()
+    builder = DockerSchema2ManifestBuilder()
+    builder.set_config_digest(config_digest, len(layer_json))
+    builder.add_layer(remote_digest, 1234, urls=["http://hello/world"])
+    builder.add_layer(random_digest, len(random_data))
+    manifest = builder.build()
 
-  assert remote_digest in manifest.blob_digests
-  assert remote_digest not in manifest.local_blob_digests
+    assert remote_digest in manifest.blob_digests
+    assert remote_digest not in manifest.local_blob_digests
 
-  assert manifest.has_remote_layer
-  assert not manifest.has_legacy_image
-  assert manifest.get_schema1_manifest('foo', 'bar', 'baz', None) is None
+    assert manifest.has_remote_layer
+    assert not manifest.has_legacy_image
+    assert manifest.get_schema1_manifest("foo", "bar", "baz", None) is None
 
-  # Write the manifest.
-  created_tuple = get_or_create_manifest(repository, manifest, storage)
-  assert created_tuple is not None
+    # Write the manifest.
+    created_tuple = get_or_create_manifest(repository, manifest, storage)
+    assert created_tuple is not None
 
-  created_manifest = created_tuple.manifest
-  assert created_manifest
-  assert created_manifest.media_type.name == manifest.media_type
-  assert created_manifest.digest == manifest.digest
+    created_manifest = created_tuple.manifest
+    assert created_manifest
+    assert created_manifest.media_type.name == manifest.media_type
+    assert created_manifest.digest == manifest.digest
 
-  # Verify the legacy image.
-  legacy_image = get_legacy_image_for_manifest(created_manifest)
-  assert legacy_image is None
+    # Verify the legacy image.
+    legacy_image = get_legacy_image_for_manifest(created_manifest)
+    assert legacy_image is None
 
-  # Verify the linked blobs.
-  blob_digests = {mb.blob.content_checksum for mb
-                  in ManifestBlob.select().where(ManifestBlob.manifest == created_manifest)}
+    # Verify the linked blobs.
+    blob_digests = {
+        mb.blob.content_checksum
+        for mb in ManifestBlob.select().where(ManifestBlob.manifest == created_manifest)
+    }
 
-  assert random_digest in blob_digests
-  assert config_digest in blob_digests
-  assert remote_digest not in blob_digests
+    assert random_digest in blob_digests
+    assert config_digest in blob_digests
+    assert remote_digest not in blob_digests
 
 
-def create_manifest_for_testing(repository, differentiation_field='1', include_shared_blob=False):
-  # Populate a manifest.
-  layer_json = json.dumps({
-    'config': {},
-    "rootfs": {
-      "type": "layers",
-      "diff_ids": []
-    },
-    "history": [],
-  })
+def create_manifest_for_testing(
+    repository, differentiation_field="1", include_shared_blob=False
+):
+    # Populate a manifest.
+    layer_json = json.dumps(
+        {"config": {}, "rootfs": {"type": "layers", "diff_ids": []}, "history": []}
+    )
 
-  # Add a blob containing the config.
-  _, config_digest = _populate_blob(layer_json)
+    # Add a blob containing the config.
+    _, config_digest = _populate_blob(layer_json)
 
-  remote_digest = sha256_digest('something')
-  builder = DockerSchema2ManifestBuilder()
-  builder.set_config_digest(config_digest, len(layer_json))
-  builder.add_layer(remote_digest, 1234, urls=['http://hello/world' + differentiation_field])
+    remote_digest = sha256_digest("something")
+    builder = DockerSchema2ManifestBuilder()
+    builder.set_config_digest(config_digest, len(layer_json))
+    builder.add_layer(
+        remote_digest, 1234, urls=["http://hello/world" + differentiation_field]
+    )
 
-  if include_shared_blob:
-    _, blob_digest = _populate_blob('some data here')
-    builder.add_layer(blob_digest, 4567)
+    if include_shared_blob:
+        _, blob_digest = _populate_blob("some data here")
+        builder.add_layer(blob_digest, 4567)
 
-  manifest = builder.build()
+    manifest = builder.build()
 
-  created = get_or_create_manifest(repository, manifest, storage)
-  assert created
-  return created.manifest, manifest
+    created = get_or_create_manifest(repository, manifest, storage)
+    assert created
+    return created.manifest, manifest
 
 
 def test_retriever(initialized_db):
-  repository = create_repository('devtable', 'newrepo', None)
+    repository = create_repository("devtable", "newrepo", None)
 
-  layer_json = json.dumps({
-    'config': {},
-    "rootfs": {
-      "type": "layers",
-      "diff_ids": []
-    },
-    "history": [
-      {
-        "created": "2018-04-03T18:37:09.284840891Z",
-        "created_by": "do something",
-      },
-      {
-        "created": "2018-04-03T18:37:09.284840891Z",
-        "created_by": "do something",
-      },
-    ],
-  })
+    layer_json = json.dumps(
+        {
+            "config": {},
+            "rootfs": {"type": "layers", "diff_ids": []},
+            "history": [
+                {
+                    "created": "2018-04-03T18:37:09.284840891Z",
+                    "created_by": "do something",
+                },
+                {
+                    "created": "2018-04-03T18:37:09.284840891Z",
+                    "created_by": "do something",
+                },
+            ],
+        }
+    )
 
-  # Add a blob containing the config.
-  _, config_digest = _populate_blob(layer_json)
+    # Add a blob containing the config.
+    _, config_digest = _populate_blob(layer_json)
 
-  # Add a blob of random data.
-  random_data = 'hello world'
-  _, random_digest = _populate_blob(random_data)
+    # Add a blob of random data.
+    random_data = "hello world"
+    _, random_digest = _populate_blob(random_data)
 
-  # Add another blob of random data.
-  other_random_data = 'hi place'
-  _, other_random_digest = _populate_blob(other_random_data)
+    # Add another blob of random data.
+    other_random_data = "hi place"
+    _, other_random_digest = _populate_blob(other_random_data)
 
-  remote_digest = sha256_digest('something')
+    remote_digest = sha256_digest("something")
 
-  builder = DockerSchema2ManifestBuilder()
-  builder.set_config_digest(config_digest, len(layer_json))
-  builder.add_layer(other_random_digest, len(other_random_data))
-  builder.add_layer(random_digest, len(random_data))
-  manifest = builder.build()
+    builder = DockerSchema2ManifestBuilder()
+    builder.set_config_digest(config_digest, len(layer_json))
+    builder.add_layer(other_random_digest, len(other_random_data))
+    builder.add_layer(random_digest, len(random_data))
+    manifest = builder.build()
 
-  assert config_digest in manifest.blob_digests
-  assert random_digest in manifest.blob_digests
-  assert other_random_digest in manifest.blob_digests
+    assert config_digest in manifest.blob_digests
+    assert random_digest in manifest.blob_digests
+    assert other_random_digest in manifest.blob_digests
 
-  assert config_digest in manifest.local_blob_digests
-  assert random_digest in manifest.local_blob_digests
-  assert other_random_digest in manifest.local_blob_digests
+    assert config_digest in manifest.local_blob_digests
+    assert random_digest in manifest.local_blob_digests
+    assert other_random_digest in manifest.local_blob_digests
 
-  # Write the manifest.
-  created_tuple = get_or_create_manifest(repository, manifest, storage)
-  assert created_tuple is not None
+    # Write the manifest.
+    created_tuple = get_or_create_manifest(repository, manifest, storage)
+    assert created_tuple is not None
 
-  created_manifest = created_tuple.manifest
-  assert created_manifest
-  assert created_manifest.media_type.name == manifest.media_type
-  assert created_manifest.digest == manifest.digest
+    created_manifest = created_tuple.manifest
+    assert created_manifest
+    assert created_manifest.media_type.name == manifest.media_type
+    assert created_manifest.digest == manifest.digest
 
-  # Verify the linked blobs.
-  blob_digests = {mb.blob.content_checksum for mb
-                  in ManifestBlob.select().where(ManifestBlob.manifest == created_manifest)}
+    # Verify the linked blobs.
+    blob_digests = {
+        mb.blob.content_checksum
+        for mb in ManifestBlob.select().where(ManifestBlob.manifest == created_manifest)
+    }
 
-  assert random_digest in blob_digests
-  assert other_random_digest in blob_digests
-  assert config_digest in blob_digests
+    assert random_digest in blob_digests
+    assert other_random_digest in blob_digests
+    assert config_digest in blob_digests
 
-  # Delete any Image rows linking to the blobs from temp tags.
-  for blob_digest in blob_digests:
-    storage_row = ImageStorage.get(content_checksum=blob_digest)
-    for image in list(Image.select().where(Image.storage == storage_row)):
-      all_temp = all([rt.hidden for rt
-                      in RepositoryTag.select().where(RepositoryTag.image == image)])
-      if all_temp:
-        RepositoryTag.delete().where(RepositoryTag.image == image).execute()
-        image.delete_instance(recursive=True)
+    # Delete any Image rows linking to the blobs from temp tags.
+    for blob_digest in blob_digests:
+        storage_row = ImageStorage.get(content_checksum=blob_digest)
+        for image in list(Image.select().where(Image.storage == storage_row)):
+            all_temp = all(
+                [
+                    rt.hidden
+                    for rt in RepositoryTag.select().where(RepositoryTag.image == image)
+                ]
+            )
+            if all_temp:
+                RepositoryTag.delete().where(RepositoryTag.image == image).execute()
+                image.delete_instance(recursive=True)
 
-  # Verify the blobs in the retriever.
-  retriever = RepositoryContentRetriever(repository, storage)
-  assert (retriever.get_manifest_bytes_with_digest(created_manifest.digest) ==
-          manifest.bytes.as_encoded_str())
+    # Verify the blobs in the retriever.
+    retriever = RepositoryContentRetriever(repository, storage)
+    assert (
+        retriever.get_manifest_bytes_with_digest(created_manifest.digest)
+        == manifest.bytes.as_encoded_str()
+    )
 
-  for blob_digest in blob_digests:
-    assert retriever.get_blob_bytes_with_digest(blob_digest) is not None
+    for blob_digest in blob_digests:
+        assert retriever.get_blob_bytes_with_digest(blob_digest) is not None
diff --git a/data/model/oci/test/test_oci_tag.py b/data/model/oci/test/test_oci_tag.py
index d37828cf7..b61d44c04 100644
--- a/data/model/oci/test/test_oci_tag.py
+++ b/data/model/oci/test/test_oci_tag.py
@@ -3,376 +3,417 @@ from datetime import timedelta, datetime
 
 from playhouse.test_utils import assert_query_count
 
-from data.database import (Tag, ManifestLegacyImage, TagToRepositoryTag, TagManifestToManifest,
-                           TagManifest, Manifest, Repository)
+from data.database import (
+    Tag,
+    ManifestLegacyImage,
+    TagToRepositoryTag,
+    TagManifestToManifest,
+    TagManifest,
+    Manifest,
+    Repository,
+)
 from data.model.oci.test.test_oci_manifest import create_manifest_for_testing
-from data.model.oci.tag import (find_matching_tag, get_most_recent_tag,
-                                get_most_recent_tag_lifetime_start, list_alive_tags,
-                                get_legacy_images_for_tags, filter_to_alive_tags,
-                                filter_to_visible_tags, list_repository_tag_history,
-                                get_expired_tag, get_tag, delete_tag,
-                                delete_tags_for_manifest, change_tag_expiration,
-                                set_tag_expiration_for_manifest, retarget_tag,
-                                create_temporary_tag_if_necessary,
-                                lookup_alive_tags_shallow,
-                                lookup_unrecoverable_tags,
-                                get_epoch_timestamp_ms)
+from data.model.oci.tag import (
+    find_matching_tag,
+    get_most_recent_tag,
+    get_most_recent_tag_lifetime_start,
+    list_alive_tags,
+    get_legacy_images_for_tags,
+    filter_to_alive_tags,
+    filter_to_visible_tags,
+    list_repository_tag_history,
+    get_expired_tag,
+    get_tag,
+    delete_tag,
+    delete_tags_for_manifest,
+    change_tag_expiration,
+    set_tag_expiration_for_manifest,
+    retarget_tag,
+    create_temporary_tag_if_necessary,
+    lookup_alive_tags_shallow,
+    lookup_unrecoverable_tags,
+    get_epoch_timestamp_ms,
+)
 from data.model.repository import get_repository, create_repository
 
 from test.fixtures import *
 
-@pytest.mark.parametrize('namespace_name, repo_name, tag_names, expected', [
-  ('devtable', 'simple', ['latest'], 'latest'),
-  ('devtable', 'simple', ['unknown', 'latest'], 'latest'),
-  ('devtable', 'simple', ['unknown'], None),
-])
-def test_find_matching_tag(namespace_name, repo_name, tag_names, expected, initialized_db):
-  repo = get_repository(namespace_name, repo_name)
-  if expected is not None:
-    with assert_query_count(1):
-      found = find_matching_tag(repo, tag_names)
 
-    assert found is not None
-    assert found.name == expected
-    assert not found.lifetime_end_ms
-  else:
-    with assert_query_count(1):
-      assert find_matching_tag(repo, tag_names) is None
+@pytest.mark.parametrize(
+    "namespace_name, repo_name, tag_names, expected",
+    [
+        ("devtable", "simple", ["latest"], "latest"),
+        ("devtable", "simple", ["unknown", "latest"], "latest"),
+        ("devtable", "simple", ["unknown"], None),
+    ],
+)
+def test_find_matching_tag(
+    namespace_name, repo_name, tag_names, expected, initialized_db
+):
+    repo = get_repository(namespace_name, repo_name)
+    if expected is not None:
+        with assert_query_count(1):
+            found = find_matching_tag(repo, tag_names)
+
+        assert found is not None
+        assert found.name == expected
+        assert not found.lifetime_end_ms
+    else:
+        with assert_query_count(1):
+            assert find_matching_tag(repo, tag_names) is None
 
 
 def test_get_most_recent_tag_lifetime_start(initialized_db):
-  repo = get_repository('devtable', 'simple')
-  tag = get_most_recent_tag(repo)
+    repo = get_repository("devtable", "simple")
+    tag = get_most_recent_tag(repo)
 
-  with assert_query_count(1):
-    tags = get_most_recent_tag_lifetime_start([repo])
-    assert tags[repo.id] == tag.lifetime_start_ms
+    with assert_query_count(1):
+        tags = get_most_recent_tag_lifetime_start([repo])
+        assert tags[repo.id] == tag.lifetime_start_ms
 
 
 def test_get_most_recent_tag(initialized_db):
-  repo = get_repository('outsideorg', 'coolrepo')
+    repo = get_repository("outsideorg", "coolrepo")
 
-  with assert_query_count(1):
-    assert get_most_recent_tag(repo).name == 'latest'
+    with assert_query_count(1):
+        assert get_most_recent_tag(repo).name == "latest"
 
 
 def test_get_most_recent_tag_empty_repo(initialized_db):
-  empty_repo = create_repository('devtable', 'empty', None)
+    empty_repo = create_repository("devtable", "empty", None)
 
-  with assert_query_count(1):
-    assert get_most_recent_tag(empty_repo) is None
+    with assert_query_count(1):
+        assert get_most_recent_tag(empty_repo) is None
 
 
 def test_list_alive_tags(initialized_db):
-  found = False
-  for tag in filter_to_visible_tags(filter_to_alive_tags(Tag.select())):
+    found = False
+    for tag in filter_to_visible_tags(filter_to_alive_tags(Tag.select())):
+        tags = list_alive_tags(tag.repository)
+        assert tag in tags
+
+        with assert_query_count(1):
+            legacy_images = get_legacy_images_for_tags(tags)
+
+        for tag in tags:
+            assert (
+                ManifestLegacyImage.get(manifest=tag.manifest).image
+                == legacy_images[tag.id]
+            )
+
+        found = True
+
+    assert found
+
+    # Ensure hidden tags cannot be listed.
+    tag = Tag.get()
+    tag.hidden = True
+    tag.save()
+
     tags = list_alive_tags(tag.repository)
-    assert tag in tags
-
-    with assert_query_count(1):
-      legacy_images = get_legacy_images_for_tags(tags)
-
-    for tag in tags:
-      assert ManifestLegacyImage.get(manifest=tag.manifest).image == legacy_images[tag.id]
-
-    found = True
-
-  assert found
-
-  # Ensure hidden tags cannot be listed.
-  tag = Tag.get()
-  tag.hidden = True
-  tag.save()
-
-  tags = list_alive_tags(tag.repository)
-  assert tag not in tags
+    assert tag not in tags
 
 
 def test_lookup_alive_tags_shallow(initialized_db):
-  found = False
-  for tag in filter_to_visible_tags(filter_to_alive_tags(Tag.select())):
+    found = False
+    for tag in filter_to_visible_tags(filter_to_alive_tags(Tag.select())):
+        tags = lookup_alive_tags_shallow(tag.repository)
+        found = True
+        assert tag in tags
+
+    assert found
+
+    # Ensure hidden tags cannot be listed.
+    tag = Tag.get()
+    tag.hidden = True
+    tag.save()
+
     tags = lookup_alive_tags_shallow(tag.repository)
-    found = True
-    assert tag in tags
-
-  assert found
-
-  # Ensure hidden tags cannot be listed.
-  tag = Tag.get()
-  tag.hidden = True
-  tag.save()
-
-  tags = lookup_alive_tags_shallow(tag.repository)
-  assert tag not in tags
+    assert tag not in tags
 
 
 def test_get_tag(initialized_db):
-  found = False
-  for tag in filter_to_visible_tags(filter_to_alive_tags(Tag.select())):
-    repo = tag.repository
+    found = False
+    for tag in filter_to_visible_tags(filter_to_alive_tags(Tag.select())):
+        repo = tag.repository
+
+        with assert_query_count(1):
+            assert get_tag(repo, tag.name) == tag
+        found = True
+
+    assert found
+
+
+@pytest.mark.parametrize(
+    "namespace_name, repo_name", [("devtable", "simple"), ("devtable", "complex")]
+)
+def test_list_repository_tag_history(namespace_name, repo_name, initialized_db):
+    repo = get_repository(namespace_name, repo_name)
 
     with assert_query_count(1):
-      assert get_tag(repo, tag.name) == tag
-    found = True
+        results, has_more = list_repository_tag_history(repo, 1, 100)
 
-  assert found
-
-
-@pytest.mark.parametrize('namespace_name, repo_name', [
-  ('devtable', 'simple'),
-  ('devtable', 'complex'),
-])
-def test_list_repository_tag_history(namespace_name, repo_name, initialized_db):
-  repo = get_repository(namespace_name, repo_name)
-
-  with assert_query_count(1):
-    results, has_more = list_repository_tag_history(repo, 1, 100)
-
-  assert results
-  assert not has_more
+    assert results
+    assert not has_more
 
 
 def test_list_repository_tag_history_with_history(initialized_db):
-  repo = get_repository('devtable', 'history')
+    repo = get_repository("devtable", "history")
 
-  with assert_query_count(1):
-    results, _ = list_repository_tag_history(repo, 1, 100)
+    with assert_query_count(1):
+        results, _ = list_repository_tag_history(repo, 1, 100)
 
-  assert len(results) == 2
-  assert results[0].lifetime_end_ms is None
-  assert results[1].lifetime_end_ms is not None
+    assert len(results) == 2
+    assert results[0].lifetime_end_ms is None
+    assert results[1].lifetime_end_ms is not None
 
-  with assert_query_count(1):
-    results, _ = list_repository_tag_history(repo, 1, 100, specific_tag_name='latest')
+    with assert_query_count(1):
+        results, _ = list_repository_tag_history(
+            repo, 1, 100, specific_tag_name="latest"
+        )
 
-  assert len(results) == 2
-  assert results[0].lifetime_end_ms is None
-  assert results[1].lifetime_end_ms is not None
+    assert len(results) == 2
+    assert results[0].lifetime_end_ms is None
+    assert results[1].lifetime_end_ms is not None
 
-  with assert_query_count(1):
-    results, _ = list_repository_tag_history(repo, 1, 100, specific_tag_name='foobar')
+    with assert_query_count(1):
+        results, _ = list_repository_tag_history(
+            repo, 1, 100, specific_tag_name="foobar"
+        )
 
-  assert len(results) == 0
+    assert len(results) == 0
 
 
 def test_list_repository_tag_history_all_tags(initialized_db):
-  for tag in Tag.select():
-    repo = tag.repository
-    with assert_query_count(1):
-      results, _ = list_repository_tag_history(repo, 1, 1000)
+    for tag in Tag.select():
+        repo = tag.repository
+        with assert_query_count(1):
+            results, _ = list_repository_tag_history(repo, 1, 1000)
 
-    assert (tag in results) == (not tag.hidden)
+        assert (tag in results) == (not tag.hidden)
 
 
-@pytest.mark.parametrize('namespace_name, repo_name, tag_name, expected', [
-  ('devtable', 'simple', 'latest', False),
-  ('devtable', 'simple', 'unknown', False),
-  ('devtable', 'complex', 'latest', False),
-
-  ('devtable', 'history', 'latest', True),
-])
+@pytest.mark.parametrize(
+    "namespace_name, repo_name, tag_name, expected",
+    [
+        ("devtable", "simple", "latest", False),
+        ("devtable", "simple", "unknown", False),
+        ("devtable", "complex", "latest", False),
+        ("devtable", "history", "latest", True),
+    ],
+)
 def test_get_expired_tag(namespace_name, repo_name, tag_name, expected, initialized_db):
-  repo = get_repository(namespace_name, repo_name)
+    repo = get_repository(namespace_name, repo_name)
 
-  with assert_query_count(1):
-    assert bool(get_expired_tag(repo, tag_name)) == expected
+    with assert_query_count(1):
+        assert bool(get_expired_tag(repo, tag_name)) == expected
 
 
 def test_delete_tag(initialized_db):
-  found = False
-  for tag in list(filter_to_visible_tags(filter_to_alive_tags(Tag.select()))):
-    repo = tag.repository
+    found = False
+    for tag in list(filter_to_visible_tags(filter_to_alive_tags(Tag.select()))):
+        repo = tag.repository
 
-    assert get_tag(repo, tag.name) == tag
-    assert tag.lifetime_end_ms is None
+        assert get_tag(repo, tag.name) == tag
+        assert tag.lifetime_end_ms is None
 
-    with assert_query_count(4):
-      assert delete_tag(repo, tag.name) == tag
+        with assert_query_count(4):
+            assert delete_tag(repo, tag.name) == tag
 
-    assert get_tag(repo, tag.name) is None
-    found = True
+        assert get_tag(repo, tag.name) is None
+        found = True
 
-  assert found
+    assert found
 
 
 def test_delete_tags_for_manifest(initialized_db):
-  for tag in list(filter_to_visible_tags(filter_to_alive_tags(Tag.select()))):
-    repo = tag.repository
-    assert get_tag(repo, tag.name) == tag
+    for tag in list(filter_to_visible_tags(filter_to_alive_tags(Tag.select()))):
+        repo = tag.repository
+        assert get_tag(repo, tag.name) == tag
 
-    with assert_query_count(5):
-      assert delete_tags_for_manifest(tag.manifest) == [tag]
+        with assert_query_count(5):
+            assert delete_tags_for_manifest(tag.manifest) == [tag]
 
-    assert get_tag(repo, tag.name) is None
+        assert get_tag(repo, tag.name) is None
 
 
 def test_delete_tags_for_manifest_same_manifest(initialized_db):
-  new_repo = model.repository.create_repository('devtable', 'newrepo', None)
-  manifest_1, _ = create_manifest_for_testing(new_repo, '1')
-  manifest_2, _ = create_manifest_for_testing(new_repo, '2')
+    new_repo = model.repository.create_repository("devtable", "newrepo", None)
+    manifest_1, _ = create_manifest_for_testing(new_repo, "1")
+    manifest_2, _ = create_manifest_for_testing(new_repo, "2")
 
-  assert manifest_1.digest != manifest_2.digest
+    assert manifest_1.digest != manifest_2.digest
 
-  # Add some tag history, moving a tag back and forth between two manifests.
-  retarget_tag('latest', manifest_1)
-  retarget_tag('latest', manifest_2)
-  retarget_tag('latest', manifest_1)
-  retarget_tag('latest', manifest_2)
+    # Add some tag history, moving a tag back and forth between two manifests.
+    retarget_tag("latest", manifest_1)
+    retarget_tag("latest", manifest_2)
+    retarget_tag("latest", manifest_1)
+    retarget_tag("latest", manifest_2)
 
-  retarget_tag('another1', manifest_1)
-  retarget_tag('another2', manifest_2)
+    retarget_tag("another1", manifest_1)
+    retarget_tag("another2", manifest_2)
 
-  # Delete all tags pointing to the first manifest.
-  delete_tags_for_manifest(manifest_1)
+    # Delete all tags pointing to the first manifest.
+    delete_tags_for_manifest(manifest_1)
 
-  assert get_tag(new_repo, 'latest').manifest == manifest_2
-  assert get_tag(new_repo, 'another1') is None
-  assert get_tag(new_repo, 'another2').manifest == manifest_2
+    assert get_tag(new_repo, "latest").manifest == manifest_2
+    assert get_tag(new_repo, "another1") is None
+    assert get_tag(new_repo, "another2").manifest == manifest_2
 
-  # Delete all tags pointing to the second manifest, which should actually delete the `latest`
-  # tag now.
-  delete_tags_for_manifest(manifest_2)
-  assert get_tag(new_repo, 'latest') is None
-  assert get_tag(new_repo, 'another1') is None
-  assert get_tag(new_repo, 'another2') is None
+    # Delete all tags pointing to the second manifest, which should actually delete the `latest`
+    # tag now.
+    delete_tags_for_manifest(manifest_2)
+    assert get_tag(new_repo, "latest") is None
+    assert get_tag(new_repo, "another1") is None
+    assert get_tag(new_repo, "another2") is None
 
 
-@pytest.mark.parametrize('timedelta, expected_timedelta', [
-  pytest.param(timedelta(seconds=1), timedelta(hours=1), id='less than minimum'),
-  pytest.param(timedelta(weeks=300), timedelta(weeks=104), id='more than maxium'),
-  pytest.param(timedelta(weeks=1), timedelta(weeks=1), id='within range'),
-])
+@pytest.mark.parametrize(
+    "timedelta, expected_timedelta",
+    [
+        pytest.param(timedelta(seconds=1), timedelta(hours=1), id="less than minimum"),
+        pytest.param(timedelta(weeks=300), timedelta(weeks=104), id="more than maxium"),
+        pytest.param(timedelta(weeks=1), timedelta(weeks=1), id="within range"),
+    ],
+)
 def test_change_tag_expiration(timedelta, expected_timedelta, initialized_db):
-  now = datetime.utcnow()
-  now_ms = timegm(now.utctimetuple()) * 1000
+    now = datetime.utcnow()
+    now_ms = timegm(now.utctimetuple()) * 1000
 
-  tag = Tag.get()
-  tag.lifetime_start_ms = now_ms
-  tag.save()
+    tag = Tag.get()
+    tag.lifetime_start_ms = now_ms
+    tag.save()
 
-  original_end_ms, okay = change_tag_expiration(tag, now + timedelta)
-  assert okay
-  assert original_end_ms == tag.lifetime_end_ms
+    original_end_ms, okay = change_tag_expiration(tag, now + timedelta)
+    assert okay
+    assert original_end_ms == tag.lifetime_end_ms
 
-  updated_tag = Tag.get(id=tag.id)
-  offset = expected_timedelta.total_seconds() * 1000
-  expected_ms = (updated_tag.lifetime_start_ms + offset)
-  assert updated_tag.lifetime_end_ms == expected_ms
+    updated_tag = Tag.get(id=tag.id)
+    offset = expected_timedelta.total_seconds() * 1000
+    expected_ms = updated_tag.lifetime_start_ms + offset
+    assert updated_tag.lifetime_end_ms == expected_ms
 
-  original_end_ms, okay = change_tag_expiration(tag, None)
-  assert okay
-  assert original_end_ms == expected_ms
+    original_end_ms, okay = change_tag_expiration(tag, None)
+    assert okay
+    assert original_end_ms == expected_ms
 
-  updated_tag = Tag.get(id=tag.id)
-  assert updated_tag.lifetime_end_ms is None
+    updated_tag = Tag.get(id=tag.id)
+    assert updated_tag.lifetime_end_ms is None
 
 
 def test_set_tag_expiration_for_manifest(initialized_db):
-  tag = Tag.get()
-  manifest = tag.manifest
-  assert manifest is not None
+    tag = Tag.get()
+    manifest = tag.manifest
+    assert manifest is not None
 
-  set_tag_expiration_for_manifest(manifest, datetime.utcnow() + timedelta(weeks=1))
+    set_tag_expiration_for_manifest(manifest, datetime.utcnow() + timedelta(weeks=1))
 
-  updated_tag = Tag.get(id=tag.id)
-  assert updated_tag.lifetime_end_ms is not None
+    updated_tag = Tag.get(id=tag.id)
+    assert updated_tag.lifetime_end_ms is not None
 
 
 def test_create_temporary_tag_if_necessary(initialized_db):
-  tag = Tag.get()
-  manifest = tag.manifest
-  assert manifest is not None
+    tag = Tag.get()
+    manifest = tag.manifest
+    assert manifest is not None
 
-  # Ensure no tag is created, since an existing one is present.
-  created = create_temporary_tag_if_necessary(manifest, 60)
-  assert created is None
+    # Ensure no tag is created, since an existing one is present.
+    created = create_temporary_tag_if_necessary(manifest, 60)
+    assert created is None
 
-  # Mark the tag as deleted.
-  tag.lifetime_end_ms = 1
-  tag.save()
+    # Mark the tag as deleted.
+    tag.lifetime_end_ms = 1
+    tag.save()
 
-  # Now create a temp tag.
-  created = create_temporary_tag_if_necessary(manifest, 60)
-  assert created is not None
-  assert created.hidden
-  assert created.name.startswith('$temp-')
-  assert created.manifest == manifest
-  assert created.lifetime_end_ms is not None
-  assert created.lifetime_end_ms == (created.lifetime_start_ms + 60000)
+    # Now create a temp tag.
+    created = create_temporary_tag_if_necessary(manifest, 60)
+    assert created is not None
+    assert created.hidden
+    assert created.name.startswith("$temp-")
+    assert created.manifest == manifest
+    assert created.lifetime_end_ms is not None
+    assert created.lifetime_end_ms == (created.lifetime_start_ms + 60000)
 
-  # Try again and ensure it is not created.
-  created = create_temporary_tag_if_necessary(manifest, 30)
-  assert created is None
+    # Try again and ensure it is not created.
+    created = create_temporary_tag_if_necessary(manifest, 30)
+    assert created is None
 
 
 def test_retarget_tag(initialized_db):
-  repo = get_repository('devtable', 'history')
-  results, _ = list_repository_tag_history(repo, 1, 100, specific_tag_name='latest')
+    repo = get_repository("devtable", "history")
+    results, _ = list_repository_tag_history(repo, 1, 100, specific_tag_name="latest")
 
-  assert len(results) == 2
-  assert results[0].lifetime_end_ms is None
-  assert results[1].lifetime_end_ms is not None
+    assert len(results) == 2
+    assert results[0].lifetime_end_ms is None
+    assert results[1].lifetime_end_ms is not None
 
-  # Revert back to the original manifest.
-  created = retarget_tag('latest', results[0].manifest, is_reversion=True,
-                         now_ms=results[1].lifetime_end_ms + 10000)
-  assert created.lifetime_end_ms is None
-  assert created.reversion
-  assert created.name == 'latest'
-  assert created.manifest == results[0].manifest
+    # Revert back to the original manifest.
+    created = retarget_tag(
+        "latest",
+        results[0].manifest,
+        is_reversion=True,
+        now_ms=results[1].lifetime_end_ms + 10000,
+    )
+    assert created.lifetime_end_ms is None
+    assert created.reversion
+    assert created.name == "latest"
+    assert created.manifest == results[0].manifest
 
-  # Verify in the history.
-  results, _ = list_repository_tag_history(repo, 1, 100, specific_tag_name='latest')
+    # Verify in the history.
+    results, _ = list_repository_tag_history(repo, 1, 100, specific_tag_name="latest")
 
-  assert len(results) == 3
-  assert results[0].lifetime_end_ms is None
-  assert results[1].lifetime_end_ms is not None
-  assert results[2].lifetime_end_ms is not None
+    assert len(results) == 3
+    assert results[0].lifetime_end_ms is None
+    assert results[1].lifetime_end_ms is not None
+    assert results[2].lifetime_end_ms is not None
 
-  assert results[0] == created
+    assert results[0] == created
 
-  # Verify old-style tables.
-  repository_tag = TagToRepositoryTag.get(tag=created).repository_tag
-  assert repository_tag.lifetime_start_ts == int(created.lifetime_start_ms / 1000)
+    # Verify old-style tables.
+    repository_tag = TagToRepositoryTag.get(tag=created).repository_tag
+    assert repository_tag.lifetime_start_ts == int(created.lifetime_start_ms / 1000)
 
-  tag_manifest = TagManifest.get(tag=repository_tag)
-  assert TagManifestToManifest.get(tag_manifest=tag_manifest).manifest == created.manifest
+    tag_manifest = TagManifest.get(tag=repository_tag)
+    assert (
+        TagManifestToManifest.get(tag_manifest=tag_manifest).manifest
+        == created.manifest
+    )
 
 
 def test_retarget_tag_wrong_name(initialized_db):
-  repo = get_repository('devtable', 'history')
-  results, _ = list_repository_tag_history(repo, 1, 100, specific_tag_name='latest')
-  assert len(results) == 2
+    repo = get_repository("devtable", "history")
+    results, _ = list_repository_tag_history(repo, 1, 100, specific_tag_name="latest")
+    assert len(results) == 2
 
-  created = retarget_tag('someothername', results[1].manifest, is_reversion=True)
-  assert created is None
+    created = retarget_tag("someothername", results[1].manifest, is_reversion=True)
+    assert created is None
 
-  results, _ = list_repository_tag_history(repo, 1, 100, specific_tag_name='latest')
-  assert len(results) == 2
+    results, _ = list_repository_tag_history(repo, 1, 100, specific_tag_name="latest")
+    assert len(results) == 2
 
 
 def test_lookup_unrecoverable_tags(initialized_db):
-  # Ensure no existing tags are found.
-  for repo in Repository.select():
-    assert not list(lookup_unrecoverable_tags(repo))
+    # Ensure no existing tags are found.
+    for repo in Repository.select():
+        assert not list(lookup_unrecoverable_tags(repo))
 
-  # Mark a tag as outside the expiration window and ensure it is found.
-  repo = get_repository('devtable', 'history')
-  results, _ = list_repository_tag_history(repo, 1, 100, specific_tag_name='latest')
-  assert len(results) == 2
+    # Mark a tag as outside the expiration window and ensure it is found.
+    repo = get_repository("devtable", "history")
+    results, _ = list_repository_tag_history(repo, 1, 100, specific_tag_name="latest")
+    assert len(results) == 2
 
-  results[1].lifetime_end_ms = 1
-  results[1].save()
+    results[1].lifetime_end_ms = 1
+    results[1].save()
 
-  # Ensure the tag is now found.
-  found = list(lookup_unrecoverable_tags(repo))
-  assert found
-  assert len(found) == 1
-  assert found[0] == results[1]
+    # Ensure the tag is now found.
+    found = list(lookup_unrecoverable_tags(repo))
+    assert found
+    assert len(found) == 1
+    assert found[0] == results[1]
 
-  # Mark the tag as expiring in the future and ensure it is no longer found.
-  results[1].lifetime_end_ms = get_epoch_timestamp_ms() + 1000000
-  results[1].save()
+    # Mark the tag as expiring in the future and ensure it is no longer found.
+    results[1].lifetime_end_ms = get_epoch_timestamp_ms() + 1000000
+    results[1].save()
 
-  found = list(lookup_unrecoverable_tags(repo))
-  assert not found
+    found = list(lookup_unrecoverable_tags(repo))
+    assert not found
diff --git a/data/model/organization.py b/data/model/organization.py
index b42f0d454..a3543e459 100644
--- a/data/model/organization.py
+++ b/data/model/organization.py
@@ -1,167 +1,208 @@
-
-from data.database import (User, FederatedLogin, TeamMember, Team, TeamRole, RepositoryPermission,
-                           Repository, Namespace, DeletedNamespace)
-from data.model import (user, team, DataModelException, InvalidOrganizationException,
-                        InvalidUsernameException, db_transaction, _basequery)
+from data.database import (
+    User,
+    FederatedLogin,
+    TeamMember,
+    Team,
+    TeamRole,
+    RepositoryPermission,
+    Repository,
+    Namespace,
+    DeletedNamespace,
+)
+from data.model import (
+    user,
+    team,
+    DataModelException,
+    InvalidOrganizationException,
+    InvalidUsernameException,
+    db_transaction,
+    _basequery,
+)
 
 
-def create_organization(name, email, creating_user, email_required=True, is_possible_abuser=False):
-  with db_transaction():
-    try:
-      # Create the org
-      new_org = user.create_user_noverify(name, email, email_required=email_required,
-                                          is_possible_abuser=is_possible_abuser)
-      new_org.organization = True
-      new_org.save()
+def create_organization(
+    name, email, creating_user, email_required=True, is_possible_abuser=False
+):
+    with db_transaction():
+        try:
+            # Create the org
+            new_org = user.create_user_noverify(
+                name,
+                email,
+                email_required=email_required,
+                is_possible_abuser=is_possible_abuser,
+            )
+            new_org.organization = True
+            new_org.save()
 
-      # Create a team for the owners
-      owners_team = team.create_team('owners', new_org, 'admin')
+            # Create a team for the owners
+            owners_team = team.create_team("owners", new_org, "admin")
 
-      # Add the user who created the org to the owners team
-      team.add_user_to_team(creating_user, owners_team)
+            # Add the user who created the org to the owners team
+            team.add_user_to_team(creating_user, owners_team)
 
-      return new_org
-    except InvalidUsernameException as iue:
-      raise InvalidOrganizationException(iue.message)
+            return new_org
+        except InvalidUsernameException as iue:
+            raise InvalidOrganizationException(iue.message)
 
 
 def get_organization(name):
-  try:
-    return User.get(username=name, organization=True)
-  except User.DoesNotExist:
-    raise InvalidOrganizationException('Organization does not exist: %s' %
-                                       name)
+    try:
+        return User.get(username=name, organization=True)
+    except User.DoesNotExist:
+        raise InvalidOrganizationException("Organization does not exist: %s" % name)
 
 
 def convert_user_to_organization(user_obj, admin_user):
-  if user_obj.robot:
-    raise DataModelException('Cannot convert a robot into an organization')
+    if user_obj.robot:
+        raise DataModelException("Cannot convert a robot into an organization")
 
-  with db_transaction():
-    # Change the user to an organization and disable this account for login.
-    user_obj.organization = True
-    user_obj.password_hash = None
-    user_obj.save()
+    with db_transaction():
+        # Change the user to an organization and disable this account for login.
+        user_obj.organization = True
+        user_obj.password_hash = None
+        user_obj.save()
 
-    # Clear any federated auth pointing to this user.
-    FederatedLogin.delete().where(FederatedLogin.user == user_obj).execute()
+        # Clear any federated auth pointing to this user.
+        FederatedLogin.delete().where(FederatedLogin.user == user_obj).execute()
 
-    # Delete any user-specific permissions on repositories.
-    (RepositoryPermission.delete()
-                         .where(RepositoryPermission.user == user_obj)
-                         .execute())
+        # Delete any user-specific permissions on repositories.
+        (
+            RepositoryPermission.delete()
+            .where(RepositoryPermission.user == user_obj)
+            .execute()
+        )
 
-    # Create a team for the owners
-    owners_team = team.create_team('owners', user_obj, 'admin')
+        # Create a team for the owners
+        owners_team = team.create_team("owners", user_obj, "admin")
 
-    # Add the user who will admin the org to the owners team
-    team.add_user_to_team(admin_user, owners_team)
+        # Add the user who will admin the org to the owners team
+        team.add_user_to_team(admin_user, owners_team)
 
-    return user_obj
+        return user_obj
 
 
 def get_user_organizations(username):
-  return _basequery.get_user_organizations(username)
+    return _basequery.get_user_organizations(username)
+
 
 def get_organization_team_members(teamid):
-  joined = User.select().join(TeamMember).join(Team)
-  query = joined.where(Team.id == teamid)
-  return query
+    joined = User.select().join(TeamMember).join(Team)
+    query = joined.where(Team.id == teamid)
+    return query
 
 
 def __get_org_admin_users(org):
-  return (User
-          .select()
-          .join(TeamMember)
-          .join(Team)
-          .join(TeamRole)
-          .where(Team.organization == org, TeamRole.name == 'admin', User.robot == False)
-          .distinct())
+    return (
+        User.select()
+        .join(TeamMember)
+        .join(Team)
+        .join(TeamRole)
+        .where(Team.organization == org, TeamRole.name == "admin", User.robot == False)
+        .distinct()
+    )
+
 
 def get_admin_users(org):
-  """ Returns the owner users for the organization. """
-  return __get_org_admin_users(org)
+    """ Returns the owner users for the organization. """
+    return __get_org_admin_users(org)
+
 
 def remove_organization_member(org, user_obj):
-  org_admins = [u.username for u in __get_org_admin_users(org)]
-  if len(org_admins) == 1 and user_obj.username in org_admins:
-    raise DataModelException('Cannot remove user as they are the only organization admin')
+    org_admins = [u.username for u in __get_org_admin_users(org)]
+    if len(org_admins) == 1 and user_obj.username in org_admins:
+        raise DataModelException(
+            "Cannot remove user as they are the only organization admin"
+        )
 
-  with db_transaction():
-    # Find and remove the user from any repositories under the org.
-    permissions = list(RepositoryPermission
-                       .select(RepositoryPermission.id)
-                       .join(Repository)
-                       .where(Repository.namespace_user == org,
-                              RepositoryPermission.user == user_obj))
+    with db_transaction():
+        # Find and remove the user from any repositories under the org.
+        permissions = list(
+            RepositoryPermission.select(RepositoryPermission.id)
+            .join(Repository)
+            .where(
+                Repository.namespace_user == org, RepositoryPermission.user == user_obj
+            )
+        )
 
-    if permissions:
-      RepositoryPermission.delete().where(RepositoryPermission.id << permissions).execute()
+        if permissions:
+            RepositoryPermission.delete().where(
+                RepositoryPermission.id << permissions
+            ).execute()
 
-    # Find and remove the user from any teams under the org.
-    members = list(TeamMember
-                   .select(TeamMember.id)
-                   .join(Team)
-                   .where(Team.organization == org, TeamMember.user == user_obj))
+        # Find and remove the user from any teams under the org.
+        members = list(
+            TeamMember.select(TeamMember.id)
+            .join(Team)
+            .where(Team.organization == org, TeamMember.user == user_obj)
+        )
 
-    if members:
-      TeamMember.delete().where(TeamMember.id << members).execute()
+        if members:
+            TeamMember.delete().where(TeamMember.id << members).execute()
 
 
 def get_organization_member_set(org, include_robots=False, users_filter=None):
-  """ Returns the set of all member usernames under the given organization, with optional
+    """ Returns the set of all member usernames under the given organization, with optional
       filtering by robots and/or by a specific set of User objects.
   """
-  Org = User.alias()
-  org_users = (User
-               .select(User.username)
-               .join(TeamMember)
-               .join(Team)
-               .where(Team.organization == org)
-               .distinct())
+    Org = User.alias()
+    org_users = (
+        User.select(User.username)
+        .join(TeamMember)
+        .join(Team)
+        .where(Team.organization == org)
+        .distinct()
+    )
 
-  if not include_robots:
-    org_users = org_users.where(User.robot == False)
+    if not include_robots:
+        org_users = org_users.where(User.robot == False)
 
-  if users_filter is not None:
-    ids_list = [u.id for u in users_filter if u is not None]
-    if not ids_list:
-      return set()
+    if users_filter is not None:
+        ids_list = [u.id for u in users_filter if u is not None]
+        if not ids_list:
+            return set()
 
-    org_users = org_users.where(User.id << ids_list)
+        org_users = org_users.where(User.id << ids_list)
 
-  return {user.username for user in org_users}
+    return {user.username for user in org_users}
 
 
 def get_all_repo_users_transitive_via_teams(namespace_name, repository_name):
-  return (User
-          .select()
-          .distinct()
-          .join(TeamMember)
-          .join(Team)
-          .join(RepositoryPermission)
-          .join(Repository)
-          .join(Namespace, on=(Repository.namespace_user == Namespace.id))
-          .where(Namespace.username == namespace_name, Repository.name == repository_name))
+    return (
+        User.select()
+        .distinct()
+        .join(TeamMember)
+        .join(Team)
+        .join(RepositoryPermission)
+        .join(Repository)
+        .join(Namespace, on=(Repository.namespace_user == Namespace.id))
+        .where(Namespace.username == namespace_name, Repository.name == repository_name)
+    )
 
 
 def get_organizations(deleted=False):
-  query = User.select().where(User.organization == True, User.robot == False)
+    query = User.select().where(User.organization == True, User.robot == False)
 
-  if not deleted:
-    query = query.where(User.id.not_in(DeletedNamespace.select(DeletedNamespace.namespace)))
+    if not deleted:
+        query = query.where(
+            User.id.not_in(DeletedNamespace.select(DeletedNamespace.namespace))
+        )
 
-  return query
+    return query
 
 
 def get_active_org_count():
-  return get_organizations().count()
+    return get_organizations().count()
 
 
 def add_user_as_admin(user_obj, org_obj):
-  try:
-    admin_role = TeamRole.get(name='admin')
-    admin_team = Team.select().where(Team.role == admin_role, Team.organization == org_obj).get()
-    team.add_user_to_team(user_obj, admin_team)
-  except team.UserAlreadyInTeam:
-    pass
+    try:
+        admin_role = TeamRole.get(name="admin")
+        admin_team = (
+            Team.select()
+            .where(Team.role == admin_role, Team.organization == org_obj)
+            .get()
+        )
+        team.add_user_to_team(user_obj, admin_team)
+    except team.UserAlreadyInTeam:
+        pass
diff --git a/data/model/permission.py b/data/model/permission.py
index e38584561..159110f16 100644
--- a/data/model/permission.py
+++ b/data/model/permission.py
@@ -1,322 +1,387 @@
 from peewee import JOIN
 
-from data.database import (RepositoryPermission, User, Repository, Visibility, Role, TeamMember,
-                           PermissionPrototype, Team, TeamRole, Namespace)
+from data.database import (
+    RepositoryPermission,
+    User,
+    Repository,
+    Visibility,
+    Role,
+    TeamMember,
+    PermissionPrototype,
+    Team,
+    TeamRole,
+    Namespace,
+)
 from data.model import DataModelException, _basequery
 from util.names import parse_robot_username
 
+
 def list_team_permissions(team):
-  return (RepositoryPermission
-          .select(RepositoryPermission)
-          .join(Repository)
-          .join(Visibility)
-          .switch(RepositoryPermission)
-          .join(Role)
-          .switch(RepositoryPermission)
-          .where(RepositoryPermission.team == team))
+    return (
+        RepositoryPermission.select(RepositoryPermission)
+        .join(Repository)
+        .join(Visibility)
+        .switch(RepositoryPermission)
+        .join(Role)
+        .switch(RepositoryPermission)
+        .where(RepositoryPermission.team == team)
+    )
 
 
 def list_robot_permissions(robot_name):
-  return (RepositoryPermission
-          .select(RepositoryPermission, User, Repository)
-          .join(Repository)
-          .join(Visibility)
-          .switch(RepositoryPermission)
-          .join(Role)
-          .switch(RepositoryPermission)
-          .join(User)
-          .where(User.username == robot_name, User.robot == True))
+    return (
+        RepositoryPermission.select(RepositoryPermission, User, Repository)
+        .join(Repository)
+        .join(Visibility)
+        .switch(RepositoryPermission)
+        .join(Role)
+        .switch(RepositoryPermission)
+        .join(User)
+        .where(User.username == robot_name, User.robot == True)
+    )
 
 
 def list_organization_member_permissions(organization, limit_to_user=None):
-  query = (RepositoryPermission
-           .select(RepositoryPermission, Repository, User)
-           .join(Repository)
-           .switch(RepositoryPermission)
-           .join(User)
-           .where(Repository.namespace_user == organization))
+    query = (
+        RepositoryPermission.select(RepositoryPermission, Repository, User)
+        .join(Repository)
+        .switch(RepositoryPermission)
+        .join(User)
+        .where(Repository.namespace_user == organization)
+    )
 
-  if limit_to_user is not None:
-    query = query.where(RepositoryPermission.user == limit_to_user)
-  else:
-    query = query.where(User.robot == False)
+    if limit_to_user is not None:
+        query = query.where(RepositoryPermission.user == limit_to_user)
+    else:
+        query = query.where(User.robot == False)
 
-  return query
+    return query
 
 
 def get_all_user_repository_permissions(user):
-  return _get_user_repo_permissions(user)
+    return _get_user_repo_permissions(user)
 
 
 def get_user_repo_permissions(user, repo):
-  return _get_user_repo_permissions(user, limit_to_repository_obj=repo)
+    return _get_user_repo_permissions(user, limit_to_repository_obj=repo)
 
 
 def get_user_repository_permissions(user, namespace, repo_name):
-  return _get_user_repo_permissions(user, limit_namespace=namespace, limit_repo_name=repo_name)
+    return _get_user_repo_permissions(
+        user, limit_namespace=namespace, limit_repo_name=repo_name
+    )
 
 
-def _get_user_repo_permissions(user, limit_to_repository_obj=None, limit_namespace=None,
-                               limit_repo_name=None):
-  UserThroughTeam = User.alias()
+def _get_user_repo_permissions(
+    user, limit_to_repository_obj=None, limit_namespace=None, limit_repo_name=None
+):
+    UserThroughTeam = User.alias()
 
-  base_query = (RepositoryPermission
-                .select(RepositoryPermission, Role, Repository, Namespace)
-                .join(Role)
-                .switch(RepositoryPermission)
-                .join(Repository)
-                .join(Namespace, on=(Repository.namespace_user == Namespace.id))
-                .switch(RepositoryPermission))
+    base_query = (
+        RepositoryPermission.select(RepositoryPermission, Role, Repository, Namespace)
+        .join(Role)
+        .switch(RepositoryPermission)
+        .join(Repository)
+        .join(Namespace, on=(Repository.namespace_user == Namespace.id))
+        .switch(RepositoryPermission)
+    )
 
-  if limit_to_repository_obj is not None:
-    base_query = base_query.where(RepositoryPermission.repository == limit_to_repository_obj)
-  elif limit_namespace and limit_repo_name:
-    base_query = base_query.where(Repository.name == limit_repo_name,
-                                  Namespace.username == limit_namespace)
+    if limit_to_repository_obj is not None:
+        base_query = base_query.where(
+            RepositoryPermission.repository == limit_to_repository_obj
+        )
+    elif limit_namespace and limit_repo_name:
+        base_query = base_query.where(
+            Repository.name == limit_repo_name, Namespace.username == limit_namespace
+        )
 
-  direct = (base_query
-            .clone()
-            .join(User)
-            .where(User.id == user))
+    direct = base_query.clone().join(User).where(User.id == user)
 
-  team = (base_query
-          .clone()
-          .join(Team)
-          .join(TeamMember)
-          .join(UserThroughTeam, on=(UserThroughTeam.id == TeamMember.user))
-          .where(UserThroughTeam.id == user))
+    team = (
+        base_query.clone()
+        .join(Team)
+        .join(TeamMember)
+        .join(UserThroughTeam, on=(UserThroughTeam.id == TeamMember.user))
+        .where(UserThroughTeam.id == user)
+    )
 
-  return direct | team
+    return direct | team
 
 
 def delete_prototype_permission(org, uid):
-  found = get_prototype_permission(org, uid)
-  if not found:
-    return None
+    found = get_prototype_permission(org, uid)
+    if not found:
+        return None
 
-  found.delete_instance()
-  return found
+    found.delete_instance()
+    return found
 
 
 def get_prototype_permission(org, uid):
-  try:
-    return PermissionPrototype.get(PermissionPrototype.org == org,
-                                   PermissionPrototype.uuid == uid)
-  except PermissionPrototype.DoesNotExist:
-    return None
+    try:
+        return PermissionPrototype.get(
+            PermissionPrototype.org == org, PermissionPrototype.uuid == uid
+        )
+    except PermissionPrototype.DoesNotExist:
+        return None
 
 
 def get_prototype_permissions(org):
-  ActivatingUser = User.alias()
-  DelegateUser = User.alias()
-  query = (PermissionPrototype
-           .select()
-           .where(PermissionPrototype.org == org)
-           .join(ActivatingUser, JOIN.LEFT_OUTER,
-                 on=(ActivatingUser.id == PermissionPrototype.activating_user))
-           .join(DelegateUser, JOIN.LEFT_OUTER,
-                 on=(DelegateUser.id == PermissionPrototype.delegate_user))
-           .join(Team, JOIN.LEFT_OUTER,
-                 on=(Team.id == PermissionPrototype.delegate_team))
-           .join(Role, JOIN.LEFT_OUTER, on=(Role.id == PermissionPrototype.role)))
-  return query
+    ActivatingUser = User.alias()
+    DelegateUser = User.alias()
+    query = (
+        PermissionPrototype.select()
+        .where(PermissionPrototype.org == org)
+        .join(
+            ActivatingUser,
+            JOIN.LEFT_OUTER,
+            on=(ActivatingUser.id == PermissionPrototype.activating_user),
+        )
+        .join(
+            DelegateUser,
+            JOIN.LEFT_OUTER,
+            on=(DelegateUser.id == PermissionPrototype.delegate_user),
+        )
+        .join(Team, JOIN.LEFT_OUTER, on=(Team.id == PermissionPrototype.delegate_team))
+        .join(Role, JOIN.LEFT_OUTER, on=(Role.id == PermissionPrototype.role))
+    )
+    return query
 
 
 def update_prototype_permission(org, uid, role_name):
-  found = get_prototype_permission(org, uid)
-  if not found:
-    return None
+    found = get_prototype_permission(org, uid)
+    if not found:
+        return None
 
-  new_role = Role.get(Role.name == role_name)
-  found.role = new_role
-  found.save()
-  return found
+    new_role = Role.get(Role.name == role_name)
+    found.role = new_role
+    found.save()
+    return found
 
 
-def add_prototype_permission(org, role_name, activating_user,
-                             delegate_user=None, delegate_team=None):
-  new_role = Role.get(Role.name == role_name)
-  return PermissionPrototype.create(org=org, role=new_role, activating_user=activating_user,
-                                    delegate_user=delegate_user, delegate_team=delegate_team)
+def add_prototype_permission(
+    org, role_name, activating_user, delegate_user=None, delegate_team=None
+):
+    new_role = Role.get(Role.name == role_name)
+    return PermissionPrototype.create(
+        org=org,
+        role=new_role,
+        activating_user=activating_user,
+        delegate_user=delegate_user,
+        delegate_team=delegate_team,
+    )
 
 
 def get_org_wide_permissions(user, org_filter=None):
-  Org = User.alias()
-  team_with_role = Team.select(Team, Org, TeamRole).join(TeamRole)
-  with_org = team_with_role.switch(Team).join(Org, on=(Team.organization ==
-                                                       Org.id))
-  with_user = with_org.switch(Team).join(TeamMember).join(User)
+    Org = User.alias()
+    team_with_role = Team.select(Team, Org, TeamRole).join(TeamRole)
+    with_org = team_with_role.switch(Team).join(Org, on=(Team.organization == Org.id))
+    with_user = with_org.switch(Team).join(TeamMember).join(User)
 
-  if org_filter:
-    with_user.where(Org.username == org_filter)
+    if org_filter:
+        with_user.where(Org.username == org_filter)
 
-  return with_user.where(User.id == user, Org.organization == True)
+    return with_user.where(User.id == user, Org.organization == True)
 
 
 def get_all_repo_teams(namespace_name, repository_name):
-  return (RepositoryPermission
-          .select(Team.name, Role.name, RepositoryPermission)
-          .join(Team)
-          .switch(RepositoryPermission)
-          .join(Role)
-          .switch(RepositoryPermission)
-          .join(Repository)
-          .join(Namespace, on=(Repository.namespace_user == Namespace.id))
-          .where(Namespace.username == namespace_name, Repository.name == repository_name))
+    return (
+        RepositoryPermission.select(Team.name, Role.name, RepositoryPermission)
+        .join(Team)
+        .switch(RepositoryPermission)
+        .join(Role)
+        .switch(RepositoryPermission)
+        .join(Repository)
+        .join(Namespace, on=(Repository.namespace_user == Namespace.id))
+        .where(Namespace.username == namespace_name, Repository.name == repository_name)
+    )
 
 
 def apply_default_permissions(repo_obj, creating_user_obj):
-  org = repo_obj.namespace_user
-  user_clause = ((PermissionPrototype.activating_user == creating_user_obj) |
-                 (PermissionPrototype.activating_user >> None))
+    org = repo_obj.namespace_user
+    user_clause = (PermissionPrototype.activating_user == creating_user_obj) | (
+        PermissionPrototype.activating_user >> None
+    )
 
-  team_protos = (PermissionPrototype
-                 .select()
-                 .where(PermissionPrototype.org == org, user_clause,
-                        PermissionPrototype.delegate_user >> None))
+    team_protos = PermissionPrototype.select().where(
+        PermissionPrototype.org == org,
+        user_clause,
+        PermissionPrototype.delegate_user >> None,
+    )
 
-  def create_team_permission(team, repo, role):
-    RepositoryPermission.create(team=team, repository=repo, role=role)
+    def create_team_permission(team, repo, role):
+        RepositoryPermission.create(team=team, repository=repo, role=role)
 
-  __apply_permission_list(repo_obj, team_protos, 'name', create_team_permission)
+    __apply_permission_list(repo_obj, team_protos, "name", create_team_permission)
 
-  user_protos = (PermissionPrototype
-                 .select()
-                 .where(PermissionPrototype.org == org, user_clause,
-                        PermissionPrototype.delegate_team >> None))
+    user_protos = PermissionPrototype.select().where(
+        PermissionPrototype.org == org,
+        user_clause,
+        PermissionPrototype.delegate_team >> None,
+    )
 
-  def create_user_permission(user, repo, role):
-    # The creating user always gets admin anyway
-    if user.username == creating_user_obj.username:
-      return
+    def create_user_permission(user, repo, role):
+        # The creating user always gets admin anyway
+        if user.username == creating_user_obj.username:
+            return
 
-    RepositoryPermission.create(user=user, repository=repo, role=role)
+        RepositoryPermission.create(user=user, repository=repo, role=role)
 
-  __apply_permission_list(repo_obj, user_protos, 'username', create_user_permission)
+    __apply_permission_list(repo_obj, user_protos, "username", create_user_permission)
 
 
 def __apply_permission_list(repo, proto_query, name_property, create_permission_func):
-  final_protos = {}
-  for proto in proto_query:
-    applies_to = proto.delegate_team or proto.delegate_user
-    name = getattr(applies_to, name_property)
-    # We will skip the proto if it is pre-empted by a more important proto
-    if name in final_protos and proto.activating_user is None:
-      continue
+    final_protos = {}
+    for proto in proto_query:
+        applies_to = proto.delegate_team or proto.delegate_user
+        name = getattr(applies_to, name_property)
+        # We will skip the proto if it is pre-empted by a more important proto
+        if name in final_protos and proto.activating_user is None:
+            continue
 
-    # By this point, it is either a user specific proto, or there is no
-    # proto yet, so we can safely assume it applies
-    final_protos[name] = (applies_to, proto.role)
+        # By this point, it is either a user specific proto, or there is no
+        # proto yet, so we can safely assume it applies
+        final_protos[name] = (applies_to, proto.role)
 
-  for delegate, role in final_protos.values():
-    create_permission_func(delegate, repo, role)
+    for delegate, role in final_protos.values():
+        create_permission_func(delegate, repo, role)
 
 
-def __entity_permission_repo_query(entity_id, entity_table, entity_id_property, namespace_name,
-                                   repository_name):
-  """ This method works for both users and teams. """
+def __entity_permission_repo_query(
+    entity_id, entity_table, entity_id_property, namespace_name, repository_name
+):
+    """ This method works for both users and teams. """
 
-  return (RepositoryPermission
-          .select(entity_table, Repository, Namespace, Role, RepositoryPermission)
-          .join(entity_table)
-          .switch(RepositoryPermission)
-          .join(Role)
-          .switch(RepositoryPermission)
-          .join(Repository)
-          .join(Namespace, on=(Repository.namespace_user == Namespace.id))
-          .where(Repository.name == repository_name, Namespace.username == namespace_name,
-                 entity_id_property == entity_id))
+    return (
+        RepositoryPermission.select(
+            entity_table, Repository, Namespace, Role, RepositoryPermission
+        )
+        .join(entity_table)
+        .switch(RepositoryPermission)
+        .join(Role)
+        .switch(RepositoryPermission)
+        .join(Repository)
+        .join(Namespace, on=(Repository.namespace_user == Namespace.id))
+        .where(
+            Repository.name == repository_name,
+            Namespace.username == namespace_name,
+            entity_id_property == entity_id,
+        )
+    )
 
 
 def get_user_reponame_permission(username, namespace_name, repository_name):
-  fetched = list(__entity_permission_repo_query(username, User, User.username, namespace_name,
-                                                repository_name))
-  if not fetched:
-    raise DataModelException('User does not have permission for repo.')
+    fetched = list(
+        __entity_permission_repo_query(
+            username, User, User.username, namespace_name, repository_name
+        )
+    )
+    if not fetched:
+        raise DataModelException("User does not have permission for repo.")
 
-  return fetched[0]
+    return fetched[0]
 
 
 def get_team_reponame_permission(team_name, namespace_name, repository_name):
-  fetched = list(__entity_permission_repo_query(team_name, Team, Team.name, namespace_name,
-                                                repository_name))
-  if not fetched:
-    raise DataModelException('Team does not have permission for repo.')
+    fetched = list(
+        __entity_permission_repo_query(
+            team_name, Team, Team.name, namespace_name, repository_name
+        )
+    )
+    if not fetched:
+        raise DataModelException("Team does not have permission for repo.")
 
-  return fetched[0]
+    return fetched[0]
 
 
 def delete_user_permission(username, namespace_name, repository_name):
-  if username == namespace_name:
-    raise DataModelException('Namespace owner must always be admin.')
+    if username == namespace_name:
+        raise DataModelException("Namespace owner must always be admin.")
 
-  fetched = list(__entity_permission_repo_query(username, User, User.username, namespace_name,
-                                                repository_name))
-  if not fetched:
-    raise DataModelException('User does not have permission for repo.')
+    fetched = list(
+        __entity_permission_repo_query(
+            username, User, User.username, namespace_name, repository_name
+        )
+    )
+    if not fetched:
+        raise DataModelException("User does not have permission for repo.")
 
-  fetched[0].delete_instance()
+    fetched[0].delete_instance()
 
 
 def delete_team_permission(team_name, namespace_name, repository_name):
-  fetched = list(__entity_permission_repo_query(team_name, Team, Team.name, namespace_name,
-                                                repository_name))
-  if not fetched:
-    raise DataModelException('Team does not have permission for repo.')
+    fetched = list(
+        __entity_permission_repo_query(
+            team_name, Team, Team.name, namespace_name, repository_name
+        )
+    )
+    if not fetched:
+        raise DataModelException("Team does not have permission for repo.")
 
-  fetched[0].delete_instance()
+    fetched[0].delete_instance()
 
 
-def __set_entity_repo_permission(entity, permission_entity_property,
-                                 namespace_name, repository_name, role_name):
-  repo = _basequery.get_existing_repository(namespace_name, repository_name)
-  new_role = Role.get(Role.name == role_name)
+def __set_entity_repo_permission(
+    entity, permission_entity_property, namespace_name, repository_name, role_name
+):
+    repo = _basequery.get_existing_repository(namespace_name, repository_name)
+    new_role = Role.get(Role.name == role_name)
 
-  # Fetch any existing permission for this entity on the repo
-  try:
-    entity_attr = getattr(RepositoryPermission, permission_entity_property)
-    perm = RepositoryPermission.get(entity_attr == entity, RepositoryPermission.repository == repo)
-    perm.role = new_role
-    perm.save()
-    return perm
-  except RepositoryPermission.DoesNotExist:
-    set_entity_kwargs = {permission_entity_property: entity}
-    new_perm = RepositoryPermission.create(repository=repo, role=new_role, **set_entity_kwargs)
-    return new_perm
+    # Fetch any existing permission for this entity on the repo
+    try:
+        entity_attr = getattr(RepositoryPermission, permission_entity_property)
+        perm = RepositoryPermission.get(
+            entity_attr == entity, RepositoryPermission.repository == repo
+        )
+        perm.role = new_role
+        perm.save()
+        return perm
+    except RepositoryPermission.DoesNotExist:
+        set_entity_kwargs = {permission_entity_property: entity}
+        new_perm = RepositoryPermission.create(
+            repository=repo, role=new_role, **set_entity_kwargs
+        )
+        return new_perm
 
 
 def set_user_repo_permission(username, namespace_name, repository_name, role_name):
-  if username == namespace_name:
-    raise DataModelException('Namespace owner must always be admin.')
+    if username == namespace_name:
+        raise DataModelException("Namespace owner must always be admin.")
 
-  try:
-    user = User.get(User.username == username)
-  except User.DoesNotExist:
-    raise DataModelException('Invalid username: %s' % username)
+    try:
+        user = User.get(User.username == username)
+    except User.DoesNotExist:
+        raise DataModelException("Invalid username: %s" % username)
 
-  if user.robot:
-    parts = parse_robot_username(user.username)
-    if not parts:
-      raise DataModelException('Invalid robot: %s' % username)
+    if user.robot:
+        parts = parse_robot_username(user.username)
+        if not parts:
+            raise DataModelException("Invalid robot: %s" % username)
 
-    robot_namespace, _ = parts
-    if robot_namespace != namespace_name:
-      raise DataModelException('Cannot add robot %s under namespace %s' %
-                               (username, namespace_name))
+        robot_namespace, _ = parts
+        if robot_namespace != namespace_name:
+            raise DataModelException(
+                "Cannot add robot %s under namespace %s" % (username, namespace_name)
+            )
 
-  return __set_entity_repo_permission(user, 'user', namespace_name, repository_name, role_name)
+    return __set_entity_repo_permission(
+        user, "user", namespace_name, repository_name, role_name
+    )
 
 
 def set_team_repo_permission(team_name, namespace_name, repository_name, role_name):
-  try:
-    team = (Team
-            .select()
+    try:
+        team = (
+            Team.select()
             .join(User)
             .where(Team.name == team_name, User.username == namespace_name)
-            .get())
-  except Team.DoesNotExist:
-    raise DataModelException('No team %s in organization %s' % (team_name, namespace_name))
-
-  return __set_entity_repo_permission(team, 'team', namespace_name, repository_name, role_name)
-
+            .get()
+        )
+    except Team.DoesNotExist:
+        raise DataModelException(
+            "No team %s in organization %s" % (team_name, namespace_name)
+        )
 
+    return __set_entity_repo_permission(
+        team, "team", namespace_name, repository_name, role_name
+    )
diff --git a/data/model/release.py b/data/model/release.py
index f827eaeb0..79c5ecf5e 100644
--- a/data/model/release.py
+++ b/data/model/release.py
@@ -2,20 +2,22 @@ from data.database import QuayRelease, QuayRegion, QuayService
 
 
 def set_region_release(service_name, region_name, version):
-  service, _ = QuayService.get_or_create(name=service_name)
-  region, _ = QuayRegion.get_or_create(name=region_name)
+    service, _ = QuayService.get_or_create(name=service_name)
+    region, _ = QuayRegion.get_or_create(name=region_name)
 
-  return QuayRelease.get_or_create(service=service, version=version, region=region)
+    return QuayRelease.get_or_create(service=service, version=version, region=region)
 
 
 def get_recent_releases(service_name, region_name):
-  return (QuayRelease
-          .select(QuayRelease)
-          .join(QuayService)
-          .switch(QuayRelease)
-          .join(QuayRegion)
-          .where(QuayService.name == service_name,
-                 QuayRegion.name == region_name,
-                 QuayRelease.reverted == False,
-                )
-          .order_by(QuayRelease.created.desc()))
+    return (
+        QuayRelease.select(QuayRelease)
+        .join(QuayService)
+        .switch(QuayRelease)
+        .join(QuayRegion)
+        .where(
+            QuayService.name == service_name,
+            QuayRegion.name == region_name,
+            QuayRelease.reverted == False,
+        )
+        .order_by(QuayRelease.created.desc())
+    )
diff --git a/data/model/repo_mirror.py b/data/model/repo_mirror.py
index a9824f3ab..151057a22 100644
--- a/data/model/repo_mirror.py
+++ b/data/model/repo_mirror.py
@@ -5,8 +5,16 @@ from datetime import datetime, timedelta
 from peewee import IntegrityError, fn
 from jsonschema import ValidationError
 
-from data.database import (RepoMirrorConfig, RepoMirrorRule, RepoMirrorRuleType, RepoMirrorStatus,
-                           RepositoryState, Repository, uuid_generator, db_transaction)
+from data.database import (
+    RepoMirrorConfig,
+    RepoMirrorRule,
+    RepoMirrorRuleType,
+    RepoMirrorStatus,
+    RepositoryState,
+    Repository,
+    uuid_generator,
+    db_transaction,
+)
 from data.fields import DecryptedValue
 from data.model import DataModelException
 from util.names import parse_robot_username
@@ -14,75 +22,87 @@ from util.names import parse_robot_username
 
 # TODO: Move these to the configuration
 MAX_SYNC_RETRIES = 3
-MAX_SYNC_DURATION = 60*60*2  # 2 Hours
+MAX_SYNC_DURATION = 60 * 60 * 2  # 2 Hours
 
 
 def get_eligible_mirrors():
-  """
+    """
   Returns the RepoMirrorConfig that are ready to run now. This includes those that are:
   1. Not currently syncing but whose start time is in the past
   2. Status of "sync now"
   3. Currently marked as syncing but whose expiration time is in the past
   """
-  now = datetime.utcnow()
-  immediate_candidates_filter = ((RepoMirrorConfig.sync_status == RepoMirrorStatus.SYNC_NOW) &
-                                 (RepoMirrorConfig.sync_expiration_date >> None))
+    now = datetime.utcnow()
+    immediate_candidates_filter = (
+        RepoMirrorConfig.sync_status == RepoMirrorStatus.SYNC_NOW
+    ) & (RepoMirrorConfig.sync_expiration_date >> None)
 
-  ready_candidates_filter = ((RepoMirrorConfig.sync_start_date <= now) &
-                             (RepoMirrorConfig.sync_retries_remaining > 0) &
-                             (RepoMirrorConfig.sync_status != RepoMirrorStatus.SYNCING) &
-                             (RepoMirrorConfig.sync_expiration_date >> None) &
-                             (RepoMirrorConfig.is_enabled == True))
+    ready_candidates_filter = (
+        (RepoMirrorConfig.sync_start_date <= now)
+        & (RepoMirrorConfig.sync_retries_remaining > 0)
+        & (RepoMirrorConfig.sync_status != RepoMirrorStatus.SYNCING)
+        & (RepoMirrorConfig.sync_expiration_date >> None)
+        & (RepoMirrorConfig.is_enabled == True)
+    )
 
-  expired_candidates_filter = ((RepoMirrorConfig.sync_start_date <= now) &
-                               (RepoMirrorConfig.sync_retries_remaining > 0) &
-                               (RepoMirrorConfig.sync_status == RepoMirrorStatus.SYNCING) &
-                               (RepoMirrorConfig.sync_expiration_date <= now) &
-                               (RepoMirrorConfig.is_enabled == True))
+    expired_candidates_filter = (
+        (RepoMirrorConfig.sync_start_date <= now)
+        & (RepoMirrorConfig.sync_retries_remaining > 0)
+        & (RepoMirrorConfig.sync_status == RepoMirrorStatus.SYNCING)
+        & (RepoMirrorConfig.sync_expiration_date <= now)
+        & (RepoMirrorConfig.is_enabled == True)
+    )
 
-  return (RepoMirrorConfig
-          .select()
-          .join(Repository)
-          .where(Repository.state == RepositoryState.MIRROR)
-          .where(immediate_candidates_filter | ready_candidates_filter | expired_candidates_filter)
-          .order_by(RepoMirrorConfig.sync_start_date.asc()))
+    return (
+        RepoMirrorConfig.select()
+        .join(Repository)
+        .where(Repository.state == RepositoryState.MIRROR)
+        .where(
+            immediate_candidates_filter
+            | ready_candidates_filter
+            | expired_candidates_filter
+        )
+        .order_by(RepoMirrorConfig.sync_start_date.asc())
+    )
 
 
 def get_max_id_for_repo_mirror_config():
-  """ Gets the maximum id for repository mirroring """
-  return RepoMirrorConfig.select(fn.Max(RepoMirrorConfig.id)).scalar()
+    """ Gets the maximum id for repository mirroring """
+    return RepoMirrorConfig.select(fn.Max(RepoMirrorConfig.id)).scalar()
 
 
 def get_min_id_for_repo_mirror_config():
-  """ Gets the minimum id for a repository mirroring """
-  return RepoMirrorConfig.select(fn.Min(RepoMirrorConfig.id)).scalar()
+    """ Gets the minimum id for a repository mirroring """
+    return RepoMirrorConfig.select(fn.Min(RepoMirrorConfig.id)).scalar()
 
 
 def claim_mirror(mirror):
-  """
+    """
   Attempt to create an exclusive lock on the RepoMirrorConfig and return it.
   If unable to create the lock, `None` will be returned.
   """
 
-  # Attempt to update the RepoMirrorConfig to mark it as "claimed"
-  now = datetime.utcnow()
-  expiration_date = now + timedelta(seconds=MAX_SYNC_DURATION)
-  query = (RepoMirrorConfig
-           .update(sync_status=RepoMirrorStatus.SYNCING,
-                   sync_expiration_date=expiration_date,
-                   sync_transaction_id=uuid_generator())
-           .where(RepoMirrorConfig.id == mirror.id,
-                  RepoMirrorConfig.sync_transaction_id == mirror.sync_transaction_id))
+    # Attempt to update the RepoMirrorConfig to mark it as "claimed"
+    now = datetime.utcnow()
+    expiration_date = now + timedelta(seconds=MAX_SYNC_DURATION)
+    query = RepoMirrorConfig.update(
+        sync_status=RepoMirrorStatus.SYNCING,
+        sync_expiration_date=expiration_date,
+        sync_transaction_id=uuid_generator(),
+    ).where(
+        RepoMirrorConfig.id == mirror.id,
+        RepoMirrorConfig.sync_transaction_id == mirror.sync_transaction_id,
+    )
 
-  # If the update was successful, then it was claimed. Return the updated instance.
-  if query.execute():
-    return RepoMirrorConfig.get_by_id(mirror.id)
+    # If the update was successful, then it was claimed. Return the updated instance.
+    if query.execute():
+        return RepoMirrorConfig.get_by_id(mirror.id)
 
-  return None  # Another process must have claimed the mirror faster.
+    return None  # Another process must have claimed the mirror faster.
 
 
 def release_mirror(mirror, sync_status):
-  """
+    """
   Return a mirror to the queue and update its status.
 
   Upon success, move next sync to be at the next interval in the future. Failures remain with
@@ -91,429 +111,467 @@ def release_mirror(mirror, sync_status):
   for example, to retry the next day. Without this, users would need to manually run syncs
   to clear failure state.
   """
-  if sync_status == RepoMirrorStatus.FAIL:
-    retries = max(0, mirror.sync_retries_remaining - 1)
+    if sync_status == RepoMirrorStatus.FAIL:
+        retries = max(0, mirror.sync_retries_remaining - 1)
 
-  if sync_status == RepoMirrorStatus.SUCCESS or retries < 1:
-    now = datetime.utcnow()
-    delta = now - mirror.sync_start_date
-    delta_seconds = (delta.days * 24 * 60 * 60) + delta.seconds
-    next_start_date = now + timedelta(seconds=mirror.sync_interval - (delta_seconds % mirror.sync_interval))
-    retries = MAX_SYNC_RETRIES
-  else:
-    next_start_date = mirror.sync_start_date
+    if sync_status == RepoMirrorStatus.SUCCESS or retries < 1:
+        now = datetime.utcnow()
+        delta = now - mirror.sync_start_date
+        delta_seconds = (delta.days * 24 * 60 * 60) + delta.seconds
+        next_start_date = now + timedelta(
+            seconds=mirror.sync_interval - (delta_seconds % mirror.sync_interval)
+        )
+        retries = MAX_SYNC_RETRIES
+    else:
+        next_start_date = mirror.sync_start_date
 
-  query = (RepoMirrorConfig
-           .update(sync_transaction_id=uuid_generator(),
-                   sync_status=sync_status,
-                   sync_start_date=next_start_date,
-                   sync_expiration_date=None,
-                   sync_retries_remaining=retries)
-           .where(RepoMirrorConfig.id == mirror.id,
-                  RepoMirrorConfig.sync_transaction_id == mirror.sync_transaction_id))
+    query = RepoMirrorConfig.update(
+        sync_transaction_id=uuid_generator(),
+        sync_status=sync_status,
+        sync_start_date=next_start_date,
+        sync_expiration_date=None,
+        sync_retries_remaining=retries,
+    ).where(
+        RepoMirrorConfig.id == mirror.id,
+        RepoMirrorConfig.sync_transaction_id == mirror.sync_transaction_id,
+    )
 
-  if query.execute():
-    return RepoMirrorConfig.get_by_id(mirror.id)
+    if query.execute():
+        return RepoMirrorConfig.get_by_id(mirror.id)
 
-  # Unable to release Mirror. Has it been claimed by another process?
-  return None
+    # Unable to release Mirror. Has it been claimed by another process?
+    return None
 
 
 def expire_mirror(mirror):
-  """
+    """
   Set the mirror to synchronize ASAP and reset its failure count.
   """
 
-  # Set the next-sync date to now
-  # TODO: Verify the `where` conditions would not expire a currently syncing mirror.
-  query = (RepoMirrorConfig
-           .update(sync_transaction_id=uuid_generator(),
-                   sync_expiration_date=datetime.utcnow(),
-                   sync_retries_remaining=MAX_SYNC_RETRIES)
-           .where(RepoMirrorConfig.sync_transaction_id == mirror.sync_transaction_id,
-                  RepoMirrorConfig.id == mirror.id,
-                  RepoMirrorConfig.state != RepoMirrorStatus.SYNCING))
+    # Set the next-sync date to now
+    # TODO: Verify the `where` conditions would not expire a currently syncing mirror.
+    query = RepoMirrorConfig.update(
+        sync_transaction_id=uuid_generator(),
+        sync_expiration_date=datetime.utcnow(),
+        sync_retries_remaining=MAX_SYNC_RETRIES,
+    ).where(
+        RepoMirrorConfig.sync_transaction_id == mirror.sync_transaction_id,
+        RepoMirrorConfig.id == mirror.id,
+        RepoMirrorConfig.state != RepoMirrorStatus.SYNCING,
+    )
 
-  # Fetch and return the latest updates
-  if query.execute():
-    return RepoMirrorConfig.get_by_id(mirror.id)
+    # Fetch and return the latest updates
+    if query.execute():
+        return RepoMirrorConfig.get_by_id(mirror.id)
 
-  # Unable to update expiration date. Perhaps another process has claimed it?
-  return None  # TODO: Raise some Exception?
+    # Unable to update expiration date. Perhaps another process has claimed it?
+    return None  # TODO: Raise some Exception?
 
 
-def create_mirroring_rule(repository, rule_value, rule_type=RepoMirrorRuleType.TAG_GLOB_CSV):
-  """
+def create_mirroring_rule(
+    repository, rule_value, rule_type=RepoMirrorRuleType.TAG_GLOB_CSV
+):
+    """
   Create a RepoMirrorRule for a given Repository.
   """
 
-  if rule_type != RepoMirrorRuleType.TAG_GLOB_CSV:
-    raise ValidationError('validation failed: rule_type must be TAG_GLOB_CSV')
+    if rule_type != RepoMirrorRuleType.TAG_GLOB_CSV:
+        raise ValidationError("validation failed: rule_type must be TAG_GLOB_CSV")
 
-  if not isinstance(rule_value, list) or len(rule_value) < 1:
-    raise ValidationError('validation failed: rule_value for TAG_GLOB_CSV must be a list with at least one rule')
+    if not isinstance(rule_value, list) or len(rule_value) < 1:
+        raise ValidationError(
+            "validation failed: rule_value for TAG_GLOB_CSV must be a list with at least one rule"
+        )
 
-  rule = RepoMirrorRule.create(repository=repository, rule_type=rule_type, rule_value=rule_value)
-  return rule
+    rule = RepoMirrorRule.create(
+        repository=repository, rule_type=rule_type, rule_value=rule_value
+    )
+    return rule
 
 
-def enable_mirroring_for_repository(repository,
-                                    root_rule,
-                                    internal_robot,
-                                    external_reference,
-                                    sync_interval,
-                                    external_registry_username=None,
-                                    external_registry_password=None,
-                                    external_registry_config=None,
-                                    is_enabled=True,
-                                    sync_start_date=None):
-  """
+def enable_mirroring_for_repository(
+    repository,
+    root_rule,
+    internal_robot,
+    external_reference,
+    sync_interval,
+    external_registry_username=None,
+    external_registry_password=None,
+    external_registry_config=None,
+    is_enabled=True,
+    sync_start_date=None,
+):
+    """
   Create a RepoMirrorConfig and set the Repository to the MIRROR state.
   """
-  assert internal_robot.robot
+    assert internal_robot.robot
 
-  namespace, _ = parse_robot_username(internal_robot.username)
-  if namespace != repository.namespace_user.username:
-    raise DataModelException('Cannot use robot for mirroring')
+    namespace, _ = parse_robot_username(internal_robot.username)
+    if namespace != repository.namespace_user.username:
+        raise DataModelException("Cannot use robot for mirroring")
 
-  with db_transaction():
-    # Create the RepoMirrorConfig
-    try:
-      username = DecryptedValue(external_registry_username) if external_registry_username else None
-      password = DecryptedValue(external_registry_password) if external_registry_password else None
-      mirror = RepoMirrorConfig.create(repository=repository,
-                                       root_rule=root_rule,
-                                       is_enabled=is_enabled,
-                                       internal_robot=internal_robot,
-                                       external_reference=external_reference,
-                                       external_registry_username=username,
-                                       external_registry_password=password,
-                                       external_registry_config=external_registry_config or {},
-                                       sync_interval=sync_interval,
-                                       sync_start_date=sync_start_date or datetime.utcnow())
-    except IntegrityError:
-      return RepoMirrorConfig.get(repository=repository)
+    with db_transaction():
+        # Create the RepoMirrorConfig
+        try:
+            username = (
+                DecryptedValue(external_registry_username)
+                if external_registry_username
+                else None
+            )
+            password = (
+                DecryptedValue(external_registry_password)
+                if external_registry_password
+                else None
+            )
+            mirror = RepoMirrorConfig.create(
+                repository=repository,
+                root_rule=root_rule,
+                is_enabled=is_enabled,
+                internal_robot=internal_robot,
+                external_reference=external_reference,
+                external_registry_username=username,
+                external_registry_password=password,
+                external_registry_config=external_registry_config or {},
+                sync_interval=sync_interval,
+                sync_start_date=sync_start_date or datetime.utcnow(),
+            )
+        except IntegrityError:
+            return RepoMirrorConfig.get(repository=repository)
 
-    # Change Repository state to mirroring mode as needed
-    if repository.state != RepositoryState.MIRROR:
-      query = (Repository
-               .update(state=RepositoryState.MIRROR)
-               .where(Repository.id == repository.id))
-      if not query.execute():
-        raise DataModelException('Could not change the state of the repository')
+        # Change Repository state to mirroring mode as needed
+        if repository.state != RepositoryState.MIRROR:
+            query = Repository.update(state=RepositoryState.MIRROR).where(
+                Repository.id == repository.id
+            )
+            if not query.execute():
+                raise DataModelException("Could not change the state of the repository")
 
-    return mirror
+        return mirror
 
 
 def update_sync_status(mirror, sync_status):
-  """
+    """
   Update the sync status
   """
-  query = (RepoMirrorConfig
-           .update(sync_transaction_id=uuid_generator(),
-                   sync_status=sync_status)
-           .where(RepoMirrorConfig.sync_transaction_id == mirror.sync_transaction_id,
-                  RepoMirrorConfig.id == mirror.id))
-  if query.execute():
-    return RepoMirrorConfig.get_by_id(mirror.id)
+    query = RepoMirrorConfig.update(
+        sync_transaction_id=uuid_generator(), sync_status=sync_status
+    ).where(
+        RepoMirrorConfig.sync_transaction_id == mirror.sync_transaction_id,
+        RepoMirrorConfig.id == mirror.id,
+    )
+    if query.execute():
+        return RepoMirrorConfig.get_by_id(mirror.id)
 
-  return None
+    return None
 
 
 def update_sync_status_to_sync_now(mirror):
-  """
+    """
   This will change the sync status to SYNC_NOW and set the retries remaining to one, if it is
   less than one. None will be returned in cases where this is not possible, such as if the
   mirror is in the SYNCING state.
   """
 
-  if mirror.sync_status == RepoMirrorStatus.SYNCING:
+    if mirror.sync_status == RepoMirrorStatus.SYNCING:
+        return None
+
+    retries = max(mirror.sync_retries_remaining, 1)
+
+    query = RepoMirrorConfig.update(
+        sync_transaction_id=uuid_generator(),
+        sync_status=RepoMirrorStatus.SYNC_NOW,
+        sync_expiration_date=None,
+        sync_retries_remaining=retries,
+    ).where(
+        RepoMirrorConfig.id == mirror.id,
+        RepoMirrorConfig.sync_transaction_id == mirror.sync_transaction_id,
+    )
+
+    if query.execute():
+        return RepoMirrorConfig.get_by_id(mirror.id)
+
     return None
 
-  retries = max(mirror.sync_retries_remaining, 1)
-
-  query = (RepoMirrorConfig
-           .update(sync_transaction_id=uuid_generator(),
-                   sync_status=RepoMirrorStatus.SYNC_NOW,
-                   sync_expiration_date=None,
-                   sync_retries_remaining=retries)
-           .where(RepoMirrorConfig.id == mirror.id,
-                  RepoMirrorConfig.sync_transaction_id == mirror.sync_transaction_id))
-
-  if query.execute():
-    return RepoMirrorConfig.get_by_id(mirror.id)
-
-  return None
-
 
 def update_sync_status_to_cancel(mirror):
-  """
+    """
   If the mirror is SYNCING, it will be force-claimed (ignoring existing transaction id), and the
   state will set to NEVER_RUN. None will be returned in cases where this is not possible, such
   as if the mirror is not in the SYNCING state.
   """
 
-  if mirror.sync_status != RepoMirrorStatus.SYNCING and mirror.sync_status != RepoMirrorStatus.SYNC_NOW:
+    if (
+        mirror.sync_status != RepoMirrorStatus.SYNCING
+        and mirror.sync_status != RepoMirrorStatus.SYNC_NOW
+    ):
+        return None
+
+    query = RepoMirrorConfig.update(
+        sync_transaction_id=uuid_generator(),
+        sync_status=RepoMirrorStatus.NEVER_RUN,
+        sync_expiration_date=None,
+    ).where(RepoMirrorConfig.id == mirror.id)
+
+    if query.execute():
+        return RepoMirrorConfig.get_by_id(mirror.id)
+
     return None
 
-  query = (RepoMirrorConfig
-           .update(sync_transaction_id=uuid_generator(),
-                   sync_status=RepoMirrorStatus.NEVER_RUN,
-                   sync_expiration_date=None)
-           .where(RepoMirrorConfig.id == mirror.id))
-
-  if query.execute():
-    return RepoMirrorConfig.get_by_id(mirror.id)
-
-  return None
-
 
 def update_with_transaction(mirror, **kwargs):
-  """
+    """
   Helper function which updates a Repository's RepoMirrorConfig while also rolling its
   sync_transaction_id for locking purposes.
   """
 
-  # RepoMirrorConfig attributes which can be modified
-  mutable_attributes = (
-    'is_enabled',
-    'mirror_type',
-    'external_reference',
-    'external_registry_username',
-    'external_registry_password',
-    'external_registry_config',
-    'sync_interval',
-    'sync_start_date',
-    'sync_expiration_date',
-    'sync_retries_remaining',
-    'sync_status',
-    'sync_transaction_id'
-  )
+    # RepoMirrorConfig attributes which can be modified
+    mutable_attributes = (
+        "is_enabled",
+        "mirror_type",
+        "external_reference",
+        "external_registry_username",
+        "external_registry_password",
+        "external_registry_config",
+        "sync_interval",
+        "sync_start_date",
+        "sync_expiration_date",
+        "sync_retries_remaining",
+        "sync_status",
+        "sync_transaction_id",
+    )
 
-  # Key-Value map of changes to make
-  filtered_kwargs = {key:kwargs.pop(key) for key in mutable_attributes if key in kwargs}
+    # Key-Value map of changes to make
+    filtered_kwargs = {
+        key: kwargs.pop(key) for key in mutable_attributes if key in kwargs
+    }
 
-  # Roll the sync_transaction_id to a new value
-  filtered_kwargs['sync_transaction_id'] = uuid_generator()
+    # Roll the sync_transaction_id to a new value
+    filtered_kwargs["sync_transaction_id"] = uuid_generator()
 
-  # Generate the query to perform the updates
-  query = (RepoMirrorConfig
-           .update(filtered_kwargs)
-           .where(RepoMirrorConfig.sync_transaction_id == mirror.sync_transaction_id,
-                  RepoMirrorConfig.id == mirror.id))
+    # Generate the query to perform the updates
+    query = RepoMirrorConfig.update(filtered_kwargs).where(
+        RepoMirrorConfig.sync_transaction_id == mirror.sync_transaction_id,
+        RepoMirrorConfig.id == mirror.id,
+    )
 
-  # Apply the change(s) and return the object if successful
-  if query.execute():
-    return RepoMirrorConfig.get_by_id(mirror.id)
-  else:
-    return None
+    # Apply the change(s) and return the object if successful
+    if query.execute():
+        return RepoMirrorConfig.get_by_id(mirror.id)
+    else:
+        return None
 
 
 def get_mirror(repository):
-  """
+    """
   Return the RepoMirrorConfig associated with the given Repository, or None if it doesn't exist.
   """
-  try:
-    return RepoMirrorConfig.get(repository=repository)
-  except RepoMirrorConfig.DoesNotExist:
-    return None
+    try:
+        return RepoMirrorConfig.get(repository=repository)
+    except RepoMirrorConfig.DoesNotExist:
+        return None
 
 
 def enable_mirror(repository):
-  """
+    """
   Enables a RepoMirrorConfig.
   """
-  mirror = get_mirror(repository)
-  return bool(update_with_transaction(mirror, is_enabled=True))
+    mirror = get_mirror(repository)
+    return bool(update_with_transaction(mirror, is_enabled=True))
 
 
 def disable_mirror(repository):
-  """
+    """
   Disables a RepoMirrorConfig.
   """
-  mirror = get_mirror(repository)
-  return bool(update_with_transaction(mirror, is_enabled=False))
+    mirror = get_mirror(repository)
+    return bool(update_with_transaction(mirror, is_enabled=False))
 
 
 def delete_mirror(repository):
-  """
+    """
   Delete a Repository Mirroring configuration.
   """
-  raise NotImplementedError("TODO: Not Implemented")
+    raise NotImplementedError("TODO: Not Implemented")
 
 
 def change_remote(repository, remote_repository):
-  """
+    """
   Update the external repository for Repository Mirroring.
   """
-  mirror = get_mirror(repository)
-  updates = {
-    'external_reference': remote_repository
-  }
-  return bool(update_with_transaction(mirror, **updates))
+    mirror = get_mirror(repository)
+    updates = {"external_reference": remote_repository}
+    return bool(update_with_transaction(mirror, **updates))
 
 
 def change_credentials(repository, username, password):
-  """
+    """
   Update the credentials used to access the remote repository.
   """
-  mirror = get_mirror(repository)
-  updates = {
-    'external_registry_username': username,
-    'external_registry_password': password,
-  }
-  return bool(update_with_transaction(mirror, **updates))
+    mirror = get_mirror(repository)
+    updates = {
+        "external_registry_username": username,
+        "external_registry_password": password,
+    }
+    return bool(update_with_transaction(mirror, **updates))
 
 
 def change_username(repository, username):
-  """
+    """
   Update the Username used to access the external repository.
   """
-  mirror = get_mirror(repository)
-  return bool(update_with_transaction(mirror, external_registry_username=username))
+    mirror = get_mirror(repository)
+    return bool(update_with_transaction(mirror, external_registry_username=username))
 
 
 def change_sync_interval(repository, interval):
-  """
+    """
   Update the interval at which a repository will be synchronized.
   """
-  mirror = get_mirror(repository)
-  return bool(update_with_transaction(mirror, sync_interval=interval))
+    mirror = get_mirror(repository)
+    return bool(update_with_transaction(mirror, sync_interval=interval))
 
 
 def change_sync_start_date(repository, dt):
-  """
+    """
   Specify when the repository should be synchronized next.
   """
-  mirror = get_mirror(repository)
-  return bool(update_with_transaction(mirror, sync_start_date=dt))
+    mirror = get_mirror(repository)
+    return bool(update_with_transaction(mirror, sync_start_date=dt))
 
 
 def change_root_rule(repository, rule):
-  """
+    """
   Specify which rule should be used for repository mirroring.
   """
-  assert rule.repository == repository
-  mirror = get_mirror(repository)
-  return bool(update_with_transaction(mirror, root_rule=rule))
+    assert rule.repository == repository
+    mirror = get_mirror(repository)
+    return bool(update_with_transaction(mirror, root_rule=rule))
 
 
 def change_sync_status(repository, sync_status):
-  """
+    """
   Change Repository's mirroring status.
   """
-  mirror = get_mirror(repository)
-  return update_with_transaction(mirror, sync_status=sync_status)
+    mirror = get_mirror(repository)
+    return update_with_transaction(mirror, sync_status=sync_status)
 
 
 def change_retries_remaining(repository, retries_remaining):
-  """
+    """
   Change the number of retries remaining for mirroring a repository.
   """
-  mirror = get_mirror(repository)
-  return update_with_transaction(mirror, sync_retries_remaining=retries_remaining)
+    mirror = get_mirror(repository)
+    return update_with_transaction(mirror, sync_retries_remaining=retries_remaining)
 
 
 def change_external_registry_config(repository, config_updates):
-  """
+    """
   Update the 'external_registry_config' with the passed in fields. Config has:
   verify_tls: True|False
   proxy: JSON fields 'http_proxy', 'https_proxy', andn 'no_proxy'
   """
-  mirror = get_mirror(repository)
-  external_registry_config = mirror.external_registry_config
+    mirror = get_mirror(repository)
+    external_registry_config = mirror.external_registry_config
 
-  if 'verify_tls' in config_updates:
-    external_registry_config['verify_tls'] = config_updates['verify_tls']
+    if "verify_tls" in config_updates:
+        external_registry_config["verify_tls"] = config_updates["verify_tls"]
 
-  if 'proxy' in config_updates:
-    proxy_updates = config_updates['proxy']
-    for key in ('http_proxy', 'https_proxy', 'no_proxy'):
-      if key in config_updates['proxy']:
-        if 'proxy' not in external_registry_config:
-          external_registry_config['proxy'] = {}
-        else:
-          external_registry_config['proxy'][key] = proxy_updates[key]
+    if "proxy" in config_updates:
+        proxy_updates = config_updates["proxy"]
+        for key in ("http_proxy", "https_proxy", "no_proxy"):
+            if key in config_updates["proxy"]:
+                if "proxy" not in external_registry_config:
+                    external_registry_config["proxy"] = {}
+                else:
+                    external_registry_config["proxy"][key] = proxy_updates[key]
 
-  return update_with_transaction(mirror, external_registry_config=external_registry_config)
+    return update_with_transaction(
+        mirror, external_registry_config=external_registry_config
+    )
 
 
 def get_mirroring_robot(repository):
-  """
+    """
   Return the robot used for mirroring. Returns None if the repository does not have an associated
   RepoMirrorConfig or the robot does not exist.
   """
-  mirror = get_mirror(repository)
-  if mirror:
-    return mirror.internal_robot
+    mirror = get_mirror(repository)
+    if mirror:
+        return mirror.internal_robot
 
-  return None
+    return None
 
 
 def set_mirroring_robot(repository, robot):
-  """
+    """
   Sets the mirroring robot for the repository.
   """
-  assert robot.robot
-  namespace, _ = parse_robot_username(robot.username)
-  if namespace != repository.namespace_user.username:
-    raise DataModelException('Cannot use robot for mirroring')
+    assert robot.robot
+    namespace, _ = parse_robot_username(robot.username)
+    if namespace != repository.namespace_user.username:
+        raise DataModelException("Cannot use robot for mirroring")
 
-  mirror = get_mirror(repository)
-  mirror.internal_robot = robot
-  mirror.save()
+    mirror = get_mirror(repository)
+    mirror.internal_robot = robot
+    mirror.save()
 
 
 # -------------------- Mirroring Rules --------------------------#
 
 
-def create_rule(repository, rule_value, rule_type=RepoMirrorRuleType.TAG_GLOB_CSV, left_child=None, right_child=None):
-  """
+def create_rule(
+    repository,
+    rule_value,
+    rule_type=RepoMirrorRuleType.TAG_GLOB_CSV,
+    left_child=None,
+    right_child=None,
+):
+    """
   Create a new Rule for mirroring a Repository
   """
 
-  if rule_type != RepoMirrorRuleType.TAG_GLOB_CSV:
-    raise ValidationError('validation failed: rule_type must be TAG_GLOB_CSV')
+    if rule_type != RepoMirrorRuleType.TAG_GLOB_CSV:
+        raise ValidationError("validation failed: rule_type must be TAG_GLOB_CSV")
 
-  if not isinstance(rule_value, list) or len(rule_value) < 1:
-    raise ValidationError('validation failed: rule_value for TAG_GLOB_CSV must be a list with at least one rule')
+    if not isinstance(rule_value, list) or len(rule_value) < 1:
+        raise ValidationError(
+            "validation failed: rule_value for TAG_GLOB_CSV must be a list with at least one rule"
+        )
 
-  rule_kwargs = {
-    'repository': repository,
-    'rule_value': rule_value,
-    'rule_type': rule_type,
-    'left_child': left_child,
-    'right_child': right_child,
-  }
-  rule = RepoMirrorRule.create(**rule_kwargs)
-  return rule
+    rule_kwargs = {
+        "repository": repository,
+        "rule_value": rule_value,
+        "rule_type": rule_type,
+        "left_child": left_child,
+        "right_child": right_child,
+    }
+    rule = RepoMirrorRule.create(**rule_kwargs)
+    return rule
 
 
 def list_rules(repository):
-  """
+    """
   Returns all RepoMirrorRules associated with a Repository.
   """
-  rules = RepoMirrorRule.select().where(RepoMirrorRule.repository == repository).all()
-  return rules
+    rules = RepoMirrorRule.select().where(RepoMirrorRule.repository == repository).all()
+    return rules
 
 
 def get_root_rule(repository):
-  """
+    """
   Return the primary mirroring Rule
   """
-  mirror = get_mirror(repository)
-  try:
-    rule = RepoMirrorRule.get(repository=repository)
-    return rule
-  except RepoMirrorRule.DoesNotExist:
-    return None
+    mirror = get_mirror(repository)
+    try:
+        rule = RepoMirrorRule.get(repository=repository)
+        return rule
+    except RepoMirrorRule.DoesNotExist:
+        return None
 
 
 def change_rule_value(rule, value):
-  """
+    """
   Update the value of an existing rule.
   """
-  query = (RepoMirrorRule
-          .update(rule_value=value)
-          .where(RepoMirrorRule.id == rule.id))
-  return query.execute()
+    query = RepoMirrorRule.update(rule_value=value).where(RepoMirrorRule.id == rule.id)
+    return query.execute()
diff --git a/data/model/repository.py b/data/model/repository.py
index 3400bfde8..fc4bee236 100644
--- a/data/model/repository.py
+++ b/data/model/repository.py
@@ -7,13 +7,40 @@ from peewee import Case, JOIN, fn, SQL, IntegrityError
 from cachetools.func import ttl_cache
 
 from data.model import (
-  config, DataModelException, tag, db_transaction, storage, permission, _basequery)
+    config,
+    DataModelException,
+    tag,
+    db_transaction,
+    storage,
+    permission,
+    _basequery,
+)
 from data.database import (
-  Repository, Namespace, RepositoryTag, Star, Image, ImageStorage, User, Visibility,
-  RepositoryPermission, RepositoryActionCount, Role, RepositoryAuthorizedEmail,
-  DerivedStorageForImage, Label, db_for_update, get_epoch_timestamp,
-  db_random_func, db_concat_func, RepositorySearchScore, RepositoryKind, ApprTag,
-  ManifestLegacyImage, Manifest, ManifestChild)
+    Repository,
+    Namespace,
+    RepositoryTag,
+    Star,
+    Image,
+    ImageStorage,
+    User,
+    Visibility,
+    RepositoryPermission,
+    RepositoryActionCount,
+    Role,
+    RepositoryAuthorizedEmail,
+    DerivedStorageForImage,
+    Label,
+    db_for_update,
+    get_epoch_timestamp,
+    db_random_func,
+    db_concat_func,
+    RepositorySearchScore,
+    RepositoryKind,
+    ApprTag,
+    ManifestLegacyImage,
+    Manifest,
+    ManifestChild,
+)
 from data.text import prefix_search
 from util.itertoolrecipes import take
 
@@ -22,436 +49,572 @@ SEARCH_FIELDS = Enum("SearchFields", ["name", "description"])
 
 
 class RepoStateConfigException(Exception):
-  """ Repository.state value requires further configuration to operate. """
-  pass
+    """ Repository.state value requires further configuration to operate. """
+
+    pass
 
 
 def get_repo_kind_name(repo):
-  return Repository.kind.get_name(repo.kind_id)
+    return Repository.kind.get_name(repo.kind_id)
 
 
 def get_repository_count():
-  return Repository.select().count()
+    return Repository.select().count()
 
 
 def get_public_repo_visibility():
-  return _basequery.get_public_repo_visibility()
+    return _basequery.get_public_repo_visibility()
 
 
-def create_repository(namespace, name, creating_user, visibility='private', repo_kind='image',
-                      description=None):
-  namespace_user = User.get(username=namespace)
-  yesterday = datetime.now() - timedelta(days=1)
+def create_repository(
+    namespace,
+    name,
+    creating_user,
+    visibility="private",
+    repo_kind="image",
+    description=None,
+):
+    namespace_user = User.get(username=namespace)
+    yesterday = datetime.now() - timedelta(days=1)
 
-  with db_transaction():
-    repo = Repository.create(name=name, visibility=Repository.visibility.get_id(visibility),
-                            namespace_user=namespace_user,
-                            kind=Repository.kind.get_id(repo_kind),
-                            description=description)
+    with db_transaction():
+        repo = Repository.create(
+            name=name,
+            visibility=Repository.visibility.get_id(visibility),
+            namespace_user=namespace_user,
+            kind=Repository.kind.get_id(repo_kind),
+            description=description,
+        )
 
-    RepositoryActionCount.create(repository=repo, count=0, date=yesterday)
-    RepositorySearchScore.create(repository=repo, score=0)
+        RepositoryActionCount.create(repository=repo, count=0, date=yesterday)
+        RepositorySearchScore.create(repository=repo, score=0)
 
-    # Note: We put the admin create permission under the transaction to ensure it is created.
-    if creating_user and not creating_user.organization:
-      admin = Role.get(name='admin')
-      RepositoryPermission.create(user=creating_user, repository=repo, role=admin)
+        # Note: We put the admin create permission under the transaction to ensure it is created.
+        if creating_user and not creating_user.organization:
+            admin = Role.get(name="admin")
+            RepositoryPermission.create(user=creating_user, repository=repo, role=admin)
 
-  # Apply default permissions (only occurs for repositories under organizations)
-  if creating_user and not creating_user.organization and creating_user.username != namespace:
-    permission.apply_default_permissions(repo, creating_user)
+    # Apply default permissions (only occurs for repositories under organizations)
+    if (
+        creating_user
+        and not creating_user.organization
+        and creating_user.username != namespace
+    ):
+        permission.apply_default_permissions(repo, creating_user)
 
-  return repo
+    return repo
 
 
 def get_repository(namespace_name, repository_name, kind_filter=None):
-  try:
-    return _basequery.get_existing_repository(namespace_name, repository_name,
-                                              kind_filter=kind_filter)
-  except Repository.DoesNotExist:
-    return None
+    try:
+        return _basequery.get_existing_repository(
+            namespace_name, repository_name, kind_filter=kind_filter
+        )
+    except Repository.DoesNotExist:
+        return None
 
 
-def get_or_create_repository(namespace, name, creating_user, visibility='private',
-                             repo_kind='image'):
-  repo = get_repository(namespace, name, repo_kind)
-  if repo is None:
-    repo = create_repository(namespace, name, creating_user, visibility, repo_kind)
-  return repo
+def get_or_create_repository(
+    namespace, name, creating_user, visibility="private", repo_kind="image"
+):
+    repo = get_repository(namespace, name, repo_kind)
+    if repo is None:
+        repo = create_repository(namespace, name, creating_user, visibility, repo_kind)
+    return repo
 
 
 @ttl_cache(maxsize=1, ttl=600)
 def _get_gc_expiration_policies():
-  policy_tuples_query = (
-    Namespace.select(Namespace.removed_tag_expiration_s).distinct()
-    .limit(100)  # This sucks but it's the only way to limit memory
-    .tuples())
-  return [policy[0] for policy in policy_tuples_query]
+    policy_tuples_query = (
+        Namespace.select(Namespace.removed_tag_expiration_s)
+        .distinct()
+        .limit(100)  # This sucks but it's the only way to limit memory
+        .tuples()
+    )
+    return [policy[0] for policy in policy_tuples_query]
 
 
 def get_random_gc_policy():
-  """ Return a single random policy from the database to use when garbage collecting.
+    """ Return a single random policy from the database to use when garbage collecting.
   """
-  return random.choice(_get_gc_expiration_policies())
+    return random.choice(_get_gc_expiration_policies())
 
 
 def find_repository_with_garbage(limit_to_gc_policy_s):
-  expiration_timestamp = get_epoch_timestamp() - limit_to_gc_policy_s
+    expiration_timestamp = get_epoch_timestamp() - limit_to_gc_policy_s
 
-  try:
-    candidates = (RepositoryTag.select(RepositoryTag.repository).join(Repository)
-                  .join(Namespace, on=(Repository.namespace_user == Namespace.id))
-                  .where(~(RepositoryTag.lifetime_end_ts >> None),
-                         (RepositoryTag.lifetime_end_ts <= expiration_timestamp),
-                         (Namespace.removed_tag_expiration_s == limit_to_gc_policy_s)).limit(500)
-                  .distinct().alias('candidates'))
+    try:
+        candidates = (
+            RepositoryTag.select(RepositoryTag.repository)
+            .join(Repository)
+            .join(Namespace, on=(Repository.namespace_user == Namespace.id))
+            .where(
+                ~(RepositoryTag.lifetime_end_ts >> None),
+                (RepositoryTag.lifetime_end_ts <= expiration_timestamp),
+                (Namespace.removed_tag_expiration_s == limit_to_gc_policy_s),
+            )
+            .limit(500)
+            .distinct()
+            .alias("candidates")
+        )
 
-    found = (RepositoryTag.select(candidates.c.repository_id).from_(candidates)
-             .order_by(db_random_func()).get())
+        found = (
+            RepositoryTag.select(candidates.c.repository_id)
+            .from_(candidates)
+            .order_by(db_random_func())
+            .get()
+        )
 
-    if found is None:
-      return
+        if found is None:
+            return
 
-    return Repository.get(Repository.id == found.repository_id)
-  except RepositoryTag.DoesNotExist:
-    return None
-  except Repository.DoesNotExist:
-    return None
+        return Repository.get(Repository.id == found.repository_id)
+    except RepositoryTag.DoesNotExist:
+        return None
+    except Repository.DoesNotExist:
+        return None
 
 
 def star_repository(user, repository):
-  """ Stars a repository. """
-  star = Star.create(user=user.id, repository=repository.id)
-  star.save()
+    """ Stars a repository. """
+    star = Star.create(user=user.id, repository=repository.id)
+    star.save()
 
 
 def unstar_repository(user, repository):
-  """ Unstars a repository. """
-  try:
-    (Star.delete().where(Star.repository == repository.id, Star.user == user.id).execute())
-  except Star.DoesNotExist:
-    raise DataModelException('Star not found.')
+    """ Unstars a repository. """
+    try:
+        (
+            Star.delete()
+            .where(Star.repository == repository.id, Star.user == user.id)
+            .execute()
+        )
+    except Star.DoesNotExist:
+        raise DataModelException("Star not found.")
 
 
 def set_trust(repo, trust_enabled):
-  repo.trust_enabled = trust_enabled
-  repo.save()
+    repo.trust_enabled = trust_enabled
+    repo.save()
 
 
 def set_description(repo, description):
-  repo.description = description
-  repo.save()
+    repo.description = description
+    repo.save()
 
 
-def get_user_starred_repositories(user, kind_filter='image'):
-  """ Retrieves all of the repositories a user has starred. """
-  try:
-    repo_kind = Repository.kind.get_id(kind_filter)
-  except RepositoryKind.DoesNotExist:
-    raise DataModelException('Unknown kind of repository')
+def get_user_starred_repositories(user, kind_filter="image"):
+    """ Retrieves all of the repositories a user has starred. """
+    try:
+        repo_kind = Repository.kind.get_id(kind_filter)
+    except RepositoryKind.DoesNotExist:
+        raise DataModelException("Unknown kind of repository")
 
-  query = (Repository.select(Repository, User, Visibility, Repository.id.alias('rid')).join(Star)
-           .switch(Repository).join(User).switch(Repository).join(Visibility)
-           .where(Star.user == user, Repository.kind == repo_kind))
+    query = (
+        Repository.select(Repository, User, Visibility, Repository.id.alias("rid"))
+        .join(Star)
+        .switch(Repository)
+        .join(User)
+        .switch(Repository)
+        .join(Visibility)
+        .where(Star.user == user, Repository.kind == repo_kind)
+    )
 
-  return query
+    return query
 
 
 def repository_is_starred(user, repository):
-  """ Determines whether a user has starred a repository or not. """
-  try:
-    (Star.select().where(Star.repository == repository.id, Star.user == user.id).get())
-    return True
-  except Star.DoesNotExist:
-    return False
+    """ Determines whether a user has starred a repository or not. """
+    try:
+        (
+            Star.select()
+            .where(Star.repository == repository.id, Star.user == user.id)
+            .get()
+        )
+        return True
+    except Star.DoesNotExist:
+        return False
 
 
 def get_stars(repository_ids):
-  """ Returns a map from repository ID to the number of stars for each repository in the
+    """ Returns a map from repository ID to the number of stars for each repository in the
       given repository IDs list.
   """
-  if not repository_ids:
-    return {}
+    if not repository_ids:
+        return {}
 
-  tuples = (Star.select(Star.repository, fn.Count(Star.id))
-            .where(Star.repository << repository_ids).group_by(Star.repository).tuples())
+    tuples = (
+        Star.select(Star.repository, fn.Count(Star.id))
+        .where(Star.repository << repository_ids)
+        .group_by(Star.repository)
+        .tuples()
+    )
 
-  star_map = {}
-  for record in tuples:
-    star_map[record[0]] = record[1]
+    star_map = {}
+    for record in tuples:
+        star_map[record[0]] = record[1]
 
-  return star_map
+    return star_map
 
 
-def get_visible_repositories(username, namespace=None, kind_filter='image', include_public=False,
-                             start_id=None, limit=None):
-  """ Returns the repositories visible to the given user (if any).
+def get_visible_repositories(
+    username,
+    namespace=None,
+    kind_filter="image",
+    include_public=False,
+    start_id=None,
+    limit=None,
+):
+    """ Returns the repositories visible to the given user (if any).
   """
-  if not include_public and not username:
-    # Short circuit by returning a query that will find no repositories. We need to return a query
-    # here, as it will be modified by other queries later on.
-    return Repository.select(Repository.id.alias('rid')).where(Repository.id == -1)
+    if not include_public and not username:
+        # Short circuit by returning a query that will find no repositories. We need to return a query
+        # here, as it will be modified by other queries later on.
+        return Repository.select(Repository.id.alias("rid")).where(Repository.id == -1)
 
-  query = (Repository.select(Repository.name,
-                             Repository.id.alias('rid'), Repository.description,
-                             Namespace.username, Repository.visibility, Repository.kind)
-           .switch(Repository).join(Namespace, on=(Repository.namespace_user == Namespace.id)))
+    query = (
+        Repository.select(
+            Repository.name,
+            Repository.id.alias("rid"),
+            Repository.description,
+            Namespace.username,
+            Repository.visibility,
+            Repository.kind,
+        )
+        .switch(Repository)
+        .join(Namespace, on=(Repository.namespace_user == Namespace.id))
+    )
 
-  user_id = None
-  if username:
-    # Note: We only need the permissions table if we will filter based on a user's permissions.
-    query = query.switch(Repository).distinct().join(RepositoryPermission, JOIN.LEFT_OUTER)
-    found_namespace = _get_namespace_user(username)
-    if not found_namespace:
-      return Repository.select(Repository.id.alias('rid')).where(Repository.id == -1)
+    user_id = None
+    if username:
+        # Note: We only need the permissions table if we will filter based on a user's permissions.
+        query = (
+            query.switch(Repository)
+            .distinct()
+            .join(RepositoryPermission, JOIN.LEFT_OUTER)
+        )
+        found_namespace = _get_namespace_user(username)
+        if not found_namespace:
+            return Repository.select(Repository.id.alias("rid")).where(
+                Repository.id == -1
+            )
 
-    user_id = found_namespace.id
+        user_id = found_namespace.id
 
-  query = _basequery.filter_to_repos_for_user(query, user_id, namespace, kind_filter,
-                                              include_public, start_id=start_id)
+    query = _basequery.filter_to_repos_for_user(
+        query, user_id, namespace, kind_filter, include_public, start_id=start_id
+    )
 
-  if limit is not None:
-    query = query.limit(limit).order_by(SQL('rid'))
+    if limit is not None:
+        query = query.limit(limit).order_by(SQL("rid"))
 
-  return query
+    return query
 
 
 def get_app_repository(namespace_name, repository_name):
-  """ Find an application repository. """
-  try:
-    return _basequery.get_existing_repository(namespace_name, repository_name,
-                                              kind_filter='application')
-  except Repository.DoesNotExist:
-    return None
+    """ Find an application repository. """
+    try:
+        return _basequery.get_existing_repository(
+            namespace_name, repository_name, kind_filter="application"
+        )
+    except Repository.DoesNotExist:
+        return None
 
 
 def get_app_search(lookup, search_fields=None, username=None, limit=50):
-  if search_fields is None:
-    search_fields = set([SEARCH_FIELDS.name.name])
+    if search_fields is None:
+        search_fields = set([SEARCH_FIELDS.name.name])
 
-  return get_filtered_matching_repositories(lookup, filter_username=username,
-                                            search_fields=search_fields, repo_kind='application',
-                                            offset=0, limit=limit)
+    return get_filtered_matching_repositories(
+        lookup,
+        filter_username=username,
+        search_fields=search_fields,
+        repo_kind="application",
+        offset=0,
+        limit=limit,
+    )
 
 
 def _get_namespace_user(username):
-  try:
-    return User.get(username=username)
-  except User.DoesNotExist:
-    return None
+    try:
+        return User.get(username=username)
+    except User.DoesNotExist:
+        return None
 
 
-def get_filtered_matching_repositories(lookup_value, filter_username=None, repo_kind='image',
-                                       offset=0, limit=25, search_fields=None):
-  """ Returns an iterator of all repositories matching the given lookup value, with optional
+def get_filtered_matching_repositories(
+    lookup_value,
+    filter_username=None,
+    repo_kind="image",
+    offset=0,
+    limit=25,
+    search_fields=None,
+):
+    """ Returns an iterator of all repositories matching the given lookup value, with optional
       filtering to a specific user. If the user is unspecified, only public repositories will
       be returned.
   """
-  if search_fields is None:
-    search_fields = set([SEARCH_FIELDS.description.name, SEARCH_FIELDS.name.name])
+    if search_fields is None:
+        search_fields = set([SEARCH_FIELDS.description.name, SEARCH_FIELDS.name.name])
 
-  # Build the unfiltered search query.
-  unfiltered_query = _get_sorted_matching_repositories(lookup_value, repo_kind=repo_kind,
-                                                       search_fields=search_fields,
-                                                       include_private=filter_username is not None,
-                                                       ids_only=filter_username is not None)
+    # Build the unfiltered search query.
+    unfiltered_query = _get_sorted_matching_repositories(
+        lookup_value,
+        repo_kind=repo_kind,
+        search_fields=search_fields,
+        include_private=filter_username is not None,
+        ids_only=filter_username is not None,
+    )
 
-  # Add a filter to the iterator, if necessary.
-  if filter_username is not None:
-    filter_user = _get_namespace_user(filter_username)
-    if filter_user is None:
-      return []
+    # Add a filter to the iterator, if necessary.
+    if filter_username is not None:
+        filter_user = _get_namespace_user(filter_username)
+        if filter_user is None:
+            return []
 
-    iterator = _filter_repositories_visible_to_user(unfiltered_query, filter_user.id, limit,
-                                                    repo_kind)
-    if offset > 0:
-      take(offset, iterator)
+        iterator = _filter_repositories_visible_to_user(
+            unfiltered_query, filter_user.id, limit, repo_kind
+        )
+        if offset > 0:
+            take(offset, iterator)
 
-    # Return the results.
-    return list(take(limit, iterator))
+        # Return the results.
+        return list(take(limit, iterator))
 
-  return list(unfiltered_query.offset(offset).limit(limit))
+    return list(unfiltered_query.offset(offset).limit(limit))
 
 
-def _filter_repositories_visible_to_user(unfiltered_query, filter_user_id, limit, repo_kind):
-  encountered = set()
-  chunk_count = limit * 2
-  unfiltered_page = 0
-  iteration_count = 0
+def _filter_repositories_visible_to_user(
+    unfiltered_query, filter_user_id, limit, repo_kind
+):
+    encountered = set()
+    chunk_count = limit * 2
+    unfiltered_page = 0
+    iteration_count = 0
 
-  while iteration_count < 10:  # Just to be safe
-    # Find the next chunk's worth of repository IDs, paginated by the chunk size.
-    unfiltered_page = unfiltered_page + 1
-    found_ids = [r.id for r in unfiltered_query.paginate(unfiltered_page, chunk_count)]
+    while iteration_count < 10:  # Just to be safe
+        # Find the next chunk's worth of repository IDs, paginated by the chunk size.
+        unfiltered_page = unfiltered_page + 1
+        found_ids = [
+            r.id for r in unfiltered_query.paginate(unfiltered_page, chunk_count)
+        ]
 
-    # Make sure we haven't encountered these results before. This code is used to handle
-    # the case where we've previously seen a result, as pagination is not necessary
-    # stable in SQL databases.
-    unfiltered_repository_ids = set(found_ids)
-    new_unfiltered_ids = unfiltered_repository_ids - encountered
-    if not new_unfiltered_ids:
-      break
+        # Make sure we haven't encountered these results before. This code is used to handle
+        # the case where we've previously seen a result, as pagination is not necessary
+        # stable in SQL databases.
+        unfiltered_repository_ids = set(found_ids)
+        new_unfiltered_ids = unfiltered_repository_ids - encountered
+        if not new_unfiltered_ids:
+            break
 
-    encountered.update(new_unfiltered_ids)
+        encountered.update(new_unfiltered_ids)
 
-    # Filter the repositories found to only those visible to the current user.
-    query = (Repository
-             .select(Repository, Namespace)
-             .distinct()
-             .join(Namespace, on=(Namespace.id == Repository.namespace_user)).switch(Repository)
-             .join(RepositoryPermission).where(Repository.id << list(new_unfiltered_ids)))
+        # Filter the repositories found to only those visible to the current user.
+        query = (
+            Repository.select(Repository, Namespace)
+            .distinct()
+            .join(Namespace, on=(Namespace.id == Repository.namespace_user))
+            .switch(Repository)
+            .join(RepositoryPermission)
+            .where(Repository.id << list(new_unfiltered_ids))
+        )
 
-    filtered = _basequery.filter_to_repos_for_user(query, filter_user_id, repo_kind=repo_kind)
+        filtered = _basequery.filter_to_repos_for_user(
+            query, filter_user_id, repo_kind=repo_kind
+        )
 
-    # Sort the filtered repositories by their initial order.
-    all_filtered_repos = list(filtered)
-    all_filtered_repos.sort(key=lambda repo: found_ids.index(repo.id))
+        # Sort the filtered repositories by their initial order.
+        all_filtered_repos = list(filtered)
+        all_filtered_repos.sort(key=lambda repo: found_ids.index(repo.id))
 
-    # Yield the repositories in sorted order.
-    for filtered_repo in all_filtered_repos:
-      yield filtered_repo
+        # Yield the repositories in sorted order.
+        for filtered_repo in all_filtered_repos:
+            yield filtered_repo
 
-    # If the number of found IDs is less than the chunk count, then we're done.
-    if len(found_ids) < chunk_count:
-      break
+        # If the number of found IDs is less than the chunk count, then we're done.
+        if len(found_ids) < chunk_count:
+            break
 
-    iteration_count = iteration_count + 1
+        iteration_count = iteration_count + 1
 
 
-def _get_sorted_matching_repositories(lookup_value, repo_kind='image', include_private=False,
-                                      search_fields=None, ids_only=False):
-  """ Returns a query of repositories matching the given lookup string, with optional inclusion of
+def _get_sorted_matching_repositories(
+    lookup_value,
+    repo_kind="image",
+    include_private=False,
+    search_fields=None,
+    ids_only=False,
+):
+    """ Returns a query of repositories matching the given lookup string, with optional inclusion of
       private repositories. Note that this method does *not* filter results based on visibility
       to users.
   """
-  select_fields = [Repository.id] if ids_only else [Repository, Namespace]
+    select_fields = [Repository.id] if ids_only else [Repository, Namespace]
 
-  if not lookup_value:
-    # This is a generic listing of repositories. Simply return the sorted repositories based
-    # on RepositorySearchScore.
-    query = (Repository
-             .select(*select_fields)
-             .join(RepositorySearchScore)
-             .order_by(RepositorySearchScore.score.desc()))
-  else:
-    if search_fields is None:
-      search_fields = set([SEARCH_FIELDS.description.name, SEARCH_FIELDS.name.name])
+    if not lookup_value:
+        # This is a generic listing of repositories. Simply return the sorted repositories based
+        # on RepositorySearchScore.
+        query = (
+            Repository.select(*select_fields)
+            .join(RepositorySearchScore)
+            .order_by(RepositorySearchScore.score.desc())
+        )
+    else:
+        if search_fields is None:
+            search_fields = set(
+                [SEARCH_FIELDS.description.name, SEARCH_FIELDS.name.name]
+            )
 
-    # Always search at least on name (init clause)
-    clause = Repository.name.match(lookup_value)
-    computed_score = RepositorySearchScore.score.alias('score')
+        # Always search at least on name (init clause)
+        clause = Repository.name.match(lookup_value)
+        computed_score = RepositorySearchScore.score.alias("score")
 
-    # If the description field is in the search fields, then we need to compute a synthetic score
-    # to discount the weight of the description more than the name.
-    if SEARCH_FIELDS.description.name in search_fields:
-      clause = Repository.description.match(lookup_value) | clause
-      cases = [(Repository.name.match(lookup_value), 100 * RepositorySearchScore.score),]
-      computed_score = Case(None, cases, RepositorySearchScore.score).alias('score')
+        # If the description field is in the search fields, then we need to compute a synthetic score
+        # to discount the weight of the description more than the name.
+        if SEARCH_FIELDS.description.name in search_fields:
+            clause = Repository.description.match(lookup_value) | clause
+            cases = [
+                (Repository.name.match(lookup_value), 100 * RepositorySearchScore.score)
+            ]
+            computed_score = Case(None, cases, RepositorySearchScore.score).alias(
+                "score"
+            )
 
-    select_fields.append(computed_score)
-    query = (Repository.select(*select_fields)
-             .join(RepositorySearchScore)
-             .where(clause)
-             .order_by(SQL('score').desc()))
+        select_fields.append(computed_score)
+        query = (
+            Repository.select(*select_fields)
+            .join(RepositorySearchScore)
+            .where(clause)
+            .order_by(SQL("score").desc())
+        )
 
-  if repo_kind is not None:
-    query = query.where(Repository.kind == Repository.kind.get_id(repo_kind))
+    if repo_kind is not None:
+        query = query.where(Repository.kind == Repository.kind.get_id(repo_kind))
 
-  if not include_private:
-    query = query.where(Repository.visibility == _basequery.get_public_repo_visibility())
+    if not include_private:
+        query = query.where(
+            Repository.visibility == _basequery.get_public_repo_visibility()
+        )
 
-  if not ids_only:
-    query = (query
-             .switch(Repository)
-             .join(Namespace, on=(Namespace.id == Repository.namespace_user)))
+    if not ids_only:
+        query = query.switch(Repository).join(
+            Namespace, on=(Namespace.id == Repository.namespace_user)
+        )
 
-  return query
+    return query
 
 
 def lookup_repository(repo_id):
-  try:
-    return Repository.get(Repository.id == repo_id)
-  except Repository.DoesNotExist:
-    return None
+    try:
+        return Repository.get(Repository.id == repo_id)
+    except Repository.DoesNotExist:
+        return None
 
 
 def is_repository_public(repository):
-  return repository.visibility_id == _basequery.get_public_repo_visibility().id
+    return repository.visibility_id == _basequery.get_public_repo_visibility().id
 
 
 def repository_is_public(namespace_name, repository_name):
-  try:
-    (Repository.select().join(Namespace, on=(Repository.namespace_user == Namespace.id))
-     .switch(Repository).join(Visibility).where(Namespace.username == namespace_name,
-                                                Repository.name == repository_name,
-                                                Visibility.name == 'public').get())
-    return True
-  except Repository.DoesNotExist:
-    return False
+    try:
+        (
+            Repository.select()
+            .join(Namespace, on=(Repository.namespace_user == Namespace.id))
+            .switch(Repository)
+            .join(Visibility)
+            .where(
+                Namespace.username == namespace_name,
+                Repository.name == repository_name,
+                Visibility.name == "public",
+            )
+            .get()
+        )
+        return True
+    except Repository.DoesNotExist:
+        return False
 
 
 def set_repository_visibility(repo, visibility):
-  visibility_obj = Visibility.get(name=visibility)
-  if not visibility_obj:
-    return
+    visibility_obj = Visibility.get(name=visibility)
+    if not visibility_obj:
+        return
 
-  repo.visibility = visibility_obj
-  repo.save()
+    repo.visibility = visibility_obj
+    repo.save()
 
 
 def get_email_authorized_for_repo(namespace, repository, email):
-  try:
-    return (RepositoryAuthorizedEmail.select(RepositoryAuthorizedEmail, Repository, Namespace)
-            .join(Repository).join(Namespace, on=(Repository.namespace_user == Namespace.id))
-            .where(Namespace.username == namespace, Repository.name == repository,
-                   RepositoryAuthorizedEmail.email == email).get())
-  except RepositoryAuthorizedEmail.DoesNotExist:
-    return None
+    try:
+        return (
+            RepositoryAuthorizedEmail.select(
+                RepositoryAuthorizedEmail, Repository, Namespace
+            )
+            .join(Repository)
+            .join(Namespace, on=(Repository.namespace_user == Namespace.id))
+            .where(
+                Namespace.username == namespace,
+                Repository.name == repository,
+                RepositoryAuthorizedEmail.email == email,
+            )
+            .get()
+        )
+    except RepositoryAuthorizedEmail.DoesNotExist:
+        return None
 
 
 def create_email_authorization_for_repo(namespace_name, repository_name, email):
-  try:
-    repo = _basequery.get_existing_repository(namespace_name, repository_name)
-  except Repository.DoesNotExist:
-    raise DataModelException('Invalid repository %s/%s' % (namespace_name, repository_name))
+    try:
+        repo = _basequery.get_existing_repository(namespace_name, repository_name)
+    except Repository.DoesNotExist:
+        raise DataModelException(
+            "Invalid repository %s/%s" % (namespace_name, repository_name)
+        )
 
-  return RepositoryAuthorizedEmail.create(repository=repo, email=email, confirmed=False)
+    return RepositoryAuthorizedEmail.create(
+        repository=repo, email=email, confirmed=False
+    )
 
 
 def confirm_email_authorization_for_repo(code):
-  try:
-    found = (RepositoryAuthorizedEmail.select(RepositoryAuthorizedEmail, Repository, Namespace)
-             .join(Repository).join(Namespace, on=(Repository.namespace_user == Namespace.id))
-             .where(RepositoryAuthorizedEmail.code == code).get())
-  except RepositoryAuthorizedEmail.DoesNotExist:
-    raise DataModelException('Invalid confirmation code.')
+    try:
+        found = (
+            RepositoryAuthorizedEmail.select(
+                RepositoryAuthorizedEmail, Repository, Namespace
+            )
+            .join(Repository)
+            .join(Namespace, on=(Repository.namespace_user == Namespace.id))
+            .where(RepositoryAuthorizedEmail.code == code)
+            .get()
+        )
+    except RepositoryAuthorizedEmail.DoesNotExist:
+        raise DataModelException("Invalid confirmation code.")
 
-  found.confirmed = True
-  found.save()
+    found.confirmed = True
+    found.save()
 
-  return found
+    return found
 
 
 def is_empty(namespace_name, repository_name):
-  """ Returns if the repository referenced by the given namespace and name is empty. If the repo
+    """ Returns if the repository referenced by the given namespace and name is empty. If the repo
       doesn't exist, returns True.
   """
-  try:
-    tag.list_repository_tags(namespace_name, repository_name).limit(1).get()
-    return False
-  except RepositoryTag.DoesNotExist:
-    return True
+    try:
+        tag.list_repository_tags(namespace_name, repository_name).limit(1).get()
+        return False
+    except RepositoryTag.DoesNotExist:
+        return True
 
 
 def get_repository_state(namespace_name, repository_name):
-  """ Return the Repository State if the Repository exists. Otherwise, returns None. """
-  repo = get_repository(namespace_name, repository_name)
-  if repo:
-    return repo.state
+    """ Return the Repository State if the Repository exists. Otherwise, returns None. """
+    repo = get_repository(namespace_name, repository_name)
+    if repo:
+        return repo.state
 
-  return None
+    return None
 
 
 def set_repository_state(repo, state):
-  repo.state = state
-  repo.save()
+    repo.state = state
+    repo.save()
diff --git a/data/model/repositoryactioncount.py b/data/model/repositoryactioncount.py
index 759edc093..7e9364479 100644
--- a/data/model/repositoryactioncount.py
+++ b/data/model/repositoryactioncount.py
@@ -4,12 +4,20 @@ from collections import namedtuple
 from peewee import IntegrityError
 
 from datetime import date, timedelta, datetime
-from data.database import (Repository, LogEntry, LogEntry2, LogEntry3, RepositoryActionCount,
-                           RepositorySearchScore, db_random_func, fn)
+from data.database import (
+    Repository,
+    LogEntry,
+    LogEntry2,
+    LogEntry3,
+    RepositoryActionCount,
+    RepositorySearchScore,
+    db_random_func,
+    fn,
+)
 
 logger = logging.getLogger(__name__)
 
-search_bucket = namedtuple('SearchBucket', ['delta', 'days', 'weight'])
+search_bucket = namedtuple("SearchBucket", ["delta", "days", "weight"])
 
 # Defines the various buckets for search scoring. Each bucket is computed using the given time
 # delta from today *minus the previous bucket's time period*. Once all the actions over the
@@ -17,113 +25,132 @@ search_bucket = namedtuple('SearchBucket', ['delta', 'days', 'weight'])
 # for this bucket were determined via the integral of (2/((x/183)+1)^2)/183 over the period of days
 # in the bucket; this integral over 0..183 has a sum of 1, so we get a good normalize score result.
 SEARCH_BUCKETS = [
-  search_bucket(timedelta(days=1), 1, 0.010870),
-  search_bucket(timedelta(days=7), 6, 0.062815),
-  search_bucket(timedelta(days=31), 24, 0.21604),
-  search_bucket(timedelta(days=183), 152, 0.71028),
+    search_bucket(timedelta(days=1), 1, 0.010870),
+    search_bucket(timedelta(days=7), 6, 0.062815),
+    search_bucket(timedelta(days=31), 24, 0.21604),
+    search_bucket(timedelta(days=183), 152, 0.71028),
 ]
 
+
 def find_uncounted_repository():
-  """ Returns a repository that has not yet had an entry added into the RepositoryActionCount
+    """ Returns a repository that has not yet had an entry added into the RepositoryActionCount
       table for yesterday.
   """
-  try:
-    # Get a random repository to count.
-    today = date.today()
-    yesterday = today - timedelta(days=1)
-    has_yesterday_actions = (RepositoryActionCount
-                             .select(RepositoryActionCount.repository)
-                             .where(RepositoryActionCount.date == yesterday))
+    try:
+        # Get a random repository to count.
+        today = date.today()
+        yesterday = today - timedelta(days=1)
+        has_yesterday_actions = RepositoryActionCount.select(
+            RepositoryActionCount.repository
+        ).where(RepositoryActionCount.date == yesterday)
 
-    to_count = (Repository
-                .select()
-                .where(~(Repository.id << (has_yesterday_actions)))
-                .order_by(db_random_func()).get())
-    return to_count
-  except Repository.DoesNotExist:
-    return None
+        to_count = (
+            Repository.select()
+            .where(~(Repository.id << (has_yesterday_actions)))
+            .order_by(db_random_func())
+            .get()
+        )
+        return to_count
+    except Repository.DoesNotExist:
+        return None
 
 
 def count_repository_actions(to_count, day):
-  """ Aggregates repository actions from the LogEntry table for the specified day. Returns the
+    """ Aggregates repository actions from the LogEntry table for the specified day. Returns the
       count or None on error.
   """
-  # TODO: Clean this up a bit.
-  def lookup_action_count(model):
-    return (model
-            .select()
-            .where(model.repository == to_count,
-                   model.datetime >= day,
-                   model.datetime < (day + timedelta(days=1)))
-            .count())
+    # TODO: Clean this up a bit.
+    def lookup_action_count(model):
+        return (
+            model.select()
+            .where(
+                model.repository == to_count,
+                model.datetime >= day,
+                model.datetime < (day + timedelta(days=1)),
+            )
+            .count()
+        )
 
-  actions = (lookup_action_count(LogEntry3) + lookup_action_count(LogEntry2) +
-             lookup_action_count(LogEntry))
+    actions = (
+        lookup_action_count(LogEntry3)
+        + lookup_action_count(LogEntry2)
+        + lookup_action_count(LogEntry)
+    )
 
-  return actions
+    return actions
 
 
 def store_repository_action_count(repository, day, action_count):
-  """ Stores the action count for a repository for a specific day. Returns False if the
+    """ Stores the action count for a repository for a specific day. Returns False if the
       repository already has an entry for the specified day.
   """
-  try:
-    RepositoryActionCount.create(repository=repository, date=day, count=action_count)
-    return True
-  except IntegrityError:
-    logger.debug('Count already written for repository %s', repository.id)
-    return False
+    try:
+        RepositoryActionCount.create(
+            repository=repository, date=day, count=action_count
+        )
+        return True
+    except IntegrityError:
+        logger.debug("Count already written for repository %s", repository.id)
+        return False
 
 
 def update_repository_score(repo):
-  """ Updates the repository score entry for the given table by retrieving information from
+    """ Updates the repository score entry for the given table by retrieving information from
       the RepositoryActionCount table. Note that count_repository_actions for the repo should
       be called first. Returns True if the row was updated and False otherwise.
   """
-  today = date.today()
+    today = date.today()
 
-  # Retrieve the counts for each bucket and calculate the final score.
-  final_score = 0.0
-  last_end_timedelta = timedelta(days=0)
+    # Retrieve the counts for each bucket and calculate the final score.
+    final_score = 0.0
+    last_end_timedelta = timedelta(days=0)
 
-  for bucket in SEARCH_BUCKETS:
-    start_date = today - bucket.delta
-    end_date = today - last_end_timedelta
-    last_end_timedelta = bucket.delta
+    for bucket in SEARCH_BUCKETS:
+        start_date = today - bucket.delta
+        end_date = today - last_end_timedelta
+        last_end_timedelta = bucket.delta
 
-    query = (RepositoryActionCount
-             .select(fn.Sum(RepositoryActionCount.count), fn.Count(RepositoryActionCount.id))
-             .where(RepositoryActionCount.date >= start_date,
-                    RepositoryActionCount.date < end_date,
-                    RepositoryActionCount.repository == repo))
+        query = RepositoryActionCount.select(
+            fn.Sum(RepositoryActionCount.count), fn.Count(RepositoryActionCount.id)
+        ).where(
+            RepositoryActionCount.date >= start_date,
+            RepositoryActionCount.date < end_date,
+            RepositoryActionCount.repository == repo,
+        )
 
-    bucket_tuple = query.tuples()[0]
-    logger.debug('Got bucket tuple %s for bucket %s for repository %s', bucket_tuple, bucket,
-                 repo.id)
+        bucket_tuple = query.tuples()[0]
+        logger.debug(
+            "Got bucket tuple %s for bucket %s for repository %s",
+            bucket_tuple,
+            bucket,
+            repo.id,
+        )
 
-    if bucket_tuple[0] is None:
-      continue
+        if bucket_tuple[0] is None:
+            continue
 
-    bucket_sum = float(bucket_tuple[0])
-    bucket_count = int(bucket_tuple[1])
-    if not bucket_count:
-      continue
+        bucket_sum = float(bucket_tuple[0])
+        bucket_count = int(bucket_tuple[1])
+        if not bucket_count:
+            continue
 
-    bucket_score = bucket_sum / (bucket_count * 1.0)
-    final_score += bucket_score * bucket.weight
+        bucket_score = bucket_sum / (bucket_count * 1.0)
+        final_score += bucket_score * bucket.weight
 
-  # Update the existing repo search score row or create a new one.
-  normalized_score = int(final_score * 100.0)
-  try:
+    # Update the existing repo search score row or create a new one.
+    normalized_score = int(final_score * 100.0)
     try:
-      search_score_row = RepositorySearchScore.get(repository=repo)
-      search_score_row.last_updated = datetime.now()
-      search_score_row.score = normalized_score
-      search_score_row.save()
-      return True
-    except RepositorySearchScore.DoesNotExist:
-      RepositorySearchScore.create(repository=repo, score=normalized_score, last_updated=today)
-      return True
-  except IntegrityError:
-    logger.debug('RepositorySearchScore row already existed; skipping')
-    return False
+        try:
+            search_score_row = RepositorySearchScore.get(repository=repo)
+            search_score_row.last_updated = datetime.now()
+            search_score_row.score = normalized_score
+            search_score_row.save()
+            return True
+        except RepositorySearchScore.DoesNotExist:
+            RepositorySearchScore.create(
+                repository=repo, score=normalized_score, last_updated=today
+            )
+            return True
+    except IntegrityError:
+        logger.debug("RepositorySearchScore row already existed; skipping")
+        return False
diff --git a/data/model/service_keys.py b/data/model/service_keys.py
index eb460299b..67ca282ae 100644
--- a/data/model/service_keys.py
+++ b/data/model/service_keys.py
@@ -8,198 +8,258 @@ from Crypto.PublicKey import RSA
 from jwkest.jwk import RSAKey
 
 from data.database import db_for_update, User, ServiceKey, ServiceKeyApproval
-from data.model import (ServiceKeyDoesNotExist, ServiceKeyAlreadyApproved, ServiceNameInvalid,
-                        db_transaction, config)
-from data.model.notification import create_notification, delete_all_notifications_by_path_prefix
+from data.model import (
+    ServiceKeyDoesNotExist,
+    ServiceKeyAlreadyApproved,
+    ServiceNameInvalid,
+    db_transaction,
+    config,
+)
+from data.model.notification import (
+    create_notification,
+    delete_all_notifications_by_path_prefix,
+)
 from util.security.fingerprint import canonical_kid
 
 
-_SERVICE_NAME_REGEX = re.compile(r'^[a-z0-9_]+$')
+_SERVICE_NAME_REGEX = re.compile(r"^[a-z0-9_]+$")
+
 
 def _expired_keys_clause(service):
-  return ((ServiceKey.service == service) &
-          (ServiceKey.expiration_date <= datetime.utcnow()))
+    return (ServiceKey.service == service) & (
+        ServiceKey.expiration_date <= datetime.utcnow()
+    )
 
 
 def _stale_expired_keys_service_clause(service):
-  return ((ServiceKey.service == service) & _stale_expired_keys_clause())
+    return (ServiceKey.service == service) & _stale_expired_keys_clause()
 
 
 def _stale_expired_keys_clause():
-  expired_ttl = timedelta(seconds=config.app_config['EXPIRED_SERVICE_KEY_TTL_SEC'])
-  return (ServiceKey.expiration_date <= (datetime.utcnow() - expired_ttl))
+    expired_ttl = timedelta(seconds=config.app_config["EXPIRED_SERVICE_KEY_TTL_SEC"])
+    return ServiceKey.expiration_date <= (datetime.utcnow() - expired_ttl)
 
 
 def _stale_unapproved_keys_clause(service):
-  unapproved_ttl = timedelta(seconds=config.app_config['UNAPPROVED_SERVICE_KEY_TTL_SEC'])
-  return ((ServiceKey.service == service) &
-          (ServiceKey.approval >> None) &
-          (ServiceKey.created_date <= (datetime.utcnow() - unapproved_ttl)))
+    unapproved_ttl = timedelta(
+        seconds=config.app_config["UNAPPROVED_SERVICE_KEY_TTL_SEC"]
+    )
+    return (
+        (ServiceKey.service == service)
+        & (ServiceKey.approval >> None)
+        & (ServiceKey.created_date <= (datetime.utcnow() - unapproved_ttl))
+    )
 
 
 def _gc_expired(service):
-  ServiceKey.delete().where(_stale_expired_keys_service_clause(service) |
-                            _stale_unapproved_keys_clause(service)).execute()
+    ServiceKey.delete().where(
+        _stale_expired_keys_service_clause(service)
+        | _stale_unapproved_keys_clause(service)
+    ).execute()
 
 
 def _verify_service_name(service_name):
-  if not _SERVICE_NAME_REGEX.match(service_name):
-    raise ServiceNameInvalid
+    if not _SERVICE_NAME_REGEX.match(service_name):
+        raise ServiceNameInvalid
 
 
 def _notify_superusers(key):
-  notification_metadata = {
-    'name': key.name,
-    'kid': key.kid,
-    'service': key.service,
-    'jwk': key.jwk,
-    'metadata': key.metadata,
-    'created_date': timegm(key.created_date.utctimetuple()),
-  }
+    notification_metadata = {
+        "name": key.name,
+        "kid": key.kid,
+        "service": key.service,
+        "jwk": key.jwk,
+        "metadata": key.metadata,
+        "created_date": timegm(key.created_date.utctimetuple()),
+    }
 
-  if key.expiration_date is not None:
-    notification_metadata['expiration_date'] = timegm(key.expiration_date.utctimetuple())
+    if key.expiration_date is not None:
+        notification_metadata["expiration_date"] = timegm(
+            key.expiration_date.utctimetuple()
+        )
 
-  if len(config.app_config['SUPER_USERS']) > 0:
-    superusers = User.select().where(User.username << config.app_config['SUPER_USERS'])
-    for superuser in superusers:
-      create_notification('service_key_submitted', superuser, metadata=notification_metadata,
-                          lookup_path='/service_key_approval/{0}/{1}'.format(key.kid, superuser.id))
+    if len(config.app_config["SUPER_USERS"]) > 0:
+        superusers = User.select().where(
+            User.username << config.app_config["SUPER_USERS"]
+        )
+        for superuser in superusers:
+            create_notification(
+                "service_key_submitted",
+                superuser,
+                metadata=notification_metadata,
+                lookup_path="/service_key_approval/{0}/{1}".format(
+                    key.kid, superuser.id
+                ),
+            )
 
 
-def create_service_key(name, kid, service, jwk, metadata, expiration_date, rotation_duration=None):
-  _verify_service_name(service)
-  _gc_expired(service)
+def create_service_key(
+    name, kid, service, jwk, metadata, expiration_date, rotation_duration=None
+):
+    _verify_service_name(service)
+    _gc_expired(service)
 
-  key = ServiceKey.create(name=name, kid=kid, service=service, jwk=jwk, metadata=metadata,
-                          expiration_date=expiration_date, rotation_duration=rotation_duration)
+    key = ServiceKey.create(
+        name=name,
+        kid=kid,
+        service=service,
+        jwk=jwk,
+        metadata=metadata,
+        expiration_date=expiration_date,
+        rotation_duration=rotation_duration,
+    )
 
-  _notify_superusers(key)
-  return key
+    _notify_superusers(key)
+    return key
 
 
-def generate_service_key(service, expiration_date, kid=None, name='', metadata=None,
-                         rotation_duration=None):
-  private_key = RSA.generate(2048)
-  jwk = RSAKey(key=private_key.publickey()).serialize()
-  if kid is None:
-    kid = canonical_kid(jwk)
+def generate_service_key(
+    service, expiration_date, kid=None, name="", metadata=None, rotation_duration=None
+):
+    private_key = RSA.generate(2048)
+    jwk = RSAKey(key=private_key.publickey()).serialize()
+    if kid is None:
+        kid = canonical_kid(jwk)
 
-  key = create_service_key(name, kid, service, jwk, metadata or {}, expiration_date,
-                           rotation_duration=rotation_duration)
-  return (private_key, key)
+    key = create_service_key(
+        name,
+        kid,
+        service,
+        jwk,
+        metadata or {},
+        expiration_date,
+        rotation_duration=rotation_duration,
+    )
+    return (private_key, key)
 
 
 def replace_service_key(old_kid, kid, jwk, metadata, expiration_date):
-  try:
-    with db_transaction():
-      key = db_for_update(ServiceKey.select().where(ServiceKey.kid == old_kid)).get()
-      key.metadata.update(metadata)
+    try:
+        with db_transaction():
+            key = db_for_update(
+                ServiceKey.select().where(ServiceKey.kid == old_kid)
+            ).get()
+            key.metadata.update(metadata)
 
-      ServiceKey.create(name=key.name, kid=kid, service=key.service, jwk=jwk,
-                        metadata=key.metadata, expiration_date=expiration_date,
-                        rotation_duration=key.rotation_duration, approval=key.approval)
-      key.delete_instance()
-  except ServiceKey.DoesNotExist:
-    raise ServiceKeyDoesNotExist
+            ServiceKey.create(
+                name=key.name,
+                kid=kid,
+                service=key.service,
+                jwk=jwk,
+                metadata=key.metadata,
+                expiration_date=expiration_date,
+                rotation_duration=key.rotation_duration,
+                approval=key.approval,
+            )
+            key.delete_instance()
+    except ServiceKey.DoesNotExist:
+        raise ServiceKeyDoesNotExist
 
-  _notify_superusers(key)
-  delete_all_notifications_by_path_prefix('/service_key_approval/{0}'.format(old_kid))
-  _gc_expired(key.service)
+    _notify_superusers(key)
+    delete_all_notifications_by_path_prefix("/service_key_approval/{0}".format(old_kid))
+    _gc_expired(key.service)
 
 
 def update_service_key(kid, name=None, metadata=None):
-  try:
-    with db_transaction():
-      key = db_for_update(ServiceKey.select().where(ServiceKey.kid == kid)).get()
-      if name is not None:
-        key.name = name
+    try:
+        with db_transaction():
+            key = db_for_update(ServiceKey.select().where(ServiceKey.kid == kid)).get()
+            if name is not None:
+                key.name = name
 
-      if metadata is not None:
-        key.metadata.update(metadata)
+            if metadata is not None:
+                key.metadata.update(metadata)
 
-      key.save()
-  except ServiceKey.DoesNotExist:
-    raise ServiceKeyDoesNotExist
+            key.save()
+    except ServiceKey.DoesNotExist:
+        raise ServiceKeyDoesNotExist
 
 
 def delete_service_key(kid):
-  try:
-    key = ServiceKey.get(kid=kid)
-    ServiceKey.delete().where(ServiceKey.kid == kid).execute()
-  except ServiceKey.DoesNotExist:
-    raise ServiceKeyDoesNotExist
+    try:
+        key = ServiceKey.get(kid=kid)
+        ServiceKey.delete().where(ServiceKey.kid == kid).execute()
+    except ServiceKey.DoesNotExist:
+        raise ServiceKeyDoesNotExist
 
-  delete_all_notifications_by_path_prefix('/service_key_approval/{0}'.format(kid))
-  _gc_expired(key.service)
-  return key
+    delete_all_notifications_by_path_prefix("/service_key_approval/{0}".format(kid))
+    _gc_expired(key.service)
+    return key
 
 
 def set_key_expiration(kid, expiration_date):
-  try:
-    service_key = get_service_key(kid, alive_only=False, approved_only=False)
-  except ServiceKey.DoesNotExist:
-    raise ServiceKeyDoesNotExist
+    try:
+        service_key = get_service_key(kid, alive_only=False, approved_only=False)
+    except ServiceKey.DoesNotExist:
+        raise ServiceKeyDoesNotExist
 
-  service_key.expiration_date = expiration_date
-  service_key.save()
+    service_key.expiration_date = expiration_date
+    service_key.save()
 
 
-def approve_service_key(kid, approval_type, approver=None, notes=''):
-  try:
-    with db_transaction():
-      key = db_for_update(ServiceKey.select().where(ServiceKey.kid == kid)).get()
-      if key.approval is not None:
-        raise ServiceKeyAlreadyApproved
+def approve_service_key(kid, approval_type, approver=None, notes=""):
+    try:
+        with db_transaction():
+            key = db_for_update(ServiceKey.select().where(ServiceKey.kid == kid)).get()
+            if key.approval is not None:
+                raise ServiceKeyAlreadyApproved
 
-      approval = ServiceKeyApproval.create(approver=approver, approval_type=approval_type,
-                                           notes=notes)
-      key.approval = approval
-      key.save()
-  except ServiceKey.DoesNotExist:
-    raise ServiceKeyDoesNotExist
+            approval = ServiceKeyApproval.create(
+                approver=approver, approval_type=approval_type, notes=notes
+            )
+            key.approval = approval
+            key.save()
+    except ServiceKey.DoesNotExist:
+        raise ServiceKeyDoesNotExist
 
-  delete_all_notifications_by_path_prefix('/service_key_approval/{0}'.format(kid))
-  return key
+    delete_all_notifications_by_path_prefix("/service_key_approval/{0}".format(kid))
+    return key
 
 
-def _list_service_keys_query(kid=None, service=None, approved_only=True, alive_only=True,
-                             approval_type=None):
-  query = ServiceKey.select().join(ServiceKeyApproval, JOIN.LEFT_OUTER)
+def _list_service_keys_query(
+    kid=None, service=None, approved_only=True, alive_only=True, approval_type=None
+):
+    query = ServiceKey.select().join(ServiceKeyApproval, JOIN.LEFT_OUTER)
 
-  if approved_only:
-    query = query.where(~(ServiceKey.approval >> None))
+    if approved_only:
+        query = query.where(~(ServiceKey.approval >> None))
 
-  if alive_only:
-    query = query.where((ServiceKey.expiration_date > datetime.utcnow()) |
-                        (ServiceKey.expiration_date >> None))
+    if alive_only:
+        query = query.where(
+            (ServiceKey.expiration_date > datetime.utcnow())
+            | (ServiceKey.expiration_date >> None)
+        )
 
-  if approval_type is not None:
-    query = query.where(ServiceKeyApproval.approval_type == approval_type)
+    if approval_type is not None:
+        query = query.where(ServiceKeyApproval.approval_type == approval_type)
 
-  if service is not None:
-    query = query.where(ServiceKey.service == service)
-    query = query.where(~(_expired_keys_clause(service)) |
-                        ~(_stale_unapproved_keys_clause(service)))
+    if service is not None:
+        query = query.where(ServiceKey.service == service)
+        query = query.where(
+            ~(_expired_keys_clause(service)) | ~(_stale_unapproved_keys_clause(service))
+        )
 
-  if kid is not None:
-    query = query.where(ServiceKey.kid == kid)
+    if kid is not None:
+        query = query.where(ServiceKey.kid == kid)
 
-  query = query.where(~(_stale_expired_keys_clause()) | (ServiceKey.expiration_date >> None))
-  return query
+    query = query.where(
+        ~(_stale_expired_keys_clause()) | (ServiceKey.expiration_date >> None)
+    )
+    return query
 
 
 def list_all_keys():
-  return list(_list_service_keys_query(approved_only=False, alive_only=False))
+    return list(_list_service_keys_query(approved_only=False, alive_only=False))
 
 
 def list_service_keys(service):
-  return list(_list_service_keys_query(service=service))
+    return list(_list_service_keys_query(service=service))
 
 
 def get_service_key(kid, service=None, alive_only=True, approved_only=True):
-  try:
-    return _list_service_keys_query(kid=kid, service=service, approved_only=approved_only,
-                                    alive_only=alive_only).get()
-  except ServiceKey.DoesNotExist:
-    raise ServiceKeyDoesNotExist
+    try:
+        return _list_service_keys_query(
+            kid=kid, service=service, approved_only=approved_only, alive_only=alive_only
+        ).get()
+    except ServiceKey.DoesNotExist:
+        raise ServiceKeyDoesNotExist
diff --git a/data/model/sqlalchemybridge.py b/data/model/sqlalchemybridge.py
index e469eff00..780e1643c 100644
--- a/data/model/sqlalchemybridge.py
+++ b/data/model/sqlalchemybridge.py
@@ -1,94 +1,125 @@
-from sqlalchemy import (Table, MetaData, Column, ForeignKey, Integer, String, Boolean, Text,
-                        DateTime, Date, BigInteger, Index, text)
-from peewee import (PrimaryKeyField, CharField, BooleanField, DateTimeField, TextField,
-                    ForeignKeyField, BigIntegerField, IntegerField, DateField)
+from sqlalchemy import (
+    Table,
+    MetaData,
+    Column,
+    ForeignKey,
+    Integer,
+    String,
+    Boolean,
+    Text,
+    DateTime,
+    Date,
+    BigInteger,
+    Index,
+    text,
+)
+from peewee import (
+    PrimaryKeyField,
+    CharField,
+    BooleanField,
+    DateTimeField,
+    TextField,
+    ForeignKeyField,
+    BigIntegerField,
+    IntegerField,
+    DateField,
+)
 
 
-OPTIONS_TO_COPY = [
-  'null',
-  'default',
-  'primary_key',
-]
+OPTIONS_TO_COPY = ["null", "default", "primary_key"]
 
 
-OPTION_TRANSLATIONS = {
-  'null': 'nullable',
-}
+OPTION_TRANSLATIONS = {"null": "nullable"}
+
 
 def gen_sqlalchemy_metadata(peewee_model_list):
-  metadata = MetaData(naming_convention={
-    "ix": 'ix_%(column_0_label)s',
-    "uq": "uq_%(table_name)s_%(column_0_name)s",
-    "fk": "fk_%(table_name)s_%(column_0_name)s_%(referred_table_name)s",
-    "pk": "pk_%(table_name)s"
-  })
+    metadata = MetaData(
+        naming_convention={
+            "ix": "ix_%(column_0_label)s",
+            "uq": "uq_%(table_name)s_%(column_0_name)s",
+            "fk": "fk_%(table_name)s_%(column_0_name)s_%(referred_table_name)s",
+            "pk": "pk_%(table_name)s",
+        }
+    )
 
-  for model in peewee_model_list:
-    meta = model._meta
+    for model in peewee_model_list:
+        meta = model._meta
 
-    all_indexes = set(meta.indexes)
-    fulltext_indexes = []
+        all_indexes = set(meta.indexes)
+        fulltext_indexes = []
 
-    columns = []
-    for field in meta.sorted_fields:
-      alchemy_type = None
-      col_args = []
-      col_kwargs = {}
-      if isinstance(field, PrimaryKeyField):
-        alchemy_type = Integer
-      elif isinstance(field, CharField):
-        alchemy_type = String(field.max_length)
-      elif isinstance(field, BooleanField):
-        alchemy_type = Boolean
-      elif isinstance(field, DateTimeField):
-        alchemy_type = DateTime
-      elif isinstance(field, DateField):
-        alchemy_type = Date
-      elif isinstance(field, TextField):
-        alchemy_type = Text
-      elif isinstance(field, ForeignKeyField):
-        alchemy_type = Integer
-        all_indexes.add(((field.name, ), field.unique))
-        if not field.deferred:
-          target_name = '%s.%s' % (field.rel_model._meta.table_name, field.rel_field.column_name)
-          col_args.append(ForeignKey(target_name))
-      elif isinstance(field, BigIntegerField):
-        alchemy_type = BigInteger
-      elif isinstance(field, IntegerField):
-        alchemy_type = Integer
-      else:
-        raise RuntimeError('Unknown column type: %s' % field)
+        columns = []
+        for field in meta.sorted_fields:
+            alchemy_type = None
+            col_args = []
+            col_kwargs = {}
+            if isinstance(field, PrimaryKeyField):
+                alchemy_type = Integer
+            elif isinstance(field, CharField):
+                alchemy_type = String(field.max_length)
+            elif isinstance(field, BooleanField):
+                alchemy_type = Boolean
+            elif isinstance(field, DateTimeField):
+                alchemy_type = DateTime
+            elif isinstance(field, DateField):
+                alchemy_type = Date
+            elif isinstance(field, TextField):
+                alchemy_type = Text
+            elif isinstance(field, ForeignKeyField):
+                alchemy_type = Integer
+                all_indexes.add(((field.name,), field.unique))
+                if not field.deferred:
+                    target_name = "%s.%s" % (
+                        field.rel_model._meta.table_name,
+                        field.rel_field.column_name,
+                    )
+                    col_args.append(ForeignKey(target_name))
+            elif isinstance(field, BigIntegerField):
+                alchemy_type = BigInteger
+            elif isinstance(field, IntegerField):
+                alchemy_type = Integer
+            else:
+                raise RuntimeError("Unknown column type: %s" % field)
 
-      if hasattr(field, '__fulltext__'):
-        # Add the fulltext index for the field, based on whether we are under MySQL or Postgres.
-        fulltext_indexes.append(field.name)
+            if hasattr(field, "__fulltext__"):
+                # Add the fulltext index for the field, based on whether we are under MySQL or Postgres.
+                fulltext_indexes.append(field.name)
 
-      for option_name in OPTIONS_TO_COPY:
-        alchemy_option_name = (OPTION_TRANSLATIONS[option_name]
-                               if option_name in OPTION_TRANSLATIONS else option_name)
-        if alchemy_option_name not in col_kwargs:
-          option_val = getattr(field, option_name)
-          col_kwargs[alchemy_option_name] = option_val
+            for option_name in OPTIONS_TO_COPY:
+                alchemy_option_name = (
+                    OPTION_TRANSLATIONS[option_name]
+                    if option_name in OPTION_TRANSLATIONS
+                    else option_name
+                )
+                if alchemy_option_name not in col_kwargs:
+                    option_val = getattr(field, option_name)
+                    col_kwargs[alchemy_option_name] = option_val
 
-      if field.unique or field.index:
-        all_indexes.add(((field.name, ), field.unique))
+            if field.unique or field.index:
+                all_indexes.add(((field.name,), field.unique))
 
-      new_col = Column(field.column_name, alchemy_type, *col_args, **col_kwargs)
-      columns.append(new_col)
+            new_col = Column(field.column_name, alchemy_type, *col_args, **col_kwargs)
+            columns.append(new_col)
 
-    new_table = Table(meta.table_name, metadata, *columns)
+        new_table = Table(meta.table_name, metadata, *columns)
 
-    for col_prop_names, unique in all_indexes:
-      col_names = [meta.fields[prop_name].column_name for prop_name in col_prop_names]
-      index_name = '%s_%s' % (meta.table_name, '_'.join(col_names))
-      col_refs = [getattr(new_table.c, col_name) for col_name in col_names]
-      Index(index_name, *col_refs, unique=unique)
+        for col_prop_names, unique in all_indexes:
+            col_names = [
+                meta.fields[prop_name].column_name for prop_name in col_prop_names
+            ]
+            index_name = "%s_%s" % (meta.table_name, "_".join(col_names))
+            col_refs = [getattr(new_table.c, col_name) for col_name in col_names]
+            Index(index_name, *col_refs, unique=unique)
 
-    for col_field_name in fulltext_indexes:
-      index_name = '%s_%s__fulltext' % (meta.table_name, col_field_name)
-      col_ref = getattr(new_table.c, col_field_name)
-      Index(index_name, col_ref, postgresql_ops={col_field_name: 'gin_trgm_ops'},
-                                 postgresql_using='gin',
-                                 mysql_prefix='FULLTEXT')
+        for col_field_name in fulltext_indexes:
+            index_name = "%s_%s__fulltext" % (meta.table_name, col_field_name)
+            col_ref = getattr(new_table.c, col_field_name)
+            Index(
+                index_name,
+                col_ref,
+                postgresql_ops={col_field_name: "gin_trgm_ops"},
+                postgresql_using="gin",
+                mysql_prefix="FULLTEXT",
+            )
 
-  return metadata
+    return metadata
diff --git a/data/model/storage.py b/data/model/storage.py
index adfa54cd9..646f3f9fc 100644
--- a/data/model/storage.py
+++ b/data/model/storage.py
@@ -4,370 +4,450 @@ from peewee import SQL, IntegrityError
 from cachetools.func import lru_cache
 from collections import namedtuple
 
-from data.model import (config, db_transaction, InvalidImageException, TorrentInfoDoesNotExist,
-                        DataModelException, _basequery)
-from data.database import (ImageStorage, Image, ImageStoragePlacement, ImageStorageLocation,
-                           ImageStorageTransformation, ImageStorageSignature,
-                           ImageStorageSignatureKind, Repository, Namespace, TorrentInfo, ApprBlob,
-                           ensure_under_transaction, ManifestBlob)
+from data.model import (
+    config,
+    db_transaction,
+    InvalidImageException,
+    TorrentInfoDoesNotExist,
+    DataModelException,
+    _basequery,
+)
+from data.database import (
+    ImageStorage,
+    Image,
+    ImageStoragePlacement,
+    ImageStorageLocation,
+    ImageStorageTransformation,
+    ImageStorageSignature,
+    ImageStorageSignatureKind,
+    Repository,
+    Namespace,
+    TorrentInfo,
+    ApprBlob,
+    ensure_under_transaction,
+    ManifestBlob,
+)
 
 
 logger = logging.getLogger(__name__)
 
-_Location = namedtuple('location', ['id', 'name'])
+_Location = namedtuple("location", ["id", "name"])
+
 
 @lru_cache(maxsize=1)
 def get_image_locations():
-  location_map = {}
-  for location in ImageStorageLocation.select():
-    location_tuple = _Location(location.id, location.name)
-    location_map[location.id] = location_tuple
-    location_map[location.name] = location_tuple
+    location_map = {}
+    for location in ImageStorageLocation.select():
+        location_tuple = _Location(location.id, location.name)
+        location_map[location.id] = location_tuple
+        location_map[location.name] = location_tuple
 
-  return location_map
+    return location_map
 
 
 def get_image_location_for_name(location_name):
-  locations = get_image_locations()
-  return locations[location_name]
+    locations = get_image_locations()
+    return locations[location_name]
 
 
 def get_image_location_for_id(location_id):
-  locations = get_image_locations()
-  return locations[location_id]
+    locations = get_image_locations()
+    return locations[location_id]
 
 
 def add_storage_placement(storage, location_name):
-  """ Adds a storage placement for the given storage at the given location. """
-  location = get_image_location_for_name(location_name)
-  try:
-    ImageStoragePlacement.create(location=location.id, storage=storage)
-  except IntegrityError:
-    # Placement already exists. Nothing to do.
-    pass
+    """ Adds a storage placement for the given storage at the given location. """
+    location = get_image_location_for_name(location_name)
+    try:
+        ImageStoragePlacement.create(location=location.id, storage=storage)
+    except IntegrityError:
+        # Placement already exists. Nothing to do.
+        pass
 
 
 def _orphaned_storage_query(candidate_ids):
-  """ Returns the subset of the candidate ImageStorage IDs representing storages that are no
+    """ Returns the subset of the candidate ImageStorage IDs representing storages that are no
       longer referenced by images.
   """
-  # Issue a union query to find all storages that are still referenced by a candidate storage. This
-  # is much faster than the group_by and having call we used to use here.
-  nonorphaned_queries = []
-  for counter, candidate_id in enumerate(candidate_ids):
-    query_alias = 'q{0}'.format(counter)
+    # Issue a union query to find all storages that are still referenced by a candidate storage. This
+    # is much faster than the group_by and having call we used to use here.
+    nonorphaned_queries = []
+    for counter, candidate_id in enumerate(candidate_ids):
+        query_alias = "q{0}".format(counter)
 
-    # TODO: remove the join with Image once fully on the OCI data model.
-    storage_subq = (ImageStorage
-                    .select(ImageStorage.id)
-                    .join(Image)
-                    .where(ImageStorage.id == candidate_id)
-                    .limit(1)
-                    .alias(query_alias))
+        # TODO: remove the join with Image once fully on the OCI data model.
+        storage_subq = (
+            ImageStorage.select(ImageStorage.id)
+            .join(Image)
+            .where(ImageStorage.id == candidate_id)
+            .limit(1)
+            .alias(query_alias)
+        )
 
-    nonorphaned_queries.append(ImageStorage
-                               .select(SQL('*'))
-                               .from_(storage_subq))
+        nonorphaned_queries.append(ImageStorage.select(SQL("*")).from_(storage_subq))
 
-    manifest_storage_subq = (ImageStorage
-                             .select(ImageStorage.id)
-                             .join(ManifestBlob)
-                             .where(ImageStorage.id == candidate_id)
-                             .limit(1)
-                             .alias(query_alias))
+        manifest_storage_subq = (
+            ImageStorage.select(ImageStorage.id)
+            .join(ManifestBlob)
+            .where(ImageStorage.id == candidate_id)
+            .limit(1)
+            .alias(query_alias)
+        )
 
-    nonorphaned_queries.append(ImageStorage
-                               .select(SQL('*'))
-                               .from_(manifest_storage_subq))
+        nonorphaned_queries.append(
+            ImageStorage.select(SQL("*")).from_(manifest_storage_subq)
+        )
 
-  # Build the set of storages that are missing. These storages are orphaned.
-  nonorphaned_storage_ids = {storage.id for storage
-                             in _basequery.reduce_as_tree(nonorphaned_queries)}
-  return list(candidate_ids - nonorphaned_storage_ids)
+    # Build the set of storages that are missing. These storages are orphaned.
+    nonorphaned_storage_ids = {
+        storage.id for storage in _basequery.reduce_as_tree(nonorphaned_queries)
+    }
+    return list(candidate_ids - nonorphaned_storage_ids)
 
 
 def garbage_collect_storage(storage_id_whitelist):
-  """ Performs GC on a possible subset of the storage's with the IDs found in the
+    """ Performs GC on a possible subset of the storage's with the IDs found in the
       whitelist. The storages in the whitelist will be checked, and any orphaned will
       be removed, with those IDs being returned.
   """
-  if len(storage_id_whitelist) == 0:
-    return []
+    if len(storage_id_whitelist) == 0:
+        return []
 
-  def placements_to_filtered_paths_set(placements_list):
-    """ Returns the list of paths to remove from storage, filtered from the given placements
+    def placements_to_filtered_paths_set(placements_list):
+        """ Returns the list of paths to remove from storage, filtered from the given placements
         query by removing any CAS paths that are still referenced by storage(s) in the database.
     """
-    with ensure_under_transaction():
-      if not placements_list:
-        return set()
+        with ensure_under_transaction():
+            if not placements_list:
+                return set()
 
-      # Find the content checksums not referenced by other storages. Any that are, we cannot
-      # remove.
-      content_checksums = set([placement.storage.content_checksum for placement in placements_list
-                               if placement.storage.cas_path])
+            # Find the content checksums not referenced by other storages. Any that are, we cannot
+            # remove.
+            content_checksums = set(
+                [
+                    placement.storage.content_checksum
+                    for placement in placements_list
+                    if placement.storage.cas_path
+                ]
+            )
 
-      unreferenced_checksums = set()
-      if content_checksums:
-        # Check the current image storage.
-        query = (ImageStorage
-                 .select(ImageStorage.content_checksum)
-                 .where(ImageStorage.content_checksum << list(content_checksums)))
-        is_referenced_checksums = set([image_storage.content_checksum for image_storage in query])
-        if is_referenced_checksums:
-          logger.warning('GC attempted to remove CAS checksums %s, which are still IS referenced',
-                         is_referenced_checksums)
+            unreferenced_checksums = set()
+            if content_checksums:
+                # Check the current image storage.
+                query = ImageStorage.select(ImageStorage.content_checksum).where(
+                    ImageStorage.content_checksum << list(content_checksums)
+                )
+                is_referenced_checksums = set(
+                    [image_storage.content_checksum for image_storage in query]
+                )
+                if is_referenced_checksums:
+                    logger.warning(
+                        "GC attempted to remove CAS checksums %s, which are still IS referenced",
+                        is_referenced_checksums,
+                    )
 
-        # Check the ApprBlob table as well.
-        query = ApprBlob.select(ApprBlob.digest).where(ApprBlob.digest << list(content_checksums))
-        appr_blob_referenced_checksums = set([blob.digest for blob in query])
-        if appr_blob_referenced_checksums:
-          logger.warning('GC attempted to remove CAS checksums %s, which are ApprBlob referenced',
-                         appr_blob_referenced_checksums)
+                # Check the ApprBlob table as well.
+                query = ApprBlob.select(ApprBlob.digest).where(
+                    ApprBlob.digest << list(content_checksums)
+                )
+                appr_blob_referenced_checksums = set([blob.digest for blob in query])
+                if appr_blob_referenced_checksums:
+                    logger.warning(
+                        "GC attempted to remove CAS checksums %s, which are ApprBlob referenced",
+                        appr_blob_referenced_checksums,
+                    )
 
-        unreferenced_checksums = (content_checksums - appr_blob_referenced_checksums -
-                                  is_referenced_checksums)
+                unreferenced_checksums = (
+                    content_checksums
+                    - appr_blob_referenced_checksums
+                    - is_referenced_checksums
+                )
 
-      # Return all placements for all image storages found not at a CAS path or with a content
-      # checksum that is referenced.
-      return {(get_image_location_for_id(placement.location_id).name,
-               get_layer_path(placement.storage))
-               for placement in placements_list
-               if not placement.storage.cas_path or
-                  placement.storage.content_checksum in unreferenced_checksums}
+            # Return all placements for all image storages found not at a CAS path or with a content
+            # checksum that is referenced.
+            return {
+                (
+                    get_image_location_for_id(placement.location_id).name,
+                    get_layer_path(placement.storage),
+                )
+                for placement in placements_list
+                if not placement.storage.cas_path
+                or placement.storage.content_checksum in unreferenced_checksums
+            }
 
-  # Note: Both of these deletes must occur in the same transaction (unfortunately) because a
-  # storage without any placement is invalid, and a placement cannot exist without a storage.
-  # TODO: We might want to allow for null storages on placements, which would allow us to
-  # delete the storages, then delete the placements in a non-transaction.
-  logger.debug('Garbage collecting storages from candidates: %s', storage_id_whitelist)
-  with db_transaction():
-    orphaned_storage_ids = _orphaned_storage_query(storage_id_whitelist)
-    if len(orphaned_storage_ids) == 0:
-      # Nothing to GC.
-      return []
+    # Note: Both of these deletes must occur in the same transaction (unfortunately) because a
+    # storage without any placement is invalid, and a placement cannot exist without a storage.
+    # TODO: We might want to allow for null storages on placements, which would allow us to
+    # delete the storages, then delete the placements in a non-transaction.
+    logger.debug(
+        "Garbage collecting storages from candidates: %s", storage_id_whitelist
+    )
+    with db_transaction():
+        orphaned_storage_ids = _orphaned_storage_query(storage_id_whitelist)
+        if len(orphaned_storage_ids) == 0:
+            # Nothing to GC.
+            return []
 
-    placements_to_remove = list(ImageStoragePlacement
-                                .select(ImageStoragePlacement, ImageStorage)
-                                .join(ImageStorage)
-                                .where(ImageStorage.id << orphaned_storage_ids))
+        placements_to_remove = list(
+            ImageStoragePlacement.select(ImageStoragePlacement, ImageStorage)
+            .join(ImageStorage)
+            .where(ImageStorage.id << orphaned_storage_ids)
+        )
 
-    # Remove the placements for orphaned storages
-    if len(placements_to_remove) > 0:
-      placement_ids_to_remove = [placement.id for placement in placements_to_remove]
-      placements_removed = (ImageStoragePlacement
-                            .delete()
-                            .where(ImageStoragePlacement.id << placement_ids_to_remove)
-                            .execute())
-      logger.debug('Removed %s image storage placements', placements_removed)
+        # Remove the placements for orphaned storages
+        if len(placements_to_remove) > 0:
+            placement_ids_to_remove = [
+                placement.id for placement in placements_to_remove
+            ]
+            placements_removed = (
+                ImageStoragePlacement.delete()
+                .where(ImageStoragePlacement.id << placement_ids_to_remove)
+                .execute()
+            )
+            logger.debug("Removed %s image storage placements", placements_removed)
 
-    # Remove all orphaned storages
-    torrents_removed = (TorrentInfo
-                        .delete()
-                        .where(TorrentInfo.storage << orphaned_storage_ids)
-                        .execute())
-    logger.debug('Removed %s torrent info records', torrents_removed)
+        # Remove all orphaned storages
+        torrents_removed = (
+            TorrentInfo.delete()
+            .where(TorrentInfo.storage << orphaned_storage_ids)
+            .execute()
+        )
+        logger.debug("Removed %s torrent info records", torrents_removed)
 
-    signatures_removed = (ImageStorageSignature
-                          .delete()
-                          .where(ImageStorageSignature.storage << orphaned_storage_ids)
-                          .execute())
-    logger.debug('Removed %s image storage signatures', signatures_removed)
+        signatures_removed = (
+            ImageStorageSignature.delete()
+            .where(ImageStorageSignature.storage << orphaned_storage_ids)
+            .execute()
+        )
+        logger.debug("Removed %s image storage signatures", signatures_removed)
 
-    storages_removed = (ImageStorage
-                        .delete()
-                        .where(ImageStorage.id << orphaned_storage_ids)
-                        .execute())
-    logger.debug('Removed %s image storage records', storages_removed)
+        storages_removed = (
+            ImageStorage.delete()
+            .where(ImageStorage.id << orphaned_storage_ids)
+            .execute()
+        )
+        logger.debug("Removed %s image storage records", storages_removed)
 
-    # Determine the paths to remove. We cannot simply remove all paths matching storages, as CAS
-    # can share the same path. We further filter these paths by checking for any storages still in
-    # the database with the same content checksum.
-    paths_to_remove = placements_to_filtered_paths_set(placements_to_remove)
+        # Determine the paths to remove. We cannot simply remove all paths matching storages, as CAS
+        # can share the same path. We further filter these paths by checking for any storages still in
+        # the database with the same content checksum.
+        paths_to_remove = placements_to_filtered_paths_set(placements_to_remove)
 
-  # We are going to make the conscious decision to not delete image storage blobs inside
-  # transactions.
-  # This may end up producing garbage in s3, trading off for higher availability in the database.
-  for location_name, image_path in paths_to_remove:
-    logger.debug('Removing %s from %s', image_path, location_name)
-    config.store.remove({location_name}, image_path)
+    # We are going to make the conscious decision to not delete image storage blobs inside
+    # transactions.
+    # This may end up producing garbage in s3, trading off for higher availability in the database.
+    for location_name, image_path in paths_to_remove:
+        logger.debug("Removing %s from %s", image_path, location_name)
+        config.store.remove({location_name}, image_path)
 
-  return orphaned_storage_ids
+    return orphaned_storage_ids
 
 
 def create_v1_storage(location_name):
-  storage = ImageStorage.create(cas_path=False, uploading=True)
-  location = get_image_location_for_name(location_name)
-  ImageStoragePlacement.create(location=location.id, storage=storage)
-  storage.locations = {location_name}
-  return storage
+    storage = ImageStorage.create(cas_path=False, uploading=True)
+    location = get_image_location_for_name(location_name)
+    ImageStoragePlacement.create(location=location.id, storage=storage)
+    storage.locations = {location_name}
+    return storage
 
 
 def find_or_create_storage_signature(storage, signature_kind_name):
-  found = lookup_storage_signature(storage, signature_kind_name)
-  if found is None:
-    kind = ImageStorageSignatureKind.get(name=signature_kind_name)
-    found = ImageStorageSignature.create(storage=storage, kind=kind)
+    found = lookup_storage_signature(storage, signature_kind_name)
+    if found is None:
+        kind = ImageStorageSignatureKind.get(name=signature_kind_name)
+        found = ImageStorageSignature.create(storage=storage, kind=kind)
 
-  return found
+    return found
 
 
 def lookup_storage_signature(storage, signature_kind_name):
-  kind = ImageStorageSignatureKind.get(name=signature_kind_name)
-  try:
-    return (ImageStorageSignature
-            .select()
-            .where(ImageStorageSignature.storage == storage, ImageStorageSignature.kind == kind)
-            .get())
-  except ImageStorageSignature.DoesNotExist:
-    return None
+    kind = ImageStorageSignatureKind.get(name=signature_kind_name)
+    try:
+        return (
+            ImageStorageSignature.select()
+            .where(
+                ImageStorageSignature.storage == storage,
+                ImageStorageSignature.kind == kind,
+            )
+            .get()
+        )
+    except ImageStorageSignature.DoesNotExist:
+        return None
 
 
 def _get_storage(query_modifier):
-  query = (ImageStoragePlacement
-           .select(ImageStoragePlacement, ImageStorage)
-           .switch(ImageStoragePlacement)
-           .join(ImageStorage))
+    query = (
+        ImageStoragePlacement.select(ImageStoragePlacement, ImageStorage)
+        .switch(ImageStoragePlacement)
+        .join(ImageStorage)
+    )
 
-  placements = list(query_modifier(query))
+    placements = list(query_modifier(query))
 
-  if not placements:
-    raise InvalidImageException()
+    if not placements:
+        raise InvalidImageException()
 
-  found = placements[0].storage
-  found.locations = {get_image_location_for_id(placement.location_id).name
-                     for placement in placements}
-  return found
+    found = placements[0].storage
+    found.locations = {
+        get_image_location_for_id(placement.location_id).name
+        for placement in placements
+    }
+    return found
 
 
 def get_storage_by_uuid(storage_uuid):
-  def filter_to_uuid(query):
-    return query.where(ImageStorage.uuid == storage_uuid)
+    def filter_to_uuid(query):
+        return query.where(ImageStorage.uuid == storage_uuid)
 
-  try:
-    return _get_storage(filter_to_uuid)
-  except InvalidImageException:
-    raise InvalidImageException('No storage found with uuid: %s', storage_uuid)
+    try:
+        return _get_storage(filter_to_uuid)
+    except InvalidImageException:
+        raise InvalidImageException("No storage found with uuid: %s", storage_uuid)
 
 
 def get_layer_path(storage_record):
-  """ Returns the path in the storage engine to the layer data referenced by the storage row. """
-  assert storage_record.cas_path is not None
-  return get_layer_path_for_storage(storage_record.uuid, storage_record.cas_path,
-                                    storage_record.content_checksum)
+    """ Returns the path in the storage engine to the layer data referenced by the storage row. """
+    assert storage_record.cas_path is not None
+    return get_layer_path_for_storage(
+        storage_record.uuid, storage_record.cas_path, storage_record.content_checksum
+    )
 
 
 def get_layer_path_for_storage(storage_uuid, cas_path, content_checksum):
-  """ Returns the path in the storage engine to the layer data referenced by the storage
+    """ Returns the path in the storage engine to the layer data referenced by the storage
       information. """
-  store = config.store
-  if not cas_path:
-    logger.debug('Serving layer from legacy v1 path for storage %s', storage_uuid)
-    return store.v1_image_layer_path(storage_uuid)
+    store = config.store
+    if not cas_path:
+        logger.debug("Serving layer from legacy v1 path for storage %s", storage_uuid)
+        return store.v1_image_layer_path(storage_uuid)
 
-  return store.blob_path(content_checksum)
+    return store.blob_path(content_checksum)
 
 
 def lookup_repo_storages_by_content_checksum(repo, checksums, by_manifest=False):
-  """ Looks up repository storages (without placements) matching the given repository
+    """ Looks up repository storages (without placements) matching the given repository
       and checksum. """
-  if not checksums:
-    return []
+    if not checksums:
+        return []
 
-  # There may be many duplicates of the checksums, so for performance reasons we are going
-  # to use a union to select just one storage with each checksum
-  queries = []
+    # There may be many duplicates of the checksums, so for performance reasons we are going
+    # to use a union to select just one storage with each checksum
+    queries = []
 
-  for counter, checksum in enumerate(set(checksums)):
-    query_alias = 'q{0}'.format(counter)
+    for counter, checksum in enumerate(set(checksums)):
+        query_alias = "q{0}".format(counter)
 
-    # TODO: Remove once we have a new-style model for tracking temp uploaded blobs and
-    # all legacy tables have been removed.
-    if by_manifest:
-      candidate_subq = (ImageStorage
-                        .select(ImageStorage.id, ImageStorage.content_checksum,
-                                ImageStorage.image_size, ImageStorage.uuid, ImageStorage.cas_path,
-                                ImageStorage.uncompressed_size, ImageStorage.uploading)
-                        .join(ManifestBlob)
-                        .where(ManifestBlob.repository == repo,
-                               ImageStorage.content_checksum == checksum)
-                        .limit(1)
-                        .alias(query_alias))
-    else:
-      candidate_subq = (ImageStorage
-                        .select(ImageStorage.id, ImageStorage.content_checksum,
-                                ImageStorage.image_size, ImageStorage.uuid, ImageStorage.cas_path,
-                                ImageStorage.uncompressed_size, ImageStorage.uploading)
-                        .join(Image)
-                        .where(Image.repository == repo, ImageStorage.content_checksum == checksum)
-                        .limit(1)
-                        .alias(query_alias))
+        # TODO: Remove once we have a new-style model for tracking temp uploaded blobs and
+        # all legacy tables have been removed.
+        if by_manifest:
+            candidate_subq = (
+                ImageStorage.select(
+                    ImageStorage.id,
+                    ImageStorage.content_checksum,
+                    ImageStorage.image_size,
+                    ImageStorage.uuid,
+                    ImageStorage.cas_path,
+                    ImageStorage.uncompressed_size,
+                    ImageStorage.uploading,
+                )
+                .join(ManifestBlob)
+                .where(
+                    ManifestBlob.repository == repo,
+                    ImageStorage.content_checksum == checksum,
+                )
+                .limit(1)
+                .alias(query_alias)
+            )
+        else:
+            candidate_subq = (
+                ImageStorage.select(
+                    ImageStorage.id,
+                    ImageStorage.content_checksum,
+                    ImageStorage.image_size,
+                    ImageStorage.uuid,
+                    ImageStorage.cas_path,
+                    ImageStorage.uncompressed_size,
+                    ImageStorage.uploading,
+                )
+                .join(Image)
+                .where(
+                    Image.repository == repo, ImageStorage.content_checksum == checksum
+                )
+                .limit(1)
+                .alias(query_alias)
+            )
 
-    queries.append(ImageStorage
-                   .select(SQL('*'))
-                   .from_(candidate_subq))
+        queries.append(ImageStorage.select(SQL("*")).from_(candidate_subq))
 
-  return _basequery.reduce_as_tree(queries)
+    return _basequery.reduce_as_tree(queries)
 
 
-def set_image_storage_metadata(docker_image_id, namespace_name, repository_name, image_size,
-                               uncompressed_size):
-  """ Sets metadata that is specific to the binary storage of the data, irrespective of how it
+def set_image_storage_metadata(
+    docker_image_id, namespace_name, repository_name, image_size, uncompressed_size
+):
+    """ Sets metadata that is specific to the binary storage of the data, irrespective of how it
       is used in the layer tree.
   """
-  if image_size is None:
-    raise DataModelException('Empty image size field')
+    if image_size is None:
+        raise DataModelException("Empty image size field")
 
-  try:
-    image = (Image
-             .select(Image, ImageStorage)
-             .join(Repository)
-             .join(Namespace, on=(Repository.namespace_user == Namespace.id))
-             .switch(Image)
-             .join(ImageStorage)
-             .where(Repository.name == repository_name, Namespace.username == namespace_name,
-                    Image.docker_image_id == docker_image_id)
-             .get())
-  except ImageStorage.DoesNotExist:
-    raise InvalidImageException('No image with specified id and repository')
+    try:
+        image = (
+            Image.select(Image, ImageStorage)
+            .join(Repository)
+            .join(Namespace, on=(Repository.namespace_user == Namespace.id))
+            .switch(Image)
+            .join(ImageStorage)
+            .where(
+                Repository.name == repository_name,
+                Namespace.username == namespace_name,
+                Image.docker_image_id == docker_image_id,
+            )
+            .get()
+        )
+    except ImageStorage.DoesNotExist:
+        raise InvalidImageException("No image with specified id and repository")
 
-  # We MUST do this here, it can't be done in the corresponding image call because the storage
-  # has not yet been pushed
-  image.aggregate_size = _basequery.calculate_image_aggregate_size(image.ancestors, image_size,
-                                                                   image.parent)
-  image.save()
+    # We MUST do this here, it can't be done in the corresponding image call because the storage
+    # has not yet been pushed
+    image.aggregate_size = _basequery.calculate_image_aggregate_size(
+        image.ancestors, image_size, image.parent
+    )
+    image.save()
 
-  image.storage.image_size = image_size
-  image.storage.uncompressed_size = uncompressed_size
-  image.storage.save()
-  return image.storage
+    image.storage.image_size = image_size
+    image.storage.uncompressed_size = uncompressed_size
+    image.storage.save()
+    return image.storage
 
 
 def get_storage_locations(uuid):
-  query = (ImageStoragePlacement
-           .select()
-           .join(ImageStorage)
-           .where(ImageStorage.uuid == uuid))
+    query = (
+        ImageStoragePlacement.select()
+        .join(ImageStorage)
+        .where(ImageStorage.uuid == uuid)
+    )
 
-  return [get_image_location_for_id(placement.location_id).name for placement in query]
+    return [
+        get_image_location_for_id(placement.location_id).name for placement in query
+    ]
 
 
 def save_torrent_info(storage_object, piece_length, pieces):
-  try:
-    return TorrentInfo.get(storage=storage_object, piece_length=piece_length)
-  except TorrentInfo.DoesNotExist:
     try:
-      return TorrentInfo.create(storage=storage_object, piece_length=piece_length, pieces=pieces)
-    except IntegrityError:
-      # TorrentInfo already exists for this storage.
-      return TorrentInfo.get(storage=storage_object, piece_length=piece_length)
+        return TorrentInfo.get(storage=storage_object, piece_length=piece_length)
+    except TorrentInfo.DoesNotExist:
+        try:
+            return TorrentInfo.create(
+                storage=storage_object, piece_length=piece_length, pieces=pieces
+            )
+        except IntegrityError:
+            # TorrentInfo already exists for this storage.
+            return TorrentInfo.get(storage=storage_object, piece_length=piece_length)
 
 
 def get_torrent_info(blob):
-  try:
-    return (TorrentInfo
-            .select()
-            .where(TorrentInfo.storage == blob)
-            .get())
-  except TorrentInfo.DoesNotExist:
-    raise TorrentInfoDoesNotExist
+    try:
+        return TorrentInfo.select().where(TorrentInfo.storage == blob).get()
+    except TorrentInfo.DoesNotExist:
+        raise TorrentInfoDoesNotExist
diff --git a/data/model/tag.py b/data/model/tag.py
index 437a9765b..a9e043dd7 100644
--- a/data/model/tag.py
+++ b/data/model/tag.py
@@ -5,14 +5,39 @@ from datetime import datetime
 from uuid import uuid4
 
 from peewee import IntegrityError, JOIN, fn
-from data.model import (image, storage, db_transaction, DataModelException, _basequery,
-                        InvalidManifestException, TagAlreadyCreatedException, StaleTagException,
-                        config)
-from data.database import (RepositoryTag, Repository, Image, ImageStorage, Namespace, TagManifest,
-                           RepositoryNotification, Label, TagManifestLabel, get_epoch_timestamp,
-                           db_for_update, Manifest, ManifestLabel, ManifestBlob,
-                           ManifestLegacyImage, TagManifestToManifest,
-                           TagManifestLabelMap, TagToRepositoryTag, Tag, get_epoch_timestamp_ms)
+from data.model import (
+    image,
+    storage,
+    db_transaction,
+    DataModelException,
+    _basequery,
+    InvalidManifestException,
+    TagAlreadyCreatedException,
+    StaleTagException,
+    config,
+)
+from data.database import (
+    RepositoryTag,
+    Repository,
+    Image,
+    ImageStorage,
+    Namespace,
+    TagManifest,
+    RepositoryNotification,
+    Label,
+    TagManifestLabel,
+    get_epoch_timestamp,
+    db_for_update,
+    Manifest,
+    ManifestLabel,
+    ManifestBlob,
+    ManifestLegacyImage,
+    TagManifestToManifest,
+    TagManifestLabelMap,
+    TagToRepositoryTag,
+    Tag,
+    get_epoch_timestamp_ms,
+)
 from util.timedeltastring import convert_to_timedelta
 
 
@@ -20,797 +45,971 @@ logger = logging.getLogger(__name__)
 
 
 def get_max_id_for_sec_scan():
-  """ Gets the maximum id for security scanning """
-  return RepositoryTag.select(fn.Max(RepositoryTag.id)).scalar()
+    """ Gets the maximum id for security scanning """
+    return RepositoryTag.select(fn.Max(RepositoryTag.id)).scalar()
 
 
 def get_min_id_for_sec_scan(version):
-  """ Gets the minimum id for a security scanning """
-  return _tag_alive(RepositoryTag
-                    .select(fn.Min(RepositoryTag.id))
-                    .join(Image)
-                    .where(Image.security_indexed_engine < version)).scalar()
+    """ Gets the minimum id for a security scanning """
+    return _tag_alive(
+        RepositoryTag.select(fn.Min(RepositoryTag.id))
+        .join(Image)
+        .where(Image.security_indexed_engine < version)
+    ).scalar()
 
 
 def get_tag_pk_field():
-  """ Returns the primary key for Image DB model """
-  return RepositoryTag.id
+    """ Returns the primary key for Image DB model """
+    return RepositoryTag.id
 
 
 def get_tags_images_eligible_for_scan(clair_version):
-  Parent = Image.alias()
-  ParentImageStorage = ImageStorage.alias()
+    Parent = Image.alias()
+    ParentImageStorage = ImageStorage.alias()
 
-  return _tag_alive(RepositoryTag
-                    .select(Image, ImageStorage, Parent, ParentImageStorage, RepositoryTag)
-                    .join(Image, on=(RepositoryTag.image == Image.id))
-                    .join(ImageStorage, on=(Image.storage == ImageStorage.id))
-                    .switch(Image)
-                    .join(Parent, JOIN.LEFT_OUTER, on=(Image.parent == Parent.id))
-                    .join(ParentImageStorage, JOIN.LEFT_OUTER, on=(ParentImageStorage.id == Parent.storage))
-                    .where(RepositoryTag.hidden == False)
-                    .where(Image.security_indexed_engine < clair_version))
+    return _tag_alive(
+        RepositoryTag.select(
+            Image, ImageStorage, Parent, ParentImageStorage, RepositoryTag
+        )
+        .join(Image, on=(RepositoryTag.image == Image.id))
+        .join(ImageStorage, on=(Image.storage == ImageStorage.id))
+        .switch(Image)
+        .join(Parent, JOIN.LEFT_OUTER, on=(Image.parent == Parent.id))
+        .join(
+            ParentImageStorage,
+            JOIN.LEFT_OUTER,
+            on=(ParentImageStorage.id == Parent.storage),
+        )
+        .where(RepositoryTag.hidden == False)
+        .where(Image.security_indexed_engine < clair_version)
+    )
 
 
 def _tag_alive(query, now_ts=None):
-  if now_ts is None:
-    now_ts = get_epoch_timestamp()
-  return query.where((RepositoryTag.lifetime_end_ts >> None) |
-                     (RepositoryTag.lifetime_end_ts > now_ts))
+    if now_ts is None:
+        now_ts = get_epoch_timestamp()
+    return query.where(
+        (RepositoryTag.lifetime_end_ts >> None)
+        | (RepositoryTag.lifetime_end_ts > now_ts)
+    )
 
 
 def filter_has_repository_event(query, event):
-  """ Filters the query by ensuring the repositories returned have the given event. """
-  return (query
-          .join(Repository)
-          .join(RepositoryNotification)
-          .where(RepositoryNotification.event == event))
+    """ Filters the query by ensuring the repositories returned have the given event. """
+    return (
+        query.join(Repository)
+        .join(RepositoryNotification)
+        .where(RepositoryNotification.event == event)
+    )
 
 
 def filter_tags_have_repository_event(query, event):
-  """ Filters the query by ensuring the repository tags live in a repository that has the given
+    """ Filters the query by ensuring the repository tags live in a repository that has the given
       event. Also returns the image storage for the tag's image and orders the results by
       lifetime_start_ts.
   """
-  query = filter_has_repository_event(query, event)
-  query = query.switch(RepositoryTag).join(Image).join(ImageStorage)
-  query = query.switch(RepositoryTag).order_by(RepositoryTag.lifetime_start_ts.desc())
-  return query
+    query = filter_has_repository_event(query, event)
+    query = query.switch(RepositoryTag).join(Image).join(ImageStorage)
+    query = query.switch(RepositoryTag).order_by(RepositoryTag.lifetime_start_ts.desc())
+    return query
 
 
 _MAX_SUB_QUERIES = 100
 _MAX_IMAGE_LOOKUP_COUNT = 500
 
-def get_matching_tags_for_images(image_pairs, filter_images=None, filter_tags=None,
-                                 selections=None):
-  """ Returns all tags that contain the images with the given docker_image_id and storage_uuid,
+
+def get_matching_tags_for_images(
+    image_pairs, filter_images=None, filter_tags=None, selections=None
+):
+    """ Returns all tags that contain the images with the given docker_image_id and storage_uuid,
       as specified as an iterable of pairs. """
-  if not image_pairs:
-    return []
+    if not image_pairs:
+        return []
 
-  image_pairs_set = set(image_pairs)
+    image_pairs_set = set(image_pairs)
 
-  # Find all possible matching image+storages.
-  images = []
+    # Find all possible matching image+storages.
+    images = []
 
-  while image_pairs:
-    image_pairs_slice = image_pairs[:_MAX_IMAGE_LOOKUP_COUNT]
+    while image_pairs:
+        image_pairs_slice = image_pairs[:_MAX_IMAGE_LOOKUP_COUNT]
 
-    ids = [pair[0] for pair in image_pairs_slice]
-    uuids = [pair[1] for pair in image_pairs_slice]
+        ids = [pair[0] for pair in image_pairs_slice]
+        uuids = [pair[1] for pair in image_pairs_slice]
 
-    images_query = (Image
-                    .select(Image.id, Image.docker_image_id, Image.ancestors, ImageStorage.uuid)
-                    .join(ImageStorage)
-                    .where(Image.docker_image_id << ids, ImageStorage.uuid << uuids)
-                    .switch(Image))
+        images_query = (
+            Image.select(
+                Image.id, Image.docker_image_id, Image.ancestors, ImageStorage.uuid
+            )
+            .join(ImageStorage)
+            .where(Image.docker_image_id << ids, ImageStorage.uuid << uuids)
+            .switch(Image)
+        )
 
-    if filter_images is not None:
-      images_query = filter_images(images_query)
+        if filter_images is not None:
+            images_query = filter_images(images_query)
 
-    images.extend(list(images_query))
-    image_pairs = image_pairs[_MAX_IMAGE_LOOKUP_COUNT:]
+        images.extend(list(images_query))
+        image_pairs = image_pairs[_MAX_IMAGE_LOOKUP_COUNT:]
 
-  # Filter down to those images actually in the pairs set and build the set of queries to run.
-  individual_image_queries = []
+    # Filter down to those images actually in the pairs set and build the set of queries to run.
+    individual_image_queries = []
 
-  for img in images:
-    # Make sure the image found is in the set of those requested, and that we haven't already
-    # processed it. We need this check because the query above checks for images with matching
-    # IDs OR storage UUIDs, rather than the expected ID+UUID pair. We do this for efficiency
-    # reasons, and it is highly unlikely we'll find an image with a mismatch, but we need this
-    # check to be absolutely sure.
-    pair = (img.docker_image_id, img.storage.uuid)
-    if pair not in image_pairs_set:
-      continue
+    for img in images:
+        # Make sure the image found is in the set of those requested, and that we haven't already
+        # processed it. We need this check because the query above checks for images with matching
+        # IDs OR storage UUIDs, rather than the expected ID+UUID pair. We do this for efficiency
+        # reasons, and it is highly unlikely we'll find an image with a mismatch, but we need this
+        # check to be absolutely sure.
+        pair = (img.docker_image_id, img.storage.uuid)
+        if pair not in image_pairs_set:
+            continue
 
-    # Remove the pair so we don't try it again.
-    image_pairs_set.remove(pair)
+        # Remove the pair so we don't try it again.
+        image_pairs_set.remove(pair)
 
-    ancestors_str = '%s%s/%%' % (img.ancestors, img.id)
-    query = (Image
-             .select(Image.id)
-             .where((Image.id == img.id) | (Image.ancestors ** ancestors_str)))
+        ancestors_str = "%s%s/%%" % (img.ancestors, img.id)
+        query = Image.select(Image.id).where(
+            (Image.id == img.id) | (Image.ancestors ** ancestors_str)
+        )
 
-    individual_image_queries.append(query)
+        individual_image_queries.append(query)
 
-  if not individual_image_queries:
-    return []
+    if not individual_image_queries:
+        return []
 
-  # Shard based on the max subquery count. This is used to prevent going over the DB's max query
-  # size, as well as to prevent the DB from locking up on a massive query.
-  sharded_queries = []
-  while individual_image_queries:
-    shard = individual_image_queries[:_MAX_SUB_QUERIES]
-    sharded_queries.append(_basequery.reduce_as_tree(shard))
-    individual_image_queries = individual_image_queries[_MAX_SUB_QUERIES:]
+    # Shard based on the max subquery count. This is used to prevent going over the DB's max query
+    # size, as well as to prevent the DB from locking up on a massive query.
+    sharded_queries = []
+    while individual_image_queries:
+        shard = individual_image_queries[:_MAX_SUB_QUERIES]
+        sharded_queries.append(_basequery.reduce_as_tree(shard))
+        individual_image_queries = individual_image_queries[_MAX_SUB_QUERIES:]
 
-  # Collect IDs of the tags found for each query.
-  tags = {}
-  for query in sharded_queries:
-    ImageAlias = Image.alias()
-    tag_query = (_tag_alive(RepositoryTag
-                            .select(*(selections or []))
-                            .distinct()
-                            .join(ImageAlias)
-                            .where(RepositoryTag.hidden == False)
-                            .where(ImageAlias.id << query)
-                            .switch(RepositoryTag)))
+    # Collect IDs of the tags found for each query.
+    tags = {}
+    for query in sharded_queries:
+        ImageAlias = Image.alias()
+        tag_query = _tag_alive(
+            RepositoryTag.select(*(selections or []))
+            .distinct()
+            .join(ImageAlias)
+            .where(RepositoryTag.hidden == False)
+            .where(ImageAlias.id << query)
+            .switch(RepositoryTag)
+        )
 
-    if filter_tags is not None:
-      tag_query = filter_tags(tag_query)
+        if filter_tags is not None:
+            tag_query = filter_tags(tag_query)
 
-    for tag in tag_query:
-      tags[tag.id] = tag
+        for tag in tag_query:
+            tags[tag.id] = tag
 
-  return tags.values()
+    return tags.values()
 
 
 def get_matching_tags(docker_image_id, storage_uuid, *args):
-  """ Returns a query pointing to all tags that contain the image with the
+    """ Returns a query pointing to all tags that contain the image with the
       given docker_image_id and storage_uuid. """
-  image_row = image.get_image_with_storage(docker_image_id, storage_uuid)
-  if image_row is None:
-    return RepositoryTag.select().where(RepositoryTag.id < 0) # Empty query.
+    image_row = image.get_image_with_storage(docker_image_id, storage_uuid)
+    if image_row is None:
+        return RepositoryTag.select().where(RepositoryTag.id < 0)  # Empty query.
 
-  ancestors_str = '%s%s/%%' % (image_row.ancestors, image_row.id)
-  return _tag_alive(RepositoryTag
-                    .select(*args)
-                    .distinct()
-                    .join(Image)
-                    .join(ImageStorage)
-                    .where(RepositoryTag.hidden == False)
-                    .where((Image.id == image_row.id) |
-                           (Image.ancestors ** ancestors_str)))
+    ancestors_str = "%s%s/%%" % (image_row.ancestors, image_row.id)
+    return _tag_alive(
+        RepositoryTag.select(*args)
+        .distinct()
+        .join(Image)
+        .join(ImageStorage)
+        .where(RepositoryTag.hidden == False)
+        .where((Image.id == image_row.id) | (Image.ancestors ** ancestors_str))
+    )
 
 
 def get_tags_for_image(image_id, *args):
-  return _tag_alive(RepositoryTag
-                    .select(*args)
-                    .distinct()
-                    .where(RepositoryTag.image == image_id,
-                           RepositoryTag.hidden == False))
+    return _tag_alive(
+        RepositoryTag.select(*args)
+        .distinct()
+        .where(RepositoryTag.image == image_id, RepositoryTag.hidden == False)
+    )
 
 
 def get_tag_manifest_digests(tags):
-  """ Returns a map from tag ID to its associated manifest digest, if any. """
-  if not tags:
-    return dict()
+    """ Returns a map from tag ID to its associated manifest digest, if any. """
+    if not tags:
+        return dict()
 
-  manifests = (TagManifest
-               .select(TagManifest.tag, TagManifest.digest)
-               .where(TagManifest.tag << [t.id for t in tags]))
+    manifests = TagManifest.select(TagManifest.tag, TagManifest.digest).where(
+        TagManifest.tag << [t.id for t in tags]
+    )
 
-  return {manifest.tag_id: manifest.digest for manifest in manifests}
+    return {manifest.tag_id: manifest.digest for manifest in manifests}
 
 
 def list_active_repo_tags(repo, start_id=None, limit=None, include_images=True):
-  """ Returns all of the active, non-hidden tags in a repository, joined to they images
+    """ Returns all of the active, non-hidden tags in a repository, joined to they images
       and (if present), their manifest.
   """
-  if include_images:
-    query = _tag_alive(RepositoryTag
-                       .select(RepositoryTag, Image, ImageStorage, TagManifest.digest)
-                       .join(Image)
-                       .join(ImageStorage)
-                       .where(RepositoryTag.repository == repo, RepositoryTag.hidden == False)
-                       .switch(RepositoryTag)
-                       .join(TagManifest, JOIN.LEFT_OUTER)
-                       .order_by(RepositoryTag.id))
-  else:
-    query = _tag_alive(RepositoryTag
-                       .select(RepositoryTag)
-                       .where(RepositoryTag.repository == repo, RepositoryTag.hidden == False)
-                       .order_by(RepositoryTag.id))
+    if include_images:
+        query = _tag_alive(
+            RepositoryTag.select(RepositoryTag, Image, ImageStorage, TagManifest.digest)
+            .join(Image)
+            .join(ImageStorage)
+            .where(RepositoryTag.repository == repo, RepositoryTag.hidden == False)
+            .switch(RepositoryTag)
+            .join(TagManifest, JOIN.LEFT_OUTER)
+            .order_by(RepositoryTag.id)
+        )
+    else:
+        query = _tag_alive(
+            RepositoryTag.select(RepositoryTag)
+            .where(RepositoryTag.repository == repo, RepositoryTag.hidden == False)
+            .order_by(RepositoryTag.id)
+        )
 
-  if start_id is not None:
-    query = query.where(RepositoryTag.id >= start_id)
+    if start_id is not None:
+        query = query.where(RepositoryTag.id >= start_id)
 
-  if limit is not None:
-    query = query.limit(limit)
+    if limit is not None:
+        query = query.limit(limit)
 
-  return query
+    return query
 
 
-def list_repository_tags(namespace_name, repository_name, include_hidden=False,
-                         include_storage=False):
-  to_select = (RepositoryTag, Image)
-  if include_storage:
-    to_select = (RepositoryTag, Image, ImageStorage)
+def list_repository_tags(
+    namespace_name, repository_name, include_hidden=False, include_storage=False
+):
+    to_select = (RepositoryTag, Image)
+    if include_storage:
+        to_select = (RepositoryTag, Image, ImageStorage)
 
-  query = _tag_alive(RepositoryTag
-                     .select(*to_select)
-                     .join(Repository)
-                     .join(Namespace, on=(Repository.namespace_user == Namespace.id))
-                     .switch(RepositoryTag)
-                     .join(Image)
-                     .where(Repository.name == repository_name,
-                            Namespace.username == namespace_name))
+    query = _tag_alive(
+        RepositoryTag.select(*to_select)
+        .join(Repository)
+        .join(Namespace, on=(Repository.namespace_user == Namespace.id))
+        .switch(RepositoryTag)
+        .join(Image)
+        .where(Repository.name == repository_name, Namespace.username == namespace_name)
+    )
 
-  if not include_hidden:
-    query = query.where(RepositoryTag.hidden == False)
+    if not include_hidden:
+        query = query.where(RepositoryTag.hidden == False)
 
-  if include_storage:
-    query = query.switch(Image).join(ImageStorage)
+    if include_storage:
+        query = query.switch(Image).join(ImageStorage)
 
-  return query
+    return query
 
 
-def create_or_update_tag(namespace_name, repository_name, tag_name, tag_docker_image_id,
-                         reversion=False, now_ms=None):
-  try:
-    repo = _basequery.get_existing_repository(namespace_name, repository_name)
-  except Repository.DoesNotExist:
-    raise DataModelException('Invalid repository %s/%s' % (namespace_name, repository_name))
-
-  return create_or_update_tag_for_repo(repo.id, tag_name, tag_docker_image_id, reversion=reversion,
-                                       now_ms=now_ms)
-
-def create_or_update_tag_for_repo(repository_id, tag_name, tag_docker_image_id, reversion=False,
-                                  oci_manifest=None, now_ms=None):
-  now_ms = now_ms or get_epoch_timestamp_ms()
-  now_ts = int(now_ms / 1000)
-
-  with db_transaction():
+def create_or_update_tag(
+    namespace_name,
+    repository_name,
+    tag_name,
+    tag_docker_image_id,
+    reversion=False,
+    now_ms=None,
+):
     try:
-      tag = db_for_update(_tag_alive(RepositoryTag
-                                     .select()
-                                     .where(RepositoryTag.repository == repository_id,
-                                            RepositoryTag.name == tag_name), now_ts)).get()
-      tag.lifetime_end_ts = now_ts
-      tag.save()
+        repo = _basequery.get_existing_repository(namespace_name, repository_name)
+    except Repository.DoesNotExist:
+        raise DataModelException(
+            "Invalid repository %s/%s" % (namespace_name, repository_name)
+        )
 
-      # Check for an OCI tag.
-      try:
-        oci_tag = db_for_update(Tag
-                                .select()
-                                .join(TagToRepositoryTag)
-                                .where(TagToRepositoryTag.repository_tag == tag)).get()
-        oci_tag.lifetime_end_ms = now_ms
-        oci_tag.save()
-      except Tag.DoesNotExist:
-        pass
-    except RepositoryTag.DoesNotExist:
-      pass
-    except IntegrityError:
-      msg = 'Tag with name %s was stale when we tried to update it; Please retry the push'
-      raise StaleTagException(msg % tag_name)
+    return create_or_update_tag_for_repo(
+        repo.id, tag_name, tag_docker_image_id, reversion=reversion, now_ms=now_ms
+    )
 
-    try:
-      image_obj = Image.get(Image.docker_image_id == tag_docker_image_id,
-                            Image.repository == repository_id)
-    except Image.DoesNotExist:
-      raise DataModelException('Invalid image with id: %s' % tag_docker_image_id)
 
-    try:
-      created = RepositoryTag.create(repository=repository_id, image=image_obj, name=tag_name,
-                                     lifetime_start_ts=now_ts, reversion=reversion)
-      if oci_manifest:
-        # Create the OCI tag as well.
-        oci_tag = Tag.create(repository=repository_id, manifest=oci_manifest, name=tag_name,
-                             lifetime_start_ms=now_ms, reversion=reversion,
-                             tag_kind=Tag.tag_kind.get_id('tag'))
-        TagToRepositoryTag.create(tag=oci_tag, repository_tag=created, repository=repository_id)
+def create_or_update_tag_for_repo(
+    repository_id,
+    tag_name,
+    tag_docker_image_id,
+    reversion=False,
+    oci_manifest=None,
+    now_ms=None,
+):
+    now_ms = now_ms or get_epoch_timestamp_ms()
+    now_ts = int(now_ms / 1000)
 
-      return created
-    except IntegrityError:
-      msg = 'Tag with name %s and lifetime start %s already exists'
-      raise TagAlreadyCreatedException(msg % (tag_name, now_ts))
+    with db_transaction():
+        try:
+            tag = db_for_update(
+                _tag_alive(
+                    RepositoryTag.select().where(
+                        RepositoryTag.repository == repository_id,
+                        RepositoryTag.name == tag_name,
+                    ),
+                    now_ts,
+                )
+            ).get()
+            tag.lifetime_end_ts = now_ts
+            tag.save()
+
+            # Check for an OCI tag.
+            try:
+                oci_tag = db_for_update(
+                    Tag.select()
+                    .join(TagToRepositoryTag)
+                    .where(TagToRepositoryTag.repository_tag == tag)
+                ).get()
+                oci_tag.lifetime_end_ms = now_ms
+                oci_tag.save()
+            except Tag.DoesNotExist:
+                pass
+        except RepositoryTag.DoesNotExist:
+            pass
+        except IntegrityError:
+            msg = "Tag with name %s was stale when we tried to update it; Please retry the push"
+            raise StaleTagException(msg % tag_name)
+
+        try:
+            image_obj = Image.get(
+                Image.docker_image_id == tag_docker_image_id,
+                Image.repository == repository_id,
+            )
+        except Image.DoesNotExist:
+            raise DataModelException("Invalid image with id: %s" % tag_docker_image_id)
+
+        try:
+            created = RepositoryTag.create(
+                repository=repository_id,
+                image=image_obj,
+                name=tag_name,
+                lifetime_start_ts=now_ts,
+                reversion=reversion,
+            )
+            if oci_manifest:
+                # Create the OCI tag as well.
+                oci_tag = Tag.create(
+                    repository=repository_id,
+                    manifest=oci_manifest,
+                    name=tag_name,
+                    lifetime_start_ms=now_ms,
+                    reversion=reversion,
+                    tag_kind=Tag.tag_kind.get_id("tag"),
+                )
+                TagToRepositoryTag.create(
+                    tag=oci_tag, repository_tag=created, repository=repository_id
+                )
+
+            return created
+        except IntegrityError:
+            msg = "Tag with name %s and lifetime start %s already exists"
+            raise TagAlreadyCreatedException(msg % (tag_name, now_ts))
 
 
 def create_temporary_hidden_tag(repo, image_obj, expiration_s):
-  """ Create a tag with a defined timeline, that will not appear in the UI or CLI. Returns the name
+    """ Create a tag with a defined timeline, that will not appear in the UI or CLI. Returns the name
       of the temporary tag. """
-  now_ts = get_epoch_timestamp()
-  expire_ts = now_ts + expiration_s
-  tag_name = str(uuid4())
-  RepositoryTag.create(repository=repo, image=image_obj, name=tag_name, lifetime_start_ts=now_ts,
-                       lifetime_end_ts=expire_ts, hidden=True)
-  return tag_name
+    now_ts = get_epoch_timestamp()
+    expire_ts = now_ts + expiration_s
+    tag_name = str(uuid4())
+    RepositoryTag.create(
+        repository=repo,
+        image=image_obj,
+        name=tag_name,
+        lifetime_start_ts=now_ts,
+        lifetime_end_ts=expire_ts,
+        hidden=True,
+    )
+    return tag_name
 
 
 def lookup_unrecoverable_tags(repo):
-  """ Returns the tags  in a repository that are expired and past their time machine recovery
+    """ Returns the tags  in a repository that are expired and past their time machine recovery
       period. """
-  expired_clause = get_epoch_timestamp() - Namespace.removed_tag_expiration_s
-  return (RepositoryTag
-          .select()
-          .join(Repository)
-          .join(Namespace, on=(Repository.namespace_user == Namespace.id))
-          .where(RepositoryTag.repository == repo)
-          .where(~(RepositoryTag.lifetime_end_ts >> None),
-                   RepositoryTag.lifetime_end_ts <= expired_clause))
+    expired_clause = get_epoch_timestamp() - Namespace.removed_tag_expiration_s
+    return (
+        RepositoryTag.select()
+        .join(Repository)
+        .join(Namespace, on=(Repository.namespace_user == Namespace.id))
+        .where(RepositoryTag.repository == repo)
+        .where(
+            ~(RepositoryTag.lifetime_end_ts >> None),
+            RepositoryTag.lifetime_end_ts <= expired_clause,
+        )
+    )
 
 
 def delete_tag(namespace_name, repository_name, tag_name, now_ms=None):
-  now_ms = now_ms or get_epoch_timestamp_ms()
-  now_ts = int(now_ms / 1000)
+    now_ms = now_ms or get_epoch_timestamp_ms()
+    now_ts = int(now_ms / 1000)
 
-  with db_transaction():
-    try:
-      query = _tag_alive(RepositoryTag
-                         .select(RepositoryTag, Repository)
-                         .join(Repository)
-                         .join(Namespace, on=(Repository.namespace_user == Namespace.id))
-                         .where(Repository.name == repository_name,
-                                Namespace.username == namespace_name,
-                                RepositoryTag.name == tag_name), now_ts)
-      found = db_for_update(query).get()
-    except RepositoryTag.DoesNotExist:
-      msg = ('Invalid repository tag \'%s\' on repository \'%s/%s\'' %
-             (tag_name, namespace_name, repository_name))
-      raise DataModelException(msg)
+    with db_transaction():
+        try:
+            query = _tag_alive(
+                RepositoryTag.select(RepositoryTag, Repository)
+                .join(Repository)
+                .join(Namespace, on=(Repository.namespace_user == Namespace.id))
+                .where(
+                    Repository.name == repository_name,
+                    Namespace.username == namespace_name,
+                    RepositoryTag.name == tag_name,
+                ),
+                now_ts,
+            )
+            found = db_for_update(query).get()
+        except RepositoryTag.DoesNotExist:
+            msg = "Invalid repository tag '%s' on repository '%s/%s'" % (
+                tag_name,
+                namespace_name,
+                repository_name,
+            )
+            raise DataModelException(msg)
 
-    found.lifetime_end_ts = now_ts
-    found.save()
+        found.lifetime_end_ts = now_ts
+        found.save()
 
-    try:
-      oci_tag_query = TagToRepositoryTag.select().where(TagToRepositoryTag.repository_tag == found)
-      oci_tag = db_for_update(oci_tag_query).get().tag
-      oci_tag.lifetime_end_ms = now_ms
-      oci_tag.save()
-    except TagToRepositoryTag.DoesNotExist:
-      pass
+        try:
+            oci_tag_query = TagToRepositoryTag.select().where(
+                TagToRepositoryTag.repository_tag == found
+            )
+            oci_tag = db_for_update(oci_tag_query).get().tag
+            oci_tag.lifetime_end_ms = now_ms
+            oci_tag.save()
+        except TagToRepositoryTag.DoesNotExist:
+            pass
 
-    return found
+        return found
 
 
 def _get_repo_tag_image(tag_name, include_storage, modifier):
-  query = Image.select().join(RepositoryTag)
+    query = Image.select().join(RepositoryTag)
 
-  if include_storage:
-    query = (Image
-             .select(Image, ImageStorage)
-             .join(ImageStorage)
-             .switch(Image)
-             .join(RepositoryTag))
+    if include_storage:
+        query = (
+            Image.select(Image, ImageStorage)
+            .join(ImageStorage)
+            .switch(Image)
+            .join(RepositoryTag)
+        )
 
-  images = _tag_alive(modifier(query.where(RepositoryTag.name == tag_name)))
-  if not images:
-    raise DataModelException('Unable to find image for tag.')
-  else:
-    return images[0]
+    images = _tag_alive(modifier(query.where(RepositoryTag.name == tag_name)))
+    if not images:
+        raise DataModelException("Unable to find image for tag.")
+    else:
+        return images[0]
 
 
 def get_repo_tag_image(repo, tag_name, include_storage=False):
-  def modifier(query):
-    return query.where(RepositoryTag.repository == repo)
+    def modifier(query):
+        return query.where(RepositoryTag.repository == repo)
 
-  return _get_repo_tag_image(tag_name, include_storage, modifier)
+    return _get_repo_tag_image(tag_name, include_storage, modifier)
 
 
 def get_tag_image(namespace_name, repository_name, tag_name, include_storage=False):
-  def modifier(query):
-    return (query
-            .switch(RepositoryTag)
+    def modifier(query):
+        return (
+            query.switch(RepositoryTag)
             .join(Repository)
             .join(Namespace)
-            .where(Namespace.username == namespace_name, Repository.name == repository_name))
+            .where(
+                Namespace.username == namespace_name, Repository.name == repository_name
+            )
+        )
 
-  return _get_repo_tag_image(tag_name, include_storage, modifier)
+    return _get_repo_tag_image(tag_name, include_storage, modifier)
 
 
-def list_repository_tag_history(repo_obj, page=1, size=100, specific_tag=None, active_tags_only=False, since_time=None):
-  # Only available on OCI model
-  if since_time is not None:
-    raise NotImplementedError
+def list_repository_tag_history(
+    repo_obj,
+    page=1,
+    size=100,
+    specific_tag=None,
+    active_tags_only=False,
+    since_time=None,
+):
+    # Only available on OCI model
+    if since_time is not None:
+        raise NotImplementedError
 
-  query = (RepositoryTag
-           .select(RepositoryTag, Image, ImageStorage)
-           .join(Image)
-           .join(ImageStorage)
-           .switch(RepositoryTag)
-           .where(RepositoryTag.repository == repo_obj)
-           .where(RepositoryTag.hidden == False)
-           .order_by(RepositoryTag.lifetime_start_ts.desc(), RepositoryTag.name)
-           .limit(size + 1)
-           .offset(size * (page - 1)))
+    query = (
+        RepositoryTag.select(RepositoryTag, Image, ImageStorage)
+        .join(Image)
+        .join(ImageStorage)
+        .switch(RepositoryTag)
+        .where(RepositoryTag.repository == repo_obj)
+        .where(RepositoryTag.hidden == False)
+        .order_by(RepositoryTag.lifetime_start_ts.desc(), RepositoryTag.name)
+        .limit(size + 1)
+        .offset(size * (page - 1))
+    )
 
-  if active_tags_only:
-    query = _tag_alive(query)
+    if active_tags_only:
+        query = _tag_alive(query)
 
-  if specific_tag:
-    query = query.where(RepositoryTag.name == specific_tag)
+    if specific_tag:
+        query = query.where(RepositoryTag.name == specific_tag)
 
-  tags = list(query)
-  if not tags:
-    return [], {}, False
+    tags = list(query)
+    if not tags:
+        return [], {}, False
 
-  manifest_map = get_tag_manifest_digests(tags)
-  return tags[0:size], manifest_map, len(tags) > size
+    manifest_map = get_tag_manifest_digests(tags)
+    return tags[0:size], manifest_map, len(tags) > size
 
 
 def restore_tag_to_manifest(repo_obj, tag_name, manifest_digest):
-  """ Restores a tag to a specific manifest digest. """
-  with db_transaction():
-    # Verify that the manifest digest already existed under this repository under the
-    # tag.
-    try:
-      tag_manifest = (TagManifest
-                      .select(TagManifest, RepositoryTag, Image)
-                      .join(RepositoryTag)
-                      .join(Image)
-                      .where(RepositoryTag.repository == repo_obj)
-                      .where(RepositoryTag.name == tag_name)
-                      .where(TagManifest.digest == manifest_digest)
-                      .get())
-    except TagManifest.DoesNotExist:
-      raise DataModelException('Cannot restore to unknown or invalid digest')
+    """ Restores a tag to a specific manifest digest. """
+    with db_transaction():
+        # Verify that the manifest digest already existed under this repository under the
+        # tag.
+        try:
+            tag_manifest = (
+                TagManifest.select(TagManifest, RepositoryTag, Image)
+                .join(RepositoryTag)
+                .join(Image)
+                .where(RepositoryTag.repository == repo_obj)
+                .where(RepositoryTag.name == tag_name)
+                .where(TagManifest.digest == manifest_digest)
+                .get()
+            )
+        except TagManifest.DoesNotExist:
+            raise DataModelException("Cannot restore to unknown or invalid digest")
 
-    # Lookup the existing image, if any.
-    try:
-      existing_image = get_repo_tag_image(repo_obj, tag_name)
-    except DataModelException:
-      existing_image = None
+        # Lookup the existing image, if any.
+        try:
+            existing_image = get_repo_tag_image(repo_obj, tag_name)
+        except DataModelException:
+            existing_image = None
 
-    docker_image_id = tag_manifest.tag.image.docker_image_id
-    oci_manifest = None
-    try:
-      oci_manifest = Manifest.get(repository=repo_obj, digest=manifest_digest)
-    except Manifest.DoesNotExist:
-      pass
+        docker_image_id = tag_manifest.tag.image.docker_image_id
+        oci_manifest = None
+        try:
+            oci_manifest = Manifest.get(repository=repo_obj, digest=manifest_digest)
+        except Manifest.DoesNotExist:
+            pass
 
-    # Change the tag and tag manifest to point to the updated image.
-    updated_tag = create_or_update_tag_for_repo(repo_obj, tag_name, docker_image_id,
-                                                reversion=True, oci_manifest=oci_manifest)
-    tag_manifest.tag = updated_tag
-    tag_manifest.save()
-    return existing_image
+        # Change the tag and tag manifest to point to the updated image.
+        updated_tag = create_or_update_tag_for_repo(
+            repo_obj,
+            tag_name,
+            docker_image_id,
+            reversion=True,
+            oci_manifest=oci_manifest,
+        )
+        tag_manifest.tag = updated_tag
+        tag_manifest.save()
+        return existing_image
 
 
 def restore_tag_to_image(repo_obj, tag_name, docker_image_id):
-  """ Restores a tag to a specific image ID. """
-  with db_transaction():
-    # Verify that the image ID already existed under this repository under the
-    # tag.
-    try:
-      (RepositoryTag
-       .select()
-       .join(Image)
-       .where(RepositoryTag.repository == repo_obj)
-       .where(RepositoryTag.name == tag_name)
-       .where(Image.docker_image_id == docker_image_id)
-       .get())
-    except RepositoryTag.DoesNotExist:
-      raise DataModelException('Cannot restore to unknown or invalid image')
+    """ Restores a tag to a specific image ID. """
+    with db_transaction():
+        # Verify that the image ID already existed under this repository under the
+        # tag.
+        try:
+            (
+                RepositoryTag.select()
+                .join(Image)
+                .where(RepositoryTag.repository == repo_obj)
+                .where(RepositoryTag.name == tag_name)
+                .where(Image.docker_image_id == docker_image_id)
+                .get()
+            )
+        except RepositoryTag.DoesNotExist:
+            raise DataModelException("Cannot restore to unknown or invalid image")
 
-    # Lookup the existing image, if any.
-    try:
-      existing_image = get_repo_tag_image(repo_obj, tag_name)
-    except DataModelException:
-      existing_image = None
+        # Lookup the existing image, if any.
+        try:
+            existing_image = get_repo_tag_image(repo_obj, tag_name)
+        except DataModelException:
+            existing_image = None
 
-    create_or_update_tag_for_repo(repo_obj, tag_name, docker_image_id, reversion=True)
-    return existing_image
+        create_or_update_tag_for_repo(
+            repo_obj, tag_name, docker_image_id, reversion=True
+        )
+        return existing_image
 
 
-def store_tag_manifest_for_testing(namespace_name, repository_name, tag_name, manifest,
-                                   leaf_layer_id, storage_id_map):
-  """ Stores a tag manifest for a specific tag name in the database. Returns the TagManifest
+def store_tag_manifest_for_testing(
+    namespace_name, repository_name, tag_name, manifest, leaf_layer_id, storage_id_map
+):
+    """ Stores a tag manifest for a specific tag name in the database. Returns the TagManifest
       object, as well as a boolean indicating whether the TagManifest was created.
   """
-  try:
-    repo = _basequery.get_existing_repository(namespace_name, repository_name)
-  except Repository.DoesNotExist:
-    raise DataModelException('Invalid repository %s/%s' % (namespace_name, repository_name))
+    try:
+        repo = _basequery.get_existing_repository(namespace_name, repository_name)
+    except Repository.DoesNotExist:
+        raise DataModelException(
+            "Invalid repository %s/%s" % (namespace_name, repository_name)
+        )
 
-  return store_tag_manifest_for_repo(repo.id, tag_name, manifest, leaf_layer_id, storage_id_map)
+    return store_tag_manifest_for_repo(
+        repo.id, tag_name, manifest, leaf_layer_id, storage_id_map
+    )
 
 
-def store_tag_manifest_for_repo(repository_id, tag_name, manifest, leaf_layer_id, storage_id_map,
-                                reversion=False):
-  """ Stores a tag manifest for a specific tag name in the database. Returns the TagManifest
+def store_tag_manifest_for_repo(
+    repository_id, tag_name, manifest, leaf_layer_id, storage_id_map, reversion=False
+):
+    """ Stores a tag manifest for a specific tag name in the database. Returns the TagManifest
       object, as well as a boolean indicating whether the TagManifest was created.
   """
-  # Create the new-style OCI manifest and its blobs.
-  oci_manifest = _populate_manifest_and_blobs(repository_id, manifest, storage_id_map,
-                                              leaf_layer_id=leaf_layer_id)
+    # Create the new-style OCI manifest and its blobs.
+    oci_manifest = _populate_manifest_and_blobs(
+        repository_id, manifest, storage_id_map, leaf_layer_id=leaf_layer_id
+    )
 
-  # Create the tag for the tag manifest.
-  tag = create_or_update_tag_for_repo(repository_id, tag_name, leaf_layer_id,
-                                      reversion=reversion, oci_manifest=oci_manifest)
+    # Create the tag for the tag manifest.
+    tag = create_or_update_tag_for_repo(
+        repository_id,
+        tag_name,
+        leaf_layer_id,
+        reversion=reversion,
+        oci_manifest=oci_manifest,
+    )
 
-  # Add a tag manifest pointing to that tag.
-  try:
-    manifest = TagManifest.get(digest=manifest.digest)
-    manifest.tag = tag
-    manifest.save()
-    return manifest, False
-  except TagManifest.DoesNotExist:
-    created = _associate_manifest(tag, oci_manifest)
-    return created, True
+    # Add a tag manifest pointing to that tag.
+    try:
+        manifest = TagManifest.get(digest=manifest.digest)
+        manifest.tag = tag
+        manifest.save()
+        return manifest, False
+    except TagManifest.DoesNotExist:
+        created = _associate_manifest(tag, oci_manifest)
+        return created, True
 
 
 def get_active_tag(namespace, repo_name, tag_name):
-  return _tag_alive(RepositoryTag
-                    .select()
-                    .join(Repository)
-                    .join(Namespace, on=(Repository.namespace_user == Namespace.id))
-                    .where(RepositoryTag.name == tag_name, Repository.name == repo_name,
-                           Namespace.username == namespace)).get()
+    return _tag_alive(
+        RepositoryTag.select()
+        .join(Repository)
+        .join(Namespace, on=(Repository.namespace_user == Namespace.id))
+        .where(
+            RepositoryTag.name == tag_name,
+            Repository.name == repo_name,
+            Namespace.username == namespace,
+        )
+    ).get()
+
 
 def get_active_tag_for_repo(repo, tag_name):
-  try:
-    return _tag_alive(RepositoryTag
-                      .select(RepositoryTag, Image, ImageStorage)
-                      .join(Image)
-                      .join(ImageStorage)
-                      .where(RepositoryTag.name == tag_name,
-                             RepositoryTag.repository == repo,
-                             RepositoryTag.hidden == False)).get()
-  except RepositoryTag.DoesNotExist:
-    return None
+    try:
+        return _tag_alive(
+            RepositoryTag.select(RepositoryTag, Image, ImageStorage)
+            .join(Image)
+            .join(ImageStorage)
+            .where(
+                RepositoryTag.name == tag_name,
+                RepositoryTag.repository == repo,
+                RepositoryTag.hidden == False,
+            )
+        ).get()
+    except RepositoryTag.DoesNotExist:
+        return None
+
 
 def get_expired_tag_in_repo(repo, tag_name):
-  return (RepositoryTag
-          .select()
-          .where(RepositoryTag.name == tag_name, RepositoryTag.repository == repo)
-          .where(~(RepositoryTag.lifetime_end_ts >> None))
-          .where(RepositoryTag.lifetime_end_ts <= get_epoch_timestamp())
-          .get())
+    return (
+        RepositoryTag.select()
+        .where(RepositoryTag.name == tag_name, RepositoryTag.repository == repo)
+        .where(~(RepositoryTag.lifetime_end_ts >> None))
+        .where(RepositoryTag.lifetime_end_ts <= get_epoch_timestamp())
+        .get()
+    )
 
 
 def get_possibly_expired_tag(namespace, repo_name, tag_name):
-  return (RepositoryTag
-          .select()
-          .join(Repository)
-          .join(Namespace, on=(Repository.namespace_user == Namespace.id))
-          .where(RepositoryTag.name == tag_name, Repository.name == repo_name,
-                 Namespace.username == namespace)).get()
+    return (
+        RepositoryTag.select()
+        .join(Repository)
+        .join(Namespace, on=(Repository.namespace_user == Namespace.id))
+        .where(
+            RepositoryTag.name == tag_name,
+            Repository.name == repo_name,
+            Namespace.username == namespace,
+        )
+    ).get()
+
 
 def associate_generated_tag_manifest_with_tag(tag, manifest, storage_id_map):
-  oci_manifest = _populate_manifest_and_blobs(tag.repository, manifest, storage_id_map)
+    oci_manifest = _populate_manifest_and_blobs(
+        tag.repository, manifest, storage_id_map
+    )
 
-  with db_transaction():
-    try:
-      (Tag
-        .select()
-        .join(TagToRepositoryTag)
-        .where(TagToRepositoryTag.repository_tag == tag)).get()
-    except Tag.DoesNotExist:
-      oci_tag = Tag.create(repository=tag.repository, manifest=oci_manifest, name=tag.name,
-                            reversion=tag.reversion,
-                            lifetime_start_ms=tag.lifetime_start_ts * 1000,
-                            lifetime_end_ms=(tag.lifetime_end_ts * 1000
-                                            if tag.lifetime_end_ts else None),
-                            tag_kind=Tag.tag_kind.get_id('tag'))
-      TagToRepositoryTag.create(tag=oci_tag, repository_tag=tag, repository=tag.repository)
+    with db_transaction():
+        try:
+            (
+                Tag.select()
+                .join(TagToRepositoryTag)
+                .where(TagToRepositoryTag.repository_tag == tag)
+            ).get()
+        except Tag.DoesNotExist:
+            oci_tag = Tag.create(
+                repository=tag.repository,
+                manifest=oci_manifest,
+                name=tag.name,
+                reversion=tag.reversion,
+                lifetime_start_ms=tag.lifetime_start_ts * 1000,
+                lifetime_end_ms=(
+                    tag.lifetime_end_ts * 1000 if tag.lifetime_end_ts else None
+                ),
+                tag_kind=Tag.tag_kind.get_id("tag"),
+            )
+            TagToRepositoryTag.create(
+                tag=oci_tag, repository_tag=tag, repository=tag.repository
+            )
 
-    return _associate_manifest(tag, oci_manifest)
+        return _associate_manifest(tag, oci_manifest)
 
 
 def _associate_manifest(tag, oci_manifest):
-  with db_transaction():
-    tag_manifest = TagManifest.create(tag=tag, digest=oci_manifest.digest,
-                                      json_data=oci_manifest.manifest_bytes)
-    TagManifestToManifest.create(tag_manifest=tag_manifest, manifest=oci_manifest)
-    return tag_manifest
+    with db_transaction():
+        tag_manifest = TagManifest.create(
+            tag=tag, digest=oci_manifest.digest, json_data=oci_manifest.manifest_bytes
+        )
+        TagManifestToManifest.create(tag_manifest=tag_manifest, manifest=oci_manifest)
+        return tag_manifest
 
 
-def _populate_manifest_and_blobs(repository, manifest, storage_id_map, leaf_layer_id=None):
-  leaf_layer_id = leaf_layer_id or manifest.leaf_layer_v1_image_id
-  try:
-    legacy_image = Image.get(Image.docker_image_id == leaf_layer_id,
-                             Image.repository == repository)
-  except Image.DoesNotExist:
-    raise DataModelException('Invalid image with id: %s' % leaf_layer_id)
+def _populate_manifest_and_blobs(
+    repository, manifest, storage_id_map, leaf_layer_id=None
+):
+    leaf_layer_id = leaf_layer_id or manifest.leaf_layer_v1_image_id
+    try:
+        legacy_image = Image.get(
+            Image.docker_image_id == leaf_layer_id, Image.repository == repository
+        )
+    except Image.DoesNotExist:
+        raise DataModelException("Invalid image with id: %s" % leaf_layer_id)
 
-  storage_ids = set()
-  for blob_digest in manifest.local_blob_digests:
-    image_storage_id = storage_id_map.get(blob_digest)
-    if image_storage_id is None:
-      logger.error('Missing blob for manifest `%s` in: %s', blob_digest, storage_id_map)
-      raise DataModelException('Missing blob for manifest `%s`' % blob_digest)
+    storage_ids = set()
+    for blob_digest in manifest.local_blob_digests:
+        image_storage_id = storage_id_map.get(blob_digest)
+        if image_storage_id is None:
+            logger.error(
+                "Missing blob for manifest `%s` in: %s", blob_digest, storage_id_map
+            )
+            raise DataModelException("Missing blob for manifest `%s`" % blob_digest)
 
-    if image_storage_id in storage_ids:
-      continue
+        if image_storage_id in storage_ids:
+            continue
 
-    storage_ids.add(image_storage_id)
+        storage_ids.add(image_storage_id)
 
-  return populate_manifest(repository, manifest, legacy_image, storage_ids)
+    return populate_manifest(repository, manifest, legacy_image, storage_ids)
 
 
 def populate_manifest(repository, manifest, legacy_image, storage_ids):
-  """ Populates the rows for the manifest, including its blobs and legacy image. """
-  media_type = Manifest.media_type.get_id(manifest.media_type)
+    """ Populates the rows for the manifest, including its blobs and legacy image. """
+    media_type = Manifest.media_type.get_id(manifest.media_type)
 
-  # Check for an existing manifest. If present, return it.
-  try:
-    return Manifest.get(repository=repository, digest=manifest.digest)
-  except Manifest.DoesNotExist:
-    pass
-
-  with db_transaction():
+    # Check for an existing manifest. If present, return it.
     try:
-      manifest_row = Manifest.create(digest=manifest.digest, repository=repository,
-                                     manifest_bytes=manifest.bytes.as_encoded_str(),
-                                     media_type=media_type)
-    except IntegrityError as ie:
-      logger.debug('Got integrity error when trying to write manifest: %s', ie)
-      return Manifest.get(repository=repository, digest=manifest.digest)
+        return Manifest.get(repository=repository, digest=manifest.digest)
+    except Manifest.DoesNotExist:
+        pass
 
-    ManifestLegacyImage.create(manifest=manifest_row, repository=repository, image=legacy_image)
+    with db_transaction():
+        try:
+            manifest_row = Manifest.create(
+                digest=manifest.digest,
+                repository=repository,
+                manifest_bytes=manifest.bytes.as_encoded_str(),
+                media_type=media_type,
+            )
+        except IntegrityError as ie:
+            logger.debug("Got integrity error when trying to write manifest: %s", ie)
+            return Manifest.get(repository=repository, digest=manifest.digest)
 
-    blobs_to_insert = [dict(manifest=manifest_row, repository=repository,
-                            blob=storage_id) for storage_id in storage_ids]
-    if blobs_to_insert:
-      ManifestBlob.insert_many(blobs_to_insert).execute()
+        ManifestLegacyImage.create(
+            manifest=manifest_row, repository=repository, image=legacy_image
+        )
 
-    return manifest_row
+        blobs_to_insert = [
+            dict(manifest=manifest_row, repository=repository, blob=storage_id)
+            for storage_id in storage_ids
+        ]
+        if blobs_to_insert:
+            ManifestBlob.insert_many(blobs_to_insert).execute()
+
+        return manifest_row
 
 
 def get_tag_manifest(tag):
-  try:
-    return TagManifest.get(tag=tag)
-  except TagManifest.DoesNotExist:
-    return None
+    try:
+        return TagManifest.get(tag=tag)
+    except TagManifest.DoesNotExist:
+        return None
 
 
 def load_tag_manifest(namespace, repo_name, tag_name):
-  try:
-    return (_load_repo_manifests(namespace, repo_name)
+    try:
+        return (
+            _load_repo_manifests(namespace, repo_name)
             .where(RepositoryTag.name == tag_name)
-            .get())
-  except TagManifest.DoesNotExist:
-    msg = 'Manifest not found for tag {0} in repo {1}/{2}'.format(tag_name, namespace, repo_name)
-    raise InvalidManifestException(msg)
+            .get()
+        )
+    except TagManifest.DoesNotExist:
+        msg = "Manifest not found for tag {0} in repo {1}/{2}".format(
+            tag_name, namespace, repo_name
+        )
+        raise InvalidManifestException(msg)
 
 
 def delete_manifest_by_digest(namespace, repo_name, digest):
-  tag_manifests = list(_load_repo_manifests(namespace, repo_name)
-                       .where(TagManifest.digest == digest))
+    tag_manifests = list(
+        _load_repo_manifests(namespace, repo_name).where(TagManifest.digest == digest)
+    )
 
-  now_ms = get_epoch_timestamp_ms()
-  for tag_manifest in tag_manifests:
-    try:
-      tag = _tag_alive(RepositoryTag.select().where(RepositoryTag.id == tag_manifest.tag_id)).get()
-      delete_tag(namespace, repo_name, tag_manifest.tag.name, now_ms)
-    except RepositoryTag.DoesNotExist:
-      pass
+    now_ms = get_epoch_timestamp_ms()
+    for tag_manifest in tag_manifests:
+        try:
+            tag = _tag_alive(
+                RepositoryTag.select().where(RepositoryTag.id == tag_manifest.tag_id)
+            ).get()
+            delete_tag(namespace, repo_name, tag_manifest.tag.name, now_ms)
+        except RepositoryTag.DoesNotExist:
+            pass
 
-  return [tag_manifest.tag for tag_manifest in tag_manifests]
+    return [tag_manifest.tag for tag_manifest in tag_manifests]
 
 
 def load_manifest_by_digest(namespace, repo_name, digest, allow_dead=False):
-  try:
-    return (_load_repo_manifests(namespace, repo_name, allow_dead=allow_dead)
+    try:
+        return (
+            _load_repo_manifests(namespace, repo_name, allow_dead=allow_dead)
             .where(TagManifest.digest == digest)
-            .get())
-  except TagManifest.DoesNotExist:
-    msg = 'Manifest not found with digest {0} in repo {1}/{2}'.format(digest, namespace, repo_name)
-    raise InvalidManifestException(msg)
+            .get()
+        )
+    except TagManifest.DoesNotExist:
+        msg = "Manifest not found with digest {0} in repo {1}/{2}".format(
+            digest, namespace, repo_name
+        )
+        raise InvalidManifestException(msg)
 
 
 def _load_repo_manifests(namespace, repo_name, allow_dead=False):
-  query = (TagManifest
-           .select(TagManifest, RepositoryTag)
-           .join(RepositoryTag)
-           .join(Image)
-           .join(Repository)
-           .join(Namespace, on=(Namespace.id == Repository.namespace_user))
-           .where(Repository.name == repo_name, Namespace.username == namespace))
+    query = (
+        TagManifest.select(TagManifest, RepositoryTag)
+        .join(RepositoryTag)
+        .join(Image)
+        .join(Repository)
+        .join(Namespace, on=(Namespace.id == Repository.namespace_user))
+        .where(Repository.name == repo_name, Namespace.username == namespace)
+    )
 
-  if not allow_dead:
-    query = _tag_alive(query)
+    if not allow_dead:
+        query = _tag_alive(query)
 
-  return query
+    return query
 
-def change_repository_tag_expiration(namespace_name, repo_name, tag_name, expiration_date):
-  """ Changes the expiration of the tag with the given name to the given expiration datetime. If
+
+def change_repository_tag_expiration(
+    namespace_name, repo_name, tag_name, expiration_date
+):
+    """ Changes the expiration of the tag with the given name to the given expiration datetime. If
       the expiration datetime is None, then the tag is marked as not expiring.
   """
-  try:
-    tag = get_active_tag(namespace_name, repo_name, tag_name)
-    return change_tag_expiration(tag, expiration_date)
-  except RepositoryTag.DoesNotExist:
-    return (None, False)
+    try:
+        tag = get_active_tag(namespace_name, repo_name, tag_name)
+        return change_tag_expiration(tag, expiration_date)
+    except RepositoryTag.DoesNotExist:
+        return (None, False)
 
 
 def set_tag_expiration_for_manifest(tag_manifest, expiration_sec):
-  """
+    """
   Changes the expiration of the tag that points to the given manifest to be its lifetime start +
   the expiration seconds.
   """
-  expiration_time_ts = tag_manifest.tag.lifetime_start_ts + expiration_sec
-  expiration_date = datetime.utcfromtimestamp(expiration_time_ts)
-  return change_tag_expiration(tag_manifest.tag, expiration_date)
+    expiration_time_ts = tag_manifest.tag.lifetime_start_ts + expiration_sec
+    expiration_date = datetime.utcfromtimestamp(expiration_time_ts)
+    return change_tag_expiration(tag_manifest.tag, expiration_date)
 
 
 def change_tag_expiration(tag, expiration_date):
-  """ Changes the expiration of the given tag to the given expiration datetime. If
+    """ Changes the expiration of the given tag to the given expiration datetime. If
       the expiration datetime is None, then the tag is marked as not expiring.
   """
-  end_ts = None
-  min_expire_sec = convert_to_timedelta(config.app_config.get('LABELED_EXPIRATION_MINIMUM', '1h'))
-  max_expire_sec = convert_to_timedelta(config.app_config.get('LABELED_EXPIRATION_MAXIMUM', '104w'))
+    end_ts = None
+    min_expire_sec = convert_to_timedelta(
+        config.app_config.get("LABELED_EXPIRATION_MINIMUM", "1h")
+    )
+    max_expire_sec = convert_to_timedelta(
+        config.app_config.get("LABELED_EXPIRATION_MAXIMUM", "104w")
+    )
 
-  if expiration_date is not None:
-    offset = timegm(expiration_date.utctimetuple()) - tag.lifetime_start_ts
-    offset = min(max(offset, min_expire_sec.total_seconds()), max_expire_sec.total_seconds())
-    end_ts = tag.lifetime_start_ts + offset
+    if expiration_date is not None:
+        offset = timegm(expiration_date.utctimetuple()) - tag.lifetime_start_ts
+        offset = min(
+            max(offset, min_expire_sec.total_seconds()), max_expire_sec.total_seconds()
+        )
+        end_ts = tag.lifetime_start_ts + offset
 
-  if end_ts == tag.lifetime_end_ts:
-    return (None, True)
+    if end_ts == tag.lifetime_end_ts:
+        return (None, True)
 
-  return set_tag_end_ts(tag, end_ts)
+    return set_tag_end_ts(tag, end_ts)
 
 
 def set_tag_end_ts(tag, end_ts):
-  """ Sets the end timestamp for a tag. Should only be called by change_tag_expiration
+    """ Sets the end timestamp for a tag. Should only be called by change_tag_expiration
       or tests.
   """
-  end_ms = end_ts * 1000 if end_ts is not None else None
+    end_ms = end_ts * 1000 if end_ts is not None else None
 
-  with db_transaction():
-    # Note: We check not just the ID of the tag but also its lifetime_end_ts, to ensure that it has
-    # not changed while we were updating it expiration.
-    result = (RepositoryTag
-              .update(lifetime_end_ts=end_ts)
-              .where(RepositoryTag.id == tag.id,
-                     RepositoryTag.lifetime_end_ts == tag.lifetime_end_ts)
-              .execute())
+    with db_transaction():
+        # Note: We check not just the ID of the tag but also its lifetime_end_ts, to ensure that it has
+        # not changed while we were updating it expiration.
+        result = (
+            RepositoryTag.update(lifetime_end_ts=end_ts)
+            .where(
+                RepositoryTag.id == tag.id,
+                RepositoryTag.lifetime_end_ts == tag.lifetime_end_ts,
+            )
+            .execute()
+        )
 
-    # Check for a mapping to an OCI tag.
-    try:
-      oci_tag = (Tag
-                 .select()
-                 .join(TagToRepositoryTag)
-                 .where(TagToRepositoryTag.repository_tag == tag)
-                 .get())
+        # Check for a mapping to an OCI tag.
+        try:
+            oci_tag = (
+                Tag.select()
+                .join(TagToRepositoryTag)
+                .where(TagToRepositoryTag.repository_tag == tag)
+                .get()
+            )
 
-      (Tag
-       .update(lifetime_end_ms=end_ms)
-       .where(Tag.id == oci_tag.id,
-              Tag.lifetime_end_ms == oci_tag.lifetime_end_ms)
-       .execute())
-    except Tag.DoesNotExist:
-      pass
+            (
+                Tag.update(lifetime_end_ms=end_ms)
+                .where(
+                    Tag.id == oci_tag.id, Tag.lifetime_end_ms == oci_tag.lifetime_end_ms
+                )
+                .execute()
+            )
+        except Tag.DoesNotExist:
+            pass
 
-    return (tag.lifetime_end_ts, result > 0)
+        return (tag.lifetime_end_ts, result > 0)
 
 
 def find_matching_tag(repo_id, tag_names):
-  """ Finds the most recently pushed alive tag in the repository with one of the given names,
+    """ Finds the most recently pushed alive tag in the repository with one of the given names,
       if any.
   """
-  try:
-    return (_tag_alive(RepositoryTag
-                       .select()
-                       .where(RepositoryTag.repository == repo_id,
-                              RepositoryTag.name << list(tag_names))
-                       .order_by(RepositoryTag.lifetime_start_ts.desc()))
-            .get())
-  except RepositoryTag.DoesNotExist:
-    return None
+    try:
+        return _tag_alive(
+            RepositoryTag.select()
+            .where(
+                RepositoryTag.repository == repo_id,
+                RepositoryTag.name << list(tag_names),
+            )
+            .order_by(RepositoryTag.lifetime_start_ts.desc())
+        ).get()
+    except RepositoryTag.DoesNotExist:
+        return None
 
 
 def get_most_recent_tag(repo_id):
-  """ Returns the most recently pushed alive tag in the repository, or None if none. """
-  try:
-    return (_tag_alive(RepositoryTag
-                       .select()
-                       .where(RepositoryTag.repository == repo_id, RepositoryTag.hidden == False)
-                       .order_by(RepositoryTag.lifetime_start_ts.desc()))
-            .get())
-  except RepositoryTag.DoesNotExist:
-    return None
+    """ Returns the most recently pushed alive tag in the repository, or None if none. """
+    try:
+        return _tag_alive(
+            RepositoryTag.select()
+            .where(RepositoryTag.repository == repo_id, RepositoryTag.hidden == False)
+            .order_by(RepositoryTag.lifetime_start_ts.desc())
+        ).get()
+    except RepositoryTag.DoesNotExist:
+        return None
diff --git a/data/model/team.py b/data/model/team.py
index 4988d74ac..3dca6fd15 100644
--- a/data/model/team.py
+++ b/data/model/team.py
@@ -5,10 +5,26 @@ import uuid
 from datetime import datetime
 from peewee import fn
 
-from data.database import (Team, TeamMember, TeamRole, User, TeamMemberInvite, RepositoryPermission,
-                           TeamSync, LoginService, FederatedLogin, db_random_func, db_transaction)
-from data.model import (DataModelException, InvalidTeamException, UserAlreadyInTeam,
-                        InvalidTeamMemberException, _basequery)
+from data.database import (
+    Team,
+    TeamMember,
+    TeamRole,
+    User,
+    TeamMemberInvite,
+    RepositoryPermission,
+    TeamSync,
+    LoginService,
+    FederatedLogin,
+    db_random_func,
+    db_transaction,
+)
+from data.model import (
+    DataModelException,
+    InvalidTeamException,
+    UserAlreadyInTeam,
+    InvalidTeamMemberException,
+    _basequery,
+)
 from data.text import prefix_search
 from util.validation import validate_username
 from util.morecollections import AttrDict
@@ -17,503 +33,567 @@ from util.morecollections import AttrDict
 MIN_TEAMNAME_LENGTH = 2
 MAX_TEAMNAME_LENGTH = 255
 
-VALID_TEAMNAME_REGEX = r'^([a-z0-9]+(?:[._-][a-z0-9]+)*)$'
+VALID_TEAMNAME_REGEX = r"^([a-z0-9]+(?:[._-][a-z0-9]+)*)$"
 
 
 def validate_team_name(teamname):
-  if not re.match(VALID_TEAMNAME_REGEX, teamname):
-    return (False, 'Namespace must match expression ' + VALID_TEAMNAME_REGEX)
+    if not re.match(VALID_TEAMNAME_REGEX, teamname):
+        return (False, "Namespace must match expression " + VALID_TEAMNAME_REGEX)
 
-  length_match = (len(teamname) >= MIN_TEAMNAME_LENGTH and len(teamname) <= MAX_TEAMNAME_LENGTH)
-  if not length_match:
-    return (False, 'Team must be between %s and %s characters in length' %
-            (MIN_TEAMNAME_LENGTH, MAX_TEAMNAME_LENGTH))
+    length_match = (
+        len(teamname) >= MIN_TEAMNAME_LENGTH and len(teamname) <= MAX_TEAMNAME_LENGTH
+    )
+    if not length_match:
+        return (
+            False,
+            "Team must be between %s and %s characters in length"
+            % (MIN_TEAMNAME_LENGTH, MAX_TEAMNAME_LENGTH),
+        )
 
-  return (True, '')
+    return (True, "")
 
 
-def create_team(name, org_obj, team_role_name, description=''):
-  (teamname_valid, teamname_issue) = validate_team_name(name)
-  if not teamname_valid:
-    raise InvalidTeamException('Invalid team name %s: %s' % (name, teamname_issue))
+def create_team(name, org_obj, team_role_name, description=""):
+    (teamname_valid, teamname_issue) = validate_team_name(name)
+    if not teamname_valid:
+        raise InvalidTeamException("Invalid team name %s: %s" % (name, teamname_issue))
 
-  if not org_obj.organization:
-    raise InvalidTeamException('Specified organization %s was not an organization' %
-                               org_obj.username)
+    if not org_obj.organization:
+        raise InvalidTeamException(
+            "Specified organization %s was not an organization" % org_obj.username
+        )
 
-  team_role = TeamRole.get(TeamRole.name == team_role_name)
-  return Team.create(name=name, organization=org_obj, role=team_role,
-                     description=description)
+    team_role = TeamRole.get(TeamRole.name == team_role_name)
+    return Team.create(
+        name=name, organization=org_obj, role=team_role, description=description
+    )
 
 
 def add_user_to_team(user_obj, team):
-  try:
-    return TeamMember.create(user=user_obj, team=team)
-  except Exception:
-    raise UserAlreadyInTeam('User %s is already a member of team %s' %
-                            (user_obj.username, team.name))
+    try:
+        return TeamMember.create(user=user_obj, team=team)
+    except Exception:
+        raise UserAlreadyInTeam(
+            "User %s is already a member of team %s" % (user_obj.username, team.name)
+        )
 
 
 def remove_user_from_team(org_name, team_name, username, removed_by_username):
-  Org = User.alias()
-  joined = TeamMember.select().join(User).switch(TeamMember).join(Team)
-  with_role = joined.join(TeamRole)
-  with_org = with_role.switch(Team).join(Org,
-                                         on=(Org.id == Team.organization))
-  found = list(with_org.where(User.username == username,
-                              Org.username == org_name,
-                              Team.name == team_name))
+    Org = User.alias()
+    joined = TeamMember.select().join(User).switch(TeamMember).join(Team)
+    with_role = joined.join(TeamRole)
+    with_org = with_role.switch(Team).join(Org, on=(Org.id == Team.organization))
+    found = list(
+        with_org.where(
+            User.username == username, Org.username == org_name, Team.name == team_name
+        )
+    )
 
-  if not found:
-    raise DataModelException('User %s does not belong to team %s' %
-                             (username, team_name))
+    if not found:
+        raise DataModelException(
+            "User %s does not belong to team %s" % (username, team_name)
+        )
 
-  if username == removed_by_username:
-    admin_team_query = __get_user_admin_teams(org_name, username)
-    admin_team_names = {team.name for team in admin_team_query}
-    if team_name in admin_team_names and len(admin_team_names) <= 1:
-      msg = 'User cannot remove themselves from their only admin team.'
-      raise DataModelException(msg)
+    if username == removed_by_username:
+        admin_team_query = __get_user_admin_teams(org_name, username)
+        admin_team_names = {team.name for team in admin_team_query}
+        if team_name in admin_team_names and len(admin_team_names) <= 1:
+            msg = "User cannot remove themselves from their only admin team."
+            raise DataModelException(msg)
 
-  user_in_team = found[0]
-  user_in_team.delete_instance()
+    user_in_team = found[0]
+    user_in_team.delete_instance()
 
 
 def set_team_org_permission(team, team_role_name, set_by_username):
-  if team.role.name == 'admin' and team_role_name != 'admin':
-    # We need to make sure we're not removing the users only admin role
-    user_admin_teams = __get_user_admin_teams(team.organization.username, set_by_username)
-    admin_team_set = {admin_team.name for admin_team in user_admin_teams}
-    if team.name in admin_team_set and len(admin_team_set) <= 1:
-      msg = (('Cannot remove admin from team \'%s\' because calling user ' +
-              'would no longer have admin on org \'%s\'') %
-             (team.name, team.organization.username))
-      raise DataModelException(msg)
+    if team.role.name == "admin" and team_role_name != "admin":
+        # We need to make sure we're not removing the users only admin role
+        user_admin_teams = __get_user_admin_teams(
+            team.organization.username, set_by_username
+        )
+        admin_team_set = {admin_team.name for admin_team in user_admin_teams}
+        if team.name in admin_team_set and len(admin_team_set) <= 1:
+            msg = (
+                "Cannot remove admin from team '%s' because calling user "
+                + "would no longer have admin on org '%s'"
+            ) % (team.name, team.organization.username)
+            raise DataModelException(msg)
 
-  new_role = TeamRole.get(TeamRole.name == team_role_name)
-  team.role = new_role
-  team.save()
-  return team
+    new_role = TeamRole.get(TeamRole.name == team_role_name)
+    team.role = new_role
+    team.save()
+    return team
 
 
 def __get_user_admin_teams(org_name, username):
-  Org = User.alias()
-  user_teams = Team.select().join(TeamMember).join(User)
-  with_org = user_teams.switch(Team).join(Org,
-                                          on=(Org.id == Team.organization))
-  with_role = with_org.switch(Team).join(TeamRole)
-  admin_teams = with_role.where(User.username == username,
-                                Org.username == org_name,
-                                TeamRole.name == 'admin')
-  return admin_teams
+    Org = User.alias()
+    user_teams = Team.select().join(TeamMember).join(User)
+    with_org = user_teams.switch(Team).join(Org, on=(Org.id == Team.organization))
+    with_role = with_org.switch(Team).join(TeamRole)
+    admin_teams = with_role.where(
+        User.username == username, Org.username == org_name, TeamRole.name == "admin"
+    )
+    return admin_teams
 
 
 def remove_team(org_name, team_name, removed_by_username):
-  joined = Team.select(Team, TeamRole).join(User).switch(Team).join(TeamRole)
+    joined = Team.select(Team, TeamRole).join(User).switch(Team).join(TeamRole)
 
-  found = list(joined.where(User.organization == True,
-                            User.username == org_name,
-                            Team.name == team_name))
-  if not found:
-    raise InvalidTeamException('Team \'%s\' is not a team in org \'%s\'' %
-                               (team_name, org_name))
+    found = list(
+        joined.where(
+            User.organization == True, User.username == org_name, Team.name == team_name
+        )
+    )
+    if not found:
+        raise InvalidTeamException(
+            "Team '%s' is not a team in org '%s'" % (team_name, org_name)
+        )
 
-  team = found[0]
-  if team.role.name == 'admin':
-    admin_teams = list(__get_user_admin_teams(org_name, removed_by_username))
-    if len(admin_teams) <= 1:
-      # The team we are trying to remove is the only admin team containing this user.
-      msg = "Deleting team '%s' would remove admin ability for user '%s' in organization '%s'"
-      raise DataModelException(msg % (team_name, removed_by_username, org_name))
+    team = found[0]
+    if team.role.name == "admin":
+        admin_teams = list(__get_user_admin_teams(org_name, removed_by_username))
+        if len(admin_teams) <= 1:
+            # The team we are trying to remove is the only admin team containing this user.
+            msg = "Deleting team '%s' would remove admin ability for user '%s' in organization '%s'"
+            raise DataModelException(msg % (team_name, removed_by_username, org_name))
 
-  team.delete_instance(recursive=True, delete_nullable=True)
+    team.delete_instance(recursive=True, delete_nullable=True)
 
 
-def add_or_invite_to_team(inviter, team, user_obj=None, email=None, requires_invite=True):
-  # If the user is a member of the organization, then we simply add the
-  # user directly to the team. Otherwise, an invite is created for the user/email.
-  # We return None if the user was directly added and the invite object if the user was invited.
-  if user_obj and requires_invite:
-    orgname = team.organization.username
+def add_or_invite_to_team(
+    inviter, team, user_obj=None, email=None, requires_invite=True
+):
+    # If the user is a member of the organization, then we simply add the
+    # user directly to the team. Otherwise, an invite is created for the user/email.
+    # We return None if the user was directly added and the invite object if the user was invited.
+    if user_obj and requires_invite:
+        orgname = team.organization.username
 
-    # If the user is part of the organization (or a robot), then no invite is required.
-    if user_obj.robot:
-      requires_invite = False
-      if not user_obj.username.startswith(orgname + '+'):
-        raise InvalidTeamMemberException('Cannot add the specified robot to this team, ' +
-                                         'as it is not a member of the organization')
-    else:
-      query = (TeamMember
-               .select()
-               .where(TeamMember.user == user_obj)
-               .join(Team)
-               .join(User)
-               .where(User.username == orgname, User.organization == True))
-      requires_invite = not any(query)
+        # If the user is part of the organization (or a robot), then no invite is required.
+        if user_obj.robot:
+            requires_invite = False
+            if not user_obj.username.startswith(orgname + "+"):
+                raise InvalidTeamMemberException(
+                    "Cannot add the specified robot to this team, "
+                    + "as it is not a member of the organization"
+                )
+        else:
+            query = (
+                TeamMember.select()
+                .where(TeamMember.user == user_obj)
+                .join(Team)
+                .join(User)
+                .where(User.username == orgname, User.organization == True)
+            )
+            requires_invite = not any(query)
 
-  # If we have a valid user and no invite is required, simply add the user to the team.
-  if user_obj and not requires_invite:
-    add_user_to_team(user_obj, team)
-    return None
+    # If we have a valid user and no invite is required, simply add the user to the team.
+    if user_obj and not requires_invite:
+        add_user_to_team(user_obj, team)
+        return None
 
-  email_address = email if not user_obj else None
-  return TeamMemberInvite.create(user=user_obj, email=email_address, team=team, inviter=inviter)
+    email_address = email if not user_obj else None
+    return TeamMemberInvite.create(
+        user=user_obj, email=email_address, team=team, inviter=inviter
+    )
 
 
 def get_matching_user_teams(team_prefix, user_obj, limit=10):
-  team_prefix_search = prefix_search(Team.name, team_prefix)
-  query = (Team
-           .select(Team.id.distinct(), Team)
-           .join(User)
-           .switch(Team)
-           .join(TeamMember)
-           .where(TeamMember.user == user_obj, team_prefix_search)
-           .limit(limit))
+    team_prefix_search = prefix_search(Team.name, team_prefix)
+    query = (
+        Team.select(Team.id.distinct(), Team)
+        .join(User)
+        .switch(Team)
+        .join(TeamMember)
+        .where(TeamMember.user == user_obj, team_prefix_search)
+        .limit(limit)
+    )
 
-  return query
+    return query
 
 
 def get_organization_team(orgname, teamname):
-  joined = Team.select().join(User)
-  query = joined.where(Team.name == teamname, User.organization == True,
-                       User.username == orgname).limit(1)
-  result = list(query)
-  if not result:
-    raise InvalidTeamException('Team does not exist: %s/%s', orgname,
-                               teamname)
+    joined = Team.select().join(User)
+    query = joined.where(
+        Team.name == teamname, User.organization == True, User.username == orgname
+    ).limit(1)
+    result = list(query)
+    if not result:
+        raise InvalidTeamException("Team does not exist: %s/%s", orgname, teamname)
 
-  return result[0]
+    return result[0]
 
 
 def get_matching_admined_teams(team_prefix, user_obj, limit=10):
-  team_prefix_search = prefix_search(Team.name, team_prefix)
-  admined_orgs = (_basequery.get_user_organizations(user_obj.username)
-                  .switch(Team)
-                  .join(TeamRole)
-                  .where(TeamRole.name == 'admin'))
+    team_prefix_search = prefix_search(Team.name, team_prefix)
+    admined_orgs = (
+        _basequery.get_user_organizations(user_obj.username)
+        .switch(Team)
+        .join(TeamRole)
+        .where(TeamRole.name == "admin")
+    )
 
-  query = (Team
-           .select(Team.id.distinct(), Team)
-           .join(User)
-           .switch(Team)
-           .join(TeamMember)
-           .where(team_prefix_search, Team.organization << (admined_orgs))
-           .limit(limit))
+    query = (
+        Team.select(Team.id.distinct(), Team)
+        .join(User)
+        .switch(Team)
+        .join(TeamMember)
+        .where(team_prefix_search, Team.organization << (admined_orgs))
+        .limit(limit)
+    )
 
-  return query
+    return query
 
 
 def get_matching_teams(team_prefix, organization):
-  team_prefix_search = prefix_search(Team.name, team_prefix)
-  query = Team.select().where(team_prefix_search, Team.organization == organization)
-  return query.limit(10)
+    team_prefix_search = prefix_search(Team.name, team_prefix)
+    query = Team.select().where(team_prefix_search, Team.organization == organization)
+    return query.limit(10)
 
 
 def get_teams_within_org(organization, has_external_auth=False):
-  """ Returns a AttrDict of team info (id, name, description), its role under the org,
+    """ Returns a AttrDict of team info (id, name, description), its role under the org,
       the number of repositories on which it has permission, and the number of members.
   """
-  query = (Team.select()
-           .where(Team.organization == organization)
-           .join(TeamRole))
+    query = Team.select().where(Team.organization == organization).join(TeamRole)
 
-  def _team_view(team):
-    return {
-      'id': team.id,
-      'name': team.name,
-      'description': team.description,
-      'role_name': Team.role.get_name(team.role_id),
+    def _team_view(team):
+        return {
+            "id": team.id,
+            "name": team.name,
+            "description": team.description,
+            "role_name": Team.role.get_name(team.role_id),
+            "repo_count": 0,
+            "member_count": 0,
+            "is_synced": False,
+        }
 
-      'repo_count': 0,
-      'member_count': 0,
+    teams = {team.id: _team_view(team) for team in query}
+    if not teams:
+        # Just in case. Should ideally never happen.
+        return []
 
-      'is_synced': False,
-    }
+    # Add repository permissions count.
+    permission_tuples = (
+        RepositoryPermission.select(
+            RepositoryPermission.team, fn.Count(RepositoryPermission.id)
+        )
+        .where(RepositoryPermission.team << teams.keys())
+        .group_by(RepositoryPermission.team)
+        .tuples()
+    )
 
-  teams = {team.id: _team_view(team) for team in query}
-  if not teams:
-    # Just in case. Should ideally never happen.
-    return []
+    for perm_tuple in permission_tuples:
+        teams[perm_tuple[0]]["repo_count"] = perm_tuple[1]
 
-  # Add repository permissions count.
-  permission_tuples = (RepositoryPermission.select(RepositoryPermission.team,
-                                                   fn.Count(RepositoryPermission.id))
-                       .where(RepositoryPermission.team << teams.keys())
-                       .group_by(RepositoryPermission.team)
-                       .tuples())
+    # Add the member count.
+    members_tuples = (
+        TeamMember.select(TeamMember.team, fn.Count(TeamMember.id))
+        .where(TeamMember.team << teams.keys())
+        .group_by(TeamMember.team)
+        .tuples()
+    )
 
-  for perm_tuple in permission_tuples:
-    teams[perm_tuple[0]]['repo_count'] = perm_tuple[1]
+    for member_tuple in members_tuples:
+        teams[member_tuple[0]]["member_count"] = member_tuple[1]
 
-  # Add the member count.
-  members_tuples = (TeamMember.select(TeamMember.team,
-                                      fn.Count(TeamMember.id))
-                    .where(TeamMember.team << teams.keys())
-                    .group_by(TeamMember.team)
-                    .tuples())
+    # Add syncing information.
+    if has_external_auth:
+        sync_query = TeamSync.select(TeamSync.team).where(TeamSync.team << teams.keys())
+        for team_sync in sync_query:
+            teams[team_sync.team_id]["is_synced"] = True
 
-  for member_tuple in members_tuples:
-    teams[member_tuple[0]]['member_count'] = member_tuple[1]
-
-  # Add syncing information.
-  if has_external_auth:
-    sync_query = TeamSync.select(TeamSync.team).where(TeamSync.team << teams.keys())
-    for team_sync in sync_query:
-      teams[team_sync.team_id]['is_synced'] = True
-
-  return [AttrDict(team_info) for team_info in teams.values()]
+    return [AttrDict(team_info) for team_info in teams.values()]
 
 
 def get_user_teams_within_org(username, organization):
-  joined = Team.select().join(TeamMember).join(User)
-  return joined.where(Team.organization == organization,
-                      User.username == username)
+    joined = Team.select().join(TeamMember).join(User)
+    return joined.where(Team.organization == organization, User.username == username)
 
 
 def list_organization_members_by_teams(organization):
-  query = (TeamMember
-           .select(Team, User)
-           .join(Team)
-           .switch(TeamMember)
-           .join(User)
-           .where(Team.organization == organization))
-  return query
+    query = (
+        TeamMember.select(Team, User)
+        .join(Team)
+        .switch(TeamMember)
+        .join(User)
+        .where(Team.organization == organization)
+    )
+    return query
 
 
 def get_organization_team_member_invites(teamid):
-  joined = TeamMemberInvite.select().join(Team).join(User)
-  query = joined.where(Team.id == teamid)
-  return query
+    joined = TeamMemberInvite.select().join(Team).join(User)
+    query = joined.where(Team.id == teamid)
+    return query
 
 
 def delete_team_email_invite(team, email):
-  try:
-    found = TeamMemberInvite.get(TeamMemberInvite.email == email, TeamMemberInvite.team == team)
-  except TeamMemberInvite.DoesNotExist:
-    return False
+    try:
+        found = TeamMemberInvite.get(
+            TeamMemberInvite.email == email, TeamMemberInvite.team == team
+        )
+    except TeamMemberInvite.DoesNotExist:
+        return False
 
-  found.delete_instance()
-  return True
+    found.delete_instance()
+    return True
 
 
 def delete_team_user_invite(team, user_obj):
-  try:
-    found = TeamMemberInvite.get(TeamMemberInvite.user == user_obj, TeamMemberInvite.team == team)
-  except TeamMemberInvite.DoesNotExist:
-    return False
+    try:
+        found = TeamMemberInvite.get(
+            TeamMemberInvite.user == user_obj, TeamMemberInvite.team == team
+        )
+    except TeamMemberInvite.DoesNotExist:
+        return False
 
-  found.delete_instance()
-  return True
+    found.delete_instance()
+    return True
 
 
 def lookup_team_invites_by_email(email):
-  return TeamMemberInvite.select().where(TeamMemberInvite.email == email)
+    return TeamMemberInvite.select().where(TeamMemberInvite.email == email)
 
 
 def lookup_team_invites(user_obj):
-  return TeamMemberInvite.select().where(TeamMemberInvite.user == user_obj)
+    return TeamMemberInvite.select().where(TeamMemberInvite.user == user_obj)
 
 
 def lookup_team_invite(code, user_obj=None):
- # Lookup the invite code.
-  try:
-    found = TeamMemberInvite.get(TeamMemberInvite.invite_token == code)
-  except TeamMemberInvite.DoesNotExist:
-    raise DataModelException('Invalid confirmation code.')
+    # Lookup the invite code.
+    try:
+        found = TeamMemberInvite.get(TeamMemberInvite.invite_token == code)
+    except TeamMemberInvite.DoesNotExist:
+        raise DataModelException("Invalid confirmation code.")
 
-  if user_obj and found.user != user_obj:
-    raise DataModelException('Invalid confirmation code.')
+    if user_obj and found.user != user_obj:
+        raise DataModelException("Invalid confirmation code.")
 
-  return found
+    return found
 
 
 def delete_team_invite(code, user_obj=None):
-  found = lookup_team_invite(code, user_obj)
+    found = lookup_team_invite(code, user_obj)
 
-  team = found.team
-  inviter = found.inviter
+    team = found.team
+    inviter = found.inviter
 
-  found.delete_instance()
+    found.delete_instance()
 
-  return (team, inviter)
+    return (team, inviter)
 
 
 def find_matching_team_invite(code, user_obj):
-  """ Finds a team invite with the given code that applies to the given user and returns it or
+    """ Finds a team invite with the given code that applies to the given user and returns it or
       raises a DataModelException if not found. """
-  found = lookup_team_invite(code)
+    found = lookup_team_invite(code)
 
-  # If the invite is for a specific user, we have to confirm that here.
-  if found.user is not None and found.user != user_obj:
-    message = """This invite is intended for user "%s".
-                 Please login to that account and try again.""" % found.user.username
-    raise DataModelException(message)
+    # If the invite is for a specific user, we have to confirm that here.
+    if found.user is not None and found.user != user_obj:
+        message = (
+            """This invite is intended for user "%s".
+                 Please login to that account and try again."""
+            % found.user.username
+        )
+        raise DataModelException(message)
 
-  return found
+    return found
 
 
 def find_organization_invites(organization, user_obj):
-  """ Finds all organization team invites for the given user under the given organization. """
-  invite_check = (TeamMemberInvite.user == user_obj)
-  if user_obj.verified:
-    invite_check = invite_check | (TeamMemberInvite.email == user_obj.email)
+    """ Finds all organization team invites for the given user under the given organization. """
+    invite_check = TeamMemberInvite.user == user_obj
+    if user_obj.verified:
+        invite_check = invite_check | (TeamMemberInvite.email == user_obj.email)
 
-  query = (TeamMemberInvite
-           .select()
-           .join(Team)
-           .where(invite_check, Team.organization == organization))
-  return query
+    query = (
+        TeamMemberInvite.select()
+        .join(Team)
+        .where(invite_check, Team.organization == organization)
+    )
+    return query
 
 
 def confirm_team_invite(code, user_obj):
-  """ Confirms the given team invite code for the given user by adding the user to the team
+    """ Confirms the given team invite code for the given user by adding the user to the team
       and deleting the code. Raises a DataModelException if the code was not found or does
       not apply to the given user. If the user is invited to two or more teams under the
       same organization, they are automatically confirmed for all of them. """
-  found = find_matching_team_invite(code, user_obj)
+    found = find_matching_team_invite(code, user_obj)
 
-  # Find all matching invitations for the user under the organization.
-  code_found = False
-  for invite in find_organization_invites(found.team.organization, user_obj):
-    # Add the user to the team.
-    try:
-      code_found = True
-      add_user_to_team(user_obj, invite.team)
-    except UserAlreadyInTeam:
-      # Ignore.
-      pass
+    # Find all matching invitations for the user under the organization.
+    code_found = False
+    for invite in find_organization_invites(found.team.organization, user_obj):
+        # Add the user to the team.
+        try:
+            code_found = True
+            add_user_to_team(user_obj, invite.team)
+        except UserAlreadyInTeam:
+            # Ignore.
+            pass
 
-    # Delete the invite and return the team.
-    invite.delete_instance()
+        # Delete the invite and return the team.
+        invite.delete_instance()
 
-  if not code_found:
-    if found.user:
-      message = """This invite is intended for user "%s".
-                   Please login to that account and try again.""" % found.user.username
-      raise DataModelException(message)
-    else:
-      message = """This invite is intended for email "%s".
-                   Please login to that account and try again.""" % found.email
-      raise DataModelException(message)
+    if not code_found:
+        if found.user:
+            message = (
+                """This invite is intended for user "%s".
+                   Please login to that account and try again."""
+                % found.user.username
+            )
+            raise DataModelException(message)
+        else:
+            message = (
+                """This invite is intended for email "%s".
+                   Please login to that account and try again."""
+                % found.email
+            )
+            raise DataModelException(message)
 
-  team = found.team
-  inviter = found.inviter
-  return (team, inviter)
+    team = found.team
+    inviter = found.inviter
+    return (team, inviter)
 
 
 def get_federated_team_member_mapping(team, login_service_name):
-  """ Returns a dict of all federated IDs for all team members in the team whose users are
+    """ Returns a dict of all federated IDs for all team members in the team whose users are
       bound to the login service within the given name. The dictionary is from federated service
       identifier (username) to their Quay User table ID.
   """
-  login_service = LoginService.get(name=login_service_name)
+    login_service = LoginService.get(name=login_service_name)
 
-  query = (FederatedLogin
-           .select(FederatedLogin.service_ident, User.id)
-           .join(User)
-           .join(TeamMember)
-           .join(Team)
-           .where(Team.id == team, User.robot == False, FederatedLogin.service == login_service))
-  return dict(query.tuples())
+    query = (
+        FederatedLogin.select(FederatedLogin.service_ident, User.id)
+        .join(User)
+        .join(TeamMember)
+        .join(Team)
+        .where(
+            Team.id == team,
+            User.robot == False,
+            FederatedLogin.service == login_service,
+        )
+    )
+    return dict(query.tuples())
 
 
 def list_team_users(team):
-  """ Returns an iterator of all the *users* found in a team. Does not include robots. """
-  return (User
-          .select()
-          .join(TeamMember)
-          .join(Team)
-          .where(Team.id == team, User.robot == False))
+    """ Returns an iterator of all the *users* found in a team. Does not include robots. """
+    return (
+        User.select()
+        .join(TeamMember)
+        .join(Team)
+        .where(Team.id == team, User.robot == False)
+    )
 
 
 def list_team_robots(team):
-  """ Returns an iterator of all the *robots* found in a team. Does not include users. """
-  return (User
-          .select()
-          .join(TeamMember)
-          .join(Team)
-          .where(Team.id == team, User.robot == True))
+    """ Returns an iterator of all the *robots* found in a team. Does not include users. """
+    return (
+        User.select()
+        .join(TeamMember)
+        .join(Team)
+        .where(Team.id == team, User.robot == True)
+    )
 
 
 def set_team_syncing(team, login_service_name, config):
-  """ Sets the given team to sync to the given service using the given config. """
-  login_service = LoginService.get(name=login_service_name)
-  return TeamSync.create(team=team, transaction_id='', service=login_service,
-                         config=json.dumps(config))
+    """ Sets the given team to sync to the given service using the given config. """
+    login_service = LoginService.get(name=login_service_name)
+    return TeamSync.create(
+        team=team, transaction_id="", service=login_service, config=json.dumps(config)
+    )
 
 
 def remove_team_syncing(orgname, teamname):
-  """ Removes syncing on the team matching the given organization name and team name. """
-  existing = get_team_sync_information(orgname, teamname)
-  if existing:
-    existing.delete_instance()
+    """ Removes syncing on the team matching the given organization name and team name. """
+    existing = get_team_sync_information(orgname, teamname)
+    if existing:
+        existing.delete_instance()
 
 
 def get_stale_team(stale_timespan):
-  """ Returns a team that is setup to sync to an external group, and who has not been synced in
+    """ Returns a team that is setup to sync to an external group, and who has not been synced in
       now - stale_timespan. Returns None if none found.
   """
-  stale_at = datetime.now() - stale_timespan
+    stale_at = datetime.now() - stale_timespan
 
-  try:
-    candidates = (TeamSync
-                  .select(TeamSync.id)
-                  .where((TeamSync.last_updated <= stale_at) | (TeamSync.last_updated >> None))
-                  .limit(500)
-                  .alias('candidates'))
+    try:
+        candidates = (
+            TeamSync.select(TeamSync.id)
+            .where(
+                (TeamSync.last_updated <= stale_at) | (TeamSync.last_updated >> None)
+            )
+            .limit(500)
+            .alias("candidates")
+        )
 
-    found = (TeamSync
-             .select(candidates.c.id)
-             .from_(candidates)
-             .order_by(db_random_func())
-             .get())
+        found = (
+            TeamSync.select(candidates.c.id)
+            .from_(candidates)
+            .order_by(db_random_func())
+            .get()
+        )
 
-    if found is None:
-      return
+        if found is None:
+            return
 
-    return TeamSync.select(TeamSync, Team).join(Team).where(TeamSync.id == found.id).get()
-  except TeamSync.DoesNotExist:
-    return None
+        return (
+            TeamSync.select(TeamSync, Team)
+            .join(Team)
+            .where(TeamSync.id == found.id)
+            .get()
+        )
+    except TeamSync.DoesNotExist:
+        return None
 
 
 def get_team_sync_information(orgname, teamname):
-  """ Returns the team syncing information for the team with the given name under the organization
+    """ Returns the team syncing information for the team with the given name under the organization
       with the given name or None if none.
   """
-  query = (TeamSync
-           .select(TeamSync, LoginService)
-           .join(Team)
-           .join(User)
-           .switch(TeamSync)
-           .join(LoginService)
-           .where(Team.name == teamname, User.organization == True, User.username == orgname))
+    query = (
+        TeamSync.select(TeamSync, LoginService)
+        .join(Team)
+        .join(User)
+        .switch(TeamSync)
+        .join(LoginService)
+        .where(
+            Team.name == teamname, User.organization == True, User.username == orgname
+        )
+    )
 
-  try:
-    return query.get()
-  except TeamSync.DoesNotExist:
-    return None
+    try:
+        return query.get()
+    except TeamSync.DoesNotExist:
+        return None
 
 
 def update_sync_status(team_sync_info):
-  """ Attempts to update the transaction ID and last updated time on a TeamSync object. If the
+    """ Attempts to update the transaction ID and last updated time on a TeamSync object. If the
       transaction ID on the entry in the DB does not match that found on the object, this method
       returns False, which indicates another caller updated it first.
   """
-  new_transaction_id = str(uuid.uuid4())
-  query = (TeamSync
-           .update(transaction_id=new_transaction_id, last_updated=datetime.now())
-           .where(TeamSync.id == team_sync_info.id,
-                  TeamSync.transaction_id == team_sync_info.transaction_id))
-  return query.execute() == 1
+    new_transaction_id = str(uuid.uuid4())
+    query = TeamSync.update(
+        transaction_id=new_transaction_id, last_updated=datetime.now()
+    ).where(
+        TeamSync.id == team_sync_info.id,
+        TeamSync.transaction_id == team_sync_info.transaction_id,
+    )
+    return query.execute() == 1
 
 
 def delete_members_not_present(team, member_id_set):
-  """ Deletes all members of the given team that are not found in the member ID set. """
-  with db_transaction():
-    user_ids = set([u.id for u in list_team_users(team)])
-    to_delete = list(user_ids - member_id_set)
-    if to_delete:
-      query = TeamMember.delete().where(TeamMember.team == team, TeamMember.user << to_delete)
-      return query.execute()
+    """ Deletes all members of the given team that are not found in the member ID set. """
+    with db_transaction():
+        user_ids = set([u.id for u in list_team_users(team)])
+        to_delete = list(user_ids - member_id_set)
+        if to_delete:
+            query = TeamMember.delete().where(
+                TeamMember.team == team, TeamMember.user << to_delete
+            )
+            return query.execute()
 
-  return 0
+    return 0
diff --git a/data/model/test/test_appspecifictoken.py b/data/model/test/test_appspecifictoken.py
index 96a7491f5..abfea13b7 100644
--- a/data/model/test/test_appspecifictoken.py
+++ b/data/model/test/test_appspecifictoken.py
@@ -12,115 +12,112 @@ from util.timedeltastring import convert_to_timedelta
 
 from test.fixtures import *
 
-@pytest.mark.parametrize('expiration', [
-  (None),
-  ('-1m'),
-  ('-1d'),
-  ('-1w'),
-  ('10m'),
-  ('10d'),
-  ('10w'),
-])
+
+@pytest.mark.parametrize(
+    "expiration", [(None), ("-1m"), ("-1d"), ("-1w"), ("10m"), ("10d"), ("10w")]
+)
 def test_gc(expiration, initialized_db):
-  user = model.user.get_user('devtable')
+    user = model.user.get_user("devtable")
 
-  expiration_date = None
-  is_expired = False
-  if expiration:
-    if expiration[0] == '-':
-      is_expired = True
-      expiration_date = datetime.now() - convert_to_timedelta(expiration[1:])
-    else:
-      expiration_date = datetime.now() + convert_to_timedelta(expiration)
+    expiration_date = None
+    is_expired = False
+    if expiration:
+        if expiration[0] == "-":
+            is_expired = True
+            expiration_date = datetime.now() - convert_to_timedelta(expiration[1:])
+        else:
+            expiration_date = datetime.now() + convert_to_timedelta(expiration)
 
-  # Create a token.
-  token = create_token(user, 'Some token', expiration=expiration_date)
+    # Create a token.
+    token = create_token(user, "Some token", expiration=expiration_date)
 
-  # GC tokens.
-  gc_expired_tokens(timedelta(seconds=0))
+    # GC tokens.
+    gc_expired_tokens(timedelta(seconds=0))
 
-  # Ensure the token was GCed if expired and not if it wasn't.
-  assert (access_valid_token(get_full_token_string(token)) is None) == is_expired
+    # Ensure the token was GCed if expired and not if it wasn't.
+    assert (access_valid_token(get_full_token_string(token)) is None) == is_expired
 
 
 def test_access_token(initialized_db):
-  user = model.user.get_user('devtable')
+    user = model.user.get_user("devtable")
 
-  # Create a token.
-  token = create_token(user, 'Some token')
-  assert token.last_accessed is None
+    # Create a token.
+    token = create_token(user, "Some token")
+    assert token.last_accessed is None
 
-  # Lookup the token.
-  token = access_valid_token(get_full_token_string(token))
-  assert token.last_accessed is not None
+    # Lookup the token.
+    token = access_valid_token(get_full_token_string(token))
+    assert token.last_accessed is not None
 
-  # Revoke the token.
-  revoke_token(token)
+    # Revoke the token.
+    revoke_token(token)
 
-  # Ensure it cannot be accessed
-  assert access_valid_token(get_full_token_string(token)) is None
+    # Ensure it cannot be accessed
+    assert access_valid_token(get_full_token_string(token)) is None
 
 
 def test_expiring_soon(initialized_db):
-  user = model.user.get_user('devtable')
+    user = model.user.get_user("devtable")
 
-  # Create some tokens.
-  create_token(user, 'Some token')
-  exp_token = create_token(user, 'Some expiring token', datetime.now() + convert_to_timedelta('1d'))
-  create_token(user, 'Some other token', expiration=datetime.now() + convert_to_timedelta('2d'))
+    # Create some tokens.
+    create_token(user, "Some token")
+    exp_token = create_token(
+        user, "Some expiring token", datetime.now() + convert_to_timedelta("1d")
+    )
+    create_token(
+        user, "Some other token", expiration=datetime.now() + convert_to_timedelta("2d")
+    )
 
-  # Get the token expiring soon.
-  expiring_soon = get_expiring_tokens(user, convert_to_timedelta('25h'))
-  assert expiring_soon
-  assert len(expiring_soon) == 1
-  assert expiring_soon[0].id == exp_token.id
+    # Get the token expiring soon.
+    expiring_soon = get_expiring_tokens(user, convert_to_timedelta("25h"))
+    assert expiring_soon
+    assert len(expiring_soon) == 1
+    assert expiring_soon[0].id == exp_token.id
 
-  expiring_soon = get_expiring_tokens(user, convert_to_timedelta('49h'))
-  assert expiring_soon
-  assert len(expiring_soon) == 2
+    expiring_soon = get_expiring_tokens(user, convert_to_timedelta("49h"))
+    assert expiring_soon
+    assert len(expiring_soon) == 2
 
 
-@pytest.fixture(scope='function')
+@pytest.fixture(scope="function")
 def app_config():
-  with patch.dict(_config.app_config, {}, clear=True):
-    yield _config.app_config
-
-@pytest.mark.parametrize('expiration', [
-  (None),
-  ('10m'),
-  ('10d'),
-  ('10w'),
-])
-@pytest.mark.parametrize('default_expiration', [
-  (None),
-  ('10m'),
-  ('10d'),
-  ('10w'),
-])
-def test_create_access_token(expiration, default_expiration, initialized_db, app_config):
-  user = model.user.get_user('devtable')
-  expiration_date = datetime.now() + convert_to_timedelta(expiration) if expiration else None
-  with patch.dict(_config.app_config, {}, clear=True):
-    app_config['APP_SPECIFIC_TOKEN_EXPIRATION'] = default_expiration
-    if expiration:
-      exp_token = create_token(user, 'Some token', expiration=expiration_date)
-      assert exp_token.expiration == expiration_date
-    else:
-      exp_token = create_token(user, 'Some token')
-      assert (exp_token.expiration is None) == (default_expiration is None)
+    with patch.dict(_config.app_config, {}, clear=True):
+        yield _config.app_config
 
 
-@pytest.mark.parametrize('invalid_token', [
-  '',
-  'foo',
-  'a' * 40,
-  'b' * 40,
-  '%s%s' % ('b' * 40, 'a' * 40),
-  '%s%s' % ('a' * 39, 'b' * 40),
-  '%s%s' % ('a' * 40, 'b' * 39),
-  '%s%s' % ('a' * 40, 'b' * 41),
-])
+@pytest.mark.parametrize("expiration", [(None), ("10m"), ("10d"), ("10w")])
+@pytest.mark.parametrize("default_expiration", [(None), ("10m"), ("10d"), ("10w")])
+def test_create_access_token(
+    expiration, default_expiration, initialized_db, app_config
+):
+    user = model.user.get_user("devtable")
+    expiration_date = (
+        datetime.now() + convert_to_timedelta(expiration) if expiration else None
+    )
+    with patch.dict(_config.app_config, {}, clear=True):
+        app_config["APP_SPECIFIC_TOKEN_EXPIRATION"] = default_expiration
+        if expiration:
+            exp_token = create_token(user, "Some token", expiration=expiration_date)
+            assert exp_token.expiration == expiration_date
+        else:
+            exp_token = create_token(user, "Some token")
+            assert (exp_token.expiration is None) == (default_expiration is None)
+
+
+@pytest.mark.parametrize(
+    "invalid_token",
+    [
+        "",
+        "foo",
+        "a" * 40,
+        "b" * 40,
+        "%s%s" % ("b" * 40, "a" * 40),
+        "%s%s" % ("a" * 39, "b" * 40),
+        "%s%s" % ("a" * 40, "b" * 39),
+        "%s%s" % ("a" * 40, "b" * 41),
+    ],
+)
 def test_invalid_access_token(invalid_token, initialized_db):
-  user = model.user.get_user('devtable')
-  token = access_valid_token(invalid_token)
-  assert token is None
+    user = model.user.get_user("devtable")
+    token = access_valid_token(invalid_token)
+    assert token is None
diff --git a/data/model/test/test_basequery.py b/data/model/test/test_basequery.py
index 84e248327..9a3d9567a 100644
--- a/data/model/test/test_basequery.py
+++ b/data/model/test/test_basequery.py
@@ -11,97 +11,101 @@ from util.names import parse_robot_username
 
 from test.fixtures import *
 
-def _is_team_member(team, user):
-  return user.id in [member.user_id for member in
-                     TeamMember.select().where(TeamMember.team == team)]
 
-def _get_visible_repositories_for_user(user, repo_kind='image', include_public=False,
-                                       namespace=None):
-  """ Returns all repositories directly visible to the given user, by either repo permission,
+def _is_team_member(team, user):
+    return user.id in [
+        member.user_id for member in TeamMember.select().where(TeamMember.team == team)
+    ]
+
+
+def _get_visible_repositories_for_user(
+    user, repo_kind="image", include_public=False, namespace=None
+):
+    """ Returns all repositories directly visible to the given user, by either repo permission,
       or the user being the admin of a namespace.
   """
-  for repo in Repository.select():
-    if repo_kind is not None and repo.kind.name != repo_kind:
-      continue
+    for repo in Repository.select():
+        if repo_kind is not None and repo.kind.name != repo_kind:
+            continue
 
-    if namespace is not None and repo.namespace_user.username != namespace:
-      continue
+        if namespace is not None and repo.namespace_user.username != namespace:
+            continue
 
-    if include_public and repo.visibility.name == 'public':
-      yield repo
-      continue
+        if include_public and repo.visibility.name == "public":
+            yield repo
+            continue
 
-    # Direct repo permission.
-    try:
-      RepositoryPermission.get(repository=repo, user=user).get()
-      yield repo
-      continue
-    except RepositoryPermission.DoesNotExist:
-      pass
+        # Direct repo permission.
+        try:
+            RepositoryPermission.get(repository=repo, user=user).get()
+            yield repo
+            continue
+        except RepositoryPermission.DoesNotExist:
+            pass
 
-    # Team permission.
-    found_in_team = False
-    for perm in RepositoryPermission.select().where(RepositoryPermission.repository == repo):
-      if perm.team and _is_team_member(perm.team, user):
-        found_in_team = True
-        break
+        # Team permission.
+        found_in_team = False
+        for perm in RepositoryPermission.select().where(
+            RepositoryPermission.repository == repo
+        ):
+            if perm.team and _is_team_member(perm.team, user):
+                found_in_team = True
+                break
 
-    if found_in_team:
-      yield repo
-      continue
+        if found_in_team:
+            yield repo
+            continue
 
-    # Org namespace admin permission.
-    if user in get_admin_users(repo.namespace_user):
-      yield repo
-      continue
+        # Org namespace admin permission.
+        if user in get_admin_users(repo.namespace_user):
+            yield repo
+            continue
 
 
-@pytest.mark.parametrize('username', [
-  'devtable',
-  'devtable+dtrobot',
-  'public',
-  'reader',
-])
-@pytest.mark.parametrize('include_public', [
-  True,
-  False
-])
-@pytest.mark.parametrize('filter_to_namespace', [
-  True,
-  False
-])
-@pytest.mark.parametrize('repo_kind', [
-  None,
-  'image',
-  'application',
-])
-def test_filter_repositories(username, include_public, filter_to_namespace, repo_kind,
-                             initialized_db):
-  namespace = username if filter_to_namespace else None
-  if '+' in username and filter_to_namespace:
-    namespace, _ = parse_robot_username(username)
+@pytest.mark.parametrize(
+    "username", ["devtable", "devtable+dtrobot", "public", "reader"]
+)
+@pytest.mark.parametrize("include_public", [True, False])
+@pytest.mark.parametrize("filter_to_namespace", [True, False])
+@pytest.mark.parametrize("repo_kind", [None, "image", "application"])
+def test_filter_repositories(
+    username, include_public, filter_to_namespace, repo_kind, initialized_db
+):
+    namespace = username if filter_to_namespace else None
+    if "+" in username and filter_to_namespace:
+        namespace, _ = parse_robot_username(username)
 
-  user = get_namespace_user(username)
-  query = (Repository
-           .select()
-           .distinct()
-           .join(Namespace, on=(Repository.namespace_user == Namespace.id))
-           .switch(Repository)
-           .join(RepositoryPermission, JOIN.LEFT_OUTER))
+    user = get_namespace_user(username)
+    query = (
+        Repository.select()
+        .distinct()
+        .join(Namespace, on=(Repository.namespace_user == Namespace.id))
+        .switch(Repository)
+        .join(RepositoryPermission, JOIN.LEFT_OUTER)
+    )
 
-  # Prime the cache.
-  Repository.kind.get_id('image')
+    # Prime the cache.
+    Repository.kind.get_id("image")
 
-  with assert_query_count(1):
-    found = list(filter_to_repos_for_user(query, user.id,
-                                          namespace=namespace,
-                                          include_public=include_public,
-                                          repo_kind=repo_kind))
+    with assert_query_count(1):
+        found = list(
+            filter_to_repos_for_user(
+                query,
+                user.id,
+                namespace=namespace,
+                include_public=include_public,
+                repo_kind=repo_kind,
+            )
+        )
 
-  expected = list(_get_visible_repositories_for_user(user,
-                                                     repo_kind=repo_kind,
-                                                     namespace=namespace,
-                                                     include_public=include_public))
+    expected = list(
+        _get_visible_repositories_for_user(
+            user,
+            repo_kind=repo_kind,
+            namespace=namespace,
+            include_public=include_public,
+        )
+    )
 
-  assert len(found) == len(expected)
-  assert {r.id for r in found} == {r.id for r in expected}
+    assert len(found) == len(expected)
+    assert {r.id for r in found} == {r.id for r in expected}
diff --git a/data/model/test/test_build.py b/data/model/test/test_build.py
index c43d6e683..7fe95a7f9 100644
--- a/data/model/test/test_build.py
+++ b/data/model/test/test_build.py
@@ -3,105 +3,137 @@ import pytest
 from mock import patch
 
 from data.database import BUILD_PHASE, RepositoryBuildTrigger, RepositoryBuild
-from data.model.build import (update_trigger_disable_status, create_repository_build,
-                              get_repository_build, update_phase_then_close)
+from data.model.build import (
+    update_trigger_disable_status,
+    create_repository_build,
+    get_repository_build,
+    update_phase_then_close,
+)
 from test.fixtures import *
 
 TEST_FAIL_THRESHOLD = 5
 TEST_INTERNAL_ERROR_THRESHOLD = 2
 
-@pytest.mark.parametrize('starting_failure_count, starting_error_count, status, expected_reason', [
-  (0, 0, BUILD_PHASE.COMPLETE, None),
-  (10, 10, BUILD_PHASE.COMPLETE, None),
 
-  (TEST_FAIL_THRESHOLD - 1, TEST_INTERNAL_ERROR_THRESHOLD - 1, BUILD_PHASE.COMPLETE, None),
-  (TEST_FAIL_THRESHOLD - 1, 0, BUILD_PHASE.ERROR, 'successive_build_failures'),
-  (0, TEST_INTERNAL_ERROR_THRESHOLD - 1, BUILD_PHASE.INTERNAL_ERROR,
-   'successive_build_internal_errors'),
-])
-def test_update_trigger_disable_status(starting_failure_count, starting_error_count, status,
-                                       expected_reason, initialized_db):
-  test_config = {
-    'SUCCESSIVE_TRIGGER_FAILURE_DISABLE_THRESHOLD': TEST_FAIL_THRESHOLD,
-    'SUCCESSIVE_TRIGGER_INTERNAL_ERROR_DISABLE_THRESHOLD': TEST_INTERNAL_ERROR_THRESHOLD,
-  }
+@pytest.mark.parametrize(
+    "starting_failure_count, starting_error_count, status, expected_reason",
+    [
+        (0, 0, BUILD_PHASE.COMPLETE, None),
+        (10, 10, BUILD_PHASE.COMPLETE, None),
+        (
+            TEST_FAIL_THRESHOLD - 1,
+            TEST_INTERNAL_ERROR_THRESHOLD - 1,
+            BUILD_PHASE.COMPLETE,
+            None,
+        ),
+        (TEST_FAIL_THRESHOLD - 1, 0, BUILD_PHASE.ERROR, "successive_build_failures"),
+        (
+            0,
+            TEST_INTERNAL_ERROR_THRESHOLD - 1,
+            BUILD_PHASE.INTERNAL_ERROR,
+            "successive_build_internal_errors",
+        ),
+    ],
+)
+def test_update_trigger_disable_status(
+    starting_failure_count,
+    starting_error_count,
+    status,
+    expected_reason,
+    initialized_db,
+):
+    test_config = {
+        "SUCCESSIVE_TRIGGER_FAILURE_DISABLE_THRESHOLD": TEST_FAIL_THRESHOLD,
+        "SUCCESSIVE_TRIGGER_INTERNAL_ERROR_DISABLE_THRESHOLD": TEST_INTERNAL_ERROR_THRESHOLD,
+    }
 
-  trigger = model.build.list_build_triggers('devtable', 'building')[0]
-  trigger.successive_failure_count = starting_failure_count
-  trigger.successive_internal_error_count = starting_error_count
-  trigger.enabled = True
-  trigger.save()
+    trigger = model.build.list_build_triggers("devtable", "building")[0]
+    trigger.successive_failure_count = starting_failure_count
+    trigger.successive_internal_error_count = starting_error_count
+    trigger.enabled = True
+    trigger.save()
 
-  with patch('data.model.config.app_config', test_config):
-    update_trigger_disable_status(trigger, status)
-    updated_trigger = RepositoryBuildTrigger.get(uuid=trigger.uuid)
+    with patch("data.model.config.app_config", test_config):
+        update_trigger_disable_status(trigger, status)
+        updated_trigger = RepositoryBuildTrigger.get(uuid=trigger.uuid)
 
-    assert updated_trigger.enabled == (expected_reason is None)
+        assert updated_trigger.enabled == (expected_reason is None)
 
-    if expected_reason is not None:
-      assert updated_trigger.disabled_reason.name == expected_reason
-    else:
-      assert updated_trigger.disabled_reason is None
-      assert updated_trigger.successive_failure_count == 0
-      assert updated_trigger.successive_internal_error_count == 0
+        if expected_reason is not None:
+            assert updated_trigger.disabled_reason.name == expected_reason
+        else:
+            assert updated_trigger.disabled_reason is None
+            assert updated_trigger.successive_failure_count == 0
+            assert updated_trigger.successive_internal_error_count == 0
 
 
 def test_archivable_build_logs(initialized_db):
-  # Make sure there are no archivable logs.
-  result = model.build.get_archivable_build()
-  assert result is None
+    # Make sure there are no archivable logs.
+    result = model.build.get_archivable_build()
+    assert result is None
 
-  # Add a build that cannot (yet) be archived.
-  repo = model.repository.get_repository('devtable', 'simple')
-  token = model.token.create_access_token(repo, 'write')
-  created = RepositoryBuild.create(repository=repo, access_token=token,
-                                   phase=model.build.BUILD_PHASE.WAITING,
-                                   logs_archived=False, job_config='{}',
-                                   display_name='')
+    # Add a build that cannot (yet) be archived.
+    repo = model.repository.get_repository("devtable", "simple")
+    token = model.token.create_access_token(repo, "write")
+    created = RepositoryBuild.create(
+        repository=repo,
+        access_token=token,
+        phase=model.build.BUILD_PHASE.WAITING,
+        logs_archived=False,
+        job_config="{}",
+        display_name="",
+    )
 
-  # Make sure there are no archivable logs.
-  result = model.build.get_archivable_build()
-  assert result is None
+    # Make sure there are no archivable logs.
+    result = model.build.get_archivable_build()
+    assert result is None
 
-  # Change the build to being complete.
-  created.phase = model.build.BUILD_PHASE.COMPLETE
-  created.save()
+    # Change the build to being complete.
+    created.phase = model.build.BUILD_PHASE.COMPLETE
+    created.save()
 
-  # Make sure we now find an archivable build.
-  result = model.build.get_archivable_build()
-  assert result.id == created.id
+    # Make sure we now find an archivable build.
+    result = model.build.get_archivable_build()
+    assert result.id == created.id
 
 
 def test_update_build_phase(initialized_db):
-  build = create_build(model.repository.get_repository("devtable", "building"))
+    build = create_build(model.repository.get_repository("devtable", "building"))
 
-  repo_build = get_repository_build(build.uuid)
+    repo_build = get_repository_build(build.uuid)
 
-  assert repo_build.phase == BUILD_PHASE.WAITING
-  assert update_phase_then_close(build.uuid, BUILD_PHASE.COMPLETE)
+    assert repo_build.phase == BUILD_PHASE.WAITING
+    assert update_phase_then_close(build.uuid, BUILD_PHASE.COMPLETE)
 
-  repo_build = get_repository_build(build.uuid)
-  assert repo_build.phase == BUILD_PHASE.COMPLETE
+    repo_build = get_repository_build(build.uuid)
+    assert repo_build.phase == BUILD_PHASE.COMPLETE
 
-  repo_build.delete_instance()
-  assert not update_phase_then_close(repo_build.uuid, BUILD_PHASE.PULLING)
+    repo_build.delete_instance()
+    assert not update_phase_then_close(repo_build.uuid, BUILD_PHASE.PULLING)
 
 
 def create_build(repository):
-  new_token = model.token.create_access_token(repository, 'write', 'build-worker')
-  repo = 'ci.devtable.com:5000/%s/%s' % (repository.namespace_user.username, repository.name)
-  job_config = {
-    'repository': repo,
-    'docker_tags': ['latest'],
-    'build_subdir': '',
-    'trigger_metadata': {
-      'commit': '3482adc5822c498e8f7db2e361e8d57b3d77ddd9',
-      'ref': 'refs/heads/master',
-      'default_branch': 'master'
+    new_token = model.token.create_access_token(repository, "write", "build-worker")
+    repo = "ci.devtable.com:5000/%s/%s" % (
+        repository.namespace_user.username,
+        repository.name,
+    )
+    job_config = {
+        "repository": repo,
+        "docker_tags": ["latest"],
+        "build_subdir": "",
+        "trigger_metadata": {
+            "commit": "3482adc5822c498e8f7db2e361e8d57b3d77ddd9",
+            "ref": "refs/heads/master",
+            "default_branch": "master",
+        },
     }
-  }
-  build = create_repository_build(repository, new_token, job_config,
-                                  '68daeebd-a5b9-457f-80a0-4363b882f8ea',
-                                  "build_name")
-  build.save()
-  return build
+    build = create_repository_build(
+        repository,
+        new_token,
+        job_config,
+        "68daeebd-a5b9-457f-80a0-4363b882f8ea",
+        "build_name",
+    )
+    build.save()
+    return build
diff --git a/data/model/test/test_gc.py b/data/model/test/test_gc.py
index 79d13779e..656b75bbb 100644
--- a/data/model/test/test_gc.py
+++ b/data/model/test/test_gc.py
@@ -13,9 +13,19 @@ from playhouse.test_utils import assert_query_count
 from freezegun import freeze_time
 
 from data import model, database
-from data.database import (Image, ImageStorage, DerivedStorageForImage, Label, TagManifestLabel,
-                           ApprBlob, Manifest, TagManifestToManifest, ManifestBlob, Tag,
-                           TagToRepositoryTag)
+from data.database import (
+    Image,
+    ImageStorage,
+    DerivedStorageForImage,
+    Label,
+    TagManifestLabel,
+    ApprBlob,
+    Manifest,
+    TagManifestToManifest,
+    ManifestBlob,
+    Tag,
+    TagToRepositoryTag,
+)
 from data.model.oci.test.test_oci_manifest import create_manifest_for_testing
 from image.docker.schema1 import DockerSchema1ManifestBuilder
 from image.docker.schema2.manifest import DockerSchema2ManifestBuilder
@@ -25,701 +35,787 @@ from util.bytes import Bytes
 from test.fixtures import *
 
 
-ADMIN_ACCESS_USER = 'devtable'
-PUBLIC_USER = 'public'
+ADMIN_ACCESS_USER = "devtable"
+PUBLIC_USER = "public"
+
+REPO = "somerepo"
 
-REPO = 'somerepo'
 
 def _set_tag_expiration_policy(namespace, expiration_s):
-  namespace_user = model.user.get_user(namespace)
-  model.user.change_user_tag_expiration(namespace_user, expiration_s)
+    namespace_user = model.user.get_user(namespace)
+    model.user.change_user_tag_expiration(namespace_user, expiration_s)
 
 
 @pytest.fixture()
 def default_tag_policy(initialized_db):
-  _set_tag_expiration_policy(ADMIN_ACCESS_USER, 0)
-  _set_tag_expiration_policy(PUBLIC_USER, 0)
+    _set_tag_expiration_policy(ADMIN_ACCESS_USER, 0)
+    _set_tag_expiration_policy(PUBLIC_USER, 0)
 
 
 def create_image(docker_image_id, repository_obj, username):
-  preferred = storage.preferred_locations[0]
-  image = model.image.find_create_or_link_image(docker_image_id, repository_obj, username, {},
-                                                preferred)
-  image.storage.uploading = False
-  image.storage.save()
+    preferred = storage.preferred_locations[0]
+    image = model.image.find_create_or_link_image(
+        docker_image_id, repository_obj, username, {}, preferred
+    )
+    image.storage.uploading = False
+    image.storage.save()
 
-  # Create derived images as well.
-  model.image.find_or_create_derived_storage(image, 'squash', preferred)
-  model.image.find_or_create_derived_storage(image, 'aci', preferred)
-
-  # Add some torrent info.
-  try:
-    database.TorrentInfo.get(storage=image.storage)
-  except database.TorrentInfo.DoesNotExist:
-    model.storage.save_torrent_info(image.storage, 1, 'helloworld')
-
-  # Add some additional placements to the image.
-  for location_name in ['local_eu']:
-    location = database.ImageStorageLocation.get(name=location_name)
+    # Create derived images as well.
+    model.image.find_or_create_derived_storage(image, "squash", preferred)
+    model.image.find_or_create_derived_storage(image, "aci", preferred)
 
+    # Add some torrent info.
     try:
-      database.ImageStoragePlacement.get(location=location, storage=image.storage)
-    except:
-      continue
+        database.TorrentInfo.get(storage=image.storage)
+    except database.TorrentInfo.DoesNotExist:
+        model.storage.save_torrent_info(image.storage, 1, "helloworld")
 
-    database.ImageStoragePlacement.create(location=location, storage=image.storage)
+    # Add some additional placements to the image.
+    for location_name in ["local_eu"]:
+        location = database.ImageStorageLocation.get(name=location_name)
 
-  return image.storage
+        try:
+            database.ImageStoragePlacement.get(location=location, storage=image.storage)
+        except:
+            continue
+
+        database.ImageStoragePlacement.create(location=location, storage=image.storage)
+
+    return image.storage
 
 
 def store_tag_manifest(namespace, repo_name, tag_name, image_id):
-  builder = DockerSchema1ManifestBuilder(namespace, repo_name, tag_name)
-  storage_id_map = {}
-  try:
-    image_storage = ImageStorage.select().where(~(ImageStorage.content_checksum >> None)).get()
-    builder.add_layer(image_storage.content_checksum, '{"id": "foo"}')
-    storage_id_map[image_storage.content_checksum] = image_storage.id
-  except ImageStorage.DoesNotExist:
-    pass
+    builder = DockerSchema1ManifestBuilder(namespace, repo_name, tag_name)
+    storage_id_map = {}
+    try:
+        image_storage = (
+            ImageStorage.select().where(~(ImageStorage.content_checksum >> None)).get()
+        )
+        builder.add_layer(image_storage.content_checksum, '{"id": "foo"}')
+        storage_id_map[image_storage.content_checksum] = image_storage.id
+    except ImageStorage.DoesNotExist:
+        pass
 
-  manifest = builder.build(docker_v2_signing_key)
-  manifest_row, _ = model.tag.store_tag_manifest_for_testing(namespace, repo_name, tag_name,
-                                                             manifest, image_id, storage_id_map)
-  return manifest_row
+    manifest = builder.build(docker_v2_signing_key)
+    manifest_row, _ = model.tag.store_tag_manifest_for_testing(
+        namespace, repo_name, tag_name, manifest, image_id, storage_id_map
+    )
+    return manifest_row
 
 
 def create_repository(namespace=ADMIN_ACCESS_USER, name=REPO, **kwargs):
-  user = model.user.get_user(namespace)
-  repo = model.repository.create_repository(namespace, name, user)
+    user = model.user.get_user(namespace)
+    repo = model.repository.create_repository(namespace, name, user)
 
-  # Populate the repository with the tags.
-  image_map = {}
-  for tag_name in kwargs:
-    image_ids = kwargs[tag_name]
-    parent = None
+    # Populate the repository with the tags.
+    image_map = {}
+    for tag_name in kwargs:
+        image_ids = kwargs[tag_name]
+        parent = None
 
-    for image_id in image_ids:
-      if not image_id in image_map:
-        image_map[image_id] = create_image(image_id, repo, namespace)
+        for image_id in image_ids:
+            if not image_id in image_map:
+                image_map[image_id] = create_image(image_id, repo, namespace)
 
-      v1_metadata = {
-        'id': image_id,
-      }
-      if parent is not None:
-        v1_metadata['parent'] = parent.docker_image_id
+            v1_metadata = {"id": image_id}
+            if parent is not None:
+                v1_metadata["parent"] = parent.docker_image_id
 
-      # Set the ancestors for the image.
-      parent = model.image.set_image_metadata(image_id, namespace, name, '', '', '', v1_metadata,
-                                              parent=parent)
+            # Set the ancestors for the image.
+            parent = model.image.set_image_metadata(
+                image_id, namespace, name, "", "", "", v1_metadata, parent=parent
+            )
 
-    # Set the tag for the image.
-    tag_manifest = store_tag_manifest(namespace, name, tag_name, image_ids[-1])
+        # Set the tag for the image.
+        tag_manifest = store_tag_manifest(namespace, name, tag_name, image_ids[-1])
 
-    # Add some labels to the tag.
-    model.label.create_manifest_label(tag_manifest, 'foo', 'bar', 'manifest')
-    model.label.create_manifest_label(tag_manifest, 'meh', 'grah', 'manifest')
+        # Add some labels to the tag.
+        model.label.create_manifest_label(tag_manifest, "foo", "bar", "manifest")
+        model.label.create_manifest_label(tag_manifest, "meh", "grah", "manifest")
 
-  return repo
+    return repo
 
 
 def gc_now(repository):
-  assert model.gc.garbage_collect_repo(repository)
+    assert model.gc.garbage_collect_repo(repository)
 
 
 def delete_tag(repository, tag, perform_gc=True, expect_gc=True):
-  model.tag.delete_tag(repository.namespace_user.username, repository.name, tag)
-  if perform_gc:
-    assert model.gc.garbage_collect_repo(repository) == expect_gc
+    model.tag.delete_tag(repository.namespace_user.username, repository.name, tag)
+    if perform_gc:
+        assert model.gc.garbage_collect_repo(repository) == expect_gc
 
 
 def move_tag(repository, tag, docker_image_id, expect_gc=True):
-  model.tag.create_or_update_tag(repository.namespace_user.username, repository.name, tag,
-                                 docker_image_id)
-  assert model.gc.garbage_collect_repo(repository) == expect_gc
+    model.tag.create_or_update_tag(
+        repository.namespace_user.username, repository.name, tag, docker_image_id
+    )
+    assert model.gc.garbage_collect_repo(repository) == expect_gc
 
 
 def assert_not_deleted(repository, *args):
-  for docker_image_id in args:
-    assert model.image.get_image_by_id(repository.namespace_user.username, repository.name,
-                                       docker_image_id)
+    for docker_image_id in args:
+        assert model.image.get_image_by_id(
+            repository.namespace_user.username, repository.name, docker_image_id
+        )
 
 
 def assert_deleted(repository, *args):
-  for docker_image_id in args:
-    try:
-      # Verify the image is missing when accessed by the repository.
-      model.image.get_image_by_id(repository.namespace_user.username, repository.name,
-                                  docker_image_id)
-    except model.DataModelException:
-      return
+    for docker_image_id in args:
+        try:
+            # Verify the image is missing when accessed by the repository.
+            model.image.get_image_by_id(
+                repository.namespace_user.username, repository.name, docker_image_id
+            )
+        except model.DataModelException:
+            return
 
-    assert False, 'Expected image %s to be deleted' % docker_image_id
+        assert False, "Expected image %s to be deleted" % docker_image_id
 
 
 def _get_dangling_storage_count():
-  storage_ids = set([current.id for current in ImageStorage.select()])
-  referenced_by_image = set([image.storage_id for image in Image.select()])
-  referenced_by_manifest = set([blob.blob_id for blob in ManifestBlob.select()])
-  referenced_by_derived = set([derived.derivative_id
-                               for derived in DerivedStorageForImage.select()])
-  return len(storage_ids - referenced_by_image - referenced_by_derived - referenced_by_manifest)
+    storage_ids = set([current.id for current in ImageStorage.select()])
+    referenced_by_image = set([image.storage_id for image in Image.select()])
+    referenced_by_manifest = set([blob.blob_id for blob in ManifestBlob.select()])
+    referenced_by_derived = set(
+        [derived.derivative_id for derived in DerivedStorageForImage.select()]
+    )
+    return len(
+        storage_ids
+        - referenced_by_image
+        - referenced_by_derived
+        - referenced_by_manifest
+    )
 
 
 def _get_dangling_label_count():
-  return len(_get_dangling_labels())
+    return len(_get_dangling_labels())
 
 
 def _get_dangling_labels():
-  label_ids = set([current.id for current in Label.select()])
-  referenced_by_manifest = set([mlabel.label_id for mlabel in TagManifestLabel.select()])
-  return label_ids - referenced_by_manifest
+    label_ids = set([current.id for current in Label.select()])
+    referenced_by_manifest = set(
+        [mlabel.label_id for mlabel in TagManifestLabel.select()]
+    )
+    return label_ids - referenced_by_manifest
 
 
 def _get_dangling_manifest_count():
-  manifest_ids = set([current.id for current in Manifest.select()])
-  referenced_by_tag_manifest = set([tmt.manifest_id for tmt in TagManifestToManifest.select()])
-  return len(manifest_ids - referenced_by_tag_manifest)
-
+    manifest_ids = set([current.id for current in Manifest.select()])
+    referenced_by_tag_manifest = set(
+        [tmt.manifest_id for tmt in TagManifestToManifest.select()]
+    )
+    return len(manifest_ids - referenced_by_tag_manifest)
 
 
 @contextmanager
 def assert_gc_integrity(expect_storage_removed=True, check_oci_tags=True):
-  """ Specialized assertion for ensuring that GC cleans up all dangling storages
+    """ Specialized assertion for ensuring that GC cleans up all dangling storages
       and labels, invokes the callback for images removed and doesn't invoke the
       callback for images *not* removed.
   """
-  # Add a callback for when images are removed.
-  removed_image_storages = []
-  model.config.register_image_cleanup_callback(removed_image_storages.extend)
+    # Add a callback for when images are removed.
+    removed_image_storages = []
+    model.config.register_image_cleanup_callback(removed_image_storages.extend)
 
-  # Store the number of dangling storages and labels.
-  existing_storage_count = _get_dangling_storage_count()
-  existing_label_count = _get_dangling_label_count()
-  existing_manifest_count = _get_dangling_manifest_count()
-  yield
+    # Store the number of dangling storages and labels.
+    existing_storage_count = _get_dangling_storage_count()
+    existing_label_count = _get_dangling_label_count()
+    existing_manifest_count = _get_dangling_manifest_count()
+    yield
 
-  # Ensure the number of dangling storages, manifests and labels has not changed.
-  updated_storage_count = _get_dangling_storage_count()
-  assert updated_storage_count == existing_storage_count
+    # Ensure the number of dangling storages, manifests and labels has not changed.
+    updated_storage_count = _get_dangling_storage_count()
+    assert updated_storage_count == existing_storage_count
 
-  updated_label_count = _get_dangling_label_count()
-  assert updated_label_count == existing_label_count, _get_dangling_labels()
+    updated_label_count = _get_dangling_label_count()
+    assert updated_label_count == existing_label_count, _get_dangling_labels()
 
-  updated_manifest_count = _get_dangling_manifest_count()
-  assert updated_manifest_count == existing_manifest_count
+    updated_manifest_count = _get_dangling_manifest_count()
+    assert updated_manifest_count == existing_manifest_count
 
-  # Ensure that for each call to the image+storage cleanup callback, the image and its
-  # storage is not found *anywhere* in the database.
-  for removed_image_and_storage in removed_image_storages:
-    with pytest.raises(Image.DoesNotExist):
-      Image.get(id=removed_image_and_storage.id)
+    # Ensure that for each call to the image+storage cleanup callback, the image and its
+    # storage is not found *anywhere* in the database.
+    for removed_image_and_storage in removed_image_storages:
+        with pytest.raises(Image.DoesNotExist):
+            Image.get(id=removed_image_and_storage.id)
 
-    # Ensure that image storages are only removed if not shared.
-    shared = Image.select().where(Image.storage == removed_image_and_storage.storage_id).count()
-    if shared == 0:
-      shared = (ManifestBlob
-                .select()
+        # Ensure that image storages are only removed if not shared.
+        shared = (
+            Image.select()
+            .where(Image.storage == removed_image_and_storage.storage_id)
+            .count()
+        )
+        if shared == 0:
+            shared = (
+                ManifestBlob.select()
                 .where(ManifestBlob.blob == removed_image_and_storage.storage_id)
-                .count())
+                .count()
+            )
 
-    if shared == 0:
-      with pytest.raises(ImageStorage.DoesNotExist):
-        ImageStorage.get(id=removed_image_and_storage.storage_id)
+        if shared == 0:
+            with pytest.raises(ImageStorage.DoesNotExist):
+                ImageStorage.get(id=removed_image_and_storage.storage_id)
 
-      with pytest.raises(ImageStorage.DoesNotExist):
-        ImageStorage.get(uuid=removed_image_and_storage.storage.uuid)
+            with pytest.raises(ImageStorage.DoesNotExist):
+                ImageStorage.get(uuid=removed_image_and_storage.storage.uuid)
 
-  # Ensure all CAS storage is in the storage engine.
-  preferred = storage.preferred_locations[0]
-  for storage_row in ImageStorage.select():
-    if storage_row.cas_path:
-      storage.get_content({preferred}, storage.blob_path(storage_row.content_checksum))
+    # Ensure all CAS storage is in the storage engine.
+    preferred = storage.preferred_locations[0]
+    for storage_row in ImageStorage.select():
+        if storage_row.cas_path:
+            storage.get_content(
+                {preferred}, storage.blob_path(storage_row.content_checksum)
+            )
 
-  for blob_row in ApprBlob.select():
-    storage.get_content({preferred}, storage.blob_path(blob_row.digest))
+    for blob_row in ApprBlob.select():
+        storage.get_content({preferred}, storage.blob_path(blob_row.digest))
 
-  # Ensure there are no danglings OCI tags.
-  if check_oci_tags:
-    oci_tags = {t.id for t in Tag.select()}
-    referenced_oci_tags = {t.tag_id for t in TagToRepositoryTag.select()}
-    assert not oci_tags - referenced_oci_tags
+    # Ensure there are no danglings OCI tags.
+    if check_oci_tags:
+        oci_tags = {t.id for t in Tag.select()}
+        referenced_oci_tags = {t.tag_id for t in TagToRepositoryTag.select()}
+        assert not oci_tags - referenced_oci_tags
 
-  # Ensure all tags have valid manifests.
-  for manifest in {t.manifest for t in Tag.select()}:
-    # Ensure that the manifest's blobs all exist.
-    found_blobs = {b.blob.content_checksum
-                   for b in ManifestBlob.select().where(ManifestBlob.manifest == manifest)}
+    # Ensure all tags have valid manifests.
+    for manifest in {t.manifest for t in Tag.select()}:
+        # Ensure that the manifest's blobs all exist.
+        found_blobs = {
+            b.blob.content_checksum
+            for b in ManifestBlob.select().where(ManifestBlob.manifest == manifest)
+        }
 
-    parsed = parse_manifest_from_bytes(Bytes.for_string_or_unicode(manifest.manifest_bytes),
-                                       manifest.media_type.name)
-    assert set(parsed.local_blob_digests) == found_blobs
+        parsed = parse_manifest_from_bytes(
+            Bytes.for_string_or_unicode(manifest.manifest_bytes),
+            manifest.media_type.name,
+        )
+        assert set(parsed.local_blob_digests) == found_blobs
 
 
 def test_has_garbage(default_tag_policy, initialized_db):
-  """ Remove all existing repositories, then add one without garbage, check, then add one with
+    """ Remove all existing repositories, then add one without garbage, check, then add one with
       garbage, and check again.
   """
-  # Delete all existing repos.
-  for repo in database.Repository.select().order_by(database.Repository.id):
-    assert model.gc.purge_repository(repo.namespace_user.username, repo.name)
+    # Delete all existing repos.
+    for repo in database.Repository.select().order_by(database.Repository.id):
+        assert model.gc.purge_repository(repo.namespace_user.username, repo.name)
 
-  # Change the time machine expiration on the namespace.
-  (database.User
-   .update(removed_tag_expiration_s=1000000000)
-   .where(database.User.username == ADMIN_ACCESS_USER)
-   .execute())
+    # Change the time machine expiration on the namespace.
+    (
+        database.User.update(removed_tag_expiration_s=1000000000)
+        .where(database.User.username == ADMIN_ACCESS_USER)
+        .execute()
+    )
 
-  # Create a repository without any garbage.
-  repository = create_repository(latest=['i1', 'i2', 'i3'])
+    # Create a repository without any garbage.
+    repository = create_repository(latest=["i1", "i2", "i3"])
 
-  # Ensure that no repositories are returned by the has garbage check.
-  assert model.repository.find_repository_with_garbage(1000000000) is None
+    # Ensure that no repositories are returned by the has garbage check.
+    assert model.repository.find_repository_with_garbage(1000000000) is None
 
-  # Delete a tag.
-  delete_tag(repository, 'latest', perform_gc=False)
+    # Delete a tag.
+    delete_tag(repository, "latest", perform_gc=False)
 
-  # There should still not be any repositories with garbage, due to time machine.
-  assert model.repository.find_repository_with_garbage(1000000000) is None
+    # There should still not be any repositories with garbage, due to time machine.
+    assert model.repository.find_repository_with_garbage(1000000000) is None
 
-  # Change the time machine expiration on the namespace.
-  (database.User
-   .update(removed_tag_expiration_s=0)
-   .where(database.User.username == ADMIN_ACCESS_USER)
-   .execute())
+    # Change the time machine expiration on the namespace.
+    (
+        database.User.update(removed_tag_expiration_s=0)
+        .where(database.User.username == ADMIN_ACCESS_USER)
+        .execute()
+    )
 
-  # Now we should find the repository for GC.
-  repository = model.repository.find_repository_with_garbage(0)
-  assert repository is not None
-  assert repository.name == REPO
+    # Now we should find the repository for GC.
+    repository = model.repository.find_repository_with_garbage(0)
+    assert repository is not None
+    assert repository.name == REPO
 
-  # GC the repository.
-  assert model.gc.garbage_collect_repo(repository)
+    # GC the repository.
+    assert model.gc.garbage_collect_repo(repository)
 
-  # There should now be no repositories with garbage.
-  assert model.repository.find_repository_with_garbage(0) is None
+    # There should now be no repositories with garbage.
+    assert model.repository.find_repository_with_garbage(0) is None
 
 
 def test_find_garbage_policy_functions(default_tag_policy, initialized_db):
-  with assert_query_count(1):
-    one_policy = model.repository.get_random_gc_policy()
-    all_policies = model.repository._get_gc_expiration_policies()
-    assert one_policy in all_policies
+    with assert_query_count(1):
+        one_policy = model.repository.get_random_gc_policy()
+        all_policies = model.repository._get_gc_expiration_policies()
+        assert one_policy in all_policies
 
 
 def test_one_tag(default_tag_policy, initialized_db):
-  """ Create a repository with a single tag, then remove that tag and verify that the repository
+    """ Create a repository with a single tag, then remove that tag and verify that the repository
       is now empty. """
-  with assert_gc_integrity():
-    repository = create_repository(latest=['i1', 'i2', 'i3'])
-    delete_tag(repository, 'latest')
-    assert_deleted(repository, 'i1', 'i2', 'i3')
+    with assert_gc_integrity():
+        repository = create_repository(latest=["i1", "i2", "i3"])
+        delete_tag(repository, "latest")
+        assert_deleted(repository, "i1", "i2", "i3")
 
 
 def test_two_tags_unshared_images(default_tag_policy, initialized_db):
-  """ Repository has two tags with no shared images between them. """
-  with assert_gc_integrity():
-    repository = create_repository(latest=['i1', 'i2', 'i3'], other=['f1', 'f2'])
-    delete_tag(repository, 'latest')
-    assert_deleted(repository, 'i1', 'i2', 'i3')
-    assert_not_deleted(repository, 'f1', 'f2')
+    """ Repository has two tags with no shared images between them. """
+    with assert_gc_integrity():
+        repository = create_repository(latest=["i1", "i2", "i3"], other=["f1", "f2"])
+        delete_tag(repository, "latest")
+        assert_deleted(repository, "i1", "i2", "i3")
+        assert_not_deleted(repository, "f1", "f2")
 
 
 def test_two_tags_shared_images(default_tag_policy, initialized_db):
-  """ Repository has two tags with shared images. Deleting the tag should only remove the
+    """ Repository has two tags with shared images. Deleting the tag should only remove the
       unshared images.
   """
-  with assert_gc_integrity():
-    repository = create_repository(latest=['i1', 'i2', 'i3'], other=['i1', 'f1'])
-    delete_tag(repository, 'latest')
-    assert_deleted(repository, 'i2', 'i3')
-    assert_not_deleted(repository, 'i1', 'f1')
+    with assert_gc_integrity():
+        repository = create_repository(latest=["i1", "i2", "i3"], other=["i1", "f1"])
+        delete_tag(repository, "latest")
+        assert_deleted(repository, "i2", "i3")
+        assert_not_deleted(repository, "i1", "f1")
 
 
 def test_unrelated_repositories(default_tag_policy, initialized_db):
-  """ Two repositories with different images. Removing the tag from one leaves the other's
+    """ Two repositories with different images. Removing the tag from one leaves the other's
       images intact.
   """
-  with assert_gc_integrity():
-    repository1 = create_repository(latest=['i1', 'i2', 'i3'], name='repo1')
-    repository2 = create_repository(latest=['j1', 'j2', 'j3'], name='repo2')
+    with assert_gc_integrity():
+        repository1 = create_repository(latest=["i1", "i2", "i3"], name="repo1")
+        repository2 = create_repository(latest=["j1", "j2", "j3"], name="repo2")
 
-    delete_tag(repository1, 'latest')
+        delete_tag(repository1, "latest")
 
-    assert_deleted(repository1, 'i1', 'i2', 'i3')
-    assert_not_deleted(repository2, 'j1', 'j2', 'j3')
+        assert_deleted(repository1, "i1", "i2", "i3")
+        assert_not_deleted(repository2, "j1", "j2", "j3")
 
 
 def test_related_repositories(default_tag_policy, initialized_db):
-  """ Two repositories with shared images. Removing the tag from one leaves the other's
+    """ Two repositories with shared images. Removing the tag from one leaves the other's
       images intact.
   """
-  with assert_gc_integrity():
-    repository1 = create_repository(latest=['i1', 'i2', 'i3'], name='repo1')
-    repository2 = create_repository(latest=['i1', 'i2', 'j1'], name='repo2')
+    with assert_gc_integrity():
+        repository1 = create_repository(latest=["i1", "i2", "i3"], name="repo1")
+        repository2 = create_repository(latest=["i1", "i2", "j1"], name="repo2")
 
-    delete_tag(repository1, 'latest')
+        delete_tag(repository1, "latest")
 
-    assert_deleted(repository1, 'i3')
-    assert_not_deleted(repository2, 'i1', 'i2', 'j1')
+        assert_deleted(repository1, "i3")
+        assert_not_deleted(repository2, "i1", "i2", "j1")
 
 
 def test_inaccessible_repositories(default_tag_policy, initialized_db):
-  """ Two repositories under different namespaces should result in the images being deleted
+    """ Two repositories under different namespaces should result in the images being deleted
       but not completely removed from the database.
   """
-  with assert_gc_integrity():
-    repository1 = create_repository(namespace=ADMIN_ACCESS_USER, latest=['i1', 'i2', 'i3'])
-    repository2 = create_repository(namespace=PUBLIC_USER, latest=['i1', 'i2', 'i3'])
+    with assert_gc_integrity():
+        repository1 = create_repository(
+            namespace=ADMIN_ACCESS_USER, latest=["i1", "i2", "i3"]
+        )
+        repository2 = create_repository(
+            namespace=PUBLIC_USER, latest=["i1", "i2", "i3"]
+        )
 
-    delete_tag(repository1, 'latest')
-    assert_deleted(repository1, 'i1', 'i2', 'i3')
-    assert_not_deleted(repository2, 'i1', 'i2', 'i3')
+        delete_tag(repository1, "latest")
+        assert_deleted(repository1, "i1", "i2", "i3")
+        assert_not_deleted(repository2, "i1", "i2", "i3")
 
 
 def test_many_multiple_shared_images(default_tag_policy, initialized_db):
-  """ Repository has multiple tags with shared images. Delete all but one tag.
+    """ Repository has multiple tags with shared images. Delete all but one tag.
   """
-  with assert_gc_integrity():
-    repository = create_repository(latest=['i1', 'i2', 'i3', 'i4', 'i5', 'i6', 'i7', 'i8', 'j0'],
-                                   master=['i1', 'i2', 'i3', 'i4', 'i5', 'i6', 'i7', 'i8', 'j1'])
+    with assert_gc_integrity():
+        repository = create_repository(
+            latest=["i1", "i2", "i3", "i4", "i5", "i6", "i7", "i8", "j0"],
+            master=["i1", "i2", "i3", "i4", "i5", "i6", "i7", "i8", "j1"],
+        )
 
-    # Delete tag latest. Should only delete j0, since it is not shared.
-    delete_tag(repository, 'latest')
+        # Delete tag latest. Should only delete j0, since it is not shared.
+        delete_tag(repository, "latest")
 
-    assert_deleted(repository, 'j0')
-    assert_not_deleted(repository, 'i1', 'i2', 'i3', 'i4', 'i5', 'i6', 'i7', 'i8', 'j1')
+        assert_deleted(repository, "j0")
+        assert_not_deleted(
+            repository, "i1", "i2", "i3", "i4", "i5", "i6", "i7", "i8", "j1"
+        )
 
-    # Delete tag master. Should delete the rest of the images.
-    delete_tag(repository, 'master')
+        # Delete tag master. Should delete the rest of the images.
+        delete_tag(repository, "master")
 
-    assert_deleted(repository, 'i1', 'i2', 'i3', 'i4', 'i5', 'i6', 'i7', 'i8', 'j1')
+        assert_deleted(repository, "i1", "i2", "i3", "i4", "i5", "i6", "i7", "i8", "j1")
 
 
 def test_multiple_shared_images(default_tag_policy, initialized_db):
-  """ Repository has multiple tags with shared images. Selectively deleting the tags, and
+    """ Repository has multiple tags with shared images. Selectively deleting the tags, and
       verifying at each step.
   """
-  with assert_gc_integrity():
-    repository = create_repository(latest=['i1', 'i2', 'i3'], other=['i1', 'f1', 'f2'],
-                                   third=['t1', 't2', 't3'], fourth=['i1', 'f1'])
+    with assert_gc_integrity():
+        repository = create_repository(
+            latest=["i1", "i2", "i3"],
+            other=["i1", "f1", "f2"],
+            third=["t1", "t2", "t3"],
+            fourth=["i1", "f1"],
+        )
 
-    # Current state:
-    # latest -> i3->i2->i1
-    # other -> f2->f1->i1
-    # third -> t3->t2->t1
-    # fourth -> f1->i1
+        # Current state:
+        # latest -> i3->i2->i1
+        # other -> f2->f1->i1
+        # third -> t3->t2->t1
+        # fourth -> f1->i1
 
-    # Delete tag other. Should delete f2, since it is not shared.
-    delete_tag(repository, 'other')
-    assert_deleted(repository, 'f2')
-    assert_not_deleted(repository, 'i1', 'i2', 'i3', 't1', 't2', 't3', 'f1')
+        # Delete tag other. Should delete f2, since it is not shared.
+        delete_tag(repository, "other")
+        assert_deleted(repository, "f2")
+        assert_not_deleted(repository, "i1", "i2", "i3", "t1", "t2", "t3", "f1")
 
-    # Current state:
-    # latest -> i3->i2->i1
-    # third -> t3->t2->t1
-    # fourth -> f1->i1
+        # Current state:
+        # latest -> i3->i2->i1
+        # third -> t3->t2->t1
+        # fourth -> f1->i1
 
-    # Move tag fourth to i3. This should remove f1 since it is no longer referenced.
-    move_tag(repository, 'fourth', 'i3')
-    assert_deleted(repository, 'f1')
-    assert_not_deleted(repository, 'i1', 'i2', 'i3', 't1', 't2', 't3')
+        # Move tag fourth to i3. This should remove f1 since it is no longer referenced.
+        move_tag(repository, "fourth", "i3")
+        assert_deleted(repository, "f1")
+        assert_not_deleted(repository, "i1", "i2", "i3", "t1", "t2", "t3")
 
-    # Current state:
-    # latest -> i3->i2->i1
-    # third -> t3->t2->t1
-    # fourth -> i3->i2->i1
+        # Current state:
+        # latest -> i3->i2->i1
+        # third -> t3->t2->t1
+        # fourth -> i3->i2->i1
 
-    # Delete tag 'latest'. This should do nothing since fourth is on the same branch.
-    delete_tag(repository, 'latest')
-    assert_not_deleted(repository, 'i1', 'i2', 'i3', 't1', 't2', 't3')
+        # Delete tag 'latest'. This should do nothing since fourth is on the same branch.
+        delete_tag(repository, "latest")
+        assert_not_deleted(repository, "i1", "i2", "i3", "t1", "t2", "t3")
 
-    # Current state:
-    # third -> t3->t2->t1
-    # fourth -> i3->i2->i1
+        # Current state:
+        # third -> t3->t2->t1
+        # fourth -> i3->i2->i1
 
-    # Delete tag 'third'. This should remove t1->t3.
-    delete_tag(repository, 'third')
-    assert_deleted(repository, 't1', 't2', 't3')
-    assert_not_deleted(repository, 'i1', 'i2', 'i3')
+        # Delete tag 'third'. This should remove t1->t3.
+        delete_tag(repository, "third")
+        assert_deleted(repository, "t1", "t2", "t3")
+        assert_not_deleted(repository, "i1", "i2", "i3")
 
-    # Current state:
-    # fourth -> i3->i2->i1
+        # Current state:
+        # fourth -> i3->i2->i1
 
-    # Add tag to i1.
-    move_tag(repository, 'newtag', 'i1', expect_gc=False)
-    assert_not_deleted(repository, 'i1', 'i2', 'i3')
+        # Add tag to i1.
+        move_tag(repository, "newtag", "i1", expect_gc=False)
+        assert_not_deleted(repository, "i1", "i2", "i3")
 
-    # Current state:
-    # fourth -> i3->i2->i1
-    # newtag -> i1
+        # Current state:
+        # fourth -> i3->i2->i1
+        # newtag -> i1
 
-    # Delete tag 'fourth'. This should remove i2 and i3.
-    delete_tag(repository, 'fourth')
-    assert_deleted(repository, 'i2', 'i3')
-    assert_not_deleted(repository, 'i1')
+        # Delete tag 'fourth'. This should remove i2 and i3.
+        delete_tag(repository, "fourth")
+        assert_deleted(repository, "i2", "i3")
+        assert_not_deleted(repository, "i1")
 
-    # Current state:
-    # newtag -> i1
+        # Current state:
+        # newtag -> i1
 
-    # Delete tag 'newtag'. This should remove the remaining image.
-    delete_tag(repository, 'newtag')
-    assert_deleted(repository, 'i1')
+        # Delete tag 'newtag'. This should remove the remaining image.
+        delete_tag(repository, "newtag")
+        assert_deleted(repository, "i1")
 
-    # Current state:
-    # (Empty)
+        # Current state:
+        # (Empty)
 
 
 def test_empty_gc(default_tag_policy, initialized_db):
-  with assert_gc_integrity(expect_storage_removed=False):
-    repository = create_repository(latest=['i1', 'i2', 'i3'], other=['i1', 'f1', 'f2'],
-                                   third=['t1', 't2', 't3'], fourth=['i1', 'f1'])
+    with assert_gc_integrity(expect_storage_removed=False):
+        repository = create_repository(
+            latest=["i1", "i2", "i3"],
+            other=["i1", "f1", "f2"],
+            third=["t1", "t2", "t3"],
+            fourth=["i1", "f1"],
+        )
 
-    assert not model.gc.garbage_collect_repo(repository)
-    assert_not_deleted(repository, 'i1', 'i2', 'i3', 't1', 't2', 't3', 'f1', 'f2')
+        assert not model.gc.garbage_collect_repo(repository)
+        assert_not_deleted(repository, "i1", "i2", "i3", "t1", "t2", "t3", "f1", "f2")
 
 
 def test_time_machine_no_gc(default_tag_policy, initialized_db):
-  """ Repository has two tags with shared images. Deleting the tag should not remove any images
+    """ Repository has two tags with shared images. Deleting the tag should not remove any images
   """
-  with assert_gc_integrity(expect_storage_removed=False):
-    repository = create_repository(latest=['i1', 'i2', 'i3'], other=['i1', 'f1'])
-    _set_tag_expiration_policy(repository.namespace_user.username, 60*60*24)
+    with assert_gc_integrity(expect_storage_removed=False):
+        repository = create_repository(latest=["i1", "i2", "i3"], other=["i1", "f1"])
+        _set_tag_expiration_policy(repository.namespace_user.username, 60 * 60 * 24)
 
-    delete_tag(repository, 'latest', expect_gc=False)
-    assert_not_deleted(repository, 'i2', 'i3')
-    assert_not_deleted(repository, 'i1', 'f1')
+        delete_tag(repository, "latest", expect_gc=False)
+        assert_not_deleted(repository, "i2", "i3")
+        assert_not_deleted(repository, "i1", "f1")
 
 
 def test_time_machine_gc(default_tag_policy, initialized_db):
-  """ Repository has two tags with shared images. Deleting the second tag should cause the images
+    """ Repository has two tags with shared images. Deleting the second tag should cause the images
       for the first deleted tag to gc.
   """
-  now = datetime.utcnow()
+    now = datetime.utcnow()
 
-  with assert_gc_integrity():
-    with freeze_time(now):
-      repository = create_repository(latest=['i1', 'i2', 'i3'], other=['i1', 'f1'])
+    with assert_gc_integrity():
+        with freeze_time(now):
+            repository = create_repository(
+                latest=["i1", "i2", "i3"], other=["i1", "f1"]
+            )
 
-      _set_tag_expiration_policy(repository.namespace_user.username, 1)
+            _set_tag_expiration_policy(repository.namespace_user.username, 1)
 
-      delete_tag(repository, 'latest', expect_gc=False)
-      assert_not_deleted(repository, 'i2', 'i3')
-      assert_not_deleted(repository, 'i1', 'f1')
+            delete_tag(repository, "latest", expect_gc=False)
+            assert_not_deleted(repository, "i2", "i3")
+            assert_not_deleted(repository, "i1", "f1")
 
-    with freeze_time(now + timedelta(seconds=2)):
-      # This will cause the images associated with latest to gc
-      delete_tag(repository, 'other')
-      assert_deleted(repository, 'i2', 'i3')
-      assert_not_deleted(repository, 'i1', 'f1')
+        with freeze_time(now + timedelta(seconds=2)):
+            # This will cause the images associated with latest to gc
+            delete_tag(repository, "other")
+            assert_deleted(repository, "i2", "i3")
+            assert_not_deleted(repository, "i1", "f1")
 
 
 def test_images_shared_storage(default_tag_policy, initialized_db):
-  """ Repository with two tags, both with the same shared storage. Deleting the first
+    """ Repository with two tags, both with the same shared storage. Deleting the first
       tag should delete the first image, but *not* its storage.
   """
-  with assert_gc_integrity(expect_storage_removed=False):
-    repository = create_repository()
+    with assert_gc_integrity(expect_storage_removed=False):
+        repository = create_repository()
 
-    # Add two tags, each with their own image, but with the same storage.
-    image_storage = model.storage.create_v1_storage(storage.preferred_locations[0])
+        # Add two tags, each with their own image, but with the same storage.
+        image_storage = model.storage.create_v1_storage(storage.preferred_locations[0])
 
-    first_image = Image.create(docker_image_id='i1',
-                               repository=repository, storage=image_storage,
-                               ancestors='/')
+        first_image = Image.create(
+            docker_image_id="i1",
+            repository=repository,
+            storage=image_storage,
+            ancestors="/",
+        )
 
-    second_image = Image.create(docker_image_id='i2',
-                                repository=repository, storage=image_storage,
-                                ancestors='/')
+        second_image = Image.create(
+            docker_image_id="i2",
+            repository=repository,
+            storage=image_storage,
+            ancestors="/",
+        )
 
-    store_tag_manifest(repository.namespace_user.username, repository.name,
-                       'first', first_image.docker_image_id)
+        store_tag_manifest(
+            repository.namespace_user.username,
+            repository.name,
+            "first",
+            first_image.docker_image_id,
+        )
 
-    store_tag_manifest(repository.namespace_user.username, repository.name,
-                       'second', second_image.docker_image_id)
+        store_tag_manifest(
+            repository.namespace_user.username,
+            repository.name,
+            "second",
+            second_image.docker_image_id,
+        )
 
-    # Delete the first tag.
-    delete_tag(repository, 'first')
-    assert_deleted(repository, 'i1')
-    assert_not_deleted(repository, 'i2')
+        # Delete the first tag.
+        delete_tag(repository, "first")
+        assert_deleted(repository, "i1")
+        assert_not_deleted(repository, "i2")
 
 
 def test_image_with_cas(default_tag_policy, initialized_db):
-  """ A repository with a tag pointing to an image backed by CAS. Deleting and GCing the tag
+    """ A repository with a tag pointing to an image backed by CAS. Deleting and GCing the tag
       should result in the storage and its CAS data being removed.
   """
-  with assert_gc_integrity(expect_storage_removed=True):
-    repository = create_repository()
+    with assert_gc_integrity(expect_storage_removed=True):
+        repository = create_repository()
 
-    # Create an image storage record under CAS.
-    content = 'hello world'
-    digest = 'sha256:' + hashlib.sha256(content).hexdigest()
-    preferred = storage.preferred_locations[0]
-    storage.put_content({preferred}, storage.blob_path(digest), content)
+        # Create an image storage record under CAS.
+        content = "hello world"
+        digest = "sha256:" + hashlib.sha256(content).hexdigest()
+        preferred = storage.preferred_locations[0]
+        storage.put_content({preferred}, storage.blob_path(digest), content)
 
-    image_storage = database.ImageStorage.create(content_checksum=digest, uploading=False)
-    location = database.ImageStorageLocation.get(name=preferred)
-    database.ImageStoragePlacement.create(location=location, storage=image_storage)
+        image_storage = database.ImageStorage.create(
+            content_checksum=digest, uploading=False
+        )
+        location = database.ImageStorageLocation.get(name=preferred)
+        database.ImageStoragePlacement.create(location=location, storage=image_storage)
 
-    # Ensure the CAS path exists.
-    assert storage.exists({preferred}, storage.blob_path(digest))
+        # Ensure the CAS path exists.
+        assert storage.exists({preferred}, storage.blob_path(digest))
 
-    # Create the image and the tag.
-    first_image = Image.create(docker_image_id='i1',
-                               repository=repository, storage=image_storage,
-                               ancestors='/')
+        # Create the image and the tag.
+        first_image = Image.create(
+            docker_image_id="i1",
+            repository=repository,
+            storage=image_storage,
+            ancestors="/",
+        )
 
-    store_tag_manifest(repository.namespace_user.username, repository.name,
-                       'first', first_image.docker_image_id)
+        store_tag_manifest(
+            repository.namespace_user.username,
+            repository.name,
+            "first",
+            first_image.docker_image_id,
+        )
 
-    assert_not_deleted(repository, 'i1')
+        assert_not_deleted(repository, "i1")
 
-    # Delete the tag.
-    delete_tag(repository, 'first')
-    assert_deleted(repository, 'i1')
+        # Delete the tag.
+        delete_tag(repository, "first")
+        assert_deleted(repository, "i1")
 
-    # Ensure the CAS path is gone.
-    assert not storage.exists({preferred}, storage.blob_path(digest))
+        # Ensure the CAS path is gone.
+        assert not storage.exists({preferred}, storage.blob_path(digest))
 
 
 def test_images_shared_cas(default_tag_policy, initialized_db):
-  """ A repository, each two tags, pointing to the same image, which has image storage
+    """ A repository, each two tags, pointing to the same image, which has image storage
       with the same *CAS path*, but *distinct records*. Deleting the first tag should delete the
       first image, and its storage, but not the file in storage, as it shares its CAS path.
   """
-  with assert_gc_integrity(expect_storage_removed=True):
-    repository = create_repository()
+    with assert_gc_integrity(expect_storage_removed=True):
+        repository = create_repository()
 
-    # Create two image storage records with the same content checksum.
-    content = 'hello world'
-    digest = 'sha256:' + hashlib.sha256(content).hexdigest()
-    preferred = storage.preferred_locations[0]
-    storage.put_content({preferred}, storage.blob_path(digest), content)
+        # Create two image storage records with the same content checksum.
+        content = "hello world"
+        digest = "sha256:" + hashlib.sha256(content).hexdigest()
+        preferred = storage.preferred_locations[0]
+        storage.put_content({preferred}, storage.blob_path(digest), content)
 
-    is1 = database.ImageStorage.create(content_checksum=digest, uploading=False)
-    is2 = database.ImageStorage.create(content_checksum=digest, uploading=False)
+        is1 = database.ImageStorage.create(content_checksum=digest, uploading=False)
+        is2 = database.ImageStorage.create(content_checksum=digest, uploading=False)
 
-    location = database.ImageStorageLocation.get(name=preferred)
+        location = database.ImageStorageLocation.get(name=preferred)
 
-    database.ImageStoragePlacement.create(location=location, storage=is1)
-    database.ImageStoragePlacement.create(location=location, storage=is2)
+        database.ImageStoragePlacement.create(location=location, storage=is1)
+        database.ImageStoragePlacement.create(location=location, storage=is2)
 
-    # Ensure the CAS path exists.
-    assert storage.exists({preferred}, storage.blob_path(digest))
+        # Ensure the CAS path exists.
+        assert storage.exists({preferred}, storage.blob_path(digest))
 
-    # Create two images in the repository, and two tags, each pointing to one of the storages.
-    first_image = Image.create(docker_image_id='i1',
-                               repository=repository, storage=is1,
-                               ancestors='/')
+        # Create two images in the repository, and two tags, each pointing to one of the storages.
+        first_image = Image.create(
+            docker_image_id="i1", repository=repository, storage=is1, ancestors="/"
+        )
 
-    second_image = Image.create(docker_image_id='i2',
-                                repository=repository, storage=is2,
-                                ancestors='/')
+        second_image = Image.create(
+            docker_image_id="i2", repository=repository, storage=is2, ancestors="/"
+        )
 
-    store_tag_manifest(repository.namespace_user.username, repository.name,
-                       'first', first_image.docker_image_id)
+        store_tag_manifest(
+            repository.namespace_user.username,
+            repository.name,
+            "first",
+            first_image.docker_image_id,
+        )
 
-    store_tag_manifest(repository.namespace_user.username, repository.name,
-                       'second', second_image.docker_image_id)
+        store_tag_manifest(
+            repository.namespace_user.username,
+            repository.name,
+            "second",
+            second_image.docker_image_id,
+        )
 
-    assert_not_deleted(repository, 'i1', 'i2')
+        assert_not_deleted(repository, "i1", "i2")
 
-    # Delete the first tag.
-    delete_tag(repository, 'first')
-    assert_deleted(repository, 'i1')
-    assert_not_deleted(repository, 'i2')
+        # Delete the first tag.
+        delete_tag(repository, "first")
+        assert_deleted(repository, "i1")
+        assert_not_deleted(repository, "i2")
 
-    # Ensure the CAS path still exists.
-    assert storage.exists({preferred}, storage.blob_path(digest))
+        # Ensure the CAS path still exists.
+        assert storage.exists({preferred}, storage.blob_path(digest))
 
 
 def test_images_shared_cas_with_new_blob_table(default_tag_policy, initialized_db):
-  """ A repository with a tag and image that shares its CAS path with a record in the new Blob
+    """ A repository with a tag and image that shares its CAS path with a record in the new Blob
       table. Deleting the first tag should delete the first image, and its storage, but not the
       file in storage, as it shares its CAS path with the blob row.
   """
-  with assert_gc_integrity(expect_storage_removed=True):
-    repository = create_repository()
+    with assert_gc_integrity(expect_storage_removed=True):
+        repository = create_repository()
 
-    # Create two image storage records with the same content checksum.
-    content = 'hello world'
-    digest = 'sha256:' + hashlib.sha256(content).hexdigest()
-    preferred = storage.preferred_locations[0]
-    storage.put_content({preferred}, storage.blob_path(digest), content)
+        # Create two image storage records with the same content checksum.
+        content = "hello world"
+        digest = "sha256:" + hashlib.sha256(content).hexdigest()
+        preferred = storage.preferred_locations[0]
+        storage.put_content({preferred}, storage.blob_path(digest), content)
 
-    media_type = database.MediaType.get(name='text/plain')
+        media_type = database.MediaType.get(name="text/plain")
 
-    is1 = database.ImageStorage.create(content_checksum=digest, uploading=False)
-    database.ApprBlob.create(digest=digest, size=0, media_type=media_type)
+        is1 = database.ImageStorage.create(content_checksum=digest, uploading=False)
+        database.ApprBlob.create(digest=digest, size=0, media_type=media_type)
 
-    location = database.ImageStorageLocation.get(name=preferred)
-    database.ImageStoragePlacement.create(location=location, storage=is1)
+        location = database.ImageStorageLocation.get(name=preferred)
+        database.ImageStoragePlacement.create(location=location, storage=is1)
 
-    # Ensure the CAS path exists.
-    assert storage.exists({preferred}, storage.blob_path(digest))
+        # Ensure the CAS path exists.
+        assert storage.exists({preferred}, storage.blob_path(digest))
 
-    # Create the image in the repository, and the tag.
-    first_image = Image.create(docker_image_id='i1',
-                               repository=repository, storage=is1,
-                               ancestors='/')
+        # Create the image in the repository, and the tag.
+        first_image = Image.create(
+            docker_image_id="i1", repository=repository, storage=is1, ancestors="/"
+        )
 
-    store_tag_manifest(repository.namespace_user.username, repository.name,
-                       'first', first_image.docker_image_id)
+        store_tag_manifest(
+            repository.namespace_user.username,
+            repository.name,
+            "first",
+            first_image.docker_image_id,
+        )
 
-    assert_not_deleted(repository, 'i1')
+        assert_not_deleted(repository, "i1")
 
-    # Delete the tag.
-    delete_tag(repository, 'first')
-    assert_deleted(repository, 'i1')
+        # Delete the tag.
+        delete_tag(repository, "first")
+        assert_deleted(repository, "i1")
 
-    # Ensure the CAS path still exists, as it is referenced by the Blob table
-    assert storage.exists({preferred}, storage.blob_path(digest))
+        # Ensure the CAS path still exists, as it is referenced by the Blob table
+        assert storage.exists({preferred}, storage.blob_path(digest))
 
 
 def test_purge_repo(app):
-  """ Test that app registers delete_metadata function on repository deletions """
-  with assert_gc_integrity():
-    with patch('app.tuf_metadata_api') as mock_tuf:
-      model.gc.purge_repository("ns", "repo")
-      assert mock_tuf.delete_metadata.called_with("ns", "repo")
+    """ Test that app registers delete_metadata function on repository deletions """
+    with assert_gc_integrity():
+        with patch("app.tuf_metadata_api") as mock_tuf:
+            model.gc.purge_repository("ns", "repo")
+            assert mock_tuf.delete_metadata.called_with("ns", "repo")
 
 
 def test_super_long_image_chain_gc(app, default_tag_policy):
-  """ Test that a super long chain of images all gets properly GCed. """
-  with assert_gc_integrity():
-    images = ['i%s' % i for i in range(0, 100)]
-    repository = create_repository(latest=images)
-    delete_tag(repository, 'latest')
+    """ Test that a super long chain of images all gets properly GCed. """
+    with assert_gc_integrity():
+        images = ["i%s" % i for i in range(0, 100)]
+        repository = create_repository(latest=images)
+        delete_tag(repository, "latest")
 
-    # Ensure the repository is now empty.
-    assert_deleted(repository, *images)
+        # Ensure the repository is now empty.
+        assert_deleted(repository, *images)
 
 
 def test_manifest_v2_shared_config_and_blobs(app, default_tag_policy):
-  """ Test that GCing a tag that refers to a V2 manifest with the same config and some shared
+    """ Test that GCing a tag that refers to a V2 manifest with the same config and some shared
       blobs as another manifest ensures that the config blob and shared blob are NOT GCed.
   """
-  repo = model.repository.create_repository('devtable', 'newrepo', None)
-  manifest1, built1 = create_manifest_for_testing(repo, differentiation_field='1',
-                                                  include_shared_blob=True)
-  manifest2, built2 = create_manifest_for_testing(repo, differentiation_field='2',
-                                                  include_shared_blob=True)
+    repo = model.repository.create_repository("devtable", "newrepo", None)
+    manifest1, built1 = create_manifest_for_testing(
+        repo, differentiation_field="1", include_shared_blob=True
+    )
+    manifest2, built2 = create_manifest_for_testing(
+        repo, differentiation_field="2", include_shared_blob=True
+    )
 
-  assert set(built1.local_blob_digests).intersection(built2.local_blob_digests)
-  assert built1.config.digest == built2.config.digest
+    assert set(built1.local_blob_digests).intersection(built2.local_blob_digests)
+    assert built1.config.digest == built2.config.digest
 
-  # Create tags pointing to the manifests.
-  model.oci.tag.retarget_tag('tag1', manifest1)
-  model.oci.tag.retarget_tag('tag2', manifest2)
+    # Create tags pointing to the manifests.
+    model.oci.tag.retarget_tag("tag1", manifest1)
+    model.oci.tag.retarget_tag("tag2", manifest2)
 
-  with assert_gc_integrity(expect_storage_removed=True, check_oci_tags=False):
-    # Delete tag2.
-    model.oci.tag.delete_tag(repo, 'tag2')
-    assert model.gc.garbage_collect_repo(repo)
+    with assert_gc_integrity(expect_storage_removed=True, check_oci_tags=False):
+        # Delete tag2.
+        model.oci.tag.delete_tag(repo, "tag2")
+        assert model.gc.garbage_collect_repo(repo)
 
-  # Ensure the blobs for manifest1 still all exist.
-  preferred = storage.preferred_locations[0]
-  for blob_digest in built1.local_blob_digests:
-    storage_row = ImageStorage.get(content_checksum=blob_digest)
+    # Ensure the blobs for manifest1 still all exist.
+    preferred = storage.preferred_locations[0]
+    for blob_digest in built1.local_blob_digests:
+        storage_row = ImageStorage.get(content_checksum=blob_digest)
 
-    assert storage_row.cas_path
-    storage.get_content({preferred}, storage.blob_path(storage_row.content_checksum))
+        assert storage_row.cas_path
+        storage.get_content(
+            {preferred}, storage.blob_path(storage_row.content_checksum)
+        )
diff --git a/data/model/test/test_image.py b/data/model/test/test_image.py
index 9442a23eb..e7c3f79e1 100644
--- a/data/model/test/test_image.py
+++ b/data/model/test/test_image.py
@@ -6,99 +6,110 @@ from playhouse.test_utils import assert_query_count
 
 from test.fixtures import *
 
+
 @pytest.fixture()
 def images(initialized_db):
-  images = image.get_repository_images('devtable', 'simple')
-  assert len(images)
-  return images
+    images = image.get_repository_images("devtable", "simple")
+    assert len(images)
+    return images
 
 
 def test_get_image_with_storage(images, initialized_db):
-  for current in images:
-    storage_uuid = current.storage.uuid
+    for current in images:
+        storage_uuid = current.storage.uuid
 
-    with assert_query_count(1):
-      retrieved = image.get_image_with_storage(current.docker_image_id, storage_uuid)
-      assert retrieved.id == current.id
-      assert retrieved.storage.uuid == storage_uuid
+        with assert_query_count(1):
+            retrieved = image.get_image_with_storage(
+                current.docker_image_id, storage_uuid
+            )
+            assert retrieved.id == current.id
+            assert retrieved.storage.uuid == storage_uuid
 
 
 def test_get_parent_images(images, initialized_db):
-  for current in images:
-    if not len(current.ancestor_id_list()):
-      continue
+    for current in images:
+        if not len(current.ancestor_id_list()):
+            continue
 
-    with assert_query_count(1):
-      parent_images = list(image.get_parent_images('devtable', 'simple', current))
+        with assert_query_count(1):
+            parent_images = list(image.get_parent_images("devtable", "simple", current))
 
-    assert len(parent_images) == len(current.ancestor_id_list())
-    assert set(current.ancestor_id_list()) == {i.id for i in parent_images}
+        assert len(parent_images) == len(current.ancestor_id_list())
+        assert set(current.ancestor_id_list()) == {i.id for i in parent_images}
 
-    for parent in parent_images:
-      with assert_query_count(0):
-        assert parent.storage.id
+        for parent in parent_images:
+            with assert_query_count(0):
+                assert parent.storage.id
 
 
 def test_get_image(images, initialized_db):
-  for current in images:
-    repo = current.repository
+    for current in images:
+        repo = current.repository
 
-    with assert_query_count(1):
-      found = image.get_image(repo, current.docker_image_id)
+        with assert_query_count(1):
+            found = image.get_image(repo, current.docker_image_id)
 
-    assert found.id == current.id
+        assert found.id == current.id
 
 
 def test_placements(images, initialized_db):
-  with assert_query_count(1):
-    placements_map = image.get_placements_for_images(images)
+    with assert_query_count(1):
+        placements_map = image.get_placements_for_images(images)
 
-  for current in images:
-    assert current.storage.id in placements_map
+    for current in images:
+        assert current.storage.id in placements_map
 
-    with assert_query_count(2):
-      expected_image, expected_placements = image.get_image_and_placements('devtable', 'simple',
-                                                                           current.docker_image_id)
+        with assert_query_count(2):
+            expected_image, expected_placements = image.get_image_and_placements(
+                "devtable", "simple", current.docker_image_id
+            )
 
-    assert expected_image.id == current.id
-    assert len(expected_placements) == len(placements_map.get(current.storage.id))
-    assert ({p.id for p in expected_placements} == 
-            {p.id for p in placements_map.get(current.storage.id)})
+        assert expected_image.id == current.id
+        assert len(expected_placements) == len(placements_map.get(current.storage.id))
+        assert {p.id for p in expected_placements} == {
+            p.id for p in placements_map.get(current.storage.id)
+        }
 
 
 def test_get_repo_image(images, initialized_db):
-  for current in images:
-    with assert_query_count(1):
-      found = image.get_repo_image('devtable', 'simple', current.docker_image_id)
+    for current in images:
+        with assert_query_count(1):
+            found = image.get_repo_image("devtable", "simple", current.docker_image_id)
 
-    assert found.id == current.id
-    with assert_query_count(1):
-      assert found.storage.id
+        assert found.id == current.id
+        with assert_query_count(1):
+            assert found.storage.id
 
 
 def test_get_repo_image_and_storage(images, initialized_db):
-  for current in images:
-    with assert_query_count(1):
-      found = image.get_repo_image_and_storage('devtable', 'simple', current.docker_image_id)
+    for current in images:
+        with assert_query_count(1):
+            found = image.get_repo_image_and_storage(
+                "devtable", "simple", current.docker_image_id
+            )
 
-    assert found.id == current.id
-    with assert_query_count(0):
-      assert found.storage.id
+        assert found.id == current.id
+        with assert_query_count(0):
+            assert found.storage.id
 
 
 def test_get_repository_images_without_placements(images, initialized_db):
-  ancestors_map = defaultdict(list)
-  for img in images:
-    current = img.parent
-    while current is not None:
-      ancestors_map[current.id].append(img.id)
-      current = current.parent
+    ancestors_map = defaultdict(list)
+    for img in images:
+        current = img.parent
+        while current is not None:
+            ancestors_map[current.id].append(img.id)
+            current = current.parent
 
-  for current in images:
-    repo = current.repository
+    for current in images:
+        repo = current.repository
 
-    with assert_query_count(1):
-      found = list(image.get_repository_images_without_placements(repo, with_ancestor=current))
+        with assert_query_count(1):
+            found = list(
+                image.get_repository_images_without_placements(
+                    repo, with_ancestor=current
+                )
+            )
 
-    assert len(found) == len(ancestors_map[current.id]) + 1
-    assert {i.id for i in found} == set(ancestors_map[current.id] + [current.id])
+        assert len(found) == len(ancestors_map[current.id]) + 1
+        assert {i.id for i in found} == set(ancestors_map[current.id] + [current.id])
diff --git a/data/model/test/test_image_sharing.py b/data/model/test/test_image_sharing.py
index 239500b10..2490fe7cc 100644
--- a/data/model/test/test_image_sharing.py
+++ b/data/model/test/test_image_sharing.py
@@ -6,210 +6,315 @@ from storage.distributedstorage import DistributedStorage
 from storage.fakestorage import FakeStorage
 from test.fixtures import *
 
-NO_ACCESS_USER = 'freshuser'
-READ_ACCESS_USER = 'reader'
-ADMIN_ACCESS_USER = 'devtable'
-PUBLIC_USER = 'public'
-RANDOM_USER = 'randomuser'
-OUTSIDE_ORG_USER = 'outsideorg'
+NO_ACCESS_USER = "freshuser"
+READ_ACCESS_USER = "reader"
+ADMIN_ACCESS_USER = "devtable"
+PUBLIC_USER = "public"
+RANDOM_USER = "randomuser"
+OUTSIDE_ORG_USER = "outsideorg"
 
-ADMIN_ROBOT_USER = 'devtable+dtrobot'
+ADMIN_ROBOT_USER = "devtable+dtrobot"
 
-ORGANIZATION = 'buynlarge'
+ORGANIZATION = "buynlarge"
 
-REPO = 'devtable/simple'
-PUBLIC_REPO = 'public/publicrepo'
-RANDOM_REPO = 'randomuser/randomrepo'
+REPO = "devtable/simple"
+PUBLIC_REPO = "public/publicrepo"
+RANDOM_REPO = "randomuser/randomrepo"
 
-OUTSIDE_ORG_REPO = 'outsideorg/coolrepo'
+OUTSIDE_ORG_REPO = "outsideorg/coolrepo"
 
-ORG_REPO = 'buynlarge/orgrepo'
-ANOTHER_ORG_REPO = 'buynlarge/anotherorgrepo'
+ORG_REPO = "buynlarge/orgrepo"
+ANOTHER_ORG_REPO = "buynlarge/anotherorgrepo"
 
 # Note: The shared repo has devtable as admin, public as a writer and reader as a reader.
-SHARED_REPO = 'devtable/shared'
+SHARED_REPO = "devtable/shared"
 
 
 @pytest.fixture()
 def storage(app):
-  return DistributedStorage({'local_us': FakeStorage(None)}, preferred_locations=['local_us'])
+    return DistributedStorage(
+        {"local_us": FakeStorage(None)}, preferred_locations=["local_us"]
+    )
 
 
-def createStorage(storage, docker_image_id, repository=REPO, username=ADMIN_ACCESS_USER):
-  repository_obj = model.repository.get_repository(repository.split('/')[0],
-                                                   repository.split('/')[1])
-  preferred = storage.preferred_locations[0]
-  image = model.image.find_create_or_link_image(docker_image_id, repository_obj, username, {},
-                                                preferred)
-  image.storage.uploading = False
-  image.storage.save()
-  return image.storage
+def createStorage(
+    storage, docker_image_id, repository=REPO, username=ADMIN_ACCESS_USER
+):
+    repository_obj = model.repository.get_repository(
+        repository.split("/")[0], repository.split("/")[1]
+    )
+    preferred = storage.preferred_locations[0]
+    image = model.image.find_create_or_link_image(
+        docker_image_id, repository_obj, username, {}, preferred
+    )
+    image.storage.uploading = False
+    image.storage.save()
+    return image.storage
 
 
-def assertSameStorage(storage, docker_image_id, existing_storage, repository=REPO,
-                      username=ADMIN_ACCESS_USER):
-  new_storage = createStorage(storage, docker_image_id, repository, username)
-  assert existing_storage.id == new_storage.id
+def assertSameStorage(
+    storage,
+    docker_image_id,
+    existing_storage,
+    repository=REPO,
+    username=ADMIN_ACCESS_USER,
+):
+    new_storage = createStorage(storage, docker_image_id, repository, username)
+    assert existing_storage.id == new_storage.id
 
 
-def assertDifferentStorage(storage, docker_image_id, existing_storage, repository=REPO,
-                           username=ADMIN_ACCESS_USER):
-  new_storage = createStorage(storage, docker_image_id, repository, username)
-  assert existing_storage.id != new_storage.id
+def assertDifferentStorage(
+    storage,
+    docker_image_id,
+    existing_storage,
+    repository=REPO,
+    username=ADMIN_ACCESS_USER,
+):
+    new_storage = createStorage(storage, docker_image_id, repository, username)
+    assert existing_storage.id != new_storage.id
 
 
 def test_same_user(storage, initialized_db):
-  """ The same user creates two images, each which should be shared in the same repo. This is a
+    """ The same user creates two images, each which should be shared in the same repo. This is a
     sanity check. """
 
-  # Create a reference to a new docker ID => new image.
-  first_storage_id = createStorage(storage, 'first-image')
+    # Create a reference to a new docker ID => new image.
+    first_storage_id = createStorage(storage, "first-image")
 
-  # Create a reference to the same docker ID => same image.
-  assertSameStorage(storage, 'first-image', first_storage_id)
+    # Create a reference to the same docker ID => same image.
+    assertSameStorage(storage, "first-image", first_storage_id)
 
-  # Create a reference to another new docker ID => new image.
-  second_storage_id = createStorage(storage, 'second-image')
+    # Create a reference to another new docker ID => new image.
+    second_storage_id = createStorage(storage, "second-image")
 
-  # Create a reference to that same docker ID => same image.
-  assertSameStorage(storage, 'second-image', second_storage_id)
+    # Create a reference to that same docker ID => same image.
+    assertSameStorage(storage, "second-image", second_storage_id)
 
-  # Make sure the images are different.
-  assert first_storage_id != second_storage_id
+    # Make sure the images are different.
+    assert first_storage_id != second_storage_id
 
 
 def test_no_user_private_repo(storage, initialized_db):
-  """ If no user is specified (token case usually), then no sharing can occur on a private repo. """
-  # Create a reference to a new docker ID => new image.
-  first_storage = createStorage(storage, 'the-image', username=None, repository=SHARED_REPO)
+    """ If no user is specified (token case usually), then no sharing can occur on a private repo. """
+    # Create a reference to a new docker ID => new image.
+    first_storage = createStorage(
+        storage, "the-image", username=None, repository=SHARED_REPO
+    )
 
-  # Create a areference to the same docker ID, but since no username => new image.
-  assertDifferentStorage(storage, 'the-image', first_storage, username=None, repository=RANDOM_REPO)
+    # Create a areference to the same docker ID, but since no username => new image.
+    assertDifferentStorage(
+        storage, "the-image", first_storage, username=None, repository=RANDOM_REPO
+    )
 
 
 def test_no_user_public_repo(storage, initialized_db):
-  """ If no user is specified (token case usually), then no sharing can occur on a private repo except when the image is first public. """
-  # Create a reference to a new docker ID => new image.
-  first_storage = createStorage(storage, 'the-image', username=None, repository=PUBLIC_REPO)
+    """ If no user is specified (token case usually), then no sharing can occur on a private repo except when the image is first public. """
+    # Create a reference to a new docker ID => new image.
+    first_storage = createStorage(
+        storage, "the-image", username=None, repository=PUBLIC_REPO
+    )
 
-  # Create a areference to the same docker ID. Since no username, we'd expect different but the first image is public so => shaed image.
-  assertSameStorage(storage, 'the-image', first_storage, username=None, repository=RANDOM_REPO)
+    # Create a areference to the same docker ID. Since no username, we'd expect different but the first image is public so => shaed image.
+    assertSameStorage(
+        storage, "the-image", first_storage, username=None, repository=RANDOM_REPO
+    )
 
 
 def test_different_user_same_repo(storage, initialized_db):
-  """ Two different users create the same image in the same repo. """
+    """ Two different users create the same image in the same repo. """
 
-  # Create a reference to a new docker ID under the first user => new image.
-  first_storage = createStorage(storage, 'the-image', username=PUBLIC_USER, repository=SHARED_REPO)
+    # Create a reference to a new docker ID under the first user => new image.
+    first_storage = createStorage(
+        storage, "the-image", username=PUBLIC_USER, repository=SHARED_REPO
+    )
 
-  # Create a reference to the *same* docker ID under the second user => same image.
-  assertSameStorage(storage, 'the-image', first_storage, username=ADMIN_ACCESS_USER, repository=SHARED_REPO)
+    # Create a reference to the *same* docker ID under the second user => same image.
+    assertSameStorage(
+        storage,
+        "the-image",
+        first_storage,
+        username=ADMIN_ACCESS_USER,
+        repository=SHARED_REPO,
+    )
 
 
 def test_different_repo_no_shared_access(storage, initialized_db):
-  """ Neither user has access to the other user's repository. """
+    """ Neither user has access to the other user's repository. """
 
-  # Create a reference to a new docker ID under the first user => new image.
-  first_storage_id = createStorage(storage, 'the-image', username=RANDOM_USER, repository=RANDOM_REPO)
+    # Create a reference to a new docker ID under the first user => new image.
+    first_storage_id = createStorage(
+        storage, "the-image", username=RANDOM_USER, repository=RANDOM_REPO
+    )
 
-  # Create a reference to the *same* docker ID under the second user => new image.
-  second_storage_id = createStorage(storage, 'the-image', username=ADMIN_ACCESS_USER, repository=REPO)
+    # Create a reference to the *same* docker ID under the second user => new image.
+    second_storage_id = createStorage(
+        storage, "the-image", username=ADMIN_ACCESS_USER, repository=REPO
+    )
 
-  # Verify that the users do not share storage.
-  assert first_storage_id != second_storage_id
+    # Verify that the users do not share storage.
+    assert first_storage_id != second_storage_id
 
 
 def test_public_than_private(storage, initialized_db):
-  """ An image is created publicly then used privately, so it should be shared. """
+    """ An image is created publicly then used privately, so it should be shared. """
 
-  # Create a reference to a new docker ID under the first user => new image.
-  first_storage = createStorage(storage, 'the-image', username=PUBLIC_USER, repository=PUBLIC_REPO)
+    # Create a reference to a new docker ID under the first user => new image.
+    first_storage = createStorage(
+        storage, "the-image", username=PUBLIC_USER, repository=PUBLIC_REPO
+    )
 
-  # Create a reference to the *same* docker ID under the second user => same image, since the first was public.
-  assertSameStorage(storage, 'the-image', first_storage, username=ADMIN_ACCESS_USER, repository=REPO)
+    # Create a reference to the *same* docker ID under the second user => same image, since the first was public.
+    assertSameStorage(
+        storage, "the-image", first_storage, username=ADMIN_ACCESS_USER, repository=REPO
+    )
 
 
 def test_private_than_public(storage, initialized_db):
-  """ An image is created privately then used publicly, so it should *not* be shared. """
+    """ An image is created privately then used publicly, so it should *not* be shared. """
 
-  # Create a reference to a new docker ID under the first user => new image.
-  first_storage = createStorage(storage, 'the-image', username=ADMIN_ACCESS_USER, repository=REPO)
+    # Create a reference to a new docker ID under the first user => new image.
+    first_storage = createStorage(
+        storage, "the-image", username=ADMIN_ACCESS_USER, repository=REPO
+    )
 
-  # Create a reference to the *same* docker ID under the second user => new image, since the first was private.
-  assertDifferentStorage(storage, 'the-image', first_storage, username=PUBLIC_USER, repository=PUBLIC_REPO)
+    # Create a reference to the *same* docker ID under the second user => new image, since the first was private.
+    assertDifferentStorage(
+        storage,
+        "the-image",
+        first_storage,
+        username=PUBLIC_USER,
+        repository=PUBLIC_REPO,
+    )
 
 
 def test_different_repo_with_access(storage, initialized_db):
-  """ An image is created in one repo (SHARED_REPO) which the user (PUBLIC_USER) has access to. Later, the
+    """ An image is created in one repo (SHARED_REPO) which the user (PUBLIC_USER) has access to. Later, the
       image is created in another repo (PUBLIC_REPO) that the user also has access to. The image should
       be shared since the user has access.
   """
-  # Create the image in the shared repo => new image.
-  first_storage = createStorage(storage, 'the-image', username=ADMIN_ACCESS_USER, repository=SHARED_REPO)
+    # Create the image in the shared repo => new image.
+    first_storage = createStorage(
+        storage, "the-image", username=ADMIN_ACCESS_USER, repository=SHARED_REPO
+    )
 
-  # Create the image in the other user's repo, but since the user (PUBLIC) still has access to the shared
-  # repository, they should reuse the storage.
-  assertSameStorage(storage, 'the-image', first_storage, username=PUBLIC_USER, repository=PUBLIC_REPO)
+    # Create the image in the other user's repo, but since the user (PUBLIC) still has access to the shared
+    # repository, they should reuse the storage.
+    assertSameStorage(
+        storage,
+        "the-image",
+        first_storage,
+        username=PUBLIC_USER,
+        repository=PUBLIC_REPO,
+    )
 
 
 def test_org_access(storage, initialized_db):
-  """ An image is accessible by being a member of the organization. """
+    """ An image is accessible by being a member of the organization. """
 
-  # Create the new image under the org's repo => new image.
-  first_storage = createStorage(storage, 'the-image', username=ADMIN_ACCESS_USER, repository=ORG_REPO)
+    # Create the new image under the org's repo => new image.
+    first_storage = createStorage(
+        storage, "the-image", username=ADMIN_ACCESS_USER, repository=ORG_REPO
+    )
 
-  # Create an image under the user's repo, but since the user has access to the organization => shared image.
-  assertSameStorage(storage, 'the-image', first_storage, username=ADMIN_ACCESS_USER, repository=REPO)
+    # Create an image under the user's repo, but since the user has access to the organization => shared image.
+    assertSameStorage(
+        storage, "the-image", first_storage, username=ADMIN_ACCESS_USER, repository=REPO
+    )
 
-  # Ensure that the user's robot does not have access, since it is not on the permissions list for the repo.
-  assertDifferentStorage(storage, 'the-image', first_storage, username=ADMIN_ROBOT_USER, repository=SHARED_REPO)
+    # Ensure that the user's robot does not have access, since it is not on the permissions list for the repo.
+    assertDifferentStorage(
+        storage,
+        "the-image",
+        first_storage,
+        username=ADMIN_ROBOT_USER,
+        repository=SHARED_REPO,
+    )
 
 
 def test_org_access_different_user(storage, initialized_db):
-  """ An image is accessible by being a member of the organization. """
+    """ An image is accessible by being a member of the organization. """
 
-  # Create the new image under the org's repo => new image.
-  first_storage = createStorage(storage, 'the-image', username=ADMIN_ACCESS_USER, repository=ORG_REPO)
+    # Create the new image under the org's repo => new image.
+    first_storage = createStorage(
+        storage, "the-image", username=ADMIN_ACCESS_USER, repository=ORG_REPO
+    )
 
-  # Create an image under a user's repo, but since the user has access to the organization => shared image.
-  assertSameStorage(storage, 'the-image', first_storage, username=PUBLIC_USER, repository=PUBLIC_REPO)
+    # Create an image under a user's repo, but since the user has access to the organization => shared image.
+    assertSameStorage(
+        storage,
+        "the-image",
+        first_storage,
+        username=PUBLIC_USER,
+        repository=PUBLIC_REPO,
+    )
 
-  # Also verify for reader.
-  assertSameStorage(storage, 'the-image', first_storage, username=READ_ACCESS_USER, repository=PUBLIC_REPO)
+    # Also verify for reader.
+    assertSameStorage(
+        storage,
+        "the-image",
+        first_storage,
+        username=READ_ACCESS_USER,
+        repository=PUBLIC_REPO,
+    )
 
 
 def test_org_no_access(storage, initialized_db):
-  """ An image is not accessible if not a member of the organization. """
+    """ An image is not accessible if not a member of the organization. """
 
-  # Create the new image under the org's repo => new image.
-  first_storage = createStorage(storage, 'the-image', username=ADMIN_ACCESS_USER, repository=ORG_REPO)
+    # Create the new image under the org's repo => new image.
+    first_storage = createStorage(
+        storage, "the-image", username=ADMIN_ACCESS_USER, repository=ORG_REPO
+    )
 
-  # Create an image under a user's repo. Since the user is not a member of the organization => new image.
-  assertDifferentStorage(storage, 'the-image', first_storage, username=RANDOM_USER, repository=RANDOM_REPO)
+    # Create an image under a user's repo. Since the user is not a member of the organization => new image.
+    assertDifferentStorage(
+        storage,
+        "the-image",
+        first_storage,
+        username=RANDOM_USER,
+        repository=RANDOM_REPO,
+    )
 
 
 def test_org_not_team_member_with_access(storage, initialized_db):
-  """ An image is accessible to a user specifically listed as having permission on the org repo. """
+    """ An image is accessible to a user specifically listed as having permission on the org repo. """
 
-  # Create the new image under the org's repo => new image.
-  first_storage = createStorage(storage, 'the-image', username=ADMIN_ACCESS_USER, repository=ORG_REPO)
+    # Create the new image under the org's repo => new image.
+    first_storage = createStorage(
+        storage, "the-image", username=ADMIN_ACCESS_USER, repository=ORG_REPO
+    )
 
-  # Create an image under a user's repo. Since the user has read access on that repo, they can see the image => shared image.
-  assertSameStorage(storage, 'the-image', first_storage, username=OUTSIDE_ORG_USER, repository=OUTSIDE_ORG_REPO)
+    # Create an image under a user's repo. Since the user has read access on that repo, they can see the image => shared image.
+    assertSameStorage(
+        storage,
+        "the-image",
+        first_storage,
+        username=OUTSIDE_ORG_USER,
+        repository=OUTSIDE_ORG_REPO,
+    )
 
 
 def test_org_not_team_member_with_no_access(storage, initialized_db):
-  """ A user that has access to one org repo but not another and is not a team member. """
+    """ A user that has access to one org repo but not another and is not a team member. """
 
-  # Create the new image under the org's repo => new image.
-  first_storage = createStorage(storage, 'the-image', username=ADMIN_ACCESS_USER, repository=ANOTHER_ORG_REPO)
+    # Create the new image under the org's repo => new image.
+    first_storage = createStorage(
+        storage, "the-image", username=ADMIN_ACCESS_USER, repository=ANOTHER_ORG_REPO
+    )
+
+    # Create an image under a user's repo. The user doesn't have access to the repo (ANOTHER_ORG_REPO) so => new image.
+    assertDifferentStorage(
+        storage,
+        "the-image",
+        first_storage,
+        username=OUTSIDE_ORG_USER,
+        repository=OUTSIDE_ORG_REPO,
+    )
 
-  # Create an image under a user's repo. The user doesn't have access to the repo (ANOTHER_ORG_REPO) so => new image.
-  assertDifferentStorage(storage, 'the-image', first_storage, username=OUTSIDE_ORG_USER, repository=OUTSIDE_ORG_REPO)
 
 def test_no_link_to_uploading(storage, initialized_db):
-  still_uploading = createStorage(storage, 'an-image', repository=PUBLIC_REPO)
-  still_uploading.uploading = True
-  still_uploading.save()
+    still_uploading = createStorage(storage, "an-image", repository=PUBLIC_REPO)
+    still_uploading.uploading = True
+    still_uploading.save()
 
-  assertDifferentStorage(storage, 'an-image', still_uploading)
+    assertDifferentStorage(storage, "an-image", still_uploading)
diff --git a/data/model/test/test_log.py b/data/model/test/test_log.py
index 7ced0bb91..21c84e655 100644
--- a/data/model/test/test_log.py
+++ b/data/model/test/test_log.py
@@ -8,73 +8,101 @@ from mock import patch, Mock, DEFAULT, sentinel
 from peewee import PeeweeException
 
 
-@pytest.fixture(scope='function')
+@pytest.fixture(scope="function")
 def app_config():
-  with patch.dict(_config.app_config, {}, clear=True):
-    yield _config.app_config
+    with patch.dict(_config.app_config, {}, clear=True):
+        yield _config.app_config
+
 
 @pytest.fixture()
 def logentry_kind():
-  kinds = {'pull_repo': 'pull_repo_kind',  'push_repo': 'push_repo_kind'}
-  with patch('data.model.log.get_log_entry_kinds', return_value=kinds, spec=True):
-    yield kinds
+    kinds = {"pull_repo": "pull_repo_kind", "push_repo": "push_repo_kind"}
+    with patch("data.model.log.get_log_entry_kinds", return_value=kinds, spec=True):
+        yield kinds
+
 
 @pytest.fixture()
 def logentry(logentry_kind):
-  with patch('data.database.LogEntry3.create', spec=True):
-    yield LogEntry3
+    with patch("data.database.LogEntry3.create", spec=True):
+        yield LogEntry3
+
 
 @pytest.fixture()
 def user():
-  with patch.multiple('data.database.User', username=DEFAULT, get=DEFAULT, select=DEFAULT) as user:
-    user['get'].return_value = Mock(id='mock_user_id')
-    user['select'].return_value.tuples.return_value.get.return_value = ['default_user_id']
-    yield User
+    with patch.multiple(
+        "data.database.User", username=DEFAULT, get=DEFAULT, select=DEFAULT
+    ) as user:
+        user["get"].return_value = Mock(id="mock_user_id")
+        user["select"].return_value.tuples.return_value.get.return_value = [
+            "default_user_id"
+        ]
+        yield User
 
-@pytest.mark.parametrize('action_kind', [('pull'), ('oops')])
+
+@pytest.mark.parametrize("action_kind", [("pull"), ("oops")])
 def test_log_action_unknown_action(action_kind):
-  ''' test unknown action types throw an exception when logged '''
-  with pytest.raises(Exception):
-    log_action(action_kind, None)
+    """ test unknown action types throw an exception when logged """
+    with pytest.raises(Exception):
+        log_action(action_kind, None)
 
 
-@pytest.mark.parametrize('user_or_org_name,account_id,account', [
-  ('my_test_org', 'N/A',             'mock_user_id'   ),
-  (None,          'test_account_id', 'test_account_id'),
-  (None,           None,             'default_user_id')
-])
-@pytest.mark.parametrize('unlogged_pulls_ok,action_kind,db_exception,throws', [
-  (False, 'pull_repo', None,            False),
-  (False, 'push_repo', None,            False),
-  (False, 'pull_repo', PeeweeException, True ),
-  (False, 'push_repo', PeeweeException, True ),
+@pytest.mark.parametrize(
+    "user_or_org_name,account_id,account",
+    [
+        ("my_test_org", "N/A", "mock_user_id"),
+        (None, "test_account_id", "test_account_id"),
+        (None, None, "default_user_id"),
+    ],
+)
+@pytest.mark.parametrize(
+    "unlogged_pulls_ok,action_kind,db_exception,throws",
+    [
+        (False, "pull_repo", None, False),
+        (False, "push_repo", None, False),
+        (False, "pull_repo", PeeweeException, True),
+        (False, "push_repo", PeeweeException, True),
+        (True, "pull_repo", PeeweeException, False),
+        (True, "push_repo", PeeweeException, True),
+        (True, "pull_repo", Exception, True),
+        (True, "push_repo", Exception, True),
+    ],
+)
+def test_log_action(
+    user_or_org_name,
+    account_id,
+    account,
+    unlogged_pulls_ok,
+    action_kind,
+    db_exception,
+    throws,
+    app_config,
+    logentry,
+    user,
+):
+    log_args = {
+        "performer": Mock(id="TEST_PERFORMER_ID"),
+        "repository": Mock(id="TEST_REPO"),
+        "ip": "TEST_IP",
+        "metadata": {"test_key": "test_value"},
+        "timestamp": "TEST_TIMESTAMP",
+    }
+    app_config["SERVICE_LOG_ACCOUNT_ID"] = account_id
+    app_config["ALLOW_PULLS_WITHOUT_STRICT_LOGGING"] = unlogged_pulls_ok
 
-  (True,  'pull_repo', PeeweeException, False),
-  (True,  'push_repo', PeeweeException, True ),
-  (True,  'pull_repo', Exception,       True ),
-  (True,  'push_repo', Exception,       True )
-])
-def test_log_action(user_or_org_name, account_id, account, unlogged_pulls_ok, action_kind,
-                      db_exception, throws, app_config, logentry, user):
-  log_args = {
-    'performer'  : Mock(id='TEST_PERFORMER_ID'),
-    'repository' : Mock(id='TEST_REPO'),
-    'ip'         : 'TEST_IP',
-    'metadata'   : { 'test_key' : 'test_value' },
-    'timestamp'  : 'TEST_TIMESTAMP'
-  }
-  app_config['SERVICE_LOG_ACCOUNT_ID'] = account_id
-  app_config['ALLOW_PULLS_WITHOUT_STRICT_LOGGING'] = unlogged_pulls_ok
+    logentry.create.side_effect = db_exception
 
-  logentry.create.side_effect = db_exception
+    if throws:
+        with pytest.raises(db_exception):
+            log_action(action_kind, user_or_org_name, **log_args)
+    else:
+        log_action(action_kind, user_or_org_name, **log_args)
 
-  if throws:
-    with pytest.raises(db_exception):
-      log_action(action_kind, user_or_org_name, **log_args)
-  else:
-    log_action(action_kind, user_or_org_name, **log_args)
-
-  logentry.create.assert_called_once_with(kind=action_kind+'_kind', account=account,
-                                          performer='TEST_PERFORMER_ID', repository='TEST_REPO',
-                                          ip='TEST_IP', metadata_json='{"test_key": "test_value"}',
-                                          datetime='TEST_TIMESTAMP')
+    logentry.create.assert_called_once_with(
+        kind=action_kind + "_kind",
+        account=account,
+        performer="TEST_PERFORMER_ID",
+        repository="TEST_REPO",
+        ip="TEST_IP",
+        metadata_json='{"test_key": "test_value"}',
+        datetime="TEST_TIMESTAMP",
+    )
diff --git a/data/model/test/test_model_blob.py b/data/model/test/test_model_blob.py
index b6053b353..13ed37d51 100644
--- a/data/model/test/test_model_blob.py
+++ b/data/model/test/test_model_blob.py
@@ -3,49 +3,58 @@ from data import model, database
 
 from test.fixtures import *
 
-ADMIN_ACCESS_USER = 'devtable'
-REPO = 'simple'
+ADMIN_ACCESS_USER = "devtable"
+REPO = "simple"
+
 
 def test_store_blob(initialized_db):
-  location = database.ImageStorageLocation.select().get()
+    location = database.ImageStorageLocation.select().get()
 
-  # Create a new blob at a unique digest.
-  digest = 'somecooldigest'
-  blob_storage = model.blob.store_blob_record_and_temp_link(ADMIN_ACCESS_USER, REPO, digest,
-                                                            location, 1024, 0, 5000)
-  assert blob_storage.content_checksum == digest
-  assert blob_storage.image_size == 1024
-  assert blob_storage.uncompressed_size == 5000
+    # Create a new blob at a unique digest.
+    digest = "somecooldigest"
+    blob_storage = model.blob.store_blob_record_and_temp_link(
+        ADMIN_ACCESS_USER, REPO, digest, location, 1024, 0, 5000
+    )
+    assert blob_storage.content_checksum == digest
+    assert blob_storage.image_size == 1024
+    assert blob_storage.uncompressed_size == 5000
 
-  # Link to the same digest.
-  blob_storage2 = model.blob.store_blob_record_and_temp_link(ADMIN_ACCESS_USER, REPO, digest,
-                                                             location, 2048, 0, 6000)
-  assert blob_storage2.id == blob_storage.id
+    # Link to the same digest.
+    blob_storage2 = model.blob.store_blob_record_and_temp_link(
+        ADMIN_ACCESS_USER, REPO, digest, location, 2048, 0, 6000
+    )
+    assert blob_storage2.id == blob_storage.id
 
-  # The sizes should be unchanged.
-  assert blob_storage2.image_size == 1024
-  assert blob_storage2.uncompressed_size == 5000
+    # The sizes should be unchanged.
+    assert blob_storage2.image_size == 1024
+    assert blob_storage2.uncompressed_size == 5000
 
-  # Add a new digest, ensure it has a new record.
-  otherdigest = 'anotherdigest'
-  blob_storage3 = model.blob.store_blob_record_and_temp_link(ADMIN_ACCESS_USER, REPO, otherdigest,
-                                                             location, 1234, 0, 5678)
-  assert blob_storage3.id != blob_storage.id
-  assert blob_storage3.image_size == 1234
-  assert blob_storage3.uncompressed_size == 5678
+    # Add a new digest, ensure it has a new record.
+    otherdigest = "anotherdigest"
+    blob_storage3 = model.blob.store_blob_record_and_temp_link(
+        ADMIN_ACCESS_USER, REPO, otherdigest, location, 1234, 0, 5678
+    )
+    assert blob_storage3.id != blob_storage.id
+    assert blob_storage3.image_size == 1234
+    assert blob_storage3.uncompressed_size == 5678
 
 
 def test_get_or_create_shared_blob(initialized_db):
-  shared = model.blob.get_or_create_shared_blob('sha256:abcdef', 'somecontent', storage)
-  assert shared.content_checksum == 'sha256:abcdef'
+    shared = model.blob.get_or_create_shared_blob(
+        "sha256:abcdef", "somecontent", storage
+    )
+    assert shared.content_checksum == "sha256:abcdef"
 
-  again = model.blob.get_or_create_shared_blob('sha256:abcdef', 'somecontent', storage)
-  assert shared == again
+    again = model.blob.get_or_create_shared_blob(
+        "sha256:abcdef", "somecontent", storage
+    )
+    assert shared == again
 
 
 def test_lookup_repo_storages_by_content_checksum(initialized_db):
-  for image in database.Image.select():
-    found = model.storage.lookup_repo_storages_by_content_checksum(image.repository,
-                                                                   [image.storage.content_checksum])
-    assert len(found) == 1
-    assert found[0].content_checksum == image.storage.content_checksum
+    for image in database.Image.select():
+        found = model.storage.lookup_repo_storages_by_content_checksum(
+            image.repository, [image.storage.content_checksum]
+        )
+        assert len(found) == 1
+        assert found[0].content_checksum == image.storage.content_checksum
diff --git a/data/model/test/test_modelutil.py b/data/model/test/test_modelutil.py
index 5da72be4a..1f2bb1447 100644
--- a/data/model/test/test_modelutil.py
+++ b/data/model/test/test_modelutil.py
@@ -4,47 +4,38 @@ from data.database import Role
 from data.model.modelutil import paginate
 from test.fixtures import *
 
-@pytest.mark.parametrize('page_size', [
-  10,
-  20,
-  50,
-  100,
-  200,
-  500,
-  1000,
-])
-@pytest.mark.parametrize('descending', [
-  False,
-  True,
-])
+
+@pytest.mark.parametrize("page_size", [10, 20, 50, 100, 200, 500, 1000])
+@pytest.mark.parametrize("descending", [False, True])
 def test_paginate(page_size, descending, initialized_db):
-  # Add a bunch of rows into a test table (`Role`).
-  for i in range(0, 522):
-    Role.create(name='testrole%s' % i)
+    # Add a bunch of rows into a test table (`Role`).
+    for i in range(0, 522):
+        Role.create(name="testrole%s" % i)
 
-  query = Role.select().where(Role.name ** 'testrole%')
-  all_matching_roles = list(query)
-  assert len(all_matching_roles) == 522
+    query = Role.select().where(Role.name ** "testrole%")
+    all_matching_roles = list(query)
+    assert len(all_matching_roles) == 522
 
-  # Paginate a query to lookup roles.
-  collected = []
-  page_token = None
-  while True:
-    results, page_token = paginate(query, Role, limit=page_size, descending=descending,
-                                   page_token=page_token)
-    assert len(results) <= page_size
-    collected.extend(results)
+    # Paginate a query to lookup roles.
+    collected = []
+    page_token = None
+    while True:
+        results, page_token = paginate(
+            query, Role, limit=page_size, descending=descending, page_token=page_token
+        )
+        assert len(results) <= page_size
+        collected.extend(results)
 
-    if page_token is None:
-      break
+        if page_token is None:
+            break
 
-    assert len(results) == page_size
+        assert len(results) == page_size
 
-    for index, result in enumerate(results[1:]):
-      if descending:
-        assert result.id < results[index].id
-      else:
-        assert result.id > results[index].id
+        for index, result in enumerate(results[1:]):
+            if descending:
+                assert result.id < results[index].id
+            else:
+                assert result.id > results[index].id
 
-  assert len(collected) == len(all_matching_roles)
-  assert {c.id for c in collected} == {a.id for a in all_matching_roles}
+    assert len(collected) == len(all_matching_roles)
+    assert {c.id for c in collected} == {a.id for a in all_matching_roles}
diff --git a/data/model/test/test_organization.py b/data/model/test/test_organization.py
index 153814765..3c0a11c75 100644
--- a/data/model/test/test_organization.py
+++ b/data/model/test/test_organization.py
@@ -5,18 +5,16 @@ from data.model.user import mark_namespace_for_deletion
 from data.queue import WorkQueue
 from test.fixtures import *
 
-@pytest.mark.parametrize('deleted', [
-  (True),
-  (False),
-])
+
+@pytest.mark.parametrize("deleted", [(True), (False)])
 def test_get_organizations(deleted, initialized_db):
-  # Delete an org.
-  deleted_org = get_organization('sellnsmall')
-  queue = WorkQueue('testgcnamespace', lambda db: db.transaction())
-  mark_namespace_for_deletion(deleted_org, [], queue)
+    # Delete an org.
+    deleted_org = get_organization("sellnsmall")
+    queue = WorkQueue("testgcnamespace", lambda db: db.transaction())
+    mark_namespace_for_deletion(deleted_org, [], queue)
 
-  orgs = get_organizations(deleted=deleted)
-  assert orgs
+    orgs = get_organizations(deleted=deleted)
+    assert orgs
 
-  deleted_found = [org for org in orgs if org.id == deleted_org.id]
-  assert bool(deleted_found) == deleted
+    deleted_found = [org for org in orgs if org.id == deleted_org.id]
+    assert bool(deleted_found) == deleted
diff --git a/data/model/test/test_repo_mirroring.py b/data/model/test/test_repo_mirroring.py
index 6a3f808e3..a05696a3a 100644
--- a/data/model/test/test_repo_mirroring.py
+++ b/data/model/test/test_repo_mirroring.py
@@ -4,232 +4,265 @@ from jsonschema import ValidationError
 
 from data.database import RepoMirrorConfig, RepoMirrorStatus, User
 from data import model
-from data.model.repo_mirror import (create_mirroring_rule, get_eligible_mirrors, update_sync_status_to_cancel,
-                                    MAX_SYNC_RETRIES, release_mirror)
+from data.model.repo_mirror import (
+    create_mirroring_rule,
+    get_eligible_mirrors,
+    update_sync_status_to_cancel,
+    MAX_SYNC_RETRIES,
+    release_mirror,
+)
 
 from test.fixtures import *
 
 
 def create_mirror_repo_robot(rules, repo_name="repo"):
-  try:
-    user = User.get(User.username == "mirror")
-  except User.DoesNotExist:
-    user = create_user_noverify("mirror", "mirror@example.com", email_required=False)
+    try:
+        user = User.get(User.username == "mirror")
+    except User.DoesNotExist:
+        user = create_user_noverify(
+            "mirror", "mirror@example.com", email_required=False
+        )
 
-  try:
-    robot = lookup_robot("mirror+robot")
-  except model.InvalidRobotException:
-    robot, _ = create_robot("robot", user)
+    try:
+        robot = lookup_robot("mirror+robot")
+    except model.InvalidRobotException:
+        robot, _ = create_robot("robot", user)
 
-  repo = create_repository("mirror", repo_name, None, repo_kind="image", visibility="public")
-  repo.save()
+    repo = create_repository(
+        "mirror", repo_name, None, repo_kind="image", visibility="public"
+    )
+    repo.save()
 
-  rule = model.repo_mirror.create_mirroring_rule(repo, rules)
+    rule = model.repo_mirror.create_mirroring_rule(repo, rules)
 
-  mirror_kwargs = {
-    "repository": repo,
-    "root_rule": rule,
-    "internal_robot": robot,
-    "external_reference": "registry.example.com/namespace/repository",
-    "sync_interval": timedelta(days=1).total_seconds()
-  }
-  mirror = enable_mirroring_for_repository(**mirror_kwargs)
-  mirror.sync_status = RepoMirrorStatus.NEVER_RUN
-  mirror.sync_start_date = datetime.utcnow() - timedelta(days=1)
-  mirror.sync_retries_remaining = 3
-  mirror.save()
+    mirror_kwargs = {
+        "repository": repo,
+        "root_rule": rule,
+        "internal_robot": robot,
+        "external_reference": "registry.example.com/namespace/repository",
+        "sync_interval": timedelta(days=1).total_seconds(),
+    }
+    mirror = enable_mirroring_for_repository(**mirror_kwargs)
+    mirror.sync_status = RepoMirrorStatus.NEVER_RUN
+    mirror.sync_start_date = datetime.utcnow() - timedelta(days=1)
+    mirror.sync_retries_remaining = 3
+    mirror.save()
 
-  return (mirror, repo)
+    return (mirror, repo)
 
 
 def disable_existing_mirrors():
-  mirrors = RepoMirrorConfig.select().execute()
-  for mirror in mirrors:
-    mirror.is_enabled = False
-    mirror.save()
+    mirrors = RepoMirrorConfig.select().execute()
+    for mirror in mirrors:
+        mirror.is_enabled = False
+        mirror.save()
 
 
 def test_eligible_oldest_first(initialized_db):
-  """
+    """
   Eligible mirror candidates should be returned with the oldest (earliest created) first.
   """
 
-  disable_existing_mirrors()
-  mirror_first, repo_first = create_mirror_repo_robot(["updated", "created"], repo_name="first")
-  mirror_second, repo_second = create_mirror_repo_robot(["updated", "created"], repo_name="second")
-  mirror_third, repo_third = create_mirror_repo_robot(["updated", "created"], repo_name="third")
+    disable_existing_mirrors()
+    mirror_first, repo_first = create_mirror_repo_robot(
+        ["updated", "created"], repo_name="first"
+    )
+    mirror_second, repo_second = create_mirror_repo_robot(
+        ["updated", "created"], repo_name="second"
+    )
+    mirror_third, repo_third = create_mirror_repo_robot(
+        ["updated", "created"], repo_name="third"
+    )
 
-  candidates = get_eligible_mirrors()
+    candidates = get_eligible_mirrors()
 
-  assert len(candidates) == 3
-  assert candidates[0] == mirror_first
-  assert candidates[1] == mirror_second
-  assert candidates[2] == mirror_third
+    assert len(candidates) == 3
+    assert candidates[0] == mirror_first
+    assert candidates[1] == mirror_second
+    assert candidates[2] == mirror_third
 
 
 def test_eligible_includes_expired_syncing(initialized_db):
-  """
+    """
   Mirrors that have an end time in the past are eligible even if their state indicates still syncing.
   """
 
-  disable_existing_mirrors()
-  mirror_first, repo_first = create_mirror_repo_robot(["updated", "created"], repo_name="first")
-  mirror_second, repo_second = create_mirror_repo_robot(["updated", "created"], repo_name="second")
-  mirror_third, repo_third = create_mirror_repo_robot(["updated", "created"], repo_name="third")
-  mirror_fourth, repo_third = create_mirror_repo_robot(["updated", "created"], repo_name="fourth")
+    disable_existing_mirrors()
+    mirror_first, repo_first = create_mirror_repo_robot(
+        ["updated", "created"], repo_name="first"
+    )
+    mirror_second, repo_second = create_mirror_repo_robot(
+        ["updated", "created"], repo_name="second"
+    )
+    mirror_third, repo_third = create_mirror_repo_robot(
+        ["updated", "created"], repo_name="third"
+    )
+    mirror_fourth, repo_third = create_mirror_repo_robot(
+        ["updated", "created"], repo_name="fourth"
+    )
 
-  mirror_second.sync_expiration_date = datetime.utcnow() - timedelta(hours=1)
-  mirror_second.sync_status = RepoMirrorStatus.SYNCING
-  mirror_second.save()
+    mirror_second.sync_expiration_date = datetime.utcnow() - timedelta(hours=1)
+    mirror_second.sync_status = RepoMirrorStatus.SYNCING
+    mirror_second.save()
 
-  mirror_fourth.sync_expiration_date = datetime.utcnow() + timedelta(hours=1)
-  mirror_fourth.sync_status = RepoMirrorStatus.SYNCING
-  mirror_fourth.save()
+    mirror_fourth.sync_expiration_date = datetime.utcnow() + timedelta(hours=1)
+    mirror_fourth.sync_status = RepoMirrorStatus.SYNCING
+    mirror_fourth.save()
 
-  candidates = get_eligible_mirrors()
+    candidates = get_eligible_mirrors()
 
-  assert len(candidates) == 3
-  assert candidates[0] == mirror_first
-  assert candidates[1] == mirror_second
-  assert candidates[2] == mirror_third
+    assert len(candidates) == 3
+    assert candidates[0] == mirror_first
+    assert candidates[1] == mirror_second
+    assert candidates[2] == mirror_third
 
 
 def test_eligible_includes_immediate(initialized_db):
-  """
+    """
   Mirrors that are SYNC_NOW, regardless of starting time
   """
 
-  disable_existing_mirrors()
-  mirror_first, repo_first = create_mirror_repo_robot(["updated", "created"], repo_name="first")
-  mirror_second, repo_second = create_mirror_repo_robot(["updated", "created"], repo_name="second")
-  mirror_third, repo_third = create_mirror_repo_robot(["updated", "created"], repo_name="third")
-  mirror_fourth, repo_third = create_mirror_repo_robot(["updated", "created"], repo_name="fourth")
-  mirror_future, _ = create_mirror_repo_robot(["updated", "created"], repo_name="future")
-  mirror_past, _ = create_mirror_repo_robot(["updated", "created"], repo_name="past")
+    disable_existing_mirrors()
+    mirror_first, repo_first = create_mirror_repo_robot(
+        ["updated", "created"], repo_name="first"
+    )
+    mirror_second, repo_second = create_mirror_repo_robot(
+        ["updated", "created"], repo_name="second"
+    )
+    mirror_third, repo_third = create_mirror_repo_robot(
+        ["updated", "created"], repo_name="third"
+    )
+    mirror_fourth, repo_third = create_mirror_repo_robot(
+        ["updated", "created"], repo_name="fourth"
+    )
+    mirror_future, _ = create_mirror_repo_robot(
+        ["updated", "created"], repo_name="future"
+    )
+    mirror_past, _ = create_mirror_repo_robot(["updated", "created"], repo_name="past")
 
-  mirror_future.sync_start_date = datetime.utcnow() + timedelta(hours=6)
-  mirror_future.sync_status = RepoMirrorStatus.SYNC_NOW
-  mirror_future.save()
+    mirror_future.sync_start_date = datetime.utcnow() + timedelta(hours=6)
+    mirror_future.sync_status = RepoMirrorStatus.SYNC_NOW
+    mirror_future.save()
 
-  mirror_past.sync_start_date = datetime.utcnow() - timedelta(hours=6)
-  mirror_past.sync_status = RepoMirrorStatus.SYNC_NOW
-  mirror_past.save()
+    mirror_past.sync_start_date = datetime.utcnow() - timedelta(hours=6)
+    mirror_past.sync_status = RepoMirrorStatus.SYNC_NOW
+    mirror_past.save()
 
-  mirror_fourth.sync_expiration_date = datetime.utcnow() + timedelta(hours=1)
-  mirror_fourth.sync_status = RepoMirrorStatus.SYNCING
-  mirror_fourth.save()
+    mirror_fourth.sync_expiration_date = datetime.utcnow() + timedelta(hours=1)
+    mirror_fourth.sync_status = RepoMirrorStatus.SYNCING
+    mirror_fourth.save()
 
-  candidates = get_eligible_mirrors()
+    candidates = get_eligible_mirrors()
 
-  assert len(candidates) == 5
-  assert candidates[0] == mirror_first
-  assert candidates[1] == mirror_second
-  assert candidates[2] == mirror_third
-  assert candidates[3] == mirror_past
-  assert candidates[4] == mirror_future
+    assert len(candidates) == 5
+    assert candidates[0] == mirror_first
+    assert candidates[1] == mirror_second
+    assert candidates[2] == mirror_third
+    assert candidates[3] == mirror_past
+    assert candidates[4] == mirror_future
 
 
 def test_create_rule_validations(initialized_db):
-  mirror, repo = create_mirror_repo_robot(["updated", "created"], repo_name="first")
+    mirror, repo = create_mirror_repo_robot(["updated", "created"], repo_name="first")
 
-  with pytest.raises(ValidationError):
-    create_mirroring_rule(repo, None)
+    with pytest.raises(ValidationError):
+        create_mirroring_rule(repo, None)
 
-  with pytest.raises(ValidationError):
-    create_mirroring_rule(repo, "['tag1', 'tag2']")
+    with pytest.raises(ValidationError):
+        create_mirroring_rule(repo, "['tag1', 'tag2']")
 
-  with pytest.raises(ValidationError):
-    create_mirroring_rule(repo, ['tag1', 'tag2'], rule_type=None)
+    with pytest.raises(ValidationError):
+        create_mirroring_rule(repo, ["tag1", "tag2"], rule_type=None)
 
 
 def test_long_registry_passwords(initialized_db):
-  """
+    """
   Verify that long passwords, such as Base64 JWT used by Redhat's Registry, work as expected.
   """
-  MAX_PASSWORD_LENGTH = 1024
+    MAX_PASSWORD_LENGTH = 1024
 
-  username = ''.join('a' for _ in range(MAX_PASSWORD_LENGTH))
-  password = ''.join('b' for _ in range(MAX_PASSWORD_LENGTH))
-  assert len(username) == MAX_PASSWORD_LENGTH
-  assert len(password) == MAX_PASSWORD_LENGTH
+    username = "".join("a" for _ in range(MAX_PASSWORD_LENGTH))
+    password = "".join("b" for _ in range(MAX_PASSWORD_LENGTH))
+    assert len(username) == MAX_PASSWORD_LENGTH
+    assert len(password) == MAX_PASSWORD_LENGTH
 
-  repo = model.repository.get_repository('devtable', 'mirrored')
-  assert repo
+    repo = model.repository.get_repository("devtable", "mirrored")
+    assert repo
 
-  existing_mirror_conf = model.repo_mirror.get_mirror(repo)
-  assert existing_mirror_conf
+    existing_mirror_conf = model.repo_mirror.get_mirror(repo)
+    assert existing_mirror_conf
 
-  assert model.repo_mirror.change_credentials(repo, username, password)
+    assert model.repo_mirror.change_credentials(repo, username, password)
 
-  updated_mirror_conf = model.repo_mirror.get_mirror(repo)
-  assert updated_mirror_conf
+    updated_mirror_conf = model.repo_mirror.get_mirror(repo)
+    assert updated_mirror_conf
 
-  assert updated_mirror_conf.external_registry_username.decrypt() == username
-  assert updated_mirror_conf.external_registry_password.decrypt() == password
+    assert updated_mirror_conf.external_registry_username.decrypt() == username
+    assert updated_mirror_conf.external_registry_password.decrypt() == password
 
 
 def test_sync_status_to_cancel(initialized_db):
-  """
+    """
   SYNCING and SYNC_NOW mirrors may be canceled, ending in NEVER_RUN
   """
 
-  disable_existing_mirrors()
-  mirror, repo = create_mirror_repo_robot(["updated", "created"], repo_name="cancel")
+    disable_existing_mirrors()
+    mirror, repo = create_mirror_repo_robot(["updated", "created"], repo_name="cancel")
 
-  mirror.sync_status = RepoMirrorStatus.SYNCING
-  mirror.save()
-  updated = update_sync_status_to_cancel(mirror)
-  assert updated is not None
-  assert updated.sync_status == RepoMirrorStatus.NEVER_RUN
+    mirror.sync_status = RepoMirrorStatus.SYNCING
+    mirror.save()
+    updated = update_sync_status_to_cancel(mirror)
+    assert updated is not None
+    assert updated.sync_status == RepoMirrorStatus.NEVER_RUN
 
-  mirror.sync_status = RepoMirrorStatus.SYNC_NOW
-  mirror.save()
-  updated = update_sync_status_to_cancel(mirror)
-  assert updated is not None
-  assert updated.sync_status == RepoMirrorStatus.NEVER_RUN
+    mirror.sync_status = RepoMirrorStatus.SYNC_NOW
+    mirror.save()
+    updated = update_sync_status_to_cancel(mirror)
+    assert updated is not None
+    assert updated.sync_status == RepoMirrorStatus.NEVER_RUN
 
-  mirror.sync_status = RepoMirrorStatus.FAIL
-  mirror.save()
-  updated = update_sync_status_to_cancel(mirror)
-  assert updated is None
+    mirror.sync_status = RepoMirrorStatus.FAIL
+    mirror.save()
+    updated = update_sync_status_to_cancel(mirror)
+    assert updated is None
 
-  mirror.sync_status = RepoMirrorStatus.NEVER_RUN
-  mirror.save()
-  updated = update_sync_status_to_cancel(mirror)
-  assert updated is None
+    mirror.sync_status = RepoMirrorStatus.NEVER_RUN
+    mirror.save()
+    updated = update_sync_status_to_cancel(mirror)
+    assert updated is None
 
-  mirror.sync_status = RepoMirrorStatus.SUCCESS
-  mirror.save()
-  updated = update_sync_status_to_cancel(mirror)
-  assert updated is None
+    mirror.sync_status = RepoMirrorStatus.SUCCESS
+    mirror.save()
+    updated = update_sync_status_to_cancel(mirror)
+    assert updated is None
 
 
 def test_release_mirror(initialized_db):
-  """
+    """
   Mirrors that are SYNC_NOW, regardless of starting time
   """
 
-  disable_existing_mirrors()
-  mirror, repo = create_mirror_repo_robot(["updated", "created"], repo_name="first")
+    disable_existing_mirrors()
+    mirror, repo = create_mirror_repo_robot(["updated", "created"], repo_name="first")
 
-  # mysql rounds the milliseconds on update so force that to happen now
-  query = (RepoMirrorConfig
-           .update(sync_start_date=mirror.sync_start_date)
-           .where(RepoMirrorConfig.id == mirror.id))
-  query.execute()
-  mirror = RepoMirrorConfig.get_by_id(mirror.id)
-  original_sync_start_date = mirror.sync_start_date
+    # mysql rounds the milliseconds on update so force that to happen now
+    query = RepoMirrorConfig.update(sync_start_date=mirror.sync_start_date).where(
+        RepoMirrorConfig.id == mirror.id
+    )
+    query.execute()
+    mirror = RepoMirrorConfig.get_by_id(mirror.id)
+    original_sync_start_date = mirror.sync_start_date
 
-  assert mirror.sync_retries_remaining == 3
+    assert mirror.sync_retries_remaining == 3
 
-  mirror = release_mirror(mirror, RepoMirrorStatus.FAIL)
-  assert mirror.sync_retries_remaining == 2
-  assert mirror.sync_start_date == original_sync_start_date
+    mirror = release_mirror(mirror, RepoMirrorStatus.FAIL)
+    assert mirror.sync_retries_remaining == 2
+    assert mirror.sync_start_date == original_sync_start_date
 
-  mirror = release_mirror(mirror, RepoMirrorStatus.FAIL)
-  assert mirror.sync_retries_remaining == 1
-  assert mirror.sync_start_date == original_sync_start_date
+    mirror = release_mirror(mirror, RepoMirrorStatus.FAIL)
+    assert mirror.sync_retries_remaining == 1
+    assert mirror.sync_start_date == original_sync_start_date
 
-  mirror = release_mirror(mirror, RepoMirrorStatus.FAIL)
-  assert mirror.sync_retries_remaining == 3
-  assert mirror.sync_start_date > original_sync_start_date
+    mirror = release_mirror(mirror, RepoMirrorStatus.FAIL)
+    assert mirror.sync_retries_remaining == 3
+    assert mirror.sync_start_date > original_sync_start_date
diff --git a/data/model/test/test_repository.py b/data/model/test/test_repository.py
index 25e8b7cf2..4ef87f287 100644
--- a/data/model/test/test_repository.py
+++ b/data/model/test/test_repository.py
@@ -11,39 +11,46 @@ from test.fixtures import *
 
 
 def test_duplicate_repository_different_kinds(initialized_db):
-  # Create an image repo.
-  create_repository('devtable', 'somenewrepo', None, repo_kind='image')
+    # Create an image repo.
+    create_repository("devtable", "somenewrepo", None, repo_kind="image")
 
-  # Try to create an app repo with the same name, which should fail.
-  with pytest.raises(IntegrityError):
-    create_repository('devtable', 'somenewrepo', None, repo_kind='application')
+    # Try to create an app repo with the same name, which should fail.
+    with pytest.raises(IntegrityError):
+        create_repository("devtable", "somenewrepo", None, repo_kind="application")
 
 
 def test_is_empty(initialized_db):
-  create_repository('devtable', 'somenewrepo', None, repo_kind='image')
+    create_repository("devtable", "somenewrepo", None, repo_kind="image")
 
-  assert is_empty('devtable', 'somenewrepo')
-  assert not is_empty('devtable', 'simple')
+    assert is_empty("devtable", "somenewrepo")
+    assert not is_empty("devtable", "simple")
 
-@pytest.mark.skipif(os.environ.get('TEST_DATABASE_URI', '').find('mysql') >= 0, 
-                    reason='MySQL requires specialized indexing of newly created repos')
-@pytest.mark.parametrize('query', [
-  (''),
-  ('e'),
-])
-@pytest.mark.parametrize('authed_username', [
-  (None),
-  ('devtable'),
-])
+
+@pytest.mark.skipif(
+    os.environ.get("TEST_DATABASE_URI", "").find("mysql") >= 0,
+    reason="MySQL requires specialized indexing of newly created repos",
+)
+@pytest.mark.parametrize("query", [(""), ("e")])
+@pytest.mark.parametrize("authed_username", [(None), ("devtable")])
 def test_search_pagination(query, authed_username, initialized_db):
-  # Create some public repos.
-  repo1 = create_repository('devtable', 'somenewrepo', None, repo_kind='image', visibility='public')
-  repo2 = create_repository('devtable', 'somenewrepo2', None, repo_kind='image', visibility='public')
-  repo3 = create_repository('devtable', 'somenewrepo3', None, repo_kind='image', visibility='public')
+    # Create some public repos.
+    repo1 = create_repository(
+        "devtable", "somenewrepo", None, repo_kind="image", visibility="public"
+    )
+    repo2 = create_repository(
+        "devtable", "somenewrepo2", None, repo_kind="image", visibility="public"
+    )
+    repo3 = create_repository(
+        "devtable", "somenewrepo3", None, repo_kind="image", visibility="public"
+    )
 
-  repositories = get_filtered_matching_repositories(query, filter_username=authed_username)
-  assert len(repositories) > 3
+    repositories = get_filtered_matching_repositories(
+        query, filter_username=authed_username
+    )
+    assert len(repositories) > 3
 
-  next_repos = get_filtered_matching_repositories(query, filter_username=authed_username, offset=1)
-  assert repositories[0].id != next_repos[0].id
-  assert repositories[1].id == next_repos[0].id
+    next_repos = get_filtered_matching_repositories(
+        query, filter_username=authed_username, offset=1
+    )
+    assert repositories[0].id != next_repos[0].id
+    assert repositories[1].id == next_repos[0].id
diff --git a/data/model/test/test_repositoryactioncount.py b/data/model/test/test_repositoryactioncount.py
index bdad4e315..7433109d4 100644
--- a/data/model/test/test_repositoryactioncount.py
+++ b/data/model/test/test_repositoryactioncount.py
@@ -7,32 +7,37 @@ from data.model.repository import create_repository
 from data.model.repositoryactioncount import update_repository_score, SEARCH_BUCKETS
 from test.fixtures import *
 
-@pytest.mark.parametrize('bucket_sums,expected_score', [
-  ((0, 0, 0, 0), 0),
 
-  ((1, 6, 24, 152), 100),
-  ((2, 6, 24, 152), 101),
-  ((1, 6, 24, 304), 171),
-
-  ((100, 480, 24, 152), 703),
-  ((1, 6, 24, 15200), 7131),
-
-  ((300, 500, 1000, 0), 1733),
-  ((5000, 0, 0, 0), 5434),
-])
+@pytest.mark.parametrize(
+    "bucket_sums,expected_score",
+    [
+        ((0, 0, 0, 0), 0),
+        ((1, 6, 24, 152), 100),
+        ((2, 6, 24, 152), 101),
+        ((1, 6, 24, 304), 171),
+        ((100, 480, 24, 152), 703),
+        ((1, 6, 24, 15200), 7131),
+        ((300, 500, 1000, 0), 1733),
+        ((5000, 0, 0, 0), 5434),
+    ],
+)
 def test_update_repository_score(bucket_sums, expected_score, initialized_db):
-  # Create a new repository.
-  repo = create_repository('devtable', 'somenewrepo', None, repo_kind='image')
+    # Create a new repository.
+    repo = create_repository("devtable", "somenewrepo", None, repo_kind="image")
 
-  # Delete the RAC created in create_repository.
-  RepositoryActionCount.delete().where(RepositoryActionCount.repository == repo).execute()
+    # Delete the RAC created in create_repository.
+    RepositoryActionCount.delete().where(
+        RepositoryActionCount.repository == repo
+    ).execute()
 
-  # Add RAC rows for each of the buckets.
-  for index, bucket in enumerate(SEARCH_BUCKETS):
-    for day in range(0, bucket.days):
-      RepositoryActionCount.create(repository=repo,
-                                   count=(bucket_sums[index] / bucket.days * 1.0),
-                                   date=date.today() - bucket.delta + timedelta(days=day))
+    # Add RAC rows for each of the buckets.
+    for index, bucket in enumerate(SEARCH_BUCKETS):
+        for day in range(0, bucket.days):
+            RepositoryActionCount.create(
+                repository=repo,
+                count=(bucket_sums[index] / bucket.days * 1.0),
+                date=date.today() - bucket.delta + timedelta(days=day),
+            )
 
-  assert update_repository_score(repo)
-  assert RepositorySearchScore.get(repository=repo).score == expected_score
+    assert update_repository_score(repo)
+    assert RepositorySearchScore.get(repository=repo).score == expected_score
diff --git a/data/model/test/test_tag.py b/data/model/test/test_tag.py
index 2f5adf773..75f53023e 100644
--- a/data/model/test/test_tag.py
+++ b/data/model/test/test_tag.py
@@ -8,14 +8,34 @@ import pytest
 from mock import patch
 
 from app import docker_v2_signing_key
-from data.database import (Image, RepositoryTag, ImageStorage, Repository, Manifest, ManifestBlob,
-                           ManifestLegacyImage, TagManifestToManifest, Tag, TagToRepositoryTag)
+from data.database import (
+    Image,
+    RepositoryTag,
+    ImageStorage,
+    Repository,
+    Manifest,
+    ManifestBlob,
+    ManifestLegacyImage,
+    TagManifestToManifest,
+    Tag,
+    TagToRepositoryTag,
+)
 from data.model.repository import create_repository
-from data.model.tag import (list_active_repo_tags, create_or_update_tag, delete_tag,
-                            get_matching_tags, _tag_alive, get_matching_tags_for_images,
-                            change_tag_expiration, get_active_tag, store_tag_manifest_for_testing,
-                            get_most_recent_tag, get_active_tag_for_repo,
-                            create_or_update_tag_for_repo, set_tag_end_ts)
+from data.model.tag import (
+    list_active_repo_tags,
+    create_or_update_tag,
+    delete_tag,
+    get_matching_tags,
+    _tag_alive,
+    get_matching_tags_for_images,
+    change_tag_expiration,
+    get_active_tag,
+    store_tag_manifest_for_testing,
+    get_most_recent_tag,
+    get_active_tag_for_repo,
+    create_or_update_tag_for_repo,
+    set_tag_end_ts,
+)
 from data.model.image import find_create_or_link_image
 from image.docker.schema1 import DockerSchema1ManifestBuilder
 from util.timedeltastring import convert_to_timedelta
@@ -24,333 +44,369 @@ from test.fixtures import *
 
 
 def _get_expected_tags(image):
-  expected_query = (RepositoryTag
-                    .select()
-                    .join(Image)
-                    .where(RepositoryTag.hidden == False)
-                    .where((Image.id == image.id) | (Image.ancestors ** ('%%/%s/%%' % image.id))))
-  return set([tag.id for tag in _tag_alive(expected_query)])
+    expected_query = (
+        RepositoryTag.select()
+        .join(Image)
+        .where(RepositoryTag.hidden == False)
+        .where((Image.id == image.id) | (Image.ancestors ** ("%%/%s/%%" % image.id)))
+    )
+    return set([tag.id for tag in _tag_alive(expected_query)])
 
 
-@pytest.mark.parametrize('max_subqueries,max_image_lookup_count', [
-  (1, 1),
-  (10, 10),
-  (100, 500),
-])
+@pytest.mark.parametrize(
+    "max_subqueries,max_image_lookup_count", [(1, 1), (10, 10), (100, 500)]
+)
 def test_get_matching_tags(max_subqueries, max_image_lookup_count, initialized_db):
-  with patch('data.model.tag._MAX_SUB_QUERIES', max_subqueries):
-    with patch('data.model.tag._MAX_IMAGE_LOOKUP_COUNT', max_image_lookup_count):
-      # Test for every image in the test database.
-      for image in Image.select(Image, ImageStorage).join(ImageStorage):
-        matching_query = get_matching_tags(image.docker_image_id, image.storage.uuid)
-        matching_tags = set([tag.id for tag in matching_query])
-        expected_tags = _get_expected_tags(image)
-        assert matching_tags == expected_tags, "mismatch for image %s" % image.id
+    with patch("data.model.tag._MAX_SUB_QUERIES", max_subqueries):
+        with patch("data.model.tag._MAX_IMAGE_LOOKUP_COUNT", max_image_lookup_count):
+            # Test for every image in the test database.
+            for image in Image.select(Image, ImageStorage).join(ImageStorage):
+                matching_query = get_matching_tags(
+                    image.docker_image_id, image.storage.uuid
+                )
+                matching_tags = set([tag.id for tag in matching_query])
+                expected_tags = _get_expected_tags(image)
+                assert matching_tags == expected_tags, (
+                    "mismatch for image %s" % image.id
+                )
 
-        oci_tags = list(Tag
-                        .select()
-                        .join(TagToRepositoryTag)
-                        .where(TagToRepositoryTag.repository_tag << expected_tags))
-        assert len(oci_tags) == len(expected_tags)        
+                oci_tags = list(
+                    Tag.select()
+                    .join(TagToRepositoryTag)
+                    .where(TagToRepositoryTag.repository_tag << expected_tags)
+                )
+                assert len(oci_tags) == len(expected_tags)
 
 
-@pytest.mark.parametrize('max_subqueries,max_image_lookup_count', [
-  (1, 1),
-  (10, 10),
-  (100, 500),
-])
-def test_get_matching_tag_ids_for_images(max_subqueries, max_image_lookup_count, initialized_db):
-  with patch('data.model.tag._MAX_SUB_QUERIES', max_subqueries):
-    with patch('data.model.tag._MAX_IMAGE_LOOKUP_COUNT', max_image_lookup_count):
-      # Try for various sets of the first N images.
-      for count in [5, 10, 15]:
-        pairs = []
-        expected_tags_ids = set()
-        for image in Image.select(Image, ImageStorage).join(ImageStorage):
-          if len(pairs) >= count:
-            break
+@pytest.mark.parametrize(
+    "max_subqueries,max_image_lookup_count", [(1, 1), (10, 10), (100, 500)]
+)
+def test_get_matching_tag_ids_for_images(
+    max_subqueries, max_image_lookup_count, initialized_db
+):
+    with patch("data.model.tag._MAX_SUB_QUERIES", max_subqueries):
+        with patch("data.model.tag._MAX_IMAGE_LOOKUP_COUNT", max_image_lookup_count):
+            # Try for various sets of the first N images.
+            for count in [5, 10, 15]:
+                pairs = []
+                expected_tags_ids = set()
+                for image in Image.select(Image, ImageStorage).join(ImageStorage):
+                    if len(pairs) >= count:
+                        break
 
-          pairs.append((image.docker_image_id, image.storage.uuid))
-          expected_tags_ids.update(_get_expected_tags(image))
+                    pairs.append((image.docker_image_id, image.storage.uuid))
+                    expected_tags_ids.update(_get_expected_tags(image))
 
-        matching_tags_ids = set([tag.id for tag in get_matching_tags_for_images(pairs)])
-        assert matching_tags_ids == expected_tags_ids
+                matching_tags_ids = set(
+                    [tag.id for tag in get_matching_tags_for_images(pairs)]
+                )
+                assert matching_tags_ids == expected_tags_ids
 
 
-@pytest.mark.parametrize('max_subqueries,max_image_lookup_count', [
-  (1, 1),
-  (10, 10),
-  (100, 500),
-])
-def test_get_matching_tag_ids_for_all_images(max_subqueries, max_image_lookup_count, initialized_db):
-  with patch('data.model.tag._MAX_SUB_QUERIES', max_subqueries):
-    with patch('data.model.tag._MAX_IMAGE_LOOKUP_COUNT', max_image_lookup_count):
-      pairs = []
-      for image in Image.select(Image, ImageStorage).join(ImageStorage):
-        pairs.append((image.docker_image_id, image.storage.uuid))
+@pytest.mark.parametrize(
+    "max_subqueries,max_image_lookup_count", [(1, 1), (10, 10), (100, 500)]
+)
+def test_get_matching_tag_ids_for_all_images(
+    max_subqueries, max_image_lookup_count, initialized_db
+):
+    with patch("data.model.tag._MAX_SUB_QUERIES", max_subqueries):
+        with patch("data.model.tag._MAX_IMAGE_LOOKUP_COUNT", max_image_lookup_count):
+            pairs = []
+            for image in Image.select(Image, ImageStorage).join(ImageStorage):
+                pairs.append((image.docker_image_id, image.storage.uuid))
 
-      expected_tags_ids = set([tag.id for tag in _tag_alive(RepositoryTag.select())])
-      matching_tags_ids = set([tag.id for tag in get_matching_tags_for_images(pairs)])
+            expected_tags_ids = set(
+                [tag.id for tag in _tag_alive(RepositoryTag.select())]
+            )
+            matching_tags_ids = set(
+                [tag.id for tag in get_matching_tags_for_images(pairs)]
+            )
 
-      # Ensure every alive tag was found.
-      assert matching_tags_ids == expected_tags_ids
+            # Ensure every alive tag was found.
+            assert matching_tags_ids == expected_tags_ids
 
 
 def test_get_matching_tag_ids_images_filtered(initialized_db):
-  def filter_query(query):
-    return query.join(Repository).where(Repository.name == 'simple')
+    def filter_query(query):
+        return query.join(Repository).where(Repository.name == "simple")
 
-  filtered_images = filter_query(Image
-                                 .select(Image, ImageStorage)
-                                 .join(RepositoryTag)
-                                 .switch(Image)
-                                 .join(ImageStorage)
-                                 .switch(Image))
+    filtered_images = filter_query(
+        Image.select(Image, ImageStorage)
+        .join(RepositoryTag)
+        .switch(Image)
+        .join(ImageStorage)
+        .switch(Image)
+    )
 
-  expected_tags_query = _tag_alive(filter_query(RepositoryTag
-                                                .select()))
+    expected_tags_query = _tag_alive(filter_query(RepositoryTag.select()))
 
-  pairs = []
-  for image in filtered_images:
-    pairs.append((image.docker_image_id, image.storage.uuid))
+    pairs = []
+    for image in filtered_images:
+        pairs.append((image.docker_image_id, image.storage.uuid))
 
-  matching_tags = get_matching_tags_for_images(pairs, filter_images=filter_query,
-                                               filter_tags=filter_query)
+    matching_tags = get_matching_tags_for_images(
+        pairs, filter_images=filter_query, filter_tags=filter_query
+    )
 
-  expected_tag_ids = set([tag.id for tag in expected_tags_query])
-  matching_tags_ids = set([tag.id for tag in matching_tags])
+    expected_tag_ids = set([tag.id for tag in expected_tags_query])
+    matching_tags_ids = set([tag.id for tag in matching_tags])
 
-  # Ensure every alive tag was found.
-  assert matching_tags_ids == expected_tag_ids
+    # Ensure every alive tag was found.
+    assert matching_tags_ids == expected_tag_ids
 
 
 def _get_oci_tag(tag):
-  return (Tag
-          .select()
-          .join(TagToRepositoryTag)
-          .where(TagToRepositoryTag.repository_tag == tag)).get()
+    return (
+        Tag.select()
+        .join(TagToRepositoryTag)
+        .where(TagToRepositoryTag.repository_tag == tag)
+    ).get()
 
 
 def assert_tags(repository, *args):
-  tags = list(list_active_repo_tags(repository))
-  assert len(tags) == len(args)
+    tags = list(list_active_repo_tags(repository))
+    assert len(tags) == len(args)
 
-  tags_dict = {}
-  for tag in tags:
-    assert not tag.name in tags_dict
-    assert not tag.hidden
-    assert not tag.lifetime_end_ts or tag.lifetime_end_ts > time()
+    tags_dict = {}
+    for tag in tags:
+        assert not tag.name in tags_dict
+        assert not tag.hidden
+        assert not tag.lifetime_end_ts or tag.lifetime_end_ts > time()
 
-    tags_dict[tag.name] = tag
+        tags_dict[tag.name] = tag
 
-    oci_tag = _get_oci_tag(tag)
-    assert oci_tag.name == tag.name
-    assert not oci_tag.hidden
-    assert oci_tag.reversion == tag.reversion
+        oci_tag = _get_oci_tag(tag)
+        assert oci_tag.name == tag.name
+        assert not oci_tag.hidden
+        assert oci_tag.reversion == tag.reversion
 
-    if tag.lifetime_end_ts:
-      assert oci_tag.lifetime_end_ms == (tag.lifetime_end_ts * 1000)
-    else:
-      assert oci_tag.lifetime_end_ms is None
+        if tag.lifetime_end_ts:
+            assert oci_tag.lifetime_end_ms == (tag.lifetime_end_ts * 1000)
+        else:
+            assert oci_tag.lifetime_end_ms is None
 
-  for expected in args:
-    assert expected in tags_dict
+    for expected in args:
+        assert expected in tags_dict
 
 
 def test_create_reversion_tag(initialized_db):
-  repository = create_repository('devtable', 'somenewrepo', None)
-  manifest = Manifest.get()
-  image1 = find_create_or_link_image('foobarimage1', repository, None, {}, 'local_us')
+    repository = create_repository("devtable", "somenewrepo", None)
+    manifest = Manifest.get()
+    image1 = find_create_or_link_image("foobarimage1", repository, None, {}, "local_us")
 
-  footag = create_or_update_tag_for_repo(repository, 'foo', image1.docker_image_id,
-                                         oci_manifest=manifest, reversion=True)
-  assert footag.reversion
+    footag = create_or_update_tag_for_repo(
+        repository, "foo", image1.docker_image_id, oci_manifest=manifest, reversion=True
+    )
+    assert footag.reversion
 
-  oci_tag = _get_oci_tag(footag)
-  assert oci_tag.name == footag.name
-  assert not oci_tag.hidden
-  assert oci_tag.reversion == footag.reversion
+    oci_tag = _get_oci_tag(footag)
+    assert oci_tag.name == footag.name
+    assert not oci_tag.hidden
+    assert oci_tag.reversion == footag.reversion
 
 
 def test_list_active_tags(initialized_db):
-  # Create a new repository.
-  repository = create_repository('devtable', 'somenewrepo', None)
-  manifest = Manifest.get()
+    # Create a new repository.
+    repository = create_repository("devtable", "somenewrepo", None)
+    manifest = Manifest.get()
 
-  # Create some images.
-  image1 = find_create_or_link_image('foobarimage1', repository, None, {}, 'local_us')
-  image2 = find_create_or_link_image('foobarimage2', repository, None, {}, 'local_us')
+    # Create some images.
+    image1 = find_create_or_link_image("foobarimage1", repository, None, {}, "local_us")
+    image2 = find_create_or_link_image("foobarimage2", repository, None, {}, "local_us")
 
-  # Make sure its tags list is empty.
-  assert_tags(repository)
+    # Make sure its tags list is empty.
+    assert_tags(repository)
 
-  # Add some new tags.
-  footag = create_or_update_tag_for_repo(repository, 'foo', image1.docker_image_id,
-                                         oci_manifest=manifest)
-  bartag = create_or_update_tag_for_repo(repository, 'bar', image1.docker_image_id,
-                                         oci_manifest=manifest)
+    # Add some new tags.
+    footag = create_or_update_tag_for_repo(
+        repository, "foo", image1.docker_image_id, oci_manifest=manifest
+    )
+    bartag = create_or_update_tag_for_repo(
+        repository, "bar", image1.docker_image_id, oci_manifest=manifest
+    )
 
-  # Since timestamps are stored on a second-granularity, we need to make the tags "start"
-  # before "now", so when we recreate them below, they don't conflict.
-  footag.lifetime_start_ts -= 5
-  footag.save()
+    # Since timestamps are stored on a second-granularity, we need to make the tags "start"
+    # before "now", so when we recreate them below, they don't conflict.
+    footag.lifetime_start_ts -= 5
+    footag.save()
 
-  bartag.lifetime_start_ts -= 5
-  bartag.save()
+    bartag.lifetime_start_ts -= 5
+    bartag.save()
 
-  footag_oci = _get_oci_tag(footag)
-  footag_oci.lifetime_start_ms -= 5000
-  footag_oci.save()
+    footag_oci = _get_oci_tag(footag)
+    footag_oci.lifetime_start_ms -= 5000
+    footag_oci.save()
 
-  bartag_oci = _get_oci_tag(bartag)
-  bartag_oci.lifetime_start_ms -= 5000
-  bartag_oci.save()
+    bartag_oci = _get_oci_tag(bartag)
+    bartag_oci.lifetime_start_ms -= 5000
+    bartag_oci.save()
 
-  # Make sure they are returned.
-  assert_tags(repository, 'foo', 'bar')
+    # Make sure they are returned.
+    assert_tags(repository, "foo", "bar")
 
-  # Set the expirations to be explicitly empty.
-  set_tag_end_ts(footag, None)
-  set_tag_end_ts(bartag, None)
+    # Set the expirations to be explicitly empty.
+    set_tag_end_ts(footag, None)
+    set_tag_end_ts(bartag, None)
 
-  # Make sure they are returned.
-  assert_tags(repository, 'foo', 'bar')
+    # Make sure they are returned.
+    assert_tags(repository, "foo", "bar")
 
-  # Mark as a tag as expiring in the far future, and make sure it is still returned.
-  set_tag_end_ts(footag, footag.lifetime_start_ts + 10000000)
+    # Mark as a tag as expiring in the far future, and make sure it is still returned.
+    set_tag_end_ts(footag, footag.lifetime_start_ts + 10000000)
 
-  # Make sure they are returned.
-  assert_tags(repository, 'foo', 'bar')
+    # Make sure they are returned.
+    assert_tags(repository, "foo", "bar")
 
-  # Delete a tag and make sure it isn't returned.
-  footag = delete_tag('devtable', 'somenewrepo', 'foo')
-  set_tag_end_ts(footag, footag.lifetime_end_ts - 4)
+    # Delete a tag and make sure it isn't returned.
+    footag = delete_tag("devtable", "somenewrepo", "foo")
+    set_tag_end_ts(footag, footag.lifetime_end_ts - 4)
 
-  assert_tags(repository, 'bar')
+    assert_tags(repository, "bar")
 
-  # Add a new foo again.
-  footag = create_or_update_tag_for_repo(repository, 'foo', image1.docker_image_id,
-                                         oci_manifest=manifest)
-  footag.lifetime_start_ts -= 3
-  footag.save()
+    # Add a new foo again.
+    footag = create_or_update_tag_for_repo(
+        repository, "foo", image1.docker_image_id, oci_manifest=manifest
+    )
+    footag.lifetime_start_ts -= 3
+    footag.save()
 
-  footag_oci = _get_oci_tag(footag)
-  footag_oci.lifetime_start_ms -= 3000
-  footag_oci.save()
+    footag_oci = _get_oci_tag(footag)
+    footag_oci.lifetime_start_ms -= 3000
+    footag_oci.save()
 
-  assert_tags(repository, 'foo', 'bar')
+    assert_tags(repository, "foo", "bar")
 
-  # Mark as a tag as expiring in the far future, and make sure it is still returned.
-  set_tag_end_ts(footag, footag.lifetime_start_ts + 10000000)
+    # Mark as a tag as expiring in the far future, and make sure it is still returned.
+    set_tag_end_ts(footag, footag.lifetime_start_ts + 10000000)
 
-  # Make sure they are returned.
-  assert_tags(repository, 'foo', 'bar')
+    # Make sure they are returned.
+    assert_tags(repository, "foo", "bar")
 
-  # "Move" foo by updating it and make sure we don't get duplicates.
-  create_or_update_tag_for_repo(repository, 'foo', image2.docker_image_id, oci_manifest=manifest)
-  assert_tags(repository, 'foo', 'bar')
+    # "Move" foo by updating it and make sure we don't get duplicates.
+    create_or_update_tag_for_repo(
+        repository, "foo", image2.docker_image_id, oci_manifest=manifest
+    )
+    assert_tags(repository, "foo", "bar")
 
 
-@pytest.mark.parametrize('expiration_offset, expected_offset', [
-  (None, None),
-  ('0s', '1h'),
-  ('30m', '1h'),
-  ('2h', '2h'),
-  ('2w', '2w'),
-  ('200w', '104w'),
-])
+@pytest.mark.parametrize(
+    "expiration_offset, expected_offset",
+    [
+        (None, None),
+        ("0s", "1h"),
+        ("30m", "1h"),
+        ("2h", "2h"),
+        ("2w", "2w"),
+        ("200w", "104w"),
+    ],
+)
 def test_change_tag_expiration(expiration_offset, expected_offset, initialized_db):
-  repository = create_repository('devtable', 'somenewrepo', None)
-  image1 = find_create_or_link_image('foobarimage1', repository, None, {}, 'local_us')
+    repository = create_repository("devtable", "somenewrepo", None)
+    image1 = find_create_or_link_image("foobarimage1", repository, None, {}, "local_us")
 
-  manifest = Manifest.get()
-  footag = create_or_update_tag_for_repo(repository, 'foo', image1.docker_image_id,
-                                         oci_manifest=manifest)
+    manifest = Manifest.get()
+    footag = create_or_update_tag_for_repo(
+        repository, "foo", image1.docker_image_id, oci_manifest=manifest
+    )
 
-  expiration_date = None
-  if expiration_offset is not None:
-    expiration_date = datetime.utcnow() + convert_to_timedelta(expiration_offset)
+    expiration_date = None
+    if expiration_offset is not None:
+        expiration_date = datetime.utcnow() + convert_to_timedelta(expiration_offset)
 
-  assert change_tag_expiration(footag, expiration_date)
+    assert change_tag_expiration(footag, expiration_date)
 
-  # Lookup the tag again.
-  footag_updated = get_active_tag('devtable', 'somenewrepo', 'foo')
-  oci_tag = _get_oci_tag(footag_updated)
+    # Lookup the tag again.
+    footag_updated = get_active_tag("devtable", "somenewrepo", "foo")
+    oci_tag = _get_oci_tag(footag_updated)
 
-  if expected_offset is None:
-    assert footag_updated.lifetime_end_ts is None
-    assert oci_tag.lifetime_end_ms is None
-  else:
-    start_date = datetime.utcfromtimestamp(footag_updated.lifetime_start_ts)
-    end_date = datetime.utcfromtimestamp(footag_updated.lifetime_end_ts)
-    expected_end_date = start_date + convert_to_timedelta(expected_offset)
-    assert (expected_end_date - end_date).total_seconds() < 5 # variance in test
+    if expected_offset is None:
+        assert footag_updated.lifetime_end_ts is None
+        assert oci_tag.lifetime_end_ms is None
+    else:
+        start_date = datetime.utcfromtimestamp(footag_updated.lifetime_start_ts)
+        end_date = datetime.utcfromtimestamp(footag_updated.lifetime_end_ts)
+        expected_end_date = start_date + convert_to_timedelta(expected_offset)
+        assert (expected_end_date - end_date).total_seconds() < 5  # variance in test
 
-    assert oci_tag.lifetime_end_ms == (footag_updated.lifetime_end_ts * 1000)
+        assert oci_tag.lifetime_end_ms == (footag_updated.lifetime_end_ts * 1000)
 
 
 def random_storages():
-  return list(ImageStorage.select().where(~(ImageStorage.content_checksum >> None)).limit(10))
+    return list(
+        ImageStorage.select().where(~(ImageStorage.content_checksum >> None)).limit(10)
+    )
 
 
 def repeated_storages():
-  storages = list(ImageStorage.select().where(~(ImageStorage.content_checksum >> None)).limit(5))
-  return storages + storages
+    storages = list(
+        ImageStorage.select().where(~(ImageStorage.content_checksum >> None)).limit(5)
+    )
+    return storages + storages
 
 
-@pytest.mark.parametrize('get_storages', [
-  random_storages,
-  repeated_storages,
-])
+@pytest.mark.parametrize("get_storages", [random_storages, repeated_storages])
 def test_store_tag_manifest(get_storages, initialized_db):
-  # Create a manifest with some layers.
-  builder = DockerSchema1ManifestBuilder('devtable', 'simple', 'sometag')
+    # Create a manifest with some layers.
+    builder = DockerSchema1ManifestBuilder("devtable", "simple", "sometag")
 
-  storages = get_storages()
-  assert storages
+    storages = get_storages()
+    assert storages
 
-  repo = model.repository.get_repository('devtable', 'simple')
-  storage_id_map = {}
-  for index, storage in enumerate(storages):
-    image_id = 'someimage%s' % index
-    builder.add_layer(storage.content_checksum, json.dumps({'id': image_id}))
-    find_create_or_link_image(image_id, repo, 'devtable', {}, 'local_us')
-    storage_id_map[storage.content_checksum] = storage.id
+    repo = model.repository.get_repository("devtable", "simple")
+    storage_id_map = {}
+    for index, storage in enumerate(storages):
+        image_id = "someimage%s" % index
+        builder.add_layer(storage.content_checksum, json.dumps({"id": image_id}))
+        find_create_or_link_image(image_id, repo, "devtable", {}, "local_us")
+        storage_id_map[storage.content_checksum] = storage.id
 
-  manifest = builder.build(docker_v2_signing_key)
-  tag_manifest, _ = store_tag_manifest_for_testing('devtable', 'simple', 'sometag', manifest,
-                                                   manifest.leaf_layer_v1_image_id, storage_id_map)
+    manifest = builder.build(docker_v2_signing_key)
+    tag_manifest, _ = store_tag_manifest_for_testing(
+        "devtable",
+        "simple",
+        "sometag",
+        manifest,
+        manifest.leaf_layer_v1_image_id,
+        storage_id_map,
+    )
 
-  # Ensure we have the new-model expected rows.
-  mapping_row = TagManifestToManifest.get(tag_manifest=tag_manifest)
+    # Ensure we have the new-model expected rows.
+    mapping_row = TagManifestToManifest.get(tag_manifest=tag_manifest)
 
-  assert mapping_row.manifest is not None
-  assert mapping_row.manifest.manifest_bytes == manifest.bytes.as_encoded_str()
-  assert mapping_row.manifest.digest == str(manifest.digest)
+    assert mapping_row.manifest is not None
+    assert mapping_row.manifest.manifest_bytes == manifest.bytes.as_encoded_str()
+    assert mapping_row.manifest.digest == str(manifest.digest)
 
-  blob_rows = {m.blob_id for m in
-               ManifestBlob.select().where(ManifestBlob.manifest == mapping_row.manifest)}
-  assert blob_rows == {s.id for s in storages}
+    blob_rows = {
+        m.blob_id
+        for m in ManifestBlob.select().where(
+            ManifestBlob.manifest == mapping_row.manifest
+        )
+    }
+    assert blob_rows == {s.id for s in storages}
 
-  assert ManifestLegacyImage.get(manifest=mapping_row.manifest).image == tag_manifest.tag.image
+    assert (
+        ManifestLegacyImage.get(manifest=mapping_row.manifest).image
+        == tag_manifest.tag.image
+    )
 
 
 def test_get_most_recent_tag(initialized_db):
-  # Create a hidden tag that is the most recent.
-  repo = model.repository.get_repository('devtable', 'simple')
-  image = model.tag.get_tag_image('devtable', 'simple', 'latest')
-  model.tag.create_temporary_hidden_tag(repo, image, 10000000)
+    # Create a hidden tag that is the most recent.
+    repo = model.repository.get_repository("devtable", "simple")
+    image = model.tag.get_tag_image("devtable", "simple", "latest")
+    model.tag.create_temporary_hidden_tag(repo, image, 10000000)
 
-  # Ensure we find a non-hidden tag.
-  found = model.tag.get_most_recent_tag(repo)
-  assert not found.hidden
+    # Ensure we find a non-hidden tag.
+    found = model.tag.get_most_recent_tag(repo)
+    assert not found.hidden
 
 
 def test_get_active_tag_for_repo(initialized_db):
-  repo = model.repository.get_repository('devtable', 'simple')
-  image = model.tag.get_tag_image('devtable', 'simple', 'latest')
-  hidden_tag = model.tag.create_temporary_hidden_tag(repo, image, 10000000)
+    repo = model.repository.get_repository("devtable", "simple")
+    image = model.tag.get_tag_image("devtable", "simple", "latest")
+    hidden_tag = model.tag.create_temporary_hidden_tag(repo, image, 10000000)
 
-  # Ensure get active tag for repo cannot find it.
-  assert model.tag.get_active_tag_for_repo(repo, hidden_tag) is None
-  assert model.tag.get_active_tag_for_repo(repo, 'latest') is not None
+    # Ensure get active tag for repo cannot find it.
+    assert model.tag.get_active_tag_for_repo(repo, hidden_tag) is None
+    assert model.tag.get_active_tag_for_repo(repo, "latest") is not None
diff --git a/data/model/test/test_team.py b/data/model/test/test_team.py
index 88b08855c..ea2a62f25 100644
--- a/data/model/test/test_team.py
+++ b/data/model/test/test_team.py
@@ -1,61 +1,69 @@
 import pytest
 
-from data.model.team import (add_or_invite_to_team, create_team, confirm_team_invite,
-                             list_team_users, validate_team_name)
+from data.model.team import (
+    add_or_invite_to_team,
+    create_team,
+    confirm_team_invite,
+    list_team_users,
+    validate_team_name,
+)
 from data.model.organization import create_organization
 from data.model.user import get_user, create_user_noverify
 
 from test.fixtures import *
 
 
-@pytest.mark.parametrize('name, is_valid', [
-  ('', False),
-  ('f', False),
-  ('fo', True),
-  ('f' * 255, True),
-  ('f' * 256, False),
-  (' ', False),
-  ('helloworld', True),
-  ('hello_world', True),
-  ('hello-world', True),
-  ('hello world', False),
-  ('HelloWorld', False),
-])
+@pytest.mark.parametrize(
+    "name, is_valid",
+    [
+        ("", False),
+        ("f", False),
+        ("fo", True),
+        ("f" * 255, True),
+        ("f" * 256, False),
+        (" ", False),
+        ("helloworld", True),
+        ("hello_world", True),
+        ("hello-world", True),
+        ("hello world", False),
+        ("HelloWorld", False),
+    ],
+)
 def test_validate_team_name(name, is_valid):
-  result, _ = validate_team_name(name)
-  assert result == is_valid
+    result, _ = validate_team_name(name)
+    assert result == is_valid
 
 
 def is_in_team(team, user):
-  return user.username in {u.username for u in list_team_users(team)}
+    return user.username in {u.username for u in list_team_users(team)}
 
 
 def test_invite_to_team(initialized_db):
-  first_user = get_user('devtable')
-  second_user = create_user_noverify('newuser', 'foo@example.com')
+    first_user = get_user("devtable")
+    second_user = create_user_noverify("newuser", "foo@example.com")
 
-  def run_invite_flow(orgname):
-    # Create an org owned by `devtable`.
-    org = create_organization(orgname, orgname + '@example.com', first_user)
+    def run_invite_flow(orgname):
+        # Create an org owned by `devtable`.
+        org = create_organization(orgname, orgname + "@example.com", first_user)
 
-    # Create another team and add `devtable` to it. Since `devtable` is already
-    # in the org, it should be done directly.
-    other_team = create_team('otherteam', org, 'admin')
-    invite = add_or_invite_to_team(first_user, other_team, user_obj=first_user)
-    assert invite is None
-    assert is_in_team(other_team, first_user)
+        # Create another team and add `devtable` to it. Since `devtable` is already
+        # in the org, it should be done directly.
+        other_team = create_team("otherteam", org, "admin")
+        invite = add_or_invite_to_team(first_user, other_team, user_obj=first_user)
+        assert invite is None
+        assert is_in_team(other_team, first_user)
 
-    # Try to add `newuser` to the team, which should require an invite.
-    invite = add_or_invite_to_team(first_user, other_team, user_obj=second_user)
-    assert invite is not None
-    assert not is_in_team(other_team, second_user)
+        # Try to add `newuser` to the team, which should require an invite.
+        invite = add_or_invite_to_team(first_user, other_team, user_obj=second_user)
+        assert invite is not None
+        assert not is_in_team(other_team, second_user)
 
-    # Accept the invite.
-    confirm_team_invite(invite.invite_token, second_user)
-    assert is_in_team(other_team, second_user)
+        # Accept the invite.
+        confirm_team_invite(invite.invite_token, second_user)
+        assert is_in_team(other_team, second_user)
 
-  # Run for a new org.
-  run_invite_flow('firstorg')
+    # Run for a new org.
+    run_invite_flow("firstorg")
 
-  # Create another org and repeat, ensuring the same operations perform the same way.
-  run_invite_flow('secondorg')
+    # Create another org and repeat, ensuring the same operations perform the same way.
+    run_invite_flow("secondorg")
diff --git a/data/model/test/test_user.py b/data/model/test/test_user.py
index 4f124b7f3..6b878a47e 100644
--- a/data/model/test/test_user.py
+++ b/data/model/test/test_user.py
@@ -21,185 +21,188 @@ from util.timedeltastring import convert_to_timedelta
 from util.security.token import encode_public_private_token
 from test.fixtures import *
 
+
 def test_create_user_with_expiration(initialized_db):
-  with patch('data.model.config.app_config', {'DEFAULT_TAG_EXPIRATION': '1h'}):
-    user = create_user_noverify('foobar', 'foo@example.com', email_required=False)
-    assert user.removed_tag_expiration_s == 60 * 60
+    with patch("data.model.config.app_config", {"DEFAULT_TAG_EXPIRATION": "1h"}):
+        user = create_user_noverify("foobar", "foo@example.com", email_required=False)
+        assert user.removed_tag_expiration_s == 60 * 60
 
-@pytest.mark.parametrize('token_lifetime, time_since', [
-  ('1m', '2m'),
-  ('2m', '1m'),
-  ('1h', '1m'),
-])
+
+@pytest.mark.parametrize(
+    "token_lifetime, time_since", [("1m", "2m"), ("2m", "1m"), ("1h", "1m")]
+)
 def test_validation_code(token_lifetime, time_since, initialized_db):
-  user = create_user_noverify('foobar', 'foo@example.com', email_required=False)
-  created = datetime.now() - convert_to_timedelta(time_since)
-  verification_code, unhashed = Credential.generate()
-  confirmation = EmailConfirmation.create(user=user, pw_reset=True,
-                                          created=created, verification_code=verification_code)
-  encoded = encode_public_private_token(confirmation.code, unhashed)
+    user = create_user_noverify("foobar", "foo@example.com", email_required=False)
+    created = datetime.now() - convert_to_timedelta(time_since)
+    verification_code, unhashed = Credential.generate()
+    confirmation = EmailConfirmation.create(
+        user=user, pw_reset=True, created=created, verification_code=verification_code
+    )
+    encoded = encode_public_private_token(confirmation.code, unhashed)
 
-  with patch('data.model.config.app_config', {'USER_RECOVERY_TOKEN_LIFETIME': token_lifetime}):
-    result = validate_reset_code(encoded)
-    expect_success = convert_to_timedelta(token_lifetime) >= convert_to_timedelta(time_since)
-    assert expect_success == (result is not None)
+    with patch(
+        "data.model.config.app_config", {"USER_RECOVERY_TOKEN_LIFETIME": token_lifetime}
+    ):
+        result = validate_reset_code(encoded)
+        expect_success = convert_to_timedelta(token_lifetime) >= convert_to_timedelta(
+            time_since
+        )
+        assert expect_success == (result is not None)
 
 
-@pytest.mark.parametrize('disabled', [
-  (True),
-  (False),
-])
-@pytest.mark.parametrize('deleted', [
-  (True),
-  (False),
-])
+@pytest.mark.parametrize("disabled", [(True), (False)])
+@pytest.mark.parametrize("deleted", [(True), (False)])
 def test_get_active_users(disabled, deleted, initialized_db):
-  # Delete a user.
-  deleted_user = model.user.get_user('public')
-  queue = WorkQueue('testgcnamespace', lambda db: db.transaction())
-  mark_namespace_for_deletion(deleted_user, [], queue)
+    # Delete a user.
+    deleted_user = model.user.get_user("public")
+    queue = WorkQueue("testgcnamespace", lambda db: db.transaction())
+    mark_namespace_for_deletion(deleted_user, [], queue)
 
-  users = get_active_users(disabled=disabled, deleted=deleted)
-  deleted_found = [user for user in users if user.id == deleted_user.id]
-  assert bool(deleted_found) == (deleted and disabled)
+    users = get_active_users(disabled=disabled, deleted=deleted)
+    deleted_found = [user for user in users if user.id == deleted_user.id]
+    assert bool(deleted_found) == (deleted and disabled)
 
-  for user in users:
-    if not disabled:
-      assert user.enabled
+    for user in users:
+        if not disabled:
+            assert user.enabled
 
 
 def test_mark_namespace_for_deletion(initialized_db):
-  def create_transaction(db):
-    return db.transaction()
+    def create_transaction(db):
+        return db.transaction()
 
-  # Create a user and then mark it for deletion.
-  user = create_user_noverify('foobar', 'foo@example.com', email_required=False)
+    # Create a user and then mark it for deletion.
+    user = create_user_noverify("foobar", "foo@example.com", email_required=False)
 
-  # Add some robots.
-  create_robot('foo', user)
-  create_robot('bar', user)
+    # Add some robots.
+    create_robot("foo", user)
+    create_robot("bar", user)
 
-  assert lookup_robot('foobar+foo') is not None
-  assert lookup_robot('foobar+bar') is not None
-  assert len(list(list_namespace_robots('foobar'))) == 2
+    assert lookup_robot("foobar+foo") is not None
+    assert lookup_robot("foobar+bar") is not None
+    assert len(list(list_namespace_robots("foobar"))) == 2
 
-  # Mark the user for deletion.
-  queue = WorkQueue('testgcnamespace', create_transaction)
-  mark_namespace_for_deletion(user, [], queue)
+    # Mark the user for deletion.
+    queue = WorkQueue("testgcnamespace", create_transaction)
+    mark_namespace_for_deletion(user, [], queue)
 
-  # Ensure the older user is still in the DB.
-  older_user = User.get(id=user.id)
-  assert older_user.username != 'foobar'
+    # Ensure the older user is still in the DB.
+    older_user = User.get(id=user.id)
+    assert older_user.username != "foobar"
 
-  # Ensure the robots are deleted.
-  with pytest.raises(InvalidRobotException):
-    assert lookup_robot('foobar+foo')
+    # Ensure the robots are deleted.
+    with pytest.raises(InvalidRobotException):
+        assert lookup_robot("foobar+foo")
 
-  with pytest.raises(InvalidRobotException):
-    assert lookup_robot('foobar+bar')
+    with pytest.raises(InvalidRobotException):
+        assert lookup_robot("foobar+bar")
 
-  assert len(list(list_namespace_robots(older_user.username))) == 0
+    assert len(list(list_namespace_robots(older_user.username))) == 0
 
-  # Ensure we can create a user with the same namespace again.
-  new_user = create_user_noverify('foobar', 'foo@example.com', email_required=False)
-  assert new_user.id != user.id
+    # Ensure we can create a user with the same namespace again.
+    new_user = create_user_noverify("foobar", "foo@example.com", email_required=False)
+    assert new_user.id != user.id
 
-  # Ensure the older user is still in the DB.
-  assert User.get(id=user.id).username != 'foobar'
+    # Ensure the older user is still in the DB.
+    assert User.get(id=user.id).username != "foobar"
 
 
 def test_delete_namespace_via_marker(initialized_db):
-  def create_transaction(db):
-    return db.transaction()
+    def create_transaction(db):
+        return db.transaction()
 
-  # Create a user and then mark it for deletion.
-  user = create_user_noverify('foobar', 'foo@example.com', email_required=False)
+    # Create a user and then mark it for deletion.
+    user = create_user_noverify("foobar", "foo@example.com", email_required=False)
 
-  # Add some repositories.
-  create_repository('foobar', 'somerepo', user)
-  create_repository('foobar', 'anotherrepo', user)
+    # Add some repositories.
+    create_repository("foobar", "somerepo", user)
+    create_repository("foobar", "anotherrepo", user)
 
-  # Mark the user for deletion.
-  queue = WorkQueue('testgcnamespace', create_transaction)
-  marker_id = mark_namespace_for_deletion(user, [], queue)
+    # Mark the user for deletion.
+    queue = WorkQueue("testgcnamespace", create_transaction)
+    marker_id = mark_namespace_for_deletion(user, [], queue)
 
-  # Delete the user.
-  delete_namespace_via_marker(marker_id, [])
+    # Delete the user.
+    delete_namespace_via_marker(marker_id, [])
 
-  # Ensure the user was actually deleted.
-  with pytest.raises(User.DoesNotExist):
-    User.get(id=user.id)
+    # Ensure the user was actually deleted.
+    with pytest.raises(User.DoesNotExist):
+        User.get(id=user.id)
 
-  with pytest.raises(DeletedNamespace.DoesNotExist):
-    DeletedNamespace.get(id=marker_id)
+    with pytest.raises(DeletedNamespace.DoesNotExist):
+        DeletedNamespace.get(id=marker_id)
 
 
 def test_delete_robot(initialized_db):
-  # Create a robot account.
-  user = create_user_noverify('foobar', 'foo@example.com', email_required=False)
-  robot, _ = create_robot('foo', user)
+    # Create a robot account.
+    user = create_user_noverify("foobar", "foo@example.com", email_required=False)
+    robot, _ = create_robot("foo", user)
 
-  # Add some notifications and other rows pointing to the robot.
-  create_notification('repo_push', robot)
+    # Add some notifications and other rows pointing to the robot.
+    create_notification("repo_push", robot)
 
-  team = create_team('someteam', get_organization('buynlarge'), 'member')
-  add_user_to_team(robot, team)
+    team = create_team("someteam", get_organization("buynlarge"), "member")
+    add_user_to_team(robot, team)
 
-  # Ensure the robot exists.
-  assert lookup_robot(robot.username).id == robot.id
+    # Ensure the robot exists.
+    assert lookup_robot(robot.username).id == robot.id
 
-  # Delete the robot.
-  delete_robot(robot.username)
+    # Delete the robot.
+    delete_robot(robot.username)
 
-  # Ensure it is gone.
-  with pytest.raises(InvalidRobotException):
-    lookup_robot(robot.username)
+    # Ensure it is gone.
+    with pytest.raises(InvalidRobotException):
+        lookup_robot(robot.username)
 
 
 def test_get_matching_users(initialized_db):
-  # Exact match.
-  for user in User.select().where(User.organization == False, User.robot == False):
-    assert list(get_matching_users(user.username))[0].username == user.username
+    # Exact match.
+    for user in User.select().where(User.organization == False, User.robot == False):
+        assert list(get_matching_users(user.username))[0].username == user.username
 
-  # Prefix matching.
-  for user in User.select().where(User.organization == False, User.robot == False):
-    assert user.username in [r.username for r in get_matching_users(user.username[:2])]
+    # Prefix matching.
+    for user in User.select().where(User.organization == False, User.robot == False):
+        assert user.username in [
+            r.username for r in get_matching_users(user.username[:2])
+        ]
 
 
 def test_get_matching_users_with_same_prefix(initialized_db):
-  # Create a bunch of users with the same prefix.
-  for index in range(0, 20):
-    create_user_noverify('foo%s' % index, 'foo%s@example.com' % index, email_required=False)
+    # Create a bunch of users with the same prefix.
+    for index in range(0, 20):
+        create_user_noverify(
+            "foo%s" % index, "foo%s@example.com" % index, email_required=False
+        )
 
-  # For each user, ensure that lookup of the exact name is found first.
-  for index in range(0, 20):
-    username = 'foo%s' % index
-    assert list(get_matching_users(username))[0].username == username
+    # For each user, ensure that lookup of the exact name is found first.
+    for index in range(0, 20):
+        username = "foo%s" % index
+        assert list(get_matching_users(username))[0].username == username
 
-  # Prefix matching.
-  found = list(get_matching_users('foo', limit=50))
-  assert len(found) == 20
+    # Prefix matching.
+    found = list(get_matching_users("foo", limit=50))
+    assert len(found) == 20
 
 
 def test_robot(initialized_db):
-  # Create a robot account.
-  user = create_user_noverify('foobar', 'foo@example.com', email_required=False)
-  robot, token = create_robot('foo', user)
-  assert retrieve_robot_token(robot) == token
+    # Create a robot account.
+    user = create_user_noverify("foobar", "foo@example.com", email_required=False)
+    robot, token = create_robot("foo", user)
+    assert retrieve_robot_token(robot) == token
 
-  # Ensure we can retrieve its information.
-  found = lookup_robot('foobar+foo')
-  assert found == robot
+    # Ensure we can retrieve its information.
+    found = lookup_robot("foobar+foo")
+    assert found == robot
 
-  creds = get_pull_credentials('foobar+foo')
-  assert creds is not None
-  assert creds['username'] == 'foobar+foo'
-  assert creds['password'] == token
+    creds = get_pull_credentials("foobar+foo")
+    assert creds is not None
+    assert creds["username"] == "foobar+foo"
+    assert creds["password"] == token
 
-  assert verify_robot('foobar+foo', token) == robot
+    assert verify_robot("foobar+foo", token) == robot
 
-  with pytest.raises(InvalidRobotException):
-    assert verify_robot('foobar+foo', 'someothertoken')
+    with pytest.raises(InvalidRobotException):
+        assert verify_robot("foobar+foo", "someothertoken")
 
-  with pytest.raises(InvalidRobotException):
-    assert verify_robot('foobar+unknownbot', token)
+    with pytest.raises(InvalidRobotException):
+        assert verify_robot("foobar+unknownbot", token)
diff --git a/data/model/test/test_visible_repos.py b/data/model/test/test_visible_repos.py
index 9e5e7cbf5..b037a2d6f 100644
--- a/data/model/test/test_visible_repos.py
+++ b/data/model/test/test_visible_repos.py
@@ -3,87 +3,89 @@ from data import model
 from test.fixtures import *
 
 
-NO_ACCESS_USER = 'freshuser'
-READ_ACCESS_USER = 'reader'
-ADMIN_ACCESS_USER = 'devtable'
-PUBLIC_USER = 'public'
-RANDOM_USER = 'randomuser'
-OUTSIDE_ORG_USER = 'outsideorg'
+NO_ACCESS_USER = "freshuser"
+READ_ACCESS_USER = "reader"
+ADMIN_ACCESS_USER = "devtable"
+PUBLIC_USER = "public"
+RANDOM_USER = "randomuser"
+OUTSIDE_ORG_USER = "outsideorg"
 
-ADMIN_ROBOT_USER = 'devtable+dtrobot'
+ADMIN_ROBOT_USER = "devtable+dtrobot"
 
-ORGANIZATION = 'buynlarge'
+ORGANIZATION = "buynlarge"
 
-SIMPLE_REPO = 'simple'
-PUBLIC_REPO = 'publicrepo'
-RANDOM_REPO = 'randomrepo'
+SIMPLE_REPO = "simple"
+PUBLIC_REPO = "publicrepo"
+RANDOM_REPO = "randomrepo"
 
-OUTSIDE_ORG_REPO = 'coolrepo'
+OUTSIDE_ORG_REPO = "coolrepo"
 
-ORG_REPO = 'orgrepo'
-ANOTHER_ORG_REPO = 'anotherorgrepo'
+ORG_REPO = "orgrepo"
+ANOTHER_ORG_REPO = "anotherorgrepo"
 
 # Note: The shared repo has devtable as admin, public as a writer and reader as a reader.
-SHARED_REPO = 'shared'
+SHARED_REPO = "shared"
 
 
 def assertDoesNotHaveRepo(username, name):
-  repos = list(model.repository.get_visible_repositories(username))
-  names = [repo.name for repo in repos]
-  assert not name in names
+    repos = list(model.repository.get_visible_repositories(username))
+    names = [repo.name for repo in repos]
+    assert not name in names
 
 
 def assertHasRepo(username, name):
-  repos = list(model.repository.get_visible_repositories(username))
-  names = [repo.name for repo in repos]
-  assert name in names
+    repos = list(model.repository.get_visible_repositories(username))
+    names = [repo.name for repo in repos]
+    assert name in names
 
 
 def test_noaccess(initialized_db):
-  repos = list(model.repository.get_visible_repositories(NO_ACCESS_USER))
-  names = [repo.name for repo in repos]
-  assert not names
+    repos = list(model.repository.get_visible_repositories(NO_ACCESS_USER))
+    names = [repo.name for repo in repos]
+    assert not names
 
-  # Try retrieving public repos now.
-  repos = list(model.repository.get_visible_repositories(NO_ACCESS_USER, include_public=True))
-  names = [repo.name for repo in repos]
-  assert PUBLIC_REPO in names
+    # Try retrieving public repos now.
+    repos = list(
+        model.repository.get_visible_repositories(NO_ACCESS_USER, include_public=True)
+    )
+    names = [repo.name for repo in repos]
+    assert PUBLIC_REPO in names
 
 
 def test_public(initialized_db):
-  assertHasRepo(PUBLIC_USER, PUBLIC_REPO)
-  assertHasRepo(PUBLIC_USER, SHARED_REPO)
+    assertHasRepo(PUBLIC_USER, PUBLIC_REPO)
+    assertHasRepo(PUBLIC_USER, SHARED_REPO)
 
-  assertDoesNotHaveRepo(PUBLIC_USER, SIMPLE_REPO)
-  assertDoesNotHaveRepo(PUBLIC_USER, RANDOM_REPO)
-  assertDoesNotHaveRepo(PUBLIC_USER, OUTSIDE_ORG_REPO)
+    assertDoesNotHaveRepo(PUBLIC_USER, SIMPLE_REPO)
+    assertDoesNotHaveRepo(PUBLIC_USER, RANDOM_REPO)
+    assertDoesNotHaveRepo(PUBLIC_USER, OUTSIDE_ORG_REPO)
 
 
 def test_reader(initialized_db):
-  assertHasRepo(READ_ACCESS_USER, SHARED_REPO)
-  assertHasRepo(READ_ACCESS_USER, ORG_REPO)
+    assertHasRepo(READ_ACCESS_USER, SHARED_REPO)
+    assertHasRepo(READ_ACCESS_USER, ORG_REPO)
 
-  assertDoesNotHaveRepo(READ_ACCESS_USER, SIMPLE_REPO)
-  assertDoesNotHaveRepo(READ_ACCESS_USER, RANDOM_REPO)
-  assertDoesNotHaveRepo(READ_ACCESS_USER, OUTSIDE_ORG_REPO)
-  assertDoesNotHaveRepo(READ_ACCESS_USER, PUBLIC_REPO)
+    assertDoesNotHaveRepo(READ_ACCESS_USER, SIMPLE_REPO)
+    assertDoesNotHaveRepo(READ_ACCESS_USER, RANDOM_REPO)
+    assertDoesNotHaveRepo(READ_ACCESS_USER, OUTSIDE_ORG_REPO)
+    assertDoesNotHaveRepo(READ_ACCESS_USER, PUBLIC_REPO)
 
 
 def test_random(initialized_db):
-  assertHasRepo(RANDOM_USER, RANDOM_REPO)
+    assertHasRepo(RANDOM_USER, RANDOM_REPO)
 
-  assertDoesNotHaveRepo(RANDOM_USER, SIMPLE_REPO)
-  assertDoesNotHaveRepo(RANDOM_USER, SHARED_REPO)
-  assertDoesNotHaveRepo(RANDOM_USER, ORG_REPO)
-  assertDoesNotHaveRepo(RANDOM_USER, ANOTHER_ORG_REPO)
-  assertDoesNotHaveRepo(RANDOM_USER, PUBLIC_REPO)
+    assertDoesNotHaveRepo(RANDOM_USER, SIMPLE_REPO)
+    assertDoesNotHaveRepo(RANDOM_USER, SHARED_REPO)
+    assertDoesNotHaveRepo(RANDOM_USER, ORG_REPO)
+    assertDoesNotHaveRepo(RANDOM_USER, ANOTHER_ORG_REPO)
+    assertDoesNotHaveRepo(RANDOM_USER, PUBLIC_REPO)
 
 
 def test_admin(initialized_db):
-  assertHasRepo(ADMIN_ACCESS_USER, SIMPLE_REPO)
-  assertHasRepo(ADMIN_ACCESS_USER, SHARED_REPO)
+    assertHasRepo(ADMIN_ACCESS_USER, SIMPLE_REPO)
+    assertHasRepo(ADMIN_ACCESS_USER, SHARED_REPO)
 
-  assertHasRepo(ADMIN_ACCESS_USER, ORG_REPO)
-  assertHasRepo(ADMIN_ACCESS_USER, ANOTHER_ORG_REPO)
+    assertHasRepo(ADMIN_ACCESS_USER, ORG_REPO)
+    assertHasRepo(ADMIN_ACCESS_USER, ANOTHER_ORG_REPO)
 
-  assertDoesNotHaveRepo(ADMIN_ACCESS_USER, OUTSIDE_ORG_REPO)
+    assertDoesNotHaveRepo(ADMIN_ACCESS_USER, OUTSIDE_ORG_REPO)
diff --git a/data/model/token.py b/data/model/token.py
index 82661cdef..cb6f91ca8 100644
--- a/data/model/token.py
+++ b/data/model/token.py
@@ -3,8 +3,14 @@ import logging
 from peewee import JOIN
 
 from active_migration import ActiveDataMigration, ERTMigrationFlags
-from data.database import (AccessToken, AccessTokenKind, Repository, Namespace, Role,
-                           RepositoryBuildTrigger)
+from data.database import (
+    AccessToken,
+    AccessTokenKind,
+    Repository,
+    Namespace,
+    Role,
+    RepositoryBuildTrigger,
+)
 from data.model import DataModelException, _basequery, InvalidTokenException
 
 
@@ -16,90 +22,97 @@ ACCESS_TOKEN_CODE_MINIMUM_LENGTH = 32
 
 
 def create_access_token(repo, role, kind=None, friendly_name=None):
-  role = Role.get(Role.name == role)
-  kind_ref = None
-  if kind is not None:
-    kind_ref = AccessTokenKind.get(AccessTokenKind.name == kind)
+    role = Role.get(Role.name == role)
+    kind_ref = None
+    if kind is not None:
+        kind_ref = AccessTokenKind.get(AccessTokenKind.name == kind)
 
-  new_token = AccessToken.create(repository=repo, temporary=True, role=role, kind=kind_ref,
-                                 friendly_name=friendly_name)
+    new_token = AccessToken.create(
+        repository=repo,
+        temporary=True,
+        role=role,
+        kind=kind_ref,
+        friendly_name=friendly_name,
+    )
 
-  if ActiveDataMigration.has_flag(ERTMigrationFlags.WRITE_OLD_FIELDS):
-    new_token.code = new_token.token_name + new_token.token_code.decrypt()
-    new_token.save()
+    if ActiveDataMigration.has_flag(ERTMigrationFlags.WRITE_OLD_FIELDS):
+        new_token.code = new_token.token_name + new_token.token_code.decrypt()
+        new_token.save()
 
-  return new_token
+    return new_token
 
 
-def create_delegate_token(namespace_name, repository_name, friendly_name,
-                          role='read'):
-  read_only = Role.get(name=role)
-  repo = _basequery.get_existing_repository(namespace_name, repository_name)
-  new_token = AccessToken.create(repository=repo, role=read_only,
-                                 friendly_name=friendly_name, temporary=False)
+def create_delegate_token(namespace_name, repository_name, friendly_name, role="read"):
+    read_only = Role.get(name=role)
+    repo = _basequery.get_existing_repository(namespace_name, repository_name)
+    new_token = AccessToken.create(
+        repository=repo, role=read_only, friendly_name=friendly_name, temporary=False
+    )
 
-  if ActiveDataMigration.has_flag(ERTMigrationFlags.WRITE_OLD_FIELDS):
-    new_token.code = new_token.token_name + new_token.token_code.decrypt()
-    new_token.save()
+    if ActiveDataMigration.has_flag(ERTMigrationFlags.WRITE_OLD_FIELDS):
+        new_token.code = new_token.token_name + new_token.token_code.decrypt()
+        new_token.save()
 
-  return new_token
+    return new_token
 
 
 def load_token_data(code):
-  """ Load the permissions for any token by code. """
-  token_name = code[:ACCESS_TOKEN_NAME_PREFIX_LENGTH]
-  token_code = code[ACCESS_TOKEN_NAME_PREFIX_LENGTH:]
+    """ Load the permissions for any token by code. """
+    token_name = code[:ACCESS_TOKEN_NAME_PREFIX_LENGTH]
+    token_code = code[ACCESS_TOKEN_NAME_PREFIX_LENGTH:]
 
-  if not token_name or not token_code:
-    raise InvalidTokenException('Invalid delegate token code: %s' % code)
+    if not token_name or not token_code:
+        raise InvalidTokenException("Invalid delegate token code: %s" % code)
 
-  # Try loading by name and then comparing the code.
-  assert token_name
-  try:
-    found = (AccessToken
-             .select(AccessToken, Repository, Namespace, Role)
-             .join(Role)
-             .switch(AccessToken)
-             .join(Repository)
-             .join(Namespace, on=(Repository.namespace_user == Namespace.id))
-             .where(AccessToken.token_name == token_name)
-             .get())
-
-    assert token_code
-    if found.token_code is None or not found.token_code.matches(token_code):
-      raise InvalidTokenException('Invalid delegate token code: %s' % code)
-
-    assert len(token_code) >= ACCESS_TOKEN_CODE_MINIMUM_LENGTH
-    return found
-  except AccessToken.DoesNotExist:
-    pass
-
-  # Legacy: Try loading the full code directly.
-  # TODO(remove-unenc): Remove this once migrated.
-  if ActiveDataMigration.has_flag(ERTMigrationFlags.READ_OLD_FIELDS):
+    # Try loading by name and then comparing the code.
+    assert token_name
     try:
-      return (AccessToken
-              .select(AccessToken, Repository, Namespace, Role)
-              .join(Role)
-              .switch(AccessToken)
-              .join(Repository)
-              .join(Namespace, on=(Repository.namespace_user == Namespace.id))
-              .where(AccessToken.code == code)
-              .get())
-    except AccessToken.DoesNotExist:
-      raise InvalidTokenException('Invalid delegate token code: %s' % code)
+        found = (
+            AccessToken.select(AccessToken, Repository, Namespace, Role)
+            .join(Role)
+            .switch(AccessToken)
+            .join(Repository)
+            .join(Namespace, on=(Repository.namespace_user == Namespace.id))
+            .where(AccessToken.token_name == token_name)
+            .get()
+        )
 
-  raise InvalidTokenException('Invalid delegate token code: %s' % code)
+        assert token_code
+        if found.token_code is None or not found.token_code.matches(token_code):
+            raise InvalidTokenException("Invalid delegate token code: %s" % code)
+
+        assert len(token_code) >= ACCESS_TOKEN_CODE_MINIMUM_LENGTH
+        return found
+    except AccessToken.DoesNotExist:
+        pass
+
+    # Legacy: Try loading the full code directly.
+    # TODO(remove-unenc): Remove this once migrated.
+    if ActiveDataMigration.has_flag(ERTMigrationFlags.READ_OLD_FIELDS):
+        try:
+            return (
+                AccessToken.select(AccessToken, Repository, Namespace, Role)
+                .join(Role)
+                .switch(AccessToken)
+                .join(Repository)
+                .join(Namespace, on=(Repository.namespace_user == Namespace.id))
+                .where(AccessToken.code == code)
+                .get()
+            )
+        except AccessToken.DoesNotExist:
+            raise InvalidTokenException("Invalid delegate token code: %s" % code)
+
+    raise InvalidTokenException("Invalid delegate token code: %s" % code)
 
 
 def get_full_token_string(token):
-  """ Returns the full string to use for this token to login. """
-  if ActiveDataMigration.has_flag(ERTMigrationFlags.READ_OLD_FIELDS):
-    if token.token_name is None:
-      return token.code
+    """ Returns the full string to use for this token to login. """
+    if ActiveDataMigration.has_flag(ERTMigrationFlags.READ_OLD_FIELDS):
+        if token.token_name is None:
+            return token.code
 
-  assert token.token_name
-  token_code = token.token_code.decrypt()
-  assert len(token.token_name) == ACCESS_TOKEN_NAME_PREFIX_LENGTH
-  assert len(token_code) >= ACCESS_TOKEN_CODE_MINIMUM_LENGTH
-  return '%s%s' % (token.token_name, token_code)
+    assert token.token_name
+    token_code = token.token_code.decrypt()
+    assert len(token.token_name) == ACCESS_TOKEN_NAME_PREFIX_LENGTH
+    assert len(token_code) >= ACCESS_TOKEN_CODE_MINIMUM_LENGTH
+    return "%s%s" % (token.token_name, token_code)
diff --git a/data/model/user.py b/data/model/user.py
index 7e9ed81b1..dd8c549cc 100644
--- a/data/model/user.py
+++ b/data/model/user.py
@@ -9,24 +9,60 @@ from uuid import uuid4
 from datetime import datetime, timedelta
 
 from active_migration import ActiveDataMigration, ERTMigrationFlags
-from data.database import (User, LoginService, FederatedLogin, RepositoryPermission, TeamMember,
-                           Team, Repository, TupleSelector, TeamRole, Namespace, Visibility,
-                           EmailConfirmation, Role, db_for_update, random_string_generator,
-                           UserRegion, ImageStorageLocation,
-                           ServiceKeyApproval, OAuthApplication, RepositoryBuildTrigger,
-                           UserPromptKind, UserPrompt, UserPromptTypes, DeletedNamespace,
-                           RobotAccountMetadata, NamespaceGeoRestriction, RepoMirrorConfig,
-                           RobotAccountToken)
+from data.database import (
+    User,
+    LoginService,
+    FederatedLogin,
+    RepositoryPermission,
+    TeamMember,
+    Team,
+    Repository,
+    TupleSelector,
+    TeamRole,
+    Namespace,
+    Visibility,
+    EmailConfirmation,
+    Role,
+    db_for_update,
+    random_string_generator,
+    UserRegion,
+    ImageStorageLocation,
+    ServiceKeyApproval,
+    OAuthApplication,
+    RepositoryBuildTrigger,
+    UserPromptKind,
+    UserPrompt,
+    UserPromptTypes,
+    DeletedNamespace,
+    RobotAccountMetadata,
+    NamespaceGeoRestriction,
+    RepoMirrorConfig,
+    RobotAccountToken,
+)
 from data.readreplica import ReadOnlyModeException
-from data.model import (DataModelException, InvalidPasswordException, InvalidRobotException,
-                        InvalidUsernameException, InvalidEmailAddressException,
-                        TooManyLoginAttemptsException, db_transaction,
-                        notification, config, repository, _basequery, gc)
+from data.model import (
+    DataModelException,
+    InvalidPasswordException,
+    InvalidRobotException,
+    InvalidUsernameException,
+    InvalidEmailAddressException,
+    TooManyLoginAttemptsException,
+    db_transaction,
+    notification,
+    config,
+    repository,
+    _basequery,
+    gc,
+)
 from data.fields import Credential
 from data.text import prefix_search
 from util.names import format_robot_username, parse_robot_username
-from util.validation import (validate_username, validate_email, validate_password,
-                             INVALID_PASSWORD_MESSAGE)
+from util.validation import (
+    validate_username,
+    validate_email,
+    validate_password,
+    INVALID_PASSWORD_MESSAGE,
+)
 from util.backoff import exponential_backoff
 from util.timedeltastring import convert_to_timedelta
 from util.unicode import remove_unicode
@@ -38,1180 +74,1394 @@ logger = logging.getLogger(__name__)
 
 EXPONENTIAL_BACKOFF_SCALE = timedelta(seconds=1)
 
+
 def hash_password(password, salt=None):
-  salt = salt or bcrypt.gensalt()
-  return bcrypt.hashpw(password.encode('utf-8'), salt)
-
-def create_user(username, password, email, auto_verify=False, email_required=True, prompts=tuple(),
-                is_possible_abuser=False):
-  """ Creates a regular user, if allowed. """
-  if not validate_password(password):
-    raise InvalidPasswordException(INVALID_PASSWORD_MESSAGE)
-
-  created = create_user_noverify(username, email, email_required=email_required, prompts=prompts,
-                                 is_possible_abuser=is_possible_abuser)
-  created.password_hash = hash_password(password)
-  created.verified = auto_verify
-  created.save()
-
-  return created
+    salt = salt or bcrypt.gensalt()
+    return bcrypt.hashpw(password.encode("utf-8"), salt)
 
 
-def create_user_noverify(username, email, email_required=True, prompts=tuple(),
-                         is_possible_abuser=False):
-  if email_required:
-    if not validate_email(email):
-      raise InvalidEmailAddressException('Invalid email address: %s' % email)
-  else:
-    # If email addresses are not required and none was specified, then we just use a unique
-    # ID to ensure that the database consistency check remains intact.
-    email = email or str(uuid.uuid4())
+def create_user(
+    username,
+    password,
+    email,
+    auto_verify=False,
+    email_required=True,
+    prompts=tuple(),
+    is_possible_abuser=False,
+):
+    """ Creates a regular user, if allowed. """
+    if not validate_password(password):
+        raise InvalidPasswordException(INVALID_PASSWORD_MESSAGE)
 
-  (username_valid, username_issue) = validate_username(username)
-  if not username_valid:
-    raise InvalidUsernameException('Invalid namespace %s: %s' % (username, username_issue))
+    created = create_user_noverify(
+        username,
+        email,
+        email_required=email_required,
+        prompts=prompts,
+        is_possible_abuser=is_possible_abuser,
+    )
+    created.password_hash = hash_password(password)
+    created.verified = auto_verify
+    created.save()
 
-  try:
-    existing = User.get((User.username == username) | (User.email == email))
-    logger.info('Existing user with same username or email.')
+    return created
 
-    # A user already exists with either the same username or email
-    if existing.username == username:
-      assert not existing.robot
 
-      msg = 'Username has already been taken by an organization and cannot be reused: %s' % username
-      if not existing.organization:
-        msg = 'Username has already been taken by user cannot be reused: %s' % username
+def create_user_noverify(
+    username, email, email_required=True, prompts=tuple(), is_possible_abuser=False
+):
+    if email_required:
+        if not validate_email(email):
+            raise InvalidEmailAddressException("Invalid email address: %s" % email)
+    else:
+        # If email addresses are not required and none was specified, then we just use a unique
+        # ID to ensure that the database consistency check remains intact.
+        email = email or str(uuid.uuid4())
 
-      raise InvalidUsernameException(msg)
+    (username_valid, username_issue) = validate_username(username)
+    if not username_valid:
+        raise InvalidUsernameException(
+            "Invalid namespace %s: %s" % (username, username_issue)
+        )
 
-    raise InvalidEmailAddressException('Email has already been used: %s' % email)
-  except User.DoesNotExist:
-    # This is actually the happy path
-    logger.debug('Email and username are unique!')
+    try:
+        existing = User.get((User.username == username) | (User.email == email))
+        logger.info("Existing user with same username or email.")
 
-  # Create the user.
-  try:
-    default_expr_s = _convert_to_s(config.app_config['DEFAULT_TAG_EXPIRATION'])
-    default_max_builds = config.app_config.get('DEFAULT_NAMESPACE_MAXIMUM_BUILD_COUNT')
-    threat_max_builds = config.app_config.get('THREAT_NAMESPACE_MAXIMUM_BUILD_COUNT')
+        # A user already exists with either the same username or email
+        if existing.username == username:
+            assert not existing.robot
 
-    if is_possible_abuser and threat_max_builds is not None:
-      default_max_builds = threat_max_builds
+            msg = (
+                "Username has already been taken by an organization and cannot be reused: %s"
+                % username
+            )
+            if not existing.organization:
+                msg = (
+                    "Username has already been taken by user cannot be reused: %s"
+                    % username
+                )
 
-    new_user = User.create(username=username, email=email, removed_tag_expiration_s=default_expr_s,
-                           maximum_queued_builds_count=default_max_builds)
-    for prompt in prompts:
-      create_user_prompt(new_user, prompt)
+            raise InvalidUsernameException(msg)
+
+        raise InvalidEmailAddressException("Email has already been used: %s" % email)
+    except User.DoesNotExist:
+        # This is actually the happy path
+        logger.debug("Email and username are unique!")
+
+    # Create the user.
+    try:
+        default_expr_s = _convert_to_s(config.app_config["DEFAULT_TAG_EXPIRATION"])
+        default_max_builds = config.app_config.get(
+            "DEFAULT_NAMESPACE_MAXIMUM_BUILD_COUNT"
+        )
+        threat_max_builds = config.app_config.get(
+            "THREAT_NAMESPACE_MAXIMUM_BUILD_COUNT"
+        )
+
+        if is_possible_abuser and threat_max_builds is not None:
+            default_max_builds = threat_max_builds
+
+        new_user = User.create(
+            username=username,
+            email=email,
+            removed_tag_expiration_s=default_expr_s,
+            maximum_queued_builds_count=default_max_builds,
+        )
+        for prompt in prompts:
+            create_user_prompt(new_user, prompt)
+
+        return new_user
+    except Exception as ex:
+        raise DataModelException(ex.message)
 
-    return new_user
-  except Exception as ex:
-    raise DataModelException(ex.message)
 
 def increase_maximum_build_count(user, maximum_queued_builds_count):
-  """ Increases the maximum number of allowed builds on the namespace, if greater than that
+    """ Increases the maximum number of allowed builds on the namespace, if greater than that
       already present.
   """
-  if (user.maximum_queued_builds_count is not None and
-      maximum_queued_builds_count > user.maximum_queued_builds_count):
-    user.maximum_queued_builds_count = maximum_queued_builds_count
-    user.save()
+    if (
+        user.maximum_queued_builds_count is not None
+        and maximum_queued_builds_count > user.maximum_queued_builds_count
+    ):
+        user.maximum_queued_builds_count = maximum_queued_builds_count
+        user.save()
+
 
 def is_username_unique(test_username):
-  try:
-    User.get((User.username == test_username))
-    return False
-  except User.DoesNotExist:
-    return True
+    try:
+        User.get((User.username == test_username))
+        return False
+    except User.DoesNotExist:
+        return True
 
 
 def change_password(user, new_password):
-  if not validate_password(new_password):
-    raise InvalidPasswordException(INVALID_PASSWORD_MESSAGE)
+    if not validate_password(new_password):
+        raise InvalidPasswordException(INVALID_PASSWORD_MESSAGE)
 
-  pw_hash = hash_password(new_password)
-  user.invalid_login_attempts = 0
-  user.password_hash = pw_hash
-  invalidate_all_sessions(user)
+    pw_hash = hash_password(new_password)
+    user.invalid_login_attempts = 0
+    user.password_hash = pw_hash
+    invalidate_all_sessions(user)
 
-  # Remove any password required notifications for the user.
-  notification.delete_notifications_by_kind(user, 'password_required')
+    # Remove any password required notifications for the user.
+    notification.delete_notifications_by_kind(user, "password_required")
 
 
 def get_default_user_prompts(features):
-  prompts = set()
-  if features.USER_METADATA:
-    prompts.add(UserPromptTypes.ENTER_NAME)
-    prompts.add(UserPromptTypes.ENTER_COMPANY)
+    prompts = set()
+    if features.USER_METADATA:
+        prompts.add(UserPromptTypes.ENTER_NAME)
+        prompts.add(UserPromptTypes.ENTER_COMPANY)
 
-  return prompts
+    return prompts
 
 
 def has_user_prompts(user):
-  try:
-    UserPrompt.select().where(UserPrompt.user == user).get()
-    return True
-  except UserPrompt.DoesNotExist:
-    return False
+    try:
+        UserPrompt.select().where(UserPrompt.user == user).get()
+        return True
+    except UserPrompt.DoesNotExist:
+        return False
 
 
 def has_user_prompt(user, prompt_name):
-  prompt_kind = UserPromptKind.get(name=prompt_name)
+    prompt_kind = UserPromptKind.get(name=prompt_name)
 
-  try:
-    UserPrompt.get(user=user, kind=prompt_kind)
-    return True
-  except UserPrompt.DoesNotExist:
-    return False
+    try:
+        UserPrompt.get(user=user, kind=prompt_kind)
+        return True
+    except UserPrompt.DoesNotExist:
+        return False
 
 
 def create_user_prompt(user, prompt_name):
-  prompt_kind = UserPromptKind.get(name=prompt_name)
-  return UserPrompt.create(user=user, kind=prompt_kind)
+    prompt_kind = UserPromptKind.get(name=prompt_name)
+    return UserPrompt.create(user=user, kind=prompt_kind)
 
 
 def remove_user_prompt(user, prompt_name):
-  prompt_kind = UserPromptKind.get(name=prompt_name)
-  UserPrompt.delete().where(UserPrompt.user == user, UserPrompt.kind == prompt_kind).execute()
+    prompt_kind = UserPromptKind.get(name=prompt_name)
+    UserPrompt.delete().where(
+        UserPrompt.user == user, UserPrompt.kind == prompt_kind
+    ).execute()
 
 
 def get_user_prompts(user):
-  query = UserPrompt.select().where(UserPrompt.user == user).join(UserPromptKind)
-  return [prompt.kind.name for prompt in query]
+    query = UserPrompt.select().where(UserPrompt.user == user).join(UserPromptKind)
+    return [prompt.kind.name for prompt in query]
 
 
 def change_username(user_id, new_username):
-  (username_valid, username_issue) = validate_username(new_username)
-  if not username_valid:
-    raise InvalidUsernameException('Invalid username %s: %s' % (new_username, username_issue))
+    (username_valid, username_issue) = validate_username(new_username)
+    if not username_valid:
+        raise InvalidUsernameException(
+            "Invalid username %s: %s" % (new_username, username_issue)
+        )
 
-  with db_transaction():
-    # Reload the user for update
-    user = db_for_update(User.select().where(User.id == user_id)).get()
+    with db_transaction():
+        # Reload the user for update
+        user = db_for_update(User.select().where(User.id == user_id)).get()
 
-    # Rename the robots
-    for robot in db_for_update(_list_entity_robots(user.username, include_metadata=False,
-                                                   include_token=False)):
-      _, robot_shortname = parse_robot_username(robot.username)
-      new_robot_name = format_robot_username(new_username, robot_shortname)
-      robot.username = new_robot_name
-      robot.save()
+        # Rename the robots
+        for robot in db_for_update(
+            _list_entity_robots(
+                user.username, include_metadata=False, include_token=False
+            )
+        ):
+            _, robot_shortname = parse_robot_username(robot.username)
+            new_robot_name = format_robot_username(new_username, robot_shortname)
+            robot.username = new_robot_name
+            robot.save()
 
-    # Rename the user
-    user.username = new_username
+        # Rename the user
+        user.username = new_username
+        user.save()
+
+        # Remove any prompts for username.
+        remove_user_prompt(user, "confirm_username")
+
+        return user
+
+
+def change_invoice_email_address(user, invoice_email_address):
+    # Note: We null out the address if it is an empty string.
+    user.invoice_email_address = invoice_email_address or None
     user.save()
 
-    # Remove any prompts for username.
-    remove_user_prompt(user, 'confirm_username')
+
+def change_send_invoice_email(user, invoice_email):
+    user.invoice_email = invoice_email
+    user.save()
+
+
+def _convert_to_s(timespan_string):
+    """ Returns the given timespan string (e.g. `2w` or `45s`) into seconds. """
+    return convert_to_timedelta(timespan_string).total_seconds()
+
+
+def change_user_tag_expiration(user, tag_expiration_s):
+    """ Changes the tag expiration on the given user/org. Note that the specified expiration must
+      be within the configured TAG_EXPIRATION_OPTIONS or this method will raise a
+      DataModelException.
+  """
+    allowed_options = [
+        _convert_to_s(o) for o in config.app_config["TAG_EXPIRATION_OPTIONS"]
+    ]
+    if tag_expiration_s not in allowed_options:
+        raise DataModelException("Invalid tag expiration option")
+
+    user.removed_tag_expiration_s = tag_expiration_s
+    user.save()
+
+
+def update_email(user, new_email, auto_verify=False):
+    try:
+        user.email = new_email
+        user.verified = auto_verify
+        user.save()
+    except IntegrityError:
+        raise DataModelException("E-mail address already used")
+
+
+def update_enabled(user, set_enabled):
+    user.enabled = set_enabled
+    user.save()
+
+
+def create_robot(robot_shortname, parent, description="", unstructured_metadata=None):
+    (username_valid, username_issue) = validate_username(robot_shortname)
+    if not username_valid:
+        raise InvalidRobotException(
+            "The name for the robot '%s' is invalid: %s"
+            % (robot_shortname, username_issue)
+        )
+
+    username = format_robot_username(parent.username, robot_shortname)
+
+    try:
+        User.get(User.username == username)
+
+        msg = "Existing robot with name: %s" % username
+        logger.info(msg)
+        raise InvalidRobotException(msg)
+    except User.DoesNotExist:
+        pass
+
+    service = LoginService.get(name="quayrobot")
+    try:
+        with db_transaction():
+            created = User.create(
+                username=username, email=str(uuid.uuid4()), robot=True
+            )
+            token = random_string_generator(length=64)()
+            RobotAccountToken.create(robot_account=created, token=token)
+            FederatedLogin.create(
+                user=created, service=service, service_ident="robot:%s" % created.id
+            )
+            RobotAccountMetadata.create(
+                robot_account=created,
+                description=description[0:255],
+                unstructured_json=unstructured_metadata or {},
+            )
+            return created, token
+    except Exception as ex:
+        raise DataModelException(ex.message)
+
+
+def get_or_create_robot_metadata(robot):
+    defaults = dict(description="", unstructured_json={})
+    metadata, _ = RobotAccountMetadata.get_or_create(
+        robot_account=robot, defaults=defaults
+    )
+    return metadata
+
+
+def update_robot_metadata(robot, description="", unstructured_json=None):
+    """ Updates the description and user-specified unstructured metadata associated
+      with a robot account to that specified. """
+    metadata = get_or_create_robot_metadata(robot)
+    metadata.description = description
+    metadata.unstructured_json = unstructured_json or metadata.unstructured_json or {}
+    metadata.save()
+
+
+def retrieve_robot_token(robot):
+    """ Returns the decrypted token for the given robot. """
+    try:
+        token = RobotAccountToken.get(robot_account=robot).token.decrypt()
+    except RobotAccountToken.DoesNotExist:
+        if ActiveDataMigration.has_flag(ERTMigrationFlags.READ_OLD_FIELDS):
+            # For legacy only.
+            token = robot.email
+        else:
+            raise
+
+    return token
+
+
+def get_robot_and_metadata(robot_shortname, parent):
+    """ Returns a tuple of the robot matching the given shortname, its token, and its metadata. """
+    robot_username = format_robot_username(parent.username, robot_shortname)
+    robot, metadata = lookup_robot_and_metadata(robot_username)
+    token = retrieve_robot_token(robot)
+    return robot, token, metadata
+
+
+def lookup_robot(robot_username):
+    try:
+        return User.get(username=robot_username, robot=True)
+    except User.DoesNotExist:
+        raise InvalidRobotException(
+            "Could not find robot with username: %s" % robot_username
+        )
+
+
+def lookup_robot_and_metadata(robot_username):
+    robot = lookup_robot(robot_username)
+    return robot, get_or_create_robot_metadata(robot)
+
+
+def get_matching_robots(name_prefix, username, limit=10):
+    admined_orgs = (
+        _basequery.get_user_organizations(username)
+        .switch(Team)
+        .join(TeamRole)
+        .where(TeamRole.name == "admin")
+    )
+
+    prefix_checks = False
+
+    for org in admined_orgs:
+        org_search = prefix_search(User.username, org.username + "+" + name_prefix)
+        prefix_checks = prefix_checks | org_search
+
+    user_search = prefix_search(User.username, username + "+" + name_prefix)
+    prefix_checks = prefix_checks | user_search
+
+    return User.select().where(prefix_checks).limit(limit)
+
+
+def verify_robot(robot_username, password):
+    try:
+        password = remove_unicode(password)
+    except UnicodeEncodeError:
+        msg = (
+            "Could not find robot with username: %s and supplied password."
+            % robot_username
+        )
+        raise InvalidRobotException(msg)
+
+    result = parse_robot_username(robot_username)
+    if result is None:
+        raise InvalidRobotException("%s is an invalid robot name" % robot_username)
+
+    robot = lookup_robot(robot_username)
+    assert robot.robot
+
+    # Lookup the token for the robot.
+    try:
+        token_data = RobotAccountToken.get(robot_account=robot)
+        if not token_data.token.matches(password):
+            msg = (
+                "Could not find robot with username: %s and supplied password."
+                % robot_username
+            )
+            raise InvalidRobotException(msg)
+    except RobotAccountToken.DoesNotExist:
+        # TODO(remove-unenc): Remove once migrated.
+        if not ActiveDataMigration.has_flag(ERTMigrationFlags.READ_OLD_FIELDS):
+            raise InvalidRobotException(msg)
+
+        if password.find("robot:") >= 0:
+            # Just to be sure.
+            raise InvalidRobotException(msg)
+
+        query = (
+            User.select()
+            .join(FederatedLogin)
+            .join(LoginService)
+            .where(
+                FederatedLogin.service_ident == password,
+                LoginService.name == "quayrobot",
+                User.username == robot_username,
+            )
+        )
+
+        try:
+            robot = query.get()
+        except User.DoesNotExist:
+            msg = (
+                "Could not find robot with username: %s and supplied password."
+                % robot_username
+            )
+            raise InvalidRobotException(msg)
+
+    # Find the owner user and ensure it is not disabled.
+    try:
+        owner = User.get(User.username == result[0])
+    except User.DoesNotExist:
+        raise InvalidRobotException("Robot %s owner does not exist" % robot_username)
+
+    if not owner.enabled:
+        raise InvalidRobotException(
+            "This user has been disabled. Please contact your administrator."
+        )
+
+    # Mark that the robot was accessed.
+    _basequery.update_last_accessed(robot)
+
+    return robot
+
+
+def regenerate_robot_token(robot_shortname, parent):
+    robot_username = format_robot_username(parent.username, robot_shortname)
+
+    robot, metadata = lookup_robot_and_metadata(robot_username)
+    password = random_string_generator(length=64)()
+    robot.email = str(uuid4())
+    robot.uuid = str(uuid4())
+
+    service = LoginService.get(name="quayrobot")
+    login = FederatedLogin.get(
+        FederatedLogin.user == robot, FederatedLogin.service == service
+    )
+    login.service_ident = "robot:%s" % (robot.id)
+
+    try:
+        token_data = RobotAccountToken.get(robot_account=robot)
+    except RobotAccountToken.DoesNotExist:
+        token_data = RobotAccountToken.create(robot_account=robot)
+
+    token_data.token = password
+
+    with db_transaction():
+        token_data.save()
+        login.save()
+        robot.save()
+
+    return robot, password, metadata
+
+
+def delete_robot(robot_username):
+    try:
+        robot = User.get(username=robot_username, robot=True)
+        robot.delete_instance(recursive=True, delete_nullable=True)
+
+    except User.DoesNotExist:
+        raise InvalidRobotException(
+            "Could not find robot with username: %s" % robot_username
+        )
+
+
+def list_namespace_robots(namespace):
+    """ Returns all the robots found under the given namespace. """
+    return _list_entity_robots(namespace)
+
+
+def _list_entity_robots(entity_name, include_metadata=True, include_token=True):
+    """ Return the list of robots for the specified entity. This MUST return a query, not a
+      materialized list so that callers can use db_for_update.
+  """
+    # TODO(remove-unenc): Remove FederatedLogin and LEFT_OUTER on RobotAccountToken once migration
+    # is complete.
+    if include_metadata or include_token:
+        query = (
+            User.select(User, RobotAccountToken, FederatedLogin, RobotAccountMetadata)
+            .join(FederatedLogin)
+            .switch(User)
+            .join(RobotAccountMetadata, JOIN.LEFT_OUTER)
+            .switch(User)
+            .join(RobotAccountToken, JOIN.LEFT_OUTER)
+            .where(User.robot == True, User.username ** (entity_name + "+%"))
+        )
+    else:
+        query = User.select(User).where(
+            User.robot == True, User.username ** (entity_name + "+%")
+        )
+
+    return query
+
+
+def list_entity_robot_permission_teams(
+    entity_name, limit=None, include_permissions=False
+):
+    query = _list_entity_robots(entity_name)
+
+    # TODO(remove-unenc): Remove FederatedLogin once migration is complete.
+    fields = [
+        User.username,
+        User.creation_date,
+        User.last_accessed,
+        RobotAccountToken.token,
+        FederatedLogin.service_ident,
+        RobotAccountMetadata.description,
+        RobotAccountMetadata.unstructured_json,
+    ]
+    if include_permissions:
+        query = (
+            query.join(
+                RepositoryPermission,
+                JOIN.LEFT_OUTER,
+                on=(RepositoryPermission.user == FederatedLogin.user),
+            )
+            .join(Repository, JOIN.LEFT_OUTER)
+            .switch(User)
+            .join(TeamMember, JOIN.LEFT_OUTER)
+            .join(Team, JOIN.LEFT_OUTER)
+        )
+
+        fields.append(Repository.name)
+        fields.append(Team.name)
+
+    query = query.limit(limit).order_by(User.last_accessed.desc())
+    return TupleSelector(query, fields)
+
+
+def update_user_metadata(user, metadata=None):
+    """ Updates the metadata associated with the user, including his/her name and company. """
+    metadata = metadata if metadata is not None else {}
+
+    with db_transaction():
+        if "given_name" in metadata:
+            user.given_name = metadata["given_name"]
+
+        if "family_name" in metadata:
+            user.family_name = metadata["family_name"]
+
+        if "company" in metadata:
+            user.company = metadata["company"]
+
+        if "location" in metadata:
+            user.location = metadata["location"]
+
+        user.save()
+
+        # Remove any prompts associated with the user's metadata being needed.
+        remove_user_prompt(user, UserPromptTypes.ENTER_NAME)
+        remove_user_prompt(user, UserPromptTypes.ENTER_COMPANY)
+
+
+def _get_login_service(service_id):
+    try:
+        return LoginService.get(LoginService.name == service_id)
+    except LoginService.DoesNotExist:
+        return LoginService.create(name=service_id)
+
+
+def create_federated_user(
+    username,
+    email,
+    service_id,
+    service_ident,
+    set_password_notification,
+    metadata={},
+    email_required=True,
+    confirm_username=True,
+    prompts=tuple(),
+):
+    prompts = set(prompts)
+
+    if confirm_username:
+        prompts.add(UserPromptTypes.CONFIRM_USERNAME)
+
+    new_user = create_user_noverify(
+        username, email, email_required=email_required, prompts=prompts
+    )
+    new_user.verified = True
+    new_user.save()
+
+    FederatedLogin.create(
+        user=new_user,
+        service=_get_login_service(service_id),
+        service_ident=service_ident,
+        metadata_json=json.dumps(metadata),
+    )
+
+    if set_password_notification:
+        notification.create_notification("password_required", new_user)
+
+    return new_user
+
+
+def attach_federated_login(user, service_id, service_ident, metadata=None):
+    service = _get_login_service(service_id)
+    FederatedLogin.create(
+        user=user,
+        service=service,
+        service_ident=service_ident,
+        metadata_json=json.dumps(metadata or {}),
+    )
+    return user
+
+
+def verify_federated_login(service_id, service_ident):
+    try:
+        found = (
+            FederatedLogin.select(FederatedLogin, User)
+            .join(LoginService)
+            .switch(FederatedLogin)
+            .join(User)
+            .where(
+                FederatedLogin.service_ident == service_ident,
+                LoginService.name == service_id,
+            )
+            .get()
+        )
+
+        # Mark that the user was accessed.
+        _basequery.update_last_accessed(found.user)
+
+        return found.user
+    except FederatedLogin.DoesNotExist:
+        return None
+
+
+def list_federated_logins(user):
+    selected = FederatedLogin.select(
+        FederatedLogin.service_ident, LoginService.name, FederatedLogin.metadata_json
+    )
+    joined = selected.join(LoginService)
+    return joined.where(LoginService.name != "quayrobot", FederatedLogin.user == user)
+
+
+def lookup_federated_login(user, service_name):
+    try:
+        return (
+            list_federated_logins(user).where(LoginService.name == service_name).get()
+        )
+    except FederatedLogin.DoesNotExist:
+        return None
+
+
+def create_confirm_email_code(user, new_email=None):
+    if new_email:
+        if not validate_email(new_email):
+            raise InvalidEmailAddressException("Invalid email address: %s" % new_email)
+
+    verification_code, unhashed = Credential.generate()
+    code = EmailConfirmation.create(
+        user=user,
+        email_confirm=True,
+        new_email=new_email,
+        verification_code=verification_code,
+    )
+    return encode_public_private_token(code.code, unhashed)
+
+
+def confirm_user_email(token):
+    # TODO(remove-unenc): Remove allow_public_only once migrated.
+    allow_public_only = ActiveDataMigration.has_flag(ERTMigrationFlags.READ_OLD_FIELDS)
+    result = decode_public_private_token(token, allow_public_only=allow_public_only)
+    if not result:
+        raise DataModelException("Invalid email confirmation code")
+
+    try:
+        code = EmailConfirmation.get(
+            EmailConfirmation.code == result.public_code,
+            EmailConfirmation.email_confirm == True,
+        )
+    except EmailConfirmation.DoesNotExist:
+        raise DataModelException("Invalid email confirmation code")
+
+    if result.private_token and not code.verification_code.matches(
+        result.private_token
+    ):
+        raise DataModelException("Invalid email confirmation code")
+
+    user = code.user
+    user.verified = True
+
+    old_email = None
+    new_email = code.new_email
+    if new_email and new_email != old_email:
+        if find_user_by_email(new_email):
+            raise DataModelException("E-mail address already used")
+
+        old_email = user.email
+        user.email = new_email
+
+    with db_transaction():
+        user.save()
+        code.delete_instance()
+
+    return user, new_email, old_email
+
+
+def create_reset_password_email_code(email):
+    try:
+        user = User.get(User.email == email)
+    except User.DoesNotExist:
+        raise InvalidEmailAddressException("Email address was not found")
+
+    if user.organization:
+        raise InvalidEmailAddressException("Organizations can not have passwords")
+
+    verification_code, unhashed = Credential.generate()
+    code = EmailConfirmation.create(
+        user=user, pw_reset=True, verification_code=verification_code
+    )
+    return encode_public_private_token(code.code, unhashed)
+
+
+def validate_reset_code(token):
+    # TODO(remove-unenc): Remove allow_public_only once migrated.
+    allow_public_only = ActiveDataMigration.has_flag(ERTMigrationFlags.READ_OLD_FIELDS)
+    result = decode_public_private_token(token, allow_public_only=allow_public_only)
+    if not result:
+        return None
+
+    # Find the reset code.
+    try:
+        code = EmailConfirmation.get(
+            EmailConfirmation.code == result.public_code,
+            EmailConfirmation.pw_reset == True,
+        )
+    except EmailConfirmation.DoesNotExist:
+        return None
+
+    if result.private_token and not code.verification_code.matches(
+        result.private_token
+    ):
+        return None
+
+    # Make sure the code is not expired.
+    max_lifetime_duration = convert_to_timedelta(
+        config.app_config["USER_RECOVERY_TOKEN_LIFETIME"]
+    )
+    if code.created + max_lifetime_duration < datetime.now():
+        code.delete_instance()
+        return None
+
+    # Verify the user and return the code.
+    user = code.user
+
+    with db_transaction():
+        if not user.verified:
+            user.verified = True
+            user.save()
+
+        code.delete_instance()
 
     return user
 
 
-def change_invoice_email_address(user, invoice_email_address):
-  # Note: We null out the address if it is an empty string.
-  user.invoice_email_address = invoice_email_address or None
-  user.save()
-
-
-def change_send_invoice_email(user, invoice_email):
-  user.invoice_email = invoice_email
-  user.save()
-
-
-def _convert_to_s(timespan_string):
-  """ Returns the given timespan string (e.g. `2w` or `45s`) into seconds. """
-  return convert_to_timedelta(timespan_string).total_seconds()
-
-
-def change_user_tag_expiration(user, tag_expiration_s):
-  """ Changes the tag expiration on the given user/org. Note that the specified expiration must
-      be within the configured TAG_EXPIRATION_OPTIONS or this method will raise a
-      DataModelException.
-  """
-  allowed_options = [_convert_to_s(o) for o in config.app_config['TAG_EXPIRATION_OPTIONS']]
-  if tag_expiration_s not in allowed_options:
-    raise DataModelException('Invalid tag expiration option')
-
-  user.removed_tag_expiration_s = tag_expiration_s
-  user.save()
-
-
-def update_email(user, new_email, auto_verify=False):
-  try:
-    user.email = new_email
-    user.verified = auto_verify
-    user.save()
-  except IntegrityError:
-    raise DataModelException('E-mail address already used')
-
-
-def update_enabled(user, set_enabled):
-  user.enabled = set_enabled
-  user.save()
-
-
-def create_robot(robot_shortname, parent, description='', unstructured_metadata=None):
-  (username_valid, username_issue) = validate_username(robot_shortname)
-  if not username_valid:
-    raise InvalidRobotException('The name for the robot \'%s\' is invalid: %s' %
-                                (robot_shortname, username_issue))
-
-  username = format_robot_username(parent.username, robot_shortname)
-
-  try:
-    User.get(User.username == username)
-
-    msg = 'Existing robot with name: %s' % username
-    logger.info(msg)
-    raise InvalidRobotException(msg)
-  except User.DoesNotExist:
-    pass
-
-  service = LoginService.get(name='quayrobot')
-  try:
-    with db_transaction():
-      created = User.create(username=username, email=str(uuid.uuid4()), robot=True)
-      token = random_string_generator(length=64)()
-      RobotAccountToken.create(robot_account=created, token=token)
-      FederatedLogin.create(user=created, service=service, service_ident='robot:%s' % created.id)
-      RobotAccountMetadata.create(robot_account=created, description=description[0:255],
-                                  unstructured_json=unstructured_metadata or {})
-      return created, token
-  except Exception as ex:
-    raise DataModelException(ex.message)
-
-
-def get_or_create_robot_metadata(robot):
-  defaults = dict(description='', unstructured_json={})
-  metadata, _ = RobotAccountMetadata.get_or_create(robot_account=robot, defaults=defaults)
-  return metadata
-
-
-def update_robot_metadata(robot, description='', unstructured_json=None):
-  """ Updates the description and user-specified unstructured metadata associated
-      with a robot account to that specified. """
-  metadata = get_or_create_robot_metadata(robot)
-  metadata.description = description
-  metadata.unstructured_json = unstructured_json or metadata.unstructured_json or {}
-  metadata.save()
-
-
-def retrieve_robot_token(robot):
-  """ Returns the decrypted token for the given robot. """
-  try:
-    token = RobotAccountToken.get(robot_account=robot).token.decrypt()
-  except RobotAccountToken.DoesNotExist:
-    if ActiveDataMigration.has_flag(ERTMigrationFlags.READ_OLD_FIELDS):
-      # For legacy only.
-      token = robot.email
-    else:
-      raise
-
-  return token
-
-
-def get_robot_and_metadata(robot_shortname, parent):
-  """ Returns a tuple of the robot matching the given shortname, its token, and its metadata. """
-  robot_username = format_robot_username(parent.username, robot_shortname)
-  robot, metadata = lookup_robot_and_metadata(robot_username)
-  token = retrieve_robot_token(robot)
-  return robot, token, metadata
-
-
-def lookup_robot(robot_username):
-  try:
-    return User.get(username=robot_username, robot=True)
-  except User.DoesNotExist:
-    raise InvalidRobotException('Could not find robot with username: %s' % robot_username)
-
-
-def lookup_robot_and_metadata(robot_username):
-  robot = lookup_robot(robot_username)
-  return robot, get_or_create_robot_metadata(robot)
-
-
-def get_matching_robots(name_prefix, username, limit=10):
-  admined_orgs = (_basequery.get_user_organizations(username)
-                  .switch(Team)
-                  .join(TeamRole)
-                  .where(TeamRole.name == 'admin'))
-
-  prefix_checks = False
-
-  for org in admined_orgs:
-    org_search =  prefix_search(User.username, org.username + '+' + name_prefix)
-    prefix_checks = prefix_checks | org_search
-
-  user_search =  prefix_search(User.username, username + '+' + name_prefix)
-  prefix_checks = prefix_checks | user_search
-
-  return User.select().where(prefix_checks).limit(limit)
-
-
-def verify_robot(robot_username, password):
-  try:
-    password = remove_unicode(password)
-  except UnicodeEncodeError:
-    msg = ('Could not find robot with username: %s and supplied password.' %
-            robot_username)
-    raise InvalidRobotException(msg)
-
-  result = parse_robot_username(robot_username)
-  if result is None:
-    raise InvalidRobotException('%s is an invalid robot name' % robot_username)
-
-  robot = lookup_robot(robot_username)
-  assert robot.robot
-
-  # Lookup the token for the robot.
-  try:
-    token_data = RobotAccountToken.get(robot_account=robot)
-    if not token_data.token.matches(password):
-      msg = ('Could not find robot with username: %s and supplied password.' %
-             robot_username)
-      raise InvalidRobotException(msg)
-  except RobotAccountToken.DoesNotExist:
-    # TODO(remove-unenc): Remove once migrated.
-    if not ActiveDataMigration.has_flag(ERTMigrationFlags.READ_OLD_FIELDS):
-      raise InvalidRobotException(msg)
-
-    if password.find('robot:') >= 0:
-      # Just to be sure.
-      raise InvalidRobotException(msg)
-
-    query = (User
-             .select()
-             .join(FederatedLogin)
-             .join(LoginService)
-             .where(FederatedLogin.service_ident == password, LoginService.name == 'quayrobot',
-                    User.username == robot_username))
-
-    try:
-      robot = query.get()
-    except User.DoesNotExist:
-      msg = ('Could not find robot with username: %s and supplied password.' %
-             robot_username)
-      raise InvalidRobotException(msg)
-
-  # Find the owner user and ensure it is not disabled.
-  try:
-    owner = User.get(User.username == result[0])
-  except User.DoesNotExist:
-    raise InvalidRobotException('Robot %s owner does not exist' % robot_username)
-
-  if not owner.enabled:
-    raise InvalidRobotException('This user has been disabled. Please contact your administrator.')
-
-  # Mark that the robot was accessed.
-  _basequery.update_last_accessed(robot)
-
-  return robot
-
-def regenerate_robot_token(robot_shortname, parent):
-  robot_username = format_robot_username(parent.username, robot_shortname)
-
-  robot, metadata = lookup_robot_and_metadata(robot_username)
-  password = random_string_generator(length=64)()
-  robot.email = str(uuid4())
-  robot.uuid = str(uuid4())
-
-  service = LoginService.get(name='quayrobot')
-  login = FederatedLogin.get(FederatedLogin.user == robot, FederatedLogin.service == service)
-  login.service_ident = 'robot:%s' % (robot.id)
-
-  try:
-    token_data = RobotAccountToken.get(robot_account=robot)
-  except RobotAccountToken.DoesNotExist:
-    token_data = RobotAccountToken.create(robot_account=robot)
-
-  token_data.token = password
-
-  with db_transaction():
-    token_data.save()
-    login.save()
-    robot.save()
-
-  return robot, password, metadata
-
-
-def delete_robot(robot_username):
-  try:
-    robot = User.get(username=robot_username, robot=True)
-    robot.delete_instance(recursive=True, delete_nullable=True)
-
-  except User.DoesNotExist:
-    raise InvalidRobotException('Could not find robot with username: %s' %
-                                robot_username)
-
-
-def list_namespace_robots(namespace):
-  """ Returns all the robots found under the given namespace. """
-  return _list_entity_robots(namespace)
-
-
-def _list_entity_robots(entity_name, include_metadata=True, include_token=True):
-  """ Return the list of robots for the specified entity. This MUST return a query, not a
-      materialized list so that callers can use db_for_update.
-  """
-  # TODO(remove-unenc): Remove FederatedLogin and LEFT_OUTER on RobotAccountToken once migration
-  # is complete.
-  if include_metadata or include_token:
-      query = (User
-               .select(User, RobotAccountToken, FederatedLogin, RobotAccountMetadata)
-               .join(FederatedLogin)
-               .switch(User)
-               .join(RobotAccountMetadata, JOIN.LEFT_OUTER)
-               .switch(User)
-               .join(RobotAccountToken, JOIN.LEFT_OUTER)
-               .where(User.robot == True, User.username ** (entity_name + '+%')))
-  else:
-      query = (User
-               .select(User)
-               .where(User.robot == True, User.username ** (entity_name + '+%')))
-
-  return query
-
-
-def list_entity_robot_permission_teams(entity_name, limit=None, include_permissions=False):
-  query = (_list_entity_robots(entity_name))
-
-  # TODO(remove-unenc): Remove FederatedLogin once migration is complete.
-  fields = [User.username, User.creation_date, User.last_accessed, RobotAccountToken.token,
-            FederatedLogin.service_ident, RobotAccountMetadata.description,
-            RobotAccountMetadata.unstructured_json]
-  if include_permissions:
-    query = (query
-             .join(RepositoryPermission, JOIN.LEFT_OUTER,
-                   on=(RepositoryPermission.user == FederatedLogin.user))
-             .join(Repository, JOIN.LEFT_OUTER)
-             .switch(User)
-             .join(TeamMember, JOIN.LEFT_OUTER)
-             .join(Team, JOIN.LEFT_OUTER))
-
-    fields.append(Repository.name)
-    fields.append(Team.name)
-
-  query = query.limit(limit).order_by(User.last_accessed.desc())
-  return TupleSelector(query, fields)
-
-
-def update_user_metadata(user, metadata=None):
-  """ Updates the metadata associated with the user, including his/her name and company. """
-  metadata = metadata if metadata is not None else {}
-
-  with db_transaction():
-    if 'given_name' in metadata:
-      user.given_name = metadata['given_name']
-
-    if 'family_name' in metadata:
-      user.family_name = metadata['family_name']
-
-    if 'company' in metadata:
-      user.company = metadata['company']
-
-    if 'location' in metadata:
-      user.location = metadata['location']
-
-    user.save()
-
-    # Remove any prompts associated with the user's metadata being needed.
-    remove_user_prompt(user, UserPromptTypes.ENTER_NAME)
-    remove_user_prompt(user, UserPromptTypes.ENTER_COMPANY)
-
-
-def _get_login_service(service_id):
-  try:
-    return LoginService.get(LoginService.name == service_id)
-  except LoginService.DoesNotExist:
-    return LoginService.create(name=service_id)
-
-
-def create_federated_user(username, email, service_id, service_ident,
-                          set_password_notification, metadata={},
-                          email_required=True, confirm_username=True,
-                          prompts=tuple()):
-  prompts = set(prompts)
-
-  if confirm_username:
-    prompts.add(UserPromptTypes.CONFIRM_USERNAME)
-
-  new_user = create_user_noverify(username, email, email_required=email_required, prompts=prompts)
-  new_user.verified = True
-  new_user.save()
-
-  FederatedLogin.create(user=new_user, service=_get_login_service(service_id),
-                        service_ident=service_ident,
-                        metadata_json=json.dumps(metadata))
-
-  if set_password_notification:
-    notification.create_notification('password_required', new_user)
-
-  return new_user
-
-
-def attach_federated_login(user, service_id, service_ident, metadata=None):
-  service = _get_login_service(service_id)
-  FederatedLogin.create(user=user, service=service, service_ident=service_ident,
-                        metadata_json=json.dumps(metadata or {}))
-  return user
-
-
-def verify_federated_login(service_id, service_ident):
-  try:
-    found = (FederatedLogin
-             .select(FederatedLogin, User)
-             .join(LoginService)
-             .switch(FederatedLogin).join(User)
-             .where(FederatedLogin.service_ident == service_ident, LoginService.name == service_id)
-             .get())
-
-    # Mark that the user was accessed.
-    _basequery.update_last_accessed(found.user)
-
-    return found.user
-  except FederatedLogin.DoesNotExist:
-    return None
-
-
-def list_federated_logins(user):
-  selected = FederatedLogin.select(FederatedLogin.service_ident,
-                                   LoginService.name, FederatedLogin.metadata_json)
-  joined = selected.join(LoginService)
-  return joined.where(LoginService.name != 'quayrobot',
-                      FederatedLogin.user == user)
-
-
-def lookup_federated_login(user, service_name):
-  try:
-    return list_federated_logins(user).where(LoginService.name == service_name).get()
-  except FederatedLogin.DoesNotExist:
-    return None
-
-
-def create_confirm_email_code(user, new_email=None):
-  if new_email:
-    if not validate_email(new_email):
-      raise InvalidEmailAddressException('Invalid email address: %s' %
-                                         new_email)
-
-  verification_code, unhashed = Credential.generate()
-  code = EmailConfirmation.create(user=user,
-                                  email_confirm=True,
-                                  new_email=new_email,
-                                  verification_code=verification_code)
-  return encode_public_private_token(code.code, unhashed)
-
-
-def confirm_user_email(token):
-  # TODO(remove-unenc): Remove allow_public_only once migrated.
-  allow_public_only = ActiveDataMigration.has_flag(ERTMigrationFlags.READ_OLD_FIELDS)
-  result = decode_public_private_token(token, allow_public_only=allow_public_only)
-  if not result:
-    raise DataModelException('Invalid email confirmation code')
-
-  try:
-    code = EmailConfirmation.get(EmailConfirmation.code == result.public_code,
-                                 EmailConfirmation.email_confirm == True)
-  except EmailConfirmation.DoesNotExist:
-    raise DataModelException('Invalid email confirmation code')
-
-  if result.private_token and not code.verification_code.matches(result.private_token):
-    raise DataModelException('Invalid email confirmation code')
-
-  user = code.user
-  user.verified = True
-
-  old_email = None
-  new_email = code.new_email
-  if new_email and new_email != old_email:
-    if find_user_by_email(new_email):
-      raise DataModelException('E-mail address already used')
-
-    old_email = user.email
-    user.email = new_email
-
-  with db_transaction():
-    user.save()
-    code.delete_instance()
-
-  return user, new_email, old_email
-
-
-def create_reset_password_email_code(email):
-  try:
-    user = User.get(User.email == email)
-  except User.DoesNotExist:
-    raise InvalidEmailAddressException('Email address was not found')
-
-  if user.organization:
-    raise InvalidEmailAddressException('Organizations can not have passwords')
-
-  verification_code, unhashed = Credential.generate()
-  code = EmailConfirmation.create(user=user, pw_reset=True, verification_code=verification_code)
-  return encode_public_private_token(code.code, unhashed)
-
-
-def validate_reset_code(token):
-  # TODO(remove-unenc): Remove allow_public_only once migrated.
-  allow_public_only = ActiveDataMigration.has_flag(ERTMigrationFlags.READ_OLD_FIELDS)
-  result = decode_public_private_token(token, allow_public_only=allow_public_only)
-  if not result:
-    return None
-
-  # Find the reset code.
-  try:
-    code = EmailConfirmation.get(EmailConfirmation.code == result.public_code,
-                                 EmailConfirmation.pw_reset == True)
-  except EmailConfirmation.DoesNotExist:
-    return None
-
-  if result.private_token and not code.verification_code.matches(result.private_token):
-    return None
-
-  # Make sure the code is not expired.
-  max_lifetime_duration = convert_to_timedelta(config.app_config['USER_RECOVERY_TOKEN_LIFETIME'])
-  if code.created + max_lifetime_duration < datetime.now():
-    code.delete_instance()
-    return None
-
-  # Verify the user and return the code.
-  user = code.user
-
-  with db_transaction():
-    if not user.verified:
-      user.verified = True
-      user.save()
-
-    code.delete_instance()
-
-  return user
-
-
 def find_user_by_email(email):
-  try:
-    return User.get(User.email == email)
-  except User.DoesNotExist:
-    return None
+    try:
+        return User.get(User.email == email)
+    except User.DoesNotExist:
+        return None
 
 
 def get_nonrobot_user(username):
-  try:
-    return User.get(User.username == username, User.organization == False, User.robot == False)
-  except User.DoesNotExist:
-    return None
+    try:
+        return User.get(
+            User.username == username, User.organization == False, User.robot == False
+        )
+    except User.DoesNotExist:
+        return None
 
 
 def get_user(username):
-  try:
-    return User.get(User.username == username, User.organization == False)
-  except User.DoesNotExist:
-    return None
+    try:
+        return User.get(User.username == username, User.organization == False)
+    except User.DoesNotExist:
+        return None
 
 
 def get_namespace_user(username):
-  try:
-    return User.get(User.username == username)
-  except User.DoesNotExist:
-    return None
+    try:
+        return User.get(User.username == username)
+    except User.DoesNotExist:
+        return None
 
 
 def get_user_or_org(username):
-  try:
-    return User.get(User.username == username, User.robot == False)
-  except User.DoesNotExist:
-    return None
+    try:
+        return User.get(User.username == username, User.robot == False)
+    except User.DoesNotExist:
+        return None
 
 
 def get_user_by_id(user_db_id):
-  try:
-    return User.get(User.id == user_db_id, User.organization == False)
-  except User.DoesNotExist:
-    return None
+    try:
+        return User.get(User.id == user_db_id, User.organization == False)
+    except User.DoesNotExist:
+        return None
 
 
 def get_user_map_by_ids(namespace_ids):
-  id_user = {namespace_id: None for namespace_id in namespace_ids}
-  users = User.select().where(User.id << namespace_ids, User.organization == False)
-  for user in users:
-    id_user[user.id] = user
+    id_user = {namespace_id: None for namespace_id in namespace_ids}
+    users = User.select().where(User.id << namespace_ids, User.organization == False)
+    for user in users:
+        id_user[user.id] = user
+
+    return id_user
 
-  return id_user
 
 def get_namespace_user_by_user_id(namespace_user_db_id):
-  try:
-    return User.get(User.id == namespace_user_db_id, User.robot == False)
-  except User.DoesNotExist:
-    raise InvalidUsernameException('User with id does not exist: %s' % namespace_user_db_id)
+    try:
+        return User.get(User.id == namespace_user_db_id, User.robot == False)
+    except User.DoesNotExist:
+        raise InvalidUsernameException(
+            "User with id does not exist: %s" % namespace_user_db_id
+        )
 
 
 def get_namespace_by_user_id(namespace_user_db_id):
-  try:
-    return User.get(User.id == namespace_user_db_id, User.robot == False).username
-  except User.DoesNotExist:
-    raise InvalidUsernameException('User with id does not exist: %s' % namespace_user_db_id)
+    try:
+        return User.get(User.id == namespace_user_db_id, User.robot == False).username
+    except User.DoesNotExist:
+        raise InvalidUsernameException(
+            "User with id does not exist: %s" % namespace_user_db_id
+        )
 
 
 def get_user_by_uuid(user_uuid):
-  try:
-    return User.get(User.uuid == user_uuid, User.organization == False)
-  except User.DoesNotExist:
-    return None
+    try:
+        return User.get(User.uuid == user_uuid, User.organization == False)
+    except User.DoesNotExist:
+        return None
 
 
 def get_user_or_org_by_customer_id(customer_id):
-  try:
-    return User.get(User.stripe_id == customer_id)
-  except User.DoesNotExist:
-    return None
+    try:
+        return User.get(User.stripe_id == customer_id)
+    except User.DoesNotExist:
+        return None
+
 
 def invalidate_all_sessions(user):
-  """ Invalidates all existing user sessions by rotating the user's UUID. """
-  if not user:
-    return
+    """ Invalidates all existing user sessions by rotating the user's UUID. """
+    if not user:
+        return
+
+    user.uuid = str(uuid4())
+    user.save()
 
-  user.uuid = str(uuid4())
-  user.save()
 
 def get_matching_user_namespaces(namespace_prefix, username, limit=10):
-  namespace_user = get_namespace_user(username)
-  namespace_user_id = namespace_user.id if namespace_user is not None else None
+    namespace_user = get_namespace_user(username)
+    namespace_user_id = namespace_user.id if namespace_user is not None else None
 
-  namespace_search = prefix_search(Namespace.username, namespace_prefix)
-  base_query = (Namespace
-                .select()
-                .distinct()
-                .join(Repository, on=(Repository.namespace_user == Namespace.id))
-                .join(RepositoryPermission, JOIN.LEFT_OUTER)
-                .where(namespace_search))
+    namespace_search = prefix_search(Namespace.username, namespace_prefix)
+    base_query = (
+        Namespace.select()
+        .distinct()
+        .join(Repository, on=(Repository.namespace_user == Namespace.id))
+        .join(RepositoryPermission, JOIN.LEFT_OUTER)
+        .where(namespace_search)
+    )
 
-  return _basequery.filter_to_repos_for_user(base_query, namespace_user_id).limit(limit)
+    return _basequery.filter_to_repos_for_user(base_query, namespace_user_id).limit(
+        limit
+    )
 
-def get_matching_users(username_prefix, robot_namespace=None, organization=None, limit=20,
-                       exact_matches_only=False):
-  # Lookup the exact match first. This ensures that the exact match is not cut off by the list
-  # limit.
-  updated_limit = limit
-  exact_match = list(_get_matching_users(username_prefix, robot_namespace, organization, limit=1,
-                                         exact_matches_only=True))
-  if exact_match:
-    updated_limit -= 1
-    yield exact_match[0]
 
-  # Perform the remainder of the lookup.
-  if updated_limit:
-    for result in _get_matching_users(username_prefix, robot_namespace, organization, updated_limit,
-                                      exact_matches_only):
-      if exact_match and result.username == exact_match[0].username:
-        continue
+def get_matching_users(
+    username_prefix,
+    robot_namespace=None,
+    organization=None,
+    limit=20,
+    exact_matches_only=False,
+):
+    # Lookup the exact match first. This ensures that the exact match is not cut off by the list
+    # limit.
+    updated_limit = limit
+    exact_match = list(
+        _get_matching_users(
+            username_prefix,
+            robot_namespace,
+            organization,
+            limit=1,
+            exact_matches_only=True,
+        )
+    )
+    if exact_match:
+        updated_limit -= 1
+        yield exact_match[0]
 
-      yield result
+    # Perform the remainder of the lookup.
+    if updated_limit:
+        for result in _get_matching_users(
+            username_prefix,
+            robot_namespace,
+            organization,
+            updated_limit,
+            exact_matches_only,
+        ):
+            if exact_match and result.username == exact_match[0].username:
+                continue
 
-def _get_matching_users(username_prefix, robot_namespace=None, organization=None, limit=20,
-                        exact_matches_only=False):
-  user_search = prefix_search(User.username, username_prefix)
-  if exact_matches_only:
-    user_search = (User.username == username_prefix)
+            yield result
 
-  direct_user_query = (user_search & (User.organization == False) & (User.robot == False))
 
-  if robot_namespace:
-    robot_prefix = format_robot_username(robot_namespace, username_prefix)
-    robot_search = prefix_search(User.username, robot_prefix)
-    direct_user_query = ((robot_search & (User.robot == True)) | direct_user_query)
+def _get_matching_users(
+    username_prefix,
+    robot_namespace=None,
+    organization=None,
+    limit=20,
+    exact_matches_only=False,
+):
+    user_search = prefix_search(User.username, username_prefix)
+    if exact_matches_only:
+        user_search = User.username == username_prefix
 
-  query = (User
-           .select(User.id, User.username, User.email, User.robot)
-           .group_by(User.id, User.username, User.email, User.robot)
-           .where(direct_user_query))
+    direct_user_query = (
+        user_search & (User.organization == False) & (User.robot == False)
+    )
 
-  if organization:
-    query = (query
-             .select(User.id, User.username, User.email, User.robot, fn.Sum(Team.id))
-             .join(TeamMember, JOIN.LEFT_OUTER)
-             .join(Team, JOIN.LEFT_OUTER, on=((Team.id == TeamMember.team) &
-                                              (Team.organization == organization)))
-             .order_by(User.robot.desc()))
+    if robot_namespace:
+        robot_prefix = format_robot_username(robot_namespace, username_prefix)
+        robot_search = prefix_search(User.username, robot_prefix)
+        direct_user_query = (robot_search & (User.robot == True)) | direct_user_query
 
-  class MatchingUserResult(object):
-    def __init__(self, *args):
-      self.id = args[0]
-      self.username = args[1]
-      self.email = args[2]
-      self.robot = args[3]
+    query = (
+        User.select(User.id, User.username, User.email, User.robot)
+        .group_by(User.id, User.username, User.email, User.robot)
+        .where(direct_user_query)
+    )
 
-      if organization:
-        self.is_org_member = (args[3] != None)
-      else:
-        self.is_org_member = None
+    if organization:
+        query = (
+            query.select(
+                User.id, User.username, User.email, User.robot, fn.Sum(Team.id)
+            )
+            .join(TeamMember, JOIN.LEFT_OUTER)
+            .join(
+                Team,
+                JOIN.LEFT_OUTER,
+                on=((Team.id == TeamMember.team) & (Team.organization == organization)),
+            )
+            .order_by(User.robot.desc())
+        )
 
-  return (MatchingUserResult(*args) for args in query.tuples().limit(limit))
+    class MatchingUserResult(object):
+        def __init__(self, *args):
+            self.id = args[0]
+            self.username = args[1]
+            self.email = args[2]
+            self.robot = args[3]
+
+            if organization:
+                self.is_org_member = args[3] != None
+            else:
+                self.is_org_member = None
+
+    return (MatchingUserResult(*args) for args in query.tuples().limit(limit))
 
 
 def verify_user(username_or_email, password):
-  """ Verifies that the given username/email + password pair is valid. If the username or e-mail
+    """ Verifies that the given username/email + password pair is valid. If the username or e-mail
       address is invalid, returns None. If the password specified does not match for the given user,
       either returns None or raises TooManyLoginAttemptsException if there have been too many
       invalid login attempts. Returns the user object if the login was valid.
   """
 
-  # Make sure we didn't get any unicode for the username.
-  try:
-    str(username_or_email)
-  except ValueError:
-    return None
+    # Make sure we didn't get any unicode for the username.
+    try:
+        str(username_or_email)
+    except ValueError:
+        return None
 
-  # Fetch the user with the matching username or e-mail address.
-  try:
-    fetched = User.get((User.username == username_or_email) | (User.email == username_or_email))
-  except User.DoesNotExist:
-    return None
+    # Fetch the user with the matching username or e-mail address.
+    try:
+        fetched = User.get(
+            (User.username == username_or_email) | (User.email == username_or_email)
+        )
+    except User.DoesNotExist:
+        return None
 
-  # If the user has any invalid login attempts, check to see if we are within the exponential
-  # backoff window for the user. If so, we raise an exception indicating that the user cannot
-  # login.
-  now = datetime.utcnow()
-  if fetched.invalid_login_attempts > 0:
-    can_retry_at = exponential_backoff(fetched.invalid_login_attempts, EXPONENTIAL_BACKOFF_SCALE,
-                                       fetched.last_invalid_login)
-
-    if can_retry_at > now:
-      retry_after = can_retry_at - now
-      raise TooManyLoginAttemptsException('Too many login attempts.', retry_after.total_seconds())
-
-  # Hash the given password and compare it to the specified password.
-  if (fetched.password_hash and
-      hash_password(password, fetched.password_hash) == fetched.password_hash):
-
-    # If the user previously had any invalid login attempts, clear them out now.
+    # If the user has any invalid login attempts, check to see if we are within the exponential
+    # backoff window for the user. If so, we raise an exception indicating that the user cannot
+    # login.
+    now = datetime.utcnow()
     if fetched.invalid_login_attempts > 0:
-      try:
-        (User
-         .update(invalid_login_attempts=0)
-         .where(User.id == fetched.id)
-         .execute())
+        can_retry_at = exponential_backoff(
+            fetched.invalid_login_attempts,
+            EXPONENTIAL_BACKOFF_SCALE,
+            fetched.last_invalid_login,
+        )
 
-        # Mark that the user was accessed.
-        _basequery.update_last_accessed(fetched)
-      except ReadOnlyModeException:
+        if can_retry_at > now:
+            retry_after = can_retry_at - now
+            raise TooManyLoginAttemptsException(
+                "Too many login attempts.", retry_after.total_seconds()
+            )
+
+    # Hash the given password and compare it to the specified password.
+    if (
+        fetched.password_hash
+        and hash_password(password, fetched.password_hash) == fetched.password_hash
+    ):
+
+        # If the user previously had any invalid login attempts, clear them out now.
+        if fetched.invalid_login_attempts > 0:
+            try:
+                (
+                    User.update(invalid_login_attempts=0)
+                    .where(User.id == fetched.id)
+                    .execute()
+                )
+
+                # Mark that the user was accessed.
+                _basequery.update_last_accessed(fetched)
+            except ReadOnlyModeException:
+                pass
+
+        # Return the valid user.
+        return fetched
+
+    # Otherwise, update the user's invalid login attempts.
+    try:
+        (
+            User.update(
+                invalid_login_attempts=User.invalid_login_attempts + 1,
+                last_invalid_login=now,
+            )
+            .where(User.id == fetched.id)
+            .execute()
+        )
+    except ReadOnlyModeException:
         pass
 
-    # Return the valid user.
-    return fetched
-
-  # Otherwise, update the user's invalid login attempts.
-  try:
-    (User
-     .update(invalid_login_attempts=User.invalid_login_attempts+1, last_invalid_login=now)
-     .where(User.id == fetched.id)
-     .execute())
-  except ReadOnlyModeException:
-    pass
-
-  # We weren't able to authorize the user
-  return None
+    # We weren't able to authorize the user
+    return None
 
 
 def get_all_repo_users(namespace_name, repository_name):
-  return (RepositoryPermission
-          .select(User, Role, RepositoryPermission)
-          .join(User)
-          .switch(RepositoryPermission)
-          .join(Role)
-          .switch(RepositoryPermission)
-          .join(Repository)
-          .join(Namespace, on=(Repository.namespace_user == Namespace.id))
-          .where(Namespace.username == namespace_name, Repository.name == repository_name))
+    return (
+        RepositoryPermission.select(User, Role, RepositoryPermission)
+        .join(User)
+        .switch(RepositoryPermission)
+        .join(Role)
+        .switch(RepositoryPermission)
+        .join(Repository)
+        .join(Namespace, on=(Repository.namespace_user == Namespace.id))
+        .where(Namespace.username == namespace_name, Repository.name == repository_name)
+    )
 
 
 def get_all_repo_users_transitive_via_teams(namespace_name, repository_name):
-  return (User
-          .select()
-          .distinct()
-          .join(TeamMember)
-          .join(Team)
-          .join(RepositoryPermission)
-          .join(Repository)
-          .join(Namespace, on=(Repository.namespace_user == Namespace.id))
-          .where(Namespace.username == namespace_name, Repository.name == repository_name))
+    return (
+        User.select()
+        .distinct()
+        .join(TeamMember)
+        .join(Team)
+        .join(RepositoryPermission)
+        .join(Repository)
+        .join(Namespace, on=(Repository.namespace_user == Namespace.id))
+        .where(Namespace.username == namespace_name, Repository.name == repository_name)
+    )
 
 
 def get_all_repo_users_transitive(namespace_name, repository_name):
-  # Load the users found via teams and directly via permissions.
-  via_teams = get_all_repo_users_transitive_via_teams(namespace_name, repository_name)
-  directly = [perm.user for perm in get_all_repo_users(namespace_name, repository_name)]
+    # Load the users found via teams and directly via permissions.
+    via_teams = get_all_repo_users_transitive_via_teams(namespace_name, repository_name)
+    directly = [
+        perm.user for perm in get_all_repo_users(namespace_name, repository_name)
+    ]
 
-  # Filter duplicates.
-  user_set = set()
+    # Filter duplicates.
+    user_set = set()
 
-  def check_add(u):
-    if u.username in user_set:
-      return False
+    def check_add(u):
+        if u.username in user_set:
+            return False
 
-    user_set.add(u.username)
-    return True
+        user_set.add(u.username)
+        return True
 
-  return [user for user in list(directly) + list(via_teams) if check_add(user)]
+    return [user for user in list(directly) + list(via_teams) if check_add(user)]
 
 
 def get_private_repo_count(username):
-  return (Repository
-          .select()
-          .join(Visibility)
-          .switch(Repository)
-          .join(Namespace, on=(Repository.namespace_user == Namespace.id))
-          .where(Namespace.username == username, Visibility.name == 'private')
-          .count())
+    return (
+        Repository.select()
+        .join(Visibility)
+        .switch(Repository)
+        .join(Namespace, on=(Repository.namespace_user == Namespace.id))
+        .where(Namespace.username == username, Visibility.name == "private")
+        .count()
+    )
 
 
 def get_active_users(disabled=True, deleted=False):
-  query = (User
-           .select()
-           .where(User.organization == False, User.robot == False))
+    query = User.select().where(User.organization == False, User.robot == False)
 
-  if not disabled:
-    query = query.where(User.enabled == True)
+    if not disabled:
+        query = query.where(User.enabled == True)
 
-  if not deleted:
-    query = query.where(User.id.not_in(DeletedNamespace.select(DeletedNamespace.namespace)))
+    if not deleted:
+        query = query.where(
+            User.id.not_in(DeletedNamespace.select(DeletedNamespace.namespace))
+        )
 
-  return query
+    return query
 
 
 def get_active_user_count():
-  return get_active_users().count()
+    return get_active_users().count()
 
 
 def get_robot_count():
-  return User.select().where(User.robot == True).count()
+    return User.select().where(User.robot == True).count()
 
 
 def detach_external_login(user, service_name):
-  try:
-    service = LoginService.get(name=service_name)
-  except LoginService.DoesNotExist:
-    return
+    try:
+        service = LoginService.get(name=service_name)
+    except LoginService.DoesNotExist:
+        return
 
-  FederatedLogin.delete().where(FederatedLogin.user == user,
-                                FederatedLogin.service == service).execute()
+    FederatedLogin.delete().where(
+        FederatedLogin.user == user, FederatedLogin.service == service
+    ).execute()
 
 
 def get_solely_admined_organizations(user_obj):
-  """ Returns the organizations admined solely by the given user. """
-  orgs = (User.select()
-          .where(User.organization == True)
-          .join(Team)
-          .join(TeamRole)
-          .where(TeamRole.name == 'admin')
-          .switch(Team)
-          .join(TeamMember)
-          .where(TeamMember.user == user_obj)
-          .distinct())
+    """ Returns the organizations admined solely by the given user. """
+    orgs = (
+        User.select()
+        .where(User.organization == True)
+        .join(Team)
+        .join(TeamRole)
+        .where(TeamRole.name == "admin")
+        .switch(Team)
+        .join(TeamMember)
+        .where(TeamMember.user == user_obj)
+        .distinct()
+    )
 
-  # Filter to organizations where the user is the sole admin.
-  solely_admined = []
-  for org in orgs:
-    admin_user_count = (TeamMember.select()
-                        .join(Team)
-                        .join(TeamRole)
-                        .where(Team.organization == org, TeamRole.name == 'admin')
-                        .switch(TeamMember)
-                        .join(User)
-                        .where(User.robot == False)
-                        .distinct()
-                        .count())
+    # Filter to organizations where the user is the sole admin.
+    solely_admined = []
+    for org in orgs:
+        admin_user_count = (
+            TeamMember.select()
+            .join(Team)
+            .join(TeamRole)
+            .where(Team.organization == org, TeamRole.name == "admin")
+            .switch(TeamMember)
+            .join(User)
+            .where(User.robot == False)
+            .distinct()
+            .count()
+        )
 
-    if admin_user_count == 1:
-      solely_admined.append(org)
+        if admin_user_count == 1:
+            solely_admined.append(org)
 
-  return solely_admined
+    return solely_admined
 
 
 def mark_namespace_for_deletion(user, queues, namespace_gc_queue, force=False):
-  """ Marks a namespace (as referenced by the given user) for deletion. A queue item will be added
+    """ Marks a namespace (as referenced by the given user) for deletion. A queue item will be added
       to delete the namespace's repositories and storage, while the namespace itself will be
       renamed, disabled, and delinked from other tables.
   """
-  if not user.enabled:
-    return None
+    if not user.enabled:
+        return None
 
-  if not force and not user.organization:
-    # Ensure that the user is not the sole admin for any organizations. If so, then the user
-    # cannot be deleted before those organizations are deleted or reassigned.
-    organizations = get_solely_admined_organizations(user)
-    if len(organizations) > 0:
-      message = 'Cannot delete %s as you are the only admin for organizations: ' % user.username
-      for index, org in enumerate(organizations):
-        if index > 0:
-          message = message + ', '
+    if not force and not user.organization:
+        # Ensure that the user is not the sole admin for any organizations. If so, then the user
+        # cannot be deleted before those organizations are deleted or reassigned.
+        organizations = get_solely_admined_organizations(user)
+        if len(organizations) > 0:
+            message = (
+                "Cannot delete %s as you are the only admin for organizations: "
+                % user.username
+            )
+            for index, org in enumerate(organizations):
+                if index > 0:
+                    message = message + ", "
 
-        message = message + org.username
+                message = message + org.username
 
-      raise DataModelException(message)
+            raise DataModelException(message)
 
-  # Delete all queue items for the user.
-  for queue in queues:
-    queue.delete_namespaced_items(user.username)
+    # Delete all queue items for the user.
+    for queue in queues:
+        queue.delete_namespaced_items(user.username)
 
-  # Delete non-repository related items. This operation is very quick, so we can do so here.
-  _delete_user_linked_data(user)
+    # Delete non-repository related items. This operation is very quick, so we can do so here.
+    _delete_user_linked_data(user)
 
-  with db_transaction():
-    original_username = user.username
-    user = db_for_update(User.select().where(User.id == user.id)).get()
+    with db_transaction():
+        original_username = user.username
+        user = db_for_update(User.select().where(User.id == user.id)).get()
 
-    # Mark the namespace as deleted and ready for GC.
-    try:
-      marker = DeletedNamespace.create(namespace=user,
-                                       original_username=original_username,
-                                       original_email=user.email)
-    except IntegrityError:
-      return
-    
-    # Disable the namespace itself, and replace its various unique fields with UUIDs.
-    user.enabled = False
-    user.username = str(uuid4())
-    user.email = str(uuid4())
-    user.save()
+        # Mark the namespace as deleted and ready for GC.
+        try:
+            marker = DeletedNamespace.create(
+                namespace=user,
+                original_username=original_username,
+                original_email=user.email,
+            )
+        except IntegrityError:
+            return
 
-  # Add a queueitem to delete the namespace.
-  marker.queue_id = namespace_gc_queue.put([str(user.id)], json.dumps({
-    'marker_id': marker.id,
-    'original_username': original_username,
-  }))
-  marker.save()
-  return marker.id
+        # Disable the namespace itself, and replace its various unique fields with UUIDs.
+        user.enabled = False
+        user.username = str(uuid4())
+        user.email = str(uuid4())
+        user.save()
+
+    # Add a queueitem to delete the namespace.
+    marker.queue_id = namespace_gc_queue.put(
+        [str(user.id)],
+        json.dumps({"marker_id": marker.id, "original_username": original_username}),
+    )
+    marker.save()
+    return marker.id
 
 
 def delete_namespace_via_marker(marker_id, queues):
-  """ Deletes a namespace referenced by the given DeletedNamespace marker ID. """
-  try:
-    marker = DeletedNamespace.get(id=marker_id)
-  except DeletedNamespace.DoesNotExist:
-    return
+    """ Deletes a namespace referenced by the given DeletedNamespace marker ID. """
+    try:
+        marker = DeletedNamespace.get(id=marker_id)
+    except DeletedNamespace.DoesNotExist:
+        return
 
-  delete_user(marker.namespace, queues)
+    delete_user(marker.namespace, queues)
 
 
 def delete_user(user, queues):
-  """ Deletes a user/organization/robot. Should *not* be called by any user-facing API. Instead,
+    """ Deletes a user/organization/robot. Should *not* be called by any user-facing API. Instead,
       mark_namespace_for_deletion should be used, and the queue should call this method.
   """
-  # Delete all queue items for the user.
-  for queue in queues:
-    queue.delete_namespaced_items(user.username)
+    # Delete all queue items for the user.
+    for queue in queues:
+        queue.delete_namespaced_items(user.username)
 
-  # Delete any repositories under the user's namespace.
-  for repo in list(Repository.select().where(Repository.namespace_user == user)):
-    gc.purge_repository(user.username, repo.name)
+    # Delete any repositories under the user's namespace.
+    for repo in list(Repository.select().where(Repository.namespace_user == user)):
+        gc.purge_repository(user.username, repo.name)
 
-  # Delete non-repository related items.
-  _delete_user_linked_data(user)
+    # Delete non-repository related items.
+    _delete_user_linked_data(user)
 
-  # Delete the user itself.
-  user.delete_instance(recursive=True, delete_nullable=True)
+    # Delete the user itself.
+    user.delete_instance(recursive=True, delete_nullable=True)
 
 
 def _delete_user_linked_data(user):
-  if user.organization:
-    # Delete the organization's teams.
+    if user.organization:
+        # Delete the organization's teams.
+        with db_transaction():
+            for team in Team.select().where(Team.organization == user):
+                team.delete_instance(recursive=True)
+
+        # Delete any OAuth approvals and tokens associated with the user.
+        with db_transaction():
+            for app in OAuthApplication.select().where(
+                OAuthApplication.organization == user
+            ):
+                app.delete_instance(recursive=True)
+    else:
+        # Remove the user from any teams in which they are a member.
+        TeamMember.delete().where(TeamMember.user == user).execute()
+
+    # Delete any repository buildtriggers where the user is the connected user.
     with db_transaction():
-      for team in Team.select().where(Team.organization == user):
-        team.delete_instance(recursive=True)
+        triggers = RepositoryBuildTrigger.select().where(
+            RepositoryBuildTrigger.connected_user == user
+        )
+        for trigger in triggers:
+            trigger.delete_instance(recursive=True, delete_nullable=False)
 
-    # Delete any OAuth approvals and tokens associated with the user.
+    # Delete any mirrors with robots owned by this user.
     with db_transaction():
-      for app in OAuthApplication.select().where(OAuthApplication.organization == user):
-        app.delete_instance(recursive=True)
-  else:
-    # Remove the user from any teams in which they are a member.
-    TeamMember.delete().where(TeamMember.user == user).execute()
+        robots = list(list_namespace_robots(user.username))
+        RepoMirrorConfig.delete().where(
+            RepoMirrorConfig.internal_robot << robots
+        ).execute()
 
-  # Delete any repository buildtriggers where the user is the connected user.
-  with db_transaction():
-    triggers = RepositoryBuildTrigger.select().where(RepositoryBuildTrigger.connected_user == user)
-    for trigger in triggers:
-      trigger.delete_instance(recursive=True, delete_nullable=False)
+    # Delete any robots owned by this user.
+    with db_transaction():
+        robots = list(list_namespace_robots(user.username))
+        for robot in robots:
+            robot.delete_instance(recursive=True, delete_nullable=True)
 
-  # Delete any mirrors with robots owned by this user.
-  with db_transaction():
-    robots = list(list_namespace_robots(user.username))
-    RepoMirrorConfig.delete().where(RepoMirrorConfig.internal_robot << robots).execute()
-
-  # Delete any robots owned by this user.
-  with db_transaction():
-    robots = list(list_namespace_robots(user.username))
-    for robot in robots:
-      robot.delete_instance(recursive=True, delete_nullable=True)
-
-  # Null out any service key approvals. We technically lose information here, but its better than
-  # falling and only occurs if a superuser is being deleted.
-  ServiceKeyApproval.update(approver=None).where(ServiceKeyApproval.approver == user).execute()
+    # Null out any service key approvals. We technically lose information here, but its better than
+    # falling and only occurs if a superuser is being deleted.
+    ServiceKeyApproval.update(approver=None).where(
+        ServiceKeyApproval.approver == user
+    ).execute()
 
 
 def get_pull_credentials(robotname):
-  """ Returns the pull credentials for a robot with the given name. """
-  try:
-    robot = lookup_robot(robotname)
-  except InvalidRobotException:
-    return None
+    """ Returns the pull credentials for a robot with the given name. """
+    try:
+        robot = lookup_robot(robotname)
+    except InvalidRobotException:
+        return None
 
-  token = retrieve_robot_token(robot)
+    token = retrieve_robot_token(robot)
+
+    return {
+        "username": robot.username,
+        "password": token,
+        "registry": "%s://%s/v1/"
+        % (
+            config.app_config["PREFERRED_URL_SCHEME"],
+            config.app_config["SERVER_HOSTNAME"],
+        ),
+    }
 
-  return {
-    'username': robot.username,
-    'password': token,
-    'registry': '%s://%s/v1/' % (config.app_config['PREFERRED_URL_SCHEME'],
-                                 config.app_config['SERVER_HOSTNAME']),
-  }
 
 def get_region_locations(user):
-  """ Returns the locations defined as preferred storage for the given user. """
-  query = UserRegion.select().join(ImageStorageLocation).where(UserRegion.user == user)
-  return set([region.location.name for region in query])
+    """ Returns the locations defined as preferred storage for the given user. """
+    query = (
+        UserRegion.select().join(ImageStorageLocation).where(UserRegion.user == user)
+    )
+    return set([region.location.name for region in query])
+
 
 def get_federated_logins(user_ids, service_name):
-  """ Returns all federated logins for the given user ids under the given external service. """
-  if not user_ids:
-    return []
+    """ Returns all federated logins for the given user ids under the given external service. """
+    if not user_ids:
+        return []
 
-  return (FederatedLogin
-          .select()
-          .join(User)
-          .switch(FederatedLogin)
-          .join(LoginService)
-          .where(FederatedLogin.user << user_ids,
-                 LoginService.name == service_name))
+    return (
+        FederatedLogin.select()
+        .join(User)
+        .switch(FederatedLogin)
+        .join(LoginService)
+        .where(FederatedLogin.user << user_ids, LoginService.name == service_name)
+    )
 
 
 def list_namespace_geo_restrictions(namespace_name):
-  """ Returns all of the defined geographic restrictions for the given namespace. """
-  return (NamespaceGeoRestriction
-          .select()
-          .join(User)
-          .where(User.username == namespace_name))
+    """ Returns all of the defined geographic restrictions for the given namespace. """
+    return (
+        NamespaceGeoRestriction.select()
+        .join(User)
+        .where(User.username == namespace_name)
+    )
 
 
 def get_minimum_user_id():
-  return User.select(fn.Min(User.id)).tuples().get()[0]
+    return User.select(fn.Min(User.id)).tuples().get()[0]
 
 
 class LoginWrappedDBUser(UserMixin):
-  def __init__(self, user_uuid, db_user=None):
-    self._uuid = user_uuid
-    self._db_user = db_user
+    def __init__(self, user_uuid, db_user=None):
+        self._uuid = user_uuid
+        self._db_user = db_user
 
-  def db_user(self):
-    if not self._db_user:
-      self._db_user = get_user_by_uuid(self._uuid)
-    return self._db_user
+    def db_user(self):
+        if not self._db_user:
+            self._db_user = get_user_by_uuid(self._uuid)
+        return self._db_user
 
-  @property
-  def is_authenticated(self):
-    return self.db_user() is not None
+    @property
+    def is_authenticated(self):
+        return self.db_user() is not None
 
-  @property
-  def is_active(self):
-    return self.db_user() and self.db_user().verified
+    @property
+    def is_active(self):
+        return self.db_user() and self.db_user().verified
 
-  def get_id(self):
-    return unicode(self._uuid)
+    def get_id(self):
+        return unicode(self._uuid)
diff --git a/data/queue.py b/data/queue.py
index 289f4ad64..0a42a8320 100644
--- a/data/queue.py
+++ b/data/queue.py
@@ -12,367 +12,427 @@ DEFAULT_BATCH_SIZE = 1000
 
 
 class BuildMetricQueueReporter(object):
-  """ Metric queue reporter for the build system. """
-  def __init__(self, metric_queue):
-    self._metric_queue = metric_queue
+    """ Metric queue reporter for the build system. """
 
-  def __call__(self, currently_processing, running_count, total_count):
-    need_capacity_count = total_count - running_count
-    self._metric_queue.put_deprecated('BuildCapacityShortage', need_capacity_count, unit='Count')
-    self._metric_queue.build_capacity_shortage.Set(need_capacity_count)
+    def __init__(self, metric_queue):
+        self._metric_queue = metric_queue
 
-    building_percent = 100 if currently_processing else 0
-    self._metric_queue.percent_building.Set(building_percent)
+    def __call__(self, currently_processing, running_count, total_count):
+        need_capacity_count = total_count - running_count
+        self._metric_queue.put_deprecated(
+            "BuildCapacityShortage", need_capacity_count, unit="Count"
+        )
+        self._metric_queue.build_capacity_shortage.Set(need_capacity_count)
+
+        building_percent = 100 if currently_processing else 0
+        self._metric_queue.percent_building.Set(building_percent)
 
 
 class WorkQueue(object):
-  """ Work queue defines methods for interacting with a queue backed by the database. """
-  def __init__(self, queue_name, transaction_factory,
-               canonical_name_match_list=None, reporter=None, metric_queue=None,
-               has_namespace=False):
-    self._queue_name = queue_name
-    self._reporter = reporter
-    self._metric_queue = metric_queue
-    self._transaction_factory = transaction_factory
-    self._currently_processing = False
-    self._has_namespaced_items = has_namespace
+    """ Work queue defines methods for interacting with a queue backed by the database. """
 
-    if canonical_name_match_list is None:
-      self._canonical_name_match_list = []
-    else:
-      self._canonical_name_match_list = canonical_name_match_list
+    def __init__(
+        self,
+        queue_name,
+        transaction_factory,
+        canonical_name_match_list=None,
+        reporter=None,
+        metric_queue=None,
+        has_namespace=False,
+    ):
+        self._queue_name = queue_name
+        self._reporter = reporter
+        self._metric_queue = metric_queue
+        self._transaction_factory = transaction_factory
+        self._currently_processing = False
+        self._has_namespaced_items = has_namespace
 
-  @staticmethod
-  def _canonical_name(name_list):
-    return '/'.join(name_list) + '/'
+        if canonical_name_match_list is None:
+            self._canonical_name_match_list = []
+        else:
+            self._canonical_name_match_list = canonical_name_match_list
 
-  @classmethod
-  def _running_jobs(cls, now, name_match_query):
-    return (cls
-            ._running_jobs_where(QueueItem.select(QueueItem.queue_name), now)
-            .where(QueueItem.queue_name ** name_match_query))
+    @staticmethod
+    def _canonical_name(name_list):
+        return "/".join(name_list) + "/"
 
-  @classmethod
-  def _available_jobs(cls, now, name_match_query):
-    return (cls
-            ._available_jobs_where(QueueItem.select(), now)
-            .where(QueueItem.queue_name ** name_match_query))
+    @classmethod
+    def _running_jobs(cls, now, name_match_query):
+        return cls._running_jobs_where(
+            QueueItem.select(QueueItem.queue_name), now
+        ).where(QueueItem.queue_name ** name_match_query)
 
-  @staticmethod
-  def _running_jobs_where(query, now):
-    return query.where(QueueItem.available == False, QueueItem.processing_expires > now)
+    @classmethod
+    def _available_jobs(cls, now, name_match_query):
+        return cls._available_jobs_where(QueueItem.select(), now).where(
+            QueueItem.queue_name ** name_match_query
+        )
 
-  @staticmethod
-  def _available_jobs_where(query, now):
-    return query.where(QueueItem.available_after <= now,
-                       ((QueueItem.available == True) | (QueueItem.processing_expires <= now)),
-                       QueueItem.retries_remaining > 0)
+    @staticmethod
+    def _running_jobs_where(query, now):
+        return query.where(
+            QueueItem.available == False, QueueItem.processing_expires > now
+        )
 
-  @classmethod
-  def _available_jobs_not_running(cls, now, name_match_query, running_query):
-    return (cls
-            ._available_jobs(now, name_match_query)
-            .where(~(QueueItem.queue_name << running_query)))
+    @staticmethod
+    def _available_jobs_where(query, now):
+        return query.where(
+            QueueItem.available_after <= now,
+            ((QueueItem.available == True) | (QueueItem.processing_expires <= now)),
+            QueueItem.retries_remaining > 0,
+        )
 
-  def num_alive_jobs(self, canonical_name_list):
-    """
+    @classmethod
+    def _available_jobs_not_running(cls, now, name_match_query, running_query):
+        return cls._available_jobs(now, name_match_query).where(
+            ~(QueueItem.queue_name << running_query)
+        )
+
+    def num_alive_jobs(self, canonical_name_list):
+        """
     Returns the number of alive queue items with a given prefix.
     """
-    def strip_slash(name):
-      return name.lstrip('/')
-    canonical_name_list = map(strip_slash, canonical_name_list)
-    canonical_name_query = '/'.join([self._queue_name] + canonical_name_list) + '%'
 
-    return (QueueItem
-            .select()
+        def strip_slash(name):
+            return name.lstrip("/")
+
+        canonical_name_list = map(strip_slash, canonical_name_list)
+        canonical_name_query = "/".join([self._queue_name] + canonical_name_list) + "%"
+
+        return (
+            QueueItem.select()
             .where(QueueItem.queue_name ** canonical_name_query)
             .where(QueueItem.retries_remaining > 0)
-            .count())
+            .count()
+        )
 
-  def num_available_jobs_between(self, available_min_time, available_max_time, canonical_name_list):
-    """
+    def num_available_jobs_between(
+        self, available_min_time, available_max_time, canonical_name_list
+    ):
+        """
     Returns the number of available queue items with a given prefix, between the two provided times.
     """
-    def strip_slash(name):
-      return name.lstrip('/')
-    canonical_name_list = map(strip_slash, canonical_name_list)
 
-    available = self._available_jobs(available_max_time,
-                                     '/'.join([self._queue_name] + canonical_name_list) + '%')
+        def strip_slash(name):
+            return name.lstrip("/")
 
-    return available.where(QueueItem.available_after >= available_min_time).count()
+        canonical_name_list = map(strip_slash, canonical_name_list)
 
-  def _name_match_query(self):
-    return '%s%%' % self._canonical_name([self._queue_name] + self._canonical_name_match_list)
+        available = self._available_jobs(
+            available_max_time, "/".join([self._queue_name] + canonical_name_list) + "%"
+        )
 
-  @staticmethod
-  def _item_by_id_for_update(queue_id):
-    return db_for_update(QueueItem.select().where(QueueItem.id == queue_id)).get()
+        return available.where(QueueItem.available_after >= available_min_time).count()
 
-  def get_metrics(self):
-    now = datetime.utcnow()
-    name_match_query = self._name_match_query()
+    def _name_match_query(self):
+        return "%s%%" % self._canonical_name(
+            [self._queue_name] + self._canonical_name_match_list
+        )
 
-    running_query = self._running_jobs(now, name_match_query)
-    running_count = running_query.distinct().count()
+    @staticmethod
+    def _item_by_id_for_update(queue_id):
+        return db_for_update(QueueItem.select().where(QueueItem.id == queue_id)).get()
 
-    available_query = self._available_jobs(now, name_match_query)
-    available_count = available_query.select(QueueItem.queue_name).distinct().count()
+    def get_metrics(self):
+        now = datetime.utcnow()
+        name_match_query = self._name_match_query()
 
-    available_not_running_query = self._available_jobs_not_running(now, name_match_query,
-                                                                   running_query)
-    available_not_running_count = (available_not_running_query
-                                   .select(QueueItem.queue_name)
-                                   .distinct()
-                                   .count())
+        running_query = self._running_jobs(now, name_match_query)
+        running_count = running_query.distinct().count()
 
-    return (running_count, available_not_running_count, available_count)
+        available_query = self._available_jobs(now, name_match_query)
+        available_count = (
+            available_query.select(QueueItem.queue_name).distinct().count()
+        )
 
-  def update_metrics(self):
-    if self._reporter is None and self._metric_queue is None:
-      return
+        available_not_running_query = self._available_jobs_not_running(
+            now, name_match_query, running_query
+        )
+        available_not_running_count = (
+            available_not_running_query.select(QueueItem.queue_name).distinct().count()
+        )
 
-    (running_count, available_not_running_count, available_count) = self.get_metrics()
+        return (running_count, available_not_running_count, available_count)
 
-    if self._metric_queue:
-      self._metric_queue.work_queue_running.Set(running_count, labelvalues=[self._queue_name])
-      self._metric_queue.work_queue_available.Set(available_count, labelvalues=[self._queue_name])
-      self._metric_queue.work_queue_available_not_running.Set(available_not_running_count,
-                                                              labelvalues=[self._queue_name])
+    def update_metrics(self):
+        if self._reporter is None and self._metric_queue is None:
+            return
 
+        (
+            running_count,
+            available_not_running_count,
+            available_count,
+        ) = self.get_metrics()
 
-    if self._reporter:
-      self._reporter(self._currently_processing, running_count,
-                     running_count + available_not_running_count)
+        if self._metric_queue:
+            self._metric_queue.work_queue_running.Set(
+                running_count, labelvalues=[self._queue_name]
+            )
+            self._metric_queue.work_queue_available.Set(
+                available_count, labelvalues=[self._queue_name]
+            )
+            self._metric_queue.work_queue_available_not_running.Set(
+                available_not_running_count, labelvalues=[self._queue_name]
+            )
 
-  def has_retries_remaining(self, item_id):
-    """ Returns whether the queue item with the given id has any retries remaining. If the
+        if self._reporter:
+            self._reporter(
+                self._currently_processing,
+                running_count,
+                running_count + available_not_running_count,
+            )
+
+    def has_retries_remaining(self, item_id):
+        """ Returns whether the queue item with the given id has any retries remaining. If the
         queue item does not exist, returns False. """
-    with self._transaction_factory(db):
-      try:
-        return QueueItem.get(id=item_id).retries_remaining > 0
-      except QueueItem.DoesNotExist:
-        return False
+        with self._transaction_factory(db):
+            try:
+                return QueueItem.get(id=item_id).retries_remaining > 0
+            except QueueItem.DoesNotExist:
+                return False
 
-  def delete_namespaced_items(self, namespace, subpath=None):
-    """ Deletes all items in this queue that exist under the given namespace. """
-    if not self._has_namespaced_items:
-      return False
+    def delete_namespaced_items(self, namespace, subpath=None):
+        """ Deletes all items in this queue that exist under the given namespace. """
+        if not self._has_namespaced_items:
+            return False
 
-    subpath_query = '%s/' % subpath if subpath else ''
-    queue_prefix = '%s/%s/%s%%' % (self._queue_name, namespace, subpath_query)
-    return QueueItem.delete().where(QueueItem.queue_name ** queue_prefix).execute()
+        subpath_query = "%s/" % subpath if subpath else ""
+        queue_prefix = "%s/%s/%s%%" % (self._queue_name, namespace, subpath_query)
+        return QueueItem.delete().where(QueueItem.queue_name ** queue_prefix).execute()
 
-  def alive(self, canonical_name_list):
-    """
+    def alive(self, canonical_name_list):
+        """
     Returns True if a job matching the canonical name list is currently processing
     or available.
     """
-    canonical_name = self._canonical_name([self._queue_name] + canonical_name_list)
-    try:
-      select_query = QueueItem.select().where(QueueItem.queue_name == canonical_name)
-      now = datetime.utcnow()
+        canonical_name = self._canonical_name([self._queue_name] + canonical_name_list)
+        try:
+            select_query = QueueItem.select().where(
+                QueueItem.queue_name == canonical_name
+            )
+            now = datetime.utcnow()
 
-      overall_query = (self._available_jobs_where(select_query.clone(), now) |
-                       self._running_jobs_where(select_query.clone(), now))
-      overall_query.get()
-      return True
-    except QueueItem.DoesNotExist:
-      return False
+            overall_query = self._available_jobs_where(
+                select_query.clone(), now
+            ) | self._running_jobs_where(select_query.clone(), now)
+            overall_query.get()
+            return True
+        except QueueItem.DoesNotExist:
+            return False
 
-  def _queue_dict(self, canonical_name_list, message, available_after, retries_remaining):
-    return dict(
-      queue_name=self._canonical_name([self._queue_name] + canonical_name_list),
-      body=message,
-      retries_remaining=retries_remaining,
-      available_after=datetime.utcnow() + timedelta(seconds=available_after or 0),
-    )
+    def _queue_dict(
+        self, canonical_name_list, message, available_after, retries_remaining
+    ):
+        return dict(
+            queue_name=self._canonical_name([self._queue_name] + canonical_name_list),
+            body=message,
+            retries_remaining=retries_remaining,
+            available_after=datetime.utcnow() + timedelta(seconds=available_after or 0),
+        )
 
-  @contextmanager
-  def batch_insert(self, batch_size=DEFAULT_BATCH_SIZE):
-    items_to_insert = []
-    def batch_put(canonical_name_list, message, available_after=0, retries_remaining=5):
-      """
+    @contextmanager
+    def batch_insert(self, batch_size=DEFAULT_BATCH_SIZE):
+        items_to_insert = []
+
+        def batch_put(
+            canonical_name_list, message, available_after=0, retries_remaining=5
+        ):
+            """
       Put an item, if it shouldn't be processed for some number of seconds,
       specify that amount as available_after. Returns the ID of the queue item added.
       """
-      items_to_insert.append(self._queue_dict(canonical_name_list, message, available_after,
-                                              retries_remaining))
+            items_to_insert.append(
+                self._queue_dict(
+                    canonical_name_list, message, available_after, retries_remaining
+                )
+            )
 
-    yield batch_put
+        yield batch_put
 
-    # Chunk the inserted items into batch_size chunks and insert_many
-    remaining = list(items_to_insert)
-    while remaining:
-      QueueItem.insert_many(remaining[0:batch_size]).execute()
-      remaining = remaining[batch_size:]
+        # Chunk the inserted items into batch_size chunks and insert_many
+        remaining = list(items_to_insert)
+        while remaining:
+            QueueItem.insert_many(remaining[0:batch_size]).execute()
+            remaining = remaining[batch_size:]
 
-  def put(self, canonical_name_list, message, available_after=0, retries_remaining=5):
-    """
+    def put(self, canonical_name_list, message, available_after=0, retries_remaining=5):
+        """
     Put an item, if it shouldn't be processed for some number of seconds,
     specify that amount as available_after. Returns the ID of the queue item added.
     """
-    item = QueueItem.create(**self._queue_dict(canonical_name_list, message, available_after,
-                                               retries_remaining))
-    return str(item.id)
+        item = QueueItem.create(
+            **self._queue_dict(
+                canonical_name_list, message, available_after, retries_remaining
+            )
+        )
+        return str(item.id)
 
-  def _select_available_item(self, ordering_required, now):
-    """ Selects an available queue item from the queue table and returns it, if any. If none,
+    def _select_available_item(self, ordering_required, now):
+        """ Selects an available queue item from the queue table and returns it, if any. If none,
         return None.
     """
-    name_match_query = self._name_match_query()
+        name_match_query = self._name_match_query()
 
-    try:
-      if ordering_required:
-        # The previous solution to this used a select for update in a
-        # transaction to prevent multiple instances from processing the
-        # same queue item. This suffered performance problems. This solution
-        # instead has instances attempt to update the potential queue item to be
-        # unavailable. However, since their update clause is restricted to items
-        # that are available=False, only one instance's update will succeed, and
-        # it will have a changed row count of 1. Instances that have 0 changed
-        # rows know that another instance is already handling that item.
-        running = self._running_jobs(now, name_match_query)
-        avail = self._available_jobs_not_running(now, name_match_query, running)
-        return avail.order_by(QueueItem.id).get()
-      else:
-        # If we don't require ordering, we grab a random item from any of the first 50 available.
-        subquery = self._available_jobs(now, name_match_query).limit(50).alias('j1')
-        return (QueueItem
-                .select()
-                .join(subquery, on=QueueItem.id == subquery.c.id)
-                .order_by(db_random_func())
-                .get())
+        try:
+            if ordering_required:
+                # The previous solution to this used a select for update in a
+                # transaction to prevent multiple instances from processing the
+                # same queue item. This suffered performance problems. This solution
+                # instead has instances attempt to update the potential queue item to be
+                # unavailable. However, since their update clause is restricted to items
+                # that are available=False, only one instance's update will succeed, and
+                # it will have a changed row count of 1. Instances that have 0 changed
+                # rows know that another instance is already handling that item.
+                running = self._running_jobs(now, name_match_query)
+                avail = self._available_jobs_not_running(now, name_match_query, running)
+                return avail.order_by(QueueItem.id).get()
+            else:
+                # If we don't require ordering, we grab a random item from any of the first 50 available.
+                subquery = (
+                    self._available_jobs(now, name_match_query).limit(50).alias("j1")
+                )
+                return (
+                    QueueItem.select()
+                    .join(subquery, on=QueueItem.id == subquery.c.id)
+                    .order_by(db_random_func())
+                    .get()
+                )
 
-    except QueueItem.DoesNotExist:
-      # No available queue item was found.
-      return None
+        except QueueItem.DoesNotExist:
+            # No available queue item was found.
+            return None
 
-  def _attempt_to_claim_item(self, db_item, now, processing_time):
-    """ Attempts to claim the specified queue item for this instance. Returns True on success and
+    def _attempt_to_claim_item(self, db_item, now, processing_time):
+        """ Attempts to claim the specified queue item for this instance. Returns True on success and
         False on failure.
 
         Note that the underlying QueueItem row in the database will be changed on success, but
         the db_item object given as a parameter will *not* have its fields updated.
     """
 
-    # Try to claim the item. We do so by updating the item's information only if its current
-    # state ID matches that returned in the previous query. Since all updates to the QueueItem
-    # must change the state ID, this is guarenteed to only succeed if the item has not yet been
-    # claimed by another caller.
-    #
-    # Note that we use this method because InnoDB takes locks on *every* clause in the WHERE when
-    # performing the update. Previously, we would check all these columns, resulting in a bunch
-    # of lock contention. This change mitigates the problem significantly by only checking two
-    # columns (id and state_id), both of which should be absolutely unique at all times.
-    set_unavailable_query = (QueueItem
-                             .update(available=False,
-                                     processing_expires=now + timedelta(seconds=processing_time),
-                                     retries_remaining=QueueItem.retries_remaining - 1,
-                                     state_id=str(uuid.uuid4()))
-                             .where(QueueItem.id == db_item.id,
-                                    QueueItem.state_id == db_item.state_id))
+        # Try to claim the item. We do so by updating the item's information only if its current
+        # state ID matches that returned in the previous query. Since all updates to the QueueItem
+        # must change the state ID, this is guarenteed to only succeed if the item has not yet been
+        # claimed by another caller.
+        #
+        # Note that we use this method because InnoDB takes locks on *every* clause in the WHERE when
+        # performing the update. Previously, we would check all these columns, resulting in a bunch
+        # of lock contention. This change mitigates the problem significantly by only checking two
+        # columns (id and state_id), both of which should be absolutely unique at all times.
+        set_unavailable_query = QueueItem.update(
+            available=False,
+            processing_expires=now + timedelta(seconds=processing_time),
+            retries_remaining=QueueItem.retries_remaining - 1,
+            state_id=str(uuid.uuid4()),
+        ).where(QueueItem.id == db_item.id, QueueItem.state_id == db_item.state_id)
 
-    changed = set_unavailable_query.execute()
-    return changed == 1
+        changed = set_unavailable_query.execute()
+        return changed == 1
 
-
-  def get(self, processing_time=300, ordering_required=False):
-    """
+    def get(self, processing_time=300, ordering_required=False):
+        """
     Get an available item and mark it as unavailable for the default of five
     minutes. The result of this method must always be composed of simple
     python objects which are JSON serializable for network portability reasons.
     """
-    now = datetime.utcnow()
+        now = datetime.utcnow()
 
-    # Select an available queue item.
-    db_item = self._select_available_item(ordering_required, now)
-    if db_item is None:
-      self._currently_processing = False
-      return None
+        # Select an available queue item.
+        db_item = self._select_available_item(ordering_required, now)
+        if db_item is None:
+            self._currently_processing = False
+            return None
 
-    # Attempt to claim the item for this instance.
-    was_claimed = self._attempt_to_claim_item(db_item, now, processing_time)
-    if not was_claimed:
-      self._currently_processing = False
-      return None
+        # Attempt to claim the item for this instance.
+        was_claimed = self._attempt_to_claim_item(db_item, now, processing_time)
+        if not was_claimed:
+            self._currently_processing = False
+            return None
 
-    self._currently_processing = True
+        self._currently_processing = True
 
-    # Return a view of the queue item rather than an active db object
-    return AttrDict({
-      'id': db_item.id,
-      'body': db_item.body,
-      'retries_remaining': db_item.retries_remaining - 1,
-    })
+        # Return a view of the queue item rather than an active db object
+        return AttrDict(
+            {
+                "id": db_item.id,
+                "body": db_item.body,
+                "retries_remaining": db_item.retries_remaining - 1,
+            }
+        )
 
-  def cancel(self, item_id):
-    """ Attempts to cancel the queue item with the given ID from the queue. Returns true on success
+    def cancel(self, item_id):
+        """ Attempts to cancel the queue item with the given ID from the queue. Returns true on success
         and false if the queue item could not be canceled.
     """
-    count_removed = QueueItem.delete().where(QueueItem.id == item_id).execute()
-    return count_removed > 0
+        count_removed = QueueItem.delete().where(QueueItem.id == item_id).execute()
+        return count_removed > 0
 
-  def complete(self, completed_item):
-    self._currently_processing = not self.cancel(completed_item.id)
+    def complete(self, completed_item):
+        self._currently_processing = not self.cancel(completed_item.id)
 
-  def incomplete(self, incomplete_item, retry_after=300, restore_retry=False):
-    with self._transaction_factory(db):
-      retry_date = datetime.utcnow() + timedelta(seconds=retry_after)
+    def incomplete(self, incomplete_item, retry_after=300, restore_retry=False):
+        with self._transaction_factory(db):
+            retry_date = datetime.utcnow() + timedelta(seconds=retry_after)
 
-      try:
-        incomplete_item_obj = self._item_by_id_for_update(incomplete_item.id)
-        incomplete_item_obj.available_after = retry_date
-        incomplete_item_obj.available = True
+            try:
+                incomplete_item_obj = self._item_by_id_for_update(incomplete_item.id)
+                incomplete_item_obj.available_after = retry_date
+                incomplete_item_obj.available = True
 
-        if restore_retry:
-          incomplete_item_obj.retries_remaining += 1
+                if restore_retry:
+                    incomplete_item_obj.retries_remaining += 1
 
-        incomplete_item_obj.save()
-        self._currently_processing = False
-        return incomplete_item_obj.retries_remaining > 0
-      except QueueItem.DoesNotExist:
-        return False
+                incomplete_item_obj.save()
+                self._currently_processing = False
+                return incomplete_item_obj.retries_remaining > 0
+            except QueueItem.DoesNotExist:
+                return False
 
-  def extend_processing(self, item, seconds_from_now, minimum_extension=MINIMUM_EXTENSION,
-                        updated_data=None):
-    with self._transaction_factory(db):
-      try:
-        queue_item = self._item_by_id_for_update(item.id)
-        new_expiration = datetime.utcnow() + timedelta(seconds=seconds_from_now)
-        has_change = False
+    def extend_processing(
+        self,
+        item,
+        seconds_from_now,
+        minimum_extension=MINIMUM_EXTENSION,
+        updated_data=None,
+    ):
+        with self._transaction_factory(db):
+            try:
+                queue_item = self._item_by_id_for_update(item.id)
+                new_expiration = datetime.utcnow() + timedelta(seconds=seconds_from_now)
+                has_change = False
 
-        # Only actually write the new expiration to the db if it moves the expiration some minimum
-        if new_expiration - queue_item.processing_expires > minimum_extension:
-          queue_item.processing_expires = new_expiration
-          has_change = True
+                # Only actually write the new expiration to the db if it moves the expiration some minimum
+                if new_expiration - queue_item.processing_expires > minimum_extension:
+                    queue_item.processing_expires = new_expiration
+                    has_change = True
 
-        if updated_data is not None and queue_item.body != updated_data:
-          queue_item.body = updated_data
-          has_change = True
+                if updated_data is not None and queue_item.body != updated_data:
+                    queue_item.body = updated_data
+                    has_change = True
 
-        if has_change:
-          queue_item.save()
+                if has_change:
+                    queue_item.save()
 
-        return has_change
-      except QueueItem.DoesNotExist:
-        return False
+                return has_change
+            except QueueItem.DoesNotExist:
+                return False
 
 
 def delete_expired(expiration_threshold, deletion_threshold, batch_size):
-  """
+    """
   Deletes all queue items that are older than the provided expiration threshold in batches of the
   provided size. If there are less items than the deletion threshold, this method does nothing.
 
   Returns the number of items deleted.
   """
-  to_delete = list(QueueItem
-                   .select()
-                   .where(QueueItem.processing_expires <= expiration_threshold)
-                   .limit(batch_size))
+    to_delete = list(
+        QueueItem.select()
+        .where(QueueItem.processing_expires <= expiration_threshold)
+        .limit(batch_size)
+    )
 
-  if len(to_delete) < deletion_threshold:
-    return 0
+    if len(to_delete) < deletion_threshold:
+        return 0
 
-  QueueItem.delete().where(QueueItem.id << to_delete).execute()
-  return len(to_delete)
+    QueueItem.delete().where(QueueItem.id << to_delete).execute()
+    return len(to_delete)
diff --git a/data/readreplica.py b/data/readreplica.py
index 33abff2ed..1dfb6d26a 100644
--- a/data/readreplica.py
+++ b/data/readreplica.py
@@ -4,46 +4,48 @@ from collections import namedtuple
 
 from peewee import Model, SENTINEL, OperationalError, Proxy
 
-ReadOnlyConfig = namedtuple('ReadOnlyConfig', ['is_readonly', 'read_replicas'])
+ReadOnlyConfig = namedtuple("ReadOnlyConfig", ["is_readonly", "read_replicas"])
+
 
 class ReadOnlyModeException(Exception):
-  """ Exception raised if a write operation was attempted when in read only mode.
+    """ Exception raised if a write operation was attempted when in read only mode.
   """
 
 
 class AutomaticFailoverWrapper(object):
-  """ Class which wraps a peewee database driver and (optionally) a second driver.
+    """ Class which wraps a peewee database driver and (optionally) a second driver.
       When executing SQL, if an OperationalError occurs, if a second driver is given,
       the query is attempted again on the fallback DB. Otherwise, the exception is raised.
   """
-  def __init__(self, primary_db, fallback_db=None):
-    self._primary_db = primary_db
-    self._fallback_db = fallback_db
 
-  def __getattr__(self, attribute):
-    if attribute != 'execute_sql' and hasattr(self._primary_db, attribute):
-      return getattr(self._primary_db, attribute)
+    def __init__(self, primary_db, fallback_db=None):
+        self._primary_db = primary_db
+        self._fallback_db = fallback_db
 
-    return getattr(self, attribute)
+    def __getattr__(self, attribute):
+        if attribute != "execute_sql" and hasattr(self._primary_db, attribute):
+            return getattr(self._primary_db, attribute)
 
-  def execute(self, query, commit=SENTINEL, **context_options):
-    ctx = self.get_sql_context(**context_options)
-    sql, params = ctx.sql(query).query()
-    return self.execute_sql(sql, params, commit=commit)
+        return getattr(self, attribute)
 
-  def execute_sql(self, sql, params=None, commit=SENTINEL):
-    try:
-      return self._primary_db.execute_sql(sql, params, commit)
-    except OperationalError:
-      if self._fallback_db is not None:
+    def execute(self, query, commit=SENTINEL, **context_options):
+        ctx = self.get_sql_context(**context_options)
+        sql, params = ctx.sql(query).query()
+        return self.execute_sql(sql, params, commit=commit)
+
+    def execute_sql(self, sql, params=None, commit=SENTINEL):
         try:
-          return self._fallback_db.execute_sql(sql, params, commit)
+            return self._primary_db.execute_sql(sql, params, commit)
         except OperationalError:
-          raise
+            if self._fallback_db is not None:
+                try:
+                    return self._fallback_db.execute_sql(sql, params, commit)
+                except OperationalError:
+                    raise
 
 
 class ReadReplicaSupportedModel(Model):
-  """ Base model for peewee data models that support using a read replica for SELECT
+    """ Base model for peewee data models that support using a read replica for SELECT
       requests not under transactions, and automatic failover to the master if the
       read replica fails.
 
@@ -57,73 +59,74 @@ class ReadReplicaSupportedModel(Model):
       If the system is configured into read only mode, then all non-read-only queries
       will raise a ReadOnlyModeException.
   """
-  @classmethod
-  def _read_only_config(cls):
-    read_only_config = getattr(cls._meta, 'read_only_config', None)
-    if read_only_config is None:
-      return ReadOnlyConfig(False, [])
 
-    if isinstance(read_only_config, Proxy) and read_only_config.obj is None:
-      return ReadOnlyConfig(False, [])
+    @classmethod
+    def _read_only_config(cls):
+        read_only_config = getattr(cls._meta, "read_only_config", None)
+        if read_only_config is None:
+            return ReadOnlyConfig(False, [])
 
-    return read_only_config.obj or ReadOnlyConfig(False, [])
+        if isinstance(read_only_config, Proxy) and read_only_config.obj is None:
+            return ReadOnlyConfig(False, [])
 
-  @classmethod
-  def _in_readonly_mode(cls):
-    return cls._read_only_config().is_readonly
+        return read_only_config.obj or ReadOnlyConfig(False, [])
 
-  @classmethod
-  def _select_database(cls):
-    """ Selects a read replica database if we're configured to support read replicas.
+    @classmethod
+    def _in_readonly_mode(cls):
+        return cls._read_only_config().is_readonly
+
+    @classmethod
+    def _select_database(cls):
+        """ Selects a read replica database if we're configured to support read replicas.
         Otherwise, selects the master database.
     """
-    # Select the master DB if read replica support is not enabled.
-    read_only_config = cls._read_only_config()
-    if not read_only_config.read_replicas:
-      return cls._meta.database
+        # Select the master DB if read replica support is not enabled.
+        read_only_config = cls._read_only_config()
+        if not read_only_config.read_replicas:
+            return cls._meta.database
 
-    # Select the master DB if we're ever under a transaction.
-    if cls._meta.database.transaction_depth() > 0:
-      return cls._meta.database
+        # Select the master DB if we're ever under a transaction.
+        if cls._meta.database.transaction_depth() > 0:
+            return cls._meta.database
 
-    # Otherwise, return a read replica database with auto-retry onto the main database.
-    replicas = read_only_config.read_replicas
-    selected_read_replica = replicas[random.randrange(len(replicas))]
-    return AutomaticFailoverWrapper(selected_read_replica, cls._meta.database)
+        # Otherwise, return a read replica database with auto-retry onto the main database.
+        replicas = read_only_config.read_replicas
+        selected_read_replica = replicas[random.randrange(len(replicas))]
+        return AutomaticFailoverWrapper(selected_read_replica, cls._meta.database)
 
-  @classmethod
-  def select(cls, *args, **kwargs):
-    query = super(ReadReplicaSupportedModel, cls).select(*args, **kwargs)
-    query._database = cls._select_database()
-    return query
+    @classmethod
+    def select(cls, *args, **kwargs):
+        query = super(ReadReplicaSupportedModel, cls).select(*args, **kwargs)
+        query._database = cls._select_database()
+        return query
 
-  @classmethod
-  def insert(cls, *args, **kwargs):
-    query = super(ReadReplicaSupportedModel, cls).insert(*args, **kwargs)
-    if cls._in_readonly_mode():
-      raise ReadOnlyModeException()
-    return query
+    @classmethod
+    def insert(cls, *args, **kwargs):
+        query = super(ReadReplicaSupportedModel, cls).insert(*args, **kwargs)
+        if cls._in_readonly_mode():
+            raise ReadOnlyModeException()
+        return query
 
-  @classmethod
-  def update(cls, *args, **kwargs):
-    query = super(ReadReplicaSupportedModel, cls).update(*args, **kwargs)
-    if cls._in_readonly_mode():
-      raise ReadOnlyModeException()
-    return query
+    @classmethod
+    def update(cls, *args, **kwargs):
+        query = super(ReadReplicaSupportedModel, cls).update(*args, **kwargs)
+        if cls._in_readonly_mode():
+            raise ReadOnlyModeException()
+        return query
 
-  @classmethod
-  def delete(cls, *args, **kwargs):
-    query = super(ReadReplicaSupportedModel, cls).delete(*args, **kwargs)
-    if cls._in_readonly_mode():
-      raise ReadOnlyModeException()
-    return query
+    @classmethod
+    def delete(cls, *args, **kwargs):
+        query = super(ReadReplicaSupportedModel, cls).delete(*args, **kwargs)
+        if cls._in_readonly_mode():
+            raise ReadOnlyModeException()
+        return query
 
-  @classmethod
-  def raw(cls, *args, **kwargs):
-    query = super(ReadReplicaSupportedModel, cls).raw(*args, **kwargs)
-    if query._sql.lower().startswith('select '):
-      query._database = cls._select_database()
-    elif cls._in_readonly_mode():
-      raise ReadOnlyModeException()
+    @classmethod
+    def raw(cls, *args, **kwargs):
+        query = super(ReadReplicaSupportedModel, cls).raw(*args, **kwargs)
+        if query._sql.lower().startswith("select "):
+            query._database = cls._select_database()
+        elif cls._in_readonly_mode():
+            raise ReadOnlyModeException()
 
-    return query
+        return query
diff --git a/data/registry_model/__init__.py b/data/registry_model/__init__.py
index ffac9dd59..5c841c1dc 100644
--- a/data/registry_model/__init__.py
+++ b/data/registry_model/__init__.py
@@ -9,35 +9,48 @@ logger = logging.getLogger(__name__)
 
 
 class RegistryModelProxy(object):
-  def __init__(self):
-    self._model = oci_model if os.getenv('OCI_DATA_MODEL') == 'true' else pre_oci_model
+    def __init__(self):
+        self._model = (
+            oci_model if os.getenv("OCI_DATA_MODEL") == "true" else pre_oci_model
+        )
 
-  def setup_split(self, oci_model_proportion, oci_whitelist, v22_whitelist, upgrade_mode):
-    if os.getenv('OCI_DATA_MODEL') == 'true':
-      return
+    def setup_split(
+        self, oci_model_proportion, oci_whitelist, v22_whitelist, upgrade_mode
+    ):
+        if os.getenv("OCI_DATA_MODEL") == "true":
+            return
 
-    if upgrade_mode == 'complete':
-      logger.info('===============================')
-      logger.info('Full V2_2 + OCI model is enabled')
-      logger.info('===============================')
-      self._model = oci_model
-      return
+        if upgrade_mode == "complete":
+            logger.info("===============================")
+            logger.info("Full V2_2 + OCI model is enabled")
+            logger.info("===============================")
+            self._model = oci_model
+            return
 
-    logger.info('===============================')
-    logger.info('Split registry model: OCI %s proportion and whitelist `%s` and V22 whitelist `%s`',
-                oci_model_proportion, oci_whitelist, v22_whitelist)
-    logger.info('===============================')
-    self._model = SplitModel(oci_model_proportion, oci_whitelist, v22_whitelist,
-                             upgrade_mode == 'post-oci-rollout')
+        logger.info("===============================")
+        logger.info(
+            "Split registry model: OCI %s proportion and whitelist `%s` and V22 whitelist `%s`",
+            oci_model_proportion,
+            oci_whitelist,
+            v22_whitelist,
+        )
+        logger.info("===============================")
+        self._model = SplitModel(
+            oci_model_proportion,
+            oci_whitelist,
+            v22_whitelist,
+            upgrade_mode == "post-oci-rollout",
+        )
 
-  def set_for_testing(self, use_oci_model):
-    self._model = oci_model if use_oci_model else pre_oci_model
-    logger.debug('Changed registry model to `%s` for testing', self._model)
+    def set_for_testing(self, use_oci_model):
+        self._model = oci_model if use_oci_model else pre_oci_model
+        logger.debug("Changed registry model to `%s` for testing", self._model)
+
+    def __getattr__(self, attr):
+        return getattr(self._model, attr)
 
-  def __getattr__(self, attr):
-    return getattr(self._model, attr)
 
 registry_model = RegistryModelProxy()
-logger.info('===============================')
-logger.info('Using registry model `%s`', registry_model._model)
-logger.info('===============================')
+logger.info("===============================")
+logger.info("Using registry model `%s`", registry_model._model)
+logger.info("===============================")
diff --git a/data/registry_model/blobuploader.py b/data/registry_model/blobuploader.py
index 5f99d3ec8..d4760b1f6 100644
--- a/data/registry_model/blobuploader.py
+++ b/data/registry_model/blobuploader.py
@@ -18,115 +18,140 @@ from util.registry.torrent import PieceHasher
 logger = logging.getLogger(__name__)
 
 
-BLOB_CONTENT_TYPE = 'application/octet-stream'
+BLOB_CONTENT_TYPE = "application/octet-stream"
 
 
 class BlobUploadException(Exception):
-  """ Base for all exceptions raised when uploading blobs. """
+    """ Base for all exceptions raised when uploading blobs. """
+
 
 class BlobRangeMismatchException(BlobUploadException):
-  """ Exception raised if the range to be uploaded does not match. """
+    """ Exception raised if the range to be uploaded does not match. """
+
 
 class BlobDigestMismatchException(BlobUploadException):
-  """ Exception raised if the digest requested does not match that of the contents uploaded. """
+    """ Exception raised if the digest requested does not match that of the contents uploaded. """
+
 
 class BlobTooLargeException(BlobUploadException):
-  """ Exception raised if the data uploaded exceeds the maximum_blob_size. """
-  def __init__(self, uploaded, max_allowed):
-    super(BlobTooLargeException, self).__init__()
-    self.uploaded = uploaded
-    self.max_allowed = max_allowed
+    """ Exception raised if the data uploaded exceeds the maximum_blob_size. """
+
+    def __init__(self, uploaded, max_allowed):
+        super(BlobTooLargeException, self).__init__()
+        self.uploaded = uploaded
+        self.max_allowed = max_allowed
 
 
-BlobUploadSettings = namedtuple('BlobUploadSettings', ['maximum_blob_size', 'bittorrent_piece_size',
-                                                       'committed_blob_expiration'])
+BlobUploadSettings = namedtuple(
+    "BlobUploadSettings",
+    ["maximum_blob_size", "bittorrent_piece_size", "committed_blob_expiration"],
+)
 
 
-def create_blob_upload(repository_ref, storage, settings, extra_blob_stream_handlers=None):
-  """ Creates a new blob upload in the specified repository and returns a manager for interacting
+def create_blob_upload(
+    repository_ref, storage, settings, extra_blob_stream_handlers=None
+):
+    """ Creates a new blob upload in the specified repository and returns a manager for interacting
       with that upload. Returns None if a new blob upload could not be started.
   """
-  location_name = storage.preferred_locations[0]
-  new_upload_uuid, upload_metadata = storage.initiate_chunked_upload(location_name)
-  blob_upload = registry_model.create_blob_upload(repository_ref, new_upload_uuid, location_name,
-                                                  upload_metadata)
-  if blob_upload is None:
-    return None
+    location_name = storage.preferred_locations[0]
+    new_upload_uuid, upload_metadata = storage.initiate_chunked_upload(location_name)
+    blob_upload = registry_model.create_blob_upload(
+        repository_ref, new_upload_uuid, location_name, upload_metadata
+    )
+    if blob_upload is None:
+        return None
 
-  return _BlobUploadManager(repository_ref, blob_upload, settings, storage,
-                            extra_blob_stream_handlers)
+    return _BlobUploadManager(
+        repository_ref, blob_upload, settings, storage, extra_blob_stream_handlers
+    )
 
 
 def retrieve_blob_upload_manager(repository_ref, blob_upload_id, storage, settings):
-  """ Retrieves the manager for an in-progress blob upload with the specified ID under the given
+    """ Retrieves the manager for an in-progress blob upload with the specified ID under the given
       repository or None if none.
   """
-  blob_upload = registry_model.lookup_blob_upload(repository_ref, blob_upload_id)
-  if blob_upload is None:
-    return None
+    blob_upload = registry_model.lookup_blob_upload(repository_ref, blob_upload_id)
+    if blob_upload is None:
+        return None
+
+    return _BlobUploadManager(repository_ref, blob_upload, settings, storage)
 
-  return _BlobUploadManager(repository_ref, blob_upload, settings, storage)
 
 @contextmanager
 def complete_when_uploaded(blob_upload):
-  """ Wraps the given blob upload in a context manager that completes the upload when the context
+    """ Wraps the given blob upload in a context manager that completes the upload when the context
       closes.
   """
-  try:
-    yield blob_upload
-  except Exception as ex:
-    logger.exception('Exception when uploading blob `%s`', blob_upload.blob_upload_id)
-    raise ex
-  finally:
-    # Cancel the upload if something went wrong or it was not commit to a blob.
-    if blob_upload.committed_blob is None:
-      blob_upload.cancel_upload()
+    try:
+        yield blob_upload
+    except Exception as ex:
+        logger.exception(
+            "Exception when uploading blob `%s`", blob_upload.blob_upload_id
+        )
+        raise ex
+    finally:
+        # Cancel the upload if something went wrong or it was not commit to a blob.
+        if blob_upload.committed_blob is None:
+            blob_upload.cancel_upload()
+
 
 @contextmanager
 def upload_blob(repository_ref, storage, settings, extra_blob_stream_handlers=None):
-  """ Starts a new blob upload in the specified repository and yields a manager for interacting
+    """ Starts a new blob upload in the specified repository and yields a manager for interacting
       with that upload. When the context manager completes, the blob upload is deleted, whether
       committed to a blob or not. Yields None if a blob upload could not be started.
   """
-  created = create_blob_upload(repository_ref, storage, settings, extra_blob_stream_handlers)
-  if not created:
-    yield None
-    return
+    created = create_blob_upload(
+        repository_ref, storage, settings, extra_blob_stream_handlers
+    )
+    if not created:
+        yield None
+        return
 
-  try:
-    yield created
-  except Exception as ex:
-    logger.exception('Exception when uploading blob `%s`', created.blob_upload_id)
-    raise ex
-  finally:
-    # Cancel the upload if something went wrong or it was not commit to a blob.
-    if created.committed_blob is None:
-      created.cancel_upload()
+    try:
+        yield created
+    except Exception as ex:
+        logger.exception("Exception when uploading blob `%s`", created.blob_upload_id)
+        raise ex
+    finally:
+        # Cancel the upload if something went wrong or it was not commit to a blob.
+        if created.committed_blob is None:
+            created.cancel_upload()
 
 
 class _BlobUploadManager(object):
-  """ Defines a helper class for easily interacting with blob uploads in progress, including
+    """ Defines a helper class for easily interacting with blob uploads in progress, including
       handling of database and storage calls.
   """
-  def __init__(self, repository_ref, blob_upload, settings, storage,
-               extra_blob_stream_handlers=None):
-    assert repository_ref is not None
-    assert blob_upload is not None
 
-    self.repository_ref = repository_ref
-    self.blob_upload = blob_upload
-    self.settings = settings
-    self.storage = storage
-    self.extra_blob_stream_handlers = extra_blob_stream_handlers
-    self.committed_blob = None
+    def __init__(
+        self,
+        repository_ref,
+        blob_upload,
+        settings,
+        storage,
+        extra_blob_stream_handlers=None,
+    ):
+        assert repository_ref is not None
+        assert blob_upload is not None
 
-  @property
-  def blob_upload_id(self):
-    """ Returns the unique ID for the blob upload. """
-    return self.blob_upload.upload_id
+        self.repository_ref = repository_ref
+        self.blob_upload = blob_upload
+        self.settings = settings
+        self.storage = storage
+        self.extra_blob_stream_handlers = extra_blob_stream_handlers
+        self.committed_blob = None
 
-  def upload_chunk(self, app_config, input_fp, start_offset=0, length=-1, metric_queue=None):
-    """ Uploads a chunk of data found in the given input file-like interface. start_offset and
+    @property
+    def blob_upload_id(self):
+        """ Returns the unique ID for the blob upload. """
+        return self.blob_upload.upload_id
+
+    def upload_chunk(
+        self, app_config, input_fp, start_offset=0, length=-1, metric_queue=None
+    ):
+        """ Uploads a chunk of data found in the given input file-like interface. start_offset and
         length are optional and should match a range header if any was given.
 
         If metric_queue is given, the upload time and chunk size are written into the metrics in
@@ -135,201 +160,250 @@ class _BlobUploadManager(object):
         Returns the total number of bytes uploaded after this upload has completed. Raises
         a BlobUploadException if the upload failed.
     """
-    assert start_offset is not None
-    assert length is not None
+        assert start_offset is not None
+        assert length is not None
 
-    if start_offset > 0 and start_offset > self.blob_upload.byte_count:
-      logger.error('start_offset provided greater than blob_upload.byte_count')
-      raise BlobRangeMismatchException()
+        if start_offset > 0 and start_offset > self.blob_upload.byte_count:
+            logger.error("start_offset provided greater than blob_upload.byte_count")
+            raise BlobRangeMismatchException()
 
-    # Ensure that we won't go over the allowed maximum size for blobs.
-    max_blob_size = bitmath.parse_string_unsafe(self.settings.maximum_blob_size)
-    uploaded = bitmath.Byte(length + start_offset)
-    if length > -1 and uploaded > max_blob_size:
-      raise BlobTooLargeException(uploaded=uploaded.bytes, max_allowed=max_blob_size.bytes)
+        # Ensure that we won't go over the allowed maximum size for blobs.
+        max_blob_size = bitmath.parse_string_unsafe(self.settings.maximum_blob_size)
+        uploaded = bitmath.Byte(length + start_offset)
+        if length > -1 and uploaded > max_blob_size:
+            raise BlobTooLargeException(
+                uploaded=uploaded.bytes, max_allowed=max_blob_size.bytes
+            )
 
-    location_set = {self.blob_upload.location_name}
-    upload_error = None
-    with CloseForLongOperation(app_config):
-      if start_offset > 0 and start_offset < self.blob_upload.byte_count:
-        # Skip the bytes which were received on a previous push, which are already stored and
-        # included in the sha calculation
-        overlap_size = self.blob_upload.byte_count - start_offset
-        input_fp = StreamSlice(input_fp, overlap_size)
+        location_set = {self.blob_upload.location_name}
+        upload_error = None
+        with CloseForLongOperation(app_config):
+            if start_offset > 0 and start_offset < self.blob_upload.byte_count:
+                # Skip the bytes which were received on a previous push, which are already stored and
+                # included in the sha calculation
+                overlap_size = self.blob_upload.byte_count - start_offset
+                input_fp = StreamSlice(input_fp, overlap_size)
 
-        # Update our upload bounds to reflect the skipped portion of the overlap
-        start_offset = self.blob_upload.byte_count
-        length = max(length - overlap_size, 0)
+                # Update our upload bounds to reflect the skipped portion of the overlap
+                start_offset = self.blob_upload.byte_count
+                length = max(length - overlap_size, 0)
 
-      # We use this to escape early in case we have already processed all of the bytes the user
-      # wants to upload.
-      if length == 0:
-        return self.blob_upload.byte_count
+            # We use this to escape early in case we have already processed all of the bytes the user
+            # wants to upload.
+            if length == 0:
+                return self.blob_upload.byte_count
 
-      input_fp = wrap_with_handler(input_fp, self.blob_upload.sha_state.update)
+            input_fp = wrap_with_handler(input_fp, self.blob_upload.sha_state.update)
 
-      if self.extra_blob_stream_handlers:
-        for handler in self.extra_blob_stream_handlers:
-          input_fp = wrap_with_handler(input_fp, handler)
+            if self.extra_blob_stream_handlers:
+                for handler in self.extra_blob_stream_handlers:
+                    input_fp = wrap_with_handler(input_fp, handler)
 
-      # Add a hasher for calculating SHA1s for torrents if this is the first chunk and/or we have
-      # already calculated hash data for the previous chunk(s).
-      piece_hasher = None
-      if self.blob_upload.chunk_count == 0 or self.blob_upload.piece_sha_state:
-        initial_sha1_value = self.blob_upload.piece_sha_state or resumablehashlib.sha1()
-        initial_sha1_pieces_value = self.blob_upload.piece_hashes or ''
+            # Add a hasher for calculating SHA1s for torrents if this is the first chunk and/or we have
+            # already calculated hash data for the previous chunk(s).
+            piece_hasher = None
+            if self.blob_upload.chunk_count == 0 or self.blob_upload.piece_sha_state:
+                initial_sha1_value = (
+                    self.blob_upload.piece_sha_state or resumablehashlib.sha1()
+                )
+                initial_sha1_pieces_value = self.blob_upload.piece_hashes or ""
 
-        piece_hasher = PieceHasher(self.settings.bittorrent_piece_size, start_offset,
-                                   initial_sha1_pieces_value, initial_sha1_value)
-        input_fp = wrap_with_handler(input_fp, piece_hasher.update)
+                piece_hasher = PieceHasher(
+                    self.settings.bittorrent_piece_size,
+                    start_offset,
+                    initial_sha1_pieces_value,
+                    initial_sha1_value,
+                )
+                input_fp = wrap_with_handler(input_fp, piece_hasher.update)
 
-      # If this is the first chunk and we're starting at the 0 offset, add a handler to gunzip the
-      # stream so we can determine the uncompressed size. We'll throw out this data if another chunk
-      # comes in, but in the common case the docker client only sends one chunk.
-      size_info = None
-      if start_offset == 0 and self.blob_upload.chunk_count == 0:
-        size_info, fn = calculate_size_handler()
-        input_fp = wrap_with_handler(input_fp, fn)
+            # If this is the first chunk and we're starting at the 0 offset, add a handler to gunzip the
+            # stream so we can determine the uncompressed size. We'll throw out this data if another chunk
+            # comes in, but in the common case the docker client only sends one chunk.
+            size_info = None
+            if start_offset == 0 and self.blob_upload.chunk_count == 0:
+                size_info, fn = calculate_size_handler()
+                input_fp = wrap_with_handler(input_fp, fn)
 
-      start_time = time.time()
-      length_written, new_metadata, upload_error = self.storage.stream_upload_chunk(
-        location_set,
-        self.blob_upload.upload_id,
-        start_offset,
-        length,
-        input_fp,
-        self.blob_upload.storage_metadata,
-        content_type=BLOB_CONTENT_TYPE,
-      )
+            start_time = time.time()
+            length_written, new_metadata, upload_error = self.storage.stream_upload_chunk(
+                location_set,
+                self.blob_upload.upload_id,
+                start_offset,
+                length,
+                input_fp,
+                self.blob_upload.storage_metadata,
+                content_type=BLOB_CONTENT_TYPE,
+            )
 
-      if upload_error is not None:
-        logger.error('storage.stream_upload_chunk returned error %s', upload_error)
-        raise BlobUploadException(upload_error)
+            if upload_error is not None:
+                logger.error(
+                    "storage.stream_upload_chunk returned error %s", upload_error
+                )
+                raise BlobUploadException(upload_error)
 
-      # Update the chunk upload time and push bytes metrics.
-      if metric_queue is not None:
-        metric_queue.chunk_upload_time.Observe(time.time() - start_time, labelvalues=[
-          length_written, list(location_set)[0]])
+            # Update the chunk upload time and push bytes metrics.
+            if metric_queue is not None:
+                metric_queue.chunk_upload_time.Observe(
+                    time.time() - start_time,
+                    labelvalues=[length_written, list(location_set)[0]],
+                )
 
-        metric_queue.push_byte_count.Inc(length_written)
+                metric_queue.push_byte_count.Inc(length_written)
 
-    # Ensure we have not gone beyond the max layer size.
-    new_blob_bytes = self.blob_upload.byte_count + length_written
-    new_blob_size = bitmath.Byte(new_blob_bytes)
-    if new_blob_size > max_blob_size:
-      raise BlobTooLargeException(uploaded=new_blob_size, max_allowed=max_blob_size.bytes)
+        # Ensure we have not gone beyond the max layer size.
+        new_blob_bytes = self.blob_upload.byte_count + length_written
+        new_blob_size = bitmath.Byte(new_blob_bytes)
+        if new_blob_size > max_blob_size:
+            raise BlobTooLargeException(
+                uploaded=new_blob_size, max_allowed=max_blob_size.bytes
+            )
 
-    # If we determined an uncompressed size and this is the first chunk, add it to the blob.
-    # Otherwise, we clear the size from the blob as it was uploaded in multiple chunks.
-    uncompressed_byte_count = self.blob_upload.uncompressed_byte_count
-    if size_info is not None and self.blob_upload.chunk_count == 0 and size_info.is_valid:
-      uncompressed_byte_count = size_info.uncompressed_size
-    elif length_written > 0:
-      # Otherwise, if we wrote some bytes and the above conditions were not met, then we don't
-      # know the uncompressed size.
-      uncompressed_byte_count = None
+        # If we determined an uncompressed size and this is the first chunk, add it to the blob.
+        # Otherwise, we clear the size from the blob as it was uploaded in multiple chunks.
+        uncompressed_byte_count = self.blob_upload.uncompressed_byte_count
+        if (
+            size_info is not None
+            and self.blob_upload.chunk_count == 0
+            and size_info.is_valid
+        ):
+            uncompressed_byte_count = size_info.uncompressed_size
+        elif length_written > 0:
+            # Otherwise, if we wrote some bytes and the above conditions were not met, then we don't
+            # know the uncompressed size.
+            uncompressed_byte_count = None
 
-    piece_hashes = None
-    piece_sha_state = None
-    if piece_hasher is not None:
-      piece_hashes = piece_hasher.piece_hashes
-      piece_sha_state = piece_hasher.hash_fragment
+        piece_hashes = None
+        piece_sha_state = None
+        if piece_hasher is not None:
+            piece_hashes = piece_hasher.piece_hashes
+            piece_sha_state = piece_hasher.hash_fragment
 
-    self.blob_upload = registry_model.update_blob_upload(self.blob_upload,
-                                                         uncompressed_byte_count,
-                                                         piece_hashes,
-                                                         piece_sha_state,
-                                                         new_metadata,
-                                                         new_blob_bytes,
-                                                         self.blob_upload.chunk_count + 1,
-                                                         self.blob_upload.sha_state)
-    if self.blob_upload is None:
-      raise BlobUploadException('Could not complete upload of chunk')
+        self.blob_upload = registry_model.update_blob_upload(
+            self.blob_upload,
+            uncompressed_byte_count,
+            piece_hashes,
+            piece_sha_state,
+            new_metadata,
+            new_blob_bytes,
+            self.blob_upload.chunk_count + 1,
+            self.blob_upload.sha_state,
+        )
+        if self.blob_upload is None:
+            raise BlobUploadException("Could not complete upload of chunk")
 
-    return new_blob_bytes
+        return new_blob_bytes
 
-  def cancel_upload(self):
-    """ Cancels the blob upload, deleting any data uploaded and removing the upload itself. """
-    if self.blob_upload is None:
-      return
+    def cancel_upload(self):
+        """ Cancels the blob upload, deleting any data uploaded and removing the upload itself. """
+        if self.blob_upload is None:
+            return
 
-    # Tell storage to cancel the chunked upload, deleting its contents.
-    self.storage.cancel_chunked_upload({self.blob_upload.location_name},
-                                       self.blob_upload.upload_id,
-                                       self.blob_upload.storage_metadata)
+        # Tell storage to cancel the chunked upload, deleting its contents.
+        self.storage.cancel_chunked_upload(
+            {self.blob_upload.location_name},
+            self.blob_upload.upload_id,
+            self.blob_upload.storage_metadata,
+        )
 
-    # Remove the blob upload record itself.
-    registry_model.delete_blob_upload(self.blob_upload)
+        # Remove the blob upload record itself.
+        registry_model.delete_blob_upload(self.blob_upload)
 
-  def commit_to_blob(self, app_config, expected_digest=None):
-    """ Commits the blob upload to a blob under the repository. The resulting blob will be marked
+    def commit_to_blob(self, app_config, expected_digest=None):
+        """ Commits the blob upload to a blob under the repository. The resulting blob will be marked
         to not be GCed for some period of time (as configured by `committed_blob_expiration`).
 
         If expected_digest is specified, the content digest of the data uploaded for the blob is
         compared to that given and, if it does not match, a BlobDigestMismatchException is
         raised. The digest given must be of type `Digest` and not a string.
     """
-    # Compare the content digest.
-    if expected_digest is not None:
-      self._validate_digest(expected_digest)
+        # Compare the content digest.
+        if expected_digest is not None:
+            self._validate_digest(expected_digest)
 
-    # Finalize the storage.
-    storage_already_existed = self._finalize_blob_storage(app_config)
+        # Finalize the storage.
+        storage_already_existed = self._finalize_blob_storage(app_config)
 
-    # Convert the upload to a blob.
-    computed_digest_str = digest_tools.sha256_digest_from_hashlib(self.blob_upload.sha_state)
+        # Convert the upload to a blob.
+        computed_digest_str = digest_tools.sha256_digest_from_hashlib(
+            self.blob_upload.sha_state
+        )
 
-    with db_transaction():
-      blob = registry_model.commit_blob_upload(self.blob_upload, computed_digest_str,
-                                               self.settings.committed_blob_expiration)
-      if blob is None:
-        return None
+        with db_transaction():
+            blob = registry_model.commit_blob_upload(
+                self.blob_upload,
+                computed_digest_str,
+                self.settings.committed_blob_expiration,
+            )
+            if blob is None:
+                return None
 
-      # Save torrent hash information (if available).
-      if self.blob_upload.piece_sha_state is not None and not storage_already_existed:
-        piece_bytes = self.blob_upload.piece_hashes + self.blob_upload.piece_sha_state.digest()
-        registry_model.set_torrent_info(blob, self.settings.bittorrent_piece_size, piece_bytes)
+            # Save torrent hash information (if available).
+            if (
+                self.blob_upload.piece_sha_state is not None
+                and not storage_already_existed
+            ):
+                piece_bytes = (
+                    self.blob_upload.piece_hashes
+                    + self.blob_upload.piece_sha_state.digest()
+                )
+                registry_model.set_torrent_info(
+                    blob, self.settings.bittorrent_piece_size, piece_bytes
+                )
 
-    self.committed_blob = blob
-    return blob
+        self.committed_blob = blob
+        return blob
 
-  def _validate_digest(self, expected_digest):
-    """
+    def _validate_digest(self, expected_digest):
+        """
     Verifies that the digest's SHA matches that of the uploaded data.
     """
-    computed_digest = digest_tools.sha256_digest_from_hashlib(self.blob_upload.sha_state)
-    if not digest_tools.digests_equal(computed_digest, expected_digest):
-      logger.error('Digest mismatch for upload %s: Expected digest %s, found digest %s',
-                   self.blob_upload.upload_id, expected_digest, computed_digest)
-      raise BlobDigestMismatchException()
+        computed_digest = digest_tools.sha256_digest_from_hashlib(
+            self.blob_upload.sha_state
+        )
+        if not digest_tools.digests_equal(computed_digest, expected_digest):
+            logger.error(
+                "Digest mismatch for upload %s: Expected digest %s, found digest %s",
+                self.blob_upload.upload_id,
+                expected_digest,
+                computed_digest,
+            )
+            raise BlobDigestMismatchException()
 
-  def _finalize_blob_storage(self, app_config):
-    """
+    def _finalize_blob_storage(self, app_config):
+        """
     When an upload is successful, this ends the uploading process from the
     storage's perspective.
 
     Returns True if the blob already existed.
     """
-    computed_digest = digest_tools.sha256_digest_from_hashlib(self.blob_upload.sha_state)
-    final_blob_location = digest_tools.content_path(computed_digest)
+        computed_digest = digest_tools.sha256_digest_from_hashlib(
+            self.blob_upload.sha_state
+        )
+        final_blob_location = digest_tools.content_path(computed_digest)
 
-    # Close the database connection before we perform this operation, as it can take a while
-    # and we shouldn't hold the connection during that time.
-    with CloseForLongOperation(app_config):
-      # Move the storage into place, or if this was a re-upload, cancel it
-      already_existed = self.storage.exists({self.blob_upload.location_name}, final_blob_location)
-      if already_existed:
-        # It already existed, clean up our upload which served as proof that the
-        # uploader had the blob.
-        self.storage.cancel_chunked_upload({self.blob_upload.location_name},
-                                           self.blob_upload.upload_id,
-                                           self.blob_upload.storage_metadata)
-      else:
-        # We were the first ones to upload this image (at least to this location)
-        # Let's copy it into place
-        self.storage.complete_chunked_upload({self.blob_upload.location_name},
-                                             self.blob_upload.upload_id,
-                                             final_blob_location,
-                                             self.blob_upload.storage_metadata)
+        # Close the database connection before we perform this operation, as it can take a while
+        # and we shouldn't hold the connection during that time.
+        with CloseForLongOperation(app_config):
+            # Move the storage into place, or if this was a re-upload, cancel it
+            already_existed = self.storage.exists(
+                {self.blob_upload.location_name}, final_blob_location
+            )
+            if already_existed:
+                # It already existed, clean up our upload which served as proof that the
+                # uploader had the blob.
+                self.storage.cancel_chunked_upload(
+                    {self.blob_upload.location_name},
+                    self.blob_upload.upload_id,
+                    self.blob_upload.storage_metadata,
+                )
+            else:
+                # We were the first ones to upload this image (at least to this location)
+                # Let's copy it into place
+                self.storage.complete_chunked_upload(
+                    {self.blob_upload.location_name},
+                    self.blob_upload.upload_id,
+                    final_blob_location,
+                    self.blob_upload.storage_metadata,
+                )
 
-    return already_existed
+        return already_existed
diff --git a/data/registry_model/datatype.py b/data/registry_model/datatype.py
index 091776bb1..43b996285 100644
--- a/data/registry_model/datatype.py
+++ b/data/registry_model/datatype.py
@@ -2,85 +2,93 @@
 
 from functools import wraps, total_ordering
 
+
 class FromDictionaryException(Exception):
-  """ Exception raised if constructing a data type from a dictionary fails due to
+    """ Exception raised if constructing a data type from a dictionary fails due to
       missing data.
   """
 
+
 def datatype(name, static_fields):
-  """ Defines a base class for a datatype that will represent a row from the database,
+    """ Defines a base class for a datatype that will represent a row from the database,
       in an abstracted form.
   """
-  @total_ordering
-  class DataType(object):
-    __name__ = name
 
-    def __init__(self, **kwargs):
-      self._db_id = kwargs.pop('db_id', None)
-      self._inputs = kwargs.pop('inputs', None)
-      self._fields = kwargs
+    @total_ordering
+    class DataType(object):
+        __name__ = name
 
-      for name in static_fields:
-        assert name in self._fields, 'Missing field %s' % name
+        def __init__(self, **kwargs):
+            self._db_id = kwargs.pop("db_id", None)
+            self._inputs = kwargs.pop("inputs", None)
+            self._fields = kwargs
 
-    def __eq__(self, other):
-      return self._db_id == other._db_id
+            for name in static_fields:
+                assert name in self._fields, "Missing field %s" % name
 
-    def __lt__(self, other):
-      return self._db_id < other._db_id
+        def __eq__(self, other):
+            return self._db_id == other._db_id
 
-    def __getattr__(self, name):
-      if name in static_fields:
-        return self._fields[name]
+        def __lt__(self, other):
+            return self._db_id < other._db_id
 
-      raise AttributeError('Unknown field `%s`' % name)
+        def __getattr__(self, name):
+            if name in static_fields:
+                return self._fields[name]
 
-    def __repr__(self):
-      return '<%s> #%s' % (name, self._db_id)
+            raise AttributeError("Unknown field `%s`" % name)
 
-    @classmethod
-    def from_dict(cls, dict_data):
-      try:
-        return cls(**dict_data)
-      except:
-        raise FromDictionaryException()
+        def __repr__(self):
+            return "<%s> #%s" % (name, self._db_id)
 
-    def asdict(self):
-      dictionary_rep = dict(self._fields)
-      assert ('db_id' not in dictionary_rep and
-              'inputs' not in dictionary_rep)
+        @classmethod
+        def from_dict(cls, dict_data):
+            try:
+                return cls(**dict_data)
+            except:
+                raise FromDictionaryException()
 
-      dictionary_rep['db_id'] = self._db_id
-      dictionary_rep['inputs'] = self._inputs
-      return dictionary_rep
+        def asdict(self):
+            dictionary_rep = dict(self._fields)
+            assert "db_id" not in dictionary_rep and "inputs" not in dictionary_rep
 
-  return DataType
+            dictionary_rep["db_id"] = self._db_id
+            dictionary_rep["inputs"] = self._inputs
+            return dictionary_rep
+
+    return DataType
 
 
 def requiresinput(input_name):
-  """ Marks a property on the data type as requiring an input to be invoked. """
-  def inner(func):
-    @wraps(func)
-    def wrapper(self, *args, **kwargs):
-      if self._inputs.get(input_name) is None:
-        raise Exception('Cannot invoke function with missing input `%s`' % input_name)
+    """ Marks a property on the data type as requiring an input to be invoked. """
 
-      kwargs[input_name] = self._inputs[input_name]
-      result = func(self, *args, **kwargs)
-      return result
+    def inner(func):
+        @wraps(func)
+        def wrapper(self, *args, **kwargs):
+            if self._inputs.get(input_name) is None:
+                raise Exception(
+                    "Cannot invoke function with missing input `%s`" % input_name
+                )
 
-    return wrapper
-  return inner
+            kwargs[input_name] = self._inputs[input_name]
+            result = func(self, *args, **kwargs)
+            return result
+
+        return wrapper
+
+    return inner
 
 
 def optionalinput(input_name):
-  """ Marks a property on the data type as having an input be optional when invoked. """
-  def inner(func):
-    @wraps(func)
-    def wrapper(self, *args, **kwargs):
-      kwargs[input_name] = self._inputs.get(input_name)
-      result = func(self, *args, **kwargs)
-      return result
+    """ Marks a property on the data type as having an input be optional when invoked. """
 
-    return wrapper
-  return inner
+    def inner(func):
+        @wraps(func)
+        def wrapper(self, *args, **kwargs):
+            kwargs[input_name] = self._inputs.get(input_name)
+            result = func(self, *args, **kwargs)
+            return result
+
+        return wrapper
+
+    return inner
diff --git a/data/registry_model/datatypes.py b/data/registry_model/datatypes.py
index b732fbefc..94caec410 100644
--- a/data/registry_model/datatypes.py
+++ b/data/registry_model/datatypes.py
@@ -15,490 +15,606 @@ from image.docker.schema2 import DOCKER_SCHEMA2_MANIFESTLIST_CONTENT_TYPE
 from util.bytes import Bytes
 
 
-class RepositoryReference(datatype('Repository', [])):
-  """ RepositoryReference is a reference to a repository, passed to registry interface methods. """
-  @classmethod
-  def for_repo_obj(cls, repo_obj, namespace_name=None, repo_name=None, is_free_namespace=None,
-                   state=None):
-    if repo_obj is None:
-      return None
+class RepositoryReference(datatype("Repository", [])):
+    """ RepositoryReference is a reference to a repository, passed to registry interface methods. """
 
-    return RepositoryReference(db_id=repo_obj.id,
-                               inputs=dict(
-                                 kind=model.repository.get_repo_kind_name(repo_obj),
-                                 is_public=model.repository.is_repository_public(repo_obj),
-                                 namespace_name=namespace_name,
-                                 repo_name=repo_name,
-                                 is_free_namespace=is_free_namespace,
-                                 state=state
-                               ))
+    @classmethod
+    def for_repo_obj(
+        cls,
+        repo_obj,
+        namespace_name=None,
+        repo_name=None,
+        is_free_namespace=None,
+        state=None,
+    ):
+        if repo_obj is None:
+            return None
 
-  @classmethod
-  def for_id(cls, repo_id, namespace_name=None, repo_name=None, is_free_namespace=None, state=None):
-    return RepositoryReference(db_id=repo_id,
-                               inputs=dict(
-                                 kind=None,
-                                 is_public=None,
-                                 namespace_name=namespace_name,
-                                 repo_name=repo_name,
-                                 is_free_namespace=is_free_namespace,
-                                 state=state
-                              ))
+        return RepositoryReference(
+            db_id=repo_obj.id,
+            inputs=dict(
+                kind=model.repository.get_repo_kind_name(repo_obj),
+                is_public=model.repository.is_repository_public(repo_obj),
+                namespace_name=namespace_name,
+                repo_name=repo_name,
+                is_free_namespace=is_free_namespace,
+                state=state,
+            ),
+        )
 
-  @property
-  @lru_cache(maxsize=1)
-  def _repository_obj(self):
-    return model.repository.lookup_repository(self._db_id)
+    @classmethod
+    def for_id(
+        cls,
+        repo_id,
+        namespace_name=None,
+        repo_name=None,
+        is_free_namespace=None,
+        state=None,
+    ):
+        return RepositoryReference(
+            db_id=repo_id,
+            inputs=dict(
+                kind=None,
+                is_public=None,
+                namespace_name=namespace_name,
+                repo_name=repo_name,
+                is_free_namespace=is_free_namespace,
+                state=state,
+            ),
+        )
 
-  @property
-  @optionalinput('kind')
-  def kind(self, kind):
-    """ Returns the kind of the repository. """
-    return kind or model.repository.get_repo_kind_name(self._repositry_obj)
+    @property
+    @lru_cache(maxsize=1)
+    def _repository_obj(self):
+        return model.repository.lookup_repository(self._db_id)
 
-  @property
-  @optionalinput('is_public')
-  def is_public(self, is_public):
-    """ Returns whether the repository is public. """
-    if is_public is not None:
-      return is_public
+    @property
+    @optionalinput("kind")
+    def kind(self, kind):
+        """ Returns the kind of the repository. """
+        return kind or model.repository.get_repo_kind_name(self._repositry_obj)
 
-    return model.repository.is_repository_public(self._repository_obj)
+    @property
+    @optionalinput("is_public")
+    def is_public(self, is_public):
+        """ Returns whether the repository is public. """
+        if is_public is not None:
+            return is_public
 
-  @property
-  def trust_enabled(self):
-    """ Returns whether trust is enabled in this repository. """
-    repository = self._repository_obj
-    if repository is None:
-      return None
+        return model.repository.is_repository_public(self._repository_obj)
 
-    return repository.trust_enabled
+    @property
+    def trust_enabled(self):
+        """ Returns whether trust is enabled in this repository. """
+        repository = self._repository_obj
+        if repository is None:
+            return None
 
-  @property
-  def id(self):
-    """ Returns the database ID of the repository. """
-    return self._db_id
+        return repository.trust_enabled
 
-  @property
-  @optionalinput('namespace_name')
-  def namespace_name(self, namespace_name=None):
-    """ Returns the namespace name of this repository.
+    @property
+    def id(self):
+        """ Returns the database ID of the repository. """
+        return self._db_id
+
+    @property
+    @optionalinput("namespace_name")
+    def namespace_name(self, namespace_name=None):
+        """ Returns the namespace name of this repository.
     """
-    if namespace_name is not None:
-      return namespace_name
+        if namespace_name is not None:
+            return namespace_name
 
-    repository = self._repository_obj
-    if repository is None:
-      return None
+        repository = self._repository_obj
+        if repository is None:
+            return None
 
-    return repository.namespace_user.username
+        return repository.namespace_user.username
 
-  @property
-  @optionalinput('is_free_namespace')
-  def is_free_namespace(self, is_free_namespace=None):
-    """ Returns whether the namespace of the repository is on a free plan.
+    @property
+    @optionalinput("is_free_namespace")
+    def is_free_namespace(self, is_free_namespace=None):
+        """ Returns whether the namespace of the repository is on a free plan.
     """
-    if is_free_namespace is not None:
-      return is_free_namespace
+        if is_free_namespace is not None:
+            return is_free_namespace
 
-    repository = self._repository_obj
-    if repository is None:
-      return None
+        repository = self._repository_obj
+        if repository is None:
+            return None
 
-    return repository.namespace_user.stripe_id is None
+        return repository.namespace_user.stripe_id is None
 
-  @property
-  @optionalinput('repo_name')
-  def name(self, repo_name=None):
-    """ Returns the name of this repository.
+    @property
+    @optionalinput("repo_name")
+    def name(self, repo_name=None):
+        """ Returns the name of this repository.
     """
-    if repo_name is not None:
-      return repo_name
+        if repo_name is not None:
+            return repo_name
 
-    repository = self._repository_obj
-    if repository is None:
-      return None
+        repository = self._repository_obj
+        if repository is None:
+            return None
 
-    return repository.name
+        return repository.name
 
-  @property
-  @optionalinput('state')
-  def state(self, state=None):
-    """ Return the state of the Repository. """
-    if state is not None:
-      return state
+    @property
+    @optionalinput("state")
+    def state(self, state=None):
+        """ Return the state of the Repository. """
+        if state is not None:
+            return state
 
-    repository = self._repository_obj
-    if repository is None:
-      return None
+        repository = self._repository_obj
+        if repository is None:
+            return None
 
-    return repository.state
+        return repository.state
 
 
-class Label(datatype('Label', ['key', 'value', 'uuid', 'source_type_name', 'media_type_name'])):
-  """ Label represents a label on a manifest. """
-  @classmethod
-  def for_label(cls, label):
-    if label is None:
-      return None
+class Label(
+    datatype("Label", ["key", "value", "uuid", "source_type_name", "media_type_name"])
+):
+    """ Label represents a label on a manifest. """
 
-    return Label(db_id=label.id, key=label.key, value=label.value,
-                 uuid=label.uuid, media_type_name=label.media_type.name,
-                 source_type_name=label.source_type.name)
+    @classmethod
+    def for_label(cls, label):
+        if label is None:
+            return None
+
+        return Label(
+            db_id=label.id,
+            key=label.key,
+            value=label.value,
+            uuid=label.uuid,
+            media_type_name=label.media_type.name,
+            source_type_name=label.source_type.name,
+        )
 
 
-class ShallowTag(datatype('ShallowTag', ['name'])):
-  """ ShallowTag represents a tag in a repository, but only contains basic information. """
-  @classmethod
-  def for_tag(cls, tag):
-    if tag is None:
-      return None
+class ShallowTag(datatype("ShallowTag", ["name"])):
+    """ ShallowTag represents a tag in a repository, but only contains basic information. """
 
-    return ShallowTag(db_id=tag.id, name=tag.name)
+    @classmethod
+    def for_tag(cls, tag):
+        if tag is None:
+            return None
 
-  @classmethod
-  def for_repository_tag(cls, repository_tag):
-    if repository_tag is None:
-      return None
+        return ShallowTag(db_id=tag.id, name=tag.name)
 
-    return ShallowTag(db_id=repository_tag.id, name=repository_tag.name)
+    @classmethod
+    def for_repository_tag(cls, repository_tag):
+        if repository_tag is None:
+            return None
 
-  @property
-  def id(self):
-    """ The ID of this tag for pagination purposes only. """
-    return self._db_id
+        return ShallowTag(db_id=repository_tag.id, name=repository_tag.name)
+
+    @property
+    def id(self):
+        """ The ID of this tag for pagination purposes only. """
+        return self._db_id
 
 
-class Tag(datatype('Tag', ['name', 'reversion', 'manifest_digest', 'lifetime_start_ts',
-                           'lifetime_end_ts', 'lifetime_start_ms', 'lifetime_end_ms'])):
-  """ Tag represents a tag in a repository, which points to a manifest or image. """
-  @classmethod
-  def for_tag(cls, tag, legacy_image=None):
-    if tag is None:
-      return None
+class Tag(
+    datatype(
+        "Tag",
+        [
+            "name",
+            "reversion",
+            "manifest_digest",
+            "lifetime_start_ts",
+            "lifetime_end_ts",
+            "lifetime_start_ms",
+            "lifetime_end_ms",
+        ],
+    )
+):
+    """ Tag represents a tag in a repository, which points to a manifest or image. """
 
-    return Tag(db_id=tag.id,
-               name=tag.name,
-               reversion=tag.reversion,
-               lifetime_start_ms=tag.lifetime_start_ms,
-               lifetime_end_ms=tag.lifetime_end_ms,
-               lifetime_start_ts=tag.lifetime_start_ms / 1000,
-               lifetime_end_ts=tag.lifetime_end_ms / 1000 if tag.lifetime_end_ms else None,
-               manifest_digest=tag.manifest.digest,
-               inputs=dict(legacy_image=legacy_image,
-                           manifest=tag.manifest,
-                           repository=RepositoryReference.for_id(tag.repository_id)))
+    @classmethod
+    def for_tag(cls, tag, legacy_image=None):
+        if tag is None:
+            return None
 
-  @classmethod
-  def for_repository_tag(cls, repository_tag, manifest_digest=None, legacy_image=None):
-    if repository_tag is None:
-      return None
+        return Tag(
+            db_id=tag.id,
+            name=tag.name,
+            reversion=tag.reversion,
+            lifetime_start_ms=tag.lifetime_start_ms,
+            lifetime_end_ms=tag.lifetime_end_ms,
+            lifetime_start_ts=tag.lifetime_start_ms / 1000,
+            lifetime_end_ts=tag.lifetime_end_ms / 1000 if tag.lifetime_end_ms else None,
+            manifest_digest=tag.manifest.digest,
+            inputs=dict(
+                legacy_image=legacy_image,
+                manifest=tag.manifest,
+                repository=RepositoryReference.for_id(tag.repository_id),
+            ),
+        )
 
-    return Tag(db_id=repository_tag.id,
-               name=repository_tag.name,
-               reversion=repository_tag.reversion,
-               lifetime_start_ts=repository_tag.lifetime_start_ts,
-               lifetime_end_ts=repository_tag.lifetime_end_ts,
-               lifetime_start_ms=repository_tag.lifetime_start_ts * 1000,
-               lifetime_end_ms=(repository_tag.lifetime_end_ts * 1000
-                                if repository_tag.lifetime_end_ts else None),
-               manifest_digest=manifest_digest,
-               inputs=dict(legacy_image=legacy_image,
-                           repository=RepositoryReference.for_id(repository_tag.repository_id)))
+    @classmethod
+    def for_repository_tag(
+        cls, repository_tag, manifest_digest=None, legacy_image=None
+    ):
+        if repository_tag is None:
+            return None
 
-  @property
-  @requiresinput('manifest')
-  def _manifest(self, manifest):
-    """ Returns the manifest for this tag. Will only apply to new-style OCI tags. """
-    return manifest
+        return Tag(
+            db_id=repository_tag.id,
+            name=repository_tag.name,
+            reversion=repository_tag.reversion,
+            lifetime_start_ts=repository_tag.lifetime_start_ts,
+            lifetime_end_ts=repository_tag.lifetime_end_ts,
+            lifetime_start_ms=repository_tag.lifetime_start_ts * 1000,
+            lifetime_end_ms=(
+                repository_tag.lifetime_end_ts * 1000
+                if repository_tag.lifetime_end_ts
+                else None
+            ),
+            manifest_digest=manifest_digest,
+            inputs=dict(
+                legacy_image=legacy_image,
+                repository=RepositoryReference.for_id(repository_tag.repository_id),
+            ),
+        )
 
-  @property
-  @optionalinput('manifest')
-  def manifest(self, manifest):
-    """ Returns the manifest for this tag or None if none. Will only apply to new-style OCI tags.
+    @property
+    @requiresinput("manifest")
+    def _manifest(self, manifest):
+        """ Returns the manifest for this tag. Will only apply to new-style OCI tags. """
+        return manifest
+
+    @property
+    @optionalinput("manifest")
+    def manifest(self, manifest):
+        """ Returns the manifest for this tag or None if none. Will only apply to new-style OCI tags.
     """
-    return Manifest.for_manifest(manifest, self.legacy_image_if_present)
+        return Manifest.for_manifest(manifest, self.legacy_image_if_present)
 
-  @property
-  @requiresinput('repository')
-  def repository(self, repository):
-    """ Returns the repository under which this tag lives.
+    @property
+    @requiresinput("repository")
+    def repository(self, repository):
+        """ Returns the repository under which this tag lives.
     """
-    return repository
+        return repository
 
-  @property
-  @requiresinput('legacy_image')
-  def legacy_image(self, legacy_image):
-    """ Returns the legacy Docker V1-style image for this tag. Note that this
+    @property
+    @requiresinput("legacy_image")
+    def legacy_image(self, legacy_image):
+        """ Returns the legacy Docker V1-style image for this tag. Note that this
         will be None for tags whose manifests point to other manifests instead of images.
     """
-    return legacy_image
+        return legacy_image
 
-  @property
-  @optionalinput('legacy_image')
-  def legacy_image_if_present(self, legacy_image):
-    """ Returns the legacy Docker V1-style image for this tag. Note that this
+    @property
+    @optionalinput("legacy_image")
+    def legacy_image_if_present(self, legacy_image):
+        """ Returns the legacy Docker V1-style image for this tag. Note that this
         will be None for tags whose manifests point to other manifests instead of images.
     """
-    return legacy_image
+        return legacy_image
 
-  @property
-  def id(self):
-    """ The ID of this tag for pagination purposes only. """
-    return self._db_id
+    @property
+    def id(self):
+        """ The ID of this tag for pagination purposes only. """
+        return self._db_id
 
 
-class Manifest(datatype('Manifest', ['digest', 'media_type', 'internal_manifest_bytes'])):
-  """ Manifest represents a manifest in a repository. """
-  @classmethod
-  def for_tag_manifest(cls, tag_manifest, legacy_image=None):
-    if tag_manifest is None:
-      return None
+class Manifest(
+    datatype("Manifest", ["digest", "media_type", "internal_manifest_bytes"])
+):
+    """ Manifest represents a manifest in a repository. """
 
-    return Manifest(db_id=tag_manifest.id, digest=tag_manifest.digest,
-                    internal_manifest_bytes=Bytes.for_string_or_unicode(tag_manifest.json_data),
-                    media_type=DOCKER_SCHEMA1_SIGNED_MANIFEST_CONTENT_TYPE, # Always in legacy.
-                    inputs=dict(legacy_image=legacy_image, tag_manifest=True))
+    @classmethod
+    def for_tag_manifest(cls, tag_manifest, legacy_image=None):
+        if tag_manifest is None:
+            return None
 
-  @classmethod
-  def for_manifest(cls, manifest, legacy_image):
-    if manifest is None:
-      return None
+        return Manifest(
+            db_id=tag_manifest.id,
+            digest=tag_manifest.digest,
+            internal_manifest_bytes=Bytes.for_string_or_unicode(tag_manifest.json_data),
+            media_type=DOCKER_SCHEMA1_SIGNED_MANIFEST_CONTENT_TYPE,  # Always in legacy.
+            inputs=dict(legacy_image=legacy_image, tag_manifest=True),
+        )
 
-    # NOTE: `manifest_bytes` will be None if not selected by certain join queries.
-    manifest_bytes = (Bytes.for_string_or_unicode(manifest.manifest_bytes)
-                      if manifest.manifest_bytes is not None else None)
-    return Manifest(db_id=manifest.id,
-                    digest=manifest.digest,
-                    internal_manifest_bytes=manifest_bytes,
-                    media_type=ManifestTable.media_type.get_name(manifest.media_type_id),
-                    inputs=dict(legacy_image=legacy_image, tag_manifest=False))
+    @classmethod
+    def for_manifest(cls, manifest, legacy_image):
+        if manifest is None:
+            return None
 
-  @property
-  @requiresinput('tag_manifest')
-  def _is_tag_manifest(self, tag_manifest):
-    return tag_manifest
+        # NOTE: `manifest_bytes` will be None if not selected by certain join queries.
+        manifest_bytes = (
+            Bytes.for_string_or_unicode(manifest.manifest_bytes)
+            if manifest.manifest_bytes is not None
+            else None
+        )
+        return Manifest(
+            db_id=manifest.id,
+            digest=manifest.digest,
+            internal_manifest_bytes=manifest_bytes,
+            media_type=ManifestTable.media_type.get_name(manifest.media_type_id),
+            inputs=dict(legacy_image=legacy_image, tag_manifest=False),
+        )
 
-  @property
-  @requiresinput('legacy_image')
-  def legacy_image(self, legacy_image):
-    """ Returns the legacy Docker V1-style image for this manifest.
+    @property
+    @requiresinput("tag_manifest")
+    def _is_tag_manifest(self, tag_manifest):
+        return tag_manifest
+
+    @property
+    @requiresinput("legacy_image")
+    def legacy_image(self, legacy_image):
+        """ Returns the legacy Docker V1-style image for this manifest.
     """
-    return legacy_image
+        return legacy_image
 
-  @property
-  @optionalinput('legacy_image')
-  def legacy_image_if_present(self, legacy_image):
-    """ Returns the legacy Docker V1-style image for this manifest.  Note that this
+    @property
+    @optionalinput("legacy_image")
+    def legacy_image_if_present(self, legacy_image):
+        """ Returns the legacy Docker V1-style image for this manifest.  Note that this
         will be None for manifests that point to other manifests instead of images.
     """
-    return legacy_image
+        return legacy_image
 
-  def get_parsed_manifest(self, validate=True):
-    """ Returns the parsed manifest for this manifest. """
-    assert self.internal_manifest_bytes
-    return parse_manifest_from_bytes(self.internal_manifest_bytes, self.media_type,
-                                     validate=validate)
+    def get_parsed_manifest(self, validate=True):
+        """ Returns the parsed manifest for this manifest. """
+        assert self.internal_manifest_bytes
+        return parse_manifest_from_bytes(
+            self.internal_manifest_bytes, self.media_type, validate=validate
+        )
 
-  @property
-  def layers_compressed_size(self):
-    """ Returns the total compressed size of the layers in the manifest or None if this could not
+    @property
+    def layers_compressed_size(self):
+        """ Returns the total compressed size of the layers in the manifest or None if this could not
         be computed.
     """
-    try:
-      return self.get_parsed_manifest().layers_compressed_size
-    except ManifestException:
-      return None
+        try:
+            return self.get_parsed_manifest().layers_compressed_size
+        except ManifestException:
+            return None
 
-  @property
-  def is_manifest_list(self):
-    """ Returns True if this manifest points to a list (instead of an image). """
-    return self.media_type == DOCKER_SCHEMA2_MANIFESTLIST_CONTENT_TYPE
+    @property
+    def is_manifest_list(self):
+        """ Returns True if this manifest points to a list (instead of an image). """
+        return self.media_type == DOCKER_SCHEMA2_MANIFESTLIST_CONTENT_TYPE
 
 
-class LegacyImage(datatype('LegacyImage', ['docker_image_id', 'created', 'comment', 'command',
-                                           'image_size', 'aggregate_size', 'uploading',
-                                           'v1_metadata_string'])):
-  """ LegacyImage represents a Docker V1-style image found in a repository. """
-  @classmethod
-  def for_image(cls, image, images_map=None, tags_map=None, blob=None):
-    if image is None:
-      return None
+class LegacyImage(
+    datatype(
+        "LegacyImage",
+        [
+            "docker_image_id",
+            "created",
+            "comment",
+            "command",
+            "image_size",
+            "aggregate_size",
+            "uploading",
+            "v1_metadata_string",
+        ],
+    )
+):
+    """ LegacyImage represents a Docker V1-style image found in a repository. """
 
-    return LegacyImage(db_id=image.id,
-                       inputs=dict(images_map=images_map, tags_map=tags_map,
-                                   ancestor_id_list=image.ancestor_id_list(),
-                                   blob=blob),
-                       docker_image_id=image.docker_image_id,
-                       created=image.created,
-                       comment=image.comment,
-                       command=image.command,
-                       v1_metadata_string=image.v1_json_metadata,
-                       image_size=image.storage.image_size,
-                       aggregate_size=image.aggregate_size,
-                       uploading=image.storage.uploading)
+    @classmethod
+    def for_image(cls, image, images_map=None, tags_map=None, blob=None):
+        if image is None:
+            return None
 
-  @property
-  def id(self):
-    """ Returns the database ID of the legacy image. """
-    return self._db_id
+        return LegacyImage(
+            db_id=image.id,
+            inputs=dict(
+                images_map=images_map,
+                tags_map=tags_map,
+                ancestor_id_list=image.ancestor_id_list(),
+                blob=blob,
+            ),
+            docker_image_id=image.docker_image_id,
+            created=image.created,
+            comment=image.comment,
+            command=image.command,
+            v1_metadata_string=image.v1_json_metadata,
+            image_size=image.storage.image_size,
+            aggregate_size=image.aggregate_size,
+            uploading=image.storage.uploading,
+        )
 
-  @property
-  @requiresinput('images_map')
-  @requiresinput('ancestor_id_list')
-  def parents(self, images_map, ancestor_id_list):
-    """ Returns the parent images for this image. Raises an exception if the parents have
+    @property
+    def id(self):
+        """ Returns the database ID of the legacy image. """
+        return self._db_id
+
+    @property
+    @requiresinput("images_map")
+    @requiresinput("ancestor_id_list")
+    def parents(self, images_map, ancestor_id_list):
+        """ Returns the parent images for this image. Raises an exception if the parents have
         not been loaded before this property is invoked. Parents are returned starting at the
         leaf image.
     """
-    return [LegacyImage.for_image(images_map[ancestor_id], images_map=images_map)
+        return [
+            LegacyImage.for_image(images_map[ancestor_id], images_map=images_map)
             for ancestor_id in reversed(ancestor_id_list)
-            if images_map.get(ancestor_id)]
+            if images_map.get(ancestor_id)
+        ]
 
-  @property
-  @requiresinput('blob')
-  def blob(self, blob):
-    """ Returns the blob for this image. Raises an exception if the blob has
+    @property
+    @requiresinput("blob")
+    def blob(self, blob):
+        """ Returns the blob for this image. Raises an exception if the blob has
         not been loaded before this property is invoked.
     """
-    return blob
+        return blob
 
-  @property
-  @requiresinput('tags_map')
-  def tags(self, tags_map):
-    """ Returns the tags pointing to this image. Raises an exception if the tags have
+    @property
+    @requiresinput("tags_map")
+    def tags(self, tags_map):
+        """ Returns the tags pointing to this image. Raises an exception if the tags have
         not been loaded before this property is invoked.
     """
-    tags = tags_map.get(self._db_id)
-    if not tags:
-      return []
+        tags = tags_map.get(self._db_id)
+        if not tags:
+            return []
 
-    return [Tag.for_repository_tag(tag) for tag in tags]
+        return [Tag.for_repository_tag(tag) for tag in tags]
 
 
 @unique
 class SecurityScanStatus(Enum):
-  """ Security scan status enum """
-  SCANNED = 'scanned'
-  FAILED = 'failed'
-  QUEUED = 'queued'
-  UNSUPPORTED = 'unsupported'
+    """ Security scan status enum """
+
+    SCANNED = "scanned"
+    FAILED = "failed"
+    QUEUED = "queued"
+    UNSUPPORTED = "unsupported"
 
 
-class ManifestLayer(namedtuple('ManifestLayer', ['layer_info', 'blob'])):
-  """ Represents a single layer in a manifest. The `layer_info` data will be manifest-type specific,
+class ManifestLayer(namedtuple("ManifestLayer", ["layer_info", "blob"])):
+    """ Represents a single layer in a manifest. The `layer_info` data will be manifest-type specific,
       but will have a few expected fields (such as `digest`). The `blob` represents the associated
       blob for this layer, optionally with placements. If the layer is a remote layer, the blob will
       be None.
   """
 
-  def estimated_size(self, estimate_multiplier):
-    """ Returns the estimated size of this layer. If the layers' blob has an uncompressed size,
+    def estimated_size(self, estimate_multiplier):
+        """ Returns the estimated size of this layer. If the layers' blob has an uncompressed size,
         it is used. Otherwise, the compressed_size field in the layer is multiplied by the
         multiplier.
     """
-    if self.blob.uncompressed_size:
-      return self.blob.uncompressed_size
+        if self.blob.uncompressed_size:
+            return self.blob.uncompressed_size
 
-    return (self.layer_info.compressed_size or 0) * estimate_multiplier
+        return (self.layer_info.compressed_size or 0) * estimate_multiplier
 
 
-class Blob(datatype('Blob', ['uuid', 'digest', 'compressed_size', 'uncompressed_size',
-                             'uploading'])):
-  """ Blob represents a content-addressable piece of storage. """
-  @classmethod
-  def for_image_storage(cls, image_storage, storage_path, placements=None):
-    if image_storage is None:
-      return None
+class Blob(
+    datatype(
+        "Blob", ["uuid", "digest", "compressed_size", "uncompressed_size", "uploading"]
+    )
+):
+    """ Blob represents a content-addressable piece of storage. """
 
-    return Blob(db_id=image_storage.id,
-                uuid=image_storage.uuid,
-                inputs=dict(placements=placements, storage_path=storage_path),
-                digest=image_storage.content_checksum,
-                compressed_size=image_storage.image_size,
-                uncompressed_size=image_storage.uncompressed_size,
-                uploading=image_storage.uploading)
+    @classmethod
+    def for_image_storage(cls, image_storage, storage_path, placements=None):
+        if image_storage is None:
+            return None
 
-  @property
-  @requiresinput('storage_path')
-  def storage_path(self, storage_path):
-    """ Returns the path of this blob in storage. """
-    # TODO: change this to take in the storage engine?
-    return storage_path
+        return Blob(
+            db_id=image_storage.id,
+            uuid=image_storage.uuid,
+            inputs=dict(placements=placements, storage_path=storage_path),
+            digest=image_storage.content_checksum,
+            compressed_size=image_storage.image_size,
+            uncompressed_size=image_storage.uncompressed_size,
+            uploading=image_storage.uploading,
+        )
 
-  @property
-  @requiresinput('placements')
-  def placements(self, placements):
-    """ Returns all the storage placements at which the Blob can be found. """
-    return placements
+    @property
+    @requiresinput("storage_path")
+    def storage_path(self, storage_path):
+        """ Returns the path of this blob in storage. """
+        # TODO: change this to take in the storage engine?
+        return storage_path
+
+    @property
+    @requiresinput("placements")
+    def placements(self, placements):
+        """ Returns all the storage placements at which the Blob can be found. """
+        return placements
 
 
-class DerivedImage(datatype('DerivedImage', ['verb', 'varying_metadata', 'blob'])):
-  """ DerivedImage represents an image derived from a manifest via some form of verb. """
-  @classmethod
-  def for_derived_storage(cls, derived, verb, varying_metadata, blob):
-    return DerivedImage(db_id=derived.id,
-                        verb=verb,
-                        varying_metadata=varying_metadata,
-                        blob=blob)
+class DerivedImage(datatype("DerivedImage", ["verb", "varying_metadata", "blob"])):
+    """ DerivedImage represents an image derived from a manifest via some form of verb. """
 
-  @property
-  def unique_id(self):
-    """ Returns a unique ID for this derived image. This call will consistently produce the same
+    @classmethod
+    def for_derived_storage(cls, derived, verb, varying_metadata, blob):
+        return DerivedImage(
+            db_id=derived.id, verb=verb, varying_metadata=varying_metadata, blob=blob
+        )
+
+    @property
+    def unique_id(self):
+        """ Returns a unique ID for this derived image. This call will consistently produce the same
         unique ID across calls in the same code base.
     """
-    return hashlib.sha256('%s:%s' % (self.verb, self._db_id)).hexdigest()
+        return hashlib.sha256("%s:%s" % (self.verb, self._db_id)).hexdigest()
 
 
-class TorrentInfo(datatype('TorrentInfo', ['pieces', 'piece_length'])):
-  """ TorrentInfo represents information to pull a blob via torrent. """
-  @classmethod
-  def for_torrent_info(cls, torrent_info):
-    return TorrentInfo(db_id=torrent_info.id,
-                       pieces=torrent_info.pieces,
-                       piece_length=torrent_info.piece_length)
+class TorrentInfo(datatype("TorrentInfo", ["pieces", "piece_length"])):
+    """ TorrentInfo represents information to pull a blob via torrent. """
+
+    @classmethod
+    def for_torrent_info(cls, torrent_info):
+        return TorrentInfo(
+            db_id=torrent_info.id,
+            pieces=torrent_info.pieces,
+            piece_length=torrent_info.piece_length,
+        )
 
 
-class BlobUpload(datatype('BlobUpload', ['upload_id', 'byte_count', 'uncompressed_byte_count',
-                                         'chunk_count', 'sha_state', 'location_name',
-                                         'storage_metadata', 'piece_sha_state', 'piece_hashes'])):
-  """ BlobUpload represents information about an in-progress upload to create a blob. """
-  @classmethod
-  def for_upload(cls, blob_upload, location_name=None):
-    return BlobUpload(db_id=blob_upload.id,
-                      upload_id=blob_upload.uuid,
-                      byte_count=blob_upload.byte_count,
-                      uncompressed_byte_count=blob_upload.uncompressed_byte_count,
-                      chunk_count=blob_upload.chunk_count,
-                      sha_state=blob_upload.sha_state,
-                      location_name=location_name or blob_upload.location.name,
-                      storage_metadata=blob_upload.storage_metadata,
-                      piece_sha_state=blob_upload.piece_sha_state,
-                      piece_hashes=blob_upload.piece_hashes)
+class BlobUpload(
+    datatype(
+        "BlobUpload",
+        [
+            "upload_id",
+            "byte_count",
+            "uncompressed_byte_count",
+            "chunk_count",
+            "sha_state",
+            "location_name",
+            "storage_metadata",
+            "piece_sha_state",
+            "piece_hashes",
+        ],
+    )
+):
+    """ BlobUpload represents information about an in-progress upload to create a blob. """
+
+    @classmethod
+    def for_upload(cls, blob_upload, location_name=None):
+        return BlobUpload(
+            db_id=blob_upload.id,
+            upload_id=blob_upload.uuid,
+            byte_count=blob_upload.byte_count,
+            uncompressed_byte_count=blob_upload.uncompressed_byte_count,
+            chunk_count=blob_upload.chunk_count,
+            sha_state=blob_upload.sha_state,
+            location_name=location_name or blob_upload.location.name,
+            storage_metadata=blob_upload.storage_metadata,
+            piece_sha_state=blob_upload.piece_sha_state,
+            piece_hashes=blob_upload.piece_hashes,
+        )
 
 
-class LikelyVulnerableTag(datatype('LikelyVulnerableTag', ['layer_id', 'name'])):
-  """ LikelyVulnerableTag represents a tag in a repository that is likely vulnerable to a notified
+class LikelyVulnerableTag(datatype("LikelyVulnerableTag", ["layer_id", "name"])):
+    """ LikelyVulnerableTag represents a tag in a repository that is likely vulnerable to a notified
       vulnerability.
   """
-  # TODO: Remove all of this once we're on the new security model exclusively.
-  @classmethod
-  def for_tag(cls, tag, repository, docker_image_id, storage_uuid):
-    layer_id = '%s.%s' % (docker_image_id, storage_uuid)
-    return LikelyVulnerableTag(db_id=tag.id,
-                               name=tag.name,
-                               layer_id=layer_id,
-                               inputs=dict(repository=repository))
 
-  @classmethod
-  def for_repository_tag(cls, tag, repository):
-    tag_layer_id = '%s.%s' % (tag.image.docker_image_id, tag.image.storage.uuid)
-    return LikelyVulnerableTag(db_id=tag.id,
-                               name=tag.name,
-                               layer_id=tag_layer_id,
-                               inputs=dict(repository=repository))
+    # TODO: Remove all of this once we're on the new security model exclusively.
+    @classmethod
+    def for_tag(cls, tag, repository, docker_image_id, storage_uuid):
+        layer_id = "%s.%s" % (docker_image_id, storage_uuid)
+        return LikelyVulnerableTag(
+            db_id=tag.id,
+            name=tag.name,
+            layer_id=layer_id,
+            inputs=dict(repository=repository),
+        )
 
-  @property
-  @requiresinput('repository')
-  def repository(self, repository):
-    return RepositoryReference.for_repo_obj(repository)
+    @classmethod
+    def for_repository_tag(cls, tag, repository):
+        tag_layer_id = "%s.%s" % (tag.image.docker_image_id, tag.image.storage.uuid)
+        return LikelyVulnerableTag(
+            db_id=tag.id,
+            name=tag.name,
+            layer_id=tag_layer_id,
+            inputs=dict(repository=repository),
+        )
+
+    @property
+    @requiresinput("repository")
+    def repository(self, repository):
+        return RepositoryReference.for_repo_obj(repository)
diff --git a/data/registry_model/interface.py b/data/registry_model/interface.py
index 8862f88bc..505cd3899 100644
--- a/data/registry_model/interface.py
+++ b/data/registry_model/interface.py
@@ -1,64 +1,80 @@
 from abc import ABCMeta, abstractmethod
 from six import add_metaclass
 
+
 @add_metaclass(ABCMeta)
 class RegistryDataInterface(object):
-  """ Interface for code to work with the registry data model. The registry data model consists
+    """ Interface for code to work with the registry data model. The registry data model consists
       of all tables that store registry-specific information, such as Manifests, Blobs, Images,
       and Labels.
   """
-  @abstractmethod
-  def supports_schema2(self, namespace_name):
-    """ Returns whether the implementation of the data interface supports schema 2 format
+
+    @abstractmethod
+    def supports_schema2(self, namespace_name):
+        """ Returns whether the implementation of the data interface supports schema 2 format
         manifests. """
 
-  @abstractmethod
-  def get_tag_legacy_image_id(self, repository_ref, tag_name, storage):
-    """ Returns the legacy image ID for the tag with a legacy images in
+    @abstractmethod
+    def get_tag_legacy_image_id(self, repository_ref, tag_name, storage):
+        """ Returns the legacy image ID for the tag with a legacy images in
         the repository. Returns None if None.
     """
 
-  @abstractmethod
-  def get_legacy_tags_map(self, repository_ref, storage):
-    """ Returns a map from tag name to its legacy image ID, for all tags with legacy images in
+    @abstractmethod
+    def get_legacy_tags_map(self, repository_ref, storage):
+        """ Returns a map from tag name to its legacy image ID, for all tags with legacy images in
         the repository. Note that this can be a *very* heavy operation.
     """
 
-  @abstractmethod
-  def find_matching_tag(self, repository_ref, tag_names):
-    """ Finds an alive tag in the repository matching one of the given tag names and returns it
+    @abstractmethod
+    def find_matching_tag(self, repository_ref, tag_names):
+        """ Finds an alive tag in the repository matching one of the given tag names and returns it
         or None if none.
     """
 
-  @abstractmethod
-  def get_most_recent_tag(self, repository_ref):
-    """ Returns the most recently pushed alive tag in the repository, if any. If none, returns
+    @abstractmethod
+    def get_most_recent_tag(self, repository_ref):
+        """ Returns the most recently pushed alive tag in the repository, if any. If none, returns
         None.
     """
 
-  @abstractmethod
-  def lookup_repository(self, namespace_name, repo_name, kind_filter=None):
-    """ Looks up and returns a reference to the repository with the given namespace and name,
+    @abstractmethod
+    def lookup_repository(self, namespace_name, repo_name, kind_filter=None):
+        """ Looks up and returns a reference to the repository with the given namespace and name,
         or None if none. """
 
-  @abstractmethod
-  def get_manifest_for_tag(self, tag, backfill_if_necessary=False, include_legacy_image=False):
-    """ Returns the manifest associated with the given tag. """
+    @abstractmethod
+    def get_manifest_for_tag(
+        self, tag, backfill_if_necessary=False, include_legacy_image=False
+    ):
+        """ Returns the manifest associated with the given tag. """
 
-  @abstractmethod
-  def lookup_manifest_by_digest(self, repository_ref, manifest_digest, allow_dead=False,
-                                include_legacy_image=False, require_available=False):
-    """ Looks up the manifest with the given digest under the given repository and returns it
+    @abstractmethod
+    def lookup_manifest_by_digest(
+        self,
+        repository_ref,
+        manifest_digest,
+        allow_dead=False,
+        include_legacy_image=False,
+        require_available=False,
+    ):
+        """ Looks up the manifest with the given digest under the given repository and returns it
         or None if none. If allow_dead is True, manifests pointed to by dead tags will also
         be returned. If require_available is True, a temporary tag will be added onto the
         returned manifest (before it is returned) to ensure it is available until another
         tagging or manifest operation is taken.
     """
 
-  @abstractmethod
-  def create_manifest_and_retarget_tag(self, repository_ref, manifest_interface_instance, tag_name,
-                                       storage, raise_on_error=False):
-    """ Creates a manifest in a repository, adding all of the necessary data in the model.
+    @abstractmethod
+    def create_manifest_and_retarget_tag(
+        self,
+        repository_ref,
+        manifest_interface_instance,
+        tag_name,
+        storage,
+        raise_on_error=False,
+    ):
+        """ Creates a manifest in a repository, adding all of the necessary data in the model.
 
         The `manifest_interface_instance` parameter must be an instance of the manifest
         interface as returned by the image/docker package.
@@ -69,275 +85,317 @@ class RegistryDataInterface(object):
         Returns a reference to the (created manifest, tag) or (None, None) on error.
     """
 
-  @abstractmethod
-  def get_legacy_images(self, repository_ref):
-    """
+    @abstractmethod
+    def get_legacy_images(self, repository_ref):
+        """
     Returns an iterator of all the LegacyImage's defined in the matching repository.
     """
 
-  @abstractmethod
-  def get_legacy_image(self, repository_ref, docker_image_id, include_parents=False,
-                       include_blob=False):
-    """
+    @abstractmethod
+    def get_legacy_image(
+        self, repository_ref, docker_image_id, include_parents=False, include_blob=False
+    ):
+        """
     Returns the matching LegacyImages under the matching repository, if any. If none,
     returns None.
     """
 
-  @abstractmethod
-  def create_manifest_label(self, manifest, key, value, source_type_name, media_type_name=None):
-    """ Creates a label on the manifest with the given key and value.
+    @abstractmethod
+    def create_manifest_label(
+        self, manifest, key, value, source_type_name, media_type_name=None
+    ):
+        """ Creates a label on the manifest with the given key and value.
 
         Can raise InvalidLabelKeyException or InvalidMediaTypeException depending
         on the validation errors.
     """
 
-  @abstractmethod
-  def batch_create_manifest_labels(self, manifest):
-    """ Returns a context manager for batch creation of labels on a manifest.
+    @abstractmethod
+    def batch_create_manifest_labels(self, manifest):
+        """ Returns a context manager for batch creation of labels on a manifest.
 
         Can raise InvalidLabelKeyException or InvalidMediaTypeException depending
         on the validation errors.
     """
 
-  @abstractmethod
-  def list_manifest_labels(self, manifest, key_prefix=None):
-    """ Returns all labels found on the manifest. If specified, the key_prefix will filter the
+    @abstractmethod
+    def list_manifest_labels(self, manifest, key_prefix=None):
+        """ Returns all labels found on the manifest. If specified, the key_prefix will filter the
         labels returned to those keys that start with the given prefix.
     """
 
-  @abstractmethod
-  def get_manifest_label(self, manifest, label_uuid):
-    """ Returns the label with the specified UUID on the manifest or None if none. """
+    @abstractmethod
+    def get_manifest_label(self, manifest, label_uuid):
+        """ Returns the label with the specified UUID on the manifest or None if none. """
 
-  @abstractmethod
-  def delete_manifest_label(self, manifest, label_uuid):
-    """ Delete the label with the specified UUID on the manifest. Returns the label deleted
+    @abstractmethod
+    def delete_manifest_label(self, manifest, label_uuid):
+        """ Delete the label with the specified UUID on the manifest. Returns the label deleted
         or None if none.
     """
 
-  @abstractmethod
-  def lookup_cached_active_repository_tags(self, model_cache, repository_ref, start_pagination_id,
-                                           limit):
-    """
+    @abstractmethod
+    def lookup_cached_active_repository_tags(
+        self, model_cache, repository_ref, start_pagination_id, limit
+    ):
+        """
     Returns a page of active tags in a repository. Note that the tags returned by this method
     are ShallowTag objects, which only contain the tag name. This method will automatically cache
     the result and check the cache before making a call.
     """
 
-  @abstractmethod
-  def lookup_active_repository_tags(self, repository_ref, start_pagination_id, limit):
-    """
+    @abstractmethod
+    def lookup_active_repository_tags(self, repository_ref, start_pagination_id, limit):
+        """
     Returns a page of active tags in a repository. Note that the tags returned by this method
     are ShallowTag objects, which only contain the tag name.
     """
 
-  @abstractmethod
-  def list_all_active_repository_tags(self, repository_ref, include_legacy_images=False):
-    """
+    @abstractmethod
+    def list_all_active_repository_tags(
+        self, repository_ref, include_legacy_images=False
+    ):
+        """
     Returns a list of all the active tags in the repository. Note that this is a *HEAVY*
     operation on repositories with a lot of tags, and should only be used for testing or
     where other more specific operations are not possible.
     """
 
-  @abstractmethod
-  def list_repository_tag_history(self, repository_ref, page=1, size=100, specific_tag_name=None,
-                                  active_tags_only=False, since_time_ms=None):
-    """
+    @abstractmethod
+    def list_repository_tag_history(
+        self,
+        repository_ref,
+        page=1,
+        size=100,
+        specific_tag_name=None,
+        active_tags_only=False,
+        since_time_ms=None,
+    ):
+        """
     Returns the history of all tags in the repository (unless filtered). This includes tags that
     have been made in-active due to newer versions of those tags coming into service.
     """
 
-  @abstractmethod
-  def get_most_recent_tag_lifetime_start(self, repository_refs): 
-    """ 
+    @abstractmethod
+    def get_most_recent_tag_lifetime_start(self, repository_refs):
+        """ 
     Returns a map from repository ID to the last modified time ( seconds from epoch, UTC) 
     for each repository in the given repository reference list.
     """
 
-  @abstractmethod
-  def get_repo_tag(self, repository_ref, tag_name, include_legacy_image=False):
-    """
+    @abstractmethod
+    def get_repo_tag(self, repository_ref, tag_name, include_legacy_image=False):
+        """
     Returns the latest, *active* tag found in the repository, with the matching name
     or None if none.
     """
 
-  @abstractmethod
-  def has_expired_tag(self, repository_ref, tag_name):
-    """
+    @abstractmethod
+    def has_expired_tag(self, repository_ref, tag_name):
+        """
     Returns true if and only if the repository contains a tag with the given name that is expired.
     """
 
-  @abstractmethod
-  def retarget_tag(self, repository_ref, tag_name, manifest_or_legacy_image,
-                   storage, legacy_manifest_key, is_reversion=False):
-    """
+    @abstractmethod
+    def retarget_tag(
+        self,
+        repository_ref,
+        tag_name,
+        manifest_or_legacy_image,
+        storage,
+        legacy_manifest_key,
+        is_reversion=False,
+    ):
+        """
     Creates, updates or moves a tag to a new entry in history, pointing to the manifest or
     legacy image specified. If is_reversion is set to True, this operation is considered a
     reversion over a previous tag move operation. Returns the updated Tag or None on error.
     """
 
-  @abstractmethod
-  def delete_tag(self, repository_ref, tag_name):
-    """
+    @abstractmethod
+    def delete_tag(self, repository_ref, tag_name):
+        """
     Deletes the latest, *active* tag with the given name in the repository.
     """
 
-  @abstractmethod
-  def delete_tags_for_manifest(self, manifest):
-    """
+    @abstractmethod
+    def delete_tags_for_manifest(self, manifest):
+        """
     Deletes all tags pointing to the given manifest, making the manifest inaccessible for pulling.
     Returns the tags deleted, if any. Returns None on error.
     """
 
-  @abstractmethod
-  def change_repository_tag_expiration(self, tag, expiration_date):
-    """ Sets the expiration date of the tag under the matching repository to that given. If the
+    @abstractmethod
+    def change_repository_tag_expiration(self, tag, expiration_date):
+        """ Sets the expiration date of the tag under the matching repository to that given. If the
         expiration date is None, then the tag will not expire. Returns a tuple of the previous
         expiration timestamp in seconds (if any), and whether the operation succeeded.
     """
 
-  @abstractmethod
-  def get_legacy_images_owned_by_tag(self, tag):
-    """ Returns all legacy images *solely owned and used* by the given tag. """
+    @abstractmethod
+    def get_legacy_images_owned_by_tag(self, tag):
+        """ Returns all legacy images *solely owned and used* by the given tag. """
 
-  @abstractmethod
-  def get_security_status(self, manifest_or_legacy_image):
-    """ Returns the security status for the given manifest or legacy image or None if none. """
+    @abstractmethod
+    def get_security_status(self, manifest_or_legacy_image):
+        """ Returns the security status for the given manifest or legacy image or None if none. """
 
-  @abstractmethod
-  def reset_security_status(self, manifest_or_legacy_image):
-    """ Resets the security status for the given manifest or legacy image, ensuring that it will
+    @abstractmethod
+    def reset_security_status(self, manifest_or_legacy_image):
+        """ Resets the security status for the given manifest or legacy image, ensuring that it will
         get re-indexed.
     """
 
-  @abstractmethod
-  def backfill_manifest_for_tag(self, tag):
-    """ Backfills a manifest for the V1 tag specified.
+    @abstractmethod
+    def backfill_manifest_for_tag(self, tag):
+        """ Backfills a manifest for the V1 tag specified.
         If a manifest already exists for the tag, returns that manifest.
 
         NOTE: This method will only be necessary until we've completed the backfill, at which point
         it should be removed.
     """
 
-  @abstractmethod
-  def is_existing_disabled_namespace(self, namespace_name):
-    """ Returns whether the given namespace exists and is disabled. """
+    @abstractmethod
+    def is_existing_disabled_namespace(self, namespace_name):
+        """ Returns whether the given namespace exists and is disabled. """
 
-  @abstractmethod
-  def is_namespace_enabled(self, namespace_name):
-    """ Returns whether the given namespace exists and is enabled. """
+    @abstractmethod
+    def is_namespace_enabled(self, namespace_name):
+        """ Returns whether the given namespace exists and is enabled. """
 
-  @abstractmethod
-  def get_manifest_local_blobs(self, manifest, include_placements=False):
-    """ Returns the set of local blobs for the given manifest or None if none. """
+    @abstractmethod
+    def get_manifest_local_blobs(self, manifest, include_placements=False):
+        """ Returns the set of local blobs for the given manifest or None if none. """
 
-  @abstractmethod
-  def list_manifest_layers(self, manifest, storage, include_placements=False):
-    """ Returns an *ordered list* of the layers found in the manifest, starting at the base
+    @abstractmethod
+    def list_manifest_layers(self, manifest, storage, include_placements=False):
+        """ Returns an *ordered list* of the layers found in the manifest, starting at the base
         and working towards the leaf, including the associated Blob and its placements
         (if specified). The layer information in `layer_info` will be of type
         `image.docker.types.ManifestImageLayer`. Should not be called for a manifest list.
     """
 
-  @abstractmethod
-  def list_parsed_manifest_layers(self, repository_ref, parsed_manifest, storage,
-                                  include_placements=False):
-    """ Returns an *ordered list* of the layers found in the parsed manifest, starting at the base
+    @abstractmethod
+    def list_parsed_manifest_layers(
+        self, repository_ref, parsed_manifest, storage, include_placements=False
+    ):
+        """ Returns an *ordered list* of the layers found in the parsed manifest, starting at the base
         and working towards the leaf, including the associated Blob and its placements
         (if specified). The layer information in `layer_info` will be of type
         `image.docker.types.ManifestImageLayer`. Should not be called for a manifest list.
     """
 
-  @abstractmethod
-  def lookup_derived_image(self, manifest, verb, storage, varying_metadata=None,
-                           include_placements=False):
-    """
+    @abstractmethod
+    def lookup_derived_image(
+        self, manifest, verb, storage, varying_metadata=None, include_placements=False
+    ):
+        """
     Looks up the derived image for the given manifest, verb and optional varying metadata and
     returns it or None if none.
     """
 
-  @abstractmethod
-  def lookup_or_create_derived_image(self, manifest, verb, storage_location, storage,
-                                     varying_metadata=None, include_placements=False):
-    """
+    @abstractmethod
+    def lookup_or_create_derived_image(
+        self,
+        manifest,
+        verb,
+        storage_location,
+        storage,
+        varying_metadata=None,
+        include_placements=False,
+    ):
+        """
     Looks up the derived image for the given maniest, verb and optional varying metadata
     and returns it. If none exists, a new derived image is created.
     """
 
-  @abstractmethod
-  def get_derived_image_signature(self, derived_image, signer_name):
-    """
+    @abstractmethod
+    def get_derived_image_signature(self, derived_image, signer_name):
+        """
     Returns the signature associated with the derived image and a specific signer or None if none.
     """
 
-  @abstractmethod
-  def set_derived_image_signature(self, derived_image, signer_name, signature):
-    """
+    @abstractmethod
+    def set_derived_image_signature(self, derived_image, signer_name, signature):
+        """
     Sets the calculated signature for the given derived image and signer to that specified.
     """
 
-  @abstractmethod
-  def delete_derived_image(self, derived_image):
-    """
+    @abstractmethod
+    def delete_derived_image(self, derived_image):
+        """
     Deletes a derived image and all of its storage.
     """
 
-  @abstractmethod
-  def set_derived_image_size(self, derived_image, compressed_size):
-    """
+    @abstractmethod
+    def set_derived_image_size(self, derived_image, compressed_size):
+        """
     Sets the compressed size on the given derived image.
     """
 
-  @abstractmethod
-  def get_torrent_info(self, blob):
-    """
+    @abstractmethod
+    def get_torrent_info(self, blob):
+        """
     Returns the torrent information associated with the given blob or None if none.
     """
 
-  @abstractmethod
-  def set_torrent_info(self, blob, piece_length, pieces):
-    """
+    @abstractmethod
+    def set_torrent_info(self, blob, piece_length, pieces):
+        """
     Sets the torrent infomation associated with the given blob to that specified.
     """
 
-  @abstractmethod
-  def get_repo_blob_by_digest(self, repository_ref, blob_digest, include_placements=False):
-    """
+    @abstractmethod
+    def get_repo_blob_by_digest(
+        self, repository_ref, blob_digest, include_placements=False
+    ):
+        """
     Returns the blob in the repository with the given digest, if any or None if none. Note that
     there may be multiple records in the same repository for the same blob digest, so the return
     value of this function may change.
     """
 
-  @abstractmethod
-  def create_blob_upload(self, repository_ref, upload_id, location_name, storage_metadata):
-    """ Creates a new blob upload and returns a reference. If the blob upload could not be
+    @abstractmethod
+    def create_blob_upload(
+        self, repository_ref, upload_id, location_name, storage_metadata
+    ):
+        """ Creates a new blob upload and returns a reference. If the blob upload could not be
         created, returns None. """
 
-  @abstractmethod
-  def lookup_blob_upload(self, repository_ref, blob_upload_id):
-    """ Looks up the blob upload with the given ID under the specified repository and returns it
+    @abstractmethod
+    def lookup_blob_upload(self, repository_ref, blob_upload_id):
+        """ Looks up the blob upload with the given ID under the specified repository and returns it
         or None if none.
     """
 
-  @abstractmethod
-  def update_blob_upload(self, blob_upload, uncompressed_byte_count, piece_hashes, piece_sha_state,
-                         storage_metadata, byte_count, chunk_count, sha_state):
-    """ Updates the fields of the blob upload to match those given. Returns the updated blob upload
+    @abstractmethod
+    def update_blob_upload(
+        self,
+        blob_upload,
+        uncompressed_byte_count,
+        piece_hashes,
+        piece_sha_state,
+        storage_metadata,
+        byte_count,
+        chunk_count,
+        sha_state,
+    ):
+        """ Updates the fields of the blob upload to match those given. Returns the updated blob upload
         or None if the record does not exists.
     """
 
-  @abstractmethod
-  def delete_blob_upload(self, blob_upload):
-    """ Deletes a blob upload record. """
+    @abstractmethod
+    def delete_blob_upload(self, blob_upload):
+        """ Deletes a blob upload record. """
 
-  @abstractmethod
-  def commit_blob_upload(self, blob_upload, blob_digest_str, blob_expiration_seconds):
-    """ Commits the blob upload into a blob and sets an expiration before that blob will be GCed.
+    @abstractmethod
+    def commit_blob_upload(self, blob_upload, blob_digest_str, blob_expiration_seconds):
+        """ Commits the blob upload into a blob and sets an expiration before that blob will be GCed.
     """
 
-  @abstractmethod
-  def mount_blob_into_repository(self, blob, target_repository_ref, expiration_sec):
-    """
+    @abstractmethod
+    def mount_blob_into_repository(self, blob, target_repository_ref, expiration_sec):
+        """
     Mounts the blob from another repository into the specified target repository, and adds an
     expiration before that blob is automatically GCed. This function is useful during push
     operations if an existing blob from another repository is being pushed. Returns False if
@@ -346,39 +404,43 @@ class RegistryDataInterface(object):
     endpoints/v2/blob.py).
     """
 
-  @abstractmethod
-  def set_tags_expiration_for_manifest(self, manifest, expiration_sec):
-    """
+    @abstractmethod
+    def set_tags_expiration_for_manifest(self, manifest, expiration_sec):
+        """
     Sets the expiration on all tags that point to the given manifest to that specified.
     """
 
-  @abstractmethod
-  def get_schema1_parsed_manifest(self, manifest, namespace_name, repo_name, tag_name, storage):
-    """ Returns the schema 1 version of this manifest, or None if none. """
+    @abstractmethod
+    def get_schema1_parsed_manifest(
+        self, manifest, namespace_name, repo_name, tag_name, storage
+    ):
+        """ Returns the schema 1 version of this manifest, or None if none. """
 
-  @abstractmethod
-  def create_manifest_with_temp_tag(self, repository_ref, manifest_interface_instance,
-                                    expiration_sec, storage):
-    """ Creates a manifest under the repository and sets a temporary tag to point to it.
+    @abstractmethod
+    def create_manifest_with_temp_tag(
+        self, repository_ref, manifest_interface_instance, expiration_sec, storage
+    ):
+        """ Creates a manifest under the repository and sets a temporary tag to point to it.
         Returns the manifest object created or None on error.
     """
 
-  @abstractmethod
-  def get_cached_namespace_region_blacklist(self, model_cache, namespace_name):
-    """ Returns a cached set of ISO country codes blacklisted for pulls for the namespace
+    @abstractmethod
+    def get_cached_namespace_region_blacklist(self, model_cache, namespace_name):
+        """ Returns a cached set of ISO country codes blacklisted for pulls for the namespace
         or None if the list could not be loaded.
     """
 
-  @abstractmethod
-  def convert_manifest(self, manifest, namespace_name, repo_name, tag_name, allowed_mediatypes,
-                       storage):
-    """ Attempts to convert the specified into a parsed manifest with a media type
+    @abstractmethod
+    def convert_manifest(
+        self, manifest, namespace_name, repo_name, tag_name, allowed_mediatypes, storage
+    ):
+        """ Attempts to convert the specified into a parsed manifest with a media type
         in the allowed_mediatypes set. If not possible, or an error occurs, returns None.
     """
 
-  @abstractmethod
-  def yield_tags_for_vulnerability_notification(self, layer_id_pairs):
-    """ Yields tags that contain one (or more) of the given layer ID pairs, in repositories
+    @abstractmethod
+    def yield_tags_for_vulnerability_notification(self, layer_id_pairs):
+        """ Yields tags that contain one (or more) of the given layer ID pairs, in repositories
         which have been registered for vulnerability_found notifications. Returns an iterator
         of LikelyVulnerableTag instances.
     """
diff --git a/data/registry_model/label_handlers.py b/data/registry_model/label_handlers.py
index 96afe0d94..18190334c 100644
--- a/data/registry_model/label_handlers.py
+++ b/data/registry_model/label_handlers.py
@@ -4,25 +4,25 @@ from util.timedeltastring import convert_to_timedelta
 
 logger = logging.getLogger(__name__)
 
+
 def _expires_after(label_dict, manifest, model):
-  """ Sets the expiration of a manifest based on the quay.expires-in label. """
-  try:
-    timedelta = convert_to_timedelta(label_dict['value'])
-  except ValueError:
-    logger.exception('Could not convert %s to timedeltastring', label_dict['value'])
-    return
+    """ Sets the expiration of a manifest based on the quay.expires-in label. """
+    try:
+        timedelta = convert_to_timedelta(label_dict["value"])
+    except ValueError:
+        logger.exception("Could not convert %s to timedeltastring", label_dict["value"])
+        return
 
-  total_seconds = timedelta.total_seconds()
-  logger.debug('Labeling manifest %s with expiration of %s', manifest, total_seconds)
-  model.set_tags_expiration_for_manifest(manifest, total_seconds)
+    total_seconds = timedelta.total_seconds()
+    logger.debug("Labeling manifest %s with expiration of %s", manifest, total_seconds)
+    model.set_tags_expiration_for_manifest(manifest, total_seconds)
 
 
-_LABEL_HANDLERS = {
-  'quay.expires-after': _expires_after,
-}
+_LABEL_HANDLERS = {"quay.expires-after": _expires_after}
+
 
 def apply_label_to_manifest(label_dict, manifest, model):
-  """ Runs the handler defined, if any, for the given label. """
-  handler = _LABEL_HANDLERS.get(label_dict['key'])
-  if handler is not None:
-    handler(label_dict, manifest, model)
+    """ Runs the handler defined, if any, for the given label. """
+    handler = _LABEL_HANDLERS.get(label_dict["key"])
+    if handler is not None:
+        handler(label_dict, manifest, model)
diff --git a/data/registry_model/manifestbuilder.py b/data/registry_model/manifestbuilder.py
index 384ecb604..a704e65f7 100644
--- a/data/registry_model/manifestbuilder.py
+++ b/data/registry_model/manifestbuilder.py
@@ -13,208 +13,250 @@ from image.docker.schema2 import EMPTY_LAYER_BLOB_DIGEST
 
 logger = logging.getLogger(__name__)
 
-ManifestLayer = namedtuple('ManifestLayer', ['layer_id', 'v1_metadata_string', 'db_id'])
-_BuilderState = namedtuple('_BuilderState', ['builder_id', 'images', 'tags', 'checksums',
-                                             'temp_storages'])
+ManifestLayer = namedtuple("ManifestLayer", ["layer_id", "v1_metadata_string", "db_id"])
+_BuilderState = namedtuple(
+    "_BuilderState", ["builder_id", "images", "tags", "checksums", "temp_storages"]
+)
 
-_SESSION_KEY = '__manifestbuilder'
+_SESSION_KEY = "__manifestbuilder"
 
 
 def create_manifest_builder(repository_ref, storage, legacy_signing_key):
-  """ Creates a new manifest builder for populating manifests under the specified repository
+    """ Creates a new manifest builder for populating manifests under the specified repository
       and returns it. Returns None if the builder could not be constructed.
   """
-  builder_id = str(uuid.uuid4())
-  builder = _ManifestBuilder(repository_ref, _BuilderState(builder_id, {}, {}, {}, []), storage,
-                             legacy_signing_key)
-  builder._save_to_session()
-  return builder
+    builder_id = str(uuid.uuid4())
+    builder = _ManifestBuilder(
+        repository_ref,
+        _BuilderState(builder_id, {}, {}, {}, []),
+        storage,
+        legacy_signing_key,
+    )
+    builder._save_to_session()
+    return builder
 
 
 def lookup_manifest_builder(repository_ref, builder_id, storage, legacy_signing_key):
-  """ Looks up the manifest builder with the given ID under the specified repository and returns
+    """ Looks up the manifest builder with the given ID under the specified repository and returns
       it or None if none.
   """
-  builder_state_tuple = session.get(_SESSION_KEY)
-  if builder_state_tuple is None:
-    return None
+    builder_state_tuple = session.get(_SESSION_KEY)
+    if builder_state_tuple is None:
+        return None
 
-  builder_state = _BuilderState(*builder_state_tuple)
-  if builder_state.builder_id != builder_id:
-    return None
+    builder_state = _BuilderState(*builder_state_tuple)
+    if builder_state.builder_id != builder_id:
+        return None
 
-  return _ManifestBuilder(repository_ref, builder_state, storage, legacy_signing_key)
+    return _ManifestBuilder(repository_ref, builder_state, storage, legacy_signing_key)
 
 
 class _ManifestBuilder(object):
-  """ Helper class which provides an interface for bookkeeping the layers and configuration of
+    """ Helper class which provides an interface for bookkeeping the layers and configuration of
       manifests being constructed.
   """
-  def __init__(self, repository_ref, builder_state, storage, legacy_signing_key):
-    self._repository_ref = repository_ref
-    self._builder_state = builder_state
-    self._storage = storage
-    self._legacy_signing_key = legacy_signing_key
 
-  @property
-  def builder_id(self):
-    """ Returns the unique ID for this builder. """
-    return self._builder_state.builder_id
+    def __init__(self, repository_ref, builder_state, storage, legacy_signing_key):
+        self._repository_ref = repository_ref
+        self._builder_state = builder_state
+        self._storage = storage
+        self._legacy_signing_key = legacy_signing_key
 
-  @property
-  def committed_tags(self):
-    """ Returns the tags committed by this builder, if any. """
-    return [registry_model.get_repo_tag(self._repository_ref, tag_name, include_legacy_image=True)
-            for tag_name in self._builder_state.tags.keys()]
+    @property
+    def builder_id(self):
+        """ Returns the unique ID for this builder. """
+        return self._builder_state.builder_id
 
-  def start_layer(self, layer_id, v1_metadata_string, location_name, calling_user,
-                  temp_tag_expiration):
-    """ Starts a new layer with the given ID to be placed into a manifest. Returns the layer
+    @property
+    def committed_tags(self):
+        """ Returns the tags committed by this builder, if any. """
+        return [
+            registry_model.get_repo_tag(
+                self._repository_ref, tag_name, include_legacy_image=True
+            )
+            for tag_name in self._builder_state.tags.keys()
+        ]
+
+    def start_layer(
+        self,
+        layer_id,
+        v1_metadata_string,
+        location_name,
+        calling_user,
+        temp_tag_expiration,
+    ):
+        """ Starts a new layer with the given ID to be placed into a manifest. Returns the layer
         started or None if an error occurred.
     """
-    # Ensure the repository still exists.
-    repository = model.repository.lookup_repository(self._repository_ref._db_id)
-    if repository is None:
-      return None
+        # Ensure the repository still exists.
+        repository = model.repository.lookup_repository(self._repository_ref._db_id)
+        if repository is None:
+            return None
 
-    namespace_name = repository.namespace_user.username
-    repo_name = repository.name
+        namespace_name = repository.namespace_user.username
+        repo_name = repository.name
 
-    try:
-      v1_metadata = json.loads(v1_metadata_string)
-    except ValueError:
-      logger.exception('Exception when trying to parse V1 metadata JSON for layer %s', layer_id)
-      return None
-    except TypeError:
-      logger.exception('Exception when trying to parse V1 metadata JSON for layer %s', layer_id)
-      return None
+        try:
+            v1_metadata = json.loads(v1_metadata_string)
+        except ValueError:
+            logger.exception(
+                "Exception when trying to parse V1 metadata JSON for layer %s", layer_id
+            )
+            return None
+        except TypeError:
+            logger.exception(
+                "Exception when trying to parse V1 metadata JSON for layer %s", layer_id
+            )
+            return None
 
-    # Sanity check that the ID matches the v1 metadata.
-    if layer_id != v1_metadata['id']:
-      return None
+        # Sanity check that the ID matches the v1 metadata.
+        if layer_id != v1_metadata["id"]:
+            return None
 
-    # Ensure the parent already exists in the repository.
-    parent_id = v1_metadata.get('parent', None)
-    parent_image = None
+        # Ensure the parent already exists in the repository.
+        parent_id = v1_metadata.get("parent", None)
+        parent_image = None
 
-    if parent_id is not None:
-      parent_image = model.image.get_repo_image(namespace_name, repo_name, parent_id)
-      if parent_image is None:
-        return None
+        if parent_id is not None:
+            parent_image = model.image.get_repo_image(
+                namespace_name, repo_name, parent_id
+            )
+            if parent_image is None:
+                return None
 
-    # Check to see if this layer already exists in the repository. If so, we can skip the creation.
-    existing_image = registry_model.get_legacy_image(self._repository_ref, layer_id)
-    if existing_image is not None:
-      self._builder_state.images[layer_id] = existing_image.id
-      self._save_to_session()
-      return ManifestLayer(layer_id, v1_metadata_string, existing_image.id)
+        # Check to see if this layer already exists in the repository. If so, we can skip the creation.
+        existing_image = registry_model.get_legacy_image(self._repository_ref, layer_id)
+        if existing_image is not None:
+            self._builder_state.images[layer_id] = existing_image.id
+            self._save_to_session()
+            return ManifestLayer(layer_id, v1_metadata_string, existing_image.id)
 
-    with db_transaction():
-      # Otherwise, create a new legacy image and point a temporary tag at it.
-      created = model.image.find_create_or_link_image(layer_id, repository, calling_user, {},
-                                                      location_name)
-      model.tag.create_temporary_hidden_tag(repository, created, temp_tag_expiration)
+        with db_transaction():
+            # Otherwise, create a new legacy image and point a temporary tag at it.
+            created = model.image.find_create_or_link_image(
+                layer_id, repository, calling_user, {}, location_name
+            )
+            model.tag.create_temporary_hidden_tag(
+                repository, created, temp_tag_expiration
+            )
 
-      # Save its V1 metadata.
-      command_list = v1_metadata.get('container_config', {}).get('Cmd', None)
-      command = json.dumps(command_list) if command_list else None
+            # Save its V1 metadata.
+            command_list = v1_metadata.get("container_config", {}).get("Cmd", None)
+            command = json.dumps(command_list) if command_list else None
 
-      model.image.set_image_metadata(layer_id, namespace_name, repo_name,
-                                     v1_metadata.get('created'),
-                                     v1_metadata.get('comment'),
-                                     command, v1_metadata_string,
-                                     parent=parent_image)
+            model.image.set_image_metadata(
+                layer_id,
+                namespace_name,
+                repo_name,
+                v1_metadata.get("created"),
+                v1_metadata.get("comment"),
+                command,
+                v1_metadata_string,
+                parent=parent_image,
+            )
 
-    # Save the changes to the builder.
-    self._builder_state.images[layer_id] = created.id
-    self._save_to_session()
+        # Save the changes to the builder.
+        self._builder_state.images[layer_id] = created.id
+        self._save_to_session()
 
-    return ManifestLayer(layer_id, v1_metadata_string, created.id)
+        return ManifestLayer(layer_id, v1_metadata_string, created.id)
 
-  def lookup_layer(self, layer_id):
-    """ Returns a layer with the given ID under this builder. If none exists, returns None. """
-    if layer_id not in self._builder_state.images:
-      return None
+    def lookup_layer(self, layer_id):
+        """ Returns a layer with the given ID under this builder. If none exists, returns None. """
+        if layer_id not in self._builder_state.images:
+            return None
 
-    image = model.image.get_image_by_db_id(self._builder_state.images[layer_id])
-    if image is None:
-      return None
+        image = model.image.get_image_by_db_id(self._builder_state.images[layer_id])
+        if image is None:
+            return None
 
-    return ManifestLayer(layer_id, image.v1_json_metadata, image.id)
+        return ManifestLayer(layer_id, image.v1_json_metadata, image.id)
 
-  def assign_layer_blob(self, layer, blob, computed_checksums):
-    """ Assigns a blob to a layer. """
-    assert blob
-    assert not blob.uploading
+    def assign_layer_blob(self, layer, blob, computed_checksums):
+        """ Assigns a blob to a layer. """
+        assert blob
+        assert not blob.uploading
 
-    repo_image = model.image.get_image_by_db_id(layer.db_id)
-    if repo_image is None:
-      return None
+        repo_image = model.image.get_image_by_db_id(layer.db_id)
+        if repo_image is None:
+            return None
 
-    with db_transaction():
-      existing_storage = repo_image.storage
-      repo_image.storage = blob._db_id
-      repo_image.save()
+        with db_transaction():
+            existing_storage = repo_image.storage
+            repo_image.storage = blob._db_id
+            repo_image.save()
 
-      if existing_storage.uploading:
-        self._builder_state.temp_storages.append(existing_storage.id)
+            if existing_storage.uploading:
+                self._builder_state.temp_storages.append(existing_storage.id)
 
-    self._builder_state.checksums[layer.layer_id] = computed_checksums
-    self._save_to_session()
-    return True
+        self._builder_state.checksums[layer.layer_id] = computed_checksums
+        self._save_to_session()
+        return True
 
-  def validate_layer_checksum(self, layer, checksum):
-    """ Returns whether the checksum for a layer matches that specified.
+    def validate_layer_checksum(self, layer, checksum):
+        """ Returns whether the checksum for a layer matches that specified.
     """
-    return checksum in self.get_layer_checksums(layer)
+        return checksum in self.get_layer_checksums(layer)
 
-  def get_layer_checksums(self, layer):
-    """ Returns the registered defined for the layer, if any. """
-    return self._builder_state.checksums.get(layer.layer_id) or []
+    def get_layer_checksums(self, layer):
+        """ Returns the registered defined for the layer, if any. """
+        return self._builder_state.checksums.get(layer.layer_id) or []
 
-  def save_precomputed_checksum(self, layer, checksum):
-    """ Saves a precomputed checksum for a layer. """
-    checksums = self._builder_state.checksums.get(layer.layer_id) or []
-    checksums.append(checksum)
-    self._builder_state.checksums[layer.layer_id] = checksums
-    self._save_to_session()
+    def save_precomputed_checksum(self, layer, checksum):
+        """ Saves a precomputed checksum for a layer. """
+        checksums = self._builder_state.checksums.get(layer.layer_id) or []
+        checksums.append(checksum)
+        self._builder_state.checksums[layer.layer_id] = checksums
+        self._save_to_session()
 
-  def commit_tag_and_manifest(self, tag_name, layer):
-    """ Commits a new tag + manifest for that tag to the repository with the given name,
+    def commit_tag_and_manifest(self, tag_name, layer):
+        """ Commits a new tag + manifest for that tag to the repository with the given name,
         pointing to the given layer.
     """
-    legacy_image = registry_model.get_legacy_image(self._repository_ref, layer.layer_id)
-    if legacy_image is None:
-      return None
+        legacy_image = registry_model.get_legacy_image(
+            self._repository_ref, layer.layer_id
+        )
+        if legacy_image is None:
+            return None
 
-    tag = registry_model.retarget_tag(self._repository_ref, tag_name, legacy_image, self._storage,
-                                      self._legacy_signing_key)
-    if tag is None:
-      return None
+        tag = registry_model.retarget_tag(
+            self._repository_ref,
+            tag_name,
+            legacy_image,
+            self._storage,
+            self._legacy_signing_key,
+        )
+        if tag is None:
+            return None
 
-    self._builder_state.tags[tag_name] = tag._db_id
-    self._save_to_session()
-    return tag
+        self._builder_state.tags[tag_name] = tag._db_id
+        self._save_to_session()
+        return tag
 
-  def done(self):
-    """ Marks the manifest builder as complete and disposes of any state. This call is optional
+    def done(self):
+        """ Marks the manifest builder as complete and disposes of any state. This call is optional
         and it is expected manifest builders will eventually time out if unused for an
         extended period of time.
     """
-    temp_storages = self._builder_state.temp_storages
-    for storage_id in temp_storages:
-      try:
-        storage = ImageStorage.get(id=storage_id)
-        if storage.uploading and storage.content_checksum != EMPTY_LAYER_BLOB_DIGEST:
-          # Delete all the placements pointing to the storage.
-          ImageStoragePlacement.delete().where(ImageStoragePlacement.storage == storage).execute()
+        temp_storages = self._builder_state.temp_storages
+        for storage_id in temp_storages:
+            try:
+                storage = ImageStorage.get(id=storage_id)
+                if (
+                    storage.uploading
+                    and storage.content_checksum != EMPTY_LAYER_BLOB_DIGEST
+                ):
+                    # Delete all the placements pointing to the storage.
+                    ImageStoragePlacement.delete().where(
+                        ImageStoragePlacement.storage == storage
+                    ).execute()
 
-          # Delete the storage.
-          storage.delete_instance()
-      except ImageStorage.DoesNotExist:
-        pass
+                    # Delete the storage.
+                    storage.delete_instance()
+            except ImageStorage.DoesNotExist:
+                pass
 
-    session.pop(_SESSION_KEY, None)
+        session.pop(_SESSION_KEY, None)
 
-  def _save_to_session(self):
-    session[_SESSION_KEY] = self._builder_state
+    def _save_to_session(self):
+        session[_SESSION_KEY] = self._builder_state
diff --git a/data/registry_model/modelsplitter.py b/data/registry_model/modelsplitter.py
index 675a66928..f4864fed7 100644
--- a/data/registry_model/modelsplitter.py
+++ b/data/registry_model/modelsplitter.py
@@ -12,101 +12,129 @@ logger = logging.getLogger(__name__)
 
 
 class SplitModel(object):
-  def __init__(self, oci_model_proportion, oci_namespace_whitelist, v22_namespace_whitelist,
-               oci_only_mode):
-    self.v22_namespace_whitelist = set(v22_namespace_whitelist)
+    def __init__(
+        self,
+        oci_model_proportion,
+        oci_namespace_whitelist,
+        v22_namespace_whitelist,
+        oci_only_mode,
+    ):
+        self.v22_namespace_whitelist = set(v22_namespace_whitelist)
 
-    self.oci_namespace_whitelist = set(oci_namespace_whitelist)
-    self.oci_namespace_whitelist.update(v22_namespace_whitelist)
+        self.oci_namespace_whitelist = set(oci_namespace_whitelist)
+        self.oci_namespace_whitelist.update(v22_namespace_whitelist)
 
-    self.oci_model_proportion = oci_model_proportion
-    self.oci_only_mode = oci_only_mode
+        self.oci_model_proportion = oci_model_proportion
+        self.oci_only_mode = oci_only_mode
 
-  def supports_schema2(self, namespace_name):
-    """ Returns whether the implementation of the data interface supports schema 2 format
+    def supports_schema2(self, namespace_name):
+        """ Returns whether the implementation of the data interface supports schema 2 format
         manifests. """
-    return namespace_name in self.v22_namespace_whitelist
+        return namespace_name in self.v22_namespace_whitelist
 
-  def _namespace_from_kwargs(self, args_dict):
-    if 'namespace_name' in args_dict:
-      return args_dict['namespace_name']
+    def _namespace_from_kwargs(self, args_dict):
+        if "namespace_name" in args_dict:
+            return args_dict["namespace_name"]
 
-    if 'repository_ref' in args_dict:
-      return args_dict['repository_ref'].namespace_name
+        if "repository_ref" in args_dict:
+            return args_dict["repository_ref"].namespace_name
 
-    if 'tag' in args_dict:
-      return args_dict['tag'].repository.namespace_name
+        if "tag" in args_dict:
+            return args_dict["tag"].repository.namespace_name
 
-    if 'manifest' in args_dict:
-      manifest = args_dict['manifest']
-      if manifest._is_tag_manifest:
-        return TagManifest.get(id=manifest._db_id).tag.repository.namespace_user.username
-      else:
-        return Manifest.get(id=manifest._db_id).repository.namespace_user.username
+        if "manifest" in args_dict:
+            manifest = args_dict["manifest"]
+            if manifest._is_tag_manifest:
+                return TagManifest.get(
+                    id=manifest._db_id
+                ).tag.repository.namespace_user.username
+            else:
+                return Manifest.get(
+                    id=manifest._db_id
+                ).repository.namespace_user.username
 
-    if 'manifest_or_legacy_image' in args_dict:
-      manifest_or_legacy_image = args_dict['manifest_or_legacy_image']
-      if isinstance(manifest_or_legacy_image, LegacyImage):
-        return Image.get(id=manifest_or_legacy_image._db_id).repository.namespace_user.username
-      else:
-        manifest = manifest_or_legacy_image
-        if manifest._is_tag_manifest:
-          return TagManifest.get(id=manifest._db_id).tag.repository.namespace_user.username
-        else:
-          return Manifest.get(id=manifest._db_id).repository.namespace_user.username
+        if "manifest_or_legacy_image" in args_dict:
+            manifest_or_legacy_image = args_dict["manifest_or_legacy_image"]
+            if isinstance(manifest_or_legacy_image, LegacyImage):
+                return Image.get(
+                    id=manifest_or_legacy_image._db_id
+                ).repository.namespace_user.username
+            else:
+                manifest = manifest_or_legacy_image
+                if manifest._is_tag_manifest:
+                    return TagManifest.get(
+                        id=manifest._db_id
+                    ).tag.repository.namespace_user.username
+                else:
+                    return Manifest.get(
+                        id=manifest._db_id
+                    ).repository.namespace_user.username
 
-    if 'derived_image' in args_dict:
-      return (DerivedStorageForImage
-              .get(id=args_dict['derived_image']._db_id)
-              .source_image
-              .repository
-              .namespace_user
-              .username)
+        if "derived_image" in args_dict:
+            return DerivedStorageForImage.get(
+                id=args_dict["derived_image"]._db_id
+            ).source_image.repository.namespace_user.username
 
-    if 'blob' in args_dict:
-      return '' # Blob functions are shared, so no need to do anything.
+        if "blob" in args_dict:
+            return ""  # Blob functions are shared, so no need to do anything.
 
-    if 'blob_upload' in args_dict:
-      return '' # Blob functions are shared, so no need to do anything.
+        if "blob_upload" in args_dict:
+            return ""  # Blob functions are shared, so no need to do anything.
 
-    raise Exception('Unknown namespace for dict `%s`' % args_dict)
+        raise Exception("Unknown namespace for dict `%s`" % args_dict)
 
-  def __getattr__(self, attr):
-    def method(*args, **kwargs):
-      if self.oci_model_proportion >= 1.0:
-        if self.oci_only_mode:
-          logger.debug('Calling method `%s` under full OCI data model for all namespaces', attr)
-          return getattr(oci_model, attr)(*args, **kwargs)
-        else:
-          logger.debug('Calling method `%s` under compat OCI data model for all namespaces', attr)
-          return getattr(back_compat_oci_model, attr)(*args, **kwargs)
+    def __getattr__(self, attr):
+        def method(*args, **kwargs):
+            if self.oci_model_proportion >= 1.0:
+                if self.oci_only_mode:
+                    logger.debug(
+                        "Calling method `%s` under full OCI data model for all namespaces",
+                        attr,
+                    )
+                    return getattr(oci_model, attr)(*args, **kwargs)
+                else:
+                    logger.debug(
+                        "Calling method `%s` under compat OCI data model for all namespaces",
+                        attr,
+                    )
+                    return getattr(back_compat_oci_model, attr)(*args, **kwargs)
 
-      argnames = inspect.getargspec(getattr(back_compat_oci_model, attr))[0]
-      if not argnames and isinstance(args[0], ManifestDataType):
-        args_dict = dict(manifest=args[0])
-      else:
-        args_dict = {argnames[index + 1]: value for index, value in enumerate(args)}
+            argnames = inspect.getargspec(getattr(back_compat_oci_model, attr))[0]
+            if not argnames and isinstance(args[0], ManifestDataType):
+                args_dict = dict(manifest=args[0])
+            else:
+                args_dict = {
+                    argnames[index + 1]: value for index, value in enumerate(args)
+                }
 
-      if attr in ['yield_tags_for_vulnerability_notification', 'get_most_recent_tag_lifetime_start']:
-        use_oci = self.oci_model_proportion >= 1.0
-        namespace_name = '(implicit for ' + attr + ')'
-      else:
-        namespace_name = self._namespace_from_kwargs(args_dict)
-        use_oci = namespace_name in self.oci_namespace_whitelist
+            if attr in [
+                "yield_tags_for_vulnerability_notification",
+                "get_most_recent_tag_lifetime_start",
+            ]:
+                use_oci = self.oci_model_proportion >= 1.0
+                namespace_name = "(implicit for " + attr + ")"
+            else:
+                namespace_name = self._namespace_from_kwargs(args_dict)
+                use_oci = namespace_name in self.oci_namespace_whitelist
 
-        if not use_oci and self.oci_model_proportion:
-          # Hash the namespace name and see if it falls into the proportion bucket.
-          bucket = (int(hashlib.md5(namespace_name).hexdigest(), 16) % 100)
-          if bucket <= int(self.oci_model_proportion * 100):
-            logger.debug('Enabling OCI for namespace `%s` in proportional bucket',
-                         namespace_name)
-            use_oci = True
+                if not use_oci and self.oci_model_proportion:
+                    # Hash the namespace name and see if it falls into the proportion bucket.
+                    bucket = int(hashlib.md5(namespace_name).hexdigest(), 16) % 100
+                    if bucket <= int(self.oci_model_proportion * 100):
+                        logger.debug(
+                            "Enabling OCI for namespace `%s` in proportional bucket",
+                            namespace_name,
+                        )
+                        use_oci = True
 
-      if use_oci:
-        logger.debug('Calling method `%s` under OCI data model for namespace `%s`',
-                     attr, namespace_name)
-        return getattr(back_compat_oci_model, attr)(*args, **kwargs)
-      else:
-        return getattr(pre_oci_model, attr)(*args, **kwargs)
+            if use_oci:
+                logger.debug(
+                    "Calling method `%s` under OCI data model for namespace `%s`",
+                    attr,
+                    namespace_name,
+                )
+                return getattr(back_compat_oci_model, attr)(*args, **kwargs)
+            else:
+                return getattr(pre_oci_model, attr)(*args, **kwargs)
 
-    return method
+        return method
diff --git a/data/registry_model/registry_oci_model.py b/data/registry_model/registry_oci_model.py
index 8821a747b..1e3cf0f12 100644
--- a/data/registry_model/registry_oci_model.py
+++ b/data/registry_model/registry_oci_model.py
@@ -10,8 +10,16 @@ from data.model import oci, DataModelException
 from data.model.oci.retriever import RepositoryContentRetriever
 from data.database import db_transaction, Image, IMAGE_NOT_SCANNED_ENGINE_VERSION
 from data.registry_model.interface import RegistryDataInterface
-from data.registry_model.datatypes import (Tag, Manifest, LegacyImage, Label, SecurityScanStatus,
-                                           Blob, ShallowTag, LikelyVulnerableTag)
+from data.registry_model.datatypes import (
+    Tag,
+    Manifest,
+    LegacyImage,
+    Label,
+    SecurityScanStatus,
+    Blob,
+    ShallowTag,
+    LikelyVulnerableTag,
+)
 from data.registry_model.shared import SharedModel
 from data.registry_model.label_handlers import apply_label_to_manifest
 from image.docker import ManifestException
@@ -23,265 +31,346 @@ logger = logging.getLogger(__name__)
 
 
 class OCIModel(SharedModel, RegistryDataInterface):
-  """
+    """
   OCIModel implements the data model for the registry API using a database schema
   after it was changed to support the OCI specification.
   """
-  def __init__(self, oci_model_only=True):
-    self.oci_model_only = oci_model_only
 
-  def supports_schema2(self, namespace_name):
-    """ Returns whether the implementation of the data interface supports schema 2 format
+    def __init__(self, oci_model_only=True):
+        self.oci_model_only = oci_model_only
+
+    def supports_schema2(self, namespace_name):
+        """ Returns whether the implementation of the data interface supports schema 2 format
         manifests. """
-    return True
+        return True
 
-  def get_tag_legacy_image_id(self, repository_ref, tag_name, storage):
-    """ Returns the legacy image ID for the tag with a legacy images in
+    def get_tag_legacy_image_id(self, repository_ref, tag_name, storage):
+        """ Returns the legacy image ID for the tag with a legacy images in
         the repository. Returns None if None.
     """
-    tag = self.get_repo_tag(repository_ref, tag_name, include_legacy_image=True)
-    if tag is None:
-      return None
+        tag = self.get_repo_tag(repository_ref, tag_name, include_legacy_image=True)
+        if tag is None:
+            return None
 
-    if tag.legacy_image_if_present is not None:
-      return tag.legacy_image_if_present.docker_image_id
+        if tag.legacy_image_if_present is not None:
+            return tag.legacy_image_if_present.docker_image_id
 
-    if tag.manifest.media_type == DOCKER_SCHEMA2_MANIFESTLIST_CONTENT_TYPE:
-      # See if we can lookup a schema1 legacy image.
-      v1_compatible = self.get_schema1_parsed_manifest(tag.manifest, '', '', '', storage)
-      if v1_compatible is not None:
-        return v1_compatible.leaf_layer_v1_image_id
+        if tag.manifest.media_type == DOCKER_SCHEMA2_MANIFESTLIST_CONTENT_TYPE:
+            # See if we can lookup a schema1 legacy image.
+            v1_compatible = self.get_schema1_parsed_manifest(
+                tag.manifest, "", "", "", storage
+            )
+            if v1_compatible is not None:
+                return v1_compatible.leaf_layer_v1_image_id
 
-    return None
+        return None
 
-  def get_legacy_tags_map(self, repository_ref, storage):
-    """ Returns a map from tag name to its legacy image ID, for all tags with legacy images in
+    def get_legacy_tags_map(self, repository_ref, storage):
+        """ Returns a map from tag name to its legacy image ID, for all tags with legacy images in
         the repository. Note that this can be a *very* heavy operation.
     """
-    tags = oci.tag.list_alive_tags(repository_ref._db_id)
-    legacy_images_map = oci.tag.get_legacy_images_for_tags(tags)
+        tags = oci.tag.list_alive_tags(repository_ref._db_id)
+        legacy_images_map = oci.tag.get_legacy_images_for_tags(tags)
 
-    tags_map = {}
-    for tag in tags:
-      legacy_image = legacy_images_map.get(tag.id)
-      if legacy_image is not None:
-        tags_map[tag.name] = legacy_image.docker_image_id
-      else:
-        manifest = Manifest.for_manifest(tag.manifest, None)
-        if legacy_image is None and manifest.media_type == DOCKER_SCHEMA2_MANIFESTLIST_CONTENT_TYPE:
-          # See if we can lookup a schema1 legacy image.
-          v1_compatible = self.get_schema1_parsed_manifest(manifest, '', '', '', storage)
-          if v1_compatible is not None:
-            v1_id = v1_compatible.leaf_layer_v1_image_id
-            if v1_id is not None:
-              tags_map[tag.name] = v1_id
+        tags_map = {}
+        for tag in tags:
+            legacy_image = legacy_images_map.get(tag.id)
+            if legacy_image is not None:
+                tags_map[tag.name] = legacy_image.docker_image_id
+            else:
+                manifest = Manifest.for_manifest(tag.manifest, None)
+                if (
+                    legacy_image is None
+                    and manifest.media_type == DOCKER_SCHEMA2_MANIFESTLIST_CONTENT_TYPE
+                ):
+                    # See if we can lookup a schema1 legacy image.
+                    v1_compatible = self.get_schema1_parsed_manifest(
+                        manifest, "", "", "", storage
+                    )
+                    if v1_compatible is not None:
+                        v1_id = v1_compatible.leaf_layer_v1_image_id
+                        if v1_id is not None:
+                            tags_map[tag.name] = v1_id
 
-    return tags_map
+        return tags_map
 
-  def _get_legacy_compatible_image_for_manifest(self, manifest, storage):
-    # Check for a legacy image directly on the manifest.
-    if manifest.media_type != DOCKER_SCHEMA2_MANIFESTLIST_CONTENT_TYPE:
-      return oci.shared.get_legacy_image_for_manifest(manifest._db_id)
-    
-    # Otherwise, lookup a legacy image associated with the v1-compatible manifest
-    # in the list.
-    try:
-      manifest_obj = database.Manifest.get(id=manifest._db_id)
-    except database.Manifest.DoesNotExist:
-      logger.exception('Could not find manifest for manifest `%s`', manifest._db_id)
-      return None
+    def _get_legacy_compatible_image_for_manifest(self, manifest, storage):
+        # Check for a legacy image directly on the manifest.
+        if manifest.media_type != DOCKER_SCHEMA2_MANIFESTLIST_CONTENT_TYPE:
+            return oci.shared.get_legacy_image_for_manifest(manifest._db_id)
 
-    # See if we can lookup a schema1 legacy image.
-    v1_compatible = self.get_schema1_parsed_manifest(manifest, '', '', '', storage)
-    if v1_compatible is None:
-      return None
+        # Otherwise, lookup a legacy image associated with the v1-compatible manifest
+        # in the list.
+        try:
+            manifest_obj = database.Manifest.get(id=manifest._db_id)
+        except database.Manifest.DoesNotExist:
+            logger.exception(
+                "Could not find manifest for manifest `%s`", manifest._db_id
+            )
+            return None
 
-    v1_id = v1_compatible.leaf_layer_v1_image_id
-    if v1_id is None:
-      return None
+        # See if we can lookup a schema1 legacy image.
+        v1_compatible = self.get_schema1_parsed_manifest(manifest, "", "", "", storage)
+        if v1_compatible is None:
+            return None
 
-    return model.image.get_image(manifest_obj.repository_id, v1_id)
+        v1_id = v1_compatible.leaf_layer_v1_image_id
+        if v1_id is None:
+            return None
 
-  def find_matching_tag(self, repository_ref, tag_names):
-    """ Finds an alive tag in the repository matching one of the given tag names and returns it
+        return model.image.get_image(manifest_obj.repository_id, v1_id)
+
+    def find_matching_tag(self, repository_ref, tag_names):
+        """ Finds an alive tag in the repository matching one of the given tag names and returns it
         or None if none.
     """
-    found_tag = oci.tag.find_matching_tag(repository_ref._db_id, tag_names)
-    assert found_tag is None or not found_tag.hidden
-    return Tag.for_tag(found_tag)
+        found_tag = oci.tag.find_matching_tag(repository_ref._db_id, tag_names)
+        assert found_tag is None or not found_tag.hidden
+        return Tag.for_tag(found_tag)
 
-  def get_most_recent_tag(self, repository_ref):
-    """ Returns the most recently pushed alive tag in the repository, if any. If none, returns
+    def get_most_recent_tag(self, repository_ref):
+        """ Returns the most recently pushed alive tag in the repository, if any. If none, returns
         None.
     """
-    found_tag = oci.tag.get_most_recent_tag(repository_ref._db_id)
-    assert found_tag is None or not found_tag.hidden
-    return Tag.for_tag(found_tag)
+        found_tag = oci.tag.get_most_recent_tag(repository_ref._db_id)
+        assert found_tag is None or not found_tag.hidden
+        return Tag.for_tag(found_tag)
 
-  def get_manifest_for_tag(self, tag, backfill_if_necessary=False, include_legacy_image=False):
-    """ Returns the manifest associated with the given tag. """
-    legacy_image = None
-    if include_legacy_image:
-      legacy_image = oci.shared.get_legacy_image_for_manifest(tag._manifest)
+    def get_manifest_for_tag(
+        self, tag, backfill_if_necessary=False, include_legacy_image=False
+    ):
+        """ Returns the manifest associated with the given tag. """
+        legacy_image = None
+        if include_legacy_image:
+            legacy_image = oci.shared.get_legacy_image_for_manifest(tag._manifest)
 
-    return Manifest.for_manifest(tag._manifest, LegacyImage.for_image(legacy_image))
+        return Manifest.for_manifest(tag._manifest, LegacyImage.for_image(legacy_image))
 
-  def lookup_manifest_by_digest(self, repository_ref, manifest_digest, allow_dead=False,
-                                include_legacy_image=False, require_available=False):
-    """ Looks up the manifest with the given digest under the given repository and returns it
+    def lookup_manifest_by_digest(
+        self,
+        repository_ref,
+        manifest_digest,
+        allow_dead=False,
+        include_legacy_image=False,
+        require_available=False,
+    ):
+        """ Looks up the manifest with the given digest under the given repository and returns it
         or None if none. """
-    manifest = oci.manifest.lookup_manifest(repository_ref._db_id, manifest_digest,
-                                            allow_dead=allow_dead,
-                                            require_available=require_available)
-    if manifest is None:
-      return None
+        manifest = oci.manifest.lookup_manifest(
+            repository_ref._db_id,
+            manifest_digest,
+            allow_dead=allow_dead,
+            require_available=require_available,
+        )
+        if manifest is None:
+            return None
 
-    legacy_image = None
-    if include_legacy_image:
-      try:
-        legacy_image_id = database.ManifestLegacyImage.get(manifest=manifest).image.docker_image_id
-        legacy_image = self.get_legacy_image(repository_ref, legacy_image_id, include_parents=True)
-      except database.ManifestLegacyImage.DoesNotExist:
-        pass
+        legacy_image = None
+        if include_legacy_image:
+            try:
+                legacy_image_id = database.ManifestLegacyImage.get(
+                    manifest=manifest
+                ).image.docker_image_id
+                legacy_image = self.get_legacy_image(
+                    repository_ref, legacy_image_id, include_parents=True
+                )
+            except database.ManifestLegacyImage.DoesNotExist:
+                pass
 
-    return Manifest.for_manifest(manifest, legacy_image)
+        return Manifest.for_manifest(manifest, legacy_image)
 
-  def create_manifest_label(self, manifest, key, value, source_type_name, media_type_name=None):
-    """ Creates a label on the manifest with the given key and value. """
-    label_data = dict(key=key, value=value, source_type_name=source_type_name,
-                      media_type_name=media_type_name)
+    def create_manifest_label(
+        self, manifest, key, value, source_type_name, media_type_name=None
+    ):
+        """ Creates a label on the manifest with the given key and value. """
+        label_data = dict(
+            key=key,
+            value=value,
+            source_type_name=source_type_name,
+            media_type_name=media_type_name,
+        )
 
-    # Create the label itself.
-    label = oci.label.create_manifest_label(manifest._db_id, key, value, source_type_name,
-                                            media_type_name,
-                                            adjust_old_model=not self.oci_model_only)
-    if label is None:
-      return None
-
-    # Apply any changes to the manifest that the label prescribes.
-    apply_label_to_manifest(label_data, manifest, self)
-
-    return Label.for_label(label)
-
-  @contextmanager
-  def batch_create_manifest_labels(self, manifest):
-    """ Returns a context manager for batch creation of labels on a manifest.
-
-        Can raise InvalidLabelKeyException or InvalidMediaTypeException depending
-        on the validation errors.
-    """
-    labels_to_add = []
-    def add_label(key, value, source_type_name, media_type_name=None):
-      labels_to_add.append(dict(key=key, value=value, source_type_name=source_type_name,
-                                media_type_name=media_type_name))
-
-    yield add_label
-
-    # TODO: make this truly batch once we've fully transitioned to V2_2 and no longer need
-    # the mapping tables.
-    for label_data in labels_to_add:
-      with db_transaction():
         # Create the label itself.
-        oci.label.create_manifest_label(manifest._db_id, **label_data)
+        label = oci.label.create_manifest_label(
+            manifest._db_id,
+            key,
+            value,
+            source_type_name,
+            media_type_name,
+            adjust_old_model=not self.oci_model_only,
+        )
+        if label is None:
+            return None
 
         # Apply any changes to the manifest that the label prescribes.
         apply_label_to_manifest(label_data, manifest, self)
 
-  def list_manifest_labels(self, manifest, key_prefix=None):
-    """ Returns all labels found on the manifest. If specified, the key_prefix will filter the
+        return Label.for_label(label)
+
+    @contextmanager
+    def batch_create_manifest_labels(self, manifest):
+        """ Returns a context manager for batch creation of labels on a manifest.
+
+        Can raise InvalidLabelKeyException or InvalidMediaTypeException depending
+        on the validation errors.
+    """
+        labels_to_add = []
+
+        def add_label(key, value, source_type_name, media_type_name=None):
+            labels_to_add.append(
+                dict(
+                    key=key,
+                    value=value,
+                    source_type_name=source_type_name,
+                    media_type_name=media_type_name,
+                )
+            )
+
+        yield add_label
+
+        # TODO: make this truly batch once we've fully transitioned to V2_2 and no longer need
+        # the mapping tables.
+        for label_data in labels_to_add:
+            with db_transaction():
+                # Create the label itself.
+                oci.label.create_manifest_label(manifest._db_id, **label_data)
+
+                # Apply any changes to the manifest that the label prescribes.
+                apply_label_to_manifest(label_data, manifest, self)
+
+    def list_manifest_labels(self, manifest, key_prefix=None):
+        """ Returns all labels found on the manifest. If specified, the key_prefix will filter the
         labels returned to those keys that start with the given prefix.
     """
-    labels = oci.label.list_manifest_labels(manifest._db_id, prefix_filter=key_prefix)
-    return [Label.for_label(l) for l in labels]
+        labels = oci.label.list_manifest_labels(
+            manifest._db_id, prefix_filter=key_prefix
+        )
+        return [Label.for_label(l) for l in labels]
 
-  def get_manifest_label(self, manifest, label_uuid):
-    """ Returns the label with the specified UUID on the manifest or None if none. """
-    return Label.for_label(oci.label.get_manifest_label(label_uuid, manifest._db_id))
+    def get_manifest_label(self, manifest, label_uuid):
+        """ Returns the label with the specified UUID on the manifest or None if none. """
+        return Label.for_label(
+            oci.label.get_manifest_label(label_uuid, manifest._db_id)
+        )
 
-  def delete_manifest_label(self, manifest, label_uuid):
-    """ Delete the label with the specified UUID on the manifest. Returns the label deleted
+    def delete_manifest_label(self, manifest, label_uuid):
+        """ Delete the label with the specified UUID on the manifest. Returns the label deleted
         or None if none.
     """
-    return Label.for_label(oci.label.delete_manifest_label(label_uuid, manifest._db_id))
+        return Label.for_label(
+            oci.label.delete_manifest_label(label_uuid, manifest._db_id)
+        )
 
-  def lookup_active_repository_tags(self, repository_ref, start_pagination_id, limit):
-    """
+    def lookup_active_repository_tags(self, repository_ref, start_pagination_id, limit):
+        """
     Returns a page of actvie tags in a repository. Note that the tags returned by this method
     are ShallowTag objects, which only contain the tag name.
     """
-    tags = oci.tag.lookup_alive_tags_shallow(repository_ref._db_id, start_pagination_id, limit)
-    return [ShallowTag.for_tag(tag) for tag in tags]
+        tags = oci.tag.lookup_alive_tags_shallow(
+            repository_ref._db_id, start_pagination_id, limit
+        )
+        return [ShallowTag.for_tag(tag) for tag in tags]
 
-  def list_all_active_repository_tags(self, repository_ref, include_legacy_images=False):
-    """
+    def list_all_active_repository_tags(
+        self, repository_ref, include_legacy_images=False
+    ):
+        """
     Returns a list of all the active tags in the repository. Note that this is a *HEAVY*
     operation on repositories with a lot of tags, and should only be used for testing or
     where other more specific operations are not possible.
     """
-    tags = list(oci.tag.list_alive_tags(repository_ref._db_id))
-    legacy_images_map = {}
-    if include_legacy_images:
-      legacy_images_map = oci.tag.get_legacy_images_for_tags(tags)
+        tags = list(oci.tag.list_alive_tags(repository_ref._db_id))
+        legacy_images_map = {}
+        if include_legacy_images:
+            legacy_images_map = oci.tag.get_legacy_images_for_tags(tags)
 
-    return [Tag.for_tag(tag, legacy_image=LegacyImage.for_image(legacy_images_map.get(tag.id)))
-            for tag in tags]
+        return [
+            Tag.for_tag(
+                tag, legacy_image=LegacyImage.for_image(legacy_images_map.get(tag.id))
+            )
+            for tag in tags
+        ]
 
-  def list_repository_tag_history(self, repository_ref, page=1, size=100, specific_tag_name=None,
-                                  active_tags_only=False, since_time_ms=None):
-    """
+    def list_repository_tag_history(
+        self,
+        repository_ref,
+        page=1,
+        size=100,
+        specific_tag_name=None,
+        active_tags_only=False,
+        since_time_ms=None,
+    ):
+        """
     Returns the history of all tags in the repository (unless filtered). This includes tags that
     have been made in-active due to newer versions of those tags coming into service.
     """
-    tags, has_more = oci.tag.list_repository_tag_history(repository_ref._db_id,
-                                                         page, size,
-                                                         specific_tag_name,
-                                                         active_tags_only,
-                                                         since_time_ms)
+        tags, has_more = oci.tag.list_repository_tag_history(
+            repository_ref._db_id,
+            page,
+            size,
+            specific_tag_name,
+            active_tags_only,
+            since_time_ms,
+        )
 
-    # TODO: do we need legacy images here?
-    legacy_images_map = oci.tag.get_legacy_images_for_tags(tags)
-    return [Tag.for_tag(tag, LegacyImage.for_image(legacy_images_map.get(tag.id))) for tag in tags], has_more
+        # TODO: do we need legacy images here?
+        legacy_images_map = oci.tag.get_legacy_images_for_tags(tags)
+        return (
+            [
+                Tag.for_tag(tag, LegacyImage.for_image(legacy_images_map.get(tag.id)))
+                for tag in tags
+            ],
+            has_more,
+        )
 
-  def has_expired_tag(self, repository_ref, tag_name):
-    """
+    def has_expired_tag(self, repository_ref, tag_name):
+        """
     Returns true if and only if the repository contains a tag with the given name that is expired.
     """
-    return bool(oci.tag.get_expired_tag(repository_ref._db_id, tag_name))
+        return bool(oci.tag.get_expired_tag(repository_ref._db_id, tag_name))
 
-  def get_most_recent_tag_lifetime_start(self, repository_refs): 
-    """ 
+    def get_most_recent_tag_lifetime_start(self, repository_refs):
+        """ 
     Returns a map from repository ID to the last modified time (in s) for each repository in the
     given repository reference list.
     """
-    if not repository_refs:
-      return {}
+        if not repository_refs:
+            return {}
 
-    toSeconds = lambda ms: ms / 1000 if ms is not None else None
-    last_modified = oci.tag.get_most_recent_tag_lifetime_start([r.id for r in repository_refs])
+        toSeconds = lambda ms: ms / 1000 if ms is not None else None
+        last_modified = oci.tag.get_most_recent_tag_lifetime_start(
+            [r.id for r in repository_refs]
+        )
 
-    return {repo_id: toSeconds(ms) for repo_id, ms in last_modified.items()}
+        return {repo_id: toSeconds(ms) for repo_id, ms in last_modified.items()}
 
-  def get_repo_tag(self, repository_ref, tag_name, include_legacy_image=False):
-    """
+    def get_repo_tag(self, repository_ref, tag_name, include_legacy_image=False):
+        """
     Returns the latest, *active* tag found in the repository, with the matching name
     or None if none.
     """
-    assert isinstance(tag_name, basestring)
+        assert isinstance(tag_name, basestring)
 
-    tag = oci.tag.get_tag(repository_ref._db_id, tag_name)
-    if tag is None:
-      return None
+        tag = oci.tag.get_tag(repository_ref._db_id, tag_name)
+        if tag is None:
+            return None
 
-    legacy_image = None
-    if include_legacy_image:
-      legacy_images = oci.tag.get_legacy_images_for_tags([tag])
-      legacy_image = legacy_images.get(tag.id)
+        legacy_image = None
+        if include_legacy_image:
+            legacy_images = oci.tag.get_legacy_images_for_tags([tag])
+            legacy_image = legacy_images.get(tag.id)
 
-    return Tag.for_tag(tag, legacy_image=LegacyImage.for_image(legacy_image))
+        return Tag.for_tag(tag, legacy_image=LegacyImage.for_image(legacy_image))
 
-  def create_manifest_and_retarget_tag(self, repository_ref, manifest_interface_instance, tag_name,
-                                       storage, raise_on_error=False):
-    """ Creates a manifest in a repository, adding all of the necessary data in the model.
+    def create_manifest_and_retarget_tag(
+        self,
+        repository_ref,
+        manifest_interface_instance,
+        tag_name,
+        storage,
+        raise_on_error=False,
+    ):
+        """ Creates a manifest in a repository, adding all of the necessary data in the model.
 
         The `manifest_interface_instance` parameter must be an instance of the manifest
         interface as returned by the image/docker package.
@@ -293,376 +382,463 @@ class OCIModel(SharedModel, RegistryDataInterface):
         raise_on_error is set to True, in which case a CreateManifestException may also be
         raised.
     """
-    # Get or create the manifest itself.
-    created_manifest = oci.manifest.get_or_create_manifest(repository_ref._db_id,
-                                                           manifest_interface_instance,
-                                                           storage,
-                                                           for_tagging=True,
-                                                           raise_on_error=raise_on_error)
-    if created_manifest is None:
-      return (None, None)
+        # Get or create the manifest itself.
+        created_manifest = oci.manifest.get_or_create_manifest(
+            repository_ref._db_id,
+            manifest_interface_instance,
+            storage,
+            for_tagging=True,
+            raise_on_error=raise_on_error,
+        )
+        if created_manifest is None:
+            return (None, None)
 
-    # Re-target the tag to it.
-    tag = oci.tag.retarget_tag(tag_name, created_manifest.manifest,
-                               adjust_old_model=not self.oci_model_only)
-    if tag is None:
-      return (None, None)
+        # Re-target the tag to it.
+        tag = oci.tag.retarget_tag(
+            tag_name,
+            created_manifest.manifest,
+            adjust_old_model=not self.oci_model_only,
+        )
+        if tag is None:
+            return (None, None)
 
-    legacy_image = oci.shared.get_legacy_image_for_manifest(created_manifest.manifest)
-    li = LegacyImage.for_image(legacy_image)
-    wrapped_manifest = Manifest.for_manifest(created_manifest.manifest, li)
+        legacy_image = oci.shared.get_legacy_image_for_manifest(
+            created_manifest.manifest
+        )
+        li = LegacyImage.for_image(legacy_image)
+        wrapped_manifest = Manifest.for_manifest(created_manifest.manifest, li)
 
-    # Apply any labels that should modify the created tag.
-    if created_manifest.labels_to_apply:
-      for key, value in created_manifest.labels_to_apply.iteritems():
-        apply_label_to_manifest(dict(key=key, value=value), wrapped_manifest, self)
+        # Apply any labels that should modify the created tag.
+        if created_manifest.labels_to_apply:
+            for key, value in created_manifest.labels_to_apply.iteritems():
+                apply_label_to_manifest(
+                    dict(key=key, value=value), wrapped_manifest, self
+                )
 
-      # Reload the tag in case any updates were applied.
-      tag = database.Tag.get(id=tag.id)
+            # Reload the tag in case any updates were applied.
+            tag = database.Tag.get(id=tag.id)
 
-    return (wrapped_manifest, Tag.for_tag(tag, li))
+        return (wrapped_manifest, Tag.for_tag(tag, li))
 
-  def retarget_tag(self, repository_ref, tag_name, manifest_or_legacy_image, storage,
-                   legacy_manifest_key, is_reversion=False):
-    """
+    def retarget_tag(
+        self,
+        repository_ref,
+        tag_name,
+        manifest_or_legacy_image,
+        storage,
+        legacy_manifest_key,
+        is_reversion=False,
+    ):
+        """
     Creates, updates or moves a tag to a new entry in history, pointing to the manifest or
     legacy image specified. If is_reversion is set to True, this operation is considered a
     reversion over a previous tag move operation. Returns the updated Tag or None on error.
     """
-    assert legacy_manifest_key is not None
-    manifest_id = manifest_or_legacy_image._db_id
-    if isinstance(manifest_or_legacy_image, LegacyImage):
-      # If a legacy image was required, build a new manifest for it and move the tag to that.
-      try:
-        image_row = database.Image.get(id=manifest_or_legacy_image._db_id)
-      except database.Image.DoesNotExist:
-        return None
+        assert legacy_manifest_key is not None
+        manifest_id = manifest_or_legacy_image._db_id
+        if isinstance(manifest_or_legacy_image, LegacyImage):
+            # If a legacy image was required, build a new manifest for it and move the tag to that.
+            try:
+                image_row = database.Image.get(id=manifest_or_legacy_image._db_id)
+            except database.Image.DoesNotExist:
+                return None
 
-      manifest_instance = self._build_manifest_for_legacy_image(tag_name, image_row)
-      if manifest_instance is None:
-        return None
+            manifest_instance = self._build_manifest_for_legacy_image(
+                tag_name, image_row
+            )
+            if manifest_instance is None:
+                return None
 
-      created = oci.manifest.get_or_create_manifest(repository_ref._db_id, manifest_instance,
-                                                    storage)
-      if created is None:
-        return None
+            created = oci.manifest.get_or_create_manifest(
+                repository_ref._db_id, manifest_instance, storage
+            )
+            if created is None:
+                return None
 
-      manifest_id = created.manifest.id
-    else:
-      # If the manifest is a schema 1 manifest and its tag name does not match that
-      # specified, then we need to create a new manifest, but with that tag name.
-      if manifest_or_legacy_image.media_type in DOCKER_SCHEMA1_CONTENT_TYPES:
-        try:
-          parsed = manifest_or_legacy_image.get_parsed_manifest()
-        except ManifestException:
-          logger.exception('Could not parse manifest `%s` in retarget_tag',
-                           manifest_or_legacy_image._db_id)
-          return None
+            manifest_id = created.manifest.id
+        else:
+            # If the manifest is a schema 1 manifest and its tag name does not match that
+            # specified, then we need to create a new manifest, but with that tag name.
+            if manifest_or_legacy_image.media_type in DOCKER_SCHEMA1_CONTENT_TYPES:
+                try:
+                    parsed = manifest_or_legacy_image.get_parsed_manifest()
+                except ManifestException:
+                    logger.exception(
+                        "Could not parse manifest `%s` in retarget_tag",
+                        manifest_or_legacy_image._db_id,
+                    )
+                    return None
 
-        if parsed.tag != tag_name:
-          logger.debug('Rewriting manifest `%s` for tag named `%s`',
-                       manifest_or_legacy_image._db_id, tag_name)
+                if parsed.tag != tag_name:
+                    logger.debug(
+                        "Rewriting manifest `%s` for tag named `%s`",
+                        manifest_or_legacy_image._db_id,
+                        tag_name,
+                    )
 
-          repository_id = repository_ref._db_id
-          updated = parsed.with_tag_name(tag_name, legacy_manifest_key)
-          assert updated.is_signed
+                    repository_id = repository_ref._db_id
+                    updated = parsed.with_tag_name(tag_name, legacy_manifest_key)
+                    assert updated.is_signed
 
-          created = oci.manifest.get_or_create_manifest(repository_id, updated, storage)
-          if created is None:
-            return None
+                    created = oci.manifest.get_or_create_manifest(
+                        repository_id, updated, storage
+                    )
+                    if created is None:
+                        return None
 
-          manifest_id = created.manifest.id
+                    manifest_id = created.manifest.id
 
-    tag = oci.tag.retarget_tag(tag_name, manifest_id, is_reversion=is_reversion)
-    legacy_image = LegacyImage.for_image(oci.shared.get_legacy_image_for_manifest(manifest_id))
-    return Tag.for_tag(tag, legacy_image)
+        tag = oci.tag.retarget_tag(tag_name, manifest_id, is_reversion=is_reversion)
+        legacy_image = LegacyImage.for_image(
+            oci.shared.get_legacy_image_for_manifest(manifest_id)
+        )
+        return Tag.for_tag(tag, legacy_image)
 
-  def delete_tag(self, repository_ref, tag_name):
-    """
+    def delete_tag(self, repository_ref, tag_name):
+        """
     Deletes the latest, *active* tag with the given name in the repository.
     """
-    deleted_tag = oci.tag.delete_tag(repository_ref._db_id, tag_name)
-    if deleted_tag is None:
-      # TODO: This is only needed because preoci raises an exception. Remove and fix
-      # expected status codes once PreOCIModel is gone.
-      msg = ('Invalid repository tag \'%s\' on repository' % tag_name)
-      raise DataModelException(msg)
+        deleted_tag = oci.tag.delete_tag(repository_ref._db_id, tag_name)
+        if deleted_tag is None:
+            # TODO: This is only needed because preoci raises an exception. Remove and fix
+            # expected status codes once PreOCIModel is gone.
+            msg = "Invalid repository tag '%s' on repository" % tag_name
+            raise DataModelException(msg)
 
-    return Tag.for_tag(deleted_tag)
+        return Tag.for_tag(deleted_tag)
 
-  def delete_tags_for_manifest(self, manifest):
-    """
+    def delete_tags_for_manifest(self, manifest):
+        """
     Deletes all tags pointing to the given manifest, making the manifest inaccessible for pulling.
     Returns the tags deleted, if any. Returns None on error.
     """
-    deleted_tags = oci.tag.delete_tags_for_manifest(manifest._db_id)
-    return [Tag.for_tag(tag) for tag in deleted_tags]
+        deleted_tags = oci.tag.delete_tags_for_manifest(manifest._db_id)
+        return [Tag.for_tag(tag) for tag in deleted_tags]
 
-  def change_repository_tag_expiration(self, tag, expiration_date):
-    """ Sets the expiration date of the tag under the matching repository to that given. If the
+    def change_repository_tag_expiration(self, tag, expiration_date):
+        """ Sets the expiration date of the tag under the matching repository to that given. If the
         expiration date is None, then the tag will not expire. Returns a tuple of the previous
         expiration timestamp in seconds (if any), and whether the operation succeeded.
     """
-    return oci.tag.change_tag_expiration(tag._db_id, expiration_date)
+        return oci.tag.change_tag_expiration(tag._db_id, expiration_date)
 
-  def get_legacy_images_owned_by_tag(self, tag):
-    """ Returns all legacy images *solely owned and used* by the given tag. """
-    tag_obj = oci.tag.get_tag_by_id(tag._db_id)
-    if tag_obj is None:
-      return None
+    def get_legacy_images_owned_by_tag(self, tag):
+        """ Returns all legacy images *solely owned and used* by the given tag. """
+        tag_obj = oci.tag.get_tag_by_id(tag._db_id)
+        if tag_obj is None:
+            return None
 
-    tags = oci.tag.list_alive_tags(tag_obj.repository_id)
-    legacy_images = oci.tag.get_legacy_images_for_tags(tags)
+        tags = oci.tag.list_alive_tags(tag_obj.repository_id)
+        legacy_images = oci.tag.get_legacy_images_for_tags(tags)
 
-    tag_legacy_image = legacy_images.get(tag._db_id)
-    if tag_legacy_image is None:
-      return None
+        tag_legacy_image = legacy_images.get(tag._db_id)
+        if tag_legacy_image is None:
+            return None
 
-    assert isinstance(tag_legacy_image, Image)
+        assert isinstance(tag_legacy_image, Image)
 
-    # Collect the IDs of all images that the tag uses.
-    tag_image_ids = set()
-    tag_image_ids.add(tag_legacy_image.id)
-    tag_image_ids.update(tag_legacy_image.ancestor_id_list())
+        # Collect the IDs of all images that the tag uses.
+        tag_image_ids = set()
+        tag_image_ids.add(tag_legacy_image.id)
+        tag_image_ids.update(tag_legacy_image.ancestor_id_list())
 
-    # Remove any images shared by other tags.
-    for current in tags:
-      if current == tag_obj:
-        continue
+        # Remove any images shared by other tags.
+        for current in tags:
+            if current == tag_obj:
+                continue
 
-      current_image = legacy_images.get(current.id)
-      if current_image is None:
-        continue
+            current_image = legacy_images.get(current.id)
+            if current_image is None:
+                continue
 
-      tag_image_ids.discard(current_image.id)
-      tag_image_ids = tag_image_ids.difference(current_image.ancestor_id_list())
-      if not tag_image_ids:
-        return []
+            tag_image_ids.discard(current_image.id)
+            tag_image_ids = tag_image_ids.difference(current_image.ancestor_id_list())
+            if not tag_image_ids:
+                return []
 
-    if not tag_image_ids:
-      return []
+        if not tag_image_ids:
+            return []
 
-    # Load the images we need to return.
-    images = database.Image.select().where(database.Image.id << list(tag_image_ids))
-    all_image_ids = set()
-    for image in images:
-      all_image_ids.add(image.id)
-      all_image_ids.update(image.ancestor_id_list())
+        # Load the images we need to return.
+        images = database.Image.select().where(database.Image.id << list(tag_image_ids))
+        all_image_ids = set()
+        for image in images:
+            all_image_ids.add(image.id)
+            all_image_ids.update(image.ancestor_id_list())
 
-    # Build a map of all the images and their parents.
-    images_map = {}
-    all_images = database.Image.select().where(database.Image.id << list(all_image_ids))
-    for image in all_images:
-      images_map[image.id] = image
+        # Build a map of all the images and their parents.
+        images_map = {}
+        all_images = database.Image.select().where(
+            database.Image.id << list(all_image_ids)
+        )
+        for image in all_images:
+            images_map[image.id] = image
 
-    return [LegacyImage.for_image(image, images_map=images_map) for image in images]
+        return [LegacyImage.for_image(image, images_map=images_map) for image in images]
 
-  def get_security_status(self, manifest_or_legacy_image):
-    """ Returns the security status for the given manifest or legacy image or None if none. """
-    image = None
+    def get_security_status(self, manifest_or_legacy_image):
+        """ Returns the security status for the given manifest or legacy image or None if none. """
+        image = None
 
-    if isinstance(manifest_or_legacy_image, Manifest):
-      image = oci.shared.get_legacy_image_for_manifest(manifest_or_legacy_image._db_id)
-      if image is None:
-        return SecurityScanStatus.UNSUPPORTED
-    else:
-      try:
-        image = database.Image.get(id=manifest_or_legacy_image._db_id)
-      except database.Image.DoesNotExist:
-        return None
+        if isinstance(manifest_or_legacy_image, Manifest):
+            image = oci.shared.get_legacy_image_for_manifest(
+                manifest_or_legacy_image._db_id
+            )
+            if image is None:
+                return SecurityScanStatus.UNSUPPORTED
+        else:
+            try:
+                image = database.Image.get(id=manifest_or_legacy_image._db_id)
+            except database.Image.DoesNotExist:
+                return None
 
-    if image.security_indexed_engine is not None and image.security_indexed_engine >= 0:
-      return SecurityScanStatus.SCANNED if image.security_indexed else SecurityScanStatus.FAILED
+        if (
+            image.security_indexed_engine is not None
+            and image.security_indexed_engine >= 0
+        ):
+            return (
+                SecurityScanStatus.SCANNED
+                if image.security_indexed
+                else SecurityScanStatus.FAILED
+            )
 
-    return SecurityScanStatus.QUEUED
+        return SecurityScanStatus.QUEUED
 
-  def reset_security_status(self, manifest_or_legacy_image):
-    """ Resets the security status for the given manifest or legacy image, ensuring that it will
+    def reset_security_status(self, manifest_or_legacy_image):
+        """ Resets the security status for the given manifest or legacy image, ensuring that it will
         get re-indexed.
     """
-    image = None
+        image = None
 
-    if isinstance(manifest_or_legacy_image, Manifest):
-      image = oci.shared.get_legacy_image_for_manifest(manifest_or_legacy_image._db_id)
-      if image is None:
-        return None
-    else:
-      try:
-        image = database.Image.get(id=manifest_or_legacy_image._db_id)
-      except database.Image.DoesNotExist:
-        return None
+        if isinstance(manifest_or_legacy_image, Manifest):
+            image = oci.shared.get_legacy_image_for_manifest(
+                manifest_or_legacy_image._db_id
+            )
+            if image is None:
+                return None
+        else:
+            try:
+                image = database.Image.get(id=manifest_or_legacy_image._db_id)
+            except database.Image.DoesNotExist:
+                return None
 
-    assert image
-    image.security_indexed = False
-    image.security_indexed_engine = IMAGE_NOT_SCANNED_ENGINE_VERSION
-    image.save()
+        assert image
+        image.security_indexed = False
+        image.security_indexed_engine = IMAGE_NOT_SCANNED_ENGINE_VERSION
+        image.save()
 
-  def backfill_manifest_for_tag(self, tag):
-    """ Backfills a manifest for the V1 tag specified.
+    def backfill_manifest_for_tag(self, tag):
+        """ Backfills a manifest for the V1 tag specified.
         If a manifest already exists for the tag, returns that manifest.
 
         NOTE: This method will only be necessary until we've completed the backfill, at which point
         it should be removed.
     """
-    # Nothing to do for OCI tags.
-    manifest = tag.manifest
-    if manifest is None:
-      return None
+        # Nothing to do for OCI tags.
+        manifest = tag.manifest
+        if manifest is None:
+            return None
 
-    legacy_image = oci.shared.get_legacy_image_for_manifest(manifest)
-    return Manifest.for_manifest(manifest, LegacyImage.for_image(legacy_image))
+        legacy_image = oci.shared.get_legacy_image_for_manifest(manifest)
+        return Manifest.for_manifest(manifest, LegacyImage.for_image(legacy_image))
 
-  def list_manifest_layers(self, manifest, storage, include_placements=False):
-    try:
-      manifest_obj = database.Manifest.get(id=manifest._db_id)
-    except database.Manifest.DoesNotExist:
-      logger.exception('Could not find manifest for manifest `%s`', manifest._db_id)
-      return None
+    def list_manifest_layers(self, manifest, storage, include_placements=False):
+        try:
+            manifest_obj = database.Manifest.get(id=manifest._db_id)
+        except database.Manifest.DoesNotExist:
+            logger.exception(
+                "Could not find manifest for manifest `%s`", manifest._db_id
+            )
+            return None
 
-    try:
-      parsed = manifest.get_parsed_manifest()
-    except ManifestException:
-      logger.exception('Could not parse and validate manifest `%s`', manifest._db_id)
-      return None
+        try:
+            parsed = manifest.get_parsed_manifest()
+        except ManifestException:
+            logger.exception(
+                "Could not parse and validate manifest `%s`", manifest._db_id
+            )
+            return None
 
-    return self._list_manifest_layers(manifest_obj.repository_id, parsed, storage,
-                                      include_placements, by_manifest=True)
+        return self._list_manifest_layers(
+            manifest_obj.repository_id,
+            parsed,
+            storage,
+            include_placements,
+            by_manifest=True,
+        )
 
-  def lookup_derived_image(self, manifest, verb, storage, varying_metadata=None,
-                           include_placements=False):
-    """
+    def lookup_derived_image(
+        self, manifest, verb, storage, varying_metadata=None, include_placements=False
+    ):
+        """
     Looks up the derived image for the given manifest, verb and optional varying metadata and
     returns it or None if none.
     """
-    legacy_image = self._get_legacy_compatible_image_for_manifest(manifest, storage)
-    if legacy_image is None:
-      return None
+        legacy_image = self._get_legacy_compatible_image_for_manifest(manifest, storage)
+        if legacy_image is None:
+            return None
 
-    derived = model.image.find_derived_storage_for_image(legacy_image, verb, varying_metadata)
-    return self._build_derived(derived, verb, varying_metadata, include_placements)
+        derived = model.image.find_derived_storage_for_image(
+            legacy_image, verb, varying_metadata
+        )
+        return self._build_derived(derived, verb, varying_metadata, include_placements)
 
-  def lookup_or_create_derived_image(self, manifest, verb, storage_location, storage,
-                                    varying_metadata=None,
-                                     include_placements=False):
-    """
+    def lookup_or_create_derived_image(
+        self,
+        manifest,
+        verb,
+        storage_location,
+        storage,
+        varying_metadata=None,
+        include_placements=False,
+    ):
+        """
     Looks up the derived image for the given maniest, verb and optional varying metadata
     and returns it. If none exists, a new derived image is created.
     """
-    legacy_image = self._get_legacy_compatible_image_for_manifest(manifest, storage)
-    if legacy_image is None:
-      return None
+        legacy_image = self._get_legacy_compatible_image_for_manifest(manifest, storage)
+        if legacy_image is None:
+            return None
 
-    derived = model.image.find_or_create_derived_storage(legacy_image, verb, storage_location,
-                                                         varying_metadata)
-    return self._build_derived(derived, verb, varying_metadata, include_placements)
+        derived = model.image.find_or_create_derived_storage(
+            legacy_image, verb, storage_location, varying_metadata
+        )
+        return self._build_derived(derived, verb, varying_metadata, include_placements)
 
-  def set_tags_expiration_for_manifest(self, manifest, expiration_sec):
-    """
+    def set_tags_expiration_for_manifest(self, manifest, expiration_sec):
+        """
     Sets the expiration on all tags that point to the given manifest to that specified.
     """
-    oci.tag.set_tag_expiration_sec_for_manifest(manifest._db_id, expiration_sec)
+        oci.tag.set_tag_expiration_sec_for_manifest(manifest._db_id, expiration_sec)
 
-  def get_schema1_parsed_manifest(self, manifest, namespace_name, repo_name, tag_name, storage):
-    """ Returns the schema 1 manifest for this manifest, or None if none. """
-    try:
-      parsed = manifest.get_parsed_manifest()
-    except ManifestException:
-      return None
+    def get_schema1_parsed_manifest(
+        self, manifest, namespace_name, repo_name, tag_name, storage
+    ):
+        """ Returns the schema 1 manifest for this manifest, or None if none. """
+        try:
+            parsed = manifest.get_parsed_manifest()
+        except ManifestException:
+            return None
 
-    try:
-      manifest_row = database.Manifest.get(id=manifest._db_id)
-    except database.Manifest.DoesNotExist:
-      return None
+        try:
+            manifest_row = database.Manifest.get(id=manifest._db_id)
+        except database.Manifest.DoesNotExist:
+            return None
 
-    retriever = RepositoryContentRetriever(manifest_row.repository_id, storage)
-    return parsed.get_schema1_manifest(namespace_name, repo_name, tag_name, retriever)
+        retriever = RepositoryContentRetriever(manifest_row.repository_id, storage)
+        return parsed.get_schema1_manifest(
+            namespace_name, repo_name, tag_name, retriever
+        )
 
-  def convert_manifest(self, manifest, namespace_name, repo_name, tag_name, allowed_mediatypes,
-                       storage):
-    try:
-      parsed = manifest.get_parsed_manifest()
-    except ManifestException:
-      return None
+    def convert_manifest(
+        self, manifest, namespace_name, repo_name, tag_name, allowed_mediatypes, storage
+    ):
+        try:
+            parsed = manifest.get_parsed_manifest()
+        except ManifestException:
+            return None
 
-    try:
-      manifest_row = database.Manifest.get(id=manifest._db_id)
-    except database.Manifest.DoesNotExist:
-      return None
+        try:
+            manifest_row = database.Manifest.get(id=manifest._db_id)
+        except database.Manifest.DoesNotExist:
+            return None
 
-    retriever = RepositoryContentRetriever(manifest_row.repository_id, storage)
-    return parsed.convert_manifest(allowed_mediatypes, namespace_name, repo_name, tag_name,
-                                   retriever)
+        retriever = RepositoryContentRetriever(manifest_row.repository_id, storage)
+        return parsed.convert_manifest(
+            allowed_mediatypes, namespace_name, repo_name, tag_name, retriever
+        )
 
-  def create_manifest_with_temp_tag(self, repository_ref, manifest_interface_instance,
-                                    expiration_sec, storage):
-    """ Creates a manifest under the repository and sets a temporary tag to point to it.
+    def create_manifest_with_temp_tag(
+        self, repository_ref, manifest_interface_instance, expiration_sec, storage
+    ):
+        """ Creates a manifest under the repository and sets a temporary tag to point to it.
         Returns the manifest object created or None on error.
     """
-    # Get or create the manifest itself. get_or_create_manifest will take care of the
-    # temporary tag work.
-    created_manifest = oci.manifest.get_or_create_manifest(repository_ref._db_id,
-                                                           manifest_interface_instance,
-                                                           storage,
-                                                           temp_tag_expiration_sec=expiration_sec)
-    if created_manifest is None:
-      return None
+        # Get or create the manifest itself. get_or_create_manifest will take care of the
+        # temporary tag work.
+        created_manifest = oci.manifest.get_or_create_manifest(
+            repository_ref._db_id,
+            manifest_interface_instance,
+            storage,
+            temp_tag_expiration_sec=expiration_sec,
+        )
+        if created_manifest is None:
+            return None
 
-    legacy_image = oci.shared.get_legacy_image_for_manifest(created_manifest.manifest)
-    li = LegacyImage.for_image(legacy_image)
-    return Manifest.for_manifest(created_manifest.manifest, li)
+        legacy_image = oci.shared.get_legacy_image_for_manifest(
+            created_manifest.manifest
+        )
+        li = LegacyImage.for_image(legacy_image)
+        return Manifest.for_manifest(created_manifest.manifest, li)
 
-  def get_repo_blob_by_digest(self, repository_ref, blob_digest, include_placements=False):
-    """
+    def get_repo_blob_by_digest(
+        self, repository_ref, blob_digest, include_placements=False
+    ):
+        """
     Returns the blob in the repository with the given digest, if any or None if none. Note that
     there may be multiple records in the same repository for the same blob digest, so the return
     value of this function may change.
     """
-    image_storage = self._get_shared_storage(blob_digest)
-    if image_storage is None:
-      image_storage = oci.blob.get_repository_blob_by_digest(repository_ref._db_id, blob_digest)
-      if image_storage is None:
-        return None
+        image_storage = self._get_shared_storage(blob_digest)
+        if image_storage is None:
+            image_storage = oci.blob.get_repository_blob_by_digest(
+                repository_ref._db_id, blob_digest
+            )
+            if image_storage is None:
+                return None
 
-      assert image_storage.cas_path is not None
+            assert image_storage.cas_path is not None
 
-    placements = None
-    if include_placements:
-      placements = list(model.storage.get_storage_locations(image_storage.uuid))
+        placements = None
+        if include_placements:
+            placements = list(model.storage.get_storage_locations(image_storage.uuid))
 
-    return Blob.for_image_storage(image_storage,
-                                  storage_path=model.storage.get_layer_path(image_storage),
-                                  placements=placements)
+        return Blob.for_image_storage(
+            image_storage,
+            storage_path=model.storage.get_layer_path(image_storage),
+            placements=placements,
+        )
 
-  def list_parsed_manifest_layers(self, repository_ref, parsed_manifest, storage,
-                                  include_placements=False):
-    """ Returns an *ordered list* of the layers found in the parsed manifest, starting at the base
+    def list_parsed_manifest_layers(
+        self, repository_ref, parsed_manifest, storage, include_placements=False
+    ):
+        """ Returns an *ordered list* of the layers found in the parsed manifest, starting at the base
         and working towards the leaf, including the associated Blob and its placements
         (if specified).
     """
-    return self._list_manifest_layers(repository_ref._db_id, parsed_manifest, storage,
-                                      include_placements=include_placements,
-                                      by_manifest=True)
+        return self._list_manifest_layers(
+            repository_ref._db_id,
+            parsed_manifest,
+            storage,
+            include_placements=include_placements,
+            by_manifest=True,
+        )
 
-  def get_manifest_local_blobs(self, manifest, include_placements=False):
-    """ Returns the set of local blobs for the given manifest or None if none. """
-    try:
-      manifest_row = database.Manifest.get(id=manifest._db_id)
-    except database.Manifest.DoesNotExist:
-      return None
+    def get_manifest_local_blobs(self, manifest, include_placements=False):
+        """ Returns the set of local blobs for the given manifest or None if none. """
+        try:
+            manifest_row = database.Manifest.get(id=manifest._db_id)
+        except database.Manifest.DoesNotExist:
+            return None
 
-    return self._get_manifest_local_blobs(manifest, manifest_row.repository_id, include_placements,
-                                          by_manifest=True)
+        return self._get_manifest_local_blobs(
+            manifest, manifest_row.repository_id, include_placements, by_manifest=True
+        )
 
-  def yield_tags_for_vulnerability_notification(self, layer_id_pairs):
-    """ Yields tags that contain one (or more) of the given layer ID pairs, in repositories
+    def yield_tags_for_vulnerability_notification(self, layer_id_pairs):
+        """ Yields tags that contain one (or more) of the given layer ID pairs, in repositories
         which have been registered for vulnerability_found notifications. Returns an iterator
         of LikelyVulnerableTag instances.
     """
-    for docker_image_id, storage_uuid in layer_id_pairs:
-      tags = oci.tag.lookup_notifiable_tags_for_legacy_image(docker_image_id, storage_uuid,
-                                                             'vulnerability_found')
-      for tag in tags:
-        yield LikelyVulnerableTag.for_tag(tag, tag.repository, docker_image_id, storage_uuid)
+        for docker_image_id, storage_uuid in layer_id_pairs:
+            tags = oci.tag.lookup_notifiable_tags_for_legacy_image(
+                docker_image_id, storage_uuid, "vulnerability_found"
+            )
+            for tag in tags:
+                yield LikelyVulnerableTag.for_tag(
+                    tag, tag.repository, docker_image_id, storage_uuid
+                )
+
 
 oci_model = OCIModel()
 back_compat_oci_model = OCIModel(oci_model_only=False)
diff --git a/data/registry_model/registry_pre_oci_model.py b/data/registry_model/registry_pre_oci_model.py
index ec69328d5..798455a43 100644
--- a/data/registry_model/registry_pre_oci_model.py
+++ b/data/registry_model/registry_pre_oci_model.py
@@ -9,9 +9,17 @@ from data import database
 from data import model
 from data.database import db_transaction, IMAGE_NOT_SCANNED_ENGINE_VERSION
 from data.registry_model.interface import RegistryDataInterface
-from data.registry_model.datatypes import (Tag, Manifest, LegacyImage, Label, SecurityScanStatus,
-                                           Blob, RepositoryReference, ShallowTag,
-                                           LikelyVulnerableTag)
+from data.registry_model.datatypes import (
+    Tag,
+    Manifest,
+    LegacyImage,
+    Label,
+    SecurityScanStatus,
+    Blob,
+    RepositoryReference,
+    ShallowTag,
+    LikelyVulnerableTag,
+)
 from data.registry_model.shared import SharedModel
 from data.registry_model.label_handlers import apply_label_to_manifest
 from image.docker.schema1 import ManifestException, DockerSchema1Manifest
@@ -22,86 +30,108 @@ logger = logging.getLogger(__name__)
 
 
 class PreOCIModel(SharedModel, RegistryDataInterface):
-  """
+    """
   PreOCIModel implements the data model for the registry API using a database schema
   before it was changed to support the OCI specification.
   """
-  def supports_schema2(self, namespace_name):
-    """ Returns whether the implementation of the data interface supports schema 2 format
-        manifests. """
-    return False
 
-  def get_tag_legacy_image_id(self, repository_ref, tag_name, storage):
-    """ Returns the legacy image ID for the tag with a legacy images in
+    def supports_schema2(self, namespace_name):
+        """ Returns whether the implementation of the data interface supports schema 2 format
+        manifests. """
+        return False
+
+    def get_tag_legacy_image_id(self, repository_ref, tag_name, storage):
+        """ Returns the legacy image ID for the tag with a legacy images in
         the repository. Returns None if None.
     """
-    tag = self.get_repo_tag(repository_ref, tag_name, include_legacy_image=True)
-    if tag is None:
-      return None
+        tag = self.get_repo_tag(repository_ref, tag_name, include_legacy_image=True)
+        if tag is None:
+            return None
 
-    return tag.legacy_image.docker_image_id
+        return tag.legacy_image.docker_image_id
 
-  def get_legacy_tags_map(self, repository_ref, storage):
-    """ Returns a map from tag name to its legacy image, for all tags with legacy images in
+    def get_legacy_tags_map(self, repository_ref, storage):
+        """ Returns a map from tag name to its legacy image, for all tags with legacy images in
         the repository.
     """
-    tags = self.list_all_active_repository_tags(repository_ref, include_legacy_images=True)
-    return {tag.name: tag.legacy_image.docker_image_id for tag in tags}
+        tags = self.list_all_active_repository_tags(
+            repository_ref, include_legacy_images=True
+        )
+        return {tag.name: tag.legacy_image.docker_image_id for tag in tags}
 
-  def find_matching_tag(self, repository_ref, tag_names):
-    """ Finds an alive tag in the repository matching one of the given tag names and returns it
+    def find_matching_tag(self, repository_ref, tag_names):
+        """ Finds an alive tag in the repository matching one of the given tag names and returns it
         or None if none.
     """
-    found_tag = model.tag.find_matching_tag(repository_ref._db_id, tag_names)
-    assert found_tag is None or not found_tag.hidden
-    return Tag.for_repository_tag(found_tag)
+        found_tag = model.tag.find_matching_tag(repository_ref._db_id, tag_names)
+        assert found_tag is None or not found_tag.hidden
+        return Tag.for_repository_tag(found_tag)
 
-  def get_most_recent_tag(self, repository_ref):
-    """ Returns the most recently pushed alive tag in the repository, if any. If none, returns
+    def get_most_recent_tag(self, repository_ref):
+        """ Returns the most recently pushed alive tag in the repository, if any. If none, returns
         None.
     """
-    found_tag = model.tag.get_most_recent_tag(repository_ref._db_id)
-    assert found_tag is None or not found_tag.hidden
-    return Tag.for_repository_tag(found_tag)
+        found_tag = model.tag.get_most_recent_tag(repository_ref._db_id)
+        assert found_tag is None or not found_tag.hidden
+        return Tag.for_repository_tag(found_tag)
 
-  def get_manifest_for_tag(self, tag, backfill_if_necessary=False, include_legacy_image=False):
-    """ Returns the manifest associated with the given tag. """
-    try:
-      tag_manifest = database.TagManifest.get(tag_id=tag._db_id)
-    except database.TagManifest.DoesNotExist:
-      if backfill_if_necessary:
-        return self.backfill_manifest_for_tag(tag)
+    def get_manifest_for_tag(
+        self, tag, backfill_if_necessary=False, include_legacy_image=False
+    ):
+        """ Returns the manifest associated with the given tag. """
+        try:
+            tag_manifest = database.TagManifest.get(tag_id=tag._db_id)
+        except database.TagManifest.DoesNotExist:
+            if backfill_if_necessary:
+                return self.backfill_manifest_for_tag(tag)
 
-      return None
+            return None
 
-    return Manifest.for_tag_manifest(tag_manifest)
+        return Manifest.for_tag_manifest(tag_manifest)
 
-  def lookup_manifest_by_digest(self, repository_ref, manifest_digest, allow_dead=False,
-                                include_legacy_image=False, require_available=False):
-    """ Looks up the manifest with the given digest under the given repository and returns it
+    def lookup_manifest_by_digest(
+        self,
+        repository_ref,
+        manifest_digest,
+        allow_dead=False,
+        include_legacy_image=False,
+        require_available=False,
+    ):
+        """ Looks up the manifest with the given digest under the given repository and returns it
         or None if none. """
-    repo = model.repository.lookup_repository(repository_ref._db_id)
-    if repo is None:
-      return None
+        repo = model.repository.lookup_repository(repository_ref._db_id)
+        if repo is None:
+            return None
 
-    try:
-      tag_manifest = model.tag.load_manifest_by_digest(repo.namespace_user.username,
-                                                       repo.name,
-                                                       manifest_digest,
-                                                       allow_dead=allow_dead)
-    except model.tag.InvalidManifestException:
-      return None
+        try:
+            tag_manifest = model.tag.load_manifest_by_digest(
+                repo.namespace_user.username,
+                repo.name,
+                manifest_digest,
+                allow_dead=allow_dead,
+            )
+        except model.tag.InvalidManifestException:
+            return None
 
-    legacy_image = None
-    if include_legacy_image:
-      legacy_image = self.get_legacy_image(repository_ref, tag_manifest.tag.image.docker_image_id,
-                                           include_parents=True)
+        legacy_image = None
+        if include_legacy_image:
+            legacy_image = self.get_legacy_image(
+                repository_ref,
+                tag_manifest.tag.image.docker_image_id,
+                include_parents=True,
+            )
 
-    return Manifest.for_tag_manifest(tag_manifest, legacy_image)
+        return Manifest.for_tag_manifest(tag_manifest, legacy_image)
 
-  def create_manifest_and_retarget_tag(self, repository_ref, manifest_interface_instance, tag_name,
-                                       storage, raise_on_error=False):
-    """ Creates a manifest in a repository, adding all of the necessary data in the model.
+    def create_manifest_and_retarget_tag(
+        self,
+        repository_ref,
+        manifest_interface_instance,
+        tag_name,
+        storage,
+        raise_on_error=False,
+    ):
+        """ Creates a manifest in a repository, adding all of the necessary data in the model.
 
         The `manifest_interface_instance` parameter must be an instance of the manifest
         interface as returned by the image/docker package.
@@ -111,584 +141,726 @@ class PreOCIModel(SharedModel, RegistryDataInterface):
 
         Returns a reference to the (created manifest, tag) or (None, None) on error.
     """
-    # NOTE: Only Schema1 is supported by the pre_oci_model.
-    assert isinstance(manifest_interface_instance, DockerSchema1Manifest)
-    if not manifest_interface_instance.layers:
-      return None, None
+        # NOTE: Only Schema1 is supported by the pre_oci_model.
+        assert isinstance(manifest_interface_instance, DockerSchema1Manifest)
+        if not manifest_interface_instance.layers:
+            return None, None
 
-    # Ensure all the blobs in the manifest exist.
-    digests = manifest_interface_instance.checksums
-    query = self._lookup_repo_storages_by_content_checksum(repository_ref._db_id, digests)
-    blob_map = {s.content_checksum: s for s in query}
-    for layer in manifest_interface_instance.layers:
-      digest_str = str(layer.digest)
-      if digest_str not in blob_map:
-        return None, None
-
-    # Lookup all the images and their parent images (if any) inside the manifest.
-    # This will let us know which v1 images we need to synthesize and which ones are invalid.
-    docker_image_ids = list(manifest_interface_instance.legacy_image_ids)
-    images_query = model.image.lookup_repository_images(repository_ref._db_id, docker_image_ids)
-    image_storage_map = {i.docker_image_id: i.storage for i in images_query}
-
-    # Rewrite any v1 image IDs that do not match the checksum in the database.
-    try:
-      rewritten_images = manifest_interface_instance.rewrite_invalid_image_ids(image_storage_map)
-      rewritten_images = list(rewritten_images)
-      parent_image_map = {}
-
-      for rewritten_image in rewritten_images:
-        if not rewritten_image.image_id in image_storage_map:
-          parent_image = None
-          if rewritten_image.parent_image_id:
-            parent_image = parent_image_map.get(rewritten_image.parent_image_id)
-            if parent_image is None:
-              parent_image = model.image.get_image(repository_ref._db_id,
-                                                   rewritten_image.parent_image_id)
-              if parent_image is None:
+        # Ensure all the blobs in the manifest exist.
+        digests = manifest_interface_instance.checksums
+        query = self._lookup_repo_storages_by_content_checksum(
+            repository_ref._db_id, digests
+        )
+        blob_map = {s.content_checksum: s for s in query}
+        for layer in manifest_interface_instance.layers:
+            digest_str = str(layer.digest)
+            if digest_str not in blob_map:
                 return None, None
 
-          synthesized = model.image.synthesize_v1_image(
+        # Lookup all the images and their parent images (if any) inside the manifest.
+        # This will let us know which v1 images we need to synthesize and which ones are invalid.
+        docker_image_ids = list(manifest_interface_instance.legacy_image_ids)
+        images_query = model.image.lookup_repository_images(
+            repository_ref._db_id, docker_image_ids
+        )
+        image_storage_map = {i.docker_image_id: i.storage for i in images_query}
+
+        # Rewrite any v1 image IDs that do not match the checksum in the database.
+        try:
+            rewritten_images = manifest_interface_instance.rewrite_invalid_image_ids(
+                image_storage_map
+            )
+            rewritten_images = list(rewritten_images)
+            parent_image_map = {}
+
+            for rewritten_image in rewritten_images:
+                if not rewritten_image.image_id in image_storage_map:
+                    parent_image = None
+                    if rewritten_image.parent_image_id:
+                        parent_image = parent_image_map.get(
+                            rewritten_image.parent_image_id
+                        )
+                        if parent_image is None:
+                            parent_image = model.image.get_image(
+                                repository_ref._db_id, rewritten_image.parent_image_id
+                            )
+                            if parent_image is None:
+                                return None, None
+
+                    synthesized = model.image.synthesize_v1_image(
+                        repository_ref._db_id,
+                        blob_map[rewritten_image.content_checksum].id,
+                        blob_map[rewritten_image.content_checksum].image_size,
+                        rewritten_image.image_id,
+                        rewritten_image.created,
+                        rewritten_image.comment,
+                        rewritten_image.command,
+                        rewritten_image.compat_json,
+                        parent_image,
+                    )
+
+                    parent_image_map[rewritten_image.image_id] = synthesized
+        except ManifestException:
+            logger.exception("exception when rewriting v1 metadata")
+            return None, None
+
+        # Store the manifest pointing to the tag.
+        leaf_layer_id = rewritten_images[-1].image_id
+        tag_manifest, newly_created = model.tag.store_tag_manifest_for_repo(
             repository_ref._db_id,
-            blob_map[rewritten_image.content_checksum].id,
-            blob_map[rewritten_image.content_checksum].image_size,
-            rewritten_image.image_id,
-            rewritten_image.created,
-            rewritten_image.comment,
-            rewritten_image.command,
-            rewritten_image.compat_json,
-            parent_image,
-          )
+            tag_name,
+            manifest_interface_instance,
+            leaf_layer_id,
+            blob_map,
+        )
 
-          parent_image_map[rewritten_image.image_id] = synthesized
-    except ManifestException:
-      logger.exception("exception when rewriting v1 metadata")
-      return None, None
+        manifest = Manifest.for_tag_manifest(tag_manifest)
 
-    # Store the manifest pointing to the tag.
-    leaf_layer_id = rewritten_images[-1].image_id
-    tag_manifest, newly_created = model.tag.store_tag_manifest_for_repo(repository_ref._db_id,
-                                                                        tag_name,
-                                                                        manifest_interface_instance,
-                                                                        leaf_layer_id,
-                                                                        blob_map)
+        # Save the labels on the manifest.
+        repo_tag = tag_manifest.tag
+        if newly_created:
+            has_labels = False
+            with self.batch_create_manifest_labels(manifest) as add_label:
+                if add_label is None:
+                    return None, None
 
-    manifest = Manifest.for_tag_manifest(tag_manifest)
+                for key, value in manifest_interface_instance.layers[
+                    -1
+                ].v1_metadata.labels.iteritems():
+                    media_type = "application/json" if is_json(value) else "text/plain"
+                    add_label(key, value, "manifest", media_type)
+                    has_labels = True
 
-    # Save the labels on the manifest.
-    repo_tag = tag_manifest.tag
-    if newly_created:
-      has_labels = False
-      with self.batch_create_manifest_labels(manifest) as add_label:
-        if add_label is None:
-          return None, None
+            # Reload the tag in case any updates were applied.
+            if has_labels:
+                repo_tag = database.RepositoryTag.get(id=repo_tag.id)
 
-        for key, value in manifest_interface_instance.layers[-1].v1_metadata.labels.iteritems():
-          media_type = 'application/json' if is_json(value) else 'text/plain'
-          add_label(key, value, 'manifest', media_type)
-          has_labels = True
+        return manifest, Tag.for_repository_tag(repo_tag)
 
-      # Reload the tag in case any updates were applied.
-      if has_labels:
-        repo_tag = database.RepositoryTag.get(id=repo_tag.id)
+    def create_manifest_label(
+        self, manifest, key, value, source_type_name, media_type_name=None
+    ):
+        """ Creates a label on the manifest with the given key and value. """
+        try:
+            tag_manifest = database.TagManifest.get(id=manifest._db_id)
+        except database.TagManifest.DoesNotExist:
+            return None
 
-    return manifest, Tag.for_repository_tag(repo_tag)
+        label_data = dict(
+            key=key,
+            value=value,
+            source_type_name=source_type_name,
+            media_type_name=media_type_name,
+        )
 
-  def create_manifest_label(self, manifest, key, value, source_type_name, media_type_name=None):
-    """ Creates a label on the manifest with the given key and value. """
-    try:
-      tag_manifest = database.TagManifest.get(id=manifest._db_id)
-    except database.TagManifest.DoesNotExist:
-      return None
+        with db_transaction():
+            # Create the label itself.
+            label = model.label.create_manifest_label(
+                tag_manifest, key, value, source_type_name, media_type_name
+            )
 
-    label_data = dict(key=key, value=value, source_type_name=source_type_name,
-                      media_type_name=media_type_name)
+            # Apply any changes to the manifest that the label prescribes.
+            apply_label_to_manifest(label_data, manifest, self)
 
-    with db_transaction():
-      # Create the label itself.
-      label = model.label.create_manifest_label(tag_manifest, key, value, source_type_name,
-                                                media_type_name)
+        return Label.for_label(label)
 
-      # Apply any changes to the manifest that the label prescribes.
-      apply_label_to_manifest(label_data, manifest, self)
-
-    return Label.for_label(label)
-
-  @contextmanager
-  def batch_create_manifest_labels(self, manifest):
-    """ Returns a context manager for batch creation of labels on a manifest.
+    @contextmanager
+    def batch_create_manifest_labels(self, manifest):
+        """ Returns a context manager for batch creation of labels on a manifest.
 
         Can raise InvalidLabelKeyException or InvalidMediaTypeException depending
         on the validation errors.
     """
-    try:
-      tag_manifest = database.TagManifest.get(id=manifest._db_id)
-    except database.TagManifest.DoesNotExist:
-      yield None
-      return
+        try:
+            tag_manifest = database.TagManifest.get(id=manifest._db_id)
+        except database.TagManifest.DoesNotExist:
+            yield None
+            return
 
-    labels_to_add = []
-    def add_label(key, value, source_type_name, media_type_name=None):
-      labels_to_add.append(dict(key=key, value=value, source_type_name=source_type_name,
-                                media_type_name=media_type_name))
+        labels_to_add = []
 
-    yield add_label
+        def add_label(key, value, source_type_name, media_type_name=None):
+            labels_to_add.append(
+                dict(
+                    key=key,
+                    value=value,
+                    source_type_name=source_type_name,
+                    media_type_name=media_type_name,
+                )
+            )
 
-    # TODO: make this truly batch once we've fully transitioned to V2_2 and no longer need
-    # the mapping tables.
-    for label in labels_to_add:
-      with db_transaction():
-        # Create the label itself.
-        model.label.create_manifest_label(tag_manifest, **label)
+        yield add_label
 
-        # Apply any changes to the manifest that the label prescribes.
-        apply_label_to_manifest(label, manifest, self)
+        # TODO: make this truly batch once we've fully transitioned to V2_2 and no longer need
+        # the mapping tables.
+        for label in labels_to_add:
+            with db_transaction():
+                # Create the label itself.
+                model.label.create_manifest_label(tag_manifest, **label)
 
-  def list_manifest_labels(self, manifest, key_prefix=None):
-    """ Returns all labels found on the manifest. If specified, the key_prefix will filter the
+                # Apply any changes to the manifest that the label prescribes.
+                apply_label_to_manifest(label, manifest, self)
+
+    def list_manifest_labels(self, manifest, key_prefix=None):
+        """ Returns all labels found on the manifest. If specified, the key_prefix will filter the
         labels returned to those keys that start with the given prefix.
     """
-    labels = model.label.list_manifest_labels(manifest._db_id, prefix_filter=key_prefix)
-    return [Label.for_label(l) for l in labels]
+        labels = model.label.list_manifest_labels(
+            manifest._db_id, prefix_filter=key_prefix
+        )
+        return [Label.for_label(l) for l in labels]
 
-  def get_manifest_label(self, manifest, label_uuid):
-    """ Returns the label with the specified UUID on the manifest or None if none. """
-    return Label.for_label(model.label.get_manifest_label(label_uuid, manifest._db_id))
+    def get_manifest_label(self, manifest, label_uuid):
+        """ Returns the label with the specified UUID on the manifest or None if none. """
+        return Label.for_label(
+            model.label.get_manifest_label(label_uuid, manifest._db_id)
+        )
 
-  def delete_manifest_label(self, manifest, label_uuid):
-    """ Delete the label with the specified UUID on the manifest. Returns the label deleted
+    def delete_manifest_label(self, manifest, label_uuid):
+        """ Delete the label with the specified UUID on the manifest. Returns the label deleted
         or None if none.
     """
-    return Label.for_label(model.label.delete_manifest_label(label_uuid, manifest._db_id))
+        return Label.for_label(
+            model.label.delete_manifest_label(label_uuid, manifest._db_id)
+        )
 
-  def lookup_active_repository_tags(self, repository_ref, start_pagination_id, limit):
-    """
+    def lookup_active_repository_tags(self, repository_ref, start_pagination_id, limit):
+        """
     Returns a page of actvie tags in a repository. Note that the tags returned by this method
     are ShallowTag objects, which only contain the tag name.
     """
-    tags = model.tag.list_active_repo_tags(repository_ref._db_id, include_images=False,
-                                           start_id=start_pagination_id, limit=limit)
-    return [ShallowTag.for_repository_tag(tag) for tag in tags]
+        tags = model.tag.list_active_repo_tags(
+            repository_ref._db_id,
+            include_images=False,
+            start_id=start_pagination_id,
+            limit=limit,
+        )
+        return [ShallowTag.for_repository_tag(tag) for tag in tags]
 
-  def list_all_active_repository_tags(self, repository_ref, include_legacy_images=False):
-    """
+    def list_all_active_repository_tags(
+        self, repository_ref, include_legacy_images=False
+    ):
+        """
     Returns a list of all the active tags in the repository. Note that this is a *HEAVY*
     operation on repositories with a lot of tags, and should only be used for testing or
     where other more specific operations are not possible.
     """
-    if not include_legacy_images:
-      tags = model.tag.list_active_repo_tags(repository_ref._db_id, include_images=False)
-      return [Tag.for_repository_tag(tag) for tag in tags]
+        if not include_legacy_images:
+            tags = model.tag.list_active_repo_tags(
+                repository_ref._db_id, include_images=False
+            )
+            return [Tag.for_repository_tag(tag) for tag in tags]
 
-    tags = model.tag.list_active_repo_tags(repository_ref._db_id)
-    return [Tag.for_repository_tag(tag,
-                                   legacy_image=LegacyImage.for_image(tag.image),
-                                   manifest_digest=(tag.tagmanifest.digest
-                                                    if hasattr(tag, 'tagmanifest')
-                                                    else None))
-            for tag in tags]
+        tags = model.tag.list_active_repo_tags(repository_ref._db_id)
+        return [
+            Tag.for_repository_tag(
+                tag,
+                legacy_image=LegacyImage.for_image(tag.image),
+                manifest_digest=(
+                    tag.tagmanifest.digest if hasattr(tag, "tagmanifest") else None
+                ),
+            )
+            for tag in tags
+        ]
 
-  def list_repository_tag_history(self, repository_ref, page=1, size=100, specific_tag_name=None,
-                                  active_tags_only=False, since_time_ms=None):
-    """
+    def list_repository_tag_history(
+        self,
+        repository_ref,
+        page=1,
+        size=100,
+        specific_tag_name=None,
+        active_tags_only=False,
+        since_time_ms=None,
+    ):
+        """
     Returns the history of all tags in the repository (unless filtered). This includes tags that
     have been made in-active due to newer versions of those tags coming into service.
     """
 
-    # Only available on OCI model
-    if since_time_ms is not None:
-      raise NotImplementedError
+        # Only available on OCI model
+        if since_time_ms is not None:
+            raise NotImplementedError
 
-    tags, manifest_map, has_more = model.tag.list_repository_tag_history(repository_ref._db_id,
-                                                                         page, size,
-                                                                         specific_tag_name,
-                                                                         active_tags_only)
-    return [Tag.for_repository_tag(tag, manifest_map.get(tag.id),
-                                   legacy_image=LegacyImage.for_image(tag.image))
-            for tag in tags], has_more
+        tags, manifest_map, has_more = model.tag.list_repository_tag_history(
+            repository_ref._db_id, page, size, specific_tag_name, active_tags_only
+        )
+        return (
+            [
+                Tag.for_repository_tag(
+                    tag,
+                    manifest_map.get(tag.id),
+                    legacy_image=LegacyImage.for_image(tag.image),
+                )
+                for tag in tags
+            ],
+            has_more,
+        )
 
-  def has_expired_tag(self, repository_ref, tag_name):
-    """
+    def has_expired_tag(self, repository_ref, tag_name):
+        """
     Returns true if and only if the repository contains a tag with the given name that is expired.
     """
-    try:
-      model.tag.get_expired_tag_in_repo(repository_ref._db_id, tag_name)
-      return True
-    except database.RepositoryTag.DoesNotExist:
-      return False
+        try:
+            model.tag.get_expired_tag_in_repo(repository_ref._db_id, tag_name)
+            return True
+        except database.RepositoryTag.DoesNotExist:
+            return False
 
-  def get_most_recent_tag_lifetime_start(self, repository_refs): 
-    """ 
+    def get_most_recent_tag_lifetime_start(self, repository_refs):
+        """ 
     Returns a map from repository ID to the last modified time (in s) for each repository in the
     given repository reference list.
     """
-    if not repository_refs:
-      return {}
+        if not repository_refs:
+            return {}
 
-    tuples = (database.RepositoryTag.select(database.RepositoryTag.repository, 
-                                            fn.Max(database.RepositoryTag.lifetime_start_ts))
-                                    .where(database.RepositoryTag.repository << [r.id for r in repository_refs])
-                                    .group_by(database.RepositoryTag.repository)
-                                    .tuples())
+        tuples = (
+            database.RepositoryTag.select(
+                database.RepositoryTag.repository,
+                fn.Max(database.RepositoryTag.lifetime_start_ts),
+            )
+            .where(database.RepositoryTag.repository << [r.id for r in repository_refs])
+            .group_by(database.RepositoryTag.repository)
+            .tuples()
+        )
 
-    return {repo_id: seconds for repo_id, seconds in tuples}
+        return {repo_id: seconds for repo_id, seconds in tuples}
 
-  def get_repo_tag(self, repository_ref, tag_name, include_legacy_image=False):
-    """
+    def get_repo_tag(self, repository_ref, tag_name, include_legacy_image=False):
+        """
     Returns the latest, *active* tag found in the repository, with the matching name
     or None if none.
     """
-    assert isinstance(tag_name, basestring)
-    tag = model.tag.get_active_tag_for_repo(repository_ref._db_id, tag_name)
-    if tag is None:
-      return None
+        assert isinstance(tag_name, basestring)
+        tag = model.tag.get_active_tag_for_repo(repository_ref._db_id, tag_name)
+        if tag is None:
+            return None
 
-    legacy_image = LegacyImage.for_image(tag.image) if include_legacy_image else None
-    tag_manifest = model.tag.get_tag_manifest(tag)
-    manifest_digest = tag_manifest.digest if tag_manifest else None
-    return Tag.for_repository_tag(tag, legacy_image=legacy_image, manifest_digest=manifest_digest)
+        legacy_image = (
+            LegacyImage.for_image(tag.image) if include_legacy_image else None
+        )
+        tag_manifest = model.tag.get_tag_manifest(tag)
+        manifest_digest = tag_manifest.digest if tag_manifest else None
+        return Tag.for_repository_tag(
+            tag, legacy_image=legacy_image, manifest_digest=manifest_digest
+        )
 
-  def retarget_tag(self, repository_ref, tag_name, manifest_or_legacy_image, storage,
-                   legacy_manifest_key, is_reversion=False):
-    """
+    def retarget_tag(
+        self,
+        repository_ref,
+        tag_name,
+        manifest_or_legacy_image,
+        storage,
+        legacy_manifest_key,
+        is_reversion=False,
+    ):
+        """
     Creates, updates or moves a tag to a new entry in history, pointing to the manifest or
     legacy image specified. If is_reversion is set to True, this operation is considered a
     reversion over a previous tag move operation. Returns the updated Tag or None on error.
     """
-    # TODO: unify this.
-    assert legacy_manifest_key is not None
-    if not is_reversion:
-      if isinstance(manifest_or_legacy_image, Manifest):
-        raise NotImplementedError('Not yet implemented')
-      else:
-        model.tag.create_or_update_tag_for_repo(repository_ref._db_id, tag_name,
-                                                manifest_or_legacy_image.docker_image_id)
-    else:
-      if isinstance(manifest_or_legacy_image, Manifest):
-        model.tag.restore_tag_to_manifest(repository_ref._db_id, tag_name,
-                                          manifest_or_legacy_image.digest)
-      else:
-        model.tag.restore_tag_to_image(repository_ref._db_id, tag_name,
-                                       manifest_or_legacy_image.docker_image_id)
+        # TODO: unify this.
+        assert legacy_manifest_key is not None
+        if not is_reversion:
+            if isinstance(manifest_or_legacy_image, Manifest):
+                raise NotImplementedError("Not yet implemented")
+            else:
+                model.tag.create_or_update_tag_for_repo(
+                    repository_ref._db_id,
+                    tag_name,
+                    manifest_or_legacy_image.docker_image_id,
+                )
+        else:
+            if isinstance(manifest_or_legacy_image, Manifest):
+                model.tag.restore_tag_to_manifest(
+                    repository_ref._db_id, tag_name, manifest_or_legacy_image.digest
+                )
+            else:
+                model.tag.restore_tag_to_image(
+                    repository_ref._db_id,
+                    tag_name,
+                    manifest_or_legacy_image.docker_image_id,
+                )
 
-    # Generate a manifest for the tag, if necessary.
-    tag = self.get_repo_tag(repository_ref, tag_name, include_legacy_image=True)
-    if tag is None:
-      return None
+        # Generate a manifest for the tag, if necessary.
+        tag = self.get_repo_tag(repository_ref, tag_name, include_legacy_image=True)
+        if tag is None:
+            return None
 
-    self.backfill_manifest_for_tag(tag)
-    return tag
+        self.backfill_manifest_for_tag(tag)
+        return tag
 
-  def delete_tag(self, repository_ref, tag_name):
-    """
+    def delete_tag(self, repository_ref, tag_name):
+        """
     Deletes the latest, *active* tag with the given name in the repository.
     """
-    repo = model.repository.lookup_repository(repository_ref._db_id)
-    if repo is None:
-      return None
+        repo = model.repository.lookup_repository(repository_ref._db_id)
+        if repo is None:
+            return None
 
-    deleted_tag = model.tag.delete_tag(repo.namespace_user.username, repo.name, tag_name)
-    return Tag.for_repository_tag(deleted_tag)
+        deleted_tag = model.tag.delete_tag(
+            repo.namespace_user.username, repo.name, tag_name
+        )
+        return Tag.for_repository_tag(deleted_tag)
 
-  def delete_tags_for_manifest(self, manifest):
-    """
+    def delete_tags_for_manifest(self, manifest):
+        """
     Deletes all tags pointing to the given manifest, making the manifest inaccessible for pulling.
     Returns the tags deleted, if any. Returns None on error.
     """
-    try:
-      tagmanifest = database.TagManifest.get(id=manifest._db_id)
-    except database.TagManifest.DoesNotExist:
-      return None
+        try:
+            tagmanifest = database.TagManifest.get(id=manifest._db_id)
+        except database.TagManifest.DoesNotExist:
+            return None
 
-    namespace_name = tagmanifest.tag.repository.namespace_user.username
-    repo_name = tagmanifest.tag.repository.name
-    tags = model.tag.delete_manifest_by_digest(namespace_name, repo_name, manifest.digest)
-    return [Tag.for_repository_tag(tag) for tag in tags]
+        namespace_name = tagmanifest.tag.repository.namespace_user.username
+        repo_name = tagmanifest.tag.repository.name
+        tags = model.tag.delete_manifest_by_digest(
+            namespace_name, repo_name, manifest.digest
+        )
+        return [Tag.for_repository_tag(tag) for tag in tags]
 
-  def change_repository_tag_expiration(self, tag, expiration_date):
-    """ Sets the expiration date of the tag under the matching repository to that given. If the
+    def change_repository_tag_expiration(self, tag, expiration_date):
+        """ Sets the expiration date of the tag under the matching repository to that given. If the
         expiration date is None, then the tag will not expire. Returns a tuple of the previous
         expiration timestamp in seconds (if any), and whether the operation succeeded.
     """
-    try:
-      tag_obj = database.RepositoryTag.get(id=tag._db_id)
-    except database.RepositoryTag.DoesNotExist:
-      return (None, False)
+        try:
+            tag_obj = database.RepositoryTag.get(id=tag._db_id)
+        except database.RepositoryTag.DoesNotExist:
+            return (None, False)
 
-    return model.tag.change_tag_expiration(tag_obj, expiration_date)
+        return model.tag.change_tag_expiration(tag_obj, expiration_date)
 
-  def get_legacy_images_owned_by_tag(self, tag):
-    """ Returns all legacy images *solely owned and used* by the given tag. """
-    try:
-      tag_obj = database.RepositoryTag.get(id=tag._db_id)
-    except database.RepositoryTag.DoesNotExist:
-      return None
+    def get_legacy_images_owned_by_tag(self, tag):
+        """ Returns all legacy images *solely owned and used* by the given tag. """
+        try:
+            tag_obj = database.RepositoryTag.get(id=tag._db_id)
+        except database.RepositoryTag.DoesNotExist:
+            return None
 
-    # Collect the IDs of all images that the tag uses.
-    tag_image_ids = set()
-    tag_image_ids.add(tag_obj.image.id)
-    tag_image_ids.update(tag_obj.image.ancestor_id_list())
+        # Collect the IDs of all images that the tag uses.
+        tag_image_ids = set()
+        tag_image_ids.add(tag_obj.image.id)
+        tag_image_ids.update(tag_obj.image.ancestor_id_list())
 
-    # Remove any images shared by other tags.
-    for current_tag in model.tag.list_active_repo_tags(tag_obj.repository_id):
-      if current_tag == tag_obj:
-        continue
+        # Remove any images shared by other tags.
+        for current_tag in model.tag.list_active_repo_tags(tag_obj.repository_id):
+            if current_tag == tag_obj:
+                continue
 
-      tag_image_ids.discard(current_tag.image.id)
-      tag_image_ids = tag_image_ids.difference(current_tag.image.ancestor_id_list())
-      if not tag_image_ids:
-        return []
+            tag_image_ids.discard(current_tag.image.id)
+            tag_image_ids = tag_image_ids.difference(
+                current_tag.image.ancestor_id_list()
+            )
+            if not tag_image_ids:
+                return []
 
-    if not tag_image_ids:
-      return []
+        if not tag_image_ids:
+            return []
 
-    # Load the images we need to return.
-    images = database.Image.select().where(database.Image.id << list(tag_image_ids))
-    all_image_ids = set()
-    for image in images:
-      all_image_ids.add(image.id)
-      all_image_ids.update(image.ancestor_id_list())
+        # Load the images we need to return.
+        images = database.Image.select().where(database.Image.id << list(tag_image_ids))
+        all_image_ids = set()
+        for image in images:
+            all_image_ids.add(image.id)
+            all_image_ids.update(image.ancestor_id_list())
 
-    # Build a map of all the images and their parents.
-    images_map = {}
-    all_images = database.Image.select().where(database.Image.id << list(all_image_ids))
-    for image in all_images:
-      images_map[image.id] = image
+        # Build a map of all the images and their parents.
+        images_map = {}
+        all_images = database.Image.select().where(
+            database.Image.id << list(all_image_ids)
+        )
+        for image in all_images:
+            images_map[image.id] = image
 
-    return [LegacyImage.for_image(image, images_map=images_map) for image in images]
+        return [LegacyImage.for_image(image, images_map=images_map) for image in images]
 
-  def get_security_status(self, manifest_or_legacy_image):
-    """ Returns the security status for the given manifest or legacy image or None if none. """
-    image = None
+    def get_security_status(self, manifest_or_legacy_image):
+        """ Returns the security status for the given manifest or legacy image or None if none. """
+        image = None
 
-    if isinstance(manifest_or_legacy_image, Manifest):
-      try:
-        tag_manifest = database.TagManifest.get(id=manifest_or_legacy_image._db_id)
-        image = tag_manifest.tag.image
-      except database.TagManifest.DoesNotExist:
-        return None
-    else:
-      try:
-        image = database.Image.get(id=manifest_or_legacy_image._db_id)
-      except database.Image.DoesNotExist:
-        return None
+        if isinstance(manifest_or_legacy_image, Manifest):
+            try:
+                tag_manifest = database.TagManifest.get(
+                    id=manifest_or_legacy_image._db_id
+                )
+                image = tag_manifest.tag.image
+            except database.TagManifest.DoesNotExist:
+                return None
+        else:
+            try:
+                image = database.Image.get(id=manifest_or_legacy_image._db_id)
+            except database.Image.DoesNotExist:
+                return None
 
-    if image.security_indexed_engine is not None and image.security_indexed_engine >= 0:
-      return SecurityScanStatus.SCANNED if image.security_indexed else SecurityScanStatus.FAILED
+        if (
+            image.security_indexed_engine is not None
+            and image.security_indexed_engine >= 0
+        ):
+            return (
+                SecurityScanStatus.SCANNED
+                if image.security_indexed
+                else SecurityScanStatus.FAILED
+            )
 
-    return SecurityScanStatus.QUEUED
+        return SecurityScanStatus.QUEUED
 
-  def reset_security_status(self, manifest_or_legacy_image):
-    """ Resets the security status for the given manifest or legacy image, ensuring that it will
+    def reset_security_status(self, manifest_or_legacy_image):
+        """ Resets the security status for the given manifest or legacy image, ensuring that it will
         get re-indexed.
     """
-    image = None
+        image = None
 
-    if isinstance(manifest_or_legacy_image, Manifest):
-      try:
-        tag_manifest = database.TagManifest.get(id=manifest_or_legacy_image._db_id)
-        image = tag_manifest.tag.image
-      except database.TagManifest.DoesNotExist:
-        return None
-    else:
-      try:
-        image = database.Image.get(id=manifest_or_legacy_image._db_id)
-      except database.Image.DoesNotExist:
-        return None
+        if isinstance(manifest_or_legacy_image, Manifest):
+            try:
+                tag_manifest = database.TagManifest.get(
+                    id=manifest_or_legacy_image._db_id
+                )
+                image = tag_manifest.tag.image
+            except database.TagManifest.DoesNotExist:
+                return None
+        else:
+            try:
+                image = database.Image.get(id=manifest_or_legacy_image._db_id)
+            except database.Image.DoesNotExist:
+                return None
 
-    assert image
-    image.security_indexed = False
-    image.security_indexed_engine = IMAGE_NOT_SCANNED_ENGINE_VERSION
-    image.save()
+        assert image
+        image.security_indexed = False
+        image.security_indexed_engine = IMAGE_NOT_SCANNED_ENGINE_VERSION
+        image.save()
 
-  def backfill_manifest_for_tag(self, tag):
-    """ Backfills a manifest for the V1 tag specified.
+    def backfill_manifest_for_tag(self, tag):
+        """ Backfills a manifest for the V1 tag specified.
         If a manifest already exists for the tag, returns that manifest.
 
         NOTE: This method will only be necessary until we've completed the backfill, at which point
         it should be removed.
     """
-    # Ensure that there isn't already a manifest for the tag.
-    tag_manifest = model.tag.get_tag_manifest(tag._db_id)
-    if tag_manifest is not None:
-      return Manifest.for_tag_manifest(tag_manifest)
+        # Ensure that there isn't already a manifest for the tag.
+        tag_manifest = model.tag.get_tag_manifest(tag._db_id)
+        if tag_manifest is not None:
+            return Manifest.for_tag_manifest(tag_manifest)
 
-    # Create the manifest.
-    try:
-      tag_obj = database.RepositoryTag.get(id=tag._db_id)
-    except database.RepositoryTag.DoesNotExist:
-      return None
+        # Create the manifest.
+        try:
+            tag_obj = database.RepositoryTag.get(id=tag._db_id)
+        except database.RepositoryTag.DoesNotExist:
+            return None
 
-    assert not tag_obj.hidden
+        assert not tag_obj.hidden
 
-    repo = tag_obj.repository
+        repo = tag_obj.repository
 
-    # Write the manifest to the DB.
-    manifest = self._build_manifest_for_legacy_image(tag_obj.name, tag_obj.image)
-    if manifest is None:
-      return None
+        # Write the manifest to the DB.
+        manifest = self._build_manifest_for_legacy_image(tag_obj.name, tag_obj.image)
+        if manifest is None:
+            return None
 
-    blob_query = self._lookup_repo_storages_by_content_checksum(repo, manifest.checksums)
-    storage_map = {blob.content_checksum: blob.id for blob in blob_query}
-    try:
-      tag_manifest = model.tag.associate_generated_tag_manifest_with_tag(tag_obj, manifest,
-                                                                         storage_map)
-      assert tag_manifest
-    except IntegrityError:
-      tag_manifest = model.tag.get_tag_manifest(tag_obj)
+        blob_query = self._lookup_repo_storages_by_content_checksum(
+            repo, manifest.checksums
+        )
+        storage_map = {blob.content_checksum: blob.id for blob in blob_query}
+        try:
+            tag_manifest = model.tag.associate_generated_tag_manifest_with_tag(
+                tag_obj, manifest, storage_map
+            )
+            assert tag_manifest
+        except IntegrityError:
+            tag_manifest = model.tag.get_tag_manifest(tag_obj)
 
-    return Manifest.for_tag_manifest(tag_manifest)
+        return Manifest.for_tag_manifest(tag_manifest)
 
-  def list_manifest_layers(self, manifest, storage, include_placements=False):
-    try:
-      tag_manifest = database.TagManifest.get(id=manifest._db_id)
-    except database.TagManifest.DoesNotExist:
-      logger.exception('Could not find tag manifest for manifest `%s`', manifest._db_id)
-      return None
+    def list_manifest_layers(self, manifest, storage, include_placements=False):
+        try:
+            tag_manifest = database.TagManifest.get(id=manifest._db_id)
+        except database.TagManifest.DoesNotExist:
+            logger.exception(
+                "Could not find tag manifest for manifest `%s`", manifest._db_id
+            )
+            return None
 
-    try:
-      parsed = manifest.get_parsed_manifest()
-    except ManifestException:
-      logger.exception('Could not parse and validate manifest `%s`', manifest._db_id)
-      return None
+        try:
+            parsed = manifest.get_parsed_manifest()
+        except ManifestException:
+            logger.exception(
+                "Could not parse and validate manifest `%s`", manifest._db_id
+            )
+            return None
 
-    repo_ref = RepositoryReference.for_id(tag_manifest.tag.repository_id)
-    return self.list_parsed_manifest_layers(repo_ref, parsed, storage, include_placements)
+        repo_ref = RepositoryReference.for_id(tag_manifest.tag.repository_id)
+        return self.list_parsed_manifest_layers(
+            repo_ref, parsed, storage, include_placements
+        )
 
-  def lookup_derived_image(self, manifest, verb, storage, varying_metadata=None,
-                           include_placements=False):
-    """
+    def lookup_derived_image(
+        self, manifest, verb, storage, varying_metadata=None, include_placements=False
+    ):
+        """
     Looks up the derived image for the given manifest, verb and optional varying metadata and
     returns it or None if none.
     """
-    try:
-      tag_manifest = database.TagManifest.get(id=manifest._db_id)
-    except database.TagManifest.DoesNotExist:
-      logger.exception('Could not find tag manifest for manifest `%s`', manifest._db_id)
-      return None
+        try:
+            tag_manifest = database.TagManifest.get(id=manifest._db_id)
+        except database.TagManifest.DoesNotExist:
+            logger.exception(
+                "Could not find tag manifest for manifest `%s`", manifest._db_id
+            )
+            return None
 
-    repo_image = tag_manifest.tag.image
-    derived = model.image.find_derived_storage_for_image(repo_image, verb, varying_metadata)
-    return self._build_derived(derived, verb, varying_metadata, include_placements)
+        repo_image = tag_manifest.tag.image
+        derived = model.image.find_derived_storage_for_image(
+            repo_image, verb, varying_metadata
+        )
+        return self._build_derived(derived, verb, varying_metadata, include_placements)
 
-  def lookup_or_create_derived_image(self, manifest, verb, storage_location, storage,
-                                     varying_metadata=None, include_placements=False):
-    """
+    def lookup_or_create_derived_image(
+        self,
+        manifest,
+        verb,
+        storage_location,
+        storage,
+        varying_metadata=None,
+        include_placements=False,
+    ):
+        """
     Looks up the derived image for the given maniest, verb and optional varying metadata
     and returns it. If none exists, a new derived image is created.
     """
-    try:
-      tag_manifest = database.TagManifest.get(id=manifest._db_id)
-    except database.TagManifest.DoesNotExist:
-      logger.exception('Could not find tag manifest for manifest `%s`', manifest._db_id)
-      return None
+        try:
+            tag_manifest = database.TagManifest.get(id=manifest._db_id)
+        except database.TagManifest.DoesNotExist:
+            logger.exception(
+                "Could not find tag manifest for manifest `%s`", manifest._db_id
+            )
+            return None
 
-    repo_image = tag_manifest.tag.image
-    derived = model.image.find_or_create_derived_storage(repo_image, verb, storage_location,
-                                                         varying_metadata)
-    return self._build_derived(derived, verb, varying_metadata, include_placements)
+        repo_image = tag_manifest.tag.image
+        derived = model.image.find_or_create_derived_storage(
+            repo_image, verb, storage_location, varying_metadata
+        )
+        return self._build_derived(derived, verb, varying_metadata, include_placements)
 
-  def set_tags_expiration_for_manifest(self, manifest, expiration_sec):
-    """
+    def set_tags_expiration_for_manifest(self, manifest, expiration_sec):
+        """
     Sets the expiration on all tags that point to the given manifest to that specified.
     """
-    try:
-      tag_manifest = database.TagManifest.get(id=manifest._db_id)
-    except database.TagManifest.DoesNotExist:
-      return
+        try:
+            tag_manifest = database.TagManifest.get(id=manifest._db_id)
+        except database.TagManifest.DoesNotExist:
+            return
 
-    model.tag.set_tag_expiration_for_manifest(tag_manifest, expiration_sec)
+        model.tag.set_tag_expiration_for_manifest(tag_manifest, expiration_sec)
 
-  def get_schema1_parsed_manifest(self, manifest, namespace_name, repo_name, tag_name, storage):
-    """ Returns the schema 1 version of this manifest, or None if none. """
-    try:
-      return manifest.get_parsed_manifest()
-    except ManifestException:
-      return None
+    def get_schema1_parsed_manifest(
+        self, manifest, namespace_name, repo_name, tag_name, storage
+    ):
+        """ Returns the schema 1 version of this manifest, or None if none. """
+        try:
+            return manifest.get_parsed_manifest()
+        except ManifestException:
+            return None
 
-  def convert_manifest(self, manifest, namespace_name, repo_name, tag_name, allowed_mediatypes,
-                       storage):
-    try:
-      parsed = manifest.get_parsed_manifest()
-    except ManifestException:
-      return None
+    def convert_manifest(
+        self, manifest, namespace_name, repo_name, tag_name, allowed_mediatypes, storage
+    ):
+        try:
+            parsed = manifest.get_parsed_manifest()
+        except ManifestException:
+            return None
 
-    try:
-      return parsed.convert_manifest(allowed_mediatypes, namespace_name, repo_name, tag_name, None)
-    except ManifestException:
-      return None
+        try:
+            return parsed.convert_manifest(
+                allowed_mediatypes, namespace_name, repo_name, tag_name, None
+            )
+        except ManifestException:
+            return None
 
-  def create_manifest_with_temp_tag(self, repository_ref, manifest_interface_instance,
-                                    expiration_sec, storage):
-    """ Creates a manifest under the repository and sets a temporary tag to point to it.
+    def create_manifest_with_temp_tag(
+        self, repository_ref, manifest_interface_instance, expiration_sec, storage
+    ):
+        """ Creates a manifest under the repository and sets a temporary tag to point to it.
         Returns the manifest object created or None on error.
     """
-    raise NotImplementedError('Unsupported in pre OCI model')
+        raise NotImplementedError("Unsupported in pre OCI model")
 
-  def get_repo_blob_by_digest(self, repository_ref, blob_digest, include_placements=False):
-    """
+    def get_repo_blob_by_digest(
+        self, repository_ref, blob_digest, include_placements=False
+    ):
+        """
     Returns the blob in the repository with the given digest, if any or None if none. Note that
     there may be multiple records in the same repository for the same blob digest, so the return
     value of this function may change.
     """
-    image_storage = self._get_shared_storage(blob_digest)
-    if image_storage is None:
-      try:
-        image_storage = model.blob.get_repository_blob_by_digest(repository_ref._db_id, blob_digest)
-      except model.BlobDoesNotExist:
-        return None
+        image_storage = self._get_shared_storage(blob_digest)
+        if image_storage is None:
+            try:
+                image_storage = model.blob.get_repository_blob_by_digest(
+                    repository_ref._db_id, blob_digest
+                )
+            except model.BlobDoesNotExist:
+                return None
 
-    assert image_storage.cas_path is not None
+        assert image_storage.cas_path is not None
 
-    placements = None
-    if include_placements:
-      placements = list(model.storage.get_storage_locations(image_storage.uuid))
+        placements = None
+        if include_placements:
+            placements = list(model.storage.get_storage_locations(image_storage.uuid))
 
-    return Blob.for_image_storage(image_storage,
-                                  storage_path=model.storage.get_layer_path(image_storage),
-                                  placements=placements)
+        return Blob.for_image_storage(
+            image_storage,
+            storage_path=model.storage.get_layer_path(image_storage),
+            placements=placements,
+        )
 
-  def list_parsed_manifest_layers(self, repository_ref, parsed_manifest, storage,
-                                  include_placements=False):
-    """ Returns an *ordered list* of the layers found in the parsed manifest, starting at the base
+    def list_parsed_manifest_layers(
+        self, repository_ref, parsed_manifest, storage, include_placements=False
+    ):
+        """ Returns an *ordered list* of the layers found in the parsed manifest, starting at the base
         and working towards the leaf, including the associated Blob and its placements
         (if specified).
     """
-    return self._list_manifest_layers(repository_ref._db_id, parsed_manifest, storage,
-                                      include_placements=include_placements)
+        return self._list_manifest_layers(
+            repository_ref._db_id,
+            parsed_manifest,
+            storage,
+            include_placements=include_placements,
+        )
 
-  def get_manifest_local_blobs(self, manifest, include_placements=False):
-    """ Returns the set of local blobs for the given manifest or None if none. """
-    try:
-      tag_manifest = database.TagManifest.get(id=manifest._db_id)
-    except database.TagManifest.DoesNotExist:
-      return None
+    def get_manifest_local_blobs(self, manifest, include_placements=False):
+        """ Returns the set of local blobs for the given manifest or None if none. """
+        try:
+            tag_manifest = database.TagManifest.get(id=manifest._db_id)
+        except database.TagManifest.DoesNotExist:
+            return None
 
-    return self._get_manifest_local_blobs(manifest, tag_manifest.tag.repository_id,
-                                          include_placements)
+        return self._get_manifest_local_blobs(
+            manifest, tag_manifest.tag.repository_id, include_placements
+        )
 
-  def yield_tags_for_vulnerability_notification(self, layer_id_pairs):
-    """ Yields tags that contain one (or more) of the given layer ID pairs, in repositories
+    def yield_tags_for_vulnerability_notification(self, layer_id_pairs):
+        """ Yields tags that contain one (or more) of the given layer ID pairs, in repositories
         which have been registered for vulnerability_found notifications. Returns an iterator
         of LikelyVulnerableTag instances.
     """
-    event = database.ExternalNotificationEvent.get(name='vulnerability_found')
+        event = database.ExternalNotificationEvent.get(name="vulnerability_found")
 
-    def filter_notifying_repos(query):
-      return model.tag.filter_has_repository_event(query, event)
+        def filter_notifying_repos(query):
+            return model.tag.filter_has_repository_event(query, event)
 
-    def filter_and_order(query):
-      return model.tag.filter_tags_have_repository_event(query, event)
+        def filter_and_order(query):
+            return model.tag.filter_tags_have_repository_event(query, event)
 
-    # Find the matching tags.
-    tags = model.tag.get_matching_tags_for_images(layer_id_pairs,
-                                                  selections=[database.RepositoryTag,
-                                                              database.Image,
-                                                              database.ImageStorage],
-                                                  filter_images=filter_notifying_repos,
-                                                  filter_tags=filter_and_order)
-    for tag in tags:
-      yield LikelyVulnerableTag.for_repository_tag(tag, tag.repository)
+        # Find the matching tags.
+        tags = model.tag.get_matching_tags_for_images(
+            layer_id_pairs,
+            selections=[database.RepositoryTag, database.Image, database.ImageStorage],
+            filter_images=filter_notifying_repos,
+            filter_tags=filter_and_order,
+        )
+        for tag in tags:
+            yield LikelyVulnerableTag.for_repository_tag(tag, tag.repository)
 
 
 pre_oci_model = PreOCIModel()
diff --git a/data/registry_model/shared.py b/data/registry_model/shared.py
index 82a01aa67..51df3e22e 100644
--- a/data/registry_model/shared.py
+++ b/data/registry_model/shared.py
@@ -10,500 +10,626 @@ from data.cache import cache_key
 from data.model.oci.retriever import RepositoryContentRetriever
 from data.model.blob import get_shared_blob
 from data.registry_model.datatype import FromDictionaryException
-from data.registry_model.datatypes import (RepositoryReference, Blob, TorrentInfo, BlobUpload,
-                                           LegacyImage, ManifestLayer, DerivedImage, ShallowTag)
+from data.registry_model.datatypes import (
+    RepositoryReference,
+    Blob,
+    TorrentInfo,
+    BlobUpload,
+    LegacyImage,
+    ManifestLayer,
+    DerivedImage,
+    ShallowTag,
+)
 from image.docker.schema1 import ManifestException, DockerSchema1ManifestBuilder
 from image.docker.schema2 import EMPTY_LAYER_BLOB_DIGEST
 
 logger = logging.getLogger(__name__)
 
 # The maximum size for generated manifest after which we remove extra metadata.
-MAXIMUM_GENERATED_MANIFEST_SIZE = 3 * 1024 * 1024 # 3 MB
+MAXIMUM_GENERATED_MANIFEST_SIZE = 3 * 1024 * 1024  # 3 MB
+
 
 class SharedModel:
-  """
+    """
   SharedModel implements those data model operations for the registry API that are unchanged
   between the old and new data models.
   """
-  def lookup_repository(self, namespace_name, repo_name, kind_filter=None):
-    """ Looks up and returns a reference to the repository with the given namespace and name,
+
+    def lookup_repository(self, namespace_name, repo_name, kind_filter=None):
+        """ Looks up and returns a reference to the repository with the given namespace and name,
         or None if none. """
-    repo = model.repository.get_repository(namespace_name, repo_name, kind_filter=kind_filter)
-    state = repo.state if repo is not None else None
-    return RepositoryReference.for_repo_obj(repo, namespace_name, repo_name,
-                                            repo.namespace_user.stripe_id is None if repo else None,
-                                            state=state)
+        repo = model.repository.get_repository(
+            namespace_name, repo_name, kind_filter=kind_filter
+        )
+        state = repo.state if repo is not None else None
+        return RepositoryReference.for_repo_obj(
+            repo,
+            namespace_name,
+            repo_name,
+            repo.namespace_user.stripe_id is None if repo else None,
+            state=state,
+        )
 
-  def is_existing_disabled_namespace(self, namespace_name):
-    """ Returns whether the given namespace exists and is disabled. """
-    namespace = model.user.get_namespace_user(namespace_name)
-    return namespace is not None and not namespace.enabled
+    def is_existing_disabled_namespace(self, namespace_name):
+        """ Returns whether the given namespace exists and is disabled. """
+        namespace = model.user.get_namespace_user(namespace_name)
+        return namespace is not None and not namespace.enabled
 
-  def is_namespace_enabled(self, namespace_name):
-    """ Returns whether the given namespace exists and is enabled. """
-    namespace = model.user.get_namespace_user(namespace_name)
-    return namespace is not None and namespace.enabled
+    def is_namespace_enabled(self, namespace_name):
+        """ Returns whether the given namespace exists and is enabled. """
+        namespace = model.user.get_namespace_user(namespace_name)
+        return namespace is not None and namespace.enabled
 
-  def get_derived_image_signature(self, derived_image, signer_name):
-    """
+    def get_derived_image_signature(self, derived_image, signer_name):
+        """
     Returns the signature associated with the derived image and a specific signer or None if none.
     """
-    try:
-      derived_storage = database.DerivedStorageForImage.get(id=derived_image._db_id)
-    except database.DerivedStorageForImage.DoesNotExist:
-      return None
+        try:
+            derived_storage = database.DerivedStorageForImage.get(
+                id=derived_image._db_id
+            )
+        except database.DerivedStorageForImage.DoesNotExist:
+            return None
 
-    storage = derived_storage.derivative
-    signature_entry = model.storage.lookup_storage_signature(storage, signer_name)
-    if signature_entry is None:
-      return None
+        storage = derived_storage.derivative
+        signature_entry = model.storage.lookup_storage_signature(storage, signer_name)
+        if signature_entry is None:
+            return None
 
-    return signature_entry.signature
+        return signature_entry.signature
 
-  def set_derived_image_signature(self, derived_image, signer_name, signature):
-    """
+    def set_derived_image_signature(self, derived_image, signer_name, signature):
+        """
     Sets the calculated signature for the given derived image and signer to that specified.
     """
-    try:
-      derived_storage = database.DerivedStorageForImage.get(id=derived_image._db_id)
-    except database.DerivedStorageForImage.DoesNotExist:
-      return None
+        try:
+            derived_storage = database.DerivedStorageForImage.get(
+                id=derived_image._db_id
+            )
+        except database.DerivedStorageForImage.DoesNotExist:
+            return None
 
-    storage = derived_storage.derivative
-    signature_entry = model.storage.find_or_create_storage_signature(storage, signer_name)
-    signature_entry.signature = signature
-    signature_entry.uploading = False
-    signature_entry.save()
+        storage = derived_storage.derivative
+        signature_entry = model.storage.find_or_create_storage_signature(
+            storage, signer_name
+        )
+        signature_entry.signature = signature
+        signature_entry.uploading = False
+        signature_entry.save()
 
-  def delete_derived_image(self, derived_image):
-    """
+    def delete_derived_image(self, derived_image):
+        """
     Deletes a derived image and all of its storage.
     """
-    try:
-      derived_storage = database.DerivedStorageForImage.get(id=derived_image._db_id)
-    except database.DerivedStorageForImage.DoesNotExist:
-      return None
+        try:
+            derived_storage = database.DerivedStorageForImage.get(
+                id=derived_image._db_id
+            )
+        except database.DerivedStorageForImage.DoesNotExist:
+            return None
 
-    model.image.delete_derived_storage(derived_storage)
+        model.image.delete_derived_storage(derived_storage)
 
-  def set_derived_image_size(self, derived_image, compressed_size):
-    """
+    def set_derived_image_size(self, derived_image, compressed_size):
+        """
     Sets the compressed size on the given derived image.
     """
-    try:
-      derived_storage = database.DerivedStorageForImage.get(id=derived_image._db_id)
-    except database.DerivedStorageForImage.DoesNotExist:
-      return None
+        try:
+            derived_storage = database.DerivedStorageForImage.get(
+                id=derived_image._db_id
+            )
+        except database.DerivedStorageForImage.DoesNotExist:
+            return None
 
-    storage_entry = derived_storage.derivative
-    storage_entry.image_size = compressed_size
-    storage_entry.uploading = False
-    storage_entry.save()
+        storage_entry = derived_storage.derivative
+        storage_entry.image_size = compressed_size
+        storage_entry.uploading = False
+        storage_entry.save()
 
-  def get_torrent_info(self, blob):
-    """
+    def get_torrent_info(self, blob):
+        """
     Returns the torrent information associated with the given blob or None if none.
     """
-    try:
-      image_storage = database.ImageStorage.get(id=blob._db_id)
-    except database.ImageStorage.DoesNotExist:
-      return None
+        try:
+            image_storage = database.ImageStorage.get(id=blob._db_id)
+        except database.ImageStorage.DoesNotExist:
+            return None
 
-    try:
-      torrent_info = model.storage.get_torrent_info(image_storage)
-    except model.TorrentInfoDoesNotExist:
-      return None
+        try:
+            torrent_info = model.storage.get_torrent_info(image_storage)
+        except model.TorrentInfoDoesNotExist:
+            return None
 
-    return TorrentInfo.for_torrent_info(torrent_info)
+        return TorrentInfo.for_torrent_info(torrent_info)
 
-  def set_torrent_info(self, blob, piece_length, pieces):
-    """
+    def set_torrent_info(self, blob, piece_length, pieces):
+        """
     Sets the torrent infomation associated with the given blob to that specified.
     """
-    try:
-      image_storage = database.ImageStorage.get(id=blob._db_id)
-    except database.ImageStorage.DoesNotExist:
-      return None
+        try:
+            image_storage = database.ImageStorage.get(id=blob._db_id)
+        except database.ImageStorage.DoesNotExist:
+            return None
 
-    torrent_info = model.storage.save_torrent_info(image_storage, piece_length, pieces)
-    return TorrentInfo.for_torrent_info(torrent_info)
+        torrent_info = model.storage.save_torrent_info(
+            image_storage, piece_length, pieces
+        )
+        return TorrentInfo.for_torrent_info(torrent_info)
 
-  @abstractmethod
-  def lookup_active_repository_tags(self, repository_ref, start_pagination_id, limit):
-    pass
+    @abstractmethod
+    def lookup_active_repository_tags(self, repository_ref, start_pagination_id, limit):
+        pass
 
-  def lookup_cached_active_repository_tags(self, model_cache, repository_ref, start_pagination_id,
-                                           limit):
-    """
+    def lookup_cached_active_repository_tags(
+        self, model_cache, repository_ref, start_pagination_id, limit
+    ):
+        """
     Returns a page of active tags in a repository. Note that the tags returned by this method
     are ShallowTag objects, which only contain the tag name. This method will automatically cache
     the result and check the cache before making a call.
     """
-    def load_tags():
-      tags = self.lookup_active_repository_tags(repository_ref, start_pagination_id, limit)
-      return [tag.asdict() for tag in tags]
 
-    tags_cache_key = cache_key.for_active_repo_tags(repository_ref._db_id, start_pagination_id,
-                                                    limit)
-    result = model_cache.retrieve(tags_cache_key, load_tags)
+        def load_tags():
+            tags = self.lookup_active_repository_tags(
+                repository_ref, start_pagination_id, limit
+            )
+            return [tag.asdict() for tag in tags]
 
-    try:
-      return [ShallowTag.from_dict(tag_dict) for tag_dict in result]
-    except FromDictionaryException:
-      return self.lookup_active_repository_tags(repository_ref, start_pagination_id, limit)
+        tags_cache_key = cache_key.for_active_repo_tags(
+            repository_ref._db_id, start_pagination_id, limit
+        )
+        result = model_cache.retrieve(tags_cache_key, load_tags)
 
-  def get_cached_namespace_region_blacklist(self, model_cache, namespace_name):
-    """ Returns a cached set of ISO country codes blacklisted for pulls for the namespace
+        try:
+            return [ShallowTag.from_dict(tag_dict) for tag_dict in result]
+        except FromDictionaryException:
+            return self.lookup_active_repository_tags(
+                repository_ref, start_pagination_id, limit
+            )
+
+    def get_cached_namespace_region_blacklist(self, model_cache, namespace_name):
+        """ Returns a cached set of ISO country codes blacklisted for pulls for the namespace
         or None if the list could not be loaded.
     """
 
-    def load_blacklist():
-      restrictions = model.user.list_namespace_geo_restrictions(namespace_name)
-      if restrictions is None:
-        return None
+        def load_blacklist():
+            restrictions = model.user.list_namespace_geo_restrictions(namespace_name)
+            if restrictions is None:
+                return None
 
-      return [restriction.restricted_region_iso_code for restriction in restrictions]
+            return [
+                restriction.restricted_region_iso_code for restriction in restrictions
+            ]
 
-    blacklist_cache_key = cache_key.for_namespace_geo_restrictions(namespace_name)
-    result = model_cache.retrieve(blacklist_cache_key, load_blacklist)
-    if result is None:
-      return None
+        blacklist_cache_key = cache_key.for_namespace_geo_restrictions(namespace_name)
+        result = model_cache.retrieve(blacklist_cache_key, load_blacklist)
+        if result is None:
+            return None
 
-    return set(result)
+        return set(result)
 
-  def get_cached_repo_blob(self, model_cache, namespace_name, repo_name, blob_digest):
-    """
+    def get_cached_repo_blob(self, model_cache, namespace_name, repo_name, blob_digest):
+        """
     Returns the blob in the repository with the given digest if any or None if none.
     Caches the result in the caching system.
     """
-    def load_blob():
-      repository_ref = self.lookup_repository(namespace_name, repo_name)
-      if repository_ref is None:
-        return None
 
-      blob_found = self.get_repo_blob_by_digest(repository_ref, blob_digest,
-                                                include_placements=True)
-      if blob_found is None:
-        return None
+        def load_blob():
+            repository_ref = self.lookup_repository(namespace_name, repo_name)
+            if repository_ref is None:
+                return None
 
-      return blob_found.asdict()
+            blob_found = self.get_repo_blob_by_digest(
+                repository_ref, blob_digest, include_placements=True
+            )
+            if blob_found is None:
+                return None
 
-    blob_cache_key = cache_key.for_repository_blob(namespace_name, repo_name, blob_digest, 2)
-    blob_dict = model_cache.retrieve(blob_cache_key, load_blob)
+            return blob_found.asdict()
 
-    try:
-      return Blob.from_dict(blob_dict) if blob_dict is not None else None
-    except FromDictionaryException:
-      # The data was stale in some way. Simply reload.
-      repository_ref = self.lookup_repository(namespace_name, repo_name)
-      if repository_ref is None:
-        return None
+        blob_cache_key = cache_key.for_repository_blob(
+            namespace_name, repo_name, blob_digest, 2
+        )
+        blob_dict = model_cache.retrieve(blob_cache_key, load_blob)
 
-      return self.get_repo_blob_by_digest(repository_ref, blob_digest, include_placements=True)
+        try:
+            return Blob.from_dict(blob_dict) if blob_dict is not None else None
+        except FromDictionaryException:
+            # The data was stale in some way. Simply reload.
+            repository_ref = self.lookup_repository(namespace_name, repo_name)
+            if repository_ref is None:
+                return None
 
-  @abstractmethod
-  def get_repo_blob_by_digest(self, repository_ref, blob_digest, include_placements=False):
-    pass
+            return self.get_repo_blob_by_digest(
+                repository_ref, blob_digest, include_placements=True
+            )
 
-  def create_blob_upload(self, repository_ref, new_upload_id, location_name, storage_metadata):
-    """ Creates a new blob upload and returns a reference. If the blob upload could not be
+    @abstractmethod
+    def get_repo_blob_by_digest(
+        self, repository_ref, blob_digest, include_placements=False
+    ):
+        pass
+
+    def create_blob_upload(
+        self, repository_ref, new_upload_id, location_name, storage_metadata
+    ):
+        """ Creates a new blob upload and returns a reference. If the blob upload could not be
         created, returns None. """
-    repo = model.repository.lookup_repository(repository_ref._db_id)
-    if repo is None:
-      return None
+        repo = model.repository.lookup_repository(repository_ref._db_id)
+        if repo is None:
+            return None
 
-    try:
-      upload_record = model.blob.initiate_upload_for_repo(repo, new_upload_id, location_name,
-                                                          storage_metadata)
-      return BlobUpload.for_upload(upload_record, location_name=location_name)
-    except database.Repository.DoesNotExist:
-      return None
+        try:
+            upload_record = model.blob.initiate_upload_for_repo(
+                repo, new_upload_id, location_name, storage_metadata
+            )
+            return BlobUpload.for_upload(upload_record, location_name=location_name)
+        except database.Repository.DoesNotExist:
+            return None
 
-  def lookup_blob_upload(self, repository_ref, blob_upload_id):
-    """ Looks up the blob upload withn the given ID under the specified repository and returns it
+    def lookup_blob_upload(self, repository_ref, blob_upload_id):
+        """ Looks up the blob upload withn the given ID under the specified repository and returns it
         or None if none.
     """
-    upload_record = model.blob.get_blob_upload_by_uuid(blob_upload_id)
-    if upload_record is None:
-      return None
+        upload_record = model.blob.get_blob_upload_by_uuid(blob_upload_id)
+        if upload_record is None:
+            return None
 
-    return BlobUpload.for_upload(upload_record)
+        return BlobUpload.for_upload(upload_record)
 
-  def update_blob_upload(self, blob_upload, uncompressed_byte_count, piece_hashes, piece_sha_state,
-                         storage_metadata, byte_count, chunk_count, sha_state):
-    """ Updates the fields of the blob upload to match those given. Returns the updated blob upload
+    def update_blob_upload(
+        self,
+        blob_upload,
+        uncompressed_byte_count,
+        piece_hashes,
+        piece_sha_state,
+        storage_metadata,
+        byte_count,
+        chunk_count,
+        sha_state,
+    ):
+        """ Updates the fields of the blob upload to match those given. Returns the updated blob upload
         or None if the record does not exists.
     """
-    upload_record = model.blob.get_blob_upload_by_uuid(blob_upload.upload_id)
-    if upload_record is None:
-      return None
+        upload_record = model.blob.get_blob_upload_by_uuid(blob_upload.upload_id)
+        if upload_record is None:
+            return None
 
-    upload_record.uncompressed_byte_count = uncompressed_byte_count
-    upload_record.piece_hashes = piece_hashes
-    upload_record.piece_sha_state = piece_sha_state
-    upload_record.storage_metadata = storage_metadata
-    upload_record.byte_count = byte_count
-    upload_record.chunk_count = chunk_count
-    upload_record.sha_state = sha_state
-    upload_record.save()
-    return BlobUpload.for_upload(upload_record)
+        upload_record.uncompressed_byte_count = uncompressed_byte_count
+        upload_record.piece_hashes = piece_hashes
+        upload_record.piece_sha_state = piece_sha_state
+        upload_record.storage_metadata = storage_metadata
+        upload_record.byte_count = byte_count
+        upload_record.chunk_count = chunk_count
+        upload_record.sha_state = sha_state
+        upload_record.save()
+        return BlobUpload.for_upload(upload_record)
 
-  def delete_blob_upload(self, blob_upload):
-    """ Deletes a blob upload record. """
-    upload_record = model.blob.get_blob_upload_by_uuid(blob_upload.upload_id)
-    if upload_record is not None:
-      upload_record.delete_instance()
+    def delete_blob_upload(self, blob_upload):
+        """ Deletes a blob upload record. """
+        upload_record = model.blob.get_blob_upload_by_uuid(blob_upload.upload_id)
+        if upload_record is not None:
+            upload_record.delete_instance()
 
-  def commit_blob_upload(self, blob_upload, blob_digest_str, blob_expiration_seconds):
-    """ Commits the blob upload into a blob and sets an expiration before that blob will be GCed.
+    def commit_blob_upload(self, blob_upload, blob_digest_str, blob_expiration_seconds):
+        """ Commits the blob upload into a blob and sets an expiration before that blob will be GCed.
     """
-    upload_record = model.blob.get_blob_upload_by_uuid(blob_upload.upload_id)
-    if upload_record is None:
-      return None
+        upload_record = model.blob.get_blob_upload_by_uuid(blob_upload.upload_id)
+        if upload_record is None:
+            return None
 
-    repository_id = upload_record.repository_id
+        repository_id = upload_record.repository_id
 
-    # Create the blob and temporarily tag it.
-    location_obj = model.storage.get_image_location_for_name(blob_upload.location_name)
-    blob_record = model.blob.store_blob_record_and_temp_link_in_repo(
-      repository_id, blob_digest_str, location_obj.id, blob_upload.byte_count,
-      blob_expiration_seconds, blob_upload.uncompressed_byte_count)
+        # Create the blob and temporarily tag it.
+        location_obj = model.storage.get_image_location_for_name(
+            blob_upload.location_name
+        )
+        blob_record = model.blob.store_blob_record_and_temp_link_in_repo(
+            repository_id,
+            blob_digest_str,
+            location_obj.id,
+            blob_upload.byte_count,
+            blob_expiration_seconds,
+            blob_upload.uncompressed_byte_count,
+        )
 
-    # Delete the blob upload.
-    upload_record.delete_instance()
-    return Blob.for_image_storage(blob_record,
-                                  storage_path=model.storage.get_layer_path(blob_record))
+        # Delete the blob upload.
+        upload_record.delete_instance()
+        return Blob.for_image_storage(
+            blob_record, storage_path=model.storage.get_layer_path(blob_record)
+        )
 
-  def mount_blob_into_repository(self, blob, target_repository_ref, expiration_sec):
-    """
+    def mount_blob_into_repository(self, blob, target_repository_ref, expiration_sec):
+        """
     Mounts the blob from another repository into the specified target repository, and adds an
     expiration before that blob is automatically GCed. This function is useful during push
     operations if an existing blob from another repository is being pushed. Returns False if
     the mounting fails.
     """
-    storage = model.blob.temp_link_blob(target_repository_ref._db_id, blob.digest, expiration_sec)
-    return bool(storage)
+        storage = model.blob.temp_link_blob(
+            target_repository_ref._db_id, blob.digest, expiration_sec
+        )
+        return bool(storage)
 
-  def get_legacy_images(self, repository_ref):
-    """
+    def get_legacy_images(self, repository_ref):
+        """
     Returns an iterator of all the LegacyImage's defined in the matching repository.
     """
-    repo = model.repository.lookup_repository(repository_ref._db_id)
-    if repo is None:
-      return None
+        repo = model.repository.lookup_repository(repository_ref._db_id)
+        if repo is None:
+            return None
 
-    all_images = model.image.get_repository_images_without_placements(repo)
-    all_images_map = {image.id: image for image in all_images}
+        all_images = model.image.get_repository_images_without_placements(repo)
+        all_images_map = {image.id: image for image in all_images}
 
-    all_tags = model.tag.list_repository_tags(repo.namespace_user.username, repo.name)
-    tags_by_image_id = defaultdict(list)
-    for tag in all_tags:
-      tags_by_image_id[tag.image_id].append(tag)
+        all_tags = model.tag.list_repository_tags(
+            repo.namespace_user.username, repo.name
+        )
+        tags_by_image_id = defaultdict(list)
+        for tag in all_tags:
+            tags_by_image_id[tag.image_id].append(tag)
 
-    return [LegacyImage.for_image(image, images_map=all_images_map, tags_map=tags_by_image_id)
-            for image in all_images]
+        return [
+            LegacyImage.for_image(
+                image, images_map=all_images_map, tags_map=tags_by_image_id
+            )
+            for image in all_images
+        ]
 
-  def get_legacy_image(self, repository_ref, docker_image_id, include_parents=False,
-                       include_blob=False):
-    """
+    def get_legacy_image(
+        self, repository_ref, docker_image_id, include_parents=False, include_blob=False
+    ):
+        """
     Returns the matching LegacyImages under the matching repository, if any. If none,
     returns None.
     """
-    repo = model.repository.lookup_repository(repository_ref._db_id)
-    if repo is None:
-      return None
+        repo = model.repository.lookup_repository(repository_ref._db_id)
+        if repo is None:
+            return None
 
-    image = model.image.get_image(repository_ref._db_id, docker_image_id)
-    if image is None:
-      return None
+        image = model.image.get_image(repository_ref._db_id, docker_image_id)
+        if image is None:
+            return None
 
-    parent_images_map = None
-    if include_parents:
-      parent_images = model.image.get_parent_images(repo.namespace_user.username, repo.name, image)
-      parent_images_map = {image.id: image for image in parent_images}
+        parent_images_map = None
+        if include_parents:
+            parent_images = model.image.get_parent_images(
+                repo.namespace_user.username, repo.name, image
+            )
+            parent_images_map = {image.id: image for image in parent_images}
 
-    blob = None
-    if include_blob:
-      placements = list(model.storage.get_storage_locations(image.storage.uuid))
-      blob = Blob.for_image_storage(image.storage,
-                                    storage_path=model.storage.get_layer_path(image.storage),
-                                    placements=placements)
+        blob = None
+        if include_blob:
+            placements = list(model.storage.get_storage_locations(image.storage.uuid))
+            blob = Blob.for_image_storage(
+                image.storage,
+                storage_path=model.storage.get_layer_path(image.storage),
+                placements=placements,
+            )
 
-    return LegacyImage.for_image(image, images_map=parent_images_map, blob=blob)
+        return LegacyImage.for_image(image, images_map=parent_images_map, blob=blob)
 
-  def _get_manifest_local_blobs(self, manifest, repo_id, include_placements=False,
-                                by_manifest=False):
-    parsed = manifest.get_parsed_manifest()
-    if parsed is None:
-      return None
+    def _get_manifest_local_blobs(
+        self, manifest, repo_id, include_placements=False, by_manifest=False
+    ):
+        parsed = manifest.get_parsed_manifest()
+        if parsed is None:
+            return None
 
-    local_blob_digests = list(set(parsed.local_blob_digests))
-    if not len(local_blob_digests):
-      return []
+        local_blob_digests = list(set(parsed.local_blob_digests))
+        if not len(local_blob_digests):
+            return []
 
-    blob_query = self._lookup_repo_storages_by_content_checksum(repo_id, local_blob_digests,
-                                                                by_manifest=by_manifest)
-    blobs = []
-    for image_storage in blob_query:
-      placements = None
-      if include_placements:
-        placements = list(model.storage.get_storage_locations(image_storage.uuid))
+        blob_query = self._lookup_repo_storages_by_content_checksum(
+            repo_id, local_blob_digests, by_manifest=by_manifest
+        )
+        blobs = []
+        for image_storage in blob_query:
+            placements = None
+            if include_placements:
+                placements = list(
+                    model.storage.get_storage_locations(image_storage.uuid)
+                )
 
-      blob = Blob.for_image_storage(image_storage,
-                                    storage_path=model.storage.get_layer_path(image_storage),
-                                    placements=placements)
-      blobs.append(blob)
+            blob = Blob.for_image_storage(
+                image_storage,
+                storage_path=model.storage.get_layer_path(image_storage),
+                placements=placements,
+            )
+            blobs.append(blob)
 
-    return blobs
+        return blobs
 
-  def _list_manifest_layers(self, repo_id, parsed, storage, include_placements=False,
-                            by_manifest=False):
-    """ Returns an *ordered list* of the layers found in the manifest, starting at the base and
+    def _list_manifest_layers(
+        self, repo_id, parsed, storage, include_placements=False, by_manifest=False
+    ):
+        """ Returns an *ordered list* of the layers found in the manifest, starting at the base and
         working towards the leaf, including the associated Blob and its placements (if specified).
         Returns None if the manifest could not be parsed and validated.
     """
-    assert not parsed.is_manifest_list
+        assert not parsed.is_manifest_list
 
-    retriever = RepositoryContentRetriever(repo_id, storage)
-    requires_empty_blob = parsed.get_requires_empty_layer_blob(retriever)
+        retriever = RepositoryContentRetriever(repo_id, storage)
+        requires_empty_blob = parsed.get_requires_empty_layer_blob(retriever)
 
-    storage_map = {}
-    blob_digests = list(parsed.local_blob_digests)
-    if requires_empty_blob:
-      blob_digests.append(EMPTY_LAYER_BLOB_DIGEST)
+        storage_map = {}
+        blob_digests = list(parsed.local_blob_digests)
+        if requires_empty_blob:
+            blob_digests.append(EMPTY_LAYER_BLOB_DIGEST)
 
-    if blob_digests:
-      blob_query = self._lookup_repo_storages_by_content_checksum(repo_id, blob_digests,
-                                                                  by_manifest=by_manifest)
-      storage_map = {blob.content_checksum: blob for blob in blob_query}
+        if blob_digests:
+            blob_query = self._lookup_repo_storages_by_content_checksum(
+                repo_id, blob_digests, by_manifest=by_manifest
+            )
+            storage_map = {blob.content_checksum: blob for blob in blob_query}
 
+        layers = parsed.get_layers(retriever)
+        if layers is None:
+            logger.error("Could not load layers for manifest `%s`", parsed.digest)
+            return None
 
-    layers = parsed.get_layers(retriever)
-    if layers is None:
-      logger.error('Could not load layers for manifest `%s`', parsed.digest)
-      return None
+        manifest_layers = []
+        for layer in layers:
+            if layer.is_remote:
+                manifest_layers.append(ManifestLayer(layer, None))
+                continue
 
-    manifest_layers = []
-    for layer in layers:
-      if layer.is_remote:
-        manifest_layers.append(ManifestLayer(layer, None))
-        continue
+            digest_str = str(layer.blob_digest)
+            if digest_str not in storage_map:
+                logger.error(
+                    "Missing digest `%s` for manifest `%s`",
+                    layer.blob_digest,
+                    parsed.digest,
+                )
+                return None
+
+            image_storage = storage_map[digest_str]
+            assert image_storage.cas_path is not None
+            assert image_storage.image_size is not None
+
+            placements = None
+            if include_placements:
+                placements = list(
+                    model.storage.get_storage_locations(image_storage.uuid)
+                )
+
+            blob = Blob.for_image_storage(
+                image_storage,
+                storage_path=model.storage.get_layer_path(image_storage),
+                placements=placements,
+            )
+            manifest_layers.append(ManifestLayer(layer, blob))
+
+        return manifest_layers
+
+    def _build_derived(self, derived, verb, varying_metadata, include_placements):
+        if derived is None:
+            return None
+
+        derived_storage = derived.derivative
+        placements = None
+        if include_placements:
+            placements = list(model.storage.get_storage_locations(derived_storage.uuid))
+
+        blob = Blob.for_image_storage(
+            derived_storage,
+            storage_path=model.storage.get_layer_path(derived_storage),
+            placements=placements,
+        )
+
+        return DerivedImage.for_derived_storage(derived, verb, varying_metadata, blob)
+
+    def _build_manifest_for_legacy_image(self, tag_name, legacy_image_row):
+        import features
+
+        from app import app, docker_v2_signing_key
+
+        repo = legacy_image_row.repository
+        namespace_name = repo.namespace_user.username
+        repo_name = repo.name
+
+        # Find the v1 metadata for this image and its parents.
+        try:
+            parents = model.image.get_parent_images(
+                namespace_name, repo_name, legacy_image_row
+            )
+        except model.DataModelException:
+            logger.exception(
+                "Could not load parent images for legacy image %s", legacy_image_row.id
+            )
+            return None
+
+        # If the manifest is being generated under the library namespace, then we make its namespace
+        # empty.
+        manifest_namespace = namespace_name
+        if (
+            features.LIBRARY_SUPPORT
+            and namespace_name == app.config["LIBRARY_NAMESPACE"]
+        ):
+            manifest_namespace = ""
+
+        # Create and populate the manifest builder
+        builder = DockerSchema1ManifestBuilder(manifest_namespace, repo_name, tag_name)
+
+        # Add the leaf layer
+        builder.add_layer(
+            legacy_image_row.storage.content_checksum, legacy_image_row.v1_json_metadata
+        )
+        if legacy_image_row.storage.uploading:
+            logger.error(
+                "Cannot add an uploading storage row: %s", legacy_image_row.storage.id
+            )
+            return None
+
+        for parent_image in parents:
+            if parent_image.storage.uploading:
+                logger.error(
+                    "Cannot add an uploading storage row: %s",
+                    legacy_image_row.storage.id,
+                )
+                return None
+
+            builder.add_layer(
+                parent_image.storage.content_checksum, parent_image.v1_json_metadata
+            )
+
+        try:
+            built_manifest = builder.build(docker_v2_signing_key)
+
+            # If the generated manifest is greater than the maximum size, regenerate it with
+            # intermediate metadata layers stripped down to their bare essentials.
+            if (
+                len(built_manifest.bytes.as_encoded_str())
+                > MAXIMUM_GENERATED_MANIFEST_SIZE
+            ):
+                built_manifest = builder.with_metadata_removed().build(
+                    docker_v2_signing_key
+                )
+
+            if (
+                len(built_manifest.bytes.as_encoded_str())
+                > MAXIMUM_GENERATED_MANIFEST_SIZE
+            ):
+                logger.error("Legacy image is too large to generate manifest")
+                return None
+
+            return built_manifest
+        except ManifestException as me:
+            logger.exception(
+                "Got exception when trying to build manifest for legacy image %s",
+                legacy_image_row,
+            )
+            return None
+
+    def _get_shared_storage(self, blob_digest):
+        """ Returns an ImageStorage row for the blob digest if it is a globally shared storage. """
+        # If the EMPTY_LAYER_BLOB_DIGEST is in the checksums, look it up directly. Since we have
+        # so many duplicate copies in the database currently, looking it up bound to a repository
+        # can be incredibly slow, and, since it is defined as a globally shared layer, this is extra
+        # work we don't need to do.
+        if blob_digest == EMPTY_LAYER_BLOB_DIGEST:
+            return get_shared_blob(EMPTY_LAYER_BLOB_DIGEST)
 
-      digest_str = str(layer.blob_digest)
-      if digest_str not in storage_map:
-        logger.error('Missing digest `%s` for manifest `%s`', layer.blob_digest, parsed.digest)
         return None
 
-      image_storage = storage_map[digest_str]
-      assert image_storage.cas_path is not None
-      assert image_storage.image_size is not None
+    def _lookup_repo_storages_by_content_checksum(
+        self, repo, checksums, by_manifest=False
+    ):
+        checksums = set(checksums)
 
-      placements = None
-      if include_placements:
-        placements = list(model.storage.get_storage_locations(image_storage.uuid))
+        # Load any shared storages first.
+        extra_storages = []
+        for checksum in list(checksums):
+            shared_storage = self._get_shared_storage(checksum)
+            if shared_storage is not None:
+                extra_storages.append(shared_storage)
+                checksums.remove(checksum)
 
-      blob = Blob.for_image_storage(image_storage,
-                                    storage_path=model.storage.get_layer_path(image_storage),
-                                    placements=placements)
-      manifest_layers.append(ManifestLayer(layer, blob))
-
-    return manifest_layers
-
-  def _build_derived(self, derived, verb, varying_metadata, include_placements):
-    if derived is None:
-      return None
-
-    derived_storage = derived.derivative
-    placements = None
-    if include_placements:
-      placements = list(model.storage.get_storage_locations(derived_storage.uuid))
-
-    blob = Blob.for_image_storage(derived_storage,
-                                  storage_path=model.storage.get_layer_path(derived_storage),
-                                  placements=placements)
-
-    return DerivedImage.for_derived_storage(derived, verb, varying_metadata, blob)
-
-  def _build_manifest_for_legacy_image(self, tag_name, legacy_image_row):
-    import features
-
-    from app import app, docker_v2_signing_key
-
-    repo = legacy_image_row.repository
-    namespace_name = repo.namespace_user.username
-    repo_name = repo.name
-
-    # Find the v1 metadata for this image and its parents.
-    try:
-      parents = model.image.get_parent_images(namespace_name, repo_name, legacy_image_row)
-    except model.DataModelException:
-      logger.exception('Could not load parent images for legacy image %s', legacy_image_row.id)
-      return None
-
-    # If the manifest is being generated under the library namespace, then we make its namespace
-    # empty.
-    manifest_namespace = namespace_name
-    if features.LIBRARY_SUPPORT and namespace_name == app.config['LIBRARY_NAMESPACE']:
-      manifest_namespace = ''
-
-    # Create and populate the manifest builder
-    builder = DockerSchema1ManifestBuilder(manifest_namespace, repo_name, tag_name)
-
-    # Add the leaf layer
-    builder.add_layer(legacy_image_row.storage.content_checksum, legacy_image_row.v1_json_metadata)
-    if legacy_image_row.storage.uploading:
-      logger.error('Cannot add an uploading storage row: %s', legacy_image_row.storage.id)
-      return None
-
-    for parent_image in parents:
-      if parent_image.storage.uploading:
-        logger.error('Cannot add an uploading storage row: %s', legacy_image_row.storage.id)
-        return None
-
-      builder.add_layer(parent_image.storage.content_checksum, parent_image.v1_json_metadata)
-
-    try:
-      built_manifest = builder.build(docker_v2_signing_key)
-
-      # If the generated manifest is greater than the maximum size, regenerate it with
-      # intermediate metadata layers stripped down to their bare essentials.
-      if len(built_manifest.bytes.as_encoded_str()) > MAXIMUM_GENERATED_MANIFEST_SIZE:
-        built_manifest = builder.with_metadata_removed().build(docker_v2_signing_key)
-
-      if len(built_manifest.bytes.as_encoded_str()) > MAXIMUM_GENERATED_MANIFEST_SIZE:
-        logger.error('Legacy image is too large to generate manifest')
-        return None
-
-      return built_manifest
-    except ManifestException as me:
-      logger.exception('Got exception when trying to build manifest for legacy image %s',
-                       legacy_image_row)
-      return None
-
-  def _get_shared_storage(self, blob_digest):
-    """ Returns an ImageStorage row for the blob digest if it is a globally shared storage. """
-    # If the EMPTY_LAYER_BLOB_DIGEST is in the checksums, look it up directly. Since we have
-    # so many duplicate copies in the database currently, looking it up bound to a repository
-    # can be incredibly slow, and, since it is defined as a globally shared layer, this is extra
-    # work we don't need to do.
-    if blob_digest == EMPTY_LAYER_BLOB_DIGEST:
-      return get_shared_blob(EMPTY_LAYER_BLOB_DIGEST)
-
-    return None
-
-  def _lookup_repo_storages_by_content_checksum(self, repo, checksums, by_manifest=False):
-    checksums = set(checksums)
-
-    # Load any shared storages first.
-    extra_storages = []
-    for checksum in list(checksums):
-      shared_storage = self._get_shared_storage(checksum)
-      if shared_storage is not None:
-        extra_storages.append(shared_storage)
-        checksums.remove(checksum)
-
-    found = []
-    if checksums:
-      found = list(model.storage.lookup_repo_storages_by_content_checksum(repo, checksums,
-                                                                          by_manifest=by_manifest))
-    return found + extra_storages
+        found = []
+        if checksums:
+            found = list(
+                model.storage.lookup_repo_storages_by_content_checksum(
+                    repo, checksums, by_manifest=by_manifest
+                )
+            )
+        return found + extra_storages
diff --git a/data/registry_model/test/test_blobuploader.py b/data/registry_model/test/test_blobuploader.py
index 8b539c617..d60c2e247 100644
--- a/data/registry_model/test/test_blobuploader.py
+++ b/data/registry_model/test/test_blobuploader.py
@@ -7,139 +7,144 @@ from contextlib import closing
 
 import pytest
 
-from data.registry_model.blobuploader import (retrieve_blob_upload_manager,
-                                              upload_blob, BlobUploadException,
-                                              BlobDigestMismatchException, BlobTooLargeException,
-                                              BlobUploadSettings)
+from data.registry_model.blobuploader import (
+    retrieve_blob_upload_manager,
+    upload_blob,
+    BlobUploadException,
+    BlobDigestMismatchException,
+    BlobTooLargeException,
+    BlobUploadSettings,
+)
 from data.registry_model.registry_pre_oci_model import PreOCIModel
 
 from storage.distributedstorage import DistributedStorage
 from storage.fakestorage import FakeStorage
 from test.fixtures import *
 
+
 @pytest.fixture()
 def pre_oci_model(initialized_db):
-  return PreOCIModel()
+    return PreOCIModel()
 
-@pytest.mark.parametrize('chunk_count', [
-  0,
-  1,
-  2,
-  10,
-])
-@pytest.mark.parametrize('subchunk', [
-  True,
-  False,
-])
+
+@pytest.mark.parametrize("chunk_count", [0, 1, 2, 10])
+@pytest.mark.parametrize("subchunk", [True, False])
 def test_basic_upload_blob(chunk_count, subchunk, pre_oci_model):
-  repository_ref = pre_oci_model.lookup_repository('devtable', 'complex')
-  storage = DistributedStorage({'local_us': FakeStorage(None)}, ['local_us'])
-  settings = BlobUploadSettings('2M', 512 * 1024, 3600)
-  app_config = {'TESTING': True}
+    repository_ref = pre_oci_model.lookup_repository("devtable", "complex")
+    storage = DistributedStorage({"local_us": FakeStorage(None)}, ["local_us"])
+    settings = BlobUploadSettings("2M", 512 * 1024, 3600)
+    app_config = {"TESTING": True}
 
-  data = ''
-  with upload_blob(repository_ref, storage, settings) as manager:
-    assert manager
-    assert manager.blob_upload_id
+    data = ""
+    with upload_blob(repository_ref, storage, settings) as manager:
+        assert manager
+        assert manager.blob_upload_id
 
-    for index in range(0, chunk_count):
-      chunk_data = os.urandom(100)
-      data += chunk_data
+        for index in range(0, chunk_count):
+            chunk_data = os.urandom(100)
+            data += chunk_data
 
-      if subchunk:
-        manager.upload_chunk(app_config, BytesIO(chunk_data))
-        manager.upload_chunk(app_config, BytesIO(chunk_data), (index * 100) + 50)
-      else:
-        manager.upload_chunk(app_config, BytesIO(chunk_data))
+            if subchunk:
+                manager.upload_chunk(app_config, BytesIO(chunk_data))
+                manager.upload_chunk(
+                    app_config, BytesIO(chunk_data), (index * 100) + 50
+                )
+            else:
+                manager.upload_chunk(app_config, BytesIO(chunk_data))
 
-    blob = manager.commit_to_blob(app_config)
+        blob = manager.commit_to_blob(app_config)
 
-  # Check the blob.
-  assert blob.compressed_size == len(data)
-  assert not blob.uploading
-  assert blob.digest == 'sha256:' + hashlib.sha256(data).hexdigest()
+    # Check the blob.
+    assert blob.compressed_size == len(data)
+    assert not blob.uploading
+    assert blob.digest == "sha256:" + hashlib.sha256(data).hexdigest()
 
-  # Ensure the blob exists in storage and has the expected data.
-  assert storage.get_content(['local_us'], blob.storage_path) == data
+    # Ensure the blob exists in storage and has the expected data.
+    assert storage.get_content(["local_us"], blob.storage_path) == data
 
 
 def test_cancel_upload(pre_oci_model):
-  repository_ref = pre_oci_model.lookup_repository('devtable', 'complex')
-  storage = DistributedStorage({'local_us': FakeStorage(None)}, ['local_us'])
-  settings = BlobUploadSettings('2M', 512 * 1024, 3600)
-  app_config = {'TESTING': True}
+    repository_ref = pre_oci_model.lookup_repository("devtable", "complex")
+    storage = DistributedStorage({"local_us": FakeStorage(None)}, ["local_us"])
+    settings = BlobUploadSettings("2M", 512 * 1024, 3600)
+    app_config = {"TESTING": True}
 
-  blob_upload_id = None
-  with upload_blob(repository_ref, storage, settings) as manager:
-    blob_upload_id = manager.blob_upload_id
-    assert pre_oci_model.lookup_blob_upload(repository_ref, blob_upload_id) is not None
+    blob_upload_id = None
+    with upload_blob(repository_ref, storage, settings) as manager:
+        blob_upload_id = manager.blob_upload_id
+        assert (
+            pre_oci_model.lookup_blob_upload(repository_ref, blob_upload_id) is not None
+        )
 
-    manager.upload_chunk(app_config, BytesIO('hello world'))
+        manager.upload_chunk(app_config, BytesIO("hello world"))
 
-  # Since the blob was not comitted, the upload should be deleted.
-  assert blob_upload_id
-  assert pre_oci_model.lookup_blob_upload(repository_ref, blob_upload_id) is None
+    # Since the blob was not comitted, the upload should be deleted.
+    assert blob_upload_id
+    assert pre_oci_model.lookup_blob_upload(repository_ref, blob_upload_id) is None
 
 
 def test_too_large(pre_oci_model):
-  repository_ref = pre_oci_model.lookup_repository('devtable', 'complex')
-  storage = DistributedStorage({'local_us': FakeStorage(None)}, ['local_us'])
-  settings = BlobUploadSettings('1K', 512 * 1024, 3600)
-  app_config = {'TESTING': True}
+    repository_ref = pre_oci_model.lookup_repository("devtable", "complex")
+    storage = DistributedStorage({"local_us": FakeStorage(None)}, ["local_us"])
+    settings = BlobUploadSettings("1K", 512 * 1024, 3600)
+    app_config = {"TESTING": True}
 
-  with upload_blob(repository_ref, storage, settings) as manager:
-    with pytest.raises(BlobTooLargeException):
-      manager.upload_chunk(app_config, BytesIO(os.urandom(1024 * 1024 * 2)))
+    with upload_blob(repository_ref, storage, settings) as manager:
+        with pytest.raises(BlobTooLargeException):
+            manager.upload_chunk(app_config, BytesIO(os.urandom(1024 * 1024 * 2)))
 
 
 def test_extra_blob_stream_handlers(pre_oci_model):
-  handler1_result = []
-  handler2_result = []
+    handler1_result = []
+    handler2_result = []
 
-  def handler1(bytes):
-    handler1_result.append(bytes)
+    def handler1(bytes):
+        handler1_result.append(bytes)
 
-  def handler2(bytes):
-    handler2_result.append(bytes)
+    def handler2(bytes):
+        handler2_result.append(bytes)
 
-  repository_ref = pre_oci_model.lookup_repository('devtable', 'complex')
-  storage = DistributedStorage({'local_us': FakeStorage(None)}, ['local_us'])
-  settings = BlobUploadSettings('1K', 512 * 1024, 3600)
-  app_config = {'TESTING': True}
+    repository_ref = pre_oci_model.lookup_repository("devtable", "complex")
+    storage = DistributedStorage({"local_us": FakeStorage(None)}, ["local_us"])
+    settings = BlobUploadSettings("1K", 512 * 1024, 3600)
+    app_config = {"TESTING": True}
 
-  with upload_blob(repository_ref, storage, settings,
-                   extra_blob_stream_handlers=[handler1, handler2]) as manager:
-    manager.upload_chunk(app_config, BytesIO('hello '))
-    manager.upload_chunk(app_config, BytesIO('world'))
+    with upload_blob(
+        repository_ref,
+        storage,
+        settings,
+        extra_blob_stream_handlers=[handler1, handler2],
+    ) as manager:
+        manager.upload_chunk(app_config, BytesIO("hello "))
+        manager.upload_chunk(app_config, BytesIO("world"))
 
-  assert ''.join(handler1_result) == 'hello world'
-  assert ''.join(handler2_result) == 'hello world'
+    assert "".join(handler1_result) == "hello world"
+    assert "".join(handler2_result) == "hello world"
 
 
 def valid_tar_gz(contents):
-  with closing(BytesIO()) as layer_data:
-    with closing(tarfile.open(fileobj=layer_data, mode='w|gz')) as tar_file:
-      tar_file_info = tarfile.TarInfo(name='somefile')
-      tar_file_info.type = tarfile.REGTYPE
-      tar_file_info.size = len(contents)
-      tar_file_info.mtime = 1
-      tar_file.addfile(tar_file_info, BytesIO(contents))
+    with closing(BytesIO()) as layer_data:
+        with closing(tarfile.open(fileobj=layer_data, mode="w|gz")) as tar_file:
+            tar_file_info = tarfile.TarInfo(name="somefile")
+            tar_file_info.type = tarfile.REGTYPE
+            tar_file_info.size = len(contents)
+            tar_file_info.mtime = 1
+            tar_file.addfile(tar_file_info, BytesIO(contents))
 
-    layer_bytes = layer_data.getvalue()
-  return layer_bytes
+        layer_bytes = layer_data.getvalue()
+    return layer_bytes
 
 
 def test_uncompressed_size(pre_oci_model):
-  repository_ref = pre_oci_model.lookup_repository('devtable', 'complex')
-  storage = DistributedStorage({'local_us': FakeStorage(None)}, ['local_us'])
-  settings = BlobUploadSettings('1K', 512 * 1024, 3600)
-  app_config = {'TESTING': True}
+    repository_ref = pre_oci_model.lookup_repository("devtable", "complex")
+    storage = DistributedStorage({"local_us": FakeStorage(None)}, ["local_us"])
+    settings = BlobUploadSettings("1K", 512 * 1024, 3600)
+    app_config = {"TESTING": True}
 
-  with upload_blob(repository_ref, storage, settings) as manager:
-    manager.upload_chunk(app_config, BytesIO(valid_tar_gz('hello world')))
+    with upload_blob(repository_ref, storage, settings) as manager:
+        manager.upload_chunk(app_config, BytesIO(valid_tar_gz("hello world")))
 
-    blob = manager.commit_to_blob(app_config)
-
-  assert blob.compressed_size is not None
-  assert blob.uncompressed_size is not None
+        blob = manager.commit_to_blob(app_config)
 
+    assert blob.compressed_size is not None
+    assert blob.uncompressed_size is not None
diff --git a/data/registry_model/test/test_interface.py b/data/registry_model/test/test_interface.py
index 8255ade6d..a0092f578 100644
--- a/data/registry_model/test/test_interface.py
+++ b/data/registry_model/test/test_interface.py
@@ -14,10 +14,21 @@ from playhouse.test_utils import assert_query_count
 
 from app import docker_v2_signing_key, storage
 from data import model
-from data.database import (TagManifestLabelMap, TagManifestToManifest, Manifest, ManifestBlob,
-                           ManifestLegacyImage, ManifestLabel,
-                           TagManifest, TagManifestLabel, DerivedStorageForImage,
-                           TorrentInfo, Tag, TagToRepositoryTag, ImageStorageLocation)
+from data.database import (
+    TagManifestLabelMap,
+    TagManifestToManifest,
+    Manifest,
+    ManifestBlob,
+    ManifestLegacyImage,
+    ManifestLabel,
+    TagManifest,
+    TagManifestLabel,
+    DerivedStorageForImage,
+    TorrentInfo,
+    Tag,
+    TagToRepositoryTag,
+    ImageStorageLocation,
+)
 from data.cache.impl import InMemoryDataModelCache
 from data.registry_model.registry_pre_oci_model import PreOCIModel
 from data.registry_model.registry_oci_model import OCIModel
@@ -26,8 +37,11 @@ from data.registry_model.blobuploader import upload_blob, BlobUploadSettings
 from data.registry_model.modelsplitter import SplitModel
 from data.model.blob import store_blob_record_and_temp_link
 from image.docker.types import ManifestImageLayer
-from image.docker.schema1 import (DockerSchema1ManifestBuilder, DOCKER_SCHEMA1_CONTENT_TYPES,
-                                  DockerSchema1Manifest)
+from image.docker.schema1 import (
+    DockerSchema1ManifestBuilder,
+    DOCKER_SCHEMA1_CONTENT_TYPES,
+    DockerSchema1Manifest,
+)
 from image.docker.schema2.manifest import DockerSchema2ManifestBuilder
 from image.docker.schema2.list import DockerSchema2ManifestListBuilder
 from util.bytes import Bytes
@@ -35,1061 +49,1256 @@ from util.bytes import Bytes
 from test.fixtures import *
 
 
-@pytest.fixture(params=[PreOCIModel(), OCIModel(), OCIModel(oci_model_only=False),
-                        SplitModel(0, {'devtable'}, {'buynlarge'}, False),
-                        SplitModel(1.0, {'devtable'}, {'buynlarge'}, False),
-                        SplitModel(1.0, {'devtable'}, {'buynlarge'}, True)])
+@pytest.fixture(
+    params=[
+        PreOCIModel(),
+        OCIModel(),
+        OCIModel(oci_model_only=False),
+        SplitModel(0, {"devtable"}, {"buynlarge"}, False),
+        SplitModel(1.0, {"devtable"}, {"buynlarge"}, False),
+        SplitModel(1.0, {"devtable"}, {"buynlarge"}, True),
+    ]
+)
 def registry_model(request, initialized_db):
-  return request.param
+    return request.param
+
 
 @pytest.fixture()
 def pre_oci_model(initialized_db):
-  return PreOCIModel()
+    return PreOCIModel()
+
 
 @pytest.fixture()
 def oci_model(initialized_db):
-  return OCIModel()
+    return OCIModel()
 
 
-@pytest.mark.parametrize('names, expected', [
-  (['unknown'], None),
-  (['latest'], {'latest'}),
-  (['latest', 'prod'], {'latest', 'prod'}),
-  (['latest', 'prod', 'another'], {'latest', 'prod'}),
-  (['foo', 'prod'], {'prod'}),
-])
+@pytest.mark.parametrize(
+    "names, expected",
+    [
+        (["unknown"], None),
+        (["latest"], {"latest"}),
+        (["latest", "prod"], {"latest", "prod"}),
+        (["latest", "prod", "another"], {"latest", "prod"}),
+        (["foo", "prod"], {"prod"}),
+    ],
+)
 def test_find_matching_tag(names, expected, registry_model):
-  repo = model.repository.get_repository('devtable', 'simple')
-  repository_ref = RepositoryReference.for_repo_obj(repo)
-  found = registry_model.find_matching_tag(repository_ref, names)
-  if expected is None:
-    assert found is None
-  else:
-    assert found.name in expected
-    assert found.repository.namespace_name == 'devtable'
-    assert found.repository.name == 'simple'
+    repo = model.repository.get_repository("devtable", "simple")
+    repository_ref = RepositoryReference.for_repo_obj(repo)
+    found = registry_model.find_matching_tag(repository_ref, names)
+    if expected is None:
+        assert found is None
+    else:
+        assert found.name in expected
+        assert found.repository.namespace_name == "devtable"
+        assert found.repository.name == "simple"
 
 
-@pytest.mark.parametrize('repo_namespace, repo_name, expected', [
-  ('devtable', 'simple', {'latest', 'prod'}),
-  ('buynlarge', 'orgrepo', {'latest', 'prod'}),
-])
+@pytest.mark.parametrize(
+    "repo_namespace, repo_name, expected",
+    [
+        ("devtable", "simple", {"latest", "prod"}),
+        ("buynlarge", "orgrepo", {"latest", "prod"}),
+    ],
+)
 def test_get_most_recent_tag(repo_namespace, repo_name, expected, registry_model):
-  repo = model.repository.get_repository(repo_namespace, repo_name)
-  repository_ref = RepositoryReference.for_repo_obj(repo)
-  found = registry_model.get_most_recent_tag(repository_ref)
-  if expected is None:
-    assert found is None
-  else:
-    assert found.name in expected
+    repo = model.repository.get_repository(repo_namespace, repo_name)
+    repository_ref = RepositoryReference.for_repo_obj(repo)
+    found = registry_model.get_most_recent_tag(repository_ref)
+    if expected is None:
+        assert found is None
+    else:
+        assert found.name in expected
 
 
-@pytest.mark.parametrize('repo_namespace, repo_name, expected', [
-  ('devtable', 'simple', True),
-  ('buynlarge', 'orgrepo', True),
-  ('buynlarge', 'unknownrepo', False),
-])
+@pytest.mark.parametrize(
+    "repo_namespace, repo_name, expected",
+    [
+        ("devtable", "simple", True),
+        ("buynlarge", "orgrepo", True),
+        ("buynlarge", "unknownrepo", False),
+    ],
+)
 def test_lookup_repository(repo_namespace, repo_name, expected, registry_model):
-  repo_ref = registry_model.lookup_repository(repo_namespace, repo_name)
-  if expected:
-    assert repo_ref
-  else:
-    assert repo_ref is None
+    repo_ref = registry_model.lookup_repository(repo_namespace, repo_name)
+    if expected:
+        assert repo_ref
+    else:
+        assert repo_ref is None
 
 
-@pytest.mark.parametrize('repo_namespace, repo_name', [
-  ('devtable', 'simple'),
-  ('buynlarge', 'orgrepo'),
-])
+@pytest.mark.parametrize(
+    "repo_namespace, repo_name", [("devtable", "simple"), ("buynlarge", "orgrepo")]
+)
 def test_lookup_manifests(repo_namespace, repo_name, registry_model):
-  repo = model.repository.get_repository(repo_namespace, repo_name)
-  repository_ref = RepositoryReference.for_repo_obj(repo)
-  found_tag = registry_model.find_matching_tag(repository_ref, ['latest'])
-  found_manifest = registry_model.get_manifest_for_tag(found_tag)
-  found = registry_model.lookup_manifest_by_digest(repository_ref, found_manifest.digest,
-                                                   include_legacy_image=True)
-  assert found._db_id == found_manifest._db_id
-  assert found.digest == found_manifest.digest
-  assert found.legacy_image
-  assert found.legacy_image.parents
+    repo = model.repository.get_repository(repo_namespace, repo_name)
+    repository_ref = RepositoryReference.for_repo_obj(repo)
+    found_tag = registry_model.find_matching_tag(repository_ref, ["latest"])
+    found_manifest = registry_model.get_manifest_for_tag(found_tag)
+    found = registry_model.lookup_manifest_by_digest(
+        repository_ref, found_manifest.digest, include_legacy_image=True
+    )
+    assert found._db_id == found_manifest._db_id
+    assert found.digest == found_manifest.digest
+    assert found.legacy_image
+    assert found.legacy_image.parents
 
-  schema1_parsed = registry_model.get_schema1_parsed_manifest(found, 'foo', 'bar', 'baz', storage)
-  assert schema1_parsed is not None
+    schema1_parsed = registry_model.get_schema1_parsed_manifest(
+        found, "foo", "bar", "baz", storage
+    )
+    assert schema1_parsed is not None
 
 
 def test_lookup_unknown_manifest(registry_model):
-  repo = model.repository.get_repository('devtable', 'simple')
-  repository_ref = RepositoryReference.for_repo_obj(repo)
-  found = registry_model.lookup_manifest_by_digest(repository_ref, 'sha256:deadbeef')
-  assert found is None
+    repo = model.repository.get_repository("devtable", "simple")
+    repository_ref = RepositoryReference.for_repo_obj(repo)
+    found = registry_model.lookup_manifest_by_digest(repository_ref, "sha256:deadbeef")
+    assert found is None
 
 
-@pytest.mark.parametrize('repo_namespace, repo_name', [
-  ('devtable', 'simple'),
-  ('devtable', 'complex'),
-  ('devtable', 'history'),
-  ('buynlarge', 'orgrepo'),
-])
+@pytest.mark.parametrize(
+    "repo_namespace, repo_name",
+    [
+        ("devtable", "simple"),
+        ("devtable", "complex"),
+        ("devtable", "history"),
+        ("buynlarge", "orgrepo"),
+    ],
+)
 def test_legacy_images(repo_namespace, repo_name, registry_model):
-  repository_ref = registry_model.lookup_repository(repo_namespace, repo_name)
-  legacy_images = registry_model.get_legacy_images(repository_ref)
-  assert len(legacy_images)
+    repository_ref = registry_model.lookup_repository(repo_namespace, repo_name)
+    legacy_images = registry_model.get_legacy_images(repository_ref)
+    assert len(legacy_images)
 
-  found_tags = set()
-  for image in legacy_images:
-    found_image = registry_model.get_legacy_image(repository_ref, image.docker_image_id,
-                                                  include_parents=True)
+    found_tags = set()
+    for image in legacy_images:
+        found_image = registry_model.get_legacy_image(
+            repository_ref, image.docker_image_id, include_parents=True
+        )
 
-    with assert_query_count(5 if found_image.parents else 4):
-      found_image = registry_model.get_legacy_image(repository_ref, image.docker_image_id,
-                                                    include_parents=True, include_blob=True)
-      assert found_image.docker_image_id == image.docker_image_id
-      assert found_image.parents == image.parents
-      assert found_image.blob
-      assert found_image.blob.placements
+        with assert_query_count(5 if found_image.parents else 4):
+            found_image = registry_model.get_legacy_image(
+                repository_ref,
+                image.docker_image_id,
+                include_parents=True,
+                include_blob=True,
+            )
+            assert found_image.docker_image_id == image.docker_image_id
+            assert found_image.parents == image.parents
+            assert found_image.blob
+            assert found_image.blob.placements
 
-    # Check that the tags list can be retrieved.
-    assert image.tags is not None
-    found_tags.update({tag.name for tag in image.tags})
+        # Check that the tags list can be retrieved.
+        assert image.tags is not None
+        found_tags.update({tag.name for tag in image.tags})
 
-    # Check against the actual DB row.
-    model_image = model.image.get_image(repository_ref._db_id, found_image.docker_image_id)
-    assert model_image.id == found_image._db_id
-    assert ([pid for pid in reversed(model_image.ancestor_id_list())] ==
-            [p._db_id for p in found_image.parents])
+        # Check against the actual DB row.
+        model_image = model.image.get_image(
+            repository_ref._db_id, found_image.docker_image_id
+        )
+        assert model_image.id == found_image._db_id
+        assert [pid for pid in reversed(model_image.ancestor_id_list())] == [
+            p._db_id for p in found_image.parents
+        ]
 
-    # Try without parents and ensure it raises an exception.
-    found_image = registry_model.get_legacy_image(repository_ref, image.docker_image_id,
-                                                  include_parents=False)
-    with pytest.raises(Exception):
-      assert not found_image.parents
+        # Try without parents and ensure it raises an exception.
+        found_image = registry_model.get_legacy_image(
+            repository_ref, image.docker_image_id, include_parents=False
+        )
+        with pytest.raises(Exception):
+            assert not found_image.parents
 
-  assert found_tags
+    assert found_tags
 
-  unknown = registry_model.get_legacy_image(repository_ref, 'unknown', include_parents=True)
-  assert unknown is None
+    unknown = registry_model.get_legacy_image(
+        repository_ref, "unknown", include_parents=True
+    )
+    assert unknown is None
 
 
 def test_manifest_labels(registry_model):
-  repo = model.repository.get_repository('devtable', 'simple')
-  repository_ref = RepositoryReference.for_repo_obj(repo)
-  found_tag = registry_model.find_matching_tag(repository_ref, ['latest'])
-  found_manifest = registry_model.get_manifest_for_tag(found_tag)
+    repo = model.repository.get_repository("devtable", "simple")
+    repository_ref = RepositoryReference.for_repo_obj(repo)
+    found_tag = registry_model.find_matching_tag(repository_ref, ["latest"])
+    found_manifest = registry_model.get_manifest_for_tag(found_tag)
 
-  # Create a new label.
-  created = registry_model.create_manifest_label(found_manifest, 'foo', 'bar', 'api')
-  assert created.key == 'foo'
-  assert created.value == 'bar'
-  assert created.source_type_name == 'api'
-  assert created.media_type_name == 'text/plain'
+    # Create a new label.
+    created = registry_model.create_manifest_label(found_manifest, "foo", "bar", "api")
+    assert created.key == "foo"
+    assert created.value == "bar"
+    assert created.source_type_name == "api"
+    assert created.media_type_name == "text/plain"
 
-  # Ensure we can look it up.
-  assert registry_model.get_manifest_label(found_manifest, created.uuid) == created
+    # Ensure we can look it up.
+    assert registry_model.get_manifest_label(found_manifest, created.uuid) == created
 
-  # Ensure it is in our list of labels.
-  assert created in registry_model.list_manifest_labels(found_manifest)
-  assert created in registry_model.list_manifest_labels(found_manifest, key_prefix='fo')
+    # Ensure it is in our list of labels.
+    assert created in registry_model.list_manifest_labels(found_manifest)
+    assert created in registry_model.list_manifest_labels(
+        found_manifest, key_prefix="fo"
+    )
 
-  # Ensure it is *not* in our filtered list.
-  assert created not in registry_model.list_manifest_labels(found_manifest, key_prefix='ba')
+    # Ensure it is *not* in our filtered list.
+    assert created not in registry_model.list_manifest_labels(
+        found_manifest, key_prefix="ba"
+    )
 
-  # Delete the label and ensure it is gone.
-  assert registry_model.delete_manifest_label(found_manifest, created.uuid)
-  assert registry_model.get_manifest_label(found_manifest, created.uuid) is None
-  assert created not in registry_model.list_manifest_labels(found_manifest)
+    # Delete the label and ensure it is gone.
+    assert registry_model.delete_manifest_label(found_manifest, created.uuid)
+    assert registry_model.get_manifest_label(found_manifest, created.uuid) is None
+    assert created not in registry_model.list_manifest_labels(found_manifest)
 
 
 def test_manifest_label_handlers(registry_model):
-  repo = model.repository.get_repository('devtable', 'simple')
-  repository_ref = RepositoryReference.for_repo_obj(repo)
-  found_tag = registry_model.get_repo_tag(repository_ref, 'latest')
-  found_manifest = registry_model.get_manifest_for_tag(found_tag)
+    repo = model.repository.get_repository("devtable", "simple")
+    repository_ref = RepositoryReference.for_repo_obj(repo)
+    found_tag = registry_model.get_repo_tag(repository_ref, "latest")
+    found_manifest = registry_model.get_manifest_for_tag(found_tag)
 
-  # Ensure the tag has no expiration.
-  assert found_tag.lifetime_end_ts is None
+    # Ensure the tag has no expiration.
+    assert found_tag.lifetime_end_ts is None
 
-  # Create a new label with an expires-after.
-  registry_model.create_manifest_label(found_manifest, 'quay.expires-after', '2h', 'api')
+    # Create a new label with an expires-after.
+    registry_model.create_manifest_label(
+        found_manifest, "quay.expires-after", "2h", "api"
+    )
 
-  # Ensure the tag now has an expiration.
-  updated_tag = registry_model.get_repo_tag(repository_ref, 'latest')
-  assert updated_tag.lifetime_end_ts == (updated_tag.lifetime_start_ts + (60 * 60 * 2))
+    # Ensure the tag now has an expiration.
+    updated_tag = registry_model.get_repo_tag(repository_ref, "latest")
+    assert updated_tag.lifetime_end_ts == (
+        updated_tag.lifetime_start_ts + (60 * 60 * 2)
+    )
 
 
 def test_batch_labels(registry_model):
-  repo = model.repository.get_repository('devtable', 'history')
-  repository_ref = RepositoryReference.for_repo_obj(repo)
-  found_tag = registry_model.find_matching_tag(repository_ref, ['latest'])
-  found_manifest = registry_model.get_manifest_for_tag(found_tag)
+    repo = model.repository.get_repository("devtable", "history")
+    repository_ref = RepositoryReference.for_repo_obj(repo)
+    found_tag = registry_model.find_matching_tag(repository_ref, ["latest"])
+    found_manifest = registry_model.get_manifest_for_tag(found_tag)
 
-  with registry_model.batch_create_manifest_labels(found_manifest) as add_label:
-    add_label('foo', '1', 'api')
-    add_label('bar', '2', 'api')
-    add_label('baz', '3', 'api')
+    with registry_model.batch_create_manifest_labels(found_manifest) as add_label:
+        add_label("foo", "1", "api")
+        add_label("bar", "2", "api")
+        add_label("baz", "3", "api")
 
-  # Ensure we can look them up.
-  assert len(registry_model.list_manifest_labels(found_manifest)) == 3
+    # Ensure we can look them up.
+    assert len(registry_model.list_manifest_labels(found_manifest)) == 3
 
 
-@pytest.mark.parametrize('repo_namespace, repo_name', [
-  ('devtable', 'simple'),
-  ('devtable', 'complex'),
-  ('devtable', 'history'),
-  ('buynlarge', 'orgrepo'),
-])
+@pytest.mark.parametrize(
+    "repo_namespace, repo_name",
+    [
+        ("devtable", "simple"),
+        ("devtable", "complex"),
+        ("devtable", "history"),
+        ("buynlarge", "orgrepo"),
+    ],
+)
 def test_repository_tags(repo_namespace, repo_name, registry_model):
-  repository_ref = registry_model.lookup_repository(repo_namespace, repo_name)
-  tags = registry_model.list_all_active_repository_tags(repository_ref, include_legacy_images=True)
-  assert len(tags)
+    repository_ref = registry_model.lookup_repository(repo_namespace, repo_name)
+    tags = registry_model.list_all_active_repository_tags(
+        repository_ref, include_legacy_images=True
+    )
+    assert len(tags)
 
-  tags_map = registry_model.get_legacy_tags_map(repository_ref, storage)
+    tags_map = registry_model.get_legacy_tags_map(repository_ref, storage)
 
-  for tag in tags:
-    found_tag = registry_model.get_repo_tag(repository_ref, tag.name, include_legacy_image=True)
-    assert found_tag == tag
+    for tag in tags:
+        found_tag = registry_model.get_repo_tag(
+            repository_ref, tag.name, include_legacy_image=True
+        )
+        assert found_tag == tag
 
-    if found_tag.legacy_image is None:
-      continue
+        if found_tag.legacy_image is None:
+            continue
 
-    found_image = registry_model.get_legacy_image(repository_ref,
-                                                  found_tag.legacy_image.docker_image_id)
-    assert found_image == found_tag.legacy_image
-    assert tag.name in tags_map
-    assert tags_map[tag.name] == found_image.docker_image_id
+        found_image = registry_model.get_legacy_image(
+            repository_ref, found_tag.legacy_image.docker_image_id
+        )
+        assert found_image == found_tag.legacy_image
+        assert tag.name in tags_map
+        assert tags_map[tag.name] == found_image.docker_image_id
 
 
-@pytest.mark.parametrize('namespace, name, expected_tag_count, has_expired', [
-  ('devtable', 'simple', 2, False),
-  ('devtable', 'history', 2, True),
-  ('devtable', 'gargantuan', 8, False),
-  ('public', 'publicrepo', 1, False),
-])
-def test_repository_tag_history(namespace, name, expected_tag_count, has_expired, registry_model):
-  # Pre-cache media type loads to ensure consistent query count.
-  Manifest.media_type.get_name(1)
+@pytest.mark.parametrize(
+    "namespace, name, expected_tag_count, has_expired",
+    [
+        ("devtable", "simple", 2, False),
+        ("devtable", "history", 2, True),
+        ("devtable", "gargantuan", 8, False),
+        ("public", "publicrepo", 1, False),
+    ],
+)
+def test_repository_tag_history(
+    namespace, name, expected_tag_count, has_expired, registry_model
+):
+    # Pre-cache media type loads to ensure consistent query count.
+    Manifest.media_type.get_name(1)
 
-  repository_ref = registry_model.lookup_repository(namespace, name)
-  with assert_query_count(2):
-    history, has_more = registry_model.list_repository_tag_history(repository_ref)
-    assert not has_more
-    assert len(history) == expected_tag_count
+    repository_ref = registry_model.lookup_repository(namespace, name)
+    with assert_query_count(2):
+        history, has_more = registry_model.list_repository_tag_history(repository_ref)
+        assert not has_more
+        assert len(history) == expected_tag_count
 
-    for tag in history:
-      # Retrieve the manifest to ensure it doesn't issue extra queries.
-      tag.manifest
+        for tag in history:
+            # Retrieve the manifest to ensure it doesn't issue extra queries.
+            tag.manifest
 
-  if has_expired:
-    # Ensure the latest tag is marked expired, since there is an expired one.
-    with assert_query_count(1):
-      assert registry_model.has_expired_tag(repository_ref, 'latest')
+    if has_expired:
+        # Ensure the latest tag is marked expired, since there is an expired one.
+        with assert_query_count(1):
+            assert registry_model.has_expired_tag(repository_ref, "latest")
 
 
-@pytest.mark.parametrize('repositories, expected_tag_count', [
-  ([], 0),
-  ([('devtable', 'simple'), ('devtable', 'building')], 1),
-])
-def test_get_most_recent_tag_lifetime_start(repositories, expected_tag_count, registry_model):
-  last_modified_map = registry_model.get_most_recent_tag_lifetime_start(
-    [registry_model.lookup_repository(name, namespace) for name, namespace in repositories]
-  )
+@pytest.mark.parametrize(
+    "repositories, expected_tag_count",
+    [([], 0), ([("devtable", "simple"), ("devtable", "building")], 1)],
+)
+def test_get_most_recent_tag_lifetime_start(
+    repositories, expected_tag_count, registry_model
+):
+    last_modified_map = registry_model.get_most_recent_tag_lifetime_start(
+        [
+            registry_model.lookup_repository(name, namespace)
+            for name, namespace in repositories
+        ]
+    )
 
-  assert len(last_modified_map) == expected_tag_count
-  for repo_id, last_modified in last_modified_map.items():
-    tag = registry_model.get_most_recent_tag(RepositoryReference.for_id(repo_id))
-    assert last_modified == tag.lifetime_start_ms / 1000
+    assert len(last_modified_map) == expected_tag_count
+    for repo_id, last_modified in last_modified_map.items():
+        tag = registry_model.get_most_recent_tag(RepositoryReference.for_id(repo_id))
+        assert last_modified == tag.lifetime_start_ms / 1000
 
 
-@pytest.mark.parametrize('repo_namespace, repo_name', [
-  ('devtable', 'simple'),
-  ('devtable', 'complex'),
-  ('devtable', 'history'),
-  ('buynlarge', 'orgrepo'),
-])
-@pytest.mark.parametrize('via_manifest', [
-  False,
-  True,
-])
+@pytest.mark.parametrize(
+    "repo_namespace, repo_name",
+    [
+        ("devtable", "simple"),
+        ("devtable", "complex"),
+        ("devtable", "history"),
+        ("buynlarge", "orgrepo"),
+    ],
+)
+@pytest.mark.parametrize("via_manifest", [False, True])
 def test_delete_tags(repo_namespace, repo_name, via_manifest, registry_model):
-  repository_ref = registry_model.lookup_repository(repo_namespace, repo_name)
-  tags = registry_model.list_all_active_repository_tags(repository_ref)
-  assert len(tags)
+    repository_ref = registry_model.lookup_repository(repo_namespace, repo_name)
+    tags = registry_model.list_all_active_repository_tags(repository_ref)
+    assert len(tags)
 
-  # Save history before the deletions.
-  previous_history, _ = registry_model.list_repository_tag_history(repository_ref, size=1000)
-  assert len(previous_history) >= len(tags)
+    # Save history before the deletions.
+    previous_history, _ = registry_model.list_repository_tag_history(
+        repository_ref, size=1000
+    )
+    assert len(previous_history) >= len(tags)
 
-  # Delete every tag in the repository.
-  for tag in tags:
-    if via_manifest:
-      assert registry_model.delete_tag(repository_ref, tag.name)
-    else:
-      manifest = registry_model.get_manifest_for_tag(tag)
-      if manifest is not None:
-        assert registry_model.delete_tags_for_manifest(manifest)
+    # Delete every tag in the repository.
+    for tag in tags:
+        if via_manifest:
+            assert registry_model.delete_tag(repository_ref, tag.name)
+        else:
+            manifest = registry_model.get_manifest_for_tag(tag)
+            if manifest is not None:
+                assert registry_model.delete_tags_for_manifest(manifest)
 
-    # Make sure the tag is no longer found.
-    # TODO: Uncomment once we're done with the SplitModel.
-    #with assert_query_count(1):
-    found_tag = registry_model.get_repo_tag(repository_ref, tag.name, include_legacy_image=True)
-    assert found_tag is None
+        # Make sure the tag is no longer found.
+        # TODO: Uncomment once we're done with the SplitModel.
+        # with assert_query_count(1):
+        found_tag = registry_model.get_repo_tag(
+            repository_ref, tag.name, include_legacy_image=True
+        )
+        assert found_tag is None
 
-  # Ensure all tags have been deleted.
-  tags = registry_model.list_all_active_repository_tags(repository_ref)
-  assert not len(tags)
+    # Ensure all tags have been deleted.
+    tags = registry_model.list_all_active_repository_tags(repository_ref)
+    assert not len(tags)
 
-  # Ensure that the tags all live in history.
-  history, _ = registry_model.list_repository_tag_history(repository_ref, size=1000)
-  assert len(history) == len(previous_history)
+    # Ensure that the tags all live in history.
+    history, _ = registry_model.list_repository_tag_history(repository_ref, size=1000)
+    assert len(history) == len(previous_history)
 
 
-@pytest.mark.parametrize('use_manifest', [
-  True,
-  False,
-])
+@pytest.mark.parametrize("use_manifest", [True, False])
 def test_retarget_tag_history(use_manifest, registry_model):
-  repository_ref = registry_model.lookup_repository('devtable', 'history')
-  history, _ = registry_model.list_repository_tag_history(repository_ref)
+    repository_ref = registry_model.lookup_repository("devtable", "history")
+    history, _ = registry_model.list_repository_tag_history(repository_ref)
 
-  if use_manifest:
-    manifest_or_legacy_image = registry_model.lookup_manifest_by_digest(repository_ref,
-                                                                        history[0].manifest_digest,
-                                                                        allow_dead=True)
-  else:
-    manifest_or_legacy_image = history[0].legacy_image
+    if use_manifest:
+        manifest_or_legacy_image = registry_model.lookup_manifest_by_digest(
+            repository_ref, history[0].manifest_digest, allow_dead=True
+        )
+    else:
+        manifest_or_legacy_image = history[0].legacy_image
 
-  # Retarget the tag.
-  assert manifest_or_legacy_image
-  updated_tag = registry_model.retarget_tag(repository_ref, 'latest', manifest_or_legacy_image,
-                                            storage, docker_v2_signing_key, is_reversion=True)
+    # Retarget the tag.
+    assert manifest_or_legacy_image
+    updated_tag = registry_model.retarget_tag(
+        repository_ref,
+        "latest",
+        manifest_or_legacy_image,
+        storage,
+        docker_v2_signing_key,
+        is_reversion=True,
+    )
 
-  # Ensure the tag has changed targets.
-  if use_manifest:
-    assert updated_tag.manifest_digest == manifest_or_legacy_image.digest
-  else:
-    assert updated_tag.legacy_image == manifest_or_legacy_image
+    # Ensure the tag has changed targets.
+    if use_manifest:
+        assert updated_tag.manifest_digest == manifest_or_legacy_image.digest
+    else:
+        assert updated_tag.legacy_image == manifest_or_legacy_image
 
-  # Ensure history has been updated.
-  new_history, _ = registry_model.list_repository_tag_history(repository_ref)
-  assert len(new_history) == len(history) + 1
+    # Ensure history has been updated.
+    new_history, _ = registry_model.list_repository_tag_history(repository_ref)
+    assert len(new_history) == len(history) + 1
 
 
 def test_retarget_tag_schema1(oci_model):
-  repository_ref = oci_model.lookup_repository('devtable', 'simple')
-  latest_tag = oci_model.get_repo_tag(repository_ref, 'latest')
-  manifest = oci_model.get_manifest_for_tag(latest_tag)
+    repository_ref = oci_model.lookup_repository("devtable", "simple")
+    latest_tag = oci_model.get_repo_tag(repository_ref, "latest")
+    manifest = oci_model.get_manifest_for_tag(latest_tag)
 
-  existing_parsed = manifest.get_parsed_manifest()
+    existing_parsed = manifest.get_parsed_manifest()
 
-  # Retarget a new tag to the manifest.
-  updated_tag = oci_model.retarget_tag(repository_ref, 'somenewtag', manifest, storage,
-                                       docker_v2_signing_key)
-  assert updated_tag
-  assert updated_tag.name == 'somenewtag'
+    # Retarget a new tag to the manifest.
+    updated_tag = oci_model.retarget_tag(
+        repository_ref, "somenewtag", manifest, storage, docker_v2_signing_key
+    )
+    assert updated_tag
+    assert updated_tag.name == "somenewtag"
 
-  updated_manifest = oci_model.get_manifest_for_tag(updated_tag)
-  parsed = updated_manifest.get_parsed_manifest()
-  assert parsed.namespace == 'devtable'
-  assert parsed.repo_name == 'simple'
-  assert parsed.tag == 'somenewtag'
+    updated_manifest = oci_model.get_manifest_for_tag(updated_tag)
+    parsed = updated_manifest.get_parsed_manifest()
+    assert parsed.namespace == "devtable"
+    assert parsed.repo_name == "simple"
+    assert parsed.tag == "somenewtag"
 
-  assert parsed.layers == existing_parsed.layers
+    assert parsed.layers == existing_parsed.layers
 
-  # Ensure the tag has changed targets.
-  assert oci_model.get_repo_tag(repository_ref, 'somenewtag') == updated_tag
+    # Ensure the tag has changed targets.
+    assert oci_model.get_repo_tag(repository_ref, "somenewtag") == updated_tag
 
 
 def test_change_repository_tag_expiration(registry_model):
-  repository_ref = registry_model.lookup_repository('devtable', 'simple')
-  tag = registry_model.get_repo_tag(repository_ref, 'latest')
-  assert tag.lifetime_end_ts is None
+    repository_ref = registry_model.lookup_repository("devtable", "simple")
+    tag = registry_model.get_repo_tag(repository_ref, "latest")
+    assert tag.lifetime_end_ts is None
 
-  new_datetime = datetime.utcnow() + timedelta(days=2)
-  previous, okay = registry_model.change_repository_tag_expiration(tag, new_datetime)
+    new_datetime = datetime.utcnow() + timedelta(days=2)
+    previous, okay = registry_model.change_repository_tag_expiration(tag, new_datetime)
 
-  assert okay
-  assert previous is None
+    assert okay
+    assert previous is None
 
-  tag = registry_model.get_repo_tag(repository_ref, 'latest')
-  assert tag.lifetime_end_ts is not None
+    tag = registry_model.get_repo_tag(repository_ref, "latest")
+    assert tag.lifetime_end_ts is not None
 
 
-@pytest.mark.parametrize('repo_namespace, repo_name, expected_non_empty', [
-  ('devtable', 'simple', []),
-  ('devtable', 'complex', ['prod', 'v2.0']),
-  ('devtable', 'history', ['latest']),
-  ('buynlarge', 'orgrepo', []),
-  ('devtable', 'gargantuan', ['v2.0', 'v3.0', 'v4.0', 'v5.0', 'v6.0']),
-])
-def test_get_legacy_images_owned_by_tag(repo_namespace, repo_name, expected_non_empty,
-                                        registry_model):
-  repository_ref = registry_model.lookup_repository(repo_namespace, repo_name)
-  tags = registry_model.list_all_active_repository_tags(repository_ref)
-  assert len(tags)
+@pytest.mark.parametrize(
+    "repo_namespace, repo_name, expected_non_empty",
+    [
+        ("devtable", "simple", []),
+        ("devtable", "complex", ["prod", "v2.0"]),
+        ("devtable", "history", ["latest"]),
+        ("buynlarge", "orgrepo", []),
+        ("devtable", "gargantuan", ["v2.0", "v3.0", "v4.0", "v5.0", "v6.0"]),
+    ],
+)
+def test_get_legacy_images_owned_by_tag(
+    repo_namespace, repo_name, expected_non_empty, registry_model
+):
+    repository_ref = registry_model.lookup_repository(repo_namespace, repo_name)
+    tags = registry_model.list_all_active_repository_tags(repository_ref)
+    assert len(tags)
 
-  non_empty = set()
-  for tag in tags:
-    if registry_model.get_legacy_images_owned_by_tag(tag):
-      non_empty.add(tag.name)
+    non_empty = set()
+    for tag in tags:
+        if registry_model.get_legacy_images_owned_by_tag(tag):
+            non_empty.add(tag.name)
 
-  assert non_empty == set(expected_non_empty)
+    assert non_empty == set(expected_non_empty)
 
 
 def test_get_security_status(registry_model):
-  repository_ref = registry_model.lookup_repository('devtable', 'simple')
-  tags = registry_model.list_all_active_repository_tags(repository_ref, include_legacy_images=True)
-  assert len(tags)
+    repository_ref = registry_model.lookup_repository("devtable", "simple")
+    tags = registry_model.list_all_active_repository_tags(
+        repository_ref, include_legacy_images=True
+    )
+    assert len(tags)
 
-  for tag in tags:
-    assert registry_model.get_security_status(tag.legacy_image)
-    registry_model.reset_security_status(tag.legacy_image)
-    assert registry_model.get_security_status(tag.legacy_image)
+    for tag in tags:
+        assert registry_model.get_security_status(tag.legacy_image)
+        registry_model.reset_security_status(tag.legacy_image)
+        assert registry_model.get_security_status(tag.legacy_image)
 
 
 @pytest.fixture()
 def clear_rows(initialized_db):
-  # Remove all new-style rows so we can backfill.
-  TagToRepositoryTag.delete().execute()
-  Tag.delete().execute()
-  TagManifestLabelMap.delete().execute()
-  ManifestLabel.delete().execute()
-  ManifestBlob.delete().execute()
-  ManifestLegacyImage.delete().execute()
-  TagManifestToManifest.delete().execute()
-  Manifest.delete().execute()
-  TagManifestLabel.delete().execute()
-  TagManifest.delete().execute()
+    # Remove all new-style rows so we can backfill.
+    TagToRepositoryTag.delete().execute()
+    Tag.delete().execute()
+    TagManifestLabelMap.delete().execute()
+    ManifestLabel.delete().execute()
+    ManifestBlob.delete().execute()
+    ManifestLegacyImage.delete().execute()
+    TagManifestToManifest.delete().execute()
+    Manifest.delete().execute()
+    TagManifestLabel.delete().execute()
+    TagManifest.delete().execute()
 
 
-@pytest.mark.parametrize('repo_namespace, repo_name', [
-  ('devtable', 'simple'),
-  ('devtable', 'complex'),
-  ('devtable', 'history'),
-  ('buynlarge', 'orgrepo'),
-])
-def test_backfill_manifest_for_tag(repo_namespace, repo_name, clear_rows, pre_oci_model):
-  repository_ref = pre_oci_model.lookup_repository(repo_namespace, repo_name)
-  tags, has_more = pre_oci_model.list_repository_tag_history(repository_ref, size=2500)
-  assert tags
-  assert not has_more
+@pytest.mark.parametrize(
+    "repo_namespace, repo_name",
+    [
+        ("devtable", "simple"),
+        ("devtable", "complex"),
+        ("devtable", "history"),
+        ("buynlarge", "orgrepo"),
+    ],
+)
+def test_backfill_manifest_for_tag(
+    repo_namespace, repo_name, clear_rows, pre_oci_model
+):
+    repository_ref = pre_oci_model.lookup_repository(repo_namespace, repo_name)
+    tags, has_more = pre_oci_model.list_repository_tag_history(
+        repository_ref, size=2500
+    )
+    assert tags
+    assert not has_more
 
-  for tag in tags:
-    assert not tag.manifest_digest
-    assert pre_oci_model.backfill_manifest_for_tag(tag)
+    for tag in tags:
+        assert not tag.manifest_digest
+        assert pre_oci_model.backfill_manifest_for_tag(tag)
 
-  tags, _ = pre_oci_model.list_repository_tag_history(repository_ref)
-  assert tags
-  for tag in tags:
-    assert tag.manifest_digest
+    tags, _ = pre_oci_model.list_repository_tag_history(repository_ref)
+    assert tags
+    for tag in tags:
+        assert tag.manifest_digest
 
-    manifest = pre_oci_model.get_manifest_for_tag(tag)
-    assert manifest
+        manifest = pre_oci_model.get_manifest_for_tag(tag)
+        assert manifest
 
-    legacy_image = pre_oci_model.get_legacy_image(repository_ref, tag.legacy_image.docker_image_id,
-                                                  include_parents=True)
+        legacy_image = pre_oci_model.get_legacy_image(
+            repository_ref, tag.legacy_image.docker_image_id, include_parents=True
+        )
 
-    parsed_manifest = manifest.get_parsed_manifest()
-    assert parsed_manifest.leaf_layer_v1_image_id == legacy_image.docker_image_id
-    assert parsed_manifest.parent_image_ids == {p.docker_image_id for p in legacy_image.parents}
+        parsed_manifest = manifest.get_parsed_manifest()
+        assert parsed_manifest.leaf_layer_v1_image_id == legacy_image.docker_image_id
+        assert parsed_manifest.parent_image_ids == {
+            p.docker_image_id for p in legacy_image.parents
+        }
 
 
-@pytest.mark.parametrize('repo_namespace, repo_name', [
-  ('devtable', 'simple'),
-  ('devtable', 'complex'),
-  ('devtable', 'history'),
-  ('buynlarge', 'orgrepo'),
-])
-def test_backfill_manifest_on_lookup(repo_namespace, repo_name, clear_rows, pre_oci_model):
-  repository_ref = pre_oci_model.lookup_repository(repo_namespace, repo_name)
-  tags = pre_oci_model.list_all_active_repository_tags(repository_ref)
-  assert tags
+@pytest.mark.parametrize(
+    "repo_namespace, repo_name",
+    [
+        ("devtable", "simple"),
+        ("devtable", "complex"),
+        ("devtable", "history"),
+        ("buynlarge", "orgrepo"),
+    ],
+)
+def test_backfill_manifest_on_lookup(
+    repo_namespace, repo_name, clear_rows, pre_oci_model
+):
+    repository_ref = pre_oci_model.lookup_repository(repo_namespace, repo_name)
+    tags = pre_oci_model.list_all_active_repository_tags(repository_ref)
+    assert tags
 
-  for tag in tags:
-    assert not tag.manifest_digest
-    assert not pre_oci_model.get_manifest_for_tag(tag)
+    for tag in tags:
+        assert not tag.manifest_digest
+        assert not pre_oci_model.get_manifest_for_tag(tag)
 
-    manifest = pre_oci_model.get_manifest_for_tag(tag, backfill_if_necessary=True)
-    assert manifest
+        manifest = pre_oci_model.get_manifest_for_tag(tag, backfill_if_necessary=True)
+        assert manifest
 
-    updated_tag = pre_oci_model.get_repo_tag(repository_ref, tag.name)
-    assert updated_tag.manifest_digest == manifest.digest
+        updated_tag = pre_oci_model.get_repo_tag(repository_ref, tag.name)
+        assert updated_tag.manifest_digest == manifest.digest
 
 
-@pytest.mark.parametrize('namespace, expect_enabled', [
-  ('devtable', True),
-  ('buynlarge', True),
-
-  ('disabled', False),
-])
+@pytest.mark.parametrize(
+    "namespace, expect_enabled",
+    [("devtable", True), ("buynlarge", True), ("disabled", False)],
+)
 def test_is_namespace_enabled(namespace, expect_enabled, registry_model):
-  assert registry_model.is_namespace_enabled(namespace) == expect_enabled
+    assert registry_model.is_namespace_enabled(namespace) == expect_enabled
 
 
-@pytest.mark.parametrize('repo_namespace, repo_name', [
-  ('devtable', 'simple'),
-  ('devtable', 'complex'),
-  ('devtable', 'history'),
-  ('buynlarge', 'orgrepo'),
-])
+@pytest.mark.parametrize(
+    "repo_namespace, repo_name",
+    [
+        ("devtable", "simple"),
+        ("devtable", "complex"),
+        ("devtable", "history"),
+        ("buynlarge", "orgrepo"),
+    ],
+)
 def test_layers_and_blobs(repo_namespace, repo_name, registry_model):
-  repository_ref = registry_model.lookup_repository(repo_namespace, repo_name)
-  tags = registry_model.list_all_active_repository_tags(repository_ref)
-  assert tags
+    repository_ref = registry_model.lookup_repository(repo_namespace, repo_name)
+    tags = registry_model.list_all_active_repository_tags(repository_ref)
+    assert tags
 
-  for tag in tags:
-    manifest = registry_model.get_manifest_for_tag(tag)
-    assert manifest
+    for tag in tags:
+        manifest = registry_model.get_manifest_for_tag(tag)
+        assert manifest
 
-    parsed = manifest.get_parsed_manifest()
-    assert parsed
+        parsed = manifest.get_parsed_manifest()
+        assert parsed
 
-    layers = registry_model.list_parsed_manifest_layers(repository_ref, parsed, storage)
-    assert layers
+        layers = registry_model.list_parsed_manifest_layers(
+            repository_ref, parsed, storage
+        )
+        assert layers
 
-    layers = registry_model.list_parsed_manifest_layers(repository_ref, parsed, storage,
-                                                        include_placements=True)
-    assert layers
+        layers = registry_model.list_parsed_manifest_layers(
+            repository_ref, parsed, storage, include_placements=True
+        )
+        assert layers
 
-    for index, manifest_layer in enumerate(layers):
-      assert manifest_layer.blob.storage_path
-      assert manifest_layer.blob.placements
+        for index, manifest_layer in enumerate(layers):
+            assert manifest_layer.blob.storage_path
+            assert manifest_layer.blob.placements
 
-      repo_blob = registry_model.get_repo_blob_by_digest(repository_ref, manifest_layer.blob.digest)
-      assert repo_blob.digest == manifest_layer.blob.digest
+            repo_blob = registry_model.get_repo_blob_by_digest(
+                repository_ref, manifest_layer.blob.digest
+            )
+            assert repo_blob.digest == manifest_layer.blob.digest
 
-      assert manifest_layer.estimated_size(1) is not None
-      assert isinstance(manifest_layer.layer_info, ManifestImageLayer)
+            assert manifest_layer.estimated_size(1) is not None
+            assert isinstance(manifest_layer.layer_info, ManifestImageLayer)
 
-    blobs = registry_model.get_manifest_local_blobs(manifest, include_placements=True)
-    assert {b.digest for b in blobs} == set(parsed.local_blob_digests)
+        blobs = registry_model.get_manifest_local_blobs(
+            manifest, include_placements=True
+        )
+        assert {b.digest for b in blobs} == set(parsed.local_blob_digests)
 
 
 def test_manifest_remote_layers(oci_model):
-  # Create a config blob for testing.
-  config_json = json.dumps({
-    'config': {},
-    "rootfs": {
-      "type": "layers",
-      "diff_ids": []
-    },
-    "history": [
-      {
-        "created": "2018-04-03T18:37:09.284840891Z",
-        "created_by": "do something",
-      },
-    ],
-  })
+    # Create a config blob for testing.
+    config_json = json.dumps(
+        {
+            "config": {},
+            "rootfs": {"type": "layers", "diff_ids": []},
+            "history": [
+                {
+                    "created": "2018-04-03T18:37:09.284840891Z",
+                    "created_by": "do something",
+                }
+            ],
+        }
+    )
 
-  app_config = {'TESTING': True}
-  repository_ref = oci_model.lookup_repository('devtable', 'simple')
-  with upload_blob(repository_ref, storage, BlobUploadSettings(500, 500, 500)) as upload:
-    upload.upload_chunk(app_config, BytesIO(config_json))
-    blob = upload.commit_to_blob(app_config)
+    app_config = {"TESTING": True}
+    repository_ref = oci_model.lookup_repository("devtable", "simple")
+    with upload_blob(
+        repository_ref, storage, BlobUploadSettings(500, 500, 500)
+    ) as upload:
+        upload.upload_chunk(app_config, BytesIO(config_json))
+        blob = upload.commit_to_blob(app_config)
 
-  # Create the manifest in the repo.
-  builder = DockerSchema2ManifestBuilder()
-  builder.set_config_digest(blob.digest, blob.compressed_size)
-  builder.add_layer('sha256:abcd', 1234, urls=['http://hello/world'])
-  manifest = builder.build()
+    # Create the manifest in the repo.
+    builder = DockerSchema2ManifestBuilder()
+    builder.set_config_digest(blob.digest, blob.compressed_size)
+    builder.add_layer("sha256:abcd", 1234, urls=["http://hello/world"])
+    manifest = builder.build()
 
-  created_manifest, _ = oci_model.create_manifest_and_retarget_tag(repository_ref, manifest,
-                                                                   'sometag', storage)
-  assert created_manifest
+    created_manifest, _ = oci_model.create_manifest_and_retarget_tag(
+        repository_ref, manifest, "sometag", storage
+    )
+    assert created_manifest
 
-  layers = oci_model.list_parsed_manifest_layers(repository_ref,
-                                                 created_manifest.get_parsed_manifest(),
-                                                 storage)
-  assert len(layers) == 1
-  assert layers[0].layer_info.is_remote
-  assert layers[0].layer_info.urls == ['http://hello/world']
-  assert layers[0].blob is None
+    layers = oci_model.list_parsed_manifest_layers(
+        repository_ref, created_manifest.get_parsed_manifest(), storage
+    )
+    assert len(layers) == 1
+    assert layers[0].layer_info.is_remote
+    assert layers[0].layer_info.urls == ["http://hello/world"]
+    assert layers[0].blob is None
 
 
 def test_derived_image(registry_model):
-  # Clear all existing derived storage.
-  DerivedStorageForImage.delete().execute()
+    # Clear all existing derived storage.
+    DerivedStorageForImage.delete().execute()
 
-  repository_ref = registry_model.lookup_repository('devtable', 'simple')
-  tag = registry_model.get_repo_tag(repository_ref, 'latest')
-  manifest = registry_model.get_manifest_for_tag(tag)
+    repository_ref = registry_model.lookup_repository("devtable", "simple")
+    tag = registry_model.get_repo_tag(repository_ref, "latest")
+    manifest = registry_model.get_manifest_for_tag(tag)
 
-  # Ensure the squashed image doesn't exist.
-  assert registry_model.lookup_derived_image(manifest, 'squash', storage, {}) is None
+    # Ensure the squashed image doesn't exist.
+    assert registry_model.lookup_derived_image(manifest, "squash", storage, {}) is None
 
-  # Create a new one.
-  squashed = registry_model.lookup_or_create_derived_image(manifest, 'squash',
-                                                           'local_us', storage, {})
-  assert registry_model.lookup_or_create_derived_image(manifest, 'squash',
-                                                       'local_us', storage, {}) == squashed
-  assert squashed.unique_id
+    # Create a new one.
+    squashed = registry_model.lookup_or_create_derived_image(
+        manifest, "squash", "local_us", storage, {}
+    )
+    assert (
+        registry_model.lookup_or_create_derived_image(
+            manifest, "squash", "local_us", storage, {}
+        )
+        == squashed
+    )
+    assert squashed.unique_id
 
-  # Check and set the size.
-  assert squashed.blob.compressed_size is None
-  registry_model.set_derived_image_size(squashed, 1234)
+    # Check and set the size.
+    assert squashed.blob.compressed_size is None
+    registry_model.set_derived_image_size(squashed, 1234)
 
-  found = registry_model.lookup_derived_image(manifest, 'squash', storage, {})
-  assert found.blob.compressed_size == 1234
-  assert found.unique_id == squashed.unique_id
+    found = registry_model.lookup_derived_image(manifest, "squash", storage, {})
+    assert found.blob.compressed_size == 1234
+    assert found.unique_id == squashed.unique_id
 
-  # Ensure its returned now.
-  assert found == squashed
+    # Ensure its returned now.
+    assert found == squashed
 
-  # Ensure different metadata results in a different derived image.
-  found = registry_model.lookup_derived_image(manifest, 'squash', storage, {'foo': 'bar'})
-  assert found is None
+    # Ensure different metadata results in a different derived image.
+    found = registry_model.lookup_derived_image(
+        manifest, "squash", storage, {"foo": "bar"}
+    )
+    assert found is None
 
-  squashed_foo = registry_model.lookup_or_create_derived_image(manifest, 'squash', 'local_us',
-                                                               storage, {'foo': 'bar'})
-  assert squashed_foo != squashed
+    squashed_foo = registry_model.lookup_or_create_derived_image(
+        manifest, "squash", "local_us", storage, {"foo": "bar"}
+    )
+    assert squashed_foo != squashed
 
-  found = registry_model.lookup_derived_image(manifest, 'squash', storage, {'foo': 'bar'})
-  assert found == squashed_foo
+    found = registry_model.lookup_derived_image(
+        manifest, "squash", storage, {"foo": "bar"}
+    )
+    assert found == squashed_foo
 
-  assert squashed.unique_id != squashed_foo.unique_id
+    assert squashed.unique_id != squashed_foo.unique_id
 
-  # Lookup with placements.
-  squashed = registry_model.lookup_or_create_derived_image(manifest, 'squash', 'local_us',
-                                                           storage, {}, include_placements=True)
-  assert squashed.blob.placements
+    # Lookup with placements.
+    squashed = registry_model.lookup_or_create_derived_image(
+        manifest, "squash", "local_us", storage, {}, include_placements=True
+    )
+    assert squashed.blob.placements
 
-  # Delete the derived image.
-  registry_model.delete_derived_image(squashed)
-  assert registry_model.lookup_derived_image(manifest, 'squash', storage, {}) is None
+    # Delete the derived image.
+    registry_model.delete_derived_image(squashed)
+    assert registry_model.lookup_derived_image(manifest, "squash", storage, {}) is None
 
 
 def test_derived_image_signatures(registry_model):
-  repository_ref = registry_model.lookup_repository('devtable', 'simple')
-  tag = registry_model.get_repo_tag(repository_ref, 'latest')
-  manifest = registry_model.get_manifest_for_tag(tag)
+    repository_ref = registry_model.lookup_repository("devtable", "simple")
+    tag = registry_model.get_repo_tag(repository_ref, "latest")
+    manifest = registry_model.get_manifest_for_tag(tag)
 
-  derived = registry_model.lookup_derived_image(manifest, 'squash', storage, {})
-  assert derived
+    derived = registry_model.lookup_derived_image(manifest, "squash", storage, {})
+    assert derived
 
-  signature = registry_model.get_derived_image_signature(derived, 'gpg2')
-  assert signature is None
+    signature = registry_model.get_derived_image_signature(derived, "gpg2")
+    assert signature is None
 
-  registry_model.set_derived_image_signature(derived, 'gpg2', 'foo')
-  assert registry_model.get_derived_image_signature(derived, 'gpg2') == 'foo'
+    registry_model.set_derived_image_signature(derived, "gpg2", "foo")
+    assert registry_model.get_derived_image_signature(derived, "gpg2") == "foo"
 
 
 def test_derived_image_for_manifest_list(oci_model):
-  # Clear all existing derived storage.
-  DerivedStorageForImage.delete().execute()
+    # Clear all existing derived storage.
+    DerivedStorageForImage.delete().execute()
 
-  # Create a config blob for testing.
-  config_json = json.dumps({
-    'config': {},
-    "rootfs": {
-      "type": "layers",
-      "diff_ids": []
-    },
-    "history": [
-      {
-        "created": "2018-04-03T18:37:09.284840891Z",
-        "created_by": "do something",
-      },
-    ],
-  })
+    # Create a config blob for testing.
+    config_json = json.dumps(
+        {
+            "config": {},
+            "rootfs": {"type": "layers", "diff_ids": []},
+            "history": [
+                {
+                    "created": "2018-04-03T18:37:09.284840891Z",
+                    "created_by": "do something",
+                }
+            ],
+        }
+    )
 
-  app_config = {'TESTING': True}
-  repository_ref = oci_model.lookup_repository('devtable', 'simple')
-  with upload_blob(repository_ref, storage, BlobUploadSettings(500, 500, 500)) as upload:
-    upload.upload_chunk(app_config, BytesIO(config_json))
-    blob = upload.commit_to_blob(app_config)
+    app_config = {"TESTING": True}
+    repository_ref = oci_model.lookup_repository("devtable", "simple")
+    with upload_blob(
+        repository_ref, storage, BlobUploadSettings(500, 500, 500)
+    ) as upload:
+        upload.upload_chunk(app_config, BytesIO(config_json))
+        blob = upload.commit_to_blob(app_config)
 
-  # Create the manifest in the repo.
-  builder = DockerSchema2ManifestBuilder()
-  builder.set_config_digest(blob.digest, blob.compressed_size)
-  builder.add_layer(blob.digest, blob.compressed_size)
-  amd64_manifest = builder.build()
+    # Create the manifest in the repo.
+    builder = DockerSchema2ManifestBuilder()
+    builder.set_config_digest(blob.digest, blob.compressed_size)
+    builder.add_layer(blob.digest, blob.compressed_size)
+    amd64_manifest = builder.build()
 
-  oci_model.create_manifest_and_retarget_tag(repository_ref, amd64_manifest, 'submanifest', storage)
+    oci_model.create_manifest_and_retarget_tag(
+        repository_ref, amd64_manifest, "submanifest", storage
+    )
 
-  # Create a manifest list, pointing to at least one amd64+linux manifest.
-  builder = DockerSchema2ManifestListBuilder()
-  builder.add_manifest(amd64_manifest, 'amd64', 'linux')
-  manifestlist = builder.build()
+    # Create a manifest list, pointing to at least one amd64+linux manifest.
+    builder = DockerSchema2ManifestListBuilder()
+    builder.add_manifest(amd64_manifest, "amd64", "linux")
+    manifestlist = builder.build()
 
-  oci_model.create_manifest_and_retarget_tag(repository_ref, manifestlist, 'listtag', storage)
-  manifest = oci_model.get_manifest_for_tag(oci_model.get_repo_tag(repository_ref, 'listtag'))
-  assert manifest
-  assert manifest.get_parsed_manifest().is_manifest_list
+    oci_model.create_manifest_and_retarget_tag(
+        repository_ref, manifestlist, "listtag", storage
+    )
+    manifest = oci_model.get_manifest_for_tag(
+        oci_model.get_repo_tag(repository_ref, "listtag")
+    )
+    assert manifest
+    assert manifest.get_parsed_manifest().is_manifest_list
 
-  # Ensure the squashed image doesn't exist.
-  assert oci_model.lookup_derived_image(manifest, 'squash', storage, {}) is None
+    # Ensure the squashed image doesn't exist.
+    assert oci_model.lookup_derived_image(manifest, "squash", storage, {}) is None
 
-  # Create a new one.
-  squashed = oci_model.lookup_or_create_derived_image(manifest, 'squash', 'local_us', storage, {})
-  assert squashed.unique_id
-  assert oci_model.lookup_or_create_derived_image(manifest, 'squash',
-                                                  'local_us', storage, {}) == squashed
+    # Create a new one.
+    squashed = oci_model.lookup_or_create_derived_image(
+        manifest, "squash", "local_us", storage, {}
+    )
+    assert squashed.unique_id
+    assert (
+        oci_model.lookup_or_create_derived_image(
+            manifest, "squash", "local_us", storage, {}
+        )
+        == squashed
+    )
 
-  # Perform lookup.
-  assert oci_model.lookup_derived_image(manifest, 'squash', storage, {}) == squashed
+    # Perform lookup.
+    assert oci_model.lookup_derived_image(manifest, "squash", storage, {}) == squashed
 
 
 def test_torrent_info(registry_model):
-  # Remove all existing info.
-  TorrentInfo.delete().execute()
+    # Remove all existing info.
+    TorrentInfo.delete().execute()
 
-  repository_ref = registry_model.lookup_repository('devtable', 'simple')
-  tag = registry_model.get_repo_tag(repository_ref, 'latest')
-  manifest = registry_model.get_manifest_for_tag(tag)
+    repository_ref = registry_model.lookup_repository("devtable", "simple")
+    tag = registry_model.get_repo_tag(repository_ref, "latest")
+    manifest = registry_model.get_manifest_for_tag(tag)
 
-  blobs = registry_model.get_manifest_local_blobs(manifest)
-  assert blobs
+    blobs = registry_model.get_manifest_local_blobs(manifest)
+    assert blobs
 
-  assert registry_model.get_torrent_info(blobs[0]) is None
-  registry_model.set_torrent_info(blobs[0], 2, 'foo')
+    assert registry_model.get_torrent_info(blobs[0]) is None
+    registry_model.set_torrent_info(blobs[0], 2, "foo")
 
-  # Set it again exactly, which should be a no-op.
-  registry_model.set_torrent_info(blobs[0], 2, 'foo')
+    # Set it again exactly, which should be a no-op.
+    registry_model.set_torrent_info(blobs[0], 2, "foo")
 
-  # Check the information we've set.
-  torrent_info = registry_model.get_torrent_info(blobs[0])
-  assert torrent_info is not None
-  assert torrent_info.piece_length == 2
-  assert torrent_info.pieces == 'foo'
+    # Check the information we've set.
+    torrent_info = registry_model.get_torrent_info(blobs[0])
+    assert torrent_info is not None
+    assert torrent_info.piece_length == 2
+    assert torrent_info.pieces == "foo"
 
-  # Try setting it again. Nothing should happen.
-  registry_model.set_torrent_info(blobs[0], 3, 'bar')
+    # Try setting it again. Nothing should happen.
+    registry_model.set_torrent_info(blobs[0], 3, "bar")
 
-  torrent_info = registry_model.get_torrent_info(blobs[0])
-  assert torrent_info is not None
-  assert torrent_info.piece_length == 2
-  assert torrent_info.pieces == 'foo'
+    torrent_info = registry_model.get_torrent_info(blobs[0])
+    assert torrent_info is not None
+    assert torrent_info.piece_length == 2
+    assert torrent_info.pieces == "foo"
 
 
 def test_blob_uploads(registry_model):
-  repository_ref = registry_model.lookup_repository('devtable', 'simple')
+    repository_ref = registry_model.lookup_repository("devtable", "simple")
 
-  blob_upload = registry_model.create_blob_upload(repository_ref, str(uuid.uuid4()),
-                                                 'local_us', {'some': 'metadata'})
-  assert blob_upload
-  assert blob_upload.storage_metadata == {'some': 'metadata'}
-  assert blob_upload.location_name == 'local_us'
+    blob_upload = registry_model.create_blob_upload(
+        repository_ref, str(uuid.uuid4()), "local_us", {"some": "metadata"}
+    )
+    assert blob_upload
+    assert blob_upload.storage_metadata == {"some": "metadata"}
+    assert blob_upload.location_name == "local_us"
 
-  # Ensure we can find the blob upload.
-  assert registry_model.lookup_blob_upload(repository_ref, blob_upload.upload_id) == blob_upload
+    # Ensure we can find the blob upload.
+    assert (
+        registry_model.lookup_blob_upload(repository_ref, blob_upload.upload_id)
+        == blob_upload
+    )
 
-  # Update and ensure the changes are saved.
-  assert registry_model.update_blob_upload(blob_upload, 1, 'the-pieces_hash',
-                                          blob_upload.piece_sha_state,
-                                          {'new': 'metadata'}, 2, 3,
-                                          blob_upload.sha_state)
+    # Update and ensure the changes are saved.
+    assert registry_model.update_blob_upload(
+        blob_upload,
+        1,
+        "the-pieces_hash",
+        blob_upload.piece_sha_state,
+        {"new": "metadata"},
+        2,
+        3,
+        blob_upload.sha_state,
+    )
 
-  updated = registry_model.lookup_blob_upload(repository_ref, blob_upload.upload_id)
-  assert updated
-  assert updated.uncompressed_byte_count == 1
-  assert updated.piece_hashes == 'the-pieces_hash'
-  assert updated.storage_metadata == {'new': 'metadata'}
-  assert updated.byte_count == 2
-  assert updated.chunk_count == 3
+    updated = registry_model.lookup_blob_upload(repository_ref, blob_upload.upload_id)
+    assert updated
+    assert updated.uncompressed_byte_count == 1
+    assert updated.piece_hashes == "the-pieces_hash"
+    assert updated.storage_metadata == {"new": "metadata"}
+    assert updated.byte_count == 2
+    assert updated.chunk_count == 3
 
-  # Delete the upload.
-  registry_model.delete_blob_upload(blob_upload)
+    # Delete the upload.
+    registry_model.delete_blob_upload(blob_upload)
 
-  # Ensure it can no longer be found.
-  assert not registry_model.lookup_blob_upload(repository_ref, blob_upload.upload_id)
+    # Ensure it can no longer be found.
+    assert not registry_model.lookup_blob_upload(repository_ref, blob_upload.upload_id)
 
 
 def test_commit_blob_upload(registry_model):
-  repository_ref = registry_model.lookup_repository('devtable', 'simple')
-  blob_upload = registry_model.create_blob_upload(repository_ref, str(uuid.uuid4()),
-                                                 'local_us', {'some': 'metadata'})
+    repository_ref = registry_model.lookup_repository("devtable", "simple")
+    blob_upload = registry_model.create_blob_upload(
+        repository_ref, str(uuid.uuid4()), "local_us", {"some": "metadata"}
+    )
 
-  # Commit the blob upload and make sure it is written as a blob.
-  digest = 'sha256:' + hashlib.sha256('hello').hexdigest()
-  blob = registry_model.commit_blob_upload(blob_upload, digest, 60)
-  assert blob.digest == digest
+    # Commit the blob upload and make sure it is written as a blob.
+    digest = "sha256:" + hashlib.sha256("hello").hexdigest()
+    blob = registry_model.commit_blob_upload(blob_upload, digest, 60)
+    assert blob.digest == digest
 
-  # Ensure the upload can no longer be found.
-  assert not registry_model.lookup_blob_upload(repository_ref, blob_upload.upload_id)
+    # Ensure the upload can no longer be found.
+    assert not registry_model.lookup_blob_upload(repository_ref, blob_upload.upload_id)
 
 
 # TODO: Re-enable for OCI model once we have a new table for temporary blobs.
 def test_mount_blob_into_repository(pre_oci_model):
-  repository_ref = pre_oci_model.lookup_repository('devtable', 'simple')
-  latest_tag = pre_oci_model.get_repo_tag(repository_ref, 'latest')
-  manifest = pre_oci_model.get_manifest_for_tag(latest_tag)
+    repository_ref = pre_oci_model.lookup_repository("devtable", "simple")
+    latest_tag = pre_oci_model.get_repo_tag(repository_ref, "latest")
+    manifest = pre_oci_model.get_manifest_for_tag(latest_tag)
 
-  target_repository_ref = pre_oci_model.lookup_repository('devtable', 'complex')
+    target_repository_ref = pre_oci_model.lookup_repository("devtable", "complex")
 
-  blobs = pre_oci_model.get_manifest_local_blobs(manifest, include_placements=True)
-  assert blobs
+    blobs = pre_oci_model.get_manifest_local_blobs(manifest, include_placements=True)
+    assert blobs
 
-  for blob in blobs:
-    # Ensure the blob doesn't exist under the repository.
-    assert not pre_oci_model.get_repo_blob_by_digest(target_repository_ref, blob.digest)
+    for blob in blobs:
+        # Ensure the blob doesn't exist under the repository.
+        assert not pre_oci_model.get_repo_blob_by_digest(
+            target_repository_ref, blob.digest
+        )
 
-    # Mount the blob into the repository.
-    assert pre_oci_model.mount_blob_into_repository(blob, target_repository_ref, 60)
+        # Mount the blob into the repository.
+        assert pre_oci_model.mount_blob_into_repository(blob, target_repository_ref, 60)
 
-    # Ensure it now exists.
-    found = pre_oci_model.get_repo_blob_by_digest(target_repository_ref, blob.digest)
-    assert found == blob
+        # Ensure it now exists.
+        found = pre_oci_model.get_repo_blob_by_digest(
+            target_repository_ref, blob.digest
+        )
+        assert found == blob
 
 
 class SomeException(Exception):
-  pass
+    pass
 
 
 def test_get_cached_repo_blob(registry_model):
-  model_cache = InMemoryDataModelCache()
+    model_cache = InMemoryDataModelCache()
 
-  repository_ref = registry_model.lookup_repository('devtable', 'simple')
-  latest_tag = registry_model.get_repo_tag(repository_ref, 'latest')
-  manifest = registry_model.get_manifest_for_tag(latest_tag)
+    repository_ref = registry_model.lookup_repository("devtable", "simple")
+    latest_tag = registry_model.get_repo_tag(repository_ref, "latest")
+    manifest = registry_model.get_manifest_for_tag(latest_tag)
 
-  blobs = registry_model.get_manifest_local_blobs(manifest, include_placements=True)
-  assert blobs
+    blobs = registry_model.get_manifest_local_blobs(manifest, include_placements=True)
+    assert blobs
 
-  blob = blobs[0]
+    blob = blobs[0]
 
-  # Load a blob to add it to the cache.
-  found = registry_model.get_cached_repo_blob(model_cache, 'devtable', 'simple', blob.digest)
-  assert found.digest == blob.digest
-  assert found.uuid == blob.uuid
-  assert found.compressed_size == blob.compressed_size
-  assert found.uncompressed_size == blob.uncompressed_size
-  assert found.uploading == blob.uploading
-  assert found.placements == blob.placements
+    # Load a blob to add it to the cache.
+    found = registry_model.get_cached_repo_blob(
+        model_cache, "devtable", "simple", blob.digest
+    )
+    assert found.digest == blob.digest
+    assert found.uuid == blob.uuid
+    assert found.compressed_size == blob.compressed_size
+    assert found.uncompressed_size == blob.uncompressed_size
+    assert found.uploading == blob.uploading
+    assert found.placements == blob.placements
 
-  # Disconnect from the database by overwriting the connection.
-  def fail(x, y):
-    raise SomeException('Not connected!')
+    # Disconnect from the database by overwriting the connection.
+    def fail(x, y):
+        raise SomeException("Not connected!")
 
-  with patch('data.registry_model.registry_pre_oci_model.model.blob.get_repository_blob_by_digest',
-             fail):
-    with patch('data.registry_model.registry_oci_model.model.oci.blob.get_repository_blob_by_digest',
-              fail):
-      # Make sure we can load again, which should hit the cache.
-      cached = registry_model.get_cached_repo_blob(model_cache, 'devtable', 'simple', blob.digest)
-      assert cached.digest == blob.digest
-      assert cached.uuid == blob.uuid
-      assert cached.compressed_size == blob.compressed_size
-      assert cached.uncompressed_size == blob.uncompressed_size
-      assert cached.uploading == blob.uploading
-      assert cached.placements == blob.placements
+    with patch(
+        "data.registry_model.registry_pre_oci_model.model.blob.get_repository_blob_by_digest",
+        fail,
+    ):
+        with patch(
+            "data.registry_model.registry_oci_model.model.oci.blob.get_repository_blob_by_digest",
+            fail,
+        ):
+            # Make sure we can load again, which should hit the cache.
+            cached = registry_model.get_cached_repo_blob(
+                model_cache, "devtable", "simple", blob.digest
+            )
+            assert cached.digest == blob.digest
+            assert cached.uuid == blob.uuid
+            assert cached.compressed_size == blob.compressed_size
+            assert cached.uncompressed_size == blob.uncompressed_size
+            assert cached.uploading == blob.uploading
+            assert cached.placements == blob.placements
 
-      # Try another blob, which should fail since the DB is not connected and the cache
-      # does not contain the blob.
-      with pytest.raises(SomeException):
-        registry_model.get_cached_repo_blob(model_cache, 'devtable', 'simple', 'some other digest')
+            # Try another blob, which should fail since the DB is not connected and the cache
+            # does not contain the blob.
+            with pytest.raises(SomeException):
+                registry_model.get_cached_repo_blob(
+                    model_cache, "devtable", "simple", "some other digest"
+                )
 
 
 def test_create_manifest_and_retarget_tag(registry_model):
-  repository_ref = registry_model.lookup_repository('devtable', 'simple')
-  latest_tag = registry_model.get_repo_tag(repository_ref, 'latest', include_legacy_image=True)
-  manifest = registry_model.get_manifest_for_tag(latest_tag).get_parsed_manifest()
+    repository_ref = registry_model.lookup_repository("devtable", "simple")
+    latest_tag = registry_model.get_repo_tag(
+        repository_ref, "latest", include_legacy_image=True
+    )
+    manifest = registry_model.get_manifest_for_tag(latest_tag).get_parsed_manifest()
 
-  builder = DockerSchema1ManifestBuilder('devtable', 'simple', 'anothertag')
-  builder.add_layer(manifest.blob_digests[0],
-                    '{"id": "%s"}' % latest_tag.legacy_image.docker_image_id)
-  sample_manifest = builder.build(docker_v2_signing_key)
-  assert sample_manifest is not None
+    builder = DockerSchema1ManifestBuilder("devtable", "simple", "anothertag")
+    builder.add_layer(
+        manifest.blob_digests[0],
+        '{"id": "%s"}' % latest_tag.legacy_image.docker_image_id,
+    )
+    sample_manifest = builder.build(docker_v2_signing_key)
+    assert sample_manifest is not None
 
-  another_manifest, tag = registry_model.create_manifest_and_retarget_tag(repository_ref,
-                                                                          sample_manifest,
-                                                                          'anothertag',
-                                                                          storage)
-  assert another_manifest is not None
-  assert tag is not None
+    another_manifest, tag = registry_model.create_manifest_and_retarget_tag(
+        repository_ref, sample_manifest, "anothertag", storage
+    )
+    assert another_manifest is not None
+    assert tag is not None
 
-  assert tag.name == 'anothertag'
-  assert another_manifest.get_parsed_manifest().manifest_dict == sample_manifest.manifest_dict
+    assert tag.name == "anothertag"
+    assert (
+        another_manifest.get_parsed_manifest().manifest_dict
+        == sample_manifest.manifest_dict
+    )
 
 
 def test_get_schema1_parsed_manifest(registry_model):
-  repository_ref = registry_model.lookup_repository('devtable', 'simple')
-  latest_tag = registry_model.get_repo_tag(repository_ref, 'latest', include_legacy_image=True)
-  manifest = registry_model.get_manifest_for_tag(latest_tag)
-  assert registry_model.get_schema1_parsed_manifest(manifest, '', '', '', storage)
+    repository_ref = registry_model.lookup_repository("devtable", "simple")
+    latest_tag = registry_model.get_repo_tag(
+        repository_ref, "latest", include_legacy_image=True
+    )
+    manifest = registry_model.get_manifest_for_tag(latest_tag)
+    assert registry_model.get_schema1_parsed_manifest(manifest, "", "", "", storage)
 
 
 def test_convert_manifest(registry_model):
-  repository_ref = registry_model.lookup_repository('devtable', 'simple')
-  latest_tag = registry_model.get_repo_tag(repository_ref, 'latest', include_legacy_image=True)
-  manifest = registry_model.get_manifest_for_tag(latest_tag)
+    repository_ref = registry_model.lookup_repository("devtable", "simple")
+    latest_tag = registry_model.get_repo_tag(
+        repository_ref, "latest", include_legacy_image=True
+    )
+    manifest = registry_model.get_manifest_for_tag(latest_tag)
 
-  mediatypes = DOCKER_SCHEMA1_CONTENT_TYPES
-  assert registry_model.convert_manifest(manifest, '', '', '', mediatypes, storage)
+    mediatypes = DOCKER_SCHEMA1_CONTENT_TYPES
+    assert registry_model.convert_manifest(manifest, "", "", "", mediatypes, storage)
 
-  mediatypes = []
-  assert registry_model.convert_manifest(manifest, '', '', '', mediatypes, storage) is None
+    mediatypes = []
+    assert (
+        registry_model.convert_manifest(manifest, "", "", "", mediatypes, storage)
+        is None
+    )
 
 
 def test_create_manifest_and_retarget_tag_with_labels(registry_model):
-  repository_ref = registry_model.lookup_repository('devtable', 'simple')
-  latest_tag = registry_model.get_repo_tag(repository_ref, 'latest', include_legacy_image=True)
-  manifest = registry_model.get_manifest_for_tag(latest_tag).get_parsed_manifest()
+    repository_ref = registry_model.lookup_repository("devtable", "simple")
+    latest_tag = registry_model.get_repo_tag(
+        repository_ref, "latest", include_legacy_image=True
+    )
+    manifest = registry_model.get_manifest_for_tag(latest_tag).get_parsed_manifest()
 
-  json_metadata = {
-    'id': latest_tag.legacy_image.docker_image_id,
-    'config': {
-      'Labels': {
-        'quay.expires-after': '2w',
-      },
-    },
-  }
+    json_metadata = {
+        "id": latest_tag.legacy_image.docker_image_id,
+        "config": {"Labels": {"quay.expires-after": "2w"}},
+    }
 
-  builder = DockerSchema1ManifestBuilder('devtable', 'simple', 'anothertag')
-  builder.add_layer(manifest.blob_digests[0], json.dumps(json_metadata))
-  sample_manifest = builder.build(docker_v2_signing_key)
-  assert sample_manifest is not None
+    builder = DockerSchema1ManifestBuilder("devtable", "simple", "anothertag")
+    builder.add_layer(manifest.blob_digests[0], json.dumps(json_metadata))
+    sample_manifest = builder.build(docker_v2_signing_key)
+    assert sample_manifest is not None
 
-  another_manifest, tag = registry_model.create_manifest_and_retarget_tag(repository_ref,
-                                                                          sample_manifest,
-                                                                          'anothertag',
-                                                                          storage)
-  assert another_manifest is not None
-  assert tag is not None
+    another_manifest, tag = registry_model.create_manifest_and_retarget_tag(
+        repository_ref, sample_manifest, "anothertag", storage
+    )
+    assert another_manifest is not None
+    assert tag is not None
 
-  assert tag.name == 'anothertag'
-  assert another_manifest.get_parsed_manifest().manifest_dict == sample_manifest.manifest_dict
-
-  # Ensure the labels were applied.
-  assert tag.lifetime_end_ms is not None
+    assert tag.name == "anothertag"
+    assert (
+        another_manifest.get_parsed_manifest().manifest_dict
+        == sample_manifest.manifest_dict
+    )
 
+    # Ensure the labels were applied.
+    assert tag.lifetime_end_ms is not None
 
 
 def _populate_blob(digest):
-  location = ImageStorageLocation.get(name='local_us')
-  store_blob_record_and_temp_link('devtable', 'simple', digest, location, 1, 120)
+    location = ImageStorageLocation.get(name="local_us")
+    store_blob_record_and_temp_link("devtable", "simple", digest, location, 1, 120)
 
 
 def test_known_issue_schema1(registry_model):
-  test_dir = os.path.dirname(os.path.abspath(__file__))
-  path = os.path.join(test_dir, '../../../image/docker/test/validate_manifest_known_issue.json')
-  with open(path, 'r') as f:
-    manifest_bytes = f.read()
+    test_dir = os.path.dirname(os.path.abspath(__file__))
+    path = os.path.join(
+        test_dir, "../../../image/docker/test/validate_manifest_known_issue.json"
+    )
+    with open(path, "r") as f:
+        manifest_bytes = f.read()
 
-  manifest = DockerSchema1Manifest(Bytes.for_string_or_unicode(manifest_bytes))
+    manifest = DockerSchema1Manifest(Bytes.for_string_or_unicode(manifest_bytes))
 
-  for blob_digest in manifest.local_blob_digests:
-    _populate_blob(blob_digest)
+    for blob_digest in manifest.local_blob_digests:
+        _populate_blob(blob_digest)
 
-  digest = manifest.digest
-  assert digest == 'sha256:44518f5a4d1cb5b7a6347763116fb6e10f6a8563b6c40bb389a0a982f0a9f47a'
+    digest = manifest.digest
+    assert (
+        digest
+        == "sha256:44518f5a4d1cb5b7a6347763116fb6e10f6a8563b6c40bb389a0a982f0a9f47a"
+    )
 
-  # Create the manifest in the database.
-  repository_ref = registry_model.lookup_repository('devtable', 'simple')
-  created_manifest, _ = registry_model.create_manifest_and_retarget_tag(repository_ref, manifest,
-                                                                        'latest', storage)
-  assert created_manifest
-  assert created_manifest.digest == manifest.digest
-  assert (created_manifest.internal_manifest_bytes.as_encoded_str() ==
-          manifest.bytes.as_encoded_str())
+    # Create the manifest in the database.
+    repository_ref = registry_model.lookup_repository("devtable", "simple")
+    created_manifest, _ = registry_model.create_manifest_and_retarget_tag(
+        repository_ref, manifest, "latest", storage
+    )
+    assert created_manifest
+    assert created_manifest.digest == manifest.digest
+    assert (
+        created_manifest.internal_manifest_bytes.as_encoded_str()
+        == manifest.bytes.as_encoded_str()
+    )
 
-  # Look it up again and validate.
-  found = registry_model.lookup_manifest_by_digest(repository_ref, manifest.digest, allow_dead=True)
-  assert found
-  assert found.digest == digest
-  assert found.internal_manifest_bytes.as_encoded_str() == manifest.bytes.as_encoded_str()
-  assert found.get_parsed_manifest().digest == digest
+    # Look it up again and validate.
+    found = registry_model.lookup_manifest_by_digest(
+        repository_ref, manifest.digest, allow_dead=True
+    )
+    assert found
+    assert found.digest == digest
+    assert (
+        found.internal_manifest_bytes.as_encoded_str()
+        == manifest.bytes.as_encoded_str()
+    )
+    assert found.get_parsed_manifest().digest == digest
 
 
 def test_unicode_emoji(registry_model):
-  builder = DockerSchema1ManifestBuilder('devtable', 'simple', 'latest')
-  builder.add_layer('sha256:abcde', json.dumps({
-    'id': 'someid',
-    'author': u'😱',
-  }, ensure_ascii=False))
+    builder = DockerSchema1ManifestBuilder("devtable", "simple", "latest")
+    builder.add_layer(
+        "sha256:abcde", json.dumps({"id": "someid", "author": u"😱"}, ensure_ascii=False)
+    )
 
-  manifest = builder.build(ensure_ascii=False)
-  manifest._validate()
+    manifest = builder.build(ensure_ascii=False)
+    manifest._validate()
 
-  for blob_digest in manifest.local_blob_digests:
-    _populate_blob(blob_digest)
+    for blob_digest in manifest.local_blob_digests:
+        _populate_blob(blob_digest)
 
-  # Create the manifest in the database.
-  repository_ref = registry_model.lookup_repository('devtable', 'simple')
-  created_manifest, _ = registry_model.create_manifest_and_retarget_tag(repository_ref, manifest,
-                                                                        'latest', storage)
-  assert created_manifest
-  assert created_manifest.digest == manifest.digest
-  assert (created_manifest.internal_manifest_bytes.as_encoded_str() ==
-          manifest.bytes.as_encoded_str())
+    # Create the manifest in the database.
+    repository_ref = registry_model.lookup_repository("devtable", "simple")
+    created_manifest, _ = registry_model.create_manifest_and_retarget_tag(
+        repository_ref, manifest, "latest", storage
+    )
+    assert created_manifest
+    assert created_manifest.digest == manifest.digest
+    assert (
+        created_manifest.internal_manifest_bytes.as_encoded_str()
+        == manifest.bytes.as_encoded_str()
+    )
 
-  # Look it up again and validate.
-  found = registry_model.lookup_manifest_by_digest(repository_ref, manifest.digest, allow_dead=True)
-  assert found
-  assert found.digest == manifest.digest
-  assert found.internal_manifest_bytes.as_encoded_str() == manifest.bytes.as_encoded_str()
-  assert found.get_parsed_manifest().digest == manifest.digest
+    # Look it up again and validate.
+    found = registry_model.lookup_manifest_by_digest(
+        repository_ref, manifest.digest, allow_dead=True
+    )
+    assert found
+    assert found.digest == manifest.digest
+    assert (
+        found.internal_manifest_bytes.as_encoded_str()
+        == manifest.bytes.as_encoded_str()
+    )
+    assert found.get_parsed_manifest().digest == manifest.digest
 
 
 def test_lookup_active_repository_tags(oci_model):
-  repository_ref = oci_model.lookup_repository('devtable', 'simple')
-  latest_tag = oci_model.get_repo_tag(repository_ref, 'latest')
-  manifest = oci_model.get_manifest_for_tag(latest_tag)
+    repository_ref = oci_model.lookup_repository("devtable", "simple")
+    latest_tag = oci_model.get_repo_tag(repository_ref, "latest")
+    manifest = oci_model.get_manifest_for_tag(latest_tag)
 
-  tag_count = 500
+    tag_count = 500
 
-  # Create a bunch of tags.
-  tags_expected = set()
-  for index in range(0, tag_count):
-    tags_expected.add('somenewtag%s' % index)
-    oci_model.retarget_tag(repository_ref, 'somenewtag%s' % index, manifest, storage,
-                           docker_v2_signing_key)
+    # Create a bunch of tags.
+    tags_expected = set()
+    for index in range(0, tag_count):
+        tags_expected.add("somenewtag%s" % index)
+        oci_model.retarget_tag(
+            repository_ref,
+            "somenewtag%s" % index,
+            manifest,
+            storage,
+            docker_v2_signing_key,
+        )
 
-  assert tags_expected
+    assert tags_expected
 
-  # List the tags.
-  tags_found = set()
-  tag_id = None
-  while True:
-    tags = oci_model.lookup_active_repository_tags(repository_ref, tag_id, 11)
-    assert len(tags) <= 11
-    for tag in tags[0:10]:
-      assert tag.name not in tags_found
-      if tag.name in tags_expected:
-        tags_found.add(tag.name)
-        tags_expected.remove(tag.name)
+    # List the tags.
+    tags_found = set()
+    tag_id = None
+    while True:
+        tags = oci_model.lookup_active_repository_tags(repository_ref, tag_id, 11)
+        assert len(tags) <= 11
+        for tag in tags[0:10]:
+            assert tag.name not in tags_found
+            if tag.name in tags_expected:
+                tags_found.add(tag.name)
+                tags_expected.remove(tag.name)
 
-    if len(tags) < 11:
-      break
+        if len(tags) < 11:
+            break
 
-    tag_id = tags[10].id
+        tag_id = tags[10].id
 
-  # Make sure we've found all the tags.
-  assert tags_found
-  assert not tags_expected
+    # Make sure we've found all the tags.
+    assert tags_found
+    assert not tags_expected
 
 
 def test_yield_tags_for_vulnerability_notification(registry_model):
-  repository_ref = registry_model.lookup_repository('devtable', 'complex')
+    repository_ref = registry_model.lookup_repository("devtable", "complex")
 
-  # Check for all legacy images under the tags and ensure not raised because
-  # no notification is yet registered.
-  for tag in registry_model.list_all_active_repository_tags(repository_ref,
-                                                            include_legacy_images=True):
-    image = registry_model.get_legacy_image(repository_ref, tag.legacy_image.docker_image_id,
-                                            include_blob=True)
-    pairs = [(image.docker_image_id, image.blob.uuid)]
-    results = list(registry_model.yield_tags_for_vulnerability_notification(pairs))
-    assert not len(results)
+    # Check for all legacy images under the tags and ensure not raised because
+    # no notification is yet registered.
+    for tag in registry_model.list_all_active_repository_tags(
+        repository_ref, include_legacy_images=True
+    ):
+        image = registry_model.get_legacy_image(
+            repository_ref, tag.legacy_image.docker_image_id, include_blob=True
+        )
+        pairs = [(image.docker_image_id, image.blob.uuid)]
+        results = list(registry_model.yield_tags_for_vulnerability_notification(pairs))
+        assert not len(results)
 
-  # Register a notification.
-  model.notification.create_repo_notification(repository_ref.id, 'vulnerability_found', 'email',
-                                              {}, {})
+    # Register a notification.
+    model.notification.create_repo_notification(
+        repository_ref.id, "vulnerability_found", "email", {}, {}
+    )
 
-  # Check again.
-  for tag in registry_model.list_all_active_repository_tags(repository_ref,
-                                                            include_legacy_images=True):
-    image = registry_model.get_legacy_image(repository_ref, tag.legacy_image.docker_image_id,
-                                            include_blob=True, include_parents=True)
+    # Check again.
+    for tag in registry_model.list_all_active_repository_tags(
+        repository_ref, include_legacy_images=True
+    ):
+        image = registry_model.get_legacy_image(
+            repository_ref,
+            tag.legacy_image.docker_image_id,
+            include_blob=True,
+            include_parents=True,
+        )
 
-    # Check for every parent of the image.
-    for current in image.parents:
-      img = registry_model.get_legacy_image(repository_ref, current.docker_image_id,
-                                            include_blob=True)
-      pairs = [(img.docker_image_id, img.blob.uuid)]
-      results = list(registry_model.yield_tags_for_vulnerability_notification(pairs))
-      assert len(results) > 0
-      assert tag.name in {t.name for t in results}
+        # Check for every parent of the image.
+        for current in image.parents:
+            img = registry_model.get_legacy_image(
+                repository_ref, current.docker_image_id, include_blob=True
+            )
+            pairs = [(img.docker_image_id, img.blob.uuid)]
+            results = list(
+                registry_model.yield_tags_for_vulnerability_notification(pairs)
+            )
+            assert len(results) > 0
+            assert tag.name in {t.name for t in results}
 
-    # Check for the image itself.
-    pairs = [(image.docker_image_id, image.blob.uuid)]
-    results = list(registry_model.yield_tags_for_vulnerability_notification(pairs))
-    assert len(results) > 0
-    assert tag.name in {t.name for t in results}
+        # Check for the image itself.
+        pairs = [(image.docker_image_id, image.blob.uuid)]
+        results = list(registry_model.yield_tags_for_vulnerability_notification(pairs))
+        assert len(results) > 0
+        assert tag.name in {t.name for t in results}
diff --git a/data/registry_model/test/test_manifestbuilder.py b/data/registry_model/test/test_manifestbuilder.py
index 538731b8d..663699454 100644
--- a/data/registry_model/test/test_manifestbuilder.py
+++ b/data/registry_model/test/test_manifestbuilder.py
@@ -10,7 +10,10 @@ from mock import patch
 from app import docker_v2_signing_key
 
 from data.registry_model.blobuploader import BlobUploadSettings, upload_blob
-from data.registry_model.manifestbuilder import create_manifest_builder, lookup_manifest_builder
+from data.registry_model.manifestbuilder import (
+    create_manifest_builder,
+    lookup_manifest_builder,
+)
 from data.registry_model.registry_pre_oci_model import PreOCIModel
 from data.registry_model.registry_oci_model import OCIModel
 
@@ -21,84 +24,116 @@ from test.fixtures import *
 
 @pytest.fixture(params=[PreOCIModel, OCIModel])
 def registry_model(request, initialized_db):
-  return request.param()
+    return request.param()
 
 
 @pytest.fixture()
 def fake_session():
-  with patch('data.registry_model.manifestbuilder.session', {}):
-    yield
+    with patch("data.registry_model.manifestbuilder.session", {}):
+        yield
 
 
-@pytest.mark.parametrize('layers', [
-  pytest.param([('someid', None, 'some data')], id='Single layer'),
-  pytest.param([('parentid', None, 'some parent data'),
-                ('someid', 'parentid', 'some data')],
-               id='Multi layer'),
-])
+@pytest.mark.parametrize(
+    "layers",
+    [
+        pytest.param([("someid", None, "some data")], id="Single layer"),
+        pytest.param(
+            [
+                ("parentid", None, "some parent data"),
+                ("someid", "parentid", "some data"),
+            ],
+            id="Multi layer",
+        ),
+    ],
+)
 def test_build_manifest(layers, fake_session, registry_model):
-  repository_ref = registry_model.lookup_repository('devtable', 'complex')
-  storage = DistributedStorage({'local_us': FakeStorage(None)}, ['local_us'])
-  settings = BlobUploadSettings('2M', 512 * 1024, 3600)
-  app_config = {'TESTING': True}
+    repository_ref = registry_model.lookup_repository("devtable", "complex")
+    storage = DistributedStorage({"local_us": FakeStorage(None)}, ["local_us"])
+    settings = BlobUploadSettings("2M", 512 * 1024, 3600)
+    app_config = {"TESTING": True}
 
-  builder = create_manifest_builder(repository_ref, storage, docker_v2_signing_key)
-  assert lookup_manifest_builder(repository_ref, 'anotherid', storage,
-                                 docker_v2_signing_key) is None
-  assert lookup_manifest_builder(repository_ref, builder.builder_id, storage,
-                                 docker_v2_signing_key) is not None
+    builder = create_manifest_builder(repository_ref, storage, docker_v2_signing_key)
+    assert (
+        lookup_manifest_builder(
+            repository_ref, "anotherid", storage, docker_v2_signing_key
+        )
+        is None
+    )
+    assert (
+        lookup_manifest_builder(
+            repository_ref, builder.builder_id, storage, docker_v2_signing_key
+        )
+        is not None
+    )
 
-  blobs_by_layer = {}
-  for layer_id, parent_id, layer_bytes in layers:
-    # Start a new layer.
-    assert builder.start_layer(layer_id, json.dumps({'id': layer_id, 'parent': parent_id}),
-                               'local_us', None, 60)
+    blobs_by_layer = {}
+    for layer_id, parent_id, layer_bytes in layers:
+        # Start a new layer.
+        assert builder.start_layer(
+            layer_id,
+            json.dumps({"id": layer_id, "parent": parent_id}),
+            "local_us",
+            None,
+            60,
+        )
 
-    checksum = hashlib.sha1(layer_bytes).hexdigest()
+        checksum = hashlib.sha1(layer_bytes).hexdigest()
 
-    # Assign it a blob.
-    with upload_blob(repository_ref, storage, settings) as uploader:
-      uploader.upload_chunk(app_config, BytesIO(layer_bytes))
-      blob = uploader.commit_to_blob(app_config)
-      blobs_by_layer[layer_id] = blob
-      builder.assign_layer_blob(builder.lookup_layer(layer_id), blob, [checksum])
+        # Assign it a blob.
+        with upload_blob(repository_ref, storage, settings) as uploader:
+            uploader.upload_chunk(app_config, BytesIO(layer_bytes))
+            blob = uploader.commit_to_blob(app_config)
+            blobs_by_layer[layer_id] = blob
+            builder.assign_layer_blob(builder.lookup_layer(layer_id), blob, [checksum])
 
-    # Validate the checksum.
-    assert builder.validate_layer_checksum(builder.lookup_layer(layer_id), checksum)
+        # Validate the checksum.
+        assert builder.validate_layer_checksum(builder.lookup_layer(layer_id), checksum)
 
-  # Commit the manifest to a tag.
-  tag = builder.commit_tag_and_manifest('somenewtag', builder.lookup_layer(layers[-1][0]))
-  assert tag
-  assert tag in builder.committed_tags
+    # Commit the manifest to a tag.
+    tag = builder.commit_tag_and_manifest(
+        "somenewtag", builder.lookup_layer(layers[-1][0])
+    )
+    assert tag
+    assert tag in builder.committed_tags
 
-  # Mark the builder as done.
-  builder.done()
+    # Mark the builder as done.
+    builder.done()
 
-  # Verify the legacy image for the tag.
-  found = registry_model.get_repo_tag(repository_ref, 'somenewtag', include_legacy_image=True)
-  assert found
-  assert found.name == 'somenewtag'
-  assert found.legacy_image.docker_image_id == layers[-1][0]
+    # Verify the legacy image for the tag.
+    found = registry_model.get_repo_tag(
+        repository_ref, "somenewtag", include_legacy_image=True
+    )
+    assert found
+    assert found.name == "somenewtag"
+    assert found.legacy_image.docker_image_id == layers[-1][0]
 
-  # Verify the blob and manifest.
-  manifest = registry_model.get_manifest_for_tag(found)
-  assert manifest
+    # Verify the blob and manifest.
+    manifest = registry_model.get_manifest_for_tag(found)
+    assert manifest
 
-  parsed = manifest.get_parsed_manifest()
-  assert len(list(parsed.layers)) == len(layers)
+    parsed = manifest.get_parsed_manifest()
+    assert len(list(parsed.layers)) == len(layers)
 
-  for index, (layer_id, parent_id, layer_bytes) in enumerate(layers):
-    assert list(parsed.blob_digests)[index] == blobs_by_layer[layer_id].digest
-    assert list(parsed.layers)[index].v1_metadata.image_id == layer_id
-    assert list(parsed.layers)[index].v1_metadata.parent_image_id == parent_id
+    for index, (layer_id, parent_id, layer_bytes) in enumerate(layers):
+        assert list(parsed.blob_digests)[index] == blobs_by_layer[layer_id].digest
+        assert list(parsed.layers)[index].v1_metadata.image_id == layer_id
+        assert list(parsed.layers)[index].v1_metadata.parent_image_id == parent_id
 
-  assert parsed.leaf_layer_v1_image_id == layers[-1][0]
+    assert parsed.leaf_layer_v1_image_id == layers[-1][0]
 
 
 def test_build_manifest_missing_parent(fake_session, registry_model):
-  storage = DistributedStorage({'local_us': FakeStorage(None)}, ['local_us'])
-  repository_ref = registry_model.lookup_repository('devtable', 'complex')
-  builder = create_manifest_builder(repository_ref, storage, docker_v2_signing_key)
+    storage = DistributedStorage({"local_us": FakeStorage(None)}, ["local_us"])
+    repository_ref = registry_model.lookup_repository("devtable", "complex")
+    builder = create_manifest_builder(repository_ref, storage, docker_v2_signing_key)
 
-  assert builder.start_layer('somelayer', json.dumps({'id': 'somelayer', 'parent': 'someparent'}),
-                             'local_us', None, 60) is None
+    assert (
+        builder.start_layer(
+            "somelayer",
+            json.dumps({"id": "somelayer", "parent": "someparent"}),
+            "local_us",
+            None,
+            60,
+        )
+        is None
+    )
diff --git a/data/runmigration.py b/data/runmigration.py
index f4126aba1..31eeb86e9 100644
--- a/data/runmigration.py
+++ b/data/runmigration.py
@@ -5,23 +5,24 @@ from alembic.script import ScriptDirectory
 from alembic.environment import EnvironmentContext
 from alembic.migration import __name__ as migration_name
 
+
 def run_alembic_migration(db_uri, log_handler=None, setup_app=True):
-  if log_handler:
-    logging.getLogger(migration_name).addHandler(log_handler)
+    if log_handler:
+        logging.getLogger(migration_name).addHandler(log_handler)
 
-  config = Config()
-  config.set_main_option("script_location", "data:migrations")
-  config.set_main_option("db_uri", db_uri)
+    config = Config()
+    config.set_main_option("script_location", "data:migrations")
+    config.set_main_option("db_uri", db_uri)
 
-  if setup_app:
-      config.set_main_option('alembic_setup_app', 'True')
-  else:
-      config.set_main_option('alembic_setup_app', '')
+    if setup_app:
+        config.set_main_option("alembic_setup_app", "True")
+    else:
+        config.set_main_option("alembic_setup_app", "")
 
-  script = ScriptDirectory.from_config(config)
+    script = ScriptDirectory.from_config(config)
 
-  def fn(rev, context):
-    return script._upgrade_revs('head', rev)
+    def fn(rev, context):
+        return script._upgrade_revs("head", rev)
 
-  with EnvironmentContext(config, script, fn=fn, destination_rev='head'):
-    script.run_env()
\ No newline at end of file
+    with EnvironmentContext(config, script, fn=fn, destination_rev="head"):
+        script.run_env()
diff --git a/data/test/test_encryption.py b/data/test/test_encryption.py
index f6ec8a94b..6bc9fefc6 100644
--- a/data/test/test_encryption.py
+++ b/data/test/test_encryption.py
@@ -4,44 +4,48 @@ import pytest
 
 from data.encryption import FieldEncrypter, _VERSIONS, DecryptionFailureException
 
-@pytest.mark.parametrize('test_data', [
-  '',
-  'hello world',
-  'wassup?!',
-  'IGZ2Y8KUN3EFWAZZXR3D7U4V5NXDVYZI5VGU6STPB6KM83PAB8WRGM32RD9FW0C0',
-  'JLRFBYS1EHKUE73S99HWOQWNPGLUZTBRF5HQEFUJS5BK3XVB54RNXYV4AUMJXCMC',
-  'a' * 3,
-  'a' * 4,
-  'a' * 5,
-  'a' * 31,
-  'a' * 32,
-  'a' * 33,
-  'a' * 150,
-  u'😇',
-])
-@pytest.mark.parametrize('version', _VERSIONS.keys())
-@pytest.mark.parametrize('secret_key', [
-  u'test1234',
-  'test1234',
-  'thisisanothercoolsecretkeyhere',
-  '107383705745765174750346070528443780244192102846031525796571939503548634055845',
-])
-@pytest.mark.parametrize('use_valid_key', [
-  True,
-  False,
-])
+
+@pytest.mark.parametrize(
+    "test_data",
+    [
+        "",
+        "hello world",
+        "wassup?!",
+        "IGZ2Y8KUN3EFWAZZXR3D7U4V5NXDVYZI5VGU6STPB6KM83PAB8WRGM32RD9FW0C0",
+        "JLRFBYS1EHKUE73S99HWOQWNPGLUZTBRF5HQEFUJS5BK3XVB54RNXYV4AUMJXCMC",
+        "a" * 3,
+        "a" * 4,
+        "a" * 5,
+        "a" * 31,
+        "a" * 32,
+        "a" * 33,
+        "a" * 150,
+        u"😇",
+    ],
+)
+@pytest.mark.parametrize("version", _VERSIONS.keys())
+@pytest.mark.parametrize(
+    "secret_key",
+    [
+        u"test1234",
+        "test1234",
+        "thisisanothercoolsecretkeyhere",
+        "107383705745765174750346070528443780244192102846031525796571939503548634055845",
+    ],
+)
+@pytest.mark.parametrize("use_valid_key", [True, False])
 def test_encryption(test_data, version, secret_key, use_valid_key):
-  encrypter = FieldEncrypter(secret_key, version)
-  encrypted = encrypter.encrypt_value(test_data, field_max_length=255)
-  assert encrypted != test_data
+    encrypter = FieldEncrypter(secret_key, version)
+    encrypted = encrypter.encrypt_value(test_data, field_max_length=255)
+    assert encrypted != test_data
 
-  if use_valid_key:
-    decrypted = encrypter.decrypt_value(encrypted)
-    assert decrypted == test_data
+    if use_valid_key:
+        decrypted = encrypter.decrypt_value(encrypted)
+        assert decrypted == test_data
 
-    with pytest.raises(DecryptionFailureException):
-      encrypter.decrypt_value('somerandomvalue')
-  else:
-    decrypter = FieldEncrypter('some other key', version)
-    with pytest.raises(DecryptionFailureException):
-      decrypter.decrypt_value(encrypted)
+        with pytest.raises(DecryptionFailureException):
+            encrypter.decrypt_value("somerandomvalue")
+    else:
+        decrypter = FieldEncrypter("some other key", version)
+        with pytest.raises(DecryptionFailureException):
+            decrypter.decrypt_value(encrypted)
diff --git a/data/test/test_queue.py b/data/test/test_queue.py
index 36f61b502..0ed829213 100644
--- a/data/test/test_queue.py
+++ b/data/test/test_queue.py
@@ -12,409 +12,454 @@ from data.queue import WorkQueue, MINIMUM_EXTENSION
 
 from test.fixtures import *
 
-QUEUE_NAME = 'testqueuename'
+QUEUE_NAME = "testqueuename"
 
 
 class SaveLastCountReporter(object):
-  def __init__(self):
-    self.currently_processing = None
-    self.running_count = None
-    self.total = None
+    def __init__(self):
+        self.currently_processing = None
+        self.running_count = None
+        self.total = None
 
-  def __call__(self, currently_processing, running_count, total_jobs):
-    self.currently_processing = currently_processing
-    self.running_count = running_count
-    self.total = total_jobs
+    def __call__(self, currently_processing, running_count, total_jobs):
+        self.currently_processing = currently_processing
+        self.running_count = running_count
+        self.total = total_jobs
 
 
 class AutoUpdatingQueue(object):
-  def __init__(self, queue_to_wrap):
-    self._queue = queue_to_wrap
+    def __init__(self, queue_to_wrap):
+        self._queue = queue_to_wrap
 
-  def _wrapper(self, func):
-    @wraps(func)
-    def wrapper(*args, **kwargs):
-      to_return = func(*args, **kwargs)
-      self._queue.update_metrics()
-      return to_return
-    return wrapper
+    def _wrapper(self, func):
+        @wraps(func)
+        def wrapper(*args, **kwargs):
+            to_return = func(*args, **kwargs)
+            self._queue.update_metrics()
+            return to_return
 
-  def __getattr__(self, attr_name):
-    method_or_attr = getattr(self._queue, attr_name)
-    if callable(method_or_attr):
-      return self._wrapper(method_or_attr)
-    else:
-      return method_or_attr
+        return wrapper
+
+    def __getattr__(self, attr_name):
+        method_or_attr = getattr(self._queue, attr_name)
+        if callable(method_or_attr):
+            return self._wrapper(method_or_attr)
+        else:
+            return method_or_attr
 
 
-TEST_MESSAGE_1 = json.dumps({'data': 1})
-TEST_MESSAGE_2 = json.dumps({'data': 2})
-TEST_MESSAGES = [json.dumps({'data': str(i)}) for i in range(1, 101)]
+TEST_MESSAGE_1 = json.dumps({"data": 1})
+TEST_MESSAGE_2 = json.dumps({"data": 2})
+TEST_MESSAGES = [json.dumps({"data": str(i)}) for i in range(1, 101)]
 
 
 @contextmanager
 def fake_transaction(arg):
-  yield
+    yield
+
 
 @pytest.fixture()
 def reporter():
-  return SaveLastCountReporter()
+    return SaveLastCountReporter()
 
 
 @pytest.fixture()
 def transaction_factory():
-  return fake_transaction
+    return fake_transaction
 
 
 @pytest.fixture()
 def queue(reporter, transaction_factory, initialized_db):
-  return AutoUpdatingQueue(WorkQueue(QUEUE_NAME, transaction_factory, reporter=reporter))
+    return AutoUpdatingQueue(
+        WorkQueue(QUEUE_NAME, transaction_factory, reporter=reporter)
+    )
 
 
 def test_get_single_item(queue, reporter, transaction_factory):
-  # Add a single item to the queue.
-  queue.put(['abc', 'def'], TEST_MESSAGE_1, available_after=-1)
+    # Add a single item to the queue.
+    queue.put(["abc", "def"], TEST_MESSAGE_1, available_after=-1)
 
-  # Have two "instances" retrieve an item to claim. Since there is only one, both calls should
-  # return the same item.
-  now = datetime.utcnow()
-  first_item = queue._select_available_item(False, now)
-  second_item = queue._select_available_item(False, now)
+    # Have two "instances" retrieve an item to claim. Since there is only one, both calls should
+    # return the same item.
+    now = datetime.utcnow()
+    first_item = queue._select_available_item(False, now)
+    second_item = queue._select_available_item(False, now)
 
-  assert first_item.id == second_item.id
-  assert first_item.state_id == second_item.state_id
+    assert first_item.id == second_item.id
+    assert first_item.state_id == second_item.state_id
 
-  # Have both "instances" now try to claim the item. Only one should succeed.
-  first_claimed = queue._attempt_to_claim_item(first_item, now, 300)
-  second_claimed = queue._attempt_to_claim_item(first_item, now, 300)
+    # Have both "instances" now try to claim the item. Only one should succeed.
+    first_claimed = queue._attempt_to_claim_item(first_item, now, 300)
+    second_claimed = queue._attempt_to_claim_item(first_item, now, 300)
 
-  assert first_claimed
-  assert not second_claimed
+    assert first_claimed
+    assert not second_claimed
 
-  # Ensure the item is no longer available.
-  assert queue.get() is None
+    # Ensure the item is no longer available.
+    assert queue.get() is None
+
+    # Ensure the item's state ID has changed.
+    assert first_item.state_id != QueueItem.get().state_id
 
-  # Ensure the item's state ID has changed.
-  assert first_item.state_id != QueueItem.get().state_id
 
 def test_extend_processing(queue, reporter, transaction_factory):
-  # Add and retrieve a queue item.
-  queue.put(['abc', 'def'], TEST_MESSAGE_1, available_after=-1)
-  queue_item = queue.get(processing_time=10)
-  assert queue_item is not None
+    # Add and retrieve a queue item.
+    queue.put(["abc", "def"], TEST_MESSAGE_1, available_after=-1)
+    queue_item = queue.get(processing_time=10)
+    assert queue_item is not None
 
-  existing_db_item = QueueItem.get(id=queue_item.id)
+    existing_db_item = QueueItem.get(id=queue_item.id)
 
-  # Call extend processing with a timedelta less than the minimum and ensure its
-  # processing_expires and state_id do not change.
-  changed = queue.extend_processing(queue_item, 10 + MINIMUM_EXTENSION.total_seconds() - 1)
-  assert not changed
+    # Call extend processing with a timedelta less than the minimum and ensure its
+    # processing_expires and state_id do not change.
+    changed = queue.extend_processing(
+        queue_item, 10 + MINIMUM_EXTENSION.total_seconds() - 1
+    )
+    assert not changed
 
-  updated_db_item = QueueItem.get(id=queue_item.id)
+    updated_db_item = QueueItem.get(id=queue_item.id)
 
-  assert existing_db_item.processing_expires == updated_db_item.processing_expires
-  assert existing_db_item.state_id == updated_db_item.state_id
+    assert existing_db_item.processing_expires == updated_db_item.processing_expires
+    assert existing_db_item.state_id == updated_db_item.state_id
 
-  # Call extend processing with a timedelta greater than the minimum and ensure its
-  # processing_expires and state_id are changed.
-  changed = queue.extend_processing(queue_item, 10 + MINIMUM_EXTENSION.total_seconds() + 1)
-  assert changed
+    # Call extend processing with a timedelta greater than the minimum and ensure its
+    # processing_expires and state_id are changed.
+    changed = queue.extend_processing(
+        queue_item, 10 + MINIMUM_EXTENSION.total_seconds() + 1
+    )
+    assert changed
 
-  updated_db_item = QueueItem.get(id=queue_item.id)
+    updated_db_item = QueueItem.get(id=queue_item.id)
 
-  assert existing_db_item.processing_expires != updated_db_item.processing_expires
-  assert existing_db_item.state_id != updated_db_item.state_id
+    assert existing_db_item.processing_expires != updated_db_item.processing_expires
+    assert existing_db_item.state_id != updated_db_item.state_id
 
-  # Call extend processing with a timedelta less than the minimum but also with new data and
-  # ensure its processing_expires and state_id are changed.
-  changed = queue.extend_processing(queue_item, 10 + MINIMUM_EXTENSION.total_seconds() - 1,
-                                    updated_data='newbody')
-  assert changed
+    # Call extend processing with a timedelta less than the minimum but also with new data and
+    # ensure its processing_expires and state_id are changed.
+    changed = queue.extend_processing(
+        queue_item, 10 + MINIMUM_EXTENSION.total_seconds() - 1, updated_data="newbody"
+    )
+    assert changed
 
-  updated_db_item = QueueItem.get(id=queue_item.id)
+    updated_db_item = QueueItem.get(id=queue_item.id)
+
+    assert existing_db_item.processing_expires != updated_db_item.processing_expires
+    assert existing_db_item.state_id != updated_db_item.state_id
+    assert updated_db_item.body == "newbody"
 
-  assert existing_db_item.processing_expires != updated_db_item.processing_expires
-  assert existing_db_item.state_id != updated_db_item.state_id
-  assert updated_db_item.body == 'newbody'
 
 def test_same_canonical_names(queue, reporter, transaction_factory):
-  assert reporter.currently_processing is None
-  assert reporter.running_count is None
-  assert reporter.total is None
+    assert reporter.currently_processing is None
+    assert reporter.running_count is None
+    assert reporter.total is None
 
-  id_1 = int(queue.put(['abc', 'def'], TEST_MESSAGE_1, available_after=-1))
-  id_2 = int(queue.put(['abc', 'def'], TEST_MESSAGE_2, available_after=-1))
-  assert id_1 + 1 == id_2
-  assert not reporter.currently_processing
-  assert reporter.running_count == 0
-  assert reporter.total == 1
+    id_1 = int(queue.put(["abc", "def"], TEST_MESSAGE_1, available_after=-1))
+    id_2 = int(queue.put(["abc", "def"], TEST_MESSAGE_2, available_after=-1))
+    assert id_1 + 1 == id_2
+    assert not reporter.currently_processing
+    assert reporter.running_count == 0
+    assert reporter.total == 1
 
-  one = queue.get(ordering_required=True)
-  assert one is not None
-  assert one.body == TEST_MESSAGE_1
-  assert reporter.currently_processing
-  assert reporter.running_count == 1
-  assert reporter.total == 1
+    one = queue.get(ordering_required=True)
+    assert one is not None
+    assert one.body == TEST_MESSAGE_1
+    assert reporter.currently_processing
+    assert reporter.running_count == 1
+    assert reporter.total == 1
 
-  two_fail = queue.get(ordering_required=True)
-  assert two_fail is None
-  assert reporter.running_count == 1
-  assert reporter.total == 1
+    two_fail = queue.get(ordering_required=True)
+    assert two_fail is None
+    assert reporter.running_count == 1
+    assert reporter.total == 1
 
-  queue.complete(one)
-  assert not reporter.currently_processing
-  assert reporter.running_count == 0
-  assert reporter.total == 1
+    queue.complete(one)
+    assert not reporter.currently_processing
+    assert reporter.running_count == 0
+    assert reporter.total == 1
+
+    two = queue.get(ordering_required=True)
+    assert two is not None
+    assert reporter.currently_processing
+    assert two.body == TEST_MESSAGE_2
+    assert reporter.running_count == 1
+    assert reporter.total == 1
 
-  two = queue.get(ordering_required=True)
-  assert two is not None
-  assert reporter.currently_processing
-  assert two.body == TEST_MESSAGE_2
-  assert reporter.running_count == 1
-  assert reporter.total == 1
 
 def test_different_canonical_names(queue, reporter, transaction_factory):
-  queue.put(['abc', 'def'], TEST_MESSAGE_1, available_after=-1)
-  queue.put(['abc', 'ghi'], TEST_MESSAGE_2, available_after=-1)
-  assert reporter.running_count == 0
-  assert reporter.total == 2
+    queue.put(["abc", "def"], TEST_MESSAGE_1, available_after=-1)
+    queue.put(["abc", "ghi"], TEST_MESSAGE_2, available_after=-1)
+    assert reporter.running_count == 0
+    assert reporter.total == 2
 
-  one = queue.get(ordering_required=True)
-  assert one is not None
-  assert one.body == TEST_MESSAGE_1
-  assert reporter.running_count == 1
-  assert reporter.total == 2
+    one = queue.get(ordering_required=True)
+    assert one is not None
+    assert one.body == TEST_MESSAGE_1
+    assert reporter.running_count == 1
+    assert reporter.total == 2
+
+    two = queue.get(ordering_required=True)
+    assert two is not None
+    assert two.body == TEST_MESSAGE_2
+    assert reporter.running_count == 2
+    assert reporter.total == 2
 
-  two = queue.get(ordering_required=True)
-  assert two is not None
-  assert two.body == TEST_MESSAGE_2
-  assert reporter.running_count == 2
-  assert reporter.total == 2
 
 def test_canonical_name(queue, reporter, transaction_factory):
-  queue.put(['abc', 'def'], TEST_MESSAGE_1, available_after=-1)
-  queue.put(['abc', 'def', 'ghi'], TEST_MESSAGE_1, available_after=-1)
+    queue.put(["abc", "def"], TEST_MESSAGE_1, available_after=-1)
+    queue.put(["abc", "def", "ghi"], TEST_MESSAGE_1, available_after=-1)
 
-  one = queue.get(ordering_required=True)
-  assert QUEUE_NAME + '/abc/def/' != one
+    one = queue.get(ordering_required=True)
+    assert QUEUE_NAME + "/abc/def/" != one
+
+    two = queue.get(ordering_required=True)
+    assert QUEUE_NAME + "/abc/def/ghi/" != two
 
-  two = queue.get(ordering_required=True)
-  assert QUEUE_NAME + '/abc/def/ghi/' != two
 
 def test_expiration(queue, reporter, transaction_factory):
-  queue.put(['abc', 'def'], TEST_MESSAGE_1, available_after=-1)
-  assert reporter.running_count == 0
-  assert reporter.total == 1
+    queue.put(["abc", "def"], TEST_MESSAGE_1, available_after=-1)
+    assert reporter.running_count == 0
+    assert reporter.total == 1
 
-  one = queue.get(processing_time=0.5, ordering_required=True)
-  assert one is not None
-  assert reporter.running_count == 1
-  assert reporter.total == 1
+    one = queue.get(processing_time=0.5, ordering_required=True)
+    assert one is not None
+    assert reporter.running_count == 1
+    assert reporter.total == 1
 
-  one_fail = queue.get(ordering_required=True)
-  assert one_fail is None
+    one_fail = queue.get(ordering_required=True)
+    assert one_fail is None
 
-  time.sleep(1)
-  queue.update_metrics()
-  assert reporter.running_count == 0
-  assert reporter.total == 1
+    time.sleep(1)
+    queue.update_metrics()
+    assert reporter.running_count == 0
+    assert reporter.total == 1
+
+    one_again = queue.get(ordering_required=True)
+    assert one_again is not None
+    assert reporter.running_count == 1
+    assert reporter.total == 1
 
-  one_again = queue.get(ordering_required=True)
-  assert one_again is not None
-  assert reporter.running_count == 1
-  assert reporter.total == 1
 
 def test_alive(queue, reporter, transaction_factory):
-  # No queue item = not alive.
-  assert not queue.alive(['abc', 'def'])
+    # No queue item = not alive.
+    assert not queue.alive(["abc", "def"])
 
-  # Add a queue item.
-  queue.put(['abc', 'def'], TEST_MESSAGE_1, available_after=-1)
-  assert queue.alive(['abc', 'def'])
+    # Add a queue item.
+    queue.put(["abc", "def"], TEST_MESSAGE_1, available_after=-1)
+    assert queue.alive(["abc", "def"])
 
-  # Retrieve the queue item.
-  queue_item = queue.get()
-  assert queue_item is not None
-  assert queue.alive(['abc', 'def'])
+    # Retrieve the queue item.
+    queue_item = queue.get()
+    assert queue_item is not None
+    assert queue.alive(["abc", "def"])
 
-  # Make sure it is running by trying to retrieve it again.
-  assert queue.get() is None
+    # Make sure it is running by trying to retrieve it again.
+    assert queue.get() is None
+
+    # Delete the queue item.
+    queue.complete(queue_item)
+    assert not queue.alive(["abc", "def"])
 
-  # Delete the queue item.
-  queue.complete(queue_item)
-  assert not queue.alive(['abc', 'def'])
 
 def test_specialized_queue(queue, reporter, transaction_factory):
-  queue.put(['abc', 'def'], TEST_MESSAGE_1, available_after=-1)
-  queue.put(['def', 'def'], TEST_MESSAGE_2, available_after=-1)
+    queue.put(["abc", "def"], TEST_MESSAGE_1, available_after=-1)
+    queue.put(["def", "def"], TEST_MESSAGE_2, available_after=-1)
 
-  my_queue = AutoUpdatingQueue(WorkQueue(QUEUE_NAME, transaction_factory, ['def']))
+    my_queue = AutoUpdatingQueue(WorkQueue(QUEUE_NAME, transaction_factory, ["def"]))
 
-  two = my_queue.get(ordering_required=True)
-  assert two is not None
-  assert two.body == TEST_MESSAGE_2
+    two = my_queue.get(ordering_required=True)
+    assert two is not None
+    assert two.body == TEST_MESSAGE_2
 
-  one_fail = my_queue.get(ordering_required=True)
-  assert one_fail is None
+    one_fail = my_queue.get(ordering_required=True)
+    assert one_fail is None
+
+    one = queue.get(ordering_required=True)
+    assert one is not None
+    assert one.body == TEST_MESSAGE_1
 
-  one = queue.get(ordering_required=True)
-  assert one is not None
-  assert one.body == TEST_MESSAGE_1
 
 def test_random_queue_no_duplicates(queue, reporter, transaction_factory):
-  for msg in TEST_MESSAGES:
-    queue.put(['abc', 'def'], msg, available_after=-1)
-  seen = set()
+    for msg in TEST_MESSAGES:
+        queue.put(["abc", "def"], msg, available_after=-1)
+    seen = set()
 
-  for _ in range(1, 101):
-    item = queue.get()
-    json_body = json.loads(item.body)
-    msg = str(json_body['data'])
-    assert msg not in seen
-    seen.add(msg)
+    for _ in range(1, 101):
+        item = queue.get()
+        json_body = json.loads(item.body)
+        msg = str(json_body["data"])
+        assert msg not in seen
+        seen.add(msg)
+
+    for body in TEST_MESSAGES:
+        json_body = json.loads(body)
+        msg = str(json_body["data"])
+        assert msg in seen
 
-  for body in TEST_MESSAGES:
-    json_body = json.loads(body)
-    msg = str(json_body['data'])
-    assert msg in seen
 
 def test_bulk_insert(queue, reporter, transaction_factory):
-  assert reporter.currently_processing is None
-  assert reporter.running_count is None
-  assert reporter.total is None
+    assert reporter.currently_processing is None
+    assert reporter.running_count is None
+    assert reporter.total is None
 
-  with queue.batch_insert() as queue_put:
-    queue_put(['abc', 'def'], TEST_MESSAGE_1, available_after=-1)
-    queue_put(['abc', 'def'], TEST_MESSAGE_2, available_after=-1)
+    with queue.batch_insert() as queue_put:
+        queue_put(["abc", "def"], TEST_MESSAGE_1, available_after=-1)
+        queue_put(["abc", "def"], TEST_MESSAGE_2, available_after=-1)
 
-  queue.update_metrics()
-  assert not reporter.currently_processing
-  assert reporter.running_count == 0
-  assert reporter.total == 1
+    queue.update_metrics()
+    assert not reporter.currently_processing
+    assert reporter.running_count == 0
+    assert reporter.total == 1
 
-  with queue.batch_insert() as queue_put:
-    queue_put(['abd', 'def'], TEST_MESSAGE_1, available_after=-1)
-    queue_put(['abd', 'ghi'], TEST_MESSAGE_2, available_after=-1)
+    with queue.batch_insert() as queue_put:
+        queue_put(["abd", "def"], TEST_MESSAGE_1, available_after=-1)
+        queue_put(["abd", "ghi"], TEST_MESSAGE_2, available_after=-1)
+
+    queue.update_metrics()
+    assert not reporter.currently_processing
+    assert reporter.running_count == 0
+    assert reporter.total == 3
 
-  queue.update_metrics()
-  assert not reporter.currently_processing
-  assert reporter.running_count == 0
-  assert reporter.total == 3
 
 def test_num_available_between(queue, reporter, transaction_factory):
-  now = datetime.utcnow()
-  queue.put(['abc', 'def'], TEST_MESSAGE_1, available_after=-10)
-  queue.put(['abc', 'ghi'], TEST_MESSAGE_2, available_after=-5)
+    now = datetime.utcnow()
+    queue.put(["abc", "def"], TEST_MESSAGE_1, available_after=-10)
+    queue.put(["abc", "ghi"], TEST_MESSAGE_2, available_after=-5)
 
-  # Partial results
-  count = queue.num_available_jobs_between(now-timedelta(seconds=8), now, ['abc'])
-  assert count == 1
+    # Partial results
+    count = queue.num_available_jobs_between(now - timedelta(seconds=8), now, ["abc"])
+    assert count == 1
 
-  # All results
-  count = queue.num_available_jobs_between(now-timedelta(seconds=20), now, ['/abc'])
-  assert count == 2
+    # All results
+    count = queue.num_available_jobs_between(now - timedelta(seconds=20), now, ["/abc"])
+    assert count == 2
+
+    # No results
+    count = queue.num_available_jobs_between(now, now, "abc")
+    assert count == 0
 
-  # No results
-  count = queue.num_available_jobs_between(now, now, 'abc')
-  assert count == 0
 
 def test_incomplete(queue, reporter, transaction_factory):
-  # Add an item.
-  queue.put(['somenamespace', 'abc', 'def'], TEST_MESSAGE_1, available_after=-10)
+    # Add an item.
+    queue.put(["somenamespace", "abc", "def"], TEST_MESSAGE_1, available_after=-10)
 
-  now = datetime.utcnow()
-  count = queue.num_available_jobs_between(now - timedelta(seconds=60), now, ['/somenamespace'])
-  assert count == 1
+    now = datetime.utcnow()
+    count = queue.num_available_jobs_between(
+        now - timedelta(seconds=60), now, ["/somenamespace"]
+    )
+    assert count == 1
 
-  # Retrieve it.
-  item = queue.get()
-  assert item is not None
-  assert reporter.currently_processing
+    # Retrieve it.
+    item = queue.get()
+    assert item is not None
+    assert reporter.currently_processing
 
-  # Mark it as incomplete.
-  queue.incomplete(item, retry_after=-1)
-  assert not reporter.currently_processing
+    # Mark it as incomplete.
+    queue.incomplete(item, retry_after=-1)
+    assert not reporter.currently_processing
 
-  # Retrieve again to ensure it is once again available.
-  same_item = queue.get()
-  assert same_item is not None
-  assert reporter.currently_processing
+    # Retrieve again to ensure it is once again available.
+    same_item = queue.get()
+    assert same_item is not None
+    assert reporter.currently_processing
+
+    assert item.id == same_item.id
 
-  assert item.id == same_item.id
 
 def test_complete(queue, reporter, transaction_factory):
-  # Add an item.
-  queue.put(['somenamespace', 'abc', 'def'], TEST_MESSAGE_1, available_after=-10)
+    # Add an item.
+    queue.put(["somenamespace", "abc", "def"], TEST_MESSAGE_1, available_after=-10)
 
-  now = datetime.utcnow()
-  count = queue.num_available_jobs_between(now - timedelta(seconds=60), now, ['/somenamespace'])
-  assert count == 1
+    now = datetime.utcnow()
+    count = queue.num_available_jobs_between(
+        now - timedelta(seconds=60), now, ["/somenamespace"]
+    )
+    assert count == 1
 
-  # Retrieve it.
-  item = queue.get()
-  assert item is not None
-  assert reporter.currently_processing
+    # Retrieve it.
+    item = queue.get()
+    assert item is not None
+    assert reporter.currently_processing
+
+    # Mark it as complete.
+    queue.complete(item)
+    assert not reporter.currently_processing
 
-  # Mark it as complete.
-  queue.complete(item)
-  assert not reporter.currently_processing
 
 def test_cancel(queue, reporter, transaction_factory):
-  # Add an item.
-  queue.put(['somenamespace', 'abc', 'def'], TEST_MESSAGE_1, available_after=-10)
-  queue.put(['somenamespace', 'abc', 'def'], TEST_MESSAGE_2, available_after=-5)
+    # Add an item.
+    queue.put(["somenamespace", "abc", "def"], TEST_MESSAGE_1, available_after=-10)
+    queue.put(["somenamespace", "abc", "def"], TEST_MESSAGE_2, available_after=-5)
 
-  now = datetime.utcnow()
-  count = queue.num_available_jobs_between(now - timedelta(seconds=60), now, ['/somenamespace'])
-  assert count == 2
+    now = datetime.utcnow()
+    count = queue.num_available_jobs_between(
+        now - timedelta(seconds=60), now, ["/somenamespace"]
+    )
+    assert count == 2
 
-  # Retrieve it.
-  item = queue.get()
-  assert item is not None
+    # Retrieve it.
+    item = queue.get()
+    assert item is not None
 
-  # Make sure we can cancel it.
-  assert queue.cancel(item.id)
+    # Make sure we can cancel it.
+    assert queue.cancel(item.id)
 
-  now = datetime.utcnow()
-  count = queue.num_available_jobs_between(now - timedelta(seconds=60), now, ['/somenamespace'])
-  assert count == 1
+    now = datetime.utcnow()
+    count = queue.num_available_jobs_between(
+        now - timedelta(seconds=60), now, ["/somenamespace"]
+    )
+    assert count == 1
+
+    # Make sure it is gone.
+    assert not queue.cancel(item.id)
 
-  # Make sure it is gone.
-  assert not queue.cancel(item.id)
 
 def test_deleted_namespaced_items(queue, reporter, transaction_factory):
-  queue = AutoUpdatingQueue(WorkQueue(QUEUE_NAME, transaction_factory,
-                                      reporter=reporter,
-                                      has_namespace=True))
+    queue = AutoUpdatingQueue(
+        WorkQueue(
+            QUEUE_NAME, transaction_factory, reporter=reporter, has_namespace=True
+        )
+    )
 
-  queue.put(['somenamespace', 'abc', 'def'], TEST_MESSAGE_1, available_after=-10)
-  queue.put(['somenamespace', 'abc', 'ghi'], TEST_MESSAGE_2, available_after=-5)
-  queue.put(['anothernamespace', 'abc', 'def'], TEST_MESSAGE_1, available_after=-10)
+    queue.put(["somenamespace", "abc", "def"], TEST_MESSAGE_1, available_after=-10)
+    queue.put(["somenamespace", "abc", "ghi"], TEST_MESSAGE_2, available_after=-5)
+    queue.put(["anothernamespace", "abc", "def"], TEST_MESSAGE_1, available_after=-10)
 
-  # Ensure we have 2 items under `somenamespace` and 1 item under `anothernamespace`.
-  now = datetime.utcnow()
-  count = queue.num_available_jobs_between(now - timedelta(seconds=60), now, ['/somenamespace'])
-  assert count == 2
+    # Ensure we have 2 items under `somenamespace` and 1 item under `anothernamespace`.
+    now = datetime.utcnow()
+    count = queue.num_available_jobs_between(
+        now - timedelta(seconds=60), now, ["/somenamespace"]
+    )
+    assert count == 2
 
-  count = queue.num_available_jobs_between(now - timedelta(seconds=60), now, ['/anothernamespace'])
-  assert count == 1
+    count = queue.num_available_jobs_between(
+        now - timedelta(seconds=60), now, ["/anothernamespace"]
+    )
+    assert count == 1
 
-  # Delete all `somenamespace` items.
-  queue.delete_namespaced_items('somenamespace')
+    # Delete all `somenamespace` items.
+    queue.delete_namespaced_items("somenamespace")
 
-  # Check the updated counts.
-  count = queue.num_available_jobs_between(now - timedelta(seconds=60), now, ['/somenamespace'])
-  assert count == 0
+    # Check the updated counts.
+    count = queue.num_available_jobs_between(
+        now - timedelta(seconds=60), now, ["/somenamespace"]
+    )
+    assert count == 0
 
-  count = queue.num_available_jobs_between(now - timedelta(seconds=60), now, ['/anothernamespace'])
-  assert count == 1
+    count = queue.num_available_jobs_between(
+        now - timedelta(seconds=60), now, ["/anothernamespace"]
+    )
+    assert count == 1
 
-  # Delete all `anothernamespace` items.
-  queue.delete_namespaced_items('anothernamespace')
+    # Delete all `anothernamespace` items.
+    queue.delete_namespaced_items("anothernamespace")
 
-  # Check the updated counts.
-  count = queue.num_available_jobs_between(now - timedelta(seconds=60), now, ['/somenamespace'])
-  assert count == 0
+    # Check the updated counts.
+    count = queue.num_available_jobs_between(
+        now - timedelta(seconds=60), now, ["/somenamespace"]
+    )
+    assert count == 0
 
-  count = queue.num_available_jobs_between(now - timedelta(seconds=60), now, ['/anothernamespace'])
-  assert count == 0
+    count = queue.num_available_jobs_between(
+        now - timedelta(seconds=60), now, ["/anothernamespace"]
+    )
+    assert count == 0
diff --git a/data/test/test_readreplica.py b/data/test/test_readreplica.py
index 7f7111d2a..94ad1328a 100644
--- a/data/test/test_readreplica.py
+++ b/data/test/test_readreplica.py
@@ -11,92 +11,88 @@ from test.testconfig import FakeTransaction
 from test.fixtures import *
 
 
-@pytest.mark.skipif(bool(os.environ.get('TEST_DATABASE_URI')), reason='Testing requires SQLite')
+@pytest.mark.skipif(
+    bool(os.environ.get("TEST_DATABASE_URI")), reason="Testing requires SQLite"
+)
 def test_readreplica(init_db_path, tmpdir_factory):
-  primary_file = str(tmpdir_factory.mktemp("data").join("primary.db"))
-  replica_file = str(tmpdir_factory.mktemp("data").join("replica.db"))
+    primary_file = str(tmpdir_factory.mktemp("data").join("primary.db"))
+    replica_file = str(tmpdir_factory.mktemp("data").join("replica.db"))
 
-  # Copy the initialized database to two different locations.
-  shutil.copy2(init_db_path, primary_file)
-  shutil.copy2(init_db_path, replica_file)
+    # Copy the initialized database to two different locations.
+    shutil.copy2(init_db_path, primary_file)
+    shutil.copy2(init_db_path, replica_file)
 
-  db_config = {
-    'DB_URI': 'sqlite:///{0}'.format(primary_file),
-    'DB_READ_REPLICAS': [
-      {'DB_URI': 'sqlite:///{0}'.format(replica_file)},
-    ],
-    "DB_CONNECTION_ARGS": {
-      'threadlocals': True,
-      'autorollback': True,
-    },
-    "DB_TRANSACTION_FACTORY": lambda x: FakeTransaction(),
-    "FOR_TESTING": True,
-    "DATABASE_SECRET_KEY": "anothercrazykey!",
-  }
+    db_config = {
+        "DB_URI": "sqlite:///{0}".format(primary_file),
+        "DB_READ_REPLICAS": [{"DB_URI": "sqlite:///{0}".format(replica_file)}],
+        "DB_CONNECTION_ARGS": {"threadlocals": True, "autorollback": True},
+        "DB_TRANSACTION_FACTORY": lambda x: FakeTransaction(),
+        "FOR_TESTING": True,
+        "DATABASE_SECRET_KEY": "anothercrazykey!",
+    }
 
-  # Initialize the DB with the primary and the replica.
-  configure(db_config)
-  assert not read_only_config.obj.is_readonly
-  assert read_only_config.obj.read_replicas
+    # Initialize the DB with the primary and the replica.
+    configure(db_config)
+    assert not read_only_config.obj.is_readonly
+    assert read_only_config.obj.read_replicas
 
-  # Ensure we can read the data.
-  devtable_user = User.get(username='devtable')
-  assert devtable_user.username == 'devtable'
+    # Ensure we can read the data.
+    devtable_user = User.get(username="devtable")
+    assert devtable_user.username == "devtable"
 
-  # Configure with a bad primary. Reading should still work since we're hitting the replica.
-  db_config['DB_URI'] = 'sqlite:///does/not/exist'
-  configure(db_config)
+    # Configure with a bad primary. Reading should still work since we're hitting the replica.
+    db_config["DB_URI"] = "sqlite:///does/not/exist"
+    configure(db_config)
 
-  assert not read_only_config.obj.is_readonly
-  assert read_only_config.obj.read_replicas
+    assert not read_only_config.obj.is_readonly
+    assert read_only_config.obj.read_replicas
 
-  devtable_user = User.get(username='devtable')
-  assert devtable_user.username == 'devtable'
+    devtable_user = User.get(username="devtable")
+    assert devtable_user.username == "devtable"
 
-  # Try to change some data. This should fail because the primary is broken.
-  with pytest.raises(OperationalError):
-    devtable_user.email = 'newlychanged'
+    # Try to change some data. This should fail because the primary is broken.
+    with pytest.raises(OperationalError):
+        devtable_user.email = "newlychanged"
+        devtable_user.save()
+
+    # Fix the primary and try again.
+    db_config["DB_URI"] = "sqlite:///{0}".format(primary_file)
+    configure(db_config)
+
+    assert not read_only_config.obj.is_readonly
+    assert read_only_config.obj.read_replicas
+
+    devtable_user.email = "newlychanged"
     devtable_user.save()
 
-  # Fix the primary and try again.
-  db_config['DB_URI'] = 'sqlite:///{0}'.format(primary_file)
-  configure(db_config)
+    # Mark the system as readonly.
+    db_config["DB_URI"] = "sqlite:///{0}".format(primary_file)
+    db_config["REGISTRY_STATE"] = "readonly"
+    configure(db_config)
 
-  assert not read_only_config.obj.is_readonly
-  assert read_only_config.obj.read_replicas
+    assert read_only_config.obj.is_readonly
+    assert read_only_config.obj.read_replicas
 
-  devtable_user.email = 'newlychanged'
-  devtable_user.save()
+    # Ensure all write operations raise a readonly mode exception.
+    with pytest.raises(ReadOnlyModeException):
+        devtable_user.email = "newlychanged2"
+        devtable_user.save()
 
-  # Mark the system as readonly.
-  db_config['DB_URI'] = 'sqlite:///{0}'.format(primary_file)
-  db_config['REGISTRY_STATE'] = 'readonly'
-  configure(db_config)
+    with pytest.raises(ReadOnlyModeException):
+        User.create(username="foo")
 
-  assert read_only_config.obj.is_readonly
-  assert read_only_config.obj.read_replicas
+    with pytest.raises(ReadOnlyModeException):
+        User.delete().where(User.username == "foo").execute()
 
-  # Ensure all write operations raise a readonly mode exception.
-  with pytest.raises(ReadOnlyModeException):
-    devtable_user.email = 'newlychanged2'
-    devtable_user.save()
+    with pytest.raises(ReadOnlyModeException):
+        User.update(username="bar").where(User.username == "foo").execute()
 
-  with pytest.raises(ReadOnlyModeException):
-    User.create(username='foo')
-
-  with pytest.raises(ReadOnlyModeException):
-    User.delete().where(User.username == 'foo').execute()
-
-  with pytest.raises(ReadOnlyModeException):
-    User.update(username='bar').where(User.username == 'foo').execute()
-
-  # Reset the config on the DB, so we don't mess up other tests.
-  configure({
-    'DB_URI': 'sqlite:///{0}'.format(primary_file),
-    "DB_CONNECTION_ARGS": {
-      'threadlocals': True,
-      'autorollback': True,
-    },
-    "DB_TRANSACTION_FACTORY": lambda x: FakeTransaction(),
-    "DATABASE_SECRET_KEY": "anothercrazykey!",
-  })
+    # Reset the config on the DB, so we don't mess up other tests.
+    configure(
+        {
+            "DB_URI": "sqlite:///{0}".format(primary_file),
+            "DB_CONNECTION_ARGS": {"threadlocals": True, "autorollback": True},
+            "DB_TRANSACTION_FACTORY": lambda x: FakeTransaction(),
+            "DATABASE_SECRET_KEY": "anothercrazykey!",
+        }
+    )
diff --git a/data/test/test_text.py b/data/test/test_text.py
index 14b4519d1..bd73c38a2 100644
--- a/data/test/test_text.py
+++ b/data/test/test_text.py
@@ -4,26 +4,31 @@ from data.text import match_mysql, match_like
 from data.database import Repository
 from test.fixtures import *
 
-@pytest.mark.parametrize('input', [
-  ('hello world'),
-  ('hello \' world'),
-  ('hello " world'),
-  ('hello ` world'),
-])
+
+@pytest.mark.parametrize(
+    "input", [("hello world"), ("hello ' world"), ('hello " world'), ("hello ` world")]
+)
 def test_mysql_text_escaping(input):
-  query, values = Repository.select().where(match_mysql(Repository.description, input)).sql()
-  assert input not in query
+    query, values = (
+        Repository.select().where(match_mysql(Repository.description, input)).sql()
+    )
+    assert input not in query
 
 
-@pytest.mark.parametrize('input, expected', [
-  ('hello world', 'hello world'),
-  ('hello \'world', 'hello world'),
-  ('hello "world', 'hello world'),
-  ('hello `world', 'hello world'),
-  ('hello !world', 'hello !!world'),
-  ('hello %world', 'hello !%world'),
-])
+@pytest.mark.parametrize(
+    "input, expected",
+    [
+        ("hello world", "hello world"),
+        ("hello 'world", "hello world"),
+        ('hello "world', "hello world"),
+        ("hello `world", "hello world"),
+        ("hello !world", "hello !!world"),
+        ("hello %world", "hello !%world"),
+    ],
+)
 def test_postgres_text_escaping(input, expected):
-  query, values = Repository.select().where(match_like(Repository.description, input)).sql()
-  assert input not in query
-  assert values[0] == '%' + expected + '%'
+    query, values = (
+        Repository.select().where(match_like(Repository.description, input)).sql()
+    )
+    assert input not in query
+    assert values[0] == "%" + expected + "%"
diff --git a/data/test/test_userfiles.py b/data/test/test_userfiles.py
index 671011e58..c832855b7 100644
--- a/data/test/test_userfiles.py
+++ b/data/test/test_userfiles.py
@@ -7,48 +7,54 @@ from data.userfiles import DelegateUserfiles, Userfiles
 from test.fixtures import *
 
 
-@pytest.mark.parametrize('prefix,path,expected', [
-  ('test', 'foo', 'test/foo'),
-  ('test', 'bar', 'test/bar'),
-  ('test', '/bar', 'test/bar'),
-  ('test', '../foo', 'test/foo'),
-  ('test', 'foo/bar/baz', 'test/baz'),
-  ('test', 'foo/../baz', 'test/baz'),
-
-  (None, 'foo', 'foo'),
-  (None, 'foo/bar/baz', 'baz'),
-])
+@pytest.mark.parametrize(
+    "prefix,path,expected",
+    [
+        ("test", "foo", "test/foo"),
+        ("test", "bar", "test/bar"),
+        ("test", "/bar", "test/bar"),
+        ("test", "../foo", "test/foo"),
+        ("test", "foo/bar/baz", "test/baz"),
+        ("test", "foo/../baz", "test/baz"),
+        (None, "foo", "foo"),
+        (None, "foo/bar/baz", "baz"),
+    ],
+)
 def test_filepath(prefix, path, expected):
-  userfiles = DelegateUserfiles(None, None, 'local_us', prefix)
-  assert userfiles.get_file_id_path(path) == expected
+    userfiles = DelegateUserfiles(None, None, "local_us", prefix)
+    assert userfiles.get_file_id_path(path) == expected
 
 
 def test_lookup_userfile(app, client):
-  uuid = 'deadbeef-dead-beef-dead-beefdeadbeef'
-  bad_uuid = 'deadduck-dead-duck-dead-duckdeadduck'
-  upper_uuid = 'DEADBEEF-DEAD-BEEF-DEAD-BEEFDEADBEEF'
+    uuid = "deadbeef-dead-beef-dead-beefdeadbeef"
+    bad_uuid = "deadduck-dead-duck-dead-duckdeadduck"
+    upper_uuid = "DEADBEEF-DEAD-BEEF-DEAD-BEEFDEADBEEF"
 
-  def _stream_read_file(locations, path):
-    if path.find(uuid) > 0 or path.find(upper_uuid) > 0:
-      return BytesIO("hello world")
+    def _stream_read_file(locations, path):
+        if path.find(uuid) > 0 or path.find(upper_uuid) > 0:
+            return BytesIO("hello world")
 
-    raise IOError('Not found!')
+        raise IOError("Not found!")
 
-  storage_mock = Mock()
-  storage_mock.stream_read_file = _stream_read_file
+    storage_mock = Mock()
+    storage_mock.stream_read_file = _stream_read_file
 
-  app.config['USERFILES_PATH'] = 'foo'
-  Userfiles(app, distributed_storage=storage_mock, path='mockuserfiles',
-            handler_name='mockuserfiles')
+    app.config["USERFILES_PATH"] = "foo"
+    Userfiles(
+        app,
+        distributed_storage=storage_mock,
+        path="mockuserfiles",
+        handler_name="mockuserfiles",
+    )
 
-  rv = client.open('/mockuserfiles/' + uuid, method='GET')
-  assert rv.status_code == 200
+    rv = client.open("/mockuserfiles/" + uuid, method="GET")
+    assert rv.status_code == 200
 
-  rv = client.open('/mockuserfiles/' + upper_uuid, method='GET')
-  assert rv.status_code == 200
+    rv = client.open("/mockuserfiles/" + upper_uuid, method="GET")
+    assert rv.status_code == 200
 
-  rv = client.open('/mockuserfiles/' + bad_uuid, method='GET')
-  assert rv.status_code == 404
+    rv = client.open("/mockuserfiles/" + bad_uuid, method="GET")
+    assert rv.status_code == 404
 
-  rv = client.open('/mockuserfiles/foo/bar/baz', method='GET')
-  assert rv.status_code == 404
+    rv = client.open("/mockuserfiles/foo/bar/baz", method="GET")
+    assert rv.status_code == 404
diff --git a/data/text.py b/data/text.py
index 9fa6bbf3e..9ef4449d2 100644
--- a/data/text.py
+++ b/data/text.py
@@ -1,53 +1,59 @@
 from peewee import NodeList, SQL, fn, TextField, Field
 
+
 def _escape_wildcard(search_query):
-  """ Escapes the wildcards found in the given search query so that they are treated as *characters*
+    """ Escapes the wildcards found in the given search query so that they are treated as *characters*
       rather than wildcards when passed to a LIKE or ILIKE clause with an ESCAPE '!'.
   """
-  search_query = (search_query
-                  .replace('!', '!!')
-                  .replace('%', '!%')
-                  .replace('_', '!_')
-                  .replace('[', '!['))
+    search_query = (
+        search_query.replace("!", "!!")
+        .replace("%", "!%")
+        .replace("_", "!_")
+        .replace("[", "![")
+    )
 
-  # Just to be absolutely sure.
-  search_query = search_query.replace('\'', '')
-  search_query = search_query.replace('"', '')
-  search_query = search_query.replace('`', '')
+    # Just to be absolutely sure.
+    search_query = search_query.replace("'", "")
+    search_query = search_query.replace('"', "")
+    search_query = search_query.replace("`", "")
 
-  return search_query
+    return search_query
 
 
 def prefix_search(field, prefix_query):
-  """ Returns the wildcard match for searching for the given prefix query. """
-  # Escape the known wildcard characters.
-  prefix_query = _escape_wildcard(prefix_query)
-  return Field.__pow__(field, NodeList((prefix_query + '%', SQL("ESCAPE '!'"))))
+    """ Returns the wildcard match for searching for the given prefix query. """
+    # Escape the known wildcard characters.
+    prefix_query = _escape_wildcard(prefix_query)
+    return Field.__pow__(field, NodeList((prefix_query + "%", SQL("ESCAPE '!'"))))
 
 
 def match_mysql(field, search_query):
-  """ Generates a full-text match query using a Match operation, which is needed for MySQL.
+    """ Generates a full-text match query using a Match operation, which is needed for MySQL.
   """
-  if field.name.find('`') >= 0: # Just to be safe.
-    raise Exception("How did field name '%s' end up containing a backtick?" % field.name)
+    if field.name.find("`") >= 0:  # Just to be safe.
+        raise Exception(
+            "How did field name '%s' end up containing a backtick?" % field.name
+        )
 
-  # Note: There is a known bug in MySQL (https://bugs.mysql.com/bug.php?id=78485) that causes
-  # queries of the form `*` to raise a parsing error. If found, simply filter out.
-  search_query = search_query.replace('*', '')
+    # Note: There is a known bug in MySQL (https://bugs.mysql.com/bug.php?id=78485) that causes
+    # queries of the form `*` to raise a parsing error. If found, simply filter out.
+    search_query = search_query.replace("*", "")
 
-  # Just to be absolutely sure.
-  search_query = search_query.replace('\'', '')
-  search_query = search_query.replace('"', '')
-  search_query = search_query.replace('`', '')
+    # Just to be absolutely sure.
+    search_query = search_query.replace("'", "")
+    search_query = search_query.replace('"', "")
+    search_query = search_query.replace("`", "")
 
-  return NodeList((fn.MATCH(SQL("`%s`" % field.name)), fn.AGAINST(SQL('%s', [search_query]))),
-                  parens=True)
+    return NodeList(
+        (fn.MATCH(SQL("`%s`" % field.name)), fn.AGAINST(SQL("%s", [search_query]))),
+        parens=True,
+    )
 
 
 def match_like(field, search_query):
-  """ Generates a full-text match query using an ILIKE operation, which is needed for SQLite and
+    """ Generates a full-text match query using an ILIKE operation, which is needed for SQLite and
       Postgres.
   """
-  escaped_query = _escape_wildcard(search_query)
-  clause = NodeList(('%' + escaped_query + '%', SQL("ESCAPE '!'")))
-  return Field.__pow__(field, clause)
+    escaped_query = _escape_wildcard(search_query)
+    clause = NodeList(("%" + escaped_query + "%", SQL("ESCAPE '!'")))
+    return Field.__pow__(field, clause)
diff --git a/data/userevent.py b/data/userevent.py
index b4f340e5e..384c18f45 100644
--- a/data/userevent.py
+++ b/data/userevent.py
@@ -6,149 +6,156 @@ import redis
 
 logger = logging.getLogger(__name__)
 
+
 class CannotReadUserEventsException(Exception):
-  """ Exception raised if user events cannot be read. """
+    """ Exception raised if user events cannot be read. """
+
 
 class UserEventBuilder(object):
-  """
+    """
   Defines a helper class for constructing UserEvent and UserEventListener
   instances.
   """
-  def __init__(self, redis_config):
-    self._redis_config = redis_config
 
-  def get_event(self, username):
-    return UserEvent(self._redis_config, username)
+    def __init__(self, redis_config):
+        self._redis_config = redis_config
 
-  def get_listener(self, username, events):
-    return UserEventListener(self._redis_config, username, events)
+    def get_event(self, username):
+        return UserEvent(self._redis_config, username)
+
+    def get_listener(self, username, events):
+        return UserEventListener(self._redis_config, username, events)
 
 
 class UserEventsBuilderModule(object):
-  def __init__(self, app=None):
-    self.app = app
-    if app is not None:
-      self.state = self.init_app(app)
-    else:
-      self.state = None
+    def __init__(self, app=None):
+        self.app = app
+        if app is not None:
+            self.state = self.init_app(app)
+        else:
+            self.state = None
 
-  def init_app(self, app):
-    redis_config = app.config.get('USER_EVENTS_REDIS')
-    if not redis_config:
-      # This is the old key name.
-      redis_config = {
-        'host': app.config.get('USER_EVENTS_REDIS_HOSTNAME'),
-      }
+    def init_app(self, app):
+        redis_config = app.config.get("USER_EVENTS_REDIS")
+        if not redis_config:
+            # This is the old key name.
+            redis_config = {"host": app.config.get("USER_EVENTS_REDIS_HOSTNAME")}
 
-    user_events = UserEventBuilder(redis_config)
+        user_events = UserEventBuilder(redis_config)
 
-    # register extension with app
-    app.extensions = getattr(app, 'extensions', {})
-    app.extensions['userevents'] = user_events
-    return user_events
+        # register extension with app
+        app.extensions = getattr(app, "extensions", {})
+        app.extensions["userevents"] = user_events
+        return user_events
 
-  def __getattr__(self, name):
-    return getattr(self.state, name, None)
+    def __getattr__(self, name):
+        return getattr(self.state, name, None)
 
 
 class UserEvent(object):
-  """
+    """
   Defines a helper class for publishing to realtime user events
   as backed by Redis.
   """
-  def __init__(self, redis_config, username):
-    self._redis = redis.StrictRedis(socket_connect_timeout=2, socket_timeout=2, **redis_config)
-    self._username = username
 
-  @staticmethod
-  def _user_event_key(username, event_id):
-    return 'user/%s/events/%s' % (username, event_id)
+    def __init__(self, redis_config, username):
+        self._redis = redis.StrictRedis(
+            socket_connect_timeout=2, socket_timeout=2, **redis_config
+        )
+        self._username = username
 
-  def publish_event_data_sync(self, event_id, data_obj):
-    return self._redis.publish(self._user_event_key(self._username, event_id), json.dumps(data_obj))
+    @staticmethod
+    def _user_event_key(username, event_id):
+        return "user/%s/events/%s" % (username, event_id)
 
-  def publish_event_data(self, event_id, data_obj):
-    """
+    def publish_event_data_sync(self, event_id, data_obj):
+        return self._redis.publish(
+            self._user_event_key(self._username, event_id), json.dumps(data_obj)
+        )
+
+    def publish_event_data(self, event_id, data_obj):
+        """
     Publishes the serialized form of the data object for the given event. Note that this occurs
     in a thread to prevent blocking.
     """
-    def conduct():
-      try:
-        self.publish_event_data_sync(event_id, data_obj)
-        logger.debug('Published user event %s: %s', event_id, data_obj)
-      except redis.RedisError:
-        logger.exception('Could not publish user event')
 
-    thread = threading.Thread(target=conduct)
-    thread.start()
+        def conduct():
+            try:
+                self.publish_event_data_sync(event_id, data_obj)
+                logger.debug("Published user event %s: %s", event_id, data_obj)
+            except redis.RedisError:
+                logger.exception("Could not publish user event")
+
+        thread = threading.Thread(target=conduct)
+        thread.start()
 
 
 class UserEventListener(object):
-  """
+    """
   Defines a helper class for subscribing to realtime user events as
   backed by Redis.
   """
-  def __init__(self, redis_config, username, events=None):
-    events = events or set([])
-    channels = [self._user_event_key(username, e) for e in events]
 
-    args = dict(redis_config)
-    args.update({'socket_connect_timeout': 5,
-                 'single_connection_client': True})
+    def __init__(self, redis_config, username, events=None):
+        events = events or set([])
+        channels = [self._user_event_key(username, e) for e in events]
 
-    try:
-      self._redis = redis.StrictRedis(**args)
-      self._pubsub = self._redis.pubsub(ignore_subscribe_messages=True)
-      self._pubsub.subscribe(channels)
-    except redis.RedisError as re:
-      logger.exception('Could not reach user events redis: %s', re)
-      raise CannotReadUserEventsException
+        args = dict(redis_config)
+        args.update({"socket_connect_timeout": 5, "single_connection_client": True})
 
-  @staticmethod
-  def _user_event_key(username, event_id):
-    return 'user/%s/events/%s' % (username, event_id)
+        try:
+            self._redis = redis.StrictRedis(**args)
+            self._pubsub = self._redis.pubsub(ignore_subscribe_messages=True)
+            self._pubsub.subscribe(channels)
+        except redis.RedisError as re:
+            logger.exception("Could not reach user events redis: %s", re)
+            raise CannotReadUserEventsException
 
-  def event_stream(self):
-    """
+    @staticmethod
+    def _user_event_key(username, event_id):
+        return "user/%s/events/%s" % (username, event_id)
+
+    def event_stream(self):
+        """
     Starts listening for events on the channel(s), yielding for each event
     found. Will yield a "pulse" event (a custom event we've decided) as a heartbeat
     every few seconds.
     """
-    while True:
-      pubsub = self._pubsub
-      if pubsub is None:
-        raise StopIteration
+        while True:
+            pubsub = self._pubsub
+            if pubsub is None:
+                raise StopIteration
 
-      try:
-        item = pubsub.get_message(ignore_subscribe_messages=True, timeout=5)
-      except redis.RedisError:
-        item = None
+            try:
+                item = pubsub.get_message(ignore_subscribe_messages=True, timeout=5)
+            except redis.RedisError:
+                item = None
 
-      if item is None:
-        yield 'pulse', {}
-      else:
-        channel = item['channel']
-        event_id = channel.split('/')[3] # user/{username}/{events}/{id}
-        data = None
+            if item is None:
+                yield "pulse", {}
+            else:
+                channel = item["channel"]
+                event_id = channel.split("/")[3]  # user/{username}/{events}/{id}
+                data = None
 
-        try:
-          data = json.loads(item['data'] or '{}')
-        except ValueError:
-          continue
+                try:
+                    data = json.loads(item["data"] or "{}")
+                except ValueError:
+                    continue
 
-        if data:
-          yield event_id, data
+                if data:
+                    yield event_id, data
 
-  def stop(self):
-    """
+    def stop(self):
+        """
     Unsubscribes from the channel(s). Should be called once the connection
     has terminated.
     """
-    if self._pubsub is not None:
-      self._pubsub.unsubscribe()
-      self._pubsub.close()
-    if self._redis is not None:
-      self._redis.close()
+        if self._pubsub is not None:
+            self._pubsub.unsubscribe()
+            self._pubsub.close()
+        if self._redis is not None:
+            self._redis.close()
 
-    self._pubsub = None
-    self._redis = None
+        self._pubsub = None
+        self._redis = None
diff --git a/data/userfiles.py b/data/userfiles.py
index 1803c94ef..617e3dd7a 100644
--- a/data/userfiles.py
+++ b/data/userfiles.py
@@ -16,145 +16,183 @@ logger = logging.getLogger(__name__)
 
 
 class UserfilesHandlers(View):
-  methods = ['GET', 'PUT']
+    methods = ["GET", "PUT"]
 
-  def __init__(self, distributed_storage, location, files):
-    self._storage = distributed_storage
-    self._files = files
-    self._locations = {location}
-    self._magic = magic.Magic(mime=True)
+    def __init__(self, distributed_storage, location, files):
+        self._storage = distributed_storage
+        self._files = files
+        self._locations = {location}
+        self._magic = magic.Magic(mime=True)
 
-  def get(self, file_id):
-    path = self._files.get_file_id_path(file_id)
-    try:
-      file_stream = self._storage.stream_read_file(self._locations, path)
-      buffered = BufferedReader(file_stream)
-      file_header_bytes = buffered.peek(1024)
-      return send_file(buffered, mimetype=self._magic.from_buffer(file_header_bytes),
-                       as_attachment=True, attachment_filename=file_id)
-    except IOError:
-      logger.exception('Error reading user file')
-      abort(404)
+    def get(self, file_id):
+        path = self._files.get_file_id_path(file_id)
+        try:
+            file_stream = self._storage.stream_read_file(self._locations, path)
+            buffered = BufferedReader(file_stream)
+            file_header_bytes = buffered.peek(1024)
+            return send_file(
+                buffered,
+                mimetype=self._magic.from_buffer(file_header_bytes),
+                as_attachment=True,
+                attachment_filename=file_id,
+            )
+        except IOError:
+            logger.exception("Error reading user file")
+            abort(404)
 
-  def put(self, file_id):
-    input_stream = request.stream
-    if request.headers.get('transfer-encoding') == 'chunked':
-      # Careful, might work only with WSGI servers supporting chunked
-      # encoding (Gunicorn)
-      input_stream = request.environ['wsgi.input']
+    def put(self, file_id):
+        input_stream = request.stream
+        if request.headers.get("transfer-encoding") == "chunked":
+            # Careful, might work only with WSGI servers supporting chunked
+            # encoding (Gunicorn)
+            input_stream = request.environ["wsgi.input"]
 
-    c_type = request.headers.get('Content-Type', None)
+        c_type = request.headers.get("Content-Type", None)
 
-    path = self._files.get_file_id_path(file_id)
-    self._storage.stream_write(self._locations, path, input_stream, c_type)
+        path = self._files.get_file_id_path(file_id)
+        self._storage.stream_write(self._locations, path, input_stream, c_type)
 
-    return make_response('Okay')
+        return make_response("Okay")
 
-  def dispatch_request(self, file_id):
-    if request.method == 'GET':
-      return self.get(file_id)
-    elif request.method == 'PUT':
-      return self.put(file_id)
+    def dispatch_request(self, file_id):
+        if request.method == "GET":
+            return self.get(file_id)
+        elif request.method == "PUT":
+            return self.put(file_id)
 
 
 class MissingHandlerException(Exception):
-  pass
+    pass
 
 
 class DelegateUserfiles(object):
-  def __init__(self, app, distributed_storage, location, path, handler_name=None):
-    self._app = app
-    self._storage = distributed_storage
-    self._locations = {location}
-    self._prefix = path
-    self._handler_name = handler_name
+    def __init__(self, app, distributed_storage, location, path, handler_name=None):
+        self._app = app
+        self._storage = distributed_storage
+        self._locations = {location}
+        self._prefix = path
+        self._handler_name = handler_name
 
-  def _build_url_adapter(self):
-    return self._app.url_map.bind(self._app.config['SERVER_HOSTNAME'],
-                                  script_name=self._app.config['APPLICATION_ROOT'] or '/',
-                                  url_scheme=self._app.config['PREFERRED_URL_SCHEME'])
+    def _build_url_adapter(self):
+        return self._app.url_map.bind(
+            self._app.config["SERVER_HOSTNAME"],
+            script_name=self._app.config["APPLICATION_ROOT"] or "/",
+            url_scheme=self._app.config["PREFERRED_URL_SCHEME"],
+        )
 
-  def get_file_id_path(self, file_id):
-    # Note: We use basename here to prevent paths with ..'s and absolute paths.
-    return os.path.join(self._prefix or '', os.path.basename(file_id))
+    def get_file_id_path(self, file_id):
+        # Note: We use basename here to prevent paths with ..'s and absolute paths.
+        return os.path.join(self._prefix or "", os.path.basename(file_id))
 
-  def prepare_for_drop(self, mime_type, requires_cors=True):
-    """ Returns a signed URL to upload a file to our bucket. """
-    logger.debug('Requested upload url with content type: %s' % mime_type)
-    file_id = str(uuid4())
-    path = self.get_file_id_path(file_id)
-    url = self._storage.get_direct_upload_url(self._locations, path, mime_type, requires_cors)
+    def prepare_for_drop(self, mime_type, requires_cors=True):
+        """ Returns a signed URL to upload a file to our bucket. """
+        logger.debug("Requested upload url with content type: %s" % mime_type)
+        file_id = str(uuid4())
+        path = self.get_file_id_path(file_id)
+        url = self._storage.get_direct_upload_url(
+            self._locations, path, mime_type, requires_cors
+        )
 
-    if url is None:
-      if self._handler_name is None:
-        raise MissingHandlerException()
+        if url is None:
+            if self._handler_name is None:
+                raise MissingHandlerException()
 
-      with self._app.app_context() as ctx:
-        ctx.url_adapter = self._build_url_adapter()
-        file_relative_url = url_for(self._handler_name, file_id=file_id)
-        file_url = urlparse.urljoin(get_app_url(self._app.config), file_relative_url)
-        return (file_url, file_id)
+            with self._app.app_context() as ctx:
+                ctx.url_adapter = self._build_url_adapter()
+                file_relative_url = url_for(self._handler_name, file_id=file_id)
+                file_url = urlparse.urljoin(
+                    get_app_url(self._app.config), file_relative_url
+                )
+                return (file_url, file_id)
 
-    return (url, file_id)
+        return (url, file_id)
 
-  def store_file(self, file_like_obj, content_type, content_encoding=None, file_id=None):
-    if file_id is None:
-      file_id = str(uuid4())
+    def store_file(
+        self, file_like_obj, content_type, content_encoding=None, file_id=None
+    ):
+        if file_id is None:
+            file_id = str(uuid4())
 
-    path = self.get_file_id_path(file_id)
-    self._storage.stream_write(self._locations, path, file_like_obj, content_type,
-                               content_encoding)
-    return file_id
+        path = self.get_file_id_path(file_id)
+        self._storage.stream_write(
+            self._locations, path, file_like_obj, content_type, content_encoding
+        )
+        return file_id
 
-  def get_file_url(self, file_id, remote_ip, expires_in=300, requires_cors=False):
-    path = self.get_file_id_path(file_id)
-    url = self._storage.get_direct_download_url(self._locations, path, remote_ip, expires_in,
-                                                requires_cors)
+    def get_file_url(self, file_id, remote_ip, expires_in=300, requires_cors=False):
+        path = self.get_file_id_path(file_id)
+        url = self._storage.get_direct_download_url(
+            self._locations, path, remote_ip, expires_in, requires_cors
+        )
 
-    if url is None:
-      if self._handler_name is None:
-        raise MissingHandlerException()
+        if url is None:
+            if self._handler_name is None:
+                raise MissingHandlerException()
 
-      with self._app.app_context() as ctx:
-        ctx.url_adapter = self._build_url_adapter()
-        file_relative_url = url_for(self._handler_name, file_id=file_id)
-        return urlparse.urljoin(get_app_url(self._app.config), file_relative_url)
+            with self._app.app_context() as ctx:
+                ctx.url_adapter = self._build_url_adapter()
+                file_relative_url = url_for(self._handler_name, file_id=file_id)
+                return urlparse.urljoin(
+                    get_app_url(self._app.config), file_relative_url
+                )
 
-    return url
+        return url
 
-  def get_file_checksum(self, file_id):
-    path = self.get_file_id_path(file_id)
-    return self._storage.get_checksum(self._locations, path)
+    def get_file_checksum(self, file_id):
+        path = self.get_file_id_path(file_id)
+        return self._storage.get_checksum(self._locations, path)
 
 
 class Userfiles(object):
-  def __init__(self, app=None, distributed_storage=None, path='userfiles',
-               handler_name='userfiles_handler'):
-    self.app = app
-    if app is not None:
-      self.state = self.init_app(app, distributed_storage, path=path, handler_name=handler_name)
-    else:
-      self.state = None
+    def __init__(
+        self,
+        app=None,
+        distributed_storage=None,
+        path="userfiles",
+        handler_name="userfiles_handler",
+    ):
+        self.app = app
+        if app is not None:
+            self.state = self.init_app(
+                app, distributed_storage, path=path, handler_name=handler_name
+            )
+        else:
+            self.state = None
 
-  def init_app(self, app, distributed_storage, path='userfiles', handler_name='userfiles_handler'):
-    location = app.config.get('USERFILES_LOCATION')
-    userfiles_path = app.config.get('USERFILES_PATH', None)
+    def init_app(
+        self,
+        app,
+        distributed_storage,
+        path="userfiles",
+        handler_name="userfiles_handler",
+    ):
+        location = app.config.get("USERFILES_LOCATION")
+        userfiles_path = app.config.get("USERFILES_PATH", None)
 
-    if userfiles_path is not None:
-      userfiles = DelegateUserfiles(app, distributed_storage, location, userfiles_path,
-                                    handler_name=handler_name)
+        if userfiles_path is not None:
+            userfiles = DelegateUserfiles(
+                app,
+                distributed_storage,
+                location,
+                userfiles_path,
+                handler_name=handler_name,
+            )
 
-      app.add_url_rule('/%s/<regex("[0-9a-zA-Z-]+"):file_id>' % path,
-                       view_func=UserfilesHandlers.as_view(handler_name,
-                                                           distributed_storage=distributed_storage,
-                                                           location=location,
-                                                           files=userfiles))
+            app.add_url_rule(
+                '/%s/<regex("[0-9a-zA-Z-]+"):file_id>' % path,
+                view_func=UserfilesHandlers.as_view(
+                    handler_name,
+                    distributed_storage=distributed_storage,
+                    location=location,
+                    files=userfiles,
+                ),
+            )
 
-      # register extension with app
-      app.extensions = getattr(app, 'extensions', {})
-      app.extensions['userfiles'] = userfiles
+            # register extension with app
+            app.extensions = getattr(app, "extensions", {})
+            app.extensions["userfiles"] = userfiles
 
-    return userfiles
+        return userfiles
 
-  def __getattr__(self, name):
-    return getattr(self.state, name, None)
+    def __getattr__(self, name):
+        return getattr(self.state, name, None)
diff --git a/data/users/__init__.py b/data/users/__init__.py
index 78e025028..b9eb748f4 100644
--- a/data/users/__init__.py
+++ b/data/users/__init__.py
@@ -17,165 +17,193 @@ from util.security.secret import convert_secret_key
 
 logger = logging.getLogger(__name__)
 
+
 def get_federated_service_name(authentication_type):
-  if authentication_type == 'LDAP':
-    return 'ldap'
+    if authentication_type == "LDAP":
+        return "ldap"
 
-  if authentication_type == 'JWT':
-    return 'jwtauthn'
+    if authentication_type == "JWT":
+        return "jwtauthn"
 
-  if authentication_type == 'Keystone':
-    return 'keystone'
+    if authentication_type == "Keystone":
+        return "keystone"
 
-  if authentication_type == 'AppToken':
-    return None
+    if authentication_type == "AppToken":
+        return None
 
-  if authentication_type == 'Database':
-    return None
+    if authentication_type == "Database":
+        return None
 
-  raise Exception('Unknown auth type: %s' % authentication_type)
+    raise Exception("Unknown auth type: %s" % authentication_type)
 
 
-LDAP_CERT_FILENAME = 'ldap.crt'
+LDAP_CERT_FILENAME = "ldap.crt"
+
 
 def get_users_handler(config, _, override_config_dir):
-  """ Returns a users handler for the authentication configured in the given config object. """
-  authentication_type = config.get('AUTHENTICATION_TYPE', 'Database')
+    """ Returns a users handler for the authentication configured in the given config object. """
+    authentication_type = config.get("AUTHENTICATION_TYPE", "Database")
 
-  if authentication_type == 'Database':
-    return DatabaseUsers()
+    if authentication_type == "Database":
+        return DatabaseUsers()
 
-  if authentication_type == 'LDAP':
-    ldap_uri = config.get('LDAP_URI', 'ldap://localhost')
-    base_dn = config.get('LDAP_BASE_DN')
-    admin_dn = config.get('LDAP_ADMIN_DN')
-    admin_passwd = config.get('LDAP_ADMIN_PASSWD')
-    user_rdn = config.get('LDAP_USER_RDN', [])
-    uid_attr = config.get('LDAP_UID_ATTR', 'uid')
-    email_attr = config.get('LDAP_EMAIL_ATTR', 'mail')
-    secondary_user_rdns = config.get('LDAP_SECONDARY_USER_RDNS', [])
-    timeout = config.get('LDAP_TIMEOUT')
-    network_timeout = config.get('LDAP_NETWORK_TIMEOUT')
+    if authentication_type == "LDAP":
+        ldap_uri = config.get("LDAP_URI", "ldap://localhost")
+        base_dn = config.get("LDAP_BASE_DN")
+        admin_dn = config.get("LDAP_ADMIN_DN")
+        admin_passwd = config.get("LDAP_ADMIN_PASSWD")
+        user_rdn = config.get("LDAP_USER_RDN", [])
+        uid_attr = config.get("LDAP_UID_ATTR", "uid")
+        email_attr = config.get("LDAP_EMAIL_ATTR", "mail")
+        secondary_user_rdns = config.get("LDAP_SECONDARY_USER_RDNS", [])
+        timeout = config.get("LDAP_TIMEOUT")
+        network_timeout = config.get("LDAP_NETWORK_TIMEOUT")
 
-    allow_tls_fallback = config.get('LDAP_ALLOW_INSECURE_FALLBACK', False)
-    return LDAPUsers(ldap_uri, base_dn, admin_dn, admin_passwd, user_rdn, uid_attr, email_attr,
-                     allow_tls_fallback, secondary_user_rdns=secondary_user_rdns,
-                     requires_email=features.MAILING, timeout=timeout,
-                     network_timeout=network_timeout)
+        allow_tls_fallback = config.get("LDAP_ALLOW_INSECURE_FALLBACK", False)
+        return LDAPUsers(
+            ldap_uri,
+            base_dn,
+            admin_dn,
+            admin_passwd,
+            user_rdn,
+            uid_attr,
+            email_attr,
+            allow_tls_fallback,
+            secondary_user_rdns=secondary_user_rdns,
+            requires_email=features.MAILING,
+            timeout=timeout,
+            network_timeout=network_timeout,
+        )
 
-  if authentication_type == 'JWT':
-    verify_url = config.get('JWT_VERIFY_ENDPOINT')
-    issuer = config.get('JWT_AUTH_ISSUER')
-    max_fresh_s = config.get('JWT_AUTH_MAX_FRESH_S', 300)
+    if authentication_type == "JWT":
+        verify_url = config.get("JWT_VERIFY_ENDPOINT")
+        issuer = config.get("JWT_AUTH_ISSUER")
+        max_fresh_s = config.get("JWT_AUTH_MAX_FRESH_S", 300)
 
-    query_url = config.get('JWT_QUERY_ENDPOINT', None)
-    getuser_url = config.get('JWT_GETUSER_ENDPOINT', None)
+        query_url = config.get("JWT_QUERY_ENDPOINT", None)
+        getuser_url = config.get("JWT_GETUSER_ENDPOINT", None)
 
-    return ExternalJWTAuthN(verify_url, query_url, getuser_url, issuer, override_config_dir,
-                            config['HTTPCLIENT'], max_fresh_s,
-                            requires_email=features.MAILING)
+        return ExternalJWTAuthN(
+            verify_url,
+            query_url,
+            getuser_url,
+            issuer,
+            override_config_dir,
+            config["HTTPCLIENT"],
+            max_fresh_s,
+            requires_email=features.MAILING,
+        )
 
-  if authentication_type == 'Keystone':
-    auth_url = config.get('KEYSTONE_AUTH_URL')
-    auth_version = int(config.get('KEYSTONE_AUTH_VERSION', 2))
-    timeout = config.get('KEYSTONE_AUTH_TIMEOUT')
-    keystone_admin_username = config.get('KEYSTONE_ADMIN_USERNAME')
-    keystone_admin_password = config.get('KEYSTONE_ADMIN_PASSWORD')
-    keystone_admin_tenant = config.get('KEYSTONE_ADMIN_TENANT')
-    return get_keystone_users(auth_version, auth_url, keystone_admin_username,
-                              keystone_admin_password, keystone_admin_tenant, timeout,
-                              requires_email=features.MAILING)
+    if authentication_type == "Keystone":
+        auth_url = config.get("KEYSTONE_AUTH_URL")
+        auth_version = int(config.get("KEYSTONE_AUTH_VERSION", 2))
+        timeout = config.get("KEYSTONE_AUTH_TIMEOUT")
+        keystone_admin_username = config.get("KEYSTONE_ADMIN_USERNAME")
+        keystone_admin_password = config.get("KEYSTONE_ADMIN_PASSWORD")
+        keystone_admin_tenant = config.get("KEYSTONE_ADMIN_TENANT")
+        return get_keystone_users(
+            auth_version,
+            auth_url,
+            keystone_admin_username,
+            keystone_admin_password,
+            keystone_admin_tenant,
+            timeout,
+            requires_email=features.MAILING,
+        )
 
-  if authentication_type == 'AppToken':
-    if features.DIRECT_LOGIN:
-      raise Exception('Direct login feature must be disabled to use AppToken internal auth')
+    if authentication_type == "AppToken":
+        if features.DIRECT_LOGIN:
+            raise Exception(
+                "Direct login feature must be disabled to use AppToken internal auth"
+            )
 
-    if not features.APP_SPECIFIC_TOKENS:
-      raise Exception('AppToken internal auth requires app specific token support to be enabled')
+        if not features.APP_SPECIFIC_TOKENS:
+            raise Exception(
+                "AppToken internal auth requires app specific token support to be enabled"
+            )
 
-    return AppTokenInternalAuth()
+        return AppTokenInternalAuth()
+
+    raise RuntimeError("Unknown authentication type: %s" % authentication_type)
 
-  raise RuntimeError('Unknown authentication type: %s' % authentication_type)
 
 class UserAuthentication(object):
-  def __init__(self, app=None, config_provider=None, override_config_dir=None):
-    self.secret_key = None
-    self.app = app
-    if app is not None:
-      self.state = self.init_app(app, config_provider, override_config_dir)
-    else:
-      self.state = None
+    def __init__(self, app=None, config_provider=None, override_config_dir=None):
+        self.secret_key = None
+        self.app = app
+        if app is not None:
+            self.state = self.init_app(app, config_provider, override_config_dir)
+        else:
+            self.state = None
 
-  def init_app(self, app, config_provider, override_config_dir):
-    self.secret_key = convert_secret_key(app.config['SECRET_KEY'])
-    users = get_users_handler(app.config, config_provider, override_config_dir)
+    def init_app(self, app, config_provider, override_config_dir):
+        self.secret_key = convert_secret_key(app.config["SECRET_KEY"])
+        users = get_users_handler(app.config, config_provider, override_config_dir)
 
-    # register extension with app
-    app.extensions = getattr(app, 'extensions', {})
-    app.extensions['authentication'] = users
+        # register extension with app
+        app.extensions = getattr(app, "extensions", {})
+        app.extensions["authentication"] = users
 
-    return users
+        return users
 
-  def encrypt_user_password(self, password):
-    """ Returns an encrypted version of the user's password. """
-    data = {
-      'password': password
-    }
+    def encrypt_user_password(self, password):
+        """ Returns an encrypted version of the user's password. """
+        data = {"password": password}
 
-    message = json.dumps(data)
-    cipher = AESCipher(self.secret_key)
-    return cipher.encrypt(message)
+        message = json.dumps(data)
+        cipher = AESCipher(self.secret_key)
+        return cipher.encrypt(message)
 
-  def _decrypt_user_password(self, encrypted):
-    """ Attempts to decrypt the given password and returns it. """
-    cipher = AESCipher(self.secret_key)
+    def _decrypt_user_password(self, encrypted):
+        """ Attempts to decrypt the given password and returns it. """
+        cipher = AESCipher(self.secret_key)
 
-    try:
-      message = cipher.decrypt(encrypted)
-    except ValueError:
-      return None
-    except TypeError:
-      return None
+        try:
+            message = cipher.decrypt(encrypted)
+        except ValueError:
+            return None
+        except TypeError:
+            return None
 
-    try:
-      data = json.loads(message)
-    except ValueError:
-      return None
+        try:
+            data = json.loads(message)
+        except ValueError:
+            return None
 
-    return data.get('password', encrypted)
+        return data.get("password", encrypted)
 
-  def ping(self):
-    """ Returns whether the authentication engine is reachable and working. """
-    return self.state.ping()
+    def ping(self):
+        """ Returns whether the authentication engine is reachable and working. """
+        return self.state.ping()
 
-  @property
-  def federated_service(self):
-    """ Returns the name of the federated service for the auth system. If none, should return None.
+    @property
+    def federated_service(self):
+        """ Returns the name of the federated service for the auth system. If none, should return None.
     """
-    return self.state.federated_service
+        return self.state.federated_service
 
-  @property
-  def requires_distinct_cli_password(self):
-    """ Returns whether this auth system requires a distinct CLI password to be created,
+    @property
+    def requires_distinct_cli_password(self):
+        """ Returns whether this auth system requires a distinct CLI password to be created,
         in-system, before the CLI can be used. """
-    return self.state.requires_distinct_cli_password
+        return self.state.requires_distinct_cli_password
 
-  @property
-  def supports_encrypted_credentials(self):
-    """ Returns whether this auth system supports using encrypted credentials. """
-    return self.state.supports_encrypted_credentials
+    @property
+    def supports_encrypted_credentials(self):
+        """ Returns whether this auth system supports using encrypted credentials. """
+        return self.state.supports_encrypted_credentials
 
-  def has_password_set(self, username):
-    """ Returns whether the user has a password set in the auth system. """
-    return self.state.has_password_set(username)
+    def has_password_set(self, username):
+        """ Returns whether the user has a password set in the auth system. """
+        return self.state.has_password_set(username)
 
-  @property
-  def supports_fresh_login(self):
-    """ Returns whether this auth system supports the fresh login check. """
-    return self.state.supports_fresh_login
+    @property
+    def supports_fresh_login(self):
+        """ Returns whether this auth system supports the fresh login check. """
+        return self.state.supports_fresh_login
 
-  def query_users(self, query, limit=20):
-    """ Performs a lookup against the user system for the specified query. The returned tuple
+    def query_users(self, query, limit=20):
+        """ Performs a lookup against the user system for the specified query. The returned tuple
         will be of the form (results, federated_login_id, err_msg). If the method is unsupported,
         the results portion of the tuple will be None instead of empty list.
 
@@ -185,79 +213,91 @@ class UserAuthentication(object):
 
         Results will be in the form of objects's with username and email fields.
     """
-    return self.state.query_users(query, limit)
+        return self.state.query_users(query, limit)
 
-  def link_user(self, username_or_email):
-    """ Returns a tuple containing the database user record linked to the given username/email
+    def link_user(self, username_or_email):
+        """ Returns a tuple containing the database user record linked to the given username/email
         and any error that occurred when trying to link the user.
     """
-    return self.state.link_user(username_or_email)
+        return self.state.link_user(username_or_email)
 
-  def get_and_link_federated_user_info(self, user_info, internal_create=False):
-    """ Returns a tuple containing the database user record linked to the given UserInformation
+    def get_and_link_federated_user_info(self, user_info, internal_create=False):
+        """ Returns a tuple containing the database user record linked to the given UserInformation
         pair and any error that occurred when trying to link the user.
 
         If `internal_create` is True, the caller is an internal user creation process (such
         as team syncing), and the "can a user be created" check will be bypassed.
     """
-    return self.state.get_and_link_federated_user_info(user_info, internal_create=internal_create)
+        return self.state.get_and_link_federated_user_info(
+            user_info, internal_create=internal_create
+        )
 
-  def confirm_existing_user(self, username, password):
-    """ Verifies that the given password matches to the given DB username. Unlike
+    def confirm_existing_user(self, username, password):
+        """ Verifies that the given password matches to the given DB username. Unlike
         verify_credentials, this call first translates the DB user via the FederatedLogin table
         (where applicable).
     """
-    return self.state.confirm_existing_user(username, password)
+        return self.state.confirm_existing_user(username, password)
 
-  def verify_credentials(self, username_or_email, password):
-    """ Verifies that the given username and password credentials are valid. """
-    return self.state.verify_credentials(username_or_email, password)
+    def verify_credentials(self, username_or_email, password):
+        """ Verifies that the given username and password credentials are valid. """
+        return self.state.verify_credentials(username_or_email, password)
 
-  def check_group_lookup_args(self, group_lookup_args):
-    """ Verifies that the given group lookup args point to a valid group. Returns a tuple consisting
+    def check_group_lookup_args(self, group_lookup_args):
+        """ Verifies that the given group lookup args point to a valid group. Returns a tuple consisting
         of a boolean status and an error message (if any).
     """
-    return self.state.check_group_lookup_args(group_lookup_args)
+        return self.state.check_group_lookup_args(group_lookup_args)
 
-  def service_metadata(self):
-    """ Returns a dictionary of extra metadata to present to *superusers* about this auth engine.
+    def service_metadata(self):
+        """ Returns a dictionary of extra metadata to present to *superusers* about this auth engine.
         For example, LDAP returns the base DN so we can display to the user during sync setup.
     """
-    return self.state.service_metadata()
+        return self.state.service_metadata()
 
-  def iterate_group_members(self, group_lookup_args, page_size=None, disable_pagination=False):
-    """ Returns a tuple of an iterator over all the members of the group matching the given lookup
+    def iterate_group_members(
+        self, group_lookup_args, page_size=None, disable_pagination=False
+    ):
+        """ Returns a tuple of an iterator over all the members of the group matching the given lookup
         args dictionary, or the error that occurred if the initial call failed or is unsupported.
         The format of the lookup args dictionary is specific to the implementation.
         Each result in the iterator is a tuple of (UserInformation, error_message), and only
         one will be not-None.
     """
-    return self.state.iterate_group_members(group_lookup_args, page_size=page_size,
-                                            disable_pagination=disable_pagination)
+        return self.state.iterate_group_members(
+            group_lookup_args,
+            page_size=page_size,
+            disable_pagination=disable_pagination,
+        )
 
-  def verify_and_link_user(self, username_or_email, password, basic_auth=False):
-    """ Verifies that the given username and password credentials are valid and, if so,
+    def verify_and_link_user(self, username_or_email, password, basic_auth=False):
+        """ Verifies that the given username and password credentials are valid and, if so,
         creates or links the database user to the federated identity. """
-    # First try to decode the password as a signed token.
-    if basic_auth:
-      decrypted = self._decrypt_user_password(password)
-      if decrypted is None:
-        # This is a normal password.
-        if features.REQUIRE_ENCRYPTED_BASIC_AUTH:
-          msg = ('Client login with unencrypted passwords is disabled. Please generate an ' +
-                 'encrypted password in the user admin panel for use here.')
-          return (None, msg)
-      else:
-        password = decrypted
+        # First try to decode the password as a signed token.
+        if basic_auth:
+            decrypted = self._decrypt_user_password(password)
+            if decrypted is None:
+                # This is a normal password.
+                if features.REQUIRE_ENCRYPTED_BASIC_AUTH:
+                    msg = (
+                        "Client login with unencrypted passwords is disabled. Please generate an "
+                        + "encrypted password in the user admin panel for use here."
+                    )
+                    return (None, msg)
+            else:
+                password = decrypted
 
-    (result, err_msg) = self.state.verify_and_link_user(username_or_email, password)
-    if not result:
-      return (result, err_msg)
+        (result, err_msg) = self.state.verify_and_link_user(username_or_email, password)
+        if not result:
+            return (result, err_msg)
 
-    if not result.enabled:
-      return (None, 'This user has been disabled. Please contact your administrator.')
+        if not result.enabled:
+            return (
+                None,
+                "This user has been disabled. Please contact your administrator.",
+            )
 
-    return (result, err_msg)
+        return (result, err_msg)
 
-  def __getattr__(self, name):
-    return getattr(self.state, name, None)
+    def __getattr__(self, name):
+        return getattr(self.state, name, None)
diff --git a/data/users/apptoken.py b/data/users/apptoken.py
index c306e7064..3aa8b09bb 100644
--- a/data/users/apptoken.py
+++ b/data/users/apptoken.py
@@ -8,60 +8,64 @@ from util.security.jwtutil import InvalidTokenError
 
 logger = logging.getLogger(__name__)
 
+
 class AppTokenInternalAuth(object):
-  """ Forces all internal credential login to go through an app token, by disabling all other
+    """ Forces all internal credential login to go through an app token, by disabling all other
       access.
   """
-  @property
-  def supports_fresh_login(self):
-    # Since there is no password.
-    return False
 
-  @property
-  def federated_service(self):
-    return None
+    @property
+    def supports_fresh_login(self):
+        # Since there is no password.
+        return False
 
-  @property
-  def requires_distinct_cli_password(self):
-    # Since there is no supported "password".
-    return False
+    @property
+    def federated_service(self):
+        return None
 
-  def has_password_set(self, username):
-    # Since there is no supported "password".
-    return False
+    @property
+    def requires_distinct_cli_password(self):
+        # Since there is no supported "password".
+        return False
 
-  @property
-  def supports_encrypted_credentials(self):
-    # Since there is no supported "password".
-    return False
+    def has_password_set(self, username):
+        # Since there is no supported "password".
+        return False
 
-  def verify_credentials(self, username_or_email, id_token):
-    return (None, 'An application specific token is required to login')
+    @property
+    def supports_encrypted_credentials(self):
+        # Since there is no supported "password".
+        return False
 
-  def verify_and_link_user(self, username_or_email, password):
-    return self.verify_credentials(username_or_email, password)
+    def verify_credentials(self, username_or_email, id_token):
+        return (None, "An application specific token is required to login")
 
-  def confirm_existing_user(self, username, password):
-    return self.verify_credentials(username, password)
+    def verify_and_link_user(self, username_or_email, password):
+        return self.verify_credentials(username_or_email, password)
 
-  def link_user(self, username_or_email):
-    return (None, 'Unsupported for this authentication system')
+    def confirm_existing_user(self, username, password):
+        return self.verify_credentials(username, password)
 
-  def get_and_link_federated_user_info(self, user_info):
-    return (None, 'Unsupported for this authentication system')
+    def link_user(self, username_or_email):
+        return (None, "Unsupported for this authentication system")
 
-  def query_users(self, query, limit):
-    return (None, '', '')
+    def get_and_link_federated_user_info(self, user_info):
+        return (None, "Unsupported for this authentication system")
 
-  def check_group_lookup_args(self, group_lookup_args):
-    return (False, 'Not supported')
+    def query_users(self, query, limit):
+        return (None, "", "")
 
-  def iterate_group_members(self, group_lookup_args, page_size=None, disable_pagination=False):
-    return (None, 'Not supported')
+    def check_group_lookup_args(self, group_lookup_args):
+        return (False, "Not supported")
 
-  def service_metadata(self):
-    return {}
+    def iterate_group_members(
+        self, group_lookup_args, page_size=None, disable_pagination=False
+    ):
+        return (None, "Not supported")
 
-  def ping(self):
-    """ Always assumed to be working. If the DB is broken, other checks will handle it. """
-    return (True, None)
+    def service_metadata(self):
+        return {}
+
+    def ping(self):
+        """ Always assumed to be working. If the DB is broken, other checks will handle it. """
+        return (True, None)
diff --git a/data/users/database.py b/data/users/database.py
index 2a1780429..581cdff49 100644
--- a/data/users/database.py
+++ b/data/users/database.py
@@ -1,66 +1,69 @@
 from data import model
 
+
 class DatabaseUsers(object):
-  @property
-  def federated_service(self):
-    return None
+    @property
+    def federated_service(self):
+        return None
 
-  @property
-  def supports_fresh_login(self):
-    return True
+    @property
+    def supports_fresh_login(self):
+        return True
 
-  def ping(self):
-    """ Always assumed to be working. If the DB is broken, other checks will handle it. """
-    return (True, None)
+    def ping(self):
+        """ Always assumed to be working. If the DB is broken, other checks will handle it. """
+        return (True, None)
 
-  @property
-  def supports_encrypted_credentials(self):
-    return True
+    @property
+    def supports_encrypted_credentials(self):
+        return True
 
-  def has_password_set(self, username):
-    user = model.user.get_user(username)
-    return user and user.password_hash is not None
+    def has_password_set(self, username):
+        user = model.user.get_user(username)
+        return user and user.password_hash is not None
 
-  @property
-  def requires_distinct_cli_password(self):
-    # Since the database stores its own password.
-    return True
+    @property
+    def requires_distinct_cli_password(self):
+        # Since the database stores its own password.
+        return True
 
-  def verify_credentials(self, username_or_email, password):
-    """ Simply delegate to the model implementation. """
-    result = model.user.verify_user(username_or_email, password)
-    if not result:
-      return (None, 'Invalid Username or Password')
+    def verify_credentials(self, username_or_email, password):
+        """ Simply delegate to the model implementation. """
+        result = model.user.verify_user(username_or_email, password)
+        if not result:
+            return (None, "Invalid Username or Password")
 
-    return (result, None)
+        return (result, None)
 
-  def verify_and_link_user(self, username_or_email, password):
-    """ Simply delegate to the model implementation. """
-    return self.verify_credentials(username_or_email, password)
+    def verify_and_link_user(self, username_or_email, password):
+        """ Simply delegate to the model implementation. """
+        return self.verify_credentials(username_or_email, password)
 
-  def confirm_existing_user(self, username, password):
-    return self.verify_credentials(username, password)
+    def confirm_existing_user(self, username, password):
+        return self.verify_credentials(username, password)
 
-  def link_user(self, username_or_email):
-    """ Never used since all users being added are already, by definition, in the database. """
-    return (None, 'Unsupported for this authentication system')
+    def link_user(self, username_or_email):
+        """ Never used since all users being added are already, by definition, in the database. """
+        return (None, "Unsupported for this authentication system")
 
-  def get_and_link_federated_user_info(self, user_info, internal_create=False):
-    """ Never used since all users being added are already, by definition, in the database. """
-    return (None, 'Unsupported for this authentication system')
+    def get_and_link_federated_user_info(self, user_info, internal_create=False):
+        """ Never used since all users being added are already, by definition, in the database. """
+        return (None, "Unsupported for this authentication system")
 
-  def query_users(self, query, limit):
-    """ No need to implement, as we already query for users directly in the database. """
-    return (None, '', '')
+    def query_users(self, query, limit):
+        """ No need to implement, as we already query for users directly in the database. """
+        return (None, "", "")
 
-  def check_group_lookup_args(self, group_lookup_args):
-    """ Never used since all groups, by definition, are in the database. """
-    return (False, 'Not supported')
+    def check_group_lookup_args(self, group_lookup_args):
+        """ Never used since all groups, by definition, are in the database. """
+        return (False, "Not supported")
 
-  def iterate_group_members(self, group_lookup_args, page_size=None, disable_pagination=False):
-    """ Never used since all groups, by definition, are in the database. """
-    return (None, 'Not supported')
+    def iterate_group_members(
+        self, group_lookup_args, page_size=None, disable_pagination=False
+    ):
+        """ Never used since all groups, by definition, are in the database. """
+        return (None, "Not supported")
 
-  def service_metadata(self):
-    """ Never used since database has no metadata """
-    return {}
+    def service_metadata(self):
+        """ Never used since database has no metadata """
+        return {}
diff --git a/data/users/externaljwt.py b/data/users/externaljwt.py
index 7f2fea255..0475e4581 100644
--- a/data/users/externaljwt.py
+++ b/data/users/externaljwt.py
@@ -10,119 +10,152 @@ logger = logging.getLogger(__name__)
 
 
 class ExternalJWTAuthN(FederatedUsers):
-  """ Delegates authentication to a REST endpoint that returns JWTs. """
-  PUBLIC_KEY_FILENAME = 'jwt-authn.cert'
+    """ Delegates authentication to a REST endpoint that returns JWTs. """
 
-  def __init__(self, verify_url, query_url, getuser_url, issuer, override_config_dir, http_client,
-               max_fresh_s, public_key_path=None, requires_email=True):
-    super(ExternalJWTAuthN, self).__init__('jwtauthn', requires_email)
-    self.verify_url = verify_url
-    self.query_url = query_url
-    self.getuser_url = getuser_url
+    PUBLIC_KEY_FILENAME = "jwt-authn.cert"
 
-    self.issuer = issuer
-    self.client = http_client
-    self.max_fresh_s = max_fresh_s
-    self.requires_email = requires_email
+    def __init__(
+        self,
+        verify_url,
+        query_url,
+        getuser_url,
+        issuer,
+        override_config_dir,
+        http_client,
+        max_fresh_s,
+        public_key_path=None,
+        requires_email=True,
+    ):
+        super(ExternalJWTAuthN, self).__init__("jwtauthn", requires_email)
+        self.verify_url = verify_url
+        self.query_url = query_url
+        self.getuser_url = getuser_url
 
-    default_key_path = os.path.join(override_config_dir, ExternalJWTAuthN.PUBLIC_KEY_FILENAME)
-    public_key_path = public_key_path or default_key_path
-    if not os.path.exists(public_key_path):
-      error_message = ('JWT Authentication public key file "%s" not found' % public_key_path)
+        self.issuer = issuer
+        self.client = http_client
+        self.max_fresh_s = max_fresh_s
+        self.requires_email = requires_email
 
-      raise Exception(error_message)
+        default_key_path = os.path.join(
+            override_config_dir, ExternalJWTAuthN.PUBLIC_KEY_FILENAME
+        )
+        public_key_path = public_key_path or default_key_path
+        if not os.path.exists(public_key_path):
+            error_message = (
+                'JWT Authentication public key file "%s" not found' % public_key_path
+            )
 
-    self.public_key_path = public_key_path
+            raise Exception(error_message)
 
-    with open(public_key_path) as public_key_file:
-      self.public_key = public_key_file.read()
+        self.public_key_path = public_key_path
 
-  def has_password_set(self, username):
-    return True
+        with open(public_key_path) as public_key_file:
+            self.public_key = public_key_file.read()
 
-  def ping(self):
-    result = self.client.get(self.getuser_url, timeout=2)
-    # We expect a 401 or 403 of some kind, since we explicitly don't send an auth header
-    if result.status_code // 100 != 4:
-      return (False, result.text or 'Could not reach JWT authn endpoint')
+    def has_password_set(self, username):
+        return True
 
-    return (True, None)
+    def ping(self):
+        result = self.client.get(self.getuser_url, timeout=2)
+        # We expect a 401 or 403 of some kind, since we explicitly don't send an auth header
+        if result.status_code // 100 != 4:
+            return (False, result.text or "Could not reach JWT authn endpoint")
 
-  def get_user(self, username_or_email):
-    if self.getuser_url is None:
-      return (None, 'No endpoint defined for retrieving user')
+        return (True, None)
 
-    (payload, err_msg) = self._execute_call(self.getuser_url, 'quay.io/jwtauthn/getuser',
-                                            params=dict(username=username_or_email))
-    if err_msg is not None:
-      return (None, err_msg)
+    def get_user(self, username_or_email):
+        if self.getuser_url is None:
+            return (None, "No endpoint defined for retrieving user")
 
-    if not 'sub' in payload:
-      raise Exception('Missing sub field in JWT')
+        (payload, err_msg) = self._execute_call(
+            self.getuser_url,
+            "quay.io/jwtauthn/getuser",
+            params=dict(username=username_or_email),
+        )
+        if err_msg is not None:
+            return (None, err_msg)
 
-    if self.requires_email and not 'email' in payload:
-      raise Exception('Missing email field in JWT')
+        if not "sub" in payload:
+            raise Exception("Missing sub field in JWT")
 
-    # Parse out the username and email.
-    user_info = UserInformation(username=payload['sub'], email=payload.get('email'),
-                                id=payload['sub'])
-    return (user_info, None)
+        if self.requires_email and not "email" in payload:
+            raise Exception("Missing email field in JWT")
 
+        # Parse out the username and email.
+        user_info = UserInformation(
+            username=payload["sub"], email=payload.get("email"), id=payload["sub"]
+        )
+        return (user_info, None)
 
-  def query_users(self, query, limit=20):
-    if self.query_url is None:
-      return (None, self.federated_service, 'No endpoint defined for querying users')
+    def query_users(self, query, limit=20):
+        if self.query_url is None:
+            return (
+                None,
+                self.federated_service,
+                "No endpoint defined for querying users",
+            )
 
-    (payload, err_msg) = self._execute_call(self.query_url, 'quay.io/jwtauthn/query',
-                                            params=dict(query=query, limit=limit))
-    if err_msg is not None:
-      return (None, self.federated_service, err_msg)
+        (payload, err_msg) = self._execute_call(
+            self.query_url,
+            "quay.io/jwtauthn/query",
+            params=dict(query=query, limit=limit),
+        )
+        if err_msg is not None:
+            return (None, self.federated_service, err_msg)
 
-    query_results = []
-    for result in payload['results'][0:limit]:
-      user_info = UserInformation(username=result['username'], email=result.get('email'),
-                                  id=result['username'])
-      query_results.append(user_info)
+        query_results = []
+        for result in payload["results"][0:limit]:
+            user_info = UserInformation(
+                username=result["username"],
+                email=result.get("email"),
+                id=result["username"],
+            )
+            query_results.append(user_info)
 
-    return (query_results, self.federated_service, None)
+        return (query_results, self.federated_service, None)
 
+    def verify_credentials(self, username_or_email, password):
+        (payload, err_msg) = self._execute_call(
+            self.verify_url, "quay.io/jwtauthn", auth=(username_or_email, password)
+        )
+        if err_msg is not None:
+            return (None, err_msg)
 
-  def verify_credentials(self, username_or_email, password):
-    (payload, err_msg) = self._execute_call(self.verify_url, 'quay.io/jwtauthn',
-                                            auth=(username_or_email, password))
-    if err_msg is not None:
-      return (None, err_msg)
+        if not "sub" in payload:
+            raise Exception("Missing sub field in JWT")
 
-    if not 'sub' in payload:
-      raise Exception('Missing sub field in JWT')
+        if self.requires_email and not "email" in payload:
+            raise Exception("Missing email field in JWT")
 
-    if self.requires_email and not 'email' in payload:
-      raise Exception('Missing email field in JWT')
+        user_info = UserInformation(
+            username=payload["sub"], email=payload.get("email"), id=payload["sub"]
+        )
+        return (user_info, None)
 
-    user_info = UserInformation(username=payload['sub'], email=payload.get('email'),
-                                id=payload['sub'])
-    return (user_info, None)
+    def _execute_call(self, url, aud, auth=None, params=None):
+        """ Executes a call to the external JWT auth provider. """
+        result = self.client.get(url, timeout=2, auth=auth, params=params)
+        if result.status_code != 200:
+            return (None, result.text or "Could not make JWT auth call")
 
+        try:
+            result_data = json.loads(result.text)
+        except ValueError:
+            raise Exception("Returned JWT body for url %s does not contain JSON", url)
 
-  def _execute_call(self, url, aud, auth=None, params=None):
-    """ Executes a call to the external JWT auth provider. """
-    result = self.client.get(url, timeout=2, auth=auth, params=params)
-    if result.status_code != 200:
-      return (None, result.text or 'Could not make JWT auth call')
-
-    try:
-      result_data = json.loads(result.text)
-    except ValueError:
-      raise Exception('Returned JWT body for url %s does not contain JSON', url)
-
-    # Load the JWT returned.
-    encoded = result_data.get('token', '')
-    exp_limit_options = jwtutil.exp_max_s_option(self.max_fresh_s)
-    try:
-      payload = jwtutil.decode(encoded, self.public_key, algorithms=['RS256'],
-                               audience=aud, issuer=self.issuer,
-                               options=exp_limit_options)
-      return (payload, None)
-    except jwtutil.InvalidTokenError:
-      logger.exception('Exception when decoding returned JWT for url %s', url)
-      return (None, 'Exception when decoding returned JWT')
+        # Load the JWT returned.
+        encoded = result_data.get("token", "")
+        exp_limit_options = jwtutil.exp_max_s_option(self.max_fresh_s)
+        try:
+            payload = jwtutil.decode(
+                encoded,
+                self.public_key,
+                algorithms=["RS256"],
+                audience=aud,
+                issuer=self.issuer,
+                options=exp_limit_options,
+            )
+            return (payload, None)
+        except jwtutil.InvalidTokenError:
+            logger.exception("Exception when decoding returned JWT for url %s", url)
+            return (None, "Exception when decoding returned JWT")
diff --git a/data/users/externalldap.py b/data/users/externalldap.py
index c1242e5d1..0fcfe81cf 100644
--- a/data/users/externalldap.py
+++ b/data/users/externalldap.py
@@ -11,403 +11,519 @@ from util.itertoolrecipes import take
 
 logger = logging.getLogger(__name__)
 
-_DEFAULT_NETWORK_TIMEOUT = 10.0 # seconds
-_DEFAULT_TIMEOUT = 10.0 # seconds
+_DEFAULT_NETWORK_TIMEOUT = 10.0  # seconds
+_DEFAULT_TIMEOUT = 10.0  # seconds
 _DEFAULT_PAGE_SIZE = 1000
 
 
 class LDAPConnectionBuilder(object):
-  def __init__(self, ldap_uri, user_dn, user_pw, allow_tls_fallback=False,
-               timeout=None, network_timeout=None):
-    self._ldap_uri = ldap_uri
-    self._user_dn = user_dn
-    self._user_pw = user_pw
-    self._allow_tls_fallback = allow_tls_fallback
-    self._timeout = timeout
-    self._network_timeout = network_timeout
+    def __init__(
+        self,
+        ldap_uri,
+        user_dn,
+        user_pw,
+        allow_tls_fallback=False,
+        timeout=None,
+        network_timeout=None,
+    ):
+        self._ldap_uri = ldap_uri
+        self._user_dn = user_dn
+        self._user_pw = user_pw
+        self._allow_tls_fallback = allow_tls_fallback
+        self._timeout = timeout
+        self._network_timeout = network_timeout
 
-  def get_connection(self):
-    return LDAPConnection(self._ldap_uri, self._user_dn, self._user_pw, self._allow_tls_fallback,
-                          self._timeout, self._network_timeout)
+    def get_connection(self):
+        return LDAPConnection(
+            self._ldap_uri,
+            self._user_dn,
+            self._user_pw,
+            self._allow_tls_fallback,
+            self._timeout,
+            self._network_timeout,
+        )
 
 
 class LDAPConnection(object):
-  def __init__(self, ldap_uri, user_dn, user_pw, allow_tls_fallback=False,
-               timeout=None, network_timeout=None):
-    self._ldap_uri = ldap_uri
-    self._user_dn = user_dn
-    self._user_pw = user_pw
-    self._allow_tls_fallback = allow_tls_fallback
-    self._timeout = timeout
-    self._network_timeout = network_timeout
-    self._conn = None
+    def __init__(
+        self,
+        ldap_uri,
+        user_dn,
+        user_pw,
+        allow_tls_fallback=False,
+        timeout=None,
+        network_timeout=None,
+    ):
+        self._ldap_uri = ldap_uri
+        self._user_dn = user_dn
+        self._user_pw = user_pw
+        self._allow_tls_fallback = allow_tls_fallback
+        self._timeout = timeout
+        self._network_timeout = network_timeout
+        self._conn = None
 
-  def __enter__(self):
-    trace_level = 2 if os.environ.get('USERS_DEBUG') == '1' else 0
+    def __enter__(self):
+        trace_level = 2 if os.environ.get("USERS_DEBUG") == "1" else 0
 
-    self._conn = ldap.initialize(self._ldap_uri, trace_level=trace_level)
-    self._conn.set_option(ldap.OPT_REFERRALS, 1)
-    self._conn.set_option(ldap.OPT_NETWORK_TIMEOUT,
-                          self._network_timeout or _DEFAULT_NETWORK_TIMEOUT)
-    self._conn.set_option(ldap.OPT_TIMEOUT, self._timeout or _DEFAULT_TIMEOUT)
+        self._conn = ldap.initialize(self._ldap_uri, trace_level=trace_level)
+        self._conn.set_option(ldap.OPT_REFERRALS, 1)
+        self._conn.set_option(
+            ldap.OPT_NETWORK_TIMEOUT, self._network_timeout or _DEFAULT_NETWORK_TIMEOUT
+        )
+        self._conn.set_option(ldap.OPT_TIMEOUT, self._timeout or _DEFAULT_TIMEOUT)
 
-    if self._allow_tls_fallback:
-      logger.debug('TLS Fallback enabled in LDAP')
-      self._conn.set_option(ldap.OPT_X_TLS_TRY, 1)
+        if self._allow_tls_fallback:
+            logger.debug("TLS Fallback enabled in LDAP")
+            self._conn.set_option(ldap.OPT_X_TLS_TRY, 1)
 
-    self._conn.simple_bind_s(self._user_dn, self._user_pw)
-    return self._conn
+        self._conn.simple_bind_s(self._user_dn, self._user_pw)
+        return self._conn
 
-  def __exit__(self, exc_type, value, tb):
-    self._conn.unbind_s()
+    def __exit__(self, exc_type, value, tb):
+        self._conn.unbind_s()
 
 
 class LDAPUsers(FederatedUsers):
-  _LDAPResult = namedtuple('LDAPResult', ['dn', 'attrs'])
+    _LDAPResult = namedtuple("LDAPResult", ["dn", "attrs"])
 
-  def __init__(self, ldap_uri, base_dn, admin_dn, admin_passwd, user_rdn, uid_attr, email_attr,
-               allow_tls_fallback=False, secondary_user_rdns=None, requires_email=True,
-               timeout=None, network_timeout=None, force_no_pagination=False):
-    super(LDAPUsers, self).__init__('ldap', requires_email)
+    def __init__(
+        self,
+        ldap_uri,
+        base_dn,
+        admin_dn,
+        admin_passwd,
+        user_rdn,
+        uid_attr,
+        email_attr,
+        allow_tls_fallback=False,
+        secondary_user_rdns=None,
+        requires_email=True,
+        timeout=None,
+        network_timeout=None,
+        force_no_pagination=False,
+    ):
+        super(LDAPUsers, self).__init__("ldap", requires_email)
 
-    self._ldap = LDAPConnectionBuilder(ldap_uri, admin_dn, admin_passwd, allow_tls_fallback,
-                                       timeout, network_timeout)
-    self._ldap_uri = ldap_uri
-    self._uid_attr = uid_attr
-    self._email_attr = email_attr
-    self._allow_tls_fallback = allow_tls_fallback
-    self._requires_email = requires_email
-    self._force_no_pagination = force_no_pagination
+        self._ldap = LDAPConnectionBuilder(
+            ldap_uri,
+            admin_dn,
+            admin_passwd,
+            allow_tls_fallback,
+            timeout,
+            network_timeout,
+        )
+        self._ldap_uri = ldap_uri
+        self._uid_attr = uid_attr
+        self._email_attr = email_attr
+        self._allow_tls_fallback = allow_tls_fallback
+        self._requires_email = requires_email
+        self._force_no_pagination = force_no_pagination
 
-    # Note: user_rdn is a list of RDN pieces (for historical reasons), and secondary_user_rds
-    # is a list of RDN strings.
-    relative_user_dns = [','.join(user_rdn)] + (secondary_user_rdns or [])
+        # Note: user_rdn is a list of RDN pieces (for historical reasons), and secondary_user_rds
+        # is a list of RDN strings.
+        relative_user_dns = [",".join(user_rdn)] + (secondary_user_rdns or [])
 
-    def get_full_rdn(relative_dn):
-      prefix = relative_dn.split(',') if relative_dn else []
-      return ','.join(prefix + base_dn)
+        def get_full_rdn(relative_dn):
+            prefix = relative_dn.split(",") if relative_dn else []
+            return ",".join(prefix + base_dn)
 
-    # Create the set of full DN paths.
-    self._user_dns = [get_full_rdn(relative_dn) for relative_dn in relative_user_dns]
-    self._base_dn = ','.join(base_dn)
+        # Create the set of full DN paths.
+        self._user_dns = [
+            get_full_rdn(relative_dn) for relative_dn in relative_user_dns
+        ]
+        self._base_dn = ",".join(base_dn)
 
-  def _get_ldap_referral_dn(self, referral_exception):
-    logger.debug('Got referral: %s', referral_exception.args[0])
-    if not referral_exception.args[0] or not referral_exception.args[0].get('info'):
-      logger.debug('LDAP referral missing info block')
-      return None
+    def _get_ldap_referral_dn(self, referral_exception):
+        logger.debug("Got referral: %s", referral_exception.args[0])
+        if not referral_exception.args[0] or not referral_exception.args[0].get("info"):
+            logger.debug("LDAP referral missing info block")
+            return None
 
-    referral_info = referral_exception.args[0]['info']
-    if not referral_info.startswith('Referral:\n'):
-      logger.debug('LDAP referral missing Referral header')
-      return None
+        referral_info = referral_exception.args[0]["info"]
+        if not referral_info.startswith("Referral:\n"):
+            logger.debug("LDAP referral missing Referral header")
+            return None
 
-    referral_uri = referral_info[len('Referral:\n'):]
-    if not referral_uri.startswith('ldap:///'):
-      logger.debug('LDAP referral URI does not start with ldap:///')
-      return None
+        referral_uri = referral_info[len("Referral:\n") :]
+        if not referral_uri.startswith("ldap:///"):
+            logger.debug("LDAP referral URI does not start with ldap:///")
+            return None
 
-    referral_dn = referral_uri[len('ldap:///'):]
-    return referral_dn
+        referral_dn = referral_uri[len("ldap:///") :]
+        return referral_dn
 
-  def _ldap_user_search_with_rdn(self, conn, username_or_email, user_search_dn, suffix=''):
-    query = u'(|({0}={2}{3})({1}={2}{3}))'.format(self._uid_attr, self._email_attr,
-                                                  escape_filter_chars(username_or_email),
-                                                  suffix)
-    logger.debug('Conducting user search: %s under %s', query, user_search_dn)
-    try:
-      return (conn.search_s(user_search_dn, ldap.SCOPE_SUBTREE, query.encode('utf-8')), None)
-    except ldap.REFERRAL as re:
-      referral_dn = self._get_ldap_referral_dn(re)
-      if not referral_dn:
-        return (None, 'Failed to follow referral when looking up username')
-
-      try:
-        subquery = u'(%s=%s)' % (self._uid_attr, username_or_email)
-        return (conn.search_s(referral_dn, ldap.SCOPE_BASE, subquery), None)
-      except ldap.LDAPError:
-        logger.debug('LDAP referral search exception')
-        return (None, 'Username not found')
-
-    except ldap.LDAPError:
-      logger.debug('LDAP search exception')
-      return (None, 'Username not found')
-
-  def _ldap_user_search(self, username_or_email, limit=20, suffix=''):
-    if not username_or_email:
-      return (None, 'Empty username/email')
-
-    # Verify the admin connection works first. We do this here to avoid wrapping
-    # the entire block in the INVALID CREDENTIALS check.
-    try:
-      with self._ldap.get_connection():
-        pass
-    except ldap.INVALID_CREDENTIALS:
-      return (None, 'LDAP Admin dn or password is invalid')
-
-    with self._ldap.get_connection() as conn:
-      logger.debug('Incoming username or email param: %s', username_or_email.__repr__())
-
-      for user_search_dn in self._user_dns:
-        (pairs, err_msg) = self._ldap_user_search_with_rdn(conn, username_or_email, user_search_dn,
-                                                           suffix=suffix)
-        if pairs is not None and len(pairs) > 0:
-          break
-
-      if err_msg is not None:
-        return (None, err_msg)
-
-      logger.debug('Found matching pairs: %s', pairs)
-      results = [LDAPUsers._LDAPResult(*pair) for pair in take(limit, pairs)]
-
-      # Filter out pairs without DNs. Some LDAP impls will return such pairs.
-      with_dns = [result for result in results if result.dn]
-      return (with_dns, None)
-
-  def _ldap_single_user_search(self, username_or_email):
-    with_dns, err_msg = self._ldap_user_search(username_or_email)
-    if err_msg is not None:
-      return (None, err_msg)
-
-    # Make sure we have at least one result.
-    if len(with_dns) < 1:
-      return (None, 'Username not found')
-
-    # If we have found a single pair, then return it.
-    if len(with_dns) == 1:
-      return (with_dns[0], None)
-
-    # Otherwise, there are multiple pairs with DNs, so find the one with the mail
-    # attribute (if any).
-    with_mail = [result for result in with_dns if result.attrs.get(self._email_attr)]
-    return (with_mail[0] if with_mail else with_dns[0], None)
-
-  def _build_user_information(self, response):
-    if not response.get(self._uid_attr):
-      return (None, 'Missing uid field "%s" in user record' % self._uid_attr)
-
-    if self._requires_email and not response.get(self._email_attr):
-      return (None, 'Missing mail field "%s" in user record' % self._email_attr)
-
-    username = response[self._uid_attr][0].decode('utf-8')
-    email = response.get(self._email_attr, [None])[0]
-    return (UserInformation(username=username, email=email, id=username), None)
-
-  def ping(self):
-    try:
-      with self._ldap.get_connection():
-        pass
-    except ldap.INVALID_CREDENTIALS:
-      return (False, 'LDAP Admin dn or password is invalid')
-    except ldap.LDAPError as lde:
-      logger.exception('Exception when trying to health check LDAP')
-      return (False, lde.message)
-
-    return (True, None)
-
-  def at_least_one_user_exists(self):
-    logger.debug('Checking if any users exist in LDAP')
-    try:
-      with self._ldap.get_connection():
-        pass
-    except ldap.INVALID_CREDENTIALS:
-      return (None, 'LDAP Admin dn or password is invalid')
-
-    has_pagination = not self._force_no_pagination
-    with self._ldap.get_connection() as conn:
-      for user_search_dn in self._user_dns:
-        lc = ldap.controls.libldap.SimplePagedResultsControl(criticality=True, size=1, cookie='')
+    def _ldap_user_search_with_rdn(
+        self, conn, username_or_email, user_search_dn, suffix=""
+    ):
+        query = u"(|({0}={2}{3})({1}={2}{3}))".format(
+            self._uid_attr,
+            self._email_attr,
+            escape_filter_chars(username_or_email),
+            suffix,
+        )
+        logger.debug("Conducting user search: %s under %s", query, user_search_dn)
         try:
-          if has_pagination:
-            msgid = conn.search_ext(user_search_dn, ldap.SCOPE_SUBTREE, serverctrls=[lc])
-            _, rdata, _, serverctrls = conn.result3(msgid)
-          else:
-            msgid = conn.search(user_search_dn, ldap.SCOPE_SUBTREE)
-            _, rdata = conn.result(msgid)
+            return (
+                conn.search_s(
+                    user_search_dn, ldap.SCOPE_SUBTREE, query.encode("utf-8")
+                ),
+                None,
+            )
+        except ldap.REFERRAL as re:
+            referral_dn = self._get_ldap_referral_dn(re)
+            if not referral_dn:
+                return (None, "Failed to follow referral when looking up username")
 
-          for entry in rdata: # Handles both lists and iterators.
-            return (True, None)
+            try:
+                subquery = u"(%s=%s)" % (self._uid_attr, username_or_email)
+                return (conn.search_s(referral_dn, ldap.SCOPE_BASE, subquery), None)
+            except ldap.LDAPError:
+                logger.debug("LDAP referral search exception")
+                return (None, "Username not found")
 
-        except ldap.LDAPError as lde:
-          return (False, str(lde) or 'Could not find DN %s' % user_search_dn)
+        except ldap.LDAPError:
+            logger.debug("LDAP search exception")
+            return (None, "Username not found")
 
-    return (False, None)
+    def _ldap_user_search(self, username_or_email, limit=20, suffix=""):
+        if not username_or_email:
+            return (None, "Empty username/email")
 
-  def get_user(self, username_or_email):
-    """ Looks up a username or email in LDAP. """
-    logger.debug('Looking up LDAP username or email %s', username_or_email)
-    (found_user, err_msg) = self._ldap_single_user_search(username_or_email)
-    if err_msg is not None:
-      return (None, err_msg)
-
-    logger.debug('Found user for LDAP username or email %s', username_or_email)
-    _, found_response = found_user
-    return self._build_user_information(found_response)
-
-  def query_users(self, query, limit=20):
-    """ Queries LDAP for matching users. """
-    if not query:
-      return (None, self.federated_service, 'Empty query')
-
-    logger.debug('Got query %s with limit %s', query, limit)
-    (results, err_msg) = self._ldap_user_search(query, limit=limit, suffix='*')
-    if err_msg is not None:
-      return (None, self.federated_service, err_msg)
-
-    final_results = []
-    for result in results[0:limit]:
-      credentials, err_msg = self._build_user_information(result.attrs)
-      if err_msg is not None:
-        continue
-
-      final_results.append(credentials)
-
-    logger.debug('For query %s found results %s', query, final_results)
-    return (final_results, self.federated_service, None)
-
-  def verify_credentials(self, username_or_email, password):
-    """ Verify the credentials with LDAP. """
-    # Make sure that even if the server supports anonymous binds, we don't allow it
-    if not password:
-      return (None, 'Anonymous binding not allowed')
-
-    (found_user, err_msg) = self._ldap_single_user_search(username_or_email)
-    if found_user is None:
-      return (None, err_msg)
-
-    found_dn, found_response = found_user
-    logger.debug('Found user for LDAP username %s; validating password', username_or_email)
-    logger.debug('DN %s found: %s', found_dn, found_response)
-
-    # First validate the password by binding as the user
-    try:
-      with LDAPConnection(self._ldap_uri, found_dn, password.encode('utf-8'),
-                          self._allow_tls_fallback):
-        pass
-    except ldap.REFERRAL as re:
-      referral_dn = self._get_ldap_referral_dn(re)
-      if not referral_dn:
-        return (None, 'Invalid username')
-
-      try:
-        with LDAPConnection(self._ldap_uri, referral_dn, password.encode('utf-8'),
-                            self._allow_tls_fallback):
-          pass
-      except ldap.INVALID_CREDENTIALS:
-        logger.debug('Invalid LDAP credentials')
-        return (None, 'Invalid password')
-
-    except ldap.INVALID_CREDENTIALS:
-      logger.debug('Invalid LDAP credentials')
-      return (None, 'Invalid password')
-
-    return self._build_user_information(found_response)
-
-  def service_metadata(self):
-    return {
-      'base_dn': self._base_dn,
-    }
-
-  def check_group_lookup_args(self, group_lookup_args, disable_pagination=False):
-    if not group_lookup_args.get('group_dn'):
-      return (False, 'Missing group_dn')
-
-    (it, err) = self.iterate_group_members(group_lookup_args, page_size=1,
-                                           disable_pagination=disable_pagination)
-    if err is not None:
-      return (False, err)
-
-    if not next(it, False):
-      return (False, 'Group does not exist or is empty')
-
-    return (True, None)
-
-  def iterate_group_members(self, group_lookup_args, page_size=None, disable_pagination=False):
-    try:
-      with self._ldap.get_connection():
-        pass
-    except ldap.INVALID_CREDENTIALS:
-      return (None, 'LDAP Admin dn or password is invalid')
-
-    group_dn = group_lookup_args['group_dn']
-    page_size = page_size or _DEFAULT_PAGE_SIZE
-    return (self._iterate_members(group_dn, page_size, disable_pagination), None)
-
-  def _iterate_members(self, group_dn, page_size, disable_pagination):
-    has_pagination = not(self._force_no_pagination or disable_pagination)
-    with self._ldap.get_connection() as conn:
-      search_flt = filter_format('(memberOf=%s,%s)', (group_dn, self._base_dn))
-      attributes = [self._uid_attr, self._email_attr]
-
-      for user_search_dn in self._user_dns:
-        lc = ldap.controls.libldap.SimplePagedResultsControl(criticality=True, size=page_size,
-                                                             cookie='')
-
-        # Conduct the initial search for users that are a member of the group.
-        logger.debug('Conducting LDAP search of DN: %s and filter %s', user_search_dn, search_flt)
+        # Verify the admin connection works first. We do this here to avoid wrapping
+        # the entire block in the INVALID CREDENTIALS check.
         try:
-          if has_pagination:
-            msgid = conn.search_ext(user_search_dn, ldap.SCOPE_SUBTREE, search_flt,
-                                    serverctrls=[lc], attrlist=attributes)
-          else:
-            msgid = conn.search(user_search_dn, ldap.SCOPE_SUBTREE, search_flt, attrlist=attributes)
+            with self._ldap.get_connection():
+                pass
+        except ldap.INVALID_CREDENTIALS:
+            return (None, "LDAP Admin dn or password is invalid")
+
+        with self._ldap.get_connection() as conn:
+            logger.debug(
+                "Incoming username or email param: %s", username_or_email.__repr__()
+            )
+
+            for user_search_dn in self._user_dns:
+                (pairs, err_msg) = self._ldap_user_search_with_rdn(
+                    conn, username_or_email, user_search_dn, suffix=suffix
+                )
+                if pairs is not None and len(pairs) > 0:
+                    break
+
+            if err_msg is not None:
+                return (None, err_msg)
+
+            logger.debug("Found matching pairs: %s", pairs)
+            results = [LDAPUsers._LDAPResult(*pair) for pair in take(limit, pairs)]
+
+            # Filter out pairs without DNs. Some LDAP impls will return such pairs.
+            with_dns = [result for result in results if result.dn]
+            return (with_dns, None)
+
+    def _ldap_single_user_search(self, username_or_email):
+        with_dns, err_msg = self._ldap_user_search(username_or_email)
+        if err_msg is not None:
+            return (None, err_msg)
+
+        # Make sure we have at least one result.
+        if len(with_dns) < 1:
+            return (None, "Username not found")
+
+        # If we have found a single pair, then return it.
+        if len(with_dns) == 1:
+            return (with_dns[0], None)
+
+        # Otherwise, there are multiple pairs with DNs, so find the one with the mail
+        # attribute (if any).
+        with_mail = [
+            result for result in with_dns if result.attrs.get(self._email_attr)
+        ]
+        return (with_mail[0] if with_mail else with_dns[0], None)
+
+    def _build_user_information(self, response):
+        if not response.get(self._uid_attr):
+            return (None, 'Missing uid field "%s" in user record' % self._uid_attr)
+
+        if self._requires_email and not response.get(self._email_attr):
+            return (None, 'Missing mail field "%s" in user record' % self._email_attr)
+
+        username = response[self._uid_attr][0].decode("utf-8")
+        email = response.get(self._email_attr, [None])[0]
+        return (UserInformation(username=username, email=email, id=username), None)
+
+    def ping(self):
+        try:
+            with self._ldap.get_connection():
+                pass
+        except ldap.INVALID_CREDENTIALS:
+            return (False, "LDAP Admin dn or password is invalid")
         except ldap.LDAPError as lde:
-          logger.exception('Got error when trying to search %s with filter %s: %s',
-                           user_search_dn, search_flt, lde.message)
-          break
+            logger.exception("Exception when trying to health check LDAP")
+            return (False, lde.message)
 
-        while True:
-          try:
-            if has_pagination:
-              _, rdata, _, serverctrls = conn.result3(msgid)
-            else:
-              _, rdata = conn.result(msgid)
+        return (True, None)
 
-            # Yield any users found.
-            found_results = 0
-            for userdata in rdata:
-              found_results = found_results + 1
-              yield self._build_user_information(userdata[1])
+    def at_least_one_user_exists(self):
+        logger.debug("Checking if any users exist in LDAP")
+        try:
+            with self._ldap.get_connection():
+                pass
+        except ldap.INVALID_CREDENTIALS:
+            return (None, "LDAP Admin dn or password is invalid")
 
-            logger.debug('Found %s users in group %s; %s', found_results, user_search_dn,
-                         search_flt)
-          except ldap.NO_SUCH_OBJECT as nsoe:
-            logger.debug('NSO when trying to lookup results of search %s with filter %s: %s',
-                         user_search_dn, search_flt, nsoe.message)
-          except ldap.LDAPError as lde:
-            logger.exception('Error when trying to lookup results of search %s with filter %s: %s',
-                             user_search_dn, search_flt, lde.message)
-            break
+        has_pagination = not self._force_no_pagination
+        with self._ldap.get_connection() as conn:
+            for user_search_dn in self._user_dns:
+                lc = ldap.controls.libldap.SimplePagedResultsControl(
+                    criticality=True, size=1, cookie=""
+                )
+                try:
+                    if has_pagination:
+                        msgid = conn.search_ext(
+                            user_search_dn, ldap.SCOPE_SUBTREE, serverctrls=[lc]
+                        )
+                        _, rdata, _, serverctrls = conn.result3(msgid)
+                    else:
+                        msgid = conn.search(user_search_dn, ldap.SCOPE_SUBTREE)
+                        _, rdata = conn.result(msgid)
 
-          # If no additional results, nothing more to do.
-          if not found_results:
-            break
+                    for entry in rdata:  # Handles both lists and iterators.
+                        return (True, None)
 
-          # If pagination is disabled, nothing more to do.
-          if not has_pagination:
-            logger.debug('Pagination is disabled, no further queries')
-            break
+                except ldap.LDAPError as lde:
+                    return (False, str(lde) or "Could not find DN %s" % user_search_dn)
 
-          # Filter down the controls with which the server responded, looking for the paging
-          # control type. If not found, then the server does not support pagination and we already
-          # got all of the results.
-          pctrls = [control for control in serverctrls
-                    if control.controlType == ldap.controls.SimplePagedResultsControl.controlType]
+        return (False, None)
 
-          if pctrls:
-            # Server supports pagination. Update the cookie so the next search finds the next page,
-            # then conduct the next search.
-            cookie = lc.cookie = pctrls[0].cookie
-            if cookie:
-              logger.debug('Pagination is supported for this LDAP server; trying next page')
-              msgid = conn.search_ext(user_search_dn, ldap.SCOPE_SUBTREE, search_flt,
-                                      serverctrls=[lc], attrlist=attributes)
-              continue
-            else:
-              # No additional results.
-              logger.debug('Pagination is supported for this LDAP server but on last page')
-              break
-          else:
-            # Pagination is not supported.
-            logger.debug('Pagination is not supported for this LDAP server')
-            break
+    def get_user(self, username_or_email):
+        """ Looks up a username or email in LDAP. """
+        logger.debug("Looking up LDAP username or email %s", username_or_email)
+        (found_user, err_msg) = self._ldap_single_user_search(username_or_email)
+        if err_msg is not None:
+            return (None, err_msg)
+
+        logger.debug("Found user for LDAP username or email %s", username_or_email)
+        _, found_response = found_user
+        return self._build_user_information(found_response)
+
+    def query_users(self, query, limit=20):
+        """ Queries LDAP for matching users. """
+        if not query:
+            return (None, self.federated_service, "Empty query")
+
+        logger.debug("Got query %s with limit %s", query, limit)
+        (results, err_msg) = self._ldap_user_search(query, limit=limit, suffix="*")
+        if err_msg is not None:
+            return (None, self.federated_service, err_msg)
+
+        final_results = []
+        for result in results[0:limit]:
+            credentials, err_msg = self._build_user_information(result.attrs)
+            if err_msg is not None:
+                continue
+
+            final_results.append(credentials)
+
+        logger.debug("For query %s found results %s", query, final_results)
+        return (final_results, self.federated_service, None)
+
+    def verify_credentials(self, username_or_email, password):
+        """ Verify the credentials with LDAP. """
+        # Make sure that even if the server supports anonymous binds, we don't allow it
+        if not password:
+            return (None, "Anonymous binding not allowed")
+
+        (found_user, err_msg) = self._ldap_single_user_search(username_or_email)
+        if found_user is None:
+            return (None, err_msg)
+
+        found_dn, found_response = found_user
+        logger.debug(
+            "Found user for LDAP username %s; validating password", username_or_email
+        )
+        logger.debug("DN %s found: %s", found_dn, found_response)
+
+        # First validate the password by binding as the user
+        try:
+            with LDAPConnection(
+                self._ldap_uri,
+                found_dn,
+                password.encode("utf-8"),
+                self._allow_tls_fallback,
+            ):
+                pass
+        except ldap.REFERRAL as re:
+            referral_dn = self._get_ldap_referral_dn(re)
+            if not referral_dn:
+                return (None, "Invalid username")
+
+            try:
+                with LDAPConnection(
+                    self._ldap_uri,
+                    referral_dn,
+                    password.encode("utf-8"),
+                    self._allow_tls_fallback,
+                ):
+                    pass
+            except ldap.INVALID_CREDENTIALS:
+                logger.debug("Invalid LDAP credentials")
+                return (None, "Invalid password")
+
+        except ldap.INVALID_CREDENTIALS:
+            logger.debug("Invalid LDAP credentials")
+            return (None, "Invalid password")
+
+        return self._build_user_information(found_response)
+
+    def service_metadata(self):
+        return {"base_dn": self._base_dn}
+
+    def check_group_lookup_args(self, group_lookup_args, disable_pagination=False):
+        if not group_lookup_args.get("group_dn"):
+            return (False, "Missing group_dn")
+
+        (it, err) = self.iterate_group_members(
+            group_lookup_args, page_size=1, disable_pagination=disable_pagination
+        )
+        if err is not None:
+            return (False, err)
+
+        if not next(it, False):
+            return (False, "Group does not exist or is empty")
+
+        return (True, None)
+
+    def iterate_group_members(
+        self, group_lookup_args, page_size=None, disable_pagination=False
+    ):
+        try:
+            with self._ldap.get_connection():
+                pass
+        except ldap.INVALID_CREDENTIALS:
+            return (None, "LDAP Admin dn or password is invalid")
+
+        group_dn = group_lookup_args["group_dn"]
+        page_size = page_size or _DEFAULT_PAGE_SIZE
+        return (self._iterate_members(group_dn, page_size, disable_pagination), None)
+
+    def _iterate_members(self, group_dn, page_size, disable_pagination):
+        has_pagination = not (self._force_no_pagination or disable_pagination)
+        with self._ldap.get_connection() as conn:
+            search_flt = filter_format("(memberOf=%s,%s)", (group_dn, self._base_dn))
+            attributes = [self._uid_attr, self._email_attr]
+
+            for user_search_dn in self._user_dns:
+                lc = ldap.controls.libldap.SimplePagedResultsControl(
+                    criticality=True, size=page_size, cookie=""
+                )
+
+                # Conduct the initial search for users that are a member of the group.
+                logger.debug(
+                    "Conducting LDAP search of DN: %s and filter %s",
+                    user_search_dn,
+                    search_flt,
+                )
+                try:
+                    if has_pagination:
+                        msgid = conn.search_ext(
+                            user_search_dn,
+                            ldap.SCOPE_SUBTREE,
+                            search_flt,
+                            serverctrls=[lc],
+                            attrlist=attributes,
+                        )
+                    else:
+                        msgid = conn.search(
+                            user_search_dn,
+                            ldap.SCOPE_SUBTREE,
+                            search_flt,
+                            attrlist=attributes,
+                        )
+                except ldap.LDAPError as lde:
+                    logger.exception(
+                        "Got error when trying to search %s with filter %s: %s",
+                        user_search_dn,
+                        search_flt,
+                        lde.message,
+                    )
+                    break
+
+                while True:
+                    try:
+                        if has_pagination:
+                            _, rdata, _, serverctrls = conn.result3(msgid)
+                        else:
+                            _, rdata = conn.result(msgid)
+
+                        # Yield any users found.
+                        found_results = 0
+                        for userdata in rdata:
+                            found_results = found_results + 1
+                            yield self._build_user_information(userdata[1])
+
+                        logger.debug(
+                            "Found %s users in group %s; %s",
+                            found_results,
+                            user_search_dn,
+                            search_flt,
+                        )
+                    except ldap.NO_SUCH_OBJECT as nsoe:
+                        logger.debug(
+                            "NSO when trying to lookup results of search %s with filter %s: %s",
+                            user_search_dn,
+                            search_flt,
+                            nsoe.message,
+                        )
+                    except ldap.LDAPError as lde:
+                        logger.exception(
+                            "Error when trying to lookup results of search %s with filter %s: %s",
+                            user_search_dn,
+                            search_flt,
+                            lde.message,
+                        )
+                        break
+
+                    # If no additional results, nothing more to do.
+                    if not found_results:
+                        break
+
+                    # If pagination is disabled, nothing more to do.
+                    if not has_pagination:
+                        logger.debug("Pagination is disabled, no further queries")
+                        break
+
+                    # Filter down the controls with which the server responded, looking for the paging
+                    # control type. If not found, then the server does not support pagination and we already
+                    # got all of the results.
+                    pctrls = [
+                        control
+                        for control in serverctrls
+                        if control.controlType
+                        == ldap.controls.SimplePagedResultsControl.controlType
+                    ]
+
+                    if pctrls:
+                        # Server supports pagination. Update the cookie so the next search finds the next page,
+                        # then conduct the next search.
+                        cookie = lc.cookie = pctrls[0].cookie
+                        if cookie:
+                            logger.debug(
+                                "Pagination is supported for this LDAP server; trying next page"
+                            )
+                            msgid = conn.search_ext(
+                                user_search_dn,
+                                ldap.SCOPE_SUBTREE,
+                                search_flt,
+                                serverctrls=[lc],
+                                attrlist=attributes,
+                            )
+                            continue
+                        else:
+                            # No additional results.
+                            logger.debug(
+                                "Pagination is supported for this LDAP server but on last page"
+                            )
+                            break
+                    else:
+                        # Pagination is not supported.
+                        logger.debug("Pagination is not supported for this LDAP server")
+                        break
diff --git a/data/users/federated.py b/data/users/federated.py
index 87210bccd..795875cfa 100644
--- a/data/users/federated.py
+++ b/data/users/federated.py
@@ -9,146 +9,167 @@ from util.validation import generate_valid_usernames
 
 logger = logging.getLogger(__name__)
 
-UserInformation = namedtuple('UserInformation', ['username', 'email', 'id'])
+UserInformation = namedtuple("UserInformation", ["username", "email", "id"])
+
+DISABLED_MESSAGE = (
+    "User creation is disabled. Please contact your administrator to gain access."
+)
 
-DISABLED_MESSAGE = 'User creation is disabled. Please contact your administrator to gain access.'
 
 class FederatedUsers(object):
-  """ Base class for all federated users systems. """
+    """ Base class for all federated users systems. """
 
-  def __init__(self, federated_service, requires_email):
-    self._federated_service = federated_service
-    self._requires_email = requires_email
+    def __init__(self, federated_service, requires_email):
+        self._federated_service = federated_service
+        self._requires_email = requires_email
 
-  @property
-  def federated_service(self):
-    return self._federated_service
+    @property
+    def federated_service(self):
+        return self._federated_service
 
-  @property
-  def supports_fresh_login(self):
-    return True
+    @property
+    def supports_fresh_login(self):
+        return True
 
-  @property
-  def supports_encrypted_credentials(self):
-    return True
+    @property
+    def supports_encrypted_credentials(self):
+        return True
 
-  def has_password_set(self, username):
-    return True
+    def has_password_set(self, username):
+        return True
 
-  @property
-  def requires_distinct_cli_password(self):
-    # Since the federated auth provides a password which works on the CLI.
-    return False
+    @property
+    def requires_distinct_cli_password(self):
+        # Since the federated auth provides a password which works on the CLI.
+        return False
 
-  def get_user(self, username_or_email):
-    """ Retrieves the user with the given username or email, returning a tuple containing
+    def get_user(self, username_or_email):
+        """ Retrieves the user with the given username or email, returning a tuple containing
         a UserInformation (if success) and the error message (on failure).
     """
-    raise NotImplementedError
+        raise NotImplementedError
 
-  def verify_credentials(self, username_or_email, password):
-    """ Verifies the given credentials against the backing federated service, returning
+    def verify_credentials(self, username_or_email, password):
+        """ Verifies the given credentials against the backing federated service, returning
         a tuple containing a UserInformation (on success) and the error message (on failure).
     """
-    raise NotImplementedError
+        raise NotImplementedError
 
-  def query_users(self, query, limit=20):
-    """ If implemented, get_user must be implemented as well. """
-    return (None, 'Not supported')
+    def query_users(self, query, limit=20):
+        """ If implemented, get_user must be implemented as well. """
+        return (None, "Not supported")
 
-  def link_user(self, username_or_email):
-    (user_info, err_msg) = self.get_user(username_or_email)
-    if user_info is None:
-      return (None, err_msg)
+    def link_user(self, username_or_email):
+        (user_info, err_msg) = self.get_user(username_or_email)
+        if user_info is None:
+            return (None, err_msg)
 
-    return self.get_and_link_federated_user_info(user_info)
+        return self.get_and_link_federated_user_info(user_info)
 
-  def get_and_link_federated_user_info(self, user_info, internal_create=False):
-    return self._get_and_link_federated_user_info(user_info.username, user_info.email,
-                                                  internal_create=internal_create)
+    def get_and_link_federated_user_info(self, user_info, internal_create=False):
+        return self._get_and_link_federated_user_info(
+            user_info.username, user_info.email, internal_create=internal_create
+        )
 
-  def verify_and_link_user(self, username_or_email, password):
-    """ Verifies the given credentials and, if valid, creates/links a database user to the
+    def verify_and_link_user(self, username_or_email, password):
+        """ Verifies the given credentials and, if valid, creates/links a database user to the
         associated federated service.
     """
-    (credentials, err_msg) = self.verify_credentials(username_or_email, password)
-    if credentials is None:
-      return (None, err_msg)
+        (credentials, err_msg) = self.verify_credentials(username_or_email, password)
+        if credentials is None:
+            return (None, err_msg)
 
-    return self._get_and_link_federated_user_info(credentials.username, credentials.email)
+        return self._get_and_link_federated_user_info(
+            credentials.username, credentials.email
+        )
 
-  def confirm_existing_user(self, username, password):
-    """ Confirms that the given *database* username and service password are valid for the linked
+    def confirm_existing_user(self, username, password):
+        """ Confirms that the given *database* username and service password are valid for the linked
         service. This method is used when the federated service's username is not known.
     """
-    db_user = model.user.get_user(username)
-    if not db_user:
-      return (None, 'Invalid user')
+        db_user = model.user.get_user(username)
+        if not db_user:
+            return (None, "Invalid user")
 
-    federated_login = model.user.lookup_federated_login(db_user, self._federated_service)
-    if not federated_login:
-      return (None, 'Invalid user')
+        federated_login = model.user.lookup_federated_login(
+            db_user, self._federated_service
+        )
+        if not federated_login:
+            return (None, "Invalid user")
 
-    (credentials, err_msg) = self.verify_credentials(federated_login.service_ident, password)
-    if credentials is None:
-      return (None, err_msg)
+        (credentials, err_msg) = self.verify_credentials(
+            federated_login.service_ident, password
+        )
+        if credentials is None:
+            return (None, err_msg)
 
-    return (db_user, None)
+        return (db_user, None)
 
-  def service_metadata(self):
-    """ Returns a dictionary of extra metadata to present to *superusers* about this auth engine.
+    def service_metadata(self):
+        """ Returns a dictionary of extra metadata to present to *superusers* about this auth engine.
         For example, LDAP returns the base DN so we can display to the user during sync setup.
     """
-    return {}
+        return {}
 
-  def check_group_lookup_args(self, group_lookup_args):
-    """ Verifies that the given group lookup args point to a valid group. Returns a tuple consisting
+    def check_group_lookup_args(self, group_lookup_args):
+        """ Verifies that the given group lookup args point to a valid group. Returns a tuple consisting
         of a boolean status and an error message (if any).
     """
-    return (False, 'Not supported')
+        return (False, "Not supported")
 
-  def iterate_group_members(self, group_lookup_args, page_size=None, disable_pagination=False):
-    """ Returns an iterator over all the members of the group matching the given lookup args
+    def iterate_group_members(
+        self, group_lookup_args, page_size=None, disable_pagination=False
+    ):
+        """ Returns an iterator over all the members of the group matching the given lookup args
         dictionary. The format of the lookup args dictionary is specific to the implementation.
     """
-    return (None, 'Not supported')
+        return (None, "Not supported")
 
-  def _get_and_link_federated_user_info(self, username, email, internal_create=False):
-    db_user = model.user.verify_federated_login(self._federated_service, username)
-    if not db_user:
-      
-      # Fetch list of blacklisted domains
-      blacklisted_domains = model.config.app_config.get('BLACKLISTED_EMAIL_DOMAINS')
+    def _get_and_link_federated_user_info(self, username, email, internal_create=False):
+        db_user = model.user.verify_federated_login(self._federated_service, username)
+        if not db_user:
 
-      # We must create the user in our db. Check to see if this is allowed (except for internal
-      # creation, which is always allowed).
-      if not internal_create and not can_create_user(email, blacklisted_domains):
-        return (None, DISABLED_MESSAGE)
+            # Fetch list of blacklisted domains
+            blacklisted_domains = model.config.app_config.get(
+                "BLACKLISTED_EMAIL_DOMAINS"
+            )
 
-      valid_username = None
-      for valid_username in generate_valid_usernames(username):
-        if model.user.is_username_unique(valid_username):
-          break
+            # We must create the user in our db. Check to see if this is allowed (except for internal
+            # creation, which is always allowed).
+            if not internal_create and not can_create_user(email, blacklisted_domains):
+                return (None, DISABLED_MESSAGE)
 
-      if not valid_username:
-        logger.error('Unable to pick a username for user: %s', username)
-        return (None, 'Unable to pick a username. Please report this to your administrator.')
+            valid_username = None
+            for valid_username in generate_valid_usernames(username):
+                if model.user.is_username_unique(valid_username):
+                    break
 
-      prompts = model.user.get_default_user_prompts(features)
-      try:
-        db_user = model.user.create_federated_user(valid_username, email, self._federated_service,
-                                                   username,
-                                                   set_password_notification=False,
-                                                   email_required=self._requires_email,
-                                                   confirm_username=features.USERNAME_CONFIRMATION,
-                                                   prompts=prompts)
-      except model.InvalidEmailAddressException as iae:
-        return (None, str(iae))
+            if not valid_username:
+                logger.error("Unable to pick a username for user: %s", username)
+                return (
+                    None,
+                    "Unable to pick a username. Please report this to your administrator.",
+                )
 
-    else:
-      # Update the db attributes from the federated service.
-      if email and db_user.email != email:
-        db_user.email = email
-        db_user.save()
+            prompts = model.user.get_default_user_prompts(features)
+            try:
+                db_user = model.user.create_federated_user(
+                    valid_username,
+                    email,
+                    self._federated_service,
+                    username,
+                    set_password_notification=False,
+                    email_required=self._requires_email,
+                    confirm_username=features.USERNAME_CONFIRMATION,
+                    prompts=prompts,
+                )
+            except model.InvalidEmailAddressException as iae:
+                return (None, str(iae))
 
-    return (db_user, None)
+        else:
+            # Update the db attributes from the federated service.
+            if email and db_user.email != email:
+                db_user.email = email
+                db_user.save()
+
+        return (db_user, None)
diff --git a/data/users/keystone.py b/data/users/keystone.py
index b8e581e77..64dff0e78 100644
--- a/data/users/keystone.py
+++ b/data/users/keystone.py
@@ -7,7 +7,9 @@ from keystoneauth1 import session
 from keystoneauth1.exceptions import ClientException
 from keystoneclient.v2_0 import client as client_v2
 from keystoneclient.v3 import client as client_v3
-from keystoneclient.exceptions import AuthorizationFailure as KeystoneAuthorizationFailure
+from keystoneclient.exceptions import (
+    AuthorizationFailure as KeystoneAuthorizationFailure,
+)
 from keystoneclient.exceptions import Unauthorized as KeystoneUnauthorized
 from keystoneclient.exceptions import NotFound as KeystoneNotFound
 from data.users.federated import FederatedUsers, UserInformation
@@ -15,286 +17,370 @@ from util.itertoolrecipes import take
 
 logger = logging.getLogger(__name__)
 
-DEFAULT_TIMEOUT = 10 # seconds
+DEFAULT_TIMEOUT = 10  # seconds
 
-def get_keystone_users(auth_version, auth_url, admin_username, admin_password, admin_tenant,
-                       timeout=None, requires_email=True):
-  if auth_version == 3:
-    return KeystoneV3Users(auth_url, admin_username, admin_password, admin_tenant, timeout,
-                           requires_email)
-  else:
-    return KeystoneV2Users(auth_url, admin_username, admin_password, admin_tenant, timeout,
-                           requires_email)
+
+def get_keystone_users(
+    auth_version,
+    auth_url,
+    admin_username,
+    admin_password,
+    admin_tenant,
+    timeout=None,
+    requires_email=True,
+):
+    if auth_version == 3:
+        return KeystoneV3Users(
+            auth_url,
+            admin_username,
+            admin_password,
+            admin_tenant,
+            timeout,
+            requires_email,
+        )
+    else:
+        return KeystoneV2Users(
+            auth_url,
+            admin_username,
+            admin_password,
+            admin_tenant,
+            timeout,
+            requires_email,
+        )
 
 
 class KeystoneV2Users(FederatedUsers):
-  """ Delegates authentication to OpenStack Keystone V2. """
-  def __init__(self, auth_url, admin_username, admin_password, admin_tenant, timeout=None,
-               requires_email=True):
-    super(KeystoneV2Users, self).__init__('keystone', requires_email)
-    self.auth_url = auth_url
-    self.admin_username = admin_username
-    self.admin_password = admin_password
-    self.admin_tenant = admin_tenant
-    self.timeout = timeout or DEFAULT_TIMEOUT
-    self.debug = os.environ.get('USERS_DEBUG') == '1'
-    self.requires_email = requires_email
+    """ Delegates authentication to OpenStack Keystone V2. """
 
-  def _get_client(self, username, password, tenant_name=None):
-    if tenant_name:
-      auth = keystone_v2_auth.Password(auth_url=self.auth_url,
-                                       username=username,
-                                       password=password,
-                                       tenant_name=tenant_name)
-    else:
-      auth = keystone_v2_auth.Password(auth_url=self.auth_url,
-                                       username=username,
-                                       password=password)
+    def __init__(
+        self,
+        auth_url,
+        admin_username,
+        admin_password,
+        admin_tenant,
+        timeout=None,
+        requires_email=True,
+    ):
+        super(KeystoneV2Users, self).__init__("keystone", requires_email)
+        self.auth_url = auth_url
+        self.admin_username = admin_username
+        self.admin_password = admin_password
+        self.admin_tenant = admin_tenant
+        self.timeout = timeout or DEFAULT_TIMEOUT
+        self.debug = os.environ.get("USERS_DEBUG") == "1"
+        self.requires_email = requires_email
 
-    sess = session.Session(auth=auth)
-    client = client_v2.Client(session=sess,
-                              timeout=self.timeout,
-                              debug=self.debug)
-    return client, sess
+    def _get_client(self, username, password, tenant_name=None):
+        if tenant_name:
+            auth = keystone_v2_auth.Password(
+                auth_url=self.auth_url,
+                username=username,
+                password=password,
+                tenant_name=tenant_name,
+            )
+        else:
+            auth = keystone_v2_auth.Password(
+                auth_url=self.auth_url, username=username, password=password
+            )
 
-  def ping(self):
-    try:
-      _, sess = self._get_client(self.admin_username, self.admin_password, self.admin_tenant)
-      assert sess.get_user_id() # Make sure we loaded a valid user.
-    except KeystoneUnauthorized as kut:
-      logger.exception('Keystone unauthorized admin')
-      return (False, 'Keystone admin credentials are invalid: %s' % kut.message)
-    except ClientException as e:
-      logger.exception('Keystone unauthorized admin')
-      return (False, 'Keystone ping check failed: %s' % e.message)
+        sess = session.Session(auth=auth)
+        client = client_v2.Client(session=sess, timeout=self.timeout, debug=self.debug)
+        return client, sess
 
-    return (True, None)
+    def ping(self):
+        try:
+            _, sess = self._get_client(
+                self.admin_username, self.admin_password, self.admin_tenant
+            )
+            assert sess.get_user_id()  # Make sure we loaded a valid user.
+        except KeystoneUnauthorized as kut:
+            logger.exception("Keystone unauthorized admin")
+            return (False, "Keystone admin credentials are invalid: %s" % kut.message)
+        except ClientException as e:
+            logger.exception("Keystone unauthorized admin")
+            return (False, "Keystone ping check failed: %s" % e.message)
 
-  def at_least_one_user_exists(self):
-    logger.debug('Checking if any users exist in Keystone')
-    try:
-      keystone_client, _ = self._get_client(self.admin_username, self.admin_password,
-                                            self.admin_tenant)
-      user_list = keystone_client.users.list(tenant_id=self.admin_tenant, limit=1)
+        return (True, None)
 
-      if len(user_list) < 1:
-        return (False, None)
+    def at_least_one_user_exists(self):
+        logger.debug("Checking if any users exist in Keystone")
+        try:
+            keystone_client, _ = self._get_client(
+                self.admin_username, self.admin_password, self.admin_tenant
+            )
+            user_list = keystone_client.users.list(tenant_id=self.admin_tenant, limit=1)
 
-      return (True, None)
-    except ClientException as e:
-      # Catch exceptions to give the user our custom error message
-      logger.exception('Unable to list users in Keystone')
-      return (False, e.message)
+            if len(user_list) < 1:
+                return (False, None)
 
-  def verify_credentials(self, username_or_email, password):
-    try:
-      _, sess = self._get_client(username_or_email, password)
-      user_id = sess.get_user_id()
-    except KeystoneAuthorizationFailure as kaf:
-      logger.exception('Keystone auth failure for user: %s', username_or_email)
-      return (None, 'Invalid username or password')
-    except KeystoneUnauthorized as kut:
-      logger.exception('Keystone unauthorized for user: %s', username_or_email)
-      return (None, 'Invalid username or password')
-    except ClientException as ex:
-      logger.exception('Keystone unauthorized for user: %s', username_or_email)
-      return (None, 'Invalid username or password')
+            return (True, None)
+        except ClientException as e:
+            # Catch exceptions to give the user our custom error message
+            logger.exception("Unable to list users in Keystone")
+            return (False, e.message)
 
-    if user_id is None:
-      return (None, 'Invalid username or password')
+    def verify_credentials(self, username_or_email, password):
+        try:
+            _, sess = self._get_client(username_or_email, password)
+            user_id = sess.get_user_id()
+        except KeystoneAuthorizationFailure as kaf:
+            logger.exception("Keystone auth failure for user: %s", username_or_email)
+            return (None, "Invalid username or password")
+        except KeystoneUnauthorized as kut:
+            logger.exception("Keystone unauthorized for user: %s", username_or_email)
+            return (None, "Invalid username or password")
+        except ClientException as ex:
+            logger.exception("Keystone unauthorized for user: %s", username_or_email)
+            return (None, "Invalid username or password")
 
-    try:
-      admin_client, _ = self._get_client(self.admin_username, self.admin_password,
-                                         self.admin_tenant)
-      user = admin_client.users.get(user_id)
-    except KeystoneUnauthorized as kut:
-      logger.exception('Keystone unauthorized admin')
-      return (None, 'Keystone admin credentials are invalid: %s' % kut.message)
+        if user_id is None:
+            return (None, "Invalid username or password")
 
-    if self.requires_email and not hasattr(user, 'email'):
-      return (None, 'Missing email field for user %s' % user_id)
+        try:
+            admin_client, _ = self._get_client(
+                self.admin_username, self.admin_password, self.admin_tenant
+            )
+            user = admin_client.users.get(user_id)
+        except KeystoneUnauthorized as kut:
+            logger.exception("Keystone unauthorized admin")
+            return (None, "Keystone admin credentials are invalid: %s" % kut.message)
 
-    email = user.email if hasattr(user, 'email') else None
-    return (UserInformation(username=username_or_email, email=email, id=user_id), None)
+        if self.requires_email and not hasattr(user, "email"):
+            return (None, "Missing email field for user %s" % user_id)
 
-  def query_users(self, query, limit=20):
-    return (None, self.federated_service, 'Unsupported in Keystone V2')
+        email = user.email if hasattr(user, "email") else None
+        return (
+            UserInformation(username=username_or_email, email=email, id=user_id),
+            None,
+        )
 
-  def get_user(self, username_or_email):
-    return (None, 'Unsupported in Keystone V2')
+    def query_users(self, query, limit=20):
+        return (None, self.federated_service, "Unsupported in Keystone V2")
+
+    def get_user(self, username_or_email):
+        return (None, "Unsupported in Keystone V2")
 
 
 class KeystoneV3Users(FederatedUsers):
-  """ Delegates authentication to OpenStack Keystone V3. """
-  def __init__(self, auth_url, admin_username, admin_password, admin_tenant, timeout=None,
-               requires_email=True, project_domain_id='default', user_domain_id='default'):
-    super(KeystoneV3Users, self).__init__('keystone', requires_email)
-    self.auth_url = auth_url
-    self.admin_username = admin_username
-    self.admin_password = admin_password
-    self.admin_tenant = admin_tenant
-    self.project_domain_id = project_domain_id
-    self.user_domain_id = user_domain_id
-    self.timeout = timeout or DEFAULT_TIMEOUT
-    self.debug = os.environ.get('USERS_DEBUG') == '1'
-    self.requires_email = requires_email
+    """ Delegates authentication to OpenStack Keystone V3. """
 
-  def _get_client(self, username, password, project_name=None):
-    if project_name:
-      auth = keystone_v3_auth.Password(auth_url=self.auth_url,
-                                       username=username,
-                                       password=password,
-                                       project_name=project_name,
-                                       project_domain_id=self.project_domain_id,
-                                       user_domain_id=self.user_domain_id)
-    else:
-      auth = keystone_v3_auth.Password(auth_url=self.auth_url,
-                                       username=username,
-                                       password=password,
-                                       user_domain_id=self.user_domain_id)
+    def __init__(
+        self,
+        auth_url,
+        admin_username,
+        admin_password,
+        admin_tenant,
+        timeout=None,
+        requires_email=True,
+        project_domain_id="default",
+        user_domain_id="default",
+    ):
+        super(KeystoneV3Users, self).__init__("keystone", requires_email)
+        self.auth_url = auth_url
+        self.admin_username = admin_username
+        self.admin_password = admin_password
+        self.admin_tenant = admin_tenant
+        self.project_domain_id = project_domain_id
+        self.user_domain_id = user_domain_id
+        self.timeout = timeout or DEFAULT_TIMEOUT
+        self.debug = os.environ.get("USERS_DEBUG") == "1"
+        self.requires_email = requires_email
 
-    sess = session.Session(auth=auth)
-    client = client_v3.Client(session=sess,
-                              timeout=self.timeout,
-                              debug=self.debug)
-    return client, sess
+    def _get_client(self, username, password, project_name=None):
+        if project_name:
+            auth = keystone_v3_auth.Password(
+                auth_url=self.auth_url,
+                username=username,
+                password=password,
+                project_name=project_name,
+                project_domain_id=self.project_domain_id,
+                user_domain_id=self.user_domain_id,
+            )
+        else:
+            auth = keystone_v3_auth.Password(
+                auth_url=self.auth_url,
+                username=username,
+                password=password,
+                user_domain_id=self.user_domain_id,
+            )
 
-  def ping(self):
-    try:
-      _, sess = self._get_client(self.admin_username, self.admin_password)
-      assert sess.get_user_id() # Make sure we loaded a valid user.
-    except KeystoneUnauthorized as kut:
-      logger.exception('Keystone unauthorized admin')
-      return (False, 'Keystone admin credentials are invalid: %s' % kut.message)
-    except ClientException as cle:
-      logger.exception('Keystone unauthorized admin')
-      return (False, 'Keystone ping check failed: %s' % cle.message)
+        sess = session.Session(auth=auth)
+        client = client_v3.Client(session=sess, timeout=self.timeout, debug=self.debug)
+        return client, sess
 
-    return (True, None)
+    def ping(self):
+        try:
+            _, sess = self._get_client(self.admin_username, self.admin_password)
+            assert sess.get_user_id()  # Make sure we loaded a valid user.
+        except KeystoneUnauthorized as kut:
+            logger.exception("Keystone unauthorized admin")
+            return (False, "Keystone admin credentials are invalid: %s" % kut.message)
+        except ClientException as cle:
+            logger.exception("Keystone unauthorized admin")
+            return (False, "Keystone ping check failed: %s" % cle.message)
 
-  def at_least_one_user_exists(self):
-    logger.debug('Checking if any users exist in admin tenant in Keystone')
-    try:
-      # Just make sure the admin can connect to the project.
-      self._get_client(self.admin_username, self.admin_password, self.admin_tenant)
-      return (True, None)
-    except ClientException as cle:
-      # Catch exceptions to give the user our custom error message
-      logger.exception('Unable to list users in Keystone')
-      return (False, cle.message)
+        return (True, None)
 
-  def verify_credentials(self, username_or_email, password):
-    try:
-      keystone_client, sess = self._get_client(username_or_email, password)
-      user_id = sess.get_user_id()
-      assert user_id
+    def at_least_one_user_exists(self):
+        logger.debug("Checking if any users exist in admin tenant in Keystone")
+        try:
+            # Just make sure the admin can connect to the project.
+            self._get_client(
+                self.admin_username, self.admin_password, self.admin_tenant
+            )
+            return (True, None)
+        except ClientException as cle:
+            # Catch exceptions to give the user our custom error message
+            logger.exception("Unable to list users in Keystone")
+            return (False, cle.message)
 
-      keystone_client, sess = self._get_client(self.admin_username, self.admin_password,
-                                               self.admin_tenant)
-      user = keystone_client.users.get(user_id)
-      if self.requires_email and not hasattr(user, 'email'):
-        return (None, 'Missing email field for user %s' % user_id)
+    def verify_credentials(self, username_or_email, password):
+        try:
+            keystone_client, sess = self._get_client(username_or_email, password)
+            user_id = sess.get_user_id()
+            assert user_id
 
-      return (self._user_info(user), None)
-    except KeystoneAuthorizationFailure as kaf:
-      logger.exception('Keystone auth failure for user: %s', username_or_email)
-      return (None, 'Invalid username or password')
-    except KeystoneUnauthorized as kut:
-      logger.exception('Keystone unauthorized for user: %s', username_or_email)
-      return (None, 'Invalid username or password')
-    except ClientException as cle:
-      logger.exception('Keystone unauthorized for user: %s', username_or_email)
-      return (None, 'Invalid username or password')
+            keystone_client, sess = self._get_client(
+                self.admin_username, self.admin_password, self.admin_tenant
+            )
+            user = keystone_client.users.get(user_id)
+            if self.requires_email and not hasattr(user, "email"):
+                return (None, "Missing email field for user %s" % user_id)
 
-  def get_user(self, username_or_email):
-    users_found, _, err_msg = self.query_users(username_or_email)
-    if err_msg is not None:
-      return (None, err_msg)
+            return (self._user_info(user), None)
+        except KeystoneAuthorizationFailure as kaf:
+            logger.exception("Keystone auth failure for user: %s", username_or_email)
+            return (None, "Invalid username or password")
+        except KeystoneUnauthorized as kut:
+            logger.exception("Keystone unauthorized for user: %s", username_or_email)
+            return (None, "Invalid username or password")
+        except ClientException as cle:
+            logger.exception("Keystone unauthorized for user: %s", username_or_email)
+            return (None, "Invalid username or password")
 
-    if len(users_found) != 1:
-      return (None, 'Single user not found')
+    def get_user(self, username_or_email):
+        users_found, _, err_msg = self.query_users(username_or_email)
+        if err_msg is not None:
+            return (None, err_msg)
 
-    user = users_found[0]
-    if self.requires_email and not user.email:
-      return (None, 'Missing email field for user %s' % user.id)
+        if len(users_found) != 1:
+            return (None, "Single user not found")
 
-    return (user, None)
+        user = users_found[0]
+        if self.requires_email and not user.email:
+            return (None, "Missing email field for user %s" % user.id)
 
-  def check_group_lookup_args(self, group_lookup_args):
-    if not group_lookup_args.get('group_id'):
-      return (False, 'Missing group_id')
+        return (user, None)
 
-    group_id = group_lookup_args['group_id']
-    return self._check_group(group_id)
+    def check_group_lookup_args(self, group_lookup_args):
+        if not group_lookup_args.get("group_id"):
+            return (False, "Missing group_id")
 
-  def _check_group(self, group_id):
-    try:
-      admin_client, _ = self._get_client(self.admin_username, self.admin_password,
-                                         self.admin_tenant)
-      return (bool(admin_client.groups.get(group_id)), None)
-    except KeystoneNotFound:
-      return (False, 'Group not found')
-    except KeystoneAuthorizationFailure as kaf:
-      logger.exception('Keystone auth failure for admin user for group lookup %s', group_id)
-      return (False, kaf.message or 'Invalid admin username or password')
-    except KeystoneUnauthorized as kut:
-      logger.exception('Keystone unauthorized for admin user for group lookup %s', group_id)
-      return (False, kut.message or 'Invalid admin username or password')
-    except ClientException as cle:
-      logger.exception('Keystone unauthorized for admin user for group lookup %s', group_id)
-      return (False, cle.message or 'Invalid admin username or password')
+        group_id = group_lookup_args["group_id"]
+        return self._check_group(group_id)
 
-  def iterate_group_members(self, group_lookup_args, page_size=None, disable_pagination=False):
-    group_id = group_lookup_args['group_id']
+    def _check_group(self, group_id):
+        try:
+            admin_client, _ = self._get_client(
+                self.admin_username, self.admin_password, self.admin_tenant
+            )
+            return (bool(admin_client.groups.get(group_id)), None)
+        except KeystoneNotFound:
+            return (False, "Group not found")
+        except KeystoneAuthorizationFailure as kaf:
+            logger.exception(
+                "Keystone auth failure for admin user for group lookup %s", group_id
+            )
+            return (False, kaf.message or "Invalid admin username or password")
+        except KeystoneUnauthorized as kut:
+            logger.exception(
+                "Keystone unauthorized for admin user for group lookup %s", group_id
+            )
+            return (False, kut.message or "Invalid admin username or password")
+        except ClientException as cle:
+            logger.exception(
+                "Keystone unauthorized for admin user for group lookup %s", group_id
+            )
+            return (False, cle.message or "Invalid admin username or password")
 
-    (status, err) = self._check_group(group_id)
-    if not status:
-      return (None, err)
+    def iterate_group_members(
+        self, group_lookup_args, page_size=None, disable_pagination=False
+    ):
+        group_id = group_lookup_args["group_id"]
 
-    try:
-      admin_client, _ = self._get_client(self.admin_username, self.admin_password,
-                                         self.admin_tenant)
-      user_info_iterator = admin_client.users.list(group=group_id)
-      def iterator():
-        for user in user_info_iterator:
-          yield (self._user_info(user), None)
+        (status, err) = self._check_group(group_id)
+        if not status:
+            return (None, err)
 
-      return (iterator(), None)
-    except KeystoneAuthorizationFailure as kaf:
-      logger.exception('Keystone auth failure for admin user for group lookup %s', group_id)
-      return (False, kaf.message or 'Invalid admin username or password')
-    except KeystoneUnauthorized as kut:
-      logger.exception('Keystone unauthorized for admin user for group lookup %s', group_id)
-      return (False, kut.message or 'Invalid admin username or password')
-    except ClientException as cle:
-      logger.exception('Keystone unauthorized for admin user for group lookup %s', group_id)
-      return (False, cle.message or 'Invalid admin username or password')
+        try:
+            admin_client, _ = self._get_client(
+                self.admin_username, self.admin_password, self.admin_tenant
+            )
+            user_info_iterator = admin_client.users.list(group=group_id)
 
-  @staticmethod
-  def _user_info(user):
-    email = user.email if hasattr(user, 'email') else None
-    return UserInformation(user.name, email, user.id)
+            def iterator():
+                for user in user_info_iterator:
+                    yield (self._user_info(user), None)
 
-  def query_users(self, query, limit=20):
-    if len(query) < 3:
-      return ([], self.federated_service, None)
+            return (iterator(), None)
+        except KeystoneAuthorizationFailure as kaf:
+            logger.exception(
+                "Keystone auth failure for admin user for group lookup %s", group_id
+            )
+            return (False, kaf.message or "Invalid admin username or password")
+        except KeystoneUnauthorized as kut:
+            logger.exception(
+                "Keystone unauthorized for admin user for group lookup %s", group_id
+            )
+            return (False, kut.message or "Invalid admin username or password")
+        except ClientException as cle:
+            logger.exception(
+                "Keystone unauthorized for admin user for group lookup %s", group_id
+            )
+            return (False, cle.message or "Invalid admin username or password")
 
-    try:
-      admin_client, _ = self._get_client(self.admin_username, self.admin_password,
-                                         self.admin_tenant)
+    @staticmethod
+    def _user_info(user):
+        email = user.email if hasattr(user, "email") else None
+        return UserInformation(user.name, email, user.id)
 
-      found_users = list(take(limit, admin_client.users.list(name=query)))
-      logger.debug('For Keystone query %s found users: %s', query, found_users)
-      if not found_users:
-        return ([], self.federated_service, None)
+    def query_users(self, query, limit=20):
+        if len(query) < 3:
+            return ([], self.federated_service, None)
 
-      return ([self._user_info(user) for user in found_users], self.federated_service, None)
-    except KeystoneAuthorizationFailure as kaf:
-      logger.exception('Keystone auth failure for admin user for query %s', query)
-      return (None, self.federated_service, kaf.message or 'Invalid admin username or password')
-    except KeystoneUnauthorized as kut:
-      logger.exception('Keystone unauthorized for admin user for query %s', query)
-      return (None, self.federated_service, kut.message or 'Invalid admin username or password')
-    except ClientException as cle:
-      logger.exception('Keystone unauthorized for admin user for query %s', query)
-      return (None, self.federated_service, cle.message or 'Invalid admin username or password')
+        try:
+            admin_client, _ = self._get_client(
+                self.admin_username, self.admin_password, self.admin_tenant
+            )
+
+            found_users = list(take(limit, admin_client.users.list(name=query)))
+            logger.debug("For Keystone query %s found users: %s", query, found_users)
+            if not found_users:
+                return ([], self.federated_service, None)
+
+            return (
+                [self._user_info(user) for user in found_users],
+                self.federated_service,
+                None,
+            )
+        except KeystoneAuthorizationFailure as kaf:
+            logger.exception("Keystone auth failure for admin user for query %s", query)
+            return (
+                None,
+                self.federated_service,
+                kaf.message or "Invalid admin username or password",
+            )
+        except KeystoneUnauthorized as kut:
+            logger.exception("Keystone unauthorized for admin user for query %s", query)
+            return (
+                None,
+                self.federated_service,
+                kut.message or "Invalid admin username or password",
+            )
+        except ClientException as cle:
+            logger.exception("Keystone unauthorized for admin user for query %s", query)
+            return (
+                None,
+                self.federated_service,
+                cle.message or "Invalid admin username or password",
+            )
diff --git a/data/users/shared.py b/data/users/shared.py
index 8f1cc09df..fd507837e 100644
--- a/data/users/shared.py
+++ b/data/users/shared.py
@@ -7,24 +7,24 @@ from data import model
 
 
 def can_create_user(email_address, blacklisted_domains=None):
-  """ Returns true if a user with the specified e-mail address can be created. """
+    """ Returns true if a user with the specified e-mail address can be created. """
 
-  if features.BLACKLISTED_EMAILS and email_address and '@' in email_address:
-    blacklisted_domains = blacklisted_domains or []
-    _, email_domain = email_address.split('@', 1)
-    extracted = tldextract.extract(email_domain)
-    if extracted.registered_domain.lower() in blacklisted_domains:
-      return False
+    if features.BLACKLISTED_EMAILS and email_address and "@" in email_address:
+        blacklisted_domains = blacklisted_domains or []
+        _, email_domain = email_address.split("@", 1)
+        extracted = tldextract.extract(email_domain)
+        if extracted.registered_domain.lower() in blacklisted_domains:
+            return False
 
-  if not features.USER_CREATION:
-    return False
+    if not features.USER_CREATION:
+        return False
 
-  if features.INVITE_ONLY_USER_CREATION:
-    if not email_address:
-      return False
+    if features.INVITE_ONLY_USER_CREATION:
+        if not email_address:
+            return False
 
-    # Check to see that there is an invite for the e-mail address.
-    return bool(model.team.lookup_team_invites_by_email(email_address))
+        # Check to see that there is an invite for the e-mail address.
+        return bool(model.team.lookup_team_invites_by_email(email_address))
 
-  # Otherwise the user can be created (assuming it doesn't already exist, of course)
-  return True
+    # Otherwise the user can be created (assuming it doesn't already exist, of course)
+    return True
diff --git a/data/users/teamsync.py b/data/users/teamsync.py
index 2ab0fea10..d122e6924 100644
--- a/data/users/teamsync.py
+++ b/data/users/teamsync.py
@@ -10,127 +10,180 @@ MAX_TEAMS_PER_ITERATION = 500
 
 
 def sync_teams_to_groups(authentication, stale_cutoff):
-  """ Performs team syncing by looking up any stale team(s) found, and performing the sync
+    """ Performs team syncing by looking up any stale team(s) found, and performing the sync
       operation on them.
   """
-  logger.debug('Looking up teams to sync to groups')
+    logger.debug("Looking up teams to sync to groups")
 
-  sync_team_tried = set()
-  while len(sync_team_tried) < MAX_TEAMS_PER_ITERATION:
-    # Find a stale team.
-    stale_team_sync = model.team.get_stale_team(stale_cutoff)
-    if not stale_team_sync:
-      logger.debug('No additional stale team found; sleeping')
-      return
+    sync_team_tried = set()
+    while len(sync_team_tried) < MAX_TEAMS_PER_ITERATION:
+        # Find a stale team.
+        stale_team_sync = model.team.get_stale_team(stale_cutoff)
+        if not stale_team_sync:
+            logger.debug("No additional stale team found; sleeping")
+            return
 
-    # Make sure we don't try to reprocess a team on this iteration.
-    if stale_team_sync.id in sync_team_tried:
-      break
+        # Make sure we don't try to reprocess a team on this iteration.
+        if stale_team_sync.id in sync_team_tried:
+            break
 
-    sync_team_tried.add(stale_team_sync.id)
+        sync_team_tried.add(stale_team_sync.id)
 
-    # Sync the team.
-    sync_successful = sync_team(authentication, stale_team_sync)
-    if not sync_successful:
-      return
+        # Sync the team.
+        sync_successful = sync_team(authentication, stale_team_sync)
+        if not sync_successful:
+            return
 
 
 def sync_team(authentication, stale_team_sync):
-  """ Performs synchronization of a team (as referenced by the TeamSync stale_team_sync).
+    """ Performs synchronization of a team (as referenced by the TeamSync stale_team_sync).
       Returns True on success and False otherwise.
   """
-  sync_config = json.loads(stale_team_sync.config)
-  logger.info('Syncing team `%s` under organization %s via %s (#%s)', stale_team_sync.team.name,
-              stale_team_sync.team.organization.username, sync_config, stale_team_sync.team_id,
-              extra={'team': stale_team_sync.team_id, 'sync_config': sync_config})
+    sync_config = json.loads(stale_team_sync.config)
+    logger.info(
+        "Syncing team `%s` under organization %s via %s (#%s)",
+        stale_team_sync.team.name,
+        stale_team_sync.team.organization.username,
+        sync_config,
+        stale_team_sync.team_id,
+        extra={"team": stale_team_sync.team_id, "sync_config": sync_config},
+    )
 
-  # Load all the existing members of the team in Quay that are bound to the auth service.
-  existing_users = model.team.get_federated_team_member_mapping(stale_team_sync.team,
-                                                                authentication.federated_service)
+    # Load all the existing members of the team in Quay that are bound to the auth service.
+    existing_users = model.team.get_federated_team_member_mapping(
+        stale_team_sync.team, authentication.federated_service
+    )
 
-  logger.debug('Existing membership of %s for team `%s` under organization %s via %s (#%s)',
-               len(existing_users), stale_team_sync.team.name,
-               stale_team_sync.team.organization.username, sync_config, stale_team_sync.team_id,
-               extra={'team': stale_team_sync.team_id, 'sync_config': sync_config,
-                      'existing_member_count': len(existing_users)})
+    logger.debug(
+        "Existing membership of %s for team `%s` under organization %s via %s (#%s)",
+        len(existing_users),
+        stale_team_sync.team.name,
+        stale_team_sync.team.organization.username,
+        sync_config,
+        stale_team_sync.team_id,
+        extra={
+            "team": stale_team_sync.team_id,
+            "sync_config": sync_config,
+            "existing_member_count": len(existing_users),
+        },
+    )
 
-  # Load all the members of the team from the authenication system.
-  (member_iterator, err) = authentication.iterate_group_members(sync_config)
-  if err is not None:
-    logger.error('Got error when trying to iterate group members with config %s: %s',
-                 sync_config, err)
-    return False
-
-  # Collect all the members currently found in the group, adding them to the team as we go
-  # along.
-  group_membership = set()
-  for (member_info, err) in member_iterator:
+    # Load all the members of the team from the authenication system.
+    (member_iterator, err) = authentication.iterate_group_members(sync_config)
     if err is not None:
-      logger.error('Got error when trying to construct a member: %s', err)
-      continue
+        logger.error(
+            "Got error when trying to iterate group members with config %s: %s",
+            sync_config,
+            err,
+        )
+        return False
 
-    # If the member is already in the team, nothing more to do.
-    if member_info.username in existing_users:
-      logger.debug('Member %s already in team `%s` under organization %s via %s (#%s)',
-                   member_info.username, stale_team_sync.team.name,
-                   stale_team_sync.team.organization.username, sync_config,
-                   stale_team_sync.team_id,
-                   extra={'team': stale_team_sync.team_id, 'sync_config': sync_config,
-                          'member': member_info.username})
+    # Collect all the members currently found in the group, adding them to the team as we go
+    # along.
+    group_membership = set()
+    for (member_info, err) in member_iterator:
+        if err is not None:
+            logger.error("Got error when trying to construct a member: %s", err)
+            continue
 
-      group_membership.add(existing_users[member_info.username])
-      continue
+        # If the member is already in the team, nothing more to do.
+        if member_info.username in existing_users:
+            logger.debug(
+                "Member %s already in team `%s` under organization %s via %s (#%s)",
+                member_info.username,
+                stale_team_sync.team.name,
+                stale_team_sync.team.organization.username,
+                sync_config,
+                stale_team_sync.team_id,
+                extra={
+                    "team": stale_team_sync.team_id,
+                    "sync_config": sync_config,
+                    "member": member_info.username,
+                },
+            )
 
-    # Retrieve the Quay user associated with the member info.
-    (quay_user, err) = authentication.get_and_link_federated_user_info(member_info,
-                                                                       internal_create=True)
-    if err is not None:
-      logger.error('Could not link external user %s to an internal user: %s',
-                   member_info.username, err,
-                   extra={'team': stale_team_sync.team_id, 'sync_config': sync_config,
-                          'member': member_info.username, 'error': err})
-      continue
+            group_membership.add(existing_users[member_info.username])
+            continue
 
-    # Add the user to the membership set.
-    group_membership.add(quay_user.id)
+        # Retrieve the Quay user associated with the member info.
+        (quay_user, err) = authentication.get_and_link_federated_user_info(
+            member_info, internal_create=True
+        )
+        if err is not None:
+            logger.error(
+                "Could not link external user %s to an internal user: %s",
+                member_info.username,
+                err,
+                extra={
+                    "team": stale_team_sync.team_id,
+                    "sync_config": sync_config,
+                    "member": member_info.username,
+                    "error": err,
+                },
+            )
+            continue
 
-    # Add the user to the team.
-    try:
-      logger.info('Adding member %s to team `%s` under organization %s via %s (#%s)',
-                  quay_user.username, stale_team_sync.team.name,
-                  stale_team_sync.team.organization.username, sync_config,
-                  stale_team_sync.team_id,
-                  extra={'team': stale_team_sync.team_id, 'sync_config': sync_config,
-                         'member': quay_user.username})
+        # Add the user to the membership set.
+        group_membership.add(quay_user.id)
 
-      model.team.add_user_to_team(quay_user, stale_team_sync.team)
-    except model.UserAlreadyInTeam:
-      # If the user is already present, nothing more to do for them.
-      pass
+        # Add the user to the team.
+        try:
+            logger.info(
+                "Adding member %s to team `%s` under organization %s via %s (#%s)",
+                quay_user.username,
+                stale_team_sync.team.name,
+                stale_team_sync.team.organization.username,
+                sync_config,
+                stale_team_sync.team_id,
+                extra={
+                    "team": stale_team_sync.team_id,
+                    "sync_config": sync_config,
+                    "member": quay_user.username,
+                },
+            )
 
-  # Update the transaction and last_updated time of the team sync. Only if it matches
-  # the current value will we then perform the deletion step.
-  got_transaction_handle = model.team.update_sync_status(stale_team_sync)
-  if not got_transaction_handle:
-    # Another worker updated this team. Nothing more to do.
-    logger.debug('Another worker synced team `%s` under organization %s via %s (#%s)',
-                 stale_team_sync.team.name,
-                 stale_team_sync.team.organization.username, sync_config,
-                 stale_team_sync.team_id,
-                 extra={'team': stale_team_sync.team_id, 'sync_config': sync_config})
+            model.team.add_user_to_team(quay_user, stale_team_sync.team)
+        except model.UserAlreadyInTeam:
+            # If the user is already present, nothing more to do for them.
+            pass
+
+    # Update the transaction and last_updated time of the team sync. Only if it matches
+    # the current value will we then perform the deletion step.
+    got_transaction_handle = model.team.update_sync_status(stale_team_sync)
+    if not got_transaction_handle:
+        # Another worker updated this team. Nothing more to do.
+        logger.debug(
+            "Another worker synced team `%s` under organization %s via %s (#%s)",
+            stale_team_sync.team.name,
+            stale_team_sync.team.organization.username,
+            sync_config,
+            stale_team_sync.team_id,
+            extra={"team": stale_team_sync.team_id, "sync_config": sync_config},
+        )
+        return True
+
+    # Delete any team members not found in the backing auth system.
+    logger.debug(
+        "Deleting stale members for team `%s` under organization %s via %s (#%s)",
+        stale_team_sync.team.name,
+        stale_team_sync.team.organization.username,
+        sync_config,
+        stale_team_sync.team_id,
+        extra={"team": stale_team_sync.team_id, "sync_config": sync_config},
+    )
+
+    deleted = model.team.delete_members_not_present(
+        stale_team_sync.team, group_membership
+    )
+
+    # Done!
+    logger.info(
+        "Finishing sync for team `%s` under organization %s via %s (#%s): %s deleted",
+        stale_team_sync.team.name,
+        stale_team_sync.team.organization.username,
+        sync_config,
+        stale_team_sync.team_id,
+        deleted,
+        extra={"team": stale_team_sync.team_id, "sync_config": sync_config},
+    )
     return True
-
-  # Delete any team members not found in the backing auth system.
-  logger.debug('Deleting stale members for team `%s` under organization %s via %s (#%s)',
-               stale_team_sync.team.name, stale_team_sync.team.organization.username,
-               sync_config, stale_team_sync.team_id,
-               extra={'team': stale_team_sync.team_id, 'sync_config': sync_config})
-
-  deleted = model.team.delete_members_not_present(stale_team_sync.team, group_membership)
-
-  # Done!
-  logger.info('Finishing sync for team `%s` under organization %s via %s (#%s): %s deleted',
-              stale_team_sync.team.name, stale_team_sync.team.organization.username,
-              sync_config, stale_team_sync.team_id, deleted,
-              extra={'team': stale_team_sync.team_id, 'sync_config': sync_config})
-  return True
diff --git a/data/users/test/test_shared.py b/data/users/test/test_shared.py
index d211fb485..18d2eb9cb 100644
--- a/data/users/test/test_shared.py
+++ b/data/users/test/test_shared.py
@@ -7,49 +7,67 @@ from data.users.shared import can_create_user
 
 from test.fixtures import *
 
-@pytest.mark.parametrize('open_creation, invite_only, email, has_invite, can_create', [
-  # Open user creation => always allowed.
-  (True, False, None, False, True),
 
-  # Open user creation => always allowed.
-  (True, False, 'foo@example.com', False, True),
+@pytest.mark.parametrize(
+    "open_creation, invite_only, email, has_invite, can_create",
+    [
+        # Open user creation => always allowed.
+        (True, False, None, False, True),
+        # Open user creation => always allowed.
+        (True, False, "foo@example.com", False, True),
+        # Invite only user creation + no invite => disallowed.
+        (True, True, None, False, False),
+        # Invite only user creation + no invite => disallowed.
+        (True, True, "foo@example.com", False, False),
+        # Invite only user creation + invite => allowed.
+        (True, True, "foo@example.com", True, True),
+        # No open creation => Disallowed.
+        (False, True, "foo@example.com", False, False),
+        (False, True, "foo@example.com", True, False),
+        # Blacklisted emails => Disallowed.
+        (True, False, "foo@blacklisted.com", False, False),
+        (True, False, "foo@blacklisted.org", False, False),
+        (True, False, "foo@BlAcKlIsTeD.CoM", False, False),  # Verify Capitalization
+        (True, False, u"foo@mail.bLacklisted.Com", False, False),  # Verify unicode
+        (True, False, "foo@blacklisted.net", False, True),  # Avoid False Positives
+        (
+            True,
+            False,
+            "foo@myblacklisted.com",
+            False,
+            True,
+        ),  # Avoid partial domain matches
+        (
+            True,
+            False,
+            "fooATblacklisted.com",
+            False,
+            True,
+        ),  # Ignore invalid email addresses
+    ],
+)
+@pytest.mark.parametrize("blacklisting_enabled", [True, False])
+def test_can_create_user(
+    open_creation, invite_only, email, has_invite, can_create, blacklisting_enabled, app
+):
 
-  # Invite only user creation + no invite => disallowed.
-  (True, True, None, False, False),
+    # Mock list of blacklisted domains
+    blacklisted_domains = ["blacklisted.com", "blacklisted.org"]
 
-  # Invite only user creation + no invite => disallowed.
-  (True, True, 'foo@example.com', False, False),
+    if has_invite:
+        inviter = model.user.get_user("devtable")
+        team = model.team.get_organization_team("buynlarge", "owners")
+        model.team.add_or_invite_to_team(inviter, team, email=email)
 
-  # Invite only user creation + invite => allowed.
-  (True, True, 'foo@example.com', True, True),
-
-  # No open creation => Disallowed.
-  (False, True, 'foo@example.com', False, False),
-  (False, True, 'foo@example.com', True, False),
-
-  # Blacklisted emails => Disallowed.
-  (True, False, 'foo@blacklisted.com', False, False),
-  (True, False, 'foo@blacklisted.org', False, False),
-  (True, False, 'foo@BlAcKlIsTeD.CoM', False, False),  # Verify Capitalization
-  (True, False, u'foo@mail.bLacklisted.Com', False, False),  # Verify unicode
-  (True, False, 'foo@blacklisted.net', False, True),  # Avoid False Positives
-  (True, False, 'foo@myblacklisted.com', False, True),  # Avoid partial domain matches
-  (True, False, 'fooATblacklisted.com', False, True),  # Ignore invalid email addresses
-])
-@pytest.mark.parametrize('blacklisting_enabled', [True, False])
-def test_can_create_user(open_creation, invite_only, email, has_invite, can_create, blacklisting_enabled, app):
-
-  # Mock list of blacklisted domains
-  blacklisted_domains = ['blacklisted.com', 'blacklisted.org']
-
-  if has_invite:
-    inviter = model.user.get_user('devtable')
-    team = model.team.get_organization_team('buynlarge', 'owners')
-    model.team.add_or_invite_to_team(inviter, team, email=email)
-
-  with patch('features.USER_CREATION', open_creation):
-    with patch('features.INVITE_ONLY_USER_CREATION', invite_only):
-      with patch('features.BLACKLISTED_EMAILS', blacklisting_enabled):
-        if email and any(domain in email.lower() for domain in blacklisted_domains) and not blacklisting_enabled:
-            can_create = True  # blacklisted domains can be used, if blacklisting is disabled
-        assert can_create_user(email, blacklisted_domains) == can_create
+    with patch("features.USER_CREATION", open_creation):
+        with patch("features.INVITE_ONLY_USER_CREATION", invite_only):
+            with patch("features.BLACKLISTED_EMAILS", blacklisting_enabled):
+                if (
+                    email
+                    and any(domain in email.lower() for domain in blacklisted_domains)
+                    and not blacklisting_enabled
+                ):
+                    can_create = (
+                        True
+                    )  # blacklisted domains can be used, if blacklisting is disabled
+                assert can_create_user(email, blacklisted_domains) == can_create
diff --git a/data/users/test/test_teamsync.py b/data/users/test/test_teamsync.py
index 470c31707..da531e547 100644
--- a/data/users/test/test_teamsync.py
+++ b/data/users/test/test_teamsync.py
@@ -15,318 +15,365 @@ from util.names import parse_robot_username
 
 from test.fixtures import *
 
-_FAKE_AUTH = 'fake'
+_FAKE_AUTH = "fake"
+
 
 class FakeUsers(FederatedUsers):
-  def __init__(self, group_members):
-    super(FakeUsers, self).__init__(_FAKE_AUTH, False)
-    self.group_tuples = [(m, None) for m in group_members]
+    def __init__(self, group_members):
+        super(FakeUsers, self).__init__(_FAKE_AUTH, False)
+        self.group_tuples = [(m, None) for m in group_members]
 
-  def iterate_group_members(self, group_lookup_args, page_size=None, disable_pagination=False):
-    return (self.group_tuples, None)
+    def iterate_group_members(
+        self, group_lookup_args, page_size=None, disable_pagination=False
+    ):
+        return (self.group_tuples, None)
 
 
 @pytest.fixture(params=[True, False])
 def user_creation(request):
-  with patch('features.USER_CREATION', request.param):
-    yield
+    with patch("features.USER_CREATION", request.param):
+        yield
 
 
 @pytest.fixture(params=[True, False])
 def invite_only_user_creation(request):
-  with patch('features.INVITE_ONLY_USER_CREATION', request.param):
-    yield
+    with patch("features.INVITE_ONLY_USER_CREATION", request.param):
+        yield
 
 
 @pytest.fixture(params=[True, False])
 def blacklisted_emails(request):
-  mock_blacklisted_domains = {'BLACKLISTED_EMAIL_DOMAINS': ['blacklisted.com', 'blacklisted.net']}
-  with patch('features.BLACKLISTED_EMAILS', request.param):
-    with patch.dict('data.model.config.app_config', mock_blacklisted_domains):
-      yield
+    mock_blacklisted_domains = {
+        "BLACKLISTED_EMAIL_DOMAINS": ["blacklisted.com", "blacklisted.net"]
+    }
+    with patch("features.BLACKLISTED_EMAILS", request.param):
+        with patch.dict("data.model.config.app_config", mock_blacklisted_domains):
+            yield
 
 
-@pytest.mark.skipif(os.environ.get('TEST_DATABASE_URI', '').find('postgres') >= 0,
-                    reason="Postgres fails when existing members are added under the savepoint")
-@pytest.mark.parametrize('starting_membership,group_membership,expected_membership', [
-  # Empty team + single member in group => Single member in team.
-  ([],
-   [
-     UserInformation('someuser', 'someuser', 'someuser@devtable.com'),
-   ],
-   ['someuser']),
+@pytest.mark.skipif(
+    os.environ.get("TEST_DATABASE_URI", "").find("postgres") >= 0,
+    reason="Postgres fails when existing members are added under the savepoint",
+)
+@pytest.mark.parametrize(
+    "starting_membership,group_membership,expected_membership",
+    [
+        # Empty team + single member in group => Single member in team.
+        (
+            [],
+            [UserInformation("someuser", "someuser", "someuser@devtable.com")],
+            ["someuser"],
+        ),
+        # Team with a Quay user + empty group => empty team.
+        ([("someuser", None)], [], []),
+        # Team with an existing external user + user is in the group => no changes.
+        (
+            [("someuser", "someuser")],
+            [UserInformation("someuser", "someuser", "someuser@devtable.com")],
+            ["someuser"],
+        ),
+        # Team with an existing external user (with a different Quay username) + user is in the group.
+        # => no changes
+        (
+            [("anotherquayname", "someuser")],
+            [UserInformation("someuser", "someuser", "someuser@devtable.com")],
+            ["someuser"],
+        ),
+        # Team missing a few members that are in the group => members added.
+        (
+            [("someuser", "someuser")],
+            [
+                UserInformation(
+                    "anotheruser", "anotheruser", "anotheruser@devtable.com"
+                ),
+                UserInformation("someuser", "someuser", "someuser@devtable.com"),
+                UserInformation("thirduser", "thirduser", "thirduser@devtable.com"),
+            ],
+            ["anotheruser", "someuser", "thirduser"],
+        ),
+        # Team has a few extra members no longer in the group => members removed.
+        (
+            [
+                ("anotheruser", "anotheruser"),
+                ("someuser", "someuser"),
+                ("thirduser", "thirduser"),
+                ("nontestuser", None),
+            ],
+            [UserInformation("thirduser", "thirduser", "thirduser@devtable.com")],
+            ["thirduser"],
+        ),
+        # Team has different membership than the group => members added and removed.
+        (
+            [
+                ("anotheruser", "anotheruser"),
+                ("someuser", "someuser"),
+                ("nontestuser", None),
+            ],
+            [
+                UserInformation(
+                    "anotheruser", "anotheruser", "anotheruser@devtable.com"
+                ),
+                UserInformation(
+                    "missinguser", "missinguser", "missinguser@devtable.com"
+                ),
+            ],
+            ["anotheruser", "missinguser"],
+        ),
+        # Team has same membership but some robots => robots remain and no other changes.
+        (
+            [
+                ("someuser", "someuser"),
+                ("buynlarge+anotherbot", None),
+                ("buynlarge+somerobot", None),
+            ],
+            [UserInformation("someuser", "someuser", "someuser@devtable.com")],
+            ["someuser", "buynlarge+somerobot", "buynlarge+anotherbot"],
+        ),
+        # Team has an extra member and some robots => member removed and robots remain.
+        (
+            [
+                ("someuser", "someuser"),
+                ("buynlarge+anotherbot", None),
+                ("buynlarge+somerobot", None),
+            ],
+            [
+                # No members.
+            ],
+            ["buynlarge+somerobot", "buynlarge+anotherbot"],
+        ),
+        # Team has a different member and some robots => member changed and robots remain.
+        (
+            [
+                ("someuser", "someuser"),
+                ("buynlarge+anotherbot", None),
+                ("buynlarge+somerobot", None),
+            ],
+            [UserInformation("anotheruser", "anotheruser", "anotheruser@devtable.com")],
+            ["anotheruser", "buynlarge+somerobot", "buynlarge+anotherbot"],
+        ),
+        # Team with an existing external user (with a different Quay username) + user is in the group.
+        # => no changes and robots remain.
+        (
+            [("anotherquayname", "someuser"), ("buynlarge+anotherbot", None)],
+            [UserInformation("someuser", "someuser", "someuser@devtable.com")],
+            ["someuser", "buynlarge+anotherbot"],
+        ),
+        # Team which returns the same member twice, as pagination in some engines (like LDAP) is not
+        # stable.
+        (
+            [],
+            [
+                UserInformation("someuser", "someuser", "someuser@devtable.com"),
+                UserInformation(
+                    "anotheruser", "anotheruser", "anotheruser@devtable.com"
+                ),
+                UserInformation("someuser", "someuser", "someuser@devtable.com"),
+            ],
+            ["anotheruser", "someuser"],
+        ),
+    ],
+)
+def test_syncing(
+    user_creation,
+    invite_only_user_creation,
+    starting_membership,
+    group_membership,
+    expected_membership,
+    blacklisted_emails,
+    app,
+):
+    org = model.organization.get_organization("buynlarge")
 
-  # Team with a Quay user + empty group => empty team.
-  ([('someuser', None)],
-   [],
-   []),
+    # Necessary for the fake auth entries to be created in FederatedLogin.
+    database.LoginService.create(name=_FAKE_AUTH)
 
-  # Team with an existing external user + user is in the group => no changes.
-  ([
-    ('someuser', 'someuser'),
-   ],
-   [
-     UserInformation('someuser', 'someuser', 'someuser@devtable.com'),
-   ],
-   ['someuser']),
+    # Assert the team is empty, so we have a clean slate.
+    sync_team_info = model.team.get_team_sync_information("buynlarge", "synced")
+    assert len(list(model.team.list_team_users(sync_team_info.team))) == 0
 
-  # Team with an existing external user (with a different Quay username) + user is in the group.
-  # => no changes
-  ([
-    ('anotherquayname', 'someuser'),
-   ],
-   [
-     UserInformation('someuser', 'someuser', 'someuser@devtable.com'),
-   ],
-   ['someuser']),
+    # Add the existing starting members to the team.
+    for starting_member in starting_membership:
+        (quay_username, fakeauth_username) = starting_member
+        if "+" in quay_username:
+            # Add a robot.
+            (_, shortname) = parse_robot_username(quay_username)
+            robot, _ = model.user.create_robot(shortname, org)
+            model.team.add_user_to_team(robot, sync_team_info.team)
+        else:
+            email = quay_username + "@devtable.com"
 
-  # Team missing a few members that are in the group => members added.
-  ([('someuser', 'someuser')],
-   [
-     UserInformation('anotheruser', 'anotheruser', 'anotheruser@devtable.com'),
-     UserInformation('someuser', 'someuser', 'someuser@devtable.com'),
-     UserInformation('thirduser', 'thirduser', 'thirduser@devtable.com'),
-   ],
-   ['anotheruser', 'someuser', 'thirduser']),
+            if fakeauth_username is None:
+                quay_user = model.user.create_user_noverify(quay_username, email)
+            else:
+                quay_user = model.user.create_federated_user(
+                    quay_username, email, _FAKE_AUTH, fakeauth_username, False
+                )
 
-  # Team has a few extra members no longer in the group => members removed.
-  ([
-    ('anotheruser', 'anotheruser'),
-    ('someuser', 'someuser'),
-    ('thirduser', 'thirduser'),
-    ('nontestuser', None),
-   ],
-   [
-     UserInformation('thirduser', 'thirduser', 'thirduser@devtable.com'),
-   ],
-   ['thirduser']),
+            model.team.add_user_to_team(quay_user, sync_team_info.team)
 
-  # Team has different membership than the group => members added and removed.
-  ([
-    ('anotheruser', 'anotheruser'),
-    ('someuser', 'someuser'),
-    ('nontestuser', None),
-   ],
-   [
-     UserInformation('anotheruser', 'anotheruser', 'anotheruser@devtable.com'),
-     UserInformation('missinguser', 'missinguser', 'missinguser@devtable.com'),
-   ],
-   ['anotheruser', 'missinguser']),
+    # Call syncing on the team.
+    fake_auth = FakeUsers(group_membership)
+    assert sync_team(fake_auth, sync_team_info)
 
-  # Team has same membership but some robots => robots remain and no other changes.
-  ([
-    ('someuser', 'someuser'),
-    ('buynlarge+anotherbot', None),
-    ('buynlarge+somerobot', None),
-   ],
-   [
-     UserInformation('someuser', 'someuser', 'someuser@devtable.com'),
-   ],
-   ['someuser', 'buynlarge+somerobot', 'buynlarge+anotherbot']),
+    # Ensure the last updated time and transaction_id's have changed.
+    updated_sync_info = model.team.get_team_sync_information("buynlarge", "synced")
+    assert updated_sync_info.last_updated is not None
+    assert updated_sync_info.transaction_id != sync_team_info.transaction_id
 
-  # Team has an extra member and some robots => member removed and robots remain.
-  ([
-    ('someuser', 'someuser'),
-    ('buynlarge+anotherbot', None),
-    ('buynlarge+somerobot', None),
-   ],
-   [
-     # No members.
-   ],
-   ['buynlarge+somerobot', 'buynlarge+anotherbot']),
+    users_expected = set([name for name in expected_membership if "+" not in name])
+    robots_expected = set([name for name in expected_membership if "+" in name])
+    assert len(users_expected) + len(robots_expected) == len(expected_membership)
 
-  # Team has a different member and some robots => member changed and robots remain.
-  ([
-    ('someuser', 'someuser'),
-    ('buynlarge+anotherbot', None),
-    ('buynlarge+somerobot', None),
-   ],
-   [
-     UserInformation('anotheruser', 'anotheruser', 'anotheruser@devtable.com'),
-   ],
-   ['anotheruser', 'buynlarge+somerobot', 'buynlarge+anotherbot']),
+    # Check that the team's users match those expected.
+    service_user_map = model.team.get_federated_team_member_mapping(
+        sync_team_info.team, _FAKE_AUTH
+    )
+    assert set(service_user_map.keys()) == users_expected
 
-  # Team with an existing external user (with a different Quay username) + user is in the group.
-  # => no changes and robots remain.
-  ([
-    ('anotherquayname', 'someuser'),
-    ('buynlarge+anotherbot', None),
-   ],
-   [
-     UserInformation('someuser', 'someuser', 'someuser@devtable.com'),
-   ],
-   ['someuser', 'buynlarge+anotherbot']),
+    quay_users = model.team.list_team_users(sync_team_info.team)
+    assert len(quay_users) == len(users_expected)
 
-  # Team which returns the same member twice, as pagination in some engines (like LDAP) is not
-  # stable.
-  ([],
-   [
-     UserInformation('someuser', 'someuser', 'someuser@devtable.com'),
-     UserInformation('anotheruser', 'anotheruser', 'anotheruser@devtable.com'),
-     UserInformation('someuser', 'someuser', 'someuser@devtable.com'),
-   ],
-   ['anotheruser', 'someuser']),
-])
-def test_syncing(user_creation, invite_only_user_creation, starting_membership, group_membership,
-                 expected_membership, blacklisted_emails, app):
-  org = model.organization.get_organization('buynlarge')
+    for quay_user in quay_users:
+        fakeauth_record = model.user.lookup_federated_login(quay_user, _FAKE_AUTH)
+        assert fakeauth_record is not None
+        assert fakeauth_record.service_ident in users_expected
+        assert service_user_map[fakeauth_record.service_ident] == quay_user.id
 
-  # Necessary for the fake auth entries to be created in FederatedLogin.
-  database.LoginService.create(name=_FAKE_AUTH)
-
-  # Assert the team is empty, so we have a clean slate.
-  sync_team_info = model.team.get_team_sync_information('buynlarge', 'synced')
-  assert len(list(model.team.list_team_users(sync_team_info.team))) == 0
-
-  # Add the existing starting members to the team.
-  for starting_member in starting_membership:
-    (quay_username, fakeauth_username) = starting_member
-    if '+' in quay_username:
-      # Add a robot.
-      (_, shortname) = parse_robot_username(quay_username)
-      robot, _ = model.user.create_robot(shortname, org)
-      model.team.add_user_to_team(robot, sync_team_info.team)
-    else:
-      email = quay_username + '@devtable.com'
-
-      if fakeauth_username is None:
-        quay_user = model.user.create_user_noverify(quay_username, email)
-      else:
-        quay_user = model.user.create_federated_user(quay_username, email, _FAKE_AUTH,
-                                                      fakeauth_username, False)
-
-      model.team.add_user_to_team(quay_user, sync_team_info.team)
-
-  # Call syncing on the team.
-  fake_auth = FakeUsers(group_membership)
-  assert sync_team(fake_auth, sync_team_info)
-
-  # Ensure the last updated time and transaction_id's have changed.
-  updated_sync_info = model.team.get_team_sync_information('buynlarge', 'synced')
-  assert updated_sync_info.last_updated is not None
-  assert updated_sync_info.transaction_id != sync_team_info.transaction_id
-
-  users_expected = set([name for name in expected_membership if '+' not in name])
-  robots_expected = set([name for name in expected_membership if '+' in name])
-  assert len(users_expected) + len(robots_expected) == len(expected_membership)
-
-  # Check that the team's users match those expected.
-  service_user_map = model.team.get_federated_team_member_mapping(sync_team_info.team,
-                                                                  _FAKE_AUTH)
-  assert set(service_user_map.keys()) == users_expected
-
-  quay_users = model.team.list_team_users(sync_team_info.team)
-  assert len(quay_users) == len(users_expected)
-
-  for quay_user in quay_users:
-    fakeauth_record = model.user.lookup_federated_login(quay_user, _FAKE_AUTH)
-    assert fakeauth_record is not None
-    assert fakeauth_record.service_ident in users_expected
-    assert service_user_map[fakeauth_record.service_ident] == quay_user.id
-
-  # Check that the team's robots match those expected.
-  robots_found = set([r.username for r in model.team.list_team_robots(sync_team_info.team)])
-  assert robots_expected == robots_found
+    # Check that the team's robots match those expected.
+    robots_found = set(
+        [r.username for r in model.team.list_team_robots(sync_team_info.team)]
+    )
+    assert robots_expected == robots_found
 
 
-def test_sync_teams_to_groups(user_creation, invite_only_user_creation, blacklisted_emails, app):
-  # Necessary for the fake auth entries to be created in FederatedLogin.
-  database.LoginService.create(name=_FAKE_AUTH)
+def test_sync_teams_to_groups(
+    user_creation, invite_only_user_creation, blacklisted_emails, app
+):
+    # Necessary for the fake auth entries to be created in FederatedLogin.
+    database.LoginService.create(name=_FAKE_AUTH)
 
-  # Assert the team has not yet been updated.
-  sync_team_info = model.team.get_team_sync_information('buynlarge', 'synced')
-  assert sync_team_info.last_updated is None
+    # Assert the team has not yet been updated.
+    sync_team_info = model.team.get_team_sync_information("buynlarge", "synced")
+    assert sync_team_info.last_updated is None
 
-  # Call to sync all teams.
-  fake_auth = FakeUsers([])
-  sync_teams_to_groups(fake_auth, timedelta(seconds=1))
+    # Call to sync all teams.
+    fake_auth = FakeUsers([])
+    sync_teams_to_groups(fake_auth, timedelta(seconds=1))
 
-  # Ensure the team was synced.
-  updated_sync_info = model.team.get_team_sync_information('buynlarge', 'synced')
-  assert updated_sync_info.last_updated is not None
-  assert updated_sync_info.transaction_id != sync_team_info.transaction_id
+    # Ensure the team was synced.
+    updated_sync_info = model.team.get_team_sync_information("buynlarge", "synced")
+    assert updated_sync_info.last_updated is not None
+    assert updated_sync_info.transaction_id != sync_team_info.transaction_id
 
-  # Set the stale threshold to a high amount and ensure the team is not resynced.
-  current_info = model.team.get_team_sync_information('buynlarge', 'synced')
-  current_info.last_updated = datetime.now() - timedelta(seconds=2)
-  current_info.save()
+    # Set the stale threshold to a high amount and ensure the team is not resynced.
+    current_info = model.team.get_team_sync_information("buynlarge", "synced")
+    current_info.last_updated = datetime.now() - timedelta(seconds=2)
+    current_info.save()
 
-  sync_teams_to_groups(fake_auth, timedelta(seconds=120))
+    sync_teams_to_groups(fake_auth, timedelta(seconds=120))
 
-  third_sync_info = model.team.get_team_sync_information('buynlarge', 'synced')
-  assert third_sync_info.transaction_id == updated_sync_info.transaction_id
+    third_sync_info = model.team.get_team_sync_information("buynlarge", "synced")
+    assert third_sync_info.transaction_id == updated_sync_info.transaction_id
 
-  # Set the stale threshold to 10 seconds, and ensure the team is resynced, after making it
-  # "updated" 20s ago.
-  current_info = model.team.get_team_sync_information('buynlarge', 'synced')
-  current_info.last_updated = datetime.now() - timedelta(seconds=20)
-  current_info.save()
+    # Set the stale threshold to 10 seconds, and ensure the team is resynced, after making it
+    # "updated" 20s ago.
+    current_info = model.team.get_team_sync_information("buynlarge", "synced")
+    current_info.last_updated = datetime.now() - timedelta(seconds=20)
+    current_info.save()
 
-  sync_teams_to_groups(fake_auth, timedelta(seconds=10))
+    sync_teams_to_groups(fake_auth, timedelta(seconds=10))
 
-  fourth_sync_info = model.team.get_team_sync_information('buynlarge', 'synced')
-  assert fourth_sync_info.transaction_id != updated_sync_info.transaction_id
+    fourth_sync_info = model.team.get_team_sync_information("buynlarge", "synced")
+    assert fourth_sync_info.transaction_id != updated_sync_info.transaction_id
 
 
-@pytest.mark.parametrize('auth_system_builder,config', [
-  (mock_ldap, {'group_dn': 'cn=AwesomeFolk'}),
-  (fake_keystone, {'group_id': 'somegroupid'}),
-])
-def test_teamsync_end_to_end(user_creation, invite_only_user_creation, auth_system_builder, config,
-                             blacklisted_emails, app):
-  with auth_system_builder() as auth:
-    # Create an new team to sync.
-    org = model.organization.get_organization('buynlarge')
-    new_synced_team = model.team.create_team('synced2', org, 'member', 'Some synced team.')
-    sync_team_info = model.team.set_team_syncing(new_synced_team, auth.federated_service, config)
+@pytest.mark.parametrize(
+    "auth_system_builder,config",
+    [
+        (mock_ldap, {"group_dn": "cn=AwesomeFolk"}),
+        (fake_keystone, {"group_id": "somegroupid"}),
+    ],
+)
+def test_teamsync_end_to_end(
+    user_creation,
+    invite_only_user_creation,
+    auth_system_builder,
+    config,
+    blacklisted_emails,
+    app,
+):
+    with auth_system_builder() as auth:
+        # Create an new team to sync.
+        org = model.organization.get_organization("buynlarge")
+        new_synced_team = model.team.create_team(
+            "synced2", org, "member", "Some synced team."
+        )
+        sync_team_info = model.team.set_team_syncing(
+            new_synced_team, auth.federated_service, config
+        )
 
-    # Sync the team.
-    assert sync_team(auth, sync_team_info)
+        # Sync the team.
+        assert sync_team(auth, sync_team_info)
 
-    # Ensure we now have members.
-    msg = 'Auth system: %s' % auth.federated_service
-    sync_team_info = model.team.get_team_sync_information('buynlarge', 'synced2')
-    team_members = list(model.team.list_team_users(sync_team_info.team))
-    assert len(team_members) > 1, msg
+        # Ensure we now have members.
+        msg = "Auth system: %s" % auth.federated_service
+        sync_team_info = model.team.get_team_sync_information("buynlarge", "synced2")
+        team_members = list(model.team.list_team_users(sync_team_info.team))
+        assert len(team_members) > 1, msg
 
-    it, _ = auth.iterate_group_members(config)
-    assert len(team_members) == len(list(it)), msg
+        it, _ = auth.iterate_group_members(config)
+        assert len(team_members) == len(list(it)), msg
 
-    sync_team_info.last_updated = datetime.now() - timedelta(hours=6)
-    sync_team_info.save()
+        sync_team_info.last_updated = datetime.now() - timedelta(hours=6)
+        sync_team_info.save()
 
-    # Remove one of the members and force a sync again to ensure we re-link the correct users.
-    first_member = team_members[0]
-    model.team.remove_user_from_team('buynlarge', 'synced2', first_member.username, 'devtable')
+        # Remove one of the members and force a sync again to ensure we re-link the correct users.
+        first_member = team_members[0]
+        model.team.remove_user_from_team(
+            "buynlarge", "synced2", first_member.username, "devtable"
+        )
 
-    team_members2 = list(model.team.list_team_users(sync_team_info.team))
-    assert len(team_members2) == 1, msg
-    assert sync_team(auth, sync_team_info)
+        team_members2 = list(model.team.list_team_users(sync_team_info.team))
+        assert len(team_members2) == 1, msg
+        assert sync_team(auth, sync_team_info)
 
-    team_members3 = list(model.team.list_team_users(sync_team_info.team))
-    assert len(team_members3) > 1, msg
-    assert set([m.id for m in team_members]) == set([m.id for m in team_members3])
+        team_members3 = list(model.team.list_team_users(sync_team_info.team))
+        assert len(team_members3) > 1, msg
+        assert set([m.id for m in team_members]) == set([m.id for m in team_members3])
 
 
-@pytest.mark.parametrize('auth_system_builder,config', [
-  (mock_ldap, {'group_dn': 'cn=AwesomeFolk'}),
-  (fake_keystone, {'group_id': 'somegroupid'}),
-])
-def test_teamsync_existing_email(user_creation, invite_only_user_creation, auth_system_builder,
-                                 blacklisted_emails, config, app):
-  with auth_system_builder() as auth:
-    # Create an new team to sync.
-    org = model.organization.get_organization('buynlarge')
-    new_synced_team = model.team.create_team('synced2', org, 'member', 'Some synced team.')
-    sync_team_info = model.team.set_team_syncing(new_synced_team, auth.federated_service, config)
+@pytest.mark.parametrize(
+    "auth_system_builder,config",
+    [
+        (mock_ldap, {"group_dn": "cn=AwesomeFolk"}),
+        (fake_keystone, {"group_id": "somegroupid"}),
+    ],
+)
+def test_teamsync_existing_email(
+    user_creation,
+    invite_only_user_creation,
+    auth_system_builder,
+    blacklisted_emails,
+    config,
+    app,
+):
+    with auth_system_builder() as auth:
+        # Create an new team to sync.
+        org = model.organization.get_organization("buynlarge")
+        new_synced_team = model.team.create_team(
+            "synced2", org, "member", "Some synced team."
+        )
+        sync_team_info = model.team.set_team_syncing(
+            new_synced_team, auth.federated_service, config
+        )
 
-    # Add a new *unlinked* user with the same email address as one of the team members.
-    it, _ = auth.iterate_group_members(config)
-    members = list(it)
-    model.user.create_user_noverify('someusername', members[0][0].email)
+        # Add a new *unlinked* user with the same email address as one of the team members.
+        it, _ = auth.iterate_group_members(config)
+        members = list(it)
+        model.user.create_user_noverify("someusername", members[0][0].email)
 
-    # Sync the team and ensure it doesn't fail.
-    assert sync_team(auth, sync_team_info)
+        # Sync the team and ensure it doesn't fail.
+        assert sync_team(auth, sync_team_info)
 
-    team_members = list(model.team.list_team_users(sync_team_info.team))
-    assert len(team_members) > 0
+        team_members = list(model.team.list_team_users(sync_team_info.team))
+        assert len(team_members) > 0
diff --git a/data/users/test/test_users.py b/data/users/test/test_users.py
index 81f6660bd..6dbe30f24 100644
--- a/data/users/test/test_users.py
+++ b/data/users/test/test_users.py
@@ -11,89 +11,95 @@ from test.test_external_jwt_authn import fake_jwt
 
 from test.fixtures import *
 
-@pytest.mark.parametrize('auth_system_builder, user1, user2', [
-  (mock_ldap, ('someuser', 'somepass'), ('testy', 'password')),
-  (fake_keystone, ('cool.user', 'password'), ('some.neat.user', 'foobar')),
-])
+
+@pytest.mark.parametrize(
+    "auth_system_builder, user1, user2",
+    [
+        (mock_ldap, ("someuser", "somepass"), ("testy", "password")),
+        (fake_keystone, ("cool.user", "password"), ("some.neat.user", "foobar")),
+    ],
+)
 def test_auth_createuser(auth_system_builder, user1, user2, config, app):
-  with auth_system_builder() as auth:
-    # Login as a user and ensure a row in the database is created for them.
-    user, err = auth.verify_and_link_user(*user1)
-    assert err is None
-    assert user
+    with auth_system_builder() as auth:
+        # Login as a user and ensure a row in the database is created for them.
+        user, err = auth.verify_and_link_user(*user1)
+        assert err is None
+        assert user
 
-    federated_info = model.user.lookup_federated_login(user, auth.federated_service)
-    assert federated_info is not None
+        federated_info = model.user.lookup_federated_login(user, auth.federated_service)
+        assert federated_info is not None
 
-    # Disable user creation.
-    with patch('features.USER_CREATION', False):
-      # Ensure that the existing user can login.
-      user_again, err = auth.verify_and_link_user(*user1)
-      assert err is None
-      assert user_again.id == user.id
+        # Disable user creation.
+        with patch("features.USER_CREATION", False):
+            # Ensure that the existing user can login.
+            user_again, err = auth.verify_and_link_user(*user1)
+            assert err is None
+            assert user_again.id == user.id
 
-      # Ensure that a new user cannot.
-      new_user, err = auth.verify_and_link_user(*user2)
-      assert new_user is None
-      assert err == DISABLED_MESSAGE
+            # Ensure that a new user cannot.
+            new_user, err = auth.verify_and_link_user(*user2)
+            assert new_user is None
+            assert err == DISABLED_MESSAGE
 
 
 @pytest.mark.parametrize(
-  'email, blacklisting_enabled, can_create',
-  [
-    # Blacklisting Enabled, Blacklisted Domain => Blocked
-    ('foo@blacklisted.net', True, False),
-    ('foo@blacklisted.com', True, False),
-
-    # Blacklisting Enabled, similar to blacklisted domain => Allowed
-    ('foo@notblacklisted.com', True, True),
-    ('foo@blacklisted.org', True, True),
-
-    # Blacklisting *Disabled*, Blacklisted Domain => Allowed
-    ('foo@blacklisted.com', False, True),
-    ('foo@blacklisted.net', False, True),
-  ]
+    "email, blacklisting_enabled, can_create",
+    [
+        # Blacklisting Enabled, Blacklisted Domain => Blocked
+        ("foo@blacklisted.net", True, False),
+        ("foo@blacklisted.com", True, False),
+        # Blacklisting Enabled, similar to blacklisted domain => Allowed
+        ("foo@notblacklisted.com", True, True),
+        ("foo@blacklisted.org", True, True),
+        # Blacklisting *Disabled*, Blacklisted Domain => Allowed
+        ("foo@blacklisted.com", False, True),
+        ("foo@blacklisted.net", False, True),
+    ],
 )
-@pytest.mark.parametrize('auth_system_builder', [mock_ldap, fake_keystone, fake_jwt])
-def test_createuser_with_blacklist(auth_system_builder, email, blacklisting_enabled, can_create, config, app):
-  """Verify email blacklisting with User Creation"""
+@pytest.mark.parametrize("auth_system_builder", [mock_ldap, fake_keystone, fake_jwt])
+def test_createuser_with_blacklist(
+    auth_system_builder, email, blacklisting_enabled, can_create, config, app
+):
+    """Verify email blacklisting with User Creation"""
 
-  MOCK_CONFIG = {'BLACKLISTED_EMAIL_DOMAINS': ['blacklisted.com', 'blacklisted.net']}
-  MOCK_PASSWORD = 'somepass'
+    MOCK_CONFIG = {"BLACKLISTED_EMAIL_DOMAINS": ["blacklisted.com", "blacklisted.net"]}
+    MOCK_PASSWORD = "somepass"
 
-  with auth_system_builder() as auth:
-    with patch('features.BLACKLISTED_EMAILS', blacklisting_enabled):
-      with patch.dict('data.model.config.app_config', MOCK_CONFIG):
-        with patch('features.USER_CREATION', True):
-          new_user, err = auth.verify_and_link_user(email, MOCK_PASSWORD)
-          if can_create:
-            assert err is None
-            assert new_user
-          else:
-            assert err
-            assert new_user is None
+    with auth_system_builder() as auth:
+        with patch("features.BLACKLISTED_EMAILS", blacklisting_enabled):
+            with patch.dict("data.model.config.app_config", MOCK_CONFIG):
+                with patch("features.USER_CREATION", True):
+                    new_user, err = auth.verify_and_link_user(email, MOCK_PASSWORD)
+                    if can_create:
+                        assert err is None
+                        assert new_user
+                    else:
+                        assert err
+                        assert new_user is None
 
 
-@pytest.mark.parametrize('auth_system_builder,auth_kwargs', [
-  (mock_ldap, {}),
-  (fake_keystone, {'version': 3}),
-  (fake_keystone, {'version': 2}),
-  (fake_jwt, {}),
-])
+@pytest.mark.parametrize(
+    "auth_system_builder,auth_kwargs",
+    [
+        (mock_ldap, {}),
+        (fake_keystone, {"version": 3}),
+        (fake_keystone, {"version": 2}),
+        (fake_jwt, {}),
+    ],
+)
 def test_ping(auth_system_builder, auth_kwargs, app):
-  with auth_system_builder(**auth_kwargs) as auth:
-    status, err = auth.ping()
-    assert status
-    assert err is None
+    with auth_system_builder(**auth_kwargs) as auth:
+        status, err = auth.ping()
+        assert status
+        assert err is None
 
 
-@pytest.mark.parametrize('auth_system_builder,auth_kwargs', [
-  (mock_ldap, {}),
-  (fake_keystone, {'version': 3}),
-  (fake_keystone, {'version': 2}),
-])
+@pytest.mark.parametrize(
+    "auth_system_builder,auth_kwargs",
+    [(mock_ldap, {}), (fake_keystone, {"version": 3}), (fake_keystone, {"version": 2})],
+)
 def test_at_least_one_user_exists(auth_system_builder, auth_kwargs, app):
-  with auth_system_builder(**auth_kwargs) as auth:
-    status, err = auth.at_least_one_user_exists()
-    assert status
-    assert err is None
+    with auth_system_builder(**auth_kwargs) as auth:
+        status, err = auth.at_least_one_user_exists()
+        assert status
+        assert err is None
diff --git a/digest/digest_tools.py b/digest/digest_tools.py
index 212088236..3e0fc3d9e 100644
--- a/digest/digest_tools.py
+++ b/digest/digest_tools.py
@@ -3,80 +3,85 @@ import os.path
 import hashlib
 
 
-DIGEST_PATTERN = r'([A-Za-z0-9_+.-]+):([A-Fa-f0-9]+)'
-REPLACE_WITH_PATH = re.compile(r'[+.]')
-REPLACE_DOUBLE_SLASHES = re.compile(r'/+')
+DIGEST_PATTERN = r"([A-Za-z0-9_+.-]+):([A-Fa-f0-9]+)"
+REPLACE_WITH_PATH = re.compile(r"[+.]")
+REPLACE_DOUBLE_SLASHES = re.compile(r"/+")
+
 
 class InvalidDigestException(RuntimeError):
-  pass
+    pass
 
 
 class Digest(object):
-  DIGEST_REGEX = re.compile(DIGEST_PATTERN)
+    DIGEST_REGEX = re.compile(DIGEST_PATTERN)
 
-  def __init__(self, hash_alg, hash_bytes):
-    self._hash_alg = hash_alg
-    self._hash_bytes = hash_bytes
+    def __init__(self, hash_alg, hash_bytes):
+        self._hash_alg = hash_alg
+        self._hash_bytes = hash_bytes
 
-  def __str__(self):
-    return '{0}:{1}'.format(self._hash_alg, self._hash_bytes)
+    def __str__(self):
+        return "{0}:{1}".format(self._hash_alg, self._hash_bytes)
 
-  def __eq__(self, rhs):
-    return isinstance(rhs, Digest) and str(self) == str(rhs)
+    def __eq__(self, rhs):
+        return isinstance(rhs, Digest) and str(self) == str(rhs)
 
-  @staticmethod
-  def parse_digest(digest):
-    """ Returns the digest parsed out to its components. """
-    match = Digest.DIGEST_REGEX.match(digest)
-    if match is None or match.end() != len(digest):
-      raise InvalidDigestException('Not a valid digest: %s', digest)
+    @staticmethod
+    def parse_digest(digest):
+        """ Returns the digest parsed out to its components. """
+        match = Digest.DIGEST_REGEX.match(digest)
+        if match is None or match.end() != len(digest):
+            raise InvalidDigestException("Not a valid digest: %s", digest)
 
-    return Digest(match.group(1), match.group(2))
+        return Digest(match.group(1), match.group(2))
 
-  @property
-  def hash_alg(self):
-    return self._hash_alg
+    @property
+    def hash_alg(self):
+        return self._hash_alg
 
-  @property
-  def hash_bytes(self):
-    return self._hash_bytes
+    @property
+    def hash_bytes(self):
+        return self._hash_bytes
 
 
 def content_path(digest):
-  """ Returns a relative path to the parsed digest. """
-  parsed = Digest.parse_digest(digest)
-  components = []
+    """ Returns a relative path to the parsed digest. """
+    parsed = Digest.parse_digest(digest)
+    components = []
 
-  # Generate a prefix which is always two characters, and which will be filled with leading zeros
-  # if the input does not contain at least two characters. e.g. ABC -> AB, A -> 0A
-  prefix = parsed.hash_bytes[0:2].zfill(2)
-  pathish = REPLACE_WITH_PATH.sub('/', parsed.hash_alg)
-  normalized = REPLACE_DOUBLE_SLASHES.sub('/', pathish).lstrip('/')
-  components.extend([normalized, prefix, parsed.hash_bytes])
-  return os.path.join(*components)
+    # Generate a prefix which is always two characters, and which will be filled with leading zeros
+    # if the input does not contain at least two characters. e.g. ABC -> AB, A -> 0A
+    prefix = parsed.hash_bytes[0:2].zfill(2)
+    pathish = REPLACE_WITH_PATH.sub("/", parsed.hash_alg)
+    normalized = REPLACE_DOUBLE_SLASHES.sub("/", pathish).lstrip("/")
+    components.extend([normalized, prefix, parsed.hash_bytes])
+    return os.path.join(*components)
 
 
 def sha256_digest(content):
-  """ Returns a sha256 hash of the content bytes in digest form. """
-  def single_chunk_generator():
-    yield content
-  return sha256_digest_from_generator(single_chunk_generator())
+    """ Returns a sha256 hash of the content bytes in digest form. """
+
+    def single_chunk_generator():
+        yield content
+
+    return sha256_digest_from_generator(single_chunk_generator())
 
 
 def sha256_digest_from_generator(content_generator):
-  """ Reads all of the data from the iterator and creates a sha256 digest from the content
+    """ Reads all of the data from the iterator and creates a sha256 digest from the content
   """
-  digest = hashlib.sha256()
-  for chunk in content_generator:
-    digest.update(chunk)
-  return 'sha256:{0}'.format(digest.hexdigest())
+    digest = hashlib.sha256()
+    for chunk in content_generator:
+        digest.update(chunk)
+    return "sha256:{0}".format(digest.hexdigest())
 
 
 def sha256_digest_from_hashlib(sha256_hash_obj):
-  return 'sha256:{0}'.format(sha256_hash_obj.hexdigest())
+    return "sha256:{0}".format(sha256_hash_obj.hexdigest())
 
 
 def digests_equal(lhs_digest_string, rhs_digest_string):
-  """ Parse and compare the two digests, returns True if the digests are equal, False otherwise.
+    """ Parse and compare the two digests, returns True if the digests are equal, False otherwise.
   """
-  return Digest.parse_digest(lhs_digest_string) == Digest.parse_digest(rhs_digest_string)
+    return Digest.parse_digest(lhs_digest_string) == Digest.parse_digest(
+        rhs_digest_string
+    )
diff --git a/digest/test/test_digest_tools.py b/digest/test/test_digest_tools.py
index b04f64c6f..1e3792ff3 100644
--- a/digest/test/test_digest_tools.py
+++ b/digest/test/test_digest_tools.py
@@ -2,42 +2,52 @@ import pytest
 
 from digest.digest_tools import Digest, content_path, InvalidDigestException
 
-@pytest.mark.parametrize('digest, output_args', [
-  ('tarsum.v123123+sha1:123deadbeef', ('tarsum.v123123+sha1', '123deadbeef')),
-  ('tarsum.v1+sha256:123123', ('tarsum.v1+sha256', '123123')),
-  ('tarsum.v0+md5:abc', ('tarsum.v0+md5', 'abc')),
-  ('tarsum+sha1:abc', ('tarsum+sha1', 'abc')),
-  ('sha1:123deadbeef', ('sha1', '123deadbeef')),
-  ('sha256:123123', ('sha256', '123123')),
-  ('md5:abc', ('md5', 'abc')),
-])
+
+@pytest.mark.parametrize(
+    "digest, output_args",
+    [
+        ("tarsum.v123123+sha1:123deadbeef", ("tarsum.v123123+sha1", "123deadbeef")),
+        ("tarsum.v1+sha256:123123", ("tarsum.v1+sha256", "123123")),
+        ("tarsum.v0+md5:abc", ("tarsum.v0+md5", "abc")),
+        ("tarsum+sha1:abc", ("tarsum+sha1", "abc")),
+        ("sha1:123deadbeef", ("sha1", "123deadbeef")),
+        ("sha256:123123", ("sha256", "123123")),
+        ("md5:abc", ("md5", "abc")),
+    ],
+)
 def test_parse_good(digest, output_args):
-  assert Digest.parse_digest(digest) == Digest(*output_args)
-  assert str(Digest.parse_digest(digest)) == digest
+    assert Digest.parse_digest(digest) == Digest(*output_args)
+    assert str(Digest.parse_digest(digest)) == digest
 
 
-@pytest.mark.parametrize('bad_digest', [
-  'tarsum.v+md5:abc:',
-  'sha1:123deadbeefzxczxv',
-  'sha256123123',
-  'tarsum.v1+',
-  'tarsum.v1123+sha1:',
-])
+@pytest.mark.parametrize(
+    "bad_digest",
+    [
+        "tarsum.v+md5:abc:",
+        "sha1:123deadbeefzxczxv",
+        "sha256123123",
+        "tarsum.v1+",
+        "tarsum.v1123+sha1:",
+    ],
+)
 def test_parse_fail(bad_digest):
-  with pytest.raises(InvalidDigestException):
-    Digest.parse_digest(bad_digest)
+    with pytest.raises(InvalidDigestException):
+        Digest.parse_digest(bad_digest)
 
 
-@pytest.mark.parametrize('digest, path', [
-  ('tarsum.v123123+sha1:123deadbeef', 'tarsum/v123123/sha1/12/123deadbeef'),
-  ('tarsum.v1+sha256:123123', 'tarsum/v1/sha256/12/123123'),
-  ('tarsum.v0+md5:abc', 'tarsum/v0/md5/ab/abc'),
-  ('sha1:123deadbeef', 'sha1/12/123deadbeef'),
-  ('sha256:123123', 'sha256/12/123123'),
-  ('md5:abc', 'md5/ab/abc'),
-  ('md5:1', 'md5/01/1'),
-  ('md5.....+++:1', 'md5/01/1'),
-  ('.md5.:1', 'md5/01/1'),
-])
+@pytest.mark.parametrize(
+    "digest, path",
+    [
+        ("tarsum.v123123+sha1:123deadbeef", "tarsum/v123123/sha1/12/123deadbeef"),
+        ("tarsum.v1+sha256:123123", "tarsum/v1/sha256/12/123123"),
+        ("tarsum.v0+md5:abc", "tarsum/v0/md5/ab/abc"),
+        ("sha1:123deadbeef", "sha1/12/123deadbeef"),
+        ("sha256:123123", "sha256/12/123123"),
+        ("md5:abc", "md5/ab/abc"),
+        ("md5:1", "md5/01/1"),
+        ("md5.....+++:1", "md5/01/1"),
+        (".md5.:1", "md5/01/1"),
+    ],
+)
 def test_paths(digest, path):
-  assert content_path(digest) == path
+    assert content_path(digest) == path
diff --git a/endpoints/api/__init__.py b/endpoints/api/__init__.py
index 8dcabe6a3..a263a37a3 100644
--- a/endpoints/api/__init__.py
+++ b/endpoints/api/__init__.py
@@ -11,20 +11,36 @@ from flask_restful.utils.cors import crossdomain
 from jsonschema import validate, ValidationError
 
 from app import app, metric_queue, authentication
-from auth.permissions import (ReadRepositoryPermission, ModifyRepositoryPermission,
-                              AdministerRepositoryPermission, UserReadPermission,
-                              UserAdminPermission)
+from auth.permissions import (
+    ReadRepositoryPermission,
+    ModifyRepositoryPermission,
+    AdministerRepositoryPermission,
+    UserReadPermission,
+    UserAdminPermission,
+)
 from auth import scopes
-from auth.auth_context import (get_authenticated_context, get_authenticated_user,
-                               get_validated_oauth_token)
+from auth.auth_context import (
+    get_authenticated_context,
+    get_authenticated_user,
+    get_validated_oauth_token,
+)
 from auth.decorators import process_oauth
 from data import model as data_model
 from data.logs_model import logs_model
 from data.database import RepositoryState
 from endpoints.csrf import csrf_protect
-from endpoints.exception import (Unauthorized, InvalidRequest, InvalidResponse,
-                                 FreshLoginRequired, NotFound)
-from endpoints.decorators import check_anon_protection, require_xhr_from_browser, check_readonly
+from endpoints.exception import (
+    Unauthorized,
+    InvalidRequest,
+    InvalidResponse,
+    FreshLoginRequired,
+    NotFound,
+)
+from endpoints.decorators import (
+    check_anon_protection,
+    require_xhr_from_browser,
+    check_readonly,
+)
 from util.metrics.metricqueue import time_decorator
 from util.names import parse_namespace_repository
 from util.pagination import encrypt_page_token, decrypt_page_token
@@ -33,253 +49,297 @@ from __init__models_pre_oci import pre_oci_model as model
 
 
 logger = logging.getLogger(__name__)
-api_bp = Blueprint('api', __name__)
+api_bp = Blueprint("api", __name__)
 
 
-CROSS_DOMAIN_HEADERS = ['Authorization', 'Content-Type', 'X-Requested-With']
+CROSS_DOMAIN_HEADERS = ["Authorization", "Content-Type", "X-Requested-With"]
+
 
 class ApiExceptionHandlingApi(Api):
-  @crossdomain(origin='*', headers=CROSS_DOMAIN_HEADERS)
-  def handle_error(self, error):
-    return super(ApiExceptionHandlingApi, self).handle_error(error)
+    @crossdomain(origin="*", headers=CROSS_DOMAIN_HEADERS)
+    def handle_error(self, error):
+        return super(ApiExceptionHandlingApi, self).handle_error(error)
 
 
 api = ApiExceptionHandlingApi()
 api.init_app(api_bp)
-api.decorators = [csrf_protect(),
-                  crossdomain(origin='*', headers=CROSS_DOMAIN_HEADERS),
-                  process_oauth, time_decorator(api_bp.name, metric_queue),
-                  require_xhr_from_browser]
+api.decorators = [
+    csrf_protect(),
+    crossdomain(origin="*", headers=CROSS_DOMAIN_HEADERS),
+    process_oauth,
+    time_decorator(api_bp.name, metric_queue),
+    require_xhr_from_browser,
+]
 
 
 def resource(*urls, **kwargs):
-  def wrapper(api_resource):
-    if not api_resource:
-      return None
+    def wrapper(api_resource):
+        if not api_resource:
+            return None
 
-    api_resource.registered = True
-    api.add_resource(api_resource, *urls, **kwargs)
-    return api_resource
-  return wrapper
+        api_resource.registered = True
+        api.add_resource(api_resource, *urls, **kwargs)
+        return api_resource
+
+    return wrapper
 
 
 def show_if(value):
-  def f(inner):
-    if hasattr(inner, 'registered') and inner.registered:
-      msg = ('API endpoint %s is already registered; please switch the ' +
-             '@show_if to be *below* the @resource decorator')
-      raise Exception(msg % inner)
+    def f(inner):
+        if hasattr(inner, "registered") and inner.registered:
+            msg = (
+                "API endpoint %s is already registered; please switch the "
+                + "@show_if to be *below* the @resource decorator"
+            )
+            raise Exception(msg % inner)
 
-    if not value:
-      return None
+        if not value:
+            return None
 
-    return inner
-  return f
+        return inner
+
+    return f
 
 
 def hide_if(value):
-  def f(inner):
-    if hasattr(inner, 'registered') and inner.registered:
-      msg = ('API endpoint %s is already registered; please switch the ' +
-             '@hide_if to be *below* the @resource decorator')
-      raise Exception(msg % inner)
+    def f(inner):
+        if hasattr(inner, "registered") and inner.registered:
+            msg = (
+                "API endpoint %s is already registered; please switch the "
+                + "@hide_if to be *below* the @resource decorator"
+            )
+            raise Exception(msg % inner)
 
-    if value:
-      return None
+        if value:
+            return None
 
-    return inner
-  return f
+        return inner
+
+    return f
 
 
 def truthy_bool(param):
-  return param not in {False, 'false', 'False', '0', 'FALSE', '', 'null'}
+    return param not in {False, "false", "False", "0", "FALSE", "", "null"}
 
 
 def format_date(date):
-  """ Output an RFC822 date format. """
-  if date is None:
-    return None
-  return formatdate(timegm(date.utctimetuple()))
+    """ Output an RFC822 date format. """
+    if date is None:
+        return None
+    return formatdate(timegm(date.utctimetuple()))
 
 
 def add_method_metadata(name, value):
-  def modifier(func):
-    if func is None:
-      return None
+    def modifier(func):
+        if func is None:
+            return None
 
-    if '__api_metadata' not in dir(func):
-      func.__api_metadata = {}
-    func.__api_metadata[name] = value
-    return func
-  return modifier
+        if "__api_metadata" not in dir(func):
+            func.__api_metadata = {}
+        func.__api_metadata[name] = value
+        return func
+
+    return modifier
 
 
 def method_metadata(func, name):
-  if func is None:
+    if func is None:
+        return None
+
+    if "__api_metadata" in dir(func):
+        return func.__api_metadata.get(name, None)
     return None
 
-  if '__api_metadata' in dir(func):
-    return func.__api_metadata.get(name, None)
-  return None
 
-
-
-nickname = partial(add_method_metadata, 'nickname')
-related_user_resource = partial(add_method_metadata, 'related_user_resource')
-internal_only = add_method_metadata('internal', True)
+nickname = partial(add_method_metadata, "nickname")
+related_user_resource = partial(add_method_metadata, "related_user_resource")
+internal_only = add_method_metadata("internal", True)
 
 
 def path_param(name, description):
-  def add_param(func):
-    if not func:
-      return func
+    def add_param(func):
+        if not func:
+            return func
 
-    if '__api_path_params' not in dir(func):
-      func.__api_path_params = {}
-    func.__api_path_params[name] = {
-      'name': name,
-      'description': description
-    }
-    return func
-  return add_param
+        if "__api_path_params" not in dir(func):
+            func.__api_path_params = {}
+        func.__api_path_params[name] = {"name": name, "description": description}
+        return func
+
+    return add_param
 
 
-def query_param(name, help_str, type=reqparse.text_type, default=None,
-                choices=(), required=False):
-  def add_param(func):
-    if '__api_query_params' not in dir(func):
-      func.__api_query_params = []
-    func.__api_query_params.append({
-      'name': name,
-      'type': type,
-      'help': help_str,
-      'default': default,
-      'choices': choices,
-      'required': required,
-      'location': ('args')
-    })
-    return func
-  return add_param
+def query_param(
+    name, help_str, type=reqparse.text_type, default=None, choices=(), required=False
+):
+    def add_param(func):
+        if "__api_query_params" not in dir(func):
+            func.__api_query_params = []
+        func.__api_query_params.append(
+            {
+                "name": name,
+                "type": type,
+                "help": help_str,
+                "default": default,
+                "choices": choices,
+                "required": required,
+                "location": ("args"),
+            }
+        )
+        return func
 
-def page_support(page_token_kwarg='page_token', parsed_args_kwarg='parsed_args'):
-  def inner(func):
-    """ Adds pagination support to an API endpoint. The decorated API will have an
+    return add_param
+
+
+def page_support(page_token_kwarg="page_token", parsed_args_kwarg="parsed_args"):
+    def inner(func):
+        """ Adds pagination support to an API endpoint. The decorated API will have an
         added query parameter named 'next_page'. Works in tandem with the
         modelutil paginate method.
     """
-    @wraps(func)
-    @query_param('next_page', 'The page token for the next page', type=str)
-    def wrapper(self, *args, **kwargs):
-      # Note: if page_token is None, we'll receive the first page of results back.
-      page_token = decrypt_page_token(kwargs[parsed_args_kwarg]['next_page'])
-      kwargs[page_token_kwarg] = page_token
 
-      (result, next_page_token) = func(self, *args, **kwargs)
-      if next_page_token is not None:
-        result['next_page'] = encrypt_page_token(next_page_token)
+        @wraps(func)
+        @query_param("next_page", "The page token for the next page", type=str)
+        def wrapper(self, *args, **kwargs):
+            # Note: if page_token is None, we'll receive the first page of results back.
+            page_token = decrypt_page_token(kwargs[parsed_args_kwarg]["next_page"])
+            kwargs[page_token_kwarg] = page_token
 
-      return result
-    return wrapper
-  return inner
+            (result, next_page_token) = func(self, *args, **kwargs)
+            if next_page_token is not None:
+                result["next_page"] = encrypt_page_token(next_page_token)
 
-def parse_args(kwarg_name='parsed_args'):
-  def inner(func):
-    @wraps(func)
-    def wrapper(self, *args, **kwargs):
-      if '__api_query_params' not in dir(func):
-        abort(500)
+            return result
 
-      parser = reqparse.RequestParser()
-      for arg_spec in func.__api_query_params:
-        parser.add_argument(**arg_spec)
-      kwargs[kwarg_name] = parser.parse_args()
+        return wrapper
+
+    return inner
+
+
+def parse_args(kwarg_name="parsed_args"):
+    def inner(func):
+        @wraps(func)
+        def wrapper(self, *args, **kwargs):
+            if "__api_query_params" not in dir(func):
+                abort(500)
+
+            parser = reqparse.RequestParser()
+            for arg_spec in func.__api_query_params:
+                parser.add_argument(**arg_spec)
+            kwargs[kwarg_name] = parser.parse_args()
+
+            return func(self, *args, **kwargs)
+
+        return wrapper
+
+    return inner
 
-      return func(self, *args, **kwargs)
-    return wrapper
-  return inner
 
 def parse_repository_name(func):
-  @wraps(func)
-  def wrapper(repository, *args, **kwargs):
-    (namespace, repository) = parse_namespace_repository(repository, app.config['LIBRARY_NAMESPACE'])
-    return func(namespace, repository, *args, **kwargs)
-  return wrapper
+    @wraps(func)
+    def wrapper(repository, *args, **kwargs):
+        (namespace, repository) = parse_namespace_repository(
+            repository, app.config["LIBRARY_NAMESPACE"]
+        )
+        return func(namespace, repository, *args, **kwargs)
+
+    return wrapper
 
 
 class ApiResource(Resource):
-  registered = False
-  method_decorators = [check_anon_protection, check_readonly]
+    registered = False
+    method_decorators = [check_anon_protection, check_readonly]
 
-  def options(self):
-    return None, 200
+    def options(self):
+        return None, 200
 
 
 class RepositoryParamResource(ApiResource):
-  method_decorators = [check_anon_protection, parse_repository_name, check_readonly]
+    method_decorators = [check_anon_protection, parse_repository_name, check_readonly]
 
 
 def disallow_for_app_repositories(func):
-  @wraps(func)
-  def wrapped(self, namespace_name, repository_name, *args, **kwargs):
-    # Lookup the repository with the given namespace and name and ensure it is not an application
-    # repository.
-    if model.is_app_repository(namespace_name, repository_name):
-      abort(501)
+    @wraps(func)
+    def wrapped(self, namespace_name, repository_name, *args, **kwargs):
+        # Lookup the repository with the given namespace and name and ensure it is not an application
+        # repository.
+        if model.is_app_repository(namespace_name, repository_name):
+            abort(501)
 
-    return func(self, namespace_name, repository_name, *args, **kwargs)
+        return func(self, namespace_name, repository_name, *args, **kwargs)
 
-  return wrapped
+    return wrapped
 
 
 def disallow_for_non_normal_repositories(func):
-  @wraps(func)
-  def wrapped(self, namespace_name, repository_name, *args, **kwargs):
-    repo = data_model.repository.get_repository(namespace_name, repository_name)
-    if repo and repo.state != RepositoryState.NORMAL:
-      abort(503, message='Repository is in read only or mirror mode: %s' % repo.state)
+    @wraps(func)
+    def wrapped(self, namespace_name, repository_name, *args, **kwargs):
+        repo = data_model.repository.get_repository(namespace_name, repository_name)
+        if repo and repo.state != RepositoryState.NORMAL:
+            abort(
+                503,
+                message="Repository is in read only or mirror mode: %s" % repo.state,
+            )
 
-    return func(self, namespace_name, repository_name, *args, **kwargs)
-  return wrapped
+        return func(self, namespace_name, repository_name, *args, **kwargs)
+
+    return wrapped
 
 
 def require_repo_permission(permission_class, scope, allow_public=False):
-  def wrapper(func):
-    @add_method_metadata('oauth2_scope', scope)
-    @wraps(func)
-    def wrapped(self, namespace, repository, *args, **kwargs):
-      logger.debug('Checking permission %s for repo: %s/%s', permission_class, namespace,
-                   repository)
-      permission = permission_class(namespace, repository)
-      if (permission.can() or
-          (allow_public and
-           model.repository_is_public(namespace, repository))):
-        return func(self, namespace, repository, *args, **kwargs)
-      raise Unauthorized()
-    return wrapped
-  return wrapper
+    def wrapper(func):
+        @add_method_metadata("oauth2_scope", scope)
+        @wraps(func)
+        def wrapped(self, namespace, repository, *args, **kwargs):
+            logger.debug(
+                "Checking permission %s for repo: %s/%s",
+                permission_class,
+                namespace,
+                repository,
+            )
+            permission = permission_class(namespace, repository)
+            if permission.can() or (
+                allow_public and model.repository_is_public(namespace, repository)
+            ):
+                return func(self, namespace, repository, *args, **kwargs)
+            raise Unauthorized()
+
+        return wrapped
+
+    return wrapper
 
 
-require_repo_read = require_repo_permission(ReadRepositoryPermission, scopes.READ_REPO, True)
-require_repo_write = require_repo_permission(ModifyRepositoryPermission, scopes.WRITE_REPO)
-require_repo_admin = require_repo_permission(AdministerRepositoryPermission, scopes.ADMIN_REPO)
+require_repo_read = require_repo_permission(
+    ReadRepositoryPermission, scopes.READ_REPO, True
+)
+require_repo_write = require_repo_permission(
+    ModifyRepositoryPermission, scopes.WRITE_REPO
+)
+require_repo_admin = require_repo_permission(
+    AdministerRepositoryPermission, scopes.ADMIN_REPO
+)
 
 
 def require_user_permission(permission_class, scope=None):
-  def wrapper(func):
-    @add_method_metadata('oauth2_scope', scope)
-    @wraps(func)
-    def wrapped(self, *args, **kwargs):
-      user = get_authenticated_user()
-      if not user:
-        raise Unauthorized()
+    def wrapper(func):
+        @add_method_metadata("oauth2_scope", scope)
+        @wraps(func)
+        def wrapped(self, *args, **kwargs):
+            user = get_authenticated_user()
+            if not user:
+                raise Unauthorized()
 
-      logger.debug('Checking permission %s for user %s', permission_class, user.username)
-      permission = permission_class(user.username)
-      if permission.can():
-        return func(self, *args, **kwargs)
-      raise Unauthorized()
-    return wrapped
-  return wrapper
+            logger.debug(
+                "Checking permission %s for user %s", permission_class, user.username
+            )
+            permission = permission_class(user.username)
+            if permission.can():
+                return func(self, *args, **kwargs)
+            raise Unauthorized()
+
+        return wrapped
+
+    return wrapper
 
 
 require_user_read = require_user_permission(UserReadPermission, scopes.READ_USER)
@@ -287,136 +347,151 @@ require_user_admin = require_user_permission(UserAdminPermission, scopes.ADMIN_U
 
 
 def verify_not_prod(func):
-  @add_method_metadata('enterprise_only', True)
-  @wraps(func)
-  def wrapped(*args, **kwargs):
-    # Verify that we are not running on a production (i.e. hosted) stack. If so, we fail.
-    # This should never happen (because of the feature-flag on SUPER_USERS), but we want to be
-    # absolutely sure.
-    if app.config['SERVER_HOSTNAME'].find('quay.io') >= 0:
-      logger.error('!!! Super user method called IN PRODUCTION !!!')
-      raise NotFound()
+    @add_method_metadata("enterprise_only", True)
+    @wraps(func)
+    def wrapped(*args, **kwargs):
+        # Verify that we are not running on a production (i.e. hosted) stack. If so, we fail.
+        # This should never happen (because of the feature-flag on SUPER_USERS), but we want to be
+        # absolutely sure.
+        if app.config["SERVER_HOSTNAME"].find("quay.io") >= 0:
+            logger.error("!!! Super user method called IN PRODUCTION !!!")
+            raise NotFound()
 
-    return func(*args, **kwargs)
+        return func(*args, **kwargs)
 
-  return wrapped
+    return wrapped
 
 
 def require_fresh_login(func):
-  @add_method_metadata('requires_fresh_login', True)
-  @wraps(func)
-  def wrapped(*args, **kwargs):
-    user = get_authenticated_user()
-    if not user:
-      raise Unauthorized()
+    @add_method_metadata("requires_fresh_login", True)
+    @wraps(func)
+    def wrapped(*args, **kwargs):
+        user = get_authenticated_user()
+        if not user:
+            raise Unauthorized()
 
-    if get_validated_oauth_token():
-      return func(*args, **kwargs)
+        if get_validated_oauth_token():
+            return func(*args, **kwargs)
 
-    logger.debug('Checking fresh login for user %s', user.username)
+        logger.debug("Checking fresh login for user %s", user.username)
 
-    last_login = session.get('login_time', datetime.datetime.min)
-    valid_span = datetime.datetime.now() - datetime.timedelta(minutes=10)
+        last_login = session.get("login_time", datetime.datetime.min)
+        valid_span = datetime.datetime.now() - datetime.timedelta(minutes=10)
 
-    if (not user.password_hash or last_login >= valid_span or
-        not authentication.supports_fresh_login):
-      return func(*args, **kwargs)
+        if (
+            not user.password_hash
+            or last_login >= valid_span
+            or not authentication.supports_fresh_login
+        ):
+            return func(*args, **kwargs)
 
-    raise FreshLoginRequired()
-  return wrapped
+        raise FreshLoginRequired()
+
+    return wrapped
 
 
 def require_scope(scope_object):
-  def wrapper(func):
-    @add_method_metadata('oauth2_scope', scope_object)
-    @wraps(func)
-    def wrapped(*args, **kwargs):
-      return func(*args, **kwargs)
-    return wrapped
-  return wrapper
+    def wrapper(func):
+        @add_method_metadata("oauth2_scope", scope_object)
+        @wraps(func)
+        def wrapped(*args, **kwargs):
+            return func(*args, **kwargs)
+
+        return wrapped
+
+    return wrapper
 
 
 def max_json_size(max_size):
-  def wrapper(func):
-    @wraps(func)
-    def wrapped(self, *args, **kwargs):
-      if request.is_json and len(request.get_data()) > max_size:
-        raise InvalidRequest()
-        
-      return func(self, *args, **kwargs)
-    return wrapped
-  return wrapper
+    def wrapper(func):
+        @wraps(func)
+        def wrapped(self, *args, **kwargs):
+            if request.is_json and len(request.get_data()) > max_size:
+                raise InvalidRequest()
+
+            return func(self, *args, **kwargs)
+
+        return wrapped
+
+    return wrapper
 
 
 def validate_json_request(schema_name, optional=False):
-  def wrapper(func):
-    @add_method_metadata('request_schema', schema_name)
-    @wraps(func)
-    def wrapped(self, *args, **kwargs):
-      schema = self.schemas[schema_name]
-      try:
-        json_data = request.get_json()
-        if json_data is None:
-          if not optional:
-            raise InvalidRequest('Missing JSON body')
-        else:
-          validate(json_data, schema)
-        return func(self, *args, **kwargs)
-      except ValidationError as ex:
-        raise InvalidRequest(str(ex))
-    return wrapped
-  return wrapper
+    def wrapper(func):
+        @add_method_metadata("request_schema", schema_name)
+        @wraps(func)
+        def wrapped(self, *args, **kwargs):
+            schema = self.schemas[schema_name]
+            try:
+                json_data = request.get_json()
+                if json_data is None:
+                    if not optional:
+                        raise InvalidRequest("Missing JSON body")
+                else:
+                    validate(json_data, schema)
+                return func(self, *args, **kwargs)
+            except ValidationError as ex:
+                raise InvalidRequest(str(ex))
+
+        return wrapped
+
+    return wrapper
 
 
 def request_error(exception=None, **kwargs):
-  data = kwargs.copy()
-  message = 'Request error.'
-  if exception:
-    message = str(exception)
+    data = kwargs.copy()
+    message = "Request error."
+    if exception:
+        message = str(exception)
 
-  message = data.pop('message', message)
-  raise InvalidRequest(message, data)
+    message = data.pop("message", message)
+    raise InvalidRequest(message, data)
 
 
 def log_action(kind, user_or_orgname, metadata=None, repo=None, repo_name=None):
-  if not metadata:
-    metadata = {}
+    if not metadata:
+        metadata = {}
 
-  oauth_token = get_validated_oauth_token()
-  if oauth_token:
-    metadata['oauth_token_id'] = oauth_token.id
-    metadata['oauth_token_application_id'] = oauth_token.application.client_id
-    metadata['oauth_token_application'] = oauth_token.application.name
+    oauth_token = get_validated_oauth_token()
+    if oauth_token:
+        metadata["oauth_token_id"] = oauth_token.id
+        metadata["oauth_token_application_id"] = oauth_token.application.client_id
+        metadata["oauth_token_application"] = oauth_token.application.name
 
-  performer = get_authenticated_user()
+    performer = get_authenticated_user()
 
-  if repo_name is not None:
-    repo = data_model.repository.get_repository(user_or_orgname, repo_name)
+    if repo_name is not None:
+        repo = data_model.repository.get_repository(user_or_orgname, repo_name)
 
-  logs_model.log_action(kind, user_or_orgname,
-                        repository=repo,
-                        performer=performer,
-                        ip=get_request_ip(),
-                        metadata=metadata)
+    logs_model.log_action(
+        kind,
+        user_or_orgname,
+        repository=repo,
+        performer=performer,
+        ip=get_request_ip(),
+        metadata=metadata,
+    )
 
 
 def define_json_response(schema_name):
-  def wrapper(func):
-    @add_method_metadata('response_schema', schema_name)
-    @wraps(func)
-    def wrapped(self, *args, **kwargs):
-      schema = self.schemas[schema_name]
-      resp = func(self, *args, **kwargs)
+    def wrapper(func):
+        @add_method_metadata("response_schema", schema_name)
+        @wraps(func)
+        def wrapped(self, *args, **kwargs):
+            schema = self.schemas[schema_name]
+            resp = func(self, *args, **kwargs)
 
-      if app.config['TESTING']:
-        try:
-          validate(resp, schema)
-        except ValidationError as ex:
-          raise InvalidResponse(str(ex))
+            if app.config["TESTING"]:
+                try:
+                    validate(resp, schema)
+                except ValidationError as ex:
+                    raise InvalidResponse(str(ex))
 
-      return resp
-    return wrapped
-  return wrapper
+            return resp
+
+        return wrapped
+
+    return wrapper
 
 
 import endpoints.api.appspecifictokens
diff --git a/endpoints/api/__init__models_interface.py b/endpoints/api/__init__models_interface.py
index 974d9e0e1..d8575c283 100644
--- a/endpoints/api/__init__models_interface.py
+++ b/endpoints/api/__init__models_interface.py
@@ -2,16 +2,16 @@ from abc import ABCMeta, abstractmethod
 
 from six import add_metaclass
 
-  
+
 @add_metaclass(ABCMeta)
 class InitDataInterface(object):
-  """
+    """
   Interface that represents all data store interactions required by __init__.
   """
 
-  @abstractmethod
-  def is_app_repository(self, namespace_name, repository_name):
-    """
+    @abstractmethod
+    def is_app_repository(self, namespace_name, repository_name):
+        """
     
     Args:
       namespace_name: namespace or user 
@@ -20,11 +20,11 @@ class InitDataInterface(object):
     Returns:
       Boolean
     """
-    pass
-  
-  @abstractmethod
-  def repository_is_public(self, namespace_name, repository_name):
-    """
+        pass
+
+    @abstractmethod
+    def repository_is_public(self, namespace_name, repository_name):
+        """
     
     Args:
       namespace_name: namespace or user 
@@ -33,11 +33,13 @@ class InitDataInterface(object):
     Returns:
       Boolean
     """
-    pass
-    
-  @abstractmethod
-  def log_action(self, kind, namespace_name, repository_name, performer, ip, metadata):
-    """
+        pass
+
+    @abstractmethod
+    def log_action(
+        self, kind, namespace_name, repository_name, performer, ip, metadata
+    ):
+        """
     
     Args:
       kind: type of log
@@ -50,5 +52,4 @@ class InitDataInterface(object):
     Returns:
       None
     """
-    pass
-
+        pass
diff --git a/endpoints/api/__init__models_pre_oci.py b/endpoints/api/__init__models_pre_oci.py
index f14e7267c..146d6f4eb 100644
--- a/endpoints/api/__init__models_pre_oci.py
+++ b/endpoints/api/__init__models_pre_oci.py
@@ -3,17 +3,31 @@ from __init__models_interface import InitDataInterface
 from data import model
 from data.logs_model import logs_model
 
+
 class PreOCIModel(InitDataInterface):
-  def is_app_repository(self, namespace_name, repository_name):
-    return model.repository.get_repository(namespace_name, repository_name,
-                                           kind_filter='application') is not None
+    def is_app_repository(self, namespace_name, repository_name):
+        return (
+            model.repository.get_repository(
+                namespace_name, repository_name, kind_filter="application"
+            )
+            is not None
+        )
 
-  def repository_is_public(self, namespace_name, repository_name):
-    return model.repository.repository_is_public(namespace_name, repository_name)
+    def repository_is_public(self, namespace_name, repository_name):
+        return model.repository.repository_is_public(namespace_name, repository_name)
+
+    def log_action(
+        self, kind, namespace_name, repository_name, performer, ip, metadata
+    ):
+        repository = model.repository.get_repository(namespace_name, repository_name)
+        logs_model.log_action(
+            kind,
+            namespace_name,
+            performer=performer,
+            ip=ip,
+            metadata=metadata,
+            repository=repository,
+        )
 
-  def log_action(self, kind, namespace_name, repository_name, performer, ip, metadata):
-    repository = model.repository.get_repository(namespace_name, repository_name)
-    logs_model.log_action(kind, namespace_name, performer=performer, ip=ip, metadata=metadata,
-                          repository=repository)
 
 pre_oci_model = PreOCIModel()
diff --git a/endpoints/api/appspecifictokens.py b/endpoints/api/appspecifictokens.py
index 1e886c385..a5c5d4fd3 100644
--- a/endpoints/api/appspecifictokens.py
+++ b/endpoints/api/appspecifictokens.py
@@ -11,123 +11,143 @@ import features
 from app import app
 from auth.auth_context import get_authenticated_user
 from data import model
-from endpoints.api import (ApiResource, nickname, resource, validate_json_request,
-                           log_action, require_user_admin, require_fresh_login,
-                           path_param, NotFound, format_date, show_if, query_param, parse_args,
-                           truthy_bool)
+from endpoints.api import (
+    ApiResource,
+    nickname,
+    resource,
+    validate_json_request,
+    log_action,
+    require_user_admin,
+    require_fresh_login,
+    path_param,
+    NotFound,
+    format_date,
+    show_if,
+    query_param,
+    parse_args,
+    truthy_bool,
+)
 from util.timedeltastring import convert_to_timedelta
 
 logger = logging.getLogger(__name__)
 
 
 def token_view(token, include_code=False):
-  data = {
-    'uuid': token.uuid,
-    'title': token.title,
-    'last_accessed': format_date(token.last_accessed),
-    'created': format_date(token.created),
-    'expiration': format_date(token.expiration),
-  }
+    data = {
+        "uuid": token.uuid,
+        "title": token.title,
+        "last_accessed": format_date(token.last_accessed),
+        "created": format_date(token.created),
+        "expiration": format_date(token.expiration),
+    }
 
-  if include_code:
-    data.update({
-      'token_code': model.appspecifictoken.get_full_token_string(token),
-    })
+    if include_code:
+        data.update({"token_code": model.appspecifictoken.get_full_token_string(token)})
 
-  return data
+    return data
 
 
 # The default window to use when looking up tokens that will be expiring.
-_DEFAULT_TOKEN_EXPIRATION_WINDOW = '4w'
+_DEFAULT_TOKEN_EXPIRATION_WINDOW = "4w"
 
 
-@resource('/v1/user/apptoken')
+@resource("/v1/user/apptoken")
 @show_if(features.APP_SPECIFIC_TOKENS)
 class AppTokens(ApiResource):
-  """ Lists all app specific tokens for a user """
-  schemas = {
-    'NewToken': {
-      'type': 'object',
-      'required': [
-        'title',
-      ],
-      'properties': {
-        'title': {
-          'type': 'string',
-          'description': 'The user-defined title for the token',
-        },
-      }
-    },
-  }
+    """ Lists all app specific tokens for a user """
 
-  @require_user_admin
-  @nickname('listAppTokens')
-  @parse_args()
-  @query_param('expiring', 'If true, only returns those tokens expiring soon', type=truthy_bool)
-  def get(self, parsed_args):
-    """ Lists the app specific tokens for the user. """
-    expiring = parsed_args['expiring']
-    if expiring:
-      expiration = app.config.get('APP_SPECIFIC_TOKEN_EXPIRATION')
-      token_expiration = convert_to_timedelta(expiration or _DEFAULT_TOKEN_EXPIRATION_WINDOW)
-      seconds = math.ceil(token_expiration.total_seconds() * 0.1) or 1
-      soon = timedelta(seconds=seconds)
-      tokens = model.appspecifictoken.get_expiring_tokens(get_authenticated_user(), soon)
-    else:
-      tokens = model.appspecifictoken.list_tokens(get_authenticated_user())
-
-    return {
-      'tokens': [token_view(token, include_code=False) for token in tokens],
-      'only_expiring': expiring,
+    schemas = {
+        "NewToken": {
+            "type": "object",
+            "required": ["title"],
+            "properties": {
+                "title": {
+                    "type": "string",
+                    "description": "The user-defined title for the token",
+                }
+            },
+        }
     }
 
-  @require_user_admin
-  @require_fresh_login
-  @nickname('createAppToken')
-  @validate_json_request('NewToken')
-  def post(self):
-    """ Create a new app specific token for user. """
-    title = request.get_json()['title']
-    token = model.appspecifictoken.create_token(get_authenticated_user(), title)
+    @require_user_admin
+    @nickname("listAppTokens")
+    @parse_args()
+    @query_param(
+        "expiring", "If true, only returns those tokens expiring soon", type=truthy_bool
+    )
+    def get(self, parsed_args):
+        """ Lists the app specific tokens for the user. """
+        expiring = parsed_args["expiring"]
+        if expiring:
+            expiration = app.config.get("APP_SPECIFIC_TOKEN_EXPIRATION")
+            token_expiration = convert_to_timedelta(
+                expiration or _DEFAULT_TOKEN_EXPIRATION_WINDOW
+            )
+            seconds = math.ceil(token_expiration.total_seconds() * 0.1) or 1
+            soon = timedelta(seconds=seconds)
+            tokens = model.appspecifictoken.get_expiring_tokens(
+                get_authenticated_user(), soon
+            )
+        else:
+            tokens = model.appspecifictoken.list_tokens(get_authenticated_user())
 
-    log_action('create_app_specific_token', get_authenticated_user().username,
-               {'app_specific_token_title': token.title,
-                'app_specific_token': token.uuid})
+        return {
+            "tokens": [token_view(token, include_code=False) for token in tokens],
+            "only_expiring": expiring,
+        }
 
-    return {
-      'token': token_view(token, include_code=True),
-    }
+    @require_user_admin
+    @require_fresh_login
+    @nickname("createAppToken")
+    @validate_json_request("NewToken")
+    def post(self):
+        """ Create a new app specific token for user. """
+        title = request.get_json()["title"]
+        token = model.appspecifictoken.create_token(get_authenticated_user(), title)
+
+        log_action(
+            "create_app_specific_token",
+            get_authenticated_user().username,
+            {"app_specific_token_title": token.title, "app_specific_token": token.uuid},
+        )
+
+        return {"token": token_view(token, include_code=True)}
 
 
-@resource('/v1/user/apptoken/<token_uuid>')
+@resource("/v1/user/apptoken/<token_uuid>")
 @show_if(features.APP_SPECIFIC_TOKENS)
-@path_param('token_uuid', 'The uuid of the app specific token')
+@path_param("token_uuid", "The uuid of the app specific token")
 class AppToken(ApiResource):
-  """ Provides operations on an app specific token """
-  @require_user_admin
-  @require_fresh_login
-  @nickname('getAppToken')
-  def get(self, token_uuid):
-    """ Returns a specific app token for the user. """
-    token = model.appspecifictoken.get_token_by_uuid(token_uuid, owner=get_authenticated_user())
-    if token is None:
-      raise NotFound()
+    """ Provides operations on an app specific token """
 
-    return {
-      'token': token_view(token, include_code=True),
-    }
+    @require_user_admin
+    @require_fresh_login
+    @nickname("getAppToken")
+    def get(self, token_uuid):
+        """ Returns a specific app token for the user. """
+        token = model.appspecifictoken.get_token_by_uuid(
+            token_uuid, owner=get_authenticated_user()
+        )
+        if token is None:
+            raise NotFound()
 
-  @require_user_admin
-  @require_fresh_login
-  @nickname('revokeAppToken')
-  def delete(self, token_uuid):
-    """ Revokes a specific app token for the user. """
-    token = model.appspecifictoken.revoke_token_by_uuid(token_uuid, owner=get_authenticated_user())
-    if token is None:
-      raise NotFound()
+        return {"token": token_view(token, include_code=True)}
 
-    log_action('revoke_app_specific_token', get_authenticated_user().username,
-               {'app_specific_token_title': token.title,
-                'app_specific_token': token.uuid})
+    @require_user_admin
+    @require_fresh_login
+    @nickname("revokeAppToken")
+    def delete(self, token_uuid):
+        """ Revokes a specific app token for the user. """
+        token = model.appspecifictoken.revoke_token_by_uuid(
+            token_uuid, owner=get_authenticated_user()
+        )
+        if token is None:
+            raise NotFound()
 
-    return '', 204
+        log_action(
+            "revoke_app_specific_token",
+            get_authenticated_user().username,
+            {"app_specific_token_title": token.title, "app_specific_token": token.uuid},
+        )
+
+        return "", 204
diff --git a/endpoints/api/billing.py b/endpoints/api/billing.py
index db7158d12..eda3a301b 100644
--- a/endpoints/api/billing.py
+++ b/endpoints/api/billing.py
@@ -4,9 +4,20 @@ import stripe
 
 from flask import request
 from app import billing
-from endpoints.api import (resource, nickname, ApiResource, validate_json_request, log_action,
-                           related_user_resource, internal_only, require_user_admin, show_if, 
-                           path_param, require_scope, abort)
+from endpoints.api import (
+    resource,
+    nickname,
+    ApiResource,
+    validate_json_request,
+    log_action,
+    related_user_resource,
+    internal_only,
+    require_user_admin,
+    show_if,
+    path_param,
+    require_scope,
+    abort,
+)
 from endpoints.exception import Unauthorized, NotFound
 from endpoints.api.subscribe import subscribe, subscription_view
 from auth.permissions import AdministerOrganizationPermission
@@ -19,589 +30,587 @@ import features
 import uuid
 import json
 
+
 def get_namespace_plan(namespace):
-  """ Returns the plan of the given namespace. """
-  namespace_user = model.user.get_namespace_user(namespace)
-  if namespace_user is None:
-    return None
+    """ Returns the plan of the given namespace. """
+    namespace_user = model.user.get_namespace_user(namespace)
+    if namespace_user is None:
+        return None
 
-  if not namespace_user.stripe_id:
-    return None
+    if not namespace_user.stripe_id:
+        return None
 
-  # Ask Stripe for the subscribed plan.
-  # TODO: Can we cache this or make it faster somehow?
-  try:
-    cus = billing.Customer.retrieve(namespace_user.stripe_id)
-  except stripe.error.APIConnectionError:
-    abort(503, message='Cannot contact Stripe')
+    # Ask Stripe for the subscribed plan.
+    # TODO: Can we cache this or make it faster somehow?
+    try:
+        cus = billing.Customer.retrieve(namespace_user.stripe_id)
+    except stripe.error.APIConnectionError:
+        abort(503, message="Cannot contact Stripe")
 
-  if not cus.subscription:
-    return None
+    if not cus.subscription:
+        return None
 
-  return get_plan(cus.subscription.plan.id)
+    return get_plan(cus.subscription.plan.id)
 
 
 def lookup_allowed_private_repos(namespace):
-  """ Returns false if the given namespace has used its allotment of private repositories. """
-  current_plan = get_namespace_plan(namespace)
-  if current_plan is None:
-    return False
+    """ Returns false if the given namespace has used its allotment of private repositories. """
+    current_plan = get_namespace_plan(namespace)
+    if current_plan is None:
+        return False
 
-  # Find the number of private repositories used by the namespace and compare it to the
-  # plan subscribed.
-  private_repos = model.user.get_private_repo_count(namespace)
+    # Find the number of private repositories used by the namespace and compare it to the
+    # plan subscribed.
+    private_repos = model.user.get_private_repo_count(namespace)
 
-  return private_repos < current_plan['privateRepos']
+    return private_repos < current_plan["privateRepos"]
 
 
 def carderror_response(e):
-  return {'carderror': str(e)}, 402
+    return {"carderror": str(e)}, 402
 
 
 def get_card(user):
-  card_info = {
-    'is_valid': False
-  }
+    card_info = {"is_valid": False}
 
-  if user.stripe_id:
-    try:
-      cus = billing.Customer.retrieve(user.stripe_id)
-    except stripe.error.APIConnectionError as e:
-      abort(503, message='Cannot contact Stripe')
+    if user.stripe_id:
+        try:
+            cus = billing.Customer.retrieve(user.stripe_id)
+        except stripe.error.APIConnectionError as e:
+            abort(503, message="Cannot contact Stripe")
 
-    if cus and cus.default_card:
-      # Find the default card.
-      default_card = None
-      for card in cus.cards.data:
-        if card.id == cus.default_card:
-          default_card = card
-          break
+        if cus and cus.default_card:
+            # Find the default card.
+            default_card = None
+            for card in cus.cards.data:
+                if card.id == cus.default_card:
+                    default_card = card
+                    break
 
-      if default_card:
-        card_info = {
-          'owner': default_card.name,
-          'type': default_card.type,
-          'last4': default_card.last4,
-          'exp_month': default_card.exp_month,
-          'exp_year': default_card.exp_year
-        }
+            if default_card:
+                card_info = {
+                    "owner": default_card.name,
+                    "type": default_card.type,
+                    "last4": default_card.last4,
+                    "exp_month": default_card.exp_month,
+                    "exp_year": default_card.exp_year,
+                }
 
-  return {'card': card_info}
+    return {"card": card_info}
 
 
 def set_card(user, token):
-  if user.stripe_id:
-    try:
-      cus = billing.Customer.retrieve(user.stripe_id)
-    except stripe.error.APIConnectionError as e:
-      abort(503, message='Cannot contact Stripe')
+    if user.stripe_id:
+        try:
+            cus = billing.Customer.retrieve(user.stripe_id)
+        except stripe.error.APIConnectionError as e:
+            abort(503, message="Cannot contact Stripe")
 
-    if cus:
-      try:
-        cus.card = token
-        cus.save()
-      except stripe.error.CardError as exc:
-        return carderror_response(exc)
-      except stripe.error.InvalidRequestError as exc:
-        return carderror_response(exc)
-      except stripe.error.APIConnectionError as e:
-        return carderror_response(e)
+        if cus:
+            try:
+                cus.card = token
+                cus.save()
+            except stripe.error.CardError as exc:
+                return carderror_response(exc)
+            except stripe.error.InvalidRequestError as exc:
+                return carderror_response(exc)
+            except stripe.error.APIConnectionError as e:
+                return carderror_response(e)
 
-  return get_card(user)
+    return get_card(user)
 
 
 def get_invoices(customer_id):
-  def invoice_view(i):
-    return {
-      'id': i.id,
-      'date': i.date,
-      'period_start': i.period_start,
-      'period_end': i.period_end,
-      'paid': i.paid,
-      'amount_due': i.amount_due,
-      'next_payment_attempt': i.next_payment_attempt,
-      'attempted': i.attempted,
-      'closed': i.closed,
-      'total': i.total,
-      'plan': i.lines.data[0].plan.id if i.lines.data[0].plan else None
-    }
+    def invoice_view(i):
+        return {
+            "id": i.id,
+            "date": i.date,
+            "period_start": i.period_start,
+            "period_end": i.period_end,
+            "paid": i.paid,
+            "amount_due": i.amount_due,
+            "next_payment_attempt": i.next_payment_attempt,
+            "attempted": i.attempted,
+            "closed": i.closed,
+            "total": i.total,
+            "plan": i.lines.data[0].plan.id if i.lines.data[0].plan else None,
+        }
 
-  try:
-    invoices = billing.Invoice.list(customer=customer_id, count=12)
-  except stripe.error.APIConnectionError as e:
-    abort(503, message='Cannot contact Stripe')
+    try:
+        invoices = billing.Invoice.list(customer=customer_id, count=12)
+    except stripe.error.APIConnectionError as e:
+        abort(503, message="Cannot contact Stripe")
 
-  return {
-    'invoices': [invoice_view(i) for i in invoices.data]
-  }
+    return {"invoices": [invoice_view(i) for i in invoices.data]}
 
 
 def get_invoice_fields(user):
-  try:
-    cus = billing.Customer.retrieve(user.stripe_id)
-  except stripe.error.APIConnectionError:
-    abort(503, message='Cannot contact Stripe')
+    try:
+        cus = billing.Customer.retrieve(user.stripe_id)
+    except stripe.error.APIConnectionError:
+        abort(503, message="Cannot contact Stripe")
 
-  if not 'metadata' in cus:
-    cus.metadata = {}
+    if not "metadata" in cus:
+        cus.metadata = {}
 
-  return json.loads(cus.metadata.get('invoice_fields') or '[]'), cus
+    return json.loads(cus.metadata.get("invoice_fields") or "[]"), cus
 
 
 def create_billing_invoice_field(user, title, value):
-  new_field = {
-    'uuid': str(uuid.uuid4()).split('-')[0],
-    'title': title,
-    'value': value
-  }
+    new_field = {
+        "uuid": str(uuid.uuid4()).split("-")[0],
+        "title": title,
+        "value": value,
+    }
 
-  invoice_fields, cus = get_invoice_fields(user)
-  invoice_fields.append(new_field)
+    invoice_fields, cus = get_invoice_fields(user)
+    invoice_fields.append(new_field)
 
-  if not 'metadata' in cus:
-    cus.metadata = {}
+    if not "metadata" in cus:
+        cus.metadata = {}
 
-  cus.metadata['invoice_fields'] = json.dumps(invoice_fields)
-  cus.save()
-  return new_field
+    cus.metadata["invoice_fields"] = json.dumps(invoice_fields)
+    cus.save()
+    return new_field
 
 
 def delete_billing_invoice_field(user, field_uuid):
-  invoice_fields, cus = get_invoice_fields(user)
-  invoice_fields = [field for field in invoice_fields if not field['uuid'] == field_uuid]
+    invoice_fields, cus = get_invoice_fields(user)
+    invoice_fields = [
+        field for field in invoice_fields if not field["uuid"] == field_uuid
+    ]
 
-  if not 'metadata' in cus:
-    cus.metadata = {}
+    if not "metadata" in cus:
+        cus.metadata = {}
 
-  cus.metadata['invoice_fields'] = json.dumps(invoice_fields)
-  cus.save()
-  return True
+    cus.metadata["invoice_fields"] = json.dumps(invoice_fields)
+    cus.save()
+    return True
 
 
-@resource('/v1/plans/')
+@resource("/v1/plans/")
 @show_if(features.BILLING)
 class ListPlans(ApiResource):
-  """ Resource for listing the available plans. """
-  @nickname('listPlans')
-  def get(self):
-    """ List the avaialble plans. """
-    return {
-      'plans': PLANS,
-    }
+    """ Resource for listing the available plans. """
+
+    @nickname("listPlans")
+    def get(self):
+        """ List the avaialble plans. """
+        return {"plans": PLANS}
 
 
-@resource('/v1/user/card')
+@resource("/v1/user/card")
 @internal_only
 @show_if(features.BILLING)
 class UserCard(ApiResource):
-  """ Resource for managing a user's credit card. """
-  schemas = {
-    'UserCard': {
-      'id': 'UserCard',
-      'type': 'object',
-      'description': 'Description of a user card',
-      'required': [
-        'token',
-      ],
-      'properties': {
-        'token': {
-          'type': 'string',
-          'description': 'Stripe token that is generated by stripe checkout.js',
-        },
-      },
-    },
-  }
+    """ Resource for managing a user's credit card. """
 
-  @require_user_admin
-  @nickname('getUserCard')
-  def get(self):
-    """ Get the user's credit card. """
-    user = get_authenticated_user()
-    return get_card(user)
+    schemas = {
+        "UserCard": {
+            "id": "UserCard",
+            "type": "object",
+            "description": "Description of a user card",
+            "required": ["token"],
+            "properties": {
+                "token": {
+                    "type": "string",
+                    "description": "Stripe token that is generated by stripe checkout.js",
+                }
+            },
+        }
+    }
 
-  @require_user_admin
-  @nickname('setUserCard')
-  @validate_json_request('UserCard')
-  def post(self):
-    """ Update the user's credit card. """
-    user = get_authenticated_user()
-    token = request.get_json()['token']
-    response = set_card(user, token)
-    log_action('account_change_cc', user.username)
-    return response
+    @require_user_admin
+    @nickname("getUserCard")
+    def get(self):
+        """ Get the user's credit card. """
+        user = get_authenticated_user()
+        return get_card(user)
+
+    @require_user_admin
+    @nickname("setUserCard")
+    @validate_json_request("UserCard")
+    def post(self):
+        """ Update the user's credit card. """
+        user = get_authenticated_user()
+        token = request.get_json()["token"]
+        response = set_card(user, token)
+        log_action("account_change_cc", user.username)
+        return response
 
 
-@resource('/v1/organization/<orgname>/card')
-@path_param('orgname', 'The name of the organization')
+@resource("/v1/organization/<orgname>/card")
+@path_param("orgname", "The name of the organization")
 @internal_only
 @related_user_resource(UserCard)
 @show_if(features.BILLING)
 class OrganizationCard(ApiResource):
-  """ Resource for managing an organization's credit card. """
-  schemas = {
-    'OrgCard': {
-      'id': 'OrgCard',
-      'type': 'object',
-      'description': 'Description of a user card',
-      'required': [
-        'token',
-      ],
-      'properties': {
-        'token': {
-          'type': 'string',
-          'description': 'Stripe token that is generated by stripe checkout.js',
-        },
-      },
-    },
-  }
+    """ Resource for managing an organization's credit card. """
 
-  @require_scope(scopes.ORG_ADMIN)
-  @nickname('getOrgCard')
-  def get(self, orgname):
-    """ Get the organization's credit card. """
-    permission = AdministerOrganizationPermission(orgname)
-    if permission.can():
-      organization = model.organization.get_organization(orgname)
-      return get_card(organization)
+    schemas = {
+        "OrgCard": {
+            "id": "OrgCard",
+            "type": "object",
+            "description": "Description of a user card",
+            "required": ["token"],
+            "properties": {
+                "token": {
+                    "type": "string",
+                    "description": "Stripe token that is generated by stripe checkout.js",
+                }
+            },
+        }
+    }
 
-    raise Unauthorized()
+    @require_scope(scopes.ORG_ADMIN)
+    @nickname("getOrgCard")
+    def get(self, orgname):
+        """ Get the organization's credit card. """
+        permission = AdministerOrganizationPermission(orgname)
+        if permission.can():
+            organization = model.organization.get_organization(orgname)
+            return get_card(organization)
 
-  @nickname('setOrgCard')
-  @validate_json_request('OrgCard')
-  def post(self, orgname):
-    """ Update the orgnaization's credit card. """
-    permission = AdministerOrganizationPermission(orgname)
-    if permission.can():
-      organization = model.organization.get_organization(orgname)
-      token = request.get_json()['token']
-      response = set_card(organization, token)
-      log_action('account_change_cc', orgname)
-      return response
+        raise Unauthorized()
 
-    raise Unauthorized()
+    @nickname("setOrgCard")
+    @validate_json_request("OrgCard")
+    def post(self, orgname):
+        """ Update the orgnaization's credit card. """
+        permission = AdministerOrganizationPermission(orgname)
+        if permission.can():
+            organization = model.organization.get_organization(orgname)
+            token = request.get_json()["token"]
+            response = set_card(organization, token)
+            log_action("account_change_cc", orgname)
+            return response
+
+        raise Unauthorized()
 
 
-@resource('/v1/user/plan')
+@resource("/v1/user/plan")
 @internal_only
 @show_if(features.BILLING)
 class UserPlan(ApiResource):
-  """ Resource for managing a user's subscription. """
-  schemas = {
-    'UserSubscription': {
-      'id': 'UserSubscription',
-      'type': 'object',
-      'description': 'Description of a user card',
-      'required': [
-        'plan',
-      ],
-      'properties': {
-        'token': {
-          'type': 'string',
-          'description': 'Stripe token that is generated by stripe checkout.js',
-        },
-        'plan': {
-          'type': 'string',
-          'description': 'Plan name to which the user wants to subscribe',
-        },
-      },
-    },
-  }
+    """ Resource for managing a user's subscription. """
 
-  @require_user_admin
-  @nickname('updateUserSubscription')
-  @validate_json_request('UserSubscription')
-  def put(self):
-    """ Create or update the user's subscription. """
-    request_data = request.get_json()
-    plan = request_data['plan']
-    token = request_data['token'] if 'token' in request_data else None
-    user = get_authenticated_user()
-    return subscribe(user, plan, token, False)  # Business features not required
-
-  @require_user_admin
-  @nickname('getUserSubscription')
-  def get(self):
-    """ Fetch any existing subscription for the user. """
-    cus = None
-    user = get_authenticated_user()
-    private_repos = model.user.get_private_repo_count(user.username)
-
-    if user.stripe_id:
-      try:
-        cus = billing.Customer.retrieve(user.stripe_id)
-      except stripe.error.APIConnectionError as e:
-        abort(503, message='Cannot contact Stripe')
-
-      if cus.subscription:
-        return subscription_view(cus.subscription, private_repos)
-
-    return {
-      'hasSubscription': False,
-      'isExistingCustomer': cus is not None,
-      'plan': 'free',
-      'usedPrivateRepos': private_repos,
+    schemas = {
+        "UserSubscription": {
+            "id": "UserSubscription",
+            "type": "object",
+            "description": "Description of a user card",
+            "required": ["plan"],
+            "properties": {
+                "token": {
+                    "type": "string",
+                    "description": "Stripe token that is generated by stripe checkout.js",
+                },
+                "plan": {
+                    "type": "string",
+                    "description": "Plan name to which the user wants to subscribe",
+                },
+            },
+        }
     }
 
+    @require_user_admin
+    @nickname("updateUserSubscription")
+    @validate_json_request("UserSubscription")
+    def put(self):
+        """ Create or update the user's subscription. """
+        request_data = request.get_json()
+        plan = request_data["plan"]
+        token = request_data["token"] if "token" in request_data else None
+        user = get_authenticated_user()
+        return subscribe(user, plan, token, False)  # Business features not required
 
-@resource('/v1/organization/<orgname>/plan')
-@path_param('orgname', 'The name of the organization')
+    @require_user_admin
+    @nickname("getUserSubscription")
+    def get(self):
+        """ Fetch any existing subscription for the user. """
+        cus = None
+        user = get_authenticated_user()
+        private_repos = model.user.get_private_repo_count(user.username)
+
+        if user.stripe_id:
+            try:
+                cus = billing.Customer.retrieve(user.stripe_id)
+            except stripe.error.APIConnectionError as e:
+                abort(503, message="Cannot contact Stripe")
+
+            if cus.subscription:
+                return subscription_view(cus.subscription, private_repos)
+
+        return {
+            "hasSubscription": False,
+            "isExistingCustomer": cus is not None,
+            "plan": "free",
+            "usedPrivateRepos": private_repos,
+        }
+
+
+@resource("/v1/organization/<orgname>/plan")
+@path_param("orgname", "The name of the organization")
 @internal_only
 @related_user_resource(UserPlan)
 @show_if(features.BILLING)
 class OrganizationPlan(ApiResource):
-  """ Resource for managing a org's subscription. """
-  schemas = {
-    'OrgSubscription': {
-      'id': 'OrgSubscription',
-      'type': 'object',
-      'description': 'Description of a user card',
-      'required': [
-        'plan',
-      ],
-      'properties': {
-        'token': {
-          'type': 'string',
-          'description': 'Stripe token that is generated by stripe checkout.js',
-        },
-        'plan': {
-          'type': 'string',
-          'description': 'Plan name to which the user wants to subscribe',
-        },
-      },
-    },
-  }
+    """ Resource for managing a org's subscription. """
 
-  @require_scope(scopes.ORG_ADMIN)
-  @nickname('updateOrgSubscription')
-  @validate_json_request('OrgSubscription')
-  def put(self, orgname):
-    """ Create or update the org's subscription. """
-    permission = AdministerOrganizationPermission(orgname)
-    if permission.can():
-      request_data = request.get_json()
-      plan = request_data['plan']
-      token = request_data['token'] if 'token' in request_data else None
-      organization = model.organization.get_organization(orgname)
-      return subscribe(organization, plan, token, True)  # Business plan required
+    schemas = {
+        "OrgSubscription": {
+            "id": "OrgSubscription",
+            "type": "object",
+            "description": "Description of a user card",
+            "required": ["plan"],
+            "properties": {
+                "token": {
+                    "type": "string",
+                    "description": "Stripe token that is generated by stripe checkout.js",
+                },
+                "plan": {
+                    "type": "string",
+                    "description": "Plan name to which the user wants to subscribe",
+                },
+            },
+        }
+    }
 
-    raise Unauthorized()
+    @require_scope(scopes.ORG_ADMIN)
+    @nickname("updateOrgSubscription")
+    @validate_json_request("OrgSubscription")
+    def put(self, orgname):
+        """ Create or update the org's subscription. """
+        permission = AdministerOrganizationPermission(orgname)
+        if permission.can():
+            request_data = request.get_json()
+            plan = request_data["plan"]
+            token = request_data["token"] if "token" in request_data else None
+            organization = model.organization.get_organization(orgname)
+            return subscribe(organization, plan, token, True)  # Business plan required
 
-  @require_scope(scopes.ORG_ADMIN)
-  @nickname('getOrgSubscription')
-  def get(self, orgname):
-    """ Fetch any existing subscription for the org. """
-    cus = None
-    permission = AdministerOrganizationPermission(orgname)
-    if permission.can():
-      private_repos = model.user.get_private_repo_count(orgname)
-      organization = model.organization.get_organization(orgname)
-      if organization.stripe_id:
-        try:
-          cus = billing.Customer.retrieve(organization.stripe_id)
-        except stripe.error.APIConnectionError as e:
-          abort(503, message='Cannot contact Stripe')
+        raise Unauthorized()
 
-        if cus.subscription:
-          return subscription_view(cus.subscription, private_repos)
+    @require_scope(scopes.ORG_ADMIN)
+    @nickname("getOrgSubscription")
+    def get(self, orgname):
+        """ Fetch any existing subscription for the org. """
+        cus = None
+        permission = AdministerOrganizationPermission(orgname)
+        if permission.can():
+            private_repos = model.user.get_private_repo_count(orgname)
+            organization = model.organization.get_organization(orgname)
+            if organization.stripe_id:
+                try:
+                    cus = billing.Customer.retrieve(organization.stripe_id)
+                except stripe.error.APIConnectionError as e:
+                    abort(503, message="Cannot contact Stripe")
 
-      return {
-        'hasSubscription': False,
-        'isExistingCustomer': cus is not None,
-        'plan': 'free',
-        'usedPrivateRepos': private_repos,
-      }
+                if cus.subscription:
+                    return subscription_view(cus.subscription, private_repos)
 
-    raise Unauthorized()
+            return {
+                "hasSubscription": False,
+                "isExistingCustomer": cus is not None,
+                "plan": "free",
+                "usedPrivateRepos": private_repos,
+            }
+
+        raise Unauthorized()
 
 
-@resource('/v1/user/invoices')
+@resource("/v1/user/invoices")
 @internal_only
 @show_if(features.BILLING)
 class UserInvoiceList(ApiResource):
-  """ Resource for listing a user's invoices. """
-  @require_user_admin
-  @nickname('listUserInvoices')
-  def get(self):
-    """ List the invoices for the current user. """
-    user = get_authenticated_user()
-    if not user.stripe_id:
-      raise NotFound()
+    """ Resource for listing a user's invoices. """
 
-    return get_invoices(user.stripe_id)
+    @require_user_admin
+    @nickname("listUserInvoices")
+    def get(self):
+        """ List the invoices for the current user. """
+        user = get_authenticated_user()
+        if not user.stripe_id:
+            raise NotFound()
+
+        return get_invoices(user.stripe_id)
 
 
-@resource('/v1/organization/<orgname>/invoices')
-@path_param('orgname', 'The name of the organization')
+@resource("/v1/organization/<orgname>/invoices")
+@path_param("orgname", "The name of the organization")
 @related_user_resource(UserInvoiceList)
 @show_if(features.BILLING)
 class OrganizationInvoiceList(ApiResource):
-  """ Resource for listing an orgnaization's invoices. """
-  @require_scope(scopes.ORG_ADMIN)
-  @nickname('listOrgInvoices')
-  def get(self, orgname):
-    """ List the invoices for the specified orgnaization. """
-    permission = AdministerOrganizationPermission(orgname)
-    if permission.can():
-      organization = model.organization.get_organization(orgname)
-      if not organization.stripe_id:
-        raise NotFound()
+    """ Resource for listing an orgnaization's invoices. """
 
-      return get_invoices(organization.stripe_id)
+    @require_scope(scopes.ORG_ADMIN)
+    @nickname("listOrgInvoices")
+    def get(self, orgname):
+        """ List the invoices for the specified orgnaization. """
+        permission = AdministerOrganizationPermission(orgname)
+        if permission.can():
+            organization = model.organization.get_organization(orgname)
+            if not organization.stripe_id:
+                raise NotFound()
 
-    raise Unauthorized()
+            return get_invoices(organization.stripe_id)
+
+        raise Unauthorized()
 
 
-@resource('/v1/user/invoice/fields')
+@resource("/v1/user/invoice/fields")
 @internal_only
 @show_if(features.BILLING)
 class UserInvoiceFieldList(ApiResource):
-  """ Resource for listing and creating a user's custom invoice fields. """
-  schemas = {
-    'InvoiceField': {
-      'id': 'InvoiceField',
-      'type': 'object',
-      'description': 'Description of an invoice field',
-      'required': [
-        'title', 'value'
-      ],
-      'properties': {
-        'title': {
-          'type': 'string',
-          'description': 'The title of the field being added',
-        },
-        'value': {
-          'type': 'string',
-          'description': 'The value of the field being added',
-        },
-      },
-    },
-  }
+    """ Resource for listing and creating a user's custom invoice fields. """
 
-  @require_user_admin
-  @nickname('listUserInvoiceFields')
-  def get(self):
-    """ List the invoice fields for the current user. """
-    user = get_authenticated_user()
-    if not user.stripe_id:
-      raise NotFound()
+    schemas = {
+        "InvoiceField": {
+            "id": "InvoiceField",
+            "type": "object",
+            "description": "Description of an invoice field",
+            "required": ["title", "value"],
+            "properties": {
+                "title": {
+                    "type": "string",
+                    "description": "The title of the field being added",
+                },
+                "value": {
+                    "type": "string",
+                    "description": "The value of the field being added",
+                },
+            },
+        }
+    }
 
-    return {'fields': get_invoice_fields(user)[0]}
+    @require_user_admin
+    @nickname("listUserInvoiceFields")
+    def get(self):
+        """ List the invoice fields for the current user. """
+        user = get_authenticated_user()
+        if not user.stripe_id:
+            raise NotFound()
 
-  @require_user_admin
-  @nickname('createUserInvoiceField')
-  @validate_json_request('InvoiceField')
-  def post(self):
-    """ Creates a new invoice field. """
-    user = get_authenticated_user()
-    if not user.stripe_id:
-      raise NotFound()
+        return {"fields": get_invoice_fields(user)[0]}
 
-    data = request.get_json()
-    created_field = create_billing_invoice_field(user, data['title'], data['value'])
-    return created_field
+    @require_user_admin
+    @nickname("createUserInvoiceField")
+    @validate_json_request("InvoiceField")
+    def post(self):
+        """ Creates a new invoice field. """
+        user = get_authenticated_user()
+        if not user.stripe_id:
+            raise NotFound()
+
+        data = request.get_json()
+        created_field = create_billing_invoice_field(user, data["title"], data["value"])
+        return created_field
 
 
-@resource('/v1/user/invoice/field/<field_uuid>')
+@resource("/v1/user/invoice/field/<field_uuid>")
 @internal_only
 @show_if(features.BILLING)
 class UserInvoiceField(ApiResource):
-  """ Resource for deleting a user's custom invoice fields. """
-  @require_user_admin
-  @nickname('deleteUserInvoiceField')
-  def delete(self, field_uuid):
-    """ Deletes the invoice field for the current user. """
-    user = get_authenticated_user()
-    if not user.stripe_id:
-      raise NotFound()
+    """ Resource for deleting a user's custom invoice fields. """
 
-    result = delete_billing_invoice_field(user, field_uuid)
-    if not result:
-      abort(404)
+    @require_user_admin
+    @nickname("deleteUserInvoiceField")
+    def delete(self, field_uuid):
+        """ Deletes the invoice field for the current user. """
+        user = get_authenticated_user()
+        if not user.stripe_id:
+            raise NotFound()
 
-    return 'Okay', 201
+        result = delete_billing_invoice_field(user, field_uuid)
+        if not result:
+            abort(404)
+
+        return "Okay", 201
 
 
-@resource('/v1/organization/<orgname>/invoice/fields')
-@path_param('orgname', 'The name of the organization')
+@resource("/v1/organization/<orgname>/invoice/fields")
+@path_param("orgname", "The name of the organization")
 @related_user_resource(UserInvoiceFieldList)
 @internal_only
 @show_if(features.BILLING)
 class OrganizationInvoiceFieldList(ApiResource):
-  """ Resource for listing and creating an organization's custom invoice fields. """
-  schemas = {
-    'InvoiceField': {
-      'id': 'InvoiceField',
-      'type': 'object',
-      'description': 'Description of an invoice field',
-      'required': [
-        'title', 'value'
-      ],
-      'properties': {
-        'title': {
-          'type': 'string',
-          'description': 'The title of the field being added',
-        },
-        'value': {
-          'type': 'string',
-          'description': 'The value of the field being added',
-        },
-      },
-    },
-  }
+    """ Resource for listing and creating an organization's custom invoice fields. """
 
-  @require_scope(scopes.ORG_ADMIN)
-  @nickname('listOrgInvoiceFields')
-  def get(self, orgname):
-    """ List the invoice fields for the organization. """
-    permission = AdministerOrganizationPermission(orgname)
-    if permission.can():
-      organization = model.organization.get_organization(orgname)
-      if not organization.stripe_id:
-        raise NotFound()
+    schemas = {
+        "InvoiceField": {
+            "id": "InvoiceField",
+            "type": "object",
+            "description": "Description of an invoice field",
+            "required": ["title", "value"],
+            "properties": {
+                "title": {
+                    "type": "string",
+                    "description": "The title of the field being added",
+                },
+                "value": {
+                    "type": "string",
+                    "description": "The value of the field being added",
+                },
+            },
+        }
+    }
 
-      return {'fields': get_invoice_fields(organization)[0]}
+    @require_scope(scopes.ORG_ADMIN)
+    @nickname("listOrgInvoiceFields")
+    def get(self, orgname):
+        """ List the invoice fields for the organization. """
+        permission = AdministerOrganizationPermission(orgname)
+        if permission.can():
+            organization = model.organization.get_organization(orgname)
+            if not organization.stripe_id:
+                raise NotFound()
 
-    abort(403)
+            return {"fields": get_invoice_fields(organization)[0]}
 
-  @require_scope(scopes.ORG_ADMIN)
-  @nickname('createOrgInvoiceField')
-  @validate_json_request('InvoiceField')
-  def post(self, orgname):
-    """ Creates a new invoice field. """
-    permission = AdministerOrganizationPermission(orgname)
-    if permission.can():
-      organization = model.organization.get_organization(orgname)
-      if not organization.stripe_id:
-        raise NotFound()
+        abort(403)
 
-      data = request.get_json()
-      created_field = create_billing_invoice_field(organization, data['title'], data['value'])
-      return created_field
+    @require_scope(scopes.ORG_ADMIN)
+    @nickname("createOrgInvoiceField")
+    @validate_json_request("InvoiceField")
+    def post(self, orgname):
+        """ Creates a new invoice field. """
+        permission = AdministerOrganizationPermission(orgname)
+        if permission.can():
+            organization = model.organization.get_organization(orgname)
+            if not organization.stripe_id:
+                raise NotFound()
 
-    abort(403)
+            data = request.get_json()
+            created_field = create_billing_invoice_field(
+                organization, data["title"], data["value"]
+            )
+            return created_field
+
+        abort(403)
 
 
-@resource('/v1/organization/<orgname>/invoice/field/<field_uuid>')
-@path_param('orgname', 'The name of the organization')
+@resource("/v1/organization/<orgname>/invoice/field/<field_uuid>")
+@path_param("orgname", "The name of the organization")
 @related_user_resource(UserInvoiceField)
 @internal_only
 @show_if(features.BILLING)
 class OrganizationInvoiceField(ApiResource):
-  """ Resource for deleting an organization's custom invoice fields. """
-  @require_scope(scopes.ORG_ADMIN)
-  @nickname('deleteOrgInvoiceField')
-  def delete(self, orgname, field_uuid):
-    """ Deletes the invoice field for the current user. """
-    permission = AdministerOrganizationPermission(orgname)
-    if permission.can():
-      organization = model.organization.get_organization(orgname)
-      if not organization.stripe_id:
-        raise NotFound()
+    """ Resource for deleting an organization's custom invoice fields. """
 
-      result = delete_billing_invoice_field(organization, field_uuid)
-      if not result:
-        abort(404)
+    @require_scope(scopes.ORG_ADMIN)
+    @nickname("deleteOrgInvoiceField")
+    def delete(self, orgname, field_uuid):
+        """ Deletes the invoice field for the current user. """
+        permission = AdministerOrganizationPermission(orgname)
+        if permission.can():
+            organization = model.organization.get_organization(orgname)
+            if not organization.stripe_id:
+                raise NotFound()
 
-      return 'Okay', 201
+            result = delete_billing_invoice_field(organization, field_uuid)
+            if not result:
+                abort(404)
 
-    abort(403)
+            return "Okay", 201
+
+        abort(403)
diff --git a/endpoints/api/build.py b/endpoints/api/build.py
index d7fb55ae1..d3f88f119 100644
--- a/endpoints/api/build.py
+++ b/endpoints/api/build.py
@@ -11,20 +11,42 @@ from urlparse import urlparse
 import features
 
 from app import userfiles as user_files, build_logs, log_archive, dockerfile_build_queue
-from auth.permissions import (ReadRepositoryPermission, ModifyRepositoryPermission,
-                              AdministerRepositoryPermission, AdministerOrganizationPermission,
-                              SuperUserPermission)
+from auth.permissions import (
+    ReadRepositoryPermission,
+    ModifyRepositoryPermission,
+    AdministerRepositoryPermission,
+    AdministerOrganizationPermission,
+    SuperUserPermission,
+)
 from buildtrigger.basehandler import BuildTriggerHandler
 from data import database
 from data import model
 from data.buildlogs import BuildStatusRetrievalError
-from endpoints.api import (RepositoryParamResource, parse_args, query_param, nickname, resource,
-                           require_repo_read, require_repo_write, validate_json_request,
-                           ApiResource, internal_only, format_date, api, path_param,
-                           require_repo_admin, abort, disallow_for_app_repositories,
-                           disallow_for_non_normal_repositories)
-from endpoints.building import (start_build, PreparedBuild, MaximumBuildsQueuedException,
-                                BuildTriggerDisabledException)
+from endpoints.api import (
+    RepositoryParamResource,
+    parse_args,
+    query_param,
+    nickname,
+    resource,
+    require_repo_read,
+    require_repo_write,
+    validate_json_request,
+    ApiResource,
+    internal_only,
+    format_date,
+    api,
+    path_param,
+    require_repo_admin,
+    abort,
+    disallow_for_app_repositories,
+    disallow_for_non_normal_repositories,
+)
+from endpoints.building import (
+    start_build,
+    PreparedBuild,
+    MaximumBuildsQueuedException,
+    BuildTriggerDisabledException,
+)
 from endpoints.exception import Unauthorized, NotFound, InvalidRequest
 from util.names import parse_robot_username
 from util.request import get_request_ip
@@ -33,453 +55,477 @@ logger = logging.getLogger(__name__)
 
 
 def get_trigger_config(trigger):
-  try:
-    return json.loads(trigger.config)
-  except:
-    return {}
+    try:
+        return json.loads(trigger.config)
+    except:
+        return {}
 
 
 def get_job_config(build_obj):
-  try:
-    return json.loads(build_obj.job_config)
-  except:
-    return {}
+    try:
+        return json.loads(build_obj.job_config)
+    except:
+        return {}
 
 
 def user_view(user):
-  return {
-    'name': user.username,
-    'kind': 'user',
-    'is_robot': user.robot,
-  }
+    return {"name": user.username, "kind": "user", "is_robot": user.robot}
 
 
 def trigger_view(trigger, can_read=False, can_admin=False, for_build=False):
-  if trigger and trigger.uuid:
-    build_trigger = BuildTriggerHandler.get_handler(trigger)
-    build_source = build_trigger.config.get('build_source')
+    if trigger and trigger.uuid:
+        build_trigger = BuildTriggerHandler.get_handler(trigger)
+        build_source = build_trigger.config.get("build_source")
 
-    repo_url = build_trigger.get_repository_url() if build_source else None
-    can_read = can_read or can_admin
+        repo_url = build_trigger.get_repository_url() if build_source else None
+        can_read = can_read or can_admin
 
-    trigger_data = {
-      'id': trigger.uuid,
-      'service': trigger.service.name,
-      'is_active': build_trigger.is_active(),
+        trigger_data = {
+            "id": trigger.uuid,
+            "service": trigger.service.name,
+            "is_active": build_trigger.is_active(),
+            "build_source": build_source if can_read else None,
+            "repository_url": repo_url if can_read else None,
+            "config": build_trigger.config if can_admin else {},
+            "can_invoke": can_admin,
+            "enabled": trigger.enabled,
+            "disabled_reason": trigger.disabled_reason.name
+            if trigger.disabled_reason
+            else None,
+        }
 
-      'build_source': build_source if can_read else None,
-      'repository_url': repo_url if can_read else None,
+        if not for_build and can_admin and trigger.pull_robot:
+            trigger_data["pull_robot"] = user_view(trigger.pull_robot)
 
-      'config': build_trigger.config if can_admin else {},
-      'can_invoke': can_admin,
-      'enabled': trigger.enabled,
-      'disabled_reason': trigger.disabled_reason.name if trigger.disabled_reason else None,
-    }
+        return trigger_data
 
-    if not for_build and can_admin and trigger.pull_robot:
-      trigger_data['pull_robot'] = user_view(trigger.pull_robot)
-
-    return trigger_data
-
-  return None
+    return None
 
 
 def _get_build_status(build_obj):
-  """ Returns the updated build phase, status and (if any) error for the build object. """
-  phase = build_obj.phase
-  status = {}
-  error = None
+    """ Returns the updated build phase, status and (if any) error for the build object. """
+    phase = build_obj.phase
+    status = {}
+    error = None
 
-  # If the build is currently running, then load its "real-time" status from Redis.
-  if not database.BUILD_PHASE.is_terminal_phase(phase):
-    try:
-      status = build_logs.get_status(build_obj.uuid)
-    except BuildStatusRetrievalError as bsre:
-      phase = 'cannot_load'
-      if SuperUserPermission().can():
-        error = str(bsre)
-      else:
-        error = 'Redis may be down. Please contact support.'
+    # If the build is currently running, then load its "real-time" status from Redis.
+    if not database.BUILD_PHASE.is_terminal_phase(phase):
+        try:
+            status = build_logs.get_status(build_obj.uuid)
+        except BuildStatusRetrievalError as bsre:
+            phase = "cannot_load"
+            if SuperUserPermission().can():
+                error = str(bsre)
+            else:
+                error = "Redis may be down. Please contact support."
 
-    if phase != 'cannot_load':
-      # If the status contains a heartbeat, then check to see if has been written in the last few
-      # minutes. If not, then the build timed out.
-      if status is not None and 'heartbeat' in status and status['heartbeat']:
-        heartbeat = datetime.datetime.utcfromtimestamp(status['heartbeat'])
-        if datetime.datetime.utcnow() - heartbeat > datetime.timedelta(minutes=1):
-          phase = database.BUILD_PHASE.INTERNAL_ERROR
+        if phase != "cannot_load":
+            # If the status contains a heartbeat, then check to see if has been written in the last few
+            # minutes. If not, then the build timed out.
+            if status is not None and "heartbeat" in status and status["heartbeat"]:
+                heartbeat = datetime.datetime.utcfromtimestamp(status["heartbeat"])
+                if datetime.datetime.utcnow() - heartbeat > datetime.timedelta(
+                    minutes=1
+                ):
+                    phase = database.BUILD_PHASE.INTERNAL_ERROR
 
-  # If the phase is internal error, return 'expired' instead if the number of retries
-  # on the queue item is 0.
-  if phase == database.BUILD_PHASE.INTERNAL_ERROR:
-    retry = (build_obj.queue_id and
-             dockerfile_build_queue.has_retries_remaining(build_obj.queue_id))
-    if not retry:
-      phase = 'expired'
+    # If the phase is internal error, return 'expired' instead if the number of retries
+    # on the queue item is 0.
+    if phase == database.BUILD_PHASE.INTERNAL_ERROR:
+        retry = build_obj.queue_id and dockerfile_build_queue.has_retries_remaining(
+            build_obj.queue_id
+        )
+        if not retry:
+            phase = "expired"
 
-  return (phase, status, error)
+    return (phase, status, error)
 
 
 def build_status_view(build_obj):
-  phase, status, error = _get_build_status(build_obj)
-  repo_namespace = build_obj.repository.namespace_user.username
-  repo_name = build_obj.repository.name
+    phase, status, error = _get_build_status(build_obj)
+    repo_namespace = build_obj.repository.namespace_user.username
+    repo_name = build_obj.repository.name
 
-  can_read = ReadRepositoryPermission(repo_namespace, repo_name).can()
-  can_write = ModifyRepositoryPermission(repo_namespace, repo_name).can()
-  can_admin = AdministerRepositoryPermission(repo_namespace, repo_name).can()
+    can_read = ReadRepositoryPermission(repo_namespace, repo_name).can()
+    can_write = ModifyRepositoryPermission(repo_namespace, repo_name).can()
+    can_admin = AdministerRepositoryPermission(repo_namespace, repo_name).can()
 
-  job_config = get_job_config(build_obj)
+    job_config = get_job_config(build_obj)
 
-  resp = {
-    'id': build_obj.uuid,
-    'phase': phase,
-    'started': format_date(build_obj.started),
-    'display_name': build_obj.display_name,
-    'status': status or {},
-    'subdirectory': job_config.get('build_subdir', ''),
-    'dockerfile_path': job_config.get('build_subdir', ''),
-    'context': job_config.get('context', ''),
-    'tags': job_config.get('docker_tags', []),
-    'manual_user': job_config.get('manual_user', None),
-    'is_writer': can_write,
-    'trigger': trigger_view(build_obj.trigger, can_read, can_admin, for_build=True),
-    'trigger_metadata': job_config.get('trigger_metadata', None) if can_read else None,
-    'resource_key': build_obj.resource_key,
-    'pull_robot': user_view(build_obj.pull_robot) if build_obj.pull_robot else None,
-    'repository': {
-      'namespace': repo_namespace,
-      'name': repo_name
-    },
-    'error': error,
-  }
+    resp = {
+        "id": build_obj.uuid,
+        "phase": phase,
+        "started": format_date(build_obj.started),
+        "display_name": build_obj.display_name,
+        "status": status or {},
+        "subdirectory": job_config.get("build_subdir", ""),
+        "dockerfile_path": job_config.get("build_subdir", ""),
+        "context": job_config.get("context", ""),
+        "tags": job_config.get("docker_tags", []),
+        "manual_user": job_config.get("manual_user", None),
+        "is_writer": can_write,
+        "trigger": trigger_view(build_obj.trigger, can_read, can_admin, for_build=True),
+        "trigger_metadata": job_config.get("trigger_metadata", None)
+        if can_read
+        else None,
+        "resource_key": build_obj.resource_key,
+        "pull_robot": user_view(build_obj.pull_robot) if build_obj.pull_robot else None,
+        "repository": {"namespace": repo_namespace, "name": repo_name},
+        "error": error,
+    }
 
-  if can_write or features.READER_BUILD_LOGS:
-    if build_obj.resource_key is not None:
-      resp['archive_url'] = user_files.get_file_url(build_obj.resource_key, 
-                                                    get_request_ip(), requires_cors=True)
-    elif job_config.get('archive_url', None):
-      resp['archive_url'] = job_config['archive_url']
+    if can_write or features.READER_BUILD_LOGS:
+        if build_obj.resource_key is not None:
+            resp["archive_url"] = user_files.get_file_url(
+                build_obj.resource_key, get_request_ip(), requires_cors=True
+            )
+        elif job_config.get("archive_url", None):
+            resp["archive_url"] = job_config["archive_url"]
 
-  return resp
+    return resp
 
 
-@resource('/v1/repository/<apirepopath:repository>/build/')
-@path_param('repository', 'The full path of the repository. e.g. namespace/name')
+@resource("/v1/repository/<apirepopath:repository>/build/")
+@path_param("repository", "The full path of the repository. e.g. namespace/name")
 class RepositoryBuildList(RepositoryParamResource):
-  """ Resource related to creating and listing repository builds. """
-  schemas = {
-    'RepositoryBuildRequest': {
-      'type': 'object',
-      'description': 'Description of a new repository build.',
-      'properties': {
-        'file_id': {
-          'type': 'string',
-          'description': 'The file id that was generated when the build spec was uploaded',
-        },
-        'archive_url': {
-          'type': 'string',
-          'description': 'The URL of the .tar.gz to build. Must start with "http" or "https".',
-        },
-        'subdirectory': {
-          'type': 'string',
-          'description': 'Subdirectory in which the Dockerfile can be found. You can only specify this or dockerfile_path',
-        },
-        'dockerfile_path': {
-          'type': 'string',
-          'description': 'Path to a dockerfile. You can only specify this or subdirectory.',
-        },
-        'context': {
-          'type': 'string',
-          'description': 'Pass in the context for the dockerfile. This is optional.',
-        },
-        'pull_robot': {
-          'type': 'string',
-          'description': 'Username of a Quay robot account to use as pull credentials',
-        },
-        'docker_tags': {
-          'type': 'array',
-          'description': 'The tags to which the built images will be pushed. ' +
-                         'If none specified, "latest" is used.',
-          'items': {
-            'type': 'string'
-          },
-          'minItems': 1,
-          'uniqueItems': True
+    """ Resource related to creating and listing repository builds. """
+
+    schemas = {
+        "RepositoryBuildRequest": {
+            "type": "object",
+            "description": "Description of a new repository build.",
+            "properties": {
+                "file_id": {
+                    "type": "string",
+                    "description": "The file id that was generated when the build spec was uploaded",
+                },
+                "archive_url": {
+                    "type": "string",
+                    "description": 'The URL of the .tar.gz to build. Must start with "http" or "https".',
+                },
+                "subdirectory": {
+                    "type": "string",
+                    "description": "Subdirectory in which the Dockerfile can be found. You can only specify this or dockerfile_path",
+                },
+                "dockerfile_path": {
+                    "type": "string",
+                    "description": "Path to a dockerfile. You can only specify this or subdirectory.",
+                },
+                "context": {
+                    "type": "string",
+                    "description": "Pass in the context for the dockerfile. This is optional.",
+                },
+                "pull_robot": {
+                    "type": "string",
+                    "description": "Username of a Quay robot account to use as pull credentials",
+                },
+                "docker_tags": {
+                    "type": "array",
+                    "description": "The tags to which the built images will be pushed. "
+                    + 'If none specified, "latest" is used.',
+                    "items": {"type": "string"},
+                    "minItems": 1,
+                    "uniqueItems": True,
+                },
+            },
         }
-      },
-    },
-  }
-
-  @require_repo_read
-  @parse_args()
-  @query_param('limit', 'The maximum number of builds to return', type=int, default=5)
-  @query_param('since', 'Returns all builds since the given unix timecode', type=int, default=None)
-  @nickname('getRepoBuilds')
-  @disallow_for_app_repositories
-  def get(self, namespace, repository, parsed_args):
-    """ Get the list of repository builds. """
-    limit = parsed_args.get('limit', 5)
-    since = parsed_args.get('since', None)
-
-    if since is not None:
-      since = datetime.datetime.utcfromtimestamp(since)
-
-    builds = model.build.list_repository_builds(namespace, repository, limit, since=since)
-    return {
-      'builds': [build_status_view(build) for build in builds]
     }
 
-  @require_repo_write
-  @nickname('requestRepoBuild')
-  @disallow_for_app_repositories
-  @disallow_for_non_normal_repositories
-  @validate_json_request('RepositoryBuildRequest')
-  def post(self, namespace, repository):
-    """ Request that a repository be built and pushed from the specified input. """
-    logger.debug('User requested repository initialization.')
-    request_json = request.get_json()
+    @require_repo_read
+    @parse_args()
+    @query_param("limit", "The maximum number of builds to return", type=int, default=5)
+    @query_param(
+        "since",
+        "Returns all builds since the given unix timecode",
+        type=int,
+        default=None,
+    )
+    @nickname("getRepoBuilds")
+    @disallow_for_app_repositories
+    def get(self, namespace, repository, parsed_args):
+        """ Get the list of repository builds. """
+        limit = parsed_args.get("limit", 5)
+        since = parsed_args.get("since", None)
 
-    dockerfile_id = request_json.get('file_id', None)
-    archive_url = request_json.get('archive_url', None)
+        if since is not None:
+            since = datetime.datetime.utcfromtimestamp(since)
 
-    if not dockerfile_id and not archive_url:
-      raise InvalidRequest('file_id or archive_url required')
+        builds = model.build.list_repository_builds(
+            namespace, repository, limit, since=since
+        )
+        return {"builds": [build_status_view(build) for build in builds]}
 
-    if archive_url:
-      archive_match = None
-      try:
-        archive_match = urlparse(archive_url)
-      except ValueError:
-        pass
+    @require_repo_write
+    @nickname("requestRepoBuild")
+    @disallow_for_app_repositories
+    @disallow_for_non_normal_repositories
+    @validate_json_request("RepositoryBuildRequest")
+    def post(self, namespace, repository):
+        """ Request that a repository be built and pushed from the specified input. """
+        logger.debug("User requested repository initialization.")
+        request_json = request.get_json()
 
-      if not archive_match:
-        raise InvalidRequest('Invalid Archive URL: Must be a valid URI')
+        dockerfile_id = request_json.get("file_id", None)
+        archive_url = request_json.get("archive_url", None)
 
-      scheme = archive_match.scheme
-      if scheme != 'http' and scheme != 'https':
-        raise InvalidRequest('Invalid Archive URL: Must be http or https')
+        if not dockerfile_id and not archive_url:
+            raise InvalidRequest("file_id or archive_url required")
 
-    context, subdir = self.get_dockerfile_context(request_json)
-    tags = request_json.get('docker_tags', ['latest'])
-    pull_robot_name = request_json.get('pull_robot', None)
+        if archive_url:
+            archive_match = None
+            try:
+                archive_match = urlparse(archive_url)
+            except ValueError:
+                pass
+
+            if not archive_match:
+                raise InvalidRequest("Invalid Archive URL: Must be a valid URI")
+
+            scheme = archive_match.scheme
+            if scheme != "http" and scheme != "https":
+                raise InvalidRequest("Invalid Archive URL: Must be http or https")
+
+        context, subdir = self.get_dockerfile_context(request_json)
+        tags = request_json.get("docker_tags", ["latest"])
+        pull_robot_name = request_json.get("pull_robot", None)
+
+        # Verify the security behind the pull robot.
+        if pull_robot_name:
+            result = parse_robot_username(pull_robot_name)
+            if result:
+                try:
+                    model.user.lookup_robot(pull_robot_name)
+                except model.InvalidRobotException:
+                    raise NotFound()
+
+                # Make sure the user has administer permissions for the robot's namespace.
+                (robot_namespace, _) = result
+                if not AdministerOrganizationPermission(robot_namespace).can():
+                    raise Unauthorized()
+            else:
+                raise Unauthorized()
+
+        # Check if the dockerfile resource has already been used. If so, then it
+        # can only be reused if the user has access to the repository in which the
+        # dockerfile was previously built.
+        if dockerfile_id:
+            associated_repository = model.build.get_repository_for_resource(
+                dockerfile_id
+            )
+            if associated_repository:
+                if not ModifyRepositoryPermission(
+                    associated_repository.namespace_user.username,
+                    associated_repository.name,
+                ):
+                    raise Unauthorized()
+
+        # Start the build.
+        repo = model.repository.get_repository(namespace, repository)
+        if repo is None:
+            raise NotFound()
 
-    # Verify the security behind the pull robot.
-    if pull_robot_name:
-      result = parse_robot_username(pull_robot_name)
-      if result:
         try:
-          model.user.lookup_robot(pull_robot_name)
-        except model.InvalidRobotException:
-          raise NotFound()
+            build_name = (
+                user_files.get_file_checksum(dockerfile_id)
+                if dockerfile_id
+                else hashlib.sha224(archive_url).hexdigest()[0:7]
+            )
+        except IOError:
+            raise InvalidRequest(
+                "File %s could not be found or is invalid" % dockerfile_id
+            )
 
-        # Make sure the user has administer permissions for the robot's namespace.
-        (robot_namespace, _) = result
-        if not AdministerOrganizationPermission(robot_namespace).can():
-          raise Unauthorized()
-      else:
-        raise Unauthorized()
+        prepared = PreparedBuild()
+        prepared.build_name = build_name
+        prepared.dockerfile_id = dockerfile_id
+        prepared.archive_url = archive_url
+        prepared.tags = tags
+        prepared.subdirectory = subdir
+        prepared.context = context
+        prepared.is_manual = True
+        prepared.metadata = {}
+        try:
+            build_request = start_build(repo, prepared, pull_robot_name=pull_robot_name)
+        except MaximumBuildsQueuedException:
+            abort(429, message="Maximum queued build rate exceeded.")
+        except BuildTriggerDisabledException:
+            abort(400, message="Build trigger is disabled")
 
-    # Check if the dockerfile resource has already been used. If so, then it
-    # can only be reused if the user has access to the repository in which the
-    # dockerfile was previously built.
-    if dockerfile_id:
-      associated_repository = model.build.get_repository_for_resource(dockerfile_id)
-      if associated_repository:
-        if not ModifyRepositoryPermission(associated_repository.namespace_user.username,
-                                          associated_repository.name):
-          raise Unauthorized()
+        resp = build_status_view(build_request)
+        repo_string = "%s/%s" % (namespace, repository)
+        headers = {
+            "Location": api.url_for(
+                RepositoryBuildStatus,
+                repository=repo_string,
+                build_uuid=build_request.uuid,
+            )
+        }
+        return resp, 201, headers
 
-    # Start the build.
-    repo = model.repository.get_repository(namespace, repository)
-    if repo is None:
-      raise NotFound()
+    @staticmethod
+    def get_dockerfile_context(request_json):
+        context = request_json["context"] if "context" in request_json else os.path.sep
+        if "dockerfile_path" in request_json:
+            subdir = request_json["dockerfile_path"]
+            if "context" not in request_json:
+                context = os.path.dirname(subdir)
+            return context, subdir
 
-    try:
-      build_name = (user_files.get_file_checksum(dockerfile_id)
-                    if dockerfile_id
-                    else hashlib.sha224(archive_url).hexdigest()[0:7])
-    except IOError:
-      raise InvalidRequest('File %s could not be found or is invalid' %  dockerfile_id)
+        if "subdirectory" in request_json:
+            subdir = request_json["subdirectory"]
+            context = subdir
+            if not subdir.endswith(os.path.sep):
+                subdir += os.path.sep
 
-    prepared = PreparedBuild()
-    prepared.build_name = build_name
-    prepared.dockerfile_id = dockerfile_id
-    prepared.archive_url = archive_url
-    prepared.tags = tags
-    prepared.subdirectory = subdir
-    prepared.context = context
-    prepared.is_manual = True
-    prepared.metadata = {}
-    try:
-      build_request = start_build(repo, prepared, pull_robot_name=pull_robot_name)
-    except MaximumBuildsQueuedException:
-      abort(429, message='Maximum queued build rate exceeded.')
-    except BuildTriggerDisabledException:
-      abort(400, message='Build trigger is disabled')
+            subdir += "Dockerfile"
+        else:
+            if context.endswith(os.path.sep):
+                subdir = context + "Dockerfile"
+            else:
+                subdir = context + os.path.sep + "Dockerfile"
 
-    resp = build_status_view(build_request)
-    repo_string = '%s/%s' % (namespace, repository)
-    headers = {
-      'Location': api.url_for(RepositoryBuildStatus, repository=repo_string,
-                              build_uuid=build_request.uuid),
-    }
-    return resp, 201, headers
+        return context, subdir
 
-  @staticmethod
-  def get_dockerfile_context(request_json):
-    context = request_json['context'] if 'context' in request_json else os.path.sep
-    if 'dockerfile_path' in request_json:
-      subdir = request_json['dockerfile_path']
-      if 'context' not in request_json:
-        context = os.path.dirname(subdir)
-      return context, subdir
 
-    if 'subdirectory' in request_json:
-      subdir = request_json['subdirectory']
-      context = subdir
-      if not subdir.endswith(os.path.sep):
-        subdir += os.path.sep
-
-      subdir += 'Dockerfile'
-    else:
-      if context.endswith(os.path.sep):
-        subdir = context + 'Dockerfile'
-      else:
-        subdir = context + os.path.sep + 'Dockerfile'
-
-    return context, subdir
-
-@resource('/v1/repository/<apirepopath:repository>/build/<build_uuid>')
-@path_param('repository', 'The full path of the repository. e.g. namespace/name')
-@path_param('build_uuid', 'The UUID of the build')
+@resource("/v1/repository/<apirepopath:repository>/build/<build_uuid>")
+@path_param("repository", "The full path of the repository. e.g. namespace/name")
+@path_param("build_uuid", "The UUID of the build")
 class RepositoryBuildResource(RepositoryParamResource):
-  """ Resource for dealing with repository builds. """
-  @require_repo_read
-  @nickname('getRepoBuild')
-  @disallow_for_app_repositories
-  def get(self, namespace, repository, build_uuid):
-    """ Returns information about a build. """
-    try:
-      build = model.build.get_repository_build(build_uuid)
-    except model.build.InvalidRepositoryBuildException:
-      raise NotFound()
+    """ Resource for dealing with repository builds. """
 
-    if build.repository.name != repository or build.repository.namespace_user.username != namespace:
-      raise NotFound()
+    @require_repo_read
+    @nickname("getRepoBuild")
+    @disallow_for_app_repositories
+    def get(self, namespace, repository, build_uuid):
+        """ Returns information about a build. """
+        try:
+            build = model.build.get_repository_build(build_uuid)
+        except model.build.InvalidRepositoryBuildException:
+            raise NotFound()
 
-    return build_status_view(build)
+        if (
+            build.repository.name != repository
+            or build.repository.namespace_user.username != namespace
+        ):
+            raise NotFound()
 
-  @require_repo_admin
-  @nickname('cancelRepoBuild')
-  @disallow_for_app_repositories
-  @disallow_for_non_normal_repositories
-  def delete(self, namespace, repository, build_uuid):
-    """ Cancels a repository build. """
-    try:
-      build = model.build.get_repository_build(build_uuid)
-    except model.build.InvalidRepositoryBuildException:
-      raise NotFound()
+        return build_status_view(build)
 
-    if build.repository.name != repository or build.repository.namespace_user.username != namespace:
-      raise NotFound()
+    @require_repo_admin
+    @nickname("cancelRepoBuild")
+    @disallow_for_app_repositories
+    @disallow_for_non_normal_repositories
+    def delete(self, namespace, repository, build_uuid):
+        """ Cancels a repository build. """
+        try:
+            build = model.build.get_repository_build(build_uuid)
+        except model.build.InvalidRepositoryBuildException:
+            raise NotFound()
 
-    if model.build.cancel_repository_build(build, dockerfile_build_queue):
-      return 'Okay', 201
-    else:
-      raise InvalidRequest('Build is currently running or has finished')
+        if (
+            build.repository.name != repository
+            or build.repository.namespace_user.username != namespace
+        ):
+            raise NotFound()
+
+        if model.build.cancel_repository_build(build, dockerfile_build_queue):
+            return "Okay", 201
+        else:
+            raise InvalidRequest("Build is currently running or has finished")
 
 
-@resource('/v1/repository/<apirepopath:repository>/build/<build_uuid>/status')
-@path_param('repository', 'The full path of the repository. e.g. namespace/name')
-@path_param('build_uuid', 'The UUID of the build')
+@resource("/v1/repository/<apirepopath:repository>/build/<build_uuid>/status")
+@path_param("repository", "The full path of the repository. e.g. namespace/name")
+@path_param("build_uuid", "The UUID of the build")
 class RepositoryBuildStatus(RepositoryParamResource):
-  """ Resource for dealing with repository build status. """
-  @require_repo_read
-  @nickname('getRepoBuildStatus')
-  @disallow_for_app_repositories
-  def get(self, namespace, repository, build_uuid):
-    """ Return the status for the builds specified by the build uuids. """
-    build = model.build.get_repository_build(build_uuid)
-    if (not build or build.repository.name != repository or
-        build.repository.namespace_user.username != namespace):
-      raise NotFound()
+    """ Resource for dealing with repository build status. """
 
-    return build_status_view(build)
+    @require_repo_read
+    @nickname("getRepoBuildStatus")
+    @disallow_for_app_repositories
+    def get(self, namespace, repository, build_uuid):
+        """ Return the status for the builds specified by the build uuids. """
+        build = model.build.get_repository_build(build_uuid)
+        if (
+            not build
+            or build.repository.name != repository
+            or build.repository.namespace_user.username != namespace
+        ):
+            raise NotFound()
+
+        return build_status_view(build)
 
 
 def get_logs_or_log_url(build):
-  # If the logs have been archived, just return a URL of the completed archive
-  if build.logs_archived:
-    return {
-      'logs_url': log_archive.get_file_url(build.uuid, get_request_ip(), requires_cors=True)
-    }
-  start = int(request.args.get('start', 0))
+    # If the logs have been archived, just return a URL of the completed archive
+    if build.logs_archived:
+        return {
+            "logs_url": log_archive.get_file_url(
+                build.uuid, get_request_ip(), requires_cors=True
+            )
+        }
+    start = int(request.args.get("start", 0))
 
-  try:
-    count, logs = build_logs.get_log_entries(build.uuid, start)
-  except BuildStatusRetrievalError:
-    count, logs = (0, [])
+    try:
+        count, logs = build_logs.get_log_entries(build.uuid, start)
+    except BuildStatusRetrievalError:
+        count, logs = (0, [])
 
-  response_obj = {}
-  response_obj.update({
-    'start': start,
-    'total': count,
-    'logs': [log for log in logs],
-  })
+    response_obj = {}
+    response_obj.update({"start": start, "total": count, "logs": [log for log in logs]})
 
-  return response_obj
+    return response_obj
 
 
-@resource('/v1/repository/<apirepopath:repository>/build/<build_uuid>/logs')
-@path_param('repository', 'The full path of the repository. e.g. namespace/name')
-@path_param('build_uuid', 'The UUID of the build')
+@resource("/v1/repository/<apirepopath:repository>/build/<build_uuid>/logs")
+@path_param("repository", "The full path of the repository. e.g. namespace/name")
+@path_param("build_uuid", "The UUID of the build")
 class RepositoryBuildLogs(RepositoryParamResource):
-  """ Resource for loading repository build logs. """
-  @require_repo_read
-  @nickname('getRepoBuildLogs')
-  @disallow_for_app_repositories
-  def get(self, namespace, repository, build_uuid):
-    """ Return the build logs for the build specified by the build uuid. """
-    can_write = ModifyRepositoryPermission(namespace, repository).can()
-    if not features.READER_BUILD_LOGS and not can_write:
-      raise Unauthorized()
+    """ Resource for loading repository build logs. """
 
-    build = model.build.get_repository_build(build_uuid)
-    if (not build or build.repository.name != repository or
-        build.repository.namespace_user.username != namespace):
-      raise NotFound()
+    @require_repo_read
+    @nickname("getRepoBuildLogs")
+    @disallow_for_app_repositories
+    def get(self, namespace, repository, build_uuid):
+        """ Return the build logs for the build specified by the build uuid. """
+        can_write = ModifyRepositoryPermission(namespace, repository).can()
+        if not features.READER_BUILD_LOGS and not can_write:
+            raise Unauthorized()
 
-    return get_logs_or_log_url(build)
+        build = model.build.get_repository_build(build_uuid)
+        if (
+            not build
+            or build.repository.name != repository
+            or build.repository.namespace_user.username != namespace
+        ):
+            raise NotFound()
+
+        return get_logs_or_log_url(build)
 
 
-@resource('/v1/filedrop/')
+@resource("/v1/filedrop/")
 @internal_only
 class FileDropResource(ApiResource):
-  """ Custom verb for setting up a client side file transfer. """
-  schemas = {
-    'FileDropRequest': {
-      'type': 'object',
-      'description': 'Description of the file that the user wishes to upload.',
-      'required': [
-        'mimeType',
-      ],
-      'properties': {
-        'mimeType': {
-          'type': 'string',
-          'description': 'Type of the file which is about to be uploaded',
-        },
-      },
-    },
-  }
+    """ Custom verb for setting up a client side file transfer. """
 
-  @nickname('getFiledropUrl')
-  @validate_json_request('FileDropRequest')
-  def post(self):
-    """ Request a URL to which a file may be uploaded. """
-    mime_type = request.get_json()['mimeType']
-    (url, file_id) = user_files.prepare_for_drop(mime_type, requires_cors=True)
-    return {
-      'url': url,
-      'file_id': str(file_id),
+    schemas = {
+        "FileDropRequest": {
+            "type": "object",
+            "description": "Description of the file that the user wishes to upload.",
+            "required": ["mimeType"],
+            "properties": {
+                "mimeType": {
+                    "type": "string",
+                    "description": "Type of the file which is about to be uploaded",
+                }
+            },
+        }
     }
+
+    @nickname("getFiledropUrl")
+    @validate_json_request("FileDropRequest")
+    def post(self):
+        """ Request a URL to which a file may be uploaded. """
+        mime_type = request.get_json()["mimeType"]
+        (url, file_id) = user_files.prepare_for_drop(mime_type, requires_cors=True)
+        return {"url": url, "file_id": str(file_id)}
diff --git a/endpoints/api/discovery.py b/endpoints/api/discovery.py
index 66e7c74a3..45f8f476e 100644
--- a/endpoints/api/discovery.py
+++ b/endpoints/api/discovery.py
@@ -11,324 +11,337 @@ from flask_restful import reqparse
 
 from app import app
 from auth import scopes
-from endpoints.api import (ApiResource, resource, method_metadata, nickname, truthy_bool,
-                           parse_args, query_param)
+from endpoints.api import (
+    ApiResource,
+    resource,
+    method_metadata,
+    nickname,
+    truthy_bool,
+    parse_args,
+    query_param,
+)
 from endpoints.decorators import anon_allowed
 
 
 logger = logging.getLogger(__name__)
 
 
-PARAM_REGEX = re.compile(r'<([^:>]+:)*([\w]+)>')
+PARAM_REGEX = re.compile(r"<([^:>]+:)*([\w]+)>")
 
 
 TYPE_CONVERTER = {
-  truthy_bool: 'boolean',
-  str: 'string',
-  basestring: 'string',
-  reqparse.text_type: 'string',
-  int: 'integer',
+    truthy_bool: "boolean",
+    str: "string",
+    basestring: "string",
+    reqparse.text_type: "string",
+    int: "integer",
 }
 
-PREFERRED_URL_SCHEME = app.config['PREFERRED_URL_SCHEME']
-SERVER_HOSTNAME = app.config['SERVER_HOSTNAME']
+PREFERRED_URL_SCHEME = app.config["PREFERRED_URL_SCHEME"]
+SERVER_HOSTNAME = app.config["SERVER_HOSTNAME"]
 
 
 def fully_qualified_name(method_view_class):
-  return '%s.%s' % (method_view_class.__module__, method_view_class.__name__)
+    return "%s.%s" % (method_view_class.__module__, method_view_class.__name__)
 
 
 def swagger_route_data(include_internal=False, compact=False):
-  def swagger_parameter(name, description, kind='path', param_type='string', required=True,
-                        enum=None, schema=None):
-    # https://github.com/swagger-api/swagger-spec/blob/master/versions/2.0.md#parameterObject
-    parameter_info = {
-      'name': name,
-      'in': kind,
-      'required': required
-    }
+    def swagger_parameter(
+        name,
+        description,
+        kind="path",
+        param_type="string",
+        required=True,
+        enum=None,
+        schema=None,
+    ):
+        # https://github.com/swagger-api/swagger-spec/blob/master/versions/2.0.md#parameterObject
+        parameter_info = {"name": name, "in": kind, "required": required}
 
-    if not compact:
-      parameter_info['description'] = description or ''
+        if not compact:
+            parameter_info["description"] = description or ""
 
-    if schema:
-      parameter_info['schema'] = {
-        '$ref': '#/definitions/%s' % schema
-      }
-    else:
-      parameter_info['type'] = param_type
-
-    if enum is not None and len(list(enum)) > 0:
-      parameter_info['enum'] = list(enum)
-
-    return parameter_info
-
-  paths = {}
-  models = {}
-  tags = []
-  tags_added = set()
-  operationIds = set()
-
-  for rule in app.url_map.iter_rules():
-    endpoint_method = app.view_functions[rule.endpoint]
-
-    # Verify that we have a view class for this API method.
-    if not 'view_class' in dir(endpoint_method):
-      continue
-
-    view_class = endpoint_method.view_class
-
-    # Hide the class if it is internal.
-    internal = method_metadata(view_class, 'internal')
-    if not include_internal and internal:
-      continue
-
-    # Build the tag.
-    parts = fully_qualified_name(view_class).split('.')
-    tag_name = parts[-2]
-    if not tag_name in tags_added:
-      tags_added.add(tag_name)
-      tags.append({
-        'name': tag_name,
-        'description': (sys.modules[view_class.__module__].__doc__ or '').strip()
-      })
-
-    # Build the Swagger data for the path.
-    swagger_path = PARAM_REGEX.sub(r'{\2}', rule.rule)
-    full_name = fully_qualified_name(view_class)
-    path_swagger = {
-      'x-name': full_name,
-      'x-path': swagger_path,
-      'x-tag': tag_name
-    }
-
-    if include_internal:
-      related_user_res = method_metadata(view_class, 'related_user_resource')
-      if related_user_res is not None:
-        path_swagger['x-user-related'] = fully_qualified_name(related_user_res)
-
-    paths[swagger_path] = path_swagger
-
-    # Add any global path parameters.
-    param_data_map = view_class.__api_path_params if '__api_path_params' in dir(view_class) else {}
-    if param_data_map:
-      path_parameters_swagger = []
-      for path_parameter in param_data_map:
-        description = param_data_map[path_parameter].get('description')
-        path_parameters_swagger.append(swagger_parameter(path_parameter, description))
-
-      path_swagger['parameters'] = path_parameters_swagger
-
-    # Add the individual HTTP operations.
-    method_names = list(rule.methods.difference(['HEAD', 'OPTIONS']))
-    for method_name in method_names:
-      # https://github.com/swagger-api/swagger-spec/blob/master/versions/2.0.md#operation-object
-      method = getattr(view_class, method_name.lower(), None)
-      if method is None:
-        logger.debug('Unable to find method for %s in class %s', method_name, view_class)
-        continue
-
-      operationId = method_metadata(method, 'nickname')
-      operation_swagger = {
-        'operationId': operationId,
-        'parameters': [],
-      }
-
-      if operationId is None:
-        continue
-
-      if operationId in operationIds:
-        raise Exception('Duplicate operation Id: %s' % operationId)
-
-      operationIds.add(operationId)
-
-      if not compact:
-        operation_swagger.update({
-          'description': method.__doc__.strip() if method.__doc__ else '',
-          'tags': [tag_name]
-        })
-
-      # Mark the method as internal.
-      internal = method_metadata(method, 'internal')
-      if internal is not None:
-        operation_swagger['x-internal'] = True
-
-      if include_internal:
-        requires_fresh_login = method_metadata(method, 'requires_fresh_login')
-        if requires_fresh_login is not None:
-          operation_swagger['x-requires-fresh-login'] = True
-
-      # Add the path parameters.
-      if rule.arguments:
-        for path_parameter in rule.arguments:
-          description = param_data_map.get(path_parameter, {}).get('description')
-          operation_swagger['parameters'].append(swagger_parameter(path_parameter, description))
-
-      # Add the query parameters.
-      if '__api_query_params' in dir(method):
-        for query_parameter_info in method.__api_query_params:
-          name = query_parameter_info['name']
-          description = query_parameter_info['help']
-          param_type = TYPE_CONVERTER[query_parameter_info['type']]
-          required = query_parameter_info['required']
-
-          operation_swagger['parameters'].append(
-            swagger_parameter(name, description, kind='query',
-                              param_type=param_type,
-                              required=required,
-                              enum=query_parameter_info['choices']))
-
-      # Add the OAuth security block.
-      # https://github.com/swagger-api/swagger-spec/blob/master/versions/2.0.md#securityRequirementObject
-      scope = method_metadata(method, 'oauth2_scope')
-      if scope and not compact:
-        operation_swagger['security'] = [{'oauth2_implicit': [scope.scope]}]
-
-      # Add the responses block.
-      # https://github.com/swagger-api/swagger-spec/blob/master/versions/2.0.md#responsesObject
-      response_schema_name = method_metadata(method, 'response_schema')
-      if not compact:
-        if response_schema_name:
-          models[response_schema_name] = view_class.schemas[response_schema_name]
-
-        models['ApiError'] = {
-          'type': 'object',
-          'properties': {
-            'status': {
-              'type': 'integer',
-              'description': 'Status code of the response.'
-            },
-            'type': {
-              'type': 'string',
-              'description': 'Reference to the type of the error.'
-            },
-            'detail': {
-              'type': 'string',
-              'description': 'Details about the specific instance of the error.'
-            },
-            'title': {
-              'type': 'string',
-              'description': 'Unique error code to identify the type of error.'
-            },
-            'error_message': {
-              'type': 'string',
-              'description': 'Deprecated; alias for detail'
-            },
-            'error_type': {
-              'type': 'string',
-              'description': 'Deprecated; alias for detail'
-            }
-          },
-          'required': [
-            'status',
-            'type',
-            'title',
-          ]
-        }
-
-        responses = {
-          '400': {
-            'description': 'Bad Request',
-          },
-
-          '401': {
-            'description': 'Session required',
-          },
-
-          '403': {
-            'description': 'Unauthorized access',
-          },
-
-          '404': {
-            'description': 'Not found',
-          },
-        }
-
-        for _, body in responses.items():
-          body['schema'] = {'$ref':  '#/definitions/ApiError'}
-
-        if method_name == 'DELETE':
-          responses['204'] = {
-            'description': 'Deleted'
-          }
-        elif method_name == 'POST':
-          responses['201'] = {
-            'description': 'Successful creation'
-          }
+        if schema:
+            parameter_info["schema"] = {"$ref": "#/definitions/%s" % schema}
         else:
-          responses['200'] = {
-            'description': 'Successful invocation'
-          }
+            parameter_info["type"] = param_type
 
-          if response_schema_name:
-            responses['200']['schema'] = {
-              '$ref': '#/definitions/%s' % response_schema_name
+        if enum is not None and len(list(enum)) > 0:
+            parameter_info["enum"] = list(enum)
+
+        return parameter_info
+
+    paths = {}
+    models = {}
+    tags = []
+    tags_added = set()
+    operationIds = set()
+
+    for rule in app.url_map.iter_rules():
+        endpoint_method = app.view_functions[rule.endpoint]
+
+        # Verify that we have a view class for this API method.
+        if not "view_class" in dir(endpoint_method):
+            continue
+
+        view_class = endpoint_method.view_class
+
+        # Hide the class if it is internal.
+        internal = method_metadata(view_class, "internal")
+        if not include_internal and internal:
+            continue
+
+        # Build the tag.
+        parts = fully_qualified_name(view_class).split(".")
+        tag_name = parts[-2]
+        if not tag_name in tags_added:
+            tags_added.add(tag_name)
+            tags.append(
+                {
+                    "name": tag_name,
+                    "description": (
+                        sys.modules[view_class.__module__].__doc__ or ""
+                    ).strip(),
+                }
+            )
+
+        # Build the Swagger data for the path.
+        swagger_path = PARAM_REGEX.sub(r"{\2}", rule.rule)
+        full_name = fully_qualified_name(view_class)
+        path_swagger = {"x-name": full_name, "x-path": swagger_path, "x-tag": tag_name}
+
+        if include_internal:
+            related_user_res = method_metadata(view_class, "related_user_resource")
+            if related_user_res is not None:
+                path_swagger["x-user-related"] = fully_qualified_name(related_user_res)
+
+        paths[swagger_path] = path_swagger
+
+        # Add any global path parameters.
+        param_data_map = (
+            view_class.__api_path_params
+            if "__api_path_params" in dir(view_class)
+            else {}
+        )
+        if param_data_map:
+            path_parameters_swagger = []
+            for path_parameter in param_data_map:
+                description = param_data_map[path_parameter].get("description")
+                path_parameters_swagger.append(
+                    swagger_parameter(path_parameter, description)
+                )
+
+            path_swagger["parameters"] = path_parameters_swagger
+
+        # Add the individual HTTP operations.
+        method_names = list(rule.methods.difference(["HEAD", "OPTIONS"]))
+        for method_name in method_names:
+            # https://github.com/swagger-api/swagger-spec/blob/master/versions/2.0.md#operation-object
+            method = getattr(view_class, method_name.lower(), None)
+            if method is None:
+                logger.debug(
+                    "Unable to find method for %s in class %s", method_name, view_class
+                )
+                continue
+
+            operationId = method_metadata(method, "nickname")
+            operation_swagger = {"operationId": operationId, "parameters": []}
+
+            if operationId is None:
+                continue
+
+            if operationId in operationIds:
+                raise Exception("Duplicate operation Id: %s" % operationId)
+
+            operationIds.add(operationId)
+
+            if not compact:
+                operation_swagger.update(
+                    {
+                        "description": method.__doc__.strip() if method.__doc__ else "",
+                        "tags": [tag_name],
+                    }
+                )
+
+            # Mark the method as internal.
+            internal = method_metadata(method, "internal")
+            if internal is not None:
+                operation_swagger["x-internal"] = True
+
+            if include_internal:
+                requires_fresh_login = method_metadata(method, "requires_fresh_login")
+                if requires_fresh_login is not None:
+                    operation_swagger["x-requires-fresh-login"] = True
+
+            # Add the path parameters.
+            if rule.arguments:
+                for path_parameter in rule.arguments:
+                    description = param_data_map.get(path_parameter, {}).get(
+                        "description"
+                    )
+                    operation_swagger["parameters"].append(
+                        swagger_parameter(path_parameter, description)
+                    )
+
+            # Add the query parameters.
+            if "__api_query_params" in dir(method):
+                for query_parameter_info in method.__api_query_params:
+                    name = query_parameter_info["name"]
+                    description = query_parameter_info["help"]
+                    param_type = TYPE_CONVERTER[query_parameter_info["type"]]
+                    required = query_parameter_info["required"]
+
+                    operation_swagger["parameters"].append(
+                        swagger_parameter(
+                            name,
+                            description,
+                            kind="query",
+                            param_type=param_type,
+                            required=required,
+                            enum=query_parameter_info["choices"],
+                        )
+                    )
+
+            # Add the OAuth security block.
+            # https://github.com/swagger-api/swagger-spec/blob/master/versions/2.0.md#securityRequirementObject
+            scope = method_metadata(method, "oauth2_scope")
+            if scope and not compact:
+                operation_swagger["security"] = [{"oauth2_implicit": [scope.scope]}]
+
+            # Add the responses block.
+            # https://github.com/swagger-api/swagger-spec/blob/master/versions/2.0.md#responsesObject
+            response_schema_name = method_metadata(method, "response_schema")
+            if not compact:
+                if response_schema_name:
+                    models[response_schema_name] = view_class.schemas[
+                        response_schema_name
+                    ]
+
+                models["ApiError"] = {
+                    "type": "object",
+                    "properties": {
+                        "status": {
+                            "type": "integer",
+                            "description": "Status code of the response.",
+                        },
+                        "type": {
+                            "type": "string",
+                            "description": "Reference to the type of the error.",
+                        },
+                        "detail": {
+                            "type": "string",
+                            "description": "Details about the specific instance of the error.",
+                        },
+                        "title": {
+                            "type": "string",
+                            "description": "Unique error code to identify the type of error.",
+                        },
+                        "error_message": {
+                            "type": "string",
+                            "description": "Deprecated; alias for detail",
+                        },
+                        "error_type": {
+                            "type": "string",
+                            "description": "Deprecated; alias for detail",
+                        },
+                    },
+                    "required": ["status", "type", "title"],
+                }
+
+                responses = {
+                    "400": {"description": "Bad Request"},
+                    "401": {"description": "Session required"},
+                    "403": {"description": "Unauthorized access"},
+                    "404": {"description": "Not found"},
+                }
+
+                for _, body in responses.items():
+                    body["schema"] = {"$ref": "#/definitions/ApiError"}
+
+                if method_name == "DELETE":
+                    responses["204"] = {"description": "Deleted"}
+                elif method_name == "POST":
+                    responses["201"] = {"description": "Successful creation"}
+                else:
+                    responses["200"] = {"description": "Successful invocation"}
+
+                    if response_schema_name:
+                        responses["200"]["schema"] = {
+                            "$ref": "#/definitions/%s" % response_schema_name
+                        }
+
+                operation_swagger["responses"] = responses
+
+            # Add the request block.
+            request_schema_name = method_metadata(method, "request_schema")
+            if request_schema_name and not compact:
+                models[request_schema_name] = view_class.schemas[request_schema_name]
+
+                operation_swagger["parameters"].append(
+                    swagger_parameter(
+                        "body",
+                        "Request body contents.",
+                        kind="body",
+                        schema=request_schema_name,
+                    )
+                )
+
+            # Add the operation to the parent path.
+            if not internal or (internal and include_internal):
+                path_swagger[method_name.lower()] = operation_swagger
+
+    tags.sort(key=lambda t: t["name"])
+    paths = OrderedDict(sorted(paths.items(), key=lambda p: p[1]["x-tag"]))
+
+    if compact:
+        return {"paths": paths}
+
+    swagger_data = {
+        "swagger": "2.0",
+        "host": SERVER_HOSTNAME,
+        "basePath": "/",
+        "schemes": [PREFERRED_URL_SCHEME],
+        "info": {
+            "version": "v1",
+            "title": "Quay Frontend",
+            "description": (
+                "This API allows you to perform many of the operations required to work "
+                "with Quay repositories, users, and organizations. You can find out more "
+                'at <a href="https://quay.io">Quay</a>.'
+            ),
+            "termsOfService": "https://quay.io/tos",
+            "contact": {"email": "support@quay.io"},
+        },
+        "securityDefinitions": {
+            "oauth2_implicit": {
+                "type": "oauth2",
+                "flow": "implicit",
+                "authorizationUrl": "%s://%s/oauth/authorize"
+                % (PREFERRED_URL_SCHEME, SERVER_HOSTNAME),
+                "scopes": {
+                    scope.scope: scope.description
+                    for scope in scopes.app_scopes(app.config).values()
+                },
             }
+        },
+        "paths": paths,
+        "definitions": models,
+        "tags": tags,
+    }
 
-        operation_swagger['responses'] = responses
+    return swagger_data
 
 
-      # Add the request block.
-      request_schema_name = method_metadata(method, 'request_schema')
-      if request_schema_name and not compact:
-        models[request_schema_name] = view_class.schemas[request_schema_name]
-
-        operation_swagger['parameters'].append(
-          swagger_parameter('body', 'Request body contents.', kind='body',
-                            schema=request_schema_name))
-
-      # Add the operation to the parent path.
-      if not internal or (internal and include_internal):
-        path_swagger[method_name.lower()] = operation_swagger
-
-  tags.sort(key=lambda t: t['name'])
-  paths = OrderedDict(sorted(paths.items(), key=lambda p: p[1]['x-tag']))
-
-  if compact:
-    return {'paths': paths}
-
-  swagger_data = {
-    'swagger': '2.0',
-    'host': SERVER_HOSTNAME,
-    'basePath': '/',
-    'schemes': [
-      PREFERRED_URL_SCHEME
-    ],
-    'info': {
-      'version': 'v1',
-      'title': 'Quay Frontend',
-      'description': ('This API allows you to perform many of the operations required to work '
-                      'with Quay repositories, users, and organizations. You can find out more '
-                      'at <a href="https://quay.io">Quay</a>.'),
-      'termsOfService': 'https://quay.io/tos',
-      'contact': {
-        'email': 'support@quay.io'
-      }
-    },
-    'securityDefinitions': {
-      'oauth2_implicit': {
-        "type": "oauth2",
-        "flow": "implicit",
-        "authorizationUrl": "%s://%s/oauth/authorize" % (PREFERRED_URL_SCHEME, SERVER_HOSTNAME),
-        'scopes': {scope.scope:scope.description
-                   for scope in scopes.app_scopes(app.config).values()},
-      },
-    },
-    'paths': paths,
-    'definitions': models,
-    'tags': tags
-  }
-
-  return swagger_data
-
-
-@resource('/v1/discovery')
+@resource("/v1/discovery")
 class DiscoveryResource(ApiResource):
-  """Ability to inspect the API for usage information and documentation."""
-  @parse_args()
-  @query_param('internal', 'Whether to include internal APIs.', type=truthy_bool, default=False)
-  @nickname('discovery')
-  @anon_allowed
-  def get(self, parsed_args):
-    """ List all of the API endpoints available in the swagger API format."""
-    return swagger_route_data(parsed_args['internal'])
+    """Ability to inspect the API for usage information and documentation."""
+
+    @parse_args()
+    @query_param(
+        "internal", "Whether to include internal APIs.", type=truthy_bool, default=False
+    )
+    @nickname("discovery")
+    @anon_allowed
+    def get(self, parsed_args):
+        """ List all of the API endpoints available in the swagger API format."""
+        return swagger_route_data(parsed_args["internal"])
diff --git a/endpoints/api/error.py b/endpoints/api/error.py
index bfa80efe2..210f728ed 100644
--- a/endpoints/api/error.py
+++ b/endpoints/api/error.py
@@ -1,61 +1,63 @@
 """ Error details API """
 from flask import url_for
 
-from endpoints.api import (resource, nickname, ApiResource, path_param,
-                           define_json_response)
+from endpoints.api import (
+    resource,
+    nickname,
+    ApiResource,
+    path_param,
+    define_json_response,
+)
 from endpoints.exception import NotFound, ApiErrorType, ERROR_DESCRIPTION
 
+
 def error_view(error_type):
-  return {
-    'type': url_for('api.error', error_type=error_type, _external=True),
-    'title': error_type,
-    'description': ERROR_DESCRIPTION[error_type]
-  }
+    return {
+        "type": url_for("api.error", error_type=error_type, _external=True),
+        "title": error_type,
+        "description": ERROR_DESCRIPTION[error_type],
+    }
 
 
-@resource('/v1/error/<error_type>')
-@path_param('error_type', 'The error code identifying the type of error.')
+@resource("/v1/error/<error_type>")
+@path_param("error_type", "The error code identifying the type of error.")
 class Error(ApiResource):
-  """ Resource for Error Descriptions"""
-  schemas = {
-    'ApiErrorDescription': {
-      'type': 'object',
-      'description': 'Description of an error',
-      'required': [
-        'type',
-        'description',
-        'title',
-      ],
-      'properties': {
-        'type': {
-          'type': 'string',
-          'description': 'A reference to the error type resource'
-        },
-        'title': {
-          'type': 'string',
-          'description': (
-            'The title of the error. Can be used to uniquely identify the kind'
-            ' of error.'
-          ),
-          'enum': list(ApiErrorType.__members__)
-        },
-        'description': {
-          'type': 'string',
-          'description': (
-            'A more detailed description of the error that may include help for'
-            ' fixing the issue.'
-          )
+    """ Resource for Error Descriptions"""
+
+    schemas = {
+        "ApiErrorDescription": {
+            "type": "object",
+            "description": "Description of an error",
+            "required": ["type", "description", "title"],
+            "properties": {
+                "type": {
+                    "type": "string",
+                    "description": "A reference to the error type resource",
+                },
+                "title": {
+                    "type": "string",
+                    "description": (
+                        "The title of the error. Can be used to uniquely identify the kind"
+                        " of error."
+                    ),
+                    "enum": list(ApiErrorType.__members__),
+                },
+                "description": {
+                    "type": "string",
+                    "description": (
+                        "A more detailed description of the error that may include help for"
+                        " fixing the issue."
+                    ),
+                },
+            },
         }
-      },
-    },
-  }
+    }
 
-  @define_json_response('ApiErrorDescription')
-  @nickname('getErrorDescription')
-  def get(self, error_type):
-    """ Get a detailed description of the error """
-    if error_type in ERROR_DESCRIPTION.keys():
-      return error_view(error_type)
-
-    raise NotFound()
+    @define_json_response("ApiErrorDescription")
+    @nickname("getErrorDescription")
+    def get(self, error_type):
+        """ Get a detailed description of the error """
+        if error_type in ERROR_DESCRIPTION.keys():
+            return error_view(error_type)
 
+        raise NotFound()
diff --git a/endpoints/api/globalmessages.py b/endpoints/api/globalmessages.py
index 43ea58083..035886857 100644
--- a/endpoints/api/globalmessages.py
+++ b/endpoints/api/globalmessages.py
@@ -6,123 +6,127 @@ from flask import request
 import features
 from auth import scopes
 from auth.permissions import SuperUserPermission
-from endpoints.api import (ApiResource, resource, nickname,
-                           require_fresh_login, verify_not_prod, validate_json_request,
-                           require_scope, show_if,)
+from endpoints.api import (
+    ApiResource,
+    resource,
+    nickname,
+    require_fresh_login,
+    verify_not_prod,
+    validate_json_request,
+    require_scope,
+    show_if,
+)
 from globalmessages_models_pre_oci import pre_oci_model as model
 
 
-@resource('/v1/messages')
+@resource("/v1/messages")
 class GlobalUserMessages(ApiResource):
-  """ Resource for getting a list of super user messages """
-  schemas = {
-    'GetMessage': {
-      'id': 'GetMessage',
-      'type': 'object',
-      'description': 'Messages that a super user has saved in the past',
-      'properties': {
-        'message': {
-          'type': 'array',
-          'description': 'A list of messages',
-          'itemType': {
-            'type': 'object',
-            'properties': {
-              'uuid': {
-                'type': 'string',
-                'description': 'The message id',
-              },
-              'content': {
-                'type': 'string',
-                'description': 'The actual message',
-              },
-              'media_type': {
-                'type': 'string',
-                'description': 'The media type of the message',
-                'enum': ['text/plain', 'text/markdown'],
-              },
-              'severity': {
-                'type': 'string',
-                'description': 'The severity of the message',
-                'enum': ['info', 'warning', 'error'],
-              },
-            },
-          },
-        },
-      },
-    },
-    'CreateMessage': {
-      'id': 'CreateMessage',
-      'type': 'object',
-      'description': 'Create a new message',
-      'properties': {
-        'message': {
-          'type': 'object',
-          'description': 'A single message',
-          'required': [
-            'content',
-            'media_type',
-            'severity',
-          ],
-          'properties': {
-            'content': {
-              'type': 'string',
-              'description': 'The actual message',
-            },
-            'media_type': {
-              'type': 'string',
-              'description': 'The media type of the message',
-              'enum': ['text/plain', 'text/markdown'],
-            },
-            'severity': {
-              'type': 'string',
-              'description': 'The severity of the message',
-              'enum': ['info', 'warning', 'error'],
-            },
-          },
-        },
-      },
-    }
-  }
+    """ Resource for getting a list of super user messages """
 
-  @nickname('getGlobalMessages')
-  def get(self):
-    """ Return a super users messages """
-    return {
-      'messages': [m.to_dict() for m in model.get_all_messages()],
+    schemas = {
+        "GetMessage": {
+            "id": "GetMessage",
+            "type": "object",
+            "description": "Messages that a super user has saved in the past",
+            "properties": {
+                "message": {
+                    "type": "array",
+                    "description": "A list of messages",
+                    "itemType": {
+                        "type": "object",
+                        "properties": {
+                            "uuid": {"type": "string", "description": "The message id"},
+                            "content": {
+                                "type": "string",
+                                "description": "The actual message",
+                            },
+                            "media_type": {
+                                "type": "string",
+                                "description": "The media type of the message",
+                                "enum": ["text/plain", "text/markdown"],
+                            },
+                            "severity": {
+                                "type": "string",
+                                "description": "The severity of the message",
+                                "enum": ["info", "warning", "error"],
+                            },
+                        },
+                    },
+                }
+            },
+        },
+        "CreateMessage": {
+            "id": "CreateMessage",
+            "type": "object",
+            "description": "Create a new message",
+            "properties": {
+                "message": {
+                    "type": "object",
+                    "description": "A single message",
+                    "required": ["content", "media_type", "severity"],
+                    "properties": {
+                        "content": {
+                            "type": "string",
+                            "description": "The actual message",
+                        },
+                        "media_type": {
+                            "type": "string",
+                            "description": "The media type of the message",
+                            "enum": ["text/plain", "text/markdown"],
+                        },
+                        "severity": {
+                            "type": "string",
+                            "description": "The severity of the message",
+                            "enum": ["info", "warning", "error"],
+                        },
+                    },
+                }
+            },
+        },
     }
 
-  @require_fresh_login
-  @verify_not_prod
-  @nickname('createGlobalMessage')
-  @validate_json_request('CreateMessage')
-  @require_scope(scopes.SUPERUSER)
-  def post(self):
-    """ Create a message """
-    if not features.SUPER_USERS:
-      abort(404)
+    @nickname("getGlobalMessages")
+    def get(self):
+        """ Return a super users messages """
+        return {"messages": [m.to_dict() for m in model.get_all_messages()]}
 
-    if SuperUserPermission().can():
-      message_req = request.get_json()['message']
-      message = model.create_message(message_req['severity'], message_req['media_type'], message_req['content'])
-      if message is None:
-        abort(400)
-      return make_response('', 201)
+    @require_fresh_login
+    @verify_not_prod
+    @nickname("createGlobalMessage")
+    @validate_json_request("CreateMessage")
+    @require_scope(scopes.SUPERUSER)
+    def post(self):
+        """ Create a message """
+        if not features.SUPER_USERS:
+            abort(404)
 
-    abort(403)
+        if SuperUserPermission().can():
+            message_req = request.get_json()["message"]
+            message = model.create_message(
+                message_req["severity"],
+                message_req["media_type"],
+                message_req["content"],
+            )
+            if message is None:
+                abort(400)
+            return make_response("", 201)
+
+        abort(403)
 
 
-@resource('/v1/message/<uuid>')
+@resource("/v1/message/<uuid>")
 @show_if(features.SUPER_USERS)
 class GlobalUserMessage(ApiResource):
-  """ Resource for managing individual messages """
-  @require_fresh_login
-  @verify_not_prod
-  @nickname('deleteGlobalMessage')
-  @require_scope(scopes.SUPERUSER)
-  def delete(self, uuid):
-    """ Delete a message """
-    if SuperUserPermission().can():
-      model.delete_message(uuid)
-      return make_response('', 204)
+    """ Resource for managing individual messages """
 
-    abort(403)
+    @require_fresh_login
+    @verify_not_prod
+    @nickname("deleteGlobalMessage")
+    @require_scope(scopes.SUPERUSER)
+    def delete(self, uuid):
+        """ Delete a message """
+        if SuperUserPermission().can():
+            model.delete_message(uuid)
+            return make_response("", 204)
+
+        abort(403)
diff --git a/endpoints/api/globalmessages_models_interface.py b/endpoints/api/globalmessages_models_interface.py
index 679462c1d..53e2da412 100644
--- a/endpoints/api/globalmessages_models_interface.py
+++ b/endpoints/api/globalmessages_models_interface.py
@@ -3,52 +3,45 @@ from collections import namedtuple
 
 from six import add_metaclass
 
-class GlobalMessage(
-  namedtuple('GlobalMessage', [
-    'uuid',
-    'content',
-    'severity',
-    'media_type_name',
-  ])):
-  
-  def to_dict(self):
-    return {
-      'uuid': self.uuid,
-      'content': self.content,
-      'severity': self.severity,
-      'media_type': self.media_type_name,
-    }
 
+class GlobalMessage(
+    namedtuple("GlobalMessage", ["uuid", "content", "severity", "media_type_name"])
+):
+    def to_dict(self):
+        return {
+            "uuid": self.uuid,
+            "content": self.content,
+            "severity": self.severity,
+            "media_type": self.media_type_name,
+        }
 
 
 @add_metaclass(ABCMeta)
 class GlobalMessageDataInterface(object):
-  """
+    """
   Data interface for globalmessages API
   """
-  
-  @abstractmethod
-  def get_all_messages(self):
-    """
+
+    @abstractmethod
+    def get_all_messages(self):
+        """
     
     Returns:
     list(GlobalMessage)
     """
-  
-  @abstractmethod
-  def create_message(self, severity, media_type_name, content):
-    """
+
+    @abstractmethod
+    def create_message(self, severity, media_type_name, content):
+        """
     
     Returns:
     GlobalMessage or None
     """
-  
-  @abstractmethod
-  def delete_message(self, uuid):
-    """
+
+    @abstractmethod
+    def delete_message(self, uuid):
+        """
     
     Returns:
     void
     """
-  
-  
\ No newline at end of file
diff --git a/endpoints/api/globalmessages_models_pre_oci.py b/endpoints/api/globalmessages_models_pre_oci.py
index d9a623f1b..2b0f35444 100644
--- a/endpoints/api/globalmessages_models_pre_oci.py
+++ b/endpoints/api/globalmessages_models_pre_oci.py
@@ -3,31 +3,31 @@ from data import model
 
 
 class GlobalMessagePreOCI(GlobalMessageDataInterface):
-  
-  def get_all_messages(self):
-    messages = model.message.get_messages()
-    return [self._message(m) for m in messages]
-  
-  def create_message(self, severity, media_type_name, content):
-    message = {
-      'severity': severity,
-      'media_type': media_type_name,
-      'content': content
-    }
-    messages = model.message.create([message])
-    return self._message(messages[0])
-  
-  def delete_message(self, uuid):
-    model.message.delete_message([uuid])
-  
-  def _message(self, message_obj):
-    if message_obj is None:
-      return None
-    return GlobalMessage(
-      uuid=message_obj.uuid,
-      content=message_obj.content,
-      severity=message_obj.severity,
-      media_type_name=message_obj.media_type.name,
-    )
-  
-pre_oci_model = GlobalMessagePreOCI()
\ No newline at end of file
+    def get_all_messages(self):
+        messages = model.message.get_messages()
+        return [self._message(m) for m in messages]
+
+    def create_message(self, severity, media_type_name, content):
+        message = {
+            "severity": severity,
+            "media_type": media_type_name,
+            "content": content,
+        }
+        messages = model.message.create([message])
+        return self._message(messages[0])
+
+    def delete_message(self, uuid):
+        model.message.delete_message([uuid])
+
+    def _message(self, message_obj):
+        if message_obj is None:
+            return None
+        return GlobalMessage(
+            uuid=message_obj.uuid,
+            content=message_obj.content,
+            severity=message_obj.severity,
+            media_type_name=message_obj.media_type.name,
+        )
+
+
+pre_oci_model = GlobalMessagePreOCI()
diff --git a/endpoints/api/image.py b/endpoints/api/image.py
index 3a9dcd82c..bf24d91e2 100644
--- a/endpoints/api/image.py
+++ b/endpoints/api/image.py
@@ -2,76 +2,85 @@
 import json
 
 from data.registry_model import registry_model
-from endpoints.api import (resource, nickname, require_repo_read, RepositoryParamResource,
-                           path_param, disallow_for_app_repositories, format_date)
+from endpoints.api import (
+    resource,
+    nickname,
+    require_repo_read,
+    RepositoryParamResource,
+    path_param,
+    disallow_for_app_repositories,
+    format_date,
+)
 from endpoints.exception import NotFound
 
 
 def image_dict(image, with_history=False, with_tags=False):
-  parsed_command = None
-  if image.command:
-    try:
-      parsed_command = json.loads(image.command)
-    except (ValueError, TypeError):
-      parsed_command = {'error': 'Could not parse command'}
+    parsed_command = None
+    if image.command:
+        try:
+            parsed_command = json.loads(image.command)
+        except (ValueError, TypeError):
+            parsed_command = {"error": "Could not parse command"}
 
-  image_data = {
-    'id': image.docker_image_id,
-    'created': format_date(image.created),
-    'comment': image.comment,
-    'command': parsed_command,
-    'size': image.image_size,
-    'uploading': image.uploading,
-    'sort_index': len(image.parents),
-  }
+    image_data = {
+        "id": image.docker_image_id,
+        "created": format_date(image.created),
+        "comment": image.comment,
+        "command": parsed_command,
+        "size": image.image_size,
+        "uploading": image.uploading,
+        "sort_index": len(image.parents),
+    }
 
-  if with_tags:
-    image_data['tags'] = [tag.name for tag in image.tags]
+    if with_tags:
+        image_data["tags"] = [tag.name for tag in image.tags]
 
-  if with_history:
-    image_data['history'] = [image_dict(parent) for parent in image.parents]
+    if with_history:
+        image_data["history"] = [image_dict(parent) for parent in image.parents]
 
-  # Calculate the ancestors string, with the DBID's replaced with the docker IDs.
-  parent_docker_ids = [parent_image.docker_image_id for parent_image in image.parents]
-  image_data['ancestors'] = '/{0}/'.format('/'.join(parent_docker_ids))
-  return image_data
+    # Calculate the ancestors string, with the DBID's replaced with the docker IDs.
+    parent_docker_ids = [parent_image.docker_image_id for parent_image in image.parents]
+    image_data["ancestors"] = "/{0}/".format("/".join(parent_docker_ids))
+    return image_data
 
 
-@resource('/v1/repository/<apirepopath:repository>/image/')
-@path_param('repository', 'The full path of the repository. e.g. namespace/name')
+@resource("/v1/repository/<apirepopath:repository>/image/")
+@path_param("repository", "The full path of the repository. e.g. namespace/name")
 class RepositoryImageList(RepositoryParamResource):
-  """ Resource for listing repository images. """
+    """ Resource for listing repository images. """
 
-  @require_repo_read
-  @nickname('listRepositoryImages')
-  @disallow_for_app_repositories
-  def get(self, namespace, repository):
-    """ List the images for the specified repository. """
-    repo_ref = registry_model.lookup_repository(namespace, repository)
-    if repo_ref is None:
-      raise NotFound()
+    @require_repo_read
+    @nickname("listRepositoryImages")
+    @disallow_for_app_repositories
+    def get(self, namespace, repository):
+        """ List the images for the specified repository. """
+        repo_ref = registry_model.lookup_repository(namespace, repository)
+        if repo_ref is None:
+            raise NotFound()
 
-    images = registry_model.get_legacy_images(repo_ref)
-    return {'images': [image_dict(image, with_tags=True) for image in images]}
+        images = registry_model.get_legacy_images(repo_ref)
+        return {"images": [image_dict(image, with_tags=True) for image in images]}
 
 
-@resource('/v1/repository/<apirepopath:repository>/image/<image_id>')
-@path_param('repository', 'The full path of the repository. e.g. namespace/name')
-@path_param('image_id', 'The Docker image ID')
+@resource("/v1/repository/<apirepopath:repository>/image/<image_id>")
+@path_param("repository", "The full path of the repository. e.g. namespace/name")
+@path_param("image_id", "The Docker image ID")
 class RepositoryImage(RepositoryParamResource):
-  """ Resource for handling repository images. """
+    """ Resource for handling repository images. """
 
-  @require_repo_read
-  @nickname('getImage')
-  @disallow_for_app_repositories
-  def get(self, namespace, repository, image_id):
-    """ Get the information available for the specified image. """
-    repo_ref = registry_model.lookup_repository(namespace, repository)
-    if repo_ref is None:
-      raise NotFound()
+    @require_repo_read
+    @nickname("getImage")
+    @disallow_for_app_repositories
+    def get(self, namespace, repository, image_id):
+        """ Get the information available for the specified image. """
+        repo_ref = registry_model.lookup_repository(namespace, repository)
+        if repo_ref is None:
+            raise NotFound()
 
-    image = registry_model.get_legacy_image(repo_ref, image_id, include_parents=True)
-    if image is None:
-      raise NotFound()
+        image = registry_model.get_legacy_image(
+            repo_ref, image_id, include_parents=True
+        )
+        if image is None:
+            raise NotFound()
 
-    return image_dict(image, with_history=True)
+        return image_dict(image, with_history=True)
diff --git a/endpoints/api/logs.py b/endpoints/api/logs.py
index 1760a2e9b..e4e27b94e 100644
--- a/endpoints/api/logs.py
+++ b/endpoints/api/logs.py
@@ -11,334 +11,440 @@ from auth.auth_context import get_authenticated_user
 from auth import scopes
 from data.logs_model import logs_model
 from data.registry_model import registry_model
-from endpoints.api import (resource, nickname, ApiResource, query_param, parse_args,
-                           RepositoryParamResource, require_repo_admin, related_user_resource,
-                           format_date, require_user_admin, path_param, require_scope, page_support,
-                           validate_json_request, InvalidRequest, show_if)
+from endpoints.api import (
+    resource,
+    nickname,
+    ApiResource,
+    query_param,
+    parse_args,
+    RepositoryParamResource,
+    require_repo_admin,
+    related_user_resource,
+    format_date,
+    require_user_admin,
+    path_param,
+    require_scope,
+    page_support,
+    validate_json_request,
+    InvalidRequest,
+    show_if,
+)
 from endpoints.exception import Unauthorized, NotFound
 
 
 LOGS_PER_PAGE = 20
-SERVICE_LEVEL_LOG_KINDS = set(['service_key_create', 'service_key_approve', 'service_key_delete',
-                               'service_key_modify', 'service_key_extend', 'service_key_rotate'])
+SERVICE_LEVEL_LOG_KINDS = set(
+    [
+        "service_key_create",
+        "service_key_approve",
+        "service_key_delete",
+        "service_key_modify",
+        "service_key_extend",
+        "service_key_rotate",
+    ]
+)
 
 
 def _parse_datetime(dt_string):
-  if not dt_string:
-    return None
+    if not dt_string:
+        return None
 
-  try:
-    return datetime.strptime(dt_string + ' UTC', '%m/%d/%Y %Z')
-  except ValueError:
-    return None
+    try:
+        return datetime.strptime(dt_string + " UTC", "%m/%d/%Y %Z")
+    except ValueError:
+        return None
 
 
 def _validate_logs_arguments(start_time, end_time):
-  start_time = _parse_datetime(start_time) or (datetime.today() - timedelta(days=1))
-  end_time = _parse_datetime(end_time) or datetime.today()
-  end_time = end_time + timedelta(days=1)
-  return start_time, end_time
+    start_time = _parse_datetime(start_time) or (datetime.today() - timedelta(days=1))
+    end_time = _parse_datetime(end_time) or datetime.today()
+    end_time = end_time + timedelta(days=1)
+    return start_time, end_time
 
 
-def _get_logs(start_time, end_time, performer_name=None, repository_name=None, namespace_name=None,
-              page_token=None, filter_kinds=None):
-  (start_time, end_time) = _validate_logs_arguments(start_time, end_time)
-  log_entry_page = logs_model.lookup_logs(start_time, end_time, performer_name, repository_name,
-                                          namespace_name, filter_kinds, page_token,
-                                          app.config['ACTION_LOG_MAX_PAGE'])
-  include_namespace = namespace_name is None and repository_name is None
-  return {
-    'start_time': format_date(start_time),
-    'end_time': format_date(end_time),
-    'logs': [log.to_dict(avatar, include_namespace) for log in log_entry_page.logs],
-  }, log_entry_page.next_page_token
+def _get_logs(
+    start_time,
+    end_time,
+    performer_name=None,
+    repository_name=None,
+    namespace_name=None,
+    page_token=None,
+    filter_kinds=None,
+):
+    (start_time, end_time) = _validate_logs_arguments(start_time, end_time)
+    log_entry_page = logs_model.lookup_logs(
+        start_time,
+        end_time,
+        performer_name,
+        repository_name,
+        namespace_name,
+        filter_kinds,
+        page_token,
+        app.config["ACTION_LOG_MAX_PAGE"],
+    )
+    include_namespace = namespace_name is None and repository_name is None
+    return (
+        {
+            "start_time": format_date(start_time),
+            "end_time": format_date(end_time),
+            "logs": [
+                log.to_dict(avatar, include_namespace) for log in log_entry_page.logs
+            ],
+        },
+        log_entry_page.next_page_token,
+    )
 
 
-def _get_aggregate_logs(start_time, end_time, performer_name=None, repository=None, namespace=None,
-                        filter_kinds=None):
-  (start_time, end_time) = _validate_logs_arguments(start_time, end_time)
-  aggregated_logs = logs_model.get_aggregated_log_counts(start_time, end_time,
-                                                         performer_name=performer_name,
-                                                         repository_name=repository,
-                                                         namespace_name=namespace,
-                                                         filter_kinds=filter_kinds)
+def _get_aggregate_logs(
+    start_time,
+    end_time,
+    performer_name=None,
+    repository=None,
+    namespace=None,
+    filter_kinds=None,
+):
+    (start_time, end_time) = _validate_logs_arguments(start_time, end_time)
+    aggregated_logs = logs_model.get_aggregated_log_counts(
+        start_time,
+        end_time,
+        performer_name=performer_name,
+        repository_name=repository,
+        namespace_name=namespace,
+        filter_kinds=filter_kinds,
+    )
 
-  return {
-    'aggregated': [log.to_dict() for log in aggregated_logs]
-  }
+    return {"aggregated": [log.to_dict() for log in aggregated_logs]}
 
 
-@resource('/v1/repository/<apirepopath:repository>/logs')
-@path_param('repository', 'The full path of the repository. e.g. namespace/name')
+@resource("/v1/repository/<apirepopath:repository>/logs")
+@path_param("repository", "The full path of the repository. e.g. namespace/name")
 class RepositoryLogs(RepositoryParamResource):
-  """ Resource for fetching logs for the specific repository. """
+    """ Resource for fetching logs for the specific repository. """
 
-  @require_repo_admin
-  @nickname('listRepoLogs')
-  @parse_args()
-  @query_param('starttime', 'Earliest time for logs. Format: "%m/%d/%Y" in UTC.', type=str)
-  @query_param('endtime', 'Latest time for logs. Format: "%m/%d/%Y" in UTC.', type=str)
-  @page_support()
-  def get(self, namespace, repository, page_token, parsed_args):
-    """ List the logs for the specified repository. """
-    if registry_model.lookup_repository(namespace, repository) is None:
-      raise NotFound()
+    @require_repo_admin
+    @nickname("listRepoLogs")
+    @parse_args()
+    @query_param(
+        "starttime", 'Earliest time for logs. Format: "%m/%d/%Y" in UTC.', type=str
+    )
+    @query_param(
+        "endtime", 'Latest time for logs. Format: "%m/%d/%Y" in UTC.', type=str
+    )
+    @page_support()
+    def get(self, namespace, repository, page_token, parsed_args):
+        """ List the logs for the specified repository. """
+        if registry_model.lookup_repository(namespace, repository) is None:
+            raise NotFound()
 
-    start_time = parsed_args['starttime']
-    end_time = parsed_args['endtime']
-    return _get_logs(start_time, end_time,
-                     repository_name=repository,
-                     page_token=page_token,
-                     namespace_name=namespace)
+        start_time = parsed_args["starttime"]
+        end_time = parsed_args["endtime"]
+        return _get_logs(
+            start_time,
+            end_time,
+            repository_name=repository,
+            page_token=page_token,
+            namespace_name=namespace,
+        )
 
 
-@resource('/v1/user/logs')
+@resource("/v1/user/logs")
 class UserLogs(ApiResource):
-  """ Resource for fetching logs for the current user. """
+    """ Resource for fetching logs for the current user. """
 
-  @require_user_admin
-  @nickname('listUserLogs')
-  @parse_args()
-  @query_param('starttime', 'Earliest time for logs. Format: "%m/%d/%Y" in UTC.', type=str)
-  @query_param('endtime', 'Latest time for logs. Format: "%m/%d/%Y" in UTC.', type=str)
-  @query_param('performer', 'Username for which to filter logs.', type=str)
-  @page_support()
-  def get(self, parsed_args, page_token):
-    """ List the logs for the current user. """
-    performer_name = parsed_args['performer']
-    start_time = parsed_args['starttime']
-    end_time = parsed_args['endtime']
+    @require_user_admin
+    @nickname("listUserLogs")
+    @parse_args()
+    @query_param(
+        "starttime", 'Earliest time for logs. Format: "%m/%d/%Y" in UTC.', type=str
+    )
+    @query_param(
+        "endtime", 'Latest time for logs. Format: "%m/%d/%Y" in UTC.', type=str
+    )
+    @query_param("performer", "Username for which to filter logs.", type=str)
+    @page_support()
+    def get(self, parsed_args, page_token):
+        """ List the logs for the current user. """
+        performer_name = parsed_args["performer"]
+        start_time = parsed_args["starttime"]
+        end_time = parsed_args["endtime"]
 
-    user = get_authenticated_user()
-    return _get_logs(start_time, end_time,
-                     performer_name=performer_name,
-                     namespace_name=user.username,
-                     page_token=page_token,
-                     filter_kinds=SERVICE_LEVEL_LOG_KINDS)
+        user = get_authenticated_user()
+        return _get_logs(
+            start_time,
+            end_time,
+            performer_name=performer_name,
+            namespace_name=user.username,
+            page_token=page_token,
+            filter_kinds=SERVICE_LEVEL_LOG_KINDS,
+        )
 
 
-@resource('/v1/organization/<orgname>/logs')
-@path_param('orgname', 'The name of the organization')
+@resource("/v1/organization/<orgname>/logs")
+@path_param("orgname", "The name of the organization")
 @related_user_resource(UserLogs)
 class OrgLogs(ApiResource):
-  """ Resource for fetching logs for the entire organization. """
+    """ Resource for fetching logs for the entire organization. """
 
-  @nickname('listOrgLogs')
-  @parse_args()
-  @query_param('starttime', 'Earliest time for logs. Format: "%m/%d/%Y" in UTC.', type=str)
-  @query_param('endtime', 'Latest time for logs. Format: "%m/%d/%Y" in UTC.', type=str)
-  @query_param('performer', 'Username for which to filter logs.', type=str)
-  @page_support()
-  @require_scope(scopes.ORG_ADMIN)
-  def get(self, orgname, page_token, parsed_args):
-    """ List the logs for the specified organization. """
-    permission = AdministerOrganizationPermission(orgname)
-    if permission.can():
-      performer_name = parsed_args['performer']
-      start_time = parsed_args['starttime']
-      end_time = parsed_args['endtime']
+    @nickname("listOrgLogs")
+    @parse_args()
+    @query_param(
+        "starttime", 'Earliest time for logs. Format: "%m/%d/%Y" in UTC.', type=str
+    )
+    @query_param(
+        "endtime", 'Latest time for logs. Format: "%m/%d/%Y" in UTC.', type=str
+    )
+    @query_param("performer", "Username for which to filter logs.", type=str)
+    @page_support()
+    @require_scope(scopes.ORG_ADMIN)
+    def get(self, orgname, page_token, parsed_args):
+        """ List the logs for the specified organization. """
+        permission = AdministerOrganizationPermission(orgname)
+        if permission.can():
+            performer_name = parsed_args["performer"]
+            start_time = parsed_args["starttime"]
+            end_time = parsed_args["endtime"]
 
-      return _get_logs(start_time, end_time,
-                       namespace_name=orgname,
-                       performer_name=performer_name,
-                       page_token=page_token)
+            return _get_logs(
+                start_time,
+                end_time,
+                namespace_name=orgname,
+                performer_name=performer_name,
+                page_token=page_token,
+            )
 
-    raise Unauthorized()
+        raise Unauthorized()
 
 
-@resource('/v1/repository/<apirepopath:repository>/aggregatelogs')
+@resource("/v1/repository/<apirepopath:repository>/aggregatelogs")
 @show_if(features.AGGREGATED_LOG_COUNT_RETRIEVAL)
-@path_param('repository', 'The full path of the repository. e.g. namespace/name')
+@path_param("repository", "The full path of the repository. e.g. namespace/name")
 class RepositoryAggregateLogs(RepositoryParamResource):
-  """ Resource for fetching aggregated logs for the specific repository. """
+    """ Resource for fetching aggregated logs for the specific repository. """
 
-  @require_repo_admin
-  @nickname('getAggregateRepoLogs')
-  @parse_args()
-  @query_param('starttime', 'Earliest time for logs. Format: "%m/%d/%Y" in UTC.', type=str)
-  @query_param('endtime', 'Latest time for logs. Format: "%m/%d/%Y" in UTC.', type=str)
-  def get(self, namespace, repository, parsed_args):
-    """ Returns the aggregated logs for the specified repository. """
-    if registry_model.lookup_repository(namespace, repository) is None:
-      raise NotFound()
+    @require_repo_admin
+    @nickname("getAggregateRepoLogs")
+    @parse_args()
+    @query_param(
+        "starttime", 'Earliest time for logs. Format: "%m/%d/%Y" in UTC.', type=str
+    )
+    @query_param(
+        "endtime", 'Latest time for logs. Format: "%m/%d/%Y" in UTC.', type=str
+    )
+    def get(self, namespace, repository, parsed_args):
+        """ Returns the aggregated logs for the specified repository. """
+        if registry_model.lookup_repository(namespace, repository) is None:
+            raise NotFound()
 
-    start_time = parsed_args['starttime']
-    end_time = parsed_args['endtime']
-    return _get_aggregate_logs(start_time, end_time,
-                               repository=repository,
-                               namespace=namespace)
+        start_time = parsed_args["starttime"]
+        end_time = parsed_args["endtime"]
+        return _get_aggregate_logs(
+            start_time, end_time, repository=repository, namespace=namespace
+        )
 
 
-@resource('/v1/user/aggregatelogs')
+@resource("/v1/user/aggregatelogs")
 @show_if(features.AGGREGATED_LOG_COUNT_RETRIEVAL)
 class UserAggregateLogs(ApiResource):
-  """ Resource for fetching aggregated logs for the current user. """
+    """ Resource for fetching aggregated logs for the current user. """
 
-  @require_user_admin
-  @nickname('getAggregateUserLogs')
-  @parse_args()
-  @query_param('starttime', 'Earliest time for logs. Format: "%m/%d/%Y" in UTC.', type=str)
-  @query_param('endtime', 'Latest time for logs. Format: "%m/%d/%Y" in UTC.', type=str)
-  @query_param('performer', 'Username for which to filter logs.', type=str)
-  def get(self, parsed_args):
-    """ Returns the aggregated logs for the current user. """
-    performer_name = parsed_args['performer']
-    start_time = parsed_args['starttime']
-    end_time = parsed_args['endtime']
+    @require_user_admin
+    @nickname("getAggregateUserLogs")
+    @parse_args()
+    @query_param(
+        "starttime", 'Earliest time for logs. Format: "%m/%d/%Y" in UTC.', type=str
+    )
+    @query_param(
+        "endtime", 'Latest time for logs. Format: "%m/%d/%Y" in UTC.', type=str
+    )
+    @query_param("performer", "Username for which to filter logs.", type=str)
+    def get(self, parsed_args):
+        """ Returns the aggregated logs for the current user. """
+        performer_name = parsed_args["performer"]
+        start_time = parsed_args["starttime"]
+        end_time = parsed_args["endtime"]
 
-    user = get_authenticated_user()
-    return _get_aggregate_logs(start_time, end_time,
-                               performer_name=performer_name,
-                               namespace=user.username,
-                               filter_kinds=SERVICE_LEVEL_LOG_KINDS)
+        user = get_authenticated_user()
+        return _get_aggregate_logs(
+            start_time,
+            end_time,
+            performer_name=performer_name,
+            namespace=user.username,
+            filter_kinds=SERVICE_LEVEL_LOG_KINDS,
+        )
 
 
-@resource('/v1/organization/<orgname>/aggregatelogs')
+@resource("/v1/organization/<orgname>/aggregatelogs")
 @show_if(features.AGGREGATED_LOG_COUNT_RETRIEVAL)
-@path_param('orgname', 'The name of the organization')
+@path_param("orgname", "The name of the organization")
 @related_user_resource(UserLogs)
 class OrgAggregateLogs(ApiResource):
-  """ Resource for fetching aggregate logs for the entire organization. """
+    """ Resource for fetching aggregate logs for the entire organization. """
 
-  @nickname('getAggregateOrgLogs')
-  @parse_args()
-  @query_param('starttime', 'Earliest time for logs. Format: "%m/%d/%Y" in UTC.', type=str)
-  @query_param('endtime', 'Latest time for logs. Format: "%m/%d/%Y" in UTC.', type=str)
-  @query_param('performer', 'Username for which to filter logs.', type=str)
-  @require_scope(scopes.ORG_ADMIN)
-  def get(self, orgname, parsed_args):
-    """ Gets the aggregated logs for the specified organization. """
-    permission = AdministerOrganizationPermission(orgname)
-    if permission.can():
-      performer_name = parsed_args['performer']
-      start_time = parsed_args['starttime']
-      end_time = parsed_args['endtime']
+    @nickname("getAggregateOrgLogs")
+    @parse_args()
+    @query_param(
+        "starttime", 'Earliest time for logs. Format: "%m/%d/%Y" in UTC.', type=str
+    )
+    @query_param(
+        "endtime", 'Latest time for logs. Format: "%m/%d/%Y" in UTC.', type=str
+    )
+    @query_param("performer", "Username for which to filter logs.", type=str)
+    @require_scope(scopes.ORG_ADMIN)
+    def get(self, orgname, parsed_args):
+        """ Gets the aggregated logs for the specified organization. """
+        permission = AdministerOrganizationPermission(orgname)
+        if permission.can():
+            performer_name = parsed_args["performer"]
+            start_time = parsed_args["starttime"]
+            end_time = parsed_args["endtime"]
 
-      return _get_aggregate_logs(start_time, end_time,
-                                 namespace=orgname,
-                                 performer_name=performer_name)
+            return _get_aggregate_logs(
+                start_time, end_time, namespace=orgname, performer_name=performer_name
+            )
 
-    raise Unauthorized()
+        raise Unauthorized()
 
 
 EXPORT_LOGS_SCHEMA = {
-  'type': 'object',
-  'description': 'Configuration for an export logs operation',
-  'properties': {
-    'callback_url': {
-      'type': 'string',
-      'description': 'The callback URL to invoke with a link to the exported logs',
+    "type": "object",
+    "description": "Configuration for an export logs operation",
+    "properties": {
+        "callback_url": {
+            "type": "string",
+            "description": "The callback URL to invoke with a link to the exported logs",
+        },
+        "callback_email": {
+            "type": "string",
+            "description": "The e-mail address at which to e-mail a link to the exported logs",
+        },
     },
-    'callback_email': {
-      'type': 'string',
-      'description': 'The e-mail address at which to e-mail a link to the exported logs',
-    },
-  },
 }
 
 
-def _queue_logs_export(start_time, end_time, options, namespace_name, repository_name=None):
-  callback_url = options.get('callback_url')
-  if callback_url:
-    if not callback_url.startswith('https://') and not callback_url.startswith('http://'):
-      raise InvalidRequest('Invalid callback URL')
+def _queue_logs_export(
+    start_time, end_time, options, namespace_name, repository_name=None
+):
+    callback_url = options.get("callback_url")
+    if callback_url:
+        if not callback_url.startswith("https://") and not callback_url.startswith(
+            "http://"
+        ):
+            raise InvalidRequest("Invalid callback URL")
 
-  callback_email = options.get('callback_email')
-  if callback_email:
-    if callback_email.find('@') < 0:
-      raise InvalidRequest('Invalid callback e-mail')
+    callback_email = options.get("callback_email")
+    if callback_email:
+        if callback_email.find("@") < 0:
+            raise InvalidRequest("Invalid callback e-mail")
 
-  (start_time, end_time) = _validate_logs_arguments(start_time, end_time)
-  export_id = logs_model.queue_logs_export(start_time, end_time, export_action_logs_queue,
-                                           namespace_name, repository_name, callback_url,
-                                           callback_email)
-  if export_id is None:
-    raise InvalidRequest('Invalid export request')
+    (start_time, end_time) = _validate_logs_arguments(start_time, end_time)
+    export_id = logs_model.queue_logs_export(
+        start_time,
+        end_time,
+        export_action_logs_queue,
+        namespace_name,
+        repository_name,
+        callback_url,
+        callback_email,
+    )
+    if export_id is None:
+        raise InvalidRequest("Invalid export request")
 
-  return export_id
+    return export_id
 
 
-@resource('/v1/repository/<apirepopath:repository>/exportlogs')
+@resource("/v1/repository/<apirepopath:repository>/exportlogs")
 @show_if(features.LOG_EXPORT)
-@path_param('repository', 'The full path of the repository. e.g. namespace/name')
+@path_param("repository", "The full path of the repository. e.g. namespace/name")
 class ExportRepositoryLogs(RepositoryParamResource):
-  """ Resource for exporting the logs for the specific repository. """
-  schemas = {
-    'ExportLogs': EXPORT_LOGS_SCHEMA
-  }
+    """ Resource for exporting the logs for the specific repository. """
 
-  @require_repo_admin
-  @nickname('exportRepoLogs')
-  @parse_args()
-  @query_param('starttime', 'Earliest time for logs. Format: "%m/%d/%Y" in UTC.', type=str)
-  @query_param('endtime', 'Latest time for logs. Format: "%m/%d/%Y" in UTC.', type=str)
-  @validate_json_request('ExportLogs')
-  def post(self, namespace, repository, parsed_args):
-    """ Queues an export of the logs for the specified repository. """
-    if registry_model.lookup_repository(namespace, repository) is None:
-      raise NotFound()
+    schemas = {"ExportLogs": EXPORT_LOGS_SCHEMA}
 
-    start_time = parsed_args['starttime']
-    end_time = parsed_args['endtime']
-    export_id = _queue_logs_export(start_time, end_time, request.get_json(), namespace,
-                                   repository_name=repository)
-    return {
-      'export_id': export_id,
-    }
+    @require_repo_admin
+    @nickname("exportRepoLogs")
+    @parse_args()
+    @query_param(
+        "starttime", 'Earliest time for logs. Format: "%m/%d/%Y" in UTC.', type=str
+    )
+    @query_param(
+        "endtime", 'Latest time for logs. Format: "%m/%d/%Y" in UTC.', type=str
+    )
+    @validate_json_request("ExportLogs")
+    def post(self, namespace, repository, parsed_args):
+        """ Queues an export of the logs for the specified repository. """
+        if registry_model.lookup_repository(namespace, repository) is None:
+            raise NotFound()
+
+        start_time = parsed_args["starttime"]
+        end_time = parsed_args["endtime"]
+        export_id = _queue_logs_export(
+            start_time,
+            end_time,
+            request.get_json(),
+            namespace,
+            repository_name=repository,
+        )
+        return {"export_id": export_id}
 
 
-@resource('/v1/user/exportlogs')
+@resource("/v1/user/exportlogs")
 @show_if(features.LOG_EXPORT)
 class ExportUserLogs(ApiResource):
-  """ Resource for exporting the logs for the current user repository. """
-  schemas = {
-    'ExportLogs': EXPORT_LOGS_SCHEMA
-  }
+    """ Resource for exporting the logs for the current user repository. """
 
-  @require_user_admin
-  @nickname('exportUserLogs')
-  @parse_args()
-  @query_param('starttime', 'Earliest time for logs. Format: "%m/%d/%Y" in UTC.', type=str)
-  @query_param('endtime', 'Latest time for logs. Format: "%m/%d/%Y" in UTC.', type=str)
-  @validate_json_request('ExportLogs')
-  def post(self, parsed_args):
-    """ Returns the aggregated logs for the current user. """
-    start_time = parsed_args['starttime']
-    end_time = parsed_args['endtime']
+    schemas = {"ExportLogs": EXPORT_LOGS_SCHEMA}
 
-    user = get_authenticated_user()
-    export_id = _queue_logs_export(start_time, end_time, request.get_json(), user.username)
-    return {
-      'export_id': export_id,
-    }
+    @require_user_admin
+    @nickname("exportUserLogs")
+    @parse_args()
+    @query_param(
+        "starttime", 'Earliest time for logs. Format: "%m/%d/%Y" in UTC.', type=str
+    )
+    @query_param(
+        "endtime", 'Latest time for logs. Format: "%m/%d/%Y" in UTC.', type=str
+    )
+    @validate_json_request("ExportLogs")
+    def post(self, parsed_args):
+        """ Returns the aggregated logs for the current user. """
+        start_time = parsed_args["starttime"]
+        end_time = parsed_args["endtime"]
+
+        user = get_authenticated_user()
+        export_id = _queue_logs_export(
+            start_time, end_time, request.get_json(), user.username
+        )
+        return {"export_id": export_id}
 
 
-@resource('/v1/organization/<orgname>/exportlogs')
+@resource("/v1/organization/<orgname>/exportlogs")
 @show_if(features.LOG_EXPORT)
-@path_param('orgname', 'The name of the organization')
+@path_param("orgname", "The name of the organization")
 @related_user_resource(ExportUserLogs)
 class ExportOrgLogs(ApiResource):
-  """ Resource for exporting the logs for an entire organization. """
-  schemas = {
-    'ExportLogs': EXPORT_LOGS_SCHEMA
-  }
+    """ Resource for exporting the logs for an entire organization. """
 
-  @nickname('exportOrgLogs')
-  @parse_args()
-  @query_param('starttime', 'Earliest time for logs. Format: "%m/%d/%Y" in UTC.', type=str)
-  @query_param('endtime', 'Latest time for logs. Format: "%m/%d/%Y" in UTC.', type=str)
-  @require_scope(scopes.ORG_ADMIN)
-  @validate_json_request('ExportLogs')
-  def post(self, orgname, parsed_args):
-    """ Exports the logs for the specified organization. """
-    permission = AdministerOrganizationPermission(orgname)
-    if permission.can():
-      start_time = parsed_args['starttime']
-      end_time = parsed_args['endtime']
+    schemas = {"ExportLogs": EXPORT_LOGS_SCHEMA}
 
-      export_id = _queue_logs_export(start_time, end_time, request.get_json(), orgname)
-      return {
-        'export_id': export_id,
-      }
+    @nickname("exportOrgLogs")
+    @parse_args()
+    @query_param(
+        "starttime", 'Earliest time for logs. Format: "%m/%d/%Y" in UTC.', type=str
+    )
+    @query_param(
+        "endtime", 'Latest time for logs. Format: "%m/%d/%Y" in UTC.', type=str
+    )
+    @require_scope(scopes.ORG_ADMIN)
+    @validate_json_request("ExportLogs")
+    def post(self, orgname, parsed_args):
+        """ Exports the logs for the specified organization. """
+        permission = AdministerOrganizationPermission(orgname)
+        if permission.can():
+            start_time = parsed_args["starttime"]
+            end_time = parsed_args["endtime"]
 
-    raise Unauthorized()
+            export_id = _queue_logs_export(
+                start_time, end_time, request.get_json(), orgname
+            )
+            return {"export_id": export_id}
+
+        raise Unauthorized()
diff --git a/endpoints/api/manifest.py b/endpoints/api/manifest.py
index 1370fa743..c3e0aa79a 100644
--- a/endpoints/api/manifest.py
+++ b/endpoints/api/manifest.py
@@ -8,266 +8,291 @@ from app import label_validator, storage
 from data.model import InvalidLabelKeyException, InvalidMediaTypeException
 from data.registry_model import registry_model
 from digest import digest_tools
-from endpoints.api import (resource, nickname, require_repo_read, require_repo_write,
-                           RepositoryParamResource, log_action, validate_json_request,
-                           path_param, parse_args, query_param, abort, api,
-                           disallow_for_app_repositories, format_date,
-                           disallow_for_non_normal_repositories)
+from endpoints.api import (
+    resource,
+    nickname,
+    require_repo_read,
+    require_repo_write,
+    RepositoryParamResource,
+    log_action,
+    validate_json_request,
+    path_param,
+    parse_args,
+    query_param,
+    abort,
+    api,
+    disallow_for_app_repositories,
+    format_date,
+    disallow_for_non_normal_repositories,
+)
 from endpoints.api.image import image_dict
 from endpoints.exception import NotFound
 from util.validation import VALID_LABEL_KEY_REGEX
 
 
-BASE_MANIFEST_ROUTE = '/v1/repository/<apirepopath:repository>/manifest/<regex("{0}"):manifestref>'
+BASE_MANIFEST_ROUTE = (
+    '/v1/repository/<apirepopath:repository>/manifest/<regex("{0}"):manifestref>'
+)
 MANIFEST_DIGEST_ROUTE = BASE_MANIFEST_ROUTE.format(digest_tools.DIGEST_PATTERN)
-ALLOWED_LABEL_MEDIA_TYPES = ['text/plain', 'application/json']
+ALLOWED_LABEL_MEDIA_TYPES = ["text/plain", "application/json"]
 
 
 logger = logging.getLogger(__name__)
 
+
 def _label_dict(label):
-  return {
-    'id': label.uuid,
-    'key': label.key,
-    'value': label.value,
-    'source_type': label.source_type_name,
-    'media_type': label.media_type_name,
-  }
+    return {
+        "id": label.uuid,
+        "key": label.key,
+        "value": label.value,
+        "source_type": label.source_type_name,
+        "media_type": label.media_type_name,
+    }
 
 
 def _layer_dict(manifest_layer, index):
-  # NOTE: The `command` in the layer is either a JSON string of an array (schema 1) or
-  # a single string (schema 2). The block below normalizes it to have the same format.
-  command = None
-  if manifest_layer.command:
-    try:
-      command = json.loads(manifest_layer.command)
-    except (TypeError, ValueError):
-      command = [manifest_layer.command]
+    # NOTE: The `command` in the layer is either a JSON string of an array (schema 1) or
+    # a single string (schema 2). The block below normalizes it to have the same format.
+    command = None
+    if manifest_layer.command:
+        try:
+            command = json.loads(manifest_layer.command)
+        except (TypeError, ValueError):
+            command = [manifest_layer.command]
 
-  return {
-    'index': index,
-    'compressed_size': manifest_layer.compressed_size,
-    'is_remote': manifest_layer.is_remote,
-    'urls': manifest_layer.urls,
-    'command': command,
-    'comment': manifest_layer.comment,
-    'author': manifest_layer.author,
-    'blob_digest': str(manifest_layer.blob_digest),
-    'created_datetime': format_date(manifest_layer.created_datetime),
-  }
+    return {
+        "index": index,
+        "compressed_size": manifest_layer.compressed_size,
+        "is_remote": manifest_layer.is_remote,
+        "urls": manifest_layer.urls,
+        "command": command,
+        "comment": manifest_layer.comment,
+        "author": manifest_layer.author,
+        "blob_digest": str(manifest_layer.blob_digest),
+        "created_datetime": format_date(manifest_layer.created_datetime),
+    }
 
 
 def _manifest_dict(manifest):
-  image = None
-  if manifest.legacy_image_if_present is not None:
-    image = image_dict(manifest.legacy_image, with_history=True)
+    image = None
+    if manifest.legacy_image_if_present is not None:
+        image = image_dict(manifest.legacy_image, with_history=True)
 
-  layers = None
-  if not manifest.is_manifest_list:
-    layers = registry_model.list_manifest_layers(manifest, storage)
-    if layers is None:
-      logger.debug('Missing layers for manifest `%s`', manifest.digest)
-      abort(404)
+    layers = None
+    if not manifest.is_manifest_list:
+        layers = registry_model.list_manifest_layers(manifest, storage)
+        if layers is None:
+            logger.debug("Missing layers for manifest `%s`", manifest.digest)
+            abort(404)
 
-  return {
-    'digest': manifest.digest,
-    'is_manifest_list': manifest.is_manifest_list,
-    'manifest_data': manifest.internal_manifest_bytes.as_unicode(),
-    'image': image,
-    'layers': ([_layer_dict(lyr.layer_info, idx) for idx, lyr in enumerate(layers)]
-               if layers else None),
-  }
+    return {
+        "digest": manifest.digest,
+        "is_manifest_list": manifest.is_manifest_list,
+        "manifest_data": manifest.internal_manifest_bytes.as_unicode(),
+        "image": image,
+        "layers": (
+            [_layer_dict(lyr.layer_info, idx) for idx, lyr in enumerate(layers)]
+            if layers
+            else None
+        ),
+    }
 
 
 @resource(MANIFEST_DIGEST_ROUTE)
-@path_param('repository', 'The full path of the repository. e.g. namespace/name')
-@path_param('manifestref', 'The digest of the manifest')
+@path_param("repository", "The full path of the repository. e.g. namespace/name")
+@path_param("manifestref", "The digest of the manifest")
 class RepositoryManifest(RepositoryParamResource):
-  """ Resource for retrieving a specific repository manifest. """
-  @require_repo_read
-  @nickname('getRepoManifest')
-  @disallow_for_app_repositories
-  def get(self, namespace_name, repository_name, manifestref):
-    repo_ref = registry_model.lookup_repository(namespace_name, repository_name)
-    if repo_ref is None:
-      raise NotFound()
+    """ Resource for retrieving a specific repository manifest. """
 
-    manifest = registry_model.lookup_manifest_by_digest(repo_ref, manifestref,
-                                                        include_legacy_image=True)
-    if manifest is None:
-      raise NotFound()
+    @require_repo_read
+    @nickname("getRepoManifest")
+    @disallow_for_app_repositories
+    def get(self, namespace_name, repository_name, manifestref):
+        repo_ref = registry_model.lookup_repository(namespace_name, repository_name)
+        if repo_ref is None:
+            raise NotFound()
 
-    return _manifest_dict(manifest)
+        manifest = registry_model.lookup_manifest_by_digest(
+            repo_ref, manifestref, include_legacy_image=True
+        )
+        if manifest is None:
+            raise NotFound()
+
+        return _manifest_dict(manifest)
 
 
-@resource(MANIFEST_DIGEST_ROUTE + '/labels')
-@path_param('repository', 'The full path of the repository. e.g. namespace/name')
-@path_param('manifestref', 'The digest of the manifest')
+@resource(MANIFEST_DIGEST_ROUTE + "/labels")
+@path_param("repository", "The full path of the repository. e.g. namespace/name")
+@path_param("manifestref", "The digest of the manifest")
 class RepositoryManifestLabels(RepositoryParamResource):
-  """ Resource for listing the labels on a specific repository manifest. """
-  schemas = {
-    'AddLabel': {
-      'type': 'object',
-      'description': 'Adds a label to a manifest',
-      'required': [
-        'key',
-        'value',
-        'media_type',
-      ],
-      'properties': {
-        'key': {
-          'type': 'string',
-          'description': 'The key for the label',
-        },
-        'value': {
-          'type': 'string',
-          'description': 'The value for the label',
-        },
-        'media_type': {
-          'type': ['string', 'null'],
-          'description': 'The media type for this label',
-          'enum': ALLOWED_LABEL_MEDIA_TYPES + [None],
-        },
-      },
-    },
-  }
+    """ Resource for listing the labels on a specific repository manifest. """
 
-  @require_repo_read
-  @nickname('listManifestLabels')
-  @disallow_for_app_repositories
-  @parse_args()
-  @query_param('filter', 'If specified, only labels matching the given prefix will be returned',
-               type=str, default=None)
-  def get(self, namespace_name, repository_name, manifestref, parsed_args):
-    repo_ref = registry_model.lookup_repository(namespace_name, repository_name)
-    if repo_ref is None:
-      raise NotFound()
-
-    manifest = registry_model.lookup_manifest_by_digest(repo_ref, manifestref)
-    if manifest is None:
-      raise NotFound()
-
-    labels = registry_model.list_manifest_labels(manifest, parsed_args['filter'])
-    if labels is None:
-      raise NotFound()
-
-    return {
-      'labels': [_label_dict(label) for label in labels]
+    schemas = {
+        "AddLabel": {
+            "type": "object",
+            "description": "Adds a label to a manifest",
+            "required": ["key", "value", "media_type"],
+            "properties": {
+                "key": {"type": "string", "description": "The key for the label"},
+                "value": {"type": "string", "description": "The value for the label"},
+                "media_type": {
+                    "type": ["string", "null"],
+                    "description": "The media type for this label",
+                    "enum": ALLOWED_LABEL_MEDIA_TYPES + [None],
+                },
+            },
+        }
     }
 
-  @require_repo_write
-  @nickname('addManifestLabel')
-  @disallow_for_app_repositories
-  @disallow_for_non_normal_repositories
-  @validate_json_request('AddLabel')
-  def post(self, namespace_name, repository_name, manifestref):
-    """ Adds a new label into the tag manifest. """
-    label_data = request.get_json()
+    @require_repo_read
+    @nickname("listManifestLabels")
+    @disallow_for_app_repositories
+    @parse_args()
+    @query_param(
+        "filter",
+        "If specified, only labels matching the given prefix will be returned",
+        type=str,
+        default=None,
+    )
+    def get(self, namespace_name, repository_name, manifestref, parsed_args):
+        repo_ref = registry_model.lookup_repository(namespace_name, repository_name)
+        if repo_ref is None:
+            raise NotFound()
 
-    # Check for any reserved prefixes.
-    if label_validator.has_reserved_prefix(label_data['key']):
-      abort(400, message='Label has a reserved prefix')
+        manifest = registry_model.lookup_manifest_by_digest(repo_ref, manifestref)
+        if manifest is None:
+            raise NotFound()
 
-    repo_ref = registry_model.lookup_repository(namespace_name, repository_name)
-    if repo_ref is None:
-      raise NotFound()
+        labels = registry_model.list_manifest_labels(manifest, parsed_args["filter"])
+        if labels is None:
+            raise NotFound()
 
-    manifest = registry_model.lookup_manifest_by_digest(repo_ref, manifestref)
-    if manifest is None:
-      raise NotFound()
+        return {"labels": [_label_dict(label) for label in labels]}
 
-    label = None
-    try:
-      label = registry_model.create_manifest_label(manifest,
-                                                   label_data['key'],
-                                                   label_data['value'],
-                                                   'api',
-                                                   label_data['media_type'])
-    except InvalidLabelKeyException:
-      message = ('Label is of an invalid format or missing please ' +
-                 'use %s format for labels' % VALID_LABEL_KEY_REGEX)
-      abort(400, message=message)
-    except InvalidMediaTypeException:
-      message = 'Media type is invalid please use a valid media type: text/plain, application/json'
-      abort(400, message=message)
+    @require_repo_write
+    @nickname("addManifestLabel")
+    @disallow_for_app_repositories
+    @disallow_for_non_normal_repositories
+    @validate_json_request("AddLabel")
+    def post(self, namespace_name, repository_name, manifestref):
+        """ Adds a new label into the tag manifest. """
+        label_data = request.get_json()
 
-    if label is None:
-      raise NotFound()
+        # Check for any reserved prefixes.
+        if label_validator.has_reserved_prefix(label_data["key"]):
+            abort(400, message="Label has a reserved prefix")
 
-    metadata = {
-      'id': label.uuid,
-      'key': label.key,
-      'value': label.value,
-      'manifest_digest': manifestref,
-      'media_type': label.media_type_name,
-      'namespace': namespace_name,
-      'repo': repository_name,
-    }
+        repo_ref = registry_model.lookup_repository(namespace_name, repository_name)
+        if repo_ref is None:
+            raise NotFound()
 
-    log_action('manifest_label_add', namespace_name, metadata, repo_name=repository_name)
+        manifest = registry_model.lookup_manifest_by_digest(repo_ref, manifestref)
+        if manifest is None:
+            raise NotFound()
 
-    resp = {'label': _label_dict(label)}
-    repo_string = '%s/%s' % (namespace_name, repository_name)
-    headers = {
-      'Location': api.url_for(ManageRepositoryManifestLabel, repository=repo_string,
-                              manifestref=manifestref, labelid=label.uuid),
-    }
-    return resp, 201, headers
+        label = None
+        try:
+            label = registry_model.create_manifest_label(
+                manifest,
+                label_data["key"],
+                label_data["value"],
+                "api",
+                label_data["media_type"],
+            )
+        except InvalidLabelKeyException:
+            message = (
+                "Label is of an invalid format or missing please "
+                + "use %s format for labels" % VALID_LABEL_KEY_REGEX
+            )
+            abort(400, message=message)
+        except InvalidMediaTypeException:
+            message = "Media type is invalid please use a valid media type: text/plain, application/json"
+            abort(400, message=message)
+
+        if label is None:
+            raise NotFound()
+
+        metadata = {
+            "id": label.uuid,
+            "key": label.key,
+            "value": label.value,
+            "manifest_digest": manifestref,
+            "media_type": label.media_type_name,
+            "namespace": namespace_name,
+            "repo": repository_name,
+        }
+
+        log_action(
+            "manifest_label_add", namespace_name, metadata, repo_name=repository_name
+        )
+
+        resp = {"label": _label_dict(label)}
+        repo_string = "%s/%s" % (namespace_name, repository_name)
+        headers = {
+            "Location": api.url_for(
+                ManageRepositoryManifestLabel,
+                repository=repo_string,
+                manifestref=manifestref,
+                labelid=label.uuid,
+            )
+        }
+        return resp, 201, headers
 
 
-@resource(MANIFEST_DIGEST_ROUTE + '/labels/<labelid>')
-@path_param('repository', 'The full path of the repository. e.g. namespace/name')
-@path_param('manifestref', 'The digest of the manifest')
-@path_param('labelid', 'The ID of the label')
+@resource(MANIFEST_DIGEST_ROUTE + "/labels/<labelid>")
+@path_param("repository", "The full path of the repository. e.g. namespace/name")
+@path_param("manifestref", "The digest of the manifest")
+@path_param("labelid", "The ID of the label")
 class ManageRepositoryManifestLabel(RepositoryParamResource):
-  """ Resource for managing the labels on a specific repository manifest. """
-  @require_repo_read
-  @nickname('getManifestLabel')
-  @disallow_for_app_repositories
-  def get(self, namespace_name, repository_name, manifestref, labelid):
-    """ Retrieves the label with the specific ID under the manifest. """
-    repo_ref = registry_model.lookup_repository(namespace_name, repository_name)
-    if repo_ref is None:
-      raise NotFound()
+    """ Resource for managing the labels on a specific repository manifest. """
 
-    manifest = registry_model.lookup_manifest_by_digest(repo_ref, manifestref)
-    if manifest is None:
-      raise NotFound()
+    @require_repo_read
+    @nickname("getManifestLabel")
+    @disallow_for_app_repositories
+    def get(self, namespace_name, repository_name, manifestref, labelid):
+        """ Retrieves the label with the specific ID under the manifest. """
+        repo_ref = registry_model.lookup_repository(namespace_name, repository_name)
+        if repo_ref is None:
+            raise NotFound()
 
-    label = registry_model.get_manifest_label(manifest, labelid)
-    if label is None:
-      raise NotFound()
+        manifest = registry_model.lookup_manifest_by_digest(repo_ref, manifestref)
+        if manifest is None:
+            raise NotFound()
 
-    return _label_dict(label)
+        label = registry_model.get_manifest_label(manifest, labelid)
+        if label is None:
+            raise NotFound()
 
+        return _label_dict(label)
 
-  @require_repo_write
-  @nickname('deleteManifestLabel')
-  @disallow_for_app_repositories
-  @disallow_for_non_normal_repositories
-  def delete(self, namespace_name, repository_name, manifestref, labelid):
-    """ Deletes an existing label from a manifest. """
-    repo_ref = registry_model.lookup_repository(namespace_name, repository_name)
-    if repo_ref is None:
-      raise NotFound()
+    @require_repo_write
+    @nickname("deleteManifestLabel")
+    @disallow_for_app_repositories
+    @disallow_for_non_normal_repositories
+    def delete(self, namespace_name, repository_name, manifestref, labelid):
+        """ Deletes an existing label from a manifest. """
+        repo_ref = registry_model.lookup_repository(namespace_name, repository_name)
+        if repo_ref is None:
+            raise NotFound()
 
-    manifest = registry_model.lookup_manifest_by_digest(repo_ref, manifestref)
-    if manifest is None:
-      raise NotFound()
+        manifest = registry_model.lookup_manifest_by_digest(repo_ref, manifestref)
+        if manifest is None:
+            raise NotFound()
 
-    deleted = registry_model.delete_manifest_label(manifest, labelid)
-    if deleted is None:
-      raise NotFound()
+        deleted = registry_model.delete_manifest_label(manifest, labelid)
+        if deleted is None:
+            raise NotFound()
 
-    metadata = {
-      'id': labelid,
-      'key': deleted.key,
-      'value': deleted.value,
-      'manifest_digest': manifestref,
-      'namespace': namespace_name,
-      'repo': repository_name,
-    }
+        metadata = {
+            "id": labelid,
+            "key": deleted.key,
+            "value": deleted.value,
+            "manifest_digest": manifestref,
+            "namespace": namespace_name,
+            "repo": repository_name,
+        }
 
-    log_action('manifest_label_delete', namespace_name, metadata, repo_name=repository_name)
-    return '', 204
+        log_action(
+            "manifest_label_delete", namespace_name, metadata, repo_name=repository_name
+        )
+        return "", 204
diff --git a/endpoints/api/mirror.py b/endpoints/api/mirror.py
index cac7f9caa..cd782dced 100644
--- a/endpoints/api/mirror.py
+++ b/endpoints/api/mirror.py
@@ -11,387 +11,511 @@ import features
 
 from auth.auth_context import get_authenticated_user
 from data import model
-from endpoints.api import (RepositoryParamResource, nickname, path_param, require_repo_admin,
-                           resource, validate_json_request, define_json_response, show_if,
-                           format_date)
+from endpoints.api import (
+    RepositoryParamResource,
+    nickname,
+    path_param,
+    require_repo_admin,
+    resource,
+    validate_json_request,
+    define_json_response,
+    show_if,
+    format_date,
+)
 from endpoints.exception import NotFound
 from util.audit import track_and_log, wrap_repository
 from util.names import parse_robot_username
 
 
 common_properties = {
-  'is_enabled': {
-    'type': 'boolean',
-    'description': 'Used to enable or disable synchronizations.',
-  },
-  'external_reference': {
-    'type': 'string',
-    'description': 'Location of the external repository.'
-  },
-  'external_registry_username': {
-    'type': ['string', 'null'],
-    'description': 'Username used to authenticate with external registry.',
-  },
-  'external_registry_password': {
-    'type': ['string', 'null'],
-    'description': 'Password used to authenticate with external registry.',
-  },
-  'sync_start_date': {
-    'type': 'string',
-    'description': 'Determines the next time this repository is ready for synchronization.',
-  },
-  'sync_interval': {
-    'type': 'integer',
-    'minimum': 0,
-    'description': 'Number of seconds after next_start_date to begin synchronizing.'
-  },
-  'robot_username': {
-    'type': 'string',
-    'description': 'Username of robot which will be used for image pushes.'
-  },
-  'root_rule': {
-    'type': 'object',
-    'description': 'Tag mirror rule',
-    'required': [
-      'rule_type',
-      'rule_value'
-    ],
-    'properties': {
-      'rule_type': {
-        'type': 'string',
-        'description': 'Rule type must be "TAG_GLOB_CSV"'
-      },
-      'rule_value': {
-        'type': 'array',
-        'description': 'Array of tag patterns',
-        'items': {
-          'type': 'string'
-        }
-      }
+    "is_enabled": {
+        "type": "boolean",
+        "description": "Used to enable or disable synchronizations.",
+    },
+    "external_reference": {
+        "type": "string",
+        "description": "Location of the external repository.",
+    },
+    "external_registry_username": {
+        "type": ["string", "null"],
+        "description": "Username used to authenticate with external registry.",
+    },
+    "external_registry_password": {
+        "type": ["string", "null"],
+        "description": "Password used to authenticate with external registry.",
+    },
+    "sync_start_date": {
+        "type": "string",
+        "description": "Determines the next time this repository is ready for synchronization.",
+    },
+    "sync_interval": {
+        "type": "integer",
+        "minimum": 0,
+        "description": "Number of seconds after next_start_date to begin synchronizing.",
+    },
+    "robot_username": {
+        "type": "string",
+        "description": "Username of robot which will be used for image pushes.",
+    },
+    "root_rule": {
+        "type": "object",
+        "description": "Tag mirror rule",
+        "required": ["rule_type", "rule_value"],
+        "properties": {
+            "rule_type": {
+                "type": "string",
+                "description": 'Rule type must be "TAG_GLOB_CSV"',
+            },
+            "rule_value": {
+                "type": "array",
+                "description": "Array of tag patterns",
+                "items": {"type": "string"},
+            },
+        },
+        "description": "A list of glob-patterns used to determine which tags should be synchronized.",
+    },
+    "external_registry_config": {
+        "type": "object",
+        "properties": {
+            "verify_tls": {
+                "type": "boolean",
+                "description": (
+                    "Determines whether HTTPs is required and the certificate is verified when "
+                    "communicating with the external repository."
+                ),
+            },
+            "proxy": {
+                "type": "object",
+                "description": "Proxy configuration for use during synchronization.",
+                "properties": {
+                    "https_proxy": {
+                        "type": ["string", "null"],
+                        "description": "Value for HTTPS_PROXY environment variable during sync.",
+                    },
+                    "http_proxy": {
+                        "type": ["string", "null"],
+                        "description": "Value for HTTP_PROXY environment variable during sync.",
+                    },
+                    "no_proxy": {
+                        "type": ["string", "null"],
+                        "description": "Value for NO_PROXY environment variable during sync.",
+                    },
+                },
+            },
+        },
     },
-    'description': 'A list of glob-patterns used to determine which tags should be synchronized.'
-  },
-  'external_registry_config': {
-    'type': 'object',
-    'properties': {
-      'verify_tls': {
-        'type': 'boolean',
-        'description': (
-          'Determines whether HTTPs is required and the certificate is verified when '
-          'communicating with the external repository.'
-        ),
-      },
-      'proxy': {
-        'type': 'object',
-        'description': 'Proxy configuration for use during synchronization.',
-        'properties': {
-          'https_proxy': {
-            'type': ['string', 'null'],
-            'description': 'Value for HTTPS_PROXY environment variable during sync.'
-          },
-          'http_proxy': {
-            'type': ['string', 'null'],
-            'description': 'Value for HTTP_PROXY environment variable during sync.'
-          },
-          'no_proxy': {
-            'type': ['string', 'null'],
-            'description': 'Value for NO_PROXY environment variable during sync.'
-          }
-        }
-      }
-    }
-  }
 }
 
 
-@resource('/v1/repository/<apirepopath:repository>/mirror/sync-now')
-@path_param('repository', 'The full path of the repository. e.g. namespace/name')
+@resource("/v1/repository/<apirepopath:repository>/mirror/sync-now")
+@path_param("repository", "The full path of the repository. e.g. namespace/name")
 @show_if(features.REPO_MIRROR)
 class RepoMirrorSyncNowResource(RepositoryParamResource):
-  """ A resource for managing RepoMirrorConfig.sync_status """
+    """ A resource for managing RepoMirrorConfig.sync_status """
 
-  @require_repo_admin
-  @nickname('syncNow')
-  def post(self, namespace_name, repository_name):
-    """ Update the sync_status for a given Repository's mirroring configuration. """
-    repo = model.repository.get_repository(namespace_name, repository_name)
-    if not repo:
-      raise NotFound()
+    @require_repo_admin
+    @nickname("syncNow")
+    def post(self, namespace_name, repository_name):
+        """ Update the sync_status for a given Repository's mirroring configuration. """
+        repo = model.repository.get_repository(namespace_name, repository_name)
+        if not repo:
+            raise NotFound()
 
-    mirror = model.repo_mirror.get_mirror(repository=repo)
-    if not mirror:
-      raise NotFound()
+        mirror = model.repo_mirror.get_mirror(repository=repo)
+        if not mirror:
+            raise NotFound()
 
-    if mirror and model.repo_mirror.update_sync_status_to_sync_now(mirror):
-      track_and_log('repo_mirror_config_changed', wrap_repository(repo), changed="sync_status", to="SYNC_NOW")
-      return '', 204
+        if mirror and model.repo_mirror.update_sync_status_to_sync_now(mirror):
+            track_and_log(
+                "repo_mirror_config_changed",
+                wrap_repository(repo),
+                changed="sync_status",
+                to="SYNC_NOW",
+            )
+            return "", 204
 
-    raise NotFound()
+        raise NotFound()
 
 
-@resource('/v1/repository/<apirepopath:repository>/mirror/sync-cancel')
-@path_param('repository', 'The full path of the repository. e.g. namespace/name')
+@resource("/v1/repository/<apirepopath:repository>/mirror/sync-cancel")
+@path_param("repository", "The full path of the repository. e.g. namespace/name")
 @show_if(features.REPO_MIRROR)
 class RepoMirrorSyncCancelResource(RepositoryParamResource):
-  """ A resource for managing RepoMirrorConfig.sync_status """
+    """ A resource for managing RepoMirrorConfig.sync_status """
 
-  @require_repo_admin
-  @nickname('syncCancel')
-  def post(self, namespace_name, repository_name):
-    """ Update the sync_status for a given Repository's mirroring configuration. """
-    repo = model.repository.get_repository(namespace_name, repository_name)
-    if not repo:
-      raise NotFound()
+    @require_repo_admin
+    @nickname("syncCancel")
+    def post(self, namespace_name, repository_name):
+        """ Update the sync_status for a given Repository's mirroring configuration. """
+        repo = model.repository.get_repository(namespace_name, repository_name)
+        if not repo:
+            raise NotFound()
 
-    mirror = model.repo_mirror.get_mirror(repository=repo)
-    if not mirror:
-      raise NotFound()
+        mirror = model.repo_mirror.get_mirror(repository=repo)
+        if not mirror:
+            raise NotFound()
 
-    if mirror and model.repo_mirror.update_sync_status_to_cancel(mirror):
-      track_and_log('repo_mirror_config_changed', wrap_repository(repo), changed="sync_status", to="SYNC_CANCEL")
-      return '', 204
+        if mirror and model.repo_mirror.update_sync_status_to_cancel(mirror):
+            track_and_log(
+                "repo_mirror_config_changed",
+                wrap_repository(repo),
+                changed="sync_status",
+                to="SYNC_CANCEL",
+            )
+            return "", 204
 
-    raise NotFound()
+        raise NotFound()
 
 
-@resource('/v1/repository/<apirepopath:repository>/mirror')
-@path_param('repository', 'The full path of the repository. e.g. namespace/name')
+@resource("/v1/repository/<apirepopath:repository>/mirror")
+@path_param("repository", "The full path of the repository. e.g. namespace/name")
 @show_if(features.REPO_MIRROR)
 class RepoMirrorResource(RepositoryParamResource):
-  """
+    """
   Resource for managing repository mirroring.
   """
-  schemas = {
-    'CreateMirrorConfig': {
-      'description': 'Create the repository mirroring configuration.',
-      'type': 'object',
-      'required': [
-        'external_reference',
-        'sync_interval',
-        'sync_start_date',
-        'root_rule'
-      ],
-      'properties': common_properties
-    },
-    'UpdateMirrorConfig': {
-      'description': 'Update the repository mirroring configuration.',
-      'type': 'object',
-      'properties': common_properties
-    },
-    'ViewMirrorConfig': {
-      'description': 'View the repository mirroring configuration.',
-      'type': 'object',
-      'required': [
-        'is_enabled',
-        'mirror_type',
-        'external_reference',
-        'external_registry_username',
-        'external_registry_config',
-        'sync_interval',
-        'sync_start_date',
-        'sync_expiration_date',
-        'sync_retries_remaining',
-        'sync_status',
-        'root_rule',
-        'robot_username',
-      ],
-      'properties': common_properties
-    }
-  }
 
-  @require_repo_admin
-  @define_json_response('ViewMirrorConfig')
-  @nickname('getRepoMirrorConfig')
-  def get(self, namespace_name, repository_name):
-    """ Return the Mirror configuration for a given Repository. """
-    repo = model.repository.get_repository(namespace_name, repository_name)
-    if not repo:
-      raise NotFound()
-
-    mirror = model.repo_mirror.get_mirror(repo)
-    if not mirror:
-      raise NotFound()
-
-    # Transformations
-    rules = mirror.root_rule.rule_value
-    username = self._decrypt_username(mirror.external_registry_username)
-    sync_start_date = self._dt_to_string(mirror.sync_start_date)
-    sync_expiration_date = self._dt_to_string(mirror.sync_expiration_date)
-    robot = mirror.internal_robot.username if mirror.internal_robot is not None else None
-
-    return {
-      'is_enabled': mirror.is_enabled,
-      'mirror_type': mirror.mirror_type.name,
-      'external_reference': mirror.external_reference,
-      'external_registry_username': username,
-      'external_registry_config': mirror.external_registry_config or {},
-      'sync_interval': mirror.sync_interval,
-      'sync_start_date': sync_start_date,
-      'sync_expiration_date': sync_expiration_date,
-      'sync_retries_remaining': mirror.sync_retries_remaining,
-      'sync_status': mirror.sync_status.name,
-      'root_rule': {
-        'rule_type': 'TAG_GLOB_CSV',
-        'rule_value': rules
-      },
-      'robot_username': robot,
+    schemas = {
+        "CreateMirrorConfig": {
+            "description": "Create the repository mirroring configuration.",
+            "type": "object",
+            "required": [
+                "external_reference",
+                "sync_interval",
+                "sync_start_date",
+                "root_rule",
+            ],
+            "properties": common_properties,
+        },
+        "UpdateMirrorConfig": {
+            "description": "Update the repository mirroring configuration.",
+            "type": "object",
+            "properties": common_properties,
+        },
+        "ViewMirrorConfig": {
+            "description": "View the repository mirroring configuration.",
+            "type": "object",
+            "required": [
+                "is_enabled",
+                "mirror_type",
+                "external_reference",
+                "external_registry_username",
+                "external_registry_config",
+                "sync_interval",
+                "sync_start_date",
+                "sync_expiration_date",
+                "sync_retries_remaining",
+                "sync_status",
+                "root_rule",
+                "robot_username",
+            ],
+            "properties": common_properties,
+        },
     }
 
-  @require_repo_admin
-  @nickname('createRepoMirrorConfig')
-  @validate_json_request('CreateMirrorConfig')
-  def post(self, namespace_name, repository_name):
-    """ Create a RepoMirrorConfig for a given Repository. """
-    # TODO: Tidy up this function
-    # TODO: Specify only the data we want to pass on when creating the RepoMirrorConfig. Avoid
-    #       the possibility of data injection.
+    @require_repo_admin
+    @define_json_response("ViewMirrorConfig")
+    @nickname("getRepoMirrorConfig")
+    def get(self, namespace_name, repository_name):
+        """ Return the Mirror configuration for a given Repository. """
+        repo = model.repository.get_repository(namespace_name, repository_name)
+        if not repo:
+            raise NotFound()
 
-    repo = model.repository.get_repository(namespace_name, repository_name)
-    if not repo:
-      raise NotFound()
+        mirror = model.repo_mirror.get_mirror(repo)
+        if not mirror:
+            raise NotFound()
 
-    if model.repo_mirror.get_mirror(repo):
-      return {'detail': 'Mirror configuration already exits for repository %s/%s' % (
-        namespace_name, repository_name)}, 409
+        # Transformations
+        rules = mirror.root_rule.rule_value
+        username = self._decrypt_username(mirror.external_registry_username)
+        sync_start_date = self._dt_to_string(mirror.sync_start_date)
+        sync_expiration_date = self._dt_to_string(mirror.sync_expiration_date)
+        robot = (
+            mirror.internal_robot.username
+            if mirror.internal_robot is not None
+            else None
+        )
 
-    data = request.get_json()
+        return {
+            "is_enabled": mirror.is_enabled,
+            "mirror_type": mirror.mirror_type.name,
+            "external_reference": mirror.external_reference,
+            "external_registry_username": username,
+            "external_registry_config": mirror.external_registry_config or {},
+            "sync_interval": mirror.sync_interval,
+            "sync_start_date": sync_start_date,
+            "sync_expiration_date": sync_expiration_date,
+            "sync_retries_remaining": mirror.sync_retries_remaining,
+            "sync_status": mirror.sync_status.name,
+            "root_rule": {"rule_type": "TAG_GLOB_CSV", "rule_value": rules},
+            "robot_username": robot,
+        }
 
-    data['sync_start_date'] = self._string_to_dt(data['sync_start_date'])
+    @require_repo_admin
+    @nickname("createRepoMirrorConfig")
+    @validate_json_request("CreateMirrorConfig")
+    def post(self, namespace_name, repository_name):
+        """ Create a RepoMirrorConfig for a given Repository. """
+        # TODO: Tidy up this function
+        # TODO: Specify only the data we want to pass on when creating the RepoMirrorConfig. Avoid
+        #       the possibility of data injection.
 
-    rule = model.repo_mirror.create_rule(repo, data['root_rule']['rule_value'])
-    del data['root_rule']
+        repo = model.repository.get_repository(namespace_name, repository_name)
+        if not repo:
+            raise NotFound()
 
-    # Verify the robot is part of the Repository's namespace
-    robot = self._setup_robot_for_mirroring(namespace_name, repository_name, data['robot_username'])
-    del data['robot_username']
+        if model.repo_mirror.get_mirror(repo):
+            return (
+                {
+                    "detail": "Mirror configuration already exits for repository %s/%s"
+                    % (namespace_name, repository_name)
+                },
+                409,
+            )
 
-    mirror = model.repo_mirror.enable_mirroring_for_repository(repo, root_rule=rule,
-                                                               internal_robot=robot, **data)
-    if mirror:
-      track_and_log('repo_mirror_config_changed', wrap_repository(repo), changed='external_reference', to=data['external_reference'])
-      return '', 201
-    else:
-      # TODO: Determine appropriate Response
-      return {'detail': 'RepoMirrorConfig already exists for this repository.'}, 409
+        data = request.get_json()
 
-  @require_repo_admin
-  @validate_json_request('UpdateMirrorConfig')
-  @nickname('changeRepoMirrorConfig')
-  def put(self, namespace_name, repository_name):
-    """ Allow users to modifying the repository's mirroring configuration. """
-    values = request.get_json()
+        data["sync_start_date"] = self._string_to_dt(data["sync_start_date"])
 
-    repo = model.repository.get_repository(namespace_name, repository_name)
-    if not repo:
-      raise NotFound()
+        rule = model.repo_mirror.create_rule(repo, data["root_rule"]["rule_value"])
+        del data["root_rule"]
 
-    mirror = model.repo_mirror.get_mirror(repo)
-    if not mirror:
-      raise NotFound()
+        # Verify the robot is part of the Repository's namespace
+        robot = self._setup_robot_for_mirroring(
+            namespace_name, repository_name, data["robot_username"]
+        )
+        del data["robot_username"]
 
-    if 'is_enabled' in values:
-      if values['is_enabled'] == True:
-        if model.repo_mirror.enable_mirror(repo):
-          track_and_log('repo_mirror_config_changed', wrap_repository(repo), changed='is_enabled', to=True)
-      if values['is_enabled'] == False:
-        if model.repo_mirror.disable_mirror(repo):
-          track_and_log('repo_mirror_config_changed', wrap_repository(repo), changed='is_enabled', to=False)
-
-    if 'external_reference' in values:
-      if values['external_reference'] == '':
-        return {'detail': 'Empty string is an invalid repository location.'}, 400
-      if model.repo_mirror.change_remote(repo, values['external_reference']):
-        track_and_log('repo_mirror_config_changed', wrap_repository(repo), changed='external_reference', to=values['external_reference'])
-
-    if 'robot_username' in values:
-      robot_username = values['robot_username']
-      robot = self._setup_robot_for_mirroring(namespace_name, repository_name, robot_username)
-      if model.repo_mirror.set_mirroring_robot(repo, robot):
-        track_and_log('repo_mirror_config_changed', wrap_repository(repo), changed='robot_username', to=robot_username)
-
-    if 'sync_start_date' in values:
-      try:
-        sync_start_date = self._string_to_dt(values['sync_start_date'])
-      except ValueError as e:
-        return {'detail': 'Incorrect DateTime format for sync_start_date.'}, 400
-      if model.repo_mirror.change_sync_start_date(repo, sync_start_date):
-        track_and_log('repo_mirror_config_changed', wrap_repository(repo), changed='sync_start_date', to=sync_start_date)
-
-    if 'sync_interval' in values:
-      if model.repo_mirror.change_sync_interval(repo, values['sync_interval']):
-        track_and_log('repo_mirror_config_changed', wrap_repository(repo), changed='sync_interval', to=values['sync_interval'])
-
-    if 'external_registry_username' in values and 'external_registry_password' in values:
-      username = values['external_registry_username']
-      password = values['external_registry_password']
-      if username is None and password is not None:
-        return {'detail': 'Unable to delete username while setting a password.'}, 400
-      if model.repo_mirror.change_credentials(repo, username, password):
-        track_and_log('repo_mirror_config_changed', wrap_repository(repo), changed='external_registry_username', to=username)
-        if password is None:
-          track_and_log('repo_mirror_config_changed', wrap_repository(repo), changed='external_registry_password', to=None)
+        mirror = model.repo_mirror.enable_mirroring_for_repository(
+            repo, root_rule=rule, internal_robot=robot, **data
+        )
+        if mirror:
+            track_and_log(
+                "repo_mirror_config_changed",
+                wrap_repository(repo),
+                changed="external_reference",
+                to=data["external_reference"],
+            )
+            return "", 201
         else:
-          track_and_log('repo_mirror_config_changed', wrap_repository(repo), changed='external_registry_password', to="********")
+            # TODO: Determine appropriate Response
+            return (
+                {"detail": "RepoMirrorConfig already exists for this repository."},
+                409,
+            )
 
-    elif 'external_registry_username' in values:
-      username = values['external_registry_username']
-      if model.repo_mirror.change_username(repo, username):
-        track_and_log('repo_mirror_config_changed', wrap_repository(repo), changed='external_registry_username', to=username)
+    @require_repo_admin
+    @validate_json_request("UpdateMirrorConfig")
+    @nickname("changeRepoMirrorConfig")
+    def put(self, namespace_name, repository_name):
+        """ Allow users to modifying the repository's mirroring configuration. """
+        values = request.get_json()
 
-    # Do not allow specifying a password without setting a username
-    if 'external_registry_password' in values and 'external_registry_username' not in values:
-      return {'detail': 'Unable to set a new password without also specifying a username.'}, 400
+        repo = model.repository.get_repository(namespace_name, repository_name)
+        if not repo:
+            raise NotFound()
 
-    if 'external_registry_config' in values:
-      external_registry_config = values.get('external_registry_config', {})
+        mirror = model.repo_mirror.get_mirror(repo)
+        if not mirror:
+            raise NotFound()
 
-      if 'verify_tls' in external_registry_config:
-        updates = {'verify_tls': external_registry_config['verify_tls']}
-        if model.repo_mirror.change_external_registry_config(repo, updates):
-          track_and_log('repo_mirror_config_changed', wrap_repository(repo), changed='verify_tls', to=external_registry_config['verify_tls'])
+        if "is_enabled" in values:
+            if values["is_enabled"] == True:
+                if model.repo_mirror.enable_mirror(repo):
+                    track_and_log(
+                        "repo_mirror_config_changed",
+                        wrap_repository(repo),
+                        changed="is_enabled",
+                        to=True,
+                    )
+            if values["is_enabled"] == False:
+                if model.repo_mirror.disable_mirror(repo):
+                    track_and_log(
+                        "repo_mirror_config_changed",
+                        wrap_repository(repo),
+                        changed="is_enabled",
+                        to=False,
+                    )
 
-      if 'proxy' in external_registry_config:
-          proxy_values = external_registry_config.get('proxy', {})
+        if "external_reference" in values:
+            if values["external_reference"] == "":
+                return (
+                    {"detail": "Empty string is an invalid repository location."},
+                    400,
+                )
+            if model.repo_mirror.change_remote(repo, values["external_reference"]):
+                track_and_log(
+                    "repo_mirror_config_changed",
+                    wrap_repository(repo),
+                    changed="external_reference",
+                    to=values["external_reference"],
+                )
 
-          if 'http_proxy' in proxy_values:
-            updates = {'proxy': {'http_proxy': proxy_values['http_proxy']}}
-            if model.repo_mirror.change_external_registry_config(repo, updates):
-              track_and_log('repo_mirror_config_changed', wrap_repository(repo), changed='http_proxy', to=proxy_values['http_proxy'])
+        if "robot_username" in values:
+            robot_username = values["robot_username"]
+            robot = self._setup_robot_for_mirroring(
+                namespace_name, repository_name, robot_username
+            )
+            if model.repo_mirror.set_mirroring_robot(repo, robot):
+                track_and_log(
+                    "repo_mirror_config_changed",
+                    wrap_repository(repo),
+                    changed="robot_username",
+                    to=robot_username,
+                )
 
-          if 'https_proxy' in proxy_values:
-            updates = {'proxy': {'https_proxy': proxy_values['https_proxy']}}
-            if model.repo_mirror.change_external_registry_config(repo, updates):
-              track_and_log('repo_mirror_config_changed', wrap_repository(repo), changed='https_proxy', to=proxy_values['https_proxy'])
+        if "sync_start_date" in values:
+            try:
+                sync_start_date = self._string_to_dt(values["sync_start_date"])
+            except ValueError as e:
+                return {"detail": "Incorrect DateTime format for sync_start_date."}, 400
+            if model.repo_mirror.change_sync_start_date(repo, sync_start_date):
+                track_and_log(
+                    "repo_mirror_config_changed",
+                    wrap_repository(repo),
+                    changed="sync_start_date",
+                    to=sync_start_date,
+                )
 
-          if 'no_proxy' in proxy_values:
-            updates = {'proxy': {'no_proxy': proxy_values['no_proxy']}}
-            if model.repo_mirror.change_external_registry_config(repo, updates):
-              track_and_log('repo_mirror_config_changed', wrap_repository(repo), changed='no_proxy', to=proxy_values['no_proxy'])
+        if "sync_interval" in values:
+            if model.repo_mirror.change_sync_interval(repo, values["sync_interval"]):
+                track_and_log(
+                    "repo_mirror_config_changed",
+                    wrap_repository(repo),
+                    changed="sync_interval",
+                    to=values["sync_interval"],
+                )
 
-    return '', 201
+        if (
+            "external_registry_username" in values
+            and "external_registry_password" in values
+        ):
+            username = values["external_registry_username"]
+            password = values["external_registry_password"]
+            if username is None and password is not None:
+                return (
+                    {"detail": "Unable to delete username while setting a password."},
+                    400,
+                )
+            if model.repo_mirror.change_credentials(repo, username, password):
+                track_and_log(
+                    "repo_mirror_config_changed",
+                    wrap_repository(repo),
+                    changed="external_registry_username",
+                    to=username,
+                )
+                if password is None:
+                    track_and_log(
+                        "repo_mirror_config_changed",
+                        wrap_repository(repo),
+                        changed="external_registry_password",
+                        to=None,
+                    )
+                else:
+                    track_and_log(
+                        "repo_mirror_config_changed",
+                        wrap_repository(repo),
+                        changed="external_registry_password",
+                        to="********",
+                    )
 
-  def _setup_robot_for_mirroring(self, namespace_name, repo_name, robot_username):
-    """ Validate robot exists and give write permissions. """
-    robot = model.user.lookup_robot(robot_username)
-    assert robot.robot
+        elif "external_registry_username" in values:
+            username = values["external_registry_username"]
+            if model.repo_mirror.change_username(repo, username):
+                track_and_log(
+                    "repo_mirror_config_changed",
+                    wrap_repository(repo),
+                    changed="external_registry_username",
+                    to=username,
+                )
 
-    namespace, _ = parse_robot_username(robot_username)
-    if namespace != namespace_name:
-      raise model.DataModelException('Invalid robot')
+        # Do not allow specifying a password without setting a username
+        if (
+            "external_registry_password" in values
+            and "external_registry_username" not in values
+        ):
+            return (
+                {
+                    "detail": "Unable to set a new password without also specifying a username."
+                },
+                400,
+            )
 
-    # Ensure the robot specified has access to the repository. If not, grant it.
-    permissions = model.permission.get_user_repository_permissions(robot, namespace_name, repo_name)
-    if not permissions or permissions[0].role.name == 'read':
-      model.permission.set_user_repo_permission(robot.username, namespace_name, repo_name, 'write')
+        if "external_registry_config" in values:
+            external_registry_config = values.get("external_registry_config", {})
 
-    return robot
+            if "verify_tls" in external_registry_config:
+                updates = {"verify_tls": external_registry_config["verify_tls"]}
+                if model.repo_mirror.change_external_registry_config(repo, updates):
+                    track_and_log(
+                        "repo_mirror_config_changed",
+                        wrap_repository(repo),
+                        changed="verify_tls",
+                        to=external_registry_config["verify_tls"],
+                    )
 
-  def _string_to_dt(self, string):
-    """ Convert String to correct DateTime format. """
-    if string is None:
-      return None
+            if "proxy" in external_registry_config:
+                proxy_values = external_registry_config.get("proxy", {})
 
-    """
+                if "http_proxy" in proxy_values:
+                    updates = {"proxy": {"http_proxy": proxy_values["http_proxy"]}}
+                    if model.repo_mirror.change_external_registry_config(repo, updates):
+                        track_and_log(
+                            "repo_mirror_config_changed",
+                            wrap_repository(repo),
+                            changed="http_proxy",
+                            to=proxy_values["http_proxy"],
+                        )
+
+                if "https_proxy" in proxy_values:
+                    updates = {"proxy": {"https_proxy": proxy_values["https_proxy"]}}
+                    if model.repo_mirror.change_external_registry_config(repo, updates):
+                        track_and_log(
+                            "repo_mirror_config_changed",
+                            wrap_repository(repo),
+                            changed="https_proxy",
+                            to=proxy_values["https_proxy"],
+                        )
+
+                if "no_proxy" in proxy_values:
+                    updates = {"proxy": {"no_proxy": proxy_values["no_proxy"]}}
+                    if model.repo_mirror.change_external_registry_config(repo, updates):
+                        track_and_log(
+                            "repo_mirror_config_changed",
+                            wrap_repository(repo),
+                            changed="no_proxy",
+                            to=proxy_values["no_proxy"],
+                        )
+
+        return "", 201
+
+    def _setup_robot_for_mirroring(self, namespace_name, repo_name, robot_username):
+        """ Validate robot exists and give write permissions. """
+        robot = model.user.lookup_robot(robot_username)
+        assert robot.robot
+
+        namespace, _ = parse_robot_username(robot_username)
+        if namespace != namespace_name:
+            raise model.DataModelException("Invalid robot")
+
+        # Ensure the robot specified has access to the repository. If not, grant it.
+        permissions = model.permission.get_user_repository_permissions(
+            robot, namespace_name, repo_name
+        )
+        if not permissions or permissions[0].role.name == "read":
+            model.permission.set_user_repo_permission(
+                robot.username, namespace_name, repo_name, "write"
+            )
+
+        return robot
+
+    def _string_to_dt(self, string):
+        """ Convert String to correct DateTime format. """
+        if string is None:
+            return None
+
+        """
     # TODO: Use RFC2822. This doesn't work consistently.
     # TODO: Move this to same module as `format_date` once fixed.
     tup = parsedate_tz(string)
@@ -401,67 +525,71 @@ class RepoMirrorResource(RepositoryParamResource):
     dt = datetime.fromtimestamp(ts, pytz.UTC)
     return dt
     """
-    assert isinstance(string, (str, unicode))
-    dt = datetime.strptime(string, "%Y-%m-%dT%H:%M:%SZ")
-    return dt
+        assert isinstance(string, (str, unicode))
+        dt = datetime.strptime(string, "%Y-%m-%dT%H:%M:%SZ")
+        return dt
 
-  def _dt_to_string(self, dt):
-    """ Convert DateTime to correctly formatted String."""
-    if dt is None:
-      return None
+    def _dt_to_string(self, dt):
+        """ Convert DateTime to correctly formatted String."""
+        if dt is None:
+            return None
 
-    """
+        """
     # TODO: Use RFC2822. Need to make it work bi-directionally.
     return format_date(dt)
     """
 
-    assert isinstance(dt, datetime)
-    string = dt.isoformat() + 'Z'
-    return string
+        assert isinstance(dt, datetime)
+        string = dt.isoformat() + "Z"
+        return string
 
-  def _decrypt_username(self, username):
-    if username is None:
-      return None
-    return username.decrypt()
+    def _decrypt_username(self, username):
+        if username is None:
+            return None
+        return username.decrypt()
 
 
-@resource('/v1/repository/<apirepopath:repository>/mirror/rules')
+@resource("/v1/repository/<apirepopath:repository>/mirror/rules")
 @show_if(features.REPO_MIRROR)
 class ManageRepoMirrorRule(RepositoryParamResource):
-  """
+    """
   Operations to manage a single Repository Mirroring Rule.
   TODO: At the moment, we are only dealing with a single rule associated with the mirror.
         This should change to update the rule and address it using its UUID.
   """
-  schemas = {
-    'MirrorRule': {
-      'type': 'object',
-      'description': 'A rule used to define how a repository is mirrored.',
-      'required': ['root_rule'],
-      'properties': {
-        'root_rule': common_properties['root_rule']
-      }
-    }
-  }
 
-  @require_repo_admin
-  @nickname('changeRepoMirrorRule')
-  @validate_json_request('MirrorRule')
-  def put(self, namespace_name, repository_name):
-    """
+    schemas = {
+        "MirrorRule": {
+            "type": "object",
+            "description": "A rule used to define how a repository is mirrored.",
+            "required": ["root_rule"],
+            "properties": {"root_rule": common_properties["root_rule"]},
+        }
+    }
+
+    @require_repo_admin
+    @nickname("changeRepoMirrorRule")
+    @validate_json_request("MirrorRule")
+    def put(self, namespace_name, repository_name):
+        """
     Update an existing RepoMirrorRule
     """
-    repo = model.repository.get_repository(namespace_name, repository_name)
-    if not repo:
-      raise NotFound()
+        repo = model.repository.get_repository(namespace_name, repository_name)
+        if not repo:
+            raise NotFound()
 
-    rule = model.repo_mirror.get_root_rule(repo)
-    if not rule:
-      return {'detail': 'The rule appears to be missing.'}, 400
+        rule = model.repo_mirror.get_root_rule(repo)
+        if not rule:
+            return {"detail": "The rule appears to be missing."}, 400
 
-    data = request.get_json()
-    if model.repo_mirror.change_rule_value(rule, data['root_rule']['rule_value']):
-      track_and_log('repo_mirror_config_changed', wrap_repository(repo), changed="mirror_rule", to=data['root_rule']['rule_value'])
-      return 200
-    else:
-      return {'detail': 'Unable to update rule.'}, 400
+        data = request.get_json()
+        if model.repo_mirror.change_rule_value(rule, data["root_rule"]["rule_value"]):
+            track_and_log(
+                "repo_mirror_config_changed",
+                wrap_repository(repo),
+                changed="mirror_rule",
+                to=data["root_rule"]["rule_value"],
+            )
+            return 200
+        else:
+            return {"detail": "Unable to update rule."}, 400
diff --git a/endpoints/api/organization.py b/endpoints/api/organization.py
index e53bba6b9..4df3b87db 100644
--- a/endpoints/api/organization.py
+++ b/endpoints/api/organization.py
@@ -8,15 +8,38 @@ from flask import request
 import features
 
 from active_migration import ActiveDataMigration, ERTMigrationFlags
-from app import (billing as stripe, avatar, all_queues, authentication, namespace_gc_queue,
-                 ip_resolver, app)
-from endpoints.api import (resource, nickname, ApiResource, validate_json_request, request_error,
-                           related_user_resource, internal_only, require_user_admin, log_action,
-                           show_if, path_param, require_scope, require_fresh_login)
+from app import (
+    billing as stripe,
+    avatar,
+    all_queues,
+    authentication,
+    namespace_gc_queue,
+    ip_resolver,
+    app,
+)
+from endpoints.api import (
+    resource,
+    nickname,
+    ApiResource,
+    validate_json_request,
+    request_error,
+    related_user_resource,
+    internal_only,
+    require_user_admin,
+    log_action,
+    show_if,
+    path_param,
+    require_scope,
+    require_fresh_login,
+)
 from endpoints.exception import Unauthorized, NotFound
 from endpoints.api.user import User, PrivateRepositories
-from auth.permissions import (AdministerOrganizationPermission, OrganizationMemberPermission,
-                              CreateRepositoryPermission, ViewTeamPermission)
+from auth.permissions import (
+    AdministerOrganizationPermission,
+    OrganizationMemberPermission,
+    CreateRepositoryPermission,
+    ViewTeamPermission,
+)
 from auth.auth_context import get_authenticated_user
 from auth import scopes
 from data import model
@@ -29,712 +52,742 @@ logger = logging.getLogger(__name__)
 
 
 def team_view(orgname, team):
-  return {
-    'name': team.name,
-    'description': team.description,
-    'role': team.role_name,
-    'avatar': avatar.get_data_for_team(team),
-    'can_view': ViewTeamPermission(orgname, team.name).can(),
-
-    'repo_count': team.repo_count,
-    'member_count': team.member_count,
-
-    'is_synced': team.is_synced,
-  }
+    return {
+        "name": team.name,
+        "description": team.description,
+        "role": team.role_name,
+        "avatar": avatar.get_data_for_team(team),
+        "can_view": ViewTeamPermission(orgname, team.name).can(),
+        "repo_count": team.repo_count,
+        "member_count": team.member_count,
+        "is_synced": team.is_synced,
+    }
 
 
 def org_view(o, teams):
-  is_admin = AdministerOrganizationPermission(o.username).can()
-  is_member = OrganizationMemberPermission(o.username).can()
+    is_admin = AdministerOrganizationPermission(o.username).can()
+    is_member = OrganizationMemberPermission(o.username).can()
 
-  view = {
-    'name': o.username,
-    'email': o.email if is_admin else '',
-    'avatar': avatar.get_data_for_user(o),
-    'is_admin': is_admin,
-    'is_member': is_member
-  }
+    view = {
+        "name": o.username,
+        "email": o.email if is_admin else "",
+        "avatar": avatar.get_data_for_user(o),
+        "is_admin": is_admin,
+        "is_member": is_member,
+    }
 
-  if teams is not None:
-    teams = sorted(teams, key=lambda team: team.id)
-    view['teams'] = {t.name : team_view(o.username, t) for t in teams}
-    view['ordered_teams'] = [team.name for team in teams]
+    if teams is not None:
+        teams = sorted(teams, key=lambda team: team.id)
+        view["teams"] = {t.name: team_view(o.username, t) for t in teams}
+        view["ordered_teams"] = [team.name for team in teams]
 
-  if is_admin:
-    view['invoice_email'] = o.invoice_email
-    view['invoice_email_address'] = o.invoice_email_address
-    view['tag_expiration_s'] = o.removed_tag_expiration_s
-    view['is_free_account'] = o.stripe_id is None
+    if is_admin:
+        view["invoice_email"] = o.invoice_email
+        view["invoice_email_address"] = o.invoice_email_address
+        view["tag_expiration_s"] = o.removed_tag_expiration_s
+        view["is_free_account"] = o.stripe_id is None
 
-  return view
+    return view
 
 
-@resource('/v1/organization/')
+@resource("/v1/organization/")
 class OrganizationList(ApiResource):
-  """ Resource for creating organizations. """
-  schemas = {
-    'NewOrg': {
-      'type': 'object',
-      'description': 'Description of a new organization.',
-      'required': [
-        'name',
-      ],
-      'properties': {
-        'name': {
-          'type': 'string',
-          'description': 'Organization username',
-        },
-        'email': {
-          'type': 'string',
-          'description': 'Organization contact email',
-        },
-        'recaptcha_response': {
-          'type': 'string',
-          'description': 'The (may be disabled) recaptcha response code for verification',
-        },
-      },
-    },
-  }
+    """ Resource for creating organizations. """
 
-  @require_user_admin
-  @nickname('createOrganization')
-  @validate_json_request('NewOrg')
-  def post(self):
-    """ Create a new organization. """
-    user = get_authenticated_user()
-    org_data = request.get_json()
-    existing = None
+    schemas = {
+        "NewOrg": {
+            "type": "object",
+            "description": "Description of a new organization.",
+            "required": ["name"],
+            "properties": {
+                "name": {"type": "string", "description": "Organization username"},
+                "email": {
+                    "type": "string",
+                    "description": "Organization contact email",
+                },
+                "recaptcha_response": {
+                    "type": "string",
+                    "description": "The (may be disabled) recaptcha response code for verification",
+                },
+            },
+        }
+    }
 
-    try:
-      existing = model.organization.get_organization(org_data['name'])
-    except model.InvalidOrganizationException:
-      pass
+    @require_user_admin
+    @nickname("createOrganization")
+    @validate_json_request("NewOrg")
+    def post(self):
+        """ Create a new organization. """
+        user = get_authenticated_user()
+        org_data = request.get_json()
+        existing = None
 
-    if not existing:
-      existing = model.user.get_user(org_data['name'])
+        try:
+            existing = model.organization.get_organization(org_data["name"])
+        except model.InvalidOrganizationException:
+            pass
 
-    if existing:
-      msg = 'A user or organization with this name already exists'
-      raise request_error(message=msg)
+        if not existing:
+            existing = model.user.get_user(org_data["name"])
 
-    if features.MAILING and not org_data.get('email'):
-      raise request_error(message='Email address is required')
+        if existing:
+            msg = "A user or organization with this name already exists"
+            raise request_error(message=msg)
 
-    # If recaptcha is enabled, then verify the user is a human.
-    if features.RECAPTCHA:
-      recaptcha_response = org_data.get('recaptcha_response', '')
-      result = recaptcha2.verify(app.config['RECAPTCHA_SECRET_KEY'],
-                                 recaptcha_response,
-                                 get_request_ip())
+        if features.MAILING and not org_data.get("email"):
+            raise request_error(message="Email address is required")
 
-      if not result['success']:
-        return {
-          'message': 'Are you a bot? If not, please revalidate the captcha.'
-        }, 400
+        # If recaptcha is enabled, then verify the user is a human.
+        if features.RECAPTCHA:
+            recaptcha_response = org_data.get("recaptcha_response", "")
+            result = recaptcha2.verify(
+                app.config["RECAPTCHA_SECRET_KEY"], recaptcha_response, get_request_ip()
+            )
 
-    is_possible_abuser = ip_resolver.is_ip_possible_threat(get_request_ip())
-    try:
-      model.organization.create_organization(org_data['name'], org_data.get('email'), user,
-                                             email_required=features.MAILING,
-                                             is_possible_abuser=is_possible_abuser)
-      return 'Created', 201
-    except model.DataModelException as ex:
-      raise request_error(exception=ex)
+            if not result["success"]:
+                return (
+                    {
+                        "message": "Are you a bot? If not, please revalidate the captcha."
+                    },
+                    400,
+                )
+
+        is_possible_abuser = ip_resolver.is_ip_possible_threat(get_request_ip())
+        try:
+            model.organization.create_organization(
+                org_data["name"],
+                org_data.get("email"),
+                user,
+                email_required=features.MAILING,
+                is_possible_abuser=is_possible_abuser,
+            )
+            return "Created", 201
+        except model.DataModelException as ex:
+            raise request_error(exception=ex)
 
 
-@resource('/v1/organization/<orgname>')
-@path_param('orgname', 'The name of the organization')
+@resource("/v1/organization/<orgname>")
+@path_param("orgname", "The name of the organization")
 @related_user_resource(User)
 class Organization(ApiResource):
-  """ Resource for managing organizations. """
-  schemas = {
-    'UpdateOrg': {
-      'type': 'object',
-      'description': 'Description of updates for an existing organization',
-      'properties': {
-        'email': {
-          'type': 'string',
-          'description': 'Organization contact email',
-        },
-        'invoice_email': {
-          'type': 'boolean',
-          'description': 'Whether the organization desires to receive emails for invoices',
-        },
-        'invoice_email_address': {
-          'type': ['string', 'null'],
-          'description': 'The email address at which to receive invoices',
-        },
-        'tag_expiration_s': {
-          'type': 'integer',
-          'minimum': 0,
-          'description': 'The number of seconds for tag expiration',
-        },
-      },
-    },
-  }
+    """ Resource for managing organizations. """
 
-  @nickname('getOrganization')
-  def get(self, orgname):
-    """ Get the details for the specified organization """
-    try:
-      org = model.organization.get_organization(orgname)
-    except model.InvalidOrganizationException:
-      raise NotFound()
+    schemas = {
+        "UpdateOrg": {
+            "type": "object",
+            "description": "Description of updates for an existing organization",
+            "properties": {
+                "email": {
+                    "type": "string",
+                    "description": "Organization contact email",
+                },
+                "invoice_email": {
+                    "type": "boolean",
+                    "description": "Whether the organization desires to receive emails for invoices",
+                },
+                "invoice_email_address": {
+                    "type": ["string", "null"],
+                    "description": "The email address at which to receive invoices",
+                },
+                "tag_expiration_s": {
+                    "type": "integer",
+                    "minimum": 0,
+                    "description": "The number of seconds for tag expiration",
+                },
+            },
+        }
+    }
 
-    teams = None
-    if OrganizationMemberPermission(orgname).can():
-      has_syncing = features.TEAM_SYNCING and bool(authentication.federated_service)
-      teams = model.team.get_teams_within_org(org, has_syncing)
+    @nickname("getOrganization")
+    def get(self, orgname):
+        """ Get the details for the specified organization """
+        try:
+            org = model.organization.get_organization(orgname)
+        except model.InvalidOrganizationException:
+            raise NotFound()
 
-    return org_view(org, teams)
+        teams = None
+        if OrganizationMemberPermission(orgname).can():
+            has_syncing = features.TEAM_SYNCING and bool(
+                authentication.federated_service
+            )
+            teams = model.team.get_teams_within_org(org, has_syncing)
+
+        return org_view(org, teams)
+
+    @require_scope(scopes.ORG_ADMIN)
+    @nickname("changeOrganizationDetails")
+    @validate_json_request("UpdateOrg")
+    def put(self, orgname):
+        """ Change the details for the specified organization. """
+        permission = AdministerOrganizationPermission(orgname)
+        if permission.can():
+            try:
+                org = model.organization.get_organization(orgname)
+            except model.InvalidOrganizationException:
+                raise NotFound()
+
+            org_data = request.get_json()
+            if "invoice_email" in org_data:
+                logger.debug(
+                    "Changing invoice_email for organization: %s", org.username
+                )
+                model.user.change_send_invoice_email(org, org_data["invoice_email"])
+
+            if (
+                "invoice_email_address" in org_data
+                and org_data["invoice_email_address"] != org.invoice_email_address
+            ):
+                new_email = org_data["invoice_email_address"]
+                logger.debug(
+                    "Changing invoice email address for organization: %s", org.username
+                )
+                model.user.change_invoice_email_address(org, new_email)
+
+            if "email" in org_data and org_data["email"] != org.email:
+                new_email = org_data["email"]
+                if model.user.find_user_by_email(new_email):
+                    raise request_error(message="E-mail address already used")
+
+                logger.debug(
+                    "Changing email address for organization: %s", org.username
+                )
+                model.user.update_email(org, new_email)
+
+            if features.CHANGE_TAG_EXPIRATION and "tag_expiration_s" in org_data:
+                logger.debug(
+                    "Changing organization tag expiration to: %ss",
+                    org_data["tag_expiration_s"],
+                )
+                model.user.change_user_tag_expiration(org, org_data["tag_expiration_s"])
+
+            teams = model.team.get_teams_within_org(org)
+            return org_view(org, teams)
+        raise Unauthorized()
+
+    @require_scope(scopes.ORG_ADMIN)
+    @require_fresh_login
+    @nickname("deleteAdminedOrganization")
+    def delete(self, orgname):
+        """ Deletes the specified organization. """
+        permission = AdministerOrganizationPermission(orgname)
+        if permission.can():
+            try:
+                org = model.organization.get_organization(orgname)
+            except model.InvalidOrganizationException:
+                raise NotFound()
+
+            model.user.mark_namespace_for_deletion(org, all_queues, namespace_gc_queue)
+            return "", 204
+
+        raise Unauthorized()
 
 
-  @require_scope(scopes.ORG_ADMIN)
-  @nickname('changeOrganizationDetails')
-  @validate_json_request('UpdateOrg')
-  def put(self, orgname):
-    """ Change the details for the specified organization. """
-    permission = AdministerOrganizationPermission(orgname)
-    if permission.can():
-      try:
-        org = model.organization.get_organization(orgname)
-      except model.InvalidOrganizationException:
-        raise NotFound()
-
-      org_data = request.get_json()
-      if 'invoice_email' in org_data:
-        logger.debug('Changing invoice_email for organization: %s', org.username)
-        model.user.change_send_invoice_email(org, org_data['invoice_email'])
-
-      if ('invoice_email_address' in org_data and
-          org_data['invoice_email_address'] != org.invoice_email_address):
-        new_email = org_data['invoice_email_address']
-        logger.debug('Changing invoice email address for organization: %s', org.username)
-        model.user.change_invoice_email_address(org, new_email)
-
-      if 'email' in org_data and org_data['email'] != org.email:
-        new_email = org_data['email']
-        if model.user.find_user_by_email(new_email):
-          raise request_error(message='E-mail address already used')
-
-        logger.debug('Changing email address for organization: %s', org.username)
-        model.user.update_email(org, new_email)
-
-      if features.CHANGE_TAG_EXPIRATION and 'tag_expiration_s' in org_data:
-        logger.debug('Changing organization tag expiration to: %ss', org_data['tag_expiration_s'])
-        model.user.change_user_tag_expiration(org, org_data['tag_expiration_s'])
-
-      teams = model.team.get_teams_within_org(org)
-      return org_view(org, teams)
-    raise Unauthorized()
-
-
-  @require_scope(scopes.ORG_ADMIN)
-  @require_fresh_login
-  @nickname('deleteAdminedOrganization')
-  def delete(self, orgname):
-    """ Deletes the specified organization. """
-    permission = AdministerOrganizationPermission(orgname)
-    if permission.can():
-      try:
-        org = model.organization.get_organization(orgname)
-      except model.InvalidOrganizationException:
-        raise NotFound()
-
-      model.user.mark_namespace_for_deletion(org, all_queues, namespace_gc_queue)
-      return '', 204
-
-    raise Unauthorized()
-
-
-@resource('/v1/organization/<orgname>/private')
-@path_param('orgname', 'The name of the organization')
+@resource("/v1/organization/<orgname>/private")
+@path_param("orgname", "The name of the organization")
 @internal_only
 @related_user_resource(PrivateRepositories)
 @show_if(features.BILLING)
 class OrgPrivateRepositories(ApiResource):
-  """ Custom verb to compute whether additional private repositories are available. """
+    """ Custom verb to compute whether additional private repositories are available. """
 
-  @require_scope(scopes.ORG_ADMIN)
-  @nickname('getOrganizationPrivateAllowed')
-  def get(self, orgname):
-    """ Return whether or not this org is allowed to create new private repositories. """
-    permission = CreateRepositoryPermission(orgname)
-    if permission.can():
-      organization = model.organization.get_organization(orgname)
-      private_repos = model.user.get_private_repo_count(organization.username)
-      data = {
-        'privateAllowed': False
-      }
+    @require_scope(scopes.ORG_ADMIN)
+    @nickname("getOrganizationPrivateAllowed")
+    def get(self, orgname):
+        """ Return whether or not this org is allowed to create new private repositories. """
+        permission = CreateRepositoryPermission(orgname)
+        if permission.can():
+            organization = model.organization.get_organization(orgname)
+            private_repos = model.user.get_private_repo_count(organization.username)
+            data = {"privateAllowed": False}
 
-      if organization.stripe_id:
-        cus = stripe.Customer.retrieve(organization.stripe_id)
-        if cus.subscription:
-          repos_allowed = 0
-          plan = get_plan(cus.subscription.plan.id)
-          if plan:
-            repos_allowed = plan['privateRepos']
+            if organization.stripe_id:
+                cus = stripe.Customer.retrieve(organization.stripe_id)
+                if cus.subscription:
+                    repos_allowed = 0
+                    plan = get_plan(cus.subscription.plan.id)
+                    if plan:
+                        repos_allowed = plan["privateRepos"]
 
-          data['privateAllowed'] = (private_repos < repos_allowed)
+                    data["privateAllowed"] = private_repos < repos_allowed
+
+            if AdministerOrganizationPermission(orgname).can():
+                data["privateCount"] = private_repos
+
+            return data
+
+        raise Unauthorized()
 
 
-      if AdministerOrganizationPermission(orgname).can():
-        data['privateCount'] = private_repos
-
-      return data
-
-    raise Unauthorized()
-
-
-@resource('/v1/organization/<orgname>/collaborators')
-@path_param('orgname', 'The name of the organization')
+@resource("/v1/organization/<orgname>/collaborators")
+@path_param("orgname", "The name of the organization")
 class OrganizationCollaboratorList(ApiResource):
-  """ Resource for listing outside collaborators of an organization.
+    """ Resource for listing outside collaborators of an organization.
 
   Collaborators are users that do not belong to any team in the
   organiztion, but who have direct permissions on one or more
   repositories belonging to the organization.
   """
 
-  @require_scope(scopes.ORG_ADMIN)
-  @nickname('getOrganizationCollaborators')
-  def get(self, orgname):
-    """ List outside collaborators of the specified organization. """
-    permission = AdministerOrganizationPermission(orgname)
-    if not permission.can():
-      raise Unauthorized()
+    @require_scope(scopes.ORG_ADMIN)
+    @nickname("getOrganizationCollaborators")
+    def get(self, orgname):
+        """ List outside collaborators of the specified organization. """
+        permission = AdministerOrganizationPermission(orgname)
+        if not permission.can():
+            raise Unauthorized()
 
-    try:
-      org = model.organization.get_organization(orgname)
-    except model.InvalidOrganizationException:
-      raise NotFound()
+        try:
+            org = model.organization.get_organization(orgname)
+        except model.InvalidOrganizationException:
+            raise NotFound()
 
-    all_perms = model.permission.list_organization_member_permissions(org)
-    membership = model.team.list_organization_members_by_teams(org)
+        all_perms = model.permission.list_organization_member_permissions(org)
+        membership = model.team.list_organization_members_by_teams(org)
 
-    org_members = set(m.user.username for m in membership)
+        org_members = set(m.user.username for m in membership)
 
-    collaborators = {}
-    for perm in all_perms:
-      username = perm.user.username
+        collaborators = {}
+        for perm in all_perms:
+            username = perm.user.username
 
-      # Only interested in non-member permissions.
-      if username in org_members:
-        continue
+            # Only interested in non-member permissions.
+            if username in org_members:
+                continue
 
-      if username not in collaborators:
-        collaborators[username] = {
-          'kind': 'user',
-          'name': username,
-          'avatar': avatar.get_data_for_user(perm.user),
-          'repositories': [],
-        }
+            if username not in collaborators:
+                collaborators[username] = {
+                    "kind": "user",
+                    "name": username,
+                    "avatar": avatar.get_data_for_user(perm.user),
+                    "repositories": [],
+                }
 
-      collaborators[username]['repositories'].append(perm.repository.name)
+            collaborators[username]["repositories"].append(perm.repository.name)
 
-    return {'collaborators': collaborators.values()}
+        return {"collaborators": collaborators.values()}
 
 
-@resource('/v1/organization/<orgname>/members')
-@path_param('orgname', 'The name of the organization')
+@resource("/v1/organization/<orgname>/members")
+@path_param("orgname", "The name of the organization")
 class OrganizationMemberList(ApiResource):
-  """ Resource for listing the members of an organization. """
+    """ Resource for listing the members of an organization. """
 
-  @require_scope(scopes.ORG_ADMIN)
-  @nickname('getOrganizationMembers')
-  def get(self, orgname):
-    """ List the human members of the specified organization. """
-    permission = AdministerOrganizationPermission(orgname)
-    if permission.can():
-      try:
-        org = model.organization.get_organization(orgname)
-      except model.InvalidOrganizationException:
-        raise NotFound()
+    @require_scope(scopes.ORG_ADMIN)
+    @nickname("getOrganizationMembers")
+    def get(self, orgname):
+        """ List the human members of the specified organization. """
+        permission = AdministerOrganizationPermission(orgname)
+        if permission.can():
+            try:
+                org = model.organization.get_organization(orgname)
+            except model.InvalidOrganizationException:
+                raise NotFound()
 
-      # Loop to create the members dictionary. Note that the members collection
-      # will return an entry for *every team* a member is on, so we will have
-      # duplicate keys (which is why we pre-build the dictionary).
-      members_dict = {}
-      members = model.team.list_organization_members_by_teams(org)
-      for member in members:
-        if member.user.robot:
-          continue
+            # Loop to create the members dictionary. Note that the members collection
+            # will return an entry for *every team* a member is on, so we will have
+            # duplicate keys (which is why we pre-build the dictionary).
+            members_dict = {}
+            members = model.team.list_organization_members_by_teams(org)
+            for member in members:
+                if member.user.robot:
+                    continue
 
-        if not member.user.username in members_dict:
-          member_data = {
-            'name': member.user.username,
-            'kind': 'user',
-            'avatar': avatar.get_data_for_user(member.user),
-            'teams': [],
-            'repositories': []
-          }
+                if not member.user.username in members_dict:
+                    member_data = {
+                        "name": member.user.username,
+                        "kind": "user",
+                        "avatar": avatar.get_data_for_user(member.user),
+                        "teams": [],
+                        "repositories": [],
+                    }
 
-          members_dict[member.user.username] = member_data
+                    members_dict[member.user.username] = member_data
 
-        members_dict[member.user.username]['teams'].append({
-          'name': member.team.name,
-          'avatar': avatar.get_data_for_team(member.team),
-        })
+                members_dict[member.user.username]["teams"].append(
+                    {
+                        "name": member.team.name,
+                        "avatar": avatar.get_data_for_team(member.team),
+                    }
+                )
 
-      # Loop to add direct repository permissions.
-      for permission in model.permission.list_organization_member_permissions(org):
-        username = permission.user.username
-        if not username in members_dict:
-          continue
+            # Loop to add direct repository permissions.
+            for permission in model.permission.list_organization_member_permissions(
+                org
+            ):
+                username = permission.user.username
+                if not username in members_dict:
+                    continue
 
-        members_dict[username]['repositories'].append(permission.repository.name)
+                members_dict[username]["repositories"].append(
+                    permission.repository.name
+                )
 
-      return {'members': members_dict.values()}
+            return {"members": members_dict.values()}
 
-    raise Unauthorized()
+        raise Unauthorized()
 
 
-
-@resource('/v1/organization/<orgname>/members/<membername>')
-@path_param('orgname', 'The name of the organization')
-@path_param('membername', 'The username of the organization member')
+@resource("/v1/organization/<orgname>/members/<membername>")
+@path_param("orgname", "The name of the organization")
+@path_param("membername", "The username of the organization member")
 class OrganizationMember(ApiResource):
-  """ Resource for managing individual organization members. """
+    """ Resource for managing individual organization members. """
 
-  @require_scope(scopes.ORG_ADMIN)
-  @nickname('getOrganizationMember')
-  def get(self, orgname, membername):
-    """ Retrieves the details of a member of the organization.
+    @require_scope(scopes.ORG_ADMIN)
+    @nickname("getOrganizationMember")
+    def get(self, orgname, membername):
+        """ Retrieves the details of a member of the organization.
     """
-    permission = AdministerOrganizationPermission(orgname)
-    if permission.can():
-      # Lookup the user.
-      member = model.user.get_user(membername)
-      if not member:
-        raise NotFound()
+        permission = AdministerOrganizationPermission(orgname)
+        if permission.can():
+            # Lookup the user.
+            member = model.user.get_user(membername)
+            if not member:
+                raise NotFound()
 
-      organization = model.user.get_user_or_org(orgname)
-      if not organization:
-        raise NotFound()
+            organization = model.user.get_user_or_org(orgname)
+            if not organization:
+                raise NotFound()
 
-      # Lookup the user's information in the organization.
-      teams = list(model.team.get_user_teams_within_org(membername, organization))
-      if not teams:
-        # 404 if the user is not a robot under the organization, as that means the referenced
-        # user or robot is not a member of this organization.
-        if not member.robot:
-          raise NotFound()
+            # Lookup the user's information in the organization.
+            teams = list(model.team.get_user_teams_within_org(membername, organization))
+            if not teams:
+                # 404 if the user is not a robot under the organization, as that means the referenced
+                # user or robot is not a member of this organization.
+                if not member.robot:
+                    raise NotFound()
 
-        namespace, _ = parse_robot_username(member.username)
-        if namespace != orgname:
-          raise NotFound()
+                namespace, _ = parse_robot_username(member.username)
+                if namespace != orgname:
+                    raise NotFound()
 
-      repo_permissions = model.permission.list_organization_member_permissions(organization, member)
+            repo_permissions = model.permission.list_organization_member_permissions(
+                organization, member
+            )
 
-      def local_team_view(team):
-        return {
-          'name': team.name,
-          'avatar': avatar.get_data_for_team(team),
-        }
+            def local_team_view(team):
+                return {"name": team.name, "avatar": avatar.get_data_for_team(team)}
 
-      return {
-        'name': member.username,
-        'kind': 'robot' if member.robot else 'user',
-        'avatar': avatar.get_data_for_user(member),
-        'teams': [local_team_view(team) for team in teams],
-        'repositories': [permission.repository.name for permission in repo_permissions]
-      }
+            return {
+                "name": member.username,
+                "kind": "robot" if member.robot else "user",
+                "avatar": avatar.get_data_for_user(member),
+                "teams": [local_team_view(team) for team in teams],
+                "repositories": [
+                    permission.repository.name for permission in repo_permissions
+                ],
+            }
 
-    raise Unauthorized()
+        raise Unauthorized()
 
-
-  @require_scope(scopes.ORG_ADMIN)
-  @nickname('removeOrganizationMember')
-  def delete(self, orgname, membername):
-    """ Removes a member from an organization, revoking all its repository
+    @require_scope(scopes.ORG_ADMIN)
+    @nickname("removeOrganizationMember")
+    def delete(self, orgname, membername):
+        """ Removes a member from an organization, revoking all its repository
         priviledges and removing it from all teams in the organization.
     """
-    permission = AdministerOrganizationPermission(orgname)
-    if permission.can():
-      # Lookup the user.
-      user = model.user.get_nonrobot_user(membername)
-      if not user:
-        raise NotFound()
+        permission = AdministerOrganizationPermission(orgname)
+        if permission.can():
+            # Lookup the user.
+            user = model.user.get_nonrobot_user(membername)
+            if not user:
+                raise NotFound()
 
-      try:
-        org = model.organization.get_organization(orgname)
-      except model.InvalidOrganizationException:
-        raise NotFound()
+            try:
+                org = model.organization.get_organization(orgname)
+            except model.InvalidOrganizationException:
+                raise NotFound()
 
-      # Remove the user from the organization.
-      model.organization.remove_organization_member(org, user)
-      return '', 204
+            # Remove the user from the organization.
+            model.organization.remove_organization_member(org, user)
+            return "", 204
 
-    raise Unauthorized()
+        raise Unauthorized()
 
 
-@resource('/v1/app/<client_id>')
-@path_param('client_id', 'The OAuth client ID')
+@resource("/v1/app/<client_id>")
+@path_param("client_id", "The OAuth client ID")
 class ApplicationInformation(ApiResource):
-  """ Resource that returns public information about a registered application. """
+    """ Resource that returns public information about a registered application. """
 
-  @nickname('getApplicationInformation')
-  def get(self, client_id):
-    """ Get information on the specified application. """
-    application = model.oauth.get_application_for_client_id(client_id)
-    if not application:
-      raise NotFound()
+    @nickname("getApplicationInformation")
+    def get(self, client_id):
+        """ Get information on the specified application. """
+        application = model.oauth.get_application_for_client_id(client_id)
+        if not application:
+            raise NotFound()
 
-    app_email = application.avatar_email or application.organization.email
-    app_data = avatar.get_data(application.name, app_email, 'app')
+        app_email = application.avatar_email or application.organization.email
+        app_data = avatar.get_data(application.name, app_email, "app")
 
-    return {
-      'name': application.name,
-      'description': application.description,
-      'uri': application.application_uri,
-      'avatar': app_data,
-      'organization': org_view(application.organization, [])
-    }
+        return {
+            "name": application.name,
+            "description": application.description,
+            "uri": application.application_uri,
+            "avatar": app_data,
+            "organization": org_view(application.organization, []),
+        }
 
 
 def app_view(application):
-  is_admin = AdministerOrganizationPermission(application.organization.username).can()
-  client_secret = None
-  if is_admin:
-    # TODO(remove-unenc): Remove legacy lookup.
+    is_admin = AdministerOrganizationPermission(application.organization.username).can()
     client_secret = None
-    if application.secure_client_secret is not None:
-      client_secret = application.secure_client_secret.decrypt()
+    if is_admin:
+        # TODO(remove-unenc): Remove legacy lookup.
+        client_secret = None
+        if application.secure_client_secret is not None:
+            client_secret = application.secure_client_secret.decrypt()
 
-    if ActiveDataMigration.has_flag(ERTMigrationFlags.READ_OLD_FIELDS) and client_secret is None:
-      client_secret = application.client_secret
+        if (
+            ActiveDataMigration.has_flag(ERTMigrationFlags.READ_OLD_FIELDS)
+            and client_secret is None
+        ):
+            client_secret = application.client_secret
 
-  assert (client_secret is not None) == is_admin
-  return {
-    'name': application.name,
-    'description': application.description,
-    'application_uri': application.application_uri,
-    'client_id': application.client_id,
-    'client_secret': client_secret,
-    'redirect_uri': application.redirect_uri if is_admin else None,
-    'avatar_email': application.avatar_email if is_admin else None,
-  }
+    assert (client_secret is not None) == is_admin
+    return {
+        "name": application.name,
+        "description": application.description,
+        "application_uri": application.application_uri,
+        "client_id": application.client_id,
+        "client_secret": client_secret,
+        "redirect_uri": application.redirect_uri if is_admin else None,
+        "avatar_email": application.avatar_email if is_admin else None,
+    }
 
 
-@resource('/v1/organization/<orgname>/applications')
-@path_param('orgname', 'The name of the organization')
+@resource("/v1/organization/<orgname>/applications")
+@path_param("orgname", "The name of the organization")
 class OrganizationApplications(ApiResource):
-  """ Resource for managing applications defined by an organization. """
-  schemas = {
-    'NewApp': {
-      'type': 'object',
-      'description': 'Description of a new organization application.',
-      'required': [
-        'name',
-      ],
-      'properties': {
-        'name': {
-          'type': 'string',
-          'description': 'The name of the application',
-        },
-        'redirect_uri': {
-          'type': 'string',
-          'description': 'The URI for the application\'s OAuth redirect',
-        },
-        'application_uri': {
-          'type': 'string',
-          'description': 'The URI for the application\'s homepage',
-        },
-        'description': {
-          'type': 'string',
-          'description': 'The human-readable description for the application',
-        },
-        'avatar_email': {
-          'type': 'string',
-          'description': 'The e-mail address of the avatar to use for the application',
+    """ Resource for managing applications defined by an organization. """
+
+    schemas = {
+        "NewApp": {
+            "type": "object",
+            "description": "Description of a new organization application.",
+            "required": ["name"],
+            "properties": {
+                "name": {
+                    "type": "string",
+                    "description": "The name of the application",
+                },
+                "redirect_uri": {
+                    "type": "string",
+                    "description": "The URI for the application's OAuth redirect",
+                },
+                "application_uri": {
+                    "type": "string",
+                    "description": "The URI for the application's homepage",
+                },
+                "description": {
+                    "type": "string",
+                    "description": "The human-readable description for the application",
+                },
+                "avatar_email": {
+                    "type": "string",
+                    "description": "The e-mail address of the avatar to use for the application",
+                },
+            },
         }
-      },
-    },
-  }
+    }
 
-  @require_scope(scopes.ORG_ADMIN)
-  @nickname('getOrganizationApplications')
-  def get(self, orgname):
-    """ List the applications for the specified organization """
-    permission = AdministerOrganizationPermission(orgname)
-    if permission.can():
-      try:
-        org = model.organization.get_organization(orgname)
-      except model.InvalidOrganizationException:
-        raise NotFound()
+    @require_scope(scopes.ORG_ADMIN)
+    @nickname("getOrganizationApplications")
+    def get(self, orgname):
+        """ List the applications for the specified organization """
+        permission = AdministerOrganizationPermission(orgname)
+        if permission.can():
+            try:
+                org = model.organization.get_organization(orgname)
+            except model.InvalidOrganizationException:
+                raise NotFound()
 
-      applications = model.oauth.list_applications_for_org(org)
-      return {'applications': [app_view(application) for application in applications]}
+            applications = model.oauth.list_applications_for_org(org)
+            return {
+                "applications": [app_view(application) for application in applications]
+            }
 
-    raise Unauthorized()
+        raise Unauthorized()
 
-  @require_scope(scopes.ORG_ADMIN)
-  @nickname('createOrganizationApplication')
-  @validate_json_request('NewApp')
-  def post(self, orgname):
-    """ Creates a new application under this organization. """
-    permission = AdministerOrganizationPermission(orgname)
-    if permission.can():
-      try:
-        org = model.organization.get_organization(orgname)
-      except model.InvalidOrganizationException:
-        raise NotFound()
+    @require_scope(scopes.ORG_ADMIN)
+    @nickname("createOrganizationApplication")
+    @validate_json_request("NewApp")
+    def post(self, orgname):
+        """ Creates a new application under this organization. """
+        permission = AdministerOrganizationPermission(orgname)
+        if permission.can():
+            try:
+                org = model.organization.get_organization(orgname)
+            except model.InvalidOrganizationException:
+                raise NotFound()
 
-      app_data = request.get_json()
-      application = model.oauth.create_application(org, app_data['name'],
-                                             app_data.get('application_uri', ''),
-                                             app_data.get('redirect_uri', ''),
-                                             description=app_data.get('description', ''),
-                                             avatar_email=app_data.get('avatar_email', None))
+            app_data = request.get_json()
+            application = model.oauth.create_application(
+                org,
+                app_data["name"],
+                app_data.get("application_uri", ""),
+                app_data.get("redirect_uri", ""),
+                description=app_data.get("description", ""),
+                avatar_email=app_data.get("avatar_email", None),
+            )
 
-      app_data.update({
-        'application_name': application.name,
-        'client_id': application.client_id
-      })
+            app_data.update(
+                {
+                    "application_name": application.name,
+                    "client_id": application.client_id,
+                }
+            )
 
-      log_action('create_application', orgname, app_data)
+            log_action("create_application", orgname, app_data)
 
-      return app_view(application)
-    raise Unauthorized()
+            return app_view(application)
+        raise Unauthorized()
 
 
-@resource('/v1/organization/<orgname>/applications/<client_id>')
-@path_param('orgname', 'The name of the organization')
-@path_param('client_id', 'The OAuth client ID')
+@resource("/v1/organization/<orgname>/applications/<client_id>")
+@path_param("orgname", "The name of the organization")
+@path_param("client_id", "The OAuth client ID")
 class OrganizationApplicationResource(ApiResource):
-  """ Resource for managing an application defined by an organizations. """
-  schemas = {
-    'UpdateApp': {
-      'type': 'object',
-      'description': 'Description of an updated application.',
-      'required': [
-        'name',
-        'redirect_uri',
-        'application_uri'
-      ],
-      'properties': {
-        'name': {
-          'type': 'string',
-          'description': 'The name of the application',
-        },
-        'redirect_uri': {
-          'type': 'string',
-          'description': 'The URI for the application\'s OAuth redirect',
-        },
-        'application_uri': {
-          'type': 'string',
-          'description': 'The URI for the application\'s homepage',
-        },
-        'description': {
-          'type': 'string',
-          'description': 'The human-readable description for the application',
-        },
-        'avatar_email': {
-          'type': 'string',
-          'description': 'The e-mail address of the avatar to use for the application',
+    """ Resource for managing an application defined by an organizations. """
+
+    schemas = {
+        "UpdateApp": {
+            "type": "object",
+            "description": "Description of an updated application.",
+            "required": ["name", "redirect_uri", "application_uri"],
+            "properties": {
+                "name": {
+                    "type": "string",
+                    "description": "The name of the application",
+                },
+                "redirect_uri": {
+                    "type": "string",
+                    "description": "The URI for the application's OAuth redirect",
+                },
+                "application_uri": {
+                    "type": "string",
+                    "description": "The URI for the application's homepage",
+                },
+                "description": {
+                    "type": "string",
+                    "description": "The human-readable description for the application",
+                },
+                "avatar_email": {
+                    "type": "string",
+                    "description": "The e-mail address of the avatar to use for the application",
+                },
+            },
         }
-      },
-    },
-  }
+    }
 
-  @require_scope(scopes.ORG_ADMIN)
-  @nickname('getOrganizationApplication')
-  def get(self, orgname, client_id):
-    """ Retrieves the application with the specified client_id under the specified organization """
-    permission = AdministerOrganizationPermission(orgname)
-    if permission.can():
-      try:
-        org = model.organization.get_organization(orgname)
-      except model.InvalidOrganizationException:
-        raise NotFound()
+    @require_scope(scopes.ORG_ADMIN)
+    @nickname("getOrganizationApplication")
+    def get(self, orgname, client_id):
+        """ Retrieves the application with the specified client_id under the specified organization """
+        permission = AdministerOrganizationPermission(orgname)
+        if permission.can():
+            try:
+                org = model.organization.get_organization(orgname)
+            except model.InvalidOrganizationException:
+                raise NotFound()
 
-      application = model.oauth.lookup_application(org, client_id)
-      if not application:
-        raise NotFound()
+            application = model.oauth.lookup_application(org, client_id)
+            if not application:
+                raise NotFound()
 
-      return app_view(application)
+            return app_view(application)
 
-    raise Unauthorized()
+        raise Unauthorized()
 
-  @require_scope(scopes.ORG_ADMIN)
-  @nickname('updateOrganizationApplication')
-  @validate_json_request('UpdateApp')
-  def put(self, orgname, client_id):
-    """ Updates an application under this organization. """
-    permission = AdministerOrganizationPermission(orgname)
-    if permission.can():
-      try:
-        org = model.organization.get_organization(orgname)
-      except model.InvalidOrganizationException:
-        raise NotFound()
+    @require_scope(scopes.ORG_ADMIN)
+    @nickname("updateOrganizationApplication")
+    @validate_json_request("UpdateApp")
+    def put(self, orgname, client_id):
+        """ Updates an application under this organization. """
+        permission = AdministerOrganizationPermission(orgname)
+        if permission.can():
+            try:
+                org = model.organization.get_organization(orgname)
+            except model.InvalidOrganizationException:
+                raise NotFound()
 
-      application = model.oauth.lookup_application(org, client_id)
-      if not application:
-        raise NotFound()
+            application = model.oauth.lookup_application(org, client_id)
+            if not application:
+                raise NotFound()
 
-      app_data = request.get_json()
-      application.name = app_data['name']
-      application.application_uri = app_data['application_uri']
-      application.redirect_uri = app_data['redirect_uri']
-      application.description = app_data.get('description', '')
-      application.avatar_email = app_data.get('avatar_email', None)
-      application.save()
+            app_data = request.get_json()
+            application.name = app_data["name"]
+            application.application_uri = app_data["application_uri"]
+            application.redirect_uri = app_data["redirect_uri"]
+            application.description = app_data.get("description", "")
+            application.avatar_email = app_data.get("avatar_email", None)
+            application.save()
 
-      app_data.update({
-        'application_name': application.name,
-        'client_id': application.client_id
-      })
+            app_data.update(
+                {
+                    "application_name": application.name,
+                    "client_id": application.client_id,
+                }
+            )
 
-      log_action('update_application', orgname, app_data)
+            log_action("update_application", orgname, app_data)
 
-      return app_view(application)
-    raise Unauthorized()
+            return app_view(application)
+        raise Unauthorized()
 
-  @require_scope(scopes.ORG_ADMIN)
-  @nickname('deleteOrganizationApplication')
-  def delete(self, orgname, client_id):
-    """ Deletes the application under this organization. """
-    permission = AdministerOrganizationPermission(orgname)
-    if permission.can():
-      try:
-        org = model.organization.get_organization(orgname)
-      except model.InvalidOrganizationException:
-        raise NotFound()
+    @require_scope(scopes.ORG_ADMIN)
+    @nickname("deleteOrganizationApplication")
+    def delete(self, orgname, client_id):
+        """ Deletes the application under this organization. """
+        permission = AdministerOrganizationPermission(orgname)
+        if permission.can():
+            try:
+                org = model.organization.get_organization(orgname)
+            except model.InvalidOrganizationException:
+                raise NotFound()
 
-      application = model.oauth.delete_application(org, client_id)
-      if not application:
-        raise NotFound()
+            application = model.oauth.delete_application(org, client_id)
+            if not application:
+                raise NotFound()
 
-      log_action('delete_application', orgname,
-                 {'application_name': application.name, 'client_id': client_id})
+            log_action(
+                "delete_application",
+                orgname,
+                {"application_name": application.name, "client_id": client_id},
+            )
 
-      return '', 204
-    raise Unauthorized()
+            return "", 204
+        raise Unauthorized()
 
 
-@resource('/v1/organization/<orgname>/applications/<client_id>/resetclientsecret')
-@path_param('orgname', 'The name of the organization')
-@path_param('client_id', 'The OAuth client ID')
+@resource("/v1/organization/<orgname>/applications/<client_id>/resetclientsecret")
+@path_param("orgname", "The name of the organization")
+@path_param("client_id", "The OAuth client ID")
 @internal_only
 class OrganizationApplicationResetClientSecret(ApiResource):
-  """ Custom verb for resetting the client secret of an application. """
-  @nickname('resetOrganizationApplicationClientSecret')
-  def post(self, orgname, client_id):
-    """ Resets the client secret of the application. """
-    permission = AdministerOrganizationPermission(orgname)
-    if permission.can():
-      try:
-        org = model.organization.get_organization(orgname)
-      except model.InvalidOrganizationException:
-        raise NotFound()
+    """ Custom verb for resetting the client secret of an application. """
 
-      application = model.oauth.lookup_application(org, client_id)
-      if not application:
-        raise NotFound()
+    @nickname("resetOrganizationApplicationClientSecret")
+    def post(self, orgname, client_id):
+        """ Resets the client secret of the application. """
+        permission = AdministerOrganizationPermission(orgname)
+        if permission.can():
+            try:
+                org = model.organization.get_organization(orgname)
+            except model.InvalidOrganizationException:
+                raise NotFound()
 
-      application = model.oauth.reset_client_secret(application)
-      log_action('reset_application_client_secret', orgname,
-                 {'application_name': application.name, 'client_id': client_id})
+            application = model.oauth.lookup_application(org, client_id)
+            if not application:
+                raise NotFound()
 
-      return app_view(application)
-    raise Unauthorized()
+            application = model.oauth.reset_client_secret(application)
+            log_action(
+                "reset_application_client_secret",
+                orgname,
+                {"application_name": application.name, "client_id": client_id},
+            )
+
+            return app_view(application)
+        raise Unauthorized()
diff --git a/endpoints/api/permission.py b/endpoints/api/permission.py
index e85c6480e..365638d36 100644
--- a/endpoints/api/permission.py
+++ b/endpoints/api/permission.py
@@ -4,8 +4,16 @@ import logging
 
 from flask import request
 
-from endpoints.api import (resource, nickname, require_repo_admin, RepositoryParamResource,
-                           log_action, request_error, validate_json_request, path_param)
+from endpoints.api import (
+    resource,
+    nickname,
+    require_repo_admin,
+    RepositoryParamResource,
+    log_action,
+    request_error,
+    validate_json_request,
+    path_param,
+)
 from endpoints.exception import NotFound
 from permission_models_pre_oci import pre_oci_model as model
 from permission_models_interface import DeleteException, SaveException
@@ -13,197 +21,232 @@ from permission_models_interface import DeleteException, SaveException
 logger = logging.getLogger(__name__)
 
 
-@resource('/v1/repository/<apirepopath:repository>/permissions/team/')
-@path_param('repository', 'The full path of the repository. e.g. namespace/name')
+@resource("/v1/repository/<apirepopath:repository>/permissions/team/")
+@path_param("repository", "The full path of the repository. e.g. namespace/name")
 class RepositoryTeamPermissionList(RepositoryParamResource):
-  """ Resource for repository team permissions. """
-  @require_repo_admin
-  @nickname('listRepoTeamPermissions')
-  def get(self, namespace_name, repository_name):
-    """ List all team permission. """
-    repo_perms = model.get_repo_permissions_by_team(namespace_name, repository_name)
+    """ Resource for repository team permissions. """
 
-    return {
-      'permissions': {repo_perm.team_name: repo_perm.to_dict()
-                      for repo_perm in repo_perms}
-    }
+    @require_repo_admin
+    @nickname("listRepoTeamPermissions")
+    def get(self, namespace_name, repository_name):
+        """ List all team permission. """
+        repo_perms = model.get_repo_permissions_by_team(namespace_name, repository_name)
+
+        return {
+            "permissions": {
+                repo_perm.team_name: repo_perm.to_dict() for repo_perm in repo_perms
+            }
+        }
 
 
-@resource('/v1/repository/<apirepopath:repository>/permissions/user/')
-@path_param('repository', 'The full path of the repository. e.g. namespace/name')
+@resource("/v1/repository/<apirepopath:repository>/permissions/user/")
+@path_param("repository", "The full path of the repository. e.g. namespace/name")
 class RepositoryUserPermissionList(RepositoryParamResource):
-  """ Resource for repository user permissions. """
-  @require_repo_admin
-  @nickname('listRepoUserPermissions')
-  def get(self, namespace_name, repository_name):
-    """ List all user permissions. """
-    perms = model.get_repo_permissions_by_user(namespace_name, repository_name)
-    return {'permissions': {p.username: p.to_dict() for p in perms}}
+    """ Resource for repository user permissions. """
+
+    @require_repo_admin
+    @nickname("listRepoUserPermissions")
+    def get(self, namespace_name, repository_name):
+        """ List all user permissions. """
+        perms = model.get_repo_permissions_by_user(namespace_name, repository_name)
+        return {"permissions": {p.username: p.to_dict() for p in perms}}
 
 
-@resource('/v1/repository/<apirepopath:repository>/permissions/user/<username>/transitive')
-@path_param('repository', 'The full path of the repository. e.g. namespace/name')
-@path_param('username', 'The username of the user to which the permissions apply')
+@resource(
+    "/v1/repository/<apirepopath:repository>/permissions/user/<username>/transitive"
+)
+@path_param("repository", "The full path of the repository. e.g. namespace/name")
+@path_param("username", "The username of the user to which the permissions apply")
 class RepositoryUserTransitivePermission(RepositoryParamResource):
-  """ Resource for retrieving whether a user has access to a repository, either directly
+    """ Resource for retrieving whether a user has access to a repository, either directly
       or via a team. """
-  @require_repo_admin
-  @nickname('getUserTransitivePermission')
-  def get(self, namespace_name, repository_name, username):
-    """ Get the fetch the permission for the specified user. """
-    
-    roles = model.get_repo_roles(username, namespace_name, repository_name)
-    
-    if not roles:
-      raise NotFound
-    
-    return {
-      'permissions': [r.to_dict() for r in roles]
+
+    @require_repo_admin
+    @nickname("getUserTransitivePermission")
+    def get(self, namespace_name, repository_name, username):
+        """ Get the fetch the permission for the specified user. """
+
+        roles = model.get_repo_roles(username, namespace_name, repository_name)
+
+        if not roles:
+            raise NotFound
+
+        return {"permissions": [r.to_dict() for r in roles]}
+
+
+@resource("/v1/repository/<apirepopath:repository>/permissions/user/<username>")
+@path_param("repository", "The full path of the repository. e.g. namespace/name")
+@path_param("username", "The username of the user to which the permission applies")
+class RepositoryUserPermission(RepositoryParamResource):
+    """ Resource for managing individual user permissions. """
+
+    schemas = {
+        "UserPermission": {
+            "type": "object",
+            "description": "Description of a user permission.",
+            "required": ["role"],
+            "properties": {
+                "role": {
+                    "type": "string",
+                    "description": "Role to use for the user",
+                    "enum": ["read", "write", "admin"],
+                }
+            },
+        }
     }
 
+    @require_repo_admin
+    @nickname("getUserPermissions")
+    def get(self, namespace_name, repository_name, username):
+        """ Get the permission for the specified user. """
+        logger.debug(
+            "Get repo: %s/%s permissions for user %s",
+            namespace_name,
+            repository_name,
+            username,
+        )
+        perm = model.get_repo_permission_for_user(
+            username, namespace_name, repository_name
+        )
+        return perm.to_dict()
 
-@resource('/v1/repository/<apirepopath:repository>/permissions/user/<username>')
-@path_param('repository', 'The full path of the repository. e.g. namespace/name')
-@path_param('username', 'The username of the user to which the permission applies')
-class RepositoryUserPermission(RepositoryParamResource):
-  """ Resource for managing individual user permissions. """
-  schemas = {
-    'UserPermission': {
-      'type': 'object',
-      'description': 'Description of a user permission.',
-      'required': [
-        'role',
-      ],
-      'properties': {
-        'role': {
-          'type': 'string',
-          'description': 'Role to use for the user',
-          'enum': [
-            'read',
-            'write',
-            'admin',
-          ],
-        },
-      },
-    },
-  }
+    @require_repo_admin
+    @nickname("changeUserPermissions")
+    @validate_json_request("UserPermission")
+    def put(
+        self, namespace_name, repository_name, username
+    ):  # Also needs to respond to post
+        """ Update the perimssions for an existing repository. """
+        new_permission = request.get_json()
 
-  @require_repo_admin
-  @nickname('getUserPermissions')
-  def get(self, namespace_name, repository_name, username):
-    """ Get the permission for the specified user. """
-    logger.debug('Get repo: %s/%s permissions for user %s', namespace_name, repository_name, username)
-    perm = model.get_repo_permission_for_user(username, namespace_name, repository_name)
-    return perm.to_dict()
+        logger.debug(
+            "Setting permission to: %s for user %s", new_permission["role"], username
+        )
 
-  @require_repo_admin
-  @nickname('changeUserPermissions')
-  @validate_json_request('UserPermission')
-  def put(self, namespace_name, repository_name, username):  # Also needs to respond to post
-    """ Update the perimssions for an existing repository. """
-    new_permission = request.get_json()
+        try:
+            perm = model.set_repo_permission_for_user(
+                username, namespace_name, repository_name, new_permission["role"]
+            )
+            resp = perm.to_dict()
+        except SaveException as ex:
+            raise request_error(exception=ex)
 
-    logger.debug('Setting permission to: %s for user %s', new_permission['role'], username)
+        log_action(
+            "change_repo_permission",
+            namespace_name,
+            {
+                "username": username,
+                "repo": repository_name,
+                "namespace": namespace_name,
+                "role": new_permission["role"],
+            },
+            repo_name=repository_name,
+        )
 
-    try:
-      perm = model.set_repo_permission_for_user(username, namespace_name, repository_name,
-                                                new_permission['role'])
-      resp = perm.to_dict()
-    except SaveException as ex:
-      raise request_error(exception=ex)
+        return resp, 200
 
-    log_action('change_repo_permission', namespace_name,
-               {'username': username, 'repo': repository_name,
-                'namespace': namespace_name,
-                'role': new_permission['role']},
-                repo_name=repository_name)
+    @require_repo_admin
+    @nickname("deleteUserPermissions")
+    def delete(self, namespace_name, repository_name, username):
+        """ Delete the permission for the user. """
+        try:
+            model.delete_repo_permission_for_user(
+                username, namespace_name, repository_name
+            )
+        except DeleteException as ex:
+            raise request_error(exception=ex)
 
-    return resp, 200
+        log_action(
+            "delete_repo_permission",
+            namespace_name,
+            {
+                "username": username,
+                "repo": repository_name,
+                "namespace": namespace_name,
+            },
+            repo_name=repository_name,
+        )
 
-  @require_repo_admin
-  @nickname('deleteUserPermissions')
-  def delete(self, namespace_name, repository_name, username):
-    """ Delete the permission for the user. """
-    try:
-      model.delete_repo_permission_for_user(username, namespace_name, repository_name)
-    except DeleteException as ex:
-      raise request_error(exception=ex)
-
-    log_action('delete_repo_permission', namespace_name,
-               {'username': username, 'repo': repository_name, 'namespace': namespace_name},
-               repo_name=repository_name)
-
-    return '', 204
+        return "", 204
 
 
-@resource('/v1/repository/<apirepopath:repository>/permissions/team/<teamname>')
-@path_param('repository', 'The full path of the repository. e.g. namespace/name')
-@path_param('teamname', 'The name of the team to which the permission applies')
+@resource("/v1/repository/<apirepopath:repository>/permissions/team/<teamname>")
+@path_param("repository", "The full path of the repository. e.g. namespace/name")
+@path_param("teamname", "The name of the team to which the permission applies")
 class RepositoryTeamPermission(RepositoryParamResource):
-  """ Resource for managing individual team permissions. """
-  schemas = {
-    'TeamPermission': {
-      'type': 'object',
-      'description': 'Description of a team permission.',
-      'required': [
-        'role',
-      ],
-      'properties': {
-        'role': {
-          'type': 'string',
-          'description': 'Role to use for the team',
-          'enum': [
-            'read',
-            'write',
-            'admin',
-          ],
-        },
-      },
-    },
-  }
+    """ Resource for managing individual team permissions. """
 
-  @require_repo_admin
-  @nickname('getTeamPermissions')
-  def get(self, namespace_name, repository_name, teamname):
-    """ Fetch the permission for the specified team. """
-    logger.debug('Get repo: %s/%s permissions for team %s', namespace_name, repository_name, teamname)
-    role = model.get_repo_role_for_team(teamname, namespace_name, repository_name)
-    return role.to_dict()
+    schemas = {
+        "TeamPermission": {
+            "type": "object",
+            "description": "Description of a team permission.",
+            "required": ["role"],
+            "properties": {
+                "role": {
+                    "type": "string",
+                    "description": "Role to use for the team",
+                    "enum": ["read", "write", "admin"],
+                }
+            },
+        }
+    }
 
-  @require_repo_admin
-  @nickname('changeTeamPermissions')
-  @validate_json_request('TeamPermission')
-  def put(self, namespace_name, repository_name, teamname):
-    """ Update the existing team permission. """
-    new_permission = request.get_json()
+    @require_repo_admin
+    @nickname("getTeamPermissions")
+    def get(self, namespace_name, repository_name, teamname):
+        """ Fetch the permission for the specified team. """
+        logger.debug(
+            "Get repo: %s/%s permissions for team %s",
+            namespace_name,
+            repository_name,
+            teamname,
+        )
+        role = model.get_repo_role_for_team(teamname, namespace_name, repository_name)
+        return role.to_dict()
 
-    logger.debug('Setting permission to: %s for team %s', new_permission['role'], teamname)
+    @require_repo_admin
+    @nickname("changeTeamPermissions")
+    @validate_json_request("TeamPermission")
+    def put(self, namespace_name, repository_name, teamname):
+        """ Update the existing team permission. """
+        new_permission = request.get_json()
 
-    try:
-      perm = model.set_repo_permission_for_team(teamname, namespace_name, repository_name,
-                                                new_permission['role'])
-      resp = perm.to_dict()
-    except SaveException as ex:
-      raise request_error(exception=ex)
-    
+        logger.debug(
+            "Setting permission to: %s for team %s", new_permission["role"], teamname
+        )
 
-    log_action('change_repo_permission', namespace_name,
-               {'team': teamname, 'repo': repository_name,
-                'role': new_permission['role']},
-               repo_name=repository_name)
-    return resp, 200
+        try:
+            perm = model.set_repo_permission_for_team(
+                teamname, namespace_name, repository_name, new_permission["role"]
+            )
+            resp = perm.to_dict()
+        except SaveException as ex:
+            raise request_error(exception=ex)
 
-  @require_repo_admin
-  @nickname('deleteTeamPermissions')
-  def delete(self, namespace_name, repository_name, teamname):
-    """ Delete the permission for the specified team. """
-    try:
-      model.delete_repo_permission_for_team(teamname, namespace_name, repository_name)
-    except DeleteException as ex:
-      raise request_error(exception=ex)
-    
-    log_action('delete_repo_permission', namespace_name,
-               {'team': teamname, 'repo': repository_name},
-               repo_name=repository_name)
+        log_action(
+            "change_repo_permission",
+            namespace_name,
+            {"team": teamname, "repo": repository_name, "role": new_permission["role"]},
+            repo_name=repository_name,
+        )
+        return resp, 200
 
-    return '', 204
+    @require_repo_admin
+    @nickname("deleteTeamPermissions")
+    def delete(self, namespace_name, repository_name, teamname):
+        """ Delete the permission for the specified team. """
+        try:
+            model.delete_repo_permission_for_team(
+                teamname, namespace_name, repository_name
+            )
+        except DeleteException as ex:
+            raise request_error(exception=ex)
+
+        log_action(
+            "delete_repo_permission",
+            namespace_name,
+            {"team": teamname, "repo": repository_name},
+            repo_name=repository_name,
+        )
+
+        return "", 204
diff --git a/endpoints/api/permission_models_interface.py b/endpoints/api/permission_models_interface.py
index 49c24744c..acb3e9e6e 100644
--- a/endpoints/api/permission_models_interface.py
+++ b/endpoints/api/permission_models_interface.py
@@ -6,81 +6,70 @@ from six import add_metaclass
 
 
 class SaveException(Exception):
-  def __init__(self, other):
-    self.traceback = sys.exc_info()
-    super(SaveException, self).__init__(str(other))
+    def __init__(self, other):
+        self.traceback = sys.exc_info()
+        super(SaveException, self).__init__(str(other))
+
 
 class DeleteException(Exception):
-  def __init__(self, other):
-    self.traceback = sys.exc_info()
-    super(DeleteException, self).__init__(str(other))
+    def __init__(self, other):
+        self.traceback = sys.exc_info()
+        super(DeleteException, self).__init__(str(other))
 
 
-class Role(namedtuple('Role', ['role_name'])):
-  def to_dict(self):
-    return {
-      'role': self.role_name,
-    }
-
-class UserPermission(namedtuple('UserPermission', [
-      'role_name',
-      'username',
-      'is_robot',
-      'avatar',
-      'is_org_member',
-      'has_org',
-    ])):
-  
-  def to_dict(self):
-    perm_dict = {
-      'role': self.role_name,
-      'name': self.username,
-      'is_robot': self.is_robot,
-      'avatar': self.avatar,
-    }
-    if self.has_org:
-      perm_dict['is_org_member'] = self.is_org_member 
-    return perm_dict 
-    
-
-class RobotPermission(namedtuple('RobotPermission', [
-  'role_name',
-  'username',
-  'is_robot',
-  'is_org_member',
-])):
-  
-  def to_dict(self, user=None, team=None, org_members=None):
-    return {
-      'role': self.role_name,
-      'name': self.username,
-      'is_robot': True,
-      'is_org_member': self.is_org_member,
-    }
+class Role(namedtuple("Role", ["role_name"])):
+    def to_dict(self):
+        return {"role": self.role_name}
 
 
-class TeamPermission(namedtuple('TeamPermission', [
-  'role_name',
-  'team_name',
-  'avatar',
-])):
+class UserPermission(
+    namedtuple(
+        "UserPermission",
+        ["role_name", "username", "is_robot", "avatar", "is_org_member", "has_org"],
+    )
+):
+    def to_dict(self):
+        perm_dict = {
+            "role": self.role_name,
+            "name": self.username,
+            "is_robot": self.is_robot,
+            "avatar": self.avatar,
+        }
+        if self.has_org:
+            perm_dict["is_org_member"] = self.is_org_member
+        return perm_dict
+
+
+class RobotPermission(
+    namedtuple(
+        "RobotPermission", ["role_name", "username", "is_robot", "is_org_member"]
+    )
+):
+    def to_dict(self, user=None, team=None, org_members=None):
+        return {
+            "role": self.role_name,
+            "name": self.username,
+            "is_robot": True,
+            "is_org_member": self.is_org_member,
+        }
+
+
+class TeamPermission(
+    namedtuple("TeamPermission", ["role_name", "team_name", "avatar"])
+):
+    def to_dict(self):
+        return {"role": self.role_name, "name": self.team_name, "avatar": self.avatar}
 
-  def to_dict(self):
-    return {
-      'role': self.role_name,
-      'name': self.team_name,
-      'avatar': self.avatar,
-    }
 
 @add_metaclass(ABCMeta)
 class PermissionDataInterface(object):
-  """
+    """
   Data interface used by permissions API
   """
-  
-  @abstractmethod
-  def get_repo_permissions_by_user(self, namespace_name, repository_name):
-    """
+
+    @abstractmethod
+    def get_repo_permissions_by_user(self, namespace_name, repository_name):
+        """
     
     Args:
       namespace_name: string
@@ -90,9 +79,9 @@ class PermissionDataInterface(object):
       list(UserPermission)
     """
 
-  @abstractmethod
-  def get_repo_roles(self, username, namespace_name, repository_name):
-    """
+    @abstractmethod
+    def get_repo_roles(self, username, namespace_name, repository_name):
+        """
     
     Args:
       username: string
@@ -101,11 +90,11 @@ class PermissionDataInterface(object):
 
     Returns:
       list(Role) or None
-    """  
-  
-  @abstractmethod
-  def get_repo_permission_for_user(self, username, namespace_name, repository_name):
     """
+
+    @abstractmethod
+    def get_repo_permission_for_user(self, username, namespace_name, repository_name):
+        """
     
     Args:
       username: string
@@ -115,10 +104,12 @@ class PermissionDataInterface(object):
     Returns:
       UserPermission
     """
-  
-  @abstractmethod
-  def set_repo_permission_for_user(self, username, namespace_name, repository_name, role_name):
-    """
+
+    @abstractmethod
+    def set_repo_permission_for_user(
+        self, username, namespace_name, repository_name, role_name
+    ):
+        """
     
     Args:
       username: string
@@ -133,9 +124,11 @@ class PermissionDataInterface(object):
       SaveException
     """
 
-  @abstractmethod
-  def delete_repo_permission_for_user(self, username, namespace_name, repository_name):
-    """
+    @abstractmethod
+    def delete_repo_permission_for_user(
+        self, username, namespace_name, repository_name
+    ):
+        """
     
     Args:
       username: string
@@ -149,9 +142,9 @@ class PermissionDataInterface(object):
       DeleteException
     """
 
-  @abstractmethod
-  def get_repo_permissions_by_team(self, namespace_name, repository_name):
-    """
+    @abstractmethod
+    def get_repo_permissions_by_team(self, namespace_name, repository_name):
+        """
     
     Args:
       namespace_name: string
@@ -161,9 +154,9 @@ class PermissionDataInterface(object):
       list(TeamPermission)
     """
 
-  @abstractmethod
-  def get_repo_role_for_team(self, team_name, namespace_name, repository_name):
-    """
+    @abstractmethod
+    def get_repo_role_for_team(self, team_name, namespace_name, repository_name):
+        """
     
     Args:
       team_name: string
@@ -174,9 +167,11 @@ class PermissionDataInterface(object):
       Role
     """
 
-  @abstractmethod
-  def set_repo_permission_for_team(self, team_name, namespace_name, repository_name, permission):
-    """
+    @abstractmethod
+    def set_repo_permission_for_team(
+        self, team_name, namespace_name, repository_name, permission
+    ):
+        """
     
     Args:
       team_name: string
@@ -191,9 +186,11 @@ class PermissionDataInterface(object):
       SaveException
     """
 
-  @abstractmethod
-  def delete_repo_permission_for_team(self, team_name, namespace_name, repository_name):
-    """
+    @abstractmethod
+    def delete_repo_permission_for_team(
+        self, team_name, namespace_name, repository_name
+    ):
+        """
     
     Args:
       team_name: string
@@ -205,4 +202,4 @@ class PermissionDataInterface(object):
       
     Raises:
       DeleteException
-    """
\ No newline at end of file
+    """
diff --git a/endpoints/api/permission_models_pre_oci.py b/endpoints/api/permission_models_pre_oci.py
index 1f19cad10..63f57d5f6 100644
--- a/endpoints/api/permission_models_pre_oci.py
+++ b/endpoints/api/permission_models_pre_oci.py
@@ -1,115 +1,168 @@
 from app import avatar
 from data import model
-from permission_models_interface import PermissionDataInterface, UserPermission, TeamPermission, Role, SaveException, DeleteException
+from permission_models_interface import (
+    PermissionDataInterface,
+    UserPermission,
+    TeamPermission,
+    Role,
+    SaveException,
+    DeleteException,
+)
 
 
 class PreOCIModel(PermissionDataInterface):
-  """
+    """
   PreOCIModel implements the data model for Permission using a database schema
   before it was changed to support the OCI specification.
   """
 
-  def get_repo_permissions_by_user(self, namespace_name, repository_name):
-    org = None
-    try:
-      org = model.organization.get_organization(namespace_name)  # Will raise an error if not org
-    except model.InvalidOrganizationException:
-      # This repository isn't under an org
-      pass
+    def get_repo_permissions_by_user(self, namespace_name, repository_name):
+        org = None
+        try:
+            org = model.organization.get_organization(
+                namespace_name
+            )  # Will raise an error if not org
+        except model.InvalidOrganizationException:
+            # This repository isn't under an org
+            pass
 
-    # Load the permissions.
-    repo_perms = model.user.get_all_repo_users(namespace_name, repository_name)
-    
-    if org:
-      users_filter = {perm.user for perm in repo_perms}
-      org_members = model.organization.get_organization_member_set(org, users_filter=users_filter)
-    
-    def is_org_member(user):
-      if not org:
-        return False
+        # Load the permissions.
+        repo_perms = model.user.get_all_repo_users(namespace_name, repository_name)
 
-      return user.robot or user.username in org_members
-      
-    return [self._user_permission(perm, org is not None, is_org_member(perm.user)) for perm in repo_perms]
-            
-  def get_repo_roles(self, username, namespace_name, repository_name):
-    user = model.user.get_user(username)
-    if not user:
-      return None
+        if org:
+            users_filter = {perm.user for perm in repo_perms}
+            org_members = model.organization.get_organization_member_set(
+                org, users_filter=users_filter
+            )
 
-    repo = model.repository.get_repository(namespace_name, repository_name)
-    if not repo:
-      return None
-    
-    return [self._role(r) for r in model.permission.get_user_repo_permissions(user, repo)] 
+        def is_org_member(user):
+            if not org:
+                return False
 
-  def get_repo_permission_for_user(self, username, namespace_name, repository_name):
-    perm = model.permission.get_user_reponame_permission(username, namespace_name, repository_name)
-    org = None
-    try:
-      org = model.organization.get_organization(namespace_name)
-      org_members = model.organization.get_organization_member_set(org, users_filter={perm.user})
-      is_org_member = perm.user.robot or perm.user.username in org_members
-    except model.InvalidOrganizationException:
-      # This repository is not part of an organization
-      is_org_member = False
-      
-    return self._user_permission(perm, org is not None, is_org_member)
+            return user.robot or user.username in org_members
 
-  def set_repo_permission_for_user(self, username, namespace_name, repository_name, role_name):
-    try:
-      perm = model.permission.set_user_repo_permission(username, namespace_name, repository_name, role_name)
-      org = None
-      try:
-        org = model.organization.get_organization(namespace_name)
-        org_members = model.organization.get_organization_member_set(org, users_filter={perm.user})
-        is_org_member = perm.user.robot or perm.user.username in org_members
-      except model.InvalidOrganizationException:
-        # This repository is not part of an organization
-        is_org_member = False
-      return self._user_permission(perm, org is not None, is_org_member)
-    except model.DataModelException as ex:
-      raise SaveException(ex)
+        return [
+            self._user_permission(perm, org is not None, is_org_member(perm.user))
+            for perm in repo_perms
+        ]
 
-  def delete_repo_permission_for_user(self, username, namespace_name, repository_name):
-    try:
-      model.permission.delete_user_permission(username, namespace_name, repository_name)
-    except model.DataModelException as ex:
-      raise DeleteException(ex)
+    def get_repo_roles(self, username, namespace_name, repository_name):
+        user = model.user.get_user(username)
+        if not user:
+            return None
 
-  def get_repo_permissions_by_team(self, namespace_name, repository_name):
-    repo_perms = model.permission.get_all_repo_teams(namespace_name, repository_name)
-    return [self._team_permission(perm, perm.team.name) for perm in repo_perms]  
+        repo = model.repository.get_repository(namespace_name, repository_name)
+        if not repo:
+            return None
 
-  def get_repo_role_for_team(self, team_name, namespace_name, repository_name):
-    return self._role(model.permission.get_team_reponame_permission(team_name, namespace_name, repository_name))
+        return [
+            self._role(r)
+            for r in model.permission.get_user_repo_permissions(user, repo)
+        ]
 
-  def set_repo_permission_for_team(self, team_name, namespace_name, repository_name, role_name):
-    try:
-      return self._team_permission(model.permission.set_team_repo_permission(team_name, namespace_name, repository_name, role_name), team_name)
-    except model.DataModelException as ex:
-      raise SaveException(ex)
+    def get_repo_permission_for_user(self, username, namespace_name, repository_name):
+        perm = model.permission.get_user_reponame_permission(
+            username, namespace_name, repository_name
+        )
+        org = None
+        try:
+            org = model.organization.get_organization(namespace_name)
+            org_members = model.organization.get_organization_member_set(
+                org, users_filter={perm.user}
+            )
+            is_org_member = perm.user.robot or perm.user.username in org_members
+        except model.InvalidOrganizationException:
+            # This repository is not part of an organization
+            is_org_member = False
+
+        return self._user_permission(perm, org is not None, is_org_member)
+
+    def set_repo_permission_for_user(
+        self, username, namespace_name, repository_name, role_name
+    ):
+        try:
+            perm = model.permission.set_user_repo_permission(
+                username, namespace_name, repository_name, role_name
+            )
+            org = None
+            try:
+                org = model.organization.get_organization(namespace_name)
+                org_members = model.organization.get_organization_member_set(
+                    org, users_filter={perm.user}
+                )
+                is_org_member = perm.user.robot or perm.user.username in org_members
+            except model.InvalidOrganizationException:
+                # This repository is not part of an organization
+                is_org_member = False
+            return self._user_permission(perm, org is not None, is_org_member)
+        except model.DataModelException as ex:
+            raise SaveException(ex)
+
+    def delete_repo_permission_for_user(
+        self, username, namespace_name, repository_name
+    ):
+        try:
+            model.permission.delete_user_permission(
+                username, namespace_name, repository_name
+            )
+        except model.DataModelException as ex:
+            raise DeleteException(ex)
+
+    def get_repo_permissions_by_team(self, namespace_name, repository_name):
+        repo_perms = model.permission.get_all_repo_teams(
+            namespace_name, repository_name
+        )
+        return [self._team_permission(perm, perm.team.name) for perm in repo_perms]
+
+    def get_repo_role_for_team(self, team_name, namespace_name, repository_name):
+        return self._role(
+            model.permission.get_team_reponame_permission(
+                team_name, namespace_name, repository_name
+            )
+        )
+
+    def set_repo_permission_for_team(
+        self, team_name, namespace_name, repository_name, role_name
+    ):
+        try:
+            return self._team_permission(
+                model.permission.set_team_repo_permission(
+                    team_name, namespace_name, repository_name, role_name
+                ),
+                team_name,
+            )
+        except model.DataModelException as ex:
+            raise SaveException(ex)
+
+    def delete_repo_permission_for_team(
+        self, team_name, namespace_name, repository_name
+    ):
+        try:
+            model.permission.delete_team_permission(
+                team_name, namespace_name, repository_name
+            )
+        except model.DataModelException as ex:
+            raise DeleteException(ex)
+
+    def _role(self, permission_obj):
+        return Role(role_name=permission_obj.role.name)
+
+    def _user_permission(self, permission_obj, has_org, is_org_member):
+        return UserPermission(
+            role_name=permission_obj.role.name,
+            username=permission_obj.user.username,
+            is_robot=permission_obj.user.robot,
+            avatar=avatar.get_data_for_user(permission_obj.user),
+            is_org_member=is_org_member,
+            has_org=has_org,
+        )
+
+    def _team_permission(self, permission_obj, team_name):
+        return TeamPermission(
+            role_name=permission_obj.role.name,
+            team_name=permission_obj.team.name,
+            avatar=avatar.get_data_for_team(permission_obj.team),
+        )
 
-  def delete_repo_permission_for_team(self, team_name, namespace_name, repository_name):
-    try:
-      model.permission.delete_team_permission(team_name, namespace_name, repository_name)
-    except model.DataModelException as ex:
-      raise DeleteException(ex)
-    
-  def _role(self, permission_obj):
-    return Role(role_name=permission_obj.role.name)
-  
-  def _user_permission(self, permission_obj, has_org, is_org_member):
-    return UserPermission(role_name=permission_obj.role.name, 
-                          username=permission_obj.user.username, 
-                          is_robot=permission_obj.user.robot, 
-                          avatar=avatar.get_data_for_user(permission_obj.user), 
-                          is_org_member=is_org_member,
-                          has_org=has_org)
-  
-  def _team_permission(self, permission_obj, team_name):
-    return TeamPermission(role_name=permission_obj.role.name,
-                          team_name=permission_obj.team.name,
-                          avatar=avatar.get_data_for_team(permission_obj.team))
 
 pre_oci_model = PreOCIModel()
diff --git a/endpoints/api/prototype.py b/endpoints/api/prototype.py
index 2944aab60..512e0710c 100644
--- a/endpoints/api/prototype.py
+++ b/endpoints/api/prototype.py
@@ -2,8 +2,16 @@
 
 from flask import request
 
-from endpoints.api import (resource, nickname, ApiResource, validate_json_request, request_error,
-                           log_action, path_param, require_scope)
+from endpoints.api import (
+    resource,
+    nickname,
+    ApiResource,
+    validate_json_request,
+    request_error,
+    log_action,
+    path_param,
+    require_scope,
+)
 from endpoints.exception import Unauthorized, NotFound
 from auth.permissions import AdministerOrganizationPermission
 from auth.auth_context import get_authenticated_user
@@ -13,258 +21,270 @@ from app import avatar
 
 
 def prototype_view(proto, org_members):
-  def prototype_user_view(user):
+    def prototype_user_view(user):
+        return {
+            "name": user.username,
+            "is_robot": user.robot,
+            "kind": "user",
+            "is_org_member": user.robot or user.username in org_members,
+            "avatar": avatar.get_data_for_user(user),
+        }
+
+    if proto.delegate_user:
+        delegate_view = prototype_user_view(proto.delegate_user)
+    else:
+        delegate_view = {
+            "name": proto.delegate_team.name,
+            "kind": "team",
+            "avatar": avatar.get_data_for_team(proto.delegate_team),
+        }
+
     return {
-      'name': user.username,
-      'is_robot': user.robot,
-      'kind': 'user',
-      'is_org_member': user.robot or user.username in org_members,
-      'avatar': avatar.get_data_for_user(user)
+        "activating_user": (
+            prototype_user_view(proto.activating_user)
+            if proto.activating_user
+            else None
+        ),
+        "delegate": delegate_view,
+        "role": proto.role.name,
+        "id": proto.uuid,
     }
 
-  if proto.delegate_user:
-    delegate_view = prototype_user_view(proto.delegate_user)
-  else:
-    delegate_view = {
-      'name': proto.delegate_team.name,
-      'kind': 'team',
-      'avatar': avatar.get_data_for_team(proto.delegate_team)
-    }
-
-  return {
-    'activating_user': (prototype_user_view(proto.activating_user)
-                        if proto.activating_user else None),
-    'delegate': delegate_view,
-    'role': proto.role.name,
-    'id': proto.uuid,
-  }
 
 def log_prototype_action(action_kind, orgname, prototype, **kwargs):
-  username = get_authenticated_user().username
-  log_params = {
-    'prototypeid': prototype.uuid,
-    'username': username,
-    'activating_username': (prototype.activating_user.username
-                            if prototype.activating_user else None),
-    'role': prototype.role.name
-  }
+    username = get_authenticated_user().username
+    log_params = {
+        "prototypeid": prototype.uuid,
+        "username": username,
+        "activating_username": (
+            prototype.activating_user.username if prototype.activating_user else None
+        ),
+        "role": prototype.role.name,
+    }
 
-  for key, value in kwargs.items():
-    log_params[key] = value
+    for key, value in kwargs.items():
+        log_params[key] = value
 
-  if prototype.delegate_user:
-    log_params['delegate_user'] = prototype.delegate_user.username
-  elif prototype.delegate_team:
-    log_params['delegate_team'] = prototype.delegate_team.name
+    if prototype.delegate_user:
+        log_params["delegate_user"] = prototype.delegate_user.username
+    elif prototype.delegate_team:
+        log_params["delegate_team"] = prototype.delegate_team.name
 
-  log_action(action_kind, orgname, log_params)
+    log_action(action_kind, orgname, log_params)
 
 
-@resource('/v1/organization/<orgname>/prototypes')
-@path_param('orgname', 'The name of the organization')
+@resource("/v1/organization/<orgname>/prototypes")
+@path_param("orgname", "The name of the organization")
 class PermissionPrototypeList(ApiResource):
-  """ Resource for listing and creating permission prototypes. """
-  schemas = {
-    'NewPrototype': {
-      'type': 'object',
-      'description': 'Description of a new prototype',
-      'required': [
-        'role',
-        'delegate',
-      ],
-      'properties': {
-        'role': {
-          'type': 'string',
-          'description': 'Role that should be applied to the delegate',
-          'enum': [
-            'read',
-            'write',
-            'admin',
-          ],
-        },
-        'activating_user': {
-          'type': 'object',
-          'description': 'Repository creating user to whom the rule should apply',
-          'required': [
-            'name',
-          ],
-          'properties': {
-            'name': {
-              'type': 'string',
-              'description': 'The username for the activating_user',
+    """ Resource for listing and creating permission prototypes. """
+
+    schemas = {
+        "NewPrototype": {
+            "type": "object",
+            "description": "Description of a new prototype",
+            "required": ["role", "delegate"],
+            "properties": {
+                "role": {
+                    "type": "string",
+                    "description": "Role that should be applied to the delegate",
+                    "enum": ["read", "write", "admin"],
+                },
+                "activating_user": {
+                    "type": "object",
+                    "description": "Repository creating user to whom the rule should apply",
+                    "required": ["name"],
+                    "properties": {
+                        "name": {
+                            "type": "string",
+                            "description": "The username for the activating_user",
+                        }
+                    },
+                },
+                "delegate": {
+                    "type": "object",
+                    "description": "Information about the user or team to which the rule grants access",
+                    "required": ["name", "kind"],
+                    "properties": {
+                        "name": {
+                            "type": "string",
+                            "description": "The name for the delegate team or user",
+                        },
+                        "kind": {
+                            "type": "string",
+                            "description": "Whether the delegate is a user or a team",
+                            "enum": ["user", "team"],
+                        },
+                    },
+                },
             },
-          },
-        },
-        'delegate': {
-          'type': 'object',
-          'description': 'Information about the user or team to which the rule grants access',
-          'required': [
-            'name',
-            'kind',
-          ],
-          'properties': {
-            'name': {
-              'type': 'string',
-              'description': 'The name for the delegate team or user',
-            },
-            'kind': {
-              'type': 'string',
-              'description': 'Whether the delegate is a user or a team',
-              'enum': [
-                'user',
-                'team',
-              ],
-            },
-          },
-        },
-      },
-    },
-  }
+        }
+    }
 
-  @require_scope(scopes.ORG_ADMIN)
-  @nickname('getOrganizationPrototypePermissions')
-  def get(self, orgname):
-    """ List the existing prototypes for this organization. """
-    permission = AdministerOrganizationPermission(orgname)
-    if permission.can():
-      try:
-        org = model.organization.get_organization(orgname)
-      except model.InvalidOrganizationException:
-        raise NotFound()
+    @require_scope(scopes.ORG_ADMIN)
+    @nickname("getOrganizationPrototypePermissions")
+    def get(self, orgname):
+        """ List the existing prototypes for this organization. """
+        permission = AdministerOrganizationPermission(orgname)
+        if permission.can():
+            try:
+                org = model.organization.get_organization(orgname)
+            except model.InvalidOrganizationException:
+                raise NotFound()
 
-      permissions = model.permission.get_prototype_permissions(org)
+            permissions = model.permission.get_prototype_permissions(org)
 
-      users_filter = ({p.activating_user for p in permissions} |
-                      {p.delegate_user for p in permissions})
-      org_members = model.organization.get_organization_member_set(org, users_filter=users_filter)
-      return {'prototypes': [prototype_view(p, org_members)  for p in permissions]}
+            users_filter = {p.activating_user for p in permissions} | {
+                p.delegate_user for p in permissions
+            }
+            org_members = model.organization.get_organization_member_set(
+                org, users_filter=users_filter
+            )
+            return {"prototypes": [prototype_view(p, org_members) for p in permissions]}
 
-    raise Unauthorized()
+        raise Unauthorized()
 
-  @require_scope(scopes.ORG_ADMIN)
-  @nickname('createOrganizationPrototypePermission')
-  @validate_json_request('NewPrototype')
-  def post(self, orgname):
-    """ Create a new permission prototype. """
-    permission = AdministerOrganizationPermission(orgname)
-    if permission.can():
-      try:
-        org = model.organization.get_organization(orgname)
-      except model.InvalidOrganizationException:
-        raise NotFound()
+    @require_scope(scopes.ORG_ADMIN)
+    @nickname("createOrganizationPrototypePermission")
+    @validate_json_request("NewPrototype")
+    def post(self, orgname):
+        """ Create a new permission prototype. """
+        permission = AdministerOrganizationPermission(orgname)
+        if permission.can():
+            try:
+                org = model.organization.get_organization(orgname)
+            except model.InvalidOrganizationException:
+                raise NotFound()
 
-      details = request.get_json()
-      activating_username = None
+            details = request.get_json()
+            activating_username = None
 
-      if ('activating_user' in details and details['activating_user'] and
-          'name' in details['activating_user']):
-        activating_username = details['activating_user']['name']
+            if (
+                "activating_user" in details
+                and details["activating_user"]
+                and "name" in details["activating_user"]
+            ):
+                activating_username = details["activating_user"]["name"]
 
-      delegate = details['delegate'] if 'delegate' in details else {}
-      delegate_kind = delegate.get('kind', None)
-      delegate_name = delegate.get('name', None)
+            delegate = details["delegate"] if "delegate" in details else {}
+            delegate_kind = delegate.get("kind", None)
+            delegate_name = delegate.get("name", None)
 
-      delegate_username = delegate_name if delegate_kind == 'user' else None
-      delegate_teamname = delegate_name if delegate_kind == 'team' else None
+            delegate_username = delegate_name if delegate_kind == "user" else None
+            delegate_teamname = delegate_name if delegate_kind == "team" else None
 
-      activating_user = (model.user.get_user(activating_username) if activating_username else None)
-      delegate_user = (model.user.get_user(delegate_username) if delegate_username else None)
-      delegate_team = (model.team.get_organization_team(orgname, delegate_teamname)
-                       if delegate_teamname else None)
+            activating_user = (
+                model.user.get_user(activating_username)
+                if activating_username
+                else None
+            )
+            delegate_user = (
+                model.user.get_user(delegate_username) if delegate_username else None
+            )
+            delegate_team = (
+                model.team.get_organization_team(orgname, delegate_teamname)
+                if delegate_teamname
+                else None
+            )
 
-      if activating_username and not activating_user:
-        raise request_error(message='Unknown activating user')
+            if activating_username and not activating_user:
+                raise request_error(message="Unknown activating user")
 
-      if not delegate_user and not delegate_team:
-        raise request_error(message='Missing delegate user or team')
+            if not delegate_user and not delegate_team:
+                raise request_error(message="Missing delegate user or team")
 
-      role_name = details['role']
+            role_name = details["role"]
 
-      prototype = model.permission.add_prototype_permission(org, role_name, activating_user,
-                                                            delegate_user, delegate_team)
-      log_prototype_action('create_prototype_permission', orgname, prototype)
+            prototype = model.permission.add_prototype_permission(
+                org, role_name, activating_user, delegate_user, delegate_team
+            )
+            log_prototype_action("create_prototype_permission", orgname, prototype)
 
-      users_filter = {prototype.activating_user, prototype.delegate_user}
-      org_members = model.organization.get_organization_member_set(org, users_filter=users_filter)
-      return prototype_view(prototype, org_members)
+            users_filter = {prototype.activating_user, prototype.delegate_user}
+            org_members = model.organization.get_organization_member_set(
+                org, users_filter=users_filter
+            )
+            return prototype_view(prototype, org_members)
 
-    raise Unauthorized()
+        raise Unauthorized()
 
 
-@resource('/v1/organization/<orgname>/prototypes/<prototypeid>')
-@path_param('orgname', 'The name of the organization')
-@path_param('prototypeid', 'The ID of the prototype')
+@resource("/v1/organization/<orgname>/prototypes/<prototypeid>")
+@path_param("orgname", "The name of the organization")
+@path_param("prototypeid", "The ID of the prototype")
 class PermissionPrototype(ApiResource):
-  """ Resource for managingin individual permission prototypes. """
-  schemas = {
-    'PrototypeUpdate': {
-      'type': 'object',
-      'description': 'Description of a the new prototype role',
-      'required': [
-        'role',
-      ],
-      'properties': {
-        'role': {
-          'type': 'string',
-          'description': 'Role that should be applied to the permission',
-          'enum': [
-            'read',
-            'write',
-            'admin',
-          ],
-        },
-      },
-    },
-  }
+    """ Resource for managingin individual permission prototypes. """
 
-  @require_scope(scopes.ORG_ADMIN)
-  @nickname('deleteOrganizationPrototypePermission')
-  def delete(self, orgname, prototypeid):
-    """ Delete an existing permission prototype. """
-    permission = AdministerOrganizationPermission(orgname)
-    if permission.can():
-      try:
-        org = model.organization.get_organization(orgname)
-      except model.InvalidOrganizationException:
-        raise NotFound()
+    schemas = {
+        "PrototypeUpdate": {
+            "type": "object",
+            "description": "Description of a the new prototype role",
+            "required": ["role"],
+            "properties": {
+                "role": {
+                    "type": "string",
+                    "description": "Role that should be applied to the permission",
+                    "enum": ["read", "write", "admin"],
+                }
+            },
+        }
+    }
 
-      prototype = model.permission.delete_prototype_permission(org, prototypeid)
-      if not prototype:
-        raise NotFound()
+    @require_scope(scopes.ORG_ADMIN)
+    @nickname("deleteOrganizationPrototypePermission")
+    def delete(self, orgname, prototypeid):
+        """ Delete an existing permission prototype. """
+        permission = AdministerOrganizationPermission(orgname)
+        if permission.can():
+            try:
+                org = model.organization.get_organization(orgname)
+            except model.InvalidOrganizationException:
+                raise NotFound()
 
-      log_prototype_action('delete_prototype_permission', orgname, prototype)
+            prototype = model.permission.delete_prototype_permission(org, prototypeid)
+            if not prototype:
+                raise NotFound()
 
-      return '', 204
+            log_prototype_action("delete_prototype_permission", orgname, prototype)
 
-    raise Unauthorized()
+            return "", 204
 
-  @require_scope(scopes.ORG_ADMIN)
-  @nickname('updateOrganizationPrototypePermission')
-  @validate_json_request('PrototypeUpdate')
-  def put(self, orgname, prototypeid):
-    """ Update the role of an existing permission prototype. """
-    permission = AdministerOrganizationPermission(orgname)
-    if permission.can():
-      try:
-        org = model.organization.get_organization(orgname)
-      except model.InvalidOrganizationException:
-        raise NotFound()
+        raise Unauthorized()
 
-      existing = model.permission.get_prototype_permission(org, prototypeid)
-      if not existing:
-        raise NotFound()
+    @require_scope(scopes.ORG_ADMIN)
+    @nickname("updateOrganizationPrototypePermission")
+    @validate_json_request("PrototypeUpdate")
+    def put(self, orgname, prototypeid):
+        """ Update the role of an existing permission prototype. """
+        permission = AdministerOrganizationPermission(orgname)
+        if permission.can():
+            try:
+                org = model.organization.get_organization(orgname)
+            except model.InvalidOrganizationException:
+                raise NotFound()
 
-      details = request.get_json()
-      role_name = details['role']
-      prototype = model.permission.update_prototype_permission(org, prototypeid, role_name)
-      if not prototype:
-        raise NotFound()
+            existing = model.permission.get_prototype_permission(org, prototypeid)
+            if not existing:
+                raise NotFound()
 
-      log_prototype_action('modify_prototype_permission', orgname, prototype,
-                           original_role=existing.role.name)
+            details = request.get_json()
+            role_name = details["role"]
+            prototype = model.permission.update_prototype_permission(
+                org, prototypeid, role_name
+            )
+            if not prototype:
+                raise NotFound()
 
-      users_filter = {prototype.activating_user, prototype.delegate_user}
-      org_members = model.organization.get_organization_member_set(org, users_filter=users_filter)
-      return prototype_view(prototype, org_members)
+            log_prototype_action(
+                "modify_prototype_permission",
+                orgname,
+                prototype,
+                original_role=existing.role.name,
+            )
 
-    raise Unauthorized()
+            users_filter = {prototype.activating_user, prototype.delegate_user}
+            org_members = model.organization.get_organization_member_set(
+                org, users_filter=users_filter
+            )
+            return prototype_view(prototype, org_members)
+
+        raise Unauthorized()
diff --git a/endpoints/api/repoemail.py b/endpoints/api/repoemail.py
index 3edccb4cc..b41f7b30c 100644
--- a/endpoints/api/repoemail.py
+++ b/endpoints/api/repoemail.py
@@ -4,8 +4,17 @@ import logging
 
 from flask import request, abort
 
-from endpoints.api import (resource, nickname, require_repo_admin, RepositoryParamResource,
-                           log_action, validate_json_request, internal_only, path_param, show_if)
+from endpoints.api import (
+    resource,
+    nickname,
+    require_repo_admin,
+    RepositoryParamResource,
+    log_action,
+    validate_json_request,
+    internal_only,
+    path_param,
+    show_if,
+)
 from endpoints.api.repoemail_models_pre_oci import pre_oci_model as model
 from endpoints.exception import NotFound
 from app import tf
@@ -18,35 +27,37 @@ logger = logging.getLogger(__name__)
 
 
 @internal_only
-@resource('/v1/repository/<apirepopath:repository>/authorizedemail/<email>')
+@resource("/v1/repository/<apirepopath:repository>/authorizedemail/<email>")
 @show_if(features.MAILING)
-@path_param('repository', 'The full path of the repository. e.g. namespace/name')
-@path_param('email', 'The e-mail address')
+@path_param("repository", "The full path of the repository. e.g. namespace/name")
+@path_param("email", "The e-mail address")
 class RepositoryAuthorizedEmail(RepositoryParamResource):
-  """ Resource for checking and authorizing e-mail addresses to receive repo notifications. """
+    """ Resource for checking and authorizing e-mail addresses to receive repo notifications. """
 
-  @require_repo_admin
-  @nickname('checkRepoEmailAuthorized')
-  def get(self, namespace, repository, email):
-    """ Checks to see if the given e-mail address is authorized on this repository. """
-    record = model.get_email_authorized_for_repo(namespace, repository, email)
-    if not record:
-      abort(404)
+    @require_repo_admin
+    @nickname("checkRepoEmailAuthorized")
+    def get(self, namespace, repository, email):
+        """ Checks to see if the given e-mail address is authorized on this repository. """
+        record = model.get_email_authorized_for_repo(namespace, repository, email)
+        if not record:
+            abort(404)
 
-    return record.to_dict()
-
-  @require_repo_admin
-  @nickname('sendAuthorizeRepoEmail')
-  def post(self, namespace, repository, email):
-    """ Starts the authorization process for an e-mail address on a repository. """
-
-    with tf(db):
-      record = model.get_email_authorized_for_repo(namespace, repository, email)
-      if record and record.confirmed:
         return record.to_dict()
 
-      if not record:
-        record = model.create_email_authorization_for_repo(namespace, repository, email)
+    @require_repo_admin
+    @nickname("sendAuthorizeRepoEmail")
+    def post(self, namespace, repository, email):
+        """ Starts the authorization process for an e-mail address on a repository. """
 
-      send_repo_authorization_email(namespace, repository, email, record.code)
-      return record.to_dict()
+        with tf(db):
+            record = model.get_email_authorized_for_repo(namespace, repository, email)
+            if record and record.confirmed:
+                return record.to_dict()
+
+            if not record:
+                record = model.create_email_authorization_for_repo(
+                    namespace, repository, email
+                )
+
+            send_repo_authorization_email(namespace, repository, email, record.code)
+            return record.to_dict()
diff --git a/endpoints/api/repoemail_models_interface.py b/endpoints/api/repoemail_models_interface.py
index 2aae7ab9c..62dcc8a14 100644
--- a/endpoints/api/repoemail_models_interface.py
+++ b/endpoints/api/repoemail_models_interface.py
@@ -5,14 +5,12 @@ from six import add_metaclass
 
 
 class RepositoryAuthorizedEmail(
-    namedtuple('RepositoryAuthorizedEmail', [
-      'email',
-      'repository_name',
-      'namespace_name',
-      'confirmed',
-      'code',
-    ])):
-  """
+    namedtuple(
+        "RepositoryAuthorizedEmail",
+        ["email", "repository_name", "namespace_name", "confirmed", "code"],
+    )
+):
+    """
   Tag represents a name to an image.
   :type email: string
   :type repository_name: string
@@ -21,30 +19,32 @@ class RepositoryAuthorizedEmail(
   :type code: string
   """
 
-  def to_dict(self):
-    return {
-      'email': self.email,
-      'repository': self.repository_name,
-      'namespace': self.namespace_name,
-      'confirmed': self.confirmed,
-      'code': self.code
-    }
+    def to_dict(self):
+        return {
+            "email": self.email,
+            "repository": self.repository_name,
+            "namespace": self.namespace_name,
+            "confirmed": self.confirmed,
+            "code": self.code,
+        }
 
 
 @add_metaclass(ABCMeta)
 class RepoEmailDataInterface(object):
-  """
+    """
   Interface that represents all data store interactions required by a Repo Email.
   """
 
-  @abstractmethod
-  def get_email_authorized_for_repo(self, namespace_name, repository_name, email):
-    """
+    @abstractmethod
+    def get_email_authorized_for_repo(self, namespace_name, repository_name, email):
+        """
     Returns a RepositoryAuthorizedEmail if available else None
     """
 
-  @abstractmethod
-  def create_email_authorization_for_repo(self, namespace_name, repository_name, email):
-    """
+    @abstractmethod
+    def create_email_authorization_for_repo(
+        self, namespace_name, repository_name, email
+    ):
+        """
     Returns the newly created repository authorized email.
     """
diff --git a/endpoints/api/repoemail_models_pre_oci.py b/endpoints/api/repoemail_models_pre_oci.py
index 80a65c995..5d091a9f1 100644
--- a/endpoints/api/repoemail_models_pre_oci.py
+++ b/endpoints/api/repoemail_models_pre_oci.py
@@ -1,28 +1,42 @@
 from data import model
-from endpoints.api.repoemail_models_interface import RepoEmailDataInterface, RepositoryAuthorizedEmail
+from endpoints.api.repoemail_models_interface import (
+    RepoEmailDataInterface,
+    RepositoryAuthorizedEmail,
+)
 
 
 def _return_none_or_data(func, namespace_name, repository_name, email):
-  data = func(namespace_name, repository_name, email)
-  if data is None:
-    return data
-  return RepositoryAuthorizedEmail(email, repository_name, namespace_name, data.confirmed,
-                                   data.code)
+    data = func(namespace_name, repository_name, email)
+    if data is None:
+        return data
+    return RepositoryAuthorizedEmail(
+        email, repository_name, namespace_name, data.confirmed, data.code
+    )
 
 
 class PreOCIModel(RepoEmailDataInterface):
-  """
+    """
   PreOCIModel implements the data model for the Repo Email using a database schema
   before it was changed to support the OCI specification.
   """
 
-  def get_email_authorized_for_repo(self, namespace_name, repository_name, email):
-    return _return_none_or_data(model.repository.get_email_authorized_for_repo, namespace_name,
-                                repository_name, email)
+    def get_email_authorized_for_repo(self, namespace_name, repository_name, email):
+        return _return_none_or_data(
+            model.repository.get_email_authorized_for_repo,
+            namespace_name,
+            repository_name,
+            email,
+        )
 
-  def create_email_authorization_for_repo(self, namespace_name, repository_name, email):
-    return _return_none_or_data(model.repository.create_email_authorization_for_repo,
-                                namespace_name, repository_name, email)
+    def create_email_authorization_for_repo(
+        self, namespace_name, repository_name, email
+    ):
+        return _return_none_or_data(
+            model.repository.create_email_authorization_for_repo,
+            namespace_name,
+            repository_name,
+            email,
+        )
 
 
 pre_oci_model = PreOCIModel()
diff --git a/endpoints/api/repository.py b/endpoints/api/repository.py
index d117f238d..5b9b0aaee 100644
--- a/endpoints/api/repository.py
+++ b/endpoints/api/repository.py
@@ -12,17 +12,42 @@ from flask import request, abort
 from app import dockerfile_build_queue, tuf_metadata_api
 from data.database import RepositoryState
 from endpoints.api import (
-  format_date, nickname, log_action, validate_json_request, require_repo_read, require_repo_write,
-  require_repo_admin, RepositoryParamResource, resource, parse_args, ApiResource, request_error,
-  require_scope, path_param, page_support, query_param, truthy_bool, show_if)
+    format_date,
+    nickname,
+    log_action,
+    validate_json_request,
+    require_repo_read,
+    require_repo_write,
+    require_repo_admin,
+    RepositoryParamResource,
+    resource,
+    parse_args,
+    ApiResource,
+    request_error,
+    require_scope,
+    path_param,
+    page_support,
+    query_param,
+    truthy_bool,
+    show_if,
+)
 from endpoints.api.repository_models_pre_oci import pre_oci_model as model
 from endpoints.exception import (
-  Unauthorized, NotFound, InvalidRequest, ExceedsLicenseException, DownstreamIssue)
+    Unauthorized,
+    NotFound,
+    InvalidRequest,
+    ExceedsLicenseException,
+    DownstreamIssue,
+)
 from endpoints.api.billing import lookup_allowed_private_repos, get_namespace_plan
 from endpoints.api.subscribe import check_repository_usage
 
-from auth.permissions import (ModifyRepositoryPermission, AdministerRepositoryPermission,
-                              CreateRepositoryPermission, ReadRepositoryPermission)
+from auth.permissions import (
+    ModifyRepositoryPermission,
+    AdministerRepositoryPermission,
+    CreateRepositoryPermission,
+    ReadRepositoryPermission,
+)
 from auth.auth_context import get_authenticated_user
 from auth import scopes
 from util.names import REPOSITORY_NAME_REGEX
@@ -34,371 +59,443 @@ MAX_DAYS_IN_3_MONTHS = 92
 
 
 def check_allowed_private_repos(namespace):
-  """ Checks to see if the given namespace has reached its private repository limit. If so,
+    """ Checks to see if the given namespace has reached its private repository limit. If so,
       raises a ExceedsLicenseException.
   """
-  # Not enabled if billing is disabled.
-  if not features.BILLING:
-    return
+    # Not enabled if billing is disabled.
+    if not features.BILLING:
+        return
 
-  if not lookup_allowed_private_repos(namespace):
-    raise ExceedsLicenseException()
+    if not lookup_allowed_private_repos(namespace):
+        raise ExceedsLicenseException()
 
 
-@resource('/v1/repository')
+@resource("/v1/repository")
 class RepositoryList(ApiResource):
-  """Operations for creating and listing repositories."""
-  schemas = {
-    'NewRepo': {
-      'type': 'object',
-      'description': 'Description of a new repository',
-      'required': [
-        'repository',
-        'visibility',
-        'description',
-      ],
-      'properties': {
-        'repository': {
-          'type': 'string',
-          'description': 'Repository name',
-        },
-        'visibility': {
-          'type': 'string',
-          'description': 'Visibility which the repository will start with',
-          'enum': [
-            'public',
-            'private',
-          ],
-        },
-        'namespace': {
-          'type':
-            'string',
-          'description': ('Namespace in which the repository should be created. If omitted, the '
-                          'username of the caller is used'),
-        },
-        'description': {
-          'type': 'string',
-          'description': 'Markdown encoded description for the repository',
-        },
-        'repo_kind': {
-          'type': ['string', 'null'],
-          'description': 'The kind of repository',
-          'enum': ['image', 'application', None],
+    """Operations for creating and listing repositories."""
+
+    schemas = {
+        "NewRepo": {
+            "type": "object",
+            "description": "Description of a new repository",
+            "required": ["repository", "visibility", "description"],
+            "properties": {
+                "repository": {"type": "string", "description": "Repository name"},
+                "visibility": {
+                    "type": "string",
+                    "description": "Visibility which the repository will start with",
+                    "enum": ["public", "private"],
+                },
+                "namespace": {
+                    "type": "string",
+                    "description": (
+                        "Namespace in which the repository should be created. If omitted, the "
+                        "username of the caller is used"
+                    ),
+                },
+                "description": {
+                    "type": "string",
+                    "description": "Markdown encoded description for the repository",
+                },
+                "repo_kind": {
+                    "type": ["string", "null"],
+                    "description": "The kind of repository",
+                    "enum": ["image", "application", None],
+                },
+            },
         }
-      },
-    },
-  }
+    }
 
-  @require_scope(scopes.CREATE_REPO)
-  @nickname('createRepo')
-  @validate_json_request('NewRepo')
-  def post(self):
-    """Create a new repository."""
-    owner = get_authenticated_user()
-    req = request.get_json()
+    @require_scope(scopes.CREATE_REPO)
+    @nickname("createRepo")
+    @validate_json_request("NewRepo")
+    def post(self):
+        """Create a new repository."""
+        owner = get_authenticated_user()
+        req = request.get_json()
 
-    if owner is None and 'namespace' not in 'req':
-      raise InvalidRequest('Must provide a namespace or must be logged in.')
+        if owner is None and "namespace" not in "req":
+            raise InvalidRequest("Must provide a namespace or must be logged in.")
 
-    namespace_name = req['namespace'] if 'namespace' in req else owner.username
+        namespace_name = req["namespace"] if "namespace" in req else owner.username
 
-    permission = CreateRepositoryPermission(namespace_name)
-    if permission.can():
-      repository_name = req['repository']
-      visibility = req['visibility']
+        permission = CreateRepositoryPermission(namespace_name)
+        if permission.can():
+            repository_name = req["repository"]
+            visibility = req["visibility"]
 
-      if model.repo_exists(namespace_name, repository_name):
-        raise request_error(message='Repository already exists')
+            if model.repo_exists(namespace_name, repository_name):
+                raise request_error(message="Repository already exists")
 
-      visibility = req['visibility']
-      if visibility == 'private':
-        check_allowed_private_repos(namespace_name)
+            visibility = req["visibility"]
+            if visibility == "private":
+                check_allowed_private_repos(namespace_name)
 
-      # Verify that the repository name is valid.
-      if not REPOSITORY_NAME_REGEX.match(repository_name):
-        raise InvalidRequest('Invalid repository name')
+            # Verify that the repository name is valid.
+            if not REPOSITORY_NAME_REGEX.match(repository_name):
+                raise InvalidRequest("Invalid repository name")
 
-      kind = req.get('repo_kind', 'image') or 'image'
-      model.create_repo(namespace_name, repository_name, owner, req['description'],
-                        visibility=visibility, repo_kind=kind)
+            kind = req.get("repo_kind", "image") or "image"
+            model.create_repo(
+                namespace_name,
+                repository_name,
+                owner,
+                req["description"],
+                visibility=visibility,
+                repo_kind=kind,
+            )
 
-      log_action('create_repo', namespace_name,
-                 {'repo': repository_name,
-                  'namespace': namespace_name}, repo_name=repository_name)
-      return {
-        'namespace': namespace_name,
-        'name': repository_name,
-        'kind': kind,
-      }, 201
+            log_action(
+                "create_repo",
+                namespace_name,
+                {"repo": repository_name, "namespace": namespace_name},
+                repo_name=repository_name,
+            )
+            return (
+                {"namespace": namespace_name, "name": repository_name, "kind": kind},
+                201,
+            )
 
-    raise Unauthorized()
+        raise Unauthorized()
 
-  @require_scope(scopes.READ_REPO)
-  @nickname('listRepos')
-  @parse_args()
-  @query_param('namespace', 'Filters the repositories returned to this namespace', type=str)
-  @query_param('starred', 'Filters the repositories returned to those starred by the user',
-               type=truthy_bool, default=False)
-  @query_param('public', 'Adds any repositories visible to the user by virtue of being public',
-               type=truthy_bool, default=False)
-  @query_param('last_modified', 'Whether to include when the repository was last modified.',
-               type=truthy_bool, default=False)
-  @query_param('popularity', 'Whether to include the repository\'s popularity metric.',
-               type=truthy_bool, default=False)
-  @query_param('repo_kind', 'The kind of repositories to return', type=str, default='image')
-  @page_support()
-  def get(self, page_token, parsed_args):
-    """ Fetch the list of repositories visible to the current user under a variety of situations.
+    @require_scope(scopes.READ_REPO)
+    @nickname("listRepos")
+    @parse_args()
+    @query_param(
+        "namespace", "Filters the repositories returned to this namespace", type=str
+    )
+    @query_param(
+        "starred",
+        "Filters the repositories returned to those starred by the user",
+        type=truthy_bool,
+        default=False,
+    )
+    @query_param(
+        "public",
+        "Adds any repositories visible to the user by virtue of being public",
+        type=truthy_bool,
+        default=False,
+    )
+    @query_param(
+        "last_modified",
+        "Whether to include when the repository was last modified.",
+        type=truthy_bool,
+        default=False,
+    )
+    @query_param(
+        "popularity",
+        "Whether to include the repository's popularity metric.",
+        type=truthy_bool,
+        default=False,
+    )
+    @query_param(
+        "repo_kind", "The kind of repositories to return", type=str, default="image"
+    )
+    @page_support()
+    def get(self, page_token, parsed_args):
+        """ Fetch the list of repositories visible to the current user under a variety of situations.
     """
-    # Ensure that the user requests either filtered by a namespace, only starred repositories,
-    # or public repositories. This ensures that the user is not requesting *all* visible repos,
-    # which can cause a surge in DB CPU usage.
-    if not parsed_args['namespace'] and not parsed_args['starred'] and not parsed_args['public']:
-      raise InvalidRequest('namespace, starred or public are required for this API call')
+        # Ensure that the user requests either filtered by a namespace, only starred repositories,
+        # or public repositories. This ensures that the user is not requesting *all* visible repos,
+        # which can cause a surge in DB CPU usage.
+        if (
+            not parsed_args["namespace"]
+            and not parsed_args["starred"]
+            and not parsed_args["public"]
+        ):
+            raise InvalidRequest(
+                "namespace, starred or public are required for this API call"
+            )
 
-    user = get_authenticated_user()
-    username = user.username if user else None
-    last_modified = parsed_args['last_modified']
-    popularity = parsed_args['popularity']
+        user = get_authenticated_user()
+        username = user.username if user else None
+        last_modified = parsed_args["last_modified"]
+        popularity = parsed_args["popularity"]
 
-    if parsed_args['starred'] and not username:
-      # No repositories should be returned, as there is no user.
-      abort(400)
+        if parsed_args["starred"] and not username:
+            # No repositories should be returned, as there is no user.
+            abort(400)
 
-    repos, next_page_token = model.get_repo_list(
-      parsed_args['starred'], user, parsed_args['repo_kind'], parsed_args['namespace'], username,
-      parsed_args['public'], page_token, last_modified, popularity)
+        repos, next_page_token = model.get_repo_list(
+            parsed_args["starred"],
+            user,
+            parsed_args["repo_kind"],
+            parsed_args["namespace"],
+            username,
+            parsed_args["public"],
+            page_token,
+            last_modified,
+            popularity,
+        )
 
-    return {'repositories': [repo.to_dict() for repo in repos]}, next_page_token
+        return {"repositories": [repo.to_dict() for repo in repos]}, next_page_token
 
 
-@resource('/v1/repository/<apirepopath:repository>')
-@path_param('repository', 'The full path of the repository. e.g. namespace/name')
+@resource("/v1/repository/<apirepopath:repository>")
+@path_param("repository", "The full path of the repository. e.g. namespace/name")
 class Repository(RepositoryParamResource):
-  """Operations for managing a specific repository."""
-  schemas = {
-    'RepoUpdate': {
-      'type': 'object',
-      'description': 'Fields which can be updated in a repository.',
-      'required': ['description',],
-      'properties': {
-        'description': {
-          'type': 'string',
-          'description': 'Markdown encoded description for the repository',
-        },
-      }
+    """Operations for managing a specific repository."""
+
+    schemas = {
+        "RepoUpdate": {
+            "type": "object",
+            "description": "Fields which can be updated in a repository.",
+            "required": ["description"],
+            "properties": {
+                "description": {
+                    "type": "string",
+                    "description": "Markdown encoded description for the repository",
+                }
+            },
+        }
     }
-  }
 
-  @parse_args()
-  @query_param('includeStats', 'Whether to include action statistics', type=truthy_bool,
-               default=False)
-  @query_param('includeTags', 'Whether to include repository tags', type=truthy_bool,
-               default=True)
-  @require_repo_read
-  @nickname('getRepo')
-  def get(self, namespace, repository, parsed_args):
-    """Fetch the specified repository."""
-    logger.debug('Get repo: %s/%s' % (namespace, repository))
-    include_tags = parsed_args['includeTags']
-    max_tags = 500
-    repo = model.get_repo(namespace, repository, get_authenticated_user(), include_tags, max_tags)
-    if repo is None:
-      raise NotFound()
+    @parse_args()
+    @query_param(
+        "includeStats",
+        "Whether to include action statistics",
+        type=truthy_bool,
+        default=False,
+    )
+    @query_param(
+        "includeTags",
+        "Whether to include repository tags",
+        type=truthy_bool,
+        default=True,
+    )
+    @require_repo_read
+    @nickname("getRepo")
+    def get(self, namespace, repository, parsed_args):
+        """Fetch the specified repository."""
+        logger.debug("Get repo: %s/%s" % (namespace, repository))
+        include_tags = parsed_args["includeTags"]
+        max_tags = 500
+        repo = model.get_repo(
+            namespace, repository, get_authenticated_user(), include_tags, max_tags
+        )
+        if repo is None:
+            raise NotFound()
 
-    has_write_permission = ModifyRepositoryPermission(namespace, repository).can()
-    has_write_permission = has_write_permission and repo.state == RepositoryState.NORMAL
+        has_write_permission = ModifyRepositoryPermission(namespace, repository).can()
+        has_write_permission = (
+            has_write_permission and repo.state == RepositoryState.NORMAL
+        )
 
-    repo_data = repo.to_dict()
-    repo_data['can_write'] = has_write_permission
-    repo_data['can_admin'] = AdministerRepositoryPermission(namespace, repository).can()
+        repo_data = repo.to_dict()
+        repo_data["can_write"] = has_write_permission
+        repo_data["can_admin"] = AdministerRepositoryPermission(
+            namespace, repository
+        ).can()
 
-    if parsed_args['includeStats'] and repo.repository_base_elements.kind_name != 'application':
-      stats = []
-      found_dates = {}
+        if (
+            parsed_args["includeStats"]
+            and repo.repository_base_elements.kind_name != "application"
+        ):
+            stats = []
+            found_dates = {}
 
-      for count in repo.counts:
-        stats.append(count.to_dict())
-        found_dates['%s/%s' % (count.date.month, count.date.day)] = True
+            for count in repo.counts:
+                stats.append(count.to_dict())
+                found_dates["%s/%s" % (count.date.month, count.date.day)] = True
 
-      # Fill in any missing stats with zeros.
-      for day in range(1, MAX_DAYS_IN_3_MONTHS):
-        day_date = datetime.now() - timedelta(days=day)
-        key = '%s/%s' % (day_date.month, day_date.day)
-        if key not in found_dates:
-          stats.append({
-            'date': day_date.date().isoformat(),
-            'count': 0,
-          })
+            # Fill in any missing stats with zeros.
+            for day in range(1, MAX_DAYS_IN_3_MONTHS):
+                day_date = datetime.now() - timedelta(days=day)
+                key = "%s/%s" % (day_date.month, day_date.day)
+                if key not in found_dates:
+                    stats.append({"date": day_date.date().isoformat(), "count": 0})
 
-      repo_data['stats'] = stats
-    return repo_data
+            repo_data["stats"] = stats
+        return repo_data
 
-  @require_repo_write
-  @nickname('updateRepo')
-  @validate_json_request('RepoUpdate')
-  def put(self, namespace, repository):
-    """ Update the description in the specified repository. """
-    if not model.repo_exists(namespace, repository):
-      raise NotFound()
+    @require_repo_write
+    @nickname("updateRepo")
+    @validate_json_request("RepoUpdate")
+    def put(self, namespace, repository):
+        """ Update the description in the specified repository. """
+        if not model.repo_exists(namespace, repository):
+            raise NotFound()
 
-    values = request.get_json()
-    model.set_description(namespace, repository, values['description'])
+        values = request.get_json()
+        model.set_description(namespace, repository, values["description"])
 
-    log_action('set_repo_description', namespace,
-               {'repo': repository,
-                'namespace': namespace,
-                'description': values['description']}, repo_name=repository)
-    return {'success': True}
+        log_action(
+            "set_repo_description",
+            namespace,
+            {
+                "repo": repository,
+                "namespace": namespace,
+                "description": values["description"],
+            },
+            repo_name=repository,
+        )
+        return {"success": True}
 
-  @require_repo_admin
-  @nickname('deleteRepository')
-  def delete(self, namespace, repository):
-    """ Delete a repository. """
-    username = model.purge_repository(namespace, repository)
+    @require_repo_admin
+    @nickname("deleteRepository")
+    def delete(self, namespace, repository):
+        """ Delete a repository. """
+        username = model.purge_repository(namespace, repository)
 
-    if features.BILLING:
-      plan = get_namespace_plan(namespace)
-      model.check_repository_usage(username, plan)
+        if features.BILLING:
+            plan = get_namespace_plan(namespace)
+            model.check_repository_usage(username, plan)
 
-    # Remove any builds from the queue.
-    dockerfile_build_queue.delete_namespaced_items(namespace, repository)
+        # Remove any builds from the queue.
+        dockerfile_build_queue.delete_namespaced_items(namespace, repository)
 
-    log_action('delete_repo', namespace, {'repo': repository, 'namespace': namespace})
-    return '', 204
+        log_action(
+            "delete_repo", namespace, {"repo": repository, "namespace": namespace}
+        )
+        return "", 204
 
 
-@resource('/v1/repository/<apirepopath:repository>/changevisibility')
-@path_param('repository', 'The full path of the repository. e.g. namespace/name')
+@resource("/v1/repository/<apirepopath:repository>/changevisibility")
+@path_param("repository", "The full path of the repository. e.g. namespace/name")
 class RepositoryVisibility(RepositoryParamResource):
-  """ Custom verb for changing the visibility of the repository. """
-  schemas = {
-    'ChangeVisibility': {
-      'type': 'object',
-      'description': 'Change the visibility for the repository.',
-      'required': ['visibility',],
-      'properties': {
-        'visibility': {
-          'type': 'string',
-          'description': 'Visibility which the repository will start with',
-          'enum': [
-            'public',
-            'private',
-          ],
-        },
-      }
+    """ Custom verb for changing the visibility of the repository. """
+
+    schemas = {
+        "ChangeVisibility": {
+            "type": "object",
+            "description": "Change the visibility for the repository.",
+            "required": ["visibility"],
+            "properties": {
+                "visibility": {
+                    "type": "string",
+                    "description": "Visibility which the repository will start with",
+                    "enum": ["public", "private"],
+                }
+            },
+        }
     }
-  }
 
-  @require_repo_admin
-  @nickname('changeRepoVisibility')
-  @validate_json_request('ChangeVisibility')
-  def post(self, namespace, repository):
-    """ Change the visibility of a repository. """
-    if model.repo_exists(namespace, repository):
-      values = request.get_json()
-      visibility = values['visibility']
-      if visibility == 'private':
-        check_allowed_private_repos(namespace)
+    @require_repo_admin
+    @nickname("changeRepoVisibility")
+    @validate_json_request("ChangeVisibility")
+    def post(self, namespace, repository):
+        """ Change the visibility of a repository. """
+        if model.repo_exists(namespace, repository):
+            values = request.get_json()
+            visibility = values["visibility"]
+            if visibility == "private":
+                check_allowed_private_repos(namespace)
 
-      model.set_repository_visibility(namespace, repository, visibility)
-      log_action('change_repo_visibility', namespace,
-                 {'repo': repository,
-                  'namespace': namespace,
-                  'visibility': values['visibility']}, repo_name=repository)
-      return {'success': True}
+            model.set_repository_visibility(namespace, repository, visibility)
+            log_action(
+                "change_repo_visibility",
+                namespace,
+                {
+                    "repo": repository,
+                    "namespace": namespace,
+                    "visibility": values["visibility"],
+                },
+                repo_name=repository,
+            )
+            return {"success": True}
 
 
-@resource('/v1/repository/<apirepopath:repository>/changetrust')
-@path_param('repository', 'The full path of the repository. e.g. namespace/name')
+@resource("/v1/repository/<apirepopath:repository>/changetrust")
+@path_param("repository", "The full path of the repository. e.g. namespace/name")
 class RepositoryTrust(RepositoryParamResource):
-  """ Custom verb for changing the trust settings of the repository. """
-  schemas = {
-    'ChangeRepoTrust': {
-      'type': 'object',
-      'description': 'Change the trust settings for the repository.',
-      'required': ['trust_enabled',],
-      'properties': {
-        'trust_enabled': {
-          'type': 'boolean',
-          'description': 'Whether or not signing is enabled for the repository.'
-        },
-      }
+    """ Custom verb for changing the trust settings of the repository. """
+
+    schemas = {
+        "ChangeRepoTrust": {
+            "type": "object",
+            "description": "Change the trust settings for the repository.",
+            "required": ["trust_enabled"],
+            "properties": {
+                "trust_enabled": {
+                    "type": "boolean",
+                    "description": "Whether or not signing is enabled for the repository.",
+                }
+            },
+        }
     }
-  }
 
-  @show_if(features.SIGNING)
-  @require_repo_admin
-  @nickname('changeRepoTrust')
-  @validate_json_request('ChangeRepoTrust')
-  def post(self, namespace, repository):
-    """ Change the visibility of a repository. """
-    if not model.repo_exists(namespace, repository):
-      raise NotFound()
+    @show_if(features.SIGNING)
+    @require_repo_admin
+    @nickname("changeRepoTrust")
+    @validate_json_request("ChangeRepoTrust")
+    def post(self, namespace, repository):
+        """ Change the visibility of a repository. """
+        if not model.repo_exists(namespace, repository):
+            raise NotFound()
 
-    tags, _ = tuf_metadata_api.get_default_tags_with_expiration(namespace, repository)
-    if tags and not tuf_metadata_api.delete_metadata(namespace, repository):
-      raise DownstreamIssue('Unable to delete downstream trust metadata')
+        tags, _ = tuf_metadata_api.get_default_tags_with_expiration(
+            namespace, repository
+        )
+        if tags and not tuf_metadata_api.delete_metadata(namespace, repository):
+            raise DownstreamIssue("Unable to delete downstream trust metadata")
 
-    values = request.get_json()
-    model.set_trust(namespace, repository, values['trust_enabled'])
+        values = request.get_json()
+        model.set_trust(namespace, repository, values["trust_enabled"])
 
-    log_action(
-      'change_repo_trust', namespace,
-      {'repo': repository,
-       'namespace': namespace,
-       'trust_enabled': values['trust_enabled']}, repo_name=repository)
+        log_action(
+            "change_repo_trust",
+            namespace,
+            {
+                "repo": repository,
+                "namespace": namespace,
+                "trust_enabled": values["trust_enabled"],
+            },
+            repo_name=repository,
+        )
 
-    return {'success': True}
+        return {"success": True}
 
 
-@resource('/v1/repository/<apirepopath:repository>/changestate')
-@path_param('repository', 'The full path of the repository. e.g. namespace/name')
+@resource("/v1/repository/<apirepopath:repository>/changestate")
+@path_param("repository", "The full path of the repository. e.g. namespace/name")
 @show_if(features.REPO_MIRROR)
 class RepositoryStateResource(RepositoryParamResource):
-  """ Custom verb for changing the state of the repository. """
-  schemas = {
-    'ChangeRepoState': {
-      'type': 'object',
-      'description': 'Change the state of the repository.',
-      'required': ['state'],
-      'properties': {
-        'state': {
-          'type': 'string',
-          'description': 'Determines whether pushes are allowed.',
-          'enum': ['NORMAL', 'READ_ONLY', 'MIRROR'],
-        },
-      }
+    """ Custom verb for changing the state of the repository. """
+
+    schemas = {
+        "ChangeRepoState": {
+            "type": "object",
+            "description": "Change the state of the repository.",
+            "required": ["state"],
+            "properties": {
+                "state": {
+                    "type": "string",
+                    "description": "Determines whether pushes are allowed.",
+                    "enum": ["NORMAL", "READ_ONLY", "MIRROR"],
+                }
+            },
+        }
     }
-  }
 
-  @require_repo_admin
-  @nickname('changeRepoState')
-  @validate_json_request('ChangeRepoState')
-  def put(self, namespace, repository):
-    """ Change the state of a repository. """
-    if not model.repo_exists(namespace, repository):
-      raise NotFound()
+    @require_repo_admin
+    @nickname("changeRepoState")
+    @validate_json_request("ChangeRepoState")
+    def put(self, namespace, repository):
+        """ Change the state of a repository. """
+        if not model.repo_exists(namespace, repository):
+            raise NotFound()
 
-    values = request.get_json()
-    state_name = values['state']
+        values = request.get_json()
+        state_name = values["state"]
 
-    try:
-      state = RepositoryState[state_name]
-    except KeyError:
-      state = None
+        try:
+            state = RepositoryState[state_name]
+        except KeyError:
+            state = None
 
-    if state == RepositoryState.MIRROR and not features.REPO_MIRROR:
-      return {'detail': 'Unknown Repository State: %s' % state_name}, 400
+        if state == RepositoryState.MIRROR and not features.REPO_MIRROR:
+            return {"detail": "Unknown Repository State: %s" % state_name}, 400
 
-    if state is None:
-      return {'detail': '%s is not a valid Repository state.' % state_name}, 400
+        if state is None:
+            return {"detail": "%s is not a valid Repository state." % state_name}, 400
 
-    model.set_repository_state(namespace, repository, state)
+        model.set_repository_state(namespace, repository, state)
 
-    log_action('change_repo_state', namespace,
-               {'repo': repository,
-                'namespace': namespace,
-                'state_changed': state_name}, repo_name=repository)
+        log_action(
+            "change_repo_state",
+            namespace,
+            {"repo": repository, "namespace": namespace, "state_changed": state_name},
+            repo_name=repository,
+        )
 
-    return {'success': True}
+        return {"success": True}
diff --git a/endpoints/api/repository_models_interface.py b/endpoints/api/repository_models_interface.py
index 3b5e06a2f..4b566e2c6 100644
--- a/endpoints/api/repository_models_interface.py
+++ b/endpoints/api/repository_models_interface.py
@@ -10,13 +10,28 @@ from endpoints.api import format_date
 
 
 class RepositoryBaseElement(
-    namedtuple('RepositoryBaseElement', [
-      'namespace_name', 'repository_name', 'is_starred', 'is_public', 'kind_name', 'description',
-      'namespace_user_organization', 'namespace_user_removed_tag_expiration_s', 'last_modified',
-      'action_count', 'should_last_modified', 'should_popularity', 'should_is_starred',
-      'is_free_account', 'state'
-    ])):
-  """
+    namedtuple(
+        "RepositoryBaseElement",
+        [
+            "namespace_name",
+            "repository_name",
+            "is_starred",
+            "is_public",
+            "kind_name",
+            "description",
+            "namespace_user_organization",
+            "namespace_user_removed_tag_expiration_s",
+            "last_modified",
+            "action_count",
+            "should_last_modified",
+            "should_popularity",
+            "should_is_starred",
+            "is_free_account",
+            "state",
+        ],
+    )
+):
+    """
   Repository a single quay repository
   :type namespace_name: string
   :type repository_name: string
@@ -30,60 +45,73 @@ class RepositoryBaseElement(
   :type should_is_starred: boolean
   """
 
-  def to_dict(self):
-    repo = {
-      'namespace': self.namespace_name,
-      'name': self.repository_name,
-      'description': self.description,
-      'is_public': self.is_public,
-      'kind': self.kind_name,
-      'state': self.state.name if self.state is not None else None,
-    }
+    def to_dict(self):
+        repo = {
+            "namespace": self.namespace_name,
+            "name": self.repository_name,
+            "description": self.description,
+            "is_public": self.is_public,
+            "kind": self.kind_name,
+            "state": self.state.name if self.state is not None else None,
+        }
 
-    if self.should_last_modified:
-      repo['last_modified'] = self.last_modified
+        if self.should_last_modified:
+            repo["last_modified"] = self.last_modified
 
-    if self.should_popularity:
-      repo['popularity'] = float(self.action_count if self.action_count else 0)
+        if self.should_popularity:
+            repo["popularity"] = float(self.action_count if self.action_count else 0)
 
-    if self.should_is_starred:
-      repo['is_starred'] = self.is_starred
+        if self.should_is_starred:
+            repo["is_starred"] = self.is_starred
 
-    return repo
+        return repo
 
 
 class ApplicationRepository(
-    namedtuple('ApplicationRepository', ['repository_base_elements', 'channels', 'releases', 'state'])):
-  """
+    namedtuple(
+        "ApplicationRepository",
+        ["repository_base_elements", "channels", "releases", "state"],
+    )
+):
+    """
   Repository a single quay repository
   :type repository_base_elements: RepositoryBaseElement
   :type channels: [Channel]
   :type releases: [Release]
   """
 
-  def to_dict(self):
-    repo_data = {
-      'namespace': self.repository_base_elements.namespace_name,
-      'name': self.repository_base_elements.repository_name,
-      'kind': self.repository_base_elements.kind_name,
-      'description': self.repository_base_elements.description,
-      'is_public': self.repository_base_elements.is_public,
-      'is_organization': self.repository_base_elements.namespace_user_organization,
-      'is_starred': self.repository_base_elements.is_starred,
-      'channels': [chan.to_dict() for chan in self.channels],
-      'releases': [release.to_dict() for release in self.releases],
-      'state': self.state.name if self.state is not None else None,
-      'is_free_account': self.repository_base_elements.is_free_account,
-    }
+    def to_dict(self):
+        repo_data = {
+            "namespace": self.repository_base_elements.namespace_name,
+            "name": self.repository_base_elements.repository_name,
+            "kind": self.repository_base_elements.kind_name,
+            "description": self.repository_base_elements.description,
+            "is_public": self.repository_base_elements.is_public,
+            "is_organization": self.repository_base_elements.namespace_user_organization,
+            "is_starred": self.repository_base_elements.is_starred,
+            "channels": [chan.to_dict() for chan in self.channels],
+            "releases": [release.to_dict() for release in self.releases],
+            "state": self.state.name if self.state is not None else None,
+            "is_free_account": self.repository_base_elements.is_free_account,
+        }
 
-    return repo_data
+        return repo_data
 
 
 class ImageRepositoryRepository(
-    namedtuple('NonApplicationRepository',
-               ['repository_base_elements', 'tags', 'counts', 'badge_token', 'trust_enabled',
-                'state'])):
-  """
+    namedtuple(
+        "NonApplicationRepository",
+        [
+            "repository_base_elements",
+            "tags",
+            "counts",
+            "badge_token",
+            "trust_enabled",
+            "state",
+        ],
+    )
+):
+    """
   Repository a single quay repository
   :type repository_base_elements: RepositoryBaseElement
   :type tags: [Tag]
@@ -92,81 +120,95 @@ class ImageRepositoryRepository(
   :type trust_enabled: boolean
   """
 
-  def to_dict(self):
-    img_repo = {
-      'namespace': self.repository_base_elements.namespace_name,
-      'name': self.repository_base_elements.repository_name,
-      'kind': self.repository_base_elements.kind_name,
-      'description': self.repository_base_elements.description,
-      'is_public': self.repository_base_elements.is_public,
-      'is_organization': self.repository_base_elements.namespace_user_organization,
-      'is_starred': self.repository_base_elements.is_starred,
-      'status_token': self.badge_token if not self.repository_base_elements.is_public else '',
-      'trust_enabled': bool(features.SIGNING) and self.trust_enabled,
-      'tag_expiration_s': self.repository_base_elements.namespace_user_removed_tag_expiration_s,
-      'is_free_account': self.repository_base_elements.is_free_account,
-      'state': self.state.name if self.state is not None else None
-    }
+    def to_dict(self):
+        img_repo = {
+            "namespace": self.repository_base_elements.namespace_name,
+            "name": self.repository_base_elements.repository_name,
+            "kind": self.repository_base_elements.kind_name,
+            "description": self.repository_base_elements.description,
+            "is_public": self.repository_base_elements.is_public,
+            "is_organization": self.repository_base_elements.namespace_user_organization,
+            "is_starred": self.repository_base_elements.is_starred,
+            "status_token": self.badge_token
+            if not self.repository_base_elements.is_public
+            else "",
+            "trust_enabled": bool(features.SIGNING) and self.trust_enabled,
+            "tag_expiration_s": self.repository_base_elements.namespace_user_removed_tag_expiration_s,
+            "is_free_account": self.repository_base_elements.is_free_account,
+            "state": self.state.name if self.state is not None else None,
+        }
 
-    if self.tags is not None:
-      img_repo['tags'] = {tag.name: tag.to_dict() for tag in self.tags}
+        if self.tags is not None:
+            img_repo["tags"] = {tag.name: tag.to_dict() for tag in self.tags}
 
-    if self.repository_base_elements.state:
-      img_repo['state'] = self.repository_base_elements.state.name
+        if self.repository_base_elements.state:
+            img_repo["state"] = self.repository_base_elements.state.name
 
-    return img_repo
+        return img_repo
 
 
-class Repository(namedtuple('Repository', [
-    'namespace_name',
-    'repository_name',
-])):
-  """
+class Repository(namedtuple("Repository", ["namespace_name", "repository_name"])):
+    """
   Repository a single quay repository
   :type namespace_name: string
   :type repository_name: string
   """
 
 
-class Channel(namedtuple('Channel', ['name', 'linked_tag_name', 'linked_tag_lifetime_start'])):
-  """
+class Channel(
+    namedtuple("Channel", ["name", "linked_tag_name", "linked_tag_lifetime_start"])
+):
+    """
   Repository a single quay repository
   :type name: string
   :type linked_tag_name: string
   :type linked_tag_lifetime_start: string
   """
 
-  def to_dict(self):
-    return {
-      'name': self.name,
-      'release': self.linked_tag_name,
-      'last_modified': format_date(datetime.fromtimestamp(self.linked_tag_lifetime_start / 1000)),
-    }
+    def to_dict(self):
+        return {
+            "name": self.name,
+            "release": self.linked_tag_name,
+            "last_modified": format_date(
+                datetime.fromtimestamp(self.linked_tag_lifetime_start / 1000)
+            ),
+        }
 
 
 class Release(
-    namedtuple('Channel', ['name', 'lifetime_start', 'releases_channels_map'])):
-  """
+    namedtuple("Channel", ["name", "lifetime_start", "releases_channels_map"])
+):
+    """
   Repository a single quay repository
   :type name: string
   :type last_modified: string
   :type releases_channels_map: {string -> string}
   """
 
-  def to_dict(self):
-    return {
-      'name': self.name,
-      'last_modified': format_date(datetime.fromtimestamp(self.lifetime_start / 1000)),
-      'channels': self.releases_channels_map[self.name],
-    }
+    def to_dict(self):
+        return {
+            "name": self.name,
+            "last_modified": format_date(
+                datetime.fromtimestamp(self.lifetime_start / 1000)
+            ),
+            "channels": self.releases_channels_map[self.name],
+        }
 
 
 class Tag(
-    namedtuple('Tag', [
-      'name', 'image_docker_image_id', 'image_aggregate_size', 'lifetime_start_ts',
-      'tag_manifest_digest', 'lifetime_end_ts',
-    ])):
-  """
+    namedtuple(
+        "Tag",
+        [
+            "name",
+            "image_docker_image_id",
+            "image_aggregate_size",
+            "lifetime_start_ts",
+            "tag_manifest_digest",
+            "lifetime_end_ts",
+        ],
+    )
+):
+    """
   :type name: string
   :type image_docker_image_id: string
   :type image_aggregate_size: int
@@ -176,104 +218,120 @@ class Tag(
 
   """
 
-  def to_dict(self):
-    tag_info = {
-      'name': self.name,
-      'image_id': self.image_docker_image_id,
-      'size': self.image_aggregate_size
-    }
+    def to_dict(self):
+        tag_info = {
+            "name": self.name,
+            "image_id": self.image_docker_image_id,
+            "size": self.image_aggregate_size,
+        }
 
-    if self.lifetime_start_ts > 0:
-      last_modified = format_date(datetime.fromtimestamp(self.lifetime_start_ts))
-      tag_info['last_modified'] = last_modified
+        if self.lifetime_start_ts > 0:
+            last_modified = format_date(datetime.fromtimestamp(self.lifetime_start_ts))
+            tag_info["last_modified"] = last_modified
 
-    if self.lifetime_end_ts:
-      expiration = format_date(datetime.fromtimestamp(self.lifetime_end_ts))
-      tag_info['expiration'] = expiration
+        if self.lifetime_end_ts:
+            expiration = format_date(datetime.fromtimestamp(self.lifetime_end_ts))
+            tag_info["expiration"] = expiration
 
-    if self.tag_manifest_digest is not None:
-      tag_info['manifest_digest'] = self.tag_manifest_digest
+        if self.tag_manifest_digest is not None:
+            tag_info["manifest_digest"] = self.tag_manifest_digest
 
-    return tag_info
+        return tag_info
 
 
-class Count(namedtuple('Count', ['date', 'count'])):
-  """
+class Count(namedtuple("Count", ["date", "count"])):
+    """
     date: DateTime
     count: int
   """
 
-  def to_dict(self):
-    return {
-      'date': self.date.isoformat(),
-      'count': self.count,
-    }
+    def to_dict(self):
+        return {"date": self.date.isoformat(), "count": self.count}
 
 
 @add_metaclass(ABCMeta)
 class RepositoryDataInterface(object):
-  """
+    """
   Interface that represents all data store interactions required by a Repository.
   """
 
-  @abstractmethod
-  def get_repo(self, namespace_name, repository_name, user, include_tags=True, max_tags=500):
-    """
+    @abstractmethod
+    def get_repo(
+        self, namespace_name, repository_name, user, include_tags=True, max_tags=500
+    ):
+        """
     Returns a repository
     """
 
-  @abstractmethod
-  def repo_exists(self, namespace_name, repository_name):
-    """
+    @abstractmethod
+    def repo_exists(self, namespace_name, repository_name):
+        """
     Returns true if a repo exists and false if not
     """
 
-  @abstractmethod
-  def create_repo(self, namespace, name, creating_user, description, visibility='private',
-                  repo_kind='image'):
-    """
+    @abstractmethod
+    def create_repo(
+        self,
+        namespace,
+        name,
+        creating_user,
+        description,
+        visibility="private",
+        repo_kind="image",
+    ):
+        """
     Returns creates a new repo
     """
 
-  @abstractmethod
-  def get_repo_list(self, starred, user, repo_kind, namespace, username, public, page_token,
-                    last_modified, popularity):
-    """
+    @abstractmethod
+    def get_repo_list(
+        self,
+        starred,
+        user,
+        repo_kind,
+        namespace,
+        username,
+        public,
+        page_token,
+        last_modified,
+        popularity,
+    ):
+        """
     Returns a RepositoryBaseElement
     """
 
-  @abstractmethod
-  def set_repository_visibility(self, namespace_name, repository_name, visibility):
-    """
+    @abstractmethod
+    def set_repository_visibility(self, namespace_name, repository_name, visibility):
+        """
     Sets a repository's visibility if it is found
     """
 
-  @abstractmethod
-  def set_trust(self, namespace_name, repository_name, trust):
-    """
+    @abstractmethod
+    def set_trust(self, namespace_name, repository_name, trust):
+        """
     Sets a repository's trust_enabled field if it is found
     """
 
-  @abstractmethod
-  def set_description(self, namespace_name, repository_name, description):
-    """
+    @abstractmethod
+    def set_description(self, namespace_name, repository_name, description):
+        """
     Sets a repository's description if it is found.
     """
 
-  @abstractmethod
-  def purge_repository(self, namespace_name, repository_name):
-    """
+    @abstractmethod
+    def purge_repository(self, namespace_name, repository_name):
+        """
     Removes a repository
     """
 
-  @abstractmethod
-  def check_repository_usage(self, user_name, plan_found):
-    """
+    @abstractmethod
+    def check_repository_usage(self, user_name, plan_found):
+        """
     Creates a notification for a user if they are over or under on their repository usage
     """
 
-  @abstractmethod
-  def set_repository_state(self, namespace_name, repository_name, state):
-    """
+    @abstractmethod
+    def set_repository_state(self, namespace_name, repository_name, state):
+        """
     Set the State of the Repository.
     """
diff --git a/endpoints/api/repository_models_pre_oci.py b/endpoints/api/repository_models_pre_oci.py
index 328c5443e..23cb3c030 100644
--- a/endpoints/api/repository_models_pre_oci.py
+++ b/endpoints/api/repository_models_pre_oci.py
@@ -9,182 +9,285 @@ from data.appr_model import channel as channel_model, release as release_model
 from data.registry_model import registry_model
 from data.registry_model.datatypes import RepositoryReference
 from endpoints.appr.models_cnr import model as appr_model
-from endpoints.api.repository_models_interface import RepositoryDataInterface, RepositoryBaseElement, Repository, \
-  ApplicationRepository, ImageRepositoryRepository, Tag, Channel, Release, Count
+from endpoints.api.repository_models_interface import (
+    RepositoryDataInterface,
+    RepositoryBaseElement,
+    Repository,
+    ApplicationRepository,
+    ImageRepositoryRepository,
+    Tag,
+    Channel,
+    Release,
+    Count,
+)
 
 MAX_DAYS_IN_3_MONTHS = 92
 REPOS_PER_PAGE = 100
 
 
 def _create_channel(channel, releases_channels_map):
-  releases_channels_map[channel.linked_tag.name].append(channel.name)
-  return Channel(channel.name, channel.linked_tag.name, channel.linked_tag.lifetime_start)
+    releases_channels_map[channel.linked_tag.name].append(channel.name)
+    return Channel(
+        channel.name, channel.linked_tag.name, channel.linked_tag.lifetime_start
+    )
 
 
 class PreOCIModel(RepositoryDataInterface):
-  """
+    """
   PreOCIModel implements the data model for the Repo Email using a database schema
   before it was changed to support the OCI specification.
   """
 
-  def check_repository_usage(self, username, plan_found):
-    private_repos = model.user.get_private_repo_count(username)
-    if plan_found is None:
-      repos_allowed = 0
-    else:
-      repos_allowed = plan_found['privateRepos']
+    def check_repository_usage(self, username, plan_found):
+        private_repos = model.user.get_private_repo_count(username)
+        if plan_found is None:
+            repos_allowed = 0
+        else:
+            repos_allowed = plan_found["privateRepos"]
 
-    user_or_org = model.user.get_namespace_user(username)
-    if private_repos > repos_allowed:
-      model.notification.create_unique_notification('over_private_usage', user_or_org,
-                                                    {'namespace': username})
-    else:
-      model.notification.delete_notifications_by_kind(user_or_org, 'over_private_usage')
+        user_or_org = model.user.get_namespace_user(username)
+        if private_repos > repos_allowed:
+            model.notification.create_unique_notification(
+                "over_private_usage", user_or_org, {"namespace": username}
+            )
+        else:
+            model.notification.delete_notifications_by_kind(
+                user_or_org, "over_private_usage"
+            )
 
-  def purge_repository(self, namespace_name, repository_name):
-    model.gc.purge_repository(namespace_name, repository_name)
-    user = model.user.get_namespace_user(namespace_name)
-    return user.username
+    def purge_repository(self, namespace_name, repository_name):
+        model.gc.purge_repository(namespace_name, repository_name)
+        user = model.user.get_namespace_user(namespace_name)
+        return user.username
 
-  def set_description(self, namespace_name, repository_name, description):
-    repo = model.repository.get_repository(namespace_name, repository_name)
-    model.repository.set_description(repo, description)
+    def set_description(self, namespace_name, repository_name, description):
+        repo = model.repository.get_repository(namespace_name, repository_name)
+        model.repository.set_description(repo, description)
 
-  def set_trust(self, namespace_name, repository_name, trust):
-    repo = model.repository.get_repository(namespace_name, repository_name)
-    model.repository.set_trust(repo, trust)
+    def set_trust(self, namespace_name, repository_name, trust):
+        repo = model.repository.get_repository(namespace_name, repository_name)
+        model.repository.set_trust(repo, trust)
 
-  def set_repository_visibility(self, namespace_name, repository_name, visibility):
-    repo = model.repository.get_repository(namespace_name, repository_name)
-    model.repository.set_repository_visibility(repo, visibility)
+    def set_repository_visibility(self, namespace_name, repository_name, visibility):
+        repo = model.repository.get_repository(namespace_name, repository_name)
+        model.repository.set_repository_visibility(repo, visibility)
 
-  def set_repository_state(self, namespace_name, repository_name, state):
-    repo = model.repository.get_repository(namespace_name, repository_name)
-    model.repository.set_repository_state(repo, state)
+    def set_repository_state(self, namespace_name, repository_name, state):
+        repo = model.repository.get_repository(namespace_name, repository_name)
+        model.repository.set_repository_state(repo, state)
 
-  def get_repo_list(self, starred, user, repo_kind, namespace, username, public, page_token,
-                    last_modified, popularity):
-    next_page_token = None
-    # Lookup the requested repositories (either starred or non-starred.)
-    if starred:
-      # Return the full list of repos starred by the current user that are still visible to them.
-      def can_view_repo(repo):
-        can_view = ReadRepositoryPermission(repo.namespace_user.username, repo.name).can()
-        return can_view or model.repository.is_repository_public(repo)
+    def get_repo_list(
+        self,
+        starred,
+        user,
+        repo_kind,
+        namespace,
+        username,
+        public,
+        page_token,
+        last_modified,
+        popularity,
+    ):
+        next_page_token = None
+        # Lookup the requested repositories (either starred or non-starred.)
+        if starred:
+            # Return the full list of repos starred by the current user that are still visible to them.
+            def can_view_repo(repo):
+                can_view = ReadRepositoryPermission(
+                    repo.namespace_user.username, repo.name
+                ).can()
+                return can_view or model.repository.is_repository_public(repo)
 
-      unfiltered_repos = model.repository.get_user_starred_repositories(user,
-                                                                        kind_filter=repo_kind)
-      repos = [repo for repo in unfiltered_repos if can_view_repo(repo)]
-    elif namespace:
-      # Repositories filtered by namespace do not need pagination (their results are fairly small),
-      # so we just do the lookup directly.
-      repos = list(
-        model.repository.get_visible_repositories(username=username, include_public=public,
-                                                  namespace=namespace, kind_filter=repo_kind))
-    else:
-      # Determine the starting offset for pagination. Note that we don't use the normal
-      # model.modelutil.paginate method here, as that does not operate over UNION queries, which
-      # get_visible_repositories will return if there is a logged-in user (for performance reasons).
-      #
-      # Also note the +1 on the limit, as paginate_query uses the extra result to determine whether
-      # there is a next page.
-      start_id = model.modelutil.pagination_start(page_token)
-      repo_query = model.repository.get_visible_repositories(
-        username=username, include_public=public, start_id=start_id, limit=REPOS_PER_PAGE + 1,
-        kind_filter=repo_kind)
+            unfiltered_repos = model.repository.get_user_starred_repositories(
+                user, kind_filter=repo_kind
+            )
+            repos = [repo for repo in unfiltered_repos if can_view_repo(repo)]
+        elif namespace:
+            # Repositories filtered by namespace do not need pagination (their results are fairly small),
+            # so we just do the lookup directly.
+            repos = list(
+                model.repository.get_visible_repositories(
+                    username=username,
+                    include_public=public,
+                    namespace=namespace,
+                    kind_filter=repo_kind,
+                )
+            )
+        else:
+            # Determine the starting offset for pagination. Note that we don't use the normal
+            # model.modelutil.paginate method here, as that does not operate over UNION queries, which
+            # get_visible_repositories will return if there is a logged-in user (for performance reasons).
+            #
+            # Also note the +1 on the limit, as paginate_query uses the extra result to determine whether
+            # there is a next page.
+            start_id = model.modelutil.pagination_start(page_token)
+            repo_query = model.repository.get_visible_repositories(
+                username=username,
+                include_public=public,
+                start_id=start_id,
+                limit=REPOS_PER_PAGE + 1,
+                kind_filter=repo_kind,
+            )
 
-      repos, next_page_token = model.modelutil.paginate_query(repo_query, limit=REPOS_PER_PAGE,
-                                                              sort_field_name='rid')
+            repos, next_page_token = model.modelutil.paginate_query(
+                repo_query, limit=REPOS_PER_PAGE, sort_field_name="rid"
+            )
 
-    # Collect the IDs of the repositories found for subequent lookup of popularity
-    # and/or last modified.
-    last_modified_map = {}
-    action_sum_map = {}
-    if last_modified or popularity:
-      repository_refs = [RepositoryReference.for_id(repo.rid) for repo in repos]
-      repository_ids = [repo.rid for repo in repos]
+        # Collect the IDs of the repositories found for subequent lookup of popularity
+        # and/or last modified.
+        last_modified_map = {}
+        action_sum_map = {}
+        if last_modified or popularity:
+            repository_refs = [RepositoryReference.for_id(repo.rid) for repo in repos]
+            repository_ids = [repo.rid for repo in repos]
 
-      if last_modified:
-        last_modified_map = registry_model.get_most_recent_tag_lifetime_start(repository_refs)
+            if last_modified:
+                last_modified_map = registry_model.get_most_recent_tag_lifetime_start(
+                    repository_refs
+                )
 
-      if popularity:
-        action_sum_map = model.log.get_repositories_action_sums(repository_ids)
+            if popularity:
+                action_sum_map = model.log.get_repositories_action_sums(repository_ids)
 
-    # Collect the IDs of the repositories that are starred for the user, so we can mark them
-    # in the returned results.
-    star_set = set()
-    if username:
-      starred_repos = model.repository.get_user_starred_repositories(user)
-      star_set = {starred.id for starred in starred_repos}
+        # Collect the IDs of the repositories that are starred for the user, so we can mark them
+        # in the returned results.
+        star_set = set()
+        if username:
+            starred_repos = model.repository.get_user_starred_repositories(user)
+            star_set = {starred.id for starred in starred_repos}
 
-    return [
-             RepositoryBaseElement(repo.namespace_user.username, repo.name, repo.id in star_set,
-                                   repo.visibility_id == model.repository.get_public_repo_visibility().id,
-                                   repo_kind, repo.description, repo.namespace_user.organization,
-                                   repo.namespace_user.removed_tag_expiration_s,
-                                   last_modified_map.get(repo.rid),
-                                   action_sum_map.get(repo.rid), last_modified, popularity, username,
-                                   None, repo.state)
-             for repo in repos
-           ], next_page_token
+        return (
+            [
+                RepositoryBaseElement(
+                    repo.namespace_user.username,
+                    repo.name,
+                    repo.id in star_set,
+                    repo.visibility_id
+                    == model.repository.get_public_repo_visibility().id,
+                    repo_kind,
+                    repo.description,
+                    repo.namespace_user.organization,
+                    repo.namespace_user.removed_tag_expiration_s,
+                    last_modified_map.get(repo.rid),
+                    action_sum_map.get(repo.rid),
+                    last_modified,
+                    popularity,
+                    username,
+                    None,
+                    repo.state,
+                )
+                for repo in repos
+            ],
+            next_page_token,
+        )
 
-  def repo_exists(self, namespace_name, repository_name):
-    repo = model.repository.get_repository(namespace_name, repository_name)
-    if repo is None:
-      return False
+    def repo_exists(self, namespace_name, repository_name):
+        repo = model.repository.get_repository(namespace_name, repository_name)
+        if repo is None:
+            return False
 
-    return True
+        return True
 
-  def create_repo(self, namespace_name, repository_name, owner, description, visibility='private',
-                  repo_kind='image'):
-    repo = model.repository.create_repository(namespace_name, repository_name, owner, visibility,
-                                              repo_kind=repo_kind, description=description)
-    return Repository(namespace_name, repository_name)
+    def create_repo(
+        self,
+        namespace_name,
+        repository_name,
+        owner,
+        description,
+        visibility="private",
+        repo_kind="image",
+    ):
+        repo = model.repository.create_repository(
+            namespace_name,
+            repository_name,
+            owner,
+            visibility,
+            repo_kind=repo_kind,
+            description=description,
+        )
+        return Repository(namespace_name, repository_name)
 
-  def get_repo(self, namespace_name, repository_name, user, include_tags=True, max_tags=500):
-    repo = model.repository.get_repository(namespace_name, repository_name)
-    if repo is None:
-      return None
+    def get_repo(
+        self, namespace_name, repository_name, user, include_tags=True, max_tags=500
+    ):
+        repo = model.repository.get_repository(namespace_name, repository_name)
+        if repo is None:
+            return None
 
-    is_starred = model.repository.repository_is_starred(user, repo) if user else False
-    is_public = model.repository.is_repository_public(repo)
-    kind_name = RepositoryTable.kind.get_name(repo.kind_id)
-    base = RepositoryBaseElement(
-      namespace_name, repository_name, is_starred, is_public, kind_name, repo.description,
-      repo.namespace_user.organization, repo.namespace_user.removed_tag_expiration_s, None, None,
-      False, False, False, repo.namespace_user.stripe_id is None, repo.state)
+        is_starred = (
+            model.repository.repository_is_starred(user, repo) if user else False
+        )
+        is_public = model.repository.is_repository_public(repo)
+        kind_name = RepositoryTable.kind.get_name(repo.kind_id)
+        base = RepositoryBaseElement(
+            namespace_name,
+            repository_name,
+            is_starred,
+            is_public,
+            kind_name,
+            repo.description,
+            repo.namespace_user.organization,
+            repo.namespace_user.removed_tag_expiration_s,
+            None,
+            None,
+            False,
+            False,
+            False,
+            repo.namespace_user.stripe_id is None,
+            repo.state,
+        )
 
-    if base.kind_name == 'application':
-      channels = channel_model.get_repo_channels(repo, appr_model.models_ref)
-      releases = release_model.get_release_objs(repo, appr_model.models_ref)
-      releases_channels_map = defaultdict(list)
-      return ApplicationRepository(
-        base, [_create_channel(channel, releases_channels_map) for channel in channels], [
-          Release(release.name, release.lifetime_start, releases_channels_map)
-          for release in releases
-        ], repo.state)
+        if base.kind_name == "application":
+            channels = channel_model.get_repo_channels(repo, appr_model.models_ref)
+            releases = release_model.get_release_objs(repo, appr_model.models_ref)
+            releases_channels_map = defaultdict(list)
+            return ApplicationRepository(
+                base,
+                [
+                    _create_channel(channel, releases_channels_map)
+                    for channel in channels
+                ],
+                [
+                    Release(release.name, release.lifetime_start, releases_channels_map)
+                    for release in releases
+                ],
+                repo.state,
+            )
 
-    tags = None
-    repo_ref = RepositoryReference.for_repo_obj(repo)
-    if include_tags:
-      tags, _ = registry_model.list_repository_tag_history(repo_ref, page=1, size=max_tags,
-                                                           active_tags_only=True)
-      tags = [
-        Tag(tag.name,
-            tag.legacy_image.docker_image_id if tag.legacy_image_if_present else None,
-            tag.legacy_image.aggregate_size if tag.legacy_image_if_present else None,
-            tag.lifetime_start_ts,
-            tag.manifest_digest,
-            tag.lifetime_end_ts) for tag in tags
-      ]
+        tags = None
+        repo_ref = RepositoryReference.for_repo_obj(repo)
+        if include_tags:
+            tags, _ = registry_model.list_repository_tag_history(
+                repo_ref, page=1, size=max_tags, active_tags_only=True
+            )
+            tags = [
+                Tag(
+                    tag.name,
+                    tag.legacy_image.docker_image_id
+                    if tag.legacy_image_if_present
+                    else None,
+                    tag.legacy_image.aggregate_size
+                    if tag.legacy_image_if_present
+                    else None,
+                    tag.lifetime_start_ts,
+                    tag.manifest_digest,
+                    tag.lifetime_end_ts,
+                )
+                for tag in tags
+            ]
 
-    start_date = datetime.now() - timedelta(days=MAX_DAYS_IN_3_MONTHS)
-    counts = model.log.get_repository_action_counts(repo, start_date)
+        start_date = datetime.now() - timedelta(days=MAX_DAYS_IN_3_MONTHS)
+        counts = model.log.get_repository_action_counts(repo, start_date)
 
-    assert repo.state is not None
-    return ImageRepositoryRepository(base, tags,
-                                     [Count(count.date, count.count) for count in counts],
-                                     repo.badge_token, repo.trust_enabled, repo.state)
+        assert repo.state is not None
+        return ImageRepositoryRepository(
+            base,
+            tags,
+            [Count(count.date, count.count) for count in counts],
+            repo.badge_token,
+            repo.trust_enabled,
+            repo.state,
+        )
 
 
 pre_oci_model = PreOCIModel()
diff --git a/endpoints/api/repositorynotification.py b/endpoints/api/repositorynotification.py
index c34cbc553..89bac8d72 100644
--- a/endpoints/api/repositorynotification.py
+++ b/endpoints/api/repositorynotification.py
@@ -4,161 +4,199 @@ import logging
 from flask import request
 
 from endpoints.api import (
-  RepositoryParamResource, nickname, resource, require_repo_admin, log_action,
-  validate_json_request, request_error, path_param, disallow_for_app_repositories, InvalidRequest)
+    RepositoryParamResource,
+    nickname,
+    resource,
+    require_repo_admin,
+    log_action,
+    validate_json_request,
+    request_error,
+    path_param,
+    disallow_for_app_repositories,
+    InvalidRequest,
+)
 from endpoints.exception import NotFound
 from notifications.models_interface import Repository
 from notifications.notificationevent import NotificationEvent
 from notifications.notificationmethod import (
-  NotificationMethod, CannotValidateNotificationMethodException)
+    NotificationMethod,
+    CannotValidateNotificationMethodException,
+)
 from endpoints.api.repositorynotification_models_pre_oci import pre_oci_model as model
 
 logger = logging.getLogger(__name__)
 
 
-@resource('/v1/repository/<apirepopath:repository>/notification/')
-@path_param('repository', 'The full path of the repository. e.g. namespace/name')
+@resource("/v1/repository/<apirepopath:repository>/notification/")
+@path_param("repository", "The full path of the repository. e.g. namespace/name")
 class RepositoryNotificationList(RepositoryParamResource):
-  """ Resource for dealing with listing and creating notifications on a repository. """
-  schemas = {
-    'NotificationCreateRequest': {
-      'type': 'object',
-      'description': 'Information for creating a notification on a repository',
-      'required': [
-        'event',
-        'method',
-        'config',
-        'eventConfig',
-      ],
-      'properties': {
-        'event': {
-          'type': 'string',
-          'description': 'The event on which the notification will respond',
-        },
-        'method': {
-          'type': 'string',
-          'description': 'The method of notification (such as email or web callback)',
-        },
-        'config': {
-          'type': 'object',
-          'description': 'JSON config information for the specific method of notification'
-        },
-        'eventConfig': {
-          'type': 'object',
-          'description':  'JSON config information for the specific event of notification',
-        },
-        'title': {
-          'type': 'string',
-          'description': 'The human-readable title of the notification',
-        },
-      }
-    },
-  }
+    """ Resource for dealing with listing and creating notifications on a repository. """
 
-  @require_repo_admin
-  @nickname('createRepoNotification')
-  @disallow_for_app_repositories
-  @validate_json_request('NotificationCreateRequest')
-  def post(self, namespace_name, repository_name):
-    parsed = request.get_json()
+    schemas = {
+        "NotificationCreateRequest": {
+            "type": "object",
+            "description": "Information for creating a notification on a repository",
+            "required": ["event", "method", "config", "eventConfig"],
+            "properties": {
+                "event": {
+                    "type": "string",
+                    "description": "The event on which the notification will respond",
+                },
+                "method": {
+                    "type": "string",
+                    "description": "The method of notification (such as email or web callback)",
+                },
+                "config": {
+                    "type": "object",
+                    "description": "JSON config information for the specific method of notification",
+                },
+                "eventConfig": {
+                    "type": "object",
+                    "description": "JSON config information for the specific event of notification",
+                },
+                "title": {
+                    "type": "string",
+                    "description": "The human-readable title of the notification",
+                },
+            },
+        }
+    }
 
-    method_handler = NotificationMethod.get_method(parsed['method'])
-    try:
-      method_handler.validate(namespace_name, repository_name, parsed['config'])
-    except CannotValidateNotificationMethodException as ex:
-      raise request_error(message=ex.message)
+    @require_repo_admin
+    @nickname("createRepoNotification")
+    @disallow_for_app_repositories
+    @validate_json_request("NotificationCreateRequest")
+    def post(self, namespace_name, repository_name):
+        parsed = request.get_json()
 
-    new_notification = model.create_repo_notification(namespace_name, repository_name,
-                                                      parsed['event'], parsed['method'],
-                                                      parsed['config'], parsed['eventConfig'],
-                                                      parsed.get('title'))
+        method_handler = NotificationMethod.get_method(parsed["method"])
+        try:
+            method_handler.validate(namespace_name, repository_name, parsed["config"])
+        except CannotValidateNotificationMethodException as ex:
+            raise request_error(message=ex.message)
 
-    log_action('add_repo_notification', namespace_name, {
-      'repo': repository_name,
-      'namespace': namespace_name,
-      'notification_id': new_notification.uuid,
-      'event': new_notification.event_name,
-      'method': new_notification.method_name}, repo_name=repository_name)
-    return new_notification.to_dict(), 201
+        new_notification = model.create_repo_notification(
+            namespace_name,
+            repository_name,
+            parsed["event"],
+            parsed["method"],
+            parsed["config"],
+            parsed["eventConfig"],
+            parsed.get("title"),
+        )
 
-  @require_repo_admin
-  @nickname('listRepoNotifications')
-  @disallow_for_app_repositories
-  def get(self, namespace_name, repository_name):
-    """ List the notifications for the specified repository. """
-    notifications = model.list_repo_notifications(namespace_name, repository_name)
-    return {'notifications': [n.to_dict() for n in notifications]}
+        log_action(
+            "add_repo_notification",
+            namespace_name,
+            {
+                "repo": repository_name,
+                "namespace": namespace_name,
+                "notification_id": new_notification.uuid,
+                "event": new_notification.event_name,
+                "method": new_notification.method_name,
+            },
+            repo_name=repository_name,
+        )
+        return new_notification.to_dict(), 201
+
+    @require_repo_admin
+    @nickname("listRepoNotifications")
+    @disallow_for_app_repositories
+    def get(self, namespace_name, repository_name):
+        """ List the notifications for the specified repository. """
+        notifications = model.list_repo_notifications(namespace_name, repository_name)
+        return {"notifications": [n.to_dict() for n in notifications]}
 
 
-@resource('/v1/repository/<apirepopath:repository>/notification/<uuid>')
-@path_param('repository', 'The full path of the repository. e.g. namespace/name')
-@path_param('uuid', 'The UUID of the notification')
+@resource("/v1/repository/<apirepopath:repository>/notification/<uuid>")
+@path_param("repository", "The full path of the repository. e.g. namespace/name")
+@path_param("uuid", "The UUID of the notification")
 class RepositoryNotification(RepositoryParamResource):
-  """ Resource for dealing with specific notifications. """
+    """ Resource for dealing with specific notifications. """
 
-  @require_repo_admin
-  @nickname('getRepoNotification')
-  @disallow_for_app_repositories
-  def get(self, namespace_name, repository_name, uuid):
-    """ Get information for the specified notification. """
-    found = model.get_repo_notification(uuid)
-    if not found:
-      raise NotFound()
-    return found.to_dict()
+    @require_repo_admin
+    @nickname("getRepoNotification")
+    @disallow_for_app_repositories
+    def get(self, namespace_name, repository_name, uuid):
+        """ Get information for the specified notification. """
+        found = model.get_repo_notification(uuid)
+        if not found:
+            raise NotFound()
+        return found.to_dict()
 
-  @require_repo_admin
-  @nickname('deleteRepoNotification')
-  @disallow_for_app_repositories
-  def delete(self, namespace_name, repository_name, uuid):
-    """ Deletes the specified notification. """
-    deleted = model.delete_repo_notification(namespace_name, repository_name, uuid)
-    if not deleted:
-      raise InvalidRequest("No repository notification found for: %s, %s, %s" %
-                           (namespace_name, repository_name, uuid))
+    @require_repo_admin
+    @nickname("deleteRepoNotification")
+    @disallow_for_app_repositories
+    def delete(self, namespace_name, repository_name, uuid):
+        """ Deletes the specified notification. """
+        deleted = model.delete_repo_notification(namespace_name, repository_name, uuid)
+        if not deleted:
+            raise InvalidRequest(
+                "No repository notification found for: %s, %s, %s"
+                % (namespace_name, repository_name, uuid)
+            )
 
-    log_action('delete_repo_notification', namespace_name, {
-      'repo': repository_name,
-      'namespace': namespace_name,
-      'notification_id': uuid,
-      'event': deleted.event_name,
-      'method': deleted.method_name}, repo_name=repository_name)
+        log_action(
+            "delete_repo_notification",
+            namespace_name,
+            {
+                "repo": repository_name,
+                "namespace": namespace_name,
+                "notification_id": uuid,
+                "event": deleted.event_name,
+                "method": deleted.method_name,
+            },
+            repo_name=repository_name,
+        )
 
-    return 'No Content', 204
+        return "No Content", 204
 
-  @require_repo_admin
-  @nickname('resetRepositoryNotificationFailures')
-  @disallow_for_app_repositories
-  def post(self, namespace_name, repository_name, uuid):
-    """ Resets repository notification to 0 failures. """
-    reset = model.reset_notification_number_of_failures(namespace_name, repository_name, uuid)
-    if not reset:
-      raise InvalidRequest("No repository notification found for: %s, %s, %s" %
-                           (namespace_name, repository_name, uuid))
+    @require_repo_admin
+    @nickname("resetRepositoryNotificationFailures")
+    @disallow_for_app_repositories
+    def post(self, namespace_name, repository_name, uuid):
+        """ Resets repository notification to 0 failures. """
+        reset = model.reset_notification_number_of_failures(
+            namespace_name, repository_name, uuid
+        )
+        if not reset:
+            raise InvalidRequest(
+                "No repository notification found for: %s, %s, %s"
+                % (namespace_name, repository_name, uuid)
+            )
 
-    log_action('reset_repo_notification', namespace_name, {
-      'repo': repository_name,
-      'namespace': namespace_name,
-      'notification_id': uuid,
-      'event': reset.event_name,
-      'method': reset.method_name}, repo_name=repository_name)
+        log_action(
+            "reset_repo_notification",
+            namespace_name,
+            {
+                "repo": repository_name,
+                "namespace": namespace_name,
+                "notification_id": uuid,
+                "event": reset.event_name,
+                "method": reset.method_name,
+            },
+            repo_name=repository_name,
+        )
 
-    return 'No Content', 204
+        return "No Content", 204
 
 
-@resource('/v1/repository/<apirepopath:repository>/notification/<uuid>/test')
-@path_param('repository', 'The full path of the repository. e.g. namespace/name')
-@path_param('uuid', 'The UUID of the notification')
+@resource("/v1/repository/<apirepopath:repository>/notification/<uuid>/test")
+@path_param("repository", "The full path of the repository. e.g. namespace/name")
+@path_param("uuid", "The UUID of the notification")
 class TestRepositoryNotification(RepositoryParamResource):
-  """ Resource for queuing a test of a notification. """
+    """ Resource for queuing a test of a notification. """
 
-  @require_repo_admin
-  @nickname('testRepoNotification')
-  @disallow_for_app_repositories
-  def post(self, namespace_name, repository_name, uuid):
-    """ Queues a test notification for this repository. """
-    test_note = model.queue_test_notification(uuid)
-    if not test_note:
-      raise InvalidRequest("No repository notification found for: %s, %s, %s" %
-                           (namespace_name, repository_name, uuid))
+    @require_repo_admin
+    @nickname("testRepoNotification")
+    @disallow_for_app_repositories
+    def post(self, namespace_name, repository_name, uuid):
+        """ Queues a test notification for this repository. """
+        test_note = model.queue_test_notification(uuid)
+        if not test_note:
+            raise InvalidRequest(
+                "No repository notification found for: %s, %s, %s"
+                % (namespace_name, repository_name, uuid)
+            )
 
-    return {}, 200
+        return {}, 200
diff --git a/endpoints/api/repositorynotification_models_interface.py b/endpoints/api/repositorynotification_models_interface.py
index ed0ebd2f7..a8789ddf8 100644
--- a/endpoints/api/repositorynotification_models_interface.py
+++ b/endpoints/api/repositorynotification_models_interface.py
@@ -7,16 +7,20 @@ from six import add_metaclass
 
 
 class RepositoryNotification(
-    namedtuple('RepositoryNotification', [
-        'uuid',
-        'title',
-        'event_name',
-        'method_name',
-        'config_json',
-        'event_config_json',
-        'number_of_failures',
-    ])):
-  """
+    namedtuple(
+        "RepositoryNotification",
+        [
+            "uuid",
+            "title",
+            "event_name",
+            "method_name",
+            "config_json",
+            "event_config_json",
+            "number_of_failures",
+        ],
+    )
+):
+    """
   RepositoryNotification represents a notification for a repository.
   :type uuid: string
   :type event: string
@@ -27,38 +31,46 @@ class RepositoryNotification(
   :type number_of_failures: int
   """
 
-  def to_dict(self):
-    try:
-      config = json.loads(self.config_json)
-    except ValueError:
-      config = {}
+    def to_dict(self):
+        try:
+            config = json.loads(self.config_json)
+        except ValueError:
+            config = {}
 
-    try:
-      event_config = json.loads(self.event_config_json)
-    except ValueError:
-      event_config = {}
+        try:
+            event_config = json.loads(self.event_config_json)
+        except ValueError:
+            event_config = {}
 
-    return {
-      'uuid': self.uuid,
-      'title': self.title,
-      'event': self.event_name,
-      'method': self.method_name,
-      'config': config,
-      'event_config': event_config,
-      'number_of_failures': self.number_of_failures,
-    }
+        return {
+            "uuid": self.uuid,
+            "title": self.title,
+            "event": self.event_name,
+            "method": self.method_name,
+            "config": config,
+            "event_config": event_config,
+            "number_of_failures": self.number_of_failures,
+        }
 
 
 @add_metaclass(ABCMeta)
 class RepoNotificationInterface(object):
-  """
+    """
   Interface that represents all data store interactions required by the RepositoryNotification API
   """
 
-  @abstractmethod
-  def create_repo_notification(self, namespace_name, repository_name, event_name, method_name,
-                               method_config, event_config, title=None):
-    """
+    @abstractmethod
+    def create_repo_notification(
+        self,
+        namespace_name,
+        repository_name,
+        event_name,
+        method_name,
+        method_config,
+        event_config,
+        title=None,
+    ):
+        """
 
     Args:
       namespace_name: namespace of repository
@@ -73,11 +85,11 @@ class RepoNotificationInterface(object):
       RepositoryNotification object
 
     """
-    pass
+        pass
 
-  @abstractmethod
-  def list_repo_notifications(self, namespace_name, repository_name, event_name=None):
-    """
+    @abstractmethod
+    def list_repo_notifications(self, namespace_name, repository_name, event_name=None):
+        """
 
     Args:
       namespace_name: namespace of repository
@@ -87,11 +99,11 @@ class RepoNotificationInterface(object):
     Returns:
       list(RepositoryNotification)
     """
-    pass
+        pass
 
-  @abstractmethod
-  def get_repo_notification(self, uuid):
-    """
+    @abstractmethod
+    def get_repo_notification(self, uuid):
+        """
 
     Args:
       uuid: uuid of notification
@@ -100,11 +112,11 @@ class RepoNotificationInterface(object):
       RepositoryNotification or None
 
     """
-    pass
+        pass
 
-  @abstractmethod
-  def delete_repo_notification(self, namespace_name, repository_name, uuid):
-    """
+    @abstractmethod
+    def delete_repo_notification(self, namespace_name, repository_name, uuid):
+        """
 
     Args:
       namespace_name: namespace of repository
@@ -115,11 +127,13 @@ class RepoNotificationInterface(object):
       RepositoryNotification or None
 
     """
-    pass
+        pass
 
-  @abstractmethod
-  def reset_notification_number_of_failures(self, namespace_name, repository_name, uuid):
-    """
+    @abstractmethod
+    def reset_notification_number_of_failures(
+        self, namespace_name, repository_name, uuid
+    ):
+        """
 
     Args:
       namespace_name: namespace of repository
@@ -130,11 +144,11 @@ class RepoNotificationInterface(object):
       RepositoryNotification
 
     """
-    pass
+        pass
 
-  @abstractmethod
-  def queue_test_notification(self, uuid):
-    """
+    @abstractmethod
+    def queue_test_notification(self, uuid):
+        """
 
     Args:
       uuid: uuid of notification
@@ -143,4 +157,4 @@ class RepoNotificationInterface(object):
       RepositoryNotification or None
 
     """
-    pass
+        pass
diff --git a/endpoints/api/repositorynotification_models_pre_oci.py b/endpoints/api/repositorynotification_models_pre_oci.py
index b3edf43ae..1b55143bd 100644
--- a/endpoints/api/repositorynotification_models_pre_oci.py
+++ b/endpoints/api/repositorynotification_models_pre_oci.py
@@ -3,70 +3,102 @@ import json
 from app import notification_queue
 from data import model
 from data.model import InvalidNotificationException
-from endpoints.api.repositorynotification_models_interface import (RepoNotificationInterface,
-                                                                   RepositoryNotification)
+from endpoints.api.repositorynotification_models_interface import (
+    RepoNotificationInterface,
+    RepositoryNotification,
+)
 from notifications import build_notification_data
 from notifications.notificationevent import NotificationEvent
 
 
 class RepoNotificationPreOCIModel(RepoNotificationInterface):
-  def create_repo_notification(self, namespace_name, repository_name, event_name, method_name,
-                               method_config, event_config, title=None):
-    repository = model.repository.get_repository(namespace_name, repository_name)
-    return self._notification(
-      model.notification.create_repo_notification(repository, event_name, method_name,
-                                                  method_config, event_config, title))
+    def create_repo_notification(
+        self,
+        namespace_name,
+        repository_name,
+        event_name,
+        method_name,
+        method_config,
+        event_config,
+        title=None,
+    ):
+        repository = model.repository.get_repository(namespace_name, repository_name)
+        return self._notification(
+            model.notification.create_repo_notification(
+                repository, event_name, method_name, method_config, event_config, title
+            )
+        )
 
-  def list_repo_notifications(self, namespace_name, repository_name, event_name=None):
-    return [
-      self._notification(n)
-      for n in model.notification.list_repo_notifications(namespace_name, repository_name,
-                                                          event_name)]
+    def list_repo_notifications(self, namespace_name, repository_name, event_name=None):
+        return [
+            self._notification(n)
+            for n in model.notification.list_repo_notifications(
+                namespace_name, repository_name, event_name
+            )
+        ]
 
-  def get_repo_notification(self, uuid):
-    try:
-      found = model.notification.get_repo_notification(uuid)
-    except InvalidNotificationException:
-      return None
-    return self._notification(found)
+    def get_repo_notification(self, uuid):
+        try:
+            found = model.notification.get_repo_notification(uuid)
+        except InvalidNotificationException:
+            return None
+        return self._notification(found)
 
-  def delete_repo_notification(self, namespace_name, repository_name, uuid):
-    try:
-      found = model.notification.delete_repo_notification(namespace_name, repository_name, uuid)
-    except InvalidNotificationException:
-      return None
-    return self._notification(found)
+    def delete_repo_notification(self, namespace_name, repository_name, uuid):
+        try:
+            found = model.notification.delete_repo_notification(
+                namespace_name, repository_name, uuid
+            )
+        except InvalidNotificationException:
+            return None
+        return self._notification(found)
 
-  def reset_notification_number_of_failures(self, namespace_name, repository_name, uuid):
-    return self._notification(
-      model.notification.reset_notification_number_of_failures(namespace_name, repository_name,
-                                                               uuid))
+    def reset_notification_number_of_failures(
+        self, namespace_name, repository_name, uuid
+    ):
+        return self._notification(
+            model.notification.reset_notification_number_of_failures(
+                namespace_name, repository_name, uuid
+            )
+        )
 
-  def queue_test_notification(self, uuid):
-    try:
-      notification = model.notification.get_repo_notification(uuid)
-    except InvalidNotificationException:
-      return None
+    def queue_test_notification(self, uuid):
+        try:
+            notification = model.notification.get_repo_notification(uuid)
+        except InvalidNotificationException:
+            return None
 
-    event_config = json.loads(notification.event_config_json or '{}')
-    event_info = NotificationEvent.get_event(notification.event.name)
-    sample_data = event_info.get_sample_data(notification.repository.namespace_user.username,
-                                             notification.repository.name, event_config)
-    notification_data = build_notification_data(notification, sample_data)
-    notification_queue.put([
-      notification.repository.namespace_user.username, notification.uuid, notification.event.name],
-                           json.dumps(notification_data))
-    return self._notification(notification)
+        event_config = json.loads(notification.event_config_json or "{}")
+        event_info = NotificationEvent.get_event(notification.event.name)
+        sample_data = event_info.get_sample_data(
+            notification.repository.namespace_user.username,
+            notification.repository.name,
+            event_config,
+        )
+        notification_data = build_notification_data(notification, sample_data)
+        notification_queue.put(
+            [
+                notification.repository.namespace_user.username,
+                notification.uuid,
+                notification.event.name,
+            ],
+            json.dumps(notification_data),
+        )
+        return self._notification(notification)
 
-  def _notification(self, notification):
-    if not notification:
-      return None
+    def _notification(self, notification):
+        if not notification:
+            return None
 
-    return RepositoryNotification(
-      uuid=notification.uuid, title=notification.title, event_name=notification.event.name,
-      method_name=notification.method.name, config_json=notification.config_json,
-      event_config_json=notification.event_config_json,
-      number_of_failures=notification.number_of_failures)
+        return RepositoryNotification(
+            uuid=notification.uuid,
+            title=notification.title,
+            event_name=notification.event.name,
+            method_name=notification.method.name,
+            config_json=notification.config_json,
+            event_config_json=notification.event_config_json,
+            number_of_failures=notification.number_of_failures,
+        )
 
 
 pre_oci_model = RepoNotificationPreOCIModel()
diff --git a/endpoints/api/repotoken.py b/endpoints/api/repotoken.py
index efa25a2fb..93f0f05eb 100644
--- a/endpoints/api/repotoken.py
+++ b/endpoints/api/repotoken.py
@@ -2,99 +2,87 @@
 
 import logging
 
-from endpoints.api import (resource, nickname, require_repo_admin, RepositoryParamResource,
-                           validate_json_request, path_param)
+from endpoints.api import (
+    resource,
+    nickname,
+    require_repo_admin,
+    RepositoryParamResource,
+    validate_json_request,
+    path_param,
+)
 
 logger = logging.getLogger(__name__)
 
-@resource('/v1/repository/<apirepopath:repository>/tokens/')
-@path_param('repository', 'The full path of the repository. e.g. namespace/name')
+
+@resource("/v1/repository/<apirepopath:repository>/tokens/")
+@path_param("repository", "The full path of the repository. e.g. namespace/name")
 class RepositoryTokenList(RepositoryParamResource):
-  """ Resource for creating and listing repository tokens. """
-  schemas = {
-    'NewToken': {
-      'type': 'object',
-      'description': 'Description of a new token.',
-      'required':[
-        'friendlyName',
-      ],
-      'properties': {
-        'friendlyName': {
-          'type': 'string',
-          'description': 'Friendly name to help identify the token',
-        },
-      },
-    },
-  }
+    """ Resource for creating and listing repository tokens. """
 
-  @require_repo_admin
-  @nickname('listRepoTokens')
-  def get(self, namespace_name, repo_name):
-    """ List the tokens for the specified repository. """
-    return {
-      'message': 'Handling of access tokens is no longer supported',
-    }, 410
+    schemas = {
+        "NewToken": {
+            "type": "object",
+            "description": "Description of a new token.",
+            "required": ["friendlyName"],
+            "properties": {
+                "friendlyName": {
+                    "type": "string",
+                    "description": "Friendly name to help identify the token",
+                }
+            },
+        }
+    }
+
+    @require_repo_admin
+    @nickname("listRepoTokens")
+    def get(self, namespace_name, repo_name):
+        """ List the tokens for the specified repository. """
+        return {"message": "Handling of access tokens is no longer supported"}, 410
+
+    @require_repo_admin
+    @nickname("createToken")
+    @validate_json_request("NewToken")
+    def post(self, namespace_name, repo_name):
+        """ Create a new repository token. """
+        return {"message": "Creation of access tokens is no longer supported"}, 410
 
 
-  @require_repo_admin
-  @nickname('createToken')
-  @validate_json_request('NewToken')
-  def post(self, namespace_name, repo_name):
-    """ Create a new repository token. """
-    return {
-      'message': 'Creation of access tokens is no longer supported',
-    }, 410
-
-
-@resource('/v1/repository/<apirepopath:repository>/tokens/<code>')
-@path_param('repository', 'The full path of the repository. e.g. namespace/name')
-@path_param('code', 'The token code')
+@resource("/v1/repository/<apirepopath:repository>/tokens/<code>")
+@path_param("repository", "The full path of the repository. e.g. namespace/name")
+@path_param("code", "The token code")
 class RepositoryToken(RepositoryParamResource):
-  """ Resource for managing individual tokens. """
-  schemas = {
-    'TokenPermission': {
-      'type': 'object',
-      'description': 'Description of a token permission',
-      'required': [
-        'role',
-      ],
-      'properties': {
-        'role': {
-          'type': 'string',
-          'description': 'Role to use for the token',
-          'enum': [
-            'read',
-            'write',
-            'admin',
-          ],
-        },
-      },
-    },
-  }
+    """ Resource for managing individual tokens. """
 
-  @require_repo_admin
-  @nickname('getTokens')
-  def get(self, namespace_name, repo_name, code):
-    """ Fetch the specified repository token information. """
-    return {
-      'message': 'Handling of access tokens is no longer supported',
-    }, 410
+    schemas = {
+        "TokenPermission": {
+            "type": "object",
+            "description": "Description of a token permission",
+            "required": ["role"],
+            "properties": {
+                "role": {
+                    "type": "string",
+                    "description": "Role to use for the token",
+                    "enum": ["read", "write", "admin"],
+                }
+            },
+        }
+    }
 
+    @require_repo_admin
+    @nickname("getTokens")
+    def get(self, namespace_name, repo_name, code):
+        """ Fetch the specified repository token information. """
+        return {"message": "Handling of access tokens is no longer supported"}, 410
 
-  @require_repo_admin
-  @nickname('changeToken')
-  @validate_json_request('TokenPermission')
-  def put(self, namespace_name, repo_name, code):
-    """ Update the permissions for the specified repository token. """
-    return {
-      'message': 'Handling of access tokens is no longer supported',
-    }, 410
+    @require_repo_admin
+    @nickname("changeToken")
+    @validate_json_request("TokenPermission")
+    def put(self, namespace_name, repo_name, code):
+        """ Update the permissions for the specified repository token. """
+        return {"message": "Handling of access tokens is no longer supported"}, 410
 
-
-  @require_repo_admin
-  @nickname('deleteToken')
-  def delete(self, namespace_name, repo_name, code):
-    """ Delete the repository token. """
-    return {
-      'message': 'Handling of access tokens is no longer supported',
-    }, 410
+    @require_repo_admin
+    @nickname("deleteToken")
+    def delete(self, namespace_name, repo_name, code):
+        """ Delete the repository token. """
+        return {"message": "Handling of access tokens is no longer supported"}, 410
diff --git a/endpoints/api/robot.py b/endpoints/api/robot.py
index 867329323..ea22269b3 100644
--- a/endpoints/api/robot.py
+++ b/endpoints/api/robot.py
@@ -1,11 +1,26 @@
 """ Manage user and organization robot accounts. """
 
-from endpoints.api import (resource, nickname, ApiResource, log_action, related_user_resource,
-                           require_user_admin, require_scope, path_param, parse_args,
-                           truthy_bool, query_param, validate_json_request, max_json_size)
+from endpoints.api import (
+    resource,
+    nickname,
+    ApiResource,
+    log_action,
+    related_user_resource,
+    require_user_admin,
+    require_scope,
+    path_param,
+    parse_args,
+    truthy_bool,
+    query_param,
+    validate_json_request,
+    max_json_size,
+)
 from endpoints.api.robot_models_pre_oci import pre_oci_model as model
 from endpoints.exception import Unauthorized
-from auth.permissions import AdministerOrganizationPermission, OrganizationMemberPermission
+from auth.permissions import (
+    AdministerOrganizationPermission,
+    OrganizationMemberPermission,
+)
 from auth.auth_context import get_authenticated_user
 from auth import scopes
 from util.names import format_robot_username
@@ -13,262 +28,309 @@ from flask import abort, request
 
 
 CREATE_ROBOT_SCHEMA = {
-  'type': 'object',
-  'description': 'Optional data for creating a robot',
-  'properties': {
-    'description': {
-      'type': 'string',
-      'description': 'Optional text description for the robot',
-      'maxLength': 255,
+    "type": "object",
+    "description": "Optional data for creating a robot",
+    "properties": {
+        "description": {
+            "type": "string",
+            "description": "Optional text description for the robot",
+            "maxLength": 255,
+        },
+        "unstructured_metadata": {
+            "type": "object",
+            "description": "Optional unstructured metadata for the robot",
+        },
     },
-    'unstructured_metadata': {
-      'type': 'object',
-      'description': 'Optional unstructured metadata for the robot',
-    },
-  },
 }
 
-ROBOT_MAX_SIZE = 1024 * 1024 # 1 KB.
+ROBOT_MAX_SIZE = 1024 * 1024  # 1 KB.
 
 
 def robots_list(prefix, include_permissions=False, include_token=False, limit=None):
-  robots = model.list_entity_robot_permission_teams(prefix, limit=limit,
-                                                    include_token=include_token,
-                                                    include_permissions=include_permissions)
-  return {'robots': [robot.to_dict(include_token=include_token) for robot in robots]}
+    robots = model.list_entity_robot_permission_teams(
+        prefix,
+        limit=limit,
+        include_token=include_token,
+        include_permissions=include_permissions,
+    )
+    return {"robots": [robot.to_dict(include_token=include_token) for robot in robots]}
 
 
-@resource('/v1/user/robots')
+@resource("/v1/user/robots")
 class UserRobotList(ApiResource):
-  """ Resource for listing user robots. """
+    """ Resource for listing user robots. """
 
-  @require_user_admin
-  @nickname('getUserRobots')
-  @parse_args()
-  @query_param('permissions',
-               'Whether to include repositories and teams in which the robots have permission.',
-               type=truthy_bool, default=False)
-  @query_param('token',
-               'If false, the robot\'s token is not returned.',
-               type=truthy_bool, default=True)
-  @query_param('limit',
-               'If specified, the number of robots to return.',
-               type=int, default=None)
-  def get(self, parsed_args):
-    """ List the available robots for the user. """
-    user = get_authenticated_user()
-    return robots_list(user.username, include_token=parsed_args.get('token', True),
-                       include_permissions=parsed_args.get('permissions', False),
-                       limit=parsed_args.get('limit'))
+    @require_user_admin
+    @nickname("getUserRobots")
+    @parse_args()
+    @query_param(
+        "permissions",
+        "Whether to include repositories and teams in which the robots have permission.",
+        type=truthy_bool,
+        default=False,
+    )
+    @query_param(
+        "token",
+        "If false, the robot's token is not returned.",
+        type=truthy_bool,
+        default=True,
+    )
+    @query_param(
+        "limit", "If specified, the number of robots to return.", type=int, default=None
+    )
+    def get(self, parsed_args):
+        """ List the available robots for the user. """
+        user = get_authenticated_user()
+        return robots_list(
+            user.username,
+            include_token=parsed_args.get("token", True),
+            include_permissions=parsed_args.get("permissions", False),
+            limit=parsed_args.get("limit"),
+        )
 
 
-@resource('/v1/user/robots/<robot_shortname>')
-@path_param('robot_shortname',
-            'The short name for the robot, without any user or organization prefix')
+@resource("/v1/user/robots/<robot_shortname>")
+@path_param(
+    "robot_shortname",
+    "The short name for the robot, without any user or organization prefix",
+)
 class UserRobot(ApiResource):
-  """ Resource for managing a user's robots. """
-  schemas = {
-    'CreateRobot': CREATE_ROBOT_SCHEMA,
-  }
+    """ Resource for managing a user's robots. """
 
-  @require_user_admin
-  @nickname('getUserRobot')
-  def get(self, robot_shortname):
-    """ Returns the user's robot with the specified name. """
-    parent = get_authenticated_user()
-    robot = model.get_user_robot(robot_shortname, parent)
-    return robot.to_dict(include_metadata=True, include_token=True)
+    schemas = {"CreateRobot": CREATE_ROBOT_SCHEMA}
 
-  @require_user_admin
-  @nickname('createUserRobot')
-  @max_json_size(ROBOT_MAX_SIZE)
-  @validate_json_request('CreateRobot', optional=True)
-  def put(self, robot_shortname):
-    """ Create a new user robot with the specified name. """
-    parent = get_authenticated_user()
-    create_data = request.get_json() or {}
-    robot = model.create_user_robot(robot_shortname, parent, create_data.get('description'),
-                                    create_data.get('unstructured_metadata'))
-    log_action('create_robot', parent.username, {
-      'robot': robot_shortname,
-      'description': create_data.get('description'),
-      'unstructured_metadata': create_data.get('unstructured_metadata'),
-    })
-    return robot.to_dict(include_metadata=True, include_token=True), 201
+    @require_user_admin
+    @nickname("getUserRobot")
+    def get(self, robot_shortname):
+        """ Returns the user's robot with the specified name. """
+        parent = get_authenticated_user()
+        robot = model.get_user_robot(robot_shortname, parent)
+        return robot.to_dict(include_metadata=True, include_token=True)
 
-  @require_user_admin
-  @nickname('deleteUserRobot')
-  def delete(self, robot_shortname):
-    """ Delete an existing robot. """
-    parent = get_authenticated_user()
-    model.delete_robot(format_robot_username(parent.username, robot_shortname))
-    log_action('delete_robot', parent.username, {'robot': robot_shortname})
-    return '', 204
+    @require_user_admin
+    @nickname("createUserRobot")
+    @max_json_size(ROBOT_MAX_SIZE)
+    @validate_json_request("CreateRobot", optional=True)
+    def put(self, robot_shortname):
+        """ Create a new user robot with the specified name. """
+        parent = get_authenticated_user()
+        create_data = request.get_json() or {}
+        robot = model.create_user_robot(
+            robot_shortname,
+            parent,
+            create_data.get("description"),
+            create_data.get("unstructured_metadata"),
+        )
+        log_action(
+            "create_robot",
+            parent.username,
+            {
+                "robot": robot_shortname,
+                "description": create_data.get("description"),
+                "unstructured_metadata": create_data.get("unstructured_metadata"),
+            },
+        )
+        return robot.to_dict(include_metadata=True, include_token=True), 201
+
+    @require_user_admin
+    @nickname("deleteUserRobot")
+    def delete(self, robot_shortname):
+        """ Delete an existing robot. """
+        parent = get_authenticated_user()
+        model.delete_robot(format_robot_username(parent.username, robot_shortname))
+        log_action("delete_robot", parent.username, {"robot": robot_shortname})
+        return "", 204
 
 
-@resource('/v1/organization/<orgname>/robots')
-@path_param('orgname', 'The name of the organization')
+@resource("/v1/organization/<orgname>/robots")
+@path_param("orgname", "The name of the organization")
 @related_user_resource(UserRobotList)
 class OrgRobotList(ApiResource):
-  """ Resource for listing an organization's robots. """
+    """ Resource for listing an organization's robots. """
 
-  @require_scope(scopes.ORG_ADMIN)
-  @nickname('getOrgRobots')
-  @parse_args()
-  @query_param('permissions',
-               'Whether to include repostories and teams in which the robots have permission.',
-               type=truthy_bool, default=False)
-  @query_param('token',
-               'If false, the robot\'s token is not returned.',
-               type=truthy_bool, default=True)
-  @query_param('limit',
-               'If specified, the number of robots to return.',
-               type=int, default=None)
-  def get(self, orgname, parsed_args):
-    """ List the organization's robots. """
-    permission = OrganizationMemberPermission(orgname)
-    if permission.can():
-      include_token = (AdministerOrganizationPermission(orgname).can() and
-                       parsed_args.get('token', True))
-      include_permissions = (AdministerOrganizationPermission(orgname).can() and
-                             parsed_args.get('permissions', False))
-      return robots_list(orgname, include_permissions=include_permissions,
-                         include_token=include_token,
-                         limit=parsed_args.get('limit'))
+    @require_scope(scopes.ORG_ADMIN)
+    @nickname("getOrgRobots")
+    @parse_args()
+    @query_param(
+        "permissions",
+        "Whether to include repostories and teams in which the robots have permission.",
+        type=truthy_bool,
+        default=False,
+    )
+    @query_param(
+        "token",
+        "If false, the robot's token is not returned.",
+        type=truthy_bool,
+        default=True,
+    )
+    @query_param(
+        "limit", "If specified, the number of robots to return.", type=int, default=None
+    )
+    def get(self, orgname, parsed_args):
+        """ List the organization's robots. """
+        permission = OrganizationMemberPermission(orgname)
+        if permission.can():
+            include_token = AdministerOrganizationPermission(
+                orgname
+            ).can() and parsed_args.get("token", True)
+            include_permissions = AdministerOrganizationPermission(
+                orgname
+            ).can() and parsed_args.get("permissions", False)
+            return robots_list(
+                orgname,
+                include_permissions=include_permissions,
+                include_token=include_token,
+                limit=parsed_args.get("limit"),
+            )
 
-    raise Unauthorized()
+        raise Unauthorized()
 
 
-@resource('/v1/organization/<orgname>/robots/<robot_shortname>')
-@path_param('orgname', 'The name of the organization')
-@path_param('robot_shortname',
-            'The short name for the robot, without any user or organization prefix')
+@resource("/v1/organization/<orgname>/robots/<robot_shortname>")
+@path_param("orgname", "The name of the organization")
+@path_param(
+    "robot_shortname",
+    "The short name for the robot, without any user or organization prefix",
+)
 @related_user_resource(UserRobot)
 class OrgRobot(ApiResource):
-  """ Resource for managing an organization's robots. """
-  schemas = {
-    'CreateRobot': CREATE_ROBOT_SCHEMA,
-  }
+    """ Resource for managing an organization's robots. """
 
-  @require_scope(scopes.ORG_ADMIN)
-  @nickname('getOrgRobot')
-  def get(self, orgname, robot_shortname):
-    """ Returns the organization's robot with the specified name. """
-    permission = AdministerOrganizationPermission(orgname)
-    if permission.can():
-      robot = model.get_org_robot(robot_shortname, orgname)
-      return robot.to_dict(include_metadata=True, include_token=True)
+    schemas = {"CreateRobot": CREATE_ROBOT_SCHEMA}
 
-    raise Unauthorized()
+    @require_scope(scopes.ORG_ADMIN)
+    @nickname("getOrgRobot")
+    def get(self, orgname, robot_shortname):
+        """ Returns the organization's robot with the specified name. """
+        permission = AdministerOrganizationPermission(orgname)
+        if permission.can():
+            robot = model.get_org_robot(robot_shortname, orgname)
+            return robot.to_dict(include_metadata=True, include_token=True)
 
-  @require_scope(scopes.ORG_ADMIN)
-  @nickname('createOrgRobot')
-  @max_json_size(ROBOT_MAX_SIZE)
-  @validate_json_request('CreateRobot', optional=True)
-  def put(self, orgname, robot_shortname):
-    """ Create a new robot in the organization. """
-    permission = AdministerOrganizationPermission(orgname)
-    if permission.can():
-      create_data = request.get_json() or {}
-      robot = model.create_org_robot(robot_shortname, orgname, create_data.get('description'),
-                                     create_data.get('unstructured_metadata'))
-      log_action('create_robot', orgname, {
-        'robot': robot_shortname,
-        'description': create_data.get('description'),
-        'unstructured_metadata': create_data.get('unstructured_metadata'),
-      })
-      return robot.to_dict(include_metadata=True, include_token=True), 201
+        raise Unauthorized()
 
-    raise Unauthorized()
+    @require_scope(scopes.ORG_ADMIN)
+    @nickname("createOrgRobot")
+    @max_json_size(ROBOT_MAX_SIZE)
+    @validate_json_request("CreateRobot", optional=True)
+    def put(self, orgname, robot_shortname):
+        """ Create a new robot in the organization. """
+        permission = AdministerOrganizationPermission(orgname)
+        if permission.can():
+            create_data = request.get_json() or {}
+            robot = model.create_org_robot(
+                robot_shortname,
+                orgname,
+                create_data.get("description"),
+                create_data.get("unstructured_metadata"),
+            )
+            log_action(
+                "create_robot",
+                orgname,
+                {
+                    "robot": robot_shortname,
+                    "description": create_data.get("description"),
+                    "unstructured_metadata": create_data.get("unstructured_metadata"),
+                },
+            )
+            return robot.to_dict(include_metadata=True, include_token=True), 201
 
-  @require_scope(scopes.ORG_ADMIN)
-  @nickname('deleteOrgRobot')
-  def delete(self, orgname, robot_shortname):
-    """ Delete an existing organization robot. """
-    permission = AdministerOrganizationPermission(orgname)
-    if permission.can():
-      model.delete_robot(format_robot_username(orgname, robot_shortname))
-      log_action('delete_robot', orgname, {'robot': robot_shortname})
-      return '', 204
+        raise Unauthorized()
 
-    raise Unauthorized()
+    @require_scope(scopes.ORG_ADMIN)
+    @nickname("deleteOrgRobot")
+    def delete(self, orgname, robot_shortname):
+        """ Delete an existing organization robot. """
+        permission = AdministerOrganizationPermission(orgname)
+        if permission.can():
+            model.delete_robot(format_robot_username(orgname, robot_shortname))
+            log_action("delete_robot", orgname, {"robot": robot_shortname})
+            return "", 204
+
+        raise Unauthorized()
 
 
-@resource('/v1/user/robots/<robot_shortname>/permissions')
-@path_param('robot_shortname',
-            'The short name for the robot, without any user or organization prefix')
+@resource("/v1/user/robots/<robot_shortname>/permissions")
+@path_param(
+    "robot_shortname",
+    "The short name for the robot, without any user or organization prefix",
+)
 class UserRobotPermissions(ApiResource):
-  """ Resource for listing the permissions a user's robot has in the system. """
+    """ Resource for listing the permissions a user's robot has in the system. """
 
-  @require_user_admin
-  @nickname('getUserRobotPermissions')
-  def get(self, robot_shortname):
-    """ Returns the list of repository permissions for the user's robot. """
-    parent = get_authenticated_user()
-    robot = model.get_user_robot(robot_shortname, parent)
-    permissions = model.list_robot_permissions(robot.name)
+    @require_user_admin
+    @nickname("getUserRobotPermissions")
+    def get(self, robot_shortname):
+        """ Returns the list of repository permissions for the user's robot. """
+        parent = get_authenticated_user()
+        robot = model.get_user_robot(robot_shortname, parent)
+        permissions = model.list_robot_permissions(robot.name)
 
-    return {
-      'permissions': [permission.to_dict() for permission in permissions]
-    }
+        return {"permissions": [permission.to_dict() for permission in permissions]}
 
 
-@resource('/v1/organization/<orgname>/robots/<robot_shortname>/permissions')
-@path_param('orgname', 'The name of the organization')
-@path_param('robot_shortname',
-            'The short name for the robot, without any user or organization prefix')
+@resource("/v1/organization/<orgname>/robots/<robot_shortname>/permissions")
+@path_param("orgname", "The name of the organization")
+@path_param(
+    "robot_shortname",
+    "The short name for the robot, without any user or organization prefix",
+)
 @related_user_resource(UserRobotPermissions)
 class OrgRobotPermissions(ApiResource):
-  """ Resource for listing the permissions an org's robot has in the system. """
+    """ Resource for listing the permissions an org's robot has in the system. """
 
-  @require_user_admin
-  @nickname('getOrgRobotPermissions')
-  def get(self, orgname, robot_shortname):
-    """ Returns the list of repository permissions for the org's robot. """
-    permission = AdministerOrganizationPermission(orgname)
-    if permission.can():
-      robot = model.get_org_robot(robot_shortname, orgname)
-      permissions = model.list_robot_permissions(robot.name)
+    @require_user_admin
+    @nickname("getOrgRobotPermissions")
+    def get(self, orgname, robot_shortname):
+        """ Returns the list of repository permissions for the org's robot. """
+        permission = AdministerOrganizationPermission(orgname)
+        if permission.can():
+            robot = model.get_org_robot(robot_shortname, orgname)
+            permissions = model.list_robot_permissions(robot.name)
 
-      return {
-        'permissions': [permission.to_dict() for permission in permissions]
-      }
+            return {"permissions": [permission.to_dict() for permission in permissions]}
 
-    abort(403)
+        abort(403)
 
 
-@resource('/v1/user/robots/<robot_shortname>/regenerate')
-@path_param('robot_shortname',
-            'The short name for the robot, without any user or organization prefix')
+@resource("/v1/user/robots/<robot_shortname>/regenerate")
+@path_param(
+    "robot_shortname",
+    "The short name for the robot, without any user or organization prefix",
+)
 class RegenerateUserRobot(ApiResource):
-  """ Resource for regenerate an organization's robot's token. """
+    """ Resource for regenerate an organization's robot's token. """
 
-  @require_user_admin
-  @nickname('regenerateUserRobotToken')
-  def post(self, robot_shortname):
-    """ Regenerates the token for a user's robot. """
-    parent = get_authenticated_user()
-    robot = model.regenerate_user_robot_token(robot_shortname, parent)
-    log_action('regenerate_robot_token', parent.username, {'robot': robot_shortname})
-    return robot.to_dict(include_token=True)
+    @require_user_admin
+    @nickname("regenerateUserRobotToken")
+    def post(self, robot_shortname):
+        """ Regenerates the token for a user's robot. """
+        parent = get_authenticated_user()
+        robot = model.regenerate_user_robot_token(robot_shortname, parent)
+        log_action(
+            "regenerate_robot_token", parent.username, {"robot": robot_shortname}
+        )
+        return robot.to_dict(include_token=True)
 
 
-@resource('/v1/organization/<orgname>/robots/<robot_shortname>/regenerate')
-@path_param('orgname', 'The name of the organization')
-@path_param('robot_shortname',
-            'The short name for the robot, without any user or organization prefix')
+@resource("/v1/organization/<orgname>/robots/<robot_shortname>/regenerate")
+@path_param("orgname", "The name of the organization")
+@path_param(
+    "robot_shortname",
+    "The short name for the robot, without any user or organization prefix",
+)
 @related_user_resource(RegenerateUserRobot)
 class RegenerateOrgRobot(ApiResource):
-  """ Resource for regenerate an organization's robot's token. """
+    """ Resource for regenerate an organization's robot's token. """
 
-  @require_scope(scopes.ORG_ADMIN)
-  @nickname('regenerateOrgRobotToken')
-  def post(self, orgname, robot_shortname):
-    """ Regenerates the token for an organization robot. """
-    permission = AdministerOrganizationPermission(orgname)
-    if permission.can():
-      robot = model.regenerate_org_robot_token(robot_shortname, orgname)
-      log_action('regenerate_robot_token', orgname, {'robot': robot_shortname})
-      return robot.to_dict(include_token=True)
+    @require_scope(scopes.ORG_ADMIN)
+    @nickname("regenerateOrgRobotToken")
+    def post(self, orgname, robot_shortname):
+        """ Regenerates the token for an organization robot. """
+        permission = AdministerOrganizationPermission(orgname)
+        if permission.can():
+            robot = model.regenerate_org_robot_token(robot_shortname, orgname)
+            log_action("regenerate_robot_token", orgname, {"robot": robot_shortname})
+            return robot.to_dict(include_token=True)
 
-    raise Unauthorized()
+        raise Unauthorized()
diff --git a/endpoints/api/robot_models_interface.py b/endpoints/api/robot_models_interface.py
index c4a07d304..57be885a9 100644
--- a/endpoints/api/robot_models_interface.py
+++ b/endpoints/api/robot_models_interface.py
@@ -6,45 +6,51 @@ from six import add_metaclass
 from endpoints.api import format_date
 
 
-class Permission(namedtuple('Permission', ['repository_name', 'repository_visibility_name', 'role_name'])):
-  """
+class Permission(
+    namedtuple(
+        "Permission", ["repository_name", "repository_visibility_name", "role_name"]
+    )
+):
+    """
   Permission the relationship between a robot and a repository and whether that robot can see the repo.
   """
 
-  def to_dict(self):
-    return {
-      'repository': {
-        'name': self.repository_name,
-        'is_public': self.repository_visibility_name == 'public'
-      },
-      'role': self.role_name
-    }
+    def to_dict(self):
+        return {
+            "repository": {
+                "name": self.repository_name,
+                "is_public": self.repository_visibility_name == "public",
+            },
+            "role": self.role_name,
+        }
 
 
-class Team(namedtuple('Team', ['name', 'avatar'])):
-  """
+class Team(namedtuple("Team", ["name", "avatar"])):
+    """
   Team represents a team entry for a robot list entry.
   :type name: string
   :type avatar: {string -> string}
   """
-  def to_dict(self):
-    return {
-      'name': self.name,
-      'avatar': self.avatar,
-    }
+
+    def to_dict(self):
+        return {"name": self.name, "avatar": self.avatar}
 
 
 class RobotWithPermissions(
-  namedtuple('RobotWithPermissions', [
-    'name',
-    'password',
-    'created',
-    'last_accessed',
-    'teams',
-    'repository_names',
-    'description',
-  ])):
-  """
+    namedtuple(
+        "RobotWithPermissions",
+        [
+            "name",
+            "password",
+            "created",
+            "last_accessed",
+            "teams",
+            "repository_names",
+            "description",
+        ],
+    )
+):
+    """
   RobotWithPermissions is a list of robot entries.
   :type name: string
   :type password: string
@@ -55,32 +61,38 @@ class RobotWithPermissions(
   :type description: string
   """
 
-  def to_dict(self, include_token=False):
-    data = {
-      'name': self.name,
-      'created': format_date(self.created) if self.created is not None else None,
-      'last_accessed': format_date(self.last_accessed) if self.last_accessed is not None else None,
-      'teams': [team.to_dict() for team in self.teams],
-      'repositories': self.repository_names,
-      'description': self.description,
-    }
+    def to_dict(self, include_token=False):
+        data = {
+            "name": self.name,
+            "created": format_date(self.created) if self.created is not None else None,
+            "last_accessed": format_date(self.last_accessed)
+            if self.last_accessed is not None
+            else None,
+            "teams": [team.to_dict() for team in self.teams],
+            "repositories": self.repository_names,
+            "description": self.description,
+        }
 
-    if include_token:
-      data['token'] = self.password
+        if include_token:
+            data["token"] = self.password
 
-    return data
+        return data
 
 
 class Robot(
-  namedtuple('Robot', [
-    'name',
-    'password',
-    'created',
-    'last_accessed',
-    'description',
-    'unstructured_metadata',
-  ])):
-  """
+    namedtuple(
+        "Robot",
+        [
+            "name",
+            "password",
+            "created",
+            "last_accessed",
+            "description",
+            "unstructured_metadata",
+        ],
+    )
+):
+    """
   Robot represents a robot entity.
   :type name: string
   :type password: string
@@ -90,105 +102,108 @@ class Robot(
   :type unstructured_metadata: dict
   """
 
-  def to_dict(self, include_metadata=False, include_token=False):
-    data = {
-      'name': self.name,
-      'created': format_date(self.created) if self.created is not None else None,
-      'last_accessed': format_date(self.last_accessed) if self.last_accessed is not None else None,
-      'description': self.description,
-    }
+    def to_dict(self, include_metadata=False, include_token=False):
+        data = {
+            "name": self.name,
+            "created": format_date(self.created) if self.created is not None else None,
+            "last_accessed": format_date(self.last_accessed)
+            if self.last_accessed is not None
+            else None,
+            "description": self.description,
+        }
 
-    if include_token:
-      data['token'] = self.password
+        if include_token:
+            data["token"] = self.password
 
-    if include_metadata:
-      data['unstructured_metadata'] = self.unstructured_metadata
-    
-    return data
+        if include_metadata:
+            data["unstructured_metadata"] = self.unstructured_metadata
+
+        return data
 
 
 @add_metaclass(ABCMeta)
 class RobotInterface(object):
-  """
+    """
   Interface that represents all data store interactions required by the Robot API
   """
 
-  @abstractmethod
-  def get_org_robot(self, robot_shortname, orgname):
-    """
+    @abstractmethod
+    def get_org_robot(self, robot_shortname, orgname):
+        """
 
     Returns:
       Robot object
 
     """
 
-  @abstractmethod
-  def get_user_robot(self, robot_shortname, owning_user):
-    """
+    @abstractmethod
+    def get_user_robot(self, robot_shortname, owning_user):
+        """
 
     Returns:
       Robot object
 
     """
 
-  @abstractmethod
-  def create_user_robot(self, robot_shortname, owning_user):
-    """
+    @abstractmethod
+    def create_user_robot(self, robot_shortname, owning_user):
+        """
 
     Returns:
       Robot object
 
     """
 
-  @abstractmethod
-  def create_org_robot(self, robot_shortname, orgname):
-    """
+    @abstractmethod
+    def create_org_robot(self, robot_shortname, orgname):
+        """
 
     Returns:
       Robot object
 
     """
 
-  @abstractmethod
-  def delete_robot(self, robot_username):
-    """
+    @abstractmethod
+    def delete_robot(self, robot_username):
+        """
 
     Returns:
       Robot object
 
     """
 
-  @abstractmethod
-  def regenerate_user_robot_token(self, robot_shortname, owning_user):
-    """
+    @abstractmethod
+    def regenerate_user_robot_token(self, robot_shortname, owning_user):
+        """
 
     Returns:
       Robot object
 
     """
 
-  @abstractmethod
-  def regenerate_org_robot_token(self, robot_shortname, orgname):
-    """
+    @abstractmethod
+    def regenerate_org_robot_token(self, robot_shortname, orgname):
+        """
 
     Returns:
       Robot object
 
     """
 
-  @abstractmethod
-  def list_entity_robot_permission_teams(self, prefix, include_permissions=False,
-                                         include_token=False, limit=None):
-    """
+    @abstractmethod
+    def list_entity_robot_permission_teams(
+        self, prefix, include_permissions=False, include_token=False, limit=None
+    ):
+        """
 
     Returns:
       list of RobotWithPermissions objects
 
     """
 
-  @abstractmethod
-  def list_robot_permissions(self, username):
-    """
+    @abstractmethod
+    def list_robot_permissions(self, username):
+        """
 
     Returns:
       list of Robot objects
diff --git a/endpoints/api/robot_models_pre_oci.py b/endpoints/api/robot_models_pre_oci.py
index ad83decdf..29afbdac3 100644
--- a/endpoints/api/robot_models_pre_oci.py
+++ b/endpoints/api/robot_models_pre_oci.py
@@ -3,121 +3,206 @@ import features
 from app import avatar
 from data import model
 from active_migration import ActiveDataMigration, ERTMigrationFlags
-from data.database import (User, FederatedLogin, RobotAccountToken, Team as TeamTable, Repository,
-                           RobotAccountMetadata)
-from endpoints.api.robot_models_interface import (RobotInterface, Robot, RobotWithPermissions, Team,
-                                                  Permission)
+from data.database import (
+    User,
+    FederatedLogin,
+    RobotAccountToken,
+    Team as TeamTable,
+    Repository,
+    RobotAccountMetadata,
+)
+from endpoints.api.robot_models_interface import (
+    RobotInterface,
+    Robot,
+    RobotWithPermissions,
+    Team,
+    Permission,
+)
 
 
 class RobotPreOCIModel(RobotInterface):
-  def list_robot_permissions(self, username):
-    permissions = model.permission.list_robot_permissions(username)
-    return [Permission(permission.repository.name, permission.repository.visibility.name, permission.role.name) for
-            permission in permissions]
+    def list_robot_permissions(self, username):
+        permissions = model.permission.list_robot_permissions(username)
+        return [
+            Permission(
+                permission.repository.name,
+                permission.repository.visibility.name,
+                permission.role.name,
+            )
+            for permission in permissions
+        ]
 
-  def list_entity_robot_permission_teams(self, prefix, include_token=False,
-                                         include_permissions=False, limit=None):
-    tuples = model.user.list_entity_robot_permission_teams(prefix, limit=limit,
-                                                           include_permissions=include_permissions)
-    robots = {}
-    robot_teams = set()
+    def list_entity_robot_permission_teams(
+        self, prefix, include_token=False, include_permissions=False, limit=None
+    ):
+        tuples = model.user.list_entity_robot_permission_teams(
+            prefix, limit=limit, include_permissions=include_permissions
+        )
+        robots = {}
+        robot_teams = set()
 
-    for robot_tuple in tuples:
-      robot_name = robot_tuple.get(User.username)
-      if robot_name not in robots:
-        token = None
-        if include_token:
-          # TODO(remove-unenc): Remove branches once migrated.
-          if robot_tuple.get(RobotAccountToken.token):
-            token = robot_tuple.get(RobotAccountToken.token).decrypt()
+        for robot_tuple in tuples:
+            robot_name = robot_tuple.get(User.username)
+            if robot_name not in robots:
+                token = None
+                if include_token:
+                    # TODO(remove-unenc): Remove branches once migrated.
+                    if robot_tuple.get(RobotAccountToken.token):
+                        token = robot_tuple.get(RobotAccountToken.token).decrypt()
 
-          if token is None and ActiveDataMigration.has_flag(ERTMigrationFlags.READ_OLD_FIELDS):
-            token = robot_tuple.get(FederatedLogin.service_ident)
-            assert not token.startswith('robot:')
+                    if token is None and ActiveDataMigration.has_flag(
+                        ERTMigrationFlags.READ_OLD_FIELDS
+                    ):
+                        token = robot_tuple.get(FederatedLogin.service_ident)
+                        assert not token.startswith("robot:")
 
-        robot_dict = {
-          'name': robot_name,
-          'token': token,
-          'created': robot_tuple.get(User.creation_date),
-          'last_accessed': (robot_tuple.get(User.last_accessed)
-                            if features.USER_LAST_ACCESSED else None),
-          'description': robot_tuple.get(RobotAccountMetadata.description),
-          'unstructured_metadata': robot_tuple.get(RobotAccountMetadata.unstructured_json),
-        }
+                robot_dict = {
+                    "name": robot_name,
+                    "token": token,
+                    "created": robot_tuple.get(User.creation_date),
+                    "last_accessed": (
+                        robot_tuple.get(User.last_accessed)
+                        if features.USER_LAST_ACCESSED
+                        else None
+                    ),
+                    "description": robot_tuple.get(RobotAccountMetadata.description),
+                    "unstructured_metadata": robot_tuple.get(
+                        RobotAccountMetadata.unstructured_json
+                    ),
+                }
 
-        if include_permissions:
-          robot_dict.update({
-            'teams': [],
-            'repositories': [],
-          })
+                if include_permissions:
+                    robot_dict.update({"teams": [], "repositories": []})
 
-      robots[robot_name] = Robot(robot_dict['name'], robot_dict['token'], robot_dict['created'],
-                                 robot_dict['last_accessed'], robot_dict['description'],
-                                 robot_dict['unstructured_metadata'])
-      if include_permissions:
-        team_name = robot_tuple.get(TeamTable.name)
-        repository_name = robot_tuple.get(Repository.name)
+            robots[robot_name] = Robot(
+                robot_dict["name"],
+                robot_dict["token"],
+                robot_dict["created"],
+                robot_dict["last_accessed"],
+                robot_dict["description"],
+                robot_dict["unstructured_metadata"],
+            )
+            if include_permissions:
+                team_name = robot_tuple.get(TeamTable.name)
+                repository_name = robot_tuple.get(Repository.name)
 
-        if team_name is not None:
-          check_key = robot_name + ':' + team_name
-          if check_key not in robot_teams:
-            robot_teams.add(check_key)
+                if team_name is not None:
+                    check_key = robot_name + ":" + team_name
+                    if check_key not in robot_teams:
+                        robot_teams.add(check_key)
 
-            robot_dict['teams'].append(Team(
-              team_name,
-              avatar.get_data(team_name, team_name, 'team')
-            ))
+                        robot_dict["teams"].append(
+                            Team(
+                                team_name, avatar.get_data(team_name, team_name, "team")
+                            )
+                        )
 
-        if repository_name is not None:
-          if repository_name not in robot_dict['repositories']:
-            robot_dict['repositories'].append(repository_name)
-        robots[robot_name] = RobotWithPermissions(robot_dict['name'], robot_dict['token'],
-                                                  robot_dict['created'],
-                                                  (robot_dict['last_accessed'] 
-                                                   if features.USER_LAST_ACCESSED else None),
-                                                  robot_dict['teams'],
-                                                  robot_dict['repositories'],
-                                                  robot_dict['description'])
+                if repository_name is not None:
+                    if repository_name not in robot_dict["repositories"]:
+                        robot_dict["repositories"].append(repository_name)
+                robots[robot_name] = RobotWithPermissions(
+                    robot_dict["name"],
+                    robot_dict["token"],
+                    robot_dict["created"],
+                    (
+                        robot_dict["last_accessed"]
+                        if features.USER_LAST_ACCESSED
+                        else None
+                    ),
+                    robot_dict["teams"],
+                    robot_dict["repositories"],
+                    robot_dict["description"],
+                )
 
-    return robots.values()
+        return robots.values()
 
-  def regenerate_user_robot_token(self, robot_shortname, owning_user):
-    robot, password, metadata = model.user.regenerate_robot_token(robot_shortname, owning_user)
-    return Robot(robot.username, password, robot.creation_date, robot.last_accessed,
-                 metadata.description, metadata.unstructured_json)
+    def regenerate_user_robot_token(self, robot_shortname, owning_user):
+        robot, password, metadata = model.user.regenerate_robot_token(
+            robot_shortname, owning_user
+        )
+        return Robot(
+            robot.username,
+            password,
+            robot.creation_date,
+            robot.last_accessed,
+            metadata.description,
+            metadata.unstructured_json,
+        )
 
-  def regenerate_org_robot_token(self, robot_shortname, orgname):
-    parent = model.organization.get_organization(orgname)
-    robot, password, metadata = model.user.regenerate_robot_token(robot_shortname, parent)
-    return Robot(robot.username, password, robot.creation_date, robot.last_accessed,
-                 metadata.description, metadata.unstructured_json)
+    def regenerate_org_robot_token(self, robot_shortname, orgname):
+        parent = model.organization.get_organization(orgname)
+        robot, password, metadata = model.user.regenerate_robot_token(
+            robot_shortname, parent
+        )
+        return Robot(
+            robot.username,
+            password,
+            robot.creation_date,
+            robot.last_accessed,
+            metadata.description,
+            metadata.unstructured_json,
+        )
 
-  def delete_robot(self, robot_username):
-    model.user.delete_robot(robot_username)
+    def delete_robot(self, robot_username):
+        model.user.delete_robot(robot_username)
 
-  def create_user_robot(self, robot_shortname, owning_user, description, unstructured_metadata):
-    robot, password = model.user.create_robot(robot_shortname, owning_user, description or '',
-                                              unstructured_metadata)
-    return Robot(robot.username, password, robot.creation_date, robot.last_accessed,
-                 description or '', unstructured_metadata)
+    def create_user_robot(
+        self, robot_shortname, owning_user, description, unstructured_metadata
+    ):
+        robot, password = model.user.create_robot(
+            robot_shortname, owning_user, description or "", unstructured_metadata
+        )
+        return Robot(
+            robot.username,
+            password,
+            robot.creation_date,
+            robot.last_accessed,
+            description or "",
+            unstructured_metadata,
+        )
 
-  def create_org_robot(self, robot_shortname, orgname, description, unstructured_metadata):
-    parent = model.organization.get_organization(orgname)
-    robot, password = model.user.create_robot(robot_shortname, parent, description or '',
-                                              unstructured_metadata)
-    return Robot(robot.username, password, robot.creation_date, robot.last_accessed,
-                 description or '', unstructured_metadata)
+    def create_org_robot(
+        self, robot_shortname, orgname, description, unstructured_metadata
+    ):
+        parent = model.organization.get_organization(orgname)
+        robot, password = model.user.create_robot(
+            robot_shortname, parent, description or "", unstructured_metadata
+        )
+        return Robot(
+            robot.username,
+            password,
+            robot.creation_date,
+            robot.last_accessed,
+            description or "",
+            unstructured_metadata,
+        )
 
-  def get_org_robot(self, robot_shortname, orgname):
-    parent = model.organization.get_organization(orgname)
-    robot, password, metadata = model.user.get_robot_and_metadata(robot_shortname, parent)
-    return Robot(robot.username, password, robot.creation_date, robot.last_accessed,
-                 metadata.description, metadata.unstructured_json)
+    def get_org_robot(self, robot_shortname, orgname):
+        parent = model.organization.get_organization(orgname)
+        robot, password, metadata = model.user.get_robot_and_metadata(
+            robot_shortname, parent
+        )
+        return Robot(
+            robot.username,
+            password,
+            robot.creation_date,
+            robot.last_accessed,
+            metadata.description,
+            metadata.unstructured_json,
+        )
 
-  def get_user_robot(self, robot_shortname, owning_user):
-    robot, password, metadata = model.user.get_robot_and_metadata(robot_shortname, owning_user)
-    return Robot(robot.username, password, robot.creation_date, robot.last_accessed,
-                 metadata.description, metadata.unstructured_json)
+    def get_user_robot(self, robot_shortname, owning_user):
+        robot, password, metadata = model.user.get_robot_and_metadata(
+            robot_shortname, owning_user
+        )
+        return Robot(
+            robot.username,
+            password,
+            robot.creation_date,
+            robot.last_accessed,
+            metadata.description,
+            metadata.unstructured_json,
+        )
 
 
 pre_oci_model = RobotPreOCIModel()
diff --git a/endpoints/api/search.py b/endpoints/api/search.py
index 0ddbbc3fa..efb028e55 100644
--- a/endpoints/api/search.py
+++ b/endpoints/api/search.py
@@ -2,15 +2,30 @@
 
 import features
 
-from endpoints.api import (ApiResource, parse_args, query_param, truthy_bool, nickname, resource,
-                           require_scope, path_param, internal_only, Unauthorized, InvalidRequest,
-                           show_if)
+from endpoints.api import (
+    ApiResource,
+    parse_args,
+    query_param,
+    truthy_bool,
+    nickname,
+    resource,
+    require_scope,
+    path_param,
+    internal_only,
+    Unauthorized,
+    InvalidRequest,
+    show_if,
+)
 from data.database import Repository
 from data import model
 from data.registry_model import registry_model
-from auth.permissions import (OrganizationMemberPermission, ReadRepositoryPermission,
-                              UserAdminPermission, AdministerOrganizationPermission,
-                              ReadRepositoryPermission)
+from auth.permissions import (
+    OrganizationMemberPermission,
+    ReadRepositoryPermission,
+    UserAdminPermission,
+    AdministerOrganizationPermission,
+    ReadRepositoryPermission,
+)
 from auth.auth_context import get_authenticated_user
 from auth import scopes
 from app import app, avatar, authentication
@@ -19,7 +34,7 @@ from operator import itemgetter
 from stringscore import liquidmetal
 from util.names import parse_robot_username
 
-import anunidecode # Don't listen to pylint's lies. This import is required.
+import anunidecode  # Don't listen to pylint's lies. This import is required.
 import math
 
 
@@ -28,355 +43,416 @@ TEAM_SEARCH_SCORE = 2
 REPOSITORY_SEARCH_SCORE = 4
 
 
-@resource('/v1/entities/link/<username>')
+@resource("/v1/entities/link/<username>")
 @internal_only
 class LinkExternalEntity(ApiResource):
-  """ Resource for linking external entities to internal users. """
-  @nickname('linkExternalUser')
-  def post(self, username):
-    if not authentication.federated_service:
-      abort(404)
+    """ Resource for linking external entities to internal users. """
 
-    # Only allowed if there is a logged in user.
-    if not get_authenticated_user():
-      raise Unauthorized()
+    @nickname("linkExternalUser")
+    def post(self, username):
+        if not authentication.federated_service:
+            abort(404)
 
-    # Try to link the user with the given *external* username, to an internal record.
-    (user, err_msg) = authentication.link_user(username)
-    if user is None:
-      raise InvalidRequest(err_msg, payload={'username': username})
+        # Only allowed if there is a logged in user.
+        if not get_authenticated_user():
+            raise Unauthorized()
 
-    return {
-      'entity': {
-        'name': user.username,
-        'kind': 'user',
-        'is_robot': False,
-        'avatar': avatar.get_data_for_user(user)
-      }
-    }
+        # Try to link the user with the given *external* username, to an internal record.
+        (user, err_msg) = authentication.link_user(username)
+        if user is None:
+            raise InvalidRequest(err_msg, payload={"username": username})
+
+        return {
+            "entity": {
+                "name": user.username,
+                "kind": "user",
+                "is_robot": False,
+                "avatar": avatar.get_data_for_user(user),
+            }
+        }
 
 
-@resource('/v1/entities/<prefix>')
+@resource("/v1/entities/<prefix>")
 class EntitySearch(ApiResource):
-  """ Resource for searching entities. """
-  @path_param('prefix', 'The prefix of the entities being looked up')
-  @parse_args()
-  @query_param('namespace', 'Namespace to use when querying for org entities.', type=str,
-               default='')
-  @query_param('includeTeams', 'Whether to include team names.', type=truthy_bool, default=False)
-  @query_param('includeOrgs', 'Whether to include orgs names.', type=truthy_bool, default=False)
-  @nickname('getMatchingEntities')
-  def get(self, prefix, parsed_args):
-    """ Get a list of entities that match the specified prefix. """
+    """ Resource for searching entities. """
 
-    # Ensure we don't have any unicode characters in the search, as it breaks the search. Nothing
-    # being searched can have unicode in it anyway, so this is a safe operation.
-    prefix = prefix.encode('unidecode', 'ignore').replace(' ', '').lower()
+    @path_param("prefix", "The prefix of the entities being looked up")
+    @parse_args()
+    @query_param(
+        "namespace",
+        "Namespace to use when querying for org entities.",
+        type=str,
+        default="",
+    )
+    @query_param(
+        "includeTeams",
+        "Whether to include team names.",
+        type=truthy_bool,
+        default=False,
+    )
+    @query_param(
+        "includeOrgs", "Whether to include orgs names.", type=truthy_bool, default=False
+    )
+    @nickname("getMatchingEntities")
+    def get(self, prefix, parsed_args):
+        """ Get a list of entities that match the specified prefix. """
 
-    teams = []
-    org_data = []
+        # Ensure we don't have any unicode characters in the search, as it breaks the search. Nothing
+        # being searched can have unicode in it anyway, so this is a safe operation.
+        prefix = prefix.encode("unidecode", "ignore").replace(" ", "").lower()
 
-    namespace_name = parsed_args['namespace']
-    robot_namespace = None
-    organization = None
+        teams = []
+        org_data = []
 
-    try:
-      organization = model.organization.get_organization(namespace_name)
+        namespace_name = parsed_args["namespace"]
+        robot_namespace = None
+        organization = None
 
-      # namespace name was an org
-      permission = OrganizationMemberPermission(namespace_name)
-      if permission.can():
-        robot_namespace = namespace_name
+        try:
+            organization = model.organization.get_organization(namespace_name)
 
-        if parsed_args['includeTeams']:
-          teams = model.team.get_matching_teams(prefix, organization)
+            # namespace name was an org
+            permission = OrganizationMemberPermission(namespace_name)
+            if permission.can():
+                robot_namespace = namespace_name
 
-        if (parsed_args['includeOrgs'] and AdministerOrganizationPermission(namespace_name) and
-            namespace_name.startswith(prefix)):
-          org_data = [{
-            'name': namespace_name,
-            'kind': 'org',
-            'is_org_member': True,
-            'avatar': avatar.get_data_for_org(organization),
-          }]
+                if parsed_args["includeTeams"]:
+                    teams = model.team.get_matching_teams(prefix, organization)
 
-    except model.organization.InvalidOrganizationException:
-      # namespace name was a user
-      user = get_authenticated_user()
-      if user and user.username == namespace_name:
-        # Check if there is admin user permissions (login only)
-        admin_permission = UserAdminPermission(user.username)
-        if admin_permission.can():
-          robot_namespace = namespace_name
+                if (
+                    parsed_args["includeOrgs"]
+                    and AdministerOrganizationPermission(namespace_name)
+                    and namespace_name.startswith(prefix)
+                ):
+                    org_data = [
+                        {
+                            "name": namespace_name,
+                            "kind": "org",
+                            "is_org_member": True,
+                            "avatar": avatar.get_data_for_org(organization),
+                        }
+                    ]
 
-    # Lookup users in the database for the prefix query.
-    users = model.user.get_matching_users(prefix, robot_namespace, organization, limit=10,
-                                          exact_matches_only=not features.PARTIAL_USER_AUTOCOMPLETE)
+        except model.organization.InvalidOrganizationException:
+            # namespace name was a user
+            user = get_authenticated_user()
+            if user and user.username == namespace_name:
+                # Check if there is admin user permissions (login only)
+                admin_permission = UserAdminPermission(user.username)
+                if admin_permission.can():
+                    robot_namespace = namespace_name
 
-    # Lookup users via the user system for the prefix query. We'll filter out any users that
-    # already exist in the database.
-    external_users, federated_id, _ = authentication.query_users(prefix, limit=10)
-    filtered_external_users = []
-    if external_users and federated_id is not None:
-      users = list(users)
-      user_ids = [user.id for user in users]
+        # Lookup users in the database for the prefix query.
+        users = model.user.get_matching_users(
+            prefix,
+            robot_namespace,
+            organization,
+            limit=10,
+            exact_matches_only=not features.PARTIAL_USER_AUTOCOMPLETE,
+        )
 
-      # Filter the users if any are already found via the database. We do so by looking up all
-      # the found users in the federated user system.
-      federated_query = model.user.get_federated_logins(user_ids, federated_id)
-      found = {result.service_ident for result in federated_query}
-      filtered_external_users = [user for user in external_users if not user.username in found]
+        # Lookup users via the user system for the prefix query. We'll filter out any users that
+        # already exist in the database.
+        external_users, federated_id, _ = authentication.query_users(prefix, limit=10)
+        filtered_external_users = []
+        if external_users and federated_id is not None:
+            users = list(users)
+            user_ids = [user.id for user in users]
 
-    def entity_team_view(team):
-      result = {
-        'name': team.name,
-        'kind': 'team',
-        'is_org_member': True,
-        'avatar': avatar.get_data_for_team(team)
-      }
-      return result
+            # Filter the users if any are already found via the database. We do so by looking up all
+            # the found users in the federated user system.
+            federated_query = model.user.get_federated_logins(user_ids, federated_id)
+            found = {result.service_ident for result in federated_query}
+            filtered_external_users = [
+                user for user in external_users if not user.username in found
+            ]
 
-    def user_view(user):
-      user_json = {
-        'name': user.username,
-        'kind': 'user',
-        'is_robot': user.robot,
-        'avatar': avatar.get_data_for_user(user)
-      }
+        def entity_team_view(team):
+            result = {
+                "name": team.name,
+                "kind": "team",
+                "is_org_member": True,
+                "avatar": avatar.get_data_for_team(team),
+            }
+            return result
 
-      if organization is not None:
-        user_json['is_org_member'] = user.robot or user.is_org_member
+        def user_view(user):
+            user_json = {
+                "name": user.username,
+                "kind": "user",
+                "is_robot": user.robot,
+                "avatar": avatar.get_data_for_user(user),
+            }
 
-      return user_json
+            if organization is not None:
+                user_json["is_org_member"] = user.robot or user.is_org_member
 
-    def external_view(user):
-      result = {
-        'name': user.username,
-        'kind': 'external',
-        'title': user.email or '',
-        'avatar': avatar.get_data_for_external_user(user)
-      }
-      return result
+            return user_json
 
-    team_data = [entity_team_view(team) for team in teams]
-    user_data = [user_view(user) for user in users]
-    external_data = [external_view(user) for user in filtered_external_users]
+        def external_view(user):
+            result = {
+                "name": user.username,
+                "kind": "external",
+                "title": user.email or "",
+                "avatar": avatar.get_data_for_external_user(user),
+            }
+            return result
 
-    return {
-      'results': team_data + user_data + org_data + external_data
-    }
+        team_data = [entity_team_view(team) for team in teams]
+        user_data = [user_view(user) for user in users]
+        external_data = [external_view(user) for user in filtered_external_users]
+
+        return {"results": team_data + user_data + org_data + external_data}
 
 
 def search_entity_view(username, entity, get_short_name=None):
-  kind = 'user'
-  title = 'user'
-  avatar_data = avatar.get_data_for_user(entity)
-  href = '/user/' + entity.username
+    kind = "user"
+    title = "user"
+    avatar_data = avatar.get_data_for_user(entity)
+    href = "/user/" + entity.username
 
-  if entity.organization:
-    kind = 'organization'
-    title = 'org'
-    avatar_data = avatar.get_data_for_org(entity)
-    href = '/organization/' + entity.username
-  elif entity.robot:
-    parts = parse_robot_username(entity.username)
-    if parts[0] == username:
-      href = '/user/' + username + '?tab=robots&showRobot=' + entity.username
-    else:
-      href = '/organization/' + parts[0] + '?tab=robots&showRobot=' + entity.username
+    if entity.organization:
+        kind = "organization"
+        title = "org"
+        avatar_data = avatar.get_data_for_org(entity)
+        href = "/organization/" + entity.username
+    elif entity.robot:
+        parts = parse_robot_username(entity.username)
+        if parts[0] == username:
+            href = "/user/" + username + "?tab=robots&showRobot=" + entity.username
+        else:
+            href = (
+                "/organization/" + parts[0] + "?tab=robots&showRobot=" + entity.username
+            )
 
-    kind = 'robot'
-    title = 'robot'
-    avatar_data = None
+        kind = "robot"
+        title = "robot"
+        avatar_data = None
 
-  data = {
-    'title': title,
-    'kind': kind,
-    'avatar': avatar_data,
-    'name': entity.username,
-    'score': ENTITY_SEARCH_SCORE,
-    'href': href
-  }
+    data = {
+        "title": title,
+        "kind": kind,
+        "avatar": avatar_data,
+        "name": entity.username,
+        "score": ENTITY_SEARCH_SCORE,
+        "href": href,
+    }
 
-  if get_short_name:
-    data['short_name'] = get_short_name(entity.username)
+    if get_short_name:
+        data["short_name"] = get_short_name(entity.username)
 
-  return data
+    return data
 
 
 def conduct_team_search(username, query, encountered_teams, results):
-  """ Finds the matching teams where the user is a member. """
-  matching_teams = model.team.get_matching_user_teams(query, get_authenticated_user(), limit=5)
-  for team in matching_teams:
-    if team.id in encountered_teams:
-      continue
+    """ Finds the matching teams where the user is a member. """
+    matching_teams = model.team.get_matching_user_teams(
+        query, get_authenticated_user(), limit=5
+    )
+    for team in matching_teams:
+        if team.id in encountered_teams:
+            continue
 
-    encountered_teams.add(team.id)
+        encountered_teams.add(team.id)
 
-    results.append({
-      'kind': 'team',
-      'name': team.name,
-      'organization': search_entity_view(username, team.organization),
-      'avatar': avatar.get_data_for_team(team),
-      'score': TEAM_SEARCH_SCORE,
-      'href': '/organization/' + team.organization.username + '/teams/' + team.name
-    })
+        results.append(
+            {
+                "kind": "team",
+                "name": team.name,
+                "organization": search_entity_view(username, team.organization),
+                "avatar": avatar.get_data_for_team(team),
+                "score": TEAM_SEARCH_SCORE,
+                "href": "/organization/"
+                + team.organization.username
+                + "/teams/"
+                + team.name,
+            }
+        )
 
 
 def conduct_admined_team_search(username, query, encountered_teams, results):
-  """ Finds matching teams in orgs admined by the user. """
-  matching_teams = model.team.get_matching_admined_teams(query, get_authenticated_user(), limit=5)
-  for team in matching_teams:
-    if team.id in encountered_teams:
-      continue
+    """ Finds matching teams in orgs admined by the user. """
+    matching_teams = model.team.get_matching_admined_teams(
+        query, get_authenticated_user(), limit=5
+    )
+    for team in matching_teams:
+        if team.id in encountered_teams:
+            continue
 
-    encountered_teams.add(team.id)
+        encountered_teams.add(team.id)
 
-    results.append({
-      'kind': 'team',
-      'name': team.name,
-      'organization': search_entity_view(username, team.organization),
-      'avatar': avatar.get_data_for_team(team),
-      'score': TEAM_SEARCH_SCORE,
-      'href': '/organization/' + team.organization.username + '/teams/' + team.name
-    })
+        results.append(
+            {
+                "kind": "team",
+                "name": team.name,
+                "organization": search_entity_view(username, team.organization),
+                "avatar": avatar.get_data_for_team(team),
+                "score": TEAM_SEARCH_SCORE,
+                "href": "/organization/"
+                + team.organization.username
+                + "/teams/"
+                + team.name,
+            }
+        )
 
 
 def conduct_repo_search(username, query, results, offset=0, limit=5):
-  """ Finds matching repositories. """
-  matching_repos = model.repository.get_filtered_matching_repositories(query, username, limit=limit,
-                                                                       repo_kind=None,
-                                                                       offset=offset)
+    """ Finds matching repositories. """
+    matching_repos = model.repository.get_filtered_matching_repositories(
+        query, username, limit=limit, repo_kind=None, offset=offset
+    )
 
-  for repo in matching_repos:
-    # TODO: make sure the repo.kind.name doesn't cause extra queries
-    results.append(repo_result_view(repo, username))
+    for repo in matching_repos:
+        # TODO: make sure the repo.kind.name doesn't cause extra queries
+        results.append(repo_result_view(repo, username))
 
 
 def conduct_namespace_search(username, query, results):
-  """ Finds matching users and organizations. """
-  matching_entities = model.user.get_matching_user_namespaces(query, username, limit=5)
-  for entity in matching_entities:
-    results.append(search_entity_view(username, entity))
+    """ Finds matching users and organizations. """
+    matching_entities = model.user.get_matching_user_namespaces(
+        query, username, limit=5
+    )
+    for entity in matching_entities:
+        results.append(search_entity_view(username, entity))
 
 
 def conduct_robot_search(username, query, results):
-  """ Finds matching robot accounts. """
-  def get_short_name(name):
-    return parse_robot_username(name)[1]
+    """ Finds matching robot accounts. """
 
-  matching_robots = model.user.get_matching_robots(query, username, limit=5)
-  for robot in matching_robots:
-    results.append(search_entity_view(username, robot, get_short_name))
+    def get_short_name(name):
+        return parse_robot_username(name)[1]
+
+    matching_robots = model.user.get_matching_robots(query, username, limit=5)
+    for robot in matching_robots:
+        results.append(search_entity_view(username, robot, get_short_name))
 
 
 def repo_result_view(repo, username, last_modified=None, stars=None, popularity=None):
-  kind = 'application' if Repository.kind.get_name(repo.kind_id) == 'application' else 'repository'
-  view = {
-    'kind': kind,
-    'title': 'app' if kind == 'application' else 'repo',
-    'namespace': search_entity_view(username, repo.namespace_user),
-    'name': repo.name,
-    'description': repo.description,
-    'is_public': model.repository.is_repository_public(repo),
-    'score': REPOSITORY_SEARCH_SCORE,
-    'href': '/' + kind + '/' + repo.namespace_user.username + '/' + repo.name
-  }
-
-  if last_modified is not None:
-    view['last_modified'] = last_modified
-
-  if stars is not None:
-    view['stars'] = stars
-
-  if popularity is not None:
-    view['popularity'] = popularity
-
-  return view
-
-@resource('/v1/find/all')
-class ConductSearch(ApiResource):
-  """ Resource for finding users, repositories, teams, etc. """
-  @parse_args()
-  @query_param('query', 'The search query.', type=str, default='')
-  @require_scope(scopes.READ_REPO)
-  @nickname('conductSearch')
-  def get(self, parsed_args):
-    """ Get a list of entities and resources that match the specified query. """
-    query = parsed_args['query']
-    if not query:
-      return {'results': []}
-
-    username = None
-    results = []
-
-    if get_authenticated_user():
-      username = get_authenticated_user().username
-
-      # Search for teams.
-      encountered_teams = set()
-      conduct_team_search(username, query, encountered_teams, results)
-      conduct_admined_team_search(username, query, encountered_teams, results)
-
-      # Search for robot accounts.
-      conduct_robot_search(username, query, results)
-
-    # Search for repos.
-    conduct_repo_search(username, query, results)
-
-    # Search for users and orgs.
-    conduct_namespace_search(username, query, results)
-
-    # Modify the results' scores via how close the query term is to each result's name.
-    for result in results:
-      name = result.get('short_name', result['name'])
-      lm_score = liquidmetal.score(name, query) or 0.5
-      result['score'] = result['score'] * lm_score
-
-    return {'results': sorted(results, key=itemgetter('score'), reverse=True)}
-
-
-MAX_PER_PAGE = app.config.get('SEARCH_RESULTS_PER_PAGE', 10)
-MAX_RESULT_PAGE_COUNT = app.config.get('SEARCH_MAX_RESULT_PAGE_COUNT', 10)
-
-@resource('/v1/find/repositories')
-class ConductRepositorySearch(ApiResource):
-  """ Resource for finding repositories. """
-  @parse_args()
-  @query_param('query', 'The search query.', type=str, default='')
-  @query_param('page', 'The page.', type=int, default=1)
-  @nickname('conductRepoSearch')
-  def get(self, parsed_args):
-    """ Get a list of apps and repositories that match the specified query. """
-    query = parsed_args['query']
-    page = min(max(1, parsed_args['page']), MAX_RESULT_PAGE_COUNT)
-    offset = (page - 1) * MAX_PER_PAGE
-    limit = offset + MAX_PER_PAGE + 1
-
-    username = get_authenticated_user().username if get_authenticated_user() else None
-
-    # Lookup matching repositories.
-    matching_repos = list(model.repository.get_filtered_matching_repositories(query, username,
-                                                                              repo_kind=None,
-                                                                              limit=limit,
-                                                                              offset=offset))
-
-    # Load secondary information such as last modified time, star count and action count.
-    repository_ids = [repo.id for repo in matching_repos]
-    last_modified_map = registry_model.get_most_recent_tag_lifetime_start(matching_repos)
-    star_map = model.repository.get_stars(repository_ids)
-    action_sum_map = model.log.get_repositories_action_sums(repository_ids)
-
-    # Build the results list.
-    results = [repo_result_view(repo, username, last_modified_map.get(repo.id),
-                                star_map.get(repo.id, 0),
-                                float(action_sum_map.get(repo.id, 0)))
-               for repo in matching_repos]
-
-    return {
-      'results': results[0:MAX_PER_PAGE],
-      'has_additional': len(results) > MAX_PER_PAGE,
-      'page': page,
-      'page_size': MAX_PER_PAGE,
-      'start_index': offset,
+    kind = (
+        "application"
+        if Repository.kind.get_name(repo.kind_id) == "application"
+        else "repository"
+    )
+    view = {
+        "kind": kind,
+        "title": "app" if kind == "application" else "repo",
+        "namespace": search_entity_view(username, repo.namespace_user),
+        "name": repo.name,
+        "description": repo.description,
+        "is_public": model.repository.is_repository_public(repo),
+        "score": REPOSITORY_SEARCH_SCORE,
+        "href": "/" + kind + "/" + repo.namespace_user.username + "/" + repo.name,
     }
+
+    if last_modified is not None:
+        view["last_modified"] = last_modified
+
+    if stars is not None:
+        view["stars"] = stars
+
+    if popularity is not None:
+        view["popularity"] = popularity
+
+    return view
+
+
+@resource("/v1/find/all")
+class ConductSearch(ApiResource):
+    """ Resource for finding users, repositories, teams, etc. """
+
+    @parse_args()
+    @query_param("query", "The search query.", type=str, default="")
+    @require_scope(scopes.READ_REPO)
+    @nickname("conductSearch")
+    def get(self, parsed_args):
+        """ Get a list of entities and resources that match the specified query. """
+        query = parsed_args["query"]
+        if not query:
+            return {"results": []}
+
+        username = None
+        results = []
+
+        if get_authenticated_user():
+            username = get_authenticated_user().username
+
+            # Search for teams.
+            encountered_teams = set()
+            conduct_team_search(username, query, encountered_teams, results)
+            conduct_admined_team_search(username, query, encountered_teams, results)
+
+            # Search for robot accounts.
+            conduct_robot_search(username, query, results)
+
+        # Search for repos.
+        conduct_repo_search(username, query, results)
+
+        # Search for users and orgs.
+        conduct_namespace_search(username, query, results)
+
+        # Modify the results' scores via how close the query term is to each result's name.
+        for result in results:
+            name = result.get("short_name", result["name"])
+            lm_score = liquidmetal.score(name, query) or 0.5
+            result["score"] = result["score"] * lm_score
+
+        return {"results": sorted(results, key=itemgetter("score"), reverse=True)}
+
+
+MAX_PER_PAGE = app.config.get("SEARCH_RESULTS_PER_PAGE", 10)
+MAX_RESULT_PAGE_COUNT = app.config.get("SEARCH_MAX_RESULT_PAGE_COUNT", 10)
+
+
+@resource("/v1/find/repositories")
+class ConductRepositorySearch(ApiResource):
+    """ Resource for finding repositories. """
+
+    @parse_args()
+    @query_param("query", "The search query.", type=str, default="")
+    @query_param("page", "The page.", type=int, default=1)
+    @nickname("conductRepoSearch")
+    def get(self, parsed_args):
+        """ Get a list of apps and repositories that match the specified query. """
+        query = parsed_args["query"]
+        page = min(max(1, parsed_args["page"]), MAX_RESULT_PAGE_COUNT)
+        offset = (page - 1) * MAX_PER_PAGE
+        limit = offset + MAX_PER_PAGE + 1
+
+        username = (
+            get_authenticated_user().username if get_authenticated_user() else None
+        )
+
+        # Lookup matching repositories.
+        matching_repos = list(
+            model.repository.get_filtered_matching_repositories(
+                query, username, repo_kind=None, limit=limit, offset=offset
+            )
+        )
+
+        # Load secondary information such as last modified time, star count and action count.
+        repository_ids = [repo.id for repo in matching_repos]
+        last_modified_map = registry_model.get_most_recent_tag_lifetime_start(
+            matching_repos
+        )
+        star_map = model.repository.get_stars(repository_ids)
+        action_sum_map = model.log.get_repositories_action_sums(repository_ids)
+
+        # Build the results list.
+        results = [
+            repo_result_view(
+                repo,
+                username,
+                last_modified_map.get(repo.id),
+                star_map.get(repo.id, 0),
+                float(action_sum_map.get(repo.id, 0)),
+            )
+            for repo in matching_repos
+        ]
+
+        return {
+            "results": results[0:MAX_PER_PAGE],
+            "has_additional": len(results) > MAX_PER_PAGE,
+            "page": page,
+            "page_size": MAX_PER_PAGE,
+            "start_index": offset,
+        }
diff --git a/endpoints/api/secscan.py b/endpoints/api/secscan.py
index 71422184f..a17aeb2d0 100644
--- a/endpoints/api/secscan.py
+++ b/endpoints/api/secscan.py
@@ -7,9 +7,18 @@ from app import app, secscan_api
 from auth.decorators import process_basic_auth_no_pass
 from data.registry_model import registry_model
 from data.registry_model.datatypes import SecurityScanStatus
-from endpoints.api import (require_repo_read, path_param,
-                           RepositoryParamResource, resource, nickname, show_if, parse_args,
-                           query_param, truthy_bool, disallow_for_app_repositories)
+from endpoints.api import (
+    require_repo_read,
+    path_param,
+    RepositoryParamResource,
+    resource,
+    nickname,
+    show_if,
+    parse_args,
+    query_param,
+    truthy_bool,
+    disallow_for_app_repositories,
+)
 from endpoints.exception import NotFound, DownstreamIssue
 from endpoints.api.manifest import MANIFEST_DIGEST_ROUTE
 from util.secscan.api import APIRequestFailure
@@ -17,92 +26,100 @@ from util.secscan.api import APIRequestFailure
 
 logger = logging.getLogger(__name__)
 
+
 def _security_info(manifest_or_legacy_image, include_vulnerabilities=True):
-  """ Returns a dict representing the result of a call to the security status API for the given
+    """ Returns a dict representing the result of a call to the security status API for the given
       manifest or image.
   """
-  status = registry_model.get_security_status(manifest_or_legacy_image)
-  if status is None:
-    raise NotFound()
+    status = registry_model.get_security_status(manifest_or_legacy_image)
+    if status is None:
+        raise NotFound()
 
-  if status != SecurityScanStatus.SCANNED:
-    return {
-      'status': status.value,
-    }
+    if status != SecurityScanStatus.SCANNED:
+        return {"status": status.value}
 
-  try:
-    if include_vulnerabilities:
-      data = secscan_api.get_layer_data(manifest_or_legacy_image, include_vulnerabilities=True)
-    else:
-      data = secscan_api.get_layer_data(manifest_or_legacy_image, include_features=True)
-  except APIRequestFailure as arf:
-    raise DownstreamIssue(arf.message)
+    try:
+        if include_vulnerabilities:
+            data = secscan_api.get_layer_data(
+                manifest_or_legacy_image, include_vulnerabilities=True
+            )
+        else:
+            data = secscan_api.get_layer_data(
+                manifest_or_legacy_image, include_features=True
+            )
+    except APIRequestFailure as arf:
+        raise DownstreamIssue(arf.message)
 
-  if data is None:
-    # If no data was found but we reached this point, then it indicates we have incorrect security
-    # status for the manifest or legacy image. Mark the manifest or legacy image as unindexed
-    # so it automatically gets re-indexed.
-    if app.config.get('REGISTRY_STATE', 'normal') == 'normal':
-      registry_model.reset_security_status(manifest_or_legacy_image)
+    if data is None:
+        # If no data was found but we reached this point, then it indicates we have incorrect security
+        # status for the manifest or legacy image. Mark the manifest or legacy image as unindexed
+        # so it automatically gets re-indexed.
+        if app.config.get("REGISTRY_STATE", "normal") == "normal":
+            registry_model.reset_security_status(manifest_or_legacy_image)
 
-    return {
-      'status': SecurityScanStatus.QUEUED.value,
-    }
+        return {"status": SecurityScanStatus.QUEUED.value}
 
-  return {
-    'status': status.value,
-    'data': data,
-  }
+    return {"status": status.value, "data": data}
 
 
-@resource('/v1/repository/<apirepopath:repository>/image/<imageid>/security')
+@resource("/v1/repository/<apirepopath:repository>/image/<imageid>/security")
 @show_if(features.SECURITY_SCANNER)
-@path_param('repository', 'The full path of the repository. e.g. namespace/name')
-@path_param('imageid', 'The image ID')
+@path_param("repository", "The full path of the repository. e.g. namespace/name")
+@path_param("imageid", "The image ID")
 class RepositoryImageSecurity(RepositoryParamResource):
-  """ Operations for managing the vulnerabilities in a repository image. """
+    """ Operations for managing the vulnerabilities in a repository image. """
 
-  @process_basic_auth_no_pass
-  @require_repo_read
-  @nickname('getRepoImageSecurity')
-  @disallow_for_app_repositories
-  @parse_args()
-  @query_param('vulnerabilities', 'Include vulnerabilities informations', type=truthy_bool,
-               default=False)
-  def get(self, namespace, repository, imageid, parsed_args):
-    """ Fetches the features and vulnerabilities (if any) for a repository image. """
-    repo_ref = registry_model.lookup_repository(namespace, repository)
-    if repo_ref is None:
-      raise NotFound()
+    @process_basic_auth_no_pass
+    @require_repo_read
+    @nickname("getRepoImageSecurity")
+    @disallow_for_app_repositories
+    @parse_args()
+    @query_param(
+        "vulnerabilities",
+        "Include vulnerabilities informations",
+        type=truthy_bool,
+        default=False,
+    )
+    def get(self, namespace, repository, imageid, parsed_args):
+        """ Fetches the features and vulnerabilities (if any) for a repository image. """
+        repo_ref = registry_model.lookup_repository(namespace, repository)
+        if repo_ref is None:
+            raise NotFound()
 
-    legacy_image = registry_model.get_legacy_image(repo_ref, imageid)
-    if legacy_image is None:
-      raise NotFound()
+        legacy_image = registry_model.get_legacy_image(repo_ref, imageid)
+        if legacy_image is None:
+            raise NotFound()
 
-    return _security_info(legacy_image, parsed_args.vulnerabilities)
+        return _security_info(legacy_image, parsed_args.vulnerabilities)
 
 
-@resource(MANIFEST_DIGEST_ROUTE + '/security')
+@resource(MANIFEST_DIGEST_ROUTE + "/security")
 @show_if(features.SECURITY_SCANNER)
-@path_param('repository', 'The full path of the repository. e.g. namespace/name')
-@path_param('manifestref', 'The digest of the manifest')
+@path_param("repository", "The full path of the repository. e.g. namespace/name")
+@path_param("manifestref", "The digest of the manifest")
 class RepositoryManifestSecurity(RepositoryParamResource):
-  """ Operations for managing the vulnerabilities in a repository manifest. """
+    """ Operations for managing the vulnerabilities in a repository manifest. """
 
-  @process_basic_auth_no_pass
-  @require_repo_read
-  @nickname('getRepoManifestSecurity')
-  @disallow_for_app_repositories
-  @parse_args()
-  @query_param('vulnerabilities', 'Include vulnerabilities informations', type=truthy_bool,
-               default=False)
-  def get(self, namespace, repository, manifestref, parsed_args):
-    repo_ref = registry_model.lookup_repository(namespace, repository)
-    if repo_ref is None:
-      raise NotFound()
+    @process_basic_auth_no_pass
+    @require_repo_read
+    @nickname("getRepoManifestSecurity")
+    @disallow_for_app_repositories
+    @parse_args()
+    @query_param(
+        "vulnerabilities",
+        "Include vulnerabilities informations",
+        type=truthy_bool,
+        default=False,
+    )
+    def get(self, namespace, repository, manifestref, parsed_args):
+        repo_ref = registry_model.lookup_repository(namespace, repository)
+        if repo_ref is None:
+            raise NotFound()
 
-    manifest = registry_model.lookup_manifest_by_digest(repo_ref, manifestref, allow_dead=True)
-    if manifest is None:
-      raise NotFound()
+        manifest = registry_model.lookup_manifest_by_digest(
+            repo_ref, manifestref, allow_dead=True
+        )
+        if manifest is None:
+            raise NotFound()
 
-    return _security_info(manifest, parsed_args.vulnerabilities)
+        return _security_info(manifest, parsed_args.vulnerabilities)
diff --git a/endpoints/api/signing.py b/endpoints/api/signing.py
index eb2e942ec..a14c91523 100644
--- a/endpoints/api/signing.py
+++ b/endpoints/api/signing.py
@@ -4,26 +4,37 @@ import logging
 import features
 
 from app import tuf_metadata_api
-from endpoints.api import (require_repo_read, path_param,
-                           RepositoryParamResource, resource, nickname, show_if,
-                           disallow_for_app_repositories, NotFound)
+from endpoints.api import (
+    require_repo_read,
+    path_param,
+    RepositoryParamResource,
+    resource,
+    nickname,
+    show_if,
+    disallow_for_app_repositories,
+    NotFound,
+)
 from endpoints.api.signing_models_pre_oci import pre_oci_model as model
 
 logger = logging.getLogger(__name__)
 
 
-@resource('/v1/repository/<apirepopath:repository>/signatures')
+@resource("/v1/repository/<apirepopath:repository>/signatures")
 @show_if(features.SIGNING)
-@path_param('repository', 'The full path of the repository. e.g. namespace/name')
+@path_param("repository", "The full path of the repository. e.g. namespace/name")
 class RepositorySignatures(RepositoryParamResource):
-  """ Operations for managing the signatures in a repository image. """
+    """ Operations for managing the signatures in a repository image. """
 
-  @require_repo_read
-  @nickname('getRepoSignatures')
-  @disallow_for_app_repositories
-  def get(self, namespace, repository):
-    """ Fetches the list of signed tags for the repository. """
-    if not model.is_trust_enabled(namespace, repository):
-      raise NotFound()
+    @require_repo_read
+    @nickname("getRepoSignatures")
+    @disallow_for_app_repositories
+    def get(self, namespace, repository):
+        """ Fetches the list of signed tags for the repository. """
+        if not model.is_trust_enabled(namespace, repository):
+            raise NotFound()
 
-    return {'delegations': tuf_metadata_api.get_all_tags_with_expiration(namespace, repository)}
+        return {
+            "delegations": tuf_metadata_api.get_all_tags_with_expiration(
+                namespace, repository
+            )
+        }
diff --git a/endpoints/api/signing_models_interface.py b/endpoints/api/signing_models_interface.py
index 6e5ce4ca4..ff8b9e369 100644
--- a/endpoints/api/signing_models_interface.py
+++ b/endpoints/api/signing_models_interface.py
@@ -1,14 +1,16 @@
 from abc import ABCMeta, abstractmethod
 from six import add_metaclass
 
+
 @add_metaclass(ABCMeta)
 class SigningInterface(object):
-  """
+    """
   Interface that represents all data store interactions required by the signing API endpoint.
   """
-  @abstractmethod
-  def is_trust_enabled(self, namespace_name, repo_name):
-    """
+
+    @abstractmethod
+    def is_trust_enabled(self, namespace_name, repo_name):
+        """
     Returns whether the repository with the given namespace name and repository name exists and
     has trust enabled.
     """
diff --git a/endpoints/api/signing_models_pre_oci.py b/endpoints/api/signing_models_pre_oci.py
index 03afb1104..4093d76de 100644
--- a/endpoints/api/signing_models_pre_oci.py
+++ b/endpoints/api/signing_models_pre_oci.py
@@ -3,16 +3,17 @@ from endpoints.api.signing_models_interface import SigningInterface
 
 
 class PreOCIModel(SigningInterface):
-  """
+    """
   PreOCIModel implements the data model for signing using a database schema
   before it was changed to support the OCI specification.
   """
-  def is_trust_enabled(self, namespace_name, repo_name):
-    repo = model.repository.get_repository(namespace_name, repo_name)
-    if repo is None:
-      return False
 
-    return repo.trust_enabled
+    def is_trust_enabled(self, namespace_name, repo_name):
+        repo = model.repository.get_repository(namespace_name, repo_name)
+        if repo is None:
+            return False
+
+        return repo.trust_enabled
 
 
 pre_oci_model = PreOCIModel()
diff --git a/endpoints/api/subscribe.py b/endpoints/api/subscribe.py
index b526e25d2..5ae8cbbef 100644
--- a/endpoints/api/subscribe.py
+++ b/endpoints/api/subscribe.py
@@ -13,123 +13,129 @@ logger = logging.getLogger(__name__)
 
 
 def check_repository_usage(user_or_org, plan_found):
-  private_repos = model.get_private_repo_count(user_or_org.username)
-  if plan_found is None:
-    repos_allowed = 0
-  else:
-    repos_allowed = plan_found['privateRepos']
+    private_repos = model.get_private_repo_count(user_or_org.username)
+    if plan_found is None:
+        repos_allowed = 0
+    else:
+        repos_allowed = plan_found["privateRepos"]
 
-  if private_repos > repos_allowed:
-    model.create_unique_notification('over_private_usage', user_or_org.username, {'namespace': user_or_org.username})
-  else:
-    model.delete_notifications_by_kind(user_or_org.username, 'over_private_usage')
+    if private_repos > repos_allowed:
+        model.create_unique_notification(
+            "over_private_usage",
+            user_or_org.username,
+            {"namespace": user_or_org.username},
+        )
+    else:
+        model.delete_notifications_by_kind(user_or_org.username, "over_private_usage")
 
 
 def carderror_response(exc):
-  return {'carderror': exc.message}, 402
+    return {"carderror": exc.message}, 402
+
 
 def connection_response(exc):
-  return {'message': 'Could not contact Stripe. Please try again.'}, 503
+    return {"message": "Could not contact Stripe. Please try again."}, 503
 
 
 def subscription_view(stripe_subscription, used_repos):
-  view = {
-    'hasSubscription': True,
-    'isExistingCustomer': True,
-    'currentPeriodStart': stripe_subscription.current_period_start,
-    'currentPeriodEnd': stripe_subscription.current_period_end,
-    'plan': stripe_subscription.plan.id,
-    'usedPrivateRepos': used_repos,
-    'trialStart': stripe_subscription.trial_start,
-    'trialEnd': stripe_subscription.trial_end
-  }
+    view = {
+        "hasSubscription": True,
+        "isExistingCustomer": True,
+        "currentPeriodStart": stripe_subscription.current_period_start,
+        "currentPeriodEnd": stripe_subscription.current_period_end,
+        "plan": stripe_subscription.plan.id,
+        "usedPrivateRepos": used_repos,
+        "trialStart": stripe_subscription.trial_start,
+        "trialEnd": stripe_subscription.trial_end,
+    }
 
-  return view
+    return view
 
 
 def subscribe(user, plan, token, require_business_plan):
-  if not features.BILLING:
-    return
+    if not features.BILLING:
+        return
 
-  plan_found = None
-  for plan_obj in PLANS:
-    if plan_obj['stripeId'] == plan:
-      plan_found = plan_obj
+    plan_found = None
+    for plan_obj in PLANS:
+        if plan_obj["stripeId"] == plan:
+            plan_found = plan_obj
 
-  if not plan_found or plan_found['deprecated']:
-    logger.warning('Plan not found or deprecated: %s', plan)
-    raise NotFound()
+    if not plan_found or plan_found["deprecated"]:
+        logger.warning("Plan not found or deprecated: %s", plan)
+        raise NotFound()
 
-  if (require_business_plan and not plan_found['bus_features'] and not
-      plan_found['price'] == 0):
-    logger.warning('Business attempting to subscribe to personal plan: %s',
-                   user.username)
-    raise request_error(message='No matching plan found')
+    if (
+        require_business_plan
+        and not plan_found["bus_features"]
+        and not plan_found["price"] == 0
+    ):
+        logger.warning(
+            "Business attempting to subscribe to personal plan: %s", user.username
+        )
+        raise request_error(message="No matching plan found")
 
-  private_repos = model.get_private_repo_count(user.username)
+    private_repos = model.get_private_repo_count(user.username)
 
-  # This is the default response
-  response_json = {
-    'plan': plan,
-    'usedPrivateRepos': private_repos,
-  }
-  status_code = 200
+    # This is the default response
+    response_json = {"plan": plan, "usedPrivateRepos": private_repos}
+    status_code = 200
 
-  if not user.stripe_id:
-    # Check if a non-paying user is trying to subscribe to a free plan
-    if not plan_found['price'] == 0:
-      # They want a real paying plan, create the customer and plan
-      # simultaneously
-      card = token
+    if not user.stripe_id:
+        # Check if a non-paying user is trying to subscribe to a free plan
+        if not plan_found["price"] == 0:
+            # They want a real paying plan, create the customer and plan
+            # simultaneously
+            card = token
 
-      try:
-        cus = billing.Customer.create(email=user.email, plan=plan, card=card)
-        user.stripe_id = cus.id
-        user.save()
-        check_repository_usage(user, plan_found)
-        log_action('account_change_plan', user.username, {'plan': plan})
-      except stripe.error.CardError as e:
-        return carderror_response(e)
-      except stripe.error.APIConnectionError as e:
-        return connection_response(e)
+            try:
+                cus = billing.Customer.create(email=user.email, plan=plan, card=card)
+                user.stripe_id = cus.id
+                user.save()
+                check_repository_usage(user, plan_found)
+                log_action("account_change_plan", user.username, {"plan": plan})
+            except stripe.error.CardError as e:
+                return carderror_response(e)
+            except stripe.error.APIConnectionError as e:
+                return connection_response(e)
 
-      response_json = subscription_view(cus.subscription, private_repos)
-      status_code = 201
-
-  else:
-    # Change the plan
-    try:
-      cus = billing.Customer.retrieve(user.stripe_id)
-    except stripe.error.APIConnectionError as e:
-      return connection_response(e)
-
-    if plan_found['price'] == 0:
-      if cus.subscription is not None:
-        # We only have to cancel the subscription if they actually have one
-        try:
-          cus.subscription.delete()
-        except stripe.error.APIConnectionError as e:
-          return connection_response(e)
-
-        check_repository_usage(user, plan_found)
-        log_action('account_change_plan', user.username, {'plan': plan})
+            response_json = subscription_view(cus.subscription, private_repos)
+            status_code = 201
 
     else:
-      # User may have been a previous customer who is resubscribing
-      if token:
-        cus.card = token
+        # Change the plan
+        try:
+            cus = billing.Customer.retrieve(user.stripe_id)
+        except stripe.error.APIConnectionError as e:
+            return connection_response(e)
 
-      cus.plan = plan
+        if plan_found["price"] == 0:
+            if cus.subscription is not None:
+                # We only have to cancel the subscription if they actually have one
+                try:
+                    cus.subscription.delete()
+                except stripe.error.APIConnectionError as e:
+                    return connection_response(e)
 
-      try:
-        cus.save()
-      except stripe.error.CardError as e:
-        return carderror_response(e)
-      except stripe.error.APIConnectionError as e:
-        return connection_response(e)
+                check_repository_usage(user, plan_found)
+                log_action("account_change_plan", user.username, {"plan": plan})
 
-      response_json = subscription_view(cus.subscription, private_repos)
-      check_repository_usage(user, plan_found)
-      log_action('account_change_plan', user.username, {'plan': plan})
+        else:
+            # User may have been a previous customer who is resubscribing
+            if token:
+                cus.card = token
 
-  return response_json, status_code
+            cus.plan = plan
+
+            try:
+                cus.save()
+            except stripe.error.CardError as e:
+                return carderror_response(e)
+            except stripe.error.APIConnectionError as e:
+                return connection_response(e)
+
+            response_json = subscription_view(cus.subscription, private_repos)
+            check_repository_usage(user, plan_found)
+            log_action("account_change_plan", user.username, {"plan": plan})
+
+    return response_json, status_code
diff --git a/endpoints/api/subscribe_models_interface.py b/endpoints/api/subscribe_models_interface.py
index fbc7a8a70..e1668602f 100644
--- a/endpoints/api/subscribe_models_interface.py
+++ b/endpoints/api/subscribe_models_interface.py
@@ -4,23 +4,24 @@ from six import add_metaclass
 
 @add_metaclass(ABCMeta)
 class SubscribeInterface(object):
-  """
+    """
   Interface that represents all data store interactions required by the subscribe API endpoint.
   """
-  @abstractmethod
-  def get_private_repo_count(self, username):
-    """
+
+    @abstractmethod
+    def get_private_repo_count(self, username):
+        """
     Returns the number of private repositories for a given username or namespace.
     """
 
-  @abstractmethod
-  def create_unique_notification(self, kind_name, target_username, metadata={}):
-    """
+    @abstractmethod
+    def create_unique_notification(self, kind_name, target_username, metadata={}):
+        """
     Creates a notification using the given parameters.
     """
 
-  @abstractmethod
-  def delete_notifications_by_kind(self, target_username, kind_name):
-    """
+    @abstractmethod
+    def delete_notifications_by_kind(self, target_username, kind_name):
+        """
     Remove notifications for a target based on given kind.
     """
diff --git a/endpoints/api/subscribe_models_pre_oci.py b/endpoints/api/subscribe_models_pre_oci.py
index a5ca83149..8c226494e 100644
--- a/endpoints/api/subscribe_models_pre_oci.py
+++ b/endpoints/api/subscribe_models_pre_oci.py
@@ -1,23 +1,27 @@
-from data.model.notification import create_unique_notification, delete_notifications_by_kind
+from data.model.notification import (
+    create_unique_notification,
+    delete_notifications_by_kind,
+)
 from data.model.user import get_private_repo_count, get_user_or_org
 from endpoints.api.subscribe_models_interface import SubscribeInterface
 
 
 class PreOCIModel(SubscribeInterface):
-  """
+    """
   PreOCIModel implements the data model for build triggers using a database schema
   before it was changed to support the OCI specification.
   """
-  def get_private_repo_count(self, username):
-    return get_private_repo_count(username)
 
-  def create_unique_notification(self, kind_name, target_username, metadata={}):
-    target = get_user_or_org(target_username)
-    create_unique_notification(kind_name, target, metadata)
+    def get_private_repo_count(self, username):
+        return get_private_repo_count(username)
 
-  def delete_notifications_by_kind(self, target_username, kind_name):
-    target = get_user_or_org(target_username)
-    delete_notifications_by_kind(target, kind_name)
+    def create_unique_notification(self, kind_name, target_username, metadata={}):
+        target = get_user_or_org(target_username)
+        create_unique_notification(kind_name, target, metadata)
+
+    def delete_notifications_by_kind(self, target_username, kind_name):
+        target = get_user_or_org(target_username)
+        delete_notifications_by_kind(target, kind_name)
 
 
 data_model = PreOCIModel()
diff --git a/endpoints/api/suconfig.py b/endpoints/api/suconfig.py
index a96a7356b..bfe837345 100644
--- a/endpoints/api/suconfig.py
+++ b/endpoints/api/suconfig.py
@@ -10,7 +10,14 @@ from flask import abort
 from app import app, config_provider
 from auth.permissions import SuperUserPermission
 from endpoints.api.suconfig_models_pre_oci import pre_oci_model as model
-from endpoints.api import (ApiResource, nickname, resource, internal_only, show_if, verify_not_prod)
+from endpoints.api import (
+    ApiResource,
+    nickname,
+    resource,
+    internal_only,
+    show_if,
+    verify_not_prod,
+)
 
 import features
 
@@ -19,51 +26,45 @@ logger = logging.getLogger(__name__)
 
 
 def database_is_valid():
-  """ Returns whether the database, as configured, is valid. """
-  if app.config['TESTING']:
-    return False
+    """ Returns whether the database, as configured, is valid. """
+    if app.config["TESTING"]:
+        return False
 
-  return model.is_valid()
+    return model.is_valid()
 
 
 def database_has_users():
-  """ Returns whether the database has any users defined. """
-  return model.has_users()
+    """ Returns whether the database has any users defined. """
+    return model.has_users()
 
 
-@resource('/v1/superuser/registrystatus')
+@resource("/v1/superuser/registrystatus")
 @internal_only
 @show_if(features.SUPER_USERS)
 class SuperUserRegistryStatus(ApiResource):
-  """ Resource for determining the status of the registry, such as if config exists,
+    """ Resource for determining the status of the registry, such as if config exists,
       if a database is configured, and if it has any defined users.
   """
-  @nickname('scRegistryStatus')
-  @verify_not_prod
-  def get(self):
-    """ Returns the status of the registry. """
-    # If we have SETUP_COMPLETE, then we're ready to go!
-    if app.config.get('SETUP_COMPLETE', False):
-      return {
-        'provider_id': config_provider.provider_id,
-        'status': 'ready'
-      }
 
-    return {
-      'status': 'setup-incomplete'
-    }
+    @nickname("scRegistryStatus")
+    @verify_not_prod
+    def get(self):
+        """ Returns the status of the registry. """
+        # If we have SETUP_COMPLETE, then we're ready to go!
+        if app.config.get("SETUP_COMPLETE", False):
+            return {"provider_id": config_provider.provider_id, "status": "ready"}
+
+        return {"status": "setup-incomplete"}
 
 
 class _AlembicLogHandler(logging.Handler):
-  def __init__(self):
-    super(_AlembicLogHandler, self).__init__()
-    self.records = []
+    def __init__(self):
+        super(_AlembicLogHandler, self).__init__()
+        self.records = []
+
+    def emit(self, record):
+        self.records.append({"level": record.levelname, "message": record.getMessage()})
 
-  def emit(self, record):
-    self.records.append({
-      'level': record.levelname,
-      'message': record.getMessage()
-    })
 
 # From: https://stackoverflow.com/a/44712205
 def get_process_id(name):
@@ -76,29 +77,33 @@ def get_process_id(name):
     >>> get_process_id('non-existent process')
     []
     """
-    child = subprocess.Popen(['pgrep', name], stdout=subprocess.PIPE, shell=False)
+    child = subprocess.Popen(["pgrep", name], stdout=subprocess.PIPE, shell=False)
     response = child.communicate()[0]
     return [int(pid) for pid in response.split()]
 
 
-@resource('/v1/superuser/shutdown')
+@resource("/v1/superuser/shutdown")
 @internal_only
 @show_if(features.SUPER_USERS)
 class SuperUserShutdown(ApiResource):
-  """ Resource for sending a shutdown signal to the container. """
+    """ Resource for sending a shutdown signal to the container. """
 
-  @verify_not_prod
-  @nickname('scShutdownContainer')
-  def post(self):
-    """ Sends a signal to the phusion init system to shut down the container. """
-    # Note: This method is called to set the database configuration before super users exists,
-    # so we also allow it to be called if there is no valid registry configuration setup.
-    if app.config['TESTING'] or not database_has_users() or SuperUserPermission().can():
-      # Note: We skip if debugging locally.
-      if app.config.get('DEBUGGING') == True:
-        return {}
+    @verify_not_prod
+    @nickname("scShutdownContainer")
+    def post(self):
+        """ Sends a signal to the phusion init system to shut down the container. """
+        # Note: This method is called to set the database configuration before super users exists,
+        # so we also allow it to be called if there is no valid registry configuration setup.
+        if (
+            app.config["TESTING"]
+            or not database_has_users()
+            or SuperUserPermission().can()
+        ):
+            # Note: We skip if debugging locally.
+            if app.config.get("DEBUGGING") == True:
+                return {}
 
-      os.kill(get_process_id('my_init')[0], signal.SIGINT)
-      return {}
+            os.kill(get_process_id("my_init")[0], signal.SIGINT)
+            return {}
 
-    abort(403)
+        abort(403)
diff --git a/endpoints/api/suconfig_models_interface.py b/endpoints/api/suconfig_models_interface.py
index 9f8cbd0cb..d41a97d11 100644
--- a/endpoints/api/suconfig_models_interface.py
+++ b/endpoints/api/suconfig_models_interface.py
@@ -4,36 +4,36 @@ from six import add_metaclass
 
 @add_metaclass(ABCMeta)
 class SuperuserConfigDataInterface(object):
-  """
+    """
   Interface that represents all data store interactions required by the superuser config API.
   """
 
-  @abstractmethod
-  def is_valid(self):
-    """
+    @abstractmethod
+    def is_valid(self):
+        """
     Returns true if the configured database is valid.
     """
 
-  @abstractmethod
-  def has_users(self):
-    """
+    @abstractmethod
+    def has_users(self):
+        """
     Returns true if there are any users defined.
     """
 
-  @abstractmethod
-  def create_superuser(self, username, password, email):
-    """
+    @abstractmethod
+    def create_superuser(self, username, password, email):
+        """
     Creates a new superuser with the given username, password and email. Returns the user's UUID.
     """
 
-  @abstractmethod
-  def has_federated_login(self, username, service_name):
-    """
+    @abstractmethod
+    def has_federated_login(self, username, service_name):
+        """
     Returns true if the matching user has a federated login under the matching service.
     """
 
-  @abstractmethod
-  def attach_federated_login(self, username, service_name, federated_username):
-    """
+    @abstractmethod
+    def attach_federated_login(self, username, service_name, federated_username):
+        """
     Attaches a federatated login to the matching user, under the given service.
     """
diff --git a/endpoints/api/suconfig_models_pre_oci.py b/endpoints/api/suconfig_models_pre_oci.py
index 9bcb40acd..e27ed4770 100644
--- a/endpoints/api/suconfig_models_pre_oci.py
+++ b/endpoints/api/suconfig_models_pre_oci.py
@@ -2,32 +2,34 @@ from data import model
 from data.database import User
 from endpoints.api.suconfig_models_interface import SuperuserConfigDataInterface
 
+
 class PreOCIModel(SuperuserConfigDataInterface):
-  def is_valid(self):
-    try:
-      list(User.select().limit(1))
-      return True
-    except:
-      return False
+    def is_valid(self):
+        try:
+            list(User.select().limit(1))
+            return True
+        except:
+            return False
 
-  def has_users(self):
-    return bool(list(User.select().limit(1)))
+    def has_users(self):
+        return bool(list(User.select().limit(1)))
 
-  def create_superuser(self, username, password, email):
-    return model.user.create_user(username, password, email, auto_verify=True).uuid
+    def create_superuser(self, username, password, email):
+        return model.user.create_user(username, password, email, auto_verify=True).uuid
 
-  def has_federated_login(self, username, service_name):
-    user = model.user.get_user(username)
-    if user is None:
-      return False
+    def has_federated_login(self, username, service_name):
+        user = model.user.get_user(username)
+        if user is None:
+            return False
 
-    return bool(model.user.lookup_federated_login(user, service_name))
+        return bool(model.user.lookup_federated_login(user, service_name))
 
-  def attach_federated_login(self, username, service_name, federated_username):
-    user = model.user.get_user(username)
-    if user is None:
-      return False
+    def attach_federated_login(self, username, service_name, federated_username):
+        user = model.user.get_user(username)
+        if user is None:
+            return False
+
+        model.user.attach_federated_login(user, service_name, federated_username)
 
-    model.user.attach_federated_login(user, service_name, federated_username)
 
 pre_oci_model = PreOCIModel()
diff --git a/endpoints/api/superuser.py b/endpoints/api/superuser.py
index ec1a4992f..15a6e4af9 100644
--- a/endpoints/api/superuser.py
+++ b/endpoints/api/superuser.py
@@ -17,15 +17,35 @@ from auth.auth_context import get_authenticated_user
 from auth.permissions import SuperUserPermission
 from data.database import ServiceKeyApprovalType
 from data.logs_model import logs_model
-from endpoints.api import (ApiResource, nickname, resource, validate_json_request,
-                           internal_only, require_scope, show_if, parse_args,
-                           query_param, require_fresh_login, path_param, verify_not_prod,
-                           page_support, log_action, format_date, truthy_bool,
-                           InvalidRequest, NotFound, Unauthorized, InvalidResponse)
+from endpoints.api import (
+    ApiResource,
+    nickname,
+    resource,
+    validate_json_request,
+    internal_only,
+    require_scope,
+    show_if,
+    parse_args,
+    query_param,
+    require_fresh_login,
+    path_param,
+    verify_not_prod,
+    page_support,
+    log_action,
+    format_date,
+    truthy_bool,
+    InvalidRequest,
+    NotFound,
+    Unauthorized,
+    InvalidResponse,
+)
 from endpoints.api.build import get_logs_or_log_url
-from endpoints.api.superuser_models_pre_oci import (pre_oci_model, ServiceKeyDoesNotExist,
-                                                    ServiceKeyAlreadyApproved,
-                                                    InvalidRepositoryBuildException)
+from endpoints.api.superuser_models_pre_oci import (
+    pre_oci_model,
+    ServiceKeyDoesNotExist,
+    ServiceKeyAlreadyApproved,
+    InvalidRepositoryBuildException,
+)
 from endpoints.api.logs import _validate_logs_arguments
 from util.request import get_request_ip
 from util.useremails import send_confirmation_email, send_recovery_email
@@ -36,821 +56,871 @@ logger = logging.getLogger(__name__)
 
 
 def get_immediate_subdirectories(directory):
-  return [name for name in os.listdir(directory) if os.path.isdir(os.path.join(directory, name))]
+    return [
+        name
+        for name in os.listdir(directory)
+        if os.path.isdir(os.path.join(directory, name))
+    ]
 
 
 def get_services():
-  services = set(get_immediate_subdirectories(app.config['SYSTEM_SERVICES_PATH']))
-  services = services - set(app.config['SYSTEM_SERVICE_BLACKLIST'])
-  return services
+    services = set(get_immediate_subdirectories(app.config["SYSTEM_SERVICES_PATH"]))
+    services = services - set(app.config["SYSTEM_SERVICE_BLACKLIST"])
+    return services
 
 
-@resource('/v1/superuser/aggregatelogs')
+@resource("/v1/superuser/aggregatelogs")
 @internal_only
 class SuperUserAggregateLogs(ApiResource):
-  """ Resource for fetching aggregated logs for the current user. """
+    """ Resource for fetching aggregated logs for the current user. """
 
-  @require_fresh_login
-  @verify_not_prod
-  @nickname('listAllAggregateLogs')
-  @parse_args()
-  @query_param('starttime', 'Earliest time from which to get logs. (%m/%d/%Y %Z)', type=str)
-  @query_param('endtime', 'Latest time to which to get logs. (%m/%d/%Y %Z)', type=str)
-  def get(self, parsed_args):
-    """ Returns the aggregated logs for the current system. """
-    if SuperUserPermission().can():
-      (start_time, end_time) = _validate_logs_arguments(parsed_args['starttime'],
-                                                        parsed_args['endtime'])
-      aggregated_logs = logs_model.get_aggregated_log_counts(start_time, end_time)
-      return {
-        'aggregated': [log.to_dict() for log in aggregated_logs]
-      }
+    @require_fresh_login
+    @verify_not_prod
+    @nickname("listAllAggregateLogs")
+    @parse_args()
+    @query_param(
+        "starttime", "Earliest time from which to get logs. (%m/%d/%Y %Z)", type=str
+    )
+    @query_param("endtime", "Latest time to which to get logs. (%m/%d/%Y %Z)", type=str)
+    def get(self, parsed_args):
+        """ Returns the aggregated logs for the current system. """
+        if SuperUserPermission().can():
+            (start_time, end_time) = _validate_logs_arguments(
+                parsed_args["starttime"], parsed_args["endtime"]
+            )
+            aggregated_logs = logs_model.get_aggregated_log_counts(start_time, end_time)
+            return {"aggregated": [log.to_dict() for log in aggregated_logs]}
+
+        raise Unauthorized()
 
-    raise Unauthorized()
 
 LOGS_PER_PAGE = 20
 
-@resource('/v1/superuser/logs')
+
+@resource("/v1/superuser/logs")
 @internal_only
 @show_if(features.SUPER_USERS)
 class SuperUserLogs(ApiResource):
-  """ Resource for fetching all logs in the system. """
+    """ Resource for fetching all logs in the system. """
 
-  @require_fresh_login
-  @verify_not_prod
-  @nickname('listAllLogs')
-  @parse_args()
-  @query_param('starttime', 'Earliest time from which to get logs (%m/%d/%Y %Z)', type=str)
-  @query_param('endtime', 'Latest time to which to get logs (%m/%d/%Y %Z)', type=str)
-  @query_param('page', 'The page number for the logs', type=int, default=1)
-  @page_support()
-  @require_scope(scopes.SUPERUSER)
-  def get(self, parsed_args, page_token):
-    """ List the usage logs for the current system. """
-    if SuperUserPermission().can():
-      start_time = parsed_args['starttime']
-      end_time = parsed_args['endtime']
+    @require_fresh_login
+    @verify_not_prod
+    @nickname("listAllLogs")
+    @parse_args()
+    @query_param(
+        "starttime", "Earliest time from which to get logs (%m/%d/%Y %Z)", type=str
+    )
+    @query_param("endtime", "Latest time to which to get logs (%m/%d/%Y %Z)", type=str)
+    @query_param("page", "The page number for the logs", type=int, default=1)
+    @page_support()
+    @require_scope(scopes.SUPERUSER)
+    def get(self, parsed_args, page_token):
+        """ List the usage logs for the current system. """
+        if SuperUserPermission().can():
+            start_time = parsed_args["starttime"]
+            end_time = parsed_args["endtime"]
 
-      (start_time, end_time) = _validate_logs_arguments(start_time, end_time)
-      log_entry_page = logs_model.lookup_logs(start_time, end_time, page_token=page_token)
-      return {
-        'start_time': format_date(start_time),
-        'end_time': format_date(end_time),
-        'logs': [log.to_dict(avatar, include_namespace=True) for log in log_entry_page.logs],
-      }, log_entry_page.next_page_token
+            (start_time, end_time) = _validate_logs_arguments(start_time, end_time)
+            log_entry_page = logs_model.lookup_logs(
+                start_time, end_time, page_token=page_token
+            )
+            return (
+                {
+                    "start_time": format_date(start_time),
+                    "end_time": format_date(end_time),
+                    "logs": [
+                        log.to_dict(avatar, include_namespace=True)
+                        for log in log_entry_page.logs
+                    ],
+                },
+                log_entry_page.next_page_token,
+            )
 
-    raise Unauthorized()
+        raise Unauthorized()
 
 
 def org_view(org):
-  return {
-    'name': org.username,
-    'email': org.email,
-    'avatar': avatar.get_data_for_org(org),
-  }
+    return {
+        "name": org.username,
+        "email": org.email,
+        "avatar": avatar.get_data_for_org(org),
+    }
 
 
 def user_view(user, password=None):
-  user_data = {
-    'kind': 'user',
-    'name': user.username,
-    'username': user.username,
-    'email': user.email,
-    'verified': user.verified,
-    'avatar': avatar.get_data_for_user(user),
-    'super_user': superusers.is_superuser(user.username),
-    'enabled': user.enabled,
-  }
+    user_data = {
+        "kind": "user",
+        "name": user.username,
+        "username": user.username,
+        "email": user.email,
+        "verified": user.verified,
+        "avatar": avatar.get_data_for_user(user),
+        "super_user": superusers.is_superuser(user.username),
+        "enabled": user.enabled,
+    }
 
-  if password is not None:
-    user_data['encrypted_password'] = authentication.encrypt_user_password(password)
+    if password is not None:
+        user_data["encrypted_password"] = authentication.encrypt_user_password(password)
 
-  return user_data
+    return user_data
 
 
-@resource('/v1/superuser/changelog/')
+@resource("/v1/superuser/changelog/")
 @internal_only
 @show_if(features.SUPER_USERS)
 class ChangeLog(ApiResource):
-  """ Resource for returning the change log for enterprise customers. """
+    """ Resource for returning the change log for enterprise customers. """
 
-  @require_fresh_login
-  @verify_not_prod
-  @nickname('getChangeLog')
-  @require_scope(scopes.SUPERUSER)
-  def get(self):
-    """ Returns the change log for this installation. """
-    if SuperUserPermission().can():
-      with open(os.path.join(ROOT_DIR, 'CHANGELOG.md'), 'r') as f:
-        return {
-          'log': f.read()
-        }
+    @require_fresh_login
+    @verify_not_prod
+    @nickname("getChangeLog")
+    @require_scope(scopes.SUPERUSER)
+    def get(self):
+        """ Returns the change log for this installation. """
+        if SuperUserPermission().can():
+            with open(os.path.join(ROOT_DIR, "CHANGELOG.md"), "r") as f:
+                return {"log": f.read()}
 
-    raise Unauthorized()
+        raise Unauthorized()
 
 
-@resource('/v1/superuser/organizations/')
+@resource("/v1/superuser/organizations/")
 @internal_only
 @show_if(features.SUPER_USERS)
 class SuperUserOrganizationList(ApiResource):
-  """ Resource for listing organizations in the system. """
+    """ Resource for listing organizations in the system. """
 
-  @require_fresh_login
-  @verify_not_prod
-  @nickname('listAllOrganizations')
-  @require_scope(scopes.SUPERUSER)
-  def get(self):
-    """ Returns a list of all organizations in the system. """
-    if SuperUserPermission().can():
-      return {
-        'organizations': [org.to_dict() for org in pre_oci_model.get_organizations()]
-      }
+    @require_fresh_login
+    @verify_not_prod
+    @nickname("listAllOrganizations")
+    @require_scope(scopes.SUPERUSER)
+    def get(self):
+        """ Returns a list of all organizations in the system. """
+        if SuperUserPermission().can():
+            return {
+                "organizations": [
+                    org.to_dict() for org in pre_oci_model.get_organizations()
+                ]
+            }
 
-    raise Unauthorized()
+        raise Unauthorized()
 
 
-@resource('/v1/superuser/users/')
+@resource("/v1/superuser/users/")
 @show_if(features.SUPER_USERS)
 class SuperUserList(ApiResource):
-  """ Resource for listing users in the system. """
-  schemas = {
-    'CreateInstallUser': {
-      'id': 'CreateInstallUser',
-      'description': 'Data for creating a user',
-      'required': ['username'],
-      'properties': {
-        'username': {
-          'type': 'string',
-          'description': 'The username of the user being created'
-        },
+    """ Resource for listing users in the system. """
 
-        'email': {
-          'type': 'string',
-          'description': 'The email address of the user being created'
+    schemas = {
+        "CreateInstallUser": {
+            "id": "CreateInstallUser",
+            "description": "Data for creating a user",
+            "required": ["username"],
+            "properties": {
+                "username": {
+                    "type": "string",
+                    "description": "The username of the user being created",
+                },
+                "email": {
+                    "type": "string",
+                    "description": "The email address of the user being created",
+                },
+            },
         }
-      }
     }
-  }
 
-  @require_fresh_login
-  @verify_not_prod
-  @nickname('listAllUsers')
-  @parse_args()
-  @query_param('disabled', 'If false, only enabled users will be returned.', type=truthy_bool,
-               default=True)
-  @require_scope(scopes.SUPERUSER)
-  def get(self, parsed_args):
-    """ Returns a list of all users in the system. """
-    if SuperUserPermission().can():
-      users = pre_oci_model.get_active_users(disabled=parsed_args['disabled'])
-      return {
-        'users': [user.to_dict() for user in users]
-      }
+    @require_fresh_login
+    @verify_not_prod
+    @nickname("listAllUsers")
+    @parse_args()
+    @query_param(
+        "disabled",
+        "If false, only enabled users will be returned.",
+        type=truthy_bool,
+        default=True,
+    )
+    @require_scope(scopes.SUPERUSER)
+    def get(self, parsed_args):
+        """ Returns a list of all users in the system. """
+        if SuperUserPermission().can():
+            users = pre_oci_model.get_active_users(disabled=parsed_args["disabled"])
+            return {"users": [user.to_dict() for user in users]}
 
-    raise Unauthorized()
+        raise Unauthorized()
 
-  @require_fresh_login
-  @verify_not_prod
-  @nickname('createInstallUser')
-  @validate_json_request('CreateInstallUser')
-  @require_scope(scopes.SUPERUSER)
-  def post(self):
-    """ Creates a new user. """
-    # Ensure that we are using database auth.
-    if app.config['AUTHENTICATION_TYPE'] != 'Database':
-      raise InvalidRequest('Cannot create a user in a non-database auth system')
+    @require_fresh_login
+    @verify_not_prod
+    @nickname("createInstallUser")
+    @validate_json_request("CreateInstallUser")
+    @require_scope(scopes.SUPERUSER)
+    def post(self):
+        """ Creates a new user. """
+        # Ensure that we are using database auth.
+        if app.config["AUTHENTICATION_TYPE"] != "Database":
+            raise InvalidRequest("Cannot create a user in a non-database auth system")
 
-    user_information = request.get_json()
-    if SuperUserPermission().can():
-      # Generate a temporary password for the user.
-      random = SystemRandom()
-      password = ''.join([random.choice(string.ascii_uppercase + string.digits) for _ in range(32)])
+        user_information = request.get_json()
+        if SuperUserPermission().can():
+            # Generate a temporary password for the user.
+            random = SystemRandom()
+            password = "".join(
+                [
+                    random.choice(string.ascii_uppercase + string.digits)
+                    for _ in range(32)
+                ]
+            )
 
-      # Create the user.
-      username = user_information['username']
-      email = user_information.get('email')
-      install_user, confirmation_code = pre_oci_model.create_install_user(username, password, email)
-      if features.MAILING:
-        send_confirmation_email(install_user.username, install_user.email, confirmation_code)
+            # Create the user.
+            username = user_information["username"]
+            email = user_information.get("email")
+            install_user, confirmation_code = pre_oci_model.create_install_user(
+                username, password, email
+            )
+            if features.MAILING:
+                send_confirmation_email(
+                    install_user.username, install_user.email, confirmation_code
+                )
 
-      return {
-        'username': username,
-        'email': email,
-        'password': password,
-        'encrypted_password': authentication.encrypt_user_password(password),
-      }
+            return {
+                "username": username,
+                "email": email,
+                "password": password,
+                "encrypted_password": authentication.encrypt_user_password(password),
+            }
 
-    raise Unauthorized()
+        raise Unauthorized()
 
 
-@resource('/v1/superusers/users/<username>/sendrecovery')
+@resource("/v1/superusers/users/<username>/sendrecovery")
 @internal_only
 @show_if(features.SUPER_USERS)
 @show_if(features.MAILING)
 class SuperUserSendRecoveryEmail(ApiResource):
-  """ Resource for sending a recovery user on behalf of a user. """
+    """ Resource for sending a recovery user on behalf of a user. """
 
-  @require_fresh_login
-  @verify_not_prod
-  @nickname('sendInstallUserRecoveryEmail')
-  @require_scope(scopes.SUPERUSER)
-  def post(self, username):
-    # Ensure that we are using database auth.
-    if app.config['AUTHENTICATION_TYPE'] != 'Database':
-      raise InvalidRequest('Cannot send a recovery e-mail for non-database auth')
+    @require_fresh_login
+    @verify_not_prod
+    @nickname("sendInstallUserRecoveryEmail")
+    @require_scope(scopes.SUPERUSER)
+    def post(self, username):
+        # Ensure that we are using database auth.
+        if app.config["AUTHENTICATION_TYPE"] != "Database":
+            raise InvalidRequest("Cannot send a recovery e-mail for non-database auth")
 
-    if SuperUserPermission().can():
-      user = pre_oci_model.get_nonrobot_user(username)
-      if user is None:
-        raise NotFound()
+        if SuperUserPermission().can():
+            user = pre_oci_model.get_nonrobot_user(username)
+            if user is None:
+                raise NotFound()
 
-      if superusers.is_superuser(username):
-        raise InvalidRequest('Cannot send a recovery email for a superuser')
+            if superusers.is_superuser(username):
+                raise InvalidRequest("Cannot send a recovery email for a superuser")
 
-      code = pre_oci_model.create_reset_password_email_code(user.email)
-      send_recovery_email(user.email, code)
-      return {
-        'email': user.email
-      }
+            code = pre_oci_model.create_reset_password_email_code(user.email)
+            send_recovery_email(user.email, code)
+            return {"email": user.email}
 
-    raise Unauthorized()
+        raise Unauthorized()
 
 
-@resource('/v1/superuser/users/<username>')
-@path_param('username', 'The username of the user being managed')
+@resource("/v1/superuser/users/<username>")
+@path_param("username", "The username of the user being managed")
 @internal_only
 @show_if(features.SUPER_USERS)
 class SuperUserManagement(ApiResource):
-  """ Resource for managing users in the system. """
-  schemas = {
-    'UpdateUser': {
-      'id': 'UpdateUser',
-      'type': 'object',
-      'description': 'Description of updates for a user',
-      'properties': {
-        'password': {
-          'type': 'string',
-          'description': 'The new password for the user',
-        },
-        'email': {
-          'type': 'string',
-          'description': 'The new e-mail address for the user',
-        },
-        'enabled': {
-          'type': 'boolean',
-          'description': 'Whether the user is enabled'
+    """ Resource for managing users in the system. """
+
+    schemas = {
+        "UpdateUser": {
+            "id": "UpdateUser",
+            "type": "object",
+            "description": "Description of updates for a user",
+            "properties": {
+                "password": {
+                    "type": "string",
+                    "description": "The new password for the user",
+                },
+                "email": {
+                    "type": "string",
+                    "description": "The new e-mail address for the user",
+                },
+                "enabled": {
+                    "type": "boolean",
+                    "description": "Whether the user is enabled",
+                },
+            },
         }
-      },
-    },
-  }
+    }
 
-  @require_fresh_login
-  @verify_not_prod
-  @nickname('getInstallUser')
-  @require_scope(scopes.SUPERUSER)
-  def get(self, username):
-    """ Returns information about the specified user. """
-    if SuperUserPermission().can():
-      user = pre_oci_model.get_nonrobot_user(username)
-      if user is None:
-        raise NotFound()
+    @require_fresh_login
+    @verify_not_prod
+    @nickname("getInstallUser")
+    @require_scope(scopes.SUPERUSER)
+    def get(self, username):
+        """ Returns information about the specified user. """
+        if SuperUserPermission().can():
+            user = pre_oci_model.get_nonrobot_user(username)
+            if user is None:
+                raise NotFound()
 
-      return user.to_dict()
+            return user.to_dict()
 
-    raise Unauthorized()
+        raise Unauthorized()
 
-  @require_fresh_login
-  @verify_not_prod
-  @nickname('deleteInstallUser')
-  @require_scope(scopes.SUPERUSER)
-  def delete(self, username):
-    """ Deletes the specified user. """
-    if SuperUserPermission().can():
-      user = pre_oci_model.get_nonrobot_user(username)
-      if user is None:
-        raise NotFound()
+    @require_fresh_login
+    @verify_not_prod
+    @nickname("deleteInstallUser")
+    @require_scope(scopes.SUPERUSER)
+    def delete(self, username):
+        """ Deletes the specified user. """
+        if SuperUserPermission().can():
+            user = pre_oci_model.get_nonrobot_user(username)
+            if user is None:
+                raise NotFound()
 
-      if superusers.is_superuser(username):
-        raise InvalidRequest('Cannot delete a superuser')
+            if superusers.is_superuser(username):
+                raise InvalidRequest("Cannot delete a superuser")
 
-      pre_oci_model.mark_user_for_deletion(username)
-      return '', 204
+            pre_oci_model.mark_user_for_deletion(username)
+            return "", 204
 
-    raise Unauthorized()
+        raise Unauthorized()
 
-  @require_fresh_login
-  @verify_not_prod
-  @nickname('changeInstallUser')
-  @validate_json_request('UpdateUser')
-  @require_scope(scopes.SUPERUSER)
-  def put(self, username):
-    """ Updates information about the specified user. """
-    if SuperUserPermission().can():
-      user = pre_oci_model.get_nonrobot_user(username)
-      if user is None:
-        raise NotFound()
+    @require_fresh_login
+    @verify_not_prod
+    @nickname("changeInstallUser")
+    @validate_json_request("UpdateUser")
+    @require_scope(scopes.SUPERUSER)
+    def put(self, username):
+        """ Updates information about the specified user. """
+        if SuperUserPermission().can():
+            user = pre_oci_model.get_nonrobot_user(username)
+            if user is None:
+                raise NotFound()
 
-      if superusers.is_superuser(username):
-        raise InvalidRequest('Cannot update a superuser')
+            if superusers.is_superuser(username):
+                raise InvalidRequest("Cannot update a superuser")
 
-      user_data = request.get_json()
-      if 'password' in user_data:
-        # Ensure that we are using database auth.
-        if app.config['AUTHENTICATION_TYPE'] != 'Database':
-          raise InvalidRequest('Cannot change password in non-database auth')
+            user_data = request.get_json()
+            if "password" in user_data:
+                # Ensure that we are using database auth.
+                if app.config["AUTHENTICATION_TYPE"] != "Database":
+                    raise InvalidRequest("Cannot change password in non-database auth")
 
-        pre_oci_model.change_password(username, user_data['password'])
+                pre_oci_model.change_password(username, user_data["password"])
 
-      if 'email' in user_data:
-        # Ensure that we are using database auth.
-        if app.config['AUTHENTICATION_TYPE'] not in ['Database', 'AppToken']:
-          raise InvalidRequest('Cannot change e-mail in non-database auth')
+            if "email" in user_data:
+                # Ensure that we are using database auth.
+                if app.config["AUTHENTICATION_TYPE"] not in ["Database", "AppToken"]:
+                    raise InvalidRequest("Cannot change e-mail in non-database auth")
 
-        pre_oci_model.update_email(username, user_data['email'], auto_verify=True)
+                pre_oci_model.update_email(
+                    username, user_data["email"], auto_verify=True
+                )
 
-      if 'enabled' in user_data:
-        # Disable/enable the user.
-        pre_oci_model.update_enabled(username, bool(user_data['enabled']))
+            if "enabled" in user_data:
+                # Disable/enable the user.
+                pre_oci_model.update_enabled(username, bool(user_data["enabled"]))
 
-      if 'superuser' in user_data:
-        config_object = config_provider.get_config()
-        superusers_set = set(config_object['SUPER_USERS'])
+            if "superuser" in user_data:
+                config_object = config_provider.get_config()
+                superusers_set = set(config_object["SUPER_USERS"])
 
-        if user_data['superuser']:
-          superusers_set.add(username)
-        elif username in superusers_set:
-          superusers_set.remove(username)
+                if user_data["superuser"]:
+                    superusers_set.add(username)
+                elif username in superusers_set:
+                    superusers_set.remove(username)
 
-        config_object['SUPER_USERS'] = list(superusers_set)
-        config_provider.save_config(config_object)
+                config_object["SUPER_USERS"] = list(superusers_set)
+                config_provider.save_config(config_object)
 
-      return_value = user.to_dict()
-      if user_data.get('password') is not None:
-        password = user_data.get('password')
-        return_value['encrypted_password'] = authentication.encrypt_user_password(password)
-      if user_data.get('email') is not None:
-        return_value['email'] = user_data.get('email')
+            return_value = user.to_dict()
+            if user_data.get("password") is not None:
+                password = user_data.get("password")
+                return_value[
+                    "encrypted_password"
+                ] = authentication.encrypt_user_password(password)
+            if user_data.get("email") is not None:
+                return_value["email"] = user_data.get("email")
 
-      return return_value
+            return return_value
 
-    raise Unauthorized()
+        raise Unauthorized()
 
 
-@resource('/v1/superuser/takeownership/<namespace>')
-@path_param('namespace', 'The namespace of the user or organization being managed')
+@resource("/v1/superuser/takeownership/<namespace>")
+@path_param("namespace", "The namespace of the user or organization being managed")
 @internal_only
 @show_if(features.SUPER_USERS)
 class SuperUserTakeOwnership(ApiResource):
-  """ Resource for a superuser to take ownership of a namespace. """
+    """ Resource for a superuser to take ownership of a namespace. """
 
-  @require_fresh_login
-  @verify_not_prod
-  @nickname('takeOwnership')
-  @require_scope(scopes.SUPERUSER)
-  def post(self, namespace):
-    """ Takes ownership of the specified organization or user. """
-    if SuperUserPermission().can():
-      # Disallow for superusers.
-      if superusers.is_superuser(namespace):
-        raise InvalidRequest('Cannot take ownership of a superuser')
+    @require_fresh_login
+    @verify_not_prod
+    @nickname("takeOwnership")
+    @require_scope(scopes.SUPERUSER)
+    def post(self, namespace):
+        """ Takes ownership of the specified organization or user. """
+        if SuperUserPermission().can():
+            # Disallow for superusers.
+            if superusers.is_superuser(namespace):
+                raise InvalidRequest("Cannot take ownership of a superuser")
 
-      authed_user = get_authenticated_user()
-      entity_id, was_user = pre_oci_model.take_ownership(namespace, authed_user)
-      if entity_id is None:
-        raise NotFound()
+            authed_user = get_authenticated_user()
+            entity_id, was_user = pre_oci_model.take_ownership(namespace, authed_user)
+            if entity_id is None:
+                raise NotFound()
 
-      # Log the change.
-      log_metadata = {
-        'entity_id': entity_id,
-        'namespace': namespace,
-        'was_user': was_user,
-        'superuser': authed_user.username,
-      }
+            # Log the change.
+            log_metadata = {
+                "entity_id": entity_id,
+                "namespace": namespace,
+                "was_user": was_user,
+                "superuser": authed_user.username,
+            }
 
-      log_action('take_ownership', authed_user.username, log_metadata)
+            log_action("take_ownership", authed_user.username, log_metadata)
 
-      return jsonify({
-        'namespace': namespace
-      })
+            return jsonify({"namespace": namespace})
 
-    raise Unauthorized()
+        raise Unauthorized()
 
 
-@resource('/v1/superuser/organizations/<name>')
-@path_param('name', 'The name of the organizaton being managed')
+@resource("/v1/superuser/organizations/<name>")
+@path_param("name", "The name of the organizaton being managed")
 @show_if(features.SUPER_USERS)
 class SuperUserOrganizationManagement(ApiResource):
-  """ Resource for managing organizations in the system. """
-  schemas = {
-    'UpdateOrg': {
-      'id': 'UpdateOrg',
-      'type': 'object',
-      'description': 'Description of updates for an organization',
-      'properties': {
-        'name': {
-          'type': 'string',
-          'description': 'The new name for the organization',
+    """ Resource for managing organizations in the system. """
+
+    schemas = {
+        "UpdateOrg": {
+            "id": "UpdateOrg",
+            "type": "object",
+            "description": "Description of updates for an organization",
+            "properties": {
+                "name": {
+                    "type": "string",
+                    "description": "The new name for the organization",
+                }
+            },
         }
-      },
-    },
-  }
+    }
 
-  @require_fresh_login
-  @verify_not_prod
-  @nickname('deleteOrganization')
-  @require_scope(scopes.SUPERUSER)
-  def delete(self, name):
-    """ Deletes the specified organization. """
-    if SuperUserPermission().can():
-      pre_oci_model.mark_organization_for_deletion(name)
-      return '', 204
+    @require_fresh_login
+    @verify_not_prod
+    @nickname("deleteOrganization")
+    @require_scope(scopes.SUPERUSER)
+    def delete(self, name):
+        """ Deletes the specified organization. """
+        if SuperUserPermission().can():
+            pre_oci_model.mark_organization_for_deletion(name)
+            return "", 204
 
-    raise Unauthorized()
+        raise Unauthorized()
 
-  @require_fresh_login
-  @verify_not_prod
-  @nickname('changeOrganization')
-  @validate_json_request('UpdateOrg')
-  @require_scope(scopes.SUPERUSER)
-  def put(self, name):
-    """ Updates information about the specified user. """
-    if SuperUserPermission().can():
-      org_data = request.get_json()
-      old_name = org_data['name'] if 'name' in org_data else None
-      org = pre_oci_model.change_organization_name(name, old_name)
-      return org.to_dict()
+    @require_fresh_login
+    @verify_not_prod
+    @nickname("changeOrganization")
+    @validate_json_request("UpdateOrg")
+    @require_scope(scopes.SUPERUSER)
+    def put(self, name):
+        """ Updates information about the specified user. """
+        if SuperUserPermission().can():
+            org_data = request.get_json()
+            old_name = org_data["name"] if "name" in org_data else None
+            org = pre_oci_model.change_organization_name(name, old_name)
+            return org.to_dict()
 
-    raise Unauthorized()
+        raise Unauthorized()
 
 
 def key_view(key):
-  return {
-    'name': key.name,
-    'kid': key.kid,
-    'service': key.service,
-    'jwk': key.jwk,
-    'metadata': key.metadata,
-    'created_date': key.created_date,
-    'expiration_date': key.expiration_date,
-    'rotation_duration': key.rotation_duration,
-    'approval': approval_view(key.approval) if key.approval is not None else None,
-  }
+    return {
+        "name": key.name,
+        "kid": key.kid,
+        "service": key.service,
+        "jwk": key.jwk,
+        "metadata": key.metadata,
+        "created_date": key.created_date,
+        "expiration_date": key.expiration_date,
+        "rotation_duration": key.rotation_duration,
+        "approval": approval_view(key.approval) if key.approval is not None else None,
+    }
 
 
 def approval_view(approval):
-  return {
-    'approver': user_view(approval.approver) if approval.approver else None,
-    'approval_type': approval.approval_type,
-    'approved_date': approval.approved_date,
-    'notes': approval.notes,
-  }
+    return {
+        "approver": user_view(approval.approver) if approval.approver else None,
+        "approval_type": approval.approval_type,
+        "approved_date": approval.approved_date,
+        "notes": approval.notes,
+    }
 
 
-@resource('/v1/superuser/keys')
+@resource("/v1/superuser/keys")
 @show_if(features.SUPER_USERS)
 class SuperUserServiceKeyManagement(ApiResource):
-  """ Resource for managing service keys."""
-  schemas = {
-    'CreateServiceKey': {
-      'id': 'CreateServiceKey',
-      'type': 'object',
-      'description': 'Description of creation of a service key',
-      'required': ['service', 'expiration'],
-      'properties': {
-        'service': {
-          'type': 'string',
-          'description': 'The service authenticating with this key',
-        },
-        'name': {
-          'type': 'string',
-          'description': 'The friendly name of a service key',
-        },
-        'metadata': {
-          'type': 'object',
-          'description': 'The key/value pairs of this key\'s metadata',
-        },
-        'notes': {
-          'type': 'string',
-          'description': 'If specified, the extra notes for the key',
-        },
-        'expiration': {
-          'description': 'The expiration date as a unix timestamp',
-          'anyOf': [{'type': 'number'}, {'type': 'null'}],
-        },
-      },
-    },
-  }
+    """ Resource for managing service keys."""
 
-  @verify_not_prod
-  @nickname('listServiceKeys')
-  @require_scope(scopes.SUPERUSER)
-  def get(self):
-    if SuperUserPermission().can():
-      keys = pre_oci_model.list_all_service_keys()
+    schemas = {
+        "CreateServiceKey": {
+            "id": "CreateServiceKey",
+            "type": "object",
+            "description": "Description of creation of a service key",
+            "required": ["service", "expiration"],
+            "properties": {
+                "service": {
+                    "type": "string",
+                    "description": "The service authenticating with this key",
+                },
+                "name": {
+                    "type": "string",
+                    "description": "The friendly name of a service key",
+                },
+                "metadata": {
+                    "type": "object",
+                    "description": "The key/value pairs of this key's metadata",
+                },
+                "notes": {
+                    "type": "string",
+                    "description": "If specified, the extra notes for the key",
+                },
+                "expiration": {
+                    "description": "The expiration date as a unix timestamp",
+                    "anyOf": [{"type": "number"}, {"type": "null"}],
+                },
+            },
+        }
+    }
 
-      return jsonify({
-        'keys': [key.to_dict() for key in keys],
-      })
+    @verify_not_prod
+    @nickname("listServiceKeys")
+    @require_scope(scopes.SUPERUSER)
+    def get(self):
+        if SuperUserPermission().can():
+            keys = pre_oci_model.list_all_service_keys()
 
-    raise Unauthorized()
+            return jsonify({"keys": [key.to_dict() for key in keys]})
 
-  @require_fresh_login
-  @verify_not_prod
-  @nickname('createServiceKey')
-  @require_scope(scopes.SUPERUSER)
-  @validate_json_request('CreateServiceKey')
-  def post(self):
-    if SuperUserPermission().can():
-      body = request.get_json()
-      key_name = body.get('name', '')
-      if not validate_service_key_name(key_name):
-        raise InvalidRequest('Invalid service key friendly name: %s' % key_name)
+        raise Unauthorized()
 
-      # Ensure we have a valid expiration date if specified.
-      expiration_date = body.get('expiration', None)
-      if expiration_date is not None:
-        try:
-          expiration_date = datetime.utcfromtimestamp(float(expiration_date))
-        except ValueError as ve:
-          raise InvalidRequest('Invalid expiration date: %s' % ve)
+    @require_fresh_login
+    @verify_not_prod
+    @nickname("createServiceKey")
+    @require_scope(scopes.SUPERUSER)
+    @validate_json_request("CreateServiceKey")
+    def post(self):
+        if SuperUserPermission().can():
+            body = request.get_json()
+            key_name = body.get("name", "")
+            if not validate_service_key_name(key_name):
+                raise InvalidRequest("Invalid service key friendly name: %s" % key_name)
 
-        if expiration_date <= datetime.now():
-          raise InvalidRequest('Expiration date cannot be in the past')
+            # Ensure we have a valid expiration date if specified.
+            expiration_date = body.get("expiration", None)
+            if expiration_date is not None:
+                try:
+                    expiration_date = datetime.utcfromtimestamp(float(expiration_date))
+                except ValueError as ve:
+                    raise InvalidRequest("Invalid expiration date: %s" % ve)
 
-      # Create the metadata for the key.
-      user = get_authenticated_user()
-      metadata = body.get('metadata', {})
-      metadata.update({
-        'created_by': 'Quay Superuser Panel',
-        'creator': user.username,
-        'ip': get_request_ip(),
-      })
+                if expiration_date <= datetime.now():
+                    raise InvalidRequest("Expiration date cannot be in the past")
 
-      # Generate a key with a private key that we *never save*.
-      (private_key, key_id) = pre_oci_model.generate_service_key(body['service'], expiration_date,
-                                                                 metadata=metadata,
-                                                                 name=key_name)
-      # Auto-approve the service key.
-      pre_oci_model.approve_service_key(key_id, user, ServiceKeyApprovalType.SUPERUSER,
-                                        notes=body.get('notes', ''))
+            # Create the metadata for the key.
+            user = get_authenticated_user()
+            metadata = body.get("metadata", {})
+            metadata.update(
+                {
+                    "created_by": "Quay Superuser Panel",
+                    "creator": user.username,
+                    "ip": get_request_ip(),
+                }
+            )
 
-      # Log the creation and auto-approval of the service key.
-      key_log_metadata = {
-        'kid': key_id,
-        'preshared': True,
-        'service': body['service'],
-        'name': key_name,
-        'expiration_date': expiration_date,
-        'auto_approved': True,
-      }
+            # Generate a key with a private key that we *never save*.
+            (private_key, key_id) = pre_oci_model.generate_service_key(
+                body["service"], expiration_date, metadata=metadata, name=key_name
+            )
+            # Auto-approve the service key.
+            pre_oci_model.approve_service_key(
+                key_id,
+                user,
+                ServiceKeyApprovalType.SUPERUSER,
+                notes=body.get("notes", ""),
+            )
 
-      log_action('service_key_create', None, key_log_metadata)
-      log_action('service_key_approve', None, key_log_metadata)
+            # Log the creation and auto-approval of the service key.
+            key_log_metadata = {
+                "kid": key_id,
+                "preshared": True,
+                "service": body["service"],
+                "name": key_name,
+                "expiration_date": expiration_date,
+                "auto_approved": True,
+            }
 
-      return jsonify({
-        'kid': key_id,
-        'name': key_name,
-        'service': body['service'],
-        'public_key': private_key.publickey().exportKey('PEM'),
-        'private_key': private_key.exportKey('PEM'),
-      })
+            log_action("service_key_create", None, key_log_metadata)
+            log_action("service_key_approve", None, key_log_metadata)
 
-    raise Unauthorized()
+            return jsonify(
+                {
+                    "kid": key_id,
+                    "name": key_name,
+                    "service": body["service"],
+                    "public_key": private_key.publickey().exportKey("PEM"),
+                    "private_key": private_key.exportKey("PEM"),
+                }
+            )
+
+        raise Unauthorized()
 
 
-@resource('/v1/superuser/keys/<kid>')
-@path_param('kid', 'The unique identifier for a service key')
+@resource("/v1/superuser/keys/<kid>")
+@path_param("kid", "The unique identifier for a service key")
 @show_if(features.SUPER_USERS)
 class SuperUserServiceKey(ApiResource):
-  """ Resource for managing service keys. """
-  schemas = {
-    'PutServiceKey': {
-      'id': 'PutServiceKey',
-      'type': 'object',
-      'description': 'Description of updates for a service key',
-      'properties': {
-        'name': {
-          'type': 'string',
-          'description': 'The friendly name of a service key',
-        },
-        'metadata': {
-          'type': 'object',
-          'description': 'The key/value pairs of this key\'s metadata',
-        },
-        'expiration': {
-          'description': 'The expiration date as a unix timestamp',
-          'anyOf': [{'type': 'number'}, {'type': 'null'}],
-        },
-      },
-    },
-  }
+    """ Resource for managing service keys. """
 
-  @verify_not_prod
-  @nickname('getServiceKey')
-  @require_scope(scopes.SUPERUSER)
-  def get(self, kid):
-    if SuperUserPermission().can():
-      try:
-        key = pre_oci_model.get_service_key(kid, approved_only=False, alive_only=False)
-        return jsonify(key.to_dict())
-      except ServiceKeyDoesNotExist:
-        raise NotFound()
+    schemas = {
+        "PutServiceKey": {
+            "id": "PutServiceKey",
+            "type": "object",
+            "description": "Description of updates for a service key",
+            "properties": {
+                "name": {
+                    "type": "string",
+                    "description": "The friendly name of a service key",
+                },
+                "metadata": {
+                    "type": "object",
+                    "description": "The key/value pairs of this key's metadata",
+                },
+                "expiration": {
+                    "description": "The expiration date as a unix timestamp",
+                    "anyOf": [{"type": "number"}, {"type": "null"}],
+                },
+            },
+        }
+    }
 
-    raise Unauthorized()
+    @verify_not_prod
+    @nickname("getServiceKey")
+    @require_scope(scopes.SUPERUSER)
+    def get(self, kid):
+        if SuperUserPermission().can():
+            try:
+                key = pre_oci_model.get_service_key(
+                    kid, approved_only=False, alive_only=False
+                )
+                return jsonify(key.to_dict())
+            except ServiceKeyDoesNotExist:
+                raise NotFound()
 
-  @require_fresh_login
-  @verify_not_prod
-  @nickname('updateServiceKey')
-  @require_scope(scopes.SUPERUSER)
-  @validate_json_request('PutServiceKey')
-  def put(self, kid):
-    if SuperUserPermission().can():
-      body = request.get_json()
-      try:
-        key = pre_oci_model.get_service_key(kid, approved_only=False, alive_only=False)
-      except ServiceKeyDoesNotExist:
-        raise NotFound()
+        raise Unauthorized()
 
-      key_log_metadata = {
-        'kid': key.kid,
-        'service': key.service,
-        'name': body.get('name', key.name),
-        'expiration_date': key.expiration_date,
-      }
+    @require_fresh_login
+    @verify_not_prod
+    @nickname("updateServiceKey")
+    @require_scope(scopes.SUPERUSER)
+    @validate_json_request("PutServiceKey")
+    def put(self, kid):
+        if SuperUserPermission().can():
+            body = request.get_json()
+            try:
+                key = pre_oci_model.get_service_key(
+                    kid, approved_only=False, alive_only=False
+                )
+            except ServiceKeyDoesNotExist:
+                raise NotFound()
 
-      if 'expiration' in body:
-        expiration_date = body['expiration']
-        if expiration_date is not None and expiration_date != '':
-          try:
-            expiration_date = datetime.utcfromtimestamp(float(expiration_date))
-          except ValueError as ve:
-            raise InvalidRequest('Invalid expiration date: %s' % ve)
+            key_log_metadata = {
+                "kid": key.kid,
+                "service": key.service,
+                "name": body.get("name", key.name),
+                "expiration_date": key.expiration_date,
+            }
 
-          if expiration_date <= datetime.now():
-            raise InvalidRequest('Cannot have an expiration date in the past')
+            if "expiration" in body:
+                expiration_date = body["expiration"]
+                if expiration_date is not None and expiration_date != "":
+                    try:
+                        expiration_date = datetime.utcfromtimestamp(
+                            float(expiration_date)
+                        )
+                    except ValueError as ve:
+                        raise InvalidRequest("Invalid expiration date: %s" % ve)
 
-        key_log_metadata.update({
-          'old_expiration_date': key.expiration_date,
-          'expiration_date': expiration_date,
-        })
+                    if expiration_date <= datetime.now():
+                        raise InvalidRequest(
+                            "Cannot have an expiration date in the past"
+                        )
 
-        log_action('service_key_extend', None, key_log_metadata)
-        pre_oci_model.set_key_expiration(kid, expiration_date)
+                key_log_metadata.update(
+                    {
+                        "old_expiration_date": key.expiration_date,
+                        "expiration_date": expiration_date,
+                    }
+                )
 
-      if 'name' in body or 'metadata' in body:
-        key_name = body.get('name')
-        if not validate_service_key_name(key_name):
-          raise InvalidRequest('Invalid service key friendly name: %s' % key_name)
+                log_action("service_key_extend", None, key_log_metadata)
+                pre_oci_model.set_key_expiration(kid, expiration_date)
 
-        pre_oci_model.update_service_key(kid, key_name, body.get('metadata'))
-        log_action('service_key_modify', None, key_log_metadata)
+            if "name" in body or "metadata" in body:
+                key_name = body.get("name")
+                if not validate_service_key_name(key_name):
+                    raise InvalidRequest(
+                        "Invalid service key friendly name: %s" % key_name
+                    )
 
-      updated_key = pre_oci_model.get_service_key(kid, approved_only=False, alive_only=False)
-      return jsonify(updated_key.to_dict())
+                pre_oci_model.update_service_key(kid, key_name, body.get("metadata"))
+                log_action("service_key_modify", None, key_log_metadata)
 
-    raise Unauthorized()
+            updated_key = pre_oci_model.get_service_key(
+                kid, approved_only=False, alive_only=False
+            )
+            return jsonify(updated_key.to_dict())
 
-  @require_fresh_login
-  @verify_not_prod
-  @nickname('deleteServiceKey')
-  @require_scope(scopes.SUPERUSER)
-  def delete(self, kid):
-    if SuperUserPermission().can():
-      try:
-        key = pre_oci_model.delete_service_key(kid)
-      except ServiceKeyDoesNotExist:
-        raise NotFound()
+        raise Unauthorized()
 
-      key_log_metadata = {
-        'kid': kid,
-        'service': key.service,
-        'name': key.name,
-        'created_date': key.created_date,
-        'expiration_date': key.expiration_date,
-      }
+    @require_fresh_login
+    @verify_not_prod
+    @nickname("deleteServiceKey")
+    @require_scope(scopes.SUPERUSER)
+    def delete(self, kid):
+        if SuperUserPermission().can():
+            try:
+                key = pre_oci_model.delete_service_key(kid)
+            except ServiceKeyDoesNotExist:
+                raise NotFound()
 
-      log_action('service_key_delete', None, key_log_metadata)
-      return make_response('', 204)
+            key_log_metadata = {
+                "kid": kid,
+                "service": key.service,
+                "name": key.name,
+                "created_date": key.created_date,
+                "expiration_date": key.expiration_date,
+            }
 
-    raise Unauthorized()
+            log_action("service_key_delete", None, key_log_metadata)
+            return make_response("", 204)
+
+        raise Unauthorized()
 
 
-@resource('/v1/superuser/approvedkeys/<kid>')
-@path_param('kid', 'The unique identifier for a service key')
+@resource("/v1/superuser/approvedkeys/<kid>")
+@path_param("kid", "The unique identifier for a service key")
 @show_if(features.SUPER_USERS)
 class SuperUserServiceKeyApproval(ApiResource):
-  """ Resource for approving service keys. """
+    """ Resource for approving service keys. """
 
-  schemas = {
-    'ApproveServiceKey': {
-      'id': 'ApproveServiceKey',
-      'type': 'object',
-      'description': 'Information for approving service keys',
-      'properties': {
-        'notes': {
-          'type': 'string',
-          'description': 'Optional approval notes',
-        },
-      },
-    },
-  }
-
-  @require_fresh_login
-  @verify_not_prod
-  @nickname('approveServiceKey')
-  @require_scope(scopes.SUPERUSER)
-  @validate_json_request('ApproveServiceKey')
-  def post(self, kid):
-    if SuperUserPermission().can():
-      notes = request.get_json().get('notes', '')
-      approver = get_authenticated_user()
-      try:
-        key = pre_oci_model.approve_service_key(kid, approver, ServiceKeyApprovalType.SUPERUSER,
-                                                notes=notes)
-
-        # Log the approval of the service key.
-        key_log_metadata = {
-          'kid': kid,
-          'service': key.service,
-          'name': key.name,
-          'expiration_date': key.expiration_date,
+    schemas = {
+        "ApproveServiceKey": {
+            "id": "ApproveServiceKey",
+            "type": "object",
+            "description": "Information for approving service keys",
+            "properties": {
+                "notes": {"type": "string", "description": "Optional approval notes"}
+            },
         }
+    }
 
-        log_action('service_key_approve', None, key_log_metadata)
-      except ServiceKeyDoesNotExist:
-        raise NotFound()
-      except ServiceKeyAlreadyApproved:
-        pass
+    @require_fresh_login
+    @verify_not_prod
+    @nickname("approveServiceKey")
+    @require_scope(scopes.SUPERUSER)
+    @validate_json_request("ApproveServiceKey")
+    def post(self, kid):
+        if SuperUserPermission().can():
+            notes = request.get_json().get("notes", "")
+            approver = get_authenticated_user()
+            try:
+                key = pre_oci_model.approve_service_key(
+                    kid, approver, ServiceKeyApprovalType.SUPERUSER, notes=notes
+                )
 
-      return make_response('', 201)
+                # Log the approval of the service key.
+                key_log_metadata = {
+                    "kid": kid,
+                    "service": key.service,
+                    "name": key.name,
+                    "expiration_date": key.expiration_date,
+                }
 
-    raise Unauthorized()
+                log_action("service_key_approve", None, key_log_metadata)
+            except ServiceKeyDoesNotExist:
+                raise NotFound()
+            except ServiceKeyAlreadyApproved:
+                pass
+
+            return make_response("", 201)
+
+        raise Unauthorized()
 
 
-@resource('/v1/superuser/<build_uuid>/logs')
-@path_param('build_uuid', 'The UUID of the build')
+@resource("/v1/superuser/<build_uuid>/logs")
+@path_param("build_uuid", "The UUID of the build")
 @show_if(features.SUPER_USERS)
 class SuperUserRepositoryBuildLogs(ApiResource):
-  """ Resource for loading repository build logs for the superuser. """
+    """ Resource for loading repository build logs for the superuser. """
 
-  @require_fresh_login
-  @verify_not_prod
-  @nickname('getRepoBuildLogsSuperUser')
-  @require_scope(scopes.SUPERUSER)
-  def get(self, build_uuid):
-    """ Return the build logs for the build specified by the build uuid. """
-    if SuperUserPermission().can():
-      try:
-        repo_build = pre_oci_model.get_repository_build(build_uuid)
-        return get_logs_or_log_url(repo_build)
-      except InvalidRepositoryBuildException as e:
-        raise InvalidResponse(str(e))
+    @require_fresh_login
+    @verify_not_prod
+    @nickname("getRepoBuildLogsSuperUser")
+    @require_scope(scopes.SUPERUSER)
+    def get(self, build_uuid):
+        """ Return the build logs for the build specified by the build uuid. """
+        if SuperUserPermission().can():
+            try:
+                repo_build = pre_oci_model.get_repository_build(build_uuid)
+                return get_logs_or_log_url(repo_build)
+            except InvalidRepositoryBuildException as e:
+                raise InvalidResponse(str(e))
 
-    raise Unauthorized()
+        raise Unauthorized()
 
 
-@resource('/v1/superuser/<build_uuid>/status')
-@path_param('repository', 'The full path of the repository. e.g. namespace/name')
-@path_param('build_uuid', 'The UUID of the build')
+@resource("/v1/superuser/<build_uuid>/status")
+@path_param("repository", "The full path of the repository. e.g. namespace/name")
+@path_param("build_uuid", "The UUID of the build")
 @show_if(features.SUPER_USERS)
 class SuperUserRepositoryBuildStatus(ApiResource):
-  """ Resource for dealing with repository build status. """
+    """ Resource for dealing with repository build status. """
 
-  @require_fresh_login
-  @verify_not_prod
-  @nickname('getRepoBuildStatusSuperUser')
-  @require_scope(scopes.SUPERUSER)
-  def get(self, build_uuid):
-    """ Return the status for the builds specified by the build uuids. """
-    if SuperUserPermission().can():
-      try:
-        build = pre_oci_model.get_repository_build(build_uuid)
-      except InvalidRepositoryBuildException as e:
-        raise InvalidResponse(str(e))
-      return build.to_dict()
+    @require_fresh_login
+    @verify_not_prod
+    @nickname("getRepoBuildStatusSuperUser")
+    @require_scope(scopes.SUPERUSER)
+    def get(self, build_uuid):
+        """ Return the status for the builds specified by the build uuids. """
+        if SuperUserPermission().can():
+            try:
+                build = pre_oci_model.get_repository_build(build_uuid)
+            except InvalidRepositoryBuildException as e:
+                raise InvalidResponse(str(e))
+            return build.to_dict()
 
-    raise Unauthorized()
+        raise Unauthorized()
 
 
-@resource('/v1/superuser/<build_uuid>/build')
-@path_param('repository', 'The full path of the repository. e.g. namespace/name')
-@path_param('build_uuid', 'The UUID of the build')
+@resource("/v1/superuser/<build_uuid>/build")
+@path_param("repository", "The full path of the repository. e.g. namespace/name")
+@path_param("build_uuid", "The UUID of the build")
 @show_if(features.SUPER_USERS)
 class SuperUserRepositoryBuildResource(ApiResource):
-  """ Resource for dealing with repository builds as a super user. """
+    """ Resource for dealing with repository builds as a super user. """
 
-  @require_fresh_login
-  @verify_not_prod
-  @nickname('getRepoBuildSuperUser')
-  @require_scope(scopes.SUPERUSER)
-  def get(self, build_uuid):
-    """ Returns information about a build. """
-    if SuperUserPermission().can():
-      try:
-        build = pre_oci_model.get_repository_build(build_uuid)
-      except InvalidRepositoryBuildException:
-        raise NotFound()
+    @require_fresh_login
+    @verify_not_prod
+    @nickname("getRepoBuildSuperUser")
+    @require_scope(scopes.SUPERUSER)
+    def get(self, build_uuid):
+        """ Returns information about a build. """
+        if SuperUserPermission().can():
+            try:
+                build = pre_oci_model.get_repository_build(build_uuid)
+            except InvalidRepositoryBuildException:
+                raise NotFound()
 
-      return build.to_dict()
+            return build.to_dict()
 
-    raise Unauthorized()
+        raise Unauthorized()
diff --git a/endpoints/api/superuser_models_interface.py b/endpoints/api/superuser_models_interface.py
index e03d98e8c..0e8211b02 100644
--- a/endpoints/api/superuser_models_interface.py
+++ b/endpoints/api/superuser_models_interface.py
@@ -15,16 +15,16 @@ from util.morecollections import AttrDict
 
 
 def user_view(user):
-  return {
-    'name': user.username,
-    'kind': 'user',
-    'is_robot': user.robot,
-  }
+    return {"name": user.username, "kind": "user", "is_robot": user.robot}
 
 
 class BuildTrigger(
-  namedtuple('BuildTrigger', ['uuid', 'service_name', 'pull_robot', 'can_read', 'can_admin', 'for_build'])):
-  """
+    namedtuple(
+        "BuildTrigger",
+        ["uuid", "service_name", "pull_robot", "can_read", "can_admin", "for_build"],
+    )
+):
+    """
   BuildTrigger represent a trigger that is associated with a build
   :type uuid: string
   :type service_name: string
@@ -34,39 +34,56 @@ class BuildTrigger(
   :type for_build: boolean
   """
 
-  def to_dict(self):
-    if not self.uuid:
-      return None
+    def to_dict(self):
+        if not self.uuid:
+            return None
 
-    build_trigger = BuildTriggerHandler.get_handler(self)
-    build_source = build_trigger.config.get('build_source')
+        build_trigger = BuildTriggerHandler.get_handler(self)
+        build_source = build_trigger.config.get("build_source")
 
-    repo_url = build_trigger.get_repository_url() if build_source else None
-    can_read = self.can_read or self.can_admin
+        repo_url = build_trigger.get_repository_url() if build_source else None
+        can_read = self.can_read or self.can_admin
 
-    trigger_data = {
-      'id': self.uuid,
-      'service': self.service_name,
-      'is_active': build_trigger.is_active(),
+        trigger_data = {
+            "id": self.uuid,
+            "service": self.service_name,
+            "is_active": build_trigger.is_active(),
+            "build_source": build_source if can_read else None,
+            "repository_url": repo_url if can_read else None,
+            "config": build_trigger.config if self.can_admin else {},
+            "can_invoke": self.can_admin,
+        }
 
-      'build_source': build_source if can_read else None,
-      'repository_url': repo_url if can_read else None,
+        if not self.for_build and self.can_admin and self.pull_robot:
+            trigger_data["pull_robot"] = user_view(self.pull_robot)
 
-      'config': build_trigger.config if self.can_admin else {},
-      'can_invoke': self.can_admin,
-    }
-
-    if not self.for_build and self.can_admin and self.pull_robot:
-      trigger_data['pull_robot'] = user_view(self.pull_robot)
-
-    return trigger_data
+        return trigger_data
 
 
-class RepositoryBuild(namedtuple('RepositoryBuild',
-                                 ['uuid', 'logs_archived', 'repository_namespace_user_username', 'repository_name',
-                                  'can_write', 'can_read', 'pull_robot', 'resource_key', 'trigger', 'display_name',
-                                  'started', 'job_config', 'phase', 'status', 'error', 'archive_url'])):
-  """
+class RepositoryBuild(
+    namedtuple(
+        "RepositoryBuild",
+        [
+            "uuid",
+            "logs_archived",
+            "repository_namespace_user_username",
+            "repository_name",
+            "can_write",
+            "can_read",
+            "pull_robot",
+            "resource_key",
+            "trigger",
+            "display_name",
+            "started",
+            "job_config",
+            "phase",
+            "status",
+            "error",
+            "archive_url",
+        ],
+    )
+):
+    """
   RepositoryBuild represents a build associated with a repostiory
   :type uuid: string
   :type logs_archived: boolean
@@ -86,42 +103,46 @@ class RepositoryBuild(namedtuple('RepositoryBuild',
   :type archive_url: string
   """
 
-  def to_dict(self):
+    def to_dict(self):
 
-    resp = {
-      'id': self.uuid,
-      'phase': self.phase,
-      'started': format_date(self.started),
-      'display_name': self.display_name,
-      'status': self.status or {},
-      'subdirectory': self.job_config.get('build_subdir', ''),
-      'dockerfile_path': self.job_config.get('build_subdir', ''),
-      'context': self.job_config.get('context', ''),
-      'tags': self.job_config.get('docker_tags', []),
-      'manual_user': self.job_config.get('manual_user', None),
-      'is_writer': self.can_write,
-      'trigger': self.trigger.to_dict(),
-      'trigger_metadata': self.job_config.get('trigger_metadata', None) if self.can_read else None,
-      'resource_key': self.resource_key,
-      'pull_robot': user_view(self.pull_robot) if self.pull_robot else None,
-      'repository': {
-        'namespace': self.repository_namespace_user_username,
-        'name': self.repository_name
-      },
-      'error': self.error,
-    }
+        resp = {
+            "id": self.uuid,
+            "phase": self.phase,
+            "started": format_date(self.started),
+            "display_name": self.display_name,
+            "status": self.status or {},
+            "subdirectory": self.job_config.get("build_subdir", ""),
+            "dockerfile_path": self.job_config.get("build_subdir", ""),
+            "context": self.job_config.get("context", ""),
+            "tags": self.job_config.get("docker_tags", []),
+            "manual_user": self.job_config.get("manual_user", None),
+            "is_writer": self.can_write,
+            "trigger": self.trigger.to_dict(),
+            "trigger_metadata": self.job_config.get("trigger_metadata", None)
+            if self.can_read
+            else None,
+            "resource_key": self.resource_key,
+            "pull_robot": user_view(self.pull_robot) if self.pull_robot else None,
+            "repository": {
+                "namespace": self.repository_namespace_user_username,
+                "name": self.repository_name,
+            },
+            "error": self.error,
+        }
 
-    if self.can_write:
-      if self.resource_key is not None:
-        resp['archive_url'] = self.archive_url
-      elif self.job_config.get('archive_url', None):
-        resp['archive_url'] = self.job_config['archive_url']
+        if self.can_write:
+            if self.resource_key is not None:
+                resp["archive_url"] = self.archive_url
+            elif self.job_config.get("archive_url", None):
+                resp["archive_url"] = self.job_config["archive_url"]
 
-    return resp
+        return resp
 
 
-class Approval(namedtuple('Approval', ['approver', 'approval_type', 'approved_date', 'notes'])):
-  """
+class Approval(
+    namedtuple("Approval", ["approver", "approval_type", "approved_date", "notes"])
+):
+    """
   Approval represents whether a key has been approved or not
   :type approver: User
   :type approval_type: string
@@ -129,18 +150,32 @@ class Approval(namedtuple('Approval', ['approver', 'approval_type', 'approved_da
   :type notes: string
   """
 
-  def to_dict(self):
-    return {
-      'approver': self.approver.to_dict() if self.approver else None,
-      'approval_type': self.approval_type,
-      'approved_date': self.approved_date,
-      'notes': self.notes,
-    }
+    def to_dict(self):
+        return {
+            "approver": self.approver.to_dict() if self.approver else None,
+            "approval_type": self.approval_type,
+            "approved_date": self.approved_date,
+            "notes": self.notes,
+        }
 
 
-class ServiceKey(namedtuple('ServiceKey', ['name', 'kid', 'service', 'jwk', 'metadata', 'created_date',
-                                           'expiration_date', 'rotation_duration', 'approval'])):
-  """
+class ServiceKey(
+    namedtuple(
+        "ServiceKey",
+        [
+            "name",
+            "kid",
+            "service",
+            "jwk",
+            "metadata",
+            "created_date",
+            "expiration_date",
+            "rotation_duration",
+            "approval",
+        ],
+    )
+):
+    """
   ServiceKey is an apostille signing key
   :type name: string
   :type kid: int
@@ -154,22 +189,22 @@ class ServiceKey(namedtuple('ServiceKey', ['name', 'kid', 'service', 'jwk', 'met
 
   """
 
-  def to_dict(self):
-    return {
-      'name': self.name,
-      'kid': self.kid,
-      'service': self.service,
-      'jwk': self.jwk,
-      'metadata': self.metadata,
-      'created_date': self.created_date,
-      'expiration_date': self.expiration_date,
-      'rotation_duration': self.rotation_duration,
-      'approval': self.approval.to_dict() if self.approval is not None else None,
-    }
+    def to_dict(self):
+        return {
+            "name": self.name,
+            "kid": self.kid,
+            "service": self.service,
+            "jwk": self.jwk,
+            "metadata": self.metadata,
+            "created_date": self.created_date,
+            "expiration_date": self.expiration_date,
+            "rotation_duration": self.rotation_duration,
+            "approval": self.approval.to_dict() if self.approval is not None else None,
+        }
 
 
-class User(namedtuple('User', ['username', 'email', 'verified', 'enabled', 'robot'])):
-  """
+class User(namedtuple("User", ["username", "email", "verified", "enabled", "robot"])):
+    """
   User represents a single user.
   :type username: string
   :type email: string
@@ -178,158 +213,166 @@ class User(namedtuple('User', ['username', 'email', 'verified', 'enabled', 'robo
   :type robot: User
   """
 
-  def to_dict(self):
-    user_data = {
-      'kind': 'user',
-      'name': self.username,
-      'username': self.username,
-      'email': self.email,
-      'verified': self.verified,
-      'avatar': avatar.get_data_for_user(self),
-      'super_user': superusers.is_superuser(self.username),
-      'enabled': self.enabled,
-    }
+    def to_dict(self):
+        user_data = {
+            "kind": "user",
+            "name": self.username,
+            "username": self.username,
+            "email": self.email,
+            "verified": self.verified,
+            "avatar": avatar.get_data_for_user(self),
+            "super_user": superusers.is_superuser(self.username),
+            "enabled": self.enabled,
+        }
 
-    return user_data
+        return user_data
 
 
-class Organization(namedtuple('Organization', ['username', 'email'])):
-  """
+class Organization(namedtuple("Organization", ["username", "email"])):
+    """
   Organization represents a single org.
   :type username: string
   :type email: string
   """
 
-  def to_dict(self):
-    return {
-      'name': self.username,
-      'email': self.email,
-      'avatar': avatar.get_data_for_org(self),
-    }
+    def to_dict(self):
+        return {
+            "name": self.username,
+            "email": self.email,
+            "avatar": avatar.get_data_for_org(self),
+        }
 
 
 @add_metaclass(ABCMeta)
 class SuperuserDataInterface(object):
-  """
+    """
   Interface that represents all data store interactions required by a superuser api.
   """
 
-  @abstractmethod
-  def get_organizations(self):
-    """
+    @abstractmethod
+    def get_organizations(self):
+        """
     Returns a list of Organization
     """
 
-  @abstractmethod
-  def get_active_users(self):
-    """
+    @abstractmethod
+    def get_active_users(self):
+        """
     Returns a list of User
     """
 
-  @abstractmethod
-  def create_install_user(self, username, password, email):
-    """
+    @abstractmethod
+    def create_install_user(self, username, password, email):
+        """
     Returns the created user and confirmation code for email confirmation
     """
 
-  @abstractmethod
-  def get_nonrobot_user(self, username):
-    """
+    @abstractmethod
+    def get_nonrobot_user(self, username):
+        """
     Returns a User
     """
 
-  @abstractmethod
-  def create_reset_password_email_code(self, email):
-    """
+    @abstractmethod
+    def create_reset_password_email_code(self, email):
+        """
     Returns a recover password code
     """
 
-  @abstractmethod
-  def mark_user_for_deletion(self, username):
-    """
+    @abstractmethod
+    def mark_user_for_deletion(self, username):
+        """
     Returns None
     """
 
-  @abstractmethod
-  def change_password(self, username, password):
-    """
+    @abstractmethod
+    def change_password(self, username, password):
+        """
     Returns None
     """
 
-  @abstractmethod
-  def update_email(self, username, email, auto_verify):
-    """
+    @abstractmethod
+    def update_email(self, username, email, auto_verify):
+        """
     Returns None
     """
 
-  @abstractmethod
-  def update_enabled(self, username, enabled):
-    """
+    @abstractmethod
+    def update_enabled(self, username, enabled):
+        """
     Returns None
     """
 
-  @abstractmethod
-  def take_ownership(self, namespace, authed_user):
-    """
+    @abstractmethod
+    def take_ownership(self, namespace, authed_user):
+        """
     Returns id of entity and whether the entity was a user
     """
 
-  @abstractmethod
-  def mark_organization_for_deletion(self, name):
-    """
+    @abstractmethod
+    def mark_organization_for_deletion(self, name):
+        """
     Returns None
     """
 
-  @abstractmethod
-  def change_organization_name(self, old_org_name, new_org_name):
-    """
+    @abstractmethod
+    def change_organization_name(self, old_org_name, new_org_name):
+        """
     Returns updated Organization
     """
 
-  @abstractmethod
-  def list_all_service_keys(self):
-    """
+    @abstractmethod
+    def list_all_service_keys(self):
+        """
     Returns a list of service keys
     """
 
-  @abstractmethod
-  def generate_service_key(self, service, expiration_date, kid=None, name='', metadata=None, rotation_duration=None):
-    """
+    @abstractmethod
+    def generate_service_key(
+        self,
+        service,
+        expiration_date,
+        kid=None,
+        name="",
+        metadata=None,
+        rotation_duration=None,
+    ):
+        """
     Returns a tuple of private key and public key id
     """
 
-  @abstractmethod
-  def approve_service_key(self, kid, approver, approval_type, notes=''):
-    """
+    @abstractmethod
+    def approve_service_key(self, kid, approver, approval_type, notes=""):
+        """
     Returns the approved Key
     """
 
-  @abstractmethod
-  def get_service_key(self, kid, service=None, alive_only=True, approved_only=True):
-    """
+    @abstractmethod
+    def get_service_key(self, kid, service=None, alive_only=True, approved_only=True):
+        """
     Returns ServiceKey
     """
 
-  @abstractmethod
-  def set_key_expiration(self, kid, expiration_date):
-    """
+    @abstractmethod
+    def set_key_expiration(self, kid, expiration_date):
+        """
     Returns None
     """
 
-  @abstractmethod
-  def update_service_key(self, kid, name=None, metadata=None):
-    """
+    @abstractmethod
+    def update_service_key(self, kid, name=None, metadata=None):
+        """
     Returns None
     """
 
-  @abstractmethod
-  def delete_service_key(self, kid):
-    """
+    @abstractmethod
+    def delete_service_key(self, kid):
+        """
     Returns deleted ServiceKey
     """
 
-  @abstractmethod
-  def get_repository_build(self, uuid):
-    """
+    @abstractmethod
+    def get_repository_build(self, uuid):
+        """
     Returns RepositoryBuild
     """
diff --git a/endpoints/api/superuser_models_pre_oci.py b/endpoints/api/superuser_models_pre_oci.py
index 0458f9226..f48de7c24 100644
--- a/endpoints/api/superuser_models_pre_oci.py
+++ b/endpoints/api/superuser_models_pre_oci.py
@@ -3,180 +3,253 @@ import features
 from flask import request
 
 from app import all_queues, userfiles, namespace_gc_queue
-from auth.permissions import ReadRepositoryPermission, ModifyRepositoryPermission, AdministerRepositoryPermission
+from auth.permissions import (
+    ReadRepositoryPermission,
+    ModifyRepositoryPermission,
+    AdministerRepositoryPermission,
+)
 from data import model, database
 from endpoints.api.build import get_job_config, _get_build_status
 from endpoints.api.superuser_models_interface import BuildTrigger
-from endpoints.api.superuser_models_interface import SuperuserDataInterface, Organization, User, \
-  ServiceKey, Approval, RepositoryBuild
+from endpoints.api.superuser_models_interface import (
+    SuperuserDataInterface,
+    Organization,
+    User,
+    ServiceKey,
+    Approval,
+    RepositoryBuild,
+)
 from util.request import get_request_ip
 
 
 def _create_user(user):
-  if user is None:
-    return None
-  return User(user.username, user.email, user.verified, user.enabled, user.robot)
+    if user is None:
+        return None
+    return User(user.username, user.email, user.verified, user.enabled, user.robot)
 
 
 def _create_key(key):
-  approval = None
-  if key.approval is not None:
-    approval = Approval(_create_user(key.approval.approver), key.approval.approval_type, key.approval.approved_date,
-                        key.approval.notes)
+    approval = None
+    if key.approval is not None:
+        approval = Approval(
+            _create_user(key.approval.approver),
+            key.approval.approval_type,
+            key.approval.approved_date,
+            key.approval.notes,
+        )
 
-  return ServiceKey(key.name, key.kid, key.service, key.jwk, key.metadata, key.created_date, key.expiration_date,
-                    key.rotation_duration, approval)
+    return ServiceKey(
+        key.name,
+        key.kid,
+        key.service,
+        key.jwk,
+        key.metadata,
+        key.created_date,
+        key.expiration_date,
+        key.rotation_duration,
+        approval,
+    )
 
 
 class ServiceKeyDoesNotExist(Exception):
-  pass
+    pass
 
 
 class ServiceKeyAlreadyApproved(Exception):
-  pass
+    pass
 
 
 class InvalidRepositoryBuildException(Exception):
-  pass
+    pass
 
 
 class PreOCIModel(SuperuserDataInterface):
-  """
+    """
   PreOCIModel implements the data model for the SuperUser using a database schema
   before it was changed to support the OCI specification.
   """
 
-  def get_repository_build(self, uuid):
-    try:
-      build = model.build.get_repository_build(uuid)
-    except model.InvalidRepositoryBuildException as e:
-      raise InvalidRepositoryBuildException(str(e))
+    def get_repository_build(self, uuid):
+        try:
+            build = model.build.get_repository_build(uuid)
+        except model.InvalidRepositoryBuildException as e:
+            raise InvalidRepositoryBuildException(str(e))
 
-    repo_namespace = build.repository_namespace_user_username
-    repo_name = build.repository_name
+        repo_namespace = build.repository_namespace_user_username
+        repo_name = build.repository_name
 
-    can_read = ReadRepositoryPermission(repo_namespace, repo_name).can()
-    can_write = ModifyRepositoryPermission(repo_namespace, repo_name).can()
-    can_admin = AdministerRepositoryPermission(repo_namespace, repo_name).can()
-    job_config = get_job_config(build.job_config)
-    phase, status, error = _get_build_status(build)
-    url = userfiles.get_file_url(self.resource_key, get_request_ip(), requires_cors=True)
+        can_read = ReadRepositoryPermission(repo_namespace, repo_name).can()
+        can_write = ModifyRepositoryPermission(repo_namespace, repo_name).can()
+        can_admin = AdministerRepositoryPermission(repo_namespace, repo_name).can()
+        job_config = get_job_config(build.job_config)
+        phase, status, error = _get_build_status(build)
+        url = userfiles.get_file_url(
+            self.resource_key, get_request_ip(), requires_cors=True
+        )
 
-    return RepositoryBuild(build.uuid, build.logs_archived, repo_namespace, repo_name, can_write, can_read,
-                           _create_user(build.pull_robot), build.resource_key,
-                           BuildTrigger(build.trigger.uuid, build.trigger.service.name,
-                                        _create_user(build.trigger.pull_robot), can_read, can_admin, True),
-                           build.display_name, build.display_name, build.started, job_config, phase, status, error, url)
+        return RepositoryBuild(
+            build.uuid,
+            build.logs_archived,
+            repo_namespace,
+            repo_name,
+            can_write,
+            can_read,
+            _create_user(build.pull_robot),
+            build.resource_key,
+            BuildTrigger(
+                build.trigger.uuid,
+                build.trigger.service.name,
+                _create_user(build.trigger.pull_robot),
+                can_read,
+                can_admin,
+                True,
+            ),
+            build.display_name,
+            build.display_name,
+            build.started,
+            job_config,
+            phase,
+            status,
+            error,
+            url,
+        )
 
-  def delete_service_key(self, kid):
-    try:
-      key = model.service_keys.delete_service_key(kid)
-    except model.ServiceKeyDoesNotExist:
-      raise ServiceKeyDoesNotExist
-    return _create_key(key)
+    def delete_service_key(self, kid):
+        try:
+            key = model.service_keys.delete_service_key(kid)
+        except model.ServiceKeyDoesNotExist:
+            raise ServiceKeyDoesNotExist
+        return _create_key(key)
 
-  def update_service_key(self, kid, name=None, metadata=None):
-    model.service_keys.update_service_key(kid, name, metadata)
+    def update_service_key(self, kid, name=None, metadata=None):
+        model.service_keys.update_service_key(kid, name, metadata)
 
-  def set_key_expiration(self, kid, expiration_date):
-    model.service_keys.set_key_expiration(kid, expiration_date)
+    def set_key_expiration(self, kid, expiration_date):
+        model.service_keys.set_key_expiration(kid, expiration_date)
 
-  def get_service_key(self, kid, service=None, alive_only=True, approved_only=True):
-    try:
-      key = model.service_keys.get_service_key(kid, approved_only=approved_only, alive_only=alive_only)
-      return _create_key(key)
-    except model.ServiceKeyDoesNotExist:
-      raise ServiceKeyDoesNotExist
+    def get_service_key(self, kid, service=None, alive_only=True, approved_only=True):
+        try:
+            key = model.service_keys.get_service_key(
+                kid, approved_only=approved_only, alive_only=alive_only
+            )
+            return _create_key(key)
+        except model.ServiceKeyDoesNotExist:
+            raise ServiceKeyDoesNotExist
 
-  def approve_service_key(self, kid, approver, approval_type, notes=''):
-    try:
-      key = model.service_keys.approve_service_key(kid, approval_type, approver=approver, notes=notes)
-      return _create_key(key)
-    except model.ServiceKeyDoesNotExist:
-      raise ServiceKeyDoesNotExist
-    except model.ServiceKeyAlreadyApproved:
-      raise ServiceKeyAlreadyApproved
+    def approve_service_key(self, kid, approver, approval_type, notes=""):
+        try:
+            key = model.service_keys.approve_service_key(
+                kid, approval_type, approver=approver, notes=notes
+            )
+            return _create_key(key)
+        except model.ServiceKeyDoesNotExist:
+            raise ServiceKeyDoesNotExist
+        except model.ServiceKeyAlreadyApproved:
+            raise ServiceKeyAlreadyApproved
 
-  def generate_service_key(self, service, expiration_date, kid=None, name='', metadata=None, rotation_duration=None):
-    (private_key, key) = model.service_keys.generate_service_key(service, expiration_date, metadata=metadata, name=name)
+    def generate_service_key(
+        self,
+        service,
+        expiration_date,
+        kid=None,
+        name="",
+        metadata=None,
+        rotation_duration=None,
+    ):
+        (private_key, key) = model.service_keys.generate_service_key(
+            service, expiration_date, metadata=metadata, name=name
+        )
 
-    return private_key, key.kid
+        return private_key, key.kid
 
-  def list_all_service_keys(self):
-    keys = model.service_keys.list_all_keys()
-    return [_create_key(key) for key in keys]
+    def list_all_service_keys(self):
+        keys = model.service_keys.list_all_keys()
+        return [_create_key(key) for key in keys]
 
-  def change_organization_name(self, old_org_name, new_org_name):
-    org = model.organization.get_organization(old_org_name)
-    if new_org_name is not None:
-      org = model.user.change_username(org.id, new_org_name)
+    def change_organization_name(self, old_org_name, new_org_name):
+        org = model.organization.get_organization(old_org_name)
+        if new_org_name is not None:
+            org = model.user.change_username(org.id, new_org_name)
 
-    return Organization(org.username, org.email)
+        return Organization(org.username, org.email)
 
-  def mark_organization_for_deletion(self, name):
-    org = model.organization.get_organization(name)
-    model.user.mark_namespace_for_deletion(org, all_queues, namespace_gc_queue, force=True)
+    def mark_organization_for_deletion(self, name):
+        org = model.organization.get_organization(name)
+        model.user.mark_namespace_for_deletion(
+            org, all_queues, namespace_gc_queue, force=True
+        )
 
-  def take_ownership(self, namespace, authed_user):
-    entity = model.user.get_user_or_org(namespace)
-    if entity is None:
-      return None, False
+    def take_ownership(self, namespace, authed_user):
+        entity = model.user.get_user_or_org(namespace)
+        if entity is None:
+            return None, False
 
-    was_user = not entity.organization
-    if entity.organization:
-      # Add the superuser as an admin to the owners team of the org.
-      model.organization.add_user_as_admin(authed_user, entity)
-    else:
-      # If the entity is a user, convert it to an organization and add the current superuser
-      # as the admin.
-      model.organization.convert_user_to_organization(entity, authed_user)
-    return entity.id, was_user
+        was_user = not entity.organization
+        if entity.organization:
+            # Add the superuser as an admin to the owners team of the org.
+            model.organization.add_user_as_admin(authed_user, entity)
+        else:
+            # If the entity is a user, convert it to an organization and add the current superuser
+            # as the admin.
+            model.organization.convert_user_to_organization(entity, authed_user)
+        return entity.id, was_user
 
-  def update_enabled(self, username, enabled):
-    user = model.user.get_nonrobot_user(username)
-    model.user.update_enabled(user, bool(enabled))
+    def update_enabled(self, username, enabled):
+        user = model.user.get_nonrobot_user(username)
+        model.user.update_enabled(user, bool(enabled))
 
-  def update_email(self, username, email, auto_verify):
-    user = model.user.get_nonrobot_user(username)
-    model.user.update_email(user, email, auto_verify)
+    def update_email(self, username, email, auto_verify):
+        user = model.user.get_nonrobot_user(username)
+        model.user.update_email(user, email, auto_verify)
 
-  def change_password(self, username, password):
-    user = model.user.get_nonrobot_user(username)
-    model.user.change_password(user, password)
+    def change_password(self, username, password):
+        user = model.user.get_nonrobot_user(username)
+        model.user.change_password(user, password)
 
-  def mark_user_for_deletion(self, username):
-    user = model.user.get_nonrobot_user(username)
-    model.user.mark_namespace_for_deletion(user, all_queues, namespace_gc_queue, force=True)
+    def mark_user_for_deletion(self, username):
+        user = model.user.get_nonrobot_user(username)
+        model.user.mark_namespace_for_deletion(
+            user, all_queues, namespace_gc_queue, force=True
+        )
 
-  def create_reset_password_email_code(self, email):
-    code = model.user.create_reset_password_email_code(email)
-    return code
+    def create_reset_password_email_code(self, email):
+        code = model.user.create_reset_password_email_code(email)
+        return code
 
-  def get_nonrobot_user(self, username):
-    user = model.user.get_nonrobot_user(username)
-    if user is None:
-      return None
-    return _create_user(user)
+    def get_nonrobot_user(self, username):
+        user = model.user.get_nonrobot_user(username)
+        if user is None:
+            return None
+        return _create_user(user)
 
-  def create_install_user(self, username, password, email):
-    prompts = model.user.get_default_user_prompts(features)
-    user = model.user.create_user(username, password, email, auto_verify=not features.MAILING,
-                                  email_required=features.MAILING, prompts=prompts)
+    def create_install_user(self, username, password, email):
+        prompts = model.user.get_default_user_prompts(features)
+        user = model.user.create_user(
+            username,
+            password,
+            email,
+            auto_verify=not features.MAILING,
+            email_required=features.MAILING,
+            prompts=prompts,
+        )
 
-    return_user = _create_user(user)
-    # If mailing is turned on, send the user a verification email.
-    if features.MAILING:
-      confirmation_code = model.user.create_confirm_email_code(user)
-      return return_user, confirmation_code
+        return_user = _create_user(user)
+        # If mailing is turned on, send the user a verification email.
+        if features.MAILING:
+            confirmation_code = model.user.create_confirm_email_code(user)
+            return return_user, confirmation_code
 
-    return return_user, ''
+        return return_user, ""
 
-  def get_active_users(self, disabled=True):
-    users = model.user.get_active_users(disabled=disabled)
-    return [_create_user(user) for user in users]
+    def get_active_users(self, disabled=True):
+        users = model.user.get_active_users(disabled=disabled)
+        return [_create_user(user) for user in users]
 
-  def get_organizations(self):
-    return [Organization(org.username, org.email) for org in model.organization.get_organizations()]
+    def get_organizations(self):
+        return [
+            Organization(org.username, org.email)
+            for org in model.organization.get_organizations()
+        ]
 
 
 pre_oci_model = PreOCIModel()
diff --git a/endpoints/api/tag.py b/endpoints/api/tag.py
index 573f0fc97..66aaa1400 100644
--- a/endpoints/api/tag.py
+++ b/endpoints/api/tag.py
@@ -5,332 +5,393 @@ from flask import request, abort
 from app import storage, docker_v2_signing_key
 from auth.auth_context import get_authenticated_user
 from data.registry_model import registry_model
-from endpoints.api import (resource, nickname, require_repo_read, require_repo_write,
-                           RepositoryParamResource, log_action, validate_json_request, path_param,
-                           parse_args, query_param, truthy_bool, disallow_for_app_repositories,
-                           format_date, disallow_for_non_normal_repositories)
+from endpoints.api import (
+    resource,
+    nickname,
+    require_repo_read,
+    require_repo_write,
+    RepositoryParamResource,
+    log_action,
+    validate_json_request,
+    path_param,
+    parse_args,
+    query_param,
+    truthy_bool,
+    disallow_for_app_repositories,
+    format_date,
+    disallow_for_non_normal_repositories,
+)
 from endpoints.api.image import image_dict
 from endpoints.exception import NotFound, InvalidRequest
 from util.names import TAG_ERROR, TAG_REGEX
 
 
 def _tag_dict(tag):
-  tag_info = {
-    'name': tag.name,
-    'reversion': tag.reversion,
-  }
+    tag_info = {"name": tag.name, "reversion": tag.reversion}
 
-  if tag.lifetime_start_ts > 0:
-    tag_info['start_ts'] = tag.lifetime_start_ts
+    if tag.lifetime_start_ts > 0:
+        tag_info["start_ts"] = tag.lifetime_start_ts
 
-  if tag.lifetime_end_ts > 0:
-    tag_info['end_ts'] = tag.lifetime_end_ts
+    if tag.lifetime_end_ts > 0:
+        tag_info["end_ts"] = tag.lifetime_end_ts
 
-  # TODO: Remove this once fully on OCI data model.
-  if tag.legacy_image_if_present:
-    tag_info['docker_image_id'] = tag.legacy_image.docker_image_id
-    tag_info['image_id'] = tag.legacy_image.docker_image_id
-    tag_info['size'] = tag.legacy_image.aggregate_size
+    # TODO: Remove this once fully on OCI data model.
+    if tag.legacy_image_if_present:
+        tag_info["docker_image_id"] = tag.legacy_image.docker_image_id
+        tag_info["image_id"] = tag.legacy_image.docker_image_id
+        tag_info["size"] = tag.legacy_image.aggregate_size
 
-  # TODO: Remove this check once fully on OCI data model.
-  if tag.manifest_digest:
-    tag_info['manifest_digest'] = tag.manifest_digest
+    # TODO: Remove this check once fully on OCI data model.
+    if tag.manifest_digest:
+        tag_info["manifest_digest"] = tag.manifest_digest
 
-    if tag.manifest:
-      tag_info['is_manifest_list'] = tag.manifest.is_manifest_list
+        if tag.manifest:
+            tag_info["is_manifest_list"] = tag.manifest.is_manifest_list
 
-  if tag.lifetime_start_ts > 0:
-    last_modified = format_date(datetime.utcfromtimestamp(tag.lifetime_start_ts))
-    tag_info['last_modified'] = last_modified
+    if tag.lifetime_start_ts > 0:
+        last_modified = format_date(datetime.utcfromtimestamp(tag.lifetime_start_ts))
+        tag_info["last_modified"] = last_modified
 
-  if tag.lifetime_end_ts is not None:
-    expiration = format_date(datetime.utcfromtimestamp(tag.lifetime_end_ts))
-    tag_info['expiration'] = expiration
+    if tag.lifetime_end_ts is not None:
+        expiration = format_date(datetime.utcfromtimestamp(tag.lifetime_end_ts))
+        tag_info["expiration"] = expiration
 
-  return tag_info
+    return tag_info
 
 
-@resource('/v1/repository/<apirepopath:repository>/tag/')
-@path_param('repository', 'The full path of the repository. e.g. namespace/name')
+@resource("/v1/repository/<apirepopath:repository>/tag/")
+@path_param("repository", "The full path of the repository. e.g. namespace/name")
 class ListRepositoryTags(RepositoryParamResource):
-  """ Resource for listing full repository tag history, alive *and dead*. """
+    """ Resource for listing full repository tag history, alive *and dead*. """
 
-  @require_repo_read
-  @disallow_for_app_repositories
-  @parse_args()
-  @query_param('specificTag', 'Filters the tags to the specific tag.', type=str, default='')
-  @query_param('limit', 'Limit to the number of results to return per page. Max 100.', type=int,
-               default=50)
-  @query_param('page', 'Page index for the results. Default 1.', type=int, default=1)
-  @query_param('onlyActiveTags', 'Filter to only active tags.', type=truthy_bool, default=False)
-  @nickname('listRepoTags')
-  def get(self, namespace, repository, parsed_args):
-    specific_tag = parsed_args.get('specificTag') or None
-    page = max(1, parsed_args.get('page', 1))
-    limit = min(100, max(1, parsed_args.get('limit', 50)))
-    active_tags_only = parsed_args.get('onlyActiveTags')
+    @require_repo_read
+    @disallow_for_app_repositories
+    @parse_args()
+    @query_param(
+        "specificTag", "Filters the tags to the specific tag.", type=str, default=""
+    )
+    @query_param(
+        "limit",
+        "Limit to the number of results to return per page. Max 100.",
+        type=int,
+        default=50,
+    )
+    @query_param("page", "Page index for the results. Default 1.", type=int, default=1)
+    @query_param(
+        "onlyActiveTags", "Filter to only active tags.", type=truthy_bool, default=False
+    )
+    @nickname("listRepoTags")
+    def get(self, namespace, repository, parsed_args):
+        specific_tag = parsed_args.get("specificTag") or None
+        page = max(1, parsed_args.get("page", 1))
+        limit = min(100, max(1, parsed_args.get("limit", 50)))
+        active_tags_only = parsed_args.get("onlyActiveTags")
 
-    repo_ref = registry_model.lookup_repository(namespace, repository)
-    if repo_ref is None:
-      raise NotFound()
+        repo_ref = registry_model.lookup_repository(namespace, repository)
+        if repo_ref is None:
+            raise NotFound()
 
-    history, has_more = registry_model.list_repository_tag_history(repo_ref, page=page,
-                                                                   size=limit,
-                                                                   specific_tag_name=specific_tag,
-                                                                   active_tags_only=active_tags_only)
-    return {
-      'tags': [_tag_dict(tag) for tag in history],
-      'page': page,
-      'has_additional': has_more,
-    }
+        history, has_more = registry_model.list_repository_tag_history(
+            repo_ref,
+            page=page,
+            size=limit,
+            specific_tag_name=specific_tag,
+            active_tags_only=active_tags_only,
+        )
+        return {
+            "tags": [_tag_dict(tag) for tag in history],
+            "page": page,
+            "has_additional": has_more,
+        }
 
 
-@resource('/v1/repository/<apirepopath:repository>/tag/<tag>')
-@path_param('repository', 'The full path of the repository. e.g. namespace/name')
-@path_param('tag', 'The name of the tag')
+@resource("/v1/repository/<apirepopath:repository>/tag/<tag>")
+@path_param("repository", "The full path of the repository. e.g. namespace/name")
+@path_param("tag", "The name of the tag")
 class RepositoryTag(RepositoryParamResource):
-  """ Resource for managing repository tags. """
-  schemas = {
-    'ChangeTag': {
-      'type': 'object',
-      'description': 'Makes changes to a specific tag',
-      'properties': {
-        'image': {
-          'type': ['string', 'null'],
-          'description': '(Deprecated: Use `manifest_digest`) Image to which the tag should point.',
-        },
-        'manifest_digest': {
-          'type': ['string', 'null'],
-          'description': '(If specified) The manifest digest to which the tag should point',
-        },
-        'expiration': {
-          'type': ['number', 'null'],
-          'description': '(If specified) The expiration for the image',
-        },
-      },
-    },
-  }
+    """ Resource for managing repository tags. """
 
-  @require_repo_write
-  @disallow_for_app_repositories
-  @disallow_for_non_normal_repositories
-  @nickname('changeTag')
-  @validate_json_request('ChangeTag')
-  def put(self, namespace, repository, tag):
-    """ Change which image a tag points to or create a new tag."""
-    if not TAG_REGEX.match(tag):
-      abort(400, TAG_ERROR)
+    schemas = {
+        "ChangeTag": {
+            "type": "object",
+            "description": "Makes changes to a specific tag",
+            "properties": {
+                "image": {
+                    "type": ["string", "null"],
+                    "description": "(Deprecated: Use `manifest_digest`) Image to which the tag should point.",
+                },
+                "manifest_digest": {
+                    "type": ["string", "null"],
+                    "description": "(If specified) The manifest digest to which the tag should point",
+                },
+                "expiration": {
+                    "type": ["number", "null"],
+                    "description": "(If specified) The expiration for the image",
+                },
+            },
+        }
+    }
 
-    repo_ref = registry_model.lookup_repository(namespace, repository)
-    if repo_ref is None:
-      raise NotFound()
+    @require_repo_write
+    @disallow_for_app_repositories
+    @disallow_for_non_normal_repositories
+    @nickname("changeTag")
+    @validate_json_request("ChangeTag")
+    def put(self, namespace, repository, tag):
+        """ Change which image a tag points to or create a new tag."""
+        if not TAG_REGEX.match(tag):
+            abort(400, TAG_ERROR)
 
-    if 'expiration' in request.get_json():
-      tag_ref = registry_model.get_repo_tag(repo_ref, tag)
-      if tag_ref is None:
-        raise NotFound()
+        repo_ref = registry_model.lookup_repository(namespace, repository)
+        if repo_ref is None:
+            raise NotFound()
 
-      expiration = request.get_json().get('expiration')
-      expiration_date = None
-      if expiration is not None:
-        try:
-          expiration_date = datetime.utcfromtimestamp(float(expiration))
-        except ValueError:
-          abort(400)
+        if "expiration" in request.get_json():
+            tag_ref = registry_model.get_repo_tag(repo_ref, tag)
+            if tag_ref is None:
+                raise NotFound()
 
-        if expiration_date <= datetime.now():
-          abort(400)
+            expiration = request.get_json().get("expiration")
+            expiration_date = None
+            if expiration is not None:
+                try:
+                    expiration_date = datetime.utcfromtimestamp(float(expiration))
+                except ValueError:
+                    abort(400)
 
-      existing_end_ts, ok = registry_model.change_repository_tag_expiration(tag_ref,
-                                                                            expiration_date)
-      if ok:
-        if not (existing_end_ts is None and expiration_date is None):
-          log_action('change_tag_expiration', namespace, {
-            'username': get_authenticated_user().username,
-            'repo': repository,
-            'tag': tag,
-            'namespace': namespace,
-            'expiration_date': expiration_date,
-            'old_expiration_date': existing_end_ts
-          }, repo_name=repository)
-      else:
-        raise InvalidRequest('Could not update tag expiration; Tag has probably changed')
+                if expiration_date <= datetime.now():
+                    abort(400)
 
-    if 'image' in request.get_json() or 'manifest_digest' in request.get_json():
-      existing_tag = registry_model.get_repo_tag(repo_ref, tag, include_legacy_image=True)
+            existing_end_ts, ok = registry_model.change_repository_tag_expiration(
+                tag_ref, expiration_date
+            )
+            if ok:
+                if not (existing_end_ts is None and expiration_date is None):
+                    log_action(
+                        "change_tag_expiration",
+                        namespace,
+                        {
+                            "username": get_authenticated_user().username,
+                            "repo": repository,
+                            "tag": tag,
+                            "namespace": namespace,
+                            "expiration_date": expiration_date,
+                            "old_expiration_date": existing_end_ts,
+                        },
+                        repo_name=repository,
+                    )
+            else:
+                raise InvalidRequest(
+                    "Could not update tag expiration; Tag has probably changed"
+                )
 
-      manifest_or_image = None
-      image_id = None
-      manifest_digest = None
+        if "image" in request.get_json() or "manifest_digest" in request.get_json():
+            existing_tag = registry_model.get_repo_tag(
+                repo_ref, tag, include_legacy_image=True
+            )
 
-      if 'image' in request.get_json():
-        image_id = request.get_json()['image']
-        manifest_or_image = registry_model.get_legacy_image(repo_ref, image_id)
-      else:
-        manifest_digest = request.get_json()['manifest_digest']
-        manifest_or_image = registry_model.lookup_manifest_by_digest(repo_ref, manifest_digest,
-                                                                     require_available=True)
+            manifest_or_image = None
+            image_id = None
+            manifest_digest = None
 
-      if manifest_or_image is None:
-        raise NotFound()
+            if "image" in request.get_json():
+                image_id = request.get_json()["image"]
+                manifest_or_image = registry_model.get_legacy_image(repo_ref, image_id)
+            else:
+                manifest_digest = request.get_json()["manifest_digest"]
+                manifest_or_image = registry_model.lookup_manifest_by_digest(
+                    repo_ref, manifest_digest, require_available=True
+                )
 
-      # TODO: Remove this check once fully on V22
-      existing_manifest_digest = None
-      if existing_tag:
-        existing_manifest = registry_model.get_manifest_for_tag(existing_tag)
-        existing_manifest_digest = existing_manifest.digest if existing_manifest else None
+            if manifest_or_image is None:
+                raise NotFound()
 
-      if not registry_model.retarget_tag(repo_ref, tag, manifest_or_image, storage,
-                                         docker_v2_signing_key):
-        raise InvalidRequest('Could not move tag')
+            # TODO: Remove this check once fully on V22
+            existing_manifest_digest = None
+            if existing_tag:
+                existing_manifest = registry_model.get_manifest_for_tag(existing_tag)
+                existing_manifest_digest = (
+                    existing_manifest.digest if existing_manifest else None
+                )
 
-      username = get_authenticated_user().username
+            if not registry_model.retarget_tag(
+                repo_ref, tag, manifest_or_image, storage, docker_v2_signing_key
+            ):
+                raise InvalidRequest("Could not move tag")
 
-      log_action('move_tag' if existing_tag else 'create_tag', namespace, {
-        'username': username,
-        'repo': repository,
-        'tag': tag,
-        'namespace': namespace,
-        'image': image_id,
-        'manifest_digest': manifest_digest,
-        'original_image': (existing_tag.legacy_image.docker_image_id
-                           if existing_tag and existing_tag.legacy_image_if_present
-                           else None),
-        'original_manifest_digest': existing_manifest_digest,
-      }, repo_name=repository)
+            username = get_authenticated_user().username
 
-    return 'Updated', 201
+            log_action(
+                "move_tag" if existing_tag else "create_tag",
+                namespace,
+                {
+                    "username": username,
+                    "repo": repository,
+                    "tag": tag,
+                    "namespace": namespace,
+                    "image": image_id,
+                    "manifest_digest": manifest_digest,
+                    "original_image": (
+                        existing_tag.legacy_image.docker_image_id
+                        if existing_tag and existing_tag.legacy_image_if_present
+                        else None
+                    ),
+                    "original_manifest_digest": existing_manifest_digest,
+                },
+                repo_name=repository,
+            )
 
-  @require_repo_write
-  @disallow_for_app_repositories
-  @disallow_for_non_normal_repositories
-  @nickname('deleteFullTag')
-  def delete(self, namespace, repository, tag):
-    """ Delete the specified repository tag. """
-    repo_ref = registry_model.lookup_repository(namespace, repository)
-    if repo_ref is None:
-      raise NotFound()
+        return "Updated", 201
 
-    registry_model.delete_tag(repo_ref, tag)
+    @require_repo_write
+    @disallow_for_app_repositories
+    @disallow_for_non_normal_repositories
+    @nickname("deleteFullTag")
+    def delete(self, namespace, repository, tag):
+        """ Delete the specified repository tag. """
+        repo_ref = registry_model.lookup_repository(namespace, repository)
+        if repo_ref is None:
+            raise NotFound()
 
-    username = get_authenticated_user().username
-    log_action('delete_tag', namespace,
-               {'username': username,
-                'repo': repository,
-                'namespace': namespace,
-                'tag': tag}, repo_name=repository)
+        registry_model.delete_tag(repo_ref, tag)
 
-    return '', 204
+        username = get_authenticated_user().username
+        log_action(
+            "delete_tag",
+            namespace,
+            {
+                "username": username,
+                "repo": repository,
+                "namespace": namespace,
+                "tag": tag,
+            },
+            repo_name=repository,
+        )
+
+        return "", 204
 
 
-@resource('/v1/repository/<apirepopath:repository>/tag/<tag>/images')
-@path_param('repository', 'The full path of the repository. e.g. namespace/name')
-@path_param('tag', 'The name of the tag')
+@resource("/v1/repository/<apirepopath:repository>/tag/<tag>/images")
+@path_param("repository", "The full path of the repository. e.g. namespace/name")
+@path_param("tag", "The name of the tag")
 class RepositoryTagImages(RepositoryParamResource):
-  """ Resource for listing the images in a specific repository tag. """
+    """ Resource for listing the images in a specific repository tag. """
 
-  @require_repo_read
-  @nickname('listTagImages')
-  @disallow_for_app_repositories
-  @parse_args()
-  @query_param('owned', 'If specified, only images wholely owned by this tag are returned.',
-               type=truthy_bool, default=False)
-  def get(self, namespace, repository, tag, parsed_args):
-    """ List the images for the specified repository tag. """
-    repo_ref = registry_model.lookup_repository(namespace, repository)
-    if repo_ref is None:
-      raise NotFound()
+    @require_repo_read
+    @nickname("listTagImages")
+    @disallow_for_app_repositories
+    @parse_args()
+    @query_param(
+        "owned",
+        "If specified, only images wholely owned by this tag are returned.",
+        type=truthy_bool,
+        default=False,
+    )
+    def get(self, namespace, repository, tag, parsed_args):
+        """ List the images for the specified repository tag. """
+        repo_ref = registry_model.lookup_repository(namespace, repository)
+        if repo_ref is None:
+            raise NotFound()
 
-    tag_ref = registry_model.get_repo_tag(repo_ref, tag, include_legacy_image=True)
-    if tag_ref is None:
-      raise NotFound()
+        tag_ref = registry_model.get_repo_tag(repo_ref, tag, include_legacy_image=True)
+        if tag_ref is None:
+            raise NotFound()
 
-    if tag_ref.legacy_image_if_present is None:
-      return {'images': []}
+        if tag_ref.legacy_image_if_present is None:
+            return {"images": []}
 
-    image_id = tag_ref.legacy_image.docker_image_id
+        image_id = tag_ref.legacy_image.docker_image_id
 
-    all_images = None
-    if parsed_args['owned']:
-      # TODO: Remove the `owned` image concept once we are fully on V2_2.
-      all_images = registry_model.get_legacy_images_owned_by_tag(tag_ref)
-    else:
-      image_with_parents = registry_model.get_legacy_image(repo_ref, image_id, include_parents=True)
-      if image_with_parents is None:
-        raise NotFound()
+        all_images = None
+        if parsed_args["owned"]:
+            # TODO: Remove the `owned` image concept once we are fully on V2_2.
+            all_images = registry_model.get_legacy_images_owned_by_tag(tag_ref)
+        else:
+            image_with_parents = registry_model.get_legacy_image(
+                repo_ref, image_id, include_parents=True
+            )
+            if image_with_parents is None:
+                raise NotFound()
 
-      all_images = [image_with_parents] + image_with_parents.parents
+            all_images = [image_with_parents] + image_with_parents.parents
 
-    return {
-      'images': [image_dict(image) for image in all_images],
-    }
+        return {"images": [image_dict(image) for image in all_images]}
 
 
-@resource('/v1/repository/<apirepopath:repository>/tag/<tag>/restore')
-@path_param('repository', 'The full path of the repository. e.g. namespace/name')
-@path_param('tag', 'The name of the tag')
+@resource("/v1/repository/<apirepopath:repository>/tag/<tag>/restore")
+@path_param("repository", "The full path of the repository. e.g. namespace/name")
+@path_param("tag", "The name of the tag")
 class RestoreTag(RepositoryParamResource):
-  """ Resource for restoring a repository tag back to a previous image. """
-  schemas = {
-    'RestoreTag': {
-      'type': 'object',
-      'description': 'Restores a tag to a specific image',
-      'properties': {
-        'image': {
-          'type': 'string',
-          'description': '(Deprecated: use `manifest_digest`) Image to which the tag should point',
-        },
-        'manifest_digest': {
-          'type': 'string',
-          'description': 'If specified, the manifest digest that should be used',
-        },
-      },
-    },
-  }
+    """ Resource for restoring a repository tag back to a previous image. """
 
-  @require_repo_write
-  @disallow_for_app_repositories
-  @disallow_for_non_normal_repositories
-  @nickname('restoreTag')
-  @validate_json_request('RestoreTag')
-  def post(self, namespace, repository, tag):
-    """ Restores a repository tag back to a previous image in the repository. """
-    repo_ref = registry_model.lookup_repository(namespace, repository)
-    if repo_ref is None:
-      raise NotFound()
-
-    # Restore the tag back to the previous image.
-    image_id = request.get_json().get('image', None)
-    manifest_digest = request.get_json().get('manifest_digest', None)
-
-    if image_id is None and manifest_digest is None:
-      raise InvalidRequest('Missing manifest_digest')
-
-    # Data for logging the reversion/restoration.
-    username = get_authenticated_user().username
-    log_data = {
-      'username': username,
-      'repo': repository,
-      'tag': tag,
-      'image': image_id,
-      'manifest_digest': manifest_digest,
+    schemas = {
+        "RestoreTag": {
+            "type": "object",
+            "description": "Restores a tag to a specific image",
+            "properties": {
+                "image": {
+                    "type": "string",
+                    "description": "(Deprecated: use `manifest_digest`) Image to which the tag should point",
+                },
+                "manifest_digest": {
+                    "type": "string",
+                    "description": "If specified, the manifest digest that should be used",
+                },
+            },
+        }
     }
 
-    manifest_or_legacy_image = None
-    if manifest_digest is not None:
-      manifest_or_legacy_image = registry_model.lookup_manifest_by_digest(repo_ref, manifest_digest,
-                                                                          allow_dead=True,
-                                                                          require_available=True)
-    elif image_id is not None:
-      manifest_or_legacy_image = registry_model.get_legacy_image(repo_ref, image_id)
+    @require_repo_write
+    @disallow_for_app_repositories
+    @disallow_for_non_normal_repositories
+    @nickname("restoreTag")
+    @validate_json_request("RestoreTag")
+    def post(self, namespace, repository, tag):
+        """ Restores a repository tag back to a previous image in the repository. """
+        repo_ref = registry_model.lookup_repository(namespace, repository)
+        if repo_ref is None:
+            raise NotFound()
 
-    if manifest_or_legacy_image is None:
-      raise NotFound()
+        # Restore the tag back to the previous image.
+        image_id = request.get_json().get("image", None)
+        manifest_digest = request.get_json().get("manifest_digest", None)
 
-    if not registry_model.retarget_tag(repo_ref, tag, manifest_or_legacy_image, storage,
-                                       docker_v2_signing_key, is_reversion=True):
-      raise InvalidRequest('Could not restore tag')
+        if image_id is None and manifest_digest is None:
+            raise InvalidRequest("Missing manifest_digest")
 
-    log_action('revert_tag', namespace, log_data, repo_name=repository)
+        # Data for logging the reversion/restoration.
+        username = get_authenticated_user().username
+        log_data = {
+            "username": username,
+            "repo": repository,
+            "tag": tag,
+            "image": image_id,
+            "manifest_digest": manifest_digest,
+        }
 
-    return {}
+        manifest_or_legacy_image = None
+        if manifest_digest is not None:
+            manifest_or_legacy_image = registry_model.lookup_manifest_by_digest(
+                repo_ref, manifest_digest, allow_dead=True, require_available=True
+            )
+        elif image_id is not None:
+            manifest_or_legacy_image = registry_model.get_legacy_image(
+                repo_ref, image_id
+            )
+
+        if manifest_or_legacy_image is None:
+            raise NotFound()
+
+        if not registry_model.retarget_tag(
+            repo_ref,
+            tag,
+            manifest_or_legacy_image,
+            storage,
+            docker_v2_signing_key,
+            is_reversion=True,
+        ):
+            raise InvalidRequest("Could not restore tag")
+
+        log_action("revert_tag", namespace, log_data, repo_name=repository)
+
+        return {}
diff --git a/endpoints/api/team.py b/endpoints/api/team.py
index b00a14393..cda23dc96 100644
--- a/endpoints/api/team.py
+++ b/endpoints/api/team.py
@@ -9,526 +9,599 @@ from flask import request
 import features
 
 from app import avatar, authentication
-from auth.permissions import (AdministerOrganizationPermission, ViewTeamPermission,
-                              SuperUserPermission)
+from auth.permissions import (
+    AdministerOrganizationPermission,
+    ViewTeamPermission,
+    SuperUserPermission,
+)
 
 from auth.auth_context import get_authenticated_user
 from auth import scopes
 from data import model
 from data.database import Team
-from endpoints.api import (resource, nickname, ApiResource, validate_json_request, request_error,
-                           log_action, internal_only, require_scope, path_param, query_param,
-                           truthy_bool, parse_args, require_user_admin, show_if, format_date,
-                           verify_not_prod, require_fresh_login)
+from endpoints.api import (
+    resource,
+    nickname,
+    ApiResource,
+    validate_json_request,
+    request_error,
+    log_action,
+    internal_only,
+    require_scope,
+    path_param,
+    query_param,
+    truthy_bool,
+    parse_args,
+    require_user_admin,
+    show_if,
+    format_date,
+    verify_not_prod,
+    require_fresh_login,
+)
 from endpoints.exception import Unauthorized, NotFound, InvalidRequest
 from util.useremails import send_org_invite_email
 from util.names import parse_robot_username
 
+
 def permission_view(permission):
-  return {
-    'repository': {
-      'name': permission.repository.name,
-      'is_public': permission.repository.visibility.name == 'public'
-    },
-    'role': permission.role.name
-  }
-
-def try_accept_invite(code, user):
-  (team, inviter) = model.team.confirm_team_invite(code, user)
-
-  model.notification.delete_matching_notifications(user, 'org_team_invite',
-                                                   org=team.organization.username)
-
-  orgname = team.organization.username
-  log_action('org_team_member_invite_accepted', orgname, {
-    'member': user.username,
-    'team': team.name,
-    'inviter': inviter.username
-  })
-
-  return team
-
-def handle_addinvite_team(inviter, team, user=None, email=None):
-  requires_invite = features.MAILING and features.REQUIRE_TEAM_INVITE
-  invite = model.team.add_or_invite_to_team(inviter, team, user, email,
-                                            requires_invite=requires_invite)
-  if not invite:
-    # User was added to the team directly.
-    return
-
-  orgname = team.organization.username
-  if user:
-    model.notification.create_notification('org_team_invite', user, metadata={
-      'code': invite.invite_token,
-      'inviter': inviter.username,
-      'org': orgname,
-      'team': team.name
-    })
-
-  send_org_invite_email(user.username if user else email, user.email if user else email,
-                        orgname, team.name, inviter.username, invite.invite_token)
-  return invite
-
-def team_view(orgname, team, is_new_team=False):
-  view_permission = ViewTeamPermission(orgname, team.name)
-  return {
-    'name': team.name,
-    'description': team.description,
-    'can_view': view_permission.can(),
-    'role': Team.role.get_name(team.role_id),
-    'avatar': avatar.get_data_for_team(team),
-    'new_team': is_new_team,
-  }
-
-def member_view(member, invited=False):
-  return {
-    'name': member.username,
-    'kind': 'user',
-    'is_robot': member.robot,
-    'avatar': avatar.get_data_for_user(member),
-    'invited': invited,
-  }
-
-def invite_view(invite):
-  if invite.user:
-    return member_view(invite.user, invited=True)
-  else:
     return {
-      'email': invite.email,
-      'kind': 'invite',
-      'avatar': avatar.get_data(invite.email, invite.email, 'user'),
-      'invited': True
+        "repository": {
+            "name": permission.repository.name,
+            "is_public": permission.repository.visibility.name == "public",
+        },
+        "role": permission.role.name,
     }
 
+
+def try_accept_invite(code, user):
+    (team, inviter) = model.team.confirm_team_invite(code, user)
+
+    model.notification.delete_matching_notifications(
+        user, "org_team_invite", org=team.organization.username
+    )
+
+    orgname = team.organization.username
+    log_action(
+        "org_team_member_invite_accepted",
+        orgname,
+        {"member": user.username, "team": team.name, "inviter": inviter.username},
+    )
+
+    return team
+
+
+def handle_addinvite_team(inviter, team, user=None, email=None):
+    requires_invite = features.MAILING and features.REQUIRE_TEAM_INVITE
+    invite = model.team.add_or_invite_to_team(
+        inviter, team, user, email, requires_invite=requires_invite
+    )
+    if not invite:
+        # User was added to the team directly.
+        return
+
+    orgname = team.organization.username
+    if user:
+        model.notification.create_notification(
+            "org_team_invite",
+            user,
+            metadata={
+                "code": invite.invite_token,
+                "inviter": inviter.username,
+                "org": orgname,
+                "team": team.name,
+            },
+        )
+
+    send_org_invite_email(
+        user.username if user else email,
+        user.email if user else email,
+        orgname,
+        team.name,
+        inviter.username,
+        invite.invite_token,
+    )
+    return invite
+
+
+def team_view(orgname, team, is_new_team=False):
+    view_permission = ViewTeamPermission(orgname, team.name)
+    return {
+        "name": team.name,
+        "description": team.description,
+        "can_view": view_permission.can(),
+        "role": Team.role.get_name(team.role_id),
+        "avatar": avatar.get_data_for_team(team),
+        "new_team": is_new_team,
+    }
+
+
+def member_view(member, invited=False):
+    return {
+        "name": member.username,
+        "kind": "user",
+        "is_robot": member.robot,
+        "avatar": avatar.get_data_for_user(member),
+        "invited": invited,
+    }
+
+
+def invite_view(invite):
+    if invite.user:
+        return member_view(invite.user, invited=True)
+    else:
+        return {
+            "email": invite.email,
+            "kind": "invite",
+            "avatar": avatar.get_data(invite.email, invite.email, "user"),
+            "invited": True,
+        }
+
+
 def disallow_for_synced_team(except_robots=False):
-  """ Disallows the decorated operation for a team that is marked as being synced from an internal
+    """ Disallows the decorated operation for a team that is marked as being synced from an internal
       auth provider such as LDAP. If except_robots is True, then the operation is allowed if the
       member specified on the operation is a robot account.
   """
-  def inner(func):
-    @wraps(func)
-    def wrapper(self, *args, **kwargs):
-      # Team syncing can only be enabled if we have a federated service.
-      if features.TEAM_SYNCING and authentication.federated_service:
-        orgname = kwargs['orgname']
-        teamname = kwargs['teamname']
-        if model.team.get_team_sync_information(orgname, teamname):
-          if not except_robots or not parse_robot_username(kwargs.get('membername', '')):
-            raise InvalidRequest('Cannot call this method on an auth-synced team')
 
-      return func(self, *args, **kwargs)
-    return wrapper
-  return inner
+    def inner(func):
+        @wraps(func)
+        def wrapper(self, *args, **kwargs):
+            # Team syncing can only be enabled if we have a federated service.
+            if features.TEAM_SYNCING and authentication.federated_service:
+                orgname = kwargs["orgname"]
+                teamname = kwargs["teamname"]
+                if model.team.get_team_sync_information(orgname, teamname):
+                    if not except_robots or not parse_robot_username(
+                        kwargs.get("membername", "")
+                    ):
+                        raise InvalidRequest(
+                            "Cannot call this method on an auth-synced team"
+                        )
+
+            return func(self, *args, **kwargs)
+
+        return wrapper
+
+    return inner
 
 
 disallow_nonrobots_for_synced_team = disallow_for_synced_team(except_robots=True)
 disallow_all_for_synced_team = disallow_for_synced_team(except_robots=False)
 
 
-@resource('/v1/organization/<orgname>/team/<teamname>')
-@path_param('orgname', 'The name of the organization')
-@path_param('teamname', 'The name of the team')
+@resource("/v1/organization/<orgname>/team/<teamname>")
+@path_param("orgname", "The name of the organization")
+@path_param("teamname", "The name of the team")
 class OrganizationTeam(ApiResource):
-  """ Resource for manging an organization's teams. """
-  schemas = {
-    'TeamDescription': {
-      'type': 'object',
-      'description': 'Description of a team',
-      'required': [
-        'role',
-      ],
-      'properties': {
-        'role': {
-          'type': 'string',
-          'description': 'Org wide permissions that should apply to the team',
-          'enum': [
-            'member',
-            'creator',
-            'admin',
-          ],
-        },
-        'description': {
-          'type': 'string',
-          'description': 'Markdown description for the team',
-        },
-      },
-    },
-  }
+    """ Resource for manging an organization's teams. """
 
-  @require_scope(scopes.ORG_ADMIN)
-  @nickname('updateOrganizationTeam')
-  @validate_json_request('TeamDescription')
-  def put(self, orgname, teamname):
-    """ Update the org-wide permission for the specified team. """
-    edit_permission = AdministerOrganizationPermission(orgname)
-    if edit_permission.can():
-      team = None
+    schemas = {
+        "TeamDescription": {
+            "type": "object",
+            "description": "Description of a team",
+            "required": ["role"],
+            "properties": {
+                "role": {
+                    "type": "string",
+                    "description": "Org wide permissions that should apply to the team",
+                    "enum": ["member", "creator", "admin"],
+                },
+                "description": {
+                    "type": "string",
+                    "description": "Markdown description for the team",
+                },
+            },
+        }
+    }
 
-      details = request.get_json()
-      is_existing = False
-      try:
-        team = model.team.get_organization_team(orgname, teamname)
-        is_existing = True
-      except model.InvalidTeamException:
-        # Create the new team.
-        description = details['description'] if 'description' in details else ''
-        role = details['role'] if 'role' in details else 'member'
+    @require_scope(scopes.ORG_ADMIN)
+    @nickname("updateOrganizationTeam")
+    @validate_json_request("TeamDescription")
+    def put(self, orgname, teamname):
+        """ Update the org-wide permission for the specified team. """
+        edit_permission = AdministerOrganizationPermission(orgname)
+        if edit_permission.can():
+            team = None
 
-        org = model.organization.get_organization(orgname)
-        team = model.team.create_team(teamname, org, role, description)
-        log_action('org_create_team', orgname, {'team': teamname})
+            details = request.get_json()
+            is_existing = False
+            try:
+                team = model.team.get_organization_team(orgname, teamname)
+                is_existing = True
+            except model.InvalidTeamException:
+                # Create the new team.
+                description = details["description"] if "description" in details else ""
+                role = details["role"] if "role" in details else "member"
 
-      if is_existing:
-        if ('description' in details and
-            team.description != details['description']):
-          team.description = details['description']
-          team.save()
-          log_action('org_set_team_description', orgname,
-                     {'team': teamname, 'description': team.description})
+                org = model.organization.get_organization(orgname)
+                team = model.team.create_team(teamname, org, role, description)
+                log_action("org_create_team", orgname, {"team": teamname})
 
-        if 'role' in details:
-          role = Team.role.get_name(team.role_id)
-          if role != details['role']:
-            team = model.team.set_team_org_permission(team, details['role'],
-                                                      get_authenticated_user().username)
-            log_action('org_set_team_role', orgname, {'team': teamname, 'role': details['role']})
+            if is_existing:
+                if (
+                    "description" in details
+                    and team.description != details["description"]
+                ):
+                    team.description = details["description"]
+                    team.save()
+                    log_action(
+                        "org_set_team_description",
+                        orgname,
+                        {"team": teamname, "description": team.description},
+                    )
 
-      return team_view(orgname, team, is_new_team=not is_existing), 200
+                if "role" in details:
+                    role = Team.role.get_name(team.role_id)
+                    if role != details["role"]:
+                        team = model.team.set_team_org_permission(
+                            team, details["role"], get_authenticated_user().username
+                        )
+                        log_action(
+                            "org_set_team_role",
+                            orgname,
+                            {"team": teamname, "role": details["role"]},
+                        )
 
-    raise Unauthorized()
+            return team_view(orgname, team, is_new_team=not is_existing), 200
 
-  @require_scope(scopes.ORG_ADMIN)
-  @nickname('deleteOrganizationTeam')
-  def delete(self, orgname, teamname):
-    """ Delete the specified team. """
-    permission = AdministerOrganizationPermission(orgname)
-    if permission.can():
-      model.team.remove_team(orgname, teamname, get_authenticated_user().username)
-      log_action('org_delete_team', orgname, {'team': teamname})
-      return '', 204
+        raise Unauthorized()
 
-    raise Unauthorized()
+    @require_scope(scopes.ORG_ADMIN)
+    @nickname("deleteOrganizationTeam")
+    def delete(self, orgname, teamname):
+        """ Delete the specified team. """
+        permission = AdministerOrganizationPermission(orgname)
+        if permission.can():
+            model.team.remove_team(orgname, teamname, get_authenticated_user().username)
+            log_action("org_delete_team", orgname, {"team": teamname})
+            return "", 204
+
+        raise Unauthorized()
 
 
 def _syncing_setup_allowed(orgname):
-  """ Returns whether syncing setup is allowed for the current user over the matching org. """
-  if not features.NONSUPERUSER_TEAM_SYNCING_SETUP and not SuperUserPermission().can():
-    return False
+    """ Returns whether syncing setup is allowed for the current user over the matching org. """
+    if not features.NONSUPERUSER_TEAM_SYNCING_SETUP and not SuperUserPermission().can():
+        return False
 
-  return AdministerOrganizationPermission(orgname).can()
+    return AdministerOrganizationPermission(orgname).can()
 
 
-@resource('/v1/organization/<orgname>/team/<teamname>/syncing')
-@path_param('orgname', 'The name of the organization')
-@path_param('teamname', 'The name of the team')
+@resource("/v1/organization/<orgname>/team/<teamname>/syncing")
+@path_param("orgname", "The name of the organization")
+@path_param("teamname", "The name of the team")
 @show_if(features.TEAM_SYNCING)
 class OrganizationTeamSyncing(ApiResource):
-  """ Resource for managing syncing of a team by a backing group. """
-  @require_scope(scopes.ORG_ADMIN)
-  @require_scope(scopes.SUPERUSER)
-  @nickname('enableOrganizationTeamSync')
-  @verify_not_prod
-  @require_fresh_login
-  def post(self, orgname, teamname):
-    if _syncing_setup_allowed(orgname):
-      try:
-        team = model.team.get_organization_team(orgname, teamname)
-      except model.InvalidTeamException:
-        raise NotFound()
+    """ Resource for managing syncing of a team by a backing group. """
 
-      config = request.get_json()
-
-      # Ensure that the specified config points to a valid group.
-      status, err = authentication.check_group_lookup_args(config)
-      if not status:
-        raise InvalidRequest('Could not sync to group: %s' % err)
-
-      # Set the team's syncing config.
-      model.team.set_team_syncing(team, authentication.federated_service, config)
-
-      return team_view(orgname, team)
-
-    raise Unauthorized()
-
-  @require_scope(scopes.ORG_ADMIN)
-  @require_scope(scopes.SUPERUSER)
-  @nickname('disableOrganizationTeamSync')
-  @verify_not_prod
-  @require_fresh_login
-  def delete(self, orgname, teamname):
-    if _syncing_setup_allowed(orgname):
-      try:
-        team = model.team.get_organization_team(orgname, teamname)
-      except model.InvalidTeamException:
-        raise NotFound()
-
-      model.team.remove_team_syncing(orgname, teamname)
-      return team_view(orgname, team)
-
-    raise Unauthorized()
-
-
-@resource('/v1/organization/<orgname>/team/<teamname>/members')
-@path_param('orgname', 'The name of the organization')
-@path_param('teamname', 'The name of the team')
-class TeamMemberList(ApiResource):
-  """ Resource for managing the list of members for a team. """
-  @require_scope(scopes.ORG_ADMIN)
-  @parse_args()
-  @query_param('includePending', 'Whether to include pending members', type=truthy_bool,
-               default=False)
-  @nickname('getOrganizationTeamMembers')
-  def get(self, orgname, teamname, parsed_args):
-    """ Retrieve the list of members for the specified team. """
-    view_permission = ViewTeamPermission(orgname, teamname)
-    edit_permission = AdministerOrganizationPermission(orgname)
-
-    if view_permission.can():
-      team = None
-      try:
-        team = model.team.get_organization_team(orgname, teamname)
-      except model.InvalidTeamException:
-        raise NotFound()
-
-      members = model.organization.get_organization_team_members(team.id)
-      invites = []
-
-      if parsed_args['includePending'] and edit_permission.can():
-        invites = model.team.get_organization_team_member_invites(team.id)
-
-      data = {
-        'name': teamname,
-        'members': [member_view(m) for m in members] + [invite_view(i) for i in invites],
-        'can_edit': edit_permission.can(),
-      }
-
-      if features.TEAM_SYNCING and authentication.federated_service:
+    @require_scope(scopes.ORG_ADMIN)
+    @require_scope(scopes.SUPERUSER)
+    @nickname("enableOrganizationTeamSync")
+    @verify_not_prod
+    @require_fresh_login
+    def post(self, orgname, teamname):
         if _syncing_setup_allowed(orgname):
-          data['can_sync'] = {
-            'service': authentication.federated_service,
-          }
+            try:
+                team = model.team.get_organization_team(orgname, teamname)
+            except model.InvalidTeamException:
+                raise NotFound()
 
-          data['can_sync'].update(authentication.service_metadata())
+            config = request.get_json()
 
-        sync_info = model.team.get_team_sync_information(orgname, teamname)
-        if sync_info is not None:
-          data['synced'] = {
-            'service': sync_info.service.name,
-          }
+            # Ensure that the specified config points to a valid group.
+            status, err = authentication.check_group_lookup_args(config)
+            if not status:
+                raise InvalidRequest("Could not sync to group: %s" % err)
 
-          if SuperUserPermission().can():
-            data['synced'].update({
-              'last_updated': format_date(sync_info.last_updated),
-              'config': json.loads(sync_info.config),
-            })
+            # Set the team's syncing config.
+            model.team.set_team_syncing(team, authentication.federated_service, config)
 
-      return data
+            return team_view(orgname, team)
 
-    raise Unauthorized()
+        raise Unauthorized()
+
+    @require_scope(scopes.ORG_ADMIN)
+    @require_scope(scopes.SUPERUSER)
+    @nickname("disableOrganizationTeamSync")
+    @verify_not_prod
+    @require_fresh_login
+    def delete(self, orgname, teamname):
+        if _syncing_setup_allowed(orgname):
+            try:
+                team = model.team.get_organization_team(orgname, teamname)
+            except model.InvalidTeamException:
+                raise NotFound()
+
+            model.team.remove_team_syncing(orgname, teamname)
+            return team_view(orgname, team)
+
+        raise Unauthorized()
 
 
-@resource('/v1/organization/<orgname>/team/<teamname>/members/<membername>')
-@path_param('orgname', 'The name of the organization')
-@path_param('teamname', 'The name of the team')
-@path_param('membername', 'The username of the team member')
+@resource("/v1/organization/<orgname>/team/<teamname>/members")
+@path_param("orgname", "The name of the organization")
+@path_param("teamname", "The name of the team")
+class TeamMemberList(ApiResource):
+    """ Resource for managing the list of members for a team. """
+
+    @require_scope(scopes.ORG_ADMIN)
+    @parse_args()
+    @query_param(
+        "includePending",
+        "Whether to include pending members",
+        type=truthy_bool,
+        default=False,
+    )
+    @nickname("getOrganizationTeamMembers")
+    def get(self, orgname, teamname, parsed_args):
+        """ Retrieve the list of members for the specified team. """
+        view_permission = ViewTeamPermission(orgname, teamname)
+        edit_permission = AdministerOrganizationPermission(orgname)
+
+        if view_permission.can():
+            team = None
+            try:
+                team = model.team.get_organization_team(orgname, teamname)
+            except model.InvalidTeamException:
+                raise NotFound()
+
+            members = model.organization.get_organization_team_members(team.id)
+            invites = []
+
+            if parsed_args["includePending"] and edit_permission.can():
+                invites = model.team.get_organization_team_member_invites(team.id)
+
+            data = {
+                "name": teamname,
+                "members": [member_view(m) for m in members]
+                + [invite_view(i) for i in invites],
+                "can_edit": edit_permission.can(),
+            }
+
+            if features.TEAM_SYNCING and authentication.federated_service:
+                if _syncing_setup_allowed(orgname):
+                    data["can_sync"] = {"service": authentication.federated_service}
+
+                    data["can_sync"].update(authentication.service_metadata())
+
+                sync_info = model.team.get_team_sync_information(orgname, teamname)
+                if sync_info is not None:
+                    data["synced"] = {"service": sync_info.service.name}
+
+                    if SuperUserPermission().can():
+                        data["synced"].update(
+                            {
+                                "last_updated": format_date(sync_info.last_updated),
+                                "config": json.loads(sync_info.config),
+                            }
+                        )
+
+            return data
+
+        raise Unauthorized()
+
+
+@resource("/v1/organization/<orgname>/team/<teamname>/members/<membername>")
+@path_param("orgname", "The name of the organization")
+@path_param("teamname", "The name of the team")
+@path_param("membername", "The username of the team member")
 class TeamMember(ApiResource):
-  """ Resource for managing individual members of a team. """
+    """ Resource for managing individual members of a team. """
 
-  @require_scope(scopes.ORG_ADMIN)
-  @nickname('updateOrganizationTeamMember')
-  @disallow_nonrobots_for_synced_team
-  def put(self, orgname, teamname, membername):
-    """ Adds or invites a member to an existing team. """
-    permission = AdministerOrganizationPermission(orgname)
-    if permission.can():
-      team = None
-      user = None
+    @require_scope(scopes.ORG_ADMIN)
+    @nickname("updateOrganizationTeamMember")
+    @disallow_nonrobots_for_synced_team
+    def put(self, orgname, teamname, membername):
+        """ Adds or invites a member to an existing team. """
+        permission = AdministerOrganizationPermission(orgname)
+        if permission.can():
+            team = None
+            user = None
 
-      # Find the team.
-      try:
-        team = model.team.get_organization_team(orgname, teamname)
-      except model.InvalidTeamException:
-        raise NotFound()
+            # Find the team.
+            try:
+                team = model.team.get_organization_team(orgname, teamname)
+            except model.InvalidTeamException:
+                raise NotFound()
 
-      # Find the user.
-      user = model.user.get_user(membername)
-      if not user:
-        raise request_error(message='Unknown user')
+            # Find the user.
+            user = model.user.get_user(membername)
+            if not user:
+                raise request_error(message="Unknown user")
 
-      # Add or invite the user to the team.
-      inviter = get_authenticated_user()
-      invite = handle_addinvite_team(inviter, team, user=user)
-      if not invite:
-        log_action('org_add_team_member', orgname, {'member': membername, 'team': teamname})
-        return member_view(user, invited=False)
+            # Add or invite the user to the team.
+            inviter = get_authenticated_user()
+            invite = handle_addinvite_team(inviter, team, user=user)
+            if not invite:
+                log_action(
+                    "org_add_team_member",
+                    orgname,
+                    {"member": membername, "team": teamname},
+                )
+                return member_view(user, invited=False)
 
-      # User was invited.
-      log_action('org_invite_team_member', orgname, {
-        'user': membername,
-        'member': membername,
-        'team': teamname
-      })
-      return member_view(user, invited=True)
+            # User was invited.
+            log_action(
+                "org_invite_team_member",
+                orgname,
+                {"user": membername, "member": membername, "team": teamname},
+            )
+            return member_view(user, invited=True)
 
-    raise Unauthorized()
+        raise Unauthorized()
 
-  @require_scope(scopes.ORG_ADMIN)
-  @nickname('deleteOrganizationTeamMember')
-  @disallow_nonrobots_for_synced_team
-  def delete(self, orgname, teamname, membername):
-    """ Delete a member of a team. If the user is merely invited to join
+    @require_scope(scopes.ORG_ADMIN)
+    @nickname("deleteOrganizationTeamMember")
+    @disallow_nonrobots_for_synced_team
+    def delete(self, orgname, teamname, membername):
+        """ Delete a member of a team. If the user is merely invited to join
         the team, then the invite is removed instead.
     """
-    permission = AdministerOrganizationPermission(orgname)
-    if permission.can():
-      # Remote the user from the team.
-      invoking_user = get_authenticated_user().username
+        permission = AdministerOrganizationPermission(orgname)
+        if permission.can():
+            # Remote the user from the team.
+            invoking_user = get_authenticated_user().username
 
-      # Find the team.
-      try:
-        team = model.team.get_organization_team(orgname, teamname)
-      except model.InvalidTeamException:
-        raise NotFound()
+            # Find the team.
+            try:
+                team = model.team.get_organization_team(orgname, teamname)
+            except model.InvalidTeamException:
+                raise NotFound()
 
-      # Find the member.
-      member = model.user.get_user(membername)
-      if not member:
-        raise NotFound()
+            # Find the member.
+            member = model.user.get_user(membername)
+            if not member:
+                raise NotFound()
 
-      # First attempt to delete an invite for the user to this team. If none found,
-      # then we try to remove the user directly.
-      if model.team.delete_team_user_invite(team, member):
-        log_action('org_delete_team_member_invite', orgname, {
-          'user': membername,
-          'team': teamname,
-          'member': membername
-        })
-        return '', 204
+            # First attempt to delete an invite for the user to this team. If none found,
+            # then we try to remove the user directly.
+            if model.team.delete_team_user_invite(team, member):
+                log_action(
+                    "org_delete_team_member_invite",
+                    orgname,
+                    {"user": membername, "team": teamname, "member": membername},
+                )
+                return "", 204
 
-      model.team.remove_user_from_team(orgname, teamname, membername, invoking_user)
-      log_action('org_remove_team_member', orgname, {'member': membername, 'team': teamname})
-      return '', 204
+            model.team.remove_user_from_team(
+                orgname, teamname, membername, invoking_user
+            )
+            log_action(
+                "org_remove_team_member",
+                orgname,
+                {"member": membername, "team": teamname},
+            )
+            return "", 204
 
-    raise Unauthorized()
+        raise Unauthorized()
 
 
-@resource('/v1/organization/<orgname>/team/<teamname>/invite/<email>')
+@resource("/v1/organization/<orgname>/team/<teamname>/invite/<email>")
 @show_if(features.MAILING)
 class InviteTeamMember(ApiResource):
-  """ Resource for inviting a team member via email address. """
-  @require_scope(scopes.ORG_ADMIN)
-  @nickname('inviteTeamMemberEmail')
-  @disallow_all_for_synced_team
-  def put(self, orgname, teamname, email):
-    """ Invites an email address to an existing team. """
-    permission = AdministerOrganizationPermission(orgname)
-    if permission.can():
-      team = None
+    """ Resource for inviting a team member via email address. """
 
-      # Find the team.
-      try:
-        team = model.team.get_organization_team(orgname, teamname)
-      except model.InvalidTeamException:
-        raise NotFound()
+    @require_scope(scopes.ORG_ADMIN)
+    @nickname("inviteTeamMemberEmail")
+    @disallow_all_for_synced_team
+    def put(self, orgname, teamname, email):
+        """ Invites an email address to an existing team. """
+        permission = AdministerOrganizationPermission(orgname)
+        if permission.can():
+            team = None
 
-      # Invite the email to the team.
-      inviter = get_authenticated_user()
-      invite = handle_addinvite_team(inviter, team, email=email)
-      log_action('org_invite_team_member', orgname, {
-        'email': email,
-        'team': teamname,
-        'member': email
-      })
-      return invite_view(invite)
+            # Find the team.
+            try:
+                team = model.team.get_organization_team(orgname, teamname)
+            except model.InvalidTeamException:
+                raise NotFound()
 
-    raise Unauthorized()
+            # Invite the email to the team.
+            inviter = get_authenticated_user()
+            invite = handle_addinvite_team(inviter, team, email=email)
+            log_action(
+                "org_invite_team_member",
+                orgname,
+                {"email": email, "team": teamname, "member": email},
+            )
+            return invite_view(invite)
 
-  @require_scope(scopes.ORG_ADMIN)
-  @nickname('deleteTeamMemberEmailInvite')
-  def delete(self, orgname, teamname, email):
-    """ Delete an invite of an email address to join a team. """
-    permission = AdministerOrganizationPermission(orgname)
-    if permission.can():
-      team = None
+        raise Unauthorized()
 
-      # Find the team.
-      try:
-        team = model.team.get_organization_team(orgname, teamname)
-      except model.InvalidTeamException:
-        raise NotFound()
+    @require_scope(scopes.ORG_ADMIN)
+    @nickname("deleteTeamMemberEmailInvite")
+    def delete(self, orgname, teamname, email):
+        """ Delete an invite of an email address to join a team. """
+        permission = AdministerOrganizationPermission(orgname)
+        if permission.can():
+            team = None
 
-      # Delete the invite.
-      if not model.team.delete_team_email_invite(team, email):
-        raise NotFound()
+            # Find the team.
+            try:
+                team = model.team.get_organization_team(orgname, teamname)
+            except model.InvalidTeamException:
+                raise NotFound()
 
-      log_action('org_delete_team_member_invite', orgname, {
-        'email': email,
-        'team': teamname,
-        'member': email
-      })
-      return '', 204
+            # Delete the invite.
+            if not model.team.delete_team_email_invite(team, email):
+                raise NotFound()
 
-    raise Unauthorized()
+            log_action(
+                "org_delete_team_member_invite",
+                orgname,
+                {"email": email, "team": teamname, "member": email},
+            )
+            return "", 204
+
+        raise Unauthorized()
 
 
-@resource('/v1/organization/<orgname>/team/<teamname>/permissions')
-@path_param('orgname', 'The name of the organization')
-@path_param('teamname', 'The name of the team')
+@resource("/v1/organization/<orgname>/team/<teamname>/permissions")
+@path_param("orgname", "The name of the organization")
+@path_param("teamname", "The name of the team")
 class TeamPermissions(ApiResource):
-  """ Resource for listing the permissions an org's team has in the system. """
-  @nickname('getOrganizationTeamPermissions')
-  def get(self, orgname, teamname):
-    """ Returns the list of repository permissions for the org's team. """
-    permission = AdministerOrganizationPermission(orgname)
-    if permission.can():
-      try:
-        team = model.team.get_organization_team(orgname, teamname)
-      except model.InvalidTeamException:
-        raise NotFound()
+    """ Resource for listing the permissions an org's team has in the system. """
 
-      permissions = model.permission.list_team_permissions(team)
+    @nickname("getOrganizationTeamPermissions")
+    def get(self, orgname, teamname):
+        """ Returns the list of repository permissions for the org's team. """
+        permission = AdministerOrganizationPermission(orgname)
+        if permission.can():
+            try:
+                team = model.team.get_organization_team(orgname, teamname)
+            except model.InvalidTeamException:
+                raise NotFound()
 
-      return {
-        'permissions': [permission_view(permission) for permission in permissions]
-      }
+            permissions = model.permission.list_team_permissions(team)
 
-    raise Unauthorized()
+            return {
+                "permissions": [
+                    permission_view(permission) for permission in permissions
+                ]
+            }
+
+        raise Unauthorized()
 
 
-@resource('/v1/teaminvite/<code>')
+@resource("/v1/teaminvite/<code>")
 @internal_only
 @show_if(features.MAILING)
 class TeamMemberInvite(ApiResource):
-  """ Resource for managing invites to join a team. """
-  @require_user_admin
-  @nickname('acceptOrganizationTeamInvite')
-  def put(self, code):
-    """ Accepts an invite to join a team in an organization. """
-    # Accept the invite for the current user.
-    team = try_accept_invite(code, get_authenticated_user())
-    if not team:
-      raise NotFound()
+    """ Resource for managing invites to join a team. """
 
-    orgname = team.organization.username
-    return {
-      'org': orgname,
-      'team': team.name
-    }
+    @require_user_admin
+    @nickname("acceptOrganizationTeamInvite")
+    def put(self, code):
+        """ Accepts an invite to join a team in an organization. """
+        # Accept the invite for the current user.
+        team = try_accept_invite(code, get_authenticated_user())
+        if not team:
+            raise NotFound()
 
-  @nickname('declineOrganizationTeamInvite')
-  @require_user_admin
-  def delete(self, code):
-    """ Delete an existing invitation to join a team. """
-    (team, inviter) = model.team.delete_team_invite(code, user_obj=get_authenticated_user())
+        orgname = team.organization.username
+        return {"org": orgname, "team": team.name}
 
-    model.notification.delete_matching_notifications(get_authenticated_user(), 'org_team_invite',
-                                                     code=code)
+    @nickname("declineOrganizationTeamInvite")
+    @require_user_admin
+    def delete(self, code):
+        """ Delete an existing invitation to join a team. """
+        (team, inviter) = model.team.delete_team_invite(
+            code, user_obj=get_authenticated_user()
+        )
 
-    orgname = team.organization.username
-    log_action('org_team_member_invite_declined', orgname, {
-      'member': get_authenticated_user().username,
-      'team': team.name,
-      'inviter': inviter.username
-    })
+        model.notification.delete_matching_notifications(
+            get_authenticated_user(), "org_team_invite", code=code
+        )
 
-    return '', 204
+        orgname = team.organization.username
+        log_action(
+            "org_team_member_invite_declined",
+            orgname,
+            {
+                "member": get_authenticated_user().username,
+                "team": team.name,
+                "inviter": inviter.username,
+            },
+        )
+
+        return "", 204
diff --git a/endpoints/api/test/shared.py b/endpoints/api/test/shared.py
index c5a553f09..9ccc86ee9 100644
--- a/endpoints/api/test/shared.py
+++ b/endpoints/api/test/shared.py
@@ -1,11 +1,22 @@
 from endpoints.test.shared import conduct_call
 from endpoints.api import api
 
-def conduct_api_call(client, resource, method, params, body=None, expected_code=200, headers=None):
-  """ Conducts an API call to the given resource via the given client, and ensures its returned
+
+def conduct_api_call(
+    client, resource, method, params, body=None, expected_code=200, headers=None
+):
+    """ Conducts an API call to the given resource via the given client, and ensures its returned
       status matches the code given.
 
       Returns the response.
   """
-  return conduct_call(client, resource, api.url_for, method, params, body, expected_code,
-                      headers=headers)
+    return conduct_call(
+        client,
+        resource,
+        api.url_for,
+        method,
+        params,
+        body,
+        expected_code,
+        headers=headers,
+    )
diff --git a/endpoints/api/test/test_appspecifictoken.py b/endpoints/api/test/test_appspecifictoken.py
index 28e2bcd00..b63c3b150 100644
--- a/endpoints/api/test/test_appspecifictoken.py
+++ b/endpoints/api/test/test_appspecifictoken.py
@@ -6,45 +6,52 @@ from endpoints.api.test.shared import conduct_api_call
 from endpoints.test.shared import client_with_identity
 from test.fixtures import *
 
+
 def test_app_specific_tokens(app, client):
-  with client_with_identity('devtable', client) as cl:
-    # Add an app specific token.
-    token_data = {'title': 'Testing 123'}
-    resp = conduct_api_call(cl, AppTokens, 'POST', None, token_data, 200).json
-    token_uuid = resp['token']['uuid']
-    assert 'token_code' in resp['token']
+    with client_with_identity("devtable", client) as cl:
+        # Add an app specific token.
+        token_data = {"title": "Testing 123"}
+        resp = conduct_api_call(cl, AppTokens, "POST", None, token_data, 200).json
+        token_uuid = resp["token"]["uuid"]
+        assert "token_code" in resp["token"]
 
-    # List the tokens and ensure we have the one added.
-    resp = conduct_api_call(cl, AppTokens, 'GET', None, None, 200).json
-    assert len(resp['tokens'])
-    assert token_uuid in set([token['uuid'] for token in resp['tokens']])
-    assert not set([token['token_code'] for token in resp['tokens'] if 'token_code' in token])
+        # List the tokens and ensure we have the one added.
+        resp = conduct_api_call(cl, AppTokens, "GET", None, None, 200).json
+        assert len(resp["tokens"])
+        assert token_uuid in set([token["uuid"] for token in resp["tokens"]])
+        assert not set(
+            [token["token_code"] for token in resp["tokens"] if "token_code" in token]
+        )
 
-    # List the tokens expiring soon and ensure the one added is not present.
-    resp = conduct_api_call(cl, AppTokens, 'GET', {'expiring': True}, None, 200).json
-    assert token_uuid not in set([token['uuid'] for token in resp['tokens']])
+        # List the tokens expiring soon and ensure the one added is not present.
+        resp = conduct_api_call(
+            cl, AppTokens, "GET", {"expiring": True}, None, 200
+        ).json
+        assert token_uuid not in set([token["uuid"] for token in resp["tokens"]])
 
-    # Get the token and ensure we have its code.
-    resp = conduct_api_call(cl, AppToken, 'GET', {'token_uuid': token_uuid}, None, 200).json
-    assert resp['token']['uuid'] == token_uuid
-    assert 'token_code' in resp['token']
+        # Get the token and ensure we have its code.
+        resp = conduct_api_call(
+            cl, AppToken, "GET", {"token_uuid": token_uuid}, None, 200
+        ).json
+        assert resp["token"]["uuid"] == token_uuid
+        assert "token_code" in resp["token"]
 
-    # Delete the token.
-    conduct_api_call(cl, AppToken, 'DELETE', {'token_uuid': token_uuid}, None, 204)
+        # Delete the token.
+        conduct_api_call(cl, AppToken, "DELETE", {"token_uuid": token_uuid}, None, 204)
 
-    # Ensure the token no longer exists.
-    resp = conduct_api_call(cl, AppTokens, 'GET', None, None, 200).json
-    assert len(resp['tokens'])
-    assert token_uuid not in set([token['uuid'] for token in resp['tokens']])
+        # Ensure the token no longer exists.
+        resp = conduct_api_call(cl, AppTokens, "GET", None, None, 200).json
+        assert len(resp["tokens"])
+        assert token_uuid not in set([token["uuid"] for token in resp["tokens"]])
 
-    conduct_api_call(cl, AppToken, 'GET', {'token_uuid': token_uuid}, None, 404)
+        conduct_api_call(cl, AppToken, "GET", {"token_uuid": token_uuid}, None, 404)
 
 
 def test_delete_expired_app_token(app, client):
-  user = model.user.get_user('devtable')
-  expiration = datetime.now() - timedelta(seconds=10)
-  token = model.appspecifictoken.create_token(user, 'some token', expiration)
+    user = model.user.get_user("devtable")
+    expiration = datetime.now() - timedelta(seconds=10)
+    token = model.appspecifictoken.create_token(user, "some token", expiration)
 
-  with client_with_identity('devtable', client) as cl:
-    # Delete the token.
-    conduct_api_call(cl, AppToken, 'DELETE', {'token_uuid': token.uuid}, None, 204)
+    with client_with_identity("devtable", client) as cl:
+        # Delete the token.
+        conduct_api_call(cl, AppToken, "DELETE", {"token_uuid": token.uuid}, None, 204)
diff --git a/endpoints/api/test/test_build.py b/endpoints/api/test/test_build.py
index bf98ad4eb..9e80972ac 100644
--- a/endpoints/api/test/test_build.py
+++ b/endpoints/api/test/test_build.py
@@ -3,18 +3,37 @@ import pytest
 from endpoints.api.build import RepositoryBuildList
 
 
-@pytest.mark.parametrize('request_json,subdir,context', [
-  ({}, '/Dockerfile', '/'),
-  ({'context': '/some_context'}, '/some_context/Dockerfile', '/some_context'),
-  ({'subdirectory': 'some_context'}, 'some_context/Dockerfile', 'some_context'),
-  ({'subdirectory': 'some_context/'}, 'some_context/Dockerfile', 'some_context/'),
-  ({'dockerfile_path': 'some_context/Dockerfile'}, 'some_context/Dockerfile', 'some_context'),
-  ({'dockerfile_path': 'some_context/Dockerfile', 'context': '/'}, 'some_context/Dockerfile', '/'),
-  ({'dockerfile_path': 'some_context/Dockerfile',
-    'context': '/',
-    'subdirectory': 'slime'}, 'some_context/Dockerfile', '/'),
-])
+@pytest.mark.parametrize(
+    "request_json,subdir,context",
+    [
+        ({}, "/Dockerfile", "/"),
+        ({"context": "/some_context"}, "/some_context/Dockerfile", "/some_context"),
+        ({"subdirectory": "some_context"}, "some_context/Dockerfile", "some_context"),
+        ({"subdirectory": "some_context/"}, "some_context/Dockerfile", "some_context/"),
+        (
+            {"dockerfile_path": "some_context/Dockerfile"},
+            "some_context/Dockerfile",
+            "some_context",
+        ),
+        (
+            {"dockerfile_path": "some_context/Dockerfile", "context": "/"},
+            "some_context/Dockerfile",
+            "/",
+        ),
+        (
+            {
+                "dockerfile_path": "some_context/Dockerfile",
+                "context": "/",
+                "subdirectory": "slime",
+            },
+            "some_context/Dockerfile",
+            "/",
+        ),
+    ],
+)
 def test_extract_dockerfile_args(request_json, subdir, context):
-  actual_context, actual_subdir = RepositoryBuildList.get_dockerfile_context(request_json)
-  assert subdir == actual_subdir
-  assert context == actual_context
+    actual_context, actual_subdir = RepositoryBuildList.get_dockerfile_context(
+        request_json
+    )
+    assert subdir == actual_subdir
+    assert context == actual_context
diff --git a/endpoints/api/test/test_disallow_for_apps.py b/endpoints/api/test/test_disallow_for_apps.py
index b9112c291..d33937328 100644
--- a/endpoints/api/test/test_disallow_for_apps.py
+++ b/endpoints/api/test/test_disallow_for_apps.py
@@ -2,82 +2,109 @@ import pytest
 
 from data import model
 from endpoints.api.repository import Repository
-from endpoints.api.build import (RepositoryBuildList, RepositoryBuildResource,
-                                 RepositoryBuildStatus, RepositoryBuildLogs)
+from endpoints.api.build import (
+    RepositoryBuildList,
+    RepositoryBuildResource,
+    RepositoryBuildStatus,
+    RepositoryBuildLogs,
+)
 from endpoints.api.image import RepositoryImageList, RepositoryImage
-from endpoints.api.manifest import RepositoryManifestLabels, ManageRepositoryManifestLabel
-from endpoints.api.repositorynotification import (RepositoryNotification,
-                                                  RepositoryNotificationList,
-                                                  TestRepositoryNotification)
+from endpoints.api.manifest import (
+    RepositoryManifestLabels,
+    ManageRepositoryManifestLabel,
+)
+from endpoints.api.repositorynotification import (
+    RepositoryNotification,
+    RepositoryNotificationList,
+    TestRepositoryNotification,
+)
 from endpoints.api.secscan import RepositoryImageSecurity, RepositoryManifestSecurity
 from endpoints.api.signing import RepositorySignatures
-from endpoints.api.tag import ListRepositoryTags, RepositoryTag, RepositoryTagImages, RestoreTag
-from endpoints.api.trigger import (BuildTriggerList, BuildTrigger, BuildTriggerSubdirs,
-                                   BuildTriggerActivate, BuildTriggerAnalyze, ActivateBuildTrigger,
-                                   TriggerBuildList, BuildTriggerFieldValues, BuildTriggerSources,
-                                   BuildTriggerSourceNamespaces)
+from endpoints.api.tag import (
+    ListRepositoryTags,
+    RepositoryTag,
+    RepositoryTagImages,
+    RestoreTag,
+)
+from endpoints.api.trigger import (
+    BuildTriggerList,
+    BuildTrigger,
+    BuildTriggerSubdirs,
+    BuildTriggerActivate,
+    BuildTriggerAnalyze,
+    ActivateBuildTrigger,
+    TriggerBuildList,
+    BuildTriggerFieldValues,
+    BuildTriggerSources,
+    BuildTriggerSourceNamespaces,
+)
 from endpoints.api.test.shared import conduct_api_call
 from endpoints.test.shared import client_with_identity
 from test.fixtures import *
 
-BUILD_ARGS = {'build_uuid': '1234'}
-IMAGE_ARGS = {'imageid': '1234', 'image_id': 1234}
-MANIFEST_ARGS = {'manifestref': 'sha256:abcd1234'}
-LABEL_ARGS = {'manifestref': 'sha256:abcd1234', 'labelid': '1234'}
-NOTIFICATION_ARGS = {'uuid': '1234'}
-TAG_ARGS = {'tag': 'foobar'}
-TRIGGER_ARGS = {'trigger_uuid': '1234'}
-FIELD_ARGS = {'trigger_uuid': '1234', 'field_name': 'foobar'}
+BUILD_ARGS = {"build_uuid": "1234"}
+IMAGE_ARGS = {"imageid": "1234", "image_id": 1234}
+MANIFEST_ARGS = {"manifestref": "sha256:abcd1234"}
+LABEL_ARGS = {"manifestref": "sha256:abcd1234", "labelid": "1234"}
+NOTIFICATION_ARGS = {"uuid": "1234"}
+TAG_ARGS = {"tag": "foobar"}
+TRIGGER_ARGS = {"trigger_uuid": "1234"}
+FIELD_ARGS = {"trigger_uuid": "1234", "field_name": "foobar"}
 
-@pytest.mark.parametrize('resource, method, params', [
-  (RepositoryBuildList, 'get', None),
-  (RepositoryBuildList, 'post', None),
-  (RepositoryBuildResource, 'get', BUILD_ARGS),
-  (RepositoryBuildResource, 'delete', BUILD_ARGS),
-  (RepositoryBuildStatus, 'get', BUILD_ARGS),
-  (RepositoryBuildLogs, 'get', BUILD_ARGS),
-  (RepositoryImageList, 'get', None),
-  (RepositoryImage, 'get', IMAGE_ARGS),
-  (RepositoryManifestLabels, 'get', MANIFEST_ARGS),
-  (RepositoryManifestLabels, 'post', MANIFEST_ARGS),
-  (ManageRepositoryManifestLabel, 'get', LABEL_ARGS),
-  (ManageRepositoryManifestLabel, 'delete', LABEL_ARGS),
-  (RepositoryNotificationList, 'get', None),
-  (RepositoryNotificationList, 'post', None),
-  (RepositoryNotification, 'get', NOTIFICATION_ARGS),
-  (RepositoryNotification, 'delete', NOTIFICATION_ARGS),
-  (RepositoryNotification, 'post', NOTIFICATION_ARGS),
-  (TestRepositoryNotification, 'post', NOTIFICATION_ARGS),
-  (RepositoryImageSecurity, 'get', IMAGE_ARGS),
-  (RepositoryManifestSecurity, 'get', MANIFEST_ARGS),
-  (RepositorySignatures, 'get', None),
-  (ListRepositoryTags, 'get', None),
-  (RepositoryTag, 'put', TAG_ARGS),
-  (RepositoryTag, 'delete', TAG_ARGS),
-  (RepositoryTagImages, 'get', TAG_ARGS),
-  (RestoreTag, 'post', TAG_ARGS),
-  (BuildTriggerList, 'get', None),
-  (BuildTrigger, 'get', TRIGGER_ARGS),
-  (BuildTrigger, 'delete', TRIGGER_ARGS),
-  (BuildTriggerSubdirs, 'post', TRIGGER_ARGS),
-  (BuildTriggerActivate, 'post', TRIGGER_ARGS),
-  (BuildTriggerAnalyze, 'post', TRIGGER_ARGS),
-  (ActivateBuildTrigger, 'post', TRIGGER_ARGS),
-  (TriggerBuildList, 'get', TRIGGER_ARGS),
-  (BuildTriggerFieldValues, 'post', FIELD_ARGS),
-  (BuildTriggerSources, 'post', TRIGGER_ARGS),
-  (BuildTriggerSourceNamespaces, 'get', TRIGGER_ARGS),
-])
+
+@pytest.mark.parametrize(
+    "resource, method, params",
+    [
+        (RepositoryBuildList, "get", None),
+        (RepositoryBuildList, "post", None),
+        (RepositoryBuildResource, "get", BUILD_ARGS),
+        (RepositoryBuildResource, "delete", BUILD_ARGS),
+        (RepositoryBuildStatus, "get", BUILD_ARGS),
+        (RepositoryBuildLogs, "get", BUILD_ARGS),
+        (RepositoryImageList, "get", None),
+        (RepositoryImage, "get", IMAGE_ARGS),
+        (RepositoryManifestLabels, "get", MANIFEST_ARGS),
+        (RepositoryManifestLabels, "post", MANIFEST_ARGS),
+        (ManageRepositoryManifestLabel, "get", LABEL_ARGS),
+        (ManageRepositoryManifestLabel, "delete", LABEL_ARGS),
+        (RepositoryNotificationList, "get", None),
+        (RepositoryNotificationList, "post", None),
+        (RepositoryNotification, "get", NOTIFICATION_ARGS),
+        (RepositoryNotification, "delete", NOTIFICATION_ARGS),
+        (RepositoryNotification, "post", NOTIFICATION_ARGS),
+        (TestRepositoryNotification, "post", NOTIFICATION_ARGS),
+        (RepositoryImageSecurity, "get", IMAGE_ARGS),
+        (RepositoryManifestSecurity, "get", MANIFEST_ARGS),
+        (RepositorySignatures, "get", None),
+        (ListRepositoryTags, "get", None),
+        (RepositoryTag, "put", TAG_ARGS),
+        (RepositoryTag, "delete", TAG_ARGS),
+        (RepositoryTagImages, "get", TAG_ARGS),
+        (RestoreTag, "post", TAG_ARGS),
+        (BuildTriggerList, "get", None),
+        (BuildTrigger, "get", TRIGGER_ARGS),
+        (BuildTrigger, "delete", TRIGGER_ARGS),
+        (BuildTriggerSubdirs, "post", TRIGGER_ARGS),
+        (BuildTriggerActivate, "post", TRIGGER_ARGS),
+        (BuildTriggerAnalyze, "post", TRIGGER_ARGS),
+        (ActivateBuildTrigger, "post", TRIGGER_ARGS),
+        (TriggerBuildList, "get", TRIGGER_ARGS),
+        (BuildTriggerFieldValues, "post", FIELD_ARGS),
+        (BuildTriggerSources, "post", TRIGGER_ARGS),
+        (BuildTriggerSourceNamespaces, "get", TRIGGER_ARGS),
+    ],
+)
 def test_disallowed_for_apps(resource, method, params, client):
-  namespace = 'devtable'
-  repository = 'someapprepo'
+    namespace = "devtable"
+    repository = "someapprepo"
 
-  devtable = model.user.get_user('devtable')
-  model.repository.create_repository(namespace, repository, devtable, repo_kind='application')
+    devtable = model.user.get_user("devtable")
+    model.repository.create_repository(
+        namespace, repository, devtable, repo_kind="application"
+    )
 
-  params = params or {}
-  params['repository'] = '%s/%s' % (namespace, repository)
-
-  with client_with_identity('devtable', client) as cl:
-    conduct_api_call(cl, resource, method, params, None, 501)
+    params = params or {}
+    params["repository"] = "%s/%s" % (namespace, repository)
 
+    with client_with_identity("devtable", client) as cl:
+        conduct_api_call(cl, resource, method, params, None, 501)
diff --git a/endpoints/api/test/test_disallow_for_nonnormal.py b/endpoints/api/test/test_disallow_for_nonnormal.py
index 7d8ace845..72712083f 100644
--- a/endpoints/api/test/test_disallow_for_nonnormal.py
+++ b/endpoints/api/test/test_disallow_for_nonnormal.py
@@ -3,62 +3,65 @@ import pytest
 from data import model
 from data.database import RepositoryState
 from endpoints.api.build import RepositoryBuildList, RepositoryBuildResource
-from endpoints.api.manifest import RepositoryManifestLabels, ManageRepositoryManifestLabel
+from endpoints.api.manifest import (
+    RepositoryManifestLabels,
+    ManageRepositoryManifestLabel,
+)
 from endpoints.api.tag import RepositoryTag, RestoreTag
-from endpoints.api.trigger import (BuildTrigger, BuildTriggerSubdirs,
-                                   BuildTriggerActivate, BuildTriggerAnalyze, ActivateBuildTrigger,
-                                   BuildTriggerFieldValues, BuildTriggerSources)
+from endpoints.api.trigger import (
+    BuildTrigger,
+    BuildTriggerSubdirs,
+    BuildTriggerActivate,
+    BuildTriggerAnalyze,
+    ActivateBuildTrigger,
+    BuildTriggerFieldValues,
+    BuildTriggerSources,
+)
 from endpoints.api.test.shared import conduct_api_call
 from endpoints.test.shared import client_with_identity
 from test.fixtures import *
 
-BUILD_ARGS = {'build_uuid': '1234'}
-IMAGE_ARGS = {'imageid': '1234', 'image_id': 1234}
-MANIFEST_ARGS = {'manifestref': 'sha256:abcd1234'}
-LABEL_ARGS = {'manifestref': 'sha256:abcd1234', 'labelid': '1234'}
-NOTIFICATION_ARGS = {'uuid': '1234'}
-TAG_ARGS = {'tag': 'foobar'}
-TRIGGER_ARGS = {'trigger_uuid': '1234'}
-FIELD_ARGS = {'trigger_uuid': '1234', 'field_name': 'foobar'}
+BUILD_ARGS = {"build_uuid": "1234"}
+IMAGE_ARGS = {"imageid": "1234", "image_id": 1234}
+MANIFEST_ARGS = {"manifestref": "sha256:abcd1234"}
+LABEL_ARGS = {"manifestref": "sha256:abcd1234", "labelid": "1234"}
+NOTIFICATION_ARGS = {"uuid": "1234"}
+TAG_ARGS = {"tag": "foobar"}
+TRIGGER_ARGS = {"trigger_uuid": "1234"}
+FIELD_ARGS = {"trigger_uuid": "1234", "field_name": "foobar"}
 
 
-@pytest.mark.parametrize('state', [
-  RepositoryState.MIRROR,
-  RepositoryState.READ_ONLY,
-])
-@pytest.mark.parametrize('resource, method, params', [
-  (RepositoryBuildList, 'post', None),
-  (RepositoryBuildResource, 'delete', BUILD_ARGS),
-
-  (RepositoryManifestLabels, 'post', MANIFEST_ARGS),
-  (ManageRepositoryManifestLabel, 'delete', LABEL_ARGS),
-
-  (RepositoryTag, 'put', TAG_ARGS),
-  (RepositoryTag, 'delete', TAG_ARGS),
-
-  (RestoreTag, 'post', TAG_ARGS),
-
-  (BuildTrigger, 'delete', TRIGGER_ARGS),
-  (BuildTriggerSubdirs, 'post', TRIGGER_ARGS),
-  (BuildTriggerActivate, 'post', TRIGGER_ARGS),
-  (BuildTriggerAnalyze, 'post', TRIGGER_ARGS),
-  (ActivateBuildTrigger, 'post', TRIGGER_ARGS),
-
-  (BuildTriggerFieldValues, 'post', FIELD_ARGS),
-  (BuildTriggerSources, 'post', TRIGGER_ARGS),
-
-])
+@pytest.mark.parametrize("state", [RepositoryState.MIRROR, RepositoryState.READ_ONLY])
+@pytest.mark.parametrize(
+    "resource, method, params",
+    [
+        (RepositoryBuildList, "post", None),
+        (RepositoryBuildResource, "delete", BUILD_ARGS),
+        (RepositoryManifestLabels, "post", MANIFEST_ARGS),
+        (ManageRepositoryManifestLabel, "delete", LABEL_ARGS),
+        (RepositoryTag, "put", TAG_ARGS),
+        (RepositoryTag, "delete", TAG_ARGS),
+        (RestoreTag, "post", TAG_ARGS),
+        (BuildTrigger, "delete", TRIGGER_ARGS),
+        (BuildTriggerSubdirs, "post", TRIGGER_ARGS),
+        (BuildTriggerActivate, "post", TRIGGER_ARGS),
+        (BuildTriggerAnalyze, "post", TRIGGER_ARGS),
+        (ActivateBuildTrigger, "post", TRIGGER_ARGS),
+        (BuildTriggerFieldValues, "post", FIELD_ARGS),
+        (BuildTriggerSources, "post", TRIGGER_ARGS),
+    ],
+)
 def test_disallowed_for_nonnormal(state, resource, method, params, client):
-  namespace = 'devtable'
-  repository = 'somenewstaterepo'
+    namespace = "devtable"
+    repository = "somenewstaterepo"
 
-  devtable = model.user.get_user('devtable')
-  repo = model.repository.create_repository(namespace, repository, devtable)
-  repo.state = state
-  repo.save()
+    devtable = model.user.get_user("devtable")
+    repo = model.repository.create_repository(namespace, repository, devtable)
+    repo.state = state
+    repo.save()
 
-  params = params or {}
-  params['repository'] = '%s/%s' % (namespace, repository)
+    params = params or {}
+    params["repository"] = "%s/%s" % (namespace, repository)
 
-  with client_with_identity('devtable', client) as cl:
-    conduct_api_call(cl, resource, method, params, None, 503)
+    with client_with_identity("devtable", client) as cl:
+        conduct_api_call(cl, resource, method, params, None, 503)
diff --git a/endpoints/api/test/test_endtoend_auth.py b/endpoints/api/test/test_endtoend_auth.py
index 0bcf9c7e4..7901432cf 100644
--- a/endpoints/api/test/test_endtoend_auth.py
+++ b/endpoints/api/test/test_endtoend_auth.py
@@ -13,51 +13,54 @@ from test.test_keystone_auth import fake_keystone
 from test.fixtures import *
 
 
-@pytest.fixture(params=[
-  mock_ldap,
-  fake_jwt,
-  fake_keystone,
-])
+@pytest.fixture(params=[mock_ldap, fake_jwt, fake_keystone])
 def auth_engine(request):
-  return request.param
+    return request.param
 
 
-@pytest.fixture(params=[
-  False,
-  True,
-])
+@pytest.fixture(params=[False, True])
 def requires_email(request):
-  return request.param
+    return request.param
 
 
 def test_entity_search(auth_engine, requires_email, client):
-  with auth_engine(requires_email=requires_email) as auth:
-    with patch('endpoints.api.search.authentication', auth):
-      # Try an unknown prefix.
-      response = conduct_api_call(client, EntitySearch, 'GET', params=dict(prefix='unknown'))
-      results = response.json['results']
-      assert len(results) == 0
+    with auth_engine(requires_email=requires_email) as auth:
+        with patch("endpoints.api.search.authentication", auth):
+            # Try an unknown prefix.
+            response = conduct_api_call(
+                client, EntitySearch, "GET", params=dict(prefix="unknown")
+            )
+            results = response.json["results"]
+            assert len(results) == 0
 
-      # Try a known prefix.
-      response = conduct_api_call(client, EntitySearch, 'GET', params=dict(prefix='cool'))
-      results = response.json['results']
-      entity = results[0]
-      assert entity['name'] == 'cool.user'
-      assert entity['kind'] == 'external'
+            # Try a known prefix.
+            response = conduct_api_call(
+                client, EntitySearch, "GET", params=dict(prefix="cool")
+            )
+            results = response.json["results"]
+            entity = results[0]
+            assert entity["name"] == "cool.user"
+            assert entity["kind"] == "external"
 
 
 def test_link_external_entity(auth_engine, requires_email, client):
-  with auth_engine(requires_email=requires_email) as auth:
-    with patch('endpoints.api.search.authentication', auth):
-      with client_with_identity('devtable', client) as cl:
-        # Try an unknown user.
-        conduct_api_call(cl, LinkExternalEntity, 'POST', params=dict(username='unknownuser'),
-                         expected_code=400)
+    with auth_engine(requires_email=requires_email) as auth:
+        with patch("endpoints.api.search.authentication", auth):
+            with client_with_identity("devtable", client) as cl:
+                # Try an unknown user.
+                conduct_api_call(
+                    cl,
+                    LinkExternalEntity,
+                    "POST",
+                    params=dict(username="unknownuser"),
+                    expected_code=400,
+                )
 
-        # Try a known user.
-        response = conduct_api_call(cl, LinkExternalEntity, 'POST',
-                                    params=dict(username='cool.user'))
+                # Try a known user.
+                response = conduct_api_call(
+                    cl, LinkExternalEntity, "POST", params=dict(username="cool.user")
+                )
 
-        entity = response.json['entity']
-        assert entity['name'] == 'cool_user'
-        assert entity['kind'] == 'user'
+                entity = response.json["entity"]
+                assert entity["name"] == "cool_user"
+                assert entity["kind"] == "user"
diff --git a/endpoints/api/test/test_logs.py b/endpoints/api/test/test_logs.py
index a73561bfa..3d9fae266 100644
--- a/endpoints/api/test/test_logs.py
+++ b/endpoints/api/test/test_logs.py
@@ -10,25 +10,32 @@ from endpoints.test.shared import client_with_identity
 
 from test.fixtures import *
 
-@pytest.mark.skipif(os.environ.get('TEST_DATABASE_URI', '').find('mysql') >= 0,
-                    reason="Queue code is very sensitive to times on MySQL, making this flaky")
+
+@pytest.mark.skipif(
+    os.environ.get("TEST_DATABASE_URI", "").find("mysql") >= 0,
+    reason="Queue code is very sensitive to times on MySQL, making this flaky",
+)
 def test_export_logs(client):
-  with client_with_identity('devtable', client) as cl:
-    assert export_action_logs_queue.get() is None
+    with client_with_identity("devtable", client) as cl:
+        assert export_action_logs_queue.get() is None
 
-    timecode = time.time()
-    def get_time():
-      return timecode - 2
+        timecode = time.time()
 
-    with patch('time.time', get_time):
-      # Call to export logs.
-      body = {
-        'callback_url': 'http://some/url',
-        'callback_email': 'a@b.com',
-      }
+        def get_time():
+            return timecode - 2
 
-      conduct_api_call(cl, ExportOrgLogs, 'POST', {'orgname': 'buynlarge'},
-                       body, expected_code=200)
+        with patch("time.time", get_time):
+            # Call to export logs.
+            body = {"callback_url": "http://some/url", "callback_email": "a@b.com"}
 
-      # Ensure the request was queued.
-      assert export_action_logs_queue.get() is not None
+            conduct_api_call(
+                cl,
+                ExportOrgLogs,
+                "POST",
+                {"orgname": "buynlarge"},
+                body,
+                expected_code=200,
+            )
+
+            # Ensure the request was queued.
+            assert export_action_logs_queue.get() is not None
diff --git a/endpoints/api/test/test_manifest.py b/endpoints/api/test/test_manifest.py
index 164c26061..9fac8f356 100644
--- a/endpoints/api/test/test_manifest.py
+++ b/endpoints/api/test/test_manifest.py
@@ -5,20 +5,20 @@ from endpoints.test.shared import client_with_identity
 
 from test.fixtures import *
 
-def test_repository_manifest(client):
-  with client_with_identity('devtable', client) as cl:
-    repo_ref = registry_model.lookup_repository('devtable', 'simple')
-    tags = registry_model.list_all_active_repository_tags(repo_ref)
-    for tag in tags:
-      manifest_digest = tag.manifest_digest
-      if manifest_digest is None:
-        continue
 
-      params = {
-        'repository': 'devtable/simple',
-        'manifestref': manifest_digest,
-      }
-      result = conduct_api_call(cl, RepositoryManifest, 'GET', params, None, 200).json
-      assert result['digest'] == manifest_digest
-      assert result['manifest_data']
-      assert result['image']
+def test_repository_manifest(client):
+    with client_with_identity("devtable", client) as cl:
+        repo_ref = registry_model.lookup_repository("devtable", "simple")
+        tags = registry_model.list_all_active_repository_tags(repo_ref)
+        for tag in tags:
+            manifest_digest = tag.manifest_digest
+            if manifest_digest is None:
+                continue
+
+            params = {"repository": "devtable/simple", "manifestref": manifest_digest}
+            result = conduct_api_call(
+                cl, RepositoryManifest, "GET", params, None, 200
+            ).json
+            assert result["digest"] == manifest_digest
+            assert result["manifest_data"]
+            assert result["image"]
diff --git a/endpoints/api/test/test_organization.py b/endpoints/api/test/test_organization.py
index 4341e1125..89c7c7d74 100644
--- a/endpoints/api/test/test_organization.py
+++ b/endpoints/api/test/test_organization.py
@@ -3,36 +3,38 @@ import pytest
 from data import model
 from endpoints.api import api
 from endpoints.api.test.shared import conduct_api_call
-from endpoints.api.organization import (Organization,
-                                        OrganizationCollaboratorList)
+from endpoints.api.organization import Organization, OrganizationCollaboratorList
 from endpoints.test.shared import client_with_identity
 from test.fixtures import *
 
 
-@pytest.mark.parametrize('expiration, expected_code', [
-    (0, 200),
-    (100, 400),
-    (100000000000000000000, 400),
-])
+@pytest.mark.parametrize(
+    "expiration, expected_code", [(0, 200), (100, 400), (100000000000000000000, 400)]
+)
 def test_change_tag_expiration(expiration, expected_code, client):
-  with client_with_identity('devtable', client) as cl:
-    conduct_api_call(cl, Organization, 'PUT', {'orgname': 'buynlarge'},
-                     body={'tag_expiration_s': expiration},
-                     expected_code=expected_code)
+    with client_with_identity("devtable", client) as cl:
+        conduct_api_call(
+            cl,
+            Organization,
+            "PUT",
+            {"orgname": "buynlarge"},
+            body={"tag_expiration_s": expiration},
+            expected_code=expected_code,
+        )
 
 
 def test_get_organization_collaborators(client):
-  params = {'orgname': 'buynlarge'}
+    params = {"orgname": "buynlarge"}
 
-  with client_with_identity('devtable', client) as cl:
-    resp = conduct_api_call(cl, OrganizationCollaboratorList, 'GET', params)
+    with client_with_identity("devtable", client) as cl:
+        resp = conduct_api_call(cl, OrganizationCollaboratorList, "GET", params)
 
-  collaborator_names = [c['name'] for c in resp.json['collaborators']]
-  assert 'outsideorg' in collaborator_names
-  assert 'devtable' not in collaborator_names
-  assert 'reader' not in collaborator_names
+    collaborator_names = [c["name"] for c in resp.json["collaborators"]]
+    assert "outsideorg" in collaborator_names
+    assert "devtable" not in collaborator_names
+    assert "reader" not in collaborator_names
 
-  for collaborator in resp.json['collaborators']:
-    if collaborator['name'] == 'outsideorg':
-      assert 'orgrepo' in collaborator['repositories']
-      assert 'anotherorgrepo' not in collaborator['repositories']
+    for collaborator in resp.json["collaborators"]:
+        if collaborator["name"] == "outsideorg":
+            assert "orgrepo" in collaborator["repositories"]
+            assert "anotherorgrepo" not in collaborator["repositories"]
diff --git a/endpoints/api/test/test_permission.py b/endpoints/api/test/test_permission.py
index 1182f1071..58837ca1e 100644
--- a/endpoints/api/test/test_permission.py
+++ b/endpoints/api/test/test_permission.py
@@ -5,19 +5,33 @@ from endpoints.api.permission import RepositoryUserPermission
 from endpoints.test.shared import client_with_identity
 from test.fixtures import *
 
-@pytest.mark.parametrize('repository, username, expected_code', [
-  pytest.param('devtable/simple', 'public', 200, id='valid user under user'),
-  pytest.param('devtable/simple', 'devtable+dtrobot', 200, id='valid robot under user'),
-  pytest.param('devtable/simple', 'buynlarge+coolrobot', 400, id='invalid robot under user'),
-  pytest.param('buynlarge/orgrepo', 'devtable', 200, id='valid user under org'),
-  pytest.param('buynlarge/orgrepo', 'devtable+dtrobot', 400, id='invalid robot under org'),
-  pytest.param('buynlarge/orgrepo', 'buynlarge+coolrobot', 200, id='valid robot under org'),
-])
+
+@pytest.mark.parametrize(
+    "repository, username, expected_code",
+    [
+        pytest.param("devtable/simple", "public", 200, id="valid user under user"),
+        pytest.param(
+            "devtable/simple", "devtable+dtrobot", 200, id="valid robot under user"
+        ),
+        pytest.param(
+            "devtable/simple", "buynlarge+coolrobot", 400, id="invalid robot under user"
+        ),
+        pytest.param("buynlarge/orgrepo", "devtable", 200, id="valid user under org"),
+        pytest.param(
+            "buynlarge/orgrepo", "devtable+dtrobot", 400, id="invalid robot under org"
+        ),
+        pytest.param(
+            "buynlarge/orgrepo", "buynlarge+coolrobot", 200, id="valid robot under org"
+        ),
+    ],
+)
 def test_robot_permission(repository, username, expected_code, client):
-  with client_with_identity('devtable', client) as cl:
-    conduct_api_call(cl, RepositoryUserPermission, 'PUT',
-                     {'repository': repository, 'username': username},
-                     body={
-                       'role': 'read',
-                     },
-                     expected_code=expected_code)
+    with client_with_identity("devtable", client) as cl:
+        conduct_api_call(
+            cl,
+            RepositoryUserPermission,
+            "PUT",
+            {"repository": repository, "username": username},
+            body={"role": "read"},
+            expected_code=expected_code,
+        )
diff --git a/endpoints/api/test/test_repoemail_models_pre_oci.py b/endpoints/api/test/test_repoemail_models_pre_oci.py
index 7c8de8226..f8435c844 100644
--- a/endpoints/api/test/test_repoemail_models_pre_oci.py
+++ b/endpoints/api/test/test_repoemail_models_pre_oci.py
@@ -9,81 +9,109 @@ from endpoints.api.repoemail_models_pre_oci import pre_oci_model
 
 @pytest.fixture
 def get_monkeypatch(monkeypatch):
-  return monkeypatch
+    return monkeypatch
 
 
 def return_none(name, repo, email):
-  return None
+    return None
 
 
 def get_return_mock(mock):
-  def return_mock(name, repo, email):
-    return mock
+    def return_mock(name, repo, email):
+        return mock
 
-  return return_mock
+    return return_mock
 
 
 def test_get_email_authorized_for_repo(get_monkeypatch):
-  mock = Mock()
+    mock = Mock()
 
-  get_monkeypatch.setattr(model.repository, 'get_email_authorized_for_repo', mock)
+    get_monkeypatch.setattr(model.repository, "get_email_authorized_for_repo", mock)
 
-  pre_oci_model.get_email_authorized_for_repo('namespace_name', 'repository_name', 'email')
+    pre_oci_model.get_email_authorized_for_repo(
+        "namespace_name", "repository_name", "email"
+    )
 
-  mock.assert_called_once_with('namespace_name', 'repository_name', 'email')
+    mock.assert_called_once_with("namespace_name", "repository_name", "email")
 
 
 def test_get_email_authorized_for_repo_return_none(get_monkeypatch):
-  get_monkeypatch.setattr(model.repository, 'get_email_authorized_for_repo', return_none)
+    get_monkeypatch.setattr(
+        model.repository, "get_email_authorized_for_repo", return_none
+    )
 
-  repo = pre_oci_model.get_email_authorized_for_repo('namespace_name', 'repository_name', 'email')
+    repo = pre_oci_model.get_email_authorized_for_repo(
+        "namespace_name", "repository_name", "email"
+    )
 
-  assert repo is None
+    assert repo is None
 
 
 def test_get_email_authorized_for_repo_return_repo(get_monkeypatch):
-  mock = Mock(confirmed=True, code='code')
-  get_monkeypatch.setattr(model.repository, 'get_email_authorized_for_repo', get_return_mock(mock))
+    mock = Mock(confirmed=True, code="code")
+    get_monkeypatch.setattr(
+        model.repository, "get_email_authorized_for_repo", get_return_mock(mock)
+    )
 
-  actual = pre_oci_model.get_email_authorized_for_repo('namespace_name', 'repository_name',
-                                                       'email')
+    actual = pre_oci_model.get_email_authorized_for_repo(
+        "namespace_name", "repository_name", "email"
+    )
 
-  assert actual == RepositoryAuthorizedEmail('email', 'repository_name', 'namespace_name', True,
-                                             'code')
+    assert actual == RepositoryAuthorizedEmail(
+        "email", "repository_name", "namespace_name", True, "code"
+    )
 
 
 def test_create_email_authorization_for_repo(get_monkeypatch):
-  mock = Mock()
-  get_monkeypatch.setattr(model.repository, 'create_email_authorization_for_repo', mock)
+    mock = Mock()
+    get_monkeypatch.setattr(
+        model.repository, "create_email_authorization_for_repo", mock
+    )
 
-  pre_oci_model.create_email_authorization_for_repo('namespace_name', 'repository_name', 'email')
+    pre_oci_model.create_email_authorization_for_repo(
+        "namespace_name", "repository_name", "email"
+    )
 
-  mock.assert_called_once_with('namespace_name', 'repository_name', 'email')
+    mock.assert_called_once_with("namespace_name", "repository_name", "email")
 
 
 def test_create_email_authorization_for_repo_return_none(get_monkeypatch):
-  get_monkeypatch.setattr(model.repository, 'create_email_authorization_for_repo', return_none)
+    get_monkeypatch.setattr(
+        model.repository, "create_email_authorization_for_repo", return_none
+    )
 
-  assert pre_oci_model.create_email_authorization_for_repo('namespace_name', 'repository_name',
-                                                           'email') is None
+    assert (
+        pre_oci_model.create_email_authorization_for_repo(
+            "namespace_name", "repository_name", "email"
+        )
+        is None
+    )
 
 
 def test_create_email_authorization_for_repo_return_mock(get_monkeypatch):
-  mock = Mock()
-  get_monkeypatch.setattr(model.repository, 'create_email_authorization_for_repo',
-                          get_return_mock(mock))
+    mock = Mock()
+    get_monkeypatch.setattr(
+        model.repository, "create_email_authorization_for_repo", get_return_mock(mock)
+    )
 
-  assert pre_oci_model.create_email_authorization_for_repo('namespace_name', 'repository_name',
-                                                           'email') is not None
+    assert (
+        pre_oci_model.create_email_authorization_for_repo(
+            "namespace_name", "repository_name", "email"
+        )
+        is not None
+    )
 
 
 def test_create_email_authorization_for_repo_return_value(get_monkeypatch):
-  mock = Mock(confirmed=False, code='code')
+    mock = Mock(confirmed=False, code="code")
 
-  get_monkeypatch.setattr(model.repository, 'create_email_authorization_for_repo',
-                          get_return_mock(mock))
+    get_monkeypatch.setattr(
+        model.repository, "create_email_authorization_for_repo", get_return_mock(mock)
+    )
 
-  actual = pre_oci_model.create_email_authorization_for_repo('namespace_name', 'repository_name',
-                                                             'email')
-  assert actual == RepositoryAuthorizedEmail('email', 'repository_name', 'namespace_name', False,
-                                             'code')
+    actual = pre_oci_model.create_email_authorization_for_repo(
+        "namespace_name", "repository_name", "email"
+    )
+    assert actual == RepositoryAuthorizedEmail(
+        "email", "repository_name", "namespace_name", False, "code"
+    )
diff --git a/endpoints/api/test/test_repository.py b/endpoints/api/test/test_repository.py
index 4edca0e35..b78b9bf83 100644
--- a/endpoints/api/test/test_repository.py
+++ b/endpoints/api/test/test_repository.py
@@ -13,154 +13,174 @@ from features import FeatureNameValue
 from test.fixtures import *
 
 
-@pytest.mark.parametrize('trust_enabled,repo_found,expected_status', [
-  (True, True, 200),
-  (False, True, 200),
-  (False, False, 404),
-  ('invalid_req', False, 400),
-])
+@pytest.mark.parametrize(
+    "trust_enabled,repo_found,expected_status",
+    [
+        (True, True, 200),
+        (False, True, 200),
+        (False, False, 404),
+        ("invalid_req", False, 400),
+    ],
+)
 def test_post_changetrust(trust_enabled, repo_found, expected_status, client):
-  with patch('endpoints.api.repository.tuf_metadata_api') as mock_tuf:
-    with patch(
-        'endpoints.api.repository_models_pre_oci.model.repository.get_repository') as mock_model:
-      mock_model.return_value = MagicMock() if repo_found else None
-      mock_tuf.get_default_tags_with_expiration.return_value = ['tags', 'expiration']
-      with client_with_identity('devtable', client) as cl:
-        params = {'repository': 'devtable/repo'}
-        request_body = {'trust_enabled': trust_enabled}
-        conduct_api_call(cl, RepositoryTrust, 'POST', params, request_body, expected_status)
+    with patch("endpoints.api.repository.tuf_metadata_api") as mock_tuf:
+        with patch(
+            "endpoints.api.repository_models_pre_oci.model.repository.get_repository"
+        ) as mock_model:
+            mock_model.return_value = MagicMock() if repo_found else None
+            mock_tuf.get_default_tags_with_expiration.return_value = [
+                "tags",
+                "expiration",
+            ]
+            with client_with_identity("devtable", client) as cl:
+                params = {"repository": "devtable/repo"}
+                request_body = {"trust_enabled": trust_enabled}
+                conduct_api_call(
+                    cl, RepositoryTrust, "POST", params, request_body, expected_status
+                )
 
 
 def test_signing_disabled(client):
-  with patch('features.SIGNING', FeatureNameValue('SIGNING', False)):
-    with client_with_identity('devtable', client) as cl:
-      params = {'repository': 'devtable/simple'}
-      response = conduct_api_call(cl, Repository, 'GET', params).json
-      assert not response['trust_enabled']
+    with patch("features.SIGNING", FeatureNameValue("SIGNING", False)):
+        with client_with_identity("devtable", client) as cl:
+            params = {"repository": "devtable/simple"}
+            response = conduct_api_call(cl, Repository, "GET", params).json
+            assert not response["trust_enabled"]
 
 
 def test_list_starred_repos(client):
-  with client_with_identity('devtable', client) as cl:
-    params = {
-      'starred': 'true',
-    }
+    with client_with_identity("devtable", client) as cl:
+        params = {"starred": "true"}
 
-    response = conduct_api_call(cl, RepositoryList, 'GET', params).json
-    repos = {r['namespace'] + '/' + r['name'] for r in response['repositories']}
-    assert 'devtable/simple' in repos
-    assert 'public/publicrepo' not in repos
+        response = conduct_api_call(cl, RepositoryList, "GET", params).json
+        repos = {r["namespace"] + "/" + r["name"] for r in response["repositories"]}
+        assert "devtable/simple" in repos
+        assert "public/publicrepo" not in repos
 
-    # Add a star on publicrepo.
-    publicrepo = model.repository.get_repository('public', 'publicrepo')
-    model.repository.star_repository(model.user.get_user('devtable'), publicrepo)
+        # Add a star on publicrepo.
+        publicrepo = model.repository.get_repository("public", "publicrepo")
+        model.repository.star_repository(model.user.get_user("devtable"), publicrepo)
 
-    # Ensure publicrepo shows up.
-    response = conduct_api_call(cl, RepositoryList, 'GET', params).json
-    repos = {r['namespace'] + '/' + r['name'] for r in response['repositories']}
-    assert 'devtable/simple' in repos
-    assert 'public/publicrepo' in repos
+        # Ensure publicrepo shows up.
+        response = conduct_api_call(cl, RepositoryList, "GET", params).json
+        repos = {r["namespace"] + "/" + r["name"] for r in response["repositories"]}
+        assert "devtable/simple" in repos
+        assert "public/publicrepo" in repos
 
-    # Make publicrepo private and ensure it disappears.
-    model.repository.set_repository_visibility(publicrepo, 'private')
+        # Make publicrepo private and ensure it disappears.
+        model.repository.set_repository_visibility(publicrepo, "private")
 
-    response = conduct_api_call(cl, RepositoryList, 'GET', params).json
-    repos = {r['namespace'] + '/' + r['name'] for r in response['repositories']}
-    assert 'devtable/simple' in repos
-    assert 'public/publicrepo' not in repos
+        response = conduct_api_call(cl, RepositoryList, "GET", params).json
+        repos = {r["namespace"] + "/" + r["name"] for r in response["repositories"]}
+        assert "devtable/simple" in repos
+        assert "public/publicrepo" not in repos
 
 
 def test_list_repositories_last_modified(client):
-  with client_with_identity('devtable', client) as cl:
-    params = {
-      'namespace': 'devtable',
-      'last_modified': 'true',
-    }
+    with client_with_identity("devtable", client) as cl:
+        params = {"namespace": "devtable", "last_modified": "true"}
 
-    response = conduct_api_call(cl, RepositoryList, 'GET', params).json
+        response = conduct_api_call(cl, RepositoryList, "GET", params).json
 
-    for repo in response['repositories']:
-      if repo['name'] != 'building':
-        assert repo['last_modified'] is not None
+        for repo in response["repositories"]:
+            if repo["name"] != "building":
+                assert repo["last_modified"] is not None
 
 
-@pytest.mark.parametrize('repo_name, expected_status', [
-  pytest.param('x' * 255, 201, id='Maximum allowed length'),
-  pytest.param('x' * 256, 400, id='Over allowed length'),
-  pytest.param('a|b', 400, id='Invalid name'),
-])
+@pytest.mark.parametrize(
+    "repo_name, expected_status",
+    [
+        pytest.param("x" * 255, 201, id="Maximum allowed length"),
+        pytest.param("x" * 256, 400, id="Over allowed length"),
+        pytest.param("a|b", 400, id="Invalid name"),
+    ],
+)
 def test_create_repository(repo_name, expected_status, client):
-  with client_with_identity('devtable', client) as cl:
-    body = {
-      'namespace': 'devtable',
-      'repository': repo_name,
-      'visibility': 'public',
-      'description': 'foo',
-    }
+    with client_with_identity("devtable", client) as cl:
+        body = {
+            "namespace": "devtable",
+            "repository": repo_name,
+            "visibility": "public",
+            "description": "foo",
+        }
 
-    result = conduct_api_call(client, RepositoryList, 'post', None, body,
-                              expected_code=expected_status).json
-    if expected_status == 201:
-      assert result['name'] == repo_name
-      assert model.repository.get_repository('devtable', repo_name).name == repo_name
+        result = conduct_api_call(
+            client, RepositoryList, "post", None, body, expected_code=expected_status
+        ).json
+        if expected_status == 201:
+            assert result["name"] == repo_name
+            assert (
+                model.repository.get_repository("devtable", repo_name).name == repo_name
+            )
 
 
-@pytest.mark.parametrize('has_tag_manifest', [
-  True,
-  False,
-])
+@pytest.mark.parametrize("has_tag_manifest", [True, False])
 def test_get_repo(has_tag_manifest, client, initialized_db):
-  with client_with_identity('devtable', client) as cl:
-    if not has_tag_manifest:
-      database.TagManifestLabelMap.delete().execute()
-      database.TagManifestToManifest.delete().execute()
-      database.TagManifestLabel.delete().execute()
-      database.TagManifest.delete().execute()
+    with client_with_identity("devtable", client) as cl:
+        if not has_tag_manifest:
+            database.TagManifestLabelMap.delete().execute()
+            database.TagManifestToManifest.delete().execute()
+            database.TagManifestLabel.delete().execute()
+            database.TagManifest.delete().execute()
 
-    params = {'repository': 'devtable/simple'}
-    response = conduct_api_call(cl, Repository, 'GET', params).json
-    assert response['kind'] == 'image'
+        params = {"repository": "devtable/simple"}
+        response = conduct_api_call(cl, Repository, "GET", params).json
+        assert response["kind"] == "image"
 
 
 def test_get_app_repo(client, initialized_db):
-  with client_with_identity('devtable', client) as cl:
-    devtable = model.user.get_user('devtable')
-    repo = model.repository.create_repository('devtable', 'someappr', devtable,
-                                              repo_kind='application')
+    with client_with_identity("devtable", client) as cl:
+        devtable = model.user.get_user("devtable")
+        repo = model.repository.create_repository(
+            "devtable", "someappr", devtable, repo_kind="application"
+        )
 
-    models_ref = appr_model.models_ref
-    blob.get_or_create_blob('sha256:somedigest', 0, 'application/vnd.cnr.blob.v0.tar+gzip',
-                            ['local_us'], models_ref)
+        models_ref = appr_model.models_ref
+        blob.get_or_create_blob(
+            "sha256:somedigest",
+            0,
+            "application/vnd.cnr.blob.v0.tar+gzip",
+            ["local_us"],
+            models_ref,
+        )
 
-    release.create_app_release(repo, 'test',
-                               dict(mediaType='application/vnd.cnr.package-manifest.helm.v0.json'),
-                               'sha256:somedigest', models_ref, False)
+        release.create_app_release(
+            repo,
+            "test",
+            dict(mediaType="application/vnd.cnr.package-manifest.helm.v0.json"),
+            "sha256:somedigest",
+            models_ref,
+            False,
+        )
 
-    channel.create_or_update_channel(repo, 'somechannel', 'test', models_ref)
+        channel.create_or_update_channel(repo, "somechannel", "test", models_ref)
 
-    params = {'repository': 'devtable/someappr'}
-    response = conduct_api_call(cl, Repository, 'GET', params).json
-    assert response['kind'] == 'application'
-    assert response['channels']
-    assert response['releases']
+        params = {"repository": "devtable/someappr"}
+        response = conduct_api_call(cl, Repository, "GET", params).json
+        assert response["kind"] == "application"
+        assert response["channels"]
+        assert response["releases"]
 
 
-
-@pytest.mark.parametrize('state, can_write', [
-  (database.RepositoryState.NORMAL, True),
-  (database.RepositoryState.READ_ONLY, False),
-  (database.RepositoryState.MIRROR, False),
-])
+@pytest.mark.parametrize(
+    "state, can_write",
+    [
+        (database.RepositoryState.NORMAL, True),
+        (database.RepositoryState.READ_ONLY, False),
+        (database.RepositoryState.MIRROR, False),
+    ],
+)
 def test_get_repo_state_can_write(state, can_write, client, initialized_db):
-  with client_with_identity('devtable', client) as cl:
-    params = {'repository': 'devtable/simple'}
-    response = conduct_api_call(cl, Repository, 'GET', params).json
-    assert response['can_write']
+    with client_with_identity("devtable", client) as cl:
+        params = {"repository": "devtable/simple"}
+        response = conduct_api_call(cl, Repository, "GET", params).json
+        assert response["can_write"]
 
-  repo = model.repository.get_repository('devtable', 'simple')
-  repo.state = state
-  repo.save()
+    repo = model.repository.get_repository("devtable", "simple")
+    repo.state = state
+    repo.save()
 
-  with client_with_identity('devtable', client) as cl:
-    params = {'repository': 'devtable/simple'}
-    response = conduct_api_call(cl, Repository, 'GET', params).json
-    assert response['can_write'] == can_write
+    with client_with_identity("devtable", client) as cl:
+        params = {"repository": "devtable/simple"}
+        response = conduct_api_call(cl, Repository, "GET", params).json
+        assert response["can_write"] == can_write
diff --git a/endpoints/api/test/test_repositorynotification.py b/endpoints/api/test/test_repositorynotification.py
index 06d65e2f0..78f30ab16 100644
--- a/endpoints/api/test/test_repositorynotification.py
+++ b/endpoints/api/test/test_repositorynotification.py
@@ -3,88 +3,196 @@ import pytest
 from mock import Mock, MagicMock
 
 from endpoints.api.test.shared import conduct_api_call
-from endpoints.api.repositorynotification import RepositoryNotificationList, RepositoryNotification, TestRepositoryNotification
+from endpoints.api.repositorynotification import (
+    RepositoryNotificationList,
+    RepositoryNotification,
+    TestRepositoryNotification,
+)
 from endpoints.test.shared import client_with_identity
 import endpoints.api.repositorynotification_models_interface as iface
 from test.fixtures import *
 
+
 @pytest.fixture()
 def authd_client(client):
-  with client_with_identity('devtable', client) as cl:
-    yield cl
-    
+    with client_with_identity("devtable", client) as cl:
+        yield cl
+
+
 def mock_get_notification(uuid):
-  mock_notification = MagicMock(iface.RepositoryNotification)
-  if uuid == 'exists':
-    mock_notification.return_value = iface.RepositoryNotification(
-      'exists',
-      'title',
-      'event_name',
-      'method_name',
-      'config_json',
-      'event_config_json',
-      2,
+    mock_notification = MagicMock(iface.RepositoryNotification)
+    if uuid == "exists":
+        mock_notification.return_value = iface.RepositoryNotification(
+            "exists",
+            "title",
+            "event_name",
+            "method_name",
+            "config_json",
+            "event_config_json",
+            2,
+        )
+    else:
+        mock_notification.return_value = None
+    return mock_notification
+
+
+@pytest.mark.parametrize(
+    "namespace,repository,body,expected_code",
+    [
+        (
+            "devtable",
+            "simple",
+            dict(
+                config={"url": "http://example.com"},
+                event="repo_push",
+                method="webhook",
+                eventConfig={},
+                title="test",
+            ),
+            201,
+        ),
+        (
+            "devtable",
+            "simple",
+            dict(
+                config={"url": "http://example.com"},
+                event="repo_mirror_sync_started",
+                method="webhook",
+                eventConfig={},
+                title="test",
+            ),
+            201,
+        ),
+        (
+            "devtable",
+            "simple",
+            dict(
+                config={"url": "http://example.com"},
+                event="repo_mirror_sync_success",
+                method="webhook",
+                eventConfig={},
+                title="test",
+            ),
+            201,
+        ),
+        (
+            "devtable",
+            "simple",
+            dict(
+                config={"url": "http://example.com"},
+                event="repo_mirror_sync_failed",
+                method="webhook",
+                eventConfig={},
+                title="test",
+            ),
+            201,
+        ),
+    ],
+)
+def test_create_repo_notification(
+    namespace, repository, body, expected_code, authd_client
+):
+    params = {"repository": namespace + "/" + repository}
+    conduct_api_call(
+        authd_client,
+        RepositoryNotificationList,
+        "POST",
+        params,
+        body,
+        expected_code=expected_code,
     )
-  else:
-    mock_notification.return_value = None
-  return mock_notification
 
-@pytest.mark.parametrize('namespace,repository,body,expected_code',[
-  ('devtable', 'simple', dict(config={'url': 'http://example.com'}, event='repo_push',
-      method='webhook', eventConfig={}, title='test'), 201),
-  ('devtable', 'simple', dict(config={'url': 'http://example.com'}, event='repo_mirror_sync_started',
-      method='webhook', eventConfig={}, title='test'), 201),
-  ('devtable', 'simple', dict(config={'url': 'http://example.com'}, event='repo_mirror_sync_success',
-      method='webhook', eventConfig={}, title='test'), 201),
-  ('devtable', 'simple', dict(config={'url': 'http://example.com'}, event='repo_mirror_sync_failed',
-      method='webhook', eventConfig={}, title='test'), 201)
-])
-def test_create_repo_notification(namespace, repository, body, expected_code, authd_client):
-    params = {'repository': namespace + '/' + repository}
-    conduct_api_call(authd_client, RepositoryNotificationList, 'POST', params, body, expected_code=expected_code)
 
-@pytest.mark.parametrize('namespace,repository,expected_code',[
-  ('devtable', 'simple', 200)
-])
+@pytest.mark.parametrize(
+    "namespace,repository,expected_code", [("devtable", "simple", 200)]
+)
 def test_list_repo_notifications(namespace, repository, expected_code, authd_client):
-    params = {'repository': namespace + '/' + repository}
-    resp = conduct_api_call(authd_client, RepositoryNotificationList, 'GET', params, expected_code=expected_code).json
-    assert len(resp['notifications']) > 0
-  
-@pytest.mark.parametrize('namespace,repository,uuid,expected_code',[
-  ('devtable', 'simple', 'exists', 200),
-  ('devtable', 'simple', 'not found', 404),
-])
-def test_get_repo_notification(namespace, repository, uuid, expected_code, authd_client, monkeypatch):
-  monkeypatch.setattr('endpoints.api.repositorynotification.model.get_repo_notification', mock_get_notification(uuid))
-  params = {'repository': namespace + '/' + repository, 'uuid': uuid}
-  conduct_api_call(authd_client, RepositoryNotification, 'GET', params, expected_code=expected_code)
-
-@pytest.mark.parametrize('namespace,repository,uuid,expected_code',[
-  ('devtable', 'simple', 'exists', 204),
-  ('devtable', 'simple', 'not found', 400),
-])
-def test_delete_repo_notification(namespace, repository, uuid, expected_code, authd_client, monkeypatch):
-  monkeypatch.setattr('endpoints.api.repositorynotification.model.delete_repo_notification', mock_get_notification(uuid))
-  params = {'repository': namespace + '/' + repository, 'uuid': uuid}
-  conduct_api_call(authd_client, RepositoryNotification, 'DELETE', params, expected_code=expected_code)
+    params = {"repository": namespace + "/" + repository}
+    resp = conduct_api_call(
+        authd_client,
+        RepositoryNotificationList,
+        "GET",
+        params,
+        expected_code=expected_code,
+    ).json
+    assert len(resp["notifications"]) > 0
 
 
-@pytest.mark.parametrize('namespace,repository,uuid,expected_code',[
-  ('devtable', 'simple', 'exists', 204),
-  ('devtable', 'simple', 'not found', 400),
-])
-def test_reset_repo_noticiation(namespace, repository, uuid, expected_code, authd_client, monkeypatch):
-  monkeypatch.setattr('endpoints.api.repositorynotification.model.reset_notification_number_of_failures', mock_get_notification(uuid))
-  params = {'repository': namespace + '/' + repository, 'uuid': uuid}
-  conduct_api_call(authd_client, RepositoryNotification, 'POST', params, expected_code=expected_code)
+@pytest.mark.parametrize(
+    "namespace,repository,uuid,expected_code",
+    [("devtable", "simple", "exists", 200), ("devtable", "simple", "not found", 404)],
+)
+def test_get_repo_notification(
+    namespace, repository, uuid, expected_code, authd_client, monkeypatch
+):
+    monkeypatch.setattr(
+        "endpoints.api.repositorynotification.model.get_repo_notification",
+        mock_get_notification(uuid),
+    )
+    params = {"repository": namespace + "/" + repository, "uuid": uuid}
+    conduct_api_call(
+        authd_client, RepositoryNotification, "GET", params, expected_code=expected_code
+    )
 
 
-@pytest.mark.parametrize('namespace,repository,uuid,expected_code',[
-  ('devtable', 'simple', 'exists', 200),
-  ('devtable', 'simple', 'not found', 400),
-])
-def test_test_repo_notification(namespace, repository, uuid, expected_code, authd_client, monkeypatch):
-  monkeypatch.setattr('endpoints.api.repositorynotification.model.queue_test_notification', mock_get_notification(uuid))
-  params = {'repository': namespace + '/' + repository, 'uuid': uuid}
-  conduct_api_call(authd_client, TestRepositoryNotification, 'POST', params, expected_code=expected_code)
+@pytest.mark.parametrize(
+    "namespace,repository,uuid,expected_code",
+    [("devtable", "simple", "exists", 204), ("devtable", "simple", "not found", 400)],
+)
+def test_delete_repo_notification(
+    namespace, repository, uuid, expected_code, authd_client, monkeypatch
+):
+    monkeypatch.setattr(
+        "endpoints.api.repositorynotification.model.delete_repo_notification",
+        mock_get_notification(uuid),
+    )
+    params = {"repository": namespace + "/" + repository, "uuid": uuid}
+    conduct_api_call(
+        authd_client,
+        RepositoryNotification,
+        "DELETE",
+        params,
+        expected_code=expected_code,
+    )
+
+
+@pytest.mark.parametrize(
+    "namespace,repository,uuid,expected_code",
+    [("devtable", "simple", "exists", 204), ("devtable", "simple", "not found", 400)],
+)
+def test_reset_repo_noticiation(
+    namespace, repository, uuid, expected_code, authd_client, monkeypatch
+):
+    monkeypatch.setattr(
+        "endpoints.api.repositorynotification.model.reset_notification_number_of_failures",
+        mock_get_notification(uuid),
+    )
+    params = {"repository": namespace + "/" + repository, "uuid": uuid}
+    conduct_api_call(
+        authd_client,
+        RepositoryNotification,
+        "POST",
+        params,
+        expected_code=expected_code,
+    )
+
+
+@pytest.mark.parametrize(
+    "namespace,repository,uuid,expected_code",
+    [("devtable", "simple", "exists", 200), ("devtable", "simple", "not found", 400)],
+)
+def test_test_repo_notification(
+    namespace, repository, uuid, expected_code, authd_client, monkeypatch
+):
+    monkeypatch.setattr(
+        "endpoints.api.repositorynotification.model.queue_test_notification",
+        mock_get_notification(uuid),
+    )
+    params = {"repository": namespace + "/" + repository, "uuid": uuid}
+    conduct_api_call(
+        authd_client,
+        TestRepositoryNotification,
+        "POST",
+        params,
+        expected_code=expected_code,
+    )
diff --git a/endpoints/api/test/test_robot.py b/endpoints/api/test/test_robot.py
index 7c5349549..3d9702228 100644
--- a/endpoints/api/test/test_robot.py
+++ b/endpoints/api/test/test_robot.py
@@ -12,93 +12,103 @@ from test.test_ldap import mock_ldap
 
 from test.fixtures import *
 
-@pytest.mark.parametrize('endpoint', [
-  UserRobot,
-  OrgRobot,
-])
-@pytest.mark.parametrize('body', [
-  {},
-  {'description': 'this is a description'},
-  {'unstructured_metadata': {'foo': 'bar'}},
-  {'description': 'this is a description', 'unstructured_metadata': {'foo': 'bar'}},
-])
+
+@pytest.mark.parametrize("endpoint", [UserRobot, OrgRobot])
+@pytest.mark.parametrize(
+    "body",
+    [
+        {},
+        {"description": "this is a description"},
+        {"unstructured_metadata": {"foo": "bar"}},
+        {
+            "description": "this is a description",
+            "unstructured_metadata": {"foo": "bar"},
+        },
+    ],
+)
 def test_create_robot_with_metadata(endpoint, body, client):
-  with client_with_identity('devtable', client) as cl:
-    # Create the robot with the specified body.
-    conduct_api_call(cl, endpoint, 'PUT', {'orgname': 'buynlarge', 'robot_shortname': 'somebot'},
-                     body, expected_code=201)
+    with client_with_identity("devtable", client) as cl:
+        # Create the robot with the specified body.
+        conduct_api_call(
+            cl,
+            endpoint,
+            "PUT",
+            {"orgname": "buynlarge", "robot_shortname": "somebot"},
+            body,
+            expected_code=201,
+        )
 
-    # Ensure the create succeeded.
-    resp = conduct_api_call(cl, endpoint, 'GET', {
-      'orgname': 'buynlarge',
-      'robot_shortname': 'somebot',
-    })
+        # Ensure the create succeeded.
+        resp = conduct_api_call(
+            cl, endpoint, "GET", {"orgname": "buynlarge", "robot_shortname": "somebot"}
+        )
 
-    body = body or {}
-    assert resp.json['description'] == (body.get('description') or '')
-    assert resp.json['unstructured_metadata'] == (body.get('unstructured_metadata') or {})
+        body = body or {}
+        assert resp.json["description"] == (body.get("description") or "")
+        assert resp.json["unstructured_metadata"] == (
+            body.get("unstructured_metadata") or {}
+        )
 
 
-@pytest.mark.parametrize('endpoint, params', [
-  (UserRobot, {'robot_shortname': 'dtrobot'}),
-  (OrgRobot, {'orgname': 'buynlarge', 'robot_shortname': 'coolrobot'}),
-])
+@pytest.mark.parametrize(
+    "endpoint, params",
+    [
+        (UserRobot, {"robot_shortname": "dtrobot"}),
+        (OrgRobot, {"orgname": "buynlarge", "robot_shortname": "coolrobot"}),
+    ],
+)
 def test_retrieve_robot(endpoint, params, app, client):
-  with client_with_identity('devtable', client) as cl:
-    result = conduct_api_call(cl, endpoint, 'GET', params, None)
-    assert result.json['token'] is not None
+    with client_with_identity("devtable", client) as cl:
+        result = conduct_api_call(cl, endpoint, "GET", params, None)
+        assert result.json["token"] is not None
 
 
-@pytest.mark.parametrize('endpoint, params, bot_endpoint', [
-  (UserRobotList, {}, UserRobot),
-  (OrgRobotList, {'orgname': 'buynlarge'}, OrgRobot),
-])
-@pytest.mark.parametrize('include_token', [
-  True,
-  False,
-])
-@pytest.mark.parametrize('limit', [
-  None,
-  1,
-  5,
-])
-def test_retrieve_robots(endpoint, params, bot_endpoint, include_token, limit, app, client):
-  params['token'] = 'true' if include_token else 'false'
-
-  if limit is not None:
-    params['limit'] = limit
-
-  with client_with_identity('devtable', client) as cl:
-    result = conduct_api_call(cl, endpoint, 'GET', params, None)
+@pytest.mark.parametrize(
+    "endpoint, params, bot_endpoint",
+    [
+        (UserRobotList, {}, UserRobot),
+        (OrgRobotList, {"orgname": "buynlarge"}, OrgRobot),
+    ],
+)
+@pytest.mark.parametrize("include_token", [True, False])
+@pytest.mark.parametrize("limit", [None, 1, 5])
+def test_retrieve_robots(
+    endpoint, params, bot_endpoint, include_token, limit, app, client
+):
+    params["token"] = "true" if include_token else "false"
 
     if limit is not None:
-      assert len(result.json['robots']) <= limit
+        params["limit"] = limit
 
-    for robot in result.json['robots']:
-      assert (robot.get('token') is not None) == include_token
-      if include_token:
-        bot_params = dict(params)
-        bot_params['robot_shortname'] = parse_robot_username(robot['name'])[1]
-        result = conduct_api_call(cl, bot_endpoint, 'GET', bot_params, None)
-        assert robot.get('token') == result.json['token']
+    with client_with_identity("devtable", client) as cl:
+        result = conduct_api_call(cl, endpoint, "GET", params, None)
+
+        if limit is not None:
+            assert len(result.json["robots"]) <= limit
+
+        for robot in result.json["robots"]:
+            assert (robot.get("token") is not None) == include_token
+            if include_token:
+                bot_params = dict(params)
+                bot_params["robot_shortname"] = parse_robot_username(robot["name"])[1]
+                result = conduct_api_call(cl, bot_endpoint, "GET", bot_params, None)
+                assert robot.get("token") == result.json["token"]
 
 
-@pytest.mark.parametrize('username, is_admin', [
-  ('devtable', True),
-  ('reader', False),
-])
-@pytest.mark.parametrize('with_permissions', [
-  True,
-  False,
-])
-def test_retrieve_robots_token_permission(username, is_admin, with_permissions, app, client):
-  with client_with_identity(username, client) as cl:
-    params = {'orgname': 'buynlarge', 'token': 'true'}
-    if with_permissions:
-      params['permissions'] = 'true'
+@pytest.mark.parametrize("username, is_admin", [("devtable", True), ("reader", False)])
+@pytest.mark.parametrize("with_permissions", [True, False])
+def test_retrieve_robots_token_permission(
+    username, is_admin, with_permissions, app, client
+):
+    with client_with_identity(username, client) as cl:
+        params = {"orgname": "buynlarge", "token": "true"}
+        if with_permissions:
+            params["permissions"] = "true"
 
-    result = conduct_api_call(cl, OrgRobotList, 'GET', params, None)
-    assert result.json['robots']
-    for robot in result.json['robots']:
-      assert (robot.get('token') is not None) == is_admin
-      assert (robot.get('repositories') is not None) == (is_admin and with_permissions)
+        result = conduct_api_call(cl, OrgRobotList, "GET", params, None)
+        assert result.json["robots"]
+        for robot in result.json["robots"]:
+            assert (robot.get("token") is not None) == is_admin
+            assert (robot.get("repositories") is not None) == (
+                is_admin and with_permissions
+            )
diff --git a/endpoints/api/test/test_search.py b/endpoints/api/test/test_search.py
index 5e034934c..5ce77236f 100644
--- a/endpoints/api/test/test_search.py
+++ b/endpoints/api/test/test_search.py
@@ -8,34 +8,28 @@ from endpoints.api.test.shared import conduct_api_call
 from endpoints.test.shared import client_with_identity
 from test.fixtures import *
 
-@pytest.mark.parametrize('query', [
-  (''),
-  ('simple'),
-  ('public'),
-  ('repository'),
-])
+
+@pytest.mark.parametrize("query", [(""), ("simple"), ("public"), ("repository")])
 def test_repository_search(query, client):
-  # Prime the caches.
-  database.Repository.kind.get_id('image')
-  database.Repository.kind.get_name(1)
+    # Prime the caches.
+    database.Repository.kind.get_id("image")
+    database.Repository.kind.get_name(1)
 
-  with client_with_identity('devtable', client) as cl:
-    params = {'query': query}
-    with assert_query_count(7):
-      result = conduct_api_call(cl, ConductRepositorySearch, 'GET', params, None, 200).json
-      assert result['start_index'] == 0
-      assert result['page'] == 1
-      assert len(result['results'])
+    with client_with_identity("devtable", client) as cl:
+        params = {"query": query}
+        with assert_query_count(7):
+            result = conduct_api_call(
+                cl, ConductRepositorySearch, "GET", params, None, 200
+            ).json
+            assert result["start_index"] == 0
+            assert result["page"] == 1
+            assert len(result["results"])
 
 
-@pytest.mark.parametrize('query', [
-  ('simple'),
-  ('public'),
-  ('repository'),
-])
+@pytest.mark.parametrize("query", [("simple"), ("public"), ("repository")])
 def test_search_query_count(query, client):
-  with client_with_identity('devtable', client) as cl:
-    params = {'query': query}
-    with assert_query_count(10):
-      result = conduct_api_call(cl, ConductSearch, 'GET', params, None, 200).json
-      assert len(result['results'])
+    with client_with_identity("devtable", client) as cl:
+        params = {"query": query}
+        with assert_query_count(10):
+            result = conduct_api_call(cl, ConductSearch, "GET", params, None, 200).json
+            assert len(result["results"])
diff --git a/endpoints/api/test/test_secscan.py b/endpoints/api/test/test_secscan.py
index 40afa6ac3..21437a005 100644
--- a/endpoints/api/test/test_secscan.py
+++ b/endpoints/api/test/test_secscan.py
@@ -8,23 +8,25 @@ from endpoints.api.secscan import RepositoryImageSecurity, RepositoryManifestSec
 
 from test.fixtures import *
 
-@pytest.mark.parametrize('endpoint', [
-  RepositoryImageSecurity,
-  RepositoryManifestSecurity,
-])
+
+@pytest.mark.parametrize(
+    "endpoint", [RepositoryImageSecurity, RepositoryManifestSecurity]
+)
 def test_get_security_info_with_pull_secret(endpoint, client):
-  repository_ref = registry_model.lookup_repository('devtable', 'simple')
-  tag = registry_model.get_repo_tag(repository_ref, 'latest', include_legacy_image=True)
-  manifest = registry_model.get_manifest_for_tag(tag, backfill_if_necessary=True)
+    repository_ref = registry_model.lookup_repository("devtable", "simple")
+    tag = registry_model.get_repo_tag(
+        repository_ref, "latest", include_legacy_image=True
+    )
+    manifest = registry_model.get_manifest_for_tag(tag, backfill_if_necessary=True)
 
-  params = {
-    'repository': 'devtable/simple',
-    'imageid': tag.legacy_image.docker_image_id,
-    'manifestref': manifest.digest,
-  }
+    params = {
+        "repository": "devtable/simple",
+        "imageid": tag.legacy_image.docker_image_id,
+        "manifestref": manifest.digest,
+    }
 
-  headers = {
-    'Authorization': 'Basic %s' % base64.b64encode('devtable:password'),
-  }
+    headers = {"Authorization": "Basic %s" % base64.b64encode("devtable:password")}
 
-  conduct_api_call(client, endpoint, 'GET', params, None, headers=headers, expected_code=200)
+    conduct_api_call(
+        client, endpoint, "GET", params, None, headers=headers, expected_code=200
+    )
diff --git a/endpoints/api/test/test_security.py b/endpoints/api/test/test_security.py
index 9f93413a7..1a8b83b26 100644
--- a/endpoints/api/test/test_security.py
+++ b/endpoints/api/test/test_security.py
@@ -39,1447 +39,7045 @@ from endpoints.api.repository import Repository
 
 from test.fixtures import *
 
-ORG_PARAMS = {'orgname': 'buynlarge'}
-TEAM_PARAMS = {'orgname': 'buynlarge', 'teamname': 'owners'}
-BUILD_PARAMS = {'build_uuid': 'test-1234'}
-REPO_PARAMS = {'repository': 'devtable/someapp'}
-SEARCH_PARAMS = {'query': ''}
-NOTIFICATION_PARAMS = {'namespace': 'devtable', 'repository': 'devtable/simple', 'uuid': 'some uuid'}
-TOKEN_PARAMS = {'token_uuid': 'someuuid'}
-TRIGGER_PARAMS = {'repository': 'devtable/simple', 'trigger_uuid': 'someuuid'}
-MANIFEST_PARAMS =  {'repository': 'devtable/simple', 'manifestref': 'sha256:deadbeef'}
-EXPORTLOGS_PARAMS = {'callback_url': 'http://foo'}
+ORG_PARAMS = {"orgname": "buynlarge"}
+TEAM_PARAMS = {"orgname": "buynlarge", "teamname": "owners"}
+BUILD_PARAMS = {"build_uuid": "test-1234"}
+REPO_PARAMS = {"repository": "devtable/someapp"}
+SEARCH_PARAMS = {"query": ""}
+NOTIFICATION_PARAMS = {
+    "namespace": "devtable",
+    "repository": "devtable/simple",
+    "uuid": "some uuid",
+}
+TOKEN_PARAMS = {"token_uuid": "someuuid"}
+TRIGGER_PARAMS = {"repository": "devtable/simple", "trigger_uuid": "someuuid"}
+MANIFEST_PARAMS = {"repository": "devtable/simple", "manifestref": "sha256:deadbeef"}
+EXPORTLOGS_PARAMS = {"callback_url": "http://foo"}
 
 SECURITY_TESTS = [
-  (AppTokens, 'GET', {}, {}, None, 401),
-  (AppTokens, 'GET', {}, {}, 'freshuser', 200),
-  (AppTokens, 'GET', {}, {}, 'reader', 200),
-  (AppTokens, 'GET', {}, {}, 'devtable', 200),
-
-  (AppTokens, 'POST', {}, {}, None, 401),
-  (AppTokens, 'POST', {}, {}, 'freshuser', 400),
-  (AppTokens, 'POST', {}, {}, 'reader', 400),
-  (AppTokens, 'POST', {}, {}, 'devtable', 400),
-
-  (AppToken, 'GET', TOKEN_PARAMS, {}, None, 401),
-  (AppToken, 'GET', TOKEN_PARAMS, {}, 'freshuser', 404),
-  (AppToken, 'GET', TOKEN_PARAMS, {}, 'reader', 404),
-  (AppToken, 'GET', TOKEN_PARAMS, {}, 'devtable', 404),
-
-  (AppToken, 'DELETE', TOKEN_PARAMS, {}, None, 401),
-  (AppToken, 'DELETE', TOKEN_PARAMS, {}, 'freshuser', 404),
-  (AppToken, 'DELETE', TOKEN_PARAMS, {}, 'reader', 404),
-  (AppToken, 'DELETE', TOKEN_PARAMS, {}, 'devtable', 404),
-
-  (RepositoryManifest, 'GET', MANIFEST_PARAMS, {}, None, 401),
-  (RepositoryManifest, 'GET', MANIFEST_PARAMS, {}, 'freshuser', 403),
-  (RepositoryManifest, 'GET', MANIFEST_PARAMS, {}, 'reader', 403),
-  (RepositoryManifest, 'GET', MANIFEST_PARAMS, {}, 'devtable', 404),
-
-  (OrganizationCollaboratorList, 'GET', ORG_PARAMS, None, None, 401),
-  (OrganizationCollaboratorList, 'GET', ORG_PARAMS, None, 'freshuser', 403),
-  (OrganizationCollaboratorList, 'GET', ORG_PARAMS, None, 'reader', 403),
-  (OrganizationCollaboratorList, 'GET', ORG_PARAMS, None, 'devtable', 200),
-
-  (OrganizationTeamSyncing, 'POST', TEAM_PARAMS, {}, None, 401),
-  (OrganizationTeamSyncing, 'POST', TEAM_PARAMS, {}, 'freshuser', 403),
-  (OrganizationTeamSyncing, 'POST', TEAM_PARAMS, {}, 'reader', 403),
-  (OrganizationTeamSyncing, 'POST', TEAM_PARAMS, {}, 'devtable', 400),
-
-  (OrganizationTeamSyncing, 'DELETE', TEAM_PARAMS, {}, None, 401),
-  (OrganizationTeamSyncing, 'DELETE', TEAM_PARAMS, {}, 'freshuser', 403),
-  (OrganizationTeamSyncing, 'DELETE', TEAM_PARAMS, {}, 'reader', 403),
-  (OrganizationTeamSyncing, 'DELETE', TEAM_PARAMS, {}, 'devtable', 200),
-
-  (ConductRepositorySearch, 'GET', SEARCH_PARAMS, None, None, 200),
-  (ConductRepositorySearch, 'GET', SEARCH_PARAMS, None, 'freshuser', 200),
-  (ConductRepositorySearch, 'GET', SEARCH_PARAMS, None, 'reader', 200),
-  (ConductRepositorySearch, 'GET', SEARCH_PARAMS, None, 'devtable', 200),
-
-  (SuperUserRepositoryBuildLogs, 'GET', BUILD_PARAMS, None, None, 401),
-  (SuperUserRepositoryBuildLogs, 'GET', BUILD_PARAMS, None, 'freshuser', 403),
-  (SuperUserRepositoryBuildLogs, 'GET', BUILD_PARAMS, None, 'reader', 403),
-  (SuperUserRepositoryBuildLogs, 'GET', BUILD_PARAMS, None, 'devtable', 400),
-
-  (SuperUserRepositoryBuildStatus, 'GET', BUILD_PARAMS, None, None, 401),
-  (SuperUserRepositoryBuildStatus, 'GET', BUILD_PARAMS, None, 'freshuser', 403),
-  (SuperUserRepositoryBuildStatus, 'GET', BUILD_PARAMS, None, 'reader', 403),
-  (SuperUserRepositoryBuildStatus, 'GET', BUILD_PARAMS, None, 'devtable', 400),
-
-  (SuperUserRepositoryBuildResource, 'GET', BUILD_PARAMS, None, None, 401),
-  (SuperUserRepositoryBuildResource, 'GET', BUILD_PARAMS, None, 'freshuser', 403),
-  (SuperUserRepositoryBuildResource, 'GET', BUILD_PARAMS, None, 'reader', 403),
-  (SuperUserRepositoryBuildResource, 'GET', BUILD_PARAMS, None, 'devtable', 404),
-
-  (RepositorySignatures, 'GET', REPO_PARAMS, {}, 'freshuser', 403),
-  (RepositorySignatures, 'GET', REPO_PARAMS, {}, 'reader', 403),
-  (RepositorySignatures, 'GET', REPO_PARAMS, {}, 'devtable', 404),
-
-  (RepositoryNotification, 'POST', NOTIFICATION_PARAMS, {}, None, 401),
-  (RepositoryNotification, 'POST', NOTIFICATION_PARAMS, {}, 'freshuser', 403),
-  (RepositoryNotification, 'POST', NOTIFICATION_PARAMS, {}, 'reader', 403),
-  (RepositoryNotification, 'POST', NOTIFICATION_PARAMS, {}, 'devtable', 400),
-
-  (RepositoryTrust, 'POST', REPO_PARAMS, {'trust_enabled': True}, None, 401),
-  (RepositoryTrust, 'POST', REPO_PARAMS, {'trust_enabled': True}, 'freshuser', 403),
-  (RepositoryTrust, 'POST', REPO_PARAMS, {'trust_enabled': True}, 'reader', 403),
-  (RepositoryTrust, 'POST', REPO_PARAMS, {'trust_enabled': True}, 'devtable', 404),
-
-  (BuildTrigger, 'GET', TRIGGER_PARAMS, {}, None, 401),
-  (BuildTrigger, 'GET', TRIGGER_PARAMS, {}, 'freshuser', 403),
-  (BuildTrigger, 'GET', TRIGGER_PARAMS, {}, 'reader', 403),
-  (BuildTrigger, 'GET', TRIGGER_PARAMS, {}, 'devtable', 404),
-
-  (BuildTrigger, 'DELETE', TRIGGER_PARAMS, {}, None, 401),
-  (BuildTrigger, 'DELETE', TRIGGER_PARAMS, {}, 'freshuser', 403),
-  (BuildTrigger, 'DELETE', TRIGGER_PARAMS, {}, 'reader', 403),
-  (BuildTrigger, 'DELETE', TRIGGER_PARAMS, {}, 'devtable', 404),
-
-  (BuildTrigger, 'PUT', TRIGGER_PARAMS, {}, None, 401),
-  (BuildTrigger, 'PUT', TRIGGER_PARAMS, {}, 'freshuser', 403),
-  (BuildTrigger, 'PUT', TRIGGER_PARAMS, {}, 'reader', 403),
-  (BuildTrigger, 'PUT', TRIGGER_PARAMS, {}, 'devtable', 400),
-
-  (RepositoryUserTransitivePermission, 'GET', {'username': 'A2O9','repository': 'public/publicrepo'}, None, None, 401),
-  (RepositoryUserTransitivePermission, 'GET', {'username': 'A2O9','repository': 'public/publicrepo'}, None, 'freshuser', 403),
-  (RepositoryUserTransitivePermission, 'GET', {'username': 'A2O9','repository': 'public/publicrepo'}, None, 'reader', 403),
-  (RepositoryUserTransitivePermission, 'GET', {'username': 'A2O9','repository': 'public/publicrepo'}, None, 'devtable', 403),
-  (RepositoryUserTransitivePermission, 'GET', {'username': 'A2O9','repository': 'devtable/shared'}, None, None, 401),
-  (RepositoryUserTransitivePermission, 'GET', {'username': 'A2O9','repository': 'devtable/shared'}, None, 'freshuser', 403),
-  (RepositoryUserTransitivePermission, 'GET', {'username': 'A2O9','repository': 'devtable/shared'}, None, 'reader', 403),
-  (RepositoryUserTransitivePermission, 'GET', {'username': 'A2O9','repository': 'devtable/shared'}, None, 'devtable', 404),
-  (RepositoryUserTransitivePermission, 'GET', {'username': 'A2O9','repository': 'buynlarge/orgrepo'}, None, None, 401),
-  (RepositoryUserTransitivePermission, 'GET', {'username': 'A2O9','repository': 'buynlarge/orgrepo'}, None, 'freshuser', 403),
-  (RepositoryUserTransitivePermission, 'GET', {'username': 'A2O9','repository': 'buynlarge/orgrepo'}, None, 'reader', 403),
-  (RepositoryUserTransitivePermission, 'GET', {'username': 'A2O9','repository': 'buynlarge/orgrepo'}, None, 'devtable', 404),
-  (RepositoryUserTransitivePermission, 'GET', {'username': 'devtable','repository': 'devtable/shared'}, None, 'devtable', 200),
-  (RepositoryUserTransitivePermission, 'GET', {'username': 'devtable','repository': 'devtable/nope'}, None, 'devtable', 404),
-
-  (StarredRepositoryList, 'GET', None, None, None, 401),
-  (StarredRepositoryList, 'GET', None, None, 'devtable', 200),
-  (StarredRepositoryList, 'GET', None, None, 'freshuser', 200),
-  (StarredRepositoryList, 'GET', None, None, 'reader', 200),
-  (StarredRepositoryList, 'POST', None, {u'namespace': 'public', u'repository': 'publicrepo'}, None, 401),
-  (StarredRepositoryList, 'POST', None, {u'namespace': 'public', u'repository': 'publicrepo'}, 'devtable', 201),
-  (StarredRepositoryList, 'POST', None, {u'namespace': 'public', u'repository': 'publicrepo'}, 'freshuser', 201),
-  (StarredRepositoryList, 'POST', None, {u'namespace': 'public', u'repository': 'publicrepo'}, 'reader', 201),
-
-  (StarredRepository, 'DELETE', {'repository': 'public/publicrepo'}, None, None, 401),
-  (StarredRepository, 'DELETE', {'repository': 'public/publicrepo'}, None, 'devtable', 204),
-  (StarredRepository, 'DELETE', {'repository': 'public/publicrepo'}, None, 'freshuser', 204),
-  (StarredRepository, 'DELETE', {'repository': 'public/publicrepo'}, None, 'reader', 204),
-
-  (UserNotification, 'GET', {'uuid': 'someuuid'}, None, None, 401),
-  (UserNotification, 'GET', {'uuid': 'someuuid'}, None, 'devtable', 404),
-  (UserNotification, 'GET', {'uuid': 'someuuid'}, None, 'freshuser', 404),
-  (UserNotification, 'GET', {'uuid': 'someuuid'}, None, 'reader', 404),
-  (UserNotification, 'PUT', {'uuid': 'someuuid'}, {}, None, 401),
-  (UserNotification, 'PUT', {'uuid': 'someuuid'}, {}, 'devtable', 404),
-  (UserNotification, 'PUT', {'uuid': 'someuuid'}, {}, 'freshuser', 404),
-  (UserNotification, 'PUT', {'uuid': 'someuuid'}, {}, 'reader', 404),
-
-  (UserInvoiceList, 'GET', None, None, None, 401),
-  (UserInvoiceList, 'GET', None, None, 'devtable', 200),
-  (UserInvoiceList, 'GET', None, None, 'freshuser', 404),
-  (UserInvoiceList, 'GET', None, None, 'reader', 404),
-
-  (PrivateRepositories, 'GET', None, None, None, 401),
-  (PrivateRepositories, 'GET', None, None, 'devtable', 200),
-  (PrivateRepositories, 'GET', None, None, 'freshuser', 200),
-  (PrivateRepositories, 'GET', None, None, 'reader', 200),
-
-  (ConvertToOrganization, 'POST', None, {u'adminPassword': 'IQTM', u'plan': '1RB4', u'adminUser': '44E8'}, None, 401),
-  (ConvertToOrganization, 'POST', None, {u'adminPassword': 'IQTM', u'plan': '1RB4', u'adminUser': '44E8'}, 'devtable', 400),
-  (ConvertToOrganization, 'POST', None, {u'adminPassword': 'IQTM', u'plan': '1RB4', u'adminUser': '44E8'}, 'freshuser', 400),
-  (ConvertToOrganization, 'POST', None, {u'adminPassword': 'IQTM', u'plan': '1RB4', u'adminUser': '44E8'}, 'reader', 400),
-
-  (UserRobotList, 'GET', None, None, None, 401),
-  (UserRobotList, 'GET', None, None, 'devtable', 200),
-  (UserRobotList, 'GET', None, None, 'freshuser', 200),
-  (UserRobotList, 'GET', None, None, 'reader', 200),
-
-  (UserCard, 'GET', None, None, None, 401),
-  (UserCard, 'GET', None, None, 'devtable', 200),
-  (UserCard, 'GET', None, None, 'freshuser', 200),
-  (UserCard, 'GET', None, None, 'reader', 200),
-  (UserCard, 'POST', None, {u'token': 'ORH4'}, None, 401),
-
-  (UserPlan, 'GET', None, None, None, 401),
-  (UserPlan, 'GET', None, None, 'devtable', 200),
-  (UserPlan, 'GET', None, None, 'freshuser', 200),
-  (UserPlan, 'GET', None, None, 'reader', 200),
-  (UserPlan, 'PUT', None, {u'plan': '1QIK'}, None, 401),
-
-  (UserLogs, 'GET', None, None, None, 401),
-  (UserLogs, 'GET', None, None, 'devtable', 200),
-  (UserLogs, 'GET', None, None, 'freshuser', 200),
-  (UserLogs, 'GET', None, None, 'reader', 200),
-
-  (OrganizationList, 'POST', None, {u'name': 'KSIS', u'email': 'DHVZ'}, None, 401),
-  (OrganizationList, 'POST', None, {u'name': 'KSIS', u'email': 'DHVZ'}, 'devtable', 400),
-  (OrganizationList, 'POST', None, {u'name': 'KSIS', u'email': 'DHVZ'}, 'freshuser', 400),
-  (OrganizationList, 'POST', None, {u'name': 'KSIS', u'email': 'DHVZ'}, 'reader', 400),
-
-  (Repository, 'GET', {'repository': 'public/publicrepo'}, None, None, 200),
-  (Repository, 'GET', {'repository': 'public/publicrepo'}, None, 'devtable', 200),
-  (Repository, 'GET', {'repository': 'public/publicrepo'}, None, 'freshuser', 200),
-  (Repository, 'GET', {'repository': 'public/publicrepo'}, None, 'reader', 200),
-
-  (RepositoryList, 'GET', None, None, None, 400),
-  (RepositoryList, 'GET', None, None, 'devtable', 400),
-  (RepositoryList, 'GET', None, None, 'freshuser', 400),
-  (RepositoryList, 'GET', None, None, 'reader', 400),
-  (RepositoryList, 'POST', None, {u'repository': 'XZGB', u'visibility': u'public', u'description': '0O8U'}, None, 400),
-  (RepositoryList, 'POST', None, {u'repository': 'XZGB', u'visibility': u'public', u'description': '0O8U'}, 'devtable', 201),
-  (RepositoryList, 'POST', None, {u'repository': 'XZGB', u'visibility': u'public', u'description': '0O8U'}, 'freshuser', 201),
-  (RepositoryList, 'POST', None, {u'repository': 'XZGB', u'visibility': u'public', u'description': '0O8U'}, 'reader', 201),
-
-  (DiscoveryResource, 'GET', None, None, None, 200),
-  (DiscoveryResource, 'GET', None, None, 'devtable', 200),
-  (DiscoveryResource, 'GET', None, None, 'freshuser', 200),
-  (DiscoveryResource, 'GET', None, None, 'reader', 200),
-
-  (FileDropResource, 'POST', None, {u'mimeType': 'TKBX'}, None, 200),
-  (FileDropResource, 'POST', None, {u'mimeType': 'TKBX'}, 'devtable', 200),
-  (FileDropResource, 'POST', None, {u'mimeType': 'TKBX'}, 'freshuser', 200),
-  (FileDropResource, 'POST', None, {u'mimeType': 'TKBX'}, 'reader', 200),
-
-  (Recovery, 'POST', None, {u'email': '826S'}, None, 200),
-  (Recovery, 'POST', None, {u'email': '826S'}, 'devtable', 200),
-  (Recovery, 'POST', None, {u'email': '826S'}, 'freshuser', 200),
-  (Recovery, 'POST', None, {u'email': '826S'}, 'reader', 200),
-
-  (Signout, 'POST', None, None, None, 200),
-  (Signout, 'POST', None, None, 'devtable', 200),
-  (Signout, 'POST', None, None, 'freshuser', 200),
-  (Signout, 'POST', None, None, 'reader', 200),
-
-  (Signin, 'POST', None, {u'username': 'E9RY', u'password': 'LQ0N'}, None, 403),
-  (Signin, 'POST', None, {u'username': 'E9RY', u'password': 'LQ0N'}, 'devtable', 403),
-  (Signin, 'POST', None, {u'username': 'E9RY', u'password': 'LQ0N'}, 'freshuser', 403),
-  (Signin, 'POST', None, {u'username': 'E9RY', u'password': 'LQ0N'}, 'reader', 403),
-
-  (ExternalLoginInformation, 'POST', {'service_id': 'someservice'}, {}, None, 400),
-  (ExternalLoginInformation, 'POST', {'service_id': 'someservice'}, {}, 'devtable', 400),
-  (ExternalLoginInformation, 'POST', {'service_id': 'someservice'}, {}, 'freshuser', 400),
-  (ExternalLoginInformation, 'POST', {'service_id': 'someservice'}, {}, 'reader', 400),
-
-  (DetachExternal, 'POST', {'service_id': 'someservice'}, {}, None, 401),
-  (DetachExternal, 'POST', {'service_id': 'someservice'}, {}, 'devtable', 200),
-  (DetachExternal, 'POST', {'service_id': 'someservice'}, {}, 'freshuser', 200),
-  (DetachExternal, 'POST', {'service_id': 'someservice'}, {}, 'reader', 200),
-
-  (VerifyUser, 'POST', None, {u'password': 'LQ0N'}, None, 401),
-  (VerifyUser, 'POST', None, {u'password': 'password'}, 'devtable', 200),
-  (VerifyUser, 'POST', None, {u'password': 'LQ0N'}, 'freshuser', 403),
-  (VerifyUser, 'POST', None, {u'password': 'LQ0N'}, 'reader', 403),
-
-  (ClientKey, 'POST', None, {u'password': 'LQ0N'}, None, 401),
-  (ClientKey, 'POST', None, {u'password': 'password'}, 'devtable', 200),
-  (ClientKey, 'POST', None, {u'password': 'LQ0N'}, 'freshuser', 400),
-  (ClientKey, 'POST', None, {u'password': 'password'}, 'reader', 200),
-
-  (ListPlans, 'GET', None, None, None, 200),
-  (ListPlans, 'GET', None, None, 'devtable', 200),
-  (ListPlans, 'GET', None, None, 'freshuser', 200),
-  (ListPlans, 'GET', None, None, 'reader', 200),
-
-  (User, 'GET', None, None, None, 401),
-  (User, 'GET', None, None, 'devtable', 200),
-  (User, 'GET', None, None, 'freshuser', 200),
-  (User, 'GET', None, None, 'reader', 200),
-  (User, 'POST', None, {u'username': 'T946', u'password': '0SG4', u'email': 'MENT'}, None, 400),
-  (User, 'POST', None, {u'username': 'T946', u'password': '0SG4', u'email': 'MENT'}, 'devtable', 400),
-  (User, 'POST', None, {u'username': 'T946', u'password': '0SG4', u'email': 'MENT'}, 'freshuser', 400),
-  (User, 'POST', None, {u'username': 'T946', u'password': '0SG4', u'email': 'MENT'}, 'reader', 400),
-  (User, 'PUT', None, {}, None, 401),
-  (User, 'PUT', None, {}, 'devtable', 200),
-  (User, 'PUT', None, {}, 'freshuser', 200),
-  (User, 'PUT', None, {}, 'reader', 200),
-  (User, 'DELETE', None, {}, None, 401),
-  (User, 'DELETE', None, {}, 'devtable', 400),
-  (User, 'DELETE', None, {}, 'freshuser', 204),
-  (User, 'DELETE', None, {}, 'reader', 204),
-
-  (TeamMember, 'DELETE', {'orgname': 'buynlarge', 'membername': 'devtable', 'teamname': 'readers'}, None, None, 401),
-  (TeamMember, 'DELETE', {'orgname': 'buynlarge', 'membername': 'devtable', 'teamname': 'readers'}, None, 'devtable', 400),
-  (TeamMember, 'DELETE', {'orgname': 'buynlarge', 'membername': 'devtable', 'teamname': 'readers'}, None, 'freshuser', 403),
-  (TeamMember, 'DELETE', {'orgname': 'buynlarge', 'membername': 'devtable', 'teamname': 'readers'}, None, 'reader', 403),
-  (TeamMember, 'PUT', {'orgname': 'buynlarge', 'membername': 'devtable', 'teamname': 'readers'}, None, None, 401),
-  (TeamMember, 'PUT', {'orgname': 'buynlarge', 'membername': 'devtable', 'teamname': 'readers'}, None, 'devtable', 200),
-  (TeamMember, 'PUT', {'orgname': 'buynlarge', 'membername': 'devtable', 'teamname': 'readers'}, None, 'freshuser', 403),
-  (TeamMember, 'PUT', {'orgname': 'buynlarge', 'membername': 'devtable', 'teamname': 'readers'}, None, 'reader', 403),
-  (TeamMember, 'DELETE', {'orgname': 'buynlarge', 'membername': 'devtable', 'teamname': 'owners'}, None, None, 401),
-  (TeamMember, 'DELETE', {'orgname': 'buynlarge', 'membername': 'devtable', 'teamname': 'owners'}, None, 'devtable', 400),
-  (TeamMember, 'DELETE', {'orgname': 'buynlarge', 'membername': 'devtable', 'teamname': 'owners'}, None, 'freshuser', 403),
-  (TeamMember, 'DELETE', {'orgname': 'buynlarge', 'membername': 'devtable', 'teamname': 'owners'}, None, 'reader', 403),
-  (TeamMember, 'PUT', {'orgname': 'buynlarge', 'membername': 'devtable', 'teamname': 'owners'}, None, None, 401),
-  (TeamMember, 'PUT', {'orgname': 'buynlarge', 'membername': 'devtable', 'teamname': 'owners'}, None, 'devtable', 400),
-  (TeamMember, 'PUT', {'orgname': 'buynlarge', 'membername': 'devtable', 'teamname': 'owners'}, None, 'freshuser', 403),
-  (TeamMember, 'PUT', {'orgname': 'buynlarge', 'membername': 'devtable', 'teamname': 'owners'}, None, 'reader', 403),
-
-  (TeamPermissions, 'GET', {'orgname': 'buynlarge', 'teamname': 'readers'}, None, None, 401),
-  (TeamPermissions, 'GET', {'orgname': 'buynlarge', 'teamname': 'readers'}, None, 'devtable', 200),
-  (TeamPermissions, 'GET', {'orgname': 'buynlarge', 'teamname': 'readers'}, None, 'freshuser', 403),
-  (TeamPermissions, 'GET', {'orgname': 'buynlarge', 'teamname': 'readers'}, None, 'reader', 403),
-
-  (TeamMemberList, 'GET', {'orgname': 'buynlarge', 'teamname': 'readers'}, None, None, 401),
-  (TeamMemberList, 'GET', {'orgname': 'buynlarge', 'teamname': 'readers'}, None, 'devtable', 200),
-  (TeamMemberList, 'GET', {'orgname': 'buynlarge', 'teamname': 'readers'}, None, 'freshuser', 403),
-  (TeamMemberList, 'GET', {'orgname': 'buynlarge', 'teamname': 'readers'}, None, 'reader', 200),
-  (TeamMemberList, 'GET', {'orgname': 'buynlarge', 'teamname': 'owners'}, None, None, 401),
-  (TeamMemberList, 'GET', {'orgname': 'buynlarge', 'teamname': 'owners'}, None, 'devtable', 200),
-  (TeamMemberList, 'GET', {'orgname': 'buynlarge', 'teamname': 'owners'}, None, 'freshuser', 403),
-  (TeamMemberList, 'GET', {'orgname': 'buynlarge', 'teamname': 'owners'}, None, 'reader', 403),
-
-  (RepositoryUserPermission, 'DELETE', {'username': 'A2O9', 'repository': 'public/publicrepo'}, None, None, 401),
-  (RepositoryUserPermission, 'DELETE', {'username': 'A2O9', 'repository': 'public/publicrepo'}, None, 'devtable', 403),
-  (RepositoryUserPermission, 'DELETE', {'username': 'A2O9', 'repository': 'public/publicrepo'}, None, 'freshuser', 403),
-  (RepositoryUserPermission, 'DELETE', {'username': 'A2O9', 'repository': 'public/publicrepo'}, None, 'reader', 403),
-  (RepositoryUserPermission, 'GET', {'username': 'A2O9', 'repository': 'public/publicrepo'}, None, None, 401),
-  (RepositoryUserPermission, 'GET', {'username': 'A2O9', 'repository': 'public/publicrepo'}, None, 'devtable', 403),
-  (RepositoryUserPermission, 'GET', {'username': 'A2O9', 'repository': 'public/publicrepo'}, None, 'freshuser', 403),
-  (RepositoryUserPermission, 'GET', {'username': 'A2O9', 'repository': 'public/publicrepo'}, None, 'reader', 403),
-  (RepositoryUserPermission, 'PUT', {'username': 'A2O9', 'repository': 'public/publicrepo'}, {u'role': u'read'}, None, 401),
-  (RepositoryUserPermission, 'PUT', {'username': 'A2O9', 'repository': 'public/publicrepo'}, {u'role': u'read'}, 'devtable', 403),
-  (RepositoryUserPermission, 'PUT', {'username': 'A2O9', 'repository': 'public/publicrepo'}, {u'role': u'read'}, 'freshuser', 403),
-  (RepositoryUserPermission, 'PUT', {'username': 'A2O9', 'repository': 'public/publicrepo'}, {u'role': u'read'}, 'reader', 403),
-  (RepositoryUserPermission, 'DELETE', {'username': 'A2O9', 'repository': 'devtable/shared'}, None, None, 401),
-  (RepositoryUserPermission, 'DELETE', {'username': 'A2O9', 'repository': 'devtable/shared'}, None, 'devtable', 400),
-  (RepositoryUserPermission, 'DELETE', {'username': 'A2O9', 'repository': 'devtable/shared'}, None, 'freshuser', 403),
-  (RepositoryUserPermission, 'DELETE', {'username': 'A2O9', 'repository': 'devtable/shared'}, None, 'reader', 403),
-  (RepositoryUserPermission, 'GET', {'username': 'A2O9', 'repository': 'devtable/shared'}, None, None, 401),
-  (RepositoryUserPermission, 'GET', {'username': 'A2O9', 'repository': 'devtable/shared'}, None, 'devtable', 400),
-  (RepositoryUserPermission, 'GET', {'username': 'A2O9', 'repository': 'devtable/shared'}, None, 'freshuser', 403),
-  (RepositoryUserPermission, 'GET', {'username': 'A2O9', 'repository': 'devtable/shared'}, None, 'reader', 403),
-  (RepositoryUserPermission, 'PUT', {'username': 'A2O9', 'repository': 'devtable/shared'}, {u'role': u'read'}, None, 401),
-  (RepositoryUserPermission, 'PUT', {'username': 'A2O9', 'repository': 'devtable/shared'}, {u'role': u'read'}, 'devtable', 400),
-  (RepositoryUserPermission, 'PUT', {'username': 'A2O9', 'repository': 'devtable/shared'}, {u'role': u'read'}, 'freshuser', 403),
-  (RepositoryUserPermission, 'PUT', {'username': 'A2O9', 'repository': 'devtable/shared'}, {u'role': u'read'}, 'reader', 403),
-  (RepositoryUserPermission, 'DELETE', {'username': 'A2O9', 'repository': 'buynlarge/orgrepo'}, None, None, 401),
-  (RepositoryUserPermission, 'DELETE', {'username': 'A2O9', 'repository': 'buynlarge/orgrepo'}, None, 'devtable', 400),
-  (RepositoryUserPermission, 'DELETE', {'username': 'A2O9', 'repository': 'buynlarge/orgrepo'}, None, 'freshuser', 403),
-  (RepositoryUserPermission, 'DELETE', {'username': 'A2O9', 'repository': 'buynlarge/orgrepo'}, None, 'reader', 403),
-  (RepositoryUserPermission, 'GET', {'username': 'A2O9', 'repository': 'buynlarge/orgrepo'}, None, None, 401),
-  (RepositoryUserPermission, 'GET', {'username': 'A2O9', 'repository': 'buynlarge/orgrepo'}, None, 'devtable', 400),
-  (RepositoryUserPermission, 'GET', {'username': 'A2O9', 'repository': 'buynlarge/orgrepo'}, None, 'freshuser', 403),
-  (RepositoryUserPermission, 'GET', {'username': 'A2O9', 'repository': 'buynlarge/orgrepo'}, None, 'reader', 403),
-  (RepositoryUserPermission, 'PUT', {'username': 'A2O9', 'repository': 'buynlarge/orgrepo'}, {u'role': u'read'}, None, 401),
-  (RepositoryUserPermission, 'PUT', {'username': 'A2O9', 'repository': 'buynlarge/orgrepo'}, {u'role': u'read'}, 'devtable', 400),
-  (RepositoryUserPermission, 'PUT', {'username': 'A2O9', 'repository': 'buynlarge/orgrepo'}, {u'role': u'read'}, 'freshuser', 403),
-  (RepositoryUserPermission, 'PUT', {'username': 'A2O9', 'repository': 'buynlarge/orgrepo'}, {u'role': u'read'}, 'reader', 403),
-
-  (RepositoryTeamPermission, 'DELETE', {'repository': 'public/publicrepo', 'teamname': 'readers'}, None, None, 401),
-  (RepositoryTeamPermission, 'DELETE', {'repository': 'public/publicrepo', 'teamname': 'readers'}, None, 'devtable', 403),
-  (RepositoryTeamPermission, 'DELETE', {'repository': 'public/publicrepo', 'teamname': 'readers'}, None, 'freshuser', 403),
-  (RepositoryTeamPermission, 'DELETE', {'repository': 'public/publicrepo', 'teamname': 'readers'}, None, 'reader', 403),
-  (RepositoryTeamPermission, 'GET', {'repository': 'public/publicrepo', 'teamname': 'readers'}, None, None, 401),
-  (RepositoryTeamPermission, 'GET', {'repository': 'public/publicrepo', 'teamname': 'readers'}, None, 'devtable', 403),
-  (RepositoryTeamPermission, 'GET', {'repository': 'public/publicrepo', 'teamname': 'readers'}, None, 'freshuser', 403),
-  (RepositoryTeamPermission, 'GET', {'repository': 'public/publicrepo', 'teamname': 'readers'}, None, 'reader', 403),
-  (RepositoryTeamPermission, 'PUT', {'repository': 'public/publicrepo', 'teamname': 'readers'}, {u'role': u'read'}, None, 401),
-  (RepositoryTeamPermission, 'PUT', {'repository': 'public/publicrepo', 'teamname': 'readers'}, {u'role': u'read'}, 'devtable', 403),
-  (RepositoryTeamPermission, 'PUT', {'repository': 'public/publicrepo', 'teamname': 'readers'}, {u'role': u'read'}, 'freshuser', 403),
-  (RepositoryTeamPermission, 'PUT', {'repository': 'public/publicrepo', 'teamname': 'readers'}, {u'role': u'read'}, 'reader', 403),
-  (RepositoryTeamPermission, 'DELETE', {'repository': 'devtable/shared', 'teamname': 'readers'}, None, None, 401),
-  (RepositoryTeamPermission, 'DELETE', {'repository': 'devtable/shared', 'teamname': 'readers'}, None, 'devtable', 400),
-  (RepositoryTeamPermission, 'DELETE', {'repository': 'devtable/shared', 'teamname': 'readers'}, None, 'freshuser', 403),
-  (RepositoryTeamPermission, 'DELETE', {'repository': 'devtable/shared', 'teamname': 'readers'}, None, 'reader', 403),
-  (RepositoryTeamPermission, 'GET', {'repository': 'devtable/shared', 'teamname': 'readers'}, None, None, 401),
-  (RepositoryTeamPermission, 'GET', {'repository': 'devtable/shared', 'teamname': 'readers'}, None, 'devtable', 400),
-  (RepositoryTeamPermission, 'GET', {'repository': 'devtable/shared', 'teamname': 'readers'}, None, 'freshuser', 403),
-  (RepositoryTeamPermission, 'GET', {'repository': 'devtable/shared', 'teamname': 'readers'}, None, 'reader', 403),
-  (RepositoryTeamPermission, 'PUT', {'repository': 'devtable/shared', 'teamname': 'readers'}, {u'role': u'read'}, None, 401),
-  (RepositoryTeamPermission, 'PUT', {'repository': 'devtable/shared', 'teamname': 'readers'}, {u'role': u'read'}, 'devtable', 400),
-  (RepositoryTeamPermission, 'PUT', {'repository': 'devtable/shared', 'teamname': 'readers'}, {u'role': u'read'}, 'freshuser', 403),
-  (RepositoryTeamPermission, 'PUT', {'repository': 'devtable/shared', 'teamname': 'readers'}, {u'role': u'read'}, 'reader', 403),
-  (RepositoryTeamPermission, 'DELETE', {'repository': 'buynlarge/orgrepo', 'teamname': 'readers'}, None, None, 401),
-  (RepositoryTeamPermission, 'DELETE', {'repository': 'buynlarge/orgrepo', 'teamname': 'readers'}, None, 'devtable', 204),
-  (RepositoryTeamPermission, 'DELETE', {'repository': 'buynlarge/orgrepo', 'teamname': 'readers'}, None, 'freshuser', 403),
-  (RepositoryTeamPermission, 'DELETE', {'repository': 'buynlarge/orgrepo', 'teamname': 'readers'}, None, 'reader', 403),
-  (RepositoryTeamPermission, 'GET', {'repository': 'buynlarge/orgrepo', 'teamname': 'readers'}, None, None, 401),
-  (RepositoryTeamPermission, 'GET', {'repository': 'buynlarge/orgrepo', 'teamname': 'readers'}, None, 'devtable', 200),
-  (RepositoryTeamPermission, 'GET', {'repository': 'buynlarge/orgrepo', 'teamname': 'readers'}, None, 'freshuser', 403),
-  (RepositoryTeamPermission, 'GET', {'repository': 'buynlarge/orgrepo', 'teamname': 'readers'}, None, 'reader', 403),
-  (RepositoryTeamPermission, 'PUT', {'repository': 'buynlarge/orgrepo', 'teamname': 'readers'}, {u'role': u'read'}, None, 401),
-  (RepositoryTeamPermission, 'PUT', {'repository': 'buynlarge/orgrepo', 'teamname': 'readers'}, {u'role': u'read'}, 'devtable', 200),
-  (RepositoryTeamPermission, 'PUT', {'repository': 'buynlarge/orgrepo', 'teamname': 'readers'}, {u'role': u'read'}, 'freshuser', 403),
-  (RepositoryTeamPermission, 'PUT', {'repository': 'buynlarge/orgrepo', 'teamname': 'readers'}, {u'role': u'read'}, 'reader', 403),
-  (RepositoryTeamPermission, 'DELETE', {'repository': 'public/publicrepo', 'teamname': 'owners'}, None, None, 401),
-  (RepositoryTeamPermission, 'DELETE', {'repository': 'public/publicrepo', 'teamname': 'owners'}, None, 'devtable', 403),
-  (RepositoryTeamPermission, 'DELETE', {'repository': 'public/publicrepo', 'teamname': 'owners'}, None, 'freshuser', 403),
-  (RepositoryTeamPermission, 'DELETE', {'repository': 'public/publicrepo', 'teamname': 'owners'}, None, 'reader', 403),
-  (RepositoryTeamPermission, 'GET', {'repository': 'public/publicrepo', 'teamname': 'owners'}, None, None, 401),
-  (RepositoryTeamPermission, 'GET', {'repository': 'public/publicrepo', 'teamname': 'owners'}, None, 'devtable', 403),
-  (RepositoryTeamPermission, 'GET', {'repository': 'public/publicrepo', 'teamname': 'owners'}, None, 'freshuser', 403),
-  (RepositoryTeamPermission, 'GET', {'repository': 'public/publicrepo', 'teamname': 'owners'}, None, 'reader', 403),
-  (RepositoryTeamPermission, 'PUT', {'repository': 'public/publicrepo', 'teamname': 'owners'}, {u'role': u'read'}, None, 401),
-  (RepositoryTeamPermission, 'PUT', {'repository': 'public/publicrepo', 'teamname': 'owners'}, {u'role': u'read'}, 'devtable', 403),
-  (RepositoryTeamPermission, 'PUT', {'repository': 'public/publicrepo', 'teamname': 'owners'}, {u'role': u'read'}, 'freshuser', 403),
-  (RepositoryTeamPermission, 'PUT', {'repository': 'public/publicrepo', 'teamname': 'owners'}, {u'role': u'read'}, 'reader', 403),
-  (RepositoryTeamPermission, 'DELETE', {'repository': 'devtable/shared', 'teamname': 'owners'}, None, None, 401),
-  (RepositoryTeamPermission, 'DELETE', {'repository': 'devtable/shared', 'teamname': 'owners'}, None, 'devtable', 400),
-  (RepositoryTeamPermission, 'DELETE', {'repository': 'devtable/shared', 'teamname': 'owners'}, None, 'freshuser', 403),
-  (RepositoryTeamPermission, 'DELETE', {'repository': 'devtable/shared', 'teamname': 'owners'}, None, 'reader', 403),
-  (RepositoryTeamPermission, 'GET', {'repository': 'devtable/shared', 'teamname': 'owners'}, None, None, 401),
-  (RepositoryTeamPermission, 'GET', {'repository': 'devtable/shared', 'teamname': 'owners'}, None, 'devtable', 400),
-  (RepositoryTeamPermission, 'GET', {'repository': 'devtable/shared', 'teamname': 'owners'}, None, 'freshuser', 403),
-  (RepositoryTeamPermission, 'GET', {'repository': 'devtable/shared', 'teamname': 'owners'}, None, 'reader', 403),
-  (RepositoryTeamPermission, 'PUT', {'repository': 'devtable/shared', 'teamname': 'owners'}, {u'role': u'read'}, None, 401),
-  (RepositoryTeamPermission, 'PUT', {'repository': 'devtable/shared', 'teamname': 'owners'}, {u'role': u'read'}, 'devtable', 400),
-  (RepositoryTeamPermission, 'PUT', {'repository': 'devtable/shared', 'teamname': 'owners'}, {u'role': u'read'}, 'freshuser', 403),
-  (RepositoryTeamPermission, 'PUT', {'repository': 'devtable/shared', 'teamname': 'owners'}, {u'role': u'read'}, 'reader', 403),
-  (RepositoryTeamPermission, 'DELETE', {'repository': 'buynlarge/orgrepo', 'teamname': 'owners'}, None, None, 401),
-  (RepositoryTeamPermission, 'DELETE', {'repository': 'buynlarge/orgrepo', 'teamname': 'owners'}, None, 'devtable', 400),
-  (RepositoryTeamPermission, 'DELETE', {'repository': 'buynlarge/orgrepo', 'teamname': 'owners'}, None, 'freshuser', 403),
-  (RepositoryTeamPermission, 'DELETE', {'repository': 'buynlarge/orgrepo', 'teamname': 'owners'}, None, 'reader', 403),
-  (RepositoryTeamPermission, 'GET', {'repository': 'buynlarge/orgrepo', 'teamname': 'owners'}, None, None, 401),
-  (RepositoryTeamPermission, 'GET', {'repository': 'buynlarge/orgrepo', 'teamname': 'owners'}, None, 'devtable', 400),
-  (RepositoryTeamPermission, 'GET', {'repository': 'buynlarge/orgrepo', 'teamname': 'owners'}, None, 'freshuser', 403),
-  (RepositoryTeamPermission, 'GET', {'repository': 'buynlarge/orgrepo', 'teamname': 'owners'}, None, 'reader', 403),
-  (RepositoryTeamPermission, 'PUT', {'repository': 'buynlarge/orgrepo', 'teamname': 'owners'}, {u'role': u'read'}, None, 401),
-  (RepositoryTeamPermission, 'PUT', {'repository': 'buynlarge/orgrepo', 'teamname': 'owners'}, {u'role': u'read'}, 'devtable', 200),
-  (RepositoryTeamPermission, 'PUT', {'repository': 'buynlarge/orgrepo', 'teamname': 'owners'}, {u'role': u'read'}, 'freshuser', 403),
-  (RepositoryTeamPermission, 'PUT', {'repository': 'buynlarge/orgrepo', 'teamname': 'owners'}, {u'role': u'read'}, 'reader', 403),
-
-  (BuildTriggerActivate, 'POST', {'repository': 'public/publicrepo', 'trigger_uuid': 'SWO1'}, {}, None, 401),
-  (BuildTriggerActivate, 'POST', {'repository': 'public/publicrepo', 'trigger_uuid': 'SWO1'}, {}, 'devtable', 403),
-  (BuildTriggerActivate, 'POST', {'repository': 'public/publicrepo', 'trigger_uuid': 'SWO1'}, {}, 'freshuser', 403),
-  (BuildTriggerActivate, 'POST', {'repository': 'public/publicrepo', 'trigger_uuid': 'SWO1'}, {}, 'reader', 403),
-  (BuildTriggerActivate, 'POST', {'repository': 'devtable/shared', 'trigger_uuid': 'SWO1'}, {}, None, 401),
-  (BuildTriggerActivate, 'POST', {'repository': 'devtable/shared', 'trigger_uuid': 'SWO1'}, {'config': {}}, 'devtable', 404),
-  (BuildTriggerActivate, 'POST', {'repository': 'devtable/shared', 'trigger_uuid': 'SWO1'}, {}, 'freshuser', 403),
-  (BuildTriggerActivate, 'POST', {'repository': 'devtable/shared', 'trigger_uuid': 'SWO1'}, {}, 'reader', 403),
-  (BuildTriggerActivate, 'POST', {'repository': 'buynlarge/orgrepo', 'trigger_uuid': 'SWO1'}, {}, None, 401),
-  (BuildTriggerActivate, 'POST', {'repository': 'buynlarge/orgrepo', 'trigger_uuid': 'SWO1'}, {'config': {}}, 'devtable', 404),
-  (BuildTriggerActivate, 'POST', {'repository': 'buynlarge/orgrepo', 'trigger_uuid': 'SWO1'}, {}, 'freshuser', 403),
-  (BuildTriggerActivate, 'POST', {'repository': 'buynlarge/orgrepo', 'trigger_uuid': 'SWO1'}, {}, 'reader', 403),
-
-  (BuildTriggerFieldValues, 'POST', {'field_name': 'test_field', 'repository': 'public/publicrepo', 'trigger_uuid': 'SWO1'}, {}, None, 401),
-  (BuildTriggerFieldValues, 'POST', {'field_name': 'test_field', 'repository': 'public/publicrepo', 'trigger_uuid': 'SWO1'}, {}, 'devtable', 403),
-  (BuildTriggerFieldValues, 'POST', {'field_name': 'test_field', 'repository': 'public/publicrepo', 'trigger_uuid': 'SWO1'}, {}, 'freshuser', 403),
-  (BuildTriggerFieldValues, 'POST', {'field_name': 'test_field', 'repository': 'public/publicrepo', 'trigger_uuid': 'SWO1'}, {}, 'reader', 403),
-  (BuildTriggerFieldValues, 'POST', {'field_name': 'test_field', 'repository': 'devtable/shared', 'trigger_uuid': 'SWO1'}, {}, None, 401),
-  (BuildTriggerFieldValues, 'POST', {'field_name': 'test_field', 'repository': 'devtable/shared', 'trigger_uuid': 'SWO1'}, {'config': {}}, 'devtable', 404),
-  (BuildTriggerFieldValues, 'POST', {'field_name': 'test_field', 'repository': 'devtable/shared', 'trigger_uuid': 'SWO1'}, {}, 'freshuser', 403),
-  (BuildTriggerFieldValues, 'POST', {'field_name': 'test_field', 'repository': 'devtable/shared', 'trigger_uuid': 'SWO1'}, {}, 'reader', 403),
-  (BuildTriggerFieldValues, 'POST', {'field_name': 'test_field', 'repository': 'buynlarge/orgrepo', 'trigger_uuid': 'SWO1'}, {}, None, 401),
-  (BuildTriggerFieldValues, 'POST', {'field_name': 'test_field', 'repository': 'buynlarge/orgrepo', 'trigger_uuid': 'SWO1'}, {'config': {}}, 'devtable', 404),
-  (BuildTriggerFieldValues, 'POST', {'field_name': 'test_field', 'repository': 'buynlarge/orgrepo', 'trigger_uuid': 'SWO1'}, {}, 'freshuser', 403),
-  (BuildTriggerFieldValues, 'POST', {'field_name': 'test_field', 'repository': 'buynlarge/orgrepo', 'trigger_uuid': 'SWO1'}, {}, 'reader', 403),
-
-  (BuildTriggerSources, 'POST', {'repository': 'public/publicrepo', 'trigger_uuid': '831C'}, None, None, 401),
-  (BuildTriggerSources, 'POST', {'repository': 'public/publicrepo', 'trigger_uuid': '831C'}, {'namespace': 'foo'}, 'devtable', 403),
-  (BuildTriggerSources, 'POST', {'repository': 'public/publicrepo', 'trigger_uuid': '831C'}, None, 'freshuser', 403),
-  (BuildTriggerSources, 'POST', {'repository': 'public/publicrepo', 'trigger_uuid': '831C'}, None, 'reader', 403),
-  (BuildTriggerSources, 'POST', {'repository': 'devtable/shared', 'trigger_uuid': '831C'}, None, None, 401),
-  (BuildTriggerSources, 'POST', {'repository': 'devtable/shared', 'trigger_uuid': '831C'}, {'namespace': 'foo'}, 'devtable', 404),
-  (BuildTriggerSources, 'POST', {'repository': 'devtable/shared', 'trigger_uuid': '831C'}, None, 'freshuser', 403),
-  (BuildTriggerSources, 'POST', {'repository': 'devtable/shared', 'trigger_uuid': '831C'}, None, 'reader', 403),
-  (BuildTriggerSources, 'POST', {'repository': 'buynlarge/orgrepo', 'trigger_uuid': '831C'}, None, None, 401),
-  (BuildTriggerSources, 'POST', {'repository': 'buynlarge/orgrepo', 'trigger_uuid': '831C'}, {'namespace': 'foo'}, 'devtable', 404),
-  (BuildTriggerSources, 'POST', {'repository': 'buynlarge/orgrepo', 'trigger_uuid': '831C'}, None, 'freshuser', 403),
-  (BuildTriggerSources, 'POST', {'repository': 'buynlarge/orgrepo', 'trigger_uuid': '831C'}, None, 'reader', 403),
-
-  (BuildTriggerSubdirs, 'POST', {'repository': 'public/publicrepo', 'trigger_uuid': '4I2Y'}, {}, None, 401),
-  (BuildTriggerSubdirs, 'POST', {'repository': 'public/publicrepo', 'trigger_uuid': '4I2Y'}, {}, 'devtable', 403),
-  (BuildTriggerSubdirs, 'POST', {'repository': 'public/publicrepo', 'trigger_uuid': '4I2Y'}, {}, 'freshuser', 403),
-  (BuildTriggerSubdirs, 'POST', {'repository': 'public/publicrepo', 'trigger_uuid': '4I2Y'}, {}, 'reader', 403),
-  (BuildTriggerSubdirs, 'POST', {'repository': 'devtable/shared', 'trigger_uuid': '4I2Y'}, {}, None, 401),
-  (BuildTriggerSubdirs, 'POST', {'repository': 'devtable/shared', 'trigger_uuid': '4I2Y'}, {}, 'devtable', 404),
-  (BuildTriggerSubdirs, 'POST', {'repository': 'devtable/shared', 'trigger_uuid': '4I2Y'}, {}, 'freshuser', 403),
-  (BuildTriggerSubdirs, 'POST', {'repository': 'devtable/shared', 'trigger_uuid': '4I2Y'}, {}, 'reader', 403),
-  (BuildTriggerSubdirs, 'POST', {'repository': 'buynlarge/orgrepo', 'trigger_uuid': '4I2Y'}, {}, None, 401),
-  (BuildTriggerSubdirs, 'POST', {'repository': 'buynlarge/orgrepo', 'trigger_uuid': '4I2Y'}, {}, 'devtable', 404),
-  (BuildTriggerSubdirs, 'POST', {'repository': 'buynlarge/orgrepo', 'trigger_uuid': '4I2Y'}, {}, 'freshuser', 403),
-  (BuildTriggerSubdirs, 'POST', {'repository': 'buynlarge/orgrepo', 'trigger_uuid': '4I2Y'}, {}, 'reader', 403),
-
-  (TriggerBuildList, 'GET', {'repository': 'public/publicrepo', 'trigger_uuid': 'ZM1W'}, None, None, 401),
-  (TriggerBuildList, 'GET', {'repository': 'public/publicrepo', 'trigger_uuid': 'ZM1W'}, None, 'devtable', 403),
-  (TriggerBuildList, 'GET', {'repository': 'public/publicrepo', 'trigger_uuid': 'ZM1W'}, None, 'freshuser', 403),
-  (TriggerBuildList, 'GET', {'repository': 'public/publicrepo', 'trigger_uuid': 'ZM1W'}, None, 'reader', 403),
-  (TriggerBuildList, 'GET', {'repository': 'devtable/shared', 'trigger_uuid': 'ZM1W'}, None, None, 401),
-  (TriggerBuildList, 'GET', {'repository': 'devtable/shared', 'trigger_uuid': 'ZM1W'}, None, 'devtable', 200),
-  (TriggerBuildList, 'GET', {'repository': 'devtable/shared', 'trigger_uuid': 'ZM1W'}, None, 'freshuser', 403),
-  (TriggerBuildList, 'GET', {'repository': 'devtable/shared', 'trigger_uuid': 'ZM1W'}, None, 'reader', 403),
-  (TriggerBuildList, 'GET', {'repository': 'buynlarge/orgrepo', 'trigger_uuid': 'ZM1W'}, None, None, 401),
-  (TriggerBuildList, 'GET', {'repository': 'buynlarge/orgrepo', 'trigger_uuid': 'ZM1W'}, None, 'devtable', 200),
-  (TriggerBuildList, 'GET', {'repository': 'buynlarge/orgrepo', 'trigger_uuid': 'ZM1W'}, None, 'freshuser', 403),
-  (TriggerBuildList, 'GET', {'repository': 'buynlarge/orgrepo', 'trigger_uuid': 'ZM1W'}, None, 'reader', 403),
-
-  (ActivateBuildTrigger, 'POST', {'repository': 'public/publicrepo', 'trigger_uuid': '0BYE'}, None, None, 401),
-  (ActivateBuildTrigger, 'POST', {'repository': 'public/publicrepo', 'trigger_uuid': '0BYE'}, None, 'devtable', 403),
-  (ActivateBuildTrigger, 'POST', {'repository': 'public/publicrepo', 'trigger_uuid': '0BYE'}, None, 'freshuser', 403),
-  (ActivateBuildTrigger, 'POST', {'repository': 'public/publicrepo', 'trigger_uuid': '0BYE'}, None, 'reader', 403),
-  (ActivateBuildTrigger, 'POST', {'repository': 'devtable/shared', 'trigger_uuid': '0BYE'}, None, None, 401),
-  (ActivateBuildTrigger, 'POST', {'repository': 'devtable/shared', 'trigger_uuid': '0BYE'}, {}, 'devtable', 404),
-  (ActivateBuildTrigger, 'POST', {'repository': 'devtable/shared', 'trigger_uuid': '0BYE'}, None, 'freshuser', 403),
-  (ActivateBuildTrigger, 'POST', {'repository': 'devtable/shared', 'trigger_uuid': '0BYE'}, None, 'reader', 403),
-  (ActivateBuildTrigger, 'POST', {'repository': 'buynlarge/orgrepo', 'trigger_uuid': '0BYE'}, None, None, 401),
-  (ActivateBuildTrigger, 'POST', {'repository': 'buynlarge/orgrepo', 'trigger_uuid': '0BYE'}, {}, 'devtable', 404),
-  (ActivateBuildTrigger, 'POST', {'repository': 'buynlarge/orgrepo', 'trigger_uuid': '0BYE'}, None, 'freshuser', 403),
-  (ActivateBuildTrigger, 'POST', {'repository': 'buynlarge/orgrepo', 'trigger_uuid': '0BYE'}, None, 'reader', 403),
-
-  (BuildTriggerAnalyze, 'POST', {'repository': 'public/publicrepo', 'trigger_uuid': '0BYE'}, None, None, 401),
-  (BuildTriggerAnalyze, 'POST', {'repository': 'public/publicrepo', 'trigger_uuid': '0BYE'}, {'config': {}}, 'devtable', 403),
-  (BuildTriggerAnalyze, 'POST', {'repository': 'public/publicrepo', 'trigger_uuid': '0BYE'}, None, 'freshuser', 403),
-  (BuildTriggerAnalyze, 'POST', {'repository': 'public/publicrepo', 'trigger_uuid': '0BYE'}, None, 'reader', 403),
-  (BuildTriggerAnalyze, 'POST', {'repository': 'devtable/shared', 'trigger_uuid': '0BYE'}, None, None, 401),
-  (BuildTriggerAnalyze, 'POST', {'repository': 'devtable/shared', 'trigger_uuid': '0BYE'}, {'config': {}}, 'devtable', 404),
-  (BuildTriggerAnalyze, 'POST', {'repository': 'devtable/shared', 'trigger_uuid': '0BYE'}, None, 'freshuser', 403),
-  (BuildTriggerAnalyze, 'POST', {'repository': 'devtable/shared', 'trigger_uuid': '0BYE'}, None, 'reader', 403),
-  (BuildTriggerAnalyze, 'POST', {'repository': 'buynlarge/orgrepo', 'trigger_uuid': '0BYE'}, None, None, 401),
-  (BuildTriggerAnalyze, 'POST', {'repository': 'buynlarge/orgrepo', 'trigger_uuid': '0BYE'}, {'config': {}}, 'devtable', 404),
-  (BuildTriggerAnalyze, 'POST', {'repository': 'buynlarge/orgrepo', 'trigger_uuid': '0BYE'}, None, 'freshuser', 403),
-  (BuildTriggerAnalyze, 'POST', {'repository': 'buynlarge/orgrepo', 'trigger_uuid': '0BYE'}, None, 'reader', 403),
-
-  (RepositoryBuildStatus, 'GET', {'build_uuid': 'FG86', 'repository': 'public/publicrepo'}, None, None, 400),
-  (RepositoryBuildStatus, 'GET', {'build_uuid': 'FG86', 'repository': 'public/publicrepo'}, None, 'devtable', 400),
-  (RepositoryBuildStatus, 'GET', {'build_uuid': 'FG86', 'repository': 'public/publicrepo'}, None, 'freshuser', 400),
-  (RepositoryBuildStatus, 'GET', {'build_uuid': 'FG86', 'repository': 'public/publicrepo'}, None, 'reader', 400),
-  (RepositoryBuildStatus, 'GET', {'build_uuid': 'FG86', 'repository': 'devtable/shared'}, None, None, 401),
-  (RepositoryBuildStatus, 'GET', {'build_uuid': 'FG86', 'repository': 'devtable/shared'}, None, 'devtable', 400),
-  (RepositoryBuildStatus, 'GET', {'build_uuid': 'FG86', 'repository': 'devtable/shared'}, None, 'freshuser', 403),
-  (RepositoryBuildStatus, 'GET', {'build_uuid': 'FG86', 'repository': 'devtable/shared'}, None, 'reader', 400),
-  (RepositoryBuildStatus, 'GET', {'build_uuid': 'FG86', 'repository': 'buynlarge/orgrepo'}, None, None, 401),
-  (RepositoryBuildStatus, 'GET', {'build_uuid': 'FG86', 'repository': 'buynlarge/orgrepo'}, None, 'devtable', 400),
-  (RepositoryBuildStatus, 'GET', {'build_uuid': 'FG86', 'repository': 'buynlarge/orgrepo'}, None, 'freshuser', 403),
-  (RepositoryBuildStatus, 'GET', {'build_uuid': 'FG86', 'repository': 'buynlarge/orgrepo'}, None, 'reader', 400),
-
-  (RepositoryBuildResource, 'GET', {'build_uuid': 'FG86', 'repository': 'public/publicrepo'}, None, None, 404),
-  (RepositoryBuildResource, 'GET', {'build_uuid': 'FG86', 'repository': 'public/publicrepo'}, None, 'devtable', 404),
-  (RepositoryBuildResource, 'GET', {'build_uuid': 'FG86', 'repository': 'public/publicrepo'}, None, 'freshuser', 404),
-  (RepositoryBuildResource, 'GET', {'build_uuid': 'FG86', 'repository': 'public/publicrepo'}, None, 'reader', 404),
-  (RepositoryBuildResource, 'GET', {'build_uuid': 'FG86', 'repository': 'devtable/shared'}, None, None, 401),
-  (RepositoryBuildResource, 'GET', {'build_uuid': 'FG86', 'repository': 'devtable/shared'}, None, 'devtable', 404),
-  (RepositoryBuildResource, 'GET', {'build_uuid': 'FG86', 'repository': 'devtable/shared'}, None, 'freshuser', 403),
-  (RepositoryBuildResource, 'GET', {'build_uuid': 'FG86', 'repository': 'devtable/shared'}, None, 'reader', 404),
-  (RepositoryBuildResource, 'GET', {'build_uuid': 'FG86', 'repository': 'buynlarge/orgrepo'}, None, None, 401),
-  (RepositoryBuildResource, 'GET', {'build_uuid': 'FG86', 'repository': 'buynlarge/orgrepo'}, None, 'devtable', 404),
-  (RepositoryBuildResource, 'GET', {'build_uuid': 'FG86', 'repository': 'buynlarge/orgrepo'}, None, 'freshuser', 403),
-  (RepositoryBuildResource, 'GET', {'build_uuid': 'FG86', 'repository': 'buynlarge/orgrepo'}, None, 'reader', 404),
-
-  (RepositoryBuildResource, 'DELETE', {'build_uuid': 'FG86', 'repository': 'public/publicrepo'}, None, None, 401),
-  (RepositoryBuildResource, 'DELETE', {'build_uuid': 'FG86', 'repository': 'public/publicrepo'}, None, 'devtable', 403),
-  (RepositoryBuildResource, 'DELETE', {'build_uuid': 'FG86', 'repository': 'public/publicrepo'}, None, 'freshuser', 403),
-  (RepositoryBuildResource, 'DELETE', {'build_uuid': 'FG86', 'repository': 'public/publicrepo'}, None, 'reader', 403),
-  (RepositoryBuildResource, 'DELETE', {'build_uuid': 'FG86', 'repository': 'devtable/shared'}, None, None, 401),
-  (RepositoryBuildResource, 'DELETE', {'build_uuid': 'FG86', 'repository': 'devtable/shared'}, None, 'devtable', 404),
-  (RepositoryBuildResource, 'DELETE', {'build_uuid': 'FG86', 'repository': 'devtable/shared'}, None, 'freshuser', 403),
-  (RepositoryBuildResource, 'DELETE', {'build_uuid': 'FG86', 'repository': 'devtable/shared'}, None, 'reader', 403),
-  (RepositoryBuildResource, 'DELETE', {'build_uuid': 'FG86', 'repository': 'buynlarge/orgrepo'}, None, None, 401),
-  (RepositoryBuildResource, 'DELETE', {'build_uuid': 'FG86', 'repository': 'buynlarge/orgrepo'}, None, 'devtable', 404),
-  (RepositoryBuildResource, 'DELETE', {'build_uuid': 'FG86', 'repository': 'buynlarge/orgrepo'}, None, 'freshuser', 403),
-  (RepositoryBuildResource, 'DELETE', {'build_uuid': 'FG86', 'repository': 'buynlarge/orgrepo'}, None, 'reader', 403),
-
-  (RepositoryBuildLogs, 'GET', {'build_uuid': 'S5J8', 'repository': 'public/publicrepo'}, None, None, 401),
-  (RepositoryBuildLogs, 'GET', {'build_uuid': 'S5J8', 'repository': 'public/publicrepo'}, None, 'devtable', 403),
-  (RepositoryBuildLogs, 'GET', {'build_uuid': 'S5J8', 'repository': 'public/publicrepo'}, None, 'freshuser', 403),
-  (RepositoryBuildLogs, 'GET', {'build_uuid': 'S5J8', 'repository': 'public/publicrepo'}, None, 'reader', 403),
-  (RepositoryBuildLogs, 'GET', {'build_uuid': 'S5J8', 'repository': 'devtable/shared'}, None, None, 401),
-  (RepositoryBuildLogs, 'GET', {'build_uuid': 'S5J8', 'repository': 'devtable/shared'}, None, 'devtable', 400),
-  (RepositoryBuildLogs, 'GET', {'build_uuid': 'S5J8', 'repository': 'devtable/shared'}, None, 'freshuser', 403),
-  (RepositoryBuildLogs, 'GET', {'build_uuid': 'S5J8', 'repository': 'devtable/shared'}, None, 'reader', 403),
-  (RepositoryBuildLogs, 'GET', {'build_uuid': 'S5J8', 'repository': 'buynlarge/orgrepo'}, None, None, 401),
-  (RepositoryBuildLogs, 'GET', {'build_uuid': 'S5J8', 'repository': 'buynlarge/orgrepo'}, None, 'devtable', 400),
-  (RepositoryBuildLogs, 'GET', {'build_uuid': 'S5J8', 'repository': 'buynlarge/orgrepo'}, None, 'freshuser', 403),
-  (RepositoryBuildLogs, 'GET', {'build_uuid': 'S5J8', 'repository': 'buynlarge/orgrepo'}, None, 'reader', 403),
-
-  (ListRepositoryTags, 'GET', {'tag': 'TN96', 'repository': 'public/publicrepo'}, None, None, 200),
-  (ListRepositoryTags, 'GET', {'tag': 'TN96', 'repository': 'public/publicrepo'}, None, 'devtable', 200),
-  (ListRepositoryTags, 'GET', {'tag': 'TN96', 'repository': 'public/publicrepo'}, None, 'freshuser', 200),
-  (ListRepositoryTags, 'GET', {'tag': 'TN96', 'repository': 'public/publicrepo'}, None, 'reader', 200),
-  (ListRepositoryTags, 'GET', {'tag': 'TN96', 'repository': 'devtable/shared'}, None, None, 401),
-  (ListRepositoryTags, 'GET', {'tag': 'TN96', 'repository': 'devtable/shared'}, None, 'devtable', 200),
-  (ListRepositoryTags, 'GET', {'tag': 'TN96', 'repository': 'devtable/shared'}, None, 'freshuser', 403),
-  (ListRepositoryTags, 'GET', {'tag': 'TN96', 'repository': 'devtable/shared'}, None, 'reader', 200),
-  (ListRepositoryTags, 'GET', {'tag': 'TN96', 'repository': 'buynlarge/orgrepo'}, None, None, 401),
-  (ListRepositoryTags, 'GET', {'tag': 'TN96', 'repository': 'buynlarge/orgrepo'}, None, 'devtable', 200),
-  (ListRepositoryTags, 'GET', {'tag': 'TN96', 'repository': 'buynlarge/orgrepo'}, None, 'freshuser', 403),
-  (ListRepositoryTags, 'GET', {'tag': 'TN96', 'repository': 'buynlarge/orgrepo'}, None, 'reader', 200),
-
-  (RepositoryTagImages, 'GET', {'tag': 'TN96', 'repository': 'public/publicrepo'}, None, None, 404),
-  (RepositoryTagImages, 'GET', {'tag': 'TN96', 'repository': 'public/publicrepo'}, None, 'devtable', 404),
-  (RepositoryTagImages, 'GET', {'tag': 'TN96', 'repository': 'public/publicrepo'}, None, 'freshuser', 404),
-  (RepositoryTagImages, 'GET', {'tag': 'TN96', 'repository': 'public/publicrepo'}, None, 'reader', 404),
-  (RepositoryTagImages, 'GET', {'tag': 'TN96', 'repository': 'devtable/shared'}, None, None, 401),
-  (RepositoryTagImages, 'GET', {'tag': 'TN96', 'repository': 'devtable/shared'}, None, 'devtable', 404),
-  (RepositoryTagImages, 'GET', {'tag': 'TN96', 'repository': 'devtable/shared'}, None, 'freshuser', 403),
-  (RepositoryTagImages, 'GET', {'tag': 'TN96', 'repository': 'devtable/shared'}, None, 'reader', 404),
-  (RepositoryTagImages, 'GET', {'tag': 'TN96', 'repository': 'buynlarge/orgrepo'}, None, None, 401),
-  (RepositoryTagImages, 'GET', {'tag': 'TN96', 'repository': 'buynlarge/orgrepo'}, None, 'devtable', 404),
-  (RepositoryTagImages, 'GET', {'tag': 'TN96', 'repository': 'buynlarge/orgrepo'}, None, 'freshuser', 403),
-  (RepositoryTagImages, 'GET', {'tag': 'TN96', 'repository': 'buynlarge/orgrepo'}, None, 'reader', 404),
-
-  (PermissionPrototype, 'DELETE', {'orgname': 'buynlarge', 'prototypeid': 'L24B'}, None, None, 401),
-  (PermissionPrototype, 'DELETE', {'orgname': 'buynlarge', 'prototypeid': 'L24B'}, None, 'devtable', 404),
-  (PermissionPrototype, 'DELETE', {'orgname': 'buynlarge', 'prototypeid': 'L24B'}, None, 'freshuser', 403),
-  (PermissionPrototype, 'DELETE', {'orgname': 'buynlarge', 'prototypeid': 'L24B'}, None, 'reader', 403),
-  (PermissionPrototype, 'PUT', {'orgname': 'buynlarge', 'prototypeid': 'L24B'}, {u'role': u'read'}, None, 401),
-  (PermissionPrototype, 'PUT', {'orgname': 'buynlarge', 'prototypeid': 'L24B'}, {u'role': u'read'}, 'devtable', 404),
-  (PermissionPrototype, 'PUT', {'orgname': 'buynlarge', 'prototypeid': 'L24B'}, {u'role': u'read'}, 'freshuser', 403),
-  (PermissionPrototype, 'PUT', {'orgname': 'buynlarge', 'prototypeid': 'L24B'}, {u'role': u'read'}, 'reader', 403),
-
-  (OrganizationMember, 'DELETE', {'orgname': 'buynlarge', 'membername': 'someuser'}, None, None, 401),
-  (OrganizationMember, 'DELETE', {'orgname': 'buynlarge', 'membername': 'someuser'}, None, 'devtable', 404),
-  (OrganizationMember, 'DELETE', {'orgname': 'buynlarge', 'membername': 'someuser'}, None, 'freshuser', 403),
-  (OrganizationMember, 'DELETE', {'orgname': 'buynlarge', 'membername': 'someuser'}, None, 'reader', 403),
-  (OrganizationMember, 'GET', {'orgname': 'buynlarge', 'membername': 'someuser'}, None, None, 401),
-  (OrganizationMember, 'GET', {'orgname': 'buynlarge', 'membername': 'someuser'}, None, 'devtable', 404),
-  (OrganizationMember, 'GET', {'orgname': 'buynlarge', 'membername': 'someuser'}, None, 'freshuser', 403),
-  (OrganizationMember, 'GET', {'orgname': 'buynlarge', 'membername': 'someuser'}, None, 'reader', 403),
-
-  (OrgRobot, 'DELETE', {'orgname': 'buynlarge', 'robot_shortname': 'Z7PD'}, None, None, 401),
-  (OrgRobot, 'DELETE', {'orgname': 'buynlarge', 'robot_shortname': 'Z7PD'}, None, 'devtable', 400),
-  (OrgRobot, 'DELETE', {'orgname': 'buynlarge', 'robot_shortname': 'Z7PD'}, None, 'freshuser', 403),
-  (OrgRobot, 'DELETE', {'orgname': 'buynlarge', 'robot_shortname': 'Z7PD'}, None, 'reader', 403),
-  (OrgRobot, 'GET', {'orgname': 'buynlarge', 'robot_shortname': 'Z7PD'}, None, None, 401),
-  (OrgRobot, 'GET', {'orgname': 'buynlarge', 'robot_shortname': 'Z7PD'}, None, 'devtable', 400),
-  (OrgRobot, 'GET', {'orgname': 'buynlarge', 'robot_shortname': 'Z7PD'}, None, 'freshuser', 403),
-  (OrgRobot, 'GET', {'orgname': 'buynlarge', 'robot_shortname': 'Z7PD'}, None, 'reader', 403),
-  (OrgRobot, 'PUT', {'orgname': 'buynlarge', 'robot_shortname': 'Z7PD'}, {}, None, 401),
-  (OrgRobot, 'PUT', {'orgname': 'buynlarge', 'robot_shortname': 'Z7PD'}, {}, 'devtable', 400),
-  (OrgRobot, 'PUT', {'orgname': 'buynlarge', 'robot_shortname': 'Z7PD'}, {}, 'freshuser', 403),
-  (OrgRobot, 'PUT', {'orgname': 'buynlarge', 'robot_shortname': 'Z7PD'}, {}, 'reader', 403),
-
-  (OrganizationTeam, 'DELETE', {'orgname': 'buynlarge', 'teamname': 'readers'}, None, None, 401),
-  (OrganizationTeam, 'DELETE', {'orgname': 'buynlarge', 'teamname': 'readers'}, None, 'devtable', 204),
-  (OrganizationTeam, 'DELETE', {'orgname': 'buynlarge', 'teamname': 'readers'}, None, 'freshuser', 403),
-  (OrganizationTeam, 'DELETE', {'orgname': 'buynlarge', 'teamname': 'readers'}, None, 'reader', 403),
-  (OrganizationTeam, 'PUT', {'orgname': 'buynlarge', 'teamname': 'readers'}, {u'role': u'member'}, None, 401),
-  (OrganizationTeam, 'PUT', {'orgname': 'buynlarge', 'teamname': 'readers'}, {u'role': u'member'}, 'devtable', 200),
-  (OrganizationTeam, 'PUT', {'orgname': 'buynlarge', 'teamname': 'readers'}, {u'role': u'member'}, 'freshuser', 403),
-  (OrganizationTeam, 'PUT', {'orgname': 'buynlarge', 'teamname': 'readers'}, {u'role': u'member'}, 'reader', 403),
-  (OrganizationTeam, 'DELETE', {'orgname': 'buynlarge', 'teamname': 'owners'}, None, None, 401),
-  (OrganizationTeam, 'DELETE', {'orgname': 'buynlarge', 'teamname': 'owners'}, None, 'devtable', 400),
-  (OrganizationTeam, 'DELETE', {'orgname': 'buynlarge', 'teamname': 'owners'}, None, 'freshuser', 403),
-  (OrganizationTeam, 'DELETE', {'orgname': 'buynlarge', 'teamname': 'owners'}, None, 'reader', 403),
-  (OrganizationTeam, 'PUT', {'orgname': 'buynlarge', 'teamname': 'owners'}, {u'role': u'member'}, None, 401),
-  (OrganizationTeam, 'PUT', {'orgname': 'buynlarge', 'teamname': 'owners'}, {u'role': u'member'}, 'devtable', 400),
-  (OrganizationTeam, 'PUT', {'orgname': 'buynlarge', 'teamname': 'owners'}, {u'role': u'member'}, 'freshuser', 403),
-  (OrganizationTeam, 'PUT', {'orgname': 'buynlarge', 'teamname': 'owners'}, {u'role': u'member'}, 'reader', 403),
-
-  (RepositoryTeamPermissionList, 'GET', {'repository': 'public/publicrepo'}, None, None, 401),
-  (RepositoryTeamPermissionList, 'GET', {'repository': 'public/publicrepo'}, None, 'devtable', 403),
-  (RepositoryTeamPermissionList, 'GET', {'repository': 'public/publicrepo'}, None, 'freshuser', 403),
-  (RepositoryTeamPermissionList, 'GET', {'repository': 'public/publicrepo'}, None, 'reader', 403),
-  (RepositoryTeamPermissionList, 'GET', {'repository': 'devtable/shared'}, None, None, 401),
-  (RepositoryTeamPermissionList, 'GET', {'repository': 'devtable/shared'}, None, 'devtable', 200),
-  (RepositoryTeamPermissionList, 'GET', {'repository': 'devtable/shared'}, None, 'freshuser', 403),
-  (RepositoryTeamPermissionList, 'GET', {'repository': 'devtable/shared'}, None, 'reader', 403),
-  (RepositoryTeamPermissionList, 'GET', {'repository': 'buynlarge/orgrepo'}, None, None, 401),
-  (RepositoryTeamPermissionList, 'GET', {'repository': 'buynlarge/orgrepo'}, None, 'devtable', 200),
-  (RepositoryTeamPermissionList, 'GET', {'repository': 'buynlarge/orgrepo'}, None, 'freshuser', 403),
-  (RepositoryTeamPermissionList, 'GET', {'repository': 'buynlarge/orgrepo'}, None, 'reader', 403),
-
-  (RepositoryUserPermissionList, 'GET', {'repository': 'public/publicrepo'}, None, None, 401),
-  (RepositoryUserPermissionList, 'GET', {'repository': 'public/publicrepo'}, None, 'devtable', 403),
-  (RepositoryUserPermissionList, 'GET', {'repository': 'public/publicrepo'}, None, 'freshuser', 403),
-  (RepositoryUserPermissionList, 'GET', {'repository': 'public/publicrepo'}, None, 'reader', 403),
-  (RepositoryUserPermissionList, 'GET', {'repository': 'devtable/shared'}, None, None, 401),
-  (RepositoryUserPermissionList, 'GET', {'repository': 'devtable/shared'}, None, 'devtable', 200),
-  (RepositoryUserPermissionList, 'GET', {'repository': 'devtable/shared'}, None, 'freshuser', 403),
-  (RepositoryUserPermissionList, 'GET', {'repository': 'devtable/shared'}, None, 'reader', 403),
-  (RepositoryUserPermissionList, 'GET', {'repository': 'buynlarge/orgrepo'}, None, None, 401),
-  (RepositoryUserPermissionList, 'GET', {'repository': 'buynlarge/orgrepo'}, None, 'devtable', 200),
-  (RepositoryUserPermissionList, 'GET', {'repository': 'buynlarge/orgrepo'}, None, 'freshuser', 403),
-  (RepositoryUserPermissionList, 'GET', {'repository': 'buynlarge/orgrepo'}, None, 'reader', 403),
-
-  (BuildTrigger, 'DELETE', {'repository': 'public/publicrepo', 'trigger_uuid': 'D6TI'}, None, None, 401),
-  (BuildTrigger, 'DELETE', {'repository': 'public/publicrepo', 'trigger_uuid': 'D6TI'}, None, 'devtable', 403),
-  (BuildTrigger, 'DELETE', {'repository': 'public/publicrepo', 'trigger_uuid': 'D6TI'}, None, 'freshuser', 403),
-  (BuildTrigger, 'DELETE', {'repository': 'public/publicrepo', 'trigger_uuid': 'D6TI'}, None, 'reader', 403),
-  (BuildTrigger, 'GET', {'repository': 'public/publicrepo', 'trigger_uuid': 'D6TI'}, None, None, 401),
-  (BuildTrigger, 'GET', {'repository': 'public/publicrepo', 'trigger_uuid': 'D6TI'}, None, 'devtable', 403),
-  (BuildTrigger, 'GET', {'repository': 'public/publicrepo', 'trigger_uuid': 'D6TI'}, None, 'freshuser', 403),
-  (BuildTrigger, 'GET', {'repository': 'public/publicrepo', 'trigger_uuid': 'D6TI'}, None, 'reader', 403),
-  (BuildTrigger, 'DELETE', {'repository': 'devtable/shared', 'trigger_uuid': 'D6TI'}, None, None, 401),
-  (BuildTrigger, 'DELETE', {'repository': 'devtable/shared', 'trigger_uuid': 'D6TI'}, None, 'devtable', 404),
-  (BuildTrigger, 'DELETE', {'repository': 'devtable/shared', 'trigger_uuid': 'D6TI'}, None, 'freshuser', 403),
-  (BuildTrigger, 'DELETE', {'repository': 'devtable/shared', 'trigger_uuid': 'D6TI'}, None, 'reader', 403),
-  (BuildTrigger, 'GET', {'repository': 'devtable/shared', 'trigger_uuid': 'D6TI'}, None, None, 401),
-  (BuildTrigger, 'GET', {'repository': 'devtable/shared', 'trigger_uuid': 'D6TI'}, None, 'devtable', 404),
-  (BuildTrigger, 'GET', {'repository': 'devtable/shared', 'trigger_uuid': 'D6TI'}, None, 'freshuser', 403),
-  (BuildTrigger, 'GET', {'repository': 'devtable/shared', 'trigger_uuid': 'D6TI'}, None, 'reader', 403),
-  (BuildTrigger, 'DELETE', {'repository': 'buynlarge/orgrepo', 'trigger_uuid': 'D6TI'}, None, None, 401),
-  (BuildTrigger, 'DELETE', {'repository': 'buynlarge/orgrepo', 'trigger_uuid': 'D6TI'}, None, 'devtable', 404),
-  (BuildTrigger, 'DELETE', {'repository': 'buynlarge/orgrepo', 'trigger_uuid': 'D6TI'}, None, 'freshuser', 403),
-  (BuildTrigger, 'DELETE', {'repository': 'buynlarge/orgrepo', 'trigger_uuid': 'D6TI'}, None, 'reader', 403),
-  (BuildTrigger, 'GET', {'repository': 'buynlarge/orgrepo', 'trigger_uuid': 'D6TI'}, None, None, 401),
-  (BuildTrigger, 'GET', {'repository': 'buynlarge/orgrepo', 'trigger_uuid': 'D6TI'}, None, 'devtable', 404),
-  (BuildTrigger, 'GET', {'repository': 'buynlarge/orgrepo', 'trigger_uuid': 'D6TI'}, None, 'freshuser', 403),
-  (BuildTrigger, 'GET', {'repository': 'buynlarge/orgrepo', 'trigger_uuid': 'D6TI'}, None, 'reader', 403),
-
-  (RepositoryNotification, 'DELETE', {'uuid': 'QFAT', 'repository': 'public/publicrepo'}, None, None, 401),
-  (RepositoryNotification, 'DELETE', {'uuid': 'QFAT', 'repository': 'public/publicrepo'}, None, 'devtable', 403),
-  (RepositoryNotification, 'DELETE', {'uuid': 'QFAT', 'repository': 'public/publicrepo'}, None, 'freshuser', 403),
-  (RepositoryNotification, 'DELETE', {'uuid': 'QFAT', 'repository': 'public/publicrepo'}, None, 'reader', 403),
-  (RepositoryNotification, 'GET', {'uuid': 'QFAT', 'repository': 'public/publicrepo'}, None, None, 401),
-  (RepositoryNotification, 'GET', {'uuid': 'QFAT', 'repository': 'public/publicrepo'}, None, 'devtable', 403),
-  (RepositoryNotification, 'GET', {'uuid': 'QFAT', 'repository': 'public/publicrepo'}, None, 'freshuser', 403),
-  (RepositoryNotification, 'GET', {'uuid': 'QFAT', 'repository': 'public/publicrepo'}, None, 'reader', 403),
-  (RepositoryNotification, 'DELETE', {'uuid': 'QFAT', 'repository': 'devtable/shared'}, None, None, 401),
-  (RepositoryNotification, 'DELETE', {'uuid': 'QFAT', 'repository': 'devtable/shared'}, None, 'devtable', 400),
-  (RepositoryNotification, 'DELETE', {'uuid': 'QFAT', 'repository': 'devtable/shared'}, None, 'freshuser', 403),
-  (RepositoryNotification, 'DELETE', {'uuid': 'QFAT', 'repository': 'devtable/shared'}, None, 'reader', 403),
-  (RepositoryNotification, 'GET', {'uuid': 'QFAT', 'repository': 'devtable/shared'}, None, None, 401),
-  (RepositoryNotification, 'GET', {'uuid': 'QFAT', 'repository': 'devtable/shared'}, None, 'devtable', 404),
-  (RepositoryNotification, 'GET', {'uuid': 'QFAT', 'repository': 'devtable/shared'}, None, 'freshuser', 403),
-  (RepositoryNotification, 'GET', {'uuid': 'QFAT', 'repository': 'devtable/shared'}, None, 'reader', 403),
-  (RepositoryNotification, 'DELETE', {'uuid': 'QFAT', 'repository': 'buynlarge/orgrepo'}, None, None, 401),
-  (RepositoryNotification, 'DELETE', {'uuid': 'QFAT', 'repository': 'buynlarge/orgrepo'}, None, 'devtable', 400),
-  (RepositoryNotification, 'DELETE', {'uuid': 'QFAT', 'repository': 'buynlarge/orgrepo'}, None, 'freshuser', 403),
-  (RepositoryNotification, 'DELETE', {'uuid': 'QFAT', 'repository': 'buynlarge/orgrepo'}, None, 'reader', 403),
-  (RepositoryNotification, 'GET', {'uuid': 'QFAT', 'repository': 'buynlarge/orgrepo'}, None, None, 401),
-  (RepositoryNotification, 'GET', {'uuid': 'QFAT', 'repository': 'buynlarge/orgrepo'}, None, 'devtable', 404),
-  (RepositoryNotification, 'GET', {'uuid': 'QFAT', 'repository': 'buynlarge/orgrepo'}, None, 'freshuser', 403),
-  (RepositoryNotification, 'GET', {'uuid': 'QFAT', 'repository': 'buynlarge/orgrepo'}, None, 'reader', 403),
-
-  (RepositoryToken, 'DELETE', {'code': 'UJQB', 'repository': 'public/publicrepo'}, None, None, 401),
-  (RepositoryToken, 'DELETE', {'code': 'UJQB', 'repository': 'public/publicrepo'}, None, 'devtable', 403),
-  (RepositoryToken, 'DELETE', {'code': 'UJQB', 'repository': 'public/publicrepo'}, None, 'freshuser', 403),
-  (RepositoryToken, 'DELETE', {'code': 'UJQB', 'repository': 'public/publicrepo'}, None, 'reader', 403),
-  (RepositoryToken, 'GET', {'code': 'UJQB', 'repository': 'public/publicrepo'}, None, None, 401),
-  (RepositoryToken, 'GET', {'code': 'UJQB', 'repository': 'public/publicrepo'}, None, 'devtable', 403),
-  (RepositoryToken, 'GET', {'code': 'UJQB', 'repository': 'public/publicrepo'}, None, 'freshuser', 403),
-  (RepositoryToken, 'GET', {'code': 'UJQB', 'repository': 'public/publicrepo'}, None, 'reader', 403),
-  (RepositoryToken, 'PUT', {'code': 'UJQB', 'repository': 'public/publicrepo'}, {u'role': u'read'}, None, 401),
-  (RepositoryToken, 'PUT', {'code': 'UJQB', 'repository': 'public/publicrepo'}, {u'role': u'read'}, 'devtable', 403),
-  (RepositoryToken, 'PUT', {'code': 'UJQB', 'repository': 'public/publicrepo'}, {u'role': u'read'}, 'freshuser', 403),
-  (RepositoryToken, 'PUT', {'code': 'UJQB', 'repository': 'public/publicrepo'}, {u'role': u'read'}, 'reader', 403),
-  (RepositoryToken, 'DELETE', {'code': 'UJQB', 'repository': 'devtable/shared'}, None, None, 401),
-  (RepositoryToken, 'DELETE', {'code': 'UJQB', 'repository': 'devtable/shared'}, None, 'devtable', 410),
-  (RepositoryToken, 'DELETE', {'code': 'UJQB', 'repository': 'devtable/shared'}, None, 'freshuser', 403),
-  (RepositoryToken, 'DELETE', {'code': 'UJQB', 'repository': 'devtable/shared'}, None, 'reader', 403),
-  (RepositoryToken, 'GET', {'code': 'UJQB', 'repository': 'devtable/shared'}, None, None, 401),
-  (RepositoryToken, 'GET', {'code': 'UJQB', 'repository': 'devtable/shared'}, None, 'devtable', 410),
-  (RepositoryToken, 'GET', {'code': 'UJQB', 'repository': 'devtable/shared'}, None, 'freshuser', 403),
-  (RepositoryToken, 'GET', {'code': 'UJQB', 'repository': 'devtable/shared'}, None, 'reader', 403),
-  (RepositoryToken, 'PUT', {'code': 'UJQB', 'repository': 'devtable/shared'}, {u'role': u'read'}, None, 401),
-  (RepositoryToken, 'PUT', {'code': 'UJQB', 'repository': 'devtable/shared'}, {u'role': u'read'}, 'devtable', 410),
-  (RepositoryToken, 'PUT', {'code': 'UJQB', 'repository': 'devtable/shared'}, {u'role': u'read'}, 'freshuser', 403),
-  (RepositoryToken, 'PUT', {'code': 'UJQB', 'repository': 'devtable/shared'}, {u'role': u'read'}, 'reader', 403),
-  (RepositoryToken, 'DELETE', {'code': 'UJQB', 'repository': 'buynlarge/orgrepo'}, None, None, 401),
-  (RepositoryToken, 'DELETE', {'code': 'UJQB', 'repository': 'buynlarge/orgrepo'}, None, 'devtable', 410),
-  (RepositoryToken, 'DELETE', {'code': 'UJQB', 'repository': 'buynlarge/orgrepo'}, None, 'freshuser', 403),
-  (RepositoryToken, 'DELETE', {'code': 'UJQB', 'repository': 'buynlarge/orgrepo'}, None, 'reader', 403),
-  (RepositoryToken, 'GET', {'code': 'UJQB', 'repository': 'buynlarge/orgrepo'}, None, None, 401),
-  (RepositoryToken, 'GET', {'code': 'UJQB', 'repository': 'buynlarge/orgrepo'}, None, 'devtable', 410),
-  (RepositoryToken, 'GET', {'code': 'UJQB', 'repository': 'buynlarge/orgrepo'}, None, 'freshuser', 403),
-  (RepositoryToken, 'GET', {'code': 'UJQB', 'repository': 'buynlarge/orgrepo'}, None, 'reader', 403),
-  (RepositoryToken, 'PUT', {'code': 'UJQB', 'repository': 'buynlarge/orgrepo'}, {u'role': u'read'}, None, 401),
-  (RepositoryToken, 'PUT', {'code': 'UJQB', 'repository': 'buynlarge/orgrepo'}, {u'role': u'read'}, 'devtable', 410),
-  (RepositoryToken, 'PUT', {'code': 'UJQB', 'repository': 'buynlarge/orgrepo'}, {u'role': u'read'}, 'freshuser', 403),
-  (RepositoryToken, 'PUT', {'code': 'UJQB', 'repository': 'buynlarge/orgrepo'}, {u'role': u'read'}, 'reader', 403),
-
-  (RepositoryImage, 'GET', {'image_id': '5AVQ', 'repository': 'public/publicrepo'}, None, None, 404),
-  (RepositoryImage, 'GET', {'image_id': '5AVQ', 'repository': 'public/publicrepo'}, None, 'devtable', 404),
-  (RepositoryImage, 'GET', {'image_id': '5AVQ', 'repository': 'public/publicrepo'}, None, 'freshuser', 404),
-  (RepositoryImage, 'GET', {'image_id': '5AVQ', 'repository': 'public/publicrepo'}, None, 'reader', 404),
-  (RepositoryImage, 'GET', {'image_id': '5AVQ', 'repository': 'devtable/shared'}, None, None, 401),
-  (RepositoryImage, 'GET', {'image_id': '5AVQ', 'repository': 'devtable/shared'}, None, 'devtable', 404),
-  (RepositoryImage, 'GET', {'image_id': '5AVQ', 'repository': 'devtable/shared'}, None, 'freshuser', 403),
-  (RepositoryImage, 'GET', {'image_id': '5AVQ', 'repository': 'devtable/shared'}, None, 'reader', 404),
-  (RepositoryImage, 'GET', {'image_id': '5AVQ', 'repository': 'buynlarge/orgrepo'}, None, None, 401),
-  (RepositoryImage, 'GET', {'image_id': '5AVQ', 'repository': 'buynlarge/orgrepo'}, None, 'devtable', 404),
-  (RepositoryImage, 'GET', {'image_id': '5AVQ', 'repository': 'buynlarge/orgrepo'}, None, 'freshuser', 403),
-  (RepositoryImage, 'GET', {'image_id': '5AVQ', 'repository': 'buynlarge/orgrepo'}, None, 'reader', 404),
-
-  (RestoreTag, 'POST', {'tag': 'HP8R', 'repository': 'public/publicrepo'}, {u'image': 'WXNG'}, None, 401),
-  (RestoreTag, 'POST', {'tag': 'HP8R', 'repository': 'public/publicrepo'}, {u'image': 'WXNG'}, 'devtable', 403),
-  (RestoreTag, 'POST', {'tag': 'HP8R', 'repository': 'public/publicrepo'}, {u'image': 'WXNG'}, 'freshuser', 403),
-  (RestoreTag, 'POST', {'tag': 'HP8R', 'repository': 'public/publicrepo'}, {u'image': 'WXNG'}, 'reader', 403),
-  (RestoreTag, 'POST', {'tag': 'HP8R', 'repository': 'devtable/shared'}, {u'image': 'WXNG'}, None, 401),
-  (RestoreTag, 'POST', {'tag': 'HP8R', 'repository': 'devtable/shared'}, {u'image': 'WXNG'}, 'devtable', 404),
-  (RestoreTag, 'POST', {'tag': 'HP8R', 'repository': 'devtable/shared'}, {u'image': 'WXNG'}, 'freshuser', 403),
-  (RestoreTag, 'POST', {'tag': 'HP8R', 'repository': 'devtable/shared'}, {u'image': 'WXNG'}, 'reader', 403),
-  (RestoreTag, 'POST', {'tag': 'HP8R', 'repository': 'buynlarge/orgrepo'}, {u'image': 'WXNG'}, None, 401),
-  (RestoreTag, 'POST', {'tag': 'HP8R', 'repository': 'buynlarge/orgrepo'}, {u'image': 'WXNG'}, 'devtable', 404),
-  (RestoreTag, 'POST', {'tag': 'HP8R', 'repository': 'buynlarge/orgrepo'}, {u'image': 'WXNG'}, 'freshuser', 403),
-  (RestoreTag, 'POST', {'tag': 'HP8R', 'repository': 'buynlarge/orgrepo'}, {u'image': 'WXNG'}, 'reader', 403),
-
-  (RepositoryTag, 'DELETE', {'tag': 'HP8R', 'repository': 'public/publicrepo'}, None, None, 401),
-  (RepositoryTag, 'DELETE', {'tag': 'HP8R', 'repository': 'public/publicrepo'}, None, 'devtable', 403),
-  (RepositoryTag, 'DELETE', {'tag': 'HP8R', 'repository': 'public/publicrepo'}, None, 'freshuser', 403),
-  (RepositoryTag, 'DELETE', {'tag': 'HP8R', 'repository': 'public/publicrepo'}, None, 'reader', 403),
-  (RepositoryTag, 'PUT', {'tag': 'HP8R', 'repository': 'public/publicrepo'}, {u'image': 'WXNG'}, None, 401),
-  (RepositoryTag, 'PUT', {'tag': 'HP8R', 'repository': 'public/publicrepo'}, {u'image': 'WXNG'}, 'devtable', 403),
-  (RepositoryTag, 'PUT', {'tag': 'HP8R', 'repository': 'public/publicrepo'}, {u'image': 'WXNG'}, 'freshuser', 403),
-  (RepositoryTag, 'PUT', {'tag': 'HP8R', 'repository': 'public/publicrepo'}, {u'image': 'WXNG'}, 'reader', 403),
-  (RepositoryTag, 'DELETE', {'tag': 'HP8R', 'repository': 'devtable/shared'}, None, None, 401),
-  (RepositoryTag, 'DELETE', {'tag': 'HP8R', 'repository': 'devtable/shared'}, None, 'devtable', 400),
-  (RepositoryTag, 'DELETE', {'tag': 'HP8R', 'repository': 'devtable/shared'}, None, 'freshuser', 403),
-  (RepositoryTag, 'DELETE', {'tag': 'HP8R', 'repository': 'devtable/shared'}, None, 'reader', 403),
-  (RepositoryTag, 'PUT', {'tag': 'HP8R', 'repository': 'devtable/shared'}, {u'image': 'WXNG'}, None, 401),
-  (RepositoryTag, 'PUT', {'tag': 'HP8R', 'repository': 'devtable/shared'}, {u'image': 'WXNG'}, 'devtable', 404),
-  (RepositoryTag, 'PUT', {'tag': 'HP8R', 'repository': 'devtable/shared'}, {u'image': 'WXNG'}, 'freshuser', 403),
-  (RepositoryTag, 'PUT', {'tag': 'HP8R', 'repository': 'devtable/shared'}, {u'image': 'WXNG'}, 'reader', 403),
-  (RepositoryTag, 'DELETE', {'tag': 'HP8R', 'repository': 'buynlarge/orgrepo'}, None, None, 401),
-  (RepositoryTag, 'DELETE', {'tag': 'HP8R', 'repository': 'buynlarge/orgrepo'}, None, 'devtable', 400),
-  (RepositoryTag, 'DELETE', {'tag': 'HP8R', 'repository': 'buynlarge/orgrepo'}, None, 'freshuser', 403),
-  (RepositoryTag, 'DELETE', {'tag': 'HP8R', 'repository': 'buynlarge/orgrepo'}, None, 'reader', 403),
-  (RepositoryTag, 'PUT', {'tag': 'HP8R', 'repository': 'buynlarge/orgrepo'}, {u'image': 'WXNG'}, None, 401),
-  (RepositoryTag, 'PUT', {'tag': 'HP8R', 'repository': 'buynlarge/orgrepo'}, {u'image': 'WXNG'}, 'devtable', 404),
-  (RepositoryTag, 'PUT', {'tag': 'HP8R', 'repository': 'buynlarge/orgrepo'}, {u'image': 'WXNG'}, 'freshuser', 403),
-  (RepositoryTag, 'PUT', {'tag': 'HP8R', 'repository': 'buynlarge/orgrepo'}, {u'image': 'WXNG'}, 'reader', 403),
-
-  (PermissionPrototypeList, 'GET', {'orgname': 'buynlarge'}, None, None, 401),
-  (PermissionPrototypeList, 'GET', {'orgname': 'buynlarge'}, None, 'devtable', 200),
-  (PermissionPrototypeList, 'GET', {'orgname': 'buynlarge'}, None, 'freshuser', 403),
-  (PermissionPrototypeList, 'GET', {'orgname': 'buynlarge'}, None, 'reader', 403),
-  (PermissionPrototypeList, 'POST', {'orgname': 'buynlarge'}, {u'role': u'read', u'delegate': {u'kind': u'user', u'name': '7DGP'}}, None, 401),
-  (PermissionPrototypeList, 'POST', {'orgname': 'buynlarge'}, {u'role': u'read', u'delegate': {u'kind': u'user', u'name': '7DGP'}}, 'devtable', 400),
-  (PermissionPrototypeList, 'POST', {'orgname': 'buynlarge'}, {u'role': u'read', u'delegate': {u'kind': u'user', u'name': '7DGP'}}, 'freshuser', 403),
-  (PermissionPrototypeList, 'POST', {'orgname': 'buynlarge'}, {u'role': u'read', u'delegate': {u'kind': u'user', u'name': '7DGP'}}, 'reader', 403),
-
-  (OrganizationInvoiceList, 'GET', {'orgname': 'buynlarge'}, None, None, 401),
-  (OrganizationInvoiceList, 'GET', {'orgname': 'buynlarge'}, None, 'devtable', 200),
-  (OrganizationInvoiceList, 'GET', {'orgname': 'buynlarge'}, None, 'freshuser', 403),
-  (OrganizationInvoiceList, 'GET', {'orgname': 'buynlarge'}, None, 'reader', 403),
-
-  (OrgPrivateRepositories, 'GET', {'orgname': 'buynlarge'}, None, None, 401),
-  (OrgPrivateRepositories, 'GET', {'orgname': 'buynlarge'}, None, 'devtable', 200),
-  (OrgPrivateRepositories, 'GET', {'orgname': 'buynlarge'}, None, 'freshuser', 403),
-  (OrgPrivateRepositories, 'GET', {'orgname': 'buynlarge'}, None, 'reader', 403),
-
-  (OrganizationMemberList, 'GET', {'orgname': 'buynlarge'}, None, None, 401),
-  (OrganizationMemberList, 'GET', {'orgname': 'buynlarge'}, None, 'devtable', 200),
-  (OrganizationMemberList, 'GET', {'orgname': 'buynlarge'}, None, 'freshuser', 403),
-  (OrganizationMemberList, 'GET', {'orgname': 'buynlarge'}, None, 'reader', 403),
-
-  (OrgRobotList, 'GET', {'orgname': 'buynlarge'}, None, None, 401),
-  (OrgRobotList, 'GET', {'orgname': 'buynlarge'}, None, 'devtable', 200),
-  (OrgRobotList, 'GET', {'orgname': 'buynlarge'}, None, 'freshuser', 403),
-  (OrgRobotList, 'GET', {'orgname': 'buynlarge'}, None, 'reader', 200),
-
-  (OrganizationCard, 'GET', {'orgname': 'buynlarge'}, None, None, 401),
-  (OrganizationCard, 'GET', {'orgname': 'buynlarge'}, None, 'devtable', 200),
-  (OrganizationCard, 'GET', {'orgname': 'buynlarge'}, None, 'freshuser', 403),
-  (OrganizationCard, 'GET', {'orgname': 'buynlarge'}, None, 'reader', 403),
-  (OrganizationCard, 'POST', {'orgname': 'buynlarge'}, {u'token': '4VFR'}, None, 401),
-  (OrganizationCard, 'POST', {'orgname': 'buynlarge'}, {u'token': '4VFR'}, 'freshuser', 403),
-  (OrganizationCard, 'POST', {'orgname': 'buynlarge'}, {u'token': '4VFR'}, 'reader', 403),
-
-  (OrganizationPlan, 'GET', {'orgname': 'buynlarge'}, None, None, 401),
-  (OrganizationPlan, 'GET', {'orgname': 'buynlarge'}, None, 'devtable', 200),
-  (OrganizationPlan, 'GET', {'orgname': 'buynlarge'}, None, 'freshuser', 403),
-  (OrganizationPlan, 'GET', {'orgname': 'buynlarge'}, None, 'reader', 403),
-  (OrganizationPlan, 'PUT', {'orgname': 'buynlarge'}, {u'plan': 'WWEI'}, None, 401),
-  (OrganizationPlan, 'PUT', {'orgname': 'buynlarge'}, {u'plan': 'WWEI'}, 'freshuser', 403),
-  (OrganizationPlan, 'PUT', {'orgname': 'buynlarge'}, {u'plan': 'WWEI'}, 'reader', 403),
-
-  (OrgLogs, 'GET', {'orgname': 'buynlarge'}, None, None, 401),
-  (OrgLogs, 'GET', {'orgname': 'buynlarge'}, None, 'devtable', 200),
-  (OrgLogs, 'GET', {'orgname': 'buynlarge'}, None, 'freshuser', 403),
-  (OrgLogs, 'GET', {'orgname': 'buynlarge'}, None, 'reader', 403),
-
-  (RepositoryVisibility, 'POST', {'repository': 'public/publicrepo'}, {u'visibility': u'public'}, None, 401),
-  (RepositoryVisibility, 'POST', {'repository': 'public/publicrepo'}, {u'visibility': u'public'}, 'devtable', 403),
-  (RepositoryVisibility, 'POST', {'repository': 'public/publicrepo'}, {u'visibility': u'public'}, 'freshuser', 403),
-  (RepositoryVisibility, 'POST', {'repository': 'public/publicrepo'}, {u'visibility': u'public'}, 'reader', 403),
-  (RepositoryVisibility, 'POST', {'repository': 'devtable/shared'}, {u'visibility': u'public'}, None, 401),
-  (RepositoryVisibility, 'POST', {'repository': 'devtable/shared'}, {u'visibility': u'public'}, 'devtable', 200),
-  (RepositoryVisibility, 'POST', {'repository': 'devtable/shared'}, {u'visibility': u'public'}, 'freshuser', 403),
-  (RepositoryVisibility, 'POST', {'repository': 'devtable/shared'}, {u'visibility': u'public'}, 'reader', 403),
-  (RepositoryVisibility, 'POST', {'repository': 'buynlarge/orgrepo'}, {u'visibility': u'public'}, None, 401),
-  (RepositoryVisibility, 'POST', {'repository': 'buynlarge/orgrepo'}, {u'visibility': u'public'}, 'devtable', 200),
-  (RepositoryVisibility, 'POST', {'repository': 'buynlarge/orgrepo'}, {u'visibility': u'public'}, 'freshuser', 403),
-  (RepositoryVisibility, 'POST', {'repository': 'buynlarge/orgrepo'}, {u'visibility': u'public'}, 'reader', 403),
-
-  (BuildTriggerList, 'GET', {'repository': 'public/publicrepo'}, None, None, 401),
-  (BuildTriggerList, 'GET', {'repository': 'public/publicrepo'}, None, 'devtable', 403),
-  (BuildTriggerList, 'GET', {'repository': 'public/publicrepo'}, None, 'freshuser', 403),
-  (BuildTriggerList, 'GET', {'repository': 'public/publicrepo'}, None, 'reader', 403),
-  (BuildTriggerList, 'GET', {'repository': 'devtable/shared'}, None, None, 401),
-  (BuildTriggerList, 'GET', {'repository': 'devtable/shared'}, None, 'devtable', 200),
-  (BuildTriggerList, 'GET', {'repository': 'devtable/shared'}, None, 'freshuser', 403),
-  (BuildTriggerList, 'GET', {'repository': 'devtable/shared'}, None, 'reader', 403),
-  (BuildTriggerList, 'GET', {'repository': 'buynlarge/orgrepo'}, None, None, 401),
-  (BuildTriggerList, 'GET', {'repository': 'buynlarge/orgrepo'}, None, 'devtable', 200),
-  (BuildTriggerList, 'GET', {'repository': 'buynlarge/orgrepo'}, None, 'freshuser', 403),
-  (BuildTriggerList, 'GET', {'repository': 'buynlarge/orgrepo'}, None, 'reader', 403),
-
-  (RepositoryNotificationList, 'GET', {'repository': 'public/publicrepo'}, None, None, 401),
-  (RepositoryNotificationList, 'GET', {'repository': 'public/publicrepo'}, None, 'devtable', 403),
-  (RepositoryNotificationList, 'GET', {'repository': 'public/publicrepo'}, None, 'freshuser', 403),
-  (RepositoryNotificationList, 'GET', {'repository': 'public/publicrepo'}, None, 'reader', 403),
-  (RepositoryNotificationList, 'POST', {'repository': 'public/publicrepo'}, {}, None, 401),
-  (RepositoryNotificationList, 'POST', {'repository': 'public/publicrepo'}, {}, 'devtable', 403),
-  (RepositoryNotificationList, 'POST', {'repository': 'public/publicrepo'}, {}, 'freshuser', 403),
-  (RepositoryNotificationList, 'POST', {'repository': 'public/publicrepo'}, {}, 'reader', 403),
-  (RepositoryNotificationList, 'GET', {'repository': 'devtable/shared'}, None, None, 401),
-  (RepositoryNotificationList, 'GET', {'repository': 'devtable/shared'}, None, 'devtable', 200),
-  (RepositoryNotificationList, 'GET', {'repository': 'devtable/shared'}, None, 'freshuser', 403),
-  (RepositoryNotificationList, 'GET', {'repository': 'devtable/shared'}, None, 'reader', 403),
-  (RepositoryNotificationList, 'POST', {'repository': 'devtable/shared'}, {}, None, 401),
-  (RepositoryNotificationList, 'POST', {'repository': 'devtable/shared'}, {'config': {'email': 'a@b.com'}, 'event': 'repo_push', 'method': 'email'}, 'devtable', 400),
-  (RepositoryNotificationList, 'POST', {'repository': 'devtable/shared'}, {}, 'freshuser', 403),
-  (RepositoryNotificationList, 'POST', {'repository': 'devtable/shared'}, {}, 'reader', 403),
-  (RepositoryNotificationList, 'GET', {'repository': 'buynlarge/orgrepo'}, None, None, 401),
-  (RepositoryNotificationList, 'GET', {'repository': 'buynlarge/orgrepo'}, None, 'devtable', 200),
-  (RepositoryNotificationList, 'GET', {'repository': 'buynlarge/orgrepo'}, None, 'freshuser', 403),
-  (RepositoryNotificationList, 'GET', {'repository': 'buynlarge/orgrepo'}, None, 'reader', 403),
-  (RepositoryNotificationList, 'POST', {'repository': 'buynlarge/orgrepo'}, {}, None, 401),
-  (RepositoryNotificationList, 'POST', {'repository': 'buynlarge/orgrepo'}, {'config': {'email': 'a@b.com'}, 'event': 'repo_push', 'method': 'email'}, 'devtable', 400),
-  (RepositoryNotificationList, 'POST', {'repository': 'buynlarge/orgrepo'}, {}, 'freshuser', 403),
-  (RepositoryNotificationList, 'POST', {'repository': 'buynlarge/orgrepo'}, {}, 'reader', 403),
-
-  (RepositoryAuthorizedEmail, 'GET', {'email': 'jschorr@devtable.com', 'repository': 'public/publicrepo'}, None, None, 401),
-  (RepositoryAuthorizedEmail, 'GET', {'email': 'jschorr@devtable.com', 'repository': 'public/publicrepo'}, None, 'devtable', 403),
-  (RepositoryAuthorizedEmail, 'GET', {'email': 'jschorr@devtable.com', 'repository': 'public/publicrepo'}, None, 'freshuser', 403),
-  (RepositoryAuthorizedEmail, 'GET', {'email': 'jschorr@devtable.com', 'repository': 'public/publicrepo'}, None, 'reader', 403),
-  (RepositoryAuthorizedEmail, 'POST', {'email': 'jschorr@devtable.com', 'repository': 'public/publicrepo'}, {}, None, 401),
-  (RepositoryAuthorizedEmail, 'POST', {'email': 'jschorr@devtable.com', 'repository': 'public/publicrepo'}, {}, 'devtable', 403),
-  (RepositoryAuthorizedEmail, 'POST', {'email': 'jschorr@devtable.com', 'repository': 'public/publicrepo'}, {}, 'freshuser', 403),
-  (RepositoryAuthorizedEmail, 'POST', {'email': 'jschorr@devtable.com', 'repository': 'public/publicrepo'}, {}, 'reader', 403),
-  (RepositoryAuthorizedEmail, 'GET', {'email': 'jschorr@devtable.com', 'repository': 'devtable/shared'}, None, None, 401),
-  (RepositoryAuthorizedEmail, 'GET', {'email': 'jschorr@devtable.com', 'repository': 'devtable/shared'}, None, 'devtable', 404),
-  (RepositoryAuthorizedEmail, 'GET', {'email': 'jschorr@devtable.com', 'repository': 'devtable/shared'}, None, 'freshuser', 403),
-  (RepositoryAuthorizedEmail, 'GET', {'email': 'jschorr@devtable.com', 'repository': 'devtable/shared'}, None, 'reader', 403),
-  (RepositoryAuthorizedEmail, 'POST', {'email': 'jschorr@devtable.com', 'repository': 'devtable/shared'}, {}, None, 401),
-  (RepositoryAuthorizedEmail, 'POST', {'email': 'jschorr@devtable.com', 'repository': 'devtable/shared'}, {}, 'devtable', 200),
-  (RepositoryAuthorizedEmail, 'POST', {'email': 'jschorr@devtable.com', 'repository': 'devtable/shared'}, {}, 'freshuser', 403),
-  (RepositoryAuthorizedEmail, 'POST', {'email': 'jschorr@devtable.com', 'repository': 'devtable/shared'}, {}, 'reader', 403),
-  (RepositoryAuthorizedEmail, 'GET', {'email': 'jschorr@devtable.com', 'repository': 'buynlarge/orgrepo'}, None, None, 401),
-  (RepositoryAuthorizedEmail, 'GET', {'email': 'jschorr@devtable.com', 'repository': 'buynlarge/orgrepo'}, None, 'devtable', 404),
-  (RepositoryAuthorizedEmail, 'GET', {'email': 'jschorr@devtable.com', 'repository': 'buynlarge/orgrepo'}, None, 'freshuser', 403),
-  (RepositoryAuthorizedEmail, 'GET', {'email': 'jschorr@devtable.com', 'repository': 'buynlarge/orgrepo'}, None, 'reader', 403),
-  (RepositoryAuthorizedEmail, 'POST', {'email': 'jschorr@devtable.com', 'repository': 'buynlarge/orgrepo'}, {}, None, 401),
-  (RepositoryAuthorizedEmail, 'POST', {'email': 'jschorr@devtable.com', 'repository': 'buynlarge/orgrepo'}, {}, 'devtable', 200),
-  (RepositoryAuthorizedEmail, 'POST', {'email': 'jschorr@devtable.com', 'repository': 'buynlarge/orgrepo'}, {}, 'freshuser', 403),
-  (RepositoryAuthorizedEmail, 'POST', {'email': 'jschorr@devtable.com', 'repository': 'buynlarge/orgrepo'}, {}, 'reader', 403),
-
-  (RepositoryTokenList, 'GET', {'repository': 'public/publicrepo'}, None, None, 401),
-  (RepositoryTokenList, 'GET', {'repository': 'public/publicrepo'}, None, 'devtable', 403),
-  (RepositoryTokenList, 'GET', {'repository': 'public/publicrepo'}, None, 'freshuser', 403),
-  (RepositoryTokenList, 'GET', {'repository': 'public/publicrepo'}, None, 'reader', 403),
-  (RepositoryTokenList, 'POST', {'repository': 'public/publicrepo'}, {u'friendlyName': 'R1CN'}, None, 401),
-  (RepositoryTokenList, 'POST', {'repository': 'public/publicrepo'}, {u'friendlyName': 'R1CN'}, 'devtable', 403),
-  (RepositoryTokenList, 'POST', {'repository': 'public/publicrepo'}, {u'friendlyName': 'R1CN'}, 'freshuser', 403),
-  (RepositoryTokenList, 'POST', {'repository': 'public/publicrepo'}, {u'friendlyName': 'R1CN'}, 'reader', 403),
-  (RepositoryTokenList, 'GET', {'repository': 'devtable/shared'}, None, None, 401),
-  (RepositoryTokenList, 'GET', {'repository': 'devtable/shared'}, None, 'devtable', 410),
-  (RepositoryTokenList, 'GET', {'repository': 'devtable/shared'}, None, 'freshuser', 403),
-  (RepositoryTokenList, 'GET', {'repository': 'devtable/shared'}, None, 'reader', 403),
-  (RepositoryTokenList, 'POST', {'repository': 'devtable/shared'}, {u'friendlyName': 'R1CN'}, None, 401),
-  (RepositoryTokenList, 'POST', {'repository': 'devtable/shared'}, {u'friendlyName': 'R1CN'}, 'devtable', 410),
-  (RepositoryTokenList, 'POST', {'repository': 'devtable/shared'}, {u'friendlyName': 'R1CN'}, 'freshuser', 403),
-  (RepositoryTokenList, 'POST', {'repository': 'devtable/shared'}, {u'friendlyName': 'R1CN'}, 'reader', 403),
-  (RepositoryTokenList, 'GET', {'repository': 'buynlarge/orgrepo'}, None, None, 401),
-  (RepositoryTokenList, 'GET', {'repository': 'buynlarge/orgrepo'}, None, 'devtable', 410),
-  (RepositoryTokenList, 'GET', {'repository': 'buynlarge/orgrepo'}, None, 'freshuser', 403),
-  (RepositoryTokenList, 'GET', {'repository': 'buynlarge/orgrepo'}, None, 'reader', 403),
-  (RepositoryTokenList, 'POST', {'repository': 'buynlarge/orgrepo'}, {u'friendlyName': 'R1CN'}, None, 401),
-  (RepositoryTokenList, 'POST', {'repository': 'buynlarge/orgrepo'}, {u'friendlyName': 'R1CN'}, 'devtable', 410),
-  (RepositoryTokenList, 'POST', {'repository': 'buynlarge/orgrepo'}, {u'friendlyName': 'R1CN'}, 'freshuser', 403),
-  (RepositoryTokenList, 'POST', {'repository': 'buynlarge/orgrepo'}, {u'friendlyName': 'R1CN'}, 'reader', 403),
-
-  (RepositoryBuildList, 'GET', {'repository': 'public/publicrepo'}, None, None, 200),
-  (RepositoryBuildList, 'GET', {'repository': 'public/publicrepo'}, None, 'devtable', 200),
-  (RepositoryBuildList, 'GET', {'repository': 'public/publicrepo'}, None, 'freshuser', 200),
-  (RepositoryBuildList, 'GET', {'repository': 'public/publicrepo'}, None, 'reader', 200),
-  (RepositoryBuildList, 'POST', {'repository': 'public/publicrepo'}, {u'file_id': 'UX7K'}, None, 401),
-  (RepositoryBuildList, 'POST', {'repository': 'public/publicrepo'}, {u'file_id': 'UX7K'}, 'devtable', 403),
-  (RepositoryBuildList, 'POST', {'repository': 'public/publicrepo'}, {u'file_id': 'UX7K'}, 'freshuser', 403),
-  (RepositoryBuildList, 'POST', {'repository': 'public/publicrepo'}, {u'file_id': 'UX7K'}, 'reader', 403),
-  (RepositoryBuildList, 'GET', {'repository': 'devtable/shared'}, None, None, 401),
-  (RepositoryBuildList, 'GET', {'repository': 'devtable/shared'}, None, 'devtable', 200),
-  (RepositoryBuildList, 'GET', {'repository': 'devtable/shared'}, None, 'freshuser', 403),
-  (RepositoryBuildList, 'GET', {'repository': 'devtable/shared'}, None, 'reader', 200),
-  (RepositoryBuildList, 'POST', {'repository': 'devtable/shared'}, {u'file_id': 'UX7K'}, None, 401),
-  (RepositoryBuildList, 'POST', {'repository': 'devtable/shared'}, {u'file_id': 'UX7K'}, 'devtable', 201),
-  (RepositoryBuildList, 'POST', {'repository': 'devtable/shared'}, {u'file_id': 'UX7K'}, 'freshuser', 403),
-  (RepositoryBuildList, 'POST', {'repository': 'devtable/shared'}, {u'file_id': 'UX7K'}, 'reader', 403),
-  (RepositoryBuildList, 'GET', {'repository': 'buynlarge/orgrepo'}, None, None, 401),
-  (RepositoryBuildList, 'GET', {'repository': 'buynlarge/orgrepo'}, None, 'devtable', 200),
-  (RepositoryBuildList, 'GET', {'repository': 'buynlarge/orgrepo'}, None, 'freshuser', 403),
-  (RepositoryBuildList, 'GET', {'repository': 'buynlarge/orgrepo'}, None, 'reader', 200),
-  (RepositoryBuildList, 'POST', {'repository': 'buynlarge/orgrepo'}, {u'file_id': 'UX7K'}, None, 401),
-  (RepositoryBuildList, 'POST', {'repository': 'buynlarge/orgrepo'}, {u'file_id': 'UX7K'}, 'devtable', 201),
-  (RepositoryBuildList, 'POST', {'repository': 'buynlarge/orgrepo'}, {u'file_id': 'UX7K'}, 'freshuser', 403),
-  (RepositoryBuildList, 'POST', {'repository': 'buynlarge/orgrepo'}, {u'file_id': 'UX7K'}, 'reader', 403),
-
-  (RepositoryImageList, 'GET', {'repository': 'public/publicrepo'}, None, None, 200),
-  (RepositoryImageList, 'GET', {'repository': 'public/publicrepo'}, None, 'devtable', 200),
-  (RepositoryImageList, 'GET', {'repository': 'public/publicrepo'}, None, 'freshuser', 200),
-  (RepositoryImageList, 'GET', {'repository': 'public/publicrepo'}, None, 'reader', 200),
-  (RepositoryImageList, 'GET', {'repository': 'devtable/shared'}, None, None, 401),
-  (RepositoryImageList, 'GET', {'repository': 'devtable/shared'}, None, 'devtable', 200),
-  (RepositoryImageList, 'GET', {'repository': 'devtable/shared'}, None, 'freshuser', 403),
-  (RepositoryImageList, 'GET', {'repository': 'devtable/shared'}, None, 'reader', 200),
-  (RepositoryImageList, 'GET', {'repository': 'buynlarge/orgrepo'}, None, None, 401),
-  (RepositoryImageList, 'GET', {'repository': 'buynlarge/orgrepo'}, None, 'devtable', 200),
-  (RepositoryImageList, 'GET', {'repository': 'buynlarge/orgrepo'}, None, 'freshuser', 403),
-  (RepositoryImageList, 'GET', {'repository': 'buynlarge/orgrepo'}, None, 'reader', 200),
-
-  (RepositoryLogs, 'GET', {'repository': 'public/publicrepo'}, None, None, 401),
-  (RepositoryLogs, 'GET', {'repository': 'public/publicrepo'}, None, 'devtable', 403),
-  (RepositoryLogs, 'GET', {'repository': 'public/publicrepo'}, None, 'freshuser', 403),
-  (RepositoryLogs, 'GET', {'repository': 'public/publicrepo'}, None, 'reader', 403),
-  (RepositoryLogs, 'GET', {'repository': 'devtable/shared'}, None, None, 401),
-  (RepositoryLogs, 'GET', {'repository': 'devtable/shared'}, None, 'devtable', 200),
-  (RepositoryLogs, 'GET', {'repository': 'devtable/shared'}, None, 'freshuser', 403),
-  (RepositoryLogs, 'GET', {'repository': 'devtable/shared'}, None, 'reader', 403),
-  (RepositoryLogs, 'GET', {'repository': 'buynlarge/orgrepo'}, None, None, 401),
-  (RepositoryLogs, 'GET', {'repository': 'buynlarge/orgrepo'}, None, 'devtable', 200),
-  (RepositoryLogs, 'GET', {'repository': 'buynlarge/orgrepo'}, None, 'freshuser', 403),
-  (RepositoryLogs, 'GET', {'repository': 'buynlarge/orgrepo'}, None, 'reader', 403),
-
-  (UserRobot, 'DELETE', {'robot_shortname': 'robotname'}, None, None, 401),
-  (UserRobot, 'DELETE', {'robot_shortname': 'robotname'}, None, 'devtable', 400),
-  (UserRobot, 'DELETE', {'robot_shortname': 'robotname'}, None, 'freshuser', 400),
-  (UserRobot, 'DELETE', {'robot_shortname': 'robotname'}, None, 'reader', 400),
-  (UserRobot, 'GET', {'robot_shortname': 'robotname'}, None, None, 401),
-  (UserRobot, 'GET', {'robot_shortname': 'robotname'}, None, 'devtable', 400),
-  (UserRobot, 'GET', {'robot_shortname': 'robotname'}, None, 'freshuser', 400),
-  (UserRobot, 'GET', {'robot_shortname': 'robotname'}, None, 'reader', 400),
-  (UserRobot, 'PUT', {'robot_shortname': 'robotname'}, {}, None, 401),
-  (UserRobot, 'PUT', {'robot_shortname': 'robotname'}, {}, 'devtable', 201),
-  (UserRobot, 'PUT', {'robot_shortname': 'robotname'}, {}, 'freshuser', 201),
-  (UserRobot, 'PUT', {'robot_shortname': 'robotname'}, {}, 'reader', 201),
-
-  (RegenerateUserRobot, 'POST', {'robot_shortname': 'robotname'}, None, None, 401),
-  (RegenerateUserRobot, 'POST', {'robot_shortname': 'robotname'}, None, 'devtable', 400),
-  (RegenerateUserRobot, 'POST', {'robot_shortname': 'robotname'}, None, 'freshuser', 400),
-  (RegenerateUserRobot, 'POST', {'robot_shortname': 'robotname'}, None, 'reader', 400),
-
-  (RegenerateOrgRobot, 'POST', {'orgname': 'buynlarge', 'robot_shortname': 'robotname'}, None, None, 401),
-  (RegenerateOrgRobot, 'POST', {'orgname': 'buynlarge', 'robot_shortname': 'robotname'}, None, 'devtable', 400),
-  (RegenerateOrgRobot, 'POST', {'orgname': 'buynlarge', 'robot_shortname': 'robotname'}, None, 'freshuser', 403),
-  (RegenerateOrgRobot, 'POST', {'orgname': 'buynlarge', 'robot_shortname': 'robotname'}, None, 'reader', 403),
-
-  (UserRobotPermissions, 'GET', {'robot_shortname': 'robotname'}, None, None, 401),
-  (UserRobotPermissions, 'GET', {'robot_shortname': 'robotname'}, None, 'devtable', 400),
-  (UserRobotPermissions, 'GET', {'robot_shortname': 'robotname'}, None, 'freshuser', 400),
-  (UserRobotPermissions, 'GET', {'robot_shortname': 'robotname'}, None, 'reader', 400),
-
-  (OrgRobotPermissions, 'GET', {'orgname': 'buynlarge', 'robot_shortname': 'robotname'}, None, None, 401),
-  (OrgRobotPermissions, 'GET', {'orgname': 'buynlarge', 'robot_shortname': 'robotname'}, None, 'devtable', 400),
-  (OrgRobotPermissions, 'GET', {'orgname': 'buynlarge', 'robot_shortname': 'robotname'}, None, 'freshuser', 403),
-  (OrgRobotPermissions, 'GET', {'orgname': 'buynlarge', 'robot_shortname': 'robotname'}, None, 'reader', 403),
-
-  (Organization, 'DELETE', {'orgname': 'buynlarge'}, {}, None, 401),
-  (Organization, 'DELETE', {'orgname': 'buynlarge'}, {}, 'devtable', 204),
-  (Organization, 'DELETE', {'orgname': 'buynlarge'}, {}, 'freshuser', 403),
-  (Organization, 'DELETE', {'orgname': 'buynlarge'}, {}, 'reader', 403),
-  (Organization, 'GET', {'orgname': 'buynlarge'}, None, None, 200),
-  (Organization, 'GET', {'orgname': 'buynlarge'}, None, 'devtable', 200),
-  (Organization, 'GET', {'orgname': 'buynlarge'}, None, 'freshuser', 200),
-  (Organization, 'GET', {'orgname': 'buynlarge'}, None, 'reader', 200),
-  (Organization, 'PUT', {'orgname': 'buynlarge'}, {}, None, 401),
-  (Organization, 'PUT', {'orgname': 'buynlarge'}, {}, 'devtable', 200),
-  (Organization, 'PUT', {'orgname': 'buynlarge'}, {}, 'freshuser', 403),
-  (Organization, 'PUT', {'orgname': 'buynlarge'}, {}, 'reader', 403),
-
-  (Repository, 'DELETE', {'repository': 'public/publicrepo'}, None, None, 401),
-  (Repository, 'DELETE', {'repository': 'public/publicrepo'}, None, 'devtable', 403),
-  (Repository, 'DELETE', {'repository': 'public/publicrepo'}, None, 'freshuser', 403),
-  (Repository, 'DELETE', {'repository': 'public/publicrepo'}, None, 'reader', 403),
-  (Repository, 'GET', {'repository': 'public/publicrepo'}, None, None, 200),
-  (Repository, 'GET', {'repository': 'public/publicrepo'}, None, 'devtable', 200),
-  (Repository, 'GET', {'repository': 'public/publicrepo'}, None, 'freshuser', 200),
-  (Repository, 'GET', {'repository': 'public/publicrepo'}, None, 'reader', 200),
-  (Repository, 'PUT', {'repository': 'public/publicrepo'}, {u'description': 'WXNG'}, None, 401),
-  (Repository, 'PUT', {'repository': 'public/publicrepo'}, {u'description': 'WXNG'}, 'devtable', 403),
-  (Repository, 'PUT', {'repository': 'public/publicrepo'}, {u'description': 'WXNG'}, 'freshuser', 403),
-  (Repository, 'PUT', {'repository': 'public/publicrepo'}, {u'description': 'WXNG'}, 'reader', 403),
-  (Repository, 'DELETE', {'repository': 'devtable/shared'}, None, None, 401),
-  (Repository, 'DELETE', {'repository': 'devtable/shared'}, None, 'devtable', 204),
-  (Repository, 'DELETE', {'repository': 'devtable/shared'}, None, 'freshuser', 403),
-  (Repository, 'DELETE', {'repository': 'devtable/shared'}, None, 'reader', 403),
-  (Repository, 'GET', {'repository': 'devtable/shared'}, None, None, 401),
-  (Repository, 'GET', {'repository': 'devtable/shared'}, None, 'devtable', 200),
-  (Repository, 'GET', {'repository': 'devtable/shared'}, None, 'freshuser', 403),
-  (Repository, 'GET', {'repository': 'devtable/shared'}, None, 'reader', 200),
-  (Repository, 'PUT', {'repository': 'devtable/shared'}, {u'description': 'WXNG'}, None, 401),
-  (Repository, 'PUT', {'repository': 'devtable/shared'}, {u'description': 'WXNG'}, 'devtable', 200),
-  (Repository, 'PUT', {'repository': 'devtable/shared'}, {u'description': 'WXNG'}, 'freshuser', 403),
-  (Repository, 'PUT', {'repository': 'devtable/shared'}, {u'description': 'WXNG'}, 'reader', 403),
-  (Repository, 'DELETE', {'repository': 'buynlarge/orgrepo'}, None, None, 401),
-  (Repository, 'DELETE', {'repository': 'buynlarge/orgrepo'}, None, 'devtable', 204),
-  (Repository, 'DELETE', {'repository': 'buynlarge/orgrepo'}, None, 'freshuser', 403),
-  (Repository, 'DELETE', {'repository': 'buynlarge/orgrepo'}, None, 'reader', 403),
-  (Repository, 'GET', {'repository': 'buynlarge/orgrepo'}, None, None, 401),
-  (Repository, 'GET', {'repository': 'buynlarge/orgrepo'}, None, 'devtable', 200),
-  (Repository, 'GET', {'repository': 'buynlarge/orgrepo'}, None, 'freshuser', 403),
-  (Repository, 'GET', {'repository': 'buynlarge/orgrepo'}, None, 'reader', 200),
-  (Repository, 'PUT', {'repository': 'buynlarge/orgrepo'}, {u'description': 'WXNG'}, None, 401),
-  (Repository, 'PUT', {'repository': 'buynlarge/orgrepo'}, {u'description': 'WXNG'}, 'devtable', 200),
-  (Repository, 'PUT', {'repository': 'buynlarge/orgrepo'}, {u'description': 'WXNG'}, 'freshuser', 403),
-  (Repository, 'PUT', {'repository': 'buynlarge/orgrepo'}, {u'description': 'WXNG'}, 'reader', 403),
-
-  (EntitySearch, 'GET', {'prefix': 'R9NZ'}, None, None, 200),
-  (EntitySearch, 'GET', {'prefix': 'R9NZ'}, None, 'devtable', 200),
-  (EntitySearch, 'GET', {'prefix': 'R9NZ'}, None, 'freshuser', 200),
-  (EntitySearch, 'GET', {'prefix': 'R9NZ'}, None, 'reader', 200),
-
-  (ApplicationInformation, 'GET', {'client_id': '3LGI'}, None, None, 404),
-  (ApplicationInformation, 'GET', {'client_id': '3LGI'}, None, 'devtable', 404),
-  (ApplicationInformation, 'GET', {'client_id': '3LGI'}, None, 'freshuser', 404),
-  (ApplicationInformation, 'GET', {'client_id': '3LGI'}, None, 'reader', 404),
-
-  (OrganizationApplications, 'GET', {'orgname': 'buynlarge'}, None, None, 401),
-  (OrganizationApplications, 'GET', {'orgname': 'buynlarge'}, None, 'devtable', 200),
-  (OrganizationApplications, 'GET', {'orgname': 'buynlarge'}, None, 'freshuser', 403),
-  (OrganizationApplications, 'GET', {'orgname': 'buynlarge'}, None, 'reader', 403),
-  (OrganizationApplications, 'POST', {'orgname': 'buynlarge'}, {u'name': 'foo'}, None, 401),
-  (OrganizationApplications, 'POST', {'orgname': 'buynlarge'}, {u'name': 'foo'}, 'devtable', 200),
-  (OrganizationApplications, 'POST', {'orgname': 'buynlarge'}, {u'name': 'foo'}, 'freshuser', 403),
-  (OrganizationApplications, 'POST', {'orgname': 'buynlarge'}, {u'name': 'foo'}, 'reader', 403),
-
-  (OrganizationApplicationResource, 'DELETE', {'orgname': 'buynlarge', 'client_id': 'deadbeef'}, None, None, 401),
-  (OrganizationApplicationResource, 'DELETE', {'orgname': 'buynlarge', 'client_id': 'deadbeef'}, None, 'devtable', 204),
-  (OrganizationApplicationResource, 'DELETE', {'orgname': 'buynlarge', 'client_id': 'deadbeef'}, None, 'freshuser', 403),
-  (OrganizationApplicationResource, 'DELETE', {'orgname': 'buynlarge', 'client_id': 'deadbeef'}, None, 'reader', 403),
-  (OrganizationApplicationResource, 'GET', {'orgname': 'buynlarge', 'client_id': 'deadbeef'}, None, None, 401),
-  (OrganizationApplicationResource, 'GET', {'orgname': 'buynlarge', 'client_id': 'deadbeef'}, None, 'devtable', 200),
-  (OrganizationApplicationResource, 'GET', {'orgname': 'buynlarge', 'client_id': 'deadbeef'}, None, 'freshuser', 403),
-  (OrganizationApplicationResource, 'GET', {'orgname': 'buynlarge', 'client_id': 'deadbeef'}, None, 'reader', 403),
-  (OrganizationApplicationResource, 'PUT', {'orgname': 'buynlarge', 'client_id': 'deadbeef'}, {u'redirect_uri': 'foo', u'name': 'foo', u'application_uri': 'foo'}, None, 401),
-  (OrganizationApplicationResource, 'PUT', {'orgname': 'buynlarge', 'client_id': 'deadbeef'}, {u'redirect_uri': 'foo', u'name': 'foo', u'application_uri': 'foo'}, 'devtable', 200),
-  (OrganizationApplicationResource, 'PUT', {'orgname': 'buynlarge', 'client_id': 'deadbeef'}, {u'redirect_uri': 'foo', u'name': 'foo', u'application_uri': 'foo'}, 'freshuser', 403),
-  (OrganizationApplicationResource, 'PUT', {'orgname': 'buynlarge', 'client_id': 'deadbeef'}, {u'redirect_uri': 'foo', u'name': 'foo', u'application_uri': 'foo'}, 'reader', 403),
-
-  (OrganizationApplicationResetClientSecret, 'POST', {'orgname': 'buynlarge', 'client_id': 'deadbeef'}, None, None, 401),
-  (OrganizationApplicationResetClientSecret, 'POST', {'orgname': 'buynlarge', 'client_id': 'deadbeef'}, None, 'devtable', 200),
-  (OrganizationApplicationResetClientSecret, 'POST', {'orgname': 'buynlarge', 'client_id': 'deadbeef'}, None, 'freshuser', 403),
-  (OrganizationApplicationResetClientSecret, 'POST', {'orgname': 'buynlarge', 'client_id': 'deadbeef'}, None, 'reader', 403),
-
-  (Users, 'GET', {'username': 'devtable'}, None, None, 200),
-
-  (UserNotificationList, 'GET', None, None, None, 401),
-  (UserNotificationList, 'GET', None, None, 'devtable', 200),
-  (UserNotificationList, 'GET', None, None, 'freshuser', 200),
-  (UserNotificationList, 'GET', None, None, 'reader', 200),
-
-  (UserAuthorizationList, 'GET', None, None, None, 401),
-  (UserAuthorizationList, 'GET', None, None, 'devtable', 200),
-  (UserAuthorizationList, 'GET', None, None, 'freshuser', 200),
-  (UserAuthorizationList, 'GET', None, None, 'reader', 200),
-
-  (UserAuthorization, 'DELETE', {'access_token_uuid': 'fake'}, None, None, 401),
-  (UserAuthorization, 'DELETE', {'access_token_uuid': 'fake'}, None, 'devtable', 404),
-  (UserAuthorization, 'DELETE', {'access_token_uuid': 'fake'}, None, 'freshuser', 404),
-  (UserAuthorization, 'DELETE', {'access_token_uuid': 'fake'}, None, 'reader', 404),
-  (UserAuthorization, 'GET', {'access_token_uuid': 'fake'}, None, None, 401),
-  (UserAuthorization, 'GET', {'access_token_uuid': 'fake'}, None, 'devtable', 404),
-  (UserAuthorization, 'GET', {'access_token_uuid': 'fake'}, None, 'freshuser', 404),
-  (UserAuthorization, 'GET', {'access_token_uuid': 'fake'}, None, 'reader', 404),
-
-  (UserAggregateLogs, 'GET', None, None, None, 401),
-  (UserAggregateLogs, 'GET', None, None, 'devtable', 200),
-  (UserAggregateLogs, 'GET', None, None, 'freshuser', 200),
-  (UserAggregateLogs, 'GET', None, None, 'reader', 200),
-
-  (OrgAggregateLogs, 'GET', {'orgname': 'buynlarge'}, None, None, 401),
-  (OrgAggregateLogs, 'GET', {'orgname': 'buynlarge'}, None, 'devtable', 200),
-  (OrgAggregateLogs, 'GET', {'orgname': 'buynlarge'}, None, 'freshuser', 403),
-  (OrgAggregateLogs, 'GET', {'orgname': 'buynlarge'}, None, 'reader', 403),
-
-  (RepositoryAggregateLogs, 'GET', {'repository': 'devtable/simple'}, None, None, 401),
-  (RepositoryAggregateLogs, 'GET', {'repository': 'devtable/simple'}, None, 'devtable', 200),
-  (RepositoryAggregateLogs, 'GET', {'repository': 'devtable/simple'}, None, 'freshuser', 403),
-  (RepositoryAggregateLogs, 'GET', {'repository': 'devtable/simple'}, None, 'reader', 403),
-
-  (ExportUserLogs, 'POST', None, EXPORTLOGS_PARAMS, None, 401),
-  (ExportUserLogs, 'POST', None, EXPORTLOGS_PARAMS, 'devtable', 200),
-  (ExportUserLogs, 'POST', None, EXPORTLOGS_PARAMS, 'freshuser', 200),
-  (ExportUserLogs, 'POST', None, EXPORTLOGS_PARAMS, 'reader', 200),
-
-  (ExportOrgLogs, 'POST', {'orgname': 'buynlarge'}, EXPORTLOGS_PARAMS, None, 401),
-  (ExportOrgLogs, 'POST', {'orgname': 'buynlarge'}, EXPORTLOGS_PARAMS, 'devtable', 200),
-  (ExportOrgLogs, 'POST', {'orgname': 'buynlarge'}, EXPORTLOGS_PARAMS, 'freshuser', 403),
-  (ExportOrgLogs, 'POST', {'orgname': 'buynlarge'}, EXPORTLOGS_PARAMS, 'reader', 403),
-
-  (ExportRepositoryLogs, 'POST', {'repository': 'devtable/simple'}, EXPORTLOGS_PARAMS, None, 401),
-  (ExportRepositoryLogs, 'POST', {'repository': 'devtable/simple'}, EXPORTLOGS_PARAMS, 'devtable', 200),
-  (ExportRepositoryLogs, 'POST', {'repository': 'devtable/simple'}, EXPORTLOGS_PARAMS, 'freshuser', 403),
-  (ExportRepositoryLogs, 'POST', {'repository': 'devtable/simple'}, EXPORTLOGS_PARAMS, 'reader', 403),
-
-  (SuperUserAggregateLogs, 'GET', None, None, None, 401),
-  (SuperUserAggregateLogs, 'GET', None, None, 'devtable', 200),
-  (SuperUserAggregateLogs, 'GET', None, None, 'freshuser', 403),
-  (SuperUserAggregateLogs, 'GET', None, None, 'reader', 403),
-
-  (SuperUserLogs, 'GET', None, None, None, 401),
-  (SuperUserLogs, 'GET', None, None, 'devtable', 200),
-  (SuperUserLogs, 'GET', None, None, 'freshuser', 403),
-  (SuperUserLogs, 'GET', None, None, 'reader', 403),
-
-  (SuperUserSendRecoveryEmail, 'POST', {'username': 'someuser'}, None, None, 401),
-  (SuperUserSendRecoveryEmail, 'POST', {'username': 'someuser'}, None, 'devtable', 404),
-  (SuperUserSendRecoveryEmail, 'POST', {'username': 'someuser'}, None, 'freshuser', 403),
-  (SuperUserSendRecoveryEmail, 'POST', {'username': 'someuser'}, None, 'reader', 403),
-
-  (SuperUserTakeOwnership, 'POST', {'namespace': 'invalidnamespace'}, {}, None, 401),
-  (SuperUserTakeOwnership, 'POST', {'namespace': 'invalidnamespace'}, {}, 'devtable', 404),
-  (SuperUserTakeOwnership, 'POST', {'namespace': 'invalidnamespace'}, {}, 'freshuser', 403),
-  (SuperUserTakeOwnership, 'POST', {'namespace': 'invalidnamespace'}, {}, 'reader', 403),
-
-  (SuperUserServiceKeyApproval, 'POST', {'kid': 1234}, {}, None, 401),
-  (SuperUserServiceKeyApproval, 'POST', {'kid': 1234}, {}, 'devtable', 404),
-  (SuperUserServiceKeyApproval, 'POST', {'kid': 1234}, {}, 'freshuser', 403),
-  (SuperUserServiceKeyApproval, 'POST', {'kid': 1234}, {}, 'reader', 403),
-
-  (SuperUserServiceKeyManagement, 'GET', None, None, None, 401),
-  (SuperUserServiceKeyManagement, 'GET', None, None, 'devtable', 200),
-  (SuperUserServiceKeyManagement, 'GET', None, None, 'freshuser', 403),
-  (SuperUserServiceKeyManagement, 'GET', None, None, 'reader', 403),
-  (SuperUserServiceKeyManagement, 'POST', None, {'expiration': None, 'service': 'someservice'}, None, 401),
-  (SuperUserServiceKeyManagement, 'POST', None, {'expiration': None, 'service': 'someservice'}, 'devtable', 200),
-  (SuperUserServiceKeyManagement, 'POST', None, {'expiration': None, 'service': 'someservice'}, 'freshuser', 403),
-  (SuperUserServiceKeyManagement, 'POST', None, {'expiration': None, 'service': 'someservice'}, 'reader', 403),
-
-  (SuperUserServiceKey, 'DELETE', {'kid': 1234}, None, None, 401),
-  (SuperUserServiceKey, 'DELETE', {'kid': 1234}, None, 'devtable', 404),
-  (SuperUserServiceKey, 'DELETE', {'kid': 1234}, None, 'freshuser', 403),
-  (SuperUserServiceKey, 'DELETE', {'kid': 1234}, None, 'reader', 403),
-  (SuperUserServiceKey, 'GET', {'kid': 1234}, None, None, 401),
-  (SuperUserServiceKey, 'GET', {'kid': 1234}, None, 'devtable', 404),
-  (SuperUserServiceKey, 'GET', {'kid': 1234}, None, 'freshuser', 403),
-  (SuperUserServiceKey, 'GET', {'kid': 1234}, None, 'reader', 403),
-  (SuperUserServiceKey, 'PUT', {'kid': 1234}, {}, None, 401),
-  (SuperUserServiceKey, 'PUT', {'kid': 1234}, {}, 'devtable', 404),
-  (SuperUserServiceKey, 'PUT', {'kid': 1234}, {}, 'freshuser', 403),
-  (SuperUserServiceKey, 'PUT', {'kid': 1234}, {}, 'reader', 403),
-
-  (TeamMemberInvite, 'DELETE', {'code': 'foobarbaz'}, None, None, 401),
-  (TeamMemberInvite, 'DELETE', {'code': 'foobarbaz'}, None, 'devtable', 400),
-  (TeamMemberInvite, 'DELETE', {'code': 'foobarbaz'}, None, 'freshuser', 400),
-  (TeamMemberInvite, 'DELETE', {'code': 'foobarbaz'}, None, 'reader', 400),
-  (TeamMemberInvite, 'PUT', {'code': 'foobarbaz'}, None, None, 401),
-  (TeamMemberInvite, 'PUT', {'code': 'foobarbaz'}, None, 'devtable', 400),
-  (TeamMemberInvite, 'PUT', {'code': 'foobarbaz'}, None, 'freshuser', 400),
-  (TeamMemberInvite, 'PUT', {'code': 'foobarbaz'}, None, 'reader', 400),
-
-  (ConductSearch, 'GET', None, None, None, 200),
-  (ConductSearch, 'GET', None, None, 'devtable', 200),
-
-  (ChangeLog, 'GET', None, None, None, 401),
-  (ChangeLog, 'GET', None, None, 'devtable', 200),
-  (ChangeLog, 'GET', None, None, 'freshuser', 403),
-  (ChangeLog, 'GET', None, None, 'reader', 403),
-
-  (SuperUserOrganizationList, 'GET', None, None, None, 401),
-  (SuperUserOrganizationList, 'GET', None, None, 'devtable', 200),
-  (SuperUserOrganizationList, 'GET', None, None, 'freshuser', 403),
-  (SuperUserOrganizationList, 'GET', None, None, 'reader', 403),
-
-  (SuperUserOrganizationManagement, 'DELETE', {'name': 'buynlarge'}, None, None, 401),
-  (SuperUserOrganizationManagement, 'DELETE', {'name': 'buynlarge'}, None, 'devtable', 204),
-  (SuperUserOrganizationManagement, 'DELETE', {'name': 'buynlarge'}, None, 'freshuser', 403),
-  (SuperUserOrganizationManagement, 'DELETE', {'name': 'buynlarge'}, None, 'reader', 403),
-  (SuperUserOrganizationManagement, 'PUT', {'name': 'buynlarge'}, {}, None, 401),
-  (SuperUserOrganizationManagement, 'PUT', {'name': 'buynlarge'}, {}, 'devtable', 200),
-  (SuperUserOrganizationManagement, 'PUT', {'name': 'buynlarge'}, {}, 'freshuser', 403),
-  (SuperUserOrganizationManagement, 'PUT', {'name': 'buynlarge'}, {}, 'reader', 403),
-
-  (SuperUserList, 'GET', None, None, None, 401),
-  (SuperUserList, 'GET', None, None, 'devtable', 200),
-  (SuperUserList, 'GET', None, None, 'freshuser', 403),
-  (SuperUserList, 'GET', None, None, 'reader', 403),
-
-  (SuperUserList, 'POST', None, {'username': 'foo'}, None, 401),
-  (SuperUserList, 'POST', None, {'username': 'foo'}, 'devtable', 400),
-  (SuperUserList, 'POST', None, {'username': 'foo'}, 'freshuser', 403),
-  (SuperUserList, 'POST', None, {'username': 'foo'}, 'reader', 403),
-
-  (SuperUserManagement, 'DELETE', {'username': 'freshuser'}, None, None, 401),
-  (SuperUserManagement, 'DELETE', {'username': 'freshuser'}, None, 'devtable', 204),
-  (SuperUserManagement, 'DELETE', {'username': 'freshuser'}, None, 'freshuser', 403),
-  (SuperUserManagement, 'DELETE', {'username': 'freshuser'}, None, 'reader', 403),
-  (SuperUserManagement, 'GET', {'username': 'freshuser'}, None, None, 401),
-  (SuperUserManagement, 'GET', {'username': 'freshuser'}, None, 'devtable', 200),
-  (SuperUserManagement, 'GET', {'username': 'freshuser'}, None, 'freshuser', 403),
-  (SuperUserManagement, 'GET', {'username': 'freshuser'}, None, 'reader', 403),
-  (SuperUserManagement, 'PUT', {'username': 'freshuser'}, {}, None, 401),
-  (SuperUserManagement, 'PUT', {'username': 'freshuser'}, {}, 'devtable', 200),
-  (SuperUserManagement, 'PUT', {'username': 'freshuser'}, {}, 'freshuser', 403),
-  (SuperUserManagement, 'PUT', {'username': 'freshuser'}, {}, 'reader', 403),
-
-  (GlobalUserMessages, 'GET', None, None, None, 200),
-
-  (GlobalUserMessages, 'POST', None, None, None, 401),
-  (GlobalUserMessages, 'POST', None, {'message': {'content': 'msg', 'media_type': 'text/plain', 'severity': 'info'}}, 'devtable', 201),
-  (GlobalUserMessages, 'POST', None, {'message': {'content': 'msg', 'media_type': 'text/plain', 'severity': 'info'}}, 'freshuser', 403),
-  (GlobalUserMessages, 'POST', None, {'message': {'content': 'msg', 'media_type': 'text/plain', 'severity': 'info'}}, 'reader', 403),
-
-  (GlobalUserMessage, 'DELETE', {'uuid': '1234'}, None, None, 401),
-  (GlobalUserMessage, 'DELETE', {'uuid': '1234'}, None, 'devtable', 204),
-  (GlobalUserMessage, 'DELETE', {'uuid': '1234'}, None, 'freshuser', 403),
-  (GlobalUserMessage, 'DELETE', {'uuid': '1234'}, None, 'reader', 403),
-
-  (UserInvoiceFieldList, 'GET', None, None, None, 401),
-  (UserInvoiceFieldList, 'GET', None, None, 'devtable', 200),
-  (UserInvoiceFieldList, 'GET', None, None, 'freshuser', 404),
-  (UserInvoiceFieldList, 'GET', None, None, 'reader', 404),
-  (UserInvoiceFieldList, 'POST', None, None, None, 401),
-  (UserInvoiceFieldList, 'POST', None, {'value': 'bar', 'title': 'foo'}, 'devtable', 200),
-  (UserInvoiceFieldList, 'POST', None, {'value': 'bar', 'title': 'foo'}, 'freshuser', 404),
-  (UserInvoiceFieldList, 'POST', None, {'value': 'bar', 'title': 'foo'}, 'reader', 404),
-
-  (UserInvoiceField, 'DELETE', {'field_uuid': '1234'}, None, None, 401),
-  (UserInvoiceField, 'DELETE', {'field_uuid': '1234'}, None, 'devtable', 201),
-  (UserInvoiceField, 'DELETE', {'field_uuid': '1234'}, None, 'freshuser', 404),
-  (UserInvoiceField, 'DELETE', {'field_uuid': '1234'}, None, 'reader', 404),
-
-  (OrganizationInvoiceFieldList, 'GET', {'orgname': 'buynlarge'}, None, None, 403),
-  (OrganizationInvoiceFieldList, 'GET', {'orgname': 'buynlarge'}, None, 'devtable', 200),
-  (OrganizationInvoiceFieldList, 'GET', {'orgname': 'buynlarge'}, None, 'freshuser', 403),
-  (OrganizationInvoiceFieldList, 'GET', {'orgname': 'buynlarge'}, None, 'reader', 403),
-  (OrganizationInvoiceFieldList, 'POST', {'orgname': 'buynlarge'}, {'value': 'bar', 'title': 'foo'}, None, 403),
-  (OrganizationInvoiceFieldList, 'POST', {'orgname': 'buynlarge'}, {'value': 'bar', 'title': 'foo'}, 'devtable', 200),
-  (OrganizationInvoiceFieldList, 'POST', {'orgname': 'buynlarge'}, {'value': 'bar', 'title': 'foo'}, 'freshuser', 403),
-  (OrganizationInvoiceFieldList, 'POST', {'orgname': 'buynlarge'}, {'value': 'bar', 'title': 'foo'}, 'reader', 403),
-
-  (OrganizationInvoiceField, 'DELETE', {'orgname': 'buynlarge', 'field_uuid': '1234'}, None, None, 403),
-  (OrganizationInvoiceField, 'DELETE', {'orgname': 'buynlarge', 'field_uuid': '1234'}, None, 'devtable', 201),
-  (OrganizationInvoiceField, 'DELETE', {'orgname': 'buynlarge', 'field_uuid': '1234'}, None, 'freshuser', 403),
-  (OrganizationInvoiceField, 'DELETE', {'orgname': 'buynlarge', 'field_uuid': '1234'}, None, 'reader', 403),
-
-  (RepositoryImageSecurity, 'GET', {'repository': 'devtable/simple', 'imageid': 'fake'}, None, None, 401),
-  (RepositoryImageSecurity, 'GET', {'repository': 'devtable/simple', 'imageid': 'fake'}, None, 'devtable', 404),
-  (RepositoryImageSecurity, 'GET', {'repository': 'devtable/simple', 'imageid': 'fake'}, None, 'freshuser', 403),
-  (RepositoryImageSecurity, 'GET', {'repository': 'devtable/simple', 'imageid': 'fake'}, None, 'reader', 403),
-
-  (RepositoryManifestSecurity, 'GET', {'manifestref': 'sha256:abcd', 'repository': 'devtable/simple'}, None, None, 401),
-  (RepositoryManifestSecurity, 'GET', {'manifestref': 'sha256:abcd', 'repository': 'devtable/simple'}, None, 'devtable', 404),
-  (RepositoryManifestSecurity, 'GET', {'manifestref': 'sha256:abcd', 'repository': 'devtable/simple'}, None, 'freshuser', 403),
-  (RepositoryManifestSecurity, 'GET', {'manifestref': 'sha256:abcd', 'repository': 'devtable/simple'}, None, 'reader', 403),
-
-  (RepositoryManifestLabels, 'GET', {'manifestref': 'sha256:abcd', 'repository': 'devtable/simple'}, None, None, 401),
-  (RepositoryManifestLabels, 'GET', {'manifestref': 'sha256:abcd', 'repository': 'devtable/simple'}, None, 'devtable', 404),
-  (RepositoryManifestLabels, 'GET', {'manifestref': 'sha256:abcd', 'repository': 'devtable/simple'}, None, 'freshuser', 403),
-  (RepositoryManifestLabels, 'GET', {'manifestref': 'sha256:abcd', 'repository': 'devtable/simple'}, None, 'reader', 403),
-  (RepositoryManifestLabels, 'POST', {'manifestref': 'sha256:abcd', 'repository': 'devtable/simple'}, {'media_type': 'text/plain', 'value': 'bar', 'key': 'foo'}, None, 401),
-  (RepositoryManifestLabels, 'POST', {'manifestref': 'sha256:abcd', 'repository': 'devtable/simple'}, {'media_type': 'text/plain', 'value': 'bar', 'key': 'foo'}, 'devtable', 404),
-  (RepositoryManifestLabels, 'POST', {'manifestref': 'sha256:abcd', 'repository': 'devtable/simple'}, {'media_type': 'text/plain', 'value': 'bar', 'key': 'foo'}, 'freshuser', 403),
-  (RepositoryManifestLabels, 'POST', {'manifestref': 'sha256:abcd', 'repository': 'devtable/simple'}, {'media_type': 'text/plain', 'value': 'bar', 'key': 'foo'}, 'reader', 403),
-
-  (ManageRepositoryManifestLabel, 'GET', {'labelid': 'someid', 'manifestref': 'sha256:abcd', 'repository': 'devtable/simple'}, None, None, 401),
-  (ManageRepositoryManifestLabel, 'GET', {'labelid': 'someid', 'manifestref': 'sha256:abcd', 'repository': 'devtable/simple'}, None, 'devtable', 404),
-  (ManageRepositoryManifestLabel, 'GET', {'labelid': 'someid', 'manifestref': 'sha256:abcd', 'repository': 'devtable/simple'}, None, 'freshuser', 403),
-  (ManageRepositoryManifestLabel, 'GET', {'labelid': 'someid', 'manifestref': 'sha256:abcd', 'repository': 'devtable/simple'}, None, 'reader', 403),
-
-  (ManageRepositoryManifestLabel, 'DELETE', {'labelid': 'someid', 'manifestref': 'sha256:abcd', 'repository': 'devtable/simple'}, None, None, 401),
-  (ManageRepositoryManifestLabel, 'DELETE', {'labelid': 'someid', 'manifestref': 'sha256:abcd', 'repository': 'devtable/simple'}, None, 'devtable', 404),
-  (ManageRepositoryManifestLabel, 'DELETE', {'labelid': 'someid', 'manifestref': 'sha256:abcd', 'repository': 'devtable/simple'}, None, 'freshuser', 403),
-  (ManageRepositoryManifestLabel, 'DELETE', {'labelid': 'someid', 'manifestref': 'sha256:abcd', 'repository': 'devtable/simple'}, None, 'reader', 403),
-
-  (InviteTeamMember, 'PUT', {'orgname': 'buynlarge', 'teamname': 'owners', 'email': 'a@example.com'}, None, None, 401),
-  (InviteTeamMember, 'PUT', {'orgname': 'buynlarge', 'teamname': 'owners', 'email': 'a@example.com'}, None, 'devtable', 200),
-  (InviteTeamMember, 'PUT', {'orgname': 'buynlarge', 'teamname': 'owners', 'email': 'a@example.com'}, None, 'freshuser', 403),
-  (InviteTeamMember, 'PUT', {'orgname': 'buynlarge', 'teamname': 'owners', 'email': 'a@example.com'}, None, 'reader', 403),
-
-  (InviteTeamMember, 'DELETE', {'orgname': 'buynlarge', 'teamname': 'owners', 'email': 'a@example.com'}, None, None, 401),
-  (InviteTeamMember, 'DELETE', {'orgname': 'buynlarge', 'teamname': 'owners', 'email': 'a@example.com'}, None, 'devtable', 404),
-  (InviteTeamMember, 'DELETE', {'orgname': 'buynlarge', 'teamname': 'owners', 'email': 'a@example.com'}, None, 'freshuser', 403),
-  (InviteTeamMember, 'DELETE', {'orgname': 'buynlarge', 'teamname': 'owners', 'email': 'a@example.com'}, None, 'reader', 403),
-
-  (TestRepositoryNotification, 'POST', {'repository': 'buynlarge/orgrepo', 'uuid': 'foo'}, None, None, 401),
-  (TestRepositoryNotification, 'POST', {'repository': 'buynlarge/orgrepo', 'uuid': 'foo'}, None, 'devtable', 400),
-  (TestRepositoryNotification, 'POST', {'repository': 'buynlarge/orgrepo', 'uuid': 'foo'}, None, 'freshuser', 403),
-  (TestRepositoryNotification, 'POST', {'repository': 'buynlarge/orgrepo', 'uuid': 'foo'}, None, 'reader', 403),
-
-  (LinkExternalEntity, 'POST', {'username': 'foo'}, None, None, 404),
-
-  (BuildTriggerSourceNamespaces, 'GET', {'repository': 'devtable/simple', 'trigger_uuid': 'foo'}, None, None, 401),
-  (BuildTriggerSourceNamespaces, 'GET', {'repository': 'devtable/simple', 'trigger_uuid': 'foo'}, None, 'devtable', 404),
-  (BuildTriggerSourceNamespaces, 'GET', {'repository': 'devtable/simple', 'trigger_uuid': 'foo'}, None, 'freshuser', 403),
-  (BuildTriggerSourceNamespaces, 'GET', {'repository': 'devtable/simple', 'trigger_uuid': 'foo'}, None, 'reader', 403),
-
-  (RepoMirrorResource, 'GET', {'repository': 'devtable/simple'}, None, None, 401),
-  (RepoMirrorResource, 'GET', {'repository': 'devtable/simple'}, None, 'devtable', 404),
-  (RepoMirrorResource, 'GET', {'repository': 'devtable/simple'}, None, 'freshuser', 403),
-  (RepoMirrorResource, 'GET', {'repository': 'devtable/simple'}, None, 'reader', 403),
-
-  (RepoMirrorResource, 'POST', {'repository': 'devtable/simple'}, None, None, 401),
-  (RepoMirrorResource, 'POST', {'repository': 'devtable/simple'}, None, 'devtable', 400),
-  (RepoMirrorResource, 'POST', {'repository': 'devtable/simple'}, None, 'freshuser', 403),
-  (RepoMirrorResource, 'POST', {'repository': 'devtable/simple'}, None, 'reader', 403),
-
-  (RepoMirrorResource, 'PUT', {'repository': 'devtable/simple'}, None, None, 401),
-  (RepoMirrorResource, 'PUT', {'repository': 'devtable/simple'}, None, 'devtable', 400),
-  (RepoMirrorResource, 'PUT', {'repository': 'devtable/simple'}, None, 'freshuser', 403),
-  (RepoMirrorResource, 'PUT', {'repository': 'devtable/simple'}, None, 'reader', 403),
-
-  (RepoMirrorSyncNowResource, 'POST', {'repository': 'devtable/simple'}, None, None, 401),
-  (RepoMirrorSyncNowResource, 'POST', {'repository': 'devtable/simple'}, None, 'devtable', 404),
-  (RepoMirrorSyncNowResource, 'POST', {'repository': 'devtable/simple'}, None, 'freshuser', 403),
-  (RepoMirrorSyncNowResource, 'POST', {'repository': 'devtable/simple'}, None, 'reader', 403),
-
-  (RepoMirrorSyncCancelResource, 'POST', {'repository': 'devtable/simple'}, None, None, 401),
-  (RepoMirrorSyncCancelResource, 'POST', {'repository': 'devtable/simple'}, None, 'devtable', 404),
-  (RepoMirrorSyncCancelResource, 'POST', {'repository': 'devtable/simple'}, None, 'freshuser', 403),
-  (RepoMirrorSyncCancelResource, 'POST', {'repository': 'devtable/simple'}, None, 'reader', 403),
-
-  (RepositoryStateResource, 'PUT', {'repository': 'devtable/simple'}, None, None, 401),
-  (RepositoryStateResource, 'PUT', {'repository': 'devtable/simple'}, None, 'devtable', 400),
-  (RepositoryStateResource, 'PUT', {'repository': 'devtable/simple'}, None, 'freshuser', 403),
-  (RepositoryStateResource, 'PUT', {'repository': 'devtable/simple'}, None, 'reader', 403),
-
-  (ManageRepoMirrorRule, 'PUT', {'repository': 'devtable/simple'}, None, None, 401),
-  (ManageRepoMirrorRule, 'PUT', {'repository': 'devtable/simple'}, None, 'devtable', 400),
-  (ManageRepoMirrorRule, 'PUT', {'repository': 'devtable/simple'}, None, 'freshuser', 403),
-  (ManageRepoMirrorRule, 'PUT', {'repository': 'devtable/simple'}, None, 'reader', 403),
+    (AppTokens, "GET", {}, {}, None, 401),
+    (AppTokens, "GET", {}, {}, "freshuser", 200),
+    (AppTokens, "GET", {}, {}, "reader", 200),
+    (AppTokens, "GET", {}, {}, "devtable", 200),
+    (AppTokens, "POST", {}, {}, None, 401),
+    (AppTokens, "POST", {}, {}, "freshuser", 400),
+    (AppTokens, "POST", {}, {}, "reader", 400),
+    (AppTokens, "POST", {}, {}, "devtable", 400),
+    (AppToken, "GET", TOKEN_PARAMS, {}, None, 401),
+    (AppToken, "GET", TOKEN_PARAMS, {}, "freshuser", 404),
+    (AppToken, "GET", TOKEN_PARAMS, {}, "reader", 404),
+    (AppToken, "GET", TOKEN_PARAMS, {}, "devtable", 404),
+    (AppToken, "DELETE", TOKEN_PARAMS, {}, None, 401),
+    (AppToken, "DELETE", TOKEN_PARAMS, {}, "freshuser", 404),
+    (AppToken, "DELETE", TOKEN_PARAMS, {}, "reader", 404),
+    (AppToken, "DELETE", TOKEN_PARAMS, {}, "devtable", 404),
+    (RepositoryManifest, "GET", MANIFEST_PARAMS, {}, None, 401),
+    (RepositoryManifest, "GET", MANIFEST_PARAMS, {}, "freshuser", 403),
+    (RepositoryManifest, "GET", MANIFEST_PARAMS, {}, "reader", 403),
+    (RepositoryManifest, "GET", MANIFEST_PARAMS, {}, "devtable", 404),
+    (OrganizationCollaboratorList, "GET", ORG_PARAMS, None, None, 401),
+    (OrganizationCollaboratorList, "GET", ORG_PARAMS, None, "freshuser", 403),
+    (OrganizationCollaboratorList, "GET", ORG_PARAMS, None, "reader", 403),
+    (OrganizationCollaboratorList, "GET", ORG_PARAMS, None, "devtable", 200),
+    (OrganizationTeamSyncing, "POST", TEAM_PARAMS, {}, None, 401),
+    (OrganizationTeamSyncing, "POST", TEAM_PARAMS, {}, "freshuser", 403),
+    (OrganizationTeamSyncing, "POST", TEAM_PARAMS, {}, "reader", 403),
+    (OrganizationTeamSyncing, "POST", TEAM_PARAMS, {}, "devtable", 400),
+    (OrganizationTeamSyncing, "DELETE", TEAM_PARAMS, {}, None, 401),
+    (OrganizationTeamSyncing, "DELETE", TEAM_PARAMS, {}, "freshuser", 403),
+    (OrganizationTeamSyncing, "DELETE", TEAM_PARAMS, {}, "reader", 403),
+    (OrganizationTeamSyncing, "DELETE", TEAM_PARAMS, {}, "devtable", 200),
+    (ConductRepositorySearch, "GET", SEARCH_PARAMS, None, None, 200),
+    (ConductRepositorySearch, "GET", SEARCH_PARAMS, None, "freshuser", 200),
+    (ConductRepositorySearch, "GET", SEARCH_PARAMS, None, "reader", 200),
+    (ConductRepositorySearch, "GET", SEARCH_PARAMS, None, "devtable", 200),
+    (SuperUserRepositoryBuildLogs, "GET", BUILD_PARAMS, None, None, 401),
+    (SuperUserRepositoryBuildLogs, "GET", BUILD_PARAMS, None, "freshuser", 403),
+    (SuperUserRepositoryBuildLogs, "GET", BUILD_PARAMS, None, "reader", 403),
+    (SuperUserRepositoryBuildLogs, "GET", BUILD_PARAMS, None, "devtable", 400),
+    (SuperUserRepositoryBuildStatus, "GET", BUILD_PARAMS, None, None, 401),
+    (SuperUserRepositoryBuildStatus, "GET", BUILD_PARAMS, None, "freshuser", 403),
+    (SuperUserRepositoryBuildStatus, "GET", BUILD_PARAMS, None, "reader", 403),
+    (SuperUserRepositoryBuildStatus, "GET", BUILD_PARAMS, None, "devtable", 400),
+    (SuperUserRepositoryBuildResource, "GET", BUILD_PARAMS, None, None, 401),
+    (SuperUserRepositoryBuildResource, "GET", BUILD_PARAMS, None, "freshuser", 403),
+    (SuperUserRepositoryBuildResource, "GET", BUILD_PARAMS, None, "reader", 403),
+    (SuperUserRepositoryBuildResource, "GET", BUILD_PARAMS, None, "devtable", 404),
+    (RepositorySignatures, "GET", REPO_PARAMS, {}, "freshuser", 403),
+    (RepositorySignatures, "GET", REPO_PARAMS, {}, "reader", 403),
+    (RepositorySignatures, "GET", REPO_PARAMS, {}, "devtable", 404),
+    (RepositoryNotification, "POST", NOTIFICATION_PARAMS, {}, None, 401),
+    (RepositoryNotification, "POST", NOTIFICATION_PARAMS, {}, "freshuser", 403),
+    (RepositoryNotification, "POST", NOTIFICATION_PARAMS, {}, "reader", 403),
+    (RepositoryNotification, "POST", NOTIFICATION_PARAMS, {}, "devtable", 400),
+    (RepositoryTrust, "POST", REPO_PARAMS, {"trust_enabled": True}, None, 401),
+    (RepositoryTrust, "POST", REPO_PARAMS, {"trust_enabled": True}, "freshuser", 403),
+    (RepositoryTrust, "POST", REPO_PARAMS, {"trust_enabled": True}, "reader", 403),
+    (RepositoryTrust, "POST", REPO_PARAMS, {"trust_enabled": True}, "devtable", 404),
+    (BuildTrigger, "GET", TRIGGER_PARAMS, {}, None, 401),
+    (BuildTrigger, "GET", TRIGGER_PARAMS, {}, "freshuser", 403),
+    (BuildTrigger, "GET", TRIGGER_PARAMS, {}, "reader", 403),
+    (BuildTrigger, "GET", TRIGGER_PARAMS, {}, "devtable", 404),
+    (BuildTrigger, "DELETE", TRIGGER_PARAMS, {}, None, 401),
+    (BuildTrigger, "DELETE", TRIGGER_PARAMS, {}, "freshuser", 403),
+    (BuildTrigger, "DELETE", TRIGGER_PARAMS, {}, "reader", 403),
+    (BuildTrigger, "DELETE", TRIGGER_PARAMS, {}, "devtable", 404),
+    (BuildTrigger, "PUT", TRIGGER_PARAMS, {}, None, 401),
+    (BuildTrigger, "PUT", TRIGGER_PARAMS, {}, "freshuser", 403),
+    (BuildTrigger, "PUT", TRIGGER_PARAMS, {}, "reader", 403),
+    (BuildTrigger, "PUT", TRIGGER_PARAMS, {}, "devtable", 400),
+    (
+        RepositoryUserTransitivePermission,
+        "GET",
+        {"username": "A2O9", "repository": "public/publicrepo"},
+        None,
+        None,
+        401,
+    ),
+    (
+        RepositoryUserTransitivePermission,
+        "GET",
+        {"username": "A2O9", "repository": "public/publicrepo"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryUserTransitivePermission,
+        "GET",
+        {"username": "A2O9", "repository": "public/publicrepo"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        RepositoryUserTransitivePermission,
+        "GET",
+        {"username": "A2O9", "repository": "public/publicrepo"},
+        None,
+        "devtable",
+        403,
+    ),
+    (
+        RepositoryUserTransitivePermission,
+        "GET",
+        {"username": "A2O9", "repository": "devtable/shared"},
+        None,
+        None,
+        401,
+    ),
+    (
+        RepositoryUserTransitivePermission,
+        "GET",
+        {"username": "A2O9", "repository": "devtable/shared"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryUserTransitivePermission,
+        "GET",
+        {"username": "A2O9", "repository": "devtable/shared"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        RepositoryUserTransitivePermission,
+        "GET",
+        {"username": "A2O9", "repository": "devtable/shared"},
+        None,
+        "devtable",
+        404,
+    ),
+    (
+        RepositoryUserTransitivePermission,
+        "GET",
+        {"username": "A2O9", "repository": "buynlarge/orgrepo"},
+        None,
+        None,
+        401,
+    ),
+    (
+        RepositoryUserTransitivePermission,
+        "GET",
+        {"username": "A2O9", "repository": "buynlarge/orgrepo"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryUserTransitivePermission,
+        "GET",
+        {"username": "A2O9", "repository": "buynlarge/orgrepo"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        RepositoryUserTransitivePermission,
+        "GET",
+        {"username": "A2O9", "repository": "buynlarge/orgrepo"},
+        None,
+        "devtable",
+        404,
+    ),
+    (
+        RepositoryUserTransitivePermission,
+        "GET",
+        {"username": "devtable", "repository": "devtable/shared"},
+        None,
+        "devtable",
+        200,
+    ),
+    (
+        RepositoryUserTransitivePermission,
+        "GET",
+        {"username": "devtable", "repository": "devtable/nope"},
+        None,
+        "devtable",
+        404,
+    ),
+    (StarredRepositoryList, "GET", None, None, None, 401),
+    (StarredRepositoryList, "GET", None, None, "devtable", 200),
+    (StarredRepositoryList, "GET", None, None, "freshuser", 200),
+    (StarredRepositoryList, "GET", None, None, "reader", 200),
+    (
+        StarredRepositoryList,
+        "POST",
+        None,
+        {u"namespace": "public", u"repository": "publicrepo"},
+        None,
+        401,
+    ),
+    (
+        StarredRepositoryList,
+        "POST",
+        None,
+        {u"namespace": "public", u"repository": "publicrepo"},
+        "devtable",
+        201,
+    ),
+    (
+        StarredRepositoryList,
+        "POST",
+        None,
+        {u"namespace": "public", u"repository": "publicrepo"},
+        "freshuser",
+        201,
+    ),
+    (
+        StarredRepositoryList,
+        "POST",
+        None,
+        {u"namespace": "public", u"repository": "publicrepo"},
+        "reader",
+        201,
+    ),
+    (StarredRepository, "DELETE", {"repository": "public/publicrepo"}, None, None, 401),
+    (
+        StarredRepository,
+        "DELETE",
+        {"repository": "public/publicrepo"},
+        None,
+        "devtable",
+        204,
+    ),
+    (
+        StarredRepository,
+        "DELETE",
+        {"repository": "public/publicrepo"},
+        None,
+        "freshuser",
+        204,
+    ),
+    (
+        StarredRepository,
+        "DELETE",
+        {"repository": "public/publicrepo"},
+        None,
+        "reader",
+        204,
+    ),
+    (UserNotification, "GET", {"uuid": "someuuid"}, None, None, 401),
+    (UserNotification, "GET", {"uuid": "someuuid"}, None, "devtable", 404),
+    (UserNotification, "GET", {"uuid": "someuuid"}, None, "freshuser", 404),
+    (UserNotification, "GET", {"uuid": "someuuid"}, None, "reader", 404),
+    (UserNotification, "PUT", {"uuid": "someuuid"}, {}, None, 401),
+    (UserNotification, "PUT", {"uuid": "someuuid"}, {}, "devtable", 404),
+    (UserNotification, "PUT", {"uuid": "someuuid"}, {}, "freshuser", 404),
+    (UserNotification, "PUT", {"uuid": "someuuid"}, {}, "reader", 404),
+    (UserInvoiceList, "GET", None, None, None, 401),
+    (UserInvoiceList, "GET", None, None, "devtable", 200),
+    (UserInvoiceList, "GET", None, None, "freshuser", 404),
+    (UserInvoiceList, "GET", None, None, "reader", 404),
+    (PrivateRepositories, "GET", None, None, None, 401),
+    (PrivateRepositories, "GET", None, None, "devtable", 200),
+    (PrivateRepositories, "GET", None, None, "freshuser", 200),
+    (PrivateRepositories, "GET", None, None, "reader", 200),
+    (
+        ConvertToOrganization,
+        "POST",
+        None,
+        {u"adminPassword": "IQTM", u"plan": "1RB4", u"adminUser": "44E8"},
+        None,
+        401,
+    ),
+    (
+        ConvertToOrganization,
+        "POST",
+        None,
+        {u"adminPassword": "IQTM", u"plan": "1RB4", u"adminUser": "44E8"},
+        "devtable",
+        400,
+    ),
+    (
+        ConvertToOrganization,
+        "POST",
+        None,
+        {u"adminPassword": "IQTM", u"plan": "1RB4", u"adminUser": "44E8"},
+        "freshuser",
+        400,
+    ),
+    (
+        ConvertToOrganization,
+        "POST",
+        None,
+        {u"adminPassword": "IQTM", u"plan": "1RB4", u"adminUser": "44E8"},
+        "reader",
+        400,
+    ),
+    (UserRobotList, "GET", None, None, None, 401),
+    (UserRobotList, "GET", None, None, "devtable", 200),
+    (UserRobotList, "GET", None, None, "freshuser", 200),
+    (UserRobotList, "GET", None, None, "reader", 200),
+    (UserCard, "GET", None, None, None, 401),
+    (UserCard, "GET", None, None, "devtable", 200),
+    (UserCard, "GET", None, None, "freshuser", 200),
+    (UserCard, "GET", None, None, "reader", 200),
+    (UserCard, "POST", None, {u"token": "ORH4"}, None, 401),
+    (UserPlan, "GET", None, None, None, 401),
+    (UserPlan, "GET", None, None, "devtable", 200),
+    (UserPlan, "GET", None, None, "freshuser", 200),
+    (UserPlan, "GET", None, None, "reader", 200),
+    (UserPlan, "PUT", None, {u"plan": "1QIK"}, None, 401),
+    (UserLogs, "GET", None, None, None, 401),
+    (UserLogs, "GET", None, None, "devtable", 200),
+    (UserLogs, "GET", None, None, "freshuser", 200),
+    (UserLogs, "GET", None, None, "reader", 200),
+    (OrganizationList, "POST", None, {u"name": "KSIS", u"email": "DHVZ"}, None, 401),
+    (
+        OrganizationList,
+        "POST",
+        None,
+        {u"name": "KSIS", u"email": "DHVZ"},
+        "devtable",
+        400,
+    ),
+    (
+        OrganizationList,
+        "POST",
+        None,
+        {u"name": "KSIS", u"email": "DHVZ"},
+        "freshuser",
+        400,
+    ),
+    (
+        OrganizationList,
+        "POST",
+        None,
+        {u"name": "KSIS", u"email": "DHVZ"},
+        "reader",
+        400,
+    ),
+    (Repository, "GET", {"repository": "public/publicrepo"}, None, None, 200),
+    (Repository, "GET", {"repository": "public/publicrepo"}, None, "devtable", 200),
+    (Repository, "GET", {"repository": "public/publicrepo"}, None, "freshuser", 200),
+    (Repository, "GET", {"repository": "public/publicrepo"}, None, "reader", 200),
+    (RepositoryList, "GET", None, None, None, 400),
+    (RepositoryList, "GET", None, None, "devtable", 400),
+    (RepositoryList, "GET", None, None, "freshuser", 400),
+    (RepositoryList, "GET", None, None, "reader", 400),
+    (
+        RepositoryList,
+        "POST",
+        None,
+        {u"repository": "XZGB", u"visibility": u"public", u"description": "0O8U"},
+        None,
+        400,
+    ),
+    (
+        RepositoryList,
+        "POST",
+        None,
+        {u"repository": "XZGB", u"visibility": u"public", u"description": "0O8U"},
+        "devtable",
+        201,
+    ),
+    (
+        RepositoryList,
+        "POST",
+        None,
+        {u"repository": "XZGB", u"visibility": u"public", u"description": "0O8U"},
+        "freshuser",
+        201,
+    ),
+    (
+        RepositoryList,
+        "POST",
+        None,
+        {u"repository": "XZGB", u"visibility": u"public", u"description": "0O8U"},
+        "reader",
+        201,
+    ),
+    (DiscoveryResource, "GET", None, None, None, 200),
+    (DiscoveryResource, "GET", None, None, "devtable", 200),
+    (DiscoveryResource, "GET", None, None, "freshuser", 200),
+    (DiscoveryResource, "GET", None, None, "reader", 200),
+    (FileDropResource, "POST", None, {u"mimeType": "TKBX"}, None, 200),
+    (FileDropResource, "POST", None, {u"mimeType": "TKBX"}, "devtable", 200),
+    (FileDropResource, "POST", None, {u"mimeType": "TKBX"}, "freshuser", 200),
+    (FileDropResource, "POST", None, {u"mimeType": "TKBX"}, "reader", 200),
+    (Recovery, "POST", None, {u"email": "826S"}, None, 200),
+    (Recovery, "POST", None, {u"email": "826S"}, "devtable", 200),
+    (Recovery, "POST", None, {u"email": "826S"}, "freshuser", 200),
+    (Recovery, "POST", None, {u"email": "826S"}, "reader", 200),
+    (Signout, "POST", None, None, None, 200),
+    (Signout, "POST", None, None, "devtable", 200),
+    (Signout, "POST", None, None, "freshuser", 200),
+    (Signout, "POST", None, None, "reader", 200),
+    (Signin, "POST", None, {u"username": "E9RY", u"password": "LQ0N"}, None, 403),
+    (Signin, "POST", None, {u"username": "E9RY", u"password": "LQ0N"}, "devtable", 403),
+    (
+        Signin,
+        "POST",
+        None,
+        {u"username": "E9RY", u"password": "LQ0N"},
+        "freshuser",
+        403,
+    ),
+    (Signin, "POST", None, {u"username": "E9RY", u"password": "LQ0N"}, "reader", 403),
+    (ExternalLoginInformation, "POST", {"service_id": "someservice"}, {}, None, 400),
+    (
+        ExternalLoginInformation,
+        "POST",
+        {"service_id": "someservice"},
+        {},
+        "devtable",
+        400,
+    ),
+    (
+        ExternalLoginInformation,
+        "POST",
+        {"service_id": "someservice"},
+        {},
+        "freshuser",
+        400,
+    ),
+    (
+        ExternalLoginInformation,
+        "POST",
+        {"service_id": "someservice"},
+        {},
+        "reader",
+        400,
+    ),
+    (DetachExternal, "POST", {"service_id": "someservice"}, {}, None, 401),
+    (DetachExternal, "POST", {"service_id": "someservice"}, {}, "devtable", 200),
+    (DetachExternal, "POST", {"service_id": "someservice"}, {}, "freshuser", 200),
+    (DetachExternal, "POST", {"service_id": "someservice"}, {}, "reader", 200),
+    (VerifyUser, "POST", None, {u"password": "LQ0N"}, None, 401),
+    (VerifyUser, "POST", None, {u"password": "password"}, "devtable", 200),
+    (VerifyUser, "POST", None, {u"password": "LQ0N"}, "freshuser", 403),
+    (VerifyUser, "POST", None, {u"password": "LQ0N"}, "reader", 403),
+    (ClientKey, "POST", None, {u"password": "LQ0N"}, None, 401),
+    (ClientKey, "POST", None, {u"password": "password"}, "devtable", 200),
+    (ClientKey, "POST", None, {u"password": "LQ0N"}, "freshuser", 400),
+    (ClientKey, "POST", None, {u"password": "password"}, "reader", 200),
+    (ListPlans, "GET", None, None, None, 200),
+    (ListPlans, "GET", None, None, "devtable", 200),
+    (ListPlans, "GET", None, None, "freshuser", 200),
+    (ListPlans, "GET", None, None, "reader", 200),
+    (User, "GET", None, None, None, 401),
+    (User, "GET", None, None, "devtable", 200),
+    (User, "GET", None, None, "freshuser", 200),
+    (User, "GET", None, None, "reader", 200),
+    (
+        User,
+        "POST",
+        None,
+        {u"username": "T946", u"password": "0SG4", u"email": "MENT"},
+        None,
+        400,
+    ),
+    (
+        User,
+        "POST",
+        None,
+        {u"username": "T946", u"password": "0SG4", u"email": "MENT"},
+        "devtable",
+        400,
+    ),
+    (
+        User,
+        "POST",
+        None,
+        {u"username": "T946", u"password": "0SG4", u"email": "MENT"},
+        "freshuser",
+        400,
+    ),
+    (
+        User,
+        "POST",
+        None,
+        {u"username": "T946", u"password": "0SG4", u"email": "MENT"},
+        "reader",
+        400,
+    ),
+    (User, "PUT", None, {}, None, 401),
+    (User, "PUT", None, {}, "devtable", 200),
+    (User, "PUT", None, {}, "freshuser", 200),
+    (User, "PUT", None, {}, "reader", 200),
+    (User, "DELETE", None, {}, None, 401),
+    (User, "DELETE", None, {}, "devtable", 400),
+    (User, "DELETE", None, {}, "freshuser", 204),
+    (User, "DELETE", None, {}, "reader", 204),
+    (
+        TeamMember,
+        "DELETE",
+        {"orgname": "buynlarge", "membername": "devtable", "teamname": "readers"},
+        None,
+        None,
+        401,
+    ),
+    (
+        TeamMember,
+        "DELETE",
+        {"orgname": "buynlarge", "membername": "devtable", "teamname": "readers"},
+        None,
+        "devtable",
+        400,
+    ),
+    (
+        TeamMember,
+        "DELETE",
+        {"orgname": "buynlarge", "membername": "devtable", "teamname": "readers"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        TeamMember,
+        "DELETE",
+        {"orgname": "buynlarge", "membername": "devtable", "teamname": "readers"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        TeamMember,
+        "PUT",
+        {"orgname": "buynlarge", "membername": "devtable", "teamname": "readers"},
+        None,
+        None,
+        401,
+    ),
+    (
+        TeamMember,
+        "PUT",
+        {"orgname": "buynlarge", "membername": "devtable", "teamname": "readers"},
+        None,
+        "devtable",
+        200,
+    ),
+    (
+        TeamMember,
+        "PUT",
+        {"orgname": "buynlarge", "membername": "devtable", "teamname": "readers"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        TeamMember,
+        "PUT",
+        {"orgname": "buynlarge", "membername": "devtable", "teamname": "readers"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        TeamMember,
+        "DELETE",
+        {"orgname": "buynlarge", "membername": "devtable", "teamname": "owners"},
+        None,
+        None,
+        401,
+    ),
+    (
+        TeamMember,
+        "DELETE",
+        {"orgname": "buynlarge", "membername": "devtable", "teamname": "owners"},
+        None,
+        "devtable",
+        400,
+    ),
+    (
+        TeamMember,
+        "DELETE",
+        {"orgname": "buynlarge", "membername": "devtable", "teamname": "owners"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        TeamMember,
+        "DELETE",
+        {"orgname": "buynlarge", "membername": "devtable", "teamname": "owners"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        TeamMember,
+        "PUT",
+        {"orgname": "buynlarge", "membername": "devtable", "teamname": "owners"},
+        None,
+        None,
+        401,
+    ),
+    (
+        TeamMember,
+        "PUT",
+        {"orgname": "buynlarge", "membername": "devtable", "teamname": "owners"},
+        None,
+        "devtable",
+        400,
+    ),
+    (
+        TeamMember,
+        "PUT",
+        {"orgname": "buynlarge", "membername": "devtable", "teamname": "owners"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        TeamMember,
+        "PUT",
+        {"orgname": "buynlarge", "membername": "devtable", "teamname": "owners"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        TeamPermissions,
+        "GET",
+        {"orgname": "buynlarge", "teamname": "readers"},
+        None,
+        None,
+        401,
+    ),
+    (
+        TeamPermissions,
+        "GET",
+        {"orgname": "buynlarge", "teamname": "readers"},
+        None,
+        "devtable",
+        200,
+    ),
+    (
+        TeamPermissions,
+        "GET",
+        {"orgname": "buynlarge", "teamname": "readers"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        TeamPermissions,
+        "GET",
+        {"orgname": "buynlarge", "teamname": "readers"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        TeamMemberList,
+        "GET",
+        {"orgname": "buynlarge", "teamname": "readers"},
+        None,
+        None,
+        401,
+    ),
+    (
+        TeamMemberList,
+        "GET",
+        {"orgname": "buynlarge", "teamname": "readers"},
+        None,
+        "devtable",
+        200,
+    ),
+    (
+        TeamMemberList,
+        "GET",
+        {"orgname": "buynlarge", "teamname": "readers"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        TeamMemberList,
+        "GET",
+        {"orgname": "buynlarge", "teamname": "readers"},
+        None,
+        "reader",
+        200,
+    ),
+    (
+        TeamMemberList,
+        "GET",
+        {"orgname": "buynlarge", "teamname": "owners"},
+        None,
+        None,
+        401,
+    ),
+    (
+        TeamMemberList,
+        "GET",
+        {"orgname": "buynlarge", "teamname": "owners"},
+        None,
+        "devtable",
+        200,
+    ),
+    (
+        TeamMemberList,
+        "GET",
+        {"orgname": "buynlarge", "teamname": "owners"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        TeamMemberList,
+        "GET",
+        {"orgname": "buynlarge", "teamname": "owners"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        RepositoryUserPermission,
+        "DELETE",
+        {"username": "A2O9", "repository": "public/publicrepo"},
+        None,
+        None,
+        401,
+    ),
+    (
+        RepositoryUserPermission,
+        "DELETE",
+        {"username": "A2O9", "repository": "public/publicrepo"},
+        None,
+        "devtable",
+        403,
+    ),
+    (
+        RepositoryUserPermission,
+        "DELETE",
+        {"username": "A2O9", "repository": "public/publicrepo"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryUserPermission,
+        "DELETE",
+        {"username": "A2O9", "repository": "public/publicrepo"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        RepositoryUserPermission,
+        "GET",
+        {"username": "A2O9", "repository": "public/publicrepo"},
+        None,
+        None,
+        401,
+    ),
+    (
+        RepositoryUserPermission,
+        "GET",
+        {"username": "A2O9", "repository": "public/publicrepo"},
+        None,
+        "devtable",
+        403,
+    ),
+    (
+        RepositoryUserPermission,
+        "GET",
+        {"username": "A2O9", "repository": "public/publicrepo"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryUserPermission,
+        "GET",
+        {"username": "A2O9", "repository": "public/publicrepo"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        RepositoryUserPermission,
+        "PUT",
+        {"username": "A2O9", "repository": "public/publicrepo"},
+        {u"role": u"read"},
+        None,
+        401,
+    ),
+    (
+        RepositoryUserPermission,
+        "PUT",
+        {"username": "A2O9", "repository": "public/publicrepo"},
+        {u"role": u"read"},
+        "devtable",
+        403,
+    ),
+    (
+        RepositoryUserPermission,
+        "PUT",
+        {"username": "A2O9", "repository": "public/publicrepo"},
+        {u"role": u"read"},
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryUserPermission,
+        "PUT",
+        {"username": "A2O9", "repository": "public/publicrepo"},
+        {u"role": u"read"},
+        "reader",
+        403,
+    ),
+    (
+        RepositoryUserPermission,
+        "DELETE",
+        {"username": "A2O9", "repository": "devtable/shared"},
+        None,
+        None,
+        401,
+    ),
+    (
+        RepositoryUserPermission,
+        "DELETE",
+        {"username": "A2O9", "repository": "devtable/shared"},
+        None,
+        "devtable",
+        400,
+    ),
+    (
+        RepositoryUserPermission,
+        "DELETE",
+        {"username": "A2O9", "repository": "devtable/shared"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryUserPermission,
+        "DELETE",
+        {"username": "A2O9", "repository": "devtable/shared"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        RepositoryUserPermission,
+        "GET",
+        {"username": "A2O9", "repository": "devtable/shared"},
+        None,
+        None,
+        401,
+    ),
+    (
+        RepositoryUserPermission,
+        "GET",
+        {"username": "A2O9", "repository": "devtable/shared"},
+        None,
+        "devtable",
+        400,
+    ),
+    (
+        RepositoryUserPermission,
+        "GET",
+        {"username": "A2O9", "repository": "devtable/shared"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryUserPermission,
+        "GET",
+        {"username": "A2O9", "repository": "devtable/shared"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        RepositoryUserPermission,
+        "PUT",
+        {"username": "A2O9", "repository": "devtable/shared"},
+        {u"role": u"read"},
+        None,
+        401,
+    ),
+    (
+        RepositoryUserPermission,
+        "PUT",
+        {"username": "A2O9", "repository": "devtable/shared"},
+        {u"role": u"read"},
+        "devtable",
+        400,
+    ),
+    (
+        RepositoryUserPermission,
+        "PUT",
+        {"username": "A2O9", "repository": "devtable/shared"},
+        {u"role": u"read"},
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryUserPermission,
+        "PUT",
+        {"username": "A2O9", "repository": "devtable/shared"},
+        {u"role": u"read"},
+        "reader",
+        403,
+    ),
+    (
+        RepositoryUserPermission,
+        "DELETE",
+        {"username": "A2O9", "repository": "buynlarge/orgrepo"},
+        None,
+        None,
+        401,
+    ),
+    (
+        RepositoryUserPermission,
+        "DELETE",
+        {"username": "A2O9", "repository": "buynlarge/orgrepo"},
+        None,
+        "devtable",
+        400,
+    ),
+    (
+        RepositoryUserPermission,
+        "DELETE",
+        {"username": "A2O9", "repository": "buynlarge/orgrepo"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryUserPermission,
+        "DELETE",
+        {"username": "A2O9", "repository": "buynlarge/orgrepo"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        RepositoryUserPermission,
+        "GET",
+        {"username": "A2O9", "repository": "buynlarge/orgrepo"},
+        None,
+        None,
+        401,
+    ),
+    (
+        RepositoryUserPermission,
+        "GET",
+        {"username": "A2O9", "repository": "buynlarge/orgrepo"},
+        None,
+        "devtable",
+        400,
+    ),
+    (
+        RepositoryUserPermission,
+        "GET",
+        {"username": "A2O9", "repository": "buynlarge/orgrepo"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryUserPermission,
+        "GET",
+        {"username": "A2O9", "repository": "buynlarge/orgrepo"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        RepositoryUserPermission,
+        "PUT",
+        {"username": "A2O9", "repository": "buynlarge/orgrepo"},
+        {u"role": u"read"},
+        None,
+        401,
+    ),
+    (
+        RepositoryUserPermission,
+        "PUT",
+        {"username": "A2O9", "repository": "buynlarge/orgrepo"},
+        {u"role": u"read"},
+        "devtable",
+        400,
+    ),
+    (
+        RepositoryUserPermission,
+        "PUT",
+        {"username": "A2O9", "repository": "buynlarge/orgrepo"},
+        {u"role": u"read"},
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryUserPermission,
+        "PUT",
+        {"username": "A2O9", "repository": "buynlarge/orgrepo"},
+        {u"role": u"read"},
+        "reader",
+        403,
+    ),
+    (
+        RepositoryTeamPermission,
+        "DELETE",
+        {"repository": "public/publicrepo", "teamname": "readers"},
+        None,
+        None,
+        401,
+    ),
+    (
+        RepositoryTeamPermission,
+        "DELETE",
+        {"repository": "public/publicrepo", "teamname": "readers"},
+        None,
+        "devtable",
+        403,
+    ),
+    (
+        RepositoryTeamPermission,
+        "DELETE",
+        {"repository": "public/publicrepo", "teamname": "readers"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryTeamPermission,
+        "DELETE",
+        {"repository": "public/publicrepo", "teamname": "readers"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        RepositoryTeamPermission,
+        "GET",
+        {"repository": "public/publicrepo", "teamname": "readers"},
+        None,
+        None,
+        401,
+    ),
+    (
+        RepositoryTeamPermission,
+        "GET",
+        {"repository": "public/publicrepo", "teamname": "readers"},
+        None,
+        "devtable",
+        403,
+    ),
+    (
+        RepositoryTeamPermission,
+        "GET",
+        {"repository": "public/publicrepo", "teamname": "readers"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryTeamPermission,
+        "GET",
+        {"repository": "public/publicrepo", "teamname": "readers"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        RepositoryTeamPermission,
+        "PUT",
+        {"repository": "public/publicrepo", "teamname": "readers"},
+        {u"role": u"read"},
+        None,
+        401,
+    ),
+    (
+        RepositoryTeamPermission,
+        "PUT",
+        {"repository": "public/publicrepo", "teamname": "readers"},
+        {u"role": u"read"},
+        "devtable",
+        403,
+    ),
+    (
+        RepositoryTeamPermission,
+        "PUT",
+        {"repository": "public/publicrepo", "teamname": "readers"},
+        {u"role": u"read"},
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryTeamPermission,
+        "PUT",
+        {"repository": "public/publicrepo", "teamname": "readers"},
+        {u"role": u"read"},
+        "reader",
+        403,
+    ),
+    (
+        RepositoryTeamPermission,
+        "DELETE",
+        {"repository": "devtable/shared", "teamname": "readers"},
+        None,
+        None,
+        401,
+    ),
+    (
+        RepositoryTeamPermission,
+        "DELETE",
+        {"repository": "devtable/shared", "teamname": "readers"},
+        None,
+        "devtable",
+        400,
+    ),
+    (
+        RepositoryTeamPermission,
+        "DELETE",
+        {"repository": "devtable/shared", "teamname": "readers"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryTeamPermission,
+        "DELETE",
+        {"repository": "devtable/shared", "teamname": "readers"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        RepositoryTeamPermission,
+        "GET",
+        {"repository": "devtable/shared", "teamname": "readers"},
+        None,
+        None,
+        401,
+    ),
+    (
+        RepositoryTeamPermission,
+        "GET",
+        {"repository": "devtable/shared", "teamname": "readers"},
+        None,
+        "devtable",
+        400,
+    ),
+    (
+        RepositoryTeamPermission,
+        "GET",
+        {"repository": "devtable/shared", "teamname": "readers"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryTeamPermission,
+        "GET",
+        {"repository": "devtable/shared", "teamname": "readers"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        RepositoryTeamPermission,
+        "PUT",
+        {"repository": "devtable/shared", "teamname": "readers"},
+        {u"role": u"read"},
+        None,
+        401,
+    ),
+    (
+        RepositoryTeamPermission,
+        "PUT",
+        {"repository": "devtable/shared", "teamname": "readers"},
+        {u"role": u"read"},
+        "devtable",
+        400,
+    ),
+    (
+        RepositoryTeamPermission,
+        "PUT",
+        {"repository": "devtable/shared", "teamname": "readers"},
+        {u"role": u"read"},
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryTeamPermission,
+        "PUT",
+        {"repository": "devtable/shared", "teamname": "readers"},
+        {u"role": u"read"},
+        "reader",
+        403,
+    ),
+    (
+        RepositoryTeamPermission,
+        "DELETE",
+        {"repository": "buynlarge/orgrepo", "teamname": "readers"},
+        None,
+        None,
+        401,
+    ),
+    (
+        RepositoryTeamPermission,
+        "DELETE",
+        {"repository": "buynlarge/orgrepo", "teamname": "readers"},
+        None,
+        "devtable",
+        204,
+    ),
+    (
+        RepositoryTeamPermission,
+        "DELETE",
+        {"repository": "buynlarge/orgrepo", "teamname": "readers"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryTeamPermission,
+        "DELETE",
+        {"repository": "buynlarge/orgrepo", "teamname": "readers"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        RepositoryTeamPermission,
+        "GET",
+        {"repository": "buynlarge/orgrepo", "teamname": "readers"},
+        None,
+        None,
+        401,
+    ),
+    (
+        RepositoryTeamPermission,
+        "GET",
+        {"repository": "buynlarge/orgrepo", "teamname": "readers"},
+        None,
+        "devtable",
+        200,
+    ),
+    (
+        RepositoryTeamPermission,
+        "GET",
+        {"repository": "buynlarge/orgrepo", "teamname": "readers"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryTeamPermission,
+        "GET",
+        {"repository": "buynlarge/orgrepo", "teamname": "readers"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        RepositoryTeamPermission,
+        "PUT",
+        {"repository": "buynlarge/orgrepo", "teamname": "readers"},
+        {u"role": u"read"},
+        None,
+        401,
+    ),
+    (
+        RepositoryTeamPermission,
+        "PUT",
+        {"repository": "buynlarge/orgrepo", "teamname": "readers"},
+        {u"role": u"read"},
+        "devtable",
+        200,
+    ),
+    (
+        RepositoryTeamPermission,
+        "PUT",
+        {"repository": "buynlarge/orgrepo", "teamname": "readers"},
+        {u"role": u"read"},
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryTeamPermission,
+        "PUT",
+        {"repository": "buynlarge/orgrepo", "teamname": "readers"},
+        {u"role": u"read"},
+        "reader",
+        403,
+    ),
+    (
+        RepositoryTeamPermission,
+        "DELETE",
+        {"repository": "public/publicrepo", "teamname": "owners"},
+        None,
+        None,
+        401,
+    ),
+    (
+        RepositoryTeamPermission,
+        "DELETE",
+        {"repository": "public/publicrepo", "teamname": "owners"},
+        None,
+        "devtable",
+        403,
+    ),
+    (
+        RepositoryTeamPermission,
+        "DELETE",
+        {"repository": "public/publicrepo", "teamname": "owners"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryTeamPermission,
+        "DELETE",
+        {"repository": "public/publicrepo", "teamname": "owners"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        RepositoryTeamPermission,
+        "GET",
+        {"repository": "public/publicrepo", "teamname": "owners"},
+        None,
+        None,
+        401,
+    ),
+    (
+        RepositoryTeamPermission,
+        "GET",
+        {"repository": "public/publicrepo", "teamname": "owners"},
+        None,
+        "devtable",
+        403,
+    ),
+    (
+        RepositoryTeamPermission,
+        "GET",
+        {"repository": "public/publicrepo", "teamname": "owners"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryTeamPermission,
+        "GET",
+        {"repository": "public/publicrepo", "teamname": "owners"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        RepositoryTeamPermission,
+        "PUT",
+        {"repository": "public/publicrepo", "teamname": "owners"},
+        {u"role": u"read"},
+        None,
+        401,
+    ),
+    (
+        RepositoryTeamPermission,
+        "PUT",
+        {"repository": "public/publicrepo", "teamname": "owners"},
+        {u"role": u"read"},
+        "devtable",
+        403,
+    ),
+    (
+        RepositoryTeamPermission,
+        "PUT",
+        {"repository": "public/publicrepo", "teamname": "owners"},
+        {u"role": u"read"},
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryTeamPermission,
+        "PUT",
+        {"repository": "public/publicrepo", "teamname": "owners"},
+        {u"role": u"read"},
+        "reader",
+        403,
+    ),
+    (
+        RepositoryTeamPermission,
+        "DELETE",
+        {"repository": "devtable/shared", "teamname": "owners"},
+        None,
+        None,
+        401,
+    ),
+    (
+        RepositoryTeamPermission,
+        "DELETE",
+        {"repository": "devtable/shared", "teamname": "owners"},
+        None,
+        "devtable",
+        400,
+    ),
+    (
+        RepositoryTeamPermission,
+        "DELETE",
+        {"repository": "devtable/shared", "teamname": "owners"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryTeamPermission,
+        "DELETE",
+        {"repository": "devtable/shared", "teamname": "owners"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        RepositoryTeamPermission,
+        "GET",
+        {"repository": "devtable/shared", "teamname": "owners"},
+        None,
+        None,
+        401,
+    ),
+    (
+        RepositoryTeamPermission,
+        "GET",
+        {"repository": "devtable/shared", "teamname": "owners"},
+        None,
+        "devtable",
+        400,
+    ),
+    (
+        RepositoryTeamPermission,
+        "GET",
+        {"repository": "devtable/shared", "teamname": "owners"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryTeamPermission,
+        "GET",
+        {"repository": "devtable/shared", "teamname": "owners"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        RepositoryTeamPermission,
+        "PUT",
+        {"repository": "devtable/shared", "teamname": "owners"},
+        {u"role": u"read"},
+        None,
+        401,
+    ),
+    (
+        RepositoryTeamPermission,
+        "PUT",
+        {"repository": "devtable/shared", "teamname": "owners"},
+        {u"role": u"read"},
+        "devtable",
+        400,
+    ),
+    (
+        RepositoryTeamPermission,
+        "PUT",
+        {"repository": "devtable/shared", "teamname": "owners"},
+        {u"role": u"read"},
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryTeamPermission,
+        "PUT",
+        {"repository": "devtable/shared", "teamname": "owners"},
+        {u"role": u"read"},
+        "reader",
+        403,
+    ),
+    (
+        RepositoryTeamPermission,
+        "DELETE",
+        {"repository": "buynlarge/orgrepo", "teamname": "owners"},
+        None,
+        None,
+        401,
+    ),
+    (
+        RepositoryTeamPermission,
+        "DELETE",
+        {"repository": "buynlarge/orgrepo", "teamname": "owners"},
+        None,
+        "devtable",
+        400,
+    ),
+    (
+        RepositoryTeamPermission,
+        "DELETE",
+        {"repository": "buynlarge/orgrepo", "teamname": "owners"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryTeamPermission,
+        "DELETE",
+        {"repository": "buynlarge/orgrepo", "teamname": "owners"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        RepositoryTeamPermission,
+        "GET",
+        {"repository": "buynlarge/orgrepo", "teamname": "owners"},
+        None,
+        None,
+        401,
+    ),
+    (
+        RepositoryTeamPermission,
+        "GET",
+        {"repository": "buynlarge/orgrepo", "teamname": "owners"},
+        None,
+        "devtable",
+        400,
+    ),
+    (
+        RepositoryTeamPermission,
+        "GET",
+        {"repository": "buynlarge/orgrepo", "teamname": "owners"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryTeamPermission,
+        "GET",
+        {"repository": "buynlarge/orgrepo", "teamname": "owners"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        RepositoryTeamPermission,
+        "PUT",
+        {"repository": "buynlarge/orgrepo", "teamname": "owners"},
+        {u"role": u"read"},
+        None,
+        401,
+    ),
+    (
+        RepositoryTeamPermission,
+        "PUT",
+        {"repository": "buynlarge/orgrepo", "teamname": "owners"},
+        {u"role": u"read"},
+        "devtable",
+        200,
+    ),
+    (
+        RepositoryTeamPermission,
+        "PUT",
+        {"repository": "buynlarge/orgrepo", "teamname": "owners"},
+        {u"role": u"read"},
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryTeamPermission,
+        "PUT",
+        {"repository": "buynlarge/orgrepo", "teamname": "owners"},
+        {u"role": u"read"},
+        "reader",
+        403,
+    ),
+    (
+        BuildTriggerActivate,
+        "POST",
+        {"repository": "public/publicrepo", "trigger_uuid": "SWO1"},
+        {},
+        None,
+        401,
+    ),
+    (
+        BuildTriggerActivate,
+        "POST",
+        {"repository": "public/publicrepo", "trigger_uuid": "SWO1"},
+        {},
+        "devtable",
+        403,
+    ),
+    (
+        BuildTriggerActivate,
+        "POST",
+        {"repository": "public/publicrepo", "trigger_uuid": "SWO1"},
+        {},
+        "freshuser",
+        403,
+    ),
+    (
+        BuildTriggerActivate,
+        "POST",
+        {"repository": "public/publicrepo", "trigger_uuid": "SWO1"},
+        {},
+        "reader",
+        403,
+    ),
+    (
+        BuildTriggerActivate,
+        "POST",
+        {"repository": "devtable/shared", "trigger_uuid": "SWO1"},
+        {},
+        None,
+        401,
+    ),
+    (
+        BuildTriggerActivate,
+        "POST",
+        {"repository": "devtable/shared", "trigger_uuid": "SWO1"},
+        {"config": {}},
+        "devtable",
+        404,
+    ),
+    (
+        BuildTriggerActivate,
+        "POST",
+        {"repository": "devtable/shared", "trigger_uuid": "SWO1"},
+        {},
+        "freshuser",
+        403,
+    ),
+    (
+        BuildTriggerActivate,
+        "POST",
+        {"repository": "devtable/shared", "trigger_uuid": "SWO1"},
+        {},
+        "reader",
+        403,
+    ),
+    (
+        BuildTriggerActivate,
+        "POST",
+        {"repository": "buynlarge/orgrepo", "trigger_uuid": "SWO1"},
+        {},
+        None,
+        401,
+    ),
+    (
+        BuildTriggerActivate,
+        "POST",
+        {"repository": "buynlarge/orgrepo", "trigger_uuid": "SWO1"},
+        {"config": {}},
+        "devtable",
+        404,
+    ),
+    (
+        BuildTriggerActivate,
+        "POST",
+        {"repository": "buynlarge/orgrepo", "trigger_uuid": "SWO1"},
+        {},
+        "freshuser",
+        403,
+    ),
+    (
+        BuildTriggerActivate,
+        "POST",
+        {"repository": "buynlarge/orgrepo", "trigger_uuid": "SWO1"},
+        {},
+        "reader",
+        403,
+    ),
+    (
+        BuildTriggerFieldValues,
+        "POST",
+        {
+            "field_name": "test_field",
+            "repository": "public/publicrepo",
+            "trigger_uuid": "SWO1",
+        },
+        {},
+        None,
+        401,
+    ),
+    (
+        BuildTriggerFieldValues,
+        "POST",
+        {
+            "field_name": "test_field",
+            "repository": "public/publicrepo",
+            "trigger_uuid": "SWO1",
+        },
+        {},
+        "devtable",
+        403,
+    ),
+    (
+        BuildTriggerFieldValues,
+        "POST",
+        {
+            "field_name": "test_field",
+            "repository": "public/publicrepo",
+            "trigger_uuid": "SWO1",
+        },
+        {},
+        "freshuser",
+        403,
+    ),
+    (
+        BuildTriggerFieldValues,
+        "POST",
+        {
+            "field_name": "test_field",
+            "repository": "public/publicrepo",
+            "trigger_uuid": "SWO1",
+        },
+        {},
+        "reader",
+        403,
+    ),
+    (
+        BuildTriggerFieldValues,
+        "POST",
+        {
+            "field_name": "test_field",
+            "repository": "devtable/shared",
+            "trigger_uuid": "SWO1",
+        },
+        {},
+        None,
+        401,
+    ),
+    (
+        BuildTriggerFieldValues,
+        "POST",
+        {
+            "field_name": "test_field",
+            "repository": "devtable/shared",
+            "trigger_uuid": "SWO1",
+        },
+        {"config": {}},
+        "devtable",
+        404,
+    ),
+    (
+        BuildTriggerFieldValues,
+        "POST",
+        {
+            "field_name": "test_field",
+            "repository": "devtable/shared",
+            "trigger_uuid": "SWO1",
+        },
+        {},
+        "freshuser",
+        403,
+    ),
+    (
+        BuildTriggerFieldValues,
+        "POST",
+        {
+            "field_name": "test_field",
+            "repository": "devtable/shared",
+            "trigger_uuid": "SWO1",
+        },
+        {},
+        "reader",
+        403,
+    ),
+    (
+        BuildTriggerFieldValues,
+        "POST",
+        {
+            "field_name": "test_field",
+            "repository": "buynlarge/orgrepo",
+            "trigger_uuid": "SWO1",
+        },
+        {},
+        None,
+        401,
+    ),
+    (
+        BuildTriggerFieldValues,
+        "POST",
+        {
+            "field_name": "test_field",
+            "repository": "buynlarge/orgrepo",
+            "trigger_uuid": "SWO1",
+        },
+        {"config": {}},
+        "devtable",
+        404,
+    ),
+    (
+        BuildTriggerFieldValues,
+        "POST",
+        {
+            "field_name": "test_field",
+            "repository": "buynlarge/orgrepo",
+            "trigger_uuid": "SWO1",
+        },
+        {},
+        "freshuser",
+        403,
+    ),
+    (
+        BuildTriggerFieldValues,
+        "POST",
+        {
+            "field_name": "test_field",
+            "repository": "buynlarge/orgrepo",
+            "trigger_uuid": "SWO1",
+        },
+        {},
+        "reader",
+        403,
+    ),
+    (
+        BuildTriggerSources,
+        "POST",
+        {"repository": "public/publicrepo", "trigger_uuid": "831C"},
+        None,
+        None,
+        401,
+    ),
+    (
+        BuildTriggerSources,
+        "POST",
+        {"repository": "public/publicrepo", "trigger_uuid": "831C"},
+        {"namespace": "foo"},
+        "devtable",
+        403,
+    ),
+    (
+        BuildTriggerSources,
+        "POST",
+        {"repository": "public/publicrepo", "trigger_uuid": "831C"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        BuildTriggerSources,
+        "POST",
+        {"repository": "public/publicrepo", "trigger_uuid": "831C"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        BuildTriggerSources,
+        "POST",
+        {"repository": "devtable/shared", "trigger_uuid": "831C"},
+        None,
+        None,
+        401,
+    ),
+    (
+        BuildTriggerSources,
+        "POST",
+        {"repository": "devtable/shared", "trigger_uuid": "831C"},
+        {"namespace": "foo"},
+        "devtable",
+        404,
+    ),
+    (
+        BuildTriggerSources,
+        "POST",
+        {"repository": "devtable/shared", "trigger_uuid": "831C"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        BuildTriggerSources,
+        "POST",
+        {"repository": "devtable/shared", "trigger_uuid": "831C"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        BuildTriggerSources,
+        "POST",
+        {"repository": "buynlarge/orgrepo", "trigger_uuid": "831C"},
+        None,
+        None,
+        401,
+    ),
+    (
+        BuildTriggerSources,
+        "POST",
+        {"repository": "buynlarge/orgrepo", "trigger_uuid": "831C"},
+        {"namespace": "foo"},
+        "devtable",
+        404,
+    ),
+    (
+        BuildTriggerSources,
+        "POST",
+        {"repository": "buynlarge/orgrepo", "trigger_uuid": "831C"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        BuildTriggerSources,
+        "POST",
+        {"repository": "buynlarge/orgrepo", "trigger_uuid": "831C"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        BuildTriggerSubdirs,
+        "POST",
+        {"repository": "public/publicrepo", "trigger_uuid": "4I2Y"},
+        {},
+        None,
+        401,
+    ),
+    (
+        BuildTriggerSubdirs,
+        "POST",
+        {"repository": "public/publicrepo", "trigger_uuid": "4I2Y"},
+        {},
+        "devtable",
+        403,
+    ),
+    (
+        BuildTriggerSubdirs,
+        "POST",
+        {"repository": "public/publicrepo", "trigger_uuid": "4I2Y"},
+        {},
+        "freshuser",
+        403,
+    ),
+    (
+        BuildTriggerSubdirs,
+        "POST",
+        {"repository": "public/publicrepo", "trigger_uuid": "4I2Y"},
+        {},
+        "reader",
+        403,
+    ),
+    (
+        BuildTriggerSubdirs,
+        "POST",
+        {"repository": "devtable/shared", "trigger_uuid": "4I2Y"},
+        {},
+        None,
+        401,
+    ),
+    (
+        BuildTriggerSubdirs,
+        "POST",
+        {"repository": "devtable/shared", "trigger_uuid": "4I2Y"},
+        {},
+        "devtable",
+        404,
+    ),
+    (
+        BuildTriggerSubdirs,
+        "POST",
+        {"repository": "devtable/shared", "trigger_uuid": "4I2Y"},
+        {},
+        "freshuser",
+        403,
+    ),
+    (
+        BuildTriggerSubdirs,
+        "POST",
+        {"repository": "devtable/shared", "trigger_uuid": "4I2Y"},
+        {},
+        "reader",
+        403,
+    ),
+    (
+        BuildTriggerSubdirs,
+        "POST",
+        {"repository": "buynlarge/orgrepo", "trigger_uuid": "4I2Y"},
+        {},
+        None,
+        401,
+    ),
+    (
+        BuildTriggerSubdirs,
+        "POST",
+        {"repository": "buynlarge/orgrepo", "trigger_uuid": "4I2Y"},
+        {},
+        "devtable",
+        404,
+    ),
+    (
+        BuildTriggerSubdirs,
+        "POST",
+        {"repository": "buynlarge/orgrepo", "trigger_uuid": "4I2Y"},
+        {},
+        "freshuser",
+        403,
+    ),
+    (
+        BuildTriggerSubdirs,
+        "POST",
+        {"repository": "buynlarge/orgrepo", "trigger_uuid": "4I2Y"},
+        {},
+        "reader",
+        403,
+    ),
+    (
+        TriggerBuildList,
+        "GET",
+        {"repository": "public/publicrepo", "trigger_uuid": "ZM1W"},
+        None,
+        None,
+        401,
+    ),
+    (
+        TriggerBuildList,
+        "GET",
+        {"repository": "public/publicrepo", "trigger_uuid": "ZM1W"},
+        None,
+        "devtable",
+        403,
+    ),
+    (
+        TriggerBuildList,
+        "GET",
+        {"repository": "public/publicrepo", "trigger_uuid": "ZM1W"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        TriggerBuildList,
+        "GET",
+        {"repository": "public/publicrepo", "trigger_uuid": "ZM1W"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        TriggerBuildList,
+        "GET",
+        {"repository": "devtable/shared", "trigger_uuid": "ZM1W"},
+        None,
+        None,
+        401,
+    ),
+    (
+        TriggerBuildList,
+        "GET",
+        {"repository": "devtable/shared", "trigger_uuid": "ZM1W"},
+        None,
+        "devtable",
+        200,
+    ),
+    (
+        TriggerBuildList,
+        "GET",
+        {"repository": "devtable/shared", "trigger_uuid": "ZM1W"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        TriggerBuildList,
+        "GET",
+        {"repository": "devtable/shared", "trigger_uuid": "ZM1W"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        TriggerBuildList,
+        "GET",
+        {"repository": "buynlarge/orgrepo", "trigger_uuid": "ZM1W"},
+        None,
+        None,
+        401,
+    ),
+    (
+        TriggerBuildList,
+        "GET",
+        {"repository": "buynlarge/orgrepo", "trigger_uuid": "ZM1W"},
+        None,
+        "devtable",
+        200,
+    ),
+    (
+        TriggerBuildList,
+        "GET",
+        {"repository": "buynlarge/orgrepo", "trigger_uuid": "ZM1W"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        TriggerBuildList,
+        "GET",
+        {"repository": "buynlarge/orgrepo", "trigger_uuid": "ZM1W"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        ActivateBuildTrigger,
+        "POST",
+        {"repository": "public/publicrepo", "trigger_uuid": "0BYE"},
+        None,
+        None,
+        401,
+    ),
+    (
+        ActivateBuildTrigger,
+        "POST",
+        {"repository": "public/publicrepo", "trigger_uuid": "0BYE"},
+        None,
+        "devtable",
+        403,
+    ),
+    (
+        ActivateBuildTrigger,
+        "POST",
+        {"repository": "public/publicrepo", "trigger_uuid": "0BYE"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        ActivateBuildTrigger,
+        "POST",
+        {"repository": "public/publicrepo", "trigger_uuid": "0BYE"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        ActivateBuildTrigger,
+        "POST",
+        {"repository": "devtable/shared", "trigger_uuid": "0BYE"},
+        None,
+        None,
+        401,
+    ),
+    (
+        ActivateBuildTrigger,
+        "POST",
+        {"repository": "devtable/shared", "trigger_uuid": "0BYE"},
+        {},
+        "devtable",
+        404,
+    ),
+    (
+        ActivateBuildTrigger,
+        "POST",
+        {"repository": "devtable/shared", "trigger_uuid": "0BYE"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        ActivateBuildTrigger,
+        "POST",
+        {"repository": "devtable/shared", "trigger_uuid": "0BYE"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        ActivateBuildTrigger,
+        "POST",
+        {"repository": "buynlarge/orgrepo", "trigger_uuid": "0BYE"},
+        None,
+        None,
+        401,
+    ),
+    (
+        ActivateBuildTrigger,
+        "POST",
+        {"repository": "buynlarge/orgrepo", "trigger_uuid": "0BYE"},
+        {},
+        "devtable",
+        404,
+    ),
+    (
+        ActivateBuildTrigger,
+        "POST",
+        {"repository": "buynlarge/orgrepo", "trigger_uuid": "0BYE"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        ActivateBuildTrigger,
+        "POST",
+        {"repository": "buynlarge/orgrepo", "trigger_uuid": "0BYE"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        BuildTriggerAnalyze,
+        "POST",
+        {"repository": "public/publicrepo", "trigger_uuid": "0BYE"},
+        None,
+        None,
+        401,
+    ),
+    (
+        BuildTriggerAnalyze,
+        "POST",
+        {"repository": "public/publicrepo", "trigger_uuid": "0BYE"},
+        {"config": {}},
+        "devtable",
+        403,
+    ),
+    (
+        BuildTriggerAnalyze,
+        "POST",
+        {"repository": "public/publicrepo", "trigger_uuid": "0BYE"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        BuildTriggerAnalyze,
+        "POST",
+        {"repository": "public/publicrepo", "trigger_uuid": "0BYE"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        BuildTriggerAnalyze,
+        "POST",
+        {"repository": "devtable/shared", "trigger_uuid": "0BYE"},
+        None,
+        None,
+        401,
+    ),
+    (
+        BuildTriggerAnalyze,
+        "POST",
+        {"repository": "devtable/shared", "trigger_uuid": "0BYE"},
+        {"config": {}},
+        "devtable",
+        404,
+    ),
+    (
+        BuildTriggerAnalyze,
+        "POST",
+        {"repository": "devtable/shared", "trigger_uuid": "0BYE"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        BuildTriggerAnalyze,
+        "POST",
+        {"repository": "devtable/shared", "trigger_uuid": "0BYE"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        BuildTriggerAnalyze,
+        "POST",
+        {"repository": "buynlarge/orgrepo", "trigger_uuid": "0BYE"},
+        None,
+        None,
+        401,
+    ),
+    (
+        BuildTriggerAnalyze,
+        "POST",
+        {"repository": "buynlarge/orgrepo", "trigger_uuid": "0BYE"},
+        {"config": {}},
+        "devtable",
+        404,
+    ),
+    (
+        BuildTriggerAnalyze,
+        "POST",
+        {"repository": "buynlarge/orgrepo", "trigger_uuid": "0BYE"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        BuildTriggerAnalyze,
+        "POST",
+        {"repository": "buynlarge/orgrepo", "trigger_uuid": "0BYE"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        RepositoryBuildStatus,
+        "GET",
+        {"build_uuid": "FG86", "repository": "public/publicrepo"},
+        None,
+        None,
+        400,
+    ),
+    (
+        RepositoryBuildStatus,
+        "GET",
+        {"build_uuid": "FG86", "repository": "public/publicrepo"},
+        None,
+        "devtable",
+        400,
+    ),
+    (
+        RepositoryBuildStatus,
+        "GET",
+        {"build_uuid": "FG86", "repository": "public/publicrepo"},
+        None,
+        "freshuser",
+        400,
+    ),
+    (
+        RepositoryBuildStatus,
+        "GET",
+        {"build_uuid": "FG86", "repository": "public/publicrepo"},
+        None,
+        "reader",
+        400,
+    ),
+    (
+        RepositoryBuildStatus,
+        "GET",
+        {"build_uuid": "FG86", "repository": "devtable/shared"},
+        None,
+        None,
+        401,
+    ),
+    (
+        RepositoryBuildStatus,
+        "GET",
+        {"build_uuid": "FG86", "repository": "devtable/shared"},
+        None,
+        "devtable",
+        400,
+    ),
+    (
+        RepositoryBuildStatus,
+        "GET",
+        {"build_uuid": "FG86", "repository": "devtable/shared"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryBuildStatus,
+        "GET",
+        {"build_uuid": "FG86", "repository": "devtable/shared"},
+        None,
+        "reader",
+        400,
+    ),
+    (
+        RepositoryBuildStatus,
+        "GET",
+        {"build_uuid": "FG86", "repository": "buynlarge/orgrepo"},
+        None,
+        None,
+        401,
+    ),
+    (
+        RepositoryBuildStatus,
+        "GET",
+        {"build_uuid": "FG86", "repository": "buynlarge/orgrepo"},
+        None,
+        "devtable",
+        400,
+    ),
+    (
+        RepositoryBuildStatus,
+        "GET",
+        {"build_uuid": "FG86", "repository": "buynlarge/orgrepo"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryBuildStatus,
+        "GET",
+        {"build_uuid": "FG86", "repository": "buynlarge/orgrepo"},
+        None,
+        "reader",
+        400,
+    ),
+    (
+        RepositoryBuildResource,
+        "GET",
+        {"build_uuid": "FG86", "repository": "public/publicrepo"},
+        None,
+        None,
+        404,
+    ),
+    (
+        RepositoryBuildResource,
+        "GET",
+        {"build_uuid": "FG86", "repository": "public/publicrepo"},
+        None,
+        "devtable",
+        404,
+    ),
+    (
+        RepositoryBuildResource,
+        "GET",
+        {"build_uuid": "FG86", "repository": "public/publicrepo"},
+        None,
+        "freshuser",
+        404,
+    ),
+    (
+        RepositoryBuildResource,
+        "GET",
+        {"build_uuid": "FG86", "repository": "public/publicrepo"},
+        None,
+        "reader",
+        404,
+    ),
+    (
+        RepositoryBuildResource,
+        "GET",
+        {"build_uuid": "FG86", "repository": "devtable/shared"},
+        None,
+        None,
+        401,
+    ),
+    (
+        RepositoryBuildResource,
+        "GET",
+        {"build_uuid": "FG86", "repository": "devtable/shared"},
+        None,
+        "devtable",
+        404,
+    ),
+    (
+        RepositoryBuildResource,
+        "GET",
+        {"build_uuid": "FG86", "repository": "devtable/shared"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryBuildResource,
+        "GET",
+        {"build_uuid": "FG86", "repository": "devtable/shared"},
+        None,
+        "reader",
+        404,
+    ),
+    (
+        RepositoryBuildResource,
+        "GET",
+        {"build_uuid": "FG86", "repository": "buynlarge/orgrepo"},
+        None,
+        None,
+        401,
+    ),
+    (
+        RepositoryBuildResource,
+        "GET",
+        {"build_uuid": "FG86", "repository": "buynlarge/orgrepo"},
+        None,
+        "devtable",
+        404,
+    ),
+    (
+        RepositoryBuildResource,
+        "GET",
+        {"build_uuid": "FG86", "repository": "buynlarge/orgrepo"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryBuildResource,
+        "GET",
+        {"build_uuid": "FG86", "repository": "buynlarge/orgrepo"},
+        None,
+        "reader",
+        404,
+    ),
+    (
+        RepositoryBuildResource,
+        "DELETE",
+        {"build_uuid": "FG86", "repository": "public/publicrepo"},
+        None,
+        None,
+        401,
+    ),
+    (
+        RepositoryBuildResource,
+        "DELETE",
+        {"build_uuid": "FG86", "repository": "public/publicrepo"},
+        None,
+        "devtable",
+        403,
+    ),
+    (
+        RepositoryBuildResource,
+        "DELETE",
+        {"build_uuid": "FG86", "repository": "public/publicrepo"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryBuildResource,
+        "DELETE",
+        {"build_uuid": "FG86", "repository": "public/publicrepo"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        RepositoryBuildResource,
+        "DELETE",
+        {"build_uuid": "FG86", "repository": "devtable/shared"},
+        None,
+        None,
+        401,
+    ),
+    (
+        RepositoryBuildResource,
+        "DELETE",
+        {"build_uuid": "FG86", "repository": "devtable/shared"},
+        None,
+        "devtable",
+        404,
+    ),
+    (
+        RepositoryBuildResource,
+        "DELETE",
+        {"build_uuid": "FG86", "repository": "devtable/shared"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryBuildResource,
+        "DELETE",
+        {"build_uuid": "FG86", "repository": "devtable/shared"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        RepositoryBuildResource,
+        "DELETE",
+        {"build_uuid": "FG86", "repository": "buynlarge/orgrepo"},
+        None,
+        None,
+        401,
+    ),
+    (
+        RepositoryBuildResource,
+        "DELETE",
+        {"build_uuid": "FG86", "repository": "buynlarge/orgrepo"},
+        None,
+        "devtable",
+        404,
+    ),
+    (
+        RepositoryBuildResource,
+        "DELETE",
+        {"build_uuid": "FG86", "repository": "buynlarge/orgrepo"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryBuildResource,
+        "DELETE",
+        {"build_uuid": "FG86", "repository": "buynlarge/orgrepo"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        RepositoryBuildLogs,
+        "GET",
+        {"build_uuid": "S5J8", "repository": "public/publicrepo"},
+        None,
+        None,
+        401,
+    ),
+    (
+        RepositoryBuildLogs,
+        "GET",
+        {"build_uuid": "S5J8", "repository": "public/publicrepo"},
+        None,
+        "devtable",
+        403,
+    ),
+    (
+        RepositoryBuildLogs,
+        "GET",
+        {"build_uuid": "S5J8", "repository": "public/publicrepo"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryBuildLogs,
+        "GET",
+        {"build_uuid": "S5J8", "repository": "public/publicrepo"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        RepositoryBuildLogs,
+        "GET",
+        {"build_uuid": "S5J8", "repository": "devtable/shared"},
+        None,
+        None,
+        401,
+    ),
+    (
+        RepositoryBuildLogs,
+        "GET",
+        {"build_uuid": "S5J8", "repository": "devtable/shared"},
+        None,
+        "devtable",
+        400,
+    ),
+    (
+        RepositoryBuildLogs,
+        "GET",
+        {"build_uuid": "S5J8", "repository": "devtable/shared"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryBuildLogs,
+        "GET",
+        {"build_uuid": "S5J8", "repository": "devtable/shared"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        RepositoryBuildLogs,
+        "GET",
+        {"build_uuid": "S5J8", "repository": "buynlarge/orgrepo"},
+        None,
+        None,
+        401,
+    ),
+    (
+        RepositoryBuildLogs,
+        "GET",
+        {"build_uuid": "S5J8", "repository": "buynlarge/orgrepo"},
+        None,
+        "devtable",
+        400,
+    ),
+    (
+        RepositoryBuildLogs,
+        "GET",
+        {"build_uuid": "S5J8", "repository": "buynlarge/orgrepo"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryBuildLogs,
+        "GET",
+        {"build_uuid": "S5J8", "repository": "buynlarge/orgrepo"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        ListRepositoryTags,
+        "GET",
+        {"tag": "TN96", "repository": "public/publicrepo"},
+        None,
+        None,
+        200,
+    ),
+    (
+        ListRepositoryTags,
+        "GET",
+        {"tag": "TN96", "repository": "public/publicrepo"},
+        None,
+        "devtable",
+        200,
+    ),
+    (
+        ListRepositoryTags,
+        "GET",
+        {"tag": "TN96", "repository": "public/publicrepo"},
+        None,
+        "freshuser",
+        200,
+    ),
+    (
+        ListRepositoryTags,
+        "GET",
+        {"tag": "TN96", "repository": "public/publicrepo"},
+        None,
+        "reader",
+        200,
+    ),
+    (
+        ListRepositoryTags,
+        "GET",
+        {"tag": "TN96", "repository": "devtable/shared"},
+        None,
+        None,
+        401,
+    ),
+    (
+        ListRepositoryTags,
+        "GET",
+        {"tag": "TN96", "repository": "devtable/shared"},
+        None,
+        "devtable",
+        200,
+    ),
+    (
+        ListRepositoryTags,
+        "GET",
+        {"tag": "TN96", "repository": "devtable/shared"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        ListRepositoryTags,
+        "GET",
+        {"tag": "TN96", "repository": "devtable/shared"},
+        None,
+        "reader",
+        200,
+    ),
+    (
+        ListRepositoryTags,
+        "GET",
+        {"tag": "TN96", "repository": "buynlarge/orgrepo"},
+        None,
+        None,
+        401,
+    ),
+    (
+        ListRepositoryTags,
+        "GET",
+        {"tag": "TN96", "repository": "buynlarge/orgrepo"},
+        None,
+        "devtable",
+        200,
+    ),
+    (
+        ListRepositoryTags,
+        "GET",
+        {"tag": "TN96", "repository": "buynlarge/orgrepo"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        ListRepositoryTags,
+        "GET",
+        {"tag": "TN96", "repository": "buynlarge/orgrepo"},
+        None,
+        "reader",
+        200,
+    ),
+    (
+        RepositoryTagImages,
+        "GET",
+        {"tag": "TN96", "repository": "public/publicrepo"},
+        None,
+        None,
+        404,
+    ),
+    (
+        RepositoryTagImages,
+        "GET",
+        {"tag": "TN96", "repository": "public/publicrepo"},
+        None,
+        "devtable",
+        404,
+    ),
+    (
+        RepositoryTagImages,
+        "GET",
+        {"tag": "TN96", "repository": "public/publicrepo"},
+        None,
+        "freshuser",
+        404,
+    ),
+    (
+        RepositoryTagImages,
+        "GET",
+        {"tag": "TN96", "repository": "public/publicrepo"},
+        None,
+        "reader",
+        404,
+    ),
+    (
+        RepositoryTagImages,
+        "GET",
+        {"tag": "TN96", "repository": "devtable/shared"},
+        None,
+        None,
+        401,
+    ),
+    (
+        RepositoryTagImages,
+        "GET",
+        {"tag": "TN96", "repository": "devtable/shared"},
+        None,
+        "devtable",
+        404,
+    ),
+    (
+        RepositoryTagImages,
+        "GET",
+        {"tag": "TN96", "repository": "devtable/shared"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryTagImages,
+        "GET",
+        {"tag": "TN96", "repository": "devtable/shared"},
+        None,
+        "reader",
+        404,
+    ),
+    (
+        RepositoryTagImages,
+        "GET",
+        {"tag": "TN96", "repository": "buynlarge/orgrepo"},
+        None,
+        None,
+        401,
+    ),
+    (
+        RepositoryTagImages,
+        "GET",
+        {"tag": "TN96", "repository": "buynlarge/orgrepo"},
+        None,
+        "devtable",
+        404,
+    ),
+    (
+        RepositoryTagImages,
+        "GET",
+        {"tag": "TN96", "repository": "buynlarge/orgrepo"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryTagImages,
+        "GET",
+        {"tag": "TN96", "repository": "buynlarge/orgrepo"},
+        None,
+        "reader",
+        404,
+    ),
+    (
+        PermissionPrototype,
+        "DELETE",
+        {"orgname": "buynlarge", "prototypeid": "L24B"},
+        None,
+        None,
+        401,
+    ),
+    (
+        PermissionPrototype,
+        "DELETE",
+        {"orgname": "buynlarge", "prototypeid": "L24B"},
+        None,
+        "devtable",
+        404,
+    ),
+    (
+        PermissionPrototype,
+        "DELETE",
+        {"orgname": "buynlarge", "prototypeid": "L24B"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        PermissionPrototype,
+        "DELETE",
+        {"orgname": "buynlarge", "prototypeid": "L24B"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        PermissionPrototype,
+        "PUT",
+        {"orgname": "buynlarge", "prototypeid": "L24B"},
+        {u"role": u"read"},
+        None,
+        401,
+    ),
+    (
+        PermissionPrototype,
+        "PUT",
+        {"orgname": "buynlarge", "prototypeid": "L24B"},
+        {u"role": u"read"},
+        "devtable",
+        404,
+    ),
+    (
+        PermissionPrototype,
+        "PUT",
+        {"orgname": "buynlarge", "prototypeid": "L24B"},
+        {u"role": u"read"},
+        "freshuser",
+        403,
+    ),
+    (
+        PermissionPrototype,
+        "PUT",
+        {"orgname": "buynlarge", "prototypeid": "L24B"},
+        {u"role": u"read"},
+        "reader",
+        403,
+    ),
+    (
+        OrganizationMember,
+        "DELETE",
+        {"orgname": "buynlarge", "membername": "someuser"},
+        None,
+        None,
+        401,
+    ),
+    (
+        OrganizationMember,
+        "DELETE",
+        {"orgname": "buynlarge", "membername": "someuser"},
+        None,
+        "devtable",
+        404,
+    ),
+    (
+        OrganizationMember,
+        "DELETE",
+        {"orgname": "buynlarge", "membername": "someuser"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        OrganizationMember,
+        "DELETE",
+        {"orgname": "buynlarge", "membername": "someuser"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        OrganizationMember,
+        "GET",
+        {"orgname": "buynlarge", "membername": "someuser"},
+        None,
+        None,
+        401,
+    ),
+    (
+        OrganizationMember,
+        "GET",
+        {"orgname": "buynlarge", "membername": "someuser"},
+        None,
+        "devtable",
+        404,
+    ),
+    (
+        OrganizationMember,
+        "GET",
+        {"orgname": "buynlarge", "membername": "someuser"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        OrganizationMember,
+        "GET",
+        {"orgname": "buynlarge", "membername": "someuser"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        OrgRobot,
+        "DELETE",
+        {"orgname": "buynlarge", "robot_shortname": "Z7PD"},
+        None,
+        None,
+        401,
+    ),
+    (
+        OrgRobot,
+        "DELETE",
+        {"orgname": "buynlarge", "robot_shortname": "Z7PD"},
+        None,
+        "devtable",
+        400,
+    ),
+    (
+        OrgRobot,
+        "DELETE",
+        {"orgname": "buynlarge", "robot_shortname": "Z7PD"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        OrgRobot,
+        "DELETE",
+        {"orgname": "buynlarge", "robot_shortname": "Z7PD"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        OrgRobot,
+        "GET",
+        {"orgname": "buynlarge", "robot_shortname": "Z7PD"},
+        None,
+        None,
+        401,
+    ),
+    (
+        OrgRobot,
+        "GET",
+        {"orgname": "buynlarge", "robot_shortname": "Z7PD"},
+        None,
+        "devtable",
+        400,
+    ),
+    (
+        OrgRobot,
+        "GET",
+        {"orgname": "buynlarge", "robot_shortname": "Z7PD"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        OrgRobot,
+        "GET",
+        {"orgname": "buynlarge", "robot_shortname": "Z7PD"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        OrgRobot,
+        "PUT",
+        {"orgname": "buynlarge", "robot_shortname": "Z7PD"},
+        {},
+        None,
+        401,
+    ),
+    (
+        OrgRobot,
+        "PUT",
+        {"orgname": "buynlarge", "robot_shortname": "Z7PD"},
+        {},
+        "devtable",
+        400,
+    ),
+    (
+        OrgRobot,
+        "PUT",
+        {"orgname": "buynlarge", "robot_shortname": "Z7PD"},
+        {},
+        "freshuser",
+        403,
+    ),
+    (
+        OrgRobot,
+        "PUT",
+        {"orgname": "buynlarge", "robot_shortname": "Z7PD"},
+        {},
+        "reader",
+        403,
+    ),
+    (
+        OrganizationTeam,
+        "DELETE",
+        {"orgname": "buynlarge", "teamname": "readers"},
+        None,
+        None,
+        401,
+    ),
+    (
+        OrganizationTeam,
+        "DELETE",
+        {"orgname": "buynlarge", "teamname": "readers"},
+        None,
+        "devtable",
+        204,
+    ),
+    (
+        OrganizationTeam,
+        "DELETE",
+        {"orgname": "buynlarge", "teamname": "readers"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        OrganizationTeam,
+        "DELETE",
+        {"orgname": "buynlarge", "teamname": "readers"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        OrganizationTeam,
+        "PUT",
+        {"orgname": "buynlarge", "teamname": "readers"},
+        {u"role": u"member"},
+        None,
+        401,
+    ),
+    (
+        OrganizationTeam,
+        "PUT",
+        {"orgname": "buynlarge", "teamname": "readers"},
+        {u"role": u"member"},
+        "devtable",
+        200,
+    ),
+    (
+        OrganizationTeam,
+        "PUT",
+        {"orgname": "buynlarge", "teamname": "readers"},
+        {u"role": u"member"},
+        "freshuser",
+        403,
+    ),
+    (
+        OrganizationTeam,
+        "PUT",
+        {"orgname": "buynlarge", "teamname": "readers"},
+        {u"role": u"member"},
+        "reader",
+        403,
+    ),
+    (
+        OrganizationTeam,
+        "DELETE",
+        {"orgname": "buynlarge", "teamname": "owners"},
+        None,
+        None,
+        401,
+    ),
+    (
+        OrganizationTeam,
+        "DELETE",
+        {"orgname": "buynlarge", "teamname": "owners"},
+        None,
+        "devtable",
+        400,
+    ),
+    (
+        OrganizationTeam,
+        "DELETE",
+        {"orgname": "buynlarge", "teamname": "owners"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        OrganizationTeam,
+        "DELETE",
+        {"orgname": "buynlarge", "teamname": "owners"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        OrganizationTeam,
+        "PUT",
+        {"orgname": "buynlarge", "teamname": "owners"},
+        {u"role": u"member"},
+        None,
+        401,
+    ),
+    (
+        OrganizationTeam,
+        "PUT",
+        {"orgname": "buynlarge", "teamname": "owners"},
+        {u"role": u"member"},
+        "devtable",
+        400,
+    ),
+    (
+        OrganizationTeam,
+        "PUT",
+        {"orgname": "buynlarge", "teamname": "owners"},
+        {u"role": u"member"},
+        "freshuser",
+        403,
+    ),
+    (
+        OrganizationTeam,
+        "PUT",
+        {"orgname": "buynlarge", "teamname": "owners"},
+        {u"role": u"member"},
+        "reader",
+        403,
+    ),
+    (
+        RepositoryTeamPermissionList,
+        "GET",
+        {"repository": "public/publicrepo"},
+        None,
+        None,
+        401,
+    ),
+    (
+        RepositoryTeamPermissionList,
+        "GET",
+        {"repository": "public/publicrepo"},
+        None,
+        "devtable",
+        403,
+    ),
+    (
+        RepositoryTeamPermissionList,
+        "GET",
+        {"repository": "public/publicrepo"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryTeamPermissionList,
+        "GET",
+        {"repository": "public/publicrepo"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        RepositoryTeamPermissionList,
+        "GET",
+        {"repository": "devtable/shared"},
+        None,
+        None,
+        401,
+    ),
+    (
+        RepositoryTeamPermissionList,
+        "GET",
+        {"repository": "devtable/shared"},
+        None,
+        "devtable",
+        200,
+    ),
+    (
+        RepositoryTeamPermissionList,
+        "GET",
+        {"repository": "devtable/shared"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryTeamPermissionList,
+        "GET",
+        {"repository": "devtable/shared"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        RepositoryTeamPermissionList,
+        "GET",
+        {"repository": "buynlarge/orgrepo"},
+        None,
+        None,
+        401,
+    ),
+    (
+        RepositoryTeamPermissionList,
+        "GET",
+        {"repository": "buynlarge/orgrepo"},
+        None,
+        "devtable",
+        200,
+    ),
+    (
+        RepositoryTeamPermissionList,
+        "GET",
+        {"repository": "buynlarge/orgrepo"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryTeamPermissionList,
+        "GET",
+        {"repository": "buynlarge/orgrepo"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        RepositoryUserPermissionList,
+        "GET",
+        {"repository": "public/publicrepo"},
+        None,
+        None,
+        401,
+    ),
+    (
+        RepositoryUserPermissionList,
+        "GET",
+        {"repository": "public/publicrepo"},
+        None,
+        "devtable",
+        403,
+    ),
+    (
+        RepositoryUserPermissionList,
+        "GET",
+        {"repository": "public/publicrepo"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryUserPermissionList,
+        "GET",
+        {"repository": "public/publicrepo"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        RepositoryUserPermissionList,
+        "GET",
+        {"repository": "devtable/shared"},
+        None,
+        None,
+        401,
+    ),
+    (
+        RepositoryUserPermissionList,
+        "GET",
+        {"repository": "devtable/shared"},
+        None,
+        "devtable",
+        200,
+    ),
+    (
+        RepositoryUserPermissionList,
+        "GET",
+        {"repository": "devtable/shared"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryUserPermissionList,
+        "GET",
+        {"repository": "devtable/shared"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        RepositoryUserPermissionList,
+        "GET",
+        {"repository": "buynlarge/orgrepo"},
+        None,
+        None,
+        401,
+    ),
+    (
+        RepositoryUserPermissionList,
+        "GET",
+        {"repository": "buynlarge/orgrepo"},
+        None,
+        "devtable",
+        200,
+    ),
+    (
+        RepositoryUserPermissionList,
+        "GET",
+        {"repository": "buynlarge/orgrepo"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryUserPermissionList,
+        "GET",
+        {"repository": "buynlarge/orgrepo"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        BuildTrigger,
+        "DELETE",
+        {"repository": "public/publicrepo", "trigger_uuid": "D6TI"},
+        None,
+        None,
+        401,
+    ),
+    (
+        BuildTrigger,
+        "DELETE",
+        {"repository": "public/publicrepo", "trigger_uuid": "D6TI"},
+        None,
+        "devtable",
+        403,
+    ),
+    (
+        BuildTrigger,
+        "DELETE",
+        {"repository": "public/publicrepo", "trigger_uuid": "D6TI"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        BuildTrigger,
+        "DELETE",
+        {"repository": "public/publicrepo", "trigger_uuid": "D6TI"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        BuildTrigger,
+        "GET",
+        {"repository": "public/publicrepo", "trigger_uuid": "D6TI"},
+        None,
+        None,
+        401,
+    ),
+    (
+        BuildTrigger,
+        "GET",
+        {"repository": "public/publicrepo", "trigger_uuid": "D6TI"},
+        None,
+        "devtable",
+        403,
+    ),
+    (
+        BuildTrigger,
+        "GET",
+        {"repository": "public/publicrepo", "trigger_uuid": "D6TI"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        BuildTrigger,
+        "GET",
+        {"repository": "public/publicrepo", "trigger_uuid": "D6TI"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        BuildTrigger,
+        "DELETE",
+        {"repository": "devtable/shared", "trigger_uuid": "D6TI"},
+        None,
+        None,
+        401,
+    ),
+    (
+        BuildTrigger,
+        "DELETE",
+        {"repository": "devtable/shared", "trigger_uuid": "D6TI"},
+        None,
+        "devtable",
+        404,
+    ),
+    (
+        BuildTrigger,
+        "DELETE",
+        {"repository": "devtable/shared", "trigger_uuid": "D6TI"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        BuildTrigger,
+        "DELETE",
+        {"repository": "devtable/shared", "trigger_uuid": "D6TI"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        BuildTrigger,
+        "GET",
+        {"repository": "devtable/shared", "trigger_uuid": "D6TI"},
+        None,
+        None,
+        401,
+    ),
+    (
+        BuildTrigger,
+        "GET",
+        {"repository": "devtable/shared", "trigger_uuid": "D6TI"},
+        None,
+        "devtable",
+        404,
+    ),
+    (
+        BuildTrigger,
+        "GET",
+        {"repository": "devtable/shared", "trigger_uuid": "D6TI"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        BuildTrigger,
+        "GET",
+        {"repository": "devtable/shared", "trigger_uuid": "D6TI"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        BuildTrigger,
+        "DELETE",
+        {"repository": "buynlarge/orgrepo", "trigger_uuid": "D6TI"},
+        None,
+        None,
+        401,
+    ),
+    (
+        BuildTrigger,
+        "DELETE",
+        {"repository": "buynlarge/orgrepo", "trigger_uuid": "D6TI"},
+        None,
+        "devtable",
+        404,
+    ),
+    (
+        BuildTrigger,
+        "DELETE",
+        {"repository": "buynlarge/orgrepo", "trigger_uuid": "D6TI"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        BuildTrigger,
+        "DELETE",
+        {"repository": "buynlarge/orgrepo", "trigger_uuid": "D6TI"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        BuildTrigger,
+        "GET",
+        {"repository": "buynlarge/orgrepo", "trigger_uuid": "D6TI"},
+        None,
+        None,
+        401,
+    ),
+    (
+        BuildTrigger,
+        "GET",
+        {"repository": "buynlarge/orgrepo", "trigger_uuid": "D6TI"},
+        None,
+        "devtable",
+        404,
+    ),
+    (
+        BuildTrigger,
+        "GET",
+        {"repository": "buynlarge/orgrepo", "trigger_uuid": "D6TI"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        BuildTrigger,
+        "GET",
+        {"repository": "buynlarge/orgrepo", "trigger_uuid": "D6TI"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        RepositoryNotification,
+        "DELETE",
+        {"uuid": "QFAT", "repository": "public/publicrepo"},
+        None,
+        None,
+        401,
+    ),
+    (
+        RepositoryNotification,
+        "DELETE",
+        {"uuid": "QFAT", "repository": "public/publicrepo"},
+        None,
+        "devtable",
+        403,
+    ),
+    (
+        RepositoryNotification,
+        "DELETE",
+        {"uuid": "QFAT", "repository": "public/publicrepo"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryNotification,
+        "DELETE",
+        {"uuid": "QFAT", "repository": "public/publicrepo"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        RepositoryNotification,
+        "GET",
+        {"uuid": "QFAT", "repository": "public/publicrepo"},
+        None,
+        None,
+        401,
+    ),
+    (
+        RepositoryNotification,
+        "GET",
+        {"uuid": "QFAT", "repository": "public/publicrepo"},
+        None,
+        "devtable",
+        403,
+    ),
+    (
+        RepositoryNotification,
+        "GET",
+        {"uuid": "QFAT", "repository": "public/publicrepo"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryNotification,
+        "GET",
+        {"uuid": "QFAT", "repository": "public/publicrepo"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        RepositoryNotification,
+        "DELETE",
+        {"uuid": "QFAT", "repository": "devtable/shared"},
+        None,
+        None,
+        401,
+    ),
+    (
+        RepositoryNotification,
+        "DELETE",
+        {"uuid": "QFAT", "repository": "devtable/shared"},
+        None,
+        "devtable",
+        400,
+    ),
+    (
+        RepositoryNotification,
+        "DELETE",
+        {"uuid": "QFAT", "repository": "devtable/shared"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryNotification,
+        "DELETE",
+        {"uuid": "QFAT", "repository": "devtable/shared"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        RepositoryNotification,
+        "GET",
+        {"uuid": "QFAT", "repository": "devtable/shared"},
+        None,
+        None,
+        401,
+    ),
+    (
+        RepositoryNotification,
+        "GET",
+        {"uuid": "QFAT", "repository": "devtable/shared"},
+        None,
+        "devtable",
+        404,
+    ),
+    (
+        RepositoryNotification,
+        "GET",
+        {"uuid": "QFAT", "repository": "devtable/shared"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryNotification,
+        "GET",
+        {"uuid": "QFAT", "repository": "devtable/shared"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        RepositoryNotification,
+        "DELETE",
+        {"uuid": "QFAT", "repository": "buynlarge/orgrepo"},
+        None,
+        None,
+        401,
+    ),
+    (
+        RepositoryNotification,
+        "DELETE",
+        {"uuid": "QFAT", "repository": "buynlarge/orgrepo"},
+        None,
+        "devtable",
+        400,
+    ),
+    (
+        RepositoryNotification,
+        "DELETE",
+        {"uuid": "QFAT", "repository": "buynlarge/orgrepo"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryNotification,
+        "DELETE",
+        {"uuid": "QFAT", "repository": "buynlarge/orgrepo"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        RepositoryNotification,
+        "GET",
+        {"uuid": "QFAT", "repository": "buynlarge/orgrepo"},
+        None,
+        None,
+        401,
+    ),
+    (
+        RepositoryNotification,
+        "GET",
+        {"uuid": "QFAT", "repository": "buynlarge/orgrepo"},
+        None,
+        "devtable",
+        404,
+    ),
+    (
+        RepositoryNotification,
+        "GET",
+        {"uuid": "QFAT", "repository": "buynlarge/orgrepo"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryNotification,
+        "GET",
+        {"uuid": "QFAT", "repository": "buynlarge/orgrepo"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        RepositoryToken,
+        "DELETE",
+        {"code": "UJQB", "repository": "public/publicrepo"},
+        None,
+        None,
+        401,
+    ),
+    (
+        RepositoryToken,
+        "DELETE",
+        {"code": "UJQB", "repository": "public/publicrepo"},
+        None,
+        "devtable",
+        403,
+    ),
+    (
+        RepositoryToken,
+        "DELETE",
+        {"code": "UJQB", "repository": "public/publicrepo"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryToken,
+        "DELETE",
+        {"code": "UJQB", "repository": "public/publicrepo"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        RepositoryToken,
+        "GET",
+        {"code": "UJQB", "repository": "public/publicrepo"},
+        None,
+        None,
+        401,
+    ),
+    (
+        RepositoryToken,
+        "GET",
+        {"code": "UJQB", "repository": "public/publicrepo"},
+        None,
+        "devtable",
+        403,
+    ),
+    (
+        RepositoryToken,
+        "GET",
+        {"code": "UJQB", "repository": "public/publicrepo"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryToken,
+        "GET",
+        {"code": "UJQB", "repository": "public/publicrepo"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        RepositoryToken,
+        "PUT",
+        {"code": "UJQB", "repository": "public/publicrepo"},
+        {u"role": u"read"},
+        None,
+        401,
+    ),
+    (
+        RepositoryToken,
+        "PUT",
+        {"code": "UJQB", "repository": "public/publicrepo"},
+        {u"role": u"read"},
+        "devtable",
+        403,
+    ),
+    (
+        RepositoryToken,
+        "PUT",
+        {"code": "UJQB", "repository": "public/publicrepo"},
+        {u"role": u"read"},
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryToken,
+        "PUT",
+        {"code": "UJQB", "repository": "public/publicrepo"},
+        {u"role": u"read"},
+        "reader",
+        403,
+    ),
+    (
+        RepositoryToken,
+        "DELETE",
+        {"code": "UJQB", "repository": "devtable/shared"},
+        None,
+        None,
+        401,
+    ),
+    (
+        RepositoryToken,
+        "DELETE",
+        {"code": "UJQB", "repository": "devtable/shared"},
+        None,
+        "devtable",
+        410,
+    ),
+    (
+        RepositoryToken,
+        "DELETE",
+        {"code": "UJQB", "repository": "devtable/shared"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryToken,
+        "DELETE",
+        {"code": "UJQB", "repository": "devtable/shared"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        RepositoryToken,
+        "GET",
+        {"code": "UJQB", "repository": "devtable/shared"},
+        None,
+        None,
+        401,
+    ),
+    (
+        RepositoryToken,
+        "GET",
+        {"code": "UJQB", "repository": "devtable/shared"},
+        None,
+        "devtable",
+        410,
+    ),
+    (
+        RepositoryToken,
+        "GET",
+        {"code": "UJQB", "repository": "devtable/shared"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryToken,
+        "GET",
+        {"code": "UJQB", "repository": "devtable/shared"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        RepositoryToken,
+        "PUT",
+        {"code": "UJQB", "repository": "devtable/shared"},
+        {u"role": u"read"},
+        None,
+        401,
+    ),
+    (
+        RepositoryToken,
+        "PUT",
+        {"code": "UJQB", "repository": "devtable/shared"},
+        {u"role": u"read"},
+        "devtable",
+        410,
+    ),
+    (
+        RepositoryToken,
+        "PUT",
+        {"code": "UJQB", "repository": "devtable/shared"},
+        {u"role": u"read"},
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryToken,
+        "PUT",
+        {"code": "UJQB", "repository": "devtable/shared"},
+        {u"role": u"read"},
+        "reader",
+        403,
+    ),
+    (
+        RepositoryToken,
+        "DELETE",
+        {"code": "UJQB", "repository": "buynlarge/orgrepo"},
+        None,
+        None,
+        401,
+    ),
+    (
+        RepositoryToken,
+        "DELETE",
+        {"code": "UJQB", "repository": "buynlarge/orgrepo"},
+        None,
+        "devtable",
+        410,
+    ),
+    (
+        RepositoryToken,
+        "DELETE",
+        {"code": "UJQB", "repository": "buynlarge/orgrepo"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryToken,
+        "DELETE",
+        {"code": "UJQB", "repository": "buynlarge/orgrepo"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        RepositoryToken,
+        "GET",
+        {"code": "UJQB", "repository": "buynlarge/orgrepo"},
+        None,
+        None,
+        401,
+    ),
+    (
+        RepositoryToken,
+        "GET",
+        {"code": "UJQB", "repository": "buynlarge/orgrepo"},
+        None,
+        "devtable",
+        410,
+    ),
+    (
+        RepositoryToken,
+        "GET",
+        {"code": "UJQB", "repository": "buynlarge/orgrepo"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryToken,
+        "GET",
+        {"code": "UJQB", "repository": "buynlarge/orgrepo"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        RepositoryToken,
+        "PUT",
+        {"code": "UJQB", "repository": "buynlarge/orgrepo"},
+        {u"role": u"read"},
+        None,
+        401,
+    ),
+    (
+        RepositoryToken,
+        "PUT",
+        {"code": "UJQB", "repository": "buynlarge/orgrepo"},
+        {u"role": u"read"},
+        "devtable",
+        410,
+    ),
+    (
+        RepositoryToken,
+        "PUT",
+        {"code": "UJQB", "repository": "buynlarge/orgrepo"},
+        {u"role": u"read"},
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryToken,
+        "PUT",
+        {"code": "UJQB", "repository": "buynlarge/orgrepo"},
+        {u"role": u"read"},
+        "reader",
+        403,
+    ),
+    (
+        RepositoryImage,
+        "GET",
+        {"image_id": "5AVQ", "repository": "public/publicrepo"},
+        None,
+        None,
+        404,
+    ),
+    (
+        RepositoryImage,
+        "GET",
+        {"image_id": "5AVQ", "repository": "public/publicrepo"},
+        None,
+        "devtable",
+        404,
+    ),
+    (
+        RepositoryImage,
+        "GET",
+        {"image_id": "5AVQ", "repository": "public/publicrepo"},
+        None,
+        "freshuser",
+        404,
+    ),
+    (
+        RepositoryImage,
+        "GET",
+        {"image_id": "5AVQ", "repository": "public/publicrepo"},
+        None,
+        "reader",
+        404,
+    ),
+    (
+        RepositoryImage,
+        "GET",
+        {"image_id": "5AVQ", "repository": "devtable/shared"},
+        None,
+        None,
+        401,
+    ),
+    (
+        RepositoryImage,
+        "GET",
+        {"image_id": "5AVQ", "repository": "devtable/shared"},
+        None,
+        "devtable",
+        404,
+    ),
+    (
+        RepositoryImage,
+        "GET",
+        {"image_id": "5AVQ", "repository": "devtable/shared"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryImage,
+        "GET",
+        {"image_id": "5AVQ", "repository": "devtable/shared"},
+        None,
+        "reader",
+        404,
+    ),
+    (
+        RepositoryImage,
+        "GET",
+        {"image_id": "5AVQ", "repository": "buynlarge/orgrepo"},
+        None,
+        None,
+        401,
+    ),
+    (
+        RepositoryImage,
+        "GET",
+        {"image_id": "5AVQ", "repository": "buynlarge/orgrepo"},
+        None,
+        "devtable",
+        404,
+    ),
+    (
+        RepositoryImage,
+        "GET",
+        {"image_id": "5AVQ", "repository": "buynlarge/orgrepo"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryImage,
+        "GET",
+        {"image_id": "5AVQ", "repository": "buynlarge/orgrepo"},
+        None,
+        "reader",
+        404,
+    ),
+    (
+        RestoreTag,
+        "POST",
+        {"tag": "HP8R", "repository": "public/publicrepo"},
+        {u"image": "WXNG"},
+        None,
+        401,
+    ),
+    (
+        RestoreTag,
+        "POST",
+        {"tag": "HP8R", "repository": "public/publicrepo"},
+        {u"image": "WXNG"},
+        "devtable",
+        403,
+    ),
+    (
+        RestoreTag,
+        "POST",
+        {"tag": "HP8R", "repository": "public/publicrepo"},
+        {u"image": "WXNG"},
+        "freshuser",
+        403,
+    ),
+    (
+        RestoreTag,
+        "POST",
+        {"tag": "HP8R", "repository": "public/publicrepo"},
+        {u"image": "WXNG"},
+        "reader",
+        403,
+    ),
+    (
+        RestoreTag,
+        "POST",
+        {"tag": "HP8R", "repository": "devtable/shared"},
+        {u"image": "WXNG"},
+        None,
+        401,
+    ),
+    (
+        RestoreTag,
+        "POST",
+        {"tag": "HP8R", "repository": "devtable/shared"},
+        {u"image": "WXNG"},
+        "devtable",
+        404,
+    ),
+    (
+        RestoreTag,
+        "POST",
+        {"tag": "HP8R", "repository": "devtable/shared"},
+        {u"image": "WXNG"},
+        "freshuser",
+        403,
+    ),
+    (
+        RestoreTag,
+        "POST",
+        {"tag": "HP8R", "repository": "devtable/shared"},
+        {u"image": "WXNG"},
+        "reader",
+        403,
+    ),
+    (
+        RestoreTag,
+        "POST",
+        {"tag": "HP8R", "repository": "buynlarge/orgrepo"},
+        {u"image": "WXNG"},
+        None,
+        401,
+    ),
+    (
+        RestoreTag,
+        "POST",
+        {"tag": "HP8R", "repository": "buynlarge/orgrepo"},
+        {u"image": "WXNG"},
+        "devtable",
+        404,
+    ),
+    (
+        RestoreTag,
+        "POST",
+        {"tag": "HP8R", "repository": "buynlarge/orgrepo"},
+        {u"image": "WXNG"},
+        "freshuser",
+        403,
+    ),
+    (
+        RestoreTag,
+        "POST",
+        {"tag": "HP8R", "repository": "buynlarge/orgrepo"},
+        {u"image": "WXNG"},
+        "reader",
+        403,
+    ),
+    (
+        RepositoryTag,
+        "DELETE",
+        {"tag": "HP8R", "repository": "public/publicrepo"},
+        None,
+        None,
+        401,
+    ),
+    (
+        RepositoryTag,
+        "DELETE",
+        {"tag": "HP8R", "repository": "public/publicrepo"},
+        None,
+        "devtable",
+        403,
+    ),
+    (
+        RepositoryTag,
+        "DELETE",
+        {"tag": "HP8R", "repository": "public/publicrepo"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryTag,
+        "DELETE",
+        {"tag": "HP8R", "repository": "public/publicrepo"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        RepositoryTag,
+        "PUT",
+        {"tag": "HP8R", "repository": "public/publicrepo"},
+        {u"image": "WXNG"},
+        None,
+        401,
+    ),
+    (
+        RepositoryTag,
+        "PUT",
+        {"tag": "HP8R", "repository": "public/publicrepo"},
+        {u"image": "WXNG"},
+        "devtable",
+        403,
+    ),
+    (
+        RepositoryTag,
+        "PUT",
+        {"tag": "HP8R", "repository": "public/publicrepo"},
+        {u"image": "WXNG"},
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryTag,
+        "PUT",
+        {"tag": "HP8R", "repository": "public/publicrepo"},
+        {u"image": "WXNG"},
+        "reader",
+        403,
+    ),
+    (
+        RepositoryTag,
+        "DELETE",
+        {"tag": "HP8R", "repository": "devtable/shared"},
+        None,
+        None,
+        401,
+    ),
+    (
+        RepositoryTag,
+        "DELETE",
+        {"tag": "HP8R", "repository": "devtable/shared"},
+        None,
+        "devtable",
+        400,
+    ),
+    (
+        RepositoryTag,
+        "DELETE",
+        {"tag": "HP8R", "repository": "devtable/shared"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryTag,
+        "DELETE",
+        {"tag": "HP8R", "repository": "devtable/shared"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        RepositoryTag,
+        "PUT",
+        {"tag": "HP8R", "repository": "devtable/shared"},
+        {u"image": "WXNG"},
+        None,
+        401,
+    ),
+    (
+        RepositoryTag,
+        "PUT",
+        {"tag": "HP8R", "repository": "devtable/shared"},
+        {u"image": "WXNG"},
+        "devtable",
+        404,
+    ),
+    (
+        RepositoryTag,
+        "PUT",
+        {"tag": "HP8R", "repository": "devtable/shared"},
+        {u"image": "WXNG"},
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryTag,
+        "PUT",
+        {"tag": "HP8R", "repository": "devtable/shared"},
+        {u"image": "WXNG"},
+        "reader",
+        403,
+    ),
+    (
+        RepositoryTag,
+        "DELETE",
+        {"tag": "HP8R", "repository": "buynlarge/orgrepo"},
+        None,
+        None,
+        401,
+    ),
+    (
+        RepositoryTag,
+        "DELETE",
+        {"tag": "HP8R", "repository": "buynlarge/orgrepo"},
+        None,
+        "devtable",
+        400,
+    ),
+    (
+        RepositoryTag,
+        "DELETE",
+        {"tag": "HP8R", "repository": "buynlarge/orgrepo"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryTag,
+        "DELETE",
+        {"tag": "HP8R", "repository": "buynlarge/orgrepo"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        RepositoryTag,
+        "PUT",
+        {"tag": "HP8R", "repository": "buynlarge/orgrepo"},
+        {u"image": "WXNG"},
+        None,
+        401,
+    ),
+    (
+        RepositoryTag,
+        "PUT",
+        {"tag": "HP8R", "repository": "buynlarge/orgrepo"},
+        {u"image": "WXNG"},
+        "devtable",
+        404,
+    ),
+    (
+        RepositoryTag,
+        "PUT",
+        {"tag": "HP8R", "repository": "buynlarge/orgrepo"},
+        {u"image": "WXNG"},
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryTag,
+        "PUT",
+        {"tag": "HP8R", "repository": "buynlarge/orgrepo"},
+        {u"image": "WXNG"},
+        "reader",
+        403,
+    ),
+    (PermissionPrototypeList, "GET", {"orgname": "buynlarge"}, None, None, 401),
+    (PermissionPrototypeList, "GET", {"orgname": "buynlarge"}, None, "devtable", 200),
+    (PermissionPrototypeList, "GET", {"orgname": "buynlarge"}, None, "freshuser", 403),
+    (PermissionPrototypeList, "GET", {"orgname": "buynlarge"}, None, "reader", 403),
+    (
+        PermissionPrototypeList,
+        "POST",
+        {"orgname": "buynlarge"},
+        {u"role": u"read", u"delegate": {u"kind": u"user", u"name": "7DGP"}},
+        None,
+        401,
+    ),
+    (
+        PermissionPrototypeList,
+        "POST",
+        {"orgname": "buynlarge"},
+        {u"role": u"read", u"delegate": {u"kind": u"user", u"name": "7DGP"}},
+        "devtable",
+        400,
+    ),
+    (
+        PermissionPrototypeList,
+        "POST",
+        {"orgname": "buynlarge"},
+        {u"role": u"read", u"delegate": {u"kind": u"user", u"name": "7DGP"}},
+        "freshuser",
+        403,
+    ),
+    (
+        PermissionPrototypeList,
+        "POST",
+        {"orgname": "buynlarge"},
+        {u"role": u"read", u"delegate": {u"kind": u"user", u"name": "7DGP"}},
+        "reader",
+        403,
+    ),
+    (OrganizationInvoiceList, "GET", {"orgname": "buynlarge"}, None, None, 401),
+    (OrganizationInvoiceList, "GET", {"orgname": "buynlarge"}, None, "devtable", 200),
+    (OrganizationInvoiceList, "GET", {"orgname": "buynlarge"}, None, "freshuser", 403),
+    (OrganizationInvoiceList, "GET", {"orgname": "buynlarge"}, None, "reader", 403),
+    (OrgPrivateRepositories, "GET", {"orgname": "buynlarge"}, None, None, 401),
+    (OrgPrivateRepositories, "GET", {"orgname": "buynlarge"}, None, "devtable", 200),
+    (OrgPrivateRepositories, "GET", {"orgname": "buynlarge"}, None, "freshuser", 403),
+    (OrgPrivateRepositories, "GET", {"orgname": "buynlarge"}, None, "reader", 403),
+    (OrganizationMemberList, "GET", {"orgname": "buynlarge"}, None, None, 401),
+    (OrganizationMemberList, "GET", {"orgname": "buynlarge"}, None, "devtable", 200),
+    (OrganizationMemberList, "GET", {"orgname": "buynlarge"}, None, "freshuser", 403),
+    (OrganizationMemberList, "GET", {"orgname": "buynlarge"}, None, "reader", 403),
+    (OrgRobotList, "GET", {"orgname": "buynlarge"}, None, None, 401),
+    (OrgRobotList, "GET", {"orgname": "buynlarge"}, None, "devtable", 200),
+    (OrgRobotList, "GET", {"orgname": "buynlarge"}, None, "freshuser", 403),
+    (OrgRobotList, "GET", {"orgname": "buynlarge"}, None, "reader", 200),
+    (OrganizationCard, "GET", {"orgname": "buynlarge"}, None, None, 401),
+    (OrganizationCard, "GET", {"orgname": "buynlarge"}, None, "devtable", 200),
+    (OrganizationCard, "GET", {"orgname": "buynlarge"}, None, "freshuser", 403),
+    (OrganizationCard, "GET", {"orgname": "buynlarge"}, None, "reader", 403),
+    (OrganizationCard, "POST", {"orgname": "buynlarge"}, {u"token": "4VFR"}, None, 401),
+    (
+        OrganizationCard,
+        "POST",
+        {"orgname": "buynlarge"},
+        {u"token": "4VFR"},
+        "freshuser",
+        403,
+    ),
+    (
+        OrganizationCard,
+        "POST",
+        {"orgname": "buynlarge"},
+        {u"token": "4VFR"},
+        "reader",
+        403,
+    ),
+    (OrganizationPlan, "GET", {"orgname": "buynlarge"}, None, None, 401),
+    (OrganizationPlan, "GET", {"orgname": "buynlarge"}, None, "devtable", 200),
+    (OrganizationPlan, "GET", {"orgname": "buynlarge"}, None, "freshuser", 403),
+    (OrganizationPlan, "GET", {"orgname": "buynlarge"}, None, "reader", 403),
+    (OrganizationPlan, "PUT", {"orgname": "buynlarge"}, {u"plan": "WWEI"}, None, 401),
+    (
+        OrganizationPlan,
+        "PUT",
+        {"orgname": "buynlarge"},
+        {u"plan": "WWEI"},
+        "freshuser",
+        403,
+    ),
+    (
+        OrganizationPlan,
+        "PUT",
+        {"orgname": "buynlarge"},
+        {u"plan": "WWEI"},
+        "reader",
+        403,
+    ),
+    (OrgLogs, "GET", {"orgname": "buynlarge"}, None, None, 401),
+    (OrgLogs, "GET", {"orgname": "buynlarge"}, None, "devtable", 200),
+    (OrgLogs, "GET", {"orgname": "buynlarge"}, None, "freshuser", 403),
+    (OrgLogs, "GET", {"orgname": "buynlarge"}, None, "reader", 403),
+    (
+        RepositoryVisibility,
+        "POST",
+        {"repository": "public/publicrepo"},
+        {u"visibility": u"public"},
+        None,
+        401,
+    ),
+    (
+        RepositoryVisibility,
+        "POST",
+        {"repository": "public/publicrepo"},
+        {u"visibility": u"public"},
+        "devtable",
+        403,
+    ),
+    (
+        RepositoryVisibility,
+        "POST",
+        {"repository": "public/publicrepo"},
+        {u"visibility": u"public"},
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryVisibility,
+        "POST",
+        {"repository": "public/publicrepo"},
+        {u"visibility": u"public"},
+        "reader",
+        403,
+    ),
+    (
+        RepositoryVisibility,
+        "POST",
+        {"repository": "devtable/shared"},
+        {u"visibility": u"public"},
+        None,
+        401,
+    ),
+    (
+        RepositoryVisibility,
+        "POST",
+        {"repository": "devtable/shared"},
+        {u"visibility": u"public"},
+        "devtable",
+        200,
+    ),
+    (
+        RepositoryVisibility,
+        "POST",
+        {"repository": "devtable/shared"},
+        {u"visibility": u"public"},
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryVisibility,
+        "POST",
+        {"repository": "devtable/shared"},
+        {u"visibility": u"public"},
+        "reader",
+        403,
+    ),
+    (
+        RepositoryVisibility,
+        "POST",
+        {"repository": "buynlarge/orgrepo"},
+        {u"visibility": u"public"},
+        None,
+        401,
+    ),
+    (
+        RepositoryVisibility,
+        "POST",
+        {"repository": "buynlarge/orgrepo"},
+        {u"visibility": u"public"},
+        "devtable",
+        200,
+    ),
+    (
+        RepositoryVisibility,
+        "POST",
+        {"repository": "buynlarge/orgrepo"},
+        {u"visibility": u"public"},
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryVisibility,
+        "POST",
+        {"repository": "buynlarge/orgrepo"},
+        {u"visibility": u"public"},
+        "reader",
+        403,
+    ),
+    (BuildTriggerList, "GET", {"repository": "public/publicrepo"}, None, None, 401),
+    (
+        BuildTriggerList,
+        "GET",
+        {"repository": "public/publicrepo"},
+        None,
+        "devtable",
+        403,
+    ),
+    (
+        BuildTriggerList,
+        "GET",
+        {"repository": "public/publicrepo"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (BuildTriggerList, "GET", {"repository": "public/publicrepo"}, None, "reader", 403),
+    (BuildTriggerList, "GET", {"repository": "devtable/shared"}, None, None, 401),
+    (BuildTriggerList, "GET", {"repository": "devtable/shared"}, None, "devtable", 200),
+    (
+        BuildTriggerList,
+        "GET",
+        {"repository": "devtable/shared"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (BuildTriggerList, "GET", {"repository": "devtable/shared"}, None, "reader", 403),
+    (BuildTriggerList, "GET", {"repository": "buynlarge/orgrepo"}, None, None, 401),
+    (
+        BuildTriggerList,
+        "GET",
+        {"repository": "buynlarge/orgrepo"},
+        None,
+        "devtable",
+        200,
+    ),
+    (
+        BuildTriggerList,
+        "GET",
+        {"repository": "buynlarge/orgrepo"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (BuildTriggerList, "GET", {"repository": "buynlarge/orgrepo"}, None, "reader", 403),
+    (
+        RepositoryNotificationList,
+        "GET",
+        {"repository": "public/publicrepo"},
+        None,
+        None,
+        401,
+    ),
+    (
+        RepositoryNotificationList,
+        "GET",
+        {"repository": "public/publicrepo"},
+        None,
+        "devtable",
+        403,
+    ),
+    (
+        RepositoryNotificationList,
+        "GET",
+        {"repository": "public/publicrepo"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryNotificationList,
+        "GET",
+        {"repository": "public/publicrepo"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        RepositoryNotificationList,
+        "POST",
+        {"repository": "public/publicrepo"},
+        {},
+        None,
+        401,
+    ),
+    (
+        RepositoryNotificationList,
+        "POST",
+        {"repository": "public/publicrepo"},
+        {},
+        "devtable",
+        403,
+    ),
+    (
+        RepositoryNotificationList,
+        "POST",
+        {"repository": "public/publicrepo"},
+        {},
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryNotificationList,
+        "POST",
+        {"repository": "public/publicrepo"},
+        {},
+        "reader",
+        403,
+    ),
+    (
+        RepositoryNotificationList,
+        "GET",
+        {"repository": "devtable/shared"},
+        None,
+        None,
+        401,
+    ),
+    (
+        RepositoryNotificationList,
+        "GET",
+        {"repository": "devtable/shared"},
+        None,
+        "devtable",
+        200,
+    ),
+    (
+        RepositoryNotificationList,
+        "GET",
+        {"repository": "devtable/shared"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryNotificationList,
+        "GET",
+        {"repository": "devtable/shared"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        RepositoryNotificationList,
+        "POST",
+        {"repository": "devtable/shared"},
+        {},
+        None,
+        401,
+    ),
+    (
+        RepositoryNotificationList,
+        "POST",
+        {"repository": "devtable/shared"},
+        {"config": {"email": "a@b.com"}, "event": "repo_push", "method": "email"},
+        "devtable",
+        400,
+    ),
+    (
+        RepositoryNotificationList,
+        "POST",
+        {"repository": "devtable/shared"},
+        {},
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryNotificationList,
+        "POST",
+        {"repository": "devtable/shared"},
+        {},
+        "reader",
+        403,
+    ),
+    (
+        RepositoryNotificationList,
+        "GET",
+        {"repository": "buynlarge/orgrepo"},
+        None,
+        None,
+        401,
+    ),
+    (
+        RepositoryNotificationList,
+        "GET",
+        {"repository": "buynlarge/orgrepo"},
+        None,
+        "devtable",
+        200,
+    ),
+    (
+        RepositoryNotificationList,
+        "GET",
+        {"repository": "buynlarge/orgrepo"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryNotificationList,
+        "GET",
+        {"repository": "buynlarge/orgrepo"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        RepositoryNotificationList,
+        "POST",
+        {"repository": "buynlarge/orgrepo"},
+        {},
+        None,
+        401,
+    ),
+    (
+        RepositoryNotificationList,
+        "POST",
+        {"repository": "buynlarge/orgrepo"},
+        {"config": {"email": "a@b.com"}, "event": "repo_push", "method": "email"},
+        "devtable",
+        400,
+    ),
+    (
+        RepositoryNotificationList,
+        "POST",
+        {"repository": "buynlarge/orgrepo"},
+        {},
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryNotificationList,
+        "POST",
+        {"repository": "buynlarge/orgrepo"},
+        {},
+        "reader",
+        403,
+    ),
+    (
+        RepositoryAuthorizedEmail,
+        "GET",
+        {"email": "jschorr@devtable.com", "repository": "public/publicrepo"},
+        None,
+        None,
+        401,
+    ),
+    (
+        RepositoryAuthorizedEmail,
+        "GET",
+        {"email": "jschorr@devtable.com", "repository": "public/publicrepo"},
+        None,
+        "devtable",
+        403,
+    ),
+    (
+        RepositoryAuthorizedEmail,
+        "GET",
+        {"email": "jschorr@devtable.com", "repository": "public/publicrepo"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryAuthorizedEmail,
+        "GET",
+        {"email": "jschorr@devtable.com", "repository": "public/publicrepo"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        RepositoryAuthorizedEmail,
+        "POST",
+        {"email": "jschorr@devtable.com", "repository": "public/publicrepo"},
+        {},
+        None,
+        401,
+    ),
+    (
+        RepositoryAuthorizedEmail,
+        "POST",
+        {"email": "jschorr@devtable.com", "repository": "public/publicrepo"},
+        {},
+        "devtable",
+        403,
+    ),
+    (
+        RepositoryAuthorizedEmail,
+        "POST",
+        {"email": "jschorr@devtable.com", "repository": "public/publicrepo"},
+        {},
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryAuthorizedEmail,
+        "POST",
+        {"email": "jschorr@devtable.com", "repository": "public/publicrepo"},
+        {},
+        "reader",
+        403,
+    ),
+    (
+        RepositoryAuthorizedEmail,
+        "GET",
+        {"email": "jschorr@devtable.com", "repository": "devtable/shared"},
+        None,
+        None,
+        401,
+    ),
+    (
+        RepositoryAuthorizedEmail,
+        "GET",
+        {"email": "jschorr@devtable.com", "repository": "devtable/shared"},
+        None,
+        "devtable",
+        404,
+    ),
+    (
+        RepositoryAuthorizedEmail,
+        "GET",
+        {"email": "jschorr@devtable.com", "repository": "devtable/shared"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryAuthorizedEmail,
+        "GET",
+        {"email": "jschorr@devtable.com", "repository": "devtable/shared"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        RepositoryAuthorizedEmail,
+        "POST",
+        {"email": "jschorr@devtable.com", "repository": "devtable/shared"},
+        {},
+        None,
+        401,
+    ),
+    (
+        RepositoryAuthorizedEmail,
+        "POST",
+        {"email": "jschorr@devtable.com", "repository": "devtable/shared"},
+        {},
+        "devtable",
+        200,
+    ),
+    (
+        RepositoryAuthorizedEmail,
+        "POST",
+        {"email": "jschorr@devtable.com", "repository": "devtable/shared"},
+        {},
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryAuthorizedEmail,
+        "POST",
+        {"email": "jschorr@devtable.com", "repository": "devtable/shared"},
+        {},
+        "reader",
+        403,
+    ),
+    (
+        RepositoryAuthorizedEmail,
+        "GET",
+        {"email": "jschorr@devtable.com", "repository": "buynlarge/orgrepo"},
+        None,
+        None,
+        401,
+    ),
+    (
+        RepositoryAuthorizedEmail,
+        "GET",
+        {"email": "jschorr@devtable.com", "repository": "buynlarge/orgrepo"},
+        None,
+        "devtable",
+        404,
+    ),
+    (
+        RepositoryAuthorizedEmail,
+        "GET",
+        {"email": "jschorr@devtable.com", "repository": "buynlarge/orgrepo"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryAuthorizedEmail,
+        "GET",
+        {"email": "jschorr@devtable.com", "repository": "buynlarge/orgrepo"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        RepositoryAuthorizedEmail,
+        "POST",
+        {"email": "jschorr@devtable.com", "repository": "buynlarge/orgrepo"},
+        {},
+        None,
+        401,
+    ),
+    (
+        RepositoryAuthorizedEmail,
+        "POST",
+        {"email": "jschorr@devtable.com", "repository": "buynlarge/orgrepo"},
+        {},
+        "devtable",
+        200,
+    ),
+    (
+        RepositoryAuthorizedEmail,
+        "POST",
+        {"email": "jschorr@devtable.com", "repository": "buynlarge/orgrepo"},
+        {},
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryAuthorizedEmail,
+        "POST",
+        {"email": "jschorr@devtable.com", "repository": "buynlarge/orgrepo"},
+        {},
+        "reader",
+        403,
+    ),
+    (RepositoryTokenList, "GET", {"repository": "public/publicrepo"}, None, None, 401),
+    (
+        RepositoryTokenList,
+        "GET",
+        {"repository": "public/publicrepo"},
+        None,
+        "devtable",
+        403,
+    ),
+    (
+        RepositoryTokenList,
+        "GET",
+        {"repository": "public/publicrepo"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryTokenList,
+        "GET",
+        {"repository": "public/publicrepo"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        RepositoryTokenList,
+        "POST",
+        {"repository": "public/publicrepo"},
+        {u"friendlyName": "R1CN"},
+        None,
+        401,
+    ),
+    (
+        RepositoryTokenList,
+        "POST",
+        {"repository": "public/publicrepo"},
+        {u"friendlyName": "R1CN"},
+        "devtable",
+        403,
+    ),
+    (
+        RepositoryTokenList,
+        "POST",
+        {"repository": "public/publicrepo"},
+        {u"friendlyName": "R1CN"},
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryTokenList,
+        "POST",
+        {"repository": "public/publicrepo"},
+        {u"friendlyName": "R1CN"},
+        "reader",
+        403,
+    ),
+    (RepositoryTokenList, "GET", {"repository": "devtable/shared"}, None, None, 401),
+    (
+        RepositoryTokenList,
+        "GET",
+        {"repository": "devtable/shared"},
+        None,
+        "devtable",
+        410,
+    ),
+    (
+        RepositoryTokenList,
+        "GET",
+        {"repository": "devtable/shared"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryTokenList,
+        "GET",
+        {"repository": "devtable/shared"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        RepositoryTokenList,
+        "POST",
+        {"repository": "devtable/shared"},
+        {u"friendlyName": "R1CN"},
+        None,
+        401,
+    ),
+    (
+        RepositoryTokenList,
+        "POST",
+        {"repository": "devtable/shared"},
+        {u"friendlyName": "R1CN"},
+        "devtable",
+        410,
+    ),
+    (
+        RepositoryTokenList,
+        "POST",
+        {"repository": "devtable/shared"},
+        {u"friendlyName": "R1CN"},
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryTokenList,
+        "POST",
+        {"repository": "devtable/shared"},
+        {u"friendlyName": "R1CN"},
+        "reader",
+        403,
+    ),
+    (RepositoryTokenList, "GET", {"repository": "buynlarge/orgrepo"}, None, None, 401),
+    (
+        RepositoryTokenList,
+        "GET",
+        {"repository": "buynlarge/orgrepo"},
+        None,
+        "devtable",
+        410,
+    ),
+    (
+        RepositoryTokenList,
+        "GET",
+        {"repository": "buynlarge/orgrepo"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryTokenList,
+        "GET",
+        {"repository": "buynlarge/orgrepo"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        RepositoryTokenList,
+        "POST",
+        {"repository": "buynlarge/orgrepo"},
+        {u"friendlyName": "R1CN"},
+        None,
+        401,
+    ),
+    (
+        RepositoryTokenList,
+        "POST",
+        {"repository": "buynlarge/orgrepo"},
+        {u"friendlyName": "R1CN"},
+        "devtable",
+        410,
+    ),
+    (
+        RepositoryTokenList,
+        "POST",
+        {"repository": "buynlarge/orgrepo"},
+        {u"friendlyName": "R1CN"},
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryTokenList,
+        "POST",
+        {"repository": "buynlarge/orgrepo"},
+        {u"friendlyName": "R1CN"},
+        "reader",
+        403,
+    ),
+    (RepositoryBuildList, "GET", {"repository": "public/publicrepo"}, None, None, 200),
+    (
+        RepositoryBuildList,
+        "GET",
+        {"repository": "public/publicrepo"},
+        None,
+        "devtable",
+        200,
+    ),
+    (
+        RepositoryBuildList,
+        "GET",
+        {"repository": "public/publicrepo"},
+        None,
+        "freshuser",
+        200,
+    ),
+    (
+        RepositoryBuildList,
+        "GET",
+        {"repository": "public/publicrepo"},
+        None,
+        "reader",
+        200,
+    ),
+    (
+        RepositoryBuildList,
+        "POST",
+        {"repository": "public/publicrepo"},
+        {u"file_id": "UX7K"},
+        None,
+        401,
+    ),
+    (
+        RepositoryBuildList,
+        "POST",
+        {"repository": "public/publicrepo"},
+        {u"file_id": "UX7K"},
+        "devtable",
+        403,
+    ),
+    (
+        RepositoryBuildList,
+        "POST",
+        {"repository": "public/publicrepo"},
+        {u"file_id": "UX7K"},
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryBuildList,
+        "POST",
+        {"repository": "public/publicrepo"},
+        {u"file_id": "UX7K"},
+        "reader",
+        403,
+    ),
+    (RepositoryBuildList, "GET", {"repository": "devtable/shared"}, None, None, 401),
+    (
+        RepositoryBuildList,
+        "GET",
+        {"repository": "devtable/shared"},
+        None,
+        "devtable",
+        200,
+    ),
+    (
+        RepositoryBuildList,
+        "GET",
+        {"repository": "devtable/shared"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryBuildList,
+        "GET",
+        {"repository": "devtable/shared"},
+        None,
+        "reader",
+        200,
+    ),
+    (
+        RepositoryBuildList,
+        "POST",
+        {"repository": "devtable/shared"},
+        {u"file_id": "UX7K"},
+        None,
+        401,
+    ),
+    (
+        RepositoryBuildList,
+        "POST",
+        {"repository": "devtable/shared"},
+        {u"file_id": "UX7K"},
+        "devtable",
+        201,
+    ),
+    (
+        RepositoryBuildList,
+        "POST",
+        {"repository": "devtable/shared"},
+        {u"file_id": "UX7K"},
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryBuildList,
+        "POST",
+        {"repository": "devtable/shared"},
+        {u"file_id": "UX7K"},
+        "reader",
+        403,
+    ),
+    (RepositoryBuildList, "GET", {"repository": "buynlarge/orgrepo"}, None, None, 401),
+    (
+        RepositoryBuildList,
+        "GET",
+        {"repository": "buynlarge/orgrepo"},
+        None,
+        "devtable",
+        200,
+    ),
+    (
+        RepositoryBuildList,
+        "GET",
+        {"repository": "buynlarge/orgrepo"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryBuildList,
+        "GET",
+        {"repository": "buynlarge/orgrepo"},
+        None,
+        "reader",
+        200,
+    ),
+    (
+        RepositoryBuildList,
+        "POST",
+        {"repository": "buynlarge/orgrepo"},
+        {u"file_id": "UX7K"},
+        None,
+        401,
+    ),
+    (
+        RepositoryBuildList,
+        "POST",
+        {"repository": "buynlarge/orgrepo"},
+        {u"file_id": "UX7K"},
+        "devtable",
+        201,
+    ),
+    (
+        RepositoryBuildList,
+        "POST",
+        {"repository": "buynlarge/orgrepo"},
+        {u"file_id": "UX7K"},
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryBuildList,
+        "POST",
+        {"repository": "buynlarge/orgrepo"},
+        {u"file_id": "UX7K"},
+        "reader",
+        403,
+    ),
+    (RepositoryImageList, "GET", {"repository": "public/publicrepo"}, None, None, 200),
+    (
+        RepositoryImageList,
+        "GET",
+        {"repository": "public/publicrepo"},
+        None,
+        "devtable",
+        200,
+    ),
+    (
+        RepositoryImageList,
+        "GET",
+        {"repository": "public/publicrepo"},
+        None,
+        "freshuser",
+        200,
+    ),
+    (
+        RepositoryImageList,
+        "GET",
+        {"repository": "public/publicrepo"},
+        None,
+        "reader",
+        200,
+    ),
+    (RepositoryImageList, "GET", {"repository": "devtable/shared"}, None, None, 401),
+    (
+        RepositoryImageList,
+        "GET",
+        {"repository": "devtable/shared"},
+        None,
+        "devtable",
+        200,
+    ),
+    (
+        RepositoryImageList,
+        "GET",
+        {"repository": "devtable/shared"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryImageList,
+        "GET",
+        {"repository": "devtable/shared"},
+        None,
+        "reader",
+        200,
+    ),
+    (RepositoryImageList, "GET", {"repository": "buynlarge/orgrepo"}, None, None, 401),
+    (
+        RepositoryImageList,
+        "GET",
+        {"repository": "buynlarge/orgrepo"},
+        None,
+        "devtable",
+        200,
+    ),
+    (
+        RepositoryImageList,
+        "GET",
+        {"repository": "buynlarge/orgrepo"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryImageList,
+        "GET",
+        {"repository": "buynlarge/orgrepo"},
+        None,
+        "reader",
+        200,
+    ),
+    (RepositoryLogs, "GET", {"repository": "public/publicrepo"}, None, None, 401),
+    (RepositoryLogs, "GET", {"repository": "public/publicrepo"}, None, "devtable", 403),
+    (
+        RepositoryLogs,
+        "GET",
+        {"repository": "public/publicrepo"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (RepositoryLogs, "GET", {"repository": "public/publicrepo"}, None, "reader", 403),
+    (RepositoryLogs, "GET", {"repository": "devtable/shared"}, None, None, 401),
+    (RepositoryLogs, "GET", {"repository": "devtable/shared"}, None, "devtable", 200),
+    (RepositoryLogs, "GET", {"repository": "devtable/shared"}, None, "freshuser", 403),
+    (RepositoryLogs, "GET", {"repository": "devtable/shared"}, None, "reader", 403),
+    (RepositoryLogs, "GET", {"repository": "buynlarge/orgrepo"}, None, None, 401),
+    (RepositoryLogs, "GET", {"repository": "buynlarge/orgrepo"}, None, "devtable", 200),
+    (
+        RepositoryLogs,
+        "GET",
+        {"repository": "buynlarge/orgrepo"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (RepositoryLogs, "GET", {"repository": "buynlarge/orgrepo"}, None, "reader", 403),
+    (UserRobot, "DELETE", {"robot_shortname": "robotname"}, None, None, 401),
+    (UserRobot, "DELETE", {"robot_shortname": "robotname"}, None, "devtable", 400),
+    (UserRobot, "DELETE", {"robot_shortname": "robotname"}, None, "freshuser", 400),
+    (UserRobot, "DELETE", {"robot_shortname": "robotname"}, None, "reader", 400),
+    (UserRobot, "GET", {"robot_shortname": "robotname"}, None, None, 401),
+    (UserRobot, "GET", {"robot_shortname": "robotname"}, None, "devtable", 400),
+    (UserRobot, "GET", {"robot_shortname": "robotname"}, None, "freshuser", 400),
+    (UserRobot, "GET", {"robot_shortname": "robotname"}, None, "reader", 400),
+    (UserRobot, "PUT", {"robot_shortname": "robotname"}, {}, None, 401),
+    (UserRobot, "PUT", {"robot_shortname": "robotname"}, {}, "devtable", 201),
+    (UserRobot, "PUT", {"robot_shortname": "robotname"}, {}, "freshuser", 201),
+    (UserRobot, "PUT", {"robot_shortname": "robotname"}, {}, "reader", 201),
+    (RegenerateUserRobot, "POST", {"robot_shortname": "robotname"}, None, None, 401),
+    (
+        RegenerateUserRobot,
+        "POST",
+        {"robot_shortname": "robotname"},
+        None,
+        "devtable",
+        400,
+    ),
+    (
+        RegenerateUserRobot,
+        "POST",
+        {"robot_shortname": "robotname"},
+        None,
+        "freshuser",
+        400,
+    ),
+    (
+        RegenerateUserRobot,
+        "POST",
+        {"robot_shortname": "robotname"},
+        None,
+        "reader",
+        400,
+    ),
+    (
+        RegenerateOrgRobot,
+        "POST",
+        {"orgname": "buynlarge", "robot_shortname": "robotname"},
+        None,
+        None,
+        401,
+    ),
+    (
+        RegenerateOrgRobot,
+        "POST",
+        {"orgname": "buynlarge", "robot_shortname": "robotname"},
+        None,
+        "devtable",
+        400,
+    ),
+    (
+        RegenerateOrgRobot,
+        "POST",
+        {"orgname": "buynlarge", "robot_shortname": "robotname"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RegenerateOrgRobot,
+        "POST",
+        {"orgname": "buynlarge", "robot_shortname": "robotname"},
+        None,
+        "reader",
+        403,
+    ),
+    (UserRobotPermissions, "GET", {"robot_shortname": "robotname"}, None, None, 401),
+    (
+        UserRobotPermissions,
+        "GET",
+        {"robot_shortname": "robotname"},
+        None,
+        "devtable",
+        400,
+    ),
+    (
+        UserRobotPermissions,
+        "GET",
+        {"robot_shortname": "robotname"},
+        None,
+        "freshuser",
+        400,
+    ),
+    (
+        UserRobotPermissions,
+        "GET",
+        {"robot_shortname": "robotname"},
+        None,
+        "reader",
+        400,
+    ),
+    (
+        OrgRobotPermissions,
+        "GET",
+        {"orgname": "buynlarge", "robot_shortname": "robotname"},
+        None,
+        None,
+        401,
+    ),
+    (
+        OrgRobotPermissions,
+        "GET",
+        {"orgname": "buynlarge", "robot_shortname": "robotname"},
+        None,
+        "devtable",
+        400,
+    ),
+    (
+        OrgRobotPermissions,
+        "GET",
+        {"orgname": "buynlarge", "robot_shortname": "robotname"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        OrgRobotPermissions,
+        "GET",
+        {"orgname": "buynlarge", "robot_shortname": "robotname"},
+        None,
+        "reader",
+        403,
+    ),
+    (Organization, "DELETE", {"orgname": "buynlarge"}, {}, None, 401),
+    (Organization, "DELETE", {"orgname": "buynlarge"}, {}, "devtable", 204),
+    (Organization, "DELETE", {"orgname": "buynlarge"}, {}, "freshuser", 403),
+    (Organization, "DELETE", {"orgname": "buynlarge"}, {}, "reader", 403),
+    (Organization, "GET", {"orgname": "buynlarge"}, None, None, 200),
+    (Organization, "GET", {"orgname": "buynlarge"}, None, "devtable", 200),
+    (Organization, "GET", {"orgname": "buynlarge"}, None, "freshuser", 200),
+    (Organization, "GET", {"orgname": "buynlarge"}, None, "reader", 200),
+    (Organization, "PUT", {"orgname": "buynlarge"}, {}, None, 401),
+    (Organization, "PUT", {"orgname": "buynlarge"}, {}, "devtable", 200),
+    (Organization, "PUT", {"orgname": "buynlarge"}, {}, "freshuser", 403),
+    (Organization, "PUT", {"orgname": "buynlarge"}, {}, "reader", 403),
+    (Repository, "DELETE", {"repository": "public/publicrepo"}, None, None, 401),
+    (Repository, "DELETE", {"repository": "public/publicrepo"}, None, "devtable", 403),
+    (Repository, "DELETE", {"repository": "public/publicrepo"}, None, "freshuser", 403),
+    (Repository, "DELETE", {"repository": "public/publicrepo"}, None, "reader", 403),
+    (Repository, "GET", {"repository": "public/publicrepo"}, None, None, 200),
+    (Repository, "GET", {"repository": "public/publicrepo"}, None, "devtable", 200),
+    (Repository, "GET", {"repository": "public/publicrepo"}, None, "freshuser", 200),
+    (Repository, "GET", {"repository": "public/publicrepo"}, None, "reader", 200),
+    (
+        Repository,
+        "PUT",
+        {"repository": "public/publicrepo"},
+        {u"description": "WXNG"},
+        None,
+        401,
+    ),
+    (
+        Repository,
+        "PUT",
+        {"repository": "public/publicrepo"},
+        {u"description": "WXNG"},
+        "devtable",
+        403,
+    ),
+    (
+        Repository,
+        "PUT",
+        {"repository": "public/publicrepo"},
+        {u"description": "WXNG"},
+        "freshuser",
+        403,
+    ),
+    (
+        Repository,
+        "PUT",
+        {"repository": "public/publicrepo"},
+        {u"description": "WXNG"},
+        "reader",
+        403,
+    ),
+    (Repository, "DELETE", {"repository": "devtable/shared"}, None, None, 401),
+    (Repository, "DELETE", {"repository": "devtable/shared"}, None, "devtable", 204),
+    (Repository, "DELETE", {"repository": "devtable/shared"}, None, "freshuser", 403),
+    (Repository, "DELETE", {"repository": "devtable/shared"}, None, "reader", 403),
+    (Repository, "GET", {"repository": "devtable/shared"}, None, None, 401),
+    (Repository, "GET", {"repository": "devtable/shared"}, None, "devtable", 200),
+    (Repository, "GET", {"repository": "devtable/shared"}, None, "freshuser", 403),
+    (Repository, "GET", {"repository": "devtable/shared"}, None, "reader", 200),
+    (
+        Repository,
+        "PUT",
+        {"repository": "devtable/shared"},
+        {u"description": "WXNG"},
+        None,
+        401,
+    ),
+    (
+        Repository,
+        "PUT",
+        {"repository": "devtable/shared"},
+        {u"description": "WXNG"},
+        "devtable",
+        200,
+    ),
+    (
+        Repository,
+        "PUT",
+        {"repository": "devtable/shared"},
+        {u"description": "WXNG"},
+        "freshuser",
+        403,
+    ),
+    (
+        Repository,
+        "PUT",
+        {"repository": "devtable/shared"},
+        {u"description": "WXNG"},
+        "reader",
+        403,
+    ),
+    (Repository, "DELETE", {"repository": "buynlarge/orgrepo"}, None, None, 401),
+    (Repository, "DELETE", {"repository": "buynlarge/orgrepo"}, None, "devtable", 204),
+    (Repository, "DELETE", {"repository": "buynlarge/orgrepo"}, None, "freshuser", 403),
+    (Repository, "DELETE", {"repository": "buynlarge/orgrepo"}, None, "reader", 403),
+    (Repository, "GET", {"repository": "buynlarge/orgrepo"}, None, None, 401),
+    (Repository, "GET", {"repository": "buynlarge/orgrepo"}, None, "devtable", 200),
+    (Repository, "GET", {"repository": "buynlarge/orgrepo"}, None, "freshuser", 403),
+    (Repository, "GET", {"repository": "buynlarge/orgrepo"}, None, "reader", 200),
+    (
+        Repository,
+        "PUT",
+        {"repository": "buynlarge/orgrepo"},
+        {u"description": "WXNG"},
+        None,
+        401,
+    ),
+    (
+        Repository,
+        "PUT",
+        {"repository": "buynlarge/orgrepo"},
+        {u"description": "WXNG"},
+        "devtable",
+        200,
+    ),
+    (
+        Repository,
+        "PUT",
+        {"repository": "buynlarge/orgrepo"},
+        {u"description": "WXNG"},
+        "freshuser",
+        403,
+    ),
+    (
+        Repository,
+        "PUT",
+        {"repository": "buynlarge/orgrepo"},
+        {u"description": "WXNG"},
+        "reader",
+        403,
+    ),
+    (EntitySearch, "GET", {"prefix": "R9NZ"}, None, None, 200),
+    (EntitySearch, "GET", {"prefix": "R9NZ"}, None, "devtable", 200),
+    (EntitySearch, "GET", {"prefix": "R9NZ"}, None, "freshuser", 200),
+    (EntitySearch, "GET", {"prefix": "R9NZ"}, None, "reader", 200),
+    (ApplicationInformation, "GET", {"client_id": "3LGI"}, None, None, 404),
+    (ApplicationInformation, "GET", {"client_id": "3LGI"}, None, "devtable", 404),
+    (ApplicationInformation, "GET", {"client_id": "3LGI"}, None, "freshuser", 404),
+    (ApplicationInformation, "GET", {"client_id": "3LGI"}, None, "reader", 404),
+    (OrganizationApplications, "GET", {"orgname": "buynlarge"}, None, None, 401),
+    (OrganizationApplications, "GET", {"orgname": "buynlarge"}, None, "devtable", 200),
+    (OrganizationApplications, "GET", {"orgname": "buynlarge"}, None, "freshuser", 403),
+    (OrganizationApplications, "GET", {"orgname": "buynlarge"}, None, "reader", 403),
+    (
+        OrganizationApplications,
+        "POST",
+        {"orgname": "buynlarge"},
+        {u"name": "foo"},
+        None,
+        401,
+    ),
+    (
+        OrganizationApplications,
+        "POST",
+        {"orgname": "buynlarge"},
+        {u"name": "foo"},
+        "devtable",
+        200,
+    ),
+    (
+        OrganizationApplications,
+        "POST",
+        {"orgname": "buynlarge"},
+        {u"name": "foo"},
+        "freshuser",
+        403,
+    ),
+    (
+        OrganizationApplications,
+        "POST",
+        {"orgname": "buynlarge"},
+        {u"name": "foo"},
+        "reader",
+        403,
+    ),
+    (
+        OrganizationApplicationResource,
+        "DELETE",
+        {"orgname": "buynlarge", "client_id": "deadbeef"},
+        None,
+        None,
+        401,
+    ),
+    (
+        OrganizationApplicationResource,
+        "DELETE",
+        {"orgname": "buynlarge", "client_id": "deadbeef"},
+        None,
+        "devtable",
+        204,
+    ),
+    (
+        OrganizationApplicationResource,
+        "DELETE",
+        {"orgname": "buynlarge", "client_id": "deadbeef"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        OrganizationApplicationResource,
+        "DELETE",
+        {"orgname": "buynlarge", "client_id": "deadbeef"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        OrganizationApplicationResource,
+        "GET",
+        {"orgname": "buynlarge", "client_id": "deadbeef"},
+        None,
+        None,
+        401,
+    ),
+    (
+        OrganizationApplicationResource,
+        "GET",
+        {"orgname": "buynlarge", "client_id": "deadbeef"},
+        None,
+        "devtable",
+        200,
+    ),
+    (
+        OrganizationApplicationResource,
+        "GET",
+        {"orgname": "buynlarge", "client_id": "deadbeef"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        OrganizationApplicationResource,
+        "GET",
+        {"orgname": "buynlarge", "client_id": "deadbeef"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        OrganizationApplicationResource,
+        "PUT",
+        {"orgname": "buynlarge", "client_id": "deadbeef"},
+        {u"redirect_uri": "foo", u"name": "foo", u"application_uri": "foo"},
+        None,
+        401,
+    ),
+    (
+        OrganizationApplicationResource,
+        "PUT",
+        {"orgname": "buynlarge", "client_id": "deadbeef"},
+        {u"redirect_uri": "foo", u"name": "foo", u"application_uri": "foo"},
+        "devtable",
+        200,
+    ),
+    (
+        OrganizationApplicationResource,
+        "PUT",
+        {"orgname": "buynlarge", "client_id": "deadbeef"},
+        {u"redirect_uri": "foo", u"name": "foo", u"application_uri": "foo"},
+        "freshuser",
+        403,
+    ),
+    (
+        OrganizationApplicationResource,
+        "PUT",
+        {"orgname": "buynlarge", "client_id": "deadbeef"},
+        {u"redirect_uri": "foo", u"name": "foo", u"application_uri": "foo"},
+        "reader",
+        403,
+    ),
+    (
+        OrganizationApplicationResetClientSecret,
+        "POST",
+        {"orgname": "buynlarge", "client_id": "deadbeef"},
+        None,
+        None,
+        401,
+    ),
+    (
+        OrganizationApplicationResetClientSecret,
+        "POST",
+        {"orgname": "buynlarge", "client_id": "deadbeef"},
+        None,
+        "devtable",
+        200,
+    ),
+    (
+        OrganizationApplicationResetClientSecret,
+        "POST",
+        {"orgname": "buynlarge", "client_id": "deadbeef"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        OrganizationApplicationResetClientSecret,
+        "POST",
+        {"orgname": "buynlarge", "client_id": "deadbeef"},
+        None,
+        "reader",
+        403,
+    ),
+    (Users, "GET", {"username": "devtable"}, None, None, 200),
+    (UserNotificationList, "GET", None, None, None, 401),
+    (UserNotificationList, "GET", None, None, "devtable", 200),
+    (UserNotificationList, "GET", None, None, "freshuser", 200),
+    (UserNotificationList, "GET", None, None, "reader", 200),
+    (UserAuthorizationList, "GET", None, None, None, 401),
+    (UserAuthorizationList, "GET", None, None, "devtable", 200),
+    (UserAuthorizationList, "GET", None, None, "freshuser", 200),
+    (UserAuthorizationList, "GET", None, None, "reader", 200),
+    (UserAuthorization, "DELETE", {"access_token_uuid": "fake"}, None, None, 401),
+    (UserAuthorization, "DELETE", {"access_token_uuid": "fake"}, None, "devtable", 404),
+    (
+        UserAuthorization,
+        "DELETE",
+        {"access_token_uuid": "fake"},
+        None,
+        "freshuser",
+        404,
+    ),
+    (UserAuthorization, "DELETE", {"access_token_uuid": "fake"}, None, "reader", 404),
+    (UserAuthorization, "GET", {"access_token_uuid": "fake"}, None, None, 401),
+    (UserAuthorization, "GET", {"access_token_uuid": "fake"}, None, "devtable", 404),
+    (UserAuthorization, "GET", {"access_token_uuid": "fake"}, None, "freshuser", 404),
+    (UserAuthorization, "GET", {"access_token_uuid": "fake"}, None, "reader", 404),
+    (UserAggregateLogs, "GET", None, None, None, 401),
+    (UserAggregateLogs, "GET", None, None, "devtable", 200),
+    (UserAggregateLogs, "GET", None, None, "freshuser", 200),
+    (UserAggregateLogs, "GET", None, None, "reader", 200),
+    (OrgAggregateLogs, "GET", {"orgname": "buynlarge"}, None, None, 401),
+    (OrgAggregateLogs, "GET", {"orgname": "buynlarge"}, None, "devtable", 200),
+    (OrgAggregateLogs, "GET", {"orgname": "buynlarge"}, None, "freshuser", 403),
+    (OrgAggregateLogs, "GET", {"orgname": "buynlarge"}, None, "reader", 403),
+    (
+        RepositoryAggregateLogs,
+        "GET",
+        {"repository": "devtable/simple"},
+        None,
+        None,
+        401,
+    ),
+    (
+        RepositoryAggregateLogs,
+        "GET",
+        {"repository": "devtable/simple"},
+        None,
+        "devtable",
+        200,
+    ),
+    (
+        RepositoryAggregateLogs,
+        "GET",
+        {"repository": "devtable/simple"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryAggregateLogs,
+        "GET",
+        {"repository": "devtable/simple"},
+        None,
+        "reader",
+        403,
+    ),
+    (ExportUserLogs, "POST", None, EXPORTLOGS_PARAMS, None, 401),
+    (ExportUserLogs, "POST", None, EXPORTLOGS_PARAMS, "devtable", 200),
+    (ExportUserLogs, "POST", None, EXPORTLOGS_PARAMS, "freshuser", 200),
+    (ExportUserLogs, "POST", None, EXPORTLOGS_PARAMS, "reader", 200),
+    (ExportOrgLogs, "POST", {"orgname": "buynlarge"}, EXPORTLOGS_PARAMS, None, 401),
+    (
+        ExportOrgLogs,
+        "POST",
+        {"orgname": "buynlarge"},
+        EXPORTLOGS_PARAMS,
+        "devtable",
+        200,
+    ),
+    (
+        ExportOrgLogs,
+        "POST",
+        {"orgname": "buynlarge"},
+        EXPORTLOGS_PARAMS,
+        "freshuser",
+        403,
+    ),
+    (ExportOrgLogs, "POST", {"orgname": "buynlarge"}, EXPORTLOGS_PARAMS, "reader", 403),
+    (
+        ExportRepositoryLogs,
+        "POST",
+        {"repository": "devtable/simple"},
+        EXPORTLOGS_PARAMS,
+        None,
+        401,
+    ),
+    (
+        ExportRepositoryLogs,
+        "POST",
+        {"repository": "devtable/simple"},
+        EXPORTLOGS_PARAMS,
+        "devtable",
+        200,
+    ),
+    (
+        ExportRepositoryLogs,
+        "POST",
+        {"repository": "devtable/simple"},
+        EXPORTLOGS_PARAMS,
+        "freshuser",
+        403,
+    ),
+    (
+        ExportRepositoryLogs,
+        "POST",
+        {"repository": "devtable/simple"},
+        EXPORTLOGS_PARAMS,
+        "reader",
+        403,
+    ),
+    (SuperUserAggregateLogs, "GET", None, None, None, 401),
+    (SuperUserAggregateLogs, "GET", None, None, "devtable", 200),
+    (SuperUserAggregateLogs, "GET", None, None, "freshuser", 403),
+    (SuperUserAggregateLogs, "GET", None, None, "reader", 403),
+    (SuperUserLogs, "GET", None, None, None, 401),
+    (SuperUserLogs, "GET", None, None, "devtable", 200),
+    (SuperUserLogs, "GET", None, None, "freshuser", 403),
+    (SuperUserLogs, "GET", None, None, "reader", 403),
+    (SuperUserSendRecoveryEmail, "POST", {"username": "someuser"}, None, None, 401),
+    (
+        SuperUserSendRecoveryEmail,
+        "POST",
+        {"username": "someuser"},
+        None,
+        "devtable",
+        404,
+    ),
+    (
+        SuperUserSendRecoveryEmail,
+        "POST",
+        {"username": "someuser"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (SuperUserSendRecoveryEmail, "POST", {"username": "someuser"}, None, "reader", 403),
+    (SuperUserTakeOwnership, "POST", {"namespace": "invalidnamespace"}, {}, None, 401),
+    (
+        SuperUserTakeOwnership,
+        "POST",
+        {"namespace": "invalidnamespace"},
+        {},
+        "devtable",
+        404,
+    ),
+    (
+        SuperUserTakeOwnership,
+        "POST",
+        {"namespace": "invalidnamespace"},
+        {},
+        "freshuser",
+        403,
+    ),
+    (
+        SuperUserTakeOwnership,
+        "POST",
+        {"namespace": "invalidnamespace"},
+        {},
+        "reader",
+        403,
+    ),
+    (SuperUserServiceKeyApproval, "POST", {"kid": 1234}, {}, None, 401),
+    (SuperUserServiceKeyApproval, "POST", {"kid": 1234}, {}, "devtable", 404),
+    (SuperUserServiceKeyApproval, "POST", {"kid": 1234}, {}, "freshuser", 403),
+    (SuperUserServiceKeyApproval, "POST", {"kid": 1234}, {}, "reader", 403),
+    (SuperUserServiceKeyManagement, "GET", None, None, None, 401),
+    (SuperUserServiceKeyManagement, "GET", None, None, "devtable", 200),
+    (SuperUserServiceKeyManagement, "GET", None, None, "freshuser", 403),
+    (SuperUserServiceKeyManagement, "GET", None, None, "reader", 403),
+    (
+        SuperUserServiceKeyManagement,
+        "POST",
+        None,
+        {"expiration": None, "service": "someservice"},
+        None,
+        401,
+    ),
+    (
+        SuperUserServiceKeyManagement,
+        "POST",
+        None,
+        {"expiration": None, "service": "someservice"},
+        "devtable",
+        200,
+    ),
+    (
+        SuperUserServiceKeyManagement,
+        "POST",
+        None,
+        {"expiration": None, "service": "someservice"},
+        "freshuser",
+        403,
+    ),
+    (
+        SuperUserServiceKeyManagement,
+        "POST",
+        None,
+        {"expiration": None, "service": "someservice"},
+        "reader",
+        403,
+    ),
+    (SuperUserServiceKey, "DELETE", {"kid": 1234}, None, None, 401),
+    (SuperUserServiceKey, "DELETE", {"kid": 1234}, None, "devtable", 404),
+    (SuperUserServiceKey, "DELETE", {"kid": 1234}, None, "freshuser", 403),
+    (SuperUserServiceKey, "DELETE", {"kid": 1234}, None, "reader", 403),
+    (SuperUserServiceKey, "GET", {"kid": 1234}, None, None, 401),
+    (SuperUserServiceKey, "GET", {"kid": 1234}, None, "devtable", 404),
+    (SuperUserServiceKey, "GET", {"kid": 1234}, None, "freshuser", 403),
+    (SuperUserServiceKey, "GET", {"kid": 1234}, None, "reader", 403),
+    (SuperUserServiceKey, "PUT", {"kid": 1234}, {}, None, 401),
+    (SuperUserServiceKey, "PUT", {"kid": 1234}, {}, "devtable", 404),
+    (SuperUserServiceKey, "PUT", {"kid": 1234}, {}, "freshuser", 403),
+    (SuperUserServiceKey, "PUT", {"kid": 1234}, {}, "reader", 403),
+    (TeamMemberInvite, "DELETE", {"code": "foobarbaz"}, None, None, 401),
+    (TeamMemberInvite, "DELETE", {"code": "foobarbaz"}, None, "devtable", 400),
+    (TeamMemberInvite, "DELETE", {"code": "foobarbaz"}, None, "freshuser", 400),
+    (TeamMemberInvite, "DELETE", {"code": "foobarbaz"}, None, "reader", 400),
+    (TeamMemberInvite, "PUT", {"code": "foobarbaz"}, None, None, 401),
+    (TeamMemberInvite, "PUT", {"code": "foobarbaz"}, None, "devtable", 400),
+    (TeamMemberInvite, "PUT", {"code": "foobarbaz"}, None, "freshuser", 400),
+    (TeamMemberInvite, "PUT", {"code": "foobarbaz"}, None, "reader", 400),
+    (ConductSearch, "GET", None, None, None, 200),
+    (ConductSearch, "GET", None, None, "devtable", 200),
+    (ChangeLog, "GET", None, None, None, 401),
+    (ChangeLog, "GET", None, None, "devtable", 200),
+    (ChangeLog, "GET", None, None, "freshuser", 403),
+    (ChangeLog, "GET", None, None, "reader", 403),
+    (SuperUserOrganizationList, "GET", None, None, None, 401),
+    (SuperUserOrganizationList, "GET", None, None, "devtable", 200),
+    (SuperUserOrganizationList, "GET", None, None, "freshuser", 403),
+    (SuperUserOrganizationList, "GET", None, None, "reader", 403),
+    (SuperUserOrganizationManagement, "DELETE", {"name": "buynlarge"}, None, None, 401),
+    (
+        SuperUserOrganizationManagement,
+        "DELETE",
+        {"name": "buynlarge"},
+        None,
+        "devtable",
+        204,
+    ),
+    (
+        SuperUserOrganizationManagement,
+        "DELETE",
+        {"name": "buynlarge"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        SuperUserOrganizationManagement,
+        "DELETE",
+        {"name": "buynlarge"},
+        None,
+        "reader",
+        403,
+    ),
+    (SuperUserOrganizationManagement, "PUT", {"name": "buynlarge"}, {}, None, 401),
+    (
+        SuperUserOrganizationManagement,
+        "PUT",
+        {"name": "buynlarge"},
+        {},
+        "devtable",
+        200,
+    ),
+    (
+        SuperUserOrganizationManagement,
+        "PUT",
+        {"name": "buynlarge"},
+        {},
+        "freshuser",
+        403,
+    ),
+    (SuperUserOrganizationManagement, "PUT", {"name": "buynlarge"}, {}, "reader", 403),
+    (SuperUserList, "GET", None, None, None, 401),
+    (SuperUserList, "GET", None, None, "devtable", 200),
+    (SuperUserList, "GET", None, None, "freshuser", 403),
+    (SuperUserList, "GET", None, None, "reader", 403),
+    (SuperUserList, "POST", None, {"username": "foo"}, None, 401),
+    (SuperUserList, "POST", None, {"username": "foo"}, "devtable", 400),
+    (SuperUserList, "POST", None, {"username": "foo"}, "freshuser", 403),
+    (SuperUserList, "POST", None, {"username": "foo"}, "reader", 403),
+    (SuperUserManagement, "DELETE", {"username": "freshuser"}, None, None, 401),
+    (SuperUserManagement, "DELETE", {"username": "freshuser"}, None, "devtable", 204),
+    (SuperUserManagement, "DELETE", {"username": "freshuser"}, None, "freshuser", 403),
+    (SuperUserManagement, "DELETE", {"username": "freshuser"}, None, "reader", 403),
+    (SuperUserManagement, "GET", {"username": "freshuser"}, None, None, 401),
+    (SuperUserManagement, "GET", {"username": "freshuser"}, None, "devtable", 200),
+    (SuperUserManagement, "GET", {"username": "freshuser"}, None, "freshuser", 403),
+    (SuperUserManagement, "GET", {"username": "freshuser"}, None, "reader", 403),
+    (SuperUserManagement, "PUT", {"username": "freshuser"}, {}, None, 401),
+    (SuperUserManagement, "PUT", {"username": "freshuser"}, {}, "devtable", 200),
+    (SuperUserManagement, "PUT", {"username": "freshuser"}, {}, "freshuser", 403),
+    (SuperUserManagement, "PUT", {"username": "freshuser"}, {}, "reader", 403),
+    (GlobalUserMessages, "GET", None, None, None, 200),
+    (GlobalUserMessages, "POST", None, None, None, 401),
+    (
+        GlobalUserMessages,
+        "POST",
+        None,
+        {"message": {"content": "msg", "media_type": "text/plain", "severity": "info"}},
+        "devtable",
+        201,
+    ),
+    (
+        GlobalUserMessages,
+        "POST",
+        None,
+        {"message": {"content": "msg", "media_type": "text/plain", "severity": "info"}},
+        "freshuser",
+        403,
+    ),
+    (
+        GlobalUserMessages,
+        "POST",
+        None,
+        {"message": {"content": "msg", "media_type": "text/plain", "severity": "info"}},
+        "reader",
+        403,
+    ),
+    (GlobalUserMessage, "DELETE", {"uuid": "1234"}, None, None, 401),
+    (GlobalUserMessage, "DELETE", {"uuid": "1234"}, None, "devtable", 204),
+    (GlobalUserMessage, "DELETE", {"uuid": "1234"}, None, "freshuser", 403),
+    (GlobalUserMessage, "DELETE", {"uuid": "1234"}, None, "reader", 403),
+    (UserInvoiceFieldList, "GET", None, None, None, 401),
+    (UserInvoiceFieldList, "GET", None, None, "devtable", 200),
+    (UserInvoiceFieldList, "GET", None, None, "freshuser", 404),
+    (UserInvoiceFieldList, "GET", None, None, "reader", 404),
+    (UserInvoiceFieldList, "POST", None, None, None, 401),
+    (
+        UserInvoiceFieldList,
+        "POST",
+        None,
+        {"value": "bar", "title": "foo"},
+        "devtable",
+        200,
+    ),
+    (
+        UserInvoiceFieldList,
+        "POST",
+        None,
+        {"value": "bar", "title": "foo"},
+        "freshuser",
+        404,
+    ),
+    (
+        UserInvoiceFieldList,
+        "POST",
+        None,
+        {"value": "bar", "title": "foo"},
+        "reader",
+        404,
+    ),
+    (UserInvoiceField, "DELETE", {"field_uuid": "1234"}, None, None, 401),
+    (UserInvoiceField, "DELETE", {"field_uuid": "1234"}, None, "devtable", 201),
+    (UserInvoiceField, "DELETE", {"field_uuid": "1234"}, None, "freshuser", 404),
+    (UserInvoiceField, "DELETE", {"field_uuid": "1234"}, None, "reader", 404),
+    (OrganizationInvoiceFieldList, "GET", {"orgname": "buynlarge"}, None, None, 403),
+    (
+        OrganizationInvoiceFieldList,
+        "GET",
+        {"orgname": "buynlarge"},
+        None,
+        "devtable",
+        200,
+    ),
+    (
+        OrganizationInvoiceFieldList,
+        "GET",
+        {"orgname": "buynlarge"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        OrganizationInvoiceFieldList,
+        "GET",
+        {"orgname": "buynlarge"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        OrganizationInvoiceFieldList,
+        "POST",
+        {"orgname": "buynlarge"},
+        {"value": "bar", "title": "foo"},
+        None,
+        403,
+    ),
+    (
+        OrganizationInvoiceFieldList,
+        "POST",
+        {"orgname": "buynlarge"},
+        {"value": "bar", "title": "foo"},
+        "devtable",
+        200,
+    ),
+    (
+        OrganizationInvoiceFieldList,
+        "POST",
+        {"orgname": "buynlarge"},
+        {"value": "bar", "title": "foo"},
+        "freshuser",
+        403,
+    ),
+    (
+        OrganizationInvoiceFieldList,
+        "POST",
+        {"orgname": "buynlarge"},
+        {"value": "bar", "title": "foo"},
+        "reader",
+        403,
+    ),
+    (
+        OrganizationInvoiceField,
+        "DELETE",
+        {"orgname": "buynlarge", "field_uuid": "1234"},
+        None,
+        None,
+        403,
+    ),
+    (
+        OrganizationInvoiceField,
+        "DELETE",
+        {"orgname": "buynlarge", "field_uuid": "1234"},
+        None,
+        "devtable",
+        201,
+    ),
+    (
+        OrganizationInvoiceField,
+        "DELETE",
+        {"orgname": "buynlarge", "field_uuid": "1234"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        OrganizationInvoiceField,
+        "DELETE",
+        {"orgname": "buynlarge", "field_uuid": "1234"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        RepositoryImageSecurity,
+        "GET",
+        {"repository": "devtable/simple", "imageid": "fake"},
+        None,
+        None,
+        401,
+    ),
+    (
+        RepositoryImageSecurity,
+        "GET",
+        {"repository": "devtable/simple", "imageid": "fake"},
+        None,
+        "devtable",
+        404,
+    ),
+    (
+        RepositoryImageSecurity,
+        "GET",
+        {"repository": "devtable/simple", "imageid": "fake"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryImageSecurity,
+        "GET",
+        {"repository": "devtable/simple", "imageid": "fake"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        RepositoryManifestSecurity,
+        "GET",
+        {"manifestref": "sha256:abcd", "repository": "devtable/simple"},
+        None,
+        None,
+        401,
+    ),
+    (
+        RepositoryManifestSecurity,
+        "GET",
+        {"manifestref": "sha256:abcd", "repository": "devtable/simple"},
+        None,
+        "devtable",
+        404,
+    ),
+    (
+        RepositoryManifestSecurity,
+        "GET",
+        {"manifestref": "sha256:abcd", "repository": "devtable/simple"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryManifestSecurity,
+        "GET",
+        {"manifestref": "sha256:abcd", "repository": "devtable/simple"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        RepositoryManifestLabels,
+        "GET",
+        {"manifestref": "sha256:abcd", "repository": "devtable/simple"},
+        None,
+        None,
+        401,
+    ),
+    (
+        RepositoryManifestLabels,
+        "GET",
+        {"manifestref": "sha256:abcd", "repository": "devtable/simple"},
+        None,
+        "devtable",
+        404,
+    ),
+    (
+        RepositoryManifestLabels,
+        "GET",
+        {"manifestref": "sha256:abcd", "repository": "devtable/simple"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryManifestLabels,
+        "GET",
+        {"manifestref": "sha256:abcd", "repository": "devtable/simple"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        RepositoryManifestLabels,
+        "POST",
+        {"manifestref": "sha256:abcd", "repository": "devtable/simple"},
+        {"media_type": "text/plain", "value": "bar", "key": "foo"},
+        None,
+        401,
+    ),
+    (
+        RepositoryManifestLabels,
+        "POST",
+        {"manifestref": "sha256:abcd", "repository": "devtable/simple"},
+        {"media_type": "text/plain", "value": "bar", "key": "foo"},
+        "devtable",
+        404,
+    ),
+    (
+        RepositoryManifestLabels,
+        "POST",
+        {"manifestref": "sha256:abcd", "repository": "devtable/simple"},
+        {"media_type": "text/plain", "value": "bar", "key": "foo"},
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryManifestLabels,
+        "POST",
+        {"manifestref": "sha256:abcd", "repository": "devtable/simple"},
+        {"media_type": "text/plain", "value": "bar", "key": "foo"},
+        "reader",
+        403,
+    ),
+    (
+        ManageRepositoryManifestLabel,
+        "GET",
+        {
+            "labelid": "someid",
+            "manifestref": "sha256:abcd",
+            "repository": "devtable/simple",
+        },
+        None,
+        None,
+        401,
+    ),
+    (
+        ManageRepositoryManifestLabel,
+        "GET",
+        {
+            "labelid": "someid",
+            "manifestref": "sha256:abcd",
+            "repository": "devtable/simple",
+        },
+        None,
+        "devtable",
+        404,
+    ),
+    (
+        ManageRepositoryManifestLabel,
+        "GET",
+        {
+            "labelid": "someid",
+            "manifestref": "sha256:abcd",
+            "repository": "devtable/simple",
+        },
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        ManageRepositoryManifestLabel,
+        "GET",
+        {
+            "labelid": "someid",
+            "manifestref": "sha256:abcd",
+            "repository": "devtable/simple",
+        },
+        None,
+        "reader",
+        403,
+    ),
+    (
+        ManageRepositoryManifestLabel,
+        "DELETE",
+        {
+            "labelid": "someid",
+            "manifestref": "sha256:abcd",
+            "repository": "devtable/simple",
+        },
+        None,
+        None,
+        401,
+    ),
+    (
+        ManageRepositoryManifestLabel,
+        "DELETE",
+        {
+            "labelid": "someid",
+            "manifestref": "sha256:abcd",
+            "repository": "devtable/simple",
+        },
+        None,
+        "devtable",
+        404,
+    ),
+    (
+        ManageRepositoryManifestLabel,
+        "DELETE",
+        {
+            "labelid": "someid",
+            "manifestref": "sha256:abcd",
+            "repository": "devtable/simple",
+        },
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        ManageRepositoryManifestLabel,
+        "DELETE",
+        {
+            "labelid": "someid",
+            "manifestref": "sha256:abcd",
+            "repository": "devtable/simple",
+        },
+        None,
+        "reader",
+        403,
+    ),
+    (
+        InviteTeamMember,
+        "PUT",
+        {"orgname": "buynlarge", "teamname": "owners", "email": "a@example.com"},
+        None,
+        None,
+        401,
+    ),
+    (
+        InviteTeamMember,
+        "PUT",
+        {"orgname": "buynlarge", "teamname": "owners", "email": "a@example.com"},
+        None,
+        "devtable",
+        200,
+    ),
+    (
+        InviteTeamMember,
+        "PUT",
+        {"orgname": "buynlarge", "teamname": "owners", "email": "a@example.com"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        InviteTeamMember,
+        "PUT",
+        {"orgname": "buynlarge", "teamname": "owners", "email": "a@example.com"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        InviteTeamMember,
+        "DELETE",
+        {"orgname": "buynlarge", "teamname": "owners", "email": "a@example.com"},
+        None,
+        None,
+        401,
+    ),
+    (
+        InviteTeamMember,
+        "DELETE",
+        {"orgname": "buynlarge", "teamname": "owners", "email": "a@example.com"},
+        None,
+        "devtable",
+        404,
+    ),
+    (
+        InviteTeamMember,
+        "DELETE",
+        {"orgname": "buynlarge", "teamname": "owners", "email": "a@example.com"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        InviteTeamMember,
+        "DELETE",
+        {"orgname": "buynlarge", "teamname": "owners", "email": "a@example.com"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        TestRepositoryNotification,
+        "POST",
+        {"repository": "buynlarge/orgrepo", "uuid": "foo"},
+        None,
+        None,
+        401,
+    ),
+    (
+        TestRepositoryNotification,
+        "POST",
+        {"repository": "buynlarge/orgrepo", "uuid": "foo"},
+        None,
+        "devtable",
+        400,
+    ),
+    (
+        TestRepositoryNotification,
+        "POST",
+        {"repository": "buynlarge/orgrepo", "uuid": "foo"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        TestRepositoryNotification,
+        "POST",
+        {"repository": "buynlarge/orgrepo", "uuid": "foo"},
+        None,
+        "reader",
+        403,
+    ),
+    (LinkExternalEntity, "POST", {"username": "foo"}, None, None, 404),
+    (
+        BuildTriggerSourceNamespaces,
+        "GET",
+        {"repository": "devtable/simple", "trigger_uuid": "foo"},
+        None,
+        None,
+        401,
+    ),
+    (
+        BuildTriggerSourceNamespaces,
+        "GET",
+        {"repository": "devtable/simple", "trigger_uuid": "foo"},
+        None,
+        "devtable",
+        404,
+    ),
+    (
+        BuildTriggerSourceNamespaces,
+        "GET",
+        {"repository": "devtable/simple", "trigger_uuid": "foo"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        BuildTriggerSourceNamespaces,
+        "GET",
+        {"repository": "devtable/simple", "trigger_uuid": "foo"},
+        None,
+        "reader",
+        403,
+    ),
+    (RepoMirrorResource, "GET", {"repository": "devtable/simple"}, None, None, 401),
+    (
+        RepoMirrorResource,
+        "GET",
+        {"repository": "devtable/simple"},
+        None,
+        "devtable",
+        404,
+    ),
+    (
+        RepoMirrorResource,
+        "GET",
+        {"repository": "devtable/simple"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (RepoMirrorResource, "GET", {"repository": "devtable/simple"}, None, "reader", 403),
+    (RepoMirrorResource, "POST", {"repository": "devtable/simple"}, None, None, 401),
+    (
+        RepoMirrorResource,
+        "POST",
+        {"repository": "devtable/simple"},
+        None,
+        "devtable",
+        400,
+    ),
+    (
+        RepoMirrorResource,
+        "POST",
+        {"repository": "devtable/simple"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepoMirrorResource,
+        "POST",
+        {"repository": "devtable/simple"},
+        None,
+        "reader",
+        403,
+    ),
+    (RepoMirrorResource, "PUT", {"repository": "devtable/simple"}, None, None, 401),
+    (
+        RepoMirrorResource,
+        "PUT",
+        {"repository": "devtable/simple"},
+        None,
+        "devtable",
+        400,
+    ),
+    (
+        RepoMirrorResource,
+        "PUT",
+        {"repository": "devtable/simple"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (RepoMirrorResource, "PUT", {"repository": "devtable/simple"}, None, "reader", 403),
+    (
+        RepoMirrorSyncNowResource,
+        "POST",
+        {"repository": "devtable/simple"},
+        None,
+        None,
+        401,
+    ),
+    (
+        RepoMirrorSyncNowResource,
+        "POST",
+        {"repository": "devtable/simple"},
+        None,
+        "devtable",
+        404,
+    ),
+    (
+        RepoMirrorSyncNowResource,
+        "POST",
+        {"repository": "devtable/simple"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepoMirrorSyncNowResource,
+        "POST",
+        {"repository": "devtable/simple"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        RepoMirrorSyncCancelResource,
+        "POST",
+        {"repository": "devtable/simple"},
+        None,
+        None,
+        401,
+    ),
+    (
+        RepoMirrorSyncCancelResource,
+        "POST",
+        {"repository": "devtable/simple"},
+        None,
+        "devtable",
+        404,
+    ),
+    (
+        RepoMirrorSyncCancelResource,
+        "POST",
+        {"repository": "devtable/simple"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepoMirrorSyncCancelResource,
+        "POST",
+        {"repository": "devtable/simple"},
+        None,
+        "reader",
+        403,
+    ),
+    (
+        RepositoryStateResource,
+        "PUT",
+        {"repository": "devtable/simple"},
+        None,
+        None,
+        401,
+    ),
+    (
+        RepositoryStateResource,
+        "PUT",
+        {"repository": "devtable/simple"},
+        None,
+        "devtable",
+        400,
+    ),
+    (
+        RepositoryStateResource,
+        "PUT",
+        {"repository": "devtable/simple"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        RepositoryStateResource,
+        "PUT",
+        {"repository": "devtable/simple"},
+        None,
+        "reader",
+        403,
+    ),
+    (ManageRepoMirrorRule, "PUT", {"repository": "devtable/simple"}, None, None, 401),
+    (
+        ManageRepoMirrorRule,
+        "PUT",
+        {"repository": "devtable/simple"},
+        None,
+        "devtable",
+        400,
+    ),
+    (
+        ManageRepoMirrorRule,
+        "PUT",
+        {"repository": "devtable/simple"},
+        None,
+        "freshuser",
+        403,
+    ),
+    (
+        ManageRepoMirrorRule,
+        "PUT",
+        {"repository": "devtable/simple"},
+        None,
+        "reader",
+        403,
+    ),
 ]
 
-@pytest.mark.parametrize('resource,method,params,body,identity,expected', SECURITY_TESTS)
+
+@pytest.mark.parametrize(
+    "resource,method,params,body,identity,expected", SECURITY_TESTS
+)
 def test_api_security(resource, method, params, body, identity, expected, client):
-  with client_with_identity(identity, client) as cl:
-    conduct_api_call(cl, resource, method, params, body, expected)
+    with client_with_identity(identity, client) as cl:
+        conduct_api_call(cl, resource, method, params, body, expected)
 
 
-ALLOWED_MISSING_MODULES = {'endpoints.api.suconfig', 'endpoints.api.error', 'data.userfiles'}
+ALLOWED_MISSING_MODULES = {
+    "endpoints.api.suconfig",
+    "endpoints.api.error",
+    "data.userfiles",
+}
+
 
 def test_all_apis_tested(app):
-  required_tests = set()
+    required_tests = set()
 
-  for rule in app.url_map.iter_rules():
-    endpoint_method = app.view_functions[rule.endpoint]
+    for rule in app.url_map.iter_rules():
+        endpoint_method = app.view_functions[rule.endpoint]
 
-    # Verify that we have a view class for this API method.
-    if not 'view_class' in dir(endpoint_method):
-      continue
+        # Verify that we have a view class for this API method.
+        if not "view_class" in dir(endpoint_method):
+            continue
 
-    view_class = endpoint_method.view_class    
-    if view_class.__module__ in ALLOWED_MISSING_MODULES:
-      continue
+        view_class = endpoint_method.view_class
+        if view_class.__module__ in ALLOWED_MISSING_MODULES:
+            continue
 
-    method_names = list(rule.methods.difference(['HEAD', 'OPTIONS']))
-    full_name = '%s.%s' % (view_class.__module__, view_class.__name__)
-    for method_name in method_names:
-      required_tests.add('%s::%s' % (full_name, method_name.upper()))
+        method_names = list(rule.methods.difference(["HEAD", "OPTIONS"]))
+        full_name = "%s.%s" % (view_class.__module__, view_class.__name__)
+        for method_name in method_names:
+            required_tests.add("%s::%s" % (full_name, method_name.upper()))
 
-  assert required_tests
+    assert required_tests
 
-  for test in SECURITY_TESTS:
-    view_class = test[0]
-    required_tests.discard('%s.%s::%s' % (view_class.__module__, view_class.__name__,
-                                          test[1].upper()))
+    for test in SECURITY_TESTS:
+        view_class = test[0]
+        required_tests.discard(
+            "%s.%s::%s" % (view_class.__module__, view_class.__name__, test[1].upper())
+        )
 
-  assert not required_tests, "API security tests missing for: %s" % required_tests
+    assert not required_tests, "API security tests missing for: %s" % required_tests
 
 
-@pytest.mark.parametrize('is_superuser', [
-  (True),
-  (False),
-])
-@pytest.mark.parametrize('allow_nonsuperuser', [
-  (True),
-  (False),
-])
-@pytest.mark.parametrize('method, expected', [
-  ('POST', 400),
-  ('DELETE', 200),
-])
+@pytest.mark.parametrize("is_superuser", [(True), (False)])
+@pytest.mark.parametrize("allow_nonsuperuser", [(True), (False)])
+@pytest.mark.parametrize("method, expected", [("POST", 400), ("DELETE", 200)])
 def test_team_sync_security(is_superuser, allow_nonsuperuser, method, expected, client):
-  def is_superuser_method(_):
-    return is_superuser
+    def is_superuser_method(_):
+        return is_superuser
 
-  with patch('auth.permissions.superusers.is_superuser', is_superuser_method):
-    with toggle_feature('NONSUPERUSER_TEAM_SYNCING_SETUP', allow_nonsuperuser):
-      with client_with_identity('devtable', client) as cl:
-        expect_success = is_superuser or allow_nonsuperuser
-        expected_status = expected if expect_success else 403
-        conduct_api_call(cl, OrganizationTeamSyncing, method, TEAM_PARAMS, {}, expected_status)
+    with patch("auth.permissions.superusers.is_superuser", is_superuser_method):
+        with toggle_feature("NONSUPERUSER_TEAM_SYNCING_SETUP", allow_nonsuperuser):
+            with client_with_identity("devtable", client) as cl:
+                expect_success = is_superuser or allow_nonsuperuser
+                expected_status = expected if expect_success else 403
+                conduct_api_call(
+                    cl,
+                    OrganizationTeamSyncing,
+                    method,
+                    TEAM_PARAMS,
+                    {},
+                    expected_status,
+                )
diff --git a/endpoints/api/test/test_signing.py b/endpoints/api/test/test_signing.py
index e941cee56..12ff38835 100644
--- a/endpoints/api/test/test_signing.py
+++ b/endpoints/api/test/test_signing.py
@@ -11,45 +11,51 @@ from test.fixtures import *
 
 VALID_TARGETS_MAP = {
     "targets/ci": {
-      "targets": {
-        "latest": {
-          "hashes": {
-            "sha256": "2Q8GLEgX62VBWeL76axFuDj/Z1dd6Zhx0ZDM6kNwPkQ="
-          },
-          "length": 2111
-        }
-      },
-      "expiration": "2020-05-22T10:26:46.618176424-04:00"
+        "targets": {
+            "latest": {
+                "hashes": {"sha256": "2Q8GLEgX62VBWeL76axFuDj/Z1dd6Zhx0ZDM6kNwPkQ="},
+                "length": 2111,
+            }
+        },
+        "expiration": "2020-05-22T10:26:46.618176424-04:00",
     },
     "targets": {
-      "targets": {
-        "latest": {
-          "hashes": {
-            "sha256": "2Q8GLEgX62VBWeL76axFuDj/Z1dd6Zhx0ZDM6kNwPkQ="
-          },
-          "length": 2111
-        }
-      },
-      "expiration": "2020-05-22T10:26:01.953414888-04:00"}
-  }
+        "targets": {
+            "latest": {
+                "hashes": {"sha256": "2Q8GLEgX62VBWeL76axFuDj/Z1dd6Zhx0ZDM6kNwPkQ="},
+                "length": 2111,
+            }
+        },
+        "expiration": "2020-05-22T10:26:01.953414888-04:00",
+    },
+}
 
 
 def tags_equal(expected, actual):
-  expected_tags = expected.get('delegations')
-  actual_tags = actual.get('delegations')
-  if expected_tags and actual_tags:
-    return Counter(expected_tags) == Counter(actual_tags)
-  return expected == actual
+    expected_tags = expected.get("delegations")
+    actual_tags = actual.get("delegations")
+    if expected_tags and actual_tags:
+        return Counter(expected_tags) == Counter(actual_tags)
+    return expected == actual
 
-@pytest.mark.parametrize('targets_map,expected', [
-  (VALID_TARGETS_MAP, {'delegations': VALID_TARGETS_MAP}),
-  ({'bad': 'tags'}, {'delegations': {'bad': 'tags'}}),
-  ({}, {'delegations': {}}),
-  (None, {'delegations': None}),   # API returns None on exceptions
-])
+
+@pytest.mark.parametrize(
+    "targets_map,expected",
+    [
+        (VALID_TARGETS_MAP, {"delegations": VALID_TARGETS_MAP}),
+        ({"bad": "tags"}, {"delegations": {"bad": "tags"}}),
+        ({}, {"delegations": {}}),
+        (None, {"delegations": None}),  # API returns None on exceptions
+    ],
+)
 def test_get_signatures(targets_map, expected, client):
-  with patch('endpoints.api.signing.tuf_metadata_api') as mock_tuf:
-    mock_tuf.get_all_tags_with_expiration.return_value = targets_map
-    with client_with_identity('devtable', client) as cl:
-      params = {'repository': 'devtable/trusted'}
-      assert tags_equal(expected, conduct_api_call(cl, RepositorySignatures, 'GET', params, None, 200).json)
+    with patch("endpoints.api.signing.tuf_metadata_api") as mock_tuf:
+        mock_tuf.get_all_tags_with_expiration.return_value = targets_map
+        with client_with_identity("devtable", client) as cl:
+            params = {"repository": "devtable/trusted"}
+            assert tags_equal(
+                expected,
+                conduct_api_call(
+                    cl, RepositorySignatures, "GET", params, None, 200
+                ).json,
+            )
diff --git a/endpoints/api/test/test_subscribe_models_pre_oci.py b/endpoints/api/test/test_subscribe_models_pre_oci.py
index 8810e36f5..7c257f2a8 100644
--- a/endpoints/api/test/test_subscribe_models_pre_oci.py
+++ b/endpoints/api/test/test_subscribe_models_pre_oci.py
@@ -4,40 +4,52 @@ from mock import patch
 from endpoints.api.subscribe_models_pre_oci import data_model
 
 
-@pytest.mark.parametrize('username,repo_count', [
-  ('devtable', 3)
-])
+@pytest.mark.parametrize("username,repo_count", [("devtable", 3)])
 def test_get_private_repo_count(username, repo_count):
-  with patch('endpoints.api.subscribe_models_pre_oci.get_private_repo_count') as mock_get_private_reop_count:
-    mock_get_private_reop_count.return_value = repo_count
-    count = data_model.get_private_repo_count(username)
+    with patch(
+        "endpoints.api.subscribe_models_pre_oci.get_private_repo_count"
+    ) as mock_get_private_reop_count:
+        mock_get_private_reop_count.return_value = repo_count
+        count = data_model.get_private_repo_count(username)
 
-    mock_get_private_reop_count.assert_called_once_with(username)
-    assert count == repo_count
+        mock_get_private_reop_count.assert_called_once_with(username)
+        assert count == repo_count
 
 
-@pytest.mark.parametrize('kind_name,target_username,metadata', [
-  ('over_private_usage', 'devtable', {'namespace': 'devtable'})
-])
+@pytest.mark.parametrize(
+    "kind_name,target_username,metadata",
+    [("over_private_usage", "devtable", {"namespace": "devtable"})],
+)
 def test_create_unique_notification(kind_name, target_username, metadata):
-  with patch('endpoints.api.subscribe_models_pre_oci.get_user_or_org') as mock_get_user_or_org:
-    mock_get_user_or_org.return_value = {'username': target_username}
-    with patch('endpoints.api.subscribe_models_pre_oci.create_unique_notification') as mock_create_unique_notification:
-      data_model.create_unique_notification(kind_name, target_username, metadata)
+    with patch(
+        "endpoints.api.subscribe_models_pre_oci.get_user_or_org"
+    ) as mock_get_user_or_org:
+        mock_get_user_or_org.return_value = {"username": target_username}
+        with patch(
+            "endpoints.api.subscribe_models_pre_oci.create_unique_notification"
+        ) as mock_create_unique_notification:
+            data_model.create_unique_notification(kind_name, target_username, metadata)
 
-      mock_get_user_or_org.assert_called_once_with(target_username)
-      mock_create_unique_notification.assert_called_once_with(kind_name, mock_get_user_or_org.return_value, metadata)
+            mock_get_user_or_org.assert_called_once_with(target_username)
+            mock_create_unique_notification.assert_called_once_with(
+                kind_name, mock_get_user_or_org.return_value, metadata
+            )
 
 
-@pytest.mark.parametrize('target_username,kind_name', [
-  ('devtable', 'over_private_usage')
-])
+@pytest.mark.parametrize(
+    "target_username,kind_name", [("devtable", "over_private_usage")]
+)
 def test_delete_notifications_by_kind(target_username, kind_name):
-  with patch('endpoints.api.subscribe_models_pre_oci.get_user_or_org') as mock_get_user_or_org:
-    mock_get_user_or_org.return_value = {'username': target_username}
-    with patch('endpoints.api.subscribe_models_pre_oci.delete_notifications_by_kind') as mock_delete_notifications_by_kind:
-      data_model.delete_notifications_by_kind(target_username, kind_name)
-
-      mock_get_user_or_org.assert_called_once_with(target_username)
-      mock_delete_notifications_by_kind.assert_called_once_with(mock_get_user_or_org.return_value, kind_name)
+    with patch(
+        "endpoints.api.subscribe_models_pre_oci.get_user_or_org"
+    ) as mock_get_user_or_org:
+        mock_get_user_or_org.return_value = {"username": target_username}
+        with patch(
+            "endpoints.api.subscribe_models_pre_oci.delete_notifications_by_kind"
+        ) as mock_delete_notifications_by_kind:
+            data_model.delete_notifications_by_kind(target_username, kind_name)
 
+            mock_get_user_or_org.assert_called_once_with(target_username)
+            mock_delete_notifications_by_kind.assert_called_once_with(
+                mock_get_user_or_org.return_value, kind_name
+            )
diff --git a/endpoints/api/test/test_superuser.py b/endpoints/api/test/test_superuser.py
index 46e4bacf3..ad392c48f 100644
--- a/endpoints/api/test/test_superuser.py
+++ b/endpoints/api/test/test_superuser.py
@@ -5,24 +5,24 @@ from endpoints.api.test.shared import conduct_api_call
 from endpoints.test.shared import client_with_identity
 from test.fixtures import *
 
-@pytest.mark.parametrize('disabled', [
-  (True),
-  (False),
-])
+
+@pytest.mark.parametrize("disabled", [(True), (False)])
 def test_list_all_users(disabled, client):
-  with client_with_identity('devtable', client) as cl:
-    params = {'disabled': disabled}
-    result = conduct_api_call(cl, SuperUserList, 'GET', params, None, 200).json
-    assert len(result['users'])
-    for user in result['users']:
-      if not disabled:
-        assert user['enabled']
+    with client_with_identity("devtable", client) as cl:
+        params = {"disabled": disabled}
+        result = conduct_api_call(cl, SuperUserList, "GET", params, None, 200).json
+        assert len(result["users"])
+        for user in result["users"]:
+            if not disabled:
+                assert user["enabled"]
 
 
 def test_change_install_user(client):
-  with client_with_identity('devtable', client) as cl:
-    params = {'username': 'randomuser'}
-    body = {'email': 'new_email123@test.com'}
-    result = conduct_api_call(cl, SuperUserManagement, 'PUT', params, body, 200).json
-    
-    assert result['email'] == body['email']
+    with client_with_identity("devtable", client) as cl:
+        params = {"username": "randomuser"}
+        body = {"email": "new_email123@test.com"}
+        result = conduct_api_call(
+            cl, SuperUserManagement, "PUT", params, body, 200
+        ).json
+
+        assert result["email"] == body["email"]
diff --git a/endpoints/api/test/test_tag.py b/endpoints/api/test/test_tag.py
index 54f6df599..e4bf375ea 100644
--- a/endpoints/api/test/test_tag.py
+++ b/endpoints/api/test/test_tag.py
@@ -7,110 +7,125 @@ from data.database import Manifest
 
 from endpoints.api.test.shared import conduct_api_call
 from endpoints.test.shared import client_with_identity
-from endpoints.api.tag import RepositoryTag, RestoreTag, ListRepositoryTags, RepositoryTagImages
+from endpoints.api.tag import (
+    RepositoryTag,
+    RestoreTag,
+    ListRepositoryTags,
+    RepositoryTagImages,
+)
 
 from test.fixtures import *
 
-@pytest.mark.parametrize('expiration_time, expected_status', [
-  (None, 201),
-  ('aksdjhasd', 400),
-])
+
+@pytest.mark.parametrize(
+    "expiration_time, expected_status", [(None, 201), ("aksdjhasd", 400)]
+)
 def test_change_tag_expiration_default(expiration_time, expected_status, client, app):
-  with client_with_identity('devtable', client) as cl:
-    params = {
-      'repository': 'devtable/simple',
-      'tag': 'latest',
-    }
+    with client_with_identity("devtable", client) as cl:
+        params = {"repository": "devtable/simple", "tag": "latest"}
 
-    request_body = {
-      'expiration': expiration_time,
-    }
+        request_body = {"expiration": expiration_time}
 
-    conduct_api_call(cl, RepositoryTag, 'put', params, request_body, expected_status)
+        conduct_api_call(
+            cl, RepositoryTag, "put", params, request_body, expected_status
+        )
 
 
 def test_change_tag_expiration(client, app):
-  with client_with_identity('devtable', client) as cl:
-    params = {
-      'repository': 'devtable/simple',
-      'tag': 'latest',
-    }
+    with client_with_identity("devtable", client) as cl:
+        params = {"repository": "devtable/simple", "tag": "latest"}
 
-    tag = model.tag.get_active_tag('devtable', 'simple', 'latest')
-    updated_expiration = tag.lifetime_start_ts + 60*60*24
+        tag = model.tag.get_active_tag("devtable", "simple", "latest")
+        updated_expiration = tag.lifetime_start_ts + 60 * 60 * 24
 
-    request_body = {
-      'expiration': updated_expiration,
-    }
+        request_body = {"expiration": updated_expiration}
 
-    conduct_api_call(cl, RepositoryTag, 'put', params, request_body, 201)
-    tag = model.tag.get_active_tag('devtable', 'simple', 'latest')
-    assert tag.lifetime_end_ts == updated_expiration
+        conduct_api_call(cl, RepositoryTag, "put", params, request_body, 201)
+        tag = model.tag.get_active_tag("devtable", "simple", "latest")
+        assert tag.lifetime_end_ts == updated_expiration
 
 
-@pytest.mark.parametrize('image_exists,test_tag,expected_status', [
-  (True, '-INVALID-TAG-NAME', 400),
-  (True, '.INVALID-TAG-NAME', 400),
-  (True,
-   'INVALID-TAG_NAME-BECAUSE-THIS-IS-WAY-WAY-TOO-LOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOONG',
-   400),
-  (False, 'newtag', 404),
-  (True, 'generatemanifestfail', None),
-  (True, 'latest', 201),
-  (True, 'newtag', 201),
-])
+@pytest.mark.parametrize(
+    "image_exists,test_tag,expected_status",
+    [
+        (True, "-INVALID-TAG-NAME", 400),
+        (True, ".INVALID-TAG-NAME", 400),
+        (
+            True,
+            "INVALID-TAG_NAME-BECAUSE-THIS-IS-WAY-WAY-TOO-LOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOONG",
+            400,
+        ),
+        (False, "newtag", 404),
+        (True, "generatemanifestfail", None),
+        (True, "latest", 201),
+        (True, "newtag", 201),
+    ],
+)
 def test_move_tag(image_exists, test_tag, expected_status, client, app):
-  with client_with_identity('devtable', client) as cl:
-    test_image = 'unknown'
-    if image_exists:
-      repo_ref = registry_model.lookup_repository('devtable', 'simple')
-      tag_ref = registry_model.get_repo_tag(repo_ref, 'latest', include_legacy_image=True)
-      assert tag_ref
+    with client_with_identity("devtable", client) as cl:
+        test_image = "unknown"
+        if image_exists:
+            repo_ref = registry_model.lookup_repository("devtable", "simple")
+            tag_ref = registry_model.get_repo_tag(
+                repo_ref, "latest", include_legacy_image=True
+            )
+            assert tag_ref
 
-      test_image = tag_ref.legacy_image.docker_image_id
+            test_image = tag_ref.legacy_image.docker_image_id
 
-    params = {'repository': 'devtable/simple', 'tag': test_tag}
-    request_body = {'image': test_image}
-    if expected_status is None:
-      with pytest.raises(Exception):
-        conduct_api_call(cl, RepositoryTag, 'put', params, request_body, expected_status)
-    else:
-      conduct_api_call(cl, RepositoryTag, 'put', params, request_body, expected_status)
+        params = {"repository": "devtable/simple", "tag": test_tag}
+        request_body = {"image": test_image}
+        if expected_status is None:
+            with pytest.raises(Exception):
+                conduct_api_call(
+                    cl, RepositoryTag, "put", params, request_body, expected_status
+                )
+        else:
+            conduct_api_call(
+                cl, RepositoryTag, "put", params, request_body, expected_status
+            )
 
 
-@pytest.mark.parametrize('repo_namespace, repo_name, query_count', [
-  ('devtable', 'simple', 5),
-  ('devtable', 'history', 5),
-  ('devtable', 'complex', 5),
-  ('devtable', 'gargantuan', 5),
-  ('buynlarge', 'orgrepo', 7), # +2 for permissions checks.
-  ('buynlarge', 'anotherorgrepo', 7), # +2 for permissions checks.
-])
+@pytest.mark.parametrize(
+    "repo_namespace, repo_name, query_count",
+    [
+        ("devtable", "simple", 5),
+        ("devtable", "history", 5),
+        ("devtable", "complex", 5),
+        ("devtable", "gargantuan", 5),
+        ("buynlarge", "orgrepo", 7),  # +2 for permissions checks.
+        ("buynlarge", "anotherorgrepo", 7),  # +2 for permissions checks.
+    ],
+)
 def test_list_repo_tags(repo_namespace, repo_name, client, query_count, app):
-  # Pre-cache media type loads to ensure consistent query count.
-  Manifest.media_type.get_name(1)
+    # Pre-cache media type loads to ensure consistent query count.
+    Manifest.media_type.get_name(1)
 
-  params = {'repository': repo_namespace + '/' + repo_name}
-  with client_with_identity('devtable', client) as cl:
-    with assert_query_count(query_count):
-      tags = conduct_api_call(cl, ListRepositoryTags, 'get', params).json['tags']
+    params = {"repository": repo_namespace + "/" + repo_name}
+    with client_with_identity("devtable", client) as cl:
+        with assert_query_count(query_count):
+            tags = conduct_api_call(cl, ListRepositoryTags, "get", params).json["tags"]
 
-    repo_ref = registry_model.lookup_repository(repo_namespace, repo_name)
-    history, _ = registry_model.list_repository_tag_history(repo_ref)
-    assert len(tags) == len(history)
+        repo_ref = registry_model.lookup_repository(repo_namespace, repo_name)
+        history, _ = registry_model.list_repository_tag_history(repo_ref)
+        assert len(tags) == len(history)
 
 
-@pytest.mark.parametrize('repository, tag, owned, expect_images', [
-  ('devtable/simple', 'prod', False, True),
-  ('devtable/simple', 'prod', True, False),
-  ('devtable/simple', 'latest', False, True),
-  ('devtable/simple', 'latest', True, False),
-
-  ('devtable/complex', 'prod', False, True),
-  ('devtable/complex', 'prod', True, True),
-])
+@pytest.mark.parametrize(
+    "repository, tag, owned, expect_images",
+    [
+        ("devtable/simple", "prod", False, True),
+        ("devtable/simple", "prod", True, False),
+        ("devtable/simple", "latest", False, True),
+        ("devtable/simple", "latest", True, False),
+        ("devtable/complex", "prod", False, True),
+        ("devtable/complex", "prod", True, True),
+    ],
+)
 def test_list_tag_images(repository, tag, owned, expect_images, client, app):
-  with client_with_identity('devtable', client) as cl:
-    params = {'repository': repository, 'tag': tag, 'owned': owned}
-    result = conduct_api_call(cl, RepositoryTagImages, 'get', params, None, 200).json
-    assert bool(result['images']) == expect_images
+    with client_with_identity("devtable", client) as cl:
+        params = {"repository": repository, "tag": tag, "owned": owned}
+        result = conduct_api_call(
+            cl, RepositoryTagImages, "get", params, None, 200
+        ).json
+        assert bool(result["images"]) == expect_images
diff --git a/endpoints/api/test/test_team.py b/endpoints/api/test/test_team.py
index 9a17a36e4..bfed82b57 100644
--- a/endpoints/api/test/test_team.py
+++ b/endpoints/api/test/test_team.py
@@ -13,78 +13,85 @@ from test.test_ldap import mock_ldap
 
 from test.fixtures import *
 
-SYNCED_TEAM_PARAMS = {'orgname': 'sellnsmall', 'teamname': 'synced'}
-UNSYNCED_TEAM_PARAMS = {'orgname': 'sellnsmall', 'teamname': 'owners'}
+SYNCED_TEAM_PARAMS = {"orgname": "sellnsmall", "teamname": "synced"}
+UNSYNCED_TEAM_PARAMS = {"orgname": "sellnsmall", "teamname": "owners"}
+
 
 def test_team_syncing(client):
-  with mock_ldap() as ldap:
-    with patch('endpoints.api.team.authentication', ldap):
-      with client_with_identity('devtable', client) as cl:
-        config = {
-          'group_dn': 'cn=AwesomeFolk',
-        }
+    with mock_ldap() as ldap:
+        with patch("endpoints.api.team.authentication", ldap):
+            with client_with_identity("devtable", client) as cl:
+                config = {"group_dn": "cn=AwesomeFolk"}
 
-        conduct_api_call(cl, OrganizationTeamSyncing, 'POST', UNSYNCED_TEAM_PARAMS, config)
+                conduct_api_call(
+                    cl, OrganizationTeamSyncing, "POST", UNSYNCED_TEAM_PARAMS, config
+                )
 
-        # Ensure the team is now synced.
-        sync_info = model.team.get_team_sync_information(UNSYNCED_TEAM_PARAMS['orgname'],
-                                                         UNSYNCED_TEAM_PARAMS['teamname'])
-        assert sync_info is not None
-        assert json.loads(sync_info.config) == config
+                # Ensure the team is now synced.
+                sync_info = model.team.get_team_sync_information(
+                    UNSYNCED_TEAM_PARAMS["orgname"], UNSYNCED_TEAM_PARAMS["teamname"]
+                )
+                assert sync_info is not None
+                assert json.loads(sync_info.config) == config
 
-        # Remove the syncing.
-        conduct_api_call(cl, OrganizationTeamSyncing, 'DELETE', UNSYNCED_TEAM_PARAMS, None)
+                # Remove the syncing.
+                conduct_api_call(
+                    cl, OrganizationTeamSyncing, "DELETE", UNSYNCED_TEAM_PARAMS, None
+                )
 
-        # Ensure the team is no longer synced.
-        sync_info = model.team.get_team_sync_information(UNSYNCED_TEAM_PARAMS['orgname'],
-                                                         UNSYNCED_TEAM_PARAMS['teamname'])
-        assert sync_info is None
+                # Ensure the team is no longer synced.
+                sync_info = model.team.get_team_sync_information(
+                    UNSYNCED_TEAM_PARAMS["orgname"], UNSYNCED_TEAM_PARAMS["teamname"]
+                )
+                assert sync_info is None
 
 
 def test_team_member_sync_info(client):
-  with mock_ldap() as ldap:
-    with patch('endpoints.api.team.authentication', ldap):
-      # Check for an unsynced team, with superuser.
-      with client_with_identity('devtable', client) as cl:
-        resp = conduct_api_call(cl, TeamMemberList, 'GET', UNSYNCED_TEAM_PARAMS)
-        assert 'can_sync' in resp.json
-        assert resp.json['can_sync']['service'] == 'ldap'
+    with mock_ldap() as ldap:
+        with patch("endpoints.api.team.authentication", ldap):
+            # Check for an unsynced team, with superuser.
+            with client_with_identity("devtable", client) as cl:
+                resp = conduct_api_call(cl, TeamMemberList, "GET", UNSYNCED_TEAM_PARAMS)
+                assert "can_sync" in resp.json
+                assert resp.json["can_sync"]["service"] == "ldap"
 
-        assert 'synced' not in resp.json
+                assert "synced" not in resp.json
 
-      # Check for an unsynced team, with non-superuser.
-      with client_with_identity('randomuser', client) as cl:
-        resp = conduct_api_call(cl, TeamMemberList, 'GET', UNSYNCED_TEAM_PARAMS)
-        assert 'can_sync' not in resp.json
-        assert 'synced' not in resp.json
+            # Check for an unsynced team, with non-superuser.
+            with client_with_identity("randomuser", client) as cl:
+                resp = conduct_api_call(cl, TeamMemberList, "GET", UNSYNCED_TEAM_PARAMS)
+                assert "can_sync" not in resp.json
+                assert "synced" not in resp.json
 
-      # Check for a synced team, with superuser.
-      with client_with_identity('devtable', client) as cl:
-        resp = conduct_api_call(cl, TeamMemberList, 'GET', SYNCED_TEAM_PARAMS)
-        assert 'can_sync' in resp.json
-        assert resp.json['can_sync']['service'] == 'ldap'
+            # Check for a synced team, with superuser.
+            with client_with_identity("devtable", client) as cl:
+                resp = conduct_api_call(cl, TeamMemberList, "GET", SYNCED_TEAM_PARAMS)
+                assert "can_sync" in resp.json
+                assert resp.json["can_sync"]["service"] == "ldap"
 
-        assert 'synced' in resp.json
-        assert 'last_updated' in resp.json['synced']
-        assert 'group_dn' in resp.json['synced']['config']
+                assert "synced" in resp.json
+                assert "last_updated" in resp.json["synced"]
+                assert "group_dn" in resp.json["synced"]["config"]
 
-      # Check for a synced team, with non-superuser.
-      with client_with_identity('randomuser', client) as cl:
-        resp = conduct_api_call(cl, TeamMemberList, 'GET', SYNCED_TEAM_PARAMS)
-        assert 'can_sync' not in resp.json
+            # Check for a synced team, with non-superuser.
+            with client_with_identity("randomuser", client) as cl:
+                resp = conduct_api_call(cl, TeamMemberList, "GET", SYNCED_TEAM_PARAMS)
+                assert "can_sync" not in resp.json
 
-        assert 'synced' in resp.json
-        assert 'last_updated' not in resp.json['synced']
-        assert 'config' not in resp.json['synced']
+                assert "synced" in resp.json
+                assert "last_updated" not in resp.json["synced"]
+                assert "config" not in resp.json["synced"]
 
 
 def test_organization_teams_sync_bool(client):
-  with mock_ldap() as ldap:
-    with patch('endpoints.api.organization.authentication', ldap):
-      # Ensure synced teams are marked as such in the organization teams list.
-      with client_with_identity('devtable', client) as cl:
-        resp = conduct_api_call(cl, Organization, 'GET', {'orgname': 'sellnsmall'})
+    with mock_ldap() as ldap:
+        with patch("endpoints.api.organization.authentication", ldap):
+            # Ensure synced teams are marked as such in the organization teams list.
+            with client_with_identity("devtable", client) as cl:
+                resp = conduct_api_call(
+                    cl, Organization, "GET", {"orgname": "sellnsmall"}
+                )
 
-        assert not resp.json['teams']['owners']['is_synced']
+                assert not resp.json["teams"]["owners"]["is_synced"]
 
-        assert resp.json['teams']['synced']['is_synced']
+                assert resp.json["teams"]["synced"]["is_synced"]
diff --git a/endpoints/api/test/test_trigger.py b/endpoints/api/test/test_trigger.py
index 946b34431..7e6d20662 100644
--- a/endpoints/api/test/test_trigger.py
+++ b/endpoints/api/test/test_trigger.py
@@ -9,47 +9,43 @@ from endpoints.test.shared import client_with_identity
 from test.fixtures import *
 
 
-@pytest.mark.parametrize('context,dockerfile_path,expected', [
-  ("/", "/a/b", True),
-  ("/a", "/a/b", True),
-  ("/a/b", "/a/b", False),
-  ("/a//", "/a/b", True),
-  ("/a", "/a//b/c", True),
-  ("/a//", "a/b", True),
-  ("/a/b", "a/bc/d", False),
-  ("/d", "/a/b", False),
-  ("/a/b", "/a/b.c", False),
-  ("/a/b", "/a/b/b.c", True),
-  ("", "/a/b.c", False),
-  ("/a/b", "", False),
-  ("", "", False),
-])
+@pytest.mark.parametrize(
+    "context,dockerfile_path,expected",
+    [
+        ("/", "/a/b", True),
+        ("/a", "/a/b", True),
+        ("/a/b", "/a/b", False),
+        ("/a//", "/a/b", True),
+        ("/a", "/a//b/c", True),
+        ("/a//", "a/b", True),
+        ("/a/b", "a/bc/d", False),
+        ("/d", "/a/b", False),
+        ("/a/b", "/a/b.c", False),
+        ("/a/b", "/a/b/b.c", True),
+        ("", "/a/b.c", False),
+        ("/a/b", "", False),
+        ("", "", False),
+    ],
+)
 def test_super_user_build_endpoints(context, dockerfile_path, expected):
-  assert is_parent(context, dockerfile_path) == expected
+    assert is_parent(context, dockerfile_path) == expected
 
 
 def test_enabled_disabled_trigger(app, client):
-  trigger = model.build.list_build_triggers('devtable', 'building')[0]
-  trigger.config = json.dumps({'hook_id': 'someid'})
-  trigger.save()
+    trigger = model.build.list_build_triggers("devtable", "building")[0]
+    trigger.config = json.dumps({"hook_id": "someid"})
+    trigger.save()
 
-  params = {
-    'repository': 'devtable/building',
-    'trigger_uuid': trigger.uuid,
-  }
+    params = {"repository": "devtable/building", "trigger_uuid": trigger.uuid}
 
-  body = {
-    'enabled': False,
-  }
+    body = {"enabled": False}
 
-  with client_with_identity('devtable', client) as cl:
-    result = conduct_api_call(cl, BuildTrigger, 'PUT', params, body, 200).json
-    assert not result['enabled']
+    with client_with_identity("devtable", client) as cl:
+        result = conduct_api_call(cl, BuildTrigger, "PUT", params, body, 200).json
+        assert not result["enabled"]
 
-  body = {
-    'enabled': True,
-  }
+    body = {"enabled": True}
 
-  with client_with_identity('devtable', client) as cl:
-    result = conduct_api_call(cl, BuildTrigger, 'PUT', params, body, 200).json
-    assert result['enabled']
+    with client_with_identity("devtable", client) as cl:
+        result = conduct_api_call(cl, BuildTrigger, "PUT", params, body, 200).json
+        assert result["enabled"]
diff --git a/endpoints/api/test/test_trigger_analyzer.py b/endpoints/api/test/test_trigger_analyzer.py
index 881bad8a3..b7183956b 100644
--- a/endpoints/api/test/test_trigger_analyzer.py
+++ b/endpoints/api/test/test_trigger_analyzer.py
@@ -6,147 +6,339 @@ from data import model
 from endpoints.api.trigger_analyzer import TriggerAnalyzer
 from util import dockerfileparse
 
-BAD_PATH = "\"server_hostname/\" is not a valid Quay repository path"
+BAD_PATH = '"server_hostname/" is not a valid Quay repository path'
 
 EMPTY_CONF = {}
 
-GOOD_CONF = {'context': '/', 'dockerfile_path': '/file'}
+GOOD_CONF = {"context": "/", "dockerfile_path": "/file"}
 
-BAD_CONF = {'context': 'context', 'dockerfile_path': 'dockerfile_path'}
+BAD_CONF = {"context": "context", "dockerfile_path": "dockerfile_path"}
 
-ONE_ROBOT = {'can_read': False, 'is_robot': True, 'kind': 'user', 'name': 'name'}
+ONE_ROBOT = {"can_read": False, "is_robot": True, "kind": "user", "name": "name"}
 
-DOCKERFILE_NOT_CHILD = 'Dockerfile, context, is not a child of the context, dockerfile_path.'
+DOCKERFILE_NOT_CHILD = (
+    "Dockerfile, context, is not a child of the context, dockerfile_path."
+)
 
-THE_DOCKERFILE_SPECIFIED = 'Could not parse the Dockerfile specified'
+THE_DOCKERFILE_SPECIFIED = "Could not parse the Dockerfile specified"
 
-DOCKERFILE_PATH_NOT_FOUND = 'Specified Dockerfile path for the trigger was not found on the main branch. This trigger may fail.'
+DOCKERFILE_PATH_NOT_FOUND = "Specified Dockerfile path for the trigger was not found on the main branch. This trigger may fail."
 
-NO_FROM_LINE = 'No FROM line found in the Dockerfile'
+NO_FROM_LINE = "No FROM line found in the Dockerfile"
 
-REPO_NOT_FOUND = 'Repository "server_hostname/path/file" referenced by the Dockerfile was not found'
+REPO_NOT_FOUND = (
+    'Repository "server_hostname/path/file" referenced by the Dockerfile was not found'
+)
 
 
 @pytest.fixture
 def get_monkeypatch(monkeypatch):
-  return monkeypatch
+    return monkeypatch
 
 
 def patch_permissions(monkeypatch, can_read=False):
-  def can_read_fn(base_namespace, base_repository):
-    return can_read
+    def can_read_fn(base_namespace, base_repository):
+        return can_read
 
-  monkeypatch.setattr(permissions, 'ReadRepositoryPermission', can_read_fn)
+    monkeypatch.setattr(permissions, "ReadRepositoryPermission", can_read_fn)
 
 
 def patch_list_namespace_robots(monkeypatch):
-  my_mock = Mock()
-  my_mock.configure_mock(**{'username': 'name'})
-  return_value = [my_mock]
+    my_mock = Mock()
+    my_mock.configure_mock(**{"username": "name"})
+    return_value = [my_mock]
 
-  def return_list_mocks(namesapce):
+    def return_list_mocks(namesapce):
+        return return_value
+
+    monkeypatch.setattr(model.user, "list_namespace_robots", return_list_mocks)
     return return_value
 
-  monkeypatch.setattr(model.user, 'list_namespace_robots', return_list_mocks)
-  return return_value
-
 
 def patch_get_all_repo_users_transitive(monkeypatch):
-  my_mock = Mock()
-  my_mock.configure_mock(**{'username': 'name'})
-  return_value = [my_mock]
+    my_mock = Mock()
+    my_mock.configure_mock(**{"username": "name"})
+    return_value = [my_mock]
 
-  def return_get_mocks(namesapce, image_repostiory):
+    def return_get_mocks(namesapce, image_repostiory):
+        return return_value
+
+    monkeypatch.setattr(model.user, "get_all_repo_users_transitive", return_get_mocks)
     return return_value
 
-  monkeypatch.setattr(model.user, 'get_all_repo_users_transitive', return_get_mocks)
-  return return_value
-
 
 def patch_parse_dockerfile(monkeypatch, get_base_image):
-  if get_base_image is not None:
-    def return_return_value(content):
-      parse_mock = Mock()
-      parse_mock.configure_mock(**{'get_base_image': get_base_image})
-      return parse_mock
+    if get_base_image is not None:
 
-    monkeypatch.setattr(dockerfileparse, "parse_dockerfile", return_return_value)
-  else:
-    def return_return_value(content):
-      return get_base_image
+        def return_return_value(content):
+            parse_mock = Mock()
+            parse_mock.configure_mock(**{"get_base_image": get_base_image})
+            return parse_mock
 
-    monkeypatch.setattr(dockerfileparse, "parse_dockerfile", return_return_value)
+        monkeypatch.setattr(dockerfileparse, "parse_dockerfile", return_return_value)
+    else:
+
+        def return_return_value(content):
+            return get_base_image
+
+        monkeypatch.setattr(dockerfileparse, "parse_dockerfile", return_return_value)
 
 
 def patch_model_repository_get_repository(monkeypatch, get_repository):
-  if get_repository is not None:
+    if get_repository is not None:
 
-    def mock_get_repository(base_namespace, base_repository):
-      vis_mock = Mock()
-      vis_mock.name = get_repository
-      get_repo_mock = Mock(visibility=vis_mock)
+        def mock_get_repository(base_namespace, base_repository):
+            vis_mock = Mock()
+            vis_mock.name = get_repository
+            get_repo_mock = Mock(visibility=vis_mock)
 
+            return get_repo_mock
 
-      return get_repo_mock
+    else:
 
-  else:
-    def mock_get_repository(base_namespace, base_repository):
-      return None
+        def mock_get_repository(base_namespace, base_repository):
+            return None
 
-  monkeypatch.setattr(model.repository, "get_repository", mock_get_repository)
+    monkeypatch.setattr(model.repository, "get_repository", mock_get_repository)
 
 
 def return_none():
-  return None
+    return None
 
 
 def return_content():
-  return Mock()
+    return Mock()
 
 
 def return_server_hostname():
-  return "server_hostname/"
+    return "server_hostname/"
 
 
 def return_non_server_hostname():
-  return "slime"
+    return "slime"
 
 
 def return_path():
-  return "server_hostname/path/file"
+    return "server_hostname/path/file"
 
 
 @pytest.mark.parametrize(
-  'handler_fn, config_dict, admin_org_permission, status, message, get_base_image, robots, server_hostname, get_repository, can_read, namespace, name', [
-    (return_none, EMPTY_CONF, False, "warning", DOCKERFILE_PATH_NOT_FOUND, None, [], None, None, False, "namespace", None),
-    (return_none, EMPTY_CONF, True, "warning", DOCKERFILE_PATH_NOT_FOUND, None, [ONE_ROBOT], None, None, False, "namespace", None),
-    (return_content, BAD_CONF, False, "error", THE_DOCKERFILE_SPECIFIED, None, [], None, None, False, "namespace", None),
-    (return_none, EMPTY_CONF, False, "warning", DOCKERFILE_PATH_NOT_FOUND, return_none, [], None, None, False, "namespace", None),
-    (return_none, EMPTY_CONF, True, "warning", DOCKERFILE_PATH_NOT_FOUND, return_none, [ONE_ROBOT], None, None, False, "namespace", None),
-    (return_content, BAD_CONF, False, "error", DOCKERFILE_NOT_CHILD, return_none, [], None, None, False, "namespace", None),
-    (return_content, GOOD_CONF, False, "warning", NO_FROM_LINE, return_none, [], None, None, False, "namespace", None),
-    (return_content, GOOD_CONF, False, "publicbase", None, return_non_server_hostname, [], "server_hostname", None, False, "namespace", None),
-    (return_content, GOOD_CONF, False, "warning", BAD_PATH, return_server_hostname, [], "server_hostname", None, False, "namespace", None),
-    (return_content, GOOD_CONF, False, "error", REPO_NOT_FOUND, return_path, [], "server_hostname", None, False, "namespace", None),
-    (return_content, GOOD_CONF, False, "error", REPO_NOT_FOUND, return_path, [], "server_hostname", "nonpublic", False, "namespace", None),
-    (return_content, GOOD_CONF, False, "requiresrobot", None, return_path, [], "server_hostname", "nonpublic", True, "path", "file"),
-    (return_content, GOOD_CONF, False, "publicbase", None, return_path, [], "server_hostname", "public", True, "path", "file"),
-
-  ])
-def test_trigger_analyzer(handler_fn, config_dict, admin_org_permission, status, message, get_base_image, robots,
-                          server_hostname, get_repository, can_read, namespace, name,
-                          get_monkeypatch):
-  patch_list_namespace_robots(get_monkeypatch)
-  patch_get_all_repo_users_transitive(get_monkeypatch)
-  patch_parse_dockerfile(get_monkeypatch, get_base_image)
-  patch_model_repository_get_repository(get_monkeypatch, get_repository)
-  patch_permissions(get_monkeypatch, can_read)
-  handler_mock = Mock()
-  handler_mock.configure_mock(**{'load_dockerfile_contents': handler_fn})
-  trigger_analyzer = TriggerAnalyzer(handler_mock, 'namespace', server_hostname, config_dict, admin_org_permission)
-  assert trigger_analyzer.analyze_trigger() == {'namespace': namespace,
-                                                'name': name,
-                                                'robots': robots,
-                                                'status': status,
-                                                'message': message,
-                                                'is_admin': admin_org_permission}
+    "handler_fn, config_dict, admin_org_permission, status, message, get_base_image, robots, server_hostname, get_repository, can_read, namespace, name",
+    [
+        (
+            return_none,
+            EMPTY_CONF,
+            False,
+            "warning",
+            DOCKERFILE_PATH_NOT_FOUND,
+            None,
+            [],
+            None,
+            None,
+            False,
+            "namespace",
+            None,
+        ),
+        (
+            return_none,
+            EMPTY_CONF,
+            True,
+            "warning",
+            DOCKERFILE_PATH_NOT_FOUND,
+            None,
+            [ONE_ROBOT],
+            None,
+            None,
+            False,
+            "namespace",
+            None,
+        ),
+        (
+            return_content,
+            BAD_CONF,
+            False,
+            "error",
+            THE_DOCKERFILE_SPECIFIED,
+            None,
+            [],
+            None,
+            None,
+            False,
+            "namespace",
+            None,
+        ),
+        (
+            return_none,
+            EMPTY_CONF,
+            False,
+            "warning",
+            DOCKERFILE_PATH_NOT_FOUND,
+            return_none,
+            [],
+            None,
+            None,
+            False,
+            "namespace",
+            None,
+        ),
+        (
+            return_none,
+            EMPTY_CONF,
+            True,
+            "warning",
+            DOCKERFILE_PATH_NOT_FOUND,
+            return_none,
+            [ONE_ROBOT],
+            None,
+            None,
+            False,
+            "namespace",
+            None,
+        ),
+        (
+            return_content,
+            BAD_CONF,
+            False,
+            "error",
+            DOCKERFILE_NOT_CHILD,
+            return_none,
+            [],
+            None,
+            None,
+            False,
+            "namespace",
+            None,
+        ),
+        (
+            return_content,
+            GOOD_CONF,
+            False,
+            "warning",
+            NO_FROM_LINE,
+            return_none,
+            [],
+            None,
+            None,
+            False,
+            "namespace",
+            None,
+        ),
+        (
+            return_content,
+            GOOD_CONF,
+            False,
+            "publicbase",
+            None,
+            return_non_server_hostname,
+            [],
+            "server_hostname",
+            None,
+            False,
+            "namespace",
+            None,
+        ),
+        (
+            return_content,
+            GOOD_CONF,
+            False,
+            "warning",
+            BAD_PATH,
+            return_server_hostname,
+            [],
+            "server_hostname",
+            None,
+            False,
+            "namespace",
+            None,
+        ),
+        (
+            return_content,
+            GOOD_CONF,
+            False,
+            "error",
+            REPO_NOT_FOUND,
+            return_path,
+            [],
+            "server_hostname",
+            None,
+            False,
+            "namespace",
+            None,
+        ),
+        (
+            return_content,
+            GOOD_CONF,
+            False,
+            "error",
+            REPO_NOT_FOUND,
+            return_path,
+            [],
+            "server_hostname",
+            "nonpublic",
+            False,
+            "namespace",
+            None,
+        ),
+        (
+            return_content,
+            GOOD_CONF,
+            False,
+            "requiresrobot",
+            None,
+            return_path,
+            [],
+            "server_hostname",
+            "nonpublic",
+            True,
+            "path",
+            "file",
+        ),
+        (
+            return_content,
+            GOOD_CONF,
+            False,
+            "publicbase",
+            None,
+            return_path,
+            [],
+            "server_hostname",
+            "public",
+            True,
+            "path",
+            "file",
+        ),
+    ],
+)
+def test_trigger_analyzer(
+    handler_fn,
+    config_dict,
+    admin_org_permission,
+    status,
+    message,
+    get_base_image,
+    robots,
+    server_hostname,
+    get_repository,
+    can_read,
+    namespace,
+    name,
+    get_monkeypatch,
+):
+    patch_list_namespace_robots(get_monkeypatch)
+    patch_get_all_repo_users_transitive(get_monkeypatch)
+    patch_parse_dockerfile(get_monkeypatch, get_base_image)
+    patch_model_repository_get_repository(get_monkeypatch, get_repository)
+    patch_permissions(get_monkeypatch, can_read)
+    handler_mock = Mock()
+    handler_mock.configure_mock(**{"load_dockerfile_contents": handler_fn})
+    trigger_analyzer = TriggerAnalyzer(
+        handler_mock, "namespace", server_hostname, config_dict, admin_org_permission
+    )
+    assert trigger_analyzer.analyze_trigger() == {
+        "namespace": namespace,
+        "name": name,
+        "robots": robots,
+        "status": status,
+        "message": message,
+        "is_admin": admin_org_permission,
+    }
diff --git a/endpoints/api/test/test_user.py b/endpoints/api/test/test_user.py
index bf31b0b6d..1b4102550 100644
--- a/endpoints/api/test/test_user.py
+++ b/endpoints/api/test/test_user.py
@@ -11,32 +11,32 @@ from test.fixtures import *
 
 
 def test_user_metadata_update(client):
-  with patch('features.USER_METADATA', FeatureNameValue('USER_METADATA', True)):
-    with client_with_identity('devtable', client) as cl:
-      metadata = {
-        'given_name': 'Quay',
-        'family_name': 'User',
-        'location': 'NYC',
-        'company': 'Red Hat',
-      }
+    with patch("features.USER_METADATA", FeatureNameValue("USER_METADATA", True)):
+        with client_with_identity("devtable", client) as cl:
+            metadata = {
+                "given_name": "Quay",
+                "family_name": "User",
+                "location": "NYC",
+                "company": "Red Hat",
+            }
 
-      # Update all user metadata fields.
-      conduct_api_call(cl, User, 'PUT', None, body=metadata)
+            # Update all user metadata fields.
+            conduct_api_call(cl, User, "PUT", None, body=metadata)
 
-      # Test that they were successfully updated.
-      user = conduct_api_call(cl, User, 'GET', None).json
-      for field in metadata:
-        assert user.get(field) == metadata.get(field)
+            # Test that they were successfully updated.
+            user = conduct_api_call(cl, User, "GET", None).json
+            for field in metadata:
+                assert user.get(field) == metadata.get(field)
 
-      # Now nullify one of the fields, and remove another.
-      metadata['company'] = None
-      location = metadata.pop('location')
+            # Now nullify one of the fields, and remove another.
+            metadata["company"] = None
+            location = metadata.pop("location")
 
-      conduct_api_call(cl, User, 'PUT', None, body=metadata)
+            conduct_api_call(cl, User, "PUT", None, body=metadata)
 
-      user = conduct_api_call(cl, User, 'GET', None).json
-      for field in metadata:
-        assert user.get(field) == metadata.get(field)
+            user = conduct_api_call(cl, User, "GET", None).json
+            for field in metadata:
+                assert user.get(field) == metadata.get(field)
 
-      # The location field should be unchanged.
-      assert user.get('location') == location
+            # The location field should be unchanged.
+            assert user.get("location") == location
diff --git a/endpoints/api/trigger.py b/endpoints/api/trigger.py
index fb9f72a48..e6f719801 100644
--- a/endpoints/api/trigger.py
+++ b/endpoints/api/trigger.py
@@ -7,21 +7,40 @@ from flask import request, url_for
 
 from active_migration import ActiveDataMigration, ERTMigrationFlags
 from app import app
-from auth.permissions import (UserAdminPermission, AdministerOrganizationPermission,
-                              AdministerRepositoryPermission)
+from auth.permissions import (
+    UserAdminPermission,
+    AdministerOrganizationPermission,
+    AdministerRepositoryPermission,
+)
 from buildtrigger.basehandler import BuildTriggerHandler
 from buildtrigger.triggerutil import TriggerException, EmptyRepositoryException
 from data import model
 from data.fields import DecryptedValue
 from data.model.build import update_build_trigger
-from endpoints.api import (RepositoryParamResource, nickname, resource, require_repo_admin,
-                           log_action, request_error, query_param, parse_args, internal_only,
-                           validate_json_request, api, path_param, abort,
-                           disallow_for_app_repositories, disallow_for_non_normal_repositories)
+from endpoints.api import (
+    RepositoryParamResource,
+    nickname,
+    resource,
+    require_repo_admin,
+    log_action,
+    request_error,
+    query_param,
+    parse_args,
+    internal_only,
+    validate_json_request,
+    api,
+    path_param,
+    abort,
+    disallow_for_app_repositories,
+    disallow_for_non_normal_repositories,
+)
 from endpoints.api.build import build_status_view, trigger_view, RepositoryBuildStatus
 from endpoints.api.trigger_analyzer import TriggerAnalyzer
-from endpoints.building import (start_build, MaximumBuildsQueuedException,
-                                BuildTriggerDisabledException)
+from endpoints.building import (
+    start_build,
+    MaximumBuildsQueuedException,
+    BuildTriggerDisabledException,
+)
 from endpoints.exception import NotFound, Unauthorized, InvalidRequest
 from util.names import parse_robot_username
 
@@ -29,511 +48,530 @@ logger = logging.getLogger(__name__)
 
 
 def _prepare_webhook_url(scheme, username, password, hostname, path):
-  auth_hostname = '%s:%s@%s' % (username, password, hostname)
-  return urlunparse((scheme, auth_hostname, path, '', '', ''))
+    auth_hostname = "%s:%s@%s" % (username, password, hostname)
+    return urlunparse((scheme, auth_hostname, path, "", "", ""))
 
 
 def get_trigger(trigger_uuid):
-  try:
-    trigger = model.build.get_build_trigger(trigger_uuid)
-  except model.InvalidBuildTriggerException:
-    raise NotFound()
-  return trigger
+    try:
+        trigger = model.build.get_build_trigger(trigger_uuid)
+    except model.InvalidBuildTriggerException:
+        raise NotFound()
+    return trigger
 
-@resource('/v1/repository/<apirepopath:repository>/trigger/')
-@path_param('repository', 'The full path of the repository. e.g. namespace/name')
+
+@resource("/v1/repository/<apirepopath:repository>/trigger/")
+@path_param("repository", "The full path of the repository. e.g. namespace/name")
 class BuildTriggerList(RepositoryParamResource):
-  """ Resource for listing repository build triggers. """
+    """ Resource for listing repository build triggers. """
 
-  @require_repo_admin
-  @disallow_for_app_repositories
-  @nickname('listBuildTriggers')
-  def get(self, namespace_name, repo_name):
-    """ List the triggers for the specified repository. """
-    triggers = model.build.list_build_triggers(namespace_name, repo_name)
-    return {
-      'triggers': [trigger_view(trigger, can_admin=True) for trigger in triggers]
+    @require_repo_admin
+    @disallow_for_app_repositories
+    @nickname("listBuildTriggers")
+    def get(self, namespace_name, repo_name):
+        """ List the triggers for the specified repository. """
+        triggers = model.build.list_build_triggers(namespace_name, repo_name)
+        return {
+            "triggers": [trigger_view(trigger, can_admin=True) for trigger in triggers]
+        }
+
+
+@resource("/v1/repository/<apirepopath:repository>/trigger/<trigger_uuid>")
+@path_param("repository", "The full path of the repository. e.g. namespace/name")
+@path_param("trigger_uuid", "The UUID of the build trigger")
+class BuildTrigger(RepositoryParamResource):
+    """ Resource for managing specific build triggers. """
+
+    schemas = {
+        "UpdateTrigger": {
+            "type": "object",
+            "description": "Options for updating a build trigger",
+            "required": ["enabled"],
+            "properties": {
+                "enabled": {
+                    "type": "boolean",
+                    "description": "Whether the build trigger is enabled",
+                }
+            },
+        }
     }
 
+    @require_repo_admin
+    @disallow_for_app_repositories
+    @nickname("getBuildTrigger")
+    def get(self, namespace_name, repo_name, trigger_uuid):
+        """ Get information for the specified build trigger. """
+        return trigger_view(get_trigger(trigger_uuid), can_admin=True)
 
-@resource('/v1/repository/<apirepopath:repository>/trigger/<trigger_uuid>')
-@path_param('repository', 'The full path of the repository. e.g. namespace/name')
-@path_param('trigger_uuid', 'The UUID of the build trigger')
-class BuildTrigger(RepositoryParamResource):
-  """ Resource for managing specific build triggers. """
-  schemas = {
-    'UpdateTrigger': {
-      'type': 'object',
-      'description': 'Options for updating a build trigger',
-      'required': [
-        'enabled',
-      ],
-      'properties': {
-        'enabled': {
-          'type': 'boolean',
-          'description': 'Whether the build trigger is enabled',
-        },
-      }
-    },
-  }
+    @require_repo_admin
+    @disallow_for_app_repositories
+    @disallow_for_non_normal_repositories
+    @nickname("updateBuildTrigger")
+    @validate_json_request("UpdateTrigger")
+    def put(self, namespace_name, repo_name, trigger_uuid):
+        """ Updates the specified build trigger. """
+        trigger = get_trigger(trigger_uuid)
 
-  @require_repo_admin
-  @disallow_for_app_repositories
-  @nickname('getBuildTrigger')
-  def get(self, namespace_name, repo_name, trigger_uuid):
-    """ Get information for the specified build trigger. """
-    return trigger_view(get_trigger(trigger_uuid), can_admin=True)
+        handler = BuildTriggerHandler.get_handler(trigger)
+        if not handler.is_active():
+            raise InvalidRequest("Cannot update an unactivated trigger")
 
-  @require_repo_admin
-  @disallow_for_app_repositories
-  @disallow_for_non_normal_repositories
-  @nickname('updateBuildTrigger')
-  @validate_json_request('UpdateTrigger')
-  def put(self, namespace_name, repo_name, trigger_uuid):
-    """ Updates the specified build trigger. """
-    trigger = get_trigger(trigger_uuid)
+        enable = request.get_json()["enabled"]
+        model.build.toggle_build_trigger(trigger, enable)
+        log_action(
+            "toggle_repo_trigger",
+            namespace_name,
+            {
+                "repo": repo_name,
+                "trigger_id": trigger_uuid,
+                "service": trigger.service.name,
+                "enabled": enable,
+            },
+            repo=model.repository.get_repository(namespace_name, repo_name),
+        )
 
-    handler = BuildTriggerHandler.get_handler(trigger)
-    if not handler.is_active():
-      raise InvalidRequest('Cannot update an unactivated trigger')
+        return trigger_view(trigger)
 
-    enable = request.get_json()['enabled']
-    model.build.toggle_build_trigger(trigger, enable)
-    log_action('toggle_repo_trigger', namespace_name,
-                {'repo': repo_name, 'trigger_id': trigger_uuid,
-                'service': trigger.service.name, 'enabled': enable},
-                repo=model.repository.get_repository(namespace_name, repo_name))
-                
-    return trigger_view(trigger)
+    @require_repo_admin
+    @disallow_for_app_repositories
+    @disallow_for_non_normal_repositories
+    @nickname("deleteBuildTrigger")
+    def delete(self, namespace_name, repo_name, trigger_uuid):
+        """ Delete the specified build trigger. """
+        trigger = get_trigger(trigger_uuid)
 
-  @require_repo_admin
-  @disallow_for_app_repositories
-  @disallow_for_non_normal_repositories
-  @nickname('deleteBuildTrigger')
-  def delete(self, namespace_name, repo_name, trigger_uuid):
-    """ Delete the specified build trigger. """
-    trigger = get_trigger(trigger_uuid)
+        handler = BuildTriggerHandler.get_handler(trigger)
+        if handler.is_active():
+            try:
+                handler.deactivate()
+            except TriggerException as ex:
+                # We are just going to eat this error
+                logger.warning("Trigger deactivation problem: %s", ex)
 
-    handler = BuildTriggerHandler.get_handler(trigger)
-    if handler.is_active():
-      try:
-        handler.deactivate()
-      except TriggerException as ex:
-        # We are just going to eat this error
-        logger.warning('Trigger deactivation problem: %s', ex)
+            log_action(
+                "delete_repo_trigger",
+                namespace_name,
+                {
+                    "repo": repo_name,
+                    "trigger_id": trigger_uuid,
+                    "service": trigger.service.name,
+                },
+                repo=model.repository.get_repository(namespace_name, repo_name),
+            )
 
-      log_action('delete_repo_trigger', namespace_name,
-                 {'repo': repo_name, 'trigger_id': trigger_uuid,
-                  'service': trigger.service.name},
-                 repo=model.repository.get_repository(namespace_name, repo_name))
+        trigger.delete_instance(recursive=True)
 
-    trigger.delete_instance(recursive=True)
+        if trigger.write_token is not None:
+            trigger.write_token.delete_instance()
 
-    if trigger.write_token is not None:
-      trigger.write_token.delete_instance()
-
-    return 'No Content', 204
+        return "No Content", 204
 
 
-@resource('/v1/repository/<apirepopath:repository>/trigger/<trigger_uuid>/subdir')
-@path_param('repository', 'The full path of the repository. e.g. namespace/name')
-@path_param('trigger_uuid', 'The UUID of the build trigger')
+@resource("/v1/repository/<apirepopath:repository>/trigger/<trigger_uuid>/subdir")
+@path_param("repository", "The full path of the repository. e.g. namespace/name")
+@path_param("trigger_uuid", "The UUID of the build trigger")
 @internal_only
 class BuildTriggerSubdirs(RepositoryParamResource):
-  """ Custom verb for fetching the subdirs which are buildable for a trigger. """
-  schemas = {
-    'BuildTriggerSubdirRequest': {
-      'type': 'object',
-      'description': 'Arbitrary json.',
-    },
-  }
+    """ Custom verb for fetching the subdirs which are buildable for a trigger. """
 
-  @require_repo_admin
-  @disallow_for_app_repositories
-  @disallow_for_non_normal_repositories
-  @nickname('listBuildTriggerSubdirs')
-  @validate_json_request('BuildTriggerSubdirRequest')
-  def post(self, namespace_name, repo_name, trigger_uuid):
-    """ List the subdirectories available for the specified build trigger and source. """
-    trigger = get_trigger(trigger_uuid)
-
-    user_permission = UserAdminPermission(trigger.connected_user.username)
-    if user_permission.can():
-      new_config_dict = request.get_json()
-      handler = BuildTriggerHandler.get_handler(trigger, new_config_dict)
-
-      try:
-        subdirs = handler.list_build_subdirs()
-        context_map = {}
-        for file in subdirs:
-          context_map = handler.get_parent_directory_mappings(file, context_map)
-
-        return {
-          'dockerfile_paths': ['/' + subdir for subdir in subdirs],
-          'contextMap': context_map,
-          'status': 'success',
+    schemas = {
+        "BuildTriggerSubdirRequest": {
+            "type": "object",
+            "description": "Arbitrary json.",
         }
-      except EmptyRepositoryException as exc:
-        return {
-          'status': 'success',
-          'contextMap': {},
-          'dockerfile_paths': [],
-        }
-      except TriggerException as exc:
-        return {
-          'status': 'error',
-          'message': exc.message,
-        }
-    else:
-      raise Unauthorized()
+    }
+
+    @require_repo_admin
+    @disallow_for_app_repositories
+    @disallow_for_non_normal_repositories
+    @nickname("listBuildTriggerSubdirs")
+    @validate_json_request("BuildTriggerSubdirRequest")
+    def post(self, namespace_name, repo_name, trigger_uuid):
+        """ List the subdirectories available for the specified build trigger and source. """
+        trigger = get_trigger(trigger_uuid)
+
+        user_permission = UserAdminPermission(trigger.connected_user.username)
+        if user_permission.can():
+            new_config_dict = request.get_json()
+            handler = BuildTriggerHandler.get_handler(trigger, new_config_dict)
+
+            try:
+                subdirs = handler.list_build_subdirs()
+                context_map = {}
+                for file in subdirs:
+                    context_map = handler.get_parent_directory_mappings(
+                        file, context_map
+                    )
+
+                return {
+                    "dockerfile_paths": ["/" + subdir for subdir in subdirs],
+                    "contextMap": context_map,
+                    "status": "success",
+                }
+            except EmptyRepositoryException as exc:
+                return {"status": "success", "contextMap": {}, "dockerfile_paths": []}
+            except TriggerException as exc:
+                return {"status": "error", "message": exc.message}
+        else:
+            raise Unauthorized()
 
 
-@resource('/v1/repository/<apirepopath:repository>/trigger/<trigger_uuid>/activate')
-@path_param('repository', 'The full path of the repository. e.g. namespace/name')
-@path_param('trigger_uuid', 'The UUID of the build trigger')
+@resource("/v1/repository/<apirepopath:repository>/trigger/<trigger_uuid>/activate")
+@path_param("repository", "The full path of the repository. e.g. namespace/name")
+@path_param("trigger_uuid", "The UUID of the build trigger")
 class BuildTriggerActivate(RepositoryParamResource):
-  """ Custom verb for activating a build trigger once all required information has been collected.
+    """ Custom verb for activating a build trigger once all required information has been collected.
   """
-  schemas = {
-    'BuildTriggerActivateRequest': {
-      'type': 'object',
-      'required': [
-        'config'
-      ],
-      'properties': {
-        'config': {
-          'type': 'object',
-          'description': 'Arbitrary json.',
-        },
-        'pull_robot': {
-          'type': 'string',
-          'description': 'The name of the robot that will be used to pull images.'
+
+    schemas = {
+        "BuildTriggerActivateRequest": {
+            "type": "object",
+            "required": ["config"],
+            "properties": {
+                "config": {"type": "object", "description": "Arbitrary json."},
+                "pull_robot": {
+                    "type": "string",
+                    "description": "The name of the robot that will be used to pull images.",
+                },
+            },
         }
-      }
-    },
-  }
+    }
 
-  @require_repo_admin
-  @disallow_for_app_repositories
-  @disallow_for_non_normal_repositories
-  @nickname('activateBuildTrigger')
-  @validate_json_request('BuildTriggerActivateRequest')
-  def post(self, namespace_name, repo_name, trigger_uuid):
-    """ Activate the specified build trigger. """
-    trigger = get_trigger(trigger_uuid)
-    handler = BuildTriggerHandler.get_handler(trigger)
-    if handler.is_active():
-      raise InvalidRequest('Trigger config is not sufficient for activation.')
+    @require_repo_admin
+    @disallow_for_app_repositories
+    @disallow_for_non_normal_repositories
+    @nickname("activateBuildTrigger")
+    @validate_json_request("BuildTriggerActivateRequest")
+    def post(self, namespace_name, repo_name, trigger_uuid):
+        """ Activate the specified build trigger. """
+        trigger = get_trigger(trigger_uuid)
+        handler = BuildTriggerHandler.get_handler(trigger)
+        if handler.is_active():
+            raise InvalidRequest("Trigger config is not sufficient for activation.")
 
-    user_permission = UserAdminPermission(trigger.connected_user.username)
-    if user_permission.can():
-      # Update the pull robot (if any).
-      pull_robot_name = request.get_json().get('pull_robot', None)
-      if pull_robot_name:
-        try:
-          pull_robot = model.user.lookup_robot(pull_robot_name)
-        except model.InvalidRobotException:
-          raise NotFound()
+        user_permission = UserAdminPermission(trigger.connected_user.username)
+        if user_permission.can():
+            # Update the pull robot (if any).
+            pull_robot_name = request.get_json().get("pull_robot", None)
+            if pull_robot_name:
+                try:
+                    pull_robot = model.user.lookup_robot(pull_robot_name)
+                except model.InvalidRobotException:
+                    raise NotFound()
 
-        # Make sure the user has administer permissions for the robot's namespace.
-        (robot_namespace, _) = parse_robot_username(pull_robot_name)
-        if not AdministerOrganizationPermission(robot_namespace).can():
-          raise Unauthorized()
+                # Make sure the user has administer permissions for the robot's namespace.
+                (robot_namespace, _) = parse_robot_username(pull_robot_name)
+                if not AdministerOrganizationPermission(robot_namespace).can():
+                    raise Unauthorized()
 
-        # Make sure the namespace matches that of the trigger.
-        if robot_namespace != namespace_name:
-          raise Unauthorized()
+                # Make sure the namespace matches that of the trigger.
+                if robot_namespace != namespace_name:
+                    raise Unauthorized()
 
-        # Set the pull robot.
-        trigger.pull_robot = pull_robot
+                # Set the pull robot.
+                trigger.pull_robot = pull_robot
 
-      # Update the config.
-      new_config_dict = request.get_json()['config']
+            # Update the config.
+            new_config_dict = request.get_json()["config"]
 
-      write_token_name = 'Build Trigger: %s' % trigger.service.name
-      write_token = model.token.create_delegate_token(namespace_name, repo_name, write_token_name,
-                                                      'write')
+            write_token_name = "Build Trigger: %s" % trigger.service.name
+            write_token = model.token.create_delegate_token(
+                namespace_name, repo_name, write_token_name, "write"
+            )
 
-      try:
-        path = url_for('webhooks.build_trigger_webhook', trigger_uuid=trigger.uuid)
-        authed_url = _prepare_webhook_url(app.config['PREFERRED_URL_SCHEME'],
-                                          '$token', write_token.get_code(),
-                                          app.config['SERVER_HOSTNAME'], path)
+            try:
+                path = url_for(
+                    "webhooks.build_trigger_webhook", trigger_uuid=trigger.uuid
+                )
+                authed_url = _prepare_webhook_url(
+                    app.config["PREFERRED_URL_SCHEME"],
+                    "$token",
+                    write_token.get_code(),
+                    app.config["SERVER_HOSTNAME"],
+                    path,
+                )
 
-        handler = BuildTriggerHandler.get_handler(trigger, new_config_dict)
-        final_config, private_config = handler.activate(authed_url)
+                handler = BuildTriggerHandler.get_handler(trigger, new_config_dict)
+                final_config, private_config = handler.activate(authed_url)
 
-        if 'private_key' in private_config:
-          trigger.secure_private_key = DecryptedValue(private_config['private_key'])
+                if "private_key" in private_config:
+                    trigger.secure_private_key = DecryptedValue(
+                        private_config["private_key"]
+                    )
 
-          # TODO(remove-unenc): Remove legacy field.
-          if ActiveDataMigration.has_flag(ERTMigrationFlags.WRITE_OLD_FIELDS):
-            trigger.private_key = private_config['private_key']
+                    # TODO(remove-unenc): Remove legacy field.
+                    if ActiveDataMigration.has_flag(ERTMigrationFlags.WRITE_OLD_FIELDS):
+                        trigger.private_key = private_config["private_key"]
 
-      except TriggerException as exc:
-        write_token.delete_instance()
-        raise request_error(message=exc.message)
+            except TriggerException as exc:
+                write_token.delete_instance()
+                raise request_error(message=exc.message)
 
-      # Save the updated config.
-      update_build_trigger(trigger, final_config, write_token=write_token)
+            # Save the updated config.
+            update_build_trigger(trigger, final_config, write_token=write_token)
 
-      # Log the trigger setup.
-      repo = model.repository.get_repository(namespace_name, repo_name)
-      log_action('setup_repo_trigger', namespace_name,
-                 {'repo': repo_name, 'namespace': namespace_name,
-                  'trigger_id': trigger.uuid, 'service': trigger.service.name,
-                  'pull_robot': trigger.pull_robot.username if trigger.pull_robot else None,
-                  'config': final_config},
-                 repo=repo)
+            # Log the trigger setup.
+            repo = model.repository.get_repository(namespace_name, repo_name)
+            log_action(
+                "setup_repo_trigger",
+                namespace_name,
+                {
+                    "repo": repo_name,
+                    "namespace": namespace_name,
+                    "trigger_id": trigger.uuid,
+                    "service": trigger.service.name,
+                    "pull_robot": trigger.pull_robot.username
+                    if trigger.pull_robot
+                    else None,
+                    "config": final_config,
+                },
+                repo=repo,
+            )
 
-      return trigger_view(trigger, can_admin=True)
-    else:
-      raise Unauthorized()
+            return trigger_view(trigger, can_admin=True)
+        else:
+            raise Unauthorized()
 
 
-@resource('/v1/repository/<apirepopath:repository>/trigger/<trigger_uuid>/analyze')
-@path_param('repository', 'The full path of the repository. e.g. namespace/name')
-@path_param('trigger_uuid', 'The UUID of the build trigger')
+@resource("/v1/repository/<apirepopath:repository>/trigger/<trigger_uuid>/analyze")
+@path_param("repository", "The full path of the repository. e.g. namespace/name")
+@path_param("trigger_uuid", "The UUID of the build trigger")
 @internal_only
 class BuildTriggerAnalyze(RepositoryParamResource):
-  """ Custom verb for analyzing the config for a build trigger and suggesting various changes
+    """ Custom verb for analyzing the config for a build trigger and suggesting various changes
       (such as a robot account to use for pulling)
   """
-  schemas = {
-    'BuildTriggerAnalyzeRequest': {
-      'type': 'object',
-      'required': [
-        'config'
-      ],
-      'properties': {
-        'config': {
-          'type': 'object',
-          'description': 'Arbitrary json.',
+
+    schemas = {
+        "BuildTriggerAnalyzeRequest": {
+            "type": "object",
+            "required": ["config"],
+            "properties": {
+                "config": {"type": "object", "description": "Arbitrary json."}
+            },
         }
-      }
-    },
-  }
+    }
 
-  @require_repo_admin
-  @disallow_for_app_repositories
-  @disallow_for_non_normal_repositories
-  @nickname('analyzeBuildTrigger')
-  @validate_json_request('BuildTriggerAnalyzeRequest')
-  def post(self, namespace_name, repo_name, trigger_uuid):
-    """ Analyze the specified build trigger configuration. """
-    trigger = get_trigger(trigger_uuid)
+    @require_repo_admin
+    @disallow_for_app_repositories
+    @disallow_for_non_normal_repositories
+    @nickname("analyzeBuildTrigger")
+    @validate_json_request("BuildTriggerAnalyzeRequest")
+    def post(self, namespace_name, repo_name, trigger_uuid):
+        """ Analyze the specified build trigger configuration. """
+        trigger = get_trigger(trigger_uuid)
 
-    if trigger.repository.namespace_user.username != namespace_name:
-      raise NotFound()
+        if trigger.repository.namespace_user.username != namespace_name:
+            raise NotFound()
 
-    if trigger.repository.name != repo_name:
-      raise NotFound()
+        if trigger.repository.name != repo_name:
+            raise NotFound()
 
-    new_config_dict = request.get_json()['config']
-    handler = BuildTriggerHandler.get_handler(trigger, new_config_dict)
-    server_hostname = app.config['SERVER_HOSTNAME']
-    try:
-      trigger_analyzer = TriggerAnalyzer(handler,
-                                         namespace_name,
-                                         server_hostname,
-                                         new_config_dict,
-                                         AdministerOrganizationPermission(namespace_name).can())
-      return trigger_analyzer.analyze_trigger()
-    except TriggerException as rre:
-      return {
-        'status': 'error',
-        'message': 'Could not analyze the repository: %s' % rre.message,
-      }
-    except NotImplementedError:
-      return {
-        'status': 'notimplemented',
-      }
+        new_config_dict = request.get_json()["config"]
+        handler = BuildTriggerHandler.get_handler(trigger, new_config_dict)
+        server_hostname = app.config["SERVER_HOSTNAME"]
+        try:
+            trigger_analyzer = TriggerAnalyzer(
+                handler,
+                namespace_name,
+                server_hostname,
+                new_config_dict,
+                AdministerOrganizationPermission(namespace_name).can(),
+            )
+            return trigger_analyzer.analyze_trigger()
+        except TriggerException as rre:
+            return {
+                "status": "error",
+                "message": "Could not analyze the repository: %s" % rre.message,
+            }
+        except NotImplementedError:
+            return {"status": "notimplemented"}
 
 
-@resource('/v1/repository/<apirepopath:repository>/trigger/<trigger_uuid>/start')
-@path_param('repository', 'The full path of the repository. e.g. namespace/name')
-@path_param('trigger_uuid', 'The UUID of the build trigger')
+@resource("/v1/repository/<apirepopath:repository>/trigger/<trigger_uuid>/start")
+@path_param("repository", "The full path of the repository. e.g. namespace/name")
+@path_param("trigger_uuid", "The UUID of the build trigger")
 class ActivateBuildTrigger(RepositoryParamResource):
-  """ Custom verb to manually activate a build trigger. """
-  schemas = {
-    'RunParameters': {
-      'type': 'object',
-      'description': 'Optional run parameters for activating the build trigger',
-      'properties': {
-        'branch_name': {
-          'type': 'string',
-          'description': '(SCM only) If specified, the name of the branch to build.'
-        },
-        'commit_sha': {
-          'type': 'string',
-          'description': '(Custom Only) If specified, the ref/SHA1 used to checkout a git repository.'
-        },
-        'refs': {
-          'type': ['object', 'null'],
-          'description': '(SCM Only) If specified, the ref to build.'
+    """ Custom verb to manually activate a build trigger. """
+
+    schemas = {
+        "RunParameters": {
+            "type": "object",
+            "description": "Optional run parameters for activating the build trigger",
+            "properties": {
+                "branch_name": {
+                    "type": "string",
+                    "description": "(SCM only) If specified, the name of the branch to build.",
+                },
+                "commit_sha": {
+                    "type": "string",
+                    "description": "(Custom Only) If specified, the ref/SHA1 used to checkout a git repository.",
+                },
+                "refs": {
+                    "type": ["object", "null"],
+                    "description": "(SCM Only) If specified, the ref to build.",
+                },
+            },
+            "additionalProperties": False,
         }
-      },
-      'additionalProperties': False
     }
-  }
 
-  @require_repo_admin
-  @disallow_for_app_repositories
-  @disallow_for_non_normal_repositories
-  @nickname('manuallyStartBuildTrigger')
-  @validate_json_request('RunParameters')
-  def post(self, namespace_name, repo_name, trigger_uuid):
-    """ Manually start a build from the specified trigger. """
-    trigger = get_trigger(trigger_uuid)
-    if not trigger.enabled:
-      raise InvalidRequest('Trigger is not enabled.')
+    @require_repo_admin
+    @disallow_for_app_repositories
+    @disallow_for_non_normal_repositories
+    @nickname("manuallyStartBuildTrigger")
+    @validate_json_request("RunParameters")
+    def post(self, namespace_name, repo_name, trigger_uuid):
+        """ Manually start a build from the specified trigger. """
+        trigger = get_trigger(trigger_uuid)
+        if not trigger.enabled:
+            raise InvalidRequest("Trigger is not enabled.")
 
-    handler = BuildTriggerHandler.get_handler(trigger)
-    if not handler.is_active():
-      raise InvalidRequest('Trigger is not active.')
+        handler = BuildTriggerHandler.get_handler(trigger)
+        if not handler.is_active():
+            raise InvalidRequest("Trigger is not active.")
 
-    try:
-      repo = model.repository.get_repository(namespace_name, repo_name)
-      pull_robot_name = model.build.get_pull_robot_name(trigger)
+        try:
+            repo = model.repository.get_repository(namespace_name, repo_name)
+            pull_robot_name = model.build.get_pull_robot_name(trigger)
 
-      run_parameters = request.get_json()
-      prepared = handler.manual_start(run_parameters=run_parameters)
-      build_request = start_build(repo, prepared, pull_robot_name=pull_robot_name)
-    except TriggerException as tse:
-      raise InvalidRequest(tse.message)
-    except MaximumBuildsQueuedException:
-      abort(429, message='Maximum queued build rate exceeded.')
-    except BuildTriggerDisabledException:
-      abort(400, message='Build trigger is disabled')
+            run_parameters = request.get_json()
+            prepared = handler.manual_start(run_parameters=run_parameters)
+            build_request = start_build(repo, prepared, pull_robot_name=pull_robot_name)
+        except TriggerException as tse:
+            raise InvalidRequest(tse.message)
+        except MaximumBuildsQueuedException:
+            abort(429, message="Maximum queued build rate exceeded.")
+        except BuildTriggerDisabledException:
+            abort(400, message="Build trigger is disabled")
 
-    resp = build_status_view(build_request)
-    repo_string = '%s/%s' % (namespace_name, repo_name)
-    headers = {
-      'Location': api.url_for(RepositoryBuildStatus, repository=repo_string,
-                              build_uuid=build_request.uuid),
-    }
-    return resp, 201, headers
+        resp = build_status_view(build_request)
+        repo_string = "%s/%s" % (namespace_name, repo_name)
+        headers = {
+            "Location": api.url_for(
+                RepositoryBuildStatus,
+                repository=repo_string,
+                build_uuid=build_request.uuid,
+            )
+        }
+        return resp, 201, headers
 
 
-@resource('/v1/repository/<apirepopath:repository>/trigger/<trigger_uuid>/builds')
-@path_param('repository', 'The full path of the repository. e.g. namespace/name')
-@path_param('trigger_uuid', 'The UUID of the build trigger')
+@resource("/v1/repository/<apirepopath:repository>/trigger/<trigger_uuid>/builds")
+@path_param("repository", "The full path of the repository. e.g. namespace/name")
+@path_param("trigger_uuid", "The UUID of the build trigger")
 class TriggerBuildList(RepositoryParamResource):
-  """ Resource to represent builds that were activated from the specified trigger. """
+    """ Resource to represent builds that were activated from the specified trigger. """
 
-  @require_repo_admin
-  @disallow_for_app_repositories
-  @parse_args()
-  @query_param('limit', 'The maximum number of builds to return', type=int, default=5)
-  @nickname('listTriggerRecentBuilds')
-  def get(self, namespace_name, repo_name, trigger_uuid, parsed_args):
-    """ List the builds started by the specified trigger. """
-    limit = parsed_args['limit']
-    builds = model.build.list_trigger_builds(namespace_name, repo_name, trigger_uuid, limit)
-    return {
-      'builds': [build_status_view(bld) for bld in builds]
-    }
+    @require_repo_admin
+    @disallow_for_app_repositories
+    @parse_args()
+    @query_param("limit", "The maximum number of builds to return", type=int, default=5)
+    @nickname("listTriggerRecentBuilds")
+    def get(self, namespace_name, repo_name, trigger_uuid, parsed_args):
+        """ List the builds started by the specified trigger. """
+        limit = parsed_args["limit"]
+        builds = model.build.list_trigger_builds(
+            namespace_name, repo_name, trigger_uuid, limit
+        )
+        return {"builds": [build_status_view(bld) for bld in builds]}
 
 
 FIELD_VALUE_LIMIT = 30
 
 
-@resource('/v1/repository/<apirepopath:repository>/trigger/<trigger_uuid>/fields/<field_name>')
+@resource(
+    "/v1/repository/<apirepopath:repository>/trigger/<trigger_uuid>/fields/<field_name>"
+)
 @internal_only
 class BuildTriggerFieldValues(RepositoryParamResource):
-  """ Custom verb to fetch a values list for a particular field name. """
+    """ Custom verb to fetch a values list for a particular field name. """
 
-  @require_repo_admin
-  @disallow_for_app_repositories
-  @disallow_for_non_normal_repositories
-  @nickname('listTriggerFieldValues')
-  def post(self, namespace_name, repo_name, trigger_uuid, field_name):
-    """ List the field values for a custom run field. """
-    trigger = get_trigger(trigger_uuid)
+    @require_repo_admin
+    @disallow_for_app_repositories
+    @disallow_for_non_normal_repositories
+    @nickname("listTriggerFieldValues")
+    def post(self, namespace_name, repo_name, trigger_uuid, field_name):
+        """ List the field values for a custom run field. """
+        trigger = get_trigger(trigger_uuid)
 
-    config = request.get_json() or None
-    if AdministerRepositoryPermission(namespace_name, repo_name).can():
-      handler = BuildTriggerHandler.get_handler(trigger, config)
-      values = handler.list_field_values(field_name, limit=FIELD_VALUE_LIMIT)
+        config = request.get_json() or None
+        if AdministerRepositoryPermission(namespace_name, repo_name).can():
+            handler = BuildTriggerHandler.get_handler(trigger, config)
+            values = handler.list_field_values(field_name, limit=FIELD_VALUE_LIMIT)
 
-      if values is None:
-        raise NotFound()
+            if values is None:
+                raise NotFound()
 
-      return {
-        'values': values
-      }
-    else:
-      raise Unauthorized()
+            return {"values": values}
+        else:
+            raise Unauthorized()
 
 
-@resource('/v1/repository/<apirepopath:repository>/trigger/<trigger_uuid>/sources')
-@path_param('repository', 'The full path of the repository. e.g. namespace/name')
-@path_param('trigger_uuid', 'The UUID of the build trigger')
+@resource("/v1/repository/<apirepopath:repository>/trigger/<trigger_uuid>/sources")
+@path_param("repository", "The full path of the repository. e.g. namespace/name")
+@path_param("trigger_uuid", "The UUID of the build trigger")
 @internal_only
 class BuildTriggerSources(RepositoryParamResource):
-  """ Custom verb to fetch the list of build sources for the trigger config. """
-  schemas = {
-    'BuildTriggerSourcesRequest': {
-      'type': 'object',
-      'description': 'Specifies the namespace under which to fetch sources',
-      'properties': {
-        'namespace': {
-          'type': 'string',
-          'description': 'The namespace for which to fetch sources'
-        },
-      },
-    }
-  }
+    """ Custom verb to fetch the list of build sources for the trigger config. """
 
-  @require_repo_admin
-  @disallow_for_app_repositories
-  @disallow_for_non_normal_repositories
-  @nickname('listTriggerBuildSources')
-  @validate_json_request('BuildTriggerSourcesRequest')
-  def post(self, namespace_name, repo_name, trigger_uuid):
-    """ List the build sources for the trigger configuration thus far. """
-    namespace = request.get_json()['namespace']
-
-    trigger = get_trigger(trigger_uuid)
-
-    user_permission = UserAdminPermission(trigger.connected_user.username)
-    if user_permission.can():
-      handler = BuildTriggerHandler.get_handler(trigger)
-
-      try:
-        return {
-          'sources': handler.list_build_sources_for_namespace(namespace)
+    schemas = {
+        "BuildTriggerSourcesRequest": {
+            "type": "object",
+            "description": "Specifies the namespace under which to fetch sources",
+            "properties": {
+                "namespace": {
+                    "type": "string",
+                    "description": "The namespace for which to fetch sources",
+                }
+            },
         }
-      except TriggerException as rre:
-        raise InvalidRequest(rre.message)
-    else:
-      raise Unauthorized()
+    }
+
+    @require_repo_admin
+    @disallow_for_app_repositories
+    @disallow_for_non_normal_repositories
+    @nickname("listTriggerBuildSources")
+    @validate_json_request("BuildTriggerSourcesRequest")
+    def post(self, namespace_name, repo_name, trigger_uuid):
+        """ List the build sources for the trigger configuration thus far. """
+        namespace = request.get_json()["namespace"]
+
+        trigger = get_trigger(trigger_uuid)
+
+        user_permission = UserAdminPermission(trigger.connected_user.username)
+        if user_permission.can():
+            handler = BuildTriggerHandler.get_handler(trigger)
+
+            try:
+                return {"sources": handler.list_build_sources_for_namespace(namespace)}
+            except TriggerException as rre:
+                raise InvalidRequest(rre.message)
+        else:
+            raise Unauthorized()
 
 
-@resource('/v1/repository/<apirepopath:repository>/trigger/<trigger_uuid>/namespaces')
-@path_param('repository', 'The full path of the repository. e.g. namespace/name')
-@path_param('trigger_uuid', 'The UUID of the build trigger')
+@resource("/v1/repository/<apirepopath:repository>/trigger/<trigger_uuid>/namespaces")
+@path_param("repository", "The full path of the repository. e.g. namespace/name")
+@path_param("trigger_uuid", "The UUID of the build trigger")
 @internal_only
 class BuildTriggerSourceNamespaces(RepositoryParamResource):
-  """ Custom verb to fetch the list of namespaces (orgs, projects, etc) for the trigger config. """
+    """ Custom verb to fetch the list of namespaces (orgs, projects, etc) for the trigger config. """
 
-  @require_repo_admin
-  @disallow_for_app_repositories
-  @nickname('listTriggerBuildSourceNamespaces')
-  def get(self, namespace_name, repo_name, trigger_uuid):
-    """ List the build sources for the trigger configuration thus far. """
-    trigger = get_trigger(trigger_uuid)
+    @require_repo_admin
+    @disallow_for_app_repositories
+    @nickname("listTriggerBuildSourceNamespaces")
+    def get(self, namespace_name, repo_name, trigger_uuid):
+        """ List the build sources for the trigger configuration thus far. """
+        trigger = get_trigger(trigger_uuid)
 
-    user_permission = UserAdminPermission(trigger.connected_user.username)
-    if user_permission.can():
-      handler = BuildTriggerHandler.get_handler(trigger)
-
-      try:
-        return {
-          'namespaces': handler.list_build_source_namespaces()
-        }
-      except TriggerException as rre:
-        raise InvalidRequest(rre.message)
-    else:
-      raise Unauthorized()
+        user_permission = UserAdminPermission(trigger.connected_user.username)
+        if user_permission.can():
+            handler = BuildTriggerHandler.get_handler(trigger)
 
+            try:
+                return {"namespaces": handler.list_build_source_namespaces()}
+            except TriggerException as rre:
+                raise InvalidRequest(rre.message)
+        else:
+            raise Unauthorized()
diff --git a/endpoints/api/trigger_analyzer.py b/endpoints/api/trigger_analyzer.py
index 2a29e502e..cce1f5517 100644
--- a/endpoints/api/trigger_analyzer.py
+++ b/endpoints/api/trigger_analyzer.py
@@ -6,117 +6,163 @@ from util import dockerfileparse
 
 
 def is_parent(context, dockerfile_path):
-  """ This checks whether the context is a parent of the dockerfile_path"""
-  if context == "" or dockerfile_path == "":
-    return False
+    """ This checks whether the context is a parent of the dockerfile_path"""
+    if context == "" or dockerfile_path == "":
+        return False
 
-  normalized_context = path.normpath(context)
-  if normalized_context[len(normalized_context) - 1] != path.sep:
-    normalized_context += path.sep
+    normalized_context = path.normpath(context)
+    if normalized_context[len(normalized_context) - 1] != path.sep:
+        normalized_context += path.sep
 
-  if normalized_context[0] != path.sep:
-    normalized_context = path.sep + normalized_context
+    if normalized_context[0] != path.sep:
+        normalized_context = path.sep + normalized_context
 
-  normalized_subdir = path.normpath(path.dirname(dockerfile_path))
-  if normalized_subdir[0] != path.sep:
-    normalized_subdir = path.sep + normalized_subdir
+    normalized_subdir = path.normpath(path.dirname(dockerfile_path))
+    if normalized_subdir[0] != path.sep:
+        normalized_subdir = path.sep + normalized_subdir
 
-  if normalized_subdir[len(normalized_subdir) - 1] != path.sep:
-    normalized_subdir += path.sep
+    if normalized_subdir[len(normalized_subdir) - 1] != path.sep:
+        normalized_subdir += path.sep
 
-  return normalized_subdir.startswith(normalized_context)
+    return normalized_subdir.startswith(normalized_context)
 
 
 class TriggerAnalyzer:
-  """ This analyzes triggers and returns the appropriate trigger and robot view to the frontend. """
+    """ This analyzes triggers and returns the appropriate trigger and robot view to the frontend. """
 
-  def __init__(self, handler, namespace_name, server_hostname, new_config_dict, admin_org_permission):
-    self.handler = handler
-    self.namespace_name = namespace_name
-    self.server_hostname = server_hostname
-    self.new_config_dict = new_config_dict
-    self.admin_org_permission = admin_org_permission
+    def __init__(
+        self,
+        handler,
+        namespace_name,
+        server_hostname,
+        new_config_dict,
+        admin_org_permission,
+    ):
+        self.handler = handler
+        self.namespace_name = namespace_name
+        self.server_hostname = server_hostname
+        self.new_config_dict = new_config_dict
+        self.admin_org_permission = admin_org_permission
 
-  def analyze_trigger(self):
-    # Load the contents of the Dockerfile.
-    contents = self.handler.load_dockerfile_contents()
-    if not contents:
-      return self.analyze_view(self.namespace_name, None, 'warning',
-                               message='Specified Dockerfile path for the trigger was not found on the main ' +
-                                       'branch. This trigger may fail.')
+    def analyze_trigger(self):
+        # Load the contents of the Dockerfile.
+        contents = self.handler.load_dockerfile_contents()
+        if not contents:
+            return self.analyze_view(
+                self.namespace_name,
+                None,
+                "warning",
+                message="Specified Dockerfile path for the trigger was not found on the main "
+                + "branch. This trigger may fail.",
+            )
 
-    # Parse the contents of the Dockerfile.
-    parsed = dockerfileparse.parse_dockerfile(contents)
-    if not parsed:
-      return self.analyze_view(self.namespace_name, None, 'error', message='Could not parse the Dockerfile specified')
+        # Parse the contents of the Dockerfile.
+        parsed = dockerfileparse.parse_dockerfile(contents)
+        if not parsed:
+            return self.analyze_view(
+                self.namespace_name,
+                None,
+                "error",
+                message="Could not parse the Dockerfile specified",
+            )
 
-    # Check whether the dockerfile_path is correct
-    if self.new_config_dict.get('context') and not is_parent(self.new_config_dict.get('context'),
-                                                             self.new_config_dict.get('dockerfile_path')):
-        return self.analyze_view(self.namespace_name, None, 'error',
-                                 message='Dockerfile, %s, is not a child of the context, %s.' %
-                                         (self.new_config_dict.get('context'),
-                                          self.new_config_dict.get('dockerfile_path')))
+        # Check whether the dockerfile_path is correct
+        if self.new_config_dict.get("context") and not is_parent(
+            self.new_config_dict.get("context"),
+            self.new_config_dict.get("dockerfile_path"),
+        ):
+            return self.analyze_view(
+                self.namespace_name,
+                None,
+                "error",
+                message="Dockerfile, %s, is not a child of the context, %s."
+                % (
+                    self.new_config_dict.get("context"),
+                    self.new_config_dict.get("dockerfile_path"),
+                ),
+            )
 
-    # Determine the base image (i.e. the FROM) for the Dockerfile.
-    base_image = parsed.get_base_image()
-    if not base_image:
-      return self.analyze_view(self.namespace_name, None, 'warning', message='No FROM line found in the Dockerfile')
+        # Determine the base image (i.e. the FROM) for the Dockerfile.
+        base_image = parsed.get_base_image()
+        if not base_image:
+            return self.analyze_view(
+                self.namespace_name,
+                None,
+                "warning",
+                message="No FROM line found in the Dockerfile",
+            )
 
-    # Check to see if the base image lives in Quay.
-    quay_registry_prefix = '%s/' % self.server_hostname
-    if not base_image.startswith(quay_registry_prefix):
-      return self.analyze_view(self.namespace_name, None, 'publicbase')
+        # Check to see if the base image lives in Quay.
+        quay_registry_prefix = "%s/" % self.server_hostname
+        if not base_image.startswith(quay_registry_prefix):
+            return self.analyze_view(self.namespace_name, None, "publicbase")
 
-    # Lookup the repository in Quay.
-    result = str(base_image)[len(quay_registry_prefix):].split('/', 2)
-    if len(result) != 2:
-      msg = '"%s" is not a valid Quay repository path' % base_image
-      return self.analyze_view(self.namespace_name, None, 'warning', message=msg)
+        # Lookup the repository in Quay.
+        result = str(base_image)[len(quay_registry_prefix) :].split("/", 2)
+        if len(result) != 2:
+            msg = '"%s" is not a valid Quay repository path' % base_image
+            return self.analyze_view(self.namespace_name, None, "warning", message=msg)
 
-    (base_namespace, base_repository) = result
-    found_repository = model.repository.get_repository(base_namespace, base_repository)
-    if not found_repository:
-      return self.analyze_view(self.namespace_name, None, 'error',
-                               message='Repository "%s" referenced by the Dockerfile was not found' % base_image)
+        (base_namespace, base_repository) = result
+        found_repository = model.repository.get_repository(
+            base_namespace, base_repository
+        )
+        if not found_repository:
+            return self.analyze_view(
+                self.namespace_name,
+                None,
+                "error",
+                message='Repository "%s" referenced by the Dockerfile was not found'
+                % base_image,
+            )
 
-    # If the repository is private and the user cannot see that repo, then
-    # mark it as not found.
-    can_read = permissions.ReadRepositoryPermission(base_namespace, base_repository)
-    if found_repository.visibility.name != 'public' and not can_read:
-      return self.analyze_view(self.namespace_name, None, 'error',
-                               message='Repository "%s" referenced by the Dockerfile was not found' % base_image)
+        # If the repository is private and the user cannot see that repo, then
+        # mark it as not found.
+        can_read = permissions.ReadRepositoryPermission(base_namespace, base_repository)
+        if found_repository.visibility.name != "public" and not can_read:
+            return self.analyze_view(
+                self.namespace_name,
+                None,
+                "error",
+                message='Repository "%s" referenced by the Dockerfile was not found'
+                % base_image,
+            )
 
-    if found_repository.visibility.name == 'public':
-      return self.analyze_view(base_namespace, base_repository, 'publicbase')
+        if found_repository.visibility.name == "public":
+            return self.analyze_view(base_namespace, base_repository, "publicbase")
 
-    return self.analyze_view(base_namespace, base_repository, 'requiresrobot')
+        return self.analyze_view(base_namespace, base_repository, "requiresrobot")
 
-  def analyze_view(self, image_namespace, image_repository, status, message=None):
-    # Retrieve the list of robots and mark whether they have read access already.
-    robots = []
-    if self.admin_org_permission:
-      if image_repository is not None:
-        perm_query = model.user.get_all_repo_users_transitive(image_namespace, image_repository)
-        user_ids_with_permission = set([user.id for user in perm_query])
-      else:
-        user_ids_with_permission = set()
+    def analyze_view(self, image_namespace, image_repository, status, message=None):
+        # Retrieve the list of robots and mark whether they have read access already.
+        robots = []
+        if self.admin_org_permission:
+            if image_repository is not None:
+                perm_query = model.user.get_all_repo_users_transitive(
+                    image_namespace, image_repository
+                )
+                user_ids_with_permission = set([user.id for user in perm_query])
+            else:
+                user_ids_with_permission = set()
+
+            def robot_view(robot):
+                return {
+                    "name": robot.username,
+                    "kind": "user",
+                    "is_robot": True,
+                    "can_read": robot.id in user_ids_with_permission,
+                }
+
+            robots = [
+                robot_view(robot)
+                for robot in model.user.list_namespace_robots(image_namespace)
+            ]
 
-      def robot_view(robot):
         return {
-          'name': robot.username,
-          'kind': 'user',
-          'is_robot': True,
-          'can_read': robot.id in user_ids_with_permission,
+            "namespace": image_namespace,
+            "name": image_repository,
+            "robots": robots,
+            "status": status,
+            "message": message,
+            "is_admin": self.admin_org_permission,
         }
-
-      robots = [robot_view(robot) for robot in model.user.list_namespace_robots(image_namespace)]
-
-    return {
-      'namespace': image_namespace,
-      'name': image_repository,
-      'robots': robots,
-      'status': status,
-      'message': message,
-      'is_admin': self.admin_org_permission,
-    }
diff --git a/endpoints/appr/__init__.py b/endpoints/appr/__init__.py
index c998d8a95..759058c9e 100644
--- a/endpoints/appr/__init__.py
+++ b/endpoints/appr/__init__.py
@@ -6,38 +6,49 @@ from cnr.exception import Forbidden
 from flask import Blueprint
 
 from app import metric_queue
-from auth.permissions import (AdministerRepositoryPermission, ReadRepositoryPermission,
-                              ModifyRepositoryPermission)
+from auth.permissions import (
+    AdministerRepositoryPermission,
+    ReadRepositoryPermission,
+    ModifyRepositoryPermission,
+)
 from endpoints.appr.decorators import require_repo_permission
 from util.metrics.metricqueue import time_blueprint
 
 
-appr_bp = Blueprint('appr', __name__)
+appr_bp = Blueprint("appr", __name__)
 time_blueprint(appr_bp, metric_queue)
 logger = logging.getLogger(__name__)
 
 
 def _raise_method(repository, scopes):
-  raise Forbidden("Unauthorized access for: %s" % repository,
-                  {"package": repository, "scopes": scopes})
+    raise Forbidden(
+        "Unauthorized access for: %s" % repository,
+        {"package": repository, "scopes": scopes},
+    )
 
 
 def _get_reponame_kwargs(*args, **kwargs):
-  return [kwargs['namespace'], kwargs['package_name']]
+    return [kwargs["namespace"], kwargs["package_name"]]
 
 
-require_app_repo_read = require_repo_permission(ReadRepositoryPermission,
-                                                scopes=['pull'],
-                                                allow_public=True,
-                                                raise_method=_raise_method,
-                                                get_reponame_method=_get_reponame_kwargs)
+require_app_repo_read = require_repo_permission(
+    ReadRepositoryPermission,
+    scopes=["pull"],
+    allow_public=True,
+    raise_method=_raise_method,
+    get_reponame_method=_get_reponame_kwargs,
+)
 
-require_app_repo_write = require_repo_permission(ModifyRepositoryPermission,
-                                                 scopes=['pull', 'push'],
-                                                 raise_method=_raise_method,
-                                                 get_reponame_method=_get_reponame_kwargs)
+require_app_repo_write = require_repo_permission(
+    ModifyRepositoryPermission,
+    scopes=["pull", "push"],
+    raise_method=_raise_method,
+    get_reponame_method=_get_reponame_kwargs,
+)
 
-require_app_repo_admin = require_repo_permission(AdministerRepositoryPermission,
-                                                 scopes=['pull', 'push'],
-                                                 raise_method=_raise_method,
-                                                 get_reponame_method=_get_reponame_kwargs)
+require_app_repo_admin = require_repo_permission(
+    AdministerRepositoryPermission,
+    scopes=["pull", "push"],
+    raise_method=_raise_method,
+    get_reponame_method=_get_reponame_kwargs,
+)
diff --git a/endpoints/appr/cnr_backend.py b/endpoints/appr/cnr_backend.py
index a9e1b2539..26008226e 100644
--- a/endpoints/appr/cnr_backend.py
+++ b/endpoints/appr/cnr_backend.py
@@ -13,165 +13,177 @@ from util.request import get_request_ip
 
 
 class Blob(BlobBase):
-  @classmethod
-  def upload_url(cls, digest):
-    return "cnr/blobs/sha256/%s/%s" % (digest[0:2], digest)
+    @classmethod
+    def upload_url(cls, digest):
+        return "cnr/blobs/sha256/%s/%s" % (digest[0:2], digest)
 
-  def save(self, content_media_type):
-    model.store_blob(self, content_media_type)
+    def save(self, content_media_type):
+        model.store_blob(self, content_media_type)
 
-  @classmethod
-  def delete(cls, package_name, digest):
-    pass
+    @classmethod
+    def delete(cls, package_name, digest):
+        pass
 
-  @classmethod
-  def _fetch_b64blob(cls, package_name, digest):
-    blobpath = cls.upload_url(digest)
-    locations = model.get_blob_locations(digest)
-    if not locations:
-      raise_package_not_found(package_name, digest)
-    return base64.b64encode(storage.get_content(locations, blobpath))
+    @classmethod
+    def _fetch_b64blob(cls, package_name, digest):
+        blobpath = cls.upload_url(digest)
+        locations = model.get_blob_locations(digest)
+        if not locations:
+            raise_package_not_found(package_name, digest)
+        return base64.b64encode(storage.get_content(locations, blobpath))
 
-  @classmethod
-  def download_url(cls, package_name, digest):
-    blobpath = cls.upload_url(digest)
-    locations = model.get_blob_locations(digest)
-    if not locations:
-      raise_package_not_found(package_name, digest)
-    return storage.get_direct_download_url(locations, blobpath, get_request_ip())
+    @classmethod
+    def download_url(cls, package_name, digest):
+        blobpath = cls.upload_url(digest)
+        locations = model.get_blob_locations(digest)
+        if not locations:
+            raise_package_not_found(package_name, digest)
+        return storage.get_direct_download_url(locations, blobpath, get_request_ip())
 
 
 class Channel(ChannelBase):
-  """ CNR Channel model implemented against the Quay data model. """
+    """ CNR Channel model implemented against the Quay data model. """
 
-  def __init__(self, name, package, current=None):
-    super(Channel, self).__init__(name, package, current=current)
-    self._channel_data = None
+    def __init__(self, name, package, current=None):
+        super(Channel, self).__init__(name, package, current=current)
+        self._channel_data = None
 
-  def _exists(self):
-    """ Check if the channel is saved already """
-    return model.channel_exists(self.package, self.name)
+    def _exists(self):
+        """ Check if the channel is saved already """
+        return model.channel_exists(self.package, self.name)
 
-  @classmethod
-  def get(cls, name, package):
-    chanview = model.fetch_channel(package, name, with_releases=False)
-    return cls(name, package, chanview.current)
+    @classmethod
+    def get(cls, name, package):
+        chanview = model.fetch_channel(package, name, with_releases=False)
+        return cls(name, package, chanview.current)
 
-  def save(self):
-    model.update_channel(self.package, self.name, self.current)
+    def save(self):
+        model.update_channel(self.package, self.name, self.current)
 
-  def delete(self):
-    model.delete_channel(self.package, self.name)
+    def delete(self):
+        model.delete_channel(self.package, self.name)
 
-  @classmethod
-  def all(cls, package_name):
-    return [
-      Channel(c.name, package_name, c.current) for c in model.list_channels(package_name)
-    ]
+    @classmethod
+    def all(cls, package_name):
+        return [
+            Channel(c.name, package_name, c.current)
+            for c in model.list_channels(package_name)
+        ]
 
-  @property
-  def _channel(self):
-    if self._channel_data is None:
-      self._channel_data = model.fetch_channel(self.package, self.name)
-    return self._channel_data
+    @property
+    def _channel(self):
+        if self._channel_data is None:
+            self._channel_data = model.fetch_channel(self.package, self.name)
+        return self._channel_data
 
-  def releases(self):
-    """ Returns the list of versions """
-    return self._channel.releases
+    def releases(self):
+        """ Returns the list of versions """
+        return self._channel.releases
 
-  def _add_release(self, release):
-    return model.update_channel(self.package, self.name, release)._asdict
+    def _add_release(self, release):
+        return model.update_channel(self.package, self.name, release)._asdict
 
-  def _remove_release(self, release):
-    model.delete_channel(self.package, self.name)
+    def _remove_release(self, release):
+        model.delete_channel(self.package, self.name)
 
 
 class User(object):
-  """ User in CNR models """
+    """ User in CNR models """
 
-  @classmethod
-  def get_user(cls, username, password):
-    """ Returns True if user creds is valid """
-    return model.get_user(username, password)
+    @classmethod
+    def get_user(cls, username, password):
+        """ Returns True if user creds is valid """
+        return model.get_user(username, password)
 
 
 class Package(PackageBase):
-  """ CNR Package model implemented against the Quay data model. """
+    """ CNR Package model implemented against the Quay data model. """
 
-  @classmethod
-  def _apptuple_to_dict(cls, apptuple):
-    return {
-      'release': apptuple.release,
-      'created_at': apptuple.created_at,
-      'digest': apptuple.manifest.digest,
-      'mediaType': apptuple.manifest.mediaType,
-      'package': apptuple.name,
-      'content': apptuple.manifest.content._asdict()
-    }
+    @classmethod
+    def _apptuple_to_dict(cls, apptuple):
+        return {
+            "release": apptuple.release,
+            "created_at": apptuple.created_at,
+            "digest": apptuple.manifest.digest,
+            "mediaType": apptuple.manifest.mediaType,
+            "package": apptuple.name,
+            "content": apptuple.manifest.content._asdict(),
+        }
 
-  @classmethod
-  def create_repository(cls, package_name, visibility, owner):
-    model.create_application(package_name, visibility, owner)
+    @classmethod
+    def create_repository(cls, package_name, visibility, owner):
+        model.create_application(package_name, visibility, owner)
 
-  @classmethod
-  def exists(cls, package_name):
-    return model.application_exists(package_name)
+    @classmethod
+    def exists(cls, package_name):
+        return model.application_exists(package_name)
 
-  @classmethod
-  def all(cls, organization=None, media_type=None, search=None, username=None, **kwargs):
-    return [
-      dict(x._asdict())
-      for x in model.list_applications(namespace=organization, media_type=media_type,
-                                               search=search, username=username)
-    ]
+    @classmethod
+    def all(
+        cls, organization=None, media_type=None, search=None, username=None, **kwargs
+    ):
+        return [
+            dict(x._asdict())
+            for x in model.list_applications(
+                namespace=organization,
+                media_type=media_type,
+                search=search,
+                username=username,
+            )
+        ]
 
-  @classmethod
-  def _fetch(cls, package_name, release, media_type):
-    data = model.fetch_release(package_name, release, manifest_media_type(media_type))
-    return cls._apptuple_to_dict(data)
+    @classmethod
+    def _fetch(cls, package_name, release, media_type):
+        data = model.fetch_release(
+            package_name, release, manifest_media_type(media_type)
+        )
+        return cls._apptuple_to_dict(data)
 
-  @classmethod
-  def all_releases(cls, package_name, media_type=None):
-    return model.list_releases(package_name, media_type)
+    @classmethod
+    def all_releases(cls, package_name, media_type=None):
+        return model.list_releases(package_name, media_type)
 
-  @classmethod
-  def search(cls, query, username=None):
-    return model.basic_search(query, username=username)
+    @classmethod
+    def search(cls, query, username=None):
+        return model.basic_search(query, username=username)
 
-  def _save(self, force=False, **kwargs):
-    user = kwargs['user']
-    visibility = kwargs['visibility']
-    model.create_release(self, user, visibility, force)
+    def _save(self, force=False, **kwargs):
+        user = kwargs["user"]
+        visibility = kwargs["visibility"]
+        model.create_release(self, user, visibility, force)
 
-  @classmethod
-  def _delete(cls, package_name, release, media_type):
-    model.delete_release(package_name, release, manifest_media_type(media_type))
+    @classmethod
+    def _delete(cls, package_name, release, media_type):
+        model.delete_release(package_name, release, manifest_media_type(media_type))
 
-  @classmethod
-  def isdeleted_release(cls, package, release):
-    return model.release_exists(package, release)
+    @classmethod
+    def isdeleted_release(cls, package, release):
+        return model.release_exists(package, release)
 
-  def channels(self, channel_class, iscurrent=True):
-    return [
-      c.name
-      for c in model.list_release_channels(self.package, self.release, active=iscurrent)
-    ]
+    def channels(self, channel_class, iscurrent=True):
+        return [
+            c.name
+            for c in model.list_release_channels(
+                self.package, self.release, active=iscurrent
+            )
+        ]
 
-  @classmethod
-  def manifests(cls, package, release=None):
-    return model.list_manifests(package, release)
+    @classmethod
+    def manifests(cls, package, release=None):
+        return model.list_manifests(package, release)
 
-  @classmethod
-  def dump_all(cls, blob_cls):
-    raise NotImplementedError
+    @classmethod
+    def dump_all(cls, blob_cls):
+        raise NotImplementedError
 
 
 class QuayDB(CnrDB):
-  """ Wrapper Class to embed all CNR Models """
-  Channel = Channel
-  Package = Package
-  Blob = Blob
+    """ Wrapper Class to embed all CNR Models """
 
-  @classmethod
-  def reset_db(cls, force=False):
-    pass
+    Channel = Channel
+    Package = Package
+    Blob = Blob
+
+    @classmethod
+    def reset_db(cls, force=False):
+        pass
diff --git a/endpoints/appr/decorators.py b/endpoints/appr/decorators.py
index 8df6a46a9..59eb6666e 100644
--- a/endpoints/appr/decorators.py
+++ b/endpoints/appr/decorators.py
@@ -10,43 +10,61 @@ logger = logging.getLogger(__name__)
 
 
 def _raise_unauthorized(repository, scopes):
-  raise StandardError("Unauthorized acces to %s", repository)
+    raise StandardError("Unauthorized acces to %s", repository)
 
 
 def _get_reponame_kwargs(*args, **kwargs):
-  return [kwargs['namespace'], kwargs['package_name']]
+    return [kwargs["namespace"], kwargs["package_name"]]
 
 
 def disallow_for_image_repository(get_reponame_method=_get_reponame_kwargs):
-  def wrapper(func):
-    @wraps(func)
-    def wrapped(*args, **kwargs):
-      namespace_name, repo_name = get_reponame_method(*args, **kwargs)
-      image_repo = model.repository.get_repository(namespace_name, repo_name, kind_filter='image')
-      if image_repo is not None:
-        logger.debug('Tried to invoked a CNR method on an image repository')
-        abort(405, message='Cannot push an application to an image repository with the same name')
-      return func(*args, **kwargs)
-    return wrapped
-  return wrapper
+    def wrapper(func):
+        @wraps(func)
+        def wrapped(*args, **kwargs):
+            namespace_name, repo_name = get_reponame_method(*args, **kwargs)
+            image_repo = model.repository.get_repository(
+                namespace_name, repo_name, kind_filter="image"
+            )
+            if image_repo is not None:
+                logger.debug("Tried to invoked a CNR method on an image repository")
+                abort(
+                    405,
+                    message="Cannot push an application to an image repository with the same name",
+                )
+            return func(*args, **kwargs)
+
+        return wrapped
+
+    return wrapper
 
 
-def require_repo_permission(permission_class, scopes=None, allow_public=False,
-                            raise_method=_raise_unauthorized,
-                            get_reponame_method=_get_reponame_kwargs):
-  def wrapper(func):
-    @wraps(func)
-    @disallow_for_image_repository(get_reponame_method=get_reponame_method)
-    def wrapped(*args, **kwargs):
-      namespace_name, repo_name = get_reponame_method(*args, **kwargs)
-      logger.debug('Checking permission %s for repo: %s/%s', permission_class,
-                   namespace_name, repo_name)
-      permission = permission_class(namespace_name, repo_name)
-      if (permission.can() or
-          (allow_public and
-           model.repository.repository_is_public(namespace_name, repo_name))):
-        return func(*args, **kwargs)
-      repository = namespace_name + '/' + repo_name
-      raise_method(repository, scopes)
-    return wrapped
-  return wrapper
+def require_repo_permission(
+    permission_class,
+    scopes=None,
+    allow_public=False,
+    raise_method=_raise_unauthorized,
+    get_reponame_method=_get_reponame_kwargs,
+):
+    def wrapper(func):
+        @wraps(func)
+        @disallow_for_image_repository(get_reponame_method=get_reponame_method)
+        def wrapped(*args, **kwargs):
+            namespace_name, repo_name = get_reponame_method(*args, **kwargs)
+            logger.debug(
+                "Checking permission %s for repo: %s/%s",
+                permission_class,
+                namespace_name,
+                repo_name,
+            )
+            permission = permission_class(namespace_name, repo_name)
+            if permission.can() or (
+                allow_public
+                and model.repository.repository_is_public(namespace_name, repo_name)
+            ):
+                return func(*args, **kwargs)
+            repository = namespace_name + "/" + repo_name
+            raise_method(repository, scopes)
+
+        return wrapped
+
+    return wrapper
diff --git a/endpoints/appr/models_cnr.py b/endpoints/appr/models_cnr.py
index 89216127c..8cc566c72 100644
--- a/endpoints/appr/models_cnr.py
+++ b/endpoints/appr/models_cnr.py
@@ -12,142 +12,183 @@ from data import appr_model
 from data.database import Repository, MediaType, db_transaction
 from data.appr_model.models import NEW_MODELS
 from endpoints.appr.models_interface import (
-  ApplicationManifest, ApplicationRelease, ApplicationSummaryView, AppRegistryDataInterface,
-  BlobDescriptor, ChannelView, ChannelReleasesView)
+    ApplicationManifest,
+    ApplicationRelease,
+    ApplicationSummaryView,
+    AppRegistryDataInterface,
+    BlobDescriptor,
+    ChannelView,
+    ChannelReleasesView,
+)
 from util.audit import track_and_log
 from util.morecollections import AttrDict
 from util.names import parse_robot_username
 
 
-
 class ReadOnlyException(CnrException):
-  status_code = 405
-  errorcode = "read-only"
+    status_code = 405
+    errorcode = "read-only"
 
 
 def _strip_sha256_header(digest):
-  if digest.startswith('sha256:'):
-    return digest.split('sha256:')[1]
-  return digest
+    if digest.startswith("sha256:"):
+        return digest.split("sha256:")[1]
+    return digest
 
 
 def _split_package_name(package):
-  """ Returns the namespace and package-name """
-  return package.split("/")
+    """ Returns the namespace and package-name """
+    return package.split("/")
 
 
 def _join_package_name(ns, name):
-  """ Returns a app-name in the 'namespace/name' format """
-  return "%s/%s" % (ns, name)
+    """ Returns a app-name in the 'namespace/name' format """
+    return "%s/%s" % (ns, name)
 
 
 def _timestamp_to_iso(timestamp, in_ms=True):
-  if in_ms:
-    timestamp = timestamp / 1000
-  return datetime.fromtimestamp(timestamp).isoformat()
+    if in_ms:
+        timestamp = timestamp / 1000
+    return datetime.fromtimestamp(timestamp).isoformat()
 
 
 def _application(package):
-  ns, name = _split_package_name(package)
-  repo = data.model.repository.get_app_repository(ns, name)
-  if repo is None:
-    raise_package_not_found(package)
-  return repo
+    ns, name = _split_package_name(package)
+    repo = data.model.repository.get_app_repository(ns, name)
+    if repo is None:
+        raise_package_not_found(package)
+    return repo
 
 
 class CNRAppModel(AppRegistryDataInterface):
-  def __init__(self, models_ref, is_readonly):
-    self.models_ref = models_ref
-    self.is_readonly = is_readonly    
+    def __init__(self, models_ref, is_readonly):
+        self.models_ref = models_ref
+        self.is_readonly = is_readonly
 
-  def log_action(self, event_name, namespace_name, repo_name=None, analytics_name=None,
-                 analytics_sample=1, metadata=None):
-    metadata = {} if metadata is None else metadata
+    def log_action(
+        self,
+        event_name,
+        namespace_name,
+        repo_name=None,
+        analytics_name=None,
+        analytics_sample=1,
+        metadata=None,
+    ):
+        metadata = {} if metadata is None else metadata
 
-    repo = None
-    if repo_name is not None:
-      db_repo = data.model.repository.get_repository(namespace_name, repo_name,
-                                                kind_filter='application')
-      repo = AttrDict({
-        'id': db_repo.id,
-        'name': db_repo.name,
-        'namespace_name': db_repo.namespace_user.username,
-        'is_free_namespace': db_repo.namespace_user.stripe_id is None,
-      })
-    track_and_log(event_name, repo, analytics_name=analytics_name,
-                  analytics_sample=analytics_sample, **metadata)
+        repo = None
+        if repo_name is not None:
+            db_repo = data.model.repository.get_repository(
+                namespace_name, repo_name, kind_filter="application"
+            )
+            repo = AttrDict(
+                {
+                    "id": db_repo.id,
+                    "name": db_repo.name,
+                    "namespace_name": db_repo.namespace_user.username,
+                    "is_free_namespace": db_repo.namespace_user.stripe_id is None,
+                }
+            )
+        track_and_log(
+            event_name,
+            repo,
+            analytics_name=analytics_name,
+            analytics_sample=analytics_sample,
+            **metadata
+        )
 
-  def list_applications(self, namespace=None, media_type=None, search=None, username=None,
-                        with_channels=False):
-    """ Lists all repositories that contain applications, with optional filtering to a specific
+    def list_applications(
+        self,
+        namespace=None,
+        media_type=None,
+        search=None,
+        username=None,
+        with_channels=False,
+    ):
+        """ Lists all repositories that contain applications, with optional filtering to a specific
         namespace and view a specific user.
     """
 
-    views = []
-    for repo in appr_model.package.list_packages_query(self.models_ref, namespace, media_type,
-                                                       search, username=username):
-      tag_set_prefetch = getattr(repo, self.models_ref.tag_set_prefetch_name)
-      releases = [t.name for t in tag_set_prefetch]
-      if not releases:
-        continue
-      available_releases = [
-        str(x) for x in sorted(cnr.semver.versions(releases, False), reverse=True)]
-      channels = None
-      if with_channels:
-        channels = [
-          ChannelView(name=chan.name, current=chan.linked_tag.name)
-          for chan in appr_model.channel.get_repo_channels(repo, self.models_ref)]
+        views = []
+        for repo in appr_model.package.list_packages_query(
+            self.models_ref, namespace, media_type, search, username=username
+        ):
+            tag_set_prefetch = getattr(repo, self.models_ref.tag_set_prefetch_name)
+            releases = [t.name for t in tag_set_prefetch]
+            if not releases:
+                continue
+            available_releases = [
+                str(x)
+                for x in sorted(cnr.semver.versions(releases, False), reverse=True)
+            ]
+            channels = None
+            if with_channels:
+                channels = [
+                    ChannelView(name=chan.name, current=chan.linked_tag.name)
+                    for chan in appr_model.channel.get_repo_channels(
+                        repo, self.models_ref
+                    )
+                ]
 
-      app_name = _join_package_name(repo.namespace_user.username, repo.name)
-      manifests = self.list_manifests(app_name, available_releases[0])
-      view = ApplicationSummaryView(
-        namespace=repo.namespace_user.username,
-        name=app_name,
-        visibility=repo.visibility.name,
-        default=available_releases[0],
-        channels=channels,
-        manifests=manifests,
-        releases=available_releases,
-        updated_at=_timestamp_to_iso(tag_set_prefetch[-1].lifetime_start),
-        created_at=_timestamp_to_iso(tag_set_prefetch[0].lifetime_start),)
-      views.append(view)
-    return views
+            app_name = _join_package_name(repo.namespace_user.username, repo.name)
+            manifests = self.list_manifests(app_name, available_releases[0])
+            view = ApplicationSummaryView(
+                namespace=repo.namespace_user.username,
+                name=app_name,
+                visibility=repo.visibility.name,
+                default=available_releases[0],
+                channels=channels,
+                manifests=manifests,
+                releases=available_releases,
+                updated_at=_timestamp_to_iso(tag_set_prefetch[-1].lifetime_start),
+                created_at=_timestamp_to_iso(tag_set_prefetch[0].lifetime_start),
+            )
+            views.append(view)
+        return views
 
-  def application_is_public(self, package_name):
-    """
+    def application_is_public(self, package_name):
+        """
       Returns:
         * True if the repository is public
     """
-    namespace, name = _split_package_name(package_name)
-    return data.model.repository.repository_is_public(namespace, name)
+        namespace, name = _split_package_name(package_name)
+        return data.model.repository.repository_is_public(namespace, name)
 
-  def create_application(self, package_name, visibility, owner):
-    """ Create a new app repository, owner is the user who creates it """
-    if self.is_readonly:
-      raise ReadOnlyException('Currently in read-only mode')
+    def create_application(self, package_name, visibility, owner):
+        """ Create a new app repository, owner is the user who creates it """
+        if self.is_readonly:
+            raise ReadOnlyException("Currently in read-only mode")
 
-    ns, name = _split_package_name(package_name)
-    data.model.repository.create_repository(ns, name, owner, visibility, 'application')
+        ns, name = _split_package_name(package_name)
+        data.model.repository.create_repository(
+            ns, name, owner, visibility, "application"
+        )
 
-  def application_exists(self, package_name):
-    """ Create a new app repository, owner is the user who creates it """
-    ns, name = _split_package_name(package_name)
-    return data.model.repository.get_repository(ns, name, kind_filter='application') is not None
+    def application_exists(self, package_name):
+        """ Create a new app repository, owner is the user who creates it """
+        ns, name = _split_package_name(package_name)
+        return (
+            data.model.repository.get_repository(ns, name, kind_filter="application")
+            is not None
+        )
 
-  def basic_search(self, query, username=None):
-    """ Returns an array of matching AppRepositories in the format: 'namespace/name'
+    def basic_search(self, query, username=None):
+        """ Returns an array of matching AppRepositories in the format: 'namespace/name'
         Note:
           * Only 'public' repositories are returned
 
         Todo:
           * Filter results with readeable reposistory for the user (including visibilitys)
     """
-    return [
-      _join_package_name(r.namespace_user.username, r.name)
-      for r in data.model.repository.get_app_search(lookup=query, username=username, limit=50)]
+        return [
+            _join_package_name(r.namespace_user.username, r.name)
+            for r in data.model.repository.get_app_search(
+                lookup=query, username=username, limit=50
+            )
+        ]
 
-  def list_releases(self, package_name, media_type=None):
-    """ Return the list of all releases of an Application
+    def list_releases(self, package_name, media_type=None):
+        """ Return the list of all releases of an Application
         Example:
             >>> get_app_releases('ant31/rocketchat')
             ['1.7.1', '1.7.0', '1.7.2']
@@ -155,161 +196,209 @@ class CNRAppModel(AppRegistryDataInterface):
         Todo:
           * Paginate
     """
-    return appr_model.release.get_releases(_application(package_name), self.models_ref, media_type)
+        return appr_model.release.get_releases(
+            _application(package_name), self.models_ref, media_type
+        )
 
-  def list_manifests(self, package_name, release=None):
-    """ Returns the list of all manifests of an Application.
+    def list_manifests(self, package_name, release=None):
+        """ Returns the list of all manifests of an Application.
 
         Todo:
           * Paginate
     """
-    try:
-      repo = _application(package_name)
-      return list(appr_model.manifest.get_manifest_types(repo, self.models_ref, release))
-    except (Repository.DoesNotExist, self.models_ref.Tag.DoesNotExist):
-      raise_package_not_found(package_name, release)
+        try:
+            repo = _application(package_name)
+            return list(
+                appr_model.manifest.get_manifest_types(repo, self.models_ref, release)
+            )
+        except (Repository.DoesNotExist, self.models_ref.Tag.DoesNotExist):
+            raise_package_not_found(package_name, release)
 
-  def fetch_release(self, package_name, release, media_type):
-    """
+    def fetch_release(self, package_name, release, media_type):
+        """
      Retrieves an AppRelease from it's repository-name and release-name
     """
-    repo = _application(package_name)
-    try:
-      tag, manifest, blob = appr_model.release.get_app_release(repo, release, media_type,
-                                                               self.models_ref)
-      created_at = _timestamp_to_iso(tag.lifetime_start)
+        repo = _application(package_name)
+        try:
+            tag, manifest, blob = appr_model.release.get_app_release(
+                repo, release, media_type, self.models_ref
+            )
+            created_at = _timestamp_to_iso(tag.lifetime_start)
 
-      blob_descriptor = BlobDescriptor(digest=_strip_sha256_header(blob.digest),
-                                       mediaType=blob.media_type.name, size=blob.size, urls=[])
+            blob_descriptor = BlobDescriptor(
+                digest=_strip_sha256_header(blob.digest),
+                mediaType=blob.media_type.name,
+                size=blob.size,
+                urls=[],
+            )
 
-      app_manifest = ApplicationManifest(
-        digest=manifest.digest, mediaType=manifest.media_type.name, content=blob_descriptor)
+            app_manifest = ApplicationManifest(
+                digest=manifest.digest,
+                mediaType=manifest.media_type.name,
+                content=blob_descriptor,
+            )
 
-      app_release = ApplicationRelease(release=tag.name, created_at=created_at, name=package_name,
-                                       manifest=app_manifest)
-      return app_release
-    except (self.models_ref.Tag.DoesNotExist,
+            app_release = ApplicationRelease(
+                release=tag.name,
+                created_at=created_at,
+                name=package_name,
+                manifest=app_manifest,
+            )
+            return app_release
+        except (
+            self.models_ref.Tag.DoesNotExist,
             self.models_ref.Manifest.DoesNotExist,
             self.models_ref.Blob.DoesNotExist,
             Repository.DoesNotExist,
-            MediaType.DoesNotExist):
-      raise_package_not_found(package_name, release, media_type)
+            MediaType.DoesNotExist,
+        ):
+            raise_package_not_found(package_name, release, media_type)
 
-  def store_blob(self, cnrblob, content_media_type):
-    if self.is_readonly:
-      raise ReadOnlyException('Currently in read-only mode')
+    def store_blob(self, cnrblob, content_media_type):
+        if self.is_readonly:
+            raise ReadOnlyException("Currently in read-only mode")
 
-    fp = cnrblob.packager.io_file
-    path = cnrblob.upload_url(cnrblob.digest)
-    locations = storage.preferred_locations
-    storage.stream_write(locations, path, fp, 'application/x-gzip')
-    db_blob = appr_model.blob.get_or_create_blob(cnrblob.digest, cnrblob.size, content_media_type,
-                                                 locations, self.models_ref)
-    return BlobDescriptor(mediaType=content_media_type,
-                          digest=_strip_sha256_header(db_blob.digest), size=db_blob.size, urls=[])
+        fp = cnrblob.packager.io_file
+        path = cnrblob.upload_url(cnrblob.digest)
+        locations = storage.preferred_locations
+        storage.stream_write(locations, path, fp, "application/x-gzip")
+        db_blob = appr_model.blob.get_or_create_blob(
+            cnrblob.digest, cnrblob.size, content_media_type, locations, self.models_ref
+        )
+        return BlobDescriptor(
+            mediaType=content_media_type,
+            digest=_strip_sha256_header(db_blob.digest),
+            size=db_blob.size,
+            urls=[],
+        )
 
-  def create_release(self, package, user, visibility, force=False):
-    """ Add an app-release to a repository
+    def create_release(self, package, user, visibility, force=False):
+        """ Add an app-release to a repository
     package is an instance of data.cnr.package.Package
     """
-    if self.is_readonly:
-      raise ReadOnlyException('Currently in read-only mode')
+        if self.is_readonly:
+            raise ReadOnlyException("Currently in read-only mode")
 
-    manifest = package.manifest()
-    ns, name = package.namespace, package.name
-    repo = data.model.repository.get_or_create_repository(ns, name, user, visibility=visibility,
-                                                          repo_kind='application')
-    tag_name = package.release
-    appr_model.release.create_app_release(repo, tag_name, package.manifest(),
-                                          manifest['content']['digest'], self.models_ref, force)
+        manifest = package.manifest()
+        ns, name = package.namespace, package.name
+        repo = data.model.repository.get_or_create_repository(
+            ns, name, user, visibility=visibility, repo_kind="application"
+        )
+        tag_name = package.release
+        appr_model.release.create_app_release(
+            repo,
+            tag_name,
+            package.manifest(),
+            manifest["content"]["digest"],
+            self.models_ref,
+            force,
+        )
 
-  def delete_release(self, package_name, release, media_type):
-    """ Remove/Delete an app-release from an app-repository.
+    def delete_release(self, package_name, release, media_type):
+        """ Remove/Delete an app-release from an app-repository.
         It does not delete the entire app-repository, only a single release
     """
-    if self.is_readonly:
-      raise ReadOnlyException('Currently in read-only mode')
+        if self.is_readonly:
+            raise ReadOnlyException("Currently in read-only mode")
 
-    repo = _application(package_name)
-    try:
-      appr_model.release.delete_app_release(repo, release, media_type, self.models_ref)
-    except (self.models_ref.Channel.DoesNotExist,
+        repo = _application(package_name)
+        try:
+            appr_model.release.delete_app_release(
+                repo, release, media_type, self.models_ref
+            )
+        except (
+            self.models_ref.Channel.DoesNotExist,
             self.models_ref.Tag.DoesNotExist,
-            MediaType.DoesNotExist):
-      raise_package_not_found(package_name, release, media_type)
+            MediaType.DoesNotExist,
+        ):
+            raise_package_not_found(package_name, release, media_type)
 
-  def release_exists(self, package, release):
-    """ Return true if a release with that name already exist or
+    def release_exists(self, package, release):
+        """ Return true if a release with that name already exist or
     have existed (include deleted ones) """
-    # TODO: Figure out why this isn't implemented.
+        # TODO: Figure out why this isn't implemented.
 
-  def channel_exists(self, package_name, channel_name):
-    """ Returns true if channel exists """
-    repo = _application(package_name)
-    return appr_model.tag.tag_exists(repo, channel_name, self.models_ref, "channel")
+    def channel_exists(self, package_name, channel_name):
+        """ Returns true if channel exists """
+        repo = _application(package_name)
+        return appr_model.tag.tag_exists(repo, channel_name, self.models_ref, "channel")
 
-  def delete_channel(self, package_name, channel_name):
-    """ Delete an AppChannel
+    def delete_channel(self, package_name, channel_name):
+        """ Delete an AppChannel
     Note:
       It doesn't delete the AppReleases
     """
-    if self.is_readonly:
-      raise ReadOnlyException('Currently in read-only mode')
+        if self.is_readonly:
+            raise ReadOnlyException("Currently in read-only mode")
 
-    repo = _application(package_name)
-    try:
-      appr_model.channel.delete_channel(repo, channel_name, self.models_ref)
-    except (self.models_ref.Channel.DoesNotExist, self.models_ref.Tag.DoesNotExist):
-      raise_channel_not_found(package_name, channel_name)
+        repo = _application(package_name)
+        try:
+            appr_model.channel.delete_channel(repo, channel_name, self.models_ref)
+        except (self.models_ref.Channel.DoesNotExist, self.models_ref.Tag.DoesNotExist):
+            raise_channel_not_found(package_name, channel_name)
 
-  def list_channels(self, package_name):
-    """ Returns all AppChannel for a package """
-    repo = _application(package_name)
-    channels = appr_model.channel.get_repo_channels(repo, self.models_ref)
-    return [ChannelView(name=chan.name, current=chan.linked_tag.name) for chan in channels]
+    def list_channels(self, package_name):
+        """ Returns all AppChannel for a package """
+        repo = _application(package_name)
+        channels = appr_model.channel.get_repo_channels(repo, self.models_ref)
+        return [
+            ChannelView(name=chan.name, current=chan.linked_tag.name)
+            for chan in channels
+        ]
 
-  def fetch_channel(self, package_name, channel_name, with_releases=True):
-    """ Returns an AppChannel """
-    repo = _application(package_name)
+    def fetch_channel(self, package_name, channel_name, with_releases=True):
+        """ Returns an AppChannel """
+        repo = _application(package_name)
 
-    try:
-      channel = appr_model.channel.get_channel(repo, channel_name, self.models_ref)
-    except (self.models_ref.Channel.DoesNotExist, self.models_ref.Tag.DoesNotExist):
-      raise_channel_not_found(package_name, channel_name)
+        try:
+            channel = appr_model.channel.get_channel(
+                repo, channel_name, self.models_ref
+            )
+        except (self.models_ref.Channel.DoesNotExist, self.models_ref.Tag.DoesNotExist):
+            raise_channel_not_found(package_name, channel_name)
 
-    if with_releases:
-      releases = appr_model.channel.get_channel_releases(repo, channel, self.models_ref)
-      chanview = ChannelReleasesView(
-        current=channel.linked_tag.name, name=channel.name,
-        releases=[channel.linked_tag.name] + [c.name for c in releases])
-    else:
-      chanview = ChannelView(current=channel.linked_tag.name, name=channel.name)
+        if with_releases:
+            releases = appr_model.channel.get_channel_releases(
+                repo, channel, self.models_ref
+            )
+            chanview = ChannelReleasesView(
+                current=channel.linked_tag.name,
+                name=channel.name,
+                releases=[channel.linked_tag.name] + [c.name for c in releases],
+            )
+        else:
+            chanview = ChannelView(current=channel.linked_tag.name, name=channel.name)
 
-    return chanview
+        return chanview
 
-  def list_release_channels(self, package_name, release, active=True):
-    repo = _application(package_name)
-    try:
-      channels = appr_model.channel.get_tag_channels(repo, release, self.models_ref, active=active)
-      return [ChannelView(name=c.name, current=c.linked_tag.name) for c in channels]
-    except (self.models_ref.Channel.DoesNotExist, self.models_ref.Tag.DoesNotExist):
-      raise_package_not_found(package_name, release)
+    def list_release_channels(self, package_name, release, active=True):
+        repo = _application(package_name)
+        try:
+            channels = appr_model.channel.get_tag_channels(
+                repo, release, self.models_ref, active=active
+            )
+            return [
+                ChannelView(name=c.name, current=c.linked_tag.name) for c in channels
+            ]
+        except (self.models_ref.Channel.DoesNotExist, self.models_ref.Tag.DoesNotExist):
+            raise_package_not_found(package_name, release)
 
-  def update_channel(self, package_name, channel_name, release):
-    """ Append a new release to the AppChannel
+    def update_channel(self, package_name, channel_name, release):
+        """ Append a new release to the AppChannel
     Returns:
       A new AppChannel with the release
     """
-    if self.is_readonly:
-      raise ReadOnlyException('Currently in read-only mode')
+        if self.is_readonly:
+            raise ReadOnlyException("Currently in read-only mode")
 
-    repo = _application(package_name)
-    channel = appr_model.channel.create_or_update_channel(repo, channel_name, release,
-                                                          self.models_ref)
-    return ChannelView(current=channel.linked_tag.name, name=channel.name)
+        repo = _application(package_name)
+        channel = appr_model.channel.create_or_update_channel(
+            repo, channel_name, release, self.models_ref
+        )
+        return ChannelView(current=channel.linked_tag.name, name=channel.name)
 
-  def get_blob_locations(self, digest):
-    return appr_model.blob.get_blob_locations(digest, self.models_ref)
+    def get_blob_locations(self, digest):
+        return appr_model.blob.get_blob_locations(digest, self.models_ref)
 
 
 # Phase 3: Read and write from new tables.
diff --git a/endpoints/appr/models_interface.py b/endpoints/appr/models_interface.py
index 6ebf949ac..ea855e297 100644
--- a/endpoints/appr/models_interface.py
+++ b/endpoints/appr/models_interface.py
@@ -4,188 +4,217 @@ from collections import namedtuple
 from six import add_metaclass
 
 
-class BlobDescriptor(namedtuple('Blob', ['mediaType', 'size', 'digest', 'urls'])):
-  """ BlobDescriptor describes a blob with its mediatype, size and digest.
+class BlobDescriptor(namedtuple("Blob", ["mediaType", "size", "digest", "urls"])):
+    """ BlobDescriptor describes a blob with its mediatype, size and digest.
       A BlobDescriptor is used to retrieves the actual blob.
   """
 
 
-class ChannelReleasesView(namedtuple('ChannelReleasesView', ['name', 'current', 'releases'])):
-  """ A channel is a pointer to a Release (current).
+class ChannelReleasesView(
+    namedtuple("ChannelReleasesView", ["name", "current", "releases"])
+):
+    """ A channel is a pointer to a Release (current).
       Releases are the previous tags pointed by channel (history).
   """
 
 
-class ChannelView(namedtuple('ChannelView', ['name', 'current'])):
-  """ A channel is a pointer to a Release (current).
+class ChannelView(namedtuple("ChannelView", ["name", "current"])):
+    """ A channel is a pointer to a Release (current).
   """
 
 
 class ApplicationSummaryView(
-    namedtuple('ApplicationSummaryView', [
-      'name', 'namespace', 'visibility', 'default', 'manifests', 'channels', 'releases',
-      'updated_at', 'created_at'
-    ])):
-  """ ApplicationSummaryView is an aggregated view of an application repository.
+    namedtuple(
+        "ApplicationSummaryView",
+        [
+            "name",
+            "namespace",
+            "visibility",
+            "default",
+            "manifests",
+            "channels",
+            "releases",
+            "updated_at",
+            "created_at",
+        ],
+    )
+):
+    """ ApplicationSummaryView is an aggregated view of an application repository.
   """
 
 
-class ApplicationManifest(namedtuple('ApplicationManifest', ['mediaType', 'digest', 'content'])):
-  """ ApplicationManifest embed the BlobDescriptor and some metadata around it.
+class ApplicationManifest(
+    namedtuple("ApplicationManifest", ["mediaType", "digest", "content"])
+):
+    """ ApplicationManifest embed the BlobDescriptor and some metadata around it.
       An ApplicationManifest is content-addressable.
   """
 
 
 class ApplicationRelease(
-    namedtuple('ApplicationRelease', ['release', 'name', 'created_at', 'manifest'])):
-  """ The ApplicationRelease associates an ApplicationManifest to a repository and release.
+    namedtuple("ApplicationRelease", ["release", "name", "created_at", "manifest"])
+):
+    """ The ApplicationRelease associates an ApplicationManifest to a repository and release.
   """
 
 
 @add_metaclass(ABCMeta)
 class AppRegistryDataInterface(object):
-  """ Interface that represents all data store interactions required by a App Registry.
+    """ Interface that represents all data store interactions required by a App Registry.
   """
 
-  @abstractmethod
-  def list_applications(self, namespace=None, media_type=None, search=None, username=None,
-                        with_channels=False):
-    """ Lists all repositories that contain applications, with optional filtering to a specific
+    @abstractmethod
+    def list_applications(
+        self,
+        namespace=None,
+        media_type=None,
+        search=None,
+        username=None,
+        with_channels=False,
+    ):
+        """ Lists all repositories that contain applications, with optional filtering to a specific
         namespace and/or to those visible to a specific user.
 
        Returns: list of ApplicationSummaryView
     """
-    pass
+        pass
 
-  @abstractmethod
-  def application_is_public(self, package_name):
-    """
+    @abstractmethod
+    def application_is_public(self, package_name):
+        """
       Returns true if the application is public
     """
-    pass
+        pass
 
-  @abstractmethod
-  def create_application(self, package_name, visibility, owner):
-    """ Create a new app repository, owner is the user who creates it """
-    pass
+    @abstractmethod
+    def create_application(self, package_name, visibility, owner):
+        """ Create a new app repository, owner is the user who creates it """
+        pass
 
-  @abstractmethod
-  def application_exists(self, package_name):
-    """ Returns true if the application exists """
-    pass
+    @abstractmethod
+    def application_exists(self, package_name):
+        """ Returns true if the application exists """
+        pass
 
-  @abstractmethod
-  def basic_search(self, query, username=None):
-    """ Returns an array of matching application in the format: 'namespace/name'
+    @abstractmethod
+    def basic_search(self, query, username=None):
+        """ Returns an array of matching application in the format: 'namespace/name'
     Note:
       * Only 'public' repositories are returned
     """
-    pass
+        pass
 
-  # @TODO: Paginate
-  @abstractmethod
-  def list_releases(self, package_name, media_type=None):
-    """ Returns the list of all releases(names) of an AppRepository
+    # @TODO: Paginate
+    @abstractmethod
+    def list_releases(self, package_name, media_type=None):
+        """ Returns the list of all releases(names) of an AppRepository
     Example:
         >>> get_app_releases('ant31/rocketchat')
         ['1.7.1', '1.7.0', '1.7.2']
     """
-    pass
+        pass
 
-  # @TODO: Paginate
-  @abstractmethod
-  def list_manifests(self, package_name, release=None):
-    """ Returns the list of all available manifests type of an Application across all releases or
+    # @TODO: Paginate
+    @abstractmethod
+    def list_manifests(self, package_name, release=None):
+        """ Returns the list of all available manifests type of an Application across all releases or
     for a specific one.
 
     Example:
         >>> get_app_releases('ant31/rocketchat')
         ['1.7.1', '1.7.0', '1.7.2']
     """
-    pass
+        pass
 
-  @abstractmethod
-  def fetch_release(self, package_name, release, media_type):
-    """
+    @abstractmethod
+    def fetch_release(self, package_name, release, media_type):
+        """
      Returns an ApplicationRelease
     """
-    pass
+        pass
 
-  @abstractmethod
-  def store_blob(self, cnrblob, content_media_type):
-    """
+    @abstractmethod
+    def store_blob(self, cnrblob, content_media_type):
+        """
     Upload the blob content to a storage location and creates a Blob entry in the DB.
 
     Returns a BlobDescriptor
     """
-    pass
+        pass
 
-  @abstractmethod
-  def create_release(self, package, user, visibility, force=False):
-    """ Creates and returns an ApplicationRelease
+    @abstractmethod
+    def create_release(self, package, user, visibility, force=False):
+        """ Creates and returns an ApplicationRelease
     - package is a data.model.Package object
     - user is the owner of the package
     - visibility is a string: 'public' or 'private'
     """
-    pass
+        pass
 
-  @abstractmethod
-  def release_exists(self, package, release):
-    """ Return true if a release with that name already exist or
+    @abstractmethod
+    def release_exists(self, package, release):
+        """ Return true if a release with that name already exist or
     has existed (including deleted ones)
     """
-    pass
+        pass
 
-  @abstractmethod
-  def delete_release(self, package_name, release, media_type):
-    """ Remove/Delete an app-release from an app-repository.
+    @abstractmethod
+    def delete_release(self, package_name, release, media_type):
+        """ Remove/Delete an app-release from an app-repository.
         It does not delete the entire app-repository, only a single release
     """
-    pass
+        pass
 
-  @abstractmethod
-  def list_release_channels(self, package_name, release, active=True):
-    """ Returns a list of Channel that are/was pointing to a release.
+    @abstractmethod
+    def list_release_channels(self, package_name, release, active=True):
+        """ Returns a list of Channel that are/was pointing to a release.
         If active is True, returns only active Channel (lifetime_end not null)
     """
-    pass
+        pass
 
-  @abstractmethod
-  def channel_exists(self, package_name, channel_name):
-    """ Returns true if the channel with the given name exists under the matching package """
-    pass
+    @abstractmethod
+    def channel_exists(self, package_name, channel_name):
+        """ Returns true if the channel with the given name exists under the matching package """
+        pass
 
-  @abstractmethod
-  def update_channel(self, package_name, channel_name, release):
-    """ Append a new release to the Channel
+    @abstractmethod
+    def update_channel(self, package_name, channel_name, release):
+        """ Append a new release to the Channel
     Returns a new Channel with the release as current
     """
-    pass
+        pass
 
-  @abstractmethod
-  def delete_channel(self, package_name, channel_name):
-    """ Delete a Channel, it doesn't delete/touch the ApplicationRelease pointed by the channel """
+    @abstractmethod
+    def delete_channel(self, package_name, channel_name):
+        """ Delete a Channel, it doesn't delete/touch the ApplicationRelease pointed by the channel """
 
-  # @TODO: Paginate
-  @abstractmethod
-  def list_channels(self, package_name):
-    """ Returns all AppChannel for a package """
-    pass
+    # @TODO: Paginate
+    @abstractmethod
+    def list_channels(self, package_name):
+        """ Returns all AppChannel for a package """
+        pass
 
-  @abstractmethod
-  def fetch_channel(self, package_name, channel_name, with_releases=True):
-    """ Returns an Channel
+    @abstractmethod
+    def fetch_channel(self, package_name, channel_name, with_releases=True):
+        """ Returns an Channel
     Raises: ChannelNotFound, PackageNotFound
     """
-    pass
+        pass
 
-  @abstractmethod
-  def log_action(self, event_name, namespace_name, repo_name=None, analytics_name=None,
-                 analytics_sample=1, **kwargs):
-    """ Logs an action to the audit log. """
-    pass
+    @abstractmethod
+    def log_action(
+        self,
+        event_name,
+        namespace_name,
+        repo_name=None,
+        analytics_name=None,
+        analytics_sample=1,
+        **kwargs
+    ):
+        """ Logs an action to the audit log. """
+        pass
 
-  @abstractmethod
-  def get_blob_locations(self, digest):
-    """ Returns a list of strings for the locations in which a Blob is present. """
-    pass
+    @abstractmethod
+    def get_blob_locations(self, digest):
+        """ Returns a list of strings for the locations in which a Blob is present. """
+        pass
diff --git a/endpoints/appr/registry.py b/endpoints/appr/registry.py
index 0b470f878..ca16a19fd 100644
--- a/endpoints/appr/registry.py
+++ b/endpoints/appr/registry.py
@@ -5,9 +5,19 @@ import cnr
 from cnr.api.impl import registry as cnr_registry
 from cnr.api.registry import _pull, repo_name
 from cnr.exception import (
-  ChannelNotFound, CnrException, Forbidden, InvalidParams, InvalidRelease, InvalidUsage,
-  PackageAlreadyExists, PackageNotFound, PackageReleaseNotFound, UnableToLockResource,
-  UnauthorizedAccess, Unsupported)
+    ChannelNotFound,
+    CnrException,
+    Forbidden,
+    InvalidParams,
+    InvalidRelease,
+    InvalidUsage,
+    PackageAlreadyExists,
+    PackageNotFound,
+    PackageReleaseNotFound,
+    UnableToLockResource,
+    UnauthorizedAccess,
+    Unsupported,
+)
 from flask import jsonify, request
 
 from auth.auth_context import get_authenticated_user
@@ -38,281 +48,357 @@ logger = logging.getLogger(__name__)
 @appr_bp.errorhandler(InvalidParams)
 @appr_bp.errorhandler(ChannelNotFound)
 def render_error(error):
-  response = jsonify({"error": error.to_dict()})
-  response.status_code = error.status_code
-  return response
+    response = jsonify({"error": error.to_dict()})
+    response.status_code = error.status_code
+    return response
 
 
 @appr_bp.route("/version")
 @anon_allowed
 def version():
-  return jsonify({"cnr-api": cnr.__version__})
+    return jsonify({"cnr-api": cnr.__version__})
 
 
-@appr_bp.route("/api/v1/users/login", methods=['POST'])
+@appr_bp.route("/api/v1/users/login", methods=["POST"])
 @anon_allowed
 def login():
-  values = request.get_json(force=True, silent=True) or {}
-  username = values.get('user', {}).get('username')
-  password = values.get('user', {}).get('password')
-  if not username or not password:
-    raise InvalidUsage('Missing username or password')
+    values = request.get_json(force=True, silent=True) or {}
+    username = values.get("user", {}).get("username")
+    password = values.get("user", {}).get("password")
+    if not username or not password:
+        raise InvalidUsage("Missing username or password")
 
-  result, _ = validate_credentials(username, password)
-  if not result.auth_valid:
-    raise UnauthorizedAccess(result.error_message)
+    result, _ = validate_credentials(username, password)
+    if not result.auth_valid:
+        raise UnauthorizedAccess(result.error_message)
 
-  return jsonify({'token': "basic " + b64encode("%s:%s" % (username, password))})
+    return jsonify({"token": "basic " + b64encode("%s:%s" % (username, password))})
 
 
 # @TODO: Redirect to S3 url
 @appr_bp.route(
-  "/api/v1/packages/<string:namespace>/<string:package_name>/blobs/sha256/<string:digest>",
-  methods=['GET'],
-  strict_slashes=False,)
+    "/api/v1/packages/<string:namespace>/<string:package_name>/blobs/sha256/<string:digest>",
+    methods=["GET"],
+    strict_slashes=False,
+)
 @process_auth
 @require_app_repo_read
-@check_region_blacklisted(namespace_name_kwarg='namespace')
+@check_region_blacklisted(namespace_name_kwarg="namespace")
 @anon_protect
 def blobs(namespace, package_name, digest):
-  reponame = repo_name(namespace, package_name)
-  data = cnr_registry.pull_blob(reponame, digest, blob_class=Blob)
-  json_format = request.args.get('format', None) == 'json'
-  return _pull(data, json_format=json_format)
+    reponame = repo_name(namespace, package_name)
+    data = cnr_registry.pull_blob(reponame, digest, blob_class=Blob)
+    json_format = request.args.get("format", None) == "json"
+    return _pull(data, json_format=json_format)
 
 
-@appr_bp.route("/api/v1/packages", methods=['GET'], strict_slashes=False)
+@appr_bp.route("/api/v1/packages", methods=["GET"], strict_slashes=False)
 @process_auth
 @anon_protect
 def list_packages():
-  namespace = request.args.get('namespace', None)
-  media_type = request.args.get('media_type', None)
-  query = request.args.get('query', None)
-  user = get_authenticated_user()
-  username = None
-  if user:
-    username = user.username
-  result_data = cnr_registry.list_packages(namespace, package_class=Package, search=query,
-                                           media_type=media_type, username=username)
-  return jsonify(result_data)
+    namespace = request.args.get("namespace", None)
+    media_type = request.args.get("media_type", None)
+    query = request.args.get("query", None)
+    user = get_authenticated_user()
+    username = None
+    if user:
+        username = user.username
+    result_data = cnr_registry.list_packages(
+        namespace,
+        package_class=Package,
+        search=query,
+        media_type=media_type,
+        username=username,
+    )
+    return jsonify(result_data)
 
 
 @appr_bp.route(
-  "/api/v1/packages/<string:namespace>/<string:package_name>/<string:release>/<string:media_type>",
-  methods=['DELETE'], strict_slashes=False)
+    "/api/v1/packages/<string:namespace>/<string:package_name>/<string:release>/<string:media_type>",
+    methods=["DELETE"],
+    strict_slashes=False,
+)
 @process_auth
 @require_app_repo_write
 @anon_protect
 def delete_package(namespace, package_name, release, media_type):
-  reponame = repo_name(namespace, package_name)
-  result = cnr_registry.delete_package(reponame, release, media_type, package_class=Package)
-  logs_model.log_action('delete_tag', namespace, repository_name=package_name,
-                        metadata={'release': release, 'mediatype': media_type})
-  return jsonify(result)
+    reponame = repo_name(namespace, package_name)
+    result = cnr_registry.delete_package(
+        reponame, release, media_type, package_class=Package
+    )
+    logs_model.log_action(
+        "delete_tag",
+        namespace,
+        repository_name=package_name,
+        metadata={"release": release, "mediatype": media_type},
+    )
+    return jsonify(result)
 
 
 @appr_bp.route(
-  "/api/v1/packages/<string:namespace>/<string:package_name>/<string:release>/<string:media_type>",
-  methods=['GET'], strict_slashes=False)
+    "/api/v1/packages/<string:namespace>/<string:package_name>/<string:release>/<string:media_type>",
+    methods=["GET"],
+    strict_slashes=False,
+)
 @process_auth
 @require_app_repo_read
-@check_region_blacklisted(namespace_name_kwarg='namespace')
+@check_region_blacklisted(namespace_name_kwarg="namespace")
 @anon_protect
 def show_package(namespace, package_name, release, media_type):
-  reponame = repo_name(namespace, package_name)
-  result = cnr_registry.show_package(reponame, release, media_type, channel_class=Channel,
-                                     package_class=Package)
-  return jsonify(result)
+    reponame = repo_name(namespace, package_name)
+    result = cnr_registry.show_package(
+        reponame, release, media_type, channel_class=Channel, package_class=Package
+    )
+    return jsonify(result)
 
 
-@appr_bp.route("/api/v1/packages/<string:namespace>/<string:package_name>", methods=['GET'],
-               strict_slashes=False)
+@appr_bp.route(
+    "/api/v1/packages/<string:namespace>/<string:package_name>",
+    methods=["GET"],
+    strict_slashes=False,
+)
 @process_auth
 @require_app_repo_read
 @anon_protect
 def show_package_releases(namespace, package_name):
-  reponame = repo_name(namespace, package_name)
-  media_type = request.args.get('media_type', None)
-  result = cnr_registry.show_package_releases(reponame, media_type=media_type,
-                                              package_class=Package)
-  return jsonify(result)
+    reponame = repo_name(namespace, package_name)
+    media_type = request.args.get("media_type", None)
+    result = cnr_registry.show_package_releases(
+        reponame, media_type=media_type, package_class=Package
+    )
+    return jsonify(result)
 
 
-@appr_bp.route("/api/v1/packages/<string:namespace>/<string:package_name>/<string:release>",
-               methods=['GET'], strict_slashes=False)
+@appr_bp.route(
+    "/api/v1/packages/<string:namespace>/<string:package_name>/<string:release>",
+    methods=["GET"],
+    strict_slashes=False,
+)
 @process_auth
 @require_app_repo_read
 @anon_protect
 def show_package_release_manifests(namespace, package_name, release):
-  reponame = repo_name(namespace, package_name)
-  result = cnr_registry.show_package_manifests(reponame, release, package_class=Package)
-  return jsonify(result)
+    reponame = repo_name(namespace, package_name)
+    result = cnr_registry.show_package_manifests(
+        reponame, release, package_class=Package
+    )
+    return jsonify(result)
 
 
 @appr_bp.route(
-  "/api/v1/packages/<string:namespace>/<string:package_name>/<string:release>/<string:media_type>/pull",
-  methods=['GET'],
-  strict_slashes=False,)
+    "/api/v1/packages/<string:namespace>/<string:package_name>/<string:release>/<string:media_type>/pull",
+    methods=["GET"],
+    strict_slashes=False,
+)
 @process_auth
 @require_app_repo_read
-@check_region_blacklisted(namespace_name_kwarg='namespace')
+@check_region_blacklisted(namespace_name_kwarg="namespace")
 @anon_protect
 def pull(namespace, package_name, release, media_type):
-  logger.debug('Pull of release %s of app repository %s/%s', release, namespace, package_name)
-  reponame = repo_name(namespace, package_name)
-  data = cnr_registry.pull(reponame, release, media_type, Package, blob_class=Blob)
-  logs_model.log_action('pull_repo', namespace, repository_name=package_name,
-                        metadata={'release': release, 'mediatype': media_type})
-  json_format = request.args.get('format', None) == 'json'
-  return _pull(data, json_format)
+    logger.debug(
+        "Pull of release %s of app repository %s/%s", release, namespace, package_name
+    )
+    reponame = repo_name(namespace, package_name)
+    data = cnr_registry.pull(reponame, release, media_type, Package, blob_class=Blob)
+    logs_model.log_action(
+        "pull_repo",
+        namespace,
+        repository_name=package_name,
+        metadata={"release": release, "mediatype": media_type},
+    )
+    json_format = request.args.get("format", None) == "json"
+    return _pull(data, json_format)
 
 
-@appr_bp.route("/api/v1/packages/<string:namespace>/<string:package_name>", methods=['POST'],
-               strict_slashes=False)
+@appr_bp.route(
+    "/api/v1/packages/<string:namespace>/<string:package_name>",
+    methods=["POST"],
+    strict_slashes=False,
+)
 @disallow_for_image_repository()
 @process_auth
 @anon_protect
 def push(namespace, package_name):
-  reponame = repo_name(namespace, package_name)
+    reponame = repo_name(namespace, package_name)
 
-  if not REPOSITORY_NAME_REGEX.match(package_name):
-    logger.debug('Found invalid repository name CNR push: %s', reponame)
-    raise InvalidUsage('invalid repository name: %s' % reponame)
+    if not REPOSITORY_NAME_REGEX.match(package_name):
+        logger.debug("Found invalid repository name CNR push: %s", reponame)
+        raise InvalidUsage("invalid repository name: %s" % reponame)
 
-  values = request.get_json(force=True, silent=True) or {}
-  private = values.get('visibility', 'private')
+    values = request.get_json(force=True, silent=True) or {}
+    private = values.get("visibility", "private")
 
-  owner = get_authenticated_user()
-  if not Package.exists(reponame):
-    if not CreateRepositoryPermission(namespace).can():
-      raise Forbidden("Unauthorized access for: %s" % reponame,
-                      {"package": reponame,
-                       "scopes": ['create']})
-    Package.create_repository(reponame, private, owner)
-    logs_model.log_action('create_repo', namespace, repository_name=package_name)
+    owner = get_authenticated_user()
+    if not Package.exists(reponame):
+        if not CreateRepositoryPermission(namespace).can():
+            raise Forbidden(
+                "Unauthorized access for: %s" % reponame,
+                {"package": reponame, "scopes": ["create"]},
+            )
+        Package.create_repository(reponame, private, owner)
+        logs_model.log_action("create_repo", namespace, repository_name=package_name)
 
-  if not ModifyRepositoryPermission(namespace, package_name).can():
-    raise Forbidden("Unauthorized access for: %s" % reponame,
-                    {"package": reponame,
-                     "scopes": ['push']})
+    if not ModifyRepositoryPermission(namespace, package_name).can():
+        raise Forbidden(
+            "Unauthorized access for: %s" % reponame,
+            {"package": reponame, "scopes": ["push"]},
+        )
 
-  if not 'release' in values:
-    raise InvalidUsage('Missing release')
+    if not "release" in values:
+        raise InvalidUsage("Missing release")
 
-  if not 'media_type' in values:
-    raise InvalidUsage('Missing media_type')
+    if not "media_type" in values:
+        raise InvalidUsage("Missing media_type")
 
-  if not 'blob' in values:
-    raise InvalidUsage('Missing blob')
+    if not "blob" in values:
+        raise InvalidUsage("Missing blob")
 
-  release_version = str(values['release'])
-  media_type = values['media_type']
-  force = request.args.get('force', 'false') == 'true'
+    release_version = str(values["release"])
+    media_type = values["media_type"]
+    force = request.args.get("force", "false") == "true"
 
-  blob = Blob(reponame, values['blob'])
-  app_release = cnr_registry.push(reponame, release_version, media_type, blob, force,
-                                  package_class=Package, user=owner, visibility=private)
-  logs_model.log_action('push_repo', namespace, repository_name=package_name,
-                        metadata={'release': release_version})
-  return jsonify(app_release)
+    blob = Blob(reponame, values["blob"])
+    app_release = cnr_registry.push(
+        reponame,
+        release_version,
+        media_type,
+        blob,
+        force,
+        package_class=Package,
+        user=owner,
+        visibility=private,
+    )
+    logs_model.log_action(
+        "push_repo",
+        namespace,
+        repository_name=package_name,
+        metadata={"release": release_version},
+    )
+    return jsonify(app_release)
 
 
-@appr_bp.route("/api/v1/packages/search", methods=['GET'], strict_slashes=False)
+@appr_bp.route("/api/v1/packages/search", methods=["GET"], strict_slashes=False)
 @process_auth
 @anon_protect
 def search_packages():
-  query = request.args.get("q")
-  user = get_authenticated_user()
-  username = None
-  if user:
-    username = user.username
+    query = request.args.get("q")
+    user = get_authenticated_user()
+    username = None
+    if user:
+        username = user.username
 
-  search_results = cnr_registry.search(query, Package, username=username)
-  return jsonify(search_results)
+    search_results = cnr_registry.search(query, Package, username=username)
+    return jsonify(search_results)
 
 
 # CHANNELS
-@appr_bp.route("/api/v1/packages/<string:namespace>/<string:package_name>/channels",
-               methods=['GET'], strict_slashes=False)
+@appr_bp.route(
+    "/api/v1/packages/<string:namespace>/<string:package_name>/channels",
+    methods=["GET"],
+    strict_slashes=False,
+)
 @process_auth
 @require_app_repo_read
 @anon_protect
 def list_channels(namespace, package_name):
-  reponame = repo_name(namespace, package_name)
-  return jsonify(cnr_registry.list_channels(reponame, channel_class=Channel))
+    reponame = repo_name(namespace, package_name)
+    return jsonify(cnr_registry.list_channels(reponame, channel_class=Channel))
 
 
 @appr_bp.route(
-  "/api/v1/packages/<string:namespace>/<string:package_name>/channels/<string:channel_name>",
-  methods=['GET'], strict_slashes=False)
+    "/api/v1/packages/<string:namespace>/<string:package_name>/channels/<string:channel_name>",
+    methods=["GET"],
+    strict_slashes=False,
+)
 @process_auth
 @require_app_repo_read
 @anon_protect
 def show_channel(namespace, package_name, channel_name):
-  reponame = repo_name(namespace, package_name)
-  channel = cnr_registry.show_channel(reponame, channel_name, channel_class=Channel)
-  return jsonify(channel)
+    reponame = repo_name(namespace, package_name)
+    channel = cnr_registry.show_channel(reponame, channel_name, channel_class=Channel)
+    return jsonify(channel)
 
 
 @appr_bp.route(
-  "/api/v1/packages/<string:namespace>/<string:package_name>/channels/<string:channel_name>/<string:release>",
-  methods=['POST'],
-  strict_slashes=False,)
+    "/api/v1/packages/<string:namespace>/<string:package_name>/channels/<string:channel_name>/<string:release>",
+    methods=["POST"],
+    strict_slashes=False,
+)
 @process_auth
 @require_app_repo_write
 @anon_protect
 def add_channel_release(namespace, package_name, channel_name, release):
-  _check_channel_name(channel_name, release)
-  reponame = repo_name(namespace, package_name)
-  result = cnr_registry.add_channel_release(reponame, channel_name, release, channel_class=Channel,
-                                            package_class=Package)
-  logs_model.log_action('create_tag', namespace, repository_name=package_name,
-                        metadata={'channel': channel_name, 'release': release})
-  return jsonify(result)
+    _check_channel_name(channel_name, release)
+    reponame = repo_name(namespace, package_name)
+    result = cnr_registry.add_channel_release(
+        reponame, channel_name, release, channel_class=Channel, package_class=Package
+    )
+    logs_model.log_action(
+        "create_tag",
+        namespace,
+        repository_name=package_name,
+        metadata={"channel": channel_name, "release": release},
+    )
+    return jsonify(result)
 
 
 def _check_channel_name(channel_name, release=None):
-  if not TAG_REGEX.match(channel_name):
-    logger.debug('Found invalid channel name CNR add channel release: %s', channel_name)
-    raise InvalidUsage("Found invalid channelname %s" % release,
-                       {'name': channel_name,
-                        'release': release})
+    if not TAG_REGEX.match(channel_name):
+        logger.debug(
+            "Found invalid channel name CNR add channel release: %s", channel_name
+        )
+        raise InvalidUsage(
+            "Found invalid channelname %s" % release,
+            {"name": channel_name, "release": release},
+        )
 
-  if release is not None and not TAG_REGEX.match(release):
-    logger.debug('Found invalid release name CNR add channel release: %s', release)
-    raise InvalidUsage('Found invalid channel release name %s' % release,
-                       {'name': channel_name,
-                        'release': release})
+    if release is not None and not TAG_REGEX.match(release):
+        logger.debug("Found invalid release name CNR add channel release: %s", release)
+        raise InvalidUsage(
+            "Found invalid channel release name %s" % release,
+            {"name": channel_name, "release": release},
+        )
 
 
 @appr_bp.route(
-  "/api/v1/packages/<string:namespace>/<string:package_name>/channels/<string:channel_name>/<string:release>",
-  methods=['DELETE'],
-  strict_slashes=False,)
+    "/api/v1/packages/<string:namespace>/<string:package_name>/channels/<string:channel_name>/<string:release>",
+    methods=["DELETE"],
+    strict_slashes=False,
+)
 @process_auth
 @require_app_repo_write
 @anon_protect
 def delete_channel_release(namespace, package_name, channel_name, release):
-  _check_channel_name(channel_name, release)
-  reponame = repo_name(namespace, package_name)
-  result = cnr_registry.delete_channel_release(reponame, channel_name, release,
-                                               channel_class=Channel, package_class=Package)
-  logs_model.log_action('delete_tag', namespace, repository_name=package_name,
-                        metadata={'channel': channel_name, 'release': release})
-  return jsonify(result)
+    _check_channel_name(channel_name, release)
+    reponame = repo_name(namespace, package_name)
+    result = cnr_registry.delete_channel_release(
+        reponame, channel_name, release, channel_class=Channel, package_class=Package
+    )
+    logs_model.log_action(
+        "delete_tag",
+        namespace,
+        repository_name=package_name,
+        metadata={"channel": channel_name, "release": release},
+    )
+    return jsonify(result)
 
 
 @appr_bp.route(
-  "/api/v1/packages/<string:namespace>/<string:package_name>/channels/<string:channel_name>",
-  methods=['DELETE'],
-  strict_slashes=False,)
+    "/api/v1/packages/<string:namespace>/<string:package_name>/channels/<string:channel_name>",
+    methods=["DELETE"],
+    strict_slashes=False,
+)
 @process_auth
 @require_app_repo_write
 @anon_protect
 def delete_channel(namespace, package_name, channel_name):
-  _check_channel_name(channel_name)
-  reponame = repo_name(namespace, package_name)
-  result = cnr_registry.delete_channel(reponame, channel_name, channel_class=Channel)
-  logs_model.log_action('delete_tag', namespace, repository_name=package_name,
-                        metadata={'channel': channel_name})
-  return jsonify(result)
+    _check_channel_name(channel_name)
+    reponame = repo_name(namespace, package_name)
+    result = cnr_registry.delete_channel(reponame, channel_name, channel_class=Channel)
+    logs_model.log_action(
+        "delete_tag",
+        namespace,
+        repository_name=package_name,
+        metadata={"channel": channel_name},
+    )
+    return jsonify(result)
diff --git a/endpoints/appr/test/test_api.py b/endpoints/appr/test/test_api.py
index 99af88c2c..8df82a68d 100644
--- a/endpoints/appr/test/test_api.py
+++ b/endpoints/appr/test/test_api.py
@@ -10,7 +10,7 @@ import data.appr_model.blob as appr_blob
 
 from data.database import User
 from data.model import organization, user
-from endpoints.appr import registry # Needed to register the endpoint
+from endpoints.appr import registry  # Needed to register the endpoint
 from endpoints.appr.cnr_backend import Channel, Package, QuayDB
 from endpoints.appr.models_cnr import model as appr_app_model
 
@@ -18,146 +18,172 @@ from test.fixtures import *
 
 
 def create_org(namespace, owner):
-  try:
-    User.get(username=namespace)
-  except User.DoesNotExist:
-    organization.create_organization(namespace, "%s@test.com" % str(uuid.uuid1()), owner)
+    try:
+        User.get(username=namespace)
+    except User.DoesNotExist:
+        organization.create_organization(
+            namespace, "%s@test.com" % str(uuid.uuid1()), owner
+        )
 
 
 class ChannelTest(Channel):
-  @classmethod
-  def dump_all(cls, package_class=None):
-    result = []
-    for repo in appr_app_model.list_applications(with_channels=True):
-      for chan in repo.channels:
-        result.append({'name': chan.name, 'current': chan.current, 'package': repo.name})
-    return result
+    @classmethod
+    def dump_all(cls, package_class=None):
+        result = []
+        for repo in appr_app_model.list_applications(with_channels=True):
+            for chan in repo.channels:
+                result.append(
+                    {"name": chan.name, "current": chan.current, "package": repo.name}
+                )
+        return result
 
 
 class PackageTest(Package):
-  def _save(self, force, **kwargs):
-    owner = user.get_user('devtable')
-    create_org(self.namespace, owner)
-    super(PackageTest, self)._save(force, user=owner, visibility="public")
+    def _save(self, force, **kwargs):
+        owner = user.get_user("devtable")
+        create_org(self.namespace, owner)
+        super(PackageTest, self)._save(force, user=owner, visibility="public")
 
-  @classmethod
-  def create_repository(cls, package_name, visibility, owner):
-    ns, _ = package_name.split("/")
-    owner = user.get_user('devtable')
-    visibility = "public"
-    create_org(ns, owner)
-    return super(PackageTest, cls).create_repository(package_name, visibility, owner)
+    @classmethod
+    def create_repository(cls, package_name, visibility, owner):
+        ns, _ = package_name.split("/")
+        owner = user.get_user("devtable")
+        visibility = "public"
+        create_org(ns, owner)
+        return super(PackageTest, cls).create_repository(
+            package_name, visibility, owner
+        )
 
-  @classmethod
-  def dump_all(cls, blob_cls):
-    result = []
-    for repo in appr_app_model.list_applications(with_channels=True):
-      package_name = repo.name
-      for release in repo.releases:
-        for mtype in cls.manifests(package_name, release):
-          package = appr_app_model.fetch_release(package_name, release, mtype)
-          blob = blob_cls.get(package_name, package.manifest.content.digest)
-          app_data = cls._apptuple_to_dict(package)
-          app_data.pop('digest')
-          app_data['channels'] = [
-            x.name
-            for x in appr_app_model.list_release_channels(package_name, package.release, False)
-          ]
-          app_data['blob'] = blob.b64blob
-          result.append(app_data)
-    return result
+    @classmethod
+    def dump_all(cls, blob_cls):
+        result = []
+        for repo in appr_app_model.list_applications(with_channels=True):
+            package_name = repo.name
+            for release in repo.releases:
+                for mtype in cls.manifests(package_name, release):
+                    package = appr_app_model.fetch_release(package_name, release, mtype)
+                    blob = blob_cls.get(package_name, package.manifest.content.digest)
+                    app_data = cls._apptuple_to_dict(package)
+                    app_data.pop("digest")
+                    app_data["channels"] = [
+                        x.name
+                        for x in appr_app_model.list_release_channels(
+                            package_name, package.release, False
+                        )
+                    ]
+                    app_data["blob"] = blob.b64blob
+                    result.append(app_data)
+        return result
 
 
 @pytest.fixture(autouse=True)
 def quaydb(monkeypatch, app):
-  monkeypatch.setattr('endpoints.appr.cnr_backend.QuayDB.Package', PackageTest)
-  monkeypatch.setattr('endpoints.appr.cnr_backend.Package', PackageTest)
-  monkeypatch.setattr('endpoints.appr.registry.Package', PackageTest)
-  monkeypatch.setattr('cnr.models.Package', PackageTest)
+    monkeypatch.setattr("endpoints.appr.cnr_backend.QuayDB.Package", PackageTest)
+    monkeypatch.setattr("endpoints.appr.cnr_backend.Package", PackageTest)
+    monkeypatch.setattr("endpoints.appr.registry.Package", PackageTest)
+    monkeypatch.setattr("cnr.models.Package", PackageTest)
 
-  monkeypatch.setattr('endpoints.appr.cnr_backend.QuayDB.Channel', ChannelTest)
-  monkeypatch.setattr('endpoints.appr.registry.Channel', ChannelTest)
-  monkeypatch.setattr('cnr.models.Channel', ChannelTest)
+    monkeypatch.setattr("endpoints.appr.cnr_backend.QuayDB.Channel", ChannelTest)
+    monkeypatch.setattr("endpoints.appr.registry.Channel", ChannelTest)
+    monkeypatch.setattr("cnr.models.Channel", ChannelTest)
 
 
 class TestServerQuayDB(BaseTestServer):
-  DB_CLASS = QuayDB
+    DB_CLASS = QuayDB
 
-  @property
-  def token(self):
-    return "basic ZGV2dGFibGU6cGFzc3dvcmQ="
+    @property
+    def token(self):
+        return "basic ZGV2dGFibGU6cGFzc3dvcmQ="
 
-  def test_search_package_match(self, db_with_data1, client):
-    """ TODO: search cross namespace and package name """
-    BaseTestServer.test_search_package_match(self, db_with_data1, client)
+    def test_search_package_match(self, db_with_data1, client):
+        """ TODO: search cross namespace and package name """
+        BaseTestServer.test_search_package_match(self, db_with_data1, client)
 
-  def test_list_search_package_match(self, db_with_data1, client):
-    url = self._url_for("api/v1/packages")
-    res = self.Client(client, self.headers()).get(url, params={'query': 'rocketchat'})
-    assert res.status_code == 200
-    assert len(self.json(res)) == 1
+    def test_list_search_package_match(self, db_with_data1, client):
+        url = self._url_for("api/v1/packages")
+        res = self.Client(client, self.headers()).get(
+            url, params={"query": "rocketchat"}
+        )
+        assert res.status_code == 200
+        assert len(self.json(res)) == 1
 
-  def test_list_search_package_no_match(self, db_with_data1, client):
-    url = self._url_for("api/v1/packages")
-    res = self.Client(client, self.headers()).get(url, params={'query': 'toto'})
-    assert res.status_code == 200
-    assert len(self.json(res)) == 0
+    def test_list_search_package_no_match(self, db_with_data1, client):
+        url = self._url_for("api/v1/packages")
+        res = self.Client(client, self.headers()).get(url, params={"query": "toto"})
+        assert res.status_code == 200
+        assert len(self.json(res)) == 0
 
-  @pytest.mark.xfail
-  def test_push_package_already_exists_force(self, db_with_data1, package_b64blob, client):
-    """ No force push implemented """
-    BaseTestServer.test_push_package_already_exists_force(self, db_with_data1, package_b64blob,
-                                                          client)
+    @pytest.mark.xfail
+    def test_push_package_already_exists_force(
+        self, db_with_data1, package_b64blob, client
+    ):
+        """ No force push implemented """
+        BaseTestServer.test_push_package_already_exists_force(
+            self, db_with_data1, package_b64blob, client
+        )
 
-  @pytest.mark.xfail
-  def test_delete_channel_release_absent_release(self, db_with_data1, client):
-    BaseTestServer.test_delete_channel_release_absent_release(self, db_with_data1, client)
+    @pytest.mark.xfail
+    def test_delete_channel_release_absent_release(self, db_with_data1, client):
+        BaseTestServer.test_delete_channel_release_absent_release(
+            self, db_with_data1, client
+        )
 
-  @pytest.mark.xfail
-  def test_get_absent_blob(self, newdb, client):
-    pass
+    @pytest.mark.xfail
+    def test_get_absent_blob(self, newdb, client):
+        pass
 
 
 class TestQuayModels(CnrTestModels):
-  DB_CLASS = QuayDB
+    DB_CLASS = QuayDB
 
-  @pytest.mark.xfail
-  def test_channel_delete_releases(self, db_with_data1):
-    """ Can't remove a release from the channel, only delete the channel entirely """
-    CnrTestModels.test_channel_delete_releases(self, db_with_data1)
+    @pytest.mark.xfail
+    def test_channel_delete_releases(self, db_with_data1):
+        """ Can't remove a release from the channel, only delete the channel entirely """
+        CnrTestModels.test_channel_delete_releases(self, db_with_data1)
 
-  @pytest.mark.xfail
-  def test_forbiddeb_db_reset(self, db_class):
-    pass
+    @pytest.mark.xfail
+    def test_forbiddeb_db_reset(self, db_class):
+        pass
 
-  @pytest.mark.xfail
-  def test_db_restore(self, newdb, dbdata1):
-    # This will fail as long as CNR tests use a mediatype with v1.
-    pass
+    @pytest.mark.xfail
+    def test_db_restore(self, newdb, dbdata1):
+        # This will fail as long as CNR tests use a mediatype with v1.
+        pass
 
-  def test_push_same_blob(self, db_with_data1):
-    p = db_with_data1.Package.get("titi/rocketchat", ">1.2", 'kpm')
-    assert p.package == "titi/rocketchat"
-    assert p.release == "2.0.1"
-    assert p.digest == "d3b54b7912fe770a61b59ab612a442eac52a8a5d8d05dbe92bf8f212d68aaa80"
-    blob = db_with_data1.Blob.get("titi/rocketchat", p.digest)
-    bdb = appr_blob.get_blob(p.digest, appr_app_model.models_ref)
-    newblob = db_with_data1.Blob("titi/app2", blob.b64blob)
-    p2 = db_with_data1.Package("titi/app2", "1.0.0", "helm", newblob)
-    p2.save()
-    b2db = appr_blob.get_blob(p2.digest, appr_app_model.models_ref)
-    assert b2db.id == bdb.id
+    def test_push_same_blob(self, db_with_data1):
+        p = db_with_data1.Package.get("titi/rocketchat", ">1.2", "kpm")
+        assert p.package == "titi/rocketchat"
+        assert p.release == "2.0.1"
+        assert (
+            p.digest
+            == "d3b54b7912fe770a61b59ab612a442eac52a8a5d8d05dbe92bf8f212d68aaa80"
+        )
+        blob = db_with_data1.Blob.get("titi/rocketchat", p.digest)
+        bdb = appr_blob.get_blob(p.digest, appr_app_model.models_ref)
+        newblob = db_with_data1.Blob("titi/app2", blob.b64blob)
+        p2 = db_with_data1.Package("titi/app2", "1.0.0", "helm", newblob)
+        p2.save()
+        b2db = appr_blob.get_blob(p2.digest, appr_app_model.models_ref)
+        assert b2db.id == bdb.id
 
-  def test_force_push_different_blob(self, db_with_data1):
-    p = db_with_data1.Package.get("titi/rocketchat", "2.0.1", 'kpm')
-    assert p.package == "titi/rocketchat"
-    assert p.release == "2.0.1"
-    assert p.digest == "d3b54b7912fe770a61b59ab612a442eac52a8a5d8d05dbe92bf8f212d68aaa80"
-    blob = db_with_data1.Blob.get(
-      "titi/rocketchat", "72ed15c9a65961ecd034cca098ec18eb99002cd402824aae8a674a8ae41bd0ef")
-    p2 = db_with_data1.Package("titi/rocketchat", "2.0.1", "kpm", blob)
-    p2.save(force=True)
-    pnew = db_with_data1.Package.get("titi/rocketchat", "2.0.1", 'kpm')
-    assert pnew.package == "titi/rocketchat"
-    assert pnew.release == "2.0.1"
-    assert pnew.digest == "72ed15c9a65961ecd034cca098ec18eb99002cd402824aae8a674a8ae41bd0ef"
+    def test_force_push_different_blob(self, db_with_data1):
+        p = db_with_data1.Package.get("titi/rocketchat", "2.0.1", "kpm")
+        assert p.package == "titi/rocketchat"
+        assert p.release == "2.0.1"
+        assert (
+            p.digest
+            == "d3b54b7912fe770a61b59ab612a442eac52a8a5d8d05dbe92bf8f212d68aaa80"
+        )
+        blob = db_with_data1.Blob.get(
+            "titi/rocketchat",
+            "72ed15c9a65961ecd034cca098ec18eb99002cd402824aae8a674a8ae41bd0ef",
+        )
+        p2 = db_with_data1.Package("titi/rocketchat", "2.0.1", "kpm", blob)
+        p2.save(force=True)
+        pnew = db_with_data1.Package.get("titi/rocketchat", "2.0.1", "kpm")
+        assert pnew.package == "titi/rocketchat"
+        assert pnew.release == "2.0.1"
+        assert (
+            pnew.digest
+            == "72ed15c9a65961ecd034cca098ec18eb99002cd402824aae8a674a8ae41bd0ef"
+        )
diff --git a/endpoints/appr/test/test_api_security.py b/endpoints/appr/test/test_api_security.py
index c3e52b30c..b672f8f1a 100644
--- a/endpoints/appr/test/test_api_security.py
+++ b/endpoints/appr/test/test_api_security.py
@@ -8,90 +8,252 @@ from endpoints.appr.registry import appr_bp, blobs
 from endpoints.test.shared import client_with_identity
 from test.fixtures import *
 
-BLOB_ARGS = {'digest': 'abcd1235'}
-PACKAGE_ARGS = {'release': 'r', 'media_type': 'foo'}
-RELEASE_ARGS = {'release': 'r'}
-CHANNEL_ARGS = {'channel_name': 'c'}
-CHANNEL_RELEASE_ARGS = {'channel_name': 'c', 'release': 'r'}
+BLOB_ARGS = {"digest": "abcd1235"}
+PACKAGE_ARGS = {"release": "r", "media_type": "foo"}
+RELEASE_ARGS = {"release": "r"}
+CHANNEL_ARGS = {"channel_name": "c"}
+CHANNEL_RELEASE_ARGS = {"channel_name": "c", "release": "r"}
 
-@pytest.mark.parametrize('resource,method,params,owned_by,is_public,identity,expected', [
-  ('appr.blobs', 'GET', BLOB_ARGS, 'devtable', False, 'public', 403),
-  ('appr.blobs', 'GET', BLOB_ARGS, 'devtable', False, 'devtable', 404),
-  ('appr.blobs', 'GET', BLOB_ARGS, 'devtable', True, 'public', 404),
-  ('appr.blobs', 'GET', BLOB_ARGS, 'devtable', True, 'devtable', 404),
 
-  ('appr.delete_package', 'DELETE', PACKAGE_ARGS, 'devtable', False, 'public', 403),
-  ('appr.delete_package', 'DELETE', PACKAGE_ARGS, 'devtable', False, 'devtable', 404),
-  ('appr.delete_package', 'DELETE', PACKAGE_ARGS, 'devtable', True, 'public', 403),
-  ('appr.delete_package', 'DELETE', PACKAGE_ARGS, 'devtable', True, 'devtable', 404),
+@pytest.mark.parametrize(
+    "resource,method,params,owned_by,is_public,identity,expected",
+    [
+        ("appr.blobs", "GET", BLOB_ARGS, "devtable", False, "public", 403),
+        ("appr.blobs", "GET", BLOB_ARGS, "devtable", False, "devtable", 404),
+        ("appr.blobs", "GET", BLOB_ARGS, "devtable", True, "public", 404),
+        ("appr.blobs", "GET", BLOB_ARGS, "devtable", True, "devtable", 404),
+        (
+            "appr.delete_package",
+            "DELETE",
+            PACKAGE_ARGS,
+            "devtable",
+            False,
+            "public",
+            403,
+        ),
+        (
+            "appr.delete_package",
+            "DELETE",
+            PACKAGE_ARGS,
+            "devtable",
+            False,
+            "devtable",
+            404,
+        ),
+        (
+            "appr.delete_package",
+            "DELETE",
+            PACKAGE_ARGS,
+            "devtable",
+            True,
+            "public",
+            403,
+        ),
+        (
+            "appr.delete_package",
+            "DELETE",
+            PACKAGE_ARGS,
+            "devtable",
+            True,
+            "devtable",
+            404,
+        ),
+        ("appr.show_package", "GET", PACKAGE_ARGS, "devtable", False, "public", 403),
+        ("appr.show_package", "GET", PACKAGE_ARGS, "devtable", False, "devtable", 404),
+        ("appr.show_package", "GET", PACKAGE_ARGS, "devtable", True, "public", 404),
+        ("appr.show_package", "GET", PACKAGE_ARGS, "devtable", True, "devtable", 404),
+        ("appr.show_package_releases", "GET", {}, "devtable", False, "public", 403),
+        ("appr.show_package_releases", "GET", {}, "devtable", False, "devtable", 200),
+        ("appr.show_package_releases", "GET", {}, "devtable", True, "public", 200),
+        ("appr.show_package_releases", "GET", {}, "devtable", True, "devtable", 200),
+        (
+            "appr.show_package_release_manifests",
+            "GET",
+            RELEASE_ARGS,
+            "devtable",
+            False,
+            "public",
+            403,
+        ),
+        (
+            "appr.show_package_release_manifests",
+            "GET",
+            RELEASE_ARGS,
+            "devtable",
+            False,
+            "devtable",
+            200,
+        ),
+        (
+            "appr.show_package_release_manifests",
+            "GET",
+            RELEASE_ARGS,
+            "devtable",
+            True,
+            "public",
+            200,
+        ),
+        (
+            "appr.show_package_release_manifests",
+            "GET",
+            RELEASE_ARGS,
+            "devtable",
+            True,
+            "devtable",
+            200,
+        ),
+        ("appr.pull", "GET", PACKAGE_ARGS, "devtable", False, "public", 403),
+        ("appr.pull", "GET", PACKAGE_ARGS, "devtable", False, "devtable", 404),
+        ("appr.pull", "GET", PACKAGE_ARGS, "devtable", True, "public", 404),
+        ("appr.pull", "GET", PACKAGE_ARGS, "devtable", True, "devtable", 404),
+        ("appr.push", "POST", {}, "devtable", False, "public", 403),
+        ("appr.push", "POST", {}, "devtable", False, "devtable", 400),
+        ("appr.push", "POST", {}, "devtable", True, "public", 403),
+        ("appr.push", "POST", {}, "devtable", True, "devtable", 400),
+        ("appr.list_channels", "GET", {}, "devtable", False, "public", 403),
+        ("appr.list_channels", "GET", {}, "devtable", False, "devtable", 200),
+        ("appr.list_channels", "GET", {}, "devtable", True, "public", 200),
+        ("appr.list_channels", "GET", {}, "devtable", True, "devtable", 200),
+        ("appr.show_channel", "GET", CHANNEL_ARGS, "devtable", False, "public", 403),
+        ("appr.show_channel", "GET", CHANNEL_ARGS, "devtable", False, "devtable", 404),
+        ("appr.show_channel", "GET", CHANNEL_ARGS, "devtable", True, "public", 404),
+        ("appr.show_channel", "GET", CHANNEL_ARGS, "devtable", True, "devtable", 404),
+        (
+            "appr.delete_channel",
+            "DELETE",
+            CHANNEL_ARGS,
+            "devtable",
+            False,
+            "public",
+            403,
+        ),
+        (
+            "appr.delete_channel",
+            "DELETE",
+            CHANNEL_ARGS,
+            "devtable",
+            False,
+            "devtable",
+            404,
+        ),
+        (
+            "appr.delete_channel",
+            "DELETE",
+            CHANNEL_ARGS,
+            "devtable",
+            True,
+            "public",
+            403,
+        ),
+        (
+            "appr.delete_channel",
+            "DELETE",
+            CHANNEL_ARGS,
+            "devtable",
+            True,
+            "devtable",
+            404,
+        ),
+        (
+            "appr.add_channel_release",
+            "POST",
+            CHANNEL_RELEASE_ARGS,
+            "devtable",
+            False,
+            "public",
+            403,
+        ),
+        (
+            "appr.add_channel_release",
+            "POST",
+            CHANNEL_RELEASE_ARGS,
+            "devtable",
+            False,
+            "devtable",
+            404,
+        ),
+        (
+            "appr.add_channel_release",
+            "POST",
+            CHANNEL_RELEASE_ARGS,
+            "devtable",
+            True,
+            "public",
+            403,
+        ),
+        (
+            "appr.add_channel_release",
+            "POST",
+            CHANNEL_RELEASE_ARGS,
+            "devtable",
+            True,
+            "devtable",
+            404,
+        ),
+        (
+            "appr.delete_channel_release",
+            "DELETE",
+            CHANNEL_RELEASE_ARGS,
+            "devtable",
+            False,
+            "public",
+            403,
+        ),
+        (
+            "appr.delete_channel_release",
+            "DELETE",
+            CHANNEL_RELEASE_ARGS,
+            "devtable",
+            False,
+            "devtable",
+            404,
+        ),
+        (
+            "appr.delete_channel_release",
+            "DELETE",
+            CHANNEL_RELEASE_ARGS,
+            "devtable",
+            True,
+            "public",
+            403,
+        ),
+        (
+            "appr.delete_channel_release",
+            "DELETE",
+            CHANNEL_RELEASE_ARGS,
+            "devtable",
+            True,
+            "devtable",
+            404,
+        ),
+    ],
+)
+def test_api_security(
+    resource, method, params, owned_by, is_public, identity, expected, app, client
+):
+    app.register_blueprint(appr_bp, url_prefix="/cnr")
 
-  ('appr.show_package', 'GET', PACKAGE_ARGS, 'devtable', False, 'public', 403),
-  ('appr.show_package', 'GET', PACKAGE_ARGS, 'devtable', False, 'devtable', 404),
-  ('appr.show_package', 'GET', PACKAGE_ARGS, 'devtable', True, 'public', 404),
-  ('appr.show_package', 'GET', PACKAGE_ARGS, 'devtable', True, 'devtable', 404),
+    with client_with_identity(identity, client) as cl:
+        owner = model.user.get_user(owned_by)
+        visibility = "public" if is_public else "private"
+        model.repository.create_repository(
+            owned_by,
+            "someapprepo",
+            owner,
+            visibility=visibility,
+            repo_kind="application",
+        )
 
-  ('appr.show_package_releases', 'GET', {}, 'devtable', False, 'public', 403),
-  ('appr.show_package_releases', 'GET', {}, 'devtable', False, 'devtable', 200),
-  ('appr.show_package_releases', 'GET', {}, 'devtable', True, 'public', 200),
-  ('appr.show_package_releases', 'GET', {}, 'devtable', True, 'devtable', 200),
+        params["namespace"] = owned_by
+        params["package_name"] = "someapprepo"
+        params["_csrf_token"] = "123csrfforme"
 
-  ('appr.show_package_release_manifests', 'GET', RELEASE_ARGS, 'devtable', False, 'public', 403),
-  ('appr.show_package_release_manifests', 'GET', RELEASE_ARGS, 'devtable', False, 'devtable', 200),
-  ('appr.show_package_release_manifests', 'GET', RELEASE_ARGS, 'devtable', True, 'public', 200),
-  ('appr.show_package_release_manifests', 'GET', RELEASE_ARGS, 'devtable', True, 'devtable', 200),
+        url = url_for(resource, **params)
+        headers = {}
+        if identity is not None:
+            headers["authorization"] = "basic " + base64.b64encode(
+                "%s:password" % identity
+            )
 
-  ('appr.pull', 'GET', PACKAGE_ARGS, 'devtable', False, 'public', 403),
-  ('appr.pull', 'GET', PACKAGE_ARGS, 'devtable', False, 'devtable', 404),
-  ('appr.pull', 'GET', PACKAGE_ARGS, 'devtable', True, 'public', 404),
-  ('appr.pull', 'GET', PACKAGE_ARGS, 'devtable', True, 'devtable', 404),
-
-  ('appr.push', 'POST', {}, 'devtable', False, 'public', 403),
-  ('appr.push', 'POST', {}, 'devtable', False, 'devtable', 400),
-  ('appr.push', 'POST', {}, 'devtable', True, 'public', 403),
-  ('appr.push', 'POST', {}, 'devtable', True, 'devtable', 400),
-
-  ('appr.list_channels', 'GET', {}, 'devtable', False, 'public', 403),
-  ('appr.list_channels', 'GET', {}, 'devtable', False, 'devtable', 200),
-  ('appr.list_channels', 'GET', {}, 'devtable', True, 'public', 200),
-  ('appr.list_channels', 'GET', {}, 'devtable', True, 'devtable', 200),
-
-  ('appr.show_channel', 'GET', CHANNEL_ARGS, 'devtable', False, 'public', 403),
-  ('appr.show_channel', 'GET', CHANNEL_ARGS, 'devtable', False, 'devtable', 404),
-  ('appr.show_channel', 'GET', CHANNEL_ARGS, 'devtable', True, 'public', 404),
-  ('appr.show_channel', 'GET', CHANNEL_ARGS, 'devtable', True, 'devtable', 404),
-
-  ('appr.delete_channel', 'DELETE', CHANNEL_ARGS, 'devtable', False, 'public', 403),
-  ('appr.delete_channel', 'DELETE', CHANNEL_ARGS, 'devtable', False, 'devtable', 404),
-  ('appr.delete_channel', 'DELETE', CHANNEL_ARGS, 'devtable', True, 'public', 403),
-  ('appr.delete_channel', 'DELETE', CHANNEL_ARGS, 'devtable', True, 'devtable', 404),
-
-  ('appr.add_channel_release', 'POST', CHANNEL_RELEASE_ARGS, 'devtable', False, 'public', 403),
-  ('appr.add_channel_release', 'POST', CHANNEL_RELEASE_ARGS, 'devtable', False, 'devtable', 404),
-  ('appr.add_channel_release', 'POST', CHANNEL_RELEASE_ARGS, 'devtable', True, 'public', 403),
-  ('appr.add_channel_release', 'POST', CHANNEL_RELEASE_ARGS, 'devtable', True, 'devtable', 404),
-
-  ('appr.delete_channel_release', 'DELETE', CHANNEL_RELEASE_ARGS, 'devtable', False, 'public', 403),
-  ('appr.delete_channel_release', 'DELETE', CHANNEL_RELEASE_ARGS, 'devtable', False, 'devtable', 404),
-  ('appr.delete_channel_release', 'DELETE', CHANNEL_RELEASE_ARGS, 'devtable', True, 'public', 403),
-  ('appr.delete_channel_release', 'DELETE', CHANNEL_RELEASE_ARGS, 'devtable', True, 'devtable', 404),
-])
-def test_api_security(resource, method, params, owned_by, is_public, identity, expected, app, client):
-  app.register_blueprint(appr_bp, url_prefix='/cnr')
-
-  with client_with_identity(identity, client) as cl:
-    owner = model.user.get_user(owned_by)
-    visibility = 'public' if is_public else 'private'
-    model.repository.create_repository(owned_by, 'someapprepo', owner, visibility=visibility,
-                                       repo_kind='application')
-
-    params['namespace'] = owned_by
-    params['package_name'] = 'someapprepo'
-    params['_csrf_token'] = '123csrfforme'
-
-    url = url_for(resource, **params)
-    headers = {}
-    if identity is not None:
-      headers['authorization'] = 'basic ' + base64.b64encode('%s:password' % identity)
-
-    rv = cl.open(url, headers=headers, method=method)
-    assert rv.status_code == expected
+        rv = cl.open(url, headers=headers, method=method)
+        assert rv.status_code == expected
diff --git a/endpoints/appr/test/test_appr_decorators.py b/endpoints/appr/test/test_appr_decorators.py
index 77519d6bd..490d6d98a 100644
--- a/endpoints/appr/test/test_appr_decorators.py
+++ b/endpoints/appr/test/test_appr_decorators.py
@@ -7,14 +7,15 @@ from endpoints.appr import require_app_repo_read
 
 from test.fixtures import *
 
+
 def test_require_app_repo_read(app):
-  called = [False]
+    called = [False]
 
-  # Ensure that trying to read an *image* repository fails.
-  @require_app_repo_read
-  def empty(**kwargs):
-    called[0] = True
+    # Ensure that trying to read an *image* repository fails.
+    @require_app_repo_read
+    def empty(**kwargs):
+        called[0] = True
 
-  with pytest.raises(HTTPException):
-    empty(namespace='devtable', package_name='simple')
-    assert not called[0]
+    with pytest.raises(HTTPException):
+        empty(namespace="devtable", package_name="simple")
+        assert not called[0]
diff --git a/endpoints/appr/test/test_digest_prefix.py b/endpoints/appr/test/test_digest_prefix.py
index 089becd43..03f943851 100644
--- a/endpoints/appr/test/test_digest_prefix.py
+++ b/endpoints/appr/test/test_digest_prefix.py
@@ -2,10 +2,18 @@ import pytest
 from endpoints.appr.models_cnr import _strip_sha256_header
 
 
-@pytest.mark.parametrize('digest,expected', [
-  ('sha256:251b6897608fb18b8a91ac9abac686e2e95245d5a041f2d1e78fe7a815e6480a',
-   '251b6897608fb18b8a91ac9abac686e2e95245d5a041f2d1e78fe7a815e6480a'),
-  ('251b6897608fb18b8a91ac9abac686e2e95245d5a041f2d1e78fe7a815e6480a',
-   '251b6897608fb18b8a91ac9abac686e2e95245d5a041f2d1e78fe7a815e6480a'),])
+@pytest.mark.parametrize(
+    "digest,expected",
+    [
+        (
+            "sha256:251b6897608fb18b8a91ac9abac686e2e95245d5a041f2d1e78fe7a815e6480a",
+            "251b6897608fb18b8a91ac9abac686e2e95245d5a041f2d1e78fe7a815e6480a",
+        ),
+        (
+            "251b6897608fb18b8a91ac9abac686e2e95245d5a041f2d1e78fe7a815e6480a",
+            "251b6897608fb18b8a91ac9abac686e2e95245d5a041f2d1e78fe7a815e6480a",
+        ),
+    ],
+)
 def test_stip_sha256(digest, expected):
-  assert _strip_sha256_header(digest) == expected
+    assert _strip_sha256_header(digest) == expected
diff --git a/endpoints/appr/test/test_registry.py b/endpoints/appr/test/test_registry.py
index bd6602675..a853766b5 100644
--- a/endpoints/appr/test/test_registry.py
+++ b/endpoints/appr/test/test_registry.py
@@ -13,80 +13,60 @@ from endpoints.appr.registry import appr_bp
 from test.fixtures import *
 
 
-@pytest.mark.parametrize('login_data, expected_code', [
-  ({
-    "username": "devtable",
-    "password": "password"
-  }, 200),
-  ({
-    "username": "devtable",
-    "password": "badpass"
-  }, 401),
-  ({
-    "username": "devtable+dtrobot",
-    "password": "badpass"
-  }, 401),
-  ({
-    "username": "devtable+dtrobot2",
-    "password": "badpass"
-  }, 401),
-])
+@pytest.mark.parametrize(
+    "login_data, expected_code",
+    [
+        ({"username": "devtable", "password": "password"}, 200),
+        ({"username": "devtable", "password": "badpass"}, 401),
+        ({"username": "devtable+dtrobot", "password": "badpass"}, 401),
+        ({"username": "devtable+dtrobot2", "password": "badpass"}, 401),
+    ],
+)
 def test_login(login_data, expected_code, app, client):
-  if "+" in login_data['username'] and login_data['password'] is None:
-    username, robotname = login_data['username'].split("+")
-    _, login_data['password'] = model.user.create_robot(robotname, model.user.get_user(username))
+    if "+" in login_data["username"] and login_data["password"] is None:
+        username, robotname = login_data["username"].split("+")
+        _, login_data["password"] = model.user.create_robot(
+            robotname, model.user.get_user(username)
+        )
 
-  url = url_for('appr.login')
-  headers = {'Content-Type': 'application/json'}
-  data = {'user': login_data}
+    url = url_for("appr.login")
+    headers = {"Content-Type": "application/json"}
+    data = {"user": login_data}
 
-  rv = client.open(url, method='POST', data=json.dumps(data), headers=headers)
-  assert rv.status_code == expected_code
+    rv = client.open(url, method="POST", data=json.dumps(data), headers=headers)
+    assert rv.status_code == expected_code
 
 
-@pytest.mark.parametrize('release_name', [
-  '1.0',
-  '1',
-  1,
-])
+@pytest.mark.parametrize("release_name", ["1.0", "1", 1])
 def test_invalid_release_name(release_name, app, client):
-  params = {
-    'namespace': 'devtable',
-    'package_name': 'someapprepo',
-  }
+    params = {"namespace": "devtable", "package_name": "someapprepo"}
 
-  url = url_for('appr.push', **params)
-  auth = base64.b64encode('devtable:password')
-  headers = {'Content-Type': 'application/json', 'Authorization': 'Basic ' + auth}
-  data = {
-    'release': release_name,
-    'media_type': 'application/vnd.cnr.manifest.v1+json',
-    'blob': 'H4sIAFQwWVoAA+3PMQrCQBAF0Bxlb+Bk143nETGIIEoSC29vMMFOu3TvNb/5DH/Ot8f02jWbiohDremT3ZKR90uuUlty7nKJNmqKtkQuTarbzlo8x+k4zFOu4+lyH4afvbnW93/urH98EwAAAAAAAAAAADb0BsdwExIAKAAA',
-  }
+    url = url_for("appr.push", **params)
+    auth = base64.b64encode("devtable:password")
+    headers = {"Content-Type": "application/json", "Authorization": "Basic " + auth}
+    data = {
+        "release": release_name,
+        "media_type": "application/vnd.cnr.manifest.v1+json",
+        "blob": "H4sIAFQwWVoAA+3PMQrCQBAF0Bxlb+Bk143nETGIIEoSC29vMMFOu3TvNb/5DH/Ot8f02jWbiohDremT3ZKR90uuUlty7nKJNmqKtkQuTarbzlo8x+k4zFOu4+lyH4afvbnW93/urH98EwAAAAAAAAAAADb0BsdwExIAKAAA",
+    }
 
-  rv = client.open(url, method='POST', data=json.dumps(data), headers=headers)
-  assert rv.status_code == 422
+    rv = client.open(url, method="POST", data=json.dumps(data), headers=headers)
+    assert rv.status_code == 422
 
 
-@pytest.mark.parametrize('readonly, expected_status', [
-  (True, 405),
-  (False, 422),
-])
+@pytest.mark.parametrize("readonly, expected_status", [(True, 405), (False, 422)])
 def test_readonly(readonly, expected_status, app, client):
-  params = {
-    'namespace': 'devtable',
-    'package_name': 'someapprepo',
-  }
+    params = {"namespace": "devtable", "package_name": "someapprepo"}
 
-  url = url_for('appr.push', **params)
-  auth = base64.b64encode('devtable:password')
-  headers = {'Content-Type': 'application/json', 'Authorization': 'Basic ' + auth}
-  data = {
-    'release': '1.0',
-    'media_type': 'application/vnd.cnr.manifest.v0+json',
-    'blob': 'H4sIAFQwWVoAA+3PMQrCQBAF0Bxlb+Bk143nETGIIEoSC29vMMFOu3TvNb/5DH/Ot8f02jWbiohDremT3ZKR90uuUlty7nKJNmqKtkQuTarbzlo8x+k4zFOu4+lyH4afvbnW93/urH98EwAAAAAAAAAAADb0BsdwExIAKAAA',
-  }
+    url = url_for("appr.push", **params)
+    auth = base64.b64encode("devtable:password")
+    headers = {"Content-Type": "application/json", "Authorization": "Basic " + auth}
+    data = {
+        "release": "1.0",
+        "media_type": "application/vnd.cnr.manifest.v0+json",
+        "blob": "H4sIAFQwWVoAA+3PMQrCQBAF0Bxlb+Bk143nETGIIEoSC29vMMFOu3TvNb/5DH/Ot8f02jWbiohDremT3ZKR90uuUlty7nKJNmqKtkQuTarbzlo8x+k4zFOu4+lyH4afvbnW93/urH98EwAAAAAAAAAAADb0BsdwExIAKAAA",
+    }
 
-  with patch('endpoints.appr.models_cnr.model.is_readonly', readonly):
-    rv = client.open(url, method='POST', data=json.dumps(data), headers=headers)
-    assert rv.status_code == expected_status
+    with patch("endpoints.appr.models_cnr.model.is_readonly", readonly):
+        rv = client.open(url, method="POST", data=json.dumps(data), headers=headers)
+        assert rv.status_code == expected_status
diff --git a/endpoints/bitbuckettrigger.py b/endpoints/bitbuckettrigger.py
index 7e521c10d..e6b5887c9 100644
--- a/endpoints/bitbuckettrigger.py
+++ b/endpoints/bitbuckettrigger.py
@@ -14,33 +14,33 @@ from util.http import abort
 import features
 
 logger = logging.getLogger(__name__)
-client = app.config['HTTPCLIENT']
-bitbuckettrigger = Blueprint('bitbuckettrigger', __name__)
+client = app.config["HTTPCLIENT"]
+bitbuckettrigger = Blueprint("bitbuckettrigger", __name__)
 
 
-@bitbuckettrigger.route('/bitbucket/callback/trigger/<trigger_uuid>', methods=['GET'])
+@bitbuckettrigger.route("/bitbucket/callback/trigger/<trigger_uuid>", methods=["GET"])
 @route_show_if(features.BITBUCKET_BUILD)
 @require_session_login
 def attach_bitbucket_build_trigger(trigger_uuid):
-  trigger = model.build.get_build_trigger(trigger_uuid)
-  if not trigger or trigger.service.name != BitbucketBuildTrigger.service_name():
-    abort(404)
+    trigger = model.build.get_build_trigger(trigger_uuid)
+    if not trigger or trigger.service.name != BitbucketBuildTrigger.service_name():
+        abort(404)
 
-  if trigger.connected_user != current_user.db_user():
-    abort(404)
+    if trigger.connected_user != current_user.db_user():
+        abort(404)
 
-  verifier = request.args.get('oauth_verifier')
-  handler = BuildTriggerHandler.get_handler(trigger)
-  result = handler.exchange_verifier(verifier)
-  if not result:
-    trigger.delete_instance()
-    return 'Token has expired'
+    verifier = request.args.get("oauth_verifier")
+    handler = BuildTriggerHandler.get_handler(trigger)
+    result = handler.exchange_verifier(verifier)
+    if not result:
+        trigger.delete_instance()
+        return "Token has expired"
 
-  namespace = trigger.repository.namespace_user.username
-  repository = trigger.repository.name
+    namespace = trigger.repository.namespace_user.username
+    repository = trigger.repository.name
 
-  repo_path = '%s/%s' % (namespace, repository)
-  full_url = url_for('web.buildtrigger', path=repo_path, trigger=trigger.uuid)
+    repo_path = "%s/%s" % (namespace, repository)
+    full_url = url_for("web.buildtrigger", path=repo_path, trigger=trigger.uuid)
 
-  logger.debug('Redirecting to full url: %s', full_url)
-  return redirect(full_url)
+    logger.debug("Redirecting to full url: %s", full_url)
+    return redirect(full_url)
diff --git a/endpoints/building.py b/endpoints/building.py
index 247d0a932..456a1a8e9 100644
--- a/endpoints/building.py
+++ b/endpoints/building.py
@@ -20,255 +20,293 @@ logger = logging.getLogger(__name__)
 
 
 class MaximumBuildsQueuedException(Exception):
-  """
+    """
   This exception is raised when a build is requested, but the incoming build
   would exceed the configured maximum build rate.
   """
-  pass
+
+    pass
 
 
 class BuildTriggerDisabledException(Exception):
-  """
+    """
   This exception is raised when a build is required, but the build trigger has been disabled.
   """
-  pass
+
+    pass
 
 
 def start_build(repository, prepared_build, pull_robot_name=None):
-  # Ensure that builds are only run in image repositories.
-  if repository.kind.name != 'image':
-    raise Exception('Attempt to start a build for application repository %s' % repository.id)
+    # Ensure that builds are only run in image repositories.
+    if repository.kind.name != "image":
+        raise Exception(
+            "Attempt to start a build for application repository %s" % repository.id
+        )
 
-  # Ensure the repository isn't in mirror or read-only mode.
-  if repository.state != RepositoryState.NORMAL:
-    raise Exception(('Attempt to start a build for a non-normal repository: %s %s' %
-                     (repository.id, repository.state)))
+    # Ensure the repository isn't in mirror or read-only mode.
+    if repository.state != RepositoryState.NORMAL:
+        raise Exception(
+            (
+                "Attempt to start a build for a non-normal repository: %s %s"
+                % (repository.id, repository.state)
+            )
+        )
 
-  # Ensure that disabled triggers are not run.
-  if prepared_build.trigger is not None and not prepared_build.trigger.enabled:
-    raise BuildTriggerDisabledException
+    # Ensure that disabled triggers are not run.
+    if prepared_build.trigger is not None and not prepared_build.trigger.enabled:
+        raise BuildTriggerDisabledException
 
-  if repository.namespace_user.maximum_queued_builds_count is not None:
-    queue_item_canonical_name = [repository.namespace_user.username]
-    alive_builds = dockerfile_build_queue.num_alive_jobs(queue_item_canonical_name)
-    if alive_builds >= repository.namespace_user.maximum_queued_builds_count:
-      logger.debug('Prevented queueing of build under namespace %s due to reaching max: %s',
-                   repository.namespace_user.username,
-                   repository.namespace_user.maximum_queued_builds_count)
-      raise MaximumBuildsQueuedException()      
+    if repository.namespace_user.maximum_queued_builds_count is not None:
+        queue_item_canonical_name = [repository.namespace_user.username]
+        alive_builds = dockerfile_build_queue.num_alive_jobs(queue_item_canonical_name)
+        if alive_builds >= repository.namespace_user.maximum_queued_builds_count:
+            logger.debug(
+                "Prevented queueing of build under namespace %s due to reaching max: %s",
+                repository.namespace_user.username,
+                repository.namespace_user.maximum_queued_builds_count,
+            )
+            raise MaximumBuildsQueuedException()
 
-  host = app.config['SERVER_HOSTNAME']
-  repo_path = '%s/%s/%s' % (host, repository.namespace_user.username, repository.name)
+    host = app.config["SERVER_HOSTNAME"]
+    repo_path = "%s/%s/%s" % (host, repository.namespace_user.username, repository.name)
 
-  new_token = model.token.create_access_token(repository, 'write', kind='build-worker',
-                                              friendly_name='Repository Build Token')
-  logger.debug('Creating build %s with repo %s tags %s',
-               prepared_build.build_name, repo_path, prepared_build.tags)
+    new_token = model.token.create_access_token(
+        repository, "write", kind="build-worker", friendly_name="Repository Build Token"
+    )
+    logger.debug(
+        "Creating build %s with repo %s tags %s",
+        prepared_build.build_name,
+        repo_path,
+        prepared_build.tags,
+    )
 
-  job_config = {
-    'docker_tags': prepared_build.tags,
-    'registry': host,
-    'build_subdir': prepared_build.subdirectory,
-    'context': prepared_build.context,
-    'trigger_metadata': prepared_build.metadata or {},
-    'is_manual': prepared_build.is_manual,
-    'manual_user': get_authenticated_user().username if get_authenticated_user() else None,
-    'archive_url': prepared_build.archive_url
-  }
+    job_config = {
+        "docker_tags": prepared_build.tags,
+        "registry": host,
+        "build_subdir": prepared_build.subdirectory,
+        "context": prepared_build.context,
+        "trigger_metadata": prepared_build.metadata or {},
+        "is_manual": prepared_build.is_manual,
+        "manual_user": get_authenticated_user().username
+        if get_authenticated_user()
+        else None,
+        "archive_url": prepared_build.archive_url,
+    }
 
-  with app.config['DB_TRANSACTION_FACTORY'](db):
-    build_request = model.build.create_repository_build(repository, new_token, job_config,
-                                                        prepared_build.dockerfile_id,
-                                                        prepared_build.build_name,
-                                                        prepared_build.trigger,
-                                                        pull_robot_name=pull_robot_name)
+    with app.config["DB_TRANSACTION_FACTORY"](db):
+        build_request = model.build.create_repository_build(
+            repository,
+            new_token,
+            job_config,
+            prepared_build.dockerfile_id,
+            prepared_build.build_name,
+            prepared_build.trigger,
+            pull_robot_name=pull_robot_name,
+        )
 
-    pull_creds = model.user.get_pull_credentials(pull_robot_name) if pull_robot_name else None
+        pull_creds = (
+            model.user.get_pull_credentials(pull_robot_name)
+            if pull_robot_name
+            else None
+        )
 
-    json_data = json.dumps({
-      'build_uuid': build_request.uuid,
-      'pull_credentials': pull_creds
-    })
+        json_data = json.dumps(
+            {"build_uuid": build_request.uuid, "pull_credentials": pull_creds}
+        )
 
-    queue_id = dockerfile_build_queue.put([repository.namespace_user.username, repository.name],
-                                          json_data,
-                                          retries_remaining=3)
+        queue_id = dockerfile_build_queue.put(
+            [repository.namespace_user.username, repository.name],
+            json_data,
+            retries_remaining=3,
+        )
 
-    build_request.queue_id = queue_id
-    build_request.save()
+        build_request.queue_id = queue_id
+        build_request.save()
 
-  # Add the queueing of the build to the metrics queue.
-  metric_queue.repository_build_queued.Inc(labelvalues=[repository.namespace_user.username,
-                                                        repository.name])
+    # Add the queueing of the build to the metrics queue.
+    metric_queue.repository_build_queued.Inc(
+        labelvalues=[repository.namespace_user.username, repository.name]
+    )
 
-  # Add the build to the repo's log and spawn the build_queued notification.
-  event_log_metadata = {
-    'build_id': build_request.uuid,
-    'docker_tags': prepared_build.tags,
-    'repo': repository.name,
-    'namespace': repository.namespace_user.username,
-    'is_manual': prepared_build.is_manual,
-    'manual_user': get_authenticated_user().username if get_authenticated_user() else None
-  }
+    # Add the build to the repo's log and spawn the build_queued notification.
+    event_log_metadata = {
+        "build_id": build_request.uuid,
+        "docker_tags": prepared_build.tags,
+        "repo": repository.name,
+        "namespace": repository.namespace_user.username,
+        "is_manual": prepared_build.is_manual,
+        "manual_user": get_authenticated_user().username
+        if get_authenticated_user()
+        else None,
+    }
 
-  if prepared_build.trigger:
-    event_log_metadata['trigger_id'] = prepared_build.trigger.uuid
-    event_log_metadata['trigger_kind'] = prepared_build.trigger.service.name
-    event_log_metadata['trigger_metadata'] = prepared_build.metadata or {}
+    if prepared_build.trigger:
+        event_log_metadata["trigger_id"] = prepared_build.trigger.uuid
+        event_log_metadata["trigger_kind"] = prepared_build.trigger.service.name
+        event_log_metadata["trigger_metadata"] = prepared_build.metadata or {}
 
-  logs_model.log_action('build_dockerfile', repository.namespace_user.username,
-                        ip=get_request_ip(), metadata=event_log_metadata, repository=repository)
+    logs_model.log_action(
+        "build_dockerfile",
+        repository.namespace_user.username,
+        ip=get_request_ip(),
+        metadata=event_log_metadata,
+        repository=repository,
+    )
 
-  # TODO: remove when more endpoints have been converted to using interfaces
-  repo = AttrDict({
-    'namespace_name': repository.namespace_user.username,
-    'name': repository.name,
-  })
+    # TODO: remove when more endpoints have been converted to using interfaces
+    repo = AttrDict(
+        {"namespace_name": repository.namespace_user.username, "name": repository.name}
+    )
 
-  spawn_notification(repo, 'build_queued', event_log_metadata,
-                     subpage='build/%s' % build_request.uuid,
-                     pathargs=['build', build_request.uuid])
+    spawn_notification(
+        repo,
+        "build_queued",
+        event_log_metadata,
+        subpage="build/%s" % build_request.uuid,
+        pathargs=["build", build_request.uuid],
+    )
 
-  return build_request
+    return build_request
 
 
 class PreparedBuild(object):
-  """ Class which holds all the information about a prepared build. The build queuing service
+    """ Class which holds all the information about a prepared build. The build queuing service
       will use this result to actually invoke the build.
   """
-  def __init__(self, trigger=None):
-    self._dockerfile_id = None
-    self._archive_url = None
-    self._tags = None
-    self._build_name = None
-    self._subdirectory = None
-    self._context = None
-    self._metadata = None
-    self._trigger = trigger
-    self._is_manual = None
 
-  @staticmethod
-  def get_display_name(sha):
-    return sha[0:7]
+    def __init__(self, trigger=None):
+        self._dockerfile_id = None
+        self._archive_url = None
+        self._tags = None
+        self._build_name = None
+        self._subdirectory = None
+        self._context = None
+        self._metadata = None
+        self._trigger = trigger
+        self._is_manual = None
 
-  def tags_from_ref(self, ref, default_branch=None):
-    branch = ref.split('/', 2)[-1]
-    tags = {branch}
+    @staticmethod
+    def get_display_name(sha):
+        return sha[0:7]
 
-    if branch == default_branch:
-      tags.add('latest')
+    def tags_from_ref(self, ref, default_branch=None):
+        branch = ref.split("/", 2)[-1]
+        tags = {branch}
 
-    self.tags = tags
+        if branch == default_branch:
+            tags.add("latest")
 
-  def name_from_sha(self, sha):
-    self.build_name = PreparedBuild.get_display_name(sha)
+        self.tags = tags
 
-  @property
-  def is_manual(self):
-    if self._is_manual is None:
-      raise Exception('Property is_manual not set')
+    def name_from_sha(self, sha):
+        self.build_name = PreparedBuild.get_display_name(sha)
 
-    return self._is_manual
+    @property
+    def is_manual(self):
+        if self._is_manual is None:
+            raise Exception("Property is_manual not set")
 
-  @is_manual.setter
-  def is_manual(self, value):
-    if self._is_manual is not None:
-      raise Exception('Property is_manual already set')
+        return self._is_manual
 
-    self._is_manual = value
+    @is_manual.setter
+    def is_manual(self, value):
+        if self._is_manual is not None:
+            raise Exception("Property is_manual already set")
 
-  @property
-  def trigger(self):
-    return self._trigger
+        self._is_manual = value
 
-  @property
-  def archive_url(self):
-    return self._archive_url
+    @property
+    def trigger(self):
+        return self._trigger
 
-  @archive_url.setter
-  def archive_url(self, value):
-    if self._archive_url:
-      raise Exception('Property archive_url already set')
+    @property
+    def archive_url(self):
+        return self._archive_url
 
-    self._archive_url = value
+    @archive_url.setter
+    def archive_url(self, value):
+        if self._archive_url:
+            raise Exception("Property archive_url already set")
 
-  @property
-  def dockerfile_id(self):
-    return self._dockerfile_id
+        self._archive_url = value
 
-  @dockerfile_id.setter
-  def dockerfile_id(self, value):
-    if self._dockerfile_id:
-      raise Exception('Property dockerfile_id already set')
+    @property
+    def dockerfile_id(self):
+        return self._dockerfile_id
 
-    self._dockerfile_id = value
+    @dockerfile_id.setter
+    def dockerfile_id(self, value):
+        if self._dockerfile_id:
+            raise Exception("Property dockerfile_id already set")
 
-  @property
-  def tags(self):
-    if not self._tags:
-      raise Exception('Missing property tags')
+        self._dockerfile_id = value
 
-    return self._tags
+    @property
+    def tags(self):
+        if not self._tags:
+            raise Exception("Missing property tags")
 
-  @tags.setter
-  def tags(self, value):
-    if self._tags:
-      raise Exception('Property tags already set')
+        return self._tags
 
-    self._tags = [escape_tag(tag, default='latest') for tag in value]
+    @tags.setter
+    def tags(self, value):
+        if self._tags:
+            raise Exception("Property tags already set")
 
-  @property
-  def build_name(self):
-    if not self._build_name:
-      raise Exception('Missing property build_name')
+        self._tags = [escape_tag(tag, default="latest") for tag in value]
 
-    return self._build_name
+    @property
+    def build_name(self):
+        if not self._build_name:
+            raise Exception("Missing property build_name")
 
-  @build_name.setter
-  def build_name(self, value):
-    if self._build_name:
-      raise Exception('Property build_name already set')
+        return self._build_name
 
-    self._build_name = value
+    @build_name.setter
+    def build_name(self, value):
+        if self._build_name:
+            raise Exception("Property build_name already set")
 
-  @property
-  def subdirectory(self):
-    if self._subdirectory is None:
-      raise Exception('Missing property subdirectory')
+        self._build_name = value
 
-    return self._subdirectory
+    @property
+    def subdirectory(self):
+        if self._subdirectory is None:
+            raise Exception("Missing property subdirectory")
 
-  @subdirectory.setter
-  def subdirectory(self, value):
-    if self._subdirectory:
-      raise Exception('Property subdirectory already set')
+        return self._subdirectory
 
-    self._subdirectory = value
+    @subdirectory.setter
+    def subdirectory(self, value):
+        if self._subdirectory:
+            raise Exception("Property subdirectory already set")
 
-  @property
-  def context(self):
-    if self._context is None:
-      raise Exception('Missing property context')
+        self._subdirectory = value
 
-    return self._context
+    @property
+    def context(self):
+        if self._context is None:
+            raise Exception("Missing property context")
 
-  @context.setter
-  def context(self, value):
-    if self._context:
-      raise Exception('Property context already set')
+        return self._context
 
-    self._context = value
+    @context.setter
+    def context(self, value):
+        if self._context:
+            raise Exception("Property context already set")
 
-  @property
-  def metadata(self):
-    if self._metadata is None:
-      raise Exception('Missing property metadata')
+        self._context = value
 
-    return self._metadata
+    @property
+    def metadata(self):
+        if self._metadata is None:
+            raise Exception("Missing property metadata")
 
-  @metadata.setter
-  def metadata(self, value):
-    if self._metadata:
-      raise Exception('Property metadata already set')
+        return self._metadata
 
-    self._metadata = value
+    @metadata.setter
+    def metadata(self, value):
+        if self._metadata:
+            raise Exception("Property metadata already set")
+
+        self._metadata = value
diff --git a/endpoints/common.py b/endpoints/common.py
index 6ce1e745d..bb265b707 100644
--- a/endpoints/common.py
+++ b/endpoints/common.py
@@ -9,7 +9,14 @@ from flask_principal import identity_changed
 import endpoints.decorated  # Register the various exceptions via decorators.
 import features
 
-from app import app, oauth_apps, oauth_login, LoginWrappedDBUser, user_analytics, IS_KUBERNETES
+from app import (
+    app,
+    oauth_apps,
+    oauth_login,
+    LoginWrappedDBUser,
+    user_analytics,
+    IS_KUBERNETES,
+)
 from auth import scopes
 from auth.permissions import QuayDeferredPermissionUser
 from config import frontend_visible_config
@@ -26,141 +33,160 @@ from _init import __version__
 logger = logging.getLogger(__name__)
 
 
-JS_BUNDLE_NAME = 'bundle'
+JS_BUNDLE_NAME = "bundle"
 
 
 def common_login(user_uuid, permanent_session=True):
-  """ Performs login of the given user, with optional non-permanence on the session.
+    """ Performs login of the given user, with optional non-permanence on the session.
       Returns a tuple with (success, headers to set on success).
   """
-  user = model.get_user(user_uuid)
-  if user is None:
+    user = model.get_user(user_uuid)
+    if user is None:
+        return (False, None)
+
+    if login_user(LoginWrappedDBUser(user_uuid)):
+        logger.debug(
+            "Successfully signed in as user %s with uuid %s", user.username, user_uuid
+        )
+        new_identity = QuayDeferredPermissionUser.for_id(user_uuid)
+        identity_changed.send(app, identity=new_identity)
+        session["login_time"] = datetime.datetime.now()
+
+        if permanent_session and features.PERMANENT_SESSIONS:
+            session_timeout_str = app.config.get("SESSION_TIMEOUT", "31d")
+            session.permanent = True
+            session.permanent_session_lifetime = convert_to_timedelta(
+                session_timeout_str
+            )
+
+        # Inform our user analytics that we have a new "lead"
+        create_lead_future = user_analytics.create_lead(
+            user.email,
+            user.username,
+            user.given_name,
+            user.family_name,
+            user.company,
+            user.location,
+        )
+
+        create_lead_future.add_done_callback(build_error_callback("Create lead failed"))
+
+        # Force a new CSRF token.
+        headers = {}
+        headers[QUAY_CSRF_UPDATED_HEADER_NAME] = generate_csrf_token(force=True)
+        return (True, headers)
+
+    logger.debug("User could not be logged in, inactive?")
     return (False, None)
 
-  if login_user(LoginWrappedDBUser(user_uuid)):
-    logger.debug('Successfully signed in as user %s with uuid %s', user.username, user_uuid)
-    new_identity = QuayDeferredPermissionUser.for_id(user_uuid)
-    identity_changed.send(app, identity=new_identity)
-    session['login_time'] = datetime.datetime.now()
-
-    if permanent_session and features.PERMANENT_SESSIONS:
-      session_timeout_str = app.config.get('SESSION_TIMEOUT', '31d')
-      session.permanent = True
-      session.permanent_session_lifetime = convert_to_timedelta(session_timeout_str)
-
-    # Inform our user analytics that we have a new "lead"
-    create_lead_future = user_analytics.create_lead(
-      user.email,
-      user.username,
-      user.given_name,
-      user.family_name,
-      user.company,
-      user.location,
-    )
-
-    create_lead_future.add_done_callback(build_error_callback('Create lead failed'))
-
-    # Force a new CSRF token.
-    headers = {}
-    headers[QUAY_CSRF_UPDATED_HEADER_NAME] = generate_csrf_token(force=True)
-    return (True, headers)
-
-  logger.debug('User could not be logged in, inactive?')
-  return (False, None)
-
 
 def _list_files(path, extension, contains=""):
-  """ Returns a list of all the files with the given extension found under the given path. """
-  def matches(f):
-    return os.path.splitext(f)[1] == '.' + extension and contains in os.path.splitext(f)[0]
+    """ Returns a list of all the files with the given extension found under the given path. """
 
-  def join_path(dp, f):
-    # Remove the static/ prefix. It is added in the template.
-    return os.path.join(dp, f)[len('static/'):]
+    def matches(f):
+        return (
+            os.path.splitext(f)[1] == "." + extension
+            and contains in os.path.splitext(f)[0]
+        )
 
-  filepath = os.path.join('static/', path)
-  return [join_path(dp, f) for dp, _, files in os.walk(filepath) for f in files if matches(f)]
+    def join_path(dp, f):
+        # Remove the static/ prefix. It is added in the template.
+        return os.path.join(dp, f)[len("static/") :]
+
+    filepath = os.path.join("static/", path)
+    return [
+        join_path(dp, f)
+        for dp, _, files in os.walk(filepath)
+        for f in files
+        if matches(f)
+    ]
 
 
-FONT_AWESOME_5 = 'use.fontawesome.com/releases/v5.0.4/css/all.css'
+FONT_AWESOME_5 = "use.fontawesome.com/releases/v5.0.4/css/all.css"
 
 
 def render_page_template(name, route_data=None, **kwargs):
-  """ Renders the page template with the given name as the response and returns its contents. """
-  main_scripts = _list_files('build', 'js', JS_BUNDLE_NAME)
+    """ Renders the page template with the given name as the response and returns its contents. """
+    main_scripts = _list_files("build", "js", JS_BUNDLE_NAME)
 
-  use_cdn = app.config.get('USE_CDN', True)
-  if request.args.get('use_cdn') is not None:
-    use_cdn = request.args.get('use_cdn') == 'true'
+    use_cdn = app.config.get("USE_CDN", True)
+    if request.args.get("use_cdn") is not None:
+        use_cdn = request.args.get("use_cdn") == "true"
 
-  external_styles = get_external_css(local=not use_cdn, exclude=FONT_AWESOME_5)
-  external_scripts = get_external_javascript(local=not use_cdn)
+    external_styles = get_external_css(local=not use_cdn, exclude=FONT_AWESOME_5)
+    external_scripts = get_external_javascript(local=not use_cdn)
 
-  # Add Stripe checkout if billing is enabled.
-  if features.BILLING:
-    external_scripts.append('//checkout.stripe.com/checkout.js')
+    # Add Stripe checkout if billing is enabled.
+    if features.BILLING:
+        external_scripts.append("//checkout.stripe.com/checkout.js")
 
-  def get_external_login_config():
-    login_config = []
-    for login_service in oauth_login.services:
-      login_config.append({
-        'id': login_service.service_id(),
-        'title': login_service.service_name(),
-        'config': login_service.get_public_config(),
-        'icon': login_service.get_icon(),
-      })
+    def get_external_login_config():
+        login_config = []
+        for login_service in oauth_login.services:
+            login_config.append(
+                {
+                    "id": login_service.service_id(),
+                    "title": login_service.service_name(),
+                    "config": login_service.get_public_config(),
+                    "icon": login_service.get_icon(),
+                }
+            )
 
-    return login_config
+        return login_config
 
-  def get_oauth_config():
-    oauth_config = {}
-    for oauth_app in oauth_apps:
-      oauth_config[oauth_app.key_name] = oauth_app.get_public_config()
+    def get_oauth_config():
+        oauth_config = {}
+        for oauth_app in oauth_apps:
+            oauth_config[oauth_app.key_name] = oauth_app.get_public_config()
 
-    return oauth_config
+        return oauth_config
 
-  has_contact = len(app.config.get('CONTACT_INFO', [])) > 0
-  contact_href = None
-  if len(app.config.get('CONTACT_INFO', [])) == 1:
-    contact_href = app.config['CONTACT_INFO'][0]
+    has_contact = len(app.config.get("CONTACT_INFO", [])) > 0
+    contact_href = None
+    if len(app.config.get("CONTACT_INFO", [])) == 1:
+        contact_href = app.config["CONTACT_INFO"][0]
 
-  version_number = ''
-  if not features.BILLING:
-    version_number = 'Quay %s' % __version__
+    version_number = ""
+    if not features.BILLING:
+        version_number = "Quay %s" % __version__
 
-  scopes_set = {scope.scope: scope._asdict() for scope in scopes.app_scopes(app.config).values()}
+    scopes_set = {
+        scope.scope: scope._asdict() for scope in scopes.app_scopes(app.config).values()
+    }
 
-  contents = render_template(name,
-                             registry_state=app.config.get('REGISTRY_STATE', 'normal'),
-                             route_data=route_data,
-                             external_styles=external_styles,
-                             external_scripts=external_scripts,
-                             main_scripts=main_scripts,
-                             feature_set=features.get_features(),
-                             config_set=frontend_visible_config(app.config),
-                             oauth_set=get_oauth_config(),
-                             external_login_set=get_external_login_config(),
-                             scope_set=scopes_set,
-                             vuln_priority_set=PRIORITY_LEVELS,
-                             mixpanel_key=app.config.get('MIXPANEL_KEY', ''),
-                             munchkin_key=app.config.get('MARKETO_MUNCHKIN_ID', ''),
-                             recaptcha_key=app.config.get('RECAPTCHA_SITE_KEY', ''),
-                             google_tagmanager_key=app.config.get('GOOGLE_TAGMANAGER_KEY', ''),
-                             google_anaytics_key=app.config.get('GOOGLE_ANALYTICS_KEY', ''),
-                             sentry_public_dsn=app.config.get('SENTRY_PUBLIC_DSN', ''),
-                             is_debug=str(app.config.get('DEBUGGING', False)).lower(),
-                             aci_conversion=features.ACI_CONVERSION,
-                             has_billing=features.BILLING,
-                             onprem=not app.config.get('FEATURE_BILLING', False),
-                             contact_href=contact_href,
-                             has_contact=has_contact,
-                             hostname=app.config['SERVER_HOSTNAME'],
-                             preferred_scheme=app.config['PREFERRED_URL_SCHEME'],
-                             version_number=version_number,
-                             current_year=datetime.datetime.now().year,
-                             kubernetes_namespace=IS_KUBERNETES and QE_NAMESPACE,
-                             **kwargs)
+    contents = render_template(
+        name,
+        registry_state=app.config.get("REGISTRY_STATE", "normal"),
+        route_data=route_data,
+        external_styles=external_styles,
+        external_scripts=external_scripts,
+        main_scripts=main_scripts,
+        feature_set=features.get_features(),
+        config_set=frontend_visible_config(app.config),
+        oauth_set=get_oauth_config(),
+        external_login_set=get_external_login_config(),
+        scope_set=scopes_set,
+        vuln_priority_set=PRIORITY_LEVELS,
+        mixpanel_key=app.config.get("MIXPANEL_KEY", ""),
+        munchkin_key=app.config.get("MARKETO_MUNCHKIN_ID", ""),
+        recaptcha_key=app.config.get("RECAPTCHA_SITE_KEY", ""),
+        google_tagmanager_key=app.config.get("GOOGLE_TAGMANAGER_KEY", ""),
+        google_anaytics_key=app.config.get("GOOGLE_ANALYTICS_KEY", ""),
+        sentry_public_dsn=app.config.get("SENTRY_PUBLIC_DSN", ""),
+        is_debug=str(app.config.get("DEBUGGING", False)).lower(),
+        aci_conversion=features.ACI_CONVERSION,
+        has_billing=features.BILLING,
+        onprem=not app.config.get("FEATURE_BILLING", False),
+        contact_href=contact_href,
+        has_contact=has_contact,
+        hostname=app.config["SERVER_HOSTNAME"],
+        preferred_scheme=app.config["PREFERRED_URL_SCHEME"],
+        version_number=version_number,
+        current_year=datetime.datetime.now().year,
+        kubernetes_namespace=IS_KUBERNETES and QE_NAMESPACE,
+        **kwargs
+    )
 
-  resp = make_response(contents)
-  resp.headers['X-FRAME-OPTIONS'] = 'DENY'
-  return resp
+    resp = make_response(contents)
+    resp.headers["X-FRAME-OPTIONS"] = "DENY"
+    return resp
diff --git a/endpoints/common_models_interface.py b/endpoints/common_models_interface.py
index 95ccf5685..749237672 100644
--- a/endpoints/common_models_interface.py
+++ b/endpoints/common_models_interface.py
@@ -4,30 +4,37 @@ from collections import namedtuple
 from six import add_metaclass
 
 
-USER_FIELDS = ['uuid', 'username', 'email', 'given_name',
-               'family_name', 'company', 'location']
+USER_FIELDS = [
+    "uuid",
+    "username",
+    "email",
+    "given_name",
+    "family_name",
+    "company",
+    "location",
+]
 
 
-class User(namedtuple('User', USER_FIELDS)):
-  """
+class User(namedtuple("User", USER_FIELDS)):
+    """
   User represents a user.
   """
 
 
 @add_metaclass(ABCMeta)
 class EndpointsCommonDataInterface(object):
-  """
+    """
   Interface that represents all data store interactions required by the common endpoints lib.
   """
 
-  @abstractmethod
-  def get_user(self, user_uuid):
-    """
+    @abstractmethod
+    def get_user(self, user_uuid):
+        """
     Returns the User matching the given uuid, if any or None if none.
     """
 
-  @abstractmethod
-  def get_namespace_uuid(self, namespace_name):
-    """
+    @abstractmethod
+    def get_namespace_uuid(self, namespace_name):
+        """
     Returns the uuid of the Namespace with the given name, if any.
     """
diff --git a/endpoints/common_models_pre_oci.py b/endpoints/common_models_pre_oci.py
index 1f5e01052..4cee5f475 100644
--- a/endpoints/common_models_pre_oci.py
+++ b/endpoints/common_models_pre_oci.py
@@ -3,20 +3,27 @@ from endpoints.common_models_interface import User, EndpointsCommonDataInterface
 
 
 class EndpointsCommonDataPreOCIModel(EndpointsCommonDataInterface):
-  def get_user(self, user_uuid):
-    user = model.user.get_user_by_uuid(user_uuid)
-    if user is None:
-      return None
+    def get_user(self, user_uuid):
+        user = model.user.get_user_by_uuid(user_uuid)
+        if user is None:
+            return None
 
-    return User(uuid=user.uuid, username=user.username, email=user.email,
-                given_name=user.given_name, family_name=user.family_name,
-                company=user.company, location=user.location)
+        return User(
+            uuid=user.uuid,
+            username=user.username,
+            email=user.email,
+            given_name=user.given_name,
+            family_name=user.family_name,
+            company=user.company,
+            location=user.location,
+        )
 
-  def get_namespace_uuid(self, namespace_name):
-    user = model.user.get_namespace_user(namespace_name)
-    if user is None:
-      return None
+    def get_namespace_uuid(self, namespace_name):
+        user = model.user.get_namespace_user(namespace_name)
+        if user is None:
+            return None
+
+        return user.uuid
 
-    return user.uuid
 
 pre_oci_model = EndpointsCommonDataPreOCIModel()
diff --git a/endpoints/csrf.py b/endpoints/csrf.py
index 11c225924..751e61134 100644
--- a/endpoints/csrf.py
+++ b/endpoints/csrf.py
@@ -15,57 +15,65 @@ from util.http import abort
 
 logger = logging.getLogger(__name__)
 
-OAUTH_CSRF_TOKEN_NAME = '_oauth_csrf_token'
-_QUAY_CSRF_TOKEN_NAME = '_csrf_token'
-_QUAY_CSRF_HEADER_NAME = 'X-CSRF-Token'
+OAUTH_CSRF_TOKEN_NAME = "_oauth_csrf_token"
+_QUAY_CSRF_TOKEN_NAME = "_csrf_token"
+_QUAY_CSRF_HEADER_NAME = "X-CSRF-Token"
 
-QUAY_CSRF_UPDATED_HEADER_NAME = 'X-Next-CSRF-Token'
+QUAY_CSRF_UPDATED_HEADER_NAME = "X-Next-CSRF-Token"
 
 
 def generate_csrf_token(session_token_name=_QUAY_CSRF_TOKEN_NAME, force=False):
-  """ If not present in the session, generates a new CSRF token with the given name
+    """ If not present in the session, generates a new CSRF token with the given name
       and places it into the session. Returns the generated token.
   """
-  if session_token_name not in session or force:
-    session[session_token_name] = base64.b64encode(os.urandom(48))
+    if session_token_name not in session or force:
+        session[session_token_name] = base64.b64encode(os.urandom(48))
 
-  return session[session_token_name]
+    return session[session_token_name]
 
 
-def verify_csrf(session_token_name=_QUAY_CSRF_TOKEN_NAME,
-                request_token_name=_QUAY_CSRF_TOKEN_NAME,
-                check_header=True):
-  """ Verifies that the CSRF token with the given name is found in the session and
+def verify_csrf(
+    session_token_name=_QUAY_CSRF_TOKEN_NAME,
+    request_token_name=_QUAY_CSRF_TOKEN_NAME,
+    check_header=True,
+):
+    """ Verifies that the CSRF token with the given name is found in the session and
       that the matching token is found in the request args or values.
   """
-  token = str(session.get(session_token_name, ''))
-  found_token = str(request.values.get(request_token_name, ''))
-  if check_header and not found_token:
-    found_token = str(request.headers.get(_QUAY_CSRF_HEADER_NAME, ''))
+    token = str(session.get(session_token_name, ""))
+    found_token = str(request.values.get(request_token_name, ""))
+    if check_header and not found_token:
+        found_token = str(request.headers.get(_QUAY_CSRF_HEADER_NAME, ""))
 
-  if not token or not found_token or not hmac.compare_digest(token, found_token):
-    msg = 'CSRF Failure. Session token (%s) was %s and request token (%s) was %s'
-    logger.error(msg, session_token_name, token, request_token_name, found_token)
-    abort(403, message='CSRF token was invalid or missing.')
+    if not token or not found_token or not hmac.compare_digest(token, found_token):
+        msg = "CSRF Failure. Session token (%s) was %s and request token (%s) was %s"
+        logger.error(msg, session_token_name, token, request_token_name, found_token)
+        abort(403, message="CSRF token was invalid or missing.")
 
 
-def csrf_protect(session_token_name=_QUAY_CSRF_TOKEN_NAME,
-                 request_token_name=_QUAY_CSRF_TOKEN_NAME,
-                 all_methods=False,
-                 check_header=True):
-  def inner(func):
-    @wraps(func)
-    def wrapper(*args, **kwargs):
-      # Verify the CSRF token.
-      if get_validated_oauth_token() is None:
-        if all_methods or (request.method != "GET" and request.method != "HEAD"):
-          verify_csrf(session_token_name, request_token_name, check_header)
+def csrf_protect(
+    session_token_name=_QUAY_CSRF_TOKEN_NAME,
+    request_token_name=_QUAY_CSRF_TOKEN_NAME,
+    all_methods=False,
+    check_header=True,
+):
+    def inner(func):
+        @wraps(func)
+        def wrapper(*args, **kwargs):
+            # Verify the CSRF token.
+            if get_validated_oauth_token() is None:
+                if all_methods or (
+                    request.method != "GET" and request.method != "HEAD"
+                ):
+                    verify_csrf(session_token_name, request_token_name, check_header)
 
-      # Invoke the handler.
-      resp = func(*args, **kwargs)
-      return resp
-    return wrapper
-  return inner
+            # Invoke the handler.
+            resp = func(*args, **kwargs)
+            return resp
+
+        return wrapper
+
+    return inner
 
 
-app.jinja_env.globals['csrf_token'] = generate_csrf_token
+app.jinja_env.globals["csrf_token"] = generate_csrf_token
diff --git a/endpoints/decorated.py b/endpoints/decorated.py
index 88216216b..166c313f5 100644
--- a/endpoints/decorated.py
+++ b/endpoints/decorated.py
@@ -15,40 +15,52 @@ logger = logging.getLogger(__name__)
 
 @app.errorhandler(model.DataModelException)
 def handle_dme(ex):
-  logger.exception(ex)
-  response = jsonify({'message': str(ex)})
-  response.status_code = 400
-  return response
+    logger.exception(ex)
+    response = jsonify({"message": str(ex)})
+    response.status_code = 400
+    return response
+
 
 @app.errorhandler(CannotSendEmailException)
 def handle_emailexception(ex):
-  message = 'Could not send email. Please contact an administrator and report this problem.'
-  response = jsonify({'message': message})
-  response.status_code = 400
-  return response
+    message = (
+        "Could not send email. Please contact an administrator and report this problem."
+    )
+    response = jsonify({"message": message})
+    response.status_code = 400
+    return response
+
 
 @app.errorhandler(CannotWriteConfigException)
 def handle_configexception(ex):
-  message = ('Configuration could not be written to the mounted volume. \n' +
-             'Please make sure the mounted volume is not read-only and restart ' +
-             'the setup process. \n\nIssue: %s' % ex)
-  response = jsonify({'message': message})
-  response.status_code = 400
-  return response
+    message = (
+        "Configuration could not be written to the mounted volume. \n"
+        + "Please make sure the mounted volume is not read-only and restart "
+        + "the setup process. \n\nIssue: %s" % ex
+    )
+    response = jsonify({"message": message})
+    response.status_code = 400
+    return response
+
 
 @app.errorhandler(model.TooManyLoginAttemptsException)
-@crossdomain(origin='*', headers=['Authorization', 'Content-Type'])
+@crossdomain(origin="*", headers=["Authorization", "Content-Type"])
 def handle_too_many_login_attempts(error):
-  msg = 'Too many login attempts. \nPlease reset your Quay password and try again.'
-  response = make_response(msg, 429)
-  response.headers['Retry-After'] = int(error.retry_after)
-  return response
+    msg = "Too many login attempts. \nPlease reset your Quay password and try again."
+    response = make_response(msg, 429)
+    response.headers["Retry-After"] = int(error.retry_after)
+    return response
+
 
 @app.errorhandler(ReadOnlyModeException)
 def handle_readonly(ex):
-  logger.exception(ex)
-  response = jsonify({'message': 'System is currently read-only. Pulls will succeed but all ' +
-                                 'write operations are currently suspended.',
-                      'is_readonly': True})
-  response.status_code = 503
-  return response
+    logger.exception(ex)
+    response = jsonify(
+        {
+            "message": "System is currently read-only. Pulls will succeed but all "
+            + "write operations are currently suspended.",
+            "is_readonly": True,
+        }
+    )
+    response.status_code = 503
+    return response
diff --git a/endpoints/decorators.py b/endpoints/decorators.py
index ecafb1cdb..96476d913 100644
--- a/endpoints/decorators.py
+++ b/endpoints/decorators.py
@@ -22,227 +22,266 @@ from util.request import get_request_ip
 logger = logging.getLogger(__name__)
 
 
-def parse_repository_name(include_tag=False,
-                          ns_kwarg_name='namespace_name',
-                          repo_kwarg_name='repo_name',
-                          tag_kwarg_name='tag_name',
-                          incoming_repo_kwarg='repository'):
-  """ Decorator which parses the repository name found in the incoming_repo_kwarg argument,
+def parse_repository_name(
+    include_tag=False,
+    ns_kwarg_name="namespace_name",
+    repo_kwarg_name="repo_name",
+    tag_kwarg_name="tag_name",
+    incoming_repo_kwarg="repository",
+):
+    """ Decorator which parses the repository name found in the incoming_repo_kwarg argument,
       and applies its pieces to the decorated function.
   """
-  def inner(func):
-    @wraps(func)
-    def wrapper(*args, **kwargs):
-      try:
-        repo_name_components = parse_namespace_repository(kwargs[incoming_repo_kwarg],
-                                                          app.config['LIBRARY_NAMESPACE'],
-                                                          include_tag=include_tag,
-                                                          allow_library=features.LIBRARY_SUPPORT)
-      except ImplicitLibraryNamespaceNotAllowed:
-        abort(400, message='A namespace must be specified explicitly')
 
-      del kwargs[incoming_repo_kwarg]
-      kwargs[ns_kwarg_name] = repo_name_components[0]
-      kwargs[repo_kwarg_name] = repo_name_components[1]
-      if include_tag:
-        kwargs[tag_kwarg_name] = repo_name_components[2]
-      return func(*args, **kwargs)
-    return wrapper
-  return inner
+    def inner(func):
+        @wraps(func)
+        def wrapper(*args, **kwargs):
+            try:
+                repo_name_components = parse_namespace_repository(
+                    kwargs[incoming_repo_kwarg],
+                    app.config["LIBRARY_NAMESPACE"],
+                    include_tag=include_tag,
+                    allow_library=features.LIBRARY_SUPPORT,
+                )
+            except ImplicitLibraryNamespaceNotAllowed:
+                abort(400, message="A namespace must be specified explicitly")
+
+            del kwargs[incoming_repo_kwarg]
+            kwargs[ns_kwarg_name] = repo_name_components[0]
+            kwargs[repo_kwarg_name] = repo_name_components[1]
+            if include_tag:
+                kwargs[tag_kwarg_name] = repo_name_components[2]
+            return func(*args, **kwargs)
+
+        return wrapper
+
+    return inner
 
 
 def param_required(param_name, allow_body=False):
-  """ Marks a route as requiring a parameter with the given name to exist in the request's arguments
+    """ Marks a route as requiring a parameter with the given name to exist in the request's arguments
       or (if allow_body=True) in its body values. If the parameter is not present, the request will
       fail with a 400.
   """
-  def wrapper(wrapped):
-    @wraps(wrapped)
-    def decorated(*args, **kwargs):
-      if param_name not in request.args:
-        if not allow_body or param_name not in request.values:
-          abort(400, message='Required param: %s' % param_name)
-      return wrapped(*args, **kwargs)
-    return decorated
-  return wrapper
+
+    def wrapper(wrapped):
+        @wraps(wrapped)
+        def decorated(*args, **kwargs):
+            if param_name not in request.args:
+                if not allow_body or param_name not in request.values:
+                    abort(400, message="Required param: %s" % param_name)
+            return wrapped(*args, **kwargs)
+
+        return decorated
+
+    return wrapper
 
 
 def readonly_call_allowed(func):
-  """ Marks a method as allowing for invocation when the registry is in a read only state.
+    """ Marks a method as allowing for invocation when the registry is in a read only state.
       Only necessary on non-GET methods.
   """
-  func.__readonly_call_allowed = True
-  return func
+    func.__readonly_call_allowed = True
+    return func
 
 
 def anon_allowed(func):
-  """ Marks a method to allow anonymous access where it would otherwise be disallowed. """
-  func.__anon_allowed = True
-  return func
+    """ Marks a method to allow anonymous access where it would otherwise be disallowed. """
+    func.__anon_allowed = True
+    return func
 
 
 def anon_protect(func):
-  """ Marks a method as requiring some form of valid user auth before it can be executed. """
-  func.__anon_protected = True
-  return check_anon_protection(func)
+    """ Marks a method as requiring some form of valid user auth before it can be executed. """
+    func.__anon_protected = True
+    return check_anon_protection(func)
 
 
 def check_anon_protection(func):
-  """ Validates a method as requiring some form of valid user auth before it can be executed. """
+    """ Validates a method as requiring some form of valid user auth before it can be executed. """
 
-  @wraps(func)
-  def wrapper(*args, **kwargs):
-    # Skip if anonymous access is allowed.
-    if features.ANONYMOUS_ACCESS or '__anon_allowed' in dir(func):
-      return func(*args, **kwargs)
+    @wraps(func)
+    def wrapper(*args, **kwargs):
+        # Skip if anonymous access is allowed.
+        if features.ANONYMOUS_ACCESS or "__anon_allowed" in dir(func):
+            return func(*args, **kwargs)
 
-    # Check for validated context. If none exists, fail with a 401.
-    if get_authenticated_context() and not get_authenticated_context().is_anonymous:
-      return func(*args, **kwargs)
+        # Check for validated context. If none exists, fail with a 401.
+        if get_authenticated_context() and not get_authenticated_context().is_anonymous:
+            return func(*args, **kwargs)
 
-    abort(401, message='Anonymous access is not allowed')
+        abort(401, message="Anonymous access is not allowed")
 
-  return wrapper
+    return wrapper
 
 
 def check_readonly(func):
-  """ Validates that a non-GET method is not invoked when the registry is in read-only mode,
+    """ Validates that a non-GET method is not invoked when the registry is in read-only mode,
       unless explicitly marked as being allowed.
   """
 
-  @wraps(func)
-  def wrapper(*args, **kwargs):
-    # Skip if a GET method.
-    if request.method == 'GET':
-      return func(*args, **kwargs)
+    @wraps(func)
+    def wrapper(*args, **kwargs):
+        # Skip if a GET method.
+        if request.method == "GET":
+            return func(*args, **kwargs)
 
-    # Skip if not in read only mode.
-    if app.config.get('REGISTRY_STATE', 'normal') != 'readonly':
-      return func(*args, **kwargs)
+        # Skip if not in read only mode.
+        if app.config.get("REGISTRY_STATE", "normal") != "readonly":
+            return func(*args, **kwargs)
 
-    # Skip if readonly access is allowed.
-    if hasattr(func, '__readonly_call_allowed'):
-      return func(*args, **kwargs)
+        # Skip if readonly access is allowed.
+        if hasattr(func, "__readonly_call_allowed"):
+            return func(*args, **kwargs)
 
-    raise ReadOnlyModeException()
-  return wrapper
+        raise ReadOnlyModeException()
+
+    return wrapper
 
 
 def route_show_if(value):
-  """ Adds/shows the decorated route if the given value is True. """
+    """ Adds/shows the decorated route if the given value is True. """
 
-  def decorator(f):
-    @wraps(f)
-    def decorated_function(*args, **kwargs):
-      if not value:
-        abort(404)
+    def decorator(f):
+        @wraps(f)
+        def decorated_function(*args, **kwargs):
+            if not value:
+                abort(404)
 
-      return f(*args, **kwargs)
-    return decorated_function
-  return decorator
+            return f(*args, **kwargs)
+
+        return decorated_function
+
+    return decorator
 
 
 def require_xhr_from_browser(func):
-  """ Requires that API GET calls made from browsers are made via XHR, in order to prevent
+    """ Requires that API GET calls made from browsers are made via XHR, in order to prevent
       reflected text attacks.
   """
 
-  @wraps(func)
-  def wrapper(*args, **kwargs):
-    if app.config.get('BROWSER_API_CALLS_XHR_ONLY', False):
-      if request.method == 'GET' and request.user_agent.browser:
-        has_xhr_header = request.headers.get('X-Requested-With') == 'XMLHttpRequest'
-        if not has_xhr_header and not app.config.get('DEBUGGING') == True:
-          logger.warning('Disallowed possible RTA to URL %s with user agent %s',
-                         request.path, request.user_agent)
-          abort(400, message='API calls must be invoked with an X-Requested-With header ' +
-                'if called from a browser')
+    @wraps(func)
+    def wrapper(*args, **kwargs):
+        if app.config.get("BROWSER_API_CALLS_XHR_ONLY", False):
+            if request.method == "GET" and request.user_agent.browser:
+                has_xhr_header = (
+                    request.headers.get("X-Requested-With") == "XMLHttpRequest"
+                )
+                if not has_xhr_header and not app.config.get("DEBUGGING") == True:
+                    logger.warning(
+                        "Disallowed possible RTA to URL %s with user agent %s",
+                        request.path,
+                        request.user_agent,
+                    )
+                    abort(
+                        400,
+                        message="API calls must be invoked with an X-Requested-With header "
+                        + "if called from a browser",
+                    )
 
-    return func(*args, **kwargs)
-  return wrapper
+        return func(*args, **kwargs)
+
+    return wrapper
 
 
 def check_region_blacklisted(error_class=None, namespace_name_kwarg=None):
-  """ Decorator which checks if the incoming request is from a region geo IP blocked
+    """ Decorator which checks if the incoming request is from a region geo IP blocked
       for the current namespace. The first argument to the wrapped function must be
       the namespace name.
   """
-  def wrapper(wrapped):
-    @wraps(wrapped)
-    def decorated(*args, **kwargs):
-      if namespace_name_kwarg:
-        namespace_name = kwargs[namespace_name_kwarg]
-      else:
-        namespace_name = args[0]
 
-      region_blacklist = registry_model.get_cached_namespace_region_blacklist(model_cache,
-                                                                              namespace_name)
-      if region_blacklist:
-        # Resolve the IP information and block if on the namespace's blacklist.
-        remote_ip = get_request_ip()
-        resolved_ip_info = ip_resolver.resolve_ip(remote_ip)
-        logger.debug('Resolved IP information for IP %s: %s', remote_ip, resolved_ip_info)
+    def wrapper(wrapped):
+        @wraps(wrapped)
+        def decorated(*args, **kwargs):
+            if namespace_name_kwarg:
+                namespace_name = kwargs[namespace_name_kwarg]
+            else:
+                namespace_name = args[0]
 
-        if (resolved_ip_info and
-            resolved_ip_info.country_iso_code and
-            resolved_ip_info.country_iso_code in region_blacklist):
-          if error_class:
-            raise error_class()
+            region_blacklist = registry_model.get_cached_namespace_region_blacklist(
+                model_cache, namespace_name
+            )
+            if region_blacklist:
+                # Resolve the IP information and block if on the namespace's blacklist.
+                remote_ip = get_request_ip()
+                resolved_ip_info = ip_resolver.resolve_ip(remote_ip)
+                logger.debug(
+                    "Resolved IP information for IP %s: %s", remote_ip, resolved_ip_info
+                )
 
-          abort(403, 'Pulls of this data have been restricted geographically')
+                if (
+                    resolved_ip_info
+                    and resolved_ip_info.country_iso_code
+                    and resolved_ip_info.country_iso_code in region_blacklist
+                ):
+                    if error_class:
+                        raise error_class()
 
-      return wrapped(*args, **kwargs)
-    return decorated
-  return wrapper
+                    abort(403, "Pulls of this data have been restricted geographically")
+
+            return wrapped(*args, **kwargs)
+
+        return decorated
+
+    return wrapper
 
 
 def check_repository_state(f):
-  @wraps(f)
-  def wrapper(namespace_name, repo_name, *args, **kwargs):
-    """
+    @wraps(f)
+    def wrapper(namespace_name, repo_name, *args, **kwargs):
+        """
     Conditionally allow changes depending on the Repository's state.
     NORMAL    -> Pass
     READ_ONLY -> Block all POST/PUT/DELETE
     MIRROR    -> Same as READ_ONLY, except treat the Mirroring Robot User as Normal
     """
-    user = get_authenticated_user()
-    if user is None:
-      # NOTE: Remaining auth checks will be handled by subsequent decorators.
-      return f(namespace_name, repo_name, *args, **kwargs)
+        user = get_authenticated_user()
+        if user is None:
+            # NOTE: Remaining auth checks will be handled by subsequent decorators.
+            return f(namespace_name, repo_name, *args, **kwargs)
 
-    repository = get_repository(namespace_name, repo_name)
-    if not repository:
-      return f(namespace_name, repo_name, *args, **kwargs)
+        repository = get_repository(namespace_name, repo_name)
+        if not repository:
+            return f(namespace_name, repo_name, *args, **kwargs)
 
-    if repository.state == RepositoryState.READ_ONLY:
-      abort(405, '%s/%s is in read-only mode.' % (namespace_name, repo_name))
+        if repository.state == RepositoryState.READ_ONLY:
+            abort(405, "%s/%s is in read-only mode." % (namespace_name, repo_name))
 
-    if repository.state == RepositoryState.MIRROR:
-      mirror = get_mirror(repository)
-      robot = mirror.internal_robot if mirror is not None else None
+        if repository.state == RepositoryState.MIRROR:
+            mirror = get_mirror(repository)
+            robot = mirror.internal_robot if mirror is not None else None
 
-      if mirror is None:
-        abort(500, 'Repository %s/%s is set as a mirror but the Mirror configuration is missing.' % (
-          namespace_name, repo_name))
+            if mirror is None:
+                abort(
+                    500,
+                    "Repository %s/%s is set as a mirror but the Mirror configuration is missing."
+                    % (namespace_name, repo_name),
+                )
 
-      elif robot is None:
-        abort(400, 'Repository %s/%s is configured for mirroring but no robot is assigned.' % (
-          namespace_name, repo_name))
+            elif robot is None:
+                abort(
+                    400,
+                    "Repository %s/%s is configured for mirroring but no robot is assigned."
+                    % (namespace_name, repo_name),
+                )
 
-      elif user.id != robot.id:
-        abort(405,
-          'Repository %s/%s is a mirror. Mirrored repositories cannot be modified directly.' % (
-            namespace_name, repo_name))
+            elif user.id != robot.id:
+                abort(
+                    405,
+                    "Repository %s/%s is a mirror. Mirrored repositories cannot be modified directly."
+                    % (namespace_name, repo_name),
+                )
 
-      elif user.id == robot.id:
-        pass  # User is designated robot for this mirror repo.
+            elif user.id == robot.id:
+                pass  # User is designated robot for this mirror repo.
 
-      else:
-        msg = (
-          'An internal error has occurred while verifying repository %s/%s state. Please report '
-          'this to an administrator.'
-        ) % (namespace_name, repo_name)
-        raise Exception(msg)
+            else:
+                msg = (
+                    "An internal error has occurred while verifying repository %s/%s state. Please report "
+                    "this to an administrator."
+                ) % (namespace_name, repo_name)
+                raise Exception(msg)
 
-    return f(namespace_name, repo_name, *args, **kwargs)
-  return wrapper
+        return f(namespace_name, repo_name, *args, **kwargs)
+
+    return wrapper
diff --git a/endpoints/exception.py b/endpoints/exception.py
index abc32cc54..9dc21f0ec 100644
--- a/endpoints/exception.py
+++ b/endpoints/exception.py
@@ -7,34 +7,34 @@ from auth.auth_context import get_authenticated_user
 
 
 class ApiErrorType(Enum):
-  external_service_timeout = 'external_service_timeout'
-  invalid_request = 'invalid_request'
-  invalid_response = 'invalid_response'
-  invalid_token = 'invalid_token'
-  expired_token = 'expired_token'
-  insufficient_scope = 'insufficient_scope'
-  fresh_login_required = 'fresh_login_required'
-  exceeds_license = 'exceeds_license'
-  not_found = 'not_found'
-  downstream_issue = 'downstream_issue'
+    external_service_timeout = "external_service_timeout"
+    invalid_request = "invalid_request"
+    invalid_response = "invalid_response"
+    invalid_token = "invalid_token"
+    expired_token = "expired_token"
+    insufficient_scope = "insufficient_scope"
+    fresh_login_required = "fresh_login_required"
+    exceeds_license = "exceeds_license"
+    not_found = "not_found"
+    downstream_issue = "downstream_issue"
 
 
 ERROR_DESCRIPTION = {
-  ApiErrorType.external_service_timeout.value: "An external service timed out. Retrying the request may resolve the issue.",
-  ApiErrorType.invalid_request.value: "The request was invalid. It may have contained invalid values or was improperly formatted.",
-  ApiErrorType.invalid_response.value: "The response was invalid.",
-  ApiErrorType.invalid_token.value: "The access token provided was invalid.",
-  ApiErrorType.expired_token.value: "The access token provided has expired.",
-  ApiErrorType.insufficient_scope.value: "The access token did not have sufficient scope to access the requested resource.",
-  ApiErrorType.fresh_login_required.value: "The action requires a fresh login to succeed.",
-  ApiErrorType.exceeds_license.value: "The action was refused because the current license does not allow it.",
-  ApiErrorType.not_found.value: "The resource was not found.",
-  ApiErrorType.downstream_issue.value: "An error occurred in a downstream service.",
+    ApiErrorType.external_service_timeout.value: "An external service timed out. Retrying the request may resolve the issue.",
+    ApiErrorType.invalid_request.value: "The request was invalid. It may have contained invalid values or was improperly formatted.",
+    ApiErrorType.invalid_response.value: "The response was invalid.",
+    ApiErrorType.invalid_token.value: "The access token provided was invalid.",
+    ApiErrorType.expired_token.value: "The access token provided has expired.",
+    ApiErrorType.insufficient_scope.value: "The access token did not have sufficient scope to access the requested resource.",
+    ApiErrorType.fresh_login_required.value: "The action requires a fresh login to succeed.",
+    ApiErrorType.exceeds_license.value: "The action was refused because the current license does not allow it.",
+    ApiErrorType.not_found.value: "The resource was not found.",
+    ApiErrorType.downstream_issue.value: "An error occurred in a downstream service.",
 }
 
 
 class ApiException(HTTPException):
-  """
+    """
   Represents an error in the application/problem+json format.
 
   See: https://tools.ietf.org/html/rfc7807
@@ -56,78 +56,110 @@ class ApiException(HTTPException):
       information if dereferenced.
   """
 
-  def __init__(self, error_type, status_code, error_description, payload=None):
-    Exception.__init__(self)
-    self.error_description = error_description
-    self.code = status_code
-    self.payload = payload
-    self.error_type = error_type
-    self.data = self.to_dict()
+    def __init__(self, error_type, status_code, error_description, payload=None):
+        Exception.__init__(self)
+        self.error_description = error_description
+        self.code = status_code
+        self.payload = payload
+        self.error_type = error_type
+        self.data = self.to_dict()
 
-    super(ApiException, self).__init__(error_description, None)
+        super(ApiException, self).__init__(error_description, None)
 
-  def to_dict(self):
-    rv = dict(self.payload or ())
+    def to_dict(self):
+        rv = dict(self.payload or ())
 
-    if self.error_description is not None:
-      rv['detail'] = self.error_description
-      rv['error_message'] = self.error_description  # TODO: deprecate
+        if self.error_description is not None:
+            rv["detail"] = self.error_description
+            rv["error_message"] = self.error_description  # TODO: deprecate
 
-    rv['error_type'] = self.error_type.value  # TODO: deprecate
-    rv['title'] = self.error_type.value
-    rv['type'] = url_for('api.error', error_type=self.error_type.value, _external=True)
-    rv['status'] = self.code
+        rv["error_type"] = self.error_type.value  # TODO: deprecate
+        rv["title"] = self.error_type.value
+        rv["type"] = url_for(
+            "api.error", error_type=self.error_type.value, _external=True
+        )
+        rv["status"] = self.code
 
-    return rv
+        return rv
 
 
 class ExternalServiceError(ApiException):
-  def __init__(self, error_description, payload=None):
-    ApiException.__init__(self, ApiErrorType.external_service_timeout, 520, error_description, payload)
+    def __init__(self, error_description, payload=None):
+        ApiException.__init__(
+            self, ApiErrorType.external_service_timeout, 520, error_description, payload
+        )
 
 
 class InvalidRequest(ApiException):
-  def __init__(self, error_description, payload=None):
-    ApiException.__init__(self, ApiErrorType.invalid_request, 400, error_description, payload)
+    def __init__(self, error_description, payload=None):
+        ApiException.__init__(
+            self, ApiErrorType.invalid_request, 400, error_description, payload
+        )
 
 
 class InvalidResponse(ApiException):
-  def __init__(self, error_description, payload=None):
-    ApiException.__init__(self, ApiErrorType.invalid_response, 400, error_description, payload)
+    def __init__(self, error_description, payload=None):
+        ApiException.__init__(
+            self, ApiErrorType.invalid_response, 400, error_description, payload
+        )
 
 
 class InvalidToken(ApiException):
-  def __init__(self, error_description, payload=None):
-    ApiException.__init__(self, ApiErrorType.invalid_token, 401, error_description, payload)
+    def __init__(self, error_description, payload=None):
+        ApiException.__init__(
+            self, ApiErrorType.invalid_token, 401, error_description, payload
+        )
+
 
 class ExpiredToken(ApiException):
-  def __init__(self, error_description, payload=None):
-    ApiException.__init__(self, ApiErrorType.expired_token, 401, error_description, payload)
+    def __init__(self, error_description, payload=None):
+        ApiException.__init__(
+            self, ApiErrorType.expired_token, 401, error_description, payload
+        )
+
 
 class Unauthorized(ApiException):
-  def __init__(self, payload=None):
-    user = get_authenticated_user()
-    if user is None or user.organization:
-      ApiException.__init__(self, ApiErrorType.invalid_token, 401, "Requires authentication", payload)
-    else:
-      ApiException.__init__(self, ApiErrorType.insufficient_scope, 403, 'Unauthorized', payload)
+    def __init__(self, payload=None):
+        user = get_authenticated_user()
+        if user is None or user.organization:
+            ApiException.__init__(
+                self,
+                ApiErrorType.invalid_token,
+                401,
+                "Requires authentication",
+                payload,
+            )
+        else:
+            ApiException.__init__(
+                self, ApiErrorType.insufficient_scope, 403, "Unauthorized", payload
+            )
 
 
 class FreshLoginRequired(ApiException):
-  def __init__(self, payload=None):
-    ApiException.__init__(self, ApiErrorType.fresh_login_required, 401, "Requires fresh login", payload)
+    def __init__(self, payload=None):
+        ApiException.__init__(
+            self,
+            ApiErrorType.fresh_login_required,
+            401,
+            "Requires fresh login",
+            payload,
+        )
 
 
 class ExceedsLicenseException(ApiException):
-  def __init__(self, payload=None):
-    ApiException.__init__(self, ApiErrorType.exceeds_license, 402, 'Payment Required', payload)
+    def __init__(self, payload=None):
+        ApiException.__init__(
+            self, ApiErrorType.exceeds_license, 402, "Payment Required", payload
+        )
 
 
 class NotFound(ApiException):
-  def __init__(self, payload=None):
-    ApiException.__init__(self, ApiErrorType.not_found, 404, 'Not Found', payload)
+    def __init__(self, payload=None):
+        ApiException.__init__(self, ApiErrorType.not_found, 404, "Not Found", payload)
 
 
 class DownstreamIssue(ApiException):
-  def __init__(self, error_description, payload=None):
-    ApiException.__init__(self, ApiErrorType.downstream_issue, 520, error_description, payload)
+    def __init__(self, error_description, payload=None):
+        ApiException.__init__(
+            self, ApiErrorType.downstream_issue, 520, error_description, payload
+        )
diff --git a/endpoints/githubtrigger.py b/endpoints/githubtrigger.py
index 3b4b21f0a..71ea80aba 100644
--- a/endpoints/githubtrigger.py
+++ b/endpoints/githubtrigger.py
@@ -14,31 +14,33 @@ from util.http import abort
 
 
 logger = logging.getLogger(__name__)
-client = app.config['HTTPCLIENT']
-githubtrigger = Blueprint('callback', __name__)
+client = app.config["HTTPCLIENT"]
+githubtrigger = Blueprint("callback", __name__)
 
 
-@githubtrigger.route('/github/callback/trigger/<repopath:repository>', methods=['GET'])
+@githubtrigger.route("/github/callback/trigger/<repopath:repository>", methods=["GET"])
 @route_show_if(features.GITHUB_BUILD)
 @require_session_login
 @parse_repository_name()
 def attach_github_build_trigger(namespace_name, repo_name):
-  permission = AdministerRepositoryPermission(namespace_name, repo_name)
-  if permission.can():
-    code = request.args.get('code')
-    token = github_trigger.exchange_code_for_token(app.config, client, code)
-    repo = model.repository.get_repository(namespace_name, repo_name)
-    if not repo:
-      msg = 'Invalid repository: %s/%s' % (namespace_name, repo_name)
-      abort(404, message=msg)
-    elif repo.kind.name != 'image':
-      abort(501)
+    permission = AdministerRepositoryPermission(namespace_name, repo_name)
+    if permission.can():
+        code = request.args.get("code")
+        token = github_trigger.exchange_code_for_token(app.config, client, code)
+        repo = model.repository.get_repository(namespace_name, repo_name)
+        if not repo:
+            msg = "Invalid repository: %s/%s" % (namespace_name, repo_name)
+            abort(404, message=msg)
+        elif repo.kind.name != "image":
+            abort(501)
 
-    trigger = model.build.create_build_trigger(repo, 'github', token, current_user.db_user())
-    repo_path = '%s/%s' % (namespace_name, repo_name)
-    full_url = url_for('web.buildtrigger', path=repo_path, trigger=trigger.uuid)
+        trigger = model.build.create_build_trigger(
+            repo, "github", token, current_user.db_user()
+        )
+        repo_path = "%s/%s" % (namespace_name, repo_name)
+        full_url = url_for("web.buildtrigger", path=repo_path, trigger=trigger.uuid)
 
-    logger.debug('Redirecting to full url: %s', full_url)
-    return redirect(full_url)
+        logger.debug("Redirecting to full url: %s", full_url)
+        return redirect(full_url)
 
-  abort(403)
+    abort(403)
diff --git a/endpoints/gitlabtrigger.py b/endpoints/gitlabtrigger.py
index 4d97caffe..6684a0ff0 100644
--- a/endpoints/gitlabtrigger.py
+++ b/endpoints/gitlabtrigger.py
@@ -14,44 +14,47 @@ from util.http import abort
 
 
 logger = logging.getLogger(__name__)
-client = app.config['HTTPCLIENT']
-gitlabtrigger = Blueprint('gitlab', __name__)
+client = app.config["HTTPCLIENT"]
+gitlabtrigger = Blueprint("gitlab", __name__)
 
 
-@gitlabtrigger.route('/gitlab/callback/trigger', methods=['GET'])
+@gitlabtrigger.route("/gitlab/callback/trigger", methods=["GET"])
 @route_show_if(features.GITLAB_BUILD)
 @require_session_login
 def attach_gitlab_build_trigger():
-  state = request.args.get('state', None)
-  if not state:
-    abort(400)
-  state = state[len('repo:'):]
-  try:
-    [namespace, repository] = state.split('/')
-  except ValueError:
-    abort(400)
+    state = request.args.get("state", None)
+    if not state:
+        abort(400)
+    state = state[len("repo:") :]
+    try:
+        [namespace, repository] = state.split("/")
+    except ValueError:
+        abort(400)
 
-  permission = AdministerRepositoryPermission(namespace, repository)
-  if permission.can():
-    code = request.args.get('code')
-    token = gitlab_trigger.exchange_code_for_token(app.config, client, code,
-                                                   redirect_suffix='/trigger')
-    if not token:
-      msg = 'Could not exchange token. It may have expired.'
-      abort(404, message=msg)
+    permission = AdministerRepositoryPermission(namespace, repository)
+    if permission.can():
+        code = request.args.get("code")
+        token = gitlab_trigger.exchange_code_for_token(
+            app.config, client, code, redirect_suffix="/trigger"
+        )
+        if not token:
+            msg = "Could not exchange token. It may have expired."
+            abort(404, message=msg)
 
-    repo = model.repository.get_repository(namespace, repository)
-    if not repo:
-      msg = 'Invalid repository: %s/%s' % (namespace, repository)
-      abort(404, message=msg)
-    elif repo.kind.name != 'image':
-      abort(501)
+        repo = model.repository.get_repository(namespace, repository)
+        if not repo:
+            msg = "Invalid repository: %s/%s" % (namespace, repository)
+            abort(404, message=msg)
+        elif repo.kind.name != "image":
+            abort(501)
 
-    trigger = model.build.create_build_trigger(repo, 'gitlab', token, current_user.db_user())
-    repo_path = '%s/%s' % (namespace, repository)
-    full_url = url_for('web.buildtrigger', path=repo_path, trigger=trigger.uuid)
+        trigger = model.build.create_build_trigger(
+            repo, "gitlab", token, current_user.db_user()
+        )
+        repo_path = "%s/%s" % (namespace, repository)
+        full_url = url_for("web.buildtrigger", path=repo_path, trigger=trigger.uuid)
 
-    logger.debug('Redirecting to full url: %s', full_url)
-    return redirect(full_url)
+        logger.debug("Redirecting to full url: %s", full_url)
+        return redirect(full_url)
 
-  abort(403)
+    abort(403)
diff --git a/endpoints/keyserver/__init__.py b/endpoints/keyserver/__init__.py
index f24b30421..95a304678 100644
--- a/endpoints/keyserver/__init__.py
+++ b/endpoints/keyserver/__init__.py
@@ -14,190 +14,220 @@ from util.request import get_request_ip
 
 
 logger = logging.getLogger(__name__)
-key_server = Blueprint('key_server', __name__)
+key_server = Blueprint("key_server", __name__)
 
 
-JWT_HEADER_NAME = 'Authorization'
-JWT_AUDIENCE = app.config['PREFERRED_URL_SCHEME'] + '://' + app.config['SERVER_HOSTNAME']
+JWT_HEADER_NAME = "Authorization"
+JWT_AUDIENCE = (
+    app.config["PREFERRED_URL_SCHEME"] + "://" + app.config["SERVER_HOSTNAME"]
+)
 
 
 def _validate_jwk(jwk):
-  if 'kty' not in jwk:
-    abort(400)
+    if "kty" not in jwk:
+        abort(400)
 
-  if jwk['kty'] == 'EC':
-    if 'x' not in jwk or 'y' not in jwk:
-      abort(400)
-  elif jwk['kty'] == 'RSA':
-    if 'e' not in jwk or 'n' not in jwk:
-      abort(400)
-  else:
-    abort(400)
+    if jwk["kty"] == "EC":
+        if "x" not in jwk or "y" not in jwk:
+            abort(400)
+    elif jwk["kty"] == "RSA":
+        if "e" not in jwk or "n" not in jwk:
+            abort(400)
+    else:
+        abort(400)
 
 
 def _validate_jwt(encoded_jwt, jwk, service):
-  public_key = jwtutil.jwk_dict_to_public_key(jwk)
+    public_key = jwtutil.jwk_dict_to_public_key(jwk)
 
-  try:
-    jwtutil.decode(encoded_jwt, public_key, algorithms=['RS256'],
-                   audience=JWT_AUDIENCE, issuer=service)
-  except jwtutil.InvalidTokenError:
-    logger.exception('JWT validation failure')
-    abort(400)
+    try:
+        jwtutil.decode(
+            encoded_jwt,
+            public_key,
+            algorithms=["RS256"],
+            audience=JWT_AUDIENCE,
+            issuer=service,
+        )
+    except jwtutil.InvalidTokenError:
+        logger.exception("JWT validation failure")
+        abort(400)
 
 
 def _signer_kid(encoded_jwt, allow_none=False):
-  headers = get_unverified_header(encoded_jwt)
-  kid = headers.get('kid', None)
-  if not kid and not allow_none:
-    abort(400)
+    headers = get_unverified_header(encoded_jwt)
+    kid = headers.get("kid", None)
+    if not kid and not allow_none:
+        abort(400)
 
-  return kid
+    return kid
 
 
 def _lookup_service_key(service, signer_kid, approved_only=True):
-  try:
-    return model.get_service_key(signer_kid, service=service, approved_only=approved_only)
-  except ServiceKeyDoesNotExist:
-    abort(403)
+    try:
+        return model.get_service_key(
+            signer_kid, service=service, approved_only=approved_only
+        )
+    except ServiceKeyDoesNotExist:
+        abort(403)
 
 
 def jwk_with_kid(key):
-  jwk = key.jwk.copy()
-  jwk.update({'kid': key.kid})
-  return jwk
+    jwk = key.jwk.copy()
+    jwk.update({"kid": key.kid})
+    return jwk
 
 
-@key_server.route('/services/<service>/keys', methods=['GET'])
+@key_server.route("/services/<service>/keys", methods=["GET"])
 def list_service_keys(service):
-  keys = model.list_service_keys(service)
-  return jsonify({'keys': [jwk_with_kid(key) for key in keys]})
+    keys = model.list_service_keys(service)
+    return jsonify({"keys": [jwk_with_kid(key) for key in keys]})
 
 
-@key_server.route('/services/<service>/keys/<kid>', methods=['GET'])
+@key_server.route("/services/<service>/keys/<kid>", methods=["GET"])
 def get_service_key(service, kid):
-  try:
-    key = model.get_service_key(kid, alive_only=False, approved_only=False)
-  except ServiceKeyDoesNotExist:
-    abort(404)
-
-  if key.approval is None:
-    abort(409)
-
-  if key.expiration_date is not None and key.expiration_date <= datetime.utcnow():
-    abort(403)
-
-  resp = jsonify(key.jwk)
-  lifetime = min(timedelta(days=1), ((key.expiration_date or datetime.max) - datetime.utcnow()))
-  resp.cache_control.max_age = max(0, lifetime.total_seconds())
-  return resp
-
-
-@key_server.route('/services/<service>/keys/<kid>', methods=['PUT'])
-def put_service_key(service, kid):
-  metadata = {'ip': get_request_ip()}
-
-  rotation_duration = request.args.get('rotation', None)
-  expiration_date = request.args.get('expiration', None)
-  if expiration_date is not None:
     try:
-      expiration_date = datetime.utcfromtimestamp(float(expiration_date))
-    except ValueError:
-      logger.exception('Error parsing expiration date on key')
-      abort(400)
-
-  try:
-    jwk = request.get_json()
-  except ValueError:
-    logger.exception('Error parsing JWK')
-    abort(400)
-
-  jwt_header = request.headers.get(JWT_HEADER_NAME, '')
-  match = jwtutil.TOKEN_REGEX.match(jwt_header)
-  if match is None:
-    logger.error('Could not find matching bearer token')
-    abort(400)
-
-  encoded_jwt = match.group(1)
-
-  _validate_jwk(jwk)
-
-  signer_kid = _signer_kid(encoded_jwt, allow_none=True)
-  if kid == signer_kid or signer_kid is None:
-    # The key is self-signed. Create a new instance and await approval.
-    _validate_jwt(encoded_jwt, jwk, service)
-    model.create_service_key('', kid, service, jwk, metadata, expiration_date,
-                             rotation_duration=rotation_duration)
-
-    logs_model.log_action('service_key_create', ip=get_request_ip(), metadata={
-      'kid': kid,
-      'preshared': False,
-      'service': service,
-      'name': '',
-      'expiration_date': expiration_date,
-      'user_agent': request.headers.get('User-Agent'),
-      'ip': get_request_ip(),
-    })
-
-    return make_response('', 202)
-
-  # Key is going to be rotated.
-  metadata.update({'created_by': 'Key Rotation'})
-  signer_key = _lookup_service_key(service, signer_kid)
-  signer_jwk = signer_key.jwk
-
-  _validate_jwt(encoded_jwt, signer_jwk, service)
-
-  try:
-    model.replace_service_key(signer_key.kid, kid, jwk, metadata, expiration_date)
-  except ServiceKeyDoesNotExist:
-    abort(404)
-
-  logs_model.log_action('service_key_rotate', ip=get_request_ip(), metadata={
-    'kid': kid,
-    'signer_kid': signer_key.kid,
-    'service': service,
-    'name': signer_key.name,
-    'expiration_date': expiration_date,
-    'user_agent': request.headers.get('User-Agent'),
-    'ip': get_request_ip(),
-  })
-
-  return make_response('', 200)
-
-
-@key_server.route('/services/<service>/keys/<kid>', methods=['DELETE'])
-def delete_service_key(service, kid):
-  jwt_header = request.headers.get(JWT_HEADER_NAME, '')
-  match = jwtutil.TOKEN_REGEX.match(jwt_header)
-  if match is None:
-    abort(400)
-
-  encoded_jwt = match.group(1)
-
-  signer_kid = _signer_kid(encoded_jwt)
-  signer_key = _lookup_service_key(service, signer_kid, approved_only=False)
-
-  self_signed = kid == signer_kid
-  approved_key_for_service = signer_key.approval is not None
-
-  if self_signed or approved_key_for_service:
-    _validate_jwt(encoded_jwt, signer_key.jwk, service)
-
-    try:
-      model.delete_service_key(kid)
+        key = model.get_service_key(kid, alive_only=False, approved_only=False)
     except ServiceKeyDoesNotExist:
-      abort(404)
+        abort(404)
 
-    logs_model.log_action('service_key_delete', ip=get_request_ip(), metadata={
-      'kid': kid,
-      'signer_kid': signer_key.kid,
-      'service': service,
-      'name': signer_key.name,
-      'user_agent': request.headers.get('User-Agent'),
-      'ip': get_request_ip(),
-    })
+    if key.approval is None:
+        abort(409)
 
-    return make_response('', 204)
+    if key.expiration_date is not None and key.expiration_date <= datetime.utcnow():
+        abort(403)
 
-  abort(403)
+    resp = jsonify(key.jwk)
+    lifetime = min(
+        timedelta(days=1), ((key.expiration_date or datetime.max) - datetime.utcnow())
+    )
+    resp.cache_control.max_age = max(0, lifetime.total_seconds())
+    return resp
+
+
+@key_server.route("/services/<service>/keys/<kid>", methods=["PUT"])
+def put_service_key(service, kid):
+    metadata = {"ip": get_request_ip()}
+
+    rotation_duration = request.args.get("rotation", None)
+    expiration_date = request.args.get("expiration", None)
+    if expiration_date is not None:
+        try:
+            expiration_date = datetime.utcfromtimestamp(float(expiration_date))
+        except ValueError:
+            logger.exception("Error parsing expiration date on key")
+            abort(400)
+
+    try:
+        jwk = request.get_json()
+    except ValueError:
+        logger.exception("Error parsing JWK")
+        abort(400)
+
+    jwt_header = request.headers.get(JWT_HEADER_NAME, "")
+    match = jwtutil.TOKEN_REGEX.match(jwt_header)
+    if match is None:
+        logger.error("Could not find matching bearer token")
+        abort(400)
+
+    encoded_jwt = match.group(1)
+
+    _validate_jwk(jwk)
+
+    signer_kid = _signer_kid(encoded_jwt, allow_none=True)
+    if kid == signer_kid or signer_kid is None:
+        # The key is self-signed. Create a new instance and await approval.
+        _validate_jwt(encoded_jwt, jwk, service)
+        model.create_service_key(
+            "",
+            kid,
+            service,
+            jwk,
+            metadata,
+            expiration_date,
+            rotation_duration=rotation_duration,
+        )
+
+        logs_model.log_action(
+            "service_key_create",
+            ip=get_request_ip(),
+            metadata={
+                "kid": kid,
+                "preshared": False,
+                "service": service,
+                "name": "",
+                "expiration_date": expiration_date,
+                "user_agent": request.headers.get("User-Agent"),
+                "ip": get_request_ip(),
+            },
+        )
+
+        return make_response("", 202)
+
+    # Key is going to be rotated.
+    metadata.update({"created_by": "Key Rotation"})
+    signer_key = _lookup_service_key(service, signer_kid)
+    signer_jwk = signer_key.jwk
+
+    _validate_jwt(encoded_jwt, signer_jwk, service)
+
+    try:
+        model.replace_service_key(signer_key.kid, kid, jwk, metadata, expiration_date)
+    except ServiceKeyDoesNotExist:
+        abort(404)
+
+    logs_model.log_action(
+        "service_key_rotate",
+        ip=get_request_ip(),
+        metadata={
+            "kid": kid,
+            "signer_kid": signer_key.kid,
+            "service": service,
+            "name": signer_key.name,
+            "expiration_date": expiration_date,
+            "user_agent": request.headers.get("User-Agent"),
+            "ip": get_request_ip(),
+        },
+    )
+
+    return make_response("", 200)
+
+
+@key_server.route("/services/<service>/keys/<kid>", methods=["DELETE"])
+def delete_service_key(service, kid):
+    jwt_header = request.headers.get(JWT_HEADER_NAME, "")
+    match = jwtutil.TOKEN_REGEX.match(jwt_header)
+    if match is None:
+        abort(400)
+
+    encoded_jwt = match.group(1)
+
+    signer_kid = _signer_kid(encoded_jwt)
+    signer_key = _lookup_service_key(service, signer_kid, approved_only=False)
+
+    self_signed = kid == signer_kid
+    approved_key_for_service = signer_key.approval is not None
+
+    if self_signed or approved_key_for_service:
+        _validate_jwt(encoded_jwt, signer_key.jwk, service)
+
+        try:
+            model.delete_service_key(kid)
+        except ServiceKeyDoesNotExist:
+            abort(404)
+
+        logs_model.log_action(
+            "service_key_delete",
+            ip=get_request_ip(),
+            metadata={
+                "kid": kid,
+                "signer_kid": signer_key.kid,
+                "service": service,
+                "name": signer_key.name,
+                "user_agent": request.headers.get("User-Agent"),
+                "ip": get_request_ip(),
+            },
+        )
+
+        return make_response("", 204)
+
+    abort(403)
diff --git a/endpoints/keyserver/models_interface.py b/endpoints/keyserver/models_interface.py
index 977c2f6b4..3e168201f 100644
--- a/endpoints/keyserver/models_interface.py
+++ b/endpoints/keyserver/models_interface.py
@@ -4,62 +4,79 @@ from collections import namedtuple
 from six import add_metaclass
 
 
-class ServiceKey(namedtuple('ServiceKey', ['name', 'kid', 'service', 'jwk', 'metadata',
-                                           'created_date', 'expiration_date', 'rotation_duration',
-                                           'approval'])):
-  """
+class ServiceKey(
+    namedtuple(
+        "ServiceKey",
+        [
+            "name",
+            "kid",
+            "service",
+            "jwk",
+            "metadata",
+            "created_date",
+            "expiration_date",
+            "rotation_duration",
+            "approval",
+        ],
+    )
+):
+    """
   Service Key represents a public key (JWK) being used by an instance of a particular service to
   authenticate with other services.
   """
-  pass
+
+    pass
 
 
 class ServiceKeyException(Exception):
-  pass
+    pass
 
 
 class ServiceKeyDoesNotExist(ServiceKeyException):
-  pass
+    pass
 
 
 @add_metaclass(ABCMeta)
 class KeyServerDataInterface(object):
-  """
+    """
   Interface that represents all data store interactions required by a JWT key service.
   """
 
-  @abstractmethod
-  def list_service_keys(self, service):
-    """
+    @abstractmethod
+    def list_service_keys(self, service):
+        """
     Returns a list of service keys or an empty list if the service does not exist.
     """
-    pass
+        pass
 
-  @abstractmethod
-  def get_service_key(self, signer_kid, service=None, alive_only=None, approved_only=None):
-    """
+    @abstractmethod
+    def get_service_key(
+        self, signer_kid, service=None, alive_only=None, approved_only=None
+    ):
+        """
     Returns a service kid with the given kid or raises ServiceKeyNotFound.
     """
-    pass
+        pass
 
-  @abstractmethod
-  def create_service_key(self, name, kid, service, jwk, metadata, expiration_date,
-                         rotation_duration=None):
-    """
+    @abstractmethod
+    def create_service_key(
+        self, name, kid, service, jwk, metadata, expiration_date, rotation_duration=None
+    ):
+        """
     Stores a service key.
     """
-    pass
+        pass
 
-  @abstractmethod
-  def replace_service_key(self, old_kid, kid, jwk, metadata, expiration_date):
-    """
+    @abstractmethod
+    def replace_service_key(self, old_kid, kid, jwk, metadata, expiration_date):
+        """
     Replaces a service with a new key or raises ServiceKeyNotFound.
     """
-    pass
+        pass
 
-  @abstractmethod
-  def delete_service_key(self, kid):
-    """
+    @abstractmethod
+    def delete_service_key(self, kid):
+        """
     Deletes and returns a service key with the given kid or raises ServiceKeyNotFound.
     """
-    pass
+        pass
diff --git a/endpoints/keyserver/models_pre_oci.py b/endpoints/keyserver/models_pre_oci.py
index 8dfb119b9..609eee68b 100644
--- a/endpoints/keyserver/models_pre_oci.py
+++ b/endpoints/keyserver/models_pre_oci.py
@@ -1,59 +1,71 @@
 import data.model
 
-from endpoints.keyserver.models_interface import (KeyServerDataInterface, ServiceKey,
-                                                  ServiceKeyDoesNotExist)
+from endpoints.keyserver.models_interface import (
+    KeyServerDataInterface,
+    ServiceKey,
+    ServiceKeyDoesNotExist,
+)
 
 
 class PreOCIModel(KeyServerDataInterface):
-  """
+    """
   PreOCIModel implements the data model for JWT key service using a database schema before it was
   changed to support the OCI specification.
   """
-  def list_service_keys(self, service):
-    return data.model.service_keys.list_service_keys(service)
 
-  def get_service_key(self, signer_kid, service=None, alive_only=True, approved_only=True):
-    try:
-      key = data.model.service_keys.get_service_key(signer_kid, service, alive_only, approved_only)
-      return _db_key_to_servicekey(key)
-    except data.model.ServiceKeyDoesNotExist:
-      raise ServiceKeyDoesNotExist()
+    def list_service_keys(self, service):
+        return data.model.service_keys.list_service_keys(service)
 
-  def create_service_key(self, name, kid, service, jwk, metadata, expiration_date,
-                         rotation_duration=None):
-    key = data.model.service_keys.create_service_key(name, kid, service, jwk, metadata,
-                                                     expiration_date, rotation_duration)
-    return _db_key_to_servicekey(key)
+    def get_service_key(
+        self, signer_kid, service=None, alive_only=True, approved_only=True
+    ):
+        try:
+            key = data.model.service_keys.get_service_key(
+                signer_kid, service, alive_only, approved_only
+            )
+            return _db_key_to_servicekey(key)
+        except data.model.ServiceKeyDoesNotExist:
+            raise ServiceKeyDoesNotExist()
 
-  def replace_service_key(self, old_kid, kid, jwk, metadata, expiration_date):
-    try:
-      data.model.service_keys.replace_service_key(old_kid, kid, jwk, metadata, expiration_date)
-    except data.model.ServiceKeyDoesNotExist:
-      raise ServiceKeyDoesNotExist()
+    def create_service_key(
+        self, name, kid, service, jwk, metadata, expiration_date, rotation_duration=None
+    ):
+        key = data.model.service_keys.create_service_key(
+            name, kid, service, jwk, metadata, expiration_date, rotation_duration
+        )
+        return _db_key_to_servicekey(key)
 
-  def delete_service_key(self, kid):
-    try:
-      key = data.model.service_keys.delete_service_key(kid)
-      return _db_key_to_servicekey(key)
-    except data.model.ServiceKeyDoesNotExist:
-      raise ServiceKeyDoesNotExist()
+    def replace_service_key(self, old_kid, kid, jwk, metadata, expiration_date):
+        try:
+            data.model.service_keys.replace_service_key(
+                old_kid, kid, jwk, metadata, expiration_date
+            )
+        except data.model.ServiceKeyDoesNotExist:
+            raise ServiceKeyDoesNotExist()
+
+    def delete_service_key(self, kid):
+        try:
+            key = data.model.service_keys.delete_service_key(kid)
+            return _db_key_to_servicekey(key)
+        except data.model.ServiceKeyDoesNotExist:
+            raise ServiceKeyDoesNotExist()
 
 
 pre_oci_model = PreOCIModel()
 
 
 def _db_key_to_servicekey(key):
-  """
+    """
   Converts the Pre-OCI database model of a service key into a ServiceKey.
   """
-  return ServiceKey(
-    name=key.name,
-    kid=key.kid,
-    service=key.service,
-    jwk=key.jwk,
-    metadata=key.metadata,
-    created_date=key.created_date,
-    expiration_date=key.expiration_date,
-    rotation_duration=key.rotation_duration,
-    approval=key.approval,
-  )
+    return ServiceKey(
+        name=key.name,
+        kid=key.kid,
+        service=key.service,
+        jwk=key.jwk,
+        metadata=key.metadata,
+        created_date=key.created_date,
+        expiration_date=key.expiration_date,
+        rotation_duration=key.rotation_duration,
+        approval=key.approval,
+    )
diff --git a/endpoints/oauth/login.py b/endpoints/oauth/login.py
index 89c81f9c6..6e3408ef9 100644
--- a/endpoints/oauth/login.py
+++ b/endpoints/oauth/login.py
@@ -8,7 +8,14 @@ from peewee import IntegrityError
 
 import features
 
-from app import app, analytics, get_app_url, oauth_login, authentication, url_scheme_and_hostname
+from app import (
+    app,
+    analytics,
+    get_app_url,
+    oauth_login,
+    authentication,
+    url_scheme_and_hostname,
+)
 from auth.auth_context import get_authenticated_user
 from auth.decorators import require_session_login
 from data import model
@@ -21,282 +28,370 @@ from util.validation import generate_valid_usernames
 from util.request import get_request_ip
 
 logger = logging.getLogger(__name__)
-client = app.config['HTTPCLIENT']
-oauthlogin = Blueprint('oauthlogin', __name__)
+client = app.config["HTTPCLIENT"]
+oauthlogin = Blueprint("oauthlogin", __name__)
 
-oauthlogin_csrf_protect = csrf_protect(OAUTH_CSRF_TOKEN_NAME, 'state', all_methods=True,
-                                       check_header=False)
+oauthlogin_csrf_protect = csrf_protect(
+    OAUTH_CSRF_TOKEN_NAME, "state", all_methods=True, check_header=False
+)
 
 
-OAuthResult = namedtuple('oauthresult', ['user_obj', 'service_name', 'error_message',
-                                         'register_redirect', 'requires_verification'])
+OAuthResult = namedtuple(
+    "oauthresult",
+    [
+        "user_obj",
+        "service_name",
+        "error_message",
+        "register_redirect",
+        "requires_verification",
+    ],
+)
+
+
+def _oauthresult(
+    user_obj=None,
+    service_name=None,
+    error_message=None,
+    register_redirect=False,
+    requires_verification=False,
+):
+    return OAuthResult(
+        user_obj, service_name, error_message, register_redirect, requires_verification
+    )
 
-def _oauthresult(user_obj=None, service_name=None, error_message=None, register_redirect=False,
-                 requires_verification=False):
-  return OAuthResult(user_obj, service_name, error_message, register_redirect,
-                     requires_verification)
 
 def _get_response(result):
-  if result.error_message is not None:
-    return _render_ologin_error(result.service_name, result.error_message, result.register_redirect)
-
-  return _perform_login(result.user_obj, result.service_name)
-
-def _conduct_oauth_login(auth_system, login_service, lid, lusername, lemail, metadata=None,
-                         captcha_verified=False):
-  """ Conducts login from the result of an OAuth service's login flow and returns
-      the status of the login, as well as the followup step. """
-  service_id = login_service.service_id()
-  service_name = login_service.service_name()
-
-  # Check for an existing account *bound to this service*. If found, conduct login of that account
-  # and redirect.
-  user_obj = model.user.verify_federated_login(service_id, lid)
-  if user_obj is not None:
-    return _oauthresult(user_obj=user_obj, service_name=service_name)
-
-  # If the login service has a bound field name, and we have a defined internal auth type that is
-  # not the database, then search for an existing account with that matching field. This allows
-  # users to setup SSO while also being backed by something like LDAP.
-  bound_field_name = login_service.login_binding_field()
-  if auth_system.federated_service is not None and bound_field_name is not None:
-    # Perform lookup.
-    logger.debug('Got oauth bind field name of "%s"', bound_field_name)
-    lookup_value = None
-    if bound_field_name == 'sub':
-      lookup_value = lid
-    elif bound_field_name == 'username':
-      lookup_value = lusername
-    elif bound_field_name == 'email':
-      lookup_value = lemail
-
-    if lookup_value is None:
-      logger.error('Missing lookup value for OAuth login')
-      return _oauthresult(service_name=service_name,
-                          error_message='Configuration error in this provider')
-
-    (user_obj, err) = auth_system.link_user(lookup_value)
-    if err is not None:
-      logger.debug('%s %s not found: %s', bound_field_name, lookup_value, err)
-      msg = '%s %s not found in backing auth system' % (bound_field_name, lookup_value)
-      return _oauthresult(service_name=service_name, error_message=msg)
-
-    # Found an existing user. Bind their internal auth account to this service as well.
-    result = _attach_service(login_service, user_obj, lid, lusername)
     if result.error_message is not None:
-      return result
+        return _render_ologin_error(
+            result.service_name, result.error_message, result.register_redirect
+        )
 
-    return _oauthresult(user_obj=user_obj, service_name=service_name)
+    return _perform_login(result.user_obj, result.service_name)
 
-  # Otherwise, we need to create a new user account.
-  blacklisted_domains = app.config.get('BLACKLISTED_EMAIL_DOMAINS', [])
-  if not can_create_user(lemail, blacklisted_domains=blacklisted_domains):
-    error_message = 'User creation is disabled. Please contact your administrator'
-    return _oauthresult(service_name=service_name, error_message=error_message)
 
-  if features.RECAPTCHA and not captcha_verified:
-    return _oauthresult(service_name=service_name, requires_verification=True)
+def _conduct_oauth_login(
+    auth_system,
+    login_service,
+    lid,
+    lusername,
+    lemail,
+    metadata=None,
+    captcha_verified=False,
+):
+    """ Conducts login from the result of an OAuth service's login flow and returns
+      the status of the login, as well as the followup step. """
+    service_id = login_service.service_id()
+    service_name = login_service.service_name()
 
-  # Try to create the user
-  try:
-    # Generate a valid username.
-    new_username = None
-    for valid in generate_valid_usernames(lusername):
-      if model.user.get_user_or_org(valid):
-        continue
+    # Check for an existing account *bound to this service*. If found, conduct login of that account
+    # and redirect.
+    user_obj = model.user.verify_federated_login(service_id, lid)
+    if user_obj is not None:
+        return _oauthresult(user_obj=user_obj, service_name=service_name)
 
-      new_username = valid
-      break
+    # If the login service has a bound field name, and we have a defined internal auth type that is
+    # not the database, then search for an existing account with that matching field. This allows
+    # users to setup SSO while also being backed by something like LDAP.
+    bound_field_name = login_service.login_binding_field()
+    if auth_system.federated_service is not None and bound_field_name is not None:
+        # Perform lookup.
+        logger.debug('Got oauth bind field name of "%s"', bound_field_name)
+        lookup_value = None
+        if bound_field_name == "sub":
+            lookup_value = lid
+        elif bound_field_name == "username":
+            lookup_value = lusername
+        elif bound_field_name == "email":
+            lookup_value = lemail
 
-    requires_password = auth_system.requires_distinct_cli_password
-    prompts = model.user.get_default_user_prompts(features)
-    user_obj = model.user.create_federated_user(new_username, lemail, service_id, lid,
-                                                set_password_notification=requires_password,
-                                                metadata=metadata or {},
-                                                confirm_username=features.USERNAME_CONFIRMATION,
-                                                prompts=prompts,
-                                                email_required=features.MAILING)
+        if lookup_value is None:
+            logger.error("Missing lookup value for OAuth login")
+            return _oauthresult(
+                service_name=service_name,
+                error_message="Configuration error in this provider",
+            )
 
-    # Success, tell analytics
-    analytics.track(user_obj.username, 'register', {'service': service_name.lower()})
-    return _oauthresult(user_obj=user_obj, service_name=service_name)
+        (user_obj, err) = auth_system.link_user(lookup_value)
+        if err is not None:
+            logger.debug("%s %s not found: %s", bound_field_name, lookup_value, err)
+            msg = "%s %s not found in backing auth system" % (
+                bound_field_name,
+                lookup_value,
+            )
+            return _oauthresult(service_name=service_name, error_message=msg)
 
-  except model.InvalidEmailAddressException:
-    message = ("The e-mail address {0} is already associated "
-               "with an existing {1} account. \n"
-               "Please log in with your username and password and "
-               "associate your {2} account to use it in the future.")
-    message = message.format(lemail, app.config['REGISTRY_TITLE_SHORT'], service_name)
-    return _oauthresult(service_name=service_name, error_message=message,
-                        register_redirect=True)
+        # Found an existing user. Bind their internal auth account to this service as well.
+        result = _attach_service(login_service, user_obj, lid, lusername)
+        if result.error_message is not None:
+            return result
+
+        return _oauthresult(user_obj=user_obj, service_name=service_name)
+
+    # Otherwise, we need to create a new user account.
+    blacklisted_domains = app.config.get("BLACKLISTED_EMAIL_DOMAINS", [])
+    if not can_create_user(lemail, blacklisted_domains=blacklisted_domains):
+        error_message = "User creation is disabled. Please contact your administrator"
+        return _oauthresult(service_name=service_name, error_message=error_message)
+
+    if features.RECAPTCHA and not captcha_verified:
+        return _oauthresult(service_name=service_name, requires_verification=True)
+
+    # Try to create the user
+    try:
+        # Generate a valid username.
+        new_username = None
+        for valid in generate_valid_usernames(lusername):
+            if model.user.get_user_or_org(valid):
+                continue
+
+            new_username = valid
+            break
+
+        requires_password = auth_system.requires_distinct_cli_password
+        prompts = model.user.get_default_user_prompts(features)
+        user_obj = model.user.create_federated_user(
+            new_username,
+            lemail,
+            service_id,
+            lid,
+            set_password_notification=requires_password,
+            metadata=metadata or {},
+            confirm_username=features.USERNAME_CONFIRMATION,
+            prompts=prompts,
+            email_required=features.MAILING,
+        )
+
+        # Success, tell analytics
+        analytics.track(
+            user_obj.username, "register", {"service": service_name.lower()}
+        )
+        return _oauthresult(user_obj=user_obj, service_name=service_name)
+
+    except model.InvalidEmailAddressException:
+        message = (
+            "The e-mail address {0} is already associated "
+            "with an existing {1} account. \n"
+            "Please log in with your username and password and "
+            "associate your {2} account to use it in the future."
+        )
+        message = message.format(
+            lemail, app.config["REGISTRY_TITLE_SHORT"], service_name
+        )
+        return _oauthresult(
+            service_name=service_name, error_message=message, register_redirect=True
+        )
+
+    except model.DataModelException as ex:
+        return _oauthresult(service_name=service_name, error_message=str(ex))
 
-  except model.DataModelException as ex:
-    return _oauthresult(service_name=service_name, error_message=str(ex))
 
 def _render_ologin_error(service_name, error_message=None, register_redirect=False):
-  """ Returns a Flask response indicating an OAuth error. """
+    """ Returns a Flask response indicating an OAuth error. """
 
-  user_creation = bool(features.USER_CREATION and features.DIRECT_LOGIN and
-                       not features.INVITE_ONLY_USER_CREATION)
-  error_info = {
-    'reason': 'ologinerror',
-    'service_name': service_name,
-    'error_message': error_message or 'Could not load user data. The token may have expired',
-    'service_url': get_app_url(),
-    'user_creation': user_creation,
-    'register_redirect': register_redirect,
-  }
-
-  resp = index('', error_info=error_info)
-  resp.status_code = 400
-  return resp
-
-def _perform_login(user_obj, service_name):
-  """ Attempts to login the given user, returning the Flask result of whether the login succeeded.
-  """
-  success, _ = common_login(user_obj.uuid)
-  if success:
-    if model.user.has_user_prompts(user_obj):
-      return redirect(url_for('web.updateuser'))
-    else:
-      return redirect(url_for('web.index'))
-  else:
-    return _render_ologin_error(service_name, 'Could not login. Account may be disabled')
-
-def _attach_service(login_service, user_obj, lid, lusername):
-  """ Attaches the given user account to the given service, with the given service user ID and
-      service username.
-  """
-  metadata = {
-    'service_username': lusername,
-  }
-
-  try:
-    model.user.attach_federated_login(user_obj, login_service.service_id(), lid,
-                                      metadata=metadata)
-    return _oauthresult(user_obj=user_obj)
-  except IntegrityError:
-    err = '%s account %s is already attached to a %s account' % (
-      login_service.service_name(), lusername, app.config['REGISTRY_TITLE_SHORT'])
-    return _oauthresult(service_name=login_service.service_name(), error_message=err)
-
-def _register_service(login_service):
-  """ Registers the given login service, adding its callback and attach routes to the blueprint. """
-
-  @oauthlogin_csrf_protect
-  def callback_func():
-    # Check for a callback error.
-    error = request.values.get('error', None)
-    if error:
-      return _render_ologin_error(login_service.service_name(), error)
-
-    # Exchange the OAuth code for login information.
-    code = request.values.get('code')
-    try:
-      lid, lusername, lemail = login_service.exchange_code_for_login(app.config, client, code, '')
-    except OAuthLoginException as ole:
-      logger.exception('Got login exception')
-      return _render_ologin_error(login_service.service_name(), str(ole))
-
-    # Conduct login.
-    metadata = {
-      'service_username': lusername,
+    user_creation = bool(
+        features.USER_CREATION
+        and features.DIRECT_LOGIN
+        and not features.INVITE_ONLY_USER_CREATION
+    )
+    error_info = {
+        "reason": "ologinerror",
+        "service_name": service_name,
+        "error_message": error_message
+        or "Could not load user data. The token may have expired",
+        "service_url": get_app_url(),
+        "user_creation": user_creation,
+        "register_redirect": register_redirect,
     }
 
-    # Conduct OAuth login.
-    captcha_verified = (int(time.time()) - session.get('captcha_verified', 0)) <= 600
-    session['captcha_verified'] = 0
-
-    result = _conduct_oauth_login(authentication, login_service, lid, lusername, lemail,
-                                  metadata=metadata, captcha_verified=captcha_verified)
-    if result.requires_verification:
-      return render_page_template_with_routedata('oauthcaptcha.html',
-                                                 recaptcha_site_key=app.config['RECAPTCHA_SITE_KEY'],
-                                                 callback_url=request.base_url)
-
-    return _get_response(result)
+    resp = index("", error_info=error_info)
+    resp.status_code = 400
+    return resp
 
 
-  @require_session_login
-  @oauthlogin_csrf_protect
-  def attach_func():
-    # Check for a callback error.
-    error = request.values.get('error', None)
-    if error:
-      return _render_ologin_error(login_service.service_name(), error)
+def _perform_login(user_obj, service_name):
+    """ Attempts to login the given user, returning the Flask result of whether the login succeeded.
+  """
+    success, _ = common_login(user_obj.uuid)
+    if success:
+        if model.user.has_user_prompts(user_obj):
+            return redirect(url_for("web.updateuser"))
+        else:
+            return redirect(url_for("web.index"))
+    else:
+        return _render_ologin_error(
+            service_name, "Could not login. Account may be disabled"
+        )
+
+
+def _attach_service(login_service, user_obj, lid, lusername):
+    """ Attaches the given user account to the given service, with the given service user ID and
+      service username.
+  """
+    metadata = {"service_username": lusername}
 
-    # Exchange the OAuth code for login information.
-    code = request.values.get('code')
     try:
-      lid, lusername, _ = login_service.exchange_code_for_login(app.config, client, code, '/attach')
-    except OAuthLoginException as ole:
-      return _render_ologin_error(login_service.service_name(), str(ole))
+        model.user.attach_federated_login(
+            user_obj, login_service.service_id(), lid, metadata=metadata
+        )
+        return _oauthresult(user_obj=user_obj)
+    except IntegrityError:
+        err = "%s account %s is already attached to a %s account" % (
+            login_service.service_name(),
+            lusername,
+            app.config["REGISTRY_TITLE_SHORT"],
+        )
+        return _oauthresult(
+            service_name=login_service.service_name(), error_message=err
+        )
 
-    # Conduct attach.
-    user_obj = get_authenticated_user()
-    result = _attach_service(login_service, user_obj, lid, lusername)
-    if result.error_message is not None:
-      return _get_response(result)
 
-    return redirect(url_for('web.user_view', path=user_obj.username, tab='external'))
+def _register_service(login_service):
+    """ Registers the given login service, adding its callback and attach routes to the blueprint. """
 
-  def captcha_func():
-    recaptcha_response = request.values.get('recaptcha_response', '')
-    result = recaptcha2.verify(app.config['RECAPTCHA_SECRET_KEY'],
-                               recaptcha_response,
-                               get_request_ip())
+    @oauthlogin_csrf_protect
+    def callback_func():
+        # Check for a callback error.
+        error = request.values.get("error", None)
+        if error:
+            return _render_ologin_error(login_service.service_name(), error)
 
-    if not result['success']:
-      abort(400)
+        # Exchange the OAuth code for login information.
+        code = request.values.get("code")
+        try:
+            lid, lusername, lemail = login_service.exchange_code_for_login(
+                app.config, client, code, ""
+            )
+        except OAuthLoginException as ole:
+            logger.exception("Got login exception")
+            return _render_ologin_error(login_service.service_name(), str(ole))
 
-    # Save that the captcha was verified.
-    session['captcha_verified'] = int(time.time())
+        # Conduct login.
+        metadata = {"service_username": lusername}
 
-    # Redirect to the normal OAuth flow again, so that the user can now create an account.
-    csrf_token = generate_csrf_token(OAUTH_CSRF_TOKEN_NAME)
-    login_scopes = login_service.get_login_scopes()
-    auth_url = login_service.get_auth_url(url_scheme_and_hostname, '', csrf_token, login_scopes)
-    return redirect(auth_url)
+        # Conduct OAuth login.
+        captcha_verified = (
+            int(time.time()) - session.get("captcha_verified", 0)
+        ) <= 600
+        session["captcha_verified"] = 0
 
-  @require_session_login
-  @oauthlogin_csrf_protect
-  def cli_token_func():
-    # Check for a callback error.
-    error = request.values.get('error', None)
-    if error:
-      return _render_ologin_error(login_service.service_name(), error)
+        result = _conduct_oauth_login(
+            authentication,
+            login_service,
+            lid,
+            lusername,
+            lemail,
+            metadata=metadata,
+            captcha_verified=captcha_verified,
+        )
+        if result.requires_verification:
+            return render_page_template_with_routedata(
+                "oauthcaptcha.html",
+                recaptcha_site_key=app.config["RECAPTCHA_SITE_KEY"],
+                callback_url=request.base_url,
+            )
 
-    # Exchange the OAuth code for the ID token.
-    code = request.values.get('code')
-    try:
-      idtoken, _ = login_service.exchange_code_for_tokens(app.config, client, code, '/cli')
-    except OAuthLoginException as ole:
-      return _render_ologin_error(login_service.service_name(), str(ole))
+        return _get_response(result)
 
-    user_obj = get_authenticated_user()
-    return redirect(url_for('web.user_view', path=user_obj.username, tab='settings',
-                            idtoken=idtoken))
+    @require_session_login
+    @oauthlogin_csrf_protect
+    def attach_func():
+        # Check for a callback error.
+        error = request.values.get("error", None)
+        if error:
+            return _render_ologin_error(login_service.service_name(), error)
 
-  oauthlogin.add_url_rule('/%s/callback/captcha' % login_service.service_id(),
-                          '%s_oauth_captcha' % login_service.service_id(),
-                          captcha_func,
-                          methods=['POST'])
+        # Exchange the OAuth code for login information.
+        code = request.values.get("code")
+        try:
+            lid, lusername, _ = login_service.exchange_code_for_login(
+                app.config, client, code, "/attach"
+            )
+        except OAuthLoginException as ole:
+            return _render_ologin_error(login_service.service_name(), str(ole))
 
-  oauthlogin.add_url_rule('/%s/callback' % login_service.service_id(),
-                          '%s_oauth_callback' % login_service.service_id(),
-                          callback_func,
-                          methods=['GET', 'POST'])
+        # Conduct attach.
+        user_obj = get_authenticated_user()
+        result = _attach_service(login_service, user_obj, lid, lusername)
+        if result.error_message is not None:
+            return _get_response(result)
 
-  oauthlogin.add_url_rule('/%s/callback/attach' % login_service.service_id(),
-                          '%s_oauth_attach' % login_service.service_id(),
-                          attach_func,
-                          methods=['GET', 'POST'])
+        return redirect(
+            url_for("web.user_view", path=user_obj.username, tab="external")
+        )
+
+    def captcha_func():
+        recaptcha_response = request.values.get("recaptcha_response", "")
+        result = recaptcha2.verify(
+            app.config["RECAPTCHA_SECRET_KEY"], recaptcha_response, get_request_ip()
+        )
+
+        if not result["success"]:
+            abort(400)
+
+        # Save that the captcha was verified.
+        session["captcha_verified"] = int(time.time())
+
+        # Redirect to the normal OAuth flow again, so that the user can now create an account.
+        csrf_token = generate_csrf_token(OAUTH_CSRF_TOKEN_NAME)
+        login_scopes = login_service.get_login_scopes()
+        auth_url = login_service.get_auth_url(
+            url_scheme_and_hostname, "", csrf_token, login_scopes
+        )
+        return redirect(auth_url)
+
+    @require_session_login
+    @oauthlogin_csrf_protect
+    def cli_token_func():
+        # Check for a callback error.
+        error = request.values.get("error", None)
+        if error:
+            return _render_ologin_error(login_service.service_name(), error)
+
+        # Exchange the OAuth code for the ID token.
+        code = request.values.get("code")
+        try:
+            idtoken, _ = login_service.exchange_code_for_tokens(
+                app.config, client, code, "/cli"
+            )
+        except OAuthLoginException as ole:
+            return _render_ologin_error(login_service.service_name(), str(ole))
+
+        user_obj = get_authenticated_user()
+        return redirect(
+            url_for(
+                "web.user_view", path=user_obj.username, tab="settings", idtoken=idtoken
+            )
+        )
+
+    oauthlogin.add_url_rule(
+        "/%s/callback/captcha" % login_service.service_id(),
+        "%s_oauth_captcha" % login_service.service_id(),
+        captcha_func,
+        methods=["POST"],
+    )
+
+    oauthlogin.add_url_rule(
+        "/%s/callback" % login_service.service_id(),
+        "%s_oauth_callback" % login_service.service_id(),
+        callback_func,
+        methods=["GET", "POST"],
+    )
+
+    oauthlogin.add_url_rule(
+        "/%s/callback/attach" % login_service.service_id(),
+        "%s_oauth_attach" % login_service.service_id(),
+        attach_func,
+        methods=["GET", "POST"],
+    )
+
+    oauthlogin.add_url_rule(
+        "/%s/callback/cli" % login_service.service_id(),
+        "%s_oauth_cli" % login_service.service_id(),
+        cli_token_func,
+        methods=["GET", "POST"],
+    )
 
-  oauthlogin.add_url_rule('/%s/callback/cli' % login_service.service_id(),
-                          '%s_oauth_cli' % login_service.service_id(),
-                          cli_token_func,
-                          methods=['GET', 'POST'])
 
 # Register the routes for each of the login services.
 for current_service in oauth_login.services:
-  _register_service(current_service)
+    _register_service(current_service)
diff --git a/endpoints/oauth/test/test_login.py b/endpoints/oauth/test/test_login.py
index 12a26e7ee..693a8fa4e 100644
--- a/endpoints/oauth/test/test_login.py
+++ b/endpoints/oauth/test/test_login.py
@@ -10,213 +10,269 @@ from test.test_ldap import mock_ldap
 
 from test.fixtures import *
 
-@pytest.fixture(params=[None, 'username', 'email'])
+
+@pytest.fixture(params=[None, "username", "email"])
 def login_service(request, app):
-  config = {'GITHUB': {}}
-  if request is not None:
-    config['GITHUB']['LOGIN_BINDING_FIELD'] = request.param
+    config = {"GITHUB": {}}
+    if request is not None:
+        config["GITHUB"]["LOGIN_BINDING_FIELD"] = request.param
 
-  return GithubOAuthService(config, 'GITHUB')
+    return GithubOAuthService(config, "GITHUB")
 
 
-@pytest.fixture(params=['Database', 'LDAP'])
+@pytest.fixture(params=["Database", "LDAP"])
 def auth_system(request):
-  return _get_users_handler(request.param)
+    return _get_users_handler(request.param)
+
 
 def _get_users_handler(auth_type):
-  config = {}
-  config['AUTHENTICATION_TYPE'] = auth_type
-  config['LDAP_BASE_DN'] = ['dc=quay', 'dc=io']
-  config['LDAP_ADMIN_DN'] = 'uid=testy,ou=employees,dc=quay,dc=io'
-  config['LDAP_ADMIN_PASSWD'] = 'password'
-  config['LDAP_USER_RDN'] = ['ou=employees']
+    config = {}
+    config["AUTHENTICATION_TYPE"] = auth_type
+    config["LDAP_BASE_DN"] = ["dc=quay", "dc=io"]
+    config["LDAP_ADMIN_DN"] = "uid=testy,ou=employees,dc=quay,dc=io"
+    config["LDAP_ADMIN_PASSWD"] = "password"
+    config["LDAP_USER_RDN"] = ["ou=employees"]
+
+    return get_users_handler(config, None, None)
 
-  return get_users_handler(config, None, None)
 
 def test_existing_account(auth_system, login_service):
-  login_service_lid = 'someexternaluser'
+    login_service_lid = "someexternaluser"
 
-  # Create an existing bound federated user.
-  created_user = model.user.create_federated_user('someuser', 'example@example.com',
-                                                  login_service.service_id(),
-                                                  login_service_lid, False)
-  existing_user_count = database.User.select().count()
+    # Create an existing bound federated user.
+    created_user = model.user.create_federated_user(
+        "someuser",
+        "example@example.com",
+        login_service.service_id(),
+        login_service_lid,
+        False,
+    )
+    existing_user_count = database.User.select().count()
 
-  with mock_ldap():
-    result = _conduct_oauth_login(auth_system, login_service,
-                                  login_service_lid, login_service_lid,
-                                  'example@example.com')
+    with mock_ldap():
+        result = _conduct_oauth_login(
+            auth_system,
+            login_service,
+            login_service_lid,
+            login_service_lid,
+            "example@example.com",
+        )
 
-    assert result.user_obj == created_user
+        assert result.user_obj == created_user
 
-    # Ensure that no addtional users were created.
-    current_user_count = database.User.select().count()
-    assert current_user_count == existing_user_count
+        # Ensure that no addtional users were created.
+        current_user_count = database.User.select().count()
+        assert current_user_count == existing_user_count
 
 
 def test_new_account_via_database(login_service):
-  existing_user_count = database.User.select().count()
-  login_service_lid = 'someexternaluser'
-  internal_auth = DatabaseUsers()
+    existing_user_count = database.User.select().count()
+    login_service_lid = "someexternaluser"
+    internal_auth = DatabaseUsers()
 
-  # Conduct login. Since the external user doesn't (yet) bind to a user in the database,
-  # a new user should be created and bound to the external service.
-  result = _conduct_oauth_login(internal_auth, login_service, login_service_lid, login_service_lid,
-                                'example@example.com')
-  assert result.user_obj is not None
-
-  current_user_count = database.User.select().count()
-  assert current_user_count == existing_user_count + 1
-
-  # Find the user and ensure it is bound.
-  new_user = model.user.get_user(login_service_lid)
-  federated_login = model.user.lookup_federated_login(new_user, login_service.service_id())
-  assert federated_login is not None
-
-  # Ensure that a notification was created.
-  assert list(model.notification.list_notifications(result.user_obj,
-                                                    kind_name='password_required'))
-
-@pytest.mark.parametrize('open_creation, invite_only, has_invite, expect_success', [
-  # Open creation -> Success!
-  (True, False, False, True),
-
-  # Open creation + invite only + no invite -> Failure!
-  (True, True, False, False),
-
-  # Open creation + invite only + invite -> Success!
-  (True, True, True, True),
-
-  # Close creation -> Failure!
-  (False, False, False, False),
-])
-def test_flagged_user_creation(open_creation, invite_only, has_invite, expect_success, login_service):
-  login_service_lid = 'someexternaluser'
-  email = 'some@example.com'
-
-  if has_invite:
-    inviter = model.user.get_user('devtable')
-    team = model.team.get_organization_team('buynlarge', 'owners')
-    model.team.add_or_invite_to_team(inviter, team, email=email)
-
-  internal_auth = DatabaseUsers()
-
-  with patch('features.USER_CREATION', open_creation):
-    with patch('features.INVITE_ONLY_USER_CREATION', invite_only):
-      # Conduct login.
-      result = _conduct_oauth_login(internal_auth, login_service, login_service_lid, login_service_lid,
-                                    email)
-      assert (result.user_obj is not None) == expect_success
-      assert (result.error_message is None) == expect_success
-
-@pytest.mark.parametrize('binding_field, lid, lusername, lemail, expected_error', [
-  # No binding field + newly seen user -> New unlinked user
-  (None, 'someid', 'someunknownuser', 'someemail@example.com', None),
-
-  # sub binding field + unknown sub -> Error.
-  ('sub', 'someid', 'someuser', 'foo@bar.com',
-   'sub someid not found in backing auth system'),
-
-  # username binding field + unknown username -> Error.
-  ('username', 'someid', 'someunknownuser', 'foo@bar.com',
-   'username someunknownuser not found in backing auth system'),
-
-  # email binding field + unknown email address -> Error.
-  ('email', 'someid', 'someuser', 'someemail@example.com',
-   'email someemail@example.com not found in backing auth system'),
-
-  # No binding field + newly seen user -> New unlinked user.
-  (None, 'someid', 'someuser', 'foo@bar.com', None),
-
-  # username binding field + valid username -> fully bound user.
-  ('username', 'someid', 'someuser', 'foo@bar.com', None),
-
-  # sub binding field + valid sub -> fully bound user.
-  ('sub', 'someuser', 'someusername', 'foo@bar.com', None),
-
-  # email binding field + valid email -> fully bound user.
-  ('email', 'someid', 'someuser', 'foo@bar.com', None),
-
-  # username binding field + valid username + invalid email -> fully bound user.
-  ('username', 'someid', 'someuser', 'another@email.com', None),
-
-  # email binding field + valid email + invalid username -> fully bound user.
-  ('email', 'someid', 'someotherusername', 'foo@bar.com', None),
-])
-def test_new_account_via_ldap(binding_field, lid, lusername, lemail, expected_error, app):
-  existing_user_count = database.User.select().count()
-
-  config = {'GITHUB': {}}
-  if binding_field is not None:
-    config['GITHUB']['LOGIN_BINDING_FIELD'] = binding_field
-
-  external_auth = GithubOAuthService(config, 'GITHUB')
-  internal_auth = _get_users_handler('LDAP')
-
-  with mock_ldap():
-    # Conduct OAuth login.
-    result = _conduct_oauth_login(internal_auth, external_auth, lid, lusername, lemail)
-    assert result.error_message == expected_error
+    # Conduct login. Since the external user doesn't (yet) bind to a user in the database,
+    # a new user should be created and bound to the external service.
+    result = _conduct_oauth_login(
+        internal_auth,
+        login_service,
+        login_service_lid,
+        login_service_lid,
+        "example@example.com",
+    )
+    assert result.user_obj is not None
 
     current_user_count = database.User.select().count()
-    if expected_error is None:
-      # Ensure that the new user was created and that it is bound to both the
-      # external login service and to LDAP (if a binding_field was given).
-      assert current_user_count == existing_user_count + 1
-      assert result.user_obj is not None
+    assert current_user_count == existing_user_count + 1
 
-      # Check the service bindings.
-      external_login = model.user.lookup_federated_login(result.user_obj,
-                                                         external_auth.service_id())
-      assert external_login is not None
+    # Find the user and ensure it is bound.
+    new_user = model.user.get_user(login_service_lid)
+    federated_login = model.user.lookup_federated_login(
+        new_user, login_service.service_id()
+    )
+    assert federated_login is not None
 
-      internal_login = model.user.lookup_federated_login(result.user_obj,
-                                                         internal_auth.federated_service)
-      if binding_field is not None:
-        assert internal_login is not None
-      else:
-        assert internal_login is None
+    # Ensure that a notification was created.
+    assert list(
+        model.notification.list_notifications(
+            result.user_obj, kind_name="password_required"
+        )
+    )
 
-      # Ensure that no notification was created.
-      assert not list(model.notification.list_notifications(result.user_obj,
-                                                            kind_name='password_required'))
-    else:
-      # Ensure that no addtional users were created.
-      assert current_user_count == existing_user_count
+
+@pytest.mark.parametrize(
+    "open_creation, invite_only, has_invite, expect_success",
+    [
+        # Open creation -> Success!
+        (True, False, False, True),
+        # Open creation + invite only + no invite -> Failure!
+        (True, True, False, False),
+        # Open creation + invite only + invite -> Success!
+        (True, True, True, True),
+        # Close creation -> Failure!
+        (False, False, False, False),
+    ],
+)
+def test_flagged_user_creation(
+    open_creation, invite_only, has_invite, expect_success, login_service
+):
+    login_service_lid = "someexternaluser"
+    email = "some@example.com"
+
+    if has_invite:
+        inviter = model.user.get_user("devtable")
+        team = model.team.get_organization_team("buynlarge", "owners")
+        model.team.add_or_invite_to_team(inviter, team, email=email)
+
+    internal_auth = DatabaseUsers()
+
+    with patch("features.USER_CREATION", open_creation):
+        with patch("features.INVITE_ONLY_USER_CREATION", invite_only):
+            # Conduct login.
+            result = _conduct_oauth_login(
+                internal_auth,
+                login_service,
+                login_service_lid,
+                login_service_lid,
+                email,
+            )
+            assert (result.user_obj is not None) == expect_success
+            assert (result.error_message is None) == expect_success
+
+
+@pytest.mark.parametrize(
+    "binding_field, lid, lusername, lemail, expected_error",
+    [
+        # No binding field + newly seen user -> New unlinked user
+        (None, "someid", "someunknownuser", "someemail@example.com", None),
+        # sub binding field + unknown sub -> Error.
+        (
+            "sub",
+            "someid",
+            "someuser",
+            "foo@bar.com",
+            "sub someid not found in backing auth system",
+        ),
+        # username binding field + unknown username -> Error.
+        (
+            "username",
+            "someid",
+            "someunknownuser",
+            "foo@bar.com",
+            "username someunknownuser not found in backing auth system",
+        ),
+        # email binding field + unknown email address -> Error.
+        (
+            "email",
+            "someid",
+            "someuser",
+            "someemail@example.com",
+            "email someemail@example.com not found in backing auth system",
+        ),
+        # No binding field + newly seen user -> New unlinked user.
+        (None, "someid", "someuser", "foo@bar.com", None),
+        # username binding field + valid username -> fully bound user.
+        ("username", "someid", "someuser", "foo@bar.com", None),
+        # sub binding field + valid sub -> fully bound user.
+        ("sub", "someuser", "someusername", "foo@bar.com", None),
+        # email binding field + valid email -> fully bound user.
+        ("email", "someid", "someuser", "foo@bar.com", None),
+        # username binding field + valid username + invalid email -> fully bound user.
+        ("username", "someid", "someuser", "another@email.com", None),
+        # email binding field + valid email + invalid username -> fully bound user.
+        ("email", "someid", "someotherusername", "foo@bar.com", None),
+    ],
+)
+def test_new_account_via_ldap(
+    binding_field, lid, lusername, lemail, expected_error, app
+):
+    existing_user_count = database.User.select().count()
+
+    config = {"GITHUB": {}}
+    if binding_field is not None:
+        config["GITHUB"]["LOGIN_BINDING_FIELD"] = binding_field
+
+    external_auth = GithubOAuthService(config, "GITHUB")
+    internal_auth = _get_users_handler("LDAP")
+
+    with mock_ldap():
+        # Conduct OAuth login.
+        result = _conduct_oauth_login(
+            internal_auth, external_auth, lid, lusername, lemail
+        )
+        assert result.error_message == expected_error
+
+        current_user_count = database.User.select().count()
+        if expected_error is None:
+            # Ensure that the new user was created and that it is bound to both the
+            # external login service and to LDAP (if a binding_field was given).
+            assert current_user_count == existing_user_count + 1
+            assert result.user_obj is not None
+
+            # Check the service bindings.
+            external_login = model.user.lookup_federated_login(
+                result.user_obj, external_auth.service_id()
+            )
+            assert external_login is not None
+
+            internal_login = model.user.lookup_federated_login(
+                result.user_obj, internal_auth.federated_service
+            )
+            if binding_field is not None:
+                assert internal_login is not None
+            else:
+                assert internal_login is None
+
+            # Ensure that no notification was created.
+            assert not list(
+                model.notification.list_notifications(
+                    result.user_obj, kind_name="password_required"
+                )
+            )
+        else:
+            # Ensure that no addtional users were created.
+            assert current_user_count == existing_user_count
 
 
 def test_existing_account_in_ldap(app):
-  config = {'GITHUB': {'LOGIN_BINDING_FIELD': 'username'}}
+    config = {"GITHUB": {"LOGIN_BINDING_FIELD": "username"}}
 
-  external_auth = GithubOAuthService(config, 'GITHUB')
-  internal_auth = _get_users_handler('LDAP')
+    external_auth = GithubOAuthService(config, "GITHUB")
+    internal_auth = _get_users_handler("LDAP")
 
-  # Add an existing federated user bound to the LDAP account associated with `someuser`.
-  bound_user = model.user.create_federated_user('someuser', 'foo@bar.com',
-                                                internal_auth.federated_service, 'someuser', False)
+    # Add an existing federated user bound to the LDAP account associated with `someuser`.
+    bound_user = model.user.create_federated_user(
+        "someuser", "foo@bar.com", internal_auth.federated_service, "someuser", False
+    )
 
-  existing_user_count = database.User.select().count()
+    existing_user_count = database.User.select().count()
 
-  with mock_ldap():
-    # Conduct OAuth login with the same lid and bound field. This should find the existing LDAP
-    # user (via the `username` binding), and then bind Github to it as well.
-    result = _conduct_oauth_login(internal_auth, external_auth, bound_user.username,
-                                  bound_user.username, bound_user.email)
-    assert result.error_message is None
+    with mock_ldap():
+        # Conduct OAuth login with the same lid and bound field. This should find the existing LDAP
+        # user (via the `username` binding), and then bind Github to it as well.
+        result = _conduct_oauth_login(
+            internal_auth,
+            external_auth,
+            bound_user.username,
+            bound_user.username,
+            bound_user.email,
+        )
+        assert result.error_message is None
 
-    # Ensure that the same user was returned, and that it is now bound to the Github account
-    # as well.
-    assert result.user_obj.id == bound_user.id
+        # Ensure that the same user was returned, and that it is now bound to the Github account
+        # as well.
+        assert result.user_obj.id == bound_user.id
 
-    # Ensure that no additional users were created.
-    current_user_count = database.User.select().count()
-    assert current_user_count == existing_user_count
+        # Ensure that no additional users were created.
+        current_user_count = database.User.select().count()
+        assert current_user_count == existing_user_count
 
-    # Check the service bindings.
-    external_login = model.user.lookup_federated_login(result.user_obj,
-                                                       external_auth.service_id())
-    assert external_login is not None
+        # Check the service bindings.
+        external_login = model.user.lookup_federated_login(
+            result.user_obj, external_auth.service_id()
+        )
+        assert external_login is not None
 
-    internal_login = model.user.lookup_federated_login(result.user_obj,
-                                                       internal_auth.federated_service)
-    assert internal_login is not None
+        internal_login = model.user.lookup_federated_login(
+            result.user_obj, internal_auth.federated_service
+        )
+        assert internal_login is not None
diff --git a/endpoints/realtime.py b/endpoints/realtime.py
index 9112b8146..e61a59024 100644
--- a/endpoints/realtime.py
+++ b/endpoints/realtime.py
@@ -12,13 +12,13 @@ from data.userevent import CannotReadUserEventsException
 logger = logging.getLogger(__name__)
 
 
-realtime = Blueprint('realtime', __name__)
+realtime = Blueprint("realtime", __name__)
 
 
 @realtime.route("/user/")
 @require_session_login
 def index():
-  debug_template = """
+    debug_template = """
     <html>
       <head>
       </head>
@@ -39,45 +39,46 @@ def index():
       </body>
     </html>
     """
-  return(debug_template)
+    return debug_template
 
 
 @realtime.route("/user/test")
 @require_session_login
 def user_test():
-  evt = userevents.get_event(current_user.db_user().username)
-  evt.publish_event_data('test', {'foo': 2})
-  return 'OK'
+    evt = userevents.get_event(current_user.db_user().username)
+    evt.publish_event_data("test", {"foo": 2})
+    return "OK"
+
 
 @realtime.route("/user/subscribe")
 @require_session_login
 def user_subscribe():
-  def wrapper(listener):
-    logger.debug('Beginning streaming of user events')
+    def wrapper(listener):
+        logger.debug("Beginning streaming of user events")
+        try:
+            yield "data: %s\n\n" % json.dumps({})
+
+            for event_id, data in listener.event_stream():
+                message = {"event": event_id, "data": data}
+                json_string = json.dumps(message)
+                yield "data: %s\n\n" % json_string
+        finally:
+            logger.debug("Closing listener due to exception")
+            listener.stop()
+
+    events = request.args.get("events", "").split(",")
+    if not events:
+        abort(404)
+
     try:
-      yield 'data: %s\n\n' % json.dumps({})
+        listener = userevents.get_listener(current_user.db_user().username, events)
+    except CannotReadUserEventsException:
+        abort(504)
 
-      for event_id, data in listener.event_stream():
-        message = {'event': event_id, 'data': data}
-        json_string = json.dumps(message)
-        yield 'data: %s\n\n' % json_string
-    finally:
-      logger.debug('Closing listener due to exception')
-      listener.stop()
+    def on_close():
+        logger.debug("Closing listener due to response close")
+        listener.stop()
 
-  events = request.args.get('events', '').split(',')
-  if not events:
-    abort(404)
-
-  try:
-    listener = userevents.get_listener(current_user.db_user().username, events)
-  except CannotReadUserEventsException:
-    abort(504)
-
-  def on_close():
-    logger.debug('Closing listener due to response close')
-    listener.stop()
-
-  r = Response(wrapper(listener), mimetype="text/event-stream")
-  r.call_on_close(on_close)
-  return r
+    r = Response(wrapper(listener), mimetype="text/event-stream")
+    r.call_on_close(on_close)
+    return r
diff --git a/endpoints/secscan.py b/endpoints/secscan.py
index 1f49bf23c..395949b89 100644
--- a/endpoints/secscan.py
+++ b/endpoints/secscan.py
@@ -8,26 +8,27 @@ from flask import request, make_response, Blueprint, abort
 from endpoints.decorators import route_show_if, anon_allowed
 
 logger = logging.getLogger(__name__)
-secscan = Blueprint('secscan', __name__)
+secscan = Blueprint("secscan", __name__)
+
 
 @route_show_if(features.SECURITY_SCANNER)
-@secscan.route('/notify', methods=['POST'])
+@secscan.route("/notify", methods=["POST"])
 def secscan_notification():
-  data = request.get_json()
-  logger.debug('Got notification from Security Scanner: %s', data)
-  if 'Notification' not in data:
-    abort(400)
+    data = request.get_json()
+    logger.debug("Got notification from Security Scanner: %s", data)
+    if "Notification" not in data:
+        abort(400)
 
-  notification = data['Notification']
-  name = ['named', notification['Name']]
+    notification = data["Notification"]
+    name = ["named", notification["Name"]]
 
-  if not secscan_notification_queue.alive(name):
-    secscan_notification_queue.put(name, json.dumps(notification))
+    if not secscan_notification_queue.alive(name):
+        secscan_notification_queue.put(name, json.dumps(notification))
 
-  return make_response('Okay')
+    return make_response("Okay")
 
 
-@secscan.route('/_internal_ping')
+@secscan.route("/_internal_ping")
 @anon_allowed
 def internal_ping():
-  return make_response('true', 200)
+    return make_response("true", 200)
diff --git a/endpoints/test/shared.py b/endpoints/test/shared.py
index fa6430445..c1c438f73 100644
--- a/endpoints/test/shared.py
+++ b/endpoints/test/shared.py
@@ -8,73 +8,89 @@ from data import model
 from flask import g
 from flask_principal import Identity
 
-CSRF_TOKEN_KEY = '_csrf_token'
+CSRF_TOKEN_KEY = "_csrf_token"
+
 
 @contextmanager
 def client_with_identity(auth_username, client):
-  with client.session_transaction() as sess:
-    if auth_username and auth_username is not None:
-      loaded = model.user.get_user(auth_username)
-      sess['user_id'] = loaded.uuid
-      sess['login_time'] = datetime.datetime.now()
-    else:
-      sess['user_id'] = 'anonymous'
+    with client.session_transaction() as sess:
+        if auth_username and auth_username is not None:
+            loaded = model.user.get_user(auth_username)
+            sess["user_id"] = loaded.uuid
+            sess["login_time"] = datetime.datetime.now()
+        else:
+            sess["user_id"] = "anonymous"
 
-  yield client
+    yield client
 
-  with client.session_transaction() as sess:
-    sess['user_id'] = None
-    sess['login_time'] = None
-    sess[CSRF_TOKEN_KEY] = None
+    with client.session_transaction() as sess:
+        sess["user_id"] = None
+        sess["login_time"] = None
+        sess[CSRF_TOKEN_KEY] = None
 
 
 @contextmanager
 def toggle_feature(name, enabled):
-  """ Context manager which temporarily toggles a feature. """
-  import features
-  previous_value = getattr(features, name)
-  setattr(features, name, enabled)
-  yield
-  setattr(features, name, previous_value)
+    """ Context manager which temporarily toggles a feature. """
+    import features
+
+    previous_value = getattr(features, name)
+    setattr(features, name, enabled)
+    yield
+    setattr(features, name, previous_value)
 
 
 def add_csrf_param(client, params):
-  """ Returns a params dict with the CSRF parameter added. """
-  params = params or {}
+    """ Returns a params dict with the CSRF parameter added. """
+    params = params or {}
 
-  with client.session_transaction() as sess:
-    params[CSRF_TOKEN_KEY] = 'sometoken'
-    sess[CSRF_TOKEN_KEY] = 'sometoken'
+    with client.session_transaction() as sess:
+        params[CSRF_TOKEN_KEY] = "sometoken"
+        sess[CSRF_TOKEN_KEY] = "sometoken"
 
-  return params
+    return params
 
 
 def gen_basic_auth(username, password):
-  """ Generates a basic auth header. """
-  return 'Basic ' + base64.b64encode("%s:%s" % (username, password))
+    """ Generates a basic auth header. """
+    return "Basic " + base64.b64encode("%s:%s" % (username, password))
 
 
-def conduct_call(client, resource, url_for, method, params, body=None, expected_code=200,
-                 headers=None, raw_body=None):
-  """ Conducts a call to a Flask endpoint. """
-  params = add_csrf_param(client, params)
+def conduct_call(
+    client,
+    resource,
+    url_for,
+    method,
+    params,
+    body=None,
+    expected_code=200,
+    headers=None,
+    raw_body=None,
+):
+    """ Conducts a call to a Flask endpoint. """
+    params = add_csrf_param(client, params)
 
-  final_url = url_for(resource, **params)
+    final_url = url_for(resource, **params)
 
-  headers = headers or {}
-  headers.update({"Content-Type": "application/json"})
+    headers = headers or {}
+    headers.update({"Content-Type": "application/json"})
 
-  if body is not None:
-    body = json.dumps(body)
+    if body is not None:
+        body = json.dumps(body)
 
-  if raw_body is not None:
-    body = raw_body
+    if raw_body is not None:
+        body = raw_body
 
-  # Required for anonymous calls to not exception.
-  g.identity = Identity(None, 'none')
+    # Required for anonymous calls to not exception.
+    g.identity = Identity(None, "none")
 
-  rv = client.open(final_url, method=method, data=body, headers=headers)
-  msg = '%s %s: got %s expected: %s | %s' % (method, final_url, rv.status_code, expected_code,
-                                             rv.data)
-  assert rv.status_code == expected_code, msg
-  return rv
+    rv = client.open(final_url, method=method, data=body, headers=headers)
+    msg = "%s %s: got %s expected: %s | %s" % (
+        method,
+        final_url,
+        rv.status_code,
+        expected_code,
+        rv.data,
+    )
+    assert rv.status_code == expected_code, msg
+    return rv
diff --git a/endpoints/test/test_anon_checked.py b/endpoints/test/test_anon_checked.py
index 94cc9b9aa..78556e5df 100644
--- a/endpoints/test/test_anon_checked.py
+++ b/endpoints/test/test_anon_checked.py
@@ -5,23 +5,23 @@ from endpoints.v1 import v1_bp
 from endpoints.v2 import v2_bp
 from endpoints.verbs import verbs
 
-@pytest.mark.parametrize('blueprint', [
-  v2_bp,
-  v1_bp,
-  verbs,
-])
+
+@pytest.mark.parametrize("blueprint", [v2_bp, v1_bp, verbs])
 def test_verify_blueprint(blueprint):
-  class Checker(object):
-    def __init__(self):
-      self.first_registration = True
-      self.app = app
+    class Checker(object):
+        def __init__(self):
+            self.first_registration = True
+            self.app = app
 
-    def add_url_rule(self, rule, endpoint, view_function, methods=None):
-      result = ('__anon_protected' in dir(view_function) or
-                '__anon_allowed' in dir(view_function))
-      error_message = ('Missing anonymous access protection decorator on function ' +
-                       '%s under blueprint %s' % (endpoint, blueprint.name))
-      assert result, error_message
+        def add_url_rule(self, rule, endpoint, view_function, methods=None):
+            result = "__anon_protected" in dir(
+                view_function
+            ) or "__anon_allowed" in dir(view_function)
+            error_message = (
+                "Missing anonymous access protection decorator on function "
+                + "%s under blueprint %s" % (endpoint, blueprint.name)
+            )
+            assert result, error_message
 
-  for deferred_function in blueprint.deferred_functions:
-    deferred_function(Checker())
+    for deferred_function in blueprint.deferred_functions:
+        deferred_function(Checker())
diff --git a/endpoints/test/test_building.py b/endpoints/test/test_building.py
index 222149785..33f7722f8 100644
--- a/endpoints/test/test_building.py
+++ b/endpoints/test/test_building.py
@@ -2,96 +2,103 @@ import pytest
 
 from data import model
 from buildtrigger.triggerutil import raise_if_skipped_build, SkipRequestException
-from endpoints.building import (start_build, PreparedBuild, MaximumBuildsQueuedException,
-                                BuildTriggerDisabledException)
+from endpoints.building import (
+    start_build,
+    PreparedBuild,
+    MaximumBuildsQueuedException,
+    BuildTriggerDisabledException,
+)
 
 from test.fixtures import *
 
+
 def test_maximum_builds(app):
-  # Change the maximum number of builds to 1.
-  user = model.user.create_user('foobar', 'password', 'foo@example.com')
-  user.maximum_queued_builds_count = 1
-  user.save()
+    # Change the maximum number of builds to 1.
+    user = model.user.create_user("foobar", "password", "foo@example.com")
+    user.maximum_queued_builds_count = 1
+    user.save()
 
-  repo = model.repository.create_repository('foobar', 'somerepo', user)
+    repo = model.repository.create_repository("foobar", "somerepo", user)
 
-  # Try to queue a build; should succeed.
-  prepared_build = PreparedBuild()
-  prepared_build.build_name = 'foo'
-  prepared_build.is_manual = True
-  prepared_build.dockerfile_id = 'foobar'
-  prepared_build.archive_url = 'someurl'
-  prepared_build.tags = ['latest']
-  prepared_build.subdirectory = '/'
-  prepared_build.context = '/'
-  prepared_build.metadata = {}
+    # Try to queue a build; should succeed.
+    prepared_build = PreparedBuild()
+    prepared_build.build_name = "foo"
+    prepared_build.is_manual = True
+    prepared_build.dockerfile_id = "foobar"
+    prepared_build.archive_url = "someurl"
+    prepared_build.tags = ["latest"]
+    prepared_build.subdirectory = "/"
+    prepared_build.context = "/"
+    prepared_build.metadata = {}
 
-  start_build(repo, prepared_build)
-
-  # Try to queue a second build; should fail.
-  with pytest.raises(MaximumBuildsQueuedException):
     start_build(repo, prepared_build)
 
+    # Try to queue a second build; should fail.
+    with pytest.raises(MaximumBuildsQueuedException):
+        start_build(repo, prepared_build)
+
 
 def test_start_build_disabled_trigger(app):
-  trigger = model.build.list_build_triggers('devtable', 'building')[0]
-  trigger.enabled = False
-  trigger.save()
+    trigger = model.build.list_build_triggers("devtable", "building")[0]
+    trigger.enabled = False
+    trigger.save()
 
-  build = PreparedBuild(trigger=trigger)
+    build = PreparedBuild(trigger=trigger)
 
-  with pytest.raises(BuildTriggerDisabledException):
-    start_build(trigger.repository, build)
+    with pytest.raises(BuildTriggerDisabledException):
+        start_build(trigger.repository, build)
 
 
-@pytest.mark.parametrize('ref, expected_tags', [
-  ('ref/heads/somebranch', ['somebranch']),
-  ('ref/heads/master', ['master', 'latest']),
-
-  ('ref/tags/somebranch', ['somebranch']),
-  ('ref/tags/master', ['master', 'latest']),
-
-  ('ref/heads/slash/branch', ['slash_branch']),
-  ('ref/tags/slash/tag', ['slash_tag']),
-
-  ('ref/heads/foobar#2', ['foobar_2']),
-])
+@pytest.mark.parametrize(
+    "ref, expected_tags",
+    [
+        ("ref/heads/somebranch", ["somebranch"]),
+        ("ref/heads/master", ["master", "latest"]),
+        ("ref/tags/somebranch", ["somebranch"]),
+        ("ref/tags/master", ["master", "latest"]),
+        ("ref/heads/slash/branch", ["slash_branch"]),
+        ("ref/tags/slash/tag", ["slash_tag"]),
+        ("ref/heads/foobar#2", ["foobar_2"]),
+    ],
+)
 def test_tags_for_ref(ref, expected_tags):
-  prepared = PreparedBuild()
-  prepared.tags_from_ref(ref, default_branch='master')
-  assert set(prepared._tags) == set(expected_tags)
+    prepared = PreparedBuild()
+    prepared.tags_from_ref(ref, default_branch="master")
+    assert set(prepared._tags) == set(expected_tags)
 
 
-@pytest.mark.parametrize('metadata, config', [
-  ({}, {}),
-  pytest.param({'ref': 'ref/heads/master'}, {'branchtag_regex': 'nothing'}, id='branchtag regex'),
-  pytest.param({
-    'ref': 'ref/heads/master',
-    'commit_info': {
-      'message': '[skip build]',
-    },
-  }, {}, id='commit message'),
-])
+@pytest.mark.parametrize(
+    "metadata, config",
+    [
+        ({}, {}),
+        pytest.param(
+            {"ref": "ref/heads/master"},
+            {"branchtag_regex": "nothing"},
+            id="branchtag regex",
+        ),
+        pytest.param(
+            {"ref": "ref/heads/master", "commit_info": {"message": "[skip build]"}},
+            {},
+            id="commit message",
+        ),
+    ],
+)
 def test_skip(metadata, config):
-  prepared = PreparedBuild()
-  prepared.metadata = metadata
-  config = config
+    prepared = PreparedBuild()
+    prepared.metadata = metadata
+    config = config
 
-  with pytest.raises(SkipRequestException):
-    raise_if_skipped_build(prepared, config)
+    with pytest.raises(SkipRequestException):
+        raise_if_skipped_build(prepared, config)
 
 
 def test_does_not_skip():
-  prepared = PreparedBuild()
-  prepared.metadata = {
-    'ref': 'ref/heads/master',
-    'commit_info': {
-      'message': 'some cool message',
-    },
-  }
+    prepared = PreparedBuild()
+    prepared.metadata = {
+        "ref": "ref/heads/master",
+        "commit_info": {"message": "some cool message"},
+    }
 
-  config = {
-    'branchtag_regex': '(master)|(heads/master)',
-  }
+    config = {"branchtag_regex": "(master)|(heads/master)"}
 
-  raise_if_skipped_build(prepared, config)
+    raise_if_skipped_build(prepared, config)
diff --git a/endpoints/test/test_common.py b/endpoints/test/test_common.py
index d99033cde..7e6f01ed4 100644
--- a/endpoints/test/test_common.py
+++ b/endpoints/test/test_common.py
@@ -6,24 +6,25 @@ from endpoints.csrf import QUAY_CSRF_UPDATED_HEADER_NAME
 from test.fixtures import *
 from endpoints.common_models_pre_oci import pre_oci_model as model
 
-@pytest.mark.parametrize('username, expect_success', [
-  # Valid users.
-  ('devtable', True),
-  ('public', True),
 
-  # Org.
-  ('buynlarge', False),
-
-  # Robot.
-  ('devtable+dtrobot', False),
-
-  # Unverified user.
-  ('unverified', False),
-])
+@pytest.mark.parametrize(
+    "username, expect_success",
+    [
+        # Valid users.
+        ("devtable", True),
+        ("public", True),
+        # Org.
+        ("buynlarge", False),
+        # Robot.
+        ("devtable+dtrobot", False),
+        # Unverified user.
+        ("unverified", False),
+    ],
+)
 def test_common_login(username, expect_success, app):
-  uuid = model.get_namespace_uuid(username)
-  with app.app_context():
-    success, headers = common_login(uuid)
-    assert success == expect_success
-    if success:
-      assert QUAY_CSRF_UPDATED_HEADER_NAME in headers
+    uuid = model.get_namespace_uuid(username)
+    with app.app_context():
+        success, headers = common_login(uuid)
+        assert success == expect_success
+        if success:
+            assert QUAY_CSRF_UPDATED_HEADER_NAME in headers
diff --git a/endpoints/test/test_decorators.py b/endpoints/test/test_decorators.py
index e7866e25d..116590d93 100644
--- a/endpoints/test/test_decorators.py
+++ b/endpoints/test/test_decorators.py
@@ -5,31 +5,38 @@ from endpoints.test.shared import conduct_call
 from test.fixtures import *
 
 
-@pytest.mark.parametrize('user_agent, include_header, expected_code', [
-  ('curl/whatever', True, 200),
-  ('curl/whatever', False, 200),
+@pytest.mark.parametrize(
+    "user_agent, include_header, expected_code",
+    [
+        ("curl/whatever", True, 200),
+        ("curl/whatever", False, 200),
+        ("Mozilla/whatever", True, 200),
+        ("Mozilla/5.0", True, 200),
+        ("Mozilla/5.0 (Windows NT 5.1; Win64; x64)", False, 400),
+    ],
+)
+def test_require_xhr_from_browser(
+    user_agent, include_header, expected_code, app, client
+):
+    # Create a public repo with a dot in its name.
+    user = model.user.get_user("devtable")
+    model.repository.create_repository("devtable", "somerepo.bat", user, "public")
 
-  ('Mozilla/whatever', True, 200),
-  ('Mozilla/5.0', True, 200),
-  ('Mozilla/5.0 (Windows NT 5.1; Win64; x64)', False, 400),
-])
-def test_require_xhr_from_browser(user_agent, include_header, expected_code, app, client):
-  # Create a public repo with a dot in its name.
-  user = model.user.get_user('devtable')
-  model.repository.create_repository('devtable', 'somerepo.bat', user, 'public')
+    # Retrieve the repository and ensure we either allow it through or fail, depending on the
+    # user agent and header.
+    params = {"repository": "devtable/somerepo.bat"}
 
-  # Retrieve the repository and ensure we either allow it through or fail, depending on the
-  # user agent and header.
-  params = {
-    'repository': 'devtable/somerepo.bat'
-  }
+    headers = {"User-Agent": user_agent}
 
-  headers = {
-    'User-Agent': user_agent,
-  }
+    if include_header:
+        headers["X-Requested-With"] = "XMLHttpRequest"
 
-  if include_header:
-    headers['X-Requested-With'] = 'XMLHttpRequest'
-
-  conduct_call(client, Repository, api.url_for, 'GET', params, headers=headers,
-               expected_code=expected_code)
+    conduct_call(
+        client,
+        Repository,
+        api.url_for,
+        "GET",
+        params,
+        headers=headers,
+        expected_code=expected_code,
+    )
diff --git a/endpoints/test/test_webhooks.py b/endpoints/test/test_webhooks.py
index 1061f106b..3c74a50ec 100644
--- a/endpoints/test/test_webhooks.py
+++ b/endpoints/test/test_webhooks.py
@@ -7,18 +7,23 @@ from data import model
 from endpoints.test.shared import conduct_call
 from test.fixtures import *
 
+
 def test_start_build_disabled_trigger(app, client):
-  trigger = model.build.list_build_triggers('devtable', 'building')[0]
-  trigger.enabled = False
-  trigger.save()
+    trigger = model.build.list_build_triggers("devtable", "building")[0]
+    trigger.enabled = False
+    trigger.save()
 
-  params = {
-    'trigger_uuid': trigger.uuid,
-  }
+    params = {"trigger_uuid": trigger.uuid}
 
-  headers = {
-    'Authorization': 'Basic ' + base64.b64encode('devtable:password'),
-  }
+    headers = {"Authorization": "Basic " + base64.b64encode("devtable:password")}
 
-  conduct_call(client, 'webhooks.build_trigger_webhook', url_for, 'POST', params, None, 400,
-               headers=headers)
+    conduct_call(
+        client,
+        "webhooks.build_trigger_webhook",
+        url_for,
+        "POST",
+        params,
+        None,
+        400,
+        headers=headers,
+    )
diff --git a/endpoints/v1/__init__.py b/endpoints/v1/__init__.py
index 2248222d2..5aba74d0e 100644
--- a/endpoints/v1/__init__.py
+++ b/endpoints/v1/__init__.py
@@ -12,65 +12,73 @@ from endpoints.decorators import anon_protect, anon_allowed
 from util.metrics.metricqueue import time_blueprint
 from util.http import abort
 
-v1_bp = Blueprint('v1', __name__)
+v1_bp = Blueprint("v1", __name__)
 time_blueprint(v1_bp, metric_queue)
 
 logger = logging.getLogger(__name__)
 
 # Note: This is *not* part of the Docker index spec. This is here for our own health check,
 # since we have nginx handle the _ping below.
-@v1_bp.route('/_internal_ping')
+@v1_bp.route("/_internal_ping")
 @anon_allowed
 def internal_ping():
-  return make_response('true', 200)
+    return make_response("true", 200)
 
 
-@v1_bp.route('/_ping')
+@v1_bp.route("/_ping")
 @anon_allowed
 def ping():
-  # NOTE: any changes made here must also be reflected in the nginx config
-  response = make_response('true', 200)
-  response.headers['X-Docker-Registry-Version'] = '0.6.0'
-  response.headers['X-Docker-Registry-Standalone'] = '0'
-  return response
+    # NOTE: any changes made here must also be reflected in the nginx config
+    response = make_response("true", 200)
+    response.headers["X-Docker-Registry-Version"] = "0.6.0"
+    response.headers["X-Docker-Registry-Standalone"] = "0"
+    return response
 
 
 @v1_bp.app_errorhandler(ReadOnlyModeException)
 def handle_readonly(ex):
-  response = jsonify({'message': 'System is currently read-only. Pulls will succeed but all ' +
-                                 'write operations are currently suspended.',
-                      'is_readonly': True})
-  response.status_code = 503
-  return response
+    response = jsonify(
+        {
+            "message": "System is currently read-only. Pulls will succeed but all "
+            + "write operations are currently suspended.",
+            "is_readonly": True,
+        }
+    )
+    response.status_code = 503
+    return response
 
 
-def check_v1_push_enabled(namespace_name_kwarg='namespace_name'):
-  """ Decorator which checks if V1 push is enabled for the current namespace. The first argument
+def check_v1_push_enabled(namespace_name_kwarg="namespace_name"):
+    """ Decorator which checks if V1 push is enabled for the current namespace. The first argument
       to the wrapped function must be the namespace name or there must be a kwarg with the
       name `namespace_name`.
   """
-  def wrapper(wrapped):
-    @wraps(wrapped)
-    def decorated(*args, **kwargs):
-      if namespace_name_kwarg in kwargs:
-        namespace_name = kwargs[namespace_name_kwarg]
-      else:
-        namespace_name = args[0]
 
-      if features.RESTRICTED_V1_PUSH:
-        whitelist = app.config.get('V1_PUSH_WHITELIST') or []
-        logger.debug('V1 push is restricted to whitelist: %s', whitelist)
-        if namespace_name not in whitelist:
-          abort(405,
-                message=('V1 push support has been deprecated. To enable for this ' +
-                         'namespace, please contact support.'))
+    def wrapper(wrapped):
+        @wraps(wrapped)
+        def decorated(*args, **kwargs):
+            if namespace_name_kwarg in kwargs:
+                namespace_name = kwargs[namespace_name_kwarg]
+            else:
+                namespace_name = args[0]
 
-      return wrapped(*args, **kwargs)
-    return decorated
-  return wrapper
+            if features.RESTRICTED_V1_PUSH:
+                whitelist = app.config.get("V1_PUSH_WHITELIST") or []
+                logger.debug("V1 push is restricted to whitelist: %s", whitelist)
+                if namespace_name not in whitelist:
+                    abort(
+                        405,
+                        message=(
+                            "V1 push support has been deprecated. To enable for this "
+                            + "namespace, please contact support."
+                        ),
+                    )
+
+            return wrapped(*args, **kwargs)
+
+        return decorated
+
+    return wrapper
 
 
-from endpoints.v1 import (
-  index,
-  registry,
-  tag,)
+from endpoints.v1 import index, registry, tag
diff --git a/endpoints/v1/index.py b/endpoints/v1/index.py
index 3030b20e8..2918ce5e8 100644
--- a/endpoints/v1/index.py
+++ b/endpoints/v1/index.py
@@ -11,14 +11,27 @@ from auth.auth_context import get_authenticated_context, get_authenticated_user
 from auth.credentials import validate_credentials, CredentialKind
 from auth.decorators import process_auth
 from auth.permissions import (
-  ModifyRepositoryPermission, UserAdminPermission, ReadRepositoryPermission,
-  CreateRepositoryPermission, repository_read_grant, repository_write_grant)
+    ModifyRepositoryPermission,
+    UserAdminPermission,
+    ReadRepositoryPermission,
+    CreateRepositoryPermission,
+    repository_read_grant,
+    repository_write_grant,
+)
 from auth.signedgrant import generate_signed_token
 from data import model
 from data.registry_model import registry_model
-from data.registry_model.manifestbuilder import create_manifest_builder, lookup_manifest_builder
-from endpoints.decorators import (anon_protect, anon_allowed, parse_repository_name,
-                                  check_repository_state, check_readonly)
+from data.registry_model.manifestbuilder import (
+    create_manifest_builder,
+    lookup_manifest_builder,
+)
+from endpoints.decorators import (
+    anon_protect,
+    anon_allowed,
+    parse_repository_name,
+    check_repository_state,
+    check_readonly,
+)
 from endpoints.v1 import v1_bp, check_v1_push_enabled
 from notifications import spawn_notification
 from util.audit import track_and_log
@@ -29,143 +42,160 @@ logger = logging.getLogger(__name__)
 
 
 class GrantType(object):
-  READ_REPOSITORY = 'read'
-  WRITE_REPOSITORY = 'write'
+    READ_REPOSITORY = "read"
+    WRITE_REPOSITORY = "write"
 
 
 def ensure_namespace_enabled(f):
-  @wraps(f)
-  def wrapper(namespace_name, repo_name, *args, **kwargs):
-    namespace = model.user.get_namespace_user(namespace_name)
-    is_namespace_enabled = namespace is not None and namespace.enabled
-    if not is_namespace_enabled:
-      abort(400, message='Namespace is disabled. Please contact your system administrator.')
-
-    return f(namespace_name, repo_name, *args, **kwargs)
-  return wrapper
-
-
-def generate_headers(scope=GrantType.READ_REPOSITORY, add_grant_for_status=None):
-  def decorator_method(f):
     @wraps(f)
     def wrapper(namespace_name, repo_name, *args, **kwargs):
-      response = f(namespace_name, repo_name, *args, **kwargs)
+        namespace = model.user.get_namespace_user(namespace_name)
+        is_namespace_enabled = namespace is not None and namespace.enabled
+        if not is_namespace_enabled:
+            abort(
+                400,
+                message="Namespace is disabled. Please contact your system administrator.",
+            )
 
-      # Setting session namespace and repository
-      session['namespace'] = namespace_name
-      session['repository'] = repo_name
-
-      # We run our index and registry on the same hosts for now
-      registry_server = urlparse.urlparse(request.url).netloc
-      response.headers['X-Docker-Endpoints'] = registry_server
-
-      has_token_request = request.headers.get('X-Docker-Token', '')
-      force_grant = (add_grant_for_status == response.status_code)
-
-      if has_token_request or force_grant:
-        grants = []
-
-        if scope == GrantType.READ_REPOSITORY:
-          if force_grant or ReadRepositoryPermission(namespace_name, repo_name).can():
-            grants.append(repository_read_grant(namespace_name, repo_name))
-        elif scope == GrantType.WRITE_REPOSITORY:
-          if force_grant or ModifyRepositoryPermission(namespace_name, repo_name).can():
-            grants.append(repository_write_grant(namespace_name, repo_name))
-
-        # Generate a signed token for the user (if any) and the grants (if any)
-        if grants or get_authenticated_user():
-          user_context = get_authenticated_user() and get_authenticated_user().username
-          signature = generate_signed_token(grants, user_context)
-          response.headers['WWW-Authenticate'] = signature
-          response.headers['X-Docker-Token'] = signature
-
-      return response
+        return f(namespace_name, repo_name, *args, **kwargs)
 
     return wrapper
 
-  return decorator_method
+
+def generate_headers(scope=GrantType.READ_REPOSITORY, add_grant_for_status=None):
+    def decorator_method(f):
+        @wraps(f)
+        def wrapper(namespace_name, repo_name, *args, **kwargs):
+            response = f(namespace_name, repo_name, *args, **kwargs)
+
+            # Setting session namespace and repository
+            session["namespace"] = namespace_name
+            session["repository"] = repo_name
+
+            # We run our index and registry on the same hosts for now
+            registry_server = urlparse.urlparse(request.url).netloc
+            response.headers["X-Docker-Endpoints"] = registry_server
+
+            has_token_request = request.headers.get("X-Docker-Token", "")
+            force_grant = add_grant_for_status == response.status_code
+
+            if has_token_request or force_grant:
+                grants = []
+
+                if scope == GrantType.READ_REPOSITORY:
+                    if (
+                        force_grant
+                        or ReadRepositoryPermission(namespace_name, repo_name).can()
+                    ):
+                        grants.append(repository_read_grant(namespace_name, repo_name))
+                elif scope == GrantType.WRITE_REPOSITORY:
+                    if (
+                        force_grant
+                        or ModifyRepositoryPermission(namespace_name, repo_name).can()
+                    ):
+                        grants.append(repository_write_grant(namespace_name, repo_name))
+
+                # Generate a signed token for the user (if any) and the grants (if any)
+                if grants or get_authenticated_user():
+                    user_context = (
+                        get_authenticated_user() and get_authenticated_user().username
+                    )
+                    signature = generate_signed_token(grants, user_context)
+                    response.headers["WWW-Authenticate"] = signature
+                    response.headers["X-Docker-Token"] = signature
+
+            return response
+
+        return wrapper
+
+    return decorator_method
 
 
-@v1_bp.route('/users', methods=['POST'])
-@v1_bp.route('/users/', methods=['POST'])
+@v1_bp.route("/users", methods=["POST"])
+@v1_bp.route("/users/", methods=["POST"])
 @anon_allowed
 @check_readonly
 def create_user():
-  user_data = request.get_json()
-  if not user_data or not 'username' in user_data:
-    abort(400, 'Missing username')
+    user_data = request.get_json()
+    if not user_data or not "username" in user_data:
+        abort(400, "Missing username")
 
-  username = user_data['username']
-  password = user_data.get('password', '')
+    username = user_data["username"]
+    password = user_data.get("password", "")
 
-  # UGH! we have to use this response when the login actually worked, in order
-  # to get the CLI to try again with a get, and then tell us login succeeded.
-  success = make_response('"Username or email already exists"', 400)
-  result, kind = validate_credentials(username, password)
-  if not result.auth_valid:
-    if kind == CredentialKind.token:
-      abort(400, 'Invalid access token.', issue='invalid-access-token')
+    # UGH! we have to use this response when the login actually worked, in order
+    # to get the CLI to try again with a get, and then tell us login succeeded.
+    success = make_response('"Username or email already exists"', 400)
+    result, kind = validate_credentials(username, password)
+    if not result.auth_valid:
+        if kind == CredentialKind.token:
+            abort(400, "Invalid access token.", issue="invalid-access-token")
 
-    if kind == CredentialKind.robot:
-      abort(400, 'Invalid robot account or password.', issue='robot-login-failure')
+        if kind == CredentialKind.robot:
+            abort(
+                400, "Invalid robot account or password.", issue="robot-login-failure"
+            )
 
-    if kind == CredentialKind.oauth_token:
-      abort(400, 'Invalid oauth access token.', issue='invalid-oauth-access-token')
+        if kind == CredentialKind.oauth_token:
+            abort(
+                400, "Invalid oauth access token.", issue="invalid-oauth-access-token"
+            )
 
-    if kind == CredentialKind.user:
-      # Mark that the login failed.
-      event = userevents.get_event(username)
-      event.publish_event_data('docker-cli', {'action': 'loginfailure'})
-      abort(400, result.error_message, issue='login-failure')
+        if kind == CredentialKind.user:
+            # Mark that the login failed.
+            event = userevents.get_event(username)
+            event.publish_event_data("docker-cli", {"action": "loginfailure"})
+            abort(400, result.error_message, issue="login-failure")
 
-    # Default case: Just fail.
-    abort(400, result.error_message, issue='login-failure')
+        # Default case: Just fail.
+        abort(400, result.error_message, issue="login-failure")
 
-  if result.has_nonrobot_user:
-    # Mark that the user was logged in.
-    event = userevents.get_event(username)
-    event.publish_event_data('docker-cli', {'action': 'login'})
+    if result.has_nonrobot_user:
+        # Mark that the user was logged in.
+        event = userevents.get_event(username)
+        event.publish_event_data("docker-cli", {"action": "login"})
 
-  return success
+    return success
 
 
-@v1_bp.route('/users', methods=['GET'])
-@v1_bp.route('/users/', methods=['GET'])
+@v1_bp.route("/users", methods=["GET"])
+@v1_bp.route("/users/", methods=["GET"])
 @process_auth
 @anon_allowed
 def get_user():
-  context = get_authenticated_context()
-  if not context or context.is_anonymous:
-    abort(404)
+    context = get_authenticated_context()
+    if not context or context.is_anonymous:
+        abort(404)
 
-  return jsonify({
-    'username': context.credential_username,
-    'email': None,
-  })
+    return jsonify({"username": context.credential_username, "email": None})
 
 
-@v1_bp.route('/users/<username>/', methods=['PUT'])
+@v1_bp.route("/users/<username>/", methods=["PUT"])
 @process_auth
 @anon_allowed
 @check_readonly
 def update_user(username):
-  permission = UserAdminPermission(username)
-  if permission.can():
-    update_request = request.get_json()
+    permission = UserAdminPermission(username)
+    if permission.can():
+        update_request = request.get_json()
 
-    if 'password' in update_request:
-      logger.debug('Updating user password')
-      model.user.change_password(get_authenticated_user(), update_request['password'])
+        if "password" in update_request:
+            logger.debug("Updating user password")
+            model.user.change_password(
+                get_authenticated_user(), update_request["password"]
+            )
 
-    return jsonify({
-      'username': get_authenticated_user().username,
-      'email': get_authenticated_user().email,
-    })
+        return jsonify(
+            {
+                "username": get_authenticated_user().username,
+                "email": get_authenticated_user().email,
+            }
+        )
 
-  abort(403)
+    abort(403)
 
 
-@v1_bp.route('/repositories/<repopath:repository>/', methods=['PUT'])
+@v1_bp.route("/repositories/<repopath:repository>/", methods=["PUT"])
 @process_auth
 @parse_repository_name()
 @check_v1_push_enabled()
@@ -175,64 +205,89 @@ def update_user(username):
 @anon_allowed
 @check_readonly
 def create_repository(namespace_name, repo_name):
-  # Verify that the repository name is valid.
-  if not REPOSITORY_NAME_REGEX.match(repo_name):
-    abort(400, message='Invalid repository name. Repository names cannot contain slashes.')
+    # Verify that the repository name is valid.
+    if not REPOSITORY_NAME_REGEX.match(repo_name):
+        abort(
+            400,
+            message="Invalid repository name. Repository names cannot contain slashes.",
+        )
 
-  logger.debug('Looking up repository %s/%s', namespace_name, repo_name)
-  repository_ref = registry_model.lookup_repository(namespace_name, repo_name)
-  if repository_ref is None and get_authenticated_user() is None:
-    logger.debug('Attempt to create repository %s/%s without user auth', namespace_name, repo_name)
-    abort(401,
-          message='Cannot create a repository as a guest. Please login via "docker login" first.',
-          issue='no-login')
-  elif repository_ref:
-    modify_perm = ModifyRepositoryPermission(namespace_name, repo_name)
-    if not modify_perm.can():
-      abort(403,
-            message='You do not have permission to modify repository %(namespace)s/%(repository)s',
-            issue='no-repo-write-permission', namespace=namespace_name, repository=repo_name)
-    elif repository_ref.kind != 'image':
-      msg = ('This repository is for managing %s resources and not container images.' %
-             repository_ref.kind)
-      abort(405, message=msg, namespace=namespace_name)
-  else:
-    create_perm = CreateRepositoryPermission(namespace_name)
-    if not create_perm.can():
-      logger.warning('Attempt to create a new repo %s/%s with insufficient perms', namespace_name,
-                     repo_name)
-      msg = 'You do not have permission to create repositories in namespace "%(namespace)s"'
-      abort(403, message=msg, issue='no-create-permission', namespace=namespace_name)
+    logger.debug("Looking up repository %s/%s", namespace_name, repo_name)
+    repository_ref = registry_model.lookup_repository(namespace_name, repo_name)
+    if repository_ref is None and get_authenticated_user() is None:
+        logger.debug(
+            "Attempt to create repository %s/%s without user auth",
+            namespace_name,
+            repo_name,
+        )
+        abort(
+            401,
+            message='Cannot create a repository as a guest. Please login via "docker login" first.',
+            issue="no-login",
+        )
+    elif repository_ref:
+        modify_perm = ModifyRepositoryPermission(namespace_name, repo_name)
+        if not modify_perm.can():
+            abort(
+                403,
+                message="You do not have permission to modify repository %(namespace)s/%(repository)s",
+                issue="no-repo-write-permission",
+                namespace=namespace_name,
+                repository=repo_name,
+            )
+        elif repository_ref.kind != "image":
+            msg = (
+                "This repository is for managing %s resources and not container images."
+                % repository_ref.kind
+            )
+            abort(405, message=msg, namespace=namespace_name)
+    else:
+        create_perm = CreateRepositoryPermission(namespace_name)
+        if not create_perm.can():
+            logger.warning(
+                "Attempt to create a new repo %s/%s with insufficient perms",
+                namespace_name,
+                repo_name,
+            )
+            msg = 'You do not have permission to create repositories in namespace "%(namespace)s"'
+            abort(
+                403, message=msg, issue="no-create-permission", namespace=namespace_name
+            )
 
-    # Attempt to create the new repository.
-    logger.debug('Creating repository %s/%s with owner: %s', namespace_name, repo_name,
-                 get_authenticated_user().username)
+        # Attempt to create the new repository.
+        logger.debug(
+            "Creating repository %s/%s with owner: %s",
+            namespace_name,
+            repo_name,
+            get_authenticated_user().username,
+        )
 
-    repository_ref = model.repository.create_repository(namespace_name, repo_name,
-                                                        get_authenticated_user())
+        repository_ref = model.repository.create_repository(
+            namespace_name, repo_name, get_authenticated_user()
+        )
 
-  if get_authenticated_user():
-    user_event_data = {
-      'action': 'push_start',
-      'repository': repo_name,
-      'namespace': namespace_name,
-    }
+    if get_authenticated_user():
+        user_event_data = {
+            "action": "push_start",
+            "repository": repo_name,
+            "namespace": namespace_name,
+        }
 
-    event = userevents.get_event(get_authenticated_user().username)
-    event.publish_event_data('docker-cli', user_event_data)
+        event = userevents.get_event(get_authenticated_user().username)
+        event.publish_event_data("docker-cli", user_event_data)
 
-  # Start a new builder for the repository and save its ID in the session.
-  assert repository_ref
-  builder = create_manifest_builder(repository_ref, storage, docker_v2_signing_key)
-  logger.debug('Started repo push with manifest builder %s', builder)
-  if builder is None:
-    abort(404, message='Unknown repository', issue='unknown-repo')
+    # Start a new builder for the repository and save its ID in the session.
+    assert repository_ref
+    builder = create_manifest_builder(repository_ref, storage, docker_v2_signing_key)
+    logger.debug("Started repo push with manifest builder %s", builder)
+    if builder is None:
+        abort(404, message="Unknown repository", issue="unknown-repo")
 
-  session['manifest_builder'] = builder.builder_id
-  return make_response('Created', 201)
+    session["manifest_builder"] = builder.builder_id
+    return make_response("Created", 201)
 
 
-@v1_bp.route('/repositories/<repopath:repository>/images', methods=['PUT'])
+@v1_bp.route("/repositories/<repopath:repository>/images", methods=["PUT"])
 @process_auth
 @parse_repository_name()
 @check_v1_push_enabled()
@@ -242,67 +297,78 @@ def create_repository(namespace_name, repo_name):
 @anon_allowed
 @check_readonly
 def update_images(namespace_name, repo_name):
-  permission = ModifyRepositoryPermission(namespace_name, repo_name)
+    permission = ModifyRepositoryPermission(namespace_name, repo_name)
 
-  if permission.can():
-    logger.debug('Looking up repository')
-    repository_ref = registry_model.lookup_repository(namespace_name, repo_name,
-                                                      kind_filter='image')
-    if repository_ref is None:
-      # Make sure the repo actually exists.
-      abort(404, message='Unknown repository', issue='unknown-repo')
+    if permission.can():
+        logger.debug("Looking up repository")
+        repository_ref = registry_model.lookup_repository(
+            namespace_name, repo_name, kind_filter="image"
+        )
+        if repository_ref is None:
+            # Make sure the repo actually exists.
+            abort(404, message="Unknown repository", issue="unknown-repo")
 
-    builder = lookup_manifest_builder(repository_ref, session.get('manifest_builder'), storage,
-                                      docker_v2_signing_key)
-    if builder is None:
-      abort(400)
+        builder = lookup_manifest_builder(
+            repository_ref,
+            session.get("manifest_builder"),
+            storage,
+            docker_v2_signing_key,
+        )
+        if builder is None:
+            abort(400)
 
-    # Generate a job for each notification that has been added to this repo
-    logger.debug('Adding notifications for repository')
-    event_data = {
-      'updated_tags': [tag.name for tag in builder.committed_tags],
-    }
+        # Generate a job for each notification that has been added to this repo
+        logger.debug("Adding notifications for repository")
+        event_data = {"updated_tags": [tag.name for tag in builder.committed_tags]}
 
-    builder.done()
+        builder.done()
 
-    track_and_log('push_repo', repository_ref)
-    spawn_notification(repository_ref, 'repo_push', event_data)
-    metric_queue.repository_push.Inc(labelvalues=[namespace_name, repo_name, 'v1', True])
-    return make_response('Updated', 204)
+        track_and_log("push_repo", repository_ref)
+        spawn_notification(repository_ref, "repo_push", event_data)
+        metric_queue.repository_push.Inc(
+            labelvalues=[namespace_name, repo_name, "v1", True]
+        )
+        return make_response("Updated", 204)
 
-  abort(403)
+    abort(403)
 
 
-@v1_bp.route('/repositories/<repopath:repository>/images', methods=['GET'])
+@v1_bp.route("/repositories/<repopath:repository>/images", methods=["GET"])
 @process_auth
 @parse_repository_name()
 @ensure_namespace_enabled
 @generate_headers(scope=GrantType.READ_REPOSITORY)
 @anon_protect
 def get_repository_images(namespace_name, repo_name):
-  repository_ref = registry_model.lookup_repository(namespace_name, repo_name,
-                                                    kind_filter='image')
+    repository_ref = registry_model.lookup_repository(
+        namespace_name, repo_name, kind_filter="image"
+    )
 
-  permission = ReadRepositoryPermission(namespace_name, repo_name)
-  if permission.can() or (repository_ref and repository_ref.is_public):
-    # We can't rely on permissions to tell us if a repo exists anymore
-    if repository_ref is None:
-      abort(404, message='Unknown repository', issue='unknown-repo')
+    permission = ReadRepositoryPermission(namespace_name, repo_name)
+    if permission.can() or (repository_ref and repository_ref.is_public):
+        # We can't rely on permissions to tell us if a repo exists anymore
+        if repository_ref is None:
+            abort(404, message="Unknown repository", issue="unknown-repo")
 
-    logger.debug('Building repository image response')
-    resp = make_response(json.dumps([]), 200)
-    resp.mimetype = 'application/json'
+        logger.debug("Building repository image response")
+        resp = make_response(json.dumps([]), 200)
+        resp.mimetype = "application/json"
 
-    track_and_log('pull_repo', repository_ref,
-                  analytics_name='pull_repo_100x',
-                  analytics_sample=0.01)
-    metric_queue.repository_pull.Inc(labelvalues=[namespace_name, repo_name, 'v1', True])
-    return resp
+        track_and_log(
+            "pull_repo",
+            repository_ref,
+            analytics_name="pull_repo_100x",
+            analytics_sample=0.01,
+        )
+        metric_queue.repository_pull.Inc(
+            labelvalues=[namespace_name, repo_name, "v1", True]
+        )
+        return resp
 
-  abort(403)
+    abort(403)
 
 
-@v1_bp.route('/repositories/<repopath:repository>/images', methods=['DELETE'])
+@v1_bp.route("/repositories/<repopath:repository>/images", methods=["DELETE"])
 @process_auth
 @parse_repository_name()
 @check_v1_push_enabled()
@@ -312,10 +378,10 @@ def get_repository_images(namespace_name, repo_name):
 @anon_allowed
 @check_readonly
 def delete_repository_images(namespace_name, repo_name):
-  abort(501, 'Not Implemented', issue='not-implemented')
+    abort(501, "Not Implemented", issue="not-implemented")
 
 
-@v1_bp.route('/repositories/<repopath:repository>/auth', methods=['PUT'])
+@v1_bp.route("/repositories/<repopath:repository>/auth", methods=["PUT"])
 @parse_repository_name()
 @check_v1_push_enabled()
 @ensure_namespace_enabled
@@ -323,66 +389,67 @@ def delete_repository_images(namespace_name, repo_name):
 @anon_allowed
 @check_readonly
 def put_repository_auth(namespace_name, repo_name):
-  abort(501, 'Not Implemented', issue='not-implemented')
+    abort(501, "Not Implemented", issue="not-implemented")
 
 
-@v1_bp.route('/search', methods=['GET'])
+@v1_bp.route("/search", methods=["GET"])
 @process_auth
 @anon_protect
 def get_search():
-  query = request.args.get('q') or ''
+    query = request.args.get("q") or ""
 
-  try:
-    limit = min(100, max(1, int(request.args.get('n', 25))))
-  except ValueError:
-    limit = 25
+    try:
+        limit = min(100, max(1, int(request.args.get("n", 25))))
+    except ValueError:
+        limit = 25
 
-  try:
-    page = max(0, int(request.args.get('page', 1)))
-  except ValueError:
-    page = 1
+    try:
+        page = max(0, int(request.args.get("page", 1)))
+    except ValueError:
+        page = 1
 
-  username = None
-  user = get_authenticated_user()
-  if user is not None:
-    username = user.username
+    username = None
+    user = get_authenticated_user()
+    if user is not None:
+        username = user.username
 
-  data = _conduct_repo_search(username, query, limit, page)
-  resp = make_response(json.dumps(data), 200)
-  resp.mimetype = 'application/json'
-  return resp
+    data = _conduct_repo_search(username, query, limit, page)
+    resp = make_response(json.dumps(data), 200)
+    resp.mimetype = "application/json"
+    return resp
 
 
 def _conduct_repo_search(username, query, limit=25, page=1):
-  """ Finds matching repositories. """
-  # Note that we put a maximum limit of five pages here, because this API should only really ever
-  # be used by the Docker CLI, and it doesn't even paginate.
-  page = min(page, 5)
-  offset = (page - 1) * limit
+    """ Finds matching repositories. """
+    # Note that we put a maximum limit of five pages here, because this API should only really ever
+    # be used by the Docker CLI, and it doesn't even paginate.
+    page = min(page, 5)
+    offset = (page - 1) * limit
 
-  if query:
-    matching_repos = model.repository.get_filtered_matching_repositories(query,
-                                                                         filter_username=username,
-                                                                         offset=offset,
-                                                                         limit=limit + 1)
-  else:
-    matching_repos = []
+    if query:
+        matching_repos = model.repository.get_filtered_matching_repositories(
+            query, filter_username=username, offset=offset, limit=limit + 1
+        )
+    else:
+        matching_repos = []
 
-  results = []
-  for repo in matching_repos[0:limit]:
-    results.append({
-      'name': repo.namespace_user.username + '/' + repo.name,
-      'description': repo.description,
-      'is_public': model.repository.is_repository_public(repo),
-      'href': '/repository/' + repo.namespace_user.username + '/' + repo.name
-    })
+    results = []
+    for repo in matching_repos[0:limit]:
+        results.append(
+            {
+                "name": repo.namespace_user.username + "/" + repo.name,
+                "description": repo.description,
+                "is_public": model.repository.is_repository_public(repo),
+                "href": "/repository/" + repo.namespace_user.username + "/" + repo.name,
+            }
+        )
 
-  # Defined: https://docs.docker.com/v1.6/reference/api/registry_api/
-  return {
-    'query': query,
-    'num_results': len(results),
-    'num_pages': page + 1 if len(matching_repos) > limit else page,
-    'page': page,
-    'page_size': limit,
-    'results': results,
-  }
+    # Defined: https://docs.docker.com/v1.6/reference/api/registry_api/
+    return {
+        "query": query,
+        "num_results": len(results),
+        "num_pages": page + 1 if len(matching_repos) > limit else page,
+        "page": page,
+        "page_size": limit,
+        "results": results,
+    }
diff --git a/endpoints/v1/registry.py b/endpoints/v1/registry.py
index 14376cb19..2c6aebceb 100644
--- a/endpoints/v1/registry.py
+++ b/endpoints/v1/registry.py
@@ -5,21 +5,36 @@ from functools import wraps
 from datetime import datetime
 from time import time
 
-from flask import make_response, request, session, Response, redirect, abort as flask_abort
+from flask import (
+    make_response,
+    request,
+    session,
+    Response,
+    redirect,
+    abort as flask_abort,
+)
 
 from app import storage as store, app, docker_v2_signing_key, metric_queue
 from auth.auth_context import get_authenticated_user
 from auth.decorators import extract_namespace_repo_from_session, process_auth
-from auth.permissions import (ReadRepositoryPermission, ModifyRepositoryPermission)
+from auth.permissions import ReadRepositoryPermission, ModifyRepositoryPermission
 from data import database
 from data.registry_model import registry_model
-from data.registry_model.blobuploader import upload_blob, BlobUploadSettings, BlobUploadException
+from data.registry_model.blobuploader import (
+    upload_blob,
+    BlobUploadSettings,
+    BlobUploadException,
+)
 from data.registry_model.manifestbuilder import lookup_manifest_builder
 from digest import checksums
 from endpoints.v1 import v1_bp, check_v1_push_enabled
 from endpoints.v1.index import ensure_namespace_enabled
-from endpoints.decorators import (anon_protect, check_region_blacklisted, check_repository_state,
-                                  check_readonly)
+from endpoints.decorators import (
+    anon_protect,
+    check_region_blacklisted,
+    check_repository_state,
+    check_readonly,
+)
 from util.http import abort, exact_abort
 from util.registry.replication import queue_storage_replication
 from util.request import get_request_ip
@@ -28,47 +43,54 @@ logger = logging.getLogger(__name__)
 
 
 def require_completion(f):
-  """ This make sure that the image push correctly finished. """
-  @wraps(f)
-  def wrapper(namespace, repository, *args, **kwargs):
-    image_id = kwargs['image_id']
-    repository_ref = registry_model.lookup_repository(namespace, repository)
-    if repository_ref is not None:
-      legacy_image = registry_model.get_legacy_image(repository_ref, image_id)
-      if legacy_image is not None and legacy_image.uploading:
-        abort(400, 'Image %(image_id)s is being uploaded, retry later', issue='upload-in-progress',
-              image_id=image_id)
+    """ This make sure that the image push correctly finished. """
 
-    return f(namespace, repository, *args, **kwargs)
-  return wrapper
+    @wraps(f)
+    def wrapper(namespace, repository, *args, **kwargs):
+        image_id = kwargs["image_id"]
+        repository_ref = registry_model.lookup_repository(namespace, repository)
+        if repository_ref is not None:
+            legacy_image = registry_model.get_legacy_image(repository_ref, image_id)
+            if legacy_image is not None and legacy_image.uploading:
+                abort(
+                    400,
+                    "Image %(image_id)s is being uploaded, retry later",
+                    issue="upload-in-progress",
+                    image_id=image_id,
+                )
+
+        return f(namespace, repository, *args, **kwargs)
+
+    return wrapper
 
 
 def set_cache_headers(f):
-  """Returns HTTP headers suitable for caching."""
+    """Returns HTTP headers suitable for caching."""
 
-  @wraps(f)
-  def wrapper(*args, **kwargs):
-    # Set TTL to 1 year by default
-    ttl = 31536000
-    expires = datetime.fromtimestamp(int(time()) + ttl)
-    expires = expires.strftime('%a, %d %b %Y %H:%M:%S GMT')
-    headers = {
-      'Cache-Control': 'public, max-age={0}'.format(ttl),
-      'Expires': expires,
-      'Last-Modified': 'Thu, 01 Jan 1970 00:00:00 GMT',}
-    if 'If-Modified-Since' in request.headers:
-      response = make_response('Not modified', 304)
-      response.headers.extend(headers)
-      return response
-    kwargs['headers'] = headers
-    # Prevent the Cookie to be sent when the object is cacheable
-    session.modified = False
-    return f(*args, **kwargs)
+    @wraps(f)
+    def wrapper(*args, **kwargs):
+        # Set TTL to 1 year by default
+        ttl = 31536000
+        expires = datetime.fromtimestamp(int(time()) + ttl)
+        expires = expires.strftime("%a, %d %b %Y %H:%M:%S GMT")
+        headers = {
+            "Cache-Control": "public, max-age={0}".format(ttl),
+            "Expires": expires,
+            "Last-Modified": "Thu, 01 Jan 1970 00:00:00 GMT",
+        }
+        if "If-Modified-Since" in request.headers:
+            response = make_response("Not modified", 304)
+            response.headers.extend(headers)
+            return response
+        kwargs["headers"] = headers
+        # Prevent the Cookie to be sent when the object is cacheable
+        session.modified = False
+        return f(*args, **kwargs)
 
-  return wrapper
+    return wrapper
 
 
-@v1_bp.route('/images/<image_id>/layer', methods=['HEAD'])
+@v1_bp.route("/images/<image_id>/layer", methods=["HEAD"])
 @process_auth
 @extract_namespace_repo_from_session
 @ensure_namespace_enabled
@@ -76,36 +98,45 @@ def set_cache_headers(f):
 @set_cache_headers
 @anon_protect
 def head_image_layer(namespace, repository, image_id, headers):
-  permission = ReadRepositoryPermission(namespace, repository)
-  repository_ref = registry_model.lookup_repository(namespace, repository, kind_filter='image')
+    permission = ReadRepositoryPermission(namespace, repository)
+    repository_ref = registry_model.lookup_repository(
+        namespace, repository, kind_filter="image"
+    )
 
-  logger.debug('Checking repo permissions')
-  if permission.can() or (repository_ref is not None and repository_ref.is_public):
-    if repository_ref is None:
-      abort(404)
+    logger.debug("Checking repo permissions")
+    if permission.can() or (repository_ref is not None and repository_ref.is_public):
+        if repository_ref is None:
+            abort(404)
 
-    logger.debug('Looking up placement locations')
-    legacy_image = registry_model.get_legacy_image(repository_ref, image_id, include_blob=True)
-    if legacy_image is None:
-      logger.debug('Could not find any blob placement locations')
-      abort(404, 'Image %(image_id)s not found', issue='unknown-image', image_id=image_id)
+        logger.debug("Looking up placement locations")
+        legacy_image = registry_model.get_legacy_image(
+            repository_ref, image_id, include_blob=True
+        )
+        if legacy_image is None:
+            logger.debug("Could not find any blob placement locations")
+            abort(
+                404,
+                "Image %(image_id)s not found",
+                issue="unknown-image",
+                image_id=image_id,
+            )
 
-    # Add the Accept-Ranges header if the storage engine supports resumable
-    # downloads.
-    extra_headers = {}
-    if store.get_supports_resumable_downloads(legacy_image.blob.placements):
-      logger.debug('Storage supports resumable downloads')
-      extra_headers['Accept-Ranges'] = 'bytes'
+        # Add the Accept-Ranges header if the storage engine supports resumable
+        # downloads.
+        extra_headers = {}
+        if store.get_supports_resumable_downloads(legacy_image.blob.placements):
+            logger.debug("Storage supports resumable downloads")
+            extra_headers["Accept-Ranges"] = "bytes"
 
-    resp = make_response('')
-    resp.headers.extend(headers)
-    resp.headers.extend(extra_headers)
-    return resp
+        resp = make_response("")
+        resp.headers.extend(headers)
+        resp.headers.extend(extra_headers)
+        return resp
 
-  abort(403)
+    abort(403)
 
 
-@v1_bp.route('/images/<image_id>/layer', methods=['GET'])
+@v1_bp.route("/images/<image_id>/layer", methods=["GET"])
 @process_auth
 @extract_namespace_repo_from_session
 @ensure_namespace_enabled
@@ -114,42 +145,61 @@ def head_image_layer(namespace, repository, image_id, headers):
 @check_region_blacklisted()
 @anon_protect
 def get_image_layer(namespace, repository, image_id, headers):
-  permission = ReadRepositoryPermission(namespace, repository)
-  repository_ref = registry_model.lookup_repository(namespace, repository, kind_filter='image')
+    permission = ReadRepositoryPermission(namespace, repository)
+    repository_ref = registry_model.lookup_repository(
+        namespace, repository, kind_filter="image"
+    )
 
-  logger.debug('Checking repo permissions')
-  if permission.can() or (repository_ref is not None and repository_ref.is_public):
-    if repository_ref is None:
-      abort(404)
+    logger.debug("Checking repo permissions")
+    if permission.can() or (repository_ref is not None and repository_ref.is_public):
+        if repository_ref is None:
+            abort(404)
 
-    legacy_image = registry_model.get_legacy_image(repository_ref, image_id, include_blob=True)
-    if legacy_image is None:
-      abort(404, 'Image %(image_id)s not found', issue='unknown-image', image_id=image_id)
+        legacy_image = registry_model.get_legacy_image(
+            repository_ref, image_id, include_blob=True
+        )
+        if legacy_image is None:
+            abort(
+                404,
+                "Image %(image_id)s not found",
+                issue="unknown-image",
+                image_id=image_id,
+            )
 
-    path = legacy_image.blob.storage_path
-    metric_queue.pull_byte_count.Inc(legacy_image.blob.compressed_size, labelvalues=['v1'])
+        path = legacy_image.blob.storage_path
+        metric_queue.pull_byte_count.Inc(
+            legacy_image.blob.compressed_size, labelvalues=["v1"]
+        )
 
-    try:
-      logger.debug('Looking up the direct download URL for path: %s', path)
-      direct_download_url = store.get_direct_download_url(legacy_image.blob.placements, path,
-                                                          get_request_ip())
-      if direct_download_url:
-        logger.debug('Returning direct download URL')
-        resp = redirect(direct_download_url)
-        return resp
+        try:
+            logger.debug("Looking up the direct download URL for path: %s", path)
+            direct_download_url = store.get_direct_download_url(
+                legacy_image.blob.placements, path, get_request_ip()
+            )
+            if direct_download_url:
+                logger.debug("Returning direct download URL")
+                resp = redirect(direct_download_url)
+                return resp
 
-      # Close the database handle here for this process before we send the long download.
-      database.close_db_filter(None)
-      logger.debug('Streaming layer data')
-      return Response(store.stream_read(legacy_image.blob.placements, path), headers=headers)
-    except (IOError, AttributeError):
-      logger.exception('Image layer data not found')
-      abort(404, 'Image %(image_id)s not found', issue='unknown-image', image_id=image_id)
+            # Close the database handle here for this process before we send the long download.
+            database.close_db_filter(None)
+            logger.debug("Streaming layer data")
+            return Response(
+                store.stream_read(legacy_image.blob.placements, path), headers=headers
+            )
+        except (IOError, AttributeError):
+            logger.exception("Image layer data not found")
+            abort(
+                404,
+                "Image %(image_id)s not found",
+                issue="unknown-image",
+                image_id=image_id,
+            )
 
-  abort(403)
+    abort(403)
 
 
-@v1_bp.route('/images/<image_id>/layer', methods=['PUT'])
+@v1_bp.route("/images/<image_id>/layer", methods=["PUT"])
 @process_auth
 @extract_namespace_repo_from_session
 @check_v1_push_enabled()
@@ -158,93 +208,110 @@ def get_image_layer(namespace, repository, image_id, headers):
 @anon_protect
 @check_readonly
 def put_image_layer(namespace, repository, image_id):
-  logger.debug('Checking repo permissions')
-  permission = ModifyRepositoryPermission(namespace, repository)
-  if not permission.can():
-    abort(403)
+    logger.debug("Checking repo permissions")
+    permission = ModifyRepositoryPermission(namespace, repository)
+    if not permission.can():
+        abort(403)
 
-  repository_ref = registry_model.lookup_repository(namespace, repository, kind_filter='image')
-  if repository_ref is None:
-    abort(403)
+    repository_ref = registry_model.lookup_repository(
+        namespace, repository, kind_filter="image"
+    )
+    if repository_ref is None:
+        abort(403)
 
-  logger.debug('Checking for image in manifest builder')
-  builder = lookup_manifest_builder(repository_ref, session.get('manifest_builder'), store,
-                                    docker_v2_signing_key)
-  if builder is None:
-    abort(400)
+    logger.debug("Checking for image in manifest builder")
+    builder = lookup_manifest_builder(
+        repository_ref, session.get("manifest_builder"), store, docker_v2_signing_key
+    )
+    if builder is None:
+        abort(400)
 
-  layer = builder.lookup_layer(image_id)
-  if layer is None:
-    abort(404)
+    layer = builder.lookup_layer(image_id)
+    if layer is None:
+        abort(404)
 
-  logger.debug('Storing layer data')
-  input_stream = request.stream
-  if request.headers.get('transfer-encoding') == 'chunked':
-    # Careful, might work only with WSGI servers supporting chunked
-    # encoding (Gunicorn)
-    input_stream = request.environ['wsgi.input']
+    logger.debug("Storing layer data")
+    input_stream = request.stream
+    if request.headers.get("transfer-encoding") == "chunked":
+        # Careful, might work only with WSGI servers supporting chunked
+        # encoding (Gunicorn)
+        input_stream = request.environ["wsgi.input"]
 
-  expiration_sec = app.config['PUSH_TEMP_TAG_EXPIRATION_SEC']
-  settings = BlobUploadSettings(maximum_blob_size=app.config['MAXIMUM_LAYER_SIZE'],
-                                bittorrent_piece_size=app.config['BITTORRENT_PIECE_SIZE'],
-                                committed_blob_expiration=expiration_sec)
+    expiration_sec = app.config["PUSH_TEMP_TAG_EXPIRATION_SEC"]
+    settings = BlobUploadSettings(
+        maximum_blob_size=app.config["MAXIMUM_LAYER_SIZE"],
+        bittorrent_piece_size=app.config["BITTORRENT_PIECE_SIZE"],
+        committed_blob_expiration=expiration_sec,
+    )
 
-  extra_handlers = []
+    extra_handlers = []
 
-  # Add a handler that copies the data into a temp file. This is used to calculate the tarsum,
-  # which is only needed for older versions of Docker.
-  requires_tarsum = bool(builder.get_layer_checksums(layer))
-  if requires_tarsum:
-    tmp, tmp_hndlr = store.temp_store_handler()
-    extra_handlers.append(tmp_hndlr)
-
-  # Add a handler which computes the simple Docker V1 checksum.
-  h, sum_hndlr = checksums.simple_checksum_handler(layer.v1_metadata_string)
-  extra_handlers.append(sum_hndlr)
-
-  uploaded_blob = None
-  try:
-    with upload_blob(repository_ref, store, settings,
-                     extra_blob_stream_handlers=extra_handlers) as manager:
-      manager.upload_chunk(app.config, input_stream)
-      uploaded_blob = manager.commit_to_blob(app.config)
-  except BlobUploadException:
-    logger.exception('Exception when writing image data')
-    abort(520, 'Image %(image_id)s could not be written. Please try again.', image_id=image_id)
-
-  # Compute the final checksum
-  csums = []
-  csums.append('sha256:{0}'.format(h.hexdigest()))
-
-  try:
+    # Add a handler that copies the data into a temp file. This is used to calculate the tarsum,
+    # which is only needed for older versions of Docker.
+    requires_tarsum = bool(builder.get_layer_checksums(layer))
     if requires_tarsum:
-      tmp.seek(0)
-      csums.append(checksums.compute_tarsum(tmp, layer.v1_metadata_string))
-      tmp.close()
-  except (IOError, checksums.TarError) as exc:
-    logger.debug('put_image_layer: Error when computing tarsum %s', exc)
+        tmp, tmp_hndlr = store.temp_store_handler()
+        extra_handlers.append(tmp_hndlr)
 
-  # If there was already a precomputed checksum, validate against it now.
-  if builder.get_layer_checksums(layer):
-    checksum = builder.get_layer_checksums(layer)[0]
-    if not builder.validate_layer_checksum(layer, checksum):
-      logger.debug('put_image_checksum: Wrong checksum. Given: %s and expected: %s', checksum,
-                   builder.get_layer_checksums(layer))
-      abort(400, 'Checksum mismatch for image: %(image_id)s', issue='checksum-mismatch',
-            image_id=image_id)
+    # Add a handler which computes the simple Docker V1 checksum.
+    h, sum_hndlr = checksums.simple_checksum_handler(layer.v1_metadata_string)
+    extra_handlers.append(sum_hndlr)
 
-  # Assign the blob to the layer in the manifest.
-  if not builder.assign_layer_blob(layer, uploaded_blob, csums):
-    abort(500, 'Something went wrong')
+    uploaded_blob = None
+    try:
+        with upload_blob(
+            repository_ref, store, settings, extra_blob_stream_handlers=extra_handlers
+        ) as manager:
+            manager.upload_chunk(app.config, input_stream)
+            uploaded_blob = manager.commit_to_blob(app.config)
+    except BlobUploadException:
+        logger.exception("Exception when writing image data")
+        abort(
+            520,
+            "Image %(image_id)s could not be written. Please try again.",
+            image_id=image_id,
+        )
 
-  # Send a job to the work queue to replicate the image layer.
-  # TODO: move this into a better place.
-  queue_storage_replication(namespace, uploaded_blob)
+    # Compute the final checksum
+    csums = []
+    csums.append("sha256:{0}".format(h.hexdigest()))
 
-  return make_response('true', 200)
+    try:
+        if requires_tarsum:
+            tmp.seek(0)
+            csums.append(checksums.compute_tarsum(tmp, layer.v1_metadata_string))
+            tmp.close()
+    except (IOError, checksums.TarError) as exc:
+        logger.debug("put_image_layer: Error when computing tarsum %s", exc)
+
+    # If there was already a precomputed checksum, validate against it now.
+    if builder.get_layer_checksums(layer):
+        checksum = builder.get_layer_checksums(layer)[0]
+        if not builder.validate_layer_checksum(layer, checksum):
+            logger.debug(
+                "put_image_checksum: Wrong checksum. Given: %s and expected: %s",
+                checksum,
+                builder.get_layer_checksums(layer),
+            )
+            abort(
+                400,
+                "Checksum mismatch for image: %(image_id)s",
+                issue="checksum-mismatch",
+                image_id=image_id,
+            )
+
+    # Assign the blob to the layer in the manifest.
+    if not builder.assign_layer_blob(layer, uploaded_blob, csums):
+        abort(500, "Something went wrong")
+
+    # Send a job to the work queue to replicate the image layer.
+    # TODO: move this into a better place.
+    queue_storage_replication(namespace, uploaded_blob)
+
+    return make_response("true", 200)
 
 
-@v1_bp.route('/images/<image_id>/checksum', methods=['PUT'])
+@v1_bp.route("/images/<image_id>/checksum", methods=["PUT"])
 @process_auth
 @extract_namespace_repo_from_session
 @check_v1_push_enabled()
@@ -253,50 +320,64 @@ def put_image_layer(namespace, repository, image_id):
 @anon_protect
 @check_readonly
 def put_image_checksum(namespace, repository, image_id):
-  logger.debug('Checking repo permissions')
-  permission = ModifyRepositoryPermission(namespace, repository)
-  if not permission.can():
-    abort(403)
+    logger.debug("Checking repo permissions")
+    permission = ModifyRepositoryPermission(namespace, repository)
+    if not permission.can():
+        abort(403)
 
-  repository_ref = registry_model.lookup_repository(namespace, repository, kind_filter='image')
-  if repository_ref is None:
-    abort(403)
+    repository_ref = registry_model.lookup_repository(
+        namespace, repository, kind_filter="image"
+    )
+    if repository_ref is None:
+        abort(403)
 
-  # Docker Version < 0.10 (tarsum+sha):
-  old_checksum = request.headers.get('X-Docker-Checksum')
+    # Docker Version < 0.10 (tarsum+sha):
+    old_checksum = request.headers.get("X-Docker-Checksum")
 
-  # Docker Version >= 0.10 (sha):
-  new_checksum = request.headers.get('X-Docker-Checksum-Payload')
+    # Docker Version >= 0.10 (sha):
+    new_checksum = request.headers.get("X-Docker-Checksum-Payload")
 
-  checksum = new_checksum or old_checksum
-  if not checksum:
-    abort(400, "Missing checksum for image %(image_id)s", issue='missing-checksum',
-          image_id=image_id)
+    checksum = new_checksum or old_checksum
+    if not checksum:
+        abort(
+            400,
+            "Missing checksum for image %(image_id)s",
+            issue="missing-checksum",
+            image_id=image_id,
+        )
 
-  logger.debug('Checking for image in manifest builder')
-  builder = lookup_manifest_builder(repository_ref, session.get('manifest_builder'), store,
-                                    docker_v2_signing_key)
-  if builder is None:
-    abort(400)
+    logger.debug("Checking for image in manifest builder")
+    builder = lookup_manifest_builder(
+        repository_ref, session.get("manifest_builder"), store, docker_v2_signing_key
+    )
+    if builder is None:
+        abort(400)
 
-  layer = builder.lookup_layer(image_id)
-  if layer is None:
-    abort(404)
+    layer = builder.lookup_layer(image_id)
+    if layer is None:
+        abort(404)
 
-  if old_checksum:
-    builder.save_precomputed_checksum(layer, checksum)
-    return make_response('true', 200)
+    if old_checksum:
+        builder.save_precomputed_checksum(layer, checksum)
+        return make_response("true", 200)
 
-  if not builder.validate_layer_checksum(layer, checksum):
-    logger.debug('put_image_checksum: Wrong checksum. Given: %s and expected: %s', checksum,
-                 builder.get_layer_checksums(layer))
-    abort(400, 'Checksum mismatch for image: %(image_id)s', issue='checksum-mismatch',
-          image_id=image_id)
+    if not builder.validate_layer_checksum(layer, checksum):
+        logger.debug(
+            "put_image_checksum: Wrong checksum. Given: %s and expected: %s",
+            checksum,
+            builder.get_layer_checksums(layer),
+        )
+        abort(
+            400,
+            "Checksum mismatch for image: %(image_id)s",
+            issue="checksum-mismatch",
+            image_id=image_id,
+        )
 
-  return make_response('true', 200)
+    return make_response("true", 200)
 
 
-@v1_bp.route('/images/<image_id>/json', methods=['GET'])
+@v1_bp.route("/images/<image_id>/json", methods=["GET"])
 @process_auth
 @extract_namespace_repo_from_session
 @ensure_namespace_enabled
@@ -304,29 +385,35 @@ def put_image_checksum(namespace, repository, image_id):
 @set_cache_headers
 @anon_protect
 def get_image_json(namespace, repository, image_id, headers):
-  logger.debug('Checking repo permissions')
-  permission = ReadRepositoryPermission(namespace, repository)
-  repository_ref = registry_model.lookup_repository(namespace, repository, kind_filter='image')
-  if not permission.can() and not (repository_ref is not None and repository_ref.is_public):
-    abort(403)
+    logger.debug("Checking repo permissions")
+    permission = ReadRepositoryPermission(namespace, repository)
+    repository_ref = registry_model.lookup_repository(
+        namespace, repository, kind_filter="image"
+    )
+    if not permission.can() and not (
+        repository_ref is not None and repository_ref.is_public
+    ):
+        abort(403)
 
-  logger.debug('Looking up repo image')
-  legacy_image = registry_model.get_legacy_image(repository_ref, image_id, include_blob=True)
-  if legacy_image is None:
-    flask_abort(404)
+    logger.debug("Looking up repo image")
+    legacy_image = registry_model.get_legacy_image(
+        repository_ref, image_id, include_blob=True
+    )
+    if legacy_image is None:
+        flask_abort(404)
 
-  size = legacy_image.blob.compressed_size
-  if size is not None:
-    # Note: X-Docker-Size is optional and we *can* end up with a NULL image_size,
-    # so handle this case rather than failing.
-    headers['X-Docker-Size'] = str(size)
+    size = legacy_image.blob.compressed_size
+    if size is not None:
+        # Note: X-Docker-Size is optional and we *can* end up with a NULL image_size,
+        # so handle this case rather than failing.
+        headers["X-Docker-Size"] = str(size)
 
-  response = make_response(legacy_image.v1_metadata_string, 200)
-  response.headers.extend(headers)
-  return response
+    response = make_response(legacy_image.v1_metadata_string, 200)
+    response.headers.extend(headers)
+    return response
 
 
-@v1_bp.route('/images/<image_id>/ancestry', methods=['GET'])
+@v1_bp.route("/images/<image_id>/ancestry", methods=["GET"])
 @process_auth
 @extract_namespace_repo_from_session
 @ensure_namespace_enabled
@@ -334,26 +421,38 @@ def get_image_json(namespace, repository, image_id, headers):
 @set_cache_headers
 @anon_protect
 def get_image_ancestry(namespace, repository, image_id, headers):
-  logger.debug('Checking repo permissions')
-  permission = ReadRepositoryPermission(namespace, repository)
-  repository_ref = registry_model.lookup_repository(namespace, repository, kind_filter='image')
-  if not permission.can() and not (repository_ref is not None and repository_ref.is_public):
-    abort(403)
+    logger.debug("Checking repo permissions")
+    permission = ReadRepositoryPermission(namespace, repository)
+    repository_ref = registry_model.lookup_repository(
+        namespace, repository, kind_filter="image"
+    )
+    if not permission.can() and not (
+        repository_ref is not None and repository_ref.is_public
+    ):
+        abort(403)
 
-  logger.debug('Looking up repo image')
-  legacy_image = registry_model.get_legacy_image(repository_ref, image_id, include_parents=True)
-  if legacy_image is None:
-    abort(404, 'Image %(image_id)s not found', issue='unknown-image', image_id=image_id)
+    logger.debug("Looking up repo image")
+    legacy_image = registry_model.get_legacy_image(
+        repository_ref, image_id, include_parents=True
+    )
+    if legacy_image is None:
+        abort(
+            404,
+            "Image %(image_id)s not found",
+            issue="unknown-image",
+            image_id=image_id,
+        )
 
-  # NOTE: We can not use jsonify here because we are returning a list not an object.
-  ancestor_ids = ([legacy_image.docker_image_id] + 
-                  [a.docker_image_id for a in legacy_image.parents])
-  response = make_response(json.dumps(ancestor_ids), 200)
-  response.headers.extend(headers)
-  return response
+    # NOTE: We can not use jsonify here because we are returning a list not an object.
+    ancestor_ids = [legacy_image.docker_image_id] + [
+        a.docker_image_id for a in legacy_image.parents
+    ]
+    response = make_response(json.dumps(ancestor_ids), 200)
+    response.headers.extend(headers)
+    return response
 
 
-@v1_bp.route('/images/<image_id>/json', methods=['PUT'])
+@v1_bp.route("/images/<image_id>/json", methods=["PUT"])
 @process_auth
 @extract_namespace_repo_from_session
 @check_v1_push_enabled()
@@ -362,46 +461,71 @@ def get_image_ancestry(namespace, repository, image_id, headers):
 @anon_protect
 @check_readonly
 def put_image_json(namespace, repository, image_id):
-  logger.debug('Checking repo permissions')
-  permission = ModifyRepositoryPermission(namespace, repository)
-  if not permission.can():
-    abort(403)
+    logger.debug("Checking repo permissions")
+    permission = ModifyRepositoryPermission(namespace, repository)
+    if not permission.can():
+        abort(403)
 
-  repository_ref = registry_model.lookup_repository(namespace, repository, kind_filter='image')
-  if repository_ref is None:
-    abort(403)
+    repository_ref = registry_model.lookup_repository(
+        namespace, repository, kind_filter="image"
+    )
+    if repository_ref is None:
+        abort(403)
 
-  builder = lookup_manifest_builder(repository_ref, session.get('manifest_builder'), store,
-                                    docker_v2_signing_key)
-  if builder is None:
-    abort(400)
+    builder = lookup_manifest_builder(
+        repository_ref, session.get("manifest_builder"), store, docker_v2_signing_key
+    )
+    if builder is None:
+        abort(400)
 
-  logger.debug('Parsing image JSON')
-  try:
-    uploaded_metadata = request.data
-    data = json.loads(uploaded_metadata.decode('utf8'))
-  except ValueError:
-    pass
+    logger.debug("Parsing image JSON")
+    try:
+        uploaded_metadata = request.data
+        data = json.loads(uploaded_metadata.decode("utf8"))
+    except ValueError:
+        pass
 
-  if not data or not isinstance(data, dict):
-    abort(400, 'Invalid JSON for image: %(image_id)s\nJSON: %(json)s', issue='invalid-request',
-          image_id=image_id, json=request.data)
+    if not data or not isinstance(data, dict):
+        abort(
+            400,
+            "Invalid JSON for image: %(image_id)s\nJSON: %(json)s",
+            issue="invalid-request",
+            image_id=image_id,
+            json=request.data,
+        )
 
-  if 'id' not in data:
-    abort(400, 'Missing key `id` in JSON for image: %(image_id)s', issue='invalid-request',
-          image_id=image_id)
+    if "id" not in data:
+        abort(
+            400,
+            "Missing key `id` in JSON for image: %(image_id)s",
+            issue="invalid-request",
+            image_id=image_id,
+        )
 
-  if image_id != data['id']:
-    abort(400, 'JSON data contains invalid id for image: %(image_id)s', issue='invalid-request',
-          image_id=image_id)
+    if image_id != data["id"]:
+        abort(
+            400,
+            "JSON data contains invalid id for image: %(image_id)s",
+            issue="invalid-request",
+            image_id=image_id,
+        )
 
-  logger.debug('Looking up repo image')
-  location_pref = store.preferred_locations[0]
-  username = get_authenticated_user() and get_authenticated_user().username
-  layer = builder.start_layer(image_id, uploaded_metadata, location_pref, username,
-                              app.config['PUSH_TEMP_TAG_EXPIRATION_SEC'])
-  if layer is None:
-    abort(400, 'Image %(image_id)s has invalid metadata',
-          issue='invalid-request', image_id=image_id)
+    logger.debug("Looking up repo image")
+    location_pref = store.preferred_locations[0]
+    username = get_authenticated_user() and get_authenticated_user().username
+    layer = builder.start_layer(
+        image_id,
+        uploaded_metadata,
+        location_pref,
+        username,
+        app.config["PUSH_TEMP_TAG_EXPIRATION_SEC"],
+    )
+    if layer is None:
+        abort(
+            400,
+            "Image %(image_id)s has invalid metadata",
+            issue="invalid-request",
+            image_id=image_id,
+        )
 
-  return make_response('true', 200)
+    return make_response("true", 200)
diff --git a/endpoints/v1/tag.py b/endpoints/v1/tag.py
index 67f37e098..eb447e259 100644
--- a/endpoints/v1/tag.py
+++ b/endpoints/v1/tag.py
@@ -5,11 +5,15 @@ from flask import abort, request, jsonify, make_response, session
 
 from app import storage, docker_v2_signing_key
 from auth.decorators import process_auth
-from auth.permissions import (ReadRepositoryPermission, ModifyRepositoryPermission)
+from auth.permissions import ReadRepositoryPermission, ModifyRepositoryPermission
 from data.registry_model import registry_model
 from data.registry_model.manifestbuilder import lookup_manifest_builder
-from endpoints.decorators import (anon_protect, parse_repository_name, check_repository_state,
-                                  check_readonly)
+from endpoints.decorators import (
+    anon_protect,
+    parse_repository_name,
+    check_repository_state,
+    check_readonly,
+)
 from endpoints.v1 import v1_bp, check_v1_push_enabled
 from util.audit import track_and_log
 from util.names import TAG_ERROR, TAG_REGEX
@@ -17,46 +21,50 @@ from util.names import TAG_ERROR, TAG_REGEX
 logger = logging.getLogger(__name__)
 
 
-@v1_bp.route('/repositories/<repopath:repository>/tags', methods=['GET'])
+@v1_bp.route("/repositories/<repopath:repository>/tags", methods=["GET"])
 @process_auth
 @anon_protect
 @parse_repository_name()
 def get_tags(namespace_name, repo_name):
-  permission = ReadRepositoryPermission(namespace_name, repo_name)
-  repository_ref = registry_model.lookup_repository(namespace_name, repo_name, kind_filter='image')
-  if permission.can() or (repository_ref is not None and repository_ref.is_public):
-    if repository_ref is None:
-      abort(404)
+    permission = ReadRepositoryPermission(namespace_name, repo_name)
+    repository_ref = registry_model.lookup_repository(
+        namespace_name, repo_name, kind_filter="image"
+    )
+    if permission.can() or (repository_ref is not None and repository_ref.is_public):
+        if repository_ref is None:
+            abort(404)
 
-    tag_map = registry_model.get_legacy_tags_map(repository_ref, storage)
-    return jsonify(tag_map)
+        tag_map = registry_model.get_legacy_tags_map(repository_ref, storage)
+        return jsonify(tag_map)
 
-  abort(403)
+    abort(403)
 
 
-@v1_bp.route('/repositories/<repopath:repository>/tags/<tag>', methods=['GET'])
+@v1_bp.route("/repositories/<repopath:repository>/tags/<tag>", methods=["GET"])
 @process_auth
 @anon_protect
 @parse_repository_name()
 def get_tag(namespace_name, repo_name, tag):
-  permission = ReadRepositoryPermission(namespace_name, repo_name)
-  repository_ref = registry_model.lookup_repository(namespace_name, repo_name, kind_filter='image')
-  if permission.can() or (repository_ref is not None and repository_ref.is_public):
-    if repository_ref is None:
-      abort(404)
+    permission = ReadRepositoryPermission(namespace_name, repo_name)
+    repository_ref = registry_model.lookup_repository(
+        namespace_name, repo_name, kind_filter="image"
+    )
+    if permission.can() or (repository_ref is not None and repository_ref.is_public):
+        if repository_ref is None:
+            abort(404)
 
-    image_id = registry_model.get_tag_legacy_image_id(repository_ref, tag, storage)
-    if image_id is None:
-      abort(404)
+        image_id = registry_model.get_tag_legacy_image_id(repository_ref, tag, storage)
+        if image_id is None:
+            abort(404)
 
-    resp = make_response('"%s"' % image_id)
-    resp.headers['Content-Type'] = 'application/json'
-    return resp
+        resp = make_response('"%s"' % image_id)
+        resp.headers["Content-Type"] = "application/json"
+        return resp
 
-  abort(403)
+    abort(403)
 
 
-@v1_bp.route('/repositories/<repopath:repository>/tags/<tag>', methods=['PUT'])
+@v1_bp.route("/repositories/<repopath:repository>/tags/<tag>", methods=["PUT"])
 @process_auth
 @anon_protect
 @parse_repository_name()
@@ -64,43 +72,53 @@ def get_tag(namespace_name, repo_name, tag):
 @check_v1_push_enabled()
 @check_readonly
 def put_tag(namespace_name, repo_name, tag):
-  permission = ModifyRepositoryPermission(namespace_name, repo_name)
-  repository_ref = registry_model.lookup_repository(namespace_name, repo_name, kind_filter='image')
+    permission = ModifyRepositoryPermission(namespace_name, repo_name)
+    repository_ref = registry_model.lookup_repository(
+        namespace_name, repo_name, kind_filter="image"
+    )
 
-  if permission.can() and repository_ref is not None:
-    if not TAG_REGEX.match(tag):
-      abort(400, TAG_ERROR)
+    if permission.can() and repository_ref is not None:
+        if not TAG_REGEX.match(tag):
+            abort(400, TAG_ERROR)
 
-    image_id = json.loads(request.data)
+        image_id = json.loads(request.data)
 
-    # Check for the image ID first in a builder (for an in-progress push).
-    builder = lookup_manifest_builder(repository_ref, session.get('manifest_builder'), storage,
-                                      docker_v2_signing_key)
-    if builder is not None:
-      layer = builder.lookup_layer(image_id)
-      if layer is not None:
-        commited_tag = builder.commit_tag_and_manifest(tag, layer)
-        if commited_tag is None:
-          abort(400)
+        # Check for the image ID first in a builder (for an in-progress push).
+        builder = lookup_manifest_builder(
+            repository_ref,
+            session.get("manifest_builder"),
+            storage,
+            docker_v2_signing_key,
+        )
+        if builder is not None:
+            layer = builder.lookup_layer(image_id)
+            if layer is not None:
+                commited_tag = builder.commit_tag_and_manifest(tag, layer)
+                if commited_tag is None:
+                    abort(400)
 
-        return make_response('Created', 200)
+                return make_response("Created", 200)
 
-    # Check if there is an existing image we should use (for PUT calls outside of a normal push
-    # operation).
-    legacy_image = registry_model.get_legacy_image(repository_ref, image_id)
-    if legacy_image is None:
-      abort(400)
+        # Check if there is an existing image we should use (for PUT calls outside of a normal push
+        # operation).
+        legacy_image = registry_model.get_legacy_image(repository_ref, image_id)
+        if legacy_image is None:
+            abort(400)
 
-    if registry_model.retarget_tag(repository_ref, tag, legacy_image, storage,
-                                   docker_v2_signing_key) is None:
-      abort(400)
+        if (
+            registry_model.retarget_tag(
+                repository_ref, tag, legacy_image, storage, docker_v2_signing_key
+            )
+            is None
+        ):
+            abort(400)
 
-    return make_response('Created', 200)
+        return make_response("Created", 200)
 
-  abort(403)
+    abort(403)
 
 
-@v1_bp.route('/repositories/<repopath:repository>/tags/<tag>', methods=['DELETE'])
+@v1_bp.route("/repositories/<repopath:repository>/tags/<tag>", methods=["DELETE"])
 @process_auth
 @anon_protect
 @parse_repository_name()
@@ -108,14 +126,16 @@ def put_tag(namespace_name, repo_name, tag):
 @check_v1_push_enabled()
 @check_readonly
 def delete_tag(namespace_name, repo_name, tag):
-  permission = ModifyRepositoryPermission(namespace_name, repo_name)
-  repository_ref = registry_model.lookup_repository(namespace_name, repo_name, kind_filter='image')
+    permission = ModifyRepositoryPermission(namespace_name, repo_name)
+    repository_ref = registry_model.lookup_repository(
+        namespace_name, repo_name, kind_filter="image"
+    )
 
-  if permission.can() and repository_ref is not None:
-    if not registry_model.delete_tag(repository_ref, tag):
-      abort(404)
+    if permission.can() and repository_ref is not None:
+        if not registry_model.delete_tag(repository_ref, tag):
+            abort(404)
 
-    track_and_log('delete_tag', repository_ref, tag=tag)
-    return make_response('Deleted', 200)
+        track_and_log("delete_tag", repository_ref, tag=tag)
+        return make_response("Deleted", 200)
 
-  abort(403)
+    abort(403)
diff --git a/endpoints/v2/__init__.py b/endpoints/v2/__init__.py
index 845ad258f..b036f8140 100644
--- a/endpoints/v2/__init__.py
+++ b/endpoints/v2/__init__.py
@@ -13,13 +13,21 @@ import features
 from app import app, metric_queue, get_app_url
 from auth.auth_context import get_authenticated_context
 from auth.permissions import (
-  ReadRepositoryPermission, ModifyRepositoryPermission, AdministerRepositoryPermission)
+    ReadRepositoryPermission,
+    ModifyRepositoryPermission,
+    AdministerRepositoryPermission,
+)
 from auth.registry_jwt_auth import process_registry_jwt_auth, get_auth_headers
 from data.registry_model import registry_model
 from data.readreplica import ReadOnlyModeException
 from endpoints.decorators import anon_protect, anon_allowed, route_show_if
-from endpoints.v2.errors import (V2RegistryException, Unauthorized, Unsupported, NameUnknown,
-                                 ReadOnlyMode)
+from endpoints.v2.errors import (
+    V2RegistryException,
+    Unauthorized,
+    Unsupported,
+    NameUnknown,
+    ReadOnlyMode,
+)
 from util.http import abort
 from util.metrics.metricqueue import time_blueprint
 from util.registry.dockerver import docker_version
@@ -27,145 +35,170 @@ from util.pagination import encrypt_page_token, decrypt_page_token
 
 logger = logging.getLogger(__name__)
 
-v2_bp = Blueprint('v2', __name__)
+v2_bp = Blueprint("v2", __name__)
 time_blueprint(v2_bp, metric_queue)
 
 
 @v2_bp.app_errorhandler(V2RegistryException)
 def handle_registry_v2_exception(error):
-  response = jsonify({'errors': [error.as_dict()]})
+    response = jsonify({"errors": [error.as_dict()]})
 
-  response.status_code = error.http_status_code
-  if response.status_code == 401:
-    response.headers.extend(get_auth_headers(repository=error.repository, scopes=error.scopes))
-  logger.debug('sending response: %s', response.get_data())
-  return response
+    response.status_code = error.http_status_code
+    if response.status_code == 401:
+        response.headers.extend(
+            get_auth_headers(repository=error.repository, scopes=error.scopes)
+        )
+    logger.debug("sending response: %s", response.get_data())
+    return response
 
 
 @v2_bp.app_errorhandler(ReadOnlyModeException)
 def handle_readonly(ex):
-  error = ReadOnlyMode()
-  response = jsonify({'errors': [error.as_dict()]})
-  response.status_code = error.http_status_code
-  logger.debug('sending response: %s', response.get_data())
-  return response
+    error = ReadOnlyMode()
+    response = jsonify({"errors": [error.as_dict()]})
+    response.status_code = error.http_status_code
+    logger.debug("sending response: %s", response.get_data())
+    return response
 
 
-_MAX_RESULTS_PER_PAGE = app.config.get('V2_PAGINATION_SIZE', 100)
+_MAX_RESULTS_PER_PAGE = app.config.get("V2_PAGINATION_SIZE", 100)
 
 
-def paginate(start_id_kwarg_name='start_id', limit_kwarg_name='limit',
-             callback_kwarg_name='pagination_callback'):
-  """
+def paginate(
+    start_id_kwarg_name="start_id",
+    limit_kwarg_name="limit",
+    callback_kwarg_name="pagination_callback",
+):
+    """
   Decorates a handler adding a parsed pagination token and a callback to encode a response token.
   """
 
-  def wrapper(func):
-    @wraps(func)
-    def wrapped(*args, **kwargs):
-      try:
-        requested_limit = int(request.args.get('n', _MAX_RESULTS_PER_PAGE))
-      except ValueError:
-        requested_limit = 0
+    def wrapper(func):
+        @wraps(func)
+        def wrapped(*args, **kwargs):
+            try:
+                requested_limit = int(request.args.get("n", _MAX_RESULTS_PER_PAGE))
+            except ValueError:
+                requested_limit = 0
 
-      limit = max(min(requested_limit, _MAX_RESULTS_PER_PAGE), 1)
-      next_page_token = request.args.get('next_page', request.args.get('last', None))
+            limit = max(min(requested_limit, _MAX_RESULTS_PER_PAGE), 1)
+            next_page_token = request.args.get(
+                "next_page", request.args.get("last", None)
+            )
 
-      # Decrypt the next page token, if any.
-      start_id = None
-      page_info = decrypt_page_token(next_page_token)
-      if page_info is not None:
-        start_id = page_info.get('start_id', None)
+            # Decrypt the next page token, if any.
+            start_id = None
+            page_info = decrypt_page_token(next_page_token)
+            if page_info is not None:
+                start_id = page_info.get("start_id", None)
 
-      def callback(results, response):
-        if len(results) <= limit:
-          return
+            def callback(results, response):
+                if len(results) <= limit:
+                    return
 
-        next_page_token = encrypt_page_token({'start_id': max([obj.id for obj in results])})
+                next_page_token = encrypt_page_token(
+                    {"start_id": max([obj.id for obj in results])}
+                )
 
-        link_url = os.path.join(get_app_url(), url_for(request.endpoint, **request.view_args))
-        link_param = urlencode({'n': limit, 'next_page': next_page_token})
-        link = '<%s?%s>; rel="next"' % (link_url, link_param)
-        response.headers['Link'] = link
+                link_url = os.path.join(
+                    get_app_url(), url_for(request.endpoint, **request.view_args)
+                )
+                link_param = urlencode({"n": limit, "next_page": next_page_token})
+                link = '<%s?%s>; rel="next"' % (link_url, link_param)
+                response.headers["Link"] = link
 
-      kwargs[limit_kwarg_name] = limit
-      kwargs[start_id_kwarg_name] = start_id
-      kwargs[callback_kwarg_name] = callback
-      return func(*args, **kwargs)
-    return wrapped
-  return wrapper
+            kwargs[limit_kwarg_name] = limit
+            kwargs[start_id_kwarg_name] = start_id
+            kwargs[callback_kwarg_name] = callback
+            return func(*args, **kwargs)
+
+        return wrapped
+
+    return wrapper
 
 
 def _require_repo_permission(permission_class, scopes=None, allow_public=False):
-  def wrapper(func):
-    @wraps(func)
-    def wrapped(namespace_name, repo_name, *args, **kwargs):
-      logger.debug('Checking permission %s for repo: %s/%s', permission_class, namespace_name,
-                   repo_name)
+    def wrapper(func):
+        @wraps(func)
+        def wrapped(namespace_name, repo_name, *args, **kwargs):
+            logger.debug(
+                "Checking permission %s for repo: %s/%s",
+                permission_class,
+                namespace_name,
+                repo_name,
+            )
 
-      permission = permission_class(namespace_name, repo_name)
-      if permission.can():
-        return func(namespace_name, repo_name, *args, **kwargs)
+            permission = permission_class(namespace_name, repo_name)
+            if permission.can():
+                return func(namespace_name, repo_name, *args, **kwargs)
 
-      repository = namespace_name + '/' + repo_name
-      if allow_public:
-        repository_ref = registry_model.lookup_repository(namespace_name, repo_name)
-        if repository_ref is None or not repository_ref.is_public:
-          raise Unauthorized(repository=repository, scopes=scopes)
+            repository = namespace_name + "/" + repo_name
+            if allow_public:
+                repository_ref = registry_model.lookup_repository(
+                    namespace_name, repo_name
+                )
+                if repository_ref is None or not repository_ref.is_public:
+                    raise Unauthorized(repository=repository, scopes=scopes)
 
-        if repository_ref.kind != 'image':
-          msg = 'This repository is for managing %s and not container images.' % repository_ref.kind
-          raise Unsupported(detail=msg)
+                if repository_ref.kind != "image":
+                    msg = (
+                        "This repository is for managing %s and not container images."
+                        % repository_ref.kind
+                    )
+                    raise Unsupported(detail=msg)
+
+                if repository_ref.is_public:
+                    if not features.ANONYMOUS_ACCESS:
+                        raise Unauthorized(repository=repository, scopes=scopes)
+
+                    return func(namespace_name, repo_name, *args, **kwargs)
 
-        if repository_ref.is_public:
-          if not features.ANONYMOUS_ACCESS:
             raise Unauthorized(repository=repository, scopes=scopes)
 
-          return func(namespace_name, repo_name, *args, **kwargs)
+        return wrapped
 
-      raise Unauthorized(repository=repository, scopes=scopes)
-    return wrapped
-  return wrapper
+    return wrapper
 
 
-require_repo_read = _require_repo_permission(ReadRepositoryPermission, scopes=['pull'],
-                                             allow_public=True)
-require_repo_write = _require_repo_permission(ModifyRepositoryPermission, scopes=['pull', 'push'])
-require_repo_admin = _require_repo_permission(AdministerRepositoryPermission, scopes=[
-  'pull', 'push'])
+require_repo_read = _require_repo_permission(
+    ReadRepositoryPermission, scopes=["pull"], allow_public=True
+)
+require_repo_write = _require_repo_permission(
+    ModifyRepositoryPermission, scopes=["pull", "push"]
+)
+require_repo_admin = _require_repo_permission(
+    AdministerRepositoryPermission, scopes=["pull", "push"]
+)
 
 
 def get_input_stream(flask_request):
-  if flask_request.headers.get('transfer-encoding') == 'chunked':
-    return flask_request.environ['wsgi.input']
-  return flask_request.stream
+    if flask_request.headers.get("transfer-encoding") == "chunked":
+        return flask_request.environ["wsgi.input"]
+    return flask_request.stream
 
 
-@v2_bp.route('/')
+@v2_bp.route("/")
 @route_show_if(features.ADVERTISE_V2)
 @process_registry_jwt_auth()
 @anon_allowed
 def v2_support_enabled():
-  docker_ver = docker_version(request.user_agent.string)
+    docker_ver = docker_version(request.user_agent.string)
 
-  # Check if our version is one of the blacklisted versions, if we can't
-  # identify the version (None) we will fail open and assume that it is
-  # newer and therefore should not be blacklisted.
-  if docker_ver is not None and Spec(app.config['BLACKLIST_V2_SPEC']).match(docker_ver):
-    abort(404)
+    # Check if our version is one of the blacklisted versions, if we can't
+    # identify the version (None) we will fail open and assume that it is
+    # newer and therefore should not be blacklisted.
+    if docker_ver is not None and Spec(app.config["BLACKLIST_V2_SPEC"]).match(
+        docker_ver
+    ):
+        abort(404)
 
-  response = make_response('true', 200)
+    response = make_response("true", 200)
 
-  if get_authenticated_context() is None:
-    response = make_response('true', 401)
+    if get_authenticated_context() is None:
+        response = make_response("true", 401)
 
-  response.headers.extend(get_auth_headers())
-  return response
+    response.headers.extend(get_auth_headers())
+    return response
 
 
-from endpoints.v2 import (
-  blob,
-  catalog,
-  manifest,
-  tag,
-  v2auth,)
+from endpoints.v2 import blob, catalog, manifest, tag, v2auth
diff --git a/endpoints/v2/blob.py b/endpoints/v2/blob.py
index 141c37990..aea438a01 100644
--- a/endpoints/v2/blob.py
+++ b/endpoints/v2/blob.py
@@ -8,17 +8,34 @@ from auth.registry_jwt_auth import process_registry_jwt_auth
 from auth.permissions import ReadRepositoryPermission
 from data import database
 from data.registry_model import registry_model
-from data.registry_model.blobuploader import (create_blob_upload, retrieve_blob_upload_manager,
-                                              complete_when_uploaded, BlobUploadSettings,
-                                              BlobUploadException, BlobTooLargeException,
-                                              BlobRangeMismatchException)
+from data.registry_model.blobuploader import (
+    create_blob_upload,
+    retrieve_blob_upload_manager,
+    complete_when_uploaded,
+    BlobUploadSettings,
+    BlobUploadException,
+    BlobTooLargeException,
+    BlobRangeMismatchException,
+)
 from digest import digest_tools
-from endpoints.decorators import (anon_protect, anon_allowed, parse_repository_name,
-                                  check_region_blacklisted, check_readonly)
+from endpoints.decorators import (
+    anon_protect,
+    anon_allowed,
+    parse_repository_name,
+    check_region_blacklisted,
+    check_readonly,
+)
 from endpoints.v2 import v2_bp, require_repo_read, require_repo_write, get_input_stream
 from endpoints.v2.errors import (
-  BlobUnknown, BlobUploadInvalid, BlobUploadUnknown, Unsupported, NameUnknown, LayerTooLarge,
-  InvalidRequest, BlobDownloadGeoBlocked)
+    BlobUnknown,
+    BlobUploadInvalid,
+    BlobUploadUnknown,
+    Unsupported,
+    NameUnknown,
+    LayerTooLarge,
+    InvalidRequest,
+    BlobDownloadGeoBlocked,
+)
 from util.cache import cache_control
 from util.names import parse_namespace_repository
 from util.request import get_request_ip
@@ -28,423 +45,505 @@ logger = logging.getLogger(__name__)
 
 BASE_BLOB_ROUTE = '/<repopath:repository>/blobs/<regex("{0}"):digest>'
 BLOB_DIGEST_ROUTE = BASE_BLOB_ROUTE.format(digest_tools.DIGEST_PATTERN)
-RANGE_HEADER_REGEX = re.compile(r'^bytes=([0-9]+)-([0-9]+)$')
-BLOB_CONTENT_TYPE = 'application/octet-stream'
+RANGE_HEADER_REGEX = re.compile(r"^bytes=([0-9]+)-([0-9]+)$")
+BLOB_CONTENT_TYPE = "application/octet-stream"
 
 
 class _InvalidRangeHeader(Exception):
-  pass
+    pass
 
 
-@v2_bp.route(BLOB_DIGEST_ROUTE, methods=['HEAD'])
+@v2_bp.route(BLOB_DIGEST_ROUTE, methods=["HEAD"])
 @parse_repository_name()
-@process_registry_jwt_auth(scopes=['pull'])
+@process_registry_jwt_auth(scopes=["pull"])
 @require_repo_read
 @anon_allowed
 @cache_control(max_age=31436000)
 def check_blob_exists(namespace_name, repo_name, digest):
-  # Find the blob.
-  blob = registry_model.get_cached_repo_blob(model_cache, namespace_name, repo_name, digest)
-  if blob is None:
-    raise BlobUnknown()
+    # Find the blob.
+    blob = registry_model.get_cached_repo_blob(
+        model_cache, namespace_name, repo_name, digest
+    )
+    if blob is None:
+        raise BlobUnknown()
 
-  # Build the response headers.
-  headers = {
-    'Docker-Content-Digest': digest,
-    'Content-Length': blob.compressed_size,
-    'Content-Type': BLOB_CONTENT_TYPE,
-  }
+    # Build the response headers.
+    headers = {
+        "Docker-Content-Digest": digest,
+        "Content-Length": blob.compressed_size,
+        "Content-Type": BLOB_CONTENT_TYPE,
+    }
 
-  # If our storage supports range requests, let the client know.
-  if storage.get_supports_resumable_downloads(blob.placements):
-    headers['Accept-Ranges'] = 'bytes'
+    # If our storage supports range requests, let the client know.
+    if storage.get_supports_resumable_downloads(blob.placements):
+        headers["Accept-Ranges"] = "bytes"
 
-  # Write the response to the client.
-  return Response(headers=headers)
+    # Write the response to the client.
+    return Response(headers=headers)
 
 
-@v2_bp.route(BLOB_DIGEST_ROUTE, methods=['GET'])
+@v2_bp.route(BLOB_DIGEST_ROUTE, methods=["GET"])
 @parse_repository_name()
-@process_registry_jwt_auth(scopes=['pull'])
+@process_registry_jwt_auth(scopes=["pull"])
 @require_repo_read
 @anon_allowed
 @check_region_blacklisted(BlobDownloadGeoBlocked)
 @cache_control(max_age=31536000)
 def download_blob(namespace_name, repo_name, digest):
-  # Find the blob.
-  blob = registry_model.get_cached_repo_blob(model_cache, namespace_name, repo_name, digest)
-  if blob is None:
-    raise BlobUnknown()
-
-  # Build the response headers.
-  headers = {'Docker-Content-Digest': digest}
-
-  # If our storage supports range requests, let the client know.
-  if storage.get_supports_resumable_downloads(blob.placements):
-    headers['Accept-Ranges'] = 'bytes'
-
-  metric_queue.pull_byte_count.Inc(blob.compressed_size, labelvalues=['v2'])
-
-  # Short-circuit by redirecting if the storage supports it.
-  path = blob.storage_path
-  logger.debug('Looking up the direct download URL for path: %s', path)
-  direct_download_url = storage.get_direct_download_url(blob.placements, path, get_request_ip())
-  if direct_download_url:
-    logger.debug('Returning direct download URL')
-    resp = redirect(direct_download_url)
-    resp.headers.extend(headers)
-    return resp
-
-  # Close the database connection before we stream the download.
-  logger.debug('Closing database connection before streaming layer data')
-  with database.CloseForLongOperation(app.config):
-    # Stream the response to the client.
-    return Response(
-      storage.stream_read(blob.placements, path),
-      headers=headers.update({
-        'Content-Length': blob.compressed_size,
-        'Content-Type': BLOB_CONTENT_TYPE,
-      }),
+    # Find the blob.
+    blob = registry_model.get_cached_repo_blob(
+        model_cache, namespace_name, repo_name, digest
     )
+    if blob is None:
+        raise BlobUnknown()
+
+    # Build the response headers.
+    headers = {"Docker-Content-Digest": digest}
+
+    # If our storage supports range requests, let the client know.
+    if storage.get_supports_resumable_downloads(blob.placements):
+        headers["Accept-Ranges"] = "bytes"
+
+    metric_queue.pull_byte_count.Inc(blob.compressed_size, labelvalues=["v2"])
+
+    # Short-circuit by redirecting if the storage supports it.
+    path = blob.storage_path
+    logger.debug("Looking up the direct download URL for path: %s", path)
+    direct_download_url = storage.get_direct_download_url(
+        blob.placements, path, get_request_ip()
+    )
+    if direct_download_url:
+        logger.debug("Returning direct download URL")
+        resp = redirect(direct_download_url)
+        resp.headers.extend(headers)
+        return resp
+
+    # Close the database connection before we stream the download.
+    logger.debug("Closing database connection before streaming layer data")
+    with database.CloseForLongOperation(app.config):
+        # Stream the response to the client.
+        return Response(
+            storage.stream_read(blob.placements, path),
+            headers=headers.update(
+                {
+                    "Content-Length": blob.compressed_size,
+                    "Content-Type": BLOB_CONTENT_TYPE,
+                }
+            ),
+        )
 
 
 def _try_to_mount_blob(repository_ref, mount_blob_digest):
-  """ Attempts to mount a blob requested by the user from another repository. """
-  logger.debug('Got mount request for blob `%s` into `%s`', mount_blob_digest, repository_ref)
-  from_repo = request.args.get('from', None)
-  if from_repo is None:
-    raise InvalidRequest(message='Missing `from` repository argument')
+    """ Attempts to mount a blob requested by the user from another repository. """
+    logger.debug(
+        "Got mount request for blob `%s` into `%s`", mount_blob_digest, repository_ref
+    )
+    from_repo = request.args.get("from", None)
+    if from_repo is None:
+        raise InvalidRequest(message="Missing `from` repository argument")
 
-  # Ensure the user has access to the repository.
-  logger.debug('Got mount request for blob `%s` under repository `%s` into `%s`',
-               mount_blob_digest, from_repo, repository_ref)
-  from_namespace, from_repo_name = parse_namespace_repository(from_repo,
-                                                              app.config['LIBRARY_NAMESPACE'],
-                                                              include_tag=False)
+    # Ensure the user has access to the repository.
+    logger.debug(
+        "Got mount request for blob `%s` under repository `%s` into `%s`",
+        mount_blob_digest,
+        from_repo,
+        repository_ref,
+    )
+    from_namespace, from_repo_name = parse_namespace_repository(
+        from_repo, app.config["LIBRARY_NAMESPACE"], include_tag=False
+    )
 
-  from_repository_ref = registry_model.lookup_repository(from_namespace, from_repo_name)
-  if from_repository_ref is None:
-    logger.debug('Could not find from repo: `%s/%s`', from_namespace, from_repo_name)
-    return None
+    from_repository_ref = registry_model.lookup_repository(
+        from_namespace, from_repo_name
+    )
+    if from_repository_ref is None:
+        logger.debug(
+            "Could not find from repo: `%s/%s`", from_namespace, from_repo_name
+        )
+        return None
 
-  # First check permission.
-  read_permission = ReadRepositoryPermission(from_namespace, from_repo_name).can()
-  if not read_permission:
-    # If no direct permission, check if the repostory is public.
-    if not from_repository_ref.is_public:
-      logger.debug('No permission to mount blob `%s` under repository `%s` into `%s`',
-                   mount_blob_digest, from_repo, repository_ref)
-      return None
+    # First check permission.
+    read_permission = ReadRepositoryPermission(from_namespace, from_repo_name).can()
+    if not read_permission:
+        # If no direct permission, check if the repostory is public.
+        if not from_repository_ref.is_public:
+            logger.debug(
+                "No permission to mount blob `%s` under repository `%s` into `%s`",
+                mount_blob_digest,
+                from_repo,
+                repository_ref,
+            )
+            return None
 
-  # Lookup if the mount blob's digest exists in the repository.
-  mount_blob = registry_model.get_cached_repo_blob(model_cache, from_namespace, from_repo_name,
-                                                   mount_blob_digest)
-  if mount_blob is None:
-    logger.debug('Blob `%s` under repository `%s` not found', mount_blob_digest, from_repo)
-    return None
+    # Lookup if the mount blob's digest exists in the repository.
+    mount_blob = registry_model.get_cached_repo_blob(
+        model_cache, from_namespace, from_repo_name, mount_blob_digest
+    )
+    if mount_blob is None:
+        logger.debug(
+            "Blob `%s` under repository `%s` not found", mount_blob_digest, from_repo
+        )
+        return None
 
-  logger.debug('Mounting blob `%s` under repository `%s` into `%s`', mount_blob_digest,
-               from_repo, repository_ref)
+    logger.debug(
+        "Mounting blob `%s` under repository `%s` into `%s`",
+        mount_blob_digest,
+        from_repo,
+        repository_ref,
+    )
 
-  # Mount the blob into the current repository and return that we've completed the operation.
-  expiration_sec = app.config['PUSH_TEMP_TAG_EXPIRATION_SEC']
-  mounted = registry_model.mount_blob_into_repository(mount_blob, repository_ref, expiration_sec)
-  if not mounted:
-    logger.debug('Could not mount blob `%s` under repository `%s` not found', mount_blob_digest,
-                 from_repo)
-    return
+    # Mount the blob into the current repository and return that we've completed the operation.
+    expiration_sec = app.config["PUSH_TEMP_TAG_EXPIRATION_SEC"]
+    mounted = registry_model.mount_blob_into_repository(
+        mount_blob, repository_ref, expiration_sec
+    )
+    if not mounted:
+        logger.debug(
+            "Could not mount blob `%s` under repository `%s` not found",
+            mount_blob_digest,
+            from_repo,
+        )
+        return
 
-  # Return the response for the blob indicating that it was mounted, and including its content
-  # digest.
-  logger.debug('Mounted blob `%s` under repository `%s` into `%s`', mount_blob_digest,
-               from_repo, repository_ref)
+    # Return the response for the blob indicating that it was mounted, and including its content
+    # digest.
+    logger.debug(
+        "Mounted blob `%s` under repository `%s` into `%s`",
+        mount_blob_digest,
+        from_repo,
+        repository_ref,
+    )
 
-  namespace_name = repository_ref.namespace_name
-  repo_name = repository_ref.name
+    namespace_name = repository_ref.namespace_name
+    repo_name = repository_ref.name
 
-  return Response(
-    status=201,
-    headers={
-      'Docker-Content-Digest': mount_blob_digest,
-      'Location':
-        get_app_url() + url_for('v2.download_blob',
-                                repository='%s/%s' % (namespace_name, repo_name),
-                                digest=mount_blob_digest),
-    },
-  )
+    return Response(
+        status=201,
+        headers={
+            "Docker-Content-Digest": mount_blob_digest,
+            "Location": get_app_url()
+            + url_for(
+                "v2.download_blob",
+                repository="%s/%s" % (namespace_name, repo_name),
+                digest=mount_blob_digest,
+            ),
+        },
+    )
 
 
-@v2_bp.route('/<repopath:repository>/blobs/uploads/', methods=['POST'])
+@v2_bp.route("/<repopath:repository>/blobs/uploads/", methods=["POST"])
 @parse_repository_name()
-@process_registry_jwt_auth(scopes=['pull', 'push'])
+@process_registry_jwt_auth(scopes=["pull", "push"])
 @require_repo_write
 @anon_protect
 @check_readonly
 def start_blob_upload(namespace_name, repo_name):
-  repository_ref = registry_model.lookup_repository(namespace_name, repo_name)
-  if repository_ref is None:
-    raise NameUnknown()
+    repository_ref = registry_model.lookup_repository(namespace_name, repo_name)
+    if repository_ref is None:
+        raise NameUnknown()
 
-  # Check for mounting of a blob from another repository.
-  mount_blob_digest = request.args.get('mount', None)
-  if mount_blob_digest is not None:
-    response = _try_to_mount_blob(repository_ref, mount_blob_digest)
-    if response is not None:
-      return response
+    # Check for mounting of a blob from another repository.
+    mount_blob_digest = request.args.get("mount", None)
+    if mount_blob_digest is not None:
+        response = _try_to_mount_blob(repository_ref, mount_blob_digest)
+        if response is not None:
+            return response
 
-  # Begin the blob upload process.
-  blob_uploader = create_blob_upload(repository_ref, storage, _upload_settings())
-  if blob_uploader is None:
-    logger.debug('Could not create a blob upload for `%s/%s`', namespace_name, repo_name)
-    raise InvalidRequest(message='Unable to start blob upload for unknown repository')
+    # Begin the blob upload process.
+    blob_uploader = create_blob_upload(repository_ref, storage, _upload_settings())
+    if blob_uploader is None:
+        logger.debug(
+            "Could not create a blob upload for `%s/%s`", namespace_name, repo_name
+        )
+        raise InvalidRequest(
+            message="Unable to start blob upload for unknown repository"
+        )
 
-  # Check if the blob will be uploaded now or in followup calls. If the `digest` is given, then
-  # the upload will occur as a monolithic chunk in this call. Otherwise, we return a redirect
-  # for the client to upload the chunks as distinct operations.
-  digest = request.args.get('digest', None)
-  if digest is None:
-    # Short-circuit because the user will send the blob data in another request.
+    # Check if the blob will be uploaded now or in followup calls. If the `digest` is given, then
+    # the upload will occur as a monolithic chunk in this call. Otherwise, we return a redirect
+    # for the client to upload the chunks as distinct operations.
+    digest = request.args.get("digest", None)
+    if digest is None:
+        # Short-circuit because the user will send the blob data in another request.
+        return Response(
+            status=202,
+            headers={
+                "Docker-Upload-UUID": blob_uploader.blob_upload_id,
+                "Range": _render_range(0),
+                "Location": get_app_url()
+                + url_for(
+                    "v2.upload_chunk",
+                    repository="%s/%s" % (namespace_name, repo_name),
+                    upload_uuid=blob_uploader.blob_upload_id,
+                ),
+            },
+        )
+
+    # Upload the data sent and commit it to a blob.
+    with complete_when_uploaded(blob_uploader):
+        _upload_chunk(blob_uploader, digest)
+
+    # Write the response to the client.
     return Response(
-      status=202,
-      headers={
-        'Docker-Upload-UUID': blob_uploader.blob_upload_id,
-        'Range': _render_range(0),
-        'Location':
-          get_app_url() + url_for('v2.upload_chunk',
-                                  repository='%s/%s' % (namespace_name, repo_name),
-                                  upload_uuid=blob_uploader.blob_upload_id)
-      },
+        status=201,
+        headers={
+            "Docker-Content-Digest": digest,
+            "Location": get_app_url()
+            + url_for(
+                "v2.download_blob",
+                repository="%s/%s" % (namespace_name, repo_name),
+                digest=digest,
+            ),
+        },
     )
 
-  # Upload the data sent and commit it to a blob.
-  with complete_when_uploaded(blob_uploader):
-    _upload_chunk(blob_uploader, digest)
 
-  # Write the response to the client.
-  return Response(
-    status=201,
-    headers={
-      'Docker-Content-Digest': digest,
-      'Location':
-        get_app_url() + url_for('v2.download_blob',
-                                repository='%s/%s' % (namespace_name, repo_name),
-                                digest=digest),
-    },
-  )
-
-
-@v2_bp.route('/<repopath:repository>/blobs/uploads/<upload_uuid>', methods=['GET'])
+@v2_bp.route("/<repopath:repository>/blobs/uploads/<upload_uuid>", methods=["GET"])
 @parse_repository_name()
-@process_registry_jwt_auth(scopes=['pull'])
+@process_registry_jwt_auth(scopes=["pull"])
 @require_repo_write
 @anon_protect
 def fetch_existing_upload(namespace_name, repo_name, upload_uuid):
-  repository_ref = registry_model.lookup_repository(namespace_name, repo_name)
-  if repository_ref is None:
-    raise NameUnknown()
+    repository_ref = registry_model.lookup_repository(namespace_name, repo_name)
+    if repository_ref is None:
+        raise NameUnknown()
 
-  uploader = retrieve_blob_upload_manager(repository_ref, upload_uuid, storage, _upload_settings())
-  if uploader is None:
-    raise BlobUploadUnknown()
+    uploader = retrieve_blob_upload_manager(
+        repository_ref, upload_uuid, storage, _upload_settings()
+    )
+    if uploader is None:
+        raise BlobUploadUnknown()
 
-  return Response(
-    status=204,
-    headers={
-      'Docker-Upload-UUID': upload_uuid,
-      'Range': _render_range(uploader.blob_upload.byte_count + 1),  # byte ranges are exclusive
-    },
-  )
+    return Response(
+        status=204,
+        headers={
+            "Docker-Upload-UUID": upload_uuid,
+            "Range": _render_range(
+                uploader.blob_upload.byte_count + 1
+            ),  # byte ranges are exclusive
+        },
+    )
 
 
-@v2_bp.route('/<repopath:repository>/blobs/uploads/<upload_uuid>', methods=['PATCH'])
+@v2_bp.route("/<repopath:repository>/blobs/uploads/<upload_uuid>", methods=["PATCH"])
 @parse_repository_name()
-@process_registry_jwt_auth(scopes=['pull', 'push'])
+@process_registry_jwt_auth(scopes=["pull", "push"])
 @require_repo_write
 @anon_protect
 @check_readonly
 def upload_chunk(namespace_name, repo_name, upload_uuid):
-  repository_ref = registry_model.lookup_repository(namespace_name, repo_name)
-  if repository_ref is None:
-    raise NameUnknown()
+    repository_ref = registry_model.lookup_repository(namespace_name, repo_name)
+    if repository_ref is None:
+        raise NameUnknown()
 
-  uploader = retrieve_blob_upload_manager(repository_ref, upload_uuid, storage, _upload_settings())
-  if uploader is None:
-    raise BlobUploadUnknown()
+    uploader = retrieve_blob_upload_manager(
+        repository_ref, upload_uuid, storage, _upload_settings()
+    )
+    if uploader is None:
+        raise BlobUploadUnknown()
 
-  # Upload the chunk for the blob.
-  _upload_chunk(uploader)
+    # Upload the chunk for the blob.
+    _upload_chunk(uploader)
 
-  # Write the response to the client.
-  return Response(
-    status=204,
-    headers={
-      'Location': _current_request_url(),
-      'Range': _render_range(uploader.blob_upload.byte_count, with_bytes_prefix=False),
-      'Docker-Upload-UUID': upload_uuid,
-    },
-  )
+    # Write the response to the client.
+    return Response(
+        status=204,
+        headers={
+            "Location": _current_request_url(),
+            "Range": _render_range(
+                uploader.blob_upload.byte_count, with_bytes_prefix=False
+            ),
+            "Docker-Upload-UUID": upload_uuid,
+        },
+    )
 
 
-@v2_bp.route('/<repopath:repository>/blobs/uploads/<upload_uuid>', methods=['PUT'])
+@v2_bp.route("/<repopath:repository>/blobs/uploads/<upload_uuid>", methods=["PUT"])
 @parse_repository_name()
-@process_registry_jwt_auth(scopes=['pull', 'push'])
+@process_registry_jwt_auth(scopes=["pull", "push"])
 @require_repo_write
 @anon_protect
 @check_readonly
 def monolithic_upload_or_last_chunk(namespace_name, repo_name, upload_uuid):
-  # Ensure the digest is present before proceeding.
-  digest = request.args.get('digest', None)
-  if digest is None:
-    raise BlobUploadInvalid(detail={'reason': 'Missing digest arg on monolithic upload'})
+    # Ensure the digest is present before proceeding.
+    digest = request.args.get("digest", None)
+    if digest is None:
+        raise BlobUploadInvalid(
+            detail={"reason": "Missing digest arg on monolithic upload"}
+        )
 
-  # Find the upload.
-  repository_ref = registry_model.lookup_repository(namespace_name, repo_name)
-  if repository_ref is None:
-    raise NameUnknown()
+    # Find the upload.
+    repository_ref = registry_model.lookup_repository(namespace_name, repo_name)
+    if repository_ref is None:
+        raise NameUnknown()
 
-  uploader = retrieve_blob_upload_manager(repository_ref, upload_uuid, storage, _upload_settings())
-  if uploader is None:
-    raise BlobUploadUnknown()
+    uploader = retrieve_blob_upload_manager(
+        repository_ref, upload_uuid, storage, _upload_settings()
+    )
+    if uploader is None:
+        raise BlobUploadUnknown()
 
-  # Upload the chunk for the blob and commit it once complete.
-  with complete_when_uploaded(uploader):
-    _upload_chunk(uploader, digest)
+    # Upload the chunk for the blob and commit it once complete.
+    with complete_when_uploaded(uploader):
+        _upload_chunk(uploader, digest)
 
-  # Write the response to the client.
-  return Response(status=201, headers={
-    'Docker-Content-Digest': digest,
-    'Location':
-      get_app_url() + url_for('v2.download_blob',
-                              repository='%s/%s' % (namespace_name, repo_name),
-                              digest=digest),
-    },
-  )
+    # Write the response to the client.
+    return Response(
+        status=201,
+        headers={
+            "Docker-Content-Digest": digest,
+            "Location": get_app_url()
+            + url_for(
+                "v2.download_blob",
+                repository="%s/%s" % (namespace_name, repo_name),
+                digest=digest,
+            ),
+        },
+    )
 
 
-@v2_bp.route('/<repopath:repository>/blobs/uploads/<upload_uuid>', methods=['DELETE'])
+@v2_bp.route("/<repopath:repository>/blobs/uploads/<upload_uuid>", methods=["DELETE"])
 @parse_repository_name()
-@process_registry_jwt_auth(scopes=['pull', 'push'])
+@process_registry_jwt_auth(scopes=["pull", "push"])
 @require_repo_write
 @anon_protect
 @check_readonly
 def cancel_upload(namespace_name, repo_name, upload_uuid):
-  repository_ref = registry_model.lookup_repository(namespace_name, repo_name)
-  if repository_ref is None:
-    raise NameUnknown()
+    repository_ref = registry_model.lookup_repository(namespace_name, repo_name)
+    if repository_ref is None:
+        raise NameUnknown()
 
-  uploader = retrieve_blob_upload_manager(repository_ref, upload_uuid, storage, _upload_settings())
-  if uploader is None:
-    raise BlobUploadUnknown()
+    uploader = retrieve_blob_upload_manager(
+        repository_ref, upload_uuid, storage, _upload_settings()
+    )
+    if uploader is None:
+        raise BlobUploadUnknown()
 
-  uploader.cancel_upload()
-  return Response(status=204)
+    uploader.cancel_upload()
+    return Response(status=204)
 
 
-@v2_bp.route('/<repopath:repository>/blobs/<digest>', methods=['DELETE'])
+@v2_bp.route("/<repopath:repository>/blobs/<digest>", methods=["DELETE"])
 @parse_repository_name()
-@process_registry_jwt_auth(scopes=['pull', 'push'])
+@process_registry_jwt_auth(scopes=["pull", "push"])
 @require_repo_write
 @anon_protect
 @check_readonly
 def delete_digest(namespace_name, repo_name, upload_uuid):
-  # We do not support deleting arbitrary digests, as they break repo images.
-  raise Unsupported()
+    # We do not support deleting arbitrary digests, as they break repo images.
+    raise Unsupported()
 
 
 def _render_range(num_uploaded_bytes, with_bytes_prefix=True):
-  """
+    """
   Returns a string formatted to be used in the Range header.
   """
-  return '{0}0-{1}'.format('bytes=' if with_bytes_prefix else '', num_uploaded_bytes - 1)
+    return "{0}0-{1}".format(
+        "bytes=" if with_bytes_prefix else "", num_uploaded_bytes - 1
+    )
 
 
 def _current_request_url():
-  return '{0}{1}{2}'.format(get_app_url(), request.script_root, request.path)
+    return "{0}{1}{2}".format(get_app_url(), request.script_root, request.path)
 
 
 def _abort_range_not_satisfiable(valid_end, upload_uuid):
-  """
+    """
   Writes a failure response for scenarios where the registry cannot function
   with the provided range.
 
   TODO: Unify this with the V2RegistryException class.
   """
-  flask_abort(
-    Response(status=416, headers={
-      'Location': _current_request_url(),
-      'Range': '0-{0}'.format(valid_end),
-      'Docker-Upload-UUID': upload_uuid}))
+    flask_abort(
+        Response(
+            status=416,
+            headers={
+                "Location": _current_request_url(),
+                "Range": "0-{0}".format(valid_end),
+                "Docker-Upload-UUID": upload_uuid,
+            },
+        )
+    )
 
 
 def _parse_range_header(range_header_text):
-  """
+    """
   Parses the range header.
 
   Returns a tuple of the start offset and the length.
   If the parse fails, raises _InvalidRangeHeader.
   """
-  found = RANGE_HEADER_REGEX.match(range_header_text)
-  if found is None:
-    raise _InvalidRangeHeader()
+    found = RANGE_HEADER_REGEX.match(range_header_text)
+    if found is None:
+        raise _InvalidRangeHeader()
 
-  start = int(found.group(1))
-  length = int(found.group(2)) - start
+    start = int(found.group(1))
+    length = int(found.group(2)) - start
 
-  if length <= 0:
-    raise _InvalidRangeHeader()
+    if length <= 0:
+        raise _InvalidRangeHeader()
 
-  return (start, length)
+    return (start, length)
 
 
 def _start_offset_and_length(range_header):
-  """
+    """
   Returns a tuple of the start offset and the length.
   If the range header doesn't exist, defaults to (0, -1).
   If parsing fails, returns (None, None).
   """
-  start_offset, length = 0, -1
-  if range_header is not None:
-    try:
-      start_offset, length = _parse_range_header(range_header)
-    except _InvalidRangeHeader:
-      return None, None
+    start_offset, length = 0, -1
+    if range_header is not None:
+        try:
+            start_offset, length = _parse_range_header(range_header)
+        except _InvalidRangeHeader:
+            return None, None
 
-  return start_offset, length
+    return start_offset, length
 
 
 def _upload_settings():
-  """ Returns the settings for instantiating a blob upload manager. """
-  expiration_sec = app.config['PUSH_TEMP_TAG_EXPIRATION_SEC']
-  settings = BlobUploadSettings(maximum_blob_size=app.config['MAXIMUM_LAYER_SIZE'],
-                                bittorrent_piece_size=app.config['BITTORRENT_PIECE_SIZE'],
-                                committed_blob_expiration=expiration_sec)
-  return settings
+    """ Returns the settings for instantiating a blob upload manager. """
+    expiration_sec = app.config["PUSH_TEMP_TAG_EXPIRATION_SEC"]
+    settings = BlobUploadSettings(
+        maximum_blob_size=app.config["MAXIMUM_LAYER_SIZE"],
+        bittorrent_piece_size=app.config["BITTORRENT_PIECE_SIZE"],
+        committed_blob_expiration=expiration_sec,
+    )
+    return settings
 
 
 def _upload_chunk(blob_uploader, commit_digest=None):
-  """ Performs uploading of a chunk of data in the current request's stream, via the blob uploader
+    """ Performs uploading of a chunk of data in the current request's stream, via the blob uploader
       given. If commit_digest is specified, the upload is committed to a blob once the stream's
       data has been read and stored.
   """
-  start_offset, length = _start_offset_and_length(request.headers.get('range'))
-  if None in {start_offset, length}:
-    raise InvalidRequest(message='Invalid range header')
+    start_offset, length = _start_offset_and_length(request.headers.get("range"))
+    if None in {start_offset, length}:
+        raise InvalidRequest(message="Invalid range header")
 
-  input_fp = get_input_stream(request)
+    input_fp = get_input_stream(request)
 
-  try:
-    # Upload the data received.
-    blob_uploader.upload_chunk(app.config, input_fp, start_offset, length, metric_queue)
+    try:
+        # Upload the data received.
+        blob_uploader.upload_chunk(
+            app.config, input_fp, start_offset, length, metric_queue
+        )
 
-    if commit_digest is not None:
-      # Commit the upload to a blob.
-      return blob_uploader.commit_to_blob(app.config, commit_digest)
-  except BlobTooLargeException as ble:
-    raise LayerTooLarge(uploaded=ble.uploaded, max_allowed=ble.max_allowed)
-  except BlobRangeMismatchException:
-    logger.exception('Exception when uploading blob to %s', blob_uploader.blob_upload_id)
-    _abort_range_not_satisfiable(blob_uploader.blob_upload.byte_count,
-                                 blob_uploader.blob_upload_id)
-  except BlobUploadException:
-    logger.exception('Exception when uploading blob to %s', blob_uploader.blob_upload_id)
-    raise BlobUploadInvalid()
+        if commit_digest is not None:
+            # Commit the upload to a blob.
+            return blob_uploader.commit_to_blob(app.config, commit_digest)
+    except BlobTooLargeException as ble:
+        raise LayerTooLarge(uploaded=ble.uploaded, max_allowed=ble.max_allowed)
+    except BlobRangeMismatchException:
+        logger.exception(
+            "Exception when uploading blob to %s", blob_uploader.blob_upload_id
+        )
+        _abort_range_not_satisfiable(
+            blob_uploader.blob_upload.byte_count, blob_uploader.blob_upload_id
+        )
+    except BlobUploadException:
+        logger.exception(
+            "Exception when uploading blob to %s", blob_uploader.blob_upload_id
+        )
+        raise BlobUploadInvalid()
diff --git a/endpoints/v2/catalog.py b/endpoints/v2/catalog.py
index 240ab6ac5..fa9aa08ae 100644
--- a/endpoints/v2/catalog.py
+++ b/endpoints/v2/catalog.py
@@ -13,43 +13,57 @@ from endpoints.decorators import anon_protect
 from endpoints.v2 import v2_bp, paginate
 
 
-class Repository(namedtuple('Repository', ['id', 'namespace_name', 'name'])):
-  pass
+class Repository(namedtuple("Repository", ["id", "namespace_name", "name"])):
+    pass
 
 
-@v2_bp.route('/_catalog', methods=['GET'])
+@v2_bp.route("/_catalog", methods=["GET"])
 @process_registry_jwt_auth()
 @anon_protect
 @paginate()
 def catalog_search(start_id, limit, pagination_callback):
-  def _load_catalog():
-    include_public = bool(features.PUBLIC_CATALOG)
-    if not include_public and not get_authenticated_user():
-      return []
+    def _load_catalog():
+        include_public = bool(features.PUBLIC_CATALOG)
+        if not include_public and not get_authenticated_user():
+            return []
 
-    username = get_authenticated_user().username if get_authenticated_user() else None
-    if username and not get_authenticated_user().enabled:
-      return []
+        username = (
+            get_authenticated_user().username if get_authenticated_user() else None
+        )
+        if username and not get_authenticated_user().enabled:
+            return []
 
-    query = model.repository.get_visible_repositories(username,
-                                                      kind_filter='image',
-                                                      include_public=include_public,
-                                                      start_id=start_id,
-                                                      limit=limit + 1)
-    # NOTE: The repository ID is in `rid` (not `id`) here, as per the requirements of
-    # the `get_visible_repositories` call.
-    return [Repository(repo.rid, repo.namespace_user.username, repo.name)._asdict()
-            for repo in query]
+        query = model.repository.get_visible_repositories(
+            username,
+            kind_filter="image",
+            include_public=include_public,
+            start_id=start_id,
+            limit=limit + 1,
+        )
+        # NOTE: The repository ID is in `rid` (not `id`) here, as per the requirements of
+        # the `get_visible_repositories` call.
+        return [
+            Repository(repo.rid, repo.namespace_user.username, repo.name)._asdict()
+            for repo in query
+        ]
 
-  context_key = get_authenticated_context().unique_key if get_authenticated_context() else None
-  catalog_cache_key = cache_key.for_catalog_page(context_key, start_id, limit)
-  visible_repositories = [Repository(**repo_dict) for repo_dict
-                          in model_cache.retrieve(catalog_cache_key, _load_catalog)]
+    context_key = (
+        get_authenticated_context().unique_key if get_authenticated_context() else None
+    )
+    catalog_cache_key = cache_key.for_catalog_page(context_key, start_id, limit)
+    visible_repositories = [
+        Repository(**repo_dict)
+        for repo_dict in model_cache.retrieve(catalog_cache_key, _load_catalog)
+    ]
 
-  response = jsonify({
-    'repositories': ['%s/%s' % (repo.namespace_name, repo.name)
-                     for repo in visible_repositories][0:limit],
-  })
+    response = jsonify(
+        {
+            "repositories": [
+                "%s/%s" % (repo.namespace_name, repo.name)
+                for repo in visible_repositories
+            ][0:limit]
+        }
+    )
 
-  pagination_callback(visible_repositories, response)
-  return response
+    pagination_callback(visible_repositories, response)
+    return response
diff --git a/endpoints/v2/errors.py b/endpoints/v2/errors.py
index 1479984db..f142697d1 100644
--- a/endpoints/v2/errors.py
+++ b/endpoints/v2/errors.py
@@ -2,167 +2,216 @@ import bitmath
 
 
 class V2RegistryException(Exception):
-  def __init__(self, error_code_str, message, detail, http_status_code=400, repository=None,
-               scopes=None, is_read_only=False):
-    super(V2RegistryException, self).__init__(message)
-    self.http_status_code = http_status_code
-    self.repository = repository
-    self.scopes = scopes
-    self.is_read_only = is_read_only
+    def __init__(
+        self,
+        error_code_str,
+        message,
+        detail,
+        http_status_code=400,
+        repository=None,
+        scopes=None,
+        is_read_only=False,
+    ):
+        super(V2RegistryException, self).__init__(message)
+        self.http_status_code = http_status_code
+        self.repository = repository
+        self.scopes = scopes
+        self.is_read_only = is_read_only
 
-    self._error_code_str = error_code_str
-    self._detail = detail
+        self._error_code_str = error_code_str
+        self._detail = detail
 
-  def as_dict(self):
-    error_dict = {
-      'code': self._error_code_str,
-      'message': str(self),
-      'detail': self._detail if self._detail is not None else {},
-    }
+    def as_dict(self):
+        error_dict = {
+            "code": self._error_code_str,
+            "message": str(self),
+            "detail": self._detail if self._detail is not None else {},
+        }
 
-    if self.is_read_only:
-      error_dict['is_readonly'] = True
+        if self.is_read_only:
+            error_dict["is_readonly"] = True
 
-    return error_dict
+        return error_dict
 
 
 class BlobUnknown(V2RegistryException):
-  def __init__(self, detail=None):
-    super(BlobUnknown, self).__init__('BLOB_UNKNOWN', 'blob unknown to registry', detail, 404)
+    def __init__(self, detail=None):
+        super(BlobUnknown, self).__init__(
+            "BLOB_UNKNOWN", "blob unknown to registry", detail, 404
+        )
 
 
 class BlobUploadInvalid(V2RegistryException):
-  def __init__(self, detail=None):
-    super(BlobUploadInvalid, self).__init__('BLOB_UPLOAD_INVALID', 'blob upload invalid', detail)
+    def __init__(self, detail=None):
+        super(BlobUploadInvalid, self).__init__(
+            "BLOB_UPLOAD_INVALID", "blob upload invalid", detail
+        )
 
 
 class BlobUploadUnknown(V2RegistryException):
-  def __init__(self, detail=None):
-    super(BlobUploadUnknown, self).__init__('BLOB_UPLOAD_UNKNOWN',
-                                            'blob upload unknown to registry', detail, 404)
+    def __init__(self, detail=None):
+        super(BlobUploadUnknown, self).__init__(
+            "BLOB_UPLOAD_UNKNOWN", "blob upload unknown to registry", detail, 404
+        )
 
 
 class DigestInvalid(V2RegistryException):
-  def __init__(self, detail=None):
-    super(DigestInvalid, self).__init__('DIGEST_INVALID',
-                                        'provided digest did not match uploaded content', detail)
+    def __init__(self, detail=None):
+        super(DigestInvalid, self).__init__(
+            "DIGEST_INVALID", "provided digest did not match uploaded content", detail
+        )
 
 
 class ManifestBlobUnknown(V2RegistryException):
-  def __init__(self, detail=None):
-    super(ManifestBlobUnknown, self).__init__('MANIFEST_BLOB_UNKNOWN',
-                                              'manifest blob unknown to registry', detail)
+    def __init__(self, detail=None):
+        super(ManifestBlobUnknown, self).__init__(
+            "MANIFEST_BLOB_UNKNOWN", "manifest blob unknown to registry", detail
+        )
 
 
 class ManifestInvalid(V2RegistryException):
-  def __init__(self, detail=None, http_status_code=400):
-    super(ManifestInvalid, self).__init__('MANIFEST_INVALID', 'manifest invalid', detail,
-                                          http_status_code)
+    def __init__(self, detail=None, http_status_code=400):
+        super(ManifestInvalid, self).__init__(
+            "MANIFEST_INVALID", "manifest invalid", detail, http_status_code
+        )
 
 
 class ManifestUnknown(V2RegistryException):
-  def __init__(self, detail=None):
-    super(ManifestUnknown, self).__init__('MANIFEST_UNKNOWN', 'manifest unknown', detail, 404)
+    def __init__(self, detail=None):
+        super(ManifestUnknown, self).__init__(
+            "MANIFEST_UNKNOWN", "manifest unknown", detail, 404
+        )
 
 
 class TagExpired(V2RegistryException):
-  def __init__(self, message=None, detail=None):
-    super(TagExpired, self).__init__('TAG_EXPIRED',
-                                     message or 'Tag has expired',
-                                     detail,
-                                     404)
+    def __init__(self, message=None, detail=None):
+        super(TagExpired, self).__init__(
+            "TAG_EXPIRED", message or "Tag has expired", detail, 404
+        )
 
 
 class ManifestUnverified(V2RegistryException):
-  def __init__(self, detail=None):
-    super(ManifestUnverified, self).__init__('MANIFEST_UNVERIFIED',
-                                             'manifest failed signature verification', detail)
+    def __init__(self, detail=None):
+        super(ManifestUnverified, self).__init__(
+            "MANIFEST_UNVERIFIED", "manifest failed signature verification", detail
+        )
 
 
 class NameInvalid(V2RegistryException):
-  def __init__(self, detail=None, message=None):
-    super(NameInvalid, self).__init__('NAME_INVALID', message or 'invalid repository name', detail)
+    def __init__(self, detail=None, message=None):
+        super(NameInvalid, self).__init__(
+            "NAME_INVALID", message or "invalid repository name", detail
+        )
 
 
 class NameUnknown(V2RegistryException):
-  def __init__(self, detail=None):
-    super(NameUnknown, self).__init__('NAME_UNKNOWN', 'repository name not known to registry',
-                                      detail, 404)
+    def __init__(self, detail=None):
+        super(NameUnknown, self).__init__(
+            "NAME_UNKNOWN", "repository name not known to registry", detail, 404
+        )
 
 
 class SizeInvalid(V2RegistryException):
-  def __init__(self, detail=None):
-    super(SizeInvalid, self).__init__('SIZE_INVALID',
-                                      'provided length did not match content length', detail)
+    def __init__(self, detail=None):
+        super(SizeInvalid, self).__init__(
+            "SIZE_INVALID", "provided length did not match content length", detail
+        )
 
 
 class TagAlreadyExists(V2RegistryException):
-  def __init__(self, detail=None):
-    super(TagAlreadyExists, self).__init__('TAG_ALREADY_EXISTS', 'tag was already pushed', detail,
-                                           409)
+    def __init__(self, detail=None):
+        super(TagAlreadyExists, self).__init__(
+            "TAG_ALREADY_EXISTS", "tag was already pushed", detail, 409
+        )
 
 
 class TagInvalid(V2RegistryException):
-  def __init__(self, detail=None):
-    super(TagInvalid, self).__init__('TAG_INVALID', 'manifest tag did not match URI', detail)
+    def __init__(self, detail=None):
+        super(TagInvalid, self).__init__(
+            "TAG_INVALID", "manifest tag did not match URI", detail
+        )
 
 
 class LayerTooLarge(V2RegistryException):
-  def __init__(self, uploaded=None, max_allowed=None):
-    detail = {}
-    message = 'Uploaded blob is larger than allowed by this registry'
+    def __init__(self, uploaded=None, max_allowed=None):
+        detail = {}
+        message = "Uploaded blob is larger than allowed by this registry"
 
-    if uploaded is not None and max_allowed is not None:
-      detail = {
-        'reason': '%s is greater than maximum allowed size %s' % (uploaded, max_allowed),
-        'max_allowed': max_allowed,
-        'uploaded': uploaded,}
+        if uploaded is not None and max_allowed is not None:
+            detail = {
+                "reason": "%s is greater than maximum allowed size %s"
+                % (uploaded, max_allowed),
+                "max_allowed": max_allowed,
+                "uploaded": uploaded,
+            }
 
-      up_str = bitmath.Byte(uploaded).best_prefix().format("{value:.2f} {unit}")
-      max_str = bitmath.Byte(max_allowed).best_prefix().format("{value:.2f} {unit}")
-      message = 'Uploaded blob of %s is larger than %s allowed by this registry' % (up_str,
-                                                                                    max_str)
+            up_str = bitmath.Byte(uploaded).best_prefix().format("{value:.2f} {unit}")
+            max_str = (
+                bitmath.Byte(max_allowed).best_prefix().format("{value:.2f} {unit}")
+            )
+            message = (
+                "Uploaded blob of %s is larger than %s allowed by this registry"
+                % (up_str, max_str)
+            )
 
 
 class Unauthorized(V2RegistryException):
-  def __init__(self, detail=None, repository=None, scopes=None):
-    super(Unauthorized,
-          self).__init__('UNAUTHORIZED', 'access to the requested resource is not authorized',
-                         detail, 401, repository=repository, scopes=scopes)
+    def __init__(self, detail=None, repository=None, scopes=None):
+        super(Unauthorized, self).__init__(
+            "UNAUTHORIZED",
+            "access to the requested resource is not authorized",
+            detail,
+            401,
+            repository=repository,
+            scopes=scopes,
+        )
 
 
 class Unsupported(V2RegistryException):
-  def __init__(self, detail=None, message=None):
-    super(Unsupported, self).__init__('UNSUPPORTED', message or 'The operation is unsupported.',
-                                      detail, 405)
+    def __init__(self, detail=None, message=None):
+        super(Unsupported, self).__init__(
+            "UNSUPPORTED", message or "The operation is unsupported.", detail, 405
+        )
 
 
 class InvalidLogin(V2RegistryException):
-  def __init__(self, message=None):
-    super(InvalidLogin, self).__init__('UNAUTHORIZED', message or
-                                       'Specified credentials are invalid', {}, 401)
+    def __init__(self, message=None):
+        super(InvalidLogin, self).__init__(
+            "UNAUTHORIZED", message or "Specified credentials are invalid", {}, 401
+        )
 
 
 class InvalidRequest(V2RegistryException):
-  def __init__(self, message=None):
-    super(InvalidRequest, self).__init__('INVALID_REQUEST', message or 'Invalid request', {}, 400)
+    def __init__(self, message=None):
+        super(InvalidRequest, self).__init__(
+            "INVALID_REQUEST", message or "Invalid request", {}, 400
+        )
 
 
 class NamespaceDisabled(V2RegistryException):
-  def __init__(self, message=None):
-    message = message or 'This namespace is disabled. Please contact your system administrator.'
-    super(NamespaceDisabled, self).__init__('DENIED', message, {}, 405)
+    def __init__(self, message=None):
+        message = (
+            message
+            or "This namespace is disabled. Please contact your system administrator."
+        )
+        super(NamespaceDisabled, self).__init__("DENIED", message, {}, 405)
 
 
 class BlobDownloadGeoBlocked(V2RegistryException):
-  def __init__(self, detail=None):
-    message = ('The region from which you are pulling has been geo-ip blocked. ' +
-               'Please contact the namespace owner.')
-    super(BlobDownloadGeoBlocked, self).__init__('DENIED', message, detail, 403)
+    def __init__(self, detail=None):
+        message = (
+            "The region from which you are pulling has been geo-ip blocked. "
+            + "Please contact the namespace owner."
+        )
+        super(BlobDownloadGeoBlocked, self).__init__("DENIED", message, detail, 403)
 
 
 class ReadOnlyMode(V2RegistryException):
-  def __init__(self, detail=None):
-    message = ('System is currently read-only. Pulls will succeed but all write operations ' +
-               'are currently suspended.')
-    super(ReadOnlyMode, self).__init__('DENIED', message, detail, 405, is_read_only=True)
+    def __init__(self, detail=None):
+        message = (
+            "System is currently read-only. Pulls will succeed but all write operations "
+            + "are currently suspended."
+        )
+        super(ReadOnlyMode, self).__init__(
+            "DENIED", message, detail, 405, is_read_only=True
+        )
diff --git a/endpoints/v2/manifest.py b/endpoints/v2/manifest.py
index b71b3bb3f..cb0e1d50b 100644
--- a/endpoints/v2/manifest.py
+++ b/endpoints/v2/manifest.py
@@ -13,10 +13,18 @@ from data.registry_model import registry_model
 from data.model.oci.manifest import CreateManifestException
 from endpoints.decorators import anon_protect, parse_repository_name, check_readonly
 from endpoints.v2 import v2_bp, require_repo_read, require_repo_write
-from endpoints.v2.errors import (ManifestInvalid, ManifestUnknown, NameInvalid, TagExpired,
-                                 NameUnknown)
+from endpoints.v2.errors import (
+    ManifestInvalid,
+    ManifestUnknown,
+    NameInvalid,
+    TagExpired,
+    NameUnknown,
+)
 from image.docker import ManifestException
-from image.docker.schema1 import DOCKER_SCHEMA1_MANIFEST_CONTENT_TYPE, DOCKER_SCHEMA1_CONTENT_TYPES
+from image.docker.schema1 import (
+    DOCKER_SCHEMA1_MANIFEST_CONTENT_TYPE,
+    DOCKER_SCHEMA1_CONTENT_TYPES,
+)
 from image.docker.schema2 import DOCKER_SCHEMA2_CONTENT_TYPES, OCI_CONTENT_TYPES
 from image.docker.schemas import parse_manifest_from_bytes
 from notifications import spawn_notification
@@ -33,292 +41,342 @@ MANIFEST_DIGEST_ROUTE = BASE_MANIFEST_ROUTE.format(digest_tools.DIGEST_PATTERN)
 MANIFEST_TAGNAME_ROUTE = BASE_MANIFEST_ROUTE.format(VALID_TAG_PATTERN)
 
 
-@v2_bp.route(MANIFEST_TAGNAME_ROUTE, methods=['GET'])
+@v2_bp.route(MANIFEST_TAGNAME_ROUTE, methods=["GET"])
 @parse_repository_name()
-@process_registry_jwt_auth(scopes=['pull'])
+@process_registry_jwt_auth(scopes=["pull"])
 @require_repo_read
 @anon_protect
 def fetch_manifest_by_tagname(namespace_name, repo_name, manifest_ref):
-  repository_ref = registry_model.lookup_repository(namespace_name, repo_name)
-  if repository_ref is None:
-    raise NameUnknown()
+    repository_ref = registry_model.lookup_repository(namespace_name, repo_name)
+    if repository_ref is None:
+        raise NameUnknown()
 
-  tag = registry_model.get_repo_tag(repository_ref, manifest_ref)
-  if tag is None:
-    if registry_model.has_expired_tag(repository_ref, manifest_ref):
-      logger.debug('Found expired tag %s for repository %s/%s', manifest_ref, namespace_name,
-                   repo_name)
-      msg = 'Tag %s was deleted or has expired. To pull, revive via time machine' % manifest_ref
-      raise TagExpired(msg)
+    tag = registry_model.get_repo_tag(repository_ref, manifest_ref)
+    if tag is None:
+        if registry_model.has_expired_tag(repository_ref, manifest_ref):
+            logger.debug(
+                "Found expired tag %s for repository %s/%s",
+                manifest_ref,
+                namespace_name,
+                repo_name,
+            )
+            msg = (
+                "Tag %s was deleted or has expired. To pull, revive via time machine"
+                % manifest_ref
+            )
+            raise TagExpired(msg)
 
-    raise ManifestUnknown()
+        raise ManifestUnknown()
 
-  manifest = registry_model.get_manifest_for_tag(tag, backfill_if_necessary=True)
-  if manifest is None:
-    # Something went wrong.
-    raise ManifestInvalid()
+    manifest = registry_model.get_manifest_for_tag(tag, backfill_if_necessary=True)
+    if manifest is None:
+        # Something went wrong.
+        raise ManifestInvalid()
 
-  manifest_bytes, manifest_digest, manifest_media_type = _rewrite_schema_if_necessary(
-    namespace_name, repo_name, manifest_ref, manifest)
-  if manifest_bytes is None:
-    raise ManifestUnknown()
+    manifest_bytes, manifest_digest, manifest_media_type = _rewrite_schema_if_necessary(
+        namespace_name, repo_name, manifest_ref, manifest
+    )
+    if manifest_bytes is None:
+        raise ManifestUnknown()
 
-  track_and_log('pull_repo', repository_ref, analytics_name='pull_repo_100x', analytics_sample=0.01,
-                tag=manifest_ref)
-  metric_queue.repository_pull.Inc(labelvalues=[namespace_name, repo_name, 'v2', True])
+    track_and_log(
+        "pull_repo",
+        repository_ref,
+        analytics_name="pull_repo_100x",
+        analytics_sample=0.01,
+        tag=manifest_ref,
+    )
+    metric_queue.repository_pull.Inc(
+        labelvalues=[namespace_name, repo_name, "v2", True]
+    )
 
-  return Response(
-    manifest_bytes.as_unicode(),
-    status=200,
-    headers={
-      'Content-Type': manifest_media_type,
-      'Docker-Content-Digest': manifest_digest,
-    },
-  )
+    return Response(
+        manifest_bytes.as_unicode(),
+        status=200,
+        headers={
+            "Content-Type": manifest_media_type,
+            "Docker-Content-Digest": manifest_digest,
+        },
+    )
 
 
-@v2_bp.route(MANIFEST_DIGEST_ROUTE, methods=['GET'])
+@v2_bp.route(MANIFEST_DIGEST_ROUTE, methods=["GET"])
 @parse_repository_name()
-@process_registry_jwt_auth(scopes=['pull'])
+@process_registry_jwt_auth(scopes=["pull"])
 @require_repo_read
 @anon_protect
 def fetch_manifest_by_digest(namespace_name, repo_name, manifest_ref):
-  repository_ref = registry_model.lookup_repository(namespace_name, repo_name)
-  if repository_ref is None:
-    raise NameUnknown()
+    repository_ref = registry_model.lookup_repository(namespace_name, repo_name)
+    if repository_ref is None:
+        raise NameUnknown()
 
-  manifest = registry_model.lookup_manifest_by_digest(repository_ref, manifest_ref)
-  if manifest is None:
-    raise ManifestUnknown()
+    manifest = registry_model.lookup_manifest_by_digest(repository_ref, manifest_ref)
+    if manifest is None:
+        raise ManifestUnknown()
 
-  manifest_bytes, manifest_digest, manifest_media_type = _rewrite_schema_if_necessary(
-    namespace_name, repo_name, '$digest', manifest)
-  if manifest_digest is None:
-    raise ManifestUnknown()
+    manifest_bytes, manifest_digest, manifest_media_type = _rewrite_schema_if_necessary(
+        namespace_name, repo_name, "$digest", manifest
+    )
+    if manifest_digest is None:
+        raise ManifestUnknown()
 
-  track_and_log('pull_repo', repository_ref, manifest_digest=manifest_ref)
-  metric_queue.repository_pull.Inc(labelvalues=[namespace_name, repo_name, 'v2', True])
+    track_and_log("pull_repo", repository_ref, manifest_digest=manifest_ref)
+    metric_queue.repository_pull.Inc(
+        labelvalues=[namespace_name, repo_name, "v2", True]
+    )
 
-  return Response(manifest_bytes.as_unicode(), status=200, headers={
-    'Content-Type': manifest_media_type,
-    'Docker-Content-Digest': manifest_digest,
-  })
+    return Response(
+        manifest_bytes.as_unicode(),
+        status=200,
+        headers={
+            "Content-Type": manifest_media_type,
+            "Docker-Content-Digest": manifest_digest,
+        },
+    )
 
 
 def _rewrite_schema_if_necessary(namespace_name, repo_name, tag_name, manifest):
-  # As per the Docker protocol, if the manifest is not schema version 1 and the manifest's
-  # media type is not in the Accept header, we return a schema 1 version of the manifest for
-  # the amd64+linux platform, if any, or None if none.
-  # See: https://docs.docker.com/registry/spec/manifest-v2-2
-  mimetypes = [mimetype for mimetype, _ in request.accept_mimetypes]
-  if manifest.media_type in mimetypes:
-    return manifest.internal_manifest_bytes, manifest.digest, manifest.media_type
+    # As per the Docker protocol, if the manifest is not schema version 1 and the manifest's
+    # media type is not in the Accept header, we return a schema 1 version of the manifest for
+    # the amd64+linux platform, if any, or None if none.
+    # See: https://docs.docker.com/registry/spec/manifest-v2-2
+    mimetypes = [mimetype for mimetype, _ in request.accept_mimetypes]
+    if manifest.media_type in mimetypes:
+        return manifest.internal_manifest_bytes, manifest.digest, manifest.media_type
 
-  # Short-circuit check: If the mimetypes is empty or just `application/json`, verify we have
-  # a schema 1 manifest and return it.
-  if not mimetypes or mimetypes == ['application/json']:
-    if manifest.media_type in DOCKER_SCHEMA1_CONTENT_TYPES:
-      return manifest.internal_manifest_bytes, manifest.digest, manifest.media_type
+    # Short-circuit check: If the mimetypes is empty or just `application/json`, verify we have
+    # a schema 1 manifest and return it.
+    if not mimetypes or mimetypes == ["application/json"]:
+        if manifest.media_type in DOCKER_SCHEMA1_CONTENT_TYPES:
+            return (
+                manifest.internal_manifest_bytes,
+                manifest.digest,
+                manifest.media_type,
+            )
 
-  logger.debug('Manifest `%s` not compatible against %s; checking for conversion', manifest.digest,
-               request.accept_mimetypes)
-  converted = registry_model.convert_manifest(manifest, namespace_name, repo_name, tag_name,
-                                              mimetypes, storage)
-  if converted is not None:
-    return converted.bytes, converted.digest, converted.media_type
+    logger.debug(
+        "Manifest `%s` not compatible against %s; checking for conversion",
+        manifest.digest,
+        request.accept_mimetypes,
+    )
+    converted = registry_model.convert_manifest(
+        manifest, namespace_name, repo_name, tag_name, mimetypes, storage
+    )
+    if converted is not None:
+        return converted.bytes, converted.digest, converted.media_type
 
-  # For back-compat, we always default to schema 1 if the manifest could not be converted.
-  schema1 = registry_model.get_schema1_parsed_manifest(manifest, namespace_name, repo_name,
-                                                       tag_name, storage)
-  if schema1 is None:
-    return None, None, None
+    # For back-compat, we always default to schema 1 if the manifest could not be converted.
+    schema1 = registry_model.get_schema1_parsed_manifest(
+        manifest, namespace_name, repo_name, tag_name, storage
+    )
+    if schema1 is None:
+        return None, None, None
 
-  return schema1.bytes, schema1.digest, schema1.media_type
+    return schema1.bytes, schema1.digest, schema1.media_type
 
 
 def _reject_manifest2_schema2(func):
-  @wraps(func)
-  def wrapped(*args, **kwargs):
-    namespace_name = kwargs['namespace_name']
-    if registry_model.supports_schema2(namespace_name):
-      return func(*args, **kwargs)
+    @wraps(func)
+    def wrapped(*args, **kwargs):
+        namespace_name = kwargs["namespace_name"]
+        if registry_model.supports_schema2(namespace_name):
+            return func(*args, **kwargs)
 
-    if _doesnt_accept_schema_v1() or \
-      request.content_type in DOCKER_SCHEMA2_CONTENT_TYPES | OCI_CONTENT_TYPES:
-      raise ManifestInvalid(detail={'message': 'manifest schema version not supported'},
-                            http_status_code=415)
-    return func(*args, **kwargs)
+        if (
+            _doesnt_accept_schema_v1()
+            or request.content_type in DOCKER_SCHEMA2_CONTENT_TYPES | OCI_CONTENT_TYPES
+        ):
+            raise ManifestInvalid(
+                detail={"message": "manifest schema version not supported"},
+                http_status_code=415,
+            )
+        return func(*args, **kwargs)
 
-  return wrapped
+    return wrapped
 
 
 def _doesnt_accept_schema_v1():
-  # If the client doesn't specify anything, still give them Schema v1.
-  return len(request.accept_mimetypes) != 0 and \
-         DOCKER_SCHEMA1_MANIFEST_CONTENT_TYPE not in request.accept_mimetypes
+    # If the client doesn't specify anything, still give them Schema v1.
+    return (
+        len(request.accept_mimetypes) != 0
+        and DOCKER_SCHEMA1_MANIFEST_CONTENT_TYPE not in request.accept_mimetypes
+    )
 
 
-@v2_bp.route(MANIFEST_TAGNAME_ROUTE, methods=['PUT'])
+@v2_bp.route(MANIFEST_TAGNAME_ROUTE, methods=["PUT"])
 @parse_repository_name()
 @_reject_manifest2_schema2
-@process_registry_jwt_auth(scopes=['pull', 'push'])
+@process_registry_jwt_auth(scopes=["pull", "push"])
 @require_repo_write
 @anon_protect
 @check_readonly
 def write_manifest_by_tagname(namespace_name, repo_name, manifest_ref):
-  parsed = _parse_manifest()
-  return _write_manifest_and_log(namespace_name, repo_name, manifest_ref, parsed)
+    parsed = _parse_manifest()
+    return _write_manifest_and_log(namespace_name, repo_name, manifest_ref, parsed)
 
 
-@v2_bp.route(MANIFEST_DIGEST_ROUTE, methods=['PUT'])
+@v2_bp.route(MANIFEST_DIGEST_ROUTE, methods=["PUT"])
 @parse_repository_name()
 @_reject_manifest2_schema2
-@process_registry_jwt_auth(scopes=['pull', 'push'])
+@process_registry_jwt_auth(scopes=["pull", "push"])
 @require_repo_write
 @anon_protect
 @check_readonly
 def write_manifest_by_digest(namespace_name, repo_name, manifest_ref):
-  parsed = _parse_manifest()
-  if parsed.digest != manifest_ref:
-    raise ManifestInvalid(detail={'message': 'manifest digest mismatch'})
+    parsed = _parse_manifest()
+    if parsed.digest != manifest_ref:
+        raise ManifestInvalid(detail={"message": "manifest digest mismatch"})
 
-  if parsed.schema_version != 2:
-    return _write_manifest_and_log(namespace_name, repo_name, parsed.tag, parsed)
+    if parsed.schema_version != 2:
+        return _write_manifest_and_log(namespace_name, repo_name, parsed.tag, parsed)
 
-  # If the manifest is schema version 2, then this cannot be a normal tag-based push, as the
-  # manifest does not contain the tag and this call was not given a tag name. Instead, we write the
-  # manifest with a temporary tag, as it is being pushed as part of a call for a manifest list.
-  repository_ref = registry_model.lookup_repository(namespace_name, repo_name)
-  if repository_ref is None:
-    raise NameUnknown()
+    # If the manifest is schema version 2, then this cannot be a normal tag-based push, as the
+    # manifest does not contain the tag and this call was not given a tag name. Instead, we write the
+    # manifest with a temporary tag, as it is being pushed as part of a call for a manifest list.
+    repository_ref = registry_model.lookup_repository(namespace_name, repo_name)
+    if repository_ref is None:
+        raise NameUnknown()
 
-  expiration_sec = app.config['PUSH_TEMP_TAG_EXPIRATION_SEC']
-  manifest = registry_model.create_manifest_with_temp_tag(repository_ref, parsed, expiration_sec,
-                                                          storage)
-  if manifest is None:
-    raise ManifestInvalid()
+    expiration_sec = app.config["PUSH_TEMP_TAG_EXPIRATION_SEC"]
+    manifest = registry_model.create_manifest_with_temp_tag(
+        repository_ref, parsed, expiration_sec, storage
+    )
+    if manifest is None:
+        raise ManifestInvalid()
 
-  return Response(
-    'OK',
-    status=202,
-    headers={
-      'Docker-Content-Digest': manifest.digest,
-      'Location':
-        url_for('v2.fetch_manifest_by_digest',
-                repository='%s/%s' % (namespace_name, repo_name),
-                manifest_ref=manifest.digest),
-    },
-  )
+    return Response(
+        "OK",
+        status=202,
+        headers={
+            "Docker-Content-Digest": manifest.digest,
+            "Location": url_for(
+                "v2.fetch_manifest_by_digest",
+                repository="%s/%s" % (namespace_name, repo_name),
+                manifest_ref=manifest.digest,
+            ),
+        },
+    )
 
 
 def _parse_manifest():
-  content_type = request.content_type or DOCKER_SCHEMA1_MANIFEST_CONTENT_TYPE
-  if content_type == 'application/json':
-    # For back-compat.
-    content_type = DOCKER_SCHEMA1_MANIFEST_CONTENT_TYPE
+    content_type = request.content_type or DOCKER_SCHEMA1_MANIFEST_CONTENT_TYPE
+    if content_type == "application/json":
+        # For back-compat.
+        content_type = DOCKER_SCHEMA1_MANIFEST_CONTENT_TYPE
 
-  try:
-    return parse_manifest_from_bytes(Bytes.for_string_or_unicode(request.data), content_type)
-  except ManifestException as me:
-    logger.exception("failed to parse manifest when writing by tagname")
-    raise ManifestInvalid(detail={'message': 'failed to parse manifest: %s' % me})
+    try:
+        return parse_manifest_from_bytes(
+            Bytes.for_string_or_unicode(request.data), content_type
+        )
+    except ManifestException as me:
+        logger.exception("failed to parse manifest when writing by tagname")
+        raise ManifestInvalid(detail={"message": "failed to parse manifest: %s" % me})
 
 
-@v2_bp.route(MANIFEST_DIGEST_ROUTE, methods=['DELETE'])
+@v2_bp.route(MANIFEST_DIGEST_ROUTE, methods=["DELETE"])
 @parse_repository_name()
-@process_registry_jwt_auth(scopes=['pull', 'push'])
+@process_registry_jwt_auth(scopes=["pull", "push"])
 @require_repo_write
 @anon_protect
 @check_readonly
 def delete_manifest_by_digest(namespace_name, repo_name, manifest_ref):
-  """
+    """
   Delete the manifest specified by the digest.
 
   Note: there is no equivalent method for deleting by tag name because it is
   forbidden by the spec.
   """
-  repository_ref = registry_model.lookup_repository(namespace_name, repo_name)
-  if repository_ref is None:
-    raise NameUnknown()
+    repository_ref = registry_model.lookup_repository(namespace_name, repo_name)
+    if repository_ref is None:
+        raise NameUnknown()
 
-  manifest = registry_model.lookup_manifest_by_digest(repository_ref, manifest_ref)
-  if manifest is None:
-    raise ManifestUnknown()
+    manifest = registry_model.lookup_manifest_by_digest(repository_ref, manifest_ref)
+    if manifest is None:
+        raise ManifestUnknown()
 
-  tags = registry_model.delete_tags_for_manifest(manifest)
-  if not tags:
-    raise ManifestUnknown()
+    tags = registry_model.delete_tags_for_manifest(manifest)
+    if not tags:
+        raise ManifestUnknown()
 
-  for tag in tags:
-    track_and_log('delete_tag', repository_ref, tag=tag.name, digest=manifest_ref)
+    for tag in tags:
+        track_and_log("delete_tag", repository_ref, tag=tag.name, digest=manifest_ref)
 
-  return Response(status=202)
+    return Response(status=202)
 
 
 def _write_manifest_and_log(namespace_name, repo_name, tag_name, manifest_impl):
-  repository_ref, manifest, tag = _write_manifest(namespace_name, repo_name, tag_name,
-                                                  manifest_impl)
+    repository_ref, manifest, tag = _write_manifest(
+        namespace_name, repo_name, tag_name, manifest_impl
+    )
 
-  # Queue all blob manifests for replication.
-  if features.STORAGE_REPLICATION:
-    blobs = registry_model.get_manifest_local_blobs(manifest)
-    if blobs is None:
-      logger.error('Could not lookup blobs for manifest `%s`', manifest.digest)
-    else:
-      with queue_replication_batch(namespace_name) as queue_storage_replication:
-        for blob_digest in blobs:
-          queue_storage_replication(blob_digest)
+    # Queue all blob manifests for replication.
+    if features.STORAGE_REPLICATION:
+        blobs = registry_model.get_manifest_local_blobs(manifest)
+        if blobs is None:
+            logger.error("Could not lookup blobs for manifest `%s`", manifest.digest)
+        else:
+            with queue_replication_batch(namespace_name) as queue_storage_replication:
+                for blob_digest in blobs:
+                    queue_storage_replication(blob_digest)
 
-  track_and_log('push_repo', repository_ref, tag=tag_name)
-  spawn_notification(repository_ref, 'repo_push', {'updated_tags': [tag_name]})
-  metric_queue.repository_push.Inc(labelvalues=[namespace_name, repo_name, 'v2', True])
+    track_and_log("push_repo", repository_ref, tag=tag_name)
+    spawn_notification(repository_ref, "repo_push", {"updated_tags": [tag_name]})
+    metric_queue.repository_push.Inc(
+        labelvalues=[namespace_name, repo_name, "v2", True]
+    )
 
-  return Response(
-    'OK',
-    status=202,
-    headers={
-      'Docker-Content-Digest': manifest.digest,
-      'Location':
-        url_for('v2.fetch_manifest_by_digest',
-                repository='%s/%s' % (namespace_name, repo_name),
-                manifest_ref=manifest.digest),
-    },
-  )
+    return Response(
+        "OK",
+        status=202,
+        headers={
+            "Docker-Content-Digest": manifest.digest,
+            "Location": url_for(
+                "v2.fetch_manifest_by_digest",
+                repository="%s/%s" % (namespace_name, repo_name),
+                manifest_ref=manifest.digest,
+            ),
+        },
+    )
 
 
 def _write_manifest(namespace_name, repo_name, tag_name, manifest_impl):
-  # NOTE: These extra checks are needed for schema version 1 because the manifests
-  # contain the repo namespace, name and tag name.
-  if manifest_impl.schema_version == 1:
-    if (manifest_impl.namespace == '' and features.LIBRARY_SUPPORT and
-        namespace_name == app.config['LIBRARY_NAMESPACE']):
-      pass
-    elif manifest_impl.namespace != namespace_name:
-      raise NameInvalid()
+    # NOTE: These extra checks are needed for schema version 1 because the manifests
+    # contain the repo namespace, name and tag name.
+    if manifest_impl.schema_version == 1:
+        if (
+            manifest_impl.namespace == ""
+            and features.LIBRARY_SUPPORT
+            and namespace_name == app.config["LIBRARY_NAMESPACE"]
+        ):
+            pass
+        elif manifest_impl.namespace != namespace_name:
+            raise NameInvalid()
 
-    if manifest_impl.repo_name != repo_name:
-      raise NameInvalid()
+        if manifest_impl.repo_name != repo_name:
+            raise NameInvalid()
 
+        try:
+            if not manifest_impl.layers:
+                raise ManifestInvalid(
+                    detail={"message": "manifest does not reference any layers"}
+                )
+        except ManifestException as me:
+            raise ManifestInvalid(detail={"message": str(me)})
+
+    # Ensure that the repository exists.
+    repository_ref = registry_model.lookup_repository(namespace_name, repo_name)
+    if repository_ref is None:
+        raise NameUnknown()
+
+    # Create the manifest(s) and retarget the tag to point to it.
     try:
-      if not manifest_impl.layers:
-        raise ManifestInvalid(detail={'message': 'manifest does not reference any layers'})
-    except ManifestException as me:
-      raise ManifestInvalid(detail={'message': str(me)})
+        manifest, tag = registry_model.create_manifest_and_retarget_tag(
+            repository_ref, manifest_impl, tag_name, storage, raise_on_error=True
+        )
+    except CreateManifestException as cme:
+        raise ManifestInvalid(detail={"message": str(cme)})
 
-  # Ensure that the repository exists.
-  repository_ref = registry_model.lookup_repository(namespace_name, repo_name)
-  if repository_ref is None:
-    raise NameUnknown()
+    if manifest is None:
+        raise ManifestInvalid()
 
-  # Create the manifest(s) and retarget the tag to point to it.
-  try:
-    manifest, tag = registry_model.create_manifest_and_retarget_tag(repository_ref, manifest_impl,
-                                                                    tag_name, storage,
-                                                                    raise_on_error=True)
-  except CreateManifestException as cme:
-    raise ManifestInvalid(detail={'message': str(cme)})
-
-  if manifest is None:
-    raise ManifestInvalid()
-
-  return repository_ref, manifest, tag
+    return repository_ref, manifest, tag
diff --git a/endpoints/v2/tag.py b/endpoints/v2/tag.py
index 779a78351..1904ae7c5 100644
--- a/endpoints/v2/tag.py
+++ b/endpoints/v2/tag.py
@@ -8,25 +8,28 @@ from endpoints.v2 import v2_bp, require_repo_read, paginate
 from endpoints.v2.errors import NameUnknown
 
 
-@v2_bp.route('/<repopath:repository>/tags/list', methods=['GET'])
+@v2_bp.route("/<repopath:repository>/tags/list", methods=["GET"])
 @parse_repository_name()
-@process_registry_jwt_auth(scopes=['pull'])
+@process_registry_jwt_auth(scopes=["pull"])
 @require_repo_read
 @anon_protect
 @paginate()
 def list_all_tags(namespace_name, repo_name, start_id, limit, pagination_callback):
-  repository_ref = registry_model.lookup_repository(namespace_name, repo_name)
-  if repository_ref is None:
-    raise NameUnknown()
+    repository_ref = registry_model.lookup_repository(namespace_name, repo_name)
+    if repository_ref is None:
+        raise NameUnknown()
 
-  # NOTE: We add 1 to the limit because that's how pagination_callback knows if there are
-  # additional tags.
-  tags = registry_model.lookup_cached_active_repository_tags(model_cache, repository_ref, start_id,
-                                                             limit + 1)
-  response = jsonify({
-    'name': '{0}/{1}'.format(namespace_name, repo_name),
-    'tags': [tag.name for tag in tags][0:limit],
-  })
+    # NOTE: We add 1 to the limit because that's how pagination_callback knows if there are
+    # additional tags.
+    tags = registry_model.lookup_cached_active_repository_tags(
+        model_cache, repository_ref, start_id, limit + 1
+    )
+    response = jsonify(
+        {
+            "name": "{0}/{1}".format(namespace_name, repo_name),
+            "tags": [tag.name for tag in tags][0:limit],
+        }
+    )
 
-  pagination_callback(tags, response)
-  return response
+    pagination_callback(tags, response)
+    return response
diff --git a/endpoints/v2/test/test_blob.py b/endpoints/v2/test/test_blob.py
index cd3b0932d..7e582c977 100644
--- a/endpoints/v2/test/test_blob.py
+++ b/endpoints/v2/test/test_blob.py
@@ -14,114 +14,157 @@ from endpoints.test.shared import conduct_call
 from util.security.registry_jwt import generate_bearer_token, build_context_and_subject
 from test.fixtures import *
 
-@pytest.mark.parametrize('method, endpoint', [
-  ('GET', 'download_blob'),
-  ('HEAD', 'check_blob_exists'),
-])
+
+@pytest.mark.parametrize(
+    "method, endpoint", [("GET", "download_blob"), ("HEAD", "check_blob_exists")]
+)
 def test_blob_caching(method, endpoint, client, app):
-  digest = 'sha256:' + hashlib.sha256("a").hexdigest()
-  location = ImageStorageLocation.get(name='local_us')
-  model.blob.store_blob_record_and_temp_link('devtable', 'simple', digest, location, 1, 10000000)
+    digest = "sha256:" + hashlib.sha256("a").hexdigest()
+    location = ImageStorageLocation.get(name="local_us")
+    model.blob.store_blob_record_and_temp_link(
+        "devtable", "simple", digest, location, 1, 10000000
+    )
 
-  params = {
-    'repository': 'devtable/simple',
-    'digest': digest,
-  }
+    params = {"repository": "devtable/simple", "digest": digest}
 
-  user = model.user.get_user('devtable')
-  access = [{
-    'type': 'repository',
-    'name': 'devtable/simple',
-    'actions': ['pull'],
-  }]
+    user = model.user.get_user("devtable")
+    access = [{"type": "repository", "name": "devtable/simple", "actions": ["pull"]}]
 
-  context, subject = build_context_and_subject(ValidatedAuthContext(user=user))
-  token = generate_bearer_token(realapp.config['SERVER_HOSTNAME'], subject, context, access, 600,
-                                instance_keys)
+    context, subject = build_context_and_subject(ValidatedAuthContext(user=user))
+    token = generate_bearer_token(
+        realapp.config["SERVER_HOSTNAME"], subject, context, access, 600, instance_keys
+    )
 
-  headers = {
-    'Authorization': 'Bearer %s' % token,
-  }
+    headers = {"Authorization": "Bearer %s" % token}
 
-  # Run without caching to make sure the request works. This also preloads some of
-  # our global model caches.
-  conduct_call(client, 'v2.' + endpoint, url_for, method, params, expected_code=200,
-               headers=headers)
+    # Run without caching to make sure the request works. This also preloads some of
+    # our global model caches.
+    conduct_call(
+        client,
+        "v2." + endpoint,
+        url_for,
+        method,
+        params,
+        expected_code=200,
+        headers=headers,
+    )
 
-  with patch('endpoints.v2.blob.model_cache', InMemoryDataModelCache()):
-    # First request should make a DB query to retrieve the blob.
-    conduct_call(client, 'v2.' + endpoint, url_for, method, params, expected_code=200,
-                 headers=headers)
+    with patch("endpoints.v2.blob.model_cache", InMemoryDataModelCache()):
+        # First request should make a DB query to retrieve the blob.
+        conduct_call(
+            client,
+            "v2." + endpoint,
+            url_for,
+            method,
+            params,
+            expected_code=200,
+            headers=headers,
+        )
 
-    # Subsequent requests should use the cached blob.
-    with assert_query_count(0):
-      conduct_call(client, 'v2.' + endpoint, url_for, method, params, expected_code=200,
-                   headers=headers)
+        # Subsequent requests should use the cached blob.
+        with assert_query_count(0):
+            conduct_call(
+                client,
+                "v2." + endpoint,
+                url_for,
+                method,
+                params,
+                expected_code=200,
+                headers=headers,
+            )
 
-@pytest.mark.parametrize('mount_digest, source_repo, username, expect_success', [
-  # Unknown blob.
-  ('sha256:unknown', 'devtable/simple', 'devtable', False),
 
-  # Blob not in repo.
-  ('sha256:' + hashlib.sha256("a").hexdigest(), 'devtable/complex', 'devtable', False),
+@pytest.mark.parametrize(
+    "mount_digest, source_repo, username, expect_success",
+    [
+        # Unknown blob.
+        ("sha256:unknown", "devtable/simple", "devtable", False),
+        # Blob not in repo.
+        (
+            "sha256:" + hashlib.sha256("a").hexdigest(),
+            "devtable/complex",
+            "devtable",
+            False,
+        ),
+        # Blob in repo.
+        (
+            "sha256:" + hashlib.sha256("b").hexdigest(),
+            "devtable/complex",
+            "devtable",
+            True,
+        ),
+        # No access to repo.
+        (
+            "sha256:" + hashlib.sha256("b").hexdigest(),
+            "devtable/complex",
+            "public",
+            False,
+        ),
+        # Public repo.
+        (
+            "sha256:" + hashlib.sha256("c").hexdigest(),
+            "public/publicrepo",
+            "devtable",
+            True,
+        ),
+    ],
+)
+def test_blob_mounting(
+    mount_digest, source_repo, username, expect_success, client, app
+):
+    location = ImageStorageLocation.get(name="local_us")
 
-  # Blob in repo.
-  ('sha256:' + hashlib.sha256("b").hexdigest(), 'devtable/complex', 'devtable', True),
+    # Store and link some blobs.
+    digest = "sha256:" + hashlib.sha256("a").hexdigest()
+    model.blob.store_blob_record_and_temp_link(
+        "devtable", "simple", digest, location, 1, 10000000
+    )
 
-  # No access to repo.
-  ('sha256:' + hashlib.sha256("b").hexdigest(), 'devtable/complex', 'public', False),
+    digest = "sha256:" + hashlib.sha256("b").hexdigest()
+    model.blob.store_blob_record_and_temp_link(
+        "devtable", "complex", digest, location, 1, 10000000
+    )
 
-  # Public repo.
-  ('sha256:' + hashlib.sha256("c").hexdigest(), 'public/publicrepo', 'devtable', True),
-])
-def test_blob_mounting(mount_digest, source_repo, username, expect_success, client, app):
-  location = ImageStorageLocation.get(name='local_us')
+    digest = "sha256:" + hashlib.sha256("c").hexdigest()
+    model.blob.store_blob_record_and_temp_link(
+        "public", "publicrepo", digest, location, 1, 10000000
+    )
 
-  # Store and link some blobs.
-  digest = 'sha256:' + hashlib.sha256("a").hexdigest()
-  model.blob.store_blob_record_and_temp_link('devtable', 'simple', digest, location, 1, 10000000)
+    params = {
+        "repository": "devtable/building",
+        "mount": mount_digest,
+        "from": source_repo,
+    }
 
-  digest = 'sha256:' + hashlib.sha256("b").hexdigest()
-  model.blob.store_blob_record_and_temp_link('devtable', 'complex', digest, location, 1, 10000000)
+    user = model.user.get_user(username)
+    access = [
+        {"type": "repository", "name": "devtable/building", "actions": ["pull", "push"]}
+    ]
 
-  digest = 'sha256:' + hashlib.sha256("c").hexdigest()
-  model.blob.store_blob_record_and_temp_link('public', 'publicrepo', digest, location, 1, 10000000)
+    if source_repo.find(username) == 0:
+        access.append({"type": "repository", "name": source_repo, "actions": ["pull"]})
 
-  params = {
-    'repository': 'devtable/building',
-    'mount': mount_digest,
-    'from': source_repo,
-  }
+    context, subject = build_context_and_subject(ValidatedAuthContext(user=user))
+    token = generate_bearer_token(
+        realapp.config["SERVER_HOSTNAME"], subject, context, access, 600, instance_keys
+    )
 
-  user = model.user.get_user(username)
-  access = [{
-    'type': 'repository',
-    'name': 'devtable/building',
-    'actions': ['pull', 'push'],
-  }]
+    headers = {"Authorization": "Bearer %s" % token}
 
-  if source_repo.find(username) == 0:
-    access.append({
-      'type': 'repository',
-      'name': source_repo,
-      'actions': ['pull'],
-    })
+    expected_code = 201 if expect_success else 202
+    conduct_call(
+        client,
+        "v2.start_blob_upload",
+        url_for,
+        "POST",
+        params,
+        expected_code=expected_code,
+        headers=headers,
+    )
 
-  context, subject = build_context_and_subject(ValidatedAuthContext(user=user))
-  token = generate_bearer_token(realapp.config['SERVER_HOSTNAME'], subject, context, access, 600,
-                                instance_keys)
-
-  headers = {
-    'Authorization': 'Bearer %s' % token,
-  }
-
-  expected_code = 201 if expect_success else 202
-  conduct_call(client, 'v2.start_blob_upload', url_for, 'POST', params, expected_code=expected_code,
-               headers=headers)
-
-  if expect_success:
-    # Ensure the blob now exists under the repo.
-    model.blob.get_repo_blob_by_digest('devtable', 'building', mount_digest)
-  else:
-    with pytest.raises(model.blob.BlobDoesNotExist):
-      model.blob.get_repo_blob_by_digest('devtable', 'building', mount_digest)
+    if expect_success:
+        # Ensure the blob now exists under the repo.
+        model.blob.get_repo_blob_by_digest("devtable", "building", mount_digest)
+    else:
+        with pytest.raises(model.blob.BlobDoesNotExist):
+            model.blob.get_repo_blob_by_digest("devtable", "building", mount_digest)
diff --git a/endpoints/v2/test/test_manifest.py b/endpoints/v2/test/test_manifest.py
index 960501052..829208aa7 100644
--- a/endpoints/v2/test/test_manifest.py
+++ b/endpoints/v2/test/test_manifest.py
@@ -14,42 +14,54 @@ from endpoints.test.shared import conduct_call
 from util.security.registry_jwt import generate_bearer_token, build_context_and_subject
 from test.fixtures import *
 
+
 def test_e2e_query_count_manifest_norewrite(client, app):
-  tag_manifest = model.tag.load_tag_manifest('devtable', 'simple', 'latest')
+    tag_manifest = model.tag.load_tag_manifest("devtable", "simple", "latest")
 
-  params = {
-    'repository': 'devtable/simple',
-    'manifest_ref': tag_manifest.digest,
-  }
+    params = {"repository": "devtable/simple", "manifest_ref": tag_manifest.digest}
 
-  user = model.user.get_user('devtable')
-  access = [{
-    'type': 'repository',
-    'name': 'devtable/simple',
-    'actions': ['pull', 'push'],
-  }]
+    user = model.user.get_user("devtable")
+    access = [
+        {"type": "repository", "name": "devtable/simple", "actions": ["pull", "push"]}
+    ]
 
-  context, subject = build_context_and_subject(ValidatedAuthContext(user=user))
-  token = generate_bearer_token(realapp.config['SERVER_HOSTNAME'], subject, context, access, 600,
-                                instance_keys)
+    context, subject = build_context_and_subject(ValidatedAuthContext(user=user))
+    token = generate_bearer_token(
+        realapp.config["SERVER_HOSTNAME"], subject, context, access, 600, instance_keys
+    )
 
-  headers = {
-    'Authorization': 'Bearer %s' % token,
-  }
+    headers = {"Authorization": "Bearer %s" % token}
 
-  # Conduct a call to prime the instance key and other caches.
-  conduct_call(client, 'v2.write_manifest_by_digest', url_for, 'PUT', params, expected_code=202,
-               headers=headers, raw_body=tag_manifest.json_data)
+    # Conduct a call to prime the instance key and other caches.
+    conduct_call(
+        client,
+        "v2.write_manifest_by_digest",
+        url_for,
+        "PUT",
+        params,
+        expected_code=202,
+        headers=headers,
+        raw_body=tag_manifest.json_data,
+    )
 
-  timecode = time.time()
-  def get_time():
-    return timecode + 10
+    timecode = time.time()
 
-  with patch('time.time', get_time):
-    # Necessary in order to have the tag updates not occur in the same second, which is the
-    # granularity supported currently.
-    with count_queries() as counter:
-      conduct_call(client, 'v2.write_manifest_by_digest', url_for, 'PUT', params, expected_code=202,
-                   headers=headers, raw_body=tag_manifest.json_data)
+    def get_time():
+        return timecode + 10
 
-    assert counter.count <= 27
+    with patch("time.time", get_time):
+        # Necessary in order to have the tag updates not occur in the same second, which is the
+        # granularity supported currently.
+        with count_queries() as counter:
+            conduct_call(
+                client,
+                "v2.write_manifest_by_digest",
+                url_for,
+                "PUT",
+                params,
+                expected_code=202,
+                headers=headers,
+                raw_body=tag_manifest.json_data,
+            )
+
+        assert counter.count <= 27
diff --git a/endpoints/v2/test/test_manifest_cornercases.py b/endpoints/v2/test/test_manifest_cornercases.py
index b08242343..9cf05832a 100644
--- a/endpoints/v2/test/test_manifest_cornercases.py
+++ b/endpoints/v2/test/test_manifest_cornercases.py
@@ -11,28 +11,30 @@ from image.docker.schema1 import DockerSchema1ManifestBuilder
 from test.fixtures import *
 
 
-ADMIN_ACCESS_USER = 'devtable'
-REPO = 'simple'
-FIRST_TAG = 'first'
-SECOND_TAG = 'second'
-THIRD_TAG = 'third'
+ADMIN_ACCESS_USER = "devtable"
+REPO = "simple"
+FIRST_TAG = "first"
+SECOND_TAG = "second"
+THIRD_TAG = "third"
 
 
 @contextmanager
 def set_tag_expiration_policy(namespace, expiration_s=0):
-  namespace_user = model.user.get_user(namespace)
-  model.user.change_user_tag_expiration(namespace_user, expiration_s)
-  yield
+    namespace_user = model.user.get_user(namespace)
+    model.user.change_user_tag_expiration(namespace_user, expiration_s)
+    yield
 
 
 def _perform_cleanup():
-  database.RepositoryTag.delete().where(database.RepositoryTag.hidden == True).execute()
-  repo_object = model.repository.get_repository(ADMIN_ACCESS_USER, REPO)
-  model.gc.garbage_collect_repo(repo_object)
+    database.RepositoryTag.delete().where(
+        database.RepositoryTag.hidden == True
+    ).execute()
+    repo_object = model.repository.get_repository(ADMIN_ACCESS_USER, REPO)
+    model.gc.garbage_collect_repo(repo_object)
 
 
 def test_missing_link(initialized_db):
-  """ Tests for a corner case that could result in missing a link to a blob referenced by a
+    """ Tests for a corner case that could result in missing a link to a blob referenced by a
       manifest. The test exercises the case as follows:
 
       1) Push a manifest of a single layer with a Docker ID `FIRST_ID`, pointing
@@ -53,86 +55,139 @@ def test_missing_link(initialized_db):
                   that of `SECOND_ID`, leaving `THIRD_ID` unlinked and therefore, after a GC, missing
                   `FOURTH_BLOB`.
   """
-  with set_tag_expiration_policy('devtable', 0):
-    location_name = storage.preferred_locations[0]
-    location = database.ImageStorageLocation.get(name=location_name)
+    with set_tag_expiration_policy("devtable", 0):
+        location_name = storage.preferred_locations[0]
+        location = database.ImageStorageLocation.get(name=location_name)
 
-    # Create first blob.
-    first_blob_sha = 'sha256:' + hashlib.sha256("FIRST").hexdigest()
-    model.blob.store_blob_record_and_temp_link(ADMIN_ACCESS_USER, REPO, first_blob_sha, location, 0, 0, 0)
+        # Create first blob.
+        first_blob_sha = "sha256:" + hashlib.sha256("FIRST").hexdigest()
+        model.blob.store_blob_record_and_temp_link(
+            ADMIN_ACCESS_USER, REPO, first_blob_sha, location, 0, 0, 0
+        )
 
-    # Push the first manifest.
-    first_manifest = (DockerSchema1ManifestBuilder(ADMIN_ACCESS_USER, REPO, FIRST_TAG)
-                      .add_layer(first_blob_sha, '{"id": "first"}')
-                      .build(docker_v2_signing_key))
+        # Push the first manifest.
+        first_manifest = (
+            DockerSchema1ManifestBuilder(ADMIN_ACCESS_USER, REPO, FIRST_TAG)
+            .add_layer(first_blob_sha, '{"id": "first"}')
+            .build(docker_v2_signing_key)
+        )
 
-    _write_manifest(ADMIN_ACCESS_USER, REPO, FIRST_TAG, first_manifest)
+        _write_manifest(ADMIN_ACCESS_USER, REPO, FIRST_TAG, first_manifest)
 
-    # Delete all temp tags and perform GC.
-    _perform_cleanup()
+        # Delete all temp tags and perform GC.
+        _perform_cleanup()
 
-    # Ensure that the first blob still exists, along with the first tag.
-    assert model.blob.get_repo_blob_by_digest(ADMIN_ACCESS_USER, REPO, first_blob_sha) is not None
+        # Ensure that the first blob still exists, along with the first tag.
+        assert (
+            model.blob.get_repo_blob_by_digest(ADMIN_ACCESS_USER, REPO, first_blob_sha)
+            is not None
+        )
 
-    repository_ref = registry_model.lookup_repository(ADMIN_ACCESS_USER, REPO)
-    found_tag = registry_model.get_repo_tag(repository_ref, FIRST_TAG, include_legacy_image=True)
-    assert found_tag is not None
-    assert found_tag.legacy_image.docker_image_id == 'first'
+        repository_ref = registry_model.lookup_repository(ADMIN_ACCESS_USER, REPO)
+        found_tag = registry_model.get_repo_tag(
+            repository_ref, FIRST_TAG, include_legacy_image=True
+        )
+        assert found_tag is not None
+        assert found_tag.legacy_image.docker_image_id == "first"
 
-    # Create the second and third blobs.
-    second_blob_sha = 'sha256:' + hashlib.sha256("SECOND").hexdigest()
-    third_blob_sha = 'sha256:' + hashlib.sha256("THIRD").hexdigest()
+        # Create the second and third blobs.
+        second_blob_sha = "sha256:" + hashlib.sha256("SECOND").hexdigest()
+        third_blob_sha = "sha256:" + hashlib.sha256("THIRD").hexdigest()
 
-    model.blob.store_blob_record_and_temp_link(ADMIN_ACCESS_USER, REPO, second_blob_sha, location, 0, 0, 0)
-    model.blob.store_blob_record_and_temp_link(ADMIN_ACCESS_USER, REPO, third_blob_sha, location, 0, 0, 0)
+        model.blob.store_blob_record_and_temp_link(
+            ADMIN_ACCESS_USER, REPO, second_blob_sha, location, 0, 0, 0
+        )
+        model.blob.store_blob_record_and_temp_link(
+            ADMIN_ACCESS_USER, REPO, third_blob_sha, location, 0, 0, 0
+        )
 
-    # Push the second manifest.
-    second_manifest = (DockerSchema1ManifestBuilder(ADMIN_ACCESS_USER, REPO, SECOND_TAG)
-                        .add_layer(third_blob_sha, '{"id": "second", "parent": "first"}')
-                        .add_layer(second_blob_sha, '{"id": "first"}')
-                        .build(docker_v2_signing_key))
+        # Push the second manifest.
+        second_manifest = (
+            DockerSchema1ManifestBuilder(ADMIN_ACCESS_USER, REPO, SECOND_TAG)
+            .add_layer(third_blob_sha, '{"id": "second", "parent": "first"}')
+            .add_layer(second_blob_sha, '{"id": "first"}')
+            .build(docker_v2_signing_key)
+        )
 
-    _write_manifest(ADMIN_ACCESS_USER, REPO, SECOND_TAG, second_manifest)
+        _write_manifest(ADMIN_ACCESS_USER, REPO, SECOND_TAG, second_manifest)
 
-    # Delete all temp tags and perform GC.
-    _perform_cleanup()
+        # Delete all temp tags and perform GC.
+        _perform_cleanup()
 
-    # Ensure that the first and second blobs still exists, along with the second tag.
-    assert registry_model.get_repo_blob_by_digest(repository_ref, first_blob_sha) is not None
-    assert registry_model.get_repo_blob_by_digest(repository_ref, second_blob_sha) is not None
-    assert registry_model.get_repo_blob_by_digest(repository_ref, third_blob_sha) is not None
+        # Ensure that the first and second blobs still exists, along with the second tag.
+        assert (
+            registry_model.get_repo_blob_by_digest(repository_ref, first_blob_sha)
+            is not None
+        )
+        assert (
+            registry_model.get_repo_blob_by_digest(repository_ref, second_blob_sha)
+            is not None
+        )
+        assert (
+            registry_model.get_repo_blob_by_digest(repository_ref, third_blob_sha)
+            is not None
+        )
 
-    found_tag = registry_model.get_repo_tag(repository_ref, FIRST_TAG, include_legacy_image=True)
-    assert found_tag is not None
-    assert found_tag.legacy_image.docker_image_id == 'first'
+        found_tag = registry_model.get_repo_tag(
+            repository_ref, FIRST_TAG, include_legacy_image=True
+        )
+        assert found_tag is not None
+        assert found_tag.legacy_image.docker_image_id == "first"
 
-    # Ensure the IDs have changed.
-    found_tag = registry_model.get_repo_tag(repository_ref, SECOND_TAG, include_legacy_image=True)
-    assert found_tag is not None
-    assert found_tag.legacy_image.docker_image_id != 'second'
+        # Ensure the IDs have changed.
+        found_tag = registry_model.get_repo_tag(
+            repository_ref, SECOND_TAG, include_legacy_image=True
+        )
+        assert found_tag is not None
+        assert found_tag.legacy_image.docker_image_id != "second"
 
-    # Create the fourth blob.
-    fourth_blob_sha = 'sha256:' + hashlib.sha256("FOURTH").hexdigest()
-    model.blob.store_blob_record_and_temp_link(ADMIN_ACCESS_USER, REPO, fourth_blob_sha, location, 0, 0, 0)
+        # Create the fourth blob.
+        fourth_blob_sha = "sha256:" + hashlib.sha256("FOURTH").hexdigest()
+        model.blob.store_blob_record_and_temp_link(
+            ADMIN_ACCESS_USER, REPO, fourth_blob_sha, location, 0, 0, 0
+        )
 
-    # Push the third manifest.
-    third_manifest = (DockerSchema1ManifestBuilder(ADMIN_ACCESS_USER, REPO, THIRD_TAG)
-                      .add_layer(third_blob_sha, '{"id": "second", "parent": "first"}')
-                      .add_layer(fourth_blob_sha, '{"id": "first"}')  # Note the change in BLOB from the second manifest.
-                      .build(docker_v2_signing_key))
+        # Push the third manifest.
+        third_manifest = (
+            DockerSchema1ManifestBuilder(ADMIN_ACCESS_USER, REPO, THIRD_TAG)
+            .add_layer(third_blob_sha, '{"id": "second", "parent": "first"}')
+            .add_layer(
+                fourth_blob_sha, '{"id": "first"}'
+            )  # Note the change in BLOB from the second manifest.
+            .build(docker_v2_signing_key)
+        )
 
-    _write_manifest(ADMIN_ACCESS_USER, REPO, THIRD_TAG, third_manifest)
+        _write_manifest(ADMIN_ACCESS_USER, REPO, THIRD_TAG, third_manifest)
 
-    # Delete all temp tags and perform GC.
-    _perform_cleanup()
+        # Delete all temp tags and perform GC.
+        _perform_cleanup()
 
-    # Ensure all blobs are present.
-    assert registry_model.get_repo_blob_by_digest(repository_ref, first_blob_sha) is not None
-    assert registry_model.get_repo_blob_by_digest(repository_ref, second_blob_sha) is not None
-    assert registry_model.get_repo_blob_by_digest(repository_ref, third_blob_sha) is not None
-    assert registry_model.get_repo_blob_by_digest(repository_ref, fourth_blob_sha) is not None
+        # Ensure all blobs are present.
+        assert (
+            registry_model.get_repo_blob_by_digest(repository_ref, first_blob_sha)
+            is not None
+        )
+        assert (
+            registry_model.get_repo_blob_by_digest(repository_ref, second_blob_sha)
+            is not None
+        )
+        assert (
+            registry_model.get_repo_blob_by_digest(repository_ref, third_blob_sha)
+            is not None
+        )
+        assert (
+            registry_model.get_repo_blob_by_digest(repository_ref, fourth_blob_sha)
+            is not None
+        )
 
-    # Ensure new synthesized IDs were created.
-    second_tag = registry_model.get_repo_tag(repository_ref, SECOND_TAG, include_legacy_image=True)
-    third_tag = registry_model.get_repo_tag(repository_ref, THIRD_TAG, include_legacy_image=True)
-    assert second_tag.legacy_image.docker_image_id != third_tag.legacy_image.docker_image_id
+        # Ensure new synthesized IDs were created.
+        second_tag = registry_model.get_repo_tag(
+            repository_ref, SECOND_TAG, include_legacy_image=True
+        )
+        third_tag = registry_model.get_repo_tag(
+            repository_ref, THIRD_TAG, include_legacy_image=True
+        )
+        assert (
+            second_tag.legacy_image.docker_image_id
+            != third_tag.legacy_image.docker_image_id
+        )
diff --git a/endpoints/v2/test/test_v2_tuf.py b/endpoints/v2/test/test_v2_tuf.py
index efd0c0ce9..e0d496631 100644
--- a/endpoints/v2/test/test_v2_tuf.py
+++ b/endpoints/v2/test/test_v2_tuf.py
@@ -10,59 +10,60 @@ from test import testconfig
 from util.security.registry_jwt import QUAY_TUF_ROOT, SIGNER_TUF_ROOT, DISABLED_TUF_ROOT
 
 
-
 def admin_identity(namespace, reponame):
-  identity = Identity('admin')
-  identity.provides.add(permissions._RepositoryNeed(namespace, reponame, 'admin'))
-  identity.provides.add(permissions._OrganizationRepoNeed(namespace, 'admin'))
-  return identity
+    identity = Identity("admin")
+    identity.provides.add(permissions._RepositoryNeed(namespace, reponame, "admin"))
+    identity.provides.add(permissions._OrganizationRepoNeed(namespace, "admin"))
+    return identity
 
 
 def write_identity(namespace, reponame):
-  identity = Identity('writer')
-  identity.provides.add(permissions._RepositoryNeed(namespace, reponame, 'write'))
-  identity.provides.add(permissions._OrganizationRepoNeed(namespace, 'write'))
-  return identity
+    identity = Identity("writer")
+    identity.provides.add(permissions._RepositoryNeed(namespace, reponame, "write"))
+    identity.provides.add(permissions._OrganizationRepoNeed(namespace, "write"))
+    return identity
 
 
 def read_identity(namespace, reponame):
-  identity = Identity('reader')
-  identity.provides.add(permissions._RepositoryNeed(namespace, reponame, 'read'))
-  identity.provides.add(permissions._OrganizationRepoNeed(namespace, 'read'))
-  return identity
+    identity = Identity("reader")
+    identity.provides.add(permissions._RepositoryNeed(namespace, reponame, "read"))
+    identity.provides.add(permissions._OrganizationRepoNeed(namespace, "read"))
+    return identity
 
 
 def app_with_principal():
-  app = flask.Flask(__name__)
-  app.config.from_object(testconfig.TestConfig())
-  principal = Principal(app)
-  return app, principal
+    app = flask.Flask(__name__)
+    app.config.from_object(testconfig.TestConfig())
+    principal = Principal(app)
+    return app, principal
 
 
-@pytest.mark.parametrize('identity,expected', [
-  (Identity('anon'), QUAY_TUF_ROOT),
-  (read_identity("namespace", "repo"), QUAY_TUF_ROOT),
-  (read_identity("different", "repo"), QUAY_TUF_ROOT),
-  (admin_identity("different", "repo"), QUAY_TUF_ROOT),
-  (write_identity("different", "repo"), QUAY_TUF_ROOT),
-  (admin_identity("namespace", "repo"), SIGNER_TUF_ROOT),
-  (write_identity("namespace", "repo"), SIGNER_TUF_ROOT),
-])
+@pytest.mark.parametrize(
+    "identity,expected",
+    [
+        (Identity("anon"), QUAY_TUF_ROOT),
+        (read_identity("namespace", "repo"), QUAY_TUF_ROOT),
+        (read_identity("different", "repo"), QUAY_TUF_ROOT),
+        (admin_identity("different", "repo"), QUAY_TUF_ROOT),
+        (write_identity("different", "repo"), QUAY_TUF_ROOT),
+        (admin_identity("namespace", "repo"), SIGNER_TUF_ROOT),
+        (write_identity("namespace", "repo"), SIGNER_TUF_ROOT),
+    ],
+)
 def test_get_tuf_root(identity, expected):
-  app, principal = app_with_principal()
-  with app.test_request_context('/'):
-    principal.set_identity(identity)
-    actual = _get_tuf_root(Mock(), "namespace", "repo")
-    assert actual == expected, "should be %s, but was %s" % (expected, actual)
+    app, principal = app_with_principal()
+    with app.test_request_context("/"):
+        principal.set_identity(identity)
+        actual = _get_tuf_root(Mock(), "namespace", "repo")
+        assert actual == expected, "should be %s, but was %s" % (expected, actual)
 
 
-@pytest.mark.parametrize('trust_enabled,tuf_root', [
-  (True, QUAY_TUF_ROOT),
-  (False, DISABLED_TUF_ROOT),
-])
-def test_trust_disabled(trust_enabled,tuf_root):
-  app, principal = app_with_principal()
-  with app.test_request_context('/'):
-    principal.set_identity(read_identity("namespace", "repo"))
-    actual = _get_tuf_root(Mock(trust_enabled=trust_enabled), "namespace", "repo")
-    assert actual == tuf_root, "should be %s, but was %s" % (tuf_root, actual)
+@pytest.mark.parametrize(
+    "trust_enabled,tuf_root", [(True, QUAY_TUF_ROOT), (False, DISABLED_TUF_ROOT)]
+)
+def test_trust_disabled(trust_enabled, tuf_root):
+    app, principal = app_with_principal()
+    with app.test_request_context("/"):
+        principal.set_identity(read_identity("namespace", "repo"))
+        actual = _get_tuf_root(Mock(trust_enabled=trust_enabled), "namespace", "repo")
+        assert actual == tuf_root, "should be %s, but was %s" % (tuf_root, actual)
diff --git a/endpoints/v2/test/test_v2auth.py b/endpoints/v2/test/test_v2auth.py
index 60c8f34b1..a9654e8cc 100644
--- a/endpoints/v2/test/test_v2auth.py
+++ b/endpoints/v2/test/test_v2auth.py
@@ -11,140 +11,238 @@ from test.fixtures import *
 
 
 def get_robot_password(username):
-  parent_name, robot_shortname = username.split('+', 1)
-  parent = get_user(parent_name)
-  _, token, _ = get_robot_and_metadata(robot_shortname, parent)
-  return token
+    parent_name, robot_shortname = username.split("+", 1)
+    parent = get_user(parent_name)
+    _, token, _ = get_robot_and_metadata(robot_shortname, parent)
+    return token
 
 
-@pytest.mark.parametrize('scope, username, password, expected_code, expected_scopes', [
-  # Invalid repository.
-  ('repository:devtable/simple/foo/bar/baz:pull', 'devtable', 'password', 400, []),
+@pytest.mark.parametrize(
+    "scope, username, password, expected_code, expected_scopes",
+    [
+        # Invalid repository.
+        (
+            "repository:devtable/simple/foo/bar/baz:pull",
+            "devtable",
+            "password",
+            400,
+            [],
+        ),
+        # Invalid scopes.
+        ("some_invalid_scope", "devtable", "password", 400, []),
+        # Invalid credentials.
+        ("repository:devtable/simple:pull", "devtable", "invalid", 401, []),
+        # Valid credentials.
+        (
+            "repository:devtable/simple:pull",
+            "devtable",
+            "password",
+            200,
+            ["devtable/simple:pull"],
+        ),
+        (
+            "repository:devtable/simple:push",
+            "devtable",
+            "password",
+            200,
+            ["devtable/simple:push"],
+        ),
+        (
+            "repository:devtable/simple:pull,push",
+            "devtable",
+            "password",
+            200,
+            ["devtable/simple:push,pull"],
+        ),
+        (
+            "repository:devtable/simple:pull,push,*",
+            "devtable",
+            "password",
+            200,
+            ["devtable/simple:push,pull,*"],
+        ),
+        (
+            "repository:buynlarge/orgrepo:pull,push,*",
+            "devtable",
+            "password",
+            200,
+            ["buynlarge/orgrepo:push,pull,*"],
+        ),
+        ("", "devtable", "password", 200, []),
+        # No credentials, non-public repo.
+        ("repository:devtable/simple:pull", None, None, 200, ["devtable/simple:"]),
+        # No credentials, public repo.
+        (
+            "repository:public/publicrepo:pull",
+            None,
+            None,
+            200,
+            ["public/publicrepo:pull"],
+        ),
+        # Reader only.
+        (
+            "repository:buynlarge/orgrepo:pull,push,*",
+            "reader",
+            "password",
+            200,
+            ["buynlarge/orgrepo:pull"],
+        ),
+        # Unknown repository.
+        (
+            "repository:devtable/unknownrepo:pull,push",
+            "devtable",
+            "password",
+            200,
+            ["devtable/unknownrepo:push,pull"],
+        ),
+        # Unknown repository in another namespace.
+        (
+            "repository:somenamespace/unknownrepo:pull,push",
+            "devtable",
+            "password",
+            200,
+            ["somenamespace/unknownrepo:"],
+        ),
+        # Disabled namespace.
+        (
+            [
+                "repository:devtable/simple:pull,push",
+                "repository:disabled/complex:pull",
+            ],
+            "devtable",
+            "password",
+            405,
+            [],
+        ),
+        # Multiple scopes.
+        (
+            [
+                "repository:devtable/simple:pull,push",
+                "repository:devtable/complex:pull",
+            ],
+            "devtable",
+            "password",
+            200,
+            ["devtable/simple:push,pull", "devtable/complex:pull"],
+        ),
+        # Multiple scopes with restricted behavior.
+        (
+            [
+                "repository:devtable/simple:pull,push",
+                "repository:public/publicrepo:pull,push",
+            ],
+            "devtable",
+            "password",
+            200,
+            ["devtable/simple:push,pull", "public/publicrepo:pull"],
+        ),
+        (
+            [
+                "repository:devtable/simple:pull,push,*",
+                "repository:public/publicrepo:pull,push,*",
+            ],
+            "devtable",
+            "password",
+            200,
+            ["devtable/simple:push,pull,*", "public/publicrepo:pull"],
+        ),
+        # Read Only State
+        (
+            "repository:devtable/readonly:pull,push,*",
+            "devtable",
+            "password",
+            200,
+            ["devtable/readonly:pull"],
+        ),
+        # Mirror State as a typical User
+        (
+            "repository:devtable/mirrored:pull,push,*",
+            "devtable",
+            "password",
+            200,
+            ["devtable/mirrored:pull"],
+        ),
+        # Mirror State as the robot User should have write access
+        (
+            "repository:devtable/mirrored:pull,push,*",
+            "devtable+dtrobot",
+            get_robot_password,
+            200,
+            ["devtable/mirrored:push,pull"],
+        ),
+        # Organization repository, org admin
+        (
+            "repository:buynlarge/orgrepo:pull,push,*",
+            "devtable",
+            "password",
+            200,
+            ["buynlarge/orgrepo:push,pull,*"],
+        ),
+        # Organization repository, org creator
+        (
+            "repository:buynlarge/orgrepo:pull,push,*",
+            "creator",
+            "password",
+            200,
+            ["buynlarge/orgrepo:"],
+        ),
+        # Organization repository, org reader
+        (
+            "repository:buynlarge/orgrepo:pull,push,*",
+            "reader",
+            "password",
+            200,
+            ["buynlarge/orgrepo:pull"],
+        ),
+        # Organization repository, freshuser
+        (
+            "repository:buynlarge/orgrepo:pull,push,*",
+            "freshuser",
+            "password",
+            200,
+            ["buynlarge/orgrepo:"],
+        ),
+    ],
+)
+def test_generate_registry_jwt(
+    scope, username, password, expected_code, expected_scopes, app, client
+):
+    params = {"service": original_app.config["SERVER_HOSTNAME"], "scope": scope}
 
-  # Invalid scopes.
-  ('some_invalid_scope', 'devtable', 'password', 400, []),
+    if callable(password):
+        password = password(username)
 
-  # Invalid credentials.
-  ('repository:devtable/simple:pull', 'devtable', 'invalid', 401, []),
+    headers = {}
+    if username and password:
+        headers["Authorization"] = "Basic %s" % (
+            base64.b64encode("%s:%s" % (username, password))
+        )
 
-  # Valid credentials.
-  ('repository:devtable/simple:pull', 'devtable', 'password', 200,
-   ['devtable/simple:pull']),
+    resp = conduct_call(
+        client,
+        "v2.generate_registry_jwt",
+        url_for,
+        "GET",
+        params,
+        {},
+        expected_code,
+        headers=headers,
+    )
+    if expected_code != 200:
+        return
 
-  ('repository:devtable/simple:push', 'devtable', 'password', 200,
-   ['devtable/simple:push']),
+    token = resp.json["token"]
+    decoded = decode_bearer_token(token, instance_keys, original_app.config)
+    assert decoded["iss"] == "quay"
+    assert decoded["aud"] == original_app.config["SERVER_HOSTNAME"]
+    assert decoded["sub"] == username if username else "(anonymous)"
 
-  ('repository:devtable/simple:pull,push', 'devtable', 'password', 200,
-   ['devtable/simple:push,pull']),
+    expected_access = []
+    for scope in expected_scopes:
+        name, actions_str = scope.split(":")
+        actions = actions_str.split(",") if actions_str else []
 
-  ('repository:devtable/simple:pull,push,*', 'devtable', 'password', 200,
-   ['devtable/simple:push,pull,*']),
+        expected_access.append({"type": "repository", "name": name, "actions": actions})
 
-  ('repository:buynlarge/orgrepo:pull,push,*', 'devtable', 'password', 200,
-   ['buynlarge/orgrepo:push,pull,*']),
-
-  ('', 'devtable', 'password', 200, []),
-
-  # No credentials, non-public repo.
-  ('repository:devtable/simple:pull', None, None, 200, ['devtable/simple:']),
-
-  # No credentials, public repo.
-  ('repository:public/publicrepo:pull', None, None, 200, ['public/publicrepo:pull']),
-
-  # Reader only.
-  ('repository:buynlarge/orgrepo:pull,push,*', 'reader', 'password', 200,
-   ['buynlarge/orgrepo:pull']),
-
-  # Unknown repository.
-  ('repository:devtable/unknownrepo:pull,push', 'devtable', 'password', 200,
-   ['devtable/unknownrepo:push,pull']),
-
-  # Unknown repository in another namespace.
-  ('repository:somenamespace/unknownrepo:pull,push', 'devtable', 'password', 200,
-   ['somenamespace/unknownrepo:']),
-
-  # Disabled namespace.
-  (['repository:devtable/simple:pull,push', 'repository:disabled/complex:pull'],
-    'devtable', 'password', 405,
-   []),
-
-  # Multiple scopes.
-  (['repository:devtable/simple:pull,push', 'repository:devtable/complex:pull'],
-    'devtable', 'password', 200,
-   ['devtable/simple:push,pull', 'devtable/complex:pull']),
-
-  # Multiple scopes with restricted behavior.
-  (['repository:devtable/simple:pull,push', 'repository:public/publicrepo:pull,push'],
-    'devtable', 'password', 200,
-   ['devtable/simple:push,pull', 'public/publicrepo:pull']),
-
-  (['repository:devtable/simple:pull,push,*', 'repository:public/publicrepo:pull,push,*'],
-    'devtable', 'password', 200,
-   ['devtable/simple:push,pull,*', 'public/publicrepo:pull']),
-
-  # Read Only State
-  ('repository:devtable/readonly:pull,push,*', 'devtable', 'password', 200,
-   ['devtable/readonly:pull']),
-
-  # Mirror State as a typical User
-  ('repository:devtable/mirrored:pull,push,*', 'devtable', 'password', 200,
-   ['devtable/mirrored:pull']),
-
-  # Mirror State as the robot User should have write access
-  ('repository:devtable/mirrored:pull,push,*', 'devtable+dtrobot', get_robot_password, 200,
-   ['devtable/mirrored:push,pull']),
-
-  # Organization repository, org admin
-  ('repository:buynlarge/orgrepo:pull,push,*', 'devtable', 'password', 200,
-   ['buynlarge/orgrepo:push,pull,*']),
-
-  # Organization repository, org creator
-  ('repository:buynlarge/orgrepo:pull,push,*', 'creator', 'password', 200,
-   ['buynlarge/orgrepo:']),
-
-  # Organization repository, org reader
-  ('repository:buynlarge/orgrepo:pull,push,*', 'reader', 'password', 200,
-   ['buynlarge/orgrepo:pull']),
-
-  # Organization repository, freshuser
-  ('repository:buynlarge/orgrepo:pull,push,*', 'freshuser', 'password', 200,
-   ['buynlarge/orgrepo:']),
-])
-def test_generate_registry_jwt(scope, username, password, expected_code, expected_scopes,
-                               app, client):
-  params = {
-    'service': original_app.config['SERVER_HOSTNAME'],
-    'scope': scope,
-  }
-
-  if callable(password):
-    password = password(username)
-
-  headers = {}
-  if username and password:
-    headers['Authorization'] = 'Basic %s' % (base64.b64encode('%s:%s' % (username, password)))
-
-  resp = conduct_call(client, 'v2.generate_registry_jwt', url_for, 'GET', params, {}, expected_code,
-                      headers=headers)
-  if expected_code != 200:
-    return
-
-  token = resp.json['token']
-  decoded = decode_bearer_token(token, instance_keys, original_app.config)
-  assert decoded['iss'] == 'quay'
-  assert decoded['aud'] == original_app.config['SERVER_HOSTNAME']
-  assert decoded['sub'] == username if username else '(anonymous)'
-
-  expected_access = []
-  for scope in expected_scopes:
-    name, actions_str = scope.split(':')
-    actions = actions_str.split(',') if actions_str else []
-
-    expected_access.append({
-      'type': 'repository',
-      'name': name,
-      'actions': actions,
-    })
-
-  assert decoded['access'] == expected_access
-  assert len(decoded['context'][CLAIM_TUF_ROOTS]) == len(expected_scopes)
+    assert decoded["access"] == expected_access
+    assert len(decoded["context"][CLAIM_TUF_ROOTS]) == len(expected_scopes)
diff --git a/endpoints/v2/v2auth.py b/endpoints/v2/v2auth.py
index c3a6aa3ce..78f986e40 100644
--- a/endpoints/v2/v2auth.py
+++ b/endpoints/v2/v2auth.py
@@ -9,8 +9,12 @@ import features
 from app import app, userevents, instance_keys
 from auth.auth_context import get_authenticated_context, get_authenticated_user
 from auth.decorators import process_basic_auth
-from auth.permissions import (ModifyRepositoryPermission, ReadRepositoryPermission,
-                              CreateRepositoryPermission, AdministerRepositoryPermission)
+from auth.permissions import (
+    ModifyRepositoryPermission,
+    ReadRepositoryPermission,
+    CreateRepositoryPermission,
+    AdministerRepositoryPermission,
+)
 from data import model
 from data.database import RepositoryState
 from data.registry_model import registry_model
@@ -18,244 +22,307 @@ from data.registry_model.datatypes import RepositoryReference
 from data.model.repo_mirror import get_mirroring_robot
 from endpoints.decorators import anon_protect
 from endpoints.v2 import v2_bp
-from endpoints.v2.errors import (InvalidLogin, NameInvalid, InvalidRequest, Unsupported,
-                                 Unauthorized, NamespaceDisabled)
+from endpoints.v2.errors import (
+    InvalidLogin,
+    NameInvalid,
+    InvalidRequest,
+    Unsupported,
+    Unauthorized,
+    NamespaceDisabled,
+)
 from util.cache import no_cache
 from util.names import parse_namespace_repository, REPOSITORY_NAME_REGEX
-from util.security.registry_jwt import (generate_bearer_token, build_context_and_subject,
-                                        QUAY_TUF_ROOT, SIGNER_TUF_ROOT, DISABLED_TUF_ROOT)
+from util.security.registry_jwt import (
+    generate_bearer_token,
+    build_context_and_subject,
+    QUAY_TUF_ROOT,
+    SIGNER_TUF_ROOT,
+    DISABLED_TUF_ROOT,
+)
 
 logger = logging.getLogger(__name__)
 
 TOKEN_VALIDITY_LIFETIME_S = 60 * 60  # 1 hour
-SCOPE_REGEX_TEMPLATE = r'^repository:((?:{}\/)?((?:[\.a-zA-Z0-9_\-]+\/)*[\.a-zA-Z0-9_\-]+)):((?:push|pull|\*)(?:,(?:push|pull|\*))*)$'
+SCOPE_REGEX_TEMPLATE = r"^repository:((?:{}\/)?((?:[\.a-zA-Z0-9_\-]+\/)*[\.a-zA-Z0-9_\-]+)):((?:push|pull|\*)(?:,(?:push|pull|\*))*)$"
 
-scopeResult = namedtuple('scopeResult', ['actions', 'namespace', 'repository', 'registry_and_repo',
-                                         'tuf_root'])
+scopeResult = namedtuple(
+    "scopeResult",
+    ["actions", "namespace", "repository", "registry_and_repo", "tuf_root"],
+)
 
-@v2_bp.route('/auth')
+
+@v2_bp.route("/auth")
 @process_basic_auth
 @no_cache
 @anon_protect
 def generate_registry_jwt(auth_result):
-  """
+    """
   This endpoint will generate a JWT conforming to the Docker Registry v2 Auth Spec:
   https://docs.docker.com/registry/spec/auth/token/
   """
-  audience_param = request.args.get('service')
-  logger.debug('Request audience: %s', audience_param)
+    audience_param = request.args.get("service")
+    logger.debug("Request audience: %s", audience_param)
 
-  scope_params = request.args.getlist('scope') or []
-  logger.debug('Scope request: %s', scope_params)
+    scope_params = request.args.getlist("scope") or []
+    logger.debug("Scope request: %s", scope_params)
 
-  auth_header = request.headers.get('authorization', '')
-  auth_credentials_sent = bool(auth_header)
+    auth_header = request.headers.get("authorization", "")
+    auth_credentials_sent = bool(auth_header)
 
-  # Load the auth context and verify thatg we've directly received credentials.
-  has_valid_auth_context = False
-  if get_authenticated_context():
-    has_valid_auth_context = not get_authenticated_context().is_anonymous
+    # Load the auth context and verify thatg we've directly received credentials.
+    has_valid_auth_context = False
+    if get_authenticated_context():
+        has_valid_auth_context = not get_authenticated_context().is_anonymous
 
-  if auth_credentials_sent and not has_valid_auth_context:
-    # The auth credentials sent for the user are invalid.
-    raise InvalidLogin(auth_result.error_message)
+    if auth_credentials_sent and not has_valid_auth_context:
+        # The auth credentials sent for the user are invalid.
+        raise InvalidLogin(auth_result.error_message)
 
-  if not has_valid_auth_context and len(scope_params) == 0:
-    # In this case, we are doing an auth flow, and it's not an anonymous pull.
-    logger.debug('No user and no token sent for empty scope list')
-    raise Unauthorized()
+    if not has_valid_auth_context and len(scope_params) == 0:
+        # In this case, we are doing an auth flow, and it's not an anonymous pull.
+        logger.debug("No user and no token sent for empty scope list")
+        raise Unauthorized()
 
-  # Build the access list for the authenticated context.
-  access = []
-  scope_results = []
-  for scope_param in scope_params:
-    scope_result = _authorize_or_downscope_request(scope_param, has_valid_auth_context)
-    if scope_result is None:
-      continue
+    # Build the access list for the authenticated context.
+    access = []
+    scope_results = []
+    for scope_param in scope_params:
+        scope_result = _authorize_or_downscope_request(
+            scope_param, has_valid_auth_context
+        )
+        if scope_result is None:
+            continue
 
-    scope_results.append(scope_result)
-    access.append({
-      'type': 'repository',
-      'name': scope_result.registry_and_repo,
-      'actions': scope_result.actions,
-    })
+        scope_results.append(scope_result)
+        access.append(
+            {
+                "type": "repository",
+                "name": scope_result.registry_and_repo,
+                "actions": scope_result.actions,
+            }
+        )
 
-  # Issue user events.
-  user_event_data = {
-    'action': 'login',
-  }
+    # Issue user events.
+    user_event_data = {"action": "login"}
 
-  # Set the user event data for when authed.
-  if len(scope_results) > 0:
-    if 'push' in scope_results[0].actions:
-      user_action = 'push_start'
-    elif 'pull' in scope_results[0].actions:
-      user_action = 'pull_start'
-    else:
-      user_action = 'login'
+    # Set the user event data for when authed.
+    if len(scope_results) > 0:
+        if "push" in scope_results[0].actions:
+            user_action = "push_start"
+        elif "pull" in scope_results[0].actions:
+            user_action = "pull_start"
+        else:
+            user_action = "login"
 
-    user_event_data = {
-      'action': user_action,
-      'namespace': scope_results[0].namespace,
-      'repository': scope_results[0].repository,
+        user_event_data = {
+            "action": user_action,
+            "namespace": scope_results[0].namespace,
+            "repository": scope_results[0].repository,
+        }
+
+    # Send the user event.
+    if get_authenticated_user() is not None:
+        event = userevents.get_event(get_authenticated_user().username)
+        event.publish_event_data("docker-cli", user_event_data)
+
+    # Build the signed JWT.
+    tuf_roots = {
+        "%s/%s"
+        % (scope_result.namespace, scope_result.repository): scope_result.tuf_root
+        for scope_result in scope_results
     }
-
-  # Send the user event.
-  if get_authenticated_user() is not None:
-    event = userevents.get_event(get_authenticated_user().username)
-    event.publish_event_data('docker-cli', user_event_data)
-
-  # Build the signed JWT.
-  tuf_roots = {'%s/%s' % (scope_result.namespace, scope_result.repository): scope_result.tuf_root
-               for scope_result in scope_results}
-  context, subject = build_context_and_subject(get_authenticated_context(), tuf_roots=tuf_roots)
-  token = generate_bearer_token(audience_param, subject, context, access,
-                                TOKEN_VALIDITY_LIFETIME_S, instance_keys)
-  return jsonify({'token': token})
+    context, subject = build_context_and_subject(
+        get_authenticated_context(), tuf_roots=tuf_roots
+    )
+    token = generate_bearer_token(
+        audience_param,
+        subject,
+        context,
+        access,
+        TOKEN_VALIDITY_LIFETIME_S,
+        instance_keys,
+    )
+    return jsonify({"token": token})
 
 
 @lru_cache(maxsize=1)
 def _get_scope_regex():
-  hostname = re.escape(app.config['SERVER_HOSTNAME'])
-  scope_regex_string = SCOPE_REGEX_TEMPLATE.format(hostname)
-  return re.compile(scope_regex_string)
+    hostname = re.escape(app.config["SERVER_HOSTNAME"])
+    scope_regex_string = SCOPE_REGEX_TEMPLATE.format(hostname)
+    return re.compile(scope_regex_string)
 
 
 def _get_tuf_root(repository_ref, namespace, reponame):
-  if not features.SIGNING or repository_ref is None or not repository_ref.trust_enabled:
-    return DISABLED_TUF_ROOT
+    if (
+        not features.SIGNING
+        or repository_ref is None
+        or not repository_ref.trust_enabled
+    ):
+        return DISABLED_TUF_ROOT
 
-  # Users with write access to a repository will see signer-rooted TUF metadata
-  if ModifyRepositoryPermission(namespace, reponame).can():
-    return SIGNER_TUF_ROOT
-  return QUAY_TUF_ROOT
+    # Users with write access to a repository will see signer-rooted TUF metadata
+    if ModifyRepositoryPermission(namespace, reponame).can():
+        return SIGNER_TUF_ROOT
+    return QUAY_TUF_ROOT
 
 
 def _authorize_or_downscope_request(scope_param, has_valid_auth_context):
-  # TODO: The complexity of this function is difficult to follow and maintain. Refactor/Cleanup.
-  if len(scope_param) == 0:
-    if not has_valid_auth_context:
-      # In this case, we are doing an auth flow, and it's not an anonymous pull.
-      logger.debug('No user and no token sent for empty scope list')
-      raise Unauthorized()
+    # TODO: The complexity of this function is difficult to follow and maintain. Refactor/Cleanup.
+    if len(scope_param) == 0:
+        if not has_valid_auth_context:
+            # In this case, we are doing an auth flow, and it's not an anonymous pull.
+            logger.debug("No user and no token sent for empty scope list")
+            raise Unauthorized()
 
-    return None
+        return None
 
-  match = _get_scope_regex().match(scope_param)
-  if match is None:
-    logger.debug('Match: %s', match)
-    logger.debug('len: %s', len(scope_param))
-    logger.warning('Unable to decode repository and actions: %s', scope_param)
-    raise InvalidRequest('Unable to decode repository and actions: %s' % scope_param)
+    match = _get_scope_regex().match(scope_param)
+    if match is None:
+        logger.debug("Match: %s", match)
+        logger.debug("len: %s", len(scope_param))
+        logger.warning("Unable to decode repository and actions: %s", scope_param)
+        raise InvalidRequest(
+            "Unable to decode repository and actions: %s" % scope_param
+        )
 
-  logger.debug('Match: %s', match.groups())
+    logger.debug("Match: %s", match.groups())
 
-  registry_and_repo = match.group(1)
-  namespace_and_repo = match.group(2)
-  requested_actions = match.group(3).split(',')
+    registry_and_repo = match.group(1)
+    namespace_and_repo = match.group(2)
+    requested_actions = match.group(3).split(",")
 
-  lib_namespace = app.config['LIBRARY_NAMESPACE']
-  namespace, reponame = parse_namespace_repository(namespace_and_repo, lib_namespace)
+    lib_namespace = app.config["LIBRARY_NAMESPACE"]
+    namespace, reponame = parse_namespace_repository(namespace_and_repo, lib_namespace)
 
-  # Ensure that we are never creating an invalid repository.
-  if not REPOSITORY_NAME_REGEX.match(reponame):
-    logger.debug('Found invalid repository name in auth flow: %s', reponame)
-    if len(namespace_and_repo.split('/')) > 1:
-      msg = 'Nested repositories are not supported. Found: %s' % namespace_and_repo
-      raise NameInvalid(message=msg)
+    # Ensure that we are never creating an invalid repository.
+    if not REPOSITORY_NAME_REGEX.match(reponame):
+        logger.debug("Found invalid repository name in auth flow: %s", reponame)
+        if len(namespace_and_repo.split("/")) > 1:
+            msg = (
+                "Nested repositories are not supported. Found: %s" % namespace_and_repo
+            )
+            raise NameInvalid(message=msg)
 
-    raise NameInvalid(message='Invalid repository name: %s' % namespace_and_repo)
+        raise NameInvalid(message="Invalid repository name: %s" % namespace_and_repo)
 
-  # Ensure the namespace is enabled.
-  if registry_model.is_existing_disabled_namespace(namespace):
-    msg = 'Namespace %s has been disabled. Please contact a system administrator.' % namespace
-    raise NamespaceDisabled(message=msg)
+    # Ensure the namespace is enabled.
+    if registry_model.is_existing_disabled_namespace(namespace):
+        msg = (
+            "Namespace %s has been disabled. Please contact a system administrator."
+            % namespace
+        )
+        raise NamespaceDisabled(message=msg)
 
-  final_actions = []
+    final_actions = []
 
-  repository_ref = registry_model.lookup_repository(namespace, reponame)
-  repo_is_public = repository_ref is not None and repository_ref.is_public
-  invalid_repo_message = ''
-  if repository_ref is not None and repository_ref.kind != 'image':
-    invalid_repo_message = ((
-      'This repository is for managing %s ' + 'and not container images.') % repository_ref.kind)
+    repository_ref = registry_model.lookup_repository(namespace, reponame)
+    repo_is_public = repository_ref is not None and repository_ref.is_public
+    invalid_repo_message = ""
+    if repository_ref is not None and repository_ref.kind != "image":
+        invalid_repo_message = (
+            "This repository is for managing %s " + "and not container images."
+        ) % repository_ref.kind
 
-  if 'push' in requested_actions:
-    # Check if there is a valid user or token, as otherwise the repository cannot be
-    # accessed.
-    if has_valid_auth_context:
-      user = get_authenticated_user()
+    if "push" in requested_actions:
+        # Check if there is a valid user or token, as otherwise the repository cannot be
+        # accessed.
+        if has_valid_auth_context:
+            user = get_authenticated_user()
 
-      # Lookup the repository. If it exists, make sure the entity has modify
-      # permission. Otherwise, make sure the entity has create permission.
-      if repository_ref:
-        if ModifyRepositoryPermission(namespace, reponame).can():
-          if repository_ref is not None and repository_ref.kind != 'image':
-            raise Unsupported(message=invalid_repo_message)
+            # Lookup the repository. If it exists, make sure the entity has modify
+            # permission. Otherwise, make sure the entity has create permission.
+            if repository_ref:
+                if ModifyRepositoryPermission(namespace, reponame).can():
+                    if repository_ref is not None and repository_ref.kind != "image":
+                        raise Unsupported(message=invalid_repo_message)
 
-          # Check for different repository states.
-          if repository_ref.state == RepositoryState.NORMAL:
-            # In NORMAL mode, if the user has permission, then they can push.
-            final_actions.append('push')
-          elif repository_ref.state == RepositoryState.MIRROR:
-            # In MIRROR mode, only the mirroring robot can push.
-            mirror = model.repo_mirror.get_mirror(repository_ref.id)
-            robot = mirror.internal_robot if mirror is not None else None
-            if robot is not None and user is not None and robot == user:
-              assert robot.robot
-              final_actions.append('push')
+                    # Check for different repository states.
+                    if repository_ref.state == RepositoryState.NORMAL:
+                        # In NORMAL mode, if the user has permission, then they can push.
+                        final_actions.append("push")
+                    elif repository_ref.state == RepositoryState.MIRROR:
+                        # In MIRROR mode, only the mirroring robot can push.
+                        mirror = model.repo_mirror.get_mirror(repository_ref.id)
+                        robot = mirror.internal_robot if mirror is not None else None
+                        if robot is not None and user is not None and robot == user:
+                            assert robot.robot
+                            final_actions.append("push")
+                        else:
+                            logger.debug(
+                                "Repository %s/%s push requested for non-mirror robot %s: %s",
+                                namespace,
+                                reponame,
+                                robot,
+                                user,
+                            )
+                    elif repository_ref.state == RepositoryState.READ_ONLY:
+                        # No pushing allowed in read-only state.
+                        pass
+                    else:
+                        logger.warning(
+                            "Unknown state for repository %s: %s",
+                            repository_ref,
+                            repository_ref.state,
+                        )
+                else:
+                    logger.debug(
+                        "No permission to modify repository %s/%s", namespace, reponame
+                    )
             else:
-              logger.debug('Repository %s/%s push requested for non-mirror robot %s: %s', namespace,
-                           reponame, robot, user)
-          elif repository_ref.state == RepositoryState.READ_ONLY:
-            # No pushing allowed in read-only state.
-            pass
-          else:
-            logger.warning('Unknown state for repository %s: %s', repository_ref, repository_ref.state)
+                # TODO: Push-to-create functionality should be configurable
+                if CreateRepositoryPermission(namespace).can() and user is not None:
+                    logger.debug("Creating repository: %s/%s", namespace, reponame)
+                    repository_ref = RepositoryReference.for_repo_obj(
+                        model.repository.create_repository(namespace, reponame, user)
+                    )
+                    final_actions.append("push")
+                else:
+                    logger.debug(
+                        "No permission to create repository %s/%s", namespace, reponame
+                    )
+
+    if "pull" in requested_actions:
+        # Grant pull if the user can read the repo or it is public.
+        if ReadRepositoryPermission(namespace, reponame).can() or repo_is_public:
+            if repository_ref is not None and repository_ref.kind != "image":
+                raise Unsupported(message=invalid_repo_message)
+
+            final_actions.append("pull")
         else:
-          logger.debug('No permission to modify repository %s/%s', namespace, reponame)
-      else:
-        # TODO: Push-to-create functionality should be configurable
-        if CreateRepositoryPermission(namespace).can() and user is not None:
-          logger.debug('Creating repository: %s/%s', namespace, reponame)
-          repository_ref = RepositoryReference.for_repo_obj(
-            model.repository.create_repository(namespace, reponame, user))
-          final_actions.append('push')
+            logger.debug("No permission to pull repository %s/%s", namespace, reponame)
+
+    if "*" in requested_actions:
+        # Grant * user is admin
+        if AdministerRepositoryPermission(namespace, reponame).can():
+            if repository_ref is not None and repository_ref.kind != "image":
+                raise Unsupported(message=invalid_repo_message)
+
+            if repository_ref and repository_ref.state in (
+                RepositoryState.MIRROR,
+                RepositoryState.READ_ONLY,
+            ):
+                logger.debug(
+                    "No permission to administer repository %s/%s", namespace, reponame
+                )
+            else:
+                assert repository_ref.state == RepositoryState.NORMAL
+                final_actions.append("*")
         else:
-          logger.debug('No permission to create repository %s/%s', namespace, reponame)      
+            logger.debug(
+                "No permission to administer repository %s/%s", namespace, reponame
+            )
 
-  if 'pull' in requested_actions:
-    # Grant pull if the user can read the repo or it is public.
-    if ReadRepositoryPermission(namespace, reponame).can() or repo_is_public:
-      if repository_ref is not None and repository_ref.kind != 'image':
-        raise Unsupported(message=invalid_repo_message)
+    # Final sanity checks.
+    if "push" in final_actions:
+        assert repository_ref.state != RepositoryState.READ_ONLY
 
-      final_actions.append('pull')
-    else:
-      logger.debug('No permission to pull repository %s/%s', namespace, reponame)
-
-  if '*' in requested_actions:
-    # Grant * user is admin
-    if AdministerRepositoryPermission(namespace, reponame).can():
-      if repository_ref is not None and repository_ref.kind != 'image':
-        raise Unsupported(message=invalid_repo_message)
-
-      if repository_ref and repository_ref.state in (RepositoryState.MIRROR,
-                                                     RepositoryState.READ_ONLY):
-        logger.debug('No permission to administer repository %s/%s', namespace, reponame)
-      else:
+    if "*" in final_actions:
         assert repository_ref.state == RepositoryState.NORMAL
-        final_actions.append('*')
-    else:
-      logger.debug("No permission to administer repository %s/%s", namespace, reponame)
 
-  # Final sanity checks.
-  if 'push' in final_actions:
-    assert repository_ref.state != RepositoryState.READ_ONLY
-
-  if '*' in final_actions:
-    assert repository_ref.state == RepositoryState.NORMAL
-
-  return scopeResult(actions=final_actions, namespace=namespace, repository=reponame,
-                     registry_and_repo=registry_and_repo,
-                     tuf_root=_get_tuf_root(repository_ref, namespace, reponame))
+    return scopeResult(
+        actions=final_actions,
+        namespace=namespace,
+        repository=reponame,
+        registry_and_repo=registry_and_repo,
+        tuf_root=_get_tuf_root(repository_ref, namespace, reponame),
+    )
diff --git a/endpoints/verbs/__init__.py b/endpoints/verbs/__init__.py
index 1a7898ab8..474ad6f1a 100644
--- a/endpoints/verbs/__init__.py
+++ b/endpoints/verbs/__init__.py
@@ -7,15 +7,28 @@ from flask import redirect, Blueprint, abort, send_file, make_response, request
 
 import features
 
-from app import app, signer, storage, metric_queue, config_provider, ip_resolver, instance_keys
+from app import (
+    app,
+    signer,
+    storage,
+    metric_queue,
+    config_provider,
+    ip_resolver,
+    instance_keys,
+)
 from auth.auth_context import get_authenticated_user
 from auth.decorators import process_auth
 from auth.permissions import ReadRepositoryPermission
 from data import database
 from data import model
 from data.registry_model import registry_model
-from endpoints.decorators import (anon_protect, anon_allowed, route_show_if, parse_repository_name,
-                                  check_region_blacklisted)
+from endpoints.decorators import (
+    anon_protect,
+    anon_allowed,
+    route_show_if,
+    parse_repository_name,
+    check_region_blacklisted,
+)
 from endpoints.v2.blob import BLOB_DIGEST_ROUTE
 from image.appc import AppCImageFormatter
 from image.docker import ManifestException
@@ -27,477 +40,638 @@ from util.registry.filelike import wrap_with_handler
 from util.registry.queuefile import QueueFile
 from util.registry.queueprocess import QueueProcess
 from util.registry.tarlayerformat import TarLayerFormatterReporter
-from util.registry.torrent import (make_torrent, per_user_torrent_filename, public_torrent_filename,
-                                   PieceHasher, TorrentConfiguration)
+from util.registry.torrent import (
+    make_torrent,
+    per_user_torrent_filename,
+    public_torrent_filename,
+    PieceHasher,
+    TorrentConfiguration,
+)
 
 logger = logging.getLogger(__name__)
 
-verbs = Blueprint('verbs', __name__)
+verbs = Blueprint("verbs", __name__)
 
-LAYER_MIMETYPE = 'binary/octet-stream'
+LAYER_MIMETYPE = "binary/octet-stream"
 
 
 class VerbReporter(TarLayerFormatterReporter):
-  def __init__(self, kind):
-    self.kind = kind
+    def __init__(self, kind):
+        self.kind = kind
 
-  def report_pass(self, pass_count):
-    metric_queue.verb_action_passes.Inc(labelvalues=[self.kind, pass_count])
+    def report_pass(self, pass_count):
+        metric_queue.verb_action_passes.Inc(labelvalues=[self.kind, pass_count])
 
 
-def _open_stream(formatter, tag, schema1_manifest, derived_image_id, handlers, reporter):
-  """
+def _open_stream(
+    formatter, tag, schema1_manifest, derived_image_id, handlers, reporter
+):
+    """
   This method generates a stream of data which will be replicated and read from the queue files.
   This method runs in a separate process.
   """
-  # For performance reasons, we load the full image list here, cache it, then disconnect from
-  # the database.
-  with database.UseThenDisconnect(app.config):
-    layers = registry_model.list_parsed_manifest_layers(tag.repository, schema1_manifest, storage,
-                                                        include_placements=True)
+    # For performance reasons, we load the full image list here, cache it, then disconnect from
+    # the database.
+    with database.UseThenDisconnect(app.config):
+        layers = registry_model.list_parsed_manifest_layers(
+            tag.repository, schema1_manifest, storage, include_placements=True
+        )
 
-  def image_stream_getter(store, blob):
-    def get_stream_for_storage():
-      current_image_stream = store.stream_read_file(blob.placements, blob.storage_path)
-      logger.debug('Returning blob %s: %s', blob.digest, blob.storage_path)
-      return current_image_stream
-    return get_stream_for_storage
+    def image_stream_getter(store, blob):
+        def get_stream_for_storage():
+            current_image_stream = store.stream_read_file(
+                blob.placements, blob.storage_path
+            )
+            logger.debug("Returning blob %s: %s", blob.digest, blob.storage_path)
+            return current_image_stream
 
-  def tar_stream_getter_iterator():
-    # Re-Initialize the storage engine because some may not respond well to forking (e.g. S3)
-    store = Storage(app, metric_queue, config_provider=config_provider, ip_resolver=ip_resolver)
+        return get_stream_for_storage
 
-    # Note: We reverse because we have to start at the leaf layer and move upward,
-    # as per the spec for the formatters.
-    for layer in reversed(layers):
-      yield image_stream_getter(store, layer.blob)
+    def tar_stream_getter_iterator():
+        # Re-Initialize the storage engine because some may not respond well to forking (e.g. S3)
+        store = Storage(
+            app, metric_queue, config_provider=config_provider, ip_resolver=ip_resolver
+        )
 
-  stream = formatter.build_stream(tag, schema1_manifest, derived_image_id, layers,
-                                  tar_stream_getter_iterator, reporter=reporter)
+        # Note: We reverse because we have to start at the leaf layer and move upward,
+        # as per the spec for the formatters.
+        for layer in reversed(layers):
+            yield image_stream_getter(store, layer.blob)
 
-  for handler_fn in handlers:
-    stream = wrap_with_handler(stream, handler_fn)
+    stream = formatter.build_stream(
+        tag,
+        schema1_manifest,
+        derived_image_id,
+        layers,
+        tar_stream_getter_iterator,
+        reporter=reporter,
+    )
 
-  return stream.read
+    for handler_fn in handlers:
+        stream = wrap_with_handler(stream, handler_fn)
+
+    return stream.read
 
 
 def _sign_derived_image(verb, derived_image, queue_file):
-  """ Read from the queue file and sign the contents which are generated. This method runs in a
+    """ Read from the queue file and sign the contents which are generated. This method runs in a
       separate process. """
-  signature = None
-  try:
-    signature = signer.detached_sign(queue_file)
-  except:
-    logger.exception('Exception when signing %s deriving image %s', verb, derived_image)
-    return
+    signature = None
+    try:
+        signature = signer.detached_sign(queue_file)
+    except:
+        logger.exception(
+            "Exception when signing %s deriving image %s", verb, derived_image
+        )
+        return
 
-  # Setup the database (since this is a new process) and then disconnect immediately
-  # once the operation completes.
-  if not queue_file.raised_exception:
-    with database.UseThenDisconnect(app.config):
-      registry_model.set_derived_image_signature(derived_image, signer.name, signature)
+    # Setup the database (since this is a new process) and then disconnect immediately
+    # once the operation completes.
+    if not queue_file.raised_exception:
+        with database.UseThenDisconnect(app.config):
+            registry_model.set_derived_image_signature(
+                derived_image, signer.name, signature
+            )
 
 
 def _write_derived_image_to_storage(verb, derived_image, queue_file):
-  """ Read from the generated stream and write it back to the storage engine. This method runs in a
+    """ Read from the generated stream and write it back to the storage engine. This method runs in a
       separate process.
   """
 
-  def handle_exception(ex):
-    logger.debug('Exception when building %s derived image %s: %s', verb, derived_image, ex)
+    def handle_exception(ex):
+        logger.debug(
+            "Exception when building %s derived image %s: %s", verb, derived_image, ex
+        )
 
-    with database.UseThenDisconnect(app.config):
-      registry_model.delete_derived_image(derived_image)
+        with database.UseThenDisconnect(app.config):
+            registry_model.delete_derived_image(derived_image)
 
-  queue_file.add_exception_handler(handle_exception)
+    queue_file.add_exception_handler(handle_exception)
 
-  # Re-Initialize the storage engine because some may not respond well to forking (e.g. S3)
-  store = Storage(app, metric_queue, config_provider=config_provider, ip_resolver=ip_resolver)
+    # Re-Initialize the storage engine because some may not respond well to forking (e.g. S3)
+    store = Storage(
+        app, metric_queue, config_provider=config_provider, ip_resolver=ip_resolver
+    )
 
-  try:
-    store.stream_write(derived_image.blob.placements, derived_image.blob.storage_path, queue_file)
-  except IOError as ex:
-    logger.debug('Exception when writing %s derived image %s: %s', verb, derived_image, ex)
+    try:
+        store.stream_write(
+            derived_image.blob.placements, derived_image.blob.storage_path, queue_file
+        )
+    except IOError as ex:
+        logger.debug(
+            "Exception when writing %s derived image %s: %s", verb, derived_image, ex
+        )
 
-    with database.UseThenDisconnect(app.config):
-      registry_model.delete_derived_image(derived_image)
+        with database.UseThenDisconnect(app.config):
+            registry_model.delete_derived_image(derived_image)
 
-  queue_file.close()
+    queue_file.close()
 
 
 def _torrent_for_blob(blob, is_public):
-  """ Returns a response containing the torrent file contents for the given blob. May abort
+    """ Returns a response containing the torrent file contents for the given blob. May abort
       with an error if the state is not valid (e.g. non-public, non-user request).
   """
-  # Make sure the storage has a size.
-  if not blob.compressed_size:
-    abort(404)
+    # Make sure the storage has a size.
+    if not blob.compressed_size:
+        abort(404)
 
-  # Lookup the torrent information for the storage.
-  torrent_info = registry_model.get_torrent_info(blob)
-  if torrent_info is None:
-    abort(404)
+    # Lookup the torrent information for the storage.
+    torrent_info = registry_model.get_torrent_info(blob)
+    if torrent_info is None:
+        abort(404)
 
-  # Lookup the webseed path for the storage.
-  webseed = storage.get_direct_download_url(blob.placements, blob.storage_path,
-                                            expires_in=app.config['BITTORRENT_WEBSEED_LIFETIME'])
-  if webseed is None:
-    # We cannot support webseeds for storages that cannot provide direct downloads.
-    exact_abort(501, 'Storage engine does not support seeding.')
+    # Lookup the webseed path for the storage.
+    webseed = storage.get_direct_download_url(
+        blob.placements,
+        blob.storage_path,
+        expires_in=app.config["BITTORRENT_WEBSEED_LIFETIME"],
+    )
+    if webseed is None:
+        # We cannot support webseeds for storages that cannot provide direct downloads.
+        exact_abort(501, "Storage engine does not support seeding.")
 
-  # Load the config for building torrents.
-  torrent_config = TorrentConfiguration.from_app_config(instance_keys, app.config)
+    # Load the config for building torrents.
+    torrent_config = TorrentConfiguration.from_app_config(instance_keys, app.config)
 
-  # Build the filename for the torrent.
-  if is_public:
-    name = public_torrent_filename(blob.uuid)
-  else:
-    user = get_authenticated_user()
-    if not user:
-      abort(403)
+    # Build the filename for the torrent.
+    if is_public:
+        name = public_torrent_filename(blob.uuid)
+    else:
+        user = get_authenticated_user()
+        if not user:
+            abort(403)
 
-    name = per_user_torrent_filename(torrent_config, user.uuid, blob.uuid)
+        name = per_user_torrent_filename(torrent_config, user.uuid, blob.uuid)
 
-  # Return the torrent file.
-  torrent_file = make_torrent(torrent_config, name, webseed, blob.compressed_size,
-                              torrent_info.piece_length, torrent_info.pieces)
+    # Return the torrent file.
+    torrent_file = make_torrent(
+        torrent_config,
+        name,
+        webseed,
+        blob.compressed_size,
+        torrent_info.piece_length,
+        torrent_info.pieces,
+    )
 
-  headers = {
-    'Content-Type': 'application/x-bittorrent',
-    'Content-Disposition': 'attachment; filename={0}.torrent'.format(name)}
+    headers = {
+        "Content-Type": "application/x-bittorrent",
+        "Content-Disposition": "attachment; filename={0}.torrent".format(name),
+    }
 
-  return make_response(torrent_file, 200, headers)
+    return make_response(torrent_file, 200, headers)
 
 
 def _torrent_repo_verb(repository, tag, manifest, verb, **kwargs):
-  """ Handles returning a torrent for the given verb on the given image and tag. """
-  if not features.BITTORRENT:
-    # Torrent feature is not enabled.
-    abort(406)
+    """ Handles returning a torrent for the given verb on the given image and tag. """
+    if not features.BITTORRENT:
+        # Torrent feature is not enabled.
+        abort(406)
 
-  # Lookup an *existing* derived storage for the verb. If the verb's image storage doesn't exist,
-  # we cannot create it here, so we 406.
-  derived_image = registry_model.lookup_derived_image(manifest, verb, storage,
-                                                      varying_metadata={'tag': tag.name},
-                                                      include_placements=True)
-  if derived_image is None:
-    abort(406)
+    # Lookup an *existing* derived storage for the verb. If the verb's image storage doesn't exist,
+    # we cannot create it here, so we 406.
+    derived_image = registry_model.lookup_derived_image(
+        manifest,
+        verb,
+        storage,
+        varying_metadata={"tag": tag.name},
+        include_placements=True,
+    )
+    if derived_image is None:
+        abort(406)
 
-  # Return the torrent.
-  torrent = _torrent_for_blob(derived_image.blob, model.repository.is_repository_public(repository))
+    # Return the torrent.
+    torrent = _torrent_for_blob(
+        derived_image.blob, model.repository.is_repository_public(repository)
+    )
 
-  # Log the action.
-  track_and_log('repo_verb', wrap_repository(repository), tag=tag.name, verb=verb, torrent=True,
-                **kwargs)
-  return torrent
+    # Log the action.
+    track_and_log(
+        "repo_verb",
+        wrap_repository(repository),
+        tag=tag.name,
+        verb=verb,
+        torrent=True,
+        **kwargs
+    )
+    return torrent
 
 
 def _verify_repo_verb(_, namespace, repo_name, tag_name, verb, checker=None):
-  permission = ReadRepositoryPermission(namespace, repo_name)
-  repo = model.repository.get_repository(namespace, repo_name)
-  repo_is_public = repo is not None and model.repository.is_repository_public(repo)
-  if not permission.can() and not repo_is_public:
-    logger.debug('No permission to read repository %s/%s for user %s with verb %s', namespace,
-                 repo_name, get_authenticated_user(), verb)
-    abort(403)
+    permission = ReadRepositoryPermission(namespace, repo_name)
+    repo = model.repository.get_repository(namespace, repo_name)
+    repo_is_public = repo is not None and model.repository.is_repository_public(repo)
+    if not permission.can() and not repo_is_public:
+        logger.debug(
+            "No permission to read repository %s/%s for user %s with verb %s",
+            namespace,
+            repo_name,
+            get_authenticated_user(),
+            verb,
+        )
+        abort(403)
 
-  if repo is not None and repo.kind.name != 'image':
-    logger.debug('Repository %s/%s for user %s is not an image repo', namespace, repo_name,
-                 get_authenticated_user())
-    abort(405)
+    if repo is not None and repo.kind.name != "image":
+        logger.debug(
+            "Repository %s/%s for user %s is not an image repo",
+            namespace,
+            repo_name,
+            get_authenticated_user(),
+        )
+        abort(405)
 
-  # Make sure the repo's namespace isn't disabled.
-  if not registry_model.is_namespace_enabled(namespace):
-    abort(400)
+    # Make sure the repo's namespace isn't disabled.
+    if not registry_model.is_namespace_enabled(namespace):
+        abort(400)
 
-  # Lookup the requested tag.
-  repo_ref = registry_model.lookup_repository(namespace, repo_name)
-  if repo_ref is None:
-    abort(404)
+    # Lookup the requested tag.
+    repo_ref = registry_model.lookup_repository(namespace, repo_name)
+    if repo_ref is None:
+        abort(404)
 
-  tag = registry_model.get_repo_tag(repo_ref, tag_name)
-  if tag is None:
-    logger.debug('Tag %s does not exist in repository %s/%s for user %s', tag, namespace, repo_name,
-                 get_authenticated_user())
-    abort(404)
+    tag = registry_model.get_repo_tag(repo_ref, tag_name)
+    if tag is None:
+        logger.debug(
+            "Tag %s does not exist in repository %s/%s for user %s",
+            tag,
+            namespace,
+            repo_name,
+            get_authenticated_user(),
+        )
+        abort(404)
 
-  # Get its associated manifest.
-  manifest = registry_model.get_manifest_for_tag(tag, backfill_if_necessary=True)
-  if manifest is None:
-    logger.debug('Could not get manifest on %s/%s:%s::%s', namespace, repo_name, tag.name, verb)
-    abort(404)
+    # Get its associated manifest.
+    manifest = registry_model.get_manifest_for_tag(tag, backfill_if_necessary=True)
+    if manifest is None:
+        logger.debug(
+            "Could not get manifest on %s/%s:%s::%s",
+            namespace,
+            repo_name,
+            tag.name,
+            verb,
+        )
+        abort(404)
 
-  # Retrieve the schema1-compatible version of the manifest.
-  try:
-    schema1_manifest = registry_model.get_schema1_parsed_manifest(manifest, namespace,
-                                                                  repo_name, tag.name,
-                                                                  storage)
-  except ManifestException:
-    logger.exception('Could not get manifest on %s/%s:%s::%s', namespace, repo_name, tag.name, verb)
-    abort(400)
+    # Retrieve the schema1-compatible version of the manifest.
+    try:
+        schema1_manifest = registry_model.get_schema1_parsed_manifest(
+            manifest, namespace, repo_name, tag.name, storage
+        )
+    except ManifestException:
+        logger.exception(
+            "Could not get manifest on %s/%s:%s::%s",
+            namespace,
+            repo_name,
+            tag.name,
+            verb,
+        )
+        abort(400)
 
-  if schema1_manifest is None:
-    abort(404)
+    if schema1_manifest is None:
+        abort(404)
 
-  # If there is a data checker, call it first.
-  if checker is not None:
-    if not checker(tag, schema1_manifest):
-      logger.debug('Check mismatch on %s/%s:%s, verb %s', namespace, repo_name, tag.name, verb)
-      abort(404)
+    # If there is a data checker, call it first.
+    if checker is not None:
+        if not checker(tag, schema1_manifest):
+            logger.debug(
+                "Check mismatch on %s/%s:%s, verb %s",
+                namespace,
+                repo_name,
+                tag.name,
+                verb,
+            )
+            abort(404)
 
-  # Preload the tag's repository information, so it gets cached.
-  assert tag.repository.namespace_name
-  assert tag.repository.name
+    # Preload the tag's repository information, so it gets cached.
+    assert tag.repository.namespace_name
+    assert tag.repository.name
 
-  return tag, manifest, schema1_manifest
+    return tag, manifest, schema1_manifest
 
 
 def _repo_verb_signature(namespace, repository, tag_name, verb, checker=None, **kwargs):
-  # Verify that the tag exists and that we have access to it.
-  tag, manifest, _ = _verify_repo_verb(storage, namespace, repository, tag_name, verb, checker)
+    # Verify that the tag exists and that we have access to it.
+    tag, manifest, _ = _verify_repo_verb(
+        storage, namespace, repository, tag_name, verb, checker
+    )
 
-  # Find the derived image storage for the verb.
-  derived_image = registry_model.lookup_derived_image(manifest, verb, storage,
-                                                      varying_metadata={'tag': tag.name})
+    # Find the derived image storage for the verb.
+    derived_image = registry_model.lookup_derived_image(
+        manifest, verb, storage, varying_metadata={"tag": tag.name}
+    )
 
-  if derived_image is None or derived_image.blob.uploading:
-    return make_response('', 202)
+    if derived_image is None or derived_image.blob.uploading:
+        return make_response("", 202)
 
-  # Check if we have a valid signer configured.
-  if not signer.name:
-    abort(404)
+    # Check if we have a valid signer configured.
+    if not signer.name:
+        abort(404)
 
-  # Lookup the signature for the verb.
-  signature_value = registry_model.get_derived_image_signature(derived_image, signer.name)
-  if signature_value is None:
-    abort(404)
+    # Lookup the signature for the verb.
+    signature_value = registry_model.get_derived_image_signature(
+        derived_image, signer.name
+    )
+    if signature_value is None:
+        abort(404)
 
-  # Return the signature.
-  return make_response(signature_value)
+    # Return the signature.
+    return make_response(signature_value)
 
 
 @check_region_blacklisted()
-def _repo_verb(namespace, repository, tag_name, verb, formatter, sign=False, checker=None,
-               **kwargs):
-  # Verify that the image exists and that we have access to it.
-  logger.debug('Verifying repo verb %s for repository %s/%s with user %s with mimetype %s',
-               verb, namespace, repository, get_authenticated_user(), request.accept_mimetypes.best)
-  tag, manifest, schema1_manifest = _verify_repo_verb(storage, namespace, repository,
-                                                      tag_name, verb, checker)
+def _repo_verb(
+    namespace, repository, tag_name, verb, formatter, sign=False, checker=None, **kwargs
+):
+    # Verify that the image exists and that we have access to it.
+    logger.debug(
+        "Verifying repo verb %s for repository %s/%s with user %s with mimetype %s",
+        verb,
+        namespace,
+        repository,
+        get_authenticated_user(),
+        request.accept_mimetypes.best,
+    )
+    tag, manifest, schema1_manifest = _verify_repo_verb(
+        storage, namespace, repository, tag_name, verb, checker
+    )
 
-  # Load the repository for later.
-  repo = model.repository.get_repository(namespace, repository)
-  if repo is None:
-    abort(404)
+    # Load the repository for later.
+    repo = model.repository.get_repository(namespace, repository)
+    if repo is None:
+        abort(404)
 
-  # Check for torrent. If found, we return a torrent for the repo verb image (if the derived
-  # image already exists).
-  if request.accept_mimetypes.best == 'application/x-bittorrent':
-    metric_queue.repository_pull.Inc(labelvalues=[namespace, repository, verb + '+torrent', True])
-    return _torrent_repo_verb(repo, tag, manifest, verb, **kwargs)
+    # Check for torrent. If found, we return a torrent for the repo verb image (if the derived
+    # image already exists).
+    if request.accept_mimetypes.best == "application/x-bittorrent":
+        metric_queue.repository_pull.Inc(
+            labelvalues=[namespace, repository, verb + "+torrent", True]
+        )
+        return _torrent_repo_verb(repo, tag, manifest, verb, **kwargs)
 
-  # Log the action.
-  track_and_log('repo_verb', wrap_repository(repo), tag=tag.name, verb=verb, **kwargs)
-  metric_queue.repository_pull.Inc(labelvalues=[namespace, repository, verb, True])
+    # Log the action.
+    track_and_log("repo_verb", wrap_repository(repo), tag=tag.name, verb=verb, **kwargs)
+    metric_queue.repository_pull.Inc(labelvalues=[namespace, repository, verb, True])
 
-  is_readonly = app.config.get('REGISTRY_STATE', 'normal') == 'readonly'
+    is_readonly = app.config.get("REGISTRY_STATE", "normal") == "readonly"
 
-  # Lookup/create the derived image for the verb and repo image.
-  if is_readonly:
-    derived_image = registry_model.lookup_derived_image(
-      manifest, verb, storage,
-      varying_metadata={'tag': tag.name},
-      include_placements=True)
-  else:
-    derived_image = registry_model.lookup_or_create_derived_image(
-      manifest, verb, storage.preferred_locations[0], storage,
-      varying_metadata={'tag': tag.name},
-      include_placements=True)
-    if derived_image is None:
-      logger.error('Could not create or lookup a derived image for manifest %s', manifest)
-      abort(400)
+    # Lookup/create the derived image for the verb and repo image.
+    if is_readonly:
+        derived_image = registry_model.lookup_derived_image(
+            manifest,
+            verb,
+            storage,
+            varying_metadata={"tag": tag.name},
+            include_placements=True,
+        )
+    else:
+        derived_image = registry_model.lookup_or_create_derived_image(
+            manifest,
+            verb,
+            storage.preferred_locations[0],
+            storage,
+            varying_metadata={"tag": tag.name},
+            include_placements=True,
+        )
+        if derived_image is None:
+            logger.error(
+                "Could not create or lookup a derived image for manifest %s", manifest
+            )
+            abort(400)
 
-  if derived_image is not None and not derived_image.blob.uploading:
-    logger.debug('Derived %s image %s exists in storage', verb, derived_image)
-    is_head_request = request.method == 'HEAD'
+    if derived_image is not None and not derived_image.blob.uploading:
+        logger.debug("Derived %s image %s exists in storage", verb, derived_image)
+        is_head_request = request.method == "HEAD"
 
-    metric_queue.pull_byte_count.Inc(derived_image.blob.compressed_size, labelvalues=[verb])
+        metric_queue.pull_byte_count.Inc(
+            derived_image.blob.compressed_size, labelvalues=[verb]
+        )
 
-    download_url = storage.get_direct_download_url(derived_image.blob.placements,
-                                                   derived_image.blob.storage_path,
-                                                   head=is_head_request)
-    if download_url:
-      logger.debug('Redirecting to download URL for derived %s image %s', verb, derived_image)
-      return redirect(download_url)
+        download_url = storage.get_direct_download_url(
+            derived_image.blob.placements,
+            derived_image.blob.storage_path,
+            head=is_head_request,
+        )
+        if download_url:
+            logger.debug(
+                "Redirecting to download URL for derived %s image %s",
+                verb,
+                derived_image,
+            )
+            return redirect(download_url)
+
+        # Close the database handle here for this process before we send the long download.
+        database.close_db_filter(None)
+
+        logger.debug("Sending cached derived %s image %s", verb, derived_image)
+        return send_file(
+            storage.stream_read_file(
+                derived_image.blob.placements, derived_image.blob.storage_path
+            ),
+            mimetype=LAYER_MIMETYPE,
+        )
+
+    logger.debug("Building and returning derived %s image", verb)
+
+    # Close the database connection before any process forking occurs. This is important because
+    # the Postgres driver does not react kindly to forking, so we need to make sure it is closed
+    # so that each process will get its own unique connection.
+    database.close_db_filter(None)
+
+    def _cleanup():
+        # Close any existing DB connection once the process has exited.
+        database.close_db_filter(None)
+
+    hasher = PieceHasher(app.config["BITTORRENT_PIECE_SIZE"])
+
+    def _store_metadata_and_cleanup():
+        if is_readonly:
+            return
+
+        with database.UseThenDisconnect(app.config):
+            registry_model.set_torrent_info(
+                derived_image.blob,
+                app.config["BITTORRENT_PIECE_SIZE"],
+                hasher.final_piece_hashes(),
+            )
+            registry_model.set_derived_image_size(derived_image, hasher.hashed_bytes)
+
+    # Create a queue process to generate the data. The queue files will read from the process
+    # and send the results to the client and storage.
+    unique_id = (
+        derived_image.unique_id
+        if derived_image is not None
+        else hashlib.sha256("%s:%s" % (verb, uuid.uuid4())).hexdigest()
+    )
+    handlers = [hasher.update]
+    reporter = VerbReporter(verb)
+    args = (formatter, tag, schema1_manifest, unique_id, handlers, reporter)
+    queue_process = QueueProcess(
+        _open_stream,
+        8 * 1024,
+        10 * 1024 * 1024,  # 8K/10M chunk/max
+        args,
+        finished=_store_metadata_and_cleanup,
+    )
+
+    client_queue_file = QueueFile(queue_process.create_queue(), "client")
+
+    if not is_readonly:
+        storage_queue_file = QueueFile(queue_process.create_queue(), "storage")
+
+        # If signing is required, add a QueueFile for signing the image as we stream it out.
+        signing_queue_file = None
+        if sign and signer.name:
+            signing_queue_file = QueueFile(queue_process.create_queue(), "signing")
+
+    # Start building.
+    queue_process.run()
+
+    # Start the storage saving.
+    if not is_readonly:
+        storage_args = (verb, derived_image, storage_queue_file)
+        QueueProcess.run_process(
+            _write_derived_image_to_storage, storage_args, finished=_cleanup
+        )
+
+        if sign and signer.name:
+            signing_args = (verb, derived_image, signing_queue_file)
+            QueueProcess.run_process(
+                _sign_derived_image, signing_args, finished=_cleanup
+            )
 
     # Close the database handle here for this process before we send the long download.
     database.close_db_filter(None)
 
-    logger.debug('Sending cached derived %s image %s', verb, derived_image)
-    return send_file(
-      storage.stream_read_file(derived_image.blob.placements, derived_image.blob.storage_path),
-      mimetype=LAYER_MIMETYPE)
-
-  logger.debug('Building and returning derived %s image', verb)
-
-  # Close the database connection before any process forking occurs. This is important because
-  # the Postgres driver does not react kindly to forking, so we need to make sure it is closed
-  # so that each process will get its own unique connection.
-  database.close_db_filter(None)
-
-  def _cleanup():
-    # Close any existing DB connection once the process has exited.
-    database.close_db_filter(None)
-
-  hasher = PieceHasher(app.config['BITTORRENT_PIECE_SIZE'])
-
-  def _store_metadata_and_cleanup():
-    if is_readonly:
-      return
-
-    with database.UseThenDisconnect(app.config):
-      registry_model.set_torrent_info(derived_image.blob, app.config['BITTORRENT_PIECE_SIZE'],
-                                      hasher.final_piece_hashes())
-      registry_model.set_derived_image_size(derived_image, hasher.hashed_bytes)
-
-  # Create a queue process to generate the data. The queue files will read from the process
-  # and send the results to the client and storage.
-  unique_id = (derived_image.unique_id
-               if derived_image is not None
-               else hashlib.sha256('%s:%s' % (verb, uuid.uuid4())).hexdigest())
-  handlers = [hasher.update]
-  reporter = VerbReporter(verb)
-  args = (formatter, tag, schema1_manifest, unique_id, handlers, reporter)
-  queue_process = QueueProcess(
-    _open_stream,
-    8 * 1024,
-    10 * 1024 * 1024,  # 8K/10M chunk/max
-    args,
-    finished=_store_metadata_and_cleanup)
-
-  client_queue_file = QueueFile(queue_process.create_queue(), 'client')
-
-  if not is_readonly:
-    storage_queue_file = QueueFile(queue_process.create_queue(), 'storage')
-
-    # If signing is required, add a QueueFile for signing the image as we stream it out.
-    signing_queue_file = None
-    if sign and signer.name:
-      signing_queue_file = QueueFile(queue_process.create_queue(), 'signing')
-
-  # Start building.
-  queue_process.run()
-
-  # Start the storage saving.
-  if not is_readonly:
-    storage_args = (verb, derived_image, storage_queue_file)
-    QueueProcess.run_process(_write_derived_image_to_storage, storage_args, finished=_cleanup)
-
-    if sign and signer.name:
-      signing_args = (verb, derived_image, signing_queue_file)
-      QueueProcess.run_process(_sign_derived_image, signing_args, finished=_cleanup)
-
-  # Close the database handle here for this process before we send the long download.
-  database.close_db_filter(None)
-
-  # Return the client's data.
-  return send_file(client_queue_file, mimetype=LAYER_MIMETYPE)
+    # Return the client's data.
+    return send_file(client_queue_file, mimetype=LAYER_MIMETYPE)
 
 
 def os_arch_checker(os, arch):
-  def checker(tag, manifest):
-    try:
-      image_json = json.loads(manifest.leaf_layer.raw_v1_metadata)
-    except ValueError:
-      logger.exception('Could not parse leaf layer JSON for manifest %s', manifest)
-      return False
-    except TypeError:
-      logger.exception('Could not parse leaf layer JSON for manifest %s', manifest)
-      return False
+    def checker(tag, manifest):
+        try:
+            image_json = json.loads(manifest.leaf_layer.raw_v1_metadata)
+        except ValueError:
+            logger.exception(
+                "Could not parse leaf layer JSON for manifest %s", manifest
+            )
+            return False
+        except TypeError:
+            logger.exception(
+                "Could not parse leaf layer JSON for manifest %s", manifest
+            )
+            return False
 
-    # Verify the architecture and os.
-    operating_system = image_json.get('os', 'linux')
-    if operating_system != os:
-      return False
+        # Verify the architecture and os.
+        operating_system = image_json.get("os", "linux")
+        if operating_system != os:
+            return False
 
-    architecture = image_json.get('architecture', 'amd64')
+        architecture = image_json.get("architecture", "amd64")
 
-    # Note: Some older Docker images have 'x86_64' rather than 'amd64'.
-    # We allow the conversion here.
-    if architecture == 'x86_64' and operating_system == 'linux':
-      architecture = 'amd64'
+        # Note: Some older Docker images have 'x86_64' rather than 'amd64'.
+        # We allow the conversion here.
+        if architecture == "x86_64" and operating_system == "linux":
+            architecture = "amd64"
 
-    if architecture != arch:
-      return False
+        if architecture != arch:
+            return False
 
-    return True
+        return True
 
-  return checker
+    return checker
 
 
 @route_show_if(features.ACI_CONVERSION)
 @anon_protect
-@verbs.route('/aci/<server>/<namespace>/<repository>/<tag>/sig/<os>/<arch>/', methods=['GET'])
-@verbs.route('/aci/<server>/<namespace>/<repository>/<tag>/aci.asc/<os>/<arch>/', methods=['GET'])
+@verbs.route(
+    "/aci/<server>/<namespace>/<repository>/<tag>/sig/<os>/<arch>/", methods=["GET"]
+)
+@verbs.route(
+    "/aci/<server>/<namespace>/<repository>/<tag>/aci.asc/<os>/<arch>/", methods=["GET"]
+)
 @process_auth
 def get_aci_signature(server, namespace, repository, tag, os, arch):
-  return _repo_verb_signature(namespace, repository, tag, 'aci', checker=os_arch_checker(os, arch),
-                              os=os, arch=arch)
+    return _repo_verb_signature(
+        namespace,
+        repository,
+        tag,
+        "aci",
+        checker=os_arch_checker(os, arch),
+        os=os,
+        arch=arch,
+    )
 
 
 @route_show_if(features.ACI_CONVERSION)
 @anon_protect
-@verbs.route('/aci/<server>/<namespace>/<repository>/<tag>/aci/<os>/<arch>/', methods=[
-  'GET', 'HEAD'])
+@verbs.route(
+    "/aci/<server>/<namespace>/<repository>/<tag>/aci/<os>/<arch>/",
+    methods=["GET", "HEAD"],
+)
 @process_auth
 def get_aci_image(server, namespace, repository, tag, os, arch):
-  return _repo_verb(namespace, repository, tag, 'aci',
-                    AppCImageFormatter(), sign=True, checker=os_arch_checker(os, arch), os=os,
-                    arch=arch)
+    return _repo_verb(
+        namespace,
+        repository,
+        tag,
+        "aci",
+        AppCImageFormatter(),
+        sign=True,
+        checker=os_arch_checker(os, arch),
+        os=os,
+        arch=arch,
+    )
 
 
 @anon_protect
-@verbs.route('/squash/<namespace>/<repository>/<tag>', methods=['GET'])
+@verbs.route("/squash/<namespace>/<repository>/<tag>", methods=["GET"])
 @process_auth
 def get_squashed_tag(namespace, repository, tag):
-  return _repo_verb(namespace, repository, tag, 'squash', SquashedDockerImageFormatter())
+    return _repo_verb(
+        namespace, repository, tag, "squash", SquashedDockerImageFormatter()
+    )
 
 
 @route_show_if(features.BITTORRENT)
 @anon_protect
-@verbs.route('/torrent{0}'.format(BLOB_DIGEST_ROUTE), methods=['GET'])
+@verbs.route("/torrent{0}".format(BLOB_DIGEST_ROUTE), methods=["GET"])
 @process_auth
 @parse_repository_name()
-@check_region_blacklisted(namespace_name_kwarg='namespace_name')
+@check_region_blacklisted(namespace_name_kwarg="namespace_name")
 def get_tag_torrent(namespace_name, repo_name, digest):
-  repo = model.repository.get_repository(namespace_name, repo_name)
-  repo_is_public = repo is not None and model.repository.is_repository_public(repo)
+    repo = model.repository.get_repository(namespace_name, repo_name)
+    repo_is_public = repo is not None and model.repository.is_repository_public(repo)
 
-  permission = ReadRepositoryPermission(namespace_name, repo_name)
-  if not permission.can() and not repo_is_public:
-    abort(403)
+    permission = ReadRepositoryPermission(namespace_name, repo_name)
+    if not permission.can() and not repo_is_public:
+        abort(403)
 
-  user = get_authenticated_user()
-  if user is None and not repo_is_public:
-    # We can not generate a private torrent cluster without a user uuid (e.g. token auth)
-    abort(403)
+    user = get_authenticated_user()
+    if user is None and not repo_is_public:
+        # We can not generate a private torrent cluster without a user uuid (e.g. token auth)
+        abort(403)
 
-  if repo is not None and repo.kind.name != 'image':
-    abort(405)
+    if repo is not None and repo.kind.name != "image":
+        abort(405)
 
-  repo_ref = registry_model.lookup_repository(namespace_name, repo_name)
-  if repo_ref is None:
-    abort(404)
+    repo_ref = registry_model.lookup_repository(namespace_name, repo_name)
+    if repo_ref is None:
+        abort(404)
 
-  blob = registry_model.get_repo_blob_by_digest(repo_ref, digest, include_placements=True)
-  if blob is None:
-    abort(404)
+    blob = registry_model.get_repo_blob_by_digest(
+        repo_ref, digest, include_placements=True
+    )
+    if blob is None:
+        abort(404)
 
-  metric_queue.repository_pull.Inc(labelvalues=[namespace_name, repo_name, 'torrent', True])
-  return _torrent_for_blob(blob, repo_is_public)
+    metric_queue.repository_pull.Inc(
+        labelvalues=[namespace_name, repo_name, "torrent", True]
+    )
+    return _torrent_for_blob(blob, repo_is_public)
 
 
-@verbs.route('/_internal_ping')
+@verbs.route("/_internal_ping")
 @anon_allowed
 def internal_ping():
-  return make_response('true', 200)
+    return make_response("true", 200)
diff --git a/endpoints/verbs/test/test_security.py b/endpoints/verbs/test/test_security.py
index eeb79c567..b872ba2b9 100644
--- a/endpoints/verbs/test/test_security.py
+++ b/endpoints/verbs/test/test_security.py
@@ -4,71 +4,186 @@ from flask import url_for
 from endpoints.test.shared import conduct_call, gen_basic_auth
 from test.fixtures import *
 
-NO_ACCESS_USER = 'freshuser'
-READ_ACCESS_USER = 'reader'
-ADMIN_ACCESS_USER = 'devtable'
-CREATOR_ACCESS_USER = 'creator'
+NO_ACCESS_USER = "freshuser"
+READ_ACCESS_USER = "reader"
+ADMIN_ACCESS_USER = "devtable"
+CREATOR_ACCESS_USER = "creator"
 
-PUBLIC_REPO = 'public/publicrepo'
-PRIVATE_REPO = 'devtable/shared'
-ORG_REPO = 'buynlarge/orgrepo'
-ANOTHER_ORG_REPO = 'buynlarge/anotherorgrepo'
+PUBLIC_REPO = "public/publicrepo"
+PRIVATE_REPO = "devtable/shared"
+ORG_REPO = "buynlarge/orgrepo"
+ANOTHER_ORG_REPO = "buynlarge/anotherorgrepo"
 
-ACI_ARGS = {
-  'server': 'someserver',
-  'tag': 'fake',
-  'os': 'linux',
-  'arch': 'x64',}
+ACI_ARGS = {"server": "someserver", "tag": "fake", "os": "linux", "arch": "x64"}
 
 
-@pytest.mark.parametrize('user', [
-  (0, None),
-  (1, NO_ACCESS_USER),
-  (2, READ_ACCESS_USER),
-  (3, CREATOR_ACCESS_USER),
-  (4, ADMIN_ACCESS_USER),])
 @pytest.mark.parametrize(
-  'endpoint,method,repository,single_repo_path,params,expected_statuses',
-  [
-    ('get_aci_signature', 'GET', PUBLIC_REPO, False, ACI_ARGS, (404, 404, 404, 404, 404)),
-    ('get_aci_signature', 'GET', PRIVATE_REPO, False, ACI_ARGS, (403, 403, 404, 403, 404)),
-    ('get_aci_signature', 'GET', ORG_REPO, False, ACI_ARGS, (403, 403, 404, 403, 404)),
-    ('get_aci_signature', 'GET', ANOTHER_ORG_REPO, False, ACI_ARGS, (403, 403, 403, 403, 404)),
+    "user",
+    [
+        (0, None),
+        (1, NO_ACCESS_USER),
+        (2, READ_ACCESS_USER),
+        (3, CREATOR_ACCESS_USER),
+        (4, ADMIN_ACCESS_USER),
+    ],
+)
+@pytest.mark.parametrize(
+    "endpoint,method,repository,single_repo_path,params,expected_statuses",
+    [
+        (
+            "get_aci_signature",
+            "GET",
+            PUBLIC_REPO,
+            False,
+            ACI_ARGS,
+            (404, 404, 404, 404, 404),
+        ),
+        (
+            "get_aci_signature",
+            "GET",
+            PRIVATE_REPO,
+            False,
+            ACI_ARGS,
+            (403, 403, 404, 403, 404),
+        ),
+        (
+            "get_aci_signature",
+            "GET",
+            ORG_REPO,
+            False,
+            ACI_ARGS,
+            (403, 403, 404, 403, 404),
+        ),
+        (
+            "get_aci_signature",
+            "GET",
+            ANOTHER_ORG_REPO,
+            False,
+            ACI_ARGS,
+            (403, 403, 403, 403, 404),
+        ),
+        # get_aci_image
+        (
+            "get_aci_image",
+            "GET",
+            PUBLIC_REPO,
+            False,
+            ACI_ARGS,
+            (404, 404, 404, 404, 404),
+        ),
+        (
+            "get_aci_image",
+            "GET",
+            PRIVATE_REPO,
+            False,
+            ACI_ARGS,
+            (403, 403, 404, 403, 404),
+        ),
+        ("get_aci_image", "GET", ORG_REPO, False, ACI_ARGS, (403, 403, 404, 403, 404)),
+        (
+            "get_aci_image",
+            "GET",
+            ANOTHER_ORG_REPO,
+            False,
+            ACI_ARGS,
+            (403, 403, 403, 403, 404),
+        ),
+        # get_squashed_tag
+        (
+            "get_squashed_tag",
+            "GET",
+            PUBLIC_REPO,
+            False,
+            dict(tag="fake"),
+            (404, 404, 404, 404, 404),
+        ),
+        (
+            "get_squashed_tag",
+            "GET",
+            PRIVATE_REPO,
+            False,
+            dict(tag="fake"),
+            (403, 403, 404, 403, 404),
+        ),
+        (
+            "get_squashed_tag",
+            "GET",
+            ORG_REPO,
+            False,
+            dict(tag="fake"),
+            (403, 403, 404, 403, 404),
+        ),
+        (
+            "get_squashed_tag",
+            "GET",
+            ANOTHER_ORG_REPO,
+            False,
+            dict(tag="fake"),
+            (403, 403, 403, 403, 404),
+        ),
+        # get_tag_torrent
+        (
+            "get_tag_torrent",
+            "GET",
+            PUBLIC_REPO,
+            True,
+            dict(digest="sha256:1234"),
+            (404, 404, 404, 404, 404),
+        ),
+        (
+            "get_tag_torrent",
+            "GET",
+            PRIVATE_REPO,
+            True,
+            dict(digest="sha256:1234"),
+            (403, 403, 404, 403, 404),
+        ),
+        (
+            "get_tag_torrent",
+            "GET",
+            ORG_REPO,
+            True,
+            dict(digest="sha256:1234"),
+            (403, 403, 404, 403, 404),
+        ),
+        (
+            "get_tag_torrent",
+            "GET",
+            ANOTHER_ORG_REPO,
+            True,
+            dict(digest="sha256:1234"),
+            (403, 403, 403, 403, 404),
+        ),
+    ],
+)
+def test_verbs_security(
+    user,
+    endpoint,
+    method,
+    repository,
+    single_repo_path,
+    params,
+    expected_statuses,
+    app,
+    client,
+):
+    headers = {}
+    if user[1] is not None:
+        headers["Authorization"] = gen_basic_auth(user[1], "password")
 
-    # get_aci_image
-    ('get_aci_image', 'GET', PUBLIC_REPO, False, ACI_ARGS, (404, 404, 404, 404, 404)),
-    ('get_aci_image', 'GET', PRIVATE_REPO, False, ACI_ARGS, (403, 403, 404, 403, 404)),
-    ('get_aci_image', 'GET', ORG_REPO, False, ACI_ARGS, (403, 403, 404, 403, 404)),
-    ('get_aci_image', 'GET', ANOTHER_ORG_REPO, False, ACI_ARGS, (403, 403, 403, 403, 404)),
+    if single_repo_path:
+        params["repository"] = repository
+    else:
+        (namespace, repo_name) = repository.split("/")
+        params["namespace"] = namespace
+        params["repository"] = repo_name
 
-    # get_squashed_tag
-    ('get_squashed_tag', 'GET', PUBLIC_REPO, False, dict(tag='fake'), (404, 404, 404, 404, 404)),
-    ('get_squashed_tag', 'GET', PRIVATE_REPO, False, dict(tag='fake'), (403, 403, 404, 403, 404)),
-    ('get_squashed_tag', 'GET', ORG_REPO, False, dict(tag='fake'), (403, 403, 404, 403, 404)),
-    ('get_squashed_tag', 'GET', ANOTHER_ORG_REPO, False, dict(tag='fake'), (403, 403, 403, 403,
-                                                                            404)),
-
-    # get_tag_torrent
-    ('get_tag_torrent', 'GET', PUBLIC_REPO, True, dict(digest='sha256:1234'), (404, 404, 404, 404,
-                                                                               404)),
-    ('get_tag_torrent', 'GET', PRIVATE_REPO, True, dict(digest='sha256:1234'), (403, 403, 404, 403,
-                                                                                404)),
-    ('get_tag_torrent', 'GET', ORG_REPO, True, dict(digest='sha256:1234'), (403, 403, 404, 403,
-                                                                            404)),
-    ('get_tag_torrent', 'GET', ANOTHER_ORG_REPO, True, dict(digest='sha256:1234'), (403, 403, 403,
-                                                                                    403, 404)),])
-def test_verbs_security(user, endpoint, method, repository, single_repo_path, params,
-                        expected_statuses, app, client):
-  headers = {}
-  if user[1] is not None:
-    headers['Authorization'] = gen_basic_auth(user[1], 'password')
-
-  if single_repo_path:
-    params['repository'] = repository
-  else:
-    (namespace, repo_name) = repository.split('/')
-    params['namespace'] = namespace
-    params['repository'] = repo_name
-
-  conduct_call(client, 'verbs.' + endpoint, url_for, method, params,
-               expected_code=expected_statuses[user[0]], headers=headers)
+    conduct_call(
+        client,
+        "verbs." + endpoint,
+        url_for,
+        method,
+        params,
+        expected_code=expected_statuses[user[0]],
+        headers=headers,
+    )
diff --git a/endpoints/web.py b/endpoints/web.py
index 9c77ef4bf..b750c3310 100644
--- a/endpoints/web.py
+++ b/endpoints/web.py
@@ -5,21 +5,48 @@ import logging
 from datetime import timedelta, datetime
 
 from cachetools.func import lru_cache
-from flask import (abort, redirect, request, url_for, make_response, Response, render_template,
-                   Blueprint, jsonify, send_file, session)
+from flask import (
+    abort,
+    redirect,
+    request,
+    url_for,
+    make_response,
+    Response,
+    render_template,
+    Blueprint,
+    jsonify,
+    send_file,
+    session,
+)
 from flask_login import current_user
 
 import features
 
-from app import (app, billing as stripe, build_logs, avatar, signer, log_archive, config_provider,
-                 get_app_url, instance_keys, user_analytics, storage)
+from app import (
+    app,
+    billing as stripe,
+    build_logs,
+    avatar,
+    signer,
+    log_archive,
+    config_provider,
+    get_app_url,
+    instance_keys,
+    user_analytics,
+    storage,
+)
 from auth import scopes
 from auth.auth_context import get_authenticated_user
 from auth.basic import has_basic_auth
 from auth.decorators import require_session_login, process_oauth, process_auth_or_cookie
-from auth.permissions import (AdministerOrganizationPermission, ReadRepositoryPermission,
-                              SuperUserPermission, AdministerRepositoryPermission,
-                              ModifyRepositoryPermission, OrganizationMemberPermission)
+from auth.permissions import (
+    AdministerOrganizationPermission,
+    ReadRepositoryPermission,
+    SuperUserPermission,
+    AdministerRepositoryPermission,
+    ModifyRepositoryPermission,
+    OrganizationMemberPermission,
+)
 from buildtrigger.basehandler import BuildTriggerHandler
 from buildtrigger.bitbuckethandler import BitbucketBuildTrigger
 from buildtrigger.customhandler import CustomBuildTrigger
@@ -29,8 +56,13 @@ from data.database import db, RepositoryTag, TagToRepositoryTag
 from endpoints.api.discovery import swagger_route_data
 from endpoints.common import common_login, render_page_template
 from endpoints.csrf import csrf_protect, generate_csrf_token, verify_csrf
-from endpoints.decorators import (anon_protect, anon_allowed, route_show_if, parse_repository_name,
-                                  param_required)
+from endpoints.decorators import (
+    anon_protect,
+    anon_allowed,
+    route_show_if,
+    parse_repository_name,
+    param_required,
+)
 from health.healthcheck import get_healthchecker
 from util.cache import no_cache
 from util.headers import parse_basic_auth
@@ -42,827 +74,892 @@ from util.request import get_request_ip
 from _init import ROOT_DIR
 
 
-PGP_KEY_MIMETYPE = 'application/pgp-keys'
+PGP_KEY_MIMETYPE = "application/pgp-keys"
 
 
 @lru_cache(maxsize=1)
 def _get_route_data():
-  return swagger_route_data(include_internal=True, compact=True)
+    return swagger_route_data(include_internal=True, compact=True)
 
 
 def render_page_template_with_routedata(name, *args, **kwargs):
-  return render_page_template(name, _get_route_data(), *args, **kwargs)
+    return render_page_template(name, _get_route_data(), *args, **kwargs)
+
 
 # Capture the unverified SSL errors.
 logger = logging.getLogger(__name__)
 logging.captureWarnings(True)
 
-web = Blueprint('web', __name__)
+web = Blueprint("web", __name__)
 
-STATUS_TAGS = app.config['STATUS_TAGS']
+STATUS_TAGS = app.config["STATUS_TAGS"]
 
 
-@web.route('/', methods=['GET'], defaults={'path': ''})
+@web.route("/", methods=["GET"], defaults={"path": ""})
 @no_cache
 def index(path, **kwargs):
-  return render_page_template_with_routedata('index.html', **kwargs)
+    return render_page_template_with_routedata("index.html", **kwargs)
 
-@web.route('/_internal_ping')
+
+@web.route("/_internal_ping")
 @anon_allowed
 def internal_ping():
-  return make_response('true', 200)
+    return make_response("true", 200)
 
-@web.route('/500', methods=['GET'])
+
+@web.route("/500", methods=["GET"])
 def internal_error_display():
-  return render_page_template_with_routedata('500.html')
+    return render_page_template_with_routedata("500.html")
+
 
 @web.errorhandler(404)
-@web.route('/404', methods=['GET'])
-def not_found_error_display(e = None):
-  resp = index('', error_code=404, error_info=dict(reason='notfound'))
-  resp.status_code = 404
-  return resp
+@web.route("/404", methods=["GET"])
+def not_found_error_display(e=None):
+    resp = index("", error_code=404, error_info=dict(reason="notfound"))
+    resp.status_code = 404
+    return resp
 
-@web.route('/organization/<path:path>', methods=['GET'])
-@web.route('/organization/<path:path>/', methods=['GET'])
+
+@web.route("/organization/<path:path>", methods=["GET"])
+@web.route("/organization/<path:path>/", methods=["GET"])
 @no_cache
 def org_view(path):
-  return index('')
+    return index("")
 
 
-@web.route('/user/<path:path>', methods=['GET'])
-@web.route('/user/<path:path>/', methods=['GET'])
+@web.route("/user/<path:path>", methods=["GET"])
+@web.route("/user/<path:path>/", methods=["GET"])
 @no_cache
 def user_view(path):
-  return index('')
+    return index("")
 
 
 @route_show_if(features.ACI_CONVERSION)
-@web.route('/aci-signing-key')
+@web.route("/aci-signing-key")
 @no_cache
 @anon_protect
 def aci_signing_key():
-  if not signer.name:
-    abort(404)
+    if not signer.name:
+        abort(404)
 
-  return send_file(signer.open_public_key_file(), mimetype=PGP_KEY_MIMETYPE)
+    return send_file(signer.open_public_key_file(), mimetype=PGP_KEY_MIMETYPE)
 
 
-@web.route('/plans/')
+@web.route("/plans/")
 @no_cache
 @route_show_if(features.BILLING)
 def plans():
-  return index('')
+    return index("")
 
 
-@web.route('/search')
+@web.route("/search")
 @no_cache
 def search():
-  return index('')
+    return index("")
 
 
-@web.route('/guide/')
+@web.route("/guide/")
 @no_cache
 def guide():
-  return index('')
+    return index("")
 
 
-@web.route('/tour/')
-@web.route('/tour/<path:path>')
+@web.route("/tour/")
+@web.route("/tour/<path:path>")
 @no_cache
-def tour(path = ''):
-  return index('')
+def tour(path=""):
+    return index("")
 
 
-@web.route('/tutorial/')
+@web.route("/tutorial/")
 @no_cache
 def tutorial():
-  return index('')
+    return index("")
 
 
-@web.route('/organizations/')
-@web.route('/organizations/new/')
+@web.route("/organizations/")
+@web.route("/organizations/new/")
 @no_cache
 def organizations():
-  return index('')
+    return index("")
 
 
-@web.route('/superuser/')
+@web.route("/superuser/")
 @no_cache
 @route_show_if(features.SUPER_USERS)
 def superuser():
-  return index('')
+    return index("")
 
 
-@web.route('/setup/')
+@web.route("/setup/")
 @no_cache
 @route_show_if(features.SUPER_USERS)
 def setup():
-  return index('')
+    return index("")
 
 
-@web.route('/upgradeprogress/')
+@web.route("/upgradeprogress/")
 @no_cache
 @route_show_if(not features.BILLING)
-@route_show_if(app.config.get('V3_UPGRADE_MODE') == 'background')
+@route_show_if(app.config.get("V3_UPGRADE_MODE") == "background")
 def upgrade_progress():
-  total_tags = RepositoryTag.select().where(RepositoryTag.hidden == False).count()
-  if total_tags == 0:
-    return jsonify({
-      'progress': 1.0,
-      'tags_remaining': 0,
-      'total_tags': 0,
-    })
+    total_tags = RepositoryTag.select().where(RepositoryTag.hidden == False).count()
+    if total_tags == 0:
+        return jsonify({"progress": 1.0, "tags_remaining": 0, "total_tags": 0})
 
-  upgraded_tags = TagToRepositoryTag.select().count()
-  return jsonify({
-    'progress': float(upgraded_tags) / total_tags,
-    'tags_remaining': total_tags - upgraded_tags,
-    'total_tags': total_tags,
-  })
+    upgraded_tags = TagToRepositoryTag.select().count()
+    return jsonify(
+        {
+            "progress": float(upgraded_tags) / total_tags,
+            "tags_remaining": total_tags - upgraded_tags,
+            "total_tags": total_tags,
+        }
+    )
 
 
-@web.route('/signin/')
+@web.route("/signin/")
 @no_cache
 def signin(redirect=None):
-  return index('')
+    return index("")
 
 
-@web.route('/contact/')
+@web.route("/contact/")
 @no_cache
 def contact():
-  return index('')
+    return index("")
 
 
-@web.route('/about/')
+@web.route("/about/")
 @no_cache
 def about():
-  return index('')
+    return index("")
 
 
-@web.route('/new/')
+@web.route("/new/")
 @no_cache
 def new():
-  return index('')
+    return index("")
 
 
-@web.route('/updateuser')
+@web.route("/updateuser")
 @no_cache
 def updateuser():
-  return index('')
+    return index("")
 
 
-@web.route('/confirminvite')
+@web.route("/confirminvite")
 @no_cache
 def confirm_invite():
-  code = request.values['code']
-  return index('', code=code)
+    code = request.values["code"]
+    return index("", code=code)
 
 
-@web.route('/repository/', defaults={'path': ''})
-@web.route('/repository/<path:path>', methods=['GET'])
+@web.route("/repository/", defaults={"path": ""})
+@web.route("/repository/<path:path>", methods=["GET"])
 @no_cache
 def repository(path):
-  return index('')
+    return index("")
 
 
-@web.route('/repository/<path:path>/trigger/<trigger>', methods=['GET'])
+@web.route("/repository/<path:path>/trigger/<trigger>", methods=["GET"])
 @no_cache
 def buildtrigger(path, trigger):
-  return index('')
+    return index("")
 
 
 @route_show_if(features.APP_REGISTRY)
-@web.route('/application/', defaults={'path': ''})
-@web.route('/application/<path:path>', methods=['GET'])
+@web.route("/application/", defaults={"path": ""})
+@web.route("/application/<path:path>", methods=["GET"])
 @no_cache
 def application(path):
-  return index('')
+    return index("")
 
 
-@web.route('/security/')
+@web.route("/security/")
 @no_cache
 def security():
-  return index('')
+    return index("")
 
 
-@web.route('/enterprise/')
+@web.route("/enterprise/")
 @no_cache
 @route_show_if(features.BILLING)
 def enterprise():
-    return redirect('/plans?tab=enterprise')
+    return redirect("/plans?tab=enterprise")
 
 
-@web.route('/__exp/<expname>')
+@web.route("/__exp/<expname>")
 @no_cache
 def exp(expname):
-  return index('')
+    return index("")
 
 
-@web.route('/v1')
-@web.route('/v1/')
+@web.route("/v1")
+@web.route("/v1/")
 @no_cache
 def v1():
-  return index('')
+    return index("")
 
 
-@web.route('/tos', methods=['GET'])
+@web.route("/tos", methods=["GET"])
 @no_cache
 def tos():
-  return index('')
+    return index("")
 
 
-@web.route('/privacy', methods=['GET'])
+@web.route("/privacy", methods=["GET"])
 @no_cache
 def privacy():
-  return index('')
+    return index("")
 
 
-@web.route('/health', methods=['GET'])
-@web.route('/health/instance', methods=['GET'])
+@web.route("/health", methods=["GET"])
+@web.route("/health/instance", methods=["GET"])
 @process_auth_or_cookie
 @no_cache
 def instance_health():
-  checker = get_healthchecker(app, config_provider, instance_keys)
-  (data, status_code) = checker.check_instance()
-  response = jsonify(dict(data=data, status_code=status_code))
-  response.status_code = status_code
-  return response
+    checker = get_healthchecker(app, config_provider, instance_keys)
+    (data, status_code) = checker.check_instance()
+    response = jsonify(dict(data=data, status_code=status_code))
+    response.status_code = status_code
+    return response
 
 
-@web.route('/status', methods=['GET'])
-@web.route('/health/endtoend', methods=['GET'])
+@web.route("/status", methods=["GET"])
+@web.route("/health/endtoend", methods=["GET"])
 @process_auth_or_cookie
 @no_cache
 def endtoend_health():
-  checker = get_healthchecker(app, config_provider, instance_keys)
-  (data, status_code) = checker.check_endtoend()
-  response = jsonify(dict(data=data, status_code=status_code))
-  response.status_code = status_code
-  return response
+    checker = get_healthchecker(app, config_provider, instance_keys)
+    (data, status_code) = checker.check_endtoend()
+    response = jsonify(dict(data=data, status_code=status_code))
+    response.status_code = status_code
+    return response
 
 
-@web.route('/health/warning', methods=['GET'])
+@web.route("/health/warning", methods=["GET"])
 @process_auth_or_cookie
 @no_cache
 def warning_health():
-  checker = get_healthchecker(app, config_provider, instance_keys)
-  (data, status_code) = checker.check_warning()
-  response = jsonify(dict(data=data, status_code=status_code))
-  response.status_code = status_code
-  return response
+    checker = get_healthchecker(app, config_provider, instance_keys)
+    (data, status_code) = checker.check_warning()
+    response = jsonify(dict(data=data, status_code=status_code))
+    response.status_code = status_code
+    return response
 
 
-@web.route('/health/dbrevision', methods=['GET'])
-@route_show_if(features.BILLING) # Since this is only used in production.
+@web.route("/health/dbrevision", methods=["GET"])
+@route_show_if(features.BILLING)  # Since this is only used in production.
 @process_auth_or_cookie
 @no_cache
 def dbrevision_health():
-  # Find the revision from the database.
-  result = db.execute_sql('select * from alembic_version limit 1').fetchone()
-  db_revision = result[0]
+    # Find the revision from the database.
+    result = db.execute_sql("select * from alembic_version limit 1").fetchone()
+    db_revision = result[0]
 
-  # Find the local revision from the file system.
-  with open(os.path.join(ROOT_DIR, 'ALEMBIC_HEAD'), 'r') as f:
-    local_revision = f.readline().split(' ')[0]
+    # Find the local revision from the file system.
+    with open(os.path.join(ROOT_DIR, "ALEMBIC_HEAD"), "r") as f:
+        local_revision = f.readline().split(" ")[0]
 
-  data = {
-    'db_revision': db_revision,
-    'local_revision': local_revision,
-  }
+    data = {"db_revision": db_revision, "local_revision": local_revision}
 
-  status_code = 200 if db_revision == local_revision else 400
+    status_code = 200 if db_revision == local_revision else 400
 
-  response = jsonify(dict(data=data, status_code=status_code))
-  response.status_code = status_code
-  return response
+    response = jsonify(dict(data=data, status_code=status_code))
+    response.status_code = status_code
+    return response
 
 
-@web.route('/health/enabledebug/<secret>', methods=['GET'])
+@web.route("/health/enabledebug/<secret>", methods=["GET"])
 @no_cache
 def enable_health_debug(secret):
-  if not secret:
-    abort(404)
+    if not secret:
+        abort(404)
 
-  if not app.config.get('ENABLE_HEALTH_DEBUG_SECRET'):
-    abort(404)
+    if not app.config.get("ENABLE_HEALTH_DEBUG_SECRET"):
+        abort(404)
 
-  if app.config.get('ENABLE_HEALTH_DEBUG_SECRET') != secret:
-    abort(404)
+    if app.config.get("ENABLE_HEALTH_DEBUG_SECRET") != secret:
+        abort(404)
 
-  session['health_debug'] = True
-  return make_response('Health check debug information enabled')
+    session["health_debug"] = True
+    return make_response("Health check debug information enabled")
 
 
-
-@web.route('/robots.txt', methods=['GET'])
+@web.route("/robots.txt", methods=["GET"])
 def robots():
-  robots_txt = make_response(render_template('robots.txt', baseurl=get_app_url()))
-  robots_txt.headers['Content-Type'] = 'text/plain'
-  return robots_txt
+    robots_txt = make_response(render_template("robots.txt", baseurl=get_app_url()))
+    robots_txt.headers["Content-Type"] = "text/plain"
+    return robots_txt
 
 
-@web.route('/buildlogs/<build_uuid>', methods=['GET'])
+@web.route("/buildlogs/<build_uuid>", methods=["GET"])
 @route_show_if(features.BUILD_SUPPORT)
 @process_auth_or_cookie
 def buildlogs(build_uuid):
-  found_build = model.build.get_repository_build(build_uuid)
-  if not found_build:
-    abort(403)
+    found_build = model.build.get_repository_build(build_uuid)
+    if not found_build:
+        abort(403)
 
-  repo = found_build.repository
-  has_permission = ModifyRepositoryPermission(repo.namespace_user.username, repo.name).can()
-  if features.READER_BUILD_LOGS and not has_permission:
-    if (ReadRepositoryPermission(repo.namespace_user.username, repo.name).can() or
-        model.repository.repository_is_public(repo.namespace_user.username, repo.name)):
-      has_permission = True
+    repo = found_build.repository
+    has_permission = ModifyRepositoryPermission(
+        repo.namespace_user.username, repo.name
+    ).can()
+    if features.READER_BUILD_LOGS and not has_permission:
+        if ReadRepositoryPermission(
+            repo.namespace_user.username, repo.name
+        ).can() or model.repository.repository_is_public(
+            repo.namespace_user.username, repo.name
+        ):
+            has_permission = True
 
-  if not has_permission:
-    abort(403)
+    if not has_permission:
+        abort(403)
 
-  # If the logs have been archived, just return a URL of the completed archive
-  if found_build.logs_archived:
-    return redirect(log_archive.get_file_url(found_build.uuid, get_request_ip()))
+    # If the logs have been archived, just return a URL of the completed archive
+    if found_build.logs_archived:
+        return redirect(log_archive.get_file_url(found_build.uuid, get_request_ip()))
 
-  _, logs = build_logs.get_log_entries(found_build.uuid, 0)
-  response = jsonify({
-    'logs': [log for log in logs]
-  })
+    _, logs = build_logs.get_log_entries(found_build.uuid, 0)
+    response = jsonify({"logs": [log for log in logs]})
 
-  response.headers["Content-Disposition"] = "attachment;filename=" + found_build.uuid + ".json"
-  return response
+    response.headers["Content-Disposition"] = (
+        "attachment;filename=" + found_build.uuid + ".json"
+    )
+    return response
 
 
-@web.route('/exportedlogs/<file_id>', methods=['GET'])
+@web.route("/exportedlogs/<file_id>", methods=["GET"])
 def exportedlogs(file_id):
-  # Only enable this endpoint if local storage is available.
-  has_local_storage = False
-  for storage_type, _ in app.config.get('DISTRIBUTED_STORAGE_CONFIG', {}).values():
-    if storage_type == 'LocalStorage':
-      has_local_storage = True
-      break
+    # Only enable this endpoint if local storage is available.
+    has_local_storage = False
+    for storage_type, _ in app.config.get("DISTRIBUTED_STORAGE_CONFIG", {}).values():
+        if storage_type == "LocalStorage":
+            has_local_storage = True
+            break
 
-  if not has_local_storage:
-    abort(404)
+    if not has_local_storage:
+        abort(404)
 
-  JSON_MIMETYPE = 'application/json'
-  exported_logs_storage_path = app.config.get('EXPORT_ACTION_LOGS_STORAGE_PATH',
-                                              'exportedactionlogs')
-  export_storage_path = os.path.join(exported_logs_storage_path, file_id)
-  if not storage.exists(storage.preferred_locations, export_storage_path):
-    abort(404)
+    JSON_MIMETYPE = "application/json"
+    exported_logs_storage_path = app.config.get(
+        "EXPORT_ACTION_LOGS_STORAGE_PATH", "exportedactionlogs"
+    )
+    export_storage_path = os.path.join(exported_logs_storage_path, file_id)
+    if not storage.exists(storage.preferred_locations, export_storage_path):
+        abort(404)
 
-  try:
-    return send_file(storage.stream_read_file(storage.preferred_locations, export_storage_path),
-                     mimetype=JSON_MIMETYPE)
-  except IOError:
-    logger.exception('Could not read exported logs')
-    abort(403)
+    try:
+        return send_file(
+            storage.stream_read_file(storage.preferred_locations, export_storage_path),
+            mimetype=JSON_MIMETYPE,
+        )
+    except IOError:
+        logger.exception("Could not read exported logs")
+        abort(403)
 
 
-@web.route('/logarchive/<file_id>', methods=['GET'])
+@web.route("/logarchive/<file_id>", methods=["GET"])
 @route_show_if(features.BUILD_SUPPORT)
 @process_auth_or_cookie
 def logarchive(file_id):
-  JSON_MIMETYPE = 'application/json'
-  try:
-    found_build = model.build.get_repository_build(file_id)
-  except model.InvalidRepositoryBuildException as ex:
-    logger.exception(ex, extra={'build_uuid': file_id})
-    abort(403)
+    JSON_MIMETYPE = "application/json"
+    try:
+        found_build = model.build.get_repository_build(file_id)
+    except model.InvalidRepositoryBuildException as ex:
+        logger.exception(ex, extra={"build_uuid": file_id})
+        abort(403)
 
-  repo = found_build.repository
-  has_permission = ModifyRepositoryPermission(repo.namespace_user.username, repo.name).can()
-  if features.READER_BUILD_LOGS and not has_permission:
-    if (ReadRepositoryPermission(repo.namespace_user.username, repo.name).can() or
-        model.repository.repository_is_public(repo.namespace_user.username, repo.name)):
-      has_permission = True
+    repo = found_build.repository
+    has_permission = ModifyRepositoryPermission(
+        repo.namespace_user.username, repo.name
+    ).can()
+    if features.READER_BUILD_LOGS and not has_permission:
+        if ReadRepositoryPermission(
+            repo.namespace_user.username, repo.name
+        ).can() or model.repository.repository_is_public(
+            repo.namespace_user.username, repo.name
+        ):
+            has_permission = True
 
-  if not has_permission:
-    abort(403)
+    if not has_permission:
+        abort(403)
 
-  try:
-    path = log_archive.get_file_id_path(file_id)
-    data_stream = log_archive._storage.stream_read_file(log_archive._locations, path)
-    return send_file(GzipInputStream(data_stream), mimetype=JSON_MIMETYPE)
-  except IOError:
-    logger.exception('Could not read archived logs')
-    abort(403)
+    try:
+        path = log_archive.get_file_id_path(file_id)
+        data_stream = log_archive._storage.stream_read_file(
+            log_archive._locations, path
+        )
+        return send_file(GzipInputStream(data_stream), mimetype=JSON_MIMETYPE)
+    except IOError:
+        logger.exception("Could not read archived logs")
+        abort(403)
 
 
-@web.route('/receipt', methods=['GET'])
+@web.route("/receipt", methods=["GET"])
 @route_show_if(features.BILLING)
 @require_session_login
 def receipt():
-  if not current_user.is_authenticated:
-    abort(401)
-    return
+    if not current_user.is_authenticated:
+        abort(401)
+        return
 
-  invoice_id = request.args.get('id')
-  if invoice_id:
-    invoice = stripe.Invoice.retrieve(invoice_id)
-    if invoice:
-      user_or_org = model.user.get_user_or_org_by_customer_id(invoice.customer)
+    invoice_id = request.args.get("id")
+    if invoice_id:
+        invoice = stripe.Invoice.retrieve(invoice_id)
+        if invoice:
+            user_or_org = model.user.get_user_or_org_by_customer_id(invoice.customer)
 
-      if user_or_org:
-        if user_or_org.organization:
-          admin_org = AdministerOrganizationPermission(user_or_org.username)
-          if not admin_org.can():
-            abort(404)
-            return
-        else:
-          if not user_or_org.username == current_user.db_user().username:
-            abort(404)
-            return
+            if user_or_org:
+                if user_or_org.organization:
+                    admin_org = AdministerOrganizationPermission(user_or_org.username)
+                    if not admin_org.can():
+                        abort(404)
+                        return
+                else:
+                    if not user_or_org.username == current_user.db_user().username:
+                        abort(404)
+                        return
 
-      def format_date(timestamp):
-        return datetime.fromtimestamp(timestamp).strftime('%Y-%m-%d')
+            def format_date(timestamp):
+                return datetime.fromtimestamp(timestamp).strftime("%Y-%m-%d")
 
-      file_data = renderInvoiceToPdf(invoice, user_or_org)
-      receipt_filename = 'quay-receipt-%s.pdf' % (format_date(invoice.date))
-      return Response(file_data,
-                      mimetype="application/pdf",
-                      headers={"Content-Disposition": "attachment;filename=" + receipt_filename})
-  abort(404)
+            file_data = renderInvoiceToPdf(invoice, user_or_org)
+            receipt_filename = "quay-receipt-%s.pdf" % (format_date(invoice.date))
+            return Response(
+                file_data,
+                mimetype="application/pdf",
+                headers={
+                    "Content-Disposition": "attachment;filename=" + receipt_filename
+                },
+            )
+    abort(404)
 
 
-@web.route('/authrepoemail', methods=['GET'])
+@web.route("/authrepoemail", methods=["GET"])
 @route_show_if(features.MAILING)
 def confirm_repo_email():
-  code = request.values['code']
-  record = None
+    code = request.values["code"]
+    record = None
 
-  try:
-    record = model.repository.confirm_email_authorization_for_repo(code)
-  except model.DataModelException as ex:
-    return index('', error_info=dict(reason='confirmerror', error_message=ex.message))
+    try:
+        record = model.repository.confirm_email_authorization_for_repo(code)
+    except model.DataModelException as ex:
+        return index(
+            "", error_info=dict(reason="confirmerror", error_message=ex.message)
+        )
 
-  message = """
+    message = """
   Your E-mail address has been authorized to receive notifications for repository
   <a href="%s://%s/repository/%s/%s">%s/%s</a>.
-  """ % (app.config['PREFERRED_URL_SCHEME'], app.config['SERVER_HOSTNAME'],
-         record.repository.namespace_user.username, record.repository.name,
-         record.repository.namespace_user.username, record.repository.name)
+  """ % (
+        app.config["PREFERRED_URL_SCHEME"],
+        app.config["SERVER_HOSTNAME"],
+        record.repository.namespace_user.username,
+        record.repository.name,
+        record.repository.namespace_user.username,
+        record.repository.name,
+    )
 
-  return render_page_template_with_routedata('message.html', message=message)
+    return render_page_template_with_routedata("message.html", message=message)
 
 
-@web.route('/confirm', methods=['GET'])
+@web.route("/confirm", methods=["GET"])
 @route_show_if(features.MAILING)
 @anon_allowed
 def confirm_email():
-  code = request.values['code']
-  user = None
-  new_email = None
+    code = request.values["code"]
+    user = None
+    new_email = None
 
-  try:
-    user, new_email, old_email = model.user.confirm_user_email(code)
-  except model.DataModelException as ex:
-    return index('', error_info=dict(reason='confirmerror', error_message=ex.message))
+    try:
+        user, new_email, old_email = model.user.confirm_user_email(code)
+    except model.DataModelException as ex:
+        return index(
+            "", error_info=dict(reason="confirmerror", error_message=ex.message)
+        )
 
-  if new_email:
-    send_email_changed(user.username, old_email, new_email)
-    change_email_future = user_analytics.change_email(old_email, new_email)
-    change_email_future.add_done_callback(build_error_callback('Change email failed'))
+    if new_email:
+        send_email_changed(user.username, old_email, new_email)
+        change_email_future = user_analytics.change_email(old_email, new_email)
+        change_email_future.add_done_callback(
+            build_error_callback("Change email failed")
+        )
 
-  success, _ = common_login(user.uuid)
-  if not success:
-    return index('', error_info=dict(reason='confirmerror',
-                                     error_message='Could not perform login'))
+    success, _ = common_login(user.uuid)
+    if not success:
+        return index(
+            "",
+            error_info=dict(
+                reason="confirmerror", error_message="Could not perform login"
+            ),
+        )
 
-  if model.user.has_user_prompts(user):
-    return redirect(url_for('web.updateuser'))
-  elif new_email:
-    return redirect(url_for('web.user_view', path=user.username, tab='settings'))
-  else:
-    return redirect(url_for('web.index'))
+    if model.user.has_user_prompts(user):
+        return redirect(url_for("web.updateuser"))
+    elif new_email:
+        return redirect(url_for("web.user_view", path=user.username, tab="settings"))
+    else:
+        return redirect(url_for("web.index"))
 
 
-@web.route('/recovery', methods=['GET'])
+@web.route("/recovery", methods=["GET"])
 @route_show_if(features.MAILING)
 @anon_allowed
 def confirm_recovery():
-  code = request.values['code']
-  user = model.user.validate_reset_code(code)
+    code = request.values["code"]
+    user = model.user.validate_reset_code(code)
 
-  if user is not None:
-    success, _ = common_login(user.uuid)
-    if not success:
-      message = 'Could not perform login.'
-      return render_page_template_with_routedata('message.html', message=message)
+    if user is not None:
+        success, _ = common_login(user.uuid)
+        if not success:
+            message = "Could not perform login."
+            return render_page_template_with_routedata("message.html", message=message)
 
-    return redirect(url_for('web.user_view', path=user.username, tab='settings', action='password'))
-  else:
-    message = 'Invalid recovery code: This code is invalid or may have already been used.'
-    return render_page_template_with_routedata('message.html', message=message)
+        return redirect(
+            url_for(
+                "web.user_view", path=user.username, tab="settings", action="password"
+            )
+        )
+    else:
+        message = (
+            "Invalid recovery code: This code is invalid or may have already been used."
+        )
+        return render_page_template_with_routedata("message.html", message=message)
 
 
-@web.route('/repository/<repopath:repository>/status', methods=['GET'])
+@web.route("/repository/<repopath:repository>/status", methods=["GET"])
 @parse_repository_name()
 @anon_protect
 def build_status_badge(namespace_name, repo_name):
-  token = request.args.get('token', None)
-  repo = model.repository.get_repository(namespace_name, repo_name)
-  if repo and repo.kind.name != 'image':
-    abort(404)
+    token = request.args.get("token", None)
+    repo = model.repository.get_repository(namespace_name, repo_name)
+    if repo and repo.kind.name != "image":
+        abort(404)
 
-  is_public = model.repository.repository_is_public(namespace_name, repo_name)
-  if not is_public:
-    if not repo or token != repo.badge_token:
-      abort(404)
+    is_public = model.repository.repository_is_public(namespace_name, repo_name)
+    if not is_public:
+        if not repo or token != repo.badge_token:
+            abort(404)
 
-  is_empty = model.repository.is_empty(namespace_name, repo_name)
-  recent_build = model.build.get_recent_repository_build(namespace_name, repo_name)
-  if not is_empty and (not recent_build or recent_build.phase == 'complete'):
-    status_name = 'ready'
-  elif recent_build and recent_build.phase == 'error':
-    status_name = 'failed'
-  elif recent_build and recent_build.phase == 'cancelled':
-    status_name = 'cancelled'
-  elif recent_build and recent_build.phase != 'complete':
-    status_name = 'building'
-  else:
-    status_name = 'none'
+    is_empty = model.repository.is_empty(namespace_name, repo_name)
+    recent_build = model.build.get_recent_repository_build(namespace_name, repo_name)
+    if not is_empty and (not recent_build or recent_build.phase == "complete"):
+        status_name = "ready"
+    elif recent_build and recent_build.phase == "error":
+        status_name = "failed"
+    elif recent_build and recent_build.phase == "cancelled":
+        status_name = "cancelled"
+    elif recent_build and recent_build.phase != "complete":
+        status_name = "building"
+    else:
+        status_name = "none"
 
-  if request.headers.get('If-None-Match') == status_name:
-    return Response(status=304)
+    if request.headers.get("If-None-Match") == status_name:
+        return Response(status=304)
 
-  response = make_response(STATUS_TAGS[status_name])
-  response.content_type = 'image/svg+xml'
-  response.headers['Cache-Control'] = 'no-cache'
-  response.headers['ETag'] = status_name
-  return response
+    response = make_response(STATUS_TAGS[status_name])
+    response.content_type = "image/svg+xml"
+    response.headers["Cache-Control"] = "no-cache"
+    response.headers["ETag"] = status_name
+    return response
 
 
 class FlaskAuthorizationProvider(model.oauth.DatabaseAuthorizationProvider):
-  def get_authorized_user(self):
-    return get_authenticated_user()
+    def get_authorized_user(self):
+        return get_authenticated_user()
 
-  def _make_response(self, body='', headers=None, status_code=200):
-    return make_response(body, status_code, headers)
+    def _make_response(self, body="", headers=None, status_code=200):
+        return make_response(body, status_code, headers)
 
 
-@web.route('/oauth/authorizeapp', methods=['POST'])
+@web.route("/oauth/authorizeapp", methods=["POST"])
 @process_auth_or_cookie
 def authorize_application():
-  # Check for an authenticated user.
-  if not get_authenticated_user():
-    abort(401)
-    return
+    # Check for an authenticated user.
+    if not get_authenticated_user():
+        abort(401)
+        return
 
-  # If direct OAuth is not enabled or the user is not directly authed, verify CSRF.
-  client_id = request.form.get('client_id', None)
-  whitelist = app.config.get('DIRECT_OAUTH_CLIENTID_WHITELIST', [])
-  if client_id not in whitelist or not has_basic_auth(get_authenticated_user().username):
-    verify_csrf()
+    # If direct OAuth is not enabled or the user is not directly authed, verify CSRF.
+    client_id = request.form.get("client_id", None)
+    whitelist = app.config.get("DIRECT_OAUTH_CLIENTID_WHITELIST", [])
+    if client_id not in whitelist or not has_basic_auth(
+        get_authenticated_user().username
+    ):
+        verify_csrf()
 
-  provider = FlaskAuthorizationProvider()
-  redirect_uri = request.form.get('redirect_uri', None)
-  scope = request.form.get('scope', None)
+    provider = FlaskAuthorizationProvider()
+    redirect_uri = request.form.get("redirect_uri", None)
+    scope = request.form.get("scope", None)
 
-  # Add the access token.
-  return provider.get_token_response('token', client_id, redirect_uri, scope=scope)
+    # Add the access token.
+    return provider.get_token_response("token", client_id, redirect_uri, scope=scope)
 
 
-@web.route(app.config['LOCAL_OAUTH_HANDLER'], methods=['GET'])
+@web.route(app.config["LOCAL_OAUTH_HANDLER"], methods=["GET"])
 def oauth_local_handler():
-  if not current_user.is_authenticated:
-    abort(401)
-    return
+    if not current_user.is_authenticated:
+        abort(401)
+        return
 
-  if not request.args.get('scope'):
-    return render_page_template_with_routedata("message.html", message="Authorization canceled")
-  else:
-    return render_page_template_with_routedata("generatedtoken.html")
+    if not request.args.get("scope"):
+        return render_page_template_with_routedata(
+            "message.html", message="Authorization canceled"
+        )
+    else:
+        return render_page_template_with_routedata("generatedtoken.html")
 
 
-@web.route('/oauth/denyapp', methods=['POST'])
+@web.route("/oauth/denyapp", methods=["POST"])
 @csrf_protect()
 def deny_application():
-  if not current_user.is_authenticated:
-    abort(401)
-    return
+    if not current_user.is_authenticated:
+        abort(401)
+        return
 
-  provider = FlaskAuthorizationProvider()
-  client_id = request.form.get('client_id', None)
-  redirect_uri = request.form.get('redirect_uri', None)
-  scope = request.form.get('scope', None)
+    provider = FlaskAuthorizationProvider()
+    client_id = request.form.get("client_id", None)
+    redirect_uri = request.form.get("redirect_uri", None)
+    scope = request.form.get("scope", None)
 
-  # Add the access token.
-  return provider.get_auth_denied_response('token', client_id, redirect_uri, scope=scope)
+    # Add the access token.
+    return provider.get_auth_denied_response(
+        "token", client_id, redirect_uri, scope=scope
+    )
 
 
-@web.route('/oauth/authorize', methods=['GET'])
+@web.route("/oauth/authorize", methods=["GET"])
 @no_cache
-@param_required('client_id')
-@param_required('redirect_uri')
-@param_required('scope')
+@param_required("client_id")
+@param_required("redirect_uri")
+@param_required("scope")
 @process_auth_or_cookie
 def request_authorization_code():
-  provider = FlaskAuthorizationProvider()
-  response_type = request.args.get('response_type', 'code')
-  client_id = request.args.get('client_id', None)
-  redirect_uri = request.args.get('redirect_uri', None)
-  scope = request.args.get('scope', None)
+    provider = FlaskAuthorizationProvider()
+    response_type = request.args.get("response_type", "code")
+    client_id = request.args.get("client_id", None)
+    redirect_uri = request.args.get("redirect_uri", None)
+    scope = request.args.get("scope", None)
 
-  if (not current_user.is_authenticated or
-      not provider.validate_has_scopes(client_id, current_user.db_user().username, scope)):
-    if not provider.validate_redirect_uri(client_id, redirect_uri):
-      current_app = provider.get_application_for_client_id(client_id)
-      if not current_app:
-        abort(404)
+    if not current_user.is_authenticated or not provider.validate_has_scopes(
+        client_id, current_user.db_user().username, scope
+    ):
+        if not provider.validate_redirect_uri(client_id, redirect_uri):
+            current_app = provider.get_application_for_client_id(client_id)
+            if not current_app:
+                abort(404)
 
-      return provider._make_redirect_error_response(current_app.redirect_uri,
-                                                    'redirect_uri_mismatch')
+            return provider._make_redirect_error_response(
+                current_app.redirect_uri, "redirect_uri_mismatch"
+            )
 
-    # Load the scope information.
-    scope_info = scopes.get_scope_information(scope)
-    if not scope_info:
-      abort(404)
-      return
+        # Load the scope information.
+        scope_info = scopes.get_scope_information(scope)
+        if not scope_info:
+            abort(404)
+            return
 
-    # Load the application information.
-    oauth_app = provider.get_application_for_client_id(client_id)
-    app_email = oauth_app.avatar_email or oauth_app.organization.email
+        # Load the application information.
+        oauth_app = provider.get_application_for_client_id(client_id)
+        app_email = oauth_app.avatar_email or oauth_app.organization.email
 
-    oauth_app_view = {
-      'name': oauth_app.name,
-      'description': oauth_app.description,
-      'url': oauth_app.application_uri,
-      'avatar': json.dumps(avatar.get_data(oauth_app.name, app_email, 'app')),
-      'organization': {
-        'name': oauth_app.organization.username,
-        'avatar': json.dumps(avatar.get_data_for_org(oauth_app.organization))
-      }
-    }
+        oauth_app_view = {
+            "name": oauth_app.name,
+            "description": oauth_app.description,
+            "url": oauth_app.application_uri,
+            "avatar": json.dumps(avatar.get_data(oauth_app.name, app_email, "app")),
+            "organization": {
+                "name": oauth_app.organization.username,
+                "avatar": json.dumps(avatar.get_data_for_org(oauth_app.organization)),
+            },
+        }
 
-    # Show the authorization page.
-    has_dangerous_scopes = any([check_scope['dangerous'] for check_scope in scope_info])
-    return render_page_template_with_routedata('oauthorize.html', scopes=scope_info,
-                                               has_dangerous_scopes=has_dangerous_scopes,
-                                               application=oauth_app_view,
-                                               enumerate=enumerate, client_id=client_id,
-                                               redirect_uri=redirect_uri, scope=scope,
-                                               csrf_token_val=generate_csrf_token())
+        # Show the authorization page.
+        has_dangerous_scopes = any(
+            [check_scope["dangerous"] for check_scope in scope_info]
+        )
+        return render_page_template_with_routedata(
+            "oauthorize.html",
+            scopes=scope_info,
+            has_dangerous_scopes=has_dangerous_scopes,
+            application=oauth_app_view,
+            enumerate=enumerate,
+            client_id=client_id,
+            redirect_uri=redirect_uri,
+            scope=scope,
+            csrf_token_val=generate_csrf_token(),
+        )
 
-  if response_type == 'token':
-    return provider.get_token_response(response_type, client_id, redirect_uri, scope=scope)
-  else:
-    return provider.get_authorization_code(response_type, client_id, redirect_uri, scope=scope)
+    if response_type == "token":
+        return provider.get_token_response(
+            response_type, client_id, redirect_uri, scope=scope
+        )
+    else:
+        return provider.get_authorization_code(
+            response_type, client_id, redirect_uri, scope=scope
+        )
 
-@web.route('/oauth/access_token', methods=['POST'])
+
+@web.route("/oauth/access_token", methods=["POST"])
 @no_cache
-@param_required('grant_type', allow_body=True)
-@param_required('client_id', allow_body=True)
-@param_required('redirect_uri', allow_body=True)
-@param_required('code', allow_body=True)
-@param_required('scope', allow_body=True)
+@param_required("grant_type", allow_body=True)
+@param_required("client_id", allow_body=True)
+@param_required("redirect_uri", allow_body=True)
+@param_required("code", allow_body=True)
+@param_required("scope", allow_body=True)
 def exchange_code_for_token():
-  grant_type = request.values.get('grant_type', None)
-  client_id = request.values.get('client_id', None)
-  client_secret = request.values.get('client_id', None)
-  redirect_uri = request.values.get('redirect_uri', None)
-  code = request.values.get('code', None)
-  scope = request.values.get('scope', None)
+    grant_type = request.values.get("grant_type", None)
+    client_id = request.values.get("client_id", None)
+    client_secret = request.values.get("client_id", None)
+    redirect_uri = request.values.get("redirect_uri", None)
+    code = request.values.get("code", None)
+    scope = request.values.get("scope", None)
 
-  # Sometimes OAuth2 clients place the client id/secret in the Auth header.
-  basic_header = parse_basic_auth(request.headers.get('Authorization'))
-  if basic_header is not None:
-    client_id = basic_header[0] or client_id
-    client_secret = basic_header[1] or client_secret
+    # Sometimes OAuth2 clients place the client id/secret in the Auth header.
+    basic_header = parse_basic_auth(request.headers.get("Authorization"))
+    if basic_header is not None:
+        client_id = basic_header[0] or client_id
+        client_secret = basic_header[1] or client_secret
 
-  provider = FlaskAuthorizationProvider()
-  return provider.get_token(grant_type, client_id, client_secret, redirect_uri, code, scope=scope)
+    provider = FlaskAuthorizationProvider()
+    return provider.get_token(
+        grant_type, client_id, client_secret, redirect_uri, code, scope=scope
+    )
 
 
-@web.route('/bitbucket/setup/<repopath:repository>', methods=['GET'])
+@web.route("/bitbucket/setup/<repopath:repository>", methods=["GET"])
 @require_session_login
 @parse_repository_name()
 @route_show_if(features.BITBUCKET_BUILD)
 def attach_bitbucket_trigger(namespace_name, repo_name):
-  permission = AdministerRepositoryPermission(namespace_name, repo_name)
-  if permission.can():
-    repo = model.repository.get_repository(namespace_name, repo_name)
-    if not repo:
-      msg = 'Invalid repository: %s/%s' % (namespace_name, repo_name)
-      abort(404, message=msg)
-    elif repo.kind.name != 'image':
-      abort(501)
+    permission = AdministerRepositoryPermission(namespace_name, repo_name)
+    if permission.can():
+        repo = model.repository.get_repository(namespace_name, repo_name)
+        if not repo:
+            msg = "Invalid repository: %s/%s" % (namespace_name, repo_name)
+            abort(404, message=msg)
+        elif repo.kind.name != "image":
+            abort(501)
 
-    trigger = model.build.create_build_trigger(repo, BitbucketBuildTrigger.service_name(), None,
-                                               current_user.db_user())
+        trigger = model.build.create_build_trigger(
+            repo, BitbucketBuildTrigger.service_name(), None, current_user.db_user()
+        )
 
-    try:
-      oauth_info = BuildTriggerHandler.get_handler(trigger).get_oauth_url()
-    except TriggerProviderException:
-      trigger.delete_instance()
-      logger.debug('Could not retrieve Bitbucket OAuth URL')
-      abort(500)
+        try:
+            oauth_info = BuildTriggerHandler.get_handler(trigger).get_oauth_url()
+        except TriggerProviderException:
+            trigger.delete_instance()
+            logger.debug("Could not retrieve Bitbucket OAuth URL")
+            abort(500)
 
-    config = {
-      'access_token': oauth_info['access_token']
-    }
+        config = {"access_token": oauth_info["access_token"]}
 
-    access_token_secret = oauth_info['access_token_secret']
-    model.build.update_build_trigger(trigger, config, auth_token=access_token_secret)
+        access_token_secret = oauth_info["access_token_secret"]
+        model.build.update_build_trigger(
+            trigger, config, auth_token=access_token_secret
+        )
 
-    return redirect(oauth_info['url'])
+        return redirect(oauth_info["url"])
 
-  abort(403)
+    abort(403)
 
 
-@web.route('/customtrigger/setup/<repopath:repository>', methods=['GET'])
+@web.route("/customtrigger/setup/<repopath:repository>", methods=["GET"])
 @require_session_login
 @parse_repository_name()
 def attach_custom_build_trigger(namespace_name, repo_name):
-  permission = AdministerRepositoryPermission(namespace_name, repo_name)
-  if permission.can():
-    repo = model.repository.get_repository(namespace_name, repo_name)
-    if not repo:
-      msg = 'Invalid repository: %s/%s' % (namespace_name, repo_name)
-      abort(404, message=msg)
-    elif repo.kind.name != 'image':
-      abort(501)
+    permission = AdministerRepositoryPermission(namespace_name, repo_name)
+    if permission.can():
+        repo = model.repository.get_repository(namespace_name, repo_name)
+        if not repo:
+            msg = "Invalid repository: %s/%s" % (namespace_name, repo_name)
+            abort(404, message=msg)
+        elif repo.kind.name != "image":
+            abort(501)
 
-    trigger = model.build.create_build_trigger(repo, CustomBuildTrigger.service_name(),
-                                               None, current_user.db_user())
+        trigger = model.build.create_build_trigger(
+            repo, CustomBuildTrigger.service_name(), None, current_user.db_user()
+        )
 
-    repo_path = '%s/%s' % (namespace_name, repo_name)
-    full_url = url_for('web.buildtrigger', path=repo_path, trigger=trigger.uuid)
-    logger.debug('Redirecting to full url: %s', full_url)
-    return redirect(full_url)
+        repo_path = "%s/%s" % (namespace_name, repo_name)
+        full_url = url_for("web.buildtrigger", path=repo_path, trigger=trigger.uuid)
+        logger.debug("Redirecting to full url: %s", full_url)
+        return redirect(full_url)
 
-  abort(403)
+    abort(403)
 
 
-@web.route('/<repopath:repository>')
-@web.route('/<repopath:repository>/')
+@web.route("/<repopath:repository>")
+@web.route("/<repopath:repository>/")
 @no_cache
 @process_oauth
 @parse_repository_name(include_tag=True)
 @anon_protect
 def redirect_to_repository(namespace_name, repo_name, tag_name):
-  # Always return 200 for ac-discovery, to ensure that rkt and other ACI-compliant clients can
-  # find the metadata they need. Permissions will be checked in the registry API.
-  if request.args.get('ac-discovery', 0) == 1:
-    return index('')
+    # Always return 200 for ac-discovery, to ensure that rkt and other ACI-compliant clients can
+    # find the metadata they need. Permissions will be checked in the registry API.
+    if request.args.get("ac-discovery", 0) == 1:
+        return index("")
 
-  # Redirect to the repository page if the user can see the repository.
-  is_public = model.repository.repository_is_public(namespace_name, repo_name)
-  permission = ReadRepositoryPermission(namespace_name, repo_name)
-  repo = model.repository.get_repository(namespace_name, repo_name)
+    # Redirect to the repository page if the user can see the repository.
+    is_public = model.repository.repository_is_public(namespace_name, repo_name)
+    permission = ReadRepositoryPermission(namespace_name, repo_name)
+    repo = model.repository.get_repository(namespace_name, repo_name)
 
-  if repo and (permission.can() or is_public):
-    repo_path = '/'.join([namespace_name, repo_name])
-    if repo.kind.name == 'application':
-      return redirect(url_for('web.application', path=repo_path))
+    if repo and (permission.can() or is_public):
+        repo_path = "/".join([namespace_name, repo_name])
+        if repo.kind.name == "application":
+            return redirect(url_for("web.application", path=repo_path))
+        else:
+            return redirect(
+                url_for("web.repository", path=repo_path, tab="tags", tag=tag_name)
+            )
+
+    namespace_exists = bool(model.user.get_user_or_org(namespace_name))
+    namespace_permission = OrganizationMemberPermission(namespace_name).can()
+    if get_authenticated_user() and get_authenticated_user().username == namespace_name:
+        namespace_permission = True
+
+    # Otherwise, we display an error for the user. Which error we display depends on permissions:
+    # > If the namespace doesn't exist, 404.
+    # > If the user is a member of the namespace:
+    #   - If the repository doesn't exist, 404
+    #   - If the repository does exist (no access), 403
+    # > If the user is not a member of the namespace: 403
+    error_info = {
+        "reason": "notfound",
+        "for_repo": True,
+        "namespace_exists": namespace_exists,
+        "namespace": namespace_name,
+        "repo_name": repo_name,
+    }
+
+    if not namespace_exists or (namespace_permission and repo is None):
+        resp = index("", error_code=404, error_info=json.dumps(error_info))
+        resp.status_code = 404
+        return resp
     else:
-      return redirect(url_for('web.repository', path=repo_path, tab="tags", tag=tag_name))
-
-  namespace_exists = bool(model.user.get_user_or_org(namespace_name))
-  namespace_permission = OrganizationMemberPermission(namespace_name).can()
-  if get_authenticated_user() and get_authenticated_user().username == namespace_name:
-    namespace_permission = True
-
-  # Otherwise, we display an error for the user. Which error we display depends on permissions:
-  # > If the namespace doesn't exist, 404.
-  # > If the user is a member of the namespace:
-  #   - If the repository doesn't exist, 404
-  #   - If the repository does exist (no access), 403
-  # > If the user is not a member of the namespace: 403
-  error_info = {
-    'reason': 'notfound',
-    'for_repo': True,
-    'namespace_exists': namespace_exists,
-    'namespace': namespace_name,
-    'repo_name': repo_name,
-  }
-
-  if not namespace_exists or (namespace_permission and repo is None):
-    resp = index('', error_code=404, error_info=json.dumps(error_info))
-    resp.status_code = 404
-    return resp
-  else:
-    resp = index('', error_code=403, error_info=json.dumps(error_info))
-    resp.status_code = 403
-    return resp
+        resp = index("", error_code=403, error_info=json.dumps(error_info))
+        resp.status_code = 403
+        return resp
 
 
-@web.route('/<namespace>')
-@web.route('/<namespace>/')
+@web.route("/<namespace>")
+@web.route("/<namespace>/")
 @no_cache
 @process_oauth
 @anon_protect
 def redirect_to_namespace(namespace):
-  okay, _ = model.user.validate_username(namespace)
-  if not okay:
-    abort(404)
+    okay, _ = model.user.validate_username(namespace)
+    if not okay:
+        abort(404)
 
-  user_or_org = model.user.get_user_or_org(namespace)
-  if not user_or_org:
-    abort(404)
+    user_or_org = model.user.get_user_or_org(namespace)
+    if not user_or_org:
+        abort(404)
 
-  if user_or_org.organization:
-    return redirect(url_for('web.org_view', path=namespace))
-  else:
-    return redirect(url_for('web.user_view', path=namespace))
+    if user_or_org.organization:
+        return redirect(url_for("web.org_view", path=namespace))
+    else:
+        return redirect(url_for("web.user_view", path=namespace))
diff --git a/endpoints/webhooks.py b/endpoints/webhooks.py
index 41c28233f..46008ad55 100644
--- a/endpoints/webhooks.py
+++ b/endpoints/webhooks.py
@@ -8,131 +8,160 @@ from data.database import RepositoryState
 from auth.decorators import process_auth
 from auth.permissions import ModifyRepositoryPermission
 from util.invoice import renderInvoiceToHtml
-from util.useremails import send_invoice_email, send_subscription_change, send_payment_failed
+from util.useremails import (
+    send_invoice_email,
+    send_subscription_change,
+    send_payment_failed,
+)
 from util.http import abort
 from buildtrigger.basehandler import BuildTriggerHandler
-from buildtrigger.triggerutil import (ValidationRequestException, SkipRequestException,
-                                      InvalidPayloadException)
-from endpoints.building import (start_build, MaximumBuildsQueuedException,
-                                BuildTriggerDisabledException)
+from buildtrigger.triggerutil import (
+    ValidationRequestException,
+    SkipRequestException,
+    InvalidPayloadException,
+)
+from endpoints.building import (
+    start_build,
+    MaximumBuildsQueuedException,
+    BuildTriggerDisabledException,
+)
 
 
 logger = logging.getLogger(__name__)
 
-webhooks = Blueprint('webhooks', __name__)
+webhooks = Blueprint("webhooks", __name__)
 
 
-@webhooks.route('/stripe', methods=['POST'])
+@webhooks.route("/stripe", methods=["POST"])
 def stripe_webhook():
-  request_data = request.get_json()
-  logger.debug('Stripe webhook call: %s', request_data)
+    request_data = request.get_json()
+    logger.debug("Stripe webhook call: %s", request_data)
 
-  customer_id = request_data.get('data', {}).get('object', {}).get('customer', None)
-  namespace = model.user.get_user_or_org_by_customer_id(customer_id) if customer_id else None
+    customer_id = request_data.get("data", {}).get("object", {}).get("customer", None)
+    namespace = (
+        model.user.get_user_or_org_by_customer_id(customer_id) if customer_id else None
+    )
 
-  event_type = request_data['type'] if 'type' in request_data else None
-  if event_type == 'charge.succeeded':
-    invoice_id = request_data['data']['object']['invoice']
+    event_type = request_data["type"] if "type" in request_data else None
+    if event_type == "charge.succeeded":
+        invoice_id = request_data["data"]["object"]["invoice"]
 
-    namespace = model.user.get_user_or_org_by_customer_id(customer_id) if customer_id else None
-    if namespace:
-      # Increase the namespace's build allowance, since we had a successful charge.
-      build_maximum = app.config.get('BILLED_NAMESPACE_MAXIMUM_BUILD_COUNT')
-      if build_maximum is not None:
-        model.user.increase_maximum_build_count(namespace, build_maximum)
+        namespace = (
+            model.user.get_user_or_org_by_customer_id(customer_id)
+            if customer_id
+            else None
+        )
+        if namespace:
+            # Increase the namespace's build allowance, since we had a successful charge.
+            build_maximum = app.config.get("BILLED_NAMESPACE_MAXIMUM_BUILD_COUNT")
+            if build_maximum is not None:
+                model.user.increase_maximum_build_count(namespace, build_maximum)
 
-      if namespace.invoice_email:
-        # Lookup the invoice.
-        invoice = stripe.Invoice.retrieve(invoice_id)
-        if invoice:
-          invoice_html = renderInvoiceToHtml(invoice, namespace)
-          send_invoice_email(namespace.invoice_email_address or namespace.email, invoice_html)
+            if namespace.invoice_email:
+                # Lookup the invoice.
+                invoice = stripe.Invoice.retrieve(invoice_id)
+                if invoice:
+                    invoice_html = renderInvoiceToHtml(invoice, namespace)
+                    send_invoice_email(
+                        namespace.invoice_email_address or namespace.email, invoice_html
+                    )
 
-  elif event_type.startswith('customer.subscription.'):
-    cust_email = namespace.email if namespace is not None else 'unknown@domain.com'
-    quay_username = namespace.username if namespace is not None else 'unknown'
+    elif event_type.startswith("customer.subscription."):
+        cust_email = namespace.email if namespace is not None else "unknown@domain.com"
+        quay_username = namespace.username if namespace is not None else "unknown"
 
-    change_type = ''
-    if event_type.endswith('.deleted'):
-      plan_id = request_data['data']['object']['plan']['id']
-      requested = bool(request_data.get('request'))
-      if requested:
-        change_type = 'canceled %s' % plan_id
-        send_subscription_change(change_type, customer_id, cust_email, quay_username)
-    elif event_type.endswith('.created'):
-      plan_id = request_data['data']['object']['plan']['id']
-      change_type = 'subscribed %s' % plan_id
-      send_subscription_change(change_type, customer_id, cust_email, quay_username)
-    elif event_type.endswith('.updated'):
-      if 'previous_attributes' in request_data['data']:
-        if 'plan' in request_data['data']['previous_attributes']:
-          old_plan = request_data['data']['previous_attributes']['plan']['id']
-          new_plan = request_data['data']['object']['plan']['id']
-          change_type = 'switched %s -> %s' % (old_plan, new_plan)
-          send_subscription_change(change_type, customer_id, cust_email, quay_username)
+        change_type = ""
+        if event_type.endswith(".deleted"):
+            plan_id = request_data["data"]["object"]["plan"]["id"]
+            requested = bool(request_data.get("request"))
+            if requested:
+                change_type = "canceled %s" % plan_id
+                send_subscription_change(
+                    change_type, customer_id, cust_email, quay_username
+                )
+        elif event_type.endswith(".created"):
+            plan_id = request_data["data"]["object"]["plan"]["id"]
+            change_type = "subscribed %s" % plan_id
+            send_subscription_change(
+                change_type, customer_id, cust_email, quay_username
+            )
+        elif event_type.endswith(".updated"):
+            if "previous_attributes" in request_data["data"]:
+                if "plan" in request_data["data"]["previous_attributes"]:
+                    old_plan = request_data["data"]["previous_attributes"]["plan"]["id"]
+                    new_plan = request_data["data"]["object"]["plan"]["id"]
+                    change_type = "switched %s -> %s" % (old_plan, new_plan)
+                    send_subscription_change(
+                        change_type, customer_id, cust_email, quay_username
+                    )
 
-  elif event_type == 'invoice.payment_failed':
-    if namespace:
-      send_payment_failed(namespace.email, namespace.username)
+    elif event_type == "invoice.payment_failed":
+        if namespace:
+            send_payment_failed(namespace.email, namespace.username)
 
-  return make_response('Okay')
+    return make_response("Okay")
 
 
-@webhooks.route('/push/<repopath:repository>/trigger/<trigger_uuid>', methods=['POST'])
-@webhooks.route('/push/trigger/<trigger_uuid>', methods=['POST'], defaults={'repository': ''})
+@webhooks.route("/push/<repopath:repository>/trigger/<trigger_uuid>", methods=["POST"])
+@webhooks.route(
+    "/push/trigger/<trigger_uuid>", methods=["POST"], defaults={"repository": ""}
+)
 @process_auth
 def build_trigger_webhook(trigger_uuid, **kwargs):
-  logger.debug('Webhook received with uuid %s', trigger_uuid)
+    logger.debug("Webhook received with uuid %s", trigger_uuid)
 
-  try:
-    trigger = model.build.get_build_trigger(trigger_uuid)
-  except model.InvalidBuildTriggerException:
-    # It is ok to return 404 here, since letting an attacker know that a trigger UUID is valid
-    # doesn't leak anything
-    abort(404)
-
-  # Ensure we are not currently in read-only mode.
-  if app.config.get('REGISTRY_STATE', 'normal') == 'readonly':
-    abort(503, 'System is currently in read-only mode')
-
-  # Ensure the trigger has permission.
-  namespace = trigger.repository.namespace_user.username
-  repository = trigger.repository.name
-  if ModifyRepositoryPermission(namespace, repository).can():
-    handler = BuildTriggerHandler.get_handler(trigger)
-
-    if trigger.repository.kind.name != 'image':
-      abort(501, 'Build triggers cannot be invoked on application repositories')
-
-    if trigger.repository.state != RepositoryState.NORMAL:
-      abort(503, 'Repository is currently in read only or mirror mode')
-
-    logger.debug('Passing webhook request to handler %s', handler)
     try:
-      prepared = handler.handle_trigger_request(request)
-    except ValidationRequestException:
-      logger.debug('Handler reported a validation exception: %s', handler)
-      # This was just a validation request, we don't need to build anything
-      return make_response('Okay')
-    except SkipRequestException:
-      logger.debug('Handler reported to skip the build: %s', handler)
-      # The build was requested to be skipped
-      return make_response('Okay')
-    except InvalidPayloadException as ipe:
-      logger.exception('Invalid payload')
-      # The payload was malformed
-      abort(400, message=str(ipe))
+        trigger = model.build.get_build_trigger(trigger_uuid)
+    except model.InvalidBuildTriggerException:
+        # It is ok to return 404 here, since letting an attacker know that a trigger UUID is valid
+        # doesn't leak anything
+        abort(404)
 
-    pull_robot_name = model.build.get_pull_robot_name(trigger)
-    repo = model.repository.get_repository(namespace, repository)
-    try:
-      start_build(repo, prepared, pull_robot_name=pull_robot_name)
-    except MaximumBuildsQueuedException:
-      abort(429, message='Maximum queued build rate exceeded.')
-    except BuildTriggerDisabledException:
-      logger.debug('Build trigger %s is disabled', trigger_uuid)
-      abort(400, message='This build trigger is currently disabled. Please re-enable to continue.')
+    # Ensure we are not currently in read-only mode.
+    if app.config.get("REGISTRY_STATE", "normal") == "readonly":
+        abort(503, "System is currently in read-only mode")
 
-    return make_response('Okay')
+    # Ensure the trigger has permission.
+    namespace = trigger.repository.namespace_user.username
+    repository = trigger.repository.name
+    if ModifyRepositoryPermission(namespace, repository).can():
+        handler = BuildTriggerHandler.get_handler(trigger)
 
-  abort(403)
+        if trigger.repository.kind.name != "image":
+            abort(501, "Build triggers cannot be invoked on application repositories")
+
+        if trigger.repository.state != RepositoryState.NORMAL:
+            abort(503, "Repository is currently in read only or mirror mode")
+
+        logger.debug("Passing webhook request to handler %s", handler)
+        try:
+            prepared = handler.handle_trigger_request(request)
+        except ValidationRequestException:
+            logger.debug("Handler reported a validation exception: %s", handler)
+            # This was just a validation request, we don't need to build anything
+            return make_response("Okay")
+        except SkipRequestException:
+            logger.debug("Handler reported to skip the build: %s", handler)
+            # The build was requested to be skipped
+            return make_response("Okay")
+        except InvalidPayloadException as ipe:
+            logger.exception("Invalid payload")
+            # The payload was malformed
+            abort(400, message=str(ipe))
+
+        pull_robot_name = model.build.get_pull_robot_name(trigger)
+        repo = model.repository.get_repository(namespace, repository)
+        try:
+            start_build(repo, prepared, pull_robot_name=pull_robot_name)
+        except MaximumBuildsQueuedException:
+            abort(429, message="Maximum queued build rate exceeded.")
+        except BuildTriggerDisabledException:
+            logger.debug("Build trigger %s is disabled", trigger_uuid)
+            abort(
+                400,
+                message="This build trigger is currently disabled. Please re-enable to continue.",
+            )
+
+        return make_response("Okay")
+
+    abort(403)
diff --git a/endpoints/wellknown.py b/endpoints/wellknown.py
index bafc2aab4..d313ce921 100644
--- a/endpoints/wellknown.py
+++ b/endpoints/wellknown.py
@@ -7,41 +7,38 @@ from auth.auth_context import get_authenticated_user
 from flask import Blueprint, make_response, redirect
 
 logger = logging.getLogger(__name__)
-wellknown = Blueprint('wellknown', __name__)
+wellknown = Blueprint("wellknown", __name__)
 
-@wellknown.route('/app-capabilities', methods=['GET'])
+
+@wellknown.route("/app-capabilities", methods=["GET"])
 def app_capabilities():
-  view_image_tmpl = '%s/{namespace}/{reponame}:{tag}' % get_app_url()
+    view_image_tmpl = "%s/{namespace}/{reponame}:{tag}" % get_app_url()
 
-  image_security = '%s/api/v1/repository/{namespace}/{reponame}/image/{imageid}/security'
-  image_security_tmpl = image_security % get_app_url()
+    image_security = (
+        "%s/api/v1/repository/{namespace}/{reponame}/image/{imageid}/security"
+    )
+    image_security_tmpl = image_security % get_app_url()
 
-  manifest_security = '%s/api/v1/repository/{namespace}/{reponame}/manifest/{digest}/security'
-  manifest_security_tmpl = manifest_security % get_app_url()
+    manifest_security = (
+        "%s/api/v1/repository/{namespace}/{reponame}/manifest/{digest}/security"
+    )
+    manifest_security_tmpl = manifest_security % get_app_url()
 
-  metadata = {
-    'appName': 'io.quay',
-    'capabilities': {
-      'io.quay.view-image': {
-        'url-template': view_image_tmpl,
-      },
+    metadata = {
+        "appName": "io.quay",
+        "capabilities": {
+            "io.quay.view-image": {"url-template": view_image_tmpl},
+            "io.quay.image-security": {"rest-api-template": image_security_tmpl},
+            "io.quay.manifest-security": {"rest-api-template": manifest_security_tmpl},
+        },
+    }
 
-      'io.quay.image-security': {
-        'rest-api-template': image_security_tmpl,
-      },
-
-      'io.quay.manifest-security': {
-        'rest-api-template': manifest_security_tmpl,
-      },
-    },
-  }
-
-  resp = make_response(json.dumps(metadata))
-  resp.headers['Content-Type'] = 'application/json'
-  return resp
+    resp = make_response(json.dumps(metadata))
+    resp.headers["Content-Type"] = "application/json"
+    return resp
 
 
-@wellknown.route('/change-password', methods=['GET'])
+@wellknown.route("/change-password", methods=["GET"])
 @require_session_login
 def change_password():
-  return redirect('/user/%s?tab=settings' % get_authenticated_user().username)
+    return redirect("/user/%s?tab=settings" % get_authenticated_user().username)
diff --git a/features/__init__.py b/features/__init__.py
index ca8c2880a..fa20cf2a1 100644
--- a/features/__init__.py
+++ b/features/__init__.py
@@ -1,29 +1,32 @@
 _FEATURES = {}
 
+
 def import_features(config_dict):
-  for feature, feature_val in config_dict.items():
-    if feature.startswith('FEATURE_'):
-      feature_name = feature[8:]
-      _FEATURES[feature_name] = globals()[feature_name] = FeatureNameValue(feature_name, feature_val)
+    for feature, feature_val in config_dict.items():
+        if feature.startswith("FEATURE_"):
+            feature_name = feature[8:]
+            _FEATURES[feature_name] = globals()[feature_name] = FeatureNameValue(
+                feature_name, feature_val
+            )
 
 
 def get_features():
-  return {key: _FEATURES[key].value for key in _FEATURES}
+    return {key: _FEATURES[key].value for key in _FEATURES}
 
 
 class FeatureNameValue(object):
-  def __init__(self, name, value):
-    self.value = value
-    self.name = name
+    def __init__(self, name, value):
+        self.value = value
+        self.name = name
 
-  def __str__(self):
-    return '%s => %s' % (self.name, self.value)
+    def __str__(self):
+        return "%s => %s" % (self.name, self.value)
 
-  def __repr__(self):
-    return str(self.value)
+    def __repr__(self):
+        return str(self.value)
 
-  def __cmp__(self, other):
-    return self.value.__cmp__(other)
+    def __cmp__(self, other):
+        return self.value.__cmp__(other)
 
-  def __nonzero__(self):
-    return self.value.__nonzero__()
+    def __nonzero__(self):
+        return self.value.__nonzero__()
diff --git a/health/healthcheck.py b/health/healthcheck.py
index 4210b4e0c..fd2ef5746 100644
--- a/health/healthcheck.py
+++ b/health/healthcheck.py
@@ -11,172 +11,188 @@ logger = logging.getLogger(__name__)
 
 
 def get_healthchecker(app, config_provider, instance_keys):
-  """ Returns a HealthCheck instance for the given app. """
-  return HealthCheck.get_checker(app, config_provider, instance_keys)
+    """ Returns a HealthCheck instance for the given app. """
+    return HealthCheck.get_checker(app, config_provider, instance_keys)
 
 
 class HealthCheck(object):
-  def __init__(self, app, config_provider, instance_keys, instance_skips=None):
-    self.app = app
-    self.config_provider = config_provider
-    self.instance_keys = instance_keys
-    self.instance_skips = instance_skips or []
+    def __init__(self, app, config_provider, instance_keys, instance_skips=None):
+        self.app = app
+        self.config_provider = config_provider
+        self.instance_keys = instance_keys
+        self.instance_skips = instance_skips or []
 
-  def check_warning(self):
-    """
+    def check_warning(self):
+        """
     Conducts a check on the warnings, returning a dict representing the HealthCheck
     output and a number indicating the health check response code.
     """
-    service_statuses = check_warning_services(self.app, [])
-    return self.get_instance_health(service_statuses)
+        service_statuses = check_warning_services(self.app, [])
+        return self.get_instance_health(service_statuses)
 
-  def check_instance(self):
-    """
+    def check_instance(self):
+        """
     Conducts a check on this specific instance, returning a dict representing the HealthCheck
     output and a number indicating the health check response code.
     """
-    service_statuses = check_all_services(self.app, self.instance_skips, for_instance=True)
-    return self.get_instance_health(service_statuses)
+        service_statuses = check_all_services(
+            self.app, self.instance_skips, for_instance=True
+        )
+        return self.get_instance_health(service_statuses)
 
-  def check_endtoend(self):
-    """
+    def check_endtoend(self):
+        """
     Conducts a check on all services, returning a dict representing the HealthCheck
     output and a number indicating the health check response code.
     """
-    service_statuses = check_all_services(self.app, [], for_instance=False)
-    return self.calculate_overall_health(service_statuses)
+        service_statuses = check_all_services(self.app, [], for_instance=False)
+        return self.calculate_overall_health(service_statuses)
 
-  def get_instance_health(self, service_statuses):
-    """
+    def get_instance_health(self, service_statuses):
+        """
     For the given service statuses, returns a dict representing the HealthCheck
     output and a number indicating the health check response code. By default,
     this simply ensures that all services are reporting as healthy.
     """
-    return self.calculate_overall_health(service_statuses)
+        return self.calculate_overall_health(service_statuses)
 
-  def calculate_overall_health(self, service_statuses, skip=None, notes=None):
-    """ Returns true if and only if all the given service statuses report as healthy. """
-    is_healthy = True
-    notes = notes or []
+    def calculate_overall_health(self, service_statuses, skip=None, notes=None):
+        """ Returns true if and only if all the given service statuses report as healthy. """
+        is_healthy = True
+        notes = notes or []
 
-    service_statuses_bools = {}
-    service_status_expanded = {}
+        service_statuses_bools = {}
+        service_status_expanded = {}
 
-    for service_name in service_statuses:
-      status, message = service_statuses[service_name]
+        for service_name in service_statuses:
+            status, message = service_statuses[service_name]
 
-      service_statuses_bools[service_name] = status
-      service_status_expanded[service_name] = {
-        'status': status,
-      }
+            service_statuses_bools[service_name] = status
+            service_status_expanded[service_name] = {"status": status}
 
-      if not status:
-        service_status_expanded[service_name]['failure'] = message
-      elif message:
-        service_status_expanded[service_name]['message'] = message
+            if not status:
+                service_status_expanded[service_name]["failure"] = message
+            elif message:
+                service_status_expanded[service_name]["message"] = message
 
-      if skip and service_name in skip:
-        notes.append('%s skipped in compute health' % service_name)
-        continue
+            if skip and service_name in skip:
+                notes.append("%s skipped in compute health" % service_name)
+                continue
 
-      is_healthy = is_healthy and status
+            is_healthy = is_healthy and status
 
-    data = {
-      'services': service_statuses_bools,
-    }
+        data = {"services": service_statuses_bools}
 
-    expanded_data = {
-      'services_expanded': service_status_expanded,
-      'notes': notes,
-      'is_testing': self.app.config['TESTING'],
-      'config_provider': self.config_provider.provider_id,
-      'local_service_key_id': self.instance_keys.local_key_id,
-      'hostname': socket.gethostname(),
-    }
+        expanded_data = {
+            "services_expanded": service_status_expanded,
+            "notes": notes,
+            "is_testing": self.app.config["TESTING"],
+            "config_provider": self.config_provider.provider_id,
+            "local_service_key_id": self.instance_keys.local_key_id,
+            "hostname": socket.gethostname(),
+        }
 
-    add_debug_information = SuperUserPermission().can() or session.get('health_debug', False)
-    if add_debug_information:
-      data.update(expanded_data)
+        add_debug_information = SuperUserPermission().can() or session.get(
+            "health_debug", False
+        )
+        if add_debug_information:
+            data.update(expanded_data)
 
-    if not is_healthy:
-      logger.warning('[FAILED HEALTH CHECK] %s', expanded_data)
+        if not is_healthy:
+            logger.warning("[FAILED HEALTH CHECK] %s", expanded_data)
 
-    return (data, 200 if is_healthy else 503)
+        return (data, 200 if is_healthy else 503)
 
-  @classmethod
-  def get_checker(cls, app, config_provider, instance_keys):
-    name = app.config['HEALTH_CHECKER'][0]
-    parameters = app.config['HEALTH_CHECKER'][1] or {}
+    @classmethod
+    def get_checker(cls, app, config_provider, instance_keys):
+        name = app.config["HEALTH_CHECKER"][0]
+        parameters = app.config["HEALTH_CHECKER"][1] or {}
 
-    for subc in cls.__subclasses__():
-      if name in subc.check_names():
-        return subc(app, config_provider, instance_keys, **parameters)
+        for subc in cls.__subclasses__():
+            if name in subc.check_names():
+                return subc(app, config_provider, instance_keys, **parameters)
 
-    raise Exception('Unknown health check with name %s' % name)
+        raise Exception("Unknown health check with name %s" % name)
 
 
 class LocalHealthCheck(HealthCheck):
-  def __init__(self, app, config_provider, instance_keys):
-    super(LocalHealthCheck, self).__init__(app, config_provider, instance_keys, [
-      'redis', 'storage'])
+    def __init__(self, app, config_provider, instance_keys):
+        super(LocalHealthCheck, self).__init__(
+            app, config_provider, instance_keys, ["redis", "storage"]
+        )
 
-  @classmethod
-  def check_names(cls):
-    return ['LocalHealthCheck']
+    @classmethod
+    def check_names(cls):
+        return ["LocalHealthCheck"]
 
 
 class RDSAwareHealthCheck(HealthCheck):
-  def __init__(self, app, config_provider, instance_keys, access_key, secret_key,
-               db_instance='quay', region='us-east-1'):
-    # Note: We skip the redis check because if redis is down, we don't want ELB taking the
-    # machines out of service. Redis is not considered a high avaliability-required service.
-    super(RDSAwareHealthCheck, self).__init__(app, config_provider, instance_keys, [
-      'redis', 'storage'])
+    def __init__(
+        self,
+        app,
+        config_provider,
+        instance_keys,
+        access_key,
+        secret_key,
+        db_instance="quay",
+        region="us-east-1",
+    ):
+        # Note: We skip the redis check because if redis is down, we don't want ELB taking the
+        # machines out of service. Redis is not considered a high avaliability-required service.
+        super(RDSAwareHealthCheck, self).__init__(
+            app, config_provider, instance_keys, ["redis", "storage"]
+        )
 
-    self.access_key = access_key
-    self.secret_key = secret_key
-    self.db_instance = db_instance
-    self.region = region
+        self.access_key = access_key
+        self.secret_key = secret_key
+        self.db_instance = db_instance
+        self.region = region
 
-  @classmethod
-  def check_names(cls):
-    return ['RDSAwareHealthCheck', 'ProductionHealthCheck']
+    @classmethod
+    def check_names(cls):
+        return ["RDSAwareHealthCheck", "ProductionHealthCheck"]
 
-  def get_instance_health(self, service_statuses):
-    skip = []
-    notes = []
+    def get_instance_health(self, service_statuses):
+        skip = []
+        notes = []
 
-    # If the database is marked as unhealthy, check the status of RDS directly. If RDS is
-    # reporting as available, then the problem is with this instance. Otherwise, the problem is
-    # with RDS, and so we skip the DB status so we can keep this machine as 'healthy'.
-    if 'database' in service_statuses:
-      db_healthy = service_statuses['database']
-      if not db_healthy:
-        rds_status = self._get_rds_status()
-        notes.append('DB reports unhealthy; RDS status: %s' % rds_status)
+        # If the database is marked as unhealthy, check the status of RDS directly. If RDS is
+        # reporting as available, then the problem is with this instance. Otherwise, the problem is
+        # with RDS, and so we skip the DB status so we can keep this machine as 'healthy'.
+        if "database" in service_statuses:
+            db_healthy = service_statuses["database"]
+            if not db_healthy:
+                rds_status = self._get_rds_status()
+                notes.append("DB reports unhealthy; RDS status: %s" % rds_status)
 
-        # If the RDS is in any state but available, then we skip the DB check since it will
-        # fail and bring down the instance.
-        if rds_status != 'available':
-          skip.append('database')
+                # If the RDS is in any state but available, then we skip the DB check since it will
+                # fail and bring down the instance.
+                if rds_status != "available":
+                    skip.append("database")
 
-    return self.calculate_overall_health(service_statuses, skip=skip, notes=notes)
+        return self.calculate_overall_health(service_statuses, skip=skip, notes=notes)
 
-  def _get_rds_status(self):
-    """ Returns the status of the RDS instance as reported by AWS. """
-    try:
-      region = boto.rds2.connect_to_region(self.region, aws_access_key_id=self.access_key,
-                                           aws_secret_access_key=self.secret_key)
+    def _get_rds_status(self):
+        """ Returns the status of the RDS instance as reported by AWS. """
+        try:
+            region = boto.rds2.connect_to_region(
+                self.region,
+                aws_access_key_id=self.access_key,
+                aws_secret_access_key=self.secret_key,
+            )
 
-      response = region.describe_db_instances()['DescribeDBInstancesResponse']
-      result = response['DescribeDBInstancesResult']
-      instances = [
-        i for i in result['DBInstances'] if i['DBInstanceIdentifier'] == self.db_instance]
-      if not instances:
-        return 'error'
+            response = region.describe_db_instances()["DescribeDBInstancesResponse"]
+            result = response["DescribeDBInstancesResult"]
+            instances = [
+                i
+                for i in result["DBInstances"]
+                if i["DBInstanceIdentifier"] == self.db_instance
+            ]
+            if not instances:
+                return "error"
 
-      status = instances[0]['DBInstanceStatus']
-      return status
-    except:
-      logger.exception("Exception while checking RDS status")
-      return 'error'
+            status = instances[0]["DBInstanceStatus"]
+            return status
+        except:
+            logger.exception("Exception while checking RDS status")
+            return "error"
diff --git a/health/models_interface.py b/health/models_interface.py
index ff49a4dde..a7fc87b2f 100644
--- a/health/models_interface.py
+++ b/health/models_interface.py
@@ -4,11 +4,11 @@ from six import add_metaclass
 
 @add_metaclass(ABCMeta)
 class HealthCheckDataInterface(object):
-  """
+    """
   Interface that represents all data store interactions required by health checks.
   """
 
-  @abstractmethod
-  def check_health(self, app_config):
-    """ Returns True if the connection to the database is healthy and False otherwise. """
-    pass
+    @abstractmethod
+    def check_health(self, app_config):
+        """ Returns True if the connection to the database is healthy and False otherwise. """
+        pass
diff --git a/health/models_pre_oci.py b/health/models_pre_oci.py
index 9f50b55eb..62f073737 100644
--- a/health/models_pre_oci.py
+++ b/health/models_pre_oci.py
@@ -3,8 +3,8 @@ from health.models_interface import HealthCheckDataInterface
 
 
 class PreOCIModel(HealthCheckDataInterface):
-  def check_health(self, app_config):
-    return health.check_health(app_config)
+    def check_health(self, app_config):
+        return health.check_health(app_config)
 
 
 pre_oci_model = PreOCIModel()
diff --git a/health/services.py b/health/services.py
index 368c09b2f..2576c0d12 100644
--- a/health/services.py
+++ b/health/services.py
@@ -9,189 +9,221 @@ from health.models_pre_oci import pre_oci_model as model
 
 logger = logging.getLogger(__name__)
 
+
 def _compute_internal_endpoint(app, endpoint):
-  # Compute the URL for checking the endpoint. We append a port if and only if the
-  # hostname contains one.
-  hostname_parts = app.config['SERVER_HOSTNAME'].split(':')
-  port = ''
-  if hostname_parts[0] == 'localhost':
-    if len(hostname_parts) == 2:
-      port = ':' + hostname_parts[1]
+    # Compute the URL for checking the endpoint. We append a port if and only if the
+    # hostname contains one.
+    hostname_parts = app.config["SERVER_HOSTNAME"].split(":")
+    port = ""
+    if hostname_parts[0] == "localhost":
+        if len(hostname_parts) == 2:
+            port = ":" + hostname_parts[1]
 
-  scheme = app.config['PREFERRED_URL_SCHEME']
-  if app.config.get('EXTERNAL_TLS_TERMINATION', False):
-    scheme = 'http'
+    scheme = app.config["PREFERRED_URL_SCHEME"]
+    if app.config.get("EXTERNAL_TLS_TERMINATION", False):
+        scheme = "http"
 
-  if port == '':
-    if scheme == 'http':
-      port = ':8080'
-    else:
-      port = ':8443'
+    if port == "":
+        if scheme == "http":
+            port = ":8080"
+        else:
+            port = ":8443"
 
-  return '%s://localhost%s/%s' % (scheme, port, endpoint)
+    return "%s://localhost%s/%s" % (scheme, port, endpoint)
 
 
 def _check_gunicorn(endpoint):
-  def fn(app):
-    """ Returns the status of the gunicorn workers. """
-    client = app.config['HTTPCLIENT']
-    registry_url = _compute_internal_endpoint(app, endpoint)
-    try:
-      status_code = client.get(registry_url, verify=False, timeout=2).status_code
-      okay = status_code == 200
-      message = ('Got non-200 response for worker: %s' % status_code) if not okay else None
-      return (okay, message)
-    except Exception as ex:
-      logger.exception('Exception when checking worker health: %s', registry_url)
-      return (False, 'Exception when checking worker health: %s' % registry_url)
+    def fn(app):
+        """ Returns the status of the gunicorn workers. """
+        client = app.config["HTTPCLIENT"]
+        registry_url = _compute_internal_endpoint(app, endpoint)
+        try:
+            status_code = client.get(registry_url, verify=False, timeout=2).status_code
+            okay = status_code == 200
+            message = (
+                ("Got non-200 response for worker: %s" % status_code)
+                if not okay
+                else None
+            )
+            return (okay, message)
+        except Exception as ex:
+            logger.exception("Exception when checking worker health: %s", registry_url)
+            return (False, "Exception when checking worker health: %s" % registry_url)
 
-  return fn
+    return fn
 
 
 def _check_jwt_proxy(app):
-  """ Returns the status of JWT proxy in the container. """
-  client = app.config['HTTPCLIENT']
-  registry_url = _compute_internal_endpoint(app, 'secscan')
-  try:
-    status_code = client.get(registry_url, verify=False, timeout=2).status_code
-    okay = status_code == 403
-    return (okay, ('Got non-403 response for JWT proxy: %s' % status_code) if not okay else None)
-  except Exception as ex:
-    logger.exception('Exception when checking jwtproxy health: %s', registry_url)
-    return (False, 'Exception when checking jwtproxy health: %s' % registry_url)
+    """ Returns the status of JWT proxy in the container. """
+    client = app.config["HTTPCLIENT"]
+    registry_url = _compute_internal_endpoint(app, "secscan")
+    try:
+        status_code = client.get(registry_url, verify=False, timeout=2).status_code
+        okay = status_code == 403
+        return (
+            okay,
+            ("Got non-403 response for JWT proxy: %s" % status_code)
+            if not okay
+            else None,
+        )
+    except Exception as ex:
+        logger.exception("Exception when checking jwtproxy health: %s", registry_url)
+        return (False, "Exception when checking jwtproxy health: %s" % registry_url)
 
 
 def _check_database(app):
-  """ Returns the status of the database, as accessed from this instance. """
-  return model.check_health(app.config)
+    """ Returns the status of the database, as accessed from this instance. """
+    return model.check_health(app.config)
 
 
 def _check_redis(app):
-  """ Returns the status of Redis, as accessed from this instance. """
-  return build_logs.check_health()
+    """ Returns the status of Redis, as accessed from this instance. """
+    return build_logs.check_health()
 
 
 def _check_storage(app):
-  """ Returns the status of storage, as accessed from this instance. """
-  if app.config.get('REGISTRY_STATE', 'normal') == 'readonly':
-    return (True, 'Storage check disabled for readonly mode')
+    """ Returns the status of storage, as accessed from this instance. """
+    if app.config.get("REGISTRY_STATE", "normal") == "readonly":
+        return (True, "Storage check disabled for readonly mode")
 
-  try:
-    storage.validate(storage.preferred_locations, app.config['HTTPCLIENT'])
-    return (True, None)
-  except Exception as ex:
-    logger.exception('Storage check failed with exception %s', ex)
-    return (False, 'Storage check failed with exception %s' % ex.message)
+    try:
+        storage.validate(storage.preferred_locations, app.config["HTTPCLIENT"])
+        return (True, None)
+    except Exception as ex:
+        logger.exception("Storage check failed with exception %s", ex)
+        return (False, "Storage check failed with exception %s" % ex.message)
 
 
 def _check_auth(app):
-  """ Returns the status of the auth engine, as accessed from this instance. """
-  return authentication.ping()
+    """ Returns the status of the auth engine, as accessed from this instance. """
+    return authentication.ping()
 
 
 def _check_service_key(app):
-  """ Returns the status of the service key for this instance. If the key has disappeared or
+    """ Returns the status of the service key for this instance. If the key has disappeared or
       has expired, then will return False.
   """
-  if not app.config.get('SETUP_COMPLETE', False):
-    return (True, 'Stack not fully setup; skipping check')
+    if not app.config.get("SETUP_COMPLETE", False):
+        return (True, "Stack not fully setup; skipping check")
 
-  try:
-    kid = instance_keys.local_key_id
-  except IOError as ex:
-    # Key has not been created yet.
-    return (True, 'Stack not fully setup; skipping check')
+    try:
+        kid = instance_keys.local_key_id
+    except IOError as ex:
+        # Key has not been created yet.
+        return (True, "Stack not fully setup; skipping check")
 
-  try:
-    key_is_valid = bool(instance_keys.get_service_key_public_key(kid))
-    message = 'Could not find valid instance service key %s' % kid if not key_is_valid else None
-    return (key_is_valid, message)
-  except Exception as ex:
-    logger.exception('Got exception when trying to retrieve the instance key')
-
-    # NOTE: We return *True* here if there was an exception when retrieving the key, as it means
-    # the database is down, which will be handled by the database health check.
-    return (True, 'Failed to get instance key due to a database issue; skipping check')
+    try:
+        key_is_valid = bool(instance_keys.get_service_key_public_key(kid))
+        message = (
+            "Could not find valid instance service key %s" % kid
+            if not key_is_valid
+            else None
+        )
+        return (key_is_valid, message)
+    except Exception as ex:
+        logger.exception("Got exception when trying to retrieve the instance key")
 
+        # NOTE: We return *True* here if there was an exception when retrieving the key, as it means
+        # the database is down, which will be handled by the database health check.
+        return (
+            True,
+            "Failed to get instance key due to a database issue; skipping check",
+        )
 
 
 def _disk_within_threshold(path, threshold):
-  usage = psutil.disk_usage(path)
-  return (1.0 - (usage.percent / 100.0)) >= threshold
+    usage = psutil.disk_usage(path)
+    return (1.0 - (usage.percent / 100.0)) >= threshold
 
 
 def _check_disk_space(for_warning):
-  def _check_disk_space(app):
-    """ Returns the status of the disk space for this instance. If the available disk space is below
+    def _check_disk_space(app):
+        """ Returns the status of the disk space for this instance. If the available disk space is below
         a certain threshold, then will return False.
     """
-    if not app.config.get('SETUP_COMPLETE', False):
-      return (True, 'Stack not fully setup; skipping check')
+        if not app.config.get("SETUP_COMPLETE", False):
+            return (True, "Stack not fully setup; skipping check")
 
-    config_key = ('DISKSPACE_HEALTH_WARNING_THRESHOLD'
-                  if for_warning else 'DISKSPACE_HEALTH_THRESHOLD')
-    default_threshold = 0.1 if for_warning else 0.01
+        config_key = (
+            "DISKSPACE_HEALTH_WARNING_THRESHOLD"
+            if for_warning
+            else "DISKSPACE_HEALTH_THRESHOLD"
+        )
+        default_threshold = 0.1 if for_warning else 0.01
 
-    # Check the directory in which we're running.
-    currentfile = os.path.abspath(__file__)
-    if not _disk_within_threshold(currentfile, app.config.get(config_key, default_threshold)):
-      stats = psutil.disk_usage(currentfile)
-      logger.debug('Disk space on main volume: %s', stats)
-      return (False, 'Disk space has gone below threshold on main volume: %s' % stats.percent)
+        # Check the directory in which we're running.
+        currentfile = os.path.abspath(__file__)
+        if not _disk_within_threshold(
+            currentfile, app.config.get(config_key, default_threshold)
+        ):
+            stats = psutil.disk_usage(currentfile)
+            logger.debug("Disk space on main volume: %s", stats)
+            return (
+                False,
+                "Disk space has gone below threshold on main volume: %s"
+                % stats.percent,
+            )
 
-    # Check the temp directory as well.
-    tempdir = tempfile.gettempdir()
-    if tempdir is not None:
-      if not _disk_within_threshold(tempdir, app.config.get(config_key, default_threshold)):
-        stats = psutil.disk_usage(tempdir)
-        logger.debug('Disk space on temp volume: %s', stats)
-        return (False, 'Disk space has gone below threshold on temp volume: %s' % stats.percent)
+        # Check the temp directory as well.
+        tempdir = tempfile.gettempdir()
+        if tempdir is not None:
+            if not _disk_within_threshold(
+                tempdir, app.config.get(config_key, default_threshold)
+            ):
+                stats = psutil.disk_usage(tempdir)
+                logger.debug("Disk space on temp volume: %s", stats)
+                return (
+                    False,
+                    "Disk space has gone below threshold on temp volume: %s"
+                    % stats.percent,
+                )
 
-    return (True, '')
+        return (True, "")
 
-  return _check_disk_space
+    return _check_disk_space
 
 
 _INSTANCE_SERVICES = {
-  'registry_gunicorn': _check_gunicorn('v1/_internal_ping'),
-  'web_gunicorn': _check_gunicorn('_internal_ping'),
-  'verbs_gunicorn': _check_gunicorn('c1/_internal_ping'),
-  'service_key': _check_service_key,
-  'disk_space': _check_disk_space(for_warning=False),
-  'jwtproxy': _check_jwt_proxy,
+    "registry_gunicorn": _check_gunicorn("v1/_internal_ping"),
+    "web_gunicorn": _check_gunicorn("_internal_ping"),
+    "verbs_gunicorn": _check_gunicorn("c1/_internal_ping"),
+    "service_key": _check_service_key,
+    "disk_space": _check_disk_space(for_warning=False),
+    "jwtproxy": _check_jwt_proxy,
 }
 
 _GLOBAL_SERVICES = {
-  'database': _check_database,
-  'redis': _check_redis,
-  'storage': _check_storage,
-  'auth': _check_auth,
+    "database": _check_database,
+    "redis": _check_redis,
+    "storage": _check_storage,
+    "auth": _check_auth,
 }
 
-_WARNING_SERVICES = {
-  'disk_space_warning': _check_disk_space(for_warning=True),
-}
+_WARNING_SERVICES = {"disk_space_warning": _check_disk_space(for_warning=True)}
+
 
 def check_all_services(app, skip, for_instance=False):
-  """ Returns a dictionary containing the status of all the services defined. """
-  if for_instance:
-    services = dict(_INSTANCE_SERVICES)
-    services.update(_GLOBAL_SERVICES)
-  else:
-    services = _GLOBAL_SERVICES
+    """ Returns a dictionary containing the status of all the services defined. """
+    if for_instance:
+        services = dict(_INSTANCE_SERVICES)
+        services.update(_GLOBAL_SERVICES)
+    else:
+        services = _GLOBAL_SERVICES
+
+    return _check_services(app, skip, services)
 
-  return _check_services(app, skip, services)
 
 def check_warning_services(app, skip):
-  """ Returns a dictionary containing the status of all the warning services defined. """
-  return _check_services(app, skip, _WARNING_SERVICES)
+    """ Returns a dictionary containing the status of all the warning services defined. """
+    return _check_services(app, skip, _WARNING_SERVICES)
+
 
 def _check_services(app, skip, services):
-  status = {}
-  for name in services:
-    if name in skip:
-      continue
+    status = {}
+    for name in services:
+        if name in skip:
+            continue
 
-    status[name] = services[name](app)
+        status[name] = services[name](app)
 
-  return status
+    return status
diff --git a/image/appc/__init__.py b/image/appc/__init__.py
index a30f63416..c7e48078d 100644
--- a/image/appc/__init__.py
+++ b/image/appc/__init__.py
@@ -10,101 +10,92 @@ from util.dict_wrappers import JSONPathDict
 from image.common import TarImageFormatter
 
 
-ACNAME_REGEX = re.compile(r'[^a-z-]+')
+ACNAME_REGEX = re.compile(r"[^a-z-]+")
 
 
 class AppCImageFormatter(TarImageFormatter):
-  """
+    """
   Image formatter which produces an tarball according to the AppC specification.
   """
 
-  def stream_generator(self, tag, parsed_manifest, synthetic_image_id, layer_iterator,
-                       tar_stream_getter_iterator, reporter=None):
-    image_mtime = 0
-    created = parsed_manifest.created_datetime
-    if created is not None:
-      image_mtime = calendar.timegm(created.utctimetuple())
+    def stream_generator(
+        self,
+        tag,
+        parsed_manifest,
+        synthetic_image_id,
+        layer_iterator,
+        tar_stream_getter_iterator,
+        reporter=None,
+    ):
+        image_mtime = 0
+        created = parsed_manifest.created_datetime
+        if created is not None:
+            image_mtime = calendar.timegm(created.utctimetuple())
 
-    # ACI Format (.tar):
-    #   manifest - The JSON manifest
-    #   rootfs - The root file system
+        # ACI Format (.tar):
+        #   manifest - The JSON manifest
+        #   rootfs - The root file system
 
-    # Yield the manifest.
-    aci_manifest = json.dumps(DockerV1ToACIManifestTranslator.build_manifest(
-      tag,
-      parsed_manifest,
-      synthetic_image_id
-    ))
-    yield self.tar_file('manifest', aci_manifest, mtime=image_mtime)
+        # Yield the manifest.
+        aci_manifest = json.dumps(
+            DockerV1ToACIManifestTranslator.build_manifest(
+                tag, parsed_manifest, synthetic_image_id
+            )
+        )
+        yield self.tar_file("manifest", aci_manifest, mtime=image_mtime)
 
-    # Yield the merged layer dtaa.
-    yield self.tar_folder('rootfs', mtime=image_mtime)
+        # Yield the merged layer dtaa.
+        yield self.tar_folder("rootfs", mtime=image_mtime)
 
-    layer_merger = StreamLayerMerger(tar_stream_getter_iterator, path_prefix='rootfs/',
-                                     reporter=reporter)
-    for entry in layer_merger.get_generator():
-      yield entry
+        layer_merger = StreamLayerMerger(
+            tar_stream_getter_iterator, path_prefix="rootfs/", reporter=reporter
+        )
+        for entry in layer_merger.get_generator():
+            yield entry
 
 
 class DockerV1ToACIManifestTranslator(object):
-  @staticmethod
-  def _build_isolators(docker_config):
-    """
+    @staticmethod
+    def _build_isolators(docker_config):
+        """
     Builds ACI isolator config from the docker config.
     """
 
-    def _isolate_memory(memory):
-      return {
-        "name": "memory/limit",
-        "value": {
-          "request": str(memory) + 'B',
+        def _isolate_memory(memory):
+            return {"name": "memory/limit", "value": {"request": str(memory) + "B"}}
+
+        def _isolate_swap(memory):
+            return {"name": "memory/swap", "value": {"request": str(memory) + "B"}}
+
+        def _isolate_cpu(cpu):
+            return {"name": "cpu/shares", "value": {"request": str(cpu)}}
+
+        def _isolate_capabilities(capabilities_set_value):
+            capabilities_set = re.split(r"[\s,]", capabilities_set_value)
+            return {
+                "name": "os/linux/capabilities-retain-set",
+                "value": {"set": capabilities_set},
+            }
+
+        mappers = {
+            "Memory": _isolate_memory,
+            "MemorySwap": _isolate_swap,
+            "CpuShares": _isolate_cpu,
+            "Cpuset": _isolate_capabilities,
         }
-      }
 
-    def _isolate_swap(memory):
-      return {
-        "name": "memory/swap",
-        "value": {
-          "request": str(memory) + 'B',
-        }
-      }
+        isolators = []
 
-    def _isolate_cpu(cpu):
-      return {
-        "name": "cpu/shares",
-        "value": {
-          "request": str(cpu),
-        }
-      }
+        for config_key in mappers:
+            value = docker_config.get(config_key)
+            if value:
+                isolators.append(mappers[config_key](value))
 
-    def _isolate_capabilities(capabilities_set_value):
-      capabilities_set = re.split(r'[\s,]', capabilities_set_value)
-      return {
-        "name": "os/linux/capabilities-retain-set",
-        "value": {
-          "set": capabilities_set,
-        }
-      }
+        return isolators
 
-    mappers = {
-      'Memory': _isolate_memory,
-      'MemorySwap': _isolate_swap,
-      'CpuShares': _isolate_cpu,
-      'Cpuset': _isolate_capabilities
-    }
-
-    isolators = []
-
-    for config_key in mappers:
-      value = docker_config.get(config_key)
-      if value:
-        isolators.append(mappers[config_key](value))
-
-    return isolators
-
-  @staticmethod
-  def _build_ports(docker_config):
-    """
+    @staticmethod
+    def _build_ports(docker_config):
+        """
     Builds the ports definitions for the ACI.
 
     Formats:
@@ -112,131 +103,141 @@ class DockerV1ToACIManifestTranslator(object):
       port/udp
       port
     """
-    ports = []
+        ports = []
 
-    exposed_ports = docker_config['ExposedPorts']
-    if exposed_ports is not None:
-      port_list = exposed_ports.keys()
-    else:
-      port_list = docker_config['Ports'] or docker_config['ports'] or []
+        exposed_ports = docker_config["ExposedPorts"]
+        if exposed_ports is not None:
+            port_list = exposed_ports.keys()
+        else:
+            port_list = docker_config["Ports"] or docker_config["ports"] or []
 
-    for docker_port in port_list:
-      protocol = 'tcp'
-      port_number = -1
+        for docker_port in port_list:
+            protocol = "tcp"
+            port_number = -1
 
-      if '/' in docker_port:
-        (port_number, protocol) = docker_port.split('/')
-      else:
-        port_number = docker_port
+            if "/" in docker_port:
+                (port_number, protocol) = docker_port.split("/")
+            else:
+                port_number = docker_port
 
-      try:
-        port_number = int(port_number)
-        ports.append({
-          "name": "port-%s" % port_number,
-          "port": port_number,
-          "protocol": protocol,
-        })
-      except ValueError:
-        pass
+            try:
+                port_number = int(port_number)
+                ports.append(
+                    {
+                        "name": "port-%s" % port_number,
+                        "port": port_number,
+                        "protocol": protocol,
+                    }
+                )
+            except ValueError:
+                pass
 
-    return ports
+        return ports
 
-  @staticmethod
-  def _ac_name(value):
-    sanitized = ACNAME_REGEX.sub('-', value.lower()).strip('-')
-    if sanitized == '':
-      return str(uuid4())
-    return sanitized
+    @staticmethod
+    def _ac_name(value):
+        sanitized = ACNAME_REGEX.sub("-", value.lower()).strip("-")
+        if sanitized == "":
+            return str(uuid4())
+        return sanitized
 
-  @staticmethod
-  def _build_volumes(docker_config):
-    """ Builds the volumes definitions for the ACI. """
-    volumes = []
+    @staticmethod
+    def _build_volumes(docker_config):
+        """ Builds the volumes definitions for the ACI. """
+        volumes = []
 
-    def get_name(docker_volume_path):
-      volume_name = DockerV1ToACIManifestTranslator._ac_name(docker_volume_path)
-      return "volume-%s" % volume_name
+        def get_name(docker_volume_path):
+            volume_name = DockerV1ToACIManifestTranslator._ac_name(docker_volume_path)
+            return "volume-%s" % volume_name
 
-    volume_list = docker_config['Volumes'] or docker_config['volumes'] or {}
-    for docker_volume_path in volume_list.iterkeys():
-      if not docker_volume_path:
-        continue
+        volume_list = docker_config["Volumes"] or docker_config["volumes"] or {}
+        for docker_volume_path in volume_list.iterkeys():
+            if not docker_volume_path:
+                continue
 
-      volumes.append({
-        "name": get_name(docker_volume_path),
-        "path": docker_volume_path,
-        "readOnly": False,
-      })
-    return volumes
+            volumes.append(
+                {
+                    "name": get_name(docker_volume_path),
+                    "path": docker_volume_path,
+                    "readOnly": False,
+                }
+            )
+        return volumes
 
-  @staticmethod
-  def build_manifest(tag, manifest, synthetic_image_id):
-    """ Builds an ACI manifest of an existing repository image. """
-    docker_layer_data = JSONPathDict(json.loads(manifest.leaf_layer.raw_v1_metadata))
-    config = docker_layer_data['config'] or JSONPathDict({})
+    @staticmethod
+    def build_manifest(tag, manifest, synthetic_image_id):
+        """ Builds an ACI manifest of an existing repository image. """
+        docker_layer_data = JSONPathDict(
+            json.loads(manifest.leaf_layer.raw_v1_metadata)
+        )
+        config = docker_layer_data["config"] or JSONPathDict({})
 
-    namespace = tag.repository.namespace_name
-    repo_name = tag.repository.name
-    source_url = "%s://%s/%s/%s:%s" % (app.config['PREFERRED_URL_SCHEME'],
-                                       app.config['SERVER_HOSTNAME'],
-                                       namespace, repo_name, tag.name)
+        namespace = tag.repository.namespace_name
+        repo_name = tag.repository.name
+        source_url = "%s://%s/%s/%s:%s" % (
+            app.config["PREFERRED_URL_SCHEME"],
+            app.config["SERVER_HOSTNAME"],
+            namespace,
+            repo_name,
+            tag.name,
+        )
 
-    # ACI requires that the execution command be absolutely referenced. Therefore, if we find
-    # a relative command, we give it as an argument to /bin/sh to resolve and execute for us.
-    entrypoint = config['Entrypoint'] or []
-    exec_path = entrypoint + (config['Cmd'] or [])
-    if exec_path and not exec_path[0].startswith('/'):
-      exec_path = ['/bin/sh', '-c', '""%s""' % ' '.join(exec_path)]
+        # ACI requires that the execution command be absolutely referenced. Therefore, if we find
+        # a relative command, we give it as an argument to /bin/sh to resolve and execute for us.
+        entrypoint = config["Entrypoint"] or []
+        exec_path = entrypoint + (config["Cmd"] or [])
+        if exec_path and not exec_path[0].startswith("/"):
+            exec_path = ["/bin/sh", "-c", '""%s""' % " ".join(exec_path)]
 
-    # TODO: ACI doesn't support : in the name, so remove any ports.
-    hostname = app.config['SERVER_HOSTNAME']
-    hostname = hostname.split(':', 1)[0]
+        # TODO: ACI doesn't support : in the name, so remove any ports.
+        hostname = app.config["SERVER_HOSTNAME"]
+        hostname = hostname.split(":", 1)[0]
 
-    # Calculate the environment variables.
-    docker_env_vars = config.get('Env') or []
-    env_vars = []
-    for var in docker_env_vars:
-      pieces = var.split('=')
-      if len(pieces) != 2:
-        continue
+        # Calculate the environment variables.
+        docker_env_vars = config.get("Env") or []
+        env_vars = []
+        for var in docker_env_vars:
+            pieces = var.split("=")
+            if len(pieces) != 2:
+                continue
 
-      env_vars.append(pieces)
+            env_vars.append(pieces)
 
-    manifest = {
-      "acKind": "ImageManifest",
-      "acVersion": "0.6.1",
-      "name": '%s/%s/%s' % (hostname.lower(), namespace.lower(), repo_name.lower()),
-      "labels": [
-        {
-          "name": "version",
-          "value": tag.name,
-        },
-        {
-          "name": "arch",
-          "value": docker_layer_data.get('architecture') or 'amd64'
-        },
-        {
-          "name": "os",
-          "value": docker_layer_data.get('os') or 'linux'
+        manifest = {
+            "acKind": "ImageManifest",
+            "acVersion": "0.6.1",
+            "name": "%s/%s/%s"
+            % (hostname.lower(), namespace.lower(), repo_name.lower()),
+            "labels": [
+                {"name": "version", "value": tag.name},
+                {
+                    "name": "arch",
+                    "value": docker_layer_data.get("architecture") or "amd64",
+                },
+                {"name": "os", "value": docker_layer_data.get("os") or "linux"},
+            ],
+            "app": {
+                "exec": exec_path,
+                # Below, `or 'root'` is required to replace empty string from Dockerfiles.
+                "user": config.get("User") or "root",
+                "group": config.get("Group") or "root",
+                "eventHandlers": [],
+                "workingDirectory": config.get("WorkingDir") or "/",
+                "environment": [
+                    {"name": key, "value": value} for (key, value) in env_vars
+                ],
+                "isolators": DockerV1ToACIManifestTranslator._build_isolators(config),
+                "mountPoints": DockerV1ToACIManifestTranslator._build_volumes(config),
+                "ports": DockerV1ToACIManifestTranslator._build_ports(config),
+                "annotations": [
+                    {
+                        "name": "created",
+                        "value": docker_layer_data.get("created") or "",
+                    },
+                    {"name": "homepage", "value": source_url},
+                    {"name": "quay.io/derived-image", "value": synthetic_image_id},
+                ],
+            },
         }
-      ],
-      "app": {
-        "exec": exec_path,
-        # Below, `or 'root'` is required to replace empty string from Dockerfiles.
-        "user": config.get('User') or 'root',
-        "group": config.get('Group') or 'root',
-        "eventHandlers": [],
-        "workingDirectory": config.get('WorkingDir') or '/',
-        "environment": [{"name": key, "value": value} for (key, value) in env_vars],
-        "isolators": DockerV1ToACIManifestTranslator._build_isolators(config),
-        "mountPoints": DockerV1ToACIManifestTranslator._build_volumes(config),
-        "ports": DockerV1ToACIManifestTranslator._build_ports(config),
-        "annotations": [
-          {"name": "created", "value": docker_layer_data.get('created') or ''},
-          {"name": "homepage", "value": source_url},
-          {"name": "quay.io/derived-image", "value": synthetic_image_id},
-        ]
-      },
-    }
 
-    return manifest
+        return manifest
diff --git a/image/appc/test/test_appc.py b/image/appc/test/test_appc.py
index d078fbe9f..a3c126e01 100644
--- a/image/appc/test/test_appc.py
+++ b/image/appc/test/test_appc.py
@@ -5,82 +5,76 @@ from util.dict_wrappers import JSONPathDict
 
 
 EXAMPLE_MANIFEST_OBJ = {
-  "architecture": "amd64",
-  "config": {
-    "Hostname": "1d811a9194c4",
-    "Domainname": "",
-    "User": "",
-    "AttachStdin": False,
-    "AttachStdout": False,
-    "AttachStderr": False,
-    "ExposedPorts": {
-      "2379/tcp": {},
-      "2380/tcp": {}
+    "architecture": "amd64",
+    "config": {
+        "Hostname": "1d811a9194c4",
+        "Domainname": "",
+        "User": "",
+        "AttachStdin": False,
+        "AttachStdout": False,
+        "AttachStderr": False,
+        "ExposedPorts": {"2379/tcp": {}, "2380/tcp": {}},
+        "Tty": False,
+        "OpenStdin": False,
+        "StdinOnce": False,
+        "Env": ["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"],
+        "Cmd": ["/usr/local/bin/etcd"],
+        "ArgsEscaped": True,
+        "Image": "sha256:4c86d1f362d42420c137846fae31667ee85ce6f2cab406cdff26a8ff8a2c31c4",
+        "Volumes": None,
+        "WorkingDir": "",
+        "Entrypoint": None,
+        "OnBuild": [],
+        "Labels": {},
     },
-    "Tty": False,
-    "OpenStdin": False,
-    "StdinOnce": False,
-    "Env": [
-      "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
-    ],
-    "Cmd": [
-      "/usr/local/bin/etcd"
-    ],
-    "ArgsEscaped": True,
-    "Image": "sha256:4c86d1f362d42420c137846fae31667ee85ce6f2cab406cdff26a8ff8a2c31c4",
-    "Volumes": None,
-    "WorkingDir": "",
-    "Entrypoint": None,
-    "OnBuild": [],
-    "Labels": {}
-  },
-  "container": "5a3565ce9b808a0eb0bcbc966dad624f76ad308ad24e11525b5da1201a1df135",
-  "container_config": {
-    "Hostname": "1d811a9194c4",
-    "Domainname": "",
-    "User": "",
-    "AttachStdin": False,
-    "AttachStdout": False,
-    "AttachStderr": False,
-    "ExposedPorts": {
-      "2379/tcp": {},
-      "2380/tcp": {}
+    "container": "5a3565ce9b808a0eb0bcbc966dad624f76ad308ad24e11525b5da1201a1df135",
+    "container_config": {
+        "Hostname": "1d811a9194c4",
+        "Domainname": "",
+        "User": "",
+        "AttachStdin": False,
+        "AttachStdout": False,
+        "AttachStderr": False,
+        "ExposedPorts": {"2379/tcp": {}, "2380/tcp": {}},
+        "Tty": False,
+        "OpenStdin": False,
+        "StdinOnce": False,
+        "Env": ["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"],
+        "Cmd": ["/bin/sh", "-c", '#(nop) CMD ["/usr/local/bin/etcd"]'],
+        "ArgsEscaped": True,
+        "Image": "sha256:4c86d1f362d42420c137846fae31667ee85ce6f2cab406cdff26a8ff8a2c31c4",
+        "Volumes": None,
+        "WorkingDir": "",
+        "Entrypoint": None,
+        "OnBuild": [],
+        "Labels": {},
     },
-    "Tty": False,
-    "OpenStdin": False,
-    "StdinOnce": False,
-    "Env": [
-      "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
-    ],
-    "Cmd": [
-      "/bin/sh",
-      "-c",
-      "#(nop) CMD [\"/usr/local/bin/etcd\"]"
-    ],
-    "ArgsEscaped": True,
-    "Image": "sha256:4c86d1f362d42420c137846fae31667ee85ce6f2cab406cdff26a8ff8a2c31c4",
-    "Volumes": None,
-    "WorkingDir": "",
-    "Entrypoint": None,
-    "OnBuild": [],
-    "Labels": {}
-  },
-  "created": "2016-11-11T19:03:55.137387628Z",
-  "docker_version": "1.11.1",
-  "id": "3314a3781a526fe728e2e96cfcfb3cc0de901b5c102e6204e8b0155c8f7d5fd2",
-  "os": "linux",
-  "parent": "625342ec4d0f3d7a96fd3bb1ef0b4b0b6bc65ebb3d252fd33af0691f7984440e",
-  "throwaway": True
+    "created": "2016-11-11T19:03:55.137387628Z",
+    "docker_version": "1.11.1",
+    "id": "3314a3781a526fe728e2e96cfcfb3cc0de901b5c102e6204e8b0155c8f7d5fd2",
+    "os": "linux",
+    "parent": "625342ec4d0f3d7a96fd3bb1ef0b4b0b6bc65ebb3d252fd33af0691f7984440e",
+    "throwaway": True,
 }
 
-@pytest.mark.parametrize("vcfg,expected", [
-  ({'Volumes': None}, []),
-  ({'Volumes': {}}, []),
-  ({'Volumes': {'/bin': {}}}, [{'name': 'volume-bin', 'path': '/bin', 'readOnly': False}]),
-  ({'volumes': None}, []),
-  ({'volumes': {}}, []),
-  ({'volumes': {'/bin': {}}}, [{'name': 'volume-bin', 'path': '/bin', 'readOnly': False}]),
-])
+
+@pytest.mark.parametrize(
+    "vcfg,expected",
+    [
+        ({"Volumes": None}, []),
+        ({"Volumes": {}}, []),
+        (
+            {"Volumes": {"/bin": {}}},
+            [{"name": "volume-bin", "path": "/bin", "readOnly": False}],
+        ),
+        ({"volumes": None}, []),
+        ({"volumes": {}}, []),
+        (
+            {"volumes": {"/bin": {}}},
+            [{"name": "volume-bin", "path": "/bin", "readOnly": False}],
+        ),
+    ],
+)
 def test_volume_version_easy(vcfg, expected):
-  output = DockerV1ToACIManifestTranslator._build_volumes(JSONPathDict(vcfg))
-  assert output == expected
+    output = DockerV1ToACIManifestTranslator._build_volumes(JSONPathDict(vcfg))
+    assert output == expected
diff --git a/image/docker/__init__.py b/image/docker/__init__.py
index f694dcb12..49e5bf6e6 100644
--- a/image/docker/__init__.py
+++ b/image/docker/__init__.py
@@ -2,9 +2,10 @@
 docker implements pure data transformations according to the many Docker specifications.
 """
 
+
 class DockerFormatException(Exception):
-  pass
+    pass
 
 
 class ManifestException(DockerFormatException):
-  pass
+    pass
diff --git a/image/docker/interfaces.py b/image/docker/interfaces.py
index 85a17fd06..8b0b2acde 100644
--- a/image/docker/interfaces.py
+++ b/image/docker/interfaces.py
@@ -1,116 +1,118 @@
 from abc import ABCMeta, abstractproperty, abstractmethod
 from six import add_metaclass
 
+
 @add_metaclass(ABCMeta)
 class ManifestInterface(object):
-  """ Defines the interface for the various manifests types supported. """
-  @abstractproperty
-  def is_manifest_list(self):
-    """ Returns whether this manifest is a list. """
+    """ Defines the interface for the various manifests types supported. """
 
-  @abstractproperty
-  def schema_version(self):
-    """ The version of the schema. """
+    @abstractproperty
+    def is_manifest_list(self):
+        """ Returns whether this manifest is a list. """
 
-  @abstractproperty
-  def digest(self):
-    """ The digest of the manifest, including type prefix. """
-    pass
+    @abstractproperty
+    def schema_version(self):
+        """ The version of the schema. """
 
-  @abstractproperty
-  def media_type(self):
-    """ The media type of the schema. """
-    pass
+    @abstractproperty
+    def digest(self):
+        """ The digest of the manifest, including type prefix. """
+        pass
 
-  @abstractproperty
-  def manifest_dict(self):
-    """ Returns the manifest as a dictionary ready to be serialized to JSON. """
-    pass
+    @abstractproperty
+    def media_type(self):
+        """ The media type of the schema. """
+        pass
 
-  @abstractproperty
-  def bytes(self):
-    """ Returns the bytes of the manifest. """
-    pass
+    @abstractproperty
+    def manifest_dict(self):
+        """ Returns the manifest as a dictionary ready to be serialized to JSON. """
+        pass
 
-  @abstractproperty
-  def layers_compressed_size(self):
-    """ Returns the total compressed size of all the layers in this manifest. Returns None if this
+    @abstractproperty
+    def bytes(self):
+        """ Returns the bytes of the manifest. """
+        pass
+
+    @abstractproperty
+    def layers_compressed_size(self):
+        """ Returns the total compressed size of all the layers in this manifest. Returns None if this
         cannot be computed locally.
     """
 
-  @abstractmethod
-  def validate(self, content_retriever):
-    """ Performs validation of required assertions about the manifest. Raises a ManifestException
+    @abstractmethod
+    def validate(self, content_retriever):
+        """ Performs validation of required assertions about the manifest. Raises a ManifestException
         on failure.
     """
-    pass
+        pass
 
-  @abstractmethod
-  def get_layers(self, content_retriever):
-    """ Returns the layers of this manifest, from base to leaf or None if this kind of manifest
+    @abstractmethod
+    def get_layers(self, content_retriever):
+        """ Returns the layers of this manifest, from base to leaf or None if this kind of manifest
         does not support layers. The layer must be of type ManifestImageLayer. """
-    pass
+        pass
 
-  @abstractmethod
-  def get_leaf_layer_v1_image_id(self, content_retriever):
-    """ Returns the Docker V1 image ID for the leaf (top) layer, if any, or None if
+    @abstractmethod
+    def get_leaf_layer_v1_image_id(self, content_retriever):
+        """ Returns the Docker V1 image ID for the leaf (top) layer, if any, or None if
         not applicable. """
-    pass
+        pass
 
-  @abstractmethod
-  def get_legacy_image_ids(self, content_retriever):
-    """ Returns the Docker V1 image IDs for the layers of this manifest or None if not applicable.
+    @abstractmethod
+    def get_legacy_image_ids(self, content_retriever):
+        """ Returns the Docker V1 image IDs for the layers of this manifest or None if not applicable.
     """
-    pass
+        pass
 
-  @abstractproperty
-  def blob_digests(self):
-    """ Returns an iterator over all the blob digests referenced by this manifest,
+    @abstractproperty
+    def blob_digests(self):
+        """ Returns an iterator over all the blob digests referenced by this manifest,
         from base to leaf. The blob digests are strings with prefixes. For manifests that reference
         config as a blob, the blob will be included here as the last entry.
     """
 
-  @abstractmethod
-  def get_blob_digests_for_translation(self):
-    """ Returns the blob digests for translation of this manifest into another manifest. This
+    @abstractmethod
+    def get_blob_digests_for_translation(self):
+        """ Returns the blob digests for translation of this manifest into another manifest. This
         method will ignore missing IDs in layers, unlike `blob_digests`.
     """
 
-  @abstractproperty
-  def local_blob_digests(self):
-    """ Returns an iterator over all the *non-remote* blob digests referenced by this manifest,
+    @abstractproperty
+    def local_blob_digests(self):
+        """ Returns an iterator over all the *non-remote* blob digests referenced by this manifest,
         from base to leaf. The blob digests are strings with prefixes. For manifests that reference
         config as a blob, the blob will be included here as the last entry.
     """
 
-  @abstractmethod
-  def child_manifests(self, content_retriever):
-    """ Returns an iterator of all manifests that live under this manifest, if any or None if not
+    @abstractmethod
+    def child_manifests(self, content_retriever):
+        """ Returns an iterator of all manifests that live under this manifest, if any or None if not
         applicable.
     """
 
-  @abstractmethod
-  def get_manifest_labels(self, content_retriever):
-    """ Returns a dictionary of all the labels defined inside this manifest or None if this kind
+    @abstractmethod
+    def get_manifest_labels(self, content_retriever):
+        """ Returns a dictionary of all the labels defined inside this manifest or None if this kind
         of manifest does not support labels. """
-    pass
+        pass
 
-  @abstractmethod
-  def get_requires_empty_layer_blob(self, content_retriever):
-    """ Whether this schema requires the special empty layer blob. """
-    pass
+    @abstractmethod
+    def get_requires_empty_layer_blob(self, content_retriever):
+        """ Whether this schema requires the special empty layer blob. """
+        pass
 
-  @abstractmethod
-  def unsigned(self):
-    """ Returns an unsigned version of this manifest. """
+    @abstractmethod
+    def unsigned(self):
+        """ Returns an unsigned version of this manifest. """
 
-  @abstractproperty
-  def has_legacy_image(self):
-    """ Returns True if this manifest has a legacy V1 image, or False if not. """
+    @abstractproperty
+    def has_legacy_image(self):
+        """ Returns True if this manifest has a legacy V1 image, or False if not. """
 
-  @abstractmethod
-  def generate_legacy_layers(self, images_map, content_retriever):
-    """
+    @abstractmethod
+    def generate_legacy_layers(self, images_map, content_retriever):
+        """
     Rewrites Docker v1 image IDs and returns a generator of DockerV1Metadata, starting
     at the base layer and working towards the leaf.
 
@@ -121,28 +123,32 @@ class ManifestInterface(object):
     Returns None if there are no legacy images associated with the manifest.
     """
 
-  @abstractmethod
-  def get_schema1_manifest(self, namespace_name, repo_name, tag_name, content_retriever):
-    """ Returns a schema1 version of the manifest. If this is a mainfest list, should return the
+    @abstractmethod
+    def get_schema1_manifest(
+        self, namespace_name, repo_name, tag_name, content_retriever
+    ):
+        """ Returns a schema1 version of the manifest. If this is a mainfest list, should return the
         manifest that is compatible with V1, by virtue of being `amd64` and `linux`.
         If none, returns None.
     """
 
-  @abstractmethod
-  def convert_manifest(self, allowed_mediatypes, namespace_name, repo_name, tag_name,
-                       content_retriever):
-    """ Returns a version of this schema that has a media type found in the given media type set.
+    @abstractmethod
+    def convert_manifest(
+        self, allowed_mediatypes, namespace_name, repo_name, tag_name, content_retriever
+    ):
+        """ Returns a version of this schema that has a media type found in the given media type set.
         If not possible, or an error occurs, returns None.
     """
 
 
 @add_metaclass(ABCMeta)
 class ContentRetriever(object):
-  """ Defines the interface for retrieval of various content referenced by a manifest. """
-  @abstractmethod
-  def get_manifest_bytes_with_digest(self, digest):
-    """ Returns the bytes of the manifest with the given digest or None if none found. """
+    """ Defines the interface for retrieval of various content referenced by a manifest. """
 
-  @abstractmethod
-  def get_blob_bytes_with_digest(self, digest):
-    """ Returns the bytes of the blob with the given digest or None if none found. """
+    @abstractmethod
+    def get_manifest_bytes_with_digest(self, digest):
+        """ Returns the bytes of the manifest with the given digest or None if none found. """
+
+    @abstractmethod
+    def get_blob_bytes_with_digest(self, digest):
+        """ Returns the bytes of the blob with the given digest or None if none found. """
diff --git a/image/docker/schema1.py b/image/docker/schema1.py
index ef5c7e459..fad7c7ac7 100644
--- a/image/docker/schema1.py
+++ b/image/docker/schema1.py
@@ -30,455 +30,511 @@ logger = logging.getLogger(__name__)
 
 
 # Content Types
-DOCKER_SCHEMA1_MANIFEST_CONTENT_TYPE = 'application/vnd.docker.distribution.manifest.v1+json'
-DOCKER_SCHEMA1_SIGNED_MANIFEST_CONTENT_TYPE = 'application/vnd.docker.distribution.manifest.v1+prettyjws'
-DOCKER_SCHEMA1_CONTENT_TYPES = {DOCKER_SCHEMA1_MANIFEST_CONTENT_TYPE,
-                                DOCKER_SCHEMA1_SIGNED_MANIFEST_CONTENT_TYPE}
+DOCKER_SCHEMA1_MANIFEST_CONTENT_TYPE = (
+    "application/vnd.docker.distribution.manifest.v1+json"
+)
+DOCKER_SCHEMA1_SIGNED_MANIFEST_CONTENT_TYPE = (
+    "application/vnd.docker.distribution.manifest.v1+prettyjws"
+)
+DOCKER_SCHEMA1_CONTENT_TYPES = {
+    DOCKER_SCHEMA1_MANIFEST_CONTENT_TYPE,
+    DOCKER_SCHEMA1_SIGNED_MANIFEST_CONTENT_TYPE,
+}
 
 # Keys for signature-related data
-DOCKER_SCHEMA1_SIGNATURES_KEY = 'signatures'
-DOCKER_SCHEMA1_HEADER_KEY = 'header'
-DOCKER_SCHEMA1_SIGNATURE_KEY = 'signature'
-DOCKER_SCHEMA1_PROTECTED_KEY = 'protected'
-DOCKER_SCHEMA1_FORMAT_LENGTH_KEY = 'formatLength'
-DOCKER_SCHEMA1_FORMAT_TAIL_KEY = 'formatTail'
+DOCKER_SCHEMA1_SIGNATURES_KEY = "signatures"
+DOCKER_SCHEMA1_HEADER_KEY = "header"
+DOCKER_SCHEMA1_SIGNATURE_KEY = "signature"
+DOCKER_SCHEMA1_PROTECTED_KEY = "protected"
+DOCKER_SCHEMA1_FORMAT_LENGTH_KEY = "formatLength"
+DOCKER_SCHEMA1_FORMAT_TAIL_KEY = "formatTail"
 
 # Keys for manifest-related data
-DOCKER_SCHEMA1_REPO_NAME_KEY = 'name'
-DOCKER_SCHEMA1_REPO_TAG_KEY = 'tag'
-DOCKER_SCHEMA1_ARCH_KEY = 'architecture'
-DOCKER_SCHEMA1_FS_LAYERS_KEY = 'fsLayers'
-DOCKER_SCHEMA1_BLOB_SUM_KEY = 'blobSum'
-DOCKER_SCHEMA1_HISTORY_KEY = 'history'
-DOCKER_SCHEMA1_V1_COMPAT_KEY = 'v1Compatibility'
-DOCKER_SCHEMA1_SCHEMA_VER_KEY = 'schemaVersion'
+DOCKER_SCHEMA1_REPO_NAME_KEY = "name"
+DOCKER_SCHEMA1_REPO_TAG_KEY = "tag"
+DOCKER_SCHEMA1_ARCH_KEY = "architecture"
+DOCKER_SCHEMA1_FS_LAYERS_KEY = "fsLayers"
+DOCKER_SCHEMA1_BLOB_SUM_KEY = "blobSum"
+DOCKER_SCHEMA1_HISTORY_KEY = "history"
+DOCKER_SCHEMA1_V1_COMPAT_KEY = "v1Compatibility"
+DOCKER_SCHEMA1_SCHEMA_VER_KEY = "schemaVersion"
 
 # Format for time used in the protected payload.
-_ISO_DATETIME_FORMAT_ZULU = '%Y-%m-%dT%H:%M:%SZ'
+_ISO_DATETIME_FORMAT_ZULU = "%Y-%m-%dT%H:%M:%SZ"
 
 # The algorithm we use to sign the JWS.
-_JWS_SIGNING_ALGORITHM = 'RS256'
+_JWS_SIGNING_ALGORITHM = "RS256"
+
 
 class MalformedSchema1Manifest(ManifestException):
-  """
+    """
   Raised when a manifest fails an assertion that should be true according to the Docker Manifest
   v2.1 Specification.
   """
-  pass
+
+    pass
 
 
 class InvalidSchema1Signature(ManifestException):
-  """
+    """
   Raised when there is a failure verifying the signature of a signed Docker 2.1 Manifest.
   """
-  pass
+
+    pass
 
 
-class Schema1Layer(namedtuple('Schema1Layer', ['digest', 'v1_metadata', 'raw_v1_metadata',
-                                               'compressed_size', 'is_remote', 'urls'])):
-  """
+class Schema1Layer(
+    namedtuple(
+        "Schema1Layer",
+        [
+            "digest",
+            "v1_metadata",
+            "raw_v1_metadata",
+            "compressed_size",
+            "is_remote",
+            "urls",
+        ],
+    )
+):
+    """
   Represents all of the data about an individual layer in a given Manifest.
   This is the union of the fsLayers (digest) and the history entries (v1_compatibility).
   """
 
 
-class Schema1V1Metadata(namedtuple('Schema1V1Metadata', ['image_id', 'parent_image_id', 'created',
-                                                         'comment', 'command', 'author',
-                                                         'labels'])):
-  """
+class Schema1V1Metadata(
+    namedtuple(
+        "Schema1V1Metadata",
+        [
+            "image_id",
+            "parent_image_id",
+            "created",
+            "comment",
+            "command",
+            "author",
+            "labels",
+        ],
+    )
+):
+    """
   Represents the necessary data extracted from the v1 compatibility string in a given layer of a
   Manifest.
   """
 
 
 class DockerSchema1Manifest(ManifestInterface):
-  METASCHEMA = {
-    'type': 'object',
-    'properties': {
-      DOCKER_SCHEMA1_SIGNATURES_KEY: {
-        'type': 'array',
-        'items': {
-          'type': 'object',
-          'properties': {
-            DOCKER_SCHEMA1_PROTECTED_KEY: {
-              'type': 'string',
-            },
-            DOCKER_SCHEMA1_HEADER_KEY: {
-              'type': 'object',
-              'properties': {
-                'alg': {
-                  'type': 'string',
+    METASCHEMA = {
+        "type": "object",
+        "properties": {
+            DOCKER_SCHEMA1_SIGNATURES_KEY: {
+                "type": "array",
+                "items": {
+                    "type": "object",
+                    "properties": {
+                        DOCKER_SCHEMA1_PROTECTED_KEY: {"type": "string"},
+                        DOCKER_SCHEMA1_HEADER_KEY: {
+                            "type": "object",
+                            "properties": {
+                                "alg": {"type": "string"},
+                                "jwk": {"type": "object"},
+                            },
+                            "required": ["alg", "jwk"],
+                        },
+                        DOCKER_SCHEMA1_SIGNATURE_KEY: {"type": "string"},
+                    },
+                    "required": [
+                        DOCKER_SCHEMA1_PROTECTED_KEY,
+                        DOCKER_SCHEMA1_HEADER_KEY,
+                        DOCKER_SCHEMA1_SIGNATURE_KEY,
+                    ],
                 },
-                'jwk': {
-                  'type': 'object',
+            },
+            DOCKER_SCHEMA1_REPO_TAG_KEY: {"type": "string"},
+            DOCKER_SCHEMA1_REPO_NAME_KEY: {"type": "string"},
+            DOCKER_SCHEMA1_HISTORY_KEY: {
+                "type": "array",
+                "items": {
+                    "type": "object",
+                    "properties": {DOCKER_SCHEMA1_V1_COMPAT_KEY: {"type": "string"}},
+                    "required": [DOCKER_SCHEMA1_V1_COMPAT_KEY],
                 },
-              },
-              'required': ['alg', 'jwk'],
             },
-            DOCKER_SCHEMA1_SIGNATURE_KEY: {
-              'type': 'string',
+            DOCKER_SCHEMA1_FS_LAYERS_KEY: {
+                "type": "array",
+                "items": {
+                    "type": "object",
+                    "properties": {DOCKER_SCHEMA1_BLOB_SUM_KEY: {"type": "string"}},
+                    "required": [DOCKER_SCHEMA1_BLOB_SUM_KEY],
+                },
             },
-          },
-          'required': [DOCKER_SCHEMA1_PROTECTED_KEY, DOCKER_SCHEMA1_HEADER_KEY,
-                       DOCKER_SCHEMA1_SIGNATURE_KEY],
         },
-      },
-      DOCKER_SCHEMA1_REPO_TAG_KEY: {
-        'type': 'string',
-      },
-      DOCKER_SCHEMA1_REPO_NAME_KEY: {
-        'type': 'string',
-      },
-      DOCKER_SCHEMA1_HISTORY_KEY: {
-        'type': 'array',
-        'items': {
-          'type': 'object',
-          'properties': {
-            DOCKER_SCHEMA1_V1_COMPAT_KEY: {
-              'type': 'string',
-            },
-          },
-          'required': [DOCKER_SCHEMA1_V1_COMPAT_KEY],
-        },
-      },
-      DOCKER_SCHEMA1_FS_LAYERS_KEY: {
-        'type': 'array',
-        'items': {
-          'type': 'object',
-          'properties': {
-            DOCKER_SCHEMA1_BLOB_SUM_KEY: {
-              'type': 'string',
-            },
-          },
-          'required': [DOCKER_SCHEMA1_BLOB_SUM_KEY],
-        },
-      },
-    },
-    'required': [DOCKER_SCHEMA1_REPO_TAG_KEY,
-                 DOCKER_SCHEMA1_REPO_NAME_KEY, DOCKER_SCHEMA1_FS_LAYERS_KEY,
-                 DOCKER_SCHEMA1_HISTORY_KEY],
-  }
+        "required": [
+            DOCKER_SCHEMA1_REPO_TAG_KEY,
+            DOCKER_SCHEMA1_REPO_NAME_KEY,
+            DOCKER_SCHEMA1_FS_LAYERS_KEY,
+            DOCKER_SCHEMA1_HISTORY_KEY,
+        ],
+    }
 
-  def __init__(self, manifest_bytes, validate=True):
-    assert isinstance(manifest_bytes, Bytes)
+    def __init__(self, manifest_bytes, validate=True):
+        assert isinstance(manifest_bytes, Bytes)
 
-    self._layers = None
-    self._bytes = manifest_bytes
+        self._layers = None
+        self._bytes = manifest_bytes
 
-    try:
-      self._parsed = json.loads(manifest_bytes.as_encoded_str())
-    except ValueError as ve:
-      raise MalformedSchema1Manifest('malformed manifest data: %s' % ve)
+        try:
+            self._parsed = json.loads(manifest_bytes.as_encoded_str())
+        except ValueError as ve:
+            raise MalformedSchema1Manifest("malformed manifest data: %s" % ve)
 
-    try:
-      validate_schema(self._parsed, DockerSchema1Manifest.METASCHEMA)
-    except ValidationError as ve:
-      raise MalformedSchema1Manifest('manifest data does not match schema: %s' % ve)
+        try:
+            validate_schema(self._parsed, DockerSchema1Manifest.METASCHEMA)
+        except ValidationError as ve:
+            raise MalformedSchema1Manifest(
+                "manifest data does not match schema: %s" % ve
+            )
 
-    self._signatures = self._parsed.get(DOCKER_SCHEMA1_SIGNATURES_KEY)
-    self._architecture = self._parsed.get(DOCKER_SCHEMA1_ARCH_KEY)
+        self._signatures = self._parsed.get(DOCKER_SCHEMA1_SIGNATURES_KEY)
+        self._architecture = self._parsed.get(DOCKER_SCHEMA1_ARCH_KEY)
 
-    self._tag = self._parsed[DOCKER_SCHEMA1_REPO_TAG_KEY]
+        self._tag = self._parsed[DOCKER_SCHEMA1_REPO_TAG_KEY]
 
-    repo_name = self._parsed[DOCKER_SCHEMA1_REPO_NAME_KEY]
-    repo_name_tuple = repo_name.split('/')
-    if len(repo_name_tuple) > 1:
-      self._namespace, self._repo_name = repo_name_tuple
-    elif len(repo_name_tuple) == 1:
-      self._namespace = ''
-      self._repo_name = repo_name_tuple[0]
-    else:
-      raise MalformedSchema1Manifest('malformed repository name: %s' % repo_name)
+        repo_name = self._parsed[DOCKER_SCHEMA1_REPO_NAME_KEY]
+        repo_name_tuple = repo_name.split("/")
+        if len(repo_name_tuple) > 1:
+            self._namespace, self._repo_name = repo_name_tuple
+        elif len(repo_name_tuple) == 1:
+            self._namespace = ""
+            self._repo_name = repo_name_tuple[0]
+        else:
+            raise MalformedSchema1Manifest("malformed repository name: %s" % repo_name)
 
-    if validate:
-      self._validate()
+        if validate:
+            self._validate()
 
-  def _validate(self):
-    if not self._signatures:
-      return
+    def _validate(self):
+        if not self._signatures:
+            return
 
-    payload_str = self._payload
-    for signature in self._signatures:
-      bytes_to_verify = '{0}.{1}'.format(signature['protected'], base64url_encode(payload_str))
-      signer = SIGNER_ALGS[signature['header']['alg']]
-      key = keyrep(signature['header']['jwk'])
-      gk = key.get_key()
-      sig = base64url_decode(signature['signature'].encode('utf-8'))
+        payload_str = self._payload
+        for signature in self._signatures:
+            bytes_to_verify = "{0}.{1}".format(
+                signature["protected"], base64url_encode(payload_str)
+            )
+            signer = SIGNER_ALGS[signature["header"]["alg"]]
+            key = keyrep(signature["header"]["jwk"])
+            gk = key.get_key()
+            sig = base64url_decode(signature["signature"].encode("utf-8"))
 
-      try:
-        verified = signer.verify(bytes_to_verify, sig, gk)
-      except BadSignature:
-        raise InvalidSchema1Signature()
+            try:
+                verified = signer.verify(bytes_to_verify, sig, gk)
+            except BadSignature:
+                raise InvalidSchema1Signature()
 
-      if not verified:
-        raise InvalidSchema1Signature()
+            if not verified:
+                raise InvalidSchema1Signature()
 
-  def validate(self, content_retriever):
-    """ Performs validation of required assertions about the manifest. Raises a ManifestException
+    def validate(self, content_retriever):
+        """ Performs validation of required assertions about the manifest. Raises a ManifestException
         on failure.
     """
-    # Already validated.
+        # Already validated.
 
-  @property
-  def is_signed(self):
-    """ Returns whether the schema is signed. """
-    return bool(self._signatures)
+    @property
+    def is_signed(self):
+        """ Returns whether the schema is signed. """
+        return bool(self._signatures)
 
-  @property
-  def architecture(self):
-    return self._architecture
+    @property
+    def architecture(self):
+        return self._architecture
 
-  @property
-  def is_manifest_list(self):
-    return False
+    @property
+    def is_manifest_list(self):
+        return False
 
-  @property
-  def schema_version(self):
-    return 1
+    @property
+    def schema_version(self):
+        return 1
 
-  @property
-  def content_type(self):
-    return (DOCKER_SCHEMA1_SIGNED_MANIFEST_CONTENT_TYPE
-            if self._signatures else DOCKER_SCHEMA1_MANIFEST_CONTENT_TYPE)
+    @property
+    def content_type(self):
+        return (
+            DOCKER_SCHEMA1_SIGNED_MANIFEST_CONTENT_TYPE
+            if self._signatures
+            else DOCKER_SCHEMA1_MANIFEST_CONTENT_TYPE
+        )
 
-  @property
-  def media_type(self):
-    return self.content_type
+    @property
+    def media_type(self):
+        return self.content_type
 
-  @property
-  def signatures(self):
-    return self._signatures
+    @property
+    def signatures(self):
+        return self._signatures
 
-  @property
-  def namespace(self):
-    return self._namespace
+    @property
+    def namespace(self):
+        return self._namespace
 
-  @property
-  def repo_name(self):
-    return self._repo_name
+    @property
+    def repo_name(self):
+        return self._repo_name
 
-  @property
-  def tag(self):
-    return self._tag
+    @property
+    def tag(self):
+        return self._tag
 
-  @property
-  def bytes(self):
-    return self._bytes
+    @property
+    def bytes(self):
+        return self._bytes
 
-  @property
-  def manifest_json(self):
-    return self._parsed
+    @property
+    def manifest_json(self):
+        return self._parsed
 
-  @property
-  def manifest_dict(self):
-    return self._parsed
+    @property
+    def manifest_dict(self):
+        return self._parsed
 
-  @property
-  def layers_compressed_size(self):
-    return None
+    @property
+    def layers_compressed_size(self):
+        return None
 
-  @property
-  def digest(self):
-    return digest_tools.sha256_digest(self._payload)
+    @property
+    def digest(self):
+        return digest_tools.sha256_digest(self._payload)
 
-  @property
-  def image_ids(self):
-    return {mdata.v1_metadata.image_id for mdata in self.layers}
+    @property
+    def image_ids(self):
+        return {mdata.v1_metadata.image_id for mdata in self.layers}
 
-  @property
-  def parent_image_ids(self):
-    return {mdata.v1_metadata.parent_image_id for mdata in self.layers
-            if mdata.v1_metadata.parent_image_id}
+    @property
+    def parent_image_ids(self):
+        return {
+            mdata.v1_metadata.parent_image_id
+            for mdata in self.layers
+            if mdata.v1_metadata.parent_image_id
+        }
 
-  @property
-  def checksums(self):
-    return list({str(mdata.digest) for mdata in self.layers})
+    @property
+    def checksums(self):
+        return list({str(mdata.digest) for mdata in self.layers})
 
-  @property
-  def leaf_layer(self):
-    return self.layers[-1]
+    @property
+    def leaf_layer(self):
+        return self.layers[-1]
 
-  @property
-  def created_datetime(self):
-    created_datetime_str = self.leaf_layer.v1_metadata.created
-    if created_datetime_str is None:
-      return None
+    @property
+    def created_datetime(self):
+        created_datetime_str = self.leaf_layer.v1_metadata.created
+        if created_datetime_str is None:
+            return None
 
-    try:
-      return dateutil.parser.parse(created_datetime_str).replace(tzinfo=None)
-    except:
-      # parse raises different exceptions, so we cannot use a specific kind of handler here.
-      return None
+        try:
+            return dateutil.parser.parse(created_datetime_str).replace(tzinfo=None)
+        except:
+            # parse raises different exceptions, so we cannot use a specific kind of handler here.
+            return None
 
-  @property
-  def layers(self):
-    if self._layers is None:
-      self._layers = list(self._generate_layers())
-    return self._layers
+    @property
+    def layers(self):
+        if self._layers is None:
+            self._layers = list(self._generate_layers())
+        return self._layers
 
-  def get_layers(self, content_retriever):
-    """ Returns the layers of this manifest, from base to leaf or None if this kind of manifest
+    def get_layers(self, content_retriever):
+        """ Returns the layers of this manifest, from base to leaf or None if this kind of manifest
         does not support layers. """
-    for layer in self.layers:
-      created_datetime = None
-      try:
-        created_datetime = dateutil.parser.parse(layer.v1_metadata.created).replace(tzinfo=None)
-      except:
-        pass
+        for layer in self.layers:
+            created_datetime = None
+            try:
+                created_datetime = dateutil.parser.parse(
+                    layer.v1_metadata.created
+                ).replace(tzinfo=None)
+            except:
+                pass
 
-      yield ManifestImageLayer(layer_id=layer.v1_metadata.image_id,
-                               compressed_size=layer.compressed_size,
-                               is_remote=False,
-                               urls=None,
-                               command=layer.v1_metadata.command,
-                               comment=layer.v1_metadata.comment,
-                               author=layer.v1_metadata.author,
-                               blob_digest=layer.digest,
-                               created_datetime=created_datetime,
-                               internal_layer=layer)
+            yield ManifestImageLayer(
+                layer_id=layer.v1_metadata.image_id,
+                compressed_size=layer.compressed_size,
+                is_remote=False,
+                urls=None,
+                command=layer.v1_metadata.command,
+                comment=layer.v1_metadata.comment,
+                author=layer.v1_metadata.author,
+                blob_digest=layer.digest,
+                created_datetime=created_datetime,
+                internal_layer=layer,
+            )
 
-  @property
-  def blob_digests(self):
-    return [str(layer.digest) for layer in self.layers]
+    @property
+    def blob_digests(self):
+        return [str(layer.digest) for layer in self.layers]
 
-  @property
-  def local_blob_digests(self):
-    return self.blob_digests
+    @property
+    def local_blob_digests(self):
+        return self.blob_digests
 
-  def get_blob_digests_for_translation(self):
-    """ Returns the blob digests for translation of this manifest into another manifest. This
+    def get_blob_digests_for_translation(self):
+        """ Returns the blob digests for translation of this manifest into another manifest. This
         method will ignore missing IDs in layers, unlike `blob_digests`.
     """
-    layers = self._generate_layers(allow_missing_ids=True)
-    return [str(layer.digest) for layer in layers]
+        layers = self._generate_layers(allow_missing_ids=True)
+        return [str(layer.digest) for layer in layers]
 
-  def child_manifests(self, content_retriever):
-    return None
+    def child_manifests(self, content_retriever):
+        return None
 
-  def get_manifest_labels(self, content_retriever):
-    return self.layers[-1].v1_metadata.labels
+    def get_manifest_labels(self, content_retriever):
+        return self.layers[-1].v1_metadata.labels
 
-  def get_requires_empty_layer_blob(self, content_retriever):
-    return False
+    def get_requires_empty_layer_blob(self, content_retriever):
+        return False
 
-  def _unsigned_builder(self):
-    builder = DockerSchema1ManifestBuilder(self._namespace, self._repo_name, self._tag,
-                                           self._architecture)
-    for layer in reversed(self.layers):
-      builder.add_layer(str(layer.digest), layer.raw_v1_metadata)
+    def _unsigned_builder(self):
+        builder = DockerSchema1ManifestBuilder(
+            self._namespace, self._repo_name, self._tag, self._architecture
+        )
+        for layer in reversed(self.layers):
+            builder.add_layer(str(layer.digest), layer.raw_v1_metadata)
 
-    return builder
+        return builder
 
-  def unsigned(self):
-    if self.media_type == DOCKER_SCHEMA1_MANIFEST_CONTENT_TYPE:
-      return self
+    def unsigned(self):
+        if self.media_type == DOCKER_SCHEMA1_MANIFEST_CONTENT_TYPE:
+            return self
 
-    # Create an unsigned version of the manifest.
-    return self._unsigned_builder().build()
+        # Create an unsigned version of the manifest.
+        return self._unsigned_builder().build()
 
-  def with_tag_name(self, tag_name, json_web_key=None):
-    """ Returns a copy of this manifest, with the tag changed to the given tag name. """
-    builder = DockerSchema1ManifestBuilder(self._namespace, self._repo_name, tag_name,
-                                           self._architecture)
-    for layer in reversed(self.layers):
-      builder.add_layer(str(layer.digest), layer.raw_v1_metadata)
+    def with_tag_name(self, tag_name, json_web_key=None):
+        """ Returns a copy of this manifest, with the tag changed to the given tag name. """
+        builder = DockerSchema1ManifestBuilder(
+            self._namespace, self._repo_name, tag_name, self._architecture
+        )
+        for layer in reversed(self.layers):
+            builder.add_layer(str(layer.digest), layer.raw_v1_metadata)
 
-    return builder.build(json_web_key)
+        return builder.build(json_web_key)
 
-  def _generate_layers(self, allow_missing_ids=False):
-    """
+    def _generate_layers(self, allow_missing_ids=False):
+        """
     Returns a generator of objects that have the blobSum and v1Compatibility keys in them,
     starting from the base image and working toward the leaf node.
     """
-    for blob_sum_obj, history_obj in reversed(zip(self._parsed[DOCKER_SCHEMA1_FS_LAYERS_KEY],
-                                                  self._parsed[DOCKER_SCHEMA1_HISTORY_KEY])):
+        for blob_sum_obj, history_obj in reversed(
+            zip(
+                self._parsed[DOCKER_SCHEMA1_FS_LAYERS_KEY],
+                self._parsed[DOCKER_SCHEMA1_HISTORY_KEY],
+            )
+        ):
 
-      try:
-        image_digest = digest_tools.Digest.parse_digest(blob_sum_obj[DOCKER_SCHEMA1_BLOB_SUM_KEY])
-      except digest_tools.InvalidDigestException:
-        raise MalformedSchema1Manifest('could not parse manifest digest: %s' %
-                                       blob_sum_obj[DOCKER_SCHEMA1_BLOB_SUM_KEY])
+            try:
+                image_digest = digest_tools.Digest.parse_digest(
+                    blob_sum_obj[DOCKER_SCHEMA1_BLOB_SUM_KEY]
+                )
+            except digest_tools.InvalidDigestException:
+                raise MalformedSchema1Manifest(
+                    "could not parse manifest digest: %s"
+                    % blob_sum_obj[DOCKER_SCHEMA1_BLOB_SUM_KEY]
+                )
 
-      metadata_string = history_obj[DOCKER_SCHEMA1_V1_COMPAT_KEY]
+            metadata_string = history_obj[DOCKER_SCHEMA1_V1_COMPAT_KEY]
 
-      try:
-        v1_metadata = json.loads(metadata_string)
-      except (ValueError, TypeError):
-        raise MalformedSchema1Manifest('Could not parse metadata string: %s' % metadata_string)
+            try:
+                v1_metadata = json.loads(metadata_string)
+            except (ValueError, TypeError):
+                raise MalformedSchema1Manifest(
+                    "Could not parse metadata string: %s" % metadata_string
+                )
 
-      container_config = v1_metadata.get('container_config') or {}
-      command_list = container_config.get('Cmd', None)
-      command = to_canonical_json(command_list) if command_list else None
+            container_config = v1_metadata.get("container_config") or {}
+            command_list = container_config.get("Cmd", None)
+            command = to_canonical_json(command_list) if command_list else None
 
-      if not allow_missing_ids and not 'id' in v1_metadata:
-        raise MalformedSchema1Manifest('id field missing from v1Compatibility JSON')
+            if not allow_missing_ids and not "id" in v1_metadata:
+                raise MalformedSchema1Manifest(
+                    "id field missing from v1Compatibility JSON"
+                )
 
-      labels = v1_metadata.get('config', {}).get('Labels', {}) or {}
-      extracted = Schema1V1Metadata(image_id=v1_metadata.get('id'),
-                                    parent_image_id=v1_metadata.get('parent'),
-                                    created=v1_metadata.get('created'),
-                                    comment=v1_metadata.get('comment'),
-                                    author=v1_metadata.get('author'),
-                                    command=command,
-                                    labels=labels)
+            labels = v1_metadata.get("config", {}).get("Labels", {}) or {}
+            extracted = Schema1V1Metadata(
+                image_id=v1_metadata.get("id"),
+                parent_image_id=v1_metadata.get("parent"),
+                created=v1_metadata.get("created"),
+                comment=v1_metadata.get("comment"),
+                author=v1_metadata.get("author"),
+                command=command,
+                labels=labels,
+            )
 
-      compressed_size = v1_metadata.get('Size')
-      yield Schema1Layer(image_digest, extracted, metadata_string, compressed_size, False, None)
+            compressed_size = v1_metadata.get("Size")
+            yield Schema1Layer(
+                image_digest, extracted, metadata_string, compressed_size, False, None
+            )
 
-  @property
-  def _payload(self):
-    if self._signatures is None:
-      return self._bytes.as_encoded_str()
+    @property
+    def _payload(self):
+        if self._signatures is None:
+            return self._bytes.as_encoded_str()
 
-    byte_data = self._bytes.as_encoded_str()
-    protected = str(self._signatures[0][DOCKER_SCHEMA1_PROTECTED_KEY])
-    parsed_protected = json.loads(base64url_decode(protected))
-    signed_content_head = byte_data[:parsed_protected[DOCKER_SCHEMA1_FORMAT_LENGTH_KEY]]
-    signed_content_tail = base64url_decode(str(parsed_protected[DOCKER_SCHEMA1_FORMAT_TAIL_KEY]))
-    return signed_content_head + signed_content_tail
+        byte_data = self._bytes.as_encoded_str()
+        protected = str(self._signatures[0][DOCKER_SCHEMA1_PROTECTED_KEY])
+        parsed_protected = json.loads(base64url_decode(protected))
+        signed_content_head = byte_data[
+            : parsed_protected[DOCKER_SCHEMA1_FORMAT_LENGTH_KEY]
+        ]
+        signed_content_tail = base64url_decode(
+            str(parsed_protected[DOCKER_SCHEMA1_FORMAT_TAIL_KEY])
+        )
+        return signed_content_head + signed_content_tail
 
-  def generate_legacy_layers(self, images_map, content_retriever):
-    return self.rewrite_invalid_image_ids(images_map)
+    def generate_legacy_layers(self, images_map, content_retriever):
+        return self.rewrite_invalid_image_ids(images_map)
 
-  def get_legacy_image_ids(self, content_retriever):
-    return self.legacy_image_ids
+    def get_legacy_image_ids(self, content_retriever):
+        return self.legacy_image_ids
 
-  @property
-  def legacy_image_ids(self):
-    return {mdata.v1_metadata.image_id for mdata in self.layers}
+    @property
+    def legacy_image_ids(self):
+        return {mdata.v1_metadata.image_id for mdata in self.layers}
 
-  @property
-  def has_legacy_image(self):
-    return True
+    @property
+    def has_legacy_image(self):
+        return True
 
-  @property
-  def leaf_layer_v1_image_id(self):
-    return self.layers[-1].v1_metadata.image_id
+    @property
+    def leaf_layer_v1_image_id(self):
+        return self.layers[-1].v1_metadata.image_id
 
-  def get_leaf_layer_v1_image_id(self, content_retriever):
-    return self.layers[-1].v1_metadata.image_id
+    def get_leaf_layer_v1_image_id(self, content_retriever):
+        return self.layers[-1].v1_metadata.image_id
 
-  def get_schema1_manifest(self, namespace_name, repo_name, tag_name, content_retriever):
-    """ Returns the manifest that is compatible with V1, by virtue of being `amd64` and `linux`.
+    def get_schema1_manifest(
+        self, namespace_name, repo_name, tag_name, content_retriever
+    ):
+        """ Returns the manifest that is compatible with V1, by virtue of being `amd64` and `linux`.
         If none, returns None.
     """
-    # Note: schema1 *technically* supports non-amd64 architectures, but in practice these were never
-    # used, so to ensure full backwards compatibility, we just always return the schema.
-    return self
+        # Note: schema1 *technically* supports non-amd64 architectures, but in practice these were never
+        # used, so to ensure full backwards compatibility, we just always return the schema.
+        return self
 
-  def convert_manifest(self, allowed_mediatypes, namespace_name, repo_name, tag_name,
-                       content_retriever):
-    if self.media_type in allowed_mediatypes:
-      return self
+    def convert_manifest(
+        self, allowed_mediatypes, namespace_name, repo_name, tag_name, content_retriever
+    ):
+        if self.media_type in allowed_mediatypes:
+            return self
 
-    unsigned = self.unsigned()
-    if unsigned.media_type in allowed_mediatypes:
-      return unsigned
+        unsigned = self.unsigned()
+        if unsigned.media_type in allowed_mediatypes:
+            return unsigned
 
-    return None
+        return None
 
-  def rewrite_invalid_image_ids(self, images_map):
-    """
+    def rewrite_invalid_image_ids(self, images_map):
+        """
     Rewrites Docker v1 image IDs and returns a generator of DockerV1Metadata.
 
     If Docker gives us a layer with a v1 image ID that already points to existing
@@ -486,198 +542,215 @@ class DockerSchema1Manifest(ManifestInterface):
     to something new in order to ensure consistency.
     """
 
-    # Used to synthesize a new "content addressable" image id
-    digest_history = hashlib.sha256()
-    has_rewritten_ids = False
-    updated_id_map = {}
+        # Used to synthesize a new "content addressable" image id
+        digest_history = hashlib.sha256()
+        has_rewritten_ids = False
+        updated_id_map = {}
 
-    for layer in self.layers:
-      digest_str = str(layer.digest)
-      extracted_v1_metadata = layer.v1_metadata
-      working_image_id = extracted_v1_metadata.image_id
+        for layer in self.layers:
+            digest_str = str(layer.digest)
+            extracted_v1_metadata = layer.v1_metadata
+            working_image_id = extracted_v1_metadata.image_id
 
-      # Update our digest_history hash for the new layer data.
-      digest_history.update(digest_str)
-      digest_history.update("@")
-      digest_history.update(layer.raw_v1_metadata.encode('utf-8'))
-      digest_history.update("|")
+            # Update our digest_history hash for the new layer data.
+            digest_history.update(digest_str)
+            digest_history.update("@")
+            digest_history.update(layer.raw_v1_metadata.encode("utf-8"))
+            digest_history.update("|")
 
-      # Ensure that the v1 image's storage matches the V2 blob. If not, we've
-      # found a data inconsistency and need to create a new layer ID for the V1
-      # image, and all images that follow it in the ancestry chain.
-      digest_mismatch = (extracted_v1_metadata.image_id in images_map and
-                         images_map[extracted_v1_metadata.image_id].content_checksum != digest_str)
-      if digest_mismatch or has_rewritten_ids:
-        working_image_id = digest_history.hexdigest()
-        has_rewritten_ids = True
+            # Ensure that the v1 image's storage matches the V2 blob. If not, we've
+            # found a data inconsistency and need to create a new layer ID for the V1
+            # image, and all images that follow it in the ancestry chain.
+            digest_mismatch = (
+                extracted_v1_metadata.image_id in images_map
+                and images_map[extracted_v1_metadata.image_id].content_checksum
+                != digest_str
+            )
+            if digest_mismatch or has_rewritten_ids:
+                working_image_id = digest_history.hexdigest()
+                has_rewritten_ids = True
 
-      # Store the new docker id in the map
-      updated_id_map[extracted_v1_metadata.image_id] = working_image_id
+            # Store the new docker id in the map
+            updated_id_map[extracted_v1_metadata.image_id] = working_image_id
 
-      # Lookup the parent image for the layer, if any.
-      parent_image_id = extracted_v1_metadata.parent_image_id
-      if parent_image_id is not None:
-        parent_image_id = updated_id_map.get(parent_image_id, parent_image_id)
+            # Lookup the parent image for the layer, if any.
+            parent_image_id = extracted_v1_metadata.parent_image_id
+            if parent_image_id is not None:
+                parent_image_id = updated_id_map.get(parent_image_id, parent_image_id)
 
-      # Synthesize and store the v1 metadata in the db.
-      v1_metadata_json = layer.raw_v1_metadata
-      if has_rewritten_ids:
-        v1_metadata_json = _updated_v1_metadata(v1_metadata_json, updated_id_map)
+            # Synthesize and store the v1 metadata in the db.
+            v1_metadata_json = layer.raw_v1_metadata
+            if has_rewritten_ids:
+                v1_metadata_json = _updated_v1_metadata(
+                    v1_metadata_json, updated_id_map
+                )
 
-      updated_image = DockerV1Metadata(
-        namespace_name=self.namespace,
-        repo_name=self.repo_name,
-        image_id=working_image_id,
-        created=extracted_v1_metadata.created,
-        comment=extracted_v1_metadata.comment,
-        author=extracted_v1_metadata.author,
-        command=extracted_v1_metadata.command,
-        compat_json=v1_metadata_json,
-        parent_image_id=parent_image_id,
-        checksum=None, # TODO: Check if we need this.
-        content_checksum=digest_str,
-      )
+            updated_image = DockerV1Metadata(
+                namespace_name=self.namespace,
+                repo_name=self.repo_name,
+                image_id=working_image_id,
+                created=extracted_v1_metadata.created,
+                comment=extracted_v1_metadata.comment,
+                author=extracted_v1_metadata.author,
+                command=extracted_v1_metadata.command,
+                compat_json=v1_metadata_json,
+                parent_image_id=parent_image_id,
+                checksum=None,  # TODO: Check if we need this.
+                content_checksum=digest_str,
+            )
 
-      yield updated_image
+            yield updated_image
 
 
 class DockerSchema1ManifestBuilder(object):
-  """
+    """
   A convenient abstraction around creating new DockerSchema1Manifests.
   """
-  def __init__(self, namespace_name, repo_name, tag, architecture='amd64'):
-    repo_name_key = '{0}/{1}'.format(namespace_name, repo_name)
-    if namespace_name == '':
-      repo_name_key = repo_name
 
-    self._base_payload = {
-      DOCKER_SCHEMA1_REPO_TAG_KEY: tag,
-      DOCKER_SCHEMA1_REPO_NAME_KEY: repo_name_key,
-      DOCKER_SCHEMA1_ARCH_KEY: architecture,
-      DOCKER_SCHEMA1_SCHEMA_VER_KEY: 1,
-    }
+    def __init__(self, namespace_name, repo_name, tag, architecture="amd64"):
+        repo_name_key = "{0}/{1}".format(namespace_name, repo_name)
+        if namespace_name == "":
+            repo_name_key = repo_name
 
-    self._fs_layer_digests = []
-    self._history = []
-    self._namespace_name = namespace_name
-    self._repo_name = repo_name
-    self._tag = tag
-    self._architecture = architecture
+        self._base_payload = {
+            DOCKER_SCHEMA1_REPO_TAG_KEY: tag,
+            DOCKER_SCHEMA1_REPO_NAME_KEY: repo_name_key,
+            DOCKER_SCHEMA1_ARCH_KEY: architecture,
+            DOCKER_SCHEMA1_SCHEMA_VER_KEY: 1,
+        }
 
-  def add_layer(self, layer_digest, v1_json_metadata):
-    self._fs_layer_digests.append({
-      DOCKER_SCHEMA1_BLOB_SUM_KEY: layer_digest,
-    })
-    self._history.append({
-      DOCKER_SCHEMA1_V1_COMPAT_KEY: v1_json_metadata or '{}',
-    })
-    return self
+        self._fs_layer_digests = []
+        self._history = []
+        self._namespace_name = namespace_name
+        self._repo_name = repo_name
+        self._tag = tag
+        self._architecture = architecture
 
-  def with_metadata_removed(self):
-    """ Returns a copy of the builder where every layer but the leaf layer has
+    def add_layer(self, layer_digest, v1_json_metadata):
+        self._fs_layer_digests.append({DOCKER_SCHEMA1_BLOB_SUM_KEY: layer_digest})
+        self._history.append({DOCKER_SCHEMA1_V1_COMPAT_KEY: v1_json_metadata or "{}"})
+        return self
+
+    def with_metadata_removed(self):
+        """ Returns a copy of the builder where every layer but the leaf layer has
         its metadata stripped down to the bare essentials.
     """
-    builder = DockerSchema1ManifestBuilder(self._namespace_name, self._repo_name, self._tag,
-                                           self._architecture)
+        builder = DockerSchema1ManifestBuilder(
+            self._namespace_name, self._repo_name, self._tag, self._architecture
+        )
 
-    for index, fs_layer in enumerate(self._fs_layer_digests):
-      try:
-        metadata = json.loads(self._history[index][DOCKER_SCHEMA1_V1_COMPAT_KEY])
-      except (ValueError, TypeError):
-        logger.exception('Could not parse existing builder')
-        raise MalformedSchema1Manifest
+        for index, fs_layer in enumerate(self._fs_layer_digests):
+            try:
+                metadata = json.loads(
+                    self._history[index][DOCKER_SCHEMA1_V1_COMPAT_KEY]
+                )
+            except (ValueError, TypeError):
+                logger.exception("Could not parse existing builder")
+                raise MalformedSchema1Manifest
 
-      fixed_metadata = {}
-      if index == 0: # Leaf layer is at index 0 in schema 1.
-        fixed_metadata = metadata
-      else:
-        # Remove all container config from the metadata.
-        fixed_metadata['id'] = metadata['id']
-        if 'parent' in metadata:
-          fixed_metadata['parent'] = metadata['parent']
+            fixed_metadata = {}
+            if index == 0:  # Leaf layer is at index 0 in schema 1.
+                fixed_metadata = metadata
+            else:
+                # Remove all container config from the metadata.
+                fixed_metadata["id"] = metadata["id"]
+                if "parent" in metadata:
+                    fixed_metadata["parent"] = metadata["parent"]
 
-        if 'created' in metadata:
-          fixed_metadata['created'] = metadata['created']
+                if "created" in metadata:
+                    fixed_metadata["created"] = metadata["created"]
 
-        if 'author' in metadata:
-          fixed_metadata['author'] = metadata['author']
+                if "author" in metadata:
+                    fixed_metadata["author"] = metadata["author"]
 
-        if 'comment' in metadata:
-          fixed_metadata['comment'] = metadata['comment']
+                if "comment" in metadata:
+                    fixed_metadata["comment"] = metadata["comment"]
 
-        if 'Size' in metadata:
-          fixed_metadata['Size'] = metadata['Size']
+                if "Size" in metadata:
+                    fixed_metadata["Size"] = metadata["Size"]
 
-        if 'Cmd' in metadata.get('container_config', {}):
-          fixed_metadata['container_config'] = {
-            'Cmd': metadata['container_config']['Cmd'],
-          }
+                if "Cmd" in metadata.get("container_config", {}):
+                    fixed_metadata["container_config"] = {
+                        "Cmd": metadata["container_config"]["Cmd"]
+                    }
 
-      builder.add_layer(fs_layer[DOCKER_SCHEMA1_BLOB_SUM_KEY], json.dumps(fixed_metadata))
+            builder.add_layer(
+                fs_layer[DOCKER_SCHEMA1_BLOB_SUM_KEY], json.dumps(fixed_metadata)
+            )
 
-    return builder
+        return builder
 
-  def build(self, json_web_key=None, ensure_ascii=True):
-    """
+    def build(self, json_web_key=None, ensure_ascii=True):
+        """
     Builds a DockerSchema1Manifest object, with optional signature.
     """
-    payload = OrderedDict(self._base_payload)
-    payload.update({
-      DOCKER_SCHEMA1_HISTORY_KEY: self._history,
-      DOCKER_SCHEMA1_FS_LAYERS_KEY: self._fs_layer_digests,
-    })
+        payload = OrderedDict(self._base_payload)
+        payload.update(
+            {
+                DOCKER_SCHEMA1_HISTORY_KEY: self._history,
+                DOCKER_SCHEMA1_FS_LAYERS_KEY: self._fs_layer_digests,
+            }
+        )
 
-    payload_str = json.dumps(payload, indent=3, ensure_ascii=ensure_ascii)
-    if json_web_key is None:
-      return DockerSchema1Manifest(Bytes.for_string_or_unicode(payload_str))
+        payload_str = json.dumps(payload, indent=3, ensure_ascii=ensure_ascii)
+        if json_web_key is None:
+            return DockerSchema1Manifest(Bytes.for_string_or_unicode(payload_str))
 
-    payload_str = Bytes.for_string_or_unicode(payload_str).as_encoded_str()
-    split_point = payload_str.rfind('\n}')
+        payload_str = Bytes.for_string_or_unicode(payload_str).as_encoded_str()
+        split_point = payload_str.rfind("\n}")
 
-    protected_payload = {
-      'formatTail': base64url_encode(payload_str[split_point:]),
-      'formatLength': split_point,
-      'time': datetime.utcnow().strftime(_ISO_DATETIME_FORMAT_ZULU),
-    }
-    protected = base64url_encode(json.dumps(protected_payload, ensure_ascii=ensure_ascii))
-    logger.debug('Generated protected block: %s', protected)
+        protected_payload = {
+            "formatTail": base64url_encode(payload_str[split_point:]),
+            "formatLength": split_point,
+            "time": datetime.utcnow().strftime(_ISO_DATETIME_FORMAT_ZULU),
+        }
+        protected = base64url_encode(
+            json.dumps(protected_payload, ensure_ascii=ensure_ascii)
+        )
+        logger.debug("Generated protected block: %s", protected)
 
-    bytes_to_sign = '{0}.{1}'.format(protected, base64url_encode(payload_str))
+        bytes_to_sign = "{0}.{1}".format(protected, base64url_encode(payload_str))
 
-    signer = SIGNER_ALGS[_JWS_SIGNING_ALGORITHM]
-    signature = base64url_encode(signer.sign(bytes_to_sign, json_web_key.get_key()))
-    logger.debug('Generated signature: %s', signature)
+        signer = SIGNER_ALGS[_JWS_SIGNING_ALGORITHM]
+        signature = base64url_encode(signer.sign(bytes_to_sign, json_web_key.get_key()))
+        logger.debug("Generated signature: %s", signature)
 
-    public_members = set(json_web_key.public_members)
-    public_key = {comp: value for comp, value in json_web_key.to_dict().items()
-                  if comp in public_members}
+        public_members = set(json_web_key.public_members)
+        public_key = {
+            comp: value
+            for comp, value in json_web_key.to_dict().items()
+            if comp in public_members
+        }
 
-    signature_block = {
-      DOCKER_SCHEMA1_HEADER_KEY: {'jwk': public_key, 'alg': _JWS_SIGNING_ALGORITHM},
-      DOCKER_SCHEMA1_SIGNATURE_KEY: signature,
-      DOCKER_SCHEMA1_PROTECTED_KEY: protected,
-    }
+        signature_block = {
+            DOCKER_SCHEMA1_HEADER_KEY: {
+                "jwk": public_key,
+                "alg": _JWS_SIGNING_ALGORITHM,
+            },
+            DOCKER_SCHEMA1_SIGNATURE_KEY: signature,
+            DOCKER_SCHEMA1_PROTECTED_KEY: protected,
+        }
 
-    logger.debug('Encoded signature block: %s', json.dumps(signature_block))
-    payload.update({DOCKER_SCHEMA1_SIGNATURES_KEY: [signature_block]})
+        logger.debug("Encoded signature block: %s", json.dumps(signature_block))
+        payload.update({DOCKER_SCHEMA1_SIGNATURES_KEY: [signature_block]})
 
-    json_str = json.dumps(payload, indent=3, ensure_ascii=ensure_ascii)
-    return DockerSchema1Manifest(Bytes.for_string_or_unicode(json_str))
+        json_str = json.dumps(payload, indent=3, ensure_ascii=ensure_ascii)
+        return DockerSchema1Manifest(Bytes.for_string_or_unicode(json_str))
 
 
 def _updated_v1_metadata(v1_metadata_json, updated_id_map):
-  """
+    """
   Updates v1_metadata with new image IDs.
   """
-  parsed = json.loads(v1_metadata_json)
-  parsed['id'] = updated_id_map[parsed['id']]
+    parsed = json.loads(v1_metadata_json)
+    parsed["id"] = updated_id_map[parsed["id"]]
 
-  if parsed.get('parent') and parsed['parent'] in updated_id_map:
-    parsed['parent'] = updated_id_map[parsed['parent']]
+    if parsed.get("parent") and parsed["parent"] in updated_id_map:
+        parsed["parent"] = updated_id_map[parsed["parent"]]
 
-  if parsed.get('container_config', {}).get('Image'):
-    existing_image = parsed['container_config']['Image']
-    if existing_image in updated_id_map:
-      parsed['container_config']['image'] = updated_id_map[existing_image]
+    if parsed.get("container_config", {}).get("Image"):
+        existing_image = parsed["container_config"]["Image"]
+        if existing_image in updated_id_map:
+            parsed["container_config"]["image"] = updated_id_map[existing_image]
 
-  return to_canonical_json(parsed)
+    return to_canonical_json(parsed)
diff --git a/image/docker/schema2/__init__.py b/image/docker/schema2/__init__.py
index 8477596ae..c60eb60e7 100644
--- a/image/docker/schema2/__init__.py
+++ b/image/docker/schema2/__init__.py
@@ -5,26 +5,71 @@ https://github.com/docker/distribution/blob/master/docs/spec/manifest-v2-2.md
 """
 
 # Content Types
-DOCKER_SCHEMA2_MANIFEST_CONTENT_TYPE = 'application/vnd.docker.distribution.manifest.v2+json'
-DOCKER_SCHEMA2_MANIFESTLIST_CONTENT_TYPE = 'application/vnd.docker.distribution.manifest.list.v2+json'
+DOCKER_SCHEMA2_MANIFEST_CONTENT_TYPE = (
+    "application/vnd.docker.distribution.manifest.v2+json"
+)
+DOCKER_SCHEMA2_MANIFESTLIST_CONTENT_TYPE = (
+    "application/vnd.docker.distribution.manifest.list.v2+json"
+)
 
-DOCKER_SCHEMA2_LAYER_CONTENT_TYPE = 'application/vnd.docker.image.rootfs.diff.tar.gzip'
-DOCKER_SCHEMA2_REMOTE_LAYER_CONTENT_TYPE = 'application/vnd.docker.image.rootfs.foreign.diff.tar.gzip'
+DOCKER_SCHEMA2_LAYER_CONTENT_TYPE = "application/vnd.docker.image.rootfs.diff.tar.gzip"
+DOCKER_SCHEMA2_REMOTE_LAYER_CONTENT_TYPE = (
+    "application/vnd.docker.image.rootfs.foreign.diff.tar.gzip"
+)
 
-DOCKER_SCHEMA2_CONFIG_CONTENT_TYPE = 'application/vnd.docker.container.image.v1+json'
+DOCKER_SCHEMA2_CONFIG_CONTENT_TYPE = "application/vnd.docker.container.image.v1+json"
 
-OCI_MANIFEST_CONTENT_TYPE = 'application/vnd.oci.image.manifest.v1+json'
-OCI_MANIFESTLIST_CONTENT_TYPE = 'application/vnd.oci.image.index.v1+json'
+OCI_MANIFEST_CONTENT_TYPE = "application/vnd.oci.image.manifest.v1+json"
+OCI_MANIFESTLIST_CONTENT_TYPE = "application/vnd.oci.image.index.v1+json"
 
-DOCKER_SCHEMA2_CONTENT_TYPES = {DOCKER_SCHEMA2_MANIFEST_CONTENT_TYPE,
-                                DOCKER_SCHEMA2_MANIFESTLIST_CONTENT_TYPE}
+DOCKER_SCHEMA2_CONTENT_TYPES = {
+    DOCKER_SCHEMA2_MANIFEST_CONTENT_TYPE,
+    DOCKER_SCHEMA2_MANIFESTLIST_CONTENT_TYPE,
+}
 OCI_CONTENT_TYPES = {OCI_MANIFEST_CONTENT_TYPE, OCI_MANIFESTLIST_CONTENT_TYPE}
 
 # The magical digest to be used for "empty" layers.
 # https://github.com/docker/distribution/blob/749f6afb4572201e3c37325d0ffedb6f32be8950/manifest/schema1/config_builder.go#L22
-EMPTY_LAYER_BLOB_DIGEST = 'sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4'
+EMPTY_LAYER_BLOB_DIGEST = (
+    "sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4"
+)
 EMPTY_LAYER_SIZE = 32
-EMPTY_LAYER_BYTES = "".join(map(chr, [
-  31, 139, 8, 0, 0, 9, 110, 136, 0, 255, 98, 24, 5, 163, 96, 20, 140, 88,
-  0, 8, 0, 0, 255, 255, 46, 175, 181, 239, 0, 4, 0, 0,
-]))
+EMPTY_LAYER_BYTES = "".join(
+    map(
+        chr,
+        [
+            31,
+            139,
+            8,
+            0,
+            0,
+            9,
+            110,
+            136,
+            0,
+            255,
+            98,
+            24,
+            5,
+            163,
+            96,
+            20,
+            140,
+            88,
+            0,
+            8,
+            0,
+            0,
+            255,
+            255,
+            46,
+            175,
+            181,
+            239,
+            0,
+            4,
+            0,
+            0,
+        ],
+    )
+)
diff --git a/image/docker/schema2/config.py b/image/docker/schema2/config.py
index c5b14862f..91b9330bf 100644
--- a/image/docker/schema2/config.py
+++ b/image/docker/schema2/config.py
@@ -115,161 +115,181 @@ DOCKER_SCHEMA2_CONFIG_EMPTY_LAYER_KEY = "empty_layer"
 DOCKER_SCHEMA2_CONFIG_TYPE_KEY = "type"
 
 
-LayerHistory = namedtuple('LayerHistory', ['created', 'created_datetime', 'command', 'is_empty',
-                                           'author', 'comment', 'raw_entry'])
+LayerHistory = namedtuple(
+    "LayerHistory",
+    [
+        "created",
+        "created_datetime",
+        "command",
+        "is_empty",
+        "author",
+        "comment",
+        "raw_entry",
+    ],
+)
 
 
 class MalformedSchema2Config(ManifestException):
-  """
+    """
   Raised when a config fails an assertion that should be true according to the Docker Manifest
   v2.2 Config Specification.
   """
-  pass
+
+    pass
 
 
 class DockerSchema2Config(object):
-  METASCHEMA = {
-    'type': 'object',
-    'description': 'The container configuration found in a schema 2 manifest',
-    'required': [DOCKER_SCHEMA2_CONFIG_HISTORY_KEY, DOCKER_SCHEMA2_CONFIG_ROOTFS_KEY],
-    'properties': {
-      DOCKER_SCHEMA2_CONFIG_HISTORY_KEY: {
-        'type': 'array',
-        'description': 'The history used to create the container image',
-        'items': {
-          'type': 'object',
-          'properties': {
-            DOCKER_SCHEMA2_CONFIG_EMPTY_LAYER_KEY: {
-              'type': 'boolean',
-              'description': 'If present, this layer is empty',
+    METASCHEMA = {
+        "type": "object",
+        "description": "The container configuration found in a schema 2 manifest",
+        "required": [
+            DOCKER_SCHEMA2_CONFIG_HISTORY_KEY,
+            DOCKER_SCHEMA2_CONFIG_ROOTFS_KEY,
+        ],
+        "properties": {
+            DOCKER_SCHEMA2_CONFIG_HISTORY_KEY: {
+                "type": "array",
+                "description": "The history used to create the container image",
+                "items": {
+                    "type": "object",
+                    "properties": {
+                        DOCKER_SCHEMA2_CONFIG_EMPTY_LAYER_KEY: {
+                            "type": "boolean",
+                            "description": "If present, this layer is empty",
+                        },
+                        DOCKER_SCHEMA2_CONFIG_CREATED_KEY: {
+                            "type": "string",
+                            "description": "The date/time that the layer was created",
+                            "format": "date-time",
+                            "x-example": "2018-04-03T18:37:09.284840891Z",
+                        },
+                        DOCKER_SCHEMA2_CONFIG_CREATED_BY_KEY: {
+                            "type": "string",
+                            "description": "The command used to create the layer",
+                            "x-example": "\/bin\/sh -c #(nop) ADD file:somesha in /",
+                        },
+                        DOCKER_SCHEMA2_CONFIG_COMMENT_KEY: {
+                            "type": "string",
+                            "description": "Comment describing the layer",
+                        },
+                        DOCKER_SCHEMA2_CONFIG_AUTHOR_KEY: {
+                            "type": "string",
+                            "description": "The author of the layer",
+                        },
+                    },
+                    "additionalProperties": True,
+                },
             },
-            DOCKER_SCHEMA2_CONFIG_CREATED_KEY: {
-              'type': 'string',
-              'description': 'The date/time that the layer was created',
-              'format': 'date-time',
-              'x-example': '2018-04-03T18:37:09.284840891Z',
+            DOCKER_SCHEMA2_CONFIG_ROOTFS_KEY: {
+                "type": "object",
+                "description": "Describes the root filesystem for this image",
+                "properties": {
+                    DOCKER_SCHEMA2_CONFIG_TYPE_KEY: {
+                        "type": "string",
+                        "description": "The type of the root file system entries",
+                    }
+                },
+                "required": [DOCKER_SCHEMA2_CONFIG_TYPE_KEY],
+                "additionalProperties": True,
             },
-            DOCKER_SCHEMA2_CONFIG_CREATED_BY_KEY: {
-              'type': 'string',
-              'description': 'The command used to create the layer',
-              'x-example': '\/bin\/sh -c #(nop) ADD file:somesha in /',
-            },
-            DOCKER_SCHEMA2_CONFIG_COMMENT_KEY: {
-              'type': 'string',
-              'description': 'Comment describing the layer',
-            },
-            DOCKER_SCHEMA2_CONFIG_AUTHOR_KEY: {
-              'type': 'string',
-              'description': 'The author of the layer',
-            },
-          },
-          'additionalProperties': True,
         },
-      },
-      DOCKER_SCHEMA2_CONFIG_ROOTFS_KEY: {
-        'type': 'object',
-        'description': 'Describes the root filesystem for this image',
-        'properties': {
-          DOCKER_SCHEMA2_CONFIG_TYPE_KEY: {
-            'type': 'string',
-            'description': 'The type of the root file system entries',
-          },
-        },
-        'required': [DOCKER_SCHEMA2_CONFIG_TYPE_KEY],
-        'additionalProperties': True,
-      },
-    },
-    'additionalProperties': True,
-  }
+        "additionalProperties": True,
+    }
 
-  def __init__(self, config_bytes):
-    assert isinstance(config_bytes, Bytes)
+    def __init__(self, config_bytes):
+        assert isinstance(config_bytes, Bytes)
 
-    self._config_bytes = config_bytes
+        self._config_bytes = config_bytes
 
-    try:
-      self._parsed = json.loads(config_bytes.as_unicode())
-    except ValueError as ve:
-      raise MalformedSchema2Config('malformed config data: %s' % ve)
+        try:
+            self._parsed = json.loads(config_bytes.as_unicode())
+        except ValueError as ve:
+            raise MalformedSchema2Config("malformed config data: %s" % ve)
 
-    try:
-      validate_schema(self._parsed, DockerSchema2Config.METASCHEMA)
-    except ValidationError as ve:
-      raise MalformedSchema2Config('config data does not match schema: %s' % ve)
+        try:
+            validate_schema(self._parsed, DockerSchema2Config.METASCHEMA)
+        except ValidationError as ve:
+            raise MalformedSchema2Config("config data does not match schema: %s" % ve)
 
-  @property
-  def digest(self):
-    """ Returns the digest of this config object. """
-    return digest_tools.sha256_digest(self._config_bytes.as_encoded_str())
+    @property
+    def digest(self):
+        """ Returns the digest of this config object. """
+        return digest_tools.sha256_digest(self._config_bytes.as_encoded_str())
 
-  @property
-  def size(self):
-    """ Returns the size of this config object. """
-    return len(self._config_bytes.as_encoded_str())
+    @property
+    def size(self):
+        """ Returns the size of this config object. """
+        return len(self._config_bytes.as_encoded_str())
 
-  @property
-  def bytes(self):
-    """ Returns the bytes of this config object. """
-    return self._config_bytes
+    @property
+    def bytes(self):
+        """ Returns the bytes of this config object. """
+        return self._config_bytes
 
-  @property
-  def labels(self):
-    """ Returns a dictionary of all the labels defined in this configuration. """
-    return self._parsed.get('config', {}).get('Labels', {}) or {}
+    @property
+    def labels(self):
+        """ Returns a dictionary of all the labels defined in this configuration. """
+        return self._parsed.get("config", {}).get("Labels", {}) or {}
 
-  @property
-  def has_empty_layer(self):
-    """ Returns whether this config contains an empty layer. """
-    for history_entry in self._parsed[DOCKER_SCHEMA2_CONFIG_HISTORY_KEY]:
-      if history_entry.get(DOCKER_SCHEMA2_CONFIG_EMPTY_LAYER_KEY, False):
-        return True
+    @property
+    def has_empty_layer(self):
+        """ Returns whether this config contains an empty layer. """
+        for history_entry in self._parsed[DOCKER_SCHEMA2_CONFIG_HISTORY_KEY]:
+            if history_entry.get(DOCKER_SCHEMA2_CONFIG_EMPTY_LAYER_KEY, False):
+                return True
 
-    return False
+        return False
 
-  @property
-  def history(self):
-    """ Returns the history of the image, started at the base layer. """
-    for history_entry in self._parsed[DOCKER_SCHEMA2_CONFIG_HISTORY_KEY]:
-      created_datetime = parse_date(history_entry[DOCKER_SCHEMA2_CONFIG_CREATED_KEY])
-      yield LayerHistory(created_datetime=created_datetime,
-                         created=history_entry.get(DOCKER_SCHEMA2_CONFIG_CREATED_KEY),
-                         command=history_entry.get(DOCKER_SCHEMA2_CONFIG_CREATED_BY_KEY),
-                         author=history_entry.get(DOCKER_SCHEMA2_CONFIG_AUTHOR_KEY),
-                         comment=history_entry.get(DOCKER_SCHEMA2_CONFIG_COMMENT_KEY),
-                         is_empty=history_entry.get(DOCKER_SCHEMA2_CONFIG_EMPTY_LAYER_KEY, False),
-                         raw_entry=history_entry)
+    @property
+    def history(self):
+        """ Returns the history of the image, started at the base layer. """
+        for history_entry in self._parsed[DOCKER_SCHEMA2_CONFIG_HISTORY_KEY]:
+            created_datetime = parse_date(
+                history_entry[DOCKER_SCHEMA2_CONFIG_CREATED_KEY]
+            )
+            yield LayerHistory(
+                created_datetime=created_datetime,
+                created=history_entry.get(DOCKER_SCHEMA2_CONFIG_CREATED_KEY),
+                command=history_entry.get(DOCKER_SCHEMA2_CONFIG_CREATED_BY_KEY),
+                author=history_entry.get(DOCKER_SCHEMA2_CONFIG_AUTHOR_KEY),
+                comment=history_entry.get(DOCKER_SCHEMA2_CONFIG_COMMENT_KEY),
+                is_empty=history_entry.get(
+                    DOCKER_SCHEMA2_CONFIG_EMPTY_LAYER_KEY, False
+                ),
+                raw_entry=history_entry,
+            )
 
-  def build_v1_compatibility(self, history, v1_id, v1_parent_id, is_leaf, compressed_size=None):
-    """ Builds the V1 compatibility block for the given layer.
+    def build_v1_compatibility(
+        self, history, v1_id, v1_parent_id, is_leaf, compressed_size=None
+    ):
+        """ Builds the V1 compatibility block for the given layer.
     """
-    # If the layer is the leaf, it gets the full config (minus 2 fields). Otherwise, it gets only
-    # IDs.
-    v1_compatibility = copy.deepcopy(self._parsed) if is_leaf else {}
-    v1_compatibility['id'] = v1_id
-    if v1_parent_id is not None:
-      v1_compatibility['parent'] = v1_parent_id
+        # If the layer is the leaf, it gets the full config (minus 2 fields). Otherwise, it gets only
+        # IDs.
+        v1_compatibility = copy.deepcopy(self._parsed) if is_leaf else {}
+        v1_compatibility["id"] = v1_id
+        if v1_parent_id is not None:
+            v1_compatibility["parent"] = v1_parent_id
 
-    if 'created' not in v1_compatibility and history.created:
-      v1_compatibility['created'] = history.created
+        if "created" not in v1_compatibility and history.created:
+            v1_compatibility["created"] = history.created
 
-    if 'author' not in v1_compatibility and history.author:
-      v1_compatibility['author'] = history.author
+        if "author" not in v1_compatibility and history.author:
+            v1_compatibility["author"] = history.author
 
-    if 'comment' not in v1_compatibility and history.comment:
-      v1_compatibility['comment'] = history.comment
+        if "comment" not in v1_compatibility and history.comment:
+            v1_compatibility["comment"] = history.comment
 
-    if 'throwaway' not in v1_compatibility and history.is_empty:
-      v1_compatibility['throwaway'] = True
+        if "throwaway" not in v1_compatibility and history.is_empty:
+            v1_compatibility["throwaway"] = True
 
-    if 'container_config' not in v1_compatibility:
-      v1_compatibility['container_config'] = {
-        'Cmd': [history.command],
-      }
+        if "container_config" not in v1_compatibility:
+            v1_compatibility["container_config"] = {"Cmd": [history.command]}
 
-    if compressed_size is not None:
-      v1_compatibility['Size'] = compressed_size
+        if compressed_size is not None:
+            v1_compatibility["Size"] = compressed_size
 
-    # The history and rootfs keys are schema2-config specific.
-    v1_compatibility.pop(DOCKER_SCHEMA2_CONFIG_HISTORY_KEY, None)
-    v1_compatibility.pop(DOCKER_SCHEMA2_CONFIG_ROOTFS_KEY, None)
-    return v1_compatibility
+        # The history and rootfs keys are schema2-config specific.
+        v1_compatibility.pop(DOCKER_SCHEMA2_CONFIG_HISTORY_KEY, None)
+        v1_compatibility.pop(DOCKER_SCHEMA2_CONFIG_ROOTFS_KEY, None)
+        return v1_compatibility
diff --git a/image/docker/schema2/list.py b/image/docker/schema2/list.py
index bf1c52132..ab13c5b26 100644
--- a/image/docker/schema2/list.py
+++ b/image/docker/schema2/list.py
@@ -9,8 +9,10 @@ from image.docker import ManifestException
 from image.docker.interfaces import ManifestInterface
 from image.docker.schema1 import DOCKER_SCHEMA1_MANIFEST_CONTENT_TYPE
 from image.docker.schema1 import DockerSchema1Manifest
-from image.docker.schema2 import (DOCKER_SCHEMA2_MANIFESTLIST_CONTENT_TYPE,
-                                  DOCKER_SCHEMA2_MANIFEST_CONTENT_TYPE)
+from image.docker.schema2 import (
+    DOCKER_SCHEMA2_MANIFESTLIST_CONTENT_TYPE,
+    DOCKER_SCHEMA2_MANIFEST_CONTENT_TYPE,
+)
 from image.docker.schema2.manifest import DockerSchema2Manifest
 from util.bytes import Bytes
 
@@ -18,362 +20,413 @@ from util.bytes import Bytes
 logger = logging.getLogger(__name__)
 
 # Keys.
-DOCKER_SCHEMA2_MANIFESTLIST_VERSION_KEY = 'schemaVersion'
-DOCKER_SCHEMA2_MANIFESTLIST_MEDIATYPE_KEY = 'mediaType'
-DOCKER_SCHEMA2_MANIFESTLIST_SIZE_KEY = 'size'
-DOCKER_SCHEMA2_MANIFESTLIST_DIGEST_KEY = 'digest'
-DOCKER_SCHEMA2_MANIFESTLIST_MANIFESTS_KEY = 'manifests'
-DOCKER_SCHEMA2_MANIFESTLIST_PLATFORM_KEY = 'platform'
-DOCKER_SCHEMA2_MANIFESTLIST_ARCHITECTURE_KEY = 'architecture'
-DOCKER_SCHEMA2_MANIFESTLIST_OS_KEY = 'os'
-DOCKER_SCHEMA2_MANIFESTLIST_OS_VERSION_KEY = 'os.version'
-DOCKER_SCHEMA2_MANIFESTLIST_OS_FEATURES_KEY = 'os.features'
-DOCKER_SCHEMA2_MANIFESTLIST_FEATURES_KEY = 'features'
-DOCKER_SCHEMA2_MANIFESTLIST_VARIANT_KEY = 'variant'
+DOCKER_SCHEMA2_MANIFESTLIST_VERSION_KEY = "schemaVersion"
+DOCKER_SCHEMA2_MANIFESTLIST_MEDIATYPE_KEY = "mediaType"
+DOCKER_SCHEMA2_MANIFESTLIST_SIZE_KEY = "size"
+DOCKER_SCHEMA2_MANIFESTLIST_DIGEST_KEY = "digest"
+DOCKER_SCHEMA2_MANIFESTLIST_MANIFESTS_KEY = "manifests"
+DOCKER_SCHEMA2_MANIFESTLIST_PLATFORM_KEY = "platform"
+DOCKER_SCHEMA2_MANIFESTLIST_ARCHITECTURE_KEY = "architecture"
+DOCKER_SCHEMA2_MANIFESTLIST_OS_KEY = "os"
+DOCKER_SCHEMA2_MANIFESTLIST_OS_VERSION_KEY = "os.version"
+DOCKER_SCHEMA2_MANIFESTLIST_OS_FEATURES_KEY = "os.features"
+DOCKER_SCHEMA2_MANIFESTLIST_FEATURES_KEY = "features"
+DOCKER_SCHEMA2_MANIFESTLIST_VARIANT_KEY = "variant"
 
 
 class MalformedSchema2ManifestList(ManifestException):
-  """
+    """
   Raised when a manifest list fails an assertion that should be true according to the
   Docker Manifest v2.2 Specification.
   """
-  pass
+
+    pass
 
 
 class MismatchManifestException(MalformedSchema2ManifestList):
-  """ Raised when a manifest list contains a schema 1 manifest with a differing architecture
+    """ Raised when a manifest list contains a schema 1 manifest with a differing architecture
       from that specified in the manifest list for the manifest.
   """
-  pass
+
+    pass
 
 
 class LazyManifestLoader(object):
-  def __init__(self, manifest_data, content_retriever):
-    self._manifest_data = manifest_data
-    self._content_retriever = content_retriever
-    self._loaded_manifest = None
+    def __init__(self, manifest_data, content_retriever):
+        self._manifest_data = manifest_data
+        self._content_retriever = content_retriever
+        self._loaded_manifest = None
 
-  @property
-  def manifest_obj(self):
-    if self._loaded_manifest is not None:
-      return self._loaded_manifest
+    @property
+    def manifest_obj(self):
+        if self._loaded_manifest is not None:
+            return self._loaded_manifest
 
-    self._loaded_manifest = self._load_manifest()
-    return self._loaded_manifest
+        self._loaded_manifest = self._load_manifest()
+        return self._loaded_manifest
 
-  def _load_manifest(self):
-    digest = self._manifest_data[DOCKER_SCHEMA2_MANIFESTLIST_DIGEST_KEY]
-    size = self._manifest_data[DOCKER_SCHEMA2_MANIFESTLIST_SIZE_KEY]
-    manifest_bytes = self._content_retriever.get_manifest_bytes_with_digest(digest)
-    if manifest_bytes is None:
-      raise MalformedSchema2ManifestList('Could not find child manifest with digest `%s`' % digest)
+    def _load_manifest(self):
+        digest = self._manifest_data[DOCKER_SCHEMA2_MANIFESTLIST_DIGEST_KEY]
+        size = self._manifest_data[DOCKER_SCHEMA2_MANIFESTLIST_SIZE_KEY]
+        manifest_bytes = self._content_retriever.get_manifest_bytes_with_digest(digest)
+        if manifest_bytes is None:
+            raise MalformedSchema2ManifestList(
+                "Could not find child manifest with digest `%s`" % digest
+            )
 
-    if len(manifest_bytes) != size:
-      raise MalformedSchema2ManifestList('Size of manifest does not match that retrieved: %s vs %s',
-                                         len(manifest_bytes), size)
+        if len(manifest_bytes) != size:
+            raise MalformedSchema2ManifestList(
+                "Size of manifest does not match that retrieved: %s vs %s",
+                len(manifest_bytes),
+                size,
+            )
 
-    content_type = self._manifest_data[DOCKER_SCHEMA2_MANIFESTLIST_MEDIATYPE_KEY]
-    if content_type == DOCKER_SCHEMA2_MANIFEST_CONTENT_TYPE:
-      return DockerSchema2Manifest(Bytes.for_string_or_unicode(manifest_bytes))
+        content_type = self._manifest_data[DOCKER_SCHEMA2_MANIFESTLIST_MEDIATYPE_KEY]
+        if content_type == DOCKER_SCHEMA2_MANIFEST_CONTENT_TYPE:
+            return DockerSchema2Manifest(Bytes.for_string_or_unicode(manifest_bytes))
 
-    if content_type == DOCKER_SCHEMA1_MANIFEST_CONTENT_TYPE:
-      return DockerSchema1Manifest(Bytes.for_string_or_unicode(manifest_bytes), validate=False)
+        if content_type == DOCKER_SCHEMA1_MANIFEST_CONTENT_TYPE:
+            return DockerSchema1Manifest(
+                Bytes.for_string_or_unicode(manifest_bytes), validate=False
+            )
 
-    raise MalformedSchema2ManifestList('Unknown manifest content type')
+        raise MalformedSchema2ManifestList("Unknown manifest content type")
 
 
 class DockerSchema2ManifestList(ManifestInterface):
-  METASCHEMA = {
-    'type': 'object',
-    'properties': {
-      DOCKER_SCHEMA2_MANIFESTLIST_VERSION_KEY: {
-        'type': 'number',
-        'description': 'The version of the manifest list. Must always be `2`.',
-        'minimum': 2,
-        'maximum': 2,
-      },
-      DOCKER_SCHEMA2_MANIFESTLIST_MEDIATYPE_KEY: {
-        'type': 'string',
-        'description': 'The media type of the manifest list.',
-        'enum': [DOCKER_SCHEMA2_MANIFESTLIST_CONTENT_TYPE],
-      },
-      DOCKER_SCHEMA2_MANIFESTLIST_MANIFESTS_KEY: {
-        'type': 'array',
-        'description': 'The manifests field contains a list of manifests for specific platforms',
-        'items': {
-          'type': 'object',
-          'properties': {
+    METASCHEMA = {
+        "type": "object",
+        "properties": {
+            DOCKER_SCHEMA2_MANIFESTLIST_VERSION_KEY: {
+                "type": "number",
+                "description": "The version of the manifest list. Must always be `2`.",
+                "minimum": 2,
+                "maximum": 2,
+            },
             DOCKER_SCHEMA2_MANIFESTLIST_MEDIATYPE_KEY: {
-              'type': 'string',
-              'description': 'The MIME type of the referenced object. This will generally be ' +
-                             'application/vnd.docker.distribution.manifest.v2+json, but it ' +
-                             'could also be application/vnd.docker.distribution.manifest.v1+json ' +
-                             'if the manifest list references a legacy schema-1 manifest.',
-              'enum': [DOCKER_SCHEMA2_MANIFEST_CONTENT_TYPE, DOCKER_SCHEMA1_MANIFEST_CONTENT_TYPE],
+                "type": "string",
+                "description": "The media type of the manifest list.",
+                "enum": [DOCKER_SCHEMA2_MANIFESTLIST_CONTENT_TYPE],
             },
-            DOCKER_SCHEMA2_MANIFESTLIST_SIZE_KEY: {
-              'type': 'number',
-              'description': 'The size in bytes of the object. This field exists so that a ' +
-                             'client will have an expected size for the content before ' +
-                             'validating. If the length of the retrieved content does not ' +
-                             'match the specified length, the content should not be trusted.',
+            DOCKER_SCHEMA2_MANIFESTLIST_MANIFESTS_KEY: {
+                "type": "array",
+                "description": "The manifests field contains a list of manifests for specific platforms",
+                "items": {
+                    "type": "object",
+                    "properties": {
+                        DOCKER_SCHEMA2_MANIFESTLIST_MEDIATYPE_KEY: {
+                            "type": "string",
+                            "description": "The MIME type of the referenced object. This will generally be "
+                            + "application/vnd.docker.distribution.manifest.v2+json, but it "
+                            + "could also be application/vnd.docker.distribution.manifest.v1+json "
+                            + "if the manifest list references a legacy schema-1 manifest.",
+                            "enum": [
+                                DOCKER_SCHEMA2_MANIFEST_CONTENT_TYPE,
+                                DOCKER_SCHEMA1_MANIFEST_CONTENT_TYPE,
+                            ],
+                        },
+                        DOCKER_SCHEMA2_MANIFESTLIST_SIZE_KEY: {
+                            "type": "number",
+                            "description": "The size in bytes of the object. This field exists so that a "
+                            + "client will have an expected size for the content before "
+                            + "validating. If the length of the retrieved content does not "
+                            + "match the specified length, the content should not be trusted.",
+                        },
+                        DOCKER_SCHEMA2_MANIFESTLIST_DIGEST_KEY: {
+                            "type": "string",
+                            "description": "The content addressable digest of the manifest in the blob store",
+                        },
+                        DOCKER_SCHEMA2_MANIFESTLIST_PLATFORM_KEY: {
+                            "type": "object",
+                            "description": "The platform object describes the platform which the image in "
+                            + "the manifest runs on",
+                            "properties": {
+                                DOCKER_SCHEMA2_MANIFESTLIST_ARCHITECTURE_KEY: {
+                                    "type": "string",
+                                    "description": "Specifies the CPU architecture, for example amd64 or ppc64le.",
+                                },
+                                DOCKER_SCHEMA2_MANIFESTLIST_OS_KEY: {
+                                    "type": "string",
+                                    "description": "Specifies the operating system, for example linux or windows",
+                                },
+                                DOCKER_SCHEMA2_MANIFESTLIST_OS_VERSION_KEY: {
+                                    "type": "string",
+                                    "description": "Specifies the operating system version, for example 10.0.10586",
+                                },
+                                DOCKER_SCHEMA2_MANIFESTLIST_OS_FEATURES_KEY: {
+                                    "type": "array",
+                                    "description": "specifies an array of strings, each listing a required OS "
+                                    + "feature (for example on Windows win32k)",
+                                    "items": {"type": "string"},
+                                },
+                                DOCKER_SCHEMA2_MANIFESTLIST_VARIANT_KEY: {
+                                    "type": "string",
+                                    "description": "Specifies a variant of the CPU, for example armv6l to specify "
+                                    + "a particular CPU variant of the ARM CPU",
+                                },
+                                DOCKER_SCHEMA2_MANIFESTLIST_FEATURES_KEY: {
+                                    "type": "array",
+                                    "description": "specifies an array of strings, each listing a required CPU "
+                                    + "feature (for example sse4 or aes).",
+                                    "items": {"type": "string"},
+                                },
+                            },
+                            "required": [
+                                DOCKER_SCHEMA2_MANIFESTLIST_ARCHITECTURE_KEY,
+                                DOCKER_SCHEMA2_MANIFESTLIST_OS_KEY,
+                            ],
+                        },
+                    },
+                    "required": [
+                        DOCKER_SCHEMA2_MANIFESTLIST_MEDIATYPE_KEY,
+                        DOCKER_SCHEMA2_MANIFESTLIST_SIZE_KEY,
+                        DOCKER_SCHEMA2_MANIFESTLIST_DIGEST_KEY,
+                        DOCKER_SCHEMA2_MANIFESTLIST_PLATFORM_KEY,
+                    ],
+                },
             },
-            DOCKER_SCHEMA2_MANIFESTLIST_DIGEST_KEY: {
-              'type': 'string',
-              'description': 'The content addressable digest of the manifest in the blob store',
-            },
-            DOCKER_SCHEMA2_MANIFESTLIST_PLATFORM_KEY: {
-              'type': 'object',
-              'description': 'The platform object describes the platform which the image in ' +
-                             'the manifest runs on',
-              'properties': {
-                DOCKER_SCHEMA2_MANIFESTLIST_ARCHITECTURE_KEY: {
-                  'type': 'string',
-                  'description': 'Specifies the CPU architecture, for example amd64 or ppc64le.',
-                },
-                DOCKER_SCHEMA2_MANIFESTLIST_OS_KEY: {
-                  'type': 'string',
-                  'description': 'Specifies the operating system, for example linux or windows',
-                },
-                DOCKER_SCHEMA2_MANIFESTLIST_OS_VERSION_KEY: {
-                  'type': 'string',
-                  'description': 'Specifies the operating system version, for example 10.0.10586',
-                },
-                DOCKER_SCHEMA2_MANIFESTLIST_OS_FEATURES_KEY: {
-                  'type': 'array',
-                  'description': 'specifies an array of strings, each listing a required OS ' +
-                                 'feature (for example on Windows win32k)',
-                  'items': {
-                    'type': 'string',
-                  },
-                },
-                DOCKER_SCHEMA2_MANIFESTLIST_VARIANT_KEY: {
-                  'type': 'string',
-                  'description': 'Specifies a variant of the CPU, for example armv6l to specify ' +
-                                 'a particular CPU variant of the ARM CPU',
-                },
-                DOCKER_SCHEMA2_MANIFESTLIST_FEATURES_KEY: {
-                  'type': 'array',
-                  'description': 'specifies an array of strings, each listing a required CPU ' +
-                                 'feature (for example sse4 or aes).',
-                  'items': {
-                    'type': 'string',
-                  },
-                },
-              },
-              'required': [DOCKER_SCHEMA2_MANIFESTLIST_ARCHITECTURE_KEY,
-                           DOCKER_SCHEMA2_MANIFESTLIST_OS_KEY],
-            },
-          },
-          'required': [DOCKER_SCHEMA2_MANIFESTLIST_MEDIATYPE_KEY,
-                       DOCKER_SCHEMA2_MANIFESTLIST_SIZE_KEY,
-                       DOCKER_SCHEMA2_MANIFESTLIST_DIGEST_KEY,
-                       DOCKER_SCHEMA2_MANIFESTLIST_PLATFORM_KEY],
         },
-      },
-    },
-    'required': [DOCKER_SCHEMA2_MANIFESTLIST_VERSION_KEY,
-                 DOCKER_SCHEMA2_MANIFESTLIST_MEDIATYPE_KEY,
-                 DOCKER_SCHEMA2_MANIFESTLIST_MANIFESTS_KEY],
-  }
+        "required": [
+            DOCKER_SCHEMA2_MANIFESTLIST_VERSION_KEY,
+            DOCKER_SCHEMA2_MANIFESTLIST_MEDIATYPE_KEY,
+            DOCKER_SCHEMA2_MANIFESTLIST_MANIFESTS_KEY,
+        ],
+    }
 
-  def __init__(self, manifest_bytes):
-    assert isinstance(manifest_bytes, Bytes)
+    def __init__(self, manifest_bytes):
+        assert isinstance(manifest_bytes, Bytes)
 
-    self._layers = None
-    self._manifest_bytes = manifest_bytes
+        self._layers = None
+        self._manifest_bytes = manifest_bytes
 
-    try:
-      self._parsed = json.loads(manifest_bytes.as_unicode())
-    except ValueError as ve:
-      raise MalformedSchema2ManifestList('malformed manifest data: %s' % ve)
+        try:
+            self._parsed = json.loads(manifest_bytes.as_unicode())
+        except ValueError as ve:
+            raise MalformedSchema2ManifestList("malformed manifest data: %s" % ve)
 
-    try:
-      validate_schema(self._parsed, DockerSchema2ManifestList.METASCHEMA)
-    except ValidationError as ve:
-      raise MalformedSchema2ManifestList('manifest data does not match schema: %s' % ve)
+        try:
+            validate_schema(self._parsed, DockerSchema2ManifestList.METASCHEMA)
+        except ValidationError as ve:
+            raise MalformedSchema2ManifestList(
+                "manifest data does not match schema: %s" % ve
+            )
 
-  @property
-  def is_manifest_list(self):
-    """ Returns whether this manifest is a list. """
-    return True
+    @property
+    def is_manifest_list(self):
+        """ Returns whether this manifest is a list. """
+        return True
 
-  @property
-  def schema_version(self):
-    return 2
+    @property
+    def schema_version(self):
+        return 2
 
-  @property
-  def digest(self):
-    """ The digest of the manifest, including type prefix. """
-    return digest_tools.sha256_digest(self._manifest_bytes.as_encoded_str())
+    @property
+    def digest(self):
+        """ The digest of the manifest, including type prefix. """
+        return digest_tools.sha256_digest(self._manifest_bytes.as_encoded_str())
 
-  @property
-  def media_type(self):
-    """ The media type of the schema. """
-    return self._parsed[DOCKER_SCHEMA2_MANIFESTLIST_MEDIATYPE_KEY]
+    @property
+    def media_type(self):
+        """ The media type of the schema. """
+        return self._parsed[DOCKER_SCHEMA2_MANIFESTLIST_MEDIATYPE_KEY]
 
-  @property
-  def manifest_dict(self):
-    """ Returns the manifest as a dictionary ready to be serialized to JSON. """
-    return self._parsed
+    @property
+    def manifest_dict(self):
+        """ Returns the manifest as a dictionary ready to be serialized to JSON. """
+        return self._parsed
 
-  @property
-  def bytes(self):
-    return self._manifest_bytes
+    @property
+    def bytes(self):
+        return self._manifest_bytes
 
-  def get_layers(self, content_retriever):
-    """ Returns the layers of this manifest, from base to leaf or None if this kind of manifest
+    def get_layers(self, content_retriever):
+        """ Returns the layers of this manifest, from base to leaf or None if this kind of manifest
         does not support layers. """
-    return None
-
-  @property
-  def blob_digests(self):
-    # Manifest lists have no blob digests, since everything is stored as a manifest.
-    return []
-
-  @property
-  def local_blob_digests(self):
-    return self.blob_digests
-
-  def get_blob_digests_for_translation(self):
-    return self.blob_digests
-
-  @property
-  def layers_compressed_size(self):
-    return None
-
-  @lru_cache(maxsize=1)
-  def manifests(self, content_retriever):
-    """ Returns the manifests in the list.
-    """
-    manifests = self._parsed[DOCKER_SCHEMA2_MANIFESTLIST_MANIFESTS_KEY]
-    return [LazyManifestLoader(m, content_retriever) for m in manifests]
-
-  def validate(self, content_retriever):
-    """ Performs validation of required assertions about the manifest. Raises a ManifestException
-        on failure.
-    """
-    for index, m in enumerate(self._parsed[DOCKER_SCHEMA2_MANIFESTLIST_MANIFESTS_KEY]):
-      if m[DOCKER_SCHEMA2_MANIFESTLIST_MEDIATYPE_KEY] == DOCKER_SCHEMA1_MANIFEST_CONTENT_TYPE:
-        platform = m[DOCKER_SCHEMA2_MANIFESTLIST_PLATFORM_KEY]
-
-        # Validate the architecture against the schema 1 architecture defined.
-        parsed = self.manifests(content_retriever)[index].manifest_obj
-        assert isinstance(parsed, DockerSchema1Manifest)
-        if (parsed.architecture and
-            parsed.architecture != platform[DOCKER_SCHEMA2_MANIFESTLIST_ARCHITECTURE_KEY]):
-          raise MismatchManifestException('Mismatch in arch for manifest `%s`' % parsed.digest)
-
-  def child_manifests(self, content_retriever):
-    return self.manifests(content_retriever)
-
-  def child_manifest_digests(self):
-    return [m[DOCKER_SCHEMA2_MANIFESTLIST_DIGEST_KEY]
-            for m in self._parsed[DOCKER_SCHEMA2_MANIFESTLIST_MANIFESTS_KEY]]
-
-  def get_manifest_labels(self, content_retriever):
-    return None
-
-  def get_leaf_layer_v1_image_id(self, content_retriever):
-    return None
-
-  def get_legacy_image_ids(self, content_retriever):
-    return None
-
-  @property
-  def has_legacy_image(self):
-    return False
-
-  def get_requires_empty_layer_blob(self, content_retriever):
-    return False
-
-  def get_schema1_manifest(self, namespace_name, repo_name, tag_name, content_retriever):
-    """ Returns the manifest that is compatible with V1, by virtue of being `amd64` and `linux`.
-        If none, returns None.
-    """
-    legacy_manifest = self._get_legacy_manifest(content_retriever)
-    if legacy_manifest is None:
-      return None
-
-    return legacy_manifest.get_schema1_manifest(namespace_name, repo_name, tag_name,
-                                                content_retriever)
-
-  def convert_manifest(self, allowed_mediatypes, namespace_name, repo_name, tag_name,
-                       content_retriever):
-    if self.media_type in allowed_mediatypes:
-      return self
-
-    legacy_manifest = self._get_legacy_manifest(content_retriever)
-    if legacy_manifest is None:
-      return None
-
-    return legacy_manifest.convert_manifest(allowed_mediatypes, namespace_name, repo_name,
-                                            tag_name, content_retriever)
-
-  def _get_legacy_manifest(self, content_retriever):
-    """ Returns the manifest under this list with architecture amd64 and os linux, if any, or None
-        if none or error.
-    """
-    for manifest_ref in self.manifests(content_retriever):
-      platform = manifest_ref._manifest_data[DOCKER_SCHEMA2_MANIFESTLIST_PLATFORM_KEY]
-      architecture = platform[DOCKER_SCHEMA2_MANIFESTLIST_ARCHITECTURE_KEY]
-      os = platform[DOCKER_SCHEMA2_MANIFESTLIST_OS_KEY]
-      if architecture != 'amd64' or os != 'linux':
-        continue
-
-      try:
-        return manifest_ref.manifest_obj
-      except (ManifestException, IOError):
-        logger.exception('Could not load child manifest')
         return None
 
-    return None
+    @property
+    def blob_digests(self):
+        # Manifest lists have no blob digests, since everything is stored as a manifest.
+        return []
 
-  def unsigned(self):
-    return self
+    @property
+    def local_blob_digests(self):
+        return self.blob_digests
 
-  def generate_legacy_layers(self, images_map, content_retriever):
-    return None
+    def get_blob_digests_for_translation(self):
+        return self.blob_digests
+
+    @property
+    def layers_compressed_size(self):
+        return None
+
+    @lru_cache(maxsize=1)
+    def manifests(self, content_retriever):
+        """ Returns the manifests in the list.
+    """
+        manifests = self._parsed[DOCKER_SCHEMA2_MANIFESTLIST_MANIFESTS_KEY]
+        return [LazyManifestLoader(m, content_retriever) for m in manifests]
+
+    def validate(self, content_retriever):
+        """ Performs validation of required assertions about the manifest. Raises a ManifestException
+        on failure.
+    """
+        for index, m in enumerate(
+            self._parsed[DOCKER_SCHEMA2_MANIFESTLIST_MANIFESTS_KEY]
+        ):
+            if (
+                m[DOCKER_SCHEMA2_MANIFESTLIST_MEDIATYPE_KEY]
+                == DOCKER_SCHEMA1_MANIFEST_CONTENT_TYPE
+            ):
+                platform = m[DOCKER_SCHEMA2_MANIFESTLIST_PLATFORM_KEY]
+
+                # Validate the architecture against the schema 1 architecture defined.
+                parsed = self.manifests(content_retriever)[index].manifest_obj
+                assert isinstance(parsed, DockerSchema1Manifest)
+                if (
+                    parsed.architecture
+                    and parsed.architecture
+                    != platform[DOCKER_SCHEMA2_MANIFESTLIST_ARCHITECTURE_KEY]
+                ):
+                    raise MismatchManifestException(
+                        "Mismatch in arch for manifest `%s`" % parsed.digest
+                    )
+
+    def child_manifests(self, content_retriever):
+        return self.manifests(content_retriever)
+
+    def child_manifest_digests(self):
+        return [
+            m[DOCKER_SCHEMA2_MANIFESTLIST_DIGEST_KEY]
+            for m in self._parsed[DOCKER_SCHEMA2_MANIFESTLIST_MANIFESTS_KEY]
+        ]
+
+    def get_manifest_labels(self, content_retriever):
+        return None
+
+    def get_leaf_layer_v1_image_id(self, content_retriever):
+        return None
+
+    def get_legacy_image_ids(self, content_retriever):
+        return None
+
+    @property
+    def has_legacy_image(self):
+        return False
+
+    def get_requires_empty_layer_blob(self, content_retriever):
+        return False
+
+    def get_schema1_manifest(
+        self, namespace_name, repo_name, tag_name, content_retriever
+    ):
+        """ Returns the manifest that is compatible with V1, by virtue of being `amd64` and `linux`.
+        If none, returns None.
+    """
+        legacy_manifest = self._get_legacy_manifest(content_retriever)
+        if legacy_manifest is None:
+            return None
+
+        return legacy_manifest.get_schema1_manifest(
+            namespace_name, repo_name, tag_name, content_retriever
+        )
+
+    def convert_manifest(
+        self, allowed_mediatypes, namespace_name, repo_name, tag_name, content_retriever
+    ):
+        if self.media_type in allowed_mediatypes:
+            return self
+
+        legacy_manifest = self._get_legacy_manifest(content_retriever)
+        if legacy_manifest is None:
+            return None
+
+        return legacy_manifest.convert_manifest(
+            allowed_mediatypes, namespace_name, repo_name, tag_name, content_retriever
+        )
+
+    def _get_legacy_manifest(self, content_retriever):
+        """ Returns the manifest under this list with architecture amd64 and os linux, if any, or None
+        if none or error.
+    """
+        for manifest_ref in self.manifests(content_retriever):
+            platform = manifest_ref._manifest_data[
+                DOCKER_SCHEMA2_MANIFESTLIST_PLATFORM_KEY
+            ]
+            architecture = platform[DOCKER_SCHEMA2_MANIFESTLIST_ARCHITECTURE_KEY]
+            os = platform[DOCKER_SCHEMA2_MANIFESTLIST_OS_KEY]
+            if architecture != "amd64" or os != "linux":
+                continue
+
+            try:
+                return manifest_ref.manifest_obj
+            except (ManifestException, IOError):
+                logger.exception("Could not load child manifest")
+                return None
+
+        return None
+
+    def unsigned(self):
+        return self
+
+    def generate_legacy_layers(self, images_map, content_retriever):
+        return None
 
 
 class DockerSchema2ManifestListBuilder(object):
-  """
+    """
   A convenient abstraction around creating new DockerSchema2ManifestList's.
   """
-  def __init__(self):
-    self.manifests = []
 
-  def add_manifest(self, manifest, architecture, os):
-    """ Adds a manifest to the list. """
-    manifest = manifest.unsigned() # Make sure we add the unsigned version to the list.
-    self.add_manifest_digest(manifest.digest,
-                             len(manifest.bytes.as_encoded_str()),
-                             manifest.media_type,
-                             architecture, os)
+    def __init__(self):
+        self.manifests = []
 
-  def add_manifest_digest(self, manifest_digest, manifest_size, media_type, architecture, os):
-    """ Adds a manifest to the list. """
-    self.manifests.append((manifest_digest, manifest_size, media_type, {
-      DOCKER_SCHEMA2_MANIFESTLIST_ARCHITECTURE_KEY: architecture,
-      DOCKER_SCHEMA2_MANIFESTLIST_OS_KEY: os,
-    }))
+    def add_manifest(self, manifest, architecture, os):
+        """ Adds a manifest to the list. """
+        manifest = (
+            manifest.unsigned()
+        )  # Make sure we add the unsigned version to the list.
+        self.add_manifest_digest(
+            manifest.digest,
+            len(manifest.bytes.as_encoded_str()),
+            manifest.media_type,
+            architecture,
+            os,
+        )
 
-  def build(self):
-    """ Builds and returns the DockerSchema2ManifestList. """
-    assert self.manifests
+    def add_manifest_digest(
+        self, manifest_digest, manifest_size, media_type, architecture, os
+    ):
+        """ Adds a manifest to the list. """
+        self.manifests.append(
+            (
+                manifest_digest,
+                manifest_size,
+                media_type,
+                {
+                    DOCKER_SCHEMA2_MANIFESTLIST_ARCHITECTURE_KEY: architecture,
+                    DOCKER_SCHEMA2_MANIFESTLIST_OS_KEY: os,
+                },
+            )
+        )
 
-    manifest_list_dict = {
-      DOCKER_SCHEMA2_MANIFESTLIST_VERSION_KEY: 2,
-      DOCKER_SCHEMA2_MANIFESTLIST_MEDIATYPE_KEY: DOCKER_SCHEMA2_MANIFESTLIST_CONTENT_TYPE,
-      DOCKER_SCHEMA2_MANIFESTLIST_MANIFESTS_KEY: [
-        {
-          DOCKER_SCHEMA2_MANIFESTLIST_MEDIATYPE_KEY: manifest[2],
-          DOCKER_SCHEMA2_MANIFESTLIST_DIGEST_KEY: manifest[0],
-          DOCKER_SCHEMA2_MANIFESTLIST_SIZE_KEY: manifest[1],
-          DOCKER_SCHEMA2_MANIFESTLIST_PLATFORM_KEY: manifest[3],
-        } for manifest in self.manifests
-      ],
-    }
+    def build(self):
+        """ Builds and returns the DockerSchema2ManifestList. """
+        assert self.manifests
 
-    json_str = Bytes.for_string_or_unicode(json.dumps(manifest_list_dict, indent=3))
-    return DockerSchema2ManifestList(json_str)
+        manifest_list_dict = {
+            DOCKER_SCHEMA2_MANIFESTLIST_VERSION_KEY: 2,
+            DOCKER_SCHEMA2_MANIFESTLIST_MEDIATYPE_KEY: DOCKER_SCHEMA2_MANIFESTLIST_CONTENT_TYPE,
+            DOCKER_SCHEMA2_MANIFESTLIST_MANIFESTS_KEY: [
+                {
+                    DOCKER_SCHEMA2_MANIFESTLIST_MEDIATYPE_KEY: manifest[2],
+                    DOCKER_SCHEMA2_MANIFESTLIST_DIGEST_KEY: manifest[0],
+                    DOCKER_SCHEMA2_MANIFESTLIST_SIZE_KEY: manifest[1],
+                    DOCKER_SCHEMA2_MANIFESTLIST_PLATFORM_KEY: manifest[3],
+                }
+                for manifest in self.manifests
+            ],
+        }
+
+        json_str = Bytes.for_string_or_unicode(json.dumps(manifest_list_dict, indent=3))
+        return DockerSchema2ManifestList(json_str)
diff --git a/image/docker/schema2/manifest.py b/image/docker/schema2/manifest.py
index e6188554e..6b682ad39 100644
--- a/image/docker/schema2/manifest.py
+++ b/image/docker/schema2/manifest.py
@@ -9,454 +9,521 @@ from digest import digest_tools
 from image.docker import ManifestException
 from image.docker.interfaces import ManifestInterface
 from image.docker.types import ManifestImageLayer
-from image.docker.schema2 import (DOCKER_SCHEMA2_MANIFEST_CONTENT_TYPE,
-                                  DOCKER_SCHEMA2_CONFIG_CONTENT_TYPE,
-                                  DOCKER_SCHEMA2_LAYER_CONTENT_TYPE,
-                                  DOCKER_SCHEMA2_REMOTE_LAYER_CONTENT_TYPE,
-                                  EMPTY_LAYER_BLOB_DIGEST, EMPTY_LAYER_SIZE)
+from image.docker.schema2 import (
+    DOCKER_SCHEMA2_MANIFEST_CONTENT_TYPE,
+    DOCKER_SCHEMA2_CONFIG_CONTENT_TYPE,
+    DOCKER_SCHEMA2_LAYER_CONTENT_TYPE,
+    DOCKER_SCHEMA2_REMOTE_LAYER_CONTENT_TYPE,
+    EMPTY_LAYER_BLOB_DIGEST,
+    EMPTY_LAYER_SIZE,
+)
 from image.docker.schema1 import DockerSchema1ManifestBuilder
 from image.docker.schema2.config import DockerSchema2Config
 from util.bytes import Bytes
 
 # Keys.
-DOCKER_SCHEMA2_MANIFEST_VERSION_KEY = 'schemaVersion'
-DOCKER_SCHEMA2_MANIFEST_MEDIATYPE_KEY = 'mediaType'
-DOCKER_SCHEMA2_MANIFEST_CONFIG_KEY = 'config'
-DOCKER_SCHEMA2_MANIFEST_SIZE_KEY = 'size'
-DOCKER_SCHEMA2_MANIFEST_DIGEST_KEY = 'digest'
-DOCKER_SCHEMA2_MANIFEST_LAYERS_KEY = 'layers'
-DOCKER_SCHEMA2_MANIFEST_URLS_KEY = 'urls'
+DOCKER_SCHEMA2_MANIFEST_VERSION_KEY = "schemaVersion"
+DOCKER_SCHEMA2_MANIFEST_MEDIATYPE_KEY = "mediaType"
+DOCKER_SCHEMA2_MANIFEST_CONFIG_KEY = "config"
+DOCKER_SCHEMA2_MANIFEST_SIZE_KEY = "size"
+DOCKER_SCHEMA2_MANIFEST_DIGEST_KEY = "digest"
+DOCKER_SCHEMA2_MANIFEST_LAYERS_KEY = "layers"
+DOCKER_SCHEMA2_MANIFEST_URLS_KEY = "urls"
 
 # Named tuples.
-DockerV2ManifestConfig = namedtuple('DockerV2ManifestConfig', ['size', 'digest'])
-DockerV2ManifestLayer = namedtuple('DockerV2ManifestLayer', ['index', 'digest',
-                                                             'is_remote', 'urls',
-                                                             'compressed_size'])
+DockerV2ManifestConfig = namedtuple("DockerV2ManifestConfig", ["size", "digest"])
+DockerV2ManifestLayer = namedtuple(
+    "DockerV2ManifestLayer", ["index", "digest", "is_remote", "urls", "compressed_size"]
+)
 
-DockerV2ManifestImageLayer = namedtuple('DockerV2ManifestImageLayer', ['history', 'blob_layer',
-                                                                       'v1_id', 'v1_parent_id',
-                                                                       'compressed_size',
-                                                                       'blob_digest'])
+DockerV2ManifestImageLayer = namedtuple(
+    "DockerV2ManifestImageLayer",
+    [
+        "history",
+        "blob_layer",
+        "v1_id",
+        "v1_parent_id",
+        "compressed_size",
+        "blob_digest",
+    ],
+)
 
 logger = logging.getLogger(__name__)
 
+
 class MalformedSchema2Manifest(ManifestException):
-  """
+    """
   Raised when a manifest fails an assertion that should be true according to the Docker Manifest
   v2.2 Specification.
   """
-  pass
+
+    pass
 
 
 class DockerSchema2Manifest(ManifestInterface):
-  METASCHEMA = {
-    'type': 'object',
-    'properties': {
-      DOCKER_SCHEMA2_MANIFEST_VERSION_KEY: {
-        'type': 'number',
-        'description': 'The version of the schema. Must always be `2`.',
-        'minimum': 2,
-        'maximum': 2,
-      },
-      DOCKER_SCHEMA2_MANIFEST_MEDIATYPE_KEY: {
-        'type': 'string',
-        'description': 'The media type of the schema.',
-        'enum': [DOCKER_SCHEMA2_MANIFEST_CONTENT_TYPE],
-      },
-      DOCKER_SCHEMA2_MANIFEST_CONFIG_KEY: {
-        'type': 'object',
-        'description': 'The config field references a configuration object for a container, ' +
-                       'by digest. This configuration item is a JSON blob that the runtime ' +
-                       'uses to set up the container.',
-        'properties': {
-          DOCKER_SCHEMA2_MANIFEST_MEDIATYPE_KEY: {
-            'type': 'string',
-            'description': 'The MIME type of the referenced object. This should generally be ' +
-                           'application/vnd.docker.container.image.v1+json',
-            'enum': [DOCKER_SCHEMA2_CONFIG_CONTENT_TYPE],
-          },
-          DOCKER_SCHEMA2_MANIFEST_SIZE_KEY: {
-            'type': 'number',
-            'description': 'The size in bytes of the object. This field exists so that a ' +
-                           'client will have an expected size for the content before ' +
-                           'validating. If the length of the retrieved content does not ' +
-                           'match the specified length, the content should not be trusted.',
-          },
-          DOCKER_SCHEMA2_MANIFEST_DIGEST_KEY: {
-            'type': 'string',
-            'description': 'The content addressable digest of the config in the blob store',
-          },
-        },
-        'required': [DOCKER_SCHEMA2_MANIFEST_MEDIATYPE_KEY, DOCKER_SCHEMA2_MANIFEST_SIZE_KEY,
-                     DOCKER_SCHEMA2_MANIFEST_DIGEST_KEY],
-      },
-      DOCKER_SCHEMA2_MANIFEST_LAYERS_KEY: {
-        'type': 'array',
-        'description': 'The layer list is ordered starting from the base ' +
-                       'image (opposite order of schema1).',
-        'items': {
-          'type': 'object',
-          'properties': {
+    METASCHEMA = {
+        "type": "object",
+        "properties": {
+            DOCKER_SCHEMA2_MANIFEST_VERSION_KEY: {
+                "type": "number",
+                "description": "The version of the schema. Must always be `2`.",
+                "minimum": 2,
+                "maximum": 2,
+            },
             DOCKER_SCHEMA2_MANIFEST_MEDIATYPE_KEY: {
-              'type': 'string',
-              'description': 'The MIME type of the referenced object. This should generally be ' +
-                             'application/vnd.docker.image.rootfs.diff.tar.gzip. Layers of type ' +
-                             'application/vnd.docker.image.rootfs.foreign.diff.tar.gzip may be ' +
-                             'pulled from a remote location but they should never be pushed.',
-              'enum': [DOCKER_SCHEMA2_LAYER_CONTENT_TYPE, DOCKER_SCHEMA2_REMOTE_LAYER_CONTENT_TYPE],
+                "type": "string",
+                "description": "The media type of the schema.",
+                "enum": [DOCKER_SCHEMA2_MANIFEST_CONTENT_TYPE],
             },
-            DOCKER_SCHEMA2_MANIFEST_SIZE_KEY: {
-              'type': 'number',
-              'description': 'The size in bytes of the object. This field exists so that a ' +
-                             'client will have an expected size for the content before ' +
-                             'validating. If the length of the retrieved content does not ' +
-                             'match the specified length, the content should not be trusted.',
+            DOCKER_SCHEMA2_MANIFEST_CONFIG_KEY: {
+                "type": "object",
+                "description": "The config field references a configuration object for a container, "
+                + "by digest. This configuration item is a JSON blob that the runtime "
+                + "uses to set up the container.",
+                "properties": {
+                    DOCKER_SCHEMA2_MANIFEST_MEDIATYPE_KEY: {
+                        "type": "string",
+                        "description": "The MIME type of the referenced object. This should generally be "
+                        + "application/vnd.docker.container.image.v1+json",
+                        "enum": [DOCKER_SCHEMA2_CONFIG_CONTENT_TYPE],
+                    },
+                    DOCKER_SCHEMA2_MANIFEST_SIZE_KEY: {
+                        "type": "number",
+                        "description": "The size in bytes of the object. This field exists so that a "
+                        + "client will have an expected size for the content before "
+                        + "validating. If the length of the retrieved content does not "
+                        + "match the specified length, the content should not be trusted.",
+                    },
+                    DOCKER_SCHEMA2_MANIFEST_DIGEST_KEY: {
+                        "type": "string",
+                        "description": "The content addressable digest of the config in the blob store",
+                    },
+                },
+                "required": [
+                    DOCKER_SCHEMA2_MANIFEST_MEDIATYPE_KEY,
+                    DOCKER_SCHEMA2_MANIFEST_SIZE_KEY,
+                    DOCKER_SCHEMA2_MANIFEST_DIGEST_KEY,
+                ],
             },
-            DOCKER_SCHEMA2_MANIFEST_DIGEST_KEY: {
-              'type': 'string',
-              'description': 'The content addressable digest of the layer in the blob store',
+            DOCKER_SCHEMA2_MANIFEST_LAYERS_KEY: {
+                "type": "array",
+                "description": "The layer list is ordered starting from the base "
+                + "image (opposite order of schema1).",
+                "items": {
+                    "type": "object",
+                    "properties": {
+                        DOCKER_SCHEMA2_MANIFEST_MEDIATYPE_KEY: {
+                            "type": "string",
+                            "description": "The MIME type of the referenced object. This should generally be "
+                            + "application/vnd.docker.image.rootfs.diff.tar.gzip. Layers of type "
+                            + "application/vnd.docker.image.rootfs.foreign.diff.tar.gzip may be "
+                            + "pulled from a remote location but they should never be pushed.",
+                            "enum": [
+                                DOCKER_SCHEMA2_LAYER_CONTENT_TYPE,
+                                DOCKER_SCHEMA2_REMOTE_LAYER_CONTENT_TYPE,
+                            ],
+                        },
+                        DOCKER_SCHEMA2_MANIFEST_SIZE_KEY: {
+                            "type": "number",
+                            "description": "The size in bytes of the object. This field exists so that a "
+                            + "client will have an expected size for the content before "
+                            + "validating. If the length of the retrieved content does not "
+                            + "match the specified length, the content should not be trusted.",
+                        },
+                        DOCKER_SCHEMA2_MANIFEST_DIGEST_KEY: {
+                            "type": "string",
+                            "description": "The content addressable digest of the layer in the blob store",
+                        },
+                    },
+                    "required": [
+                        DOCKER_SCHEMA2_MANIFEST_MEDIATYPE_KEY,
+                        DOCKER_SCHEMA2_MANIFEST_SIZE_KEY,
+                        DOCKER_SCHEMA2_MANIFEST_DIGEST_KEY,
+                    ],
+                },
             },
-          },
-          'required': [
-            DOCKER_SCHEMA2_MANIFEST_MEDIATYPE_KEY, DOCKER_SCHEMA2_MANIFEST_SIZE_KEY,
-            DOCKER_SCHEMA2_MANIFEST_DIGEST_KEY,
-          ],
         },
-      },
-    },
-    'required': [DOCKER_SCHEMA2_MANIFEST_VERSION_KEY, DOCKER_SCHEMA2_MANIFEST_MEDIATYPE_KEY,
-                 DOCKER_SCHEMA2_MANIFEST_CONFIG_KEY, DOCKER_SCHEMA2_MANIFEST_LAYERS_KEY],
-  }
+        "required": [
+            DOCKER_SCHEMA2_MANIFEST_VERSION_KEY,
+            DOCKER_SCHEMA2_MANIFEST_MEDIATYPE_KEY,
+            DOCKER_SCHEMA2_MANIFEST_CONFIG_KEY,
+            DOCKER_SCHEMA2_MANIFEST_LAYERS_KEY,
+        ],
+    }
 
-  def __init__(self, manifest_bytes):
-    assert isinstance(manifest_bytes, Bytes)
+    def __init__(self, manifest_bytes):
+        assert isinstance(manifest_bytes, Bytes)
 
-    self._payload = manifest_bytes
+        self._payload = manifest_bytes
 
-    self._filesystem_layers = None
-    self._cached_built_config = None
+        self._filesystem_layers = None
+        self._cached_built_config = None
 
-    try:
-      self._parsed = json.loads(self._payload.as_unicode())
-    except ValueError as ve:
-      raise MalformedSchema2Manifest('malformed manifest data: %s' % ve)
+        try:
+            self._parsed = json.loads(self._payload.as_unicode())
+        except ValueError as ve:
+            raise MalformedSchema2Manifest("malformed manifest data: %s" % ve)
 
-    try:
-      validate_schema(self._parsed, DockerSchema2Manifest.METASCHEMA)
-    except ValidationError as ve:
-      raise MalformedSchema2Manifest('manifest data does not match schema: %s' % ve)
+        try:
+            validate_schema(self._parsed, DockerSchema2Manifest.METASCHEMA)
+        except ValidationError as ve:
+            raise MalformedSchema2Manifest(
+                "manifest data does not match schema: %s" % ve
+            )
 
-    for layer in self.filesystem_layers:
-      if layer.is_remote and not layer.urls:
-        raise MalformedSchema2Manifest('missing `urls` for remote layer')
+        for layer in self.filesystem_layers:
+            if layer.is_remote and not layer.urls:
+                raise MalformedSchema2Manifest("missing `urls` for remote layer")
 
-  def validate(self, content_retriever):
-    """ Performs validation of required assertions about the manifest. Raises a ManifestException
+    def validate(self, content_retriever):
+        """ Performs validation of required assertions about the manifest. Raises a ManifestException
         on failure.
     """
-    # Nothing to validate.
+        # Nothing to validate.
 
-  @property
-  def is_manifest_list(self):
-    return False
+    @property
+    def is_manifest_list(self):
+        return False
 
-  @property
-  def schema_version(self):
-    return 2
+    @property
+    def schema_version(self):
+        return 2
 
-  @property
-  def manifest_dict(self):
-    return self._parsed
+    @property
+    def manifest_dict(self):
+        return self._parsed
 
-  @property
-  def media_type(self):
-    return self._parsed[DOCKER_SCHEMA2_MANIFEST_MEDIATYPE_KEY]
+    @property
+    def media_type(self):
+        return self._parsed[DOCKER_SCHEMA2_MANIFEST_MEDIATYPE_KEY]
 
-  @property
-  def digest(self):
-    return digest_tools.sha256_digest(self._payload.as_encoded_str())
+    @property
+    def digest(self):
+        return digest_tools.sha256_digest(self._payload.as_encoded_str())
 
-  @property
-  def config(self):
-    config = self._parsed[DOCKER_SCHEMA2_MANIFEST_CONFIG_KEY]
-    return DockerV2ManifestConfig(size=config[DOCKER_SCHEMA2_MANIFEST_SIZE_KEY],
-                                  digest=config[DOCKER_SCHEMA2_MANIFEST_DIGEST_KEY])
+    @property
+    def config(self):
+        config = self._parsed[DOCKER_SCHEMA2_MANIFEST_CONFIG_KEY]
+        return DockerV2ManifestConfig(
+            size=config[DOCKER_SCHEMA2_MANIFEST_SIZE_KEY],
+            digest=config[DOCKER_SCHEMA2_MANIFEST_DIGEST_KEY],
+        )
 
-  @property
-  def filesystem_layers(self):
-    """ Returns the file system layers of this manifest, from base to leaf. """
-    if self._filesystem_layers is None:
-      self._filesystem_layers = list(self._generate_filesystem_layers())
-    return self._filesystem_layers
+    @property
+    def filesystem_layers(self):
+        """ Returns the file system layers of this manifest, from base to leaf. """
+        if self._filesystem_layers is None:
+            self._filesystem_layers = list(self._generate_filesystem_layers())
+        return self._filesystem_layers
 
-  @property
-  def leaf_filesystem_layer(self):
-    """ Returns the leaf file system layer for this manifest. """
-    return self.filesystem_layers[-1]
+    @property
+    def leaf_filesystem_layer(self):
+        """ Returns the leaf file system layer for this manifest. """
+        return self.filesystem_layers[-1]
 
-  @property
-  def layers_compressed_size(self):
-    return sum(layer.compressed_size for layer in self.filesystem_layers)
+    @property
+    def layers_compressed_size(self):
+        return sum(layer.compressed_size for layer in self.filesystem_layers)
 
-  @property
-  def has_remote_layer(self):
-    for layer in self.filesystem_layers:
-      if layer.is_remote:
-        return True
+    @property
+    def has_remote_layer(self):
+        for layer in self.filesystem_layers:
+            if layer.is_remote:
+                return True
 
-    return False
+        return False
 
-  @property
-  def blob_digests(self):
-    return [str(layer.digest) for layer in self.filesystem_layers] + [str(self.config.digest)]
+    @property
+    def blob_digests(self):
+        return [str(layer.digest) for layer in self.filesystem_layers] + [
+            str(self.config.digest)
+        ]
 
-  @property
-  def local_blob_digests(self):
-    return ([str(layer.digest) for layer in self.filesystem_layers if not layer.urls] +
-            [str(self.config.digest)])
+    @property
+    def local_blob_digests(self):
+        return [
+            str(layer.digest) for layer in self.filesystem_layers if not layer.urls
+        ] + [str(self.config.digest)]
 
-  def get_blob_digests_for_translation(self):
-    return self.blob_digests
+    def get_blob_digests_for_translation(self):
+        return self.blob_digests
 
-  def get_manifest_labels(self, content_retriever):
-    return self._get_built_config(content_retriever).labels
+    def get_manifest_labels(self, content_retriever):
+        return self._get_built_config(content_retriever).labels
 
-  def get_layers(self, content_retriever):
-    """ Returns the layers of this manifest, from base to leaf or None if this kind of manifest
+    def get_layers(self, content_retriever):
+        """ Returns the layers of this manifest, from base to leaf or None if this kind of manifest
         does not support layers. """
-    for image_layer in self._manifest_image_layers(content_retriever):
-      is_remote = image_layer.blob_layer.is_remote if image_layer.blob_layer else False
-      urls = image_layer.blob_layer.urls if image_layer.blob_layer else None
-      yield ManifestImageLayer(layer_id=image_layer.v1_id,
-                               compressed_size=image_layer.compressed_size,
-                               is_remote=is_remote,
-                               urls=urls,
-                               command=image_layer.history.command,
-                               blob_digest=image_layer.blob_digest,
-                               created_datetime=image_layer.history.created_datetime,
-                               author=image_layer.history.author,
-                               comment=image_layer.history.comment,
-                               internal_layer=image_layer)
+        for image_layer in self._manifest_image_layers(content_retriever):
+            is_remote = (
+                image_layer.blob_layer.is_remote if image_layer.blob_layer else False
+            )
+            urls = image_layer.blob_layer.urls if image_layer.blob_layer else None
+            yield ManifestImageLayer(
+                layer_id=image_layer.v1_id,
+                compressed_size=image_layer.compressed_size,
+                is_remote=is_remote,
+                urls=urls,
+                command=image_layer.history.command,
+                blob_digest=image_layer.blob_digest,
+                created_datetime=image_layer.history.created_datetime,
+                author=image_layer.history.author,
+                comment=image_layer.history.comment,
+                internal_layer=image_layer,
+            )
 
-  @property
-  def bytes(self):
-    return self._payload
+    @property
+    def bytes(self):
+        return self._payload
 
-  def child_manifests(self, content_retriever):
-    return None
+    def child_manifests(self, content_retriever):
+        return None
 
-  def _manifest_image_layers(self, content_retriever):
-    # Retrieve the configuration for the manifest.
-    config = self._get_built_config(content_retriever)
-    history = list(config.history)
-    if len(history) < len(self.filesystem_layers):
-      raise MalformedSchema2Manifest('Found less history than layer blobs')
+    def _manifest_image_layers(self, content_retriever):
+        # Retrieve the configuration for the manifest.
+        config = self._get_built_config(content_retriever)
+        history = list(config.history)
+        if len(history) < len(self.filesystem_layers):
+            raise MalformedSchema2Manifest("Found less history than layer blobs")
 
-    digest_history = hashlib.sha256()
-    v1_layer_parent_id = None
-    v1_layer_id = None
-    blob_index = 0
+        digest_history = hashlib.sha256()
+        v1_layer_parent_id = None
+        v1_layer_id = None
+        blob_index = 0
 
-    for history_index, history_entry in enumerate(history):
-      if not history_entry.is_empty and blob_index >= len(self.filesystem_layers):
-        raise MalformedSchema2Manifest('Missing history entry #%s' % blob_index)
+        for history_index, history_entry in enumerate(history):
+            if not history_entry.is_empty and blob_index >= len(self.filesystem_layers):
+                raise MalformedSchema2Manifest("Missing history entry #%s" % blob_index)
 
-      v1_layer_parent_id = v1_layer_id
-      blob_layer = None if history_entry.is_empty else self.filesystem_layers[blob_index]
-      blob_digest = EMPTY_LAYER_BLOB_DIGEST if blob_layer is None else str(blob_layer.digest)
-      compressed_size = EMPTY_LAYER_SIZE if blob_layer is None else blob_layer.compressed_size
+            v1_layer_parent_id = v1_layer_id
+            blob_layer = (
+                None if history_entry.is_empty else self.filesystem_layers[blob_index]
+            )
+            blob_digest = (
+                EMPTY_LAYER_BLOB_DIGEST
+                if blob_layer is None
+                else str(blob_layer.digest)
+            )
+            compressed_size = (
+                EMPTY_LAYER_SIZE if blob_layer is None else blob_layer.compressed_size
+            )
 
-      # Create a new synthesized V1 ID for the history layer by hashing its content and
-      # the blob associated with it.
-      digest_history.update(json.dumps(history_entry.raw_entry))
-      digest_history.update("|")
-      digest_history.update(str(history_index))
-      digest_history.update("|")
-      digest_history.update(blob_digest)
-      digest_history.update("||")
+            # Create a new synthesized V1 ID for the history layer by hashing its content and
+            # the blob associated with it.
+            digest_history.update(json.dumps(history_entry.raw_entry))
+            digest_history.update("|")
+            digest_history.update(str(history_index))
+            digest_history.update("|")
+            digest_history.update(blob_digest)
+            digest_history.update("||")
 
-      v1_layer_id = digest_history.hexdigest()
-      yield DockerV2ManifestImageLayer(history=history_entry,
-                                       blob_layer=blob_layer,
-                                       blob_digest=blob_digest,
-                                       v1_id=v1_layer_id,
-                                       v1_parent_id=v1_layer_parent_id,
-                                       compressed_size=compressed_size)
+            v1_layer_id = digest_history.hexdigest()
+            yield DockerV2ManifestImageLayer(
+                history=history_entry,
+                blob_layer=blob_layer,
+                blob_digest=blob_digest,
+                v1_id=v1_layer_id,
+                v1_parent_id=v1_layer_parent_id,
+                compressed_size=compressed_size,
+            )
 
-      if not history_entry.is_empty:
-        blob_index += 1
+            if not history_entry.is_empty:
+                blob_index += 1
 
-  @property
-  def has_legacy_image(self):
-    return not self.has_remote_layer
+    @property
+    def has_legacy_image(self):
+        return not self.has_remote_layer
 
-  def generate_legacy_layers(self, images_map, content_retriever):
-    assert not self.has_remote_layer
+    def generate_legacy_layers(self, images_map, content_retriever):
+        assert not self.has_remote_layer
 
-    # NOTE: We use the DockerSchema1ManifestBuilder here because it already contains
-    # the logic for generating the DockerV1Metadata. All of this will go away once we get
-    # rid of legacy images in the database, so this is a temporary solution.
-    v1_builder = DockerSchema1ManifestBuilder('', '', '')
-    self._populate_schema1_builder(v1_builder, content_retriever)
-    return v1_builder.build().generate_legacy_layers(images_map, content_retriever)
+        # NOTE: We use the DockerSchema1ManifestBuilder here because it already contains
+        # the logic for generating the DockerV1Metadata. All of this will go away once we get
+        # rid of legacy images in the database, so this is a temporary solution.
+        v1_builder = DockerSchema1ManifestBuilder("", "", "")
+        self._populate_schema1_builder(v1_builder, content_retriever)
+        return v1_builder.build().generate_legacy_layers(images_map, content_retriever)
 
-  def get_leaf_layer_v1_image_id(self, content_retriever):
-    # NOTE: If there exists a layer with remote content, then we consider this manifest
-    # to not support legacy images.
-    if self.has_remote_layer:
-      return None
+    def get_leaf_layer_v1_image_id(self, content_retriever):
+        # NOTE: If there exists a layer with remote content, then we consider this manifest
+        # to not support legacy images.
+        if self.has_remote_layer:
+            return None
 
-    return self.get_legacy_image_ids(content_retriever)[-1].v1_id
+        return self.get_legacy_image_ids(content_retriever)[-1].v1_id
 
-  def get_legacy_image_ids(self, content_retriever):
-    if self.has_remote_layer:
-      return None
+    def get_legacy_image_ids(self, content_retriever):
+        if self.has_remote_layer:
+            return None
 
-    return [l.v1_id for l in self._manifest_image_layers(content_retriever)]
+        return [l.v1_id for l in self._manifest_image_layers(content_retriever)]
 
-  def convert_manifest(self, allowed_mediatypes, namespace_name, repo_name, tag_name,
-                       content_retriever):
-    if self.media_type in allowed_mediatypes:
-      return self
+    def convert_manifest(
+        self, allowed_mediatypes, namespace_name, repo_name, tag_name, content_retriever
+    ):
+        if self.media_type in allowed_mediatypes:
+            return self
 
-    # If this manifest is not on the allowed list, try to convert the schema 1 version (if any)
-    schema1 = self.get_schema1_manifest(namespace_name, repo_name, tag_name, content_retriever)
-    if schema1 is None:
-      return None
+        # If this manifest is not on the allowed list, try to convert the schema 1 version (if any)
+        schema1 = self.get_schema1_manifest(
+            namespace_name, repo_name, tag_name, content_retriever
+        )
+        if schema1 is None:
+            return None
 
-    return schema1.convert_manifest(allowed_mediatypes, namespace_name, repo_name, tag_name,
-                                    content_retriever)
+        return schema1.convert_manifest(
+            allowed_mediatypes, namespace_name, repo_name, tag_name, content_retriever
+        )
 
-  def get_schema1_manifest(self, namespace_name, repo_name, tag_name, content_retriever):
-    if self.has_remote_layer:
-      return None
+    def get_schema1_manifest(
+        self, namespace_name, repo_name, tag_name, content_retriever
+    ):
+        if self.has_remote_layer:
+            return None
 
-    v1_builder = DockerSchema1ManifestBuilder(namespace_name, repo_name, tag_name)
-    self._populate_schema1_builder(v1_builder, content_retriever)
-    return v1_builder.build()
+        v1_builder = DockerSchema1ManifestBuilder(namespace_name, repo_name, tag_name)
+        self._populate_schema1_builder(v1_builder, content_retriever)
+        return v1_builder.build()
 
-  def unsigned(self):
-    return self
+    def unsigned(self):
+        return self
 
-  def get_requires_empty_layer_blob(self, content_retriever):
-    schema2_config = self._get_built_config(content_retriever)
-    if schema2_config is None:
-      return None
+    def get_requires_empty_layer_blob(self, content_retriever):
+        schema2_config = self._get_built_config(content_retriever)
+        if schema2_config is None:
+            return None
 
-    return schema2_config.has_empty_layer
+        return schema2_config.has_empty_layer
 
-  def _populate_schema1_builder(self, v1_builder, content_retriever):
-    """ Populates a DockerSchema1ManifestBuilder with the layers and config from
+    def _populate_schema1_builder(self, v1_builder, content_retriever):
+        """ Populates a DockerSchema1ManifestBuilder with the layers and config from
         this schema.
     """
-    assert not self.has_remote_layer
-    schema2_config = self._get_built_config(content_retriever)
-    layers = list(self._manifest_image_layers(content_retriever))
+        assert not self.has_remote_layer
+        schema2_config = self._get_built_config(content_retriever)
+        layers = list(self._manifest_image_layers(content_retriever))
 
-    for index, layer in enumerate(reversed(layers)): # Schema 1 layers are in reverse order
-      v1_compatibility = schema2_config.build_v1_compatibility(layer.history,
-                                                               layer.v1_id,
-                                                               layer.v1_parent_id,
-                                                               index == 0,
-                                                               layer.compressed_size)
-      v1_builder.add_layer(str(layer.blob_digest), json.dumps(v1_compatibility))
+        for index, layer in enumerate(
+            reversed(layers)
+        ):  # Schema 1 layers are in reverse order
+            v1_compatibility = schema2_config.build_v1_compatibility(
+                layer.history,
+                layer.v1_id,
+                layer.v1_parent_id,
+                index == 0,
+                layer.compressed_size,
+            )
+            v1_builder.add_layer(str(layer.blob_digest), json.dumps(v1_compatibility))
 
-    return v1_builder
+        return v1_builder
 
-  def _get_built_config(self, content_retriever):
-    if self._cached_built_config:
-      return self._cached_built_config
+    def _get_built_config(self, content_retriever):
+        if self._cached_built_config:
+            return self._cached_built_config
 
-    config_bytes = content_retriever.get_blob_bytes_with_digest(self.config.digest)
-    if config_bytes is None:
-      raise MalformedSchema2Manifest('Could not load config blob for manifest')
+        config_bytes = content_retriever.get_blob_bytes_with_digest(self.config.digest)
+        if config_bytes is None:
+            raise MalformedSchema2Manifest("Could not load config blob for manifest")
 
-    if len(config_bytes) != self.config.size:
-      msg = 'Size of config does not match that retrieved: %s vs %s' % (len(config_bytes),
-                                                                        self.config.size)
-      raise MalformedSchema2Manifest(msg)
+        if len(config_bytes) != self.config.size:
+            msg = "Size of config does not match that retrieved: %s vs %s" % (
+                len(config_bytes),
+                self.config.size,
+            )
+            raise MalformedSchema2Manifest(msg)
 
-    self._cached_built_config = DockerSchema2Config(Bytes.for_string_or_unicode(config_bytes))
-    return self._cached_built_config
+        self._cached_built_config = DockerSchema2Config(
+            Bytes.for_string_or_unicode(config_bytes)
+        )
+        return self._cached_built_config
 
-  def _generate_filesystem_layers(self):
-    for index, layer in enumerate(self._parsed[DOCKER_SCHEMA2_MANIFEST_LAYERS_KEY]):
-      content_type = layer[DOCKER_SCHEMA2_MANIFEST_MEDIATYPE_KEY]
-      is_remote = content_type == DOCKER_SCHEMA2_REMOTE_LAYER_CONTENT_TYPE
+    def _generate_filesystem_layers(self):
+        for index, layer in enumerate(self._parsed[DOCKER_SCHEMA2_MANIFEST_LAYERS_KEY]):
+            content_type = layer[DOCKER_SCHEMA2_MANIFEST_MEDIATYPE_KEY]
+            is_remote = content_type == DOCKER_SCHEMA2_REMOTE_LAYER_CONTENT_TYPE
 
-      try:
-        digest = digest_tools.Digest.parse_digest(layer[DOCKER_SCHEMA2_MANIFEST_DIGEST_KEY])
-      except digest_tools.InvalidDigestException:
-        raise MalformedSchema2Manifest('could not parse manifest digest: %s' %
-                                       layer[DOCKER_SCHEMA2_MANIFEST_DIGEST_KEY])
+            try:
+                digest = digest_tools.Digest.parse_digest(
+                    layer[DOCKER_SCHEMA2_MANIFEST_DIGEST_KEY]
+                )
+            except digest_tools.InvalidDigestException:
+                raise MalformedSchema2Manifest(
+                    "could not parse manifest digest: %s"
+                    % layer[DOCKER_SCHEMA2_MANIFEST_DIGEST_KEY]
+                )
 
-      yield DockerV2ManifestLayer(index=index,
-                                  compressed_size=layer[DOCKER_SCHEMA2_MANIFEST_SIZE_KEY],
-                                  digest=digest,
-                                  is_remote=is_remote,
-                                  urls=layer.get(DOCKER_SCHEMA2_MANIFEST_URLS_KEY))
+            yield DockerV2ManifestLayer(
+                index=index,
+                compressed_size=layer[DOCKER_SCHEMA2_MANIFEST_SIZE_KEY],
+                digest=digest,
+                is_remote=is_remote,
+                urls=layer.get(DOCKER_SCHEMA2_MANIFEST_URLS_KEY),
+            )
 
 
 class DockerSchema2ManifestBuilder(object):
-  """
+    """
   A convenient abstraction around creating new DockerSchema2Manifests.
   """
-  def __init__(self):
-    self.config = None
-    self.filesystem_layers = []
 
-  def set_config(self, schema2_config):
-    """ Sets the configuration for the manifest being built. """
-    self.set_config_digest(schema2_config.digest, schema2_config.size)
+    def __init__(self):
+        self.config = None
+        self.filesystem_layers = []
 
-  def set_config_digest(self, config_digest, config_size):
-    """ Sets the digest and size of the configuration layer. """
-    self.config = DockerV2ManifestConfig(size=config_size, digest=config_digest)
+    def set_config(self, schema2_config):
+        """ Sets the configuration for the manifest being built. """
+        self.set_config_digest(schema2_config.digest, schema2_config.size)
 
-  def add_layer(self, digest, size, urls=None):
-    """ Adds a filesystem layer to the manifest. """
-    self.filesystem_layers.append(DockerV2ManifestLayer(index=len(self.filesystem_layers),
-                                                        digest=digest,
-                                                        compressed_size=size,
-                                                        urls=urls,
-                                                        is_remote=bool(urls)))
+    def set_config_digest(self, config_digest, config_size):
+        """ Sets the digest and size of the configuration layer. """
+        self.config = DockerV2ManifestConfig(size=config_size, digest=config_digest)
 
-  def build(self, ensure_ascii=True):
-    """ Builds and returns the DockerSchema2Manifest. """
-    assert self.filesystem_layers
-    assert self.config
+    def add_layer(self, digest, size, urls=None):
+        """ Adds a filesystem layer to the manifest. """
+        self.filesystem_layers.append(
+            DockerV2ManifestLayer(
+                index=len(self.filesystem_layers),
+                digest=digest,
+                compressed_size=size,
+                urls=urls,
+                is_remote=bool(urls),
+            )
+        )
 
-    def _build_layer(layer):
-      if layer.urls:
-        return {
-          DOCKER_SCHEMA2_MANIFEST_MEDIATYPE_KEY: DOCKER_SCHEMA2_REMOTE_LAYER_CONTENT_TYPE,
-          DOCKER_SCHEMA2_MANIFEST_SIZE_KEY: layer.compressed_size,
-          DOCKER_SCHEMA2_MANIFEST_DIGEST_KEY: str(layer.digest),
-          DOCKER_SCHEMA2_MANIFEST_URLS_KEY: layer.urls,
+    def build(self, ensure_ascii=True):
+        """ Builds and returns the DockerSchema2Manifest. """
+        assert self.filesystem_layers
+        assert self.config
+
+        def _build_layer(layer):
+            if layer.urls:
+                return {
+                    DOCKER_SCHEMA2_MANIFEST_MEDIATYPE_KEY: DOCKER_SCHEMA2_REMOTE_LAYER_CONTENT_TYPE,
+                    DOCKER_SCHEMA2_MANIFEST_SIZE_KEY: layer.compressed_size,
+                    DOCKER_SCHEMA2_MANIFEST_DIGEST_KEY: str(layer.digest),
+                    DOCKER_SCHEMA2_MANIFEST_URLS_KEY: layer.urls,
+                }
+
+            return {
+                DOCKER_SCHEMA2_MANIFEST_MEDIATYPE_KEY: DOCKER_SCHEMA2_LAYER_CONTENT_TYPE,
+                DOCKER_SCHEMA2_MANIFEST_SIZE_KEY: layer.compressed_size,
+                DOCKER_SCHEMA2_MANIFEST_DIGEST_KEY: str(layer.digest),
+            }
+
+        manifest_dict = {
+            DOCKER_SCHEMA2_MANIFEST_VERSION_KEY: 2,
+            DOCKER_SCHEMA2_MANIFEST_MEDIATYPE_KEY: DOCKER_SCHEMA2_MANIFEST_CONTENT_TYPE,
+            # Config
+            DOCKER_SCHEMA2_MANIFEST_CONFIG_KEY: {
+                DOCKER_SCHEMA2_MANIFEST_MEDIATYPE_KEY: DOCKER_SCHEMA2_CONFIG_CONTENT_TYPE,
+                DOCKER_SCHEMA2_MANIFEST_SIZE_KEY: self.config.size,
+                DOCKER_SCHEMA2_MANIFEST_DIGEST_KEY: str(self.config.digest),
+            },
+            # Layers
+            DOCKER_SCHEMA2_MANIFEST_LAYERS_KEY: [
+                _build_layer(layer) for layer in self.filesystem_layers
+            ],
         }
 
-      return {
-        DOCKER_SCHEMA2_MANIFEST_MEDIATYPE_KEY: DOCKER_SCHEMA2_LAYER_CONTENT_TYPE,
-        DOCKER_SCHEMA2_MANIFEST_SIZE_KEY: layer.compressed_size,
-        DOCKER_SCHEMA2_MANIFEST_DIGEST_KEY: str(layer.digest),
-      }
-
-    manifest_dict = {
-      DOCKER_SCHEMA2_MANIFEST_VERSION_KEY: 2,
-      DOCKER_SCHEMA2_MANIFEST_MEDIATYPE_KEY: DOCKER_SCHEMA2_MANIFEST_CONTENT_TYPE,
-
-      # Config
-      DOCKER_SCHEMA2_MANIFEST_CONFIG_KEY: {
-        DOCKER_SCHEMA2_MANIFEST_MEDIATYPE_KEY: DOCKER_SCHEMA2_CONFIG_CONTENT_TYPE,
-        DOCKER_SCHEMA2_MANIFEST_SIZE_KEY: self.config.size,
-        DOCKER_SCHEMA2_MANIFEST_DIGEST_KEY: str(self.config.digest),
-      },
-
-      # Layers
-      DOCKER_SCHEMA2_MANIFEST_LAYERS_KEY: [
-        _build_layer(layer) for layer in self.filesystem_layers
-      ],
-    }
-
-    json_str = json.dumps(manifest_dict, ensure_ascii=ensure_ascii, indent=3)
-    return DockerSchema2Manifest(Bytes.for_string_or_unicode(json_str))
+        json_str = json.dumps(manifest_dict, ensure_ascii=ensure_ascii, indent=3)
+        return DockerSchema2Manifest(Bytes.for_string_or_unicode(json_str))
diff --git a/image/docker/schema2/test/test_config.py b/image/docker/schema2/test/test_config.py
index ba59feea3..d90ad0206 100644
--- a/image/docker/schema2/test/test_config.py
+++ b/image/docker/schema2/test/test_config.py
@@ -4,130 +4,125 @@ import pytest
 from image.docker.schema2.config import MalformedSchema2Config, DockerSchema2Config
 from util.bytes import Bytes
 
-@pytest.mark.parametrize('json_data', [
-  '',
-  '{}',
-  """
+
+@pytest.mark.parametrize(
+    "json_data",
+    [
+        "",
+        "{}",
+        """
   {
     "unknown": "key"
   }
   """,
-])
+    ],
+)
 def test_malformed_configs(json_data):
-  with pytest.raises(MalformedSchema2Config):
-    DockerSchema2Config(Bytes.for_string_or_unicode(json_data))
+    with pytest.raises(MalformedSchema2Config):
+        DockerSchema2Config(Bytes.for_string_or_unicode(json_data))
 
-CONFIG_BYTES = json.dumps({
-  "architecture": "amd64",
-  "config": {
-    "Hostname": "",
-    "Domainname": "",
-    "User": "",
-    "AttachStdin": False,
-    "AttachStdout": False,
-    "AttachStderr": False,
-    "Tty": False,
-    "OpenStdin": False,
-    "StdinOnce": False,
-    "Env": [
-      "HTTP_PROXY=http:\/\/localhost:8080",
-      "http_proxy=http:\/\/localhost:8080",
-      "PATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/usr\/sbin:\/usr\/bin:\/sbin:\/bin"
-    ],
-    "Cmd": [
-      "sh"
-    ],
-    "Image": "",
-    "Volumes": None,
-    "WorkingDir": "",
-    "Entrypoint": None,
-    "OnBuild": None,
-    "Labels": {
-      
+
+CONFIG_BYTES = json.dumps(
+    {
+        "architecture": "amd64",
+        "config": {
+            "Hostname": "",
+            "Domainname": "",
+            "User": "",
+            "AttachStdin": False,
+            "AttachStdout": False,
+            "AttachStderr": False,
+            "Tty": False,
+            "OpenStdin": False,
+            "StdinOnce": False,
+            "Env": [
+                "HTTP_PROXY=http:\/\/localhost:8080",
+                "http_proxy=http:\/\/localhost:8080",
+                "PATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/usr\/sbin:\/usr\/bin:\/sbin:\/bin",
+            ],
+            "Cmd": ["sh"],
+            "Image": "",
+            "Volumes": None,
+            "WorkingDir": "",
+            "Entrypoint": None,
+            "OnBuild": None,
+            "Labels": {},
+        },
+        "container": "b7a43694b435c8e9932615643f61f975a9213e453b15cd6c2a386f144a2d2de9",
+        "container_config": {
+            "Hostname": "b7a43694b435",
+            "Domainname": "",
+            "User": "",
+            "AttachStdin": True,
+            "AttachStdout": True,
+            "AttachStderr": True,
+            "Tty": True,
+            "OpenStdin": True,
+            "StdinOnce": True,
+            "Env": [
+                "HTTP_PROXY=http:\/\/localhost:8080",
+                "http_proxy=http:\/\/localhost:8080",
+                "PATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/usr\/sbin:\/usr\/bin:\/sbin:\/bin",
+            ],
+            "Cmd": ["sh"],
+            "Image": "jschorr\/somerepo",
+            "Volumes": None,
+            "WorkingDir": "",
+            "Entrypoint": None,
+            "OnBuild": None,
+            "Labels": {},
+        },
+        "created": "2018-04-16T10:41:19.079522722Z",
+        "docker_version": "17.09.0-ce",
+        "history": [
+            {
+                "created": "2018-04-03T18:37:09.284840891Z",
+                "created_by": "\/bin\/sh -c #(nop) ADD file:9e4ca21cbd24dc05b454b6be21c7c639216ae66559b21ba24af0d665c62620dc in \/ ",
+            },
+            {
+                "created": "2018-04-03T18:37:09.613317719Z",
+                "created_by": '/bin/sh -c #(nop)  CMD ["sh"]',
+                "empty_layer": True,
+            },
+            {"created": "2018-04-16T10:37:44.418262777Z", "created_by": "sh"},
+            {"created": "2018-04-16T10:41:19.079522722Z", "created_by": "sh"},
+        ],
+        "os": "linux",
+        "rootfs": {
+            "type": "layers",
+            "diff_ids": [
+                "sha256:3e596351c689c8827a3c9635bc1083cff17fa4a174f84f0584bd0ae6f384195b",
+                "sha256:4552be273c71275a88de0b8c8853dcac18cb74d5790f5383d9b38d4ac55062d5",
+                "sha256:1319c76152ca37fbeb7fb71e0ffa7239bc19ffbe3b95c00417ece39d89d06e6e",
+            ],
+        },
     }
-  },
-  "container": "b7a43694b435c8e9932615643f61f975a9213e453b15cd6c2a386f144a2d2de9",
-  "container_config": {
-    "Hostname": "b7a43694b435",
-    "Domainname": "",
-    "User": "",
-    "AttachStdin": True,
-    "AttachStdout": True,
-    "AttachStderr": True,
-    "Tty": True,
-    "OpenStdin": True,
-    "StdinOnce": True,
-    "Env": [
-      "HTTP_PROXY=http:\/\/localhost:8080",
-      "http_proxy=http:\/\/localhost:8080",
-      "PATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/usr\/sbin:\/usr\/bin:\/sbin:\/bin"
-    ],
-    "Cmd": [
-      "sh"
-    ],
-    "Image": "jschorr\/somerepo",
-    "Volumes": None,
-    "WorkingDir": "",
-    "Entrypoint": None,
-    "OnBuild": None,
-    "Labels": {
-      
-    }
-  },
-  "created": "2018-04-16T10:41:19.079522722Z",
-  "docker_version": "17.09.0-ce",
-  "history": [
-    {
-      "created": "2018-04-03T18:37:09.284840891Z",
-      "created_by": "\/bin\/sh -c #(nop) ADD file:9e4ca21cbd24dc05b454b6be21c7c639216ae66559b21ba24af0d665c62620dc in \/ "
-    },
-    {
-      "created": "2018-04-03T18:37:09.613317719Z",
-      "created_by": "/bin/sh -c #(nop)  CMD [\"sh\"]",
-      "empty_layer": True
-    },
-    {
-      "created": "2018-04-16T10:37:44.418262777Z",
-      "created_by": "sh"
-    },
-    {
-      "created": "2018-04-16T10:41:19.079522722Z",
-      "created_by": "sh"
-    }
-  ],
-  "os": "linux",
-  "rootfs": {
-    "type": "layers",
-    "diff_ids": [
-      "sha256:3e596351c689c8827a3c9635bc1083cff17fa4a174f84f0584bd0ae6f384195b",
-      "sha256:4552be273c71275a88de0b8c8853dcac18cb74d5790f5383d9b38d4ac55062d5",
-      "sha256:1319c76152ca37fbeb7fb71e0ffa7239bc19ffbe3b95c00417ece39d89d06e6e"
-    ]
-  }
-})
+)
+
 
 def test_valid_config():
-  config = DockerSchema2Config(Bytes.for_string_or_unicode(CONFIG_BYTES))
-  history = list(config.history)
-  assert len(history) == 4
+    config = DockerSchema2Config(Bytes.for_string_or_unicode(CONFIG_BYTES))
+    history = list(config.history)
+    assert len(history) == 4
 
-  assert not history[0].is_empty
-  assert history[1].is_empty
+    assert not history[0].is_empty
+    assert history[1].is_empty
 
-  assert history[0].created_datetime.year == 2018
-  assert history[1].command == '/bin/sh -c #(nop)  CMD ["sh"]'
-  assert history[2].command == 'sh'
+    assert history[0].created_datetime.year == 2018
+    assert history[1].command == '/bin/sh -c #(nop)  CMD ["sh"]'
+    assert history[2].command == "sh"
 
-  for index, history_entry in enumerate(history):
-    v1_compat = config.build_v1_compatibility(history_entry, 'somev1id', 'someparentid',
-                                              index == 3)
-    assert v1_compat['id'] == 'somev1id'
-    assert v1_compat['parent'] == 'someparentid'
+    for index, history_entry in enumerate(history):
+        v1_compat = config.build_v1_compatibility(
+            history_entry, "somev1id", "someparentid", index == 3
+        )
+        assert v1_compat["id"] == "somev1id"
+        assert v1_compat["parent"] == "someparentid"
 
-    if index == 3:
-      assert v1_compat['container_config'] == config._parsed['container_config']
-    else:
-      assert 'Hostname' not in v1_compat['container_config']
-      assert v1_compat['container_config']['Cmd'] == [history_entry.command]
+        if index == 3:
+            assert v1_compat["container_config"] == config._parsed["container_config"]
+        else:
+            assert "Hostname" not in v1_compat["container_config"]
+            assert v1_compat["container_config"]["Cmd"] == [history_entry.command]
 
-  assert config.labels == {}
+    assert config.labels == {}
diff --git a/image/docker/schema2/test/test_conversion.py b/image/docker/schema2/test/test_conversion.py
index 75a1bece9..a65a33ec7 100644
--- a/image/docker/schema2/test/test_conversion.py
+++ b/image/docker/schema2/test/test_conversion.py
@@ -10,106 +10,164 @@ from util.bytes import Bytes
 
 
 def _get_test_file_contents(test_name, kind):
-  filename = '%s.%s.json' % (test_name, kind)
-  data_dir = os.path.dirname(__file__)
-  with open(os.path.join(data_dir, 'conversion_data', filename), 'r') as f:
-    return Bytes.for_string_or_unicode(f.read())
+    filename = "%s.%s.json" % (test_name, kind)
+    data_dir = os.path.dirname(__file__)
+    with open(os.path.join(data_dir, "conversion_data", filename), "r") as f:
+        return Bytes.for_string_or_unicode(f.read())
 
 
-@pytest.mark.parametrize('name, config_sha', [
-  ('simple', 'sha256:e7a06c2e5b7afb1bbfa9124812e87f1138c4c10d77e0a217f0b8c8c9694dc5cf'),
-  ('complex', 'sha256:ae6b78bedf88330a5e5392164f40d28ed8a38120b142905d30b652ebffece10e'),
-  ('ubuntu', 'sha256:93fd78260bd1495afb484371928661f63e64be306b7ac48e2d13ce9422dfee26'),
-])
+@pytest.mark.parametrize(
+    "name, config_sha",
+    [
+        (
+            "simple",
+            "sha256:e7a06c2e5b7afb1bbfa9124812e87f1138c4c10d77e0a217f0b8c8c9694dc5cf",
+        ),
+        (
+            "complex",
+            "sha256:ae6b78bedf88330a5e5392164f40d28ed8a38120b142905d30b652ebffece10e",
+        ),
+        (
+            "ubuntu",
+            "sha256:93fd78260bd1495afb484371928661f63e64be306b7ac48e2d13ce9422dfee26",
+        ),
+    ],
+)
 def test_legacy_layers(name, config_sha):
-  cr = {}
-  cr[config_sha] = _get_test_file_contents(name, 'config').as_encoded_str()
-  retriever = ContentRetrieverForTesting(cr)
+    cr = {}
+    cr[config_sha] = _get_test_file_contents(name, "config").as_encoded_str()
+    retriever = ContentRetrieverForTesting(cr)
 
-  schema2 = DockerSchema2Manifest(_get_test_file_contents(name, 'schema2'))
-  schema1 = DockerSchema1Manifest(_get_test_file_contents(name, 'schema1'), validate=False)
+    schema2 = DockerSchema2Manifest(_get_test_file_contents(name, "schema2"))
+    schema1 = DockerSchema1Manifest(
+        _get_test_file_contents(name, "schema1"), validate=False
+    )
 
-  # Check legacy layers
-  schema2_legacy_layers = list(schema2.generate_legacy_layers({}, retriever))
-  schema1_legacy_layers = list(schema1.generate_legacy_layers({}, retriever))
-  assert len(schema1_legacy_layers) == len(schema2_legacy_layers)
+    # Check legacy layers
+    schema2_legacy_layers = list(schema2.generate_legacy_layers({}, retriever))
+    schema1_legacy_layers = list(schema1.generate_legacy_layers({}, retriever))
+    assert len(schema1_legacy_layers) == len(schema2_legacy_layers)
 
-  for index in range(0, len(schema1_legacy_layers)):
-    schema1_legacy_layer = schema1_legacy_layers[index]
-    schema2_legacy_layer = schema2_legacy_layers[index]
-    assert schema1_legacy_layer.content_checksum == schema2_legacy_layer.content_checksum
-    assert schema1_legacy_layer.comment == schema2_legacy_layer.comment
-    assert schema1_legacy_layer.command == schema2_legacy_layer.command
+    for index in range(0, len(schema1_legacy_layers)):
+        schema1_legacy_layer = schema1_legacy_layers[index]
+        schema2_legacy_layer = schema2_legacy_layers[index]
+        assert (
+            schema1_legacy_layer.content_checksum
+            == schema2_legacy_layer.content_checksum
+        )
+        assert schema1_legacy_layer.comment == schema2_legacy_layer.comment
+        assert schema1_legacy_layer.command == schema2_legacy_layer.command
 
 
-@pytest.mark.parametrize('name, config_sha', [
-  ('simple', 'sha256:e7a06c2e5b7afb1bbfa9124812e87f1138c4c10d77e0a217f0b8c8c9694dc5cf'),
-  ('complex', 'sha256:ae6b78bedf88330a5e5392164f40d28ed8a38120b142905d30b652ebffece10e'),
-  ('ubuntu', 'sha256:93fd78260bd1495afb484371928661f63e64be306b7ac48e2d13ce9422dfee26'),
-])
+@pytest.mark.parametrize(
+    "name, config_sha",
+    [
+        (
+            "simple",
+            "sha256:e7a06c2e5b7afb1bbfa9124812e87f1138c4c10d77e0a217f0b8c8c9694dc5cf",
+        ),
+        (
+            "complex",
+            "sha256:ae6b78bedf88330a5e5392164f40d28ed8a38120b142905d30b652ebffece10e",
+        ),
+        (
+            "ubuntu",
+            "sha256:93fd78260bd1495afb484371928661f63e64be306b7ac48e2d13ce9422dfee26",
+        ),
+    ],
+)
 def test_conversion(name, config_sha):
-  cr = {}
-  cr[config_sha] = _get_test_file_contents(name, 'config').as_encoded_str()
-  retriever = ContentRetrieverForTesting(cr)
+    cr = {}
+    cr[config_sha] = _get_test_file_contents(name, "config").as_encoded_str()
+    retriever = ContentRetrieverForTesting(cr)
 
-  schema2 = DockerSchema2Manifest(_get_test_file_contents(name, 'schema2'))
-  schema1 = DockerSchema1Manifest(_get_test_file_contents(name, 'schema1'), validate=False)
+    schema2 = DockerSchema2Manifest(_get_test_file_contents(name, "schema2"))
+    schema1 = DockerSchema1Manifest(
+        _get_test_file_contents(name, "schema1"), validate=False
+    )
 
-  s2to2 = schema2.convert_manifest([schema2.media_type], 'devtable', 'somerepo', 'latest',
-                                   retriever)
-  assert s2to2 == schema2
+    s2to2 = schema2.convert_manifest(
+        [schema2.media_type], "devtable", "somerepo", "latest", retriever
+    )
+    assert s2to2 == schema2
 
-  s1to1 = schema1.convert_manifest([schema1.media_type], 'devtable', 'somerepo', 'latest',
-                                   retriever)
-  assert s1to1 == schema1
+    s1to1 = schema1.convert_manifest(
+        [schema1.media_type], "devtable", "somerepo", "latest", retriever
+    )
+    assert s1to1 == schema1
 
-  s2to1 = schema2.convert_manifest(DOCKER_SCHEMA1_CONTENT_TYPES, 'devtable', 'somerepo', 'latest',
-                                   retriever)
-  assert s2to1.media_type in DOCKER_SCHEMA1_CONTENT_TYPES
-  assert len(s2to1.layers) == len(schema1.layers)
+    s2to1 = schema2.convert_manifest(
+        DOCKER_SCHEMA1_CONTENT_TYPES, "devtable", "somerepo", "latest", retriever
+    )
+    assert s2to1.media_type in DOCKER_SCHEMA1_CONTENT_TYPES
+    assert len(s2to1.layers) == len(schema1.layers)
 
-  s2toempty = schema2.convert_manifest([], 'devtable', 'somerepo', 'latest', retriever)
-  assert s2toempty is None
+    s2toempty = schema2.convert_manifest(
+        [], "devtable", "somerepo", "latest", retriever
+    )
+    assert s2toempty is None
 
 
-@pytest.mark.parametrize('name, config_sha', [
-  ('simple', 'sha256:e7a06c2e5b7afb1bbfa9124812e87f1138c4c10d77e0a217f0b8c8c9694dc5cf'),
-  ('complex', 'sha256:ae6b78bedf88330a5e5392164f40d28ed8a38120b142905d30b652ebffece10e'),
-  ('ubuntu', 'sha256:93fd78260bd1495afb484371928661f63e64be306b7ac48e2d13ce9422dfee26'),
-])
+@pytest.mark.parametrize(
+    "name, config_sha",
+    [
+        (
+            "simple",
+            "sha256:e7a06c2e5b7afb1bbfa9124812e87f1138c4c10d77e0a217f0b8c8c9694dc5cf",
+        ),
+        (
+            "complex",
+            "sha256:ae6b78bedf88330a5e5392164f40d28ed8a38120b142905d30b652ebffece10e",
+        ),
+        (
+            "ubuntu",
+            "sha256:93fd78260bd1495afb484371928661f63e64be306b7ac48e2d13ce9422dfee26",
+        ),
+    ],
+)
 def test_2to1_conversion(name, config_sha):
-  cr = {}
-  cr[config_sha] = _get_test_file_contents(name, 'config').as_encoded_str()
-  retriever = ContentRetrieverForTesting(cr)
+    cr = {}
+    cr[config_sha] = _get_test_file_contents(name, "config").as_encoded_str()
+    retriever = ContentRetrieverForTesting(cr)
 
-  schema2 = DockerSchema2Manifest(_get_test_file_contents(name, 'schema2'))
-  schema1 = DockerSchema1Manifest(_get_test_file_contents(name, 'schema1'), validate=False)
+    schema2 = DockerSchema2Manifest(_get_test_file_contents(name, "schema2"))
+    schema1 = DockerSchema1Manifest(
+        _get_test_file_contents(name, "schema1"), validate=False
+    )
 
-  converted = schema2.get_schema1_manifest('devtable', 'somerepo', 'latest', retriever)
-  assert len(converted.layers) == len(schema1.layers)
+    converted = schema2.get_schema1_manifest(
+        "devtable", "somerepo", "latest", retriever
+    )
+    assert len(converted.layers) == len(schema1.layers)
 
-  image_id_map = {}
-  for index in range(0, len(converted.layers)):
-    converted_layer = converted.layers[index]
-    schema1_layer = schema1.layers[index]
+    image_id_map = {}
+    for index in range(0, len(converted.layers)):
+        converted_layer = converted.layers[index]
+        schema1_layer = schema1.layers[index]
 
-    image_id_map[schema1_layer.v1_metadata.image_id] = converted_layer.v1_metadata.image_id
+        image_id_map[
+            schema1_layer.v1_metadata.image_id
+        ] = converted_layer.v1_metadata.image_id
 
-    assert str(schema1_layer.digest) == str(converted_layer.digest)
+        assert str(schema1_layer.digest) == str(converted_layer.digest)
 
-    schema1_parent_id = schema1_layer.v1_metadata.parent_image_id
-    converted_parent_id = converted_layer.v1_metadata.parent_image_id
-    assert (schema1_parent_id is None) == (converted_parent_id is None)
+        schema1_parent_id = schema1_layer.v1_metadata.parent_image_id
+        converted_parent_id = converted_layer.v1_metadata.parent_image_id
+        assert (schema1_parent_id is None) == (converted_parent_id is None)
 
-    if schema1_parent_id is not None:
-      assert image_id_map[schema1_parent_id] == converted_parent_id
+        if schema1_parent_id is not None:
+            assert image_id_map[schema1_parent_id] == converted_parent_id
 
-    assert schema1_layer.v1_metadata.created == converted_layer.v1_metadata.created
-    assert schema1_layer.v1_metadata.comment == converted_layer.v1_metadata.comment
-    assert schema1_layer.v1_metadata.command == converted_layer.v1_metadata.command
-    assert schema1_layer.v1_metadata.labels == converted_layer.v1_metadata.labels
+        assert schema1_layer.v1_metadata.created == converted_layer.v1_metadata.created
+        assert schema1_layer.v1_metadata.comment == converted_layer.v1_metadata.comment
+        assert schema1_layer.v1_metadata.command == converted_layer.v1_metadata.command
+        assert schema1_layer.v1_metadata.labels == converted_layer.v1_metadata.labels
 
-    schema1_container_config = json.loads(schema1_layer.raw_v1_metadata)['container_config']
-    converted_container_config = json.loads(converted_layer.raw_v1_metadata)['container_config']
+        schema1_container_config = json.loads(schema1_layer.raw_v1_metadata)[
+            "container_config"
+        ]
+        converted_container_config = json.loads(converted_layer.raw_v1_metadata)[
+            "container_config"
+        ]
 
-    assert schema1_container_config == converted_container_config
+        assert schema1_container_config == converted_container_config
diff --git a/image/docker/schema2/test/test_list.py b/image/docker/schema2/test/test_list.py
index 04a321ce0..bde57c619 100644
--- a/image/docker/schema2/test/test_list.py
+++ b/image/docker/schema2/test/test_list.py
@@ -1,151 +1,173 @@
 import json
 import pytest
 
-from image.docker.schema1 import (DockerSchema1Manifest, DOCKER_SCHEMA1_CONTENT_TYPES,
-                                  DockerSchema1ManifestBuilder)
+from image.docker.schema1 import (
+    DockerSchema1Manifest,
+    DOCKER_SCHEMA1_CONTENT_TYPES,
+    DockerSchema1ManifestBuilder,
+)
 from image.docker.schema2 import DOCKER_SCHEMA2_MANIFEST_CONTENT_TYPE
 from image.docker.schema2.manifest import DockerSchema2Manifest
-from image.docker.schema2.list import (MalformedSchema2ManifestList, DockerSchema2ManifestList,
-                                       DockerSchema2ManifestListBuilder, MismatchManifestException)
+from image.docker.schema2.list import (
+    MalformedSchema2ManifestList,
+    DockerSchema2ManifestList,
+    DockerSchema2ManifestListBuilder,
+    MismatchManifestException,
+)
 from image.docker.schema2.test.test_manifest import MANIFEST_BYTES as v22_bytes
 from image.docker.schemautil import ContentRetrieverForTesting
 from image.docker.test.test_schema1 import MANIFEST_BYTES as v21_bytes
 from util.bytes import Bytes
 
 
-@pytest.mark.parametrize('json_data', [
-  '',
-  '{}',
-  """
+@pytest.mark.parametrize(
+    "json_data",
+    [
+        "",
+        "{}",
+        """
   {
     "unknown": "key"
   }
   """,
-])
+    ],
+)
 def test_malformed_manifest_lists(json_data):
-  with pytest.raises(MalformedSchema2ManifestList):
-    DockerSchema2ManifestList(Bytes.for_string_or_unicode(json_data))
+    with pytest.raises(MalformedSchema2ManifestList):
+        DockerSchema2ManifestList(Bytes.for_string_or_unicode(json_data))
 
 
-MANIFESTLIST_BYTES = json.dumps({
-  "schemaVersion": 2,
-  "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
-  "manifests": [
+MANIFESTLIST_BYTES = json.dumps(
     {
-      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
-      "size": 946,
-      "digest": "sha256:e6",
-      "platform": {
-        "architecture": "ppc64le",
-        "os": "linux",
-      }
-    },
-    {
-      "mediaType": "application/vnd.docker.distribution.manifest.v1+json",
-      "size": 878,
-      "digest": "sha256:5b",
-      "platform": {
-        "architecture": "amd64",
-        "os": "linux",
-        "features": [
-          "sse4"
-        ]
-      }
+        "schemaVersion": 2,
+        "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
+        "manifests": [
+            {
+                "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
+                "size": 946,
+                "digest": "sha256:e6",
+                "platform": {"architecture": "ppc64le", "os": "linux"},
+            },
+            {
+                "mediaType": "application/vnd.docker.distribution.manifest.v1+json",
+                "size": 878,
+                "digest": "sha256:5b",
+                "platform": {
+                    "architecture": "amd64",
+                    "os": "linux",
+                    "features": ["sse4"],
+                },
+            },
+        ],
     }
-  ]
-})
+)
 
-NO_AMD_MANIFESTLIST_BYTES = json.dumps({
-  "schemaVersion": 2,
-  "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
-  "manifests": [
+NO_AMD_MANIFESTLIST_BYTES = json.dumps(
     {
-      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
-      "size": 946,
-      "digest": "sha256:e6",
-      "platform": {
-        "architecture": "ppc64le",
-        "os": "linux",
-      }
-    },
-  ]
-})
+        "schemaVersion": 2,
+        "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
+        "manifests": [
+            {
+                "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
+                "size": 946,
+                "digest": "sha256:e6",
+                "platform": {"architecture": "ppc64le", "os": "linux"},
+            }
+        ],
+    }
+)
+
+retriever = ContentRetrieverForTesting({"sha256:e6": v22_bytes, "sha256:5b": v21_bytes})
 
-retriever = ContentRetrieverForTesting({
-  'sha256:e6': v22_bytes,
-  'sha256:5b': v21_bytes,
-})
 
 def test_valid_manifestlist():
-  manifestlist = DockerSchema2ManifestList(Bytes.for_string_or_unicode(MANIFESTLIST_BYTES))
-  assert len(manifestlist.manifests(retriever)) == 2
+    manifestlist = DockerSchema2ManifestList(
+        Bytes.for_string_or_unicode(MANIFESTLIST_BYTES)
+    )
+    assert len(manifestlist.manifests(retriever)) == 2
 
-  assert manifestlist.media_type == 'application/vnd.docker.distribution.manifest.list.v2+json'
-  assert manifestlist.bytes.as_encoded_str() == MANIFESTLIST_BYTES
-  assert manifestlist.manifest_dict == json.loads(MANIFESTLIST_BYTES)
-  assert manifestlist.get_layers(retriever) is None
-  assert not manifestlist.blob_digests
+    assert (
+        manifestlist.media_type
+        == "application/vnd.docker.distribution.manifest.list.v2+json"
+    )
+    assert manifestlist.bytes.as_encoded_str() == MANIFESTLIST_BYTES
+    assert manifestlist.manifest_dict == json.loads(MANIFESTLIST_BYTES)
+    assert manifestlist.get_layers(retriever) is None
+    assert not manifestlist.blob_digests
 
-  for index, manifest in enumerate(manifestlist.manifests(retriever)):
-    if index == 0:
-      assert isinstance(manifest.manifest_obj, DockerSchema2Manifest)
-      assert manifest.manifest_obj.schema_version == 2
-    else:
-      assert isinstance(manifest.manifest_obj, DockerSchema1Manifest)
-      assert manifest.manifest_obj.schema_version == 1
+    for index, manifest in enumerate(manifestlist.manifests(retriever)):
+        if index == 0:
+            assert isinstance(manifest.manifest_obj, DockerSchema2Manifest)
+            assert manifest.manifest_obj.schema_version == 2
+        else:
+            assert isinstance(manifest.manifest_obj, DockerSchema1Manifest)
+            assert manifest.manifest_obj.schema_version == 1
 
-  # Check retrieval of a schema 2 manifest. This should return None, because the schema 2 manifest
-  # is not amd64-compatible.
-  schema2_manifest = manifestlist.convert_manifest([DOCKER_SCHEMA2_MANIFEST_CONTENT_TYPE], 'foo',
-                                                   'bar', 'baz', retriever)
-  assert schema2_manifest is None
+    # Check retrieval of a schema 2 manifest. This should return None, because the schema 2 manifest
+    # is not amd64-compatible.
+    schema2_manifest = manifestlist.convert_manifest(
+        [DOCKER_SCHEMA2_MANIFEST_CONTENT_TYPE], "foo", "bar", "baz", retriever
+    )
+    assert schema2_manifest is None
 
-  # Check retrieval of a schema 1 manifest.
-  compatible_manifest = manifestlist.get_schema1_manifest('foo', 'bar', 'baz', retriever)
-  assert compatible_manifest.schema_version == 1
+    # Check retrieval of a schema 1 manifest.
+    compatible_manifest = manifestlist.get_schema1_manifest(
+        "foo", "bar", "baz", retriever
+    )
+    assert compatible_manifest.schema_version == 1
 
-  schema1_manifest = manifestlist.convert_manifest(DOCKER_SCHEMA1_CONTENT_TYPES, 'foo',
-                                                   'bar', 'baz', retriever)
-  assert schema1_manifest.schema_version == 1
-  assert schema1_manifest.digest == compatible_manifest.digest
+    schema1_manifest = manifestlist.convert_manifest(
+        DOCKER_SCHEMA1_CONTENT_TYPES, "foo", "bar", "baz", retriever
+    )
+    assert schema1_manifest.schema_version == 1
+    assert schema1_manifest.digest == compatible_manifest.digest
 
-  # Ensure it validates.
-  manifestlist.validate(retriever)
+    # Ensure it validates.
+    manifestlist.validate(retriever)
 
 
 def test_get_schema1_manifest_no_matching_list():
-  manifestlist = DockerSchema2ManifestList(Bytes.for_string_or_unicode(NO_AMD_MANIFESTLIST_BYTES))
-  assert len(manifestlist.manifests(retriever)) == 1
+    manifestlist = DockerSchema2ManifestList(
+        Bytes.for_string_or_unicode(NO_AMD_MANIFESTLIST_BYTES)
+    )
+    assert len(manifestlist.manifests(retriever)) == 1
 
-  assert manifestlist.media_type == 'application/vnd.docker.distribution.manifest.list.v2+json'
-  assert manifestlist.bytes.as_encoded_str() == NO_AMD_MANIFESTLIST_BYTES
+    assert (
+        manifestlist.media_type
+        == "application/vnd.docker.distribution.manifest.list.v2+json"
+    )
+    assert manifestlist.bytes.as_encoded_str() == NO_AMD_MANIFESTLIST_BYTES
 
-  compatible_manifest = manifestlist.get_schema1_manifest('foo', 'bar', 'baz', retriever)
-  assert compatible_manifest is None
+    compatible_manifest = manifestlist.get_schema1_manifest(
+        "foo", "bar", "baz", retriever
+    )
+    assert compatible_manifest is None
 
 
 def test_builder():
-  existing = DockerSchema2ManifestList(Bytes.for_string_or_unicode(MANIFESTLIST_BYTES))
-  builder = DockerSchema2ManifestListBuilder()
-  for index, manifest in enumerate(existing.manifests(retriever)):
-    builder.add_manifest(manifest.manifest_obj, "amd64", "os")
+    existing = DockerSchema2ManifestList(
+        Bytes.for_string_or_unicode(MANIFESTLIST_BYTES)
+    )
+    builder = DockerSchema2ManifestListBuilder()
+    for index, manifest in enumerate(existing.manifests(retriever)):
+        builder.add_manifest(manifest.manifest_obj, "amd64", "os")
 
-  built = builder.build()
-  assert len(built.manifests(retriever)) == 2
+    built = builder.build()
+    assert len(built.manifests(retriever)) == 2
 
 
 def test_invalid_manifestlist():
-  # Build a manifest list with a schema 1 manifest of the wrong architecture.
-  builder = DockerSchema1ManifestBuilder('foo', 'bar', 'baz')
-  builder.add_layer('sha:2356', '{"id": "foo"}')
-  manifest = builder.build().unsigned()
+    # Build a manifest list with a schema 1 manifest of the wrong architecture.
+    builder = DockerSchema1ManifestBuilder("foo", "bar", "baz")
+    builder.add_layer("sha:2356", '{"id": "foo"}')
+    manifest = builder.build().unsigned()
 
-  listbuilder = DockerSchema2ManifestListBuilder()
-  listbuilder.add_manifest(manifest, 'amd32', 'linux')
-  manifestlist = listbuilder.build()
+    listbuilder = DockerSchema2ManifestListBuilder()
+    listbuilder.add_manifest(manifest, "amd32", "linux")
+    manifestlist = listbuilder.build()
 
-  retriever = ContentRetrieverForTesting()
-  retriever.add_digest(manifest.digest, manifest.bytes.as_encoded_str())
+    retriever = ContentRetrieverForTesting()
+    retriever.add_digest(manifest.digest, manifest.bytes.as_encoded_str())
 
-  with pytest.raises(MismatchManifestException):
-    manifestlist.validate(retriever)
+    with pytest.raises(MismatchManifestException):
+        manifestlist.validate(retriever)
diff --git a/image/docker/schema2/test/test_manifest.py b/image/docker/schema2/test/test_manifest.py
index 6d2193b6d..7f5cc13e8 100644
--- a/image/docker/schema2/test/test_manifest.py
+++ b/image/docker/schema2/test/test_manifest.py
@@ -5,418 +5,446 @@ import pytest
 import os
 
 from app import docker_v2_signing_key
-from image.docker.schema1 import (DockerSchema1ManifestBuilder,
-                                  DOCKER_SCHEMA1_SIGNED_MANIFEST_CONTENT_TYPE,
-                                  DOCKER_SCHEMA1_MANIFEST_CONTENT_TYPE)
-from image.docker.schema2.manifest import (MalformedSchema2Manifest, DockerSchema2Manifest,
-                                           DockerSchema2ManifestBuilder, EMPTY_LAYER_BLOB_DIGEST)
+from image.docker.schema1 import (
+    DockerSchema1ManifestBuilder,
+    DOCKER_SCHEMA1_SIGNED_MANIFEST_CONTENT_TYPE,
+    DOCKER_SCHEMA1_MANIFEST_CONTENT_TYPE,
+)
+from image.docker.schema2.manifest import (
+    MalformedSchema2Manifest,
+    DockerSchema2Manifest,
+    DockerSchema2ManifestBuilder,
+    EMPTY_LAYER_BLOB_DIGEST,
+)
 from image.docker.schema2.config import DockerSchema2Config
 from image.docker.schema2.test.test_config import CONFIG_BYTES
 from image.docker.schemautil import ContentRetrieverForTesting
 from util.bytes import Bytes
 
 
-@pytest.mark.parametrize('json_data', [
-  '',
-  '{}',
-  """
+@pytest.mark.parametrize(
+    "json_data",
+    [
+        "",
+        "{}",
+        """
   {
     "unknown": "key"
   }
   """,
-])
+    ],
+)
 def test_malformed_manifests(json_data):
-  with pytest.raises(MalformedSchema2Manifest):
-    DockerSchema2Manifest(Bytes.for_string_or_unicode(json_data))
+    with pytest.raises(MalformedSchema2Manifest):
+        DockerSchema2Manifest(Bytes.for_string_or_unicode(json_data))
 
 
-MANIFEST_BYTES = json.dumps({
-  "schemaVersion": 2,
-  "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
-  "config": {
-    "mediaType": "application/vnd.docker.container.image.v1+json",
-    "size": 1885,
-    "digest": "sha256:b5b2b2c507a0944348e0303114d8d93aaaa081732b86451d9bce1f432a537bc7"
-  },
-  "layers": [
+MANIFEST_BYTES = json.dumps(
     {
-      "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
-      "size": 1234,
-      "digest": "sha256:ec4b8955958665577945c89419d1af06b5f7636b4ac3da7f12184802ad867736",
-    },
-    {
-      "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
-      "size": 32654,
-      "digest": "sha256:e692418e4cbaf90ca69d05a66403747baa33ee08806650b51fab815ad7fc331f"
-    },
-    {
-      "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
-      "size": 16724,
-      "digest": "sha256:3c3a4604a545cdc127456d94e421cd355bca5b528f4a9c1905b15da2eb4a4c6b"
-    },
-    {
-      "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
-      "size": 73109,
-      "digest": "sha256:ec4b8955958665577945c89419d1af06b5f7636b4ac3da7f12184802ad867736"
-    },
-  ],
-})
+        "schemaVersion": 2,
+        "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
+        "config": {
+            "mediaType": "application/vnd.docker.container.image.v1+json",
+            "size": 1885,
+            "digest": "sha256:b5b2b2c507a0944348e0303114d8d93aaaa081732b86451d9bce1f432a537bc7",
+        },
+        "layers": [
+            {
+                "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
+                "size": 1234,
+                "digest": "sha256:ec4b8955958665577945c89419d1af06b5f7636b4ac3da7f12184802ad867736",
+            },
+            {
+                "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
+                "size": 32654,
+                "digest": "sha256:e692418e4cbaf90ca69d05a66403747baa33ee08806650b51fab815ad7fc331f",
+            },
+            {
+                "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
+                "size": 16724,
+                "digest": "sha256:3c3a4604a545cdc127456d94e421cd355bca5b528f4a9c1905b15da2eb4a4c6b",
+            },
+            {
+                "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
+                "size": 73109,
+                "digest": "sha256:ec4b8955958665577945c89419d1af06b5f7636b4ac3da7f12184802ad867736",
+            },
+        ],
+    }
+)
 
-REMOTE_MANIFEST_BYTES = json.dumps({
-  "schemaVersion": 2,
-  "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
-  "config": {
-    "mediaType": "application/vnd.docker.container.image.v1+json",
-    "size": 1885,
-    "digest": "sha256:b5b2b2c507a0944348e0303114d8d93aaaa081732b86451d9bce1f432a537bc7",
-  },
-  "layers": [
+REMOTE_MANIFEST_BYTES = json.dumps(
     {
-      "mediaType": "application/vnd.docker.image.rootfs.foreign.diff.tar.gzip",
-      "size": 1234,
-      "digest": "sha256:ec4b8955958665577945c89419d1af06b5f7636b4ac3da7f12184802ad867736",
-      "urls": ['http://some/url'],
-    },
-    {
-      "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
-      "size": 32654,
-      "digest": "sha256:e692418e4cbaf90ca69d05a66403747baa33ee08806650b51fab815ad7fc331f"
-    },
-    {
-      "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
-      "size": 16724,
-      "digest": "sha256:3c3a4604a545cdc127456d94e421cd355bca5b528f4a9c1905b15da2eb4a4c6b"
-    },
-    {
-      "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
-      "size": 73109,
-      "digest": "sha256:ec4b8955958665577945c89419d1af06b5f7636b4ac3da7f12184802ad867736"
-    },
-  ],
-})
+        "schemaVersion": 2,
+        "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
+        "config": {
+            "mediaType": "application/vnd.docker.container.image.v1+json",
+            "size": 1885,
+            "digest": "sha256:b5b2b2c507a0944348e0303114d8d93aaaa081732b86451d9bce1f432a537bc7",
+        },
+        "layers": [
+            {
+                "mediaType": "application/vnd.docker.image.rootfs.foreign.diff.tar.gzip",
+                "size": 1234,
+                "digest": "sha256:ec4b8955958665577945c89419d1af06b5f7636b4ac3da7f12184802ad867736",
+                "urls": ["http://some/url"],
+            },
+            {
+                "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
+                "size": 32654,
+                "digest": "sha256:e692418e4cbaf90ca69d05a66403747baa33ee08806650b51fab815ad7fc331f",
+            },
+            {
+                "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
+                "size": 16724,
+                "digest": "sha256:3c3a4604a545cdc127456d94e421cd355bca5b528f4a9c1905b15da2eb4a4c6b",
+            },
+            {
+                "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
+                "size": 73109,
+                "digest": "sha256:ec4b8955958665577945c89419d1af06b5f7636b4ac3da7f12184802ad867736",
+            },
+        ],
+    }
+)
+
 
 def test_valid_manifest():
-  manifest = DockerSchema2Manifest(Bytes.for_string_or_unicode(MANIFEST_BYTES))
-  assert manifest.config.size == 1885
-  assert str(manifest.config.digest) == 'sha256:b5b2b2c507a0944348e0303114d8d93aaaa081732b86451d9bce1f432a537bc7'
-  assert manifest.media_type == "application/vnd.docker.distribution.manifest.v2+json"
-  assert not manifest.has_remote_layer
-  assert manifest.has_legacy_image
+    manifest = DockerSchema2Manifest(Bytes.for_string_or_unicode(MANIFEST_BYTES))
+    assert manifest.config.size == 1885
+    assert (
+        str(manifest.config.digest)
+        == "sha256:b5b2b2c507a0944348e0303114d8d93aaaa081732b86451d9bce1f432a537bc7"
+    )
+    assert manifest.media_type == "application/vnd.docker.distribution.manifest.v2+json"
+    assert not manifest.has_remote_layer
+    assert manifest.has_legacy_image
 
-  retriever = ContentRetrieverForTesting.for_config({
-    "config": {
-      "Labels": {},
-    },
-    "rootfs": {"type": "layers", "diff_ids": []},
-    "history": [
-      {
-        "created": "2018-04-03T18:37:09.284840891Z",
-        "created_by": "foo"
-      },
-      {
-        "created": "2018-04-12T18:37:09.284840891Z",
-        "created_by": "bar"
-      },
-      {
-        "created": "2018-04-03T18:37:09.284840891Z",
-        "created_by": "foo"
-      },
-      {
-        "created": "2018-04-12T18:37:09.284840891Z",
-        "created_by": "bar"
-      },
-    ],
-  }, 'sha256:b5b2b2c507a0944348e0303114d8d93aaaa081732b86451d9bce1f432a537bc7', 1885)
+    retriever = ContentRetrieverForTesting.for_config(
+        {
+            "config": {"Labels": {}},
+            "rootfs": {"type": "layers", "diff_ids": []},
+            "history": [
+                {"created": "2018-04-03T18:37:09.284840891Z", "created_by": "foo"},
+                {"created": "2018-04-12T18:37:09.284840891Z", "created_by": "bar"},
+                {"created": "2018-04-03T18:37:09.284840891Z", "created_by": "foo"},
+                {"created": "2018-04-12T18:37:09.284840891Z", "created_by": "bar"},
+            ],
+        },
+        "sha256:b5b2b2c507a0944348e0303114d8d93aaaa081732b86451d9bce1f432a537bc7",
+        1885,
+    )
 
-  assert len(manifest.filesystem_layers) == 4
-  assert manifest.filesystem_layers[0].compressed_size == 1234
-  assert str(manifest.filesystem_layers[0].digest) == 'sha256:ec4b8955958665577945c89419d1af06b5f7636b4ac3da7f12184802ad867736'
-  assert not manifest.filesystem_layers[0].is_remote
+    assert len(manifest.filesystem_layers) == 4
+    assert manifest.filesystem_layers[0].compressed_size == 1234
+    assert (
+        str(manifest.filesystem_layers[0].digest)
+        == "sha256:ec4b8955958665577945c89419d1af06b5f7636b4ac3da7f12184802ad867736"
+    )
+    assert not manifest.filesystem_layers[0].is_remote
 
-  assert manifest.leaf_filesystem_layer == manifest.filesystem_layers[3]
-  assert not manifest.leaf_filesystem_layer.is_remote
-  assert manifest.leaf_filesystem_layer.compressed_size == 73109
+    assert manifest.leaf_filesystem_layer == manifest.filesystem_layers[3]
+    assert not manifest.leaf_filesystem_layer.is_remote
+    assert manifest.leaf_filesystem_layer.compressed_size == 73109
 
-  blob_digests = list(manifest.blob_digests)
-  expected = [str(layer.digest) for layer in manifest.filesystem_layers] + [manifest.config.digest]
-  assert blob_digests == expected
-  assert list(manifest.local_blob_digests) == expected
+    blob_digests = list(manifest.blob_digests)
+    expected = [str(layer.digest) for layer in manifest.filesystem_layers] + [
+        manifest.config.digest
+    ]
+    assert blob_digests == expected
+    assert list(manifest.local_blob_digests) == expected
 
-  manifest_image_layers = list(manifest.get_layers(retriever))
-  assert len(manifest_image_layers) == len(list(manifest.filesystem_layers))
-  for index in range(0, 4):
-    assert manifest_image_layers[index].blob_digest == str(manifest.filesystem_layers[index].digest)
+    manifest_image_layers = list(manifest.get_layers(retriever))
+    assert len(manifest_image_layers) == len(list(manifest.filesystem_layers))
+    for index in range(0, 4):
+        assert manifest_image_layers[index].blob_digest == str(
+            manifest.filesystem_layers[index].digest
+        )
 
 
 def test_valid_remote_manifest():
-  manifest = DockerSchema2Manifest(Bytes.for_string_or_unicode(REMOTE_MANIFEST_BYTES))
-  assert manifest.config.size == 1885
-  assert str(manifest.config.digest) == 'sha256:b5b2b2c507a0944348e0303114d8d93aaaa081732b86451d9bce1f432a537bc7'
-  assert manifest.media_type == "application/vnd.docker.distribution.manifest.v2+json"
-  assert manifest.has_remote_layer
+    manifest = DockerSchema2Manifest(Bytes.for_string_or_unicode(REMOTE_MANIFEST_BYTES))
+    assert manifest.config.size == 1885
+    assert (
+        str(manifest.config.digest)
+        == "sha256:b5b2b2c507a0944348e0303114d8d93aaaa081732b86451d9bce1f432a537bc7"
+    )
+    assert manifest.media_type == "application/vnd.docker.distribution.manifest.v2+json"
+    assert manifest.has_remote_layer
 
-  assert len(manifest.filesystem_layers) == 4
-  assert manifest.filesystem_layers[0].compressed_size == 1234
-  assert str(manifest.filesystem_layers[0].digest) == 'sha256:ec4b8955958665577945c89419d1af06b5f7636b4ac3da7f12184802ad867736'
-  assert manifest.filesystem_layers[0].is_remote
-  assert manifest.filesystem_layers[0].urls == ['http://some/url']
+    assert len(manifest.filesystem_layers) == 4
+    assert manifest.filesystem_layers[0].compressed_size == 1234
+    assert (
+        str(manifest.filesystem_layers[0].digest)
+        == "sha256:ec4b8955958665577945c89419d1af06b5f7636b4ac3da7f12184802ad867736"
+    )
+    assert manifest.filesystem_layers[0].is_remote
+    assert manifest.filesystem_layers[0].urls == ["http://some/url"]
 
-  assert manifest.leaf_filesystem_layer == manifest.filesystem_layers[3]
-  assert not manifest.leaf_filesystem_layer.is_remote
-  assert manifest.leaf_filesystem_layer.compressed_size == 73109
+    assert manifest.leaf_filesystem_layer == manifest.filesystem_layers[3]
+    assert not manifest.leaf_filesystem_layer.is_remote
+    assert manifest.leaf_filesystem_layer.compressed_size == 73109
 
-  expected = set([str(layer.digest) for layer in manifest.filesystem_layers] + 
-                 [manifest.config.digest])
+    expected = set(
+        [str(layer.digest) for layer in manifest.filesystem_layers]
+        + [manifest.config.digest]
+    )
 
-  blob_digests = set(manifest.blob_digests)
-  local_digests = set(manifest.local_blob_digests)
+    blob_digests = set(manifest.blob_digests)
+    local_digests = set(manifest.local_blob_digests)
 
-  assert blob_digests == expected
-  assert local_digests == (expected - {manifest.filesystem_layers[0].digest})
+    assert blob_digests == expected
+    assert local_digests == (expected - {manifest.filesystem_layers[0].digest})
 
-  assert manifest.has_remote_layer
-  assert manifest.get_leaf_layer_v1_image_id(None) is None
-  assert manifest.get_legacy_image_ids(None) is None
+    assert manifest.has_remote_layer
+    assert manifest.get_leaf_layer_v1_image_id(None) is None
+    assert manifest.get_legacy_image_ids(None) is None
 
-  retriever = ContentRetrieverForTesting.for_config({
-    "config": {
-      "Labels": {},
-    },
-    "rootfs": {"type": "layers", "diff_ids": []},
-    "history": [
-      {
-        "created": "2018-04-03T18:37:09.284840891Z",
-        "created_by": "foo"
-      },
-      {
-        "created": "2018-04-12T18:37:09.284840891Z",
-        "created_by": "bar"
-      },
-      {
-        "created": "2018-04-03T18:37:09.284840891Z",
-        "created_by": "foo"
-      },
-      {
-        "created": "2018-04-12T18:37:09.284840891Z",
-        "created_by": "bar"
-      },
-    ],
-  }, 'sha256:b5b2b2c507a0944348e0303114d8d93aaaa081732b86451d9bce1f432a537bc7', 1885)
+    retriever = ContentRetrieverForTesting.for_config(
+        {
+            "config": {"Labels": {}},
+            "rootfs": {"type": "layers", "diff_ids": []},
+            "history": [
+                {"created": "2018-04-03T18:37:09.284840891Z", "created_by": "foo"},
+                {"created": "2018-04-12T18:37:09.284840891Z", "created_by": "bar"},
+                {"created": "2018-04-03T18:37:09.284840891Z", "created_by": "foo"},
+                {"created": "2018-04-12T18:37:09.284840891Z", "created_by": "bar"},
+            ],
+        },
+        "sha256:b5b2b2c507a0944348e0303114d8d93aaaa081732b86451d9bce1f432a537bc7",
+        1885,
+    )
 
-  manifest_image_layers = list(manifest.get_layers(retriever))
-  assert len(manifest_image_layers) == len(list(manifest.filesystem_layers))
-  for index in range(0, 4):
-    assert manifest_image_layers[index].blob_digest == str(manifest.filesystem_layers[index].digest)
+    manifest_image_layers = list(manifest.get_layers(retriever))
+    assert len(manifest_image_layers) == len(list(manifest.filesystem_layers))
+    for index in range(0, 4):
+        assert manifest_image_layers[index].blob_digest == str(
+            manifest.filesystem_layers[index].digest
+        )
 
 
 def test_schema2_builder():
-  manifest = DockerSchema2Manifest(Bytes.for_string_or_unicode(MANIFEST_BYTES))
+    manifest = DockerSchema2Manifest(Bytes.for_string_or_unicode(MANIFEST_BYTES))
 
-  builder = DockerSchema2ManifestBuilder()
-  builder.set_config_digest(manifest.config.digest, manifest.config.size)
+    builder = DockerSchema2ManifestBuilder()
+    builder.set_config_digest(manifest.config.digest, manifest.config.size)
 
-  for layer in manifest.filesystem_layers:
-    builder.add_layer(layer.digest, layer.compressed_size, urls=layer.urls)
+    for layer in manifest.filesystem_layers:
+        builder.add_layer(layer.digest, layer.compressed_size, urls=layer.urls)
 
-  built = builder.build()
-  assert built.filesystem_layers == manifest.filesystem_layers
-  assert built.config == manifest.config
+    built = builder.build()
+    assert built.filesystem_layers == manifest.filesystem_layers
+    assert built.config == manifest.config
 
 
 def test_get_manifest_labels():
-  labels = dict(foo='bar', baz='meh')
-  retriever = ContentRetrieverForTesting.for_config({
-    "config": {
-      "Labels": labels,
-    },
-    "rootfs": {"type": "layers", "diff_ids": []},
-    "history": [],
-  }, 'sha256:b5b2b2c507a0944348e0303114d8d93aaaa081732b86451d9bce1f432a537bc7', 1885)
+    labels = dict(foo="bar", baz="meh")
+    retriever = ContentRetrieverForTesting.for_config(
+        {
+            "config": {"Labels": labels},
+            "rootfs": {"type": "layers", "diff_ids": []},
+            "history": [],
+        },
+        "sha256:b5b2b2c507a0944348e0303114d8d93aaaa081732b86451d9bce1f432a537bc7",
+        1885,
+    )
 
-  manifest = DockerSchema2Manifest(Bytes.for_string_or_unicode(MANIFEST_BYTES))
-  assert manifest.get_manifest_labels(retriever) == labels
+    manifest = DockerSchema2Manifest(Bytes.for_string_or_unicode(MANIFEST_BYTES))
+    assert manifest.get_manifest_labels(retriever) == labels
 
 
 def test_build_schema1():
-  manifest = DockerSchema2Manifest(Bytes.for_string_or_unicode(MANIFEST_BYTES))
-  assert not manifest.has_remote_layer
+    manifest = DockerSchema2Manifest(Bytes.for_string_or_unicode(MANIFEST_BYTES))
+    assert not manifest.has_remote_layer
 
-  retriever = ContentRetrieverForTesting({
-    'sha256:b5b2b2c507a0944348e0303114d8d93aaaa081732b86451d9bce1f432a537bc7': CONFIG_BYTES,
-  })
+    retriever = ContentRetrieverForTesting(
+        {
+            "sha256:b5b2b2c507a0944348e0303114d8d93aaaa081732b86451d9bce1f432a537bc7": CONFIG_BYTES
+        }
+    )
 
-  builder = DockerSchema1ManifestBuilder('somenamespace', 'somename', 'sometag')
-  manifest._populate_schema1_builder(builder, retriever)
-  schema1 = builder.build(docker_v2_signing_key)
+    builder = DockerSchema1ManifestBuilder("somenamespace", "somename", "sometag")
+    manifest._populate_schema1_builder(builder, retriever)
+    schema1 = builder.build(docker_v2_signing_key)
 
-  assert schema1.media_type == DOCKER_SCHEMA1_SIGNED_MANIFEST_CONTENT_TYPE
+    assert schema1.media_type == DOCKER_SCHEMA1_SIGNED_MANIFEST_CONTENT_TYPE
 
 
 def test_get_schema1_manifest():
-  retriever = ContentRetrieverForTesting.for_config({
-    "config": {
-      "Labels": {},
-    },
-    "rootfs": {"type": "layers", "diff_ids": []},
-    "history": [
-      {
-        "created": "2018-04-03T18:37:09.284840891Z",
-        "created_by": "foo"
-      },
-      {
-        "created": "2018-04-12T18:37:09.284840891Z",
-        "created_by": "bar"
-      },
-      {
-        "created": "2018-04-03T18:37:09.284840891Z",
-        "created_by": "foo"
-      },
-      {
-        "created": "2018-04-12T18:37:09.284840891Z",
-        "created_by": "bar"
-      },
-    ],
-  }, 'sha256:b5b2b2c507a0944348e0303114d8d93aaaa081732b86451d9bce1f432a537bc7', 1885)
+    retriever = ContentRetrieverForTesting.for_config(
+        {
+            "config": {"Labels": {}},
+            "rootfs": {"type": "layers", "diff_ids": []},
+            "history": [
+                {"created": "2018-04-03T18:37:09.284840891Z", "created_by": "foo"},
+                {"created": "2018-04-12T18:37:09.284840891Z", "created_by": "bar"},
+                {"created": "2018-04-03T18:37:09.284840891Z", "created_by": "foo"},
+                {"created": "2018-04-12T18:37:09.284840891Z", "created_by": "bar"},
+            ],
+        },
+        "sha256:b5b2b2c507a0944348e0303114d8d93aaaa081732b86451d9bce1f432a537bc7",
+        1885,
+    )
 
-  manifest = DockerSchema2Manifest(Bytes.for_string_or_unicode(MANIFEST_BYTES))
-  schema1 = manifest.get_schema1_manifest('somenamespace', 'somename', 'sometag', retriever)
-  assert schema1 is not None
-  assert schema1.media_type == DOCKER_SCHEMA1_MANIFEST_CONTENT_TYPE
+    manifest = DockerSchema2Manifest(Bytes.for_string_or_unicode(MANIFEST_BYTES))
+    schema1 = manifest.get_schema1_manifest(
+        "somenamespace", "somename", "sometag", retriever
+    )
+    assert schema1 is not None
+    assert schema1.media_type == DOCKER_SCHEMA1_MANIFEST_CONTENT_TYPE
 
-  via_convert = manifest.convert_manifest([schema1.media_type], 'somenamespace', 'somename',
-                                          'sometag', retriever)
-  assert via_convert.digest == schema1.digest
+    via_convert = manifest.convert_manifest(
+        [schema1.media_type], "somenamespace", "somename", "sometag", retriever
+    )
+    assert via_convert.digest == schema1.digest
 
 
 def test_generate_legacy_layers():
-  builder = DockerSchema2ManifestBuilder()
-  builder.add_layer('sha256:abc123', 123)
-  builder.add_layer('sha256:def456', 789)
-  builder.set_config_digest('sha256:def456', 2000)
-  manifest = builder.build()
+    builder = DockerSchema2ManifestBuilder()
+    builder.add_layer("sha256:abc123", 123)
+    builder.add_layer("sha256:def456", 789)
+    builder.set_config_digest("sha256:def456", 2000)
+    manifest = builder.build()
 
-  retriever = ContentRetrieverForTesting.for_config({
-    "config": {
-    },
-    "rootfs": {"type": "layers", "diff_ids": []},
-    "history": [
-      {
-        "created": "2018-04-03T18:37:09.284840891Z",
-        "created_by": "base"
-      },
-      {
-        "created": "2018-04-06T18:37:09.284840891Z",
-        "created_by": "middle",
-        "empty_layer": True,
-      },
-      {
-        "created": "2018-04-12T18:37:09.284840891Z",
-        "created_by": "leaf"
-      },
-    ],
-  }, 'sha256:def456', 2000)
+    retriever = ContentRetrieverForTesting.for_config(
+        {
+            "config": {},
+            "rootfs": {"type": "layers", "diff_ids": []},
+            "history": [
+                {"created": "2018-04-03T18:37:09.284840891Z", "created_by": "base"},
+                {
+                    "created": "2018-04-06T18:37:09.284840891Z",
+                    "created_by": "middle",
+                    "empty_layer": True,
+                },
+                {"created": "2018-04-12T18:37:09.284840891Z", "created_by": "leaf"},
+            ],
+        },
+        "sha256:def456",
+        2000,
+    )
 
-  legacy_layers = list(manifest.generate_legacy_layers({}, retriever))
-  assert len(legacy_layers) == 3
-  assert legacy_layers[0].content_checksum == 'sha256:abc123'
-  assert legacy_layers[1].content_checksum == EMPTY_LAYER_BLOB_DIGEST
-  assert legacy_layers[2].content_checksum == 'sha256:def456'
+    legacy_layers = list(manifest.generate_legacy_layers({}, retriever))
+    assert len(legacy_layers) == 3
+    assert legacy_layers[0].content_checksum == "sha256:abc123"
+    assert legacy_layers[1].content_checksum == EMPTY_LAYER_BLOB_DIGEST
+    assert legacy_layers[2].content_checksum == "sha256:def456"
 
-  assert legacy_layers[0].created == "2018-04-03T18:37:09.284840891Z"
-  assert legacy_layers[1].created == "2018-04-06T18:37:09.284840891Z"
-  assert legacy_layers[2].created == "2018-04-12T18:37:09.284840891Z"
+    assert legacy_layers[0].created == "2018-04-03T18:37:09.284840891Z"
+    assert legacy_layers[1].created == "2018-04-06T18:37:09.284840891Z"
+    assert legacy_layers[2].created == "2018-04-12T18:37:09.284840891Z"
 
-  assert legacy_layers[0].command == '["base"]'
-  assert legacy_layers[1].command == '["middle"]'
-  assert legacy_layers[2].command == '["leaf"]'
+    assert legacy_layers[0].command == '["base"]'
+    assert legacy_layers[1].command == '["middle"]'
+    assert legacy_layers[2].command == '["leaf"]'
 
-  assert legacy_layers[2].parent_image_id == legacy_layers[1].image_id
-  assert legacy_layers[1].parent_image_id == legacy_layers[0].image_id
-  assert legacy_layers[0].parent_image_id is None
+    assert legacy_layers[2].parent_image_id == legacy_layers[1].image_id
+    assert legacy_layers[1].parent_image_id == legacy_layers[0].image_id
+    assert legacy_layers[0].parent_image_id is None
 
-  assert legacy_layers[1].image_id != legacy_layers[2]
-  assert legacy_layers[0].image_id != legacy_layers[1]
+    assert legacy_layers[1].image_id != legacy_layers[2]
+    assert legacy_layers[0].image_id != legacy_layers[1]
 
 
 def test_remote_layer_manifest():
-  builder = DockerSchema2ManifestBuilder()
-  builder.set_config_digest('sha256:abcd', 1234)
-  builder.add_layer('sha256:adef', 1234, urls=['http://some/url'])
-  builder.add_layer('sha256:1352', 4567)
-  builder.add_layer('sha256:1353', 4567)
-  manifest = builder.build()
+    builder = DockerSchema2ManifestBuilder()
+    builder.set_config_digest("sha256:abcd", 1234)
+    builder.add_layer("sha256:adef", 1234, urls=["http://some/url"])
+    builder.add_layer("sha256:1352", 4567)
+    builder.add_layer("sha256:1353", 4567)
+    manifest = builder.build()
 
-  assert manifest.has_remote_layer
-  assert manifest.get_leaf_layer_v1_image_id(None) is None
-  assert manifest.get_legacy_image_ids(None) is None
-  assert not manifest.has_legacy_image
+    assert manifest.has_remote_layer
+    assert manifest.get_leaf_layer_v1_image_id(None) is None
+    assert manifest.get_legacy_image_ids(None) is None
+    assert not manifest.has_legacy_image
 
-  schema1 = manifest.get_schema1_manifest('somenamespace', 'somename', 'sometag', None)
-  assert schema1 is None
+    schema1 = manifest.get_schema1_manifest(
+        "somenamespace", "somename", "sometag", None
+    )
+    assert schema1 is None
 
-  assert set(manifest.blob_digests) == {'sha256:adef', 'sha256:abcd', 'sha256:1352', 'sha256:1353'}
-  assert set(manifest.local_blob_digests) == {'sha256:abcd', 'sha256:1352', 'sha256:1353'}
+    assert set(manifest.blob_digests) == {
+        "sha256:adef",
+        "sha256:abcd",
+        "sha256:1352",
+        "sha256:1353",
+    }
+    assert set(manifest.local_blob_digests) == {
+        "sha256:abcd",
+        "sha256:1352",
+        "sha256:1353",
+    }
 
 
 def test_unencoded_unicode_manifest():
-  builder = DockerSchema2ManifestBuilder()
-  builder.add_layer('sha256:abc123', 123)
-  builder.set_config_digest('sha256:def456', 2000)
-  manifest = builder.build()
+    builder = DockerSchema2ManifestBuilder()
+    builder.add_layer("sha256:abc123", 123)
+    builder.set_config_digest("sha256:def456", 2000)
+    manifest = builder.build()
 
-  retriever = ContentRetrieverForTesting.for_config({
-    "config": {
-      "author": u"Sômé guy",
-    },
-    "rootfs": {"type": "layers", "diff_ids": []},
-    "history": [
-      {
-        "created": "2018-04-03T18:37:09.284840891Z",
-        "created_by": "base",
-        "author": u"Sômé guy",
-      },
-    ],
-  }, 'sha256:def456', 2000, ensure_ascii=False)
+    retriever = ContentRetrieverForTesting.for_config(
+        {
+            "config": {"author": u"Sômé guy"},
+            "rootfs": {"type": "layers", "diff_ids": []},
+            "history": [
+                {
+                    "created": "2018-04-03T18:37:09.284840891Z",
+                    "created_by": "base",
+                    "author": u"Sômé guy",
+                }
+            ],
+        },
+        "sha256:def456",
+        2000,
+        ensure_ascii=False,
+    )
 
-  layers = list(manifest.get_layers(retriever))
-  assert layers[0].author == u"Sômé guy"
+    layers = list(manifest.get_layers(retriever))
+    assert layers[0].author == u"Sômé guy"
 
 
 def test_build_unencoded_unicode_manifest():
-  config_json = json.dumps({
-    "config": {
-      "author": u"Sômé guy",
-    },
-    "rootfs": {"type": "layers", "diff_ids": []},
-    "history": [
-      {
-        "created": "2018-04-03T18:37:09.284840891Z",
-        "created_by": "base",
-        "author": u"Sômé guy",
-      },
-    ],
-  }, ensure_ascii=False)
+    config_json = json.dumps(
+        {
+            "config": {"author": u"Sômé guy"},
+            "rootfs": {"type": "layers", "diff_ids": []},
+            "history": [
+                {
+                    "created": "2018-04-03T18:37:09.284840891Z",
+                    "created_by": "base",
+                    "author": u"Sômé guy",
+                }
+            ],
+        },
+        ensure_ascii=False,
+    )
 
-  schema2_config = DockerSchema2Config(Bytes.for_string_or_unicode(config_json))
+    schema2_config = DockerSchema2Config(Bytes.for_string_or_unicode(config_json))
 
-  builder = DockerSchema2ManifestBuilder()
-  builder.set_config(schema2_config)
-  builder.add_layer('sha256:abc123', 123)
-  builder.build()
+    builder = DockerSchema2ManifestBuilder()
+    builder.set_config(schema2_config)
+    builder.add_layer("sha256:abc123", 123)
+    builder.build()
 
 
 def test_load_unicode_manifest():
-  test_dir = os.path.dirname(os.path.abspath(__file__))
-  with open(os.path.join(test_dir, 'unicode_manifest_config.json'), 'r') as f:
-    retriever = ContentRetrieverForTesting()
-    retriever.add_digest('sha256:5bdd65cdd055c7f3bbaecdc9fd6c75f155322520f85953aa0e2724cab006d407',
-                         f.read())
+    test_dir = os.path.dirname(os.path.abspath(__file__))
+    with open(os.path.join(test_dir, "unicode_manifest_config.json"), "r") as f:
+        retriever = ContentRetrieverForTesting()
+        retriever.add_digest(
+            "sha256:5bdd65cdd055c7f3bbaecdc9fd6c75f155322520f85953aa0e2724cab006d407",
+            f.read(),
+        )
 
-  with open(os.path.join(test_dir, 'unicode_manifest.json'), 'r') as f:
-    manifest_bytes = f.read()
+    with open(os.path.join(test_dir, "unicode_manifest.json"), "r") as f:
+        manifest_bytes = f.read()
 
-  manifest = DockerSchema2Manifest(Bytes.for_string_or_unicode(manifest_bytes))
-  assert manifest.digest == 'sha256:97556fa8c553395bd9d8e19a04acef4716ca287ffbf6bde14dd9966053912613'
+    manifest = DockerSchema2Manifest(Bytes.for_string_or_unicode(manifest_bytes))
+    assert (
+        manifest.digest
+        == "sha256:97556fa8c553395bd9d8e19a04acef4716ca287ffbf6bde14dd9966053912613"
+    )
 
-  layers = list(manifest.get_layers(retriever))
-  assert layers[-1].author == u"Sômé guy"
+    layers = list(manifest.get_layers(retriever))
+    assert layers[-1].author == u"Sômé guy"
diff --git a/image/docker/schemas.py b/image/docker/schemas.py
index ab0d952f9..bc0544f5a 100644
--- a/image/docker/schemas.py
+++ b/image/docker/schemas.py
@@ -1,25 +1,29 @@
 from image.docker import ManifestException
 from image.docker.schema1 import DockerSchema1Manifest, DOCKER_SCHEMA1_CONTENT_TYPES
-from image.docker.schema2 import (DOCKER_SCHEMA2_MANIFEST_CONTENT_TYPE,
-                                  DOCKER_SCHEMA2_MANIFESTLIST_CONTENT_TYPE)
+from image.docker.schema2 import (
+    DOCKER_SCHEMA2_MANIFEST_CONTENT_TYPE,
+    DOCKER_SCHEMA2_MANIFESTLIST_CONTENT_TYPE,
+)
 from image.docker.schema2.manifest import DockerSchema2Manifest
 from image.docker.schema2.list import DockerSchema2ManifestList
 from util.bytes import Bytes
 
 
 def parse_manifest_from_bytes(manifest_bytes, media_type, validate=True):
-  """ Parses and returns a manifest from the given bytes, for the given media type.
+    """ Parses and returns a manifest from the given bytes, for the given media type.
       Raises a ManifestException if the parse fails for some reason.
   """
-  assert isinstance(manifest_bytes, Bytes)
+    assert isinstance(manifest_bytes, Bytes)
 
-  if media_type == DOCKER_SCHEMA2_MANIFEST_CONTENT_TYPE:
-    return DockerSchema2Manifest(manifest_bytes)
+    if media_type == DOCKER_SCHEMA2_MANIFEST_CONTENT_TYPE:
+        return DockerSchema2Manifest(manifest_bytes)
 
-  if media_type == DOCKER_SCHEMA2_MANIFESTLIST_CONTENT_TYPE:
-    return DockerSchema2ManifestList(manifest_bytes)
+    if media_type == DOCKER_SCHEMA2_MANIFESTLIST_CONTENT_TYPE:
+        return DockerSchema2ManifestList(manifest_bytes)
 
-  if media_type in DOCKER_SCHEMA1_CONTENT_TYPES:
-    return DockerSchema1Manifest(manifest_bytes, validate=validate)
+    if media_type in DOCKER_SCHEMA1_CONTENT_TYPES:
+        return DockerSchema1Manifest(manifest_bytes, validate=validate)
 
-  raise ManifestException('Unknown or unsupported manifest media type `%s`' % media_type)
+    raise ManifestException(
+        "Unknown or unsupported manifest media type `%s`" % media_type
+    )
diff --git a/image/docker/schemautil.py b/image/docker/schemautil.py
index adfa021c7..d2947f9f1 100644
--- a/image/docker/schemautil.py
+++ b/image/docker/schemautil.py
@@ -2,43 +2,50 @@ import json
 
 from image.docker.interfaces import ContentRetriever
 
+
 class ContentRetrieverForTesting(ContentRetriever):
-  def __init__(self, digests=None):
-    self.digests = digests or {}
+    def __init__(self, digests=None):
+        self.digests = digests or {}
 
-  def add_digest(self, digest, content):
-    self.digests[digest] = content
+    def add_digest(self, digest, content):
+        self.digests[digest] = content
 
-  def get_manifest_bytes_with_digest(self, digest):
-    return self.digests.get(digest)
+    def get_manifest_bytes_with_digest(self, digest):
+        return self.digests.get(digest)
 
-  def get_blob_bytes_with_digest(self, digest):
-    return self.digests.get(digest)
+    def get_blob_bytes_with_digest(self, digest):
+        return self.digests.get(digest)
 
-  @classmethod
-  def for_config(cls, config_obj, digest, size, ensure_ascii=True):
-    config_str = json.dumps(config_obj, ensure_ascii=ensure_ascii)
-    padded_string = config_str + ' ' * (size - len(config_str))
-    digests = {}
-    digests[digest] = padded_string
-    return ContentRetrieverForTesting(digests)
+    @classmethod
+    def for_config(cls, config_obj, digest, size, ensure_ascii=True):
+        config_str = json.dumps(config_obj, ensure_ascii=ensure_ascii)
+        padded_string = config_str + " " * (size - len(config_str))
+        digests = {}
+        digests[digest] = padded_string
+        return ContentRetrieverForTesting(digests)
 
 
 class _CustomEncoder(json.JSONEncoder):
-  def encode(self, o):
-    encoded = super(_CustomEncoder, self).encode(o)
-    if isinstance(o, basestring):
-      encoded = encoded.replace('<', '\\u003c')
-      encoded = encoded.replace('>', '\\u003e')
-      encoded = encoded.replace('&', '\\u0026')
-    return encoded
+    def encode(self, o):
+        encoded = super(_CustomEncoder, self).encode(o)
+        if isinstance(o, basestring):
+            encoded = encoded.replace("<", "\\u003c")
+            encoded = encoded.replace(">", "\\u003e")
+            encoded = encoded.replace("&", "\\u0026")
+        return encoded
 
 
 def to_canonical_json(value, ensure_ascii=True, indent=None):
-  """ Returns the canonical JSON string form of the given value,
+    """ Returns the canonical JSON string form of the given value,
       as per the guidelines in https://github.com/docker/distribution/blob/master/docs/spec/json.md.
 
       `indent` is allowed only for the purposes of indenting for debugging.
   """
-  return json.dumps(value, ensure_ascii=ensure_ascii, sort_keys=True, separators=(',', ':'),
-                    cls=_CustomEncoder, indent=indent)
+    return json.dumps(
+        value,
+        ensure_ascii=ensure_ascii,
+        sort_keys=True,
+        separators=(",", ":"),
+        cls=_CustomEncoder,
+        indent=indent,
+    )
diff --git a/image/docker/squashed.py b/image/docker/squashed.py
index a5f5f0c64..3a9f9acbf 100644
--- a/image/docker/squashed.py
+++ b/image/docker/squashed.py
@@ -10,120 +10,141 @@ from util.registry.streamlayerformat import StreamLayerMerger
 
 
 class FileEstimationException(Exception):
-  """
+    """
   Exception raised by build_docker_load_stream if the estimated size of the layer tar was lower
   than the actual size. This means the sent tar header is wrong, and we have to fail.
   """
-  pass
+
+    pass
 
 
 class SquashedDockerImageFormatter(TarImageFormatter):
-  """
+    """
   Image formatter which produces a squashed image compatible with the `docker load` command.
   """
 
-  # Multiplier against the image size reported by Docker to account for the tar metadata.
-  # Note: This multiplier was not formally calculated in anyway and should be adjusted overtime
-  # if/when we encounter issues with it. Unfortunately, we cannot make it too large or the Docker
-  # daemon dies when trying to load the entire tar into memory.
-  SIZE_MULTIPLIER = 1.2
+    # Multiplier against the image size reported by Docker to account for the tar metadata.
+    # Note: This multiplier was not formally calculated in anyway and should be adjusted overtime
+    # if/when we encounter issues with it. Unfortunately, we cannot make it too large or the Docker
+    # daemon dies when trying to load the entire tar into memory.
+    SIZE_MULTIPLIER = 1.2
 
-  def stream_generator(self, tag, parsed_manifest, synthetic_image_id, layer_iterator,
-                       tar_stream_getter_iterator, reporter=None):
-    image_mtime = 0
-    created = parsed_manifest.created_datetime
-    if created is not None:
-      image_mtime = calendar.timegm(created.utctimetuple())
+    def stream_generator(
+        self,
+        tag,
+        parsed_manifest,
+        synthetic_image_id,
+        layer_iterator,
+        tar_stream_getter_iterator,
+        reporter=None,
+    ):
+        image_mtime = 0
+        created = parsed_manifest.created_datetime
+        if created is not None:
+            image_mtime = calendar.timegm(created.utctimetuple())
 
-    # Docker import V1 Format (.tar):
-    #  repositories - JSON file containing a repo -> tag -> image map
-    #  {image ID folder}:
-    #     json - The layer JSON
-    #     layer.tar - The tarballed contents of the layer
-    #     VERSION - The docker import version: '1.0'
-    layer_merger = StreamLayerMerger(tar_stream_getter_iterator, reporter=reporter)
+        # Docker import V1 Format (.tar):
+        #  repositories - JSON file containing a repo -> tag -> image map
+        #  {image ID folder}:
+        #     json - The layer JSON
+        #     layer.tar - The tarballed contents of the layer
+        #     VERSION - The docker import version: '1.0'
+        layer_merger = StreamLayerMerger(tar_stream_getter_iterator, reporter=reporter)
 
-    # Yield the repositories file:
-    synthetic_layer_info = {}
-    synthetic_layer_info[tag.name + '.squash'] = synthetic_image_id
+        # Yield the repositories file:
+        synthetic_layer_info = {}
+        synthetic_layer_info[tag.name + ".squash"] = synthetic_image_id
 
-    hostname = app.config['SERVER_HOSTNAME']
-    repositories = {}
-    namespace = tag.repository.namespace_name
-    repository = tag.repository.name
-    repositories[hostname + '/' + namespace + '/' + repository] = synthetic_layer_info
+        hostname = app.config["SERVER_HOSTNAME"]
+        repositories = {}
+        namespace = tag.repository.namespace_name
+        repository = tag.repository.name
+        repositories[
+            hostname + "/" + namespace + "/" + repository
+        ] = synthetic_layer_info
 
-    yield self.tar_file('repositories', json.dumps(repositories), mtime=image_mtime)
+        yield self.tar_file("repositories", json.dumps(repositories), mtime=image_mtime)
 
-    # Yield the image ID folder.
-    yield self.tar_folder(synthetic_image_id, mtime=image_mtime)
+        # Yield the image ID folder.
+        yield self.tar_folder(synthetic_image_id, mtime=image_mtime)
 
-    # Yield the JSON layer data.
-    layer_json = SquashedDockerImageFormatter._build_layer_json(parsed_manifest, synthetic_image_id)
-    yield self.tar_file(synthetic_image_id + '/json', json.dumps(layer_json), mtime=image_mtime)
+        # Yield the JSON layer data.
+        layer_json = SquashedDockerImageFormatter._build_layer_json(
+            parsed_manifest, synthetic_image_id
+        )
+        yield self.tar_file(
+            synthetic_image_id + "/json", json.dumps(layer_json), mtime=image_mtime
+        )
 
-    # Yield the VERSION file.
-    yield self.tar_file(synthetic_image_id + '/VERSION', '1.0', mtime=image_mtime)
+        # Yield the VERSION file.
+        yield self.tar_file(synthetic_image_id + "/VERSION", "1.0", mtime=image_mtime)
 
-    # Yield the merged layer data's header.
-    estimated_file_size = 0
-    for layer in layer_iterator:
-      estimated_file_size += layer.estimated_size(SquashedDockerImageFormatter.SIZE_MULTIPLIER)
+        # Yield the merged layer data's header.
+        estimated_file_size = 0
+        for layer in layer_iterator:
+            estimated_file_size += layer.estimated_size(
+                SquashedDockerImageFormatter.SIZE_MULTIPLIER
+            )
 
-    # Make sure the estimated file size is an integer number of bytes.
-    estimated_file_size = int(math.ceil(estimated_file_size))
+        # Make sure the estimated file size is an integer number of bytes.
+        estimated_file_size = int(math.ceil(estimated_file_size))
 
-    yield self.tar_file_header(synthetic_image_id + '/layer.tar', estimated_file_size,
-                               mtime=image_mtime)
+        yield self.tar_file_header(
+            synthetic_image_id + "/layer.tar", estimated_file_size, mtime=image_mtime
+        )
 
-    # Yield the contents of the merged layer.
-    yielded_size = 0
-    for entry in layer_merger.get_generator():
-      yield entry
-      yielded_size += len(entry)
+        # Yield the contents of the merged layer.
+        yielded_size = 0
+        for entry in layer_merger.get_generator():
+            yield entry
+            yielded_size += len(entry)
 
-    # If the yielded size is more than the estimated size (which is unlikely but possible), then
-    # raise an exception since the tar header will be wrong.
-    if yielded_size > estimated_file_size:
-      leaf_image_id = parsed_manifest.leaf_layer_v1_image_id
-      message = "For %s/%s:%s (%s:%s): Expected %s bytes, found %s bytes" % (namespace,
-                                                                             repository,
-                                                                             tag,
-                                                                             parsed_manifest.digest,
-                                                                             leaf_image_id,
-                                                                             estimated_file_size,
-                                                                             yielded_size)
-      raise FileEstimationException(message)
+        # If the yielded size is more than the estimated size (which is unlikely but possible), then
+        # raise an exception since the tar header will be wrong.
+        if yielded_size > estimated_file_size:
+            leaf_image_id = parsed_manifest.leaf_layer_v1_image_id
+            message = "For %s/%s:%s (%s:%s): Expected %s bytes, found %s bytes" % (
+                namespace,
+                repository,
+                tag,
+                parsed_manifest.digest,
+                leaf_image_id,
+                estimated_file_size,
+                yielded_size,
+            )
+            raise FileEstimationException(message)
 
-    # If the yielded size is less than the estimated size (which is likely), fill the rest with
-    # zeros.
-    if yielded_size < estimated_file_size:
-      to_yield = estimated_file_size - yielded_size
-      while to_yield > 0:
-        yielded = min(to_yield, GZIP_BUFFER_SIZE)
-        yield '\0' * yielded
-        to_yield -= yielded
+        # If the yielded size is less than the estimated size (which is likely), fill the rest with
+        # zeros.
+        if yielded_size < estimated_file_size:
+            to_yield = estimated_file_size - yielded_size
+            while to_yield > 0:
+                yielded = min(to_yield, GZIP_BUFFER_SIZE)
+                yield "\0" * yielded
+                to_yield -= yielded
 
-    # Yield any file padding to 512 bytes that is necessary.
-    yield self.tar_file_padding(estimated_file_size)
+        # Yield any file padding to 512 bytes that is necessary.
+        yield self.tar_file_padding(estimated_file_size)
 
-    # Last two records are empty in tar spec.
-    yield '\0' * 512
-    yield '\0' * 512
+        # Last two records are empty in tar spec.
+        yield "\0" * 512
+        yield "\0" * 512
 
+    @staticmethod
+    def _build_layer_json(manifest, synthetic_image_id):
+        updated_json = json.loads(manifest.leaf_layer.raw_v1_metadata)
+        updated_json["id"] = synthetic_image_id
 
-  @staticmethod
-  def _build_layer_json(manifest, synthetic_image_id):
-    updated_json = json.loads(manifest.leaf_layer.raw_v1_metadata)
-    updated_json['id'] = synthetic_image_id
+        if "parent" in updated_json:
+            del updated_json["parent"]
 
-    if 'parent' in updated_json:
-      del updated_json['parent']
+        if "config" in updated_json and "Image" in updated_json["config"]:
+            updated_json["config"]["Image"] = synthetic_image_id
 
-    if 'config' in updated_json and 'Image' in updated_json['config']:
-      updated_json['config']['Image'] = synthetic_image_id
+        if (
+            "container_config" in updated_json
+            and "Image" in updated_json["container_config"]
+        ):
+            updated_json["container_config"]["Image"] = synthetic_image_id
 
-    if 'container_config' in updated_json and 'Image' in updated_json['container_config']:
-      updated_json['container_config']['Image'] = synthetic_image_id
-
-    return updated_json
+        return updated_json
diff --git a/image/docker/test/test_schema1.py b/image/docker/test/test_schema1.py
index 2766cdaac..417e3f646 100644
--- a/image/docker/test/test_schema1.py
+++ b/image/docker/test/test_schema1.py
@@ -6,306 +6,343 @@ import json
 import pytest
 
 from app import docker_v2_signing_key
-from image.docker.schema1 import (MalformedSchema1Manifest, DockerSchema1Manifest,
-                                  DockerSchema1ManifestBuilder)
+from image.docker.schema1 import (
+    MalformedSchema1Manifest,
+    DockerSchema1Manifest,
+    DockerSchema1ManifestBuilder,
+)
 from util.bytes import Bytes
 
 
-@pytest.mark.parametrize('json_data', [
-  '',
-  '{}',
-  """
+@pytest.mark.parametrize(
+    "json_data",
+    [
+        "",
+        "{}",
+        """
   {
     "unknown": "key"
   }
   """,
-])
+    ],
+)
 def test_malformed_manifests(json_data):
-  with pytest.raises(MalformedSchema1Manifest):
-    DockerSchema1Manifest(Bytes.for_string_or_unicode(json_data))
+    with pytest.raises(MalformedSchema1Manifest):
+        DockerSchema1Manifest(Bytes.for_string_or_unicode(json_data))
 
 
-MANIFEST_BYTES = json.dumps({
-  "name": 'hello-world',
-  "tag": "latest",
-  "architecture": "amd64",
-  "fsLayers": [
+MANIFEST_BYTES = json.dumps(
     {
-      "blobSum": "sha256:cc8567d70002e957612902a8e985ea129d831ebe04057d88fb644857caa45d11"
-    },
-    {
-      "blobSum": "sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef"
+        "name": "hello-world",
+        "tag": "latest",
+        "architecture": "amd64",
+        "fsLayers": [
+            {
+                "blobSum": "sha256:cc8567d70002e957612902a8e985ea129d831ebe04057d88fb644857caa45d11"
+            },
+            {
+                "blobSum": "sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef"
+            },
+        ],
+        "history": [
+            {"v1Compatibility": '{"id":"someid", "parent": "anotherid"}'},
+            {"v1Compatibility": '{"id":"anotherid"}'},
+        ],
+        "schemaVersion": 1,
+        "signatures": [
+            {
+                "header": {
+                    "jwk": {
+                        "crv": "P-256",
+                        "kid": "OD6I:6DRK:JXEJ:KBM4:255X:NSAA:MUSF:E4VM:ZI6W:CUN2:L4Z6:LSF4",
+                        "kty": "EC",
+                        "x": "3gAwX48IQ5oaYQAYSxor6rYYc_6yjuLCjtQ9LUakg4A",
+                        "y": "t72ge6kIA1XOjqjVoEOiPPAURltJFBMGDSQvEGVB010",
+                    },
+                    "alg": "ES256",
+                },
+                "signature": "XREm0L8WNn27Ga_iE_vRnTxVMhhYY0Zst_FfkKopg6gWSoTOZTuW4rK0fg_IqnKkEKlbD83tD46LKEGi5aIVFg",
+                "protected": "eyJmb3JtYXRMZW5ndGgiOjY2MjgsImZvcm1hdFRhaWwiOiJDbjAiLCJ0aW1lIjoiMjAxNS0wNC0wOFQxODo1Mjo1OVoifQ",
+            }
+        ],
     }
-  ],
-  "history": [
-    {
-      "v1Compatibility": "{\"id\":\"someid\", \"parent\": \"anotherid\"}"
-    },
-    {
-      "v1Compatibility": "{\"id\":\"anotherid\"}"
-    },
-  ],
-  "schemaVersion": 1,
-  "signatures": [
-    {
-      "header": {
-        "jwk": {
-          "crv": "P-256",
-          "kid": "OD6I:6DRK:JXEJ:KBM4:255X:NSAA:MUSF:E4VM:ZI6W:CUN2:L4Z6:LSF4",
-          "kty": "EC",
-          "x": "3gAwX48IQ5oaYQAYSxor6rYYc_6yjuLCjtQ9LUakg4A",
-          "y": "t72ge6kIA1XOjqjVoEOiPPAURltJFBMGDSQvEGVB010"
-        },
-        "alg": "ES256"
-      },
-      "signature": "XREm0L8WNn27Ga_iE_vRnTxVMhhYY0Zst_FfkKopg6gWSoTOZTuW4rK0fg_IqnKkEKlbD83tD46LKEGi5aIVFg",
-      "protected": "eyJmb3JtYXRMZW5ndGgiOjY2MjgsImZvcm1hdFRhaWwiOiJDbjAiLCJ0aW1lIjoiMjAxNS0wNC0wOFQxODo1Mjo1OVoifQ"
-    }
-  ]
-})
+)
 
 
 def test_valid_manifest():
-  manifest = DockerSchema1Manifest(Bytes.for_string_or_unicode(MANIFEST_BYTES), validate=False)
-  assert len(manifest.signatures) == 1
-  assert manifest.namespace == ''
-  assert manifest.repo_name == 'hello-world'
-  assert manifest.tag == 'latest'
-  assert manifest.image_ids == {'someid', 'anotherid'}
-  assert manifest.parent_image_ids == {'anotherid'}
+    manifest = DockerSchema1Manifest(
+        Bytes.for_string_or_unicode(MANIFEST_BYTES), validate=False
+    )
+    assert len(manifest.signatures) == 1
+    assert manifest.namespace == ""
+    assert manifest.repo_name == "hello-world"
+    assert manifest.tag == "latest"
+    assert manifest.image_ids == {"someid", "anotherid"}
+    assert manifest.parent_image_ids == {"anotherid"}
 
-  assert len(manifest.layers) == 2
+    assert len(manifest.layers) == 2
 
-  assert manifest.layers[0].v1_metadata.image_id == 'anotherid'
-  assert manifest.layers[0].v1_metadata.parent_image_id is None
+    assert manifest.layers[0].v1_metadata.image_id == "anotherid"
+    assert manifest.layers[0].v1_metadata.parent_image_id is None
 
-  assert manifest.layers[1].v1_metadata.image_id == 'someid'
-  assert manifest.layers[1].v1_metadata.parent_image_id == 'anotherid'
+    assert manifest.layers[1].v1_metadata.image_id == "someid"
+    assert manifest.layers[1].v1_metadata.parent_image_id == "anotherid"
 
-  assert manifest.layers[0].compressed_size is None
-  assert manifest.layers[1].compressed_size is None
+    assert manifest.layers[0].compressed_size is None
+    assert manifest.layers[1].compressed_size is None
 
-  assert manifest.leaf_layer == manifest.layers[1]
-  assert manifest.created_datetime is None
+    assert manifest.leaf_layer == manifest.layers[1]
+    assert manifest.created_datetime is None
 
-  unsigned = manifest.unsigned()
-  assert unsigned.namespace == manifest.namespace
-  assert unsigned.repo_name == manifest.repo_name
-  assert unsigned.tag == manifest.tag
-  assert unsigned.layers == manifest.layers
-  assert unsigned.blob_digests == manifest.blob_digests
-  assert unsigned.digest != manifest.digest
+    unsigned = manifest.unsigned()
+    assert unsigned.namespace == manifest.namespace
+    assert unsigned.repo_name == manifest.repo_name
+    assert unsigned.tag == manifest.tag
+    assert unsigned.layers == manifest.layers
+    assert unsigned.blob_digests == manifest.blob_digests
+    assert unsigned.digest != manifest.digest
 
-  image_layers = list(manifest.get_layers(None))
-  assert len(image_layers) == 2
-  for index in range(0, 2):
-    assert image_layers[index].layer_id == manifest.layers[index].v1_metadata.image_id
-    assert image_layers[index].blob_digest == manifest.layers[index].digest
-    assert image_layers[index].command == manifest.layers[index].v1_metadata.command
+    image_layers = list(manifest.get_layers(None))
+    assert len(image_layers) == 2
+    for index in range(0, 2):
+        assert (
+            image_layers[index].layer_id == manifest.layers[index].v1_metadata.image_id
+        )
+        assert image_layers[index].blob_digest == manifest.layers[index].digest
+        assert image_layers[index].command == manifest.layers[index].v1_metadata.command
 
 
 def test_validate_manifest():
-  test_dir = os.path.dirname(os.path.abspath(__file__))
-  with open(os.path.join(test_dir, 'validated_manifest.json'), 'r') as f:
-    manifest_bytes = f.read()
+    test_dir = os.path.dirname(os.path.abspath(__file__))
+    with open(os.path.join(test_dir, "validated_manifest.json"), "r") as f:
+        manifest_bytes = f.read()
 
-  manifest = DockerSchema1Manifest(Bytes.for_string_or_unicode(manifest_bytes), validate=True)
-  digest = manifest.digest
-  assert digest == 'sha256:b5dc4f63fdbd64f34f2314c0747ef81008f9fcddce4edfc3fd0e8ec8b358d571'
-  assert manifest.created_datetime
+    manifest = DockerSchema1Manifest(
+        Bytes.for_string_or_unicode(manifest_bytes), validate=True
+    )
+    digest = manifest.digest
+    assert (
+        digest
+        == "sha256:b5dc4f63fdbd64f34f2314c0747ef81008f9fcddce4edfc3fd0e8ec8b358d571"
+    )
+    assert manifest.created_datetime
 
 
 def test_validate_manifest_with_unicode():
-  test_dir = os.path.dirname(os.path.abspath(__file__))
-  with open(os.path.join(test_dir, 'validated_manifest_with_unicode.json'), 'r') as f:
-    manifest_bytes = f.read()
+    test_dir = os.path.dirname(os.path.abspath(__file__))
+    with open(os.path.join(test_dir, "validated_manifest_with_unicode.json"), "r") as f:
+        manifest_bytes = f.read()
 
-  manifest = DockerSchema1Manifest(Bytes.for_string_or_unicode(manifest_bytes), validate=True)
-  digest = manifest.digest
-  assert digest == 'sha256:815ecf45716a96b19d54d911e6ace91f78bab26ca0dd299645d9995dacd9f1ef'
-  assert manifest.created_datetime
+    manifest = DockerSchema1Manifest(
+        Bytes.for_string_or_unicode(manifest_bytes), validate=True
+    )
+    digest = manifest.digest
+    assert (
+        digest
+        == "sha256:815ecf45716a96b19d54d911e6ace91f78bab26ca0dd299645d9995dacd9f1ef"
+    )
+    assert manifest.created_datetime
 
 
 def test_validate_manifest_with_unicode_encoded():
-  test_dir = os.path.dirname(os.path.abspath(__file__))
-  with open(os.path.join(test_dir, 'manifest_unicode_row.json'), 'r') as f:
-    manifest_bytes = json.loads(f.read())[0]['json_data']
+    test_dir = os.path.dirname(os.path.abspath(__file__))
+    with open(os.path.join(test_dir, "manifest_unicode_row.json"), "r") as f:
+        manifest_bytes = json.loads(f.read())[0]["json_data"]
 
-  manifest = DockerSchema1Manifest(Bytes.for_string_or_unicode(manifest_bytes), validate=True)
-  digest = manifest.digest
-  assert digest == 'sha256:dde3714ce7e23edc6413aa85c0b42792e4f2f79e9ea36afc154d63ff3d04e86c'
-  assert manifest.created_datetime
+    manifest = DockerSchema1Manifest(
+        Bytes.for_string_or_unicode(manifest_bytes), validate=True
+    )
+    digest = manifest.digest
+    assert (
+        digest
+        == "sha256:dde3714ce7e23edc6413aa85c0b42792e4f2f79e9ea36afc154d63ff3d04e86c"
+    )
+    assert manifest.created_datetime
 
 
 def test_validate_manifest_with_unencoded_unicode():
-  test_dir = os.path.dirname(os.path.abspath(__file__))
-  with open(os.path.join(test_dir, 'manifest_unencoded_unicode.json'), 'r') as f:
-    manifest_bytes = f.read()
+    test_dir = os.path.dirname(os.path.abspath(__file__))
+    with open(os.path.join(test_dir, "manifest_unencoded_unicode.json"), "r") as f:
+        manifest_bytes = f.read()
 
-  manifest = DockerSchema1Manifest(Bytes.for_string_or_unicode(manifest_bytes))
-  digest = manifest.digest
-  assert digest == 'sha256:5d8a0f34744a39bf566ba430251adc0cc86587f86aed3ac2acfb897f349777bc'
-  assert manifest.created_datetime
+    manifest = DockerSchema1Manifest(Bytes.for_string_or_unicode(manifest_bytes))
+    digest = manifest.digest
+    assert (
+        digest
+        == "sha256:5d8a0f34744a39bf566ba430251adc0cc86587f86aed3ac2acfb897f349777bc"
+    )
+    assert manifest.created_datetime
 
-  layers = list(manifest.get_layers(None))
-  assert layers[-1].author == u'Sômé guy'
+    layers = list(manifest.get_layers(None))
+    assert layers[-1].author == u"Sômé guy"
 
 
-@pytest.mark.parametrize('with_key', [
-  None,
-  docker_v2_signing_key,
-])
+@pytest.mark.parametrize("with_key", [None, docker_v2_signing_key])
 def test_build_unencoded_unicode_manifest(with_key):
-  builder = DockerSchema1ManifestBuilder('somenamespace', 'somerepo', 'sometag')
-  builder.add_layer('sha256:abcde', json.dumps({
-    'id': 'someid',
-    'author': u'Sômé guy',
-  }, ensure_ascii=False))
+    builder = DockerSchema1ManifestBuilder("somenamespace", "somerepo", "sometag")
+    builder.add_layer(
+        "sha256:abcde",
+        json.dumps({"id": "someid", "author": u"Sômé guy"}, ensure_ascii=False),
+    )
 
-  built = builder.build(with_key, ensure_ascii=False)
-  built._validate()
+    built = builder.build(with_key, ensure_ascii=False)
+    built._validate()
 
 
 def test_validate_manifest_known_issue():
-  test_dir = os.path.dirname(os.path.abspath(__file__))
-  with open(os.path.join(test_dir, 'validate_manifest_known_issue.json'), 'r') as f:
-    manifest_bytes = f.read()
+    test_dir = os.path.dirname(os.path.abspath(__file__))
+    with open(os.path.join(test_dir, "validate_manifest_known_issue.json"), "r") as f:
+        manifest_bytes = f.read()
 
-  manifest = DockerSchema1Manifest(Bytes.for_string_or_unicode(manifest_bytes))
-  digest = manifest.digest
-  assert digest == 'sha256:44518f5a4d1cb5b7a6347763116fb6e10f6a8563b6c40bb389a0a982f0a9f47a'
-  assert manifest.created_datetime
+    manifest = DockerSchema1Manifest(Bytes.for_string_or_unicode(manifest_bytes))
+    digest = manifest.digest
+    assert (
+        digest
+        == "sha256:44518f5a4d1cb5b7a6347763116fb6e10f6a8563b6c40bb389a0a982f0a9f47a"
+    )
+    assert manifest.created_datetime
 
-  layers = list(manifest.get_layers(None))
-  assert layers[-1].author is None
+    layers = list(manifest.get_layers(None))
+    assert layers[-1].author is None
 
 
-@pytest.mark.parametrize('with_key', [
-  None,
-  docker_v2_signing_key,
-])
+@pytest.mark.parametrize("with_key", [None, docker_v2_signing_key])
 def test_validate_manifest_with_emoji(with_key):
-  builder = DockerSchema1ManifestBuilder('somenamespace', 'somerepo', 'sometag')
-  builder.add_layer('sha256:abcde', json.dumps({
-    'id': 'someid',
-    'author': u'😱',
-  }, ensure_ascii=False))
+    builder = DockerSchema1ManifestBuilder("somenamespace", "somerepo", "sometag")
+    builder.add_layer(
+        "sha256:abcde", json.dumps({"id": "someid", "author": u"😱"}, ensure_ascii=False)
+    )
 
-  built = builder.build(with_key, ensure_ascii=False)
-  built._validate()
+    built = builder.build(with_key, ensure_ascii=False)
+    built._validate()
 
-  # Ensure the manifest can be reloaded.
-  built_bytes = built.bytes.as_encoded_str()
-  DockerSchema1Manifest(Bytes.for_string_or_unicode(built_bytes))
+    # Ensure the manifest can be reloaded.
+    built_bytes = built.bytes.as_encoded_str()
+    DockerSchema1Manifest(Bytes.for_string_or_unicode(built_bytes))
 
 
-@pytest.mark.parametrize('with_key', [
-  None,
-  docker_v2_signing_key,
-])
+@pytest.mark.parametrize("with_key", [None, docker_v2_signing_key])
 def test_validate_manifest_with_none_metadata_layer(with_key):
-  builder = DockerSchema1ManifestBuilder('somenamespace', 'somerepo', 'sometag')
-  builder.add_layer('sha256:abcde', None)
+    builder = DockerSchema1ManifestBuilder("somenamespace", "somerepo", "sometag")
+    builder.add_layer("sha256:abcde", None)
 
-  built = builder.build(with_key, ensure_ascii=False)
-  built._validate()
+    built = builder.build(with_key, ensure_ascii=False)
+    built._validate()
 
-  # Ensure the manifest can be reloaded.
-  built_bytes = built.bytes.as_encoded_str()
-  DockerSchema1Manifest(Bytes.for_string_or_unicode(built_bytes))
+    # Ensure the manifest can be reloaded.
+    built_bytes = built.bytes.as_encoded_str()
+    DockerSchema1Manifest(Bytes.for_string_or_unicode(built_bytes))
 
 
 def test_build_with_metadata_removed():
-  builder = DockerSchema1ManifestBuilder('somenamespace', 'somerepo', 'sometag')
-  builder.add_layer('sha256:abcde', json.dumps({
-    'id': 'someid',
-    'parent': 'someid',
-    'author': u'😱',
-    'comment': 'hello world!',
-    'created': '1975-01-02 12:34',
-    'Size': 5678,
-    'container_config': {
-      'Cmd': 'foobar',
-      'more': 'stuff',
-      'goes': 'here',
-    },
-  }))
-  builder.add_layer('sha256:abcde', json.dumps({
-    'id': 'anotherid',
-    'author': u'😱',
-    'created': '1985-02-03 12:34',
-    'Size': 1234,
-    'container_config': {
-      'Cmd': 'barbaz',
-      'more': 'stuff',
-      'goes': 'here',
-    },
-  }))
+    builder = DockerSchema1ManifestBuilder("somenamespace", "somerepo", "sometag")
+    builder.add_layer(
+        "sha256:abcde",
+        json.dumps(
+            {
+                "id": "someid",
+                "parent": "someid",
+                "author": u"😱",
+                "comment": "hello world!",
+                "created": "1975-01-02 12:34",
+                "Size": 5678,
+                "container_config": {"Cmd": "foobar", "more": "stuff", "goes": "here"},
+            }
+        ),
+    )
+    builder.add_layer(
+        "sha256:abcde",
+        json.dumps(
+            {
+                "id": "anotherid",
+                "author": u"😱",
+                "created": "1985-02-03 12:34",
+                "Size": 1234,
+                "container_config": {"Cmd": "barbaz", "more": "stuff", "goes": "here"},
+            }
+        ),
+    )
 
-  built = builder.build(None)
-  built._validate()
+    built = builder.build(None)
+    built._validate()
 
-  assert built.leaf_layer_v1_image_id == 'someid'
+    assert built.leaf_layer_v1_image_id == "someid"
 
-  with_metadata_removed = builder.with_metadata_removed().build()
-  with_metadata_removed._validate()
+    with_metadata_removed = builder.with_metadata_removed().build()
+    with_metadata_removed._validate()
 
-  built_layers = list(built.get_layers(None))
-  with_metadata_removed_layers = list(with_metadata_removed.get_layers(None))
+    built_layers = list(built.get_layers(None))
+    with_metadata_removed_layers = list(with_metadata_removed.get_layers(None))
 
-  assert len(built_layers) == len(with_metadata_removed_layers)
-  for index, built_layer in enumerate(built_layers):
-    with_metadata_removed_layer = with_metadata_removed_layers[index]
+    assert len(built_layers) == len(with_metadata_removed_layers)
+    for index, built_layer in enumerate(built_layers):
+        with_metadata_removed_layer = with_metadata_removed_layers[index]
 
-    assert built_layer.layer_id == with_metadata_removed_layer.layer_id
-    assert built_layer.compressed_size == with_metadata_removed_layer.compressed_size
-    assert built_layer.command == with_metadata_removed_layer.command
-    assert built_layer.comment == with_metadata_removed_layer.comment
-    assert built_layer.author == with_metadata_removed_layer.author
-    assert built_layer.blob_digest == with_metadata_removed_layer.blob_digest
-    assert built_layer.created_datetime == with_metadata_removed_layer.created_datetime
+        assert built_layer.layer_id == with_metadata_removed_layer.layer_id
+        assert (
+            built_layer.compressed_size == with_metadata_removed_layer.compressed_size
+        )
+        assert built_layer.command == with_metadata_removed_layer.command
+        assert built_layer.comment == with_metadata_removed_layer.comment
+        assert built_layer.author == with_metadata_removed_layer.author
+        assert built_layer.blob_digest == with_metadata_removed_layer.blob_digest
+        assert (
+            built_layer.created_datetime == with_metadata_removed_layer.created_datetime
+        )
 
-  assert built.leaf_layer_v1_image_id == with_metadata_removed.leaf_layer_v1_image_id
-  assert built_layers[-1].layer_id == built.leaf_layer_v1_image_id
+    assert built.leaf_layer_v1_image_id == with_metadata_removed.leaf_layer_v1_image_id
+    assert built_layers[-1].layer_id == built.leaf_layer_v1_image_id
 
-  assert (json.loads(built_layers[-1].internal_layer.raw_v1_metadata) ==
-          json.loads(with_metadata_removed_layers[-1].internal_layer.raw_v1_metadata))
+    assert json.loads(built_layers[-1].internal_layer.raw_v1_metadata) == json.loads(
+        with_metadata_removed_layers[-1].internal_layer.raw_v1_metadata
+    )
 
 
 def test_validate_manifest_without_metadata():
-  test_dir = os.path.dirname(os.path.abspath(__file__))
-  with open(os.path.join(test_dir, 'validated_manifest.json'), 'r') as f:
-    manifest_bytes = f.read()
+    test_dir = os.path.dirname(os.path.abspath(__file__))
+    with open(os.path.join(test_dir, "validated_manifest.json"), "r") as f:
+        manifest_bytes = f.read()
 
-  manifest = DockerSchema1Manifest(Bytes.for_string_or_unicode(manifest_bytes), validate=True)
-  digest = manifest.digest
-  assert digest == 'sha256:b5dc4f63fdbd64f34f2314c0747ef81008f9fcddce4edfc3fd0e8ec8b358d571'
-  assert manifest.created_datetime
+    manifest = DockerSchema1Manifest(
+        Bytes.for_string_or_unicode(manifest_bytes), validate=True
+    )
+    digest = manifest.digest
+    assert (
+        digest
+        == "sha256:b5dc4f63fdbd64f34f2314c0747ef81008f9fcddce4edfc3fd0e8ec8b358d571"
+    )
+    assert manifest.created_datetime
 
-  with_metadata_removed = manifest._unsigned_builder().with_metadata_removed().build()
-  assert with_metadata_removed.leaf_layer_v1_image_id == manifest.leaf_layer_v1_image_id
+    with_metadata_removed = manifest._unsigned_builder().with_metadata_removed().build()
+    assert (
+        with_metadata_removed.leaf_layer_v1_image_id == manifest.leaf_layer_v1_image_id
+    )
 
-  manifest_layers = list(manifest.get_layers(None))
-  with_metadata_removed_layers = list(with_metadata_removed.get_layers(None))
+    manifest_layers = list(manifest.get_layers(None))
+    with_metadata_removed_layers = list(with_metadata_removed.get_layers(None))
 
-  assert len(manifest_layers) == len(with_metadata_removed_layers)
-  for index, built_layer in enumerate(manifest_layers):
-    with_metadata_removed_layer = with_metadata_removed_layers[index]
+    assert len(manifest_layers) == len(with_metadata_removed_layers)
+    for index, built_layer in enumerate(manifest_layers):
+        with_metadata_removed_layer = with_metadata_removed_layers[index]
 
-    assert built_layer.layer_id == with_metadata_removed_layer.layer_id
-    assert built_layer.compressed_size == with_metadata_removed_layer.compressed_size
-    assert built_layer.command == with_metadata_removed_layer.command
-    assert built_layer.comment == with_metadata_removed_layer.comment
-    assert built_layer.author == with_metadata_removed_layer.author
-    assert built_layer.blob_digest == with_metadata_removed_layer.blob_digest
-    assert built_layer.created_datetime == with_metadata_removed_layer.created_datetime
+        assert built_layer.layer_id == with_metadata_removed_layer.layer_id
+        assert (
+            built_layer.compressed_size == with_metadata_removed_layer.compressed_size
+        )
+        assert built_layer.command == with_metadata_removed_layer.command
+        assert built_layer.comment == with_metadata_removed_layer.comment
+        assert built_layer.author == with_metadata_removed_layer.author
+        assert built_layer.blob_digest == with_metadata_removed_layer.blob_digest
+        assert (
+            built_layer.created_datetime == with_metadata_removed_layer.created_datetime
+        )
 
-  assert with_metadata_removed.digest != manifest.digest
+    assert with_metadata_removed.digest != manifest.digest
 
-  assert with_metadata_removed.namespace == manifest.namespace
-  assert with_metadata_removed.repo_name == manifest.repo_name
-  assert with_metadata_removed.tag == manifest.tag
-  assert with_metadata_removed.created_datetime == manifest.created_datetime
-  assert with_metadata_removed.checksums == manifest.checksums
-  assert with_metadata_removed.image_ids == manifest.image_ids
-  assert with_metadata_removed.parent_image_ids == manifest.parent_image_ids
+    assert with_metadata_removed.namespace == manifest.namespace
+    assert with_metadata_removed.repo_name == manifest.repo_name
+    assert with_metadata_removed.tag == manifest.tag
+    assert with_metadata_removed.created_datetime == manifest.created_datetime
+    assert with_metadata_removed.checksums == manifest.checksums
+    assert with_metadata_removed.image_ids == manifest.image_ids
+    assert with_metadata_removed.parent_image_ids == manifest.parent_image_ids
diff --git a/image/docker/test/test_schemas.py b/image/docker/test/test_schemas.py
index def881984..860add5c1 100644
--- a/image/docker/test/test_schemas.py
+++ b/image/docker/test/test_schemas.py
@@ -10,11 +10,15 @@ from image.docker.schema2.test.test_manifest import MANIFEST_BYTES as SCHEMA2_BY
 from util.bytes import Bytes
 
 
-@pytest.mark.parametrize('media_type, manifest_bytes', [
-  (DOCKER_SCHEMA1_SIGNED_MANIFEST_CONTENT_TYPE, SCHEMA1_BYTES),
-  (DOCKER_SCHEMA2_MANIFEST_CONTENT_TYPE, SCHEMA2_BYTES),
-  (DOCKER_SCHEMA2_MANIFESTLIST_CONTENT_TYPE, MANIFESTLIST_BYTES),
-])
+@pytest.mark.parametrize(
+    "media_type, manifest_bytes",
+    [
+        (DOCKER_SCHEMA1_SIGNED_MANIFEST_CONTENT_TYPE, SCHEMA1_BYTES),
+        (DOCKER_SCHEMA2_MANIFEST_CONTENT_TYPE, SCHEMA2_BYTES),
+        (DOCKER_SCHEMA2_MANIFESTLIST_CONTENT_TYPE, MANIFESTLIST_BYTES),
+    ],
+)
 def test_parse_manifest_from_bytes(media_type, manifest_bytes):
-  assert parse_manifest_from_bytes(Bytes.for_string_or_unicode(manifest_bytes), media_type,
-                                   validate=False)
+    assert parse_manifest_from_bytes(
+        Bytes.for_string_or_unicode(manifest_bytes), media_type, validate=False
+    )
diff --git a/image/docker/test/test_schemautil.py b/image/docker/test/test_schemautil.py
index 360a74bb7..5d022d69c 100644
--- a/image/docker/test/test_schemautil.py
+++ b/image/docker/test/test_schemautil.py
@@ -2,22 +2,26 @@ import pytest
 
 from image.docker.schemautil import to_canonical_json
 
-@pytest.mark.parametrize('input, expected_output', [
-  pytest.param({}, '{}', id='empty object'),
-  pytest.param({'b': 2, 'a': 1}, '{"a":1,"b":2}', id='object with sorted keys'),
-  pytest.param('hello world', '"hello world"', id='basic string'),
-  pytest.param('hey & hi', '"hey \\u0026 hi"', id='string with &'),
-  pytest.param('<hey>', '"\\u003chey\\u003e"', id='string with brackets'),
-  pytest.param({
-    "zxcv": [{}, True, 1000000000, 'tyui'],
-    "asdf": 1,
-    "qwer": [],
-  }, '{"asdf":1,"qwer":[],"zxcv":[{},true,1000000000,"tyui"]}', id='example canonical'),
-])
-def test_to_canonical_json(input, expected_output):
-  result = to_canonical_json(input)
-  assert result == expected_output
 
-  # Ensure the result is utf-8.
-  assert isinstance(result, str)
-  result.decode('utf-8')
+@pytest.mark.parametrize(
+    "input, expected_output",
+    [
+        pytest.param({}, "{}", id="empty object"),
+        pytest.param({"b": 2, "a": 1}, '{"a":1,"b":2}', id="object with sorted keys"),
+        pytest.param("hello world", '"hello world"', id="basic string"),
+        pytest.param("hey & hi", '"hey \\u0026 hi"', id="string with &"),
+        pytest.param("<hey>", '"\\u003chey\\u003e"', id="string with brackets"),
+        pytest.param(
+            {"zxcv": [{}, True, 1000000000, "tyui"], "asdf": 1, "qwer": []},
+            '{"asdf":1,"qwer":[],"zxcv":[{},true,1000000000,"tyui"]}',
+            id="example canonical",
+        ),
+    ],
+)
+def test_to_canonical_json(input, expected_output):
+    result = to_canonical_json(input)
+    assert result == expected_output
+
+    # Ensure the result is utf-8.
+    assert isinstance(result, str)
+    result.decode("utf-8")
diff --git a/image/docker/types.py b/image/docker/types.py
index 69ca6d3be..fd1ca6240 100644
--- a/image/docker/types.py
+++ b/image/docker/types.py
@@ -1,7 +1,17 @@
 from collections import namedtuple
 
-ManifestImageLayer = namedtuple('ManifestImageLayer', ['layer_id', 'compressed_size',
-                                                       'is_remote', 'urls', 'command',
-                                                       'blob_digest', 'created_datetime',
-                                                       'author', 'comment',
-                                                       'internal_layer'])
+ManifestImageLayer = namedtuple(
+    "ManifestImageLayer",
+    [
+        "layer_id",
+        "compressed_size",
+        "is_remote",
+        "urls",
+        "command",
+        "blob_digest",
+        "created_datetime",
+        "author",
+        "comment",
+        "internal_layer",
+    ],
+)
diff --git a/image/docker/v1.py b/image/docker/v1.py
index b6700cdad..d15564001 100644
--- a/image/docker/v1.py
+++ b/image/docker/v1.py
@@ -6,11 +6,26 @@ https://github.com/docker/docker/blob/master/image/spec/v1.1.md
 
 from collections import namedtuple
 
-class DockerV1Metadata(namedtuple('DockerV1Metadata',
-                                  ['namespace_name', 'repo_name', 'image_id', 'checksum',
-                                   'content_checksum', 'created', 'comment', 'command',
-                                   'author', 'parent_image_id', 'compat_json'])):
-  """
+
+class DockerV1Metadata(
+    namedtuple(
+        "DockerV1Metadata",
+        [
+            "namespace_name",
+            "repo_name",
+            "image_id",
+            "checksum",
+            "content_checksum",
+            "created",
+            "comment",
+            "command",
+            "author",
+            "parent_image_id",
+            "compat_json",
+        ],
+    )
+):
+    """
   DockerV1Metadata represents all of the metadata for a given Docker v1 Image.
   The original form of the metadata is stored in the compat_json field.
   """
diff --git a/initdb.py b/initdb.py
index 709157f00..38fe117e8 100644
--- a/initdb.py
+++ b/initdb.py
@@ -13,16 +13,46 @@ from uuid import UUID, uuid4
 from threading import Event
 
 from email.utils import formatdate
-from data.database import (db, all_models, Role, TeamRole, Visibility, LoginService,
-                           BuildTriggerService, AccessTokenKind, LogEntryKind, ImageStorageLocation,
-                           ImageStorageTransformation, ImageStorageSignatureKind,
-                           ExternalNotificationEvent, ExternalNotificationMethod, NotificationKind,
-                           QuayRegion, QuayService, UserRegion, OAuthAuthorizationCode,
-                           ServiceKeyApprovalType, MediaType, LabelSourceType, UserPromptKind,
-                           RepositoryKind, User, DisableReason, DeletedNamespace, appr_classes,
-                           ApprTagKind, ApprBlobPlacementLocation, Repository, TagKind,
-                           ManifestChild, TagToRepositoryTag, get_epoch_timestamp_ms,
-                           RepoMirrorConfig, RepoMirrorRule, RepositoryState)
+from data.database import (
+    db,
+    all_models,
+    Role,
+    TeamRole,
+    Visibility,
+    LoginService,
+    BuildTriggerService,
+    AccessTokenKind,
+    LogEntryKind,
+    ImageStorageLocation,
+    ImageStorageTransformation,
+    ImageStorageSignatureKind,
+    ExternalNotificationEvent,
+    ExternalNotificationMethod,
+    NotificationKind,
+    QuayRegion,
+    QuayService,
+    UserRegion,
+    OAuthAuthorizationCode,
+    ServiceKeyApprovalType,
+    MediaType,
+    LabelSourceType,
+    UserPromptKind,
+    RepositoryKind,
+    User,
+    DisableReason,
+    DeletedNamespace,
+    appr_classes,
+    ApprTagKind,
+    ApprBlobPlacementLocation,
+    Repository,
+    TagKind,
+    ManifestChild,
+    TagToRepositoryTag,
+    get_epoch_timestamp_ms,
+    RepoMirrorConfig,
+    RepoMirrorRule,
+    RepositoryState,
+)
 from data import model
 from data.fields import Credential
 from data.logs_model import logs_model
@@ -41,978 +71,1363 @@ from workers import repositoryactioncounter
 logger = logging.getLogger(__name__)
 
 
-SAMPLE_DIFFS = ['test/data/sample/diffs/diffs%s.json' % i
-                for i in range(1, 10)]
+SAMPLE_DIFFS = ["test/data/sample/diffs/diffs%s.json" % i for i in range(1, 10)]
 
-SAMPLE_CMDS = [["/bin/bash"],
-               ["/bin/sh", "-c",
-                "echo \"PasswordAuthentication no\" >> /etc/ssh/sshd_config"],
-               ["/bin/sh", "-c",
-                "sed -i 's/#\\(force_color_prompt\\)/\\1/' /etc/skel/.bashrc"],
-               ["/bin/sh", "-c", "#(nop) EXPOSE [8080]"],
-               ["/bin/sh", "-c",
-                "#(nop) MAINTAINER Jake Moshenko <jake@devtable.com>"],
-               None]
+SAMPLE_CMDS = [
+    ["/bin/bash"],
+    ["/bin/sh", "-c", 'echo "PasswordAuthentication no" >> /etc/ssh/sshd_config'],
+    ["/bin/sh", "-c", "sed -i 's/#\\(force_color_prompt\\)/\\1/' /etc/skel/.bashrc"],
+    ["/bin/sh", "-c", "#(nop) EXPOSE [8080]"],
+    ["/bin/sh", "-c", "#(nop) MAINTAINER Jake Moshenko <jake@devtable.com>"],
+    None,
+]
 
 REFERENCE_DATE = datetime(2013, 6, 23)
-TEST_STRIPE_ID = 'cus_2tmnh3PkXQS8NG'
+TEST_STRIPE_ID = "cus_2tmnh3PkXQS8NG"
 
-IS_TESTING_REAL_DATABASE = bool(os.environ.get('TEST_DATABASE_URI'))
+IS_TESTING_REAL_DATABASE = bool(os.environ.get("TEST_DATABASE_URI"))
 
 
 def __gen_checksum(image_id):
-  csum = hashlib.md5(image_id)
-  return 'tarsum+sha256:' + csum.hexdigest() + csum.hexdigest()
+    csum = hashlib.md5(image_id)
+    return "tarsum+sha256:" + csum.hexdigest() + csum.hexdigest()
 
 
 def __gen_image_id(repo, image_num):
-  str_to_hash = "%s/%s/%s" % (repo.namespace_user.username, repo.name, image_num)
+    str_to_hash = "%s/%s/%s" % (repo.namespace_user.username, repo.name, image_num)
 
-  img_id = hashlib.md5(str_to_hash)
-  return img_id.hexdigest() + img_id.hexdigest()
+    img_id = hashlib.md5(str_to_hash)
+    return img_id.hexdigest() + img_id.hexdigest()
 
 
 def __gen_image_uuid(repo, image_num):
-  str_to_hash = "%s/%s/%s" % (repo.namespace_user.username, repo.name, image_num)
+    str_to_hash = "%s/%s/%s" % (repo.namespace_user.username, repo.name, image_num)
 
-  img_uuid = hashlib.md5(str_to_hash)
-  return UUID(bytes=img_uuid.digest())
+    img_uuid = hashlib.md5(str_to_hash)
+    return UUID(bytes=img_uuid.digest())
 
 
 global_image_num = count()
 
 
 def __create_subtree(with_storage, repo, structure, creator_username, parent, tag_map):
-  num_nodes, subtrees, last_node_tags = structure
+    num_nodes, subtrees, last_node_tags = structure
 
-  # create the nodes
-  for model_num in range(num_nodes):
-    image_num = next(global_image_num)
-    docker_image_id = __gen_image_id(repo, image_num)
-    logger.debug('new docker id: %s', docker_image_id)
-    checksum = __gen_checksum(docker_image_id)
+    # create the nodes
+    for model_num in range(num_nodes):
+        image_num = next(global_image_num)
+        docker_image_id = __gen_image_id(repo, image_num)
+        logger.debug("new docker id: %s", docker_image_id)
+        checksum = __gen_checksum(docker_image_id)
 
-    new_image = model.image.find_create_or_link_image(docker_image_id, repo, None, {}, 'local_us')
-    new_image.storage.uuid = __gen_image_uuid(repo, image_num)
-    new_image.storage.uploading = False
-    new_image.storage.save()
+        new_image = model.image.find_create_or_link_image(
+            docker_image_id, repo, None, {}, "local_us"
+        )
+        new_image.storage.uuid = __gen_image_uuid(repo, image_num)
+        new_image.storage.uploading = False
+        new_image.storage.save()
 
-    # Write out a fake torrentinfo
-    model.storage.save_torrent_info(new_image.storage, 1, 'deadbeef')
+        # Write out a fake torrentinfo
+        model.storage.save_torrent_info(new_image.storage, 1, "deadbeef")
 
-    # Write some data for the storage.
-    if with_storage or os.environ.get('WRITE_STORAGE_FILES'):
-      storage_paths = StoragePaths()
-      paths = [storage_paths.v1_image_layer_path]
+        # Write some data for the storage.
+        if with_storage or os.environ.get("WRITE_STORAGE_FILES"):
+            storage_paths = StoragePaths()
+            paths = [storage_paths.v1_image_layer_path]
 
-      for path_builder in paths:
-        path = path_builder(new_image.storage.uuid)
-        store.put_content('local_us', path, checksum)
+            for path_builder in paths:
+                path = path_builder(new_image.storage.uuid)
+                store.put_content("local_us", path, checksum)
 
-    new_image.security_indexed = False
-    new_image.security_indexed_engine = -1
-    new_image.save()
+        new_image.security_indexed = False
+        new_image.security_indexed_engine = -1
+        new_image.save()
 
-    creation_time = REFERENCE_DATE + timedelta(weeks=image_num) + timedelta(days=model_num)
-    command_list = SAMPLE_CMDS[image_num % len(SAMPLE_CMDS)]
-    command = json.dumps(command_list) if command_list else None
+        creation_time = (
+            REFERENCE_DATE + timedelta(weeks=image_num) + timedelta(days=model_num)
+        )
+        command_list = SAMPLE_CMDS[image_num % len(SAMPLE_CMDS)]
+        command = json.dumps(command_list) if command_list else None
 
-    v1_metadata = {
-      'id': docker_image_id,
-    }
-    if parent is not None:
-      v1_metadata['parent'] = parent.docker_image_id
+        v1_metadata = {"id": docker_image_id}
+        if parent is not None:
+            v1_metadata["parent"] = parent.docker_image_id
 
-    new_image = model.image.set_image_metadata(docker_image_id, repo.namespace_user.username,
-                                               repo.name, str(creation_time), 'no comment', command,
-                                               json.dumps(v1_metadata), parent)
-    new_image.storage.content_checksum = checksum
-    new_image.storage.save()
+        new_image = model.image.set_image_metadata(
+            docker_image_id,
+            repo.namespace_user.username,
+            repo.name,
+            str(creation_time),
+            "no comment",
+            command,
+            json.dumps(v1_metadata),
+            parent,
+        )
+        new_image.storage.content_checksum = checksum
+        new_image.storage.save()
 
-    compressed_size = random.randrange(1, 1024 * 1024 * 1024)
-    model.storage.set_image_storage_metadata(docker_image_id, repo.namespace_user.username,
-                                             repo.name, compressed_size, int(compressed_size * 1.4))
+        compressed_size = random.randrange(1, 1024 * 1024 * 1024)
+        model.storage.set_image_storage_metadata(
+            docker_image_id,
+            repo.namespace_user.username,
+            repo.name,
+            compressed_size,
+            int(compressed_size * 1.4),
+        )
 
-    parent = new_image
+        parent = new_image
 
-  if last_node_tags:
-    if not isinstance(last_node_tags, list):
-      last_node_tags = [last_node_tags]
+    if last_node_tags:
+        if not isinstance(last_node_tags, list):
+            last_node_tags = [last_node_tags]
 
-    repo_ref = registry_model.lookup_repository(repo.namespace_user.username, repo.name)
-    for tag_name in last_node_tags:
-      adjusted_tag_name = tag_name
-      now_ms = None
-      if tag_name[0] == '#':
-        adjusted_tag_name = tag_name[1:]
-        now_ms = get_epoch_timestamp_ms() - 1000
+        repo_ref = registry_model.lookup_repository(
+            repo.namespace_user.username, repo.name
+        )
+        for tag_name in last_node_tags:
+            adjusted_tag_name = tag_name
+            now_ms = None
+            if tag_name[0] == "#":
+                adjusted_tag_name = tag_name[1:]
+                now_ms = get_epoch_timestamp_ms() - 1000
 
-      new_tag = model.tag.create_or_update_tag(repo.namespace_user.username, repo.name,
-                                               adjusted_tag_name,
-                                               new_image.docker_image_id,
-                                               now_ms=now_ms)
+            new_tag = model.tag.create_or_update_tag(
+                repo.namespace_user.username,
+                repo.name,
+                adjusted_tag_name,
+                new_image.docker_image_id,
+                now_ms=now_ms,
+            )
 
-      derived = model.image.find_or_create_derived_storage(new_tag, 'squash', 'local_us')
-      model.storage.find_or_create_storage_signature(derived, 'gpg2')
+            derived = model.image.find_or_create_derived_storage(
+                new_tag, "squash", "local_us"
+            )
+            model.storage.find_or_create_storage_signature(derived, "gpg2")
 
-      tag = pre_oci_model.get_repo_tag(repo_ref, adjusted_tag_name)
-      assert tag._db_id == new_tag.id
-      assert pre_oci_model.backfill_manifest_for_tag(tag)
-      tag_map[tag_name] = new_tag
+            tag = pre_oci_model.get_repo_tag(repo_ref, adjusted_tag_name)
+            assert tag._db_id == new_tag.id
+            assert pre_oci_model.backfill_manifest_for_tag(tag)
+            tag_map[tag_name] = new_tag
 
-  for subtree in subtrees:
-    __create_subtree(with_storage, repo, subtree, creator_username, new_image, tag_map)
+    for subtree in subtrees:
+        __create_subtree(
+            with_storage, repo, subtree, creator_username, new_image, tag_map
+        )
 
 
-def __generate_service_key(kid, name, user, timestamp, approval_type, expiration=None,
-                           metadata=None, service='sample_service', rotation_duration=None):
-  _, key = model.service_keys.generate_service_key(service, expiration, kid=kid,
-                                                   name=name, metadata=metadata,
-                                                   rotation_duration=rotation_duration)
+def __generate_service_key(
+    kid,
+    name,
+    user,
+    timestamp,
+    approval_type,
+    expiration=None,
+    metadata=None,
+    service="sample_service",
+    rotation_duration=None,
+):
+    _, key = model.service_keys.generate_service_key(
+        service,
+        expiration,
+        kid=kid,
+        name=name,
+        metadata=metadata,
+        rotation_duration=rotation_duration,
+    )
 
-  if approval_type is not None:
-    model.service_keys.approve_service_key(key.kid, approval_type, notes='The **test** approval')
+    if approval_type is not None:
+        model.service_keys.approve_service_key(
+            key.kid, approval_type, notes="The **test** approval"
+        )
 
-    key_metadata = {
-      'kid': kid,
-      'preshared': True,
-      'service': service,
-      'name': name,
-      'expiration_date': expiration,
-      'auto_approved': True
-    }
+        key_metadata = {
+            "kid": kid,
+            "preshared": True,
+            "service": service,
+            "name": name,
+            "expiration_date": expiration,
+            "auto_approved": True,
+        }
 
-    logs_model.log_action('service_key_approve', None, performer=user,
-                          timestamp=timestamp, metadata=key_metadata)
+        logs_model.log_action(
+            "service_key_approve",
+            None,
+            performer=user,
+            timestamp=timestamp,
+            metadata=key_metadata,
+        )
 
-    logs_model.log_action('service_key_create', None, performer=user,
-                          timestamp=timestamp, metadata=key_metadata)
+        logs_model.log_action(
+            "service_key_create",
+            None,
+            performer=user,
+            timestamp=timestamp,
+            metadata=key_metadata,
+        )
 
 
-def __generate_repository(with_storage, user_obj, name, description, is_public, permissions,
-                          structure):
-  repo = model.repository.create_repository(user_obj.username, name, user_obj)
+def __generate_repository(
+    with_storage, user_obj, name, description, is_public, permissions, structure
+):
+    repo = model.repository.create_repository(user_obj.username, name, user_obj)
 
-  if is_public:
-    model.repository.set_repository_visibility(repo, 'public')
+    if is_public:
+        model.repository.set_repository_visibility(repo, "public")
 
-  if description:
-    repo.description = description
-    repo.save()
+    if description:
+        repo.description = description
+        repo.save()
 
-  for delegate, role in permissions:
-    model.permission.set_user_repo_permission(delegate.username, user_obj.username, name, role)
+    for delegate, role in permissions:
+        model.permission.set_user_repo_permission(
+            delegate.username, user_obj.username, name, role
+        )
 
-  if isinstance(structure, list):
-    for leaf in structure:
-      __create_subtree(with_storage, repo, leaf, user_obj.username, None, {})
-  else:
-    __create_subtree(with_storage, repo, structure, user_obj.username, None, {})
+    if isinstance(structure, list):
+        for leaf in structure:
+            __create_subtree(with_storage, repo, leaf, user_obj.username, None, {})
+    else:
+        __create_subtree(with_storage, repo, structure, user_obj.username, None, {})
 
-  return repo
+    return repo
 
 
 db_initialized_for_testing = Event()
 testcases = {}
 
+
 def finished_database_for_testing(testcase):
-  """ Called when a testcase has finished using the database, indicating that
+    """ Called when a testcase has finished using the database, indicating that
       any changes should be discarded.
   """
-  testcases[testcase]['savepoint'].rollback()
-  testcases[testcase]['savepoint'].__exit__(True, None, None)
+    testcases[testcase]["savepoint"].rollback()
+    testcases[testcase]["savepoint"].__exit__(True, None, None)
+
+    testcases[testcase]["transaction"].__exit__(True, None, None)
 
-  testcases[testcase]['transaction'].__exit__(True, None, None)
 
 def setup_database_for_testing(testcase, with_storage=False, force_rebuild=False):
-  """ Called when a testcase has started using the database, indicating that
+    """ Called when a testcase has started using the database, indicating that
       the database should be setup (if not already) and a savepoint created.
   """
 
-  # Sanity check to make sure we're not killing our prod db
-  if not IS_TESTING_REAL_DATABASE and not isinstance(db.obj, SqliteDatabase):
-    raise RuntimeError('Attempted to wipe production database!')
+    # Sanity check to make sure we're not killing our prod db
+    if not IS_TESTING_REAL_DATABASE and not isinstance(db.obj, SqliteDatabase):
+        raise RuntimeError("Attempted to wipe production database!")
 
-  if not db_initialized_for_testing.is_set() or force_rebuild:
-    logger.debug('Setting up DB for testing.')
+    if not db_initialized_for_testing.is_set() or force_rebuild:
+        logger.debug("Setting up DB for testing.")
 
-    # Setup the database.
-    if os.environ.get('SKIP_DB_SCHEMA', '') != 'true':
-      wipe_database()
-      initialize_database()
+        # Setup the database.
+        if os.environ.get("SKIP_DB_SCHEMA", "") != "true":
+            wipe_database()
+            initialize_database()
 
-    populate_database(with_storage=with_storage)
+        populate_database(with_storage=with_storage)
 
-    models_missing_data = find_models_missing_data()
-    if models_missing_data:
-      raise RuntimeError('%s models are missing data: %s', len(models_missing_data),
-                         models_missing_data)
+        models_missing_data = find_models_missing_data()
+        if models_missing_data:
+            raise RuntimeError(
+                "%s models are missing data: %s",
+                len(models_missing_data),
+                models_missing_data,
+            )
 
-    # Enable foreign key constraints.
-    if not IS_TESTING_REAL_DATABASE:
-      db.obj.execute_sql('PRAGMA foreign_keys = ON;')
+        # Enable foreign key constraints.
+        if not IS_TESTING_REAL_DATABASE:
+            db.obj.execute_sql("PRAGMA foreign_keys = ON;")
 
-    db_initialized_for_testing.set()
+        db_initialized_for_testing.set()
 
-  # Initialize caches.
-  Repository.kind.get_id('image')
+    # Initialize caches.
+    Repository.kind.get_id("image")
 
-  # Create a savepoint for the testcase.
-  testcases[testcase] = {}
-  testcases[testcase]['transaction'] = db.transaction()
-  testcases[testcase]['transaction'].__enter__()
+    # Create a savepoint for the testcase.
+    testcases[testcase] = {}
+    testcases[testcase]["transaction"] = db.transaction()
+    testcases[testcase]["transaction"].__enter__()
 
-  testcases[testcase]['savepoint'] = db.savepoint()
-  testcases[testcase]['savepoint'].__enter__()
+    testcases[testcase]["savepoint"] = db.savepoint()
+    testcases[testcase]["savepoint"].__enter__()
 
 
 def initialize_database():
-  db.create_tables(all_models)
+    db.create_tables(all_models)
 
-  Role.create(name='admin')
-  Role.create(name='write')
-  Role.create(name='read')
-  TeamRole.create(name='admin')
-  TeamRole.create(name='creator')
-  TeamRole.create(name='member')
-  Visibility.create(name='public')
-  Visibility.create(name='private')
+    Role.create(name="admin")
+    Role.create(name="write")
+    Role.create(name="read")
+    TeamRole.create(name="admin")
+    TeamRole.create(name="creator")
+    TeamRole.create(name="member")
+    Visibility.create(name="public")
+    Visibility.create(name="private")
 
-  LoginService.create(name='google')
-  LoginService.create(name='github')
-  LoginService.create(name='quayrobot')
-  LoginService.create(name='ldap')
-  LoginService.create(name='jwtauthn')
-  LoginService.create(name='keystone')
-  LoginService.create(name='dex')
-  LoginService.create(name='oidc')
+    LoginService.create(name="google")
+    LoginService.create(name="github")
+    LoginService.create(name="quayrobot")
+    LoginService.create(name="ldap")
+    LoginService.create(name="jwtauthn")
+    LoginService.create(name="keystone")
+    LoginService.create(name="dex")
+    LoginService.create(name="oidc")
 
-  BuildTriggerService.create(name='github')
-  BuildTriggerService.create(name='custom-git')
-  BuildTriggerService.create(name='bitbucket')
-  BuildTriggerService.create(name='gitlab')
+    BuildTriggerService.create(name="github")
+    BuildTriggerService.create(name="custom-git")
+    BuildTriggerService.create(name="bitbucket")
+    BuildTriggerService.create(name="gitlab")
 
-  AccessTokenKind.create(name='build-worker')
-  AccessTokenKind.create(name='pushpull-token')
+    AccessTokenKind.create(name="build-worker")
+    AccessTokenKind.create(name="pushpull-token")
 
-  LogEntryKind.create(name='account_change_plan')
-  LogEntryKind.create(name='account_change_cc')
-  LogEntryKind.create(name='account_change_password')
-  LogEntryKind.create(name='account_convert')
+    LogEntryKind.create(name="account_change_plan")
+    LogEntryKind.create(name="account_change_cc")
+    LogEntryKind.create(name="account_change_password")
+    LogEntryKind.create(name="account_convert")
 
-  LogEntryKind.create(name='create_robot')
-  LogEntryKind.create(name='delete_robot')
+    LogEntryKind.create(name="create_robot")
+    LogEntryKind.create(name="delete_robot")
 
-  LogEntryKind.create(name='create_repo')
-  LogEntryKind.create(name='push_repo')
-  LogEntryKind.create(name='pull_repo')
-  LogEntryKind.create(name='delete_repo')
-  LogEntryKind.create(name='create_tag')
-  LogEntryKind.create(name='move_tag')
-  LogEntryKind.create(name='delete_tag')
-  LogEntryKind.create(name='revert_tag')
-  LogEntryKind.create(name='add_repo_permission')
-  LogEntryKind.create(name='change_repo_permission')
-  LogEntryKind.create(name='delete_repo_permission')
-  LogEntryKind.create(name='change_repo_visibility')
-  LogEntryKind.create(name='change_repo_trust')
-  LogEntryKind.create(name='add_repo_accesstoken')
-  LogEntryKind.create(name='delete_repo_accesstoken')
-  LogEntryKind.create(name='set_repo_description')
-  LogEntryKind.create(name='change_repo_state')
+    LogEntryKind.create(name="create_repo")
+    LogEntryKind.create(name="push_repo")
+    LogEntryKind.create(name="pull_repo")
+    LogEntryKind.create(name="delete_repo")
+    LogEntryKind.create(name="create_tag")
+    LogEntryKind.create(name="move_tag")
+    LogEntryKind.create(name="delete_tag")
+    LogEntryKind.create(name="revert_tag")
+    LogEntryKind.create(name="add_repo_permission")
+    LogEntryKind.create(name="change_repo_permission")
+    LogEntryKind.create(name="delete_repo_permission")
+    LogEntryKind.create(name="change_repo_visibility")
+    LogEntryKind.create(name="change_repo_trust")
+    LogEntryKind.create(name="add_repo_accesstoken")
+    LogEntryKind.create(name="delete_repo_accesstoken")
+    LogEntryKind.create(name="set_repo_description")
+    LogEntryKind.create(name="change_repo_state")
 
-  LogEntryKind.create(name='build_dockerfile')
+    LogEntryKind.create(name="build_dockerfile")
 
-  LogEntryKind.create(name='org_create_team')
-  LogEntryKind.create(name='org_delete_team')
-  LogEntryKind.create(name='org_invite_team_member')
-  LogEntryKind.create(name='org_delete_team_member_invite')
-  LogEntryKind.create(name='org_add_team_member')
-  LogEntryKind.create(name='org_team_member_invite_accepted')
-  LogEntryKind.create(name='org_team_member_invite_declined')
-  LogEntryKind.create(name='org_remove_team_member')
-  LogEntryKind.create(name='org_set_team_description')
-  LogEntryKind.create(name='org_set_team_role')
+    LogEntryKind.create(name="org_create_team")
+    LogEntryKind.create(name="org_delete_team")
+    LogEntryKind.create(name="org_invite_team_member")
+    LogEntryKind.create(name="org_delete_team_member_invite")
+    LogEntryKind.create(name="org_add_team_member")
+    LogEntryKind.create(name="org_team_member_invite_accepted")
+    LogEntryKind.create(name="org_team_member_invite_declined")
+    LogEntryKind.create(name="org_remove_team_member")
+    LogEntryKind.create(name="org_set_team_description")
+    LogEntryKind.create(name="org_set_team_role")
 
-  LogEntryKind.create(name='create_prototype_permission')
-  LogEntryKind.create(name='modify_prototype_permission')
-  LogEntryKind.create(name='delete_prototype_permission')
+    LogEntryKind.create(name="create_prototype_permission")
+    LogEntryKind.create(name="modify_prototype_permission")
+    LogEntryKind.create(name="delete_prototype_permission")
 
-  LogEntryKind.create(name='setup_repo_trigger')
-  LogEntryKind.create(name='delete_repo_trigger')
+    LogEntryKind.create(name="setup_repo_trigger")
+    LogEntryKind.create(name="delete_repo_trigger")
 
-  LogEntryKind.create(name='create_application')
-  LogEntryKind.create(name='update_application')
-  LogEntryKind.create(name='delete_application')
-  LogEntryKind.create(name='reset_application_client_secret')
+    LogEntryKind.create(name="create_application")
+    LogEntryKind.create(name="update_application")
+    LogEntryKind.create(name="delete_application")
+    LogEntryKind.create(name="reset_application_client_secret")
 
-  # Note: These next two are deprecated.
-  LogEntryKind.create(name='add_repo_webhook')
-  LogEntryKind.create(name='delete_repo_webhook')
+    # Note: These next two are deprecated.
+    LogEntryKind.create(name="add_repo_webhook")
+    LogEntryKind.create(name="delete_repo_webhook")
 
-  LogEntryKind.create(name='add_repo_notification')
-  LogEntryKind.create(name='delete_repo_notification')
-  LogEntryKind.create(name='reset_repo_notification')
+    LogEntryKind.create(name="add_repo_notification")
+    LogEntryKind.create(name="delete_repo_notification")
+    LogEntryKind.create(name="reset_repo_notification")
 
-  LogEntryKind.create(name='regenerate_robot_token')
+    LogEntryKind.create(name="regenerate_robot_token")
 
-  LogEntryKind.create(name='repo_verb')
+    LogEntryKind.create(name="repo_verb")
 
-  LogEntryKind.create(name='repo_mirror_enabled')
-  LogEntryKind.create(name='repo_mirror_disabled')
-  LogEntryKind.create(name='repo_mirror_config_changed')
-  LogEntryKind.create(name='repo_mirror_sync_started')
-  LogEntryKind.create(name='repo_mirror_sync_failed')
-  LogEntryKind.create(name='repo_mirror_sync_success')
-  LogEntryKind.create(name='repo_mirror_sync_now_requested')
-  LogEntryKind.create(name='repo_mirror_sync_tag_success')
-  LogEntryKind.create(name='repo_mirror_sync_tag_failed')
-  LogEntryKind.create(name='repo_mirror_sync_test_success')
-  LogEntryKind.create(name='repo_mirror_sync_test_failed')
-  LogEntryKind.create(name='repo_mirror_sync_test_started')
+    LogEntryKind.create(name="repo_mirror_enabled")
+    LogEntryKind.create(name="repo_mirror_disabled")
+    LogEntryKind.create(name="repo_mirror_config_changed")
+    LogEntryKind.create(name="repo_mirror_sync_started")
+    LogEntryKind.create(name="repo_mirror_sync_failed")
+    LogEntryKind.create(name="repo_mirror_sync_success")
+    LogEntryKind.create(name="repo_mirror_sync_now_requested")
+    LogEntryKind.create(name="repo_mirror_sync_tag_success")
+    LogEntryKind.create(name="repo_mirror_sync_tag_failed")
+    LogEntryKind.create(name="repo_mirror_sync_test_success")
+    LogEntryKind.create(name="repo_mirror_sync_test_failed")
+    LogEntryKind.create(name="repo_mirror_sync_test_started")
 
-  LogEntryKind.create(name='service_key_create')
-  LogEntryKind.create(name='service_key_approve')
-  LogEntryKind.create(name='service_key_delete')
-  LogEntryKind.create(name='service_key_modify')
-  LogEntryKind.create(name='service_key_extend')
-  LogEntryKind.create(name='service_key_rotate')
+    LogEntryKind.create(name="service_key_create")
+    LogEntryKind.create(name="service_key_approve")
+    LogEntryKind.create(name="service_key_delete")
+    LogEntryKind.create(name="service_key_modify")
+    LogEntryKind.create(name="service_key_extend")
+    LogEntryKind.create(name="service_key_rotate")
 
-  LogEntryKind.create(name='take_ownership')
+    LogEntryKind.create(name="take_ownership")
 
-  LogEntryKind.create(name='manifest_label_add')
-  LogEntryKind.create(name='manifest_label_delete')
+    LogEntryKind.create(name="manifest_label_add")
+    LogEntryKind.create(name="manifest_label_delete")
 
-  LogEntryKind.create(name='change_tag_expiration')
-  LogEntryKind.create(name='toggle_repo_trigger')
+    LogEntryKind.create(name="change_tag_expiration")
+    LogEntryKind.create(name="toggle_repo_trigger")
 
-  LogEntryKind.create(name='create_app_specific_token')
-  LogEntryKind.create(name='revoke_app_specific_token')
+    LogEntryKind.create(name="create_app_specific_token")
+    LogEntryKind.create(name="revoke_app_specific_token")
 
-  ImageStorageLocation.create(name='local_eu')
-  ImageStorageLocation.create(name='local_us')
+    ImageStorageLocation.create(name="local_eu")
+    ImageStorageLocation.create(name="local_us")
 
-  ApprBlobPlacementLocation.create(name='local_eu')
-  ApprBlobPlacementLocation.create(name='local_us')
+    ApprBlobPlacementLocation.create(name="local_eu")
+    ApprBlobPlacementLocation.create(name="local_us")
 
-  ImageStorageTransformation.create(name='squash')
-  ImageStorageTransformation.create(name='aci')
+    ImageStorageTransformation.create(name="squash")
+    ImageStorageTransformation.create(name="aci")
 
-  ImageStorageSignatureKind.create(name='gpg2')
+    ImageStorageSignatureKind.create(name="gpg2")
 
-  # NOTE: These MUST be copied over to NotificationKind, since every external
-  # notification can also generate a Quay.io notification.
-  ExternalNotificationEvent.create(name='repo_push')
-  ExternalNotificationEvent.create(name='build_queued')
-  ExternalNotificationEvent.create(name='build_start')
-  ExternalNotificationEvent.create(name='build_success')
-  ExternalNotificationEvent.create(name='build_cancelled')
-  ExternalNotificationEvent.create(name='build_failure')
-  ExternalNotificationEvent.create(name='vulnerability_found')
+    # NOTE: These MUST be copied over to NotificationKind, since every external
+    # notification can also generate a Quay.io notification.
+    ExternalNotificationEvent.create(name="repo_push")
+    ExternalNotificationEvent.create(name="build_queued")
+    ExternalNotificationEvent.create(name="build_start")
+    ExternalNotificationEvent.create(name="build_success")
+    ExternalNotificationEvent.create(name="build_cancelled")
+    ExternalNotificationEvent.create(name="build_failure")
+    ExternalNotificationEvent.create(name="vulnerability_found")
 
-  ExternalNotificationEvent.create(name='repo_mirror_sync_started')
-  ExternalNotificationEvent.create(name='repo_mirror_sync_success')
-  ExternalNotificationEvent.create(name='repo_mirror_sync_failed')
+    ExternalNotificationEvent.create(name="repo_mirror_sync_started")
+    ExternalNotificationEvent.create(name="repo_mirror_sync_success")
+    ExternalNotificationEvent.create(name="repo_mirror_sync_failed")
 
-  ExternalNotificationMethod.create(name='quay_notification')
-  ExternalNotificationMethod.create(name='email')
-  ExternalNotificationMethod.create(name='webhook')
+    ExternalNotificationMethod.create(name="quay_notification")
+    ExternalNotificationMethod.create(name="email")
+    ExternalNotificationMethod.create(name="webhook")
 
-  ExternalNotificationMethod.create(name='flowdock')
-  ExternalNotificationMethod.create(name='hipchat')
-  ExternalNotificationMethod.create(name='slack')
+    ExternalNotificationMethod.create(name="flowdock")
+    ExternalNotificationMethod.create(name="hipchat")
+    ExternalNotificationMethod.create(name="slack")
 
-  NotificationKind.create(name='repo_push')
-  NotificationKind.create(name='build_queued')
-  NotificationKind.create(name='build_start')
-  NotificationKind.create(name='build_success')
-  NotificationKind.create(name='build_cancelled')
-  NotificationKind.create(name='build_failure')
-  NotificationKind.create(name='vulnerability_found')
-  NotificationKind.create(name='service_key_submitted')
+    NotificationKind.create(name="repo_push")
+    NotificationKind.create(name="build_queued")
+    NotificationKind.create(name="build_start")
+    NotificationKind.create(name="build_success")
+    NotificationKind.create(name="build_cancelled")
+    NotificationKind.create(name="build_failure")
+    NotificationKind.create(name="vulnerability_found")
+    NotificationKind.create(name="service_key_submitted")
 
-  NotificationKind.create(name='password_required')
-  NotificationKind.create(name='over_private_usage')
-  NotificationKind.create(name='expiring_license')
-  NotificationKind.create(name='maintenance')
-  NotificationKind.create(name='org_team_invite')
+    NotificationKind.create(name="password_required")
+    NotificationKind.create(name="over_private_usage")
+    NotificationKind.create(name="expiring_license")
+    NotificationKind.create(name="maintenance")
+    NotificationKind.create(name="org_team_invite")
 
-  NotificationKind.create(name='repo_mirror_sync_started')
-  NotificationKind.create(name='repo_mirror_sync_success')
-  NotificationKind.create(name='repo_mirror_sync_failed')
+    NotificationKind.create(name="repo_mirror_sync_started")
+    NotificationKind.create(name="repo_mirror_sync_success")
+    NotificationKind.create(name="repo_mirror_sync_failed")
 
-  NotificationKind.create(name='test_notification')
+    NotificationKind.create(name="test_notification")
 
-  QuayRegion.create(name='us')
-  QuayService.create(name='quay')
+    QuayRegion.create(name="us")
+    QuayService.create(name="quay")
 
-  MediaType.create(name='text/plain')
-  MediaType.create(name='application/json')
-  MediaType.create(name='text/markdown')
-  MediaType.create(name='application/vnd.cnr.blob.v0.tar+gzip')
-  MediaType.create(name='application/vnd.cnr.package-manifest.helm.v0.json')
-  MediaType.create(name='application/vnd.cnr.package-manifest.kpm.v0.json')
-  MediaType.create(name='application/vnd.cnr.package-manifest.docker-compose.v0.json')
-  MediaType.create(name='application/vnd.cnr.package.kpm.v0.tar+gzip')
-  MediaType.create(name='application/vnd.cnr.package.helm.v0.tar+gzip')
-  MediaType.create(name='application/vnd.cnr.package.docker-compose.v0.tar+gzip')
-  MediaType.create(name='application/vnd.cnr.manifests.v0.json')
-  MediaType.create(name='application/vnd.cnr.manifest.list.v0.json')
+    MediaType.create(name="text/plain")
+    MediaType.create(name="application/json")
+    MediaType.create(name="text/markdown")
+    MediaType.create(name="application/vnd.cnr.blob.v0.tar+gzip")
+    MediaType.create(name="application/vnd.cnr.package-manifest.helm.v0.json")
+    MediaType.create(name="application/vnd.cnr.package-manifest.kpm.v0.json")
+    MediaType.create(name="application/vnd.cnr.package-manifest.docker-compose.v0.json")
+    MediaType.create(name="application/vnd.cnr.package.kpm.v0.tar+gzip")
+    MediaType.create(name="application/vnd.cnr.package.helm.v0.tar+gzip")
+    MediaType.create(name="application/vnd.cnr.package.docker-compose.v0.tar+gzip")
+    MediaType.create(name="application/vnd.cnr.manifests.v0.json")
+    MediaType.create(name="application/vnd.cnr.manifest.list.v0.json")
 
-  for media_type in DOCKER_SCHEMA1_CONTENT_TYPES:
-    MediaType.create(name=media_type)
+    for media_type in DOCKER_SCHEMA1_CONTENT_TYPES:
+        MediaType.create(name=media_type)
 
-  for media_type in DOCKER_SCHEMA2_CONTENT_TYPES:
-    MediaType.create(name=media_type)
+    for media_type in DOCKER_SCHEMA2_CONTENT_TYPES:
+        MediaType.create(name=media_type)
 
-  LabelSourceType.create(name='manifest')
-  LabelSourceType.create(name='api', mutable=True)
-  LabelSourceType.create(name='internal')
+    LabelSourceType.create(name="manifest")
+    LabelSourceType.create(name="api", mutable=True)
+    LabelSourceType.create(name="internal")
 
-  UserPromptKind.create(name='confirm_username')
-  UserPromptKind.create(name='enter_name')
-  UserPromptKind.create(name='enter_company')
+    UserPromptKind.create(name="confirm_username")
+    UserPromptKind.create(name="enter_name")
+    UserPromptKind.create(name="enter_company")
 
-  RepositoryKind.create(name='image')
-  RepositoryKind.create(name='application')
+    RepositoryKind.create(name="image")
+    RepositoryKind.create(name="application")
 
-  ApprTagKind.create(name='tag')
-  ApprTagKind.create(name='release')
-  ApprTagKind.create(name='channel')
+    ApprTagKind.create(name="tag")
+    ApprTagKind.create(name="release")
+    ApprTagKind.create(name="channel")
 
-  DisableReason.create(name='user_toggled')
-  DisableReason.create(name='successive_build_failures')
-  DisableReason.create(name='successive_build_internal_errors')
+    DisableReason.create(name="user_toggled")
+    DisableReason.create(name="successive_build_failures")
+    DisableReason.create(name="successive_build_internal_errors")
 
-  TagKind.create(name='tag')
+    TagKind.create(name="tag")
 
 
 def wipe_database():
-  logger.debug('Wiping all data from the DB.')
+    logger.debug("Wiping all data from the DB.")
 
-  # Sanity check to make sure we're not killing our prod db
-  if not IS_TESTING_REAL_DATABASE and not isinstance(db.obj, SqliteDatabase):
-    raise RuntimeError('Attempted to wipe production database!')
+    # Sanity check to make sure we're not killing our prod db
+    if not IS_TESTING_REAL_DATABASE and not isinstance(db.obj, SqliteDatabase):
+        raise RuntimeError("Attempted to wipe production database!")
 
-  db.drop_tables(all_models)
+    db.drop_tables(all_models)
 
 
 def populate_database(minimal=False, with_storage=False):
-  logger.debug('Populating the DB with test data.')
+    logger.debug("Populating the DB with test data.")
 
-  # Check if the data already exists. If so, we skip. This can happen between calls from the
-  # "old style" tests and the new py.test's.
-  try:
-    User.get(username='devtable')
-    logger.debug('DB already populated')
-    return
-  except User.DoesNotExist:
-    pass
+    # Check if the data already exists. If so, we skip. This can happen between calls from the
+    # "old style" tests and the new py.test's.
+    try:
+        User.get(username="devtable")
+        logger.debug("DB already populated")
+        return
+    except User.DoesNotExist:
+        pass
 
-  # Note: databases set up with "real" schema (via Alembic) will not have these types
-  # type, so we it here it necessary.
-  try:
-    ImageStorageLocation.get(name='local_eu')
-    ImageStorageLocation.get(name='local_us')
-  except ImageStorageLocation.DoesNotExist:
-    ImageStorageLocation.create(name='local_eu')
-    ImageStorageLocation.create(name='local_us')
+    # Note: databases set up with "real" schema (via Alembic) will not have these types
+    # type, so we it here it necessary.
+    try:
+        ImageStorageLocation.get(name="local_eu")
+        ImageStorageLocation.get(name="local_us")
+    except ImageStorageLocation.DoesNotExist:
+        ImageStorageLocation.create(name="local_eu")
+        ImageStorageLocation.create(name="local_us")
 
-  try:
-    NotificationKind.get(name='test_notification')
-  except NotificationKind.DoesNotExist:
-    NotificationKind.create(name='test_notification')
+    try:
+        NotificationKind.get(name="test_notification")
+    except NotificationKind.DoesNotExist:
+        NotificationKind.create(name="test_notification")
 
-  new_user_1 = model.user.create_user('devtable', 'password', 'jschorr@devtable.com')
-  new_user_1.verified = True
-  new_user_1.stripe_id = TEST_STRIPE_ID
-  new_user_1.save()
+    new_user_1 = model.user.create_user("devtable", "password", "jschorr@devtable.com")
+    new_user_1.verified = True
+    new_user_1.stripe_id = TEST_STRIPE_ID
+    new_user_1.save()
 
-  if minimal:
-    logger.debug('Skipping most db population because user requested mininal db')
-    return
+    if minimal:
+        logger.debug("Skipping most db population because user requested mininal db")
+        return
 
-  UserRegion.create(user=new_user_1, location=ImageStorageLocation.get(name='local_us'))
-  model.release.set_region_release('quay', 'us', 'v0.1.2')
+    UserRegion.create(
+        user=new_user_1, location=ImageStorageLocation.get(name="local_us")
+    )
+    model.release.set_region_release("quay", "us", "v0.1.2")
 
-  model.user.create_confirm_email_code(new_user_1, new_email='typo@devtable.com')
+    model.user.create_confirm_email_code(new_user_1, new_email="typo@devtable.com")
 
-  disabled_user = model.user.create_user('disabled', 'password', 'jschorr+disabled@devtable.com')
-  disabled_user.verified = True
-  disabled_user.enabled = False
-  disabled_user.save()
+    disabled_user = model.user.create_user(
+        "disabled", "password", "jschorr+disabled@devtable.com"
+    )
+    disabled_user.verified = True
+    disabled_user.enabled = False
+    disabled_user.save()
 
-  dtrobot = model.user.create_robot('dtrobot', new_user_1)
-  dtrobot2 = model.user.create_robot('dtrobot2', new_user_1)  
+    dtrobot = model.user.create_robot("dtrobot", new_user_1)
+    dtrobot2 = model.user.create_robot("dtrobot2", new_user_1)
 
-  new_user_2 = model.user.create_user('public', 'password', 'jacob.moshenko@gmail.com')
-  new_user_2.verified = True
-  new_user_2.save()
+    new_user_2 = model.user.create_user(
+        "public", "password", "jacob.moshenko@gmail.com"
+    )
+    new_user_2.verified = True
+    new_user_2.save()
 
-  new_user_3 = model.user.create_user('freshuser', 'password', 'jschorr+test@devtable.com')
-  new_user_3.verified = True
-  new_user_3.save()
+    new_user_3 = model.user.create_user(
+        "freshuser", "password", "jschorr+test@devtable.com"
+    )
+    new_user_3.verified = True
+    new_user_3.save()
 
-  another_robot = model.user.create_robot('anotherrobot', new_user_3)
+    another_robot = model.user.create_robot("anotherrobot", new_user_3)
 
-  new_user_4 = model.user.create_user('randomuser', 'password', 'no4@thanks.com')
-  new_user_4.verified = True
-  new_user_4.save()
+    new_user_4 = model.user.create_user("randomuser", "password", "no4@thanks.com")
+    new_user_4.verified = True
+    new_user_4.save()
 
-  new_user_5 = model.user.create_user('unverified', 'password', 'no5@thanks.com')
-  new_user_5.save()
+    new_user_5 = model.user.create_user("unverified", "password", "no5@thanks.com")
+    new_user_5.save()
 
-  reader = model.user.create_user('reader', 'password', 'no1@thanks.com')
-  reader.verified = True
-  reader.save()
+    reader = model.user.create_user("reader", "password", "no1@thanks.com")
+    reader.verified = True
+    reader.save()
 
-  creatoruser = model.user.create_user('creator', 'password', 'noc@thanks.com')
-  creatoruser.verified = True
-  creatoruser.save()
+    creatoruser = model.user.create_user("creator", "password", "noc@thanks.com")
+    creatoruser.verified = True
+    creatoruser.save()
 
-  outside_org = model.user.create_user('outsideorg', 'password', 'no2@thanks.com')
-  outside_org.verified = True
-  outside_org.save()
+    outside_org = model.user.create_user("outsideorg", "password", "no2@thanks.com")
+    outside_org.verified = True
+    outside_org.save()
 
-  model.notification.create_notification('test_notification', new_user_1,
-                                         metadata={'some':'value',
-                                                   'arr':[1, 2, 3],
-                                                   'obj':{'a':1, 'b':2}})
+    model.notification.create_notification(
+        "test_notification",
+        new_user_1,
+        metadata={"some": "value", "arr": [1, 2, 3], "obj": {"a": 1, "b": 2}},
+    )
 
-  from_date = datetime.utcnow()
-  to_date = from_date + timedelta(hours=1)
-  notification_metadata = {
-    'from_date': formatdate(calendar.timegm(from_date.utctimetuple())),
-    'to_date': formatdate(calendar.timegm(to_date.utctimetuple())),
-    'reason': 'database migration'
-  }
-  model.notification.create_notification('maintenance', new_user_1,
-                                         metadata=notification_metadata)
-
-
-  __generate_repository(with_storage, new_user_4, 'randomrepo', 'Random repo repository.', False,
-                        [], (4, [], ['latest', 'prod']))
-
-  simple_repo = __generate_repository(with_storage, new_user_1, 'simple', 'Simple repository.', False,
-                                      [], (4, [], ['latest', 'prod']))
-
-  # Add some labels to the latest tag's manifest.
-  tag_manifest = model.tag.load_tag_manifest(new_user_1.username, 'simple', 'latest')
-  first_label = model.label.create_manifest_label(tag_manifest, 'foo', 'bar', 'manifest')
-  model.label.create_manifest_label(tag_manifest, 'foo', 'baz', 'api')
-  model.label.create_manifest_label(tag_manifest, 'anotherlabel', '1234', 'internal')
-  model.label.create_manifest_label(tag_manifest, 'jsonlabel', '{"hey": "there"}', 'internal')
-
-  label_metadata = {
-    'key': 'foo',
-    'value': 'bar',
-    'id': first_label.id,
-    'manifest_digest': tag_manifest.digest
-  }
-
-  logs_model.log_action('manifest_label_add', new_user_1.username, performer=new_user_1,
-                        timestamp=datetime.now(), metadata=label_metadata,
-                        repository=tag_manifest.tag.repository)
-
-  model.blob.initiate_upload(new_user_1.username, simple_repo.name, str(uuid4()), 'local_us', {})
-  model.notification.create_repo_notification(simple_repo, 'repo_push', 'quay_notification', {}, {})
-
-  __generate_repository(with_storage, new_user_1, 'sharedtags',
-                        'Shared tags repository',
-                        False, [(new_user_2, 'read'), (dtrobot[0], 'read')],
-                        (2, [(3, [], ['v2.0', 'v2.1', 'v2.2']),
-                             (1, [(1, [(1, [], ['prod', '581a284'])],
-                                   ['staging', '8423b58']),
-                                  (1, [], None)], None)], None))
-
-  __generate_repository(with_storage, new_user_1, 'history', 'Historical repository.', False,
-                        [], (4, [(2, [], '#latest'), (3, [], 'latest')], None))
-
-  __generate_repository(with_storage, new_user_1, 'complex',
-                        'Complex repository with many branches and tags.',
-                        False, [(new_user_2, 'read'), (dtrobot[0], 'read')],
-                        (2, [(3, [], 'v2.0'),
-                             (1, [(1, [(2, [], ['prod'])],
-                                   'staging'),
-                                  (1, [], None)], None)], None))
-
-  __generate_repository(with_storage, new_user_1, 'gargantuan', None, False, [],
-                        (2, [(3, [], 'v2.0'),
-                             (1, [(1, [(1, [], ['latest', 'prod'])],
-                                   'staging'),
-                                  (1, [], None)], None),
-                             (20, [], 'v3.0'),
-                             (5, [], 'v4.0'),
-                             (1, [(1, [], 'v5.0'), (1, [], 'v6.0')], None)],
-                         None))
-
-  trusted_repo = __generate_repository(with_storage, new_user_1, 'trusted', 'Trusted repository.',
-                                       False, [], (4, [], ['latest', 'prod']))
-  trusted_repo.trust_enabled = True
-  trusted_repo.save()
-
-  publicrepo = __generate_repository(with_storage, new_user_2, 'publicrepo',
-                                     'Public repository pullable by the world.', True,
-                                     [], (10, [], 'latest'))
-
-  __generate_repository(with_storage, outside_org, 'coolrepo',
-                        'Some cool repo.', False,
-                        [],
-                        (5, [], 'latest'))
-
-  __generate_repository(with_storage, new_user_1, 'shared',
-                        'Shared repository, another user can write.', False,
-                        [(new_user_2, 'write'), (reader, 'read')],
-                        (5, [], 'latest'))
-
-  __generate_repository(with_storage, new_user_1, 'text-full-repo',
-                        'This is a repository for testing text search', False,
-                        [(new_user_2, 'write'), (reader, 'read')],
-                        (5, [], 'latest'))
-
-  building = __generate_repository(with_storage, new_user_1, 'building',
-                                   'Empty repository which is building.',
-                                   False, [(new_user_2, 'write'), (reader, 'read')], (0, [], None))
-
-  new_token = model.token.create_access_token(building, 'write', 'build-worker')
-
-  trigger = model.build.create_build_trigger(building, 'github', '123authtoken', new_user_1,
-                                             pull_robot=dtrobot[0])
-  trigger.config = json.dumps({
-    'build_source': 'jakedt/testconnect',
-    'subdir': '',
-    'dockerfile_path': 'Dockerfile',
-    'context': '/',
-  })
-  trigger.save()
-
-  repo = 'ci.devtable.com:5000/%s/%s' % (building.namespace_user.username, building.name)
-  job_config = {
-    'repository': repo,
-    'docker_tags': ['latest'],
-    'build_subdir': '',
-    'trigger_metadata': {
-      'commit': '3482adc5822c498e8f7db2e361e8d57b3d77ddd9',
-      'ref': 'refs/heads/master',
-      'default_branch': 'master'
+    from_date = datetime.utcnow()
+    to_date = from_date + timedelta(hours=1)
+    notification_metadata = {
+        "from_date": formatdate(calendar.timegm(from_date.utctimetuple())),
+        "to_date": formatdate(calendar.timegm(to_date.utctimetuple())),
+        "reason": "database migration",
     }
-  }
-
-  model.repository.star_repository(new_user_1, simple_repo)
-
-  record = model.repository.create_email_authorization_for_repo(new_user_1.username, 'simple',
-                                                                'jschorr@devtable.com')
-  record.confirmed = True
-  record.save()
-
-  model.repository.create_email_authorization_for_repo(new_user_1.username, 'simple',
-                                                       'jschorr+other@devtable.com')
-
-  build2 = model.build.create_repository_build(building, new_token, job_config,
-                                               '68daeebd-a5b9-457f-80a0-4363b882f8ea',
-                                               'build-name', trigger)
-  build2.uuid = 'deadpork-dead-pork-dead-porkdeadpork'
-  build2.save()
-
-  build3 = model.build.create_repository_build(building, new_token, job_config,
-                                               'f49d07f9-93da-474d-ad5f-c852107c3892',
-                                               'build-name', trigger)
-  build3.uuid = 'deadduck-dead-duck-dead-duckdeadduck'
-  build3.save()
-
-  build1 = model.build.create_repository_build(building, new_token, job_config,
-                                               '701dcc3724fb4f2ea6c31400528343cd', 'build-name',
-                                               trigger)
-  build1.uuid = 'deadbeef-dead-beef-dead-beefdeadbeef'
-  build1.save()
-
-  org = model.organization.create_organization('buynlarge', 'quay@devtable.com', new_user_1)
-  org.stripe_id = TEST_STRIPE_ID
-  org.save()
-
-  liborg = model.organization.create_organization('library', 'quay+library@devtable.com', new_user_1)
-  liborg.save()
-
-  titiorg = model.organization.create_organization('titi', 'quay+titi@devtable.com', new_user_1)
-  titiorg.save()
-
-  thirdorg = model.organization.create_organization('sellnsmall', 'quay+sell@devtable.com', new_user_1)
-  thirdorg.save()
-
-  model.user.create_robot('coolrobot', org)
-
-  oauth_app_1 = model.oauth.create_application(org, 'Some Test App', 'http://localhost:8000',
-                                               'http://localhost:8000/o2c.html',
-                                               client_id='deadbeef')
-
-  model.oauth.create_application(org, 'Some Other Test App', 'http://quay.io',
-                                 'http://localhost:8000/o2c.html', client_id='deadpork',
-                                 description='This is another test application')
-
-  model.oauth.create_access_token_for_testing(new_user_1, 'deadbeef', 'repo:admin',
-                                              access_token='%s%s' % ('b' * 40, 'c' * 40))
-
-  oauth_credential = Credential.from_string('dswfhasdf1')
-  OAuthAuthorizationCode.create(application=oauth_app_1, code='Z932odswfhasdf1',
-                                scope='repo:admin', data='{"somejson": "goeshere"}',
-                                code_name='Z932odswfhasdf1Z932o', code_credential=oauth_credential)
-
-  model.user.create_robot('neworgrobot', org)
-
-  ownerbot = model.user.create_robot('ownerbot', org)[0]
-  creatorbot = model.user.create_robot('creatorbot', org)[0]
-
-  owners = model.team.get_organization_team('buynlarge', 'owners')
-  owners.description = 'Owners have unfetterd access across the entire org.'
-  owners.save()
-
-  org_repo = __generate_repository(with_storage, org, 'orgrepo', 'Repository owned by an org.', False,
-                                   [(outside_org, 'read')], (4, [], ['latest', 'prod']))
-
-  __generate_repository(with_storage, org, 'anotherorgrepo', 'Another repository owned by an org.', False,
-                        [], (4, [], ['latest', 'prod']))
-
-  creators = model.team.create_team('creators', org, 'creator', 'Creators of orgrepo.')
-
-  reader_team = model.team.create_team('readers', org, 'member', 'Readers of orgrepo.')
-  model.team.add_or_invite_to_team(new_user_1, reader_team, outside_org)
-  model.permission.set_team_repo_permission(reader_team.name, org_repo.namespace_user.username,
-                                            org_repo.name, 'read')
-
-  model.team.add_user_to_team(new_user_2, reader_team)
-  model.team.add_user_to_team(reader, reader_team)
-  model.team.add_user_to_team(ownerbot, owners)
-  model.team.add_user_to_team(creatorbot, creators)
-  model.team.add_user_to_team(creatoruser, creators)
-
-  sell_owners = model.team.get_organization_team('sellnsmall', 'owners')
-  sell_owners.description = 'Owners have unfettered access across the entire org.'
-  sell_owners.save()
-
-  model.team.add_user_to_team(new_user_4, sell_owners)
-
-  sync_config = {'group_dn': 'cn=Test-Group,ou=Users', 'group_id': 'somegroupid'}
-  synced_team = model.team.create_team('synced', org, 'member', 'Some synced team.')
-  model.team.set_team_syncing(synced_team, 'ldap', sync_config)
-
-  another_synced_team = model.team.create_team('synced', thirdorg, 'member', 'Some synced team.')
-  model.team.set_team_syncing(another_synced_team, 'ldap', {'group_dn': 'cn=Test-Group,ou=Users'})
-
-  __generate_repository(with_storage, new_user_1, 'superwide', None, False, [],
-                        [(10, [], 'latest2'),
-                         (2, [], 'latest3'),
-                         (2, [(1, [], 'latest11'), (2, [], 'latest12')],
-                          'latest4'),
-                         (2, [], 'latest5'),
-                         (2, [], 'latest6'),
-                         (2, [], 'latest7'),
-                         (2, [], 'latest8'),
-                         (2, [], 'latest9'),
-                         (2, [], 'latest10'),
-                         (2, [], 'latest13'),
-                         (2, [], 'latest14'),
-                         (2, [], 'latest15'),
-                         (2, [], 'latest16'),
-                         (2, [], 'latest17'),
-                         (2, [], 'latest18')])
-
-
-  mirror_repo = __generate_repository(with_storage, new_user_1, 'mirrored', 'Mirrored repository.',
-                                      False, [(dtrobot[0], 'write'), (dtrobot2[0], 'write')],
-                                      (4, [], ['latest', 'prod']))
-  mirror_rule = model.repo_mirror.create_mirroring_rule(mirror_repo, ['latest', '3.3*'])
-  mirror_args = (mirror_repo, mirror_rule, dtrobot[0], 'quay.io/coreos/etcd', 60*60*24)
-  mirror_kwargs = {
-    'external_registry_username': 'fakeusername',
-    'external_registry_password': 'fakepassword',
-    'external_registry_config': {},
-    'is_enabled': True,
-    'sync_start_date': datetime.utcnow()
-  }
-  mirror = model.repo_mirror.enable_mirroring_for_repository(*mirror_args, **mirror_kwargs)
-
-
-  read_only_repo = __generate_repository(with_storage, new_user_1, 'readonly', 'Read-Only Repo.',
-                                      False, [], (4, [], ['latest', 'prod']))
-  read_only_repo.state = RepositoryState.READ_ONLY
-  read_only_repo.save()
-
-
-  model.permission.add_prototype_permission(org, 'read', activating_user=new_user_1,
-                                            delegate_user=new_user_2)
-  model.permission.add_prototype_permission(org, 'read', activating_user=new_user_1,
-                                            delegate_team=reader_team)
-  model.permission.add_prototype_permission(org, 'write', activating_user=new_user_2,
-                                            delegate_user=new_user_1)
-
-
-
-  today = datetime.today()
-  week_ago = today - timedelta(6)
-  six_ago = today - timedelta(5)
-  four_ago = today - timedelta(4)
-  yesterday = datetime.combine(date.today(), datetime.min.time()) - timedelta(hours=6)
-
-  __generate_service_key('kid1', 'somesamplekey', new_user_1, today,
-                         ServiceKeyApprovalType.SUPERUSER)
-  __generate_service_key('kid2', 'someexpiringkey', new_user_1, week_ago,
-                         ServiceKeyApprovalType.SUPERUSER, today + timedelta(days=14))
-
-  __generate_service_key('kid3', 'unapprovedkey', new_user_1, today, None)
-
-  __generate_service_key('kid4', 'autorotatingkey', new_user_1, six_ago,
-                         ServiceKeyApprovalType.KEY_ROTATION, today + timedelta(days=1),
-                         rotation_duration=timedelta(hours=12).total_seconds())
-
-  __generate_service_key('kid5', 'key for another service', new_user_1, today,
-                         ServiceKeyApprovalType.SUPERUSER, today + timedelta(days=14),
-                         service='different_sample_service')
-
-  __generate_service_key('kid6', 'someexpiredkey', new_user_1, week_ago,
-                         ServiceKeyApprovalType.SUPERUSER, today - timedelta(days=1))
-
-  __generate_service_key('kid7', 'somewayexpiredkey', new_user_1, week_ago,
-                         ServiceKeyApprovalType.SUPERUSER, today - timedelta(days=30))
-
-  # Add the test pull key as pre-approved for local and unittest registry testing.
-  # Note: this must match the private key found in the local/test config.
-  _TEST_JWK = {
-    'e': 'AQAB',
-    'kty': 'RSA',
-    'n': 'yqdQgnelhAPMSeyH0kr3UGePK9oFOmNfwD0Ymnh7YYXr21VHWwyM2eVW3cnLd9KXywDFtGSe9oFDbnOuMCdUowdkBcaHju-isbv5KEbNSoy_T2Rip-6L0cY63YzcMJzv1nEYztYXS8wz76pSK81BKBCLapqOCmcPeCvV9yaoFZYvZEsXCl5jjXN3iujSzSF5Z6PpNFlJWTErMT2Z4QfbDKX2Nw6vJN6JnGpTNHZvgvcyNX8vkSgVpQ8DFnFkBEx54PvRV5KpHAq6AsJxKONMo11idQS2PfCNpa2hvz9O6UZe-eIX8jPo5NW8TuGZJumbdPT_nxTDLfCqfiZboeI0Pw'
-  }
-
-  key = model.service_keys.create_service_key('test_service_key', 'test_service_key', 'quay',
-                                              _TEST_JWK, {}, None)
-
-  model.service_keys.approve_service_key(key.kid, ServiceKeyApprovalType.SUPERUSER,
-                                         notes='Test service key for local/test registry testing')
-
-  # Add an app specific token.
-  token = model.appspecifictoken.create_token(new_user_1, 'some app')
-  token.token_name = 'a' * 60
-  token.token_secret = 'b' * 60
-  token.save()
-
-  logs_model.log_action('org_create_team', org.username, performer=new_user_1,
-                        timestamp=week_ago, metadata={'team': 'readers'})
-
-  logs_model.log_action('org_set_team_role', org.username, performer=new_user_1,
-                        timestamp=week_ago,
-                        metadata={'team': 'readers', 'role': 'read'})
-
-  logs_model.log_action('create_repo', org.username, performer=new_user_1,
-                        repository=org_repo, timestamp=week_ago,
-                        metadata={'namespace': org.username, 'repo': 'orgrepo'})
-
-  logs_model.log_action('change_repo_permission', org.username,
-                        performer=new_user_2, repository=org_repo,
-                        timestamp=six_ago,
-                        metadata={'username': new_user_1.username,
-                                  'repo': 'orgrepo', 'role': 'admin'})
-
-  logs_model.log_action('change_repo_permission', org.username,
-                        performer=new_user_1, repository=org_repo,
-                        timestamp=six_ago,
-                        metadata={'username': new_user_2.username,
-                                  'repo': 'orgrepo', 'role': 'read'})
-
-  logs_model.log_action('add_repo_accesstoken', org.username, performer=new_user_1,
-                        repository=org_repo, timestamp=four_ago,
-                        metadata={'repo': 'orgrepo', 'token': 'deploytoken'})
-
-  logs_model.log_action('push_repo', org.username, performer=new_user_2,
-                        repository=org_repo, timestamp=today,
-                        metadata={'username': new_user_2.username,
-                                  'repo': 'orgrepo'})
-
-  logs_model.log_action('pull_repo', org.username, performer=new_user_2,
-                        repository=org_repo, timestamp=today,
-                        metadata={'username': new_user_2.username,
-                                  'repo': 'orgrepo'})
-
-  logs_model.log_action('pull_repo', org.username, repository=org_repo,
-                        timestamp=today,
-                        metadata={'token': 'sometoken', 'token_code': 'somecode',
-                                  'repo': 'orgrepo'})
-
-  logs_model.log_action('delete_tag', org.username, performer=new_user_2,
-                        repository=org_repo, timestamp=today,
-                        metadata={'username': new_user_2.username,
-                                  'repo': 'orgrepo', 'tag': 'sometag'})
-
-  logs_model.log_action('pull_repo', org.username, repository=org_repo,
-                        timestamp=today,
-                        metadata={'token_code': 'somecode', 'repo': 'orgrepo'})
-
-  logs_model.log_action('pull_repo', new_user_2.username, repository=publicrepo,
-                        timestamp=yesterday,
-                        metadata={'token_code': 'somecode', 'repo': 'publicrepo'})
-
-  logs_model.log_action('build_dockerfile', new_user_1.username, repository=building,
-                        timestamp=today,
-                        metadata={'repo': 'building', 'namespace': new_user_1.username,
-                                  'trigger_id': trigger.uuid, 'config': json.loads(trigger.config),
-                                  'service': trigger.service.name})
-
-  model.message.create([{'content': 'We love you, Quay customers!', 'severity': 'info',
-                         'media_type': 'text/plain'}])
-
-  model.message.create([{'content': 'This is a **development** install of Quay',
-                         'severity': 'warning', 'media_type': 'text/markdown'}])
-
-  fake_queue = WorkQueue('fakequeue', tf)
-  fake_queue.put(['canonical', 'job', 'name'], '{}')
-
-  model.user.create_user_prompt(new_user_4, 'confirm_username')
-
-  while True:
-    to_count = model.repositoryactioncount.find_uncounted_repository()
-    if not to_count:
-      break
-
-    model.repositoryactioncount.count_repository_actions(to_count)
-    model.repositoryactioncount.update_repository_score(to_count)
-
-
-WHITELISTED_EMPTY_MODELS = ['DeletedNamespace', 'LogEntry', 'LogEntry2', 'ManifestChild',
-                            'NamespaceGeoRestriction', 'RepoMirrorConfig', 'RepoMirrorRule']
+    model.notification.create_notification(
+        "maintenance", new_user_1, metadata=notification_metadata
+    )
+
+    __generate_repository(
+        with_storage,
+        new_user_4,
+        "randomrepo",
+        "Random repo repository.",
+        False,
+        [],
+        (4, [], ["latest", "prod"]),
+    )
+
+    simple_repo = __generate_repository(
+        with_storage,
+        new_user_1,
+        "simple",
+        "Simple repository.",
+        False,
+        [],
+        (4, [], ["latest", "prod"]),
+    )
+
+    # Add some labels to the latest tag's manifest.
+    tag_manifest = model.tag.load_tag_manifest(new_user_1.username, "simple", "latest")
+    first_label = model.label.create_manifest_label(
+        tag_manifest, "foo", "bar", "manifest"
+    )
+    model.label.create_manifest_label(tag_manifest, "foo", "baz", "api")
+    model.label.create_manifest_label(tag_manifest, "anotherlabel", "1234", "internal")
+    model.label.create_manifest_label(
+        tag_manifest, "jsonlabel", '{"hey": "there"}', "internal"
+    )
+
+    label_metadata = {
+        "key": "foo",
+        "value": "bar",
+        "id": first_label.id,
+        "manifest_digest": tag_manifest.digest,
+    }
+
+    logs_model.log_action(
+        "manifest_label_add",
+        new_user_1.username,
+        performer=new_user_1,
+        timestamp=datetime.now(),
+        metadata=label_metadata,
+        repository=tag_manifest.tag.repository,
+    )
+
+    model.blob.initiate_upload(
+        new_user_1.username, simple_repo.name, str(uuid4()), "local_us", {}
+    )
+    model.notification.create_repo_notification(
+        simple_repo, "repo_push", "quay_notification", {}, {}
+    )
+
+    __generate_repository(
+        with_storage,
+        new_user_1,
+        "sharedtags",
+        "Shared tags repository",
+        False,
+        [(new_user_2, "read"), (dtrobot[0], "read")],
+        (
+            2,
+            [
+                (3, [], ["v2.0", "v2.1", "v2.2"]),
+                (
+                    1,
+                    [
+                        (1, [(1, [], ["prod", "581a284"])], ["staging", "8423b58"]),
+                        (1, [], None),
+                    ],
+                    None,
+                ),
+            ],
+            None,
+        ),
+    )
+
+    __generate_repository(
+        with_storage,
+        new_user_1,
+        "history",
+        "Historical repository.",
+        False,
+        [],
+        (4, [(2, [], "#latest"), (3, [], "latest")], None),
+    )
+
+    __generate_repository(
+        with_storage,
+        new_user_1,
+        "complex",
+        "Complex repository with many branches and tags.",
+        False,
+        [(new_user_2, "read"), (dtrobot[0], "read")],
+        (
+            2,
+            [
+                (3, [], "v2.0"),
+                (1, [(1, [(2, [], ["prod"])], "staging"), (1, [], None)], None),
+            ],
+            None,
+        ),
+    )
+
+    __generate_repository(
+        with_storage,
+        new_user_1,
+        "gargantuan",
+        None,
+        False,
+        [],
+        (
+            2,
+            [
+                (3, [], "v2.0"),
+                (
+                    1,
+                    [(1, [(1, [], ["latest", "prod"])], "staging"), (1, [], None)],
+                    None,
+                ),
+                (20, [], "v3.0"),
+                (5, [], "v4.0"),
+                (1, [(1, [], "v5.0"), (1, [], "v6.0")], None),
+            ],
+            None,
+        ),
+    )
+
+    trusted_repo = __generate_repository(
+        with_storage,
+        new_user_1,
+        "trusted",
+        "Trusted repository.",
+        False,
+        [],
+        (4, [], ["latest", "prod"]),
+    )
+    trusted_repo.trust_enabled = True
+    trusted_repo.save()
+
+    publicrepo = __generate_repository(
+        with_storage,
+        new_user_2,
+        "publicrepo",
+        "Public repository pullable by the world.",
+        True,
+        [],
+        (10, [], "latest"),
+    )
+
+    __generate_repository(
+        with_storage,
+        outside_org,
+        "coolrepo",
+        "Some cool repo.",
+        False,
+        [],
+        (5, [], "latest"),
+    )
+
+    __generate_repository(
+        with_storage,
+        new_user_1,
+        "shared",
+        "Shared repository, another user can write.",
+        False,
+        [(new_user_2, "write"), (reader, "read")],
+        (5, [], "latest"),
+    )
+
+    __generate_repository(
+        with_storage,
+        new_user_1,
+        "text-full-repo",
+        "This is a repository for testing text search",
+        False,
+        [(new_user_2, "write"), (reader, "read")],
+        (5, [], "latest"),
+    )
+
+    building = __generate_repository(
+        with_storage,
+        new_user_1,
+        "building",
+        "Empty repository which is building.",
+        False,
+        [(new_user_2, "write"), (reader, "read")],
+        (0, [], None),
+    )
+
+    new_token = model.token.create_access_token(building, "write", "build-worker")
+
+    trigger = model.build.create_build_trigger(
+        building, "github", "123authtoken", new_user_1, pull_robot=dtrobot[0]
+    )
+    trigger.config = json.dumps(
+        {
+            "build_source": "jakedt/testconnect",
+            "subdir": "",
+            "dockerfile_path": "Dockerfile",
+            "context": "/",
+        }
+    )
+    trigger.save()
+
+    repo = "ci.devtable.com:5000/%s/%s" % (
+        building.namespace_user.username,
+        building.name,
+    )
+    job_config = {
+        "repository": repo,
+        "docker_tags": ["latest"],
+        "build_subdir": "",
+        "trigger_metadata": {
+            "commit": "3482adc5822c498e8f7db2e361e8d57b3d77ddd9",
+            "ref": "refs/heads/master",
+            "default_branch": "master",
+        },
+    }
+
+    model.repository.star_repository(new_user_1, simple_repo)
+
+    record = model.repository.create_email_authorization_for_repo(
+        new_user_1.username, "simple", "jschorr@devtable.com"
+    )
+    record.confirmed = True
+    record.save()
+
+    model.repository.create_email_authorization_for_repo(
+        new_user_1.username, "simple", "jschorr+other@devtable.com"
+    )
+
+    build2 = model.build.create_repository_build(
+        building,
+        new_token,
+        job_config,
+        "68daeebd-a5b9-457f-80a0-4363b882f8ea",
+        "build-name",
+        trigger,
+    )
+    build2.uuid = "deadpork-dead-pork-dead-porkdeadpork"
+    build2.save()
+
+    build3 = model.build.create_repository_build(
+        building,
+        new_token,
+        job_config,
+        "f49d07f9-93da-474d-ad5f-c852107c3892",
+        "build-name",
+        trigger,
+    )
+    build3.uuid = "deadduck-dead-duck-dead-duckdeadduck"
+    build3.save()
+
+    build1 = model.build.create_repository_build(
+        building,
+        new_token,
+        job_config,
+        "701dcc3724fb4f2ea6c31400528343cd",
+        "build-name",
+        trigger,
+    )
+    build1.uuid = "deadbeef-dead-beef-dead-beefdeadbeef"
+    build1.save()
+
+    org = model.organization.create_organization(
+        "buynlarge", "quay@devtable.com", new_user_1
+    )
+    org.stripe_id = TEST_STRIPE_ID
+    org.save()
+
+    liborg = model.organization.create_organization(
+        "library", "quay+library@devtable.com", new_user_1
+    )
+    liborg.save()
+
+    titiorg = model.organization.create_organization(
+        "titi", "quay+titi@devtable.com", new_user_1
+    )
+    titiorg.save()
+
+    thirdorg = model.organization.create_organization(
+        "sellnsmall", "quay+sell@devtable.com", new_user_1
+    )
+    thirdorg.save()
+
+    model.user.create_robot("coolrobot", org)
+
+    oauth_app_1 = model.oauth.create_application(
+        org,
+        "Some Test App",
+        "http://localhost:8000",
+        "http://localhost:8000/o2c.html",
+        client_id="deadbeef",
+    )
+
+    model.oauth.create_application(
+        org,
+        "Some Other Test App",
+        "http://quay.io",
+        "http://localhost:8000/o2c.html",
+        client_id="deadpork",
+        description="This is another test application",
+    )
+
+    model.oauth.create_access_token_for_testing(
+        new_user_1, "deadbeef", "repo:admin", access_token="%s%s" % ("b" * 40, "c" * 40)
+    )
+
+    oauth_credential = Credential.from_string("dswfhasdf1")
+    OAuthAuthorizationCode.create(
+        application=oauth_app_1,
+        code="Z932odswfhasdf1",
+        scope="repo:admin",
+        data='{"somejson": "goeshere"}',
+        code_name="Z932odswfhasdf1Z932o",
+        code_credential=oauth_credential,
+    )
+
+    model.user.create_robot("neworgrobot", org)
+
+    ownerbot = model.user.create_robot("ownerbot", org)[0]
+    creatorbot = model.user.create_robot("creatorbot", org)[0]
+
+    owners = model.team.get_organization_team("buynlarge", "owners")
+    owners.description = "Owners have unfetterd access across the entire org."
+    owners.save()
+
+    org_repo = __generate_repository(
+        with_storage,
+        org,
+        "orgrepo",
+        "Repository owned by an org.",
+        False,
+        [(outside_org, "read")],
+        (4, [], ["latest", "prod"]),
+    )
+
+    __generate_repository(
+        with_storage,
+        org,
+        "anotherorgrepo",
+        "Another repository owned by an org.",
+        False,
+        [],
+        (4, [], ["latest", "prod"]),
+    )
+
+    creators = model.team.create_team(
+        "creators", org, "creator", "Creators of orgrepo."
+    )
+
+    reader_team = model.team.create_team(
+        "readers", org, "member", "Readers of orgrepo."
+    )
+    model.team.add_or_invite_to_team(new_user_1, reader_team, outside_org)
+    model.permission.set_team_repo_permission(
+        reader_team.name, org_repo.namespace_user.username, org_repo.name, "read"
+    )
+
+    model.team.add_user_to_team(new_user_2, reader_team)
+    model.team.add_user_to_team(reader, reader_team)
+    model.team.add_user_to_team(ownerbot, owners)
+    model.team.add_user_to_team(creatorbot, creators)
+    model.team.add_user_to_team(creatoruser, creators)
+
+    sell_owners = model.team.get_organization_team("sellnsmall", "owners")
+    sell_owners.description = "Owners have unfettered access across the entire org."
+    sell_owners.save()
+
+    model.team.add_user_to_team(new_user_4, sell_owners)
+
+    sync_config = {"group_dn": "cn=Test-Group,ou=Users", "group_id": "somegroupid"}
+    synced_team = model.team.create_team("synced", org, "member", "Some synced team.")
+    model.team.set_team_syncing(synced_team, "ldap", sync_config)
+
+    another_synced_team = model.team.create_team(
+        "synced", thirdorg, "member", "Some synced team."
+    )
+    model.team.set_team_syncing(
+        another_synced_team, "ldap", {"group_dn": "cn=Test-Group,ou=Users"}
+    )
+
+    __generate_repository(
+        with_storage,
+        new_user_1,
+        "superwide",
+        None,
+        False,
+        [],
+        [
+            (10, [], "latest2"),
+            (2, [], "latest3"),
+            (2, [(1, [], "latest11"), (2, [], "latest12")], "latest4"),
+            (2, [], "latest5"),
+            (2, [], "latest6"),
+            (2, [], "latest7"),
+            (2, [], "latest8"),
+            (2, [], "latest9"),
+            (2, [], "latest10"),
+            (2, [], "latest13"),
+            (2, [], "latest14"),
+            (2, [], "latest15"),
+            (2, [], "latest16"),
+            (2, [], "latest17"),
+            (2, [], "latest18"),
+        ],
+    )
+
+    mirror_repo = __generate_repository(
+        with_storage,
+        new_user_1,
+        "mirrored",
+        "Mirrored repository.",
+        False,
+        [(dtrobot[0], "write"), (dtrobot2[0], "write")],
+        (4, [], ["latest", "prod"]),
+    )
+    mirror_rule = model.repo_mirror.create_mirroring_rule(
+        mirror_repo, ["latest", "3.3*"]
+    )
+    mirror_args = (
+        mirror_repo,
+        mirror_rule,
+        dtrobot[0],
+        "quay.io/coreos/etcd",
+        60 * 60 * 24,
+    )
+    mirror_kwargs = {
+        "external_registry_username": "fakeusername",
+        "external_registry_password": "fakepassword",
+        "external_registry_config": {},
+        "is_enabled": True,
+        "sync_start_date": datetime.utcnow(),
+    }
+    mirror = model.repo_mirror.enable_mirroring_for_repository(
+        *mirror_args, **mirror_kwargs
+    )
+
+    read_only_repo = __generate_repository(
+        with_storage,
+        new_user_1,
+        "readonly",
+        "Read-Only Repo.",
+        False,
+        [],
+        (4, [], ["latest", "prod"]),
+    )
+    read_only_repo.state = RepositoryState.READ_ONLY
+    read_only_repo.save()
+
+    model.permission.add_prototype_permission(
+        org, "read", activating_user=new_user_1, delegate_user=new_user_2
+    )
+    model.permission.add_prototype_permission(
+        org, "read", activating_user=new_user_1, delegate_team=reader_team
+    )
+    model.permission.add_prototype_permission(
+        org, "write", activating_user=new_user_2, delegate_user=new_user_1
+    )
+
+    today = datetime.today()
+    week_ago = today - timedelta(6)
+    six_ago = today - timedelta(5)
+    four_ago = today - timedelta(4)
+    yesterday = datetime.combine(date.today(), datetime.min.time()) - timedelta(hours=6)
+
+    __generate_service_key(
+        "kid1", "somesamplekey", new_user_1, today, ServiceKeyApprovalType.SUPERUSER
+    )
+    __generate_service_key(
+        "kid2",
+        "someexpiringkey",
+        new_user_1,
+        week_ago,
+        ServiceKeyApprovalType.SUPERUSER,
+        today + timedelta(days=14),
+    )
+
+    __generate_service_key("kid3", "unapprovedkey", new_user_1, today, None)
+
+    __generate_service_key(
+        "kid4",
+        "autorotatingkey",
+        new_user_1,
+        six_ago,
+        ServiceKeyApprovalType.KEY_ROTATION,
+        today + timedelta(days=1),
+        rotation_duration=timedelta(hours=12).total_seconds(),
+    )
+
+    __generate_service_key(
+        "kid5",
+        "key for another service",
+        new_user_1,
+        today,
+        ServiceKeyApprovalType.SUPERUSER,
+        today + timedelta(days=14),
+        service="different_sample_service",
+    )
+
+    __generate_service_key(
+        "kid6",
+        "someexpiredkey",
+        new_user_1,
+        week_ago,
+        ServiceKeyApprovalType.SUPERUSER,
+        today - timedelta(days=1),
+    )
+
+    __generate_service_key(
+        "kid7",
+        "somewayexpiredkey",
+        new_user_1,
+        week_ago,
+        ServiceKeyApprovalType.SUPERUSER,
+        today - timedelta(days=30),
+    )
+
+    # Add the test pull key as pre-approved for local and unittest registry testing.
+    # Note: this must match the private key found in the local/test config.
+    _TEST_JWK = {
+        "e": "AQAB",
+        "kty": "RSA",
+        "n": "yqdQgnelhAPMSeyH0kr3UGePK9oFOmNfwD0Ymnh7YYXr21VHWwyM2eVW3cnLd9KXywDFtGSe9oFDbnOuMCdUowdkBcaHju-isbv5KEbNSoy_T2Rip-6L0cY63YzcMJzv1nEYztYXS8wz76pSK81BKBCLapqOCmcPeCvV9yaoFZYvZEsXCl5jjXN3iujSzSF5Z6PpNFlJWTErMT2Z4QfbDKX2Nw6vJN6JnGpTNHZvgvcyNX8vkSgVpQ8DFnFkBEx54PvRV5KpHAq6AsJxKONMo11idQS2PfCNpa2hvz9O6UZe-eIX8jPo5NW8TuGZJumbdPT_nxTDLfCqfiZboeI0Pw",
+    }
+
+    key = model.service_keys.create_service_key(
+        "test_service_key", "test_service_key", "quay", _TEST_JWK, {}, None
+    )
+
+    model.service_keys.approve_service_key(
+        key.kid,
+        ServiceKeyApprovalType.SUPERUSER,
+        notes="Test service key for local/test registry testing",
+    )
+
+    # Add an app specific token.
+    token = model.appspecifictoken.create_token(new_user_1, "some app")
+    token.token_name = "a" * 60
+    token.token_secret = "b" * 60
+    token.save()
+
+    logs_model.log_action(
+        "org_create_team",
+        org.username,
+        performer=new_user_1,
+        timestamp=week_ago,
+        metadata={"team": "readers"},
+    )
+
+    logs_model.log_action(
+        "org_set_team_role",
+        org.username,
+        performer=new_user_1,
+        timestamp=week_ago,
+        metadata={"team": "readers", "role": "read"},
+    )
+
+    logs_model.log_action(
+        "create_repo",
+        org.username,
+        performer=new_user_1,
+        repository=org_repo,
+        timestamp=week_ago,
+        metadata={"namespace": org.username, "repo": "orgrepo"},
+    )
+
+    logs_model.log_action(
+        "change_repo_permission",
+        org.username,
+        performer=new_user_2,
+        repository=org_repo,
+        timestamp=six_ago,
+        metadata={"username": new_user_1.username, "repo": "orgrepo", "role": "admin"},
+    )
+
+    logs_model.log_action(
+        "change_repo_permission",
+        org.username,
+        performer=new_user_1,
+        repository=org_repo,
+        timestamp=six_ago,
+        metadata={"username": new_user_2.username, "repo": "orgrepo", "role": "read"},
+    )
+
+    logs_model.log_action(
+        "add_repo_accesstoken",
+        org.username,
+        performer=new_user_1,
+        repository=org_repo,
+        timestamp=four_ago,
+        metadata={"repo": "orgrepo", "token": "deploytoken"},
+    )
+
+    logs_model.log_action(
+        "push_repo",
+        org.username,
+        performer=new_user_2,
+        repository=org_repo,
+        timestamp=today,
+        metadata={"username": new_user_2.username, "repo": "orgrepo"},
+    )
+
+    logs_model.log_action(
+        "pull_repo",
+        org.username,
+        performer=new_user_2,
+        repository=org_repo,
+        timestamp=today,
+        metadata={"username": new_user_2.username, "repo": "orgrepo"},
+    )
+
+    logs_model.log_action(
+        "pull_repo",
+        org.username,
+        repository=org_repo,
+        timestamp=today,
+        metadata={"token": "sometoken", "token_code": "somecode", "repo": "orgrepo"},
+    )
+
+    logs_model.log_action(
+        "delete_tag",
+        org.username,
+        performer=new_user_2,
+        repository=org_repo,
+        timestamp=today,
+        metadata={"username": new_user_2.username, "repo": "orgrepo", "tag": "sometag"},
+    )
+
+    logs_model.log_action(
+        "pull_repo",
+        org.username,
+        repository=org_repo,
+        timestamp=today,
+        metadata={"token_code": "somecode", "repo": "orgrepo"},
+    )
+
+    logs_model.log_action(
+        "pull_repo",
+        new_user_2.username,
+        repository=publicrepo,
+        timestamp=yesterday,
+        metadata={"token_code": "somecode", "repo": "publicrepo"},
+    )
+
+    logs_model.log_action(
+        "build_dockerfile",
+        new_user_1.username,
+        repository=building,
+        timestamp=today,
+        metadata={
+            "repo": "building",
+            "namespace": new_user_1.username,
+            "trigger_id": trigger.uuid,
+            "config": json.loads(trigger.config),
+            "service": trigger.service.name,
+        },
+    )
+
+    model.message.create(
+        [
+            {
+                "content": "We love you, Quay customers!",
+                "severity": "info",
+                "media_type": "text/plain",
+            }
+        ]
+    )
+
+    model.message.create(
+        [
+            {
+                "content": "This is a **development** install of Quay",
+                "severity": "warning",
+                "media_type": "text/markdown",
+            }
+        ]
+    )
+
+    fake_queue = WorkQueue("fakequeue", tf)
+    fake_queue.put(["canonical", "job", "name"], "{}")
+
+    model.user.create_user_prompt(new_user_4, "confirm_username")
+
+    while True:
+        to_count = model.repositoryactioncount.find_uncounted_repository()
+        if not to_count:
+            break
+
+        model.repositoryactioncount.count_repository_actions(to_count)
+        model.repositoryactioncount.update_repository_score(to_count)
+
+
+WHITELISTED_EMPTY_MODELS = [
+    "DeletedNamespace",
+    "LogEntry",
+    "LogEntry2",
+    "ManifestChild",
+    "NamespaceGeoRestriction",
+    "RepoMirrorConfig",
+    "RepoMirrorRule",
+]
 
 
 def find_models_missing_data():
-  # As a sanity check we are going to make sure that all db tables have some data, unless explicitly
-  # whitelisted.
-  models_missing_data = set()
-  for one_model in all_models:
-    if one_model in appr_classes:
-      continue
+    # As a sanity check we are going to make sure that all db tables have some data, unless explicitly
+    # whitelisted.
+    models_missing_data = set()
+    for one_model in all_models:
+        if one_model in appr_classes:
+            continue
 
-    try:
-      one_model.select().get()
-    except one_model.DoesNotExist:
-      if one_model.__name__ not in WHITELISTED_EMPTY_MODELS:
-        models_missing_data.add(one_model.__name__)
+        try:
+            one_model.select().get()
+        except one_model.DoesNotExist:
+            if one_model.__name__ not in WHITELISTED_EMPTY_MODELS:
+                models_missing_data.add(one_model.__name__)
 
-  return models_missing_data
+    return models_missing_data
 
 
-if __name__ == '__main__':
-  parser = argparse.ArgumentParser(description='Initialize the test database.')
-  parser.add_argument('--simple', action='store_true')
-  args = parser.parse_args()
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser(description="Initialize the test database.")
+    parser.add_argument("--simple", action="store_true")
+    args = parser.parse_args()
 
-  log_level = os.environ.get('LOGGING_LEVEL', getattr(logging, app.config['LOGGING_LEVEL']))
-  logging.basicConfig(level=log_level)
+    log_level = os.environ.get(
+        "LOGGING_LEVEL", getattr(logging, app.config["LOGGING_LEVEL"])
+    )
+    logging.basicConfig(level=log_level)
 
-  if not IS_TESTING_REAL_DATABASE and not isinstance(db.obj, SqliteDatabase):
-    raise RuntimeError('Attempted to initialize production database!')
+    if not IS_TESTING_REAL_DATABASE and not isinstance(db.obj, SqliteDatabase):
+        raise RuntimeError("Attempted to initialize production database!")
 
-  if os.environ.get('SKIP_DB_SCHEMA', '').lower() != 'true':
-    initialize_database()
+    if os.environ.get("SKIP_DB_SCHEMA", "").lower() != "true":
+        initialize_database()
 
-  populate_database(args.simple)
+    populate_database(args.simple)
 
-  if not args.simple:
-    models_missing_data = find_models_missing_data()
-    if models_missing_data:
-      logger.warning('The following models do not have any data: %s', models_missing_data)
+    if not args.simple:
+        models_missing_data = find_models_missing_data()
+        if models_missing_data:
+            logger.warning(
+                "The following models do not have any data: %s", models_missing_data
+            )
diff --git a/loghandler.py b/loghandler.py
index d3d9948cb..0309a3313 100755
--- a/loghandler.py
+++ b/loghandler.py
@@ -10,41 +10,62 @@ import re
 import traceback
 
 
-LOG_FORMAT_REGEXP = re.compile(r'\((.+?)\)', re.IGNORECASE)
+LOG_FORMAT_REGEXP = re.compile(r"\((.+?)\)", re.IGNORECASE)
 
 
 def _json_default(obj):
-  """
+    """
   Coerce everything to strings.
   All objects representing time get output as ISO8601.
   """
-  if isinstance(obj, (datetime.date, datetime.time, datetime.datetime)):
-    return obj.isoformat()
+    if isinstance(obj, (datetime.date, datetime.time, datetime.datetime)):
+        return obj.isoformat()
 
-  elif isinstance(obj, Exception):
-    return "Exception: %s" % str(obj)
+    elif isinstance(obj, Exception):
+        return "Exception: %s" % str(obj)
 
-  return str(obj)
+    return str(obj)
 
 
 # skip natural LogRecord attributes
 # http://docs.python.org/library/logging.html#logrecord-attributes
-RESERVED_ATTRS = set([
-  'args', 'asctime', 'created', 'exc_info', 'exc_text', 'filename', 'funcName', 'levelname',
-  'levelno', 'lineno', 'module', 'msecs', 'message', 'msg', 'name', 'pathname', 'process',
-  'processName', 'relativeCreated', 'stack_info', 'thread', 'threadName'
-])
+RESERVED_ATTRS = set(
+    [
+        "args",
+        "asctime",
+        "created",
+        "exc_info",
+        "exc_text",
+        "filename",
+        "funcName",
+        "levelname",
+        "levelno",
+        "lineno",
+        "module",
+        "msecs",
+        "message",
+        "msg",
+        "name",
+        "pathname",
+        "process",
+        "processName",
+        "relativeCreated",
+        "stack_info",
+        "thread",
+        "threadName",
+    ]
+)
 
 
 class JsonFormatter(logging.Formatter):
-  """
+    """
     A custom formatter to format logging records as json strings.
     extra values will be formatted as str() if nor supported by
     json default encoder
     """
 
-  def __init__(self, *args, **kwargs):
-    """
+    def __init__(self, *args, **kwargs):
+        """
         :param json_default: a function for encoding non-standard objects
             as outlined in http://docs.python.org/2/library/json.html
         :param json_encoder: optional custom encoder
@@ -52,63 +73,67 @@ class JsonFormatter(logging.Formatter):
             that will be used to serialize the log record.
         :param prefix: an optional key prefix to nest logs
         """
-    self.json_default = kwargs.pop("json_default", _json_default)
-    self.json_encoder = kwargs.pop("json_encoder", None)
-    self.json_serializer = kwargs.pop("json_serializer", json.dumps)
-    self.default_values = kwargs.pop("default_extra", {})
-    self.prefix_key = kwargs.pop("prefix_key", "data")
+        self.json_default = kwargs.pop("json_default", _json_default)
+        self.json_encoder = kwargs.pop("json_encoder", None)
+        self.json_serializer = kwargs.pop("json_serializer", json.dumps)
+        self.default_values = kwargs.pop("default_extra", {})
+        self.prefix_key = kwargs.pop("prefix_key", "data")
 
-    logging.Formatter.__init__(self, *args, **kwargs)
+        logging.Formatter.__init__(self, *args, **kwargs)
 
-    self._fmt_parameters = self._parse_format_string()
-    self._skip_fields = set(self._fmt_parameters)
-    self._skip_fields.update(RESERVED_ATTRS)
+        self._fmt_parameters = self._parse_format_string()
+        self._skip_fields = set(self._fmt_parameters)
+        self._skip_fields.update(RESERVED_ATTRS)
 
-  def _parse_format_string(self):
-    """Parses format string looking for substitutions"""
-    standard_formatters = LOG_FORMAT_REGEXP
-    return standard_formatters.findall(self._fmt)
+    def _parse_format_string(self):
+        """Parses format string looking for substitutions"""
+        standard_formatters = LOG_FORMAT_REGEXP
+        return standard_formatters.findall(self._fmt)
 
-  def add_fields(self, log_record, record, message_dict):
-    """
+    def add_fields(self, log_record, record, message_dict):
+        """
         Override this method to implement custom logic for adding fields.
     """
 
-    target = log_record
-    if self.prefix_key:
-      log_record[self.prefix_key] = {}
-      target = log_record[self.prefix_key]
+        target = log_record
+        if self.prefix_key:
+            log_record[self.prefix_key] = {}
+            target = log_record[self.prefix_key]
 
-    for field, value in record.__dict__.iteritems():
-      if field in self._fmt_parameters and field in RESERVED_ATTRS:
-        log_record[field] = value
-      elif field not in RESERVED_ATTRS:
-        target[field] = value
+        for field, value in record.__dict__.iteritems():
+            if field in self._fmt_parameters and field in RESERVED_ATTRS:
+                log_record[field] = value
+            elif field not in RESERVED_ATTRS:
+                target[field] = value
 
-    target.update(message_dict)
-    target.update(self.default_values)
+        target.update(message_dict)
+        target.update(self.default_values)
 
-  def format(self, record):
-    """Formats a log record and serializes to json"""
-    message_dict = {}
-    if isinstance(record.msg, dict):
-      message_dict = record.msg
-      record.message = None
-      if "message" in message_dict:
-        record.message = message_dict.pop("message", "")
-    else:
-      record.message = record.getMessage()
+    def format(self, record):
+        """Formats a log record and serializes to json"""
+        message_dict = {}
+        if isinstance(record.msg, dict):
+            message_dict = record.msg
+            record.message = None
+            if "message" in message_dict:
+                record.message = message_dict.pop("message", "")
+        else:
+            record.message = record.getMessage()
 
-    # only format time if needed
-    if "asctime" in self._fmt_parameters:
-      record.asctime = self.formatTime(record, self.datefmt)
+        # only format time if needed
+        if "asctime" in self._fmt_parameters:
+            record.asctime = self.formatTime(record, self.datefmt)
 
-    # Display formatted exception, but allow overriding it in the
-    # user-supplied dict.
-    if record.exc_info and not message_dict.get('exc_info'):
-      message_dict['exc_info'] = traceback.format_list(traceback.extract_tb(record.exc_info[2]))
-    log_record = {}
+        # Display formatted exception, but allow overriding it in the
+        # user-supplied dict.
+        if record.exc_info and not message_dict.get("exc_info"):
+            message_dict["exc_info"] = traceback.format_list(
+                traceback.extract_tb(record.exc_info[2])
+            )
+        log_record = {}
 
-    self.add_fields(log_record, record, message_dict)
+        self.add_fields(log_record, record, message_dict)
 
-    return self.json_serializer(log_record, default=self.json_default, cls=self.json_encoder)
+        return self.json_serializer(
+            log_record, default=self.json_default, cls=self.json_encoder
+        )
diff --git a/notifications/__init__.py b/notifications/__init__.py
index 04903167d..0b173cbba 100644
--- a/notifications/__init__.py
+++ b/notifications/__init__.py
@@ -9,80 +9,98 @@ from auth.auth_context import get_authenticated_user, get_validated_oauth_token
 DEFAULT_BATCH_SIZE = 1000
 
 
-def build_repository_event_data(namespace_name, repo_name, extra_data=None, subpage=None):
-  """ Builds the basic repository data for an event, including the repository's name, Docker URL
+def build_repository_event_data(
+    namespace_name, repo_name, extra_data=None, subpage=None
+):
+    """ Builds the basic repository data for an event, including the repository's name, Docker URL
       and homepage. If extra_data is specified, it is appended to the dictionary before it is
       returned.
   """
-  repo_string = '%s/%s' % (namespace_name, repo_name)
-  homepage = '%s://%s/repository/%s' % (app.config['PREFERRED_URL_SCHEME'],
-                                        app.config['SERVER_HOSTNAME'], repo_string)
+    repo_string = "%s/%s" % (namespace_name, repo_name)
+    homepage = "%s://%s/repository/%s" % (
+        app.config["PREFERRED_URL_SCHEME"],
+        app.config["SERVER_HOSTNAME"],
+        repo_string,
+    )
 
-  if subpage:
-    if not subpage.startswith('/'):
-      subpage = '/' + subpage
+    if subpage:
+        if not subpage.startswith("/"):
+            subpage = "/" + subpage
 
-    homepage = homepage + subpage
+        homepage = homepage + subpage
 
-  event_data = {
-    'repository': repo_string,
-    'namespace': namespace_name,
-    'name': repo_name,
-    'docker_url': '%s/%s' % (app.config['SERVER_HOSTNAME'], repo_string),
-    'homepage': homepage,
-  }
+    event_data = {
+        "repository": repo_string,
+        "namespace": namespace_name,
+        "name": repo_name,
+        "docker_url": "%s/%s" % (app.config["SERVER_HOSTNAME"], repo_string),
+        "homepage": homepage,
+    }
 
-  event_data.update(extra_data or {})
-  return event_data
+    event_data.update(extra_data or {})
+    return event_data
 
 
 def build_notification_data(notification, event_data, performer_data=None):
-  if not performer_data:
-    performer_data = {}
+    if not performer_data:
+        performer_data = {}
 
-    oauth_token = get_validated_oauth_token()
-    if oauth_token:
-      performer_data['oauth_token_id'] = oauth_token.id
-      performer_data['oauth_token_application_id'] = oauth_token.application.client_id
-      performer_data['oauth_token_application'] = oauth_token.application.name
+        oauth_token = get_validated_oauth_token()
+        if oauth_token:
+            performer_data["oauth_token_id"] = oauth_token.id
+            performer_data[
+                "oauth_token_application_id"
+            ] = oauth_token.application.client_id
+            performer_data["oauth_token_application"] = oauth_token.application.name
 
-    performer_user = get_authenticated_user()
-    if performer_user:
-      performer_data['entity_id'] = performer_user.id
-      performer_data['entity_name'] = performer_user.username
+        performer_user = get_authenticated_user()
+        if performer_user:
+            performer_data["entity_id"] = performer_user.id
+            performer_data["entity_name"] = performer_user.username
 
-  return {
-    'notification_uuid': notification.uuid,
-    'event_data': event_data,
-    'performer_data': performer_data,
-  }
+    return {
+        "notification_uuid": notification.uuid,
+        "event_data": event_data,
+        "performer_data": performer_data,
+    }
 
 
 @contextmanager
 def notification_batch(batch_size=DEFAULT_BATCH_SIZE):
-  """
+    """
   Context manager implementation which returns a target callable with the same signature
   as spawn_notification. When the the context block exits the notifications generated by
   the callable will be bulk inserted into the queue with the specified batch size.
   """
-  with notification_queue.batch_insert(batch_size) as queue_put:
+    with notification_queue.batch_insert(batch_size) as queue_put:
 
-    def spawn_notification_batch(repo, event_name, extra_data=None, subpage=None, pathargs=None,
-                                 performer_data=None):
-      event_data = build_repository_event_data(repo.namespace_name, repo.name,
-                                               extra_data=extra_data, subpage=subpage)
+        def spawn_notification_batch(
+            repo,
+            event_name,
+            extra_data=None,
+            subpage=None,
+            pathargs=None,
+            performer_data=None,
+        ):
+            event_data = build_repository_event_data(
+                repo.namespace_name, repo.name, extra_data=extra_data, subpage=subpage
+            )
 
-      notifications = model.notification.list_repo_notifications(repo.namespace_name, repo.name,
-                                                                 event_name=event_name)
-      path = [repo.namespace_name, repo.name, event_name] + (pathargs or [])
-      for notification in list(notifications):
-        notification_data = build_notification_data(notification, event_data, performer_data)
-        queue_put(path, json.dumps(notification_data))
+            notifications = model.notification.list_repo_notifications(
+                repo.namespace_name, repo.name, event_name=event_name
+            )
+            path = [repo.namespace_name, repo.name, event_name] + (pathargs or [])
+            for notification in list(notifications):
+                notification_data = build_notification_data(
+                    notification, event_data, performer_data
+                )
+                queue_put(path, json.dumps(notification_data))
 
-    yield spawn_notification_batch
+        yield spawn_notification_batch
 
 
-def spawn_notification(repo, event_name, extra_data=None, subpage=None, pathargs=None,
-                       performer_data=None):
-  with notification_batch(1) as batch_spawn:
-    batch_spawn(repo, event_name, extra_data, subpage, pathargs, performer_data)
+def spawn_notification(
+    repo, event_name, extra_data=None, subpage=None, pathargs=None, performer_data=None
+):
+    with notification_batch(1) as batch_spawn:
+        batch_spawn(repo, event_name, extra_data, subpage, pathargs, performer_data)
diff --git a/notifications/models_interface.py b/notifications/models_interface.py
index 734977c81..10d52b5d9 100644
--- a/notifications/models_interface.py
+++ b/notifications/models_interface.py
@@ -1,16 +1,25 @@
 from collections import namedtuple
 
 
-class Repository(namedtuple('Repository', ['namespace_name', 'name'])):
-  """
+class Repository(namedtuple("Repository", ["namespace_name", "name"])):
+    """
   Repository represents a repository.
   """
 
 
 class Notification(
-    namedtuple('Notification', [
-      'uuid', 'event_name', 'method_name', 'event_config_dict', 'method_config_dict',
-      'repository'])):
-  """
+    namedtuple(
+        "Notification",
+        [
+            "uuid",
+            "event_name",
+            "method_name",
+            "event_config_dict",
+            "method_config_dict",
+            "repository",
+        ],
+    )
+):
+    """
   Notification represents a registered notification of some kind.
   """
diff --git a/notifications/notificationevent.py b/notifications/notificationevent.py
index 085dceb0d..2c53804b4 100644
--- a/notifications/notificationevent.py
+++ b/notifications/notificationevent.py
@@ -11,412 +11,457 @@ logger = logging.getLogger(__name__)
 
 TEMPLATE_ENV = get_template_env("events")
 
-class InvalidNotificationEventException(Exception):
-  pass
 
-class NotificationEvent(object):
-  def __init__(self):
+class InvalidNotificationEventException(Exception):
     pass
 
-  def get_level(self, event_data, notification_data):
-    """
+
+class NotificationEvent(object):
+    def __init__(self):
+        pass
+
+    def get_level(self, event_data, notification_data):
+        """
     Returns a 'level' representing the severity of the event.
     Valid values are: 'info', 'warning', 'error', 'primary', 'success'
     """
-    raise NotImplementedError
+        raise NotImplementedError
 
-  def get_summary(self, event_data, notification_data):
-    """
+    def get_summary(self, event_data, notification_data):
+        """
     Returns a human readable one-line summary for the given notification data.
     """
-    raise NotImplementedError
+        raise NotImplementedError
 
-  def get_message(self, event_data, notification_data):
-    """
+    def get_message(self, event_data, notification_data):
+        """
     Returns a human readable HTML message for the given notification data.
     """
-    return TEMPLATE_ENV.get_template(self.event_name() + '.html').render({
-      'event_data': event_data,
-      'notification_data': notification_data
-    })
+        return TEMPLATE_ENV.get_template(self.event_name() + ".html").render(
+            {"event_data": event_data, "notification_data": notification_data}
+        )
 
-  def get_sample_data(self, namespace_name, repo_name, event_config):
-    """
+    def get_sample_data(self, namespace_name, repo_name, event_config):
+        """
     Returns sample data for testing the raising of this notification, with an example notification.
     """
-    raise NotImplementedError
+        raise NotImplementedError
 
-  def should_perform(self, event_data, notification_data):
-    """
+    def should_perform(self, event_data, notification_data):
+        """
     Whether a notification for this event should be performed. By default returns True.
     """
-    return True
+        return True
 
-  @classmethod
-  def event_name(cls):
-    """
+    @classmethod
+    def event_name(cls):
+        """
     Particular event implemented by subclasses.
     """
-    raise NotImplementedError
+        raise NotImplementedError
 
-  @classmethod
-  def get_event(cls, eventname):
-    found = NotificationEvent._get_event(cls, eventname)
-    if found is not None:
-      return found
-
-    raise InvalidNotificationEventException('Unable to find event: %s' % eventname)
-
-  @classmethod
-  def event_names(cls):
-    for subc in cls.__subclasses__():
-      if subc.event_name() is None:
-        for subsubc in subc.__subclasses__():
-          yield subsubc.event_name()
-      else:
-        yield subc.event_name()
-
-  @staticmethod
-  def _get_event(cls, eventname):
-    for subc in cls.__subclasses__():
-      if subc.event_name() is None:
-        found = NotificationEvent._get_event(subc, eventname)
+    @classmethod
+    def get_event(cls, eventname):
+        found = NotificationEvent._get_event(cls, eventname)
         if found is not None:
-          return found
-      elif subc.event_name() == eventname:
-        return subc()
+            return found
+
+        raise InvalidNotificationEventException("Unable to find event: %s" % eventname)
+
+    @classmethod
+    def event_names(cls):
+        for subc in cls.__subclasses__():
+            if subc.event_name() is None:
+                for subsubc in subc.__subclasses__():
+                    yield subsubc.event_name()
+            else:
+                yield subc.event_name()
+
+    @staticmethod
+    def _get_event(cls, eventname):
+        for subc in cls.__subclasses__():
+            if subc.event_name() is None:
+                found = NotificationEvent._get_event(subc, eventname)
+                if found is not None:
+                    return found
+            elif subc.event_name() == eventname:
+                return subc()
 
 
 class RepoPushEvent(NotificationEvent):
-  @classmethod
-  def event_name(cls):
-    return 'repo_push'
+    @classmethod
+    def event_name(cls):
+        return "repo_push"
 
-  def get_level(self, event_data, notification_data):
-    return 'primary'
+    def get_level(self, event_data, notification_data):
+        return "primary"
 
-  def get_summary(self, event_data, notification_data):
-    return 'Repository %s updated' % (event_data['repository'])
+    def get_summary(self, event_data, notification_data):
+        return "Repository %s updated" % (event_data["repository"])
 
-  def get_sample_data(self, namespace_name, repo_name, event_config):
-    return build_repository_event_data(namespace_name, repo_name, {
-      'updated_tags': ['latest', 'foo'],
-      'pruned_image_count': 3
-    })
+    def get_sample_data(self, namespace_name, repo_name, event_config):
+        return build_repository_event_data(
+            namespace_name,
+            repo_name,
+            {"updated_tags": ["latest", "foo"], "pruned_image_count": 3},
+        )
 
 
 class RepoMirrorSyncStartedEvent(NotificationEvent):
-  @classmethod
-  def event_name(cls):
-    return 'repo_mirror_sync_started'
+    @classmethod
+    def event_name(cls):
+        return "repo_mirror_sync_started"
 
-  def get_level(self, event_data, notification_data):
-    return 'info'
+    def get_level(self, event_data, notification_data):
+        return "info"
 
-  def get_summary(self, event_data, notification_data):
-    return 'Repository Mirror started for %s' % (event_data['message'])
+    def get_summary(self, event_data, notification_data):
+        return "Repository Mirror started for %s" % (event_data["message"])
 
-  def get_sample_data(self, namespace_name, repo_name, event_config):
-    return build_repository_event_data(namespace_name, repo_name, {
-      'message': 'TEST NOTIFICATION'
-    })
+    def get_sample_data(self, namespace_name, repo_name, event_config):
+        return build_repository_event_data(
+            namespace_name, repo_name, {"message": "TEST NOTIFICATION"}
+        )
 
 
 class RepoMirrorSyncSuccessEvent(NotificationEvent):
-  @classmethod
-  def event_name(cls):
-    return 'repo_mirror_sync_success'
+    @classmethod
+    def event_name(cls):
+        return "repo_mirror_sync_success"
 
-  def get_level(self, event_data, notification_data):
-    return 'success'
+    def get_level(self, event_data, notification_data):
+        return "success"
 
-  def get_summary(self, event_data, notification_data):
-    return 'Repository Mirror success for %s' % (event_data['message'])
+    def get_summary(self, event_data, notification_data):
+        return "Repository Mirror success for %s" % (event_data["message"])
 
-  def get_sample_data(self, namespace_name, repo_name, event_config):
-    return build_repository_event_data(namespace_name, repo_name, {
-      'message': 'TEST NOTIFICATION'
-    })
+    def get_sample_data(self, namespace_name, repo_name, event_config):
+        return build_repository_event_data(
+            namespace_name, repo_name, {"message": "TEST NOTIFICATION"}
+        )
 
 
 class RepoMirrorSyncFailedEvent(NotificationEvent):
-  @classmethod
-  def event_name(cls):
-    return 'repo_mirror_sync_failed'
+    @classmethod
+    def event_name(cls):
+        return "repo_mirror_sync_failed"
 
-  def get_level(self, event_data, notification_data):
-    return 'error'
+    def get_level(self, event_data, notification_data):
+        return "error"
 
-  def get_summary(self, event_data, notification_data):
-    return 'Repository Mirror failed for %s' % (event_data['message'])
+    def get_summary(self, event_data, notification_data):
+        return "Repository Mirror failed for %s" % (event_data["message"])
 
-  def get_sample_data(self, namespace_name, repo_name, event_config):
-    return build_repository_event_data(namespace_name, repo_name, {
-      'message': 'TEST NOTIFICATION'
-    })
+    def get_sample_data(self, namespace_name, repo_name, event_config):
+        return build_repository_event_data(
+            namespace_name, repo_name, {"message": "TEST NOTIFICATION"}
+        )
 
 
 def _build_summary(event_data):
-  """ Returns a summary string for the build data found in the event data block. """
-  summary = 'for repository %s [%s]' % (event_data['repository'], event_data['build_id'][0:7])
-  return summary
+    """ Returns a summary string for the build data found in the event data block. """
+    summary = "for repository %s [%s]" % (
+        event_data["repository"],
+        event_data["build_id"][0:7],
+    )
+    return summary
 
 
 class VulnerabilityFoundEvent(NotificationEvent):
-  CONFIG_LEVEL = 'level'
-  PRIORITY_KEY = 'priority'
-  VULNERABILITY_KEY = 'vulnerability'
-  MULTIPLE_VULNERABILITY_KEY = 'vulnerabilities'
+    CONFIG_LEVEL = "level"
+    PRIORITY_KEY = "priority"
+    VULNERABILITY_KEY = "vulnerability"
+    MULTIPLE_VULNERABILITY_KEY = "vulnerabilities"
 
-  @classmethod
-  def event_name(cls):
-    return 'vulnerability_found'
+    @classmethod
+    def event_name(cls):
+        return "vulnerability_found"
 
-  def get_level(self, event_data, notification_data):
-    vuln_data = event_data[VulnerabilityFoundEvent.VULNERABILITY_KEY]
-    priority = vuln_data[VulnerabilityFoundEvent.PRIORITY_KEY]
-    if priority == 'Defcon1' or priority == 'Critical':
-      return 'error'
+    def get_level(self, event_data, notification_data):
+        vuln_data = event_data[VulnerabilityFoundEvent.VULNERABILITY_KEY]
+        priority = vuln_data[VulnerabilityFoundEvent.PRIORITY_KEY]
+        if priority == "Defcon1" or priority == "Critical":
+            return "error"
 
-    if priority == 'Medium' or priority == 'High':
-      return 'warning'
+        if priority == "Medium" or priority == "High":
+            return "warning"
 
-    return 'info'
+        return "info"
 
-  def get_sample_data(self, namespace_name, repo_name, event_config):
-    level = event_config.get(VulnerabilityFoundEvent.CONFIG_LEVEL, 'Critical')
-    return build_repository_event_data(namespace_name, repo_name,  {
-      'tags': ['latest', 'prod', 'foo', 'bar', 'baz'],
-      'image': 'some-image-id',
-      'vulnerability': {
-        'id': 'CVE-FAKE-CVE',
-        'description': 'A futurist vulnerability',
-        'link': 'https://security-tracker.debian.org/tracker/CVE-FAKE-CVE',
-        'priority': get_priority_for_index(level)
-      },
-    })
+    def get_sample_data(self, namespace_name, repo_name, event_config):
+        level = event_config.get(VulnerabilityFoundEvent.CONFIG_LEVEL, "Critical")
+        return build_repository_event_data(
+            namespace_name,
+            repo_name,
+            {
+                "tags": ["latest", "prod", "foo", "bar", "baz"],
+                "image": "some-image-id",
+                "vulnerability": {
+                    "id": "CVE-FAKE-CVE",
+                    "description": "A futurist vulnerability",
+                    "link": "https://security-tracker.debian.org/tracker/CVE-FAKE-CVE",
+                    "priority": get_priority_for_index(level),
+                },
+            },
+        )
 
-  def should_perform(self, event_data, notification_data):
-    event_config = notification_data.event_config_dict
-    if VulnerabilityFoundEvent.CONFIG_LEVEL not in event_config:
-      return True
+    def should_perform(self, event_data, notification_data):
+        event_config = notification_data.event_config_dict
+        if VulnerabilityFoundEvent.CONFIG_LEVEL not in event_config:
+            return True
 
-    if VulnerabilityFoundEvent.VULNERABILITY_KEY not in event_data:
-      return False
+        if VulnerabilityFoundEvent.VULNERABILITY_KEY not in event_data:
+            return False
 
-    vuln_info = event_data.get(VulnerabilityFoundEvent.VULNERABILITY_KEY, {})
-    event_severity = PRIORITY_LEVELS.get(vuln_info.get('priority', 'Unknown'))
-    if event_severity is None:
-      return False
+        vuln_info = event_data.get(VulnerabilityFoundEvent.VULNERABILITY_KEY, {})
+        event_severity = PRIORITY_LEVELS.get(vuln_info.get("priority", "Unknown"))
+        if event_severity is None:
+            return False
 
-    actual_level_index = int(event_severity['index'])
-    filter_level_index = int(event_config[VulnerabilityFoundEvent.CONFIG_LEVEL])
-    return actual_level_index <= filter_level_index
+        actual_level_index = int(event_severity["index"])
+        filter_level_index = int(event_config[VulnerabilityFoundEvent.CONFIG_LEVEL])
+        return actual_level_index <= filter_level_index
 
-  def get_summary(self, event_data, notification_data):
-    vuln_key = VulnerabilityFoundEvent.VULNERABILITY_KEY
-    priority_key = VulnerabilityFoundEvent.PRIORITY_KEY
+    def get_summary(self, event_data, notification_data):
+        vuln_key = VulnerabilityFoundEvent.VULNERABILITY_KEY
+        priority_key = VulnerabilityFoundEvent.PRIORITY_KEY
 
-    multiple_vulns = event_data.get(VulnerabilityFoundEvent.MULTIPLE_VULNERABILITY_KEY)
-    if multiple_vulns is not None:
-      top_priority = multiple_vulns[0].get(priority_key, 'Unknown')
-      matching = [v for v in multiple_vulns if v.get(priority_key, 'Unknown') == top_priority]
+        multiple_vulns = event_data.get(
+            VulnerabilityFoundEvent.MULTIPLE_VULNERABILITY_KEY
+        )
+        if multiple_vulns is not None:
+            top_priority = multiple_vulns[0].get(priority_key, "Unknown")
+            matching = [
+                v
+                for v in multiple_vulns
+                if v.get(priority_key, "Unknown") == top_priority
+            ]
 
-      msg = '%s %s' % (len(matching), top_priority)
-      if len(matching) < len(multiple_vulns):
-        msg += ' and %s more' % (len(multiple_vulns) - len(matching))
+            msg = "%s %s" % (len(matching), top_priority)
+            if len(matching) < len(multiple_vulns):
+                msg += " and %s more" % (len(multiple_vulns) - len(matching))
 
-      msg += ' vulnerabilities were detected in repository %s in %s tags'
-      return msg % (event_data['repository'], len(event_data['tags']))
-    else:
-      msg = '%s vulnerability detected in repository %s in %s tags'
-      return msg % (event_data[vuln_key][priority_key], event_data['repository'],
-                    len(event_data['tags']))
+            msg += " vulnerabilities were detected in repository %s in %s tags"
+            return msg % (event_data["repository"], len(event_data["tags"]))
+        else:
+            msg = "%s vulnerability detected in repository %s in %s tags"
+            return msg % (
+                event_data[vuln_key][priority_key],
+                event_data["repository"],
+                len(event_data["tags"]),
+            )
 
 
 class BaseBuildEvent(NotificationEvent):
-  @classmethod
-  def event_name(cls):
-    return None
+    @classmethod
+    def event_name(cls):
+        return None
 
-  def should_perform(self, event_data, notification_data):
-    if not notification_data.event_config_dict:
-      return True
+    def should_perform(self, event_data, notification_data):
+        if not notification_data.event_config_dict:
+            return True
 
-    event_config = notification_data.event_config_dict
-    ref_regex = event_config.get('ref-regex') or None
-    if ref_regex is None:
-      return True
+        event_config = notification_data.event_config_dict
+        ref_regex = event_config.get("ref-regex") or None
+        if ref_regex is None:
+            return True
 
-    # Lookup the ref. If none, this is a non-git build and we should not fire the event.
-    ref = event_data.get('trigger_metadata', {}).get('ref', None)
-    if ref is None:
-      return False
+        # Lookup the ref. If none, this is a non-git build and we should not fire the event.
+        ref = event_data.get("trigger_metadata", {}).get("ref", None)
+        if ref is None:
+            return False
 
-    # Try parsing the regex string as a regular expression. If we fail, we fail to fire
-    # the event.
-    try:
-      return bool(re.compile(str(ref_regex)).match(ref))
-    except Exception:
-      logger.warning('Regular expression error for build event filter: %s', ref_regex)
-      return False
+        # Try parsing the regex string as a regular expression. If we fail, we fail to fire
+        # the event.
+        try:
+            return bool(re.compile(str(ref_regex)).match(ref))
+        except Exception:
+            logger.warning(
+                "Regular expression error for build event filter: %s", ref_regex
+            )
+            return False
 
 
 class BuildQueueEvent(BaseBuildEvent):
-  @classmethod
-  def event_name(cls):
-    return 'build_queued'
+    @classmethod
+    def event_name(cls):
+        return "build_queued"
 
-  def get_level(self, event_data, notification_data):
-    return 'info'
+    def get_level(self, event_data, notification_data):
+        return "info"
 
-  def get_sample_data(self, namespace_name, repo_name, event_config):
-    build_uuid = 'fake-build-id'
-    return build_repository_event_data(namespace_name, repo_name,  {
-      'is_manual': False,
-      'build_id': build_uuid,
-      'build_name': 'some-fake-build',
-      'docker_tags': ['latest', 'foo', 'bar'],
-      'trigger_id': '1245634',
-      'trigger_kind': 'GitHub',
-      'trigger_metadata': {
-        "default_branch": "master",
-        "ref": "refs/heads/somebranch",
-        "commit": "42d4a62c53350993ea41069e9f2cfdefb0df097d",
-        "commit_info": {
-          'url': 'http://path/to/the/commit',
-          'message': 'Some commit message',
-          'date': time.mktime(datetime.now().timetuple()),
-          'author': {
-            'username': 'fakeauthor',
-            'url': 'http://path/to/fake/author/in/scm',
-            'avatar_url': 'http://www.gravatar.com/avatar/fakehash'
-          }
-        }
-      }
-    }, subpage='/build/%s' % build_uuid)
+    def get_sample_data(self, namespace_name, repo_name, event_config):
+        build_uuid = "fake-build-id"
+        return build_repository_event_data(
+            namespace_name,
+            repo_name,
+            {
+                "is_manual": False,
+                "build_id": build_uuid,
+                "build_name": "some-fake-build",
+                "docker_tags": ["latest", "foo", "bar"],
+                "trigger_id": "1245634",
+                "trigger_kind": "GitHub",
+                "trigger_metadata": {
+                    "default_branch": "master",
+                    "ref": "refs/heads/somebranch",
+                    "commit": "42d4a62c53350993ea41069e9f2cfdefb0df097d",
+                    "commit_info": {
+                        "url": "http://path/to/the/commit",
+                        "message": "Some commit message",
+                        "date": time.mktime(datetime.now().timetuple()),
+                        "author": {
+                            "username": "fakeauthor",
+                            "url": "http://path/to/fake/author/in/scm",
+                            "avatar_url": "http://www.gravatar.com/avatar/fakehash",
+                        },
+                    },
+                },
+            },
+            subpage="/build/%s" % build_uuid,
+        )
 
-  def get_summary(self, event_data, notification_data):
-    return 'Build queued ' + _build_summary(event_data)
+    def get_summary(self, event_data, notification_data):
+        return "Build queued " + _build_summary(event_data)
 
 
 class BuildStartEvent(BaseBuildEvent):
-  @classmethod
-  def event_name(cls):
-    return 'build_start'
+    @classmethod
+    def event_name(cls):
+        return "build_start"
 
-  def get_level(self, event_data, notification_data):
-    return 'info'
+    def get_level(self, event_data, notification_data):
+        return "info"
 
-  def get_sample_data(self, namespace_name, repo_name, event_config):
-    build_uuid = 'fake-build-id'
-    return build_repository_event_data(namespace_name, repo_name,  {
-      'build_id': build_uuid,
-      'build_name': 'some-fake-build',
-      'docker_tags': ['latest', 'foo', 'bar'],
-      'trigger_id': '1245634',
-      'trigger_kind': 'GitHub',
-      'trigger_metadata': {
-        "default_branch": "master",
-        "ref": "refs/heads/somebranch",
-        "commit": "42d4a62c53350993ea41069e9f2cfdefb0df097d"
-      }
-    }, subpage='/build/%s' % build_uuid)
+    def get_sample_data(self, namespace_name, repo_name, event_config):
+        build_uuid = "fake-build-id"
+        return build_repository_event_data(
+            namespace_name,
+            repo_name,
+            {
+                "build_id": build_uuid,
+                "build_name": "some-fake-build",
+                "docker_tags": ["latest", "foo", "bar"],
+                "trigger_id": "1245634",
+                "trigger_kind": "GitHub",
+                "trigger_metadata": {
+                    "default_branch": "master",
+                    "ref": "refs/heads/somebranch",
+                    "commit": "42d4a62c53350993ea41069e9f2cfdefb0df097d",
+                },
+            },
+            subpage="/build/%s" % build_uuid,
+        )
 
-  def get_summary(self, event_data, notification_data):
-    return 'Build started ' + _build_summary(event_data)
+    def get_summary(self, event_data, notification_data):
+        return "Build started " + _build_summary(event_data)
 
 
 class BuildSuccessEvent(BaseBuildEvent):
-  @classmethod
-  def event_name(cls):
-    return 'build_success'
+    @classmethod
+    def event_name(cls):
+        return "build_success"
 
-  def get_level(self, event_data, notification_data):
-    return 'success'
+    def get_level(self, event_data, notification_data):
+        return "success"
 
-  def get_sample_data(self, namespace_name, repo_name, event_config):
-    build_uuid = 'fake-build-id'
-    return build_repository_event_data(namespace_name, repo_name,  {
-      'build_id': build_uuid,
-      'build_name': 'some-fake-build',
-      'docker_tags': ['latest', 'foo', 'bar'],
-      'trigger_id': '1245634',
-      'trigger_kind': 'GitHub',
-      'trigger_metadata': {
-        "default_branch": "master",
-        "ref": "refs/heads/somebranch",
-        "commit": "42d4a62c53350993ea41069e9f2cfdefb0df097d"
-      },
-      'image_id': '1245657346'
-    }, subpage='/build/%s' % build_uuid)
+    def get_sample_data(self, namespace_name, repo_name, event_config):
+        build_uuid = "fake-build-id"
+        return build_repository_event_data(
+            namespace_name,
+            repo_name,
+            {
+                "build_id": build_uuid,
+                "build_name": "some-fake-build",
+                "docker_tags": ["latest", "foo", "bar"],
+                "trigger_id": "1245634",
+                "trigger_kind": "GitHub",
+                "trigger_metadata": {
+                    "default_branch": "master",
+                    "ref": "refs/heads/somebranch",
+                    "commit": "42d4a62c53350993ea41069e9f2cfdefb0df097d",
+                },
+                "image_id": "1245657346",
+            },
+            subpage="/build/%s" % build_uuid,
+        )
 
-  def get_summary(self, event_data, notification_data):
-    return 'Build succeeded ' + _build_summary(event_data)
+    def get_summary(self, event_data, notification_data):
+        return "Build succeeded " + _build_summary(event_data)
 
 
 class BuildFailureEvent(BaseBuildEvent):
-  @classmethod
-  def event_name(cls):
-    return 'build_failure'
+    @classmethod
+    def event_name(cls):
+        return "build_failure"
 
-  def get_level(self, event_data, notification_data):
-    return 'error'
+    def get_level(self, event_data, notification_data):
+        return "error"
 
-  def get_sample_data(self, namespace_name, repo_name, event_config):
-    build_uuid = 'fake-build-id'
-    return build_repository_event_data(namespace_name, repo_name,  {
-      'build_id': build_uuid,
-      'build_name': 'some-fake-build',
-      'docker_tags': ['latest', 'foo', 'bar'],
-      'trigger_kind': 'GitHub',
-      'error_message': 'This is a fake error message',
-      'trigger_id': '1245634',
-      'trigger_kind': 'GitHub',
-      'trigger_metadata': {
-        "default_branch": "master",
-        "ref": "refs/heads/somebranch",
-        "commit": "42d4a62c53350993ea41069e9f2cfdefb0df097d",
-        "commit_info": {
-          'url': 'http://path/to/the/commit',
-          'message': 'Some commit message',
-          'date': time.mktime(datetime.now().timetuple()),
-          'author': {
-            'username': 'fakeauthor',
-            'url': 'http://path/to/fake/author/in/scm',
-            'avatar_url': 'http://www.gravatar.com/avatar/fakehash'
-          }
-        }
-      }
-    }, subpage='/build/%s' % build_uuid)
+    def get_sample_data(self, namespace_name, repo_name, event_config):
+        build_uuid = "fake-build-id"
+        return build_repository_event_data(
+            namespace_name,
+            repo_name,
+            {
+                "build_id": build_uuid,
+                "build_name": "some-fake-build",
+                "docker_tags": ["latest", "foo", "bar"],
+                "trigger_kind": "GitHub",
+                "error_message": "This is a fake error message",
+                "trigger_id": "1245634",
+                "trigger_kind": "GitHub",
+                "trigger_metadata": {
+                    "default_branch": "master",
+                    "ref": "refs/heads/somebranch",
+                    "commit": "42d4a62c53350993ea41069e9f2cfdefb0df097d",
+                    "commit_info": {
+                        "url": "http://path/to/the/commit",
+                        "message": "Some commit message",
+                        "date": time.mktime(datetime.now().timetuple()),
+                        "author": {
+                            "username": "fakeauthor",
+                            "url": "http://path/to/fake/author/in/scm",
+                            "avatar_url": "http://www.gravatar.com/avatar/fakehash",
+                        },
+                    },
+                },
+            },
+            subpage="/build/%s" % build_uuid,
+        )
 
-  def get_summary(self, event_data, notification_data):
-    return 'Build failure ' + _build_summary(event_data)
+    def get_summary(self, event_data, notification_data):
+        return "Build failure " + _build_summary(event_data)
 
 
 class BuildCancelledEvent(BaseBuildEvent):
-  @classmethod
-  def event_name(cls):
-    return 'build_cancelled'
+    @classmethod
+    def event_name(cls):
+        return "build_cancelled"
 
-  def get_level(self, event_data, notification_data):
-    return 'info'
+    def get_level(self, event_data, notification_data):
+        return "info"
 
-  def get_sample_data(self, namespace_name, repo_name, event_config):
-    build_uuid = 'fake-build-id'
-    return build_repository_event_data(namespace_name, repo_name,  {
-      'build_id': build_uuid,
-      'build_name': 'some-fake-build',
-      'docker_tags': ['latest', 'foo', 'bar'],
-      'trigger_id': '1245634',
-      'trigger_kind': 'GitHub',
-      'trigger_metadata': {
-        "default_branch": "master",
-        "ref": "refs/heads/somebranch",
-        "commit": "42d4a62c53350993ea41069e9f2cfdefb0df097d"
-      },
-      'image_id': '1245657346'
-    }, subpage='/build/%s' % build_uuid)
+    def get_sample_data(self, namespace_name, repo_name, event_config):
+        build_uuid = "fake-build-id"
+        return build_repository_event_data(
+            namespace_name,
+            repo_name,
+            {
+                "build_id": build_uuid,
+                "build_name": "some-fake-build",
+                "docker_tags": ["latest", "foo", "bar"],
+                "trigger_id": "1245634",
+                "trigger_kind": "GitHub",
+                "trigger_metadata": {
+                    "default_branch": "master",
+                    "ref": "refs/heads/somebranch",
+                    "commit": "42d4a62c53350993ea41069e9f2cfdefb0df097d",
+                },
+                "image_id": "1245657346",
+            },
+            subpage="/build/%s" % build_uuid,
+        )
 
-  def get_summary(self, event_data, notification_data):
-    return 'Build cancelled ' + _build_summary(event_data)
+    def get_summary(self, event_data, notification_data):
+        return "Build cancelled " + _build_summary(event_data)
diff --git a/notifications/notificationmethod.py b/notifications/notificationmethod.py
index 73ac9d77e..616ea99ca 100644
--- a/notifications/notificationmethod.py
+++ b/notifications/notificationmethod.py
@@ -12,423 +12,495 @@ from workers.queueworker import JobException
 
 logger = logging.getLogger(__name__)
 
-METHOD_TIMEOUT = app.config.get('NOTIFICATION_SEND_TIMEOUT', 10)  # Seconds
+METHOD_TIMEOUT = app.config.get("NOTIFICATION_SEND_TIMEOUT", 10)  # Seconds
 
 
 class InvalidNotificationMethodException(Exception):
-  pass
+    pass
 
 
 class CannotValidateNotificationMethodException(Exception):
-  pass
+    pass
 
 
 class NotificationMethodPerformException(JobException):
-  pass
+    pass
 
 
 def _ssl_cert():
-  if app.config['PREFERRED_URL_SCHEME'] == 'https':
-    return [OVERRIDE_CONFIG_DIRECTORY + f for f in SSL_FILENAMES]
+    if app.config["PREFERRED_URL_SCHEME"] == "https":
+        return [OVERRIDE_CONFIG_DIRECTORY + f for f in SSL_FILENAMES]
 
-  return None
+    return None
 
 
 class NotificationMethod(object):
-  def __init__(self):
-    pass
+    def __init__(self):
+        pass
 
-  @classmethod
-  def method_name(cls):
-    """
+    @classmethod
+    def method_name(cls):
+        """
     Particular method implemented by subclasses.
     """
-    raise NotImplementedError
+        raise NotImplementedError
 
-  def validate(self, namespace_name, repo_name, config_data):
-    """
+    def validate(self, namespace_name, repo_name, config_data):
+        """
     Validates that the notification can be created with the given data. Throws
     a CannotValidateNotificationMethodException on failure.
     """
-    raise NotImplementedError
+        raise NotImplementedError
 
-
-  def perform(self, notification_obj, event_handler, notification_data):
-    """
+    def perform(self, notification_obj, event_handler, notification_data):
+        """
     Performs the notification method.
 
     notification_obj: The notification namedtuple.
     event_handler: The NotificationEvent handler.
     notification_data: The dict of notification data placed in the queue.
     """
-    raise NotImplementedError
+        raise NotImplementedError
 
-  @classmethod
-  def get_method(cls, methodname):
-    for subc in cls.__subclasses__():
-      if subc.method_name() == methodname:
-        return subc()
+    @classmethod
+    def get_method(cls, methodname):
+        for subc in cls.__subclasses__():
+            if subc.method_name() == methodname:
+                return subc()
 
-    raise InvalidNotificationMethodException('Unable to find method: %s' % methodname)
+        raise InvalidNotificationMethodException(
+            "Unable to find method: %s" % methodname
+        )
 
 
 class QuayNotificationMethod(NotificationMethod):
-  @classmethod
-  def method_name(cls):
-    return 'quay_notification'
+    @classmethod
+    def method_name(cls):
+        return "quay_notification"
 
-  def validate(self, namespace_name, repo_name, config_data):
-    _, err_message, _ = self.find_targets(namespace_name, config_data)
-    if err_message:
-      raise CannotValidateNotificationMethodException(err_message)
+    def validate(self, namespace_name, repo_name, config_data):
+        _, err_message, _ = self.find_targets(namespace_name, config_data)
+        if err_message:
+            raise CannotValidateNotificationMethodException(err_message)
 
-  def find_targets(self, namespace_name, config_data):
-    target_info = config_data.get('target', None)
-    if not target_info or not target_info.get('kind'):
-      return (True, 'Missing target', [])
+    def find_targets(self, namespace_name, config_data):
+        target_info = config_data.get("target", None)
+        if not target_info or not target_info.get("kind"):
+            return (True, "Missing target", [])
 
-    if target_info['kind'] == 'user':
-      target = model.user.get_nonrobot_user(target_info['name'])
-      if not target:
-        # Just to be safe.
-        return (True, 'Unknown user %s' % target_info['name'], [])
+        if target_info["kind"] == "user":
+            target = model.user.get_nonrobot_user(target_info["name"])
+            if not target:
+                # Just to be safe.
+                return (True, "Unknown user %s" % target_info["name"], [])
 
-      return (True, None, [target])
-    elif target_info['kind'] == 'org':
-      try:
-        target = model.organization.get_organization(target_info['name'])
-      except model.organization.InvalidOrganizationException:
-        return (True, 'Unknown organization %s' % target_info['name'], None)
+            return (True, None, [target])
+        elif target_info["kind"] == "org":
+            try:
+                target = model.organization.get_organization(target_info["name"])
+            except model.organization.InvalidOrganizationException:
+                return (True, "Unknown organization %s" % target_info["name"], None)
 
-      # Only repositories under the organization can cause notifications to that org.
-      if target_info['name'] != namespace_name:
-        return (False, 'Organization name must match repository namespace')
+            # Only repositories under the organization can cause notifications to that org.
+            if target_info["name"] != namespace_name:
+                return (False, "Organization name must match repository namespace")
 
-      return (True, None, [target])
-    elif target_info['kind'] == 'team':
-      # Lookup the team.
-      org_team = None
-      try:
-        org_team = model.team.get_organization_team(namespace_name, target_info['name'])
-      except model.InvalidTeamException:
-        # Probably deleted.
-        return (True, 'Unknown team %s' % target_info['name'], None)
+            return (True, None, [target])
+        elif target_info["kind"] == "team":
+            # Lookup the team.
+            org_team = None
+            try:
+                org_team = model.team.get_organization_team(
+                    namespace_name, target_info["name"]
+                )
+            except model.InvalidTeamException:
+                # Probably deleted.
+                return (True, "Unknown team %s" % target_info["name"], None)
 
-      # Lookup the team's members
-      return (True, None, model.organization.get_organization_team_members(org_team.id))
+            # Lookup the team's members
+            return (
+                True,
+                None,
+                model.organization.get_organization_team_members(org_team.id),
+            )
 
-  def perform(self, notification_obj, event_handler, notification_data):
-    repository = notification_obj.repository
-    if not repository:
-      # Probably deleted.
-      return
+    def perform(self, notification_obj, event_handler, notification_data):
+        repository = notification_obj.repository
+        if not repository:
+            # Probably deleted.
+            return
 
-    # Lookup the target user or team to which we'll send the notification.
-    config_data = notification_obj.method_config_dict
-    status, err_message, target_users = self.find_targets(repository.namespace_name, config_data)
-    if not status:
-      raise NotificationMethodPerformException(err_message)
+        # Lookup the target user or team to which we'll send the notification.
+        config_data = notification_obj.method_config_dict
+        status, err_message, target_users = self.find_targets(
+            repository.namespace_name, config_data
+        )
+        if not status:
+            raise NotificationMethodPerformException(err_message)
 
-    # For each of the target users, create a notification.
-    for target_user in set(target_users or []):
-      model.notification.create_notification(event_handler.event_name(), target_user,
-                                             metadata=notification_data['event_data'])
+        # For each of the target users, create a notification.
+        for target_user in set(target_users or []):
+            model.notification.create_notification(
+                event_handler.event_name(),
+                target_user,
+                metadata=notification_data["event_data"],
+            )
 
 
 class EmailMethod(NotificationMethod):
-  @classmethod
-  def method_name(cls):
-    return 'email'
+    @classmethod
+    def method_name(cls):
+        return "email"
 
-  def validate(self, namespace_name, repo_name, config_data):
-    email = config_data.get('email', '')
-    if not email:
-      raise CannotValidateNotificationMethodException('Missing e-mail address')
+    def validate(self, namespace_name, repo_name, config_data):
+        email = config_data.get("email", "")
+        if not email:
+            raise CannotValidateNotificationMethodException("Missing e-mail address")
 
-    record = model.repository.get_email_authorized_for_repo(namespace_name, repo_name, email)
-    if not record or not record.confirmed:
-      raise CannotValidateNotificationMethodException('The specified e-mail address '
-                                                      'is not authorized to receive '
-                                                      'notifications for this repository')
+        record = model.repository.get_email_authorized_for_repo(
+            namespace_name, repo_name, email
+        )
+        if not record or not record.confirmed:
+            raise CannotValidateNotificationMethodException(
+                "The specified e-mail address "
+                "is not authorized to receive "
+                "notifications for this repository"
+            )
 
-  def perform(self, notification_obj, event_handler, notification_data):
-    config_data = notification_obj.method_config_dict
-    email = config_data.get('email', '')
-    if not email:
-      return
+    def perform(self, notification_obj, event_handler, notification_data):
+        config_data = notification_obj.method_config_dict
+        email = config_data.get("email", "")
+        if not email:
+            return
 
-    with app.app_context():
-      msg = Message(event_handler.get_summary(notification_data['event_data'], notification_data),
-                    recipients=[email])
-      msg.html = event_handler.get_message(notification_data['event_data'], notification_data)
+        with app.app_context():
+            msg = Message(
+                event_handler.get_summary(
+                    notification_data["event_data"], notification_data
+                ),
+                recipients=[email],
+            )
+            msg.html = event_handler.get_message(
+                notification_data["event_data"], notification_data
+            )
 
-      try:
-        mail.send(msg)
-      except Exception as ex:
-        logger.exception('Email was unable to be sent')
-        raise NotificationMethodPerformException(ex.message)
+            try:
+                mail.send(msg)
+            except Exception as ex:
+                logger.exception("Email was unable to be sent")
+                raise NotificationMethodPerformException(ex.message)
 
 
 class WebhookMethod(NotificationMethod):
-  @classmethod
-  def method_name(cls):
-    return 'webhook'
+    @classmethod
+    def method_name(cls):
+        return "webhook"
 
-  def validate(self, namespace_name, repo_name, config_data):
-    url = config_data.get('url', '')
-    if not url:
-      raise CannotValidateNotificationMethodException('Missing webhook URL')
+    def validate(self, namespace_name, repo_name, config_data):
+        url = config_data.get("url", "")
+        if not url:
+            raise CannotValidateNotificationMethodException("Missing webhook URL")
 
-  def perform(self, notification_obj, event_handler, notification_data):
-    config_data = notification_obj.method_config_dict
-    url = config_data.get('url', '')
-    if not url:
-      return
+    def perform(self, notification_obj, event_handler, notification_data):
+        config_data = notification_obj.method_config_dict
+        url = config_data.get("url", "")
+        if not url:
+            return
 
-    payload = notification_data['event_data']
-    headers = {'Content-type': 'application/json'}
+        payload = notification_data["event_data"]
+        headers = {"Content-type": "application/json"}
 
-    try:
-      resp = requests.post(url, data=json.dumps(payload), headers=headers, cert=_ssl_cert(),
-                           timeout=METHOD_TIMEOUT)
-      if resp.status_code / 100 != 2:
-        error_message = '%s response for webhook to url: %s' % (resp.status_code, url)
-        logger.error(error_message)
-        logger.error(resp.content)
-        raise NotificationMethodPerformException(error_message)
+        try:
+            resp = requests.post(
+                url,
+                data=json.dumps(payload),
+                headers=headers,
+                cert=_ssl_cert(),
+                timeout=METHOD_TIMEOUT,
+            )
+            if resp.status_code / 100 != 2:
+                error_message = "%s response for webhook to url: %s" % (
+                    resp.status_code,
+                    url,
+                )
+                logger.error(error_message)
+                logger.error(resp.content)
+                raise NotificationMethodPerformException(error_message)
 
-    except requests.exceptions.RequestException as ex:
-      logger.exception('Webhook was unable to be sent')
-      raise NotificationMethodPerformException(ex.message)
+        except requests.exceptions.RequestException as ex:
+            logger.exception("Webhook was unable to be sent")
+            raise NotificationMethodPerformException(ex.message)
 
 
 class FlowdockMethod(NotificationMethod):
-  """ Method for sending notifications to Flowdock via the Team Inbox API:
+    """ Method for sending notifications to Flowdock via the Team Inbox API:
       https://www.flowdock.com/api/team-inbox
   """
 
-  @classmethod
-  def method_name(cls):
-    return 'flowdock'
+    @classmethod
+    def method_name(cls):
+        return "flowdock"
 
-  def validate(self, namespace_name, repo_name, config_data):
-    token = config_data.get('flow_api_token', '')
-    if not token:
-      raise CannotValidateNotificationMethodException('Missing Flowdock API Token')
+    def validate(self, namespace_name, repo_name, config_data):
+        token = config_data.get("flow_api_token", "")
+        if not token:
+            raise CannotValidateNotificationMethodException(
+                "Missing Flowdock API Token"
+            )
 
-  def perform(self, notification_obj, event_handler, notification_data):
-    config_data = notification_obj.method_config_dict
-    token = config_data.get('flow_api_token', '')
-    if not token:
-      return
+    def perform(self, notification_obj, event_handler, notification_data):
+        config_data = notification_obj.method_config_dict
+        token = config_data.get("flow_api_token", "")
+        if not token:
+            return
 
-    owner = model.user.get_user_or_org(notification_obj.repository.namespace_name)
-    if not owner:
-      # Something went wrong.
-      return
+        owner = model.user.get_user_or_org(notification_obj.repository.namespace_name)
+        if not owner:
+            # Something went wrong.
+            return
 
-    url = 'https://api.flowdock.com/v1/messages/team_inbox/%s' % token
-    headers = {'Content-type': 'application/json'}
-    payload = {
-      'source': 'Quay',
-      'from_address': 'support@quay.io',
-      'subject': event_handler.get_summary(notification_data['event_data'], notification_data),
-      'content': event_handler.get_message(notification_data['event_data'], notification_data),
-      'from_name': owner.username,
-      'project': (notification_obj.repository.namespace_name + ' ' +
-                  notification_obj.repository.name),
-      'tags': ['#' + event_handler.event_name()],
-      'link': notification_data['event_data']['homepage']
-    }
+        url = "https://api.flowdock.com/v1/messages/team_inbox/%s" % token
+        headers = {"Content-type": "application/json"}
+        payload = {
+            "source": "Quay",
+            "from_address": "support@quay.io",
+            "subject": event_handler.get_summary(
+                notification_data["event_data"], notification_data
+            ),
+            "content": event_handler.get_message(
+                notification_data["event_data"], notification_data
+            ),
+            "from_name": owner.username,
+            "project": (
+                notification_obj.repository.namespace_name
+                + " "
+                + notification_obj.repository.name
+            ),
+            "tags": ["#" + event_handler.event_name()],
+            "link": notification_data["event_data"]["homepage"],
+        }
 
-    try:
-      resp = requests.post(url, data=json.dumps(payload), headers=headers, timeout=METHOD_TIMEOUT)
-      if resp.status_code / 100 != 2:
-        error_message = '%s response for flowdock to url: %s' % (resp.status_code, url)
-        logger.error(error_message)
-        logger.error(resp.content)
-        raise NotificationMethodPerformException(error_message)
+        try:
+            resp = requests.post(
+                url, data=json.dumps(payload), headers=headers, timeout=METHOD_TIMEOUT
+            )
+            if resp.status_code / 100 != 2:
+                error_message = "%s response for flowdock to url: %s" % (
+                    resp.status_code,
+                    url,
+                )
+                logger.error(error_message)
+                logger.error(resp.content)
+                raise NotificationMethodPerformException(error_message)
 
-    except requests.exceptions.RequestException as ex:
-      logger.exception('Flowdock method was unable to be sent')
-      raise NotificationMethodPerformException(ex.message)
+        except requests.exceptions.RequestException as ex:
+            logger.exception("Flowdock method was unable to be sent")
+            raise NotificationMethodPerformException(ex.message)
 
 
 class HipchatMethod(NotificationMethod):
-  """ Method for sending notifications to Hipchat via the API:
+    """ Method for sending notifications to Hipchat via the API:
       https://www.hipchat.com/docs/apiv2/method/send_room_notification
   """
 
-  @classmethod
-  def method_name(cls):
-    return 'hipchat'
+    @classmethod
+    def method_name(cls):
+        return "hipchat"
 
-  def validate(self, namespace_name, repo_name, config_data):
-    if not config_data.get('notification_token', ''):
-      raise CannotValidateNotificationMethodException('Missing Hipchat Room Notification Token')
+    def validate(self, namespace_name, repo_name, config_data):
+        if not config_data.get("notification_token", ""):
+            raise CannotValidateNotificationMethodException(
+                "Missing Hipchat Room Notification Token"
+            )
 
-    if not config_data.get('room_id', ''):
-      raise CannotValidateNotificationMethodException('Missing Hipchat Room ID')
+        if not config_data.get("room_id", ""):
+            raise CannotValidateNotificationMethodException("Missing Hipchat Room ID")
 
-  def perform(self, notification_obj, event_handler, notification_data):
-    config_data = notification_obj.method_config_dict
-    token = config_data.get('notification_token', '')
-    room_id = config_data.get('room_id', '')
+    def perform(self, notification_obj, event_handler, notification_data):
+        config_data = notification_obj.method_config_dict
+        token = config_data.get("notification_token", "")
+        room_id = config_data.get("room_id", "")
 
-    if not token or not room_id:
-      return
+        if not token or not room_id:
+            return
 
-    owner = model.user.get_user_or_org(notification_obj.repository.namespace_name)
-    if not owner:
-      # Something went wrong.
-      return
+        owner = model.user.get_user_or_org(notification_obj.repository.namespace_name)
+        if not owner:
+            # Something went wrong.
+            return
 
-    url = 'https://api.hipchat.com/v2/room/%s/notification?auth_token=%s' % (room_id, token)
+        url = "https://api.hipchat.com/v2/room/%s/notification?auth_token=%s" % (
+            room_id,
+            token,
+        )
 
-    level = event_handler.get_level(notification_data['event_data'], notification_data)
-    color = {
-      'info': 'gray',
-      'warning': 'yellow',
-      'error': 'red',
-      'success': 'green',
-      'primary': 'purple'
-    }.get(level, 'gray')
+        level = event_handler.get_level(
+            notification_data["event_data"], notification_data
+        )
+        color = {
+            "info": "gray",
+            "warning": "yellow",
+            "error": "red",
+            "success": "green",
+            "primary": "purple",
+        }.get(level, "gray")
 
-    headers = {'Content-type': 'application/json'}
-    payload = {
-      'color': color,
-      'message': event_handler.get_message(notification_data['event_data'], notification_data),
-      'notify': level == 'error',
-      'message_format': 'html',
-    }
+        headers = {"Content-type": "application/json"}
+        payload = {
+            "color": color,
+            "message": event_handler.get_message(
+                notification_data["event_data"], notification_data
+            ),
+            "notify": level == "error",
+            "message_format": "html",
+        }
 
-    try:
-      resp = requests.post(url, data=json.dumps(payload), headers=headers, timeout=METHOD_TIMEOUT)
-      if resp.status_code / 100 != 2:
-        error_message = '%s response for hipchat to url: %s' % (resp.status_code, url)
-        logger.error(error_message)
-        logger.error(resp.content)
-        raise NotificationMethodPerformException(error_message)
+        try:
+            resp = requests.post(
+                url, data=json.dumps(payload), headers=headers, timeout=METHOD_TIMEOUT
+            )
+            if resp.status_code / 100 != 2:
+                error_message = "%s response for hipchat to url: %s" % (
+                    resp.status_code,
+                    url,
+                )
+                logger.error(error_message)
+                logger.error(resp.content)
+                raise NotificationMethodPerformException(error_message)
 
-    except requests.exceptions.RequestException as ex:
-      logger.exception('Hipchat method was unable to be sent')
-      raise NotificationMethodPerformException(ex.message)
+        except requests.exceptions.RequestException as ex:
+            logger.exception("Hipchat method was unable to be sent")
+            raise NotificationMethodPerformException(ex.message)
 
 
 from HTMLParser import HTMLParser
 
 
 class SlackAdjuster(HTMLParser):
-  def __init__(self):
-    self.reset()
-    self.result = []
+    def __init__(self):
+        self.reset()
+        self.result = []
 
-  def handle_data(self, d):
-    self.result.append(d)
+    def handle_data(self, d):
+        self.result.append(d)
 
-  def get_attr(self, attrs, name):
-    for attr in attrs:
-      if attr[0] == name:
-        return attr[1]
+    def get_attr(self, attrs, name):
+        for attr in attrs:
+            if attr[0] == name:
+                return attr[1]
 
-    return ''
+        return ""
 
-  def handle_starttag(self, tag, attrs):
-    if tag == 'a':
-      self.result.append('<%s|' % (self.get_attr(attrs, 'href'),))
+    def handle_starttag(self, tag, attrs):
+        if tag == "a":
+            self.result.append("<%s|" % (self.get_attr(attrs, "href"),))
 
-    if tag == 'i':
-      self.result.append('_')
+        if tag == "i":
+            self.result.append("_")
 
-    if tag == 'b' or tag == 'strong':
-      self.result.append('*')
+        if tag == "b" or tag == "strong":
+            self.result.append("*")
 
-    if tag == 'img':
-      self.result.append('')
+        if tag == "img":
+            self.result.append("")
 
-  def handle_endtag(self, tag):
-    if tag == 'a':
-      self.result.append('>')
+    def handle_endtag(self, tag):
+        if tag == "a":
+            self.result.append(">")
 
-    if tag == 'b' or tag == 'strong':
-      self.result.append('*')
+        if tag == "b" or tag == "strong":
+            self.result.append("*")
 
-    if tag == 'i':
-      self.result.append('_')
+        if tag == "i":
+            self.result.append("_")
 
-  def get_data(self):
-    return ''.join(self.result)
+    def get_data(self):
+        return "".join(self.result)
 
 
 def adjust_tags(html):
-  s = SlackAdjuster()
-  s.feed(html)
-  return s.get_data()
+    s = SlackAdjuster()
+    s.feed(html)
+    return s.get_data()
 
 
 class SlackMethod(NotificationMethod):
-  """ Method for sending notifications to Slack via the API:
+    """ Method for sending notifications to Slack via the API:
       https://api.slack.com/docs/attachments
   """
-  @classmethod
-  def method_name(cls):
-    return 'slack'
 
-  def validate(self, namespace_name, repo_name, config_data):
-    if not config_data.get('url', ''):
-      raise CannotValidateNotificationMethodException('Missing Slack Callback URL')
+    @classmethod
+    def method_name(cls):
+        return "slack"
 
-  def format_for_slack(self, message):
-    message = message.replace('\n', '')
-    message = re.sub(r'\s+', ' ', message)
-    message = message.replace('<br>', '\n')
-    return adjust_tags(message)
+    def validate(self, namespace_name, repo_name, config_data):
+        if not config_data.get("url", ""):
+            raise CannotValidateNotificationMethodException(
+                "Missing Slack Callback URL"
+            )
 
-  def perform(self, notification_obj, event_handler, notification_data):
-    config_data = notification_obj.method_config_dict
-    url = config_data.get('url', '')
-    if not url:
-      return
+    def format_for_slack(self, message):
+        message = message.replace("\n", "")
+        message = re.sub(r"\s+", " ", message)
+        message = message.replace("<br>", "\n")
+        return adjust_tags(message)
 
-    owner = model.user.get_user_or_org(notification_obj.repository.namespace_name)
-    if not owner:
-      # Something went wrong.
-      return
+    def perform(self, notification_obj, event_handler, notification_data):
+        config_data = notification_obj.method_config_dict
+        url = config_data.get("url", "")
+        if not url:
+            return
 
-    level = event_handler.get_level(notification_data['event_data'], notification_data)
-    color = {
-      'info': '#ffffff',
-      'warning': 'warning',
-      'error': 'danger',
-      'success': 'good',
-      'primary': 'good'
-    }.get(level, '#ffffff')
+        owner = model.user.get_user_or_org(notification_obj.repository.namespace_name)
+        if not owner:
+            # Something went wrong.
+            return
 
-    summary = event_handler.get_summary(notification_data['event_data'], notification_data)
-    message = event_handler.get_message(notification_data['event_data'], notification_data)
+        level = event_handler.get_level(
+            notification_data["event_data"], notification_data
+        )
+        color = {
+            "info": "#ffffff",
+            "warning": "warning",
+            "error": "danger",
+            "success": "good",
+            "primary": "good",
+        }.get(level, "#ffffff")
 
-    headers = {'Content-type': 'application/json'}
-    payload = {
-      'text': summary,
-      'username': 'quayiobot',
-      'attachments': [
-        {
-          'fallback': summary,
-          'text': self.format_for_slack(message),
-          'color': color,
-          'mrkdwn_in': ["text"]
+        summary = event_handler.get_summary(
+            notification_data["event_data"], notification_data
+        )
+        message = event_handler.get_message(
+            notification_data["event_data"], notification_data
+        )
+
+        headers = {"Content-type": "application/json"}
+        payload = {
+            "text": summary,
+            "username": "quayiobot",
+            "attachments": [
+                {
+                    "fallback": summary,
+                    "text": self.format_for_slack(message),
+                    "color": color,
+                    "mrkdwn_in": ["text"],
+                }
+            ],
         }
-      ]
-    }
 
-    try:
-      resp = requests.post(url, data=json.dumps(payload), headers=headers, timeout=METHOD_TIMEOUT)
-      if resp.status_code / 100 != 2:
-        error_message = '%s response for Slack to url: %s' % (resp.status_code, url)
-        logger.error(error_message)
-        logger.error(resp.content)
-        raise NotificationMethodPerformException(error_message)
+        try:
+            resp = requests.post(
+                url, data=json.dumps(payload), headers=headers, timeout=METHOD_TIMEOUT
+            )
+            if resp.status_code / 100 != 2:
+                error_message = "%s response for Slack to url: %s" % (
+                    resp.status_code,
+                    url,
+                )
+                logger.error(error_message)
+                logger.error(resp.content)
+                raise NotificationMethodPerformException(error_message)
 
-    except requests.exceptions.RequestException as ex:
-      logger.exception('Slack method was unable to be sent: %s', ex.message)
-      raise NotificationMethodPerformException(ex.message)
+        except requests.exceptions.RequestException as ex:
+            logger.exception("Slack method was unable to be sent: %s", ex.message)
+            raise NotificationMethodPerformException(ex.message)
diff --git a/notifications/test/test_notificationevent.py b/notifications/test/test_notificationevent.py
index a3d533820..301ab3bb7 100644
--- a/notifications/test/test_notificationevent.py
+++ b/notifications/test/test_notificationevent.py
@@ -1,189 +1,159 @@
 import pytest
 
-from notifications.notificationevent import (BuildSuccessEvent, NotificationEvent,
-                                             VulnerabilityFoundEvent)
+from notifications.notificationevent import (
+    BuildSuccessEvent,
+    NotificationEvent,
+    VulnerabilityFoundEvent,
+)
 from util.morecollections import AttrDict
 
 from test.fixtures import *
 
 
-@pytest.mark.parametrize('event_kind', NotificationEvent.event_names())
+@pytest.mark.parametrize("event_kind", NotificationEvent.event_names())
 def test_create_notifications(event_kind):
-  assert NotificationEvent.get_event(event_kind) is not None
+    assert NotificationEvent.get_event(event_kind) is not None
 
 
-@pytest.mark.parametrize('event_name', NotificationEvent.event_names())
+@pytest.mark.parametrize("event_name", NotificationEvent.event_names())
 def test_build_notification(event_name, initialized_db):
-  # Create the notification event.
-  found = NotificationEvent.get_event(event_name)
-  sample_data = found.get_sample_data('foo', 'bar', {'level': 'low'})
+    # Create the notification event.
+    found = NotificationEvent.get_event(event_name)
+    sample_data = found.get_sample_data("foo", "bar", {"level": "low"})
 
-  # Make sure all calls succeed.
-  notification_data = {
-    'performer_data': {},
-  }
+    # Make sure all calls succeed.
+    notification_data = {"performer_data": {}}
 
-  found.get_level(sample_data, notification_data)
-  found.get_summary(sample_data, notification_data)
-  found.get_message(sample_data, notification_data)
+    found.get_level(sample_data, notification_data)
+    found.get_summary(sample_data, notification_data)
+    found.get_message(sample_data, notification_data)
 
 
 def test_build_emptyjson():
-  notification_data = AttrDict({
-    'event_config_dict': None,
-  })
+    notification_data = AttrDict({"event_config_dict": None})
+
+    # No build data at all.
+    assert BuildSuccessEvent().should_perform({}, notification_data)
 
-  # No build data at all.
-  assert BuildSuccessEvent().should_perform({}, notification_data)
 
 def test_build_nofilter():
-  notification_data = AttrDict({
-    'event_config_dict': {},
-  })
+    notification_data = AttrDict({"event_config_dict": {}})
 
-  # No build data at all.
-  assert BuildSuccessEvent().should_perform({}, notification_data)
+    # No build data at all.
+    assert BuildSuccessEvent().should_perform({}, notification_data)
 
-  # With trigger metadata but no ref.
-  assert BuildSuccessEvent().should_perform({
-    'trigger_metadata': {},
-  }, notification_data)
+    # With trigger metadata but no ref.
+    assert BuildSuccessEvent().should_perform(
+        {"trigger_metadata": {}}, notification_data
+    )
 
-  # With trigger metadata and a ref.
-  assert BuildSuccessEvent().should_perform({
-    'trigger_metadata': {
-      'ref': 'refs/heads/somebranch',
-    },
-  }, notification_data)
+    # With trigger metadata and a ref.
+    assert BuildSuccessEvent().should_perform(
+        {"trigger_metadata": {"ref": "refs/heads/somebranch"}}, notification_data
+    )
 
 
 def test_build_emptyfilter():
-  notification_data = AttrDict({
-    'event_config_dict': {"ref-regex": ""},
-  })
+    notification_data = AttrDict({"event_config_dict": {"ref-regex": ""}})
 
-  # No build data at all.
-  assert BuildSuccessEvent().should_perform({}, notification_data)
+    # No build data at all.
+    assert BuildSuccessEvent().should_perform({}, notification_data)
 
-  # With trigger metadata but no ref.
-  assert BuildSuccessEvent().should_perform({
-    'trigger_metadata': {},
-  }, notification_data)
+    # With trigger metadata but no ref.
+    assert BuildSuccessEvent().should_perform(
+        {"trigger_metadata": {}}, notification_data
+    )
 
-  # With trigger metadata and a ref.
-  assert BuildSuccessEvent().should_perform({
-    'trigger_metadata': {
-      'ref': 'refs/heads/somebranch',
-    },
-  }, notification_data)
+    # With trigger metadata and a ref.
+    assert BuildSuccessEvent().should_perform(
+        {"trigger_metadata": {"ref": "refs/heads/somebranch"}}, notification_data
+    )
 
 
 def test_build_invalidfilter():
-  notification_data = AttrDict({
-    'event_config_dict': {"ref-regex": "]["},
-  })
+    notification_data = AttrDict({"event_config_dict": {"ref-regex": "]["}})
 
-  # No build data at all.
-  assert not BuildSuccessEvent().should_perform({}, notification_data)
+    # No build data at all.
+    assert not BuildSuccessEvent().should_perform({}, notification_data)
 
-  # With trigger metadata but no ref.
-  assert not BuildSuccessEvent().should_perform({
-    'trigger_metadata': {},
-  }, notification_data)
+    # With trigger metadata but no ref.
+    assert not BuildSuccessEvent().should_perform(
+        {"trigger_metadata": {}}, notification_data
+    )
 
-  # With trigger metadata and a ref.
-  assert not BuildSuccessEvent().should_perform({
-    'trigger_metadata': {
-      'ref': 'refs/heads/somebranch',
-    },
-  }, notification_data)
+    # With trigger metadata and a ref.
+    assert not BuildSuccessEvent().should_perform(
+        {"trigger_metadata": {"ref": "refs/heads/somebranch"}}, notification_data
+    )
 
 
 def test_build_withfilter():
-  notification_data = AttrDict({
-    'event_config_dict': {"ref-regex": "refs/heads/master"},
-  })
+    notification_data = AttrDict(
+        {"event_config_dict": {"ref-regex": "refs/heads/master"}}
+    )
 
-  # No build data at all.
-  assert not BuildSuccessEvent().should_perform({}, notification_data)
+    # No build data at all.
+    assert not BuildSuccessEvent().should_perform({}, notification_data)
 
-  # With trigger metadata but no ref.
-  assert not BuildSuccessEvent().should_perform({
-    'trigger_metadata': {},
-  }, notification_data)
+    # With trigger metadata but no ref.
+    assert not BuildSuccessEvent().should_perform(
+        {"trigger_metadata": {}}, notification_data
+    )
 
-  # With trigger metadata and a not-matching ref.
-  assert not BuildSuccessEvent().should_perform({
-    'trigger_metadata': {
-      'ref': 'refs/heads/somebranch',
-    },
-  }, notification_data)
+    # With trigger metadata and a not-matching ref.
+    assert not BuildSuccessEvent().should_perform(
+        {"trigger_metadata": {"ref": "refs/heads/somebranch"}}, notification_data
+    )
 
-  # With trigger metadata and a matching ref.
-  assert BuildSuccessEvent().should_perform({
-    'trigger_metadata': {
-      'ref': 'refs/heads/master',
-    },
-  }, notification_data)
+    # With trigger metadata and a matching ref.
+    assert BuildSuccessEvent().should_perform(
+        {"trigger_metadata": {"ref": "refs/heads/master"}}, notification_data
+    )
 
 
 def test_build_withwildcardfilter():
-  notification_data = AttrDict({
-    'event_config_dict': {"ref-regex": "refs/heads/.+"},
-  })
+    notification_data = AttrDict({"event_config_dict": {"ref-regex": "refs/heads/.+"}})
 
-  # No build data at all.
-  assert not BuildSuccessEvent().should_perform({}, notification_data)
+    # No build data at all.
+    assert not BuildSuccessEvent().should_perform({}, notification_data)
 
-  # With trigger metadata but no ref.
-  assert not BuildSuccessEvent().should_perform({
-    'trigger_metadata': {},
-  }, notification_data)
+    # With trigger metadata but no ref.
+    assert not BuildSuccessEvent().should_perform(
+        {"trigger_metadata": {}}, notification_data
+    )
 
-  # With trigger metadata and a not-matching ref.
-  assert not BuildSuccessEvent().should_perform({
-    'trigger_metadata': {
-      'ref': 'refs/tags/sometag',
-    },
-  }, notification_data)
+    # With trigger metadata and a not-matching ref.
+    assert not BuildSuccessEvent().should_perform(
+        {"trigger_metadata": {"ref": "refs/tags/sometag"}}, notification_data
+    )
 
-  # With trigger metadata and a matching ref.
-  assert BuildSuccessEvent().should_perform({
-    'trigger_metadata': {
-      'ref': 'refs/heads/master',
-    },
-  }, notification_data)
+    # With trigger metadata and a matching ref.
+    assert BuildSuccessEvent().should_perform(
+        {"trigger_metadata": {"ref": "refs/heads/master"}}, notification_data
+    )
 
-  # With trigger metadata and another matching ref.
-  assert BuildSuccessEvent().should_perform({
-    'trigger_metadata': {
-      'ref': 'refs/heads/somebranch',
-    },
-  }, notification_data)
+    # With trigger metadata and another matching ref.
+    assert BuildSuccessEvent().should_perform(
+        {"trigger_metadata": {"ref": "refs/heads/somebranch"}}, notification_data
+    )
 
 
 def test_vulnerability_notification_nolevel():
-  notification_data = AttrDict({
-    'event_config_dict': {},
-  })
+    notification_data = AttrDict({"event_config_dict": {}})
 
-  # No level specified.
-  assert VulnerabilityFoundEvent().should_perform({}, notification_data)
+    # No level specified.
+    assert VulnerabilityFoundEvent().should_perform({}, notification_data)
 
 
 def test_vulnerability_notification_nopvulninfo():
-  notification_data = AttrDict({
-    'event_config_dict': {"level": 3},
-  })
+    notification_data = AttrDict({"event_config_dict": {"level": 3}})
 
-  # No vuln info.
-  assert not VulnerabilityFoundEvent().should_perform({}, notification_data)
+    # No vuln info.
+    assert not VulnerabilityFoundEvent().should_perform({}, notification_data)
 
 
 def test_vulnerability_notification_normal():
-  notification_data = AttrDict({
-    'event_config_dict': {"level": 3},
-  })
+    notification_data = AttrDict({"event_config_dict": {"level": 3}})
 
-  info = {"vulnerability": {"priority": "Critical"}}
-  assert VulnerabilityFoundEvent().should_perform(info, notification_data)
+    info = {"vulnerability": {"priority": "Critical"}}
+    assert VulnerabilityFoundEvent().should_perform(info, notification_data)
diff --git a/notifications/test/test_notificationmethod.py b/notifications/test/test_notificationmethod.py
index bde33e574..94f3779fb 100644
--- a/notifications/test/test_notificationmethod.py
+++ b/notifications/test/test_notificationmethod.py
@@ -4,153 +4,222 @@ from mock import patch, Mock
 from httmock import urlmatch, HTTMock
 
 from data import model
-from notifications.notificationmethod import (QuayNotificationMethod, EmailMethod, WebhookMethod,
-                                              FlowdockMethod, HipchatMethod, SlackMethod,
-                                              CannotValidateNotificationMethodException)
+from notifications.notificationmethod import (
+    QuayNotificationMethod,
+    EmailMethod,
+    WebhookMethod,
+    FlowdockMethod,
+    HipchatMethod,
+    SlackMethod,
+    CannotValidateNotificationMethodException,
+)
 from notifications.notificationevent import NotificationEvent
 from notifications.models_interface import Repository, Notification
 
 from test.fixtures import *
 
+
 def assert_validated(method, method_config, error_message, namespace_name, repo_name):
-  if error_message is None:
-    method.validate(namespace_name, repo_name, method_config)
-  else:
-    with pytest.raises(CannotValidateNotificationMethodException) as ipe:
-      method.validate(namespace_name, repo_name, method_config)
-    assert str(ipe.value) == error_message
+    if error_message is None:
+        method.validate(namespace_name, repo_name, method_config)
+    else:
+        with pytest.raises(CannotValidateNotificationMethodException) as ipe:
+            method.validate(namespace_name, repo_name, method_config)
+        assert str(ipe.value) == error_message
 
 
-@pytest.mark.parametrize('method_config,error_message', [
-  ({}, 'Missing target'),
-  ({'target': {'name': 'invaliduser', 'kind': 'user'}}, 'Unknown user invaliduser'),
-  ({'target': {'name': 'invalidorg', 'kind': 'org'}}, 'Unknown organization invalidorg'),
-  ({'target': {'name': 'invalidteam', 'kind': 'team'}}, 'Unknown team invalidteam'),
-
-  ({'target': {'name': 'devtable', 'kind': 'user'}}, None),
-  ({'target': {'name': 'buynlarge', 'kind': 'org'}}, None),
-  ({'target': {'name': 'owners', 'kind': 'team'}}, None),
-])
+@pytest.mark.parametrize(
+    "method_config,error_message",
+    [
+        ({}, "Missing target"),
+        (
+            {"target": {"name": "invaliduser", "kind": "user"}},
+            "Unknown user invaliduser",
+        ),
+        (
+            {"target": {"name": "invalidorg", "kind": "org"}},
+            "Unknown organization invalidorg",
+        ),
+        (
+            {"target": {"name": "invalidteam", "kind": "team"}},
+            "Unknown team invalidteam",
+        ),
+        ({"target": {"name": "devtable", "kind": "user"}}, None),
+        ({"target": {"name": "buynlarge", "kind": "org"}}, None),
+        ({"target": {"name": "owners", "kind": "team"}}, None),
+    ],
+)
 def test_validate_quay_notification(method_config, error_message, initialized_db):
-  method = QuayNotificationMethod()
-  assert_validated(method, method_config, error_message, 'buynlarge', 'orgrepo')
+    method = QuayNotificationMethod()
+    assert_validated(method, method_config, error_message, "buynlarge", "orgrepo")
 
 
-@pytest.mark.parametrize('method_config,error_message', [
-  ({}, 'Missing e-mail address'),
-  ({'email': 'a@b.com'}, 'The specified e-mail address is not authorized to receive '
-                         'notifications for this repository'),
-
-  ({'email': 'jschorr@devtable.com'}, None),
-])
+@pytest.mark.parametrize(
+    "method_config,error_message",
+    [
+        ({}, "Missing e-mail address"),
+        (
+            {"email": "a@b.com"},
+            "The specified e-mail address is not authorized to receive "
+            "notifications for this repository",
+        ),
+        ({"email": "jschorr@devtable.com"}, None),
+    ],
+)
 def test_validate_email(method_config, error_message, initialized_db):
-  method = EmailMethod()
-  assert_validated(method, method_config, error_message, 'devtable', 'simple')
+    method = EmailMethod()
+    assert_validated(method, method_config, error_message, "devtable", "simple")
 
 
-@pytest.mark.parametrize('method_config,error_message', [
-  ({}, 'Missing webhook URL'),
-  ({'url': 'http://example.com'}, None),
-])
+@pytest.mark.parametrize(
+    "method_config,error_message",
+    [({}, "Missing webhook URL"), ({"url": "http://example.com"}, None)],
+)
 def test_validate_webhook(method_config, error_message, initialized_db):
-  method = WebhookMethod()
-  assert_validated(method, method_config, error_message, 'devtable', 'simple')
+    method = WebhookMethod()
+    assert_validated(method, method_config, error_message, "devtable", "simple")
 
 
-@pytest.mark.parametrize('method_config,error_message', [
-  ({}, 'Missing Flowdock API Token'),
-  ({'flow_api_token': 'sometoken'}, None),
-])
+@pytest.mark.parametrize(
+    "method_config,error_message",
+    [({}, "Missing Flowdock API Token"), ({"flow_api_token": "sometoken"}, None)],
+)
 def test_validate_flowdock(method_config, error_message, initialized_db):
-  method = FlowdockMethod()
-  assert_validated(method, method_config, error_message, 'devtable', 'simple')
+    method = FlowdockMethod()
+    assert_validated(method, method_config, error_message, "devtable", "simple")
 
 
-@pytest.mark.parametrize('method_config,error_message', [
-  ({}, 'Missing Hipchat Room Notification Token'),
-  ({'notification_token': 'sometoken'}, 'Missing Hipchat Room ID'),
-  ({'notification_token': 'sometoken', 'room_id': 'foo'}, None),
-])
+@pytest.mark.parametrize(
+    "method_config,error_message",
+    [
+        ({}, "Missing Hipchat Room Notification Token"),
+        ({"notification_token": "sometoken"}, "Missing Hipchat Room ID"),
+        ({"notification_token": "sometoken", "room_id": "foo"}, None),
+    ],
+)
 def test_validate_hipchat(method_config, error_message, initialized_db):
-  method = HipchatMethod()
-  assert_validated(method, method_config, error_message, 'devtable', 'simple')
+    method = HipchatMethod()
+    assert_validated(method, method_config, error_message, "devtable", "simple")
 
 
-@pytest.mark.parametrize('method_config,error_message', [
-  ({}, 'Missing Slack Callback URL'),
-  ({'url': 'http://example.com'}, None),
-])
+@pytest.mark.parametrize(
+    "method_config,error_message",
+    [({}, "Missing Slack Callback URL"), ({"url": "http://example.com"}, None)],
+)
 def test_validate_slack(method_config, error_message, initialized_db):
-  method = SlackMethod()
-  assert_validated(method, method_config, error_message, 'devtable', 'simple')
+    method = SlackMethod()
+    assert_validated(method, method_config, error_message, "devtable", "simple")
 
 
-@pytest.mark.parametrize('target,expected_users', [
-  ({'name': 'devtable', 'kind': 'user'}, ['devtable']),
-  ({'name': 'buynlarge', 'kind': 'org'}, ['buynlarge']),
-  ({'name': 'creators', 'kind': 'team'}, ['creator']),
-])
+@pytest.mark.parametrize(
+    "target,expected_users",
+    [
+        ({"name": "devtable", "kind": "user"}, ["devtable"]),
+        ({"name": "buynlarge", "kind": "org"}, ["buynlarge"]),
+        ({"name": "creators", "kind": "team"}, ["creator"]),
+    ],
+)
 def test_perform_quay_notification(target, expected_users, initialized_db):
-  repository = Repository('buynlarge', 'orgrepo')
-  notification = Notification(uuid='fake', event_name='repo_push', method_name='quay',
-                              event_config_dict={}, method_config_dict={'target': target},
-                              repository=repository)
+    repository = Repository("buynlarge", "orgrepo")
+    notification = Notification(
+        uuid="fake",
+        event_name="repo_push",
+        method_name="quay",
+        event_config_dict={},
+        method_config_dict={"target": target},
+        repository=repository,
+    )
 
-  event_handler = NotificationEvent.get_event('repo_push')
+    event_handler = NotificationEvent.get_event("repo_push")
 
-  sample_data = event_handler.get_sample_data(repository.namespace_name, repository.name, {})
+    sample_data = event_handler.get_sample_data(
+        repository.namespace_name, repository.name, {}
+    )
 
-  method = QuayNotificationMethod()
-  method.perform(notification, event_handler, {'event_data': sample_data})
+    method = QuayNotificationMethod()
+    method.perform(notification, event_handler, {"event_data": sample_data})
 
-  # Ensure that the notification was written for all the expected users.
-  if target['kind'] != 'team':
-    user = model.user.get_namespace_user(target['name'])
-    assert len(model.notification.list_notifications(user, kind_name='repo_push')) > 0
+    # Ensure that the notification was written for all the expected users.
+    if target["kind"] != "team":
+        user = model.user.get_namespace_user(target["name"])
+        assert (
+            len(model.notification.list_notifications(user, kind_name="repo_push")) > 0
+        )
 
 
 def test_perform_email(initialized_db):
-  repository = Repository('buynlarge', 'orgrepo')
-  notification = Notification(uuid='fake', event_name='repo_push', method_name='email',
-                              event_config_dict={}, method_config_dict={'email': 'test@example.com'},
-                              repository=repository)
+    repository = Repository("buynlarge", "orgrepo")
+    notification = Notification(
+        uuid="fake",
+        event_name="repo_push",
+        method_name="email",
+        event_config_dict={},
+        method_config_dict={"email": "test@example.com"},
+        repository=repository,
+    )
 
-  event_handler = NotificationEvent.get_event('repo_push')
-  sample_data = event_handler.get_sample_data(repository.namespace_name, repository.name, {})
+    event_handler = NotificationEvent.get_event("repo_push")
+    sample_data = event_handler.get_sample_data(
+        repository.namespace_name, repository.name, {}
+    )
 
-  mock = Mock()
-  def get_mock(*args, **kwargs):
-    return mock
+    mock = Mock()
 
-  with patch('notifications.notificationmethod.Message', get_mock):
-    method = EmailMethod()
-    method.perform(notification, event_handler, {'event_data': sample_data, 'performer_data': {}})
+    def get_mock(*args, **kwargs):
+        return mock
 
-  mock.send.assert_called_once()
+    with patch("notifications.notificationmethod.Message", get_mock):
+        method = EmailMethod()
+        method.perform(
+            notification,
+            event_handler,
+            {"event_data": sample_data, "performer_data": {}},
+        )
+
+    mock.send.assert_called_once()
 
 
-@pytest.mark.parametrize('method, method_config, netloc', [
-  (WebhookMethod, {'url': 'http://testurl'}, 'testurl'),
-  (FlowdockMethod, {'flow_api_token': 'token'}, 'api.flowdock.com'),
-  (HipchatMethod, {'notification_token': 'token', 'room_id': 'foo'}, 'api.hipchat.com'),
-  (SlackMethod, {'url': 'http://example.com'}, 'example.com'),
-])
+@pytest.mark.parametrize(
+    "method, method_config, netloc",
+    [
+        (WebhookMethod, {"url": "http://testurl"}, "testurl"),
+        (FlowdockMethod, {"flow_api_token": "token"}, "api.flowdock.com"),
+        (
+            HipchatMethod,
+            {"notification_token": "token", "room_id": "foo"},
+            "api.hipchat.com",
+        ),
+        (SlackMethod, {"url": "http://example.com"}, "example.com"),
+    ],
+)
 def test_perform_http_call(method, method_config, netloc, initialized_db):
-  repository = Repository('buynlarge', 'orgrepo')
-  notification = Notification(uuid='fake', event_name='repo_push', method_name=method.method_name(),
-                              event_config_dict={}, method_config_dict=method_config,
-                              repository=repository)
+    repository = Repository("buynlarge", "orgrepo")
+    notification = Notification(
+        uuid="fake",
+        event_name="repo_push",
+        method_name=method.method_name(),
+        event_config_dict={},
+        method_config_dict=method_config,
+        repository=repository,
+    )
 
-  event_handler = NotificationEvent.get_event('repo_push')
-  sample_data = event_handler.get_sample_data(repository.namespace_name, repository.name, {})
+    event_handler = NotificationEvent.get_event("repo_push")
+    sample_data = event_handler.get_sample_data(
+        repository.namespace_name, repository.name, {}
+    )
 
-  url_hit = [False]
-  @urlmatch(netloc=netloc)
-  def url_handler(_, __):
-    url_hit[0] = True
-    return ''
+    url_hit = [False]
 
-  with HTTMock(url_handler):
-    method().perform(notification, event_handler, {'event_data': sample_data, 'performer_data': {}})
+    @urlmatch(netloc=netloc)
+    def url_handler(_, __):
+        url_hit[0] = True
+        return ""
 
-  assert url_hit[0]
+    with HTTMock(url_handler):
+        method().perform(
+            notification,
+            event_handler,
+            {"event_data": sample_data, "performer_data": {}},
+        )
+
+    assert url_hit[0]
diff --git a/oauth/base.py b/oauth/base.py
index 2ed0af706..8c23f5946 100644
--- a/oauth/base.py
+++ b/oauth/base.py
@@ -12,83 +12,89 @@ logger = logging.getLogger(__name__)
 
 
 class OAuthEndpoint(object):
-  def __init__(self, base_url, params=None):
-    self.base_url = base_url
-    self.params = params or {}
+    def __init__(self, base_url, params=None):
+        self.base_url = base_url
+        self.params = params or {}
 
-  def with_param(self, name, value):
-    params_copy = copy.copy(self.params)
-    params_copy[name] = value
-    return OAuthEndpoint(self.base_url, params_copy)
+    def with_param(self, name, value):
+        params_copy = copy.copy(self.params)
+        params_copy[name] = value
+        return OAuthEndpoint(self.base_url, params_copy)
+
+    def with_params(self, parameters):
+        params_copy = copy.copy(self.params)
+        params_copy.update(parameters)
+        return OAuthEndpoint(self.base_url, params_copy)
+
+    def to_url(self):
+        (scheme, netloc, path, _, fragment) = urlparse.urlsplit(self.base_url)
+        updated_query = urllib.urlencode(self.params)
+        return urlparse.urlunsplit((scheme, netloc, path, updated_query, fragment))
 
-  def with_params(self, parameters):
-    params_copy = copy.copy(self.params)
-    params_copy.update(parameters)
-    return OAuthEndpoint(self.base_url, params_copy)
-    
-  def to_url(self):
-    (scheme, netloc, path, _, fragment) = urlparse.urlsplit(self.base_url)
-    updated_query = urllib.urlencode(self.params)
-    return urlparse.urlunsplit((scheme, netloc, path, updated_query, fragment))
 
 class OAuthExchangeCodeException(Exception):
-  """ Exception raised if a code exchange fails. """
-  pass
+    """ Exception raised if a code exchange fails. """
+
+    pass
+
 
 class OAuthGetUserInfoException(Exception):
-  """ Exception raised if a call to get user information fails. """
-  pass
+    """ Exception raised if a call to get user information fails. """
+
+    pass
+
 
 @add_metaclass(ABCMeta)
 class OAuthService(object):
-  """ A base class for defining an external service, exposed via OAuth. """
-  def __init__(self, config, key_name):
-    self.key_name = key_name
-    self.config = config.get(key_name) or {}
+    """ A base class for defining an external service, exposed via OAuth. """
 
-  @abstractmethod
-  def service_id(self):
-    """ The internal ID for this service. Must match the URL portion for the service, e.g. `github`
+    def __init__(self, config, key_name):
+        self.key_name = key_name
+        self.config = config.get(key_name) or {}
+
+    @abstractmethod
+    def service_id(self):
+        """ The internal ID for this service. Must match the URL portion for the service, e.g. `github`
     """
-    pass
+        pass
 
-  @abstractmethod
-  def service_name(self):
-    """ The user-readable name for the service, e.g. `GitHub`"""
-    pass
+    @abstractmethod
+    def service_name(self):
+        """ The user-readable name for the service, e.g. `GitHub`"""
+        pass
 
-  @abstractmethod
-  def token_endpoint(self):
-    """ Returns the endpoint at which the OAuth code can be exchanged for a token. """
-    pass
+    @abstractmethod
+    def token_endpoint(self):
+        """ Returns the endpoint at which the OAuth code can be exchanged for a token. """
+        pass
 
-  @abstractmethod
-  def user_endpoint(self):
-    """ Returns the endpoint at which user information can be looked up. """
-    pass
+    @abstractmethod
+    def user_endpoint(self):
+        """ Returns the endpoint at which user information can be looked up. """
+        pass
 
-  @abstractmethod
-  def authorize_endpoint(self):
-    """ Returns the for authorization of the OAuth service. """
-    pass
+    @abstractmethod
+    def authorize_endpoint(self):
+        """ Returns the for authorization of the OAuth service. """
+        pass
 
-  @abstractmethod
-  def validate_client_id_and_secret(self, http_client, url_scheme_and_hostname):
-    """ Performs validation of the client ID and secret, raising an exception on failure. """
-    pass
+    @abstractmethod
+    def validate_client_id_and_secret(self, http_client, url_scheme_and_hostname):
+        """ Performs validation of the client ID and secret, raising an exception on failure. """
+        pass
 
-  def requires_form_encoding(self):
-    """ Returns True if form encoding is necessary for the exchange_code_for_token call. """
-    return False
+    def requires_form_encoding(self):
+        """ Returns True if form encoding is necessary for the exchange_code_for_token call. """
+        return False
 
-  def client_id(self):
-    return self.config.get('CLIENT_ID')
+    def client_id(self):
+        return self.config.get("CLIENT_ID")
 
-  def client_secret(self):
-    return self.config.get('CLIENT_SECRET')
+    def client_secret(self):
+        return self.config.get("CLIENT_SECRET")
 
-  def login_binding_field(self):
-    """ Returns the name of the field (`username` or `email`) used for auto binding an external
+    def login_binding_field(self):
+        """ Returns the name of the field (`username` or `email`) used for auto binding an external
         login service account to an *internal* login service account. For example, if the external
         login service is GitHub and the internal login service is LDAP, a value of `email` here
         will cause login-with-Github to conduct a search (via email) in LDAP for a user, an auto
@@ -96,98 +102,129 @@ class OAuthService(object):
         is performing, and login with this external account will simply create a new account in the
         database.
     """
-    return self.config.get('LOGIN_BINDING_FIELD', None)
+        return self.config.get("LOGIN_BINDING_FIELD", None)
 
-  def get_auth_url(self, url_scheme_and_hostname, redirect_suffix, csrf_token, scopes):
-    """ Retrieves the authorization URL for this login service. """
-    redirect_uri = '%s/oauth2/%s/callback%s' % (url_scheme_and_hostname.get_url(),
-                                                self.service_id(),
-                                                redirect_suffix)
-    params = {
-      'client_id': self.client_id(),
-      'redirect_uri': redirect_uri,
-      'scope': ' '.join(scopes),
-      'state': csrf_token,
-    }
+    def get_auth_url(
+        self, url_scheme_and_hostname, redirect_suffix, csrf_token, scopes
+    ):
+        """ Retrieves the authorization URL for this login service. """
+        redirect_uri = "%s/oauth2/%s/callback%s" % (
+            url_scheme_and_hostname.get_url(),
+            self.service_id(),
+            redirect_suffix,
+        )
+        params = {
+            "client_id": self.client_id(),
+            "redirect_uri": redirect_uri,
+            "scope": " ".join(scopes),
+            "state": csrf_token,
+        }
 
-    return self.authorize_endpoint().with_params(params).to_url()
+        return self.authorize_endpoint().with_params(params).to_url()
 
-  def get_redirect_uri(self, url_scheme_and_hostname, redirect_suffix=''):
-    return '%s://%s/oauth2/%s/callback%s' % (url_scheme_and_hostname.url_scheme,
-                                             url_scheme_and_hostname.hostname,
-                                             self.service_id(),
-                                             redirect_suffix)
+    def get_redirect_uri(self, url_scheme_and_hostname, redirect_suffix=""):
+        return "%s://%s/oauth2/%s/callback%s" % (
+            url_scheme_and_hostname.url_scheme,
+            url_scheme_and_hostname.hostname,
+            self.service_id(),
+            redirect_suffix,
+        )
 
-  def get_user_info(self, http_client, token):
-    token_param = {
-      'alt': 'json',
-    }
+    def get_user_info(self, http_client, token):
+        token_param = {"alt": "json"}
 
-    headers = {
-      'Authorization': 'Bearer %s' % token,
-    }
+        headers = {"Authorization": "Bearer %s" % token}
 
-    got_user = http_client.get(self.user_endpoint().to_url(), params=token_param, headers=headers)
-    if got_user.status_code // 100 != 2:
-      raise OAuthGetUserInfoException('Non-2XX response code for user_info call: %s' %
-                                      got_user.status_code)
+        got_user = http_client.get(
+            self.user_endpoint().to_url(), params=token_param, headers=headers
+        )
+        if got_user.status_code // 100 != 2:
+            raise OAuthGetUserInfoException(
+                "Non-2XX response code for user_info call: %s" % got_user.status_code
+            )
 
-    user_info = got_user.json()
-    if user_info is None:
-      raise OAuthGetUserInfoException()
+        user_info = got_user.json()
+        if user_info is None:
+            raise OAuthGetUserInfoException()
 
-    return user_info
+        return user_info
 
-  def exchange_code_for_token(self, app_config, http_client, code, form_encode=False,
-                              redirect_suffix='', client_auth=False):
-    """ Exchanges an OAuth access code for the associated OAuth token. """
-    json_data = self.exchange_code(app_config, http_client, code, form_encode, redirect_suffix,
-                                   client_auth)
+    def exchange_code_for_token(
+        self,
+        app_config,
+        http_client,
+        code,
+        form_encode=False,
+        redirect_suffix="",
+        client_auth=False,
+    ):
+        """ Exchanges an OAuth access code for the associated OAuth token. """
+        json_data = self.exchange_code(
+            app_config, http_client, code, form_encode, redirect_suffix, client_auth
+        )
 
-    access_token = json_data.get('access_token', None)
-    if access_token is None:
-      logger.debug('Got successful get_access_token response with missing token: %s', json_data)
-      raise OAuthExchangeCodeException('Missing `access_token` in OAuth response')
+        access_token = json_data.get("access_token", None)
+        if access_token is None:
+            logger.debug(
+                "Got successful get_access_token response with missing token: %s",
+                json_data,
+            )
+            raise OAuthExchangeCodeException("Missing `access_token` in OAuth response")
 
-    return access_token
+        return access_token
 
-  def exchange_code(self, app_config, http_client, code, form_encode=False, redirect_suffix='',
-                    client_auth=False):
-    """ Exchanges an OAuth access code for associated OAuth token and other data. """
-    url_scheme_and_hostname = URLSchemeAndHostname.from_app_config(app_config)
-    payload = {
-      'code': code,
-      'grant_type': 'authorization_code',
-      'redirect_uri': self.get_redirect_uri(url_scheme_and_hostname, redirect_suffix)
-    }
+    def exchange_code(
+        self,
+        app_config,
+        http_client,
+        code,
+        form_encode=False,
+        redirect_suffix="",
+        client_auth=False,
+    ):
+        """ Exchanges an OAuth access code for associated OAuth token and other data. """
+        url_scheme_and_hostname = URLSchemeAndHostname.from_app_config(app_config)
+        payload = {
+            "code": code,
+            "grant_type": "authorization_code",
+            "redirect_uri": self.get_redirect_uri(
+                url_scheme_and_hostname, redirect_suffix
+            ),
+        }
 
-    headers = {
-      'Accept': 'application/json'
-    }
+        headers = {"Accept": "application/json"}
 
-    auth = None
-    if client_auth:
-      auth = (self.client_id(), self.client_secret())
-    else:
-      payload['client_id'] = self.client_id()
-      payload['client_secret'] = self.client_secret()
+        auth = None
+        if client_auth:
+            auth = (self.client_id(), self.client_secret())
+        else:
+            payload["client_id"] = self.client_id()
+            payload["client_secret"] = self.client_secret()
 
-    token_url = self.token_endpoint().to_url()
-    if form_encode:
-      get_access_token = http_client.post(token_url, data=payload, headers=headers, auth=auth)
-    else:
-      get_access_token = http_client.post(token_url, params=payload, headers=headers, auth=auth)
+        token_url = self.token_endpoint().to_url()
+        if form_encode:
+            get_access_token = http_client.post(
+                token_url, data=payload, headers=headers, auth=auth
+            )
+        else:
+            get_access_token = http_client.post(
+                token_url, params=payload, headers=headers, auth=auth
+            )
 
-    if get_access_token.status_code // 100 != 2:
-      logger.debug('Got get_access_token response %s', get_access_token.text)
-      raise OAuthExchangeCodeException('Got non-2XX response for code exchange: %s' %
-                                       get_access_token.status_code)
+        if get_access_token.status_code // 100 != 2:
+            logger.debug("Got get_access_token response %s", get_access_token.text)
+            raise OAuthExchangeCodeException(
+                "Got non-2XX response for code exchange: %s"
+                % get_access_token.status_code
+            )
 
-    json_data = get_access_token.json()
-    if not json_data:
-      raise OAuthExchangeCodeException('Got non-JSON response for code exchange')
+        json_data = get_access_token.json()
+        if not json_data:
+            raise OAuthExchangeCodeException("Got non-JSON response for code exchange")
 
-    if 'error' in json_data:
-      raise OAuthExchangeCodeException(json_data.get('error_description', json_data['error']))
+        if "error" in json_data:
+            raise OAuthExchangeCodeException(
+                json_data.get("error_description", json_data["error"])
+            )
 
-    return json_data
+        return json_data
diff --git a/oauth/login.py b/oauth/login.py
index 12bae420b..d9c5e553b 100644
--- a/oauth/login.py
+++ b/oauth/login.py
@@ -5,92 +5,117 @@ from six import add_metaclass
 
 import features
 
-from oauth.base import OAuthService, OAuthExchangeCodeException, OAuthGetUserInfoException
+from oauth.base import (
+    OAuthService,
+    OAuthExchangeCodeException,
+    OAuthGetUserInfoException,
+)
 
 logger = logging.getLogger(__name__)
 
+
 class OAuthLoginException(Exception):
-  """ Exception raised if a login operation fails. """
-  pass
+    """ Exception raised if a login operation fails. """
+
+    pass
 
 
 @add_metaclass(ABCMeta)
 class OAuthLoginService(OAuthService):
-  """ A base class for defining an OAuth-compliant service that can be used for, amongst other
+    """ A base class for defining an OAuth-compliant service that can be used for, amongst other
       things, login and authentication. """
 
-  @abstractmethod
-  def login_enabled(self):
-    """ Returns true if the login service is enabled. """
-    pass
+    @abstractmethod
+    def login_enabled(self):
+        """ Returns true if the login service is enabled. """
+        pass
 
-  @abstractmethod
-  def get_login_service_id(self, user_info):
-    """ Returns the internal ID for the given user under this login service. """
-    pass
+    @abstractmethod
+    def get_login_service_id(self, user_info):
+        """ Returns the internal ID for the given user under this login service. """
+        pass
 
-  @abstractmethod
-  def get_login_service_username(self, user_info):
-    """ Returns the username for the given user under this login service. """
-    pass
+    @abstractmethod
+    def get_login_service_username(self, user_info):
+        """ Returns the username for the given user under this login service. """
+        pass
 
-  @abstractmethod
-  def get_verified_user_email(self, app_config, http_client, token, user_info):
-    """ Returns the verified email address for the given user, if any or None if none. """
-    pass
+    @abstractmethod
+    def get_verified_user_email(self, app_config, http_client, token, user_info):
+        """ Returns the verified email address for the given user, if any or None if none. """
+        pass
 
-  @abstractmethod
-  def get_icon(self):
-    """ Returns the icon to display for this login service. """
-    pass
+    @abstractmethod
+    def get_icon(self):
+        """ Returns the icon to display for this login service. """
+        pass
 
-  @abstractmethod
-  def get_login_scopes(self):
-    """ Returns the list of scopes for login for this service. """
-    pass
+    @abstractmethod
+    def get_login_scopes(self):
+        """ Returns the list of scopes for login for this service. """
+        pass
 
-  def service_verify_user_info_for_login(self, app_config, http_client, token, user_info):
-    """ Performs service-specific verification of user information for login. On failure, a service
+    def service_verify_user_info_for_login(
+        self, app_config, http_client, token, user_info
+    ):
+        """ Performs service-specific verification of user information for login. On failure, a service
         should raise a OAuthLoginService.
     """
-    # By default, does nothing.
-    pass
+        # By default, does nothing.
+        pass
 
-  def exchange_code_for_login(self, app_config, http_client, code, redirect_suffix):
-    """ Exchanges the given OAuth access code for user information on behalf of a user trying to
+    def exchange_code_for_login(self, app_config, http_client, code, redirect_suffix):
+        """ Exchanges the given OAuth access code for user information on behalf of a user trying to
         login or attach their account. Raises a OAuthLoginService exception on failure. Returns
         a tuple consisting of (service_id, service_username, email)
     """
 
-    # Retrieve the token for the OAuth code.
-    try:
-      token = self.exchange_code_for_token(app_config, http_client, code,
-                                           redirect_suffix=redirect_suffix,
-                                           form_encode=self.requires_form_encoding())
-    except OAuthExchangeCodeException as oce:
-      raise OAuthLoginException(str(oce))
+        # Retrieve the token for the OAuth code.
+        try:
+            token = self.exchange_code_for_token(
+                app_config,
+                http_client,
+                code,
+                redirect_suffix=redirect_suffix,
+                form_encode=self.requires_form_encoding(),
+            )
+        except OAuthExchangeCodeException as oce:
+            raise OAuthLoginException(str(oce))
 
-    # Retrieve the user's information with the token.
-    try:
-      user_info = self.get_user_info(http_client, token)
-    except OAuthGetUserInfoException as oge:
-      raise OAuthLoginException(str(oge))
+        # Retrieve the user's information with the token.
+        try:
+            user_info = self.get_user_info(http_client, token)
+        except OAuthGetUserInfoException as oge:
+            raise OAuthLoginException(str(oge))
 
-    if user_info.get('id', None) is None:
-      logger.debug('Got user info response %s', user_info)
-      raise OAuthLoginException('Missing `id` column in returned user information')
+        if user_info.get("id", None) is None:
+            logger.debug("Got user info response %s", user_info)
+            raise OAuthLoginException(
+                "Missing `id` column in returned user information"
+            )
 
-    # Perform any custom verification for this login service.
-    self.service_verify_user_info_for_login(app_config, http_client, token, user_info)
+        # Perform any custom verification for this login service.
+        self.service_verify_user_info_for_login(
+            app_config, http_client, token, user_info
+        )
 
-    # Retrieve the user's email address (if necessary).
-    email_address = self.get_verified_user_email(app_config, http_client, token, user_info)
-    if features.MAILING and email_address is None:
-      raise OAuthLoginException('A verified email address is required to login with this service')
+        # Retrieve the user's email address (if necessary).
+        email_address = self.get_verified_user_email(
+            app_config, http_client, token, user_info
+        )
+        if features.MAILING and email_address is None:
+            raise OAuthLoginException(
+                "A verified email address is required to login with this service"
+            )
 
-    service_user_id = self.get_login_service_id(user_info)
-    service_username = self.get_login_service_username(user_info)
+        service_user_id = self.get_login_service_id(user_info)
+        service_username = self.get_login_service_username(user_info)
 
-    logger.debug('Completed successful exchange for service %s: %s, %s, %s',
-                 self.service_id(), service_user_id, service_username, email_address)
-    return (service_user_id, service_username, email_address)
+        logger.debug(
+            "Completed successful exchange for service %s: %s, %s, %s",
+            self.service_id(),
+            service_user_id,
+            service_username,
+            email_address,
+        )
+        return (service_user_id, service_username, email_address)
diff --git a/oauth/loginmanager.py b/oauth/loginmanager.py
index ea45890ea..4b3c58634 100644
--- a/oauth/loginmanager.py
+++ b/oauth/loginmanager.py
@@ -3,35 +3,37 @@ from oauth.services.google import GoogleOAuthService
 from oauth.oidc import OIDCLoginService
 
 CUSTOM_LOGIN_SERVICES = {
-  'GITHUB_LOGIN_CONFIG': GithubOAuthService,
-  'GOOGLE_LOGIN_CONFIG': GoogleOAuthService,
+    "GITHUB_LOGIN_CONFIG": GithubOAuthService,
+    "GOOGLE_LOGIN_CONFIG": GoogleOAuthService,
 }
 
-PREFIX_BLACKLIST = ['ldap', 'jwt', 'keystone']
+PREFIX_BLACKLIST = ["ldap", "jwt", "keystone"]
+
 
 class OAuthLoginManager(object):
-  """ Helper class which manages all registered OAuth login services. """
-  def __init__(self, config, client=None):
-    self.services = []
+    """ Helper class which manages all registered OAuth login services. """
 
-    # Register the endpoints for each of the OAuth login services.
-    for key in config.keys():
-      # All keys which end in _LOGIN_CONFIG setup a login service.
-      if key.endswith('_LOGIN_CONFIG'):
-        if key in CUSTOM_LOGIN_SERVICES:
-          custom_service = CUSTOM_LOGIN_SERVICES[key](config, key)
-          if custom_service.login_enabled(config):
-            self.services.append(custom_service)
-        else:
-          prefix = key.rstrip('_LOGIN_CONFIG').lower()
-          if prefix in PREFIX_BLACKLIST:
-            raise Exception('Cannot use reserved config name %s' % key)
+    def __init__(self, config, client=None):
+        self.services = []
 
-          self.services.append(OIDCLoginService(config, key, client=client))
+        # Register the endpoints for each of the OAuth login services.
+        for key in config.keys():
+            # All keys which end in _LOGIN_CONFIG setup a login service.
+            if key.endswith("_LOGIN_CONFIG"):
+                if key in CUSTOM_LOGIN_SERVICES:
+                    custom_service = CUSTOM_LOGIN_SERVICES[key](config, key)
+                    if custom_service.login_enabled(config):
+                        self.services.append(custom_service)
+                else:
+                    prefix = key.rstrip("_LOGIN_CONFIG").lower()
+                    if prefix in PREFIX_BLACKLIST:
+                        raise Exception("Cannot use reserved config name %s" % key)
 
-  def get_service(self, service_id):
-    for service in self.services:
-      if service.service_id() == service_id:
-        return service
+                    self.services.append(OIDCLoginService(config, key, client=client))
 
-    return None
\ No newline at end of file
+    def get_service(self, service_id):
+        for service in self.services:
+            if service.service_id() == service_id:
+                return service
+
+        return None
diff --git a/oauth/oidc.py b/oauth/oidc.py
index c7273035b..ff5e89924 100644
--- a/oauth/oidc.py
+++ b/oauth/oidc.py
@@ -11,8 +11,12 @@ from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives.serialization import load_der_public_key
 from jwkest.jwk import KEYS
 
-from oauth.base import (OAuthService, OAuthExchangeCodeException, OAuthGetUserInfoException,
-                        OAuthEndpoint)
+from oauth.base import (
+    OAuthService,
+    OAuthExchangeCodeException,
+    OAuthGetUserInfoException,
+    OAuthEndpoint,
+)
 from oauth.login import OAuthLoginException
 from util.security.jwtutil import decode, InvalidTokenError
 
@@ -20,309 +24,376 @@ logger = logging.getLogger(__name__)
 
 
 OIDC_WELLKNOWN = ".well-known/openid-configuration"
-PUBLIC_KEY_CACHE_TTL = 3600 # 1 hour
-ALLOWED_ALGORITHMS = ['RS256']
+PUBLIC_KEY_CACHE_TTL = 3600  # 1 hour
+ALLOWED_ALGORITHMS = ["RS256"]
 JWT_CLOCK_SKEW_SECONDS = 30
 
+
 class DiscoveryFailureException(Exception):
-  """ Exception raised when OIDC discovery fails. """
-  pass
+    """ Exception raised when OIDC discovery fails. """
+
+    pass
+
 
 class PublicKeyLoadException(Exception):
-  """ Exception raised if loading the OIDC public key fails. """
-  pass
+    """ Exception raised if loading the OIDC public key fails. """
+
+    pass
 
 
 class OIDCLoginService(OAuthService):
-  """ Defines a generic service for all OpenID-connect compatible login services. """
-  def __init__(self, config, key_name, client=None):
-    super(OIDCLoginService, self).__init__(config, key_name)
+    """ Defines a generic service for all OpenID-connect compatible login services. """
 
-    self._id = key_name[0:key_name.find('_')].lower()
-    self._http_client = client or config.get('HTTPCLIENT')
-    self._mailing = config.get('FEATURE_MAILING', False)
-    self._public_key_cache = _PublicKeyCache(self, 1, PUBLIC_KEY_CACHE_TTL)
+    def __init__(self, config, key_name, client=None):
+        super(OIDCLoginService, self).__init__(config, key_name)
 
-  def service_id(self):
-    return self._id
+        self._id = key_name[0 : key_name.find("_")].lower()
+        self._http_client = client or config.get("HTTPCLIENT")
+        self._mailing = config.get("FEATURE_MAILING", False)
+        self._public_key_cache = _PublicKeyCache(self, 1, PUBLIC_KEY_CACHE_TTL)
 
-  def service_name(self):
-    return self.config.get('SERVICE_NAME', self.service_id())
+    def service_id(self):
+        return self._id
 
-  def get_icon(self):
-    return self.config.get('SERVICE_ICON', 'fa-user-circle')
+    def service_name(self):
+        return self.config.get("SERVICE_NAME", self.service_id())
 
-  def get_login_scopes(self):
-    default_scopes = ['openid']
+    def get_icon(self):
+        return self.config.get("SERVICE_ICON", "fa-user-circle")
 
-    if self.user_endpoint() is not None:
-      default_scopes.append('profile')
+    def get_login_scopes(self):
+        default_scopes = ["openid"]
 
-    if self._mailing:
-      default_scopes.append('email')
+        if self.user_endpoint() is not None:
+            default_scopes.append("profile")
 
-    supported_scopes = self._oidc_config().get('scopes_supported', default_scopes)
-    login_scopes = self.config.get('LOGIN_SCOPES') or supported_scopes
-    return list(set(login_scopes) & set(supported_scopes))
+        if self._mailing:
+            default_scopes.append("email")
 
-  def authorize_endpoint(self):
-    return self._get_endpoint('authorization_endpoint').with_param('response_type', 'code')
+        supported_scopes = self._oidc_config().get("scopes_supported", default_scopes)
+        login_scopes = self.config.get("LOGIN_SCOPES") or supported_scopes
+        return list(set(login_scopes) & set(supported_scopes))
 
-  def token_endpoint(self):
-    return self._get_endpoint('token_endpoint')
+    def authorize_endpoint(self):
+        return self._get_endpoint("authorization_endpoint").with_param(
+            "response_type", "code"
+        )
 
-  def user_endpoint(self):
-    return self._get_endpoint('userinfo_endpoint')
+    def token_endpoint(self):
+        return self._get_endpoint("token_endpoint")
 
-  def _get_endpoint(self, endpoint_key, **kwargs):
-    """ Returns the OIDC endpoint with the given key found in the OIDC discovery
+    def user_endpoint(self):
+        return self._get_endpoint("userinfo_endpoint")
+
+    def _get_endpoint(self, endpoint_key, **kwargs):
+        """ Returns the OIDC endpoint with the given key found in the OIDC discovery
         document, with the given kwargs added as query parameters. Additionally,
         any defined parameters found in the OIDC configuration block are also
         added.
     """
-    endpoint = self._oidc_config().get(endpoint_key, '')
-    if not endpoint:
-      return None
+        endpoint = self._oidc_config().get(endpoint_key, "")
+        if not endpoint:
+            return None
 
-    (scheme, netloc, path, query, fragment) = urlparse.urlsplit(endpoint)
+        (scheme, netloc, path, query, fragment) = urlparse.urlsplit(endpoint)
 
-    # Add the query parameters from the kwargs and the config.
-    custom_parameters = self.config.get('OIDC_ENDPOINT_CUSTOM_PARAMS', {}).get(endpoint_key, {})
+        # Add the query parameters from the kwargs and the config.
+        custom_parameters = self.config.get("OIDC_ENDPOINT_CUSTOM_PARAMS", {}).get(
+            endpoint_key, {}
+        )
 
-    query_params = urlparse.parse_qs(query, keep_blank_values=True)
-    query_params.update(kwargs)
-    query_params.update(custom_parameters)
-    return OAuthEndpoint(urlparse.urlunsplit((scheme, netloc, path, {}, fragment)), query_params)
+        query_params = urlparse.parse_qs(query, keep_blank_values=True)
+        query_params.update(kwargs)
+        query_params.update(custom_parameters)
+        return OAuthEndpoint(
+            urlparse.urlunsplit((scheme, netloc, path, {}, fragment)), query_params
+        )
 
-  def validate(self):
-    return bool(self.get_login_scopes())
+    def validate(self):
+        return bool(self.get_login_scopes())
 
-  def validate_client_id_and_secret(self, http_client, url_scheme_and_hostname):
-    # TODO: find a way to verify client secret too.
-    check_auth_url = http_client.get(self.get_auth_url(url_scheme_and_hostname, '', '', []))
-    if check_auth_url.status_code // 100 != 2:
-      raise Exception('Got non-200 status code for authorization endpoint')
+    def validate_client_id_and_secret(self, http_client, url_scheme_and_hostname):
+        # TODO: find a way to verify client secret too.
+        check_auth_url = http_client.get(
+            self.get_auth_url(url_scheme_and_hostname, "", "", [])
+        )
+        if check_auth_url.status_code // 100 != 2:
+            raise Exception("Got non-200 status code for authorization endpoint")
 
-  def requires_form_encoding(self):
-    return True
+    def requires_form_encoding(self):
+        return True
 
-  def get_public_config(self):
-    return {
-      'CLIENT_ID': self.client_id(),
-      'OIDC': True,
-    }
+    def get_public_config(self):
+        return {"CLIENT_ID": self.client_id(), "OIDC": True}
 
-  def exchange_code_for_tokens(self, app_config, http_client, code, redirect_suffix):
-    # Exchange the code for the access token and id_token
-    try:
-      json_data = self.exchange_code(app_config, http_client, code,
-                                     redirect_suffix=redirect_suffix,
-                                     form_encode=self.requires_form_encoding())
-    except OAuthExchangeCodeException as oce:
-      raise OAuthLoginException(str(oce))
+    def exchange_code_for_tokens(self, app_config, http_client, code, redirect_suffix):
+        # Exchange the code for the access token and id_token
+        try:
+            json_data = self.exchange_code(
+                app_config,
+                http_client,
+                code,
+                redirect_suffix=redirect_suffix,
+                form_encode=self.requires_form_encoding(),
+            )
+        except OAuthExchangeCodeException as oce:
+            raise OAuthLoginException(str(oce))
 
-    # Make sure we received both.
-    access_token = json_data.get('access_token', None)
-    if access_token is None:
-      logger.debug('Missing access_token in response: %s', json_data)
-      raise OAuthLoginException('Missing `access_token` in OIDC response')
+        # Make sure we received both.
+        access_token = json_data.get("access_token", None)
+        if access_token is None:
+            logger.debug("Missing access_token in response: %s", json_data)
+            raise OAuthLoginException("Missing `access_token` in OIDC response")
 
-    id_token = json_data.get('id_token', None)
-    if id_token is None:
-      logger.debug('Missing id_token in response: %s', json_data)
-      raise OAuthLoginException('Missing `id_token` in OIDC response')
+        id_token = json_data.get("id_token", None)
+        if id_token is None:
+            logger.debug("Missing id_token in response: %s", json_data)
+            raise OAuthLoginException("Missing `id_token` in OIDC response")
 
-    return id_token, access_token
+        return id_token, access_token
 
-  def exchange_code_for_login(self, app_config, http_client, code, redirect_suffix):
-    # Exchange the code for the access token and id_token
-    id_token, access_token = self.exchange_code_for_tokens(app_config, http_client, code,
-                                                           redirect_suffix)
+    def exchange_code_for_login(self, app_config, http_client, code, redirect_suffix):
+        # Exchange the code for the access token and id_token
+        id_token, access_token = self.exchange_code_for_tokens(
+            app_config, http_client, code, redirect_suffix
+        )
 
-    # Decode the id_token.
-    try:
-      decoded_id_token = self.decode_user_jwt(id_token)
-    except InvalidTokenError as ite:
-      logger.exception('Got invalid token error on OIDC decode: %s', ite)
-      raise OAuthLoginException('Could not decode OIDC token')
-    except PublicKeyLoadException as pke:
-      logger.exception('Could not load public key during OIDC decode: %s', pke)
-      raise OAuthLoginException('Could find public OIDC key')
+        # Decode the id_token.
+        try:
+            decoded_id_token = self.decode_user_jwt(id_token)
+        except InvalidTokenError as ite:
+            logger.exception("Got invalid token error on OIDC decode: %s", ite)
+            raise OAuthLoginException("Could not decode OIDC token")
+        except PublicKeyLoadException as pke:
+            logger.exception("Could not load public key during OIDC decode: %s", pke)
+            raise OAuthLoginException("Could find public OIDC key")
 
-    # If there is a user endpoint, use it to retrieve the user's information. Otherwise, we use
-    # the decoded ID token.
-    if self.user_endpoint():
-      # Retrieve the user information.
-      try:
-        user_info = self.get_user_info(http_client, access_token)
-      except OAuthGetUserInfoException as oge:
-        raise OAuthLoginException(str(oge))
-    else:
-      user_info = decoded_id_token
+        # If there is a user endpoint, use it to retrieve the user's information. Otherwise, we use
+        # the decoded ID token.
+        if self.user_endpoint():
+            # Retrieve the user information.
+            try:
+                user_info = self.get_user_info(http_client, access_token)
+            except OAuthGetUserInfoException as oge:
+                raise OAuthLoginException(str(oge))
+        else:
+            user_info = decoded_id_token
 
-    # Verify subs.
-    if user_info['sub'] != decoded_id_token['sub']:
-      logger.debug('Mismatch in `sub` returned by OIDC user info endpoint: %s vs %s',
-                   user_info['sub'], decoded_id_token['sub'])
-      raise OAuthLoginException('Mismatch in `sub` returned by OIDC user info endpoint')
+        # Verify subs.
+        if user_info["sub"] != decoded_id_token["sub"]:
+            logger.debug(
+                "Mismatch in `sub` returned by OIDC user info endpoint: %s vs %s",
+                user_info["sub"],
+                decoded_id_token["sub"],
+            )
+            raise OAuthLoginException(
+                "Mismatch in `sub` returned by OIDC user info endpoint"
+            )
 
-    # Check if we have a verified email address.
-    if self.config.get('VERIFIED_EMAIL_CLAIM_NAME'):
-      email_address = user_info.get(self.config['VERIFIED_EMAIL_CLAIM_NAME'])
-    else:
-      email_address = user_info.get('email') if user_info.get('email_verified') else None
+        # Check if we have a verified email address.
+        if self.config.get("VERIFIED_EMAIL_CLAIM_NAME"):
+            email_address = user_info.get(self.config["VERIFIED_EMAIL_CLAIM_NAME"])
+        else:
+            email_address = (
+                user_info.get("email") if user_info.get("email_verified") else None
+            )
 
-    logger.debug('Found e-mail address `%s` for sub `%s`', email_address, user_info['sub'])
-    if self._mailing:
-      if email_address is None:
-        raise OAuthLoginException('A verified email address is required to login with this service')
+        logger.debug(
+            "Found e-mail address `%s` for sub `%s`", email_address, user_info["sub"]
+        )
+        if self._mailing:
+            if email_address is None:
+                raise OAuthLoginException(
+                    "A verified email address is required to login with this service"
+                )
 
-    # Check for a preferred username.
-    if self.config.get('PREFERRED_USERNAME_CLAIM_NAME'):
-      lusername = user_info.get(self.config['PREFERRED_USERNAME_CLAIM_NAME'])
-    else:
-      lusername = user_info.get('preferred_username')
-      if lusername is None:
-        # Note: Active Directory provides `unique_name` and `upn`.
-        # https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-id-and-access-tokens
-        lusername = user_info.get('unique_name', user_info.get('upn'))
+        # Check for a preferred username.
+        if self.config.get("PREFERRED_USERNAME_CLAIM_NAME"):
+            lusername = user_info.get(self.config["PREFERRED_USERNAME_CLAIM_NAME"])
+        else:
+            lusername = user_info.get("preferred_username")
+            if lusername is None:
+                # Note: Active Directory provides `unique_name` and `upn`.
+                # https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-id-and-access-tokens
+                lusername = user_info.get("unique_name", user_info.get("upn"))
 
-    if lusername is None:
-      lusername = user_info['sub']
+        if lusername is None:
+            lusername = user_info["sub"]
 
-    if lusername.find('@') >= 0:
-      lusername = lusername[0:lusername.find('@')]
+        if lusername.find("@") >= 0:
+            lusername = lusername[0 : lusername.find("@")]
 
-    return decoded_id_token['sub'], lusername, email_address
+        return decoded_id_token["sub"], lusername, email_address
 
-  @property
-  def _issuer(self):
-    # Read the issuer from the OIDC config, falling back to the configured OIDC server.
-    issuer = self._oidc_config().get('issuer', self.config['OIDC_SERVER'])
+    @property
+    def _issuer(self):
+        # Read the issuer from the OIDC config, falling back to the configured OIDC server.
+        issuer = self._oidc_config().get("issuer", self.config["OIDC_SERVER"])
 
-    # If specified, use the overridden OIDC issuer.
-    return self.config.get('OIDC_ISSUER', issuer)
+        # If specified, use the overridden OIDC issuer.
+        return self.config.get("OIDC_ISSUER", issuer)
 
-  @lru_cache(maxsize=1)
-  def _oidc_config(self):
-    if self.config.get('OIDC_SERVER'):
-      return self._load_oidc_config_via_discovery(self.config.get('DEBUGGING', False))
-    else:
-      return {}
+    @lru_cache(maxsize=1)
+    def _oidc_config(self):
+        if self.config.get("OIDC_SERVER"):
+            return self._load_oidc_config_via_discovery(
+                self.config.get("DEBUGGING", False)
+            )
+        else:
+            return {}
 
-  def _load_oidc_config_via_discovery(self, is_debugging):
-    """ Attempts to load the OIDC config via the OIDC discovery mechanism. If is_debugging is True,
+    def _load_oidc_config_via_discovery(self, is_debugging):
+        """ Attempts to load the OIDC config via the OIDC discovery mechanism. If is_debugging is True,
         non-secure connections are alllowed. Raises an DiscoveryFailureException on failure.
     """
-    oidc_server = self.config['OIDC_SERVER']
-    if not oidc_server.startswith('https://') and not is_debugging:
-      raise DiscoveryFailureException('OIDC server must be accessed over SSL')
+        oidc_server = self.config["OIDC_SERVER"]
+        if not oidc_server.startswith("https://") and not is_debugging:
+            raise DiscoveryFailureException("OIDC server must be accessed over SSL")
 
-    discovery_url = urlparse.urljoin(oidc_server, OIDC_WELLKNOWN)
-    discovery = self._http_client.get(discovery_url, timeout=5, verify=is_debugging is False)
-    if discovery.status_code // 100 != 2:
-      logger.debug('Got %s response for OIDC discovery: %s', discovery.status_code, discovery.text)
-      raise DiscoveryFailureException("Could not load OIDC discovery information")
+        discovery_url = urlparse.urljoin(oidc_server, OIDC_WELLKNOWN)
+        discovery = self._http_client.get(
+            discovery_url, timeout=5, verify=is_debugging is False
+        )
+        if discovery.status_code // 100 != 2:
+            logger.debug(
+                "Got %s response for OIDC discovery: %s",
+                discovery.status_code,
+                discovery.text,
+            )
+            raise DiscoveryFailureException("Could not load OIDC discovery information")
 
-    try:
-      return json.loads(discovery.text)
-    except ValueError:
-      logger.exception('Could not parse OIDC discovery for url: %s', discovery_url)
-      raise DiscoveryFailureException("Could not parse OIDC discovery information")
+        try:
+            return json.loads(discovery.text)
+        except ValueError:
+            logger.exception(
+                "Could not parse OIDC discovery for url: %s", discovery_url
+            )
+            raise DiscoveryFailureException(
+                "Could not parse OIDC discovery information"
+            )
 
-  def decode_user_jwt(self, token):
-    """ Decodes the given JWT under the given provider and returns it. Raises an InvalidTokenError
+    def decode_user_jwt(self, token):
+        """ Decodes the given JWT under the given provider and returns it. Raises an InvalidTokenError
         exception on an invalid token or a PublicKeyLoadException if the public key could not be
         loaded for decoding.
     """
-    # Find the key to use.
-    headers = jwt.get_unverified_header(token)
-    kid = headers.get('kid', None)
-    if kid is None:
-      raise InvalidTokenError('Missing `kid` header')
+        # Find the key to use.
+        headers = jwt.get_unverified_header(token)
+        kid = headers.get("kid", None)
+        if kid is None:
+            raise InvalidTokenError("Missing `kid` header")
 
-    logger.debug('Using key `%s`, attempting to decode token `%s` with aud `%s` and iss `%s`',
-                 kid, token, self.client_id(), self._issuer)
-    try:
-      return decode(token, self._get_public_key(kid), algorithms=ALLOWED_ALGORITHMS,
+        logger.debug(
+            "Using key `%s`, attempting to decode token `%s` with aud `%s` and iss `%s`",
+            kid,
+            token,
+            self.client_id(),
+            self._issuer,
+        )
+        try:
+            return decode(
+                token,
+                self._get_public_key(kid),
+                algorithms=ALLOWED_ALGORITHMS,
+                audience=self.client_id(),
+                issuer=self._issuer,
+                leeway=JWT_CLOCK_SKEW_SECONDS,
+                options=dict(require_nbf=False),
+            )
+        except InvalidTokenError as ite:
+            logger.warning(
+                "Could not decode token `%s` for OIDC: %s. Will attempt again after "
+                + "retrieving public keys.",
+                token,
+                ite,
+            )
+
+            # Public key may have expired. Try to retrieve an updated public key and use it to decode.
+            try:
+                return decode(
+                    token,
+                    self._get_public_key(kid, force_refresh=True),
+                    algorithms=ALLOWED_ALGORITHMS,
                     audience=self.client_id(),
                     issuer=self._issuer,
                     leeway=JWT_CLOCK_SKEW_SECONDS,
-                    options=dict(require_nbf=False))
-    except InvalidTokenError as ite:
-      logger.warning('Could not decode token `%s` for OIDC: %s. Will attempt again after ' +
-                     'retrieving public keys.', token, ite)
+                    options=dict(require_nbf=False),
+                )
+            except InvalidTokenError as ite:
+                logger.warning(
+                    "Could not decode token `%s` for OIDC: %s. Attempted again after "
+                    + "retrieving public keys.",
+                    token,
+                    ite,
+                )
 
-      # Public key may have expired. Try to retrieve an updated public key and use it to decode.
-      try:
-        return decode(token, self._get_public_key(kid, force_refresh=True),
-                      algorithms=ALLOWED_ALGORITHMS,
-                      audience=self.client_id(),
-                      issuer=self._issuer,
-                      leeway=JWT_CLOCK_SKEW_SECONDS,
-                      options=dict(require_nbf=False))
-      except InvalidTokenError as ite:
-        logger.warning('Could not decode token `%s` for OIDC: %s. Attempted again after ' +
-                       'retrieving public keys.', token, ite)
+                # Decode again with verify=False, and log the decoded token to allow for easier debugging.
+                nonverified = decode(
+                    token,
+                    self._get_public_key(kid, force_refresh=True),
+                    algorithms=ALLOWED_ALGORITHMS,
+                    audience=self.client_id(),
+                    issuer=self._issuer,
+                    leeway=JWT_CLOCK_SKEW_SECONDS,
+                    options=dict(require_nbf=False, verify=False),
+                )
+                logger.debug(
+                    "Got an error when trying to verify OIDC JWT: %s", nonverified
+                )
+                raise ite
 
-        # Decode again with verify=False, and log the decoded token to allow for easier debugging.
-        nonverified = decode(token, self._get_public_key(kid, force_refresh=True),
-                             algorithms=ALLOWED_ALGORITHMS,
-                             audience=self.client_id(),
-                             issuer=self._issuer,
-                             leeway=JWT_CLOCK_SKEW_SECONDS,
-                             options=dict(require_nbf=False, verify=False))
-        logger.debug('Got an error when trying to verify OIDC JWT: %s', nonverified)
-        raise ite
-
-  def _get_public_key(self, kid, force_refresh=False):
-    """ Retrieves the public key for this handler with the given kid. Raises a
+    def _get_public_key(self, kid, force_refresh=False):
+        """ Retrieves the public key for this handler with the given kid. Raises a
         PublicKeyLoadException on failure. """
 
-    # If force_refresh is true, we expire all the items in the cache by setting the time to
-    # the current time + the expiration TTL.
-    if force_refresh:
-      self._public_key_cache.expire(time=time.time() + PUBLIC_KEY_CACHE_TTL)
+        # If force_refresh is true, we expire all the items in the cache by setting the time to
+        # the current time + the expiration TTL.
+        if force_refresh:
+            self._public_key_cache.expire(time=time.time() + PUBLIC_KEY_CACHE_TTL)
 
-    # Retrieve the public key from the cache. If the cache does not contain the public key,
-    # it will internally call _load_public_key to retrieve it and then save it.
-    return self._public_key_cache[kid]
+        # Retrieve the public key from the cache. If the cache does not contain the public key,
+        # it will internally call _load_public_key to retrieve it and then save it.
+        return self._public_key_cache[kid]
 
 
 class _PublicKeyCache(TTLCache):
-  def __init__(self, login_service, *args, **kwargs):
-    super(_PublicKeyCache, self).__init__(*args, **kwargs)
+    def __init__(self, login_service, *args, **kwargs):
+        super(_PublicKeyCache, self).__init__(*args, **kwargs)
 
-    self._login_service = login_service
+        self._login_service = login_service
 
-  def __missing__(self, kid):
-    """ Loads the public key for this handler from the OIDC service. Raises PublicKeyLoadException
+    def __missing__(self, kid):
+        """ Loads the public key for this handler from the OIDC service. Raises PublicKeyLoadException
         on failure.
     """
-    keys_url = self._login_service._oidc_config()['jwks_uri']
+        keys_url = self._login_service._oidc_config()["jwks_uri"]
 
-    # Load the keys.
-    try:
-      keys = KEYS()
-      keys.load_from_url(keys_url, verify=not self._login_service.config.get('DEBUGGING', False))
-    except Exception as ex:
-      logger.exception('Exception loading public key')
-      raise PublicKeyLoadException(str(ex))
+        # Load the keys.
+        try:
+            keys = KEYS()
+            keys.load_from_url(
+                keys_url, verify=not self._login_service.config.get("DEBUGGING", False)
+            )
+        except Exception as ex:
+            logger.exception("Exception loading public key")
+            raise PublicKeyLoadException(str(ex))
 
-    # Find the matching key.
-    keys_found = keys.by_kid(kid)
-    if len(keys_found) == 0:
-      raise PublicKeyLoadException('Public key %s not found' % kid)
+        # Find the matching key.
+        keys_found = keys.by_kid(kid)
+        if len(keys_found) == 0:
+            raise PublicKeyLoadException("Public key %s not found" % kid)
 
-    rsa_keys = [key for key in keys_found if key.kty == 'RSA']
-    if len(rsa_keys) == 0:
-      raise PublicKeyLoadException('No RSA form of public key %s not found' % kid)
+        rsa_keys = [key for key in keys_found if key.kty == "RSA"]
+        if len(rsa_keys) == 0:
+            raise PublicKeyLoadException("No RSA form of public key %s not found" % kid)
 
-    matching_key = rsa_keys[0]
-    matching_key.deserialize()
+        matching_key = rsa_keys[0]
+        matching_key.deserialize()
 
-    # Reload the key so that we can give a key *instance* to PyJWT to work around its weird parsing
-    # issues.
-    final_key = load_der_public_key(matching_key.key.exportKey('DER'), backend=default_backend())
-    self[kid] = final_key
-    return final_key
+        # Reload the key so that we can give a key *instance* to PyJWT to work around its weird parsing
+        # issues.
+        final_key = load_der_public_key(
+            matching_key.key.exportKey("DER"), backend=default_backend()
+        )
+        self[kid] = final_key
+        return final_key
diff --git a/oauth/services/github.py b/oauth/services/github.py
index f503a75f2..5ac6e35d4 100644
--- a/oauth/services/github.py
+++ b/oauth/services/github.py
@@ -6,175 +6,187 @@ from util import slash_join
 
 logger = logging.getLogger(__name__)
 
+
 class GithubOAuthService(OAuthLoginService):
-  def __init__(self, config, key_name):
-    super(GithubOAuthService, self).__init__(config, key_name)
+    def __init__(self, config, key_name):
+        super(GithubOAuthService, self).__init__(config, key_name)
 
-  def login_enabled(self, config):
-    return config.get('FEATURE_GITHUB_LOGIN', False)
+    def login_enabled(self, config):
+        return config.get("FEATURE_GITHUB_LOGIN", False)
 
-  def service_id(self):
-    return 'github'
+    def service_id(self):
+        return "github"
 
-  def service_name(self):
-    if self.is_enterprise():
-      return 'GitHub Enterprise'
+    def service_name(self):
+        if self.is_enterprise():
+            return "GitHub Enterprise"
 
-    return 'GitHub'
+        return "GitHub"
 
-  def get_icon(self):
-    return 'fa-github'
+    def get_icon(self):
+        return "fa-github"
 
-  def get_login_scopes(self):
-    if self.config.get('ORG_RESTRICT'):
-      return ['user:email', 'read:org']
+    def get_login_scopes(self):
+        if self.config.get("ORG_RESTRICT"):
+            return ["user:email", "read:org"]
 
-    return ['user:email']
+        return ["user:email"]
 
-  def allowed_organizations(self):
-    if not self.config.get('ORG_RESTRICT', False):
-      return None
+    def allowed_organizations(self):
+        if not self.config.get("ORG_RESTRICT", False):
+            return None
 
-    allowed = self.config.get('ALLOWED_ORGANIZATIONS', None)
-    if allowed is None:
-      return None
+        allowed = self.config.get("ALLOWED_ORGANIZATIONS", None)
+        if allowed is None:
+            return None
 
-    return [org.lower() for org in allowed]
+        return [org.lower() for org in allowed]
 
-  def get_public_url(self, suffix):
-    return slash_join(self._endpoint(), suffix)
+    def get_public_url(self, suffix):
+        return slash_join(self._endpoint(), suffix)
 
-  def _endpoint(self):
-    return self.config.get('GITHUB_ENDPOINT', 'https://github.com')
+    def _endpoint(self):
+        return self.config.get("GITHUB_ENDPOINT", "https://github.com")
 
-  def is_enterprise(self):
-    return self._api_endpoint().find('.github.com') < 0
+    def is_enterprise(self):
+        return self._api_endpoint().find(".github.com") < 0
 
-  def authorize_endpoint(self):
-    return OAuthEndpoint(slash_join(self._endpoint(), '/login/oauth/authorize'))
+    def authorize_endpoint(self):
+        return OAuthEndpoint(slash_join(self._endpoint(), "/login/oauth/authorize"))
 
-  def token_endpoint(self):
-    return OAuthEndpoint(slash_join(self._endpoint(), '/login/oauth/access_token'))
+    def token_endpoint(self):
+        return OAuthEndpoint(slash_join(self._endpoint(), "/login/oauth/access_token"))
 
-  def user_endpoint(self):
-    return OAuthEndpoint(slash_join(self._api_endpoint(), 'user'))
+    def user_endpoint(self):
+        return OAuthEndpoint(slash_join(self._api_endpoint(), "user"))
 
-  def _api_endpoint(self):
-    return self.config.get('API_ENDPOINT', slash_join(self._endpoint(), '/api/v3/'))
+    def _api_endpoint(self):
+        return self.config.get("API_ENDPOINT", slash_join(self._endpoint(), "/api/v3/"))
 
-  def api_endpoint(self):
-    endpoint = self._api_endpoint()
-    if endpoint.endswith('/'):
-      return endpoint[0:-1]
+    def api_endpoint(self):
+        endpoint = self._api_endpoint()
+        if endpoint.endswith("/"):
+            return endpoint[0:-1]
 
-    return endpoint
+        return endpoint
 
-  def email_endpoint(self):
-    return slash_join(self._api_endpoint(), 'user/emails')
+    def email_endpoint(self):
+        return slash_join(self._api_endpoint(), "user/emails")
 
-  def orgs_endpoint(self):
-    return slash_join(self._api_endpoint(), 'user/orgs')
+    def orgs_endpoint(self):
+        return slash_join(self._api_endpoint(), "user/orgs")
 
-  def validate_client_id_and_secret(self, http_client, url_scheme_and_hostname):
-    # First: Verify that the github endpoint is actually Github by checking for the
-    # X-GitHub-Request-Id here.
-    api_endpoint = self._api_endpoint()
-    result = http_client.get(api_endpoint, auth=(self.client_id(), self.client_secret()), timeout=5)
-    if not 'X-GitHub-Request-Id' in result.headers:
-      raise Exception('Endpoint is not a Github (Enterprise) installation')
+    def validate_client_id_and_secret(self, http_client, url_scheme_and_hostname):
+        # First: Verify that the github endpoint is actually Github by checking for the
+        # X-GitHub-Request-Id here.
+        api_endpoint = self._api_endpoint()
+        result = http_client.get(
+            api_endpoint, auth=(self.client_id(), self.client_secret()), timeout=5
+        )
+        if not "X-GitHub-Request-Id" in result.headers:
+            raise Exception("Endpoint is not a Github (Enterprise) installation")
 
-    # Next: Verify the client ID and secret.
-    # Note: The following code is a hack until such time as Github officially adds an API endpoint
-    # for verifying a {client_id, client_secret} pair. This workaround was given to us
-    # *by a Github Engineer* (Jan 8, 2015).
-    #
-    # TODO: Replace with the real API call once added.
-    #
-    # Hitting the endpoint applications/{client_id}/tokens/foo will result in the following
-    # behavior IF the client_id is given as the HTTP username and the client_secret as the HTTP
-    # password:
-    #   - If the {client_id, client_secret} pair is invalid in some way, we get a 401 error.
-    #   - If the pair is valid, then we get a 404 because the 'foo' token does not exists.
-    validate_endpoint = slash_join(api_endpoint, 'applications/%s/tokens/foo' % self.client_id())
-    result = http_client.get(validate_endpoint, auth=(self.client_id(), self.client_secret()),
-                             timeout=5)
-    return result.status_code == 404
+        # Next: Verify the client ID and secret.
+        # Note: The following code is a hack until such time as Github officially adds an API endpoint
+        # for verifying a {client_id, client_secret} pair. This workaround was given to us
+        # *by a Github Engineer* (Jan 8, 2015).
+        #
+        # TODO: Replace with the real API call once added.
+        #
+        # Hitting the endpoint applications/{client_id}/tokens/foo will result in the following
+        # behavior IF the client_id is given as the HTTP username and the client_secret as the HTTP
+        # password:
+        #   - If the {client_id, client_secret} pair is invalid in some way, we get a 401 error.
+        #   - If the pair is valid, then we get a 404 because the 'foo' token does not exists.
+        validate_endpoint = slash_join(
+            api_endpoint, "applications/%s/tokens/foo" % self.client_id()
+        )
+        result = http_client.get(
+            validate_endpoint, auth=(self.client_id(), self.client_secret()), timeout=5
+        )
+        return result.status_code == 404
 
-  def validate_organization(self, organization_id, http_client):
-    org_endpoint = slash_join(self._api_endpoint(), 'orgs/%s' % organization_id.lower())
+    def validate_organization(self, organization_id, http_client):
+        org_endpoint = slash_join(
+            self._api_endpoint(), "orgs/%s" % organization_id.lower()
+        )
 
-    result = http_client.get(org_endpoint,
-                             headers={'Accept': 'application/vnd.github.moondragon+json'},
-                             timeout=5)
+        result = http_client.get(
+            org_endpoint,
+            headers={"Accept": "application/vnd.github.moondragon+json"},
+            timeout=5,
+        )
 
-    return result.status_code == 200
+        return result.status_code == 200
 
+    def get_public_config(self):
+        return {
+            "CLIENT_ID": self.client_id(),
+            "AUTHORIZE_ENDPOINT": self.authorize_endpoint().to_url(),
+            "GITHUB_ENDPOINT": self._endpoint(),
+            "ORG_RESTRICT": self.config.get("ORG_RESTRICT", False),
+        }
 
-  def get_public_config(self):
-    return  {
-      'CLIENT_ID': self.client_id(),
-      'AUTHORIZE_ENDPOINT': self.authorize_endpoint().to_url(),
-      'GITHUB_ENDPOINT': self._endpoint(),
-      'ORG_RESTRICT': self.config.get('ORG_RESTRICT', False)
-    }
+    def get_login_service_id(self, user_info):
+        return user_info["id"]
 
-  def get_login_service_id(self, user_info):
-    return user_info['id']
+    def get_login_service_username(self, user_info):
+        return user_info["login"]
 
-  def get_login_service_username(self, user_info):
-    return user_info['login']
+    def get_verified_user_email(self, app_config, http_client, token, user_info):
+        v3_media_type = {"Accept": "application/vnd.github.v3"}
 
-  def get_verified_user_email(self, app_config, http_client, token, user_info):
-    v3_media_type = {
-      'Accept': 'application/vnd.github.v3'
-    }
+        token_param = {"access_token": token}
 
-    token_param = {
-      'access_token': token,
-    }
+        # Find the e-mail address for the user: we will accept any email, but we prefer the primary
+        get_email = http_client.get(
+            self.email_endpoint(), params=token_param, headers=v3_media_type
+        )
+        if get_email.status_code // 100 != 2:
+            raise OAuthLoginException(
+                "Got non-2XX status code for emails endpoint: %s"
+                % get_email.status_code
+            )
 
-    # Find the e-mail address for the user: we will accept any email, but we prefer the primary
-    get_email = http_client.get(self.email_endpoint(), params=token_param, headers=v3_media_type)
-    if get_email.status_code // 100 != 2:
-      raise OAuthLoginException('Got non-2XX status code for emails endpoint: %s' %
-                                get_email.status_code)
+        verified_emails = [email for email in get_email.json() if email["verified"]]
+        primary_emails = [email for email in get_email.json() if email["primary"]]
 
-    verified_emails = [email for email in get_email.json() if email['verified']]
-    primary_emails = [email for email in get_email.json() if email['primary']]
+        # Special case: We don't care about whether an e-mail address is "verified" under GHE.
+        if self.is_enterprise() and not verified_emails:
+            verified_emails = primary_emails
 
-    # Special case: We don't care about whether an e-mail address is "verified" under GHE.
-    if self.is_enterprise() and not verified_emails:
-      verified_emails = primary_emails
+        allowed_emails = primary_emails or verified_emails or []
+        return allowed_emails[0]["email"] if len(allowed_emails) > 0 else None
 
-    allowed_emails = (primary_emails or verified_emails or [])
-    return allowed_emails[0]['email'] if len(allowed_emails) > 0 else None
+    def service_verify_user_info_for_login(
+        self, app_config, http_client, token, user_info
+    ):
+        # Retrieve the user's orgnizations (if organization filtering is turned on)
+        if self.allowed_organizations() is None:
+            return
 
-  def service_verify_user_info_for_login(self, app_config, http_client, token, user_info):
-    # Retrieve the user's orgnizations (if organization filtering is turned on)
-    if self.allowed_organizations() is None:
-      return
+        moondragon_media_type = {"Accept": "application/vnd.github.moondragon+json"}
 
-    moondragon_media_type = {
-      'Accept': 'application/vnd.github.moondragon+json'
-    }
+        token_param = {"access_token": token}
 
-    token_param = {
-      'access_token': token,
-    }
+        get_orgs = http_client.get(
+            self.orgs_endpoint(), params=token_param, headers=moondragon_media_type
+        )
 
-    get_orgs = http_client.get(self.orgs_endpoint(), params=token_param,
-                               headers=moondragon_media_type)
+        if get_orgs.status_code // 100 != 2:
+            logger.debug("get_orgs response: %s", get_orgs.json())
+            raise OAuthLoginException(
+                "Got non-2XX response for org lookup: %s" % get_orgs.status_code
+            )
 
-    if get_orgs.status_code // 100 != 2:
-      logger.debug('get_orgs response: %s', get_orgs.json())
-      raise OAuthLoginException('Got non-2XX response for org lookup: %s' %
-                                get_orgs.status_code)
-
-    organizations = set([org.get('login').lower() for org in get_orgs.json()])
-    matching_organizations = organizations & set(self.allowed_organizations())
-    if not matching_organizations:
-      logger.debug('Found organizations %s, but expected one of %s', organizations,
-                   self.allowed_organizations())
-      err = """You are not a member of an allowed GitHub organization.
+        organizations = set([org.get("login").lower() for org in get_orgs.json()])
+        matching_organizations = organizations & set(self.allowed_organizations())
+        if not matching_organizations:
+            logger.debug(
+                "Found organizations %s, but expected one of %s",
+                organizations,
+                self.allowed_organizations(),
+            )
+            err = """You are not a member of an allowed GitHub organization.
                Please contact your system administrator if you believe this is in error."""
-      raise OAuthLoginException(err)
+            raise OAuthLoginException(err)
diff --git a/oauth/services/gitlab.py b/oauth/services/gitlab.py
index 9b0dcc2ec..4916dbbb6 100644
--- a/oauth/services/gitlab.py
+++ b/oauth/services/gitlab.py
@@ -1,60 +1,63 @@
 from oauth.base import OAuthService, OAuthEndpoint
 from util import slash_join
 
+
 class GitLabOAuthService(OAuthService):
-  def __init__(self, config, key_name):
-    super(GitLabOAuthService, self).__init__(config, key_name)
+    def __init__(self, config, key_name):
+        super(GitLabOAuthService, self).__init__(config, key_name)
 
-  def service_id(self):
-    return 'gitlab'
+    def service_id(self):
+        return "gitlab"
 
-  def service_name(self):
-    return 'GitLab'
+    def service_name(self):
+        return "GitLab"
 
-  def _endpoint(self):
-    return self.config.get('GITLAB_ENDPOINT', 'https://gitlab.com')
+    def _endpoint(self):
+        return self.config.get("GITLAB_ENDPOINT", "https://gitlab.com")
 
-  def user_endpoint(self):
-    raise NotImplementedError
+    def user_endpoint(self):
+        raise NotImplementedError
 
-  def api_endpoint(self):
-    return self._endpoint()
+    def api_endpoint(self):
+        return self._endpoint()
 
-  def get_public_url(self, suffix):
-    return slash_join(self._endpoint(), suffix)
+    def get_public_url(self, suffix):
+        return slash_join(self._endpoint(), suffix)
 
-  def authorize_endpoint(self):
-    return OAuthEndpoint(slash_join(self._endpoint(), '/oauth/authorize'))
+    def authorize_endpoint(self):
+        return OAuthEndpoint(slash_join(self._endpoint(), "/oauth/authorize"))
 
-  def token_endpoint(self):
-    return OAuthEndpoint(slash_join(self._endpoint(), '/oauth/token'))
+    def token_endpoint(self):
+        return OAuthEndpoint(slash_join(self._endpoint(), "/oauth/token"))
 
-  def validate_client_id_and_secret(self, http_client, url_scheme_and_hostname):
-    # We validate the client ID and secret by hitting the OAuth token exchange endpoint with
-    # the real client ID and secret, but a fake auth code to exchange. Gitlab's implementation will
-    # return `invalid_client` as the `error` if the client ID or secret is invalid; otherwise, it
-    # will return another error.
-    url = self.token_endpoint().to_url()
-    redirect_uri = self.get_redirect_uri(url_scheme_and_hostname, redirect_suffix='trigger')
-    data = {
-      'code': 'fakecode',
-      'client_id': self.client_id(),
-      'client_secret': self.client_secret(),
-      'grant_type': 'authorization_code',
-      'redirect_uri': redirect_uri
-    }
+    def validate_client_id_and_secret(self, http_client, url_scheme_and_hostname):
+        # We validate the client ID and secret by hitting the OAuth token exchange endpoint with
+        # the real client ID and secret, but a fake auth code to exchange. Gitlab's implementation will
+        # return `invalid_client` as the `error` if the client ID or secret is invalid; otherwise, it
+        # will return another error.
+        url = self.token_endpoint().to_url()
+        redirect_uri = self.get_redirect_uri(
+            url_scheme_and_hostname, redirect_suffix="trigger"
+        )
+        data = {
+            "code": "fakecode",
+            "client_id": self.client_id(),
+            "client_secret": self.client_secret(),
+            "grant_type": "authorization_code",
+            "redirect_uri": redirect_uri,
+        }
 
-    # We validate by checking the error code we receive from this call.
-    result = http_client.post(url, data=data, timeout=5)
-    value = result.json()
-    if not value:
-      return False
+        # We validate by checking the error code we receive from this call.
+        result = http_client.post(url, data=data, timeout=5)
+        value = result.json()
+        if not value:
+            return False
 
-    return value.get('error', '') != 'invalid_client'
+        return value.get("error", "") != "invalid_client"
 
-  def get_public_config(self):
-    return {
-      'CLIENT_ID': self.client_id(),
-      'AUTHORIZE_ENDPOINT': self.authorize_endpoint().to_url(),
-      'GITLAB_ENDPOINT': self._endpoint(),
-    }
+    def get_public_config(self):
+        return {
+            "CLIENT_ID": self.client_id(),
+            "AUTHORIZE_ENDPOINT": self.authorize_endpoint().to_url(),
+            "GITLAB_ENDPOINT": self._endpoint(),
+        }
diff --git a/oauth/services/google.py b/oauth/services/google.py
index 515a5b5dd..f66ac12db 100644
--- a/oauth/services/google.py
+++ b/oauth/services/google.py
@@ -1,81 +1,87 @@
 from oauth.base import OAuthEndpoint
 from oauth.login import OAuthLoginService
 
-def _get_email_username(email_address):
-  username = email_address
-  at = username.find('@')
-  if at > 0:
-    username = username[0:at]
 
-  return username
+def _get_email_username(email_address):
+    username = email_address
+    at = username.find("@")
+    if at > 0:
+        username = username[0:at]
+
+    return username
+
 
 class GoogleOAuthService(OAuthLoginService):
-  def __init__(self, config, key_name):
-    super(GoogleOAuthService, self).__init__(config, key_name)
+    def __init__(self, config, key_name):
+        super(GoogleOAuthService, self).__init__(config, key_name)
 
-  def login_enabled(self, config):
-    return config.get('FEATURE_GOOGLE_LOGIN', False)
+    def login_enabled(self, config):
+        return config.get("FEATURE_GOOGLE_LOGIN", False)
 
-  def service_id(self):
-    return 'google'
+    def service_id(self):
+        return "google"
 
-  def service_name(self):
-    return 'Google'
+    def service_name(self):
+        return "Google"
 
-  def get_icon(self):
-    return 'fa-google'
+    def get_icon(self):
+        return "fa-google"
 
-  def get_login_scopes(self):
-    return ['openid', 'email']
+    def get_login_scopes(self):
+        return ["openid", "email"]
 
-  def authorize_endpoint(self):
-    return OAuthEndpoint('https://accounts.google.com/o/oauth2/auth',
-                         params=dict(response_type='code'))
+    def authorize_endpoint(self):
+        return OAuthEndpoint(
+            "https://accounts.google.com/o/oauth2/auth",
+            params=dict(response_type="code"),
+        )
 
-  def token_endpoint(self):
-    return OAuthEndpoint('https://accounts.google.com/o/oauth2/token')
+    def token_endpoint(self):
+        return OAuthEndpoint("https://accounts.google.com/o/oauth2/token")
 
-  def user_endpoint(self):
-    return OAuthEndpoint('https://www.googleapis.com/oauth2/v1/userinfo')
+    def user_endpoint(self):
+        return OAuthEndpoint("https://www.googleapis.com/oauth2/v1/userinfo")
 
-  def requires_form_encoding(self):
-    return True
+    def requires_form_encoding(self):
+        return True
 
-  def validate_client_id_and_secret(self, http_client, url_scheme_and_hostname):
-    # To verify the Google client ID and secret, we hit the
-    # https://www.googleapis.com/oauth2/v3/token endpoint with an invalid request. If the client
-    # ID or secret are invalid, we get returned a 403 Unauthorized. Otherwise, we get returned
-    # another response code.
-    url = 'https://www.googleapis.com/oauth2/v3/token'
-    data = {
-      'code': 'fakecode',
-      'client_id': self.client_id(),
-      'client_secret': self.client_secret(),
-      'grant_type': 'authorization_code',
-      'redirect_uri': 'http://example.com'
-    }
+    def validate_client_id_and_secret(self, http_client, url_scheme_and_hostname):
+        # To verify the Google client ID and secret, we hit the
+        # https://www.googleapis.com/oauth2/v3/token endpoint with an invalid request. If the client
+        # ID or secret are invalid, we get returned a 403 Unauthorized. Otherwise, we get returned
+        # another response code.
+        url = "https://www.googleapis.com/oauth2/v3/token"
+        data = {
+            "code": "fakecode",
+            "client_id": self.client_id(),
+            "client_secret": self.client_secret(),
+            "grant_type": "authorization_code",
+            "redirect_uri": "http://example.com",
+        }
 
-    result = http_client.post(url, data=data, timeout=5)
-    return result.status_code != 401
+        result = http_client.post(url, data=data, timeout=5)
+        return result.status_code != 401
 
-  def get_public_config(self):
-    return  {
-      'CLIENT_ID': self.client_id(),
-      'AUTHORIZE_ENDPOINT': self.authorize_endpoint().to_url()
-    }
+    def get_public_config(self):
+        return {
+            "CLIENT_ID": self.client_id(),
+            "AUTHORIZE_ENDPOINT": self.authorize_endpoint().to_url(),
+        }
 
-  def get_login_service_id(self, user_info):
-    return user_info['id']
+    def get_login_service_id(self, user_info):
+        return user_info["id"]
 
-  def get_login_service_username(self, user_info):
-    return _get_email_username(user_info['email'])
+    def get_login_service_username(self, user_info):
+        return _get_email_username(user_info["email"])
 
-  def get_verified_user_email(self, app_config, http_client, token, user_info):
-    if not user_info.get('verified_email', False):
-      return None
+    def get_verified_user_email(self, app_config, http_client, token, user_info):
+        if not user_info.get("verified_email", False):
+            return None
 
-    return user_info['email']
+        return user_info["email"]
 
-  def service_verify_user_info_for_login(self, app_config, http_client, token, user_info):
-    # Nothing to do.
-    pass
+    def service_verify_user_info_for_login(
+        self, app_config, http_client, token, user_info
+    ):
+        # Nothing to do.
+        pass
diff --git a/oauth/services/test/test_github.py b/oauth/services/test/test_github.py
index b14ac4952..218e7dbf9 100644
--- a/oauth/services/test/test_github.py
+++ b/oauth/services/test/test_github.py
@@ -2,37 +2,60 @@ import pytest
 
 from oauth.services.github import GithubOAuthService
 
-@pytest.mark.parametrize('trigger_config, domain, api_endpoint, is_enterprise', [
-  ({
-    'CLIENT_ID': 'someclientid',
-    'CLIENT_SECRET': 'someclientsecret',
-    'API_ENDPOINT': 'https://api.github.com/v3',
-  }, 'https://github.com', 'https://api.github.com/v3', False),
-  ({
-    'GITHUB_ENDPOINT': 'https://github.somedomain.com/',
-    'CLIENT_ID': 'someclientid',
-    'CLIENT_SECRET': 'someclientsecret',
-  }, 'https://github.somedomain.com', 'https://github.somedomain.com/api/v3', True),
-  ({
-    'GITHUB_ENDPOINT': 'https://github.somedomain.com/',
-    'API_ENDPOINT': 'http://somedomain.com/api/',
-    'CLIENT_ID': 'someclientid',
-    'CLIENT_SECRET': 'someclientsecret',
-  }, 'https://github.somedomain.com', 'http://somedomain.com/api', True),
-])
+
+@pytest.mark.parametrize(
+    "trigger_config, domain, api_endpoint, is_enterprise",
+    [
+        (
+            {
+                "CLIENT_ID": "someclientid",
+                "CLIENT_SECRET": "someclientsecret",
+                "API_ENDPOINT": "https://api.github.com/v3",
+            },
+            "https://github.com",
+            "https://api.github.com/v3",
+            False,
+        ),
+        (
+            {
+                "GITHUB_ENDPOINT": "https://github.somedomain.com/",
+                "CLIENT_ID": "someclientid",
+                "CLIENT_SECRET": "someclientsecret",
+            },
+            "https://github.somedomain.com",
+            "https://github.somedomain.com/api/v3",
+            True,
+        ),
+        (
+            {
+                "GITHUB_ENDPOINT": "https://github.somedomain.com/",
+                "API_ENDPOINT": "http://somedomain.com/api/",
+                "CLIENT_ID": "someclientid",
+                "CLIENT_SECRET": "someclientsecret",
+            },
+            "https://github.somedomain.com",
+            "http://somedomain.com/api",
+            True,
+        ),
+    ],
+)
 def test_basic_enterprise_config(trigger_config, domain, api_endpoint, is_enterprise):
-  config = {
-    'GITHUB_TRIGGER_CONFIG': trigger_config
-  }
+    config = {"GITHUB_TRIGGER_CONFIG": trigger_config}
 
-  github_trigger = GithubOAuthService(config, 'GITHUB_TRIGGER_CONFIG')
-  assert github_trigger.is_enterprise() == is_enterprise
+    github_trigger = GithubOAuthService(config, "GITHUB_TRIGGER_CONFIG")
+    assert github_trigger.is_enterprise() == is_enterprise
 
-  assert github_trigger.authorize_endpoint().to_url() == '%s/login/oauth/authorize' % domain
+    assert (
+        github_trigger.authorize_endpoint().to_url()
+        == "%s/login/oauth/authorize" % domain
+    )
 
-  assert github_trigger.token_endpoint().to_url() == '%s/login/oauth/access_token' % domain
+    assert (
+        github_trigger.token_endpoint().to_url()
+        == "%s/login/oauth/access_token" % domain
+    )
 
-  assert github_trigger.api_endpoint() == api_endpoint
-  assert github_trigger.user_endpoint().to_url() == '%s/user' % api_endpoint
-  assert github_trigger.email_endpoint() == '%s/user/emails' % api_endpoint
-  assert github_trigger.orgs_endpoint() == '%s/user/orgs' % api_endpoint
+    assert github_trigger.api_endpoint() == api_endpoint
+    assert github_trigger.user_endpoint().to_url() == "%s/user" % api_endpoint
+    assert github_trigger.email_endpoint() == "%s/user/emails" % api_endpoint
+    assert github_trigger.orgs_endpoint() == "%s/user/orgs" % api_endpoint
diff --git a/oauth/test/test_loginmanager.py b/oauth/test/test_loginmanager.py
index 491216104..88372d343 100644
--- a/oauth/test/test_loginmanager.py
+++ b/oauth/test/test_loginmanager.py
@@ -3,60 +3,53 @@ from oauth.services.github import GithubOAuthService
 from oauth.services.google import GoogleOAuthService
 from oauth.oidc import OIDCLoginService
 
-def test_login_manager_github():
-  config = {
-    'FEATURE_GITHUB_LOGIN': True,
-    'GITHUB_LOGIN_CONFIG': {},
-  }
 
-  loginmanager = OAuthLoginManager(config)
-  assert len(loginmanager.services) == 1
-  assert isinstance(loginmanager.services[0], GithubOAuthService)
+def test_login_manager_github():
+    config = {"FEATURE_GITHUB_LOGIN": True, "GITHUB_LOGIN_CONFIG": {}}
+
+    loginmanager = OAuthLoginManager(config)
+    assert len(loginmanager.services) == 1
+    assert isinstance(loginmanager.services[0], GithubOAuthService)
+
 
 def test_github_disabled():
-  config = {
-    'GITHUB_LOGIN_CONFIG': {},
-  }
+    config = {"GITHUB_LOGIN_CONFIG": {}}
+
+    loginmanager = OAuthLoginManager(config)
+    assert len(loginmanager.services) == 0
 
-  loginmanager = OAuthLoginManager(config)
-  assert len(loginmanager.services) == 0
 
 def test_login_manager_google():
-  config = {
-    'FEATURE_GOOGLE_LOGIN': True,
-    'GOOGLE_LOGIN_CONFIG': {},
-  }
+    config = {"FEATURE_GOOGLE_LOGIN": True, "GOOGLE_LOGIN_CONFIG": {}}
+
+    loginmanager = OAuthLoginManager(config)
+    assert len(loginmanager.services) == 1
+    assert isinstance(loginmanager.services[0], GoogleOAuthService)
 
-  loginmanager = OAuthLoginManager(config)
-  assert len(loginmanager.services) == 1
-  assert isinstance(loginmanager.services[0], GoogleOAuthService)
 
 def test_google_disabled():
-  config = {
-    'GOOGLE_LOGIN_CONFIG': {},
-  }
+    config = {"GOOGLE_LOGIN_CONFIG": {}}
+
+    loginmanager = OAuthLoginManager(config)
+    assert len(loginmanager.services) == 0
 
-  loginmanager = OAuthLoginManager(config)
-  assert len(loginmanager.services) == 0
 
 def test_oidc():
-  config = {
-    'SOMECOOL_LOGIN_CONFIG': {},
-    'HTTPCLIENT': None,
-  }
+    config = {"SOMECOOL_LOGIN_CONFIG": {}, "HTTPCLIENT": None}
+
+    loginmanager = OAuthLoginManager(config)
+    assert len(loginmanager.services) == 1
+    assert isinstance(loginmanager.services[0], OIDCLoginService)
 
-  loginmanager = OAuthLoginManager(config)
-  assert len(loginmanager.services) == 1
-  assert isinstance(loginmanager.services[0], OIDCLoginService)
 
 def test_multiple_oidc():
-  config = {
-    'SOMECOOL_LOGIN_CONFIG': {},
-    'ANOTHER_LOGIN_CONFIG': {},
-    'HTTPCLIENT': None,
-  }
+    config = {
+        "SOMECOOL_LOGIN_CONFIG": {},
+        "ANOTHER_LOGIN_CONFIG": {},
+        "HTTPCLIENT": None,
+    }
 
-  loginmanager = OAuthLoginManager(config)
-  assert len(loginmanager.services) == 2
-  assert isinstance(loginmanager.services[0], OIDCLoginService)
-  assert isinstance(loginmanager.services[1], OIDCLoginService)
+    loginmanager = OAuthLoginManager(config)
+    assert len(loginmanager.services) == 2
+    assert isinstance(loginmanager.services[0], OIDCLoginService)
+    assert isinstance(loginmanager.services[1], OIDCLoginService)
diff --git a/oauth/test/test_oidc.py b/oauth/test/test_oidc.py
index 3ab184593..2ad62ac19 100644
--- a/oauth/test/test_oidc.py
+++ b/oauth/test/test_oidc.py
@@ -16,327 +16,401 @@ from oauth.oidc import OIDCLoginService, OAuthLoginException
 from util.config import URLSchemeAndHostname
 
 
-@pytest.fixture(scope='module') # Slow to generate, only do it once.
+@pytest.fixture(scope="module")  # Slow to generate, only do it once.
 def signing_key():
-  private_key = RSA.generate(2048)
-  jwk = RSAKey(key=private_key.publickey()).serialize()
-  return {
-    'id': 'somekey',
-    'private_key': private_key.exportKey('PEM'),
-    'jwk': jwk,
-  }
+    private_key = RSA.generate(2048)
+    jwk = RSAKey(key=private_key.publickey()).serialize()
+    return {"id": "somekey", "private_key": private_key.exportKey("PEM"), "jwk": jwk}
+
 
 @pytest.fixture(scope="module")
 def http_client():
-  sess = requests.Session()
-  adapter = requests.adapters.HTTPAdapter(pool_connections=100,
-                                          pool_maxsize=100)
-  sess.mount('http://', adapter)
-  sess.mount('https://', adapter)
-  return sess
+    sess = requests.Session()
+    adapter = requests.adapters.HTTPAdapter(pool_connections=100, pool_maxsize=100)
+    sess.mount("http://", adapter)
+    sess.mount("https://", adapter)
+    return sess
+
 
 @pytest.fixture(scope="module")
 def valid_code():
-  return 'validcode'
+    return "validcode"
+
 
 @pytest.fixture(params=[True, False])
 def mailing_feature(request):
-  return request.param
+    return request.param
+
 
 @pytest.fixture(params=[True, False])
 def email_verified(request):
-  return request.param
+    return request.param
+
 
 @pytest.fixture(params=[True, False])
 def userinfo_supported(request):
-  return request.param
+    return request.param
+
 
 @pytest.fixture(params=["someusername", "foo@bar.com", None])
 def preferred_username(request):
-  return request.param
+    return request.param
+
 
 @pytest.fixture()
 def app_config(http_client, mailing_feature):
-  return {
-    'PREFERRED_URL_SCHEME': 'http',
-    'SERVER_HOSTNAME': 'localhost',
-    'FEATURE_MAILING': mailing_feature,
-
-    'SOMEOIDC_LOGIN_CONFIG': {
-      'CLIENT_ID': 'foo',
-      'CLIENT_SECRET': 'bar',
-      'SERVICE_NAME': 'Some Cool Service',
-      'SERVICE_ICON': 'http://some/icon',
-      'OIDC_SERVER': 'http://fakeoidc',
-      'DEBUGGING': True,
-    },
-
-    'ANOTHEROIDC_LOGIN_CONFIG': {
-      'CLIENT_ID': 'foo',
-      'CLIENT_SECRET': 'bar',
-      'SERVICE_NAME': 'Some Other Service',
-      'SERVICE_ICON': 'http://some/icon',
-      'OIDC_SERVER': 'http://fakeoidc',
-      'LOGIN_SCOPES': ['openid'],
-      'DEBUGGING': True,
-    },
-
-    'OIDCWITHPARAMS_LOGIN_CONFIG': {
-      'CLIENT_ID': 'foo',
-      'CLIENT_SECRET': 'bar',
-      'SERVICE_NAME': 'Some Other Service',
-      'SERVICE_ICON': 'http://some/icon',
-      'OIDC_SERVER': 'http://fakeoidc',
-      'DEBUGGING': True,
-      'OIDC_ENDPOINT_CUSTOM_PARAMS': {
-        'authorization_endpoint': {
-          'some': 'param',
+    return {
+        "PREFERRED_URL_SCHEME": "http",
+        "SERVER_HOSTNAME": "localhost",
+        "FEATURE_MAILING": mailing_feature,
+        "SOMEOIDC_LOGIN_CONFIG": {
+            "CLIENT_ID": "foo",
+            "CLIENT_SECRET": "bar",
+            "SERVICE_NAME": "Some Cool Service",
+            "SERVICE_ICON": "http://some/icon",
+            "OIDC_SERVER": "http://fakeoidc",
+            "DEBUGGING": True,
         },
-      },
-    },
+        "ANOTHEROIDC_LOGIN_CONFIG": {
+            "CLIENT_ID": "foo",
+            "CLIENT_SECRET": "bar",
+            "SERVICE_NAME": "Some Other Service",
+            "SERVICE_ICON": "http://some/icon",
+            "OIDC_SERVER": "http://fakeoidc",
+            "LOGIN_SCOPES": ["openid"],
+            "DEBUGGING": True,
+        },
+        "OIDCWITHPARAMS_LOGIN_CONFIG": {
+            "CLIENT_ID": "foo",
+            "CLIENT_SECRET": "bar",
+            "SERVICE_NAME": "Some Other Service",
+            "SERVICE_ICON": "http://some/icon",
+            "OIDC_SERVER": "http://fakeoidc",
+            "DEBUGGING": True,
+            "OIDC_ENDPOINT_CUSTOM_PARAMS": {
+                "authorization_endpoint": {"some": "param"}
+            },
+        },
+        "HTTPCLIENT": http_client,
+    }
 
-    'HTTPCLIENT': http_client,
-  }
 
 @pytest.fixture()
 def oidc_service(app_config):
-  return OIDCLoginService(app_config, 'SOMEOIDC_LOGIN_CONFIG')
+    return OIDCLoginService(app_config, "SOMEOIDC_LOGIN_CONFIG")
+
 
 @pytest.fixture()
 def another_oidc_service(app_config):
-  return OIDCLoginService(app_config, 'ANOTHEROIDC_LOGIN_CONFIG')
+    return OIDCLoginService(app_config, "ANOTHEROIDC_LOGIN_CONFIG")
+
 
 @pytest.fixture()
 def oidc_withparams_service(app_config):
-  return OIDCLoginService(app_config, 'OIDCWITHPARAMS_LOGIN_CONFIG')
+    return OIDCLoginService(app_config, "OIDCWITHPARAMS_LOGIN_CONFIG")
+
 
 @pytest.fixture()
 def discovery_content(userinfo_supported):
-  return {
-    'scopes_supported': ['openid', 'profile', 'somescope'],
-    'authorization_endpoint': 'http://fakeoidc/authorize',
-    'token_endpoint': 'http://fakeoidc/token',
-    'userinfo_endpoint': 'http://fakeoidc/userinfo' if userinfo_supported else None,
-    'jwks_uri': 'http://fakeoidc/jwks',
-  }
+    return {
+        "scopes_supported": ["openid", "profile", "somescope"],
+        "authorization_endpoint": "http://fakeoidc/authorize",
+        "token_endpoint": "http://fakeoidc/token",
+        "userinfo_endpoint": "http://fakeoidc/userinfo" if userinfo_supported else None,
+        "jwks_uri": "http://fakeoidc/jwks",
+    }
+
 
 @pytest.fixture()
 def userinfo_content(preferred_username, email_verified):
-  return {
-    'sub': 'cooluser',
-    'preferred_username': preferred_username,
-    'email': 'foo@example.com',
-    'email_verified': email_verified,
-  }
+    return {
+        "sub": "cooluser",
+        "preferred_username": preferred_username,
+        "email": "foo@example.com",
+        "email_verified": email_verified,
+    }
+
 
 @pytest.fixture()
 def id_token(oidc_service, signing_key, userinfo_content, app_config):
-  token_data = {
-    'iss': oidc_service.config['OIDC_SERVER'],
-    'aud': oidc_service.client_id(),
-    'nbf': int(time.time()),
-    'iat': int(time.time()),
-    'exp': int(time.time() + 600),
-    'sub': 'cooluser',
-  }
+    token_data = {
+        "iss": oidc_service.config["OIDC_SERVER"],
+        "aud": oidc_service.client_id(),
+        "nbf": int(time.time()),
+        "iat": int(time.time()),
+        "exp": int(time.time() + 600),
+        "sub": "cooluser",
+    }
 
-  token_data.update(userinfo_content)
+    token_data.update(userinfo_content)
 
-  token_headers = {
-    'kid': signing_key['id'],
-  }
+    token_headers = {"kid": signing_key["id"]}
+
+    return jwt.encode(
+        token_data, signing_key["private_key"], "RS256", headers=token_headers
+    )
 
-  return jwt.encode(token_data, signing_key['private_key'], 'RS256', headers=token_headers)
 
 @pytest.fixture()
 def discovery_handler(discovery_content):
-  @urlmatch(netloc=r'fakeoidc', path=r'.+openid.+')
-  def handler(_, __):
-    return json.dumps(discovery_content)
+    @urlmatch(netloc=r"fakeoidc", path=r".+openid.+")
+    def handler(_, __):
+        return json.dumps(discovery_content)
+
+    return handler
 
-  return handler
 
 @pytest.fixture()
 def authorize_handler(discovery_content):
-  @urlmatch(netloc=r'fakeoidc', path=r'/authorize')
-  def handler(_, request):
-    parsed = urlparse.urlparse(request.url)
-    params = urlparse.parse_qs(parsed.query)
-    return json.dumps({'authorized': True, 'scope': params['scope'][0], 'state': params['state'][0]})
+    @urlmatch(netloc=r"fakeoidc", path=r"/authorize")
+    def handler(_, request):
+        parsed = urlparse.urlparse(request.url)
+        params = urlparse.parse_qs(parsed.query)
+        return json.dumps(
+            {
+                "authorized": True,
+                "scope": params["scope"][0],
+                "state": params["state"][0],
+            }
+        )
+
+    return handler
 
-  return handler
 
 @pytest.fixture()
 def token_handler(oidc_service, id_token, valid_code):
-  @urlmatch(netloc=r'fakeoidc', path=r'/token')
-  def handler(_, request):
-    params = urlparse.parse_qs(request.body)
-    if params.get('redirect_uri')[0] != 'http://localhost/oauth2/someoidc/callback':
-      return {'status_code': 400, 'content': 'Invalid redirect URI'}
+    @urlmatch(netloc=r"fakeoidc", path=r"/token")
+    def handler(_, request):
+        params = urlparse.parse_qs(request.body)
+        if params.get("redirect_uri")[0] != "http://localhost/oauth2/someoidc/callback":
+            return {"status_code": 400, "content": "Invalid redirect URI"}
 
-    if params.get('client_id')[0] != oidc_service.client_id():
-      return {'status_code': 401, 'content': 'Invalid client id'}
+        if params.get("client_id")[0] != oidc_service.client_id():
+            return {"status_code": 401, "content": "Invalid client id"}
 
-    if params.get('client_secret')[0] != oidc_service.client_secret():
-      return {'status_code': 401, 'content': 'Invalid client secret'}
+        if params.get("client_secret")[0] != oidc_service.client_secret():
+            return {"status_code": 401, "content": "Invalid client secret"}
 
-    if params.get('code')[0] != valid_code:
-      return {'status_code': 401, 'content': 'Invalid code'}
+        if params.get("code")[0] != valid_code:
+            return {"status_code": 401, "content": "Invalid code"}
 
-    if params.get('grant_type')[0] != 'authorization_code':
-      return {'status_code': 400, 'content': 'Invalid authorization type'}
+        if params.get("grant_type")[0] != "authorization_code":
+            return {"status_code": 400, "content": "Invalid authorization type"}
 
-    content = {
-      'access_token': 'sometoken',
-      'id_token': id_token,
-    }
-    return {'status_code': 200, 'content': json.dumps(content)}
+        content = {"access_token": "sometoken", "id_token": id_token}
+        return {"status_code": 200, "content": json.dumps(content)}
+
+    return handler
 
-  return handler
 
 @pytest.fixture()
 def jwks_handler(signing_key):
-  def jwk_with_kid(kid, jwk):
-    jwk = jwk.copy()
-    jwk.update({'kid': kid})
-    return jwk
+    def jwk_with_kid(kid, jwk):
+        jwk = jwk.copy()
+        jwk.update({"kid": kid})
+        return jwk
 
-  @urlmatch(netloc=r'fakeoidc', path=r'/jwks')
-  def handler(_, __):
-    content = {'keys': [jwk_with_kid(signing_key['id'], signing_key['jwk'])]}
-    return {'status_code': 200, 'content': json.dumps(content)}
+    @urlmatch(netloc=r"fakeoidc", path=r"/jwks")
+    def handler(_, __):
+        content = {"keys": [jwk_with_kid(signing_key["id"], signing_key["jwk"])]}
+        return {"status_code": 200, "content": json.dumps(content)}
+
+    return handler
 
-  return handler
 
 @pytest.fixture()
 def emptykeys_jwks_handler():
-  @urlmatch(netloc=r'fakeoidc', path=r'/jwks')
-  def handler(_, __):
-    content = {'keys': []}
-    return {'status_code': 200, 'content': json.dumps(content)}
+    @urlmatch(netloc=r"fakeoidc", path=r"/jwks")
+    def handler(_, __):
+        content = {"keys": []}
+        return {"status_code": 200, "content": json.dumps(content)}
+
+    return handler
 
-  return handler
 
 @pytest.fixture
 def userinfo_handler(oidc_service, userinfo_content):
-  @urlmatch(netloc=r'fakeoidc', path=r'/userinfo')
-  def handler(_, req):
-    if req.headers.get('Authorization') != 'Bearer sometoken':
-      return {'status_code': 401, 'content': 'Missing expected header'}
+    @urlmatch(netloc=r"fakeoidc", path=r"/userinfo")
+    def handler(_, req):
+        if req.headers.get("Authorization") != "Bearer sometoken":
+            return {"status_code": 401, "content": "Missing expected header"}
 
-    return {'status_code': 200, 'content': json.dumps(userinfo_content)}
+        return {"status_code": 200, "content": json.dumps(userinfo_content)}
+
+    return handler
 
-  return handler
 
 @pytest.fixture()
 def invalidsub_userinfo_handler(oidc_service):
-  @urlmatch(netloc=r'fakeoidc', path=r'/userinfo')
-  def handler(_, __):
-    content = {
-      'sub': 'invalidsub',
-    }
+    @urlmatch(netloc=r"fakeoidc", path=r"/userinfo")
+    def handler(_, __):
+        content = {"sub": "invalidsub"}
 
-    return {'status_code': 200, 'content': json.dumps(content)}
+        return {"status_code": 200, "content": json.dumps(content)}
 
-  return handler
+    return handler
 
 
 def test_basic_config(oidc_service):
-  assert oidc_service.service_id() == 'someoidc'
-  assert oidc_service.service_name() == 'Some Cool Service'
-  assert oidc_service.get_icon() == 'http://some/icon'
+    assert oidc_service.service_id() == "someoidc"
+    assert oidc_service.service_name() == "Some Cool Service"
+    assert oidc_service.get_icon() == "http://some/icon"
+
 
 def test_discovery(oidc_service, http_client, discovery_content, discovery_handler):
-  with HTTMock(discovery_handler):
-    auth = discovery_content['authorization_endpoint'] + '?response_type=code'
-    assert oidc_service.authorize_endpoint().to_url() == auth
-    assert oidc_service.token_endpoint().to_url() == discovery_content['token_endpoint']
+    with HTTMock(discovery_handler):
+        auth = discovery_content["authorization_endpoint"] + "?response_type=code"
+        assert oidc_service.authorize_endpoint().to_url() == auth
+        assert (
+            oidc_service.token_endpoint().to_url()
+            == discovery_content["token_endpoint"]
+        )
 
-    if discovery_content['userinfo_endpoint'] is None:
-      assert oidc_service.user_endpoint() is None
-    else:
-      assert oidc_service.user_endpoint().to_url() == discovery_content['userinfo_endpoint']
+        if discovery_content["userinfo_endpoint"] is None:
+            assert oidc_service.user_endpoint() is None
+        else:
+            assert (
+                oidc_service.user_endpoint().to_url()
+                == discovery_content["userinfo_endpoint"]
+            )
 
-    assert set(oidc_service.get_login_scopes()) == set(discovery_content['scopes_supported'])
+        assert set(oidc_service.get_login_scopes()) == set(
+            discovery_content["scopes_supported"]
+        )
 
-def test_discovery_with_params(oidc_withparams_service, http_client, discovery_content, discovery_handler):
-  with HTTMock(discovery_handler):
-    assert 'some=param' in oidc_withparams_service.authorize_endpoint().to_url()
 
-def test_filtered_discovery(another_oidc_service, http_client, discovery_content, discovery_handler):
-  with HTTMock(discovery_handler):
-    assert another_oidc_service.get_login_scopes() == ['openid']
+def test_discovery_with_params(
+    oidc_withparams_service, http_client, discovery_content, discovery_handler
+):
+    with HTTMock(discovery_handler):
+        assert "some=param" in oidc_withparams_service.authorize_endpoint().to_url()
+
+
+def test_filtered_discovery(
+    another_oidc_service, http_client, discovery_content, discovery_handler
+):
+    with HTTMock(discovery_handler):
+        assert another_oidc_service.get_login_scopes() == ["openid"]
+
 
 def test_public_config(oidc_service, discovery_handler):
-  with HTTMock(discovery_handler):
-    assert oidc_service.get_public_config()['OIDC']
-    assert oidc_service.get_public_config()['CLIENT_ID'] == 'foo'
+    with HTTMock(discovery_handler):
+        assert oidc_service.get_public_config()["OIDC"]
+        assert oidc_service.get_public_config()["CLIENT_ID"] == "foo"
+
+        assert "CLIENT_SECRET" not in oidc_service.get_public_config()
+        assert "bar" not in oidc_service.get_public_config().values()
 
-    assert 'CLIENT_SECRET' not in oidc_service.get_public_config()
-    assert 'bar' not in oidc_service.get_public_config().values()
 
 def test_auth_url(oidc_service, discovery_handler, http_client, authorize_handler):
-  config = {'PREFERRED_URL_SCHEME': 'https', 'SERVER_HOSTNAME': 'someserver'}
+    config = {"PREFERRED_URL_SCHEME": "https", "SERVER_HOSTNAME": "someserver"}
 
-  with HTTMock(discovery_handler, authorize_handler):
-    url_scheme_and_hostname = URLSchemeAndHostname.from_app_config(config)
-    auth_url = oidc_service.get_auth_url(url_scheme_and_hostname, '', 'some csrf token', ['one', 'two'])
+    with HTTMock(discovery_handler, authorize_handler):
+        url_scheme_and_hostname = URLSchemeAndHostname.from_app_config(config)
+        auth_url = oidc_service.get_auth_url(
+            url_scheme_and_hostname, "", "some csrf token", ["one", "two"]
+        )
 
-    # Hit the URL and ensure it works.
-    result = http_client.get(auth_url).json()
-    assert result['state'] == 'some csrf token'
-    assert result['scope'] == 'one two'
+        # Hit the URL and ensure it works.
+        result = http_client.get(auth_url).json()
+        assert result["state"] == "some csrf token"
+        assert result["scope"] == "one two"
 
-def test_exchange_code_invalidcode(oidc_service, discovery_handler, app_config, http_client,
-                                   token_handler):
-  with HTTMock(token_handler, discovery_handler):
-    with pytest.raises(OAuthLoginException):
-      oidc_service.exchange_code_for_login(app_config, http_client, 'testcode', '')
 
-def test_exchange_code_invalidsub(oidc_service, discovery_handler, app_config, http_client,
-                                  token_handler, invalidsub_userinfo_handler, jwks_handler,
-                                  valid_code, userinfo_supported):
-  # Skip when userinfo is not supported.
-  if not userinfo_supported:
-    return
+def test_exchange_code_invalidcode(
+    oidc_service, discovery_handler, app_config, http_client, token_handler
+):
+    with HTTMock(token_handler, discovery_handler):
+        with pytest.raises(OAuthLoginException):
+            oidc_service.exchange_code_for_login(
+                app_config, http_client, "testcode", ""
+            )
 
-  with HTTMock(jwks_handler, token_handler, invalidsub_userinfo_handler, discovery_handler):
-    # Should fail because the sub of the user info doesn't match that returned by the id_token.
-    with pytest.raises(OAuthLoginException):
-      oidc_service.exchange_code_for_login(app_config, http_client, valid_code, '')
 
-def test_exchange_code_missingkey(oidc_service, discovery_handler, app_config, http_client,
-                                  token_handler, userinfo_handler, emptykeys_jwks_handler,
-                                  valid_code):
-  with HTTMock(emptykeys_jwks_handler, token_handler, userinfo_handler, discovery_handler):
-    # Should fail because the key is missing.
-    with pytest.raises(OAuthLoginException):
-      oidc_service.exchange_code_for_login(app_config, http_client, valid_code, '')
+def test_exchange_code_invalidsub(
+    oidc_service,
+    discovery_handler,
+    app_config,
+    http_client,
+    token_handler,
+    invalidsub_userinfo_handler,
+    jwks_handler,
+    valid_code,
+    userinfo_supported,
+):
+    # Skip when userinfo is not supported.
+    if not userinfo_supported:
+        return
 
-def test_exchange_code_validcode(oidc_service, discovery_handler, app_config, http_client,
-                                 token_handler, userinfo_handler, jwks_handler, valid_code,
-                                 preferred_username, mailing_feature, email_verified):
-  with HTTMock(jwks_handler, token_handler, userinfo_handler, discovery_handler):
-    if mailing_feature and not email_verified:
-      # Should fail because there isn't a verified email address.
-      with pytest.raises(OAuthLoginException):
-        oidc_service.exchange_code_for_login(app_config, http_client, valid_code, '')
-    else:
-      # Should succeed.
-      lid, lusername, lemail = oidc_service.exchange_code_for_login(app_config, http_client,
-                                                                    valid_code, '')
+    with HTTMock(
+        jwks_handler, token_handler, invalidsub_userinfo_handler, discovery_handler
+    ):
+        # Should fail because the sub of the user info doesn't match that returned by the id_token.
+        with pytest.raises(OAuthLoginException):
+            oidc_service.exchange_code_for_login(
+                app_config, http_client, valid_code, ""
+            )
 
-      assert lid == 'cooluser'
 
-      if email_verified:
-        assert lemail == 'foo@example.com'
-      else:
-        assert lemail is None
+def test_exchange_code_missingkey(
+    oidc_service,
+    discovery_handler,
+    app_config,
+    http_client,
+    token_handler,
+    userinfo_handler,
+    emptykeys_jwks_handler,
+    valid_code,
+):
+    with HTTMock(
+        emptykeys_jwks_handler, token_handler, userinfo_handler, discovery_handler
+    ):
+        # Should fail because the key is missing.
+        with pytest.raises(OAuthLoginException):
+            oidc_service.exchange_code_for_login(
+                app_config, http_client, valid_code, ""
+            )
 
-      if preferred_username is not None:
-        if preferred_username.find('@') >= 0:
-          preferred_username = preferred_username[0:preferred_username.find('@')]
 
-        assert lusername == preferred_username
-      else:
-        assert lusername == lid
+def test_exchange_code_validcode(
+    oidc_service,
+    discovery_handler,
+    app_config,
+    http_client,
+    token_handler,
+    userinfo_handler,
+    jwks_handler,
+    valid_code,
+    preferred_username,
+    mailing_feature,
+    email_verified,
+):
+    with HTTMock(jwks_handler, token_handler, userinfo_handler, discovery_handler):
+        if mailing_feature and not email_verified:
+            # Should fail because there isn't a verified email address.
+            with pytest.raises(OAuthLoginException):
+                oidc_service.exchange_code_for_login(
+                    app_config, http_client, valid_code, ""
+                )
+        else:
+            # Should succeed.
+            lid, lusername, lemail = oidc_service.exchange_code_for_login(
+                app_config, http_client, valid_code, ""
+            )
+
+            assert lid == "cooluser"
+
+            if email_verified:
+                assert lemail == "foo@example.com"
+            else:
+                assert lemail is None
+
+            if preferred_username is not None:
+                if preferred_username.find("@") >= 0:
+                    preferred_username = preferred_username[
+                        0 : preferred_username.find("@")
+                    ]
+
+                assert lusername == preferred_username
+            else:
+                assert lusername == lid
diff --git a/path_converters.py b/path_converters.py
index cd5740186..efecb0a74 100644
--- a/path_converters.py
+++ b/path_converters.py
@@ -4,31 +4,34 @@ import features
 
 
 class APIRepositoryPathConverter(BaseConverter):
-  """ Converter for handling repository paths. Does not handle library paths.
+    """ Converter for handling repository paths. Does not handle library paths.
   """
-  def __init__(self, url_map):
-    super(APIRepositoryPathConverter, self).__init__(url_map)
-    self.weight = 200
-    self.regex = r'([^/]+/[^/]+)'
+
+    def __init__(self, url_map):
+        super(APIRepositoryPathConverter, self).__init__(url_map)
+        self.weight = 200
+        self.regex = r"([^/]+/[^/]+)"
 
 
 class RepositoryPathConverter(BaseConverter):
-  """ Converter for handling repository paths. Handles both library and non-library paths (if
+    """ Converter for handling repository paths. Handles both library and non-library paths (if
       configured).
   """
-  def __init__(self, url_map):
-    super(RepositoryPathConverter, self).__init__(url_map)
-    self.weight = 200
 
-    if features.LIBRARY_SUPPORT:
-      # Allow names without namespaces.
-      self.regex = r'[^/]+(/[^/]+)?'
-    else:
-      self.regex = r'([^/]+/[^/]+)'
+    def __init__(self, url_map):
+        super(RepositoryPathConverter, self).__init__(url_map)
+        self.weight = 200
+
+        if features.LIBRARY_SUPPORT:
+            # Allow names without namespaces.
+            self.regex = r"[^/]+(/[^/]+)?"
+        else:
+            self.regex = r"([^/]+/[^/]+)"
 
 
 class RegexConverter(BaseConverter):
-  """ Converter for handling custom regular expression patterns in paths. """
-  def __init__(self, url_map, regex_value):
-    super(RegexConverter, self).__init__(url_map)
-    self.regex = regex_value
+    """ Converter for handling custom regular expression patterns in paths. """
+
+    def __init__(self, url_map, regex_value):
+        super(RegexConverter, self).__init__(url_map)
+        self.regex = regex_value
diff --git a/registry.py b/registry.py
index 0947f00c9..8d4c06944 100644
--- a/registry.py
+++ b/registry.py
@@ -1,19 +1,23 @@
 # NOTE: Must be before we import or call anything that may be synchronous.
 from gevent import monkey
+
 monkey.patch_all()
 
-import endpoints.decorated # Note: We need to import this module to make sure the decorators are registered.
+import endpoints.decorated  # Note: We need to import this module to make sure the decorators are registered.
 import features
 
 from app import app as application
 
-from endpoints.appr import appr_bp, registry # registry needed to ensure routes registered
+from endpoints.appr import (
+    appr_bp,
+    registry,
+)  # registry needed to ensure routes registered
 from endpoints.v1 import v1_bp
 from endpoints.v2 import v2_bp
 
 
-application.register_blueprint(v1_bp, url_prefix='/v1')
-application.register_blueprint(v2_bp, url_prefix='/v2')
+application.register_blueprint(v1_bp, url_prefix="/v1")
+application.register_blueprint(v2_bp, url_prefix="/v2")
 
 if features.APP_REGISTRY:
-  application.register_blueprint(appr_bp, url_prefix='/cnr')
+    application.register_blueprint(appr_bp, url_prefix="/cnr")
diff --git a/release.py b/release.py
index a0439d9a8..d378625c9 100644
--- a/release.py
+++ b/release.py
@@ -1,14 +1,14 @@
 import os
 
 
-_GIT_HEAD_PATH = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'GIT_HEAD')
+_GIT_HEAD_PATH = os.path.join(os.path.dirname(os.path.realpath(__file__)), "GIT_HEAD")
 
-SERVICE = 'quay'
+SERVICE = "quay"
 GIT_HEAD = None
-REGION = os.environ.get('QUAY_REGION')
+REGION = os.environ.get("QUAY_REGION")
 
 
 # Load git head if available
 if os.path.isfile(_GIT_HEAD_PATH):
-  with open(_GIT_HEAD_PATH) as f:
-    GIT_HEAD = f.read().strip()
+    with open(_GIT_HEAD_PATH) as f:
+        GIT_HEAD = f.read().strip()
diff --git a/secscan.py b/secscan.py
index 0059547c7..7ffee924c 100644
--- a/secscan.py
+++ b/secscan.py
@@ -1,9 +1,10 @@
 # NOTE: Must be before we import or call anything that may be synchronous.
 from gevent import monkey
+
 monkey.patch_all()
 
 from app import app as application
 from endpoints.secscan import secscan
 
 
-application.register_blueprint(secscan, url_prefix='/secscan')
+application.register_blueprint(secscan, url_prefix="/secscan")
diff --git a/storage/__init__.py b/storage/__init__.py
index d7220333e..f8d9db587 100644
--- a/storage/__init__.py
+++ b/storage/__init__.py
@@ -1,6 +1,11 @@
 from storage.local import LocalStorage
-from storage.cloud import (S3Storage, GoogleCloudStorage, RadosGWStorage, CloudFrontedS3Storage,
-                           RHOCSStorage)
+from storage.cloud import (
+    S3Storage,
+    GoogleCloudStorage,
+    RadosGWStorage,
+    CloudFrontedS3Storage,
+    RHOCSStorage,
+)
 from storage.fakestorage import FakeStorage
 from storage.distributedstorage import DistributedStorage
 from storage.swift import SwiftStorage
@@ -8,75 +13,119 @@ from storage.azurestorage import AzureStorage
 from storage.downloadproxy import DownloadProxy
 from util.ipresolver import NoopIPResolver
 
-TYPE_LOCAL_STORAGE = 'LocalStorage'
+TYPE_LOCAL_STORAGE = "LocalStorage"
 
 STORAGE_DRIVER_CLASSES = {
-  'LocalStorage': LocalStorage,
-  'S3Storage': S3Storage,
-  'GoogleCloudStorage': GoogleCloudStorage,
-  'RadosGWStorage': RadosGWStorage,
-  'SwiftStorage': SwiftStorage,
-  'CloudFrontedS3Storage': CloudFrontedS3Storage,
-  'AzureStorage': AzureStorage,
-  'RHOCSStorage': RHOCSStorage,
+    "LocalStorage": LocalStorage,
+    "S3Storage": S3Storage,
+    "GoogleCloudStorage": GoogleCloudStorage,
+    "RadosGWStorage": RadosGWStorage,
+    "SwiftStorage": SwiftStorage,
+    "CloudFrontedS3Storage": CloudFrontedS3Storage,
+    "AzureStorage": AzureStorage,
+    "RHOCSStorage": RHOCSStorage,
 }
 
 
-def get_storage_driver(location, metric_queue, chunk_cleanup_queue, config_provider, ip_resolver,
-                       storage_params):
-  """ Returns a storage driver class for the given storage configuration
+def get_storage_driver(
+    location,
+    metric_queue,
+    chunk_cleanup_queue,
+    config_provider,
+    ip_resolver,
+    storage_params,
+):
+    """ Returns a storage driver class for the given storage configuration
       (a pair of string name and a dict of parameters). """
-  driver = storage_params[0]
-  parameters = storage_params[1]
-  driver_class = STORAGE_DRIVER_CLASSES.get(driver, FakeStorage)
-  context = StorageContext(location, metric_queue, chunk_cleanup_queue, config_provider,
-                           ip_resolver)
-  return driver_class(context, **parameters)
+    driver = storage_params[0]
+    parameters = storage_params[1]
+    driver_class = STORAGE_DRIVER_CLASSES.get(driver, FakeStorage)
+    context = StorageContext(
+        location, metric_queue, chunk_cleanup_queue, config_provider, ip_resolver
+    )
+    return driver_class(context, **parameters)
 
 
 class StorageContext(object):
-  def __init__(self, location, metric_queue, chunk_cleanup_queue, config_provider, ip_resolver):
-    self.location = location
-    self.metric_queue = metric_queue
-    self.chunk_cleanup_queue = chunk_cleanup_queue
-    self.config_provider = config_provider
-    self.ip_resolver = ip_resolver or NoopIPResolver()
+    def __init__(
+        self, location, metric_queue, chunk_cleanup_queue, config_provider, ip_resolver
+    ):
+        self.location = location
+        self.metric_queue = metric_queue
+        self.chunk_cleanup_queue = chunk_cleanup_queue
+        self.config_provider = config_provider
+        self.ip_resolver = ip_resolver or NoopIPResolver()
 
 
 class Storage(object):
-  def __init__(self, app=None, metric_queue=None, chunk_cleanup_queue=None, instance_keys=None,
-               config_provider=None, ip_resolver=None):
-    self.app = app
-    if app is not None:
-      self.state = self.init_app(app, metric_queue, chunk_cleanup_queue, instance_keys,
-                                 config_provider, ip_resolver)
-    else:
-      self.state = None
+    def __init__(
+        self,
+        app=None,
+        metric_queue=None,
+        chunk_cleanup_queue=None,
+        instance_keys=None,
+        config_provider=None,
+        ip_resolver=None,
+    ):
+        self.app = app
+        if app is not None:
+            self.state = self.init_app(
+                app,
+                metric_queue,
+                chunk_cleanup_queue,
+                instance_keys,
+                config_provider,
+                ip_resolver,
+            )
+        else:
+            self.state = None
 
-  def init_app(self, app, metric_queue, chunk_cleanup_queue, instance_keys, config_provider,
-               ip_resolver):
-    storages = {}
-    for location, storage_params in app.config.get('DISTRIBUTED_STORAGE_CONFIG').items():
-      storages[location] = get_storage_driver(location, metric_queue, chunk_cleanup_queue,
-                                              config_provider, ip_resolver, storage_params)
+    def init_app(
+        self,
+        app,
+        metric_queue,
+        chunk_cleanup_queue,
+        instance_keys,
+        config_provider,
+        ip_resolver,
+    ):
+        storages = {}
+        for location, storage_params in app.config.get(
+            "DISTRIBUTED_STORAGE_CONFIG"
+        ).items():
+            storages[location] = get_storage_driver(
+                location,
+                metric_queue,
+                chunk_cleanup_queue,
+                config_provider,
+                ip_resolver,
+                storage_params,
+            )
 
-    preference = app.config.get('DISTRIBUTED_STORAGE_PREFERENCE', None)
-    if not preference:
-      preference = storages.keys()
+        preference = app.config.get("DISTRIBUTED_STORAGE_PREFERENCE", None)
+        if not preference:
+            preference = storages.keys()
 
-    default_locations = app.config.get('DISTRIBUTED_STORAGE_DEFAULT_LOCATIONS') or []
+        default_locations = (
+            app.config.get("DISTRIBUTED_STORAGE_DEFAULT_LOCATIONS") or []
+        )
 
-    download_proxy = None
-    if app.config.get('FEATURE_PROXY_STORAGE', False) and instance_keys is not None:
-      download_proxy = DownloadProxy(app, instance_keys)
+        download_proxy = None
+        if app.config.get("FEATURE_PROXY_STORAGE", False) and instance_keys is not None:
+            download_proxy = DownloadProxy(app, instance_keys)
 
-    d_storage = DistributedStorage(storages, preference, default_locations, download_proxy,
-                                   app.config.get('REGISTRY_STATE') == 'readonly')
+        d_storage = DistributedStorage(
+            storages,
+            preference,
+            default_locations,
+            download_proxy,
+            app.config.get("REGISTRY_STATE") == "readonly",
+        )
 
-    # register extension with app
-    app.extensions = getattr(app, 'extensions', {})
-    app.extensions['storage'] = d_storage
-    return d_storage
+        # register extension with app
+        app.extensions = getattr(app, "extensions", {})
+        app.extensions["storage"] = d_storage
+        return d_storage
 
-  def __getattr__(self, name):
-    return getattr(self.state, name, None)
+    def __getattr__(self, name):
+        return getattr(self.state, name, None)
diff --git a/storage/azurestorage.py b/storage/azurestorage.py
index f24af76a7..f4313a962 100644
--- a/storage/azurestorage.py
+++ b/storage/azurestorage.py
@@ -13,7 +13,12 @@ import time
 from datetime import datetime, timedelta
 
 from azure.common import AzureException
-from azure.storage.blob import BlockBlobService, ContentSettings, BlobBlock, ContainerPermissions
+from azure.storage.blob import (
+    BlockBlobService,
+    ContentSettings,
+    BlobBlock,
+    ContainerPermissions,
+)
 from azure.storage.common.models import CorsRule
 
 from storage.basestorage import BaseStorage
@@ -21,306 +26,390 @@ from util.registry.filelike import LimitingStream, READ_UNTIL_END
 
 logger = logging.getLogger(__name__)
 
-_COPY_POLL_SLEEP = 0.25 # seconds
-_MAX_COPY_POLL_COUNT = 120 # _COPY_POLL_SLEEPs => 120s
-_MAX_BLOCK_SIZE = 1024 * 1024 * 100 # 100MB
-_BLOCKS_KEY = 'blocks'
-_CONTENT_TYPE_KEY = 'content-type'
+_COPY_POLL_SLEEP = 0.25  # seconds
+_MAX_COPY_POLL_COUNT = 120  # _COPY_POLL_SLEEPs => 120s
+_MAX_BLOCK_SIZE = 1024 * 1024 * 100  # 100MB
+_BLOCKS_KEY = "blocks"
+_CONTENT_TYPE_KEY = "content-type"
 
 
 class AzureStorage(BaseStorage):
-  def __init__(self, context, azure_container, storage_path, azure_account_name,
-               azure_account_key=None, sas_token=None, connection_string=None,
-               is_emulated=False, socket_timeout=20, request_timeout=20):
-    super(AzureStorage, self).__init__()
-    self._context = context
-    self._storage_path = storage_path.lstrip('/')
+    def __init__(
+        self,
+        context,
+        azure_container,
+        storage_path,
+        azure_account_name,
+        azure_account_key=None,
+        sas_token=None,
+        connection_string=None,
+        is_emulated=False,
+        socket_timeout=20,
+        request_timeout=20,
+    ):
+        super(AzureStorage, self).__init__()
+        self._context = context
+        self._storage_path = storage_path.lstrip("/")
 
-    self._azure_account_name = azure_account_key
-    self._azure_account_key = azure_account_key
-    self._azure_sas_token = sas_token
-    self._azure_container = azure_container
-    self._azure_connection_string = connection_string
-    self._request_timeout = request_timeout
+        self._azure_account_name = azure_account_key
+        self._azure_account_key = azure_account_key
+        self._azure_sas_token = sas_token
+        self._azure_container = azure_container
+        self._azure_connection_string = connection_string
+        self._request_timeout = request_timeout
 
-    self._blob_service = BlockBlobService(account_name=azure_account_name,
-                                          account_key=azure_account_key,
-                                          sas_token=sas_token,
-                                          is_emulated=is_emulated,
-                                          connection_string=connection_string,
-                                          socket_timeout=socket_timeout)
+        self._blob_service = BlockBlobService(
+            account_name=azure_account_name,
+            account_key=azure_account_key,
+            sas_token=sas_token,
+            is_emulated=is_emulated,
+            connection_string=connection_string,
+            socket_timeout=socket_timeout,
+        )
 
-  def _blob_name_from_path(self, object_path):
-    if '..' in object_path:
-      raise Exception('Relative paths are not allowed; found %s' % object_path)
+    def _blob_name_from_path(self, object_path):
+        if ".." in object_path:
+            raise Exception("Relative paths are not allowed; found %s" % object_path)
 
-    return os.path.join(self._storage_path, object_path).rstrip('/')
+        return os.path.join(self._storage_path, object_path).rstrip("/")
 
-  def _upload_blob_path_from_uuid(self, uuid):
-    return self._blob_name_from_path(self._upload_blob_name_from_uuid(uuid))
+    def _upload_blob_path_from_uuid(self, uuid):
+        return self._blob_name_from_path(self._upload_blob_name_from_uuid(uuid))
 
-  def _upload_blob_name_from_uuid(self, uuid):
-    return 'uploads/{0}'.format(uuid)
+    def _upload_blob_name_from_uuid(self, uuid):
+        return "uploads/{0}".format(uuid)
 
-  def get_direct_download_url(self, object_path, request_ip=None, expires_in=60,
-                              requires_cors=False, head=False):
-    blob_name = self._blob_name_from_path(object_path)
+    def get_direct_download_url(
+        self,
+        object_path,
+        request_ip=None,
+        expires_in=60,
+        requires_cors=False,
+        head=False,
+    ):
+        blob_name = self._blob_name_from_path(object_path)
 
-    try:
-      sas_token = self._blob_service.generate_blob_shared_access_signature(
-        self._azure_container,
-        blob_name,
-        ContainerPermissions.READ,
-        datetime.utcnow() + timedelta(seconds=expires_in))
-      
-      blob_url = self._blob_service.make_blob_url(self._azure_container, blob_name,
-                                                  sas_token=sas_token)
-    except AzureException:
-      logger.exception('Exception when trying to get direct download for path %s', object_path)
-      raise IOError('Exception when trying to get direct download')
-    
-    return blob_url
+        try:
+            sas_token = self._blob_service.generate_blob_shared_access_signature(
+                self._azure_container,
+                blob_name,
+                ContainerPermissions.READ,
+                datetime.utcnow() + timedelta(seconds=expires_in),
+            )
 
-  def validate(self, client):
-    super(AzureStorage, self).validate(client)
-    self._blob_service.get_container_properties(self._azure_container,
-                                                timeout=self._request_timeout)
+            blob_url = self._blob_service.make_blob_url(
+                self._azure_container, blob_name, sas_token=sas_token
+            )
+        except AzureException:
+            logger.exception(
+                "Exception when trying to get direct download for path %s", object_path
+            )
+            raise IOError("Exception when trying to get direct download")
 
-  def get_content(self, path):
-    blob_name = self._blob_name_from_path(path)
-    try:
-      blob = self._blob_service.get_blob_to_bytes(self._azure_container, blob_name)
-    except AzureException:
-      logger.exception('Exception when trying to get path %s', path)
-      raise IOError('Exception when trying to get path')
+        return blob_url
 
-    return blob.content
+    def validate(self, client):
+        super(AzureStorage, self).validate(client)
+        self._blob_service.get_container_properties(
+            self._azure_container, timeout=self._request_timeout
+        )
 
-  def put_content(self, path, content):
-    blob_name = self._blob_name_from_path(path)
-    try:
-      self._blob_service.create_blob_from_bytes(self._azure_container, blob_name, content)
-    except AzureException:
-      logger.exception('Exception when trying to put path %s', path)
-      raise IOError('Exception when trying to put path')
-
-  def stream_read(self, path):
-    with self.stream_read_file(path) as f:
-      while True:
-        buf = f.read(self.buffer_size)
-        if not buf:
-          break
-        yield buf
-
-  def stream_read_file(self, path):
-    blob_name = self._blob_name_from_path(path)
-
-    try:
-      output_stream = io.BytesIO()
-      self._blob_service.get_blob_to_stream(self._azure_container, blob_name, output_stream)
-      output_stream.seek(0)
-    except AzureException:
-      logger.exception('Exception when trying to stream_file_read path %s', path)
-      raise IOError('Exception when trying to stream_file_read path')
-
-    return output_stream
-
-  def stream_write(self, path, fp, content_type=None, content_encoding=None):
-    blob_name = self._blob_name_from_path(path)
-    content_settings = ContentSettings(
-      content_type=content_type,
-      content_encoding=content_encoding,
-    )
-    
-    try:
-      self._blob_service.create_blob_from_stream(self._azure_container, blob_name, fp,
-                                                 content_settings=content_settings)
-    except AzureException:
-      logger.exception('Exception when trying to stream_write path %s', path)
-      raise IOError('Exception when trying to stream_write path')
-
-  def exists(self, path):
-    blob_name = self._blob_name_from_path(path)
-    try:
-      return self._blob_service.exists(self._azure_container, blob_name,
-                                       timeout=self._request_timeout)
-    except AzureException:
-      logger.exception('Exception when trying to check exists path %s', path)
-      raise IOError('Exception when trying to check exists path')
-
-  def remove(self, path):
-    blob_name = self._blob_name_from_path(path)
-    try:
-      self._blob_service.delete_blob(self._azure_container, blob_name)
-    except AzureException:
-      logger.exception('Exception when trying to remove path %s', path)
-      raise IOError('Exception when trying to remove path')
-
-  def get_checksum(self, path):
-    blob_name = self._blob_name_from_path(path)
-    try:
-      blob = self._blob_service.get_blob_properties(self._azure_container, blob_name)
-    except AzureException:
-      logger.exception('Exception when trying to get_checksum for path %s', path)
-      raise IOError('Exception when trying to get_checksum path')
-    return blob.properties.etag
-
-  def initiate_chunked_upload(self):
-    random_uuid = str(uuid.uuid4())
-    metadata = {
-      _BLOCKS_KEY: [],
-      _CONTENT_TYPE_KEY: None,
-    }
-    return random_uuid, metadata
-
-  def stream_upload_chunk(self, uuid, offset, length, in_fp, storage_metadata, content_type=None):
-    if length == 0:
-      return 0, storage_metadata, None
-
-    upload_blob_path = self._upload_blob_path_from_uuid(uuid)
-    new_metadata = copy.deepcopy(storage_metadata)
-
-    total_bytes_written = 0
-
-    while True:
-      current_length = length - total_bytes_written
-      max_length = (min(current_length, _MAX_BLOCK_SIZE) if length != READ_UNTIL_END
-                                                         else _MAX_BLOCK_SIZE)
-      if max_length <= 0:
-        break
-
-      limited = LimitingStream(in_fp, max_length, seekable=False)
-
-      # Note: Azure fails if a zero-length block is uploaded, so we read all the data here,
-      # and, if there is none, terminate early.
-      block_data = b''
-      for chunk in iter(lambda: limited.read(4096), b""):
-          block_data += chunk
-
-      if len(block_data) == 0:
-        break
-
-      block_index = len(new_metadata[_BLOCKS_KEY])
-      block_id = format(block_index, '05')
-      new_metadata[_BLOCKS_KEY].append(block_id)
-
-      try:
-        self._blob_service.put_block(self._azure_container, upload_blob_path, block_data, block_id,
-                                     validate_content=True)
-      except AzureException as ae:
-        logger.exception('Exception when trying to stream_upload_chunk block %s for %s', block_id,
-                        uuid)
-        return total_bytes_written, new_metadata, ae
-
-      bytes_written = len(block_data)
-      total_bytes_written += bytes_written
-      if bytes_written == 0 or bytes_written < max_length:
-        break
-
-    if content_type is not None:
-      new_metadata[_CONTENT_TYPE_KEY] = content_type
-
-    return total_bytes_written, new_metadata, None
-
-  def complete_chunked_upload(self, uuid, final_path, storage_metadata):
-    """ Complete the chunked upload and store the final results in the path indicated.
-        Returns nothing.
-    """
-    # Commit the blob's blocks.
-    upload_blob_path = self._upload_blob_path_from_uuid(uuid)    
-    block_list = [BlobBlock(block_id) for block_id in storage_metadata[_BLOCKS_KEY]]
-
-    try:
-      self._blob_service.put_block_list(self._azure_container, upload_blob_path, block_list)
-    except AzureException:
-      logger.exception('Exception when trying to put block list for path %s from upload %s',
-                       final_path, uuid)
-      raise IOError('Exception when trying to put block list')      
-
-    # Set the content type on the blob if applicable.
-    if storage_metadata[_CONTENT_TYPE_KEY] is not None:
-      content_settings = ContentSettings(content_type=storage_metadata[_CONTENT_TYPE_KEY])
-      try:
-        self._blob_service.set_blob_properties(self._azure_container, upload_blob_path,
-                                               content_settings=content_settings)
-      except AzureException:
-        logger.exception('Exception when trying to set blob properties for path %s', final_path)
-        raise IOError('Exception when trying to set blob properties')      
-
-    # Copy the blob to its final location.
-    upload_blob_name = self._upload_blob_name_from_uuid(uuid)
-    copy_source_url = self.get_direct_download_url(upload_blob_name, expires_in=300)
-
-    try:
-      blob_name = self._blob_name_from_path(final_path)
-      copy_prop = self._blob_service.copy_blob(self._azure_container, blob_name,
-                                               copy_source_url)
-    except AzureException:
-      logger.exception('Exception when trying to set copy uploaded blob %s to path %s', uuid,
-                       final_path)
-      raise IOError('Exception when trying to copy uploaded blob')      
-
-    self._await_copy(self._azure_container, blob_name, copy_prop)
-    
-    # Delete the original blob.
-    logger.debug('Deleting chunked upload %s at path %s', uuid, upload_blob_path)
-    try:
-      self._blob_service.delete_blob(self._azure_container, upload_blob_path)    
-    except AzureException:
-      logger.exception('Exception when trying to set delete uploaded blob %s', uuid)
-      raise IOError('Exception when trying to delete uploaded blob')      
-
-  def cancel_chunked_upload(self, uuid, storage_metadata):
-    """ Cancel the chunked upload and clean up any outstanding partially uploaded data.
-        Returns nothing.
-    """
-    upload_blob_path = self._upload_blob_path_from_uuid(uuid)
-    logger.debug('Canceling chunked upload %s at path %s', uuid, upload_blob_path)
-    self._blob_service.delete_blob(self._azure_container, upload_blob_path)
-
-  def _await_copy(self, container, blob_name, copy_prop):
-    # Poll for copy completion.
-    count = 0
-    while copy_prop.status == 'pending':
-      props = self._blob_service.get_blob_properties(container, blob_name)
-      copy_prop = props.properties.copy
-
-      if copy_prop.status == 'success':
-        return
-      
-      if copy_prop.status == 'failed' or copy_prop.status == 'aborted':
-        raise IOError('Copy of blob %s failed with status %s' % (blob_name, copy_prop.status))
-
-      count = count + 1
-      if count > _MAX_COPY_POLL_COUNT:
-          raise IOError('Timed out waiting for copy to complete')
-
-      time.sleep(_COPY_POLL_SLEEP)
-    
-  def copy_to(self, destination, path):
-    if (self.__class__ == destination.__class__):
-        logger.debug('Starting copying file from Azure %s to Azure %s via an Azure copy',
-                     self._azure_container, destination)
+    def get_content(self, path):
         blob_name = self._blob_name_from_path(path)
-        copy_source_url = self.get_direct_download_url(path)
-        copy_prop = self._blob_service.copy_blob(destination._azure_container, blob_name,
-                                                 copy_source_url)
-        self._await_copy(destination._azure_container, blob_name, copy_prop)
-        logger.debug('Finished copying file from Azure %s to Azure %s via an Azure copy',
-                     self._azure_container, destination)
-        return
+        try:
+            blob = self._blob_service.get_blob_to_bytes(
+                self._azure_container, blob_name
+            )
+        except AzureException:
+            logger.exception("Exception when trying to get path %s", path)
+            raise IOError("Exception when trying to get path")
 
-    # Fallback to a slower, default copy.
-    logger.debug('Copying file from Azure container %s to %s via a streamed copy',
-                 self._azure_container, destination)
-    with self.stream_read_file(path) as fp:
-      destination.stream_write(path, fp)
+        return blob.content
 
-  def setup(self):
-    # From: https://docs.microsoft.com/en-us/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services
-    cors = [CorsRule(allowed_origins='*', allowed_methods=['GET', 'PUT'], max_age_in_seconds=3000,
-                     exposed_headers=['x-ms-meta-*'],
-                     allowed_headers=['x-ms-meta-data*', 'x-ms-meta-target*', 'x-ms-meta-abc',
-                                      'Content-Type'])]
+    def put_content(self, path, content):
+        blob_name = self._blob_name_from_path(path)
+        try:
+            self._blob_service.create_blob_from_bytes(
+                self._azure_container, blob_name, content
+            )
+        except AzureException:
+            logger.exception("Exception when trying to put path %s", path)
+            raise IOError("Exception when trying to put path")
 
-    self._blob_service.set_blob_service_properties(cors=cors)
+    def stream_read(self, path):
+        with self.stream_read_file(path) as f:
+            while True:
+                buf = f.read(self.buffer_size)
+                if not buf:
+                    break
+                yield buf
+
+    def stream_read_file(self, path):
+        blob_name = self._blob_name_from_path(path)
+
+        try:
+            output_stream = io.BytesIO()
+            self._blob_service.get_blob_to_stream(
+                self._azure_container, blob_name, output_stream
+            )
+            output_stream.seek(0)
+        except AzureException:
+            logger.exception("Exception when trying to stream_file_read path %s", path)
+            raise IOError("Exception when trying to stream_file_read path")
+
+        return output_stream
+
+    def stream_write(self, path, fp, content_type=None, content_encoding=None):
+        blob_name = self._blob_name_from_path(path)
+        content_settings = ContentSettings(
+            content_type=content_type, content_encoding=content_encoding
+        )
+
+        try:
+            self._blob_service.create_blob_from_stream(
+                self._azure_container, blob_name, fp, content_settings=content_settings
+            )
+        except AzureException:
+            logger.exception("Exception when trying to stream_write path %s", path)
+            raise IOError("Exception when trying to stream_write path")
+
+    def exists(self, path):
+        blob_name = self._blob_name_from_path(path)
+        try:
+            return self._blob_service.exists(
+                self._azure_container, blob_name, timeout=self._request_timeout
+            )
+        except AzureException:
+            logger.exception("Exception when trying to check exists path %s", path)
+            raise IOError("Exception when trying to check exists path")
+
+    def remove(self, path):
+        blob_name = self._blob_name_from_path(path)
+        try:
+            self._blob_service.delete_blob(self._azure_container, blob_name)
+        except AzureException:
+            logger.exception("Exception when trying to remove path %s", path)
+            raise IOError("Exception when trying to remove path")
+
+    def get_checksum(self, path):
+        blob_name = self._blob_name_from_path(path)
+        try:
+            blob = self._blob_service.get_blob_properties(
+                self._azure_container, blob_name
+            )
+        except AzureException:
+            logger.exception("Exception when trying to get_checksum for path %s", path)
+            raise IOError("Exception when trying to get_checksum path")
+        return blob.properties.etag
+
+    def initiate_chunked_upload(self):
+        random_uuid = str(uuid.uuid4())
+        metadata = {_BLOCKS_KEY: [], _CONTENT_TYPE_KEY: None}
+        return random_uuid, metadata
+
+    def stream_upload_chunk(
+        self, uuid, offset, length, in_fp, storage_metadata, content_type=None
+    ):
+        if length == 0:
+            return 0, storage_metadata, None
+
+        upload_blob_path = self._upload_blob_path_from_uuid(uuid)
+        new_metadata = copy.deepcopy(storage_metadata)
+
+        total_bytes_written = 0
+
+        while True:
+            current_length = length - total_bytes_written
+            max_length = (
+                min(current_length, _MAX_BLOCK_SIZE)
+                if length != READ_UNTIL_END
+                else _MAX_BLOCK_SIZE
+            )
+            if max_length <= 0:
+                break
+
+            limited = LimitingStream(in_fp, max_length, seekable=False)
+
+            # Note: Azure fails if a zero-length block is uploaded, so we read all the data here,
+            # and, if there is none, terminate early.
+            block_data = b""
+            for chunk in iter(lambda: limited.read(4096), b""):
+                block_data += chunk
+
+            if len(block_data) == 0:
+                break
+
+            block_index = len(new_metadata[_BLOCKS_KEY])
+            block_id = format(block_index, "05")
+            new_metadata[_BLOCKS_KEY].append(block_id)
+
+            try:
+                self._blob_service.put_block(
+                    self._azure_container,
+                    upload_blob_path,
+                    block_data,
+                    block_id,
+                    validate_content=True,
+                )
+            except AzureException as ae:
+                logger.exception(
+                    "Exception when trying to stream_upload_chunk block %s for %s",
+                    block_id,
+                    uuid,
+                )
+                return total_bytes_written, new_metadata, ae
+
+            bytes_written = len(block_data)
+            total_bytes_written += bytes_written
+            if bytes_written == 0 or bytes_written < max_length:
+                break
+
+        if content_type is not None:
+            new_metadata[_CONTENT_TYPE_KEY] = content_type
+
+        return total_bytes_written, new_metadata, None
+
+    def complete_chunked_upload(self, uuid, final_path, storage_metadata):
+        """ Complete the chunked upload and store the final results in the path indicated.
+        Returns nothing.
+    """
+        # Commit the blob's blocks.
+        upload_blob_path = self._upload_blob_path_from_uuid(uuid)
+        block_list = [BlobBlock(block_id) for block_id in storage_metadata[_BLOCKS_KEY]]
+
+        try:
+            self._blob_service.put_block_list(
+                self._azure_container, upload_blob_path, block_list
+            )
+        except AzureException:
+            logger.exception(
+                "Exception when trying to put block list for path %s from upload %s",
+                final_path,
+                uuid,
+            )
+            raise IOError("Exception when trying to put block list")
+
+        # Set the content type on the blob if applicable.
+        if storage_metadata[_CONTENT_TYPE_KEY] is not None:
+            content_settings = ContentSettings(
+                content_type=storage_metadata[_CONTENT_TYPE_KEY]
+            )
+            try:
+                self._blob_service.set_blob_properties(
+                    self._azure_container,
+                    upload_blob_path,
+                    content_settings=content_settings,
+                )
+            except AzureException:
+                logger.exception(
+                    "Exception when trying to set blob properties for path %s",
+                    final_path,
+                )
+                raise IOError("Exception when trying to set blob properties")
+
+        # Copy the blob to its final location.
+        upload_blob_name = self._upload_blob_name_from_uuid(uuid)
+        copy_source_url = self.get_direct_download_url(upload_blob_name, expires_in=300)
+
+        try:
+            blob_name = self._blob_name_from_path(final_path)
+            copy_prop = self._blob_service.copy_blob(
+                self._azure_container, blob_name, copy_source_url
+            )
+        except AzureException:
+            logger.exception(
+                "Exception when trying to set copy uploaded blob %s to path %s",
+                uuid,
+                final_path,
+            )
+            raise IOError("Exception when trying to copy uploaded blob")
+
+        self._await_copy(self._azure_container, blob_name, copy_prop)
+
+        # Delete the original blob.
+        logger.debug("Deleting chunked upload %s at path %s", uuid, upload_blob_path)
+        try:
+            self._blob_service.delete_blob(self._azure_container, upload_blob_path)
+        except AzureException:
+            logger.exception(
+                "Exception when trying to set delete uploaded blob %s", uuid
+            )
+            raise IOError("Exception when trying to delete uploaded blob")
+
+    def cancel_chunked_upload(self, uuid, storage_metadata):
+        """ Cancel the chunked upload and clean up any outstanding partially uploaded data.
+        Returns nothing.
+    """
+        upload_blob_path = self._upload_blob_path_from_uuid(uuid)
+        logger.debug("Canceling chunked upload %s at path %s", uuid, upload_blob_path)
+        self._blob_service.delete_blob(self._azure_container, upload_blob_path)
+
+    def _await_copy(self, container, blob_name, copy_prop):
+        # Poll for copy completion.
+        count = 0
+        while copy_prop.status == "pending":
+            props = self._blob_service.get_blob_properties(container, blob_name)
+            copy_prop = props.properties.copy
+
+            if copy_prop.status == "success":
+                return
+
+            if copy_prop.status == "failed" or copy_prop.status == "aborted":
+                raise IOError(
+                    "Copy of blob %s failed with status %s"
+                    % (blob_name, copy_prop.status)
+                )
+
+            count = count + 1
+            if count > _MAX_COPY_POLL_COUNT:
+                raise IOError("Timed out waiting for copy to complete")
+
+            time.sleep(_COPY_POLL_SLEEP)
+
+    def copy_to(self, destination, path):
+        if self.__class__ == destination.__class__:
+            logger.debug(
+                "Starting copying file from Azure %s to Azure %s via an Azure copy",
+                self._azure_container,
+                destination,
+            )
+            blob_name = self._blob_name_from_path(path)
+            copy_source_url = self.get_direct_download_url(path)
+            copy_prop = self._blob_service.copy_blob(
+                destination._azure_container, blob_name, copy_source_url
+            )
+            self._await_copy(destination._azure_container, blob_name, copy_prop)
+            logger.debug(
+                "Finished copying file from Azure %s to Azure %s via an Azure copy",
+                self._azure_container,
+                destination,
+            )
+            return
+
+        # Fallback to a slower, default copy.
+        logger.debug(
+            "Copying file from Azure container %s to %s via a streamed copy",
+            self._azure_container,
+            destination,
+        )
+        with self.stream_read_file(path) as fp:
+            destination.stream_write(path, fp)
+
+    def setup(self):
+        # From: https://docs.microsoft.com/en-us/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services
+        cors = [
+            CorsRule(
+                allowed_origins="*",
+                allowed_methods=["GET", "PUT"],
+                max_age_in_seconds=3000,
+                exposed_headers=["x-ms-meta-*"],
+                allowed_headers=[
+                    "x-ms-meta-data*",
+                    "x-ms-meta-target*",
+                    "x-ms-meta-abc",
+                    "Content-Type",
+                ],
+            )
+        ]
+
+        self._blob_service.set_blob_service_properties(cors=cors)
diff --git a/storage/basestorage.py b/storage/basestorage.py
index 6cc4e96ac..7ef4a7d1d 100644
--- a/storage/basestorage.py
+++ b/storage/basestorage.py
@@ -6,126 +6,131 @@ from util.registry.filelike import READ_UNTIL_END
 
 logger = logging.getLogger(__name__)
 
+
 class StoragePaths(object):
-  shared_images = 'sharedimages'
+    shared_images = "sharedimages"
 
-  @staticmethod
-  def temp_store_handler():
-    tmpf = tempfile.TemporaryFile()
+    @staticmethod
+    def temp_store_handler():
+        tmpf = tempfile.TemporaryFile()
 
-    def fn(buf):
-      try:
-        tmpf.write(buf)
-      except IOError:
-        pass
+        def fn(buf):
+            try:
+                tmpf.write(buf)
+            except IOError:
+                pass
 
-    return tmpf, fn
+        return tmpf, fn
 
-  def _image_path(self, storage_uuid):
-    return '{0}/{1}/'.format(self.shared_images, storage_uuid)
+    def _image_path(self, storage_uuid):
+        return "{0}/{1}/".format(self.shared_images, storage_uuid)
 
-  def v1_image_layer_path(self, storage_uuid):
-    base_path = self._image_path(storage_uuid)
-    return '{0}layer'.format(base_path)
+    def v1_image_layer_path(self, storage_uuid):
+        base_path = self._image_path(storage_uuid)
+        return "{0}layer".format(base_path)
 
-  def blob_path(self, digest_str):
-    return content_path(digest_str)
+    def blob_path(self, digest_str):
+        return content_path(digest_str)
 
 
 class BaseStorage(StoragePaths):
-  def __init__(self):
-    # Set the IO buffer to 64kB
-    self.buffer_size = 64 * 1024
+    def __init__(self):
+        # Set the IO buffer to 64kB
+        self.buffer_size = 64 * 1024
 
-  def setup(self):
-    """ Called to perform any storage system setup. """
-    pass
+    def setup(self):
+        """ Called to perform any storage system setup. """
+        pass
 
-  def validate(self, client):
-    """ Called to perform storage system validation. The client is an HTTP
+    def validate(self, client):
+        """ Called to perform storage system validation. The client is an HTTP
         client to use for any external calls. """
-    # Put a temporary file to make sure the normal storage paths work.
-    self.put_content('_verify', 'testing 123')
-    if not self.exists('_verify'):
-      raise Exception('Could not find verification file')
+        # Put a temporary file to make sure the normal storage paths work.
+        self.put_content("_verify", "testing 123")
+        if not self.exists("_verify"):
+            raise Exception("Could not find verification file")
 
-  def get_direct_download_url(self, path, request_ip=None, expires_in=60, requires_cors=False, head=False):
-    return None
+    def get_direct_download_url(
+        self, path, request_ip=None, expires_in=60, requires_cors=False, head=False
+    ):
+        return None
 
-  def get_direct_upload_url(self, path, mime_type, requires_cors=True):
-    return None
+    def get_direct_upload_url(self, path, mime_type, requires_cors=True):
+        return None
 
-  def get_supports_resumable_downloads(self):
-    return False
+    def get_supports_resumable_downloads(self):
+        return False
 
-  def get_content(self, path):
-    raise NotImplementedError
+    def get_content(self, path):
+        raise NotImplementedError
 
-  def put_content(self, path, content):
-    raise NotImplementedError
+    def put_content(self, path, content):
+        raise NotImplementedError
 
-  def stream_read(self, path):
-    raise NotImplementedError
+    def stream_read(self, path):
+        raise NotImplementedError
 
-  def stream_read_file(self, path):
-    raise NotImplementedError
+    def stream_read_file(self, path):
+        raise NotImplementedError
 
-  def stream_write(self, path, fp, content_type=None, content_encoding=None):
-    raise NotImplementedError
+    def stream_write(self, path, fp, content_type=None, content_encoding=None):
+        raise NotImplementedError
 
-  def exists(self, path):
-    raise NotImplementedError
+    def exists(self, path):
+        raise NotImplementedError
 
-  def remove(self, path):
-    raise NotImplementedError
+    def remove(self, path):
+        raise NotImplementedError
 
-  def get_checksum(self, path):
-    raise NotImplementedError
+    def get_checksum(self, path):
+        raise NotImplementedError
 
-  def stream_write_to_fp(self, in_fp, out_fp, num_bytes=READ_UNTIL_END):
-    """ Copy the specified number of bytes from the input file stream to the output stream. If
+    def stream_write_to_fp(self, in_fp, out_fp, num_bytes=READ_UNTIL_END):
+        """ Copy the specified number of bytes from the input file stream to the output stream. If
         num_bytes < 0 copy until the stream ends. Returns the number of bytes copied.
     """
-    bytes_copied = 0
-    while bytes_copied < num_bytes or num_bytes == READ_UNTIL_END:
-      size_to_read = min(num_bytes - bytes_copied, self.buffer_size)
-      if size_to_read < 0:
-        size_to_read = self.buffer_size
+        bytes_copied = 0
+        while bytes_copied < num_bytes or num_bytes == READ_UNTIL_END:
+            size_to_read = min(num_bytes - bytes_copied, self.buffer_size)
+            if size_to_read < 0:
+                size_to_read = self.buffer_size
 
-      buf = in_fp.read(size_to_read)
-      if not buf:
-        break
-      out_fp.write(buf)
-      bytes_copied += len(buf)
+            buf = in_fp.read(size_to_read)
+            if not buf:
+                break
+            out_fp.write(buf)
+            bytes_copied += len(buf)
 
-    return bytes_copied
+        return bytes_copied
 
-  def copy_to(self, destination, path):
-    raise NotImplementedError
+    def copy_to(self, destination, path):
+        raise NotImplementedError
 
 
 class BaseStorageV2(BaseStorage):
-  def initiate_chunked_upload(self):
-    """ Start a new chunked upload, returning the uuid and any associated storage metadata
+    def initiate_chunked_upload(self):
+        """ Start a new chunked upload, returning the uuid and any associated storage metadata
     """
-    raise NotImplementedError
+        raise NotImplementedError
 
-  def stream_upload_chunk(self, uuid, offset, length, in_fp, storage_metadata, content_type=None):
-    """ Upload the specified amount of data from the given file pointer to the chunked destination
+    def stream_upload_chunk(
+        self, uuid, offset, length, in_fp, storage_metadata, content_type=None
+    ):
+        """ Upload the specified amount of data from the given file pointer to the chunked destination
         specified, starting at the given offset. Returns the number of bytes uploaded, a new
         version of the storage_metadata and an error object (if one occurred or None if none).
         Pass length as -1 to upload as much data from the in_fp as possible.
     """
-    raise NotImplementedError
+        raise NotImplementedError
 
-  def complete_chunked_upload(self, uuid, final_path, storage_metadata):
-    """ Complete the chunked upload and store the final results in the path indicated.
+    def complete_chunked_upload(self, uuid, final_path, storage_metadata):
+        """ Complete the chunked upload and store the final results in the path indicated.
         Returns nothing.
     """
-    raise NotImplementedError
+        raise NotImplementedError
 
-  def cancel_chunked_upload(self, uuid, storage_metadata):
-    """ Cancel the chunked upload and clean up any outstanding partially uploaded data.
+    def cancel_chunked_upload(self, uuid, storage_metadata):
+        """ Cancel the chunked upload and clean up any outstanding partially uploaded data.
         Returns nothing.
     """
-    raise NotImplementedError
+        raise NotImplementedError
diff --git a/storage/distributedstorage.py b/storage/distributedstorage.py
index c7fd456a1..dc8de7a60 100644
--- a/storage/distributedstorage.py
+++ b/storage/distributedstorage.py
@@ -7,77 +7,99 @@ from storage.basestorage import StoragePaths, BaseStorage, BaseStorageV2
 
 logger = logging.getLogger(__name__)
 
+
 def _location_aware(unbound_func, requires_write=False):
-  @wraps(unbound_func)
-  def wrapper(self, locations, *args, **kwargs):
-    if requires_write:
-      assert not self.readonly_mode
+    @wraps(unbound_func)
+    def wrapper(self, locations, *args, **kwargs):
+        if requires_write:
+            assert not self.readonly_mode
 
-    storage = None
-    for preferred in self.preferred_locations:
-      if preferred in locations:
-        storage = self._storages[preferred]
-        break
+        storage = None
+        for preferred in self.preferred_locations:
+            if preferred in locations:
+                storage = self._storages[preferred]
+                break
 
-    if not storage:
-      storage = self._storages[random.sample(locations, 1)[0]]
+        if not storage:
+            storage = self._storages[random.sample(locations, 1)[0]]
 
-    storage_func = getattr(storage, unbound_func.__name__)
-    return storage_func(*args, **kwargs)
-  return wrapper
+        storage_func = getattr(storage, unbound_func.__name__)
+        return storage_func(*args, **kwargs)
+
+    return wrapper
 
 
 class DistributedStorage(StoragePaths):
-  def __init__(self, storages, preferred_locations=None, default_locations=None, proxy=None,
-               readonly_mode=False):
-    self._storages = dict(storages)
-    self.preferred_locations = list(preferred_locations or [])
-    self.default_locations = list(default_locations or [])
-    self.proxy = proxy
-    self.readonly_mode = readonly_mode
+    def __init__(
+        self,
+        storages,
+        preferred_locations=None,
+        default_locations=None,
+        proxy=None,
+        readonly_mode=False,
+    ):
+        self._storages = dict(storages)
+        self.preferred_locations = list(preferred_locations or [])
+        self.default_locations = list(default_locations or [])
+        self.proxy = proxy
+        self.readonly_mode = readonly_mode
 
-  @property
-  def locations(self):
-    """ Returns the names of the locations supported. """
-    return list(self._storages.keys())
+    @property
+    def locations(self):
+        """ Returns the names of the locations supported. """
+        return list(self._storages.keys())
 
-  _get_direct_download_url = _location_aware(BaseStorage.get_direct_download_url)
+    _get_direct_download_url = _location_aware(BaseStorage.get_direct_download_url)
 
-  get_direct_upload_url = _location_aware(BaseStorage.get_direct_upload_url)
-  get_content = _location_aware(BaseStorage.get_content)
-  put_content = _location_aware(BaseStorage.put_content, requires_write=True)
-  stream_read = _location_aware(BaseStorage.stream_read)
-  stream_read_file = _location_aware(BaseStorage.stream_read_file)
-  stream_write = _location_aware(BaseStorage.stream_write, requires_write=True)
-  exists = _location_aware(BaseStorage.exists)
-  remove = _location_aware(BaseStorage.remove, requires_write=True)
-  validate = _location_aware(BaseStorage.validate, requires_write=True)
-  get_checksum = _location_aware(BaseStorage.get_checksum)
-  get_supports_resumable_downloads = _location_aware(BaseStorage.get_supports_resumable_downloads)
+    get_direct_upload_url = _location_aware(BaseStorage.get_direct_upload_url)
+    get_content = _location_aware(BaseStorage.get_content)
+    put_content = _location_aware(BaseStorage.put_content, requires_write=True)
+    stream_read = _location_aware(BaseStorage.stream_read)
+    stream_read_file = _location_aware(BaseStorage.stream_read_file)
+    stream_write = _location_aware(BaseStorage.stream_write, requires_write=True)
+    exists = _location_aware(BaseStorage.exists)
+    remove = _location_aware(BaseStorage.remove, requires_write=True)
+    validate = _location_aware(BaseStorage.validate, requires_write=True)
+    get_checksum = _location_aware(BaseStorage.get_checksum)
+    get_supports_resumable_downloads = _location_aware(
+        BaseStorage.get_supports_resumable_downloads
+    )
 
-  initiate_chunked_upload = _location_aware(BaseStorageV2.initiate_chunked_upload,
-                                            requires_write=True)
-  stream_upload_chunk = _location_aware(BaseStorageV2.stream_upload_chunk,
-                                        requires_write=True)
-  complete_chunked_upload = _location_aware(BaseStorageV2.complete_chunked_upload,
-                                            requires_write=True)
-  cancel_chunked_upload = _location_aware(BaseStorageV2.cancel_chunked_upload,
-                                          requires_write=True)
+    initiate_chunked_upload = _location_aware(
+        BaseStorageV2.initiate_chunked_upload, requires_write=True
+    )
+    stream_upload_chunk = _location_aware(
+        BaseStorageV2.stream_upload_chunk, requires_write=True
+    )
+    complete_chunked_upload = _location_aware(
+        BaseStorageV2.complete_chunked_upload, requires_write=True
+    )
+    cancel_chunked_upload = _location_aware(
+        BaseStorageV2.cancel_chunked_upload, requires_write=True
+    )
 
-  def get_direct_download_url(self, locations, path, request_ip=None, expires_in=600,
-                              requires_cors=False, head=False):
-    download_url = self._get_direct_download_url(locations, path, request_ip, expires_in,
-                                                 requires_cors, head)
-    if download_url is None:
-      return None
+    def get_direct_download_url(
+        self,
+        locations,
+        path,
+        request_ip=None,
+        expires_in=600,
+        requires_cors=False,
+        head=False,
+    ):
+        download_url = self._get_direct_download_url(
+            locations, path, request_ip, expires_in, requires_cors, head
+        )
+        if download_url is None:
+            return None
 
-    if self.proxy is None:
-      return download_url
+        if self.proxy is None:
+            return download_url
 
-    return self.proxy.proxy_download_url(download_url)
+        return self.proxy.proxy_download_url(download_url)
 
-  def copy_between(self, path, source_location, destination_location):
-    """ Copies a file between the source location and the destination location. """
-    source_storage = self._storages[source_location]
-    destination_storage = self._storages[destination_location]
-    source_storage.copy_to(destination_storage, path)
+    def copy_between(self, path, source_location, destination_location):
+        """ Copies a file between the source location and the destination location. """
+        source_storage = self._storages[source_location]
+        destination_storage = self._storages[destination_location]
+        source_storage.copy_to(destination_storage, path)
diff --git a/storage/downloadproxy.py b/storage/downloadproxy.py
index 4576c40bd..4133f0b15 100644
--- a/storage/downloadproxy.py
+++ b/storage/downloadproxy.py
@@ -6,171 +6,198 @@ from urlparse import urlparse
 from flask import abort, request
 from jsonschema import validate, ValidationError
 
-from util.security.registry_jwt import (generate_bearer_token, decode_bearer_token,
-                                        InvalidBearerTokenException)
+from util.security.registry_jwt import (
+    generate_bearer_token,
+    decode_bearer_token,
+    InvalidBearerTokenException,
+)
 
 logger = logging.getLogger(__name__)
 
 
-PROXY_STORAGE_MAX_LIFETIME_S = 30 # Seconds
-STORAGE_PROXY_SUBJECT = 'storageproxy'
-STORAGE_PROXY_ACCESS_TYPE = 'storageproxy'
+PROXY_STORAGE_MAX_LIFETIME_S = 30  # Seconds
+STORAGE_PROXY_SUBJECT = "storageproxy"
+STORAGE_PROXY_ACCESS_TYPE = "storageproxy"
 
 ACCESS_SCHEMA = {
-  'type': 'array',
-  'description': 'List of access granted to the subject',
-  'items': {
-    'type': 'object',
-    'required': [
-      'type',
-      'scheme',
-      'host',
-      'uri',
-    ],
-    'properties': {
-      'type': {
-        'type': 'string',
-        'description': 'We only allow storage proxy permissions',
-        'enum': [
-          'storageproxy',
-        ],
-      },
-      'scheme': {
-        'type': 'string',
-        'description': 'The scheme for the storage URL being proxied'
-      },
-      'host': {
-        'type': 'string',
-        'description': 'The hostname for the storage URL being proxied'
-      },
-      'uri': {
-        'type': 'string',
-        'description': 'The URI path for the storage URL being proxied'
-      },
+    "type": "array",
+    "description": "List of access granted to the subject",
+    "items": {
+        "type": "object",
+        "required": ["type", "scheme", "host", "uri"],
+        "properties": {
+            "type": {
+                "type": "string",
+                "description": "We only allow storage proxy permissions",
+                "enum": ["storageproxy"],
+            },
+            "scheme": {
+                "type": "string",
+                "description": "The scheme for the storage URL being proxied",
+            },
+            "host": {
+                "type": "string",
+                "description": "The hostname for the storage URL being proxied",
+            },
+            "uri": {
+                "type": "string",
+                "description": "The URI path for the storage URL being proxied",
+            },
+        },
     },
-  },
 }
 
 
 class DownloadProxy(object):
-  """ Helper class to enable proxying of direct download URLs for storage via the registry's
+    """ Helper class to enable proxying of direct download URLs for storage via the registry's
       local NGINX.
   """
-  def __init__(self, app, instance_keys):
-    self.app = app
-    self.instance_keys = instance_keys
 
-    app.add_url_rule('/_storage_proxy_auth', '_storage_proxy_auth', self._validate_proxy_url)
+    def __init__(self, app, instance_keys):
+        self.app = app
+        self.instance_keys = instance_keys
 
-  def proxy_download_url(self, download_url):
-    """ Returns a URL to proxy the specified blob download URL.
+        app.add_url_rule(
+            "/_storage_proxy_auth", "_storage_proxy_auth", self._validate_proxy_url
+        )
+
+    def proxy_download_url(self, download_url):
+        """ Returns a URL to proxy the specified blob download URL.
     """
-    # Parse the URL to be downloaded into its components (host, path, scheme).
-    parsed = urlparse(download_url)
+        # Parse the URL to be downloaded into its components (host, path, scheme).
+        parsed = urlparse(download_url)
 
-    path = parsed.path
-    if parsed.query:
-      path = path + '?' + parsed.query
+        path = parsed.path
+        if parsed.query:
+            path = path + "?" + parsed.query
 
-    if path.startswith('/'):
-      path = path[1:]
+        if path.startswith("/"):
+            path = path[1:]
 
-    access = {
-      'type': STORAGE_PROXY_ACCESS_TYPE,
-      'uri': path,
-      'host': parsed.netloc,
-      'scheme': parsed.scheme,
-    }
+        access = {
+            "type": STORAGE_PROXY_ACCESS_TYPE,
+            "uri": path,
+            "host": parsed.netloc,
+            "scheme": parsed.scheme,
+        }
 
-    # Generate a JWT that signs access to this URL. This JWT will be passed back to the registry
-    # code when the download commences. Note that we don't add any context here, as it isn't
-    # needed.
-    server_hostname = self.app.config['SERVER_HOSTNAME']
-    token = generate_bearer_token(server_hostname, STORAGE_PROXY_SUBJECT, {}, [access],
-                                  PROXY_STORAGE_MAX_LIFETIME_S, self.instance_keys)
+        # Generate a JWT that signs access to this URL. This JWT will be passed back to the registry
+        # code when the download commences. Note that we don't add any context here, as it isn't
+        # needed.
+        server_hostname = self.app.config["SERVER_HOSTNAME"]
+        token = generate_bearer_token(
+            server_hostname,
+            STORAGE_PROXY_SUBJECT,
+            {},
+            [access],
+            PROXY_STORAGE_MAX_LIFETIME_S,
+            self.instance_keys,
+        )
 
-    url_scheme = self.app.config['PREFERRED_URL_SCHEME']
-    server_hostname = self.app.config['SERVER_HOSTNAME']
+        url_scheme = self.app.config["PREFERRED_URL_SCHEME"]
+        server_hostname = self.app.config["SERVER_HOSTNAME"]
 
-    # The proxy path is of the form:
-    # http(s)://registry_server/_storage_proxy/{token}/{scheme}/{hostname}/rest/of/path/here
-    encoded_token = base64.urlsafe_b64encode(token)
-    proxy_url = '%s://%s/_storage_proxy/%s/%s/%s/%s' % (url_scheme, server_hostname, encoded_token,
-                                                        parsed.scheme, parsed.netloc, path)
-    logger.debug('Proxying via URL %s', proxy_url)
-    return proxy_url
+        # The proxy path is of the form:
+        # http(s)://registry_server/_storage_proxy/{token}/{scheme}/{hostname}/rest/of/path/here
+        encoded_token = base64.urlsafe_b64encode(token)
+        proxy_url = "%s://%s/_storage_proxy/%s/%s/%s/%s" % (
+            url_scheme,
+            server_hostname,
+            encoded_token,
+            parsed.scheme,
+            parsed.netloc,
+            path,
+        )
+        logger.debug("Proxying via URL %s", proxy_url)
+        return proxy_url
 
+    def _validate_proxy_url(self):
+        original_uri = request.headers.get("X-Original-URI", None)
+        if not original_uri:
+            logger.error("Missing original URI: %s", request.headers)
+            abort(401)
 
-  def _validate_proxy_url(self):
-    original_uri = request.headers.get('X-Original-URI', None)
-    if not original_uri:
-      logger.error('Missing original URI: %s', request.headers)
-      abort(401)
+        if not original_uri.startswith("/_storage_proxy/"):
+            logger.error("Unknown storage proxy path: %s", original_uri)
+            abort(401)
 
-    if not original_uri.startswith('/_storage_proxy/'):
-      logger.error('Unknown storage proxy path: %s', original_uri)
-      abort(401)
+        # The proxy path is of the form:
+        # /_storage_proxy/{token}/{scheme}/{hostname}/rest/of/path/here
+        without_prefix = original_uri[len("/_storage_proxy/") :]
+        parts = without_prefix.split("/", 3)
+        if len(parts) != 4:
+            logger.error(
+                "Invalid storage proxy path (found %s parts): %s",
+                len(parts),
+                without_prefix,
+            )
+            abort(401)
 
-    # The proxy path is of the form:
-    # /_storage_proxy/{token}/{scheme}/{hostname}/rest/of/path/here
-    without_prefix = original_uri[len('/_storage_proxy/'):]
-    parts = without_prefix.split('/', 3)
-    if len(parts) != 4:
-      logger.error('Invalid storage proxy path (found %s parts): %s', len(parts), without_prefix)
-      abort(401)
+        encoded_token, scheme, host, uri = parts
 
-    encoded_token, scheme, host, uri = parts
+        try:
+            token = base64.urlsafe_b64decode(str(encoded_token))
+        except ValueError:
+            logger.exception("Could not decode proxy token")
+            abort(401)
+        except TypeError:
+            logger.exception("Could not decode proxy token")
+            abort(401)
 
-    try:
-      token = base64.urlsafe_b64decode(str(encoded_token))
-    except ValueError:
-      logger.exception('Could not decode proxy token')
-      abort(401)
-    except TypeError:
-      logger.exception('Could not decode proxy token')
-      abort(401)
+        logger.debug(
+            "Got token %s for storage proxy auth request %s with parts %s",
+            token,
+            original_uri,
+            parts,
+        )
 
-    logger.debug('Got token %s for storage proxy auth request %s with parts %s', token,
-                 original_uri, parts)
+        # Decode the bearer token.
+        try:
+            decoded = decode_bearer_token(token, self.instance_keys, self.app.config)
+        except InvalidBearerTokenException:
+            logger.exception("Invalid token for storage proxy")
+            abort(401)
 
-    # Decode the bearer token.
-    try:
-      decoded = decode_bearer_token(token, self.instance_keys, self.app.config)
-    except InvalidBearerTokenException:
-      logger.exception('Invalid token for storage proxy')
-      abort(401)
+        # Ensure it is for the proxy.
+        if decoded["sub"] != STORAGE_PROXY_SUBJECT:
+            logger.exception(
+                "Invalid subject %s for storage proxy auth", decoded["subject"]
+            )
+            abort(401)
 
-    # Ensure it is for the proxy.
-    if decoded['sub'] != STORAGE_PROXY_SUBJECT:
-      logger.exception('Invalid subject %s for storage proxy auth', decoded['subject'])
-      abort(401)
+        # Validate that the access matches the token format.
+        access = decoded.get("access", {})
+        try:
+            validate(access, ACCESS_SCHEMA)
+        except ValidationError:
+            logger.exception("We should not be minting invalid credentials: %s", access)
+            abort(401)
 
-    # Validate that the access matches the token format.
-    access = decoded.get('access', {})
-    try:
-      validate(access, ACCESS_SCHEMA)
-    except ValidationError:
-      logger.exception('We should not be minting invalid credentials: %s', access)
-      abort(401)
+        # For now, we only expect a single access credential.
+        if len(access) != 1:
+            logger.exception("We should not be minting invalid credentials: %s", access)
+            abort(401)
 
-    # For now, we only expect a single access credential.
-    if len(access) != 1:
-      logger.exception('We should not be minting invalid credentials: %s', access)
-      abort(401)
+        # Ensure the signed access matches the requested URL's pieces.
+        granted_access = access[0]
+        if granted_access["scheme"] != scheme:
+            logger.exception(
+                "Mismatch in scheme. %s expected, %s found",
+                granted_access["scheme"],
+                scheme,
+            )
+            abort(401)
 
-    # Ensure the signed access matches the requested URL's pieces.
-    granted_access = access[0]
-    if granted_access['scheme'] != scheme:
-      logger.exception('Mismatch in scheme. %s expected, %s found', granted_access['scheme'],
-                       scheme)
-      abort(401)
+        if granted_access["host"] != host:
+            logger.exception(
+                "Mismatch in host. %s expected, %s found", granted_access["host"], host
+            )
+            abort(401)
 
-    if granted_access['host'] != host:
-      logger.exception('Mismatch in host. %s expected, %s found', granted_access['host'], host)
-      abort(401)
+        if granted_access["uri"] != uri:
+            logger.exception(
+                "Mismatch in uri. %s expected, %s found", granted_access["uri"], uri
+            )
+            abort(401)
 
-    if granted_access['uri'] != uri:
-      logger.exception('Mismatch in uri. %s expected, %s found', granted_access['uri'], uri)
-      abort(401)
-
-    return 'OK'
+        return "OK"
diff --git a/storage/fakestorage.py b/storage/fakestorage.py
index 7803dc497..5a6221882 100644
--- a/storage/fakestorage.py
+++ b/storage/fakestorage.py
@@ -8,94 +8,103 @@ from storage.basestorage import BaseStorageV2
 
 _GLOBAL_FAKE_STORAGE_MAP = defaultdict(StringIO.StringIO)
 
+
 class FakeStorage(BaseStorageV2):
-  def __init__(self, context):
-    super(FakeStorage, self).__init__()
-    self._fake_storage_map = (defaultdict(StringIO.StringIO)
-                              if context == 'local' else _GLOBAL_FAKE_STORAGE_MAP)
+    def __init__(self, context):
+        super(FakeStorage, self).__init__()
+        self._fake_storage_map = (
+            defaultdict(StringIO.StringIO)
+            if context == "local"
+            else _GLOBAL_FAKE_STORAGE_MAP
+        )
 
-  def _init_path(self, path=None, create=False):
-    return path
+    def _init_path(self, path=None, create=False):
+        return path
 
-  def get_direct_download_url(self, path, request_ip=None, expires_in=60, requires_cors=False, head=False):
-    try:
-      if self.get_content('supports_direct_download') == 'true':
-        return 'http://somefakeurl?goes=here'
-    except:
-      pass
+    def get_direct_download_url(
+        self, path, request_ip=None, expires_in=60, requires_cors=False, head=False
+    ):
+        try:
+            if self.get_content("supports_direct_download") == "true":
+                return "http://somefakeurl?goes=here"
+        except:
+            pass
 
-    return None
+        return None
 
-  def get_content(self, path):
-    if not path in self._fake_storage_map:
-      raise IOError('Fake file %s not found. Exist: %s' % (path, self._fake_storage_map.keys()))
+    def get_content(self, path):
+        if not path in self._fake_storage_map:
+            raise IOError(
+                "Fake file %s not found. Exist: %s"
+                % (path, self._fake_storage_map.keys())
+            )
 
-    self._fake_storage_map.get(path).seek(0)
-    return self._fake_storage_map.get(path).read()
+        self._fake_storage_map.get(path).seek(0)
+        return self._fake_storage_map.get(path).read()
 
-  def put_content(self, path, content):
-    self._fake_storage_map.pop(path, None)
-    self._fake_storage_map[path].write(content)
+    def put_content(self, path, content):
+        self._fake_storage_map.pop(path, None)
+        self._fake_storage_map[path].write(content)
 
-  def stream_read(self, path):
-    io_obj = self._fake_storage_map[path]
-    io_obj.seek(0)
-    while True:
-      buf = io_obj.read(self.buffer_size)
-      if not buf:
-        break
-      yield buf
+    def stream_read(self, path):
+        io_obj = self._fake_storage_map[path]
+        io_obj.seek(0)
+        while True:
+            buf = io_obj.read(self.buffer_size)
+            if not buf:
+                break
+            yield buf
 
-  def stream_read_file(self, path):
-    return StringIO.StringIO(self.get_content(path))
+    def stream_read_file(self, path):
+        return StringIO.StringIO(self.get_content(path))
 
-  def stream_write(self, path, fp, content_type=None, content_encoding=None):
-    out_fp = self._fake_storage_map[path]
-    out_fp.seek(0)
-    self.stream_write_to_fp(fp, out_fp)
+    def stream_write(self, path, fp, content_type=None, content_encoding=None):
+        out_fp = self._fake_storage_map[path]
+        out_fp.seek(0)
+        self.stream_write_to_fp(fp, out_fp)
 
-  def remove(self, path):
-    self._fake_storage_map.pop(path, None)
+    def remove(self, path):
+        self._fake_storage_map.pop(path, None)
 
-  def exists(self, path):
-    if self._fake_storage_map.get('all_files_exist', None):
-      return True
-    return path in self._fake_storage_map
+    def exists(self, path):
+        if self._fake_storage_map.get("all_files_exist", None):
+            return True
+        return path in self._fake_storage_map
 
-  def get_checksum(self, path):
-    return hashlib.sha256(self._fake_storage_map[path].read()).hexdigest()[:7]
+    def get_checksum(self, path):
+        return hashlib.sha256(self._fake_storage_map[path].read()).hexdigest()[:7]
 
-  def initiate_chunked_upload(self):
-    new_uuid = str(uuid4())
-    self._fake_storage_map[new_uuid].seek(0)
-    return new_uuid, {}
+    def initiate_chunked_upload(self):
+        new_uuid = str(uuid4())
+        self._fake_storage_map[new_uuid].seek(0)
+        return new_uuid, {}
 
-  def stream_upload_chunk(self, uuid, offset, length, in_fp, _, content_type=None):
-    if self.exists('except_upload'):
-      return 0, {}, IOError("I'm an exception!")
+    def stream_upload_chunk(self, uuid, offset, length, in_fp, _, content_type=None):
+        if self.exists("except_upload"):
+            return 0, {}, IOError("I'm an exception!")
 
-    upload_storage = self._fake_storage_map[uuid]
-    try:
-      return self.stream_write_to_fp(in_fp, upload_storage, length), {}, None
-    except IOError as ex:
-      return 0, {}, ex
+        upload_storage = self._fake_storage_map[uuid]
+        try:
+            return self.stream_write_to_fp(in_fp, upload_storage, length), {}, None
+        except IOError as ex:
+            return 0, {}, ex
 
-  def complete_chunked_upload(self, uuid, final_path, _):
-    self._fake_storage_map[final_path] = self._fake_storage_map[uuid]
-    self._fake_storage_map.pop(uuid, None)
+    def complete_chunked_upload(self, uuid, final_path, _):
+        self._fake_storage_map[final_path] = self._fake_storage_map[uuid]
+        self._fake_storage_map.pop(uuid, None)
 
-  def cancel_chunked_upload(self, uuid, _):
-    self._fake_storage_map.pop(uuid, None)
+    def cancel_chunked_upload(self, uuid, _):
+        self._fake_storage_map.pop(uuid, None)
 
-  def copy_to(self, destination, path):
-    if self.exists('break_copying'):
-      raise IOError('Broken!')
+    def copy_to(self, destination, path):
+        if self.exists("break_copying"):
+            raise IOError("Broken!")
 
-    if self.exists('fake_copying'):
-      return
+        if self.exists("fake_copying"):
+            return
 
-    if self.exists('except_copying'):
-      raise Exception("I'm an exception!")
+        if self.exists("except_copying"):
+            raise Exception("I'm an exception!")
 
-    content = self.get_content(path)
-    destination.put_content(path, content)
+        content = self.get_content(path)
+        destination.put_content(path, content)
diff --git a/storage/local.py b/storage/local.py
index d6e2eb5da..cdfefde40 100644
--- a/storage/local.py
+++ b/storage/local.py
@@ -14,125 +14,129 @@ logger = logging.getLogger(__name__)
 
 
 class LocalStorage(BaseStorageV2):
-  def __init__(self, context, storage_path):
-    super(LocalStorage, self).__init__()
-    self._root_path = storage_path
+    def __init__(self, context, storage_path):
+        super(LocalStorage, self).__init__()
+        self._root_path = storage_path
 
-  def _init_path(self, path=None, create=False):
-    path = os.path.join(self._root_path, path) if path else self._root_path
-    if create is True:
-      dirname = os.path.dirname(path)
-      if not os.path.exists(dirname):
-        os.makedirs(dirname)
-    return path
+    def _init_path(self, path=None, create=False):
+        path = os.path.join(self._root_path, path) if path else self._root_path
+        if create is True:
+            dirname = os.path.dirname(path)
+            if not os.path.exists(dirname):
+                os.makedirs(dirname)
+        return path
 
-  def get_content(self, path):
-    path = self._init_path(path)
-    with open(path, mode='r') as f:
-      return f.read()
+    def get_content(self, path):
+        path = self._init_path(path)
+        with open(path, mode="r") as f:
+            return f.read()
 
-  def put_content(self, path, content):
-    path = self._init_path(path, create=True)
-    with open(path, mode='w') as f:
-      f.write(content)
-    return path
+    def put_content(self, path, content):
+        path = self._init_path(path, create=True)
+        with open(path, mode="w") as f:
+            f.write(content)
+        return path
 
-  def stream_read(self, path):
-    path = self._init_path(path)
-    with open(path, mode='rb') as f:
-      while True:
-        buf = f.read(self.buffer_size)
-        if not buf:
-          break
-        yield buf
+    def stream_read(self, path):
+        path = self._init_path(path)
+        with open(path, mode="rb") as f:
+            while True:
+                buf = f.read(self.buffer_size)
+                if not buf:
+                    break
+                yield buf
 
-  def stream_read_file(self, path):
-    path = self._init_path(path)
-    return io.open(path, mode='rb')
+    def stream_read_file(self, path):
+        path = self._init_path(path)
+        return io.open(path, mode="rb")
 
-  def stream_write(self, path, fp, content_type=None, content_encoding=None):
-    # Size is mandatory
-    path = self._init_path(path, create=True)
-    with open(path, mode='wb') as out_fp:
-      self.stream_write_to_fp(fp, out_fp)
+    def stream_write(self, path, fp, content_type=None, content_encoding=None):
+        # Size is mandatory
+        path = self._init_path(path, create=True)
+        with open(path, mode="wb") as out_fp:
+            self.stream_write_to_fp(fp, out_fp)
 
-  def exists(self, path):
-    path = self._init_path(path)
-    return os.path.exists(path)
+    def exists(self, path):
+        path = self._init_path(path)
+        return os.path.exists(path)
 
-  def remove(self, path):
-    path = self._init_path(path)
-    if os.path.isdir(path):
-      shutil.rmtree(path)
-      return
-    try:
-      os.remove(path)
-    except OSError:
-      pass
+    def remove(self, path):
+        path = self._init_path(path)
+        if os.path.isdir(path):
+            shutil.rmtree(path)
+            return
+        try:
+            os.remove(path)
+        except OSError:
+            pass
 
-  def get_checksum(self, path):
-    path = self._init_path(path)
-    sha_hash = hashlib.sha256()
-    with open(path, 'r') as to_hash:
-      while True:
-        buf = to_hash.read(self.buffer_size)
-        if not buf:
-          break
-        sha_hash.update(buf)
-    return sha_hash.hexdigest()[:7]
+    def get_checksum(self, path):
+        path = self._init_path(path)
+        sha_hash = hashlib.sha256()
+        with open(path, "r") as to_hash:
+            while True:
+                buf = to_hash.read(self.buffer_size)
+                if not buf:
+                    break
+                sha_hash.update(buf)
+        return sha_hash.hexdigest()[:7]
 
-  def _rel_upload_path(self, uuid):
-    return 'uploads/{0}'.format(uuid)
+    def _rel_upload_path(self, uuid):
+        return "uploads/{0}".format(uuid)
 
-  def initiate_chunked_upload(self):
-    new_uuid = str(uuid4())
+    def initiate_chunked_upload(self):
+        new_uuid = str(uuid4())
 
-    # Just create an empty file at the path
-    with open(self._init_path(self._rel_upload_path(new_uuid), create=True), 'w'):
-      pass
+        # Just create an empty file at the path
+        with open(self._init_path(self._rel_upload_path(new_uuid), create=True), "w"):
+            pass
 
-    return new_uuid, {}
+        return new_uuid, {}
 
-  def stream_upload_chunk(self, uuid, offset, length, in_fp, _, content_type=None):
-    try:
-      with open(self._init_path(self._rel_upload_path(uuid)), 'r+b') as upload_storage:
-        upload_storage.seek(offset)
-        return self.stream_write_to_fp(in_fp, upload_storage, length), {}, None
-    except IOError as ex:
-      return 0, {}, ex
+    def stream_upload_chunk(self, uuid, offset, length, in_fp, _, content_type=None):
+        try:
+            with open(
+                self._init_path(self._rel_upload_path(uuid)), "r+b"
+            ) as upload_storage:
+                upload_storage.seek(offset)
+                return self.stream_write_to_fp(in_fp, upload_storage, length), {}, None
+        except IOError as ex:
+            return 0, {}, ex
 
-  def complete_chunked_upload(self, uuid, final_path, _):
-    content_path = self._rel_upload_path(uuid)
-    final_path_abs = self._init_path(final_path, create=True)
-    if not self.exists(final_path_abs):
-      logger.debug('Moving content into place at path: %s', final_path_abs)
-      shutil.move(self._init_path(content_path), final_path_abs)
-    else:
-      logger.debug('Content already exists at path: %s', final_path_abs)
+    def complete_chunked_upload(self, uuid, final_path, _):
+        content_path = self._rel_upload_path(uuid)
+        final_path_abs = self._init_path(final_path, create=True)
+        if not self.exists(final_path_abs):
+            logger.debug("Moving content into place at path: %s", final_path_abs)
+            shutil.move(self._init_path(content_path), final_path_abs)
+        else:
+            logger.debug("Content already exists at path: %s", final_path_abs)
 
-  def cancel_chunked_upload(self, uuid, _):
-    content_path = self._init_path(self._rel_upload_path(uuid))
-    os.remove(content_path)
+    def cancel_chunked_upload(self, uuid, _):
+        content_path = self._init_path(self._rel_upload_path(uuid))
+        os.remove(content_path)
 
-  def validate(self, client):
-    super(LocalStorage, self).validate(client)
+    def validate(self, client):
+        super(LocalStorage, self).validate(client)
 
-    # Load the set of disk mounts.
-    try:
-      mounts = psutil.disk_partitions(all=True)
-    except:
-      logger.exception('Could not load disk partitions')
-      return
+        # Load the set of disk mounts.
+        try:
+            mounts = psutil.disk_partitions(all=True)
+        except:
+            logger.exception("Could not load disk partitions")
+            return
 
-    # Verify that the storage's root path is under a mounted Docker volume.
-    for mount in mounts:
-      if mount.mountpoint != '/' and self._root_path.startswith(mount.mountpoint):
-        return
+        # Verify that the storage's root path is under a mounted Docker volume.
+        for mount in mounts:
+            if mount.mountpoint != "/" and self._root_path.startswith(mount.mountpoint):
+                return
 
-    raise Exception('Storage path %s is not under a mounted volume.\n\n'
-                    'Registry data must be stored under a mounted volume '
-                    'to prevent data loss' % self._root_path)
+        raise Exception(
+            "Storage path %s is not under a mounted volume.\n\n"
+            "Registry data must be stored under a mounted volume "
+            "to prevent data loss" % self._root_path
+        )
 
-  def copy_to(self, destination, path):
-    with self.stream_read_file(path) as fp:
-      destination.stream_write(path, fp)
+    def copy_to(self, destination, path):
+        with self.stream_read_file(path) as fp:
+            destination.stream_write(path, fp)
diff --git a/storage/swift.py b/storage/swift.py
index f750f8880..d5a0e2133 100644
--- a/storage/swift.py
+++ b/storage/swift.py
@@ -28,423 +28,540 @@ from util.registry.generatorfile import GeneratorFile
 
 logger = logging.getLogger(__name__)
 
-_PartUploadMetadata = namedtuple('_PartUploadMetadata', ['path', 'offset', 'length'])
-_SEGMENTS_KEY = 'segments'
-_EMPTY_SEGMENTS_KEY = 'emptysegments'
-_SEGMENT_DIRECTORY = 'segments'
-_MAXIMUM_SEGMENT_SIZE = 200000000 # ~200 MB
-_DEFAULT_SWIFT_CONNECT_TIMEOUT = 5 # seconds
-_CHUNK_CLEANUP_DELAY = 30 # seconds
+_PartUploadMetadata = namedtuple("_PartUploadMetadata", ["path", "offset", "length"])
+_SEGMENTS_KEY = "segments"
+_EMPTY_SEGMENTS_KEY = "emptysegments"
+_SEGMENT_DIRECTORY = "segments"
+_MAXIMUM_SEGMENT_SIZE = 200000000  # ~200 MB
+_DEFAULT_SWIFT_CONNECT_TIMEOUT = 5  # seconds
+_CHUNK_CLEANUP_DELAY = 30  # seconds
+
 
 class SwiftStorage(BaseStorage):
-  def __init__(self, context, swift_container, storage_path, auth_url, swift_user, swift_password,
-               auth_version=None, os_options=None, ca_cert_path=None, temp_url_key=None,
-               simple_path_concat=False, connect_timeout=None, retry_count=None,
-               retry_on_ratelimit=True):
-    super(SwiftStorage, self).__init__()
-    self._swift_container = swift_container
-    self._context = context
+    def __init__(
+        self,
+        context,
+        swift_container,
+        storage_path,
+        auth_url,
+        swift_user,
+        swift_password,
+        auth_version=None,
+        os_options=None,
+        ca_cert_path=None,
+        temp_url_key=None,
+        simple_path_concat=False,
+        connect_timeout=None,
+        retry_count=None,
+        retry_on_ratelimit=True,
+    ):
+        super(SwiftStorage, self).__init__()
+        self._swift_container = swift_container
+        self._context = context
 
-    self._storage_path = storage_path.lstrip('/')
-    self._simple_path_concat = simple_path_concat
+        self._storage_path = storage_path.lstrip("/")
+        self._simple_path_concat = simple_path_concat
 
-    self._auth_url = auth_url
-    self._ca_cert_path = ca_cert_path
+        self._auth_url = auth_url
+        self._ca_cert_path = ca_cert_path
 
-    self._swift_user = swift_user
-    self._swift_password = swift_password
+        self._swift_user = swift_user
+        self._swift_password = swift_password
 
-    self._temp_url_key = temp_url_key
-    self._connect_timeout = connect_timeout
-    self._retry_count = retry_count
-    self._retry_on_ratelimit = retry_on_ratelimit
+        self._temp_url_key = temp_url_key
+        self._connect_timeout = connect_timeout
+        self._retry_count = retry_count
+        self._retry_on_ratelimit = retry_on_ratelimit
 
-    try:
-      self._auth_version = int(auth_version or '2')
-    except ValueError:
-      self._auth_version = 2
+        try:
+            self._auth_version = int(auth_version or "2")
+        except ValueError:
+            self._auth_version = 2
 
-    self._os_options = os_options or {}
+        self._os_options = os_options or {}
 
-    self._initialized = False
+        self._initialized = False
 
-  def _get_connection(self):
-    return Connection(
-      authurl=self._auth_url,
-      cacert=self._ca_cert_path,
+    def _get_connection(self):
+        return Connection(
+            authurl=self._auth_url,
+            cacert=self._ca_cert_path,
+            user=self._swift_user,
+            key=self._swift_password,
+            auth_version=self._auth_version,
+            os_options=self._os_options,
+            retry_on_ratelimit=self._retry_on_ratelimit,
+            timeout=self._connect_timeout or _DEFAULT_SWIFT_CONNECT_TIMEOUT,
+            retries=self._retry_count or 5,
+        )
 
-      user=self._swift_user,
-      key=self._swift_password,
-
-      auth_version=self._auth_version,
-      os_options=self._os_options,
-
-      retry_on_ratelimit=self._retry_on_ratelimit,
-      timeout=self._connect_timeout or _DEFAULT_SWIFT_CONNECT_TIMEOUT,
-      retries=self._retry_count or 5,
-    )
-
-  def _normalize_path(self, object_path):
-    """ No matter what inputs we get, we are going to return a path without a leading or trailing
+    def _normalize_path(self, object_path):
+        """ No matter what inputs we get, we are going to return a path without a leading or trailing
         '/'
     """
-    if self._simple_path_concat:
-      return (self._storage_path + object_path).rstrip('/')
-    else:
-      return os.path.join(self._storage_path, object_path).rstrip('/')
+        if self._simple_path_concat:
+            return (self._storage_path + object_path).rstrip("/")
+        else:
+            return os.path.join(self._storage_path, object_path).rstrip("/")
 
-  def _get_object(self, path, chunk_size=None):
-    path = self._normalize_path(path)
-    try:
-      _, obj = self._get_connection().get_object(self._swift_container, path,
-                                                 resp_chunk_size=chunk_size)
-      return obj
-    except ClientException as ex:
-      logger.exception('Could not get object at path %s: %s', path, ex)
-      raise IOError('Path %s not found' % path)
+    def _get_object(self, path, chunk_size=None):
+        path = self._normalize_path(path)
+        try:
+            _, obj = self._get_connection().get_object(
+                self._swift_container, path, resp_chunk_size=chunk_size
+            )
+            return obj
+        except ClientException as ex:
+            logger.exception("Could not get object at path %s: %s", path, ex)
+            raise IOError("Path %s not found" % path)
 
-  def _put_object(self, path, content, chunk=None, content_type=None, content_encoding=None,
-                  headers=None):
-    path = self._normalize_path(path)
-    headers = headers or {}
+    def _put_object(
+        self,
+        path,
+        content,
+        chunk=None,
+        content_type=None,
+        content_encoding=None,
+        headers=None,
+    ):
+        path = self._normalize_path(path)
+        headers = headers or {}
 
-    if content_encoding is not None:
-      headers['Content-Encoding'] = content_encoding
+        if content_encoding is not None:
+            headers["Content-Encoding"] = content_encoding
 
-    is_filelike = hasattr(content, 'read')
-    if is_filelike:
-      content = ReadableToIterable(content, md5=True)
+        is_filelike = hasattr(content, "read")
+        if is_filelike:
+            content = ReadableToIterable(content, md5=True)
 
-    try:
-      etag = self._get_connection().put_object(self._swift_container, path, content,
-                                               chunk_size=chunk, content_type=content_type,
-                                               headers=headers)
-    except ClientException:
-      # We re-raise client exception here so that validation of config during setup can see
-      # the client exception messages.
-      raise
+        try:
+            etag = self._get_connection().put_object(
+                self._swift_container,
+                path,
+                content,
+                chunk_size=chunk,
+                content_type=content_type,
+                headers=headers,
+            )
+        except ClientException:
+            # We re-raise client exception here so that validation of config during setup can see
+            # the client exception messages.
+            raise
 
-    # If we wrapped the content in a ReadableToIterable, compare its MD5 to the etag returned. If
-    # they don't match, raise an IOError indicating a write failure.
-    if is_filelike:
-      if etag != content.get_md5sum():
-        logger.error('Got mismatch in md5 etag for path %s: Expected %s, but server has %s', path,
-                     content.get_md5sum(), etag)
-        raise IOError('upload verification failed for path {0}:'
-                      'md5 mismatch, local {1} != remote {2}'
-                      .format(path, content.get_md5sum(), etag))
+        # If we wrapped the content in a ReadableToIterable, compare its MD5 to the etag returned. If
+        # they don't match, raise an IOError indicating a write failure.
+        if is_filelike:
+            if etag != content.get_md5sum():
+                logger.error(
+                    "Got mismatch in md5 etag for path %s: Expected %s, but server has %s",
+                    path,
+                    content.get_md5sum(),
+                    etag,
+                )
+                raise IOError(
+                    "upload verification failed for path {0}:"
+                    "md5 mismatch, local {1} != remote {2}".format(
+                        path, content.get_md5sum(), etag
+                    )
+                )
 
-  def _head_object(self, path):
-    path = self._normalize_path(path)
-    try:
-      return self._get_connection().head_object(self._swift_container, path)
-    except ClientException as ce:
-      if ce.http_status != 404:
-        logger.exception('Could not head object at path %s: %s', path, ce)
+    def _head_object(self, path):
+        path = self._normalize_path(path)
+        try:
+            return self._get_connection().head_object(self._swift_container, path)
+        except ClientException as ce:
+            if ce.http_status != 404:
+                logger.exception("Could not head object at path %s: %s", path, ce)
 
-      return None
+            return None
 
-  @lru_cache(maxsize=1)
-  def _get_root_storage_url(self):
-    """ Returns the root storage URL for this Swift storage. Note that since this requires a call
+    @lru_cache(maxsize=1)
+    def _get_root_storage_url(self):
+        """ Returns the root storage URL for this Swift storage. Note that since this requires a call
         to Swift, we cache the result of this function call.
     """
-    storage_url, _ = self._get_connection().get_auth()
-    return storage_url
+        storage_url, _ = self._get_connection().get_auth()
+        return storage_url
 
-  def get_direct_download_url(self, object_path, request_ip=None, expires_in=60,
-                              requires_cors=False, head=False):
-    if requires_cors:
-      return None
+    def get_direct_download_url(
+        self,
+        object_path,
+        request_ip=None,
+        expires_in=60,
+        requires_cors=False,
+        head=False,
+    ):
+        if requires_cors:
+            return None
 
-    # Reference: http://docs.openstack.org/juno/config-reference/content/object-storage-tempurl.html
-    if not self._temp_url_key:
-      return None
+        # Reference: http://docs.openstack.org/juno/config-reference/content/object-storage-tempurl.html
+        if not self._temp_url_key:
+            return None
 
-    # Retrieve the root storage URL for the connection.
-    try:
-      root_storage_url = self._get_root_storage_url()
-    except ClientException:
-      logger.exception('Got client exception when trying to load Swift auth')
-      return None
-
-    parsed_storage_url = urlparse(root_storage_url)
-    scheme = parsed_storage_url.scheme
-    path = parsed_storage_url.path.rstrip('/')
-    hostname = parsed_storage_url.netloc
-
-    object_path = self._normalize_path(object_path)
-
-    # Generate the signed HMAC body.
-    method = 'HEAD' if head else 'GET'
-    expires = int(time() + expires_in)
-    full_path = '%s/%s/%s' % (path, self._swift_container, object_path)
-
-    hmac_body = '%s\n%s\n%s' % (method, expires, full_path)
-    sig = hmac.new(self._temp_url_key.encode('utf-8'), hmac_body.encode('utf-8'), sha1).hexdigest()
-
-    surl = '{scheme}://{host}{full_path}?temp_url_sig={sig}&temp_url_expires={expires}'
-    return surl.format(scheme=scheme, host=hostname, full_path=full_path, sig=sig, expires=expires)
-
-  def validate(self, client):
-    super(SwiftStorage, self).validate(client)
-
-    if self._temp_url_key:
-      # Generate a direct download URL.
-      dd_url = self.get_direct_download_url('_verify')
-
-      if not dd_url:
-        raise Exception('Could not validate direct download URL; the token may be invalid.')
-
-      # Try to retrieve the direct download URL.
-      response = client.get(dd_url, timeout=2)
-      if response.status_code != 200:
-        logger.debug('Direct download failure: %s => %s with body %s', dd_url,
-                     response.status_code, response.text)
-
-        msg = 'Direct download URL failed with status code %s. Please check your temp-url-key.'
-        raise Exception(msg % response.status_code)
-
-  def get_content(self, path):
-    return self._get_object(path)
-
-  def put_content(self, path, content):
-    self._put_object(path, content)
-
-  def stream_read(self, path):
-    for data in self._get_object(path, self.buffer_size):
-      yield data
-
-  def stream_read_file(self, path):
-    return GeneratorFile(self.stream_read(path))
-
-  def stream_write(self, path, fp, content_type=None, content_encoding=None):
-    self._put_object(path, fp, self.buffer_size, content_type=content_type,
-                     content_encoding=content_encoding)
-
-  def exists(self, path):
-    return bool(self._head_object(path))
-
-  def remove(self, path):
-    # Retrieve the object so we can see if it is segmented. If so, we'll delete its segments after
-    # removing the object.
-    try:
-      headers = self._head_object(path)
-    except ClientException as ex:
-      logger.exception('Could not head for delete of path %s: %s', path, str(ex))
-      raise IOError('Cannot delete path: %s' % path)
-
-    logger.debug('Found headers for path %s to delete: %s', path, headers)
-
-    # Delete the path itself.
-    path = self._normalize_path(path)
-    try:
-      self._get_connection().delete_object(self._swift_container, path)
-    except ClientException as ex:
-      logger.exception('Could not delete path %s: %s', path, str(ex))
-      raise IOError('Cannot delete path: %s' % path)
-
-    # Delete the segments.
-    object_manifest = headers.get('x-object-manifest', headers.get('X-Object-Manifest'))
-    if object_manifest is not None:
-      logger.debug('Found DLO for path %s: %s', path, object_manifest)
-
-      # Remove the container name from the beginning.
-      container_name, prefix_path = object_manifest.split('/', 1)
-      if container_name != self._swift_container:
-        logger.error('Expected container name %s, found path %s', self._swift_container,
-                     prefix_path)
-        raise Exception("How did we end up with an invalid container name?")
-
-      logger.debug('Loading Dynamic Large Object segments for path prefix %s', prefix_path)
-      try:
-        _, container_objects = self._get_connection().get_container(self._swift_container,
-                                                                    full_listing=True,
-                                                                    prefix=prefix_path)
-      except ClientException as ex:
-        logger.exception('Could not load objects with prefix path %s: %s', prefix_path, str(ex))
-        raise IOError('Cannot load path: %s' % prefix_path)
-
-      logger.debug('Found Dynamic Large Object segments for path prefix %s: %s', prefix_path,
-                   len(container_objects))
-      for obj in container_objects:
+        # Retrieve the root storage URL for the connection.
         try:
-          logger.debug('Deleting Dynamic Large Object segment %s for path prefix %s', obj['name'],
-                       prefix_path)
-          self._get_connection().delete_object(self._swift_container, obj['name'])
+            root_storage_url = self._get_root_storage_url()
+        except ClientException:
+            logger.exception("Got client exception when trying to load Swift auth")
+            return None
+
+        parsed_storage_url = urlparse(root_storage_url)
+        scheme = parsed_storage_url.scheme
+        path = parsed_storage_url.path.rstrip("/")
+        hostname = parsed_storage_url.netloc
+
+        object_path = self._normalize_path(object_path)
+
+        # Generate the signed HMAC body.
+        method = "HEAD" if head else "GET"
+        expires = int(time() + expires_in)
+        full_path = "%s/%s/%s" % (path, self._swift_container, object_path)
+
+        hmac_body = "%s\n%s\n%s" % (method, expires, full_path)
+        sig = hmac.new(
+            self._temp_url_key.encode("utf-8"), hmac_body.encode("utf-8"), sha1
+        ).hexdigest()
+
+        surl = (
+            "{scheme}://{host}{full_path}?temp_url_sig={sig}&temp_url_expires={expires}"
+        )
+        return surl.format(
+            scheme=scheme, host=hostname, full_path=full_path, sig=sig, expires=expires
+        )
+
+    def validate(self, client):
+        super(SwiftStorage, self).validate(client)
+
+        if self._temp_url_key:
+            # Generate a direct download URL.
+            dd_url = self.get_direct_download_url("_verify")
+
+            if not dd_url:
+                raise Exception(
+                    "Could not validate direct download URL; the token may be invalid."
+                )
+
+            # Try to retrieve the direct download URL.
+            response = client.get(dd_url, timeout=2)
+            if response.status_code != 200:
+                logger.debug(
+                    "Direct download failure: %s => %s with body %s",
+                    dd_url,
+                    response.status_code,
+                    response.text,
+                )
+
+                msg = "Direct download URL failed with status code %s. Please check your temp-url-key."
+                raise Exception(msg % response.status_code)
+
+    def get_content(self, path):
+        return self._get_object(path)
+
+    def put_content(self, path, content):
+        self._put_object(path, content)
+
+    def stream_read(self, path):
+        for data in self._get_object(path, self.buffer_size):
+            yield data
+
+    def stream_read_file(self, path):
+        return GeneratorFile(self.stream_read(path))
+
+    def stream_write(self, path, fp, content_type=None, content_encoding=None):
+        self._put_object(
+            path,
+            fp,
+            self.buffer_size,
+            content_type=content_type,
+            content_encoding=content_encoding,
+        )
+
+    def exists(self, path):
+        return bool(self._head_object(path))
+
+    def remove(self, path):
+        # Retrieve the object so we can see if it is segmented. If so, we'll delete its segments after
+        # removing the object.
+        try:
+            headers = self._head_object(path)
         except ClientException as ex:
-          logger.exception('Could not delete object with path %s: %s', obj['name'], str(ex))
-          raise IOError('Cannot delete path: %s' %  obj['name'])
+            logger.exception("Could not head for delete of path %s: %s", path, str(ex))
+            raise IOError("Cannot delete path: %s" % path)
 
-  def _random_checksum(self, count):
-    chars = string.ascii_uppercase + string.digits
-    return ''.join(SystemRandom().choice(chars) for _ in range(count))
+        logger.debug("Found headers for path %s to delete: %s", path, headers)
 
-  def get_checksum(self, path):
-    headers = self._head_object(path)
-    if not headers:
-      raise IOError('Cannot lookup path: %s' % path)
+        # Delete the path itself.
+        path = self._normalize_path(path)
+        try:
+            self._get_connection().delete_object(self._swift_container, path)
+        except ClientException as ex:
+            logger.exception("Could not delete path %s: %s", path, str(ex))
+            raise IOError("Cannot delete path: %s" % path)
 
-    return headers.get('etag', '')[1:-1][:7] or self._random_checksum(7)
+        # Delete the segments.
+        object_manifest = headers.get(
+            "x-object-manifest", headers.get("X-Object-Manifest")
+        )
+        if object_manifest is not None:
+            logger.debug("Found DLO for path %s: %s", path, object_manifest)
 
-  @staticmethod
-  def _segment_list_from_metadata(storage_metadata, key=_SEGMENTS_KEY):
-    return [_PartUploadMetadata(*segment_args) for segment_args in storage_metadata[key]]
+            # Remove the container name from the beginning.
+            container_name, prefix_path = object_manifest.split("/", 1)
+            if container_name != self._swift_container:
+                logger.error(
+                    "Expected container name %s, found path %s",
+                    self._swift_container,
+                    prefix_path,
+                )
+                raise Exception("How did we end up with an invalid container name?")
 
-  def initiate_chunked_upload(self):
-    random_uuid = str(uuid4())
+            logger.debug(
+                "Loading Dynamic Large Object segments for path prefix %s", prefix_path
+            )
+            try:
+                _, container_objects = self._get_connection().get_container(
+                    self._swift_container, full_listing=True, prefix=prefix_path
+                )
+            except ClientException as ex:
+                logger.exception(
+                    "Could not load objects with prefix path %s: %s",
+                    prefix_path,
+                    str(ex),
+                )
+                raise IOError("Cannot load path: %s" % prefix_path)
 
-    metadata = {
-      _SEGMENTS_KEY: [],
-      _EMPTY_SEGMENTS_KEY: [],
-    }
+            logger.debug(
+                "Found Dynamic Large Object segments for path prefix %s: %s",
+                prefix_path,
+                len(container_objects),
+            )
+            for obj in container_objects:
+                try:
+                    logger.debug(
+                        "Deleting Dynamic Large Object segment %s for path prefix %s",
+                        obj["name"],
+                        prefix_path,
+                    )
+                    self._get_connection().delete_object(
+                        self._swift_container, obj["name"]
+                    )
+                except ClientException as ex:
+                    logger.exception(
+                        "Could not delete object with path %s: %s", obj["name"], str(ex)
+                    )
+                    raise IOError("Cannot delete path: %s" % obj["name"])
 
-    return random_uuid, metadata
+    def _random_checksum(self, count):
+        chars = string.ascii_uppercase + string.digits
+        return "".join(SystemRandom().choice(chars) for _ in range(count))
 
-  def stream_upload_chunk(self, uuid, offset, length, in_fp, storage_metadata, content_type=None):
-    if length == 0:
-      return 0, storage_metadata, None
+    def get_checksum(self, path):
+        headers = self._head_object(path)
+        if not headers:
+            raise IOError("Cannot lookup path: %s" % path)
 
-    # Note: Swift limits segments in size, so we need to sub-divide chunks into segments
-    # based on the configured maximum.
-    total_bytes_written = 0
-    upload_error = None
-    read_until_end = length == filelike.READ_UNTIL_END
+        return headers.get("etag", "")[1:-1][:7] or self._random_checksum(7)
 
-    while True:
-      try:
-        bytes_written, storage_metadata = self._stream_upload_segment(uuid, offset, length, in_fp,
-                                                                      storage_metadata,
-                                                                      content_type)
-      except IOError as ex:
-        message = ('Error writing to stream in stream_upload_chunk for uuid %s (offset %s' +
-                   ', length %s, metadata: %s): %s')
-        logger.exception(message, uuid, offset, length, storage_metadata, ex)
-        upload_error = ex
-        break
+    @staticmethod
+    def _segment_list_from_metadata(storage_metadata, key=_SEGMENTS_KEY):
+        return [
+            _PartUploadMetadata(*segment_args) for segment_args in storage_metadata[key]
+        ]
 
-      if not read_until_end:
-        length = length - bytes_written
+    def initiate_chunked_upload(self):
+        random_uuid = str(uuid4())
 
-      offset = offset + bytes_written
-      total_bytes_written = total_bytes_written + bytes_written
+        metadata = {_SEGMENTS_KEY: [], _EMPTY_SEGMENTS_KEY: []}
+
+        return random_uuid, metadata
+
+    def stream_upload_chunk(
+        self, uuid, offset, length, in_fp, storage_metadata, content_type=None
+    ):
+        if length == 0:
+            return 0, storage_metadata, None
+
+        # Note: Swift limits segments in size, so we need to sub-divide chunks into segments
+        # based on the configured maximum.
+        total_bytes_written = 0
+        upload_error = None
+        read_until_end = length == filelike.READ_UNTIL_END
+
+        while True:
+            try:
+                bytes_written, storage_metadata = self._stream_upload_segment(
+                    uuid, offset, length, in_fp, storage_metadata, content_type
+                )
+            except IOError as ex:
+                message = (
+                    "Error writing to stream in stream_upload_chunk for uuid %s (offset %s"
+                    + ", length %s, metadata: %s): %s"
+                )
+                logger.exception(message, uuid, offset, length, storage_metadata, ex)
+                upload_error = ex
+                break
+
+            if not read_until_end:
+                length = length - bytes_written
+
+            offset = offset + bytes_written
+            total_bytes_written = total_bytes_written + bytes_written
+
+            if bytes_written == 0 or (not read_until_end and length <= 0):
+                return total_bytes_written, storage_metadata, upload_error
 
-      if bytes_written == 0 or (not read_until_end and length <= 0):
         return total_bytes_written, storage_metadata, upload_error
 
-    return total_bytes_written, storage_metadata, upload_error
+    def _stream_upload_segment(
+        self, uuid, offset, length, in_fp, storage_metadata, content_type
+    ):
+        updated_metadata = copy.deepcopy(storage_metadata)
+        segment_count = len(updated_metadata[_SEGMENTS_KEY])
+        segment_path = "%s/%s/%s" % (_SEGMENT_DIRECTORY, uuid, "%09d" % segment_count)
 
-  def _stream_upload_segment(self, uuid, offset, length, in_fp, storage_metadata, content_type):
-    updated_metadata = copy.deepcopy(storage_metadata)
-    segment_count = len(updated_metadata[_SEGMENTS_KEY])
-    segment_path = '%s/%s/%s' % (_SEGMENT_DIRECTORY, uuid, '%09d' % segment_count)
+        # Track the number of bytes read and if an explicit length is specified, limit the
+        # file stream to that length.
+        if length == filelike.READ_UNTIL_END:
+            length = _MAXIMUM_SEGMENT_SIZE
+        else:
+            length = min(_MAXIMUM_SEGMENT_SIZE, length)
 
-    # Track the number of bytes read and if an explicit length is specified, limit the
-    # file stream to that length.
-    if length == filelike.READ_UNTIL_END:
-      length = _MAXIMUM_SEGMENT_SIZE
-    else:
-      length = min(_MAXIMUM_SEGMENT_SIZE, length)
+        limiting_fp = filelike.LimitingStream(in_fp, length)
 
-    limiting_fp = filelike.LimitingStream(in_fp, length)
+        # If retries are requested, then we need to use a buffered reader to allow for calls to
+        # seek() on retries from within the Swift client.
+        if self._retry_count > 0:
+            limiting_fp = BufferedReader(limiting_fp, buffer_size=length)
 
-    # If retries are requested, then we need to use a buffered reader to allow for calls to
-    # seek() on retries from within the Swift client.
-    if self._retry_count > 0:
-      limiting_fp = BufferedReader(limiting_fp, buffer_size=length)
+        # Write the segment to Swift.
+        self.stream_write(segment_path, limiting_fp, content_type)
 
-    # Write the segment to Swift.
-    self.stream_write(segment_path, limiting_fp, content_type)
+        # We are only going to track keys to which data was confirmed written.
+        bytes_written = limiting_fp.tell()
+        if bytes_written > 0:
+            updated_metadata[_SEGMENTS_KEY].append(
+                _PartUploadMetadata(segment_path, offset, bytes_written)
+            )
+        else:
+            updated_metadata[_EMPTY_SEGMENTS_KEY].append(
+                _PartUploadMetadata(segment_path, offset, bytes_written)
+            )
 
-    # We are only going to track keys to which data was confirmed written.
-    bytes_written = limiting_fp.tell()
-    if bytes_written > 0:
-      updated_metadata[_SEGMENTS_KEY].append(_PartUploadMetadata(segment_path, offset,
-                                                                 bytes_written))
-    else:
-      updated_metadata[_EMPTY_SEGMENTS_KEY].append(_PartUploadMetadata(segment_path, offset,
-                                                                       bytes_written))
+        return bytes_written, updated_metadata
 
-    return bytes_written, updated_metadata
-
-  def complete_chunked_upload(self, uuid, final_path, storage_metadata):
-    """ Complete the chunked upload and store the final results in the path indicated.
+    def complete_chunked_upload(self, uuid, final_path, storage_metadata):
+        """ Complete the chunked upload and store the final results in the path indicated.
         Returns nothing.
     """
-    # Check all potentially empty segments against the segments that were uploaded; if the path
-    # is still empty, then we queue the segment to be deleted.
-    if self._context.chunk_cleanup_queue is not None:
-      nonempty_segments = SwiftStorage._segment_list_from_metadata(storage_metadata,
-                                                                   key=_SEGMENTS_KEY)
-      potentially_empty_segments = SwiftStorage._segment_list_from_metadata(storage_metadata,
-                                                                            key=_EMPTY_SEGMENTS_KEY)
+        # Check all potentially empty segments against the segments that were uploaded; if the path
+        # is still empty, then we queue the segment to be deleted.
+        if self._context.chunk_cleanup_queue is not None:
+            nonempty_segments = SwiftStorage._segment_list_from_metadata(
+                storage_metadata, key=_SEGMENTS_KEY
+            )
+            potentially_empty_segments = SwiftStorage._segment_list_from_metadata(
+                storage_metadata, key=_EMPTY_SEGMENTS_KEY
+            )
 
-      nonempty_paths = set([segment.path for segment in nonempty_segments])
-      for segment in potentially_empty_segments:
-        if segment.path in nonempty_paths:
-          continue
+            nonempty_paths = set([segment.path for segment in nonempty_segments])
+            for segment in potentially_empty_segments:
+                if segment.path in nonempty_paths:
+                    continue
 
-        # Queue the chunk to be deleted, as it is empty and therefore unused.
-        self._context.chunk_cleanup_queue.put(
-          ['segment/%s/%s' % (self._context.location, uuid)],
-          json.dumps({
-            'location': self._context.location,
-            'uuid': uuid,
-            'path': segment.path,
-          }), available_after=_CHUNK_CLEANUP_DELAY)
+                # Queue the chunk to be deleted, as it is empty and therefore unused.
+                self._context.chunk_cleanup_queue.put(
+                    ["segment/%s/%s" % (self._context.location, uuid)],
+                    json.dumps(
+                        {
+                            "location": self._context.location,
+                            "uuid": uuid,
+                            "path": segment.path,
+                        }
+                    ),
+                    available_after=_CHUNK_CLEANUP_DELAY,
+                )
 
-    # Finally, we write an empty file at the proper location with a X-Object-Manifest
-    # header pointing to the prefix for the segments.
-    segments_prefix_path = self._normalize_path('%s/%s' % (_SEGMENT_DIRECTORY, uuid))
-    contained_segments_prefix_path = '%s/%s' % (self._swift_container, segments_prefix_path)
+        # Finally, we write an empty file at the proper location with a X-Object-Manifest
+        # header pointing to the prefix for the segments.
+        segments_prefix_path = self._normalize_path(
+            "%s/%s" % (_SEGMENT_DIRECTORY, uuid)
+        )
+        contained_segments_prefix_path = "%s/%s" % (
+            self._swift_container,
+            segments_prefix_path,
+        )
 
-    self._put_object(final_path, '', headers={'X-Object-Manifest': contained_segments_prefix_path})
+        self._put_object(
+            final_path,
+            "",
+            headers={"X-Object-Manifest": contained_segments_prefix_path},
+        )
 
-  def cancel_chunked_upload(self, uuid, storage_metadata):
-    """ Cancel the chunked upload and clean up any outstanding partially uploaded data.
+    def cancel_chunked_upload(self, uuid, storage_metadata):
+        """ Cancel the chunked upload and clean up any outstanding partially uploaded data.
         Returns nothing.
     """
-    if not self._context.chunk_cleanup_queue:
-      return
+        if not self._context.chunk_cleanup_queue:
+            return
 
-    segments = list(SwiftStorage._segment_list_from_metadata(storage_metadata,
-                                                             key=_SEGMENTS_KEY))
-    segments.extend(SwiftStorage._segment_list_from_metadata(storage_metadata,
-                                                             key=_EMPTY_SEGMENTS_KEY))
+        segments = list(
+            SwiftStorage._segment_list_from_metadata(
+                storage_metadata, key=_SEGMENTS_KEY
+            )
+        )
+        segments.extend(
+            SwiftStorage._segment_list_from_metadata(
+                storage_metadata, key=_EMPTY_SEGMENTS_KEY
+            )
+        )
 
-    # Queue all the uploaded segments to be deleted.
-    for segment in segments:
-      # Queue the chunk to be deleted.
-      self._context.chunk_cleanup_queue.put(
-        ['segment/%s/%s' % (self._context.location, uuid)],
-        json.dumps({
-          'location': self._context.location,
-          'uuid': uuid,
-          'path': segment.path,
-        }), available_after=_CHUNK_CLEANUP_DELAY)
+        # Queue all the uploaded segments to be deleted.
+        for segment in segments:
+            # Queue the chunk to be deleted.
+            self._context.chunk_cleanup_queue.put(
+                ["segment/%s/%s" % (self._context.location, uuid)],
+                json.dumps(
+                    {
+                        "location": self._context.location,
+                        "uuid": uuid,
+                        "path": segment.path,
+                    }
+                ),
+                available_after=_CHUNK_CLEANUP_DELAY,
+            )
 
-  def copy_to(self, destination, path):
-    if (self.__class__ == destination.__class__ and
-        self._swift_user == destination._swift_user and
-        self._swift_password == destination._swift_password and
-        self._auth_url == destination._auth_url and
-        self._auth_version == destination._auth_version):
-      logger.debug('Copying file from swift %s to swift %s via a Swift copy',
-                   self._swift_container, destination)
+    def copy_to(self, destination, path):
+        if (
+            self.__class__ == destination.__class__
+            and self._swift_user == destination._swift_user
+            and self._swift_password == destination._swift_password
+            and self._auth_url == destination._auth_url
+            and self._auth_version == destination._auth_version
+        ):
+            logger.debug(
+                "Copying file from swift %s to swift %s via a Swift copy",
+                self._swift_container,
+                destination,
+            )
 
-      normalized_path = self._normalize_path(path)
-      target = '/%s/%s' % (destination._swift_container, normalized_path)
+            normalized_path = self._normalize_path(path)
+            target = "/%s/%s" % (destination._swift_container, normalized_path)
 
-      try:
-        self._get_connection().copy_object(self._swift_container, normalized_path, target)
-      except ClientException as ex:
-        logger.exception('Could not swift copy path %s: %s', path, ex)
-        raise IOError('Failed to swift copy path %s' % path)
+            try:
+                self._get_connection().copy_object(
+                    self._swift_container, normalized_path, target
+                )
+            except ClientException as ex:
+                logger.exception("Could not swift copy path %s: %s", path, ex)
+                raise IOError("Failed to swift copy path %s" % path)
 
-      return
+            return
 
-    # Fallback to a slower, default copy.
-    logger.debug('Copying file from swift %s to %s via a streamed copy', self._swift_container,
-                 destination)
-    with self.stream_read_file(path) as fp:
-      destination.stream_write(path, fp)
+        # Fallback to a slower, default copy.
+        logger.debug(
+            "Copying file from swift %s to %s via a streamed copy",
+            self._swift_container,
+            destination,
+        )
+        with self.stream_read_file(path) as fp:
+            destination.stream_write(path, fp)
diff --git a/storage/test/test_azure.py b/storage/test/test_azure.py
index aad42a2a5..39b8da53b 100644
--- a/storage/test/test_azure.py
+++ b/storage/test/test_azure.py
@@ -12,206 +12,207 @@ from azure.storage.blob import BlockBlobService
 
 from storage.azurestorage import AzureStorage
 
+
 @contextmanager
 def fake_azure_storage(files=None):
-  service = BlockBlobService(is_emulated=True)
-  endpoint = service.primary_endpoint.split('/')
-  container_name = 'somecontainer'
-  files = files if files is not None else {}
+    service = BlockBlobService(is_emulated=True)
+    endpoint = service.primary_endpoint.split("/")
+    container_name = "somecontainer"
+    files = files if files is not None else {}
 
-  container_prefix = '/' + endpoint[1] + '/' + container_name
+    container_prefix = "/" + endpoint[1] + "/" + container_name
 
-  @urlmatch(netloc=endpoint[0], path=container_prefix + '$')
-  def get_container(url, request):
-    return {'status_code': 200, 'content': '{}'}
+    @urlmatch(netloc=endpoint[0], path=container_prefix + "$")
+    def get_container(url, request):
+        return {"status_code": 200, "content": "{}"}
 
-  @urlmatch(netloc=endpoint[0], path=container_prefix + '/.+')
-  def container_file(url, request):
-    filename = url.path[len(container_prefix)+1:]
+    @urlmatch(netloc=endpoint[0], path=container_prefix + "/.+")
+    def container_file(url, request):
+        filename = url.path[len(container_prefix) + 1 :]
 
-    if request.method == 'GET' or request.method == 'HEAD':
-      return {
-        'status_code': 200 if filename in files else 404,
-        'content': files.get(filename),
-        'headers': {
-          'ETag': 'foobar',
-        },
-      }
+        if request.method == "GET" or request.method == "HEAD":
+            return {
+                "status_code": 200 if filename in files else 404,
+                "content": files.get(filename),
+                "headers": {"ETag": "foobar"},
+            }
 
-    if request.method == 'DELETE':
-      files.pop(filename)
-      return {
-        'status_code': 201,
-        'content': '',
-        'headers': {
-          'ETag': 'foobar',
-        },
-      }
-      
+        if request.method == "DELETE":
+            files.pop(filename)
+            return {"status_code": 201, "content": "", "headers": {"ETag": "foobar"}}
 
-    if request.method == 'PUT':
-      query_params = parse_qs(url.query)
-      if query_params.get('comp') == ['properties']:
-        return {
-          'status_code': 201,
-          'content': '{}',
-          'headers': {
-            'x-ms-request-server-encrypted': "false",
-            'last-modified': 'Wed, 21 Oct 2015 07:28:00 GMT',
-          }
-        }
+        if request.method == "PUT":
+            query_params = parse_qs(url.query)
+            if query_params.get("comp") == ["properties"]:
+                return {
+                    "status_code": 201,
+                    "content": "{}",
+                    "headers": {
+                        "x-ms-request-server-encrypted": "false",
+                        "last-modified": "Wed, 21 Oct 2015 07:28:00 GMT",
+                    },
+                }
 
-      if query_params.get('comp') == ['block']:
-        block_id = query_params['blockid'][0]
-        files[filename] = files.get(filename) or {}
-        files[filename][block_id] = request.body
-        return {
-          'status_code': 201,
-          'content': '{}',
-          'headers': {
-            'Content-MD5': base64.b64encode(md5.new(request.body).digest()),
-            'ETag': 'foo',
-            'x-ms-request-server-encrypted': "false",
-            'last-modified': 'Wed, 21 Oct 2015 07:28:00 GMT',
-          }
-        }
-      
-      if query_params.get('comp') == ['blocklist']:
-        parsed = minidom.parseString(request.body)
-        latest = parsed.getElementsByTagName('Latest')
-        combined = []
-        for latest_block in latest:
-          combined.append(files[filename][latest_block.childNodes[0].data])
+            if query_params.get("comp") == ["block"]:
+                block_id = query_params["blockid"][0]
+                files[filename] = files.get(filename) or {}
+                files[filename][block_id] = request.body
+                return {
+                    "status_code": 201,
+                    "content": "{}",
+                    "headers": {
+                        "Content-MD5": base64.b64encode(md5.new(request.body).digest()),
+                        "ETag": "foo",
+                        "x-ms-request-server-encrypted": "false",
+                        "last-modified": "Wed, 21 Oct 2015 07:28:00 GMT",
+                    },
+                }
 
-        files[filename] = ''.join(combined)
-        return {
-          'status_code': 201,
-          'content': '{}',
-          'headers': {
-            'Content-MD5': base64.b64encode(md5.new(files[filename]).digest()),
-            'ETag': 'foo',
-            'x-ms-request-server-encrypted': "false",
-            'last-modified': 'Wed, 21 Oct 2015 07:28:00 GMT',
-          }
-        }
+            if query_params.get("comp") == ["blocklist"]:
+                parsed = minidom.parseString(request.body)
+                latest = parsed.getElementsByTagName("Latest")
+                combined = []
+                for latest_block in latest:
+                    combined.append(files[filename][latest_block.childNodes[0].data])
 
-      if request.headers.get('x-ms-copy-source'):
-        copy_source = request.headers['x-ms-copy-source']
-        copy_path = urlparse(copy_source).path[len(container_prefix) + 1:]
-        files[filename] = files[copy_path]
-        return {
-          'status_code': 201,
-          'content': '{}',
-          'headers': {
-            'x-ms-request-server-encrypted': "false",
-            'x-ms-copy-status': 'success',
-            'last-modified': 'Wed, 21 Oct 2015 07:28:00 GMT',
-          }
-        }
+                files[filename] = "".join(combined)
+                return {
+                    "status_code": 201,
+                    "content": "{}",
+                    "headers": {
+                        "Content-MD5": base64.b64encode(
+                            md5.new(files[filename]).digest()
+                        ),
+                        "ETag": "foo",
+                        "x-ms-request-server-encrypted": "false",
+                        "last-modified": "Wed, 21 Oct 2015 07:28:00 GMT",
+                    },
+                }
 
-      files[filename] = request.body
+            if request.headers.get("x-ms-copy-source"):
+                copy_source = request.headers["x-ms-copy-source"]
+                copy_path = urlparse(copy_source).path[len(container_prefix) + 1 :]
+                files[filename] = files[copy_path]
+                return {
+                    "status_code": 201,
+                    "content": "{}",
+                    "headers": {
+                        "x-ms-request-server-encrypted": "false",
+                        "x-ms-copy-status": "success",
+                        "last-modified": "Wed, 21 Oct 2015 07:28:00 GMT",
+                    },
+                }
 
-      return {
-        'status_code': 201,
-        'content': '{}',
-        'headers': {
-          'Content-MD5': base64.b64encode(md5.new(request.body).digest()),
-          'ETag': 'foo',
-          'x-ms-request-server-encrypted': "false",
-          'last-modified': 'Wed, 21 Oct 2015 07:28:00 GMT',
-        }
-      }
+            files[filename] = request.body
 
-    return {'status_code': 405, 'content': ''}
+            return {
+                "status_code": 201,
+                "content": "{}",
+                "headers": {
+                    "Content-MD5": base64.b64encode(md5.new(request.body).digest()),
+                    "ETag": "foo",
+                    "x-ms-request-server-encrypted": "false",
+                    "last-modified": "Wed, 21 Oct 2015 07:28:00 GMT",
+                },
+            }
+
+        return {"status_code": 405, "content": ""}
+
+    @urlmatch(netloc=endpoint[0], path=".+")
+    def catchall(url, request):
+        return {"status_code": 405, "content": ""}
+
+    with HTTMock(get_container, container_file, catchall):
+        yield AzureStorage(None, "somecontainer", "", "someaccount", is_emulated=True)
 
-  @urlmatch(netloc=endpoint[0], path='.+')
-  def catchall(url, request):
-    return {'status_code': 405, 'content': ''}
 
-  with HTTMock(get_container, container_file, catchall):
-    yield AzureStorage(None, 'somecontainer', '', 'someaccount', is_emulated=True)
-    
 def test_validate():
-  with fake_azure_storage() as s:
-    s.validate(None)
+    with fake_azure_storage() as s:
+        s.validate(None)
+
 
 def test_basics():
-  with fake_azure_storage() as s:
-    s.put_content('hello', 'hello world')
-    assert s.exists('hello')
-    assert s.get_content('hello') == 'hello world'
-    assert s.get_checksum('hello')
-    assert ''.join(list(s.stream_read('hello'))) == 'hello world'
-    assert s.stream_read_file('hello').read() == 'hello world'
+    with fake_azure_storage() as s:
+        s.put_content("hello", "hello world")
+        assert s.exists("hello")
+        assert s.get_content("hello") == "hello world"
+        assert s.get_checksum("hello")
+        assert "".join(list(s.stream_read("hello"))) == "hello world"
+        assert s.stream_read_file("hello").read() == "hello world"
+
+        s.remove("hello")
+        assert not s.exists("hello")
 
-    s.remove('hello')
-    assert not s.exists('hello')
 
 def test_does_not_exist():
-  with fake_azure_storage() as s:
-    assert not s.exists('hello')
+    with fake_azure_storage() as s:
+        assert not s.exists("hello")
 
-    with pytest.raises(IOError):
-      s.get_content('hello')
+        with pytest.raises(IOError):
+            s.get_content("hello")
 
-    with pytest.raises(IOError):
-      s.get_checksum('hello')
+        with pytest.raises(IOError):
+            s.get_checksum("hello")
 
-    with pytest.raises(IOError):
-      list(s.stream_read('hello'))
+        with pytest.raises(IOError):
+            list(s.stream_read("hello"))
+
+        with pytest.raises(IOError):
+            s.stream_read_file("hello")
 
-    with pytest.raises(IOError):
-      s.stream_read_file('hello')
 
 def test_stream_write():
-  fp = io.BytesIO()
-  fp.write('hello world!')
-  fp.seek(0)
+    fp = io.BytesIO()
+    fp.write("hello world!")
+    fp.seek(0)
 
-  with fake_azure_storage() as s:
-    s.stream_write('hello', fp)
+    with fake_azure_storage() as s:
+        s.stream_write("hello", fp)
 
-    assert s.get_content('hello') == 'hello world!'
+        assert s.get_content("hello") == "hello world!"
 
-@pytest.mark.parametrize('chunk_size', [
-  (1),
-  (5),
-  (10),
-])
+
+@pytest.mark.parametrize("chunk_size", [(1), (5), (10)])
 def test_chunked_uploading(chunk_size):
-  with fake_azure_storage() as s:
-    string_data = 'hello world!'
-    chunks = [string_data[index:index+chunk_size] for index in range(0, len(string_data), chunk_size)]
+    with fake_azure_storage() as s:
+        string_data = "hello world!"
+        chunks = [
+            string_data[index : index + chunk_size]
+            for index in range(0, len(string_data), chunk_size)
+        ]
 
-    uuid, metadata = s.initiate_chunked_upload()
-    start_index = 0
-    
-    for chunk in chunks:
-      fp = io.BytesIO()
-      fp.write(chunk)
-      fp.seek(0)
+        uuid, metadata = s.initiate_chunked_upload()
+        start_index = 0
 
-      total_bytes_written, metadata, error = s.stream_upload_chunk(uuid, start_index, -1, fp,
-                                                                   metadata)
-      assert total_bytes_written == len(chunk)
-      assert metadata
-      assert not error
+        for chunk in chunks:
+            fp = io.BytesIO()
+            fp.write(chunk)
+            fp.seek(0)
 
-      start_index += total_bytes_written
+            total_bytes_written, metadata, error = s.stream_upload_chunk(
+                uuid, start_index, -1, fp, metadata
+            )
+            assert total_bytes_written == len(chunk)
+            assert metadata
+            assert not error
+
+            start_index += total_bytes_written
+
+        s.complete_chunked_upload(uuid, "chunked", metadata)
+        assert s.get_content("chunked") == string_data
 
-    s.complete_chunked_upload(uuid, 'chunked', metadata)
-    assert s.get_content('chunked') == string_data
 
 def test_get_direct_download_url():
-  with fake_azure_storage() as s:
-    s.put_content('hello', 'world')
-    assert 'sig' in s.get_direct_download_url('hello')
+    with fake_azure_storage() as s:
+        s.put_content("hello", "world")
+        assert "sig" in s.get_direct_download_url("hello")
+
 
 def test_copy_to():
-  files = {}
+    files = {}
 
-  with fake_azure_storage(files=files) as s:
-    s.put_content('hello', 'hello world')
-    with fake_azure_storage(files=files) as s2:
-      s.copy_to(s2, 'hello')
-      assert s2.exists('hello')
+    with fake_azure_storage(files=files) as s:
+        s.put_content("hello", "hello world")
+        with fake_azure_storage(files=files) as s2:
+            s.copy_to(s2, "hello")
+            assert s2.exists("hello")
diff --git a/storage/test/test_cloud_storage.py b/storage/test/test_cloud_storage.py
index f9f418058..b374898ac 100644
--- a/storage/test/test_cloud_storage.py
+++ b/storage/test/test_cloud_storage.py
@@ -14,245 +14,237 @@ from storage.cloud import _CloudStorage, _PartUploadMetadata
 from storage.cloud import _CHUNKS_KEY
 
 _TEST_CONTENT = os.urandom(1024)
-_TEST_BUCKET = 'some_bucket'
-_TEST_USER = 'someuser'
-_TEST_PASSWORD = 'somepassword'
-_TEST_PATH = 'some/cool/path'
-_TEST_CONTEXT = StorageContext('nyc', None, None, None, None)
+_TEST_BUCKET = "some_bucket"
+_TEST_USER = "someuser"
+_TEST_PASSWORD = "somepassword"
+_TEST_PATH = "some/cool/path"
+_TEST_CONTEXT = StorageContext("nyc", None, None, None, None)
 
 
-@pytest.fixture(scope='function')
+@pytest.fixture(scope="function")
 def storage_engine():
-  with mock_s3():
-    # Create a test bucket and put some test content.
-    boto.connect_s3().create_bucket(_TEST_BUCKET)
-    engine = S3Storage(_TEST_CONTEXT, 'some/path', _TEST_BUCKET, _TEST_USER, _TEST_PASSWORD)
-    engine.put_content(_TEST_PATH, _TEST_CONTENT)
+    with mock_s3():
+        # Create a test bucket and put some test content.
+        boto.connect_s3().create_bucket(_TEST_BUCKET)
+        engine = S3Storage(
+            _TEST_CONTEXT, "some/path", _TEST_BUCKET, _TEST_USER, _TEST_PASSWORD
+        )
+        engine.put_content(_TEST_PATH, _TEST_CONTENT)
 
-    yield engine
+        yield engine
 
 
 def test_basicop(storage_engine):
-  # Ensure the content exists.
-  assert storage_engine.exists(_TEST_PATH)
+    # Ensure the content exists.
+    assert storage_engine.exists(_TEST_PATH)
 
-  # Verify it can be retrieved.
-  assert storage_engine.get_content(_TEST_PATH) == _TEST_CONTENT
+    # Verify it can be retrieved.
+    assert storage_engine.get_content(_TEST_PATH) == _TEST_CONTENT
 
-  # Retrieve a checksum for the content.
-  storage_engine.get_checksum(_TEST_PATH)
-
-  # Remove the file.
-  storage_engine.remove(_TEST_PATH)
-
-  # Ensure it no longer exists.
-  with pytest.raises(IOError):
-    storage_engine.get_content(_TEST_PATH)
-
-  with pytest.raises(IOError):
+    # Retrieve a checksum for the content.
     storage_engine.get_checksum(_TEST_PATH)
 
-  assert not storage_engine.exists(_TEST_PATH)
+    # Remove the file.
+    storage_engine.remove(_TEST_PATH)
+
+    # Ensure it no longer exists.
+    with pytest.raises(IOError):
+        storage_engine.get_content(_TEST_PATH)
+
+    with pytest.raises(IOError):
+        storage_engine.get_checksum(_TEST_PATH)
+
+    assert not storage_engine.exists(_TEST_PATH)
 
 
-@pytest.mark.parametrize('bucket, username, password', [
-  pytest.param(_TEST_BUCKET, _TEST_USER, _TEST_PASSWORD, id='same credentials'),
-  pytest.param('another_bucket', 'blech', 'password', id='different credentials'),
-])
+@pytest.mark.parametrize(
+    "bucket, username, password",
+    [
+        pytest.param(_TEST_BUCKET, _TEST_USER, _TEST_PASSWORD, id="same credentials"),
+        pytest.param("another_bucket", "blech", "password", id="different credentials"),
+    ],
+)
 def test_copy(bucket, username, password, storage_engine):
-  # Copy the content to another engine.
-  another_engine = S3Storage(_TEST_CONTEXT, 'another/path', _TEST_BUCKET, _TEST_USER,
-                             _TEST_PASSWORD)
-  boto.connect_s3().create_bucket('another_bucket')
-  storage_engine.copy_to(another_engine, _TEST_PATH)
+    # Copy the content to another engine.
+    another_engine = S3Storage(
+        _TEST_CONTEXT, "another/path", _TEST_BUCKET, _TEST_USER, _TEST_PASSWORD
+    )
+    boto.connect_s3().create_bucket("another_bucket")
+    storage_engine.copy_to(another_engine, _TEST_PATH)
 
-  # Verify it can be retrieved.
-  assert another_engine.get_content(_TEST_PATH) == _TEST_CONTENT
+    # Verify it can be retrieved.
+    assert another_engine.get_content(_TEST_PATH) == _TEST_CONTENT
 
 
 def test_copy_with_error(storage_engine):
-  another_engine = S3Storage(_TEST_CONTEXT, 'another/path', 'anotherbucket', 'foo',
-                             'bar')
+    another_engine = S3Storage(
+        _TEST_CONTEXT, "another/path", "anotherbucket", "foo", "bar"
+    )
 
-  with pytest.raises(IOError):
-    storage_engine.copy_to(another_engine, _TEST_PATH)
+    with pytest.raises(IOError):
+        storage_engine.copy_to(another_engine, _TEST_PATH)
 
 
 def test_stream_read(storage_engine):
-  # Read the streaming content.
-  data = ''.join(storage_engine.stream_read(_TEST_PATH))
-  assert data == _TEST_CONTENT
+    # Read the streaming content.
+    data = "".join(storage_engine.stream_read(_TEST_PATH))
+    assert data == _TEST_CONTENT
 
 
 def test_stream_read_file(storage_engine):
-  with storage_engine.stream_read_file(_TEST_PATH) as f:
-    assert f.read() == _TEST_CONTENT
+    with storage_engine.stream_read_file(_TEST_PATH) as f:
+        assert f.read() == _TEST_CONTENT
 
 
 def test_stream_write(storage_engine):
-  new_data = os.urandom(4096)
-  storage_engine.stream_write(_TEST_PATH, StringIO(new_data), content_type='Cool/Type')
-  assert storage_engine.get_content(_TEST_PATH) == new_data
+    new_data = os.urandom(4096)
+    storage_engine.stream_write(
+        _TEST_PATH, StringIO(new_data), content_type="Cool/Type"
+    )
+    assert storage_engine.get_content(_TEST_PATH) == new_data
 
 
 def test_stream_write_error():
-  with mock_s3():
-    # Create an engine but not the bucket.
-    engine = S3Storage(_TEST_CONTEXT, 'some/path', _TEST_BUCKET, _TEST_USER, _TEST_PASSWORD)
+    with mock_s3():
+        # Create an engine but not the bucket.
+        engine = S3Storage(
+            _TEST_CONTEXT, "some/path", _TEST_BUCKET, _TEST_USER, _TEST_PASSWORD
+        )
 
-    # Attempt to write to the uncreated bucket, which should raise an error.
-    with pytest.raises(IOError):
-      engine.stream_write(_TEST_PATH, StringIO('hello world'), content_type='Cool/Type')
+        # Attempt to write to the uncreated bucket, which should raise an error.
+        with pytest.raises(IOError):
+            engine.stream_write(
+                _TEST_PATH, StringIO("hello world"), content_type="Cool/Type"
+            )
 
-    assert not engine.exists(_TEST_PATH)
+        assert not engine.exists(_TEST_PATH)
 
 
-@pytest.mark.parametrize('chunk_count', [
-  0,
-  1,
-  50,
-])
-@pytest.mark.parametrize('force_client_side', [
-  False,
-  True
-])
+@pytest.mark.parametrize("chunk_count", [0, 1, 50])
+@pytest.mark.parametrize("force_client_side", [False, True])
 def test_chunk_upload(storage_engine, chunk_count, force_client_side):
-  if chunk_count == 0 and force_client_side:
-    return
+    if chunk_count == 0 and force_client_side:
+        return
 
-  upload_id, metadata = storage_engine.initiate_chunked_upload()
-  final_data = ''
+    upload_id, metadata = storage_engine.initiate_chunked_upload()
+    final_data = ""
 
-  for index in range(0, chunk_count):
-    chunk_data = os.urandom(1024)
-    final_data = final_data + chunk_data
-    bytes_written, new_metadata, error = storage_engine.stream_upload_chunk(upload_id, 0,
-                                                                            len(chunk_data),
-                                                                            StringIO(chunk_data),
-                                                                            metadata)
-    metadata = new_metadata
+    for index in range(0, chunk_count):
+        chunk_data = os.urandom(1024)
+        final_data = final_data + chunk_data
+        bytes_written, new_metadata, error = storage_engine.stream_upload_chunk(
+            upload_id, 0, len(chunk_data), StringIO(chunk_data), metadata
+        )
+        metadata = new_metadata
 
-    assert bytes_written == len(chunk_data)
-    assert error is None
-    assert len(metadata[_CHUNKS_KEY]) == index + 1
+        assert bytes_written == len(chunk_data)
+        assert error is None
+        assert len(metadata[_CHUNKS_KEY]) == index + 1
 
-  # Complete the chunked upload.
-  storage_engine.complete_chunked_upload(upload_id, 'some/chunked/path', metadata,
-                                         force_client_side=force_client_side)
+    # Complete the chunked upload.
+    storage_engine.complete_chunked_upload(
+        upload_id, "some/chunked/path", metadata, force_client_side=force_client_side
+    )
 
-  # Ensure the file contents are valid.
-  assert storage_engine.get_content('some/chunked/path') == final_data
+    # Ensure the file contents are valid.
+    assert storage_engine.get_content("some/chunked/path") == final_data
 
 
-@pytest.mark.parametrize('chunk_count', [
-  0,
-  1,
-  50,
-])
+@pytest.mark.parametrize("chunk_count", [0, 1, 50])
 def test_cancel_chunked_upload(storage_engine, chunk_count):
-  upload_id, metadata = storage_engine.initiate_chunked_upload()
+    upload_id, metadata = storage_engine.initiate_chunked_upload()
 
-  for _ in range(0, chunk_count):
-    chunk_data = os.urandom(1024)
-    _, new_metadata, _ = storage_engine.stream_upload_chunk(upload_id, 0,
-                                                            len(chunk_data),
-                                                            StringIO(chunk_data),
-                                                            metadata)
-    metadata = new_metadata
+    for _ in range(0, chunk_count):
+        chunk_data = os.urandom(1024)
+        _, new_metadata, _ = storage_engine.stream_upload_chunk(
+            upload_id, 0, len(chunk_data), StringIO(chunk_data), metadata
+        )
+        metadata = new_metadata
 
-  # Cancel the upload.
-  storage_engine.cancel_chunked_upload(upload_id, metadata)
+    # Cancel the upload.
+    storage_engine.cancel_chunked_upload(upload_id, metadata)
 
-  # Ensure all chunks were deleted.
-  for chunk in metadata[_CHUNKS_KEY]:
-    assert not storage_engine.exists(chunk.path)
+    # Ensure all chunks were deleted.
+    for chunk in metadata[_CHUNKS_KEY]:
+        assert not storage_engine.exists(chunk.path)
 
 
 def test_large_chunks_upload(storage_engine):
-  # Make the max chunk size much smaller for testing.
-  storage_engine.maximum_chunk_size = storage_engine.minimum_chunk_size * 2
+    # Make the max chunk size much smaller for testing.
+    storage_engine.maximum_chunk_size = storage_engine.minimum_chunk_size * 2
 
-  upload_id, metadata = storage_engine.initiate_chunked_upload()
+    upload_id, metadata = storage_engine.initiate_chunked_upload()
 
-  # Write a "super large" chunk, to ensure that it is broken into smaller chunks.
-  chunk_data = os.urandom(int(storage_engine.maximum_chunk_size * 2.5))
-  bytes_written, new_metadata, _ = storage_engine.stream_upload_chunk(upload_id, 0,
-                                                                      -1,
-                                                                      StringIO(chunk_data),
-                                                                      metadata)
-  assert len(chunk_data) == bytes_written
+    # Write a "super large" chunk, to ensure that it is broken into smaller chunks.
+    chunk_data = os.urandom(int(storage_engine.maximum_chunk_size * 2.5))
+    bytes_written, new_metadata, _ = storage_engine.stream_upload_chunk(
+        upload_id, 0, -1, StringIO(chunk_data), metadata
+    )
+    assert len(chunk_data) == bytes_written
 
-  # Complete the chunked upload.
-  storage_engine.complete_chunked_upload(upload_id, 'some/chunked/path', new_metadata)
+    # Complete the chunked upload.
+    storage_engine.complete_chunked_upload(upload_id, "some/chunked/path", new_metadata)
 
-  # Ensure the file contents are valid.
-  assert len(chunk_data) == len(storage_engine.get_content('some/chunked/path'))
-  assert storage_engine.get_content('some/chunked/path') == chunk_data
+    # Ensure the file contents are valid.
+    assert len(chunk_data) == len(storage_engine.get_content("some/chunked/path"))
+    assert storage_engine.get_content("some/chunked/path") == chunk_data
 
 
 def test_large_chunks_with_ragged_edge(storage_engine):
-  # Make the max chunk size much smaller for testing and force it to have a ragged edge.
-  storage_engine.maximum_chunk_size = storage_engine.minimum_chunk_size * 2 + 10
+    # Make the max chunk size much smaller for testing and force it to have a ragged edge.
+    storage_engine.maximum_chunk_size = storage_engine.minimum_chunk_size * 2 + 10
 
-  upload_id, metadata = storage_engine.initiate_chunked_upload()
+    upload_id, metadata = storage_engine.initiate_chunked_upload()
 
-  # Write a few "super large" chunks, to ensure that it is broken into smaller chunks.
-  all_data = ''
-  for _ in range(0, 2):
-    chunk_data = os.urandom(int(storage_engine.maximum_chunk_size) + 20)
-    bytes_written, new_metadata, _ = storage_engine.stream_upload_chunk(upload_id, 0,
-                                                                        -1,
-                                                                        StringIO(chunk_data),
-                                                                        metadata)
-    assert len(chunk_data) == bytes_written
-    all_data = all_data + chunk_data
-    metadata = new_metadata
+    # Write a few "super large" chunks, to ensure that it is broken into smaller chunks.
+    all_data = ""
+    for _ in range(0, 2):
+        chunk_data = os.urandom(int(storage_engine.maximum_chunk_size) + 20)
+        bytes_written, new_metadata, _ = storage_engine.stream_upload_chunk(
+            upload_id, 0, -1, StringIO(chunk_data), metadata
+        )
+        assert len(chunk_data) == bytes_written
+        all_data = all_data + chunk_data
+        metadata = new_metadata
 
-  # Complete the chunked upload.
-  storage_engine.complete_chunked_upload(upload_id, 'some/chunked/path', new_metadata)
+    # Complete the chunked upload.
+    storage_engine.complete_chunked_upload(upload_id, "some/chunked/path", new_metadata)
 
-  # Ensure the file contents are valid.
-  assert len(all_data) == len(storage_engine.get_content('some/chunked/path'))
-  assert storage_engine.get_content('some/chunked/path') == all_data
+    # Ensure the file contents are valid.
+    assert len(all_data) == len(storage_engine.get_content("some/chunked/path"))
+    assert storage_engine.get_content("some/chunked/path") == all_data
 
 
-@pytest.mark.parametrize('max_size, parts', [
-  (50, [
-    _PartUploadMetadata('foo', 0, 50),
-    _PartUploadMetadata('foo', 50, 50),
-  ]),
-
-  (40, [
-    _PartUploadMetadata('foo', 0, 25),
-    _PartUploadMetadata('foo', 25, 25),
-    _PartUploadMetadata('foo', 50, 25),
-    _PartUploadMetadata('foo', 75, 25)
-  ]),
-
-  (51, [
-    _PartUploadMetadata('foo', 0, 50),
-    _PartUploadMetadata('foo', 50, 50),
-  ]),
-
-  (49, [
-    _PartUploadMetadata('foo', 0, 25),
-    _PartUploadMetadata('foo', 25, 25),
-    _PartUploadMetadata('foo', 50, 25),
-    _PartUploadMetadata('foo', 75, 25),
-  ]),
-
-  (99, [
-    _PartUploadMetadata('foo', 0, 50),
-    _PartUploadMetadata('foo', 50, 50),
-  ]),
-
-  (100, [
-    _PartUploadMetadata('foo', 0, 100),
-  ]),
-])
+@pytest.mark.parametrize(
+    "max_size, parts",
+    [
+        (50, [_PartUploadMetadata("foo", 0, 50), _PartUploadMetadata("foo", 50, 50)]),
+        (
+            40,
+            [
+                _PartUploadMetadata("foo", 0, 25),
+                _PartUploadMetadata("foo", 25, 25),
+                _PartUploadMetadata("foo", 50, 25),
+                _PartUploadMetadata("foo", 75, 25),
+            ],
+        ),
+        (51, [_PartUploadMetadata("foo", 0, 50), _PartUploadMetadata("foo", 50, 50)]),
+        (
+            49,
+            [
+                _PartUploadMetadata("foo", 0, 25),
+                _PartUploadMetadata("foo", 25, 25),
+                _PartUploadMetadata("foo", 50, 25),
+                _PartUploadMetadata("foo", 75, 25),
+            ],
+        ),
+        (99, [_PartUploadMetadata("foo", 0, 50), _PartUploadMetadata("foo", 50, 50)]),
+        (100, [_PartUploadMetadata("foo", 0, 100)]),
+    ],
+)
 def test_rechunked(max_size, parts):
-  chunk = _PartUploadMetadata('foo', 0, 100)
-  rechunked = list(_CloudStorage._rechunk(chunk, max_size))
-  assert len(rechunked) == len(parts)
-  for index, chunk in enumerate(rechunked):
-    assert chunk == parts[index]
+    chunk = _PartUploadMetadata("foo", 0, 100)
+    rechunked = list(_CloudStorage._rechunk(chunk, max_size))
+    assert len(rechunked) == len(parts)
+    for index, chunk in enumerate(rechunked):
+        assert chunk == parts[index]
diff --git a/storage/test/test_cloudfront.py b/storage/test/test_cloudfront.py
index face652dc..560ff043a 100644
--- a/storage/test/test_cloudfront.py
+++ b/storage/test/test_cloudfront.py
@@ -8,73 +8,114 @@ import boto
 from app import config_provider
 from storage import CloudFrontedS3Storage, StorageContext
 from util.ipresolver import IPResolver
-from util.ipresolver.test.test_ipresolver import test_aws_ip, aws_ip_range_data, test_ip_range_cache
+from util.ipresolver.test.test_ipresolver import (
+    test_aws_ip,
+    aws_ip_range_data,
+    test_ip_range_cache,
+)
 from test.fixtures import *
 
 _TEST_CONTENT = os.urandom(1024)
-_TEST_BUCKET = 'some_bucket'
-_TEST_USER = 'someuser'
-_TEST_PASSWORD = 'somepassword'
-_TEST_PATH = 'some/cool/path'
+_TEST_BUCKET = "some_bucket"
+_TEST_USER = "someuser"
+_TEST_PASSWORD = "somepassword"
+_TEST_PATH = "some/cool/path"
+
 
 @pytest.fixture(params=[True, False])
 def ipranges_populated(request):
-  return request.param
+    return request.param
+
 
 @pytest.fixture()
 def test_empty_ip_range_cache(empty_range_data):
-  sync_token = empty_range_data['syncToken']
-  all_amazon = IPResolver._parse_amazon_ranges(empty_range_data)
-  fake_cache = {
-    'sync_token': sync_token,
-  }
-  return fake_cache
+    sync_token = empty_range_data["syncToken"]
+    all_amazon = IPResolver._parse_amazon_ranges(empty_range_data)
+    fake_cache = {"sync_token": sync_token}
+    return fake_cache
+
 
 @pytest.fixture()
 def empty_range_data():
-  empty_range_data = {
-    'syncToken': 123456789,
-    'prefixes': [],
-  }
-  return empty_range_data
+    empty_range_data = {"syncToken": 123456789, "prefixes": []}
+    return empty_range_data
+
 
 @mock_s3
-def test_direct_download(test_aws_ip, test_empty_ip_range_cache, test_ip_range_cache, aws_ip_range_data, ipranges_populated, app):
-  ipresolver = IPResolver(app)
-  if ipranges_populated:
-    ipresolver.sync_token = test_ip_range_cache['sync_token'] if ipranges_populated else test_empty_ip_range_cache['sync_token']
-    ipresolver.amazon_ranges = test_ip_range_cache['all_amazon'] if ipranges_populated else test_empty_ip_range_cache['all_amazon']
-    context = StorageContext('nyc', None, None, config_provider, ipresolver)
+def test_direct_download(
+    test_aws_ip,
+    test_empty_ip_range_cache,
+    test_ip_range_cache,
+    aws_ip_range_data,
+    ipranges_populated,
+    app,
+):
+    ipresolver = IPResolver(app)
+    if ipranges_populated:
+        ipresolver.sync_token = (
+            test_ip_range_cache["sync_token"]
+            if ipranges_populated
+            else test_empty_ip_range_cache["sync_token"]
+        )
+        ipresolver.amazon_ranges = (
+            test_ip_range_cache["all_amazon"]
+            if ipranges_populated
+            else test_empty_ip_range_cache["all_amazon"]
+        )
+        context = StorageContext("nyc", None, None, config_provider, ipresolver)
+
+        # Create a test bucket and put some test content.
+        boto.connect_s3().create_bucket(_TEST_BUCKET)
+
+        engine = CloudFrontedS3Storage(
+            context,
+            "cloudfrontdomain",
+            "keyid",
+            "test/data/test.pem",
+            "some/path",
+            _TEST_BUCKET,
+            _TEST_USER,
+            _TEST_PASSWORD,
+        )
+        engine.put_content(_TEST_PATH, _TEST_CONTENT)
+        assert engine.exists(_TEST_PATH)
+
+        # Request a direct download URL for a request from a known AWS IP, and ensure we are returned an S3 URL.
+        assert "s3.amazonaws.com" in engine.get_direct_download_url(
+            _TEST_PATH, test_aws_ip
+        )
+
+        if ipranges_populated:
+            # Request a direct download URL for a request from a non-AWS IP, and ensure we are returned a CloudFront URL.
+            assert "cloudfrontdomain" in engine.get_direct_download_url(
+                _TEST_PATH, "1.2.3.4"
+            )
+        else:
+            # Request a direct download URL for a request from a non-AWS IP, but since IP Ranges isn't populated, we still
+            # get back an S3 URL.
+            assert "s3.amazonaws.com" in engine.get_direct_download_url(
+                _TEST_PATH, "1.2.3.4"
+            )
+
+
+@mock_s3
+def test_direct_download_no_ip(test_aws_ip, aws_ip_range_data, ipranges_populated, app):
+    ipresolver = IPResolver(app)
+    context = StorageContext("nyc", None, None, config_provider, ipresolver)
 
     # Create a test bucket and put some test content.
     boto.connect_s3().create_bucket(_TEST_BUCKET)
 
-    engine = CloudFrontedS3Storage(context, 'cloudfrontdomain', 'keyid', 'test/data/test.pem', 'some/path',
-                                  _TEST_BUCKET, _TEST_USER, _TEST_PASSWORD)
+    engine = CloudFrontedS3Storage(
+        context,
+        "cloudfrontdomain",
+        "keyid",
+        "test/data/test.pem",
+        "some/path",
+        _TEST_BUCKET,
+        _TEST_USER,
+        _TEST_PASSWORD,
+    )
     engine.put_content(_TEST_PATH, _TEST_CONTENT)
     assert engine.exists(_TEST_PATH)
-
-    # Request a direct download URL for a request from a known AWS IP, and ensure we are returned an S3 URL.
-    assert 's3.amazonaws.com' in engine.get_direct_download_url(_TEST_PATH, test_aws_ip)
-
-    if ipranges_populated:
-      # Request a direct download URL for a request from a non-AWS IP, and ensure we are returned a CloudFront URL.
-      assert 'cloudfrontdomain' in engine.get_direct_download_url(_TEST_PATH, '1.2.3.4')
-    else:
-      # Request a direct download URL for a request from a non-AWS IP, but since IP Ranges isn't populated, we still
-      # get back an S3 URL.
-      assert 's3.amazonaws.com' in engine.get_direct_download_url(_TEST_PATH, '1.2.3.4')
-
-@mock_s3
-def test_direct_download_no_ip(test_aws_ip, aws_ip_range_data, ipranges_populated, app):
-  ipresolver = IPResolver(app)
-  context = StorageContext('nyc', None, None, config_provider, ipresolver)
-
-  # Create a test bucket and put some test content.
-  boto.connect_s3().create_bucket(_TEST_BUCKET)
-
-  engine = CloudFrontedS3Storage(context, 'cloudfrontdomain', 'keyid', 'test/data/test.pem', 'some/path',
-                                _TEST_BUCKET, _TEST_USER, _TEST_PASSWORD)
-  engine.put_content(_TEST_PATH, _TEST_CONTENT)
-  assert engine.exists(_TEST_PATH)
-  assert 's3.amazonaws.com' in engine.get_direct_download_url(_TEST_PATH)
+    assert "s3.amazonaws.com" in engine.get_direct_download_url(_TEST_PATH)
diff --git a/storage/test/test_storageproxy.py b/storage/test/test_storageproxy.py
index 2bda31224..e4de6d189 100644
--- a/storage/test/test_storageproxy.py
+++ b/storage/test/test_storageproxy.py
@@ -15,81 +15,84 @@ from test.fixtures import *
 
 @pytest.fixture(params=[True, False])
 def is_proxying_enabled(request):
-  return request.param
+    return request.param
 
 
 @pytest.fixture()
 def server_executor(app):
-  def reload_app(server_hostname):
-    # Close any existing connection.
-    close_db_filter(None)
+    def reload_app(server_hostname):
+        # Close any existing connection.
+        close_db_filter(None)
 
-    # Reload the database config.
-    app.config['SERVER_HOSTNAME'] = server_hostname[len('http://'):]
-    configure(app.config)
-    return 'OK'
+        # Reload the database config.
+        app.config["SERVER_HOSTNAME"] = server_hostname[len("http://") :]
+        configure(app.config)
+        return "OK"
 
-  executor = LiveServerExecutor()
-  executor.register('reload_app', reload_app)
-  return executor
+    executor = LiveServerExecutor()
+    executor.register("reload_app", reload_app)
+    return executor
 
 
 @pytest.fixture()
 def liveserver_app(app, server_executor, init_db_path, is_proxying_enabled):
-  server_executor.apply_blueprint_to_app(app)
+    server_executor.apply_blueprint_to_app(app)
 
-  if os.environ.get('DEBUG') == 'true':
-    app.config['DEBUG'] = True
+    if os.environ.get("DEBUG") == "true":
+        app.config["DEBUG"] = True
 
-  app.config['TESTING'] = True
-  app.config['INSTANCE_SERVICE_KEY_KID_LOCATION'] = 'test/data/test.kid'
-  app.config['INSTANCE_SERVICE_KEY_LOCATION'] = 'test/data/test.pem'
-  app.config['INSTANCE_SERVICE_KEY_SERVICE'] = 'quay'
+    app.config["TESTING"] = True
+    app.config["INSTANCE_SERVICE_KEY_KID_LOCATION"] = "test/data/test.kid"
+    app.config["INSTANCE_SERVICE_KEY_LOCATION"] = "test/data/test.pem"
+    app.config["INSTANCE_SERVICE_KEY_SERVICE"] = "quay"
 
-  app.config['FEATURE_PROXY_STORAGE'] = is_proxying_enabled
+    app.config["FEATURE_PROXY_STORAGE"] = is_proxying_enabled
 
-  app.config['DISTRIBUTED_STORAGE_CONFIG'] = {
-    'test': ['FakeStorage', {}],
-  }
-  app.config['DISTRIBUTED_STORAGE_PREFERENCE'] = ['test']
-  return app
+    app.config["DISTRIBUTED_STORAGE_CONFIG"] = {"test": ["FakeStorage", {}]}
+    app.config["DISTRIBUTED_STORAGE_PREFERENCE"] = ["test"]
+    return app
 
 
 @pytest.fixture()
 def instance_keys(liveserver_app):
-  return InstanceKeys(liveserver_app)
+    return InstanceKeys(liveserver_app)
 
 
 @pytest.fixture()
 def storage(liveserver_app, instance_keys):
-  return Storage(liveserver_app, instance_keys=instance_keys)
+    return Storage(liveserver_app, instance_keys=instance_keys)
 
 
 @pytest.fixture()
 def app_reloader(liveserver, server_executor):
-  server_executor.on(liveserver).reload_app(liveserver.url)
-  yield
+    server_executor.on(liveserver).reload_app(liveserver.url)
+    yield
 
 
-@pytest.mark.skipif(os.environ.get('TEST_DATABASE_URI') is not None,
-                    reason="not supported for non SQLite testing")
-def test_storage_proxy_auth(storage, liveserver_app, liveserver_session, is_proxying_enabled,
-                            app_reloader):
-  # Activate direct download on the fake storage.
-  storage.put_content(['test'], 'supports_direct_download', 'true')
+@pytest.mark.skipif(
+    os.environ.get("TEST_DATABASE_URI") is not None,
+    reason="not supported for non SQLite testing",
+)
+def test_storage_proxy_auth(
+    storage, liveserver_app, liveserver_session, is_proxying_enabled, app_reloader
+):
+    # Activate direct download on the fake storage.
+    storage.put_content(["test"], "supports_direct_download", "true")
 
-  # Get the unwrapped URL.
-  direct_download_url = storage.get_direct_download_url(['test'], 'somepath')
-  proxy_index = direct_download_url.find('/_storage_proxy/')
-  if is_proxying_enabled:
-    assert proxy_index >= 0
-  else:
-    assert proxy_index == -1
+    # Get the unwrapped URL.
+    direct_download_url = storage.get_direct_download_url(["test"], "somepath")
+    proxy_index = direct_download_url.find("/_storage_proxy/")
+    if is_proxying_enabled:
+        assert proxy_index >= 0
+    else:
+        assert proxy_index == -1
 
-  # Ensure that auth returns the expected value.
-  headers = {
-    'X-Original-URI': direct_download_url[proxy_index:] if proxy_index else 'someurihere'
-  }
+    # Ensure that auth returns the expected value.
+    headers = {
+        "X-Original-URI": direct_download_url[proxy_index:]
+        if proxy_index
+        else "someurihere"
+    }
 
-  resp = liveserver_session.get('_storage_proxy_auth', headers=headers)
-  assert resp.status_code == (500 if not is_proxying_enabled else 200)
+    resp = liveserver_session.get("_storage_proxy_auth", headers=headers)
+    assert resp.status_code == (500 if not is_proxying_enabled else 200)
diff --git a/storage/test/test_swift.py b/storage/test/test_swift.py
index 8e0d3a77a..b8919ef06 100644
--- a/storage/test/test_swift.py
+++ b/storage/test/test_swift.py
@@ -11,317 +11,329 @@ from storage.swift import SwiftStorage, _EMPTY_SEGMENTS_KEY
 from swiftclient.client import ClientException
 
 base_args = {
-  'context': StorageContext('nyc', None, None, None, None),
-  'swift_container': 'container-name',
-  'storage_path': '/basepath',
-  'auth_url': 'https://auth.com',
-  'swift_user': 'root',
-  'swift_password': 'password',
+    "context": StorageContext("nyc", None, None, None, None),
+    "swift_container": "container-name",
+    "storage_path": "/basepath",
+    "auth_url": "https://auth.com",
+    "swift_user": "root",
+    "swift_password": "password",
 }
 
-class MockSwiftStorage(SwiftStorage):
-  def __init__(self, *args, **kwargs):
-    super(MockSwiftStorage, self).__init__(*args, **kwargs)
-    self._connection = MagicMock()
 
-  def _get_connection(self):
-    return self._connection
+class MockSwiftStorage(SwiftStorage):
+    def __init__(self, *args, **kwargs):
+        super(MockSwiftStorage, self).__init__(*args, **kwargs)
+        self._connection = MagicMock()
+
+    def _get_connection(self):
+        return self._connection
+
 
 class FakeSwiftStorage(SwiftStorage):
-  def __init__(self, fail_checksum=False,connection=None, *args, **kwargs):
-    super(FakeSwiftStorage, self).__init__(*args, **kwargs)
-    self._connection = connection or FakeSwift(fail_checksum=fail_checksum,
-                                               temp_url_key=kwargs.get('temp_url_key'))
+    def __init__(self, fail_checksum=False, connection=None, *args, **kwargs):
+        super(FakeSwiftStorage, self).__init__(*args, **kwargs)
+        self._connection = connection or FakeSwift(
+            fail_checksum=fail_checksum, temp_url_key=kwargs.get("temp_url_key")
+        )
 
-  def _get_connection(self):
-    return self._connection
+    def _get_connection(self):
+        return self._connection
 
 
 class FakeSwift(object):
-  def __init__(self, fail_checksum=False, temp_url_key=None):
-    self.containers = defaultdict(dict)
-    self.fail_checksum = fail_checksum
-    self.temp_url_key = temp_url_key
+    def __init__(self, fail_checksum=False, temp_url_key=None):
+        self.containers = defaultdict(dict)
+        self.fail_checksum = fail_checksum
+        self.temp_url_key = temp_url_key
 
-  def get_auth(self):
-    if self.temp_url_key == 'exception':
-      raise ClientException('I failed!')
-      
-    return 'http://fake/swift', None
+    def get_auth(self):
+        if self.temp_url_key == "exception":
+            raise ClientException("I failed!")
 
-  def head_object(self, container, path):
-    return self.containers.get(container, {}).get(path, {}).get('headers', None)
+        return "http://fake/swift", None
 
-  def copy_object(self, container, path, target):
-    pieces = target.split('/', 2)
-    _, content = self.get_object(container, path)
-    self.put_object(pieces[1], pieces[2], content)
+    def head_object(self, container, path):
+        return self.containers.get(container, {}).get(path, {}).get("headers", None)
 
-  def get_container(self, container, prefix=None, full_listing=None):
-    container_entries = self.containers[container]
-    objs = []
-    for path, data in list(container_entries.iteritems()):
-      if not prefix or path.startswith(prefix):
-        objs.append({
-          'name': path,
-          'bytes': len(data['content']),
-        })
-    return {}, objs
+    def copy_object(self, container, path, target):
+        pieces = target.split("/", 2)
+        _, content = self.get_object(container, path)
+        self.put_object(pieces[1], pieces[2], content)
 
-  def put_object(self, container, path, content, chunk_size=None, content_type=None, headers=None):
-    if not isinstance(content, str):
-      if hasattr(content, 'read'):
-        content = content.read()
-      else:
-        content = ''.join(content)
+    def get_container(self, container, prefix=None, full_listing=None):
+        container_entries = self.containers[container]
+        objs = []
+        for path, data in list(container_entries.iteritems()):
+            if not prefix or path.startswith(prefix):
+                objs.append({"name": path, "bytes": len(data["content"])})
+        return {}, objs
 
-    self.containers[container][path] = {
-      'content': content,
-      'chunk_size': chunk_size,
-      'content_type': content_type,
-      'headers': headers or {'is': True},
-    }
+    def put_object(
+        self, container, path, content, chunk_size=None, content_type=None, headers=None
+    ):
+        if not isinstance(content, str):
+            if hasattr(content, "read"):
+                content = content.read()
+            else:
+                content = "".join(content)
 
-    digest = hashlib.md5()
-    digest.update(content)
-    return digest.hexdigest() if not self.fail_checksum else 'invalid'
+        self.containers[container][path] = {
+            "content": content,
+            "chunk_size": chunk_size,
+            "content_type": content_type,
+            "headers": headers or {"is": True},
+        }
 
-  def get_object(self, container, path, resp_chunk_size=None):
-    data = self.containers[container].get(path, {})
-    if 'X-Object-Manifest' in data['headers']:
-      new_contents = []
-      prefix = data['headers']['X-Object-Manifest']
-      for key, value in self.containers[container].iteritems():
-        if ('container-name/' + key).startswith(prefix):
-          new_contents.append((key, value['content']))
+        digest = hashlib.md5()
+        digest.update(content)
+        return digest.hexdigest() if not self.fail_checksum else "invalid"
 
-      new_contents.sort(key=lambda value: value[0])
+    def get_object(self, container, path, resp_chunk_size=None):
+        data = self.containers[container].get(path, {})
+        if "X-Object-Manifest" in data["headers"]:
+            new_contents = []
+            prefix = data["headers"]["X-Object-Manifest"]
+            for key, value in self.containers[container].iteritems():
+                if ("container-name/" + key).startswith(prefix):
+                    new_contents.append((key, value["content"]))
 
-      data = dict(data)
-      data['content'] = ''.join([nc[1] for nc in new_contents])
-      return bool(data), data.get('content')
+            new_contents.sort(key=lambda value: value[0])
 
-    return bool(data), data.get('content')
+            data = dict(data)
+            data["content"] = "".join([nc[1] for nc in new_contents])
+            return bool(data), data.get("content")
 
-  def delete_object(self, container, path):
-    self.containers[container].pop(path, None)
+        return bool(data), data.get("content")
+
+    def delete_object(self, container, path):
+        self.containers[container].pop(path, None)
 
 
 class FakeQueue(object):
-  def __init__(self):
-    self.items = []
+    def __init__(self):
+        self.items = []
 
-  def get(self):
-    if not self.items:
-      return None
+    def get(self):
+        if not self.items:
+            return None
 
-    return self.items.pop()
+        return self.items.pop()
+
+    def put(self, names, item, available_after=0):
+        self.items.append(
+            {"names": names, "item": item, "available_after": available_after}
+        )
 
-  def put(self, names, item, available_after=0):
-    self.items.append({
-      'names': names,
-      'item': item,
-      'available_after': available_after,
-    })
 
 def test_fixed_path_concat():
-  swift = MockSwiftStorage(**base_args)
-  swift.exists('object/path')
-  swift._get_connection().head_object.assert_called_with('container-name', 'basepath/object/path')
+    swift = MockSwiftStorage(**base_args)
+    swift.exists("object/path")
+    swift._get_connection().head_object.assert_called_with(
+        "container-name", "basepath/object/path"
+    )
+
 
 def test_simple_path_concat():
-  simple_concat_args = dict(base_args)
-  simple_concat_args['simple_path_concat'] = True
-  swift = MockSwiftStorage(**simple_concat_args)
-  swift.exists('object/path')
-  swift._get_connection().head_object.assert_called_with('container-name', 'basepathobject/path')
+    simple_concat_args = dict(base_args)
+    simple_concat_args["simple_path_concat"] = True
+    swift = MockSwiftStorage(**simple_concat_args)
+    swift.exists("object/path")
+    swift._get_connection().head_object.assert_called_with(
+        "container-name", "basepathobject/path"
+    )
+
 
 def test_delete_unknown_path():
-  swift = SwiftStorage(**base_args)
-  with pytest.raises(IOError):
-    swift.remove('someunknownpath')
+    swift = SwiftStorage(**base_args)
+    with pytest.raises(IOError):
+        swift.remove("someunknownpath")
+
 
 def test_simple_put_get():
-  swift = FakeSwiftStorage(**base_args)
-  assert not swift.exists('somepath')
+    swift = FakeSwiftStorage(**base_args)
+    assert not swift.exists("somepath")
+
+    swift.put_content("somepath", "hello world!")
+    assert swift.exists("somepath")
+    assert swift.get_content("somepath") == "hello world!"
 
-  swift.put_content('somepath', 'hello world!')
-  assert swift.exists('somepath')
-  assert swift.get_content('somepath') == 'hello world!'
 
 def test_stream_read_write():
-  swift = FakeSwiftStorage(**base_args)
-  assert not swift.exists('somepath')
+    swift = FakeSwiftStorage(**base_args)
+    assert not swift.exists("somepath")
+
+    swift.stream_write("somepath", io.BytesIO("some content here"))
+    assert swift.exists("somepath")
+    assert swift.get_content("somepath") == "some content here"
+    assert "".join(list(swift.stream_read("somepath"))) == "some content here"
 
-  swift.stream_write('somepath', io.BytesIO('some content here'))
-  assert swift.exists('somepath')
-  assert swift.get_content('somepath') == 'some content here'
-  assert ''.join(list(swift.stream_read('somepath'))) == 'some content here'
 
 def test_stream_read_write_invalid_checksum():
-  swift = FakeSwiftStorage(fail_checksum=True, **base_args)
-  assert not swift.exists('somepath')
+    swift = FakeSwiftStorage(fail_checksum=True, **base_args)
+    assert not swift.exists("somepath")
+
+    with pytest.raises(IOError):
+        swift.stream_write("somepath", io.BytesIO("some content here"))
 
-  with pytest.raises(IOError):
-    swift.stream_write('somepath', io.BytesIO('some content here'))
 
 def test_remove():
-  swift = FakeSwiftStorage(**base_args)
-  assert not swift.exists('somepath')
+    swift = FakeSwiftStorage(**base_args)
+    assert not swift.exists("somepath")
 
-  swift.put_content('somepath', 'hello world!')
-  assert swift.exists('somepath')
+    swift.put_content("somepath", "hello world!")
+    assert swift.exists("somepath")
+
+    swift.remove("somepath")
+    assert not swift.exists("somepath")
 
-  swift.remove('somepath')
-  assert not swift.exists('somepath')
 
 def test_copy_to():
-  swift = FakeSwiftStorage(**base_args)
+    swift = FakeSwiftStorage(**base_args)
 
-  modified_args = copy.deepcopy(base_args)
-  modified_args['swift_container'] = 'another_container'
+    modified_args = copy.deepcopy(base_args)
+    modified_args["swift_container"] = "another_container"
 
-  another_swift = FakeSwiftStorage(connection=swift._connection, **modified_args)
+    another_swift = FakeSwiftStorage(connection=swift._connection, **modified_args)
 
-  swift.put_content('somepath', 'some content here')
-  swift.copy_to(another_swift, 'somepath')
+    swift.put_content("somepath", "some content here")
+    swift.copy_to(another_swift, "somepath")
 
-  assert swift.exists('somepath')
-  assert another_swift.exists('somepath')
+    assert swift.exists("somepath")
+    assert another_swift.exists("somepath")
+
+    assert swift.get_content("somepath") == "some content here"
+    assert another_swift.get_content("somepath") == "some content here"
 
-  assert swift.get_content('somepath') == 'some content here'
-  assert another_swift.get_content('somepath') == 'some content here'
 
 def test_copy_to_different():
-  swift = FakeSwiftStorage(**base_args)
+    swift = FakeSwiftStorage(**base_args)
 
-  modified_args = copy.deepcopy(base_args)
-  modified_args['swift_user'] = 'foobarbaz'
-  modified_args['swift_container'] = 'another_container'
+    modified_args = copy.deepcopy(base_args)
+    modified_args["swift_user"] = "foobarbaz"
+    modified_args["swift_container"] = "another_container"
 
-  another_swift = FakeSwiftStorage(**modified_args)
+    another_swift = FakeSwiftStorage(**modified_args)
 
-  swift.put_content('somepath', 'some content here')
-  swift.copy_to(another_swift, 'somepath')
+    swift.put_content("somepath", "some content here")
+    swift.copy_to(another_swift, "somepath")
 
-  assert swift.exists('somepath')
-  assert another_swift.exists('somepath')
+    assert swift.exists("somepath")
+    assert another_swift.exists("somepath")
+
+    assert swift.get_content("somepath") == "some content here"
+    assert another_swift.get_content("somepath") == "some content here"
 
-  assert swift.get_content('somepath') == 'some content here'
-  assert another_swift.get_content('somepath') == 'some content here'
 
 def test_checksum():
-  swift = FakeSwiftStorage(**base_args)
-  swift.put_content('somepath', 'hello world!')
-  assert swift.get_checksum('somepath') is not None
+    swift = FakeSwiftStorage(**base_args)
+    swift.put_content("somepath", "hello world!")
+    assert swift.get_checksum("somepath") is not None
 
-@pytest.mark.parametrize('read_until_end', [
-  (True,),
-  (False,),
-])
-@pytest.mark.parametrize('max_chunk_size', [
-  (10000000),
-  (10),
-  (5),
-  (2),
-  (1),
-])
-@pytest.mark.parametrize('chunks', [
-  (['this', 'is', 'some', 'chunked', 'data', '']),
-  (['this is a very large chunk of data', '']),
-  (['h', 'e', 'l', 'l', 'o', '']),
-])
+
+@pytest.mark.parametrize("read_until_end", [(True,), (False,)])
+@pytest.mark.parametrize("max_chunk_size", [(10000000), (10), (5), (2), (1)])
+@pytest.mark.parametrize(
+    "chunks",
+    [
+        (["this", "is", "some", "chunked", "data", ""]),
+        (["this is a very large chunk of data", ""]),
+        (["h", "e", "l", "l", "o", ""]),
+    ],
+)
 def test_chunked_upload(chunks, max_chunk_size, read_until_end):
-  swift = FakeSwiftStorage(**base_args)
-  uuid, metadata = swift.initiate_chunked_upload()
+    swift = FakeSwiftStorage(**base_args)
+    uuid, metadata = swift.initiate_chunked_upload()
 
-  offset = 0
+    offset = 0
 
-  with patch('storage.swift._MAXIMUM_SEGMENT_SIZE', max_chunk_size):
-    for chunk in chunks:
-      chunk_length = len(chunk) if not read_until_end else -1
-      bytes_written, metadata, error = swift.stream_upload_chunk(uuid, offset, chunk_length,
-                                                                 io.BytesIO(chunk), metadata)
-      assert error is None
-      assert len(chunk) == bytes_written
-      offset += len(chunk)
+    with patch("storage.swift._MAXIMUM_SEGMENT_SIZE", max_chunk_size):
+        for chunk in chunks:
+            chunk_length = len(chunk) if not read_until_end else -1
+            bytes_written, metadata, error = swift.stream_upload_chunk(
+                uuid, offset, chunk_length, io.BytesIO(chunk), metadata
+            )
+            assert error is None
+            assert len(chunk) == bytes_written
+            offset += len(chunk)
 
-    swift.complete_chunked_upload(uuid, 'somepath', metadata)
-    assert swift.get_content('somepath') == ''.join(chunks)
+        swift.complete_chunked_upload(uuid, "somepath", metadata)
+        assert swift.get_content("somepath") == "".join(chunks)
 
-    # Ensure each of the segments exist.
-    for segment in metadata['segments']:
-      assert swift.exists(segment.path)
+        # Ensure each of the segments exist.
+        for segment in metadata["segments"]:
+            assert swift.exists(segment.path)
 
-    # Delete the file and ensure all of its segments were removed.
-    swift.remove('somepath')
-    assert not swift.exists('somepath')
+        # Delete the file and ensure all of its segments were removed.
+        swift.remove("somepath")
+        assert not swift.exists("somepath")
 
-    for segment in metadata['segments']:
-      assert not swift.exists(segment.path)
+        for segment in metadata["segments"]:
+            assert not swift.exists(segment.path)
 
 
 def test_cancel_chunked_upload():
-  chunk_cleanup_queue = FakeQueue()
+    chunk_cleanup_queue = FakeQueue()
 
-  args = dict(base_args)
-  args['context'] = StorageContext('nyc', None, chunk_cleanup_queue, None, None)
+    args = dict(base_args)
+    args["context"] = StorageContext("nyc", None, chunk_cleanup_queue, None, None)
 
-  swift = FakeSwiftStorage(**args)
-  uuid, metadata = swift.initiate_chunked_upload()
+    swift = FakeSwiftStorage(**args)
+    uuid, metadata = swift.initiate_chunked_upload()
 
-  chunks = ['this', 'is', 'some', 'chunked', 'data', '']
-  offset = 0
-  for chunk in chunks:
-    bytes_written, metadata, error = swift.stream_upload_chunk(uuid, offset, len(chunk),
-                                                               io.BytesIO(chunk), metadata)
-    assert error is None
-    assert len(chunk) == bytes_written
-    offset += len(chunk)
+    chunks = ["this", "is", "some", "chunked", "data", ""]
+    offset = 0
+    for chunk in chunks:
+        bytes_written, metadata, error = swift.stream_upload_chunk(
+            uuid, offset, len(chunk), io.BytesIO(chunk), metadata
+        )
+        assert error is None
+        assert len(chunk) == bytes_written
+        offset += len(chunk)
 
-  swift.cancel_chunked_upload(uuid, metadata)
+    swift.cancel_chunked_upload(uuid, metadata)
 
-  found = chunk_cleanup_queue.get()
-  assert found is not None
+    found = chunk_cleanup_queue.get()
+    assert found is not None
 
 
 def test_empty_chunks_queued_for_deletion():
-  chunk_cleanup_queue = FakeQueue()
-  args = dict(base_args)
-  args['context'] = StorageContext('nyc', None, chunk_cleanup_queue, None, None)
+    chunk_cleanup_queue = FakeQueue()
+    args = dict(base_args)
+    args["context"] = StorageContext("nyc", None, chunk_cleanup_queue, None, None)
 
-  swift = FakeSwiftStorage(**args)
-  uuid, metadata = swift.initiate_chunked_upload()
+    swift = FakeSwiftStorage(**args)
+    uuid, metadata = swift.initiate_chunked_upload()
 
-  chunks = ['this', '', 'is', 'some', '', 'chunked', 'data', '']
-  offset = 0
-  for chunk in chunks:
-    length = len(chunk)
-    if length == 0:
-      length = 1
+    chunks = ["this", "", "is", "some", "", "chunked", "data", ""]
+    offset = 0
+    for chunk in chunks:
+        length = len(chunk)
+        if length == 0:
+            length = 1
 
-    bytes_written, metadata, error = swift.stream_upload_chunk(uuid, offset, length,
-                                                               io.BytesIO(chunk), metadata)
-    assert error is None
-    assert len(chunk) == bytes_written
-    offset += len(chunk)
+        bytes_written, metadata, error = swift.stream_upload_chunk(
+            uuid, offset, length, io.BytesIO(chunk), metadata
+        )
+        assert error is None
+        assert len(chunk) == bytes_written
+        offset += len(chunk)
 
-  swift.complete_chunked_upload(uuid, 'somepath', metadata)
-  assert ''.join(chunks) == swift.get_content('somepath')
+    swift.complete_chunked_upload(uuid, "somepath", metadata)
+    assert "".join(chunks) == swift.get_content("somepath")
 
-  # Check the chunk deletion queue and ensure we have the last chunk queued.
-  found = chunk_cleanup_queue.get()
-  assert found is not None
+    # Check the chunk deletion queue and ensure we have the last chunk queued.
+    found = chunk_cleanup_queue.get()
+    assert found is not None
 
-  found2 = chunk_cleanup_queue.get()
-  assert found2 is None
+    found2 = chunk_cleanup_queue.get()
+    assert found2 is None
 
-@pytest.mark.parametrize('temp_url_key, expects_url', [
-  (None, False),
-  ('foobarbaz', True),
-  ('exception', False),
-])
+
+@pytest.mark.parametrize(
+    "temp_url_key, expects_url",
+    [(None, False), ("foobarbaz", True), ("exception", False)],
+)
 def test_get_direct_download_url(temp_url_key, expects_url):
-  swift = FakeSwiftStorage(temp_url_key=temp_url_key, **base_args)
-  swift.put_content('somepath', 'hello world!')
-  assert (swift.get_direct_download_url('somepath') is not None) == expects_url
+    swift = FakeSwiftStorage(temp_url_key=temp_url_key, **base_args)
+    swift.put_content("somepath", "hello world!")
+    assert (swift.get_direct_download_url("somepath") is not None) == expects_url
diff --git a/test/analytics.py b/test/analytics.py
index 0114dd9f4..8817a0a56 100644
--- a/test/analytics.py
+++ b/test/analytics.py
@@ -1,6 +1,7 @@
 class FakeMixpanel(object):
-  def track(*args, **kwargs):
-    pass
+    def track(*args, **kwargs):
+        pass
+
 
 def init_app(app):
-  return FakeMixpanel()
+    return FakeMixpanel()
diff --git a/test/clients/client.py b/test/clients/client.py
index 62112b062..20eabc5bd 100644
--- a/test/clients/client.py
+++ b/test/clients/client.py
@@ -2,130 +2,149 @@ from abc import ABCMeta, abstractmethod
 from collections import namedtuple
 from six import add_metaclass
 
-Command = namedtuple('Command', ['command'])
+Command = namedtuple("Command", ["command"])
 
 # NOTE: FileCopy is done via `scp`, instead of `ssh` which is how Command is run.
-FileCopy = namedtuple('FileCopy', ['source', 'destination'])
+FileCopy = namedtuple("FileCopy", ["source", "destination"])
 
 
 @add_metaclass(ABCMeta)
 class Client(object):
-  """ Client defines the interface for all clients being tested. """
+    """ Client defines the interface for all clients being tested. """
 
-  @abstractmethod
-  def setup_client(self, registry_host, verify_tls):
-    """ Returns the commands necessary to setup the client inside the VM.
+    @abstractmethod
+    def setup_client(self, registry_host, verify_tls):
+        """ Returns the commands necessary to setup the client inside the VM.
     """
 
-  @abstractmethod
-  def populate_test_image(self, registry_host, namespace, name):
-    """ Returns the commands necessary to populate the test image. """
+    @abstractmethod
+    def populate_test_image(self, registry_host, namespace, name):
+        """ Returns the commands necessary to populate the test image. """
 
-  @abstractmethod
-  def print_version(self):
-    """ Returns the commands necessary to print the version of the client. """
+    @abstractmethod
+    def print_version(self):
+        """ Returns the commands necessary to print the version of the client. """
 
-  @abstractmethod
-  def login(self, registry_host, username, password):
-    """ Returns the commands necessary to login. """
+    @abstractmethod
+    def login(self, registry_host, username, password):
+        """ Returns the commands necessary to login. """
 
-  @abstractmethod
-  def push(self, registry_host, namespace, name):
-    """ Returns the commands necessary to test pushing. """
+    @abstractmethod
+    def push(self, registry_host, namespace, name):
+        """ Returns the commands necessary to test pushing. """
 
-  @abstractmethod
-  def pre_pull_cleanup(self, registry_host, namespace, name):
-    """ Returns the commands necessary to cleanup before pulling. """
+    @abstractmethod
+    def pre_pull_cleanup(self, registry_host, namespace, name):
+        """ Returns the commands necessary to cleanup before pulling. """
 
-  @abstractmethod
-  def pull(self, registry_host, namespace, name):
-    """ Returns the commands necessary to test pulling. """
+    @abstractmethod
+    def pull(self, registry_host, namespace, name):
+        """ Returns the commands necessary to test pulling. """
 
-  @abstractmethod
-  def verify(self, registry_host, namespace, name):
-    """ Returns the commands necessary to verify the pulled image. """
+    @abstractmethod
+    def verify(self, registry_host, namespace, name):
+        """ Returns the commands necessary to verify the pulled image. """
 
 
 class DockerClient(Client):
-  def __init__(self, requires_v1=False, requires_email=False):
-    self.requires_v1 = requires_v1
-    self.requires_email = requires_email
+    def __init__(self, requires_v1=False, requires_email=False):
+        self.requires_v1 = requires_v1
+        self.requires_email = requires_email
 
-  def setup_client(self, registry_host, verify_tls):
-    if not verify_tls:
-      cp_command = ('sudo cp /home/core/50-insecure-registry.conf ' +
-                    '/etc/systemd/system/docker.service.d/50-insecure-registry.conf')
+    def setup_client(self, registry_host, verify_tls):
+        if not verify_tls:
+            cp_command = (
+                "sudo cp /home/core/50-insecure-registry.conf "
+                + "/etc/systemd/system/docker.service.d/50-insecure-registry.conf"
+            )
 
-      yield Command('sudo mkdir -p /etc/systemd/system/docker.service.d/')
-      yield FileCopy('50-insecure-registry.conf', '/home/core')
-      yield Command(cp_command)
-      yield Command('sudo systemctl daemon-reload')
+            yield Command("sudo mkdir -p /etc/systemd/system/docker.service.d/")
+            yield FileCopy("50-insecure-registry.conf", "/home/core")
+            yield Command(cp_command)
+            yield Command("sudo systemctl daemon-reload")
 
-    yield FileCopy('Dockerfile.test', '/home/core/Dockerfile')
+        yield FileCopy("Dockerfile.test", "/home/core/Dockerfile")
 
-  def populate_test_image(self, registry_host, namespace, name):
-    if self.requires_v1:
-      # These versions of Docker don't support the new TLS cert on quay.io, so we need to pull
-      # from v1.quay.io and then retag so the build works.
-      yield Command('docker pull v1.quay.io/quay/busybox')
-      yield Command('docker tag v1.quay.io/quay/busybox quay.io/quay/busybox')
+    def populate_test_image(self, registry_host, namespace, name):
+        if self.requires_v1:
+            # These versions of Docker don't support the new TLS cert on quay.io, so we need to pull
+            # from v1.quay.io and then retag so the build works.
+            yield Command("docker pull v1.quay.io/quay/busybox")
+            yield Command("docker tag v1.quay.io/quay/busybox quay.io/quay/busybox")
 
-    yield Command('docker build -t %s/%s/%s .' % (registry_host, namespace, name))
+        yield Command("docker build -t %s/%s/%s ." % (registry_host, namespace, name))
 
-  def print_version(self):
-    yield Command('docker version')
+    def print_version(self):
+        yield Command("docker version")
 
-  def login(self, registry_host, username, password):
-    email_param = ""
-    if self.requires_email:
-      # cli will block forever if email is not set for version under 1.10.3
-      email_param = "--email=none "
+    def login(self, registry_host, username, password):
+        email_param = ""
+        if self.requires_email:
+            # cli will block forever if email is not set for version under 1.10.3
+            email_param = "--email=none "
 
-    yield Command('docker login --username=%s --password=%s %s %s' %
-                  (username, password, email_param, registry_host))
+        yield Command(
+            "docker login --username=%s --password=%s %s %s"
+            % (username, password, email_param, registry_host)
+        )
 
-  def push(self, registry_host, namespace, name):
-    yield Command('docker push %s/%s/%s' % (registry_host, namespace, name))
+    def push(self, registry_host, namespace, name):
+        yield Command("docker push %s/%s/%s" % (registry_host, namespace, name))
 
-  def pre_pull_cleanup(self, registry_host, namespace, name):
-    prefix = 'v1.' if self.requires_v1 else ''
-    yield Command('docker rmi -f %s/%s/%s' % (registry_host, namespace, name))
-    yield Command('docker rmi -f %squay.io/quay/busybox' % prefix)
+    def pre_pull_cleanup(self, registry_host, namespace, name):
+        prefix = "v1." if self.requires_v1 else ""
+        yield Command("docker rmi -f %s/%s/%s" % (registry_host, namespace, name))
+        yield Command("docker rmi -f %squay.io/quay/busybox" % prefix)
 
-  def pull(self, registry_host, namespace, name):
-    yield Command('docker pull %s/%s/%s' % (registry_host, namespace, name))
+    def pull(self, registry_host, namespace, name):
+        yield Command("docker pull %s/%s/%s" % (registry_host, namespace, name))
 
-  def verify(self, registry_host, namespace, name):
-    yield Command('docker run %s/%s/%s echo testfile' % (registry_host, namespace, name))
+    def verify(self, registry_host, namespace, name):
+        yield Command(
+            "docker run %s/%s/%s echo testfile" % (registry_host, namespace, name)
+        )
 
 
 class PodmanClient(Client):
-  def __init__(self):
-    self.verify_tls = False
+    def __init__(self):
+        self.verify_tls = False
 
-  def setup_client(self, registry_host, verify_tls):
-    yield FileCopy('Dockerfile.test', '/home/vagrant/Dockerfile')
-    self.verify_tls = verify_tls
+    def setup_client(self, registry_host, verify_tls):
+        yield FileCopy("Dockerfile.test", "/home/vagrant/Dockerfile")
+        self.verify_tls = verify_tls
 
-  def populate_test_image(self, registry_host, namespace, name):
-    yield Command('sudo podman build -t %s/%s/%s /home/vagrant/' % (registry_host, namespace, name))
+    def populate_test_image(self, registry_host, namespace, name):
+        yield Command(
+            "sudo podman build -t %s/%s/%s /home/vagrant/"
+            % (registry_host, namespace, name)
+        )
 
-  def print_version(self):
-    yield Command('sudo podman version')
+    def print_version(self):
+        yield Command("sudo podman version")
 
-  def login(self, registry_host, username, password):
-    yield Command('sudo podman login --tls-verify=%s --username=%s --password=%s %s' %
-                  (self.verify_tls, username, password, registry_host))
+    def login(self, registry_host, username, password):
+        yield Command(
+            "sudo podman login --tls-verify=%s --username=%s --password=%s %s"
+            % (self.verify_tls, username, password, registry_host)
+        )
 
-  def push(self, registry_host, namespace, name):
-    yield Command('sudo podman push --tls-verify=%s %s/%s/%s' % (self.verify_tls, registry_host, namespace, name))
+    def push(self, registry_host, namespace, name):
+        yield Command(
+            "sudo podman push --tls-verify=%s %s/%s/%s"
+            % (self.verify_tls, registry_host, namespace, name)
+        )
 
-  def pre_pull_cleanup(self, registry_host, namespace, name):
-    yield Command('sudo podman rmi -f %s/%s/%s' % (registry_host, namespace, name))
-    yield Command('sudo podman rmi -f quay.io/quay/busybox')
+    def pre_pull_cleanup(self, registry_host, namespace, name):
+        yield Command("sudo podman rmi -f %s/%s/%s" % (registry_host, namespace, name))
+        yield Command("sudo podman rmi -f quay.io/quay/busybox")
 
-  def pull(self, registry_host, namespace, name):
-    yield Command('sudo podman pull --tls-verify=%s %s/%s/%s' % (self.verify_tls, registry_host, namespace, name))
+    def pull(self, registry_host, namespace, name):
+        yield Command(
+            "sudo podman pull --tls-verify=%s %s/%s/%s"
+            % (self.verify_tls, registry_host, namespace, name)
+        )
 
-  def verify(self, registry_host, namespace, name):
-    yield Command('sudo podman run %s/%s/%s echo testfile' % (registry_host, namespace, name))
+    def verify(self, registry_host, namespace, name):
+        yield Command(
+            "sudo podman run %s/%s/%s echo testfile" % (registry_host, namespace, name)
+        )
diff --git a/test/conftest.py b/test/conftest.py
index accd9e40e..4ab888475 100644
--- a/test/conftest.py
+++ b/test/conftest.py
@@ -4,7 +4,7 @@ import pytest
 
 
 def pytest_collection_modifyitems(config, items):
-  """
+    """
   This adds a pytest marker that consistently shards all collected tests.
 
   Use it like the following:
@@ -16,23 +16,27 @@ def pytest_collection_modifyitems(config, items):
   Copyright (c) 2015-2018 Cisco Systems, Inc.
   Copyright (c) 2018 Red Hat, Inc.
   """
-  mark_opt = config.getoption('-m')
-  if not mark_opt.startswith('shard_'):
-    return
+    mark_opt = config.getoption("-m")
+    if not mark_opt.startswith("shard_"):
+        return
 
-  desired_shard, _, total_shards = mark_opt[len('shard_'):].partition('_of_')
-  if not total_shards or not desired_shard:
-    return
+    desired_shard, _, total_shards = mark_opt[len("shard_") :].partition("_of_")
+    if not total_shards or not desired_shard:
+        return
 
-  desired_shard = int(desired_shard)
-  total_shards = int(total_shards)
+    desired_shard = int(desired_shard)
+    total_shards = int(total_shards)
 
-  if not 0 < desired_shard <= total_shards:
-    raise ValueError('desired_shard must be greater than 0 and not bigger than total_shards')
+    if not 0 < desired_shard <= total_shards:
+        raise ValueError(
+            "desired_shard must be greater than 0 and not bigger than total_shards"
+        )
 
-  for test_counter, item in enumerate(items):
-    shard = test_counter%total_shards + 1
-    marker = getattr(pytest.mark, 'shard_{}_of_{}'.format(shard, total_shards))
-    item.add_marker(marker)
+    for test_counter, item in enumerate(items):
+        shard = test_counter % total_shards + 1
+        marker = getattr(pytest.mark, "shard_{}_of_{}".format(shard, total_shards))
+        item.add_marker(marker)
 
-  print('Running sharded test group #{} out of {}'.format(desired_shard, total_shards))
+    print (
+        "Running sharded test group #{} out of {}".format(desired_shard, total_shards)
+    )
diff --git a/test/fixtures.py b/test/fixtures.py
index f3a63413d..20826fcc4 100644
--- a/test/fixtures.py
+++ b/test/fixtures.py
@@ -10,7 +10,13 @@ import inspect
 
 from flask import Flask, jsonify
 from flask_login import LoginManager
-from flask_principal import identity_loaded, Permission, Identity, identity_changed, Principal
+from flask_principal import (
+    identity_loaded,
+    Permission,
+    Identity,
+    identity_changed,
+    Principal,
+)
 from flask_mail import Mail
 from peewee import SqliteDatabase, InternalError
 from mock import patch
@@ -19,7 +25,12 @@ from app import app as application
 from auth.permissions import on_identity_loaded
 from data import model
 from data.database import close_db_filter, db, configure
-from data.model.user import LoginWrappedDBUser, create_robot, lookup_robot, create_user_noverify
+from data.model.user import (
+    LoginWrappedDBUser,
+    create_robot,
+    lookup_robot,
+    create_user_noverify,
+)
 from data.model.repository import create_repository
 from data.model.repo_mirror import enable_mirroring_for_repository
 from data.userfiles import Userfiles
@@ -33,141 +44,146 @@ from endpoints.webhooks import webhooks
 
 from initdb import initialize_database, populate_database
 
-from path_converters import APIRepositoryPathConverter, RegexConverter, RepositoryPathConverter
+from path_converters import (
+    APIRepositoryPathConverter,
+    RegexConverter,
+    RepositoryPathConverter,
+)
 from test.testconfig import FakeTransaction
 
 INIT_DB_PATH = 0
 
+
 @pytest.fixture(scope="session")
 def init_db_path(tmpdir_factory):
-  """ Creates a new database and appropriate configuration. Note that the initial database
+    """ Creates a new database and appropriate configuration. Note that the initial database
       is created *once* per session. In the non-full-db-test case, the database_uri fixture
       makes a copy of the SQLite database file on disk and passes a new copy to each test.
   """
-  # NOTE: We use a global here because pytest runs this code multiple times, due to the fixture
-  # being imported instead of being in a conftest. Moving to conftest has its own issues, and this
-  # call is quite slow, so we simply cache it here.
-  global INIT_DB_PATH
-  INIT_DB_PATH = INIT_DB_PATH or _init_db_path(tmpdir_factory)
-  return INIT_DB_PATH
+    # NOTE: We use a global here because pytest runs this code multiple times, due to the fixture
+    # being imported instead of being in a conftest. Moving to conftest has its own issues, and this
+    # call is quite slow, so we simply cache it here.
+    global INIT_DB_PATH
+    INIT_DB_PATH = INIT_DB_PATH or _init_db_path(tmpdir_factory)
+    return INIT_DB_PATH
+
 
 def _init_db_path(tmpdir_factory):
-  if os.environ.get('TEST_DATABASE_URI'):
-    return _init_db_path_real_db(os.environ.get('TEST_DATABASE_URI'))
+    if os.environ.get("TEST_DATABASE_URI"):
+        return _init_db_path_real_db(os.environ.get("TEST_DATABASE_URI"))
+
+    return _init_db_path_sqlite(tmpdir_factory)
 
-  return _init_db_path_sqlite(tmpdir_factory)
 
 def _init_db_path_real_db(db_uri):
-  """ Initializes a real database for testing by populating it from scratch. Note that this does
+    """ Initializes a real database for testing by populating it from scratch. Note that this does
       *not* add the tables (merely data). Callers must have migrated the database before calling
       the test suite.
   """
-  configure({
-    "DB_URI": db_uri,
-    "SECRET_KEY": "superdupersecret!!!1",
-    "DB_CONNECTION_ARGS": {
-      'threadlocals': True,
-      'autorollback': True,
-    },
-    "DB_TRANSACTION_FACTORY": _create_transaction,
-    "DATABASE_SECRET_KEY": "anothercrazykey!",
-  })
+    configure(
+        {
+            "DB_URI": db_uri,
+            "SECRET_KEY": "superdupersecret!!!1",
+            "DB_CONNECTION_ARGS": {"threadlocals": True, "autorollback": True},
+            "DB_TRANSACTION_FACTORY": _create_transaction,
+            "DATABASE_SECRET_KEY": "anothercrazykey!",
+        }
+    )
+
+    populate_database()
+    return db_uri
 
-  populate_database()
-  return db_uri
 
 def _init_db_path_sqlite(tmpdir_factory):
-  """ Initializes a SQLite database for testing by populating it from scratch and placing it into
+    """ Initializes a SQLite database for testing by populating it from scratch and placing it into
       a temp directory file.
   """
-  sqlitedbfile = str(tmpdir_factory.mktemp("data").join("test.db"))
-  sqlitedb = 'sqlite:///{0}'.format(sqlitedbfile)
-  conf = {"TESTING": True,
-          "DEBUG": True,
-          "SECRET_KEY": "superdupersecret!!!1",
-          "DATABASE_SECRET_KEY": "anothercrazykey!",
-          "DB_URI": sqlitedb}
-  os.environ['DB_URI'] = str(sqlitedb)
-  db.initialize(SqliteDatabase(sqlitedbfile))
-  application.config.update(conf)
-  application.config.update({"DB_URI": sqlitedb})
-  initialize_database()
+    sqlitedbfile = str(tmpdir_factory.mktemp("data").join("test.db"))
+    sqlitedb = "sqlite:///{0}".format(sqlitedbfile)
+    conf = {
+        "TESTING": True,
+        "DEBUG": True,
+        "SECRET_KEY": "superdupersecret!!!1",
+        "DATABASE_SECRET_KEY": "anothercrazykey!",
+        "DB_URI": sqlitedb,
+    }
+    os.environ["DB_URI"] = str(sqlitedb)
+    db.initialize(SqliteDatabase(sqlitedbfile))
+    application.config.update(conf)
+    application.config.update({"DB_URI": sqlitedb})
+    initialize_database()
 
-  db.obj.execute_sql('PRAGMA foreign_keys = ON;')
-  db.obj.execute_sql('PRAGMA encoding="UTF-8";')
+    db.obj.execute_sql("PRAGMA foreign_keys = ON;")
+    db.obj.execute_sql('PRAGMA encoding="UTF-8";')
 
-  populate_database()
-  close_db_filter(None)
-  return str(sqlitedbfile)
+    populate_database()
+    close_db_filter(None)
+    return str(sqlitedbfile)
 
 
 @pytest.yield_fixture()
 def database_uri(monkeypatch, init_db_path, sqlitedb_file):
-  """ Returns the database URI to use for testing. In the SQLite case, a new, distinct copy of
+    """ Returns the database URI to use for testing. In the SQLite case, a new, distinct copy of
       the SQLite database is created by copying the initialized database file (sqlitedb_file)
       on a per-test basis. In the non-SQLite case, a reference to the existing database URI is
       returned.
   """
-  if os.environ.get('TEST_DATABASE_URI'):
-    db_uri = os.environ['TEST_DATABASE_URI']
-    monkeypatch.setenv("DB_URI", db_uri)
-    yield db_uri
-  else:
-    # Copy the golden database file to a new path.
-    shutil.copy2(init_db_path, sqlitedb_file)
+    if os.environ.get("TEST_DATABASE_URI"):
+        db_uri = os.environ["TEST_DATABASE_URI"]
+        monkeypatch.setenv("DB_URI", db_uri)
+        yield db_uri
+    else:
+        # Copy the golden database file to a new path.
+        shutil.copy2(init_db_path, sqlitedb_file)
 
-    # Monkeypatch the DB_URI.
-    db_path = 'sqlite:///{0}'.format(sqlitedb_file)
-    monkeypatch.setenv("DB_URI", db_path)
-    yield db_path
+        # Monkeypatch the DB_URI.
+        db_path = "sqlite:///{0}".format(sqlitedb_file)
+        monkeypatch.setenv("DB_URI", db_path)
+        yield db_path
 
-    # Delete the DB copy.
-    assert '..' not in sqlitedb_file
-    assert 'test.db' in sqlitedb_file
-    os.remove(sqlitedb_file)
+        # Delete the DB copy.
+        assert ".." not in sqlitedb_file
+        assert "test.db" in sqlitedb_file
+        os.remove(sqlitedb_file)
 
 
 @pytest.fixture()
 def sqlitedb_file(tmpdir):
-  """ Returns the path at which the initialized, golden SQLite database file will be placed. """
-  test_db_file = tmpdir.mkdir("quaydb").join("test.db")
-  return str(test_db_file)
+    """ Returns the path at which the initialized, golden SQLite database file will be placed. """
+    test_db_file = tmpdir.mkdir("quaydb").join("test.db")
+    return str(test_db_file)
+
 
 def _create_transaction(db):
-  return FakeTransaction()
+    return FakeTransaction()
+
 
 @pytest.fixture()
 def appconfig(database_uri):
-  """ Returns application configuration for testing that references the proper database URI. """
-  conf = {
-    "TESTING": True,
-    "DEBUG": True,
-    "DB_URI": database_uri,
-    "SECRET_KEY": 'superdupersecret!!!1',
-    "DATABASE_SECRET_KEY": "anothercrazykey!",
-    "DB_CONNECTION_ARGS": {
-      'threadlocals': True,
-      'autorollback': True,
-    },
-    "DB_TRANSACTION_FACTORY": _create_transaction,
-    "DATA_MODEL_CACHE_CONFIG": {
-      'engine': 'inmemory',
-    },
-    "USERFILES_PATH": "userfiles/",
-    "MAIL_SERVER": "",
-    "MAIL_DEFAULT_SENDER": "support@quay.io",
-    "DATABASE_SECRET_KEY": "anothercrazykey!",
-  }
-  return conf
+    """ Returns application configuration for testing that references the proper database URI. """
+    conf = {
+        "TESTING": True,
+        "DEBUG": True,
+        "DB_URI": database_uri,
+        "SECRET_KEY": "superdupersecret!!!1",
+        "DATABASE_SECRET_KEY": "anothercrazykey!",
+        "DB_CONNECTION_ARGS": {"threadlocals": True, "autorollback": True},
+        "DB_TRANSACTION_FACTORY": _create_transaction,
+        "DATA_MODEL_CACHE_CONFIG": {"engine": "inmemory"},
+        "USERFILES_PATH": "userfiles/",
+        "MAIL_SERVER": "",
+        "MAIL_DEFAULT_SENDER": "support@quay.io",
+        "DATABASE_SECRET_KEY": "anothercrazykey!",
+    }
+    return conf
 
 
-AllowedAutoJoin = namedtuple('AllowedAutoJoin', ['frame_start_index', 'pattern_prefixes'])
+AllowedAutoJoin = namedtuple(
+    "AllowedAutoJoin", ["frame_start_index", "pattern_prefixes"]
+)
 
 
-ALLOWED_AUTO_JOINS = [
-  AllowedAutoJoin(0, ['test_']),
-  AllowedAutoJoin(0, ['<', 'test_']),
-]
+ALLOWED_AUTO_JOINS = [AllowedAutoJoin(0, ["test_"]), AllowedAutoJoin(0, ["<", "test_"])]
 
 CALLER_FRAMES_OFFSET = 3
 FRAME_NAME_INDEX = 3
@@ -175,127 +191,142 @@ FRAME_NAME_INDEX = 3
 
 @pytest.fixture()
 def initialized_db(appconfig):
-  """ Configures the database for the database found in the appconfig. """
-  under_test_real_database = bool(os.environ.get('TEST_DATABASE_URI'))
+    """ Configures the database for the database found in the appconfig. """
+    under_test_real_database = bool(os.environ.get("TEST_DATABASE_URI"))
 
-  # Configure the database.
-  configure(appconfig)
+    # Configure the database.
+    configure(appconfig)
 
-  # Initialize caches.
-  model._basequery._lookup_team_roles()
-  model._basequery.get_public_repo_visibility()
-  model.log.get_log_entry_kinds()
+    # Initialize caches.
+    model._basequery._lookup_team_roles()
+    model._basequery.get_public_repo_visibility()
+    model.log.get_log_entry_kinds()
 
-  if not under_test_real_database:
-    # Make absolutely sure foreign key constraints are on.
-    db.obj.execute_sql('PRAGMA foreign_keys = ON;')
-    db.obj.execute_sql('PRAGMA encoding="UTF-8";')
-    assert db.obj.execute_sql('PRAGMA foreign_keys;').fetchone()[0] == 1
-    assert db.obj.execute_sql('PRAGMA encoding;').fetchone()[0] == 'UTF-8'
+    if not under_test_real_database:
+        # Make absolutely sure foreign key constraints are on.
+        db.obj.execute_sql("PRAGMA foreign_keys = ON;")
+        db.obj.execute_sql('PRAGMA encoding="UTF-8";')
+        assert db.obj.execute_sql("PRAGMA foreign_keys;").fetchone()[0] == 1
+        assert db.obj.execute_sql("PRAGMA encoding;").fetchone()[0] == "UTF-8"
 
-  # If under a test *real* database, setup a savepoint.
-  if under_test_real_database:
-    with db.transaction():
-      test_savepoint = db.savepoint()
-      test_savepoint.__enter__()
+    # If under a test *real* database, setup a savepoint.
+    if under_test_real_database:
+        with db.transaction():
+            test_savepoint = db.savepoint()
+            test_savepoint.__enter__()
 
-      yield # Run the test.
-
-      try:
-        test_savepoint.rollback()
-        test_savepoint.__exit__(None, None, None)
-      except InternalError:
-        # If postgres fails with an exception (like IntegrityError) mid-transaction, it terminates
-        # it immediately, so when we go to remove the savepoint, it complains. We can safely ignore
-        # this case.
-        pass
-  else:
-    if os.environ.get('DISALLOW_AUTO_JOINS', 'false').lower() == 'true':
-      # Patch get_rel_instance to fail if we try to load any non-joined foreign key. This will allow
-      # us to catch missing joins when running tests.
-      def get_rel_instance(self, instance):
-        value = instance.__data__.get(self.name)
-        if value is not None or self.name in instance.__rel__:
-          if self.name not in instance.__rel__:
-            # NOTE: We only raise an exception if this auto-lookup occurs from non-testing code.
-            # Testing code can be a bit inefficient.
-            lookup_allowed = False
+            yield  # Run the test.
 
             try:
-              outerframes = inspect.getouterframes(inspect.currentframe())
-            except IndexError:
-              # Happens due to a bug in Jinja.
-              outerframes = []
-
-            for allowed_auto_join in ALLOWED_AUTO_JOINS:
-              if lookup_allowed:
-                break
-
-              if len(outerframes) >= allowed_auto_join.frame_start_index + CALLER_FRAMES_OFFSET:
-                found_match = True
-                for index, pattern_prefix in enumerate(allowed_auto_join.pattern_prefixes):
-                  frame_info = outerframes[index + CALLER_FRAMES_OFFSET]
-                  if not frame_info[FRAME_NAME_INDEX].startswith(pattern_prefix):
-                    found_match = False
-                    break
-
-                if found_match:
-                  lookup_allowed = True
-                  break
-
-            if not lookup_allowed:
-              raise Exception('Missing join on instance `%s` for field `%s`', instance, self.name)
-
-            obj = self.rel_model.get(self.field.rel_field == value)
-            instance.__rel__[self.name] = obj
-          return instance.__rel__[self.name]
-        elif not self.field.null:
-          raise self.rel_model.DoesNotExist
-
-        return value
-
-      with patch('peewee.ForeignKeyAccessor.get_rel_instance', get_rel_instance):
-        yield
+                test_savepoint.rollback()
+                test_savepoint.__exit__(None, None, None)
+            except InternalError:
+                # If postgres fails with an exception (like IntegrityError) mid-transaction, it terminates
+                # it immediately, so when we go to remove the savepoint, it complains. We can safely ignore
+                # this case.
+                pass
     else:
-      yield
+        if os.environ.get("DISALLOW_AUTO_JOINS", "false").lower() == "true":
+            # Patch get_rel_instance to fail if we try to load any non-joined foreign key. This will allow
+            # us to catch missing joins when running tests.
+            def get_rel_instance(self, instance):
+                value = instance.__data__.get(self.name)
+                if value is not None or self.name in instance.__rel__:
+                    if self.name not in instance.__rel__:
+                        # NOTE: We only raise an exception if this auto-lookup occurs from non-testing code.
+                        # Testing code can be a bit inefficient.
+                        lookup_allowed = False
+
+                        try:
+                            outerframes = inspect.getouterframes(inspect.currentframe())
+                        except IndexError:
+                            # Happens due to a bug in Jinja.
+                            outerframes = []
+
+                        for allowed_auto_join in ALLOWED_AUTO_JOINS:
+                            if lookup_allowed:
+                                break
+
+                            if (
+                                len(outerframes)
+                                >= allowed_auto_join.frame_start_index
+                                + CALLER_FRAMES_OFFSET
+                            ):
+                                found_match = True
+                                for index, pattern_prefix in enumerate(
+                                    allowed_auto_join.pattern_prefixes
+                                ):
+                                    frame_info = outerframes[
+                                        index + CALLER_FRAMES_OFFSET
+                                    ]
+                                    if not frame_info[FRAME_NAME_INDEX].startswith(
+                                        pattern_prefix
+                                    ):
+                                        found_match = False
+                                        break
+
+                                if found_match:
+                                    lookup_allowed = True
+                                    break
+
+                        if not lookup_allowed:
+                            raise Exception(
+                                "Missing join on instance `%s` for field `%s`",
+                                instance,
+                                self.name,
+                            )
+
+                        obj = self.rel_model.get(self.field.rel_field == value)
+                        instance.__rel__[self.name] = obj
+                    return instance.__rel__[self.name]
+                elif not self.field.null:
+                    raise self.rel_model.DoesNotExist
+
+                return value
+
+            with patch("peewee.ForeignKeyAccessor.get_rel_instance", get_rel_instance):
+                yield
+        else:
+            yield
+
 
 @pytest.fixture()
 def app(appconfig, initialized_db):
-  """ Used by pytest-flask plugin to inject a custom app instance for testing. """
-  app = Flask(__name__)
-  login_manager = LoginManager(app)
+    """ Used by pytest-flask plugin to inject a custom app instance for testing. """
+    app = Flask(__name__)
+    login_manager = LoginManager(app)
 
-  @app.errorhandler(model.DataModelException)
-  def handle_dme(ex):
-    response = jsonify({'message': str(ex)})
-    response.status_code = 400
-    return response
+    @app.errorhandler(model.DataModelException)
+    def handle_dme(ex):
+        response = jsonify({"message": str(ex)})
+        response.status_code = 400
+        return response
 
-  @login_manager.user_loader
-  def load_user(user_uuid):
-    return LoginWrappedDBUser(user_uuid)
+    @login_manager.user_loader
+    def load_user(user_uuid):
+        return LoginWrappedDBUser(user_uuid)
 
-  @identity_loaded.connect_via(app)
-  def on_identity_loaded_for_test(sender, identity):
-    on_identity_loaded(sender, identity)
+    @identity_loaded.connect_via(app)
+    def on_identity_loaded_for_test(sender, identity):
+        on_identity_loaded(sender, identity)
 
-  Principal(app, use_sessions=False)
+    Principal(app, use_sessions=False)
 
-  app.url_map.converters['regex'] = RegexConverter
-  app.url_map.converters['apirepopath'] = APIRepositoryPathConverter
-  app.url_map.converters['repopath'] = RepositoryPathConverter
+    app.url_map.converters["regex"] = RegexConverter
+    app.url_map.converters["apirepopath"] = APIRepositoryPathConverter
+    app.url_map.converters["repopath"] = RepositoryPathConverter
 
-  app.register_blueprint(api_bp, url_prefix='/api')
-  app.register_blueprint(appr_bp, url_prefix='/cnr')
-  app.register_blueprint(web, url_prefix='/')
-  app.register_blueprint(verbs_bp, url_prefix='/c1')
-  app.register_blueprint(v1_bp, url_prefix='/v1')
-  app.register_blueprint(v2_bp, url_prefix='/v2')
-  app.register_blueprint(webhooks, url_prefix='/webhooks')
+    app.register_blueprint(api_bp, url_prefix="/api")
+    app.register_blueprint(appr_bp, url_prefix="/cnr")
+    app.register_blueprint(web, url_prefix="/")
+    app.register_blueprint(verbs_bp, url_prefix="/c1")
+    app.register_blueprint(v1_bp, url_prefix="/v1")
+    app.register_blueprint(v2_bp, url_prefix="/v2")
+    app.register_blueprint(webhooks, url_prefix="/webhooks")
 
-  app.config.update(appconfig)
+    app.config.update(appconfig)
 
-  Userfiles(app)
-  Mail(app)
+    Userfiles(app)
+    Mail(app)
 
-  return app
+    return app
diff --git a/test/helpers.py b/test/helpers.py
index 3493ed645..cb0181c37 100644
--- a/test/helpers.py
+++ b/test/helpers.py
@@ -5,32 +5,40 @@ import socket
 from contextlib import contextmanager
 from data.database import LogEntryKind, LogEntry3
 
+
 class assert_action_logged(object):
-  """ Specialized assertion for ensuring that a log entry of a particular kind was added under the
+    """ Specialized assertion for ensuring that a log entry of a particular kind was added under the
       context of this call.
   """
-  def __init__(self, log_kind):
-    self.log_kind = log_kind
-    self.existing_count = 0
 
-  def _get_log_count(self):
-    return LogEntry3.select().where(LogEntry3.kind == LogEntryKind.get(name=self.log_kind)).count()
+    def __init__(self, log_kind):
+        self.log_kind = log_kind
+        self.existing_count = 0
 
-  def __enter__(self):
-    self.existing_count = self._get_log_count()
-    return self
+    def _get_log_count(self):
+        return (
+            LogEntry3.select()
+            .where(LogEntry3.kind == LogEntryKind.get(name=self.log_kind))
+            .count()
+        )
+
+    def __enter__(self):
+        self.existing_count = self._get_log_count()
+        return self
+
+    def __exit__(self, exc_type, exc_val, exc_tb):
+        if exc_val is None:
+            updated_count = self._get_log_count()
+            error_msg = "Missing new log entry of kind %s" % self.log_kind
+            assert self.existing_count == (updated_count - 1), error_msg
 
-  def __exit__(self, exc_type, exc_val, exc_tb):
-    if exc_val is None:
-      updated_count = self._get_log_count()
-      error_msg = 'Missing new log entry of kind %s' % self.log_kind
-      assert self.existing_count == (updated_count - 1), error_msg
 
 _LIVESERVER_TIMEOUT = 5
 
+
 @contextmanager
 def liveserver_app(flask_app, port):
-  """
+    """
       Based on https://github.com/jarus/flask-testing/blob/master/flask_testing/utils.py
 
       Runs the given Flask app as a live web server locally, on the given port, starting it
@@ -40,44 +48,49 @@ def liveserver_app(flask_app, port):
       with liveserver_app(flask_app, port):
         # Code that makes use of the app.
   """
-  shared = {}
+    shared = {}
 
-  def _can_ping_server():
-    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    def _can_ping_server():
+        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+
+        try:
+            sock.connect(("localhost", port))
+        except socket.error:
+            success = False
+        else:
+            success = True
+        finally:
+            sock.close()
+
+        return success
+
+    def _spawn_live_server():
+        worker = lambda app, port: app.run(port=port, use_reloader=False)
+        shared["process"] = multiprocessing.Process(
+            target=worker, args=(flask_app, port)
+        )
+        shared["process"].start()
+
+        start_time = time.time()
+        while True:
+            elapsed_time = time.time() - start_time
+            if elapsed_time > _LIVESERVER_TIMEOUT:
+                _terminate_live_server()
+                raise RuntimeError(
+                    "Failed to start the server after %d seconds. "
+                    % _LIVESERVER_TIMEOUT
+                )
+
+            if _can_ping_server():
+                break
+
+    def _terminate_live_server():
+        if shared.get("process"):
+            shared.get("process").terminate()
+            shared.pop("process")
 
     try:
-      sock.connect(('localhost', port))
-    except socket.error:
-      success = False
-    else:
-      success = True
+        _spawn_live_server()
+        yield
     finally:
-      sock.close()
-
-    return success
-
-  def _spawn_live_server():
-    worker = lambda app, port: app.run(port=port, use_reloader=False)
-    shared['process'] = multiprocessing.Process(target=worker, args=(flask_app, port))
-    shared['process'].start()
-
-    start_time = time.time()
-    while True:
-      elapsed_time = (time.time() - start_time)
-      if elapsed_time > _LIVESERVER_TIMEOUT:
         _terminate_live_server()
-        raise RuntimeError("Failed to start the server after %d seconds. " % _LIVESERVER_TIMEOUT)
-
-      if _can_ping_server():
-        break
-
-  def _terminate_live_server():
-    if shared.get('process'):
-      shared.get('process').terminate()
-      shared.pop('process')
-
-  try:
-    _spawn_live_server()
-    yield
-  finally:
-    _terminate_live_server()
diff --git a/test/queue_threads.py b/test/queue_threads.py
index 0ed06109b..52e03112d 100644
--- a/test/queue_threads.py
+++ b/test/queue_threads.py
@@ -10,68 +10,70 @@ from data.queue import WorkQueue
 from initdb import wipe_database, initialize_database, populate_database
 
 
-QUEUE_NAME = 'testqueuename'
+QUEUE_NAME = "testqueuename"
+
 
 class AutoUpdatingQueue(object):
-  def __init__(self, queue_to_wrap):
-    self._queue = queue_to_wrap
+    def __init__(self, queue_to_wrap):
+        self._queue = queue_to_wrap
 
-  def _wrapper(self, func):
-    @wraps(func)
-    def wrapper(*args, **kwargs):
-      to_return = func(*args, **kwargs)
-      self._queue.update_metrics()
-      return to_return
-    return wrapper
+    def _wrapper(self, func):
+        @wraps(func)
+        def wrapper(*args, **kwargs):
+            to_return = func(*args, **kwargs)
+            self._queue.update_metrics()
+            return to_return
 
-  def __getattr__(self, attr_name):
-    method_or_attr = getattr(self._queue, attr_name)
-    if callable(method_or_attr):
-      return self._wrapper(method_or_attr)
-    else:
-      return method_or_attr
+        return wrapper
+
+    def __getattr__(self, attr_name):
+        method_or_attr = getattr(self._queue, attr_name)
+        if callable(method_or_attr):
+            return self._wrapper(method_or_attr)
+        else:
+            return method_or_attr
 
 
 class QueueTestCase(unittest.TestCase):
-  TEST_MESSAGE_1 = json.dumps({'data': 1})
+    TEST_MESSAGE_1 = json.dumps({"data": 1})
 
-  def setUp(self):
-    self.transaction_factory = app.config['DB_TRANSACTION_FACTORY']
-    self.queue = AutoUpdatingQueue(WorkQueue(QUEUE_NAME, self.transaction_factory))
-    wipe_database()
-    initialize_database()
-    populate_database()
+    def setUp(self):
+        self.transaction_factory = app.config["DB_TRANSACTION_FACTORY"]
+        self.queue = AutoUpdatingQueue(WorkQueue(QUEUE_NAME, self.transaction_factory))
+        wipe_database()
+        initialize_database()
+        populate_database()
 
 
 class TestQueueThreads(QueueTestCase):
-  def test_queue_threads(self):
-    count = [20]
-    for i in range(count[0]):
-      self.queue.put([str(i)], self.TEST_MESSAGE_1)
+    def test_queue_threads(self):
+        count = [20]
+        for i in range(count[0]):
+            self.queue.put([str(i)], self.TEST_MESSAGE_1)
 
-    lock = Lock()
-    def get(lock, count, queue):
-      item = queue.get()
-      if item is None:
-        return
-      self.assertEqual(self.TEST_MESSAGE_1, item.body)
-      with lock:
-        count[0] -= 1
+        lock = Lock()
 
-    threads = []
-    # The thread count needs to be a few times higher than the queue size
-    # count because some threads will get a None and thus won't decrement
-    # the counter.
-    for i in range(100):
-      t = Thread(target=get, args=(lock, count, self.queue))
-      threads.append(t)
-    for t in threads:
-      t.start()
-    for t in threads:
-      t.join()
-    self.assertEqual(count[0], 0)
+        def get(lock, count, queue):
+            item = queue.get()
+            if item is None:
+                return
+            self.assertEqual(self.TEST_MESSAGE_1, item.body)
+            with lock:
+                count[0] -= 1
+
+        threads = []
+        # The thread count needs to be a few times higher than the queue size
+        # count because some threads will get a None and thus won't decrement
+        # the counter.
+        for i in range(100):
+            t = Thread(target=get, args=(lock, count, self.queue))
+            threads.append(t)
+        for t in threads:
+            t.start()
+        for t in threads:
+            t.join()
+        self.assertEqual(count[0], 0)
 
 
-if __name__ == '__main__':
-  unittest.main()
-
+if __name__ == "__main__":
+    unittest.main()
diff --git a/test/registry/fixtures.py b/test/registry/fixtures.py
index facdfcaad..467ee35d6 100644
--- a/test/registry/fixtures.py
+++ b/test/registry/fixtures.py
@@ -13,9 +13,20 @@ from flask import jsonify, g
 from flask_principal import Identity
 
 from app import storage
-from data.database import (close_db_filter, configure, DerivedStorageForImage, QueueItem, Image,
-                           TagManifest, TagManifestToManifest, Manifest, ManifestLegacyImage,
-                           ManifestBlob, NamespaceGeoRestriction, User)
+from data.database import (
+    close_db_filter,
+    configure,
+    DerivedStorageForImage,
+    QueueItem,
+    Image,
+    TagManifest,
+    TagManifestToManifest,
+    Manifest,
+    ManifestLegacyImage,
+    ManifestBlob,
+    NamespaceGeoRestriction,
+    User,
+)
 from data import model
 from data.registry_model import registry_model
 from endpoints.csrf import generate_csrf_token
@@ -26,170 +37,182 @@ from test.registry.liveserverfixture import LiveServerExecutor
 
 @pytest.fixture()
 def registry_server_executor(app):
-  def generate_csrf():
-    return generate_csrf_token()
+    def generate_csrf():
+        return generate_csrf_token()
 
-  def set_supports_direct_download(enabled):
-    storage.put_content(['local_us'], 'supports_direct_download', 'true' if enabled else 'false')
-    return 'OK'
+    def set_supports_direct_download(enabled):
+        storage.put_content(
+            ["local_us"], "supports_direct_download", "true" if enabled else "false"
+        )
+        return "OK"
 
-  def delete_image(image_id):
-    image = Image.get(docker_image_id=image_id)
-    image.docker_image_id = 'DELETED'
-    image.save()
-    return 'OK'
+    def delete_image(image_id):
+        image = Image.get(docker_image_id=image_id)
+        image.docker_image_id = "DELETED"
+        image.save()
+        return "OK"
 
-  def get_storage_replication_entry(image_id):
-    image = Image.get(docker_image_id=image_id)
-    QueueItem.select().where(QueueItem.queue_name ** ('%' + image.storage.uuid + '%')).get()
-    return 'OK'
+    def get_storage_replication_entry(image_id):
+        image = Image.get(docker_image_id=image_id)
+        QueueItem.select().where(
+            QueueItem.queue_name ** ("%" + image.storage.uuid + "%")
+        ).get()
+        return "OK"
 
-  def set_feature(feature_name, value):
-    import features
-    from app import app
-    old_value = features._FEATURES[feature_name].value
-    features._FEATURES[feature_name].value = value
-    app.config['FEATURE_%s' % feature_name] = value
-    return jsonify({'old_value': old_value})
+    def set_feature(feature_name, value):
+        import features
+        from app import app
 
-  def set_config_key(config_key, value):
-    from app import app as current_app
+        old_value = features._FEATURES[feature_name].value
+        features._FEATURES[feature_name].value = value
+        app.config["FEATURE_%s" % feature_name] = value
+        return jsonify({"old_value": old_value})
 
-    old_value = app.config.get(config_key)
-    app.config[config_key] = value
-    current_app.config[config_key] = value
+    def set_config_key(config_key, value):
+        from app import app as current_app
 
-    # Close any existing connection.
-    close_db_filter(None)
+        old_value = app.config.get(config_key)
+        app.config[config_key] = value
+        current_app.config[config_key] = value
 
-    # Reload the database config.
-    configure(app.config)
+        # Close any existing connection.
+        close_db_filter(None)
 
-    return jsonify({'old_value': old_value})
+        # Reload the database config.
+        configure(app.config)
 
-  def clear_derived_cache():
-    DerivedStorageForImage.delete().execute()
-    return 'OK'
+        return jsonify({"old_value": old_value})
 
-  def clear_uncompressed_size(image_id):
-    image = model.image.get_image_by_id('devtable', 'newrepo', image_id)
-    image.storage.uncompressed_size = None
-    image.storage.save()
-    return 'OK'
+    def clear_derived_cache():
+        DerivedStorageForImage.delete().execute()
+        return "OK"
 
-  def add_token():
-    another_token = model.token.create_delegate_token('devtable', 'newrepo', 'my-new-token',
-                                                      'write')
-    return model.token.get_full_token_string(another_token)
+    def clear_uncompressed_size(image_id):
+        image = model.image.get_image_by_id("devtable", "newrepo", image_id)
+        image.storage.uncompressed_size = None
+        image.storage.save()
+        return "OK"
 
-  def break_database():
-    # Close any existing connection.
-    close_db_filter(None)
+    def add_token():
+        another_token = model.token.create_delegate_token(
+            "devtable", "newrepo", "my-new-token", "write"
+        )
+        return model.token.get_full_token_string(another_token)
 
-    # Reload the database config with an invalid connection.
-    config = copy.copy(app.config)
-    config['DB_URI'] = 'sqlite:///not/a/valid/database'
-    configure(config)
+    def break_database():
+        # Close any existing connection.
+        close_db_filter(None)
 
-    return 'OK'
+        # Reload the database config with an invalid connection.
+        config = copy.copy(app.config)
+        config["DB_URI"] = "sqlite:///not/a/valid/database"
+        configure(config)
 
-  def reload_app(server_hostname):
-    # Close any existing connection.
-    close_db_filter(None)
+        return "OK"
 
-    # Reload the database config.
-    app.config['SERVER_HOSTNAME'] = server_hostname[len('http://'):]
-    configure(app.config)
+    def reload_app(server_hostname):
+        # Close any existing connection.
+        close_db_filter(None)
 
-    # Reload random after the process split, as it cannot be used uninitialized across forks.
-    Random.atfork()
+        # Reload the database config.
+        app.config["SERVER_HOSTNAME"] = server_hostname[len("http://") :]
+        configure(app.config)
 
-    # Required for anonymous calls to not exception.
-    g.identity = Identity(None, 'none')
+        # Reload random after the process split, as it cannot be used uninitialized across forks.
+        Random.atfork()
 
-    if os.environ.get('DEBUGLOG') == 'true':
-      logging.config.fileConfig(logfile_path(debug=True), disable_existing_loggers=False)
+        # Required for anonymous calls to not exception.
+        g.identity = Identity(None, "none")
 
-    return 'OK'
+        if os.environ.get("DEBUGLOG") == "true":
+            logging.config.fileConfig(
+                logfile_path(debug=True), disable_existing_loggers=False
+            )
 
-  def create_app_repository(namespace, name):
-    user = model.user.get_user(namespace)
-    model.repository.create_repository(namespace, name, user, repo_kind='application')
-    return 'OK'
+        return "OK"
 
-  def disable_namespace(namespace):
-    namespace_obj = model.user.get_namespace_user(namespace)
-    namespace_obj.enabled = False
-    namespace_obj.save()
-    return 'OK'
+    def create_app_repository(namespace, name):
+        user = model.user.get_user(namespace)
+        model.repository.create_repository(
+            namespace, name, user, repo_kind="application"
+        )
+        return "OK"
 
-  def delete_manifests():
-    ManifestLegacyImage.delete().execute()
-    ManifestBlob.delete().execute()
-    Manifest.delete().execute()
-    TagManifestToManifest.delete().execute()
-    TagManifest.delete().execute()
-    return 'OK'
+    def disable_namespace(namespace):
+        namespace_obj = model.user.get_namespace_user(namespace)
+        namespace_obj.enabled = False
+        namespace_obj.save()
+        return "OK"
 
-  def set_geo_block_for_namespace(namespace_name, iso_country_code):
-    NamespaceGeoRestriction.create(namespace=User.get(username=namespace_name),
-                                   description='',
-                                   unstructured_json={},
-                                   restricted_region_iso_code=iso_country_code)
-    return 'OK'
+    def delete_manifests():
+        ManifestLegacyImage.delete().execute()
+        ManifestBlob.delete().execute()
+        Manifest.delete().execute()
+        TagManifestToManifest.delete().execute()
+        TagManifest.delete().execute()
+        return "OK"
 
-  executor = LiveServerExecutor()
-  executor.register('generate_csrf', generate_csrf)
-  executor.register('set_supports_direct_download', set_supports_direct_download)
-  executor.register('delete_image', delete_image)
-  executor.register('get_storage_replication_entry', get_storage_replication_entry)
-  executor.register('set_feature', set_feature)
-  executor.register('set_config_key', set_config_key)
-  executor.register('clear_derived_cache', clear_derived_cache)
-  executor.register('clear_uncompressed_size', clear_uncompressed_size)
-  executor.register('add_token', add_token)
-  executor.register('break_database', break_database)
-  executor.register('reload_app', reload_app)
-  executor.register('create_app_repository', create_app_repository)
-  executor.register('disable_namespace', disable_namespace)
-  executor.register('delete_manifests', delete_manifests)
-  executor.register('set_geo_block_for_namespace', set_geo_block_for_namespace)
-  return executor
+    def set_geo_block_for_namespace(namespace_name, iso_country_code):
+        NamespaceGeoRestriction.create(
+            namespace=User.get(username=namespace_name),
+            description="",
+            unstructured_json={},
+            restricted_region_iso_code=iso_country_code,
+        )
+        return "OK"
+
+    executor = LiveServerExecutor()
+    executor.register("generate_csrf", generate_csrf)
+    executor.register("set_supports_direct_download", set_supports_direct_download)
+    executor.register("delete_image", delete_image)
+    executor.register("get_storage_replication_entry", get_storage_replication_entry)
+    executor.register("set_feature", set_feature)
+    executor.register("set_config_key", set_config_key)
+    executor.register("clear_derived_cache", clear_derived_cache)
+    executor.register("clear_uncompressed_size", clear_uncompressed_size)
+    executor.register("add_token", add_token)
+    executor.register("break_database", break_database)
+    executor.register("reload_app", reload_app)
+    executor.register("create_app_repository", create_app_repository)
+    executor.register("disable_namespace", disable_namespace)
+    executor.register("delete_manifests", delete_manifests)
+    executor.register("set_geo_block_for_namespace", set_geo_block_for_namespace)
+    return executor
 
 
-@pytest.fixture(params=['pre_oci_model', 'oci_model'])
+@pytest.fixture(params=["pre_oci_model", "oci_model"])
 def data_model(request):
-  return request.param
+    return request.param
 
 
 @pytest.fixture()
 def liveserver_app(app, registry_server_executor, init_db_path, data_model):
-  # Change the data model being used.
-  registry_model.set_for_testing(data_model == 'oci_model')
+    # Change the data model being used.
+    registry_model.set_for_testing(data_model == "oci_model")
 
-  registry_server_executor.apply_blueprint_to_app(app)
+    registry_server_executor.apply_blueprint_to_app(app)
 
-  if os.environ.get('DEBUG', 'false').lower() == 'true':
-    app.config['DEBUG'] = True
+    if os.environ.get("DEBUG", "false").lower() == "true":
+        app.config["DEBUG"] = True
 
-  # Copy the clean database to a new path. We cannot share the DB created by the
-  # normal app fixture, as it is already open in the local process.
-  local_db_file = NamedTemporaryFile(delete=True)
-  local_db_file.close()
+    # Copy the clean database to a new path. We cannot share the DB created by the
+    # normal app fixture, as it is already open in the local process.
+    local_db_file = NamedTemporaryFile(delete=True)
+    local_db_file.close()
 
-  shutil.copy2(init_db_path, local_db_file.name)
-  app.config['DB_URI'] = 'sqlite:///{0}'.format(local_db_file.name)
-  return app
+    shutil.copy2(init_db_path, local_db_file.name)
+    app.config["DB_URI"] = "sqlite:///{0}".format(local_db_file.name)
+    return app
 
 
 @pytest.fixture()
 def app_reloader(request, liveserver, registry_server_executor):
-  registry_server_executor.on(liveserver).reload_app(liveserver.url)
-  yield
+    registry_server_executor.on(liveserver).reload_app(liveserver.url)
+    yield
 
 
 class FeatureFlagValue(object):
-  """ Helper object which temporarily sets the value of a feature flag.
+    """ Helper object which temporarily sets the value of a feature flag.
 
       Usage:
 
@@ -197,23 +220,23 @@ class FeatureFlagValue(object):
         ... Features.ANONYMOUS_ACCESS is False in this context ...
   """
 
-  def __init__(self, feature_flag, test_value, executor):
-    self.feature_flag = feature_flag
-    self.test_value = test_value
-    self.executor = executor
+    def __init__(self, feature_flag, test_value, executor):
+        self.feature_flag = feature_flag
+        self.test_value = test_value
+        self.executor = executor
 
-    self.old_value = None
+        self.old_value = None
 
-  def __enter__(self):
-    result = self.executor.set_feature(self.feature_flag, self.test_value)
-    self.old_value = result.json()['old_value']
+    def __enter__(self):
+        result = self.executor.set_feature(self.feature_flag, self.test_value)
+        self.old_value = result.json()["old_value"]
 
-  def __exit__(self, type, value, traceback):
-    self.executor.set_feature(self.feature_flag, self.old_value)
+    def __exit__(self, type, value, traceback):
+        self.executor.set_feature(self.feature_flag, self.old_value)
 
 
 class ConfigChange(object):
-  """ Helper object which temporarily sets the value of a config key.
+    """ Helper object which temporarily sets the value of a config key.
 
       Usage:
 
@@ -221,66 +244,70 @@ class ConfigChange(object):
         ... app.config['SOMEKEY'] is 'value' in this context ...
   """
 
-  def __init__(self, config_key, test_value, executor, liveserver):
-    self.config_key = config_key
-    self.test_value = test_value
-    self.executor = executor
-    self.liveserver = liveserver
+    def __init__(self, config_key, test_value, executor, liveserver):
+        self.config_key = config_key
+        self.test_value = test_value
+        self.executor = executor
+        self.liveserver = liveserver
 
-    self.old_value = None
+        self.old_value = None
 
-  def __enter__(self):
-    result = self.executor.set_config_key(self.config_key, self.test_value)
-    self.old_value = result.json()['old_value']
+    def __enter__(self):
+        result = self.executor.set_config_key(self.config_key, self.test_value)
+        self.old_value = result.json()["old_value"]
 
-  def __exit__(self, type, value, traceback):
-    self.executor.set_config_key(self.config_key, self.old_value)
+    def __exit__(self, type, value, traceback):
+        self.executor.set_config_key(self.config_key, self.old_value)
 
 
 class ApiCaller(object):
-  def __init__(self, liveserver_session, registry_server_executor):
-    self.liveserver_session = liveserver_session
-    self.registry_server_executor = registry_server_executor
+    def __init__(self, liveserver_session, registry_server_executor):
+        self.liveserver_session = liveserver_session
+        self.registry_server_executor = registry_server_executor
 
-  def conduct_auth(self, username, password):
-    r = self.post('/api/v1/signin',
-                  data=json.dumps(dict(username=username, password=password)),
-                  headers={'Content-Type': 'application/json'})
-    assert r.status_code == 200
+    def conduct_auth(self, username, password):
+        r = self.post(
+            "/api/v1/signin",
+            data=json.dumps(dict(username=username, password=password)),
+            headers={"Content-Type": "application/json"},
+        )
+        assert r.status_code == 200
 
-  def _adjust_params(self, kwargs):
-    csrf_token = self.registry_server_executor.on_session(self.liveserver_session).generate_csrf()
+    def _adjust_params(self, kwargs):
+        csrf_token = self.registry_server_executor.on_session(
+            self.liveserver_session
+        ).generate_csrf()
 
-    if 'params' not in kwargs:
-      kwargs['params'] = {}
+        if "params" not in kwargs:
+            kwargs["params"] = {}
 
-    kwargs['params'].update({
-      '_csrf_token': csrf_token,
-    })
-    return kwargs
+        kwargs["params"].update({"_csrf_token": csrf_token})
+        return kwargs
 
-  def get(self, url, **kwargs):
-    kwargs = self._adjust_params(kwargs)
-    return self.liveserver_session.get(url, **kwargs)
+    def get(self, url, **kwargs):
+        kwargs = self._adjust_params(kwargs)
+        return self.liveserver_session.get(url, **kwargs)
 
-  def post(self, url, **kwargs):
-    kwargs = self._adjust_params(kwargs)
-    return self.liveserver_session.post(url, **kwargs)
+    def post(self, url, **kwargs):
+        kwargs = self._adjust_params(kwargs)
+        return self.liveserver_session.post(url, **kwargs)
 
-  def put(self, url, **kwargs):
-    kwargs = self._adjust_params(kwargs)
-    return self.liveserver_session.put(url, **kwargs)
+    def put(self, url, **kwargs):
+        kwargs = self._adjust_params(kwargs)
+        return self.liveserver_session.put(url, **kwargs)
 
-  def delete(self, url, **kwargs):
-    kwargs = self._adjust_params(kwargs)
-    return self.liveserver_session.delete(url, **kwargs)
+    def delete(self, url, **kwargs):
+        kwargs = self._adjust_params(kwargs)
+        return self.liveserver_session.delete(url, **kwargs)
 
-  def change_repo_visibility(self, namespace, repository, visibility):
-    self.post('/api/v1/repository/%s/%s/changevisibility' % (namespace, repository),
-              data=json.dumps(dict(visibility=visibility)),
-              headers={'Content-Type': 'application/json'})
+    def change_repo_visibility(self, namespace, repository, visibility):
+        self.post(
+            "/api/v1/repository/%s/%s/changevisibility" % (namespace, repository),
+            data=json.dumps(dict(visibility=visibility)),
+            headers={"Content-Type": "application/json"},
+        )
 
 
 @pytest.fixture(scope="function")
 def api_caller(liveserver, registry_server_executor):
-  return ApiCaller(liveserver.new_session(), registry_server_executor)
+    return ApiCaller(liveserver.new_session(), registry_server_executor)
diff --git a/test/registry/liveserverfixture.py b/test/registry/liveserverfixture.py
index c7f42bf7a..82b34b9be 100644
--- a/test/registry/liveserverfixture.py
+++ b/test/registry/liveserverfixture.py
@@ -16,189 +16,197 @@ from flask.blueprints import Blueprint
 
 
 class liveFlaskServer(object):
-  """ Helper class for spawning a live Flask server for testing.
+    """ Helper class for spawning a live Flask server for testing.
 
       Based on https://github.com/jarus/flask-testing/blob/master/flask_testing/utils.py#L421
   """
-  def __init__(self, app, port_value):
-    self.app = app
-    self._port_value = port_value
-    self._process = None
 
-  def get_server_url(self):
-    """
+    def __init__(self, app, port_value):
+        self.app = app
+        self._port_value = port_value
+        self._process = None
+
+    def get_server_url(self):
+        """
     Return the url of the test server
     """
-    return 'http://localhost:%s' % self._port_value.value
+        return "http://localhost:%s" % self._port_value.value
 
-  def terminate_live_server(self):
-    if self._process:
-      self._process.terminate()
+    def terminate_live_server(self):
+        if self._process:
+            self._process.terminate()
 
-  def spawn_live_server(self):
-    self._process = None
-    port_value = self._port_value
+    def spawn_live_server(self):
+        self._process = None
+        port_value = self._port_value
 
-    def worker(app, port):
-      # Based on solution: http://stackoverflow.com/a/27598916
-      # Monkey-patch the server_bind so we can determine the port bound by Flask.
-      # This handles the case where the port specified is `0`, which means that
-      # the OS chooses the port. This is the only known way (currently) of getting
-      # the port out of Flask once we call `run`.
-      original_socket_bind = socketserver.TCPServer.server_bind
-      def socket_bind_wrapper(self):
-        ret = original_socket_bind(self)
+        def worker(app, port):
+            # Based on solution: http://stackoverflow.com/a/27598916
+            # Monkey-patch the server_bind so we can determine the port bound by Flask.
+            # This handles the case where the port specified is `0`, which means that
+            # the OS chooses the port. This is the only known way (currently) of getting
+            # the port out of Flask once we call `run`.
+            original_socket_bind = socketserver.TCPServer.server_bind
 
-        # Get the port and save it into the port_value, so the parent process
-        # can read it.
-        (_, port) = self.socket.getsockname()
-        port_value.value = port
-        socketserver.TCPServer.server_bind = original_socket_bind
-        return ret
+            def socket_bind_wrapper(self):
+                ret = original_socket_bind(self)
 
-      socketserver.TCPServer.server_bind = socket_bind_wrapper
-      app.run(port=port, use_reloader=False)
+                # Get the port and save it into the port_value, so the parent process
+                # can read it.
+                (_, port) = self.socket.getsockname()
+                port_value.value = port
+                socketserver.TCPServer.server_bind = original_socket_bind
+                return ret
 
-    retry_count = self.app.config.get('LIVESERVER_RETRY_COUNT', 3)
-    started = False
-    for _ in range(0, retry_count):
-      if started:
-        break
+            socketserver.TCPServer.server_bind = socket_bind_wrapper
+            app.run(port=port, use_reloader=False)
 
-      self._process = multiprocessing.Process(target=worker, args=(self.app, 0))
-      self._process.start()
+        retry_count = self.app.config.get("LIVESERVER_RETRY_COUNT", 3)
+        started = False
+        for _ in range(0, retry_count):
+            if started:
+                break
 
-      # We must wait for the server to start listening, but give up
-      # after a specified maximum timeout
-      timeout = self.app.config.get('LIVESERVER_TIMEOUT', 10)
-      start_time = time.time()
+            self._process = multiprocessing.Process(target=worker, args=(self.app, 0))
+            self._process.start()
 
-      while True:
-        time.sleep(0.1)
+            # We must wait for the server to start listening, but give up
+            # after a specified maximum timeout
+            timeout = self.app.config.get("LIVESERVER_TIMEOUT", 10)
+            start_time = time.time()
 
-        elapsed_time = (time.time() - start_time)
-        if elapsed_time > timeout:
-          break
+            while True:
+                time.sleep(0.1)
 
-        if self._can_connect():
-          self.app.config['SERVER_HOSTNAME'] = 'localhost:%s' % self._port_value.value
-          started = True
-          break
+                elapsed_time = time.time() - start_time
+                if elapsed_time > timeout:
+                    break
 
-    if not started:
-      raise RuntimeError("Failed to start the server after %d retries. " % retry_count)
+                if self._can_connect():
+                    self.app.config["SERVER_HOSTNAME"] = (
+                        "localhost:%s" % self._port_value.value
+                    )
+                    started = True
+                    break
 
-  def _can_connect(self):
-    host, port = self._get_server_address()
-    if port == 0:
-      # Port specified by the user was 0, and the OS has not yet assigned
-      # the proper port.
-      return False
+        if not started:
+            raise RuntimeError(
+                "Failed to start the server after %d retries. " % retry_count
+            )
 
-    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-    try:
-      sock.connect((host, port))
-    except socket.error:
-      success = False
-    else:
-      success = True
-    finally:
-      sock.close()
+    def _can_connect(self):
+        host, port = self._get_server_address()
+        if port == 0:
+            # Port specified by the user was 0, and the OS has not yet assigned
+            # the proper port.
+            return False
 
-    return success
+        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+        try:
+            sock.connect((host, port))
+        except socket.error:
+            success = False
+        else:
+            success = True
+        finally:
+            sock.close()
 
-  def _get_server_address(self):
-    """
+        return success
+
+    def _get_server_address(self):
+        """
     Gets the server address used to test the connection with a socket.
     Respects both the LIVESERVER_PORT config value and overriding
     get_server_url()
     """
-    parts = urlparse(self.get_server_url())
+        parts = urlparse(self.get_server_url())
 
-    host = parts.hostname
-    port = parts.port
+        host = parts.hostname
+        port = parts.port
 
-    if port is None:
-      if parts.scheme == 'http':
-        port = 80
-      elif parts.scheme == 'https':
-        port = 443
-      else:
-        raise RuntimeError("Unsupported server url scheme: %s" % parts.scheme)
+        if port is None:
+            if parts.scheme == "http":
+                port = 80
+            elif parts.scheme == "https":
+                port = 443
+            else:
+                raise RuntimeError("Unsupported server url scheme: %s" % parts.scheme)
 
-    return host, port
+        return host, port
 
 
 class LiveFixtureServerSession(object):
-  """ Helper class for calling the live server via a single requests Session. """
-  def __init__(self, base_url):
-    self.base_url = base_url
-    self.session = requests.Session()
+    """ Helper class for calling the live server via a single requests Session. """
 
-  def _get_url(self, url):
-    return urljoin(self.base_url, url)
+    def __init__(self, base_url):
+        self.base_url = base_url
+        self.session = requests.Session()
 
-  def get(self, url, **kwargs):
-    return self.session.get(self._get_url(url), **kwargs)
+    def _get_url(self, url):
+        return urljoin(self.base_url, url)
 
-  def post(self, url, **kwargs):
-    return self.session.post(self._get_url(url), **kwargs)
+    def get(self, url, **kwargs):
+        return self.session.get(self._get_url(url), **kwargs)
 
-  def put(self, url, **kwargs):
-    return self.session.put(self._get_url(url), **kwargs)
+    def post(self, url, **kwargs):
+        return self.session.post(self._get_url(url), **kwargs)
 
-  def delete(self, url, **kwargs):
-    return self.session.delete(self._get_url(url), **kwargs)
+    def put(self, url, **kwargs):
+        return self.session.put(self._get_url(url), **kwargs)
 
-  def request(self, method, url, **kwargs):
-    return self.session.request(method, self._get_url(url), **kwargs)
+    def delete(self, url, **kwargs):
+        return self.session.delete(self._get_url(url), **kwargs)
+
+    def request(self, method, url, **kwargs):
+        return self.session.request(method, self._get_url(url), **kwargs)
 
 
 class LiveFixtureServer(object):
-  """ Helper for interacting with a live server. """
-  def __init__(self, url):
-    self.url = url
+    """ Helper for interacting with a live server. """
 
-  @contextmanager
-  def session(self):
-    """ Yields a session for speaking to the live server. """
-    yield LiveFixtureServerSession(self.url)
+    def __init__(self, url):
+        self.url = url
 
-  def new_session(self):
-    """ Returns a new session for speaking to the live server. """
-    return LiveFixtureServerSession(self.url)
+    @contextmanager
+    def session(self):
+        """ Yields a session for speaking to the live server. """
+        yield LiveFixtureServerSession(self.url)
+
+    def new_session(self):
+        """ Returns a new session for speaking to the live server. """
+        return LiveFixtureServerSession(self.url)
 
 
-@pytest.fixture(scope='function')
+@pytest.fixture(scope="function")
 def liveserver(liveserver_app):
-  """ Runs a live Flask server for the app for the duration of the test.
+    """ Runs a live Flask server for the app for the duration of the test.
 
       Based on https://github.com/jarus/flask-testing/blob/master/flask_testing/utils.py#L421
   """
-  context = liveserver_app.test_request_context()
-  context.push()
+    context = liveserver_app.test_request_context()
+    context.push()
 
-  port = multiprocessing.Value('i', 0)
-  live_server = liveFlaskServer(liveserver_app, port)
+    port = multiprocessing.Value("i", 0)
+    live_server = liveFlaskServer(liveserver_app, port)
 
-  try:
-    live_server.spawn_live_server()
-    yield LiveFixtureServer(live_server.get_server_url())
-  finally:
-    context.pop()
-    live_server.terminate_live_server()
+    try:
+        live_server.spawn_live_server()
+        yield LiveFixtureServer(live_server.get_server_url())
+    finally:
+        context.pop()
+        live_server.terminate_live_server()
 
 
-@pytest.fixture(scope='function')
+@pytest.fixture(scope="function")
 def liveserver_session(liveserver, liveserver_app):
-  """ Fixtures which instantiates a liveserver and returns a single session for
+    """ Fixtures which instantiates a liveserver and returns a single session for
       interacting with that server.
   """
-  return LiveFixtureServerSession(liveserver.url)
+    return LiveFixtureServerSession(liveserver.url)
 
 
 class LiveServerExecutor(object):
-  """ Helper class which can be used to register functions to be executed in the
+    """ Helper class which can be used to register functions to be executed in the
       same process as the live server. This is necessary because the live server
       runs in a different process and, therefore, in order to execute state changes
       outside of the server's normal flows (i.e. via code), it must be executed
@@ -226,58 +234,64 @@ class LiveServerExecutor(object):
           # Invokes 'performoperation' in the liveserver's process.
           my_server_executor.on(liveserver).performoperation('first', 'second')
   """
-  def __init__(self):
-    self.funcs = {}
 
-  def register(self, fn_name, fn):
-    """ Registers the given function under the given name. """
-    self.funcs[fn_name] = fn
+    def __init__(self):
+        self.funcs = {}
 
-  def apply_blueprint_to_app(self, app):
-    """ Applies a blueprint to the app, to support invocation from this executor. """
-    testbp = Blueprint('testbp', __name__)
+    def register(self, fn_name, fn):
+        """ Registers the given function under the given name. """
+        self.funcs[fn_name] = fn
 
-    def build_invoker(fn_name, fn):
-      path = '/' + fn_name
-      @testbp.route(path, methods=['POST'], endpoint=fn_name)
-      def _(**kwargs):
-        arg_values = request.get_json()['args']
-        return fn(*arg_values)
+    def apply_blueprint_to_app(self, app):
+        """ Applies a blueprint to the app, to support invocation from this executor. """
+        testbp = Blueprint("testbp", __name__)
 
-    for fn_name, fn in self.funcs.iteritems():
-      build_invoker(fn_name, fn)
+        def build_invoker(fn_name, fn):
+            path = "/" + fn_name
 
-    app.register_blueprint(testbp, url_prefix='/__test')
+            @testbp.route(path, methods=["POST"], endpoint=fn_name)
+            def _(**kwargs):
+                arg_values = request.get_json()["args"]
+                return fn(*arg_values)
 
-  def on(self, server):
-    """ Returns an invoker for the given live server. """
-    return liveServerExecutorInvoker(self.funcs, server)
+        for fn_name, fn in self.funcs.iteritems():
+            build_invoker(fn_name, fn)
 
-  def on_session(self, server_session):
-    """ Returns an invoker for the given live server session. """
-    return liveServerExecutorInvoker(self.funcs, server_session)
+        app.register_blueprint(testbp, url_prefix="/__test")
+
+    def on(self, server):
+        """ Returns an invoker for the given live server. """
+        return liveServerExecutorInvoker(self.funcs, server)
+
+    def on_session(self, server_session):
+        """ Returns an invoker for the given live server session. """
+        return liveServerExecutorInvoker(self.funcs, server_session)
 
 
 class liveServerExecutorInvoker(object):
-  def __init__(self, funcs, server_or_session):
-    self._funcs = funcs
-    self._server_or_session = server_or_session
+    def __init__(self, funcs, server_or_session):
+        self._funcs = funcs
+        self._server_or_session = server_or_session
 
-  def __getattribute__(self, name):
-    if name.startswith('_'):
-      return object.__getattribute__(self, name)
+    def __getattribute__(self, name):
+        if name.startswith("_"):
+            return object.__getattribute__(self, name)
 
-    if name not in self._funcs:
-      raise AttributeError('Unknown function: %s' % name)
+        if name not in self._funcs:
+            raise AttributeError("Unknown function: %s" % name)
 
-    def invoker(*args):
-      path = '/__test/%s' % name
-      headers = {'Content-Type': 'application/json'}
+        def invoker(*args):
+            path = "/__test/%s" % name
+            headers = {"Content-Type": "application/json"}
 
-      if isinstance(self._server_or_session, LiveFixtureServerSession):
-        return self._server_or_session.post(path, data=json.dumps({'args': args}), headers=headers)
-      else:
-        with self._server_or_session.session() as session:
-          return session.post(path, data=json.dumps({'args': args}), headers=headers)
+            if isinstance(self._server_or_session, LiveFixtureServerSession):
+                return self._server_or_session.post(
+                    path, data=json.dumps({"args": args}), headers=headers
+                )
+            else:
+                with self._server_or_session.session() as session:
+                    return session.post(
+                        path, data=json.dumps({"args": args}), headers=headers
+                    )
 
-    return invoker
+        return invoker
diff --git a/test/registry/protocol_fixtures.py b/test/registry/protocol_fixtures.py
index cefdab22f..b1cce6c7d 100644
--- a/test/registry/protocol_fixtures.py
+++ b/test/registry/protocol_fixtures.py
@@ -16,213 +16,261 @@ from test.registry.protocol_v2 import V2Protocol
 
 @pytest.fixture(scope="session")
 def basic_images():
-  """ Returns basic images for push and pull testing. """
-  # Note: order is from base layer down to leaf.
-  parent_bytes = layer_bytes_for_contents('parent contents')
-  image_bytes = layer_bytes_for_contents('some contents')
-  return [
-    Image(id='parentid', bytes=parent_bytes, parent_id=None),
-    Image(id='someid', bytes=image_bytes, parent_id='parentid'),
-  ]
+    """ Returns basic images for push and pull testing. """
+    # Note: order is from base layer down to leaf.
+    parent_bytes = layer_bytes_for_contents("parent contents")
+    image_bytes = layer_bytes_for_contents("some contents")
+    return [
+        Image(id="parentid", bytes=parent_bytes, parent_id=None),
+        Image(id="someid", bytes=image_bytes, parent_id="parentid"),
+    ]
 
 
 @pytest.fixture(scope="session")
 def unicode_images():
-  """ Returns basic images for push and pull testing that contain unicode in the image metadata. """
-  # Note: order is from base layer down to leaf.
-  parent_bytes = layer_bytes_for_contents('parent contents')
-  image_bytes = layer_bytes_for_contents('some contents')
-  return [
-    Image(id='parentid', bytes=parent_bytes, parent_id=None),
-    Image(id='someid', bytes=image_bytes, parent_id='parentid',
-          config={'comment': u'the Pawe\xc5\x82 Kami\xc5\x84ski image',
-                  'author': u'Sômé guy'}),
-  ]
+    """ Returns basic images for push and pull testing that contain unicode in the image metadata. """
+    # Note: order is from base layer down to leaf.
+    parent_bytes = layer_bytes_for_contents("parent contents")
+    image_bytes = layer_bytes_for_contents("some contents")
+    return [
+        Image(id="parentid", bytes=parent_bytes, parent_id=None),
+        Image(
+            id="someid",
+            bytes=image_bytes,
+            parent_id="parentid",
+            config={
+                "comment": u"the Pawe\xc5\x82 Kami\xc5\x84ski image",
+                "author": u"Sômé guy",
+            },
+        ),
+    ]
 
 
 @pytest.fixture(scope="session")
 def different_images():
-  """ Returns different basic images for push and pull testing. """
-  # Note: order is from base layer down to leaf.
-  parent_bytes = layer_bytes_for_contents('different parent contents')
-  image_bytes = layer_bytes_for_contents('some different contents')
-  return [
-    Image(id='anotherparentid', bytes=parent_bytes, parent_id=None),
-    Image(id='anothersomeid', bytes=image_bytes, parent_id='anotherparentid'),
-  ]
+    """ Returns different basic images for push and pull testing. """
+    # Note: order is from base layer down to leaf.
+    parent_bytes = layer_bytes_for_contents("different parent contents")
+    image_bytes = layer_bytes_for_contents("some different contents")
+    return [
+        Image(id="anotherparentid", bytes=parent_bytes, parent_id=None),
+        Image(id="anothersomeid", bytes=image_bytes, parent_id="anotherparentid"),
+    ]
 
 
 @pytest.fixture(scope="session")
 def sized_images():
-  """ Returns basic images (with sizes) for push and pull testing. """
-  # Note: order is from base layer down to leaf.
-  parent_bytes = layer_bytes_for_contents('parent contents', mode='')
-  image_bytes = layer_bytes_for_contents('some contents', mode='')
-  return [
-    Image(id='parentid', bytes=parent_bytes, parent_id=None, size=len(parent_bytes),
-          config={'foo': 'bar'}),
-    Image(id='someid', bytes=image_bytes, parent_id='parentid', size=len(image_bytes),
-          config={'foo': 'childbar', 'Entrypoint': ['hello']},
-          created='2018-04-03T18:37:09.284840891Z'),
-  ]
+    """ Returns basic images (with sizes) for push and pull testing. """
+    # Note: order is from base layer down to leaf.
+    parent_bytes = layer_bytes_for_contents("parent contents", mode="")
+    image_bytes = layer_bytes_for_contents("some contents", mode="")
+    return [
+        Image(
+            id="parentid",
+            bytes=parent_bytes,
+            parent_id=None,
+            size=len(parent_bytes),
+            config={"foo": "bar"},
+        ),
+        Image(
+            id="someid",
+            bytes=image_bytes,
+            parent_id="parentid",
+            size=len(image_bytes),
+            config={"foo": "childbar", "Entrypoint": ["hello"]},
+            created="2018-04-03T18:37:09.284840891Z",
+        ),
+    ]
 
 
 @pytest.fixture(scope="session")
 def multi_layer_images():
-  """ Returns complex images (with sizes) for push and pull testing. """
-  # Note: order is from base layer down to leaf.
-  layer1_bytes = layer_bytes_for_contents('layer 1 contents', mode='', other_files={
-    'file1': 'from-layer-1',
-  })
+    """ Returns complex images (with sizes) for push and pull testing. """
+    # Note: order is from base layer down to leaf.
+    layer1_bytes = layer_bytes_for_contents(
+        "layer 1 contents", mode="", other_files={"file1": "from-layer-1"}
+    )
 
-  layer2_bytes = layer_bytes_for_contents('layer 2 contents', mode='', other_files={
-    'file2': 'from-layer-2',
-  })
+    layer2_bytes = layer_bytes_for_contents(
+        "layer 2 contents", mode="", other_files={"file2": "from-layer-2"}
+    )
 
-  layer3_bytes = layer_bytes_for_contents('layer 3 contents', mode='', other_files={
-    'file1': 'from-layer-3',
-    'file3': 'from-layer-3',
-  })
+    layer3_bytes = layer_bytes_for_contents(
+        "layer 3 contents",
+        mode="",
+        other_files={"file1": "from-layer-3", "file3": "from-layer-3"},
+    )
 
-  layer4_bytes = layer_bytes_for_contents('layer 4 contents', mode='', other_files={
-    'file3': 'from-layer-4',
-  })
+    layer4_bytes = layer_bytes_for_contents(
+        "layer 4 contents", mode="", other_files={"file3": "from-layer-4"}
+    )
 
-  layer5_bytes = layer_bytes_for_contents('layer 5 contents', mode='', other_files={
-    'file4': 'from-layer-5',
-  })
+    layer5_bytes = layer_bytes_for_contents(
+        "layer 5 contents", mode="", other_files={"file4": "from-layer-5"}
+    )
 
-  return [
-    Image(id='layer1', bytes=layer1_bytes, parent_id=None, size=len(layer1_bytes),
-          config={'internal_id': 'layer1'}),
-    Image(id='layer2', bytes=layer2_bytes, parent_id='layer1', size=len(layer2_bytes),
-          config={'internal_id': 'layer2'}),
-    Image(id='layer3', bytes=layer3_bytes, parent_id='layer2', size=len(layer3_bytes),
-          config={'internal_id': 'layer3'}),
-    Image(id='layer4', bytes=layer4_bytes, parent_id='layer3', size=len(layer4_bytes),
-          config={'internal_id': 'layer4'}),
-    Image(id='someid', bytes=layer5_bytes, parent_id='layer4', size=len(layer5_bytes),
-          config={'internal_id': 'layer5'}),
-  ]
+    return [
+        Image(
+            id="layer1",
+            bytes=layer1_bytes,
+            parent_id=None,
+            size=len(layer1_bytes),
+            config={"internal_id": "layer1"},
+        ),
+        Image(
+            id="layer2",
+            bytes=layer2_bytes,
+            parent_id="layer1",
+            size=len(layer2_bytes),
+            config={"internal_id": "layer2"},
+        ),
+        Image(
+            id="layer3",
+            bytes=layer3_bytes,
+            parent_id="layer2",
+            size=len(layer3_bytes),
+            config={"internal_id": "layer3"},
+        ),
+        Image(
+            id="layer4",
+            bytes=layer4_bytes,
+            parent_id="layer3",
+            size=len(layer4_bytes),
+            config={"internal_id": "layer4"},
+        ),
+        Image(
+            id="someid",
+            bytes=layer5_bytes,
+            parent_id="layer4",
+            size=len(layer5_bytes),
+            config={"internal_id": "layer5"},
+        ),
+    ]
 
 
 @pytest.fixture(scope="session")
 def remote_images():
-  """ Returns images with at least one remote layer for push and pull testing. """
-  # Note: order is from base layer down to leaf.
-  remote_bytes = layer_bytes_for_contents('remote contents')
-  parent_bytes = layer_bytes_for_contents('parent contents')
-  image_bytes = layer_bytes_for_contents('some contents')
-  return [
-    Image(id='remoteid', bytes=remote_bytes, parent_id=None, urls=['http://some/url']),
-    Image(id='parentid', bytes=parent_bytes, parent_id='remoteid'),
-    Image(id='someid', bytes=image_bytes, parent_id='parentid'),
-  ]
+    """ Returns images with at least one remote layer for push and pull testing. """
+    # Note: order is from base layer down to leaf.
+    remote_bytes = layer_bytes_for_contents("remote contents")
+    parent_bytes = layer_bytes_for_contents("parent contents")
+    image_bytes = layer_bytes_for_contents("some contents")
+    return [
+        Image(
+            id="remoteid", bytes=remote_bytes, parent_id=None, urls=["http://some/url"]
+        ),
+        Image(id="parentid", bytes=parent_bytes, parent_id="remoteid"),
+        Image(id="someid", bytes=image_bytes, parent_id="parentid"),
+    ]
 
 
 @pytest.fixture(scope="session")
 def images_with_empty_layer():
-  """ Returns images for push and pull testing that contain an empty layer. """
-  # Note: order is from base layer down to leaf.
-  parent_bytes = layer_bytes_for_contents('parent contents')
-  empty_bytes = layer_bytes_for_contents('', empty=True)
-  image_bytes = layer_bytes_for_contents('some contents')
-  middle_bytes = layer_bytes_for_contents('middle')
+    """ Returns images for push and pull testing that contain an empty layer. """
+    # Note: order is from base layer down to leaf.
+    parent_bytes = layer_bytes_for_contents("parent contents")
+    empty_bytes = layer_bytes_for_contents("", empty=True)
+    image_bytes = layer_bytes_for_contents("some contents")
+    middle_bytes = layer_bytes_for_contents("middle")
 
-  return [
-    Image(id='parentid', bytes=parent_bytes, parent_id=None),
-    Image(id='emptyid', bytes=empty_bytes, parent_id='parentid', is_empty=True),
-    Image(id='middleid', bytes=middle_bytes, parent_id='emptyid'),
-    Image(id='emptyid2', bytes=empty_bytes, parent_id='middleid', is_empty=True),
-    Image(id='someid', bytes=image_bytes, parent_id='emptyid2'),
-  ]
+    return [
+        Image(id="parentid", bytes=parent_bytes, parent_id=None),
+        Image(id="emptyid", bytes=empty_bytes, parent_id="parentid", is_empty=True),
+        Image(id="middleid", bytes=middle_bytes, parent_id="emptyid"),
+        Image(id="emptyid2", bytes=empty_bytes, parent_id="middleid", is_empty=True),
+        Image(id="someid", bytes=image_bytes, parent_id="emptyid2"),
+    ]
 
 
 @pytest.fixture(scope="session")
 def unicode_emoji_images():
-  """ Returns basic images for push and pull testing that contain unicode in the image metadata. """
-  # Note: order is from base layer down to leaf.
-  parent_bytes = layer_bytes_for_contents('parent contents')
-  image_bytes = layer_bytes_for_contents('some contents')
-  return [
-    Image(id='parentid', bytes=parent_bytes, parent_id=None),
-    Image(id='someid', bytes=image_bytes, parent_id='parentid',
-          config={'comment': u'😱',
-                  'author': u'Sômé guy'}),
-  ]
+    """ Returns basic images for push and pull testing that contain unicode in the image metadata. """
+    # Note: order is from base layer down to leaf.
+    parent_bytes = layer_bytes_for_contents("parent contents")
+    image_bytes = layer_bytes_for_contents("some contents")
+    return [
+        Image(id="parentid", bytes=parent_bytes, parent_id=None),
+        Image(
+            id="someid",
+            bytes=image_bytes,
+            parent_id="parentid",
+            config={"comment": u"😱", "author": u"Sômé guy"},
+        ),
+    ]
 
 
 @pytest.fixture(scope="session")
 def jwk():
-  return RSAKey(key=RSA.generate(2048))
+    return RSAKey(key=RSA.generate(2048))
 
 
 @pytest.fixture(params=[V2Protocol])
 def v2_protocol(request, jwk):
-  return request.param(jwk)
+    return request.param(jwk)
 
 
 @pytest.fixture()
 def v22_protocol(request, jwk):
-  return V2Protocol(jwk, schema2=True)
+    return V2Protocol(jwk, schema2=True)
 
 
 @pytest.fixture(params=[V1Protocol])
 def v1_protocol(request, jwk):
-  return request.param(jwk)
+    return request.param(jwk)
 
 
-@pytest.fixture(params=['schema1', 'schema2'])
+@pytest.fixture(params=["schema1", "schema2"])
 def manifest_protocol(request, data_model, jwk):
-  return V2Protocol(jwk, schema2=(request == 'schema2' and data_model == 'oci_model'))
+    return V2Protocol(jwk, schema2=(request == "schema2" and data_model == "oci_model"))
 
 
-@pytest.fixture(params=['v1', 'v2_1', 'v2_2'])
+@pytest.fixture(params=["v1", "v2_1", "v2_2"])
 def pusher(request, data_model, jwk):
-  if request.param == 'v1':
-    return V1Protocol(jwk)
+    if request.param == "v1":
+        return V1Protocol(jwk)
 
-  if request.param == 'v2_2' and data_model == 'oci_model':
-    return V2Protocol(jwk, schema2=True)
+    if request.param == "v2_2" and data_model == "oci_model":
+        return V2Protocol(jwk, schema2=True)
 
-  return V2Protocol(jwk)
+    return V2Protocol(jwk)
 
 
-
-@pytest.fixture(params=['v1', 'v2_1'])
+@pytest.fixture(params=["v1", "v2_1"])
 def legacy_puller(request, data_model, jwk):
-  if request.param == 'v1':
-    return V1Protocol(jwk)
+    if request.param == "v1":
+        return V1Protocol(jwk)
 
-  return V2Protocol(jwk)
+    return V2Protocol(jwk)
 
 
-@pytest.fixture(params=['v1', 'v2_1'])
+@pytest.fixture(params=["v1", "v2_1"])
 def legacy_pusher(request, data_model, jwk):
-  if request.param == 'v1':
-    return V1Protocol(jwk)
+    if request.param == "v1":
+        return V1Protocol(jwk)
 
-  return V2Protocol(jwk)
+    return V2Protocol(jwk)
 
 
-@pytest.fixture(params=['v1', 'v2_1', 'v2_2'])
+@pytest.fixture(params=["v1", "v2_1", "v2_2"])
 def puller(request, data_model, jwk):
-  if request.param == 'v1':
-    return V1Protocol(jwk)
+    if request.param == "v1":
+        return V1Protocol(jwk)
 
-  if request.param == 'v2_2' and data_model == 'oci_model':
-    return V2Protocol(jwk, schema2=True)
+    if request.param == "v2_2" and data_model == "oci_model":
+        return V2Protocol(jwk, schema2=True)
 
-  return V2Protocol(jwk)
+    return V2Protocol(jwk)
 
 
 @pytest.fixture(params=[V1Protocol, V2Protocol])
 def loginer(request, jwk):
-  return request.param(jwk)
+    return request.param(jwk)
 
 
 @pytest.fixture(scope="session")
 def random_layer_data():
-  size = 4096
-  contents = ''.join(random.choice(string.ascii_uppercase + string.digits) for _ in range(size))
-  return layer_bytes_for_contents(contents)
+    size = 4096
+    contents = "".join(
+        random.choice(string.ascii_uppercase + string.digits) for _ in range(size)
+    )
+    return layer_bytes_for_contents(contents)
diff --git a/test/registry/protocol_v1.py b/test/registry/protocol_v1.py
index 0c8d4a58d..2c166e6d1 100644
--- a/test/registry/protocol_v1.py
+++ b/test/registry/protocol_v1.py
@@ -4,260 +4,353 @@ from cStringIO import StringIO
 from enum import Enum, unique
 
 from digest.checksums import compute_simple, compute_tarsum
-from test.registry.protocols import (RegistryProtocol, Failures, ProtocolOptions, PushResult,
-                                     PullResult)
+from test.registry.protocols import (
+    RegistryProtocol,
+    Failures,
+    ProtocolOptions,
+    PushResult,
+    PullResult,
+)
+
 
 @unique
 class V1ProtocolSteps(Enum):
-  """ Defines the various steps of the protocol, for matching failures. """
-  PUT_IMAGES = 'put-images'
-  GET_IMAGES = 'get-images'
-  PUT_TAG = 'put-tag'
-  PUT_IMAGE_JSON = 'put-image-json'
-  DELETE_TAG = 'delete-tag'
-  GET_TAG = 'get-tag'
-  GET_LAYER = 'get-layer'
+    """ Defines the various steps of the protocol, for matching failures. """
+
+    PUT_IMAGES = "put-images"
+    GET_IMAGES = "get-images"
+    PUT_TAG = "put-tag"
+    PUT_IMAGE_JSON = "put-image-json"
+    DELETE_TAG = "delete-tag"
+    GET_TAG = "get-tag"
+    GET_LAYER = "get-layer"
 
 
 class V1Protocol(RegistryProtocol):
-  FAILURE_CODES = {
-    V1ProtocolSteps.PUT_IMAGES: {
-      Failures.INVALID_AUTHENTICATION: 403,
-      Failures.UNAUTHENTICATED: 401,
-      Failures.UNAUTHORIZED: 403,
-      Failures.APP_REPOSITORY: 405,
-      Failures.SLASH_REPOSITORY: 404,
-      Failures.INVALID_REPOSITORY: 400,
-      Failures.DISALLOWED_LIBRARY_NAMESPACE: 400,
-      Failures.NAMESPACE_DISABLED: 400,
-      Failures.READ_ONLY: 405,
-      Failures.MIRROR_ONLY: 405,
-      Failures.MIRROR_MISCONFIGURED: 500,
-      Failures.MIRROR_ROBOT_MISSING: 400,
-      Failures.READONLY_REGISTRY: 405,
-    },
-    V1ProtocolSteps.GET_IMAGES: {
-      Failures.INVALID_AUTHENTICATION: 403,
-      Failures.UNAUTHENTICATED: 403,
-      Failures.UNAUTHORIZED: 403,
-      Failures.APP_REPOSITORY: 404,
-      Failures.ANONYMOUS_NOT_ALLOWED: 401,
-      Failures.DISALLOWED_LIBRARY_NAMESPACE: 400,
-      Failures.NAMESPACE_DISABLED: 400,
-    },
-    V1ProtocolSteps.PUT_IMAGE_JSON: {
-      Failures.INVALID_IMAGES: 400,
-      Failures.READ_ONLY: 405,
-      Failures.MIRROR_ONLY: 405,
-      Failures.MIRROR_MISCONFIGURED: 500,
-      Failures.MIRROR_ROBOT_MISSING: 400,
-      Failures.READONLY_REGISTRY: 405,
-    },
-    V1ProtocolSteps.PUT_TAG: {
-      Failures.MISSING_TAG: 404,
-      Failures.INVALID_TAG: 400,
-      Failures.INVALID_IMAGES: 400,
-      Failures.NAMESPACE_DISABLED: 400,
-      Failures.READ_ONLY: 405,
-      Failures.MIRROR_ONLY: 405,
-      Failures.MIRROR_MISCONFIGURED: 500,
-      Failures.MIRROR_ROBOT_MISSING: 400,
-      Failures.READONLY_REGISTRY: 405,
-    },
-    V1ProtocolSteps.GET_LAYER: {
-      Failures.GEO_BLOCKED: 403,
-    },
-    V1ProtocolSteps.GET_TAG: {
-      Failures.UNKNOWN_TAG: 404,
-    },
-  }
-
-  def __init__(self, jwk):
-    pass
-
-  def _auth_for_credentials(self, credentials):
-    if credentials is None:
-      return None
-
-    return credentials
-
-  def ping(self, session):
-    assert session.get('/v1/_ping').status_code == 200
-
-  def login(self, session, username, password, scopes, expect_success):
-    data = {
-      'username': username,
-      'password': password,
+    FAILURE_CODES = {
+        V1ProtocolSteps.PUT_IMAGES: {
+            Failures.INVALID_AUTHENTICATION: 403,
+            Failures.UNAUTHENTICATED: 401,
+            Failures.UNAUTHORIZED: 403,
+            Failures.APP_REPOSITORY: 405,
+            Failures.SLASH_REPOSITORY: 404,
+            Failures.INVALID_REPOSITORY: 400,
+            Failures.DISALLOWED_LIBRARY_NAMESPACE: 400,
+            Failures.NAMESPACE_DISABLED: 400,
+            Failures.READ_ONLY: 405,
+            Failures.MIRROR_ONLY: 405,
+            Failures.MIRROR_MISCONFIGURED: 500,
+            Failures.MIRROR_ROBOT_MISSING: 400,
+            Failures.READONLY_REGISTRY: 405,
+        },
+        V1ProtocolSteps.GET_IMAGES: {
+            Failures.INVALID_AUTHENTICATION: 403,
+            Failures.UNAUTHENTICATED: 403,
+            Failures.UNAUTHORIZED: 403,
+            Failures.APP_REPOSITORY: 404,
+            Failures.ANONYMOUS_NOT_ALLOWED: 401,
+            Failures.DISALLOWED_LIBRARY_NAMESPACE: 400,
+            Failures.NAMESPACE_DISABLED: 400,
+        },
+        V1ProtocolSteps.PUT_IMAGE_JSON: {
+            Failures.INVALID_IMAGES: 400,
+            Failures.READ_ONLY: 405,
+            Failures.MIRROR_ONLY: 405,
+            Failures.MIRROR_MISCONFIGURED: 500,
+            Failures.MIRROR_ROBOT_MISSING: 400,
+            Failures.READONLY_REGISTRY: 405,
+        },
+        V1ProtocolSteps.PUT_TAG: {
+            Failures.MISSING_TAG: 404,
+            Failures.INVALID_TAG: 400,
+            Failures.INVALID_IMAGES: 400,
+            Failures.NAMESPACE_DISABLED: 400,
+            Failures.READ_ONLY: 405,
+            Failures.MIRROR_ONLY: 405,
+            Failures.MIRROR_MISCONFIGURED: 500,
+            Failures.MIRROR_ROBOT_MISSING: 400,
+            Failures.READONLY_REGISTRY: 405,
+        },
+        V1ProtocolSteps.GET_LAYER: {Failures.GEO_BLOCKED: 403},
+        V1ProtocolSteps.GET_TAG: {Failures.UNKNOWN_TAG: 404},
     }
 
-    response = self.conduct(session, 'POST', '/v1/users/', json_data=data, expected_status=400)
-    assert (response.text == '"Username or email already exists"') == expect_success
+    def __init__(self, jwk):
+        pass
 
-  def pull(self, session, namespace, repo_name, tag_names, images, credentials=None,
-           expected_failure=None, options=None):
-    options = options or ProtocolOptions()
-    auth = self._auth_for_credentials(credentials)
-    tag_names = [tag_names] if isinstance(tag_names, str) else tag_names
-    prefix = '/v1/repositories/%s/' % self.repo_name(namespace, repo_name)
+    def _auth_for_credentials(self, credentials):
+        if credentials is None:
+            return None
 
-    # Ping!
-    self.ping(session)
+        return credentials
 
-    # GET /v1/repositories/{namespace}/{repository}/images
-    headers = {'X-Docker-Token': 'true'}
-    result = self.conduct(session, 'GET', prefix + 'images', auth=auth, headers=headers,
-                          expected_status=(200, expected_failure, V1ProtocolSteps.GET_IMAGES))
-    if result.status_code != 200:
-      return
+    def ping(self, session):
+        assert session.get("/v1/_ping").status_code == 200
 
-    headers = {}
-    if credentials is not None:
-      headers['Authorization'] = 'token ' + result.headers['www-authenticate']
-    else:
-      assert not 'www-authenticate' in result.headers
+    def login(self, session, username, password, scopes, expect_success):
+        data = {"username": username, "password": password}
 
-    # GET /v1/repositories/{namespace}/{repository}/tags
-    image_ids = self.conduct(session, 'GET', prefix + 'tags', headers=headers).json()
+        response = self.conduct(
+            session, "POST", "/v1/users/", json_data=data, expected_status=400
+        )
+        assert (response.text == '"Username or email already exists"') == expect_success
 
-    for tag_name in tag_names:
-      # GET /v1/repositories/{namespace}/{repository}/tags/<tag_name>
-      image_id_data = self.conduct(session, 'GET', prefix + 'tags/' + tag_name,
-                                   headers=headers,
-                                   expected_status=(200, expected_failure,
-                                                    V1ProtocolSteps.GET_TAG))
+    def pull(
+        self,
+        session,
+        namespace,
+        repo_name,
+        tag_names,
+        images,
+        credentials=None,
+        expected_failure=None,
+        options=None,
+    ):
+        options = options or ProtocolOptions()
+        auth = self._auth_for_credentials(credentials)
+        tag_names = [tag_names] if isinstance(tag_names, str) else tag_names
+        prefix = "/v1/repositories/%s/" % self.repo_name(namespace, repo_name)
 
-      if tag_name not in image_ids:
-        assert expected_failure == Failures.UNKNOWN_TAG
-        return None
+        # Ping!
+        self.ping(session)
 
-      tag_image_id = image_ids[tag_name]
-      assert image_id_data.json() == tag_image_id
+        # GET /v1/repositories/{namespace}/{repository}/images
+        headers = {"X-Docker-Token": "true"}
+        result = self.conduct(
+            session,
+            "GET",
+            prefix + "images",
+            auth=auth,
+            headers=headers,
+            expected_status=(200, expected_failure, V1ProtocolSteps.GET_IMAGES),
+        )
+        if result.status_code != 200:
+            return
 
-      # Retrieve the ancestry of the tagged image.
-      image_prefix = '/v1/images/%s/' % tag_image_id
-      ancestors = self.conduct(session, 'GET', image_prefix + 'ancestry', headers=headers).json()
+        headers = {}
+        if credentials is not None:
+            headers["Authorization"] = "token " + result.headers["www-authenticate"]
+        else:
+            assert not "www-authenticate" in result.headers
 
-      assert len(ancestors) == len(images)
-      for index, image_id in enumerate(reversed(ancestors)):
-        # /v1/images/{imageID}/{ancestry, json, layer}
-        image_prefix = '/v1/images/%s/' % image_id
-        self.conduct(session, 'GET', image_prefix + 'ancestry', headers=headers)
+        # GET /v1/repositories/{namespace}/{repository}/tags
+        image_ids = self.conduct(
+            session, "GET", prefix + "tags", headers=headers
+        ).json()
 
-        result = self.conduct(session, 'GET', image_prefix + 'json', headers=headers)
-        assert result.json()['id'] == image_id
+        for tag_name in tag_names:
+            # GET /v1/repositories/{namespace}/{repository}/tags/<tag_name>
+            image_id_data = self.conduct(
+                session,
+                "GET",
+                prefix + "tags/" + tag_name,
+                headers=headers,
+                expected_status=(200, expected_failure, V1ProtocolSteps.GET_TAG),
+            )
 
-        # Ensure we can HEAD the image layer.
-        self.conduct(session, 'HEAD', image_prefix + 'layer', headers=headers)
+            if tag_name not in image_ids:
+                assert expected_failure == Failures.UNKNOWN_TAG
+                return None
 
-        # And retrieve the layer data.
-        result = self.conduct(session, 'GET', image_prefix + 'layer', headers=headers,
-                              expected_status=(200, expected_failure, V1ProtocolSteps.GET_LAYER),
-                              options=options)
-        if result.status_code == 200:
-          assert result.content == images[index].bytes
+            tag_image_id = image_ids[tag_name]
+            assert image_id_data.json() == tag_image_id
 
-    return PullResult(manifests=None, image_ids=image_ids)
+            # Retrieve the ancestry of the tagged image.
+            image_prefix = "/v1/images/%s/" % tag_image_id
+            ancestors = self.conduct(
+                session, "GET", image_prefix + "ancestry", headers=headers
+            ).json()
 
-  def push(self, session, namespace, repo_name, tag_names, images, credentials=None,
-           expected_failure=None, options=None):
-    auth = self._auth_for_credentials(credentials)
-    tag_names = [tag_names] if isinstance(tag_names, str) else tag_names
+            assert len(ancestors) == len(images)
+            for index, image_id in enumerate(reversed(ancestors)):
+                # /v1/images/{imageID}/{ancestry, json, layer}
+                image_prefix = "/v1/images/%s/" % image_id
+                self.conduct(session, "GET", image_prefix + "ancestry", headers=headers)
 
-    # Ping!
-    self.ping(session)
+                result = self.conduct(
+                    session, "GET", image_prefix + "json", headers=headers
+                )
+                assert result.json()["id"] == image_id
 
-    # PUT /v1/repositories/{namespace}/{repository}/
-    result = self.conduct(session, 'PUT',
-                          '/v1/repositories/%s/' % self.repo_name(namespace, repo_name),
-                          expected_status=(201, expected_failure, V1ProtocolSteps.PUT_IMAGES),
-                          json_data={},
-                          auth=auth)
-    if result.status_code != 201:
-      return
+                # Ensure we can HEAD the image layer.
+                self.conduct(session, "HEAD", image_prefix + "layer", headers=headers)
 
-    headers = {}
-    headers['Authorization'] = 'token ' + result.headers['www-authenticate']
+                # And retrieve the layer data.
+                result = self.conduct(
+                    session,
+                    "GET",
+                    image_prefix + "layer",
+                    headers=headers,
+                    expected_status=(200, expected_failure, V1ProtocolSteps.GET_LAYER),
+                    options=options,
+                )
+                if result.status_code == 200:
+                    assert result.content == images[index].bytes
 
-    for image in images:
-      assert image.urls is None
+        return PullResult(manifests=None, image_ids=image_ids)
 
-      # PUT /v1/images/{imageID}/json
-      image_json_data = {'id': image.id}
-      if image.size is not None:
-        image_json_data['Size'] = image.size
+    def push(
+        self,
+        session,
+        namespace,
+        repo_name,
+        tag_names,
+        images,
+        credentials=None,
+        expected_failure=None,
+        options=None,
+    ):
+        auth = self._auth_for_credentials(credentials)
+        tag_names = [tag_names] if isinstance(tag_names, str) else tag_names
 
-      if image.parent_id is not None:
-        image_json_data['parent'] = image.parent_id
+        # Ping!
+        self.ping(session)
 
-      if image.config is not None:
-        image_json_data['config'] = image.config
+        # PUT /v1/repositories/{namespace}/{repository}/
+        result = self.conduct(
+            session,
+            "PUT",
+            "/v1/repositories/%s/" % self.repo_name(namespace, repo_name),
+            expected_status=(201, expected_failure, V1ProtocolSteps.PUT_IMAGES),
+            json_data={},
+            auth=auth,
+        )
+        if result.status_code != 201:
+            return
 
-      if image.created is not None:
-        image_json_data['created'] = image.created
+        headers = {}
+        headers["Authorization"] = "token " + result.headers["www-authenticate"]
 
-      image_json = json.dumps(image_json_data)
-      response = self.conduct(session, 'PUT', '/v1/images/%s/json' % image.id,
-                              data=image_json, headers=headers,
-                              expected_status=(200, expected_failure,
-                                               V1ProtocolSteps.PUT_IMAGE_JSON))
-      if response.status_code != 200:
-        return
+        for image in images:
+            assert image.urls is None
 
-      # PUT /v1/images/{imageID}/checksum (old style)
-      old_checksum = compute_tarsum(StringIO(image.bytes), image_json)
-      checksum_headers = {'X-Docker-Checksum': old_checksum}
-      checksum_headers.update(headers)
+            # PUT /v1/images/{imageID}/json
+            image_json_data = {"id": image.id}
+            if image.size is not None:
+                image_json_data["Size"] = image.size
 
-      self.conduct(session, 'PUT', '/v1/images/%s/checksum' % image.id,
-                   headers=checksum_headers)
+            if image.parent_id is not None:
+                image_json_data["parent"] = image.parent_id
 
-      # PUT /v1/images/{imageID}/layer
-      self.conduct(session, 'PUT', '/v1/images/%s/layer' % image.id,
-                   data=StringIO(image.bytes), headers=headers)
+            if image.config is not None:
+                image_json_data["config"] = image.config
 
-      # PUT /v1/images/{imageID}/checksum (new style)
-      checksum = compute_simple(StringIO(image.bytes), image_json)
-      checksum_headers = {'X-Docker-Checksum-Payload': checksum}
-      checksum_headers.update(headers)
+            if image.created is not None:
+                image_json_data["created"] = image.created
 
-      self.conduct(session, 'PUT', '/v1/images/%s/checksum' % image.id,
-                   headers=checksum_headers)
+            image_json = json.dumps(image_json_data)
+            response = self.conduct(
+                session,
+                "PUT",
+                "/v1/images/%s/json" % image.id,
+                data=image_json,
+                headers=headers,
+                expected_status=(200, expected_failure, V1ProtocolSteps.PUT_IMAGE_JSON),
+            )
+            if response.status_code != 200:
+                return
 
-    # PUT /v1/repositories/{namespace}/{repository}/tags/latest
-    for tag_name in tag_names:
-      self.conduct(session, 'PUT',
-                   '/v1/repositories/%s/tags/%s' % (self.repo_name(namespace, repo_name), tag_name),
-                   data='"%s"' % images[-1].id,
-                   headers=headers,
-                   expected_status=(200, expected_failure, V1ProtocolSteps.PUT_TAG))
+            # PUT /v1/images/{imageID}/checksum (old style)
+            old_checksum = compute_tarsum(StringIO(image.bytes), image_json)
+            checksum_headers = {"X-Docker-Checksum": old_checksum}
+            checksum_headers.update(headers)
 
-    # PUT /v1/repositories/{namespace}/{repository}/images
-    self.conduct(session, 'PUT',
-                 '/v1/repositories/%s/images' % self.repo_name(namespace, repo_name),
-                 expected_status=204, headers=headers)
+            self.conduct(
+                session,
+                "PUT",
+                "/v1/images/%s/checksum" % image.id,
+                headers=checksum_headers,
+            )
 
-    return PushResult(manifests=None, headers=headers)
+            # PUT /v1/images/{imageID}/layer
+            self.conduct(
+                session,
+                "PUT",
+                "/v1/images/%s/layer" % image.id,
+                data=StringIO(image.bytes),
+                headers=headers,
+            )
 
-  def delete(self, session, namespace, repo_name, tag_names, credentials=None,
-             expected_failure=None, options=None):
-    auth = self._auth_for_credentials(credentials)
-    tag_names = [tag_names] if isinstance(tag_names, str) else tag_names
+            # PUT /v1/images/{imageID}/checksum (new style)
+            checksum = compute_simple(StringIO(image.bytes), image_json)
+            checksum_headers = {"X-Docker-Checksum-Payload": checksum}
+            checksum_headers.update(headers)
 
-    # Ping!
-    self.ping(session)
+            self.conduct(
+                session,
+                "PUT",
+                "/v1/images/%s/checksum" % image.id,
+                headers=checksum_headers,
+            )
 
-    for tag_name in tag_names:
-      # DELETE /v1/repositories/{namespace}/{repository}/tags/{tag}
-      self.conduct(session, 'DELETE',
-                   '/v1/repositories/%s/tags/%s' % (self.repo_name(namespace, repo_name), tag_name),
-                   auth=auth,
-                   expected_status=(200, expected_failure, V1ProtocolSteps.DELETE_TAG))
+        # PUT /v1/repositories/{namespace}/{repository}/tags/latest
+        for tag_name in tag_names:
+            self.conduct(
+                session,
+                "PUT",
+                "/v1/repositories/%s/tags/%s"
+                % (self.repo_name(namespace, repo_name), tag_name),
+                data='"%s"' % images[-1].id,
+                headers=headers,
+                expected_status=(200, expected_failure, V1ProtocolSteps.PUT_TAG),
+            )
 
-  def tag(self, session, namespace, repo_name, tag_name, image, credentials=None,
-          expected_failure=None, options=None):
-    auth = self._auth_for_credentials(credentials)
-    self.conduct(session, 'PUT',
-                 '/v1/repositories/%s/tags/%s' % (self.repo_name(namespace, repo_name), tag_name),
-                 data='"%s"' % image.id,
-                 auth=auth,
-                 expected_status=(200, expected_failure, V1ProtocolSteps.PUT_TAG))
+        # PUT /v1/repositories/{namespace}/{repository}/images
+        self.conduct(
+            session,
+            "PUT",
+            "/v1/repositories/%s/images" % self.repo_name(namespace, repo_name),
+            expected_status=204,
+            headers=headers,
+        )
+
+        return PushResult(manifests=None, headers=headers)
+
+    def delete(
+        self,
+        session,
+        namespace,
+        repo_name,
+        tag_names,
+        credentials=None,
+        expected_failure=None,
+        options=None,
+    ):
+        auth = self._auth_for_credentials(credentials)
+        tag_names = [tag_names] if isinstance(tag_names, str) else tag_names
+
+        # Ping!
+        self.ping(session)
+
+        for tag_name in tag_names:
+            # DELETE /v1/repositories/{namespace}/{repository}/tags/{tag}
+            self.conduct(
+                session,
+                "DELETE",
+                "/v1/repositories/%s/tags/%s"
+                % (self.repo_name(namespace, repo_name), tag_name),
+                auth=auth,
+                expected_status=(200, expected_failure, V1ProtocolSteps.DELETE_TAG),
+            )
+
+    def tag(
+        self,
+        session,
+        namespace,
+        repo_name,
+        tag_name,
+        image,
+        credentials=None,
+        expected_failure=None,
+        options=None,
+    ):
+        auth = self._auth_for_credentials(credentials)
+        self.conduct(
+            session,
+            "PUT",
+            "/v1/repositories/%s/tags/%s"
+            % (self.repo_name(namespace, repo_name), tag_name),
+            data='"%s"' % image.id,
+            auth=auth,
+            expected_status=(200, expected_failure, V1ProtocolSteps.PUT_TAG),
+        )
diff --git a/test/registry/protocol_v2.py b/test/registry/protocol_v2.py
index a9362d9f0..a097d7cac 100644
--- a/test/registry/protocol_v2.py
+++ b/test/registry/protocol_v2.py
@@ -3,703 +3,962 @@ import json
 
 from enum import Enum, unique
 
-from image.docker.schema1 import (DockerSchema1ManifestBuilder, DockerSchema1Manifest,
-                                  DOCKER_SCHEMA1_CONTENT_TYPES)
+from image.docker.schema1 import (
+    DockerSchema1ManifestBuilder,
+    DockerSchema1Manifest,
+    DOCKER_SCHEMA1_CONTENT_TYPES,
+)
 from image.docker.schema2 import DOCKER_SCHEMA2_CONTENT_TYPES
 from image.docker.schema2.manifest import DockerSchema2ManifestBuilder
 from image.docker.schema2.config import DockerSchema2Config
 from image.docker.schema2.list import DOCKER_SCHEMA2_MANIFESTLIST_CONTENT_TYPE
 from image.docker.schemas import parse_manifest_from_bytes
-from test.registry.protocols import (RegistryProtocol, Failures, ProtocolOptions, PushResult,
-                                     PullResult)
+from test.registry.protocols import (
+    RegistryProtocol,
+    Failures,
+    ProtocolOptions,
+    PushResult,
+    PullResult,
+)
 from util.bytes import Bytes
 
 
 @unique
 class V2ProtocolSteps(Enum):
-  """ Defines the various steps of the protocol, for matching failures. """
-  AUTH = 'auth'
-  BLOB_HEAD_CHECK = 'blob-head-check'
-  GET_MANIFEST = 'get-manifest'
-  GET_MANIFEST_LIST = 'get-manifest-list'
-  PUT_MANIFEST = 'put-manifest'
-  PUT_MANIFEST_LIST = 'put-manifest-list'
-  MOUNT_BLOB = 'mount-blob'
-  CATALOG = 'catalog'
-  LIST_TAGS = 'list-tags'
-  START_UPLOAD = 'start-upload'
-  GET_BLOB = 'get-blob'
+    """ Defines the various steps of the protocol, for matching failures. """
+
+    AUTH = "auth"
+    BLOB_HEAD_CHECK = "blob-head-check"
+    GET_MANIFEST = "get-manifest"
+    GET_MANIFEST_LIST = "get-manifest-list"
+    PUT_MANIFEST = "put-manifest"
+    PUT_MANIFEST_LIST = "put-manifest-list"
+    MOUNT_BLOB = "mount-blob"
+    CATALOG = "catalog"
+    LIST_TAGS = "list-tags"
+    START_UPLOAD = "start-upload"
+    GET_BLOB = "get-blob"
 
 
 class V2Protocol(RegistryProtocol):
-  FAILURE_CODES = {
-    V2ProtocolSteps.AUTH: {
-      Failures.UNAUTHENTICATED: 401,
-      Failures.INVALID_AUTHENTICATION: 401,
-      Failures.INVALID_REGISTRY: 400,
-      Failures.APP_REPOSITORY: 405,
-      Failures.ANONYMOUS_NOT_ALLOWED: 401,
-      Failures.INVALID_REPOSITORY: 400,
-      Failures.SLASH_REPOSITORY: 400,
-      Failures.NAMESPACE_DISABLED: 405,
-    },
-    V2ProtocolSteps.MOUNT_BLOB: {
-      Failures.UNAUTHORIZED_FOR_MOUNT: 202,
-      Failures.READONLY_REGISTRY: 405,
-    },
-    V2ProtocolSteps.GET_MANIFEST: {
-      Failures.UNKNOWN_TAG: 404,
-      Failures.UNAUTHORIZED: 401,
-      Failures.DISALLOWED_LIBRARY_NAMESPACE: 400,
-      Failures.ANONYMOUS_NOT_ALLOWED: 401,
-    },
-    V2ProtocolSteps.GET_BLOB: {
-      Failures.GEO_BLOCKED: 403,
-    },
-    V2ProtocolSteps.BLOB_HEAD_CHECK: {
-      Failures.DISALLOWED_LIBRARY_NAMESPACE: 400,
-    },
-    V2ProtocolSteps.START_UPLOAD: {
-      Failures.DISALLOWED_LIBRARY_NAMESPACE: 400,
-      Failures.READ_ONLY: 401,
-      Failures.MIRROR_ONLY: 401,
-      Failures.MIRROR_MISCONFIGURED: 401,
-      Failures.MIRROR_ROBOT_MISSING: 401,
-      Failures.READ_ONLY: 401,
-      Failures.READONLY_REGISTRY: 405,
-    },
-    V2ProtocolSteps.PUT_MANIFEST: {
-      Failures.DISALLOWED_LIBRARY_NAMESPACE: 400,
-      Failures.MISSING_TAG: 404,
-      Failures.INVALID_TAG: 404,
-      Failures.INVALID_IMAGES: 400,
-      Failures.INVALID_BLOB: 400,
-      Failures.UNSUPPORTED_CONTENT_TYPE: 415,
-      Failures.READ_ONLY: 401,
-      Failures.MIRROR_ONLY: 401,
-      Failures.MIRROR_MISCONFIGURED: 401,
-      Failures.MIRROR_ROBOT_MISSING: 401,
-      Failures.READONLY_REGISTRY: 405,
-    },
-    V2ProtocolSteps.PUT_MANIFEST_LIST: {
-      Failures.INVALID_MANIFEST: 400,
-      Failures.READ_ONLY: 401,
-      Failures.MIRROR_ONLY: 401,
-      Failures.MIRROR_MISCONFIGURED: 401,
-      Failures.MIRROR_ROBOT_MISSING: 401,
-      Failures.READONLY_REGISTRY: 405,
-    }
-  }
-
-  def __init__(self, jwk, schema2=False):
-    self.jwk = jwk
-    self.schema2 = schema2
-
-  def ping(self, session):
-    result = session.get('/v2/')
-    assert result.status_code == 401
-    assert result.headers['Docker-Distribution-API-Version'] == 'registry/2.0'
-
-  def login(self, session, username, password, scopes, expect_success):
-    scopes = scopes if isinstance(scopes, list) else [scopes]
-    params = {
-      'account': username,
-      'service': 'localhost:5000',
-      'scope': scopes,
+    FAILURE_CODES = {
+        V2ProtocolSteps.AUTH: {
+            Failures.UNAUTHENTICATED: 401,
+            Failures.INVALID_AUTHENTICATION: 401,
+            Failures.INVALID_REGISTRY: 400,
+            Failures.APP_REPOSITORY: 405,
+            Failures.ANONYMOUS_NOT_ALLOWED: 401,
+            Failures.INVALID_REPOSITORY: 400,
+            Failures.SLASH_REPOSITORY: 400,
+            Failures.NAMESPACE_DISABLED: 405,
+        },
+        V2ProtocolSteps.MOUNT_BLOB: {
+            Failures.UNAUTHORIZED_FOR_MOUNT: 202,
+            Failures.READONLY_REGISTRY: 405,
+        },
+        V2ProtocolSteps.GET_MANIFEST: {
+            Failures.UNKNOWN_TAG: 404,
+            Failures.UNAUTHORIZED: 401,
+            Failures.DISALLOWED_LIBRARY_NAMESPACE: 400,
+            Failures.ANONYMOUS_NOT_ALLOWED: 401,
+        },
+        V2ProtocolSteps.GET_BLOB: {Failures.GEO_BLOCKED: 403},
+        V2ProtocolSteps.BLOB_HEAD_CHECK: {Failures.DISALLOWED_LIBRARY_NAMESPACE: 400},
+        V2ProtocolSteps.START_UPLOAD: {
+            Failures.DISALLOWED_LIBRARY_NAMESPACE: 400,
+            Failures.READ_ONLY: 401,
+            Failures.MIRROR_ONLY: 401,
+            Failures.MIRROR_MISCONFIGURED: 401,
+            Failures.MIRROR_ROBOT_MISSING: 401,
+            Failures.READ_ONLY: 401,
+            Failures.READONLY_REGISTRY: 405,
+        },
+        V2ProtocolSteps.PUT_MANIFEST: {
+            Failures.DISALLOWED_LIBRARY_NAMESPACE: 400,
+            Failures.MISSING_TAG: 404,
+            Failures.INVALID_TAG: 404,
+            Failures.INVALID_IMAGES: 400,
+            Failures.INVALID_BLOB: 400,
+            Failures.UNSUPPORTED_CONTENT_TYPE: 415,
+            Failures.READ_ONLY: 401,
+            Failures.MIRROR_ONLY: 401,
+            Failures.MIRROR_MISCONFIGURED: 401,
+            Failures.MIRROR_ROBOT_MISSING: 401,
+            Failures.READONLY_REGISTRY: 405,
+        },
+        V2ProtocolSteps.PUT_MANIFEST_LIST: {
+            Failures.INVALID_MANIFEST: 400,
+            Failures.READ_ONLY: 401,
+            Failures.MIRROR_ONLY: 401,
+            Failures.MIRROR_MISCONFIGURED: 401,
+            Failures.MIRROR_ROBOT_MISSING: 401,
+            Failures.READONLY_REGISTRY: 405,
+        },
     }
 
-    auth = (username, password)
-    if not username or not password:
-      auth = None
+    def __init__(self, jwk, schema2=False):
+        self.jwk = jwk
+        self.schema2 = schema2
 
-    response = session.get('/v2/auth', params=params, auth=auth)
-    if expect_success:
-      assert response.status_code / 100 == 2
-    else:
-      assert response.status_code / 100 == 4
+    def ping(self, session):
+        result = session.get("/v2/")
+        assert result.status_code == 401
+        assert result.headers["Docker-Distribution-API-Version"] == "registry/2.0"
 
-    return response
+    def login(self, session, username, password, scopes, expect_success):
+        scopes = scopes if isinstance(scopes, list) else [scopes]
+        params = {"account": username, "service": "localhost:5000", "scope": scopes}
 
-  def auth(self, session, credentials, namespace, repo_name, scopes=None,
-           expected_failure=None):
-    """
+        auth = (username, password)
+        if not username or not password:
+            auth = None
+
+        response = session.get("/v2/auth", params=params, auth=auth)
+        if expect_success:
+            assert response.status_code / 100 == 2
+        else:
+            assert response.status_code / 100 == 4
+
+        return response
+
+    def auth(
+        self,
+        session,
+        credentials,
+        namespace,
+        repo_name,
+        scopes=None,
+        expected_failure=None,
+    ):
+        """
     Performs the V2 Auth flow, returning the token (if any) and the response.
 
     Spec: https://docs.docker.com/registry/spec/auth/token/
     """
 
-    scopes = scopes or []
-    auth = None
-    username = None
+        scopes = scopes or []
+        auth = None
+        username = None
 
-    if credentials is not None:
-      username, _ = credentials
-      auth = credentials
+        if credentials is not None:
+            username, _ = credentials
+            auth = credentials
 
-    params = {
-      'account': username,
-      'service': 'localhost:5000',
-    }
+        params = {"account": username, "service": "localhost:5000"}
 
-    if scopes:
-      params['scope'] = scopes
+        if scopes:
+            params["scope"] = scopes
 
-    response = self.conduct(session, 'GET', '/v2/auth', params=params, auth=auth,
-                            expected_status=(200, expected_failure, V2ProtocolSteps.AUTH))
-    expect_token = (expected_failure is None or
-                    not V2Protocol.FAILURE_CODES[V2ProtocolSteps.AUTH].get(expected_failure))
-    if expect_token:
-      assert response.json().get('token') is not None
-      return response.json().get('token'), response
+        response = self.conduct(
+            session,
+            "GET",
+            "/v2/auth",
+            params=params,
+            auth=auth,
+            expected_status=(200, expected_failure, V2ProtocolSteps.AUTH),
+        )
+        expect_token = expected_failure is None or not V2Protocol.FAILURE_CODES[
+            V2ProtocolSteps.AUTH
+        ].get(expected_failure)
+        if expect_token:
+            assert response.json().get("token") is not None
+            return response.json().get("token"), response
 
-    return None, response
+        return None, response
 
-  def pull_list(self, session, namespace, repo_name, tag_names, manifestlist,
-                credentials=None, expected_failure=None, options=None):
-    options = options or ProtocolOptions()
-    scopes = options.scopes or ['repository:%s:push,pull' % self.repo_name(namespace, repo_name)]
-    tag_names = [tag_names] if isinstance(tag_names, str) else tag_names
+    def pull_list(
+        self,
+        session,
+        namespace,
+        repo_name,
+        tag_names,
+        manifestlist,
+        credentials=None,
+        expected_failure=None,
+        options=None,
+    ):
+        options = options or ProtocolOptions()
+        scopes = options.scopes or [
+            "repository:%s:push,pull" % self.repo_name(namespace, repo_name)
+        ]
+        tag_names = [tag_names] if isinstance(tag_names, str) else tag_names
 
-    # Ping!
-    self.ping(session)
+        # Ping!
+        self.ping(session)
 
-    # Perform auth and retrieve a token.
-    token, _ = self.auth(session, credentials, namespace, repo_name, scopes=scopes,
-                         expected_failure=expected_failure)
-    if token is None:
-      assert V2Protocol.FAILURE_CODES[V2ProtocolSteps.AUTH].get(expected_failure)
-      return
+        # Perform auth and retrieve a token.
+        token, _ = self.auth(
+            session,
+            credentials,
+            namespace,
+            repo_name,
+            scopes=scopes,
+            expected_failure=expected_failure,
+        )
+        if token is None:
+            assert V2Protocol.FAILURE_CODES[V2ProtocolSteps.AUTH].get(expected_failure)
+            return
 
-    headers = {
-      'Authorization': 'Bearer ' + token,
-      'Accept': ','.join(DOCKER_SCHEMA2_CONTENT_TYPES),
-    }
+        headers = {
+            "Authorization": "Bearer " + token,
+            "Accept": ",".join(DOCKER_SCHEMA2_CONTENT_TYPES),
+        }
 
-    for tag_name in tag_names:
-      # Retrieve the manifest for the tag or digest.
-      response = self.conduct(session, 'GET',
-                              '/v2/%s/manifests/%s' % (self.repo_name(namespace, repo_name),
-                                                       tag_name),
-                              expected_status=(200, expected_failure,
-                                               V2ProtocolSteps.GET_MANIFEST_LIST),
-                              headers=headers)
-      if expected_failure is not None:
-        return None
+        for tag_name in tag_names:
+            # Retrieve the manifest for the tag or digest.
+            response = self.conduct(
+                session,
+                "GET",
+                "/v2/%s/manifests/%s"
+                % (self.repo_name(namespace, repo_name), tag_name),
+                expected_status=(
+                    200,
+                    expected_failure,
+                    V2ProtocolSteps.GET_MANIFEST_LIST,
+                ),
+                headers=headers,
+            )
+            if expected_failure is not None:
+                return None
 
-      # Parse the returned manifest list and ensure it matches.
-      ct = response.headers['Content-Type']
-      assert ct == DOCKER_SCHEMA2_MANIFESTLIST_CONTENT_TYPE
-      retrieved = parse_manifest_from_bytes(Bytes.for_string_or_unicode(response.text), ct)
-      assert retrieved.schema_version == 2
-      assert retrieved.is_manifest_list
-      assert retrieved.digest == manifestlist.digest
+            # Parse the returned manifest list and ensure it matches.
+            ct = response.headers["Content-Type"]
+            assert ct == DOCKER_SCHEMA2_MANIFESTLIST_CONTENT_TYPE
+            retrieved = parse_manifest_from_bytes(
+                Bytes.for_string_or_unicode(response.text), ct
+            )
+            assert retrieved.schema_version == 2
+            assert retrieved.is_manifest_list
+            assert retrieved.digest == manifestlist.digest
 
-      # Pull each of the manifests inside and ensure they can be retrieved.
-      for manifest_digest in retrieved.child_manifest_digests():
-        response = self.conduct(session, 'GET',
-                                '/v2/%s/manifests/%s' % (self.repo_name(namespace, repo_name),
-                                                         manifest_digest),
-                                expected_status=(200, expected_failure,
-                                                 V2ProtocolSteps.GET_MANIFEST),
-                                headers=headers)
-        if expected_failure is not None:
-          return None
+            # Pull each of the manifests inside and ensure they can be retrieved.
+            for manifest_digest in retrieved.child_manifest_digests():
+                response = self.conduct(
+                    session,
+                    "GET",
+                    "/v2/%s/manifests/%s"
+                    % (self.repo_name(namespace, repo_name), manifest_digest),
+                    expected_status=(
+                        200,
+                        expected_failure,
+                        V2ProtocolSteps.GET_MANIFEST,
+                    ),
+                    headers=headers,
+                )
+                if expected_failure is not None:
+                    return None
 
-        ct = response.headers['Content-Type']
-        manifest = parse_manifest_from_bytes(Bytes.for_string_or_unicode(response.text), ct)
-        assert not manifest.is_manifest_list
-        assert manifest.digest == manifest_digest
+                ct = response.headers["Content-Type"]
+                manifest = parse_manifest_from_bytes(
+                    Bytes.for_string_or_unicode(response.text), ct
+                )
+                assert not manifest.is_manifest_list
+                assert manifest.digest == manifest_digest
 
-  def push_list(self, session, namespace, repo_name, tag_names, manifestlist, manifests, blobs,
-                credentials=None, expected_failure=None, options=None):
-    options = options or ProtocolOptions()
-    scopes = options.scopes or ['repository:%s:push,pull' % self.repo_name(namespace, repo_name)]
-    tag_names = [tag_names] if isinstance(tag_names, str) else tag_names
+    def push_list(
+        self,
+        session,
+        namespace,
+        repo_name,
+        tag_names,
+        manifestlist,
+        manifests,
+        blobs,
+        credentials=None,
+        expected_failure=None,
+        options=None,
+    ):
+        options = options or ProtocolOptions()
+        scopes = options.scopes or [
+            "repository:%s:push,pull" % self.repo_name(namespace, repo_name)
+        ]
+        tag_names = [tag_names] if isinstance(tag_names, str) else tag_names
 
-    # Ping!
-    self.ping(session)
+        # Ping!
+        self.ping(session)
 
-    # Perform auth and retrieve a token.
-    token, _ = self.auth(session, credentials, namespace, repo_name, scopes=scopes,
-                         expected_failure=expected_failure)
-    if token is None:
-      assert V2Protocol.FAILURE_CODES[V2ProtocolSteps.AUTH].get(expected_failure)
-      return
+        # Perform auth and retrieve a token.
+        token, _ = self.auth(
+            session,
+            credentials,
+            namespace,
+            repo_name,
+            scopes=scopes,
+            expected_failure=expected_failure,
+        )
+        if token is None:
+            assert V2Protocol.FAILURE_CODES[V2ProtocolSteps.AUTH].get(expected_failure)
+            return
 
-    headers = {
-      'Authorization': 'Bearer ' + token,
-      'Accept': ','.join(options.accept_mimetypes) if options.accept_mimetypes is not None else '*/*',
-    }
+        headers = {
+            "Authorization": "Bearer " + token,
+            "Accept": ",".join(options.accept_mimetypes)
+            if options.accept_mimetypes is not None
+            else "*/*",
+        }
 
-    # Push all blobs.
-    if not self._push_blobs(blobs, session, namespace, repo_name, headers, options,
-                            expected_failure):
-      return
+        # Push all blobs.
+        if not self._push_blobs(
+            blobs, session, namespace, repo_name, headers, options, expected_failure
+        ):
+            return
 
-    # Push the individual manifests.
-    for manifest in manifests:
-      manifest_headers = {'Content-Type': manifest.media_type}
-      manifest_headers.update(headers)
+        # Push the individual manifests.
+        for manifest in manifests:
+            manifest_headers = {"Content-Type": manifest.media_type}
+            manifest_headers.update(headers)
 
-      self.conduct(session, 'PUT',
-                   '/v2/%s/manifests/%s' % (self.repo_name(namespace, repo_name), manifest.digest),
-                   data=manifest.bytes.as_encoded_str(),
-                   expected_status=(202, expected_failure, V2ProtocolSteps.PUT_MANIFEST),
-                   headers=manifest_headers)
+            self.conduct(
+                session,
+                "PUT",
+                "/v2/%s/manifests/%s"
+                % (self.repo_name(namespace, repo_name), manifest.digest),
+                data=manifest.bytes.as_encoded_str(),
+                expected_status=(202, expected_failure, V2ProtocolSteps.PUT_MANIFEST),
+                headers=manifest_headers,
+            )
 
-    # Push the manifest list.
-    for tag_name in tag_names:
-      manifest_headers = {'Content-Type': manifestlist.media_type}
-      manifest_headers.update(headers)
+        # Push the manifest list.
+        for tag_name in tag_names:
+            manifest_headers = {"Content-Type": manifestlist.media_type}
+            manifest_headers.update(headers)
 
-      if options.manifest_content_type is not None:
-        manifest_headers['Content-Type'] = options.manifest_content_type
+            if options.manifest_content_type is not None:
+                manifest_headers["Content-Type"] = options.manifest_content_type
 
-      self.conduct(session, 'PUT',
-                   '/v2/%s/manifests/%s' % (self.repo_name(namespace, repo_name), tag_name),
-                   data=manifestlist.bytes.as_encoded_str(),
-                   expected_status=(202, expected_failure, V2ProtocolSteps.PUT_MANIFEST_LIST),
-                   headers=manifest_headers)
+            self.conduct(
+                session,
+                "PUT",
+                "/v2/%s/manifests/%s"
+                % (self.repo_name(namespace, repo_name), tag_name),
+                data=manifestlist.bytes.as_encoded_str(),
+                expected_status=(
+                    202,
+                    expected_failure,
+                    V2ProtocolSteps.PUT_MANIFEST_LIST,
+                ),
+                headers=manifest_headers,
+            )
 
-    return PushResult(manifests=None, headers=headers)
+        return PushResult(manifests=None, headers=headers)
 
-  def build_schema2(self, images, blobs, options):
-    builder = DockerSchema2ManifestBuilder()
-    for image in images:
-      checksum = 'sha256:' + hashlib.sha256(image.bytes).hexdigest()
+    def build_schema2(self, images, blobs, options):
+        builder = DockerSchema2ManifestBuilder()
+        for image in images:
+            checksum = "sha256:" + hashlib.sha256(image.bytes).hexdigest()
 
-      if image.urls is None:
-        blobs[checksum] = image.bytes
+            if image.urls is None:
+                blobs[checksum] = image.bytes
 
-      # If invalid blob references were requested, just make it up.
-      if options.manifest_invalid_blob_references:
-        checksum = 'sha256:' + hashlib.sha256('notarealthing').hexdigest()
+            # If invalid blob references were requested, just make it up.
+            if options.manifest_invalid_blob_references:
+                checksum = "sha256:" + hashlib.sha256("notarealthing").hexdigest()
 
-      if not image.is_empty:
-        builder.add_layer(checksum, len(image.bytes), urls=image.urls)
+            if not image.is_empty:
+                builder.add_layer(checksum, len(image.bytes), urls=image.urls)
 
-    def history_for_image(image):
-      history = {
-        'created': '2018-04-03T18:37:09.284840891Z',
-        'created_by': (('/bin/sh -c #(nop) ENTRYPOINT %s' % image.config['Entrypoint'])
-                       if image.config and image.config.get('Entrypoint')
-                       else '/bin/sh -c #(nop) %s' % image.id),
-      }
+        def history_for_image(image):
+            history = {
+                "created": "2018-04-03T18:37:09.284840891Z",
+                "created_by": (
+                    ("/bin/sh -c #(nop) ENTRYPOINT %s" % image.config["Entrypoint"])
+                    if image.config and image.config.get("Entrypoint")
+                    else "/bin/sh -c #(nop) %s" % image.id
+                ),
+            }
 
-      if image.is_empty:
-        history['empty_layer'] = True
+            if image.is_empty:
+                history["empty_layer"] = True
 
-      return history
+            return history
 
-    config = {
-      "os": "linux",
-      "rootfs": {
-        "type": "layers",
-        "diff_ids": []
-      },
-      "history": [history_for_image(image) for image in images],
-    }
+        config = {
+            "os": "linux",
+            "rootfs": {"type": "layers", "diff_ids": []},
+            "history": [history_for_image(image) for image in images],
+        }
 
-    if images[-1].config:
-      config['config'] = images[-1].config
+        if images[-1].config:
+            config["config"] = images[-1].config
 
-    config_json = json.dumps(config, ensure_ascii=options.ensure_ascii)
-    schema2_config = DockerSchema2Config(Bytes.for_string_or_unicode(config_json))
-    builder.set_config(schema2_config)
+        config_json = json.dumps(config, ensure_ascii=options.ensure_ascii)
+        schema2_config = DockerSchema2Config(Bytes.for_string_or_unicode(config_json))
+        builder.set_config(schema2_config)
 
-    blobs[schema2_config.digest] = schema2_config.bytes.as_encoded_str()
-    return builder.build(ensure_ascii=options.ensure_ascii)
+        blobs[schema2_config.digest] = schema2_config.bytes.as_encoded_str()
+        return builder.build(ensure_ascii=options.ensure_ascii)
 
-  def build_schema1(self, namespace, repo_name, tag_name, images, blobs, options, arch='amd64'):
-    builder = DockerSchema1ManifestBuilder(namespace, repo_name, tag_name, arch)
+    def build_schema1(
+        self, namespace, repo_name, tag_name, images, blobs, options, arch="amd64"
+    ):
+        builder = DockerSchema1ManifestBuilder(namespace, repo_name, tag_name, arch)
 
-    for image in reversed(images):
-      assert image.urls is None
+        for image in reversed(images):
+            assert image.urls is None
 
-      checksum = 'sha256:' + hashlib.sha256(image.bytes).hexdigest()
-      blobs[checksum] = image.bytes
+            checksum = "sha256:" + hashlib.sha256(image.bytes).hexdigest()
+            blobs[checksum] = image.bytes
 
-      # If invalid blob references were requested, just make it up.
-      if options.manifest_invalid_blob_references:
-        checksum = 'sha256:' + hashlib.sha256('notarealthing').hexdigest()
+            # If invalid blob references were requested, just make it up.
+            if options.manifest_invalid_blob_references:
+                checksum = "sha256:" + hashlib.sha256("notarealthing").hexdigest()
 
-      layer_dict = {'id': image.id, 'parent': image.parent_id}
-      if image.config is not None:
-        layer_dict['config'] = image.config
+            layer_dict = {"id": image.id, "parent": image.parent_id}
+            if image.config is not None:
+                layer_dict["config"] = image.config
 
-      if image.size is not None:
-        layer_dict['Size'] = image.size
+            if image.size is not None:
+                layer_dict["Size"] = image.size
 
-      if image.created is not None:
-        layer_dict['created'] = image.created
+            if image.created is not None:
+                layer_dict["created"] = image.created
 
-      builder.add_layer(checksum, json.dumps(layer_dict, ensure_ascii=options.ensure_ascii))
+            builder.add_layer(
+                checksum, json.dumps(layer_dict, ensure_ascii=options.ensure_ascii)
+            )
 
-    # Build the manifest.
-    built = builder.build(self.jwk, ensure_ascii=options.ensure_ascii)
+        # Build the manifest.
+        built = builder.build(self.jwk, ensure_ascii=options.ensure_ascii)
 
-    # Validate it before we send it.
-    DockerSchema1Manifest(built.bytes)
-    return built
+        # Validate it before we send it.
+        DockerSchema1Manifest(built.bytes)
+        return built
 
-  def push(self, session, namespace, repo_name, tag_names, images, credentials=None,
-           expected_failure=None, options=None):
-    options = options or ProtocolOptions()
-    scopes = options.scopes or ['repository:%s:push,pull' % self.repo_name(namespace, repo_name)]
-    tag_names = [tag_names] if isinstance(tag_names, str) else tag_names
+    def push(
+        self,
+        session,
+        namespace,
+        repo_name,
+        tag_names,
+        images,
+        credentials=None,
+        expected_failure=None,
+        options=None,
+    ):
+        options = options or ProtocolOptions()
+        scopes = options.scopes or [
+            "repository:%s:push,pull" % self.repo_name(namespace, repo_name)
+        ]
+        tag_names = [tag_names] if isinstance(tag_names, str) else tag_names
 
-    # Ping!
-    self.ping(session)
+        # Ping!
+        self.ping(session)
 
-    # Perform auth and retrieve a token.
-    token, _ = self.auth(session, credentials, namespace, repo_name, scopes=scopes,
-                         expected_failure=expected_failure)
-    if token is None:
-      assert V2Protocol.FAILURE_CODES[V2ProtocolSteps.AUTH].get(expected_failure)
-      return
+        # Perform auth and retrieve a token.
+        token, _ = self.auth(
+            session,
+            credentials,
+            namespace,
+            repo_name,
+            scopes=scopes,
+            expected_failure=expected_failure,
+        )
+        if token is None:
+            assert V2Protocol.FAILURE_CODES[V2ProtocolSteps.AUTH].get(expected_failure)
+            return
 
-    headers = {
-      'Authorization': 'Bearer ' + token,
-      'Accept': ','.join(options.accept_mimetypes) if options.accept_mimetypes is not None else '*/*',
-    }
+        headers = {
+            "Authorization": "Bearer " + token,
+            "Accept": ",".join(options.accept_mimetypes)
+            if options.accept_mimetypes is not None
+            else "*/*",
+        }
 
-    # Build fake manifests.
-    manifests = {}
-    blobs = {}
-    for tag_name in tag_names:
-      if self.schema2:
-        manifests[tag_name] = self.build_schema2(images, blobs, options)
-      else:
-        manifests[tag_name] = self.build_schema1(namespace, repo_name, tag_name, images, blobs,
-                                                 options)
-
-    # Push the blob data.
-    if not self._push_blobs(blobs, session, namespace, repo_name, headers, options,
-                            expected_failure):
-      return
-
-    # Write a manifest for each tag.
-    for tag_name in tag_names:
-      manifest = manifests[tag_name]
-
-      # Write the manifest. If we expect it to be invalid, we expect a 404 code. Otherwise, we
-      # expect a 202 response for success.
-      put_code = 404 if options.manifest_invalid_blob_references else 202
-      manifest_headers = {'Content-Type': manifest.media_type}
-      manifest_headers.update(headers)
-
-      if options.manifest_content_type is not None:
-        manifest_headers['Content-Type'] = options.manifest_content_type
-
-      tag_or_digest = tag_name if not options.push_by_manifest_digest else manifest.digest
-      self.conduct(session, 'PUT',
-                   '/v2/%s/manifests/%s' % (self.repo_name(namespace, repo_name), tag_or_digest),
-                   data=manifest.bytes.as_encoded_str(),
-                   expected_status=(put_code, expected_failure, V2ProtocolSteps.PUT_MANIFEST),
-                   headers=manifest_headers)
-
-    return PushResult(manifests=manifests, headers=headers)
-
-  def _push_blobs(self, blobs, session, namespace, repo_name, headers, options, expected_failure):
-    for blob_digest, blob_bytes in blobs.iteritems():
-      if not options.skip_head_checks:
-        # Blob data should not yet exist.
-        self.conduct(session, 'HEAD',
-                     '/v2/%s/blobs/%s' % (self.repo_name(namespace, repo_name), blob_digest),
-                     expected_status=(404, expected_failure, V2ProtocolSteps.BLOB_HEAD_CHECK),
-                     headers=headers)
-
-      # Check for mounting of blobs.
-      if options.mount_blobs and blob_digest in options.mount_blobs:
-        self.conduct(session, 'POST',
-                     '/v2/%s/blobs/uploads/' % self.repo_name(namespace, repo_name),
-                     params={
-                       'mount': blob_digest,
-                       'from': options.mount_blobs[blob_digest],
-                     },
-                     expected_status=(201, expected_failure, V2ProtocolSteps.MOUNT_BLOB),
-                     headers=headers)
-        if expected_failure is not None:
-          return
-      else:
-        # Start a new upload of the blob data.
-        response = self.conduct(session, 'POST',
-                                '/v2/%s/blobs/uploads/' % self.repo_name(namespace, repo_name),
-                                expected_status=(202, expected_failure,
-                                                 V2ProtocolSteps.START_UPLOAD),
-                                headers=headers)
-        if response.status_code != 202:
-          continue
-
-        upload_uuid = response.headers['Docker-Upload-UUID']
-        new_upload_location = response.headers['Location']
-        assert new_upload_location.startswith('http://localhost:5000')
-
-        # We need to make this relative just for the tests because the live server test
-        # case modifies the port.
-        location = response.headers['Location'][len('http://localhost:5000'):]
-
-        # PATCH the data into the blob.
-        if options.chunks_for_upload is None:
-          self.conduct(session, 'PATCH', location, data=blob_bytes, expected_status=204,
-                       headers=headers)
-        else:
-          # If chunked upload is requested, upload the data as a series of chunks, checking
-          # status at every point.
-          for chunk_data in options.chunks_for_upload:
-            if len(chunk_data) == 3:
-              (start_byte, end_byte, expected_code) = chunk_data
+        # Build fake manifests.
+        manifests = {}
+        blobs = {}
+        for tag_name in tag_names:
+            if self.schema2:
+                manifests[tag_name] = self.build_schema2(images, blobs, options)
             else:
-              (start_byte, end_byte) = chunk_data
-              expected_code = 204
+                manifests[tag_name] = self.build_schema1(
+                    namespace, repo_name, tag_name, images, blobs, options
+                )
 
-            patch_headers = {'Range': 'bytes=%s-%s' % (start_byte, end_byte)}
-            patch_headers.update(headers)
+        # Push the blob data.
+        if not self._push_blobs(
+            blobs, session, namespace, repo_name, headers, options, expected_failure
+        ):
+            return
 
-            contents_chunk = blob_bytes[start_byte:end_byte]
-            self.conduct(session, 'PATCH', location, data=contents_chunk,
-                         expected_status=expected_code,
-                         headers=patch_headers)
-            if expected_code != 204:
-              return False
+        # Write a manifest for each tag.
+        for tag_name in tag_names:
+            manifest = manifests[tag_name]
 
-            # Retrieve the upload status at each point, and ensure it is valid.
-            status_url = '/v2/%s/blobs/uploads/%s' % (self.repo_name(namespace, repo_name),
-                                                      upload_uuid)
-            response = self.conduct(session, 'GET', status_url, expected_status=204,
-                                    headers=headers)
-            assert response.headers['Docker-Upload-UUID'] == upload_uuid
-            assert response.headers['Range'] == "bytes=0-%s" % end_byte
+            # Write the manifest. If we expect it to be invalid, we expect a 404 code. Otherwise, we
+            # expect a 202 response for success.
+            put_code = 404 if options.manifest_invalid_blob_references else 202
+            manifest_headers = {"Content-Type": manifest.media_type}
+            manifest_headers.update(headers)
 
-        if options.cancel_blob_upload:
-          self.conduct(session, 'DELETE', location, params=dict(digest=blob_digest),
-                       expected_status=204, headers=headers)
+            if options.manifest_content_type is not None:
+                manifest_headers["Content-Type"] = options.manifest_content_type
 
-          # Ensure the upload was canceled.
-          status_url = '/v2/%s/blobs/uploads/%s' % (self.repo_name(namespace, repo_name),
-                                                    upload_uuid)
-          self.conduct(session, 'GET', status_url, expected_status=404, headers=headers)
-          return False
+            tag_or_digest = (
+                tag_name if not options.push_by_manifest_digest else manifest.digest
+            )
+            self.conduct(
+                session,
+                "PUT",
+                "/v2/%s/manifests/%s"
+                % (self.repo_name(namespace, repo_name), tag_or_digest),
+                data=manifest.bytes.as_encoded_str(),
+                expected_status=(
+                    put_code,
+                    expected_failure,
+                    V2ProtocolSteps.PUT_MANIFEST,
+                ),
+                headers=manifest_headers,
+            )
 
-        # Finish the blob upload with a PUT.
-        response = self.conduct(session, 'PUT', location, params=dict(digest=blob_digest),
-                                expected_status=201, headers=headers)
-        assert response.headers['Docker-Content-Digest'] == blob_digest
+        return PushResult(manifests=manifests, headers=headers)
 
-      # Ensure the blob exists now.
-      response = self.conduct(session, 'HEAD',
-                              '/v2/%s/blobs/%s' % (self.repo_name(namespace, repo_name),
-                                                   blob_digest),
-                              expected_status=200, headers=headers)
+    def _push_blobs(
+        self, blobs, session, namespace, repo_name, headers, options, expected_failure
+    ):
+        for blob_digest, blob_bytes in blobs.iteritems():
+            if not options.skip_head_checks:
+                # Blob data should not yet exist.
+                self.conduct(
+                    session,
+                    "HEAD",
+                    "/v2/%s/blobs/%s"
+                    % (self.repo_name(namespace, repo_name), blob_digest),
+                    expected_status=(
+                        404,
+                        expected_failure,
+                        V2ProtocolSteps.BLOB_HEAD_CHECK,
+                    ),
+                    headers=headers,
+                )
 
-      assert response.headers['Docker-Content-Digest'] == blob_digest
-      assert response.headers['Content-Length'] == str(len(blob_bytes))
+            # Check for mounting of blobs.
+            if options.mount_blobs and blob_digest in options.mount_blobs:
+                self.conduct(
+                    session,
+                    "POST",
+                    "/v2/%s/blobs/uploads/" % self.repo_name(namespace, repo_name),
+                    params={
+                        "mount": blob_digest,
+                        "from": options.mount_blobs[blob_digest],
+                    },
+                    expected_status=(201, expected_failure, V2ProtocolSteps.MOUNT_BLOB),
+                    headers=headers,
+                )
+                if expected_failure is not None:
+                    return
+            else:
+                # Start a new upload of the blob data.
+                response = self.conduct(
+                    session,
+                    "POST",
+                    "/v2/%s/blobs/uploads/" % self.repo_name(namespace, repo_name),
+                    expected_status=(
+                        202,
+                        expected_failure,
+                        V2ProtocolSteps.START_UPLOAD,
+                    ),
+                    headers=headers,
+                )
+                if response.status_code != 202:
+                    continue
 
-      # And retrieve the blob data.
-      if not options.skip_blob_push_checks:
-        result = self.conduct(session, 'GET',
-                              '/v2/%s/blobs/%s' % (self.repo_name(namespace, repo_name), blob_digest),
-                              headers=headers, expected_status=200)
-        assert result.content == blob_bytes
+                upload_uuid = response.headers["Docker-Upload-UUID"]
+                new_upload_location = response.headers["Location"]
+                assert new_upload_location.startswith("http://localhost:5000")
 
-    return True
+                # We need to make this relative just for the tests because the live server test
+                # case modifies the port.
+                location = response.headers["Location"][len("http://localhost:5000") :]
 
-  def delete(self, session, namespace, repo_name, tag_names, credentials=None,
-             expected_failure=None, options=None):
-    options = options or ProtocolOptions()
-    scopes = options.scopes or ['repository:%s:*' % self.repo_name(namespace, repo_name)]
-    tag_names = [tag_names] if isinstance(tag_names, str) else tag_names
+                # PATCH the data into the blob.
+                if options.chunks_for_upload is None:
+                    self.conduct(
+                        session,
+                        "PATCH",
+                        location,
+                        data=blob_bytes,
+                        expected_status=204,
+                        headers=headers,
+                    )
+                else:
+                    # If chunked upload is requested, upload the data as a series of chunks, checking
+                    # status at every point.
+                    for chunk_data in options.chunks_for_upload:
+                        if len(chunk_data) == 3:
+                            (start_byte, end_byte, expected_code) = chunk_data
+                        else:
+                            (start_byte, end_byte) = chunk_data
+                            expected_code = 204
 
-    # Ping!
-    self.ping(session)
+                        patch_headers = {
+                            "Range": "bytes=%s-%s" % (start_byte, end_byte)
+                        }
+                        patch_headers.update(headers)
 
-    # Perform auth and retrieve a token.
-    token, _ = self.auth(session, credentials, namespace, repo_name, scopes=scopes,
-                         expected_failure=expected_failure)
-    if token is None:
-      return None
+                        contents_chunk = blob_bytes[start_byte:end_byte]
+                        self.conduct(
+                            session,
+                            "PATCH",
+                            location,
+                            data=contents_chunk,
+                            expected_status=expected_code,
+                            headers=patch_headers,
+                        )
+                        if expected_code != 204:
+                            return False
 
-    headers = {
-      'Authorization': 'Bearer ' + token,
-    }
+                        # Retrieve the upload status at each point, and ensure it is valid.
+                        status_url = "/v2/%s/blobs/uploads/%s" % (
+                            self.repo_name(namespace, repo_name),
+                            upload_uuid,
+                        )
+                        response = self.conduct(
+                            session,
+                            "GET",
+                            status_url,
+                            expected_status=204,
+                            headers=headers,
+                        )
+                        assert response.headers["Docker-Upload-UUID"] == upload_uuid
+                        assert response.headers["Range"] == "bytes=0-%s" % end_byte
 
-    for tag_name in tag_names:
-      self.conduct(session, 'DELETE',
-                   '/v2/%s/manifests/%s' % (self.repo_name(namespace, repo_name), tag_name),
-                   headers=headers,
-                   expected_status=202)
+                if options.cancel_blob_upload:
+                    self.conduct(
+                        session,
+                        "DELETE",
+                        location,
+                        params=dict(digest=blob_digest),
+                        expected_status=204,
+                        headers=headers,
+                    )
 
+                    # Ensure the upload was canceled.
+                    status_url = "/v2/%s/blobs/uploads/%s" % (
+                        self.repo_name(namespace, repo_name),
+                        upload_uuid,
+                    )
+                    self.conduct(
+                        session, "GET", status_url, expected_status=404, headers=headers
+                    )
+                    return False
 
-  def pull(self, session, namespace, repo_name, tag_names, images, credentials=None,
-           expected_failure=None, options=None):
-    options = options or ProtocolOptions()
-    scopes = options.scopes or ['repository:%s:pull' % self.repo_name(namespace, repo_name)]
-    tag_names = [tag_names] if isinstance(tag_names, str) else tag_names
+                # Finish the blob upload with a PUT.
+                response = self.conduct(
+                    session,
+                    "PUT",
+                    location,
+                    params=dict(digest=blob_digest),
+                    expected_status=201,
+                    headers=headers,
+                )
+                assert response.headers["Docker-Content-Digest"] == blob_digest
 
-    # Ping!
-    self.ping(session)
+            # Ensure the blob exists now.
+            response = self.conduct(
+                session,
+                "HEAD",
+                "/v2/%s/blobs/%s" % (self.repo_name(namespace, repo_name), blob_digest),
+                expected_status=200,
+                headers=headers,
+            )
 
-    # Perform auth and retrieve a token.
-    token, _ = self.auth(session, credentials, namespace, repo_name, scopes=scopes,
-                         expected_failure=expected_failure)
-    if token is None and not options.attempt_pull_without_token:
-      return None
+            assert response.headers["Docker-Content-Digest"] == blob_digest
+            assert response.headers["Content-Length"] == str(len(blob_bytes))
 
-    headers = {}
-    if token:
-      headers = {
-        'Authorization': 'Bearer ' + token,
-      }
+            # And retrieve the blob data.
+            if not options.skip_blob_push_checks:
+                result = self.conduct(
+                    session,
+                    "GET",
+                    "/v2/%s/blobs/%s"
+                    % (self.repo_name(namespace, repo_name), blob_digest),
+                    headers=headers,
+                    expected_status=200,
+                )
+                assert result.content == blob_bytes
 
-    if self.schema2:
-      headers['Accept'] = ','.join(options.accept_mimetypes
-                                   if options.accept_mimetypes is not None
-                                   else DOCKER_SCHEMA2_CONTENT_TYPES)
+        return True
 
-    manifests = {}
-    image_ids = {}
-    for tag_name in tag_names:
-      # Retrieve the manifest for the tag or digest.
-      response = self.conduct(session, 'GET',
-                              '/v2/%s/manifests/%s' % (self.repo_name(namespace, repo_name),
-                                                       tag_name),
-                              expected_status=(200, expected_failure, V2ProtocolSteps.GET_MANIFEST),
-                              headers=headers)
-      if response.status_code == 401:
-        assert 'WWW-Authenticate' in response.headers
+    def delete(
+        self,
+        session,
+        namespace,
+        repo_name,
+        tag_names,
+        credentials=None,
+        expected_failure=None,
+        options=None,
+    ):
+        options = options or ProtocolOptions()
+        scopes = options.scopes or [
+            "repository:%s:*" % self.repo_name(namespace, repo_name)
+        ]
+        tag_names = [tag_names] if isinstance(tag_names, str) else tag_names
 
-      response.encoding = 'utf-8'
-      if expected_failure is not None:
-        return None
+        # Ping!
+        self.ping(session)
 
-      # Ensure the manifest returned by us is valid.
-      ct = response.headers['Content-Type']
-      if not self.schema2:
-        assert ct in DOCKER_SCHEMA1_CONTENT_TYPES
+        # Perform auth and retrieve a token.
+        token, _ = self.auth(
+            session,
+            credentials,
+            namespace,
+            repo_name,
+            scopes=scopes,
+            expected_failure=expected_failure,
+        )
+        if token is None:
+            return None
 
-      manifest = parse_manifest_from_bytes(Bytes.for_string_or_unicode(response.text), ct)
-      manifests[tag_name] = manifest
+        headers = {"Authorization": "Bearer " + token}
 
-      if manifest.schema_version == 1:
-        image_ids[tag_name] = manifest.leaf_layer_v1_image_id
+        for tag_name in tag_names:
+            self.conduct(
+                session,
+                "DELETE",
+                "/v2/%s/manifests/%s"
+                % (self.repo_name(namespace, repo_name), tag_name),
+                headers=headers,
+                expected_status=202,
+            )
 
-      # Verify the blobs.
-      layer_index = 0
-      empty_count = 0
-      blob_digests = list(manifest.blob_digests)
-      for image in images:
-        if manifest.schema_version == 2 and image.is_empty:
-          empty_count += 1
-          continue
+    def pull(
+        self,
+        session,
+        namespace,
+        repo_name,
+        tag_names,
+        images,
+        credentials=None,
+        expected_failure=None,
+        options=None,
+    ):
+        options = options or ProtocolOptions()
+        scopes = options.scopes or [
+            "repository:%s:pull" % self.repo_name(namespace, repo_name)
+        ]
+        tag_names = [tag_names] if isinstance(tag_names, str) else tag_names
 
-        # If the layer is remote, then we expect the blob to *not* exist in the system.
-        blob_digest = blob_digests[layer_index]
-        expected_status = 404 if image.urls else 200
-        result = self.conduct(session, 'GET',
-                              '/v2/%s/blobs/%s' % (self.repo_name(namespace, repo_name),
-                                                   blob_digest),
-                              expected_status=(expected_status, expected_failure,
-                                               V2ProtocolSteps.GET_BLOB),
-                              headers=headers,
-                              options=options)
+        # Ping!
+        self.ping(session)
 
-        if expected_status == 200:
-          assert result.content == image.bytes
+        # Perform auth and retrieve a token.
+        token, _ = self.auth(
+            session,
+            credentials,
+            namespace,
+            repo_name,
+            scopes=scopes,
+            expected_failure=expected_failure,
+        )
+        if token is None and not options.attempt_pull_without_token:
+            return None
 
-        layer_index += 1
+        headers = {}
+        if token:
+            headers = {"Authorization": "Bearer " + token}
 
-      assert (len(blob_digests) + empty_count) >= len(images) # Schema 2 has 1 extra for config
+        if self.schema2:
+            headers["Accept"] = ",".join(
+                options.accept_mimetypes
+                if options.accept_mimetypes is not None
+                else DOCKER_SCHEMA2_CONTENT_TYPES
+            )
 
-    return PullResult(manifests=manifests, image_ids=image_ids)
+        manifests = {}
+        image_ids = {}
+        for tag_name in tag_names:
+            # Retrieve the manifest for the tag or digest.
+            response = self.conduct(
+                session,
+                "GET",
+                "/v2/%s/manifests/%s"
+                % (self.repo_name(namespace, repo_name), tag_name),
+                expected_status=(200, expected_failure, V2ProtocolSteps.GET_MANIFEST),
+                headers=headers,
+            )
+            if response.status_code == 401:
+                assert "WWW-Authenticate" in response.headers
 
+            response.encoding = "utf-8"
+            if expected_failure is not None:
+                return None
 
-  def tags(self, session, namespace, repo_name, page_size=2, credentials=None, options=None,
-           expected_failure=None):
-    options = options or ProtocolOptions()
-    scopes = options.scopes or ['repository:%s:pull' % self.repo_name(namespace, repo_name)]
+            # Ensure the manifest returned by us is valid.
+            ct = response.headers["Content-Type"]
+            if not self.schema2:
+                assert ct in DOCKER_SCHEMA1_CONTENT_TYPES
 
-    # Ping!
-    self.ping(session)
+            manifest = parse_manifest_from_bytes(
+                Bytes.for_string_or_unicode(response.text), ct
+            )
+            manifests[tag_name] = manifest
 
-    # Perform auth and retrieve a token.
-    headers = {}
-    if credentials is not None:
-      token, _ = self.auth(session, credentials, namespace, repo_name, scopes=scopes,
-                           expected_failure=expected_failure)
-      if token is None:
-        return None
+            if manifest.schema_version == 1:
+                image_ids[tag_name] = manifest.leaf_layer_v1_image_id
 
-      headers = {
-        'Authorization': 'Bearer ' + token,
-      }
+            # Verify the blobs.
+            layer_index = 0
+            empty_count = 0
+            blob_digests = list(manifest.blob_digests)
+            for image in images:
+                if manifest.schema_version == 2 and image.is_empty:
+                    empty_count += 1
+                    continue
 
-    results = []
-    url = '/v2/%s/tags/list' % (self.repo_name(namespace, repo_name))
-    params = {}
-    if page_size is not None:
-      params['n'] = page_size
+                # If the layer is remote, then we expect the blob to *not* exist in the system.
+                blob_digest = blob_digests[layer_index]
+                expected_status = 404 if image.urls else 200
+                result = self.conduct(
+                    session,
+                    "GET",
+                    "/v2/%s/blobs/%s"
+                    % (self.repo_name(namespace, repo_name), blob_digest),
+                    expected_status=(
+                        expected_status,
+                        expected_failure,
+                        V2ProtocolSteps.GET_BLOB,
+                    ),
+                    headers=headers,
+                    options=options,
+                )
 
-    while True:
-      response = self.conduct(session, 'GET', url, headers=headers, params=params,
-                              expected_status=(200, expected_failure, V2ProtocolSteps.LIST_TAGS))
-      data = response.json()
+                if expected_status == 200:
+                    assert result.content == image.bytes
 
-      assert len(data['tags']) <= page_size
-      results.extend(data['tags'])
+                layer_index += 1
+
+            assert (len(blob_digests) + empty_count) >= len(
+                images
+            )  # Schema 2 has 1 extra for config
+
+        return PullResult(manifests=manifests, image_ids=image_ids)
+
+    def tags(
+        self,
+        session,
+        namespace,
+        repo_name,
+        page_size=2,
+        credentials=None,
+        options=None,
+        expected_failure=None,
+    ):
+        options = options or ProtocolOptions()
+        scopes = options.scopes or [
+            "repository:%s:pull" % self.repo_name(namespace, repo_name)
+        ]
+
+        # Ping!
+        self.ping(session)
+
+        # Perform auth and retrieve a token.
+        headers = {}
+        if credentials is not None:
+            token, _ = self.auth(
+                session,
+                credentials,
+                namespace,
+                repo_name,
+                scopes=scopes,
+                expected_failure=expected_failure,
+            )
+            if token is None:
+                return None
+
+            headers = {"Authorization": "Bearer " + token}
+
+        results = []
+        url = "/v2/%s/tags/list" % (self.repo_name(namespace, repo_name))
+        params = {}
+        if page_size is not None:
+            params["n"] = page_size
+
+        while True:
+            response = self.conduct(
+                session,
+                "GET",
+                url,
+                headers=headers,
+                params=params,
+                expected_status=(200, expected_failure, V2ProtocolSteps.LIST_TAGS),
+            )
+            data = response.json()
+
+            assert len(data["tags"]) <= page_size
+            results.extend(data["tags"])
+
+            if not response.headers.get("Link"):
+                return results
+
+            link_url = response.headers["Link"]
+            v2_index = link_url.find("/v2/")
+            url = link_url[v2_index:]
 
-      if not response.headers.get('Link'):
         return results
 
-      link_url = response.headers['Link']
-      v2_index = link_url.find('/v2/')
-      url = link_url[v2_index:]
+    def catalog(
+        self,
+        session,
+        page_size=2,
+        credentials=None,
+        options=None,
+        expected_failure=None,
+        namespace=None,
+        repo_name=None,
+        bearer_token=None,
+    ):
+        options = options or ProtocolOptions()
+        scopes = options.scopes or []
 
-    return results
+        # Ping!
+        self.ping(session)
 
-  def catalog(self, session, page_size=2, credentials=None, options=None, expected_failure=None,
-              namespace=None, repo_name=None, bearer_token=None):
-    options = options or ProtocolOptions()
-    scopes = options.scopes or []
+        # Perform auth and retrieve a token.
+        headers = {}
+        if credentials is not None:
+            token, _ = self.auth(
+                session,
+                credentials,
+                namespace,
+                repo_name,
+                scopes=scopes,
+                expected_failure=expected_failure,
+            )
+            if token is None:
+                return None
 
-    # Ping!
-    self.ping(session)
+            headers = {"Authorization": "Bearer " + token}
 
-    # Perform auth and retrieve a token.
-    headers = {}
-    if credentials is not None:
-      token, _ = self.auth(session, credentials, namespace, repo_name, scopes=scopes,
-                           expected_failure=expected_failure)
-      if token is None:
-        return None
+        if bearer_token is not None:
+            headers = {"Authorization": "Bearer " + bearer_token}
 
-      headers = {
-        'Authorization': 'Bearer ' + token,
-      }
+        results = []
+        url = "/v2/_catalog"
+        params = {}
+        if page_size is not None:
+            params["n"] = page_size
 
-    if bearer_token is not None:
-      headers = {
-        'Authorization': 'Bearer ' + bearer_token,
-      }
+        while True:
+            response = self.conduct(
+                session,
+                "GET",
+                url,
+                headers=headers,
+                params=params,
+                expected_status=(200, expected_failure, V2ProtocolSteps.CATALOG),
+            )
+            data = response.json()
 
-    results = []
-    url = '/v2/_catalog'
-    params = {}
-    if page_size is not None:
-      params['n'] = page_size
+            assert len(data["repositories"]) <= page_size
+            results.extend(data["repositories"])
 
-    while True:
-      response = self.conduct(session, 'GET', url, headers=headers, params=params,
-                              expected_status=(200, expected_failure, V2ProtocolSteps.CATALOG))
-      data = response.json()
+            if not response.headers.get("Link"):
+                return results
 
-      assert len(data['repositories']) <= page_size
-      results.extend(data['repositories'])
+            link_url = response.headers["Link"]
+            v2_index = link_url.find("/v2/")
+            url = link_url[v2_index:]
 
-      if not response.headers.get('Link'):
         return results
-
-      link_url = response.headers['Link']
-      v2_index = link_url.find('/v2/')
-      url = link_url[v2_index:]
-
-    return results
\ No newline at end of file
diff --git a/test/registry/protocols.py b/test/registry/protocols.py
index 071664a9a..0a3759c92 100644
--- a/test/registry/protocols.py
+++ b/test/registry/protocols.py
@@ -9,140 +9,187 @@ from six import add_metaclass
 
 from image.docker.schema2 import EMPTY_LAYER_BYTES
 
-Image = namedtuple('Image', ['id', 'parent_id', 'bytes', 'size', 'config', 'created', 'urls',
-                             'is_empty'])
+Image = namedtuple(
+    "Image",
+    ["id", "parent_id", "bytes", "size", "config", "created", "urls", "is_empty"],
+)
 Image.__new__.__defaults__ = (None, None, None, None, False)
 
-PushResult = namedtuple('PushResult', ['manifests', 'headers'])
-PullResult = namedtuple('PullResult', ['manifests', 'image_ids'])
+PushResult = namedtuple("PushResult", ["manifests", "headers"])
+PullResult = namedtuple("PullResult", ["manifests", "image_ids"])
 
 
-def layer_bytes_for_contents(contents, mode='|gz', other_files=None, empty=False):
-  if empty:
-    return EMPTY_LAYER_BYTES
+def layer_bytes_for_contents(contents, mode="|gz", other_files=None, empty=False):
+    if empty:
+        return EMPTY_LAYER_BYTES
 
-  layer_data = StringIO()
-  tar_file = tarfile.open(fileobj=layer_data, mode='w' + mode)
+    layer_data = StringIO()
+    tar_file = tarfile.open(fileobj=layer_data, mode="w" + mode)
 
-  def add_file(name, contents):
-    tar_file_info = tarfile.TarInfo(name=name)
-    tar_file_info.type = tarfile.REGTYPE
-    tar_file_info.size = len(contents)
-    tar_file_info.mtime = 1
+    def add_file(name, contents):
+        tar_file_info = tarfile.TarInfo(name=name)
+        tar_file_info.type = tarfile.REGTYPE
+        tar_file_info.size = len(contents)
+        tar_file_info.mtime = 1
 
-    tar_file.addfile(tar_file_info, StringIO(contents))
+        tar_file.addfile(tar_file_info, StringIO(contents))
 
-  add_file('contents', contents)
+    add_file("contents", contents)
 
-  if other_files is not None:
-    for file_name, file_contents in other_files.iteritems():
-      add_file(file_name, file_contents)
+    if other_files is not None:
+        for file_name, file_contents in other_files.iteritems():
+            add_file(file_name, file_contents)
 
-  tar_file.close()
+    tar_file.close()
 
-  layer_bytes = layer_data.getvalue()
-  layer_data.close()
-  return layer_bytes
+    layer_bytes = layer_data.getvalue()
+    layer_data.close()
+    return layer_bytes
 
 
 @unique
 class Failures(Enum):
-  """ Defines the various forms of expected failure. """
-  UNAUTHENTICATED = 'unauthenticated'
-  UNAUTHORIZED = 'unauthorized'
-  INVALID_AUTHENTICATION = 'invalid-authentication'
-  INVALID_REGISTRY = 'invalid-registry'
-  INVALID_REPOSITORY = 'invalid-repository'
-  SLASH_REPOSITORY = 'slash-repository'
-  APP_REPOSITORY = 'app-repository'
-  UNKNOWN_TAG = 'unknown-tag'
-  ANONYMOUS_NOT_ALLOWED = 'anonymous-not-allowed'
-  DISALLOWED_LIBRARY_NAMESPACE = 'disallowed-library-namespace'
-  MISSING_TAG = 'missing-tag'
-  INVALID_TAG = 'invalid-tag'
-  INVALID_MANIFEST = 'invalid-manifest'
-  INVALID_IMAGES = 'invalid-images'
-  UNSUPPORTED_CONTENT_TYPE = 'unsupported-content-type'
-  INVALID_BLOB = 'invalid-blob'
-  NAMESPACE_DISABLED = 'namespace-disabled'
-  UNAUTHORIZED_FOR_MOUNT = 'unauthorized-for-mount'
-  GEO_BLOCKED = 'geo-blocked'
-  READ_ONLY = 'read-only'
-  MIRROR_ONLY = 'mirror-only'
-  MIRROR_MISCONFIGURED = 'mirror-misconfigured'
-  MIRROR_ROBOT_MISSING = 'mirror-robot-missing'
-  READONLY_REGISTRY = 'readonly-registry'
+    """ Defines the various forms of expected failure. """
+
+    UNAUTHENTICATED = "unauthenticated"
+    UNAUTHORIZED = "unauthorized"
+    INVALID_AUTHENTICATION = "invalid-authentication"
+    INVALID_REGISTRY = "invalid-registry"
+    INVALID_REPOSITORY = "invalid-repository"
+    SLASH_REPOSITORY = "slash-repository"
+    APP_REPOSITORY = "app-repository"
+    UNKNOWN_TAG = "unknown-tag"
+    ANONYMOUS_NOT_ALLOWED = "anonymous-not-allowed"
+    DISALLOWED_LIBRARY_NAMESPACE = "disallowed-library-namespace"
+    MISSING_TAG = "missing-tag"
+    INVALID_TAG = "invalid-tag"
+    INVALID_MANIFEST = "invalid-manifest"
+    INVALID_IMAGES = "invalid-images"
+    UNSUPPORTED_CONTENT_TYPE = "unsupported-content-type"
+    INVALID_BLOB = "invalid-blob"
+    NAMESPACE_DISABLED = "namespace-disabled"
+    UNAUTHORIZED_FOR_MOUNT = "unauthorized-for-mount"
+    GEO_BLOCKED = "geo-blocked"
+    READ_ONLY = "read-only"
+    MIRROR_ONLY = "mirror-only"
+    MIRROR_MISCONFIGURED = "mirror-misconfigured"
+    MIRROR_ROBOT_MISSING = "mirror-robot-missing"
+    READONLY_REGISTRY = "readonly-registry"
 
 
 class ProtocolOptions(object):
-  def __init__(self):
-    self.scopes = None
-    self.cancel_blob_upload = False
-    self.manifest_invalid_blob_references = False
-    self.chunks_for_upload = None
-    self.skip_head_checks = False
-    self.manifest_content_type = None
-    self.accept_mimetypes = None
-    self.mount_blobs = None
-    self.push_by_manifest_digest = False
-    self.request_addr = None
-    self.skip_blob_push_checks = False
-    self.ensure_ascii = True
-    self.attempt_pull_without_token = False
+    def __init__(self):
+        self.scopes = None
+        self.cancel_blob_upload = False
+        self.manifest_invalid_blob_references = False
+        self.chunks_for_upload = None
+        self.skip_head_checks = False
+        self.manifest_content_type = None
+        self.accept_mimetypes = None
+        self.mount_blobs = None
+        self.push_by_manifest_digest = False
+        self.request_addr = None
+        self.skip_blob_push_checks = False
+        self.ensure_ascii = True
+        self.attempt_pull_without_token = False
 
 
 @add_metaclass(ABCMeta)
 class RegistryProtocol(object):
-  """ Interface for protocols. """
-  FAILURE_CODES = {}
+    """ Interface for protocols. """
 
-  @abstractmethod
-  def login(self, session, username, password, scopes, expect_success):
-    """ Performs the login flow with the given credentials, over the given scopes. """
+    FAILURE_CODES = {}
 
-  @abstractmethod
-  def pull(self, session, namespace, repo_name, tag_names, images, credentials=None,
-           expected_failure=None, options=None):
-    """ Pulls the given tag via the given session, using the given credentials, and
+    @abstractmethod
+    def login(self, session, username, password, scopes, expect_success):
+        """ Performs the login flow with the given credentials, over the given scopes. """
+
+    @abstractmethod
+    def pull(
+        self,
+        session,
+        namespace,
+        repo_name,
+        tag_names,
+        images,
+        credentials=None,
+        expected_failure=None,
+        options=None,
+    ):
+        """ Pulls the given tag via the given session, using the given credentials, and
         ensures the given images match.
     """
 
-  @abstractmethod
-  def push(self, session, namespace, repo_name, tag_names, images, credentials=None,
-           expected_failure=None, options=None):
-    """ Pushes the specified images as the given tag via the given session, using
+    @abstractmethod
+    def push(
+        self,
+        session,
+        namespace,
+        repo_name,
+        tag_names,
+        images,
+        credentials=None,
+        expected_failure=None,
+        options=None,
+    ):
+        """ Pushes the specified images as the given tag via the given session, using
         the given credentials.
     """
 
-  @abstractmethod
-  def delete(self, session, namespace, repo_name, tag_names, credentials=None,
-             expected_failure=None, options=None):
-    """ Deletes some tags. """
-    
-  def repo_name(self, namespace, repo_name):
-    if namespace:
-      return '%s/%s' % (namespace, repo_name)
+    @abstractmethod
+    def delete(
+        self,
+        session,
+        namespace,
+        repo_name,
+        tag_names,
+        credentials=None,
+        expected_failure=None,
+        options=None,
+    ):
+        """ Deletes some tags. """
 
-    return repo_name
+    def repo_name(self, namespace, repo_name):
+        if namespace:
+            return "%s/%s" % (namespace, repo_name)
 
-  def conduct(self, session, method, url, expected_status=200, params=None, data=None,
-              json_data=None, headers=None, auth=None, options=None):
-    if json_data is not None:
-      data = json.dumps(json_data).encode('utf-8')
-      headers = headers or {}
-      headers['Content-Type'] = 'application/json'
+        return repo_name
 
-    if options and options.request_addr:
-      headers = headers or {}
-      headers['X-Override-Remote-Addr-For-Testing'] = options.request_addr
+    def conduct(
+        self,
+        session,
+        method,
+        url,
+        expected_status=200,
+        params=None,
+        data=None,
+        json_data=None,
+        headers=None,
+        auth=None,
+        options=None,
+    ):
+        if json_data is not None:
+            data = json.dumps(json_data).encode("utf-8")
+            headers = headers or {}
+            headers["Content-Type"] = "application/json"
 
-    if isinstance(expected_status, tuple):
-      expected_status, expected_failure, protocol_step = expected_status
-      if expected_failure is not None:
-        failures = self.__class__.FAILURE_CODES.get(protocol_step, {})
-        expected_status = failures.get(expected_failure, expected_status)
+        if options and options.request_addr:
+            headers = headers or {}
+            headers["X-Override-Remote-Addr-For-Testing"] = options.request_addr
 
-    result = session.request(method, url, params=params, data=data, headers=headers, auth=auth)
-    msg = "Expected response %s, got %s: %s" % (expected_status, result.status_code, result.text)
-    assert result.status_code == expected_status, msg
-    return result
+        if isinstance(expected_status, tuple):
+            expected_status, expected_failure, protocol_step = expected_status
+            if expected_failure is not None:
+                failures = self.__class__.FAILURE_CODES.get(protocol_step, {})
+                expected_status = failures.get(expected_failure, expected_status)
+
+        result = session.request(
+            method, url, params=params, data=data, headers=headers, auth=auth
+        )
+        msg = "Expected response %s, got %s: %s" % (
+            expected_status,
+            result.status_code,
+            result.text,
+        )
+        assert result.status_code == expected_status, msg
+        return result
diff --git a/test/registry/registry_tests.py b/test/registry/registry_tests.py
index ec4a6e5d5..1a7552e8e 100644
--- a/test/registry/registry_tests.py
+++ b/test/registry/registry_tests.py
@@ -15,7 +15,12 @@ from test.registry.liveserverfixture import *
 from test.registry.fixtures import *
 from test.registry.protocol_fixtures import *
 
-from test.registry.protocols import Failures, Image, layer_bytes_for_contents, ProtocolOptions
+from test.registry.protocols import (
+    Failures,
+    Image,
+    layer_bytes_for_contents,
+    ProtocolOptions,
+)
 
 from app import instance_keys
 from data.model.tag import list_repository_tags
@@ -27,2296 +32,3892 @@ from util.security.registry_jwt import decode_bearer_header
 from util.timedeltastring import convert_to_timedelta
 
 
-def test_basic_push_pull(pusher, puller, basic_images, liveserver_session, app_reloader):
-  """ Test: Basic push and pull of an image to a new repository. """
-  credentials = ('devtable', 'password')
+def test_basic_push_pull(
+    pusher, puller, basic_images, liveserver_session, app_reloader
+):
+    """ Test: Basic push and pull of an image to a new repository. """
+    credentials = ("devtable", "password")
 
-  # Push a new repository.
-  pusher.push(liveserver_session, 'devtable', 'newrepo', 'latest', basic_images,
-              credentials=credentials)
+    # Push a new repository.
+    pusher.push(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        basic_images,
+        credentials=credentials,
+    )
 
-  # Pull the repository to verify.
-  puller.pull(liveserver_session, 'devtable', 'newrepo', 'latest', basic_images,
-              credentials=credentials)
+    # Pull the repository to verify.
+    puller.pull(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        basic_images,
+        credentials=credentials,
+    )
 
 
-def test_empty_layer(pusher, puller, images_with_empty_layer, liveserver_session, app_reloader):
-  """ Test: Push and pull of an image with an empty layer to a new repository. """
-  credentials = ('devtable', 'password')
+def test_empty_layer(
+    pusher, puller, images_with_empty_layer, liveserver_session, app_reloader
+):
+    """ Test: Push and pull of an image with an empty layer to a new repository. """
+    credentials = ("devtable", "password")
 
-  # Push a new repository.
-  pusher.push(liveserver_session, 'devtable', 'newrepo', 'latest', images_with_empty_layer,
-              credentials=credentials)
+    # Push a new repository.
+    pusher.push(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        images_with_empty_layer,
+        credentials=credentials,
+    )
 
-  # Pull the repository to verify.
-  puller.pull(liveserver_session, 'devtable', 'newrepo', 'latest', images_with_empty_layer,
-              credentials=credentials)
+    # Pull the repository to verify.
+    puller.pull(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        images_with_empty_layer,
+        credentials=credentials,
+    )
 
 
-def test_empty_layer_push_again(pusher, puller, images_with_empty_layer, liveserver_session,
-                                app_reloader):
-  """ Test: Push and pull of an image with an empty layer to a new repository and then push it
+def test_empty_layer_push_again(
+    pusher, puller, images_with_empty_layer, liveserver_session, app_reloader
+):
+    """ Test: Push and pull of an image with an empty layer to a new repository and then push it
       again. """
-  credentials = ('devtable', 'password')
+    credentials = ("devtable", "password")
 
-  # Push a new repository.
-  pusher.push(liveserver_session, 'devtable', 'newrepo', 'latest', images_with_empty_layer,
-              credentials=credentials)
+    # Push a new repository.
+    pusher.push(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        images_with_empty_layer,
+        credentials=credentials,
+    )
 
-  # Pull the repository to verify.
-  puller.pull(liveserver_session, 'devtable', 'newrepo', 'latest', images_with_empty_layer,
-              credentials=credentials)
+    # Pull the repository to verify.
+    puller.pull(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        images_with_empty_layer,
+        credentials=credentials,
+    )
 
-  # Push to the repository again, to ensure everything is skipped properly.
-  options = ProtocolOptions()
-  options.skip_head_checks = True
-  pusher.push(liveserver_session, 'devtable', 'newrepo', 'latest', images_with_empty_layer,
-              credentials=credentials, options=options)
+    # Push to the repository again, to ensure everything is skipped properly.
+    options = ProtocolOptions()
+    options.skip_head_checks = True
+    pusher.push(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        images_with_empty_layer,
+        credentials=credentials,
+        options=options,
+    )
 
 
-def test_multi_layer_images_push_pull(pusher, puller, multi_layer_images, liveserver_session,
-                                      app_reloader):
-  """ Test: Basic push and pull of a multi-layered image to a new repository. """
-  credentials = ('devtable', 'password')
+def test_multi_layer_images_push_pull(
+    pusher, puller, multi_layer_images, liveserver_session, app_reloader
+):
+    """ Test: Basic push and pull of a multi-layered image to a new repository. """
+    credentials = ("devtable", "password")
 
-  # Push a new repository.
-  pusher.push(liveserver_session, 'devtable', 'newrepo', 'latest', multi_layer_images,
-              credentials=credentials)
+    # Push a new repository.
+    pusher.push(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        multi_layer_images,
+        credentials=credentials,
+    )
 
-  # Pull the repository to verify.
-  puller.pull(liveserver_session, 'devtable', 'newrepo', 'latest', multi_layer_images,
-              credentials=credentials)
+    # Pull the repository to verify.
+    puller.pull(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        multi_layer_images,
+        credentials=credentials,
+    )
 
 
-def test_overwrite_tag(pusher, puller, basic_images, different_images, liveserver_session,
-                       app_reloader):
-  """ Test: Basic push and pull of an image to a new repository, followed by a push to the same
+def test_overwrite_tag(
+    pusher, puller, basic_images, different_images, liveserver_session, app_reloader
+):
+    """ Test: Basic push and pull of an image to a new repository, followed by a push to the same
       tag with different images. """
-  credentials = ('devtable', 'password')
+    credentials = ("devtable", "password")
 
-  # Push a new repository.
-  pusher.push(liveserver_session, 'devtable', 'newrepo', 'latest', basic_images,
-              credentials=credentials)
+    # Push a new repository.
+    pusher.push(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        basic_images,
+        credentials=credentials,
+    )
 
-  # Pull the repository to verify.
-  puller.pull(liveserver_session, 'devtable', 'newrepo', 'latest', basic_images,
-              credentials=credentials)
+    # Pull the repository to verify.
+    puller.pull(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        basic_images,
+        credentials=credentials,
+    )
 
-  # Push a new repository.
-  pusher.push(liveserver_session, 'devtable', 'newrepo', 'latest', different_images,
-              credentials=credentials)
+    # Push a new repository.
+    pusher.push(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        different_images,
+        credentials=credentials,
+    )
 
-  # Pull the repository to verify.
-  puller.pull(liveserver_session, 'devtable', 'newrepo', 'latest', different_images,
-              credentials=credentials)
+    # Pull the repository to verify.
+    puller.pull(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        different_images,
+        credentials=credentials,
+    )
 
 
-def test_no_tag_manifests(pusher, puller, basic_images, liveserver_session, app_reloader,
-                          liveserver, registry_server_executor, data_model):
-  """ Test: Basic pull without manifests. """
-  if data_model == 'oci_model':
-    # Skip; OCI model doesn't have tag backfill.
-    return
+def test_no_tag_manifests(
+    pusher,
+    puller,
+    basic_images,
+    liveserver_session,
+    app_reloader,
+    liveserver,
+    registry_server_executor,
+    data_model,
+):
+    """ Test: Basic pull without manifests. """
+    if data_model == "oci_model":
+        # Skip; OCI model doesn't have tag backfill.
+        return
 
-  credentials = ('devtable', 'password')
+    credentials = ("devtable", "password")
 
-  # Push a new repository.
-  pusher.push(liveserver_session, 'devtable', 'newrepo', 'latest', basic_images,
-              credentials=credentials)
+    # Push a new repository.
+    pusher.push(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        basic_images,
+        credentials=credentials,
+    )
 
-  # Delete all tag manifests.
-  registry_server_executor.on(liveserver).delete_manifests()
+    # Delete all tag manifests.
+    registry_server_executor.on(liveserver).delete_manifests()
 
-  # Ensure we can still pull.
-  puller.pull(liveserver_session, 'devtable', 'newrepo', 'latest', basic_images,
-              credentials=credentials)
+    # Ensure we can still pull.
+    puller.pull(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        basic_images,
+        credentials=credentials,
+    )
 
 
-def test_basic_push_pull_by_manifest(manifest_protocol, basic_images, liveserver_session,
-                                     app_reloader):
-  """ Test: Basic push and pull-by-manifest of an image to a new repository. """
-  credentials = ('devtable', 'password')
+def test_basic_push_pull_by_manifest(
+    manifest_protocol, basic_images, liveserver_session, app_reloader
+):
+    """ Test: Basic push and pull-by-manifest of an image to a new repository. """
+    credentials = ("devtable", "password")
 
-  # Push a new repository.
-  result = manifest_protocol.push(liveserver_session, 'devtable', 'newrepo', 'latest', basic_images,
-                                  credentials=credentials)
+    # Push a new repository.
+    result = manifest_protocol.push(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        basic_images,
+        credentials=credentials,
+    )
 
-  # Pull the repository by digests to verify.
-  digests = [str(manifest.digest) for manifest in result.manifests.values()]
-  manifest_protocol.pull(liveserver_session, 'devtable', 'newrepo', digests, basic_images,
-                         credentials=credentials)
+    # Pull the repository by digests to verify.
+    digests = [str(manifest.digest) for manifest in result.manifests.values()]
+    manifest_protocol.pull(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        digests,
+        basic_images,
+        credentials=credentials,
+    )
 
 
-def test_basic_push_by_manifest_digest(manifest_protocol, basic_images, liveserver_session,
-                                       app_reloader):
-  """ Test: Basic push-by-manifest and pull-by-manifest of an image to a new repository. """
-  credentials = ('devtable', 'password')
+def test_basic_push_by_manifest_digest(
+    manifest_protocol, basic_images, liveserver_session, app_reloader
+):
+    """ Test: Basic push-by-manifest and pull-by-manifest of an image to a new repository. """
+    credentials = ("devtable", "password")
 
-  # Push a new repository.
-  options = ProtocolOptions()
-  options.push_by_manifest_digest = True
+    # Push a new repository.
+    options = ProtocolOptions()
+    options.push_by_manifest_digest = True
 
-  result = manifest_protocol.push(liveserver_session, 'devtable', 'newrepo', 'latest', basic_images,
-                                  credentials=credentials, options=options)
+    result = manifest_protocol.push(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        basic_images,
+        credentials=credentials,
+        options=options,
+    )
 
-  # Pull the repository by digests to verify.
-  digests = [str(manifest.digest) for manifest in result.manifests.values()]
-  manifest_protocol.pull(liveserver_session, 'devtable', 'newrepo', digests, basic_images,
-                         credentials=credentials)
+    # Pull the repository by digests to verify.
+    digests = [str(manifest.digest) for manifest in result.manifests.values()]
+    manifest_protocol.pull(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        digests,
+        basic_images,
+        credentials=credentials,
+    )
 
 
-def test_push_invalid_credentials(pusher, basic_images, liveserver_session, app_reloader):
-  """ Test: Ensure we get auth errors when trying to push with invalid credentials. """
-  invalid_credentials = ('devtable', 'notcorrectpassword')
+def test_push_invalid_credentials(
+    pusher, basic_images, liveserver_session, app_reloader
+):
+    """ Test: Ensure we get auth errors when trying to push with invalid credentials. """
+    invalid_credentials = ("devtable", "notcorrectpassword")
 
-  pusher.push(liveserver_session, 'devtable', 'newrepo', 'latest', basic_images,
-              credentials=invalid_credentials, expected_failure=Failures.UNAUTHENTICATED)
+    pusher.push(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        basic_images,
+        credentials=invalid_credentials,
+        expected_failure=Failures.UNAUTHENTICATED,
+    )
 
 
-def test_pull_invalid_credentials(puller, basic_images, liveserver_session, app_reloader):
-  """ Test: Ensure we get auth errors when trying to pull with invalid credentials. """
-  invalid_credentials = ('devtable', 'notcorrectpassword')
+def test_pull_invalid_credentials(
+    puller, basic_images, liveserver_session, app_reloader
+):
+    """ Test: Ensure we get auth errors when trying to pull with invalid credentials. """
+    invalid_credentials = ("devtable", "notcorrectpassword")
 
-  puller.pull(liveserver_session, 'devtable', 'newrepo', 'latest', basic_images,
-              credentials=invalid_credentials, expected_failure=Failures.UNAUTHENTICATED)
+    puller.pull(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        basic_images,
+        credentials=invalid_credentials,
+        expected_failure=Failures.UNAUTHENTICATED,
+    )
 
 
-def test_push_pull_formerly_bad_repo_name(pusher, puller, basic_images, liveserver_session,
-                                          app_reloader):
-  """ Test: Basic push and pull of an image to a new repository with a name that formerly
+def test_push_pull_formerly_bad_repo_name(
+    pusher, puller, basic_images, liveserver_session, app_reloader
+):
+    """ Test: Basic push and pull of an image to a new repository with a name that formerly
             failed. """
-  credentials = ('devtable', 'password')
+    credentials = ("devtable", "password")
 
-  # Push a new repository.
-  pusher.push(liveserver_session, 'devtable', 'foo.bar', 'latest', basic_images,
-              credentials=credentials)
+    # Push a new repository.
+    pusher.push(
+        liveserver_session,
+        "devtable",
+        "foo.bar",
+        "latest",
+        basic_images,
+        credentials=credentials,
+    )
 
-  # Pull the repository to verify.
-  puller.pull(liveserver_session, 'devtable', 'foo.bar', 'latest', basic_images,
-              credentials=credentials)
+    # Pull the repository to verify.
+    puller.pull(
+        liveserver_session,
+        "devtable",
+        "foo.bar",
+        "latest",
+        basic_images,
+        credentials=credentials,
+    )
 
 
-def test_application_repo(pusher, puller, basic_images, liveserver_session, app_reloader,
-                          registry_server_executor, liveserver):
-  """ Test: Attempting to push or pull from an *application* repository raises a 405. """
-  credentials = ('devtable', 'password')
-  registry_server_executor.on(liveserver).create_app_repository('devtable', 'someapprepo')
+def test_application_repo(
+    pusher,
+    puller,
+    basic_images,
+    liveserver_session,
+    app_reloader,
+    registry_server_executor,
+    liveserver,
+):
+    """ Test: Attempting to push or pull from an *application* repository raises a 405. """
+    credentials = ("devtable", "password")
+    registry_server_executor.on(liveserver).create_app_repository(
+        "devtable", "someapprepo"
+    )
 
-  # Attempt to push to the repository.
-  pusher.push(liveserver_session, 'devtable', 'someapprepo', 'latest', basic_images,
-              credentials=credentials, expected_failure=Failures.APP_REPOSITORY)
+    # Attempt to push to the repository.
+    pusher.push(
+        liveserver_session,
+        "devtable",
+        "someapprepo",
+        "latest",
+        basic_images,
+        credentials=credentials,
+        expected_failure=Failures.APP_REPOSITORY,
+    )
 
-  # Attempt to pull from the repository.
-  puller.pull(liveserver_session, 'devtable', 'someapprepo', 'latest', basic_images,
-              credentials=credentials, expected_failure=Failures.APP_REPOSITORY)
+    # Attempt to pull from the repository.
+    puller.pull(
+        liveserver_session,
+        "devtable",
+        "someapprepo",
+        "latest",
+        basic_images,
+        credentials=credentials,
+        expected_failure=Failures.APP_REPOSITORY,
+    )
 
 
-def test_middle_layer_different_sha(v2_protocol, v1_protocol, liveserver_session,
-                                    app_reloader):
-  """ Test: Pushing of a 3-layer image with the *same* V1 ID's, but the middle layer having
+def test_middle_layer_different_sha(
+    v2_protocol, v1_protocol, liveserver_session, app_reloader
+):
+    """ Test: Pushing of a 3-layer image with the *same* V1 ID's, but the middle layer having
             different bytes, must result in new IDs being generated for the leaf layer, as
             they point to different "images".
   """
-  credentials = ('devtable', 'password')
-  first_images = [
-    Image(id='baseimage', parent_id=None, size=None, bytes=layer_bytes_for_contents('base')),
-    Image(id='middleimage', parent_id='baseimage', size=None,
-          bytes=layer_bytes_for_contents('middle')),
-    Image(id='leafimage', parent_id='middleimage', size=None,
-          bytes=layer_bytes_for_contents('leaf')),
-  ]
+    credentials = ("devtable", "password")
+    first_images = [
+        Image(
+            id="baseimage",
+            parent_id=None,
+            size=None,
+            bytes=layer_bytes_for_contents("base"),
+        ),
+        Image(
+            id="middleimage",
+            parent_id="baseimage",
+            size=None,
+            bytes=layer_bytes_for_contents("middle"),
+        ),
+        Image(
+            id="leafimage",
+            parent_id="middleimage",
+            size=None,
+            bytes=layer_bytes_for_contents("leaf"),
+        ),
+    ]
 
-  # First push and pull the images, to ensure we have the basics setup and working.
-  v2_protocol.push(liveserver_session, 'devtable', 'newrepo', 'latest', first_images,
-                   credentials=credentials)
-  first_pull_result = v2_protocol.pull(liveserver_session, 'devtable', 'newrepo', 'latest',
-                                       first_images, credentials=credentials)
-  first_manifest = first_pull_result.manifests['latest']
-  assert set([image.id for image in first_images]) == set(first_manifest.image_ids)
-  assert first_pull_result.image_ids['latest'] == 'leafimage'
+    # First push and pull the images, to ensure we have the basics setup and working.
+    v2_protocol.push(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        first_images,
+        credentials=credentials,
+    )
+    first_pull_result = v2_protocol.pull(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        first_images,
+        credentials=credentials,
+    )
+    first_manifest = first_pull_result.manifests["latest"]
+    assert set([image.id for image in first_images]) == set(first_manifest.image_ids)
+    assert first_pull_result.image_ids["latest"] == "leafimage"
 
-  # Next, create an image list with the middle image's *bytes* changed.
-  second_images = list(first_images)
-  second_images[1] = Image(id='middleimage', parent_id='baseimage', size=None,
-                           bytes=layer_bytes_for_contents('different middle bytes'))
+    # Next, create an image list with the middle image's *bytes* changed.
+    second_images = list(first_images)
+    second_images[1] = Image(
+        id="middleimage",
+        parent_id="baseimage",
+        size=None,
+        bytes=layer_bytes_for_contents("different middle bytes"),
+    )
 
-  # Push and pull the image, ensuring that the produced ID for the middle and leaf layers
-  # are synthesized.
-  options = ProtocolOptions()
-  options.skip_head_checks = True
+    # Push and pull the image, ensuring that the produced ID for the middle and leaf layers
+    # are synthesized.
+    options = ProtocolOptions()
+    options.skip_head_checks = True
 
-  v2_protocol.push(liveserver_session, 'devtable', 'newrepo', 'latest', second_images,
-                   credentials=credentials, options=options)
-  second_pull_result = v1_protocol.pull(liveserver_session, 'devtable', 'newrepo', 'latest',
-                                        second_images, credentials=credentials, options=options)
+    v2_protocol.push(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        second_images,
+        credentials=credentials,
+        options=options,
+    )
+    second_pull_result = v1_protocol.pull(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        second_images,
+        credentials=credentials,
+        options=options,
+    )
 
-  assert second_pull_result.image_ids['latest'] != 'leafimage'
+    assert second_pull_result.image_ids["latest"] != "leafimage"
 
 
 def add_robot(api_caller, _):
-  api_caller.conduct_auth('devtable', 'password')
-  resp = api_caller.get('/api/v1/organization/buynlarge/robots/ownerbot')
-  return ('buynlarge+ownerbot', resp.json()['token'])
+    api_caller.conduct_auth("devtable", "password")
+    resp = api_caller.get("/api/v1/organization/buynlarge/robots/ownerbot")
+    return ("buynlarge+ownerbot", resp.json()["token"])
 
 
 def add_token(_, executor):
-  return ('$token', executor.add_token().text)
+    return ("$token", executor.add_token().text)
 
 
 # TODO: Test logging to elastic search log model.
-@pytest.mark.parametrize('credentials, namespace, expected_performer, is_public_namespace', [
-  (('devtable', 'password'), 'devtable', 'devtable', False),
-  (('devtable', 'password'), 'buynlarge', 'devtable', False),
-  (('devtable', 'password'), 'sellnsmall', 'devtable', True),
-  (add_robot, 'buynlarge', 'buynlarge+ownerbot', False),
-  (('$oauthtoken', '%s%s' % ('b' * 40, 'c' * 40)), 'devtable', 'devtable', False),
-  (('$app', '%s%s' % ('a' * 60, 'b' * 60)), 'devtable', 'devtable', False),
+@pytest.mark.parametrize(
+    "credentials, namespace, expected_performer, is_public_namespace",
+    [
+        (("devtable", "password"), "devtable", "devtable", False),
+        (("devtable", "password"), "buynlarge", "devtable", False),
+        (("devtable", "password"), "sellnsmall", "devtable", True),
+        (add_robot, "buynlarge", "buynlarge+ownerbot", False),
+        (("$oauthtoken", "%s%s" % ("b" * 40, "c" * 40)), "devtable", "devtable", False),
+        (("$app", "%s%s" % ("a" * 60, "b" * 60)), "devtable", "devtable", False),
+        (add_token, "devtable", None, False),
+    ],
+)
+@pytest.mark.parametrize("disable_pull_logs", [False, True])
+def test_push_pull_logging(
+    credentials,
+    namespace,
+    expected_performer,
+    disable_pull_logs,
+    is_public_namespace,
+    pusher,
+    puller,
+    basic_images,
+    liveserver_session,
+    liveserver,
+    api_caller,
+    app_reloader,
+    registry_server_executor,
+):
+    """ Test: Basic push and pull, ensuring that logs are added for each operation. """
 
-  (add_token, 'devtable', None, False),
-])
-@pytest.mark.parametrize('disable_pull_logs', [
-  False,
-  True,
-])
-def test_push_pull_logging(credentials, namespace, expected_performer, disable_pull_logs,
-                           is_public_namespace, pusher, puller, basic_images,
-                           liveserver_session, liveserver, api_caller, app_reloader,
-                           registry_server_executor):
-  """ Test: Basic push and pull, ensuring that logs are added for each operation. """
+    with FeatureFlagValue(
+        "DISABLE_PULL_LOGS_FOR_FREE_NAMESPACES",
+        disable_pull_logs,
+        registry_server_executor.on(liveserver),
+    ):
+        # Create the repository before the test push.
+        start_images = [
+            Image(
+                id="startimage",
+                parent_id=None,
+                size=None,
+                bytes=layer_bytes_for_contents("start image"),
+            )
+        ]
+        pusher.push(
+            liveserver_session,
+            namespace,
+            "newrepo",
+            "latest",
+            start_images,
+            credentials=("devtable", "password"),
+        )
 
-  with FeatureFlagValue('DISABLE_PULL_LOGS_FOR_FREE_NAMESPACES', disable_pull_logs,
-                        registry_server_executor.on(liveserver)):
-    # Create the repository before the test push.
-    start_images = [Image(id='startimage', parent_id=None, size=None,
-                          bytes=layer_bytes_for_contents('start image'))]
-    pusher.push(liveserver_session, namespace, 'newrepo', 'latest', start_images,
-                credentials=('devtable', 'password'))
+        # Retrieve the credentials to use. This must be done after the repo is created, because
+        # some credentials creation code adds the new entity to the repository.
+        if not isinstance(credentials, tuple):
+            credentials = credentials(
+                api_caller, registry_server_executor.on(liveserver)
+            )
 
-    # Retrieve the credentials to use. This must be done after the repo is created, because
-    # some credentials creation code adds the new entity to the repository.
-    if not isinstance(credentials, tuple):
-      credentials = credentials(api_caller, registry_server_executor.on(liveserver))
+        # Push to the repository with the specified credentials.
+        pusher.push(
+            liveserver_session,
+            namespace,
+            "newrepo",
+            "anothertag",
+            basic_images,
+            credentials=credentials,
+        )
 
-    # Push to the repository with the specified credentials.
-    pusher.push(liveserver_session, namespace, 'newrepo', 'anothertag', basic_images,
-                credentials=credentials)
+        # Check the logs for the push.
+        api_caller.conduct_auth("devtable", "password")
 
-    # Check the logs for the push.
-    api_caller.conduct_auth('devtable', 'password')
+        result = api_caller.get("/api/v1/repository/%s/newrepo/logs" % namespace)
+        logs = result.json()["logs"]
+        assert len(logs) == 2
+        assert logs[0]["kind"] == "push_repo"
+        assert logs[0]["metadata"]["namespace"] == namespace
+        assert logs[0]["metadata"]["repo"] == "newrepo"
 
-    result = api_caller.get('/api/v1/repository/%s/newrepo/logs' % namespace)
-    logs = result.json()['logs']
-    assert len(logs) == 2
-    assert logs[0]['kind'] == 'push_repo'
-    assert logs[0]['metadata']['namespace'] == namespace
-    assert logs[0]['metadata']['repo'] == 'newrepo'
+        if expected_performer is not None:
+            assert logs[0]["performer"]["name"] == expected_performer
 
-    if expected_performer is not None:
-      assert logs[0]['performer']['name'] == expected_performer
+        # Pull the repository to verify.
+        puller.pull(
+            liveserver_session,
+            namespace,
+            "newrepo",
+            "anothertag",
+            basic_images,
+            credentials=credentials,
+        )
+
+        # Check the logs for the pull if applicable.
+        result = api_caller.get("/api/v1/repository/%s/newrepo/logs" % namespace)
+        logs = result.json()["logs"]
+
+        if not disable_pull_logs or not is_public_namespace:
+            assert len(logs) == 3
+            assert logs[0]["kind"] == "pull_repo"
+            assert logs[0]["metadata"]["namespace"] == namespace
+            assert logs[0]["metadata"]["repo"] == "newrepo"
+
+            if expected_performer is not None:
+                assert logs[0]["performer"]["name"] == expected_performer
+        else:
+            assert len(logs) == 2
+            assert logs[0]["kind"] == "push_repo"
+
+
+def test_pull_publicrepo_anonymous(
+    pusher,
+    puller,
+    basic_images,
+    liveserver_session,
+    app_reloader,
+    api_caller,
+    liveserver,
+):
+    """ Test: Pull a public repository anonymously. """
+    # Add a new repository under the public user, so we have a repository to pull.
+    pusher.push(
+        liveserver_session,
+        "public",
+        "newrepo",
+        "latest",
+        basic_images,
+        credentials=("public", "password"),
+    )
+
+    # First try to pull the (currently private) repo anonymously, which should fail (since it is
+    # private)
+    puller.pull(
+        liveserver_session,
+        "public",
+        "newrepo",
+        "latest",
+        basic_images,
+        expected_failure=Failures.UNAUTHORIZED,
+    )
+
+    # Using a non-public user should also fail.
+    puller.pull(
+        liveserver_session,
+        "public",
+        "newrepo",
+        "latest",
+        basic_images,
+        credentials=("devtable", "password"),
+        expected_failure=Failures.UNAUTHORIZED,
+    )
+
+    # Make the repository public.
+    api_caller.conduct_auth("public", "password")
+    api_caller.change_repo_visibility("public", "newrepo", "public")
+
+    # Pull the repository anonymously, which should succeed because the repository is public.
+    puller.pull(liveserver_session, "public", "newrepo", "latest", basic_images)
+
+
+def test_pull_publicrepo_no_anonymous_access(
+    pusher,
+    puller,
+    basic_images,
+    liveserver_session,
+    app_reloader,
+    api_caller,
+    liveserver,
+    registry_server_executor,
+):
+    """ Test: Attempts to pull a public repository anonymously, with the feature flag disabled. """
+    # Add a new repository under the public user, so we have a repository to pull.
+    pusher.push(
+        liveserver_session,
+        "public",
+        "newrepo",
+        "latest",
+        basic_images,
+        credentials=("public", "password"),
+    )
+
+    # First try to pull the (currently private) repo anonymously, which should fail (since it is
+    # private)
+    puller.pull(
+        liveserver_session,
+        "public",
+        "newrepo",
+        "latest",
+        basic_images,
+        expected_failure=Failures.UNAUTHORIZED,
+    )
+
+    # Using a non-public user should also fail.
+    puller.pull(
+        liveserver_session,
+        "public",
+        "newrepo",
+        "latest",
+        basic_images,
+        credentials=("devtable", "password"),
+        expected_failure=Failures.UNAUTHORIZED,
+    )
+
+    # Make the repository public.
+    api_caller.conduct_auth("public", "password")
+    api_caller.change_repo_visibility("public", "newrepo", "public")
+
+    with FeatureFlagValue(
+        "ANONYMOUS_ACCESS", False, registry_server_executor.on(liveserver)
+    ):
+        # Attempt again to pull the (now public) repo anonymously, which should fail since
+        # the feature flag for anonymous access is turned off.
+        options = ProtocolOptions()
+        options.attempt_pull_without_token = True
+
+        puller.pull(
+            liveserver_session,
+            "public",
+            "newrepo",
+            "latest",
+            basic_images,
+            expected_failure=Failures.ANONYMOUS_NOT_ALLOWED,
+            options=options,
+        )
+
+        # Using a non-public user should now succeed.
+        puller.pull(
+            liveserver_session,
+            "public",
+            "newrepo",
+            "latest",
+            basic_images,
+            credentials=("devtable", "password"),
+        )
+
+
+def test_basic_organization_flow(
+    pusher, puller, basic_images, liveserver_session, app_reloader
+):
+    """ Test: Basic push and pull of an image to a new repository by members of an organization. """
+    # Add a new repository under the organization via the creator user.
+    pusher.push(
+        liveserver_session,
+        "buynlarge",
+        "newrepo",
+        "latest",
+        basic_images,
+        credentials=("creator", "password"),
+    )
+
+    # Ensure that the creator can pull it.
+    puller.pull(
+        liveserver_session,
+        "buynlarge",
+        "newrepo",
+        "latest",
+        basic_images,
+        credentials=("creator", "password"),
+    )
+
+    # Ensure that the admin can pull it.
+    puller.pull(
+        liveserver_session,
+        "buynlarge",
+        "newrepo",
+        "latest",
+        basic_images,
+        credentials=("devtable", "password"),
+    )
+
+    # Ensure that the reader *cannot* pull it.
+    puller.pull(
+        liveserver_session,
+        "buynlarge",
+        "newrepo",
+        "latest",
+        basic_images,
+        credentials=("reader", "password"),
+        expected_failure=Failures.UNAUTHORIZED,
+    )
+
+
+def test_library_support(
+    pusher, puller, basic_images, liveserver_session, app_reloader
+):
+    """ Test: Pushing and pulling from the implicit library namespace. """
+    credentials = ("devtable", "password")
+
+    # Push a new repository.
+    pusher.push(
+        liveserver_session,
+        "",
+        "newrepo",
+        "latest",
+        basic_images,
+        credentials=credentials,
+    )
 
     # Pull the repository to verify.
-    puller.pull(liveserver_session, namespace, 'newrepo', 'anothertag', basic_images,
-                credentials=credentials)
-
-    # Check the logs for the pull if applicable.
-    result = api_caller.get('/api/v1/repository/%s/newrepo/logs' % namespace)
-    logs = result.json()['logs']
-
-    if not disable_pull_logs or not is_public_namespace:
-      assert len(logs) == 3
-      assert logs[0]['kind'] == 'pull_repo'
-      assert logs[0]['metadata']['namespace'] == namespace
-      assert logs[0]['metadata']['repo'] == 'newrepo'
-
-      if expected_performer is not None:
-        assert logs[0]['performer']['name'] == expected_performer
-    else:
-      assert len(logs) == 2
-      assert logs[0]['kind'] == 'push_repo'
-
-
-def test_pull_publicrepo_anonymous(pusher, puller, basic_images, liveserver_session,
-                                   app_reloader, api_caller, liveserver):
-  """ Test: Pull a public repository anonymously. """
-  # Add a new repository under the public user, so we have a repository to pull.
-  pusher.push(liveserver_session, 'public', 'newrepo', 'latest', basic_images,
-              credentials=('public', 'password'))
-
-  # First try to pull the (currently private) repo anonymously, which should fail (since it is
-  # private)
-  puller.pull(liveserver_session, 'public', 'newrepo', 'latest', basic_images,
-              expected_failure=Failures.UNAUTHORIZED)
-
-  # Using a non-public user should also fail.
-  puller.pull(liveserver_session, 'public', 'newrepo', 'latest', basic_images,
-              credentials=('devtable', 'password'),
-              expected_failure=Failures.UNAUTHORIZED)
-
-  # Make the repository public.
-  api_caller.conduct_auth('public', 'password')
-  api_caller.change_repo_visibility('public', 'newrepo', 'public')
-
-  # Pull the repository anonymously, which should succeed because the repository is public.
-  puller.pull(liveserver_session, 'public', 'newrepo', 'latest', basic_images)
-
-
-def test_pull_publicrepo_no_anonymous_access(pusher, puller, basic_images, liveserver_session,
-                                             app_reloader, api_caller, liveserver,
-                                             registry_server_executor):
-  """ Test: Attempts to pull a public repository anonymously, with the feature flag disabled. """
-  # Add a new repository under the public user, so we have a repository to pull.
-  pusher.push(liveserver_session, 'public', 'newrepo', 'latest', basic_images,
-              credentials=('public', 'password'))
-
-  # First try to pull the (currently private) repo anonymously, which should fail (since it is
-  # private)
-  puller.pull(liveserver_session, 'public', 'newrepo', 'latest', basic_images,
-              expected_failure=Failures.UNAUTHORIZED)
-
-  # Using a non-public user should also fail.
-  puller.pull(liveserver_session, 'public', 'newrepo', 'latest', basic_images,
-              credentials=('devtable', 'password'),
-              expected_failure=Failures.UNAUTHORIZED)
-
-  # Make the repository public.
-  api_caller.conduct_auth('public', 'password')
-  api_caller.change_repo_visibility('public', 'newrepo', 'public')
-
-  with FeatureFlagValue('ANONYMOUS_ACCESS', False, registry_server_executor.on(liveserver)):
-    # Attempt again to pull the (now public) repo anonymously, which should fail since
-    # the feature flag for anonymous access is turned off.
-    options = ProtocolOptions()
-    options.attempt_pull_without_token = True
-
-    puller.pull(liveserver_session, 'public', 'newrepo', 'latest', basic_images,
-                expected_failure=Failures.ANONYMOUS_NOT_ALLOWED,
-                options=options)
-
-    # Using a non-public user should now succeed.
-    puller.pull(liveserver_session, 'public', 'newrepo', 'latest', basic_images,
-                credentials=('devtable', 'password'))
-
-
-def test_basic_organization_flow(pusher, puller, basic_images, liveserver_session, app_reloader):
-  """ Test: Basic push and pull of an image to a new repository by members of an organization. """
-  # Add a new repository under the organization via the creator user.
-  pusher.push(liveserver_session, 'buynlarge', 'newrepo', 'latest', basic_images,
-              credentials=('creator', 'password'))
-
-  # Ensure that the creator can pull it.
-  puller.pull(liveserver_session, 'buynlarge', 'newrepo', 'latest', basic_images,
-              credentials=('creator', 'password'))
-
-  # Ensure that the admin can pull it.
-  puller.pull(liveserver_session, 'buynlarge', 'newrepo', 'latest', basic_images,
-              credentials=('devtable', 'password'))
-
-  # Ensure that the reader *cannot* pull it.
-  puller.pull(liveserver_session, 'buynlarge', 'newrepo', 'latest', basic_images,
-              credentials=('reader', 'password'),
-              expected_failure=Failures.UNAUTHORIZED)
-
-
-def test_library_support(pusher, puller, basic_images, liveserver_session, app_reloader):
-  """ Test: Pushing and pulling from the implicit library namespace. """
-  credentials = ('devtable', 'password')
-
-  # Push a new repository.
-  pusher.push(liveserver_session, '', 'newrepo', 'latest', basic_images,
-              credentials=credentials)
-
-  # Pull the repository to verify.
-  puller.pull(liveserver_session, '', 'newrepo', 'latest', basic_images,
-              credentials=credentials)
-
-  # Pull the repository from the library namespace to verify.
-  puller.pull(liveserver_session, 'library', 'newrepo', 'latest', basic_images,
-              credentials=credentials)
-
-
-def test_library_namespace_with_support_disabled(pusher, puller, basic_images, liveserver_session,
-                                                 app_reloader, liveserver,
-                                                 registry_server_executor):
-  """ Test: Pushing and pulling from the explicit library namespace, even when the
-            implicit one is disabled.
-  """
-  credentials = ('devtable', 'password')
-
-  with FeatureFlagValue('LIBRARY_SUPPORT', False, registry_server_executor.on(liveserver)):
-    # Push a new repository.
-    pusher.push(liveserver_session, 'library', 'newrepo', 'latest', basic_images,
-                credentials=credentials)
+    puller.pull(
+        liveserver_session,
+        "",
+        "newrepo",
+        "latest",
+        basic_images,
+        credentials=credentials,
+    )
 
     # Pull the repository from the library namespace to verify.
-    puller.pull(liveserver_session, 'library', 'newrepo', 'latest', basic_images,
-                credentials=credentials)
+    puller.pull(
+        liveserver_session,
+        "library",
+        "newrepo",
+        "latest",
+        basic_images,
+        credentials=credentials,
+    )
 
 
-def test_push_library_with_support_disabled(pusher, basic_images, liveserver_session,
-                                            app_reloader, liveserver,
-                                            registry_server_executor):
-  """ Test: Pushing to the implicit library namespace, when disabled,
+def test_library_namespace_with_support_disabled(
+    pusher,
+    puller,
+    basic_images,
+    liveserver_session,
+    app_reloader,
+    liveserver,
+    registry_server_executor,
+):
+    """ Test: Pushing and pulling from the explicit library namespace, even when the
+            implicit one is disabled.
+  """
+    credentials = ("devtable", "password")
+
+    with FeatureFlagValue(
+        "LIBRARY_SUPPORT", False, registry_server_executor.on(liveserver)
+    ):
+        # Push a new repository.
+        pusher.push(
+            liveserver_session,
+            "library",
+            "newrepo",
+            "latest",
+            basic_images,
+            credentials=credentials,
+        )
+
+        # Pull the repository from the library namespace to verify.
+        puller.pull(
+            liveserver_session,
+            "library",
+            "newrepo",
+            "latest",
+            basic_images,
+            credentials=credentials,
+        )
+
+
+def test_push_library_with_support_disabled(
+    pusher,
+    basic_images,
+    liveserver_session,
+    app_reloader,
+    liveserver,
+    registry_server_executor,
+):
+    """ Test: Pushing to the implicit library namespace, when disabled,
             should fail.
   """
-  credentials = ('devtable', 'password')
+    credentials = ("devtable", "password")
 
-  with FeatureFlagValue('LIBRARY_SUPPORT', False, registry_server_executor.on(liveserver)):
-    # Attempt to push a new repository.
-    pusher.push(liveserver_session, '', 'newrepo', 'latest', basic_images,
-                credentials=credentials,
-                expected_failure=Failures.DISALLOWED_LIBRARY_NAMESPACE)
+    with FeatureFlagValue(
+        "LIBRARY_SUPPORT", False, registry_server_executor.on(liveserver)
+    ):
+        # Attempt to push a new repository.
+        pusher.push(
+            liveserver_session,
+            "",
+            "newrepo",
+            "latest",
+            basic_images,
+            credentials=credentials,
+            expected_failure=Failures.DISALLOWED_LIBRARY_NAMESPACE,
+        )
 
 
-def test_pull_library_with_support_disabled(puller, basic_images, liveserver_session,
-                                            app_reloader, liveserver,
-                                            registry_server_executor):
-  """ Test: Pushing to the implicit library namespace, when disabled,
+def test_pull_library_with_support_disabled(
+    puller,
+    basic_images,
+    liveserver_session,
+    app_reloader,
+    liveserver,
+    registry_server_executor,
+):
+    """ Test: Pushing to the implicit library namespace, when disabled,
             should fail.
   """
-  credentials = ('devtable', 'password')
+    credentials = ("devtable", "password")
 
-  with FeatureFlagValue('LIBRARY_SUPPORT', False, registry_server_executor.on(liveserver)):
-    # Attempt to pull the repository from the library namespace.
-    puller.pull(liveserver_session, '', 'newrepo', 'latest', basic_images,
-                credentials=credentials,
-                expected_failure=Failures.DISALLOWED_LIBRARY_NAMESPACE)
+    with FeatureFlagValue(
+        "LIBRARY_SUPPORT", False, registry_server_executor.on(liveserver)
+    ):
+        # Attempt to pull the repository from the library namespace.
+        puller.pull(
+            liveserver_session,
+            "",
+            "newrepo",
+            "latest",
+            basic_images,
+            credentials=credentials,
+            expected_failure=Failures.DISALLOWED_LIBRARY_NAMESPACE,
+        )
 
 
-def test_image_replication(pusher, puller, basic_images, liveserver_session, app_reloader,
-                           liveserver, registry_server_executor):
-  """ Test: Ensure that entries are created for replication of the images pushed. """
-  credentials = ('devtable', 'password')
+def test_image_replication(
+    pusher,
+    puller,
+    basic_images,
+    liveserver_session,
+    app_reloader,
+    liveserver,
+    registry_server_executor,
+):
+    """ Test: Ensure that entries are created for replication of the images pushed. """
+    credentials = ("devtable", "password")
 
-  with FeatureFlagValue('STORAGE_REPLICATION', True, registry_server_executor.on(liveserver)):
-    pusher.push(liveserver_session, 'devtable', 'newrepo', 'latest', basic_images,
-                credentials=credentials)
+    with FeatureFlagValue(
+        "STORAGE_REPLICATION", True, registry_server_executor.on(liveserver)
+    ):
+        pusher.push(
+            liveserver_session,
+            "devtable",
+            "newrepo",
+            "latest",
+            basic_images,
+            credentials=credentials,
+        )
 
-    result = puller.pull(liveserver_session, 'devtable', 'newrepo', 'latest', basic_images,
-                         credentials=credentials)
+        result = puller.pull(
+            liveserver_session,
+            "devtable",
+            "newrepo",
+            "latest",
+            basic_images,
+            credentials=credentials,
+        )
 
-    # Ensure that entries were created for each image.
-    for image_id in result.image_ids.values():
-      r = registry_server_executor.on(liveserver).get_storage_replication_entry(image_id)
-      assert r.text == 'OK'
+        # Ensure that entries were created for each image.
+        for image_id in result.image_ids.values():
+            r = registry_server_executor.on(liveserver).get_storage_replication_entry(
+                image_id
+            )
+            assert r.text == "OK"
 
 
-def test_image_replication_empty_layers(pusher, puller, images_with_empty_layer, liveserver_session,
-                                        app_reloader, liveserver, registry_server_executor):
-  """ Test: Ensure that entries are created for replication of the images pushed. """
-  credentials = ('devtable', 'password')
+def test_image_replication_empty_layers(
+    pusher,
+    puller,
+    images_with_empty_layer,
+    liveserver_session,
+    app_reloader,
+    liveserver,
+    registry_server_executor,
+):
+    """ Test: Ensure that entries are created for replication of the images pushed. """
+    credentials = ("devtable", "password")
 
-  with FeatureFlagValue('STORAGE_REPLICATION', True, registry_server_executor.on(liveserver)):
-    pusher.push(liveserver_session, 'devtable', 'newrepo', 'latest', images_with_empty_layer,
-                credentials=credentials)
+    with FeatureFlagValue(
+        "STORAGE_REPLICATION", True, registry_server_executor.on(liveserver)
+    ):
+        pusher.push(
+            liveserver_session,
+            "devtable",
+            "newrepo",
+            "latest",
+            images_with_empty_layer,
+            credentials=credentials,
+        )
 
-    result = puller.pull(liveserver_session, 'devtable', 'newrepo', 'latest',
-                         images_with_empty_layer, credentials=credentials)
+        result = puller.pull(
+            liveserver_session,
+            "devtable",
+            "newrepo",
+            "latest",
+            images_with_empty_layer,
+            credentials=credentials,
+        )
 
-    # Ensure that entries were created for each image.
-    for image_id in result.image_ids.values():
-      r = registry_server_executor.on(liveserver).get_storage_replication_entry(image_id)
-      assert r.text == 'OK'
+        # Ensure that entries were created for each image.
+        for image_id in result.image_ids.values():
+            r = registry_server_executor.on(liveserver).get_storage_replication_entry(
+                image_id
+            )
+            assert r.text == "OK"
 
 
-@pytest.mark.parametrize('repo_name, expected_failure', [
-  ('something', None),
-  ('some/slash', Failures.SLASH_REPOSITORY),
-  pytest.param('x' * 255, None, id='Valid long name'),
-  pytest.param('x' * 256, Failures.INVALID_REPOSITORY, id='Name too long'),
-])
-def test_push_reponame(repo_name, expected_failure, pusher, puller, basic_images,
-                       liveserver_session, app_reloader):
-  """ Test: Attempt to add a repository with various names.
+@pytest.mark.parametrize(
+    "repo_name, expected_failure",
+    [
+        ("something", None),
+        ("some/slash", Failures.SLASH_REPOSITORY),
+        pytest.param("x" * 255, None, id="Valid long name"),
+        pytest.param("x" * 256, Failures.INVALID_REPOSITORY, id="Name too long"),
+    ],
+)
+def test_push_reponame(
+    repo_name,
+    expected_failure,
+    pusher,
+    puller,
+    basic_images,
+    liveserver_session,
+    app_reloader,
+):
+    """ Test: Attempt to add a repository with various names.
   """
-  credentials = ('devtable', 'password')
+    credentials = ("devtable", "password")
 
-  pusher.push(liveserver_session, 'devtable', repo_name, 'latest', basic_images,
-              credentials=credentials,
-              expected_failure=expected_failure)
+    pusher.push(
+        liveserver_session,
+        "devtable",
+        repo_name,
+        "latest",
+        basic_images,
+        credentials=credentials,
+        expected_failure=expected_failure,
+    )
 
-  if expected_failure is None:
-    puller.pull(liveserver_session, 'devtable', repo_name, 'latest', basic_images,
-                credentials=credentials)
+    if expected_failure is None:
+        puller.pull(
+            liveserver_session,
+            "devtable",
+            repo_name,
+            "latest",
+            basic_images,
+            credentials=credentials,
+        )
 
 
-@pytest.mark.parametrize('tag_name, expected_failure', [
-  ('l', None),
-  ('1', None),
-  ('x' * 128, None),
+@pytest.mark.parametrize(
+    "tag_name, expected_failure",
+    [
+        ("l", None),
+        ("1", None),
+        ("x" * 128, None),
+        ("", Failures.MISSING_TAG),
+        ("x" * 129, Failures.INVALID_TAG),
+        (".fail", Failures.INVALID_TAG),
+        ("-fail", Failures.INVALID_TAG),
+    ],
+)
+def test_tag_validaton(
+    tag_name, expected_failure, pusher, basic_images, liveserver_session, app_reloader
+):
+    """ Test: Various forms of tags and whether they succeed or fail as expected. """
+    credentials = ("devtable", "password")
 
-  ('', Failures.MISSING_TAG),
-  ('x' * 129, Failures.INVALID_TAG),
-  ('.fail', Failures.INVALID_TAG),
-  ('-fail', Failures.INVALID_TAG),
-])
-def test_tag_validaton(tag_name, expected_failure, pusher, basic_images, liveserver_session,
-                       app_reloader):
-  """ Test: Various forms of tags and whether they succeed or fail as expected. """
-  credentials = ('devtable', 'password')
-
-  pusher.push(liveserver_session, 'devtable', 'newrepo', tag_name, basic_images,
-              credentials=credentials,
-              expected_failure=expected_failure)
+    pusher.push(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        tag_name,
+        basic_images,
+        credentials=credentials,
+        expected_failure=expected_failure,
+    )
 
 
 def test_invalid_parent(legacy_pusher, liveserver_session, app_reloader):
-  """ Test: Attempt to push an image with an invalid/missing parent. """
-  images = [
-    Image(id='childimage', parent_id='parentimage', size=None,
-          bytes=layer_bytes_for_contents('child')),
-  ]
+    """ Test: Attempt to push an image with an invalid/missing parent. """
+    images = [
+        Image(
+            id="childimage",
+            parent_id="parentimage",
+            size=None,
+            bytes=layer_bytes_for_contents("child"),
+        )
+    ]
 
-  credentials = ('devtable', 'password')
+    credentials = ("devtable", "password")
 
-  legacy_pusher.push(liveserver_session, 'devtable', 'newrepo', 'latest', images,
-                     credentials=credentials,
-                     expected_failure=Failures.INVALID_IMAGES)
+    legacy_pusher.push(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        images,
+        credentials=credentials,
+        expected_failure=Failures.INVALID_IMAGES,
+    )
 
 
 def test_wrong_image_order(legacy_pusher, liveserver_session, app_reloader):
-  """ Test: Attempt to push an image with its layers in the wrong order. """
-  images = [
-    Image(id='childimage', parent_id='parentimage', size=None,
-          bytes=layer_bytes_for_contents('child')),
-    Image(id='parentimage', parent_id=None, size=None,
-          bytes=layer_bytes_for_contents('parent')),
-  ]
+    """ Test: Attempt to push an image with its layers in the wrong order. """
+    images = [
+        Image(
+            id="childimage",
+            parent_id="parentimage",
+            size=None,
+            bytes=layer_bytes_for_contents("child"),
+        ),
+        Image(
+            id="parentimage",
+            parent_id=None,
+            size=None,
+            bytes=layer_bytes_for_contents("parent"),
+        ),
+    ]
 
-  credentials = ('devtable', 'password')
+    credentials = ("devtable", "password")
 
-  legacy_pusher.push(liveserver_session, 'devtable', 'newrepo', 'latest', images,
-                     credentials=credentials,
-                     expected_failure=Failures.INVALID_IMAGES)
+    legacy_pusher.push(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        images,
+        credentials=credentials,
+        expected_failure=Failures.INVALID_IMAGES,
+    )
 
 
-@pytest.mark.parametrize('labels', [
-  # Basic labels.
-  [('foo', 'bar', 'text/plain'), ('baz', 'meh', 'text/plain')],
-
-  # Theoretically invalid, but allowed when pushed via registry protocol.
-  [('theoretically-invalid--label', 'foo', 'text/plain')],
-
-  # JSON label.
-  [('somejson', '{"some": "json"}', 'application/json'), ('plain', '', 'text/plain')],
-
-  # JSON-esque (but not valid JSON) labels.
-  [('foo', '[hello world]', 'text/plain'), ('bar', '{wassup?!}', 'text/plain')],
-])
-def test_labels(labels, manifest_protocol, liveserver_session, api_caller, app_reloader):
-  """ Test: Image pushed with labels has those labels found in the database after the
+@pytest.mark.parametrize(
+    "labels",
+    [
+        # Basic labels.
+        [("foo", "bar", "text/plain"), ("baz", "meh", "text/plain")],
+        # Theoretically invalid, but allowed when pushed via registry protocol.
+        [("theoretically-invalid--label", "foo", "text/plain")],
+        # JSON label.
+        [
+            ("somejson", '{"some": "json"}', "application/json"),
+            ("plain", "", "text/plain"),
+        ],
+        # JSON-esque (but not valid JSON) labels.
+        [("foo", "[hello world]", "text/plain"), ("bar", "{wassup?!}", "text/plain")],
+    ],
+)
+def test_labels(
+    labels, manifest_protocol, liveserver_session, api_caller, app_reloader
+):
+    """ Test: Image pushed with labels has those labels found in the database after the
       push succeeds.
   """
-  images = [
-    Image(id='theimage', parent_id=None, bytes=layer_bytes_for_contents('image'),
-          config={'Labels': {key: value for (key, value, _) in labels}}),
-  ]
+    images = [
+        Image(
+            id="theimage",
+            parent_id=None,
+            bytes=layer_bytes_for_contents("image"),
+            config={"Labels": {key: value for (key, value, _) in labels}},
+        )
+    ]
 
-  credentials = ('devtable', 'password')
-  result = manifest_protocol.push(liveserver_session, 'devtable', 'newrepo', 'latest', images,
-                                  credentials=credentials)
+    credentials = ("devtable", "password")
+    result = manifest_protocol.push(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        images,
+        credentials=credentials,
+    )
 
-  digest = result.manifests['latest'].digest
-  api_caller.conduct_auth('devtable', 'password')
+    digest = result.manifests["latest"].digest
+    api_caller.conduct_auth("devtable", "password")
 
-  data = api_caller.get('/api/v1/repository/devtable/newrepo/manifest/%s/labels' % digest).json()
-  labels_found = data['labels']
-  assert len(labels_found) == len(labels)
+    data = api_caller.get(
+        "/api/v1/repository/devtable/newrepo/manifest/%s/labels" % digest
+    ).json()
+    labels_found = data["labels"]
+    assert len(labels_found) == len(labels)
 
-  labels_found_map = {l['key']: l for l in labels_found}
-  assert set(images[0].config['Labels'].keys()) == set(labels_found_map.keys())
+    labels_found_map = {l["key"]: l for l in labels_found}
+    assert set(images[0].config["Labels"].keys()) == set(labels_found_map.keys())
 
-  for key, _, media_type in labels:
-    assert labels_found_map[key]['source_type'] == 'manifest'
-    assert labels_found_map[key]['media_type'] == media_type
+    for key, _, media_type in labels:
+        assert labels_found_map[key]["source_type"] == "manifest"
+        assert labels_found_map[key]["media_type"] == media_type
 
 
-@pytest.mark.parametrize('label_value, expected_expiration', [
-  ('1d', True),
-  ('1h', True),
-  ('2w', True),
-
-  ('1g', False),
-  ('something', False),
-])
-def test_expiration_label(label_value, expected_expiration, manifest_protocol, liveserver_session,
-                          api_caller, app_reloader):
-  """ Test: Tag pushed with a valid `quay.expires-after` will have its expiration set to its
+@pytest.mark.parametrize(
+    "label_value, expected_expiration",
+    [("1d", True), ("1h", True), ("2w", True), ("1g", False), ("something", False)],
+)
+def test_expiration_label(
+    label_value,
+    expected_expiration,
+    manifest_protocol,
+    liveserver_session,
+    api_caller,
+    app_reloader,
+):
+    """ Test: Tag pushed with a valid `quay.expires-after` will have its expiration set to its
             start time plus the duration specified. If the duration is invalid, no expiration will
             be set.
   """
-  images = [
-    Image(id='theimage', parent_id=None, bytes=layer_bytes_for_contents('image'),
-          config={'Labels': {'quay.expires-after': label_value}}),
-  ]
+    images = [
+        Image(
+            id="theimage",
+            parent_id=None,
+            bytes=layer_bytes_for_contents("image"),
+            config={"Labels": {"quay.expires-after": label_value}},
+        )
+    ]
 
-  credentials = ('devtable', 'password')
-  manifest_protocol.push(liveserver_session, 'devtable', 'newrepo', 'latest', images,
-                         credentials=credentials)
+    credentials = ("devtable", "password")
+    manifest_protocol.push(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        images,
+        credentials=credentials,
+    )
 
-  api_caller.conduct_auth('devtable', 'password')
+    api_caller.conduct_auth("devtable", "password")
 
-  tag_data = api_caller.get('/api/v1/repository/devtable/newrepo/tag').json()['tags'][0]
-  if expected_expiration:
-    diff = convert_to_timedelta(label_value).total_seconds()
-    assert tag_data['end_ts'] == tag_data['start_ts'] + diff
-  else:
-    assert tag_data.get('end_ts') is None
+    tag_data = api_caller.get("/api/v1/repository/devtable/newrepo/tag").json()["tags"][
+        0
+    ]
+    if expected_expiration:
+        diff = convert_to_timedelta(label_value).total_seconds()
+        assert tag_data["end_ts"] == tag_data["start_ts"] + diff
+    else:
+        assert tag_data.get("end_ts") is None
 
 
-@pytest.mark.parametrize('content_type', [
-  'application/vnd.oci.image.manifest.v1+json',
-  'application/vnd.docker.distribution.manifest.v2+json',
-])
-def test_unsupported_manifest_content_type(content_type, manifest_protocol, basic_images,
-                                           data_model, liveserver_session, app_reloader):
-  """ Test: Attempt to push a manifest with an unsupported media type. """
-  if data_model == 'oci_model':
-    # Skip; OCI requires the new manifest content types.
-    return
+@pytest.mark.parametrize(
+    "content_type",
+    [
+        "application/vnd.oci.image.manifest.v1+json",
+        "application/vnd.docker.distribution.manifest.v2+json",
+    ],
+)
+def test_unsupported_manifest_content_type(
+    content_type,
+    manifest_protocol,
+    basic_images,
+    data_model,
+    liveserver_session,
+    app_reloader,
+):
+    """ Test: Attempt to push a manifest with an unsupported media type. """
+    if data_model == "oci_model":
+        # Skip; OCI requires the new manifest content types.
+        return
 
-  credentials = ('devtable', 'password')
+    credentials = ("devtable", "password")
 
-  options = ProtocolOptions()
-  options.manifest_content_type = content_type
+    options = ProtocolOptions()
+    options.manifest_content_type = content_type
 
-  # Attempt to push a new repository.
-  manifest_protocol.push(liveserver_session, 'devtable', 'newrepo', 'latest', basic_images,
-                         credentials=credentials,
-                         options=options,
-                         expected_failure=Failures.UNSUPPORTED_CONTENT_TYPE)
+    # Attempt to push a new repository.
+    manifest_protocol.push(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        basic_images,
+        credentials=credentials,
+        options=options,
+        expected_failure=Failures.UNSUPPORTED_CONTENT_TYPE,
+    )
 
 
-@pytest.mark.parametrize('accept_mimetypes', [
-  ['application/vnd.oci.image.manifest.v1+json'],
-  ['application/vnd.docker.distribution.manifest.v2+json',
-   'application/vnd.docker.distribution.manifest.list.v2+json'],
-  ['application/vnd.foo.bar'],
-])
-def test_unsupported_manifest_accept_headers(accept_mimetypes, manifest_protocol, basic_images,
-                                             data_model, liveserver_session, app_reloader):
-  """ Test: Attempt to push a manifest with an unsupported accept headers. """
-  if data_model == 'oci_model':
-    # Skip; OCI requires the new manifest content types.
-    return
+@pytest.mark.parametrize(
+    "accept_mimetypes",
+    [
+        ["application/vnd.oci.image.manifest.v1+json"],
+        [
+            "application/vnd.docker.distribution.manifest.v2+json",
+            "application/vnd.docker.distribution.manifest.list.v2+json",
+        ],
+        ["application/vnd.foo.bar"],
+    ],
+)
+def test_unsupported_manifest_accept_headers(
+    accept_mimetypes,
+    manifest_protocol,
+    basic_images,
+    data_model,
+    liveserver_session,
+    app_reloader,
+):
+    """ Test: Attempt to push a manifest with an unsupported accept headers. """
+    if data_model == "oci_model":
+        # Skip; OCI requires the new manifest content types.
+        return
 
-  credentials = ('devtable', 'password')
+    credentials = ("devtable", "password")
 
-  options = ProtocolOptions()
-  options.manifest_content_type = DOCKER_SCHEMA1_MANIFEST_CONTENT_TYPE
-  options.accept_mimetypes = accept_mimetypes
+    options = ProtocolOptions()
+    options.manifest_content_type = DOCKER_SCHEMA1_MANIFEST_CONTENT_TYPE
+    options.accept_mimetypes = accept_mimetypes
 
-  # Attempt to push a new repository.
-  manifest_protocol.push(liveserver_session, 'devtable', 'newrepo', 'latest', basic_images,
-                         credentials=credentials,
-                         options=options,
-                         expected_failure=Failures.UNSUPPORTED_CONTENT_TYPE)
+    # Attempt to push a new repository.
+    manifest_protocol.push(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        basic_images,
+        credentials=credentials,
+        options=options,
+        expected_failure=Failures.UNSUPPORTED_CONTENT_TYPE,
+    )
 
 
-def test_invalid_blob_reference(manifest_protocol, basic_images, liveserver_session, app_reloader):
-  """ Test: Attempt to push a manifest with an invalid blob reference. """
-  credentials = ('devtable', 'password')
+def test_invalid_blob_reference(
+    manifest_protocol, basic_images, liveserver_session, app_reloader
+):
+    """ Test: Attempt to push a manifest with an invalid blob reference. """
+    credentials = ("devtable", "password")
 
-  options = ProtocolOptions()
-  options.manifest_invalid_blob_references = True
+    options = ProtocolOptions()
+    options.manifest_invalid_blob_references = True
 
-  # Attempt to push a new repository.
-  manifest_protocol.push(liveserver_session, 'devtable', 'newrepo', 'latest', basic_images,
-                         credentials=credentials,
-                         options=options,
-                         expected_failure=Failures.INVALID_BLOB)
+    # Attempt to push a new repository.
+    manifest_protocol.push(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        basic_images,
+        credentials=credentials,
+        options=options,
+        expected_failure=Failures.INVALID_BLOB,
+    )
 
 
-def test_delete_tag(pusher, puller, basic_images, different_images, liveserver_session,
-                    app_reloader):
-  """ Test: Push a repository, delete a tag, and attempt to pull. """
-  credentials = ('devtable', 'password')
+def test_delete_tag(
+    pusher, puller, basic_images, different_images, liveserver_session, app_reloader
+):
+    """ Test: Push a repository, delete a tag, and attempt to pull. """
+    credentials = ("devtable", "password")
 
-  # Push the tags.
-  result = pusher.push(liveserver_session, 'devtable', 'newrepo', 'one',
-                       basic_images, credentials=credentials)
+    # Push the tags.
+    result = pusher.push(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "one",
+        basic_images,
+        credentials=credentials,
+    )
 
-  pusher.push(liveserver_session, 'devtable', 'newrepo', 'two',
-              different_images, credentials=credentials)
+    pusher.push(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "two",
+        different_images,
+        credentials=credentials,
+    )
 
-  # Delete tag `one` by digest or tag.
-  pusher.delete(liveserver_session, 'devtable', 'newrepo',
-                result.manifests['one'].digest if result.manifests else 'one',
-                credentials=credentials)
+    # Delete tag `one` by digest or tag.
+    pusher.delete(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        result.manifests["one"].digest if result.manifests else "one",
+        credentials=credentials,
+    )
 
-  # Attempt to pull tag `one` and ensure it doesn't work.
-  puller.pull(liveserver_session, 'devtable', 'newrepo', 'one', basic_images,
-              credentials=credentials,
-              expected_failure=Failures.UNKNOWN_TAG)
+    # Attempt to pull tag `one` and ensure it doesn't work.
+    puller.pull(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "one",
+        basic_images,
+        credentials=credentials,
+        expected_failure=Failures.UNKNOWN_TAG,
+    )
 
-  # Pull tag `two` to verify it works.
-  puller.pull(liveserver_session, 'devtable', 'newrepo', 'two', different_images,
-              credentials=credentials)
+    # Pull tag `two` to verify it works.
+    puller.pull(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "two",
+        different_images,
+        credentials=credentials,
+    )
 
 
-def test_delete_manifest(manifest_protocol, puller, basic_images, different_images,
-                         liveserver_session, app_reloader):
-  """ Test: Push a tag, push the tag again, push it back to the original manifest,
+def test_delete_manifest(
+    manifest_protocol,
+    puller,
+    basic_images,
+    different_images,
+    liveserver_session,
+    app_reloader,
+):
+    """ Test: Push a tag, push the tag again, push it back to the original manifest,
             delete the tag, verify cannot pull. """
-  credentials = ('devtable', 'password')
-  options = ProtocolOptions()
-  options.skip_head_checks = True
+    credentials = ("devtable", "password")
+    options = ProtocolOptions()
+    options.skip_head_checks = True
 
-  # Push the latest tag.
-  manifest_protocol.push(liveserver_session, 'devtable', 'newrepo', 'latest',
-                         basic_images, credentials=credentials)
+    # Push the latest tag.
+    manifest_protocol.push(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        basic_images,
+        credentials=credentials,
+    )
 
-  # Verify.
-  puller.pull(liveserver_session, 'devtable', 'newrepo', 'latest', basic_images,
-              credentials=credentials)
+    # Verify.
+    puller.pull(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        basic_images,
+        credentials=credentials,
+    )
 
-  # Necessary for older data model.
-  time.sleep(2)
+    # Necessary for older data model.
+    time.sleep(2)
 
-  # Push the latest tag to a different manifest.
-  manifest_protocol.push(liveserver_session, 'devtable', 'newrepo', 'latest',
-                         different_images, credentials=credentials, options=options)
+    # Push the latest tag to a different manifest.
+    manifest_protocol.push(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        different_images,
+        credentials=credentials,
+        options=options,
+    )
 
-  # Verify.
-  puller.pull(liveserver_session, 'devtable', 'newrepo', 'latest', different_images,
-              credentials=credentials)
+    # Verify.
+    puller.pull(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        different_images,
+        credentials=credentials,
+    )
 
-  # Necessary for older data model.
-  time.sleep(2)
+    # Necessary for older data model.
+    time.sleep(2)
 
-  # Push the latest tag back to the original images.
-  result = manifest_protocol.push(liveserver_session, 'devtable', 'newrepo', 'latest',
-                                  basic_images, credentials=credentials, options=options)
+    # Push the latest tag back to the original images.
+    result = manifest_protocol.push(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        basic_images,
+        credentials=credentials,
+        options=options,
+    )
 
-  # Verify.
-  puller.pull(liveserver_session, 'devtable', 'newrepo', 'latest', basic_images,
-              credentials=credentials)
+    # Verify.
+    puller.pull(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        basic_images,
+        credentials=credentials,
+    )
 
-  # Necessary for older data model.
-  time.sleep(2)
+    # Necessary for older data model.
+    time.sleep(2)
 
-  # Delete the basic images manifest.
-  manifest_protocol.delete(liveserver_session, 'devtable', 'newrepo',
-                           result.manifests['latest'].digest,
-                           credentials=credentials)
+    # Delete the basic images manifest.
+    manifest_protocol.delete(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        result.manifests["latest"].digest,
+        credentials=credentials,
+    )
 
-  # Attempt to pull tag `latest` and ensure it doesn't work.
-  puller.pull(liveserver_session, 'devtable', 'newrepo', 'latest', basic_images,
-              credentials=credentials,
-              expected_failure=Failures.UNKNOWN_TAG)
+    # Attempt to pull tag `latest` and ensure it doesn't work.
+    puller.pull(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        basic_images,
+        credentials=credentials,
+        expected_failure=Failures.UNKNOWN_TAG,
+    )
 
 
-def test_cancel_upload(manifest_protocol, basic_images, liveserver_session, app_reloader):
-  """ Test: Cancelation of blob uploads. """
-  credentials = ('devtable', 'password')
+def test_cancel_upload(
+    manifest_protocol, basic_images, liveserver_session, app_reloader
+):
+    """ Test: Cancelation of blob uploads. """
+    credentials = ("devtable", "password")
 
-  options = ProtocolOptions()
-  options.cancel_blob_upload = True
+    options = ProtocolOptions()
+    options.cancel_blob_upload = True
 
-  manifest_protocol.push(liveserver_session, 'devtable', 'newrepo', 'latest',
-                         basic_images, credentials=credentials)
+    manifest_protocol.push(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        basic_images,
+        credentials=credentials,
+    )
 
 
-def test_blob_caching(manifest_protocol, basic_images, liveserver_session, app_reloader,
-                      liveserver, registry_server_executor):
-  """ Test: Pulling of blobs after initially pulled will result in the blobs being cached. """
-  credentials = ('devtable', 'password')
+def test_blob_caching(
+    manifest_protocol,
+    basic_images,
+    liveserver_session,
+    app_reloader,
+    liveserver,
+    registry_server_executor,
+):
+    """ Test: Pulling of blobs after initially pulled will result in the blobs being cached. """
+    credentials = ("devtable", "password")
 
-  # Push a tag.
-  result = manifest_protocol.push(liveserver_session, 'devtable', 'newrepo', 'latest',
-                                  basic_images, credentials=credentials)
+    # Push a tag.
+    result = manifest_protocol.push(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        basic_images,
+        credentials=credentials,
+    )
 
+    # Conduct the initial pull to prime the cache.
+    manifest_protocol.pull(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        basic_images,
+        credentials=credentials,
+    )
 
-  # Conduct the initial pull to prime the cache.
-  manifest_protocol.pull(liveserver_session, 'devtable', 'newrepo', 'latest', basic_images,
-                         credentials=credentials)
-
-  # Disconnect the server from the database.
-  registry_server_executor.on(liveserver).break_database()
-
-  # Pull each blob, which should succeed due to caching. If caching is broken, this will
-  # fail when it attempts to hit the database.
-  for layer in result.manifests['latest'].layers:
-    blob_id = str(layer.digest)
-    r = liveserver_session.get('/v2/devtable/newrepo/blobs/%s' % blob_id, headers=result.headers)
-    assert r.status_code == 200
-
-
-@pytest.mark.parametrize('chunks', [
-  # Two chunks.
-  [(0, 100), (100, None)],
-
-  # Multiple chunks.
-  [(0, 10), (10, 20), (20, None)],
-  [(0, 10), (10, 20), (20, 30), (30, 40), (40, 50), (50, None)],
-
-  # Overlapping chunks.
-  [(0, 1024), (10, None)],
-])
-def test_chunked_blob_uploading(chunks, random_layer_data, manifest_protocol, puller,
-                                liveserver_session, app_reloader):
-  """ Test: Uploading of blobs as chunks. """
-  credentials = ('devtable', 'password')
-
-  adjusted_chunks = []
-  for start_byte, end_byte in chunks:
-    adjusted_chunks.append((start_byte, end_byte if end_byte else len(random_layer_data)))
-
-  images = [
-    Image(id='theimage', parent_id=None, bytes=random_layer_data),
-  ]
-
-  options = ProtocolOptions()
-  options.chunks_for_upload = adjusted_chunks
-
-  # Push the image, using the specified chunking.
-  manifest_protocol.push(liveserver_session, 'devtable', 'newrepo', 'latest',
-                         images, credentials=credentials, options=options)
-
-  # Pull to verify the image was created.
-  puller.pull(liveserver_session, 'devtable', 'newrepo', 'latest', images,
-              credentials=credentials)
-
-
-def test_chunked_uploading_mismatched_chunks(manifest_protocol, random_layer_data,
-                                             liveserver_session, app_reloader):
-  """ Test: Attempt to upload chunks with data missing. """
-  credentials = ('devtable', 'password')
-
-  images = [
-    Image(id='theimage', parent_id=None, bytes=random_layer_data),
-  ]
-
-  # Note: Byte #100 is missing.
-  options = ProtocolOptions()
-  options.chunks_for_upload = [(0, 100), (101, len(random_layer_data), 416)]
-
-  # Attempt to push, with the chunked upload failing.
-  manifest_protocol.push(liveserver_session, 'devtable', 'newrepo', 'latest',
-                         images, credentials=credentials, options=options)
-
-
-def test_pull_disabled_namespace(pusher, puller, basic_images, liveserver_session,
-                                 app_reloader, liveserver, registry_server_executor):
-  """ Test: Attempt to pull a repository from a disabled namespace results in an error. """
-  credentials = ('devtable', 'password')
-
-  # Push a new repository.
-  pusher.push(liveserver_session, 'buynlarge', 'someneworgrepo', 'latest', basic_images,
-              credentials=credentials)
-
-  # Disable the namespace.
-  registry_server_executor.on(liveserver).disable_namespace('buynlarge')
-
-  # Attempt to pull, which should fail.
-  puller.pull(liveserver_session, 'buynlarge', 'someneworgrepo', 'latest', basic_images,
-              credentials=credentials, expected_failure=Failures.NAMESPACE_DISABLED)
-
-
-def test_push_disabled_namespace(pusher, basic_images, liveserver_session,
-                                 app_reloader, liveserver, registry_server_executor):
-  """ Test: Attempt to push a repository from a disabled namespace results in an error. """
-  credentials = ('devtable', 'password')
-
-  # Disable the namespace.
-  registry_server_executor.on(liveserver).disable_namespace('buynlarge')
-
-  # Attempt to push, which should fail.
-  pusher.push(liveserver_session, 'buynlarge', 'someneworgrepo', 'latest', basic_images,
-              credentials=credentials, expected_failure=Failures.NAMESPACE_DISABLED)
-
-
-def test_private_catalog_no_access(v2_protocol, liveserver_session, app_reloader, liveserver,
-                                   registry_server_executor):
-  """ Test: Ensure that accessing a private catalog with anonymous access results in no database
-      connections.
-  """
-  with FeatureFlagValue('PUBLIC_CATALOG', False, registry_server_executor.on(liveserver)):
     # Disconnect the server from the database.
     registry_server_executor.on(liveserver).break_database()
 
-    results = v2_protocol.catalog(liveserver_session)
-    assert not results
+    # Pull each blob, which should succeed due to caching. If caching is broken, this will
+    # fail when it attempts to hit the database.
+    for layer in result.manifests["latest"].layers:
+        blob_id = str(layer.digest)
+        r = liveserver_session.get(
+            "/v2/devtable/newrepo/blobs/%s" % blob_id, headers=result.headers
+        )
+        assert r.status_code == 200
 
 
-@pytest.mark.parametrize('public_catalog, credentials, expected_repos', [
-  # No public access and no credentials => No results.
-  (False, None, None),
+@pytest.mark.parametrize(
+    "chunks",
+    [
+        # Two chunks.
+        [(0, 100), (100, None)],
+        # Multiple chunks.
+        [(0, 10), (10, 20), (20, None)],
+        [(0, 10), (10, 20), (20, 30), (30, 40), (40, 50), (50, None)],
+        # Overlapping chunks.
+        [(0, 1024), (10, None)],
+    ],
+)
+def test_chunked_blob_uploading(
+    chunks,
+    random_layer_data,
+    manifest_protocol,
+    puller,
+    liveserver_session,
+    app_reloader,
+):
+    """ Test: Uploading of blobs as chunks. """
+    credentials = ("devtable", "password")
 
-  # Public access and no credentials => public repositories.
-  (True, None, ['public/publicrepo']),
+    adjusted_chunks = []
+    for start_byte, end_byte in chunks:
+        adjusted_chunks.append(
+            (start_byte, end_byte if end_byte else len(random_layer_data))
+        )
 
-  # Private creds => private repositories.
-  (False, ('devtable', 'password'), ['devtable/simple', 'devtable/complex', 'devtable/gargantuan']),
-  (True, ('devtable', 'password'), ['devtable/simple', 'devtable/complex', 'devtable/gargantuan']),
-])
-@pytest.mark.parametrize('page_size', [
-  1,
-  2,
-  10,
-  50,
-  100,
-])
-def test_catalog(public_catalog, credentials, expected_repos, page_size, v2_protocol,
-                 liveserver_session, app_reloader, liveserver, registry_server_executor):
-  """ Test: Retrieving results from the V2 catalog. """
-  with FeatureFlagValue('PUBLIC_CATALOG', public_catalog, registry_server_executor.on(liveserver)):
-    results = v2_protocol.catalog(liveserver_session, page_size=page_size, credentials=credentials,
-                                  namespace='devtable', repo_name='simple')
+    images = [Image(id="theimage", parent_id=None, bytes=random_layer_data)]
 
-  if expected_repos is None:
+    options = ProtocolOptions()
+    options.chunks_for_upload = adjusted_chunks
+
+    # Push the image, using the specified chunking.
+    manifest_protocol.push(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        images,
+        credentials=credentials,
+        options=options,
+    )
+
+    # Pull to verify the image was created.
+    puller.pull(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        images,
+        credentials=credentials,
+    )
+
+
+def test_chunked_uploading_mismatched_chunks(
+    manifest_protocol, random_layer_data, liveserver_session, app_reloader
+):
+    """ Test: Attempt to upload chunks with data missing. """
+    credentials = ("devtable", "password")
+
+    images = [Image(id="theimage", parent_id=None, bytes=random_layer_data)]
+
+    # Note: Byte #100 is missing.
+    options = ProtocolOptions()
+    options.chunks_for_upload = [(0, 100), (101, len(random_layer_data), 416)]
+
+    # Attempt to push, with the chunked upload failing.
+    manifest_protocol.push(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        images,
+        credentials=credentials,
+        options=options,
+    )
+
+
+def test_pull_disabled_namespace(
+    pusher,
+    puller,
+    basic_images,
+    liveserver_session,
+    app_reloader,
+    liveserver,
+    registry_server_executor,
+):
+    """ Test: Attempt to pull a repository from a disabled namespace results in an error. """
+    credentials = ("devtable", "password")
+
+    # Push a new repository.
+    pusher.push(
+        liveserver_session,
+        "buynlarge",
+        "someneworgrepo",
+        "latest",
+        basic_images,
+        credentials=credentials,
+    )
+
+    # Disable the namespace.
+    registry_server_executor.on(liveserver).disable_namespace("buynlarge")
+
+    # Attempt to pull, which should fail.
+    puller.pull(
+        liveserver_session,
+        "buynlarge",
+        "someneworgrepo",
+        "latest",
+        basic_images,
+        credentials=credentials,
+        expected_failure=Failures.NAMESPACE_DISABLED,
+    )
+
+
+def test_push_disabled_namespace(
+    pusher,
+    basic_images,
+    liveserver_session,
+    app_reloader,
+    liveserver,
+    registry_server_executor,
+):
+    """ Test: Attempt to push a repository from a disabled namespace results in an error. """
+    credentials = ("devtable", "password")
+
+    # Disable the namespace.
+    registry_server_executor.on(liveserver).disable_namespace("buynlarge")
+
+    # Attempt to push, which should fail.
+    pusher.push(
+        liveserver_session,
+        "buynlarge",
+        "someneworgrepo",
+        "latest",
+        basic_images,
+        credentials=credentials,
+        expected_failure=Failures.NAMESPACE_DISABLED,
+    )
+
+
+def test_private_catalog_no_access(
+    v2_protocol, liveserver_session, app_reloader, liveserver, registry_server_executor
+):
+    """ Test: Ensure that accessing a private catalog with anonymous access results in no database
+      connections.
+  """
+    with FeatureFlagValue(
+        "PUBLIC_CATALOG", False, registry_server_executor.on(liveserver)
+    ):
+        # Disconnect the server from the database.
+        registry_server_executor.on(liveserver).break_database()
+
+        results = v2_protocol.catalog(liveserver_session)
+        assert not results
+
+
+@pytest.mark.parametrize(
+    "public_catalog, credentials, expected_repos",
+    [
+        # No public access and no credentials => No results.
+        (False, None, None),
+        # Public access and no credentials => public repositories.
+        (True, None, ["public/publicrepo"]),
+        # Private creds => private repositories.
+        (
+            False,
+            ("devtable", "password"),
+            ["devtable/simple", "devtable/complex", "devtable/gargantuan"],
+        ),
+        (
+            True,
+            ("devtable", "password"),
+            ["devtable/simple", "devtable/complex", "devtable/gargantuan"],
+        ),
+    ],
+)
+@pytest.mark.parametrize("page_size", [1, 2, 10, 50, 100])
+def test_catalog(
+    public_catalog,
+    credentials,
+    expected_repos,
+    page_size,
+    v2_protocol,
+    liveserver_session,
+    app_reloader,
+    liveserver,
+    registry_server_executor,
+):
+    """ Test: Retrieving results from the V2 catalog. """
+    with FeatureFlagValue(
+        "PUBLIC_CATALOG", public_catalog, registry_server_executor.on(liveserver)
+    ):
+        results = v2_protocol.catalog(
+            liveserver_session,
+            page_size=page_size,
+            credentials=credentials,
+            namespace="devtable",
+            repo_name="simple",
+        )
+
+    if expected_repos is None:
+        assert len(results) == 0
+    else:
+        assert set(expected_repos).issubset(set(results))
+
+
+def test_catalog_caching(
+    v2_protocol,
+    basic_images,
+    liveserver_session,
+    app_reloader,
+    liveserver,
+    registry_server_executor,
+):
+    """ Test: Calling the catalog after initially pulled will result in the catalog being cached. """
+    credentials = ("devtable", "password")
+
+    # Conduct the initial catalog call to prime the cache.
+    results = v2_protocol.catalog(
+        liveserver_session,
+        credentials=credentials,
+        namespace="devtable",
+        repo_name="simple",
+    )
+
+    token, _ = v2_protocol.auth(liveserver_session, credentials, "devtable", "simple")
+
+    # Disconnect the server from the database.
+    registry_server_executor.on(liveserver).break_database()
+
+    # Call the catalog again, which should now be cached.
+    cached_results = v2_protocol.catalog(liveserver_session, bearer_token=token)
+    assert len(cached_results) == len(results)
+    assert set(cached_results) == set(results)
+
+
+def test_catalog_disabled_namespace(
+    v2_protocol,
+    basic_images,
+    liveserver_session,
+    app_reloader,
+    liveserver,
+    registry_server_executor,
+):
+    credentials = ("devtable", "password")
+
+    # Get a valid token.
+    token, _ = v2_protocol.auth(liveserver_session, credentials, "devtable", "simple")
+
+    # Disable the devtable namespace.
+    registry_server_executor.on(liveserver).disable_namespace("devtable")
+
+    # Try to retrieve the catalog and ensure it fails to return any results.
+    results = v2_protocol.catalog(liveserver_session, bearer_token=token)
     assert len(results) == 0
-  else:
-    assert set(expected_repos).issubset(set(results))
 
 
-def test_catalog_caching(v2_protocol, basic_images, liveserver_session, app_reloader,
-                         liveserver, registry_server_executor):
-  """ Test: Calling the catalog after initially pulled will result in the catalog being cached. """
-  credentials = ('devtable', 'password')
+@pytest.mark.parametrize(
+    "username, namespace, repository",
+    [
+        ("devtable", "devtable", "simple"),
+        ("devtable", "devtable", "gargantuan"),
+        ("public", "public", "publicrepo"),
+        ("devtable", "buynlarge", "orgrepo"),
+    ],
+)
+@pytest.mark.parametrize("page_size", [1, 2, 10, 50, 100])
+def test_tags(
+    username,
+    namespace,
+    repository,
+    page_size,
+    v2_protocol,
+    liveserver_session,
+    app_reloader,
+    liveserver,
+    registry_server_executor,
+):
+    """ Test: Retrieving results from the V2 catalog. """
+    credentials = (username, "password")
+    results = v2_protocol.tags(
+        liveserver_session,
+        page_size=page_size,
+        credentials=credentials,
+        namespace=namespace,
+        repo_name=repository,
+    )
 
-  # Conduct the initial catalog call to prime the cache.
-  results = v2_protocol.catalog(liveserver_session, credentials=credentials,
-                                namespace='devtable', repo_name='simple')
+    expected_tags = [tag.name for tag in list_repository_tags(namespace, repository)]
+    assert len(results) == len(expected_tags)
+    assert set([r for r in results]) == set(expected_tags)
 
-  token, _ = v2_protocol.auth(liveserver_session, credentials, 'devtable', 'simple')
-
-  # Disconnect the server from the database.
-  registry_server_executor.on(liveserver).break_database()
-
-  # Call the catalog again, which should now be cached.
-  cached_results = v2_protocol.catalog(liveserver_session, bearer_token=token)
-  assert len(cached_results) == len(results)
-  assert set(cached_results) == set(results)
+    # Invoke the tags endpoint again to ensure caching works.
+    results = v2_protocol.tags(
+        liveserver_session,
+        page_size=page_size,
+        credentials=credentials,
+        namespace=namespace,
+        repo_name=repository,
+    )
+    assert len(results) == len(expected_tags)
+    assert set([r for r in results]) == set(expected_tags)
 
 
-def test_catalog_disabled_namespace(v2_protocol, basic_images, liveserver_session, app_reloader,
-                                    liveserver, registry_server_executor):
-  credentials = ('devtable', 'password')
+def test_tags_disabled_namespace(
+    v2_protocol,
+    basic_images,
+    liveserver_session,
+    app_reloader,
+    liveserver,
+    registry_server_executor,
+):
+    credentials = ("devtable", "password")
 
-  # Get a valid token.
-  token, _ = v2_protocol.auth(liveserver_session, credentials, 'devtable', 'simple')
+    # Disable the buynlarge namespace.
+    registry_server_executor.on(liveserver).disable_namespace("buynlarge")
 
-  # Disable the devtable namespace.
-  registry_server_executor.on(liveserver).disable_namespace('devtable')
-
-  # Try to retrieve the catalog and ensure it fails to return any results.
-  results = v2_protocol.catalog(liveserver_session, bearer_token=token)
-  assert len(results) == 0
+    # Try to retrieve the tags and ensure it fails.
+    v2_protocol.tags(
+        liveserver_session,
+        credentials=credentials,
+        namespace="buynlarge",
+        repo_name="orgrepo",
+        expected_failure=Failures.NAMESPACE_DISABLED,
+    )
 
 
-@pytest.mark.parametrize('username, namespace, repository', [
-  ('devtable', 'devtable', 'simple'),
-  ('devtable', 'devtable', 'gargantuan'),
-  ('public', 'public', 'publicrepo'),
-  ('devtable', 'buynlarge', 'orgrepo'),
-])
-@pytest.mark.parametrize('page_size', [
-  1,
-  2,
-  10,
-  50,
-  100,
-])
-def test_tags(username, namespace, repository, page_size, v2_protocol, liveserver_session,
-              app_reloader, liveserver, registry_server_executor):
-  """ Test: Retrieving results from the V2 catalog. """
-  credentials = (username, 'password')
-  results = v2_protocol.tags(liveserver_session, page_size=page_size, credentials=credentials,
-                             namespace=namespace, repo_name=repository)
+def test_pull_torrent(
+    pusher,
+    basic_images,
+    liveserver_session,
+    liveserver,
+    registry_server_executor,
+    app_reloader,
+):
+    """ Test: Retrieve a torrent for pulling the image via the Quay CLI. """
+    credentials = ("devtable", "password")
 
-  expected_tags = [tag.name for tag in list_repository_tags(namespace, repository)]
-  assert len(results) == len(expected_tags)
-  assert set([r for r in results]) == set(expected_tags)
+    # Push an image to download.
+    pusher.push(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        basic_images,
+        credentials=credentials,
+    )
 
-  # Invoke the tags endpoint again to ensure caching works.
-  results = v2_protocol.tags(liveserver_session, page_size=page_size, credentials=credentials,
-                             namespace=namespace, repo_name=repository)
-  assert len(results) == len(expected_tags)
-  assert set([r for r in results]) == set(expected_tags)
+    # Required for torrent.
+    registry_server_executor.on(liveserver).set_supports_direct_download(True)
+
+    # For each layer, retrieve a torrent for the blob.
+    for image in basic_images:
+        digest = "sha256:" + hashlib.sha256(image.bytes).hexdigest()
+        response = liveserver_session.get(
+            "/c1/torrent/devtable/newrepo/blobs/%s" % digest, auth=credentials
+        )
+        torrent_info = bencode.bdecode(response.content)
+
+        # Check the announce URL.
+        assert torrent_info["url-list"] == "http://somefakeurl?goes=here"
+
+        # Check the metadata.
+        assert torrent_info.get("info", {}).get("pieces") is not None
+        assert torrent_info.get("announce") is not None
+
+        # Check the pieces.
+        sha = resumablehashlib.sha1()
+        sha.update(image.bytes)
+
+        expected = binascii.hexlify(sha.digest())
+        found = binascii.hexlify(torrent_info["info"]["pieces"])
+        assert expected == found
 
 
-def test_tags_disabled_namespace(v2_protocol, basic_images, liveserver_session, app_reloader,
-                                 liveserver, registry_server_executor):
-  credentials = ('devtable', 'password')
+def test_squashed_image_disabled_namespace(
+    pusher,
+    sized_images,
+    liveserver_session,
+    liveserver,
+    registry_server_executor,
+    app_reloader,
+):
+    """ Test: Attempting to pull a squashed image from a disabled namespace. """
+    credentials = ("devtable", "password")
 
-  # Disable the buynlarge namespace.
-  registry_server_executor.on(liveserver).disable_namespace('buynlarge')
+    # Push an image to download.
+    pusher.push(
+        liveserver_session,
+        "buynlarge",
+        "newrepo",
+        "latest",
+        sized_images,
+        credentials=credentials,
+    )
 
-  # Try to retrieve the tags and ensure it fails.
-  v2_protocol.tags(liveserver_session, credentials=credentials, namespace='buynlarge',
-                   repo_name='orgrepo', expected_failure=Failures.NAMESPACE_DISABLED)
+    # Disable the buynlarge namespace.
+    registry_server_executor.on(liveserver).disable_namespace("buynlarge")
+
+    # Attempt to pull the squashed version.
+    response = liveserver_session.get(
+        "/c1/squash/buynlarge/newrepo/latest", auth=credentials
+    )
+    assert response.status_code == 400
 
 
-def test_pull_torrent(pusher, basic_images, liveserver_session, liveserver,
-                      registry_server_executor, app_reloader):
-  """ Test: Retrieve a torrent for pulling the image via the Quay CLI. """
-  credentials = ('devtable', 'password')
+def test_squashed_image_disabled_user(
+    pusher,
+    sized_images,
+    liveserver_session,
+    liveserver,
+    registry_server_executor,
+    app_reloader,
+):
+    """ Test: Attempting to pull a squashed image via a disabled user. """
+    credentials = ("devtable", "password")
 
-  # Push an image to download.
-  pusher.push(liveserver_session, 'devtable', 'newrepo', 'latest', basic_images,
-              credentials=credentials)
+    # Push an image to download.
+    pusher.push(
+        liveserver_session,
+        "buynlarge",
+        "newrepo",
+        "latest",
+        sized_images,
+        credentials=credentials,
+    )
 
-  # Required for torrent.
-  registry_server_executor.on(liveserver).set_supports_direct_download(True)
+    # Disable the devtable namespace.
+    registry_server_executor.on(liveserver).disable_namespace("devtable")
 
-  # For each layer, retrieve a torrent for the blob.
-  for image in basic_images:
-    digest = 'sha256:' + hashlib.sha256(image.bytes).hexdigest()
-    response = liveserver_session.get('/c1/torrent/devtable/newrepo/blobs/%s' % digest,
-                                      auth=credentials)
-    torrent_info = bencode.bdecode(response.content)
-
-    # Check the announce URL.
-    assert torrent_info['url-list'] == 'http://somefakeurl?goes=here'
-
-    # Check the metadata.
-    assert torrent_info.get('info', {}).get('pieces') is not None
-    assert torrent_info.get('announce') is not None
-
-    # Check the pieces.
-    sha = resumablehashlib.sha1()
-    sha.update(image.bytes)
-
-    expected = binascii.hexlify(sha.digest())
-    found = binascii.hexlify(torrent_info['info']['pieces'])
-    assert expected == found
+    # Attempt to pull the squashed version.
+    response = liveserver_session.get(
+        "/c1/squash/buynlarge/newrepo/latest", auth=credentials
+    )
+    assert response.status_code == 403
 
 
-def test_squashed_image_disabled_namespace(pusher, sized_images, liveserver_session,
-                                           liveserver, registry_server_executor, app_reloader):
-  """ Test: Attempting to pull a squashed image from a disabled namespace. """
-  credentials = ('devtable', 'password')
+@pytest.mark.parametrize("use_estimates", [False, True])
+def test_multilayer_squashed_images(
+    use_estimates,
+    pusher,
+    multi_layer_images,
+    liveserver_session,
+    liveserver,
+    registry_server_executor,
+    app_reloader,
+):
+    """ Test: Pulling of multilayer, complex squashed images. """
+    credentials = ("devtable", "password")
 
-  # Push an image to download.
-  pusher.push(liveserver_session, 'buynlarge', 'newrepo', 'latest', sized_images,
-              credentials=credentials)
+    # Push an image to download.
+    pusher.push(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        multi_layer_images,
+        credentials=credentials,
+    )
 
-  # Disable the buynlarge namespace.
-  registry_server_executor.on(liveserver).disable_namespace('buynlarge')
+    if use_estimates:
+        # Clear the uncompressed size stored for the images, to ensure that we estimate instead.
+        for image in multi_layer_images:
+            registry_server_executor.on(liveserver).clear_uncompressed_size(image.id)
 
-  # Attempt to pull the squashed version.
-  response = liveserver_session.get('/c1/squash/buynlarge/newrepo/latest', auth=credentials)
-  assert response.status_code == 400
-
-
-def test_squashed_image_disabled_user(pusher, sized_images, liveserver_session,
-                                      liveserver, registry_server_executor, app_reloader):
-  """ Test: Attempting to pull a squashed image via a disabled user. """
-  credentials = ('devtable', 'password')
-
-  # Push an image to download.
-  pusher.push(liveserver_session, 'buynlarge', 'newrepo', 'latest', sized_images,
-              credentials=credentials)
-
-  # Disable the devtable namespace.
-  registry_server_executor.on(liveserver).disable_namespace('devtable')
-
-  # Attempt to pull the squashed version.
-  response = liveserver_session.get('/c1/squash/buynlarge/newrepo/latest', auth=credentials)
-  assert response.status_code == 403
-
-
-@pytest.mark.parametrize('use_estimates', [
-  False,
-  True,
-])
-def test_multilayer_squashed_images(use_estimates, pusher, multi_layer_images, liveserver_session,
-                                    liveserver, registry_server_executor, app_reloader):
-  """ Test: Pulling of multilayer, complex squashed images. """
-  credentials = ('devtable', 'password')
-
-  # Push an image to download.
-  pusher.push(liveserver_session, 'devtable', 'newrepo', 'latest', multi_layer_images,
-              credentials=credentials)
-
-  if use_estimates:
-    # Clear the uncompressed size stored for the images, to ensure that we estimate instead.
-    for image in multi_layer_images:
-      registry_server_executor.on(liveserver).clear_uncompressed_size(image.id)
-
-  # Pull the squashed version.
-  response = liveserver_session.get('/c1/squash/devtable/newrepo/latest', auth=credentials)
-  assert response.status_code == 200
-
-  tar = tarfile.open(fileobj=StringIO(response.content))
-
-  # Verify the squashed image.
-  expected_image_id = '9d35b270436387f821e08de0dfdd501efd70de893ec2c2c7cb01ef19008bee7a'
-  expected_names = ['repositories',
-                    expected_image_id,
-                    '%s/json' % expected_image_id,
-                    '%s/VERSION' % expected_image_id,
-                    '%s/layer.tar' % expected_image_id]
-
-  assert tar.getnames() == expected_names
-
-  # Verify the JSON image data.
-  json_data = (tar.extractfile(tar.getmember('%s/json' % expected_image_id)).read())
-
-  # Ensure the JSON loads and parses.
-  result = json.loads(json_data)
-  assert result['id'] == expected_image_id
-  assert result['config']['internal_id'] == 'layer5'
-
-  # Ensure that squashed layer tar can be opened.
-  tar = tarfile.open(fileobj=tar.extractfile(tar.getmember('%s/layer.tar' % expected_image_id)))
-  assert set(tar.getnames()) == {'contents', 'file1', 'file2', 'file3', 'file4'}
-
-  # Check the contents of various files.
-  assert tar.extractfile('contents').read() == 'layer 5 contents'
-  assert tar.extractfile('file1').read() == 'from-layer-3'
-  assert tar.extractfile('file2').read() == 'from-layer-2'
-  assert tar.extractfile('file3').read() == 'from-layer-4'
-  assert tar.extractfile('file4').read() == 'from-layer-5'
-
-
-@pytest.mark.parametrize('use_estimates', [
-  False,
-  True,
-])
-@pytest.mark.parametrize('is_readonly', [
-  False,
-  True,
-])
-def test_squashed_images(use_estimates, pusher, sized_images, liveserver_session, is_readonly,
-                         liveserver, registry_server_executor, app_reloader):
-  """ Test: Pulling of squashed images. """
-  credentials = ('devtable', 'password')
-
-  # Push an image to download.
-  pusher.push(liveserver_session, 'devtable', 'newrepo', 'latest', sized_images,
-              credentials=credentials)
-
-  if use_estimates:
-    # Clear the uncompressed size stored for the images, to ensure that we estimate instead.
-    for image in sized_images:
-      registry_server_executor.on(liveserver).clear_uncompressed_size(image.id)
-
-  # Pull the squashed version.
-  with ConfigChange('REGISTRY_STATE', 'readonly' if is_readonly else 'normal',
-                    registry_server_executor.on(liveserver), liveserver):
-    response = liveserver_session.get('/c1/squash/devtable/newrepo/latest', auth=credentials)
+    # Pull the squashed version.
+    response = liveserver_session.get(
+        "/c1/squash/devtable/newrepo/latest", auth=credentials
+    )
     assert response.status_code == 200
 
     tar = tarfile.open(fileobj=StringIO(response.content))
 
     # Verify the squashed image.
-    expected_image_id = next((name for name in tar.getnames()
-                              if not '/' in name and name != 'repositories'))
-    expected_names = ['repositories',
-                      expected_image_id,
-                      '%s/json' % expected_image_id,
-                      '%s/VERSION' % expected_image_id,
-                      '%s/layer.tar' % expected_image_id]
+    expected_image_id = (
+        "9d35b270436387f821e08de0dfdd501efd70de893ec2c2c7cb01ef19008bee7a"
+    )
+    expected_names = [
+        "repositories",
+        expected_image_id,
+        "%s/json" % expected_image_id,
+        "%s/VERSION" % expected_image_id,
+        "%s/layer.tar" % expected_image_id,
+    ]
 
     assert tar.getnames() == expected_names
 
     # Verify the JSON image data.
-    json_data = (tar.extractfile(tar.getmember('%s/json' % expected_image_id)).read())
+    json_data = tar.extractfile(tar.getmember("%s/json" % expected_image_id)).read()
 
     # Ensure the JSON loads and parses.
     result = json.loads(json_data)
-    assert result['id'] == expected_image_id
-    assert result['config']['foo'] == 'childbar'
+    assert result["id"] == expected_image_id
+    assert result["config"]["internal_id"] == "layer5"
 
     # Ensure that squashed layer tar can be opened.
-    tar = tarfile.open(fileobj=tar.extractfile(tar.getmember('%s/layer.tar' % expected_image_id)))
-    assert tar.getnames() == ['contents']
+    tar = tarfile.open(
+        fileobj=tar.extractfile(tar.getmember("%s/layer.tar" % expected_image_id))
+    )
+    assert set(tar.getnames()) == {"contents", "file1", "file2", "file3", "file4"}
 
-    # Check the contents.
-    assert tar.extractfile('contents').read() == 'some contents'
+    # Check the contents of various files.
+    assert tar.extractfile("contents").read() == "layer 5 contents"
+    assert tar.extractfile("file1").read() == "from-layer-3"
+    assert tar.extractfile("file2").read() == "from-layer-2"
+    assert tar.extractfile("file3").read() == "from-layer-4"
+    assert tar.extractfile("file4").read() == "from-layer-5"
+
+
+@pytest.mark.parametrize("use_estimates", [False, True])
+@pytest.mark.parametrize("is_readonly", [False, True])
+def test_squashed_images(
+    use_estimates,
+    pusher,
+    sized_images,
+    liveserver_session,
+    is_readonly,
+    liveserver,
+    registry_server_executor,
+    app_reloader,
+):
+    """ Test: Pulling of squashed images. """
+    credentials = ("devtable", "password")
+
+    # Push an image to download.
+    pusher.push(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        sized_images,
+        credentials=credentials,
+    )
+
+    if use_estimates:
+        # Clear the uncompressed size stored for the images, to ensure that we estimate instead.
+        for image in sized_images:
+            registry_server_executor.on(liveserver).clear_uncompressed_size(image.id)
+
+    # Pull the squashed version.
+    with ConfigChange(
+        "REGISTRY_STATE",
+        "readonly" if is_readonly else "normal",
+        registry_server_executor.on(liveserver),
+        liveserver,
+    ):
+        response = liveserver_session.get(
+            "/c1/squash/devtable/newrepo/latest", auth=credentials
+        )
+        assert response.status_code == 200
+
+        tar = tarfile.open(fileobj=StringIO(response.content))
+
+        # Verify the squashed image.
+        expected_image_id = next(
+            (
+                name
+                for name in tar.getnames()
+                if not "/" in name and name != "repositories"
+            )
+        )
+        expected_names = [
+            "repositories",
+            expected_image_id,
+            "%s/json" % expected_image_id,
+            "%s/VERSION" % expected_image_id,
+            "%s/layer.tar" % expected_image_id,
+        ]
+
+        assert tar.getnames() == expected_names
+
+        # Verify the JSON image data.
+        json_data = tar.extractfile(tar.getmember("%s/json" % expected_image_id)).read()
+
+        # Ensure the JSON loads and parses.
+        result = json.loads(json_data)
+        assert result["id"] == expected_image_id
+        assert result["config"]["foo"] == "childbar"
+
+        # Ensure that squashed layer tar can be opened.
+        tar = tarfile.open(
+            fileobj=tar.extractfile(tar.getmember("%s/layer.tar" % expected_image_id))
+        )
+        assert tar.getnames() == ["contents"]
+
+        # Check the contents.
+        assert tar.extractfile("contents").read() == "some contents"
 
 
 EXPECTED_ACI_MANIFEST = {
-  "acKind": "ImageManifest",
-  "app": {
-    "environment": [],
-    "mountPoints": [],
-    "group": "root",
-    "user": "root",
-    "workingDirectory": "/",
-    "exec": [u'/bin/sh', u'-c', u'""hello""'],
-    "isolators": [],
-    "eventHandlers": [],
-    "ports": [],
-    "annotations": [
-      {"name": "created", "value": "2018-04-03T18:37:09.284840891Z"},
-      {"name": "homepage", "value": "http://localhost:5000/devtable/newrepo:latest"},
-      {"name": "quay.io/derived-image", "value": "DERIVED_IMAGE_ID"},
-    ]
-  },
-  "labels": [
-    {"name": "version", "value": "latest"},
-    {"name": "arch", "value": "amd64"},
-    {"name": "os", "value": "linux"}
-  ],
-  "acVersion": "0.6.1",
-  "name": "localhost/devtable/newrepo",
+    "acKind": "ImageManifest",
+    "app": {
+        "environment": [],
+        "mountPoints": [],
+        "group": "root",
+        "user": "root",
+        "workingDirectory": "/",
+        "exec": [u"/bin/sh", u"-c", u'""hello""'],
+        "isolators": [],
+        "eventHandlers": [],
+        "ports": [],
+        "annotations": [
+            {"name": "created", "value": "2018-04-03T18:37:09.284840891Z"},
+            {
+                "name": "homepage",
+                "value": "http://localhost:5000/devtable/newrepo:latest",
+            },
+            {"name": "quay.io/derived-image", "value": "DERIVED_IMAGE_ID"},
+        ],
+    },
+    "labels": [
+        {"name": "version", "value": "latest"},
+        {"name": "arch", "value": "amd64"},
+        {"name": "os", "value": "linux"},
+    ],
+    "acVersion": "0.6.1",
+    "name": "localhost/devtable/newrepo",
 }
 
-@pytest.mark.parametrize('is_readonly', [
-  False,
-  True,
-])
-def test_aci_conversion(pusher, sized_images, liveserver_session, is_readonly,
-                        liveserver, registry_server_executor, app_reloader):
-  """ Test: Pulling of ACI converted images. """
-  credentials = ('devtable', 'password')
 
-  # Push an image to download.
-  pusher.push(liveserver_session, 'devtable', 'newrepo', 'latest', sized_images,
-              credentials=credentials)
+@pytest.mark.parametrize("is_readonly", [False, True])
+def test_aci_conversion(
+    pusher,
+    sized_images,
+    liveserver_session,
+    is_readonly,
+    liveserver,
+    registry_server_executor,
+    app_reloader,
+):
+    """ Test: Pulling of ACI converted images. """
+    credentials = ("devtable", "password")
 
-  # Pull the ACI version.
-  with ConfigChange('REGISTRY_STATE', 'readonly' if is_readonly else 'normal',
-                    registry_server_executor.on(liveserver), liveserver):
-    response = liveserver_session.get('/c1/aci/server_name/devtable/newrepo/latest/aci/linux/amd64',
-                                      auth=credentials)
+    # Push an image to download.
+    pusher.push(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        sized_images,
+        credentials=credentials,
+    )
+
+    # Pull the ACI version.
+    with ConfigChange(
+        "REGISTRY_STATE",
+        "readonly" if is_readonly else "normal",
+        registry_server_executor.on(liveserver),
+        liveserver,
+    ):
+        response = liveserver_session.get(
+            "/c1/aci/server_name/devtable/newrepo/latest/aci/linux/amd64",
+            auth=credentials,
+        )
+        assert response.status_code == 200
+        tar = tarfile.open(fileobj=StringIO(response.content))
+        assert set(tar.getnames()) == {"manifest", "rootfs", "rootfs/contents"}
+
+        assert tar.extractfile("rootfs/contents").read() == "some contents"
+        loaded = json.loads(tar.extractfile("manifest").read())
+        for annotation in loaded["app"]["annotations"]:
+            if annotation["name"] == "quay.io/derived-image":
+                annotation["value"] = "DERIVED_IMAGE_ID"
+
+        assert loaded == EXPECTED_ACI_MANIFEST
+
+    if not is_readonly:
+        # Wait for the ACI signature to be written.
+        time.sleep(1)
+
+        # Pull the ACI signature.
+        response = liveserver_session.get(
+            "/c1/aci/server_name/devtable/newrepo/latest/aci.asc/linux/amd64",
+            auth=credentials,
+        )
+        assert response.status_code == 200
+
+
+@pytest.mark.parametrize("schema_version", [1, 2])
+def test_aci_conversion_manifest_list(
+    v22_protocol,
+    sized_images,
+    different_images,
+    liveserver_session,
+    data_model,
+    liveserver,
+    registry_server_executor,
+    app_reloader,
+    schema_version,
+):
+    """ Test: Pulling of ACI converted image from a manifest list. """
+    if data_model != "oci_model":
+        return
+
+    credentials = ("devtable", "password")
+    options = ProtocolOptions()
+
+    # Build the manifests that will go in the list.
+    blobs = {}
+
+    signed = v22_protocol.build_schema1(
+        "devtable", "newrepo", "latest", sized_images, blobs, options, arch="amd64"
+    )
+    first_manifest = signed.unsigned()
+    if schema_version == 2:
+        first_manifest = v22_protocol.build_schema2(sized_images, blobs, options)
+
+    second_manifest = v22_protocol.build_schema2(different_images, blobs, options)
+
+    # Create and push the manifest list.
+    builder = DockerSchema2ManifestListBuilder()
+    builder.add_manifest(first_manifest, "amd64", "linux")
+    builder.add_manifest(second_manifest, "arm", "linux")
+    manifestlist = builder.build()
+
+    v22_protocol.push_list(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        manifestlist,
+        [first_manifest, second_manifest],
+        blobs,
+        credentials=credentials,
+        options=options,
+    )
+
+    # Pull the ACI version.
+    response = liveserver_session.get(
+        "/c1/aci/server_name/devtable/newrepo/latest/aci/linux/amd64", auth=credentials
+    )
     assert response.status_code == 200
     tar = tarfile.open(fileobj=StringIO(response.content))
-    assert set(tar.getnames()) == {'manifest', 'rootfs', 'rootfs/contents'}
+    assert set(tar.getnames()) == {"manifest", "rootfs", "rootfs/contents"}
 
-    assert tar.extractfile('rootfs/contents').read() == 'some contents'
-    loaded = json.loads(tar.extractfile('manifest').read())
-    for annotation in loaded['app']['annotations']:
-      if annotation['name'] == 'quay.io/derived-image':
-        annotation['value'] = 'DERIVED_IMAGE_ID'
+    assert tar.extractfile("rootfs/contents").read() == "some contents"
+
+    loaded = json.loads(tar.extractfile("manifest").read())
+    for annotation in loaded["app"]["annotations"]:
+        if annotation["name"] == "quay.io/derived-image":
+            annotation["value"] = "DERIVED_IMAGE_ID"
 
     assert loaded == EXPECTED_ACI_MANIFEST
 
-  if not is_readonly:
     # Wait for the ACI signature to be written.
     time.sleep(1)
 
     # Pull the ACI signature.
     response = liveserver_session.get(
-      '/c1/aci/server_name/devtable/newrepo/latest/aci.asc/linux/amd64',
-      auth=credentials)
+        "/c1/aci/server_name/devtable/newrepo/latest/aci.asc/linux/amd64",
+        auth=credentials,
+    )
     assert response.status_code == 200
 
 
-@pytest.mark.parametrize('schema_version', [
-  1,
-  2,
-])
-def test_aci_conversion_manifest_list(v22_protocol, sized_images, different_images,
-                                      liveserver_session, data_model, liveserver,
-                                      registry_server_executor, app_reloader, schema_version):
-  """ Test: Pulling of ACI converted image from a manifest list. """
-  if data_model != 'oci_model':
-    return
+@pytest.mark.parametrize(
+    "push_user, push_namespace, push_repo, mount_repo_name, expected_failure",
+    [
+        # Successful mount, same namespace.
+        ("devtable", "devtable", "baserepo", "devtable/baserepo", None),
+        # Successful mount, cross namespace.
+        ("devtable", "buynlarge", "baserepo", "buynlarge/baserepo", None),
+        # Unsuccessful mount, unknown repo.
+        (
+            "devtable",
+            "devtable",
+            "baserepo",
+            "unknown/repohere",
+            Failures.UNAUTHORIZED_FOR_MOUNT,
+        ),
+        # Unsuccessful mount, no access.
+        (
+            "public",
+            "public",
+            "baserepo",
+            "public/baserepo",
+            Failures.UNAUTHORIZED_FOR_MOUNT,
+        ),
+    ],
+)
+def test_blob_mounting(
+    push_user,
+    push_namespace,
+    push_repo,
+    mount_repo_name,
+    expected_failure,
+    manifest_protocol,
+    pusher,
+    puller,
+    basic_images,
+    liveserver_session,
+    app_reloader,
+):
+    # Push an image so we can attempt to mount it.
+    pusher.push(
+        liveserver_session,
+        push_namespace,
+        push_repo,
+        "latest",
+        basic_images,
+        credentials=(push_user, "password"),
+    )
 
-  credentials = ('devtable', 'password')
-  options = ProtocolOptions()
+    # Push again, trying to mount the image layer(s) from the mount repo.
+    options = ProtocolOptions()
+    options.scopes = [
+        "repository:devtable/newrepo:push,pull",
+        "repository:%s:pull" % (mount_repo_name),
+    ]
+    options.mount_blobs = {
+        "sha256:" + hashlib.sha256(image.bytes).hexdigest(): mount_repo_name
+        for image in basic_images
+    }
 
-  # Build the manifests that will go in the list.
-  blobs = {}
+    manifest_protocol.push(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        basic_images,
+        credentials=("devtable", "password"),
+        options=options,
+        expected_failure=expected_failure,
+    )
 
-  signed = v22_protocol.build_schema1('devtable', 'newrepo', 'latest', sized_images, blobs, options,
-                                      arch='amd64')
-  first_manifest = signed.unsigned()
-  if schema_version == 2:
-    first_manifest = v22_protocol.build_schema2(sized_images, blobs, options)
-
-  second_manifest = v22_protocol.build_schema2(different_images, blobs, options)
-
-  # Create and push the manifest list.
-  builder = DockerSchema2ManifestListBuilder()
-  builder.add_manifest(first_manifest, 'amd64', 'linux')
-  builder.add_manifest(second_manifest, 'arm', 'linux')
-  manifestlist = builder.build()
-
-  v22_protocol.push_list(liveserver_session, 'devtable', 'newrepo', 'latest', manifestlist,
-                         [first_manifest, second_manifest], blobs,
-                         credentials=credentials, options=options)
-
-  # Pull the ACI version.
-  response = liveserver_session.get('/c1/aci/server_name/devtable/newrepo/latest/aci/linux/amd64',
-                                    auth=credentials)
-  assert response.status_code == 200
-  tar = tarfile.open(fileobj=StringIO(response.content))
-  assert set(tar.getnames()) == {'manifest', 'rootfs', 'rootfs/contents'}
-
-  assert tar.extractfile('rootfs/contents').read() == 'some contents'
-
-  loaded = json.loads(tar.extractfile('manifest').read())
-  for annotation in loaded['app']['annotations']:
-    if annotation['name'] == 'quay.io/derived-image':
-      annotation['value'] = 'DERIVED_IMAGE_ID'
-
-  assert loaded == EXPECTED_ACI_MANIFEST
-
-  # Wait for the ACI signature to be written.
-  time.sleep(1)
-
-  # Pull the ACI signature.
-  response = liveserver_session.get('/c1/aci/server_name/devtable/newrepo/latest/aci.asc/linux/amd64',
-                                    auth=credentials)
-  assert response.status_code == 200
+    if expected_failure is None:
+        # Pull to ensure it worked.
+        puller.pull(
+            liveserver_session,
+            "devtable",
+            "newrepo",
+            "latest",
+            basic_images,
+            credentials=("devtable", "password"),
+        )
 
 
-@pytest.mark.parametrize('push_user, push_namespace, push_repo, mount_repo_name, expected_failure', [
-  # Successful mount, same namespace.
-  ('devtable', 'devtable', 'baserepo', 'devtable/baserepo', None),
+def test_blob_mounting_with_empty_layers(
+    manifest_protocol,
+    pusher,
+    puller,
+    images_with_empty_layer,
+    liveserver_session,
+    app_reloader,
+):
+    # Push an image so we can attempt to mount it.
+    pusher.push(
+        liveserver_session,
+        "devtable",
+        "simple",
+        "latest",
+        images_with_empty_layer,
+        credentials=("devtable", "password"),
+    )
 
-  # Successful mount, cross namespace.
-  ('devtable', 'buynlarge', 'baserepo', 'buynlarge/baserepo', None),
+    # Push again, trying to mount the image layer(s) from the mount repo.
+    options = ProtocolOptions()
+    options.scopes = [
+        "repository:devtable/newrepo:push,pull",
+        "repository:%s:pull" % ("devtable/simple"),
+    ]
+    options.mount_blobs = {
+        "sha256:" + hashlib.sha256(image.bytes).hexdigest(): "devtable/simple"
+        for image in images_with_empty_layer
+    }
+    options.skip_head_checks = True
 
-  # Unsuccessful mount, unknown repo.
-  ('devtable', 'devtable', 'baserepo', 'unknown/repohere', Failures.UNAUTHORIZED_FOR_MOUNT),
-
-  # Unsuccessful mount, no access.
-  ('public', 'public', 'baserepo', 'public/baserepo', Failures.UNAUTHORIZED_FOR_MOUNT),
-])
-def test_blob_mounting(push_user, push_namespace, push_repo, mount_repo_name, expected_failure,
-                       manifest_protocol, pusher, puller, basic_images, liveserver_session,
-                       app_reloader):
-  # Push an image so we can attempt to mount it.
-  pusher.push(liveserver_session, push_namespace, push_repo, 'latest', basic_images,
-              credentials=(push_user, 'password'))
-
-  # Push again, trying to mount the image layer(s) from the mount repo.
-  options = ProtocolOptions()
-  options.scopes = ['repository:devtable/newrepo:push,pull',
-                    'repository:%s:pull' % (mount_repo_name)]
-  options.mount_blobs = {'sha256:' + hashlib.sha256(image.bytes).hexdigest(): mount_repo_name
-                         for image in basic_images}
-
-  manifest_protocol.push(liveserver_session, 'devtable', 'newrepo', 'latest',
-                         basic_images,
-                         credentials=('devtable', 'password'),
-                         options=options,
-                         expected_failure=expected_failure)
-
-  if expected_failure is None:
-    # Pull to ensure it worked.
-    puller.pull(liveserver_session, 'devtable', 'newrepo', 'latest', basic_images,
-                credentials=('devtable', 'password'))
+    manifest_protocol.push(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        images_with_empty_layer,
+        credentials=("devtable", "password"),
+        options=options,
+    )
 
 
-def test_blob_mounting_with_empty_layers(manifest_protocol, pusher, puller, images_with_empty_layer,
-                                         liveserver_session, app_reloader):
-  # Push an image so we can attempt to mount it.
-  pusher.push(liveserver_session, 'devtable', 'simple', 'latest', images_with_empty_layer,
-              credentials=('devtable', 'password'))
+def get_robot_password(api_caller, username="ownerbot", namespace="buynlarge"):
+    api_caller.conduct_auth("devtable", "password")
 
-  # Push again, trying to mount the image layer(s) from the mount repo.
-  options = ProtocolOptions()
-  options.scopes = ['repository:devtable/newrepo:push,pull',
-                    'repository:%s:pull' % ('devtable/simple')]
-  options.mount_blobs = {'sha256:' + hashlib.sha256(image.bytes).hexdigest(): 'devtable/simple'
-                         for image in images_with_empty_layer}
-  options.skip_head_checks = True
+    if namespace == "buynlarge":
+        url = "/api/v1/organization/%s/robots/%s" % (namespace, username)
 
-  manifest_protocol.push(liveserver_session, 'devtable', 'newrepo', 'latest',
-                         images_with_empty_layer,
-                         credentials=('devtable', 'password'),
-                         options=options)
+    # devtable is a User, not an organization. Use a different endpoint
+    elif namespace == "devtable":
+        url = "/api/v1/user/robots/%s" % username
 
+    else:
+        raise NotImplementedError(
+            "Other robots have not been implemented for this test."
+        )
 
-def get_robot_password(api_caller, username='ownerbot', namespace='buynlarge'):
-  api_caller.conduct_auth('devtable', 'password')
-
-  if namespace == 'buynlarge':
-    url = '/api/v1/organization/%s/robots/%s' % (namespace, username)
-
-  # devtable is a User, not an organization. Use a different endpoint
-  elif namespace == 'devtable':
-    url = '/api/v1/user/robots/%s' % username
-
-  else:
-    raise NotImplementedError('Other robots have not been implemented for this test.')
-
-  resp = api_caller.get(url)
-  return resp.json()['token']
+    resp = api_caller.get(url)
+    return resp.json()["token"]
 
 
 def get_encrypted_password(api_caller):
-  api_caller.conduct_auth('devtable', 'password')
-  resp = api_caller.post('/api/v1/user/clientkey', data=json.dumps(dict(password='password')),
-                         headers={'Content-Type': 'application/json'})
-  return resp.json()['key']
+    api_caller.conduct_auth("devtable", "password")
+    resp = api_caller.post(
+        "/api/v1/user/clientkey",
+        data=json.dumps(dict(password="password")),
+        headers={"Content-Type": "application/json"},
+    )
+    return resp.json()["key"]
 
 
-@pytest.mark.parametrize('username, password, expect_success', [
-  # Invalid username.
-  ('invaliduser', 'somepassword', False),
+@pytest.mark.parametrize(
+    "username, password, expect_success",
+    [
+        # Invalid username.
+        ("invaliduser", "somepassword", False),
+        # Invalid password.
+        ("devtable", "invalidpassword", False),
+        # Invalid OAuth token.
+        ("$oauthtoken", "unknown", False),
+        # Invalid CLI token.
+        ("$app", "invalid", False),
+        # Valid.
+        ("devtable", "password", True),
+        # Robot.
+        ("buynlarge+ownerbot", get_robot_password, True),
+        # Encrypted password.
+        ("devtable", get_encrypted_password, True),
+        # OAuth.
+        ("$oauthtoken", "%s%s" % ("b" * 40, "c" * 40), True),
+        # CLI Token.
+        ("$app", "%s%s" % ("a" * 60, "b" * 60), True),
+    ],
+)
+def test_login(
+    username,
+    password,
+    expect_success,
+    loginer,
+    liveserver_session,
+    api_caller,
+    app_reloader,
+):
+    """ Test: Login flow. """
+    if not isinstance(password, str):
+        password = password(api_caller)
 
-  # Invalid password.
-  ('devtable', 'invalidpassword', False),
-
-  # Invalid OAuth token.
-  ('$oauthtoken', 'unknown', False),
-
-  # Invalid CLI token.
-  ('$app', 'invalid', False),
-
-  # Valid.
-  ('devtable', 'password', True),
-
-  # Robot.
-  ('buynlarge+ownerbot', get_robot_password, True),
-
-  # Encrypted password.
-  ('devtable', get_encrypted_password, True),
-
-  # OAuth.
-  ('$oauthtoken', '%s%s' % ('b' * 40, 'c' * 40), True),
-
-  # CLI Token.
-  ('$app', '%s%s' % ('a' * 60, 'b' * 60), True),
-])
-def test_login(username, password, expect_success, loginer, liveserver_session,
-               api_caller, app_reloader):
-  """ Test: Login flow. """
-  if not isinstance(password, str):
-    password = password(api_caller)
-
-  loginer.login(liveserver_session, username, password, [], expect_success)
+    loginer.login(liveserver_session, username, password, [], expect_success)
 
 
-@pytest.mark.parametrize('username, password, scopes, expected_access, expect_success', [
-  # No scopes.
-  ('devtable', 'password', [], [], True),
+@pytest.mark.parametrize(
+    "username, password, scopes, expected_access, expect_success",
+    [
+        # No scopes.
+        ("devtable", "password", [], [], True),
+        # Basic pull.
+        (
+            "devtable",
+            "password",
+            ["repository:devtable/simple:pull"],
+            [{"type": "repository", "name": "devtable/simple", "actions": ["pull"]}],
+            True,
+        ),
+        # Basic push.
+        (
+            "devtable",
+            "password",
+            ["repository:devtable/simple:push"],
+            [{"type": "repository", "name": "devtable/simple", "actions": ["push"]}],
+            True,
+        ),
+        # Basic push/pull.
+        (
+            "devtable",
+            "password",
+            ["repository:devtable/simple:push,pull"],
+            [
+                {
+                    "type": "repository",
+                    "name": "devtable/simple",
+                    "actions": ["push", "pull"],
+                }
+            ],
+            True,
+        ),
+        # Admin.
+        (
+            "devtable",
+            "password",
+            ["repository:devtable/simple:push,pull,*"],
+            [
+                {
+                    "type": "repository",
+                    "name": "devtable/simple",
+                    "actions": ["push", "pull", "*"],
+                }
+            ],
+            True,
+        ),
+        # Basic pull with endpoint.
+        (
+            "devtable",
+            "password",
+            ["repository:localhost:5000/devtable/simple:pull"],
+            [
+                {
+                    "type": "repository",
+                    "name": "localhost:5000/devtable/simple",
+                    "actions": ["pull"],
+                }
+            ],
+            True,
+        ),
+        # Basic pull with invalid endpoint.
+        (
+            "devtable",
+            "password",
+            ["repository:someinvalid/devtable/simple:pull"],
+            [],
+            False,
+        ),
+        # Pull with no access.
+        (
+            "public",
+            "password",
+            ["repository:devtable/simple:pull"],
+            [{"type": "repository", "name": "devtable/simple", "actions": []}],
+            True,
+        ),
+        # Anonymous push and pull on a private repository.
+        (
+            "",
+            "",
+            ["repository:devtable/simple:pull,push"],
+            [{"type": "repository", "name": "devtable/simple", "actions": []}],
+            True,
+        ),
+        # Pull and push with no push access.
+        (
+            "reader",
+            "password",
+            ["repository:buynlarge/orgrepo:pull,push"],
+            [{"type": "repository", "name": "buynlarge/orgrepo", "actions": ["pull"]}],
+            True,
+        ),
+        # OAuth.
+        (
+            "$oauthtoken",
+            "%s%s" % ("b" * 40, "c" * 40),
+            ["repository:public/publicrepo:pull,push"],
+            [{"type": "repository", "name": "public/publicrepo", "actions": ["pull"]}],
+            True,
+        ),
+        # Anonymous public repo.
+        (
+            "",
+            "",
+            ["repository:public/publicrepo:pull,push"],
+            [{"type": "repository", "name": "public/publicrepo", "actions": ["pull"]}],
+            True,
+        ),
+        # Multiple scopes.
+        (
+            "devtable",
+            "password",
+            [
+                "repository:devtable/simple:push,pull,*",
+                "repository:buynlarge/orgrepo:pull",
+            ],
+            [
+                {
+                    "type": "repository",
+                    "name": "devtable/simple",
+                    "actions": ["push", "pull", "*"],
+                },
+                {
+                    "type": "repository",
+                    "name": "buynlarge/orgrepo",
+                    "actions": ["pull"],
+                },
+            ],
+            True,
+        ),
+        # Multiple scopes.
+        (
+            "devtable",
+            "password",
+            [
+                "repository:devtable/simple:push,pull,*",
+                "repository:public/publicrepo:push,pull",
+            ],
+            [
+                {
+                    "type": "repository",
+                    "name": "devtable/simple",
+                    "actions": ["push", "pull", "*"],
+                },
+                {
+                    "type": "repository",
+                    "name": "public/publicrepo",
+                    "actions": ["pull"],
+                },
+            ],
+            True,
+        ),
+        # Read-Only only allows Pulls
+        (
+            "devtable",
+            "password",
+            ["repository:devtable/readonly:pull,push,*"],
+            [{"type": "repository", "name": "devtable/readonly", "actions": ["pull"]}],
+            True,
+        ),
+        # Mirror only allows Pulls
+        (
+            "devtable",
+            "password",
+            ["repository:devtable/mirrored:pull,push,*"],
+            [{"type": "repository", "name": "devtable/mirrored", "actions": ["pull"]}],
+            True,
+        ),
+        # Mirror State as specified Robot --> Allow Pushes
+        (
+            "devtable+dtrobot",
+            get_robot_password,
+            ["repository:devtable/mirrored:push,pull,*"],
+            [
+                {
+                    "type": "repository",
+                    "name": "devtable/mirrored",
+                    "actions": ["push", "pull"],
+                }
+            ],
+            True,
+        ),
+        # Mirror State as a Robot w/ write permissions but not the assigned Robot -> No pushes
+        (
+            "devtable+dtrobot2",
+            get_robot_password,
+            ["repository:devtable/mirrored:push,pull,*"],
+            [{"type": "repository", "name": "devtable/mirrored", "actions": ["pull"]}],
+            True,
+        ),
+        # TODO: Add: mirror state with no robot but the robot has write permissions -> no pushes
+    ],
+)
+def test_login_scopes(
+    username,
+    password,
+    scopes,
+    expected_access,
+    expect_success,
+    v2_protocol,
+    liveserver_session,
+    api_caller,
+    app_reloader,
+):
+    """ Test: Login via the V2 auth protocol reacts correctly to requested scopes. """
+    if not isinstance(password, str):
+        robot_namespace, robot_username = username.split("+")
+        password = password(
+            api_caller, namespace=robot_namespace, username=robot_username
+        )
 
-  # Basic pull.
-  ('devtable', 'password', ['repository:devtable/simple:pull'], [
-    {'type': 'repository', 'name': 'devtable/simple', 'actions': ['pull']},
-  ], True),
+    response = v2_protocol.login(
+        liveserver_session, username, password, scopes, expect_success
+    )
+    if not expect_success:
+        return
 
-  # Basic push.
-  ('devtable', 'password', ['repository:devtable/simple:push'], [
-    {'type': 'repository', 'name': 'devtable/simple', 'actions': ['push']},
-  ], True),
-
-  # Basic push/pull.
-  ('devtable', 'password', ['repository:devtable/simple:push,pull'], [
-    {'type': 'repository', 'name': 'devtable/simple', 'actions': ['push', 'pull']},
-  ], True),
-
-  # Admin.
-  ('devtable', 'password', ['repository:devtable/simple:push,pull,*'], [
-    {'type': 'repository', 'name': 'devtable/simple', 'actions': ['push', 'pull', '*']},
-  ], True),
-
-  # Basic pull with endpoint.
-  ('devtable', 'password', ['repository:localhost:5000/devtable/simple:pull'], [
-    {'type': 'repository', 'name': 'localhost:5000/devtable/simple', 'actions': ['pull']},
-  ], True),
-
-  # Basic pull with invalid endpoint.
-  ('devtable', 'password', ['repository:someinvalid/devtable/simple:pull'], [], False),
-
-  # Pull with no access.
-  ('public', 'password', ['repository:devtable/simple:pull'], [
-    {'type': 'repository', 'name': 'devtable/simple', 'actions': []},
-  ], True),
-
-  # Anonymous push and pull on a private repository.
-  ('', '', ['repository:devtable/simple:pull,push'], [
-    {'type': 'repository', 'name': 'devtable/simple', 'actions': []},
-  ], True),
-
-  # Pull and push with no push access.
-  ('reader', 'password', ['repository:buynlarge/orgrepo:pull,push'], [
-    {'type': 'repository', 'name': 'buynlarge/orgrepo', 'actions': ['pull']},
-  ], True),
-
-  # OAuth.
-  ('$oauthtoken', '%s%s' % ('b' * 40, 'c' * 40),
-    ['repository:public/publicrepo:pull,push'], [
-    {'type': 'repository', 'name': 'public/publicrepo', 'actions': ['pull']},
-  ], True),
-
-  # Anonymous public repo.
-  ('', '', ['repository:public/publicrepo:pull,push'], [
-    {'type': 'repository', 'name': 'public/publicrepo', 'actions': ['pull']},
-  ], True),
-
-  # Multiple scopes.
-  ('devtable', 'password',
-   ['repository:devtable/simple:push,pull,*', 'repository:buynlarge/orgrepo:pull'], [
-     {'type': 'repository', 'name': 'devtable/simple', 'actions': ['push', 'pull', '*']},
-     {'type': 'repository', 'name': 'buynlarge/orgrepo', 'actions': ['pull']},
-   ], True),
-
-  # Multiple scopes.
-  ('devtable', 'password',
-   ['repository:devtable/simple:push,pull,*', 'repository:public/publicrepo:push,pull'], [
-     {'type': 'repository', 'name': 'devtable/simple', 'actions': ['push', 'pull', '*']},
-     {'type': 'repository', 'name': 'public/publicrepo', 'actions': ['pull']},
-   ], True),
-
-  # Read-Only only allows Pulls
-  ('devtable', 'password', ['repository:devtable/readonly:pull,push,*'], [
-    {'type': 'repository', 'name': 'devtable/readonly', 'actions': ['pull']},
-  ], True),
-
-  # Mirror only allows Pulls
-  ('devtable', 'password', ['repository:devtable/mirrored:pull,push,*'], [
-    {'type': 'repository', 'name': 'devtable/mirrored', 'actions': ['pull']},
-  ], True),
-
-  # Mirror State as specified Robot --> Allow Pushes
-  ('devtable+dtrobot', get_robot_password, ['repository:devtable/mirrored:push,pull,*'], [
-    {'type': 'repository', 'name': 'devtable/mirrored', 'actions': ['push', 'pull']},
-  ], True),
-
-  # Mirror State as a Robot w/ write permissions but not the assigned Robot -> No pushes
-  ('devtable+dtrobot2', get_robot_password, ['repository:devtable/mirrored:push,pull,*'], [
-    {'type': 'repository', 'name': 'devtable/mirrored', 'actions': ['pull']},
-  ], True),
-
-  # TODO: Add: mirror state with no robot but the robot has write permissions -> no pushes
-
-])
-def test_login_scopes(username, password, scopes, expected_access, expect_success, v2_protocol,
-                      liveserver_session, api_caller, app_reloader):
-  """ Test: Login via the V2 auth protocol reacts correctly to requested scopes. """
-  if not isinstance(password, str):
-    robot_namespace, robot_username = username.split('+')
-    password = password(api_caller, namespace=robot_namespace, username=robot_username)
-
-  response = v2_protocol.login(liveserver_session, username, password, scopes, expect_success)
-  if not expect_success:
-    return
-
-  # Validate the returned token.
-  encoded = response.json()['token']
-  payload = decode_bearer_header('Bearer ' + encoded, instance_keys,
-                                 {'SERVER_HOSTNAME': 'localhost:5000'})
-  assert payload is not None
-  assert payload['access'] == expected_access
+    # Validate the returned token.
+    encoded = response.json()["token"]
+    payload = decode_bearer_header(
+        "Bearer " + encoded, instance_keys, {"SERVER_HOSTNAME": "localhost:5000"}
+    )
+    assert payload is not None
+    assert payload["access"] == expected_access
 
 
 def test_push_pull_same_blobs(pusher, puller, liveserver_session, app_reloader):
-  """ Test: Push and pull of an image to a new repository where a blob is shared between layers. """
-  credentials = ('devtable', 'password')
+    """ Test: Push and pull of an image to a new repository where a blob is shared between layers. """
+    credentials = ("devtable", "password")
 
-  layer_bytes = layer_bytes_for_contents('some contents')
-  images = [
-    Image(id='parentid', bytes=layer_bytes, parent_id=None),
-    Image(id='someid', bytes=layer_bytes, parent_id='parentid'),
-  ]
+    layer_bytes = layer_bytes_for_contents("some contents")
+    images = [
+        Image(id="parentid", bytes=layer_bytes, parent_id=None),
+        Image(id="someid", bytes=layer_bytes, parent_id="parentid"),
+    ]
 
-  options = ProtocolOptions()
-  options.skip_head_checks = True # Since the blob will already exist.
+    options = ProtocolOptions()
+    options.skip_head_checks = True  # Since the blob will already exist.
 
-  # Push a new repository.
-  pusher.push(liveserver_session, 'devtable', 'newrepo', 'latest', images,
-              credentials=credentials, options=options)
+    # Push a new repository.
+    pusher.push(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        images,
+        credentials=credentials,
+        options=options,
+    )
 
-  # Pull the repository to verify.
-  puller.pull(liveserver_session, 'devtable', 'newrepo', 'latest', images,
-              credentials=credentials, options=options)
+    # Pull the repository to verify.
+    puller.pull(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        images,
+        credentials=credentials,
+        options=options,
+    )
 
 
-def test_push_tag_existing_image(v1_protocol, puller, basic_images, liveserver_session, app_reloader):
-  """ Test: Push a new tag on an existing manifest/image. """
-  credentials = ('devtable', 'password')
+def test_push_tag_existing_image(
+    v1_protocol, puller, basic_images, liveserver_session, app_reloader
+):
+    """ Test: Push a new tag on an existing manifest/image. """
+    credentials = ("devtable", "password")
 
-  # Push a new repository.
-  v1_protocol.push(liveserver_session, 'devtable', 'newrepo', 'latest', basic_images,
-                   credentials=credentials)
+    # Push a new repository.
+    v1_protocol.push(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        basic_images,
+        credentials=credentials,
+    )
 
-  # Push the same image/manifest to another tag in the repository.
-  v1_protocol.tag(liveserver_session, 'devtable', 'newrepo', 'anothertag', basic_images[-1],
-                  credentials=credentials)
+    # Push the same image/manifest to another tag in the repository.
+    v1_protocol.tag(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "anothertag",
+        basic_images[-1],
+        credentials=credentials,
+    )
 
-  # Pull the repository to verify.
-  puller.pull(liveserver_session, 'devtable', 'newrepo', 'anothertag', basic_images,
-              credentials=credentials)
+    # Pull the repository to verify.
+    puller.pull(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "anothertag",
+        basic_images,
+        credentials=credentials,
+    )
 
 
-@pytest.mark.parametrize('schema_version', [
-  1,
-  2,
-])
-@pytest.mark.parametrize('is_amd', [
-  True,
-  False
-])
-def test_push_pull_manifest_list_back_compat(v22_protocol, legacy_puller, basic_images,
-                                             different_images, liveserver_session, app_reloader,
-                                             schema_version, data_model, is_amd):
-  """ Test: Push a new tag with a manifest list containing two manifests, one (possibly) legacy
+@pytest.mark.parametrize("schema_version", [1, 2])
+@pytest.mark.parametrize("is_amd", [True, False])
+def test_push_pull_manifest_list_back_compat(
+    v22_protocol,
+    legacy_puller,
+    basic_images,
+    different_images,
+    liveserver_session,
+    app_reloader,
+    schema_version,
+    data_model,
+    is_amd,
+):
+    """ Test: Push a new tag with a manifest list containing two manifests, one (possibly) legacy
       and one not, and, if there is a legacy manifest, ensure it can be pulled.
   """
-  if data_model != 'oci_model':
-    return
+    if data_model != "oci_model":
+        return
 
-  credentials = ('devtable', 'password')
-  options = ProtocolOptions()
+    credentials = ("devtable", "password")
+    options = ProtocolOptions()
 
-  # Build the manifests that will go in the list.
-  blobs = {}
+    # Build the manifests that will go in the list.
+    blobs = {}
 
-  signed = v22_protocol.build_schema1('devtable', 'newrepo', 'latest', basic_images, blobs, options,
-                                      arch='amd64' if is_amd else 'something')
-  first_manifest = signed.unsigned()
-  if schema_version == 2:
-    first_manifest = v22_protocol.build_schema2(basic_images, blobs, options)
+    signed = v22_protocol.build_schema1(
+        "devtable",
+        "newrepo",
+        "latest",
+        basic_images,
+        blobs,
+        options,
+        arch="amd64" if is_amd else "something",
+    )
+    first_manifest = signed.unsigned()
+    if schema_version == 2:
+        first_manifest = v22_protocol.build_schema2(basic_images, blobs, options)
 
-  second_manifest = v22_protocol.build_schema2(different_images, blobs, options)
+    second_manifest = v22_protocol.build_schema2(different_images, blobs, options)
 
-  # Create and push the manifest list.
-  builder = DockerSchema2ManifestListBuilder()
-  builder.add_manifest(first_manifest, 'amd64' if is_amd else 'something', 'linux')
-  builder.add_manifest(second_manifest, 'arm', 'linux')
-  manifestlist = builder.build()
+    # Create and push the manifest list.
+    builder = DockerSchema2ManifestListBuilder()
+    builder.add_manifest(first_manifest, "amd64" if is_amd else "something", "linux")
+    builder.add_manifest(second_manifest, "arm", "linux")
+    manifestlist = builder.build()
 
-  v22_protocol.push_list(liveserver_session, 'devtable', 'newrepo', 'latest', manifestlist,
-                         [first_manifest, second_manifest], blobs,
-                         credentials=credentials, options=options)
+    v22_protocol.push_list(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        manifestlist,
+        [first_manifest, second_manifest],
+        blobs,
+        credentials=credentials,
+        options=options,
+    )
 
-  # Pull the tag and ensure we (don't) get back the basic images, since they are(n't) part of the
-  # amd64+linux manifest.
-  legacy_puller.pull(liveserver_session, 'devtable', 'newrepo', 'latest', basic_images,
-                     credentials=credentials,
-                     expected_failure=Failures.UNKNOWN_TAG if not is_amd else None)
+    # Pull the tag and ensure we (don't) get back the basic images, since they are(n't) part of the
+    # amd64+linux manifest.
+    legacy_puller.pull(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        basic_images,
+        credentials=credentials,
+        expected_failure=Failures.UNKNOWN_TAG if not is_amd else None,
+    )
 
 
-@pytest.mark.parametrize('schema_version', [
-  1,
-  2,
-])
-def test_push_pull_manifest_list(v22_protocol, basic_images, different_images, liveserver_session,
-                                 app_reloader, schema_version, data_model):
-  """ Test: Push a new tag with a manifest list containing two manifests, one (possibly) legacy
+@pytest.mark.parametrize("schema_version", [1, 2])
+def test_push_pull_manifest_list(
+    v22_protocol,
+    basic_images,
+    different_images,
+    liveserver_session,
+    app_reloader,
+    schema_version,
+    data_model,
+):
+    """ Test: Push a new tag with a manifest list containing two manifests, one (possibly) legacy
       and one not, and pull it.
   """
-  if data_model != 'oci_model':
-    return
+    if data_model != "oci_model":
+        return
 
-  credentials = ('devtable', 'password')
-  options = ProtocolOptions()
+    credentials = ("devtable", "password")
+    options = ProtocolOptions()
 
-  # Build the manifests that will go in the list.
-  blobs = {}
+    # Build the manifests that will go in the list.
+    blobs = {}
 
-  signed = v22_protocol.build_schema1('devtable', 'newrepo', 'latest', basic_images, blobs, options)
-  first_manifest = signed.unsigned()
-  if schema_version == 2:
-    first_manifest = v22_protocol.build_schema2(basic_images, blobs, options)
+    signed = v22_protocol.build_schema1(
+        "devtable", "newrepo", "latest", basic_images, blobs, options
+    )
+    first_manifest = signed.unsigned()
+    if schema_version == 2:
+        first_manifest = v22_protocol.build_schema2(basic_images, blobs, options)
 
-  second_manifest = v22_protocol.build_schema2(different_images, blobs, options)
+    second_manifest = v22_protocol.build_schema2(different_images, blobs, options)
 
-  # Create and push the manifest list.
-  builder = DockerSchema2ManifestListBuilder()
-  builder.add_manifest(first_manifest, 'amd64', 'linux')
-  builder.add_manifest(second_manifest, 'arm', 'linux')
-  manifestlist = builder.build()
+    # Create and push the manifest list.
+    builder = DockerSchema2ManifestListBuilder()
+    builder.add_manifest(first_manifest, "amd64", "linux")
+    builder.add_manifest(second_manifest, "arm", "linux")
+    manifestlist = builder.build()
 
-  v22_protocol.push_list(liveserver_session, 'devtable', 'newrepo', 'latest', manifestlist,
-                         [first_manifest, second_manifest], blobs,
-                         credentials=credentials, options=options)
+    v22_protocol.push_list(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        manifestlist,
+        [first_manifest, second_manifest],
+        blobs,
+        credentials=credentials,
+        options=options,
+    )
 
-  # Pull and verify the manifest list.
-  v22_protocol.pull_list(liveserver_session, 'devtable', 'newrepo', 'latest', manifestlist,
-                         credentials=credentials, options=options)
+    # Pull and verify the manifest list.
+    v22_protocol.pull_list(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        manifestlist,
+        credentials=credentials,
+        options=options,
+    )
 
 
-def test_push_pull_manifest_remote_layers(v22_protocol, legacy_puller, liveserver_session,
-                                          app_reloader, remote_images, data_model):
-  """ Test: Push a new tag with a manifest which contains at least one remote layer, and then
+def test_push_pull_manifest_remote_layers(
+    v22_protocol,
+    legacy_puller,
+    liveserver_session,
+    app_reloader,
+    remote_images,
+    data_model,
+):
+    """ Test: Push a new tag with a manifest which contains at least one remote layer, and then
       pull that manifest back.
   """
-  if data_model != 'oci_model':
-    return
+    if data_model != "oci_model":
+        return
 
-  credentials = ('devtable', 'password')
+    credentials = ("devtable", "password")
 
-  # Push a new repository.
-  v22_protocol.push(liveserver_session, 'devtable', 'newrepo', 'latest', remote_images,
-                    credentials=credentials)
+    # Push a new repository.
+    v22_protocol.push(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        remote_images,
+        credentials=credentials,
+    )
 
-  # Pull the repository to verify.
-  v22_protocol.pull(liveserver_session, 'devtable', 'newrepo', 'latest', remote_images,
-                    credentials=credentials)
+    # Pull the repository to verify.
+    v22_protocol.pull(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        remote_images,
+        credentials=credentials,
+    )
 
-  # Ensure that the image cannot be pulled by a legacy protocol.
-  legacy_puller.pull(liveserver_session, 'devtable', 'newrepo', 'latest', remote_images,
-                     credentials=credentials, expected_failure=Failures.UNKNOWN_TAG)
+    # Ensure that the image cannot be pulled by a legacy protocol.
+    legacy_puller.pull(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        remote_images,
+        credentials=credentials,
+        expected_failure=Failures.UNKNOWN_TAG,
+    )
 
 
-def test_push_manifest_list_missing_manifest(v22_protocol, basic_images, liveserver_session,
-                                             app_reloader, data_model):
-  """ Test: Attempt to push a new tag with a manifest list containing an invalid manifest.
+def test_push_manifest_list_missing_manifest(
+    v22_protocol, basic_images, liveserver_session, app_reloader, data_model
+):
+    """ Test: Attempt to push a new tag with a manifest list containing an invalid manifest.
   """
-  if data_model != 'oci_model':
-    return
+    if data_model != "oci_model":
+        return
 
-  credentials = ('devtable', 'password')
-  options = ProtocolOptions()
+    credentials = ("devtable", "password")
+    options = ProtocolOptions()
 
-  # Build the manifests that will go in the list.
-  blobs = {}
-  manifest = v22_protocol.build_schema2(basic_images, blobs, options)
+    # Build the manifests that will go in the list.
+    blobs = {}
+    manifest = v22_protocol.build_schema2(basic_images, blobs, options)
 
-  # Create and push the manifest list, but without the manifest itself.
-  builder = DockerSchema2ManifestListBuilder()
-  builder.add_manifest(manifest, 'amd64', 'linux')
-  manifestlist = builder.build()
+    # Create and push the manifest list, but without the manifest itself.
+    builder = DockerSchema2ManifestListBuilder()
+    builder.add_manifest(manifest, "amd64", "linux")
+    manifestlist = builder.build()
 
-  v22_protocol.push_list(liveserver_session, 'devtable', 'newrepo', 'latest', manifestlist,
-                         [], blobs,
-                         credentials=credentials, options=options,
-                         expected_failure=Failures.INVALID_MANIFEST)
+    v22_protocol.push_list(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        manifestlist,
+        [],
+        blobs,
+        credentials=credentials,
+        options=options,
+        expected_failure=Failures.INVALID_MANIFEST,
+    )
 
 
-def test_push_pull_manifest_list_again(v22_protocol, basic_images, different_images,
-                                       liveserver_session, app_reloader, data_model):
-  """ Test: Push a new tag with a manifest list containing two manifests, push it again, and pull
+def test_push_pull_manifest_list_again(
+    v22_protocol,
+    basic_images,
+    different_images,
+    liveserver_session,
+    app_reloader,
+    data_model,
+):
+    """ Test: Push a new tag with a manifest list containing two manifests, push it again, and pull
       it.
   """
-  if data_model != 'oci_model':
-    return
+    if data_model != "oci_model":
+        return
 
-  credentials = ('devtable', 'password')
-  options = ProtocolOptions()
+    credentials = ("devtable", "password")
+    options = ProtocolOptions()
 
-  # Build the manifests that will go in the list.
-  blobs = {}
+    # Build the manifests that will go in the list.
+    blobs = {}
 
-  first_manifest = v22_protocol.build_schema2(basic_images, blobs, options)
-  second_manifest = v22_protocol.build_schema2(different_images, blobs, options)
+    first_manifest = v22_protocol.build_schema2(basic_images, blobs, options)
+    second_manifest = v22_protocol.build_schema2(different_images, blobs, options)
 
-  # Create and push the manifest list.
-  builder = DockerSchema2ManifestListBuilder()
-  builder.add_manifest(first_manifest, 'amd64', 'linux')
-  builder.add_manifest(second_manifest, 'arm', 'linux')
-  manifestlist = builder.build()
+    # Create and push the manifest list.
+    builder = DockerSchema2ManifestListBuilder()
+    builder.add_manifest(first_manifest, "amd64", "linux")
+    builder.add_manifest(second_manifest, "arm", "linux")
+    manifestlist = builder.build()
 
-  v22_protocol.push_list(liveserver_session, 'devtable', 'newrepo', 'latest', manifestlist,
-                         [first_manifest, second_manifest], blobs,
-                         credentials=credentials, options=options)
+    v22_protocol.push_list(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        manifestlist,
+        [first_manifest, second_manifest],
+        blobs,
+        credentials=credentials,
+        options=options,
+    )
 
-  # Push the manifest list again. This should more or less no-op.
-  options.skip_head_checks = True
-  v22_protocol.push_list(liveserver_session, 'devtable', 'newrepo', 'latest', manifestlist,
-                         [first_manifest, second_manifest], blobs,
-                         credentials=credentials, options=options)
+    # Push the manifest list again. This should more or less no-op.
+    options.skip_head_checks = True
+    v22_protocol.push_list(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        manifestlist,
+        [first_manifest, second_manifest],
+        blobs,
+        credentials=credentials,
+        options=options,
+    )
 
-  # Pull and verify the manifest list.
-  v22_protocol.pull_list(liveserver_session, 'devtable', 'newrepo', 'latest', manifestlist,
-                         credentials=credentials, options=options)
+    # Pull and verify the manifest list.
+    v22_protocol.pull_list(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        manifestlist,
+        credentials=credentials,
+        options=options,
+    )
 
 
-def test_push_pull_manifest_list_duplicate_manifest(v22_protocol, basic_images, liveserver_session,
-                                                    app_reloader, data_model):
-  """ Test: Push a manifest list that contains the same child manifest twice.
+def test_push_pull_manifest_list_duplicate_manifest(
+    v22_protocol, basic_images, liveserver_session, app_reloader, data_model
+):
+    """ Test: Push a manifest list that contains the same child manifest twice.
   """
-  if data_model != 'oci_model':
-    return
+    if data_model != "oci_model":
+        return
 
-  credentials = ('devtable', 'password')
-  options = ProtocolOptions()
+    credentials = ("devtable", "password")
+    options = ProtocolOptions()
 
-  # Build the manifest that will go in the list.
-  blobs = {}
-  manifest = v22_protocol.build_schema2(basic_images, blobs, options)
+    # Build the manifest that will go in the list.
+    blobs = {}
+    manifest = v22_protocol.build_schema2(basic_images, blobs, options)
 
-  # Create and push the manifest list.
-  builder = DockerSchema2ManifestListBuilder()
-  builder.add_manifest(manifest, 'amd64', 'linux')
-  builder.add_manifest(manifest, 'amd32', 'linux')
-  manifestlist = builder.build()
+    # Create and push the manifest list.
+    builder = DockerSchema2ManifestListBuilder()
+    builder.add_manifest(manifest, "amd64", "linux")
+    builder.add_manifest(manifest, "amd32", "linux")
+    manifestlist = builder.build()
 
-  v22_protocol.push_list(liveserver_session, 'devtable', 'newrepo', 'latest', manifestlist,
-                         [manifest], blobs,
-                         credentials=credentials, options=options)
+    v22_protocol.push_list(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        manifestlist,
+        [manifest],
+        blobs,
+        credentials=credentials,
+        options=options,
+    )
 
-  # Pull and verify the manifest list.
-  v22_protocol.pull_list(liveserver_session, 'devtable', 'newrepo', 'latest', manifestlist,
-                         credentials=credentials, options=options)
+    # Pull and verify the manifest list.
+    v22_protocol.pull_list(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        manifestlist,
+        credentials=credentials,
+        options=options,
+    )
 
 
-def test_squashed_images_empty_layer(pusher, images_with_empty_layer, liveserver_session,
-                                     liveserver, registry_server_executor, app_reloader):
-  """ Test: Pulling of squashed images for a manifest with empty layers. """
-  credentials = ('devtable', 'password')
+def test_squashed_images_empty_layer(
+    pusher,
+    images_with_empty_layer,
+    liveserver_session,
+    liveserver,
+    registry_server_executor,
+    app_reloader,
+):
+    """ Test: Pulling of squashed images for a manifest with empty layers. """
+    credentials = ("devtable", "password")
 
-  # Push an image to download.
-  pusher.push(liveserver_session, 'devtable', 'newrepo', 'latest', images_with_empty_layer,
-              credentials=credentials)
+    # Push an image to download.
+    pusher.push(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        images_with_empty_layer,
+        credentials=credentials,
+    )
 
-  # Pull the squashed version.
-  response = liveserver_session.get('/c1/squash/devtable/newrepo/latest', auth=credentials)
-  assert response.status_code == 200
+    # Pull the squashed version.
+    response = liveserver_session.get(
+        "/c1/squash/devtable/newrepo/latest", auth=credentials
+    )
+    assert response.status_code == 200
 
-  tar = tarfile.open(fileobj=StringIO(response.content))
+    tar = tarfile.open(fileobj=StringIO(response.content))
 
-  # Verify the squashed image.
-  expected_image_id = '9d35b270436387f821e08de0dfdd501efd70de893ec2c2c7cb01ef19008bee7a'
-  expected_names = ['repositories',
-                    expected_image_id,
-                    '%s/json' % expected_image_id,
-                    '%s/VERSION' % expected_image_id,
-                    '%s/layer.tar' % expected_image_id]
+    # Verify the squashed image.
+    expected_image_id = (
+        "9d35b270436387f821e08de0dfdd501efd70de893ec2c2c7cb01ef19008bee7a"
+    )
+    expected_names = [
+        "repositories",
+        expected_image_id,
+        "%s/json" % expected_image_id,
+        "%s/VERSION" % expected_image_id,
+        "%s/layer.tar" % expected_image_id,
+    ]
 
-  assert tar.getnames() == expected_names
+    assert tar.getnames() == expected_names
 
 
-def test_squashed_image_unsupported(v22_protocol, basic_images, liveserver_session, liveserver,
-                                    app_reloader, data_model):
-  """ Test: Attempting to pull a squashed image for a manifest list without an amd64+linux entry.
+def test_squashed_image_unsupported(
+    v22_protocol, basic_images, liveserver_session, liveserver, app_reloader, data_model
+):
+    """ Test: Attempting to pull a squashed image for a manifest list without an amd64+linux entry.
   """
-  credentials = ('devtable', 'password')
-  if data_model != 'oci_model':
-    return
+    credentials = ("devtable", "password")
+    if data_model != "oci_model":
+        return
 
-  credentials = ('devtable', 'password')
-  options = ProtocolOptions()
+    credentials = ("devtable", "password")
+    options = ProtocolOptions()
 
-  # Build the manifest that will go in the list.
-  blobs = {}
-  manifest = v22_protocol.build_schema2(basic_images, blobs, options)
+    # Build the manifest that will go in the list.
+    blobs = {}
+    manifest = v22_protocol.build_schema2(basic_images, blobs, options)
 
-  # Create and push the manifest list.
-  builder = DockerSchema2ManifestListBuilder()
-  builder.add_manifest(manifest, 'foobar', 'someos')
-  manifestlist = builder.build()
+    # Create and push the manifest list.
+    builder = DockerSchema2ManifestListBuilder()
+    builder.add_manifest(manifest, "foobar", "someos")
+    manifestlist = builder.build()
 
-  v22_protocol.push_list(liveserver_session, 'devtable', 'newrepo', 'latest', manifestlist,
-                         [manifest], blobs,
-                         credentials=credentials, options=options)
+    v22_protocol.push_list(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        manifestlist,
+        [manifest],
+        blobs,
+        credentials=credentials,
+        options=options,
+    )
 
-  # Attempt to pull the squashed version.
-  response = liveserver_session.get('/c1/squash/devtable/newrepo/latest', auth=credentials)
-  assert response.status_code == 404
+    # Attempt to pull the squashed version.
+    response = liveserver_session.get(
+        "/c1/squash/devtable/newrepo/latest", auth=credentials
+    )
+    assert response.status_code == 404
 
 
-def test_squashed_image_manifest_list(v22_protocol, basic_images, liveserver_session, liveserver,
-                                      app_reloader, data_model):
-  """ Test: Pull a squashed image for a manifest list with an amd64+linux entry.
+def test_squashed_image_manifest_list(
+    v22_protocol, basic_images, liveserver_session, liveserver, app_reloader, data_model
+):
+    """ Test: Pull a squashed image for a manifest list with an amd64+linux entry.
   """
-  credentials = ('devtable', 'password')
-  if data_model != 'oci_model':
-    return
+    credentials = ("devtable", "password")
+    if data_model != "oci_model":
+        return
 
-  credentials = ('devtable', 'password')
-  options = ProtocolOptions()
+    credentials = ("devtable", "password")
+    options = ProtocolOptions()
 
-  # Build the manifest that will go in the list.
-  blobs = {}
-  manifest = v22_protocol.build_schema2(basic_images, blobs, options)
+    # Build the manifest that will go in the list.
+    blobs = {}
+    manifest = v22_protocol.build_schema2(basic_images, blobs, options)
 
-  # Create and push the manifest list.
-  builder = DockerSchema2ManifestListBuilder()
-  builder.add_manifest(manifest, 'amd64', 'linux')
-  manifestlist = builder.build()
+    # Create and push the manifest list.
+    builder = DockerSchema2ManifestListBuilder()
+    builder.add_manifest(manifest, "amd64", "linux")
+    manifestlist = builder.build()
 
-  v22_protocol.push_list(liveserver_session, 'devtable', 'newrepo', 'latest', manifestlist,
-                         [manifest], blobs,
-                         credentials=credentials, options=options)
+    v22_protocol.push_list(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        manifestlist,
+        [manifest],
+        blobs,
+        credentials=credentials,
+        options=options,
+    )
 
-  # Pull the squashed version.
-  response = liveserver_session.get('/c1/squash/devtable/newrepo/latest', auth=credentials)
-  assert response.status_code == 200
+    # Pull the squashed version.
+    response = liveserver_session.get(
+        "/c1/squash/devtable/newrepo/latest", auth=credentials
+    )
+    assert response.status_code == 200
 
-  # Verify the squashed image.
-  tar = tarfile.open(fileobj=StringIO(response.content))
-  expected_image_id = '9d35b270436387f821e08de0dfdd501efd70de893ec2c2c7cb01ef19008bee7a'
-  expected_names = ['repositories',
-                    expected_image_id,
-                    '%s/json' % expected_image_id,
-                    '%s/VERSION' % expected_image_id,
-                    '%s/layer.tar' % expected_image_id]
+    # Verify the squashed image.
+    tar = tarfile.open(fileobj=StringIO(response.content))
+    expected_image_id = (
+        "9d35b270436387f821e08de0dfdd501efd70de893ec2c2c7cb01ef19008bee7a"
+    )
+    expected_names = [
+        "repositories",
+        expected_image_id,
+        "%s/json" % expected_image_id,
+        "%s/VERSION" % expected_image_id,
+        "%s/layer.tar" % expected_image_id,
+    ]
 
-  assert tar.getnames() == expected_names
+    assert tar.getnames() == expected_names
 
 
-def test_verify_schema2(v22_protocol, basic_images, liveserver_session, liveserver,
-                        app_reloader, data_model):
-  """ Test: Ensure that pushing of schema 2 manifests results in a pull of a schema2 manifest. """
-  credentials = ('devtable', 'password')
-  if data_model != 'oci_model':
-    return
+def test_verify_schema2(
+    v22_protocol, basic_images, liveserver_session, liveserver, app_reloader, data_model
+):
+    """ Test: Ensure that pushing of schema 2 manifests results in a pull of a schema2 manifest. """
+    credentials = ("devtable", "password")
+    if data_model != "oci_model":
+        return
 
-  credentials = ('devtable', 'password')
+    credentials = ("devtable", "password")
 
-  # Push a new repository.
-  v22_protocol.push(liveserver_session, 'devtable', 'newrepo', 'latest', basic_images,
-                    credentials=credentials)
+    # Push a new repository.
+    v22_protocol.push(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        basic_images,
+        credentials=credentials,
+    )
 
-  # Pull the repository to verify.
-  result = v22_protocol.pull(liveserver_session, 'devtable', 'newrepo', 'latest', basic_images,
-                             credentials=credentials)
-  manifest = result.manifests['latest']
-  assert manifest.schema_version == 2
+    # Pull the repository to verify.
+    result = v22_protocol.pull(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        basic_images,
+        credentials=credentials,
+    )
+    manifest = result.manifests["latest"]
+    assert manifest.schema_version == 2
 
 
-def test_geo_blocking(pusher, puller, basic_images, liveserver_session,
-                      liveserver, registry_server_executor, app_reloader):
-  """ Test: Attempt to pull an image from a geoblocked IP address. """
-  credentials = ('devtable', 'password')
-  options = ProtocolOptions()
-  options.skip_blob_push_checks = True # Otherwise, cache gets established.
+def test_geo_blocking(
+    pusher,
+    puller,
+    basic_images,
+    liveserver_session,
+    liveserver,
+    registry_server_executor,
+    app_reloader,
+):
+    """ Test: Attempt to pull an image from a geoblocked IP address. """
+    credentials = ("devtable", "password")
+    options = ProtocolOptions()
+    options.skip_blob_push_checks = True  # Otherwise, cache gets established.
 
-  # Push a new repository.
-  pusher.push(liveserver_session, 'devtable', 'newrepo', 'latest', basic_images,
-              credentials=credentials, options=options)
+    # Push a new repository.
+    pusher.push(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        basic_images,
+        credentials=credentials,
+        options=options,
+    )
 
-  registry_server_executor.on(liveserver).set_geo_block_for_namespace('devtable', 'US')
+    registry_server_executor.on(liveserver).set_geo_block_for_namespace(
+        "devtable", "US"
+    )
 
-  # Attempt to pull the repository to verify. This should fail with a 403 due to
-  # the geoblocking of the IP being using.
-  options = ProtocolOptions()
-  options.request_addr = '6.0.0.0'
-  puller.pull(liveserver_session, 'devtable', 'newrepo', 'latest', basic_images,
-              credentials=credentials, options=options,
-              expected_failure=Failures.GEO_BLOCKED)
+    # Attempt to pull the repository to verify. This should fail with a 403 due to
+    # the geoblocking of the IP being using.
+    options = ProtocolOptions()
+    options.request_addr = "6.0.0.0"
+    puller.pull(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        basic_images,
+        credentials=credentials,
+        options=options,
+        expected_failure=Failures.GEO_BLOCKED,
+    )
 
 
-@pytest.mark.parametrize('has_amd64_linux', [
-  False,
-  True,
-])
-def test_pull_manifest_list_schema2_only(v22_protocol, basic_images, different_images,
-                                         liveserver_session, app_reloader, data_model,
-                                         has_amd64_linux):
-  """ Test: Push a new tag with a manifest list containing two manifests, one schema2 (possibly)
+@pytest.mark.parametrize("has_amd64_linux", [False, True])
+def test_pull_manifest_list_schema2_only(
+    v22_protocol,
+    basic_images,
+    different_images,
+    liveserver_session,
+    app_reloader,
+    data_model,
+    has_amd64_linux,
+):
+    """ Test: Push a new tag with a manifest list containing two manifests, one schema2 (possibly)
       amd64 and one not, and pull it when only accepting a schema2 manifest type. Since the manifest
       list content type is not being sent, this should return just the manifest (or none if no
       linux+amd64 is present.)
   """
-  if data_model != 'oci_model':
-    return
+    if data_model != "oci_model":
+        return
 
-  credentials = ('devtable', 'password')
+    credentials = ("devtable", "password")
 
-  # Build the manifests that will go in the list.
-  options = ProtocolOptions()
-  blobs = {}
+    # Build the manifests that will go in the list.
+    options = ProtocolOptions()
+    blobs = {}
 
-  first_manifest = v22_protocol.build_schema2(basic_images, blobs, options)
-  second_manifest = v22_protocol.build_schema2(different_images, blobs, options)
+    first_manifest = v22_protocol.build_schema2(basic_images, blobs, options)
+    second_manifest = v22_protocol.build_schema2(different_images, blobs, options)
 
-  # Create and push the manifest list.
-  builder = DockerSchema2ManifestListBuilder()
-  builder.add_manifest(first_manifest, 'amd64' if has_amd64_linux else 'amd32', 'linux')
-  builder.add_manifest(second_manifest, 'arm', 'linux')
-  manifestlist = builder.build()
+    # Create and push the manifest list.
+    builder = DockerSchema2ManifestListBuilder()
+    builder.add_manifest(
+        first_manifest, "amd64" if has_amd64_linux else "amd32", "linux"
+    )
+    builder.add_manifest(second_manifest, "arm", "linux")
+    manifestlist = builder.build()
 
-  v22_protocol.push_list(liveserver_session, 'devtable', 'newrepo', 'latest', manifestlist,
-                         [first_manifest, second_manifest], blobs,
-                         credentials=credentials)
+    v22_protocol.push_list(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        manifestlist,
+        [first_manifest, second_manifest],
+        blobs,
+        credentials=credentials,
+    )
 
-  # Pull and verify the manifest.
-  options.accept_mimetypes = [DOCKER_SCHEMA2_MANIFEST_CONTENT_TYPE]
-  result = v22_protocol.pull(liveserver_session, 'devtable', 'newrepo', 'latest', basic_images,
-                             credentials=credentials, options=options,
-                             expected_failure=None if has_amd64_linux else Failures.UNKNOWN_TAG)
+    # Pull and verify the manifest.
+    options.accept_mimetypes = [DOCKER_SCHEMA2_MANIFEST_CONTENT_TYPE]
+    result = v22_protocol.pull(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        basic_images,
+        credentials=credentials,
+        options=options,
+        expected_failure=None if has_amd64_linux else Failures.UNKNOWN_TAG,
+    )
 
-  if has_amd64_linux:
-    assert result.manifests['latest'].media_type == DOCKER_SCHEMA2_MANIFEST_CONTENT_TYPE
+    if has_amd64_linux:
+        assert (
+            result.manifests["latest"].media_type
+            == DOCKER_SCHEMA2_MANIFEST_CONTENT_TYPE
+        )
 
 
-def test_push_pull_unicode(pusher, puller, unicode_images, liveserver_session, app_reloader):
-  """ Test: Push an image with unicode inside and then pull it. """
-  credentials = ('devtable', 'password')
+def test_push_pull_unicode(
+    pusher, puller, unicode_images, liveserver_session, app_reloader
+):
+    """ Test: Push an image with unicode inside and then pull it. """
+    credentials = ("devtable", "password")
 
-  # Push a new repository.
-  pusher.push(liveserver_session, 'devtable', 'newrepo', 'latest', unicode_images,
-              credentials=credentials)
+    # Push a new repository.
+    pusher.push(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        unicode_images,
+        credentials=credentials,
+    )
 
-  # Pull the repository to verify.
-  puller.pull(liveserver_session, 'devtable', 'newrepo', 'latest', unicode_images,
-              credentials=credentials)
+    # Pull the repository to verify.
+    puller.pull(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        unicode_images,
+        credentials=credentials,
+    )
 
 
-def test_push_pull_unicode_direct(pusher, puller, unicode_images, liveserver_session, app_reloader):
-  """ Test: Push an image with *unescaped* unicode inside and then pull it. """
-  credentials = ('devtable', 'password')
+def test_push_pull_unicode_direct(
+    pusher, puller, unicode_images, liveserver_session, app_reloader
+):
+    """ Test: Push an image with *unescaped* unicode inside and then pull it. """
+    credentials = ("devtable", "password")
 
-  # Turn off automatic unicode encoding when building the manifests.
-  options = ProtocolOptions()
-  options.ensure_ascii = False
+    # Turn off automatic unicode encoding when building the manifests.
+    options = ProtocolOptions()
+    options.ensure_ascii = False
 
-  # Push a new repository.
-  pusher.push(liveserver_session, 'devtable', 'newrepo', 'latest', unicode_images,
-              credentials=credentials, options=options)
+    # Push a new repository.
+    pusher.push(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        unicode_images,
+        credentials=credentials,
+        options=options,
+    )
 
-  # Pull the repository to verify.
-  puller.pull(liveserver_session, 'devtable', 'newrepo', 'latest', unicode_images,
-              credentials=credentials, options=options)
+    # Pull the repository to verify.
+    puller.pull(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        unicode_images,
+        credentials=credentials,
+        options=options,
+    )
 
 
-def test_push_legacy_pull_not_allowed(v22_protocol, v1_protocol, remote_images, liveserver_session,
-                                      app_reloader, data_model):
-  """ Test: Push a V2 Schema 2 manifest and attempt to pull via V1 when there is no assigned legacy
+def test_push_legacy_pull_not_allowed(
+    v22_protocol,
+    v1_protocol,
+    remote_images,
+    liveserver_session,
+    app_reloader,
+    data_model,
+):
+    """ Test: Push a V2 Schema 2 manifest and attempt to pull via V1 when there is no assigned legacy
       image.
   """
-  if data_model != 'oci_model':
-    return
+    if data_model != "oci_model":
+        return
 
-  credentials = ('devtable', 'password')
+    credentials = ("devtable", "password")
 
-  # Push a new repository.
-  v22_protocol.push(liveserver_session, 'devtable', 'newrepo', 'latest', remote_images,
-                    credentials=credentials)
+    # Push a new repository.
+    v22_protocol.push(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        remote_images,
+        credentials=credentials,
+    )
 
-  # Attempt to pull. Should fail with a 404.
-  v1_protocol.pull(liveserver_session, 'devtable', 'newrepo', 'latest', remote_images,
-                   credentials=credentials, expected_failure=Failures.UNKNOWN_TAG)
+    # Attempt to pull. Should fail with a 404.
+    v1_protocol.pull(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        remote_images,
+        credentials=credentials,
+        expected_failure=Failures.UNKNOWN_TAG,
+    )
 
 
-def test_push_pull_emoji_unicode(pusher, puller, unicode_emoji_images, liveserver_session,
-                                 app_reloader):
-  """ Test: Push an image with unicode inside and then pull it. """
-  credentials = ('devtable', 'password')
+def test_push_pull_emoji_unicode(
+    pusher, puller, unicode_emoji_images, liveserver_session, app_reloader
+):
+    """ Test: Push an image with unicode inside and then pull it. """
+    credentials = ("devtable", "password")
 
-  # Push a new repository.
-  pusher.push(liveserver_session, 'devtable', 'newrepo', 'latest', unicode_emoji_images,
-              credentials=credentials)
+    # Push a new repository.
+    pusher.push(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        unicode_emoji_images,
+        credentials=credentials,
+    )
 
-  # Pull the repository to verify.
-  puller.pull(liveserver_session, 'devtable', 'newrepo', 'latest', unicode_emoji_images,
-              credentials=credentials)
+    # Pull the repository to verify.
+    puller.pull(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        unicode_emoji_images,
+        credentials=credentials,
+    )
 
 
-def test_push_pull_emoji_unicode_direct(pusher, puller, unicode_emoji_images, liveserver_session,
-                                        app_reloader):
-  """ Test: Push an image with *unescaped* unicode inside and then pull it. """
-  credentials = ('devtable', 'password')
+def test_push_pull_emoji_unicode_direct(
+    pusher, puller, unicode_emoji_images, liveserver_session, app_reloader
+):
+    """ Test: Push an image with *unescaped* unicode inside and then pull it. """
+    credentials = ("devtable", "password")
 
-  # Turn off automatic unicode encoding when building the manifests.
-  options = ProtocolOptions()
-  options.ensure_ascii = False
+    # Turn off automatic unicode encoding when building the manifests.
+    options = ProtocolOptions()
+    options.ensure_ascii = False
 
-  # Push a new repository.
-  pusher.push(liveserver_session, 'devtable', 'newrepo', 'latest', unicode_emoji_images,
-              credentials=credentials, options=options)
+    # Push a new repository.
+    pusher.push(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        unicode_emoji_images,
+        credentials=credentials,
+        options=options,
+    )
 
-  # Pull the repository to verify.
-  puller.pull(liveserver_session, 'devtable', 'newrepo', 'latest', unicode_emoji_images,
-              credentials=credentials, options=options)
+    # Pull the repository to verify.
+    puller.pull(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        unicode_emoji_images,
+        credentials=credentials,
+        options=options,
+    )
 
 
-@pytest.mark.parametrize('accepted_mimetypes', [
-  [],
-  ['application/json'],
-])
-def test_push_pull_older_mimetype(pusher, puller, basic_images, liveserver_session, app_reloader,
-                                  accepted_mimetypes):
-  """ Test: Push and pull an image, but override the accepted mimetypes to that sent by older
+@pytest.mark.parametrize("accepted_mimetypes", [[], ["application/json"]])
+def test_push_pull_older_mimetype(
+    pusher, puller, basic_images, liveserver_session, app_reloader, accepted_mimetypes
+):
+    """ Test: Push and pull an image, but override the accepted mimetypes to that sent by older
             Docker clients.
   """
-  credentials = ('devtable', 'password')
+    credentials = ("devtable", "password")
 
-  # Push a new repository.
-  pusher.push(liveserver_session, 'devtable', 'newrepo', 'latest', basic_images,
-              credentials=credentials)
+    # Push a new repository.
+    pusher.push(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        basic_images,
+        credentials=credentials,
+    )
 
-  # Turn off automatic unicode encoding when building the manifests.
-  options = ProtocolOptions()
-  options.accept_mimetypes = accepted_mimetypes
+    # Turn off automatic unicode encoding when building the manifests.
+    options = ProtocolOptions()
+    options.accept_mimetypes = accepted_mimetypes
 
-  # Pull the repository to verify.
-  puller.pull(liveserver_session, 'devtable', 'newrepo', 'latest', basic_images,
-              credentials=credentials, options=options)
+    # Pull the repository to verify.
+    puller.pull(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        basic_images,
+        credentials=credentials,
+        options=options,
+    )
 
-def test_attempt_push_mismatched_manifest(v22_protocol, basic_images, liveserver_session,
-                                          app_reloader, data_model):
-  """ Test: Attempt to push a manifest list refering to a schema 1 manifest with a different
+
+def test_attempt_push_mismatched_manifest(
+    v22_protocol, basic_images, liveserver_session, app_reloader, data_model
+):
+    """ Test: Attempt to push a manifest list refering to a schema 1 manifest with a different
       architecture than that specified in the manifest list.
   """
-  if data_model != 'oci_model':
-    return
+    if data_model != "oci_model":
+        return
 
-  credentials = ('devtable', 'password')
-  options = ProtocolOptions()
+    credentials = ("devtable", "password")
+    options = ProtocolOptions()
 
-  # Build the manifest that will go in the list. This will be amd64.
-  blobs = {}
-  signed = v22_protocol.build_schema1('devtable', 'newrepo', 'latest', basic_images, blobs, options)
-  manifest = signed.unsigned()
+    # Build the manifest that will go in the list. This will be amd64.
+    blobs = {}
+    signed = v22_protocol.build_schema1(
+        "devtable", "newrepo", "latest", basic_images, blobs, options
+    )
+    manifest = signed.unsigned()
 
-  # Create the manifest list, but refer to the manifest as arm.
-  builder = DockerSchema2ManifestListBuilder()
-  builder.add_manifest(manifest, 'arm', 'linux')
-  manifestlist = builder.build()
+    # Create the manifest list, but refer to the manifest as arm.
+    builder = DockerSchema2ManifestListBuilder()
+    builder.add_manifest(manifest, "arm", "linux")
+    manifestlist = builder.build()
 
-  # Attempt to push the manifest, which should fail.
-  v22_protocol.push_list(liveserver_session, 'devtable', 'newrepo', 'latest', manifestlist,
-                         [manifest], blobs,
-                         credentials=credentials, options=options,
-                         expected_failure=Failures.INVALID_MANIFEST)
+    # Attempt to push the manifest, which should fail.
+    v22_protocol.push_list(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        manifestlist,
+        [manifest],
+        blobs,
+        credentials=credentials,
+        options=options,
+        expected_failure=Failures.INVALID_MANIFEST,
+    )
 
 
-@pytest.mark.parametrize('delete_method', [
-  'registry',
-  'api',
-])
-def test_attempt_pull_by_manifest_digest_for_deleted_tag(delete_method, manifest_protocol,
-                                                         basic_images, liveserver_session,
-                                                         app_reloader, api_caller):
-  """ Test: Attempt to pull a deleted tag's manifest by digest. """
-  credentials = ('devtable', 'password')
+@pytest.mark.parametrize("delete_method", ["registry", "api"])
+def test_attempt_pull_by_manifest_digest_for_deleted_tag(
+    delete_method,
+    manifest_protocol,
+    basic_images,
+    liveserver_session,
+    app_reloader,
+    api_caller,
+):
+    """ Test: Attempt to pull a deleted tag's manifest by digest. """
+    credentials = ("devtable", "password")
 
-  # Push a new repository.
-  result = manifest_protocol.push(liveserver_session, 'devtable', 'newrepo', 'latest', basic_images,
-                                  credentials=credentials)
-  digests = [str(manifest.digest) for manifest in result.manifests.values()]
-  assert len(digests) == 1
+    # Push a new repository.
+    result = manifest_protocol.push(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        basic_images,
+        credentials=credentials,
+    )
+    digests = [str(manifest.digest) for manifest in result.manifests.values()]
+    assert len(digests) == 1
 
-  # Ensure we can pull by tag.
-  manifest_protocol.pull(liveserver_session, 'devtable', 'newrepo', 'latest', basic_images,
-                         credentials=credentials)
+    # Ensure we can pull by tag.
+    manifest_protocol.pull(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        basic_images,
+        credentials=credentials,
+    )
 
-  # Ensure we can pull by digest.
-  manifest_protocol.pull(liveserver_session, 'devtable', 'newrepo', digests[0], basic_images,
-                         credentials=credentials)
+    # Ensure we can pull by digest.
+    manifest_protocol.pull(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        digests[0],
+        basic_images,
+        credentials=credentials,
+    )
 
-  if delete_method == 'api':
-    api_caller.conduct_auth('devtable', 'password')
-    resp = api_caller.delete('/api/v1/repository/devtable/newrepo/tag/latest')
-    resp.raise_for_status()
-  else:
-    # Delete the tag by digest.
-    manifest_protocol.delete(liveserver_session, 'devtable', 'newrepo', digests[0],
-                             credentials=credentials)
+    if delete_method == "api":
+        api_caller.conduct_auth("devtable", "password")
+        resp = api_caller.delete("/api/v1/repository/devtable/newrepo/tag/latest")
+        resp.raise_for_status()
+    else:
+        # Delete the tag by digest.
+        manifest_protocol.delete(
+            liveserver_session,
+            "devtable",
+            "newrepo",
+            digests[0],
+            credentials=credentials,
+        )
 
-  # Attempt to pull from the repository by digests to verify it shows they are not accessible.
-  manifest_protocol.pull(liveserver_session, 'devtable', 'newrepo', digests[0], basic_images,
-                         credentials=credentials, expected_failure=Failures.UNKNOWN_TAG)
+    # Attempt to pull from the repository by digests to verify it shows they are not accessible.
+    manifest_protocol.pull(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        digests[0],
+        basic_images,
+        credentials=credentials,
+        expected_failure=Failures.UNKNOWN_TAG,
+    )
 
 
 @pytest.mark.parametrize(
-  'state,         use_robot,   create_mirror,   robot_exists,  expected_failure', [
-  ('NORMAL',      True,        True,            True,          None),
-  ('NORMAL',      False,       True,            True,          None),
-  ('NORMAL',      True,        True,            False,         Failures.INVALID_AUTHENTICATION),
-  ('NORMAL',      False,       True,            False,         None),
-  ('NORMAL',      True,        False,           True,          None),
-  ('NORMAL',      False,       False,           True,          None),
-  ('NORMAL',      True,        False,           False,         Failures.INVALID_AUTHENTICATION),
-  ('NORMAL',      False,       False,           False,         None),
-
-  ('READ_ONLY',   True,        True,            True,          Failures.READ_ONLY),
-  ('READ_ONLY',   False,       True,            True,          Failures.READ_ONLY),
-  ('READ_ONLY',   True,        True,            False,         Failures.INVALID_AUTHENTICATION),
-  ('READ_ONLY',   False,       True,            False,         Failures.READ_ONLY),
-  ('READ_ONLY',   True,        False,           True,          Failures.READ_ONLY),
-  ('READ_ONLY',   False,       False,           True,          Failures.READ_ONLY),
-  ('READ_ONLY',   True,        False,           False,         Failures.INVALID_AUTHENTICATION),
-  ('READ_ONLY',   False,       False,           False,         Failures.READ_ONLY),
-
-  ('MIRROR',      True,        True,            True,          None),
-  ('MIRROR',      False,       True,            True,          Failures.MIRROR_ONLY),
-  ('MIRROR',      True,        False,           True,          Failures.MIRROR_MISCONFIGURED),
-  ('MIRROR',      False,       False,           True,          Failures.MIRROR_MISCONFIGURED),
-  ('MIRROR',      True,        True,            False,         Failures.INVALID_AUTHENTICATION),
-  ('MIRROR',      False,       True,            False,         Failures.MIRROR_ROBOT_MISSING),
-  ('MIRROR',      True,        False,           False,         Failures.INVALID_AUTHENTICATION),
-  ('MIRROR',      False,       False,           False,         Failures.MIRROR_MISCONFIGURED),
-])
-def test_repository_states(state, use_robot, create_mirror, robot_exists, expected_failure, pusher,
-                           puller, basic_images, liveserver_session, api_caller, app_reloader):
-  """
+    "state,         use_robot,   create_mirror,   robot_exists,  expected_failure",
+    [
+        ("NORMAL", True, True, True, None),
+        ("NORMAL", False, True, True, None),
+        ("NORMAL", True, True, False, Failures.INVALID_AUTHENTICATION),
+        ("NORMAL", False, True, False, None),
+        ("NORMAL", True, False, True, None),
+        ("NORMAL", False, False, True, None),
+        ("NORMAL", True, False, False, Failures.INVALID_AUTHENTICATION),
+        ("NORMAL", False, False, False, None),
+        ("READ_ONLY", True, True, True, Failures.READ_ONLY),
+        ("READ_ONLY", False, True, True, Failures.READ_ONLY),
+        ("READ_ONLY", True, True, False, Failures.INVALID_AUTHENTICATION),
+        ("READ_ONLY", False, True, False, Failures.READ_ONLY),
+        ("READ_ONLY", True, False, True, Failures.READ_ONLY),
+        ("READ_ONLY", False, False, True, Failures.READ_ONLY),
+        ("READ_ONLY", True, False, False, Failures.INVALID_AUTHENTICATION),
+        ("READ_ONLY", False, False, False, Failures.READ_ONLY),
+        ("MIRROR", True, True, True, None),
+        ("MIRROR", False, True, True, Failures.MIRROR_ONLY),
+        ("MIRROR", True, False, True, Failures.MIRROR_MISCONFIGURED),
+        ("MIRROR", False, False, True, Failures.MIRROR_MISCONFIGURED),
+        ("MIRROR", True, True, False, Failures.INVALID_AUTHENTICATION),
+        ("MIRROR", False, True, False, Failures.MIRROR_ROBOT_MISSING),
+        ("MIRROR", True, False, False, Failures.INVALID_AUTHENTICATION),
+        ("MIRROR", False, False, False, Failures.MIRROR_MISCONFIGURED),
+    ],
+)
+def test_repository_states(
+    state,
+    use_robot,
+    create_mirror,
+    robot_exists,
+    expected_failure,
+    pusher,
+    puller,
+    basic_images,
+    liveserver_session,
+    api_caller,
+    app_reloader,
+):
+    """
   Verify the push behavior of the Repository dependent upon its state.
   """
-  namespace = 'devtable'
-  repo = 'staterepo'
-  tag = 'latest'
-  credentials = ('devtable', 'password')
-  robot = 'dtrobot'
-  robot_full_name = '%s+%s' % (namespace, robot)
+    namespace = "devtable"
+    repo = "staterepo"
+    tag = "latest"
+    credentials = ("devtable", "password")
+    robot = "dtrobot"
+    robot_full_name = "%s+%s" % (namespace, robot)
 
-  # Create repository
-  pusher.push(liveserver_session, namespace, repo, tag, basic_images, credentials=credentials)
+    # Create repository
+    pusher.push(
+        liveserver_session, namespace, repo, tag, basic_images, credentials=credentials
+    )
 
-  # Login with API Caller
-  api_caller.conduct_auth(*credentials)
+    # Login with API Caller
+    api_caller.conduct_auth(*credentials)
 
-  # When testing the Robot, assume the robot existed and had the correct permissions *before*
-  # mirroring was configured.
-  if use_robot:
-    url = '/api/v1/repository/%s/%s/permissions/user/%s' % (namespace, repo, robot_full_name)
-    data = json.dumps({'role': 'write'})
-    resp = api_caller.put(url, data=data, headers={'content-type': 'application/json'})
-    assert resp
+    # When testing the Robot, assume the robot existed and had the correct permissions *before*
+    # mirroring was configured.
+    if use_robot:
+        url = "/api/v1/repository/%s/%s/permissions/user/%s" % (
+            namespace,
+            repo,
+            robot_full_name,
+        )
+        data = json.dumps({"role": "write"})
+        resp = api_caller.put(
+            url, data=data, headers={"content-type": "application/json"}
+        )
+        assert resp
 
-  if create_mirror:
-    params = {
-      'is_enabled': True,
-      'external_reference': 'quay.io/foo/bar',
-      'external_registry_username': 'fakeusername',
-      'external_registry_password': 'fakepassword',
-      'sync_interval': 1000,
-      'sync_start_date': '2020-01-01T00:00:00Z',
-      'root_rule': {
-        'rule_type': 'TAG_GLOB_CSV',
-        'rule_value': ['latest', '1.3*', 'foo']
-      },
-      'robot_username': robot_full_name,
-      'external_registry_config': {
-        'verify_tls': True,
-        'proxy': {
-          'https_proxy': 'https://proxy.example.net',
-          'http_proxy': 'http://insecure.proxy.com',
-          'no_proxy': 'local.lan.com'
+    if create_mirror:
+        params = {
+            "is_enabled": True,
+            "external_reference": "quay.io/foo/bar",
+            "external_registry_username": "fakeusername",
+            "external_registry_password": "fakepassword",
+            "sync_interval": 1000,
+            "sync_start_date": "2020-01-01T00:00:00Z",
+            "root_rule": {
+                "rule_type": "TAG_GLOB_CSV",
+                "rule_value": ["latest", "1.3*", "foo"],
+            },
+            "robot_username": robot_full_name,
+            "external_registry_config": {
+                "verify_tls": True,
+                "proxy": {
+                    "https_proxy": "https://proxy.example.net",
+                    "http_proxy": "http://insecure.proxy.com",
+                    "no_proxy": "local.lan.com",
+                },
+            },
         }
-      }
-    }
 
-    url = '/api/v1/repository/%s/%s/mirror' % (namespace, repo)
-    data = json.dumps(params)
-    headers = {'Content-Type': 'application/json'}
-    resp = api_caller.post(url, data=data, headers=headers)
-    assert resp  # Mirror was created successfully
+        url = "/api/v1/repository/%s/%s/mirror" % (namespace, repo)
+        data = json.dumps(params)
+        headers = {"Content-Type": "application/json"}
+        resp = api_caller.post(url, data=data, headers=headers)
+        assert resp  # Mirror was created successfully
 
-  # Set the state of the Repository
-  url = '/api/v1/repository/%s/%s/changestate' % (namespace, repo)
-  data = json.dumps({'state': state})
-  resp = api_caller.put(url, data=data, headers={'content-type': 'application/json'})
-  assert resp  # State was changed successfully
+    # Set the state of the Repository
+    url = "/api/v1/repository/%s/%s/changestate" % (namespace, repo)
+    data = json.dumps({"state": state})
+    resp = api_caller.put(url, data=data, headers={"content-type": "application/json"})
+    assert resp  # State was changed successfully
 
-  # If testing the registry as the Robot user, use the Robot's credentials for all proceeding
-  # API Calls
-  if use_robot:
-    resp = api_caller.get('/api/v1/user/robots/%s' % robot)
-    data = resp.json()
-    assert resp  # Robot credentials fetched successfully
-    credentials = (data['name'], data['token'])
+    # If testing the registry as the Robot user, use the Robot's credentials for all proceeding
+    # API Calls
+    if use_robot:
+        resp = api_caller.get("/api/v1/user/robots/%s" % robot)
+        data = resp.json()
+        assert resp  # Robot credentials fetched successfully
+        credentials = (data["name"], data["token"])
 
-  # Verify pulls/reads still work
-  puller.pull(liveserver_session, namespace, repo, tag, basic_images, credentials=credentials)
+    # Verify pulls/reads still work
+    puller.pull(
+        liveserver_session, namespace, repo, tag, basic_images, credentials=credentials
+    )
 
-  # Verify the case where the robot user no longer exists
-  if not robot_exists:
-    resp = api_caller.delete('/api/v1/user/robots/%s' % robot)
-    assert resp
+    # Verify the case where the robot user no longer exists
+    if not robot_exists:
+        resp = api_caller.delete("/api/v1/user/robots/%s" % robot)
+        assert resp
 
-  # Verify that the Repository.state determines whether pushes/changes are allowed
-  options = ProtocolOptions()
-  options.skip_head_checks = True
-  pusher.push(liveserver_session, namespace, repo, tag, basic_images, credentials=credentials,
-              expected_failure=expected_failure, options=options)
+    # Verify that the Repository.state determines whether pushes/changes are allowed
+    options = ProtocolOptions()
+    options.skip_head_checks = True
+    pusher.push(
+        liveserver_session,
+        namespace,
+        repo,
+        tag,
+        basic_images,
+        credentials=credentials,
+        expected_failure=expected_failure,
+        options=options,
+    )
 
 
-def test_readonly_push_pull(pusher, puller, basic_images, different_images, liveserver_session,
-                            app_reloader, api_caller, liveserver, registry_server_executor):
-  """ Test: Basic push an image to a new repository, followed by changing the system to readonly
+def test_readonly_push_pull(
+    pusher,
+    puller,
+    basic_images,
+    different_images,
+    liveserver_session,
+    app_reloader,
+    api_caller,
+    liveserver,
+    registry_server_executor,
+):
+    """ Test: Basic push an image to a new repository, followed by changing the system to readonly
             and then attempting a pull and a push.
   """
-  credentials = ('devtable', 'password')
+    credentials = ("devtable", "password")
 
-  # Push a new repository.
-  pusher.push(liveserver_session, 'devtable', 'newrepo', 'latest', basic_images,
-              credentials=credentials)
+    # Push a new repository.
+    pusher.push(
+        liveserver_session,
+        "devtable",
+        "newrepo",
+        "latest",
+        basic_images,
+        credentials=credentials,
+    )
 
-  # Change to read-only mode.
-  with ConfigChange('REGISTRY_STATE', 'readonly', registry_server_executor.on(liveserver),
-                    liveserver):
-    # Pull the repository to verify.
-    puller.pull(liveserver_session, 'devtable', 'newrepo', 'latest', basic_images,
-                credentials=credentials)
+    # Change to read-only mode.
+    with ConfigChange(
+        "REGISTRY_STATE",
+        "readonly",
+        registry_server_executor.on(liveserver),
+        liveserver,
+    ):
+        # Pull the repository to verify.
+        puller.pull(
+            liveserver_session,
+            "devtable",
+            "newrepo",
+            "latest",
+            basic_images,
+            credentials=credentials,
+        )
 
-    # Attempt to push to the repository, which should fail.
-    pusher.push(liveserver_session, 'devtable', 'newrepo', 'latest', different_images,
-                credentials=credentials, expected_failure=Failures.READONLY_REGISTRY)
+        # Attempt to push to the repository, which should fail.
+        pusher.push(
+            liveserver_session,
+            "devtable",
+            "newrepo",
+            "latest",
+            different_images,
+            credentials=credentials,
+            expected_failure=Failures.READONLY_REGISTRY,
+        )
 
-    # Pull again to verify nothing has changed.
-    puller.pull(liveserver_session, 'devtable', 'newrepo', 'latest', basic_images,
-                credentials=credentials)
+        # Pull again to verify nothing has changed.
+        puller.pull(
+            liveserver_session,
+            "devtable",
+            "newrepo",
+            "latest",
+            basic_images,
+            credentials=credentials,
+        )
diff --git a/test/specs.py b/test/specs.py
index 148396f87..cf4d3631e 100644
--- a/test/specs.py
+++ b/test/specs.py
@@ -6,505 +6,907 @@ from base64 import b64encode
 
 
 NO_REPO = None
-PUBLIC = 'public'
-PUBLIC_REPO_NAME = 'publicrepo'
-PUBLIC_REPO = PUBLIC + '/' + PUBLIC_REPO_NAME
+PUBLIC = "public"
+PUBLIC_REPO_NAME = "publicrepo"
+PUBLIC_REPO = PUBLIC + "/" + PUBLIC_REPO_NAME
 
-PRIVATE = 'devtable'
-PRIVATE_REPO_NAME = 'shared'
-PRIVATE_REPO = PRIVATE + '/' + PRIVATE_REPO_NAME
+PRIVATE = "devtable"
+PRIVATE_REPO_NAME = "shared"
+PRIVATE_REPO = PRIVATE + "/" + PRIVATE_REPO_NAME
 
-ORG = 'buynlarge'
-ORG_REPO = ORG + '/orgrepo'
-ANOTHER_ORG_REPO = ORG + '/anotherorgrepo'
-NEW_ORG_REPO = ORG + '/neworgrepo'
+ORG = "buynlarge"
+ORG_REPO = ORG + "/orgrepo"
+ANOTHER_ORG_REPO = ORG + "/anotherorgrepo"
+NEW_ORG_REPO = ORG + "/neworgrepo"
 
-ORG_REPO_NAME = 'orgrepo'
-ORG_READERS = 'readers'
-ORG_OWNER = 'devtable'
-ORG_OWNERS = 'owners'
-ORG_READERS = 'readers'
+ORG_REPO_NAME = "orgrepo"
+ORG_READERS = "readers"
+ORG_OWNER = "devtable"
+ORG_OWNERS = "owners"
+ORG_READERS = "readers"
 
-FAKE_MANIFEST = 'unknown_tag'
-FAKE_DIGEST = 'sha256:' + hashlib.sha256('fake').hexdigest()
-FAKE_IMAGE_ID = 'fake-image'
-FAKE_UPLOAD_ID = 'fake-upload'
-FAKE_TAG_NAME = 'fake-tag'
-FAKE_USERNAME = 'fakeuser'
-FAKE_TOKEN = 'fake-token'
-FAKE_WEBHOOK = 'fake-webhook'
+FAKE_MANIFEST = "unknown_tag"
+FAKE_DIGEST = "sha256:" + hashlib.sha256("fake").hexdigest()
+FAKE_IMAGE_ID = "fake-image"
+FAKE_UPLOAD_ID = "fake-upload"
+FAKE_TAG_NAME = "fake-tag"
+FAKE_USERNAME = "fakeuser"
+FAKE_TOKEN = "fake-token"
+FAKE_WEBHOOK = "fake-webhook"
 
-BUILD_UUID = '123'
-TRIGGER_UUID = '123'
+BUILD_UUID = "123"
+TRIGGER_UUID = "123"
 
 NEW_ORG_REPO_DETAILS = {
-  'repository': 'fake-repository',
-  'visibility': 'private',
-  'description': '',
-  'namespace': ORG,
+    "repository": "fake-repository",
+    "visibility": "private",
+    "description": "",
+    "namespace": ORG,
 }
 
 NEW_USER_DETAILS = {
-  'username': 'bobby',
-  'password': 'password',
-  'email': 'bobby@tables.com',
+    "username": "bobby",
+    "password": "password",
+    "email": "bobby@tables.com",
 }
 
-SEND_RECOVERY_DETAILS = {
-  'email': 'jacob.moshenko@gmail.com',
-}
+SEND_RECOVERY_DETAILS = {"email": "jacob.moshenko@gmail.com"}
 
-SIGNIN_DETAILS = {
-  'username': 'devtable',
-  'password': 'password',
-}
+SIGNIN_DETAILS = {"username": "devtable", "password": "password"}
 
-FILE_DROP_DETAILS = {
-  'mimeType': 'application/zip',
-}
+FILE_DROP_DETAILS = {"mimeType": "application/zip"}
 
-CHANGE_PERMISSION_DETAILS = {
-  'role': 'admin',
-}
+CHANGE_PERMISSION_DETAILS = {"role": "admin"}
 
-CREATE_BUILD_DETAILS = {
-  'file_id': 'fake-file-id',
-}
+CREATE_BUILD_DETAILS = {"file_id": "fake-file-id"}
 
-CHANGE_VISIBILITY_DETAILS = {
-  'visibility': 'public',
-}
+CHANGE_VISIBILITY_DETAILS = {"visibility": "public"}
 
-CREATE_TOKEN_DETAILS = {
-  'friendlyName': 'A new token',
-}
+CREATE_TOKEN_DETAILS = {"friendlyName": "A new token"}
 
-UPDATE_REPO_DETAILS = {
-  'description': 'A new description',
-}
+UPDATE_REPO_DETAILS = {"description": "A new description"}
 
 
 class IndexV1TestSpec(object):
-  def __init__(self, url, sess_repo=None, anon_code=403, no_access_code=403,
-               read_code=200, creator_code=200, admin_code=200):
-    self._url = url
-    self._method = 'GET'
-    self._data = None
+    def __init__(
+        self,
+        url,
+        sess_repo=None,
+        anon_code=403,
+        no_access_code=403,
+        read_code=200,
+        creator_code=200,
+        admin_code=200,
+    ):
+        self._url = url
+        self._method = "GET"
+        self._data = None
 
-    self.sess_repo = sess_repo
+        self.sess_repo = sess_repo
 
-    self.anon_code = anon_code
-    self.no_access_code = no_access_code
-    self.read_code = read_code
-    self.creator_code = creator_code
-    self.admin_code = admin_code
+        self.anon_code = anon_code
+        self.no_access_code = no_access_code
+        self.read_code = read_code
+        self.creator_code = creator_code
+        self.admin_code = admin_code
 
-  def gen_basic_auth(self, username, password):
-    encoded = b64encode('%s:%s' % (username, password))
-    return 'basic %s' % encoded
+    def gen_basic_auth(self, username, password):
+        encoded = b64encode("%s:%s" % (username, password))
+        return "basic %s" % encoded
 
-  def set_data_from_obj(self, json_serializable):
-    self._data = json.dumps(json_serializable)
-    return self
+    def set_data_from_obj(self, json_serializable):
+        self._data = json.dumps(json_serializable)
+        return self
 
-  def set_method(self, method):
-    self._method = method
-    return self
+    def set_method(self, method):
+        self._method = method
+        return self
 
-  def get_client_args(self):
-    kwargs = {
-      'method': self._method
-    }
+    def get_client_args(self):
+        kwargs = {"method": self._method}
 
-    if self._data or self._method == 'POST' or self._method == 'PUT' or self._method == 'PATCH':
-      kwargs['data'] = self._data if self._data else '{}'
-      kwargs['content_type'] = 'application/json'
+        if (
+            self._data
+            or self._method == "POST"
+            or self._method == "PUT"
+            or self._method == "PATCH"
+        ):
+            kwargs["data"] = self._data if self._data else "{}"
+            kwargs["content_type"] = "application/json"
 
-    return self._url, kwargs
+        return self._url, kwargs
 
 
 def build_v1_index_specs():
-  return [
-    IndexV1TestSpec(url_for('v1.get_image_layer', image_id=FAKE_IMAGE_ID),
-                  PUBLIC_REPO, 404, 404, 404, 404, 404),
-    IndexV1TestSpec(url_for('v1.get_image_layer', image_id=FAKE_IMAGE_ID),
-                  PRIVATE_REPO, 403, 403, 404, 403, 404),
-    IndexV1TestSpec(url_for('v1.get_image_layer', image_id=FAKE_IMAGE_ID),
-                  ORG_REPO, 403, 403, 404, 403, 404),
-    IndexV1TestSpec(url_for('v1.get_image_layer', image_id=FAKE_IMAGE_ID),
-                  ANOTHER_ORG_REPO, 403, 403, 403, 403, 404),
-
-    IndexV1TestSpec(url_for('v1.put_image_layer', image_id=FAKE_IMAGE_ID),
-                  PUBLIC_REPO, 403, 403, 403, 403, 403).set_method('PUT'),
-    IndexV1TestSpec(url_for('v1.put_image_layer', image_id=FAKE_IMAGE_ID),
-                  PRIVATE_REPO, 403, 403, 403, 403, 400).set_method('PUT'),
-    IndexV1TestSpec(url_for('v1.put_image_layer', image_id=FAKE_IMAGE_ID),
-                  ORG_REPO, 403, 403, 403, 403, 400).set_method('PUT'),
-    IndexV1TestSpec(url_for('v1.put_image_layer', image_id=FAKE_IMAGE_ID),
-                  ANOTHER_ORG_REPO, 403, 403, 403, 403, 400).set_method('PUT'),
-
-    IndexV1TestSpec(url_for('v1.put_image_checksum',
-                          image_id=FAKE_IMAGE_ID),
-                  PUBLIC_REPO, 403, 403, 403, 403, 403).set_method('PUT'),
-    IndexV1TestSpec(url_for('v1.put_image_checksum',
-                          image_id=FAKE_IMAGE_ID),
-                  PRIVATE_REPO, 403, 403, 403, 403, 400).set_method('PUT'),
-    IndexV1TestSpec(url_for('v1.put_image_checksum',
-                          image_id=FAKE_IMAGE_ID),
-                  ORG_REPO, 403, 403, 403, 403, 400).set_method('PUT'),
-    IndexV1TestSpec(url_for('v1.put_image_checksum',
-                          image_id=FAKE_IMAGE_ID),
-                  ANOTHER_ORG_REPO, 403, 403, 403, 403, 400).set_method('PUT'),
-
-    IndexV1TestSpec(url_for('v1.get_image_json', image_id=FAKE_IMAGE_ID),
-                  PUBLIC_REPO, 404, 404, 404, 404, 404),
-    IndexV1TestSpec(url_for('v1.get_image_json', image_id=FAKE_IMAGE_ID),
-                  PRIVATE_REPO, 403, 403, 404, 403, 404),
-    IndexV1TestSpec(url_for('v1.get_image_json', image_id=FAKE_IMAGE_ID),
-                  ORG_REPO, 403, 403, 404, 403, 404),
-    IndexV1TestSpec(url_for('v1.get_image_json', image_id=FAKE_IMAGE_ID),
-                  ANOTHER_ORG_REPO, 403, 403, 403, 403, 404),
-
-    IndexV1TestSpec(url_for('v1.get_image_ancestry', image_id=FAKE_IMAGE_ID),
-                  PUBLIC_REPO, 404, 404, 404, 404, 404),
-    IndexV1TestSpec(url_for('v1.get_image_ancestry', image_id=FAKE_IMAGE_ID),
-                  PRIVATE_REPO, 403, 403, 404, 403, 404),
-    IndexV1TestSpec(url_for('v1.get_image_ancestry', image_id=FAKE_IMAGE_ID),
-                  ORG_REPO, 403, 403, 404, 403, 404),
-    IndexV1TestSpec(url_for('v1.get_image_ancestry', image_id=FAKE_IMAGE_ID),
-                  ANOTHER_ORG_REPO, 403, 403, 403, 403, 404),
-
-    IndexV1TestSpec(url_for('v1.put_image_json', image_id=FAKE_IMAGE_ID),
-                  PUBLIC_REPO, 403, 403, 403, 403, 403).set_method('PUT'),
-    IndexV1TestSpec(url_for('v1.put_image_json', image_id=FAKE_IMAGE_ID),
-                  PRIVATE_REPO, 403, 403, 403, 403, 400).set_method('PUT'),
-    IndexV1TestSpec(url_for('v1.put_image_json', image_id=FAKE_IMAGE_ID),
-                  ORG_REPO, 403, 403, 403, 403, 400).set_method('PUT'),
-    IndexV1TestSpec(url_for('v1.put_image_json', image_id=FAKE_IMAGE_ID),
-                  ANOTHER_ORG_REPO, 403, 403, 403, 403, 400).set_method('PUT'),
-
-    IndexV1TestSpec(url_for('v1.create_user'), NO_REPO, 400, 400, 400, 400,
-                  400).set_method('POST').set_data_from_obj(NEW_USER_DETAILS),
-
-    IndexV1TestSpec(url_for('v1.get_user'), NO_REPO, 404, 200, 200, 200, 200),
-
-    IndexV1TestSpec(url_for('v1.update_user', username=FAKE_USERNAME),
-                  NO_REPO, 403, 403, 403, 403, 403).set_method('PUT'),
-
-    IndexV1TestSpec(url_for('v1.create_repository', repository=PUBLIC_REPO),
-                  NO_REPO, 403, 403, 403, 403, 403).set_method('PUT'),
-    IndexV1TestSpec(url_for('v1.create_repository', repository=PRIVATE_REPO),
-                  NO_REPO, 403, 403, 403, 403, 201).set_method('PUT'),
-    IndexV1TestSpec(url_for('v1.create_repository', repository=ORG_REPO),
-                  NO_REPO, 403, 403, 403, 403, 201).set_method('PUT'),
-    IndexV1TestSpec(url_for('v1.create_repository', repository=ANOTHER_ORG_REPO),
-                  NO_REPO, 403, 403, 403, 403, 201).set_method('PUT'),
-    IndexV1TestSpec(url_for('v1.create_repository', repository=NEW_ORG_REPO),
-                  NO_REPO, 401, 403, 403, 201, 201).set_method('PUT'),
-
-    IndexV1TestSpec(url_for('v1.update_images', repository=PUBLIC_REPO),
-                  NO_REPO, 403, 403, 403, 403, 403).set_method('PUT'),
-    IndexV1TestSpec(url_for('v1.update_images', repository=PRIVATE_REPO),
-                  NO_REPO, 403, 403, 403, 403, 400).set_method('PUT'),
-    IndexV1TestSpec(url_for('v1.update_images', repository=ORG_REPO), NO_REPO,
-                  403, 403, 403, 403, 400).set_method('PUT'),
-    IndexV1TestSpec(url_for('v1.update_images', repository=ANOTHER_ORG_REPO), NO_REPO,
-                  403, 403, 403, 403, 400).set_method('PUT'),
-
-    IndexV1TestSpec(url_for('v1.get_repository_images',
-                          repository=PUBLIC_REPO),
-                  NO_REPO, 200, 200, 200, 200, 200),
-    IndexV1TestSpec(url_for('v1.get_repository_images',
-                          repository=PRIVATE_REPO),
-                  NO_REPO, 403, 403, 200, 403, 200),
-    IndexV1TestSpec(url_for('v1.get_repository_images',
-                          repository=ORG_REPO),
-                  NO_REPO, 403, 403, 200, 403, 200),
-    IndexV1TestSpec(url_for('v1.get_repository_images',
-                          repository=ANOTHER_ORG_REPO),
-                  NO_REPO, 403, 403, 403, 403, 200),
-
-    IndexV1TestSpec(url_for('v1.delete_repository_images',
-                          repository=PUBLIC_REPO),
-                  NO_REPO, 501, 501, 501, 501, 501).set_method('DELETE'),
-
-    IndexV1TestSpec(url_for('v1.put_repository_auth', repository=PUBLIC_REPO),
-                  NO_REPO, 501, 501, 501, 501, 501).set_method('PUT'),
-
-    IndexV1TestSpec(url_for('v1.get_search'), NO_REPO, 200, 200, 200, 200, 200),
-
-    IndexV1TestSpec(url_for('v1.ping'), NO_REPO, 200, 200, 200, 200, 200),
-
-    IndexV1TestSpec(url_for('v1.get_tags', repository=PUBLIC_REPO), NO_REPO,
-                  200, 200, 200, 200, 200),
-    IndexV1TestSpec(url_for('v1.get_tags', repository=PRIVATE_REPO), NO_REPO,
-                  403, 403, 200, 403, 200),
-    IndexV1TestSpec(url_for('v1.get_tags', repository=ORG_REPO), NO_REPO,
-                  403, 403, 200, 403, 200),
-    IndexV1TestSpec(url_for('v1.get_tags', repository=ANOTHER_ORG_REPO), NO_REPO,
-                  403, 403, 403, 403, 200),
-
-    IndexV1TestSpec(url_for('v1.get_tag', repository=PUBLIC_REPO,
-                          tag=FAKE_TAG_NAME), NO_REPO, 404, 404, 404, 404, 404),
-    IndexV1TestSpec(url_for('v1.get_tag', repository=PRIVATE_REPO,
-                          tag=FAKE_TAG_NAME), NO_REPO, 403, 403, 404, 403, 404),
-    IndexV1TestSpec(url_for('v1.get_tag', repository=ORG_REPO,
-                          tag=FAKE_TAG_NAME), NO_REPO, 403, 403, 404, 403, 404),
-    IndexV1TestSpec(url_for('v1.get_tag', repository=ANOTHER_ORG_REPO,
-                          tag=FAKE_TAG_NAME), NO_REPO, 403, 403, 403, 403, 404),
-
-    IndexV1TestSpec(url_for('v1.put_tag', repository=PUBLIC_REPO,
-                          tag=FAKE_TAG_NAME),
-                  NO_REPO, 403, 403, 403, 403, 403).set_method('PUT'),
-    IndexV1TestSpec(url_for('v1.put_tag', repository=PRIVATE_REPO,
-                          tag=FAKE_TAG_NAME),
-                  NO_REPO, 403, 403, 403, 403, 400).set_method('PUT'),
-    IndexV1TestSpec(url_for('v1.put_tag', repository=ORG_REPO,
-                          tag=FAKE_TAG_NAME),
-                  NO_REPO, 403, 403, 403, 403, 400).set_method('PUT'),
-    IndexV1TestSpec(url_for('v1.put_tag', repository=ANOTHER_ORG_REPO,
-                          tag=FAKE_TAG_NAME),
-                  NO_REPO, 403, 403, 403, 403, 400).set_method('PUT'),
-
-    IndexV1TestSpec(url_for('v1.delete_tag', repository=PUBLIC_REPO,
-                          tag=FAKE_TAG_NAME),
-                  NO_REPO, 403, 403, 403, 403, 403).set_method('DELETE'),
-    IndexV1TestSpec(url_for('v1.delete_tag', repository=PRIVATE_REPO,
-                          tag=FAKE_TAG_NAME),
-                  NO_REPO, 403, 403, 403, 403, 400).set_method('DELETE'),
-    IndexV1TestSpec(url_for('v1.delete_tag', repository=ORG_REPO,
-                          tag=FAKE_TAG_NAME),
-                  NO_REPO, 403, 403, 403, 403, 400).set_method('DELETE'),
-    IndexV1TestSpec(url_for('v1.delete_tag', repository=ANOTHER_ORG_REPO,
-                          tag=FAKE_TAG_NAME),
-                  NO_REPO, 403, 403, 403, 403, 400).set_method('DELETE'),
-  ]
+    return [
+        IndexV1TestSpec(
+            url_for("v1.get_image_layer", image_id=FAKE_IMAGE_ID),
+            PUBLIC_REPO,
+            404,
+            404,
+            404,
+            404,
+            404,
+        ),
+        IndexV1TestSpec(
+            url_for("v1.get_image_layer", image_id=FAKE_IMAGE_ID),
+            PRIVATE_REPO,
+            403,
+            403,
+            404,
+            403,
+            404,
+        ),
+        IndexV1TestSpec(
+            url_for("v1.get_image_layer", image_id=FAKE_IMAGE_ID),
+            ORG_REPO,
+            403,
+            403,
+            404,
+            403,
+            404,
+        ),
+        IndexV1TestSpec(
+            url_for("v1.get_image_layer", image_id=FAKE_IMAGE_ID),
+            ANOTHER_ORG_REPO,
+            403,
+            403,
+            403,
+            403,
+            404,
+        ),
+        IndexV1TestSpec(
+            url_for("v1.put_image_layer", image_id=FAKE_IMAGE_ID),
+            PUBLIC_REPO,
+            403,
+            403,
+            403,
+            403,
+            403,
+        ).set_method("PUT"),
+        IndexV1TestSpec(
+            url_for("v1.put_image_layer", image_id=FAKE_IMAGE_ID),
+            PRIVATE_REPO,
+            403,
+            403,
+            403,
+            403,
+            400,
+        ).set_method("PUT"),
+        IndexV1TestSpec(
+            url_for("v1.put_image_layer", image_id=FAKE_IMAGE_ID),
+            ORG_REPO,
+            403,
+            403,
+            403,
+            403,
+            400,
+        ).set_method("PUT"),
+        IndexV1TestSpec(
+            url_for("v1.put_image_layer", image_id=FAKE_IMAGE_ID),
+            ANOTHER_ORG_REPO,
+            403,
+            403,
+            403,
+            403,
+            400,
+        ).set_method("PUT"),
+        IndexV1TestSpec(
+            url_for("v1.put_image_checksum", image_id=FAKE_IMAGE_ID),
+            PUBLIC_REPO,
+            403,
+            403,
+            403,
+            403,
+            403,
+        ).set_method("PUT"),
+        IndexV1TestSpec(
+            url_for("v1.put_image_checksum", image_id=FAKE_IMAGE_ID),
+            PRIVATE_REPO,
+            403,
+            403,
+            403,
+            403,
+            400,
+        ).set_method("PUT"),
+        IndexV1TestSpec(
+            url_for("v1.put_image_checksum", image_id=FAKE_IMAGE_ID),
+            ORG_REPO,
+            403,
+            403,
+            403,
+            403,
+            400,
+        ).set_method("PUT"),
+        IndexV1TestSpec(
+            url_for("v1.put_image_checksum", image_id=FAKE_IMAGE_ID),
+            ANOTHER_ORG_REPO,
+            403,
+            403,
+            403,
+            403,
+            400,
+        ).set_method("PUT"),
+        IndexV1TestSpec(
+            url_for("v1.get_image_json", image_id=FAKE_IMAGE_ID),
+            PUBLIC_REPO,
+            404,
+            404,
+            404,
+            404,
+            404,
+        ),
+        IndexV1TestSpec(
+            url_for("v1.get_image_json", image_id=FAKE_IMAGE_ID),
+            PRIVATE_REPO,
+            403,
+            403,
+            404,
+            403,
+            404,
+        ),
+        IndexV1TestSpec(
+            url_for("v1.get_image_json", image_id=FAKE_IMAGE_ID),
+            ORG_REPO,
+            403,
+            403,
+            404,
+            403,
+            404,
+        ),
+        IndexV1TestSpec(
+            url_for("v1.get_image_json", image_id=FAKE_IMAGE_ID),
+            ANOTHER_ORG_REPO,
+            403,
+            403,
+            403,
+            403,
+            404,
+        ),
+        IndexV1TestSpec(
+            url_for("v1.get_image_ancestry", image_id=FAKE_IMAGE_ID),
+            PUBLIC_REPO,
+            404,
+            404,
+            404,
+            404,
+            404,
+        ),
+        IndexV1TestSpec(
+            url_for("v1.get_image_ancestry", image_id=FAKE_IMAGE_ID),
+            PRIVATE_REPO,
+            403,
+            403,
+            404,
+            403,
+            404,
+        ),
+        IndexV1TestSpec(
+            url_for("v1.get_image_ancestry", image_id=FAKE_IMAGE_ID),
+            ORG_REPO,
+            403,
+            403,
+            404,
+            403,
+            404,
+        ),
+        IndexV1TestSpec(
+            url_for("v1.get_image_ancestry", image_id=FAKE_IMAGE_ID),
+            ANOTHER_ORG_REPO,
+            403,
+            403,
+            403,
+            403,
+            404,
+        ),
+        IndexV1TestSpec(
+            url_for("v1.put_image_json", image_id=FAKE_IMAGE_ID),
+            PUBLIC_REPO,
+            403,
+            403,
+            403,
+            403,
+            403,
+        ).set_method("PUT"),
+        IndexV1TestSpec(
+            url_for("v1.put_image_json", image_id=FAKE_IMAGE_ID),
+            PRIVATE_REPO,
+            403,
+            403,
+            403,
+            403,
+            400,
+        ).set_method("PUT"),
+        IndexV1TestSpec(
+            url_for("v1.put_image_json", image_id=FAKE_IMAGE_ID),
+            ORG_REPO,
+            403,
+            403,
+            403,
+            403,
+            400,
+        ).set_method("PUT"),
+        IndexV1TestSpec(
+            url_for("v1.put_image_json", image_id=FAKE_IMAGE_ID),
+            ANOTHER_ORG_REPO,
+            403,
+            403,
+            403,
+            403,
+            400,
+        ).set_method("PUT"),
+        IndexV1TestSpec(url_for("v1.create_user"), NO_REPO, 400, 400, 400, 400, 400)
+        .set_method("POST")
+        .set_data_from_obj(NEW_USER_DETAILS),
+        IndexV1TestSpec(url_for("v1.get_user"), NO_REPO, 404, 200, 200, 200, 200),
+        IndexV1TestSpec(
+            url_for("v1.update_user", username=FAKE_USERNAME),
+            NO_REPO,
+            403,
+            403,
+            403,
+            403,
+            403,
+        ).set_method("PUT"),
+        IndexV1TestSpec(
+            url_for("v1.create_repository", repository=PUBLIC_REPO),
+            NO_REPO,
+            403,
+            403,
+            403,
+            403,
+            403,
+        ).set_method("PUT"),
+        IndexV1TestSpec(
+            url_for("v1.create_repository", repository=PRIVATE_REPO),
+            NO_REPO,
+            403,
+            403,
+            403,
+            403,
+            201,
+        ).set_method("PUT"),
+        IndexV1TestSpec(
+            url_for("v1.create_repository", repository=ORG_REPO),
+            NO_REPO,
+            403,
+            403,
+            403,
+            403,
+            201,
+        ).set_method("PUT"),
+        IndexV1TestSpec(
+            url_for("v1.create_repository", repository=ANOTHER_ORG_REPO),
+            NO_REPO,
+            403,
+            403,
+            403,
+            403,
+            201,
+        ).set_method("PUT"),
+        IndexV1TestSpec(
+            url_for("v1.create_repository", repository=NEW_ORG_REPO),
+            NO_REPO,
+            401,
+            403,
+            403,
+            201,
+            201,
+        ).set_method("PUT"),
+        IndexV1TestSpec(
+            url_for("v1.update_images", repository=PUBLIC_REPO),
+            NO_REPO,
+            403,
+            403,
+            403,
+            403,
+            403,
+        ).set_method("PUT"),
+        IndexV1TestSpec(
+            url_for("v1.update_images", repository=PRIVATE_REPO),
+            NO_REPO,
+            403,
+            403,
+            403,
+            403,
+            400,
+        ).set_method("PUT"),
+        IndexV1TestSpec(
+            url_for("v1.update_images", repository=ORG_REPO),
+            NO_REPO,
+            403,
+            403,
+            403,
+            403,
+            400,
+        ).set_method("PUT"),
+        IndexV1TestSpec(
+            url_for("v1.update_images", repository=ANOTHER_ORG_REPO),
+            NO_REPO,
+            403,
+            403,
+            403,
+            403,
+            400,
+        ).set_method("PUT"),
+        IndexV1TestSpec(
+            url_for("v1.get_repository_images", repository=PUBLIC_REPO),
+            NO_REPO,
+            200,
+            200,
+            200,
+            200,
+            200,
+        ),
+        IndexV1TestSpec(
+            url_for("v1.get_repository_images", repository=PRIVATE_REPO),
+            NO_REPO,
+            403,
+            403,
+            200,
+            403,
+            200,
+        ),
+        IndexV1TestSpec(
+            url_for("v1.get_repository_images", repository=ORG_REPO),
+            NO_REPO,
+            403,
+            403,
+            200,
+            403,
+            200,
+        ),
+        IndexV1TestSpec(
+            url_for("v1.get_repository_images", repository=ANOTHER_ORG_REPO),
+            NO_REPO,
+            403,
+            403,
+            403,
+            403,
+            200,
+        ),
+        IndexV1TestSpec(
+            url_for("v1.delete_repository_images", repository=PUBLIC_REPO),
+            NO_REPO,
+            501,
+            501,
+            501,
+            501,
+            501,
+        ).set_method("DELETE"),
+        IndexV1TestSpec(
+            url_for("v1.put_repository_auth", repository=PUBLIC_REPO),
+            NO_REPO,
+            501,
+            501,
+            501,
+            501,
+            501,
+        ).set_method("PUT"),
+        IndexV1TestSpec(url_for("v1.get_search"), NO_REPO, 200, 200, 200, 200, 200),
+        IndexV1TestSpec(url_for("v1.ping"), NO_REPO, 200, 200, 200, 200, 200),
+        IndexV1TestSpec(
+            url_for("v1.get_tags", repository=PUBLIC_REPO),
+            NO_REPO,
+            200,
+            200,
+            200,
+            200,
+            200,
+        ),
+        IndexV1TestSpec(
+            url_for("v1.get_tags", repository=PRIVATE_REPO),
+            NO_REPO,
+            403,
+            403,
+            200,
+            403,
+            200,
+        ),
+        IndexV1TestSpec(
+            url_for("v1.get_tags", repository=ORG_REPO),
+            NO_REPO,
+            403,
+            403,
+            200,
+            403,
+            200,
+        ),
+        IndexV1TestSpec(
+            url_for("v1.get_tags", repository=ANOTHER_ORG_REPO),
+            NO_REPO,
+            403,
+            403,
+            403,
+            403,
+            200,
+        ),
+        IndexV1TestSpec(
+            url_for("v1.get_tag", repository=PUBLIC_REPO, tag=FAKE_TAG_NAME),
+            NO_REPO,
+            404,
+            404,
+            404,
+            404,
+            404,
+        ),
+        IndexV1TestSpec(
+            url_for("v1.get_tag", repository=PRIVATE_REPO, tag=FAKE_TAG_NAME),
+            NO_REPO,
+            403,
+            403,
+            404,
+            403,
+            404,
+        ),
+        IndexV1TestSpec(
+            url_for("v1.get_tag", repository=ORG_REPO, tag=FAKE_TAG_NAME),
+            NO_REPO,
+            403,
+            403,
+            404,
+            403,
+            404,
+        ),
+        IndexV1TestSpec(
+            url_for("v1.get_tag", repository=ANOTHER_ORG_REPO, tag=FAKE_TAG_NAME),
+            NO_REPO,
+            403,
+            403,
+            403,
+            403,
+            404,
+        ),
+        IndexV1TestSpec(
+            url_for("v1.put_tag", repository=PUBLIC_REPO, tag=FAKE_TAG_NAME),
+            NO_REPO,
+            403,
+            403,
+            403,
+            403,
+            403,
+        ).set_method("PUT"),
+        IndexV1TestSpec(
+            url_for("v1.put_tag", repository=PRIVATE_REPO, tag=FAKE_TAG_NAME),
+            NO_REPO,
+            403,
+            403,
+            403,
+            403,
+            400,
+        ).set_method("PUT"),
+        IndexV1TestSpec(
+            url_for("v1.put_tag", repository=ORG_REPO, tag=FAKE_TAG_NAME),
+            NO_REPO,
+            403,
+            403,
+            403,
+            403,
+            400,
+        ).set_method("PUT"),
+        IndexV1TestSpec(
+            url_for("v1.put_tag", repository=ANOTHER_ORG_REPO, tag=FAKE_TAG_NAME),
+            NO_REPO,
+            403,
+            403,
+            403,
+            403,
+            400,
+        ).set_method("PUT"),
+        IndexV1TestSpec(
+            url_for("v1.delete_tag", repository=PUBLIC_REPO, tag=FAKE_TAG_NAME),
+            NO_REPO,
+            403,
+            403,
+            403,
+            403,
+            403,
+        ).set_method("DELETE"),
+        IndexV1TestSpec(
+            url_for("v1.delete_tag", repository=PRIVATE_REPO, tag=FAKE_TAG_NAME),
+            NO_REPO,
+            403,
+            403,
+            403,
+            403,
+            400,
+        ).set_method("DELETE"),
+        IndexV1TestSpec(
+            url_for("v1.delete_tag", repository=ORG_REPO, tag=FAKE_TAG_NAME),
+            NO_REPO,
+            403,
+            403,
+            403,
+            403,
+            400,
+        ).set_method("DELETE"),
+        IndexV1TestSpec(
+            url_for("v1.delete_tag", repository=ANOTHER_ORG_REPO, tag=FAKE_TAG_NAME),
+            NO_REPO,
+            403,
+            403,
+            403,
+            403,
+            400,
+        ).set_method("DELETE"),
+    ]
 
 
 class IndexV2TestSpec(object):
-  def __init__(self, index_name, method_name, repo_name, scope=None, **kwargs):
-    self.index_name = index_name
-    self.repo_name = repo_name
-    self.method_name = method_name
+    def __init__(self, index_name, method_name, repo_name, scope=None, **kwargs):
+        self.index_name = index_name
+        self.repo_name = repo_name
+        self.method_name = method_name
 
-    default_scope = 'push,pull' if method_name != 'GET' and method_name != 'HEAD' else 'pull'
-    self.scope = scope or default_scope
+        default_scope = (
+            "push,pull" if method_name != "GET" and method_name != "HEAD" else "pull"
+        )
+        self.scope = scope or default_scope
 
-    self.kwargs = kwargs
+        self.kwargs = kwargs
 
-    self.anon_code = 401
-    self.no_access_code = 403
-    self.read_code = 200
-    self.admin_code = 200
-    self.creator_code = 200
+        self.anon_code = 401
+        self.no_access_code = 403
+        self.read_code = 200
+        self.admin_code = 200
+        self.creator_code = 200
 
+    def request_status(
+        self,
+        anon_code=401,
+        no_access_code=403,
+        read_code=200,
+        creator_code=200,
+        admin_code=200,
+    ):
+        self.anon_code = anon_code
+        self.no_access_code = no_access_code
+        self.read_code = read_code
+        self.creator_code = creator_code
+        self.admin_code = admin_code
+        return self
 
-  def request_status(self, anon_code=401, no_access_code=403, read_code=200, creator_code=200,
-                     admin_code=200):
-    self.anon_code = anon_code
-    self.no_access_code = no_access_code
-    self.read_code = read_code
-    self.creator_code = creator_code
-    self.admin_code = admin_code
-    return self
+    def get_url(self):
+        return url_for(self.index_name, repository=self.repo_name, **self.kwargs)
 
-  def get_url(self):
-    return url_for(self.index_name, repository=self.repo_name, **self.kwargs)
+    def gen_basic_auth(self, username, password):
+        encoded = b64encode("%s:%s" % (username, password))
+        return "basic %s" % encoded
 
-  def gen_basic_auth(self, username, password):
-    encoded = b64encode('%s:%s' % (username, password))
-    return 'basic %s' % encoded
-
-  def get_scope_string(self):
-    return 'repository:%s:%s' % (self.repo_name, self.scope)
+    def get_scope_string(self):
+        return "repository:%s:%s" % (self.repo_name, self.scope)
 
 
 def build_v2_index_specs():
-  return [
-    # v2.list_all_tags
-    IndexV2TestSpec('v2.list_all_tags', 'GET', PUBLIC_REPO).
-      request_status(200, 200, 200, 200, 200),
-
-    IndexV2TestSpec('v2.list_all_tags', 'GET', PRIVATE_REPO).
-      request_status(401, 401, 200, 401, 200),
-
-    IndexV2TestSpec('v2.list_all_tags', 'GET', ORG_REPO).
-      request_status(401, 401, 200, 401, 200),
-
-    IndexV2TestSpec('v2.list_all_tags', 'GET', ANOTHER_ORG_REPO).
-      request_status(401, 401, 401, 401, 200),
-
-    # v2.fetch_manifest_by_tagname
-    IndexV2TestSpec('v2.fetch_manifest_by_tagname', 'GET', PUBLIC_REPO, manifest_ref=FAKE_MANIFEST).
-      request_status(404, 404, 404, 404, 404),
-
-    IndexV2TestSpec('v2.fetch_manifest_by_tagname', 'GET', PRIVATE_REPO,
-      manifest_ref=FAKE_MANIFEST).
-      request_status(401, 401, 404, 401, 404),
-
-    IndexV2TestSpec('v2.fetch_manifest_by_tagname', 'GET', ORG_REPO, manifest_ref=FAKE_MANIFEST).
-      request_status(401, 401, 404, 401, 404),
-
-    IndexV2TestSpec('v2.fetch_manifest_by_tagname', 'GET', ANOTHER_ORG_REPO,
-      manifest_ref=FAKE_MANIFEST).
-      request_status(401, 401, 401, 401, 404),
-
-    # v2.fetch_manifest_by_digest
-    IndexV2TestSpec('v2.fetch_manifest_by_digest', 'GET', PUBLIC_REPO, manifest_ref=FAKE_DIGEST).
-      request_status(404, 404, 404, 404, 404),
-
-    IndexV2TestSpec('v2.fetch_manifest_by_digest', 'GET', PRIVATE_REPO, manifest_ref=FAKE_DIGEST).
-      request_status(401, 401, 404, 401, 404),
-
-    IndexV2TestSpec('v2.fetch_manifest_by_digest', 'GET', ORG_REPO, manifest_ref=FAKE_DIGEST).
-      request_status(401, 401, 404, 401, 404),
-
-    IndexV2TestSpec('v2.fetch_manifest_by_digest', 'GET', ANOTHER_ORG_REPO,
-      manifest_ref=FAKE_DIGEST).
-      request_status(401, 401, 401, 401, 404),
-
-    # v2.write_manifest_by_tagname
-    IndexV2TestSpec('v2.write_manifest_by_tagname', 'PUT', PUBLIC_REPO, manifest_ref=FAKE_MANIFEST).
-      request_status(401, 401, 401, 401, 401),
-
-    IndexV2TestSpec('v2.write_manifest_by_tagname', 'PUT', PRIVATE_REPO,
-      manifest_ref=FAKE_MANIFEST).
-      request_status(401, 401, 401, 401, 400),
-
-    IndexV2TestSpec('v2.write_manifest_by_tagname', 'PUT', ORG_REPO, manifest_ref=FAKE_MANIFEST).
-      request_status(401, 401, 401, 401, 400),
-
-    IndexV2TestSpec('v2.write_manifest_by_tagname', 'PUT', ANOTHER_ORG_REPO,
-      manifest_ref=FAKE_MANIFEST).
-      request_status(401, 401, 401, 401, 400),
-
-    # v2.write_manifest_by_digest
-    IndexV2TestSpec('v2.write_manifest_by_digest', 'PUT', PUBLIC_REPO, manifest_ref=FAKE_DIGEST).
-      request_status(401, 401, 401, 401, 401),
-
-    IndexV2TestSpec('v2.write_manifest_by_digest', 'PUT', PRIVATE_REPO, manifest_ref=FAKE_DIGEST).
-      request_status(401, 401, 401, 401, 400),
-
-    IndexV2TestSpec('v2.write_manifest_by_digest', 'PUT', ORG_REPO, manifest_ref=FAKE_DIGEST).
-      request_status(401, 401, 401, 401, 400),
-
-    IndexV2TestSpec('v2.write_manifest_by_digest', 'PUT', ANOTHER_ORG_REPO,
-      manifest_ref=FAKE_DIGEST).
-      request_status(401, 401, 401, 401, 400),
-
-    # v2.delete_manifest_by_digest
-    IndexV2TestSpec('v2.delete_manifest_by_digest', 'DELETE', PUBLIC_REPO,
-      manifest_ref=FAKE_DIGEST).
-      request_status(401, 401, 401, 401, 401),
-
-    IndexV2TestSpec('v2.delete_manifest_by_digest', 'DELETE', PRIVATE_REPO,
-      manifest_ref=FAKE_DIGEST).
-      request_status(401, 401, 401, 401, 404),
-
-    IndexV2TestSpec('v2.delete_manifest_by_digest', 'DELETE', ORG_REPO, manifest_ref=FAKE_DIGEST).
-      request_status(401, 401, 401, 401, 404),
-
-    IndexV2TestSpec('v2.delete_manifest_by_digest', 'DELETE', ANOTHER_ORG_REPO,
-      manifest_ref=FAKE_DIGEST).
-      request_status(401, 401, 401, 401, 404),
-
-    # v2.check_blob_exists
-    IndexV2TestSpec('v2.check_blob_exists', 'HEAD', PUBLIC_REPO, digest=FAKE_DIGEST).
-      request_status(404, 404, 404, 404, 404),
-
-    IndexV2TestSpec('v2.check_blob_exists', 'HEAD', PRIVATE_REPO, digest=FAKE_DIGEST).
-      request_status(401, 401, 404, 401, 404),
-
-    IndexV2TestSpec('v2.check_blob_exists', 'HEAD', ORG_REPO, digest=FAKE_DIGEST).
-      request_status(401, 401, 404, 401, 404),
-
-    IndexV2TestSpec('v2.check_blob_exists', 'HEAD', ANOTHER_ORG_REPO, digest=FAKE_DIGEST).
-      request_status(401, 401, 401, 401, 404),
-
-    # v2.download_blob
-    IndexV2TestSpec('v2.download_blob', 'GET', PUBLIC_REPO, digest=FAKE_DIGEST).
-      request_status(404, 404, 404, 404, 404),
-
-    IndexV2TestSpec('v2.download_blob', 'GET', PRIVATE_REPO, digest=FAKE_DIGEST).
-      request_status(401, 401, 404, 401, 404),
-
-    IndexV2TestSpec('v2.download_blob', 'GET', ORG_REPO, digest=FAKE_DIGEST).
-      request_status(401, 401, 404, 401, 404),
-
-    IndexV2TestSpec('v2.download_blob', 'GET', ANOTHER_ORG_REPO, digest=FAKE_DIGEST).
-      request_status(401, 401, 401, 401, 404),
-
-    # v2.start_blob_upload
-    IndexV2TestSpec('v2.start_blob_upload', 'POST', PUBLIC_REPO).
-      request_status(401, 401, 401, 401, 401),
-
-    IndexV2TestSpec('v2.start_blob_upload', 'POST', PRIVATE_REPO).
-      request_status(401, 401, 401, 401, 202),
-
-    IndexV2TestSpec('v2.start_blob_upload', 'POST', ORG_REPO).
-      request_status(401, 401, 401, 401, 202),
-
-    IndexV2TestSpec('v2.start_blob_upload', 'POST', ANOTHER_ORG_REPO).
-      request_status(401, 401, 401, 401, 202),
-
-    # v2.fetch_existing_upload
-    IndexV2TestSpec('v2.fetch_existing_upload', 'GET', PUBLIC_REPO, 'push,pull',
-      upload_uuid=FAKE_UPLOAD_ID).
-      request_status(401, 401, 401, 401, 401),
-
-    IndexV2TestSpec('v2.fetch_existing_upload', 'GET', PRIVATE_REPO, 'push,pull',
-      upload_uuid=FAKE_UPLOAD_ID).
-      request_status(401, 401, 401, 401, 404),
-
-    IndexV2TestSpec('v2.fetch_existing_upload', 'GET', ORG_REPO, 'push,pull',
-      upload_uuid=FAKE_UPLOAD_ID).
-      request_status(401, 401, 401, 401, 404),
-
-    IndexV2TestSpec('v2.fetch_existing_upload', 'GET', ANOTHER_ORG_REPO, 'push,pull',
-      upload_uuid=FAKE_UPLOAD_ID).
-      request_status(401, 401, 401, 401, 404),
-
-    # v2.upload_chunk
-    IndexV2TestSpec('v2.upload_chunk', 'PATCH', PUBLIC_REPO, upload_uuid=FAKE_UPLOAD_ID).
-      request_status(401, 401, 401, 401, 401),
-
-    IndexV2TestSpec('v2.upload_chunk', 'PATCH', PRIVATE_REPO, upload_uuid=FAKE_UPLOAD_ID).
-      request_status(401, 401, 401, 401, 404),
-
-    IndexV2TestSpec('v2.upload_chunk', 'PATCH', ORG_REPO, upload_uuid=FAKE_UPLOAD_ID).
-      request_status(401, 401, 401, 401, 404),
-
-    IndexV2TestSpec('v2.upload_chunk', 'PATCH', ANOTHER_ORG_REPO, upload_uuid=FAKE_UPLOAD_ID).
-      request_status(401, 401, 401, 401, 404),
-
-    # v2.monolithic_upload_or_last_chunk
-    IndexV2TestSpec('v2.monolithic_upload_or_last_chunk', 'PUT', PUBLIC_REPO,
-      upload_uuid=FAKE_UPLOAD_ID).
-      request_status(401, 401, 401, 401, 401),
-
-    IndexV2TestSpec('v2.monolithic_upload_or_last_chunk', 'PUT', PRIVATE_REPO,
-      upload_uuid=FAKE_UPLOAD_ID).
-      request_status(401, 401, 401, 401, 400),
-
-    IndexV2TestSpec('v2.monolithic_upload_or_last_chunk', 'PUT', ORG_REPO,
-      upload_uuid=FAKE_UPLOAD_ID).
-      request_status(401, 401, 401, 401, 400),
-
-    IndexV2TestSpec('v2.monolithic_upload_or_last_chunk', 'PUT', ANOTHER_ORG_REPO,
-      upload_uuid=FAKE_UPLOAD_ID).
-      request_status(401, 401, 401, 401, 400),
-
-    # v2.cancel_upload
-    IndexV2TestSpec('v2.cancel_upload', 'DELETE', PUBLIC_REPO, upload_uuid=FAKE_UPLOAD_ID).
-      request_status(401, 401, 401, 401, 401),
-
-    IndexV2TestSpec('v2.cancel_upload', 'DELETE', PRIVATE_REPO, upload_uuid=FAKE_UPLOAD_ID).
-      request_status(401, 401, 401, 401, 404),
-
-    IndexV2TestSpec('v2.cancel_upload', 'DELETE', ORG_REPO, upload_uuid=FAKE_UPLOAD_ID).
-      request_status(401, 401, 401, 401, 404),
-
-    IndexV2TestSpec('v2.cancel_upload', 'DELETE', ANOTHER_ORG_REPO, upload_uuid=FAKE_UPLOAD_ID).
-      request_status(401, 401, 401, 401, 404),
-  ]
-
+    return [
+        # v2.list_all_tags
+        IndexV2TestSpec("v2.list_all_tags", "GET", PUBLIC_REPO).request_status(
+            200, 200, 200, 200, 200
+        ),
+        IndexV2TestSpec("v2.list_all_tags", "GET", PRIVATE_REPO).request_status(
+            401, 401, 200, 401, 200
+        ),
+        IndexV2TestSpec("v2.list_all_tags", "GET", ORG_REPO).request_status(
+            401, 401, 200, 401, 200
+        ),
+        IndexV2TestSpec("v2.list_all_tags", "GET", ANOTHER_ORG_REPO).request_status(
+            401, 401, 401, 401, 200
+        ),
+        # v2.fetch_manifest_by_tagname
+        IndexV2TestSpec(
+            "v2.fetch_manifest_by_tagname",
+            "GET",
+            PUBLIC_REPO,
+            manifest_ref=FAKE_MANIFEST,
+        ).request_status(404, 404, 404, 404, 404),
+        IndexV2TestSpec(
+            "v2.fetch_manifest_by_tagname",
+            "GET",
+            PRIVATE_REPO,
+            manifest_ref=FAKE_MANIFEST,
+        ).request_status(401, 401, 404, 401, 404),
+        IndexV2TestSpec(
+            "v2.fetch_manifest_by_tagname", "GET", ORG_REPO, manifest_ref=FAKE_MANIFEST
+        ).request_status(401, 401, 404, 401, 404),
+        IndexV2TestSpec(
+            "v2.fetch_manifest_by_tagname",
+            "GET",
+            ANOTHER_ORG_REPO,
+            manifest_ref=FAKE_MANIFEST,
+        ).request_status(401, 401, 401, 401, 404),
+        # v2.fetch_manifest_by_digest
+        IndexV2TestSpec(
+            "v2.fetch_manifest_by_digest", "GET", PUBLIC_REPO, manifest_ref=FAKE_DIGEST
+        ).request_status(404, 404, 404, 404, 404),
+        IndexV2TestSpec(
+            "v2.fetch_manifest_by_digest", "GET", PRIVATE_REPO, manifest_ref=FAKE_DIGEST
+        ).request_status(401, 401, 404, 401, 404),
+        IndexV2TestSpec(
+            "v2.fetch_manifest_by_digest", "GET", ORG_REPO, manifest_ref=FAKE_DIGEST
+        ).request_status(401, 401, 404, 401, 404),
+        IndexV2TestSpec(
+            "v2.fetch_manifest_by_digest",
+            "GET",
+            ANOTHER_ORG_REPO,
+            manifest_ref=FAKE_DIGEST,
+        ).request_status(401, 401, 401, 401, 404),
+        # v2.write_manifest_by_tagname
+        IndexV2TestSpec(
+            "v2.write_manifest_by_tagname",
+            "PUT",
+            PUBLIC_REPO,
+            manifest_ref=FAKE_MANIFEST,
+        ).request_status(401, 401, 401, 401, 401),
+        IndexV2TestSpec(
+            "v2.write_manifest_by_tagname",
+            "PUT",
+            PRIVATE_REPO,
+            manifest_ref=FAKE_MANIFEST,
+        ).request_status(401, 401, 401, 401, 400),
+        IndexV2TestSpec(
+            "v2.write_manifest_by_tagname", "PUT", ORG_REPO, manifest_ref=FAKE_MANIFEST
+        ).request_status(401, 401, 401, 401, 400),
+        IndexV2TestSpec(
+            "v2.write_manifest_by_tagname",
+            "PUT",
+            ANOTHER_ORG_REPO,
+            manifest_ref=FAKE_MANIFEST,
+        ).request_status(401, 401, 401, 401, 400),
+        # v2.write_manifest_by_digest
+        IndexV2TestSpec(
+            "v2.write_manifest_by_digest", "PUT", PUBLIC_REPO, manifest_ref=FAKE_DIGEST
+        ).request_status(401, 401, 401, 401, 401),
+        IndexV2TestSpec(
+            "v2.write_manifest_by_digest", "PUT", PRIVATE_REPO, manifest_ref=FAKE_DIGEST
+        ).request_status(401, 401, 401, 401, 400),
+        IndexV2TestSpec(
+            "v2.write_manifest_by_digest", "PUT", ORG_REPO, manifest_ref=FAKE_DIGEST
+        ).request_status(401, 401, 401, 401, 400),
+        IndexV2TestSpec(
+            "v2.write_manifest_by_digest",
+            "PUT",
+            ANOTHER_ORG_REPO,
+            manifest_ref=FAKE_DIGEST,
+        ).request_status(401, 401, 401, 401, 400),
+        # v2.delete_manifest_by_digest
+        IndexV2TestSpec(
+            "v2.delete_manifest_by_digest",
+            "DELETE",
+            PUBLIC_REPO,
+            manifest_ref=FAKE_DIGEST,
+        ).request_status(401, 401, 401, 401, 401),
+        IndexV2TestSpec(
+            "v2.delete_manifest_by_digest",
+            "DELETE",
+            PRIVATE_REPO,
+            manifest_ref=FAKE_DIGEST,
+        ).request_status(401, 401, 401, 401, 404),
+        IndexV2TestSpec(
+            "v2.delete_manifest_by_digest", "DELETE", ORG_REPO, manifest_ref=FAKE_DIGEST
+        ).request_status(401, 401, 401, 401, 404),
+        IndexV2TestSpec(
+            "v2.delete_manifest_by_digest",
+            "DELETE",
+            ANOTHER_ORG_REPO,
+            manifest_ref=FAKE_DIGEST,
+        ).request_status(401, 401, 401, 401, 404),
+        # v2.check_blob_exists
+        IndexV2TestSpec(
+            "v2.check_blob_exists", "HEAD", PUBLIC_REPO, digest=FAKE_DIGEST
+        ).request_status(404, 404, 404, 404, 404),
+        IndexV2TestSpec(
+            "v2.check_blob_exists", "HEAD", PRIVATE_REPO, digest=FAKE_DIGEST
+        ).request_status(401, 401, 404, 401, 404),
+        IndexV2TestSpec(
+            "v2.check_blob_exists", "HEAD", ORG_REPO, digest=FAKE_DIGEST
+        ).request_status(401, 401, 404, 401, 404),
+        IndexV2TestSpec(
+            "v2.check_blob_exists", "HEAD", ANOTHER_ORG_REPO, digest=FAKE_DIGEST
+        ).request_status(401, 401, 401, 401, 404),
+        # v2.download_blob
+        IndexV2TestSpec(
+            "v2.download_blob", "GET", PUBLIC_REPO, digest=FAKE_DIGEST
+        ).request_status(404, 404, 404, 404, 404),
+        IndexV2TestSpec(
+            "v2.download_blob", "GET", PRIVATE_REPO, digest=FAKE_DIGEST
+        ).request_status(401, 401, 404, 401, 404),
+        IndexV2TestSpec(
+            "v2.download_blob", "GET", ORG_REPO, digest=FAKE_DIGEST
+        ).request_status(401, 401, 404, 401, 404),
+        IndexV2TestSpec(
+            "v2.download_blob", "GET", ANOTHER_ORG_REPO, digest=FAKE_DIGEST
+        ).request_status(401, 401, 401, 401, 404),
+        # v2.start_blob_upload
+        IndexV2TestSpec("v2.start_blob_upload", "POST", PUBLIC_REPO).request_status(
+            401, 401, 401, 401, 401
+        ),
+        IndexV2TestSpec("v2.start_blob_upload", "POST", PRIVATE_REPO).request_status(
+            401, 401, 401, 401, 202
+        ),
+        IndexV2TestSpec("v2.start_blob_upload", "POST", ORG_REPO).request_status(
+            401, 401, 401, 401, 202
+        ),
+        IndexV2TestSpec(
+            "v2.start_blob_upload", "POST", ANOTHER_ORG_REPO
+        ).request_status(401, 401, 401, 401, 202),
+        # v2.fetch_existing_upload
+        IndexV2TestSpec(
+            "v2.fetch_existing_upload",
+            "GET",
+            PUBLIC_REPO,
+            "push,pull",
+            upload_uuid=FAKE_UPLOAD_ID,
+        ).request_status(401, 401, 401, 401, 401),
+        IndexV2TestSpec(
+            "v2.fetch_existing_upload",
+            "GET",
+            PRIVATE_REPO,
+            "push,pull",
+            upload_uuid=FAKE_UPLOAD_ID,
+        ).request_status(401, 401, 401, 401, 404),
+        IndexV2TestSpec(
+            "v2.fetch_existing_upload",
+            "GET",
+            ORG_REPO,
+            "push,pull",
+            upload_uuid=FAKE_UPLOAD_ID,
+        ).request_status(401, 401, 401, 401, 404),
+        IndexV2TestSpec(
+            "v2.fetch_existing_upload",
+            "GET",
+            ANOTHER_ORG_REPO,
+            "push,pull",
+            upload_uuid=FAKE_UPLOAD_ID,
+        ).request_status(401, 401, 401, 401, 404),
+        # v2.upload_chunk
+        IndexV2TestSpec(
+            "v2.upload_chunk", "PATCH", PUBLIC_REPO, upload_uuid=FAKE_UPLOAD_ID
+        ).request_status(401, 401, 401, 401, 401),
+        IndexV2TestSpec(
+            "v2.upload_chunk", "PATCH", PRIVATE_REPO, upload_uuid=FAKE_UPLOAD_ID
+        ).request_status(401, 401, 401, 401, 404),
+        IndexV2TestSpec(
+            "v2.upload_chunk", "PATCH", ORG_REPO, upload_uuid=FAKE_UPLOAD_ID
+        ).request_status(401, 401, 401, 401, 404),
+        IndexV2TestSpec(
+            "v2.upload_chunk", "PATCH", ANOTHER_ORG_REPO, upload_uuid=FAKE_UPLOAD_ID
+        ).request_status(401, 401, 401, 401, 404),
+        # v2.monolithic_upload_or_last_chunk
+        IndexV2TestSpec(
+            "v2.monolithic_upload_or_last_chunk",
+            "PUT",
+            PUBLIC_REPO,
+            upload_uuid=FAKE_UPLOAD_ID,
+        ).request_status(401, 401, 401, 401, 401),
+        IndexV2TestSpec(
+            "v2.monolithic_upload_or_last_chunk",
+            "PUT",
+            PRIVATE_REPO,
+            upload_uuid=FAKE_UPLOAD_ID,
+        ).request_status(401, 401, 401, 401, 400),
+        IndexV2TestSpec(
+            "v2.monolithic_upload_or_last_chunk",
+            "PUT",
+            ORG_REPO,
+            upload_uuid=FAKE_UPLOAD_ID,
+        ).request_status(401, 401, 401, 401, 400),
+        IndexV2TestSpec(
+            "v2.monolithic_upload_or_last_chunk",
+            "PUT",
+            ANOTHER_ORG_REPO,
+            upload_uuid=FAKE_UPLOAD_ID,
+        ).request_status(401, 401, 401, 401, 400),
+        # v2.cancel_upload
+        IndexV2TestSpec(
+            "v2.cancel_upload", "DELETE", PUBLIC_REPO, upload_uuid=FAKE_UPLOAD_ID
+        ).request_status(401, 401, 401, 401, 401),
+        IndexV2TestSpec(
+            "v2.cancel_upload", "DELETE", PRIVATE_REPO, upload_uuid=FAKE_UPLOAD_ID
+        ).request_status(401, 401, 401, 401, 404),
+        IndexV2TestSpec(
+            "v2.cancel_upload", "DELETE", ORG_REPO, upload_uuid=FAKE_UPLOAD_ID
+        ).request_status(401, 401, 401, 401, 404),
+        IndexV2TestSpec(
+            "v2.cancel_upload", "DELETE", ANOTHER_ORG_REPO, upload_uuid=FAKE_UPLOAD_ID
+        ).request_status(401, 401, 401, 401, 404),
+    ]
diff --git a/test/test_endpoints.py b/test/test_endpoints.py
index 6cee29192..5a7c408b7 100644
--- a/test/test_endpoints.py
+++ b/test/test_endpoints.py
@@ -34,668 +34,980 @@ from util.security.token import encode_public_private_token
 from util.registry.gzipinputstream import WINDOW_BUFFER_SIZE
 
 try:
-  app.register_blueprint(web_bp, url_prefix='')
+    app.register_blueprint(web_bp, url_prefix="")
 except ValueError:
-  # This blueprint was already registered
-  pass
+    # This blueprint was already registered
+    pass
 
 try:
-  app.register_blueprint(webhooks_bp, url_prefix='/webhooks')
+    app.register_blueprint(webhooks_bp, url_prefix="/webhooks")
 except ValueError:
-  # This blueprint was already registered
-  pass
+    # This blueprint was already registered
+    pass
 
 try:
-  app.register_blueprint(keyserver.key_server, url_prefix='')
+    app.register_blueprint(keyserver.key_server, url_prefix="")
 except ValueError:
-  # This blueprint was already registered
-  pass
+    # This blueprint was already registered
+    pass
 
 try:
-  app.register_blueprint(api_bp, url_prefix='/api')
+    app.register_blueprint(api_bp, url_prefix="/api")
 except ValueError:
-  # This blueprint was already registered
-  pass
+    # This blueprint was already registered
+    pass
 
 
-CSRF_TOKEN_KEY = '_csrf_token'
-CSRF_TOKEN = '123csrfforme'
+CSRF_TOKEN_KEY = "_csrf_token"
+CSRF_TOKEN = "123csrfforme"
 
 
 class EndpointTestCase(unittest.TestCase):
-  maxDiff = None
+    maxDiff = None
 
-  def _add_csrf(self, without_csrf):
-    parts = urlparse(without_csrf)
-    query = parse_qs(parts[4])
+    def _add_csrf(self, without_csrf):
+        parts = urlparse(without_csrf)
+        query = parse_qs(parts[4])
 
-    self._set_csrf()
-    query[CSRF_TOKEN_KEY] = CSRF_TOKEN
-    return urlunparse(list(parts[0:4]) + [urlencode(query)] + list(parts[5:]))
+        self._set_csrf()
+        query[CSRF_TOKEN_KEY] = CSRF_TOKEN
+        return urlunparse(list(parts[0:4]) + [urlencode(query)] + list(parts[5:]))
 
-  def _set_csrf(self):
-    with self.app.session_transaction() as sess:
-      sess[CSRF_TOKEN_KEY] = CSRF_TOKEN
-      sess[OAUTH_CSRF_TOKEN_NAME] = 'someoauthtoken'
+    def _set_csrf(self):
+        with self.app.session_transaction() as sess:
+            sess[CSRF_TOKEN_KEY] = CSRF_TOKEN
+            sess[OAUTH_CSRF_TOKEN_NAME] = "someoauthtoken"
 
-  def setUp(self):
-    setup_database_for_testing(self)
-    self.app = app.test_client()
-    self.ctx = app.test_request_context()
-    self.ctx.__enter__()
+    def setUp(self):
+        setup_database_for_testing(self)
+        self.app = app.test_client()
+        self.ctx = app.test_request_context()
+        self.ctx.__enter__()
 
-  def tearDown(self):
-    finished_database_for_testing(self)
-    self.ctx.__exit__(True, None, None)
+    def tearDown(self):
+        finished_database_for_testing(self)
+        self.ctx.__exit__(True, None, None)
 
-  def getResponse(self, resource_name, expected_code=200, **kwargs):
-    rv = self.app.get(url_for(resource_name, **kwargs))
-    self.assertEquals(rv.status_code, expected_code)
-    return rv.data
+    def getResponse(self, resource_name, expected_code=200, **kwargs):
+        rv = self.app.get(url_for(resource_name, **kwargs))
+        self.assertEquals(rv.status_code, expected_code)
+        return rv.data
 
-  def deleteResponse(self, resource_name, headers=None, expected_code=200, **kwargs):
-    headers = headers or {}
-    rv = self.app.delete(url_for(resource_name, **kwargs), headers=headers)
-    self.assertEquals(rv.status_code, expected_code)
-    return rv.data
+    def deleteResponse(self, resource_name, headers=None, expected_code=200, **kwargs):
+        headers = headers or {}
+        rv = self.app.delete(url_for(resource_name, **kwargs), headers=headers)
+        self.assertEquals(rv.status_code, expected_code)
+        return rv.data
 
-  def deleteEmptyResponse(self, resource_name, headers=None, expected_code=204, **kwargs):
-    headers = headers or {}
-    rv = self.app.delete(url_for(resource_name, **kwargs), headers=headers)
-    self.assertEquals(rv.status_code, expected_code)
-    self.assertEquals(rv.data, '') # ensure response body empty
-    return
+    def deleteEmptyResponse(
+        self, resource_name, headers=None, expected_code=204, **kwargs
+    ):
+        headers = headers or {}
+        rv = self.app.delete(url_for(resource_name, **kwargs), headers=headers)
+        self.assertEquals(rv.status_code, expected_code)
+        self.assertEquals(rv.data, "")  # ensure response body empty
+        return
 
-  def putResponse(self, resource_name, headers=None, data=None, expected_code=200, **kwargs):
-    headers = headers or {}
-    data = data or {}
-    rv = self.app.put(url_for(resource_name, **kwargs), headers=headers, data=py_json.dumps(data))
-    self.assertEquals(rv.status_code, expected_code)
-    return rv.data
+    def putResponse(
+        self, resource_name, headers=None, data=None, expected_code=200, **kwargs
+    ):
+        headers = headers or {}
+        data = data or {}
+        rv = self.app.put(
+            url_for(resource_name, **kwargs), headers=headers, data=py_json.dumps(data)
+        )
+        self.assertEquals(rv.status_code, expected_code)
+        return rv.data
 
-  def postResponse(self, resource_name, headers=None, data=None, form=None, with_csrf=True, expected_code=200, **kwargs):
-    headers = headers or {}
-    form = form or {}
-    url = url_for(resource_name, **kwargs)
-    if with_csrf:
-      url = self._add_csrf(url)
+    def postResponse(
+        self,
+        resource_name,
+        headers=None,
+        data=None,
+        form=None,
+        with_csrf=True,
+        expected_code=200,
+        **kwargs
+    ):
+        headers = headers or {}
+        form = form or {}
+        url = url_for(resource_name, **kwargs)
+        if with_csrf:
+            url = self._add_csrf(url)
 
-    post_data = None
-    if form:
-      post_data = form
-    elif data:
-      post_data = py_json.dumps(data)
+        post_data = None
+        if form:
+            post_data = form
+        elif data:
+            post_data = py_json.dumps(data)
 
-    rv = self.app.post(url, headers=headers, data=post_data)
-    if expected_code is not None:
-      self.assertEquals(rv.status_code, expected_code)
+        rv = self.app.post(url, headers=headers, data=post_data)
+        if expected_code is not None:
+            self.assertEquals(rv.status_code, expected_code)
 
-    return rv
+        return rv
+
+    def login(self, username, password):
+        rv = self.app.post(
+            self._add_csrf(api.url_for(Signin)),
+            data=py_json.dumps(dict(username=username, password=password)),
+            headers={"Content-Type": "application/json"},
+        )
+        self.assertEquals(rv.status_code, 200)
 
-  def login(self, username, password):
-    rv = self.app.post(self._add_csrf(api.url_for(Signin)),
-                       data=py_json.dumps(dict(username=username, password=password)),
-                       headers={"Content-Type": "application/json"})
-    self.assertEquals(rv.status_code, 200)
 
 class BuildLogsTestCase(EndpointTestCase):
-  build_uuid = 'deadpork-dead-pork-dead-porkdeadpork'
+    build_uuid = "deadpork-dead-pork-dead-porkdeadpork"
 
-  def test_buildlogs_invalid_build_uuid(self):
-    self.login('public', 'password')
-    self.getResponse('web.buildlogs', build_uuid='bad_build_uuid', expected_code=400)
+    def test_buildlogs_invalid_build_uuid(self):
+        self.login("public", "password")
+        self.getResponse(
+            "web.buildlogs", build_uuid="bad_build_uuid", expected_code=400
+        )
 
-  def test_buildlogs_not_logged_in(self):
-    self.getResponse('web.buildlogs', build_uuid=self.build_uuid, expected_code=403)
+    def test_buildlogs_not_logged_in(self):
+        self.getResponse("web.buildlogs", build_uuid=self.build_uuid, expected_code=403)
 
-  def test_buildlogs_unauthorized(self):
-    self.login('reader', 'password')
-    self.getResponse('web.buildlogs', build_uuid=self.build_uuid, expected_code=403)
+    def test_buildlogs_unauthorized(self):
+        self.login("reader", "password")
+        self.getResponse("web.buildlogs", build_uuid=self.build_uuid, expected_code=403)
 
-  def test_buildlogs_logsarchived(self):
-    self.login('public', 'password')
-    with patch('data.model.build.RepositoryBuild', logs_archived=True):
-      self.getResponse('web.buildlogs', build_uuid=self.build_uuid, expected_code=403)
+    def test_buildlogs_logsarchived(self):
+        self.login("public", "password")
+        with patch("data.model.build.RepositoryBuild", logs_archived=True):
+            self.getResponse(
+                "web.buildlogs", build_uuid=self.build_uuid, expected_code=403
+            )
+
+    def test_buildlogs_successful(self):
+        self.login("public", "password")
+        logs = ["log1", "log2"]
+        with patch(
+            "endpoints.web.build_logs.get_log_entries", return_value=(None, logs)
+        ):
+            resp = self.getResponse(
+                "web.buildlogs", build_uuid=self.build_uuid, expected_code=200
+            )
+            self.assertEquals({"logs": logs}, py_json.loads(resp))
 
-  def test_buildlogs_successful(self):
-    self.login('public', 'password')
-    logs = ['log1', 'log2']
-    with patch('endpoints.web.build_logs.get_log_entries', return_value=(None, logs) ):
-      resp = self.getResponse('web.buildlogs', build_uuid=self.build_uuid, expected_code=200)
-      self.assertEquals({"logs": logs}, py_json.loads(resp))
 
 class ArchivedLogsTestCase(EndpointTestCase):
-  build_uuid = 'deadpork-dead-pork-dead-porkdeadpork'
+    build_uuid = "deadpork-dead-pork-dead-porkdeadpork"
 
-  def test_logarchive_invalid_build_uuid(self):
-    self.login('public', 'password')
-    self.getResponse('web.logarchive', file_id='bad_build_uuid', expected_code=403)
+    def test_logarchive_invalid_build_uuid(self):
+        self.login("public", "password")
+        self.getResponse("web.logarchive", file_id="bad_build_uuid", expected_code=403)
 
-  def test_logarchive_not_logged_in(self):
-    self.getResponse('web.logarchive', file_id=self.build_uuid, expected_code=403)
+    def test_logarchive_not_logged_in(self):
+        self.getResponse("web.logarchive", file_id=self.build_uuid, expected_code=403)
 
-  def test_logarchive_unauthorized(self):
-    self.login('reader', 'password')
-    self.getResponse('web.logarchive', file_id=self.build_uuid, expected_code=403)
+    def test_logarchive_unauthorized(self):
+        self.login("reader", "password")
+        self.getResponse("web.logarchive", file_id=self.build_uuid, expected_code=403)
 
-  def test_logarchive_file_not_found(self):
-    self.login('public', 'password')
-    self.getResponse('web.logarchive', file_id=self.build_uuid, expected_code=403)
+    def test_logarchive_file_not_found(self):
+        self.login("public", "password")
+        self.getResponse("web.logarchive", file_id=self.build_uuid, expected_code=403)
 
-  def test_logarchive_successful(self):
-    self.login('public', 'password')
-    data = b"my_file_stream"
-    mock_file = BytesIO(zlib.compressobj(-1, zlib.DEFLATED, WINDOW_BUFFER_SIZE).compress(data))
-    with patch('endpoints.web.log_archive._storage.stream_read_file', return_value=mock_file):
-      self.getResponse('web.logarchive', file_id=self.build_uuid, expected_code=200)
+    def test_logarchive_successful(self):
+        self.login("public", "password")
+        data = b"my_file_stream"
+        mock_file = BytesIO(
+            zlib.compressobj(-1, zlib.DEFLATED, WINDOW_BUFFER_SIZE).compress(data)
+        )
+        with patch(
+            "endpoints.web.log_archive._storage.stream_read_file",
+            return_value=mock_file,
+        ):
+            self.getResponse(
+                "web.logarchive", file_id=self.build_uuid, expected_code=200
+            )
 
 
 class WebhookEndpointTestCase(EndpointTestCase):
-  def test_invalid_build_trigger_webhook(self):
-    self.postResponse('webhooks.build_trigger_webhook', trigger_uuid='invalidtrigger',
-                      expected_code=404)
+    def test_invalid_build_trigger_webhook(self):
+        self.postResponse(
+            "webhooks.build_trigger_webhook",
+            trigger_uuid="invalidtrigger",
+            expected_code=404,
+        )
 
-  def test_valid_build_trigger_webhook_invalid_auth(self):
-    trigger = list(model.build.list_build_triggers('devtable', 'building'))[0]
-    self.postResponse('webhooks.build_trigger_webhook', trigger_uuid=trigger.uuid,
-                      expected_code=403)
+    def test_valid_build_trigger_webhook_invalid_auth(self):
+        trigger = list(model.build.list_build_triggers("devtable", "building"))[0]
+        self.postResponse(
+            "webhooks.build_trigger_webhook",
+            trigger_uuid=trigger.uuid,
+            expected_code=403,
+        )
 
-  def test_valid_build_trigger_webhook_cookie_auth(self):
-    self.login('devtable', 'password')
+    def test_valid_build_trigger_webhook_cookie_auth(self):
+        self.login("devtable", "password")
 
-    # Cookie auth is not supported, so this should 403
-    trigger = list(model.build.list_build_triggers('devtable', 'building'))[0]
-    self.postResponse('webhooks.build_trigger_webhook', trigger_uuid=trigger.uuid,
-                      expected_code=403)
+        # Cookie auth is not supported, so this should 403
+        trigger = list(model.build.list_build_triggers("devtable", "building"))[0]
+        self.postResponse(
+            "webhooks.build_trigger_webhook",
+            trigger_uuid=trigger.uuid,
+            expected_code=403,
+        )
 
-  def test_valid_build_trigger_webhook_missing_payload(self):
-    auth_header = 'Basic %s' % (base64.b64encode('devtable:password'))
-    trigger = list(model.build.list_build_triggers('devtable', 'building'))[0]
-    self.postResponse('webhooks.build_trigger_webhook', trigger_uuid=trigger.uuid,
-                      expected_code=400, headers={'Authorization': auth_header})
+    def test_valid_build_trigger_webhook_missing_payload(self):
+        auth_header = "Basic %s" % (base64.b64encode("devtable:password"))
+        trigger = list(model.build.list_build_triggers("devtable", "building"))[0]
+        self.postResponse(
+            "webhooks.build_trigger_webhook",
+            trigger_uuid=trigger.uuid,
+            expected_code=400,
+            headers={"Authorization": auth_header},
+        )
+
+    def test_valid_build_trigger_webhook_invalid_payload(self):
+        auth_header = "Basic %s" % (base64.b64encode("devtable:password"))
+        trigger = list(model.build.list_build_triggers("devtable", "building"))[0]
+        self.postResponse(
+            "webhooks.build_trigger_webhook",
+            trigger_uuid=trigger.uuid,
+            expected_code=400,
+            headers={"Authorization": auth_header, "Content-Type": "application/json"},
+            data={"invalid": "payload"},
+        )
 
-  def test_valid_build_trigger_webhook_invalid_payload(self):
-    auth_header = 'Basic %s' % (base64.b64encode('devtable:password'))
-    trigger = list(model.build.list_build_triggers('devtable', 'building'))[0]
-    self.postResponse('webhooks.build_trigger_webhook', trigger_uuid=trigger.uuid,
-                      expected_code=400,
-                      headers={'Authorization': auth_header, 'Content-Type': 'application/json'},
-                      data={'invalid': 'payload'})
 
 class WebEndpointTestCase(EndpointTestCase):
-  def test_index(self):
-    self.getResponse('web.index')
+    def test_index(self):
+        self.getResponse("web.index")
 
-  def test_robots(self):
-    self.getResponse('web.robots')
+    def test_robots(self):
+        self.getResponse("web.robots")
 
-  def test_repo_view(self):
-    self.getResponse('web.repository', path='devtable/simple')
+    def test_repo_view(self):
+        self.getResponse("web.repository", path="devtable/simple")
 
-  def test_unicode_repo_view(self):
-    self.getResponse('web.repository', path='%E2%80%8Bcoreos/hyperkube%E2%80%8B')
+    def test_unicode_repo_view(self):
+        self.getResponse("web.repository", path="%E2%80%8Bcoreos/hyperkube%E2%80%8B")
 
-  def test_org_view(self):
-    self.getResponse('web.org_view', path='buynlarge')
+    def test_org_view(self):
+        self.getResponse("web.org_view", path="buynlarge")
 
-  def test_user_view(self):
-    self.getResponse('web.user_view', path='devtable')
+    def test_user_view(self):
+        self.getResponse("web.user_view", path="devtable")
 
-  def test_confirm_repo_email(self):
-    code = model.repository.create_email_authorization_for_repo('devtable', 'simple', 'foo@bar.com')
-    self.getResponse('web.confirm_repo_email', code=code.code)
+    def test_confirm_repo_email(self):
+        code = model.repository.create_email_authorization_for_repo(
+            "devtable", "simple", "foo@bar.com"
+        )
+        self.getResponse("web.confirm_repo_email", code=code.code)
 
-    found = model.repository.get_email_authorized_for_repo('devtable', 'simple', 'foo@bar.com')
-    self.assertTrue(found.confirmed)
+        found = model.repository.get_email_authorized_for_repo(
+            "devtable", "simple", "foo@bar.com"
+        )
+        self.assertTrue(found.confirmed)
 
-  def test_confirm_email(self):
-    user = model.user.get_user('devtable')
-    self.assertNotEquals(user.email, 'foo@bar.com')
+    def test_confirm_email(self):
+        user = model.user.get_user("devtable")
+        self.assertNotEquals(user.email, "foo@bar.com")
 
-    confirmation_code = model.user.create_confirm_email_code(user, 'foo@bar.com')
-    self.getResponse('web.confirm_email', code=confirmation_code, expected_code=302)
+        confirmation_code = model.user.create_confirm_email_code(user, "foo@bar.com")
+        self.getResponse("web.confirm_email", code=confirmation_code, expected_code=302)
 
-    user = model.user.get_user('devtable')
-    self.assertEquals(user.email, 'foo@bar.com')
+        user = model.user.get_user("devtable")
+        self.assertEquals(user.email, "foo@bar.com")
 
-  def test_confirm_recovery(self):
-    # Try for an invalid code.
-    self.getResponse('web.confirm_recovery', code='someinvalidcode', expected_code=200)
+    def test_confirm_recovery(self):
+        # Try for an invalid code.
+        self.getResponse(
+            "web.confirm_recovery", code="someinvalidcode", expected_code=200
+        )
 
-    # Create a valid code and try.
-    user = model.user.get_user('devtable')
-    confirmation_code = model.user.create_reset_password_email_code(user.email)
-    self.getResponse('web.confirm_recovery', code=confirmation_code, expected_code=302)
+        # Create a valid code and try.
+        user = model.user.get_user("devtable")
+        confirmation_code = model.user.create_reset_password_email_code(user.email)
+        self.getResponse(
+            "web.confirm_recovery", code=confirmation_code, expected_code=302
+        )
 
-  def test_confirm_recovery_verified(self):
-    # Create a valid code and try.
-    user = model.user.get_user('devtable')
-    user.verified = False
-    user.save()
+    def test_confirm_recovery_verified(self):
+        # Create a valid code and try.
+        user = model.user.get_user("devtable")
+        user.verified = False
+        user.save()
 
-    confirmation_code = model.user.create_reset_password_email_code(user.email)
-    self.getResponse('web.confirm_recovery', code=confirmation_code, expected_code=302)
+        confirmation_code = model.user.create_reset_password_email_code(user.email)
+        self.getResponse(
+            "web.confirm_recovery", code=confirmation_code, expected_code=302
+        )
 
-    # Ensure the current user is the expected user and that they are verified.
-    user = model.user.get_user('devtable')
-    self.assertTrue(user.verified)
+        # Ensure the current user is the expected user and that they are verified.
+        user = model.user.get_user("devtable")
+        self.assertTrue(user.verified)
 
-    self.getResponse('web.receipt', expected_code=404) # Will 401 if no user.
+        self.getResponse("web.receipt", expected_code=404)  # Will 401 if no user.
 
-  def test_request_authorization_code(self):
-    # Try for an invalid client.
-    self.getResponse('web.request_authorization_code', client_id='foo', redirect_uri='bar',
-                     scope='baz', expected_code=404)
+    def test_request_authorization_code(self):
+        # Try for an invalid client.
+        self.getResponse(
+            "web.request_authorization_code",
+            client_id="foo",
+            redirect_uri="bar",
+            scope="baz",
+            expected_code=404,
+        )
 
-    # Try for a valid client.
-    org = model.organization.get_organization('buynlarge')
-    assert org
+        # Try for a valid client.
+        org = model.organization.get_organization("buynlarge")
+        assert org
 
-    app = model.oauth.create_application(org, 'test', 'http://foo/bar', 'http://foo/bar/baz')
-    self.getResponse('web.request_authorization_code',
-                     client_id=app.client_id,
-                     redirect_uri=app.redirect_uri,
-                     scope='repo:read',
-                     expected_code=200)
+        app = model.oauth.create_application(
+            org, "test", "http://foo/bar", "http://foo/bar/baz"
+        )
+        self.getResponse(
+            "web.request_authorization_code",
+            client_id=app.client_id,
+            redirect_uri=app.redirect_uri,
+            scope="repo:read",
+            expected_code=200,
+        )
 
-  def test_build_status_badge(self):
-    # Try for an invalid repository.
-    self.getResponse('web.build_status_badge', repository='foo/bar', expected_code=404)
+    def test_build_status_badge(self):
+        # Try for an invalid repository.
+        self.getResponse(
+            "web.build_status_badge", repository="foo/bar", expected_code=404
+        )
 
-    # Try for a public repository.
-    self.getResponse('web.build_status_badge', repository='public/publicrepo')
+        # Try for a public repository.
+        self.getResponse("web.build_status_badge", repository="public/publicrepo")
 
-    # Try for an private repository.
-    self.getResponse('web.build_status_badge', repository='devtable/simple',
-                     expected_code=404)
+        # Try for an private repository.
+        self.getResponse(
+            "web.build_status_badge", repository="devtable/simple", expected_code=404
+        )
 
-    # Try for an private repository with an invalid token.
-    self.getResponse('web.build_status_badge', repository='devtable/simple',
-                     token='sometoken', expected_code=404)
+        # Try for an private repository with an invalid token.
+        self.getResponse(
+            "web.build_status_badge",
+            repository="devtable/simple",
+            token="sometoken",
+            expected_code=404,
+        )
 
-    # Try for an private repository with a valid token.
-    repository = model.repository.get_repository('devtable', 'simple')
-    self.getResponse('web.build_status_badge', repository='devtable/simple',
-                     token=repository.badge_token)
+        # Try for an private repository with a valid token.
+        repository = model.repository.get_repository("devtable", "simple")
+        self.getResponse(
+            "web.build_status_badge",
+            repository="devtable/simple",
+            token=repository.badge_token,
+        )
 
-  def test_attach_custom_build_trigger(self):
-    self.getResponse('web.attach_custom_build_trigger', repository='foo/bar', expected_code=401)
-    self.getResponse('web.attach_custom_build_trigger', repository='devtable/simple', expected_code=401)
+    def test_attach_custom_build_trigger(self):
+        self.getResponse(
+            "web.attach_custom_build_trigger", repository="foo/bar", expected_code=401
+        )
+        self.getResponse(
+            "web.attach_custom_build_trigger",
+            repository="devtable/simple",
+            expected_code=401,
+        )
 
-    self.login('freshuser', 'password')
-    self.getResponse('web.attach_custom_build_trigger', repository='devtable/simple', expected_code=403)
+        self.login("freshuser", "password")
+        self.getResponse(
+            "web.attach_custom_build_trigger",
+            repository="devtable/simple",
+            expected_code=403,
+        )
 
-    self.login('devtable', 'password')
-    self.getResponse('web.attach_custom_build_trigger', repository='devtable/simple', expected_code=302)
+        self.login("devtable", "password")
+        self.getResponse(
+            "web.attach_custom_build_trigger",
+            repository="devtable/simple",
+            expected_code=302,
+        )
 
-  def test_redirect_to_repository(self):
-    self.getResponse('web.redirect_to_repository', repository='foo/bar', expected_code=404)
-    self.getResponse('web.redirect_to_repository', repository='public/publicrepo', expected_code=302)
-    self.getResponse('web.redirect_to_repository', repository='devtable/simple', expected_code=403)
+    def test_redirect_to_repository(self):
+        self.getResponse(
+            "web.redirect_to_repository", repository="foo/bar", expected_code=404
+        )
+        self.getResponse(
+            "web.redirect_to_repository",
+            repository="public/publicrepo",
+            expected_code=302,
+        )
+        self.getResponse(
+            "web.redirect_to_repository",
+            repository="devtable/simple",
+            expected_code=403,
+        )
 
-    self.login('devtable', 'password')
-    self.getResponse('web.redirect_to_repository', repository='devtable/simple', expected_code=302)
+        self.login("devtable", "password")
+        self.getResponse(
+            "web.redirect_to_repository",
+            repository="devtable/simple",
+            expected_code=302,
+        )
 
-  def test_redirect_to_namespace(self):
-    self.getResponse('web.redirect_to_namespace', namespace='unknown', expected_code=404)
-    self.getResponse('web.redirect_to_namespace', namespace='devtable', expected_code=302)
-    self.getResponse('web.redirect_to_namespace', namespace='buynlarge', expected_code=302)
+    def test_redirect_to_namespace(self):
+        self.getResponse(
+            "web.redirect_to_namespace", namespace="unknown", expected_code=404
+        )
+        self.getResponse(
+            "web.redirect_to_namespace", namespace="devtable", expected_code=302
+        )
+        self.getResponse(
+            "web.redirect_to_namespace", namespace="buynlarge", expected_code=302
+        )
 
 
 class OAuthTestCase(EndpointTestCase):
-  def test_authorize_nologin(self):
-    form = {
-      'client_id': 'someclient',
-      'redirect_uri': 'http://localhost:5000/foobar',
-      'scope': 'user:admin',
-    }
+    def test_authorize_nologin(self):
+        form = {
+            "client_id": "someclient",
+            "redirect_uri": "http://localhost:5000/foobar",
+            "scope": "user:admin",
+        }
 
-    self.postResponse('web.authorize_application', form=form, with_csrf=True, expected_code=401)
+        self.postResponse(
+            "web.authorize_application", form=form, with_csrf=True, expected_code=401
+        )
 
-  def test_authorize_invalidclient(self):
-    self.login('devtable', 'password')
+    def test_authorize_invalidclient(self):
+        self.login("devtable", "password")
 
-    form = {
-      'client_id': 'someclient',
-      'redirect_uri': 'http://localhost:5000/foobar',
-      'scope': 'user:admin',
-    }
+        form = {
+            "client_id": "someclient",
+            "redirect_uri": "http://localhost:5000/foobar",
+            "scope": "user:admin",
+        }
 
-    resp = self.postResponse('web.authorize_application', form=form, with_csrf=True, expected_code=302)
-    self.assertEquals('http://localhost:5000/foobar?error=unauthorized_client', resp.headers['Location'])
+        resp = self.postResponse(
+            "web.authorize_application", form=form, with_csrf=True, expected_code=302
+        )
+        self.assertEquals(
+            "http://localhost:5000/foobar?error=unauthorized_client",
+            resp.headers["Location"],
+        )
 
-  def test_authorize_invalidscope(self):
-    self.login('devtable', 'password')
+    def test_authorize_invalidscope(self):
+        self.login("devtable", "password")
 
-    form = {
-      'client_id': 'deadbeef',
-      'redirect_uri': 'http://localhost:8000/o2c.html',
-      'scope': 'invalid:scope',
-    }
+        form = {
+            "client_id": "deadbeef",
+            "redirect_uri": "http://localhost:8000/o2c.html",
+            "scope": "invalid:scope",
+        }
 
-    resp = self.postResponse('web.authorize_application', form=form, with_csrf=True, expected_code=302)
-    self.assertEquals('http://localhost:8000/o2c.html?error=invalid_scope', resp.headers['Location'])
+        resp = self.postResponse(
+            "web.authorize_application", form=form, with_csrf=True, expected_code=302
+        )
+        self.assertEquals(
+            "http://localhost:8000/o2c.html?error=invalid_scope",
+            resp.headers["Location"],
+        )
 
-  def test_authorize_invalidredirecturi(self):
-    self.login('devtable', 'password')
+    def test_authorize_invalidredirecturi(self):
+        self.login("devtable", "password")
 
-    # Note: Defined in initdb.py
-    form = {
-      'client_id': 'deadbeef',
-      'redirect_uri': 'http://some/invalid/uri',
-      'scope': 'user:admin',
-    }
+        # Note: Defined in initdb.py
+        form = {
+            "client_id": "deadbeef",
+            "redirect_uri": "http://some/invalid/uri",
+            "scope": "user:admin",
+        }
 
-    self.postResponse('web.authorize_application', form=form, with_csrf=True, expected_code=400)
+        self.postResponse(
+            "web.authorize_application", form=form, with_csrf=True, expected_code=400
+        )
 
-  def test_authorize_success(self):
-    self.login('devtable', 'password')
+    def test_authorize_success(self):
+        self.login("devtable", "password")
 
-    # Note: Defined in initdb.py
-    form = {
-      'client_id': 'deadbeef',
-      'redirect_uri': 'http://localhost:8000/o2c.html',
-      'scope': 'user:admin',
-    }
+        # Note: Defined in initdb.py
+        form = {
+            "client_id": "deadbeef",
+            "redirect_uri": "http://localhost:8000/o2c.html",
+            "scope": "user:admin",
+        }
 
-    resp = self.postResponse('web.authorize_application', form=form, with_csrf=True, expected_code=302)
-    self.assertTrue('access_token=' in resp.headers['Location'])
+        resp = self.postResponse(
+            "web.authorize_application", form=form, with_csrf=True, expected_code=302
+        )
+        self.assertTrue("access_token=" in resp.headers["Location"])
 
-  def test_authorize_nocsrf(self):
-    self.login('devtable', 'password')
+    def test_authorize_nocsrf(self):
+        self.login("devtable", "password")
 
-    # Note: Defined in initdb.py
-    form = {
-      'client_id': 'deadbeef',
-      'redirect_uri': 'http://localhost:8000/o2c.html',
-      'scope': 'user:admin',
-    }
+        # Note: Defined in initdb.py
+        form = {
+            "client_id": "deadbeef",
+            "redirect_uri": "http://localhost:8000/o2c.html",
+            "scope": "user:admin",
+        }
 
-    self.postResponse('web.authorize_application', form=form, with_csrf=False, expected_code=403)
+        self.postResponse(
+            "web.authorize_application", form=form, with_csrf=False, expected_code=403
+        )
 
-  def test_authorize_nocsrf_withinvalidheader(self):
-    # Note: Defined in initdb.py
-    form = {
-      'client_id': 'deadbeef',
-      'redirect_uri': 'http://localhost:8000/o2c.html',
-      'scope': 'user:admin',
-    }
+    def test_authorize_nocsrf_withinvalidheader(self):
+        # Note: Defined in initdb.py
+        form = {
+            "client_id": "deadbeef",
+            "redirect_uri": "http://localhost:8000/o2c.html",
+            "scope": "user:admin",
+        }
 
-    headers = dict(authorization='Some random header')
-    self.postResponse('web.authorize_application', headers=headers, form=form, with_csrf=False, expected_code=401)
+        headers = dict(authorization="Some random header")
+        self.postResponse(
+            "web.authorize_application",
+            headers=headers,
+            form=form,
+            with_csrf=False,
+            expected_code=401,
+        )
 
-  def test_authorize_nocsrf_withbadheader(self):
-    # Note: Defined in initdb.py
-    form = {
-      'client_id': 'deadbeef',
-      'redirect_uri': 'http://localhost:8000/o2c.html',
-      'scope': 'user:admin',
-    }
+    def test_authorize_nocsrf_withbadheader(self):
+        # Note: Defined in initdb.py
+        form = {
+            "client_id": "deadbeef",
+            "redirect_uri": "http://localhost:8000/o2c.html",
+            "scope": "user:admin",
+        }
 
-    headers = dict(authorization='Basic ' + base64.b64encode('devtable:invalidpassword'))
-    self.postResponse('web.authorize_application', headers=headers, form=form, with_csrf=False,
-                      expected_code=401)
+        headers = dict(
+            authorization="Basic " + base64.b64encode("devtable:invalidpassword")
+        )
+        self.postResponse(
+            "web.authorize_application",
+            headers=headers,
+            form=form,
+            with_csrf=False,
+            expected_code=401,
+        )
 
-  def test_authorize_nocsrf_correctheader(self):
-    # Note: Defined in initdb.py
-    form = {
-      'client_id': 'deadbeef',
-      'redirect_uri': 'http://localhost:8000/o2c.html',
-      'scope': 'user:admin',
-    }
+    def test_authorize_nocsrf_correctheader(self):
+        # Note: Defined in initdb.py
+        form = {
+            "client_id": "deadbeef",
+            "redirect_uri": "http://localhost:8000/o2c.html",
+            "scope": "user:admin",
+        }
 
-    # Try without the client id being in the whitelist.
-    headers = dict(authorization='Basic ' + base64.b64encode('devtable:password'))
-    self.postResponse('web.authorize_application', headers=headers, form=form, with_csrf=False,
-                      expected_code=403)
+        # Try without the client id being in the whitelist.
+        headers = dict(authorization="Basic " + base64.b64encode("devtable:password"))
+        self.postResponse(
+            "web.authorize_application",
+            headers=headers,
+            form=form,
+            with_csrf=False,
+            expected_code=403,
+        )
 
-    # Add the client ID to the whitelist and try again.
-    app.config['DIRECT_OAUTH_CLIENTID_WHITELIST'] = ['deadbeef']
+        # Add the client ID to the whitelist and try again.
+        app.config["DIRECT_OAUTH_CLIENTID_WHITELIST"] = ["deadbeef"]
 
-    headers = dict(authorization='Basic ' + base64.b64encode('devtable:password'))
-    resp = self.postResponse('web.authorize_application', headers=headers, form=form, with_csrf=False, expected_code=302)
-    self.assertTrue('access_token=' in resp.headers['Location'])
+        headers = dict(authorization="Basic " + base64.b64encode("devtable:password"))
+        resp = self.postResponse(
+            "web.authorize_application",
+            headers=headers,
+            form=form,
+            with_csrf=False,
+            expected_code=302,
+        )
+        self.assertTrue("access_token=" in resp.headers["Location"])
 
-  def test_authorize_nocsrf_ratelimiting(self):
-    # Note: Defined in initdb.py
-    form = {
-      'client_id': 'deadbeef',
-      'redirect_uri': 'http://localhost:8000/o2c.html',
-      'scope': 'user:admin',
-    }
+    def test_authorize_nocsrf_ratelimiting(self):
+        # Note: Defined in initdb.py
+        form = {
+            "client_id": "deadbeef",
+            "redirect_uri": "http://localhost:8000/o2c.html",
+            "scope": "user:admin",
+        }
 
-    # Try without the client id being in the whitelist a few times, making sure we eventually get rate limited.
-    headers = dict(authorization='Basic ' + base64.b64encode('devtable:invalidpassword'))
-    self.postResponse('web.authorize_application', headers=headers, form=form, with_csrf=False, expected_code=401)
+        # Try without the client id being in the whitelist a few times, making sure we eventually get rate limited.
+        headers = dict(
+            authorization="Basic " + base64.b64encode("devtable:invalidpassword")
+        )
+        self.postResponse(
+            "web.authorize_application",
+            headers=headers,
+            form=form,
+            with_csrf=False,
+            expected_code=401,
+        )
 
-    counter = 0
-    while True:
-      r = self.postResponse('web.authorize_application', headers=headers, form=form, with_csrf=False, expected_code=None)
-      self.assertNotEquals(200, r.status_code)
-      counter = counter + 1
-      if counter > 5:
-        self.fail('Exponential backoff did not fire')
+        counter = 0
+        while True:
+            r = self.postResponse(
+                "web.authorize_application",
+                headers=headers,
+                form=form,
+                with_csrf=False,
+                expected_code=None,
+            )
+            self.assertNotEquals(200, r.status_code)
+            counter = counter + 1
+            if counter > 5:
+                self.fail("Exponential backoff did not fire")
 
-      if r.status_code == 429:
-        break
+            if r.status_code == 429:
+                break
 
 
 class KeyServerTestCase(EndpointTestCase):
-  def _get_test_jwt_payload(self):
-    return {
-      'iss': 'sample_service',
-      'aud': keyserver.JWT_AUDIENCE,
-      'exp': int(time.time()) + 60,
-      'iat': int(time.time()),
-      'nbf': int(time.time()),
-    }
+    def _get_test_jwt_payload(self):
+        return {
+            "iss": "sample_service",
+            "aud": keyserver.JWT_AUDIENCE,
+            "exp": int(time.time()) + 60,
+            "iat": int(time.time()),
+            "nbf": int(time.time()),
+        }
 
-  def test_list_service_keys(self):
-    # Retrieve all the keys.
-    all_keys = model.service_keys.list_all_keys()
-    visible_jwks = [jwk_with_kid(key) for key in model.service_keys.list_service_keys('sample_service')]
+    def test_list_service_keys(self):
+        # Retrieve all the keys.
+        all_keys = model.service_keys.list_all_keys()
+        visible_jwks = [
+            jwk_with_kid(key)
+            for key in model.service_keys.list_service_keys("sample_service")
+        ]
 
-    invisible_jwks = []
-    for key in all_keys:
-      is_expired = key.expiration_date and key.expiration_date <= datetime.utcnow()
-      if key.service != 'sample_service' or key.approval is None or is_expired:
-        invisible_jwks.append(key.jwk)
+        invisible_jwks = []
+        for key in all_keys:
+            is_expired = (
+                key.expiration_date and key.expiration_date <= datetime.utcnow()
+            )
+            if key.service != "sample_service" or key.approval is None or is_expired:
+                invisible_jwks.append(key.jwk)
 
-    rv = self.getResponse('key_server.list_service_keys', service='sample_service')
-    jwkset = py_json.loads(rv)
+        rv = self.getResponse("key_server.list_service_keys", service="sample_service")
+        jwkset = py_json.loads(rv)
 
-    # Make sure the hidden keys are not returned and the visible ones are returned.
-    self.assertTrue(len(visible_jwks) > 0)
-    self.assertTrue(len(invisible_jwks) > 0)
-    self.assertEquals(len(visible_jwks), len(jwkset['keys']))
+        # Make sure the hidden keys are not returned and the visible ones are returned.
+        self.assertTrue(len(visible_jwks) > 0)
+        self.assertTrue(len(invisible_jwks) > 0)
+        self.assertEquals(len(visible_jwks), len(jwkset["keys"]))
 
-    for jwk in jwkset['keys']:
-      self.assertIn(jwk, visible_jwks)
-      self.assertNotIn(jwk, invisible_jwks)
+        for jwk in jwkset["keys"]:
+            self.assertIn(jwk, visible_jwks)
+            self.assertNotIn(jwk, invisible_jwks)
+
+    def test_get_service_key(self):
+        # 200 for an approved key
+        self.getResponse(
+            "key_server.get_service_key", service="sample_service", kid="kid1"
+        )
+
+        # 409 for an unapproved key
+        self.getResponse(
+            "key_server.get_service_key",
+            service="sample_service",
+            kid="kid3",
+            expected_code=409,
+        )
+
+        # 404 for a non-existant key
+        self.getResponse(
+            "key_server.get_service_key",
+            service="sample_service",
+            kid="kid9999",
+            expected_code=404,
+        )
+
+        # 403 for an approved but expired key that is inside of the 2 week window.
+        self.getResponse(
+            "key_server.get_service_key",
+            service="sample_service",
+            kid="kid6",
+            expected_code=403,
+        )
+
+        # 404 for an approved, expired key that is outside of the 2 week window.
+        self.getResponse(
+            "key_server.get_service_key",
+            service="sample_service",
+            kid="kid7",
+            expected_code=404,
+        )
+
+    def test_put_service_key(self):
+        # No Authorization header should yield a 400
+        self.putResponse(
+            "key_server.put_service_key",
+            service="sample_service",
+            kid="kid420",
+            expected_code=400,
+        )
+
+        # Mint a JWT with our test payload
+        private_key = RSA.generate(2048)
+        jwk = RSAKey(key=private_key.publickey()).serialize()
+        payload = self._get_test_jwt_payload()
+        token = jwt.encode(payload, private_key.exportKey("PEM"), "RS256")
+
+        # Invalid service name should yield a 400.
+        self.putResponse(
+            "key_server.put_service_key",
+            service="sample service",
+            kid="kid420",
+            headers={
+                "Authorization": "Bearer %s" % token,
+                "Content-Type": "application/json",
+            },
+            data=jwk,
+            expected_code=400,
+        )
+
+        # Publish a new key
+        with assert_action_logged("service_key_create"):
+            self.putResponse(
+                "key_server.put_service_key",
+                service="sample_service",
+                kid="kid420",
+                headers={
+                    "Authorization": "Bearer %s" % token,
+                    "Content-Type": "application/json",
+                },
+                data=jwk,
+                expected_code=202,
+            )
+
+        # Ensure that the key exists but is unapproved.
+        self.getResponse(
+            "key_server.get_service_key",
+            service="sample_service",
+            kid="kid420",
+            expected_code=409,
+        )
+
+        # Attempt to rotate the key. Since not approved, it will fail.
+        token = jwt.encode(
+            payload, private_key.exportKey("PEM"), "RS256", headers={"kid": "kid420"}
+        )
+        self.putResponse(
+            "key_server.put_service_key",
+            service="sample_service",
+            kid="kid6969",
+            headers={
+                "Authorization": "Bearer %s" % token,
+                "Content-Type": "application/json",
+            },
+            data=jwk,
+            expected_code=403,
+        )
+
+        # Approve the key.
+        model.service_keys.approve_service_key(
+            "kid420", ServiceKeyApprovalType.SUPERUSER, approver=1
+        )
+
+        # Rotate that new key
+        with assert_action_logged("service_key_rotate"):
+            token = jwt.encode(
+                payload,
+                private_key.exportKey("PEM"),
+                "RS256",
+                headers={"kid": "kid420"},
+            )
+            self.putResponse(
+                "key_server.put_service_key",
+                service="sample_service",
+                kid="kid6969",
+                headers={
+                    "Authorization": "Bearer %s" % token,
+                    "Content-Type": "application/json",
+                },
+                data=jwk,
+                expected_code=200,
+            )
+
+        # Rotation should only work when signed by the previous key
+        private_key = RSA.generate(2048)
+        jwk = RSAKey(key=private_key.publickey()).serialize()
+        token = jwt.encode(
+            payload, private_key.exportKey("PEM"), "RS256", headers={"kid": "kid420"}
+        )
+        self.putResponse(
+            "key_server.put_service_key",
+            service="sample_service",
+            kid="kid6969",
+            headers={
+                "Authorization": "Bearer %s" % token,
+                "Content-Type": "application/json",
+            },
+            data=jwk,
+            expected_code=403,
+        )
+
+    def test_attempt_delete_service_key_with_no_kid_signer(self):
+        # Generate two keys, approving the first.
+        private_key, _ = model.service_keys.generate_service_key(
+            "sample_service", None, kid="first"
+        )
+
+        # Mint a JWT with our test payload but *no kid*.
+        token = jwt.encode(
+            self._get_test_jwt_payload(),
+            private_key.exportKey("PEM"),
+            "RS256",
+            headers={},
+        )
+
+        # Using the credentials of our key, attempt to delete our unapproved key
+        self.deleteResponse(
+            "key_server.delete_service_key",
+            headers={"Authorization": "Bearer %s" % token},
+            expected_code=400,
+            service="sample_service",
+            kid="first",
+        )
+
+    def test_attempt_delete_service_key_with_expired_key(self):
+        # Generate two keys, approving the first.
+        private_key, _ = model.service_keys.generate_service_key(
+            "sample_service", None, kid="first"
+        )
+        model.service_keys.approve_service_key(
+            "first", ServiceKeyApprovalType.SUPERUSER, approver=1
+        )
+        model.service_keys.generate_service_key("sample_service", None, kid="second")
+
+        # Mint a JWT with our test payload
+        token = jwt.encode(
+            self._get_test_jwt_payload(),
+            private_key.exportKey("PEM"),
+            "RS256",
+            headers={"kid": "first"},
+        )
+
+        # Set the expiration of the first to now - some time.
+        model.service_keys.set_key_expiration(
+            "first", datetime.utcnow() - timedelta(seconds=100)
+        )
+
+        # Using the credentials of our second key, attempt to delete our unapproved key
+        self.deleteResponse(
+            "key_server.delete_service_key",
+            headers={"Authorization": "Bearer %s" % token},
+            expected_code=403,
+            service="sample_service",
+            kid="second",
+        )
+
+        # Set the expiration to the future and delete the key.
+        model.service_keys.set_key_expiration(
+            "first", datetime.utcnow() + timedelta(seconds=100)
+        )
+
+        with assert_action_logged("service_key_delete"):
+            self.deleteEmptyResponse(
+                "key_server.delete_service_key",
+                headers={"Authorization": "Bearer %s" % token},
+                expected_code=204,
+                service="sample_service",
+                kid="second",
+            )
+
+    def test_delete_unapproved_service_key(self):
+        # No Authorization header should yield a 400
+        self.deleteResponse(
+            "key_server.delete_service_key",
+            expected_code=400,
+            service="sample_service",
+            kid="kid1",
+        )
+
+        # Generate an unapproved key.
+        private_key, _ = model.service_keys.generate_service_key(
+            "sample_service", None, kid="unapprovedkeyhere"
+        )
+
+        # Mint a JWT with our test payload
+        token = jwt.encode(
+            self._get_test_jwt_payload(),
+            private_key.exportKey("PEM"),
+            "RS256",
+            headers={"kid": "unapprovedkeyhere"},
+        )
+
+        # Delete our unapproved key with itself.
+        with assert_action_logged("service_key_delete"):
+            self.deleteEmptyResponse(
+                "key_server.delete_service_key",
+                headers={"Authorization": "Bearer %s" % token},
+                expected_code=204,
+                service="sample_service",
+                kid="unapprovedkeyhere",
+            )
+
+    def test_delete_chained_service_key(self):
+        # No Authorization header should yield a 400
+        self.deleteResponse(
+            "key_server.delete_service_key",
+            expected_code=400,
+            service="sample_service",
+            kid="kid1",
+        )
+
+        # Generate two keys.
+        private_key, _ = model.service_keys.generate_service_key(
+            "sample_service", None, kid="kid123"
+        )
+        model.service_keys.generate_service_key("sample_service", None, kid="kid321")
+
+        # Mint a JWT with our test payload
+        token = jwt.encode(
+            self._get_test_jwt_payload(),
+            private_key.exportKey("PEM"),
+            "RS256",
+            headers={"kid": "kid123"},
+        )
+
+        # Using the credentials of our second key, attempt tp delete our unapproved key
+        self.deleteResponse(
+            "key_server.delete_service_key",
+            headers={"Authorization": "Bearer %s" % token},
+            expected_code=403,
+            service="sample_service",
+            kid="kid321",
+        )
+
+        # Approve the second key.
+        model.service_keys.approve_service_key(
+            "kid123", ServiceKeyApprovalType.SUPERUSER, approver=1
+        )
+
+        # Using the credentials of our approved key, delete our unapproved key
+        with assert_action_logged("service_key_delete"):
+            self.deleteEmptyResponse(
+                "key_server.delete_service_key",
+                headers={"Authorization": "Bearer %s" % token},
+                expected_code=204,
+                service="sample_service",
+                kid="kid321",
+            )
+
+        # Attempt to delete a key signed by a key from a different service
+        bad_token = jwt.encode(
+            self._get_test_jwt_payload(),
+            private_key.exportKey("PEM"),
+            "RS256",
+            headers={"kid": "kid5"},
+        )
+        self.deleteResponse(
+            "key_server.delete_service_key",
+            headers={"Authorization": "Bearer %s" % bad_token},
+            expected_code=403,
+            service="sample_service",
+            kid="kid123",
+        )
+
+        # Delete a self-signed, approved key
+        with assert_action_logged("service_key_delete"):
+            self.deleteEmptyResponse(
+                "key_server.delete_service_key",
+                headers={"Authorization": "Bearer %s" % token},
+                expected_code=204,
+                service="sample_service",
+                kid="kid123",
+            )
 
 
-  def test_get_service_key(self):
-    # 200 for an approved key
-    self.getResponse('key_server.get_service_key', service='sample_service', kid='kid1')
-
-    # 409 for an unapproved key
-    self.getResponse('key_server.get_service_key', service='sample_service', kid='kid3',
-                     expected_code=409)
-
-    # 404 for a non-existant key
-    self.getResponse('key_server.get_service_key', service='sample_service', kid='kid9999',
-                     expected_code=404)
-
-    # 403 for an approved but expired key that is inside of the 2 week window.
-    self.getResponse('key_server.get_service_key', service='sample_service', kid='kid6',
-                     expected_code=403)
-
-    # 404 for an approved, expired key that is outside of the 2 week window.
-    self.getResponse('key_server.get_service_key', service='sample_service', kid='kid7',
-                     expected_code=404)
-
-  def test_put_service_key(self):
-    # No Authorization header should yield a 400
-    self.putResponse('key_server.put_service_key', service='sample_service', kid='kid420',
-                     expected_code=400)
-
-    # Mint a JWT with our test payload
-    private_key = RSA.generate(2048)
-    jwk = RSAKey(key=private_key.publickey()).serialize()
-    payload = self._get_test_jwt_payload()
-    token = jwt.encode(payload, private_key.exportKey('PEM'), 'RS256')
-
-    # Invalid service name should yield a 400.
-    self.putResponse('key_server.put_service_key', service='sample service', kid='kid420',
-                     headers={
-                      'Authorization': 'Bearer %s' % token,
-                      'Content-Type': 'application/json',
-                     }, data=jwk, expected_code=400)
-
-    # Publish a new key
-    with assert_action_logged('service_key_create'):
-      self.putResponse('key_server.put_service_key', service='sample_service', kid='kid420',
-                       headers={
-                        'Authorization': 'Bearer %s' % token,
-                        'Content-Type': 'application/json',
-                       }, data=jwk, expected_code=202)
-
-    # Ensure that the key exists but is unapproved.
-    self.getResponse('key_server.get_service_key', service='sample_service', kid='kid420',
-                     expected_code=409)
-
-    # Attempt to rotate the key. Since not approved, it will fail.
-    token = jwt.encode(payload, private_key.exportKey('PEM'), 'RS256', headers={'kid': 'kid420'})
-    self.putResponse('key_server.put_service_key', service='sample_service', kid='kid6969',
-                     headers={
-                       'Authorization': 'Bearer %s' % token,
-                       'Content-Type': 'application/json',
-                     }, data=jwk, expected_code=403)
-
-    # Approve the key.
-    model.service_keys.approve_service_key('kid420', ServiceKeyApprovalType.SUPERUSER, approver=1)
-
-    # Rotate that new key
-    with assert_action_logged('service_key_rotate'):
-      token = jwt.encode(payload, private_key.exportKey('PEM'), 'RS256', headers={'kid': 'kid420'})
-      self.putResponse('key_server.put_service_key', service='sample_service', kid='kid6969',
-                       headers={
-                         'Authorization': 'Bearer %s' % token,
-                         'Content-Type': 'application/json',
-                       }, data=jwk, expected_code=200)
-
-    # Rotation should only work when signed by the previous key
-    private_key = RSA.generate(2048)
-    jwk = RSAKey(key=private_key.publickey()).serialize()
-    token = jwt.encode(payload, private_key.exportKey('PEM'), 'RS256', headers={'kid': 'kid420'})
-    self.putResponse('key_server.put_service_key', service='sample_service', kid='kid6969',
-                     headers={
-                       'Authorization': 'Bearer %s' % token,
-                       'Content-Type': 'application/json',
-                     }, data=jwk, expected_code=403)
-
-
-  def test_attempt_delete_service_key_with_no_kid_signer(self):
-    # Generate two keys, approving the first.
-    private_key, _ = model.service_keys.generate_service_key('sample_service', None, kid='first')
-
-    # Mint a JWT with our test payload but *no kid*.
-    token = jwt.encode(self._get_test_jwt_payload(), private_key.exportKey('PEM'), 'RS256',
-                       headers={})
-
-    # Using the credentials of our key, attempt to delete our unapproved key
-    self.deleteResponse('key_server.delete_service_key',
-                        headers={'Authorization': 'Bearer %s' % token},
-                        expected_code=400, service='sample_service', kid='first')
-
-
-  def test_attempt_delete_service_key_with_expired_key(self):
-    # Generate two keys, approving the first.
-    private_key, _ = model.service_keys.generate_service_key('sample_service', None, kid='first')
-    model.service_keys.approve_service_key('first', ServiceKeyApprovalType.SUPERUSER, approver=1)
-    model.service_keys.generate_service_key('sample_service', None, kid='second')
-
-    # Mint a JWT with our test payload
-    token = jwt.encode(self._get_test_jwt_payload(), private_key.exportKey('PEM'), 'RS256',
-                       headers={'kid': 'first'})
-
-    # Set the expiration of the first to now - some time.
-    model.service_keys.set_key_expiration('first', datetime.utcnow() - timedelta(seconds=100))
-
-    # Using the credentials of our second key, attempt to delete our unapproved key
-    self.deleteResponse('key_server.delete_service_key',
-                        headers={'Authorization': 'Bearer %s' % token},
-                        expected_code=403, service='sample_service', kid='second')
-
-    # Set the expiration to the future and delete the key.
-    model.service_keys.set_key_expiration('first', datetime.utcnow() + timedelta(seconds=100))
-
-    with assert_action_logged('service_key_delete'):
-      self.deleteEmptyResponse('key_server.delete_service_key',
-                          headers={'Authorization': 'Bearer %s' % token},
-                          expected_code=204, service='sample_service', kid='second')
-
-
-  def test_delete_unapproved_service_key(self):
-    # No Authorization header should yield a 400
-    self.deleteResponse('key_server.delete_service_key', expected_code=400,
-                        service='sample_service', kid='kid1')
-
-    # Generate an unapproved key.
-    private_key, _ = model.service_keys.generate_service_key('sample_service', None,
-                                                             kid='unapprovedkeyhere')
-
-    # Mint a JWT with our test payload
-    token = jwt.encode(self._get_test_jwt_payload(), private_key.exportKey('PEM'), 'RS256',
-                       headers={'kid': 'unapprovedkeyhere'})
-
-    # Delete our unapproved key with itself.
-    with assert_action_logged('service_key_delete'):
-      self.deleteEmptyResponse('key_server.delete_service_key',
-                          headers={'Authorization': 'Bearer %s' % token},
-                          expected_code=204, service='sample_service', kid='unapprovedkeyhere')
-
-
-  def test_delete_chained_service_key(self):
-    # No Authorization header should yield a 400
-    self.deleteResponse('key_server.delete_service_key', expected_code=400,
-                        service='sample_service', kid='kid1')
-
-    # Generate two keys.
-    private_key, _ = model.service_keys.generate_service_key('sample_service', None, kid='kid123')
-    model.service_keys.generate_service_key('sample_service', None, kid='kid321')
-
-    # Mint a JWT with our test payload
-    token = jwt.encode(self._get_test_jwt_payload(), private_key.exportKey('PEM'), 'RS256',
-                       headers={'kid': 'kid123'})
-
-    # Using the credentials of our second key, attempt tp delete our unapproved key
-    self.deleteResponse('key_server.delete_service_key',
-                        headers={'Authorization': 'Bearer %s' % token},
-                        expected_code=403, service='sample_service', kid='kid321')
-
-    # Approve the second key.
-    model.service_keys.approve_service_key('kid123', ServiceKeyApprovalType.SUPERUSER, approver=1)
-
-    # Using the credentials of our approved key, delete our unapproved key
-    with assert_action_logged('service_key_delete'):
-      self.deleteEmptyResponse('key_server.delete_service_key',
-                          headers={'Authorization': 'Bearer %s' % token},
-                          expected_code=204, service='sample_service', kid='kid321')
-
-    # Attempt to delete a key signed by a key from a different service
-    bad_token = jwt.encode(self._get_test_jwt_payload(), private_key.exportKey('PEM'), 'RS256',
-                           headers={'kid': 'kid5'})
-    self.deleteResponse('key_server.delete_service_key',
-                        headers={'Authorization': 'Bearer %s' % bad_token},
-                        expected_code=403, service='sample_service', kid='kid123')
-
-    # Delete a self-signed, approved key
-    with assert_action_logged('service_key_delete'):
-      self.deleteEmptyResponse('key_server.delete_service_key',
-                          headers={'Authorization': 'Bearer %s' % token},
-                          expected_code=204, service='sample_service', kid='kid123')
-
-
-if __name__ == '__main__':
-  unittest.main()
+if __name__ == "__main__":
+    unittest.main()
diff --git a/test/test_external_jwt_authn.py b/test/test_external_jwt_authn.py
index d92a04105..0be8d44a3 100644
--- a/test/test_external_jwt_authn.py
+++ b/test/test_external_jwt_authn.py
@@ -19,309 +19,337 @@ from test.helpers import liveserver_app
 
 _PORT_NUMBER = 5001
 
+
 @contextmanager
 def fake_jwt(requires_email=True):
-  """ Context manager which instantiates and runs a webserver with a fake JWT implementation,
+    """ Context manager which instantiates and runs a webserver with a fake JWT implementation,
       until the result is yielded.
 
       Usage:
       with fake_jwt() as jwt_auth:
         # Make jwt_auth requests.
   """
-  jwt_app, port, public_key = _create_app(requires_email)
-  server_url = 'http://' + jwt_app.config['SERVER_HOSTNAME']
+    jwt_app, port, public_key = _create_app(requires_email)
+    server_url = "http://" + jwt_app.config["SERVER_HOSTNAME"]
 
-  verify_url = server_url + '/user/verify'
-  query_url = server_url + '/user/query'
-  getuser_url = server_url + '/user/get'
+    verify_url = server_url + "/user/verify"
+    query_url = server_url + "/user/query"
+    getuser_url = server_url + "/user/get"
 
-  jwt_auth = ExternalJWTAuthN(verify_url, query_url, getuser_url, 'authy', '',
-                              app.config['HTTPCLIENT'], 300,
-                              public_key_path=public_key.name,
-                              requires_email=requires_email)
+    jwt_auth = ExternalJWTAuthN(
+        verify_url,
+        query_url,
+        getuser_url,
+        "authy",
+        "",
+        app.config["HTTPCLIENT"],
+        300,
+        public_key_path=public_key.name,
+        requires_email=requires_email,
+    )
+
+    with liveserver_app(jwt_app, port):
+        yield jwt_auth
 
-  with liveserver_app(jwt_app, port):
-    yield jwt_auth
 
 def _generate_certs():
-  public_key = NamedTemporaryFile(delete=True)
+    public_key = NamedTemporaryFile(delete=True)
 
-  key = RSA.generate(1024)
-  private_key_data = key.exportKey('PEM')
+    key = RSA.generate(1024)
+    private_key_data = key.exportKey("PEM")
 
-  pubkey = key.publickey()
-  public_key.write(pubkey.exportKey('OpenSSH'))
-  public_key.seek(0)
+    pubkey = key.publickey()
+    public_key.write(pubkey.exportKey("OpenSSH"))
+    public_key.seek(0)
+
+    return (public_key, private_key_data)
 
-  return (public_key, private_key_data)
 
 def _create_app(emails=True):
-  global _PORT_NUMBER
-  _PORT_NUMBER = _PORT_NUMBER + 1
+    global _PORT_NUMBER
+    _PORT_NUMBER = _PORT_NUMBER + 1
 
-  public_key, private_key_data = _generate_certs()
+    public_key, private_key_data = _generate_certs()
 
-  users = [
-    {'name': 'cool.user', 'email': 'user@domain.com', 'password': 'password'},
-    {'name': 'some.neat.user', 'email': 'neat@domain.com', 'password': 'foobar'},
+    users = [
+        {"name": "cool.user", "email": "user@domain.com", "password": "password"},
+        {"name": "some.neat.user", "email": "neat@domain.com", "password": "foobar"},
+        # Feature Flag: Email Blacklisting
+        {
+            "name": "blacklistedcom",
+            "email": "foo@blacklisted.com",
+            "password": "somepass",
+        },
+        {
+            "name": "blacklistednet",
+            "email": "foo@blacklisted.net",
+            "password": "somepass",
+        },
+        {
+            "name": "blacklistedorg",
+            "email": "foo@blacklisted.org",
+            "password": "somepass",
+        },
+        {
+            "name": "notblacklistedcom",
+            "email": "foo@notblacklisted.com",
+            "password": "somepass",
+        },
+    ]
 
-    # Feature Flag: Email Blacklisting
-    {'name': 'blacklistedcom', 'email': 'foo@blacklisted.com', 'password': 'somepass'},
-    {'name': 'blacklistednet', 'email': 'foo@blacklisted.net', 'password': 'somepass'},
-    {'name': 'blacklistedorg', 'email': 'foo@blacklisted.org', 'password': 'somepass'},
-    {'name': 'notblacklistedcom', 'email': 'foo@notblacklisted.com', 'password': 'somepass'},
-  ]
+    jwt_app = Flask("testjwt")
+    jwt_app.config["SERVER_HOSTNAME"] = "localhost:%s" % _PORT_NUMBER
 
-  jwt_app = Flask('testjwt')
-  jwt_app.config['SERVER_HOSTNAME'] = 'localhost:%s' % _PORT_NUMBER
+    def _get_basic_auth():
+        data = base64.b64decode(request.headers["Authorization"][len("Basic ") :])
+        return data.split(":", 1)
 
-  def _get_basic_auth():
-    data = base64.b64decode(request.headers['Authorization'][len('Basic '):])
-    return data.split(':', 1)
+    @jwt_app.route("/user/query", methods=["GET"])
+    def query_users():
+        query = request.args.get("query")
+        results = []
 
-  @jwt_app.route('/user/query', methods=['GET'])
-  def query_users():
-    query = request.args.get('query')
-    results = []
+        for user in users:
+            if user["name"].startswith(query):
+                result = {"username": user["name"]}
 
-    for user in users:
-      if user['name'].startswith(query):
-        result = {
-          'username': user['name'],
-        }
+                if emails:
+                    result["email"] = user["email"]
 
-        if emails:
-          result['email'] = user['email']
-
-        results.append(result)
-
-    token_data = {
-      'iss': 'authy',
-      'aud': 'quay.io/jwtauthn/query',
-      'nbf': datetime.utcnow(),
-      'iat': datetime.utcnow(),
-      'exp': datetime.utcnow() + timedelta(seconds=60),
-      'results': results,
-    }
-
-    encoded = jwt.encode(token_data, private_key_data, 'RS256')
-    return jsonify({
-      'token': encoded
-    })
-
-  @jwt_app.route('/user/get', methods=['GET'])
-  def get_user():
-    username = request.args.get('username')
-
-    if username == 'disabled':
-      return make_response('User is currently disabled', 401)
-
-    for user in users:
-      if user['name'] == username or user['email'] == username:
-        token_data = {
-          'iss': 'authy',
-          'aud': 'quay.io/jwtauthn/getuser',
-          'nbf': datetime.utcnow(),
-          'iat': datetime.utcnow(),
-          'exp': datetime.utcnow() + timedelta(seconds=60),
-          'sub': user['name'],
-          'email': user['email'],
-        }
-
-        encoded = jwt.encode(token_data, private_key_data, 'RS256')
-        return jsonify({
-          'token': encoded
-        })
-
-    return make_response('Invalid username or password', 404)
-
-  @jwt_app.route('/user/verify', methods=['GET'])
-  def verify_user():
-    username, password = _get_basic_auth()
-
-    if username == 'disabled':
-      return make_response('User is currently disabled', 401)
-
-    for user in users:
-      if user['name'] == username or user['email'] == username:
-        if password != user['password']:
-          return make_response('', 404)
+                results.append(result)
 
         token_data = {
-          'iss': 'authy',
-          'aud': 'quay.io/jwtauthn',
-          'nbf': datetime.utcnow(),
-          'iat': datetime.utcnow(),
-          'exp': datetime.utcnow() + timedelta(seconds=60),
-          'sub': user['name'],
-          'email': user['email'],
+            "iss": "authy",
+            "aud": "quay.io/jwtauthn/query",
+            "nbf": datetime.utcnow(),
+            "iat": datetime.utcnow(),
+            "exp": datetime.utcnow() + timedelta(seconds=60),
+            "results": results,
         }
 
-        encoded = jwt.encode(token_data, private_key_data, 'RS256')
-        return jsonify({
-          'token': encoded
-        })
+        encoded = jwt.encode(token_data, private_key_data, "RS256")
+        return jsonify({"token": encoded})
 
-    return make_response('Invalid username or password', 404)
+    @jwt_app.route("/user/get", methods=["GET"])
+    def get_user():
+        username = request.args.get("username")
 
-  jwt_app.config['TESTING'] = True
-  return jwt_app, _PORT_NUMBER, public_key
+        if username == "disabled":
+            return make_response("User is currently disabled", 401)
+
+        for user in users:
+            if user["name"] == username or user["email"] == username:
+                token_data = {
+                    "iss": "authy",
+                    "aud": "quay.io/jwtauthn/getuser",
+                    "nbf": datetime.utcnow(),
+                    "iat": datetime.utcnow(),
+                    "exp": datetime.utcnow() + timedelta(seconds=60),
+                    "sub": user["name"],
+                    "email": user["email"],
+                }
+
+                encoded = jwt.encode(token_data, private_key_data, "RS256")
+                return jsonify({"token": encoded})
+
+        return make_response("Invalid username or password", 404)
+
+    @jwt_app.route("/user/verify", methods=["GET"])
+    def verify_user():
+        username, password = _get_basic_auth()
+
+        if username == "disabled":
+            return make_response("User is currently disabled", 401)
+
+        for user in users:
+            if user["name"] == username or user["email"] == username:
+                if password != user["password"]:
+                    return make_response("", 404)
+
+                token_data = {
+                    "iss": "authy",
+                    "aud": "quay.io/jwtauthn",
+                    "nbf": datetime.utcnow(),
+                    "iat": datetime.utcnow(),
+                    "exp": datetime.utcnow() + timedelta(seconds=60),
+                    "sub": user["name"],
+                    "email": user["email"],
+                }
+
+                encoded = jwt.encode(token_data, private_key_data, "RS256")
+                return jsonify({"token": encoded})
+
+        return make_response("Invalid username or password", 404)
+
+    jwt_app.config["TESTING"] = True
+    return jwt_app, _PORT_NUMBER, public_key
 
 
 class JWTAuthTestMixin:
-  """ Mixin defining all the JWT auth tests. """
-  maxDiff = None
+    """ Mixin defining all the JWT auth tests. """
 
-  @property
-  def emails(self):
-    raise NotImplementedError
+    maxDiff = None
 
-  def setUp(self):
-    setup_database_for_testing(self)
-    self.app = app.test_client()
-    self.ctx = app.test_request_context()
-    self.ctx.__enter__()
+    @property
+    def emails(self):
+        raise NotImplementedError
 
-    self.session = requests.Session()
+    def setUp(self):
+        setup_database_for_testing(self)
+        self.app = app.test_client()
+        self.ctx = app.test_request_context()
+        self.ctx.__enter__()
 
-  def tearDown(self):
-    finished_database_for_testing(self)
-    self.ctx.__exit__(True, None, None)
+        self.session = requests.Session()
 
-  def test_verify_and_link_user(self):
-    with fake_jwt(self.emails) as jwt_auth:
-      result, error_message = jwt_auth.verify_and_link_user('invaliduser', 'foobar')
-      self.assertEquals('Invalid username or password', error_message)
-      self.assertIsNone(result)
+    def tearDown(self):
+        finished_database_for_testing(self)
+        self.ctx.__exit__(True, None, None)
 
-      result, _ = jwt_auth.verify_and_link_user('cool.user', 'invalidpassword')
-      self.assertIsNone(result)
+    def test_verify_and_link_user(self):
+        with fake_jwt(self.emails) as jwt_auth:
+            result, error_message = jwt_auth.verify_and_link_user(
+                "invaliduser", "foobar"
+            )
+            self.assertEquals("Invalid username or password", error_message)
+            self.assertIsNone(result)
 
-      result, _ = jwt_auth.verify_and_link_user('cool.user', 'password')
-      self.assertIsNotNone(result)
-      self.assertEquals('cool_user', result.username)
+            result, _ = jwt_auth.verify_and_link_user("cool.user", "invalidpassword")
+            self.assertIsNone(result)
 
-      result, _ = jwt_auth.verify_and_link_user('some.neat.user', 'foobar')
-      self.assertIsNotNone(result)
-      self.assertEquals('some_neat_user', result.username)
+            result, _ = jwt_auth.verify_and_link_user("cool.user", "password")
+            self.assertIsNotNone(result)
+            self.assertEquals("cool_user", result.username)
 
-  def test_confirm_existing_user(self):
-    with fake_jwt(self.emails) as jwt_auth:
-      # Create the users in the DB.
-      result, _ = jwt_auth.verify_and_link_user('cool.user', 'password')
-      self.assertIsNotNone(result)
+            result, _ = jwt_auth.verify_and_link_user("some.neat.user", "foobar")
+            self.assertIsNotNone(result)
+            self.assertEquals("some_neat_user", result.username)
 
-      result, _ = jwt_auth.verify_and_link_user('some.neat.user', 'foobar')
-      self.assertIsNotNone(result)
+    def test_confirm_existing_user(self):
+        with fake_jwt(self.emails) as jwt_auth:
+            # Create the users in the DB.
+            result, _ = jwt_auth.verify_and_link_user("cool.user", "password")
+            self.assertIsNotNone(result)
 
-      # Confirm a user with the same internal and external username.
-      result, _ = jwt_auth.confirm_existing_user('cool_user', 'invalidpassword')
-      self.assertIsNone(result)
+            result, _ = jwt_auth.verify_and_link_user("some.neat.user", "foobar")
+            self.assertIsNotNone(result)
 
-      result, _ = jwt_auth.confirm_existing_user('cool_user', 'password')
-      self.assertIsNotNone(result)
-      self.assertEquals('cool_user', result.username)
+            # Confirm a user with the same internal and external username.
+            result, _ = jwt_auth.confirm_existing_user("cool_user", "invalidpassword")
+            self.assertIsNone(result)
 
-      # Fail to confirm the *external* username, which should return nothing.
-      result, _ = jwt_auth.confirm_existing_user('some.neat.user', 'password')
-      self.assertIsNone(result)
+            result, _ = jwt_auth.confirm_existing_user("cool_user", "password")
+            self.assertIsNotNone(result)
+            self.assertEquals("cool_user", result.username)
 
-      # Now confirm the internal username.
-      result, _ = jwt_auth.confirm_existing_user('some_neat_user', 'foobar')
-      self.assertIsNotNone(result)
-      self.assertEquals('some_neat_user', result.username)
+            # Fail to confirm the *external* username, which should return nothing.
+            result, _ = jwt_auth.confirm_existing_user("some.neat.user", "password")
+            self.assertIsNone(result)
 
-  def test_disabled_user_custom_error(self):
-    with fake_jwt(self.emails) as jwt_auth:
-      result, error_message = jwt_auth.verify_and_link_user('disabled', 'password')
-      self.assertIsNone(result)
-      self.assertEquals('User is currently disabled', error_message)
+            # Now confirm the internal username.
+            result, _ = jwt_auth.confirm_existing_user("some_neat_user", "foobar")
+            self.assertIsNotNone(result)
+            self.assertEquals("some_neat_user", result.username)
 
-  def test_query(self):
-    with fake_jwt(self.emails) as jwt_auth:
-      # Lookup `cool`.
-      results, identifier, error_message = jwt_auth.query_users('cool')
-      self.assertIsNone(error_message)
-      self.assertEquals('jwtauthn', identifier)
-      self.assertEquals(1, len(results))
+    def test_disabled_user_custom_error(self):
+        with fake_jwt(self.emails) as jwt_auth:
+            result, error_message = jwt_auth.verify_and_link_user(
+                "disabled", "password"
+            )
+            self.assertIsNone(result)
+            self.assertEquals("User is currently disabled", error_message)
 
-      self.assertEquals('cool.user', results[0].username)
-      self.assertEquals('user@domain.com' if self.emails else None, results[0].email)
+    def test_query(self):
+        with fake_jwt(self.emails) as jwt_auth:
+            # Lookup `cool`.
+            results, identifier, error_message = jwt_auth.query_users("cool")
+            self.assertIsNone(error_message)
+            self.assertEquals("jwtauthn", identifier)
+            self.assertEquals(1, len(results))
 
-      # Lookup `some`.
-      results, identifier, error_message = jwt_auth.query_users('some')
-      self.assertIsNone(error_message)
-      self.assertEquals('jwtauthn', identifier)
-      self.assertEquals(1, len(results))
+            self.assertEquals("cool.user", results[0].username)
+            self.assertEquals(
+                "user@domain.com" if self.emails else None, results[0].email
+            )
 
-      self.assertEquals('some.neat.user', results[0].username)
-      self.assertEquals('neat@domain.com' if self.emails else None, results[0].email)
+            # Lookup `some`.
+            results, identifier, error_message = jwt_auth.query_users("some")
+            self.assertIsNone(error_message)
+            self.assertEquals("jwtauthn", identifier)
+            self.assertEquals(1, len(results))
 
-      # Lookup `unknown`.
-      results, identifier, error_message = jwt_auth.query_users('unknown')
-      self.assertIsNone(error_message)
-      self.assertEquals('jwtauthn', identifier)
-      self.assertEquals(0, len(results))
+            self.assertEquals("some.neat.user", results[0].username)
+            self.assertEquals(
+                "neat@domain.com" if self.emails else None, results[0].email
+            )
 
-  def test_get_user(self):
-    with fake_jwt(self.emails) as jwt_auth:
-      # Lookup cool.user.
-      result, error_message = jwt_auth.get_user('cool.user')
-      self.assertIsNone(error_message)
-      self.assertIsNotNone(result)
+            # Lookup `unknown`.
+            results, identifier, error_message = jwt_auth.query_users("unknown")
+            self.assertIsNone(error_message)
+            self.assertEquals("jwtauthn", identifier)
+            self.assertEquals(0, len(results))
 
-      self.assertEquals('cool.user', result.username)
-      self.assertEquals('user@domain.com', result.email)
+    def test_get_user(self):
+        with fake_jwt(self.emails) as jwt_auth:
+            # Lookup cool.user.
+            result, error_message = jwt_auth.get_user("cool.user")
+            self.assertIsNone(error_message)
+            self.assertIsNotNone(result)
 
-      # Lookup some.neat.user.
-      result, error_message = jwt_auth.get_user('some.neat.user')
-      self.assertIsNone(error_message)
-      self.assertIsNotNone(result)
+            self.assertEquals("cool.user", result.username)
+            self.assertEquals("user@domain.com", result.email)
 
-      self.assertEquals('some.neat.user', result.username)
-      self.assertEquals('neat@domain.com', result.email)
+            # Lookup some.neat.user.
+            result, error_message = jwt_auth.get_user("some.neat.user")
+            self.assertIsNone(error_message)
+            self.assertIsNotNone(result)
 
-      # Lookup unknown user.
-      result, error_message = jwt_auth.get_user('unknownuser')
-      self.assertIsNone(result)
+            self.assertEquals("some.neat.user", result.username)
+            self.assertEquals("neat@domain.com", result.email)
 
-  def test_link_user(self):
-    with fake_jwt(self.emails) as jwt_auth:
-      # Link cool.user.
-      user, error_message = jwt_auth.link_user('cool.user')
-      self.assertIsNone(error_message)
-      self.assertIsNotNone(user)
-      self.assertEquals('cool_user', user.username)
+            # Lookup unknown user.
+            result, error_message = jwt_auth.get_user("unknownuser")
+            self.assertIsNone(result)
 
-      # Link again. Should return the same user record.
-      user_again, _ = jwt_auth.link_user('cool.user')
-      self.assertEquals(user_again.id, user.id)
+    def test_link_user(self):
+        with fake_jwt(self.emails) as jwt_auth:
+            # Link cool.user.
+            user, error_message = jwt_auth.link_user("cool.user")
+            self.assertIsNone(error_message)
+            self.assertIsNotNone(user)
+            self.assertEquals("cool_user", user.username)
 
-      # Confirm cool.user.
-      result, _ = jwt_auth.confirm_existing_user('cool_user', 'password')
-      self.assertIsNotNone(result)
-      self.assertEquals('cool_user', result.username)
+            # Link again. Should return the same user record.
+            user_again, _ = jwt_auth.link_user("cool.user")
+            self.assertEquals(user_again.id, user.id)
 
-  def test_link_invalid_user(self):
-    with fake_jwt(self.emails) as jwt_auth:
-      user, error_message = jwt_auth.link_user('invaliduser')
-      self.assertIsNotNone(error_message)
-      self.assertIsNone(user)
+            # Confirm cool.user.
+            result, _ = jwt_auth.confirm_existing_user("cool_user", "password")
+            self.assertIsNotNone(result)
+            self.assertEquals("cool_user", result.username)
+
+    def test_link_invalid_user(self):
+        with fake_jwt(self.emails) as jwt_auth:
+            user, error_message = jwt_auth.link_user("invaliduser")
+            self.assertIsNotNone(error_message)
+            self.assertIsNone(user)
 
 
 class JWTAuthNoEmailTestCase(JWTAuthTestMixin, unittest.TestCase):
-  """ Test cases for JWT auth, with emails disabled. """
-  @property
-  def emails(self):
-    return False
+    """ Test cases for JWT auth, with emails disabled. """
+
+    @property
+    def emails(self):
+        return False
 
 
 class JWTAuthTestCase(JWTAuthTestMixin, unittest.TestCase):
-  """ Test cases for JWT auth, with emails enabled. """
-  @property
-  def emails(self):
-    return True
+    """ Test cases for JWT auth, with emails enabled. """
+
+    @property
+    def emails(self):
+        return True
 
 
-if __name__ == '__main__':
-  unittest.main()
+if __name__ == "__main__":
+    unittest.main()
diff --git a/test/test_keystone_auth.py b/test/test_keystone_auth.py
index a5b1fc9d9..ac97be631 100644
--- a/test/test_keystone_auth.py
+++ b/test/test_keystone_auth.py
@@ -13,406 +13,429 @@ from initdb import setup_database_for_testing, finished_database_for_testing
 
 _PORT_NUMBER = 5001
 
+
 @contextmanager
 def fake_keystone(version=3, requires_email=True):
-  """ Context manager which instantiates and runs a webserver with a fake Keystone implementation,
+    """ Context manager which instantiates and runs a webserver with a fake Keystone implementation,
       until the result is yielded.
 
       Usage:
       with fake_keystone(version) as keystone_auth:
         # Make keystone_auth requests.
   """
-  keystone_app, port = _create_app(requires_email)
-  server_url = 'http://' + keystone_app.config['SERVER_HOSTNAME']
-  endpoint_url = server_url + '/v3'
-  if version == 2:
-    endpoint_url = server_url + '/v2.0/auth'
+    keystone_app, port = _create_app(requires_email)
+    server_url = "http://" + keystone_app.config["SERVER_HOSTNAME"]
+    endpoint_url = server_url + "/v3"
+    if version == 2:
+        endpoint_url = server_url + "/v2.0/auth"
 
-  keystone_auth = get_keystone_users(version, endpoint_url,
-                                    'adminuser', 'adminpass', 'admintenant',
-                                    requires_email=requires_email)
-  with liveserver_app(keystone_app, port):
-    yield keystone_auth
+    keystone_auth = get_keystone_users(
+        version,
+        endpoint_url,
+        "adminuser",
+        "adminpass",
+        "admintenant",
+        requires_email=requires_email,
+    )
+    with liveserver_app(keystone_app, port):
+        yield keystone_auth
 
 
 def _create_app(requires_email=True):
-  global _PORT_NUMBER
-  _PORT_NUMBER = _PORT_NUMBER + 1
+    global _PORT_NUMBER
+    _PORT_NUMBER = _PORT_NUMBER + 1
 
-  server_url = 'http://localhost:%s' % (_PORT_NUMBER)
+    server_url = "http://localhost:%s" % (_PORT_NUMBER)
 
-  users = [
-    {'username': 'adminuser', 'name': 'Admin User', 'password': 'adminpass'},
-    {'username': 'cool.user', 'name': 'Cool User', 'password': 'password'},
-    {'username': 'some.neat.user', 'name': 'Neat User', 'password': 'foobar'},
-  ]
+    users = [
+        {"username": "adminuser", "name": "Admin User", "password": "adminpass"},
+        {"username": "cool.user", "name": "Cool User", "password": "password"},
+        {"username": "some.neat.user", "name": "Neat User", "password": "foobar"},
+    ]
 
-  # Feature Flag: Email-based Blacklisting
-  # Create additional, mocked Users
-  test_domains = ('blacklisted.com', 'blacklisted.net', 'blacklisted.org',
-                  'notblacklisted.com', 'mail.blacklisted.com')
-  for domain in test_domains:
-    mock_email = 'foo@' + domain  # e.g. foo@blacklisted.com
-    new_user = {
-      'username': mock_email,  # Simplifies consistent querying in tests
-      'name': domain.replace('.', ''),  # blacklisted.com => blacklistedcom
-      'email': mock_email,
-      'password': 'somepass'
-    }
-    users.append(new_user)
-
-  groups = [
-    {'id': 'somegroupid', 'name': 'somegroup', 'description': 'Hi there!',
-     'members': ['adminuser', 'cool.user']},
-    {'id': 'admintenant', 'name': 'somegroup', 'description': 'Hi there!',
-     'members': ['adminuser', 'cool.user']},
-  ]
-
-  def _get_user(username):
-    for user in users:
-      if user['username'] == username:
-        user_data = {}
-        user_data['id'] = username
-        user_data['name'] = username
-        if requires_email:
-          user_data['email'] = user.get('email') or username + '@example.com'
-        return user_data
-
-    return None
-
-  ks_app = Flask('testks')
-  ks_app.config['SERVER_HOSTNAME'] = 'localhost:%s' % _PORT_NUMBER
-  if os.environ.get('DEBUG') == 'true':
-    ks_app.config['DEBUG'] = True
-
-  @ks_app.route('/v2.0/admin/users/<userid>', methods=['GET'])
-  def getuser(userid):
-    for user in users:
-      if user['username'] == userid:
-        user_data = {}
-        if requires_email:
-          user_data['email'] = user.get('email') or userid + '@example.com'
-        return json.dumps({
-          'user': user_data
-        })
-
-    abort(404)
-
-  # v2 referred to all groups as tenants, so replace occurrences of 'group' with 'tenant'
-  @ks_app.route('/v2.0/admin/tenants/<tenant>/users', methods=['GET'])
-  def getv2_tenant_members(tenant):
-      return getv3groupmembers(tenant)
-
-  @ks_app.route('/v3/identity/groups/<groupid>/users', methods=['GET'])
-  def getv3groupmembers(groupid):
-    for group in groups:
-      if group['id'] == groupid:
-        group_data = {
-          "links": {},
-          "users": [_get_user(username) for username in group['members']],
+    # Feature Flag: Email-based Blacklisting
+    # Create additional, mocked Users
+    test_domains = (
+        "blacklisted.com",
+        "blacklisted.net",
+        "blacklisted.org",
+        "notblacklisted.com",
+        "mail.blacklisted.com",
+    )
+    for domain in test_domains:
+        mock_email = "foo@" + domain  # e.g. foo@blacklisted.com
+        new_user = {
+            "username": mock_email,  # Simplifies consistent querying in tests
+            "name": domain.replace(".", ""),  # blacklisted.com => blacklistedcom
+            "email": mock_email,
+            "password": "somepass",
         }
+        users.append(new_user)
 
-        return json.dumps(group_data)
+    groups = [
+        {
+            "id": "somegroupid",
+            "name": "somegroup",
+            "description": "Hi there!",
+            "members": ["adminuser", "cool.user"],
+        },
+        {
+            "id": "admintenant",
+            "name": "somegroup",
+            "description": "Hi there!",
+            "members": ["adminuser", "cool.user"],
+        },
+    ]
 
-    abort(404)
+    def _get_user(username):
+        for user in users:
+            if user["username"] == username:
+                user_data = {}
+                user_data["id"] = username
+                user_data["name"] = username
+                if requires_email:
+                    user_data["email"] = user.get("email") or username + "@example.com"
+                return user_data
 
-  @ks_app.route('/v3/identity/groups/<groupid>', methods=['GET'])
-  def getv3group(groupid):
-    for group in groups:
-      if group['id'] == groupid:
-        group_data = {
-          "description": group['description'],
-          "domain_id": "default",
-          "id": groupid,
-          "links": {},
-          "name": group['name'],
-        }
+        return None
 
-        return json.dumps({'group': group_data})
+    ks_app = Flask("testks")
+    ks_app.config["SERVER_HOSTNAME"] = "localhost:%s" % _PORT_NUMBER
+    if os.environ.get("DEBUG") == "true":
+        ks_app.config["DEBUG"] = True
 
-    abort(404)
+    @ks_app.route("/v2.0/admin/users/<userid>", methods=["GET"])
+    def getuser(userid):
+        for user in users:
+            if user["username"] == userid:
+                user_data = {}
+                if requires_email:
+                    user_data["email"] = user.get("email") or userid + "@example.com"
+                return json.dumps({"user": user_data})
 
-  @ks_app.route('/v3/identity/users/<userid>', methods=['GET'])
-  def getv3user(userid):
-    for user in users:
-      if user['username'] == userid:
-        user_data = {
-          "domain_id": "default",
-          "enabled": True,
-          "id": user['username'],
-          "links": {},
-          "name": user['username'],
-        }
+        abort(404)
 
-        if requires_email:
-          user_data['email'] = user.get('email') or user['username'] + '@example.com'
+    # v2 referred to all groups as tenants, so replace occurrences of 'group' with 'tenant'
+    @ks_app.route("/v2.0/admin/tenants/<tenant>/users", methods=["GET"])
+    def getv2_tenant_members(tenant):
+        return getv3groupmembers(tenant)
 
-        return json.dumps({
-          'user': user_data
-        })
+    @ks_app.route("/v3/identity/groups/<groupid>/users", methods=["GET"])
+    def getv3groupmembers(groupid):
+        for group in groups:
+            if group["id"] == groupid:
+                group_data = {
+                    "links": {},
+                    "users": [_get_user(username) for username in group["members"]],
+                }
 
-    abort(404)
+                return json.dumps(group_data)
 
-  @ks_app.route('/v3/identity/users', methods=['GET'])
-  def v3identity():
-    returned = []
-    for user in users:
-      if not request.args.get('name') or user['username'].startswith(request.args.get('name')):
-        returned.append({
-          "domain_id": "default",
-          "enabled": True,
-          "id": user['username'],
-          "links": {},
-          "name": user['username'],
-          "email": user.get('email') or user['username'] + '@example.com',
-        })
+        abort(404)
 
-    return json.dumps({"users": returned})
+    @ks_app.route("/v3/identity/groups/<groupid>", methods=["GET"])
+    def getv3group(groupid):
+        for group in groups:
+            if group["id"] == groupid:
+                group_data = {
+                    "description": group["description"],
+                    "domain_id": "default",
+                    "id": groupid,
+                    "links": {},
+                    "name": group["name"],
+                }
 
-  @ks_app.route('/v3/auth/tokens', methods=['POST'])
-  def v3tokens():
-    creds = request.json['auth']['identity']['password']['user']
-    for user in users:
-      if creds['name'] == user['username'] and creds['password'] == user['password']:
-        data = json.dumps({
-          "token": {
-            "methods": [
-              "password"
-            ],
-            "roles": [
-              {
-                "id": "9fe2ff9ee4384b1894a90878d3e92bab",
-                "name": "_member_"
-              },
-              {
-                "id": "c703057be878458588961ce9a0ce686b",
-                "name": "admin"
-              }
-            ],
-            "project": {
-              "domain": {
-                "id": "default",
-                "name": "Default"
-              },
-              "id": "8538a3f13f9541b28c2620eb19065e45",
-              "name": "admin"
-            },
-            "catalog": [
-              {
-                "endpoints": [
-                  {
-                    "url": server_url + '/v3/identity',
-                    "region": "RegionOne",
-                    "interface": "admin",
-                    "id": "29beb2f1567642eb810b042b6719ea88"
-                  },
-                ],
-                "type": "identity",
-                "id": "bd73972c0e14fb69bae8ff76e112a90",
-                "name": "keystone"
-              }
-            ],
-            "extras": {
+                return json.dumps({"group": group_data})
 
-            },
-            "user": {
-              "domain": {
-                "id": "default",
-                "name": "Default"
-              },
-              "id": user['username'],
-              "name": "admin"
-            },
-            "audit_ids": [
-              "yRt0UrxJSs6-WYJgwEMMmg"
-            ],
-            "issued_at": "2014-06-16T22:24:26.089380",
-            "expires_at": "2020-06-16T23:24:26Z",
-          }
-        })
+        abort(404)
 
-        response = make_response(data, 200)
-        response.headers['X-Subject-Token'] = 'sometoken'
-        return response
+    @ks_app.route("/v3/identity/users/<userid>", methods=["GET"])
+    def getv3user(userid):
+        for user in users:
+            if user["username"] == userid:
+                user_data = {
+                    "domain_id": "default",
+                    "enabled": True,
+                    "id": user["username"],
+                    "links": {},
+                    "name": user["username"],
+                }
 
-    abort(403)
+                if requires_email:
+                    user_data["email"] = (
+                        user.get("email") or user["username"] + "@example.com"
+                    )
 
-  @ks_app.route('/v2.0/auth/tokens', methods=['POST'])
-  def tokens():
-    creds = request.json['auth'][u'passwordCredentials']
-    for user in users:
-      if creds['username'] == user['username'] and creds['password'] == user['password']:
-        return json.dumps({
-          "access": {
-            "token": {
-              "issued_at": "2014-06-16T22:24:26.089380",
-              "expires": "2020-06-16T23:24:26Z",
-              "id": creds['username'],
-              "tenant": {"id": "sometenant"},
-            },
-            "serviceCatalog":[
-              {
-                "endpoints": [
-                  {
-                    "adminURL": server_url + '/v2.0/admin',
-                  }
-                ],
-                "endpoints_links": [],
-                "type": "identity",
-                "name": "admin",
-              },
-            ],
-            "user": {
-              "username": creds['username'],
-              "roles_links": [],
-              "id": creds['username'],
-              "roles": [],
-              "name": user['name'],
-            },
-            "metadata": {
-              "is_admin": 0,
-              "roles": [],
-            },
-          },
-        })
+                return json.dumps({"user": user_data})
 
-    abort(403)
+        abort(404)
 
-  return ks_app, _PORT_NUMBER
+    @ks_app.route("/v3/identity/users", methods=["GET"])
+    def v3identity():
+        returned = []
+        for user in users:
+            if not request.args.get("name") or user["username"].startswith(
+                request.args.get("name")
+            ):
+                returned.append(
+                    {
+                        "domain_id": "default",
+                        "enabled": True,
+                        "id": user["username"],
+                        "links": {},
+                        "name": user["username"],
+                        "email": user.get("email") or user["username"] + "@example.com",
+                    }
+                )
+
+        return json.dumps({"users": returned})
+
+    @ks_app.route("/v3/auth/tokens", methods=["POST"])
+    def v3tokens():
+        creds = request.json["auth"]["identity"]["password"]["user"]
+        for user in users:
+            if (
+                creds["name"] == user["username"]
+                and creds["password"] == user["password"]
+            ):
+                data = json.dumps(
+                    {
+                        "token": {
+                            "methods": ["password"],
+                            "roles": [
+                                {
+                                    "id": "9fe2ff9ee4384b1894a90878d3e92bab",
+                                    "name": "_member_",
+                                },
+                                {
+                                    "id": "c703057be878458588961ce9a0ce686b",
+                                    "name": "admin",
+                                },
+                            ],
+                            "project": {
+                                "domain": {"id": "default", "name": "Default"},
+                                "id": "8538a3f13f9541b28c2620eb19065e45",
+                                "name": "admin",
+                            },
+                            "catalog": [
+                                {
+                                    "endpoints": [
+                                        {
+                                            "url": server_url + "/v3/identity",
+                                            "region": "RegionOne",
+                                            "interface": "admin",
+                                            "id": "29beb2f1567642eb810b042b6719ea88",
+                                        }
+                                    ],
+                                    "type": "identity",
+                                    "id": "bd73972c0e14fb69bae8ff76e112a90",
+                                    "name": "keystone",
+                                }
+                            ],
+                            "extras": {},
+                            "user": {
+                                "domain": {"id": "default", "name": "Default"},
+                                "id": user["username"],
+                                "name": "admin",
+                            },
+                            "audit_ids": ["yRt0UrxJSs6-WYJgwEMMmg"],
+                            "issued_at": "2014-06-16T22:24:26.089380",
+                            "expires_at": "2020-06-16T23:24:26Z",
+                        }
+                    }
+                )
+
+                response = make_response(data, 200)
+                response.headers["X-Subject-Token"] = "sometoken"
+                return response
+
+        abort(403)
+
+    @ks_app.route("/v2.0/auth/tokens", methods=["POST"])
+    def tokens():
+        creds = request.json["auth"][u"passwordCredentials"]
+        for user in users:
+            if (
+                creds["username"] == user["username"]
+                and creds["password"] == user["password"]
+            ):
+                return json.dumps(
+                    {
+                        "access": {
+                            "token": {
+                                "issued_at": "2014-06-16T22:24:26.089380",
+                                "expires": "2020-06-16T23:24:26Z",
+                                "id": creds["username"],
+                                "tenant": {"id": "sometenant"},
+                            },
+                            "serviceCatalog": [
+                                {
+                                    "endpoints": [
+                                        {"adminURL": server_url + "/v2.0/admin"}
+                                    ],
+                                    "endpoints_links": [],
+                                    "type": "identity",
+                                    "name": "admin",
+                                }
+                            ],
+                            "user": {
+                                "username": creds["username"],
+                                "roles_links": [],
+                                "id": creds["username"],
+                                "roles": [],
+                                "name": user["name"],
+                            },
+                            "metadata": {"is_admin": 0, "roles": []},
+                        }
+                    }
+                )
+
+        abort(403)
+
+    return ks_app, _PORT_NUMBER
 
 
 class KeystoneAuthTestsMixin:
-  maxDiff = None
+    maxDiff = None
 
-  @property
-  def emails(self):
-    raise NotImplementedError
+    @property
+    def emails(self):
+        raise NotImplementedError
 
-  def fake_keystone(self):
-    raise NotImplementedError
+    def fake_keystone(self):
+        raise NotImplementedError
 
-  def setUp(self):
-    setup_database_for_testing(self)
-    self.session = requests.Session()
+    def setUp(self):
+        setup_database_for_testing(self)
+        self.session = requests.Session()
 
-  def tearDown(self):
-    finished_database_for_testing(self)
+    def tearDown(self):
+        finished_database_for_testing(self)
 
-  def test_invalid_user(self):
-    with self.fake_keystone() as keystone:
-      (user, _) = keystone.verify_credentials('unknownuser', 'password')
-      self.assertIsNone(user)
+    def test_invalid_user(self):
+        with self.fake_keystone() as keystone:
+            (user, _) = keystone.verify_credentials("unknownuser", "password")
+            self.assertIsNone(user)
 
-  def test_invalid_password(self):
-    with self.fake_keystone() as keystone:
-      (user, _) = keystone.verify_credentials('cool.user', 'notpassword')
-      self.assertIsNone(user)
+    def test_invalid_password(self):
+        with self.fake_keystone() as keystone:
+            (user, _) = keystone.verify_credentials("cool.user", "notpassword")
+            self.assertIsNone(user)
 
-  def test_cooluser(self):
-    with self.fake_keystone() as keystone:
-      (user, _) = keystone.verify_credentials('cool.user', 'password')
-      self.assertEquals(user.username, 'cool.user')
-      self.assertEquals(user.email, 'cool.user@example.com' if self.emails else None)
+    def test_cooluser(self):
+        with self.fake_keystone() as keystone:
+            (user, _) = keystone.verify_credentials("cool.user", "password")
+            self.assertEquals(user.username, "cool.user")
+            self.assertEquals(
+                user.email, "cool.user@example.com" if self.emails else None
+            )
 
-  def test_neatuser(self):
-    with self.fake_keystone() as keystone:
-      (user, _) = keystone.verify_credentials('some.neat.user', 'foobar')
-      self.assertEquals(user.username, 'some.neat.user')
-      self.assertEquals(user.email, 'some.neat.user@example.com' if self.emails else None)
+    def test_neatuser(self):
+        with self.fake_keystone() as keystone:
+            (user, _) = keystone.verify_credentials("some.neat.user", "foobar")
+            self.assertEquals(user.username, "some.neat.user")
+            self.assertEquals(
+                user.email, "some.neat.user@example.com" if self.emails else None
+            )
 
 
 class KeystoneV2AuthNoEmailTests(KeystoneAuthTestsMixin, unittest.TestCase):
-  def fake_keystone(self):
-    return fake_keystone(2, requires_email=False)
+    def fake_keystone(self):
+        return fake_keystone(2, requires_email=False)
+
+    @property
+    def emails(self):
+        return False
 
-  @property
-  def emails(self):
-    return False
 
 class KeystoneV3AuthNoEmailTests(KeystoneAuthTestsMixin, unittest.TestCase):
-  def fake_keystone(self):
-    return fake_keystone(3, requires_email=False)
+    def fake_keystone(self):
+        return fake_keystone(3, requires_email=False)
+
+    @property
+    def emails(self):
+        return False
 
-  @property
-  def emails(self):
-    return False
 
 class KeystoneV2AuthTests(KeystoneAuthTestsMixin, unittest.TestCase):
-  def fake_keystone(self):
-    return fake_keystone(2, requires_email=True)
+    def fake_keystone(self):
+        return fake_keystone(2, requires_email=True)
+
+    @property
+    def emails(self):
+        return True
 
-  @property
-  def emails(self):
-    return True
 
 class KeystoneV3AuthTests(KeystoneAuthTestsMixin, unittest.TestCase):
-  def fake_keystone(self):
-    return fake_keystone(3, requires_email=True)
+    def fake_keystone(self):
+        return fake_keystone(3, requires_email=True)
 
-  def emails(self):
-    return True
+    def emails(self):
+        return True
 
-  def test_query(self):
-    with self.fake_keystone() as keystone:
-      # Lookup cool.
-      (response, federated_id, error_message) = keystone.query_users('cool')
-      self.assertIsNone(error_message)
-      self.assertEquals(1, len(response))
-      self.assertEquals('keystone', federated_id)
+    def test_query(self):
+        with self.fake_keystone() as keystone:
+            # Lookup cool.
+            (response, federated_id, error_message) = keystone.query_users("cool")
+            self.assertIsNone(error_message)
+            self.assertEquals(1, len(response))
+            self.assertEquals("keystone", federated_id)
 
-      user_info = response[0]
-      self.assertEquals("cool.user", user_info.username)
+            user_info = response[0]
+            self.assertEquals("cool.user", user_info.username)
 
-      # Lookup unknown.
-      (response, federated_id, error_message) = keystone.query_users('unknown')
-      self.assertIsNone(error_message)
-      self.assertEquals(0, len(response))
-      self.assertEquals('keystone', federated_id)
+            # Lookup unknown.
+            (response, federated_id, error_message) = keystone.query_users("unknown")
+            self.assertIsNone(error_message)
+            self.assertEquals(0, len(response))
+            self.assertEquals("keystone", federated_id)
 
-  def test_link_user(self):
-    with self.fake_keystone() as keystone:
-      # Link someuser.
-      user, error_message = keystone.link_user('cool.user')
-      self.assertIsNone(error_message)
-      self.assertIsNotNone(user)
-      self.assertEquals('cool_user', user.username)
-      self.assertEquals('cool.user@example.com', user.email)
+    def test_link_user(self):
+        with self.fake_keystone() as keystone:
+            # Link someuser.
+            user, error_message = keystone.link_user("cool.user")
+            self.assertIsNone(error_message)
+            self.assertIsNotNone(user)
+            self.assertEquals("cool_user", user.username)
+            self.assertEquals("cool.user@example.com", user.email)
 
-      # Link again. Should return the same user record.
-      user_again, _ = keystone.link_user('cool.user')
-      self.assertEquals(user_again.id, user.id)
+            # Link again. Should return the same user record.
+            user_again, _ = keystone.link_user("cool.user")
+            self.assertEquals(user_again.id, user.id)
 
-      # Confirm someuser.
-      result, _ = keystone.confirm_existing_user('cool_user', 'password')
-      self.assertIsNotNone(result)
-      self.assertEquals('cool_user', result.username)
+            # Confirm someuser.
+            result, _ = keystone.confirm_existing_user("cool_user", "password")
+            self.assertIsNotNone(result)
+            self.assertEquals("cool_user", result.username)
 
-  def test_check_group_lookup_args(self):
-    with self.fake_keystone() as keystone:
-      (status, err) = keystone.check_group_lookup_args({})
-      self.assertFalse(status)
-      self.assertEquals('Missing group_id', err)
+    def test_check_group_lookup_args(self):
+        with self.fake_keystone() as keystone:
+            (status, err) = keystone.check_group_lookup_args({})
+            self.assertFalse(status)
+            self.assertEquals("Missing group_id", err)
 
-      (status, err) = keystone.check_group_lookup_args({'group_id': 'unknownid'})
-      self.assertFalse(status)
-      self.assertEquals('Group not found', err)
+            (status, err) = keystone.check_group_lookup_args({"group_id": "unknownid"})
+            self.assertFalse(status)
+            self.assertEquals("Group not found", err)
 
-      (status, err) = keystone.check_group_lookup_args({'group_id': 'somegroupid'})
-      self.assertTrue(status)
-      self.assertIsNone(err)
+            (status, err) = keystone.check_group_lookup_args(
+                {"group_id": "somegroupid"}
+            )
+            self.assertTrue(status)
+            self.assertIsNone(err)
 
-  def test_iterate_group_members(self):
-    with self.fake_keystone() as keystone:
-      (itt, err) = keystone.iterate_group_members({'group_id': 'somegroupid'})
-      self.assertIsNone(err)
+    def test_iterate_group_members(self):
+        with self.fake_keystone() as keystone:
+            (itt, err) = keystone.iterate_group_members({"group_id": "somegroupid"})
+            self.assertIsNone(err)
 
-      results = list(itt)
-      results.sort()
+            results = list(itt)
+            results.sort()
 
-      self.assertEquals(2, len(results))
-      self.assertEquals('adminuser', results[0][0].id)
-      self.assertEquals('cool.user', results[1][0].id)
+            self.assertEquals(2, len(results))
+            self.assertEquals("adminuser", results[0][0].id)
+            self.assertEquals("cool.user", results[1][0].id)
 
 
-if __name__ == '__main__':
-  unittest.main()
+if __name__ == "__main__":
+    unittest.main()
diff --git a/test/test_ldap.py b/test/test_ldap.py
index f904ad57d..efe0eea20 100644
--- a/test/test_ldap.py
+++ b/test/test_ldap.py
@@ -10,573 +10,636 @@ from mockldap import MockLdap
 from mock import patch
 from contextlib import contextmanager
 
-def _create_ldap(requires_email=True):
-  base_dn = ['dc=quay', 'dc=io']
-  admin_dn = 'uid=testy,ou=employees,dc=quay,dc=io'
-  admin_passwd = 'password'
-  user_rdn = ['ou=employees']
-  uid_attr = 'uid'
-  email_attr = 'mail'
-  secondary_user_rdns = ['ou=otheremployees']
 
-  ldap = LDAPUsers('ldap://localhost', base_dn, admin_dn, admin_passwd, user_rdn,
-                   uid_attr, email_attr, secondary_user_rdns=secondary_user_rdns,
-                   requires_email=requires_email)
-  return ldap
+def _create_ldap(requires_email=True):
+    base_dn = ["dc=quay", "dc=io"]
+    admin_dn = "uid=testy,ou=employees,dc=quay,dc=io"
+    admin_passwd = "password"
+    user_rdn = ["ou=employees"]
+    uid_attr = "uid"
+    email_attr = "mail"
+    secondary_user_rdns = ["ou=otheremployees"]
+
+    ldap = LDAPUsers(
+        "ldap://localhost",
+        base_dn,
+        admin_dn,
+        admin_passwd,
+        user_rdn,
+        uid_attr,
+        email_attr,
+        secondary_user_rdns=secondary_user_rdns,
+        requires_email=requires_email,
+    )
+    return ldap
+
 
 @contextmanager
 def mock_ldap(requires_email=True):
-  mock_data = {
-    'dc=quay,dc=io': {'dc': ['quay', 'io']},
-    'ou=employees,dc=quay,dc=io': {
-      'dc': ['quay', 'io'],
-      'ou': 'employees'
-    },
-    'ou=otheremployees,dc=quay,dc=io': {
-      'dc': ['quay', 'io'],
-      'ou': 'otheremployees'
-    },
-    'cn=AwesomeFolk,dc=quay,dc=io': {
-      'dc': ['quay', 'io'],
-      'cn': 'AwesomeFolk'
-    },
-    'uid=testy,ou=employees,dc=quay,dc=io': {
-      'dc': ['quay', 'io'],
-      'ou': 'employees',
-      'uid': ['testy'],
-      'userPassword': ['password'],
-      'mail': ['bar@baz.com'],
-      'memberOf': ['cn=AwesomeFolk,dc=quay,dc=io', 'cn=*Guys,dc=quay,dc=io'],
-    },
-    'uid=someuser,ou=employees,dc=quay,dc=io': {
-      'dc': ['quay', 'io'],
-      'ou': 'employees',
-      'uid': ['someuser'],
-      'userPassword': ['somepass'],
-      'mail': ['foo@bar.com'],
-      'memberOf': ['cn=AwesomeFolk,dc=quay,dc=io', 'cn=*Guys,dc=quay,dc=io'],
-    },
-    'uid=nomail,ou=employees,dc=quay,dc=io': {
-      'dc': ['quay', 'io'],
-      'ou': 'employees',
-      'uid': ['nomail'],
-      'userPassword': ['somepass']
-    },
-    'uid=cool.user,ou=employees,dc=quay,dc=io': {
-      'dc': ['quay', 'io'],
-      'ou': 'employees',
-      'uid': ['cool.user', 'referred'],
-      'userPassword': ['somepass'],
-      'mail': ['foo@bar.com']
-    },
-    'uid=referred,ou=employees,dc=quay,dc=io': {
-      'uid': ['referred'],
-      '_referral': 'ldap:///uid=cool.user,ou=employees,dc=quay,dc=io'
-    },
-    'uid=invalidreferred,ou=employees,dc=quay,dc=io': {
-      'uid': ['invalidreferred'],
-      '_referral': 'ldap:///uid=someinvaliduser,ou=employees,dc=quay,dc=io'
-    },
-    'uid=multientry,ou=subgroup1,ou=employees,dc=quay,dc=io': {
-      'uid': ['multientry'],
-      'mail': ['foo@bar.com'],
-      'userPassword': ['somepass'],
-    },
-    'uid=multientry,ou=subgroup2,ou=employees,dc=quay,dc=io': {
-      'uid': ['multientry'],
-      'another': ['key']
-    },
-    'uid=secondaryuser,ou=otheremployees,dc=quay,dc=io': {
-      'dc': ['quay', 'io'],
-      'ou': 'otheremployees',
-      'uid': ['secondaryuser'],
-      'userPassword': ['somepass'],
-      'mail': ['foosecondary@bar.com']
-    },
-
-    # Feature: Email Blacklisting
-    'uid=blacklistedcom,ou=otheremployees,dc=quay,dc=io': {
-      'dc': ['quay', 'io'],
-      'ou': 'otheremployees',
-      'uid': ['blacklistedcom'],
-      'userPassword': ['somepass'],
-      'mail': ['foo@blacklisted.com']
-    },
-    'uid=blacklistednet,ou=otheremployees,dc=quay,dc=io': {
-      'dc': ['quay', 'io'],
-      'ou': 'otheremployees',
-      'uid': ['blacklistednet'],
-      'userPassword': ['somepass'],
-      'mail': ['foo@blacklisted.net']
-    },
-    'uid=blacklistedorg,ou=otheremployees,dc=quay,dc=io': {
-      'dc': ['quay', 'io'],
-      'ou': 'otheremployees',
-      'uid': ['blacklistedorg'],
-      'userPassword': ['somepass'],
-      'mail': ['foo@blacklisted.org']
-    },
-    'uid=notblacklistedcom,ou=otheremployees,dc=quay,dc=io': {
-      'dc': ['quay', 'io'],
-      'ou': 'otheremployees',
-      'uid': ['notblacklistedcom'],
-      'userPassword': ['somepass'],
-      'mail': ['foo@notblacklisted.com']
-    },
-  }
-
-  if not requires_email:
-    for path in mock_data:
-      mock_data[path].pop('mail', None)
-
-  mockldap = MockLdap(mock_data)
-
-  def initializer(uri, trace_level=0):
-    obj = mockldap[uri]
-
-    # Seed to "support" wildcard queries, which MockLDAP does not support natively.
-    cool_block = {
-      'dc': ['quay', 'io'],
-      'ou': 'employees',
-      'uid': ['cool.user', 'referred'],
-      'userPassword': ['somepass'],
-      'mail': ['foo@bar.com']
+    mock_data = {
+        "dc=quay,dc=io": {"dc": ["quay", "io"]},
+        "ou=employees,dc=quay,dc=io": {"dc": ["quay", "io"], "ou": "employees"},
+        "ou=otheremployees,dc=quay,dc=io": {
+            "dc": ["quay", "io"],
+            "ou": "otheremployees",
+        },
+        "cn=AwesomeFolk,dc=quay,dc=io": {"dc": ["quay", "io"], "cn": "AwesomeFolk"},
+        "uid=testy,ou=employees,dc=quay,dc=io": {
+            "dc": ["quay", "io"],
+            "ou": "employees",
+            "uid": ["testy"],
+            "userPassword": ["password"],
+            "mail": ["bar@baz.com"],
+            "memberOf": ["cn=AwesomeFolk,dc=quay,dc=io", "cn=*Guys,dc=quay,dc=io"],
+        },
+        "uid=someuser,ou=employees,dc=quay,dc=io": {
+            "dc": ["quay", "io"],
+            "ou": "employees",
+            "uid": ["someuser"],
+            "userPassword": ["somepass"],
+            "mail": ["foo@bar.com"],
+            "memberOf": ["cn=AwesomeFolk,dc=quay,dc=io", "cn=*Guys,dc=quay,dc=io"],
+        },
+        "uid=nomail,ou=employees,dc=quay,dc=io": {
+            "dc": ["quay", "io"],
+            "ou": "employees",
+            "uid": ["nomail"],
+            "userPassword": ["somepass"],
+        },
+        "uid=cool.user,ou=employees,dc=quay,dc=io": {
+            "dc": ["quay", "io"],
+            "ou": "employees",
+            "uid": ["cool.user", "referred"],
+            "userPassword": ["somepass"],
+            "mail": ["foo@bar.com"],
+        },
+        "uid=referred,ou=employees,dc=quay,dc=io": {
+            "uid": ["referred"],
+            "_referral": "ldap:///uid=cool.user,ou=employees,dc=quay,dc=io",
+        },
+        "uid=invalidreferred,ou=employees,dc=quay,dc=io": {
+            "uid": ["invalidreferred"],
+            "_referral": "ldap:///uid=someinvaliduser,ou=employees,dc=quay,dc=io",
+        },
+        "uid=multientry,ou=subgroup1,ou=employees,dc=quay,dc=io": {
+            "uid": ["multientry"],
+            "mail": ["foo@bar.com"],
+            "userPassword": ["somepass"],
+        },
+        "uid=multientry,ou=subgroup2,ou=employees,dc=quay,dc=io": {
+            "uid": ["multientry"],
+            "another": ["key"],
+        },
+        "uid=secondaryuser,ou=otheremployees,dc=quay,dc=io": {
+            "dc": ["quay", "io"],
+            "ou": "otheremployees",
+            "uid": ["secondaryuser"],
+            "userPassword": ["somepass"],
+            "mail": ["foosecondary@bar.com"],
+        },
+        # Feature: Email Blacklisting
+        "uid=blacklistedcom,ou=otheremployees,dc=quay,dc=io": {
+            "dc": ["quay", "io"],
+            "ou": "otheremployees",
+            "uid": ["blacklistedcom"],
+            "userPassword": ["somepass"],
+            "mail": ["foo@blacklisted.com"],
+        },
+        "uid=blacklistednet,ou=otheremployees,dc=quay,dc=io": {
+            "dc": ["quay", "io"],
+            "ou": "otheremployees",
+            "uid": ["blacklistednet"],
+            "userPassword": ["somepass"],
+            "mail": ["foo@blacklisted.net"],
+        },
+        "uid=blacklistedorg,ou=otheremployees,dc=quay,dc=io": {
+            "dc": ["quay", "io"],
+            "ou": "otheremployees",
+            "uid": ["blacklistedorg"],
+            "userPassword": ["somepass"],
+            "mail": ["foo@blacklisted.org"],
+        },
+        "uid=notblacklistedcom,ou=otheremployees,dc=quay,dc=io": {
+            "dc": ["quay", "io"],
+            "ou": "otheremployees",
+            "uid": ["notblacklistedcom"],
+            "userPassword": ["somepass"],
+            "mail": ["foo@notblacklisted.com"],
+        },
     }
 
     if not requires_email:
-      cool_block.pop('mail', None)
+        for path in mock_data:
+            mock_data[path].pop("mail", None)
 
-    obj.search_s.seed('ou=employees,dc=quay,dc=io', 2, '(|(uid=cool*)(mail=cool*))')([
-      ('uid=cool.user,ou=employees,dc=quay,dc=io', cool_block)
-    ])
+    mockldap = MockLdap(mock_data)
 
-    obj.search_s.seed('ou=otheremployees,dc=quay,dc=io', 2, '(|(uid=cool*)(mail=cool*))')([])
+    def initializer(uri, trace_level=0):
+        obj = mockldap[uri]
 
-    obj.search_s.seed('ou=employees,dc=quay,dc=io', 2, '(|(uid=unknown*)(mail=unknown*))')([])
-    obj.search_s.seed('ou=otheremployees,dc=quay,dc=io', 2,
-                      '(|(uid=unknown*)(mail=unknown*))')([])
+        # Seed to "support" wildcard queries, which MockLDAP does not support natively.
+        cool_block = {
+            "dc": ["quay", "io"],
+            "ou": "employees",
+            "uid": ["cool.user", "referred"],
+            "userPassword": ["somepass"],
+            "mail": ["foo@bar.com"],
+        }
 
-    no_users_found_exception = Exception()
-    no_users_found_exception.message = { 'matched': 'dc=quay,dc=io', 'desc': 'No such object' }
+        if not requires_email:
+            cool_block.pop("mail", None)
 
-    obj.search_s.seed('ou=nonexistent,dc=quay,dc=io', 2)(no_users_found_exception)
-    obj.search_s.seed('ou=employees,dc=quay,dc=io', 2)([
-        ('uid=cool.user,ou=employees,dc=quay,dc=io', cool_block)
-    ])
-    obj.search.seed('ou=employees,dc=quay,dc=io', 2, '(objectClass=*)')([
-        ('uid=cool.user,ou=employees,dc=quay,dc=io', cool_block)
-    ])
-    obj.search.seed('ou=employees,dc=quay,dc=io', 2)([
-        ('uid=cool.user,ou=employees,dc=quay,dc=io', cool_block)
-    ])
+        obj.search_s.seed(
+            "ou=employees,dc=quay,dc=io", 2, "(|(uid=cool*)(mail=cool*))"
+        )([("uid=cool.user,ou=employees,dc=quay,dc=io", cool_block)])
 
-    obj._results = {}
-    original_result_fn = obj.result
+        obj.search_s.seed(
+            "ou=otheremployees,dc=quay,dc=io", 2, "(|(uid=cool*)(mail=cool*))"
+        )([])
 
-    def result(messageid):
-      if messageid is None:
-        return None, [], None, None
-      
-      # NOTE: Added because of weirdness with using mock-ldap.
-      if isinstance(messageid, list):
-        return None, messageid
+        obj.search_s.seed(
+            "ou=employees,dc=quay,dc=io", 2, "(|(uid=unknown*)(mail=unknown*))"
+        )([])
+        obj.search_s.seed(
+            "ou=otheremployees,dc=quay,dc=io", 2, "(|(uid=unknown*)(mail=unknown*))"
+        )([])
 
-      if messageid in obj._results:
-        return obj._results[messageid]
+        no_users_found_exception = Exception()
+        no_users_found_exception.message = {
+            "matched": "dc=quay,dc=io",
+            "desc": "No such object",
+        }
 
-      return original_result_fn(messageid)
+        obj.search_s.seed("ou=nonexistent,dc=quay,dc=io", 2)(no_users_found_exception)
+        obj.search_s.seed("ou=employees,dc=quay,dc=io", 2)(
+            [("uid=cool.user,ou=employees,dc=quay,dc=io", cool_block)]
+        )
+        obj.search.seed("ou=employees,dc=quay,dc=io", 2, "(objectClass=*)")(
+            [("uid=cool.user,ou=employees,dc=quay,dc=io", cool_block)]
+        )
+        obj.search.seed("ou=employees,dc=quay,dc=io", 2)(
+            [("uid=cool.user,ou=employees,dc=quay,dc=io", cool_block)]
+        )
 
-    def result3(messageid):
-      if messageid is None:
-        return None, [], None, None     
+        obj._results = {}
+        original_result_fn = obj.result
 
-      return obj._results[messageid]
+        def result(messageid):
+            if messageid is None:
+                return None, [], None, None
 
-    def search_ext(user_search_dn, scope, search_flt=None, serverctrls=None,
-                   sizelimit=None, attrlist=None):
-      if scope != ldap.SCOPE_SUBTREE:
-        return None
+            # NOTE: Added because of weirdness with using mock-ldap.
+            if isinstance(messageid, list):
+                return None, messageid
 
-      if not serverctrls:
-        if search_flt:
-          rdata = obj.search_s(user_search_dn, scope, search_flt, attrlist=attrlist)
-        else:
-          if attrlist:
-            rdata = obj.search_s(user_search_dn, scope, attrlist=attrlist)
-          else:
-            rdata = obj.search_s(user_search_dn, scope)
+            if messageid in obj._results:
+                return obj._results[messageid]
 
-        obj._results['messageid'] = (None, rdata)
-        return 'messageid'
+            return original_result_fn(messageid)
 
-      page_control = serverctrls[0]
-      if page_control.controlType != ldap.controls.SimplePagedResultsControl.controlType:
-        return None
+        def result3(messageid):
+            if messageid is None:
+                return None, [], None, None
 
-      if search_flt:
-        msgid = obj.search(user_search_dn, scope, search_flt, attrlist=attrlist)
-      else:
-        if attrlist:
-          msgid = obj.search(user_search_dn, scope, attrlist=attrlist)
-        else:
-          msgid = obj.search(user_search_dn, scope)
+            return obj._results[messageid]
 
-      _, rdata = obj.result(msgid)
-      msgid = 'messageid'
-      cookie = int(page_control.cookie) if page_control.cookie else 0
+        def search_ext(
+            user_search_dn,
+            scope,
+            search_flt=None,
+            serverctrls=None,
+            sizelimit=None,
+            attrlist=None,
+        ):
+            if scope != ldap.SCOPE_SUBTREE:
+                return None
 
-      results = rdata[cookie:cookie+page_control.size]
-      cookie = cookie + page_control.size
-      if cookie > len(results):
-        page_control.cookie = None
-      else:
-        page_control.cookie = cookie
+            if not serverctrls:
+                if search_flt:
+                    rdata = obj.search_s(
+                        user_search_dn, scope, search_flt, attrlist=attrlist
+                    )
+                else:
+                    if attrlist:
+                        rdata = obj.search_s(user_search_dn, scope, attrlist=attrlist)
+                    else:
+                        rdata = obj.search_s(user_search_dn, scope)
 
-      obj._results['messageid'] = (None, results, None, [page_control])
-      return msgid
+                obj._results["messageid"] = (None, rdata)
+                return "messageid"
 
-    def search_ext_s(user_search_dn, scope, sizelimit=None):
-      return [obj.search_s(user_search_dn, scope)]
+            page_control = serverctrls[0]
+            if (
+                page_control.controlType
+                != ldap.controls.SimplePagedResultsControl.controlType
+            ):
+                return None
 
-    obj.search_ext = search_ext
-    obj.result = result
-    obj.result3 = result3
-    obj.search_ext_s = search_ext_s
+            if search_flt:
+                msgid = obj.search(user_search_dn, scope, search_flt, attrlist=attrlist)
+            else:
+                if attrlist:
+                    msgid = obj.search(user_search_dn, scope, attrlist=attrlist)
+                else:
+                    msgid = obj.search(user_search_dn, scope)
 
-    return obj
+            _, rdata = obj.result(msgid)
+            msgid = "messageid"
+            cookie = int(page_control.cookie) if page_control.cookie else 0
 
-  mockldap.start()
-  with patch('ldap.initialize', new=initializer):
-    yield _create_ldap(requires_email=requires_email)
-  mockldap.stop()
+            results = rdata[cookie : cookie + page_control.size]
+            cookie = cookie + page_control.size
+            if cookie > len(results):
+                page_control.cookie = None
+            else:
+                page_control.cookie = cookie
+
+            obj._results["messageid"] = (None, results, None, [page_control])
+            return msgid
+
+        def search_ext_s(user_search_dn, scope, sizelimit=None):
+            return [obj.search_s(user_search_dn, scope)]
+
+        obj.search_ext = search_ext
+        obj.result = result
+        obj.result3 = result3
+        obj.search_ext_s = search_ext_s
+
+        return obj
+
+    mockldap.start()
+    with patch("ldap.initialize", new=initializer):
+        yield _create_ldap(requires_email=requires_email)
+    mockldap.stop()
 
 
 class TestLDAP(unittest.TestCase):
-  def setUp(self):
-    setup_database_for_testing(self)
-    self.app = app.test_client()
-    self.ctx = app.test_request_context()
-    self.ctx.__enter__()
+    def setUp(self):
+        setup_database_for_testing(self)
+        self.app = app.test_client()
+        self.ctx = app.test_request_context()
+        self.ctx.__enter__()
 
-  def tearDown(self):
-    finished_database_for_testing(self)
-    self.ctx.__exit__(True, None, None)
+    def tearDown(self):
+        finished_database_for_testing(self)
+        self.ctx.__exit__(True, None, None)
 
-  def test_invalid_admin_password(self):
-    base_dn = ['dc=quay', 'dc=io']
-    admin_dn = 'uid=testy,ou=employees,dc=quay,dc=io'
-    admin_passwd = 'INVALIDPASSWORD'
-    user_rdn = ['ou=employees']
-    uid_attr = 'uid'
-    email_attr = 'mail'
+    def test_invalid_admin_password(self):
+        base_dn = ["dc=quay", "dc=io"]
+        admin_dn = "uid=testy,ou=employees,dc=quay,dc=io"
+        admin_passwd = "INVALIDPASSWORD"
+        user_rdn = ["ou=employees"]
+        uid_attr = "uid"
+        email_attr = "mail"
 
-    with mock_ldap():
-      ldap = LDAPUsers('ldap://localhost', base_dn, admin_dn, admin_passwd, user_rdn,
-                       uid_attr, email_attr)
+        with mock_ldap():
+            ldap = LDAPUsers(
+                "ldap://localhost",
+                base_dn,
+                admin_dn,
+                admin_passwd,
+                user_rdn,
+                uid_attr,
+                email_attr,
+            )
 
-      # Try to login.
-      (response, err_msg) = ldap.verify_and_link_user('someuser', 'somepass')
-      self.assertIsNone(response)
-      self.assertEquals('LDAP Admin dn or password is invalid', err_msg)
+            # Try to login.
+            (response, err_msg) = ldap.verify_and_link_user("someuser", "somepass")
+            self.assertIsNone(response)
+            self.assertEquals("LDAP Admin dn or password is invalid", err_msg)
 
-  def test_login(self):
-    with mock_ldap() as ldap:
-      # Verify we can login.
-      (response, _) = ldap.verify_and_link_user('someuser', 'somepass')
-      self.assertEquals(response.username, 'someuser')
-      self.assertTrue(model.user.has_user_prompt(response, 'confirm_username'))
+    def test_login(self):
+        with mock_ldap() as ldap:
+            # Verify we can login.
+            (response, _) = ldap.verify_and_link_user("someuser", "somepass")
+            self.assertEquals(response.username, "someuser")
+            self.assertTrue(model.user.has_user_prompt(response, "confirm_username"))
 
-      # Verify we can confirm the user.
-      (response, _) = ldap.confirm_existing_user('someuser', 'somepass')
-      self.assertEquals(response.username, 'someuser')
+            # Verify we can confirm the user.
+            (response, _) = ldap.confirm_existing_user("someuser", "somepass")
+            self.assertEquals(response.username, "someuser")
 
-  def test_login_empty_password(self):
-    with mock_ldap() as ldap:
-      # Verify we cannot login.
-      (response, err_msg) = ldap.verify_and_link_user('someuser', '')
-      self.assertIsNone(response)
-      self.assertEquals(err_msg, 'Anonymous binding not allowed')
+    def test_login_empty_password(self):
+        with mock_ldap() as ldap:
+            # Verify we cannot login.
+            (response, err_msg) = ldap.verify_and_link_user("someuser", "")
+            self.assertIsNone(response)
+            self.assertEquals(err_msg, "Anonymous binding not allowed")
 
-      # Verify we cannot confirm the user.
-      (response, err_msg) = ldap.confirm_existing_user('someuser', '')
-      self.assertIsNone(response)
-      self.assertEquals(err_msg, 'Invalid user')
+            # Verify we cannot confirm the user.
+            (response, err_msg) = ldap.confirm_existing_user("someuser", "")
+            self.assertIsNone(response)
+            self.assertEquals(err_msg, "Invalid user")
 
-  def test_login_whitespace_password(self):
-    with mock_ldap() as ldap:
-      # Verify we cannot login.
-      (response, err_msg) = ldap.verify_and_link_user('someuser', '    ')
-      self.assertIsNone(response)
-      self.assertEquals(err_msg, 'Invalid password')
+    def test_login_whitespace_password(self):
+        with mock_ldap() as ldap:
+            # Verify we cannot login.
+            (response, err_msg) = ldap.verify_and_link_user("someuser", "    ")
+            self.assertIsNone(response)
+            self.assertEquals(err_msg, "Invalid password")
 
-      # Verify we cannot confirm the user.
-      (response, err_msg) = ldap.confirm_existing_user('someuser', '    ')
-      self.assertIsNone(response)
-      self.assertEquals(err_msg, 'Invalid user')
+            # Verify we cannot confirm the user.
+            (response, err_msg) = ldap.confirm_existing_user("someuser", "    ")
+            self.assertIsNone(response)
+            self.assertEquals(err_msg, "Invalid user")
 
-  def test_login_secondary(self):
-    with mock_ldap() as ldap:
-      # Verify we can login.
-      (response, _) = ldap.verify_and_link_user('secondaryuser', 'somepass')
-      self.assertEquals(response.username, 'secondaryuser')
+    def test_login_secondary(self):
+        with mock_ldap() as ldap:
+            # Verify we can login.
+            (response, _) = ldap.verify_and_link_user("secondaryuser", "somepass")
+            self.assertEquals(response.username, "secondaryuser")
 
-      # Verify we can confirm the user.
-      (response, _) = ldap.confirm_existing_user('secondaryuser', 'somepass')
-      self.assertEquals(response.username, 'secondaryuser')
+            # Verify we can confirm the user.
+            (response, _) = ldap.confirm_existing_user("secondaryuser", "somepass")
+            self.assertEquals(response.username, "secondaryuser")
 
-  def test_invalid_wildcard(self):
-    with mock_ldap() as ldap:
-      # Verify we cannot login with a wildcard.
-      (response, err_msg) = ldap.verify_and_link_user('some*', 'somepass')
-      self.assertIsNone(response)
-      self.assertEquals(err_msg, 'Username not found')
+    def test_invalid_wildcard(self):
+        with mock_ldap() as ldap:
+            # Verify we cannot login with a wildcard.
+            (response, err_msg) = ldap.verify_and_link_user("some*", "somepass")
+            self.assertIsNone(response)
+            self.assertEquals(err_msg, "Username not found")
 
-      # Verify we cannot confirm the user.
-      (response, err_msg) = ldap.confirm_existing_user('some*', 'somepass')
-      self.assertIsNone(response)
-      self.assertEquals(err_msg, 'Invalid user')
+            # Verify we cannot confirm the user.
+            (response, err_msg) = ldap.confirm_existing_user("some*", "somepass")
+            self.assertIsNone(response)
+            self.assertEquals(err_msg, "Invalid user")
 
-  def test_invalid_password(self):
-    with mock_ldap() as ldap:
-      # Verify we cannot login with an invalid password.
-      (response, err_msg) = ldap.verify_and_link_user('someuser', 'invalidpass')
-      self.assertIsNone(response)
-      self.assertEquals(err_msg, 'Invalid password')
+    def test_invalid_password(self):
+        with mock_ldap() as ldap:
+            # Verify we cannot login with an invalid password.
+            (response, err_msg) = ldap.verify_and_link_user("someuser", "invalidpass")
+            self.assertIsNone(response)
+            self.assertEquals(err_msg, "Invalid password")
 
-      # Verify we cannot confirm the user.
-      (response, err_msg) = ldap.confirm_existing_user('someuser', 'invalidpass')
-      self.assertIsNone(response)
-      self.assertEquals(err_msg, 'Invalid user')
+            # Verify we cannot confirm the user.
+            (response, err_msg) = ldap.confirm_existing_user("someuser", "invalidpass")
+            self.assertIsNone(response)
+            self.assertEquals(err_msg, "Invalid user")
 
-  def test_missing_mail(self):
-    with mock_ldap() as ldap:
-      (response, err_msg) = ldap.get_user('nomail')
-      self.assertIsNone(response)
-      self.assertEquals('Missing mail field "mail" in user record', err_msg)
+    def test_missing_mail(self):
+        with mock_ldap() as ldap:
+            (response, err_msg) = ldap.get_user("nomail")
+            self.assertIsNone(response)
+            self.assertEquals('Missing mail field "mail" in user record', err_msg)
 
-  def test_missing_mail_allowed(self):
-    with mock_ldap(requires_email=False) as ldap:
-      (response, _) = ldap.get_user('nomail')
-      self.assertEquals(response.username, 'nomail')
+    def test_missing_mail_allowed(self):
+        with mock_ldap(requires_email=False) as ldap:
+            (response, _) = ldap.get_user("nomail")
+            self.assertEquals(response.username, "nomail")
 
-  def test_confirm_different_username(self):
-    with mock_ldap() as ldap:
-      # Verify that the user is logged in and their username was adjusted.
-      (response, _) = ldap.verify_and_link_user('cool.user', 'somepass')
-      self.assertEquals(response.username, 'cool_user')
+    def test_confirm_different_username(self):
+        with mock_ldap() as ldap:
+            # Verify that the user is logged in and their username was adjusted.
+            (response, _) = ldap.verify_and_link_user("cool.user", "somepass")
+            self.assertEquals(response.username, "cool_user")
 
-      # Verify we can confirm the user's quay username.
-      (response, _) = ldap.confirm_existing_user('cool_user', 'somepass')
-      self.assertEquals(response.username, 'cool_user')
+            # Verify we can confirm the user's quay username.
+            (response, _) = ldap.confirm_existing_user("cool_user", "somepass")
+            self.assertEquals(response.username, "cool_user")
 
-      # Verify that we *cannot* confirm the LDAP username.
-      (response, _) = ldap.confirm_existing_user('cool.user', 'somepass')
-      self.assertIsNone(response)
+            # Verify that we *cannot* confirm the LDAP username.
+            (response, _) = ldap.confirm_existing_user("cool.user", "somepass")
+            self.assertIsNone(response)
 
-  def test_referral(self):
-    with mock_ldap() as ldap:
-      (response, _) = ldap.verify_and_link_user('referred', 'somepass')
-      self.assertEquals(response.username, 'cool_user')
+    def test_referral(self):
+        with mock_ldap() as ldap:
+            (response, _) = ldap.verify_and_link_user("referred", "somepass")
+            self.assertEquals(response.username, "cool_user")
 
-      # Verify we can confirm the user's quay username.
-      (response, _) = ldap.confirm_existing_user('cool_user', 'somepass')
-      self.assertEquals(response.username, 'cool_user')
+            # Verify we can confirm the user's quay username.
+            (response, _) = ldap.confirm_existing_user("cool_user", "somepass")
+            self.assertEquals(response.username, "cool_user")
 
-  def test_invalid_referral(self):
-    with mock_ldap() as ldap:
-      (response, _) = ldap.verify_and_link_user('invalidreferred', 'somepass')
-      self.assertIsNone(response)
+    def test_invalid_referral(self):
+        with mock_ldap() as ldap:
+            (response, _) = ldap.verify_and_link_user("invalidreferred", "somepass")
+            self.assertIsNone(response)
 
-  def test_multientry(self):
-    with mock_ldap() as ldap:
-      (response, _) = ldap.verify_and_link_user('multientry', 'somepass')
-      self.assertEquals(response.username, 'multientry')
+    def test_multientry(self):
+        with mock_ldap() as ldap:
+            (response, _) = ldap.verify_and_link_user("multientry", "somepass")
+            self.assertEquals(response.username, "multientry")
 
-  def test_login_empty_userdn(self):
-    with mock_ldap():
-      base_dn = ['ou=employees', 'dc=quay', 'dc=io']
-      admin_dn = 'uid=testy,ou=employees,dc=quay,dc=io'
-      admin_passwd = 'password'
-      user_rdn = []
-      uid_attr = 'uid'
-      email_attr = 'mail'
-      secondary_user_rdns = ['ou=otheremployees']
+    def test_login_empty_userdn(self):
+        with mock_ldap():
+            base_dn = ["ou=employees", "dc=quay", "dc=io"]
+            admin_dn = "uid=testy,ou=employees,dc=quay,dc=io"
+            admin_passwd = "password"
+            user_rdn = []
+            uid_attr = "uid"
+            email_attr = "mail"
+            secondary_user_rdns = ["ou=otheremployees"]
 
-      ldap = LDAPUsers('ldap://localhost', base_dn, admin_dn, admin_passwd, user_rdn,
-                       uid_attr, email_attr, secondary_user_rdns=secondary_user_rdns)
+            ldap = LDAPUsers(
+                "ldap://localhost",
+                base_dn,
+                admin_dn,
+                admin_passwd,
+                user_rdn,
+                uid_attr,
+                email_attr,
+                secondary_user_rdns=secondary_user_rdns,
+            )
 
-      # Verify we can login.
-      (response, _) = ldap.verify_and_link_user('someuser', 'somepass')
-      self.assertEquals(response.username, 'someuser')
+            # Verify we can login.
+            (response, _) = ldap.verify_and_link_user("someuser", "somepass")
+            self.assertEquals(response.username, "someuser")
 
-      # Verify we can confirm the user.
-      (response, _) = ldap.confirm_existing_user('someuser', 'somepass')
-      self.assertEquals(response.username, 'someuser')
+            # Verify we can confirm the user.
+            (response, _) = ldap.confirm_existing_user("someuser", "somepass")
+            self.assertEquals(response.username, "someuser")
 
-  def test_link_user(self):
-    with mock_ldap() as ldap:
-      # Link someuser.
-      user, error_message = ldap.link_user('someuser')
-      self.assertIsNone(error_message)
-      self.assertIsNotNone(user)
-      self.assertEquals('someuser', user.username)
+    def test_link_user(self):
+        with mock_ldap() as ldap:
+            # Link someuser.
+            user, error_message = ldap.link_user("someuser")
+            self.assertIsNone(error_message)
+            self.assertIsNotNone(user)
+            self.assertEquals("someuser", user.username)
 
-      # Link again. Should return the same user record.
-      user_again, _ = ldap.link_user('someuser')
-      self.assertEquals(user_again.id, user.id)
+            # Link again. Should return the same user record.
+            user_again, _ = ldap.link_user("someuser")
+            self.assertEquals(user_again.id, user.id)
 
-      # Confirm someuser.
-      result, _ = ldap.confirm_existing_user('someuser', 'somepass')
-      self.assertIsNotNone(result)
-      self.assertEquals('someuser', result.username)
-      self.assertTrue(model.user.has_user_prompt(user, 'confirm_username'))
+            # Confirm someuser.
+            result, _ = ldap.confirm_existing_user("someuser", "somepass")
+            self.assertIsNotNone(result)
+            self.assertEquals("someuser", result.username)
+            self.assertTrue(model.user.has_user_prompt(user, "confirm_username"))
 
-  def test_query(self):
-    with mock_ldap() as ldap:
-      # Lookup cool.
-      (response, federated_id, error_message) = ldap.query_users('cool')
-      self.assertIsNone(error_message)
-      self.assertEquals(1, len(response))
-      self.assertEquals('ldap', federated_id)
+    def test_query(self):
+        with mock_ldap() as ldap:
+            # Lookup cool.
+            (response, federated_id, error_message) = ldap.query_users("cool")
+            self.assertIsNone(error_message)
+            self.assertEquals(1, len(response))
+            self.assertEquals("ldap", federated_id)
 
-      user_info = response[0]
-      self.assertEquals("cool.user", user_info.username)
-      self.assertEquals("foo@bar.com", user_info.email)
+            user_info = response[0]
+            self.assertEquals("cool.user", user_info.username)
+            self.assertEquals("foo@bar.com", user_info.email)
 
-      # Lookup unknown.
-      (response, federated_id, error_message) = ldap.query_users('unknown')
-      self.assertIsNone(error_message)
-      self.assertEquals(0, len(response))
-      self.assertEquals('ldap', federated_id)
+            # Lookup unknown.
+            (response, federated_id, error_message) = ldap.query_users("unknown")
+            self.assertIsNone(error_message)
+            self.assertEquals(0, len(response))
+            self.assertEquals("ldap", federated_id)
 
-  def test_timeout(self):
-    base_dn = ['dc=quay', 'dc=io']
-    admin_dn = 'uid=testy,ou=employees,dc=quay,dc=io'
-    admin_passwd = 'password'
-    user_rdn = ['ou=employees']
-    uid_attr = 'uid'
-    email_attr = 'mail'
-    secondary_user_rdns = ['ou=otheremployees']
+    def test_timeout(self):
+        base_dn = ["dc=quay", "dc=io"]
+        admin_dn = "uid=testy,ou=employees,dc=quay,dc=io"
+        admin_passwd = "password"
+        user_rdn = ["ou=employees"]
+        uid_attr = "uid"
+        email_attr = "mail"
+        secondary_user_rdns = ["ou=otheremployees"]
 
-    with self.assertRaisesRegexp(Exception, "Can't contact LDAP server"):
-      ldap = LDAPUsers('ldap://localhost', base_dn, admin_dn, admin_passwd, user_rdn,
-                       uid_attr, email_attr, secondary_user_rdns=secondary_user_rdns,
-                       requires_email=False, timeout=5)
-      ldap.query_users('cool')
+        with self.assertRaisesRegexp(Exception, "Can't contact LDAP server"):
+            ldap = LDAPUsers(
+                "ldap://localhost",
+                base_dn,
+                admin_dn,
+                admin_passwd,
+                user_rdn,
+                uid_attr,
+                email_attr,
+                secondary_user_rdns=secondary_user_rdns,
+                requires_email=False,
+                timeout=5,
+            )
+            ldap.query_users("cool")
 
-  def test_iterate_group_members(self):
-    with mock_ldap() as ldap:
-      (it, err) = ldap.iterate_group_members({'group_dn': 'cn=AwesomeFolk'},
-                                             disable_pagination=True)
-      self.assertIsNone(err)
+    def test_iterate_group_members(self):
+        with mock_ldap() as ldap:
+            (it, err) = ldap.iterate_group_members(
+                {"group_dn": "cn=AwesomeFolk"}, disable_pagination=True
+            )
+            self.assertIsNone(err)
 
-      results = list(it)
-      self.assertEquals(2, len(results))
+            results = list(it)
+            self.assertEquals(2, len(results))
 
-      first = results[0][0]
-      second = results[1][0]
+            first = results[0][0]
+            second = results[1][0]
 
-      if first.id == 'testy':
-        testy, someuser = first, second
-      else:
-        testy, someuser = second, first
+            if first.id == "testy":
+                testy, someuser = first, second
+            else:
+                testy, someuser = second, first
 
-      self.assertEquals('testy', testy.id)
-      self.assertEquals('testy', testy.username)
-      self.assertEquals('bar@baz.com', testy.email)
+            self.assertEquals("testy", testy.id)
+            self.assertEquals("testy", testy.username)
+            self.assertEquals("bar@baz.com", testy.email)
 
-      self.assertEquals('someuser', someuser.id)
-      self.assertEquals('someuser', someuser.username)
-      self.assertEquals('foo@bar.com', someuser.email)
+            self.assertEquals("someuser", someuser.id)
+            self.assertEquals("someuser", someuser.username)
+            self.assertEquals("foo@bar.com", someuser.email)
 
-  def test_iterate_group_members_with_pagination(self):
-    with mock_ldap() as ldap:
-      for dn in ['cn=AwesomeFolk', 'cn=*Guys']:
-        (it, err) = ldap.iterate_group_members({'group_dn': dn}, page_size=1)
-        self.assertIsNone(err)
+    def test_iterate_group_members_with_pagination(self):
+        with mock_ldap() as ldap:
+            for dn in ["cn=AwesomeFolk", "cn=*Guys"]:
+                (it, err) = ldap.iterate_group_members({"group_dn": dn}, page_size=1)
+                self.assertIsNone(err)
 
-        results = list(it)
-        self.assertEquals(2, len(results))
+                results = list(it)
+                self.assertEquals(2, len(results))
 
-        first = results[0][0]
-        second = results[1][0]
+                first = results[0][0]
+                second = results[1][0]
 
-        if first.id == 'testy':
-          testy, someuser = first, second
-        else:
-          testy, someuser = second, first
+                if first.id == "testy":
+                    testy, someuser = first, second
+                else:
+                    testy, someuser = second, first
 
-        self.assertEquals('testy', testy.id)
-        self.assertEquals('testy', testy.username)
-        self.assertEquals('bar@baz.com', testy.email)
+                self.assertEquals("testy", testy.id)
+                self.assertEquals("testy", testy.username)
+                self.assertEquals("bar@baz.com", testy.email)
 
-        self.assertEquals('someuser', someuser.id)
-        self.assertEquals('someuser', someuser.username)
-        self.assertEquals('foo@bar.com', someuser.email)
+                self.assertEquals("someuser", someuser.id)
+                self.assertEquals("someuser", someuser.username)
+                self.assertEquals("foo@bar.com", someuser.email)
 
-  def test_check_group_lookup_args(self):
-    with mock_ldap() as ldap:
-      (result, err) = ldap.check_group_lookup_args({'group_dn': 'cn=invalid'},
-                                                   disable_pagination=True)
-      self.assertFalse(result)
-      self.assertIsNotNone(err)
+    def test_check_group_lookup_args(self):
+        with mock_ldap() as ldap:
+            (result, err) = ldap.check_group_lookup_args(
+                {"group_dn": "cn=invalid"}, disable_pagination=True
+            )
+            self.assertFalse(result)
+            self.assertIsNotNone(err)
 
-      (result, err) = ldap.check_group_lookup_args({'group_dn': 'cn=AwesomeFolk'},
-                                                   disable_pagination=True)
-      self.assertTrue(result)
-      self.assertIsNone(err)
+            (result, err) = ldap.check_group_lookup_args(
+                {"group_dn": "cn=AwesomeFolk"}, disable_pagination=True
+            )
+            self.assertTrue(result)
+            self.assertIsNone(err)
 
-      (result, err) = ldap.check_group_lookup_args({'group_dn': 'cn=*Guys'},
-                                                   disable_pagination=True)
-      self.assertTrue(result)
-      self.assertIsNone(err)
+            (result, err) = ldap.check_group_lookup_args(
+                {"group_dn": "cn=*Guys"}, disable_pagination=True
+            )
+            self.assertTrue(result)
+            self.assertIsNone(err)
 
-  def test_metadata(self):
-    with mock_ldap() as ldap:
-      assert 'base_dn' in ldap.service_metadata()
+    def test_metadata(self):
+        with mock_ldap() as ldap:
+            assert "base_dn" in ldap.service_metadata()
+
+    def test_at_least_one_user_exists_invalid_creds(self):
+        base_dn = ["dc=quay", "dc=io"]
+        admin_dn = "uid=testy,ou=employees,dc=quay,dc=io"
+        admin_passwd = "INVALIDPASSWORD"
+        user_rdn = ["ou=employees"]
+        uid_attr = "uid"
+        email_attr = "mail"
+
+        with mock_ldap():
+            ldap = LDAPUsers(
+                "ldap://localhost",
+                base_dn,
+                admin_dn,
+                admin_passwd,
+                user_rdn,
+                uid_attr,
+                email_attr,
+            )
+
+            # Try to query with invalid credentials.
+            (response, err_msg) = ldap.at_least_one_user_exists()
+            self.assertFalse(response)
+            self.assertEquals("LDAP Admin dn or password is invalid", err_msg)
+
+    def test_at_least_one_user_exists_no_users(self):
+        base_dn = ["dc=quay", "dc=io"]
+        admin_dn = "uid=testy,ou=employees,dc=quay,dc=io"
+        admin_passwd = "password"
+        user_rdn = ["ou=nonexistent"]
+        uid_attr = "uid"
+        email_attr = "mail"
+
+        with mock_ldap():
+            ldap = LDAPUsers(
+                "ldap://localhost",
+                base_dn,
+                admin_dn,
+                admin_passwd,
+                user_rdn,
+                uid_attr,
+                email_attr,
+            )
+
+            # Try to find users in a nonexistent group.
+            (response, err_msg) = ldap.at_least_one_user_exists()
+            self.assertFalse(response)
+            assert err_msg is not None
+
+    def test_at_least_one_user_exists_true(self):
+        with mock_ldap() as ldap:
+            # Ensure we have at least a single user in the valid group
+            (response, err_msg) = ldap.at_least_one_user_exists()
+            self.assertIsNone(err_msg)
+            self.assertTrue(response)
 
 
-  def test_at_least_one_user_exists_invalid_creds(self):
-    base_dn = ['dc=quay', 'dc=io']
-    admin_dn = 'uid=testy,ou=employees,dc=quay,dc=io'
-    admin_passwd = 'INVALIDPASSWORD'
-    user_rdn = ['ou=employees']
-    uid_attr = 'uid'
-    email_attr = 'mail'
-
-    with mock_ldap():
-      ldap = LDAPUsers('ldap://localhost', base_dn, admin_dn, admin_passwd, user_rdn,
-                        uid_attr, email_attr)
-
-      # Try to query with invalid credentials.
-      (response, err_msg) = ldap.at_least_one_user_exists()
-      self.assertFalse(response)
-      self.assertEquals('LDAP Admin dn or password is invalid', err_msg)
-
-  def test_at_least_one_user_exists_no_users(self):
-    base_dn = ['dc=quay', 'dc=io']
-    admin_dn = 'uid=testy,ou=employees,dc=quay,dc=io'
-    admin_passwd = 'password'
-    user_rdn = ['ou=nonexistent']
-    uid_attr = 'uid'
-    email_attr = 'mail'
-
-    with mock_ldap():
-      ldap = LDAPUsers('ldap://localhost', base_dn, admin_dn, admin_passwd, user_rdn,
-                       uid_attr, email_attr)
-
-      # Try to find users in a nonexistent group.
-      (response, err_msg) = ldap.at_least_one_user_exists()
-      self.assertFalse(response)
-      assert err_msg is not None
-
-  def test_at_least_one_user_exists_true(self):
-    with mock_ldap() as ldap:
-      # Ensure we have at least a single user in the valid group
-      (response, err_msg) = ldap.at_least_one_user_exists()
-      self.assertIsNone(err_msg)
-      self.assertTrue(response)
-
-
-if __name__ == '__main__':
-  unittest.main()
+if __name__ == "__main__":
+    unittest.main()
diff --git a/test/test_oauth_login.py b/test/test_oauth_login.py
index 4a522f0e9..7520a7581 100644
--- a/test/test_oauth_login.py
+++ b/test/test_oauth_login.py
@@ -15,195 +15,232 @@ from endpoints.oauth.login import oauthlogin as oauthlogin_bp
 from test.test_endpoints import EndpointTestCase
 from test.test_ldap import mock_ldap
 
+
 class AuthForTesting(object):
-  def __init__(self, auth_engine):
-    self.auth_engine = auth_engine
-    self.existing_state = None
+    def __init__(self, auth_engine):
+        self.auth_engine = auth_engine
+        self.existing_state = None
 
-  def __enter__(self):
-    self.existing_state = authentication.state
-    authentication.state = self.auth_engine
+    def __enter__(self):
+        self.existing_state = authentication.state
+        authentication.state = self.auth_engine
+
+    def __exit__(self, type, value, traceback):
+        authentication.state = self.existing_state
 
-  def __exit__(self, type, value, traceback):
-    authentication.state = self.existing_state
 
 try:
-  app.register_blueprint(oauthlogin_bp, url_prefix='/oauth2')
+    app.register_blueprint(oauthlogin_bp, url_prefix="/oauth2")
 except ValueError:
-  # This blueprint was already registered
-  pass
+    # This blueprint was already registered
+    pass
+
 
 class OAuthLoginTestCase(EndpointTestCase):
-  def invoke_oauth_tests(self, callback_endpoint, attach_endpoint, service_name, service_ident,
-                         new_username, test_attach=True):
-    # Test callback.
-    created = self.invoke_oauth_test(callback_endpoint, service_name, service_ident, new_username)
+    def invoke_oauth_tests(
+        self,
+        callback_endpoint,
+        attach_endpoint,
+        service_name,
+        service_ident,
+        new_username,
+        test_attach=True,
+    ):
+        # Test callback.
+        created = self.invoke_oauth_test(
+            callback_endpoint, service_name, service_ident, new_username
+        )
 
-    # Delete the created user.
-    self.assertNotEquals(created.username, 'devtable')
-    model.user.delete_user(created, [])
+        # Delete the created user.
+        self.assertNotEquals(created.username, "devtable")
+        model.user.delete_user(created, [])
 
-    # Test attach.
-    if test_attach:
-      self.login('devtable', 'password')
-      self.invoke_oauth_test(attach_endpoint, service_name, service_ident, 'devtable')
+        # Test attach.
+        if test_attach:
+            self.login("devtable", "password")
+            self.invoke_oauth_test(
+                attach_endpoint, service_name, service_ident, "devtable"
+            )
 
-  def invoke_oauth_test(self, endpoint_name, service_name, service_ident, username):
-    self._set_csrf()
-    
-    # No CSRF.
-    self.getResponse('oauthlogin.' + endpoint_name, expected_code=403)
+    def invoke_oauth_test(self, endpoint_name, service_name, service_ident, username):
+        self._set_csrf()
 
-    # Invalid CSRF.
-    self.getResponse('oauthlogin.' + endpoint_name, state='somestate', expected_code=403)
+        # No CSRF.
+        self.getResponse("oauthlogin." + endpoint_name, expected_code=403)
 
-    # Valid CSRF, invalid code.
-    self.getResponse('oauthlogin.' + endpoint_name, state='someoauthtoken',
-                     code='invalidcode', expected_code=400)
+        # Invalid CSRF.
+        self.getResponse(
+            "oauthlogin." + endpoint_name, state="somestate", expected_code=403
+        )
 
-    # Valid CSRF, valid code.
-    self.getResponse('oauthlogin.' + endpoint_name, state='someoauthtoken',
-                     code='somecode', expected_code=302)
+        # Valid CSRF, invalid code.
+        self.getResponse(
+            "oauthlogin." + endpoint_name,
+            state="someoauthtoken",
+            code="invalidcode",
+            expected_code=400,
+        )
 
-    # Ensure the user was added/modified.
-    found_user = model.user.get_user(username)
-    self.assertIsNotNone(found_user)
+        # Valid CSRF, valid code.
+        self.getResponse(
+            "oauthlogin." + endpoint_name,
+            state="someoauthtoken",
+            code="somecode",
+            expected_code=302,
+        )
 
-    federated_login = model.user.lookup_federated_login(found_user, service_name)
-    self.assertIsNotNone(federated_login)
-    self.assertEquals(federated_login.service_ident, service_ident)
-    return found_user
+        # Ensure the user was added/modified.
+        found_user = model.user.get_user(username)
+        self.assertIsNotNone(found_user)
 
-  def test_google_oauth(self):
-    @urlmatch(netloc=r'accounts.google.com', path='/o/oauth2/token')
-    def account_handler(_, request):
-      parsed = dict(urlparse.parse_qsl(request.body))
-      if parsed['code'] == 'somecode':
-        content = {'access_token': 'someaccesstoken'}
-        return py_json.dumps(content)
-      else:
-        return {'status_code': 400, 'content': '{"message": "Invalid code"}'}
+        federated_login = model.user.lookup_federated_login(found_user, service_name)
+        self.assertIsNotNone(federated_login)
+        self.assertEquals(federated_login.service_ident, service_ident)
+        return found_user
 
-    @urlmatch(netloc=r'www.googleapis.com', path='/oauth2/v1/userinfo')
-    def user_handler(_, __):
-      content = {
-        'id': 'someid',
-        'email': 'someemail@example.com',
-        'verified_email': True,
-      }
-      return py_json.dumps(content)
+    def test_google_oauth(self):
+        @urlmatch(netloc=r"accounts.google.com", path="/o/oauth2/token")
+        def account_handler(_, request):
+            parsed = dict(urlparse.parse_qsl(request.body))
+            if parsed["code"] == "somecode":
+                content = {"access_token": "someaccesstoken"}
+                return py_json.dumps(content)
+            else:
+                return {"status_code": 400, "content": '{"message": "Invalid code"}'}
 
-    with HTTMock(account_handler, user_handler):
-      self.invoke_oauth_tests('google_oauth_callback', 'google_oauth_attach', 'google',
-                              'someid', 'someemail')
+        @urlmatch(netloc=r"www.googleapis.com", path="/oauth2/v1/userinfo")
+        def user_handler(_, __):
+            content = {
+                "id": "someid",
+                "email": "someemail@example.com",
+                "verified_email": True,
+            }
+            return py_json.dumps(content)
 
-  def test_github_oauth(self):
-    @urlmatch(netloc=r'github.com', path='/login/oauth/access_token')
-    def account_handler(url, _):
-      parsed = dict(urlparse.parse_qsl(url.query))
-      if parsed['code'] == 'somecode':
-        content = {'access_token': 'someaccesstoken'}
-        return py_json.dumps(content)
-      else:
-        return {'status_code': 400, 'content': '{"message": "Invalid code"}'}
+        with HTTMock(account_handler, user_handler):
+            self.invoke_oauth_tests(
+                "google_oauth_callback",
+                "google_oauth_attach",
+                "google",
+                "someid",
+                "someemail",
+            )
 
-    @urlmatch(netloc=r'github.com', path='/api/v3/user')
-    def user_handler(_, __):
-      content = {
-        'id': 'someid',
-        'login': 'someusername'
-      }
-      return py_json.dumps(content)
+    def test_github_oauth(self):
+        @urlmatch(netloc=r"github.com", path="/login/oauth/access_token")
+        def account_handler(url, _):
+            parsed = dict(urlparse.parse_qsl(url.query))
+            if parsed["code"] == "somecode":
+                content = {"access_token": "someaccesstoken"}
+                return py_json.dumps(content)
+            else:
+                return {"status_code": 400, "content": '{"message": "Invalid code"}'}
 
-    @urlmatch(netloc=r'github.com', path='/api/v3/user/emails')
-    def email_handler(_, __):
-      content = [{
-        'email': 'someemail@example.com',
-        'verified': True,
-        'primary': True,
-      }]
-      return py_json.dumps(content)
+        @urlmatch(netloc=r"github.com", path="/api/v3/user")
+        def user_handler(_, __):
+            content = {"id": "someid", "login": "someusername"}
+            return py_json.dumps(content)
 
-    with HTTMock(account_handler, email_handler, user_handler):
-      self.invoke_oauth_tests('github_oauth_callback', 'github_oauth_attach', 'github',
-                              'someid', 'someusername')
+        @urlmatch(netloc=r"github.com", path="/api/v3/user/emails")
+        def email_handler(_, __):
+            content = [
+                {"email": "someemail@example.com", "verified": True, "primary": True}
+            ]
+            return py_json.dumps(content)
 
-  def _get_oidc_mocks(self):
-    private_key = RSA.generate(2048)
-    generatedjwk = RSAKey(key=private_key.publickey()).serialize()
-    kid = 'somekey'
-    private_pem = private_key.exportKey('PEM')
+        with HTTMock(account_handler, email_handler, user_handler):
+            self.invoke_oauth_tests(
+                "github_oauth_callback",
+                "github_oauth_attach",
+                "github",
+                "someid",
+                "someusername",
+            )
 
-    token_data = {
-      'iss': app.config['TESTOIDC_LOGIN_CONFIG']['OIDC_SERVER'],
-      'aud': app.config['TESTOIDC_LOGIN_CONFIG']['CLIENT_ID'],
-      'nbf': int(time.time()),
-      'iat': int(time.time()),
-      'exp': int(time.time() + 600),
-      'sub': 'cool.user',
-    }
+    def _get_oidc_mocks(self):
+        private_key = RSA.generate(2048)
+        generatedjwk = RSAKey(key=private_key.publickey()).serialize()
+        kid = "somekey"
+        private_pem = private_key.exportKey("PEM")
 
-    token_headers = {
-      'kid': kid,
-    }
+        token_data = {
+            "iss": app.config["TESTOIDC_LOGIN_CONFIG"]["OIDC_SERVER"],
+            "aud": app.config["TESTOIDC_LOGIN_CONFIG"]["CLIENT_ID"],
+            "nbf": int(time.time()),
+            "iat": int(time.time()),
+            "exp": int(time.time() + 600),
+            "sub": "cool.user",
+        }
 
-    id_token = jwt.encode(token_data, private_pem, 'RS256', headers=token_headers)
+        token_headers = {"kid": kid}
 
-    @urlmatch(netloc=r'fakeoidc', path='/token')
-    def token_handler(_, request):
-      if request.body.find("code=somecode") >= 0:
-        content = {'access_token': 'someaccesstoken', 'id_token': id_token}
-        return py_json.dumps(content)
-      else:
-        return {'status_code': 400, 'content': '{"message": "Invalid code"}'}
+        id_token = jwt.encode(token_data, private_pem, "RS256", headers=token_headers)
 
-    @urlmatch(netloc=r'fakeoidc', path='/user')
-    def user_handler(_, __):
-      content = {
-        'sub': 'cool.user',
-        'preferred_username': 'someusername',
-        'email': 'someemail@example.com',
-        'email_verified': True,
-      }
-      return py_json.dumps(content)
+        @urlmatch(netloc=r"fakeoidc", path="/token")
+        def token_handler(_, request):
+            if request.body.find("code=somecode") >= 0:
+                content = {"access_token": "someaccesstoken", "id_token": id_token}
+                return py_json.dumps(content)
+            else:
+                return {"status_code": 400, "content": '{"message": "Invalid code"}'}
 
-    @urlmatch(netloc=r'fakeoidc', path='/jwks')
-    def jwks_handler(_, __):
-      jwk = generatedjwk.copy()
-      jwk.update({'kid': kid})
+        @urlmatch(netloc=r"fakeoidc", path="/user")
+        def user_handler(_, __):
+            content = {
+                "sub": "cool.user",
+                "preferred_username": "someusername",
+                "email": "someemail@example.com",
+                "email_verified": True,
+            }
+            return py_json.dumps(content)
 
-      content = {'keys': [jwk]}
-      return py_json.dumps(content)
+        @urlmatch(netloc=r"fakeoidc", path="/jwks")
+        def jwks_handler(_, __):
+            jwk = generatedjwk.copy()
+            jwk.update({"kid": kid})
 
-    @urlmatch(netloc=r'fakeoidc', path='.+openid.+')
-    def discovery_handler(_, __):
-      content = {
-        'scopes_supported': ['profile'],
-        'authorization_endpoint': 'http://fakeoidc/authorize',
-        'token_endpoint': 'http://fakeoidc/token',
-        'userinfo_endpoint': 'http://fakeoidc/userinfo',
-        'jwks_uri': 'http://fakeoidc/jwks',
-      }
-      return py_json.dumps(content)
+            content = {"keys": [jwk]}
+            return py_json.dumps(content)
 
-    return (discovery_handler, jwks_handler, token_handler, user_handler)
+        @urlmatch(netloc=r"fakeoidc", path=".+openid.+")
+        def discovery_handler(_, __):
+            content = {
+                "scopes_supported": ["profile"],
+                "authorization_endpoint": "http://fakeoidc/authorize",
+                "token_endpoint": "http://fakeoidc/token",
+                "userinfo_endpoint": "http://fakeoidc/userinfo",
+                "jwks_uri": "http://fakeoidc/jwks",
+            }
+            return py_json.dumps(content)
 
-  def test_oidc_database_auth(self):
-    oidc_mocks = self._get_oidc_mocks()
-    with HTTMock(*oidc_mocks):
-      self.invoke_oauth_tests('testoidc_oauth_callback', 'testoidc_oauth_attach', 'testoidc',
-                              'cool.user', 'someusername')
+        return (discovery_handler, jwks_handler, token_handler, user_handler)
 
-  def test_oidc_ldap_auth(self):
-    # Test with database auth.
-    oidc_mocks = self._get_oidc_mocks()
-    with mock_ldap() as ldap:
-      with AuthForTesting(ldap):
+    def test_oidc_database_auth(self):
+        oidc_mocks = self._get_oidc_mocks()
         with HTTMock(*oidc_mocks):
-          self.invoke_oauth_tests('testoidc_oauth_callback', 'testoidc_oauth_attach', 'testoidc',
-                                  'cool.user', 'cool_user', test_attach=False)
+            self.invoke_oauth_tests(
+                "testoidc_oauth_callback",
+                "testoidc_oauth_attach",
+                "testoidc",
+                "cool.user",
+                "someusername",
+            )
+
+    def test_oidc_ldap_auth(self):
+        # Test with database auth.
+        oidc_mocks = self._get_oidc_mocks()
+        with mock_ldap() as ldap:
+            with AuthForTesting(ldap):
+                with HTTMock(*oidc_mocks):
+                    self.invoke_oauth_tests(
+                        "testoidc_oauth_callback",
+                        "testoidc_oauth_attach",
+                        "testoidc",
+                        "cool.user",
+                        "cool_user",
+                        test_attach=False,
+                    )
 
 
-if __name__ == '__main__':
-  unittest.main()
-
+if __name__ == "__main__":
+    unittest.main()
diff --git a/test/test_secscan.py b/test/test_secscan.py
index 54f526d3b..6f2c4a639 100644
--- a/test/test_secscan.py
+++ b/test/test_secscan.py
@@ -13,807 +13,940 @@ from util.morecollections import AttrDict
 from util.secscan.api import SecurityScannerAPI, APIRequestFailure
 from util.secscan.analyzer import LayerAnalyzer
 from util.secscan.fake import fake_security_scanner
-from util.secscan.notifier import SecurityNotificationHandler, ProcessNotificationPageResult
+from util.secscan.notifier import (
+    SecurityNotificationHandler,
+    ProcessNotificationPageResult,
+)
 from util.security.instancekeys import InstanceKeys
 from workers.security_notification_worker import SecurityNotificationWorker
 
 
-ADMIN_ACCESS_USER = 'devtable'
-SIMPLE_REPO = 'simple'
-COMPLEX_REPO = 'complex'
+ADMIN_ACCESS_USER = "devtable"
+SIMPLE_REPO = "simple"
+COMPLEX_REPO = "complex"
 
 
 def process_notification_data(notification_data):
-  handler = SecurityNotificationHandler(100)
-  result = handler.process_notification_page_data(notification_data)
-  handler.send_notifications()
-  return result == ProcessNotificationPageResult.FINISHED_PROCESSING
+    handler = SecurityNotificationHandler(100)
+    result = handler.process_notification_page_data(notification_data)
+    handler.send_notifications()
+    return result == ProcessNotificationPageResult.FINISHED_PROCESSING
 
 
 class TestSecurityScanner(unittest.TestCase):
-  def setUp(self):
-    # Enable direct download in fake storage.
-    storage.put_content(['local_us'], 'supports_direct_download', 'true')
+    def setUp(self):
+        # Enable direct download in fake storage.
+        storage.put_content(["local_us"], "supports_direct_download", "true")
 
-    # Have fake storage say all files exist for the duration of the test.
-    storage.put_content(['local_us'], 'all_files_exist', 'true')
+        # Have fake storage say all files exist for the duration of the test.
+        storage.put_content(["local_us"], "all_files_exist", "true")
 
-    # Setup the database with fake storage.
-    setup_database_for_testing(self)
-    self.app = app.test_client()
-    self.ctx = app.test_request_context()
-    self.ctx.__enter__()
+        # Setup the database with fake storage.
+        setup_database_for_testing(self)
+        self.app = app.test_client()
+        self.ctx = app.test_request_context()
+        self.ctx.__enter__()
 
+        instance_keys = InstanceKeys(app)
+        self.api = SecurityScannerAPI(
+            app.config,
+            storage,
+            app.config["SERVER_HOSTNAME"],
+            app.config["HTTPCLIENT"],
+            uri_creator=get_blob_download_uri_getter(
+                app.test_request_context("/"), url_scheme_and_hostname
+            ),
+            instance_keys=instance_keys,
+        )
 
-    instance_keys = InstanceKeys(app)
-    self.api = SecurityScannerAPI(app.config, storage, app.config['SERVER_HOSTNAME'], app.config['HTTPCLIENT'],
-                                  uri_creator=get_blob_download_uri_getter(app.test_request_context('/'),
-                                                                           url_scheme_and_hostname),
-                                  instance_keys=instance_keys)
+    def tearDown(self):
+        storage.remove(["local_us"], "supports_direct_download")
+        storage.remove(["local_us"], "all_files_exist")
 
-  def tearDown(self):
-    storage.remove(['local_us'], 'supports_direct_download')
-    storage.remove(['local_us'], 'all_files_exist')
+        finished_database_for_testing(self)
+        self.ctx.__exit__(True, None, None)
 
-    finished_database_for_testing(self)
-    self.ctx.__exit__(True, None, None)
+    def assertAnalyzed(self, layer, security_scanner, isAnalyzed, engineVersion):
+        self.assertEquals(isAnalyzed, layer.security_indexed)
+        self.assertEquals(engineVersion, layer.security_indexed_engine)
 
-  def assertAnalyzed(self, layer, security_scanner, isAnalyzed, engineVersion):
-    self.assertEquals(isAnalyzed, layer.security_indexed)
-    self.assertEquals(engineVersion, layer.security_indexed_engine)
+        if isAnalyzed:
+            self.assertTrue(
+                security_scanner.has_layer(security_scanner.layer_id(layer))
+            )
 
-    if isAnalyzed:
-      self.assertTrue(security_scanner.has_layer(security_scanner.layer_id(layer)))
+            # Ensure all parent layers are marked as analyzed.
+            parents = model.image.get_parent_images(
+                ADMIN_ACCESS_USER, SIMPLE_REPO, layer
+            )
+            for parent in parents:
+                self.assertTrue(parent.security_indexed)
+                self.assertEquals(engineVersion, parent.security_indexed_engine)
+                self.assertTrue(
+                    security_scanner.has_layer(security_scanner.layer_id(parent))
+                )
 
-      # Ensure all parent layers are marked as analyzed.
-      parents = model.image.get_parent_images(ADMIN_ACCESS_USER, SIMPLE_REPO, layer)
-      for parent in parents:
-        self.assertTrue(parent.security_indexed)
-        self.assertEquals(engineVersion, parent.security_indexed_engine)
-        self.assertTrue(security_scanner.has_layer(security_scanner.layer_id(parent)))
+    def test_get_layer(self):
+        """ Test for basic retrieval of layers from the security scanner. """
+        layer = model.tag.get_tag_image(
+            ADMIN_ACCESS_USER, SIMPLE_REPO, "latest", include_storage=True
+        )
 
-  def test_get_layer(self):
-    """ Test for basic retrieval of layers from the security scanner. """
-    layer = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, 'latest', include_storage=True)
+        with fake_security_scanner() as security_scanner:
+            # Ensure the layer doesn't exist yet.
+            self.assertFalse(
+                security_scanner.has_layer(security_scanner.layer_id(layer))
+            )
+            self.assertIsNone(self.api.get_layer_data(layer))
 
-    with fake_security_scanner() as security_scanner:
-      # Ensure the layer doesn't exist yet.
-      self.assertFalse(security_scanner.has_layer(security_scanner.layer_id(layer)))
-      self.assertIsNone(self.api.get_layer_data(layer))
+            # Add the layer.
+            security_scanner.add_layer(security_scanner.layer_id(layer))
 
-      # Add the layer.
-      security_scanner.add_layer(security_scanner.layer_id(layer))
+            # Retrieve the results.
+            result = self.api.get_layer_data(layer, include_vulnerabilities=True)
+            self.assertIsNotNone(result)
+            self.assertEquals(result["Layer"]["Name"], security_scanner.layer_id(layer))
 
-      # Retrieve the results.
-      result = self.api.get_layer_data(layer, include_vulnerabilities=True)
-      self.assertIsNotNone(result)
-      self.assertEquals(result['Layer']['Name'], security_scanner.layer_id(layer))
+    def test_analyze_layer_nodirectdownload_success(self):
+        """ Tests analyzing a layer when direct download is disabled. """
 
-  def test_analyze_layer_nodirectdownload_success(self):
-    """ Tests analyzing a layer when direct download is disabled. """
+        # Disable direct download in fake storage.
+        storage.put_content(["local_us"], "supports_direct_download", "false")
 
-    # Disable direct download in fake storage.
-    storage.put_content(['local_us'], 'supports_direct_download', 'false')
+        try:
+            app.register_blueprint(v2_bp, url_prefix="/v2")
+        except:
+            # Already registered.
+            pass
 
-    try:
-      app.register_blueprint(v2_bp, url_prefix='/v2')
-    except:
-      # Already registered.
-      pass
+        layer = model.tag.get_tag_image(
+            ADMIN_ACCESS_USER, SIMPLE_REPO, "latest", include_storage=True
+        )
+        self.assertFalse(layer.security_indexed)
+        self.assertEquals(-1, layer.security_indexed_engine)
 
-    layer = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, 'latest', include_storage=True)
-    self.assertFalse(layer.security_indexed)
-    self.assertEquals(-1, layer.security_indexed_engine)
+        # Ensure that the download is a registry+JWT download.
+        uri, auth_header = self.api._get_image_url_and_auth(layer)
+        self.assertIsNotNone(uri)
+        self.assertIsNotNone(auth_header)
 
-    # Ensure that the download is a registry+JWT download.
-    uri, auth_header = self.api._get_image_url_and_auth(layer)
-    self.assertIsNotNone(uri)
-    self.assertIsNotNone(auth_header)
+        # Ensure the download doesn't work without the header.
+        rv = self.app.head(uri)
+        self.assertEquals(rv.status_code, 401)
 
-    # Ensure the download doesn't work without the header.
-    rv = self.app.head(uri)
-    self.assertEquals(rv.status_code, 401)
+        # Ensure the download works with the header. Note we use a HEAD here, as GET causes DB
+        # access which messes with the test runner's rollback.
+        rv = self.app.head(uri, headers=[("authorization", auth_header)])
+        self.assertEquals(rv.status_code, 200)
 
-    # Ensure the download works with the header. Note we use a HEAD here, as GET causes DB
-    # access which messes with the test runner's rollback.
-    rv = self.app.head(uri, headers=[('authorization', auth_header)])
-    self.assertEquals(rv.status_code, 200)
+        # Ensure the code works when called via analyze.
+        with fake_security_scanner() as security_scanner:
+            analyzer = LayerAnalyzer(app.config, self.api)
+            analyzer.analyze_recursively(layer)
 
-    # Ensure the code works when called via analyze.
-    with fake_security_scanner() as security_scanner:
-      analyzer = LayerAnalyzer(app.config, self.api)
-      analyzer.analyze_recursively(layer)
+            layer = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, "latest")
+            self.assertAnalyzed(layer, security_scanner, True, 1)
 
-      layer = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, 'latest')
-      self.assertAnalyzed(layer, security_scanner, True, 1)
+    def test_analyze_layer_success(self):
+        """ Tests that analyzing a layer successfully marks it as analyzed. """
 
-  def test_analyze_layer_success(self):
-    """ Tests that analyzing a layer successfully marks it as analyzed. """
+        layer = model.tag.get_tag_image(
+            ADMIN_ACCESS_USER, SIMPLE_REPO, "latest", include_storage=True
+        )
+        self.assertFalse(layer.security_indexed)
+        self.assertEquals(-1, layer.security_indexed_engine)
 
-    layer = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, 'latest', include_storage=True)
-    self.assertFalse(layer.security_indexed)
-    self.assertEquals(-1, layer.security_indexed_engine)
+        with fake_security_scanner() as security_scanner:
+            analyzer = LayerAnalyzer(app.config, self.api)
+            analyzer.analyze_recursively(layer)
 
-    with fake_security_scanner() as security_scanner:
-      analyzer = LayerAnalyzer(app.config, self.api)
-      analyzer.analyze_recursively(layer)
+            layer = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, "latest")
+            self.assertAnalyzed(layer, security_scanner, True, 1)
 
-      layer = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, 'latest')
-      self.assertAnalyzed(layer, security_scanner, True, 1)
+    def test_analyze_layer_failure(self):
+        """ Tests that failing to analyze a layer (because it 422s) marks it as analyzed but failed. """
 
-  def test_analyze_layer_failure(self):
-    """ Tests that failing to analyze a layer (because it 422s) marks it as analyzed but failed. """
+        layer = model.tag.get_tag_image(
+            ADMIN_ACCESS_USER, SIMPLE_REPO, "latest", include_storage=True
+        )
+        self.assertFalse(layer.security_indexed)
+        self.assertEquals(-1, layer.security_indexed_engine)
 
-    layer = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, 'latest', include_storage=True)
-    self.assertFalse(layer.security_indexed)
-    self.assertEquals(-1, layer.security_indexed_engine)
+        with fake_security_scanner() as security_scanner:
+            security_scanner.set_fail_layer_id(security_scanner.layer_id(layer))
 
-    with fake_security_scanner() as security_scanner:
-      security_scanner.set_fail_layer_id(security_scanner.layer_id(layer))
+            analyzer = LayerAnalyzer(app.config, self.api)
+            analyzer.analyze_recursively(layer)
 
-      analyzer = LayerAnalyzer(app.config, self.api)
-      analyzer.analyze_recursively(layer)
+            layer = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, "latest")
+            self.assertAnalyzed(layer, security_scanner, False, 1)
 
-      layer = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, 'latest')
-      self.assertAnalyzed(layer, security_scanner, False, 1)
+    def test_analyze_layer_internal_error(self):
+        """ Tests that failing to analyze a layer (because it 500s) marks it as not analyzed. """
 
-  def test_analyze_layer_internal_error(self):
-    """ Tests that failing to analyze a layer (because it 500s) marks it as not analyzed. """
+        layer = model.tag.get_tag_image(
+            ADMIN_ACCESS_USER, SIMPLE_REPO, "latest", include_storage=True
+        )
+        self.assertFalse(layer.security_indexed)
+        self.assertEquals(-1, layer.security_indexed_engine)
 
-    layer = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, 'latest', include_storage=True)
-    self.assertFalse(layer.security_indexed)
-    self.assertEquals(-1, layer.security_indexed_engine)
+        with fake_security_scanner() as security_scanner:
+            security_scanner.set_internal_error_layer_id(
+                security_scanner.layer_id(layer)
+            )
 
-    with fake_security_scanner() as security_scanner:
-      security_scanner.set_internal_error_layer_id(security_scanner.layer_id(layer))
+            analyzer = LayerAnalyzer(app.config, self.api)
+            with self.assertRaises(APIRequestFailure):
+                analyzer.analyze_recursively(layer)
 
-      analyzer = LayerAnalyzer(app.config, self.api)
-      with self.assertRaises(APIRequestFailure):
-        analyzer.analyze_recursively(layer)
+            layer = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, "latest")
+            self.assertAnalyzed(layer, security_scanner, False, -1)
 
-      layer = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, 'latest')
-      self.assertAnalyzed(layer, security_scanner, False, -1)
+    def test_analyze_layer_error(self):
+        """ Tests that failing to analyze a layer (because it 400s) marks it as analyzed but failed. """
 
-  def test_analyze_layer_error(self):
-    """ Tests that failing to analyze a layer (because it 400s) marks it as analyzed but failed. """
+        layer = model.tag.get_tag_image(
+            ADMIN_ACCESS_USER, SIMPLE_REPO, "latest", include_storage=True
+        )
+        self.assertFalse(layer.security_indexed)
+        self.assertEquals(-1, layer.security_indexed_engine)
 
-    layer = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, 'latest', include_storage=True)
-    self.assertFalse(layer.security_indexed)
-    self.assertEquals(-1, layer.security_indexed_engine)
+        with fake_security_scanner() as security_scanner:
+            # Make is so trying to analyze the parent will fail with an error.
+            security_scanner.set_error_layer_id(security_scanner.layer_id(layer.parent))
 
-    with fake_security_scanner() as security_scanner:
-      # Make is so trying to analyze the parent will fail with an error.
-      security_scanner.set_error_layer_id(security_scanner.layer_id(layer.parent))
+            # Try to the layer and its parents, but with one request causing an error.
+            analyzer = LayerAnalyzer(app.config, self.api)
+            analyzer.analyze_recursively(layer)
 
-      # Try to the layer and its parents, but with one request causing an error.
-      analyzer = LayerAnalyzer(app.config, self.api)
-      analyzer.analyze_recursively(layer)
+            # Make sure it is marked as analyzed, but in a failed state.
+            layer = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, "latest")
+            self.assertAnalyzed(layer, security_scanner, False, 1)
 
-      # Make sure it is marked as analyzed, but in a failed state.
-      layer = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, 'latest')
-      self.assertAnalyzed(layer, security_scanner, False, 1)
+    def test_analyze_layer_unexpected_status(self):
+        """ Tests that a response from a scanner with an unexpected status code fails correctly. """
 
-  def test_analyze_layer_unexpected_status(self):
-    """ Tests that a response from a scanner with an unexpected status code fails correctly. """
+        layer = model.tag.get_tag_image(
+            ADMIN_ACCESS_USER, SIMPLE_REPO, "latest", include_storage=True
+        )
+        self.assertFalse(layer.security_indexed)
+        self.assertEquals(-1, layer.security_indexed_engine)
 
-    layer = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, 'latest', include_storage=True)
-    self.assertFalse(layer.security_indexed)
-    self.assertEquals(-1, layer.security_indexed_engine)
+        with fake_security_scanner() as security_scanner:
+            # Make is so trying to analyze the parent will fail with an error.
+            security_scanner.set_unexpected_status_layer_id(
+                security_scanner.layer_id(layer.parent)
+            )
 
-    with fake_security_scanner() as security_scanner:
-      # Make is so trying to analyze the parent will fail with an error.
-      security_scanner.set_unexpected_status_layer_id(security_scanner.layer_id(layer.parent))
+            # Try to the layer and its parents, but with one request causing an error.
+            analyzer = LayerAnalyzer(app.config, self.api)
+            with self.assertRaises(APIRequestFailure):
+                analyzer.analyze_recursively(layer)
 
-      # Try to the layer and its parents, but with one request causing an error.
-      analyzer = LayerAnalyzer(app.config, self.api)
-      with self.assertRaises(APIRequestFailure):
-        analyzer.analyze_recursively(layer)
+            # Make sure it isn't analyzed.
+            layer = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, "latest")
+            self.assertAnalyzed(layer, security_scanner, False, -1)
 
-      # Make sure it isn't analyzed.
-      layer = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, 'latest')
-      self.assertAnalyzed(layer, security_scanner, False, -1)
+    def test_analyze_layer_missing_parent_handled(self):
+        """ Tests that a missing parent causes an automatic reanalysis, which succeeds. """
 
+        layer = model.tag.get_tag_image(
+            ADMIN_ACCESS_USER, SIMPLE_REPO, "latest", include_storage=True
+        )
+        self.assertFalse(layer.security_indexed)
+        self.assertEquals(-1, layer.security_indexed_engine)
 
-  def test_analyze_layer_missing_parent_handled(self):
-    """ Tests that a missing parent causes an automatic reanalysis, which succeeds. """
+        with fake_security_scanner() as security_scanner:
+            # Analyze the layer and its parents.
+            analyzer = LayerAnalyzer(app.config, self.api)
+            analyzer.analyze_recursively(layer)
 
-    layer = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, 'latest', include_storage=True)
-    self.assertFalse(layer.security_indexed)
-    self.assertEquals(-1, layer.security_indexed_engine)
+            # Make sure it was analyzed.
+            layer = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, "latest")
+            self.assertAnalyzed(layer, security_scanner, True, 1)
 
-    with fake_security_scanner() as security_scanner:
-      # Analyze the layer and its parents.
-      analyzer = LayerAnalyzer(app.config, self.api)
-      analyzer.analyze_recursively(layer)
+            # Mark the layer as not yet scanned.
+            layer.security_indexed_engine = IMAGE_NOT_SCANNED_ENGINE_VERSION
+            layer.security_indexed = False
+            layer.save()
 
-      # Make sure it was analyzed.
-      layer = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, 'latest')
-      self.assertAnalyzed(layer, security_scanner, True, 1)
+            # Remove the layer's parent entirely from the security scanner.
+            security_scanner.remove_layer(security_scanner.layer_id(layer.parent))
 
-      # Mark the layer as not yet scanned.
-      layer.security_indexed_engine = IMAGE_NOT_SCANNED_ENGINE_VERSION
-      layer.security_indexed = False
-      layer.save()
+            # Analyze again, which should properly re-analyze the missing parent and this layer.
+            analyzer.analyze_recursively(layer)
 
-      # Remove the layer's parent entirely from the security scanner.
-      security_scanner.remove_layer(security_scanner.layer_id(layer.parent))
+            layer = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, "latest")
+            self.assertAnalyzed(layer, security_scanner, True, 1)
 
-      # Analyze again, which should properly re-analyze the missing parent and this layer.
-      analyzer.analyze_recursively(layer)
-
-      layer = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, 'latest')
-      self.assertAnalyzed(layer, security_scanner, True, 1)
-
-  def test_analyze_layer_invalid_parent(self):
-    """ Tests that trying to reanalyze a parent that is invalid causes the layer to be marked
+    def test_analyze_layer_invalid_parent(self):
+        """ Tests that trying to reanalyze a parent that is invalid causes the layer to be marked
         as analyzed, but failed.
     """
 
-    layer = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, 'latest', include_storage=True)
-    self.assertFalse(layer.security_indexed)
-    self.assertEquals(-1, layer.security_indexed_engine)
+        layer = model.tag.get_tag_image(
+            ADMIN_ACCESS_USER, SIMPLE_REPO, "latest", include_storage=True
+        )
+        self.assertFalse(layer.security_indexed)
+        self.assertEquals(-1, layer.security_indexed_engine)
 
-    with fake_security_scanner() as security_scanner:
-      # Analyze the layer and its parents.
-      analyzer = LayerAnalyzer(app.config, self.api)
-      analyzer.analyze_recursively(layer)
+        with fake_security_scanner() as security_scanner:
+            # Analyze the layer and its parents.
+            analyzer = LayerAnalyzer(app.config, self.api)
+            analyzer.analyze_recursively(layer)
 
-      # Make sure it was analyzed.
-      layer = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, 'latest')
-      self.assertAnalyzed(layer, security_scanner, True, 1)
+            # Make sure it was analyzed.
+            layer = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, "latest")
+            self.assertAnalyzed(layer, security_scanner, True, 1)
 
-      # Mark the layer as not yet scanned.
-      layer.security_indexed_engine = IMAGE_NOT_SCANNED_ENGINE_VERSION
-      layer.security_indexed = False
-      layer.save()
+            # Mark the layer as not yet scanned.
+            layer.security_indexed_engine = IMAGE_NOT_SCANNED_ENGINE_VERSION
+            layer.security_indexed = False
+            layer.save()
 
-      # Remove the layer's parent entirely from the security scanner.
-      security_scanner.remove_layer(security_scanner.layer_id(layer.parent))
+            # Remove the layer's parent entirely from the security scanner.
+            security_scanner.remove_layer(security_scanner.layer_id(layer.parent))
 
-      # Make is so trying to analyze the parent will fail.
-      security_scanner.set_error_layer_id(security_scanner.layer_id(layer.parent))
+            # Make is so trying to analyze the parent will fail.
+            security_scanner.set_error_layer_id(security_scanner.layer_id(layer.parent))
 
-      # Try to analyze again, which should try to reindex the parent and fail.
-      analyzer.analyze_recursively(layer)
+            # Try to analyze again, which should try to reindex the parent and fail.
+            analyzer.analyze_recursively(layer)
 
-      layer = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, 'latest')
-      self.assertAnalyzed(layer, security_scanner, False, 1)
+            layer = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, "latest")
+            self.assertAnalyzed(layer, security_scanner, False, 1)
 
-  def test_analyze_layer_unsupported_parent(self):
-    """ Tests that attempting to analyze a layer whose parent is unanalyzable, results in the layer
+    def test_analyze_layer_unsupported_parent(self):
+        """ Tests that attempting to analyze a layer whose parent is unanalyzable, results in the layer
         being marked as analyzed, but failed.
     """
 
-    layer = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, 'latest', include_storage=True)
-    self.assertFalse(layer.security_indexed)
-    self.assertEquals(-1, layer.security_indexed_engine)
-
-    with fake_security_scanner() as security_scanner:
-      # Make is so trying to analyze the parent will fail.
-      security_scanner.set_fail_layer_id(security_scanner.layer_id(layer.parent))
-
-      # Attempt to the layer and its parents. This should mark the layer itself as unanalyzable.
-      analyzer = LayerAnalyzer(app.config, self.api)
-      analyzer.analyze_recursively(layer)
-
-      layer = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, 'latest')
-      self.assertAnalyzed(layer, security_scanner, False, 1)
-
-  def test_analyze_layer_missing_storage(self):
-    """ Tests trying to analyze a layer with missing storage. """
-
-    layer = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, 'latest', include_storage=True)
-    self.assertFalse(layer.security_indexed)
-    self.assertEquals(-1, layer.security_indexed_engine)
-
-    # Delete the storage for the layer.
-    path = model.storage.get_layer_path(layer.storage)
-    locations = app.config['DISTRIBUTED_STORAGE_PREFERENCE']
-    storage.remove(locations, path)
-    storage.remove(locations, 'all_files_exist')
-
-    with fake_security_scanner() as security_scanner:
-      analyzer = LayerAnalyzer(app.config, self.api)
-      analyzer.analyze_recursively(layer)
-
-      layer = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, 'latest')
-      self.assertAnalyzed(layer, security_scanner, False, 1)
-
-  def assert_analyze_layer_notify(self, security_indexed_engine, security_indexed,
-                                  expect_notification):
-    layer = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, 'latest', include_storage=True)
-    self.assertFalse(layer.security_indexed)
-    self.assertEquals(-1, layer.security_indexed_engine)
-
-    # Ensure there are no existing events.
-    self.assertIsNone(notification_queue.get())
-
-    # Add a repo event for the layer.
-    repo = model.repository.get_repository(ADMIN_ACCESS_USER, SIMPLE_REPO)
-    model.notification.create_repo_notification(repo, 'vulnerability_found',
-                                                'quay_notification', {}, {'level': 100})
-
-    # Update the layer's state before analyzing.
-    layer.security_indexed_engine = security_indexed_engine
-    layer.security_indexed = security_indexed
-    layer.save()
-
-    with fake_security_scanner() as security_scanner:
-      security_scanner.set_vulns(security_scanner.layer_id(layer), [
-        {
-          "Name": "CVE-2014-9471",
-          "Namespace": "debian:8",
-          "Description": "Some service",
-          "Link": "https://security-tracker.debian.org/tracker/CVE-2014-9471",
-          "Severity": "Low",
-          "FixedBy": "9.23-5"
-        },
-
-        {
-          "Name": "CVE-2016-7530",
-          "Namespace": "debian:8",
-          "Description": "Some other service",
-          "Link": "https://security-tracker.debian.org/tracker/CVE-2016-7530",
-          "Severity": "Unknown",
-          "FixedBy": "19.343-2"
-        }
-      ])
-
-      analyzer = LayerAnalyzer(app.config, self.api)
-      analyzer.analyze_recursively(layer)
-
-      layer = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, 'latest')
-      self.assertAnalyzed(layer, security_scanner, True, 1)
-
-    # Ensure an event was written for the tag (if necessary).
-    time.sleep(1)
-    queue_item = notification_queue.get()
-
-    if expect_notification:
-      self.assertIsNotNone(queue_item)
-
-      body = json.loads(queue_item.body)
-      self.assertEquals(set(['latest', 'prod']), set(body['event_data']['tags']))
-      self.assertEquals('CVE-2014-9471', body['event_data']['vulnerability']['id'])
-      self.assertEquals('Low', body['event_data']['vulnerability']['priority'])
-      self.assertTrue(body['event_data']['vulnerability']['has_fix'])
-
-      self.assertEquals('CVE-2014-9471', body['event_data']['vulnerabilities'][0]['id'])
-      self.assertEquals(2, len(body['event_data']['vulnerabilities']))
-
-      # Ensure we get the correct event message out as well.
-      event = VulnerabilityFoundEvent()
-      msg = '1 Low and 1 more vulnerabilities were detected in repository devtable/simple in 2 tags'
-      self.assertEquals(msg, event.get_summary(body['event_data'], {}))
-      self.assertEquals('info', event.get_level(body['event_data'], {}))
-    else:
-      self.assertIsNone(queue_item)
-
-    # Ensure its security indexed engine was updated.
-    updated_layer = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, 'latest')
-    self.assertEquals(updated_layer.id, layer.id)
-    self.assertTrue(updated_layer.security_indexed_engine > 0)
-
-  def test_analyze_layer_success_events(self):
-    # Not previously indexed at all => Notification
-    self.assert_analyze_layer_notify(IMAGE_NOT_SCANNED_ENGINE_VERSION, False, True)
-
-  def test_analyze_layer_success_no_notification(self):
-    # Previously successfully indexed => No notification
-    self.assert_analyze_layer_notify(0, True, False)
-
-  def test_analyze_layer_failed_then_success_notification(self):
-    # Previously failed to index => Notification
-    self.assert_analyze_layer_notify(0, False, True)
-
-  def test_notification_new_layers_not_vulnerable(self):
-    layer = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, 'latest', include_storage=True)
-    layer_id = '%s.%s' % (layer.docker_image_id, layer.storage.uuid)
-
-    # Add a repo event for the layer.
-    repo = model.repository.get_repository(ADMIN_ACCESS_USER, SIMPLE_REPO)
-    model.notification.create_repo_notification(repo, 'vulnerability_found', 'quay_notification',
-                                                {}, {'level': 100})
-
-    # Ensure that there are no event queue items for the layer.
-    self.assertIsNone(notification_queue.get())
-
-    # Fire off the notification processing.
-    with fake_security_scanner() as security_scanner:
-      analyzer = LayerAnalyzer(app.config, self.api)
-      analyzer.analyze_recursively(layer)
-
-      layer = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, 'latest')
-      self.assertAnalyzed(layer, security_scanner, True, 1)
-
-      # Add a notification for the layer.
-      notification_data = security_scanner.add_notification([layer_id], [], {}, {})
-
-      # Process the notification.
-      self.assertTrue(process_notification_data(notification_data))
-
-      # Ensure that there are no event queue items for the layer.
-      self.assertIsNone(notification_queue.get())
-
-  def test_notification_delete(self):
-    layer = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, 'latest', include_storage=True)
-    layer_id = '%s.%s' % (layer.docker_image_id, layer.storage.uuid)
-
-    # Add a repo event for the layer.
-    repo = model.repository.get_repository(ADMIN_ACCESS_USER, SIMPLE_REPO)
-    model.notification.create_repo_notification(repo, 'vulnerability_found', 'quay_notification',
-                                                {}, {'level': 100})
-
-    # Ensure that there are no event queue items for the layer.
-    self.assertIsNone(notification_queue.get())
-
-    # Fire off the notification processing.
-    with fake_security_scanner() as security_scanner:
-      analyzer = LayerAnalyzer(app.config, self.api)
-      analyzer.analyze_recursively(layer)
-
-      layer = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, 'latest')
-      self.assertAnalyzed(layer, security_scanner, True, 1)
-
-      # Add a notification for the layer.
-      notification_data = security_scanner.add_notification([layer_id], None, {}, None)
-
-      # Process the notification.
-      self.assertTrue(process_notification_data(notification_data))
-
-      # Ensure that there are no event queue items for the layer.
-      self.assertIsNone(notification_queue.get())
-
-  def test_notification_new_layers(self):
-    layer = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, 'latest', include_storage=True)
-    layer_id = '%s.%s' % (layer.docker_image_id, layer.storage.uuid)
-
-    # Add a repo event for the layer.
-    repo = model.repository.get_repository(ADMIN_ACCESS_USER, SIMPLE_REPO)
-    model.notification.create_repo_notification(repo, 'vulnerability_found', 'quay_notification',
-                                                {}, {'level': 100})
-
-    # Ensure that there are no event queue items for the layer.
-    self.assertIsNone(notification_queue.get())
-
-    # Fire off the notification processing.
-    with fake_security_scanner() as security_scanner:
-      analyzer = LayerAnalyzer(app.config, self.api)
-      analyzer.analyze_recursively(layer)
-
-      layer = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, 'latest')
-      self.assertAnalyzed(layer, security_scanner, True, 1)
-
-      vuln_info = {
-        "Name": "CVE-TEST",
-        "Namespace": "debian:8",
-        "Description": "Some service",
-        "Link": "https://security-tracker.debian.org/tracker/CVE-2014-9471",
-        "Severity": "Low",
-        "FixedIn": {"Version": "9.23-5"},
-      }
-      security_scanner.set_vulns(layer_id, [vuln_info])
-
-      # Add a notification for the layer.
-      notification_data = security_scanner.add_notification([], [layer_id], vuln_info, vuln_info)
-
-      # Process the notification.
-      self.assertTrue(process_notification_data(notification_data))
-
-      # Ensure an event was written for the tag.
-      time.sleep(1)
-      queue_item = notification_queue.get()
-      self.assertIsNotNone(queue_item)
-
-      item_body = json.loads(queue_item.body)
-      self.assertEquals(sorted(['prod', 'latest']), sorted(item_body['event_data']['tags']))
-      self.assertEquals('CVE-TEST', item_body['event_data']['vulnerability']['id'])
-      self.assertEquals('Low', item_body['event_data']['vulnerability']['priority'])
-      self.assertTrue(item_body['event_data']['vulnerability']['has_fix'])
-
-  def test_notification_no_new_layers(self):
-    layer = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, 'latest', include_storage=True)
-
-    # Add a repo event for the layer.
-    repo = model.repository.get_repository(ADMIN_ACCESS_USER, SIMPLE_REPO)
-    model.notification.create_repo_notification(repo, 'vulnerability_found', 'quay_notification',
-                                                {}, {'level': 100})
-
-    # Ensure that there are no event queue items for the layer.
-    self.assertIsNone(notification_queue.get())
-
-    # Fire off the notification processing.
-    with fake_security_scanner() as security_scanner:
-      analyzer = LayerAnalyzer(app.config, self.api)
-      analyzer.analyze_recursively(layer)
-
-      layer = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, 'latest')
-      self.assertAnalyzed(layer, security_scanner, True, 1)
-
-      # Add a notification for the layer.
-      notification_data = security_scanner.add_notification([], [], {}, {})
-
-      # Process the notification.
-      self.assertTrue(process_notification_data(notification_data))
-
-      # Ensure that there are no event queue items for the layer.
-      self.assertIsNone(notification_queue.get())
-
-  def notification_tuple(self, notification):
-    # TODO: Replace this with a method once we refactor the notification stuff into its
-    # own module.
-    return AttrDict({
-      'event_config_dict': json.loads(notification.event_config_json),
-      'method_config_dict': json.loads(notification.config_json),
-    })
-
-  def test_notification_no_new_layers_increased_severity(self):
-    layer = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, 'latest', include_storage=True)
-    layer_id = '%s.%s' % (layer.docker_image_id, layer.storage.uuid)
-
-    # Add a repo event for the layer.
-    repo = model.repository.get_repository(ADMIN_ACCESS_USER, SIMPLE_REPO)
-    notification = model.notification.create_repo_notification(repo, 'vulnerability_found',
-                                                               'quay_notification', {},
-                                                               {'level': 100})
-
-    # Ensure that there are no event queue items for the layer.
-    self.assertIsNone(notification_queue.get())
-
-    # Fire off the notification processing.
-    with fake_security_scanner() as security_scanner:
-      analyzer = LayerAnalyzer(app.config, self.api)
-      analyzer.analyze_recursively(layer)
-
-      layer = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, 'latest')
-      self.assertAnalyzed(layer, security_scanner, True, 1)
-
-      old_vuln_info = {
-        "Name": "CVE-TEST",
-        "Namespace": "debian:8",
-        "Description": "Some service",
-        "Link": "https://security-tracker.debian.org/tracker/CVE-2014-9471",
-        "Severity": "Low",
-      }
-
-      new_vuln_info = {
-        "Name": "CVE-TEST",
-        "Namespace": "debian:8",
-        "Description": "Some service",
-        "Link": "https://security-tracker.debian.org/tracker/CVE-2014-9471",
-        "Severity": "Critical",
-        "FixedIn": {'Version': "9.23-5"},
-      }
-
-      security_scanner.set_vulns(layer_id, [new_vuln_info])
-
-      # Add a notification for the layer.
-      notification_data = security_scanner.add_notification([layer_id], [layer_id],
-                                                            old_vuln_info, new_vuln_info)
-
-      # Process the notification.
-      self.assertTrue(process_notification_data(notification_data))
-
-      # Ensure an event was written for the tag.
-      time.sleep(1)
-      queue_item = notification_queue.get()
-      self.assertIsNotNone(queue_item)
-
-      item_body = json.loads(queue_item.body)
-      self.assertEquals(sorted(['prod', 'latest']), sorted(item_body['event_data']['tags']))
-      self.assertEquals('CVE-TEST', item_body['event_data']['vulnerability']['id'])
-      self.assertEquals('Critical', item_body['event_data']['vulnerability']['priority'])
-      self.assertTrue(item_body['event_data']['vulnerability']['has_fix'])
-
-      # Verify that an event would be raised.
-      event_data = item_body['event_data']
-      notification = self.notification_tuple(notification)
-      self.assertTrue(VulnerabilityFoundEvent().should_perform(event_data, notification))
-
-      # Create another notification with a matching level and verify it will be raised.
-      notification = model.notification.create_repo_notification(repo, 'vulnerability_found',
-                                                                 'quay_notification', {},
-                                                                 {'level': 1})
-
-      notification = self.notification_tuple(notification)
-      self.assertTrue(VulnerabilityFoundEvent().should_perform(event_data, notification))
-
-      # Create another notification with a higher level and verify it won't be raised.
-      notification = model.notification.create_repo_notification(repo, 'vulnerability_found',
-                                                                 'quay_notification', {},
-                                                                 {'level': 0})
-      notification = self.notification_tuple(notification)
-      self.assertFalse(VulnerabilityFoundEvent().should_perform(event_data, notification))
-
-  def test_select_images_to_scan(self):
-    # Set all images to have a security index of a version to that of the config.
-    expected_version = app.config['SECURITY_SCANNER_ENGINE_VERSION_TARGET']
-    Image.update(security_indexed_engine=expected_version).execute()
-
-    # Ensure no images are available for scanning.
-    self.assertIsNone(model.image.get_min_id_for_sec_scan(expected_version))
-    self.assertTrue(len(model.image.get_images_eligible_for_scan(expected_version)) == 0)
-
-    # Check for a higher version.
-    self.assertIsNotNone(model.image.get_min_id_for_sec_scan(expected_version + 1))
-    self.assertTrue(len(model.image.get_images_eligible_for_scan(expected_version + 1)) > 0)
-
-  def test_notification_worker(self):
-    layer1 = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, 'latest', include_storage=True)
-    layer2 = model.tag.get_tag_image(ADMIN_ACCESS_USER, COMPLEX_REPO, 'prod', include_storage=True)
-
-    # Add a repo events for the layers.
-    simple_repo = model.repository.get_repository(ADMIN_ACCESS_USER, SIMPLE_REPO)
-    complex_repo = model.repository.get_repository(ADMIN_ACCESS_USER, COMPLEX_REPO)
-
-    model.notification.create_repo_notification(simple_repo, 'vulnerability_found',
-                                                'quay_notification', {}, {'level': 100})
-    model.notification.create_repo_notification(complex_repo, 'vulnerability_found',
-                                                'quay_notification', {}, {'level': 100})
-
-    # Ensure that there are no event queue items for the layer.
-    self.assertIsNone(notification_queue.get())
-
-    with fake_security_scanner() as security_scanner:
-      # Test with an unknown notification.
-      worker = SecurityNotificationWorker(None)
-      self.assertFalse(worker.perform_notification_work({
-        'Name': 'unknownnotification'
-      }))
-
-      # Add some analyzed layers.
-      analyzer = LayerAnalyzer(app.config, self.api)
-      analyzer.analyze_recursively(layer1)
-      analyzer.analyze_recursively(layer2)
-
-      # Add a notification with pages of data.
-      new_vuln_info = {
-        "Name": "CVE-TEST",
-        "Namespace": "debian:8",
-        "Description": "Some service",
-        "Link": "https://security-tracker.debian.org/tracker/CVE-2014-9471",
-        "Severity": "Critical",
-        "FixedIn": {'Version': "9.23-5"},
-      }
-
-      security_scanner.set_vulns(security_scanner.layer_id(layer1), [new_vuln_info])
-      security_scanner.set_vulns(security_scanner.layer_id(layer2), [new_vuln_info])
-
-      layer_ids = [security_scanner.layer_id(layer1), security_scanner.layer_id(layer2)]
-      notification_data = security_scanner.add_notification([], layer_ids, None, new_vuln_info)
-
-      # Test with a known notification with pages.
-      data = {
-        'Name': notification_data['Name'],
-      }
-
-      worker = SecurityNotificationWorker(None)
-      self.assertTrue(worker.perform_notification_work(data, layer_limit=2))
-
-      # Make sure all pages were processed by ensuring we have two notifications.
-      time.sleep(1)
-      self.assertIsNotNone(notification_queue.get())
-      self.assertIsNotNone(notification_queue.get())
-
-  def test_notification_worker_offset_pages_not_indexed(self):
-    # Try without indexes.
-    self.assert_notification_worker_offset_pages(indexed=False)
-
-  def test_notification_worker_offset_pages_indexed(self):
-    # Try with indexes.
-    self.assert_notification_worker_offset_pages(indexed=True)
-
-  def assert_notification_worker_offset_pages(self, indexed=False):
-    layer1 = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, 'latest', include_storage=True)
-    layer2 = model.tag.get_tag_image(ADMIN_ACCESS_USER, COMPLEX_REPO, 'prod', include_storage=True)
-
-    # Add a repo events for the layers.
-    simple_repo = model.repository.get_repository(ADMIN_ACCESS_USER, SIMPLE_REPO)
-    complex_repo = model.repository.get_repository(ADMIN_ACCESS_USER, COMPLEX_REPO)
-
-    model.notification.create_repo_notification(simple_repo, 'vulnerability_found',
-                                                'quay_notification', {}, {'level': 100})
-    model.notification.create_repo_notification(complex_repo, 'vulnerability_found',
-                                                'quay_notification', {}, {'level': 100})
-
-    # Ensure that there are no event queue items for the layer.
-    self.assertIsNone(notification_queue.get())
-
-    with fake_security_scanner() as security_scanner:
-      # Test with an unknown notification.
-      worker = SecurityNotificationWorker(None)
-      self.assertFalse(worker.perform_notification_work({
-        'Name': 'unknownnotification'
-      }))
-
-      # Add some analyzed layers.
-      analyzer = LayerAnalyzer(app.config, self.api)
-      analyzer.analyze_recursively(layer1)
-      analyzer.analyze_recursively(layer2)
-
-      # Add a notification with pages of data.
-      new_vuln_info = {
-        "Name": "CVE-TEST",
-        "Namespace": "debian:8",
-        "Description": "Some service",
-        "Link": "https://security-tracker.debian.org/tracker/CVE-2014-9471",
-        "Severity": "Critical",
-        "FixedIn": {'Version': "9.23-5"},
-      }
-
-      security_scanner.set_vulns(security_scanner.layer_id(layer1), [new_vuln_info])
-      security_scanner.set_vulns(security_scanner.layer_id(layer2), [new_vuln_info])
-
-      # Define offsetting sets of layer IDs, to test cross-pagination support. In this test, we
-      # will only serve 2 layer IDs per page: the first page will serve both of the 'New' layer IDs,
-      # but since the first 2 'Old' layer IDs are "earlier" than the shared ID of
-      # `devtable/simple:latest`, they won't get served in the 'New' list until the *second* page.
-      # The notification handling system should correctly not notify for this layer, even though it
-      # is marked 'New' on page 1 and marked 'Old' on page 2. Clair will served these
-      # IDs sorted in the same manner.
-      idx_old_layer_ids = [{'LayerName': 'old1', 'Index': 1},
-                           {'LayerName': 'old2', 'Index': 2},
-                           {'LayerName': security_scanner.layer_id(layer1), 'Index': 3}]
-
-      idx_new_layer_ids = [{'LayerName': security_scanner.layer_id(layer1), 'Index': 3},
-                           {'LayerName': security_scanner.layer_id(layer2), 'Index': 4}]
-
-      old_layer_ids = [t['LayerName'] for t in idx_old_layer_ids]
-      new_layer_ids = [t['LayerName'] for t in idx_new_layer_ids]
-
-      if not indexed:
-        idx_old_layer_ids = None
-        idx_new_layer_ids = None
-
-      notification_data = security_scanner.add_notification(old_layer_ids, new_layer_ids, None,
-                                                            new_vuln_info, max_per_page=2,
-                                                            indexed_old_layer_ids=idx_old_layer_ids,
-                                                            indexed_new_layer_ids=idx_new_layer_ids)
-
-      # Test with a known notification with pages.
-      data = {
-        'Name': notification_data['Name'],
-      }
-
-      worker = SecurityNotificationWorker(None)
-      self.assertTrue(worker.perform_notification_work(data, layer_limit=2))
-
-      # Make sure all pages were processed by ensuring we have only one notification. If the second
-      # page was not processed, then the `Old` entry for layer1 will not be found, and we'd get two
-      # notifications.
-      time.sleep(1)
-      self.assertIsNotNone(notification_queue.get())
-      self.assertIsNone(notification_queue.get())
-
-
-  def test_layer_gc(self):
-    layer = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, 'latest', include_storage=True)
-
-    # Delete the prod tag so that only the `latest` tag remains.
-    model.tag.delete_tag(ADMIN_ACCESS_USER, SIMPLE_REPO, 'prod')
-
-    with fake_security_scanner() as security_scanner:
-      # Analyze the layer.
-      analyzer = LayerAnalyzer(app.config, self.api)
-      analyzer.analyze_recursively(layer)
-
-      layer = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, 'latest')
-      self.assertAnalyzed(layer, security_scanner, True, 1)
-      self.assertTrue(security_scanner.has_layer(security_scanner.layer_id(layer)))
-
-      namespace_user = model.user.get_user(ADMIN_ACCESS_USER)
-      model.user.change_user_tag_expiration(namespace_user, 0)
-
-      # Delete the tag in the repository and GC.
-      model.tag.delete_tag(ADMIN_ACCESS_USER, SIMPLE_REPO, 'latest')
-      time.sleep(1)
-
-      repo = model.repository.get_repository(ADMIN_ACCESS_USER, SIMPLE_REPO)
-      model.gc.garbage_collect_repo(repo)
-
-      # Ensure that the security scanner no longer has the image.
-      self.assertFalse(security_scanner.has_layer(security_scanner.layer_id(layer)))
-
-
-if __name__ == '__main__':
-  unittest.main()
+        layer = model.tag.get_tag_image(
+            ADMIN_ACCESS_USER, SIMPLE_REPO, "latest", include_storage=True
+        )
+        self.assertFalse(layer.security_indexed)
+        self.assertEquals(-1, layer.security_indexed_engine)
+
+        with fake_security_scanner() as security_scanner:
+            # Make is so trying to analyze the parent will fail.
+            security_scanner.set_fail_layer_id(security_scanner.layer_id(layer.parent))
+
+            # Attempt to the layer and its parents. This should mark the layer itself as unanalyzable.
+            analyzer = LayerAnalyzer(app.config, self.api)
+            analyzer.analyze_recursively(layer)
+
+            layer = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, "latest")
+            self.assertAnalyzed(layer, security_scanner, False, 1)
+
+    def test_analyze_layer_missing_storage(self):
+        """ Tests trying to analyze a layer with missing storage. """
+
+        layer = model.tag.get_tag_image(
+            ADMIN_ACCESS_USER, SIMPLE_REPO, "latest", include_storage=True
+        )
+        self.assertFalse(layer.security_indexed)
+        self.assertEquals(-1, layer.security_indexed_engine)
+
+        # Delete the storage for the layer.
+        path = model.storage.get_layer_path(layer.storage)
+        locations = app.config["DISTRIBUTED_STORAGE_PREFERENCE"]
+        storage.remove(locations, path)
+        storage.remove(locations, "all_files_exist")
+
+        with fake_security_scanner() as security_scanner:
+            analyzer = LayerAnalyzer(app.config, self.api)
+            analyzer.analyze_recursively(layer)
+
+            layer = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, "latest")
+            self.assertAnalyzed(layer, security_scanner, False, 1)
+
+    def assert_analyze_layer_notify(
+        self, security_indexed_engine, security_indexed, expect_notification
+    ):
+        layer = model.tag.get_tag_image(
+            ADMIN_ACCESS_USER, SIMPLE_REPO, "latest", include_storage=True
+        )
+        self.assertFalse(layer.security_indexed)
+        self.assertEquals(-1, layer.security_indexed_engine)
+
+        # Ensure there are no existing events.
+        self.assertIsNone(notification_queue.get())
+
+        # Add a repo event for the layer.
+        repo = model.repository.get_repository(ADMIN_ACCESS_USER, SIMPLE_REPO)
+        model.notification.create_repo_notification(
+            repo, "vulnerability_found", "quay_notification", {}, {"level": 100}
+        )
+
+        # Update the layer's state before analyzing.
+        layer.security_indexed_engine = security_indexed_engine
+        layer.security_indexed = security_indexed
+        layer.save()
+
+        with fake_security_scanner() as security_scanner:
+            security_scanner.set_vulns(
+                security_scanner.layer_id(layer),
+                [
+                    {
+                        "Name": "CVE-2014-9471",
+                        "Namespace": "debian:8",
+                        "Description": "Some service",
+                        "Link": "https://security-tracker.debian.org/tracker/CVE-2014-9471",
+                        "Severity": "Low",
+                        "FixedBy": "9.23-5",
+                    },
+                    {
+                        "Name": "CVE-2016-7530",
+                        "Namespace": "debian:8",
+                        "Description": "Some other service",
+                        "Link": "https://security-tracker.debian.org/tracker/CVE-2016-7530",
+                        "Severity": "Unknown",
+                        "FixedBy": "19.343-2",
+                    },
+                ],
+            )
+
+            analyzer = LayerAnalyzer(app.config, self.api)
+            analyzer.analyze_recursively(layer)
+
+            layer = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, "latest")
+            self.assertAnalyzed(layer, security_scanner, True, 1)
+
+        # Ensure an event was written for the tag (if necessary).
+        time.sleep(1)
+        queue_item = notification_queue.get()
+
+        if expect_notification:
+            self.assertIsNotNone(queue_item)
+
+            body = json.loads(queue_item.body)
+            self.assertEquals(set(["latest", "prod"]), set(body["event_data"]["tags"]))
+            self.assertEquals(
+                "CVE-2014-9471", body["event_data"]["vulnerability"]["id"]
+            )
+            self.assertEquals("Low", body["event_data"]["vulnerability"]["priority"])
+            self.assertTrue(body["event_data"]["vulnerability"]["has_fix"])
+
+            self.assertEquals(
+                "CVE-2014-9471", body["event_data"]["vulnerabilities"][0]["id"]
+            )
+            self.assertEquals(2, len(body["event_data"]["vulnerabilities"]))
+
+            # Ensure we get the correct event message out as well.
+            event = VulnerabilityFoundEvent()
+            msg = "1 Low and 1 more vulnerabilities were detected in repository devtable/simple in 2 tags"
+            self.assertEquals(msg, event.get_summary(body["event_data"], {}))
+            self.assertEquals("info", event.get_level(body["event_data"], {}))
+        else:
+            self.assertIsNone(queue_item)
+
+        # Ensure its security indexed engine was updated.
+        updated_layer = model.tag.get_tag_image(
+            ADMIN_ACCESS_USER, SIMPLE_REPO, "latest"
+        )
+        self.assertEquals(updated_layer.id, layer.id)
+        self.assertTrue(updated_layer.security_indexed_engine > 0)
+
+    def test_analyze_layer_success_events(self):
+        # Not previously indexed at all => Notification
+        self.assert_analyze_layer_notify(IMAGE_NOT_SCANNED_ENGINE_VERSION, False, True)
+
+    def test_analyze_layer_success_no_notification(self):
+        # Previously successfully indexed => No notification
+        self.assert_analyze_layer_notify(0, True, False)
+
+    def test_analyze_layer_failed_then_success_notification(self):
+        # Previously failed to index => Notification
+        self.assert_analyze_layer_notify(0, False, True)
+
+    def test_notification_new_layers_not_vulnerable(self):
+        layer = model.tag.get_tag_image(
+            ADMIN_ACCESS_USER, SIMPLE_REPO, "latest", include_storage=True
+        )
+        layer_id = "%s.%s" % (layer.docker_image_id, layer.storage.uuid)
+
+        # Add a repo event for the layer.
+        repo = model.repository.get_repository(ADMIN_ACCESS_USER, SIMPLE_REPO)
+        model.notification.create_repo_notification(
+            repo, "vulnerability_found", "quay_notification", {}, {"level": 100}
+        )
+
+        # Ensure that there are no event queue items for the layer.
+        self.assertIsNone(notification_queue.get())
+
+        # Fire off the notification processing.
+        with fake_security_scanner() as security_scanner:
+            analyzer = LayerAnalyzer(app.config, self.api)
+            analyzer.analyze_recursively(layer)
+
+            layer = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, "latest")
+            self.assertAnalyzed(layer, security_scanner, True, 1)
+
+            # Add a notification for the layer.
+            notification_data = security_scanner.add_notification(
+                [layer_id], [], {}, {}
+            )
+
+            # Process the notification.
+            self.assertTrue(process_notification_data(notification_data))
+
+            # Ensure that there are no event queue items for the layer.
+            self.assertIsNone(notification_queue.get())
+
+    def test_notification_delete(self):
+        layer = model.tag.get_tag_image(
+            ADMIN_ACCESS_USER, SIMPLE_REPO, "latest", include_storage=True
+        )
+        layer_id = "%s.%s" % (layer.docker_image_id, layer.storage.uuid)
+
+        # Add a repo event for the layer.
+        repo = model.repository.get_repository(ADMIN_ACCESS_USER, SIMPLE_REPO)
+        model.notification.create_repo_notification(
+            repo, "vulnerability_found", "quay_notification", {}, {"level": 100}
+        )
+
+        # Ensure that there are no event queue items for the layer.
+        self.assertIsNone(notification_queue.get())
+
+        # Fire off the notification processing.
+        with fake_security_scanner() as security_scanner:
+            analyzer = LayerAnalyzer(app.config, self.api)
+            analyzer.analyze_recursively(layer)
+
+            layer = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, "latest")
+            self.assertAnalyzed(layer, security_scanner, True, 1)
+
+            # Add a notification for the layer.
+            notification_data = security_scanner.add_notification(
+                [layer_id], None, {}, None
+            )
+
+            # Process the notification.
+            self.assertTrue(process_notification_data(notification_data))
+
+            # Ensure that there are no event queue items for the layer.
+            self.assertIsNone(notification_queue.get())
+
+    def test_notification_new_layers(self):
+        layer = model.tag.get_tag_image(
+            ADMIN_ACCESS_USER, SIMPLE_REPO, "latest", include_storage=True
+        )
+        layer_id = "%s.%s" % (layer.docker_image_id, layer.storage.uuid)
+
+        # Add a repo event for the layer.
+        repo = model.repository.get_repository(ADMIN_ACCESS_USER, SIMPLE_REPO)
+        model.notification.create_repo_notification(
+            repo, "vulnerability_found", "quay_notification", {}, {"level": 100}
+        )
+
+        # Ensure that there are no event queue items for the layer.
+        self.assertIsNone(notification_queue.get())
+
+        # Fire off the notification processing.
+        with fake_security_scanner() as security_scanner:
+            analyzer = LayerAnalyzer(app.config, self.api)
+            analyzer.analyze_recursively(layer)
+
+            layer = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, "latest")
+            self.assertAnalyzed(layer, security_scanner, True, 1)
+
+            vuln_info = {
+                "Name": "CVE-TEST",
+                "Namespace": "debian:8",
+                "Description": "Some service",
+                "Link": "https://security-tracker.debian.org/tracker/CVE-2014-9471",
+                "Severity": "Low",
+                "FixedIn": {"Version": "9.23-5"},
+            }
+            security_scanner.set_vulns(layer_id, [vuln_info])
+
+            # Add a notification for the layer.
+            notification_data = security_scanner.add_notification(
+                [], [layer_id], vuln_info, vuln_info
+            )
+
+            # Process the notification.
+            self.assertTrue(process_notification_data(notification_data))
+
+            # Ensure an event was written for the tag.
+            time.sleep(1)
+            queue_item = notification_queue.get()
+            self.assertIsNotNone(queue_item)
+
+            item_body = json.loads(queue_item.body)
+            self.assertEquals(
+                sorted(["prod", "latest"]), sorted(item_body["event_data"]["tags"])
+            )
+            self.assertEquals(
+                "CVE-TEST", item_body["event_data"]["vulnerability"]["id"]
+            )
+            self.assertEquals(
+                "Low", item_body["event_data"]["vulnerability"]["priority"]
+            )
+            self.assertTrue(item_body["event_data"]["vulnerability"]["has_fix"])
+
+    def test_notification_no_new_layers(self):
+        layer = model.tag.get_tag_image(
+            ADMIN_ACCESS_USER, SIMPLE_REPO, "latest", include_storage=True
+        )
+
+        # Add a repo event for the layer.
+        repo = model.repository.get_repository(ADMIN_ACCESS_USER, SIMPLE_REPO)
+        model.notification.create_repo_notification(
+            repo, "vulnerability_found", "quay_notification", {}, {"level": 100}
+        )
+
+        # Ensure that there are no event queue items for the layer.
+        self.assertIsNone(notification_queue.get())
+
+        # Fire off the notification processing.
+        with fake_security_scanner() as security_scanner:
+            analyzer = LayerAnalyzer(app.config, self.api)
+            analyzer.analyze_recursively(layer)
+
+            layer = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, "latest")
+            self.assertAnalyzed(layer, security_scanner, True, 1)
+
+            # Add a notification for the layer.
+            notification_data = security_scanner.add_notification([], [], {}, {})
+
+            # Process the notification.
+            self.assertTrue(process_notification_data(notification_data))
+
+            # Ensure that there are no event queue items for the layer.
+            self.assertIsNone(notification_queue.get())
+
+    def notification_tuple(self, notification):
+        # TODO: Replace this with a method once we refactor the notification stuff into its
+        # own module.
+        return AttrDict(
+            {
+                "event_config_dict": json.loads(notification.event_config_json),
+                "method_config_dict": json.loads(notification.config_json),
+            }
+        )
+
+    def test_notification_no_new_layers_increased_severity(self):
+        layer = model.tag.get_tag_image(
+            ADMIN_ACCESS_USER, SIMPLE_REPO, "latest", include_storage=True
+        )
+        layer_id = "%s.%s" % (layer.docker_image_id, layer.storage.uuid)
+
+        # Add a repo event for the layer.
+        repo = model.repository.get_repository(ADMIN_ACCESS_USER, SIMPLE_REPO)
+        notification = model.notification.create_repo_notification(
+            repo, "vulnerability_found", "quay_notification", {}, {"level": 100}
+        )
+
+        # Ensure that there are no event queue items for the layer.
+        self.assertIsNone(notification_queue.get())
+
+        # Fire off the notification processing.
+        with fake_security_scanner() as security_scanner:
+            analyzer = LayerAnalyzer(app.config, self.api)
+            analyzer.analyze_recursively(layer)
+
+            layer = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, "latest")
+            self.assertAnalyzed(layer, security_scanner, True, 1)
+
+            old_vuln_info = {
+                "Name": "CVE-TEST",
+                "Namespace": "debian:8",
+                "Description": "Some service",
+                "Link": "https://security-tracker.debian.org/tracker/CVE-2014-9471",
+                "Severity": "Low",
+            }
+
+            new_vuln_info = {
+                "Name": "CVE-TEST",
+                "Namespace": "debian:8",
+                "Description": "Some service",
+                "Link": "https://security-tracker.debian.org/tracker/CVE-2014-9471",
+                "Severity": "Critical",
+                "FixedIn": {"Version": "9.23-5"},
+            }
+
+            security_scanner.set_vulns(layer_id, [new_vuln_info])
+
+            # Add a notification for the layer.
+            notification_data = security_scanner.add_notification(
+                [layer_id], [layer_id], old_vuln_info, new_vuln_info
+            )
+
+            # Process the notification.
+            self.assertTrue(process_notification_data(notification_data))
+
+            # Ensure an event was written for the tag.
+            time.sleep(1)
+            queue_item = notification_queue.get()
+            self.assertIsNotNone(queue_item)
+
+            item_body = json.loads(queue_item.body)
+            self.assertEquals(
+                sorted(["prod", "latest"]), sorted(item_body["event_data"]["tags"])
+            )
+            self.assertEquals(
+                "CVE-TEST", item_body["event_data"]["vulnerability"]["id"]
+            )
+            self.assertEquals(
+                "Critical", item_body["event_data"]["vulnerability"]["priority"]
+            )
+            self.assertTrue(item_body["event_data"]["vulnerability"]["has_fix"])
+
+            # Verify that an event would be raised.
+            event_data = item_body["event_data"]
+            notification = self.notification_tuple(notification)
+            self.assertTrue(
+                VulnerabilityFoundEvent().should_perform(event_data, notification)
+            )
+
+            # Create another notification with a matching level and verify it will be raised.
+            notification = model.notification.create_repo_notification(
+                repo, "vulnerability_found", "quay_notification", {}, {"level": 1}
+            )
+
+            notification = self.notification_tuple(notification)
+            self.assertTrue(
+                VulnerabilityFoundEvent().should_perform(event_data, notification)
+            )
+
+            # Create another notification with a higher level and verify it won't be raised.
+            notification = model.notification.create_repo_notification(
+                repo, "vulnerability_found", "quay_notification", {}, {"level": 0}
+            )
+            notification = self.notification_tuple(notification)
+            self.assertFalse(
+                VulnerabilityFoundEvent().should_perform(event_data, notification)
+            )
+
+    def test_select_images_to_scan(self):
+        # Set all images to have a security index of a version to that of the config.
+        expected_version = app.config["SECURITY_SCANNER_ENGINE_VERSION_TARGET"]
+        Image.update(security_indexed_engine=expected_version).execute()
+
+        # Ensure no images are available for scanning.
+        self.assertIsNone(model.image.get_min_id_for_sec_scan(expected_version))
+        self.assertTrue(
+            len(model.image.get_images_eligible_for_scan(expected_version)) == 0
+        )
+
+        # Check for a higher version.
+        self.assertIsNotNone(model.image.get_min_id_for_sec_scan(expected_version + 1))
+        self.assertTrue(
+            len(model.image.get_images_eligible_for_scan(expected_version + 1)) > 0
+        )
+
+    def test_notification_worker(self):
+        layer1 = model.tag.get_tag_image(
+            ADMIN_ACCESS_USER, SIMPLE_REPO, "latest", include_storage=True
+        )
+        layer2 = model.tag.get_tag_image(
+            ADMIN_ACCESS_USER, COMPLEX_REPO, "prod", include_storage=True
+        )
+
+        # Add a repo events for the layers.
+        simple_repo = model.repository.get_repository(ADMIN_ACCESS_USER, SIMPLE_REPO)
+        complex_repo = model.repository.get_repository(ADMIN_ACCESS_USER, COMPLEX_REPO)
+
+        model.notification.create_repo_notification(
+            simple_repo, "vulnerability_found", "quay_notification", {}, {"level": 100}
+        )
+        model.notification.create_repo_notification(
+            complex_repo, "vulnerability_found", "quay_notification", {}, {"level": 100}
+        )
+
+        # Ensure that there are no event queue items for the layer.
+        self.assertIsNone(notification_queue.get())
+
+        with fake_security_scanner() as security_scanner:
+            # Test with an unknown notification.
+            worker = SecurityNotificationWorker(None)
+            self.assertFalse(
+                worker.perform_notification_work({"Name": "unknownnotification"})
+            )
+
+            # Add some analyzed layers.
+            analyzer = LayerAnalyzer(app.config, self.api)
+            analyzer.analyze_recursively(layer1)
+            analyzer.analyze_recursively(layer2)
+
+            # Add a notification with pages of data.
+            new_vuln_info = {
+                "Name": "CVE-TEST",
+                "Namespace": "debian:8",
+                "Description": "Some service",
+                "Link": "https://security-tracker.debian.org/tracker/CVE-2014-9471",
+                "Severity": "Critical",
+                "FixedIn": {"Version": "9.23-5"},
+            }
+
+            security_scanner.set_vulns(
+                security_scanner.layer_id(layer1), [new_vuln_info]
+            )
+            security_scanner.set_vulns(
+                security_scanner.layer_id(layer2), [new_vuln_info]
+            )
+
+            layer_ids = [
+                security_scanner.layer_id(layer1),
+                security_scanner.layer_id(layer2),
+            ]
+            notification_data = security_scanner.add_notification(
+                [], layer_ids, None, new_vuln_info
+            )
+
+            # Test with a known notification with pages.
+            data = {"Name": notification_data["Name"]}
+
+            worker = SecurityNotificationWorker(None)
+            self.assertTrue(worker.perform_notification_work(data, layer_limit=2))
+
+            # Make sure all pages were processed by ensuring we have two notifications.
+            time.sleep(1)
+            self.assertIsNotNone(notification_queue.get())
+            self.assertIsNotNone(notification_queue.get())
+
+    def test_notification_worker_offset_pages_not_indexed(self):
+        # Try without indexes.
+        self.assert_notification_worker_offset_pages(indexed=False)
+
+    def test_notification_worker_offset_pages_indexed(self):
+        # Try with indexes.
+        self.assert_notification_worker_offset_pages(indexed=True)
+
+    def assert_notification_worker_offset_pages(self, indexed=False):
+        layer1 = model.tag.get_tag_image(
+            ADMIN_ACCESS_USER, SIMPLE_REPO, "latest", include_storage=True
+        )
+        layer2 = model.tag.get_tag_image(
+            ADMIN_ACCESS_USER, COMPLEX_REPO, "prod", include_storage=True
+        )
+
+        # Add a repo events for the layers.
+        simple_repo = model.repository.get_repository(ADMIN_ACCESS_USER, SIMPLE_REPO)
+        complex_repo = model.repository.get_repository(ADMIN_ACCESS_USER, COMPLEX_REPO)
+
+        model.notification.create_repo_notification(
+            simple_repo, "vulnerability_found", "quay_notification", {}, {"level": 100}
+        )
+        model.notification.create_repo_notification(
+            complex_repo, "vulnerability_found", "quay_notification", {}, {"level": 100}
+        )
+
+        # Ensure that there are no event queue items for the layer.
+        self.assertIsNone(notification_queue.get())
+
+        with fake_security_scanner() as security_scanner:
+            # Test with an unknown notification.
+            worker = SecurityNotificationWorker(None)
+            self.assertFalse(
+                worker.perform_notification_work({"Name": "unknownnotification"})
+            )
+
+            # Add some analyzed layers.
+            analyzer = LayerAnalyzer(app.config, self.api)
+            analyzer.analyze_recursively(layer1)
+            analyzer.analyze_recursively(layer2)
+
+            # Add a notification with pages of data.
+            new_vuln_info = {
+                "Name": "CVE-TEST",
+                "Namespace": "debian:8",
+                "Description": "Some service",
+                "Link": "https://security-tracker.debian.org/tracker/CVE-2014-9471",
+                "Severity": "Critical",
+                "FixedIn": {"Version": "9.23-5"},
+            }
+
+            security_scanner.set_vulns(
+                security_scanner.layer_id(layer1), [new_vuln_info]
+            )
+            security_scanner.set_vulns(
+                security_scanner.layer_id(layer2), [new_vuln_info]
+            )
+
+            # Define offsetting sets of layer IDs, to test cross-pagination support. In this test, we
+            # will only serve 2 layer IDs per page: the first page will serve both of the 'New' layer IDs,
+            # but since the first 2 'Old' layer IDs are "earlier" than the shared ID of
+            # `devtable/simple:latest`, they won't get served in the 'New' list until the *second* page.
+            # The notification handling system should correctly not notify for this layer, even though it
+            # is marked 'New' on page 1 and marked 'Old' on page 2. Clair will served these
+            # IDs sorted in the same manner.
+            idx_old_layer_ids = [
+                {"LayerName": "old1", "Index": 1},
+                {"LayerName": "old2", "Index": 2},
+                {"LayerName": security_scanner.layer_id(layer1), "Index": 3},
+            ]
+
+            idx_new_layer_ids = [
+                {"LayerName": security_scanner.layer_id(layer1), "Index": 3},
+                {"LayerName": security_scanner.layer_id(layer2), "Index": 4},
+            ]
+
+            old_layer_ids = [t["LayerName"] for t in idx_old_layer_ids]
+            new_layer_ids = [t["LayerName"] for t in idx_new_layer_ids]
+
+            if not indexed:
+                idx_old_layer_ids = None
+                idx_new_layer_ids = None
+
+            notification_data = security_scanner.add_notification(
+                old_layer_ids,
+                new_layer_ids,
+                None,
+                new_vuln_info,
+                max_per_page=2,
+                indexed_old_layer_ids=idx_old_layer_ids,
+                indexed_new_layer_ids=idx_new_layer_ids,
+            )
+
+            # Test with a known notification with pages.
+            data = {"Name": notification_data["Name"]}
+
+            worker = SecurityNotificationWorker(None)
+            self.assertTrue(worker.perform_notification_work(data, layer_limit=2))
+
+            # Make sure all pages were processed by ensuring we have only one notification. If the second
+            # page was not processed, then the `Old` entry for layer1 will not be found, and we'd get two
+            # notifications.
+            time.sleep(1)
+            self.assertIsNotNone(notification_queue.get())
+            self.assertIsNone(notification_queue.get())
+
+    def test_layer_gc(self):
+        layer = model.tag.get_tag_image(
+            ADMIN_ACCESS_USER, SIMPLE_REPO, "latest", include_storage=True
+        )
+
+        # Delete the prod tag so that only the `latest` tag remains.
+        model.tag.delete_tag(ADMIN_ACCESS_USER, SIMPLE_REPO, "prod")
+
+        with fake_security_scanner() as security_scanner:
+            # Analyze the layer.
+            analyzer = LayerAnalyzer(app.config, self.api)
+            analyzer.analyze_recursively(layer)
+
+            layer = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, "latest")
+            self.assertAnalyzed(layer, security_scanner, True, 1)
+            self.assertTrue(
+                security_scanner.has_layer(security_scanner.layer_id(layer))
+            )
+
+            namespace_user = model.user.get_user(ADMIN_ACCESS_USER)
+            model.user.change_user_tag_expiration(namespace_user, 0)
+
+            # Delete the tag in the repository and GC.
+            model.tag.delete_tag(ADMIN_ACCESS_USER, SIMPLE_REPO, "latest")
+            time.sleep(1)
+
+            repo = model.repository.get_repository(ADMIN_ACCESS_USER, SIMPLE_REPO)
+            model.gc.garbage_collect_repo(repo)
+
+            # Ensure that the security scanner no longer has the image.
+            self.assertFalse(
+                security_scanner.has_layer(security_scanner.layer_id(layer))
+            )
+
+
+if __name__ == "__main__":
+    unittest.main()
diff --git a/test/test_sni.py b/test/test_sni.py
index c3ec39091..f00146261 100644
--- a/test/test_sni.py
+++ b/test/test_sni.py
@@ -1,4 +1,5 @@
 import ssl
 
+
 def test_sni_support():
-  assert ssl.HAS_SNI
+    assert ssl.HAS_SNI
diff --git a/test/test_v1_endpoint_security.py b/test/test_v1_endpoint_security.py
index 018c4a7e0..8415e724a 100644
--- a/test/test_v1_endpoint_security.py
+++ b/test/test_v1_endpoint_security.py
@@ -9,113 +9,124 @@ from specs import build_v1_index_specs
 
 from endpoints.v1 import v1_bp
 
-app.register_blueprint(v1_bp, url_prefix='/v1')
+app.register_blueprint(v1_bp, url_prefix="/v1")
 
-NO_ACCESS_USER = 'freshuser'
-READ_ACCESS_USER = 'reader'
-CREATOR_ACCESS_USER = 'creator'
-ADMIN_ACCESS_USER = 'devtable'
+NO_ACCESS_USER = "freshuser"
+READ_ACCESS_USER = "reader"
+CREATOR_ACCESS_USER = "creator"
+ADMIN_ACCESS_USER = "devtable"
 
 
 class EndpointTestCase(unittest.TestCase):
-  def setUp(self):
-    setup_database_for_testing(self)
+    def setUp(self):
+        setup_database_for_testing(self)
 
-  def tearDown(self):
-    finished_database_for_testing(self)
+    def tearDown(self):
+        finished_database_for_testing(self)
 
 
 class _SpecTestBuilder(type):
-  @staticmethod
-  def _test_generator(url, expected_status, open_kwargs, session_var_list):
-    def test(self):
-      with app.test_client() as c:
-        if session_var_list:
-          # Temporarily remove the teardown functions
-          teardown_funcs = []
-          if None in app.teardown_request_funcs:
-            teardown_funcs = app.teardown_request_funcs[None]
-            app.teardown_request_funcs[None] = []
+    @staticmethod
+    def _test_generator(url, expected_status, open_kwargs, session_var_list):
+        def test(self):
+            with app.test_client() as c:
+                if session_var_list:
+                    # Temporarily remove the teardown functions
+                    teardown_funcs = []
+                    if None in app.teardown_request_funcs:
+                        teardown_funcs = app.teardown_request_funcs[None]
+                        app.teardown_request_funcs[None] = []
 
-          with c.session_transaction() as sess:
-            for sess_key, sess_val in session_var_list:
-              sess[sess_key] = sess_val
+                    with c.session_transaction() as sess:
+                        for sess_key, sess_val in session_var_list:
+                            sess[sess_key] = sess_val
 
-          # Restore the teardown functions
-          app.teardown_request_funcs[None] = teardown_funcs
+                    # Restore the teardown functions
+                    app.teardown_request_funcs[None] = teardown_funcs
 
-        rv = c.open(url, **open_kwargs)
-        msg = '%s %s: %s expected: %s' % (open_kwargs['method'], url,
-                                          rv.status_code, expected_status)
-        self.assertEqual(rv.status_code, expected_status, msg)
-    return test
+                rv = c.open(url, **open_kwargs)
+                msg = "%s %s: %s expected: %s" % (
+                    open_kwargs["method"],
+                    url,
+                    rv.status_code,
+                    expected_status,
+                )
+                self.assertEqual(rv.status_code, expected_status, msg)
 
+        return test
 
-  def __new__(cls, name, bases, attrs):
-    with app.test_request_context() as ctx:
-      specs = attrs['spec_func']()
-      for test_spec in specs:
-        url, open_kwargs = test_spec.get_client_args()
+    def __new__(cls, name, bases, attrs):
+        with app.test_request_context() as ctx:
+            specs = attrs["spec_func"]()
+            for test_spec in specs:
+                url, open_kwargs = test_spec.get_client_args()
 
-        if attrs['auth_username']:
-          basic_auth = test_spec.gen_basic_auth(attrs['auth_username'],
-                                                'password')
-          open_kwargs['headers'] = [('authorization', '%s' % basic_auth)]
+                if attrs["auth_username"]:
+                    basic_auth = test_spec.gen_basic_auth(
+                        attrs["auth_username"], "password"
+                    )
+                    open_kwargs["headers"] = [("authorization", "%s" % basic_auth)]
 
-        session_vars = []
-        if test_spec.sess_repo:
-          ns, repo = parse_namespace_repository(test_spec.sess_repo, 'library')
-          session_vars.append(('namespace', ns))
-          session_vars.append(('repository', repo))
+                session_vars = []
+                if test_spec.sess_repo:
+                    ns, repo = parse_namespace_repository(
+                        test_spec.sess_repo, "library"
+                    )
+                    session_vars.append(("namespace", ns))
+                    session_vars.append(("repository", repo))
 
-        expected_status = getattr(test_spec, attrs['result_attr'])
-        test = _SpecTestBuilder._test_generator(url, expected_status,
-                                                open_kwargs,
-                                                session_vars)
+                expected_status = getattr(test_spec, attrs["result_attr"])
+                test = _SpecTestBuilder._test_generator(
+                    url, expected_status, open_kwargs, session_vars
+                )
 
-        test_name_url = url.replace('/', '_').replace('-', '_')
-        sess_repo = str(test_spec.sess_repo).replace('/', '_')
-        test_name = 'test_%s%s_%s_%s' % (open_kwargs['method'].lower(),
-                                      test_name_url, sess_repo, attrs['result_attr'])
-        attrs[test_name] = test
+                test_name_url = url.replace("/", "_").replace("-", "_")
+                sess_repo = str(test_spec.sess_repo).replace("/", "_")
+                test_name = "test_%s%s_%s_%s" % (
+                    open_kwargs["method"].lower(),
+                    test_name_url,
+                    sess_repo,
+                    attrs["result_attr"],
+                )
+                attrs[test_name] = test
 
-    return type(name, bases, attrs)
+        return type(name, bases, attrs)
 
 
 class TestAnonymousAccess(EndpointTestCase):
-  __metaclass__ = _SpecTestBuilder
-  spec_func = build_v1_index_specs
-  result_attr = 'anon_code'
-  auth_username = None
+    __metaclass__ = _SpecTestBuilder
+    spec_func = build_v1_index_specs
+    result_attr = "anon_code"
+    auth_username = None
 
 
 class TestNoAccess(EndpointTestCase):
-  __metaclass__ = _SpecTestBuilder
-  spec_func = build_v1_index_specs
-  result_attr = 'no_access_code'
-  auth_username = NO_ACCESS_USER
+    __metaclass__ = _SpecTestBuilder
+    spec_func = build_v1_index_specs
+    result_attr = "no_access_code"
+    auth_username = NO_ACCESS_USER
 
 
 class TestReadAccess(EndpointTestCase):
-  __metaclass__ = _SpecTestBuilder
-  spec_func = build_v1_index_specs
-  result_attr = 'read_code'
-  auth_username = READ_ACCESS_USER
+    __metaclass__ = _SpecTestBuilder
+    spec_func = build_v1_index_specs
+    result_attr = "read_code"
+    auth_username = READ_ACCESS_USER
 
 
 class TestCreatorAccess(EndpointTestCase):
-  __metaclass__ = _SpecTestBuilder
-  spec_func = build_v1_index_specs
-  result_attr = 'creator_code'
-  auth_username = CREATOR_ACCESS_USER
+    __metaclass__ = _SpecTestBuilder
+    spec_func = build_v1_index_specs
+    result_attr = "creator_code"
+    auth_username = CREATOR_ACCESS_USER
 
 
 class TestAdminAccess(EndpointTestCase):
-  __metaclass__ = _SpecTestBuilder
-  spec_func = build_v1_index_specs
-  result_attr = 'admin_code'
-  auth_username = ADMIN_ACCESS_USER
+    __metaclass__ = _SpecTestBuilder
+    spec_func = build_v1_index_specs
+    result_attr = "admin_code"
+    auth_username = ADMIN_ACCESS_USER
 
 
-if __name__ == '__main__':
-  unittest.main()
+if __name__ == "__main__":
+    unittest.main()
diff --git a/test/test_v2_endpoint_security.py b/test/test_v2_endpoint_security.py
index dadd18721..169dcafb1 100644
--- a/test/test_v2_endpoint_security.py
+++ b/test/test_v2_endpoint_security.py
@@ -1,116 +1,143 @@
 import unittest
 import json
 
-import endpoints.decorated # Register the various exceptions via decorators.
+import endpoints.decorated  # Register the various exceptions via decorators.
 
 from app import app
 from endpoints.v2 import v2_bp
 from initdb import setup_database_for_testing, finished_database_for_testing
 from test.specs import build_v2_index_specs
 
-app.register_blueprint(v2_bp, url_prefix='/v2')
+app.register_blueprint(v2_bp, url_prefix="/v2")
 
-NO_ACCESS_USER = 'freshuser'
-READ_ACCESS_USER = 'reader'
-ADMIN_ACCESS_USER = 'devtable'
-CREATOR_ACCESS_USER = 'creator'
+NO_ACCESS_USER = "freshuser"
+READ_ACCESS_USER = "reader"
+ADMIN_ACCESS_USER = "devtable"
+CREATOR_ACCESS_USER = "creator"
 
 
 class EndpointTestCase(unittest.TestCase):
-  def setUp(self):
-    setup_database_for_testing(self)
+    def setUp(self):
+        setup_database_for_testing(self)
 
-  def tearDown(self):
-    finished_database_for_testing(self)
+    def tearDown(self):
+        finished_database_for_testing(self)
 
 
 class _SpecTestBuilder(type):
-  @staticmethod
-  def _test_generator(url, test_spec, attrs):
-    def test(self):
-      with app.test_client() as c:
-        headers = []
-        expected_index_status = getattr(test_spec, attrs['result_attr'])
+    @staticmethod
+    def _test_generator(url, test_spec, attrs):
+        def test(self):
+            with app.test_client() as c:
+                headers = []
+                expected_index_status = getattr(test_spec, attrs["result_attr"])
 
-        if attrs['auth_username']:
+                if attrs["auth_username"]:
 
-          # Get a signed JWT.
-          username = attrs['auth_username']
-          password = 'password'
+                    # Get a signed JWT.
+                    username = attrs["auth_username"]
+                    password = "password"
 
-          jwt_scope = test_spec.get_scope_string()
-          query_string = 'service=' + app.config['SERVER_HOSTNAME'] + '&scope=' + jwt_scope
+                    jwt_scope = test_spec.get_scope_string()
+                    query_string = (
+                        "service="
+                        + app.config["SERVER_HOSTNAME"]
+                        + "&scope="
+                        + jwt_scope
+                    )
 
-          arv = c.open('/v2/auth',
-                       headers=[('authorization', test_spec.gen_basic_auth(username, password))],
-                       query_string=query_string)
+                    arv = c.open(
+                        "/v2/auth",
+                        headers=[
+                            (
+                                "authorization",
+                                test_spec.gen_basic_auth(username, password),
+                            )
+                        ],
+                        query_string=query_string,
+                    )
 
-          msg = 'Auth failed for %s %s: got %s, expected: 200' % (
-            test_spec.method_name, test_spec.index_name, arv.status_code)
-          self.assertEqual(arv.status_code, 200, msg)
+                    msg = "Auth failed for %s %s: got %s, expected: 200" % (
+                        test_spec.method_name,
+                        test_spec.index_name,
+                        arv.status_code,
+                    )
+                    self.assertEqual(arv.status_code, 200, msg)
 
-          headers = [('authorization', 'Bearer ' + json.loads(arv.data)['token'])]
+                    headers = [
+                        ("authorization", "Bearer " + json.loads(arv.data)["token"])
+                    ]
 
-        rv = c.open(url, headers=headers, method=test_spec.method_name)
-        msg = '%s %s: got %s, expected: %s (auth: %s | headers %s)' % (test_spec.method_name,
-          test_spec.index_name, rv.status_code, expected_index_status, attrs['auth_username'],
-          len(headers))
+                rv = c.open(url, headers=headers, method=test_spec.method_name)
+                msg = "%s %s: got %s, expected: %s (auth: %s | headers %s)" % (
+                    test_spec.method_name,
+                    test_spec.index_name,
+                    rv.status_code,
+                    expected_index_status,
+                    attrs["auth_username"],
+                    len(headers),
+                )
 
-        self.assertEqual(rv.status_code, expected_index_status, msg)
+                self.assertEqual(rv.status_code, expected_index_status, msg)
 
-    return test
+        return test
 
+    def __new__(cls, name, bases, attrs):
+        with app.test_request_context() as ctx:
+            specs = attrs["spec_func"]()
+            for test_spec in specs:
+                test_name = "%s_%s_%s_%s_%s" % (
+                    test_spec.index_name,
+                    test_spec.method_name,
+                    test_spec.repo_name,
+                    attrs["auth_username"] or "anon",
+                    attrs["result_attr"],
+                )
+                test_name = test_name.replace("/", "_").replace("-", "_")
 
-  def __new__(cls, name, bases, attrs):
-    with app.test_request_context() as ctx:
-      specs = attrs['spec_func']()
-      for test_spec in specs:
-        test_name = '%s_%s_%s_%s_%s' % (test_spec.index_name, test_spec.method_name,
-                                        test_spec.repo_name, attrs['auth_username'] or 'anon',
-                                        attrs['result_attr'])
-        test_name = test_name.replace('/', '_').replace('-', '_')
+                test_name = "test_" + test_name.lower().replace("v2.", "v2_")
+                url = test_spec.get_url()
+                attrs[test_name] = _SpecTestBuilder._test_generator(
+                    url, test_spec, attrs
+                )
 
-        test_name = 'test_' + test_name.lower().replace('v2.', 'v2_')
-        url = test_spec.get_url()
-        attrs[test_name] = _SpecTestBuilder._test_generator(url, test_spec, attrs)
-
-    return type(name, bases, attrs)
+        return type(name, bases, attrs)
 
 
 class TestAnonymousAccess(EndpointTestCase):
-  __metaclass__ = _SpecTestBuilder
-  spec_func = build_v2_index_specs
-  result_attr = 'anon_code'
-  auth_username = None
+    __metaclass__ = _SpecTestBuilder
+    spec_func = build_v2_index_specs
+    result_attr = "anon_code"
+    auth_username = None
 
 
 class TestNoAccess(EndpointTestCase):
-  __metaclass__ = _SpecTestBuilder
-  spec_func = build_v2_index_specs
-  result_attr = 'no_access_code'
-  auth_username = NO_ACCESS_USER
+    __metaclass__ = _SpecTestBuilder
+    spec_func = build_v2_index_specs
+    result_attr = "no_access_code"
+    auth_username = NO_ACCESS_USER
 
 
 class TestReadAccess(EndpointTestCase):
-  __metaclass__ = _SpecTestBuilder
-  spec_func = build_v2_index_specs
-  result_attr = 'read_code'
-  auth_username = READ_ACCESS_USER
+    __metaclass__ = _SpecTestBuilder
+    spec_func = build_v2_index_specs
+    result_attr = "read_code"
+    auth_username = READ_ACCESS_USER
 
 
 class TestCreatorAccess(EndpointTestCase):
-  __metaclass__ = _SpecTestBuilder
-  spec_func = build_v2_index_specs
-  result_attr = 'creator_code'
-  auth_username = CREATOR_ACCESS_USER
+    __metaclass__ = _SpecTestBuilder
+    spec_func = build_v2_index_specs
+    result_attr = "creator_code"
+    auth_username = CREATOR_ACCESS_USER
 
 
 class TestAdminAccess(EndpointTestCase):
-  __metaclass__ = _SpecTestBuilder
-  spec_func = build_v2_index_specs
-  result_attr = 'admin_code'
-  auth_username = ADMIN_ACCESS_USER
+    __metaclass__ = _SpecTestBuilder
+    spec_func = build_v2_index_specs
+    result_attr = "admin_code"
+    auth_username = ADMIN_ACCESS_USER
 
 
-if __name__ == '__main__':
-  unittest.main()
+if __name__ == "__main__":
+    unittest.main()
diff --git a/test/testconfig.py b/test/testconfig.py
index 52be3c1f4..0f8b9c371 100644
--- a/test/testconfig.py
+++ b/test/testconfig.py
@@ -7,108 +7,113 @@ from config import DefaultConfig
 
 
 class FakeTransaction(object):
-  def __enter__(self):
-    return self
+    def __enter__(self):
+        return self
 
-  def __exit__(self, exc_type, value, traceback):
-    pass
+    def __exit__(self, exc_type, value, traceback):
+        pass
 
 
 TEST_DB_FILE = NamedTemporaryFile(delete=True)
 
 
 class TestConfig(DefaultConfig):
-  TESTING = True
-  SECRET_KEY = "superdupersecret!!!1"
-  DATABASE_SECRET_KEY = 'anothercrazykey!'
-  BILLING_TYPE = 'FakeStripe'
+    TESTING = True
+    SECRET_KEY = "superdupersecret!!!1"
+    DATABASE_SECRET_KEY = "anothercrazykey!"
+    BILLING_TYPE = "FakeStripe"
 
-  TEST_DB_FILE = TEST_DB_FILE
-  DB_URI = os.environ.get('TEST_DATABASE_URI', 'sqlite:///{0}'.format(TEST_DB_FILE.name))
-  DB_CONNECTION_ARGS = {
-    'threadlocals': True,
-    'autorollback': True,
-  }
+    TEST_DB_FILE = TEST_DB_FILE
+    DB_URI = os.environ.get(
+        "TEST_DATABASE_URI", "sqlite:///{0}".format(TEST_DB_FILE.name)
+    )
+    DB_CONNECTION_ARGS = {"threadlocals": True, "autorollback": True}
 
-  @staticmethod
-  def create_transaction(db):
-    return FakeTransaction()
+    @staticmethod
+    def create_transaction(db):
+        return FakeTransaction()
 
-  DB_TRANSACTION_FACTORY = create_transaction
+    DB_TRANSACTION_FACTORY = create_transaction
 
-  DISTRIBUTED_STORAGE_CONFIG = {'local_us': ['FakeStorage', {}], 'local_eu': ['FakeStorage', {}]}
-  DISTRIBUTED_STORAGE_PREFERENCE = ['local_us']
+    DISTRIBUTED_STORAGE_CONFIG = {
+        "local_us": ["FakeStorage", {}],
+        "local_eu": ["FakeStorage", {}],
+    }
+    DISTRIBUTED_STORAGE_PREFERENCE = ["local_us"]
 
-  BUILDLOGS_MODULE_AND_CLASS = ('test.testlogs', 'testlogs.TestBuildLogs')
-  BUILDLOGS_OPTIONS = ['devtable', 'building', 'deadbeef-dead-beef-dead-beefdeadbeef', False]
+    BUILDLOGS_MODULE_AND_CLASS = ("test.testlogs", "testlogs.TestBuildLogs")
+    BUILDLOGS_OPTIONS = [
+        "devtable",
+        "building",
+        "deadbeef-dead-beef-dead-beefdeadbeef",
+        False,
+    ]
 
-  USERFILES_LOCATION = 'local_us'
-  USERFILES_PATH= "userfiles/"
+    USERFILES_LOCATION = "local_us"
+    USERFILES_PATH = "userfiles/"
 
-  FEATURE_SUPER_USERS = True
-  FEATURE_BILLING = True
-  FEATURE_MAILING = True
-  SUPER_USERS = ['devtable']
+    FEATURE_SUPER_USERS = True
+    FEATURE_BILLING = True
+    FEATURE_MAILING = True
+    SUPER_USERS = ["devtable"]
 
-  LICENSE_USER_LIMIT = 500
-  LICENSE_EXPIRATION = datetime.now() + timedelta(weeks=520)
-  LICENSE_EXPIRATION_WARNING = datetime.now() + timedelta(weeks=520)
+    LICENSE_USER_LIMIT = 500
+    LICENSE_EXPIRATION = datetime.now() + timedelta(weeks=520)
+    LICENSE_EXPIRATION_WARNING = datetime.now() + timedelta(weeks=520)
 
-  FEATURE_GITHUB_BUILD = True
-  FEATURE_BITTORRENT = True
-  FEATURE_ACI_CONVERSION = True
+    FEATURE_GITHUB_BUILD = True
+    FEATURE_BITTORRENT = True
+    FEATURE_ACI_CONVERSION = True
 
-  CLOUDWATCH_NAMESPACE = None
+    CLOUDWATCH_NAMESPACE = None
 
-  FEATURE_SECURITY_SCANNER = True
-  FEATURE_SECURITY_NOTIFICATIONS = True
-  SECURITY_SCANNER_ENDPOINT = 'http://fakesecurityscanner/'
-  SECURITY_SCANNER_API_VERSION = 'v1'
-  SECURITY_SCANNER_ENGINE_VERSION_TARGET = 1
-  SECURITY_SCANNER_API_TIMEOUT_SECONDS = 1
+    FEATURE_SECURITY_SCANNER = True
+    FEATURE_SECURITY_NOTIFICATIONS = True
+    SECURITY_SCANNER_ENDPOINT = "http://fakesecurityscanner/"
+    SECURITY_SCANNER_API_VERSION = "v1"
+    SECURITY_SCANNER_ENGINE_VERSION_TARGET = 1
+    SECURITY_SCANNER_API_TIMEOUT_SECONDS = 1
 
-  FEATURE_SIGNING = True
+    FEATURE_SIGNING = True
 
-  SIGNING_ENGINE = 'gpg2'
+    SIGNING_ENGINE = "gpg2"
 
-  GPG2_PRIVATE_KEY_NAME = 'EEB32221'
-  GPG2_PRIVATE_KEY_FILENAME = 'test/data/signing-private.gpg'
-  GPG2_PUBLIC_KEY_FILENAME = 'test/data/signing-public.gpg'
+    GPG2_PRIVATE_KEY_NAME = "EEB32221"
+    GPG2_PRIVATE_KEY_FILENAME = "test/data/signing-private.gpg"
+    GPG2_PUBLIC_KEY_FILENAME = "test/data/signing-public.gpg"
 
-  INSTANCE_SERVICE_KEY_KID_LOCATION = 'test/data/test.kid'
-  INSTANCE_SERVICE_KEY_LOCATION = 'test/data/test.pem'
+    INSTANCE_SERVICE_KEY_KID_LOCATION = "test/data/test.kid"
+    INSTANCE_SERVICE_KEY_LOCATION = "test/data/test.pem"
 
-  PROMETHEUS_AGGREGATOR_URL = None
+    PROMETHEUS_AGGREGATOR_URL = None
 
-  GITHUB_LOGIN_CONFIG = {}
-  GOOGLE_LOGIN_CONFIG = {}
+    GITHUB_LOGIN_CONFIG = {}
+    GOOGLE_LOGIN_CONFIG = {}
 
-  FEATURE_GITHUB_LOGIN = True
-  FEATURE_GOOGLE_LOGIN = True
+    FEATURE_GITHUB_LOGIN = True
+    FEATURE_GOOGLE_LOGIN = True
 
-  TESTOIDC_LOGIN_CONFIG = {
-    'CLIENT_ID': 'foo',
-    'CLIENT_SECRET': 'bar',
-    'OIDC_SERVER': 'http://fakeoidc',
-    'DEBUGGING': True,
-    'LOGIN_BINDING_FIELD': 'sub',
-  }
+    TESTOIDC_LOGIN_CONFIG = {
+        "CLIENT_ID": "foo",
+        "CLIENT_SECRET": "bar",
+        "OIDC_SERVER": "http://fakeoidc",
+        "DEBUGGING": True,
+        "LOGIN_BINDING_FIELD": "sub",
+    }
 
-  RECAPTCHA_SITE_KEY = 'somekey'
-  RECAPTCHA_SECRET_KEY = 'somesecretkey'
+    RECAPTCHA_SITE_KEY = "somekey"
+    RECAPTCHA_SECRET_KEY = "somesecretkey"
 
-  FEATURE_APP_REGISTRY = True
-  FEATURE_TEAM_SYNCING = True
-  FEATURE_CHANGE_TAG_EXPIRATION = True
+    FEATURE_APP_REGISTRY = True
+    FEATURE_TEAM_SYNCING = True
+    FEATURE_CHANGE_TAG_EXPIRATION = True
 
-  TAG_EXPIRATION_OPTIONS = ['0s', '1s', '1d', '1w', '2w', '4w']
+    TAG_EXPIRATION_OPTIONS = ["0s", "1s", "1d", "1w", "2w", "4w"]
 
-  DEFAULT_NAMESPACE_MAXIMUM_BUILD_COUNT = None
+    DEFAULT_NAMESPACE_MAXIMUM_BUILD_COUNT = None
 
-  DATA_MODEL_CACHE_CONFIG = {
-    'engine': 'inmemory',
-  }
+    DATA_MODEL_CACHE_CONFIG = {"engine": "inmemory"}
 
-  FEATURE_REPO_MIRROR = True
+    FEATURE_REPO_MIRROR = True
 
-  V3_UPGRADE_MODE = 'complete'
+    V3_UPGRADE_MODE = "complete"
diff --git a/test/testlogs.py b/test/testlogs.py
index 893c49b58..2c2868d0b 100644
--- a/test/testlogs.py
+++ b/test/testlogs.py
@@ -17,222 +17,247 @@ get_sentence = partial(generate_lorem_ipsum, html=False, n=1, min=5, max=10)
 
 
 def maybe_advance_script(is_get_status=False):
-  def inner_advance(func):
-    @wraps(func)
-    def wrapper(self, *args, **kwargs):
-      advance_units = random.randint(1, 500)
-      logger.debug('Advancing script %s units', advance_units)
-      while advance_units > 0 and self.remaining_script:
-        units = self.remaining_script[0][0]
+    def inner_advance(func):
+        @wraps(func)
+        def wrapper(self, *args, **kwargs):
+            advance_units = random.randint(1, 500)
+            logger.debug("Advancing script %s units", advance_units)
+            while advance_units > 0 and self.remaining_script:
+                units = self.remaining_script[0][0]
 
-        if advance_units > units:
-          advance_units -= units
-          self.advance_script(is_get_status)
-        else:
-          break
+                if advance_units > units:
+                    advance_units -= units
+                    self.advance_script(is_get_status)
+                else:
+                    break
 
-      return func(self, *args, **kwargs)
-    return wrapper
-  return inner_advance
+            return func(self, *args, **kwargs)
+
+        return wrapper
+
+    return inner_advance
 
 
 class TestBuildLogs(RedisBuildLogs):
-  COMMAND_TYPES = ['FROM', 'MAINTAINER', 'RUN', 'CMD', 'EXPOSE', 'ENV', 'ADD',
-                   'ENTRYPOINT', 'VOLUME', 'USER', 'WORKDIR']
-  STATUS_TEMPLATE = {
-    'total_commands': None,
-    'current_command': None,
-    'push_completion': 0.0,
-    'pull_completion': 0.0,
-  }
-
-  def __init__(self, redis_config, namespace, repository, test_build_id, allow_delegate=True):
-    super(TestBuildLogs, self).__init__(redis_config)
-    self.namespace = namespace
-    self.repository = repository
-    self.test_build_id = test_build_id
-    self.allow_delegate = allow_delegate
-    self.remaining_script = self._generate_script()
-    logger.debug('Total script size: %s', len(self.remaining_script))
-    self._logs = []
-
-    self._status = {}
-    self._last_status = {}
-
-  def advance_script(self, is_get_status):
-    (_, log, status_wrapper) = self.remaining_script.pop(0)
-    if log is not None:
-      self._logs.append(log)
-
-    if status_wrapper is not None:
-      (phase, status) = status_wrapper
-
-      if not is_get_status:
-        from data import model
-        build_obj = model.build.get_repository_build(self.test_build_id)
-        build_obj.phase = phase
-        build_obj.save()
-
-        self._status = status
-        self._last_status = status
-
-  def _generate_script(self):
-    script = []
-
-    # generate the init phase
-    script.append(self._generate_phase(400, 'initializing'))
-    script.extend(self._generate_logs(random.randint(1, 3)))
-
-    # move to the building phase
-    script.append(self._generate_phase(400, 'building'))
-    total_commands = random.randint(5, 20)
-    for command_num in range(1, total_commands + 1):
-      command_weight = random.randint(50, 100)
-      script.append(self._generate_command(command_num, total_commands, command_weight))
-
-      # we want 0 logs some percent of the time
-      num_logs = max(0, random.randint(-50, 400))
-      script.extend(self._generate_logs(num_logs))
-
-    # move to the pushing phase
-    script.append(self._generate_phase(400, 'pushing'))
-    script.extend(self._generate_push_statuses(total_commands))
-
-    # move to the error or complete phase
-    if random.randint(0, 1) == 0:
-      script.append(self._generate_phase(400, 'complete'))
-    else:
-      script.append(self._generate_phase(400, 'error'))
-      script.append((1, {'message': 'Something bad happened! Oh noes!',
-                         'type': self.ERROR}, None))
-
-    return script
-
-  def _generate_phase(self, start_weight, phase_name):
-    message = {
-      'message': phase_name,
-      'type': self.PHASE,
-      'datetime':  str(datetime.datetime.now())
+    COMMAND_TYPES = [
+        "FROM",
+        "MAINTAINER",
+        "RUN",
+        "CMD",
+        "EXPOSE",
+        "ENV",
+        "ADD",
+        "ENTRYPOINT",
+        "VOLUME",
+        "USER",
+        "WORKDIR",
+    ]
+    STATUS_TEMPLATE = {
+        "total_commands": None,
+        "current_command": None,
+        "push_completion": 0.0,
+        "pull_completion": 0.0,
     }
 
-    return (start_weight, message,
-            (phase_name, deepcopy(self.STATUS_TEMPLATE)))
+    def __init__(
+        self, redis_config, namespace, repository, test_build_id, allow_delegate=True
+    ):
+        super(TestBuildLogs, self).__init__(redis_config)
+        self.namespace = namespace
+        self.repository = repository
+        self.test_build_id = test_build_id
+        self.allow_delegate = allow_delegate
+        self.remaining_script = self._generate_script()
+        logger.debug("Total script size: %s", len(self.remaining_script))
+        self._logs = []
 
-  def _generate_command(self, command_num, total_commands, command_weight):
-    sentence = get_sentence()
-    command = random.choice(self.COMMAND_TYPES)
-    if command == 'FROM':
-      sentence = random.choice(['ubuntu', 'lopter/raring-base',
-                                'quay.io/devtable/simple',
-                                'quay.io/buynlarge/orgrepo',
-                                'stackbrew/ubuntu:precise'])
+        self._status = {}
+        self._last_status = {}
 
-    msg = {
-      'message': 'Step %s: %s %s' % (command_num, command, sentence),
-      'type': self.COMMAND,
-      'datetime':  str(datetime.datetime.now())
-    }
-    status = deepcopy(self.STATUS_TEMPLATE)
-    status['total_commands'] = total_commands
-    status['current_command'] = command_num
-    return (command_weight, msg, ('building', status))
+    def advance_script(self, is_get_status):
+        (_, log, status_wrapper) = self.remaining_script.pop(0)
+        if log is not None:
+            self._logs.append(log)
 
-  @staticmethod
-  def _generate_logs(count):
-    others = []
-    if random.randint(0, 10) <= 8:
-      premessage = {
-        'message': '\x1b[91m' + get_sentence(),
-        'data': {'datetime':  str(datetime.datetime.now())}
-      }
+        if status_wrapper is not None:
+            (phase, status) = status_wrapper
 
-      postmessage = {
-        'message': '\x1b[0m',
-        'data': {'datetime':  str(datetime.datetime.now())}
-      }
+            if not is_get_status:
+                from data import model
 
-      count = count - 2
-      others = [(1, premessage, None), (1, postmessage, None)]
+                build_obj = model.build.get_repository_build(self.test_build_id)
+                build_obj.phase = phase
+                build_obj.save()
 
-    def get_message():
-      return {
-        'message': get_sentence(),
-        'data': {'datetime':  str(datetime.datetime.now())}
-      }
+                self._status = status
+                self._last_status = status
 
-    return others + [(1, get_message(), None) for _ in range(count)]
+    def _generate_script(self):
+        script = []
 
-  @staticmethod
-  def _compute_total_completion(statuses, total_images):
-    percentage_with_sizes = float(len(statuses.values()))/total_images
-    sent_bytes = sum([status[u'current'] for status in statuses.values()])
-    total_bytes = sum([status[u'total'] for status in statuses.values()])
-    return float(sent_bytes)/total_bytes*percentage_with_sizes
+        # generate the init phase
+        script.append(self._generate_phase(400, "initializing"))
+        script.extend(self._generate_logs(random.randint(1, 3)))
 
-  @staticmethod
-  def _generate_push_statuses(total_commands):
-    push_status_template = deepcopy(TestBuildLogs.STATUS_TEMPLATE)
-    push_status_template['current_command'] = total_commands
-    push_status_template['total_commands'] = total_commands
+        # move to the building phase
+        script.append(self._generate_phase(400, "building"))
+        total_commands = random.randint(5, 20)
+        for command_num in range(1, total_commands + 1):
+            command_weight = random.randint(50, 100)
+            script.append(
+                self._generate_command(command_num, total_commands, command_weight)
+            )
 
-    push_statuses = []
+            # we want 0 logs some percent of the time
+            num_logs = max(0, random.randint(-50, 400))
+            script.extend(self._generate_logs(num_logs))
 
-    one_mb = 1 * 1024 * 1024
+        # move to the pushing phase
+        script.append(self._generate_phase(400, "pushing"))
+        script.extend(self._generate_push_statuses(total_commands))
 
-    num_images = random.randint(2, 7)
-    sizes = [random.randint(one_mb, one_mb * 5) for _ in range(num_images)]
+        # move to the error or complete phase
+        if random.randint(0, 1) == 0:
+            script.append(self._generate_phase(400, "complete"))
+        else:
+            script.append(self._generate_phase(400, "error"))
+            script.append(
+                (
+                    1,
+                    {"message": "Something bad happened! Oh noes!", "type": self.ERROR},
+                    None,
+                )
+            )
 
-    image_completion = {}
-    for image_num, image_size in enumerate(sizes):
-      image_id = 'image_id_%s' % image_num
+        return script
 
-      image_completion[image_id] = {
-        'current': 0,
-        'total': image_size,
-      }
+    def _generate_phase(self, start_weight, phase_name):
+        message = {
+            "message": phase_name,
+            "type": self.PHASE,
+            "datetime": str(datetime.datetime.now()),
+        }
 
-      for i in range(one_mb, image_size, one_mb):
-        image_completion[image_id]['current'] = i
-        new_status = deepcopy(push_status_template)
-        completion = TestBuildLogs._compute_total_completion(image_completion,
-                                                             num_images)
-        new_status['push_completion'] = completion
-        push_statuses.append((250, None, ('pushing', new_status)))
+        return (start_weight, message, (phase_name, deepcopy(self.STATUS_TEMPLATE)))
 
-    return push_statuses
+    def _generate_command(self, command_num, total_commands, command_weight):
+        sentence = get_sentence()
+        command = random.choice(self.COMMAND_TYPES)
+        if command == "FROM":
+            sentence = random.choice(
+                [
+                    "ubuntu",
+                    "lopter/raring-base",
+                    "quay.io/devtable/simple",
+                    "quay.io/buynlarge/orgrepo",
+                    "stackbrew/ubuntu:precise",
+                ]
+            )
 
-  @maybe_advance_script()
-  def get_log_entries(self, build_id, start_index):
-    if build_id == self.test_build_id:
-      return (len(self._logs), self._logs[start_index:])
-    elif not self.allow_delegate:
-      return None
-    else:
-      return super(TestBuildLogs, self).get_log_entries(build_id, start_index)
+        msg = {
+            "message": "Step %s: %s %s" % (command_num, command, sentence),
+            "type": self.COMMAND,
+            "datetime": str(datetime.datetime.now()),
+        }
+        status = deepcopy(self.STATUS_TEMPLATE)
+        status["total_commands"] = total_commands
+        status["current_command"] = command_num
+        return (command_weight, msg, ("building", status))
 
-  @maybe_advance_script(True)
-  def get_status(self, build_id):
-    if build_id == self.test_build_id:
-      returnable_status = self._last_status
-      self._last_status = self._status
-      return returnable_status
-    elif not self.allow_delegate:
-      return None
-    else:
-      return super(TestBuildLogs, self).get_status(build_id)
+    @staticmethod
+    def _generate_logs(count):
+        others = []
+        if random.randint(0, 10) <= 8:
+            premessage = {
+                "message": "\x1b[91m" + get_sentence(),
+                "data": {"datetime": str(datetime.datetime.now())},
+            }
 
-  def expire_log_entries(self, build_id):
-    if build_id == self.test_build_id:
-      return
-    if not self.allow_delegate:
-      return None
-    else:
-      return super(TestBuildLogs, self).expire_log_entries(build_id)
+            postmessage = {
+                "message": "\x1b[0m",
+                "data": {"datetime": str(datetime.datetime.now())},
+            }
 
-  def delete_log_entries(self, build_id):
-    if build_id == self.test_build_id:
-      return
-    if not self.allow_delegate:
-      return None
-    else:
-      return super(TestBuildLogs, self).delete_log_entries(build_id)
+            count = count - 2
+            others = [(1, premessage, None), (1, postmessage, None)]
+
+        def get_message():
+            return {
+                "message": get_sentence(),
+                "data": {"datetime": str(datetime.datetime.now())},
+            }
+
+        return others + [(1, get_message(), None) for _ in range(count)]
+
+    @staticmethod
+    def _compute_total_completion(statuses, total_images):
+        percentage_with_sizes = float(len(statuses.values())) / total_images
+        sent_bytes = sum([status[u"current"] for status in statuses.values()])
+        total_bytes = sum([status[u"total"] for status in statuses.values()])
+        return float(sent_bytes) / total_bytes * percentage_with_sizes
+
+    @staticmethod
+    def _generate_push_statuses(total_commands):
+        push_status_template = deepcopy(TestBuildLogs.STATUS_TEMPLATE)
+        push_status_template["current_command"] = total_commands
+        push_status_template["total_commands"] = total_commands
+
+        push_statuses = []
+
+        one_mb = 1 * 1024 * 1024
+
+        num_images = random.randint(2, 7)
+        sizes = [random.randint(one_mb, one_mb * 5) for _ in range(num_images)]
+
+        image_completion = {}
+        for image_num, image_size in enumerate(sizes):
+            image_id = "image_id_%s" % image_num
+
+            image_completion[image_id] = {"current": 0, "total": image_size}
+
+            for i in range(one_mb, image_size, one_mb):
+                image_completion[image_id]["current"] = i
+                new_status = deepcopy(push_status_template)
+                completion = TestBuildLogs._compute_total_completion(
+                    image_completion, num_images
+                )
+                new_status["push_completion"] = completion
+                push_statuses.append((250, None, ("pushing", new_status)))
+
+        return push_statuses
+
+    @maybe_advance_script()
+    def get_log_entries(self, build_id, start_index):
+        if build_id == self.test_build_id:
+            return (len(self._logs), self._logs[start_index:])
+        elif not self.allow_delegate:
+            return None
+        else:
+            return super(TestBuildLogs, self).get_log_entries(build_id, start_index)
+
+    @maybe_advance_script(True)
+    def get_status(self, build_id):
+        if build_id == self.test_build_id:
+            returnable_status = self._last_status
+            self._last_status = self._status
+            return returnable_status
+        elif not self.allow_delegate:
+            return None
+        else:
+            return super(TestBuildLogs, self).get_status(build_id)
+
+    def expire_log_entries(self, build_id):
+        if build_id == self.test_build_id:
+            return
+        if not self.allow_delegate:
+            return None
+        else:
+            return super(TestBuildLogs, self).expire_log_entries(build_id)
+
+    def delete_log_entries(self, build_id):
+        if build_id == self.test_build_id:
+            return
+        if not self.allow_delegate:
+            return None
+        else:
+            return super(TestBuildLogs, self).delete_log_entries(build_id)
diff --git a/tools/freeloaders.py b/tools/freeloaders.py
index c2ccc0f75..668618129 100644
--- a/tools/freeloaders.py
+++ b/tools/freeloaders.py
@@ -3,23 +3,33 @@ from data.database import User
 from app import billing as stripe
 from data.plans import get_plan
 
+
 def get_private_allowed(customer):
-  if not customer.stripe_id:
-    return 0
+    if not customer.stripe_id:
+        return 0
 
-  subscription = stripe.Customer.retrieve(customer.stripe_id).get('subscription', None)
-  if subscription is None:
-    return 0
+    subscription = stripe.Customer.retrieve(customer.stripe_id).get(
+        "subscription", None
+    )
+    if subscription is None:
+        return 0
+
+    plan = get_plan(subscription.plan.id)
+    return plan["privateRepos"]
 
-  plan = get_plan(subscription.plan.id)
-  return plan['privateRepos']
 
 # Find customers who have more private repositories than their plans allow
 users = User.select()
 
-usage = [(user.username, model.user.get_private_repo_count(user.username),
-          get_private_allowed(user)) for user in users]
+usage = [
+    (
+        user.username,
+        model.user.get_private_repo_count(user.username),
+        get_private_allowed(user),
+    )
+    for user in users
+]
 
 for username, used, allowed in usage:
-  if used > allowed:
-    print('Violation: %s %s > %s' % (username, used, allowed))
+    if used > allowed:
+        print ("Violation: %s %s > %s" % (username, used, allowed))
diff --git a/tools/generatekeypair.py b/tools/generatekeypair.py
index 82bda1141..ca3586b57 100644
--- a/tools/generatekeypair.py
+++ b/tools/generatekeypair.py
@@ -5,29 +5,30 @@ from Crypto.PublicKey import RSA
 from jwkest.jwk import RSAKey
 from util.security.fingerprint import canonical_kid
 
+
 def generate_key_pair(filename, kid=None):
-  private_key = RSA.generate(2048)
-  jwk = RSAKey(key=private_key.publickey()).serialize()
-  if kid is None:
-    kid = canonical_kid(jwk)
+    private_key = RSA.generate(2048)
+    jwk = RSAKey(key=private_key.publickey()).serialize()
+    if kid is None:
+        kid = canonical_kid(jwk)
 
-  print("Writing public key to %s.jwk" % filename)
-  with open('%s.jwk' % filename, mode='w') as f:
-    f.truncate(0)
-    f.write(json.dumps(jwk))
+    print ("Writing public key to %s.jwk" % filename)
+    with open("%s.jwk" % filename, mode="w") as f:
+        f.truncate(0)
+        f.write(json.dumps(jwk))
 
-  print("Writing key ID to %s.kid" % filename)
-  with open('%s.kid' % filename, mode='w') as f:
-    f.truncate(0)
-    f.write(kid)
+    print ("Writing key ID to %s.kid" % filename)
+    with open("%s.kid" % filename, mode="w") as f:
+        f.truncate(0)
+        f.write(kid)
 
-  print("Writing private key to %s.pem" % filename)
-  with open('%s.pem' % filename, mode='w') as f:
-    f.truncate(0)
-    f.write(private_key.exportKey())
+    print ("Writing private key to %s.pem" % filename)
+    with open("%s.pem" % filename, mode="w") as f:
+        f.truncate(0)
+        f.write(private_key.exportKey())
 
 
-parser = argparse.ArgumentParser(description='Generates a key pair into files')
-parser.add_argument('filename', help='The filename prefix for the generated key files')
+parser = argparse.ArgumentParser(description="Generates a key pair into files")
+parser.add_argument("filename", help="The filename prefix for the generated key files")
 args = parser.parse_args()
 generate_key_pair(args.filename)
diff --git a/tools/invoices.py b/tools/invoices.py
index 9a7028bc1..d1a2bea40 100644
--- a/tools/invoices.py
+++ b/tools/invoices.py
@@ -1,5 +1,6 @@
 import stripe as _stripe
-_stripe.api_version = '2016-06-15'
+
+_stripe.api_version = "2016-06-15"
 
 import logging
 import time
@@ -15,280 +16,310 @@ from app import billing as stripe
 
 
 def _format_timestamp(stripe_timestamp):
-  if stripe_timestamp is None:
-    return None
-  date_obj = date.fromtimestamp(stripe_timestamp)
-  return date_obj.strftime('%m/%d/%Y')
+    if stripe_timestamp is None:
+        return None
+    date_obj = date.fromtimestamp(stripe_timestamp)
+    return date_obj.strftime("%m/%d/%Y")
 
 
 def _format_money(stripe_money):
-  return stripe_money/100.0
+    return stripe_money / 100.0
 
 
 def _paginate_list(stripe_klass, num_days, **incoming_kwargs):
-  now = datetime.utcnow()
-  starting_from = now - timedelta(days=num_days)
-  starting_timestamp = str(int(time.mktime(starting_from.timetuple())))
-  created = {'gte': starting_timestamp}
+    now = datetime.utcnow()
+    starting_from = now - timedelta(days=num_days)
+    starting_timestamp = str(int(time.mktime(starting_from.timetuple())))
+    created = {"gte": starting_timestamp}
 
-  list_req_kwargs = dict(incoming_kwargs)
-  has_more = True
+    list_req_kwargs = dict(incoming_kwargs)
+    has_more = True
 
-  while has_more:
-    list_response = stripe_klass.list(limit=100, created=created, **list_req_kwargs)
+    while has_more:
+        list_response = stripe_klass.list(limit=100, created=created, **list_req_kwargs)
 
-    for list_response_item in list_response.data:
-      yield list_response_item
+        for list_response_item in list_response.data:
+            yield list_response_item
 
-    has_more = list_response.has_more
+        has_more = list_response.has_more
 
-    list_req_kwargs['starting_after'] = list_response_item.id
+        list_req_kwargs["starting_after"] = list_response_item.id
 
 
 def list_charges(num_days):
-  """ List all charges that have occurred in the past specified number of days.
+    """ List all charges that have occurred in the past specified number of days.
   """
 
-  for charge in _paginate_list(stripe.Charge, num_days, expand=['data.invoice']):
-    yield charge
+    for charge in _paginate_list(stripe.Charge, num_days, expand=["data.invoice"]):
+        yield charge
 
 
 def list_refunds(num_days):
-  """ List all refunds that have occurred in the past specified number of days.
+    """ List all refunds that have occurred in the past specified number of days.
   """
-  expand = ['data.charge', 'data.charge.invoice']
-  for refund in _paginate_list(stripe.Refund, num_days, expand=expand):
-    yield refund
+    expand = ["data.charge", "data.charge.invoice"]
+    for refund in _paginate_list(stripe.Refund, num_days, expand=expand):
+        yield refund
 
 
 def format_refund(refund):
-  """ Generator which will return one or more line items corresponding to the
+    """ Generator which will return one or more line items corresponding to the
       specified refund.
   """
-  refund_period_start = None
-  refund_period_end = None
-  invoice_iterable = expand_invoice(refund.charge.invoice, refund.charge.amount)
-  for _, period_start, period_end, _ in invoice_iterable:
-    if period_start is not None and (period_start < refund_period_start or
-                                     refund_period_start is None):
-      refund_period_start = period_start
-    if period_end is not None and (period_end > refund_period_end or
-                                   refund_period_end is None):
-      refund_period_end = period_end
+    refund_period_start = None
+    refund_period_end = None
+    invoice_iterable = expand_invoice(refund.charge.invoice, refund.charge.amount)
+    for _, period_start, period_end, _ in invoice_iterable:
+        if period_start is not None and (
+            period_start < refund_period_start or refund_period_start is None
+        ):
+            refund_period_start = period_start
+        if period_end is not None and (
+            period_end > refund_period_end or refund_period_end is None
+        ):
+            refund_period_end = period_end
+
+    card = refund.charge.source
+    yield (
+        refund.created,
+        [
+            _format_timestamp(refund.created),
+            _format_timestamp(refund_period_start),
+            _format_timestamp(refund_period_end),
+            _format_money(-1 * refund.amount),
+            "credit_card",
+            "Refunded",
+            None,
+            refund.id,
+            refund.charge.customer,
+            card.address_city,
+            card.address_state,
+            card.address_country,
+            card.address_zip,
+            card.country,
+        ],
+    )
 
-  card = refund.charge.source
-  yield (refund.created, [
-    _format_timestamp(refund.created),
-    _format_timestamp(refund_period_start),
-    _format_timestamp(refund_period_end),
-    _format_money(-1 * refund.amount),
-    'credit_card',
-    'Refunded',
-    None,
-    refund.id,
-    refund.charge.customer,
-    card.address_city,
-    card.address_state,
-    card.address_country,
-    card.address_zip,
-    card.country,
-  ])
 
 def _date_key(line_item):
-  return line_item.start, line_item.end
+    return line_item.start, line_item.end
 
 
 def expand_invoice(invoice, total_amount):
-  if invoice is None:
-    yield total_amount, None, None, None
-  else:
-    data_iter = groupby(invoice.lines.data, lambda li: (li.period.start, li.period.end))
-    for (period_start, period_end), line_items_iter in data_iter:
-      line_items = list(line_items_iter)
-      period_amount = sum(line_item.amount for line_item in line_items)
-      yield period_amount, period_start, period_end, line_items[-1].plan
+    if invoice is None:
+        yield total_amount, None, None, None
+    else:
+        data_iter = groupby(
+            invoice.lines.data, lambda li: (li.period.start, li.period.end)
+        )
+        for (period_start, period_end), line_items_iter in data_iter:
+            line_items = list(line_items_iter)
+            period_amount = sum(line_item.amount for line_item in line_items)
+            yield period_amount, period_start, period_end, line_items[-1].plan
 
 
 def format_charge(charge):
-  """ Generator which will return one or more line items corresponding to the
+    """ Generator which will return one or more line items corresponding to the
       line items for this charge.
       """
-  ch_status = 'Paid'
-  if charge.failure_code is not None:
-    ch_status = 'Failed'
+    ch_status = "Paid"
+    if charge.failure_code is not None:
+        ch_status = "Failed"
 
-  card = charge.source
+    card = charge.source
 
-  # Amount remaining to be accounted for
-  remaining_charge_amount = charge.amount
+    # Amount remaining to be accounted for
+    remaining_charge_amount = charge.amount
 
-  discount_start = sys.maxint
-  discount_end = sys.maxint
-  discount_percent = 0
-  try:
-    if charge.invoice and charge.invoice.discount:
-      discount_obj = charge.invoice.discount
-      assert discount_obj.coupon.amount_off is None
+    discount_start = sys.maxint
+    discount_end = sys.maxint
+    discount_percent = 0
+    try:
+        if charge.invoice and charge.invoice.discount:
+            discount_obj = charge.invoice.discount
+            assert discount_obj.coupon.amount_off is None
 
-      discount_start = discount_obj.start
-      discount_end = sys.maxint if not discount_obj.end else discount_obj.end
-      discount_percent = discount_obj.coupon.percent_off/100.0
-      assert discount_percent > 0
-  except AssertionError:
-    logging.exception('Discount of strange variety: %s', discount_obj)
-    raise
-
-  invoice_iterable = expand_invoice(charge.invoice, charge.amount)
-  for line_amount, period_start, period_end, plan in invoice_iterable:
-    yield (charge.created, [
-      _format_timestamp(charge.created),
-      _format_timestamp(period_start),
-      _format_timestamp(period_end),
-      _format_money(line_amount),
-      'credit_card',
-      ch_status,
-      plan.name if plan is not None else None,
-      charge.id,
-      charge.customer,
-      card.address_city,
-      card.address_state,
-      card.address_country,
-      card.address_zip,
-      card.country,
-    ])
-
-    remaining_charge_amount -= line_amount
-
-    # Assumption: a discount applies if the beginning of a subscription
-    # billing period is in the window when the discount is active.
-    # Assumption the second: A discount is inclusive at the start second
-    # and exclusive on the end second.
-    #
-    # I can't find docs or examples to prove or disprove either asusmption.
-    if period_start >= discount_start and period_start < discount_end:
-      discount_amount = -1 * line_amount * discount_percent
-
-      try:
-        assert period_start != discount_start
-      except AssertionError:
-        logging.exception('We found a line item which matches the discount start: %s',
-                          charge.id)
+            discount_start = discount_obj.start
+            discount_end = sys.maxint if not discount_obj.end else discount_obj.end
+            discount_percent = discount_obj.coupon.percent_off / 100.0
+            assert discount_percent > 0
+    except AssertionError:
+        logging.exception("Discount of strange variety: %s", discount_obj)
         raise
 
-      try:
-        assert period_start != discount_end
-      except AssertionError:
-        logging.exception('We found a line item which matches the discount end: %s',
-                          charge.id)
-        raise
+    invoice_iterable = expand_invoice(charge.invoice, charge.amount)
+    for line_amount, period_start, period_end, plan in invoice_iterable:
+        yield (
+            charge.created,
+            [
+                _format_timestamp(charge.created),
+                _format_timestamp(period_start),
+                _format_timestamp(period_end),
+                _format_money(line_amount),
+                "credit_card",
+                ch_status,
+                plan.name if plan is not None else None,
+                charge.id,
+                charge.customer,
+                card.address_city,
+                card.address_state,
+                card.address_country,
+                card.address_zip,
+                card.country,
+            ],
+        )
 
-      discount_name = 'Discount' if plan is None else '{} Discount'.format(plan.name)
+        remaining_charge_amount -= line_amount
 
-      yield (charge.created, [
-        _format_timestamp(charge.created),
-        _format_timestamp(period_start) if period_start is not None else None,
-        _format_timestamp(period_end) if period_end is not None else None,
-        _format_money(discount_amount),
-        'credit_card',
-        ch_status,
-        discount_name,
-        charge.id,
-        charge.customer,
-        card.address_city,
-        card.address_state,
-        card.address_country,
-        card.address_zip,
-        card.country,
-      ])
+        # Assumption: a discount applies if the beginning of a subscription
+        # billing period is in the window when the discount is active.
+        # Assumption the second: A discount is inclusive at the start second
+        # and exclusive on the end second.
+        #
+        # I can't find docs or examples to prove or disprove either asusmption.
+        if period_start >= discount_start and period_start < discount_end:
+            discount_amount = -1 * line_amount * discount_percent
 
-      remaining_charge_amount -= discount_amount
+            try:
+                assert period_start != discount_start
+            except AssertionError:
+                logging.exception(
+                    "We found a line item which matches the discount start: %s",
+                    charge.id,
+                )
+                raise
 
-  # Make sure our line items added up to the actual charge amount
-  if remaining_charge_amount != 0:
-    logging.warning('Unable to fully account (%s) for charge amount (%s): %s',
-                    remaining_charge_amount, charge.amount, charge.id)
+            try:
+                assert period_start != discount_end
+            except AssertionError:
+                logging.exception(
+                    "We found a line item which matches the discount end: %s", charge.id
+                )
+                raise
+
+            discount_name = (
+                "Discount" if plan is None else "{} Discount".format(plan.name)
+            )
+
+            yield (
+                charge.created,
+                [
+                    _format_timestamp(charge.created),
+                    _format_timestamp(period_start)
+                    if period_start is not None
+                    else None,
+                    _format_timestamp(period_end) if period_end is not None else None,
+                    _format_money(discount_amount),
+                    "credit_card",
+                    ch_status,
+                    discount_name,
+                    charge.id,
+                    charge.customer,
+                    card.address_city,
+                    card.address_state,
+                    card.address_country,
+                    card.address_zip,
+                    card.country,
+                ],
+            )
+
+            remaining_charge_amount -= discount_amount
+
+    # Make sure our line items added up to the actual charge amount
+    if remaining_charge_amount != 0:
+        logging.warning(
+            "Unable to fully account (%s) for charge amount (%s): %s",
+            remaining_charge_amount,
+            charge.amount,
+            charge.id,
+        )
 
 
 class _UnicodeWriter(object):
-  """
+    """
   A CSV writer which will write rows to CSV file "f",
   which is encoded in the given encoding.
   """
-  def __init__(self, f, dialect=csv.excel, encoding='utf-8', **kwds):
-    # Redirect output to a queue
-    self.queue = StringIO()
-    self.writer = csv.writer(self.queue, dialect=dialect, **kwds)
-    self.stream = f
-    self.encoder = codecs.getincrementalencoder(encoding)()
 
-  @staticmethod
-  def _encode_cell(cell):
-    if cell is None:
-      return cell
-    return unicode(cell).encode('utf-8')
+    def __init__(self, f, dialect=csv.excel, encoding="utf-8", **kwds):
+        # Redirect output to a queue
+        self.queue = StringIO()
+        self.writer = csv.writer(self.queue, dialect=dialect, **kwds)
+        self.stream = f
+        self.encoder = codecs.getincrementalencoder(encoding)()
 
-  def writerow(self, row):
-    self.writer.writerow([self._encode_cell(s) for s in row])
-    # Fetch UTF-8 output from the queue ...
-    data = self.queue.getvalue()
-    data = data.decode('utf-8')
-    # ... and reencode it into the target encoding
-    data = self.encoder.encode(data)
-    # write to the target stream
-    self.stream.write(data)
-    # empty queue
-    self.queue.truncate(0)
+    @staticmethod
+    def _encode_cell(cell):
+        if cell is None:
+            return cell
+        return unicode(cell).encode("utf-8")
+
+    def writerow(self, row):
+        self.writer.writerow([self._encode_cell(s) for s in row])
+        # Fetch UTF-8 output from the queue ...
+        data = self.queue.getvalue()
+        data = data.decode("utf-8")
+        # ... and reencode it into the target encoding
+        data = self.encoder.encode(data)
+        # write to the target stream
+        self.stream.write(data)
+        # empty queue
+        self.queue.truncate(0)
 
 
 def _merge_row_streams(*row_generators):
-  """ Descending merge sort of multiple row streams in the form of (tx_date, [row data]).
+    """ Descending merge sort of multiple row streams in the form of (tx_date, [row data]).
       Works recursively on an arbitrary number of row streams.
   """
-  if len(row_generators) == 1:
-    for only_candidate in row_generators[0]:
-      yield only_candidate
+    if len(row_generators) == 1:
+        for only_candidate in row_generators[0]:
+            yield only_candidate
 
-  else:
-    my_generator = row_generators[0]
-    other_generator = _merge_row_streams(*row_generators[1:])
+    else:
+        my_generator = row_generators[0]
+        other_generator = _merge_row_streams(*row_generators[1:])
 
-    other_done = False
-
-    try:
-      other_next = next(other_generator)
-    except StopIteration:
-      other_done = True
-
-    for my_next in my_generator:
-      while not other_done and other_next[0] > my_next[0]:
-        yield other_next
+        other_done = False
 
         try:
-          other_next = next(other_generator)
+            other_next = next(other_generator)
         except StopIteration:
-          other_done = True
-      yield my_next
+            other_done = True
 
-    for other_next in other_generator:
-      yield other_next
+        for my_next in my_generator:
+            while not other_done and other_next[0] > my_next[0]:
+                yield other_next
+
+                try:
+                    other_next = next(other_generator)
+                except StopIteration:
+                    other_done = True
+            yield my_next
+
+        for other_next in other_generator:
+            yield other_next
 
 
-if __name__ == '__main__':
-  logging.basicConfig(level=logging.WARN)
+if __name__ == "__main__":
+    logging.basicConfig(level=logging.WARN)
 
-  days = 30
-  if len(sys.argv) > 1:
-    days = int(sys.argv[1])
+    days = 30
+    if len(sys.argv) > 1:
+        days = int(sys.argv[1])
 
-  refund_rows = (refund_line_item
-                 for one_refund in list_refunds(days)
-                 for refund_line_item in format_refund(one_refund))
+    refund_rows = (
+        refund_line_item
+        for one_refund in list_refunds(days)
+        for refund_line_item in format_refund(one_refund)
+    )
 
-  rows = (line_item
-          for one_charge in list_charges(days)
-          for line_item in format_charge(one_charge))
+    rows = (
+        line_item
+        for one_charge in list_charges(days)
+        for line_item in format_charge(one_charge)
+    )
 
-  transaction_writer = _UnicodeWriter(sys.stdout)
-  for _, row in _merge_row_streams(refund_rows, rows):
-    transaction_writer.writerow(row)
-    sys.stdout.flush()
+    transaction_writer = _UnicodeWriter(sys.stdout)
+    for _, row in _merge_row_streams(refund_rows, rows):
+        transaction_writer.writerow(row)
+        sys.stdout.flush()
diff --git a/tools/migratebranchregex.py b/tools/migratebranchregex.py
index 791d2b477..67e0aa2e3 100644
--- a/tools/migratebranchregex.py
+++ b/tools/migratebranchregex.py
@@ -11,40 +11,46 @@ configure(app.config)
 
 logger = logging.getLogger(__name__)
 
+
 def run_branchregex_migration():
-  encountered = set()
-  while True:
-    found = list(RepositoryBuildTrigger.select().where(RepositoryBuildTrigger.config ** "%branch_regex%",
-                                                       ~(RepositoryBuildTrigger.config ** "%branchtag_regex%")))
-    found = [f for f in found if not f.uuid in encountered]
+    encountered = set()
+    while True:
+        found = list(
+            RepositoryBuildTrigger.select().where(
+                RepositoryBuildTrigger.config ** "%branch_regex%",
+                ~(RepositoryBuildTrigger.config ** "%branchtag_regex%"),
+            )
+        )
+        found = [f for f in found if not f.uuid in encountered]
 
-    if not found:
-      logger.debug('No additional records found')
-      return
+        if not found:
+            logger.debug("No additional records found")
+            return
 
-    logger.debug('Found %s records to be changed', len(found))
-    for trigger in found:
-      encountered.add(trigger.uuid)
+        logger.debug("Found %s records to be changed", len(found))
+        for trigger in found:
+            encountered.add(trigger.uuid)
 
-      try:
-        config = json.loads(trigger.config)
-      except:
-        logging.error("Cannot parse config for trigger %s", trigger.uuid)
-        continue
+            try:
+                config = json.loads(trigger.config)
+            except:
+                logging.error("Cannot parse config for trigger %s", trigger.uuid)
+                continue
 
-      logger.debug("Checking trigger %s", trigger.uuid)
-      existing_regex = config['branch_regex']
-      logger.debug("Found branch regex '%s'", existing_regex)
+            logger.debug("Checking trigger %s", trigger.uuid)
+            existing_regex = config["branch_regex"]
+            logger.debug("Found branch regex '%s'", existing_regex)
 
-      sub_regex = existing_regex.split('|')
-      new_regex = '|'.join(['heads/' + sub for sub in sub_regex])
-      config['branchtag_regex'] = new_regex
+            sub_regex = existing_regex.split("|")
+            new_regex = "|".join(["heads/" + sub for sub in sub_regex])
+            config["branchtag_regex"] = new_regex
+
+            logger.debug("Updating to branchtag regex '%s'", new_regex)
+            update_build_trigger(trigger, config)
 
-      logger.debug("Updating to branchtag regex '%s'", new_regex)
-      update_build_trigger(trigger, config)
 
 if __name__ == "__main__":
-  logging.basicConfig(level=logging.DEBUG)
-  logging.getLogger('boto').setLevel(logging.CRITICAL)
+    logging.basicConfig(level=logging.DEBUG)
+    logging.getLogger("boto").setLevel(logging.CRITICAL)
 
-  run_branchregex_migration()
+    run_branchregex_migration()
diff --git a/tools/relationships.py b/tools/relationships.py
index c2cad5de5..48bb1cdbb 100644
--- a/tools/relationships.py
+++ b/tools/relationships.py
@@ -2,43 +2,45 @@ from data.database import User, Repository, TeamMember
 
 
 def fix_ident(ident):
-  return str(ident).translate(None, '-/.')
+    return str(ident).translate(None, "-/.")
 
 
-with open('outfile.dot', 'w') as outfile:
-  outfile.write('digraph relationships {\n')
+with open("outfile.dot", "w") as outfile:
+    outfile.write("digraph relationships {\n")
 
-  for repo in Repository.select():
-    ns = fix_ident(repo.namespace_user.username)
-    outfile.write('%s_%s -> %s\n' % (ns, fix_ident(repo.name), ns))
+    for repo in Repository.select():
+        ns = fix_ident(repo.namespace_user.username)
+        outfile.write("%s_%s -> %s\n" % (ns, fix_ident(repo.name), ns))
 
-  teams_in_orgs = set()
+    teams_in_orgs = set()
 
-  for member in TeamMember.select():
-    if '+' in member.user.username:
-      continue
+    for member in TeamMember.select():
+        if "+" in member.user.username:
+            continue
 
-    org_name = fix_ident(member.team.organization.username)
+        org_name = fix_ident(member.team.organization.username)
 
-    team_to_org = (member.team.name, member.team.organization.username)
-    if not team_to_org in teams_in_orgs:
-      teams_in_orgs.add(team_to_org)
-      outfile.write('%s_%s -> %s\n' % (org_name, fix_ident(member.team.name),
-                                       org_name))
+        team_to_org = (member.team.name, member.team.organization.username)
+        if not team_to_org in teams_in_orgs:
+            teams_in_orgs.add(team_to_org)
+            outfile.write(
+                "%s_%s -> %s\n" % (org_name, fix_ident(member.team.name), org_name)
+            )
 
-    team_name = fix_ident(member.team.name)
+        team_name = fix_ident(member.team.name)
 
-    outfile.write('%s -> %s_%s\n' % (fix_ident(member.user.username), org_name,
-                                     team_name))
-    outfile.write('%s_%s [shape=box]\n' % (org_name, team_name))
+        outfile.write(
+            "%s -> %s_%s\n" % (fix_ident(member.user.username), org_name, team_name)
+        )
+        outfile.write("%s_%s [shape=box]\n" % (org_name, team_name))
 
-  for user in User.select():
-    if '+' in user.username:
-      continue
+    for user in User.select():
+        if "+" in user.username:
+            continue
 
-    if user.organization:
-      outfile.write('%s [shape=circle]\n' % fix_ident(user.username))
-    else:
-      outfile.write('%s [shape=triangle]\n' % fix_ident(user.username))
+        if user.organization:
+            outfile.write("%s [shape=circle]\n" % fix_ident(user.username))
+        else:
+            outfile.write("%s [shape=triangle]\n" % fix_ident(user.username))
 
-  outfile.write('}')
+    outfile.write("}")
diff --git a/util/__init__.py b/util/__init__.py
index 77f20ba27..abec1f5ec 100644
--- a/util/__init__.py
+++ b/util/__init__.py
@@ -1,19 +1,19 @@
-
 def get_app_url(config):
-  """ Returns the application's URL, based on the given config. """
-  return '%s://%s' % (config['PREFERRED_URL_SCHEME'], config['SERVER_HOSTNAME'])
+    """ Returns the application's URL, based on the given config. """
+    return "%s://%s" % (config["PREFERRED_URL_SCHEME"], config["SERVER_HOSTNAME"])
+
 
 def slash_join(*args):
-  """
+    """
   Joins together strings and guarantees there is only one '/' in between the
   each string joined. Double slashes ('//') are assumed to be intentional and
   are not deduplicated.
   """
-  def rmslash(path):
-    path = path[1:] if len(path) > 0 and path[0] == '/' else path
-    path = path[:-1] if len(path) > 0 and path[-1] == '/' else path
-    return path
 
-  args = [rmslash(path) for path in args]
-  return '/'.join(args)
+    def rmslash(path):
+        path = path[1:] if len(path) > 0 and path[0] == "/" else path
+        path = path[:-1] if len(path) > 0 and path[-1] == "/" else path
+        return path
 
+    args = [rmslash(path) for path in args]
+    return "/".join(args)
diff --git a/util/abchelpers.py b/util/abchelpers.py
index b1ba0b0f5..596ba982b 100644
--- a/util/abchelpers.py
+++ b/util/abchelpers.py
@@ -1,19 +1,21 @@
 class NoopIsANoopException(TypeError):
-  """ Raised if the nooper decorator is unnecessary on a class. """
-  pass
+    """ Raised if the nooper decorator is unnecessary on a class. """
+
+    pass
 
 
 def nooper(cls):
-  """ Decorates a class that derives from an ABCMeta, filling in any unimplemented methods with
+    """ Decorates a class that derives from an ABCMeta, filling in any unimplemented methods with
       no-ops.
   """
-  def empty_func(*args, **kwargs):
-    # pylint: disable=unused-argument
-    pass
 
-  empty_methods = {m_name: empty_func for m_name in cls.__abstractmethods__}
+    def empty_func(*args, **kwargs):
+        # pylint: disable=unused-argument
+        pass
 
-  if not empty_methods:
-    raise NoopIsANoopException('nooper implemented no abstract methods on %s' % cls)
+    empty_methods = {m_name: empty_func for m_name in cls.__abstractmethods__}
 
-  return type(cls.__name__, (cls,), empty_methods)
+    if not empty_methods:
+        raise NoopIsANoopException("nooper implemented no abstract methods on %s" % cls)
+
+    return type(cls.__name__, (cls,), empty_methods)
diff --git a/util/asyncwrapper.py b/util/asyncwrapper.py
index 2496a18ec..e85a8e09a 100644
--- a/util/asyncwrapper.py
+++ b/util/asyncwrapper.py
@@ -6,63 +6,67 @@ from concurrent.futures import Executor, Future, CancelledError
 
 
 class AsyncExecutorWrapper(object):
-  """ This class will wrap a syncronous library transparently in a way which
+    """ This class will wrap a syncronous library transparently in a way which
       will move all calls off to an asynchronous Executor, and will change all
       returned values to be Future objects.
   """
-  SYNC_FLAG_FIELD = '__AsyncExecutorWrapper__sync__'
 
-  def __init__(self, delegate, executor):
-    """ Wrap the specified synchronous delegate instance, and submit() all
+    SYNC_FLAG_FIELD = "__AsyncExecutorWrapper__sync__"
+
+    def __init__(self, delegate, executor):
+        """ Wrap the specified synchronous delegate instance, and submit() all
         method calls to the specified Executor instance.
     """
-    self._delegate = delegate
-    self._executor = executor
+        self._delegate = delegate
+        self._executor = executor
 
-  def __getattr__(self, attr_name):
-    maybe_callable = getattr(self._delegate, attr_name) # Will raise proper attribute error
-    if callable(maybe_callable):
-      # Build a callable which when executed places the request
-      # onto a queue
-      @wraps(maybe_callable)
-      def wrapped_method(*args, **kwargs):
-        if getattr(maybe_callable, self.SYNC_FLAG_FIELD, False):
-          sync_result = Future()
-          try:
-            sync_result.set_result(maybe_callable(*args, **kwargs))
-          except Exception as ex:
-            sync_result.set_exception(ex)
-          return sync_result
+    def __getattr__(self, attr_name):
+        maybe_callable = getattr(
+            self._delegate, attr_name
+        )  # Will raise proper attribute error
+        if callable(maybe_callable):
+            # Build a callable which when executed places the request
+            # onto a queue
+            @wraps(maybe_callable)
+            def wrapped_method(*args, **kwargs):
+                if getattr(maybe_callable, self.SYNC_FLAG_FIELD, False):
+                    sync_result = Future()
+                    try:
+                        sync_result.set_result(maybe_callable(*args, **kwargs))
+                    except Exception as ex:
+                        sync_result.set_exception(ex)
+                    return sync_result
 
-        try:
-          return self._executor.submit(maybe_callable, *args, **kwargs)
-        except queue.Full as ex:
-          queue_full = Future()
-          queue_full.set_exception(ex)
-          return queue_full
+                try:
+                    return self._executor.submit(maybe_callable, *args, **kwargs)
+                except queue.Full as ex:
+                    queue_full = Future()
+                    queue_full.set_exception(ex)
+                    return queue_full
 
-      return wrapped_method
-    else:
-      return maybe_callable
+            return wrapped_method
+        else:
+            return maybe_callable
 
-  @classmethod
-  def sync(cls, f):
-    """ Annotate the given method to flag it as synchronous so that AsyncExecutorWrapper
+    @classmethod
+    def sync(cls, f):
+        """ Annotate the given method to flag it as synchronous so that AsyncExecutorWrapper
         will return the result immediately without submitting it to the executor.
     """
-    setattr(f, cls.SYNC_FLAG_FIELD, True)
-    return f
+        setattr(f, cls.SYNC_FLAG_FIELD, True)
+        return f
 
 
 class NullExecutorCancelled(CancelledError):
-  def __init__(self):
-    super(NullExecutorCancelled, self).__init__('Null executor always fails.')
+    def __init__(self):
+        super(NullExecutorCancelled, self).__init__("Null executor always fails.")
 
 
 class NullExecutor(Executor):
-  """ Executor instance which always returns a Future completed with a
+    """ Executor instance which always returns a Future completed with a
       CancelledError exception. """
-  def submit(self, _, *args, **kwargs):
-    always_fail = Future()
-    always_fail.set_exception(NullExecutorCancelled())
-    return always_fail
+
+    def submit(self, _, *args, **kwargs):
+        always_fail = Future()
+        always_fail.set_exception(NullExecutorCancelled())
+        return always_fail
diff --git a/util/audit.py b/util/audit.py
index 4f2752970..6d3c3216e 100644
--- a/util/audit.py
+++ b/util/audit.py
@@ -15,76 +15,88 @@ from data.readreplica import ReadOnlyModeException
 
 logger = logging.getLogger(__name__)
 
-Repository = namedtuple('Repository', ['namespace_name', 'name', 'id', 'is_free_namespace'])
+Repository = namedtuple(
+    "Repository", ["namespace_name", "name", "id", "is_free_namespace"]
+)
+
 
 def wrap_repository(repo_obj):
-  return Repository(namespace_name=repo_obj.namespace_user.username, name=repo_obj.name,
-                    id=repo_obj.id, is_free_namespace=repo_obj.namespace_user.stripe_id is None)
+    return Repository(
+        namespace_name=repo_obj.namespace_user.username,
+        name=repo_obj.name,
+        id=repo_obj.id,
+        is_free_namespace=repo_obj.namespace_user.stripe_id is None,
+    )
 
 
-def track_and_log(event_name, repo_obj, analytics_name=None, analytics_sample=1, **kwargs):
-  repo_name = repo_obj.name
-  namespace_name = repo_obj.namespace_name
-  metadata = {
-    'repo': repo_name,
-    'namespace': namespace_name,
-  }
-  metadata.update(kwargs)
+def track_and_log(
+    event_name, repo_obj, analytics_name=None, analytics_sample=1, **kwargs
+):
+    repo_name = repo_obj.name
+    namespace_name = repo_obj.namespace_name
+    metadata = {"repo": repo_name, "namespace": namespace_name}
+    metadata.update(kwargs)
 
-  is_free_namespace = False
-  if hasattr(repo_obj, 'is_free_namespace'):
-    is_free_namespace = repo_obj.is_free_namespace
+    is_free_namespace = False
+    if hasattr(repo_obj, "is_free_namespace"):
+        is_free_namespace = repo_obj.is_free_namespace
 
-  # Add auth context metadata.
-  analytics_id = 'anonymous'
-  auth_context = get_authenticated_context()
-  if auth_context is not None:
-    analytics_id, context_metadata = auth_context.analytics_id_and_public_metadata()
-    metadata.update(context_metadata)
+    # Add auth context metadata.
+    analytics_id = "anonymous"
+    auth_context = get_authenticated_context()
+    if auth_context is not None:
+        analytics_id, context_metadata = auth_context.analytics_id_and_public_metadata()
+        metadata.update(context_metadata)
 
-  # Publish the user event (if applicable)
-  logger.debug('Checking publishing %s to the user events system', event_name)
-  if auth_context and auth_context.has_nonrobot_user:
-    logger.debug('Publishing %s to the user events system', event_name)
-    user_event_data = {
-      'action': event_name,
-      'repository': repo_name,
-      'namespace': namespace_name,
-    }
+    # Publish the user event (if applicable)
+    logger.debug("Checking publishing %s to the user events system", event_name)
+    if auth_context and auth_context.has_nonrobot_user:
+        logger.debug("Publishing %s to the user events system", event_name)
+        user_event_data = {
+            "action": event_name,
+            "repository": repo_name,
+            "namespace": namespace_name,
+        }
 
-    event = userevents.get_event(auth_context.authed_user.username)
-    event.publish_event_data('docker-cli', user_event_data)
+        event = userevents.get_event(auth_context.authed_user.username)
+        event.publish_event_data("docker-cli", user_event_data)
 
-  # Save the action to mixpanel.
-  if random.random() < analytics_sample:
-    if analytics_name is None:
-      analytics_name = event_name
+    # Save the action to mixpanel.
+    if random.random() < analytics_sample:
+        if analytics_name is None:
+            analytics_name = event_name
 
-    logger.debug('Logging the %s to analytics engine', analytics_name)
+        logger.debug("Logging the %s to analytics engine", analytics_name)
 
-    request_parsed = urlparse(request.url_root)
-    extra_params = {
-      'repository': '%s/%s' % (namespace_name, repo_name),
-      'user-agent': request.user_agent.string,
-      'hostname': request_parsed.hostname,
-    }
+        request_parsed = urlparse(request.url_root)
+        extra_params = {
+            "repository": "%s/%s" % (namespace_name, repo_name),
+            "user-agent": request.user_agent.string,
+            "hostname": request_parsed.hostname,
+        }
 
-    analytics.track(analytics_id, analytics_name, extra_params)
+        analytics.track(analytics_id, analytics_name, extra_params)
 
-  # Add the resolved information to the metadata.
-  logger.debug('Resolving IP address %s', get_request_ip())
-  resolved_ip = ip_resolver.resolve_ip(get_request_ip())
-  if resolved_ip is not None:
-    metadata['resolved_ip'] = resolved_ip._asdict()
+    # Add the resolved information to the metadata.
+    logger.debug("Resolving IP address %s", get_request_ip())
+    resolved_ip = ip_resolver.resolve_ip(get_request_ip())
+    if resolved_ip is not None:
+        metadata["resolved_ip"] = resolved_ip._asdict()
 
-  logger.debug('Resolved IP address %s', get_request_ip())
+    logger.debug("Resolved IP address %s", get_request_ip())
 
-  # Log the action to the database.
-  logger.debug('Logging the %s to logs system', event_name)
-  try:
-    logs_model.log_action(event_name, namespace_name, performer=get_authenticated_user(),
-                          ip=get_request_ip(), metadata=metadata, repository=repo_obj,
-                          is_free_namespace=is_free_namespace)
-    logger.debug('Track and log of %s complete', event_name)
-  except ReadOnlyModeException:
-    pass
+    # Log the action to the database.
+    logger.debug("Logging the %s to logs system", event_name)
+    try:
+        logs_model.log_action(
+            event_name,
+            namespace_name,
+            performer=get_authenticated_user(),
+            ip=get_request_ip(),
+            metadata=metadata,
+            repository=repo_obj,
+            is_free_namespace=is_free_namespace,
+        )
+        logger.debug("Track and log of %s complete", event_name)
+    except ReadOnlyModeException:
+        pass
diff --git a/util/backoff.py b/util/backoff.py
index 15429936e..cd47eb03f 100644
--- a/util/backoff.py
+++ b/util/backoff.py
@@ -1,5 +1,5 @@
 def exponential_backoff(attempts, scaling_factor, base):
-  backoff = 5 * (pow(2, attempts) - 1)
-  backoff_time = backoff * scaling_factor
-  retry_at = backoff_time/10 + base
-  return retry_at
+    backoff = 5 * (pow(2, attempts) - 1)
+    backoff_time = backoff * scaling_factor
+    retry_at = backoff_time / 10 + base
+    return retry_at
diff --git a/util/bytes.py b/util/bytes.py
index edf5531d7..869398f2a 100644
--- a/util/bytes.py
+++ b/util/bytes.py
@@ -1,32 +1,33 @@
 class Bytes(object):
-  """ Wrapper around strings and unicode objects to ensure we are always using
+    """ Wrapper around strings and unicode objects to ensure we are always using
       the correct encoded or decoded data.
   """
-  def __init__(self, data):
-    assert isinstance(data, str)
-    self._encoded_data = data
 
-  @classmethod
-  def for_string_or_unicode(cls, input):
-    # If the string is a unicode string, then encode its data as UTF-8. Note that
-    # we don't catch any decode exceptions here, as we want those to be raised.
-    if isinstance(input, unicode):
-      return Bytes(input.encode('utf-8'))
+    def __init__(self, data):
+        assert isinstance(data, str)
+        self._encoded_data = data
 
-    # Next, try decoding as UTF-8. If we have a utf-8 encoded string, then we have no
-    # additional conversion to do.
-    try:
-      input.decode('utf-8')
-      return Bytes(input)
-    except UnicodeDecodeError:
-      pass
+    @classmethod
+    def for_string_or_unicode(cls, input):
+        # If the string is a unicode string, then encode its data as UTF-8. Note that
+        # we don't catch any decode exceptions here, as we want those to be raised.
+        if isinstance(input, unicode):
+            return Bytes(input.encode("utf-8"))
 
-    # Finally, if the data is (somehow) a unicode string inside a `str` type, then
-    # re-encoded the data.
-    return Bytes(input.encode('utf-8'))
+        # Next, try decoding as UTF-8. If we have a utf-8 encoded string, then we have no
+        # additional conversion to do.
+        try:
+            input.decode("utf-8")
+            return Bytes(input)
+        except UnicodeDecodeError:
+            pass
 
-  def as_encoded_str(self):
-    return self._encoded_data
+        # Finally, if the data is (somehow) a unicode string inside a `str` type, then
+        # re-encoded the data.
+        return Bytes(input.encode("utf-8"))
 
-  def as_unicode(self):
-    return self._encoded_data.decode('utf-8')
+    def as_encoded_str(self):
+        return self._encoded_data
+
+    def as_unicode(self):
+        return self._encoded_data.decode("utf-8")
diff --git a/util/cache.py b/util/cache.py
index 64f626539..28933e5fe 100644
--- a/util/cache.py
+++ b/util/cache.py
@@ -4,33 +4,38 @@ from flask_restful.utils import unpack
 
 
 def cache_control(max_age=55):
-  def wrap(f):
-    @wraps(f)
-    def add_max_age(*args, **kwargs):
-      response = f(*args, **kwargs)
-      response.headers['Cache-Control'] = 'max-age=%d' % max_age
-      return response
-    return add_max_age
-  return wrap
+    def wrap(f):
+        @wraps(f)
+        def add_max_age(*args, **kwargs):
+            response = f(*args, **kwargs)
+            response.headers["Cache-Control"] = "max-age=%d" % max_age
+            return response
+
+        return add_max_age
+
+    return wrap
 
 
 def cache_control_flask_restful(max_age=55):
-  def wrap(f):
-    @wraps(f)
-    def add_max_age(*args, **kwargs):
-      response = f(*args, **kwargs)
-      body, status_code, headers = unpack(response)
-      headers['Cache-Control'] = 'max-age=%d' % max_age
-      return body, status_code, headers
-    return add_max_age
-  return wrap
+    def wrap(f):
+        @wraps(f)
+        def add_max_age(*args, **kwargs):
+            response = f(*args, **kwargs)
+            body, status_code, headers = unpack(response)
+            headers["Cache-Control"] = "max-age=%d" % max_age
+            return body, status_code, headers
+
+        return add_max_age
+
+    return wrap
 
 
 def no_cache(f):
-  @wraps(f)
-  def add_no_cache(*args, **kwargs):
-    response = f(*args, **kwargs)
-    if response is not None:
-      response.headers['Cache-Control'] = 'no-cache, no-store, must-revalidate'
-    return response
-  return add_no_cache
+    @wraps(f)
+    def add_no_cache(*args, **kwargs):
+        response = f(*args, **kwargs)
+        if response is not None:
+            response.headers["Cache-Control"] = "no-cache, no-store, must-revalidate"
+        return response
+
+    return add_no_cache
diff --git a/util/canonicaljson.py b/util/canonicaljson.py
index 17f61df8d..6796edc29 100644
--- a/util/canonicaljson.py
+++ b/util/canonicaljson.py
@@ -1,7 +1,8 @@
 import collections
 
+
 def canonicalize(json_obj):
-  """This function canonicalizes a Python object that will be serialized as JSON.
+    """This function canonicalizes a Python object that will be serialized as JSON.
 
   Args:
     json_obj (object): the Python object that will later be serialized as JSON.
@@ -10,9 +11,11 @@ def canonicalize(json_obj):
     object: json_obj now sorted to its canonical form.
 
   """
-  if isinstance(json_obj, collections.MutableMapping):
-    sorted_obj = sorted({key: canonicalize(val) for key, val in json_obj.items()}.items())
-    return collections.OrderedDict(sorted_obj)
-  elif isinstance(json_obj, (list, tuple)):
-    return [canonicalize(val) for val in json_obj]
-  return json_obj
+    if isinstance(json_obj, collections.MutableMapping):
+        sorted_obj = sorted(
+            {key: canonicalize(val) for key, val in json_obj.items()}.items()
+        )
+        return collections.OrderedDict(sorted_obj)
+    elif isinstance(json_obj, (list, tuple)):
+        return [canonicalize(val) for val in json_obj]
+    return json_obj
diff --git a/util/config/__init__.py b/util/config/__init__.py
index cbb177ff9..85dfc248a 100644
--- a/util/config/__init__.py
+++ b/util/config/__init__.py
@@ -1,29 +1,29 @@
 class URLSchemeAndHostname:
-  """
+    """
   Immutable configuration for a given preferred url scheme (e.g. http or https), and a hostname (e.g. localhost:5000)
   """
-  def __init__(self, url_scheme, hostname):
-    self._url_scheme = url_scheme
-    self._hostname = hostname
 
-  @classmethod
-  def from_app_config(cls, app_config):
-    """
+    def __init__(self, url_scheme, hostname):
+        self._url_scheme = url_scheme
+        self._hostname = hostname
+
+    @classmethod
+    def from_app_config(cls, app_config):
+        """
     Helper method to instantiate class from app config, a frequent pattern
     :param app_config:
     :return:
     """
-    return cls(app_config['PREFERRED_URL_SCHEME'], app_config['SERVER_HOSTNAME'])
+        return cls(app_config["PREFERRED_URL_SCHEME"], app_config["SERVER_HOSTNAME"])
 
-  @property
-  def url_scheme(self):
-    return self._url_scheme
+    @property
+    def url_scheme(self):
+        return self._url_scheme
 
-  @property
-  def hostname(self):
-    return self._hostname
-
-  def get_url(self):
-    """ Returns the application's URL, based on the given url scheme and hostname. """
-    return '%s://%s' % (self._url_scheme, self._hostname)
+    @property
+    def hostname(self):
+        return self._hostname
 
+    def get_url(self):
+        """ Returns the application's URL, based on the given url scheme and hostname. """
+        return "%s://%s" % (self._url_scheme, self._hostname)
diff --git a/util/config/configdocs/configdoc.py b/util/config/configdocs/configdoc.py
index d73a8b5cd..406933c52 100644
--- a/util/config/configdocs/configdoc.py
+++ b/util/config/configdocs/configdoc.py
@@ -11,26 +11,29 @@ from util.config.schema import CONFIG_SCHEMA
 
 
 def make_custom_sort(orders):
-  """ Sort in a specified order any dictionary nested in a complex structure """
+    """ Sort in a specified order any dictionary nested in a complex structure """
+
+    orders = [{k: -i for (i, k) in enumerate(reversed(order), 1)} for order in orders]
+
+    def process(stuff):
+        if isinstance(stuff, dict):
+            l = [(k, process(v)) for (k, v) in stuff.iteritems()]
+            keys = set(stuff)
+            for order in orders:
+                if keys.issubset(order) or keys.issuperset(order):
+                    return OrderedDict(sorted(l, key=lambda x: order.get(x[0], 0)))
+            return OrderedDict(sorted(l))
+        if isinstance(stuff, list):
+            return [process(x) for x in stuff]
+        return stuff
+
+    return process
 
-  orders = [{k: -i for (i, k) in enumerate(reversed(order), 1)} for order in orders]
-  def process(stuff):
-    if isinstance(stuff, dict):
-      l = [(k, process(v)) for (k, v) in stuff.iteritems()]
-      keys = set(stuff)
-      for order in orders:
-        if keys.issubset(order) or keys.issuperset(order):
-          return OrderedDict(sorted(l, key=lambda x: order.get(x[0], 0)))
-      return OrderedDict(sorted(l))
-    if isinstance(stuff, list):
-      return [process(x) for x in stuff]
-    return stuff
-  return process
 
 SCHEMA_HTML_FILE = "schema.html"
 
-schema = json.dumps(CONFIG_SCHEMA, sort_keys = True)
-schema = json.loads(schema, object_pairs_hook = OrderedDict)
+schema = json.dumps(CONFIG_SCHEMA, sort_keys=True)
+schema = json.loads(schema, object_pairs_hook=OrderedDict)
 
 req = sorted(schema["required"])
 custom_sort = make_custom_sort([req])
@@ -39,5 +42,5 @@ schema = custom_sort(schema)
 parsed_items = docsmodel.DocsModel().parse(schema)[1:]
 output = html_output.HtmlOutput().generate_output(parsed_items)
 
-with open(SCHEMA_HTML_FILE, 'wt') as f:
-  f.write(output)
+with open(SCHEMA_HTML_FILE, "wt") as f:
+    f.write(output)
diff --git a/util/config/configdocs/docsmodel.py b/util/config/configdocs/docsmodel.py
index ebf8e0264..0848f0e88 100644
--- a/util/config/configdocs/docsmodel.py
+++ b/util/config/configdocs/docsmodel.py
@@ -1,93 +1,93 @@
 import json
 import collections
 
-class ParsedItem(dict):
-  """ Parsed Schema item """
 
-  def __init__(self, json_object, name, required, level):
-    """Fills dict with basic item information"""
-    super(ParsedItem, self).__init__()
-    self['name'] = name
-    self['title'] = json_object.get('title', '')
-    self['type'] = json_object.get('type')
-    self['description'] = json_object.get('description', '')
-    self['level'] = level
-    self['required'] = required
-    self['x-reference'] = json_object.get('x-reference', '')
-    self['x-example'] = json_object.get('x-example', '')
-    self['pattern'] = json_object.get('pattern', '')
-    self['enum'] = json_object.get('enum', '')
+class ParsedItem(dict):
+    """ Parsed Schema item """
+
+    def __init__(self, json_object, name, required, level):
+        """Fills dict with basic item information"""
+        super(ParsedItem, self).__init__()
+        self["name"] = name
+        self["title"] = json_object.get("title", "")
+        self["type"] = json_object.get("type")
+        self["description"] = json_object.get("description", "")
+        self["level"] = level
+        self["required"] = required
+        self["x-reference"] = json_object.get("x-reference", "")
+        self["x-example"] = json_object.get("x-example", "")
+        self["pattern"] = json_object.get("pattern", "")
+        self["enum"] = json_object.get("enum", "")
+
 
 class DocsModel:
-  """ Documentation model and Schema Parser """
+    """ Documentation model and Schema Parser """
 
-  def __init__(self):
-    self.__parsed_items = None
+    def __init__(self):
+        self.__parsed_items = None
 
-  def parse(self, json_object):
-    """ Returns multi-level list of recursively parsed items """
+    def parse(self, json_object):
+        """ Returns multi-level list of recursively parsed items """
 
-    self.__parsed_items = list()
-    self.__parse_schema(json_object, 'root', True, 0)
-    return self.__parsed_items
+        self.__parsed_items = list()
+        self.__parse_schema(json_object, "root", True, 0)
+        return self.__parsed_items
 
-  def __parse_schema(self, schema, name, required, level):
-    """ Parses schema, which type is object, array or leaf.
+    def __parse_schema(self, schema, name, required, level):
+        """ Parses schema, which type is object, array or leaf.
     Appends new ParsedItem to self.__parsed_items lis """
-    parsed_item = ParsedItem(schema, name, required, level)
-    self.__parsed_items.append(parsed_item)
-    required = schema.get('required', [])
+        parsed_item = ParsedItem(schema, name, required, level)
+        self.__parsed_items.append(parsed_item)
+        required = schema.get("required", [])
 
-    if 'enum' in schema:
-      parsed_item['item'] = schema.get('enum')
-    item_type = schema.get('type')
-    if item_type == 'object' and name != 'DISTRIBUTED_STORAGE_CONFIG':
-      self.__parse_object(parsed_item, schema, required, level)
-    elif item_type == 'array':
-      self.__parse_array(parsed_item, schema, required, level)
-    else:
-      parse_leaf(parsed_item, schema)
+        if "enum" in schema:
+            parsed_item["item"] = schema.get("enum")
+        item_type = schema.get("type")
+        if item_type == "object" and name != "DISTRIBUTED_STORAGE_CONFIG":
+            self.__parse_object(parsed_item, schema, required, level)
+        elif item_type == "array":
+            self.__parse_array(parsed_item, schema, required, level)
+        else:
+            parse_leaf(parsed_item, schema)
 
-  def __parse_object(self, parsed_item, schema, required, level):
-    """ Parses schema of type object """
-    for key, value in schema.get('properties', {}).items():
-      self.__parse_schema(value, key, key in required, level + 1)
+    def __parse_object(self, parsed_item, schema, required, level):
+        """ Parses schema of type object """
+        for key, value in schema.get("properties", {}).items():
+            self.__parse_schema(value, key, key in required, level + 1)
 
-  def __parse_array(self, parsed_item, schema, required, level):
-    """ Parses schema of type array """
-    items = schema.get('items')
-    parsed_item['minItems'] = schema.get('minItems', None)
-    parsed_item['maxItems'] = schema.get('maxItems', None)
-    parsed_item['uniqueItems'] = schema.get('uniqueItems', False)
-    if isinstance(items, dict):
-      # item is single schema describing all elements in an array
-      self.__parse_schema(
-            items,
-            'array item',
-            required,
-            level + 1)
+    def __parse_array(self, parsed_item, schema, required, level):
+        """ Parses schema of type array """
+        items = schema.get("items")
+        parsed_item["minItems"] = schema.get("minItems", None)
+        parsed_item["maxItems"] = schema.get("maxItems", None)
+        parsed_item["uniqueItems"] = schema.get("uniqueItems", False)
+        if isinstance(items, dict):
+            # item is single schema describing all elements in an array
+            self.__parse_schema(items, "array item", required, level + 1)
+
+        elif isinstance(items, list):
+            # item is a list of schemas
+            for index, list_item in enumerate(items):
+                self.__parse_schema(
+                    list_item,
+                    "array item {}".format(index),
+                    index in required,
+                    level + 1,
+                )
 
-    elif isinstance(items, list):
-      # item is a list of schemas
-      for index, list_item in enumerate(items):
-        self.__parse_schema(
-                  list_item,
-                  'array item {}'.format(index),
-                  index in required,
-                  level + 1)
 
 def parse_leaf(parsed_item, schema):
-  """ Parses schema of a number and a string """
-  if parsed_item['name'] != 'root':
-    parsed_item['description'] = schema.get('description','')
-    parsed_item['x-reference'] = schema.get('x-reference','')
-    parsed_item['pattern'] = schema.get('pattern','')
-    parsed_item['enum'] = ", ".join(schema.get('enum','')).encode()
+    """ Parses schema of a number and a string """
+    if parsed_item["name"] != "root":
+        parsed_item["description"] = schema.get("description", "")
+        parsed_item["x-reference"] = schema.get("x-reference", "")
+        parsed_item["pattern"] = schema.get("pattern", "")
+        parsed_item["enum"] = ", ".join(schema.get("enum", "")).encode()
 
-    ex = schema.get('x-example', '')
-    if isinstance(ex, list):
-      parsed_item['x-example'] = ", ".join(ex).encode()
-    elif isinstance(ex, collections.OrderedDict):
-      parsed_item['x-example'] = json.dumps(ex)
-    else:
-      parsed_item['x-example'] = ex
+        ex = schema.get("x-example", "")
+        if isinstance(ex, list):
+            parsed_item["x-example"] = ", ".join(ex).encode()
+        elif isinstance(ex, collections.OrderedDict):
+            parsed_item["x-example"] = json.dumps(ex)
+        else:
+            parsed_item["x-example"] = ex
diff --git a/util/config/configdocs/html_output.py b/util/config/configdocs/html_output.py
index 6b0cad921..dd461da54 100644
--- a/util/config/configdocs/html_output.py
+++ b/util/config/configdocs/html_output.py
@@ -1,63 +1,102 @@
 class HtmlOutput:
-  """ Generates HTML from documentation model """
+    """ Generates HTML from documentation model """
 
-  def __init__(self):
-    pass
+    def __init__(self):
+        pass
 
-  def generate_output(self, parsed_items):
-    """Returns generated HTML strin"""
-    return self.__get_html_begin() + \
-        self.__get_html_middle(parsed_items) + \
-        self.__get_html_end()
+    def generate_output(self, parsed_items):
+        """Returns generated HTML strin"""
+        return (
+            self.__get_html_begin()
+            + self.__get_html_middle(parsed_items)
+            + self.__get_html_end()
+        )
 
-  def __get_html_begin(self):
-    return '<!DOCTYPE html>\n<html>\n<head>\n<link rel="stylesheet" type="text/css" href="style.css" />\n</head>\n<body>\n'
+    def __get_html_begin(self):
+        return '<!DOCTYPE html>\n<html>\n<head>\n<link rel="stylesheet" type="text/css" href="style.css" />\n</head>\n<body>\n'
 
-  def __get_html_end(self):
-    return '</body>\n</html>'
+    def __get_html_end(self):
+        return "</body>\n</html>"
 
-  def __get_html_middle(self, parsed_items):
-    output = ''
-    root_item = parsed_items[0]
+    def __get_html_middle(self, parsed_items):
+        output = ""
+        root_item = parsed_items[0]
 
-    #output += '<h1 class="root_title">{}</h1>\n'.format(root_item['title'])
-    #output += '<h1 class="root_title">{}</h1>\n'.format(root_item['title'])
-    output +=  "Schema for Red Hat Quay"
+        # output += '<h1 class="root_title">{}</h1>\n'.format(root_item['title'])
+        # output += '<h1 class="root_title">{}</h1>\n'.format(root_item['title'])
+        output += "Schema for Red Hat Quay"
 
-    output += '<ul class="level0">\n'
-    last_level = 0
-    is_root = True
-    for item in parsed_items:
-      level = item['level'] - 1
-      if last_level < level:
-        output += '<ul class="level{}">\n'.format(level)
-      for i  in range(last_level - level):
-        output += '</ul>\n'
-      last_level = level
-      output += self.__get_html_item(item, is_root)
-      is_root = False
-    output += '</ul>\n'
-    return output
+        output += '<ul class="level0">\n'
+        last_level = 0
+        is_root = True
+        for item in parsed_items:
+            level = item["level"] - 1
+            if last_level < level:
+                output += '<ul class="level{}">\n'.format(level)
+            for i in range(last_level - level):
+                output += "</ul>\n"
+            last_level = level
+            output += self.__get_html_item(item, is_root)
+            is_root = False
+        output += "</ul>\n"
+        return output
 
-  def __get_required_field(self, parsed_item):
-    return 'required' if parsed_item['required'] else ''
-
-  def __get_html_item(self, parsed_item, is_root):
-    item = '<li class="schema item"> \n'
-    item += '<div class="name">{}</div> \n'.format(parsed_item['name'])
-    item += '<div class="type">[{}]</div> \n'.format(parsed_item['type'])
-    item += '<div class="required">{}</div> \n'.format(self.__get_required_field(parsed_item))
-    item += '<div class="docs">\n' if not is_root else '<div class="root_docs">\n'
-    item += '<div class="title">{}</div>\n'.format(parsed_item['title'])
-    item += ': ' if parsed_item['title'] != '' and parsed_item['description'] != '' else ''
-    item += '<div class="description">{}</div>\n'.format(parsed_item['description'])
-    item += '<div class="enum">enum: {}</div>\n'.format(parsed_item['enum']) if parsed_item['enum'] != '' else ''
-    item += '<div class="minItems">Min Items: {}</div>\n'.format(parsed_item['minItems']) if parsed_item['type'] == "array" and parsed_item['minItems'] != "None" else ''
-    item += '<div class="uniqueItems">Unique Items: {}</div>\n'.format(parsed_item['uniqueItems']) if parsed_item['type'] == "array" and parsed_item['uniqueItems'] else ''
-    item += '<div class="pattern">Pattern: {}</div>\n'.format(parsed_item['pattern']) if parsed_item['pattern'] != 'None' and parsed_item['pattern'] != '' else ''
-    item += '<div class="x-reference"><a href="{}">Reference: {}</a></div>\n'.format(parsed_item['x-reference'],parsed_item['x-reference']) if parsed_item['x-reference'] != '' else ''
-    item += '<div class="x-example">Example: <code>{}</code></div>\n'.format(parsed_item['x-example']) if parsed_item['x-example'] != '' else ''
-    item += '</div>\n'
-    item += '</li>\n'
-    return item
+    def __get_required_field(self, parsed_item):
+        return "required" if parsed_item["required"] else ""
 
+    def __get_html_item(self, parsed_item, is_root):
+        item = '<li class="schema item"> \n'
+        item += '<div class="name">{}</div> \n'.format(parsed_item["name"])
+        item += '<div class="type">[{}]</div> \n'.format(parsed_item["type"])
+        item += '<div class="required">{}</div> \n'.format(
+            self.__get_required_field(parsed_item)
+        )
+        item += '<div class="docs">\n' if not is_root else '<div class="root_docs">\n'
+        item += '<div class="title">{}</div>\n'.format(parsed_item["title"])
+        item += (
+            ": "
+            if parsed_item["title"] != "" and parsed_item["description"] != ""
+            else ""
+        )
+        item += '<div class="description">{}</div>\n'.format(parsed_item["description"])
+        item += (
+            '<div class="enum">enum: {}</div>\n'.format(parsed_item["enum"])
+            if parsed_item["enum"] != ""
+            else ""
+        )
+        item += (
+            '<div class="minItems">Min Items: {}</div>\n'.format(
+                parsed_item["minItems"]
+            )
+            if parsed_item["type"] == "array" and parsed_item["minItems"] != "None"
+            else ""
+        )
+        item += (
+            '<div class="uniqueItems">Unique Items: {}</div>\n'.format(
+                parsed_item["uniqueItems"]
+            )
+            if parsed_item["type"] == "array" and parsed_item["uniqueItems"]
+            else ""
+        )
+        item += (
+            '<div class="pattern">Pattern: {}</div>\n'.format(parsed_item["pattern"])
+            if parsed_item["pattern"] != "None" and parsed_item["pattern"] != ""
+            else ""
+        )
+        item += (
+            '<div class="x-reference"><a href="{}">Reference: {}</a></div>\n'.format(
+                parsed_item["x-reference"], parsed_item["x-reference"]
+            )
+            if parsed_item["x-reference"] != ""
+            else ""
+        )
+        item += (
+            '<div class="x-example">Example: <code>{}</code></div>\n'.format(
+                parsed_item["x-example"]
+            )
+            if parsed_item["x-example"] != ""
+            else ""
+        )
+        item += "</div>\n"
+        item += "</li>\n"
+        return item
diff --git a/util/config/configutil.py b/util/config/configutil.py
index b74d69190..860761050 100644
--- a/util/config/configutil.py
+++ b/util/config/configutil.py
@@ -1,108 +1,145 @@
 from random import SystemRandom
 from uuid import uuid4
 
+
 def generate_secret_key():
-  cryptogen = SystemRandom()
-  return  str(cryptogen.getrandbits(256))
+    cryptogen = SystemRandom()
+    return str(cryptogen.getrandbits(256))
 
 
 def add_enterprise_config_defaults(config_obj, current_secret_key):
-  """ Adds/Sets the config defaults for enterprise registry config. """
-  # These have to be false.
-  config_obj['TESTING'] = False
-  config_obj['USE_CDN'] = False
+    """ Adds/Sets the config defaults for enterprise registry config. """
+    # These have to be false.
+    config_obj["TESTING"] = False
+    config_obj["USE_CDN"] = False
 
-  # Default for V3 upgrade.
-  config_obj['V3_UPGRADE_MODE'] = config_obj.get('V3_UPGRADE_MODE', 'complete')
+    # Default for V3 upgrade.
+    config_obj["V3_UPGRADE_MODE"] = config_obj.get("V3_UPGRADE_MODE", "complete")
 
-  # Defaults for Red Hat Quay.
-  config_obj['REGISTRY_TITLE'] = config_obj.get('REGISTRY_TITLE', 'Red Hat Quay')
-  config_obj['REGISTRY_TITLE_SHORT'] =  config_obj.get('REGISTRY_TITLE_SHORT', 'Red Hat Quay')
+    # Defaults for Red Hat Quay.
+    config_obj["REGISTRY_TITLE"] = config_obj.get("REGISTRY_TITLE", "Red Hat Quay")
+    config_obj["REGISTRY_TITLE_SHORT"] = config_obj.get(
+        "REGISTRY_TITLE_SHORT", "Red Hat Quay"
+    )
 
-  # Default features that are on.
-  config_obj['FEATURE_USER_LOG_ACCESS'] = config_obj.get('FEATURE_USER_LOG_ACCESS', True)
-  config_obj['FEATURE_USER_CREATION'] = config_obj.get('FEATURE_USER_CREATION', True)
-  config_obj['FEATURE_ANONYMOUS_ACCESS'] = config_obj.get('FEATURE_ANONYMOUS_ACCESS', True)
-  config_obj['FEATURE_REQUIRE_TEAM_INVITE'] = config_obj.get('FEATURE_REQUIRE_TEAM_INVITE', True)
-  config_obj['FEATURE_CHANGE_TAG_EXPIRATION'] = config_obj.get('FEATURE_CHANGE_TAG_EXPIRATION',
-                                                               True)
-  config_obj['FEATURE_DIRECT_LOGIN'] = config_obj.get('FEATURE_DIRECT_LOGIN', True)
-  config_obj['FEATURE_APP_SPECIFIC_TOKENS'] = config_obj.get('FEATURE_APP_SPECIFIC_TOKENS', True)
-  config_obj['FEATURE_PARTIAL_USER_AUTOCOMPLETE'] = config_obj.get('FEATURE_PARTIAL_USER_AUTOCOMPLETE', True)
-  config_obj['FEATURE_USERNAME_CONFIRMATION'] = config_obj.get('FEATURE_USERNAME_CONFIRMATION', True)
-  config_obj['FEATURE_RESTRICTED_V1_PUSH'] = config_obj.get('FEATURE_RESTRICTED_V1_PUSH', True)
+    # Default features that are on.
+    config_obj["FEATURE_USER_LOG_ACCESS"] = config_obj.get(
+        "FEATURE_USER_LOG_ACCESS", True
+    )
+    config_obj["FEATURE_USER_CREATION"] = config_obj.get("FEATURE_USER_CREATION", True)
+    config_obj["FEATURE_ANONYMOUS_ACCESS"] = config_obj.get(
+        "FEATURE_ANONYMOUS_ACCESS", True
+    )
+    config_obj["FEATURE_REQUIRE_TEAM_INVITE"] = config_obj.get(
+        "FEATURE_REQUIRE_TEAM_INVITE", True
+    )
+    config_obj["FEATURE_CHANGE_TAG_EXPIRATION"] = config_obj.get(
+        "FEATURE_CHANGE_TAG_EXPIRATION", True
+    )
+    config_obj["FEATURE_DIRECT_LOGIN"] = config_obj.get("FEATURE_DIRECT_LOGIN", True)
+    config_obj["FEATURE_APP_SPECIFIC_TOKENS"] = config_obj.get(
+        "FEATURE_APP_SPECIFIC_TOKENS", True
+    )
+    config_obj["FEATURE_PARTIAL_USER_AUTOCOMPLETE"] = config_obj.get(
+        "FEATURE_PARTIAL_USER_AUTOCOMPLETE", True
+    )
+    config_obj["FEATURE_USERNAME_CONFIRMATION"] = config_obj.get(
+        "FEATURE_USERNAME_CONFIRMATION", True
+    )
+    config_obj["FEATURE_RESTRICTED_V1_PUSH"] = config_obj.get(
+        "FEATURE_RESTRICTED_V1_PUSH", True
+    )
 
-  # Default features that are off.
-  config_obj['FEATURE_MAILING'] = config_obj.get('FEATURE_MAILING', False)
-  config_obj['FEATURE_BUILD_SUPPORT'] = config_obj.get('FEATURE_BUILD_SUPPORT', False)
-  config_obj['FEATURE_ACI_CONVERSION'] = config_obj.get('FEATURE_ACI_CONVERSION', False)
-  config_obj['FEATURE_APP_REGISTRY'] = config_obj.get('FEATURE_APP_REGISTRY', False)
-  config_obj['FEATURE_REPO_MIRROR'] = config_obj.get('FEATURE_REPO_MIRROR', False)
+    # Default features that are off.
+    config_obj["FEATURE_MAILING"] = config_obj.get("FEATURE_MAILING", False)
+    config_obj["FEATURE_BUILD_SUPPORT"] = config_obj.get("FEATURE_BUILD_SUPPORT", False)
+    config_obj["FEATURE_ACI_CONVERSION"] = config_obj.get(
+        "FEATURE_ACI_CONVERSION", False
+    )
+    config_obj["FEATURE_APP_REGISTRY"] = config_obj.get("FEATURE_APP_REGISTRY", False)
+    config_obj["FEATURE_REPO_MIRROR"] = config_obj.get("FEATURE_REPO_MIRROR", False)
 
-  # Default repo mirror config.
-  config_obj['REPO_MIRROR_TLS_VERIFY'] = config_obj.get('REPO_MIRROR_TLS_VERIFY', True)
-  config_obj['REPO_MIRROR_SERVER_HOSTNAME'] = config_obj.get('REPO_MIRROR_SERVER_HOSTNAME', None)
+    # Default repo mirror config.
+    config_obj["REPO_MIRROR_TLS_VERIFY"] = config_obj.get(
+        "REPO_MIRROR_TLS_VERIFY", True
+    )
+    config_obj["REPO_MIRROR_SERVER_HOSTNAME"] = config_obj.get(
+        "REPO_MIRROR_SERVER_HOSTNAME", None
+    )
 
-  # Default the signer config.
-  config_obj['GPG2_PRIVATE_KEY_FILENAME'] = config_obj.get('GPG2_PRIVATE_KEY_FILENAME',
-                                                           'signing-private.gpg')
-  config_obj['GPG2_PUBLIC_KEY_FILENAME'] = config_obj.get('GPG2_PUBLIC_KEY_FILENAME',
-                                                          'signing-public.gpg')
-  config_obj['SIGNING_ENGINE'] = config_obj.get('SIGNING_ENGINE', 'gpg2')
+    # Default the signer config.
+    config_obj["GPG2_PRIVATE_KEY_FILENAME"] = config_obj.get(
+        "GPG2_PRIVATE_KEY_FILENAME", "signing-private.gpg"
+    )
+    config_obj["GPG2_PUBLIC_KEY_FILENAME"] = config_obj.get(
+        "GPG2_PUBLIC_KEY_FILENAME", "signing-public.gpg"
+    )
+    config_obj["SIGNING_ENGINE"] = config_obj.get("SIGNING_ENGINE", "gpg2")
 
-  # Default security scanner config.
-  config_obj['FEATURE_SECURITY_NOTIFICATIONS'] = config_obj.get(
-    'FEATURE_SECURITY_NOTIFICATIONS', True)
+    # Default security scanner config.
+    config_obj["FEATURE_SECURITY_NOTIFICATIONS"] = config_obj.get(
+        "FEATURE_SECURITY_NOTIFICATIONS", True
+    )
 
-  config_obj['FEATURE_SECURITY_SCANNER'] = config_obj.get(
-    'FEATURE_SECURITY_SCANNER', False)
+    config_obj["FEATURE_SECURITY_SCANNER"] = config_obj.get(
+        "FEATURE_SECURITY_SCANNER", False
+    )
 
-  config_obj['SECURITY_SCANNER_ISSUER_NAME'] = config_obj.get(
-    'SECURITY_SCANNER_ISSUER_NAME', 'security_scanner')
+    config_obj["SECURITY_SCANNER_ISSUER_NAME"] = config_obj.get(
+        "SECURITY_SCANNER_ISSUER_NAME", "security_scanner"
+    )
 
-  # Default time machine config.
-  config_obj['TAG_EXPIRATION_OPTIONS'] = config_obj.get('TAG_EXPIRATION_OPTIONS',
-                                                        ['0s', '1d', '1w', '2w', '4w'])
-  config_obj['DEFAULT_TAG_EXPIRATION'] = config_obj.get('DEFAULT_TAG_EXPIRATION', '2w')
+    # Default time machine config.
+    config_obj["TAG_EXPIRATION_OPTIONS"] = config_obj.get(
+        "TAG_EXPIRATION_OPTIONS", ["0s", "1d", "1w", "2w", "4w"]
+    )
+    config_obj["DEFAULT_TAG_EXPIRATION"] = config_obj.get(
+        "DEFAULT_TAG_EXPIRATION", "2w"
+    )
 
-  # Default mail setings.
-  config_obj['MAIL_USE_TLS'] = config_obj.get('MAIL_USE_TLS', True)
-  config_obj['MAIL_PORT'] = config_obj.get('MAIL_PORT', 587)
-  config_obj['MAIL_DEFAULT_SENDER'] = config_obj.get('MAIL_DEFAULT_SENDER', 'support@quay.io')
+    # Default mail setings.
+    config_obj["MAIL_USE_TLS"] = config_obj.get("MAIL_USE_TLS", True)
+    config_obj["MAIL_PORT"] = config_obj.get("MAIL_PORT", 587)
+    config_obj["MAIL_DEFAULT_SENDER"] = config_obj.get(
+        "MAIL_DEFAULT_SENDER", "support@quay.io"
+    )
 
-  # Default auth type.
-  if not 'AUTHENTICATION_TYPE' in config_obj:
-    config_obj['AUTHENTICATION_TYPE'] = 'Database'
+    # Default auth type.
+    if not "AUTHENTICATION_TYPE" in config_obj:
+        config_obj["AUTHENTICATION_TYPE"] = "Database"
 
-  # Default secret key.
-  if not 'SECRET_KEY' in config_obj:
-    if current_secret_key:
-      config_obj['SECRET_KEY'] = current_secret_key
-    else:
-      config_obj['SECRET_KEY'] = generate_secret_key()
+    # Default secret key.
+    if not "SECRET_KEY" in config_obj:
+        if current_secret_key:
+            config_obj["SECRET_KEY"] = current_secret_key
+        else:
+            config_obj["SECRET_KEY"] = generate_secret_key()
 
-  # Default database secret key.
-  if not 'DATABASE_SECRET_KEY' in config_obj:
-    config_obj['DATABASE_SECRET_KEY'] = generate_secret_key()
+    # Default database secret key.
+    if not "DATABASE_SECRET_KEY" in config_obj:
+        config_obj["DATABASE_SECRET_KEY"] = generate_secret_key()
 
-  # Default torrent pepper.
-  if not 'BITTORRENT_FILENAME_PEPPER' in config_obj:
-    config_obj['BITTORRENT_FILENAME_PEPPER'] = str(uuid4())
+    # Default torrent pepper.
+    if not "BITTORRENT_FILENAME_PEPPER" in config_obj:
+        config_obj["BITTORRENT_FILENAME_PEPPER"] = str(uuid4())
 
-  # Default storage configuration.
-  if not 'DISTRIBUTED_STORAGE_CONFIG' in config_obj:
-    config_obj['DISTRIBUTED_STORAGE_PREFERENCE'] = ['default']
-    config_obj['DISTRIBUTED_STORAGE_CONFIG'] = {
-      'default': ['LocalStorage', {'storage_path': '/datastorage/registry'}]
-    }
+    # Default storage configuration.
+    if not "DISTRIBUTED_STORAGE_CONFIG" in config_obj:
+        config_obj["DISTRIBUTED_STORAGE_PREFERENCE"] = ["default"]
+        config_obj["DISTRIBUTED_STORAGE_CONFIG"] = {
+            "default": ["LocalStorage", {"storage_path": "/datastorage/registry"}]
+        }
 
-    config_obj['USERFILES_LOCATION'] = 'default'
-    config_obj['USERFILES_PATH'] = 'userfiles/'
+        config_obj["USERFILES_LOCATION"] = "default"
+        config_obj["USERFILES_PATH"] = "userfiles/"
 
-    config_obj['LOG_ARCHIVE_LOCATION'] = 'default'
+        config_obj["LOG_ARCHIVE_LOCATION"] = "default"
 
-  # Misc configuration.
-  config_obj['PREFERRED_URL_SCHEME'] = config_obj.get('PREFERRED_URL_SCHEME', 'http')
-  config_obj['ENTERPRISE_LOGO_URL'] = config_obj.get(
-    'ENTERPRISE_LOGO_URL', '/static/img/quay-horizontal-color.svg')
-  config_obj['TEAM_RESYNC_STALE_TIME'] = config_obj.get('TEAM_RESYNC_STALE_TIME', '60m')
+    # Misc configuration.
+    config_obj["PREFERRED_URL_SCHEME"] = config_obj.get("PREFERRED_URL_SCHEME", "http")
+    config_obj["ENTERPRISE_LOGO_URL"] = config_obj.get(
+        "ENTERPRISE_LOGO_URL", "/static/img/quay-horizontal-color.svg"
+    )
+    config_obj["TEAM_RESYNC_STALE_TIME"] = config_obj.get(
+        "TEAM_RESYNC_STALE_TIME", "60m"
+    )
diff --git a/util/config/database.py b/util/config/database.py
index cbd6ea78b..a6fdb6951 100644
--- a/util/config/database.py
+++ b/util/config/database.py
@@ -4,9 +4,9 @@ from data.appr_model.models import NEW_MODELS
 
 
 def sync_database_with_config(config):
-  """ This ensures all implicitly required reference table entries exist in the database. """
+    """ This ensures all implicitly required reference table entries exist in the database. """
 
-  location_names = config.get('DISTRIBUTED_STORAGE_CONFIG', {}).keys()
-  if location_names:
-    model.image.ensure_image_locations(*location_names)
-    blob.ensure_blob_locations(NEW_MODELS, *location_names)
+    location_names = config.get("DISTRIBUTED_STORAGE_CONFIG", {}).keys()
+    if location_names:
+        model.image.ensure_image_locations(*location_names)
+        blob.ensure_blob_locations(NEW_MODELS, *location_names)
diff --git a/util/config/provider/__init__.py b/util/config/provider/__init__.py
index 50a31ed9d..dbed3c6f7 100644
--- a/util/config/provider/__init__.py
+++ b/util/config/provider/__init__.py
@@ -2,12 +2,15 @@ from util.config.provider.fileprovider import FileConfigProvider
 from util.config.provider.testprovider import TestConfigProvider
 from util.config.provider.k8sprovider import KubernetesConfigProvider
 
-def get_config_provider(config_volume, yaml_filename, py_filename, testing=False, kubernetes=False):
-  """ Loads and returns the config provider for the current environment. """
-  if testing:
-    return TestConfigProvider()
 
-  if kubernetes:
-    return KubernetesConfigProvider(config_volume, yaml_filename, py_filename)
+def get_config_provider(
+    config_volume, yaml_filename, py_filename, testing=False, kubernetes=False
+):
+    """ Loads and returns the config provider for the current environment. """
+    if testing:
+        return TestConfigProvider()
 
-  return FileConfigProvider(config_volume, yaml_filename, py_filename)
+    if kubernetes:
+        return KubernetesConfigProvider(config_volume, yaml_filename, py_filename)
+
+    return FileConfigProvider(config_volume, yaml_filename, py_filename)
diff --git a/util/config/provider/basefileprovider.py b/util/config/provider/basefileprovider.py
index db90fa6e5..8503821f9 100644
--- a/util/config/provider/basefileprovider.py
+++ b/util/config/provider/basefileprovider.py
@@ -1,62 +1,68 @@
 import os
 import logging
 
-from util.config.provider.baseprovider import (BaseProvider, import_yaml, export_yaml,
-                                               CannotWriteConfigException)
+from util.config.provider.baseprovider import (
+    BaseProvider,
+    import_yaml,
+    export_yaml,
+    CannotWriteConfigException,
+)
 
 logger = logging.getLogger(__name__)
 
+
 class BaseFileProvider(BaseProvider):
-  """ Base implementation of the config provider that reads the data from the file system. """
-  def __init__(self, config_volume, yaml_filename, py_filename):
-    self.config_volume = config_volume
-    self.yaml_filename = yaml_filename
-    self.py_filename = py_filename
+    """ Base implementation of the config provider that reads the data from the file system. """
 
-    self.yaml_path = os.path.join(config_volume, yaml_filename)
-    self.py_path = os.path.join(config_volume, py_filename)
+    def __init__(self, config_volume, yaml_filename, py_filename):
+        self.config_volume = config_volume
+        self.yaml_filename = yaml_filename
+        self.py_filename = py_filename
 
-  def update_app_config(self, app_config):
-    if os.path.exists(self.py_path):
-      logger.debug('Applying config file: %s', self.py_path)
-      app_config.from_pyfile(self.py_path)
+        self.yaml_path = os.path.join(config_volume, yaml_filename)
+        self.py_path = os.path.join(config_volume, py_filename)
 
-    if os.path.exists(self.yaml_path):
-      logger.debug('Applying config file: %s', self.yaml_path)
-      import_yaml(app_config, self.yaml_path)
+    def update_app_config(self, app_config):
+        if os.path.exists(self.py_path):
+            logger.debug("Applying config file: %s", self.py_path)
+            app_config.from_pyfile(self.py_path)
 
-  def get_config(self):
-    if not self.config_exists():
-      return None
+        if os.path.exists(self.yaml_path):
+            logger.debug("Applying config file: %s", self.yaml_path)
+            import_yaml(app_config, self.yaml_path)
 
-    config_obj = {}
-    import_yaml(config_obj, self.yaml_path)
-    return config_obj
+    def get_config(self):
+        if not self.config_exists():
+            return None
 
-  def config_exists(self):
-    return self.volume_file_exists(self.yaml_filename)
+        config_obj = {}
+        import_yaml(config_obj, self.yaml_path)
+        return config_obj
 
-  def volume_exists(self):
-    return os.path.exists(self.config_volume)
+    def config_exists(self):
+        return self.volume_file_exists(self.yaml_filename)
 
-  def volume_file_exists(self, relative_file_path):
-    return os.path.exists(os.path.join(self.config_volume, relative_file_path))
+    def volume_exists(self):
+        return os.path.exists(self.config_volume)
 
-  def get_volume_file(self, relative_file_path, mode='r'):
-    return open(os.path.join(self.config_volume, relative_file_path), mode=mode)
+    def volume_file_exists(self, relative_file_path):
+        return os.path.exists(os.path.join(self.config_volume, relative_file_path))
 
-  def get_volume_path(self, directory, relative_file_path):
-    return os.path.join(directory, relative_file_path)
+    def get_volume_file(self, relative_file_path, mode="r"):
+        return open(os.path.join(self.config_volume, relative_file_path), mode=mode)
 
-  def list_volume_directory(self, path):
-    dirpath = os.path.join(self.config_volume, path)
-    if not os.path.exists(dirpath):
-      return None
+    def get_volume_path(self, directory, relative_file_path):
+        return os.path.join(directory, relative_file_path)
 
-    if not os.path.isdir(dirpath):
-      return None
+    def list_volume_directory(self, path):
+        dirpath = os.path.join(self.config_volume, path)
+        if not os.path.exists(dirpath):
+            return None
 
-    return os.listdir(dirpath)
+        if not os.path.isdir(dirpath):
+            return None
 
-  def get_config_root(self):
-    return self.config_volume
+        return os.listdir(dirpath)
+
+    def get_config_root(self):
+        return self.config_volume
diff --git a/util/config/provider/baseprovider.py b/util/config/provider/baseprovider.py
index 9541f546a..737c7261d 100644
--- a/util/config/provider/baseprovider.py
+++ b/util/config/provider/baseprovider.py
@@ -12,112 +12,114 @@ logger = logging.getLogger(__name__)
 
 
 class CannotWriteConfigException(Exception):
-  """ Exception raised when the config cannot be written. """
-  pass
+    """ Exception raised when the config cannot be written. """
+
+    pass
 
 
 class SetupIncompleteException(Exception):
-  """ Exception raised when attempting to verify config that has not yet been setup. """
-  pass
+    """ Exception raised when attempting to verify config that has not yet been setup. """
+
+    pass
 
 
 def import_yaml(config_obj, config_file):
-  with open(config_file) as f:
-    c = yaml.safe_load(f)
-    if not c:
-      logger.debug('Empty YAML config file')
-      return
+    with open(config_file) as f:
+        c = yaml.safe_load(f)
+        if not c:
+            logger.debug("Empty YAML config file")
+            return
 
-    if isinstance(c, str):
-      raise Exception('Invalid YAML config file: ' + str(c))
+        if isinstance(c, str):
+            raise Exception("Invalid YAML config file: " + str(c))
 
-    for key in c.iterkeys():
-      if key.isupper():
-        config_obj[key] = c[key]
+        for key in c.iterkeys():
+            if key.isupper():
+                config_obj[key] = c[key]
 
-  if config_obj.get('SETUP_COMPLETE', True):
-    try:
-      validate(config_obj, CONFIG_SCHEMA)
-    except ValidationError:
-      # TODO: Change this into a real error
-      logger.exception('Could not validate config schema')
-  else:
-    logger.debug('Skipping config schema validation because setup is not complete')
+    if config_obj.get("SETUP_COMPLETE", True):
+        try:
+            validate(config_obj, CONFIG_SCHEMA)
+        except ValidationError:
+            # TODO: Change this into a real error
+            logger.exception("Could not validate config schema")
+    else:
+        logger.debug("Skipping config schema validation because setup is not complete")
 
-  return config_obj
+    return config_obj
 
 
 def get_yaml(config_obj):
-  return yaml.safe_dump(config_obj, encoding='utf-8', allow_unicode=True)
+    return yaml.safe_dump(config_obj, encoding="utf-8", allow_unicode=True)
 
 
 def export_yaml(config_obj, config_file):
-  try:
-    with open(config_file, 'w') as f:
-      f.write(get_yaml(config_obj))
-  except IOError as ioe:
-    raise CannotWriteConfigException(str(ioe))
+    try:
+        with open(config_file, "w") as f:
+            f.write(get_yaml(config_obj))
+    except IOError as ioe:
+        raise CannotWriteConfigException(str(ioe))
 
 
 @add_metaclass(ABCMeta)
 class BaseProvider(object):
-  """ A configuration provider helps to load, save, and handle config override in the application.
+    """ A configuration provider helps to load, save, and handle config override in the application.
   """
 
-  @property
-  def provider_id(self):
-    raise NotImplementedError
+    @property
+    def provider_id(self):
+        raise NotImplementedError
 
-  @abstractmethod
-  def update_app_config(self, app_config):
-    """ Updates the given application config object with the loaded override config. """
+    @abstractmethod
+    def update_app_config(self, app_config):
+        """ Updates the given application config object with the loaded override config. """
 
-  @abstractmethod
-  def get_config(self):
-    """ Returns the contents of the config override file, or None if none. """
+    @abstractmethod
+    def get_config(self):
+        """ Returns the contents of the config override file, or None if none. """
 
-  @abstractmethod
-  def save_config(self, config_object):
-    """ Updates the contents of the config override file to those given. """
+    @abstractmethod
+    def save_config(self, config_object):
+        """ Updates the contents of the config override file to those given. """
 
-  @abstractmethod
-  def config_exists(self):
-    """ Returns true if a config override file exists in the config volume. """
+    @abstractmethod
+    def config_exists(self):
+        """ Returns true if a config override file exists in the config volume. """
 
-  @abstractmethod
-  def volume_exists(self):
-    """ Returns whether the config override volume exists. """
+    @abstractmethod
+    def volume_exists(self):
+        """ Returns whether the config override volume exists. """
 
-  @abstractmethod
-  def volume_file_exists(self, relative_file_path):
-    """ Returns whether the file with the given relative path exists under the config override
+    @abstractmethod
+    def volume_file_exists(self, relative_file_path):
+        """ Returns whether the file with the given relative path exists under the config override
         volume. """
 
-  @abstractmethod
-  def get_volume_file(self, relative_file_path, mode='r'):
-    """ Returns a Python file referring to the given path under the config override volume. """
+    @abstractmethod
+    def get_volume_file(self, relative_file_path, mode="r"):
+        """ Returns a Python file referring to the given path under the config override volume. """
 
-  @abstractmethod
-  def remove_volume_file(self, relative_file_path):
-    """ Removes the config override volume file with the given path. """
+    @abstractmethod
+    def remove_volume_file(self, relative_file_path):
+        """ Removes the config override volume file with the given path. """
 
-  @abstractmethod
-  def list_volume_directory(self, path):
-    """ Returns a list of strings representing the names of the files found in the config override
+    @abstractmethod
+    def list_volume_directory(self, path):
+        """ Returns a list of strings representing the names of the files found in the config override
         directory under the given path. If the path doesn't exist, returns None.
     """
 
-  @abstractmethod
-  def save_volume_file(self, flask_file, relative_file_path):
-    """ Saves the given flask file to the config override volume, with the given
+    @abstractmethod
+    def save_volume_file(self, flask_file, relative_file_path):
+        """ Saves the given flask file to the config override volume, with the given
         relative path.
     """
 
-  @abstractmethod
-  def get_volume_path(self, directory, filename):
-    """ Helper for constructing relative file paths, which may differ between providers.
+    @abstractmethod
+    def get_volume_path(self, directory, filename):
+        """ Helper for constructing relative file paths, which may differ between providers.
         For example, kubernetes can't have subfolders in configmaps """
 
-  @abstractmethod
-  def get_config_root(self):
-    """ Returns the config root directory. """
+    @abstractmethod
+    def get_config_root(self):
+        """ Returns the config root directory. """
diff --git a/util/config/provider/fileprovider.py b/util/config/provider/fileprovider.py
index feae57b80..99b902a16 100644
--- a/util/config/provider/fileprovider.py
+++ b/util/config/provider/fileprovider.py
@@ -7,41 +7,45 @@ from util.config.provider.basefileprovider import BaseFileProvider
 
 logger = logging.getLogger(__name__)
 
+
 def _ensure_parent_dir(filepath):
-  """ Ensures that the parent directory of the given file path exists. """
-  try:
-    parentpath = os.path.abspath(os.path.join(filepath, os.pardir))
-    if not os.path.isdir(parentpath):
-      os.makedirs(parentpath)
-  except IOError as ioe:
-    raise CannotWriteConfigException(str(ioe))
+    """ Ensures that the parent directory of the given file path exists. """
+    try:
+        parentpath = os.path.abspath(os.path.join(filepath, os.pardir))
+        if not os.path.isdir(parentpath):
+            os.makedirs(parentpath)
+    except IOError as ioe:
+        raise CannotWriteConfigException(str(ioe))
 
 
 class FileConfigProvider(BaseFileProvider):
-  """ Implementation of the config provider that reads and writes the data
+    """ Implementation of the config provider that reads and writes the data
       from/to the file system. """
-  def __init__(self, config_volume, yaml_filename, py_filename):
-    super(FileConfigProvider, self).__init__(config_volume, yaml_filename, py_filename)
 
-  @property
-  def provider_id(self):
-    return 'file'
+    def __init__(self, config_volume, yaml_filename, py_filename):
+        super(FileConfigProvider, self).__init__(
+            config_volume, yaml_filename, py_filename
+        )
 
-  def save_config(self, config_obj):
-    export_yaml(config_obj, self.yaml_path)
+    @property
+    def provider_id(self):
+        return "file"
 
-  def remove_volume_file(self, relative_file_path):
-    filepath = os.path.join(self.config_volume, relative_file_path)
-    os.remove(filepath)
+    def save_config(self, config_obj):
+        export_yaml(config_obj, self.yaml_path)
 
-  def save_volume_file(self, flask_file, relative_file_path):
-    filepath = os.path.join(self.config_volume, relative_file_path)
-    _ensure_parent_dir(filepath)
+    def remove_volume_file(self, relative_file_path):
+        filepath = os.path.join(self.config_volume, relative_file_path)
+        os.remove(filepath)
 
-    # Write the file.
-    try:
-      flask_file.save(filepath)
-    except IOError as ioe:
-      raise CannotWriteConfigException(str(ioe))
+    def save_volume_file(self, flask_file, relative_file_path):
+        filepath = os.path.join(self.config_volume, relative_file_path)
+        _ensure_parent_dir(filepath)
 
-    return filepath
+        # Write the file.
+        try:
+            flask_file.save(filepath)
+        except IOError as ioe:
+            raise CannotWriteConfigException(str(ioe))
+
+        return filepath
diff --git a/util/config/provider/k8sprovider.py b/util/config/provider/k8sprovider.py
index 14bf99c4b..23f4305cb 100644
--- a/util/config/provider/k8sprovider.py
+++ b/util/config/provider/k8sprovider.py
@@ -13,176 +13,200 @@ from util.config.provider.basefileprovider import BaseFileProvider
 
 logger = logging.getLogger(__name__)
 
-KUBERNETES_API_HOST = os.environ.get('KUBERNETES_SERVICE_HOST', '')
-port = os.environ.get('KUBERNETES_SERVICE_PORT')
+KUBERNETES_API_HOST = os.environ.get("KUBERNETES_SERVICE_HOST", "")
+port = os.environ.get("KUBERNETES_SERVICE_PORT")
 if port:
-  KUBERNETES_API_HOST += ':' + port
+    KUBERNETES_API_HOST += ":" + port
 
-SERVICE_ACCOUNT_TOKEN_PATH = '/var/run/secrets/kubernetes.io/serviceaccount/token'
+SERVICE_ACCOUNT_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"
+
+QE_NAMESPACE = os.environ.get("QE_K8S_NAMESPACE", "quay-enterprise")
+QE_CONFIG_SECRET = os.environ.get(
+    "QE_K8S_CONFIG_SECRET", "quay-enterprise-config-secret"
+)
 
-QE_NAMESPACE = os.environ.get('QE_K8S_NAMESPACE', 'quay-enterprise')
-QE_CONFIG_SECRET = os.environ.get('QE_K8S_CONFIG_SECRET', 'quay-enterprise-config-secret')
 
 class KubernetesConfigProvider(BaseFileProvider):
-  """ Implementation of the config provider that reads and writes configuration
+    """ Implementation of the config provider that reads and writes configuration
       data from a Kubernetes Secret. """
-  def __init__(self, config_volume, yaml_filename, py_filename, api_host=None,
-               service_account_token_path=None):
-    super(KubernetesConfigProvider, self).__init__(config_volume, yaml_filename, py_filename)
-    service_account_token_path = service_account_token_path or SERVICE_ACCOUNT_TOKEN_PATH
-    api_host = api_host or KUBERNETES_API_HOST
 
-    # Load the service account token from the local store.
-    if not os.path.exists(service_account_token_path):
-      raise Exception('Cannot load Kubernetes service account token')
+    def __init__(
+        self,
+        config_volume,
+        yaml_filename,
+        py_filename,
+        api_host=None,
+        service_account_token_path=None,
+    ):
+        super(KubernetesConfigProvider, self).__init__(
+            config_volume, yaml_filename, py_filename
+        )
+        service_account_token_path = (
+            service_account_token_path or SERVICE_ACCOUNT_TOKEN_PATH
+        )
+        api_host = api_host or KUBERNETES_API_HOST
 
-    with open(service_account_token_path, 'r') as f:
-      self._service_token = f.read()
-    
-    self._api_host = api_host
+        # Load the service account token from the local store.
+        if not os.path.exists(service_account_token_path):
+            raise Exception("Cannot load Kubernetes service account token")
 
-  @property
-  def provider_id(self):
-    return 'k8s'
+        with open(service_account_token_path, "r") as f:
+            self._service_token = f.read()
 
-  def get_volume_path(self, directory, filename):
-    # NOTE: Overridden to ensure we don't have subdirectories, which aren't supported
-    # in Kubernetes secrets.
-    return "_".join([directory.rstrip('/'), filename])
+        self._api_host = api_host
 
-  def volume_exists(self):
-    secret = self._lookup_secret()
-    return secret is not None
+    @property
+    def provider_id(self):
+        return "k8s"
 
-  def volume_file_exists(self, relative_file_path):
-    if '/' in relative_file_path:
-      raise Exception('Expected path from get_volume_path, but found slashes')
+    def get_volume_path(self, directory, filename):
+        # NOTE: Overridden to ensure we don't have subdirectories, which aren't supported
+        # in Kubernetes secrets.
+        return "_".join([directory.rstrip("/"), filename])
 
-    # NOTE: Overridden because we don't have subdirectories, which aren't supported
-    # in Kubernetes secrets.
-    secret = self._lookup_secret()
-    if not secret or not secret.get('data'):
-      return False
-    return relative_file_path in secret['data']
+    def volume_exists(self):
+        secret = self._lookup_secret()
+        return secret is not None
 
-  def list_volume_directory(self, path):
-    # NOTE: Overridden because we don't have subdirectories, which aren't supported
-    # in Kubernetes secrets.
-    secret = self._lookup_secret()
+    def volume_file_exists(self, relative_file_path):
+        if "/" in relative_file_path:
+            raise Exception("Expected path from get_volume_path, but found slashes")
 
-    if not secret:
-      return []
+        # NOTE: Overridden because we don't have subdirectories, which aren't supported
+        # in Kubernetes secrets.
+        secret = self._lookup_secret()
+        if not secret or not secret.get("data"):
+            return False
+        return relative_file_path in secret["data"]
 
-    paths = []
-    for filename in secret.get('data', {}):
-      if filename.startswith(path):
-        paths.append(filename[len(path) + 1:])
-    return paths
+    def list_volume_directory(self, path):
+        # NOTE: Overridden because we don't have subdirectories, which aren't supported
+        # in Kubernetes secrets.
+        secret = self._lookup_secret()
 
-  def save_config(self, config_obj):
-    self._update_secret_file(self.yaml_filename, get_yaml(config_obj))
+        if not secret:
+            return []
 
-  def remove_volume_file(self, relative_file_path):
-    try:
-      self._update_secret_file(relative_file_path, None)
-    except IOError as ioe:
-      raise CannotWriteConfigException(str(ioe))
+        paths = []
+        for filename in secret.get("data", {}):
+            if filename.startswith(path):
+                paths.append(filename[len(path) + 1 :])
+        return paths
 
-  def save_volume_file(self, flask_file, relative_file_path):
-    # Write the file to a temp location.
-    buf = StringIO()
-    try:
-      try:
-        flask_file.save(buf)
-      except IOError as ioe:
-        raise CannotWriteConfigException(str(ioe))
+    def save_config(self, config_obj):
+        self._update_secret_file(self.yaml_filename, get_yaml(config_obj))
 
-      self._update_secret_file(relative_file_path, buf.getvalue())
-    finally:
-      buf.close()
-
-  def _assert_success(self, response):
-    if response.status_code != 200:
-      logger.error('Kubernetes API call failed with response: %s => %s', response.status_code,
-                   response.text)
-      raise CannotWriteConfigException('Kubernetes API call failed: %s' % response.text)
-
-  def _update_secret_file(self, relative_file_path, value=None):
-    if '/' in relative_file_path:
-      raise Exception('Expected path from get_volume_path, but found slashes')
-
-    # Check first that the namespace for Red Hat Quay exists. If it does not, report that
-    # as an error, as it seems to be a common issue.
-    namespace_url = 'namespaces/%s' % (QE_NAMESPACE)
-    response = self._execute_k8s_api('GET', namespace_url)
-    if response.status_code // 100 != 2:
-      msg = 'A Kubernetes namespace with name `%s` must be created to save config' % QE_NAMESPACE
-      raise CannotWriteConfigException(msg)
-
-    # Check if the secret exists. If not, then we create an empty secret and then update the file
-    # inside.
-    secret_url = 'namespaces/%s/secrets/%s' % (QE_NAMESPACE, QE_CONFIG_SECRET)
-    secret = self._lookup_secret()
-    if secret is None:
-      self._assert_success(self._execute_k8s_api('POST', secret_url, {
-        "kind": "Secret",
-        "apiVersion": "v1",
-        "metadata": {
-          "name": QE_CONFIG_SECRET
-        },
-        "data": {}
-      }))
-
-    # Update the secret to reflect the file change.
-    secret['data'] = secret.get('data', {})
-
-    if value is not None:
-      secret['data'][relative_file_path] = base64.b64encode(value)
-    else:
-      secret['data'].pop(relative_file_path)
-
-    self._assert_success(self._execute_k8s_api('PUT', secret_url, secret))
-
-    # Wait until the local mounted copy of the secret has been updated, as
-    # this is an eventual consistency operation, but the caller expects immediate
-    # consistency.
-    while True:
-      matching_files = set()
-      for secret_filename, encoded_value in secret['data'].iteritems():
-        expected_value = base64.b64decode(encoded_value)
+    def remove_volume_file(self, relative_file_path):
         try:
-          with self.get_volume_file(secret_filename) as f:
-            contents = f.read()
+            self._update_secret_file(relative_file_path, None)
+        except IOError as ioe:
+            raise CannotWriteConfigException(str(ioe))
 
-          if contents == expected_value:
-            matching_files.add(secret_filename)
-        except IOError:
-          continue
+    def save_volume_file(self, flask_file, relative_file_path):
+        # Write the file to a temp location.
+        buf = StringIO()
+        try:
+            try:
+                flask_file.save(buf)
+            except IOError as ioe:
+                raise CannotWriteConfigException(str(ioe))
 
-      if matching_files == set(secret['data'].keys()):
-        break
+            self._update_secret_file(relative_file_path, buf.getvalue())
+        finally:
+            buf.close()
 
-      # Sleep for a second and then try again.
-      time.sleep(1)
+    def _assert_success(self, response):
+        if response.status_code != 200:
+            logger.error(
+                "Kubernetes API call failed with response: %s => %s",
+                response.status_code,
+                response.text,
+            )
+            raise CannotWriteConfigException(
+                "Kubernetes API call failed: %s" % response.text
+            )
 
-  def _lookup_secret(self):
-    secret_url = 'namespaces/%s/secrets/%s' % (QE_NAMESPACE, QE_CONFIG_SECRET)
-    response = self._execute_k8s_api('GET', secret_url)
-    if response.status_code != 200:
-      return None
-    return json.loads(response.text)
+    def _update_secret_file(self, relative_file_path, value=None):
+        if "/" in relative_file_path:
+            raise Exception("Expected path from get_volume_path, but found slashes")
 
-  def _execute_k8s_api(self, method, relative_url, data=None):
-    headers = {
-      'Authorization': 'Bearer ' + self._service_token
-    }
+        # Check first that the namespace for Red Hat Quay exists. If it does not, report that
+        # as an error, as it seems to be a common issue.
+        namespace_url = "namespaces/%s" % (QE_NAMESPACE)
+        response = self._execute_k8s_api("GET", namespace_url)
+        if response.status_code // 100 != 2:
+            msg = (
+                "A Kubernetes namespace with name `%s` must be created to save config"
+                % QE_NAMESPACE
+            )
+            raise CannotWriteConfigException(msg)
 
-    if data:
-      headers['Content-Type'] = 'application/json'
+        # Check if the secret exists. If not, then we create an empty secret and then update the file
+        # inside.
+        secret_url = "namespaces/%s/secrets/%s" % (QE_NAMESPACE, QE_CONFIG_SECRET)
+        secret = self._lookup_secret()
+        if secret is None:
+            self._assert_success(
+                self._execute_k8s_api(
+                    "POST",
+                    secret_url,
+                    {
+                        "kind": "Secret",
+                        "apiVersion": "v1",
+                        "metadata": {"name": QE_CONFIG_SECRET},
+                        "data": {},
+                    },
+                )
+            )
 
-    data = json.dumps(data) if data else None
-    session = Session()
-    url = 'https://%s/api/v1/%s' % (self._api_host, relative_url)
+        # Update the secret to reflect the file change.
+        secret["data"] = secret.get("data", {})
 
-    request = Request(method, url, data=data, headers=headers)
-    return session.send(request.prepare(), verify=False, timeout=2)
+        if value is not None:
+            secret["data"][relative_file_path] = base64.b64encode(value)
+        else:
+            secret["data"].pop(relative_file_path)
+
+        self._assert_success(self._execute_k8s_api("PUT", secret_url, secret))
+
+        # Wait until the local mounted copy of the secret has been updated, as
+        # this is an eventual consistency operation, but the caller expects immediate
+        # consistency.
+        while True:
+            matching_files = set()
+            for secret_filename, encoded_value in secret["data"].iteritems():
+                expected_value = base64.b64decode(encoded_value)
+                try:
+                    with self.get_volume_file(secret_filename) as f:
+                        contents = f.read()
+
+                    if contents == expected_value:
+                        matching_files.add(secret_filename)
+                except IOError:
+                    continue
+
+            if matching_files == set(secret["data"].keys()):
+                break
+
+            # Sleep for a second and then try again.
+            time.sleep(1)
+
+    def _lookup_secret(self):
+        secret_url = "namespaces/%s/secrets/%s" % (QE_NAMESPACE, QE_CONFIG_SECRET)
+        response = self._execute_k8s_api("GET", secret_url)
+        if response.status_code != 200:
+            return None
+        return json.loads(response.text)
+
+    def _execute_k8s_api(self, method, relative_url, data=None):
+        headers = {"Authorization": "Bearer " + self._service_token}
+
+        if data:
+            headers["Content-Type"] = "application/json"
+
+        data = json.dumps(data) if data else None
+        session = Session()
+        url = "https://%s/api/v1/%s" % (self._api_host, relative_url)
+
+        request = Request(method, url, data=data, headers=headers)
+        return session.send(request.prepare(), verify=False, timeout=2)
diff --git a/util/config/provider/test/test_fileprovider.py b/util/config/provider/test/test_fileprovider.py
index 7a1336085..1241b17f9 100644
--- a/util/config/provider/test/test_fileprovider.py
+++ b/util/config/provider/test/test_fileprovider.py
@@ -1,29 +1,30 @@
 import pytest
 
-from util.config.provider import FileConfigProvider 
+from util.config.provider import FileConfigProvider
 
 from test.fixtures import *
 
 
 class TestFileConfigProvider(FileConfigProvider):
-  def __init__(self):
-    self.yaml_filename = 'yaml_filename'
-    self._service_token = 'service_token'
-    self.config_volume = 'config_volume' 
-    self.py_filename = 'py_filename'
-    self.yaml_path = os.path.join(self.config_volume, self.yaml_filename)
-    self.py_path = os.path.join(self.config_volume, self.py_filename)
+    def __init__(self):
+        self.yaml_filename = "yaml_filename"
+        self._service_token = "service_token"
+        self.config_volume = "config_volume"
+        self.py_filename = "py_filename"
+        self.yaml_path = os.path.join(self.config_volume, self.yaml_filename)
+        self.py_path = os.path.join(self.config_volume, self.py_filename)
 
 
-@pytest.mark.parametrize('directory,filename,expected', [
-  ("directory", "file", "directory/file"),
-  ("directory/dir", "file", "directory/dir/file"),
-  ("directory/dir/", "file", "directory/dir/file"),
-  ("directory", "file/test", "directory/file/test"),
-])
+@pytest.mark.parametrize(
+    "directory,filename,expected",
+    [
+        ("directory", "file", "directory/file"),
+        ("directory/dir", "file", "directory/dir/file"),
+        ("directory/dir/", "file", "directory/dir/file"),
+        ("directory", "file/test", "directory/file/test"),
+    ],
+)
 def test_get_volume_path(directory, filename, expected):
-  provider = TestFileConfigProvider()
-
-  assert expected == provider.get_volume_path(directory, filename)
-
+    provider = TestFileConfigProvider()
 
+    assert expected == provider.get_volume_path(directory, filename)
diff --git a/util/config/provider/testprovider.py b/util/config/provider/testprovider.py
index 487aec67c..7862035cf 100644
--- a/util/config/provider/testprovider.py
+++ b/util/config/provider/testprovider.py
@@ -5,73 +5,78 @@ from datetime import datetime, timedelta
 
 from util.config.provider.baseprovider import BaseProvider
 
-REAL_FILES = ['test/data/signing-private.gpg', 'test/data/signing-public.gpg', 'test/data/test.pem']
+REAL_FILES = [
+    "test/data/signing-private.gpg",
+    "test/data/signing-public.gpg",
+    "test/data/test.pem",
+]
+
 
 class TestConfigProvider(BaseProvider):
-  """ Implementation of the config provider for testing. Everything is kept in-memory instead on
+    """ Implementation of the config provider for testing. Everything is kept in-memory instead on
       the real file system. """
 
-  def get_config_root(self):
-    raise Exception('Test Config does not have a config root')
+    def get_config_root(self):
+        raise Exception("Test Config does not have a config root")
 
-  def __init__(self):
-    self.clear()
+    def __init__(self):
+        self.clear()
 
-  def clear(self):
-    self.files = {}
-    self._config = {}
+    def clear(self):
+        self.files = {}
+        self._config = {}
 
-  @property
-  def provider_id(self):
-    return 'test'
+    @property
+    def provider_id(self):
+        return "test"
 
-  def update_app_config(self, app_config):
-    self._config = app_config
+    def update_app_config(self, app_config):
+        self._config = app_config
 
-  def get_config(self):
-    if not 'config.yaml' in self.files:
-      return None
+    def get_config(self):
+        if not "config.yaml" in self.files:
+            return None
 
-    return json.loads(self.files.get('config.yaml', '{}'))
+        return json.loads(self.files.get("config.yaml", "{}"))
 
-  def save_config(self, config_obj):
-    self.files['config.yaml'] = json.dumps(config_obj)
+    def save_config(self, config_obj):
+        self.files["config.yaml"] = json.dumps(config_obj)
 
-  def config_exists(self):
-    return 'config.yaml' in self.files
+    def config_exists(self):
+        return "config.yaml" in self.files
 
-  def volume_exists(self):
-    return True
+    def volume_exists(self):
+        return True
 
-  def volume_file_exists(self, filename):
-    if filename in REAL_FILES:
-      return True
+    def volume_file_exists(self, filename):
+        if filename in REAL_FILES:
+            return True
 
-    return filename in self.files
+        return filename in self.files
 
-  def save_volume_file(self, flask_file, filename):
-    self.files[filename] = flask_file.read()
+    def save_volume_file(self, flask_file, filename):
+        self.files[filename] = flask_file.read()
 
-  def get_volume_file(self, filename, mode='r'):
-    if filename in REAL_FILES:
-      return open(filename, mode=mode)
+    def get_volume_file(self, filename, mode="r"):
+        if filename in REAL_FILES:
+            return open(filename, mode=mode)
 
-    return io.BytesIO(self.files[filename])
+        return io.BytesIO(self.files[filename])
 
-  def remove_volume_file(self, filename):
-    self.files.pop(filename, None)
+    def remove_volume_file(self, filename):
+        self.files.pop(filename, None)
 
-  def list_volume_directory(self, path):
-    paths = []
-    for filename in self.files:
-      if filename.startswith(path):
-        paths.append(filename[len(path)+1:])
+    def list_volume_directory(self, path):
+        paths = []
+        for filename in self.files:
+            if filename.startswith(path):
+                paths.append(filename[len(path) + 1 :])
 
-    return paths
+        return paths
 
-  def reset_for_test(self):
-    self._config['SUPER_USERS'] = ['devtable']
-    self.files = {}
+    def reset_for_test(self):
+        self._config["SUPER_USERS"] = ["devtable"]
+        self.files = {}
 
-  def get_volume_path(self, directory, filename):
-    return os.path.join(directory, filename)
+    def get_volume_path(self, directory, filename):
+        return os.path.join(directory, filename)
diff --git a/util/config/schema.py b/util/config/schema.py
index 959d9d49f..dd9374b9b 100644
--- a/util/config/schema.py
+++ b/util/config/schema.py
@@ -2,1231 +2,1132 @@
 # not be documented for external users. These will generally be used for internal test or only
 # given to customers when they have been briefed on the side effects of using them.
 INTERNAL_ONLY_PROPERTIES = {
-  '__module__',
-  '__doc__',
-  'create_transaction',
-
-  'SESSION_COOKIE_HTTPONLY',
-  'SESSION_COOKIE_SAMESITE',
-
-  'DATABASE_SECRET_KEY',
-  'TESTING',
-  'SEND_FILE_MAX_AGE_DEFAULT',
-  'DISABLED_FOR_AUDIT_LOGS',
-  'DISABLED_FOR_PULL_LOGS',
-  'FEATURE_DISABLE_PULL_LOGS_FOR_FREE_NAMESPACES',
-
-  'ACTION_LOG_MAX_PAGE',
-  'NON_RATE_LIMITED_NAMESPACES',
-
-  'REPLICATION_QUEUE_NAME',
-  'DOCKERFILE_BUILD_QUEUE_NAME',
-  'CHUNK_CLEANUP_QUEUE_NAME',
-  'SECSCAN_NOTIFICATION_QUEUE_NAME',
-  'SECURITY_SCANNER_ISSUER_NAME',
-  'NOTIFICATION_QUEUE_NAME',
-  'NAMESPACE_GC_QUEUE_NAME',
-  'EXPORT_ACTION_LOGS_QUEUE_NAME',
-
-  'FEATURE_BILLING',
-  'BILLING_TYPE',
-
-  'INSTANCE_SERVICE_KEY_LOCATION',
-  'INSTANCE_SERVICE_KEY_REFRESH',
-  'INSTANCE_SERVICE_KEY_SERVICE',
-  'INSTANCE_SERVICE_KEY_KID_LOCATION',
-  'INSTANCE_SERVICE_KEY_EXPIRATION',
-  'UNAPPROVED_SERVICE_KEY_TTL_SEC',
-  'EXPIRED_SERVICE_KEY_TTL_SEC',
-  'REGISTRY_JWT_AUTH_MAX_FRESH_S',
-
-  'BITTORRENT_FILENAME_PEPPER',
-  'BITTORRENT_WEBSEED_LIFETIME',
-
-  'SERVICE_LOG_ACCOUNT_ID',
-  'BUILDLOGS_OPTIONS',
-  'LIBRARY_NAMESPACE',
-  'STAGGER_WORKERS',
-  'QUEUE_WORKER_METRICS_REFRESH_SECONDS',
-  'PUSH_TEMP_TAG_EXPIRATION_SEC',
-  'GARBAGE_COLLECTION_FREQUENCY',
-  'PAGE_TOKEN_KEY',
-  'BUILD_MANAGER',
-  'JWTPROXY_AUDIENCE',
-  'JWTPROXY_SIGNER',
-  'SECURITY_SCANNER_INDEXING_MIN_ID',
-  'STATIC_SITE_BUCKET',
-  'LABEL_KEY_RESERVED_PREFIXES',
-  'TEAM_SYNC_WORKER_FREQUENCY',
-  'JSONIFY_PRETTYPRINT_REGULAR',
-  'TUF_GUN_PREFIX',
-  'LOGGING_LEVEL',
-  'SIGNED_GRANT_EXPIRATION_SEC',
-  'PROMETHEUS_AGGREGATOR_URL',
-  'DB_TRANSACTION_FACTORY',
-  'NOTIFICATION_SEND_TIMEOUT',
-  'QUEUE_METRICS_TYPE',
-  'MAIL_FAIL_SILENTLY',
-  'LOCAL_OAUTH_HANDLER',
-  'USE_CDN',
-  'ANALYTICS_TYPE',
-  'LAST_ACCESSED_UPDATE_THRESHOLD_S',
-
-  'EXCEPTION_LOG_TYPE',
-  'SENTRY_DSN',
-  'SENTRY_PUBLIC_DSN',
-
-  'BILLED_NAMESPACE_MAXIMUM_BUILD_COUNT',
-  'THREAT_NAMESPACE_MAXIMUM_BUILD_COUNT',
-  'IP_DATA_API_KEY',
-
-  'SECURITY_SCANNER_ENDPOINT_BATCH',
-  'SECURITY_SCANNER_API_TIMEOUT_SECONDS',
-  'SECURITY_SCANNER_API_TIMEOUT_POST_SECONDS',
-  'SECURITY_SCANNER_ENGINE_VERSION_TARGET',
-  'SECURITY_SCANNER_READONLY_FAILOVER_ENDPOINTS',
-  'SECURITY_SCANNER_API_VERSION',
-
-  'REPO_MIRROR_INTERVAL',
-
-  'DATA_MODEL_CACHE_CONFIG',
-
-  # TODO: move this into the schema once we support signing in QE.
-  'FEATURE_SIGNING',
-  'TUF_SERVER',
-
-  'V1_ONLY_DOMAIN',
-  'LOGS_MODEL',
-  'LOGS_MODEL_CONFIG',
+    "__module__",
+    "__doc__",
+    "create_transaction",
+    "SESSION_COOKIE_HTTPONLY",
+    "SESSION_COOKIE_SAMESITE",
+    "DATABASE_SECRET_KEY",
+    "TESTING",
+    "SEND_FILE_MAX_AGE_DEFAULT",
+    "DISABLED_FOR_AUDIT_LOGS",
+    "DISABLED_FOR_PULL_LOGS",
+    "FEATURE_DISABLE_PULL_LOGS_FOR_FREE_NAMESPACES",
+    "ACTION_LOG_MAX_PAGE",
+    "NON_RATE_LIMITED_NAMESPACES",
+    "REPLICATION_QUEUE_NAME",
+    "DOCKERFILE_BUILD_QUEUE_NAME",
+    "CHUNK_CLEANUP_QUEUE_NAME",
+    "SECSCAN_NOTIFICATION_QUEUE_NAME",
+    "SECURITY_SCANNER_ISSUER_NAME",
+    "NOTIFICATION_QUEUE_NAME",
+    "NAMESPACE_GC_QUEUE_NAME",
+    "EXPORT_ACTION_LOGS_QUEUE_NAME",
+    "FEATURE_BILLING",
+    "BILLING_TYPE",
+    "INSTANCE_SERVICE_KEY_LOCATION",
+    "INSTANCE_SERVICE_KEY_REFRESH",
+    "INSTANCE_SERVICE_KEY_SERVICE",
+    "INSTANCE_SERVICE_KEY_KID_LOCATION",
+    "INSTANCE_SERVICE_KEY_EXPIRATION",
+    "UNAPPROVED_SERVICE_KEY_TTL_SEC",
+    "EXPIRED_SERVICE_KEY_TTL_SEC",
+    "REGISTRY_JWT_AUTH_MAX_FRESH_S",
+    "BITTORRENT_FILENAME_PEPPER",
+    "BITTORRENT_WEBSEED_LIFETIME",
+    "SERVICE_LOG_ACCOUNT_ID",
+    "BUILDLOGS_OPTIONS",
+    "LIBRARY_NAMESPACE",
+    "STAGGER_WORKERS",
+    "QUEUE_WORKER_METRICS_REFRESH_SECONDS",
+    "PUSH_TEMP_TAG_EXPIRATION_SEC",
+    "GARBAGE_COLLECTION_FREQUENCY",
+    "PAGE_TOKEN_KEY",
+    "BUILD_MANAGER",
+    "JWTPROXY_AUDIENCE",
+    "JWTPROXY_SIGNER",
+    "SECURITY_SCANNER_INDEXING_MIN_ID",
+    "STATIC_SITE_BUCKET",
+    "LABEL_KEY_RESERVED_PREFIXES",
+    "TEAM_SYNC_WORKER_FREQUENCY",
+    "JSONIFY_PRETTYPRINT_REGULAR",
+    "TUF_GUN_PREFIX",
+    "LOGGING_LEVEL",
+    "SIGNED_GRANT_EXPIRATION_SEC",
+    "PROMETHEUS_AGGREGATOR_URL",
+    "DB_TRANSACTION_FACTORY",
+    "NOTIFICATION_SEND_TIMEOUT",
+    "QUEUE_METRICS_TYPE",
+    "MAIL_FAIL_SILENTLY",
+    "LOCAL_OAUTH_HANDLER",
+    "USE_CDN",
+    "ANALYTICS_TYPE",
+    "LAST_ACCESSED_UPDATE_THRESHOLD_S",
+    "EXCEPTION_LOG_TYPE",
+    "SENTRY_DSN",
+    "SENTRY_PUBLIC_DSN",
+    "BILLED_NAMESPACE_MAXIMUM_BUILD_COUNT",
+    "THREAT_NAMESPACE_MAXIMUM_BUILD_COUNT",
+    "IP_DATA_API_KEY",
+    "SECURITY_SCANNER_ENDPOINT_BATCH",
+    "SECURITY_SCANNER_API_TIMEOUT_SECONDS",
+    "SECURITY_SCANNER_API_TIMEOUT_POST_SECONDS",
+    "SECURITY_SCANNER_ENGINE_VERSION_TARGET",
+    "SECURITY_SCANNER_READONLY_FAILOVER_ENDPOINTS",
+    "SECURITY_SCANNER_API_VERSION",
+    "REPO_MIRROR_INTERVAL",
+    "DATA_MODEL_CACHE_CONFIG",
+    # TODO: move this into the schema once we support signing in QE.
+    "FEATURE_SIGNING",
+    "TUF_SERVER",
+    "V1_ONLY_DOMAIN",
+    "LOGS_MODEL",
+    "LOGS_MODEL_CONFIG",
 }
 
 CONFIG_SCHEMA = {
-  'type': 'object',
-  'description': 'Schema for Quay configuration',
-  'required': [
-    'PREFERRED_URL_SCHEME',
-    'SERVER_HOSTNAME',
-    'DB_URI',
-    'AUTHENTICATION_TYPE',
-    'DISTRIBUTED_STORAGE_CONFIG',
-    'BUILDLOGS_REDIS',
-    'USER_EVENTS_REDIS',
-    'DISTRIBUTED_STORAGE_PREFERENCE',
-    'DEFAULT_TAG_EXPIRATION',
-    'TAG_EXPIRATION_OPTIONS',
-  ],
-  'properties': {
-    'V3_UPGRADE_MODE': {
-      'type': 'string',
-      'description': 'The current stage of the V3 upgrade.',
-      'enum': ['background', 'complete', 'production-transition', 'post-oci-rollout',
-               'post-oci-roll-back-compat'],
-      'x-example': 'background',
-    },
-
-    'REGISTRY_STATE': {
-      'type': 'string',
-      'description': 'The state of the registry.',
-      'enum': ['normal', 'readonly'],
-      'x-example': 'readonly',
-    },
-
-    # Hosting.
-    'PREFERRED_URL_SCHEME': {
-      'type': 'string',
-      'description': 'The URL scheme to use when hitting Quay. If Quay is behind SSL *at all*, this *must* be `https`',
-      'enum': ['http', 'https'],
-      'x-example': 'https',
-    },
-    'SERVER_HOSTNAME': {
-      'type': 'string',
-      'description': 'The URL at which Quay is accessible, without the scheme.',
-      'x-example': 'quay.io',
-    },
-    'EXTERNAL_TLS_TERMINATION': {
-      'type': 'boolean',
-      'description': 'If TLS is supported, but terminated at a layer before Quay, must be true.',
-      'x-example': True,
-    },
-
-    # SSL/TLS.
-    'SSL_CIPHERS': {
-      'type': 'array',
-      'description': 'If specified, the nginx-defined list of SSL ciphers to enabled and disabled',
-      'x-example': ['CAMELLIA', '!3DES'],
-      'x-reference': 'http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers',
-    },
-    'SSL_PROTOCOLS': {
-      'type': 'array',
-      'description': 'If specified, the nginx-defined list of SSL protocols to enabled and disabled',
-      'x-example': ['TLSv1.1', 'TLSv1.2'],
-      'x-reference': 'http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols',
-    },
-
-    # User-visible configuration.
-    'REGISTRY_TITLE': {
-      'type': 'string',
-      'description': 'If specified, the long-form title for the registry. Defaults to `Red Hat Quay`.',
-      'x-example': 'Corp Container Service',
-    },
-    'REGISTRY_TITLE_SHORT': {
-      'type': 'string',
-      'description': 'If specified, the short-form title for the registry. Defaults to `Red Hat Quay`.',
-      'x-example': 'CCS',
-    },
-    'CONTACT_INFO': {
-      'type': 'array',
-      'uniqueItems': True,
-      'description': 'If specified, contact information to display on the contact page. ' +
-                     'If only a single piece of contact information is specified, the contact footer will link directly.',
-      'items': [
-        {
-          'type': 'string',
-          'pattern': '^mailto:(.)+$',
-          'x-example': 'mailto:support@quay.io',
-          'description': 'Adds a link to send an e-mail',
+    "type": "object",
+    "description": "Schema for Quay configuration",
+    "required": [
+        "PREFERRED_URL_SCHEME",
+        "SERVER_HOSTNAME",
+        "DB_URI",
+        "AUTHENTICATION_TYPE",
+        "DISTRIBUTED_STORAGE_CONFIG",
+        "BUILDLOGS_REDIS",
+        "USER_EVENTS_REDIS",
+        "DISTRIBUTED_STORAGE_PREFERENCE",
+        "DEFAULT_TAG_EXPIRATION",
+        "TAG_EXPIRATION_OPTIONS",
+    ],
+    "properties": {
+        "V3_UPGRADE_MODE": {
+            "type": "string",
+            "description": "The current stage of the V3 upgrade.",
+            "enum": [
+                "background",
+                "complete",
+                "production-transition",
+                "post-oci-rollout",
+                "post-oci-roll-back-compat",
+            ],
+            "x-example": "background",
         },
-        {
-          'type': 'string',
-          'pattern': '^irc://(.)+$',
-          'x-example': 'irc://chat.freenode.net:6665/quay',
-          'description': 'Adds a link to visit an IRC chat room',
+        "REGISTRY_STATE": {
+            "type": "string",
+            "description": "The state of the registry.",
+            "enum": ["normal", "readonly"],
+            "x-example": "readonly",
         },
-        {
-          'type': 'string',
-          'pattern': '^tel:(.)+$',
-          'x-example': 'tel:+1-888-930-3475',
-          'description': 'Adds a link to call a phone number',
+        # Hosting.
+        "PREFERRED_URL_SCHEME": {
+            "type": "string",
+            "description": "The URL scheme to use when hitting Quay. If Quay is behind SSL *at all*, this *must* be `https`",
+            "enum": ["http", "https"],
+            "x-example": "https",
         },
-        {
-          'type': 'string',
-          'pattern': '^http(s)?://(.)+$',
-          'x-example': 'https://twitter.com/quayio',
-          'description': 'Adds a link to a defined URL',
+        "SERVER_HOSTNAME": {
+            "type": "string",
+            "description": "The URL at which Quay is accessible, without the scheme.",
+            "x-example": "quay.io",
         },
-      ],
-    },
-    'SEARCH_RESULTS_PER_PAGE' : {
-        'type': 'number',
-        'description': 'Number of results returned per page by search page. Defaults to 10',
-        'x-example': 10,
-    },
-    'SEARCH_MAX_RESULT_PAGE_COUNT' : {
-        'type': 'number',
-        'description': 'Maximum number of pages the user can paginate in search before they are limited. Defaults to 10',
-        'x-example': 10,
-    },
-
-    # E-mail.
-    'FEATURE_MAILING': {
-      'type': 'boolean',
-      'description': 'Whether emails are enabled. Defaults to True',
-      'x-example': True,
-    },
-    'MAIL_SERVER': {
-      'type': 'string',
-      'description': 'The SMTP server to use for sending e-mails. Only required if FEATURE_MAILING is set to true.',
-      'x-example': 'smtp.somedomain.com',
-    },
-    'MAIL_USE_TLS': {
-      'type': 'boolean',
-      'description': 'If specified, whether to use TLS for sending e-mails.',
-      'x-example': True,
-    },
-    'MAIL_PORT': {
-      'type': 'number',
-      'description': 'The SMTP port to use. If not specified, defaults to 587.',
-      'x-example': 588,
-    },
-    'MAIL_USERNAME': {
-      'type': ['string', 'null'],
-      'description': 'The SMTP username to use when sending e-mails.',
-      'x-example': 'myuser',
-    },
-    'MAIL_PASSWORD': {
-      'type': ['string', 'null'],
-      'description': 'The SMTP password to use when sending e-mails.',
-      'x-example': 'mypassword',
-    },
-    'MAIL_DEFAULT_SENDER': {
-      'type': ['string', 'null'],
-      'description': 'If specified, the e-mail address used as the `from` when Quay sends e-mails. If none, defaults to `support@quay.io`.',
-      'x-example': 'support@myco.com',
-    },
-
-    # Database.
-    'DB_URI': {
-      'type': 'string',
-      'description': 'The URI at which to access the database, including any credentials.',
-      'x-example': 'mysql+pymysql://username:password@dns.of.database/quay',
-      'x-reference': 'https://www.postgresql.org/docs/9.3/static/libpq-connect.html#AEN39495',
-    },
-    'DB_CONNECTION_ARGS': {
-      'type': 'object',
-      'description': 'If specified, connection arguments for the database such as timeouts and SSL.',
-      'properties': {
-        'threadlocals': {
-          'type': 'boolean',
-          'description': 'Whether to use thread-local connections. Should *ALWAYS* be `true`'
+        "EXTERNAL_TLS_TERMINATION": {
+            "type": "boolean",
+            "description": "If TLS is supported, but terminated at a layer before Quay, must be true.",
+            "x-example": True,
         },
-        'autorollback': {
-          'type': 'boolean',
-          'description': 'Whether to use auto-rollback connections. Should *ALWAYS* be `true`'
+        # SSL/TLS.
+        "SSL_CIPHERS": {
+            "type": "array",
+            "description": "If specified, the nginx-defined list of SSL ciphers to enabled and disabled",
+            "x-example": ["CAMELLIA", "!3DES"],
+            "x-reference": "http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers",
         },
-        'ssl': {
-          'type': 'object',
-          'description': 'SSL connection configuration',
-          'properties': {
-            'ca': {
-              'type': 'string',
-              'description': '*Absolute container path* to the CA certificate to use for SSL connections',
-              'x-example': 'conf/stack/ssl-ca-cert.pem',
+        "SSL_PROTOCOLS": {
+            "type": "array",
+            "description": "If specified, the nginx-defined list of SSL protocols to enabled and disabled",
+            "x-example": ["TLSv1.1", "TLSv1.2"],
+            "x-reference": "http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols",
+        },
+        # User-visible configuration.
+        "REGISTRY_TITLE": {
+            "type": "string",
+            "description": "If specified, the long-form title for the registry. Defaults to `Red Hat Quay`.",
+            "x-example": "Corp Container Service",
+        },
+        "REGISTRY_TITLE_SHORT": {
+            "type": "string",
+            "description": "If specified, the short-form title for the registry. Defaults to `Red Hat Quay`.",
+            "x-example": "CCS",
+        },
+        "CONTACT_INFO": {
+            "type": "array",
+            "uniqueItems": True,
+            "description": "If specified, contact information to display on the contact page. "
+            + "If only a single piece of contact information is specified, the contact footer will link directly.",
+            "items": [
+                {
+                    "type": "string",
+                    "pattern": "^mailto:(.)+$",
+                    "x-example": "mailto:support@quay.io",
+                    "description": "Adds a link to send an e-mail",
+                },
+                {
+                    "type": "string",
+                    "pattern": "^irc://(.)+$",
+                    "x-example": "irc://chat.freenode.net:6665/quay",
+                    "description": "Adds a link to visit an IRC chat room",
+                },
+                {
+                    "type": "string",
+                    "pattern": "^tel:(.)+$",
+                    "x-example": "tel:+1-888-930-3475",
+                    "description": "Adds a link to call a phone number",
+                },
+                {
+                    "type": "string",
+                    "pattern": "^http(s)?://(.)+$",
+                    "x-example": "https://twitter.com/quayio",
+                    "description": "Adds a link to a defined URL",
+                },
+            ],
+        },
+        "SEARCH_RESULTS_PER_PAGE": {
+            "type": "number",
+            "description": "Number of results returned per page by search page. Defaults to 10",
+            "x-example": 10,
+        },
+        "SEARCH_MAX_RESULT_PAGE_COUNT": {
+            "type": "number",
+            "description": "Maximum number of pages the user can paginate in search before they are limited. Defaults to 10",
+            "x-example": 10,
+        },
+        # E-mail.
+        "FEATURE_MAILING": {
+            "type": "boolean",
+            "description": "Whether emails are enabled. Defaults to True",
+            "x-example": True,
+        },
+        "MAIL_SERVER": {
+            "type": "string",
+            "description": "The SMTP server to use for sending e-mails. Only required if FEATURE_MAILING is set to true.",
+            "x-example": "smtp.somedomain.com",
+        },
+        "MAIL_USE_TLS": {
+            "type": "boolean",
+            "description": "If specified, whether to use TLS for sending e-mails.",
+            "x-example": True,
+        },
+        "MAIL_PORT": {
+            "type": "number",
+            "description": "The SMTP port to use. If not specified, defaults to 587.",
+            "x-example": 588,
+        },
+        "MAIL_USERNAME": {
+            "type": ["string", "null"],
+            "description": "The SMTP username to use when sending e-mails.",
+            "x-example": "myuser",
+        },
+        "MAIL_PASSWORD": {
+            "type": ["string", "null"],
+            "description": "The SMTP password to use when sending e-mails.",
+            "x-example": "mypassword",
+        },
+        "MAIL_DEFAULT_SENDER": {
+            "type": ["string", "null"],
+            "description": "If specified, the e-mail address used as the `from` when Quay sends e-mails. If none, defaults to `support@quay.io`.",
+            "x-example": "support@myco.com",
+        },
+        # Database.
+        "DB_URI": {
+            "type": "string",
+            "description": "The URI at which to access the database, including any credentials.",
+            "x-example": "mysql+pymysql://username:password@dns.of.database/quay",
+            "x-reference": "https://www.postgresql.org/docs/9.3/static/libpq-connect.html#AEN39495",
+        },
+        "DB_CONNECTION_ARGS": {
+            "type": "object",
+            "description": "If specified, connection arguments for the database such as timeouts and SSL.",
+            "properties": {
+                "threadlocals": {
+                    "type": "boolean",
+                    "description": "Whether to use thread-local connections. Should *ALWAYS* be `true`",
+                },
+                "autorollback": {
+                    "type": "boolean",
+                    "description": "Whether to use auto-rollback connections. Should *ALWAYS* be `true`",
+                },
+                "ssl": {
+                    "type": "object",
+                    "description": "SSL connection configuration",
+                    "properties": {
+                        "ca": {
+                            "type": "string",
+                            "description": "*Absolute container path* to the CA certificate to use for SSL connections",
+                            "x-example": "conf/stack/ssl-ca-cert.pem",
+                        }
+                    },
+                    "required": ["ca"],
+                },
             },
-          },
-          'required': ['ca'],
+            "required": ["threadlocals", "autorollback"],
         },
-      },
-      'required': ['threadlocals', 'autorollback'],
-    },
-    'ALLOW_PULLS_WITHOUT_STRICT_LOGGING': {
-      'type': 'boolean',
-      'description': 'If true, pulls in which the pull audit log entry cannot be written will ' +
-                     'still succeed. Useful if the database can fallback into a read-only state ' +
-                     'and it is desired for pulls to continue during that time. Defaults to False.',
-      'x-example': True,
-    },
-
-    # Storage.
-    'FEATURE_STORAGE_REPLICATION': {
-      'type': 'boolean',
-      'description': 'Whether to automatically replicate between storage engines. Defaults to False',
-      'x-example': False,
-    },
-    'FEATURE_PROXY_STORAGE': {
-      'type': 'boolean',
-      'description': 'Whether to proxy all direct download URLs in storage via the registry nginx. Defaults to False',
-      'x-example': False,
-    },
-    'MAXIMUM_LAYER_SIZE': {
-      'type': 'string',
-      'description': 'Maximum allowed size of an image layer. Defaults to 20G',
-      'x-example': '100G',
-      'pattern': '^[0-9]+(G|M)$',
-    },
-    'DISTRIBUTED_STORAGE_CONFIG': {
-      'type': 'object',
-      'description': 'Configuration for storage engine(s) to use in Quay. Each key is a unique ID' +
-                     ' for a storage engine, with the value being a tuple of the type and ' +
-                     ' configuration for that engine.',
-      'x-example': {
-        'local_storage': ['LocalStorage', {'storage_path': 'some/path/'}],
-      },
-      'items': {
-        'type': 'array',
-      },
-    },
-    'DISTRIBUTED_STORAGE_PREFERENCE': {
-      'type': 'array',
-      'description': 'The preferred storage engine(s) (by ID in DISTRIBUTED_STORAGE_CONFIG) to ' +
-                     'use. A preferred engine means it is first checked for pullig and images are ' +
-                     'pushed to it.',
-      'items': {
-        'type': 'string',
-        'uniqueItems': True,
-      },
-      'x-example': ['s3_us_east', 's3_us_west'],
-    },
-    'DISTRIBUTED_STORAGE_DEFAULT_LOCATIONS': {
-      'type': 'array',
-      'description': 'The list of storage engine(s) (by ID in DISTRIBUTED_STORAGE_CONFIG) whose ' +
-                     'images should be fully replicated, by default, to all other storage engines.',
-      'items': {
-        'type': 'string',
-        'uniqueItems': True,
-      },
-      'x-example': ['s3_us_east', 's3_us_west'],
-    },
-    'USERFILES_LOCATION': {
-      'type': 'string',
-      'description': 'ID of the storage engine in which to place user-uploaded files',
-      'x-example': 's3_us_east',
-    },
-    'USERFILES_PATH': {
-      'type': 'string',
-      'description': 'Path under storage in which to place user-uploaded files',
-      'x-example': 'userfiles',
-    },
-    'ACTION_LOG_ARCHIVE_LOCATION': {
-      'type': 'string',
-      'description': 'If action log archiving is enabled, the storage engine in which to place the ' +
-                     'archived data.',
-      'x-example': 's3_us_east',
-    },
-    'ACTION_LOG_ARCHIVE_PATH': {
-      'type': 'string',
-      'description': 'If action log archiving is enabled, the path in storage in which to place the ' +
-                     'archived data.',
-      'x-example': 'archives/actionlogs',
-    },
-    'ACTION_LOG_ROTATION_THRESHOLD': {
-        'type': 'string',
-        'description': 'If action log archiving is enabled, the time interval after which to ' +
-                       'archive data.',
-        'x-example': '30d',
-    },
-    'LOG_ARCHIVE_LOCATION': {
-      'type': 'string',
-      'description': 'If builds are enabled, the storage engine in which to place the ' +
-                     'archived build logs.',
-      'x-example': 's3_us_east',
-    },
-    'LOG_ARCHIVE_PATH': {
-      'type': 'string',
-      'description': 'If builds are enabled, the path in storage in which to place the ' +
-                     'archived build logs.',
-      'x-example': 'archives/buildlogs',
-    },
-
-    # Authentication.
-    'AUTHENTICATION_TYPE': {
-      'type': 'string',
-      'description': 'The authentication engine to use for credential authentication.',
-      'x-example': 'Database',
-      'enum': ['Database', 'LDAP', 'JWT', 'Keystone', 'OIDC', 'AppToken'],
-    },
-    'SUPER_USERS': {
-      'type': 'array',
-      'description': 'Quay usernames of those users to be granted superuser privileges',
-      'uniqueItems': True,
-      'items': {
-        'type': 'string',
-      },
-    },
-    'DIRECT_OAUTH_CLIENTID_WHITELIST': {
-      'type': 'array',
-      'description': 'A list of client IDs of *Quay-managed* applications that are allowed ' +
-                     'to perform direct OAuth approval without user approval.',
-      'x-reference': 'https://coreos.com/quay-enterprise/docs/latest/direct-oauth.html',
-      'uniqueItems': True,
-      'items': {
-        'type': 'string',
-      },
-    },
-
-    # Redis.
-    'BUILDLOGS_REDIS': {
-      'type': 'object',
-      'description': 'Connection information for Redis for build logs caching',
-      'required': ['host'],
-      'properties': {
-        'host': {
-          'type': 'string',
-          'description': 'The hostname at which Redis is accessible',
-          'x-example': 'my.redis.cluster',
+        "ALLOW_PULLS_WITHOUT_STRICT_LOGGING": {
+            "type": "boolean",
+            "description": "If true, pulls in which the pull audit log entry cannot be written will "
+            + "still succeed. Useful if the database can fallback into a read-only state "
+            + "and it is desired for pulls to continue during that time. Defaults to False.",
+            "x-example": True,
         },
-        'port': {
-          'type': 'number',
-          'description': 'The port at which Redis is accessible',
-          'x-example': 1234,
+        # Storage.
+        "FEATURE_STORAGE_REPLICATION": {
+            "type": "boolean",
+            "description": "Whether to automatically replicate between storage engines. Defaults to False",
+            "x-example": False,
         },
-        'password': {
-          'type': 'string',
-          'description': 'The password to connect to the Redis instance',
-          'x-example': 'mypassword',
+        "FEATURE_PROXY_STORAGE": {
+            "type": "boolean",
+            "description": "Whether to proxy all direct download URLs in storage via the registry nginx. Defaults to False",
+            "x-example": False,
         },
-      },
-    },
-    'USER_EVENTS_REDIS': {
-      'type': 'object',
-      'description': 'Connection information for Redis for user event handling',
-      'required': ['host'],
-      'properties': {
-        'host': {
-          'type': 'string',
-          'description': 'The hostname at which Redis is accessible',
-          'x-example': 'my.redis.cluster',
+        "MAXIMUM_LAYER_SIZE": {
+            "type": "string",
+            "description": "Maximum allowed size of an image layer. Defaults to 20G",
+            "x-example": "100G",
+            "pattern": "^[0-9]+(G|M)$",
         },
-        'port': {
-          'type': 'number',
-          'description': 'The port at which Redis is accessible',
-          'x-example': 1234,
-        },
-        'password': {
-          'type': 'string',
-          'description': 'The password to connect to the Redis instance',
-          'x-example': 'mypassword',
-        },
-      },
-    },
-
-    # OAuth configuration.
-    'GITHUB_LOGIN_CONFIG': {
-      'type': ['object', 'null'],
-      'description': 'Configuration for using GitHub (Enterprise) as an external login provider',
-      'required': ['CLIENT_ID', 'CLIENT_SECRET'],
-      'x-reference': 'https://coreos.com/quay-enterprise/docs/latest/github-auth.html',
-      'properties': {
-        'GITHUB_ENDPOINT': {
-          'type': 'string',
-          'description': 'The endpoint of the GitHub (Enterprise) being hit',
-          'x-example': 'https://github.com/',
-        },
-        'API_ENDPOINT': {
-          'type': 'string',
-          'description': 'The endpoint of the GitHub (Enterprise) API to use. Must be overridden for github.com',
-          'x-example': 'https://api.github.com/',
-        },
-        'CLIENT_ID': {
-          'type': 'string',
-          'description': 'The registered client ID for this Quay instance; cannot be shared with GITHUB_TRIGGER_CONFIG',
-          'x-example': '0e8dbe15c4c7630b6780',
-          'x-reference': 'https://coreos.com/quay-enterprise/docs/latest/github-app.html',
-        },
-        'CLIENT_SECRET': {
-          'type': 'string',
-          'description': 'The registered client secret for this Quay instance',
-          'x-example': 'e4a58ddd3d7408b7aec109e85564a0d153d3e846',
-          'x-reference': 'https://coreos.com/quay-enterprise/docs/latest/github-app.html',
-        },
-        'ORG_RESTRICT': {
-          'type': 'boolean',
-          'description': 'If true, only users within the organization whitelist can login using this provider',
-          'x-example': True,
-        },
-        'ALLOWED_ORGANIZATIONS': {
-          'type': 'array',
-          'description': 'The names of the GitHub (Enterprise) organizations whitelisted to work with the ORG_RESTRICT option',
-          'uniqueItems': True,
-          'items': {
-              'type': 'string',
-          },
-        },
-      },
-    },
-    'BITBUCKET_TRIGGER_CONFIG': {
-      'type': ['object', 'null'],
-      'description': 'Configuration for using BitBucket for build triggers',
-      'required': ['CONSUMER_KEY', 'CONSUMER_SECRET'],
-      'x-reference': 'https://coreos.com/quay-enterprise/docs/latest/bitbucket-build.html',
-      'properties': {
-        'CONSUMER_KEY': {
-          'type': 'string',
-          'description': 'The registered consumer key (client ID) for this Quay instance',
-          'x-example': '0e8dbe15c4c7630b6780',
-        },
-        'CONSUMER_SECRET': {
-          'type': 'string',
-          'description': 'The registered consumer secret (client secret) for this Quay instance',
-          'x-example': 'e4a58ddd3d7408b7aec109e85564a0d153d3e846',
-        },
-      },
-    },
-    'GITHUB_TRIGGER_CONFIG': {
-      'type': ['object', 'null'],
-      'description': 'Configuration for using GitHub (Enterprise) for build triggers',
-      'required': ['GITHUB_ENDPOINT', 'CLIENT_ID', 'CLIENT_SECRET'],
-      'x-reference': 'https://coreos.com/quay-enterprise/docs/latest/github-build.html',
-      'properties': {
-        'GITHUB_ENDPOINT': {
-          'type': 'string',
-          'description': 'The endpoint of the GitHub (Enterprise) being hit',
-          'x-example': 'https://github.com/',
-        },
-        'API_ENDPOINT': {
-          'type': 'string',
-          'description': 'The endpoint of the GitHub (Enterprise) API to use. Must be overridden for github.com',
-          'x-example': 'https://api.github.com/',
-        },
-        'CLIENT_ID': {
-          'type': 'string',
-          'description': 'The registered client ID for this Quay instance; cannot be shared with GITHUB_LOGIN_CONFIG',
-          'x-example': '0e8dbe15c4c7630b6780',
-          'x-reference': 'https://coreos.com/quay-enterprise/docs/latest/github-app.html',
-        },
-        'CLIENT_SECRET': {
-          'type': 'string',
-          'description': 'The registered client secret for this Quay instance',
-          'x-example': 'e4a58ddd3d7408b7aec109e85564a0d153d3e846',
-          'x-reference': 'https://coreos.com/quay-enterprise/docs/latest/github-app.html',
-        },
-      },
-    },
-    'GOOGLE_LOGIN_CONFIG': {
-      'type': ['object', 'null'],
-      'description': 'Configuration for using Google for external authentication',
-      'required': ['CLIENT_ID', 'CLIENT_SECRET'],
-      'properties': {
-        'CLIENT_ID': {
-          'type': 'string',
-          'description': 'The registered client ID for this Quay instance',
-          'x-example': '0e8dbe15c4c7630b6780',
-        },
-        'CLIENT_SECRET': {
-          'type': 'string',
-          'description': 'The registered client secret for this Quay instance',
-          'x-example': 'e4a58ddd3d7408b7aec109e85564a0d153d3e846',
-        },
-      },
-    },
-    'GITLAB_TRIGGER_CONFIG': {
-      'type': ['object', 'null'],
-      'description': 'Configuration for using Gitlab (Enterprise) for external authentication',
-      'required': ['GITLAB_ENDPOINT', 'CLIENT_ID', 'CLIENT_SECRET'],
-      'properties': {
-        'GITLAB_ENDPOINT': {
-          'type': 'string',
-          'description': 'The endpoint at which Gitlab(Enterprise) is running',
-          'x-example': 'https://gitlab.com',
-        },
-        'CLIENT_ID': {
-          'type': 'string',
-          'description': 'The registered client ID for this Quay instance',
-          'x-example': '0e8dbe15c4c7630b6780',
-        },
-        'CLIENT_SECRET': {
-          'type': 'string',
-          'description': 'The registered client secret for this Quay instance',
-          'x-example': 'e4a58ddd3d7408b7aec109e85564a0d153d3e846',
-        },
-      },
-    },
-
-    'BRANDING': {
-      'type': ['object', 'null'],
-      'description': 'Custom branding for logos and URLs in the Quay UI',
-      'required': ['logo'],
-      'properties': {
-        'logo': {
-          'type': 'string',
-          'description': 'Main logo image URL',
-          'x-example': '/static/img/quay-horizontal-color.svg',
-        },
-        'footer_img': {
-          'type': 'string',
-          'description': 'Logo for UI footer',
-          'x-example': '/static/img/RedHat.svg',
-        },
-        'footer_url': {
-          'type': 'string',
-          'description': 'Link for footer image',
-          'x-example': 'https://redhat.com',
-        }
-      }
-    },
-
-    # Health.
-    'HEALTH_CHECKER': {
-      'description': 'The configured health check.',
-      'x-example': ('RDSAwareHealthCheck', {'access_key': 'foo', 'secret_key': 'bar'}),
-    },
-
-    # Metrics.
-    'PROMETHEUS_NAMESPACE': {
-      'type': 'string',
-      'description': 'The prefix applied to all exposed Prometheus metrics. Defaults to `quay`',
-      'x-example': 'myregistry',
-    },
-
-    # Misc configuration.
-    'BLACKLIST_V2_SPEC': {
-      'type': 'string',
-      'description': 'The Docker CLI versions to which Quay will respond that V2 is *unsupported*. Defaults to `<1.6.0`',
-      'x-reference': 'http://pythonhosted.org/semantic_version/reference.html#semantic_version.Spec',
-      'x-example': '<1.8.0',
-    },
-    'USER_RECOVERY_TOKEN_LIFETIME': {
-      'type': 'string',
-      'description': 'The length of time a token for recovering a user accounts is valid. Defaults to 30m.',
-      'x-example': '10m',
-      'pattern': '^[0-9]+(w|m|d|h|s)$',
-    },
-    'SESSION_COOKIE_SECURE': {
-      'type': 'boolean',
-      'description': 'Whether the `secure` property should be set on session cookies. ' +
-                     'Defaults to False. Recommended to be True for all installations using SSL.',
-      'x-example': True,
-      'x-reference': 'https://en.wikipedia.org/wiki/Secure_cookies',
-    },
-    'PUBLIC_NAMESPACES': {
-      'type': 'array',
-      'description': 'If a namespace is defined in the public namespace list, then it will appear on *all*' +
-                     ' user\'s repository list pages, regardless of whether that user is a member of the namespace.' +
-                     ' Typically, this is used by an enterprise customer in configuring a set of "well-known"' +
-                     ' namespaces.',
-      'uniqueItems': True,
-      'items': {
-        'type': 'string',
-      },
-    },
-    'AVATAR_KIND': {
-      'type': 'string',
-      'description': 'The types of avatars to display, either generated inline (local) or Gravatar (gravatar)',
-      'enum': ['local', 'gravatar'],
-    },
-    'V2_PAGINATION_SIZE': {
-      'type': 'number',
-      'description': 'The number of results returned per page in V2 registry APIs',
-      'x-example': 100,
-    },
-    'ENABLE_HEALTH_DEBUG_SECRET': {
-      'type': ['string', 'null'],
-      'description': 'If specified, a secret that can be given to health endpoints to see full debug info when' +
-                     'not authenticated as a superuser',
-      'x-example': 'somesecrethere',
-    },
-    'BROWSER_API_CALLS_XHR_ONLY': {
-      'type': 'boolean',
-      'description': 'If enabled, only API calls marked as being made by an XHR will be allowed from browsers. Defaults to True.',
-      'x-example': False,
-    },
-
-    # Time machine and tag expiration settings.
-    'FEATURE_CHANGE_TAG_EXPIRATION': {
-      'type': 'boolean',
-      'description': 'Whether users and organizations are allowed to change the tag expiration for tags in their namespace. Defaults to True.',
-      'x-example': False,
-    },
-    'DEFAULT_TAG_EXPIRATION': {
-      'type': 'string',
-      'description': 'The default, configurable tag expiration time for time machine. Defaults to `2w`.',
-      'pattern': '^[0-9]+(w|m|d|h|s)$',
-    },
-    'TAG_EXPIRATION_OPTIONS': {
-      'type': 'array',
-      'description': 'The options that users can select for expiration of tags in their namespace (if enabled)',
-      'items': {
-        'type': 'string',
-        'pattern': '^[0-9]+(w|m|d|h|s)$',
-      },
-    },
-
-    # Team syncing.
-    'FEATURE_TEAM_SYNCING': {
-      'type': 'boolean',
-      'description': 'Whether to allow for team membership to be synced from a backing group in the authentication engine (LDAP or Keystone)',
-      'x-example': True,
-    },
-    'TEAM_RESYNC_STALE_TIME': {
-      'type': 'string',
-      'description': 'If team syncing is enabled for a team, how often to check its membership and resync if necessary (Default: 30m)',
-      'x-example': '2h',
-      'pattern': '^[0-9]+(w|m|d|h|s)$',
-    },
-    'FEATURE_NONSUPERUSER_TEAM_SYNCING_SETUP': {
-      'type': 'boolean',
-      'description': 'If enabled, non-superusers can setup syncing on teams to backing LDAP or Keystone. Defaults To False.',
-      'x-example': True,
-    },
-
-    # Security scanning.
-    'FEATURE_SECURITY_SCANNER': {
-      'type': 'boolean',
-      'description': 'Whether to turn of/off the security scanner. Defaults to False',
-      'x-example': False,
-      'x-reference': 'https://coreos.com/quay-enterprise/docs/latest/security-scanning.html',
-    },
-    'FEATURE_SECURITY_NOTIFICATIONS': {
-      'type': 'boolean',
-      'description': 'If the security scanner is enabled, whether to turn of/off security notificaitons. Defaults to False',
-      'x-example': False,
-    },
-    'SECURITY_SCANNER_ENDPOINT' : {
-      'type': 'string',
-      'pattern': '^http(s)?://(.)+$',
-      'description': 'The endpoint for the security scanner',
-      'x-example': 'http://192.168.99.101:6060' ,
-    },
-    'SECURITY_SCANNER_INDEXING_INTERVAL': {
-      'type': 'number',
-      'description': 'The number of seconds between indexing intervals in the security scanner. Defaults to 30.',
-      'x-example': 30,
-    },
-
-    # Repository mirroring
-    'REPO_MIRROR_INTERVAL': {
-      'type': 'number',
-      'description': 'The number of seconds between checking for repository mirror candidates. Defaults to 30.',
-      'x-example': 30,
-    },
-
-    # Bittorrent support.
-    'FEATURE_BITTORRENT': {
-      'type': 'boolean',
-      'description': 'Whether to allow using Bittorrent-based pulls. Defaults to False',
-      'x-example': False,
-      'x-reference': 'https://coreos.com/quay-enterprise/docs/latest/bittorrent.html',
-    },
-    'BITTORRENT_PIECE_SIZE': {
-       'type': 'number',
-       'description': 'The bittorent piece size to use. If not specified, defaults to 512 * 1024.',
-       'x-example': 512 * 1024,
-    },
-    'BITTORRENT_ANNOUNCE_URL': {
-       'type': 'string',
-       'pattern': '^http(s)?://(.)+$',
-       'description': 'The URL of the announce endpoint on the bittorrent tracker',
-       'x-example': 'https://localhost:6881/announce',
-    },
-
-    # Build
-    'FEATURE_GITHUB_BUILD': {
-      'type': 'boolean',
-      'description': 'Whether to support GitHub build triggers. Defaults to False',
-      'x-example': False,
-    },
-    'FEATURE_BITBUCKET_BUILD': {
-      'type': 'boolean',
-      'description': 'Whether to support Bitbucket build triggers. Defaults to False',
-      'x-example': False,
-    },
-    'FEATURE_GITLAB_BUILD': {
-      'type': 'boolean',
-      'description': 'Whether to support GitLab build triggers. Defaults to False',
-      'x-example': False,
-    },
-    'FEATURE_BUILD_SUPPORT': {
-      'type': 'boolean',
-      'description': 'Whether to support Dockerfile build. Defaults to True',
-      'x-example': True,
-    },
-    'DEFAULT_NAMESPACE_MAXIMUM_BUILD_COUNT': {
-      'type': ['number', 'null'],
-      'description': 'If not None, the default maximum number of builds that can be queued in a namespace.',
-      'x-example': 20,
-    },
-    'SUCCESSIVE_TRIGGER_INTERNAL_ERROR_DISABLE_THRESHOLD': {
-      'type': ['number', 'null'],
-      'description': 'If not None, the number of successive internal errors that can occur before a build trigger is automatically disabled. Defaults to 5.',
-      'x-example': 10,
-    },
-    'SUCCESSIVE_TRIGGER_FAILURE_DISABLE_THRESHOLD': {
-      'type': ['number', 'null'],
-      'description': 'If not None, the number of successive failures that can occur before a build trigger is automatically disabled. Defaults to 100.',
-      'x-example': 50,
-    },
-
-    # Login
-    'FEATURE_GITHUB_LOGIN': {
-      'type': 'boolean',
-      'description': 'Whether GitHub login is supported. Defaults to False',
-      'x-example': False,
-    },
-    'FEATURE_GOOGLE_LOGIN': {
-      'type': 'boolean',
-      'description': 'Whether Google login is supported. Defaults to False',
-      'x-example': False,
-    },
-
-    # Recaptcha
-    'FEATURE_RECAPTCHA': {
-      'type': 'boolean',
-      'description': 'Whether Recaptcha is necessary for user login and recovery. Defaults to False',
-      'x-example': False,
-      'x-reference': 'https://www.google.com/recaptcha/intro/',
-    },
-    'RECAPTCHA_SITE_KEY': {
-      'type': ['string', 'null'],
-      'description': 'If recaptcha is enabled, the site key for the Recaptcha service',
-    },
-    'RECAPTCHA_SECRET_KEY': {
-      'type': ['string', 'null'],
-      'description': 'If recaptcha is enabled, the secret key for the Recaptcha service',
-    },
-
-    # External application tokens.
-    'FEATURE_APP_SPECIFIC_TOKENS': {
-      'type': 'boolean',
-      'description': 'If enabled, users can create tokens for use by the Docker CLI. Defaults to True',
-      'x-example': False,
-    },
-
-    'APP_SPECIFIC_TOKEN_EXPIRATION': {
-      'type': ['string', 'null'],
-      'description': 'The expiration for external app tokens. Defaults to None.',
-      'pattern': '^[0-9]+(w|m|d|h|s)$',
-    },
-
-    'EXPIRED_APP_SPECIFIC_TOKEN_GC': {
-      'type': ['string', 'null'],
-      'description': 'Duration of time expired external app tokens will remain before being garbage collected. Defaults to 1d.',
-      'pattern': '^[0-9]+(w|m|d|h|s)$',
-    },
-
-    # Feature Flag: Garbage collection.
-    'FEATURE_GARBAGE_COLLECTION': {
-      'type': 'boolean',
-      'description': 'Whether garbage collection of repositories is enabled. Defaults to True',
-      'x-example': False,
-    },
-
-    # Feature Flag: Rate limits.
-    'FEATURE_RATE_LIMITS': {
-      'type': 'boolean',
-      'description': 'Whether to enable rate limits on API and registry endpoints. Defaults to False',
-      'x-example': True,
-    },
-
-    # Feature Flag: Aggregated log retrieval.
-    'FEATURE_AGGREGATED_LOG_COUNT_RETRIEVAL': {
-      'type': 'boolean',
-      'description': 'Whether to allow retrieval of aggregated log counts. Defaults to True',
-      'x-example': True,
-    },
-
-    # Feature Flag: Log export.
-    'FEATURE_LOG_EXPORT': {
-      'type': 'boolean',
-      'description': 'Whether to allow exporting of action logs. Defaults to True',
-      'x-example': True,
-    },
-
-    # Feature Flag: User last accessed.
-    'FEATURE_USER_LAST_ACCESSED': {
-      'type': 'boolean',
-      'description': 'Whether to record the last time a user was accessed. Defaults to True',
-      'x-example': True,
-    },
-
-    # Feature Flag: Permanent Sessions.
-    'FEATURE_PERMANENT_SESSIONS': {
-      'type': 'boolean',
-      'description': 'Whether sessions are permanent. Defaults to True',
-      'x-example': True,
-    },
-
-    # Feature Flag: Super User Support.
-    'FEATURE_SUPER_USERS': {
-      'type': 'boolean',
-      'description': 'Whether super users are supported. Defaults to True',
-      'x-example': True,
-    },
-
-    # Feature Flag: Anonymous Users.
-    'FEATURE_ANONYMOUS_ACCESS': {
-      'type': 'boolean',
-      'description': ' Whether to allow anonymous users to browse and pull public repositories. Defaults to True',
-      'x-example': True,
-    },
-
-    # Feature Flag: User Creation.
-    'FEATURE_USER_CREATION': {
-      'type': 'boolean',
-      'description': 'Whether users can be created (by non-super users). Defaults to True',
-      'x-example': True,
-    },
-
-    # Feature Flag: Invite Only User Creation.
-    'FEATURE_INVITE_ONLY_USER_CREATION': {
-      'type': 'boolean',
-      'description': 'Whether users being created must be invited by another user. Defaults to False',
-      'x-example': False,
-    },
-
-    # Feature Flag: Encrypted Basic Auth.
-    'FEATURE_REQUIRE_ENCRYPTED_BASIC_AUTH': {
-      'type': 'boolean',
-      'description': 'Whether non-encrypted passwords (as opposed to encrypted tokens) can be used for basic auth. Defaults to False',
-      'x-example': False,
-    },
-
-    # Feature Flag: Direct Login.
-    'FEATURE_DIRECT_LOGIN': {
-      'type': 'boolean',
-      'description': 'Whether users can directly login to the UI. Defaults to True',
-      'x-example': True,
-    },
-
-    # Feature Flag: Advertising V2.
-    'FEATURE_ADVERTISE_V2': {
-      'type': 'boolean',
-      'description': 'Whether the v2/ endpoint is visible. Defaults to True',
-      'x-example': True,
-    },
-
-    # Feature Flag: Log Rotation.
-    'FEATURE_ACTION_LOG_ROTATION': {
-      'type': 'boolean',
-      'description': 'Whether or not to rotate old action logs to storage. Defaults to False',
-      'x-example': False,
-    },
-
-    # Feature Flag: ACI Conversion.
-    'FEATURE_ACI_CONVERSION': {
-      'type': 'boolean',
-      'description': 'Whether to enable conversion to ACIs. Defaults to False',
-      'x-example': False,
-    },
-
-    # Feature Flag: Library Support.
-    'FEATURE_LIBRARY_SUPPORT': {
-      'type': 'boolean',
-      'description': 'Whether to allow for "namespace-less" repositories when pulling and pushing from Docker. Defaults to True',
-      'x-example': True,
-    },
-
-    # Feature Flag: Require Team Invite.
-    'FEATURE_REQUIRE_TEAM_INVITE': {
-      'type': 'boolean',
-      'description': 'Whether to require invitations when adding a user to a team. Defaults to True',
-      'x-example': True,
-    },
-
-    # Feature Flag: Collecting and Supporting Metadata.
-    'FEATURE_USER_METADATA': {
-      'type': 'boolean',
-      'description': 'Whether to collect and support user metadata. Defaults to False',
-      'x-example': False,
-    },
-
-    # Feature Flag: Support App Registry.
-    'FEATURE_APP_REGISTRY': {
-      'type': 'boolean',
-      'description': 'Whether to enable support for App repositories. Defaults to False',
-      'x-example': False,
-    },
-
-    # Feature Flag: Read only app registry.
-    'FEATURE_READONLY_APP_REGISTRY': {
-      'type': 'boolean',
-      'description': 'Whether to App repositories are read-only. Defaults to False',
-      'x-example': True,
-    },
-
-    # Feature Flag: Public Reposiotires in _catalog Endpoint.
-    'FEATURE_PUBLIC_CATALOG': {
-      'type': 'boolean',
-      'description': 'If set to true, the _catalog endpoint returns public repositories. Otherwise, only private repositories can be returned. Defaults to False',
-      'x-example': False,
-    },
-
-    # Feature Flag: Reader Build Logs.
-    'FEATURE_READER_BUILD_LOGS': {
-      'type': 'boolean',
-      'description': 'If set to true, build logs may be read by those with read access to the repo, rather than only write access or admin access. Defaults to False',
-      'x-example': False,
-    },
-
-    # Feature Flag: Usernames Autocomplete.
-    'FEATURE_PARTIAL_USER_AUTOCOMPLETE': {
-      'type': 'boolean',
-      'description': 'If set to true, autocompletion will apply to partial usernames. Defaults to True',
-      'x-example': True,
-    },
-
-    # Feature Flag: User log access.
-    'FEATURE_USER_LOG_ACCESS': {
-      'type': 'boolean',
-      'description': 'If set to true, users will have access to audit logs for their namespace. Defaults to False',
-      'x-example': True,
-    },
-
-    # Feature Flag: User renaming.
-    'FEATURE_USER_RENAME': {
-      'type': 'boolean',
-      'description': 'If set to true, users can rename their own namespace. Defaults to False',
-      'x-example': True,
-    },
-
-    # Feature Flag: Username confirmation.
-    'FEATURE_USERNAME_CONFIRMATION': {
-      'type': 'boolean',
-      'description': 'If set to true, users can confirm their generated usernames. Defaults to True',
-      'x-example': False,
-    },
-
-    # Feature Flag: V1 push restriction.
-    'FEATURE_RESTRICTED_V1_PUSH': {
-      'type': 'boolean',
-      'description': 'If set to true, only namespaces listed in V1_PUSH_WHITELIST support V1 push. Defaults to True',
-      'x-example': False,
-    },
-
-    # Feature Flag: Support Repository Mirroring.
-    'FEATURE_REPO_MIRROR': {
-      'type': 'boolean',
-      'description': 'Whether to enable support for repository mirroring. Defaults to False',
-      'x-example': False,
-    },
-
-    'REPO_MIRROR_TLS_VERIFY': {
-      'type': 'boolean',
-      'description': 'Require HTTPS and verify certificates of Quay registry during mirror. Defaults to True',
-      'x-example': True,
-    },
-
-    'REPO_MIRROR_SERVER_HOSTNAME': {
-      'type': 'string',
-      'description': 'Replaces the SERVER_HOSTNAME as the destination for mirroring. Defaults to unset',
-      'x-example': "openshift-quay-service",
-    },
-
-    # Feature Flag: V1 push restriction.
-    'V1_PUSH_WHITELIST': {
-      'type': 'array',
-      'description': 'The array of namespace names that support V1 push if FEATURE_RESTRICTED_V1_PUSH is set to true.',
-      'x-example': ['some', 'namespaces'],
-    },
-
-    # Logs model
-    'LOGS_MODEL': {
-      'type': 'string',
-      'description': 'Logs model for action logs',
-      'enum': ['database', 'transition_reads_both_writes_es', 'elasticsearch'],
-      'x-example': 'database',
-    },
-
-    'LOGS_MODEL_CONFIG': {
-      'type': 'object',
-      'description': 'Logs model config for action logs',
-      'x-reference': 'https://www.elastic.co/guide/en/elasticsearch/guide/master/_index_settings.html',
-
-      'properties': {
-        'producer': {
-          'type': 'string',
-          'description': 'Logs producer if logging to Elasticsearch',
-          'enum': ['kafka', 'elasticsearch', 'kinesis_stream'],
-          'x-example': 'kafka',
-        },
-
-        'elasticsearch_config': {
-          'type': 'object',
-          'description': 'Elasticsearch cluster configuration',
-          'properties': {
-            'host': {
-              'type': 'string',
-              'description': 'Elasticsearch cluster endpoint',
-              'x-example': 'host.elasticsearch.example'
+        "DISTRIBUTED_STORAGE_CONFIG": {
+            "type": "object",
+            "description": "Configuration for storage engine(s) to use in Quay. Each key is a unique ID"
+            + " for a storage engine, with the value being a tuple of the type and "
+            + " configuration for that engine.",
+            "x-example": {
+                "local_storage": ["LocalStorage", {"storage_path": "some/path/"}]
             },
-
-            'port': {
-              'type': 'number',
-              'description': 'Elasticsearch cluster endpoint port',
-              'x-example': 1234
-            },
-
-            'access_key': {
-              'type': 'string',
-              'description': 'Elasticsearch user (or IAM key for AWS ES)',
-              'x-example': 'some_string'
-            },
-
-            'secret_key': {
-              'type': 'string',
-              'description': 'Elasticsearch password (or IAM secret for AWS ES)',
-              'x-example': 'some_secret_string'
-            },
-
-            'aws_region': {
-              'type': 'string',
-              'description': 'Amazon web service region',
-              'x-example': 'us-east-1'
-            },
-
-            'use_ssl': {
-              'type': 'boolean',
-              'description': 'Use ssl for Elasticsearch. Defaults to True',
-              'x-example': True
-            },
-
-            'index_prefix': {
-              'type': 'string',
-              'description': 'Elasticsearch\'s index prefix',
-              'x-example': 'logentry_',
-            },
-
-            'index_settings': {
-              'type': 'object',
-              'description': 'Elasticsearch\'s index settings'
-            },
-          },
+            "items": {"type": "array"},
         },
-
-        'kafka_config': {
-          'type': 'object',
-          'description': 'Kafka cluster configuration',
-          'properties': {
-            'bootstrap_servers': {
-              'type': 'array',
-              'description': 'List of Kafka brokers to bootstrap the client from',
-              'uniqueItems': True,
-              'items': {
-                'type': 'string',
-              },
-            },
-            'topic': {
-              'type': 'string',
-              'description': 'Kafka topic to publish log entries to',
-              'x-example': 'logentry',
-            },
-            'max_block_seconds': {
-              'type': 'number',
-              'description': 'Max number of seconds to block during a `send()`, either because the buffer is full or metadata unavailable',
-              'x-example': 10,
-            },
-          },
+        "DISTRIBUTED_STORAGE_PREFERENCE": {
+            "type": "array",
+            "description": "The preferred storage engine(s) (by ID in DISTRIBUTED_STORAGE_CONFIG) to "
+            + "use. A preferred engine means it is first checked for pullig and images are "
+            + "pushed to it.",
+            "items": {"type": "string", "uniqueItems": True},
+            "x-example": ["s3_us_east", "s3_us_west"],
         },
-
-        'kinesis_stream_config': {
-          'type': 'object',
-          'description': 'AWS Kinesis Stream configuration',
-          'properties': {
-            'stream_name': {
-              'type': 'string',
-              'description': 'Kinesis stream to send action logs to',
-              'x-example': 'logentry-kinesis-stream',
-            },
-            'aws_region': {
-              'type': 'string',
-              'description': 'AWS region',
-              'x-example': 'us-east-1',
-            },
-            'aws_access_key': {
-              'type': 'string',
-              'description': 'AWS access key',
-              'x-example': 'some_access_key',
-            },
-            'aws_secret_key': {
-              'type': 'string',
-              'description': 'AWS secret key',
-              'x-example': 'some_secret_key',
-            },
-            'connect_timeout': {
-              'type': 'number',
-              'description': 'Number of seconds before timeout when attempting to make a connection',
-              'x-example': 5,
-            },
-            'read_timeout': {
-              'type': 'number',
-              'description': 'Number of seconds before timeout when reading from a connection',
-              'x-example': 5,
-            },
-            'retries': {
-              'type': 'number',
-              'description': 'Max number of attempts made on a single request',
-              'x-example': 5,
-            },
-            'max_pool_connections': {
-              'type': 'number',
-              'description': 'The maximum number of connections to keep in a connection pool',
-              'x-example': 10,
-            }
-          },
+        "DISTRIBUTED_STORAGE_DEFAULT_LOCATIONS": {
+            "type": "array",
+            "description": "The list of storage engine(s) (by ID in DISTRIBUTED_STORAGE_CONFIG) whose "
+            + "images should be fully replicated, by default, to all other storage engines.",
+            "items": {"type": "string", "uniqueItems": True},
+            "x-example": ["s3_us_east", "s3_us_west"],
+        },
+        "USERFILES_LOCATION": {
+            "type": "string",
+            "description": "ID of the storage engine in which to place user-uploaded files",
+            "x-example": "s3_us_east",
+        },
+        "USERFILES_PATH": {
+            "type": "string",
+            "description": "Path under storage in which to place user-uploaded files",
+            "x-example": "userfiles",
+        },
+        "ACTION_LOG_ARCHIVE_LOCATION": {
+            "type": "string",
+            "description": "If action log archiving is enabled, the storage engine in which to place the "
+            + "archived data.",
+            "x-example": "s3_us_east",
+        },
+        "ACTION_LOG_ARCHIVE_PATH": {
+            "type": "string",
+            "description": "If action log archiving is enabled, the path in storage in which to place the "
+            + "archived data.",
+            "x-example": "archives/actionlogs",
+        },
+        "ACTION_LOG_ROTATION_THRESHOLD": {
+            "type": "string",
+            "description": "If action log archiving is enabled, the time interval after which to "
+            + "archive data.",
+            "x-example": "30d",
+        },
+        "LOG_ARCHIVE_LOCATION": {
+            "type": "string",
+            "description": "If builds are enabled, the storage engine in which to place the "
+            + "archived build logs.",
+            "x-example": "s3_us_east",
+        },
+        "LOG_ARCHIVE_PATH": {
+            "type": "string",
+            "description": "If builds are enabled, the path in storage in which to place the "
+            + "archived build logs.",
+            "x-example": "archives/buildlogs",
+        },
+        # Authentication.
+        "AUTHENTICATION_TYPE": {
+            "type": "string",
+            "description": "The authentication engine to use for credential authentication.",
+            "x-example": "Database",
+            "enum": ["Database", "LDAP", "JWT", "Keystone", "OIDC", "AppToken"],
+        },
+        "SUPER_USERS": {
+            "type": "array",
+            "description": "Quay usernames of those users to be granted superuser privileges",
+            "uniqueItems": True,
+            "items": {"type": "string"},
+        },
+        "DIRECT_OAUTH_CLIENTID_WHITELIST": {
+            "type": "array",
+            "description": "A list of client IDs of *Quay-managed* applications that are allowed "
+            + "to perform direct OAuth approval without user approval.",
+            "x-reference": "https://coreos.com/quay-enterprise/docs/latest/direct-oauth.html",
+            "uniqueItems": True,
+            "items": {"type": "string"},
+        },
+        # Redis.
+        "BUILDLOGS_REDIS": {
+            "type": "object",
+            "description": "Connection information for Redis for build logs caching",
+            "required": ["host"],
+            "properties": {
+                "host": {
+                    "type": "string",
+                    "description": "The hostname at which Redis is accessible",
+                    "x-example": "my.redis.cluster",
+                },
+                "port": {
+                    "type": "number",
+                    "description": "The port at which Redis is accessible",
+                    "x-example": 1234,
+                },
+                "password": {
+                    "type": "string",
+                    "description": "The password to connect to the Redis instance",
+                    "x-example": "mypassword",
+                },
+            },
+        },
+        "USER_EVENTS_REDIS": {
+            "type": "object",
+            "description": "Connection information for Redis for user event handling",
+            "required": ["host"],
+            "properties": {
+                "host": {
+                    "type": "string",
+                    "description": "The hostname at which Redis is accessible",
+                    "x-example": "my.redis.cluster",
+                },
+                "port": {
+                    "type": "number",
+                    "description": "The port at which Redis is accessible",
+                    "x-example": 1234,
+                },
+                "password": {
+                    "type": "string",
+                    "description": "The password to connect to the Redis instance",
+                    "x-example": "mypassword",
+                },
+            },
+        },
+        # OAuth configuration.
+        "GITHUB_LOGIN_CONFIG": {
+            "type": ["object", "null"],
+            "description": "Configuration for using GitHub (Enterprise) as an external login provider",
+            "required": ["CLIENT_ID", "CLIENT_SECRET"],
+            "x-reference": "https://coreos.com/quay-enterprise/docs/latest/github-auth.html",
+            "properties": {
+                "GITHUB_ENDPOINT": {
+                    "type": "string",
+                    "description": "The endpoint of the GitHub (Enterprise) being hit",
+                    "x-example": "https://github.com/",
+                },
+                "API_ENDPOINT": {
+                    "type": "string",
+                    "description": "The endpoint of the GitHub (Enterprise) API to use. Must be overridden for github.com",
+                    "x-example": "https://api.github.com/",
+                },
+                "CLIENT_ID": {
+                    "type": "string",
+                    "description": "The registered client ID for this Quay instance; cannot be shared with GITHUB_TRIGGER_CONFIG",
+                    "x-example": "0e8dbe15c4c7630b6780",
+                    "x-reference": "https://coreos.com/quay-enterprise/docs/latest/github-app.html",
+                },
+                "CLIENT_SECRET": {
+                    "type": "string",
+                    "description": "The registered client secret for this Quay instance",
+                    "x-example": "e4a58ddd3d7408b7aec109e85564a0d153d3e846",
+                    "x-reference": "https://coreos.com/quay-enterprise/docs/latest/github-app.html",
+                },
+                "ORG_RESTRICT": {
+                    "type": "boolean",
+                    "description": "If true, only users within the organization whitelist can login using this provider",
+                    "x-example": True,
+                },
+                "ALLOWED_ORGANIZATIONS": {
+                    "type": "array",
+                    "description": "The names of the GitHub (Enterprise) organizations whitelisted to work with the ORG_RESTRICT option",
+                    "uniqueItems": True,
+                    "items": {"type": "string"},
+                },
+            },
+        },
+        "BITBUCKET_TRIGGER_CONFIG": {
+            "type": ["object", "null"],
+            "description": "Configuration for using BitBucket for build triggers",
+            "required": ["CONSUMER_KEY", "CONSUMER_SECRET"],
+            "x-reference": "https://coreos.com/quay-enterprise/docs/latest/bitbucket-build.html",
+            "properties": {
+                "CONSUMER_KEY": {
+                    "type": "string",
+                    "description": "The registered consumer key (client ID) for this Quay instance",
+                    "x-example": "0e8dbe15c4c7630b6780",
+                },
+                "CONSUMER_SECRET": {
+                    "type": "string",
+                    "description": "The registered consumer secret (client secret) for this Quay instance",
+                    "x-example": "e4a58ddd3d7408b7aec109e85564a0d153d3e846",
+                },
+            },
+        },
+        "GITHUB_TRIGGER_CONFIG": {
+            "type": ["object", "null"],
+            "description": "Configuration for using GitHub (Enterprise) for build triggers",
+            "required": ["GITHUB_ENDPOINT", "CLIENT_ID", "CLIENT_SECRET"],
+            "x-reference": "https://coreos.com/quay-enterprise/docs/latest/github-build.html",
+            "properties": {
+                "GITHUB_ENDPOINT": {
+                    "type": "string",
+                    "description": "The endpoint of the GitHub (Enterprise) being hit",
+                    "x-example": "https://github.com/",
+                },
+                "API_ENDPOINT": {
+                    "type": "string",
+                    "description": "The endpoint of the GitHub (Enterprise) API to use. Must be overridden for github.com",
+                    "x-example": "https://api.github.com/",
+                },
+                "CLIENT_ID": {
+                    "type": "string",
+                    "description": "The registered client ID for this Quay instance; cannot be shared with GITHUB_LOGIN_CONFIG",
+                    "x-example": "0e8dbe15c4c7630b6780",
+                    "x-reference": "https://coreos.com/quay-enterprise/docs/latest/github-app.html",
+                },
+                "CLIENT_SECRET": {
+                    "type": "string",
+                    "description": "The registered client secret for this Quay instance",
+                    "x-example": "e4a58ddd3d7408b7aec109e85564a0d153d3e846",
+                    "x-reference": "https://coreos.com/quay-enterprise/docs/latest/github-app.html",
+                },
+            },
+        },
+        "GOOGLE_LOGIN_CONFIG": {
+            "type": ["object", "null"],
+            "description": "Configuration for using Google for external authentication",
+            "required": ["CLIENT_ID", "CLIENT_SECRET"],
+            "properties": {
+                "CLIENT_ID": {
+                    "type": "string",
+                    "description": "The registered client ID for this Quay instance",
+                    "x-example": "0e8dbe15c4c7630b6780",
+                },
+                "CLIENT_SECRET": {
+                    "type": "string",
+                    "description": "The registered client secret for this Quay instance",
+                    "x-example": "e4a58ddd3d7408b7aec109e85564a0d153d3e846",
+                },
+            },
+        },
+        "GITLAB_TRIGGER_CONFIG": {
+            "type": ["object", "null"],
+            "description": "Configuration for using Gitlab (Enterprise) for external authentication",
+            "required": ["GITLAB_ENDPOINT", "CLIENT_ID", "CLIENT_SECRET"],
+            "properties": {
+                "GITLAB_ENDPOINT": {
+                    "type": "string",
+                    "description": "The endpoint at which Gitlab(Enterprise) is running",
+                    "x-example": "https://gitlab.com",
+                },
+                "CLIENT_ID": {
+                    "type": "string",
+                    "description": "The registered client ID for this Quay instance",
+                    "x-example": "0e8dbe15c4c7630b6780",
+                },
+                "CLIENT_SECRET": {
+                    "type": "string",
+                    "description": "The registered client secret for this Quay instance",
+                    "x-example": "e4a58ddd3d7408b7aec109e85564a0d153d3e846",
+                },
+            },
+        },
+        "BRANDING": {
+            "type": ["object", "null"],
+            "description": "Custom branding for logos and URLs in the Quay UI",
+            "required": ["logo"],
+            "properties": {
+                "logo": {
+                    "type": "string",
+                    "description": "Main logo image URL",
+                    "x-example": "/static/img/quay-horizontal-color.svg",
+                },
+                "footer_img": {
+                    "type": "string",
+                    "description": "Logo for UI footer",
+                    "x-example": "/static/img/RedHat.svg",
+                },
+                "footer_url": {
+                    "type": "string",
+                    "description": "Link for footer image",
+                    "x-example": "https://redhat.com",
+                },
+            },
+        },
+        # Health.
+        "HEALTH_CHECKER": {
+            "description": "The configured health check.",
+            "x-example": (
+                "RDSAwareHealthCheck",
+                {"access_key": "foo", "secret_key": "bar"},
+            ),
+        },
+        # Metrics.
+        "PROMETHEUS_NAMESPACE": {
+            "type": "string",
+            "description": "The prefix applied to all exposed Prometheus metrics. Defaults to `quay`",
+            "x-example": "myregistry",
+        },
+        # Misc configuration.
+        "BLACKLIST_V2_SPEC": {
+            "type": "string",
+            "description": "The Docker CLI versions to which Quay will respond that V2 is *unsupported*. Defaults to `<1.6.0`",
+            "x-reference": "http://pythonhosted.org/semantic_version/reference.html#semantic_version.Spec",
+            "x-example": "<1.8.0",
+        },
+        "USER_RECOVERY_TOKEN_LIFETIME": {
+            "type": "string",
+            "description": "The length of time a token for recovering a user accounts is valid. Defaults to 30m.",
+            "x-example": "10m",
+            "pattern": "^[0-9]+(w|m|d|h|s)$",
+        },
+        "SESSION_COOKIE_SECURE": {
+            "type": "boolean",
+            "description": "Whether the `secure` property should be set on session cookies. "
+            + "Defaults to False. Recommended to be True for all installations using SSL.",
+            "x-example": True,
+            "x-reference": "https://en.wikipedia.org/wiki/Secure_cookies",
+        },
+        "PUBLIC_NAMESPACES": {
+            "type": "array",
+            "description": "If a namespace is defined in the public namespace list, then it will appear on *all*"
+            + " user's repository list pages, regardless of whether that user is a member of the namespace."
+            + ' Typically, this is used by an enterprise customer in configuring a set of "well-known"'
+            + " namespaces.",
+            "uniqueItems": True,
+            "items": {"type": "string"},
+        },
+        "AVATAR_KIND": {
+            "type": "string",
+            "description": "The types of avatars to display, either generated inline (local) or Gravatar (gravatar)",
+            "enum": ["local", "gravatar"],
+        },
+        "V2_PAGINATION_SIZE": {
+            "type": "number",
+            "description": "The number of results returned per page in V2 registry APIs",
+            "x-example": 100,
+        },
+        "ENABLE_HEALTH_DEBUG_SECRET": {
+            "type": ["string", "null"],
+            "description": "If specified, a secret that can be given to health endpoints to see full debug info when"
+            + "not authenticated as a superuser",
+            "x-example": "somesecrethere",
+        },
+        "BROWSER_API_CALLS_XHR_ONLY": {
+            "type": "boolean",
+            "description": "If enabled, only API calls marked as being made by an XHR will be allowed from browsers. Defaults to True.",
+            "x-example": False,
+        },
+        # Time machine and tag expiration settings.
+        "FEATURE_CHANGE_TAG_EXPIRATION": {
+            "type": "boolean",
+            "description": "Whether users and organizations are allowed to change the tag expiration for tags in their namespace. Defaults to True.",
+            "x-example": False,
+        },
+        "DEFAULT_TAG_EXPIRATION": {
+            "type": "string",
+            "description": "The default, configurable tag expiration time for time machine. Defaults to `2w`.",
+            "pattern": "^[0-9]+(w|m|d|h|s)$",
+        },
+        "TAG_EXPIRATION_OPTIONS": {
+            "type": "array",
+            "description": "The options that users can select for expiration of tags in their namespace (if enabled)",
+            "items": {"type": "string", "pattern": "^[0-9]+(w|m|d|h|s)$"},
+        },
+        # Team syncing.
+        "FEATURE_TEAM_SYNCING": {
+            "type": "boolean",
+            "description": "Whether to allow for team membership to be synced from a backing group in the authentication engine (LDAP or Keystone)",
+            "x-example": True,
+        },
+        "TEAM_RESYNC_STALE_TIME": {
+            "type": "string",
+            "description": "If team syncing is enabled for a team, how often to check its membership and resync if necessary (Default: 30m)",
+            "x-example": "2h",
+            "pattern": "^[0-9]+(w|m|d|h|s)$",
+        },
+        "FEATURE_NONSUPERUSER_TEAM_SYNCING_SETUP": {
+            "type": "boolean",
+            "description": "If enabled, non-superusers can setup syncing on teams to backing LDAP or Keystone. Defaults To False.",
+            "x-example": True,
+        },
+        # Security scanning.
+        "FEATURE_SECURITY_SCANNER": {
+            "type": "boolean",
+            "description": "Whether to turn of/off the security scanner. Defaults to False",
+            "x-example": False,
+            "x-reference": "https://coreos.com/quay-enterprise/docs/latest/security-scanning.html",
+        },
+        "FEATURE_SECURITY_NOTIFICATIONS": {
+            "type": "boolean",
+            "description": "If the security scanner is enabled, whether to turn of/off security notificaitons. Defaults to False",
+            "x-example": False,
+        },
+        "SECURITY_SCANNER_ENDPOINT": {
+            "type": "string",
+            "pattern": "^http(s)?://(.)+$",
+            "description": "The endpoint for the security scanner",
+            "x-example": "http://192.168.99.101:6060",
+        },
+        "SECURITY_SCANNER_INDEXING_INTERVAL": {
+            "type": "number",
+            "description": "The number of seconds between indexing intervals in the security scanner. Defaults to 30.",
+            "x-example": 30,
+        },
+        # Repository mirroring
+        "REPO_MIRROR_INTERVAL": {
+            "type": "number",
+            "description": "The number of seconds between checking for repository mirror candidates. Defaults to 30.",
+            "x-example": 30,
+        },
+        # Bittorrent support.
+        "FEATURE_BITTORRENT": {
+            "type": "boolean",
+            "description": "Whether to allow using Bittorrent-based pulls. Defaults to False",
+            "x-example": False,
+            "x-reference": "https://coreos.com/quay-enterprise/docs/latest/bittorrent.html",
+        },
+        "BITTORRENT_PIECE_SIZE": {
+            "type": "number",
+            "description": "The bittorent piece size to use. If not specified, defaults to 512 * 1024.",
+            "x-example": 512 * 1024,
+        },
+        "BITTORRENT_ANNOUNCE_URL": {
+            "type": "string",
+            "pattern": "^http(s)?://(.)+$",
+            "description": "The URL of the announce endpoint on the bittorrent tracker",
+            "x-example": "https://localhost:6881/announce",
+        },
+        # Build
+        "FEATURE_GITHUB_BUILD": {
+            "type": "boolean",
+            "description": "Whether to support GitHub build triggers. Defaults to False",
+            "x-example": False,
+        },
+        "FEATURE_BITBUCKET_BUILD": {
+            "type": "boolean",
+            "description": "Whether to support Bitbucket build triggers. Defaults to False",
+            "x-example": False,
+        },
+        "FEATURE_GITLAB_BUILD": {
+            "type": "boolean",
+            "description": "Whether to support GitLab build triggers. Defaults to False",
+            "x-example": False,
+        },
+        "FEATURE_BUILD_SUPPORT": {
+            "type": "boolean",
+            "description": "Whether to support Dockerfile build. Defaults to True",
+            "x-example": True,
+        },
+        "DEFAULT_NAMESPACE_MAXIMUM_BUILD_COUNT": {
+            "type": ["number", "null"],
+            "description": "If not None, the default maximum number of builds that can be queued in a namespace.",
+            "x-example": 20,
+        },
+        "SUCCESSIVE_TRIGGER_INTERNAL_ERROR_DISABLE_THRESHOLD": {
+            "type": ["number", "null"],
+            "description": "If not None, the number of successive internal errors that can occur before a build trigger is automatically disabled. Defaults to 5.",
+            "x-example": 10,
+        },
+        "SUCCESSIVE_TRIGGER_FAILURE_DISABLE_THRESHOLD": {
+            "type": ["number", "null"],
+            "description": "If not None, the number of successive failures that can occur before a build trigger is automatically disabled. Defaults to 100.",
+            "x-example": 50,
+        },
+        # Login
+        "FEATURE_GITHUB_LOGIN": {
+            "type": "boolean",
+            "description": "Whether GitHub login is supported. Defaults to False",
+            "x-example": False,
+        },
+        "FEATURE_GOOGLE_LOGIN": {
+            "type": "boolean",
+            "description": "Whether Google login is supported. Defaults to False",
+            "x-example": False,
+        },
+        # Recaptcha
+        "FEATURE_RECAPTCHA": {
+            "type": "boolean",
+            "description": "Whether Recaptcha is necessary for user login and recovery. Defaults to False",
+            "x-example": False,
+            "x-reference": "https://www.google.com/recaptcha/intro/",
+        },
+        "RECAPTCHA_SITE_KEY": {
+            "type": ["string", "null"],
+            "description": "If recaptcha is enabled, the site key for the Recaptcha service",
+        },
+        "RECAPTCHA_SECRET_KEY": {
+            "type": ["string", "null"],
+            "description": "If recaptcha is enabled, the secret key for the Recaptcha service",
+        },
+        # External application tokens.
+        "FEATURE_APP_SPECIFIC_TOKENS": {
+            "type": "boolean",
+            "description": "If enabled, users can create tokens for use by the Docker CLI. Defaults to True",
+            "x-example": False,
+        },
+        "APP_SPECIFIC_TOKEN_EXPIRATION": {
+            "type": ["string", "null"],
+            "description": "The expiration for external app tokens. Defaults to None.",
+            "pattern": "^[0-9]+(w|m|d|h|s)$",
+        },
+        "EXPIRED_APP_SPECIFIC_TOKEN_GC": {
+            "type": ["string", "null"],
+            "description": "Duration of time expired external app tokens will remain before being garbage collected. Defaults to 1d.",
+            "pattern": "^[0-9]+(w|m|d|h|s)$",
+        },
+        # Feature Flag: Garbage collection.
+        "FEATURE_GARBAGE_COLLECTION": {
+            "type": "boolean",
+            "description": "Whether garbage collection of repositories is enabled. Defaults to True",
+            "x-example": False,
+        },
+        # Feature Flag: Rate limits.
+        "FEATURE_RATE_LIMITS": {
+            "type": "boolean",
+            "description": "Whether to enable rate limits on API and registry endpoints. Defaults to False",
+            "x-example": True,
+        },
+        # Feature Flag: Aggregated log retrieval.
+        "FEATURE_AGGREGATED_LOG_COUNT_RETRIEVAL": {
+            "type": "boolean",
+            "description": "Whether to allow retrieval of aggregated log counts. Defaults to True",
+            "x-example": True,
+        },
+        # Feature Flag: Log export.
+        "FEATURE_LOG_EXPORT": {
+            "type": "boolean",
+            "description": "Whether to allow exporting of action logs. Defaults to True",
+            "x-example": True,
+        },
+        # Feature Flag: User last accessed.
+        "FEATURE_USER_LAST_ACCESSED": {
+            "type": "boolean",
+            "description": "Whether to record the last time a user was accessed. Defaults to True",
+            "x-example": True,
+        },
+        # Feature Flag: Permanent Sessions.
+        "FEATURE_PERMANENT_SESSIONS": {
+            "type": "boolean",
+            "description": "Whether sessions are permanent. Defaults to True",
+            "x-example": True,
+        },
+        # Feature Flag: Super User Support.
+        "FEATURE_SUPER_USERS": {
+            "type": "boolean",
+            "description": "Whether super users are supported. Defaults to True",
+            "x-example": True,
+        },
+        # Feature Flag: Anonymous Users.
+        "FEATURE_ANONYMOUS_ACCESS": {
+            "type": "boolean",
+            "description": " Whether to allow anonymous users to browse and pull public repositories. Defaults to True",
+            "x-example": True,
+        },
+        # Feature Flag: User Creation.
+        "FEATURE_USER_CREATION": {
+            "type": "boolean",
+            "description": "Whether users can be created (by non-super users). Defaults to True",
+            "x-example": True,
+        },
+        # Feature Flag: Invite Only User Creation.
+        "FEATURE_INVITE_ONLY_USER_CREATION": {
+            "type": "boolean",
+            "description": "Whether users being created must be invited by another user. Defaults to False",
+            "x-example": False,
+        },
+        # Feature Flag: Encrypted Basic Auth.
+        "FEATURE_REQUIRE_ENCRYPTED_BASIC_AUTH": {
+            "type": "boolean",
+            "description": "Whether non-encrypted passwords (as opposed to encrypted tokens) can be used for basic auth. Defaults to False",
+            "x-example": False,
+        },
+        # Feature Flag: Direct Login.
+        "FEATURE_DIRECT_LOGIN": {
+            "type": "boolean",
+            "description": "Whether users can directly login to the UI. Defaults to True",
+            "x-example": True,
+        },
+        # Feature Flag: Advertising V2.
+        "FEATURE_ADVERTISE_V2": {
+            "type": "boolean",
+            "description": "Whether the v2/ endpoint is visible. Defaults to True",
+            "x-example": True,
+        },
+        # Feature Flag: Log Rotation.
+        "FEATURE_ACTION_LOG_ROTATION": {
+            "type": "boolean",
+            "description": "Whether or not to rotate old action logs to storage. Defaults to False",
+            "x-example": False,
+        },
+        # Feature Flag: ACI Conversion.
+        "FEATURE_ACI_CONVERSION": {
+            "type": "boolean",
+            "description": "Whether to enable conversion to ACIs. Defaults to False",
+            "x-example": False,
+        },
+        # Feature Flag: Library Support.
+        "FEATURE_LIBRARY_SUPPORT": {
+            "type": "boolean",
+            "description": 'Whether to allow for "namespace-less" repositories when pulling and pushing from Docker. Defaults to True',
+            "x-example": True,
+        },
+        # Feature Flag: Require Team Invite.
+        "FEATURE_REQUIRE_TEAM_INVITE": {
+            "type": "boolean",
+            "description": "Whether to require invitations when adding a user to a team. Defaults to True",
+            "x-example": True,
+        },
+        # Feature Flag: Collecting and Supporting Metadata.
+        "FEATURE_USER_METADATA": {
+            "type": "boolean",
+            "description": "Whether to collect and support user metadata. Defaults to False",
+            "x-example": False,
+        },
+        # Feature Flag: Support App Registry.
+        "FEATURE_APP_REGISTRY": {
+            "type": "boolean",
+            "description": "Whether to enable support for App repositories. Defaults to False",
+            "x-example": False,
+        },
+        # Feature Flag: Read only app registry.
+        "FEATURE_READONLY_APP_REGISTRY": {
+            "type": "boolean",
+            "description": "Whether to App repositories are read-only. Defaults to False",
+            "x-example": True,
+        },
+        # Feature Flag: Public Reposiotires in _catalog Endpoint.
+        "FEATURE_PUBLIC_CATALOG": {
+            "type": "boolean",
+            "description": "If set to true, the _catalog endpoint returns public repositories. Otherwise, only private repositories can be returned. Defaults to False",
+            "x-example": False,
+        },
+        # Feature Flag: Reader Build Logs.
+        "FEATURE_READER_BUILD_LOGS": {
+            "type": "boolean",
+            "description": "If set to true, build logs may be read by those with read access to the repo, rather than only write access or admin access. Defaults to False",
+            "x-example": False,
+        },
+        # Feature Flag: Usernames Autocomplete.
+        "FEATURE_PARTIAL_USER_AUTOCOMPLETE": {
+            "type": "boolean",
+            "description": "If set to true, autocompletion will apply to partial usernames. Defaults to True",
+            "x-example": True,
+        },
+        # Feature Flag: User log access.
+        "FEATURE_USER_LOG_ACCESS": {
+            "type": "boolean",
+            "description": "If set to true, users will have access to audit logs for their namespace. Defaults to False",
+            "x-example": True,
+        },
+        # Feature Flag: User renaming.
+        "FEATURE_USER_RENAME": {
+            "type": "boolean",
+            "description": "If set to true, users can rename their own namespace. Defaults to False",
+            "x-example": True,
+        },
+        # Feature Flag: Username confirmation.
+        "FEATURE_USERNAME_CONFIRMATION": {
+            "type": "boolean",
+            "description": "If set to true, users can confirm their generated usernames. Defaults to True",
+            "x-example": False,
+        },
+        # Feature Flag: V1 push restriction.
+        "FEATURE_RESTRICTED_V1_PUSH": {
+            "type": "boolean",
+            "description": "If set to true, only namespaces listed in V1_PUSH_WHITELIST support V1 push. Defaults to True",
+            "x-example": False,
+        },
+        # Feature Flag: Support Repository Mirroring.
+        "FEATURE_REPO_MIRROR": {
+            "type": "boolean",
+            "description": "Whether to enable support for repository mirroring. Defaults to False",
+            "x-example": False,
+        },
+        "REPO_MIRROR_TLS_VERIFY": {
+            "type": "boolean",
+            "description": "Require HTTPS and verify certificates of Quay registry during mirror. Defaults to True",
+            "x-example": True,
+        },
+        "REPO_MIRROR_SERVER_HOSTNAME": {
+            "type": "string",
+            "description": "Replaces the SERVER_HOSTNAME as the destination for mirroring. Defaults to unset",
+            "x-example": "openshift-quay-service",
+        },
+        # Feature Flag: V1 push restriction.
+        "V1_PUSH_WHITELIST": {
+            "type": "array",
+            "description": "The array of namespace names that support V1 push if FEATURE_RESTRICTED_V1_PUSH is set to true.",
+            "x-example": ["some", "namespaces"],
+        },
+        # Logs model
+        "LOGS_MODEL": {
+            "type": "string",
+            "description": "Logs model for action logs",
+            "enum": ["database", "transition_reads_both_writes_es", "elasticsearch"],
+            "x-example": "database",
+        },
+        "LOGS_MODEL_CONFIG": {
+            "type": "object",
+            "description": "Logs model config for action logs",
+            "x-reference": "https://www.elastic.co/guide/en/elasticsearch/guide/master/_index_settings.html",
+            "properties": {
+                "producer": {
+                    "type": "string",
+                    "description": "Logs producer if logging to Elasticsearch",
+                    "enum": ["kafka", "elasticsearch", "kinesis_stream"],
+                    "x-example": "kafka",
+                },
+                "elasticsearch_config": {
+                    "type": "object",
+                    "description": "Elasticsearch cluster configuration",
+                    "properties": {
+                        "host": {
+                            "type": "string",
+                            "description": "Elasticsearch cluster endpoint",
+                            "x-example": "host.elasticsearch.example",
+                        },
+                        "port": {
+                            "type": "number",
+                            "description": "Elasticsearch cluster endpoint port",
+                            "x-example": 1234,
+                        },
+                        "access_key": {
+                            "type": "string",
+                            "description": "Elasticsearch user (or IAM key for AWS ES)",
+                            "x-example": "some_string",
+                        },
+                        "secret_key": {
+                            "type": "string",
+                            "description": "Elasticsearch password (or IAM secret for AWS ES)",
+                            "x-example": "some_secret_string",
+                        },
+                        "aws_region": {
+                            "type": "string",
+                            "description": "Amazon web service region",
+                            "x-example": "us-east-1",
+                        },
+                        "use_ssl": {
+                            "type": "boolean",
+                            "description": "Use ssl for Elasticsearch. Defaults to True",
+                            "x-example": True,
+                        },
+                        "index_prefix": {
+                            "type": "string",
+                            "description": "Elasticsearch's index prefix",
+                            "x-example": "logentry_",
+                        },
+                        "index_settings": {
+                            "type": "object",
+                            "description": "Elasticsearch's index settings",
+                        },
+                    },
+                },
+                "kafka_config": {
+                    "type": "object",
+                    "description": "Kafka cluster configuration",
+                    "properties": {
+                        "bootstrap_servers": {
+                            "type": "array",
+                            "description": "List of Kafka brokers to bootstrap the client from",
+                            "uniqueItems": True,
+                            "items": {"type": "string"},
+                        },
+                        "topic": {
+                            "type": "string",
+                            "description": "Kafka topic to publish log entries to",
+                            "x-example": "logentry",
+                        },
+                        "max_block_seconds": {
+                            "type": "number",
+                            "description": "Max number of seconds to block during a `send()`, either because the buffer is full or metadata unavailable",
+                            "x-example": 10,
+                        },
+                    },
+                },
+                "kinesis_stream_config": {
+                    "type": "object",
+                    "description": "AWS Kinesis Stream configuration",
+                    "properties": {
+                        "stream_name": {
+                            "type": "string",
+                            "description": "Kinesis stream to send action logs to",
+                            "x-example": "logentry-kinesis-stream",
+                        },
+                        "aws_region": {
+                            "type": "string",
+                            "description": "AWS region",
+                            "x-example": "us-east-1",
+                        },
+                        "aws_access_key": {
+                            "type": "string",
+                            "description": "AWS access key",
+                            "x-example": "some_access_key",
+                        },
+                        "aws_secret_key": {
+                            "type": "string",
+                            "description": "AWS secret key",
+                            "x-example": "some_secret_key",
+                        },
+                        "connect_timeout": {
+                            "type": "number",
+                            "description": "Number of seconds before timeout when attempting to make a connection",
+                            "x-example": 5,
+                        },
+                        "read_timeout": {
+                            "type": "number",
+                            "description": "Number of seconds before timeout when reading from a connection",
+                            "x-example": 5,
+                        },
+                        "retries": {
+                            "type": "number",
+                            "description": "Max number of attempts made on a single request",
+                            "x-example": 5,
+                        },
+                        "max_pool_connections": {
+                            "type": "number",
+                            "description": "The maximum number of connections to keep in a connection pool",
+                            "x-example": 10,
+                        },
+                    },
+                },
+            },
+        },
+        # Feature Flag: Blacklist Email Domains
+        "FEATURE_BLACKLISTED_EMAILS": {
+            "type": "boolean",
+            "description": "If set to true, no new User accounts may be created if their email domain is blacklisted.",
+            "x-example": False,
+        },
+        # Blacklisted Email Domains
+        "BLACKLISTED_EMAIL_DOMAINS": {
+            "type": "array",
+            "description": "The array of email-address domains that is used if FEATURE_BLACKLISTED_EMAILS is set to true.",
+            "x-example": ["example.com", "example.org"],
         },
-      },
     },
-
-    # Feature Flag: Blacklist Email Domains
-    'FEATURE_BLACKLISTED_EMAILS': {
-      'type': 'boolean',
-      'description': 'If set to true, no new User accounts may be created if their email domain is blacklisted.',
-      'x-example': False,
-    },
-
-    # Blacklisted Email Domains
-    'BLACKLISTED_EMAIL_DOMAINS': {
-      'type': 'array',
-      'description': 'The array of email-address domains that is used if FEATURE_BLACKLISTED_EMAILS is set to true.',
-      'x-example': ['example.com', 'example.org'],
-    },
-  }
 }
diff --git a/util/config/superusermanager.py b/util/config/superusermanager.py
index 2f587166e..22f377df4 100644
--- a/util/config/superusermanager.py
+++ b/util/config/superusermanager.py
@@ -1,38 +1,41 @@
 from multiprocessing.sharedctypes import Array
 from util.validation import MAX_USERNAME_LENGTH
 
+
 class SuperUserManager(object):
-  """ In-memory helper class for quickly accessing (and updating) the valid
+    """ In-memory helper class for quickly accessing (and updating) the valid
       set of super users. This class communicates across processes to ensure
       that the shared set is always the same.
   """
 
-  def __init__(self, app):
-    usernames = app.config.get('SUPER_USERS', [])
-    usernames_str = ','.join(usernames)
+    def __init__(self, app):
+        usernames = app.config.get("SUPER_USERS", [])
+        usernames_str = ",".join(usernames)
 
-    self._max_length = len(usernames_str) + MAX_USERNAME_LENGTH + 1
-    self._array = Array('c', self._max_length, lock=True)
-    self._array.value = usernames_str
+        self._max_length = len(usernames_str) + MAX_USERNAME_LENGTH + 1
+        self._array = Array("c", self._max_length, lock=True)
+        self._array.value = usernames_str
 
-  def is_superuser(self, username):
-    """ Returns if the given username represents a super user. """
-    usernames = self._array.value.split(',')
-    return username in usernames
+    def is_superuser(self, username):
+        """ Returns if the given username represents a super user. """
+        usernames = self._array.value.split(",")
+        return username in usernames
 
-  def register_superuser(self, username):
-    """ Registers a new username as a super user for the duration of the container.
+    def register_superuser(self, username):
+        """ Registers a new username as a super user for the duration of the container.
         Note that this does *not* change any underlying config files.
     """
-    usernames = self._array.value.split(',')
-    usernames.append(username)
-    new_string = ','.join(usernames)
+        usernames = self._array.value.split(",")
+        usernames.append(username)
+        new_string = ",".join(usernames)
 
-    if len(new_string) <= self._max_length:
-      self._array.value = new_string
-    else:
-      raise Exception('Maximum superuser count reached. Please report this to support.')
+        if len(new_string) <= self._max_length:
+            self._array.value = new_string
+        else:
+            raise Exception(
+                "Maximum superuser count reached. Please report this to support."
+            )
 
-  def has_superusers(self):
-    """ Returns whether there are any superusers defined. """
-    return bool(self._array.value)
+    def has_superusers(self):
+        """ Returns whether there are any superusers defined. """
+        return bool(self._array.value)
diff --git a/util/config/test/test_schema.py b/util/config/test/test_schema.py
index dba0f4354..276054445 100644
--- a/util/config/test/test_schema.py
+++ b/util/config/test/test_schema.py
@@ -1,7 +1,8 @@
 from config import DefaultConfig
 from util.config.schema import CONFIG_SCHEMA, INTERNAL_ONLY_PROPERTIES
 
+
 def test_ensure_schema_defines_all_fields():
-  for key in vars(DefaultConfig):
-    has_key = key in CONFIG_SCHEMA['properties'] or key in INTERNAL_ONLY_PROPERTIES
-    assert has_key, "Property `%s` is missing from config schema" % key
+    for key in vars(DefaultConfig):
+        has_key = key in CONFIG_SCHEMA["properties"] or key in INTERNAL_ONLY_PROPERTIES
+        assert has_key, "Property `%s` is missing from config schema" % key
diff --git a/util/config/test/test_validator.py b/util/config/test/test_validator.py
index de98dd6a4..7fadb070f 100644
--- a/util/config/test/test_validator.py
+++ b/util/config/test/test_validator.py
@@ -3,30 +3,30 @@ import pytest
 from util.config.validator import is_valid_config_upload_filename
 from util.config.validator import CONFIG_FILENAMES, CONFIG_FILE_SUFFIXES
 
+
 def test_valid_config_upload_filenames():
-  for filename in CONFIG_FILENAMES:
-    assert is_valid_config_upload_filename(filename)
+    for filename in CONFIG_FILENAMES:
+        assert is_valid_config_upload_filename(filename)
 
-  for suffix in CONFIG_FILE_SUFFIXES:
-    assert is_valid_config_upload_filename('foo' + suffix)
-    assert not is_valid_config_upload_filename(suffix + 'foo')
+    for suffix in CONFIG_FILE_SUFFIXES:
+        assert is_valid_config_upload_filename("foo" + suffix)
+        assert not is_valid_config_upload_filename(suffix + "foo")
 
 
-@pytest.mark.parametrize('filename, expect_valid', [
-  ('', False),
-  ('foo', False),
-  ('config.yaml', False),
-
-  ('ssl.cert', True),
-  ('ssl.key', True),
-
-  ('ssl.crt', False),
-
-  ('foobar-cloudfront-signing-key.pem', True),
-  ('foobaz-cloudfront-signing-key.pem', True),
-  ('barbaz-cloudfront-signing-key.pem', True),
-
-  ('barbaz-cloudfront-signing-key.pem.bak', False),
-])
+@pytest.mark.parametrize(
+    "filename, expect_valid",
+    [
+        ("", False),
+        ("foo", False),
+        ("config.yaml", False),
+        ("ssl.cert", True),
+        ("ssl.key", True),
+        ("ssl.crt", False),
+        ("foobar-cloudfront-signing-key.pem", True),
+        ("foobaz-cloudfront-signing-key.pem", True),
+        ("barbaz-cloudfront-signing-key.pem", True),
+        ("barbaz-cloudfront-signing-key.pem.bak", False),
+    ],
+)
 def test_is_valid_config_upload_filename(filename, expect_valid):
-  assert is_valid_config_upload_filename(filename) == expect_valid
+    assert is_valid_config_upload_filename(filename) == expect_valid
diff --git a/util/config/validator.py b/util/config/validator.py
index 427325d0e..2884015bf 100644
--- a/util/config/validator.py
+++ b/util/config/validator.py
@@ -18,111 +18,140 @@ from util.config.validators.validate_ssl import SSLValidator, SSL_FILENAMES
 from util.config.validators.validate_google_login import GoogleLoginValidator
 from util.config.validators.validate_bitbucket_trigger import BitbucketTriggerValidator
 from util.config.validators.validate_gitlab_trigger import GitLabTriggerValidator
-from util.config.validators.validate_github import GitHubLoginValidator, GitHubTriggerValidator
+from util.config.validators.validate_github import (
+    GitHubLoginValidator,
+    GitHubTriggerValidator,
+)
 from util.config.validators.validate_oidc import OIDCLoginValidator
 from util.config.validators.validate_timemachine import TimeMachineValidator
 from util.config.validators.validate_access import AccessSettingsValidator
-from util.config.validators.validate_actionlog_archiving import ActionLogArchivingValidator
+from util.config.validators.validate_actionlog_archiving import (
+    ActionLogArchivingValidator,
+)
 from util.config.validators.validate_apptokenauth import AppTokenAuthValidator
 
 logger = logging.getLogger(__name__)
 
+
 class ConfigValidationException(Exception):
-  """ Exception raised when the configuration fails to validate for a known reason. """
-  pass
+    """ Exception raised when the configuration fails to validate for a known reason. """
+
+    pass
+
 
 # Note: Only add files required for HTTPS to the SSL_FILESNAMES list.
-DB_SSL_FILENAMES = ['database.pem']
-JWT_FILENAMES = ['jwt-authn.cert']
-ACI_CERT_FILENAMES = ['signing-public.gpg', 'signing-private.gpg']
+DB_SSL_FILENAMES = ["database.pem"]
+JWT_FILENAMES = ["jwt-authn.cert"]
+ACI_CERT_FILENAMES = ["signing-public.gpg", "signing-private.gpg"]
 LDAP_FILENAMES = [LDAP_CERT_FILENAME]
-CONFIG_FILENAMES = (SSL_FILENAMES + DB_SSL_FILENAMES + JWT_FILENAMES + ACI_CERT_FILENAMES +
-                    LDAP_FILENAMES)
-CONFIG_FILE_SUFFIXES = ['-cloudfront-signing-key.pem']
-EXTRA_CA_DIRECTORY = 'extra_ca_certs'
-EXTRA_CA_DIRECTORY_PREFIX = 'extra_ca_certs_'
+CONFIG_FILENAMES = (
+    SSL_FILENAMES
+    + DB_SSL_FILENAMES
+    + JWT_FILENAMES
+    + ACI_CERT_FILENAMES
+    + LDAP_FILENAMES
+)
+CONFIG_FILE_SUFFIXES = ["-cloudfront-signing-key.pem"]
+EXTRA_CA_DIRECTORY = "extra_ca_certs"
+EXTRA_CA_DIRECTORY_PREFIX = "extra_ca_certs_"
 
 VALIDATORS = {
-  DatabaseValidator.name: DatabaseValidator.validate,
-  RedisValidator.name: RedisValidator.validate,
-  StorageValidator.name: StorageValidator.validate,
-  GitHubLoginValidator.name: GitHubLoginValidator.validate,
-  GitHubTriggerValidator.name: GitHubTriggerValidator.validate,
-  GitLabTriggerValidator.name: GitLabTriggerValidator.validate,
-  BitbucketTriggerValidator.name: BitbucketTriggerValidator.validate,
-  GoogleLoginValidator.name: GoogleLoginValidator.validate,
-  SSLValidator.name: SSLValidator.validate,
-  LDAPValidator.name: LDAPValidator.validate,
-  JWTAuthValidator.name: JWTAuthValidator.validate,
-  KeystoneValidator.name: KeystoneValidator.validate,
-  SignerValidator.name: SignerValidator.validate,
-  SecurityScannerValidator.name: SecurityScannerValidator.validate,
-  BittorrentValidator.name: BittorrentValidator.validate,
-  OIDCLoginValidator.name: OIDCLoginValidator.validate,
-  TimeMachineValidator.name: TimeMachineValidator.validate,
-  AccessSettingsValidator.name: AccessSettingsValidator.validate,
-  ActionLogArchivingValidator.name: ActionLogArchivingValidator.validate,
-  AppTokenAuthValidator.name: AppTokenAuthValidator.validate,
+    DatabaseValidator.name: DatabaseValidator.validate,
+    RedisValidator.name: RedisValidator.validate,
+    StorageValidator.name: StorageValidator.validate,
+    GitHubLoginValidator.name: GitHubLoginValidator.validate,
+    GitHubTriggerValidator.name: GitHubTriggerValidator.validate,
+    GitLabTriggerValidator.name: GitLabTriggerValidator.validate,
+    BitbucketTriggerValidator.name: BitbucketTriggerValidator.validate,
+    GoogleLoginValidator.name: GoogleLoginValidator.validate,
+    SSLValidator.name: SSLValidator.validate,
+    LDAPValidator.name: LDAPValidator.validate,
+    JWTAuthValidator.name: JWTAuthValidator.validate,
+    KeystoneValidator.name: KeystoneValidator.validate,
+    SignerValidator.name: SignerValidator.validate,
+    SecurityScannerValidator.name: SecurityScannerValidator.validate,
+    BittorrentValidator.name: BittorrentValidator.validate,
+    OIDCLoginValidator.name: OIDCLoginValidator.validate,
+    TimeMachineValidator.name: TimeMachineValidator.validate,
+    AccessSettingsValidator.name: AccessSettingsValidator.validate,
+    ActionLogArchivingValidator.name: ActionLogArchivingValidator.validate,
+    AppTokenAuthValidator.name: AppTokenAuthValidator.validate,
 }
 
-def validate_service_for_config(service, validator_context):
-  """ Attempts to validate the configuration for the given service. """
-  if not service in VALIDATORS:
-    return {
-      'status': False
-    }
 
-  try:
-    VALIDATORS[service](validator_context)
-    return {
-      'status': True
-    }
-  except Exception as ex:
-    logger.exception('Validation exception')
-    return {
-      'status': False,
-      'reason': str(ex)
-    }
+def validate_service_for_config(service, validator_context):
+    """ Attempts to validate the configuration for the given service. """
+    if not service in VALIDATORS:
+        return {"status": False}
+
+    try:
+        VALIDATORS[service](validator_context)
+        return {"status": True}
+    except Exception as ex:
+        logger.exception("Validation exception")
+        return {"status": False, "reason": str(ex)}
 
 
 def is_valid_config_upload_filename(filename):
-  """ Returns true if and only if the given filename is one which is supported for upload
+    """ Returns true if and only if the given filename is one which is supported for upload
       from the configuration UI tool.
   """
-  if filename in CONFIG_FILENAMES:
-    return True
+    if filename in CONFIG_FILENAMES:
+        return True
 
-  return any([filename.endswith(suffix) for suffix in CONFIG_FILE_SUFFIXES])
+    return any([filename.endswith(suffix) for suffix in CONFIG_FILE_SUFFIXES])
 
 
 class ValidatorContext(object):
-  """ Context to run validators in, with any additional runtime configuration they need
+    """ Context to run validators in, with any additional runtime configuration they need
   """
-  def __init__(self, config, user_password=None, http_client=None, context=None,
-               url_scheme_and_hostname=None, jwt_auth_max=None, registry_title=None,
-               ip_resolver=None, feature_sec_scanner=False, is_testing=False,
-               uri_creator=None, config_provider=None, instance_keys=None,
-               init_scripts_location=None):
-    self.config = config
-    self.user = get_authenticated_user()
-    self.user_password = user_password
-    self.http_client = http_client
-    self.context = context
-    self.url_scheme_and_hostname = url_scheme_and_hostname
-    self.jwt_auth_max = jwt_auth_max
-    self.registry_title = registry_title
-    self.ip_resolver = ip_resolver
-    self.feature_sec_scanner = feature_sec_scanner
-    self.is_testing = is_testing
-    self.uri_creator = uri_creator
-    self.config_provider = config_provider
-    self.instance_keys = instance_keys
-    self.init_scripts_location = init_scripts_location
 
-  @classmethod
-  def from_app(cls, app, config, user_password, ip_resolver, instance_keys, client=None,
-               config_provider=None, init_scripts_location=None):
-    """
+    def __init__(
+        self,
+        config,
+        user_password=None,
+        http_client=None,
+        context=None,
+        url_scheme_and_hostname=None,
+        jwt_auth_max=None,
+        registry_title=None,
+        ip_resolver=None,
+        feature_sec_scanner=False,
+        is_testing=False,
+        uri_creator=None,
+        config_provider=None,
+        instance_keys=None,
+        init_scripts_location=None,
+    ):
+        self.config = config
+        self.user = get_authenticated_user()
+        self.user_password = user_password
+        self.http_client = http_client
+        self.context = context
+        self.url_scheme_and_hostname = url_scheme_and_hostname
+        self.jwt_auth_max = jwt_auth_max
+        self.registry_title = registry_title
+        self.ip_resolver = ip_resolver
+        self.feature_sec_scanner = feature_sec_scanner
+        self.is_testing = is_testing
+        self.uri_creator = uri_creator
+        self.config_provider = config_provider
+        self.instance_keys = instance_keys
+        self.init_scripts_location = init_scripts_location
+
+    @classmethod
+    def from_app(
+        cls,
+        app,
+        config,
+        user_password,
+        ip_resolver,
+        instance_keys,
+        client=None,
+        config_provider=None,
+        init_scripts_location=None,
+    ):
+        """
     Creates a ValidatorContext from an app config, with a given config to validate
     :param app: the Flask app to pull configuration information from
     :param config: the config to validate
@@ -134,19 +163,23 @@ class ValidatorContext(object):
     :param init_scripts_location: location where initial load scripts are stored
     :return: ValidatorContext
     """
-    url_scheme_and_hostname = URLSchemeAndHostname.from_app_config(app.config)
+        url_scheme_and_hostname = URLSchemeAndHostname.from_app_config(app.config)
 
-    return cls(config,
-               user_password=user_password,
-               http_client=client or app.config['HTTPCLIENT'],
-               context=app.app_context,
-               url_scheme_and_hostname=url_scheme_and_hostname,
-               jwt_auth_max=app.config.get('JWT_AUTH_MAX_FRESH_S', 300),
-               registry_title=app.config['REGISTRY_TITLE'],
-               ip_resolver=ip_resolver,
-               feature_sec_scanner=app.config.get('FEATURE_SECURITY_SCANNER', False),
-               is_testing=app.config.get('TESTING', False),
-               uri_creator=get_blob_download_uri_getter(app.test_request_context('/'), url_scheme_and_hostname),
-               config_provider=config_provider,
-               instance_keys=instance_keys,
-               init_scripts_location=init_scripts_location)
+        return cls(
+            config,
+            user_password=user_password,
+            http_client=client or app.config["HTTPCLIENT"],
+            context=app.app_context,
+            url_scheme_and_hostname=url_scheme_and_hostname,
+            jwt_auth_max=app.config.get("JWT_AUTH_MAX_FRESH_S", 300),
+            registry_title=app.config["REGISTRY_TITLE"],
+            ip_resolver=ip_resolver,
+            feature_sec_scanner=app.config.get("FEATURE_SECURITY_SCANNER", False),
+            is_testing=app.config.get("TESTING", False),
+            uri_creator=get_blob_download_uri_getter(
+                app.test_request_context("/"), url_scheme_and_hostname
+            ),
+            config_provider=config_provider,
+            instance_keys=instance_keys,
+            init_scripts_location=init_scripts_location,
+        )
diff --git a/util/config/validators/__init__.py b/util/config/validators/__init__.py
index 31268c45f..aa69bbdc7 100644
--- a/util/config/validators/__init__.py
+++ b/util/config/validators/__init__.py
@@ -1,20 +1,22 @@
 from abc import ABCMeta, abstractmethod, abstractproperty
 from six import add_metaclass
 
+
 class ConfigValidationException(Exception):
-  """ Exception raised when the configuration fails to validate for a known reason. """
-  pass
+    """ Exception raised when the configuration fails to validate for a known reason. """
+
+    pass
 
 
 @add_metaclass(ABCMeta)
 class BaseValidator(object):
-  @abstractproperty
-  def name(self):
-    """ The key for the validation API. """
-    pass
+    @abstractproperty
+    def name(self):
+        """ The key for the validation API. """
+        pass
 
-  @classmethod
-  @abstractmethod
-  def validate(cls, validator_context):
-    """ Raises Exception if failure to validate. """
-    pass
+    @classmethod
+    @abstractmethod
+    def validate(cls, validator_context):
+        """ Raises Exception if failure to validate. """
+        pass
diff --git a/util/config/validators/test/test_validate_access.py b/util/config/validators/test/test_validate_access.py
index 75a9deb52..486e2c0f2 100644
--- a/util/config/validators/test/test_validate_access.py
+++ b/util/config/validators/test/test_validate_access.py
@@ -6,24 +6,44 @@ from util.config.validators.validate_access import AccessSettingsValidator
 
 from test.fixtures import *
 
-@pytest.mark.parametrize('unvalidated_config, expected_exception', [
-  ({}, None),
-  ({'FEATURE_DIRECT_LOGIN': False}, ConfigValidationException),
-  ({'FEATURE_DIRECT_LOGIN': False, 'SOMETHING_LOGIN_CONFIG': {}}, None),
-  ({'FEATURE_DIRECT_LOGIN': False, 'FEATURE_GITHUB_LOGIN': True}, None),
-  ({'FEATURE_DIRECT_LOGIN': False, 'FEATURE_GOOGLE_LOGIN': True}, None),
-  ({'FEATURE_USER_CREATION': True, 'FEATURE_INVITE_ONLY_USER_CREATION': False}, None),
-  ({'FEATURE_USER_CREATION': True, 'FEATURE_INVITE_ONLY_USER_CREATION': True}, None),
-  ({'FEATURE_INVITE_ONLY_USER_CREATION': True}, None),
-  ({'FEATURE_USER_CREATION': False, 'FEATURE_INVITE_ONLY_USER_CREATION': True},
-   ConfigValidationException),
-  ({'FEATURE_USER_CREATION': False, 'FEATURE_INVITE_ONLY_USER_CREATION': False}, None),
-])
-def test_validate_invalid_oidc_login_config(unvalidated_config, expected_exception, app):
-  validator = AccessSettingsValidator()
 
-  if expected_exception is not None:
-    with pytest.raises(expected_exception):
-      validator.validate(ValidatorContext(unvalidated_config))
-  else:
-    validator.validate(ValidatorContext(unvalidated_config))
+@pytest.mark.parametrize(
+    "unvalidated_config, expected_exception",
+    [
+        ({}, None),
+        ({"FEATURE_DIRECT_LOGIN": False}, ConfigValidationException),
+        ({"FEATURE_DIRECT_LOGIN": False, "SOMETHING_LOGIN_CONFIG": {}}, None),
+        ({"FEATURE_DIRECT_LOGIN": False, "FEATURE_GITHUB_LOGIN": True}, None),
+        ({"FEATURE_DIRECT_LOGIN": False, "FEATURE_GOOGLE_LOGIN": True}, None),
+        (
+            {"FEATURE_USER_CREATION": True, "FEATURE_INVITE_ONLY_USER_CREATION": False},
+            None,
+        ),
+        (
+            {"FEATURE_USER_CREATION": True, "FEATURE_INVITE_ONLY_USER_CREATION": True},
+            None,
+        ),
+        ({"FEATURE_INVITE_ONLY_USER_CREATION": True}, None),
+        (
+            {"FEATURE_USER_CREATION": False, "FEATURE_INVITE_ONLY_USER_CREATION": True},
+            ConfigValidationException,
+        ),
+        (
+            {
+                "FEATURE_USER_CREATION": False,
+                "FEATURE_INVITE_ONLY_USER_CREATION": False,
+            },
+            None,
+        ),
+    ],
+)
+def test_validate_invalid_oidc_login_config(
+    unvalidated_config, expected_exception, app
+):
+    validator = AccessSettingsValidator()
+
+    if expected_exception is not None:
+        with pytest.raises(expected_exception):
+            validator.validate(ValidatorContext(unvalidated_config))
+    else:
+        validator.validate(ValidatorContext(unvalidated_config))
diff --git a/util/config/validators/test/test_validate_actionlog_archiving.py b/util/config/validators/test/test_validate_actionlog_archiving.py
index 058639084..d53fcc237 100644
--- a/util/config/validators/test/test_validate_actionlog_archiving.py
+++ b/util/config/validators/test/test_validate_actionlog_archiving.py
@@ -2,51 +2,70 @@ import pytest
 
 from util.config.validator import ValidatorContext
 from util.config.validators import ConfigValidationException
-from util.config.validators.validate_actionlog_archiving import ActionLogArchivingValidator
+from util.config.validators.validate_actionlog_archiving import (
+    ActionLogArchivingValidator,
+)
 
 from test.fixtures import *
 
-@pytest.mark.parametrize('unvalidated_config', [
-  ({}),
-  ({'ACTION_LOG_ARCHIVE_PATH': 'foo'}),
-  ({'ACTION_LOG_ARCHIVE_LOCATION': ''}),
-])
+
+@pytest.mark.parametrize(
+    "unvalidated_config",
+    [({}), ({"ACTION_LOG_ARCHIVE_PATH": "foo"}), ({"ACTION_LOG_ARCHIVE_LOCATION": ""})],
+)
 def test_skip_validate_actionlog(unvalidated_config, app):
-  validator = ActionLogArchivingValidator()
-  validator.validate(ValidatorContext(unvalidated_config))
+    validator = ActionLogArchivingValidator()
+    validator.validate(ValidatorContext(unvalidated_config))
 
 
-@pytest.mark.parametrize('config, expected_error', [
-  ({'FEATURE_ACTION_LOG_ROTATION': True}, 'Missing action log archive path'),
-  ({'FEATURE_ACTION_LOG_ROTATION': True,
-    'ACTION_LOG_ARCHIVE_PATH': ''}, 'Missing action log archive path'),
-  ({'FEATURE_ACTION_LOG_ROTATION': True,
-    'ACTION_LOG_ARCHIVE_PATH': 'foo'}, 'Missing action log archive storage location'),
-  ({'FEATURE_ACTION_LOG_ROTATION': True,
-    'ACTION_LOG_ARCHIVE_PATH': 'foo',
-    'ACTION_LOG_ARCHIVE_LOCATION': ''}, 'Missing action log archive storage location'),
-  ({'FEATURE_ACTION_LOG_ROTATION': True,
-    'ACTION_LOG_ARCHIVE_PATH': 'foo',
-    'ACTION_LOG_ARCHIVE_LOCATION': 'invalid'},
-    'Action log archive storage location `invalid` not found in storage config'),
-])
+@pytest.mark.parametrize(
+    "config, expected_error",
+    [
+        ({"FEATURE_ACTION_LOG_ROTATION": True}, "Missing action log archive path"),
+        (
+            {"FEATURE_ACTION_LOG_ROTATION": True, "ACTION_LOG_ARCHIVE_PATH": ""},
+            "Missing action log archive path",
+        ),
+        (
+            {"FEATURE_ACTION_LOG_ROTATION": True, "ACTION_LOG_ARCHIVE_PATH": "foo"},
+            "Missing action log archive storage location",
+        ),
+        (
+            {
+                "FEATURE_ACTION_LOG_ROTATION": True,
+                "ACTION_LOG_ARCHIVE_PATH": "foo",
+                "ACTION_LOG_ARCHIVE_LOCATION": "",
+            },
+            "Missing action log archive storage location",
+        ),
+        (
+            {
+                "FEATURE_ACTION_LOG_ROTATION": True,
+                "ACTION_LOG_ARCHIVE_PATH": "foo",
+                "ACTION_LOG_ARCHIVE_LOCATION": "invalid",
+            },
+            "Action log archive storage location `invalid` not found in storage config",
+        ),
+    ],
+)
 def test_invalid_config(config, expected_error, app):
-  validator = ActionLogArchivingValidator()
+    validator = ActionLogArchivingValidator()
 
-  with pytest.raises(ConfigValidationException) as ipe:
-    validator.validate(ValidatorContext(config))
+    with pytest.raises(ConfigValidationException) as ipe:
+        validator.validate(ValidatorContext(config))
+
+    assert str(ipe.value) == expected_error
 
-  assert str(ipe.value) == expected_error
 
 def test_valid_config(app):
-  config = ValidatorContext({
-    'FEATURE_ACTION_LOG_ROTATION': True,
-    'ACTION_LOG_ARCHIVE_PATH': 'somepath',
-    'ACTION_LOG_ARCHIVE_LOCATION': 'somelocation',
-    'DISTRIBUTED_STORAGE_CONFIG': {
-      'somelocation': {},
-    },
-  })
+    config = ValidatorContext(
+        {
+            "FEATURE_ACTION_LOG_ROTATION": True,
+            "ACTION_LOG_ARCHIVE_PATH": "somepath",
+            "ACTION_LOG_ARCHIVE_LOCATION": "somelocation",
+            "DISTRIBUTED_STORAGE_CONFIG": {"somelocation": {}},
+        }
+    )
 
-  validator = ActionLogArchivingValidator()
-  validator.validate(config)
+    validator = ActionLogArchivingValidator()
+    validator.validate(config)
diff --git a/util/config/validators/test/test_validate_apptokenauth.py b/util/config/validators/test/test_validate_apptokenauth.py
index 87227f702..49f1f3679 100644
--- a/util/config/validators/test/test_validate_apptokenauth.py
+++ b/util/config/validators/test/test_validate_apptokenauth.py
@@ -6,25 +6,36 @@ from util.config.validators.validate_apptokenauth import AppTokenAuthValidator
 
 from test.fixtures import *
 
-@pytest.mark.parametrize('unvalidated_config', [
-  ({'AUTHENTICATION_TYPE': 'AppToken'}),
-  ({'AUTHENTICATION_TYPE': 'AppToken', 'FEATURE_APP_SPECIFIC_TOKENS': False}),
-  ({'AUTHENTICATION_TYPE': 'AppToken', 'FEATURE_APP_SPECIFIC_TOKENS': True, 
-    'FEATURE_DIRECT_LOGIN': True}),
-])
-def test_validate_invalid_auth_config(unvalidated_config, app):
-  validator = AppTokenAuthValidator()
 
-  with pytest.raises(ConfigValidationException):
-    validator.validate(ValidatorContext(unvalidated_config))
+@pytest.mark.parametrize(
+    "unvalidated_config",
+    [
+        ({"AUTHENTICATION_TYPE": "AppToken"}),
+        ({"AUTHENTICATION_TYPE": "AppToken", "FEATURE_APP_SPECIFIC_TOKENS": False}),
+        (
+            {
+                "AUTHENTICATION_TYPE": "AppToken",
+                "FEATURE_APP_SPECIFIC_TOKENS": True,
+                "FEATURE_DIRECT_LOGIN": True,
+            }
+        ),
+    ],
+)
+def test_validate_invalid_auth_config(unvalidated_config, app):
+    validator = AppTokenAuthValidator()
+
+    with pytest.raises(ConfigValidationException):
+        validator.validate(ValidatorContext(unvalidated_config))
 
 
 def test_validate_auth(app):
-  config = ValidatorContext({
-    'AUTHENTICATION_TYPE': 'AppToken',
-    'FEATURE_APP_SPECIFIC_TOKENS': True,
-    'FEATURE_DIRECT_LOGIN': False,
-  })
+    config = ValidatorContext(
+        {
+            "AUTHENTICATION_TYPE": "AppToken",
+            "FEATURE_APP_SPECIFIC_TOKENS": True,
+            "FEATURE_DIRECT_LOGIN": False,
+        }
+    )
 
-  validator = AppTokenAuthValidator()
-  validator.validate(config)
+    validator = AppTokenAuthValidator()
+    validator.validate(config)
diff --git a/util/config/validators/test/test_validate_bitbucket_trigger.py b/util/config/validators/test/test_validate_bitbucket_trigger.py
index 6159ecbc1..239f751ff 100644
--- a/util/config/validators/test/test_validate_bitbucket_trigger.py
+++ b/util/config/validators/test/test_validate_bitbucket_trigger.py
@@ -9,40 +9,45 @@ from util.config.validators.validate_bitbucket_trigger import BitbucketTriggerVa
 
 from test.fixtures import *
 
-@pytest.mark.parametrize('unvalidated_config', [
-  (ValidatorContext({})),
-  (ValidatorContext({'BITBUCKET_TRIGGER_CONFIG': {}})),
-  (ValidatorContext({'BITBUCKET_TRIGGER_CONFIG': {'CONSUMER_KEY': 'foo'}})),
-  (ValidatorContext({'BITBUCKET_TRIGGER_CONFIG': {'CONSUMER_SECRET': 'foo'}})),
-])
+
+@pytest.mark.parametrize(
+    "unvalidated_config",
+    [
+        (ValidatorContext({})),
+        (ValidatorContext({"BITBUCKET_TRIGGER_CONFIG": {}})),
+        (ValidatorContext({"BITBUCKET_TRIGGER_CONFIG": {"CONSUMER_KEY": "foo"}})),
+        (ValidatorContext({"BITBUCKET_TRIGGER_CONFIG": {"CONSUMER_SECRET": "foo"}})),
+    ],
+)
 def test_validate_invalid_bitbucket_trigger_config(unvalidated_config, app):
-  validator = BitbucketTriggerValidator()
-
-  with pytest.raises(ConfigValidationException):
-    validator.validate(unvalidated_config)
-
-def test_validate_bitbucket_trigger(app):
-  url_hit = [False]
-
-  @urlmatch(netloc=r'bitbucket.org')
-  def handler(url, request):
-    url_hit[0] = True
-    return {
-      'status_code': 200,
-      'content': 'oauth_token=foo&oauth_token_secret=bar',
-    }
-
-  with HTTMock(handler):
     validator = BitbucketTriggerValidator()
 
-    url_scheme_and_hostname = URLSchemeAndHostname('http', 'localhost:5000')
-    unvalidated_config = ValidatorContext({
-      'BITBUCKET_TRIGGER_CONFIG': {
-        'CONSUMER_KEY': 'foo',
-        'CONSUMER_SECRET': 'bar',
-      },
-    }, url_scheme_and_hostname=url_scheme_and_hostname)
+    with pytest.raises(ConfigValidationException):
+        validator.validate(unvalidated_config)
 
-    validator.validate(unvalidated_config)
 
-    assert url_hit[0]
+def test_validate_bitbucket_trigger(app):
+    url_hit = [False]
+
+    @urlmatch(netloc=r"bitbucket.org")
+    def handler(url, request):
+        url_hit[0] = True
+        return {"status_code": 200, "content": "oauth_token=foo&oauth_token_secret=bar"}
+
+    with HTTMock(handler):
+        validator = BitbucketTriggerValidator()
+
+        url_scheme_and_hostname = URLSchemeAndHostname("http", "localhost:5000")
+        unvalidated_config = ValidatorContext(
+            {
+                "BITBUCKET_TRIGGER_CONFIG": {
+                    "CONSUMER_KEY": "foo",
+                    "CONSUMER_SECRET": "bar",
+                }
+            },
+            url_scheme_and_hostname=url_scheme_and_hostname,
+        )
+
+        validator.validate(unvalidated_config)
+
+        assert url_hit[0]
diff --git a/util/config/validators/test/test_validate_database.py b/util/config/validators/test/test_validate_database.py
index 68b21acd6..697d15ce4 100644
--- a/util/config/validators/test/test_validate_database.py
+++ b/util/config/validators/test/test_validate_database.py
@@ -6,18 +6,22 @@ from util.config.validators.validate_database import DatabaseValidator
 
 from test.fixtures import *
 
-@pytest.mark.parametrize('unvalidated_config,user,user_password,expected', [
-  (ValidatorContext(None), None, None, TypeError),
-  (ValidatorContext({}), None, None, KeyError),
-  (ValidatorContext({'DB_URI': 'sqlite:///:memory:'}), None, None, None),
-  (ValidatorContext({'DB_URI': 'invalid:///:memory:'}), None, None, KeyError),
-  (ValidatorContext({'DB_NOTURI': 'sqlite:///:memory:'}), None, None, KeyError),
-])
-def test_validate_database(unvalidated_config, user, user_password, expected, app):
-  validator = DatabaseValidator()
 
-  if expected is not None:
-    with pytest.raises(expected):
-      validator.validate(unvalidated_config)
-  else:
-    validator.validate(unvalidated_config)
+@pytest.mark.parametrize(
+    "unvalidated_config,user,user_password,expected",
+    [
+        (ValidatorContext(None), None, None, TypeError),
+        (ValidatorContext({}), None, None, KeyError),
+        (ValidatorContext({"DB_URI": "sqlite:///:memory:"}), None, None, None),
+        (ValidatorContext({"DB_URI": "invalid:///:memory:"}), None, None, KeyError),
+        (ValidatorContext({"DB_NOTURI": "sqlite:///:memory:"}), None, None, KeyError),
+    ],
+)
+def test_validate_database(unvalidated_config, user, user_password, expected, app):
+    validator = DatabaseValidator()
+
+    if expected is not None:
+        with pytest.raises(expected):
+            validator.validate(unvalidated_config)
+    else:
+        validator.validate(unvalidated_config)
diff --git a/util/config/validators/test/test_validate_github.py b/util/config/validators/test/test_validate_github.py
index b0e919c22..7883ef0ea 100644
--- a/util/config/validators/test/test_validate_github.py
+++ b/util/config/validators/test/test_validate_github.py
@@ -5,65 +5,87 @@ from httmock import urlmatch, HTTMock
 from config import build_requests_session
 from util.config.validator import ValidatorContext
 from util.config.validators import ConfigValidationException
-from util.config.validators.validate_github import GitHubLoginValidator, GitHubTriggerValidator
+from util.config.validators.validate_github import (
+    GitHubLoginValidator,
+    GitHubTriggerValidator,
+)
 
 from test.fixtures import *
 
+
 @pytest.fixture(params=[GitHubLoginValidator, GitHubTriggerValidator])
 def github_validator(request):
-  return request.param
+    return request.param
 
 
-@pytest.mark.parametrize('github_config', [
-  ({}),
-  ({'GITHUB_ENDPOINT': 'foo'}),
-  ({'GITHUB_ENDPOINT': 'http://github.com'}),
-  ({'GITHUB_ENDPOINT': 'http://github.com', 'CLIENT_ID': 'foo'}),
-  ({'GITHUB_ENDPOINT': 'http://github.com', 'CLIENT_SECRET': 'foo'}),
-  ({
-    'GITHUB_ENDPOINT': 'http://github.com',
-    'CLIENT_ID': 'foo',
-    'CLIENT_SECRET': 'foo',
-    'ORG_RESTRICT': True
-  }),
-  ({
-    'GITHUB_ENDPOINT': 'http://github.com',
-    'CLIENT_ID': 'foo',
-    'CLIENT_SECRET': 'foo',
-    'ORG_RESTRICT': True,
-    'ALLOWED_ORGANIZATIONS': [],
-  }),
-])
+@pytest.mark.parametrize(
+    "github_config",
+    [
+        ({}),
+        ({"GITHUB_ENDPOINT": "foo"}),
+        ({"GITHUB_ENDPOINT": "http://github.com"}),
+        ({"GITHUB_ENDPOINT": "http://github.com", "CLIENT_ID": "foo"}),
+        ({"GITHUB_ENDPOINT": "http://github.com", "CLIENT_SECRET": "foo"}),
+        (
+            {
+                "GITHUB_ENDPOINT": "http://github.com",
+                "CLIENT_ID": "foo",
+                "CLIENT_SECRET": "foo",
+                "ORG_RESTRICT": True,
+            }
+        ),
+        (
+            {
+                "GITHUB_ENDPOINT": "http://github.com",
+                "CLIENT_ID": "foo",
+                "CLIENT_SECRET": "foo",
+                "ORG_RESTRICT": True,
+                "ALLOWED_ORGANIZATIONS": [],
+            }
+        ),
+    ],
+)
 def test_validate_invalid_github_config(github_config, github_validator, app):
-  with pytest.raises(ConfigValidationException):
-    unvalidated_config = {}
-    unvalidated_config[github_validator.config_key] = github_config
-    github_validator.validate(ValidatorContext(unvalidated_config))
+    with pytest.raises(ConfigValidationException):
+        unvalidated_config = {}
+        unvalidated_config[github_validator.config_key] = github_config
+        github_validator.validate(ValidatorContext(unvalidated_config))
+
 
 def test_validate_github(github_validator, app):
-  url_hit = [False, False]
+    url_hit = [False, False]
 
-  @urlmatch(netloc=r'somehost')
-  def handler(url, request):
-    url_hit[0] = True
-    return {'status_code': 200, 'content': '', 'headers': {'X-GitHub-Request-Id': 'foo'}}
+    @urlmatch(netloc=r"somehost")
+    def handler(url, request):
+        url_hit[0] = True
+        return {
+            "status_code": 200,
+            "content": "",
+            "headers": {"X-GitHub-Request-Id": "foo"},
+        }
 
-  @urlmatch(netloc=r'somehost', path=r'/api/v3/applications/foo/tokens/foo')
-  def app_handler(url, request):
-    url_hit[1] = True
-    return {'status_code': 404, 'content': '', 'headers': {'X-GitHub-Request-Id': 'foo'}}
+    @urlmatch(netloc=r"somehost", path=r"/api/v3/applications/foo/tokens/foo")
+    def app_handler(url, request):
+        url_hit[1] = True
+        return {
+            "status_code": 404,
+            "content": "",
+            "headers": {"X-GitHub-Request-Id": "foo"},
+        }
 
-  with HTTMock(app_handler, handler):
-    unvalidated_config = ValidatorContext({
-      github_validator.config_key: {
-        'GITHUB_ENDPOINT': 'http://somehost',
-        'CLIENT_ID': 'foo',
-        'CLIENT_SECRET': 'bar',
-      },
-    })
+    with HTTMock(app_handler, handler):
+        unvalidated_config = ValidatorContext(
+            {
+                github_validator.config_key: {
+                    "GITHUB_ENDPOINT": "http://somehost",
+                    "CLIENT_ID": "foo",
+                    "CLIENT_SECRET": "bar",
+                }
+            }
+        )
 
-    unvalidated_config.http_client = build_requests_session()
-    github_validator.validate(unvalidated_config)
+        unvalidated_config.http_client = build_requests_session()
+        github_validator.validate(unvalidated_config)
 
-  assert url_hit[0]
-  assert url_hit[1]
+    assert url_hit[0]
+    assert url_hit[1]
diff --git a/util/config/validators/test/test_validate_gitlab_trigger.py b/util/config/validators/test/test_validate_gitlab_trigger.py
index fedd156ed..b5e95d3a4 100644
--- a/util/config/validators/test/test_validate_gitlab_trigger.py
+++ b/util/config/validators/test/test_validate_gitlab_trigger.py
@@ -11,39 +11,62 @@ from util.config.validators.validate_gitlab_trigger import GitLabTriggerValidato
 
 from test.fixtures import *
 
-@pytest.mark.parametrize('unvalidated_config', [
-  ({}),
-  ({'GITLAB_TRIGGER_CONFIG': {'GITLAB_ENDPOINT': 'foo'}}),
-  ({'GITLAB_TRIGGER_CONFIG': {'GITLAB_ENDPOINT': 'http://someendpoint', 'CLIENT_ID': 'foo'}}),
-  ({'GITLAB_TRIGGER_CONFIG': {'GITLAB_ENDPOINT': 'http://someendpoint', 'CLIENT_SECRET': 'foo'}}),
-])
+
+@pytest.mark.parametrize(
+    "unvalidated_config",
+    [
+        ({}),
+        ({"GITLAB_TRIGGER_CONFIG": {"GITLAB_ENDPOINT": "foo"}}),
+        (
+            {
+                "GITLAB_TRIGGER_CONFIG": {
+                    "GITLAB_ENDPOINT": "http://someendpoint",
+                    "CLIENT_ID": "foo",
+                }
+            }
+        ),
+        (
+            {
+                "GITLAB_TRIGGER_CONFIG": {
+                    "GITLAB_ENDPOINT": "http://someendpoint",
+                    "CLIENT_SECRET": "foo",
+                }
+            }
+        ),
+    ],
+)
 def test_validate_invalid_gitlab_trigger_config(unvalidated_config, app):
-  validator = GitLabTriggerValidator()
-
-  with pytest.raises(ConfigValidationException):
-    validator.validate(ValidatorContext(unvalidated_config))
-
-def test_validate_gitlab_enterprise_trigger(app):
-  url_hit = [False]
-
-  @urlmatch(netloc=r'somegitlab', path='/oauth/token')
-  def handler(_, __):
-    url_hit[0] = True
-    return {'status_code': 400, 'content': json.dumps({'error': 'invalid code'})}
-
-  with HTTMock(handler):
     validator = GitLabTriggerValidator()
 
-    url_scheme_and_hostname = URLSchemeAndHostname('http', 'localhost:5000')
+    with pytest.raises(ConfigValidationException):
+        validator.validate(ValidatorContext(unvalidated_config))
 
-    unvalidated_config = ValidatorContext({
-      'GITLAB_TRIGGER_CONFIG': {
-        'GITLAB_ENDPOINT': 'http://somegitlab',
-        'CLIENT_ID': 'foo',
-        'CLIENT_SECRET': 'bar',
-      },
-    }, http_client=build_requests_session(), url_scheme_and_hostname=url_scheme_and_hostname)
 
-    validator.validate(unvalidated_config)
+def test_validate_gitlab_enterprise_trigger(app):
+    url_hit = [False]
 
-  assert url_hit[0]
+    @urlmatch(netloc=r"somegitlab", path="/oauth/token")
+    def handler(_, __):
+        url_hit[0] = True
+        return {"status_code": 400, "content": json.dumps({"error": "invalid code"})}
+
+    with HTTMock(handler):
+        validator = GitLabTriggerValidator()
+
+        url_scheme_and_hostname = URLSchemeAndHostname("http", "localhost:5000")
+
+        unvalidated_config = ValidatorContext(
+            {
+                "GITLAB_TRIGGER_CONFIG": {
+                    "GITLAB_ENDPOINT": "http://somegitlab",
+                    "CLIENT_ID": "foo",
+                    "CLIENT_SECRET": "bar",
+                }
+            },
+            http_client=build_requests_session(),
+            url_scheme_and_hostname=url_scheme_and_hostname,
+        )
+
+        validator.validate(unvalidated_config)
+
+    assert url_hit[0]
diff --git a/util/config/validators/test/test_validate_google_login.py b/util/config/validators/test/test_validate_google_login.py
index ff823a7a7..da04d64a3 100644
--- a/util/config/validators/test/test_validate_google_login.py
+++ b/util/config/validators/test/test_validate_google_login.py
@@ -9,37 +9,40 @@ from util.config.validators.validate_google_login import GoogleLoginValidator
 
 from test.fixtures import *
 
-@pytest.mark.parametrize('unvalidated_config', [
-  ({}),
-  ({'GOOGLE_LOGIN_CONFIG': {}}),
-  ({'GOOGLE_LOGIN_CONFIG': {'CLIENT_ID': 'foo'}}),
-  ({'GOOGLE_LOGIN_CONFIG': {'CLIENT_SECRET': 'foo'}}),
-])
-def test_validate_invalid_google_login_config(unvalidated_config, app):
-  validator = GoogleLoginValidator()
 
-  with pytest.raises(ConfigValidationException):
-    validator.validate(ValidatorContext(unvalidated_config))
+@pytest.mark.parametrize(
+    "unvalidated_config",
+    [
+        ({}),
+        ({"GOOGLE_LOGIN_CONFIG": {}}),
+        ({"GOOGLE_LOGIN_CONFIG": {"CLIENT_ID": "foo"}}),
+        ({"GOOGLE_LOGIN_CONFIG": {"CLIENT_SECRET": "foo"}}),
+    ],
+)
+def test_validate_invalid_google_login_config(unvalidated_config, app):
+    validator = GoogleLoginValidator()
+
+    with pytest.raises(ConfigValidationException):
+        validator.validate(ValidatorContext(unvalidated_config))
+
 
 def test_validate_google_login(app):
-  url_hit = [False]
-  @urlmatch(netloc=r'www.googleapis.com', path='/oauth2/v3/token')
-  def handler(_, __):
-    url_hit[0] = True
-    return {'status_code': 200, 'content': ''}
+    url_hit = [False]
 
-  validator = GoogleLoginValidator()
+    @urlmatch(netloc=r"www.googleapis.com", path="/oauth2/v3/token")
+    def handler(_, __):
+        url_hit[0] = True
+        return {"status_code": 200, "content": ""}
 
-  with HTTMock(handler):
-    unvalidated_config = ValidatorContext({
-      'GOOGLE_LOGIN_CONFIG': {
-        'CLIENT_ID': 'foo',
-        'CLIENT_SECRET': 'bar',
-      },
-    })
+    validator = GoogleLoginValidator()
 
-    unvalidated_config.http_client = build_requests_session()
+    with HTTMock(handler):
+        unvalidated_config = ValidatorContext(
+            {"GOOGLE_LOGIN_CONFIG": {"CLIENT_ID": "foo", "CLIENT_SECRET": "bar"}}
+        )
 
-    validator.validate(unvalidated_config)
+        unvalidated_config.http_client = build_requests_session()
 
-  assert url_hit[0]
+        validator.validate(unvalidated_config)
+
+    assert url_hit[0]
diff --git a/util/config/validators/test/test_validate_jwt.py b/util/config/validators/test/test_validate_jwt.py
index f3e314108..9b0d88fe3 100644
--- a/util/config/validators/test/test_validate_jwt.py
+++ b/util/config/validators/test/test_validate_jwt.py
@@ -12,54 +12,63 @@ from test.fixtures import *
 from app import config_provider
 
 
-@pytest.mark.parametrize('unvalidated_config', [
-  ({}),
-  ({'AUTHENTICATION_TYPE': 'Database'}),
-])
+@pytest.mark.parametrize(
+    "unvalidated_config", [({}), ({"AUTHENTICATION_TYPE": "Database"})]
+)
 def test_validate_noop(unvalidated_config, app):
-  config = ValidatorContext(unvalidated_config)
-  config.config_provider = config_provider
-  JWTAuthValidator.validate(config)
-
-
-@pytest.mark.parametrize('unvalidated_config', [
-  ({'AUTHENTICATION_TYPE': 'JWT'}),
-  ({'AUTHENTICATION_TYPE': 'JWT', 'JWT_AUTH_ISSUER': 'foo'}),
-  ({'AUTHENTICATION_TYPE': 'JWT', 'JWT_VERIFY_ENDPOINT': 'foo'}),
-])
-def test_invalid_config(unvalidated_config, app):
-  with pytest.raises(ConfigValidationException):
     config = ValidatorContext(unvalidated_config)
     config.config_provider = config_provider
     JWTAuthValidator.validate(config)
 
 
+@pytest.mark.parametrize(
+    "unvalidated_config",
+    [
+        ({"AUTHENTICATION_TYPE": "JWT"}),
+        ({"AUTHENTICATION_TYPE": "JWT", "JWT_AUTH_ISSUER": "foo"}),
+        ({"AUTHENTICATION_TYPE": "JWT", "JWT_VERIFY_ENDPOINT": "foo"}),
+    ],
+)
+def test_invalid_config(unvalidated_config, app):
+    with pytest.raises(ConfigValidationException):
+        config = ValidatorContext(unvalidated_config)
+        config.config_provider = config_provider
+        JWTAuthValidator.validate(config)
+
+
 # TODO: fix these when re-adding jwt auth mechanism to jwt validators
-@pytest.mark.skip(reason='No way of currently testing this')
-@pytest.mark.parametrize('username, password, expected_exception', [
-  ('invaliduser', 'invalidpass', ConfigValidationException),
-  ('cool.user', 'invalidpass', ConfigValidationException),
-  ('invaliduser', 'somepass', ConfigValidationException),
-  ('cool.user', 'password', None),
-])
+@pytest.mark.skip(reason="No way of currently testing this")
+@pytest.mark.parametrize(
+    "username, password, expected_exception",
+    [
+        ("invaliduser", "invalidpass", ConfigValidationException),
+        ("cool.user", "invalidpass", ConfigValidationException),
+        ("invaliduser", "somepass", ConfigValidationException),
+        ("cool.user", "password", None),
+    ],
+)
 def test_validated_jwt(username, password, expected_exception, app):
-  with fake_jwt() as jwt_auth:
-    config = {}
-    config['AUTHENTICATION_TYPE'] = 'JWT'
-    config['JWT_AUTH_ISSUER'] = jwt_auth.issuer
-    config['JWT_VERIFY_ENDPOINT'] = jwt_auth.verify_url
-    config['JWT_QUERY_ENDPOINT'] = jwt_auth.query_url
-    config['JWT_GETUSER_ENDPOINT'] = jwt_auth.getuser_url
+    with fake_jwt() as jwt_auth:
+        config = {}
+        config["AUTHENTICATION_TYPE"] = "JWT"
+        config["JWT_AUTH_ISSUER"] = jwt_auth.issuer
+        config["JWT_VERIFY_ENDPOINT"] = jwt_auth.verify_url
+        config["JWT_QUERY_ENDPOINT"] = jwt_auth.query_url
+        config["JWT_GETUSER_ENDPOINT"] = jwt_auth.getuser_url
 
-    unvalidated_config = ValidatorContext(config)
-    unvalidated_config.user = AttrDict(dict(username=username))
-    unvalidated_config.user_password = password
-    unvalidated_config.config_provider = config_provider
+        unvalidated_config = ValidatorContext(config)
+        unvalidated_config.user = AttrDict(dict(username=username))
+        unvalidated_config.user_password = password
+        unvalidated_config.config_provider = config_provider
 
-    unvalidated_config.http_client = build_requests_session()
+        unvalidated_config.http_client = build_requests_session()
 
-    if expected_exception is not None:
-      with pytest.raises(ConfigValidationException):
-        JWTAuthValidator.validate(unvalidated_config, public_key_path=jwt_auth.public_key_path)
-    else:
-        JWTAuthValidator.validate(unvalidated_config, public_key_path=jwt_auth.public_key_path)
+        if expected_exception is not None:
+            with pytest.raises(ConfigValidationException):
+                JWTAuthValidator.validate(
+                    unvalidated_config, public_key_path=jwt_auth.public_key_path
+                )
+        else:
+            JWTAuthValidator.validate(
+                unvalidated_config, public_key_path=jwt_auth.public_key_path
+            )
diff --git a/util/config/validators/test/test_validate_keystone.py b/util/config/validators/test/test_validate_keystone.py
index f3776a0b7..590775de0 100644
--- a/util/config/validators/test/test_validate_keystone.py
+++ b/util/config/validators/test/test_validate_keystone.py
@@ -8,47 +8,65 @@ from test.test_keystone_auth import fake_keystone
 
 from test.fixtures import *
 
-@pytest.mark.parametrize('unvalidated_config', [
-  ({}),
-  ({'AUTHENTICATION_TYPE': 'Database'}),
-])
-def test_validate_noop(unvalidated_config, app):
-  KeystoneValidator.validate(ValidatorContext(unvalidated_config))
 
-@pytest.mark.parametrize('unvalidated_config', [
-  ({'AUTHENTICATION_TYPE': 'Keystone'}),
-  ({'AUTHENTICATION_TYPE': 'Keystone', 'KEYSTONE_AUTH_URL': 'foo'}),
-  ({'AUTHENTICATION_TYPE': 'Keystone', 'KEYSTONE_AUTH_URL': 'foo',
-    'KEYSTONE_ADMIN_USERNAME': 'bar'}),
-  ({'AUTHENTICATION_TYPE': 'Keystone', 'KEYSTONE_AUTH_URL': 'foo',
-    'KEYSTONE_ADMIN_USERNAME': 'bar', 'KEYSTONE_ADMIN_PASSWORD': 'baz'}),
-])
-def test_invalid_config(unvalidated_config, app):
-  with pytest.raises(ConfigValidationException):
+@pytest.mark.parametrize(
+    "unvalidated_config", [({}), ({"AUTHENTICATION_TYPE": "Database"})]
+)
+def test_validate_noop(unvalidated_config, app):
     KeystoneValidator.validate(ValidatorContext(unvalidated_config))
 
 
-@pytest.mark.parametrize('admin_tenant_id, expected_exception', [
-  ('somegroupid', None),
-  ('groupwithnousers', ConfigValidationException),
-  ('somegroupid', None),
-  ('groupwithnousers', ConfigValidationException),
-])
+@pytest.mark.parametrize(
+    "unvalidated_config",
+    [
+        ({"AUTHENTICATION_TYPE": "Keystone"}),
+        ({"AUTHENTICATION_TYPE": "Keystone", "KEYSTONE_AUTH_URL": "foo"}),
+        (
+            {
+                "AUTHENTICATION_TYPE": "Keystone",
+                "KEYSTONE_AUTH_URL": "foo",
+                "KEYSTONE_ADMIN_USERNAME": "bar",
+            }
+        ),
+        (
+            {
+                "AUTHENTICATION_TYPE": "Keystone",
+                "KEYSTONE_AUTH_URL": "foo",
+                "KEYSTONE_ADMIN_USERNAME": "bar",
+                "KEYSTONE_ADMIN_PASSWORD": "baz",
+            }
+        ),
+    ],
+)
+def test_invalid_config(unvalidated_config, app):
+    with pytest.raises(ConfigValidationException):
+        KeystoneValidator.validate(ValidatorContext(unvalidated_config))
+
+
+@pytest.mark.parametrize(
+    "admin_tenant_id, expected_exception",
+    [
+        ("somegroupid", None),
+        ("groupwithnousers", ConfigValidationException),
+        ("somegroupid", None),
+        ("groupwithnousers", ConfigValidationException),
+    ],
+)
 def test_validated_keystone(admin_tenant_id, expected_exception, app):
-  with fake_keystone(2) as keystone_auth:
-    auth_url = keystone_auth.auth_url
+    with fake_keystone(2) as keystone_auth:
+        auth_url = keystone_auth.auth_url
 
-    config = {}
-    config['AUTHENTICATION_TYPE'] = 'Keystone'
-    config['KEYSTONE_AUTH_URL'] = auth_url
-    config['KEYSTONE_ADMIN_USERNAME'] = 'adminuser'
-    config['KEYSTONE_ADMIN_PASSWORD'] = 'adminpass'
-    config['KEYSTONE_ADMIN_TENANT'] = admin_tenant_id
+        config = {}
+        config["AUTHENTICATION_TYPE"] = "Keystone"
+        config["KEYSTONE_AUTH_URL"] = auth_url
+        config["KEYSTONE_ADMIN_USERNAME"] = "adminuser"
+        config["KEYSTONE_ADMIN_PASSWORD"] = "adminpass"
+        config["KEYSTONE_ADMIN_TENANT"] = admin_tenant_id
 
-    unvalidated_config = ValidatorContext(config)
+        unvalidated_config = ValidatorContext(config)
 
-    if expected_exception is not None:
-      with pytest.raises(ConfigValidationException):
-        KeystoneValidator.validate(unvalidated_config)
-    else:
-      KeystoneValidator.validate(unvalidated_config)
+        if expected_exception is not None:
+            with pytest.raises(ConfigValidationException):
+                KeystoneValidator.validate(unvalidated_config)
+        else:
+            KeystoneValidator.validate(unvalidated_config)
diff --git a/util/config/validators/test/test_validate_ldap.py b/util/config/validators/test/test_validate_ldap.py
index 4738e4c26..ded93573a 100644
--- a/util/config/validators/test/test_validate_ldap.py
+++ b/util/config/validators/test/test_validate_ldap.py
@@ -10,63 +10,76 @@ from test.test_ldap import mock_ldap
 from test.fixtures import *
 from app import config_provider
 
-@pytest.mark.parametrize('unvalidated_config', [
-  ({}),
-  ({'AUTHENTICATION_TYPE': 'Database'}),
-])
-def test_validate_noop(unvalidated_config, app):
-  config = ValidatorContext(unvalidated_config, config_provider=config_provider)
-  LDAPValidator.validate(config)
 
-@pytest.mark.parametrize('unvalidated_config', [
-  ({'AUTHENTICATION_TYPE': 'LDAP'}),
-  ({'AUTHENTICATION_TYPE': 'LDAP', 'LDAP_ADMIN_DN': 'foo'}),
-])
-def test_invalid_config(unvalidated_config, app):
-  with pytest.raises(ConfigValidationException):
+@pytest.mark.parametrize(
+    "unvalidated_config", [({}), ({"AUTHENTICATION_TYPE": "Database"})]
+)
+def test_validate_noop(unvalidated_config, app):
     config = ValidatorContext(unvalidated_config, config_provider=config_provider)
     LDAPValidator.validate(config)
 
 
-@pytest.mark.parametrize('uri', [
-  'foo',
-  'http://foo',
-  'ldap:foo',
-])
-def test_invalid_uri(uri, app):
-  config = {}
-  config['AUTHENTICATION_TYPE'] = 'LDAP'
-  config['LDAP_BASE_DN'] = ['dc=quay', 'dc=io']
-  config['LDAP_ADMIN_DN'] = 'uid=testy,ou=employees,dc=quay,dc=io'
-  config['LDAP_ADMIN_PASSWD'] = 'password'
-  config['LDAP_USER_RDN'] = ['ou=employees']
-  config['LDAP_URI'] = uri
-
-  with pytest.raises(ConfigValidationException):
-    config = ValidatorContext(config, config_provider=config_provider)
-    LDAPValidator.validate(config)
-
-
-@pytest.mark.parametrize('admin_dn, admin_passwd, user_rdn, expected_exception', [
-  ('uid=testy,ou=employees,dc=quay,dc=io', 'password', ['ou=employees'], None),
-  ('uid=invalidadmindn', 'password', ['ou=employees'], ConfigValidationException),
-  ('uid=testy,ou=employees,dc=quay,dc=io', 'invalid_password', ['ou=employees'], ConfigValidationException),
-  ('uid=testy,ou=employees,dc=quay,dc=io', 'password', ['ou=invalidgroup'], ConfigValidationException),
-])
-def test_validated_ldap(admin_dn, admin_passwd, user_rdn, expected_exception, app):
-  config = {}
-  config['AUTHENTICATION_TYPE'] = 'LDAP'
-  config['LDAP_BASE_DN'] = ['dc=quay', 'dc=io']
-  config['LDAP_ADMIN_DN'] = admin_dn
-  config['LDAP_ADMIN_PASSWD'] = admin_passwd
-  config['LDAP_USER_RDN'] = user_rdn
-
-  unvalidated_config = ValidatorContext(config, config_provider=config_provider)
-
-  if expected_exception is not None:
+@pytest.mark.parametrize(
+    "unvalidated_config",
+    [
+        ({"AUTHENTICATION_TYPE": "LDAP"}),
+        ({"AUTHENTICATION_TYPE": "LDAP", "LDAP_ADMIN_DN": "foo"}),
+    ],
+)
+def test_invalid_config(unvalidated_config, app):
     with pytest.raises(ConfigValidationException):
-      with mock_ldap():
-        LDAPValidator.validate(unvalidated_config)
-  else:
-    with mock_ldap():
-      LDAPValidator.validate(unvalidated_config)
+        config = ValidatorContext(unvalidated_config, config_provider=config_provider)
+        LDAPValidator.validate(config)
+
+
+@pytest.mark.parametrize("uri", ["foo", "http://foo", "ldap:foo"])
+def test_invalid_uri(uri, app):
+    config = {}
+    config["AUTHENTICATION_TYPE"] = "LDAP"
+    config["LDAP_BASE_DN"] = ["dc=quay", "dc=io"]
+    config["LDAP_ADMIN_DN"] = "uid=testy,ou=employees,dc=quay,dc=io"
+    config["LDAP_ADMIN_PASSWD"] = "password"
+    config["LDAP_USER_RDN"] = ["ou=employees"]
+    config["LDAP_URI"] = uri
+
+    with pytest.raises(ConfigValidationException):
+        config = ValidatorContext(config, config_provider=config_provider)
+        LDAPValidator.validate(config)
+
+
+@pytest.mark.parametrize(
+    "admin_dn, admin_passwd, user_rdn, expected_exception",
+    [
+        ("uid=testy,ou=employees,dc=quay,dc=io", "password", ["ou=employees"], None),
+        ("uid=invalidadmindn", "password", ["ou=employees"], ConfigValidationException),
+        (
+            "uid=testy,ou=employees,dc=quay,dc=io",
+            "invalid_password",
+            ["ou=employees"],
+            ConfigValidationException,
+        ),
+        (
+            "uid=testy,ou=employees,dc=quay,dc=io",
+            "password",
+            ["ou=invalidgroup"],
+            ConfigValidationException,
+        ),
+    ],
+)
+def test_validated_ldap(admin_dn, admin_passwd, user_rdn, expected_exception, app):
+    config = {}
+    config["AUTHENTICATION_TYPE"] = "LDAP"
+    config["LDAP_BASE_DN"] = ["dc=quay", "dc=io"]
+    config["LDAP_ADMIN_DN"] = admin_dn
+    config["LDAP_ADMIN_PASSWD"] = admin_passwd
+    config["LDAP_USER_RDN"] = user_rdn
+
+    unvalidated_config = ValidatorContext(config, config_provider=config_provider)
+
+    if expected_exception is not None:
+        with pytest.raises(ConfigValidationException):
+            with mock_ldap():
+                LDAPValidator.validate(unvalidated_config)
+    else:
+        with mock_ldap():
+            LDAPValidator.validate(unvalidated_config)
diff --git a/util/config/validators/test/test_validate_oidc.py b/util/config/validators/test/test_validate_oidc.py
index e884d4480..929ef2591 100644
--- a/util/config/validators/test/test_validate_oidc.py
+++ b/util/config/validators/test/test_validate_oidc.py
@@ -11,40 +11,46 @@ from util.config.validators.validate_oidc import OIDCLoginValidator
 
 from test.fixtures import *
 
-@pytest.mark.parametrize('unvalidated_config', [
-  ({'SOMETHING_LOGIN_CONFIG': {}}),
-  ({'SOMETHING_LOGIN_CONFIG': {'OIDC_SERVER': 'foo'}}),
-  ({'SOMETHING_LOGIN_CONFIG': {'OIDC_SERVER': 'foo', 'CLIENT_ID': 'foobar'}}),
-  ({'SOMETHING_LOGIN_CONFIG': {'OIDC_SERVER': 'foo', 'CLIENT_SECRET': 'foobar'}}),
-])
-def test_validate_invalid_oidc_login_config(unvalidated_config, app):
-  validator = OIDCLoginValidator()
 
-  with pytest.raises(ConfigValidationException):
-    validator.validate(ValidatorContext(unvalidated_config))
+@pytest.mark.parametrize(
+    "unvalidated_config",
+    [
+        ({"SOMETHING_LOGIN_CONFIG": {}}),
+        ({"SOMETHING_LOGIN_CONFIG": {"OIDC_SERVER": "foo"}}),
+        ({"SOMETHING_LOGIN_CONFIG": {"OIDC_SERVER": "foo", "CLIENT_ID": "foobar"}}),
+        ({"SOMETHING_LOGIN_CONFIG": {"OIDC_SERVER": "foo", "CLIENT_SECRET": "foobar"}}),
+    ],
+)
+def test_validate_invalid_oidc_login_config(unvalidated_config, app):
+    validator = OIDCLoginValidator()
+
+    with pytest.raises(ConfigValidationException):
+        validator.validate(ValidatorContext(unvalidated_config))
+
 
 def test_validate_oidc_login(app):
-  url_hit = [False]
-  @urlmatch(netloc=r'someserver', path=r'/\.well-known/openid-configuration')
-  def handler(_, __):
-    url_hit[0] = True
-    data = {
-      'token_endpoint': 'foobar',
-    }
-    return {'status_code': 200, 'content': json.dumps(data)}
+    url_hit = [False]
 
-  with HTTMock(handler):
-    validator = OIDCLoginValidator()
-    unvalidated_config = ValidatorContext({
-      'SOMETHING_LOGIN_CONFIG': {
-        'CLIENT_ID': 'foo',
-        'CLIENT_SECRET': 'bar',
-        'OIDC_SERVER': 'http://someserver',
-        'DEBUGGING': True, # Allows for HTTP.
-      },
-    })
-    unvalidated_config.http_client = build_requests_session()
+    @urlmatch(netloc=r"someserver", path=r"/\.well-known/openid-configuration")
+    def handler(_, __):
+        url_hit[0] = True
+        data = {"token_endpoint": "foobar"}
+        return {"status_code": 200, "content": json.dumps(data)}
 
-    validator.validate(unvalidated_config)
+    with HTTMock(handler):
+        validator = OIDCLoginValidator()
+        unvalidated_config = ValidatorContext(
+            {
+                "SOMETHING_LOGIN_CONFIG": {
+                    "CLIENT_ID": "foo",
+                    "CLIENT_SECRET": "bar",
+                    "OIDC_SERVER": "http://someserver",
+                    "DEBUGGING": True,  # Allows for HTTP.
+                }
+            }
+        )
+        unvalidated_config.http_client = build_requests_session()
 
-  assert url_hit[0]
+        validator.validate(unvalidated_config)
+
+    assert url_hit[0]
diff --git a/util/config/validators/test/test_validate_redis.py b/util/config/validators/test/test_validate_redis.py
index 39a1ce5ee..d4cb766f9 100644
--- a/util/config/validators/test/test_validate_redis.py
+++ b/util/config/validators/test/test_validate_redis.py
@@ -13,22 +13,35 @@ from test.fixtures import *
 from util.morecollections import AttrDict
 
 
-@pytest.mark.parametrize('unvalidated_config,user,user_password,use_mock,expected', [
-  ({}, None, None, False, ConfigValidationException),
-  ({'BUILDLOGS_REDIS': {}}, None, None, False, ConfigValidationException),
-  ({'BUILDLOGS_REDIS': {'host': 'somehost'}}, None, None, False, redis.ConnectionError),
-  ({'BUILDLOGS_REDIS': {'host': 'localhost'}}, None, None, True, None),
-])
-def test_validate_redis(unvalidated_config, user, user_password, use_mock, expected, app):
-  with patch('redis.StrictRedis' if use_mock else 'redis.None', mock_strict_redis_client):
-    validator = RedisValidator()
-    unvalidated_config = ValidatorContext(unvalidated_config)
+@pytest.mark.parametrize(
+    "unvalidated_config,user,user_password,use_mock,expected",
+    [
+        ({}, None, None, False, ConfigValidationException),
+        ({"BUILDLOGS_REDIS": {}}, None, None, False, ConfigValidationException),
+        (
+            {"BUILDLOGS_REDIS": {"host": "somehost"}},
+            None,
+            None,
+            False,
+            redis.ConnectionError,
+        ),
+        ({"BUILDLOGS_REDIS": {"host": "localhost"}}, None, None, True, None),
+    ],
+)
+def test_validate_redis(
+    unvalidated_config, user, user_password, use_mock, expected, app
+):
+    with patch(
+        "redis.StrictRedis" if use_mock else "redis.None", mock_strict_redis_client
+    ):
+        validator = RedisValidator()
+        unvalidated_config = ValidatorContext(unvalidated_config)
 
-    unvalidated_config.user = AttrDict(dict(username=user))
-    unvalidated_config.user_password = user_password
+        unvalidated_config.user = AttrDict(dict(username=user))
+        unvalidated_config.user_password = user_password
 
-    if expected is not None:
-      with pytest.raises(expected):
-        validator.validate(unvalidated_config)
-    else:
-      validator.validate(unvalidated_config)
+        if expected is not None:
+            with pytest.raises(expected):
+                validator.validate(unvalidated_config)
+        else:
+            validator.validate(unvalidated_config)
diff --git a/util/config/validators/test/test_validate_secscan.py b/util/config/validators/test/test_validate_secscan.py
index ee4dfdcac..15c3e0445 100644
--- a/util/config/validators/test/test_validate_secscan.py
+++ b/util/config/validators/test/test_validate_secscan.py
@@ -8,41 +8,58 @@ from util.secscan.fake import fake_security_scanner
 
 from test.fixtures import *
 
-@pytest.mark.parametrize('unvalidated_config', [
-  ({'DISTRIBUTED_STORAGE_PREFERENCE': []}),
-])
+
+@pytest.mark.parametrize(
+    "unvalidated_config", [({"DISTRIBUTED_STORAGE_PREFERENCE": []})]
+)
 def test_validate_noop(unvalidated_config, app):
 
-  unvalidated_config = ValidatorContext(unvalidated_config, feature_sec_scanner=False, is_testing=True,
-                                        http_client=build_requests_session(),
-                                        url_scheme_and_hostname=URLSchemeAndHostname('http', 'localhost:5000'))
+    unvalidated_config = ValidatorContext(
+        unvalidated_config,
+        feature_sec_scanner=False,
+        is_testing=True,
+        http_client=build_requests_session(),
+        url_scheme_and_hostname=URLSchemeAndHostname("http", "localhost:5000"),
+    )
 
-  SecurityScannerValidator.validate(unvalidated_config)
+    SecurityScannerValidator.validate(unvalidated_config)
 
 
-@pytest.mark.parametrize('unvalidated_config, expected_error', [
-  ({
-    'TESTING': True,
-    'DISTRIBUTED_STORAGE_PREFERENCE': [],
-    'FEATURE_SECURITY_SCANNER': True,
-    'SECURITY_SCANNER_ENDPOINT': 'http://invalidhost',
-  }, Exception),
-
-  ({
-    'TESTING': True,
-    'DISTRIBUTED_STORAGE_PREFERENCE': [],
-    'FEATURE_SECURITY_SCANNER': True,
-    'SECURITY_SCANNER_ENDPOINT': 'http://fakesecurityscanner',
-  }, None),
-])
+@pytest.mark.parametrize(
+    "unvalidated_config, expected_error",
+    [
+        (
+            {
+                "TESTING": True,
+                "DISTRIBUTED_STORAGE_PREFERENCE": [],
+                "FEATURE_SECURITY_SCANNER": True,
+                "SECURITY_SCANNER_ENDPOINT": "http://invalidhost",
+            },
+            Exception,
+        ),
+        (
+            {
+                "TESTING": True,
+                "DISTRIBUTED_STORAGE_PREFERENCE": [],
+                "FEATURE_SECURITY_SCANNER": True,
+                "SECURITY_SCANNER_ENDPOINT": "http://fakesecurityscanner",
+            },
+            None,
+        ),
+    ],
+)
 def test_validate(unvalidated_config, expected_error, app):
-  unvalidated_config = ValidatorContext(unvalidated_config, feature_sec_scanner=True, is_testing=True,
-                                        http_client=build_requests_session(),
-                                        url_scheme_and_hostname=URLSchemeAndHostname('http', 'localhost:5000'))
+    unvalidated_config = ValidatorContext(
+        unvalidated_config,
+        feature_sec_scanner=True,
+        is_testing=True,
+        http_client=build_requests_session(),
+        url_scheme_and_hostname=URLSchemeAndHostname("http", "localhost:5000"),
+    )
 
-  with fake_security_scanner(hostname='fakesecurityscanner'):
-    if expected_error is not None:
-      with pytest.raises(expected_error):
-        SecurityScannerValidator.validate(unvalidated_config)
-    else:
-      SecurityScannerValidator.validate(unvalidated_config)
+    with fake_security_scanner(hostname="fakesecurityscanner"):
+        if expected_error is not None:
+            with pytest.raises(expected_error):
+                SecurityScannerValidator.validate(unvalidated_config)
+        else:
+            SecurityScannerValidator.validate(unvalidated_config)
diff --git a/util/config/validators/test/test_validate_signer.py b/util/config/validators/test/test_validate_signer.py
index f45f91c11..d7ac8bccb 100644
--- a/util/config/validators/test/test_validate_signer.py
+++ b/util/config/validators/test/test_validate_signer.py
@@ -6,15 +6,19 @@ from util.config.validators.validate_signer import SignerValidator
 
 from test.fixtures import *
 
-@pytest.mark.parametrize('unvalidated_config,expected', [
-  ({}, None),
-  ({'SIGNING_ENGINE': 'foobar'}, ConfigValidationException),
-  ({'SIGNING_ENGINE': 'gpg2'}, Exception),
-])
+
+@pytest.mark.parametrize(
+    "unvalidated_config,expected",
+    [
+        ({}, None),
+        ({"SIGNING_ENGINE": "foobar"}, ConfigValidationException),
+        ({"SIGNING_ENGINE": "gpg2"}, Exception),
+    ],
+)
 def test_validate_signer(unvalidated_config, expected, app):
-  validator = SignerValidator()
-  if expected is not None:
-    with pytest.raises(expected):
-      validator.validate(ValidatorContext(unvalidated_config))
-  else:
-    validator.validate(ValidatorContext(unvalidated_config))
+    validator = SignerValidator()
+    if expected is not None:
+        with pytest.raises(expected):
+            validator.validate(ValidatorContext(unvalidated_config))
+    else:
+        validator.validate(ValidatorContext(unvalidated_config))
diff --git a/util/config/validators/test/test_validate_ssl.py b/util/config/validators/test/test_validate_ssl.py
index 52da218da..5fcbd1da1 100644
--- a/util/config/validators/test/test_validate_ssl.py
+++ b/util/config/validators/test/test_validate_ssl.py
@@ -11,65 +11,91 @@ from util.security.test.test_ssl_util import generate_test_cert
 from test.fixtures import *
 from app import config_provider
 
-@pytest.mark.parametrize('unvalidated_config', [
-  ({}),
-  ({'PREFERRED_URL_SCHEME': 'http'}),
-  ({'PREFERRED_URL_SCHEME': 'https', 'EXTERNAL_TLS_TERMINATION': True}),
-])
+
+@pytest.mark.parametrize(
+    "unvalidated_config",
+    [
+        ({}),
+        ({"PREFERRED_URL_SCHEME": "http"}),
+        ({"PREFERRED_URL_SCHEME": "https", "EXTERNAL_TLS_TERMINATION": True}),
+    ],
+)
 def test_skip_validate_ssl(unvalidated_config, app):
-  validator = SSLValidator()
-  validator.validate(ValidatorContext(unvalidated_config))
+    validator = SSLValidator()
+    validator.validate(ValidatorContext(unvalidated_config))
 
 
-@pytest.mark.parametrize('cert, server_hostname, expected_error, error_message', [
-  ('invalidcert', 'someserver', ConfigValidationException, 'Could not load SSL certificate: no start line'),
-  (generate_test_cert(hostname='someserver'), 'someserver', None, None),
-  (generate_test_cert(hostname='invalidserver'), 'someserver', ConfigValidationException,
-   'Supported names "invalidserver" in SSL cert do not match server hostname "someserver"'),
-  (generate_test_cert(hostname='someserver'), 'someserver:1234', None, None),
-  (generate_test_cert(hostname='invalidserver'), 'someserver:1234', ConfigValidationException,
-   'Supported names "invalidserver" in SSL cert do not match server hostname "someserver"'),
-  (generate_test_cert(hostname='someserver:1234'), 'someserver:1234', ConfigValidationException,
-   'Supported names "someserver:1234" in SSL cert do not match server hostname "someserver"'),
-  (generate_test_cert(hostname='someserver:more'), 'someserver:more', None, None),
-  (generate_test_cert(hostname='someserver:more'), 'someserver:more:1234', None, None),
-])
+@pytest.mark.parametrize(
+    "cert, server_hostname, expected_error, error_message",
+    [
+        (
+            "invalidcert",
+            "someserver",
+            ConfigValidationException,
+            "Could not load SSL certificate: no start line",
+        ),
+        (generate_test_cert(hostname="someserver"), "someserver", None, None),
+        (
+            generate_test_cert(hostname="invalidserver"),
+            "someserver",
+            ConfigValidationException,
+            'Supported names "invalidserver" in SSL cert do not match server hostname "someserver"',
+        ),
+        (generate_test_cert(hostname="someserver"), "someserver:1234", None, None),
+        (
+            generate_test_cert(hostname="invalidserver"),
+            "someserver:1234",
+            ConfigValidationException,
+            'Supported names "invalidserver" in SSL cert do not match server hostname "someserver"',
+        ),
+        (
+            generate_test_cert(hostname="someserver:1234"),
+            "someserver:1234",
+            ConfigValidationException,
+            'Supported names "someserver:1234" in SSL cert do not match server hostname "someserver"',
+        ),
+        (generate_test_cert(hostname="someserver:more"), "someserver:more", None, None),
+        (
+            generate_test_cert(hostname="someserver:more"),
+            "someserver:more:1234",
+            None,
+            None,
+        ),
+    ],
+)
 def test_validate_ssl(cert, server_hostname, expected_error, error_message, app):
-  with NamedTemporaryFile(delete=False) as cert_file:
-    cert_file.write(cert[0])
-    cert_file.seek(0)
+    with NamedTemporaryFile(delete=False) as cert_file:
+        cert_file.write(cert[0])
+        cert_file.seek(0)
 
-    with NamedTemporaryFile(delete=False) as key_file:
-      key_file.write(cert[1])
-      key_file.seek(0)
+        with NamedTemporaryFile(delete=False) as key_file:
+            key_file.write(cert[1])
+            key_file.seek(0)
 
-    def return_true(filename):
-      return True
+        def return_true(filename):
+            return True
 
-    def get_volume_file(filename):
-      if filename == SSL_FILENAMES[0]:
-        return open(cert_file.name)
+        def get_volume_file(filename):
+            if filename == SSL_FILENAMES[0]:
+                return open(cert_file.name)
 
-      if filename == SSL_FILENAMES[1]:
-        return open(key_file.name)
+            if filename == SSL_FILENAMES[1]:
+                return open(key_file.name)
 
-      return None
+            return None
 
-    config = {
-      'PREFERRED_URL_SCHEME': 'https',
-      'SERVER_HOSTNAME': server_hostname,
-    }
+        config = {"PREFERRED_URL_SCHEME": "https", "SERVER_HOSTNAME": server_hostname}
 
-    with patch('app.config_provider.volume_file_exists', return_true):
-      with patch('app.config_provider.get_volume_file', get_volume_file):
-        validator = SSLValidator()
-        config = ValidatorContext(config)
-        config.config_provider = config_provider
+        with patch("app.config_provider.volume_file_exists", return_true):
+            with patch("app.config_provider.get_volume_file", get_volume_file):
+                validator = SSLValidator()
+                config = ValidatorContext(config)
+                config.config_provider = config_provider
 
-        if expected_error is not None:
-          with pytest.raises(expected_error) as ipe:
-            validator.validate(config)
+                if expected_error is not None:
+                    with pytest.raises(expected_error) as ipe:
+                        validator.validate(config)
 
-          assert str(ipe.value) == error_message
-        else:
-          validator.validate(config)
+                    assert str(ipe.value) == error_message
+                else:
+                    validator.validate(config)
diff --git a/util/config/validators/test/test_validate_storage.py b/util/config/validators/test/test_validate_storage.py
index 9d3cf4cd7..1dd0e7d4f 100644
--- a/util/config/validators/test/test_validate_storage.py
+++ b/util/config/validators/test/test_validate_storage.py
@@ -8,33 +8,48 @@ from util.config.validators.validate_storage import StorageValidator
 
 from test.fixtures import *
 
-@pytest.mark.parametrize('unvalidated_config, expected', [
-  ({}, ConfigValidationException),
-  ({'DISTRIBUTED_STORAGE_CONFIG': {}}, ConfigValidationException),
-  ({'DISTRIBUTED_STORAGE_CONFIG': {'local': None}}, ConfigValidationException),
-  ({'DISTRIBUTED_STORAGE_CONFIG': {'local': ['FakeStorage', {}]}}, None),
-])
+
+@pytest.mark.parametrize(
+    "unvalidated_config, expected",
+    [
+        ({}, ConfigValidationException),
+        ({"DISTRIBUTED_STORAGE_CONFIG": {}}, ConfigValidationException),
+        ({"DISTRIBUTED_STORAGE_CONFIG": {"local": None}}, ConfigValidationException),
+        ({"DISTRIBUTED_STORAGE_CONFIG": {"local": ["FakeStorage", {}]}}, None),
+    ],
+)
 def test_validate_storage(unvalidated_config, expected, app):
-  validator = StorageValidator()
-  if expected is not None:
-    with pytest.raises(expected):
-      validator.validate(ValidatorContext(unvalidated_config))
-  else:
-    validator.validate(ValidatorContext(unvalidated_config))
+    validator = StorageValidator()
+    if expected is not None:
+        with pytest.raises(expected):
+            validator.validate(ValidatorContext(unvalidated_config))
+    else:
+        validator.validate(ValidatorContext(unvalidated_config))
+
 
 def test_validate_s3_storage(app):
-  validator = StorageValidator()
-  with mock_s3():
-    with pytest.raises(ConfigValidationException) as ipe:
-      validator.validate(ValidatorContext({
-        'DISTRIBUTED_STORAGE_CONFIG': {
-          'default': ('S3Storage', {
-            's3_access_key': 'invalid',
-            's3_secret_key': 'invalid',
-            's3_bucket': 'somebucket',
-            'storage_path': ''
-          }),
-        }
-      }))
+    validator = StorageValidator()
+    with mock_s3():
+        with pytest.raises(ConfigValidationException) as ipe:
+            validator.validate(
+                ValidatorContext(
+                    {
+                        "DISTRIBUTED_STORAGE_CONFIG": {
+                            "default": (
+                                "S3Storage",
+                                {
+                                    "s3_access_key": "invalid",
+                                    "s3_secret_key": "invalid",
+                                    "s3_bucket": "somebucket",
+                                    "storage_path": "",
+                                },
+                            )
+                        }
+                    }
+                )
+            )
 
-    assert str(ipe.value) == 'Invalid storage configuration: default: S3ResponseError: 404 Not Found'
\ No newline at end of file
+        assert (
+            str(ipe.value)
+            == "Invalid storage configuration: default: S3ResponseError: 404 Not Found"
+        )
diff --git a/util/config/validators/test/test_validate_timemachine.py b/util/config/validators/test/test_validate_timemachine.py
index 1c3b29ba5..177ab5177 100644
--- a/util/config/validators/test/test_validate_timemachine.py
+++ b/util/config/validators/test/test_validate_timemachine.py
@@ -4,29 +4,31 @@ from util.config.validator import ValidatorContext
 from util.config.validators import ConfigValidationException
 from util.config.validators.validate_timemachine import TimeMachineValidator
 
-@pytest.mark.parametrize('unvalidated_config', [
-  ({}),
-])
+
+@pytest.mark.parametrize("unvalidated_config", [({})])
 def test_validate_noop(unvalidated_config):
-  TimeMachineValidator.validate(ValidatorContext(unvalidated_config))
+    TimeMachineValidator.validate(ValidatorContext(unvalidated_config))
 
 
 from test.fixtures import *
 
-@pytest.mark.parametrize('default_exp,options,expected_exception', [
-  ('2d', ['1w', '2d'], None),
 
-  ('2d', ['1w'], 'Default expiration must be in expiration options set'),
-  ('2d', ['2d', '1M'], 'Invalid tag expiration option: 1M'),
-])
+@pytest.mark.parametrize(
+    "default_exp,options,expected_exception",
+    [
+        ("2d", ["1w", "2d"], None),
+        ("2d", ["1w"], "Default expiration must be in expiration options set"),
+        ("2d", ["2d", "1M"], "Invalid tag expiration option: 1M"),
+    ],
+)
 def test_validate(default_exp, options, expected_exception, app):
-  config = {}
-  config['DEFAULT_TAG_EXPIRATION'] = default_exp
-  config['TAG_EXPIRATION_OPTIONS'] = options
+    config = {}
+    config["DEFAULT_TAG_EXPIRATION"] = default_exp
+    config["TAG_EXPIRATION_OPTIONS"] = options
 
-  if expected_exception is not None:
-    with pytest.raises(ConfigValidationException) as cve:
-      TimeMachineValidator.validate(ValidatorContext(config))
-    assert str(cve.value) == str(expected_exception)
-  else:
-    TimeMachineValidator.validate(ValidatorContext(config))
+    if expected_exception is not None:
+        with pytest.raises(ConfigValidationException) as cve:
+            TimeMachineValidator.validate(ValidatorContext(config))
+        assert str(cve.value) == str(expected_exception)
+    else:
+        TimeMachineValidator.validate(ValidatorContext(config))
diff --git a/util/config/validators/test/test_validate_torrent.py b/util/config/validators/test/test_validate_torrent.py
index f87304a05..d77c43650 100644
--- a/util/config/validators/test/test_validate_torrent.py
+++ b/util/config/validators/test/test_validate_torrent.py
@@ -10,30 +10,36 @@ from util.config.validators.validate_torrent import BittorrentValidator
 
 from test.fixtures import *
 
-@pytest.mark.parametrize('unvalidated_config,expected', [
-  ({}, ConfigValidationException),
-  ({'BITTORRENT_ANNOUNCE_URL': 'http://faketorrent/announce'}, None),
-])
+
+@pytest.mark.parametrize(
+    "unvalidated_config,expected",
+    [
+        ({}, ConfigValidationException),
+        ({"BITTORRENT_ANNOUNCE_URL": "http://faketorrent/announce"}, None),
+    ],
+)
 def test_validate_torrent(unvalidated_config, expected, app):
-  announcer_hit = [False]
+    announcer_hit = [False]
 
-  @urlmatch(netloc=r'faketorrent', path='/announce')
-  def handler(url, request):
-    announcer_hit[0] = True
-    return {'status_code': 200, 'content': ''}
+    @urlmatch(netloc=r"faketorrent", path="/announce")
+    def handler(url, request):
+        announcer_hit[0] = True
+        return {"status_code": 200, "content": ""}
 
-  with HTTMock(handler):
-    validator = BittorrentValidator()
-    if expected is not None:
-      with pytest.raises(expected):
-        config = ValidatorContext(unvalidated_config, instance_keys=instance_keys)
-        config.http_client = build_requests_session()
+    with HTTMock(handler):
+        validator = BittorrentValidator()
+        if expected is not None:
+            with pytest.raises(expected):
+                config = ValidatorContext(
+                    unvalidated_config, instance_keys=instance_keys
+                )
+                config.http_client = build_requests_session()
 
-        validator.validate(config)
-      assert not announcer_hit[0]
-    else:
-      config = ValidatorContext(unvalidated_config, instance_keys=instance_keys)
-      config.http_client = build_requests_session()
+                validator.validate(config)
+            assert not announcer_hit[0]
+        else:
+            config = ValidatorContext(unvalidated_config, instance_keys=instance_keys)
+            config.http_client = build_requests_session()
 
-      validator.validate(config)
-      assert announcer_hit[0]
+            validator.validate(config)
+            assert announcer_hit[0]
diff --git a/util/config/validators/validate_access.py b/util/config/validators/validate_access.py
index 60568222d..554c6e101 100644
--- a/util/config/validators/validate_access.py
+++ b/util/config/validators/validate_access.py
@@ -2,27 +2,31 @@ from util.config.validators import BaseValidator, ConfigValidationException
 from oauth.loginmanager import OAuthLoginManager
 from oauth.oidc import OIDCLoginService
 
+
 class AccessSettingsValidator(BaseValidator):
-  name = "access"
+    name = "access"
 
-  @classmethod
-  def validate(cls, validator_context):
-    config = validator_context.config
-    client = validator_context.http_client
+    @classmethod
+    def validate(cls, validator_context):
+        config = validator_context.config
+        client = validator_context.http_client
 
-    if not config.get('FEATURE_DIRECT_LOGIN', True):
-      # Make sure we have at least one OIDC enabled.
-      github_login = config.get('FEATURE_GITHUB_LOGIN', False)
-      google_login = config.get('FEATURE_GOOGLE_LOGIN', False)
+        if not config.get("FEATURE_DIRECT_LOGIN", True):
+            # Make sure we have at least one OIDC enabled.
+            github_login = config.get("FEATURE_GITHUB_LOGIN", False)
+            google_login = config.get("FEATURE_GOOGLE_LOGIN", False)
 
-      login_manager = OAuthLoginManager(config, client=client)
-      custom_oidc = [s for s in login_manager.services if isinstance(s, OIDCLoginService)]
+            login_manager = OAuthLoginManager(config, client=client)
+            custom_oidc = [
+                s for s in login_manager.services if isinstance(s, OIDCLoginService)
+            ]
 
-      if not github_login and not google_login and not custom_oidc:
-        msg = 'Cannot disable credentials login to UI without configured OIDC service'
-        raise ConfigValidationException(msg)
+            if not github_login and not google_login and not custom_oidc:
+                msg = "Cannot disable credentials login to UI without configured OIDC service"
+                raise ConfigValidationException(msg)
 
-    if (not config.get('FEATURE_USER_CREATION', True) and
-        config.get('FEATURE_INVITE_ONLY_USER_CREATION', False)):
-      msg = "Invite only user creation requires user creation to be enabled"
-      raise ConfigValidationException(msg)
+        if not config.get("FEATURE_USER_CREATION", True) and config.get(
+            "FEATURE_INVITE_ONLY_USER_CREATION", False
+        ):
+            msg = "Invite only user creation requires user creation to be enabled"
+            raise ConfigValidationException(msg)
diff --git a/util/config/validators/validate_actionlog_archiving.py b/util/config/validators/validate_actionlog_archiving.py
index 03c63fe95..e2711b287 100644
--- a/util/config/validators/validate_actionlog_archiving.py
+++ b/util/config/validators/validate_actionlog_archiving.py
@@ -1,24 +1,30 @@
 from util.config.validators import BaseValidator, ConfigValidationException
 
+
 class ActionLogArchivingValidator(BaseValidator):
-  name = "actionlogarchiving"
+    name = "actionlogarchiving"
 
-  @classmethod
-  def validate(cls, validator_context):
-    config = validator_context.config
+    @classmethod
+    def validate(cls, validator_context):
+        config = validator_context.config
 
-    """ Validates the action log archiving configuration. """
-    if not config.get('FEATURE_ACTION_LOG_ROTATION', False):
-      return
+        """ Validates the action log archiving configuration. """
+        if not config.get("FEATURE_ACTION_LOG_ROTATION", False):
+            return
 
-    if not config.get('ACTION_LOG_ARCHIVE_PATH'):
-      raise ConfigValidationException('Missing action log archive path')
+        if not config.get("ACTION_LOG_ARCHIVE_PATH"):
+            raise ConfigValidationException("Missing action log archive path")
 
-    if not config.get('ACTION_LOG_ARCHIVE_LOCATION'):
-      raise ConfigValidationException('Missing action log archive storage location')
+        if not config.get("ACTION_LOG_ARCHIVE_LOCATION"):
+            raise ConfigValidationException(
+                "Missing action log archive storage location"
+            )
 
-    location = config['ACTION_LOG_ARCHIVE_LOCATION']
-    storage_config = config.get('DISTRIBUTED_STORAGE_CONFIG') or {}
-    if location not in storage_config:
-      msg = 'Action log archive storage location `%s` not found in storage config' % location
-      raise ConfigValidationException(msg)
+        location = config["ACTION_LOG_ARCHIVE_LOCATION"]
+        storage_config = config.get("DISTRIBUTED_STORAGE_CONFIG") or {}
+        if location not in storage_config:
+            msg = (
+                "Action log archive storage location `%s` not found in storage config"
+                % location
+            )
+            raise ConfigValidationException(msg)
diff --git a/util/config/validators/validate_apptokenauth.py b/util/config/validators/validate_apptokenauth.py
index be2096117..c042ef050 100644
--- a/util/config/validators/validate_apptokenauth.py
+++ b/util/config/validators/validate_apptokenauth.py
@@ -1,21 +1,22 @@
 from util.config.validators import BaseValidator, ConfigValidationException
 
+
 class AppTokenAuthValidator(BaseValidator):
-  name = "apptoken-auth"
+    name = "apptoken-auth"
 
-  @classmethod
-  def validate(cls, validator_context):
-    config = validator_context.config
+    @classmethod
+    def validate(cls, validator_context):
+        config = validator_context.config
 
-    if config.get('AUTHENTICATION_TYPE', 'Database') != 'AppToken':
-      return
+        if config.get("AUTHENTICATION_TYPE", "Database") != "AppToken":
+            return
 
-    # Ensure that app tokens are enabled, as they are required.
-    if not config.get('FEATURE_APP_SPECIFIC_TOKENS', False):
-      msg = 'Application token support must be enabled to use External Application Token auth'
-      raise ConfigValidationException(msg)
+        # Ensure that app tokens are enabled, as they are required.
+        if not config.get("FEATURE_APP_SPECIFIC_TOKENS", False):
+            msg = "Application token support must be enabled to use External Application Token auth"
+            raise ConfigValidationException(msg)
 
-    # Ensure that direct login is disabled.
-    if config.get('FEATURE_DIRECT_LOGIN', True):
-      msg = 'Direct login must be disabled to use External Application Token auth'
-      raise ConfigValidationException(msg)
+        # Ensure that direct login is disabled.
+        if config.get("FEATURE_DIRECT_LOGIN", True):
+            msg = "Direct login must be disabled to use External Application Token auth"
+            raise ConfigValidationException(msg)
diff --git a/util/config/validators/validate_bitbucket_trigger.py b/util/config/validators/validate_bitbucket_trigger.py
index c8cb87887..14455e19d 100644
--- a/util/config/validators/validate_bitbucket_trigger.py
+++ b/util/config/validators/validate_bitbucket_trigger.py
@@ -2,29 +2,32 @@ from bitbucket import BitBucket
 
 from util.config.validators import BaseValidator, ConfigValidationException
 
+
 class BitbucketTriggerValidator(BaseValidator):
-  name = "bitbucket-trigger"
+    name = "bitbucket-trigger"
 
-  @classmethod
-  def validate(cls, validator_context):
-    """ Validates the config for BitBucket. """
-    config = validator_context.config
+    @classmethod
+    def validate(cls, validator_context):
+        """ Validates the config for BitBucket. """
+        config = validator_context.config
 
-    trigger_config = config.get('BITBUCKET_TRIGGER_CONFIG')
-    if not trigger_config:
-      raise ConfigValidationException('Missing client ID and client secret')
+        trigger_config = config.get("BITBUCKET_TRIGGER_CONFIG")
+        if not trigger_config:
+            raise ConfigValidationException("Missing client ID and client secret")
 
-    if not trigger_config.get('CONSUMER_KEY'):
-      raise ConfigValidationException('Missing Consumer Key')
+        if not trigger_config.get("CONSUMER_KEY"):
+            raise ConfigValidationException("Missing Consumer Key")
 
-    if not trigger_config.get('CONSUMER_SECRET'):
-      raise ConfigValidationException('Missing Consumer Secret')
+        if not trigger_config.get("CONSUMER_SECRET"):
+            raise ConfigValidationException("Missing Consumer Secret")
 
-    key = trigger_config['CONSUMER_KEY']
-    secret = trigger_config['CONSUMER_SECRET']
-    callback_url = '%s/oauth1/bitbucket/callback/trigger/' % (validator_context.url_scheme_and_hostname.get_url())
+        key = trigger_config["CONSUMER_KEY"]
+        secret = trigger_config["CONSUMER_SECRET"]
+        callback_url = "%s/oauth1/bitbucket/callback/trigger/" % (
+            validator_context.url_scheme_and_hostname.get_url()
+        )
 
-    bitbucket_client = BitBucket(key, secret, callback_url)
-    (result, _, _) = bitbucket_client.get_authorization_url()
-    if not result:
-      raise ConfigValidationException('Invalid consumer key or secret')
+        bitbucket_client = BitBucket(key, secret, callback_url)
+        (result, _, _) = bitbucket_client.get_authorization_url()
+        if not result:
+            raise ConfigValidationException("Invalid consumer key or secret")
diff --git a/util/config/validators/validate_database.py b/util/config/validators/validate_database.py
index dfa267397..c182bc46b 100644
--- a/util/config/validators/validate_database.py
+++ b/util/config/validators/validate_database.py
@@ -3,18 +3,21 @@ from peewee import OperationalError
 from data.database import validate_database_precondition
 from util.config.validators import BaseValidator, ConfigValidationException
 
+
 class DatabaseValidator(BaseValidator):
-  name = "database"
+    name = "database"
 
-  @classmethod
-  def validate(cls, validator_context):
-    """ Validates connecting to the database. """
-    config = validator_context.config
+    @classmethod
+    def validate(cls, validator_context):
+        """ Validates connecting to the database. """
+        config = validator_context.config
 
-    try:
-      validate_database_precondition(config['DB_URI'], config.get('DB_CONNECTION_ARGS', {}))
-    except OperationalError as ex:
-      if ex.args and len(ex.args) > 1:
-        raise ConfigValidationException(ex.args[1])
-      else:
-        raise ex
+        try:
+            validate_database_precondition(
+                config["DB_URI"], config.get("DB_CONNECTION_ARGS", {})
+            )
+        except OperationalError as ex:
+            if ex.args and len(ex.args) > 1:
+                raise ConfigValidationException(ex.args[1])
+            else:
+                raise ex
diff --git a/util/config/validators/validate_github.py b/util/config/validators/validate_github.py
index 3b5e2ed1b..6a43908d5 100644
--- a/util/config/validators/validate_github.py
+++ b/util/config/validators/validate_github.py
@@ -1,53 +1,63 @@
 from oauth.services.github import GithubOAuthService
 from util.config.validators import BaseValidator, ConfigValidationException
 
+
 class BaseGitHubValidator(BaseValidator):
-  name = None
-  config_key = None
+    name = None
+    config_key = None
 
-  @classmethod
-  def validate(cls, validator_context):
-    """ Validates the OAuth credentials and API endpoint for a Github service. """
-    config = validator_context.config
-    client = validator_context.http_client
-    url_scheme_and_hostname = validator_context.url_scheme_and_hostname
+    @classmethod
+    def validate(cls, validator_context):
+        """ Validates the OAuth credentials and API endpoint for a Github service. """
+        config = validator_context.config
+        client = validator_context.http_client
+        url_scheme_and_hostname = validator_context.url_scheme_and_hostname
 
-    github_config = config.get(cls.config_key)
-    if not github_config:
-      raise ConfigValidationException('Missing GitHub client id and client secret')
+        github_config = config.get(cls.config_key)
+        if not github_config:
+            raise ConfigValidationException(
+                "Missing GitHub client id and client secret"
+            )
 
-    endpoint = github_config.get('GITHUB_ENDPOINT')
-    if not endpoint:
-      raise ConfigValidationException('Missing GitHub Endpoint')
+        endpoint = github_config.get("GITHUB_ENDPOINT")
+        if not endpoint:
+            raise ConfigValidationException("Missing GitHub Endpoint")
 
-    if endpoint.find('http://') != 0 and endpoint.find('https://') != 0:
-      raise ConfigValidationException('Github Endpoint must start with http:// or https://')
+        if endpoint.find("http://") != 0 and endpoint.find("https://") != 0:
+            raise ConfigValidationException(
+                "Github Endpoint must start with http:// or https://"
+            )
 
-    if not github_config.get('CLIENT_ID'):
-      raise ConfigValidationException('Missing Client ID')
+        if not github_config.get("CLIENT_ID"):
+            raise ConfigValidationException("Missing Client ID")
 
-    if not github_config.get('CLIENT_SECRET'):
-      raise ConfigValidationException('Missing Client Secret')
+        if not github_config.get("CLIENT_SECRET"):
+            raise ConfigValidationException("Missing Client Secret")
 
-    if github_config.get('ORG_RESTRICT') and not github_config.get('ALLOWED_ORGANIZATIONS'):
-      raise ConfigValidationException('Organization restriction must have at least one allowed ' +
-                                      'organization')
+        if github_config.get("ORG_RESTRICT") and not github_config.get(
+            "ALLOWED_ORGANIZATIONS"
+        ):
+            raise ConfigValidationException(
+                "Organization restriction must have at least one allowed "
+                + "organization"
+            )
 
-    oauth = GithubOAuthService(config, cls.config_key)
-    result = oauth.validate_client_id_and_secret(client, url_scheme_and_hostname)
-    if not result:
-      raise ConfigValidationException('Invalid client id or client secret')
+        oauth = GithubOAuthService(config, cls.config_key)
+        result = oauth.validate_client_id_and_secret(client, url_scheme_and_hostname)
+        if not result:
+            raise ConfigValidationException("Invalid client id or client secret")
 
-    if github_config.get('ALLOWED_ORGANIZATIONS'):
-      for org_id in github_config.get('ALLOWED_ORGANIZATIONS'):
-        if not oauth.validate_organization(org_id, client):
-          raise ConfigValidationException('Invalid organization: %s' % org_id)
+        if github_config.get("ALLOWED_ORGANIZATIONS"):
+            for org_id in github_config.get("ALLOWED_ORGANIZATIONS"):
+                if not oauth.validate_organization(org_id, client):
+                    raise ConfigValidationException("Invalid organization: %s" % org_id)
 
 
 class GitHubLoginValidator(BaseGitHubValidator):
-  name = "github-login"
-  config_key = "GITHUB_LOGIN_CONFIG"
+    name = "github-login"
+    config_key = "GITHUB_LOGIN_CONFIG"
+
 
 class GitHubTriggerValidator(BaseGitHubValidator):
-  name = "github-trigger"
-  config_key = "GITHUB_TRIGGER_CONFIG"
+    name = "github-trigger"
+    config_key = "GITHUB_TRIGGER_CONFIG"
diff --git a/util/config/validators/validate_gitlab_trigger.py b/util/config/validators/validate_gitlab_trigger.py
index 50c381881..2e499c060 100644
--- a/util/config/validators/validate_gitlab_trigger.py
+++ b/util/config/validators/validate_gitlab_trigger.py
@@ -1,32 +1,37 @@
 from oauth.services.gitlab import GitLabOAuthService
 from util.config.validators import BaseValidator, ConfigValidationException
 
+
 class GitLabTriggerValidator(BaseValidator):
-  name = "gitlab-trigger"
+    name = "gitlab-trigger"
 
-  @classmethod
-  def validate(cls, validator_context):
-    """ Validates the OAuth credentials and API endpoint for a GitLab service. """
-    config = validator_context.config
-    url_scheme_and_hostname = validator_context.url_scheme_and_hostname
-    client = validator_context.http_client
+    @classmethod
+    def validate(cls, validator_context):
+        """ Validates the OAuth credentials and API endpoint for a GitLab service. """
+        config = validator_context.config
+        url_scheme_and_hostname = validator_context.url_scheme_and_hostname
+        client = validator_context.http_client
 
-    github_config = config.get('GITLAB_TRIGGER_CONFIG')
-    if not github_config:
-      raise ConfigValidationException('Missing GitLab client id and client secret')
+        github_config = config.get("GITLAB_TRIGGER_CONFIG")
+        if not github_config:
+            raise ConfigValidationException(
+                "Missing GitLab client id and client secret"
+            )
 
-    endpoint = github_config.get('GITLAB_ENDPOINT')
-    if endpoint:
-      if endpoint.find('http://') != 0 and endpoint.find('https://') != 0:
-        raise ConfigValidationException('GitLab Endpoint must start with http:// or https://')
+        endpoint = github_config.get("GITLAB_ENDPOINT")
+        if endpoint:
+            if endpoint.find("http://") != 0 and endpoint.find("https://") != 0:
+                raise ConfigValidationException(
+                    "GitLab Endpoint must start with http:// or https://"
+                )
 
-    if not github_config.get('CLIENT_ID'):
-      raise ConfigValidationException('Missing Client ID')
+        if not github_config.get("CLIENT_ID"):
+            raise ConfigValidationException("Missing Client ID")
 
-    if not github_config.get('CLIENT_SECRET'):
-      raise ConfigValidationException('Missing Client Secret')
+        if not github_config.get("CLIENT_SECRET"):
+            raise ConfigValidationException("Missing Client Secret")
 
-    oauth = GitLabOAuthService(config, 'GITLAB_TRIGGER_CONFIG')
-    result = oauth.validate_client_id_and_secret(client, url_scheme_and_hostname)
-    if not result:
-      raise ConfigValidationException('Invalid client id or client secret')
+        oauth = GitLabOAuthService(config, "GITLAB_TRIGGER_CONFIG")
+        result = oauth.validate_client_id_and_secret(client, url_scheme_and_hostname)
+        if not result:
+            raise ConfigValidationException("Invalid client id or client secret")
diff --git a/util/config/validators/validate_google_login.py b/util/config/validators/validate_google_login.py
index e03aae8d8..c8a038563 100644
--- a/util/config/validators/validate_google_login.py
+++ b/util/config/validators/validate_google_login.py
@@ -1,27 +1,28 @@
 from oauth.services.google import GoogleOAuthService
 from util.config.validators import BaseValidator, ConfigValidationException
 
+
 class GoogleLoginValidator(BaseValidator):
-  name = "google-login"
+    name = "google-login"
 
-  @classmethod
-  def validate(cls, validator_context):
-    """ Validates the Google Login client ID and secret. """
-    config = validator_context.config
-    client = validator_context.http_client
-    url_scheme_and_hostname = validator_context.url_scheme_and_hostname
+    @classmethod
+    def validate(cls, validator_context):
+        """ Validates the Google Login client ID and secret. """
+        config = validator_context.config
+        client = validator_context.http_client
+        url_scheme_and_hostname = validator_context.url_scheme_and_hostname
 
-    google_login_config = config.get('GOOGLE_LOGIN_CONFIG')
-    if not google_login_config:
-      raise ConfigValidationException('Missing client ID and client secret')
+        google_login_config = config.get("GOOGLE_LOGIN_CONFIG")
+        if not google_login_config:
+            raise ConfigValidationException("Missing client ID and client secret")
 
-    if not google_login_config.get('CLIENT_ID'):
-      raise ConfigValidationException('Missing Client ID')
+        if not google_login_config.get("CLIENT_ID"):
+            raise ConfigValidationException("Missing Client ID")
 
-    if not google_login_config.get('CLIENT_SECRET'):
-      raise ConfigValidationException('Missing Client Secret')
+        if not google_login_config.get("CLIENT_SECRET"):
+            raise ConfigValidationException("Missing Client Secret")
 
-    oauth = GoogleOAuthService(config, 'GOOGLE_LOGIN_CONFIG')
-    result = oauth.validate_client_id_and_secret(client, url_scheme_and_hostname)
-    if not result:
-      raise ConfigValidationException('Invalid client id or client secret')
+        oauth = GoogleOAuthService(config, "GOOGLE_LOGIN_CONFIG")
+        result = oauth.validate_client_id_and_secret(client, url_scheme_and_hostname)
+        if not result:
+            raise ConfigValidationException("Invalid client id or client secret")
diff --git a/util/config/validators/validate_jwt.py b/util/config/validators/validate_jwt.py
index d7b5e36f5..8dce41f94 100644
--- a/util/config/validators/validate_jwt.py
+++ b/util/config/validators/validate_jwt.py
@@ -2,47 +2,54 @@ import os
 from data.users.externaljwt import ExternalJWTAuthN
 from util.config.validators import BaseValidator, ConfigValidationException
 
+
 class JWTAuthValidator(BaseValidator):
-  name = "jwt"
+    name = "jwt"
 
-  @classmethod
-  def validate(cls, validator_context, public_key_path=None):
-    """ Validates the JWT authentication system. """
-    config = validator_context.config
-    http_client = validator_context.http_client
-    jwt_auth_max = validator_context.jwt_auth_max
-    config_provider = validator_context.config_provider
+    @classmethod
+    def validate(cls, validator_context, public_key_path=None):
+        """ Validates the JWT authentication system. """
+        config = validator_context.config
+        http_client = validator_context.http_client
+        jwt_auth_max = validator_context.jwt_auth_max
+        config_provider = validator_context.config_provider
 
-    if config.get('AUTHENTICATION_TYPE', 'Database') != 'JWT':
-      return
+        if config.get("AUTHENTICATION_TYPE", "Database") != "JWT":
+            return
 
-    verify_endpoint = config.get('JWT_VERIFY_ENDPOINT')
-    query_endpoint = config.get('JWT_QUERY_ENDPOINT', None)
-    getuser_endpoint = config.get('JWT_GETUSER_ENDPOINT', None)
+        verify_endpoint = config.get("JWT_VERIFY_ENDPOINT")
+        query_endpoint = config.get("JWT_QUERY_ENDPOINT", None)
+        getuser_endpoint = config.get("JWT_GETUSER_ENDPOINT", None)
 
-    issuer = config.get('JWT_AUTH_ISSUER')
+        issuer = config.get("JWT_AUTH_ISSUER")
 
-    if not verify_endpoint:
-      raise ConfigValidationException('Missing JWT Verification endpoint')
+        if not verify_endpoint:
+            raise ConfigValidationException("Missing JWT Verification endpoint")
 
-    if not issuer:
-      raise ConfigValidationException('Missing JWT Issuer ID')
+        if not issuer:
+            raise ConfigValidationException("Missing JWT Issuer ID")
 
+        override_config_directory = config_provider.get_config_dir_path()
 
-    override_config_directory = config_provider.get_config_dir_path()
+        # Try to instatiate the JWT authentication mechanism. This will raise an exception if
+        # the key cannot be found.
+        users = ExternalJWTAuthN(
+            verify_endpoint,
+            query_endpoint,
+            getuser_endpoint,
+            issuer,
+            override_config_directory,
+            http_client,
+            jwt_auth_max,
+            public_key_path=public_key_path,
+            requires_email=config.get("FEATURE_MAILING", True),
+        )
 
-    # Try to instatiate the JWT authentication mechanism. This will raise an exception if
-    # the key cannot be found.
-    users = ExternalJWTAuthN(verify_endpoint, query_endpoint, getuser_endpoint, issuer,
-                             override_config_directory,
-                             http_client,
-                             jwt_auth_max,
-                             public_key_path=public_key_path,
-                             requires_email=config.get('FEATURE_MAILING', True))
-
-    # Verify that we can reach the jwt server
-    (result, err_msg) = users.ping()
-    if not result:
-      msg = ('Verification of JWT failed: %s. \n\nWe cannot reach the JWT server' +
-             'OR JWT auth is misconfigured') % err_msg
-      raise ConfigValidationException(msg)
+        # Verify that we can reach the jwt server
+        (result, err_msg) = users.ping()
+        if not result:
+            msg = (
+                "Verification of JWT failed: %s. \n\nWe cannot reach the JWT server"
+                + "OR JWT auth is misconfigured"
+            ) % err_msg
+            raise ConfigValidationException(msg)
diff --git a/util/config/validators/validate_keystone.py b/util/config/validators/validate_keystone.py
index c9dcc22c8..b8e63e34a 100644
--- a/util/config/validators/validate_keystone.py
+++ b/util/config/validators/validate_keystone.py
@@ -1,44 +1,53 @@
 from util.config.validators import BaseValidator, ConfigValidationException
 from data.users.keystone import get_keystone_users
 
+
 class KeystoneValidator(BaseValidator):
-  name = "keystone"
+    name = "keystone"
 
-  @classmethod
-  def validate(cls, validator_context):
-    """ Validates the Keystone authentication system. """
-    config = validator_context.config
+    @classmethod
+    def validate(cls, validator_context):
+        """ Validates the Keystone authentication system. """
+        config = validator_context.config
 
-    if config.get('AUTHENTICATION_TYPE', 'Database') != 'Keystone':
-      return
+        if config.get("AUTHENTICATION_TYPE", "Database") != "Keystone":
+            return
 
-    auth_url = config.get('KEYSTONE_AUTH_URL')
-    auth_version = int(config.get('KEYSTONE_AUTH_VERSION', 2))
-    admin_username = config.get('KEYSTONE_ADMIN_USERNAME')
-    admin_password = config.get('KEYSTONE_ADMIN_PASSWORD')
-    admin_tenant = config.get('KEYSTONE_ADMIN_TENANT')
+        auth_url = config.get("KEYSTONE_AUTH_URL")
+        auth_version = int(config.get("KEYSTONE_AUTH_VERSION", 2))
+        admin_username = config.get("KEYSTONE_ADMIN_USERNAME")
+        admin_password = config.get("KEYSTONE_ADMIN_PASSWORD")
+        admin_tenant = config.get("KEYSTONE_ADMIN_TENANT")
 
-    if not auth_url:
-      raise ConfigValidationException('Missing authentication URL')
+        if not auth_url:
+            raise ConfigValidationException("Missing authentication URL")
 
-    if not admin_username:
-      raise ConfigValidationException('Missing admin username')
+        if not admin_username:
+            raise ConfigValidationException("Missing admin username")
 
-    if not admin_password:
-      raise ConfigValidationException('Missing admin password')
+        if not admin_password:
+            raise ConfigValidationException("Missing admin password")
 
-    if not admin_tenant:
-      raise ConfigValidationException('Missing admin tenant')
+        if not admin_tenant:
+            raise ConfigValidationException("Missing admin tenant")
 
-    requires_email = config.get('FEATURE_MAILING', True)
-    users = get_keystone_users(auth_version, auth_url, admin_username, admin_password, admin_tenant,
-                               requires_email)
+        requires_email = config.get("FEATURE_MAILING", True)
+        users = get_keystone_users(
+            auth_version,
+            auth_url,
+            admin_username,
+            admin_password,
+            admin_tenant,
+            requires_email,
+        )
 
-    # Verify that the superuser exists. If not, raise an exception.
-    (result, err_msg) = users.at_least_one_user_exists()
-    if not result:
-      msg = ('Verification that users exist failed: %s. \n\nNo users exist ' +
-             'in the admin tenant/project ' +
-             'in the remote authentication system ' +
-             'OR Keystone auth is misconfigured.') % err_msg
-      raise ConfigValidationException(msg)
+        # Verify that the superuser exists. If not, raise an exception.
+        (result, err_msg) = users.at_least_one_user_exists()
+        if not result:
+            msg = (
+                "Verification that users exist failed: %s. \n\nNo users exist "
+                + "in the admin tenant/project "
+                + "in the remote authentication system "
+                + "OR Keystone auth is misconfigured."
+            ) % err_msg
+            raise ConfigValidationException(msg)
diff --git a/util/config/validators/validate_ldap.py b/util/config/validators/validate_ldap.py
index edb803704..0a5605814 100644
--- a/util/config/validators/validate_ldap.py
+++ b/util/config/validators/validate_ldap.py
@@ -6,63 +6,81 @@ from data.users import LDAP_CERT_FILENAME
 from data.users.externalldap import LDAPConnection, LDAPUsers
 from util.config.validators import BaseValidator, ConfigValidationException
 
+
 class LDAPValidator(BaseValidator):
-  name = "ldap"
+    name = "ldap"
 
-  @classmethod
-  def validate(cls, validator_context):
-    """ Validates the LDAP connection. """
-    config = validator_context.config
-    config_provider = validator_context.config_provider
-    init_scripts_location = validator_context.init_scripts_location
+    @classmethod
+    def validate(cls, validator_context):
+        """ Validates the LDAP connection. """
+        config = validator_context.config
+        config_provider = validator_context.config_provider
+        init_scripts_location = validator_context.init_scripts_location
 
-    if config.get('AUTHENTICATION_TYPE', 'Database') != 'LDAP':
-      return
+        if config.get("AUTHENTICATION_TYPE", "Database") != "LDAP":
+            return
 
-    # If there is a custom LDAP certificate, then reinstall the certificates for the container.
-    if config_provider.volume_file_exists(LDAP_CERT_FILENAME):
-      subprocess.check_call([os.path.join(init_scripts_location, 'certs_install.sh')],
-                            env={ 'QUAYCONFIG': config_provider.get_config_dir_path() })
+        # If there is a custom LDAP certificate, then reinstall the certificates for the container.
+        if config_provider.volume_file_exists(LDAP_CERT_FILENAME):
+            subprocess.check_call(
+                [os.path.join(init_scripts_location, "certs_install.sh")],
+                env={"QUAYCONFIG": config_provider.get_config_dir_path()},
+            )
 
-    # Note: raises ldap.INVALID_CREDENTIALS on failure
-    admin_dn = config.get('LDAP_ADMIN_DN')
-    admin_passwd = config.get('LDAP_ADMIN_PASSWD')
+        # Note: raises ldap.INVALID_CREDENTIALS on failure
+        admin_dn = config.get("LDAP_ADMIN_DN")
+        admin_passwd = config.get("LDAP_ADMIN_PASSWD")
 
-    if not admin_dn:
-      raise ConfigValidationException('Missing Admin DN for LDAP configuration')
+        if not admin_dn:
+            raise ConfigValidationException("Missing Admin DN for LDAP configuration")
 
-    if not admin_passwd:
-      raise ConfigValidationException('Missing Admin Password for LDAP configuration')
+        if not admin_passwd:
+            raise ConfigValidationException(
+                "Missing Admin Password for LDAP configuration"
+            )
 
-    ldap_uri = config.get('LDAP_URI', 'ldap://localhost')
-    if not ldap_uri.startswith('ldap://') and not ldap_uri.startswith('ldaps://'):
-      raise ConfigValidationException('LDAP URI must start with ldap:// or ldaps://')
+        ldap_uri = config.get("LDAP_URI", "ldap://localhost")
+        if not ldap_uri.startswith("ldap://") and not ldap_uri.startswith("ldaps://"):
+            raise ConfigValidationException(
+                "LDAP URI must start with ldap:// or ldaps://"
+            )
 
-    allow_tls_fallback = config.get('LDAP_ALLOW_INSECURE_FALLBACK', False)
+        allow_tls_fallback = config.get("LDAP_ALLOW_INSECURE_FALLBACK", False)
 
-    try:
-      with LDAPConnection(ldap_uri, admin_dn, admin_passwd, allow_tls_fallback):
-        pass
-    except ldap.LDAPError as ex:
-      values = ex.args[0] if ex.args else {}
-      if not isinstance(values, dict):
-        raise ConfigValidationException(str(ex.args))
+        try:
+            with LDAPConnection(ldap_uri, admin_dn, admin_passwd, allow_tls_fallback):
+                pass
+        except ldap.LDAPError as ex:
+            values = ex.args[0] if ex.args else {}
+            if not isinstance(values, dict):
+                raise ConfigValidationException(str(ex.args))
 
-      raise ConfigValidationException(values.get('desc', 'Unknown error'))
+            raise ConfigValidationException(values.get("desc", "Unknown error"))
 
-    base_dn = config.get('LDAP_BASE_DN')
-    user_rdn = config.get('LDAP_USER_RDN', [])
-    uid_attr = config.get('LDAP_UID_ATTR', 'uid')
-    email_attr = config.get('LDAP_EMAIL_ATTR', 'mail')
-    requires_email = config.get('FEATURE_MAILING', True)
+        base_dn = config.get("LDAP_BASE_DN")
+        user_rdn = config.get("LDAP_USER_RDN", [])
+        uid_attr = config.get("LDAP_UID_ATTR", "uid")
+        email_attr = config.get("LDAP_EMAIL_ATTR", "mail")
+        requires_email = config.get("FEATURE_MAILING", True)
 
-    users = LDAPUsers(ldap_uri, base_dn, admin_dn, admin_passwd, user_rdn, uid_attr, email_attr,
-                      allow_tls_fallback, requires_email=requires_email)
+        users = LDAPUsers(
+            ldap_uri,
+            base_dn,
+            admin_dn,
+            admin_passwd,
+            user_rdn,
+            uid_attr,
+            email_attr,
+            allow_tls_fallback,
+            requires_email=requires_email,
+        )
 
-    # Ensure at least one user exists to verify the connection is setup properly.
-    (result, err_msg) = users.at_least_one_user_exists()
-    if not result:
-      msg = ('Verification that users exist failed: %s. \n\nNo users exist ' +
-             'in the remote authentication system ' +
-             'OR LDAP auth is misconfigured.') % err_msg
-      raise ConfigValidationException(msg)
+        # Ensure at least one user exists to verify the connection is setup properly.
+        (result, err_msg) = users.at_least_one_user_exists()
+        if not result:
+            msg = (
+                "Verification that users exist failed: %s. \n\nNo users exist "
+                + "in the remote authentication system "
+                + "OR LDAP auth is misconfigured."
+            ) % err_msg
+            raise ConfigValidationException(msg)
diff --git a/util/config/validators/validate_oidc.py b/util/config/validators/validate_oidc.py
index 8126d4db7..4565423dc 100644
--- a/util/config/validators/validate_oidc.py
+++ b/util/config/validators/validate_oidc.py
@@ -2,35 +2,39 @@ from oauth.loginmanager import OAuthLoginManager
 from oauth.oidc import OIDCLoginService, DiscoveryFailureException
 from util.config.validators import BaseValidator, ConfigValidationException
 
+
 class OIDCLoginValidator(BaseValidator):
-  name = "oidc-login"
+    name = "oidc-login"
 
-  @classmethod
-  def validate(cls, validator_context):
-    config = validator_context.config
-    client = validator_context.http_client
+    @classmethod
+    def validate(cls, validator_context):
+        config = validator_context.config
+        client = validator_context.http_client
 
-    login_manager = OAuthLoginManager(config, client=client)
-    for service in login_manager.services:
-      if not isinstance(service, OIDCLoginService):
-        continue
+        login_manager = OAuthLoginManager(config, client=client)
+        for service in login_manager.services:
+            if not isinstance(service, OIDCLoginService):
+                continue
 
-      if service.config.get('OIDC_SERVER') is None:
-        msg = 'Missing OIDC_SERVER on OIDC service %s' % service.service_id()
-        raise ConfigValidationException(msg)
+            if service.config.get("OIDC_SERVER") is None:
+                msg = "Missing OIDC_SERVER on OIDC service %s" % service.service_id()
+                raise ConfigValidationException(msg)
 
-      if service.config.get('CLIENT_ID') is None:
-        msg = 'Missing CLIENT_ID on OIDC service %s' % service.service_id()
-        raise ConfigValidationException(msg)
+            if service.config.get("CLIENT_ID") is None:
+                msg = "Missing CLIENT_ID on OIDC service %s" % service.service_id()
+                raise ConfigValidationException(msg)
 
-      if service.config.get('CLIENT_SECRET') is None:
-        msg = 'Missing CLIENT_SECRET on OIDC service %s' % service.service_id()
-        raise ConfigValidationException(msg)
+            if service.config.get("CLIENT_SECRET") is None:
+                msg = "Missing CLIENT_SECRET on OIDC service %s" % service.service_id()
+                raise ConfigValidationException(msg)
 
-      try:
-        if not service.validate():
-          msg = 'Could not validate OIDC service %s' % service.service_id()
-          raise ConfigValidationException(msg)
-      except DiscoveryFailureException as dfe:
-        msg = 'Could not validate OIDC service %s: %s' % (service.service_id(), dfe.message)
-        raise ConfigValidationException(msg)
+            try:
+                if not service.validate():
+                    msg = "Could not validate OIDC service %s" % service.service_id()
+                    raise ConfigValidationException(msg)
+            except DiscoveryFailureException as dfe:
+                msg = "Could not validate OIDC service %s: %s" % (
+                    service.service_id(),
+                    dfe.message,
+                )
+                raise ConfigValidationException(msg)
diff --git a/util/config/validators/validate_redis.py b/util/config/validators/validate_redis.py
index 55beffb84..993283685 100644
--- a/util/config/validators/validate_redis.py
+++ b/util/config/validators/validate_redis.py
@@ -2,17 +2,18 @@ import redis
 
 from util.config.validators import BaseValidator, ConfigValidationException
 
+
 class RedisValidator(BaseValidator):
-  name = "redis"
+    name = "redis"
 
-  @classmethod
-  def validate(cls, validator_context):
-    """ Validates connecting to redis. """
-    config = validator_context.config
+    @classmethod
+    def validate(cls, validator_context):
+        """ Validates connecting to redis. """
+        config = validator_context.config
 
-    redis_config = config.get('BUILDLOGS_REDIS', {})
-    if not 'host' in  redis_config:
-      raise ConfigValidationException('Missing redis hostname')
+        redis_config = config.get("BUILDLOGS_REDIS", {})
+        if not "host" in redis_config:
+            raise ConfigValidationException("Missing redis hostname")
 
-    client = redis.StrictRedis(socket_connect_timeout=5, **redis_config)
-    client.ping()
+        client = redis.StrictRedis(socket_connect_timeout=5, **redis_config)
+        client.ping()
diff --git a/util/config/validators/validate_secscan.py b/util/config/validators/validate_secscan.py
index c690e68d4..e8fbb5398 100644
--- a/util/config/validators/validate_secscan.py
+++ b/util/config/validators/validate_secscan.py
@@ -4,49 +4,64 @@ import time
 from util.secscan.api import SecurityScannerAPI
 from util.config.validators import BaseValidator, ConfigValidationException
 
+
 class SecurityScannerValidator(BaseValidator):
-  name = "security-scanner"
+    name = "security-scanner"
 
-  @classmethod
-  def validate(cls, validator_context):
-    """ Validates the configuration for talking to a Quay Security Scanner. """
-    config = validator_context.config
-    client = validator_context.http_client
-    feature_sec_scanner = validator_context.feature_sec_scanner
-    is_testing = validator_context.is_testing
+    @classmethod
+    def validate(cls, validator_context):
+        """ Validates the configuration for talking to a Quay Security Scanner. """
+        config = validator_context.config
+        client = validator_context.http_client
+        feature_sec_scanner = validator_context.feature_sec_scanner
+        is_testing = validator_context.is_testing
 
-    server_hostname = validator_context.url_scheme_and_hostname.hostname
-    uri_creator = validator_context.uri_creator
+        server_hostname = validator_context.url_scheme_and_hostname.hostname
+        uri_creator = validator_context.uri_creator
 
-    if not feature_sec_scanner:
-      return
+        if not feature_sec_scanner:
+            return
 
-    api = SecurityScannerAPI(config, None, server_hostname, client=client, skip_validation=True, uri_creator=uri_creator)
+        api = SecurityScannerAPI(
+            config,
+            None,
+            server_hostname,
+            client=client,
+            skip_validation=True,
+            uri_creator=uri_creator,
+        )
 
-    # if not is_testing:
-      # Generate a temporary Quay key to use for signing the outgoing requests.
-      # setup_jwt_proxy()
+        # if not is_testing:
+        # Generate a temporary Quay key to use for signing the outgoing requests.
+        # setup_jwt_proxy()
 
-    # We have to wait for JWT proxy to restart with the newly generated key.
-    max_tries = 5
-    response = None
-    last_exception = None
-
-    while max_tries > 0:
-      try:
-        response = api.ping()
+        # We have to wait for JWT proxy to restart with the newly generated key.
+        max_tries = 5
+        response = None
         last_exception = None
-        if response.status_code == 200:
-          return
-      except Exception as ex:
-        last_exception = ex
 
-      time.sleep(1)
-      max_tries = max_tries - 1
+        while max_tries > 0:
+            try:
+                response = api.ping()
+                last_exception = None
+                if response.status_code == 200:
+                    return
+            except Exception as ex:
+                last_exception = ex
 
-    if last_exception is not None:
-      message = str(last_exception)
-      raise ConfigValidationException('Could not ping security scanner: %s' % message)
-    else:
-      message = 'Expected 200 status code, got %s: %s' % (response.status_code, response.text)
-      raise ConfigValidationException('Could not ping security scanner: %s' % message)
+            time.sleep(1)
+            max_tries = max_tries - 1
+
+        if last_exception is not None:
+            message = str(last_exception)
+            raise ConfigValidationException(
+                "Could not ping security scanner: %s" % message
+            )
+        else:
+            message = "Expected 200 status code, got %s: %s" % (
+                response.status_code,
+                response.text,
+            )
+            raise ConfigValidationException(
+                "Could not ping security scanner: %s" % message
+            )
diff --git a/util/config/validators/validate_signer.py b/util/config/validators/validate_signer.py
index f151ab19d..668ddfe2b 100644
--- a/util/config/validators/validate_signer.py
+++ b/util/config/validators/validate_signer.py
@@ -3,20 +3,23 @@ from StringIO import StringIO
 from util.config.validators import BaseValidator, ConfigValidationException
 from util.security.signing import SIGNING_ENGINES
 
+
 class SignerValidator(BaseValidator):
-  name = "signer"
+    name = "signer"
 
-  @classmethod
-  def validate(cls, validator_context):
-    """ Validates the GPG public+private key pair used for signing converted ACIs. """
-    config = validator_context.config
-    config_provider = validator_context.config_provider
+    @classmethod
+    def validate(cls, validator_context):
+        """ Validates the GPG public+private key pair used for signing converted ACIs. """
+        config = validator_context.config
+        config_provider = validator_context.config_provider
 
-    if config.get('SIGNING_ENGINE') is None:
-      return
+        if config.get("SIGNING_ENGINE") is None:
+            return
 
-    if config['SIGNING_ENGINE'] not in SIGNING_ENGINES:
-      raise ConfigValidationException('Unknown signing engine: %s' % config['SIGNING_ENGINE'])
+        if config["SIGNING_ENGINE"] not in SIGNING_ENGINES:
+            raise ConfigValidationException(
+                "Unknown signing engine: %s" % config["SIGNING_ENGINE"]
+            )
 
-    engine = SIGNING_ENGINES[config['SIGNING_ENGINE']](config, config_provider)
-    engine.detached_sign(StringIO('test string'))
+        engine = SIGNING_ENGINES[config["SIGNING_ENGINE"]](config, config_provider)
+        engine.detached_sign(StringIO("test string"))
diff --git a/util/config/validators/validate_ssl.py b/util/config/validators/validate_ssl.py
index 6c02d7cb3..40c5d1d88 100644
--- a/util/config/validators/validate_ssl.py
+++ b/util/config/validators/validate_ssl.py
@@ -1,72 +1,88 @@
 from util.config.validators import BaseValidator, ConfigValidationException
-from util.security.ssl import load_certificate, CertInvalidException, KeyInvalidException
+from util.security.ssl import (
+    load_certificate,
+    CertInvalidException,
+    KeyInvalidException,
+)
+
+SSL_FILENAMES = ["ssl.cert", "ssl.key"]
 
-SSL_FILENAMES = ['ssl.cert', 'ssl.key']
 
 class SSLValidator(BaseValidator):
-  name = "ssl"
+    name = "ssl"
 
-  @classmethod
-  def validate(cls, validator_context):
-    """ Validates the SSL configuration (if enabled). """
-    config = validator_context.config
-    config_provider = validator_context.config_provider
+    @classmethod
+    def validate(cls, validator_context):
+        """ Validates the SSL configuration (if enabled). """
+        config = validator_context.config
+        config_provider = validator_context.config_provider
 
-    # Skip if non-SSL.
-    if config.get('PREFERRED_URL_SCHEME', 'http') != 'https':
-      return
+        # Skip if non-SSL.
+        if config.get("PREFERRED_URL_SCHEME", "http") != "https":
+            return
 
-    # Skip if externally terminated.
-    if config.get('EXTERNAL_TLS_TERMINATION', False) is True:
-      return
+        # Skip if externally terminated.
+        if config.get("EXTERNAL_TLS_TERMINATION", False) is True:
+            return
 
-    # Verify that we have all the required SSL files.
-    for filename in SSL_FILENAMES:
-      if not config_provider.volume_file_exists(filename):
-        raise ConfigValidationException('Missing required SSL file: %s' % filename)
+        # Verify that we have all the required SSL files.
+        for filename in SSL_FILENAMES:
+            if not config_provider.volume_file_exists(filename):
+                raise ConfigValidationException(
+                    "Missing required SSL file: %s" % filename
+                )
 
-    # Read the contents of the SSL certificate.
-    with config_provider.get_volume_file(SSL_FILENAMES[0]) as f:
-      cert_contents = f.read()
+        # Read the contents of the SSL certificate.
+        with config_provider.get_volume_file(SSL_FILENAMES[0]) as f:
+            cert_contents = f.read()
 
-    # Validate the certificate.
-    try:
-      certificate = load_certificate(cert_contents)
-    except CertInvalidException as cie:
-      raise ConfigValidationException('Could not load SSL certificate: %s' % cie)
+        # Validate the certificate.
+        try:
+            certificate = load_certificate(cert_contents)
+        except CertInvalidException as cie:
+            raise ConfigValidationException("Could not load SSL certificate: %s" % cie)
 
-    # Verify the certificate has not expired.
-    if certificate.expired:
-      raise ConfigValidationException('The specified SSL certificate has expired.')
+        # Verify the certificate has not expired.
+        if certificate.expired:
+            raise ConfigValidationException(
+                "The specified SSL certificate has expired."
+            )
 
-    # Verify the hostname matches the name in the certificate.
-    if not certificate.matches_name(_ssl_cn(config['SERVER_HOSTNAME'])):
-      msg = ('Supported names "%s" in SSL cert do not match server hostname "%s"' %
-             (', '.join(list(certificate.names)), _ssl_cn(config['SERVER_HOSTNAME'])))
-      raise ConfigValidationException(msg)
+        # Verify the hostname matches the name in the certificate.
+        if not certificate.matches_name(_ssl_cn(config["SERVER_HOSTNAME"])):
+            msg = (
+                'Supported names "%s" in SSL cert do not match server hostname "%s"'
+                % (
+                    ", ".join(list(certificate.names)),
+                    _ssl_cn(config["SERVER_HOSTNAME"]),
+                )
+            )
+            raise ConfigValidationException(msg)
 
-    # Verify the private key against the certificate.
-    private_key_path = None
-    with config_provider.get_volume_file(SSL_FILENAMES[1]) as f:
-      private_key_path = f.name
+        # Verify the private key against the certificate.
+        private_key_path = None
+        with config_provider.get_volume_file(SSL_FILENAMES[1]) as f:
+            private_key_path = f.name
 
-    if not private_key_path:
-      # Only in testing.
-      return
+        if not private_key_path:
+            # Only in testing.
+            return
 
-    try:
-      certificate.validate_private_key(private_key_path)
-    except KeyInvalidException as kie:
-      raise ConfigValidationException('SSL private key failed to validate: %s' % kie)
+        try:
+            certificate.validate_private_key(private_key_path)
+        except KeyInvalidException as kie:
+            raise ConfigValidationException(
+                "SSL private key failed to validate: %s" % kie
+            )
 
 
 def _ssl_cn(server_hostname):
-  """ Return the common name (fully qualified host name) from the SERVER_HOSTNAME. """
-  host_port = server_hostname.rsplit(':', 1)
+    """ Return the common name (fully qualified host name) from the SERVER_HOSTNAME. """
+    host_port = server_hostname.rsplit(":", 1)
 
-  # SERVER_HOSTNAME includes the port
-  if len(host_port) == 2:
-    if host_port[-1].isdigit():
-      return host_port[-2]
+    # SERVER_HOSTNAME includes the port
+    if len(host_port) == 2:
+        if host_port[-1].isdigit():
+            return host_port[-2]
 
-  return server_hostname
+    return server_hostname
diff --git a/util/config/validators/validate_storage.py b/util/config/validators/validate_storage.py
index 3fe6b4324..fc23957e6 100644
--- a/util/config/validators/validate_storage.py
+++ b/util/config/validators/validate_storage.py
@@ -3,52 +3,60 @@ from util.config.validators import BaseValidator, ConfigValidationException
 
 
 class StorageValidator(BaseValidator):
-  name = "registry-storage"
+    name = "registry-storage"
 
-  @classmethod
-  def validate(cls, validator_context):
-    """ Validates registry storage. """
-    config = validator_context.config
-    client = validator_context.http_client
-    ip_resolver = validator_context.ip_resolver
-    config_provider = validator_context.config_provider
+    @classmethod
+    def validate(cls, validator_context):
+        """ Validates registry storage. """
+        config = validator_context.config
+        client = validator_context.http_client
+        ip_resolver = validator_context.ip_resolver
+        config_provider = validator_context.config_provider
 
-    replication_enabled = config.get('FEATURE_STORAGE_REPLICATION', False)
+        replication_enabled = config.get("FEATURE_STORAGE_REPLICATION", False)
 
-    providers = _get_storage_providers(config, ip_resolver, config_provider).items()
-    if not providers:
-      raise ConfigValidationException('Storage configuration required')
+        providers = _get_storage_providers(config, ip_resolver, config_provider).items()
+        if not providers:
+            raise ConfigValidationException("Storage configuration required")
 
-    for name, (storage_type, driver) in providers:
-      # We can skip localstorage validation, since we can't guarantee that
-      # this will be the same machine Q.E. will run under
-      if storage_type == TYPE_LOCAL_STORAGE:
-          continue
+        for name, (storage_type, driver) in providers:
+            # We can skip localstorage validation, since we can't guarantee that
+            # this will be the same machine Q.E. will run under
+            if storage_type == TYPE_LOCAL_STORAGE:
+                continue
 
-      try:
-        if replication_enabled and storage_type == 'LocalStorage':
-          raise ConfigValidationException('Locally mounted directory not supported ' +
-                                          'with storage replication')
+            try:
+                if replication_enabled and storage_type == "LocalStorage":
+                    raise ConfigValidationException(
+                        "Locally mounted directory not supported "
+                        + "with storage replication"
+                    )
 
-        # Run validation on the driver.
-        driver.validate(client)
+                # Run validation on the driver.
+                driver.validate(client)
 
-        # Run setup on the driver if the read/write succeeded.
-        driver.setup()
-      except Exception as ex:
-        msg = str(ex).strip().split("\n")[0]
-        raise ConfigValidationException('Invalid storage configuration: %s: %s' % (name, msg))
+                # Run setup on the driver if the read/write succeeded.
+                driver.setup()
+            except Exception as ex:
+                msg = str(ex).strip().split("\n")[0]
+                raise ConfigValidationException(
+                    "Invalid storage configuration: %s: %s" % (name, msg)
+                )
 
 
 def _get_storage_providers(config, ip_resolver, config_provider):
-  storage_config = config.get('DISTRIBUTED_STORAGE_CONFIG', {})
-  drivers = {}
+    storage_config = config.get("DISTRIBUTED_STORAGE_CONFIG", {})
+    drivers = {}
 
-  try:
-    for name, parameters in storage_config.items():
-      driver = get_storage_driver(None, None, None, config_provider, ip_resolver, parameters)
-      drivers[name] = (parameters[0], driver)
-  except TypeError:
-    raise ConfigValidationException('Missing required parameter(s) for storage %s' % name)
+    try:
+        for name, parameters in storage_config.items():
+            driver = get_storage_driver(
+                None, None, None, config_provider, ip_resolver, parameters
+            )
+            drivers[name] = (parameters[0], driver)
+    except TypeError:
+        raise ConfigValidationException(
+            "Missing required parameter(s) for storage %s" % name
+        )
 
-  return drivers
+    return drivers
diff --git a/util/config/validators/validate_timemachine.py b/util/config/validators/validate_timemachine.py
index c246a2686..542f40dad 100644
--- a/util/config/validators/validate_timemachine.py
+++ b/util/config/validators/validate_timemachine.py
@@ -5,27 +5,36 @@ from util.timedeltastring import convert_to_timedelta
 
 logger = logging.getLogger(__name__)
 
+
 class TimeMachineValidator(BaseValidator):
-  name = "time-machine"
+    name = "time-machine"
 
-  @classmethod
-  def validate(cls, validator_context):
-    config = validator_context.config
+    @classmethod
+    def validate(cls, validator_context):
+        config = validator_context.config
 
-    if not 'DEFAULT_TAG_EXPIRATION' in config:
-      # Old style config
-      return
+        if not "DEFAULT_TAG_EXPIRATION" in config:
+            # Old style config
+            return
 
-    try:
-      convert_to_timedelta(config['DEFAULT_TAG_EXPIRATION']).total_seconds()
-    except ValueError as ve:
-      raise ConfigValidationException('Invalid default expiration: %s' % ve.message)
+        try:
+            convert_to_timedelta(config["DEFAULT_TAG_EXPIRATION"]).total_seconds()
+        except ValueError as ve:
+            raise ConfigValidationException(
+                "Invalid default expiration: %s" % ve.message
+            )
 
-    if not config['DEFAULT_TAG_EXPIRATION'] in config.get('TAG_EXPIRATION_OPTIONS', []):
-      raise ConfigValidationException('Default expiration must be in expiration options set')
+        if not config["DEFAULT_TAG_EXPIRATION"] in config.get(
+            "TAG_EXPIRATION_OPTIONS", []
+        ):
+            raise ConfigValidationException(
+                "Default expiration must be in expiration options set"
+            )
 
-    for ts in config.get('TAG_EXPIRATION_OPTIONS', []):
-      try:
-        convert_to_timedelta(ts)
-      except ValueError as ve:
-        raise ConfigValidationException('Invalid tag expiration option: %s' % ts)
+        for ts in config.get("TAG_EXPIRATION_OPTIONS", []):
+            try:
+                convert_to_timedelta(ts)
+            except ValueError as ve:
+                raise ConfigValidationException(
+                    "Invalid tag expiration option: %s" % ts
+                )
diff --git a/util/config/validators/validate_torrent.py b/util/config/validators/validate_torrent.py
index b4dcae7ce..fdf2fd772 100644
--- a/util/config/validators/validate_torrent.py
+++ b/util/config/validators/validate_torrent.py
@@ -7,53 +7,67 @@ from util.registry.torrent import jwt_from_infohash, TorrentConfiguration
 
 logger = logging.getLogger(__name__)
 
+
 class BittorrentValidator(BaseValidator):
-  name = "bittorrent"
+    name = "bittorrent"
 
-  @classmethod
-  def validate(cls, validator_context):
-    """ Validates the configuration for using BitTorrent for downloads. """
-    config = validator_context.config
-    client = validator_context.http_client
+    @classmethod
+    def validate(cls, validator_context):
+        """ Validates the configuration for using BitTorrent for downloads. """
+        config = validator_context.config
+        client = validator_context.http_client
 
-    announce_url = config.get('BITTORRENT_ANNOUNCE_URL')
-    if not announce_url:
-      raise ConfigValidationException('Missing announce URL')
+        announce_url = config.get("BITTORRENT_ANNOUNCE_URL")
+        if not announce_url:
+            raise ConfigValidationException("Missing announce URL")
 
-    # Ensure that the tracker is reachable and accepts requests signed with a registry key.
-    params = {
-      'info_hash': sha1('test').digest(),
-      'peer_id': '-QUAY00-6wfG2wk6wWLc',
-      'uploaded': 0,
-      'downloaded': 0,
-      'left': 0,
-      'numwant': 0,
-      'port': 80,
-    }
+        # Ensure that the tracker is reachable and accepts requests signed with a registry key.
+        params = {
+            "info_hash": sha1("test").digest(),
+            "peer_id": "-QUAY00-6wfG2wk6wWLc",
+            "uploaded": 0,
+            "downloaded": 0,
+            "left": 0,
+            "numwant": 0,
+            "port": 80,
+        }
 
-    torrent_config = TorrentConfiguration.for_testing(validator_context.instance_keys, announce_url,
-                                                      validator_context.registry_title)
-    encoded_jwt = jwt_from_infohash(torrent_config, params['info_hash'])
-    params['jwt'] = encoded_jwt
+        torrent_config = TorrentConfiguration.for_testing(
+            validator_context.instance_keys,
+            announce_url,
+            validator_context.registry_title,
+        )
+        encoded_jwt = jwt_from_infohash(torrent_config, params["info_hash"])
+        params["jwt"] = encoded_jwt
 
-    resp = client.get(announce_url, timeout=5, params=params)
-    logger.debug('Got tracker response: %s: %s', resp.status_code, resp.text)
+        resp = client.get(announce_url, timeout=5, params=params)
+        logger.debug("Got tracker response: %s: %s", resp.status_code, resp.text)
 
-    if resp.status_code == 404:
-      raise ConfigValidationException('Announce path not found; did you forget `/announce`?')
+        if resp.status_code == 404:
+            raise ConfigValidationException(
+                "Announce path not found; did you forget `/announce`?"
+            )
 
-    if resp.status_code == 500:
-      raise ConfigValidationException('Did not get expected response from Tracker; ' +
-                                      'please check your settings')
+        if resp.status_code == 500:
+            raise ConfigValidationException(
+                "Did not get expected response from Tracker; "
+                + "please check your settings"
+            )
 
-    if resp.status_code == 200:
-      if 'invalid jwt' in resp.text:
-        raise ConfigValidationException('Could not authorize to Tracker; is your Tracker ' +
-                                        'properly configured?')
+        if resp.status_code == 200:
+            if "invalid jwt" in resp.text:
+                raise ConfigValidationException(
+                    "Could not authorize to Tracker; is your Tracker "
+                    + "properly configured?"
+                )
 
-      if 'failure reason' in resp.text:
-        raise ConfigValidationException('Could not validate signed announce request: ' + resp.text)
+            if "failure reason" in resp.text:
+                raise ConfigValidationException(
+                    "Could not validate signed announce request: " + resp.text
+                )
 
-      if 'go_goroutines' in resp.text:
-        raise ConfigValidationException('Could not validate signed announce request: ' +
-                                        'provided port is used for Prometheus')
+            if "go_goroutines" in resp.text:
+                raise ConfigValidationException(
+                    "Could not validate signed announce request: "
+                    + "provided port is used for Prometheus"
+                )
diff --git a/util/dict_wrappers.py b/util/dict_wrappers.py
index 8c53161ff..052862595 100644
--- a/util/dict_wrappers.py
+++ b/util/dict_wrappers.py
@@ -1,8 +1,9 @@
 import json
 from jsonpath_rw import parse
 
+
 class SafeDictSetter(object):
-  """ Specialized write-only dictionary wrapper class that allows for setting
+    """ Specialized write-only dictionary wrapper class that allows for setting
       nested keys via a path syntax.
 
       Example:
@@ -10,83 +11,87 @@ class SafeDictSetter(object):
         sds['foo.bar.baz'] = 'hello' # Sets 'foo' = {'bar': {'baz': 'hello'}}
         sds['somekey'] = None # Does not set the key since the value is None
   """
-  def __init__(self, initial_object=None):
-    self._object = initial_object or {}
 
-  def __setitem__(self, path, value):
-    self.set(path, value)
+    def __init__(self, initial_object=None):
+        self._object = initial_object or {}
 
-  def set(self, path, value, allow_none=False):
-    """ Sets the value of the given path to the given value. """
-    if value is None and not allow_none:
-      return
+    def __setitem__(self, path, value):
+        self.set(path, value)
 
-    pieces = path.split('.')
-    current = self._object
+    def set(self, path, value, allow_none=False):
+        """ Sets the value of the given path to the given value. """
+        if value is None and not allow_none:
+            return
 
-    for piece in pieces[:len(pieces)-1]:
-      current_obj = current.get(piece, {})
-      if not isinstance(current_obj, dict):
-        raise Exception('Key %s is a non-object value: %s' % (piece, current_obj))
+        pieces = path.split(".")
+        current = self._object
 
-      current[piece] = current_obj
-      current = current_obj
+        for piece in pieces[: len(pieces) - 1]:
+            current_obj = current.get(piece, {})
+            if not isinstance(current_obj, dict):
+                raise Exception(
+                    "Key %s is a non-object value: %s" % (piece, current_obj)
+                )
 
-    current[pieces[-1]] = value
+            current[piece] = current_obj
+            current = current_obj
 
-  def dict_value(self):
-    """ Returns the dict value built. """
-    return self._object
+        current[pieces[-1]] = value
 
-  def json_value(self):
-    """ Returns the JSON string value of the dictionary built. """
-    return json.dumps(self._object)
+    def dict_value(self):
+        """ Returns the dict value built. """
+        return self._object
+
+    def json_value(self):
+        """ Returns the JSON string value of the dictionary built. """
+        return json.dumps(self._object)
 
 
 class JSONPathDict(object):
-  """ Specialized read-only dictionary wrapper class that uses the jsonpath_rw library
+    """ Specialized read-only dictionary wrapper class that uses the jsonpath_rw library
       to access keys via an X-Path-like syntax.
 
       Example:
         pd = JSONPathDict({'hello': {'hi': 'there'}})
         pd['hello.hi'] # Returns 'there'
   """
-  def __init__(self, dict_value):
-    """ Init the helper with the JSON object.
+
+    def __init__(self, dict_value):
+        """ Init the helper with the JSON object.
     """
-    self._object = dict_value
+        self._object = dict_value
 
-  def __getitem__(self, path):
-    return self.get(path)
+    def __getitem__(self, path):
+        return self.get(path)
 
-  def __iter__(self):
-    return self._object.itervalues()
+    def __iter__(self):
+        return self._object.itervalues()
 
-  def iterkeys(self):
-    return self._object.iterkeys()
+    def iterkeys(self):
+        return self._object.iterkeys()
 
-  def get(self, path, not_found_handler=None):
-    """ Returns the value found at the given path. Path is a json-path expression. """
-    if self._object == {} or self._object is None:
-      return None
-    jsonpath_expr = parse(path)
+    def get(self, path, not_found_handler=None):
+        """ Returns the value found at the given path. Path is a json-path expression. """
+        if self._object == {} or self._object is None:
+            return None
+        jsonpath_expr = parse(path)
 
-    try:
-      matches = jsonpath_expr.find(self._object)
-    except IndexError:
-      return None
+        try:
+            matches = jsonpath_expr.find(self._object)
+        except IndexError:
+            return None
 
-    if not matches:
-      return not_found_handler() if not_found_handler else None
+        if not matches:
+            return not_found_handler() if not_found_handler else None
 
-    match = matches[0].value
-    if not match:
-      return not_found_handler() if not_found_handler else None
+        match = matches[0].value
+        if not match:
+            return not_found_handler() if not_found_handler else None
 
-    if isinstance(match, dict):
-      return JSONPathDict(match)
+        if isinstance(match, dict):
+            return JSONPathDict(match)
 
-    return match
+        return match
 
-  def keys(self):
-    return self._object.keys()
+    def keys(self):
+        return self._object.keys()
diff --git a/util/dockerfileparse.py b/util/dockerfileparse.py
index 3904ae96e..6a5192d3c 100644
--- a/util/dockerfileparse.py
+++ b/util/dockerfileparse.py
@@ -1,106 +1,104 @@
 import re
 
-LINE_CONTINUATION_REGEX = re.compile(r'(\s)*\\(\s)*\n')
-COMMAND_REGEX = re.compile('([A-Za-z]+)\s(.*)')
+LINE_CONTINUATION_REGEX = re.compile(r"(\s)*\\(\s)*\n")
+COMMAND_REGEX = re.compile("([A-Za-z]+)\s(.*)")
+
+COMMENT_CHARACTER = "#"
+LATEST_TAG = "latest"
 
-COMMENT_CHARACTER = '#'
-LATEST_TAG = 'latest'
 
 class ParsedDockerfile(object):
-  def __init__(self, commands):
-    self.commands = commands
+    def __init__(self, commands):
+        self.commands = commands
 
-  def _get_commands_of_kind(self, kind):
-    return [command for command in self.commands if command['command'] == kind]
+    def _get_commands_of_kind(self, kind):
+        return [command for command in self.commands if command["command"] == kind]
 
-  def _get_from_image_identifier(self):
-    from_commands = self._get_commands_of_kind('FROM')
-    if not from_commands:
-      return None
+    def _get_from_image_identifier(self):
+        from_commands = self._get_commands_of_kind("FROM")
+        if not from_commands:
+            return None
 
-    return from_commands[-1]['parameters']
+        return from_commands[-1]["parameters"]
 
-  @staticmethod
-  def parse_image_identifier(image_identifier):
-    """ Parses a docker image identifier, and returns a tuple of image name and tag, where the tag
+    @staticmethod
+    def parse_image_identifier(image_identifier):
+        """ Parses a docker image identifier, and returns a tuple of image name and tag, where the tag
         is filled in with "latest" if left unspecified.
     """
-    # Note:
-    # Dockerfile images references can be of multiple forms:
-    #   server:port/some/path
-    #   somepath
-    #   server/some/path
-    #   server/some/path:tag
-    #   server:port/some/path:tag
-    parts = image_identifier.strip().split(':')
+        # Note:
+        # Dockerfile images references can be of multiple forms:
+        #   server:port/some/path
+        #   somepath
+        #   server/some/path
+        #   server/some/path:tag
+        #   server:port/some/path:tag
+        parts = image_identifier.strip().split(":")
 
-    if len(parts) == 1:
-      # somepath
-      return (parts[0], LATEST_TAG)
+        if len(parts) == 1:
+            # somepath
+            return (parts[0], LATEST_TAG)
 
-    # Otherwise, determine if the last part is a port
-    # or a tag.
-    if parts[-1].find('/') >= 0:
-      # Last part is part of the hostname.
-      return (image_identifier, LATEST_TAG)
+        # Otherwise, determine if the last part is a port
+        # or a tag.
+        if parts[-1].find("/") >= 0:
+            # Last part is part of the hostname.
+            return (image_identifier, LATEST_TAG)
 
-    # Remaining cases:
-    #   server/some/path:tag
-    #   server:port/some/path:tag
-    return (':'.join(parts[0:-1]), parts[-1])
+        # Remaining cases:
+        #   server/some/path:tag
+        #   server:port/some/path:tag
+        return (":".join(parts[0:-1]), parts[-1])
 
-  def get_base_image(self):
-    """ Return the base image without the tag name. """
-    return self.get_image_and_tag()[0]
+    def get_base_image(self):
+        """ Return the base image without the tag name. """
+        return self.get_image_and_tag()[0]
 
-  def get_image_and_tag(self):
-    """ Returns the image and tag from the FROM line of the dockerfile. """
-    image_identifier = self._get_from_image_identifier()
-    if image_identifier is None:
-      return (None, None)
+    def get_image_and_tag(self):
+        """ Returns the image and tag from the FROM line of the dockerfile. """
+        image_identifier = self._get_from_image_identifier()
+        if image_identifier is None:
+            return (None, None)
 
-    return self.parse_image_identifier(image_identifier)
+        return self.parse_image_identifier(image_identifier)
 
 
 def strip_comments(contents):
-  lines = []
-  for line in contents.split('\n'):
-    index = line.find(COMMENT_CHARACTER)
-    if index < 0:
-      lines.append(line)
-      continue
+    lines = []
+    for line in contents.split("\n"):
+        index = line.find(COMMENT_CHARACTER)
+        if index < 0:
+            lines.append(line)
+            continue
 
-    line = line[:index]
-    lines.append(line)
+        line = line[:index]
+        lines.append(line)
 
-  return '\n'.join(lines)
+    return "\n".join(lines)
 
 
 def join_continued_lines(contents):
-  return LINE_CONTINUATION_REGEX.sub('', contents)
+    return LINE_CONTINUATION_REGEX.sub("", contents)
 
 
 def parse_dockerfile(contents):
-  # If we receive ASCII, translate into unicode.
-  try:
-    contents = contents.decode('utf-8')
-  except ValueError:
-    # Already unicode or unable to convert.
-    pass
+    # If we receive ASCII, translate into unicode.
+    try:
+        contents = contents.decode("utf-8")
+    except ValueError:
+        # Already unicode or unable to convert.
+        pass
 
-  contents = join_continued_lines(strip_comments(contents))
-  lines = [line.strip() for line in contents.split('\n') if len(line) > 0]
+    contents = join_continued_lines(strip_comments(contents))
+    lines = [line.strip() for line in contents.split("\n") if len(line) > 0]
 
-  commands = []
-  for line in lines:
-    match_command = COMMAND_REGEX.match(line)
-    if match_command:
-      command = match_command.group(1).upper()
-      parameters = match_command.group(2)
+    commands = []
+    for line in lines:
+        match_command = COMMAND_REGEX.match(line)
+        if match_command:
+            command = match_command.group(1).upper()
+            parameters = match_command.group(2)
 
-      commands.append({
-        'command': command,
-        'parameters': parameters
-      })
+            commands.append({"command": command, "parameters": parameters})
 
-  return ParsedDockerfile(commands)
+    return ParsedDockerfile(commands)
diff --git a/util/dynamic.py b/util/dynamic.py
index 975a4d930..80f3f26ab 100644
--- a/util/dynamic.py
+++ b/util/dynamic.py
@@ -1,7 +1,7 @@
 def import_class(module_name, class_name):
-  """ Import a class given the specified module name and class name. """
-  klass = __import__(module_name)
-  class_segments = class_name.split('.')
-  for segment in class_segments:
-    klass = getattr(klass, segment)
-  return klass
+    """ Import a class given the specified module name and class name. """
+    klass = __import__(module_name)
+    class_segments = class_name.split(".")
+    for segment in class_segments:
+        klass = getattr(klass, segment)
+    return klass
diff --git a/util/expiresdict.py b/util/expiresdict.py
index 71d953bc2..ae3150d50 100644
--- a/util/expiresdict.py
+++ b/util/expiresdict.py
@@ -4,81 +4,85 @@ from six import iteritems
 
 
 class ExpiresEntry(object):
-  """ A single entry under a ExpiresDict. """
-  def __init__(self, value, expires=None):
-    self.value = value
-    self._expiration = expires
+    """ A single entry under a ExpiresDict. """
 
-  @property
-  def expired(self):
-    if self._expiration is None:
-      return False
+    def __init__(self, value, expires=None):
+        self.value = value
+        self._expiration = expires
 
-    return datetime.now() >= self._expiration
+    @property
+    def expired(self):
+        if self._expiration is None:
+            return False
+
+        return datetime.now() >= self._expiration
 
 
 class ExpiresDict(object):
-  """ ExpiresDict defines a dictionary-like class whose keys have expiration. The rebuilder is
+    """ ExpiresDict defines a dictionary-like class whose keys have expiration. The rebuilder is
       a function that returns the full contents of the cached dictionary as a dict of the keys
       and whose values are TTLEntry's. If the rebuilder is None, then no rebuilding is performed.
   """
-  def __init__(self, rebuilder=None):
-    self._rebuilder = rebuilder
-    self._items = {}
 
-  def __getitem__(self, key):
-    found = self.get(key)
-    if found is None:
-      raise KeyError
+    def __init__(self, rebuilder=None):
+        self._rebuilder = rebuilder
+        self._items = {}
 
-    return found
+    def __getitem__(self, key):
+        found = self.get(key)
+        if found is None:
+            raise KeyError
 
-  def get(self, key, default_value=None):
-    # Check the cache first. If the key is found and it has not yet expired,
-    # return it.
-    found = self._items.get(key)
-    if found is not None and not found.expired:
-      return found.value
+        return found
 
-    # Otherwise the key has expired or was not found. Rebuild the cache and check it again.
-    items = self._rebuild()
-    found_item = items.get(key)
-    if found_item is None:
-      return default_value
+    def get(self, key, default_value=None):
+        # Check the cache first. If the key is found and it has not yet expired,
+        # return it.
+        found = self._items.get(key)
+        if found is not None and not found.expired:
+            return found.value
 
-    return found_item.value
+        # Otherwise the key has expired or was not found. Rebuild the cache and check it again.
+        items = self._rebuild()
+        found_item = items.get(key)
+        if found_item is None:
+            return default_value
 
-  def __contains__(self, key):
-    return self.get(key) is not None
+        return found_item.value
 
-  def _rebuild(self):
-    if self._rebuilder is None:
-      return self._items
+    def __contains__(self, key):
+        return self.get(key) is not None
 
-    items = self._rebuilder()
-    self._items = items
-    return items
+    def _rebuild(self):
+        if self._rebuilder is None:
+            return self._items
 
-  def _alive_items(self):
-    return {k: entry.value for (k, entry) in self._items.items() if not entry.expired}
+        items = self._rebuilder()
+        self._items = items
+        return items
 
-  def items(self):
-    return self._alive_items().items()
+    def _alive_items(self):
+        return {
+            k: entry.value for (k, entry) in self._items.items() if not entry.expired
+        }
 
-  def iteritems(self):
-    return iteritems(self._alive_items())
+    def items(self):
+        return self._alive_items().items()
 
-  def __iter__(self):
-    return iter(self._alive_items())
+    def iteritems(self):
+        return iteritems(self._alive_items())
 
-  def __delitem__(self, key):
-    del self._items[key]
+    def __iter__(self):
+        return iter(self._alive_items())
 
-  def __len__(self):
-    return len(self._alive_items())
+    def __delitem__(self, key):
+        del self._items[key]
 
-  def set(self, key, value, expires=None):
-    self._items[key] = ExpiresEntry(value, expires=expires)
+    def __len__(self):
+        return len(self._alive_items())
 
-  def __setitem__(self, key, value):
-    return self.set(key, value)
+    def set(self, key, value, expires=None):
+        self._items[key] = ExpiresEntry(value, expires=expires)
+
+    def __setitem__(self, key, value):
+        return self.set(key, value)
diff --git a/util/failover.py b/util/failover.py
index c88d47a6f..556669561 100644
--- a/util/failover.py
+++ b/util/failover.py
@@ -7,15 +7,17 @@ logger = logging.getLogger(__name__)
 
 
 class FailoverException(Exception):
-  """ Exception raised when an operation should be retried by the failover decorator.
+    """ Exception raised when an operation should be retried by the failover decorator.
       Wraps the exception of the initial failure.
   """
-  def __init__(self, exception):
-    super(FailoverException, self).__init__()
-    self.exception = exception
+
+    def __init__(self, exception):
+        super(FailoverException, self).__init__()
+        self.exception = exception
+
 
 def failover(func):
-  """ Wraps a function such that it can be retried on specified failures.
+    """ Wraps a function such that it can be retried on specified failures.
       Raises FailoverException when all failovers are exhausted.
       Example:
 
@@ -37,14 +39,16 @@ def failover(func):
         )
         print('Successfully contacted ' + r.url)
   """
-  @wraps(func)
-  def wrapper(*args_sets):
-    for arg_set in args_sets:
-      try:
-        return func(*arg_set[0], **arg_set[1])
-      except FailoverException as ex:
-        logger.debug('failing over')
-        exception = ex.exception
-        continue
-    raise exception
-  return wrapper
+
+    @wraps(func)
+    def wrapper(*args_sets):
+        for arg_set in args_sets:
+            try:
+                return func(*arg_set[0], **arg_set[1])
+            except FailoverException as ex:
+                logger.debug("failing over")
+                exception = ex.exception
+                continue
+        raise exception
+
+    return wrapper
diff --git a/util/fixuseradmin.py b/util/fixuseradmin.py
index 2421f80df..a4282576f 100644
--- a/util/fixuseradmin.py
+++ b/util/fixuseradmin.py
@@ -6,23 +6,24 @@ from data.database import Namespace, Repository, RepositoryPermission, Role
 from data.model.permission import get_user_repo_permissions
 from data.model.user import get_active_users, get_nonrobot_user
 
-DESCRIPTION = '''
+DESCRIPTION = """
 Fix user repositories missing admin permissions for owning user.
-'''
+"""
 
 parser = argparse.ArgumentParser(description=DESCRIPTION)
-parser.add_argument('users', nargs='*', help='Users to check')
-parser.add_argument('-a', '--all', action='store_true', help='Check all users')
-parser.add_argument('-n', '--dry-run', action='store_true', help="Don't act")
+parser.add_argument("users", nargs="*", help="Users to check")
+parser.add_argument("-a", "--all", action="store_true", help="Check all users")
+parser.add_argument("-n", "--dry-run", action="store_true", help="Don't act")
 
-ADMIN = Role.get(name='admin')
+ADMIN = Role.get(name="admin")
 
 
 def repos_for_namespace(namespace):
-    return (Repository
-            .select(Repository.id, Repository.name, Namespace.username)
-            .join(Namespace)
-            .where(Namespace.username == namespace))
+    return (
+        Repository.select(Repository.id, Repository.name, Namespace.username)
+        .join(Namespace)
+        .where(Namespace.username == namespace)
+    )
 
 
 def has_admin(user, repo):
@@ -41,11 +42,11 @@ def ensure_admin(user, repos, dry_run=False):
     repos = [repo for repo in repos if not has_admin(user, repo)]
 
     for repo in repos:
-        print('User {} missing admin on: {}'.format(user.username, repo.name))
+        print ("User {} missing admin on: {}".format(user.username, repo.name))
 
         if not dry_run:
             RepositoryPermission.create(user=user, repository=repo, role=ADMIN)
-            print('Granted {} admin on: {}'.format(user.username, repo.name))
+            print ("Granted {} admin on: {}".format(user.username, repo.name))
 
     return len(repos)
 
@@ -55,16 +56,17 @@ def main():
     found = 0
 
     if not args.all and len(args.users) == 0:
-        sys.exit('Need a list of users or --all')
+        sys.exit("Need a list of users or --all")
 
     for user in get_users(all_users=args.all, users_list=args.users):
         if user is not None:
             repos = repos_for_namespace(user.username)
             found += ensure_admin(user, repos, dry_run=args.dry_run)
 
-    print('\nFound {} user repos missing admin'
-          ' permissions for owner.'.format(found))
+    print (
+        "\nFound {} user repos missing admin" " permissions for owner.".format(found)
+    )
 
 
-if __name__ == '__main__':
+if __name__ == "__main__":
     main()
diff --git a/util/headers.py b/util/headers.py
index 353cc61dc..067312803 100644
--- a/util/headers.py
+++ b/util/headers.py
@@ -1,20 +1,21 @@
 import base64
 
+
 def parse_basic_auth(header_value):
-  """ Attempts to parse the given header value as a Base64-encoded Basic auth header. """
+    """ Attempts to parse the given header value as a Base64-encoded Basic auth header. """
 
-  if not header_value:
-    return None
+    if not header_value:
+        return None
 
-  parts = header_value.split(' ')
-  if len(parts) != 2 or parts[0].lower() != 'basic':
-    return None
+    parts = header_value.split(" ")
+    if len(parts) != 2 or parts[0].lower() != "basic":
+        return None
 
-  try:
-    basic_parts = base64.b64decode(parts[1]).split(':', 1)
-    if len(basic_parts) != 2:
-      return None
+    try:
+        basic_parts = base64.b64decode(parts[1]).split(":", 1)
+        if len(basic_parts) != 2:
+            return None
 
-    return basic_parts
-  except ValueError:
-    return None
\ No newline at end of file
+        return basic_parts
+    except ValueError:
+        return None
diff --git a/util/html.py b/util/html.py
index 28dfb4800..c650295b1 100644
--- a/util/html.py
+++ b/util/html.py
@@ -1,60 +1,68 @@
 from bs4 import BeautifulSoup, Tag, NavigableString
 
-_NEWLINE_INDICATOR = '<<<newline>>>'
+_NEWLINE_INDICATOR = "<<<newline>>>"
+
 
 def _bold(elem):
-  elem.replace_with('*%s*' % elem.text)
+    elem.replace_with("*%s*" % elem.text)
+
 
 def _unordered_list(elem):
-  constructed = ''
-  for child in elem.children:
-    if child.name == 'li':
-      constructed += '* %s\n' % child.text
-  elem.replace_with(constructed)
+    constructed = ""
+    for child in elem.children:
+        if child.name == "li":
+            constructed += "* %s\n" % child.text
+    elem.replace_with(constructed)
+
 
 def _horizontal_rule(elem):
-  elem.replace_with('%s\n' % ('-' * 80))
+    elem.replace_with("%s\n" % ("-" * 80))
+
 
 def _anchor(elem):
-  elem.replace_with('[%s](%s)' % (elem.text, elem['href']))
+    elem.replace_with("[%s](%s)" % (elem.text, elem["href"]))
+
 
 def _table(elem):
-  elem.replace_with('%s%s' % (elem.text, _NEWLINE_INDICATOR))
+    elem.replace_with("%s%s" % (elem.text, _NEWLINE_INDICATOR))
 
 
 _ELEMENT_REPLACER = {
-  'b': _bold,
-  'strong': _bold,
-  'ul': _unordered_list,
-  'hr': _horizontal_rule,
-  'a': _anchor,
-  'table': _table,
+    "b": _bold,
+    "strong": _bold,
+    "ul": _unordered_list,
+    "hr": _horizontal_rule,
+    "a": _anchor,
+    "table": _table,
 }
 
+
 def _collapse_whitespace(text):
-  new_lines = []
-  lines = text.split('\n')
-  for line in lines:
-    if not line.strip():
-      continue
+    new_lines = []
+    lines = text.split("\n")
+    for line in lines:
+        if not line.strip():
+            continue
 
-    new_lines.append(line.strip().replace(_NEWLINE_INDICATOR, '\n'))
+        new_lines.append(line.strip().replace(_NEWLINE_INDICATOR, "\n"))
+
+    return "\n".join(new_lines)
 
-  return '\n'.join(new_lines)
 
 def html2text(html):
-  soup = BeautifulSoup(html, 'html5lib')
-  _html2text(soup)
-  return _collapse_whitespace(soup.text)
+    soup = BeautifulSoup(html, "html5lib")
+    _html2text(soup)
+    return _collapse_whitespace(soup.text)
+
 
 def _html2text(elem):
-  for child in elem.children:
-    if isinstance(child, Tag):
-      _html2text(child)
-    elif isinstance(child, NavigableString):
-      # No changes necessary
-      continue
+    for child in elem.children:
+        if isinstance(child, Tag):
+            _html2text(child)
+        elif isinstance(child, NavigableString):
+            # No changes necessary
+            continue
 
-  if elem.parent:
-    if elem.name in _ELEMENT_REPLACER:
-      _ELEMENT_REPLACER[elem.name](elem)
+    if elem.parent:
+        if elem.name in _ELEMENT_REPLACER:
+            _ELEMENT_REPLACER[elem.name](elem)
diff --git a/util/http.py b/util/http.py
index bd3c854ec..9d91ad277 100644
--- a/util/http.py
+++ b/util/http.py
@@ -11,72 +11,71 @@ logger = logging.getLogger(__name__)
 
 
 DEFAULT_MESSAGE = {}
-DEFAULT_MESSAGE[400] = 'Invalid Request'
-DEFAULT_MESSAGE[401] = 'Unauthorized'
-DEFAULT_MESSAGE[403] = 'Permission Denied'
-DEFAULT_MESSAGE[404] = 'Not Found'
-DEFAULT_MESSAGE[409] = 'Conflict'
-DEFAULT_MESSAGE[501] = 'Not Implemented'
+DEFAULT_MESSAGE[400] = "Invalid Request"
+DEFAULT_MESSAGE[401] = "Unauthorized"
+DEFAULT_MESSAGE[403] = "Permission Denied"
+DEFAULT_MESSAGE[404] = "Not Found"
+DEFAULT_MESSAGE[409] = "Conflict"
+DEFAULT_MESSAGE[501] = "Not Implemented"
 
 
 def _abort(status_code, data_object, description, headers):
-  # Add CORS headers to all errors
-  options_resp = current_app.make_default_options_response()
-  headers['Access-Control-Allow-Origin'] = '*'
-  headers['Access-Control-Allow-Methods'] = options_resp.headers['allow']
-  headers['Access-Control-Max-Age'] = str(21600)
-  headers['Access-Control-Allow-Headers'] = ['Authorization', 'Content-Type']
+    # Add CORS headers to all errors
+    options_resp = current_app.make_default_options_response()
+    headers["Access-Control-Allow-Origin"] = "*"
+    headers["Access-Control-Allow-Methods"] = options_resp.headers["allow"]
+    headers["Access-Control-Max-Age"] = str(21600)
+    headers["Access-Control-Allow-Headers"] = ["Authorization", "Content-Type"]
 
-  resp = make_response(json.dumps(data_object), status_code, headers)
+    resp = make_response(json.dumps(data_object), status_code, headers)
 
-  # Report the abort to the user.
-  # Raising HTTPException as workaround for https://github.com/pallets/werkzeug/issues/1098
-  new_exception = HTTPException(response=resp, description=description)
-  new_exception.code = status_code
-  raise new_exception
+    # Report the abort to the user.
+    # Raising HTTPException as workaround for https://github.com/pallets/werkzeug/issues/1098
+    new_exception = HTTPException(response=resp, description=description)
+    new_exception.code = status_code
+    raise new_exception
 
 
 def exact_abort(status_code, message=None):
-  data = {}
+    data = {}
 
-  if message is not None:
-    data['error'] = message
+    if message is not None:
+        data["error"] = message
 
-  _abort(status_code, data, message or None, {})
+    _abort(status_code, data, message or None, {})
 
 
 def abort(status_code, message=None, issue=None, headers=None, **kwargs):
-  message = (str(message) % kwargs if message else
-             DEFAULT_MESSAGE.get(status_code, ''))
+    message = str(message) % kwargs if message else DEFAULT_MESSAGE.get(status_code, "")
 
-  params = dict(request.view_args or {})
-  params.update(kwargs)
+    params = dict(request.view_args or {})
+    params.update(kwargs)
 
-  params['url'] = request.url
-  params['status_code'] = status_code
-  params['message'] = message
+    params["url"] = request.url
+    params["status_code"] = status_code
+    params["message"] = message
 
-  # Add the user information.
-  auth_context = get_authenticated_context()
-  if auth_context is not None:
-    message = '%s (authorized: %s)' % (message, auth_context.description)
+    # Add the user information.
+    auth_context = get_authenticated_context()
+    if auth_context is not None:
+        message = "%s (authorized: %s)" % (message, auth_context.description)
 
-  # Log the abort.
-  logger.error('Error %s: %s; Arguments: %s' % (status_code, message, params))
+    # Log the abort.
+    logger.error("Error %s: %s; Arguments: %s" % (status_code, message, params))
 
-  # Calculate the issue URL (if the issue ID was supplied).
-  issue_url = None
-  if issue:
-    issue_url = 'http://docs.quay.io/issues/%s.html' % (issue)
+    # Calculate the issue URL (if the issue ID was supplied).
+    issue_url = None
+    if issue:
+        issue_url = "http://docs.quay.io/issues/%s.html" % (issue)
 
-  # Create the final response data and message.
-  data = {}
-  data['error'] = message
+    # Create the final response data and message.
+    data = {}
+    data["error"] = message
 
-  if issue_url:
-    data['info_url'] = issue_url
+    if issue_url:
+        data["info_url"] = issue_url
 
-  if headers is None:
-    headers = {}
+    if headers is None:
+        headers = {}
 
-  _abort(status_code, data, message, headers)
+    _abort(status_code, data, message, headers)
diff --git a/util/invoice.py b/util/invoice.py
index 00c4f7292..24437171f 100644
--- a/util/invoice.py
+++ b/util/invoice.py
@@ -6,55 +6,60 @@ import StringIO
 
 from app import app
 
-jinja_options = {
-  "loader": FileSystemLoader('util'),
-}
+jinja_options = {"loader": FileSystemLoader("util")}
 
 env = Environment(**jinja_options)
 
 
 def renderInvoiceToPdf(invoice, user):
-  """ Renders a nice PDF display for the given invoice. """
-  sourceHtml = renderInvoiceToHtml(invoice, user)
-  output = StringIO.StringIO()
-  pisaStatus = pisa.CreatePDF(sourceHtml, dest=output)
-  if pisaStatus.err:
-    return None
+    """ Renders a nice PDF display for the given invoice. """
+    sourceHtml = renderInvoiceToHtml(invoice, user)
+    output = StringIO.StringIO()
+    pisaStatus = pisa.CreatePDF(sourceHtml, dest=output)
+    if pisaStatus.err:
+        return None
 
-  value = output.getvalue()
-  output.close()
-  return value
+    value = output.getvalue()
+    output.close()
+    return value
 
 
 def renderInvoiceToHtml(invoice, user):
-  """ Renders a nice HTML display for the given invoice. """
-  from endpoints.api.billing import get_invoice_fields
+    """ Renders a nice HTML display for the given invoice. """
+    from endpoints.api.billing import get_invoice_fields
 
-  def get_price(price):
-    if not price:
-      return '$0'
+    def get_price(price):
+        if not price:
+            return "$0"
 
-    return '$' + '{0:.2f}'.format(float(price) / 100)
+        return "$" + "{0:.2f}".format(float(price) / 100)
 
-  def get_range(line):
-   if line.period and line.period.start and line.period.end:
-     return ': ' + format_date(line.period.start) + ' - ' + format_date(line.period.end)
-   return ''
+    def get_range(line):
+        if line.period and line.period.start and line.period.end:
+            return (
+                ": "
+                + format_date(line.period.start)
+                + " - "
+                + format_date(line.period.end)
+            )
+        return ""
 
-  def format_date(timestamp):
-    return datetime.fromtimestamp(timestamp).strftime('%Y-%m-%d')
+    def format_date(timestamp):
+        return datetime.fromtimestamp(timestamp).strftime("%Y-%m-%d")
 
-  app_logo = app.config.get('ENTERPRISE_LOGO_URL', 'https://quay.io/static/img/quay-logo.png')
-  data = {
-    'user': user.username,
-    'invoice': invoice,
-    'invoice_date': format_date(invoice.date),
-    'getPrice': get_price,
-    'getRange': get_range,
-    'custom_fields': get_invoice_fields(user)[0],
-    'logo': app_logo,
-  }
+    app_logo = app.config.get(
+        "ENTERPRISE_LOGO_URL", "https://quay.io/static/img/quay-logo.png"
+    )
+    data = {
+        "user": user.username,
+        "invoice": invoice,
+        "invoice_date": format_date(invoice.date),
+        "getPrice": get_price,
+        "getRange": get_range,
+        "custom_fields": get_invoice_fields(user)[0],
+        "logo": app_logo,
+    }
 
-  template = env.get_template('invoice.tmpl')
-  rendered = template.render(data)
-  return rendered
+    template = env.get_template("invoice.tmpl")
+    rendered = template.render(data)
+    return rendered
diff --git a/util/ipresolver/__init__.py b/util/ipresolver/__init__.py
index 2b2877d52..c2f8d35b3 100644
--- a/util/ipresolver/__init__.py
+++ b/util/ipresolver/__init__.py
@@ -16,138 +16,150 @@ import requests
 
 from util.abchelpers import nooper
 
-ResolvedLocation = namedtuple('ResolvedLocation', ['provider', 'service', 'sync_token',
-                                                   'country_iso_code'])
+ResolvedLocation = namedtuple(
+    "ResolvedLocation", ["provider", "service", "sync_token", "country_iso_code"]
+)
 
-AWS_SERVICES = {'EC2', 'CODEBUILD'}
+AWS_SERVICES = {"EC2", "CODEBUILD"}
 
 logger = logging.getLogger(__name__)
 
 
 def _get_aws_ip_ranges():
-  try:
-    with open('util/ipresolver/aws-ip-ranges.json', 'r') as f:
-      return json.loads(f.read())
-  except IOError:
-    logger.exception('Could not load AWS IP Ranges')
-    return None
-  except ValueError:
-    logger.exception('Could not load AWS IP Ranges')
-    return None
-  except TypeError:
-    logger.exception('Could not load AWS IP Ranges')
-    return None
+    try:
+        with open("util/ipresolver/aws-ip-ranges.json", "r") as f:
+            return json.loads(f.read())
+    except IOError:
+        logger.exception("Could not load AWS IP Ranges")
+        return None
+    except ValueError:
+        logger.exception("Could not load AWS IP Ranges")
+        return None
+    except TypeError:
+        logger.exception("Could not load AWS IP Ranges")
+        return None
 
 
 @add_metaclass(ABCMeta)
 class IPResolverInterface(object):
-  """ Helper class for resolving information about an IP address. """
-  @abstractmethod
-  def resolve_ip(self, ip_address):
-    """ Attempts to return resolved information about the specified IP Address. If such an attempt
+    """ Helper class for resolving information about an IP address. """
+
+    @abstractmethod
+    def resolve_ip(self, ip_address):
+        """ Attempts to return resolved information about the specified IP Address. If such an attempt
         fails, returns None.
     """
-    pass
+        pass
 
-  @abstractmethod
-  def is_ip_possible_threat(self, ip_address):
-    """ Attempts to return whether the given IP address is a possible abuser or spammer.
+    @abstractmethod
+    def is_ip_possible_threat(self, ip_address):
+        """ Attempts to return whether the given IP address is a possible abuser or spammer.
         Returns False if the IP address information could not be looked up.
     """
-    pass
+        pass
 
 
 @nooper
 class NoopIPResolver(IPResolverInterface):
-  """ No-op version of the security scanner API. """
-  pass
+    """ No-op version of the security scanner API. """
+
+    pass
 
 
 class IPResolver(IPResolverInterface):
-  def __init__(self, app):
-    self.app = app
-    self.geoip_db = geoip2.database.Reader('util/ipresolver/GeoLite2-Country.mmdb')
-    self.amazon_ranges = None
-    self.sync_token = None
+    def __init__(self, app):
+        self.app = app
+        self.geoip_db = geoip2.database.Reader("util/ipresolver/GeoLite2-Country.mmdb")
+        self.amazon_ranges = None
+        self.sync_token = None
 
-    logger.info('Loading AWS IP ranges from disk')
-    aws_ip_ranges_data = _get_aws_ip_ranges()
-    if aws_ip_ranges_data is not None and aws_ip_ranges_data.get('syncToken'):
-      logger.info('Building AWS IP ranges')
-      self.amazon_ranges = IPResolver._parse_amazon_ranges(aws_ip_ranges_data)
-      self.sync_token = aws_ip_ranges_data['syncToken']
-      logger.info('Finished building AWS IP ranges')
+        logger.info("Loading AWS IP ranges from disk")
+        aws_ip_ranges_data = _get_aws_ip_ranges()
+        if aws_ip_ranges_data is not None and aws_ip_ranges_data.get("syncToken"):
+            logger.info("Building AWS IP ranges")
+            self.amazon_ranges = IPResolver._parse_amazon_ranges(aws_ip_ranges_data)
+            self.sync_token = aws_ip_ranges_data["syncToken"]
+            logger.info("Finished building AWS IP ranges")
 
-  @ttl_cache(maxsize=100, ttl=600)
-  def is_ip_possible_threat(self, ip_address):
-    if self.app.config.get('THREAT_NAMESPACE_MAXIMUM_BUILD_COUNT') is None:
-      return False
+    @ttl_cache(maxsize=100, ttl=600)
+    def is_ip_possible_threat(self, ip_address):
+        if self.app.config.get("THREAT_NAMESPACE_MAXIMUM_BUILD_COUNT") is None:
+            return False
 
-    if self.app.config.get('IP_DATA_API_KEY') is None:
-      return False
+        if self.app.config.get("IP_DATA_API_KEY") is None:
+            return False
 
-    if not ip_address:
-      return False
+        if not ip_address:
+            return False
 
-    api_key = self.app.config['IP_DATA_API_KEY']
+        api_key = self.app.config["IP_DATA_API_KEY"]
+
+        try:
+            logger.debug("Requesting IP data for IP %s", ip_address)
+            r = requests.get(
+                "https://api.ipdata.co/%s/threat?api-key=%s" % (ip_address, api_key),
+                timeout=1,
+            )
+            if r.status_code != 200:
+                logger.debug(
+                    "Got non-200 response for IP %s: %s", ip_address, r.status_code
+                )
+                return False
+
+            logger.debug(
+                "Got IP data for IP %s: %s => %s", ip_address, r.status_code, r.json()
+            )
+            threat_data = r.json()
+            return threat_data.get("is_threat", False) or threat_data.get(
+                "is_bogon", False
+            )
+        except requests.RequestException:
+            logger.exception("Got exception when trying to lookup IP Address")
+        except ValueError:
+            logger.exception("Got exception when trying to lookup IP Address")
+        except Exception:
+            logger.exception("Got exception when trying to lookup IP Address")
 
-    try:
-      logger.debug('Requesting IP data for IP %s', ip_address)
-      r = requests.get('https://api.ipdata.co/%s/threat?api-key=%s' % (ip_address, api_key),
-                       timeout=1)
-      if r.status_code != 200:
-        logger.debug('Got non-200 response for IP %s: %s', ip_address, r.status_code)
         return False
 
-      logger.debug('Got IP data for IP %s: %s => %s', ip_address, r.status_code, r.json())
-      threat_data = r.json()
-      return threat_data.get('is_threat', False) or threat_data.get('is_bogon', False)
-    except requests.RequestException:
-      logger.exception('Got exception when trying to lookup IP Address')
-    except ValueError:
-      logger.exception('Got exception when trying to lookup IP Address')
-    except Exception:
-      logger.exception('Got exception when trying to lookup IP Address')
-
-    return False
-
-  def resolve_ip(self, ip_address):
-    """ Attempts to return resolved information about the specified IP Address. If such an attempt
+    def resolve_ip(self, ip_address):
+        """ Attempts to return resolved information about the specified IP Address. If such an attempt
         fails, returns None.
     """
-    if not ip_address:
-      return None
+        if not ip_address:
+            return None
 
-    try:
-      parsed_ip = IPAddress(ip_address)
-    except AddrFormatError:
-      return ResolvedLocation('invalid_ip', None, self.sync_token, None)
+        try:
+            parsed_ip = IPAddress(ip_address)
+        except AddrFormatError:
+            return ResolvedLocation("invalid_ip", None, self.sync_token, None)
 
-    # Try geoip classification
-    try:
-      geoinfo = self.geoip_db.country(ip_address)
-    except geoip2.errors.AddressNotFoundError:
-      geoinfo = None
+        # Try geoip classification
+        try:
+            geoinfo = self.geoip_db.country(ip_address)
+        except geoip2.errors.AddressNotFoundError:
+            geoinfo = None
+
+        if self.amazon_ranges is None or parsed_ip not in self.amazon_ranges:
+            if geoinfo:
+                return ResolvedLocation(
+                    "internet",
+                    geoinfo.country.iso_code,
+                    self.sync_token,
+                    geoinfo.country.iso_code,
+                )
+
+            return ResolvedLocation("internet", None, self.sync_token, None)
 
-    if self.amazon_ranges is None or parsed_ip not in self.amazon_ranges:
-      if geoinfo:
         return ResolvedLocation(
-          'internet',
-          geoinfo.country.iso_code,
-          self.sync_token,
-          geoinfo.country.iso_code,
+            "aws", None, self.sync_token, geoinfo.country.iso_code if geoinfo else None
         )
 
-      return ResolvedLocation('internet', None, self.sync_token, None)
+    @staticmethod
+    def _parse_amazon_ranges(ranges):
+        all_amazon = IPSet()
+        for service_description in ranges["prefixes"]:
+            if service_description["service"] in AWS_SERVICES:
+                all_amazon.add(IPNetwork(service_description["ip_prefix"]))
 
-    return ResolvedLocation('aws', None, self.sync_token,
-                            geoinfo.country.iso_code if geoinfo else None)
-
-  @staticmethod
-  def _parse_amazon_ranges(ranges):
-    all_amazon = IPSet()
-    for service_description in ranges['prefixes']:
-      if service_description['service'] in AWS_SERVICES:
-        all_amazon.add(IPNetwork(service_description['ip_prefix']))
-
-    return all_amazon
+        return all_amazon
diff --git a/util/ipresolver/test/test_ipresolver.py b/util/ipresolver/test/test_ipresolver.py
index 2266ce2bc..c08d41531 100644
--- a/util/ipresolver/test/test_ipresolver.py
+++ b/util/ipresolver/test/test_ipresolver.py
@@ -5,47 +5,49 @@ from mock import patch
 from util.ipresolver import IPResolver, ResolvedLocation
 from test.fixtures import *
 
+
 @pytest.fixture()
 def test_aws_ip():
-  return '10.0.0.1'
+    return "10.0.0.1"
+
 
 @pytest.fixture()
 def aws_ip_range_data():
-  fake_range_doc = {
-    'syncToken': 123456789,
-    'prefixes': [
-      {
-        'ip_prefix': '10.0.0.0/8',
-        'region': 'GLOBAL',
-        'service': 'EC2',
-      },
-      {
-        'ip_prefix': '6.0.0.0/8',
-        'region': 'GLOBAL',
-        'service': 'EC2',
-      },
-    ],
-  }
-  return fake_range_doc
+    fake_range_doc = {
+        "syncToken": 123456789,
+        "prefixes": [
+            {"ip_prefix": "10.0.0.0/8", "region": "GLOBAL", "service": "EC2"},
+            {"ip_prefix": "6.0.0.0/8", "region": "GLOBAL", "service": "EC2"},
+        ],
+    }
+    return fake_range_doc
+
 
 @pytest.fixture()
 def test_ip_range_cache(aws_ip_range_data):
-  sync_token = aws_ip_range_data['syncToken']
-  all_amazon = IPResolver._parse_amazon_ranges(aws_ip_range_data)
-  fake_cache = {
-    'sync_token': sync_token,
-    'all_amazon': all_amazon,
-  }
-  return fake_cache
+    sync_token = aws_ip_range_data["syncToken"]
+    all_amazon = IPResolver._parse_amazon_ranges(aws_ip_range_data)
+    fake_cache = {"sync_token": sync_token, "all_amazon": all_amazon}
+    return fake_cache
 
 
 def test_resolved(aws_ip_range_data, test_ip_range_cache, test_aws_ip, app):
-  ipresolver = IPResolver(app)
-  ipresolver.amazon_ranges = test_ip_range_cache['all_amazon']
-  ipresolver.sync_token = test_ip_range_cache['sync_token']
+    ipresolver = IPResolver(app)
+    ipresolver.amazon_ranges = test_ip_range_cache["all_amazon"]
+    ipresolver.sync_token = test_ip_range_cache["sync_token"]
 
-  assert ipresolver.resolve_ip(test_aws_ip) == ResolvedLocation(provider='aws', service=None, sync_token=123456789, country_iso_code=None)
-  assert ipresolver.resolve_ip('10.0.0.2') == ResolvedLocation(provider='aws', service=None, sync_token=123456789, country_iso_code=None)
-  assert ipresolver.resolve_ip('6.0.0.2') == ResolvedLocation(provider='aws', service=None, sync_token=123456789, country_iso_code=u'US')
-  assert ipresolver.resolve_ip('1.2.3.4') == ResolvedLocation(provider='internet', service=u'US', sync_token=123456789, country_iso_code=u'US')
-  assert ipresolver.resolve_ip('127.0.0.1') == ResolvedLocation(provider='internet', service=None, sync_token=123456789, country_iso_code=None)
+    assert ipresolver.resolve_ip(test_aws_ip) == ResolvedLocation(
+        provider="aws", service=None, sync_token=123456789, country_iso_code=None
+    )
+    assert ipresolver.resolve_ip("10.0.0.2") == ResolvedLocation(
+        provider="aws", service=None, sync_token=123456789, country_iso_code=None
+    )
+    assert ipresolver.resolve_ip("6.0.0.2") == ResolvedLocation(
+        provider="aws", service=None, sync_token=123456789, country_iso_code=u"US"
+    )
+    assert ipresolver.resolve_ip("1.2.3.4") == ResolvedLocation(
+        provider="internet", service=u"US", sync_token=123456789, country_iso_code=u"US"
+    )
+    assert ipresolver.resolve_ip("127.0.0.1") == ResolvedLocation(
+        provider="internet", service=None, sync_token=123456789, country_iso_code=None
+    )
diff --git a/util/itertoolrecipes.py b/util/itertoolrecipes.py
index 1cd33386d..0b57827e3 100644
--- a/util/itertoolrecipes.py
+++ b/util/itertoolrecipes.py
@@ -2,5 +2,5 @@ from itertools import islice
 
 # From: https://docs.python.org/2/library/itertools.html
 def take(n, iterable):
-  """ Return first n items of the iterable as a list """
-  return list(islice(iterable, n))
+    """ Return first n items of the iterable as a list """
+    return list(islice(iterable, n))
diff --git a/util/jinjautil.py b/util/jinjautil.py
index 27385b55f..b3ee36a34 100644
--- a/util/jinjautil.py
+++ b/util/jinjautil.py
@@ -5,95 +5,124 @@ from jinja2 import Environment, FileSystemLoader
 
 
 def icon_path(icon_name):
-  return '%s/static/img/icons/%s.png' % (get_app_url(), icon_name)
+    return "%s/static/img/icons/%s.png" % (get_app_url(), icon_name)
+
 
 def icon_image(icon_name):
-  return  '<img src="%s" alt="%s">' % (icon_path(icon_name), icon_name)
+    return '<img src="%s" alt="%s">' % (icon_path(icon_name), icon_name)
+
 
 def team_reference(teamname):
-  avatar_html = avatar.get_mail_html(teamname, teamname, 24, 'team')
-  return "<span>%s <b>%s</b></span>" % (avatar_html, teamname)
+    avatar_html = avatar.get_mail_html(teamname, teamname, 24, "team")
+    return "<span>%s <b>%s</b></span>" % (avatar_html, teamname)
+
 
 def user_reference(username):
-  user = model.user.get_namespace_user(username)
-  if not user:
-    return username
+    user = model.user.get_namespace_user(username)
+    if not user:
+        return username
 
-  if user.robot:
-    parts = parse_robot_username(username)
-    user = model.user.get_namespace_user(parts[0])
+    if user.robot:
+        parts = parse_robot_username(username)
+        user = model.user.get_namespace_user(parts[0])
 
-    return """<span><img src="%s" alt="Robot"> <b>%s</b></span>""" % (icon_path('wrench'), username)
+        return """<span><img src="%s" alt="Robot"> <b>%s</b></span>""" % (
+            icon_path("wrench"),
+            username,
+        )
 
-  avatar_html = avatar.get_mail_html(user.username, user.email, 24,
-                                     'org' if user.organization else 'user')
+    avatar_html = avatar.get_mail_html(
+        user.username, user.email, 24, "org" if user.organization else "user"
+    )
 
-  return """
+    return """
   <span>
   %s
   <b>%s</b>
-  </span>""" % (avatar_html, username)
+  </span>""" % (
+        avatar_html,
+        username,
+    )
 
 
 def repository_tag_reference(repository_path_and_tag):
-  (repository_path, tag) = repository_path_and_tag
-  (namespace, repository) = repository_path.split('/')
-  owner = model.user.get_namespace_user(namespace)
-  if not owner:
-    return tag
+    (repository_path, tag) = repository_path_and_tag
+    (namespace, repository) = repository_path.split("/")
+    owner = model.user.get_namespace_user(namespace)
+    if not owner:
+        return tag
+
+    return """<a href="%s/repository/%s/%s?tag=%s&tab=tags">%s</a>""" % (
+        get_app_url(),
+        namespace,
+        repository,
+        tag,
+        tag,
+    )
 
-  return """<a href="%s/repository/%s/%s?tag=%s&tab=tags">%s</a>""" % (get_app_url(), namespace,
-                                                                       repository, tag, tag)
 
 def repository_reference(pair):
-  if isinstance(pair, tuple):
-    (namespace, repository) = pair
-  else:
-    pair = pair.split('/')
-    namespace = pair[0]
-    repository = pair[1]
+    if isinstance(pair, tuple):
+        (namespace, repository) = pair
+    else:
+        pair = pair.split("/")
+        namespace = pair[0]
+        repository = pair[1]
 
-  owner = model.user.get_namespace_user(namespace)
-  if not owner:
-    return "%s/%s" % (namespace, repository)
+    owner = model.user.get_namespace_user(namespace)
+    if not owner:
+        return "%s/%s" % (namespace, repository)
 
-  avatar_html = avatar.get_mail_html(owner.username, owner.email, 16,
-                                     'org' if owner.organization else 'user')
+    avatar_html = avatar.get_mail_html(
+        owner.username, owner.email, 16, "org" if owner.organization else "user"
+    )
 
-  return """
+    return """
   <span style="white-space: nowrap;">
   %s
   <a href="%s/repository/%s/%s">%s/%s</a>
   </span>
-  """ % (avatar_html, get_app_url(), namespace, repository, namespace, repository)
+  """ % (
+        avatar_html,
+        get_app_url(),
+        namespace,
+        repository,
+        namespace,
+        repository,
+    )
 
 
 def admin_reference(username):
-  user = model.user.get_user_or_org(username)
-  if not user:
-    return 'account settings'
+    user = model.user.get_user_or_org(username)
+    if not user:
+        return "account settings"
 
-  if user.organization:
-    return """
+    if user.organization:
+        return """
     <a href="%s/organization/%s?tab=settings">organization's admin setting</a>
-    """ % (get_app_url(), username)
-  else:
-    return """
+    """ % (
+            get_app_url(),
+            username,
+        )
+    else:
+        return """
     <a href="%s/user/">account settings</a>
-    """ % (get_app_url())
+    """ % (
+            get_app_url()
+        )
 
 
 def get_template_env(searchpath):
-  template_loader = FileSystemLoader(searchpath=searchpath)
-  template_env = Environment(loader=template_loader)
-  add_filters(template_env)
-  return template_env
+    template_loader = FileSystemLoader(searchpath=searchpath)
+    template_env = Environment(loader=template_loader)
+    add_filters(template_env)
+    return template_env
 
 
 def add_filters(template_env):
-  template_env.filters['icon_image'] = icon_image
-  template_env.filters['team_reference'] = team_reference
-  template_env.filters['user_reference'] = user_reference
-  template_env.filters['admin_reference'] = admin_reference
-  template_env.filters['repository_reference'] = repository_reference
-  template_env.filters['repository_tag_reference'] = repository_tag_reference
+    template_env.filters["icon_image"] = icon_image
+    template_env.filters["team_reference"] = team_reference
+    template_env.filters["user_reference"] = user_reference
+    template_env.filters["admin_reference"] = admin_reference
+    template_env.filters["repository_reference"] = repository_reference
+    template_env.filters["repository_tag_reference"] = repository_tag_reference
diff --git a/util/label_validator.py b/util/label_validator.py
index dc7f67ae1..437c08241 100644
--- a/util/label_validator.py
+++ b/util/label_validator.py
@@ -1,20 +1,24 @@
 class LabelValidator(object):
-  """ Helper class for validating that labels meet prefix requirements. """
-  def __init__(self, app):
-    self.app = app
+    """ Helper class for validating that labels meet prefix requirements. """
 
-    overridden_prefixes = app.config.get('LABEL_KEY_RESERVED_PREFIXES', [])
-    for prefix in overridden_prefixes:
-      if not prefix.endswith('.'):
-        raise Exception('Prefix "%s" in LABEL_KEY_RESERVED_PREFIXES must end in a dot', prefix)
+    def __init__(self, app):
+        self.app = app
 
-    default_prefixes = app.config.get('DEFAULT_LABEL_KEY_RESERVED_PREFIXES', [])
-    self.reserved_prefixed_set = set(default_prefixes + overridden_prefixes)
+        overridden_prefixes = app.config.get("LABEL_KEY_RESERVED_PREFIXES", [])
+        for prefix in overridden_prefixes:
+            if not prefix.endswith("."):
+                raise Exception(
+                    'Prefix "%s" in LABEL_KEY_RESERVED_PREFIXES must end in a dot',
+                    prefix,
+                )
 
-  def has_reserved_prefix(self, label_key):
-    """ Validates that the provided label key does not match any reserved prefixes. """
-    for prefix in self.reserved_prefixed_set:
-      if label_key.startswith(prefix):
-        return True
+        default_prefixes = app.config.get("DEFAULT_LABEL_KEY_RESERVED_PREFIXES", [])
+        self.reserved_prefixed_set = set(default_prefixes + overridden_prefixes)
 
-    return False
+    def has_reserved_prefix(self, label_key):
+        """ Validates that the provided label key does not match any reserved prefixes. """
+        for prefix in self.reserved_prefixed_set:
+            if label_key.startswith(prefix):
+                return True
+
+        return False
diff --git a/util/locking.py b/util/locking.py
index 1ea1eaf0e..da91c59cc 100644
--- a/util/locking.py
+++ b/util/locking.py
@@ -9,58 +9,72 @@ logger = logging.getLogger(__name__)
 
 
 class LockNotAcquiredException(Exception):
-  """ Exception raised if a GlobalLock could not be acquired. """
+    """ Exception raised if a GlobalLock could not be acquired. """
 
 
 class GlobalLock(object):
-  """ A lock object that blocks globally via Redis. Note that Redis is not considered a tier-1
+    """ A lock object that blocks globally via Redis. Note that Redis is not considered a tier-1
       service, so this lock should not be used for any critical code paths.
   """
-  def __init__(self, name, lock_ttl=600):
-    self._lock_name = name
-    self._redis_info = dict(app.config['USER_EVENTS_REDIS'])
-    self._redis_info.update({'socket_connect_timeout': 5,
-                             'socket_timeout': 5,
-                             'single_connection_client': True})
 
-    self._lock_ttl = lock_ttl
-    self._redlock = None
+    def __init__(self, name, lock_ttl=600):
+        self._lock_name = name
+        self._redis_info = dict(app.config["USER_EVENTS_REDIS"])
+        self._redis_info.update(
+            {
+                "socket_connect_timeout": 5,
+                "socket_timeout": 5,
+                "single_connection_client": True,
+            }
+        )
 
-  def __enter__(self):
-    if not self.acquire():
-      raise LockNotAcquiredException()
+        self._lock_ttl = lock_ttl
+        self._redlock = None
 
-  def __exit__(self, type, value, traceback):
-    self.release()
+    def __enter__(self):
+        if not self.acquire():
+            raise LockNotAcquiredException()
 
-  def acquire(self):
-    logger.debug('Acquiring global lock %s', self._lock_name)
-    try:
-      self._redlock = RedLock(self._lock_name, connection_details=[self._redis_info],
-                              ttl=self._lock_ttl)
-      acquired = self._redlock.acquire()
-      if not acquired:
-        logger.debug('Was unable to not acquire lock %s', self._lock_name)
-        return False
+    def __exit__(self, type, value, traceback):
+        self.release()
 
-      logger.debug('Acquired lock %s', self._lock_name)
-      return True
-    except RedLockError:
-      logger.debug('Could not acquire lock %s', self._lock_name)
-      return False
-    except RedisError as re:
-      logger.debug('Could not connect to Redis for lock %s: %s', self._lock_name, re)
-      return False
+    def acquire(self):
+        logger.debug("Acquiring global lock %s", self._lock_name)
+        try:
+            self._redlock = RedLock(
+                self._lock_name,
+                connection_details=[self._redis_info],
+                ttl=self._lock_ttl,
+            )
+            acquired = self._redlock.acquire()
+            if not acquired:
+                logger.debug("Was unable to not acquire lock %s", self._lock_name)
+                return False
 
-  def release(self):
-    if self._redlock is not None:
-      logger.debug('Releasing lock %s', self._lock_name)
-      try:
-        self._redlock.release()
-      except RedLockError:
-        logger.debug('Could not release lock %s', self._lock_name)
-      except RedisError as re:
-        logger.debug('Could not connect to Redis for releasing lock %s: %s', self._lock_name, re)
+            logger.debug("Acquired lock %s", self._lock_name)
+            return True
+        except RedLockError:
+            logger.debug("Could not acquire lock %s", self._lock_name)
+            return False
+        except RedisError as re:
+            logger.debug(
+                "Could not connect to Redis for lock %s: %s", self._lock_name, re
+            )
+            return False
 
-      logger.debug('Released lock %s', self._lock_name)
-      self._redlock = None
+    def release(self):
+        if self._redlock is not None:
+            logger.debug("Releasing lock %s", self._lock_name)
+            try:
+                self._redlock.release()
+            except RedLockError:
+                logger.debug("Could not release lock %s", self._lock_name)
+            except RedisError as re:
+                logger.debug(
+                    "Could not connect to Redis for releasing lock %s: %s",
+                    self._lock_name,
+                    re,
+                )
+
+            logger.debug("Released lock %s", self._lock_name)
+            self._redlock = None
diff --git a/util/log.py b/util/log.py
index 9bf55e25a..45e61987b 100644
--- a/util/log.py
+++ b/util/log.py
@@ -3,7 +3,7 @@ from _init import CONF_DIR
 
 
 def logfile_path(jsonfmt=False, debug=False):
-  """
+    """
     Returns the a logfileconf path following this rules:
       - conf/logging_debug_json.conf # jsonfmt=true,  debug=true
       - conf/logging_json.conf       # jsonfmt=true,  debug=false
@@ -11,20 +11,20 @@ def logfile_path(jsonfmt=False, debug=False):
       - conf/logging.conf            # jsonfmt=false, debug=false
     Can be parametrized via envvars: JSONLOG=true, DEBUGLOG=true
   """
-  _json = ""
-  _debug = ""
+    _json = ""
+    _debug = ""
 
-  if jsonfmt or os.getenv('JSONLOG', 'false').lower() == 'true':
-    _json = "_json"
+    if jsonfmt or os.getenv("JSONLOG", "false").lower() == "true":
+        _json = "_json"
 
-  if debug or os.getenv('DEBUGLOG', 'false').lower() == 'true':
-    _debug = "_debug"
+    if debug or os.getenv("DEBUGLOG", "false").lower() == "true":
+        _debug = "_debug"
 
-  return os.path.join(CONF_DIR, "logging%s%s.conf" % (_debug, _json))
+    return os.path.join(CONF_DIR, "logging%s%s.conf" % (_debug, _json))
 
 
 def filter_logs(values, filtered_fields):
-  """
+    """
     Takes a dict and a list of keys to filter.
     eg:
      with filtered_fields:
@@ -34,14 +34,14 @@ def filter_logs(values, filtered_fields):
     the returned dict is:
       {'k1': {k2: 'filtered'}, 'k3': 'some-value'}
   """
-  for field in filtered_fields:
-    cdict = values
+    for field in filtered_fields:
+        cdict = values
 
-    for key in field['key'][:-1]:
-      if key in cdict:
-        cdict = cdict[key]
+        for key in field["key"][:-1]:
+            if key in cdict:
+                cdict = cdict[key]
 
-    last_key = field['key'][-1]
+        last_key = field["key"][-1]
 
-    if last_key in cdict and cdict[last_key]:
-      cdict[last_key] = field['fn'](cdict[last_key])
+        if last_key in cdict and cdict[last_key]:
+            cdict[last_key] = field["fn"](cdict[last_key])
diff --git a/util/metrics/metricqueue.py b/util/metrics/metricqueue.py
index 30e3974a0..0a629aec4 100644
--- a/util/metrics/metricqueue.py
+++ b/util/metrics/metricqueue.py
@@ -12,199 +12,279 @@ from trollius import Return
 logger = logging.getLogger(__name__)
 
 # Buckets for the API response times.
-API_RESPONSE_TIME_BUCKETS = [.01, .025, .05, .1, .25, .5, 1.0, 2.5, 5.0]
+API_RESPONSE_TIME_BUCKETS = [0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1.0, 2.5, 5.0]
 
 # Buckets for the builder start times.
-BUILDER_START_TIME_BUCKETS = [.5, 1.0, 5.0, 10.0, 30.0, 60.0, 120.0, 180.0, 240.0, 300.0, 600.0]
+BUILDER_START_TIME_BUCKETS = [
+    0.5,
+    1.0,
+    5.0,
+    10.0,
+    30.0,
+    60.0,
+    120.0,
+    180.0,
+    240.0,
+    300.0,
+    600.0,
+]
 
 
 class MetricQueue(object):
-  """ Object to which various metrics are written, for distribution to metrics collection
+    """ Object to which various metrics are written, for distribution to metrics collection
       system(s) such as Prometheus.
   """
-  def __init__(self, prom):
-    # Define the various exported metrics.
-    self.resp_time = prom.create_histogram('response_time', 'HTTP response time in seconds',
-                                           labelnames=['endpoint'],
-                                           buckets=API_RESPONSE_TIME_BUCKETS)
-    self.resp_code = prom.create_counter('response_code', 'HTTP response code',
-                                         labelnames=['endpoint', 'code'])
-    self.non_200 = prom.create_counter('response_non200', 'Non-200 HTTP response codes',
-                                       labelnames=['endpoint'])
-    self.error_500 = prom.create_counter('response_500', '5XX HTTP response codes',
-                                         labelnames=['endpoint'])
-    self.multipart_upload_start = prom.create_counter('multipart_upload_start',
-                                                      'Multipart upload started')
-    self.multipart_upload_end = prom.create_counter('multipart_upload_end',
-                                                    'Multipart upload ends.', labelnames=['type'])
-    self.build_capacity_shortage = prom.create_gauge('build_capacity_shortage',
-                                                     'Build capacity shortage.')
-    self.builder_time_to_start = prom.create_histogram('builder_tts',
-                                                       'Time from triggering to starting a builder.',
-                                                       labelnames=['builder_type'],
-                                                       buckets=BUILDER_START_TIME_BUCKETS)
-    self.builder_time_to_build = prom.create_histogram('builder_ttb',
-                                                       'Time from triggering to actually starting a build',
-                                                       labelnames=['builder_type'],
-                                                       buckets=BUILDER_START_TIME_BUCKETS)
-    self.build_time = prom.create_histogram('build_time', 'Time spent building', labelnames=['builder_type'])
-    self.builder_fallback = prom.create_counter('builder_fallback', 'Builder fell back to secondary executor')
-    self.build_start_success = prom.create_counter('build_start_success', 'Executor succeeded in starting a build', labelnames=['builder_type'])
-    self.build_start_failure = prom.create_counter('build_start_failure', 'Executor failed to start a build', labelnames=['builder_type'])
-    self.percent_building = prom.create_gauge('build_percent_building', 'Percent building.')
-    self.build_counter = prom.create_counter('builds', 'Number of builds', labelnames=['name'])
-    self.ephemeral_build_workers = prom.create_counter('ephemeral_build_workers',
-      'Number of started ephemeral build workers')
-    self.ephemeral_build_worker_failure = prom.create_counter('ephemeral_build_worker_failure',
-      'Number of failed-to-start ephemeral build workers')
 
-    self.work_queue_running = prom.create_gauge('work_queue_running', 'Running items in a queue',
-                                                labelnames=['queue_name'])
-    self.work_queue_available = prom.create_gauge('work_queue_available',
-                                                  'Available items in a queue',
-                                                  labelnames=['queue_name'])
+    def __init__(self, prom):
+        # Define the various exported metrics.
+        self.resp_time = prom.create_histogram(
+            "response_time",
+            "HTTP response time in seconds",
+            labelnames=["endpoint"],
+            buckets=API_RESPONSE_TIME_BUCKETS,
+        )
+        self.resp_code = prom.create_counter(
+            "response_code", "HTTP response code", labelnames=["endpoint", "code"]
+        )
+        self.non_200 = prom.create_counter(
+            "response_non200", "Non-200 HTTP response codes", labelnames=["endpoint"]
+        )
+        self.error_500 = prom.create_counter(
+            "response_500", "5XX HTTP response codes", labelnames=["endpoint"]
+        )
+        self.multipart_upload_start = prom.create_counter(
+            "multipart_upload_start", "Multipart upload started"
+        )
+        self.multipart_upload_end = prom.create_counter(
+            "multipart_upload_end", "Multipart upload ends.", labelnames=["type"]
+        )
+        self.build_capacity_shortage = prom.create_gauge(
+            "build_capacity_shortage", "Build capacity shortage."
+        )
+        self.builder_time_to_start = prom.create_histogram(
+            "builder_tts",
+            "Time from triggering to starting a builder.",
+            labelnames=["builder_type"],
+            buckets=BUILDER_START_TIME_BUCKETS,
+        )
+        self.builder_time_to_build = prom.create_histogram(
+            "builder_ttb",
+            "Time from triggering to actually starting a build",
+            labelnames=["builder_type"],
+            buckets=BUILDER_START_TIME_BUCKETS,
+        )
+        self.build_time = prom.create_histogram(
+            "build_time", "Time spent building", labelnames=["builder_type"]
+        )
+        self.builder_fallback = prom.create_counter(
+            "builder_fallback", "Builder fell back to secondary executor"
+        )
+        self.build_start_success = prom.create_counter(
+            "build_start_success",
+            "Executor succeeded in starting a build",
+            labelnames=["builder_type"],
+        )
+        self.build_start_failure = prom.create_counter(
+            "build_start_failure",
+            "Executor failed to start a build",
+            labelnames=["builder_type"],
+        )
+        self.percent_building = prom.create_gauge(
+            "build_percent_building", "Percent building."
+        )
+        self.build_counter = prom.create_counter(
+            "builds", "Number of builds", labelnames=["name"]
+        )
+        self.ephemeral_build_workers = prom.create_counter(
+            "ephemeral_build_workers", "Number of started ephemeral build workers"
+        )
+        self.ephemeral_build_worker_failure = prom.create_counter(
+            "ephemeral_build_worker_failure",
+            "Number of failed-to-start ephemeral build workers",
+        )
 
-    self.work_queue_available_not_running = prom.create_gauge('work_queue_available_not_running',
-                                                              'Available items that are not yet running',
-                                                              labelnames=['queue_name'])
+        self.work_queue_running = prom.create_gauge(
+            "work_queue_running", "Running items in a queue", labelnames=["queue_name"]
+        )
+        self.work_queue_available = prom.create_gauge(
+            "work_queue_available",
+            "Available items in a queue",
+            labelnames=["queue_name"],
+        )
 
-    self.repository_pull = prom.create_counter('repository_pull', 'Repository Pull Count',
-                                               labelnames=['namespace', 'repo_name', 'protocol',
-                                                           'status'])
+        self.work_queue_available_not_running = prom.create_gauge(
+            "work_queue_available_not_running",
+            "Available items that are not yet running",
+            labelnames=["queue_name"],
+        )
 
-    self.repository_push = prom.create_counter('repository_push', 'Repository Push Count',
-                                               labelnames=['namespace', 'repo_name', 'protocol',
-                                                           'status'])
+        self.repository_pull = prom.create_counter(
+            "repository_pull",
+            "Repository Pull Count",
+            labelnames=["namespace", "repo_name", "protocol", "status"],
+        )
 
-    self.repository_build_queued = prom.create_counter('repository_build_queued',
-                                                       'Repository Build Queued Count',
-                                                       labelnames=['namespace', 'repo_name'])
+        self.repository_push = prom.create_counter(
+            "repository_push",
+            "Repository Push Count",
+            labelnames=["namespace", "repo_name", "protocol", "status"],
+        )
 
-    self.repository_build_completed = prom.create_counter('repository_build_completed',
-                                                          'Repository Build Complete Count',
-                                                          labelnames=['namespace', 'repo_name',
-                                                                      'status', 'executor'])
+        self.repository_build_queued = prom.create_counter(
+            "repository_build_queued",
+            "Repository Build Queued Count",
+            labelnames=["namespace", "repo_name"],
+        )
 
-    self.chunk_size = prom.create_histogram('chunk_size',
-                                            'Registry blob chunk size',
-                                            labelnames=['storage_region'])
+        self.repository_build_completed = prom.create_counter(
+            "repository_build_completed",
+            "Repository Build Complete Count",
+            labelnames=["namespace", "repo_name", "status", "executor"],
+        )
 
-    self.chunk_upload_time = prom.create_histogram('chunk_upload_time',
-                                                   'Registry blob chunk upload time',
-                                                   labelnames=['storage_region'])
+        self.chunk_size = prom.create_histogram(
+            "chunk_size", "Registry blob chunk size", labelnames=["storage_region"]
+        )
 
-    self.authentication_count = prom.create_counter('authentication_count',
-                                                    'Authentication count',
-                                                    labelnames=['kind', 'status'])
+        self.chunk_upload_time = prom.create_histogram(
+            "chunk_upload_time",
+            "Registry blob chunk upload time",
+            labelnames=["storage_region"],
+        )
 
-    self.repository_count = prom.create_gauge('repository_count', 'Number of repositories')
-    self.user_count = prom.create_gauge('user_count', 'Number of users')
-    self.org_count = prom.create_gauge('org_count', 'Number of Organizations')
-    self.robot_count = prom.create_gauge('robot_count', 'Number of robot accounts')
+        self.authentication_count = prom.create_counter(
+            "authentication_count",
+            "Authentication count",
+            labelnames=["kind", "status"],
+        )
 
-    self.instance_key_renewal_success = prom.create_counter('instance_key_renewal_success',
-                                                            'Instance Key Renewal Success Count',
-                                                            labelnames=['key_id'])
+        self.repository_count = prom.create_gauge(
+            "repository_count", "Number of repositories"
+        )
+        self.user_count = prom.create_gauge("user_count", "Number of users")
+        self.org_count = prom.create_gauge("org_count", "Number of Organizations")
+        self.robot_count = prom.create_gauge("robot_count", "Number of robot accounts")
 
-    self.instance_key_renewal_failure = prom.create_counter('instance_key_renewal_failure',
-                                                            'Instance Key Renewal Failure Count',
-                                                            labelnames=['key_id'])
+        self.instance_key_renewal_success = prom.create_counter(
+            "instance_key_renewal_success",
+            "Instance Key Renewal Success Count",
+            labelnames=["key_id"],
+        )
 
-    self.invalid_instance_key_count = prom.create_counter('invalid_registry_instance_key_count',
-                                                          'Invalid registry instance key count',
-                                                          labelnames=['key_id'])
+        self.instance_key_renewal_failure = prom.create_counter(
+            "instance_key_renewal_failure",
+            "Instance Key Renewal Failure Count",
+            labelnames=["key_id"],
+        )
 
-    self.verb_action_passes = prom.create_counter('verb_action_passes', 'Verb Pass Count',
-                                                  labelnames=['kind', 'pass_count'])
+        self.invalid_instance_key_count = prom.create_counter(
+            "invalid_registry_instance_key_count",
+            "Invalid registry instance key count",
+            labelnames=["key_id"],
+        )
 
-    self.push_byte_count = prom.create_counter('registry_push_byte_count',
-                                               'Number of bytes pushed to the registry')
+        self.verb_action_passes = prom.create_counter(
+            "verb_action_passes", "Verb Pass Count", labelnames=["kind", "pass_count"]
+        )
 
-    self.pull_byte_count = prom.create_counter('estimated_registry_pull_byte_count',
-                                               'Number of (estimated) bytes pulled from the registry',
-                                               labelnames=['protocol_version'])
+        self.push_byte_count = prom.create_counter(
+            "registry_push_byte_count", "Number of bytes pushed to the registry"
+        )
 
-    # Deprecated: Define an in-memory queue for reporting metrics to CloudWatch or another
-    # provider.
-    self._queue = None
+        self.pull_byte_count = prom.create_counter(
+            "estimated_registry_pull_byte_count",
+            "Number of (estimated) bytes pulled from the registry",
+            labelnames=["protocol_version"],
+        )
 
-  def enable_deprecated(self, maxsize=10000):
-    self._queue = Queue(maxsize)
+        # Deprecated: Define an in-memory queue for reporting metrics to CloudWatch or another
+        # provider.
+        self._queue = None
 
-  def put_deprecated(self, name, value, **kwargs):
-    if self._queue is None:
-      logger.debug('No metric queue %s %s %s', name, value, kwargs)
-      return
+    def enable_deprecated(self, maxsize=10000):
+        self._queue = Queue(maxsize)
 
-    try:
-      kwargs.setdefault('timestamp', datetime.datetime.now())
-      kwargs.setdefault('dimensions', {})
-      self._queue.put_nowait((name, value, kwargs))
-    except Full:
-      logger.error('Metric queue full')
+    def put_deprecated(self, name, value, **kwargs):
+        if self._queue is None:
+            logger.debug("No metric queue %s %s %s", name, value, kwargs)
+            return
 
-  def get_deprecated(self):
-    return self._queue.get()
+        try:
+            kwargs.setdefault("timestamp", datetime.datetime.now())
+            kwargs.setdefault("dimensions", {})
+            self._queue.put_nowait((name, value, kwargs))
+        except Full:
+            logger.error("Metric queue full")
 
-  def get_nowait_deprecated(self):
-    return self._queue.get_nowait()
+    def get_deprecated(self):
+        return self._queue.get()
+
+    def get_nowait_deprecated(self):
+        return self._queue.get_nowait()
 
 
 def duration_collector_async(metric, labelvalues):
-  """ Decorates a method to have its duration time logged to the metric. """
-  def decorator(func):
-    @wraps(func)
-    def wrapper(*args, **kwargs):
-      trigger_time = time.time()
-      try:
-        rv = func(*args, **kwargs)
-      except Return as e:
-        metric.Observe(time.time() - trigger_time, labelvalues=labelvalues)
-        raise e
-      return rv
-    return wrapper
-  return decorator
+    """ Decorates a method to have its duration time logged to the metric. """
+
+    def decorator(func):
+        @wraps(func)
+        def wrapper(*args, **kwargs):
+            trigger_time = time.time()
+            try:
+                rv = func(*args, **kwargs)
+            except Return as e:
+                metric.Observe(time.time() - trigger_time, labelvalues=labelvalues)
+                raise e
+            return rv
+
+        return wrapper
+
+    return decorator
 
 
 def time_decorator(name, metric_queue):
-  """ Decorates an endpoint method to have its request time logged to the metrics queue. """
-  after = _time_after_request(name, metric_queue)
-  def decorator(func):
-    @wraps(func)
-    def wrapper(*args, **kwargs):
-      _time_before_request()
-      rv = func(*args, **kwargs)
-      after(rv)
-      return rv
-    return wrapper
-  return decorator
+    """ Decorates an endpoint method to have its request time logged to the metrics queue. """
+    after = _time_after_request(name, metric_queue)
+
+    def decorator(func):
+        @wraps(func)
+        def wrapper(*args, **kwargs):
+            _time_before_request()
+            rv = func(*args, **kwargs)
+            after(rv)
+            return rv
+
+        return wrapper
+
+    return decorator
 
 
 def time_blueprint(bp, metric_queue):
-  """ Decorates a blueprint to have its request time logged to the metrics queue. """
-  bp.before_request(_time_before_request)
-  bp.after_request(_time_after_request(bp.name, metric_queue))
+    """ Decorates a blueprint to have its request time logged to the metrics queue. """
+    bp.before_request(_time_before_request)
+    bp.after_request(_time_after_request(bp.name, metric_queue))
 
 
 def _time_before_request():
-  g._request_start_time = time.time()
+    g._request_start_time = time.time()
 
 
 def _time_after_request(name, metric_queue):
-  def f(r):
-    start = getattr(g, '_request_start_time', None)
-    if start is None:
-      return r
+    def f(r):
+        start = getattr(g, "_request_start_time", None)
+        if start is None:
+            return r
 
-    dur = time.time() - start
+        dur = time.time() - start
 
-    metric_queue.resp_time.Observe(dur, labelvalues=[request.endpoint])
-    metric_queue.resp_code.Inc(labelvalues=[request.endpoint, r.status_code])
+        metric_queue.resp_time.Observe(dur, labelvalues=[request.endpoint])
+        metric_queue.resp_code.Inc(labelvalues=[request.endpoint, r.status_code])
 
-    if r.status_code >= 500:
-      metric_queue.error_500.Inc(labelvalues=[request.endpoint])
-    elif r.status_code < 200 or r.status_code >= 300:
-      metric_queue.non_200.Inc(labelvalues=[request.endpoint])
+        if r.status_code >= 500:
+            metric_queue.error_500.Inc(labelvalues=[request.endpoint])
+        elif r.status_code < 200 or r.status_code >= 300:
+            metric_queue.non_200.Inc(labelvalues=[request.endpoint])
 
-    return r
-  return f
+        return r
+
+    return f
diff --git a/util/metrics/prometheus.py b/util/metrics/prometheus.py
index 1461f143d..b14d48dab 100644
--- a/util/metrics/prometheus.py
+++ b/util/metrics/prometheus.py
@@ -14,155 +14,180 @@ QUEUE_MAX = 1000
 MAX_BATCH_SIZE = 100
 REGISTER_WAIT = datetime.timedelta(hours=1)
 
+
 class PrometheusPlugin(object):
-  """ Application plugin for reporting metrics to Prometheus. """
-  def __init__(self, app=None):
-    self.app = app
-    if app is not None:
-      self.state = self.init_app(app)
-    else:
-      self.state = None
+    """ Application plugin for reporting metrics to Prometheus. """
 
-  def init_app(self, app):
-    prom_url = app.config.get('PROMETHEUS_AGGREGATOR_URL')
-    prom_namespace = app.config.get('PROMETHEUS_NAMESPACE')
-    logger.debug('Initializing prometheus with aggregator url: %s', prom_url)
-    prometheus = Prometheus(prom_url, prom_namespace)
+    def __init__(self, app=None):
+        self.app = app
+        if app is not None:
+            self.state = self.init_app(app)
+        else:
+            self.state = None
 
-    # register extension with app
-    app.extensions = getattr(app, 'extensions', {})
-    app.extensions['prometheus'] = prometheus
-    return prometheus
+    def init_app(self, app):
+        prom_url = app.config.get("PROMETHEUS_AGGREGATOR_URL")
+        prom_namespace = app.config.get("PROMETHEUS_NAMESPACE")
+        logger.debug("Initializing prometheus with aggregator url: %s", prom_url)
+        prometheus = Prometheus(prom_url, prom_namespace)
 
-  def __getattr__(self, name):
-    return getattr(self.state, name, None)
+        # register extension with app
+        app.extensions = getattr(app, "extensions", {})
+        app.extensions["prometheus"] = prometheus
+        return prometheus
+
+    def __getattr__(self, name):
+        return getattr(self.state, name, None)
 
 
 class Prometheus(object):
-  """ Aggregator for collecting stats that are reported to Prometheus. """
-  def __init__(self, url=None, namespace=None):
-    self._metric_collectors = []
-    self._url = url
-    self._namespace = namespace or ''
+    """ Aggregator for collecting stats that are reported to Prometheus. """
 
-    if url is not None:
-      self._queue = Queue(QUEUE_MAX)
-      self._sender = _QueueSender(self._queue, url, self._metric_collectors)
-      self._sender.start()
-      logger.debug('Prometheus aggregator sending to %s', url)
-    else:
-      self._queue = None
-      logger.debug('Prometheus aggregator disabled')
+    def __init__(self, url=None, namespace=None):
+        self._metric_collectors = []
+        self._url = url
+        self._namespace = namespace or ""
 
-  def enqueue(self, call, data):
-    if not self._queue:
-      return
+        if url is not None:
+            self._queue = Queue(QUEUE_MAX)
+            self._sender = _QueueSender(self._queue, url, self._metric_collectors)
+            self._sender.start()
+            logger.debug("Prometheus aggregator sending to %s", url)
+        else:
+            self._queue = None
+            logger.debug("Prometheus aggregator disabled")
 
-    v = json.dumps({
-      'Call': call,
-      'Data': data,
-    })
+    def enqueue(self, call, data):
+        if not self._queue:
+            return
 
-    if call == 'register':
-      self._metric_collectors.append(v)
-      return
+        v = json.dumps({"Call": call, "Data": data})
 
-    try:
-      self._queue.put_nowait(v)
-    except Full:
-      # If the queue is full, it is because 1) no aggregator was enabled or 2)
-      # the aggregator is taking a long time to respond to requests. In the case
-      # of 1, it's probably enterprise mode and we don't care. In the case of 2,
-      # the response timeout error is printed inside the queue handler. In either case,
-      # we don't need to print an error here.
-      pass
+        if call == "register":
+            self._metric_collectors.append(v)
+            return
 
-  def create_gauge(self, *args, **kwargs):
-    return self._create_collector('Gauge', args, kwargs)
+        try:
+            self._queue.put_nowait(v)
+        except Full:
+            # If the queue is full, it is because 1) no aggregator was enabled or 2)
+            # the aggregator is taking a long time to respond to requests. In the case
+            # of 1, it's probably enterprise mode and we don't care. In the case of 2,
+            # the response timeout error is printed inside the queue handler. In either case,
+            # we don't need to print an error here.
+            pass
 
-  def create_counter(self, *args, **kwargs):
-    return self._create_collector('Counter', args, kwargs)
+    def create_gauge(self, *args, **kwargs):
+        return self._create_collector("Gauge", args, kwargs)
 
-  def create_summary(self, *args, **kwargs):
-    return self._create_collector('Summary', args, kwargs)
+    def create_counter(self, *args, **kwargs):
+        return self._create_collector("Counter", args, kwargs)
 
-  def create_histogram(self, *args, **kwargs):
-    return self._create_collector('Histogram', args, kwargs)
+    def create_summary(self, *args, **kwargs):
+        return self._create_collector("Summary", args, kwargs)
 
-  def create_untyped(self, *args, **kwargs):
-    return self._create_collector('Untyped', args, kwargs)
+    def create_histogram(self, *args, **kwargs):
+        return self._create_collector("Histogram", args, kwargs)
 
-  def _create_collector(self, collector_type, args, kwargs):
-    kwargs['namespace'] = kwargs.get('namespace', self._namespace)
-    return _Collector(self.enqueue, collector_type, *args, **kwargs)
+    def create_untyped(self, *args, **kwargs):
+        return self._create_collector("Untyped", args, kwargs)
+
+    def _create_collector(self, collector_type, args, kwargs):
+        kwargs["namespace"] = kwargs.get("namespace", self._namespace)
+        return _Collector(self.enqueue, collector_type, *args, **kwargs)
 
 
 class _QueueSender(Thread):
-  """ Helper class which uses a thread to asynchronously send metrics to the local Prometheus
+    """ Helper class which uses a thread to asynchronously send metrics to the local Prometheus
       aggregator. """
-  def __init__(self, queue, url, metric_collectors):
-    Thread.__init__(self)
-    self.daemon = True
-    self.next_register = datetime.datetime.now()
-    self._queue = queue
-    self._url = url
-    self._metric_collectors = metric_collectors
 
-  def run(self):
-    while True:
-      reqs = []
-      reqs.append(self._queue.get())
+    def __init__(self, queue, url, metric_collectors):
+        Thread.__init__(self)
+        self.daemon = True
+        self.next_register = datetime.datetime.now()
+        self._queue = queue
+        self._url = url
+        self._metric_collectors = metric_collectors
 
-      while len(reqs) < MAX_BATCH_SIZE:
-        try:
-          req = self._queue.get_nowait()
-          reqs.append(req)
-        except Empty:
-          break
+    def run(self):
+        while True:
+            reqs = []
+            reqs.append(self._queue.get())
 
-      try:
-        resp = requests.post(self._url + '/call', '\n'.join(reqs))
-        if resp.status_code == 500 and self.next_register <= datetime.datetime.now():
-          resp = requests.post(self._url + '/call', '\n'.join(self._metric_collectors))
-          self.next_register = datetime.datetime.now() + REGISTER_WAIT
-          logger.debug('Register returned %s for %s metrics; setting next to %s', resp.status_code,
-                       len(self._metric_collectors), self.next_register)
-        elif resp.status_code != 200:
-          logger.debug('Failed sending to prometheus: %s: %s: %s', resp.status_code, resp.text,
-                       ', '.join(reqs))
-        else:
-          logger.debug('Sent %d prometheus metrics', len(reqs))
-      except:
-        logger.exception('Failed to write to prometheus aggregator: %s', reqs)
+            while len(reqs) < MAX_BATCH_SIZE:
+                try:
+                    req = self._queue.get_nowait()
+                    reqs.append(req)
+                except Empty:
+                    break
+
+            try:
+                resp = requests.post(self._url + "/call", "\n".join(reqs))
+                if (
+                    resp.status_code == 500
+                    and self.next_register <= datetime.datetime.now()
+                ):
+                    resp = requests.post(
+                        self._url + "/call", "\n".join(self._metric_collectors)
+                    )
+                    self.next_register = datetime.datetime.now() + REGISTER_WAIT
+                    logger.debug(
+                        "Register returned %s for %s metrics; setting next to %s",
+                        resp.status_code,
+                        len(self._metric_collectors),
+                        self.next_register,
+                    )
+                elif resp.status_code != 200:
+                    logger.debug(
+                        "Failed sending to prometheus: %s: %s: %s",
+                        resp.status_code,
+                        resp.text,
+                        ", ".join(reqs),
+                    )
+                else:
+                    logger.debug("Sent %d prometheus metrics", len(reqs))
+            except:
+                logger.exception("Failed to write to prometheus aggregator: %s", reqs)
 
 
 class _Collector(object):
-  """ Collector for a Prometheus metric. """
-  def __init__(self, enqueue_method, collector_type, collector_name, collector_help,
-               namespace='', subsystem='', **kwargs):
-    self._enqueue_method = enqueue_method
-    self._base_args = {
-      'Name': collector_name,
-      'Namespace': namespace,
-      'Subsystem': subsystem,
-      'Type': collector_type,
-    }
+    """ Collector for a Prometheus metric. """
 
-    registration_params = dict(kwargs)
-    registration_params.update(self._base_args)
-    registration_params['Help'] = collector_help
+    def __init__(
+        self,
+        enqueue_method,
+        collector_type,
+        collector_name,
+        collector_help,
+        namespace="",
+        subsystem="",
+        **kwargs
+    ):
+        self._enqueue_method = enqueue_method
+        self._base_args = {
+            "Name": collector_name,
+            "Namespace": namespace,
+            "Subsystem": subsystem,
+            "Type": collector_type,
+        }
 
-    self._enqueue_method('register', registration_params)
+        registration_params = dict(kwargs)
+        registration_params.update(self._base_args)
+        registration_params["Help"] = collector_help
 
-  def __getattr__(self, method):
-    def f(value=0, labelvalues=()):
-      data = dict(self._base_args)
-      data.update({
-        'Value': value,
-        'LabelValues': [str(i) for i in labelvalues],
-        'Method': method,
-      })
+        self._enqueue_method("register", registration_params)
 
-      self._enqueue_method('put', data)
+    def __getattr__(self, method):
+        def f(value=0, labelvalues=()):
+            data = dict(self._base_args)
+            data.update(
+                {
+                    "Value": value,
+                    "LabelValues": [str(i) for i in labelvalues],
+                    "Method": method,
+                }
+            )
 
-    return f
+            self._enqueue_method("put", data)
+
+        return f
diff --git a/util/metrics/test/test_metricqueue.py b/util/metrics/test/test_metricqueue.py
index 62f1665d9..0b3d342a9 100644
--- a/util/metrics/test/test_metricqueue.py
+++ b/util/metrics/test/test_metricqueue.py
@@ -10,49 +10,55 @@ from util.metrics.metricqueue import duration_collector_async
 
 mock_histogram = Mock()
 
+
 class NonReturn(Exception):
-  pass 
+    pass
 
 
 @coroutine
 @duration_collector_async(mock_histogram, labelvalues=["testlabel"])
 def duration_decorated():
-  time.sleep(1)
-  raise Return("fin")
+    time.sleep(1)
+    raise Return("fin")
 
 
 @coroutine
 @duration_collector_async(mock_histogram, labelvalues=["testlabel"])
 def duration_decorated_error():
-  raise NonReturn("not a Return error")
+    raise NonReturn("not a Return error")
+
 
 @coroutine
 def calls_decorated():
-  yield From(duration_decorated())
+    yield From(duration_decorated())
 
 
 def test_duration_decorator():
-  loop = get_event_loop()
-  loop.run_until_complete(duration_decorated())
-  assert mock_histogram.Observe.called
-  assert 1 - mock_histogram.Observe.call_args[0][0] < 1  # duration should be close to 1s
-  assert mock_histogram.Observe.call_args[1]["labelvalues"] == ["testlabel"]
+    loop = get_event_loop()
+    loop.run_until_complete(duration_decorated())
+    assert mock_histogram.Observe.called
+    assert (
+        1 - mock_histogram.Observe.call_args[0][0] < 1
+    )  # duration should be close to 1s
+    assert mock_histogram.Observe.call_args[1]["labelvalues"] == ["testlabel"]
 
 
 def test_duration_decorator_error():
-  loop = get_event_loop()
-  mock_histogram.reset_mock()
+    loop = get_event_loop()
+    mock_histogram.reset_mock()
 
-  with pytest.raises(NonReturn):
-    loop.run_until_complete(duration_decorated_error())
-  assert not mock_histogram.Observe.called
+    with pytest.raises(NonReturn):
+        loop.run_until_complete(duration_decorated_error())
+    assert not mock_histogram.Observe.called
 
 
 def test_duration_decorator_caller():
-  mock_histogram.reset_mock()
+    mock_histogram.reset_mock()
 
-  loop = get_event_loop()
-  loop.run_until_complete(calls_decorated())
-  assert mock_histogram.Observe.called
-  assert 1 - mock_histogram.Observe.call_args[0][0] < 1  # duration should be close to 1s
-  assert mock_histogram.Observe.call_args[1]["labelvalues"] == ["testlabel"]
+    loop = get_event_loop()
+    loop.run_until_complete(calls_decorated())
+    assert mock_histogram.Observe.called
+    assert (
+        1 - mock_histogram.Observe.call_args[0][0] < 1
+    )  # duration should be close to 1s
+    assert mock_histogram.Observe.call_args[1]["labelvalues"] == ["testlabel"]
diff --git a/util/migrate/__init__.py b/util/migrate/__init__.py
index 9f72f7872..abc67cde0 100644
--- a/util/migrate/__init__.py
+++ b/util/migrate/__init__.py
@@ -1,38 +1,51 @@
 import logging
 
 from sqlalchemy.types import TypeDecorator, Text, String
-from sqlalchemy.dialects.mysql import TEXT as MySQLText, LONGTEXT, VARCHAR as MySQLString
+from sqlalchemy.dialects.mysql import (
+    TEXT as MySQLText,
+    LONGTEXT,
+    VARCHAR as MySQLString,
+)
 
 
 logger = logging.getLogger(__name__)
 
 
 class UTF8LongText(TypeDecorator):
-  """ Platform-independent UTF-8 LONGTEXT type.
+    """ Platform-independent UTF-8 LONGTEXT type.
 
   Uses MySQL's LongText with charset utf8mb4, otherwise uses TEXT, because
   other engines default to UTF-8 and have longer TEXT fields.
   """
-  impl = Text
 
-  def load_dialect_impl(self, dialect):
-    if dialect.name == 'mysql':
-      return dialect.type_descriptor(LONGTEXT(charset='utf8mb4', collation='utf8mb4_unicode_ci'))
-    else:
-      return dialect.type_descriptor(Text())
+    impl = Text
+
+    def load_dialect_impl(self, dialect):
+        if dialect.name == "mysql":
+            return dialect.type_descriptor(
+                LONGTEXT(charset="utf8mb4", collation="utf8mb4_unicode_ci")
+            )
+        else:
+            return dialect.type_descriptor(Text())
 
 
 class UTF8CharField(TypeDecorator):
-  """ Platform-independent UTF-8 Char type.
+    """ Platform-independent UTF-8 Char type.
 
   Uses MySQL's VARCHAR with charset utf8mb4, otherwise uses String, because
   other engines default to UTF-8.
   """
-  impl = String
 
-  def load_dialect_impl(self, dialect):
-    if dialect.name == 'mysql':
-      return dialect.type_descriptor(MySQLString(charset='utf8mb4', collation='utf8mb4_unicode_ci',
-                                                 length=self.impl.length))
-    else:
-      return dialect.type_descriptor(String(length=self.impl.length))
+    impl = String
+
+    def load_dialect_impl(self, dialect):
+        if dialect.name == "mysql":
+            return dialect.type_descriptor(
+                MySQLString(
+                    charset="utf8mb4",
+                    collation="utf8mb4_unicode_ci",
+                    length=self.impl.length,
+                )
+            )
+        else:
+            return dialect.type_descriptor(String(length=self.impl.length))
diff --git a/util/migrate/allocator.py b/util/migrate/allocator.py
index 44f4b59e4..0ad22d78e 100644
--- a/util/migrate/allocator.py
+++ b/util/migrate/allocator.py
@@ -10,166 +10,193 @@ logger.setLevel(logging.INFO)
 
 
 class NoAvailableKeysError(ValueError):
-  pass
+    pass
 
 
 class CompletedKeys(object):
-  def __init__(self, max_index, min_index=0):
-    self._max_index = max_index
-    self._min_index = min_index
-    self.num_remaining = max_index - min_index
-    self._slabs = RBTree()
+    def __init__(self, max_index, min_index=0):
+        self._max_index = max_index
+        self._min_index = min_index
+        self.num_remaining = max_index - min_index
+        self._slabs = RBTree()
 
-  def _get_previous_or_none(self, index):
-    try:
-      return self._slabs.floor_item(index)
-    except KeyError:
-      return None
+    def _get_previous_or_none(self, index):
+        try:
+            return self._slabs.floor_item(index)
+        except KeyError:
+            return None
 
-  def is_available(self, index):
-    logger.debug('Testing index %s', index)
-    if index >= self._max_index or index < self._min_index:
-      logger.debug('Index out of range')
-      return False
+    def is_available(self, index):
+        logger.debug("Testing index %s", index)
+        if index >= self._max_index or index < self._min_index:
+            logger.debug("Index out of range")
+            return False
 
-    try:
-      prev_start, prev_length = self._slabs.floor_item(index)
-      logger.debug('Prev range: %s-%s', prev_start, prev_start + prev_length)
-      return (prev_start + prev_length) <= index
-    except KeyError:
-      return True
+        try:
+            prev_start, prev_length = self._slabs.floor_item(index)
+            logger.debug("Prev range: %s-%s", prev_start, prev_start + prev_length)
+            return (prev_start + prev_length) <= index
+        except KeyError:
+            return True
 
-  def mark_completed(self, start_index, past_last_index):
-    logger.debug('Marking the range completed: %s-%s', start_index, past_last_index)
-    num_completed = min(past_last_index, self._max_index) - max(start_index, self._min_index)
+    def mark_completed(self, start_index, past_last_index):
+        logger.debug("Marking the range completed: %s-%s", start_index, past_last_index)
+        num_completed = min(past_last_index, self._max_index) - max(
+            start_index, self._min_index
+        )
 
-    # Find the item directly before this and see if there is overlap
-    to_discard = set()
-    try:
-      prev_start, prev_length = self._slabs.floor_item(start_index)
-      max_prev_completed = prev_start + prev_length
-      if max_prev_completed >= start_index:
-        # we are going to merge with the range before us
-        logger.debug('Merging with the prev range: %s-%s', prev_start, prev_start + prev_length)
-        to_discard.add(prev_start)
-        num_completed = max(num_completed - (max_prev_completed - start_index), 0)
-        start_index = prev_start
-        past_last_index = max(past_last_index, prev_start + prev_length)
-    except KeyError:
-      pass
+        # Find the item directly before this and see if there is overlap
+        to_discard = set()
+        try:
+            prev_start, prev_length = self._slabs.floor_item(start_index)
+            max_prev_completed = prev_start + prev_length
+            if max_prev_completed >= start_index:
+                # we are going to merge with the range before us
+                logger.debug(
+                    "Merging with the prev range: %s-%s",
+                    prev_start,
+                    prev_start + prev_length,
+                )
+                to_discard.add(prev_start)
+                num_completed = max(
+                    num_completed - (max_prev_completed - start_index), 0
+                )
+                start_index = prev_start
+                past_last_index = max(past_last_index, prev_start + prev_length)
+        except KeyError:
+            pass
 
-    # Find all keys between the start and last index and merge them into one block
-    for merge_start, merge_length in self._slabs.iter_items(start_index, past_last_index + 1):
-      if merge_start in to_discard:
-        logger.debug('Already merged with block %s-%s', merge_start, merge_start + merge_length)
-        continue
+        # Find all keys between the start and last index and merge them into one block
+        for merge_start, merge_length in self._slabs.iter_items(
+            start_index, past_last_index + 1
+        ):
+            if merge_start in to_discard:
+                logger.debug(
+                    "Already merged with block %s-%s",
+                    merge_start,
+                    merge_start + merge_length,
+                )
+                continue
 
-      candidate_next_index = merge_start + merge_length
-      logger.debug('Merging with block %s-%s', merge_start, candidate_next_index)
-      num_completed -= merge_length - max(candidate_next_index - past_last_index, 0)
-      to_discard.add(merge_start)
-      past_last_index = max(past_last_index, candidate_next_index)
+            candidate_next_index = merge_start + merge_length
+            logger.debug("Merging with block %s-%s", merge_start, candidate_next_index)
+            num_completed -= merge_length - max(
+                candidate_next_index - past_last_index, 0
+            )
+            to_discard.add(merge_start)
+            past_last_index = max(past_last_index, candidate_next_index)
 
-    # write the new block which is fully merged
-    discard = False
-    if past_last_index >= self._max_index:
-      logger.debug('Discarding block and setting new max to: %s', start_index)
-      self._max_index = start_index
-      discard = True
+        # write the new block which is fully merged
+        discard = False
+        if past_last_index >= self._max_index:
+            logger.debug("Discarding block and setting new max to: %s", start_index)
+            self._max_index = start_index
+            discard = True
 
-    if start_index <= self._min_index:
-      logger.debug('Discarding block and setting new min to: %s', past_last_index)
-      self._min_index = past_last_index
-      discard = True
+        if start_index <= self._min_index:
+            logger.debug("Discarding block and setting new min to: %s", past_last_index)
+            self._min_index = past_last_index
+            discard = True
 
-    if to_discard:
-      logger.debug('Discarding %s obsolete blocks', len(to_discard))
-      self._slabs.remove_items(to_discard)
+        if to_discard:
+            logger.debug("Discarding %s obsolete blocks", len(to_discard))
+            self._slabs.remove_items(to_discard)
 
-    if not discard:
-      logger.debug('Writing new block with range: %s-%s', start_index, past_last_index)
-      self._slabs.insert(start_index, past_last_index - start_index)
+        if not discard:
+            logger.debug(
+                "Writing new block with range: %s-%s", start_index, past_last_index
+            )
+            self._slabs.insert(start_index, past_last_index - start_index)
 
-    # Update the number of remaining items with the adjustments we've made
-    assert num_completed >= 0
-    self.num_remaining -= num_completed
-    logger.debug('Total blocks: %s', len(self._slabs))
+        # Update the number of remaining items with the adjustments we've made
+        assert num_completed >= 0
+        self.num_remaining -= num_completed
+        logger.debug("Total blocks: %s", len(self._slabs))
 
-  def get_block_start_index(self, block_size_estimate):
-    logger.debug('Total range: %s-%s', self._min_index, self._max_index)
-    if self._max_index <= self._min_index:
-      raise NoAvailableKeysError('All indexes have been marked completed')
+    def get_block_start_index(self, block_size_estimate):
+        logger.debug("Total range: %s-%s", self._min_index, self._max_index)
+        if self._max_index <= self._min_index:
+            raise NoAvailableKeysError("All indexes have been marked completed")
 
-    num_holes = len(self._slabs) + 1
-    random_hole = random.randint(0, num_holes - 1)
-    logger.debug('Selected random hole %s with %s total holes', random_hole, num_holes)
+        num_holes = len(self._slabs) + 1
+        random_hole = random.randint(0, num_holes - 1)
+        logger.debug(
+            "Selected random hole %s with %s total holes", random_hole, num_holes
+        )
 
-    hole_start = self._min_index
-    past_hole_end = self._max_index
+        hole_start = self._min_index
+        past_hole_end = self._max_index
 
-    # Now that we have picked a hole, we need to define the bounds
-    if random_hole > 0:
-      # There will be a slab before this hole, find where it ends
-      bound_entries = self._slabs.nsmallest(random_hole + 1)[-2:]
-      left_index, left_len = bound_entries[0]
-      logger.debug('Left range %s-%s', left_index, left_index + left_len)
-      hole_start = left_index + left_len
+        # Now that we have picked a hole, we need to define the bounds
+        if random_hole > 0:
+            # There will be a slab before this hole, find where it ends
+            bound_entries = self._slabs.nsmallest(random_hole + 1)[-2:]
+            left_index, left_len = bound_entries[0]
+            logger.debug("Left range %s-%s", left_index, left_index + left_len)
+            hole_start = left_index + left_len
 
-      if len(bound_entries) > 1:
-        right_index, right_len = bound_entries[1]
-        logger.debug('Right range %s-%s', right_index, right_index + right_len)
-        past_hole_end, _ = bound_entries[1]
-    elif not self._slabs.is_empty():
-      right_index, right_len = self._slabs.nsmallest(1)[0]
-      logger.debug('Right range %s-%s', right_index, right_index + right_len)
-      past_hole_end, _ = self._slabs.nsmallest(1)[0]
+            if len(bound_entries) > 1:
+                right_index, right_len = bound_entries[1]
+                logger.debug("Right range %s-%s", right_index, right_index + right_len)
+                past_hole_end, _ = bound_entries[1]
+        elif not self._slabs.is_empty():
+            right_index, right_len = self._slabs.nsmallest(1)[0]
+            logger.debug("Right range %s-%s", right_index, right_index + right_len)
+            past_hole_end, _ = self._slabs.nsmallest(1)[0]
 
-    # Now that we have our hole bounds, select a random block from [0:len - block_size_estimate]
-    logger.debug('Selecting from hole range: %s-%s', hole_start, past_hole_end)
-    rand_max_bound = max(hole_start, past_hole_end - block_size_estimate)
-    logger.debug('Rand max bound: %s', rand_max_bound)
-    return random.randint(hole_start, rand_max_bound)
+        # Now that we have our hole bounds, select a random block from [0:len - block_size_estimate]
+        logger.debug("Selecting from hole range: %s-%s", hole_start, past_hole_end)
+        rand_max_bound = max(hole_start, past_hole_end - block_size_estimate)
+        logger.debug("Rand max bound: %s", rand_max_bound)
+        return random.randint(hole_start, rand_max_bound)
 
 
 def yield_random_entries(batch_query, primary_key_field, batch_size, max_id, min_id=0):
-  """ This method will yield items from random blocks in the database. We will track metadata
+    """ This method will yield items from random blocks in the database. We will track metadata
       about which keys are available for work, and we will complete the backfill when there is no
       more work to be done. The method yields tuples of (candidate, Event), and if the work was
       already done by another worker, the caller should set the event. Batch candidates must have
       an "id" field which can be inspected.
   """
 
-  min_id = max(min_id, 0)
-  max_id = max(max_id, 1)
-  allocator = CompletedKeys(max_id + 1, min_id)
+    min_id = max(min_id, 0)
+    max_id = max(max_id, 1)
+    allocator = CompletedKeys(max_id + 1, min_id)
 
-  try:
-    while True:
-      start_index = allocator.get_block_start_index(batch_size)
-      end_index = min(start_index + batch_size, max_id + 1)
-      all_candidates = list(batch_query()
-                            .where(primary_key_field >= start_index,
-                                   primary_key_field < end_index)
-                            .order_by(primary_key_field))
+    try:
+        while True:
+            start_index = allocator.get_block_start_index(batch_size)
+            end_index = min(start_index + batch_size, max_id + 1)
+            all_candidates = list(
+                batch_query()
+                .where(primary_key_field >= start_index, primary_key_field < end_index)
+                .order_by(primary_key_field)
+            )
 
-      if len(all_candidates) == 0:
-        logger.info('No candidates, marking entire block completed %s-%s', start_index, end_index)
-        allocator.mark_completed(start_index, end_index)
-        continue
+            if len(all_candidates) == 0:
+                logger.info(
+                    "No candidates, marking entire block completed %s-%s",
+                    start_index,
+                    end_index,
+                )
+                allocator.mark_completed(start_index, end_index)
+                continue
 
-      logger.info('Found %s candidates, processing block', len(all_candidates))
-      batch_completed = 0
-      for candidate in all_candidates:
-        abort_early = Event()
-        yield candidate, abort_early, allocator.num_remaining - batch_completed
-        batch_completed += 1
-        if abort_early.is_set():
-          logger.info('Overlap with another worker, aborting')
-          break
+            logger.info("Found %s candidates, processing block", len(all_candidates))
+            batch_completed = 0
+            for candidate in all_candidates:
+                abort_early = Event()
+                yield candidate, abort_early, allocator.num_remaining - batch_completed
+                batch_completed += 1
+                if abort_early.is_set():
+                    logger.info("Overlap with another worker, aborting")
+                    break
 
-      completed_through = candidate.id + 1
-      logger.info('Marking id range as completed: %s-%s', start_index, completed_through)
-      allocator.mark_completed(start_index, completed_through)
+            completed_through = candidate.id + 1
+            logger.info(
+                "Marking id range as completed: %s-%s", start_index, completed_through
+            )
+            allocator.mark_completed(start_index, completed_through)
 
-  except NoAvailableKeysError:
-    logger.info('No more work')
+    except NoAvailableKeysError:
+        logger.info("No more work")
diff --git a/util/migrate/cleanup_old_robots.py b/util/migrate/cleanup_old_robots.py
index b94b5f1dc..3a205343f 100644
--- a/util/migrate/cleanup_old_robots.py
+++ b/util/migrate/cleanup_old_robots.py
@@ -9,46 +9,50 @@ logger.setLevel(logging.INFO)
 
 
 def cleanup_old_robots(page_size=50, force=False):
-  """ Deletes any robots that live under namespaces that no longer exist. """
-  if not force and not app.config.get('SETUP_COMPLETE', False):
-    return
+    """ Deletes any robots that live under namespaces that no longer exist. """
+    if not force and not app.config.get("SETUP_COMPLETE", False):
+        return
 
-  # Collect the robot accounts to delete.
-  page_number = 1
-  to_delete = []
-  encountered_namespaces = {}
+    # Collect the robot accounts to delete.
+    page_number = 1
+    to_delete = []
+    encountered_namespaces = {}
 
-  while True:
-    found_bots = False
-    for robot in list(User.select().where(User.robot == True).paginate(page_number, page_size)):
-      found_bots = True
-      logger.info("Checking robot %s (page %s)", robot.username, page_number)
-      parsed = parse_robot_username(robot.username)
-      if parsed is None:
-        continue
+    while True:
+        found_bots = False
+        for robot in list(
+            User.select().where(User.robot == True).paginate(page_number, page_size)
+        ):
+            found_bots = True
+            logger.info("Checking robot %s (page %s)", robot.username, page_number)
+            parsed = parse_robot_username(robot.username)
+            if parsed is None:
+                continue
 
-      namespace, _ = parsed
-      if namespace in encountered_namespaces:
-        if not encountered_namespaces[namespace]:
-          logger.info('Marking %s to be deleted', robot.username)
-          to_delete.append(robot)
-      else:
-        try:
-          User.get(username=namespace)
-          encountered_namespaces[namespace] = True
-        except User.DoesNotExist:
-          # Save the robot account for deletion.
-          logger.info('Marking %s to be deleted', robot.username)
-          to_delete.append(robot)
-          encountered_namespaces[namespace] = False
+            namespace, _ = parsed
+            if namespace in encountered_namespaces:
+                if not encountered_namespaces[namespace]:
+                    logger.info("Marking %s to be deleted", robot.username)
+                    to_delete.append(robot)
+            else:
+                try:
+                    User.get(username=namespace)
+                    encountered_namespaces[namespace] = True
+                except User.DoesNotExist:
+                    # Save the robot account for deletion.
+                    logger.info("Marking %s to be deleted", robot.username)
+                    to_delete.append(robot)
+                    encountered_namespaces[namespace] = False
 
-    if not found_bots:
-      break
+        if not found_bots:
+            break
 
-    page_number = page_number + 1
+        page_number = page_number + 1
 
-  # Cleanup any robot accounts whose corresponding namespace doesn't exist.
-  logger.info('Found %s robots to delete', len(to_delete))
-  for index, robot in enumerate(to_delete):
-    logger.info('Deleting robot %s of %s (%s)', index, len(to_delete), robot.username)
-    robot.delete_instance(recursive=True, delete_nullable=True)
+    # Cleanup any robot accounts whose corresponding namespace doesn't exist.
+    logger.info("Found %s robots to delete", len(to_delete))
+    for index, robot in enumerate(to_delete):
+        logger.info(
+            "Deleting robot %s of %s (%s)", index, len(to_delete), robot.username
+        )
+        robot.delete_instance(recursive=True, delete_nullable=True)
diff --git a/util/migrate/delete_access_tokens.py b/util/migrate/delete_access_tokens.py
index 24c1990db..2b318a419 100644
--- a/util/migrate/delete_access_tokens.py
+++ b/util/migrate/delete_access_tokens.py
@@ -10,39 +10,48 @@ logger = logging.getLogger(__name__)
 
 BATCH_SIZE = 1000
 
+
 def delete_temporary_access_tokens(older_than):
-  # Find the highest ID up to which we should delete
-  up_to_id = (AccessToken
-              .select(AccessToken.id)
-              .where(AccessToken.created < older_than)
-              .limit(1)
-              .order_by(AccessToken.id.desc())
-              .get().id)
-  logger.debug('Deleting temporary access tokens with ids lower than: %s', up_to_id)
+    # Find the highest ID up to which we should delete
+    up_to_id = (
+        AccessToken.select(AccessToken.id)
+        .where(AccessToken.created < older_than)
+        .limit(1)
+        .order_by(AccessToken.id.desc())
+        .get()
+        .id
+    )
+    logger.debug("Deleting temporary access tokens with ids lower than: %s", up_to_id)
+
+    access_tokens_in_builds = RepositoryBuild.select(
+        RepositoryBuild.access_token
+    ).distinct()
+
+    while up_to_id > 0:
+        starting_at_id = max(up_to_id - BATCH_SIZE, 0)
+        logger.debug(
+            "Deleting tokens with ids between %s and %s", starting_at_id, up_to_id
+        )
+        start_time = datetime.utcnow()
+        (
+            AccessToken.delete()
+            .where(
+                AccessToken.id >= starting_at_id,
+                AccessToken.id < up_to_id,
+                AccessToken.temporary == True,
+                ~(AccessToken.id << access_tokens_in_builds),
+            )
+            .execute()
+        )
+
+        time_to_delete = datetime.utcnow() - start_time
+
+        up_to_id -= BATCH_SIZE
+
+        logger.debug("Sleeping for %s seconds", time_to_delete.total_seconds())
+        time.sleep(time_to_delete.total_seconds())
 
 
-  access_tokens_in_builds = (RepositoryBuild.select(RepositoryBuild.access_token).distinct())
-
-  while up_to_id > 0:
-    starting_at_id = max(up_to_id - BATCH_SIZE, 0)
-    logger.debug('Deleting tokens with ids between %s and %s', starting_at_id, up_to_id)
-    start_time = datetime.utcnow()
-    (AccessToken
-     .delete()
-     .where(AccessToken.id >= starting_at_id,
-            AccessToken.id < up_to_id,
-            AccessToken.temporary == True,
-            ~(AccessToken.id << access_tokens_in_builds))
-     .execute())
-
-    time_to_delete = datetime.utcnow() - start_time
-
-    up_to_id -= BATCH_SIZE
-
-    logger.debug('Sleeping for %s seconds', time_to_delete.total_seconds())
-    time.sleep(time_to_delete.total_seconds())
-
-
-if __name__ == '__main__':
-  logging.basicConfig(level=logging.DEBUG)
-  delete_temporary_access_tokens(datetime.utcnow() - timedelta(days=2))
+if __name__ == "__main__":
+    logging.basicConfig(level=logging.DEBUG)
+    delete_temporary_access_tokens(datetime.utcnow() - timedelta(days=2))
diff --git a/util/migrate/table_ops.py b/util/migrate/table_ops.py
index 634e84287..361d9ceba 100644
--- a/util/migrate/table_ops.py
+++ b/util/migrate/table_ops.py
@@ -1,13 +1,26 @@
 def copy_table_contents(source_table, destination_table, conn):
-  if conn.engine.name == 'postgresql':
-    conn.execute('INSERT INTO "%s" SELECT * FROM "%s"' % (destination_table, source_table))
-    result = list(conn.execute('Select Max(id) from "%s"' % destination_table))[0]
-    if result[0] is not None:
-      new_start_id = result[0] + 1
-      conn.execute('ALTER SEQUENCE "%s_id_seq" RESTART WITH %s' % (destination_table, new_start_id))
-  else:
-    conn.execute("INSERT INTO `%s` SELECT * FROM `%s` WHERE 1" % (destination_table, source_table))
-    result = list(conn.execute('Select Max(id) from `%s` WHERE 1' % destination_table))[0]
-    if result[0] is not None:
-      new_start_id = result[0] + 1
-      conn.execute("ALTER TABLE `%s` AUTO_INCREMENT = %s" % (destination_table, new_start_id))
+    if conn.engine.name == "postgresql":
+        conn.execute(
+            'INSERT INTO "%s" SELECT * FROM "%s"' % (destination_table, source_table)
+        )
+        result = list(conn.execute('Select Max(id) from "%s"' % destination_table))[0]
+        if result[0] is not None:
+            new_start_id = result[0] + 1
+            conn.execute(
+                'ALTER SEQUENCE "%s_id_seq" RESTART WITH %s'
+                % (destination_table, new_start_id)
+            )
+    else:
+        conn.execute(
+            "INSERT INTO `%s` SELECT * FROM `%s` WHERE 1"
+            % (destination_table, source_table)
+        )
+        result = list(
+            conn.execute("Select Max(id) from `%s` WHERE 1" % destination_table)
+        )[0]
+        if result[0] is not None:
+            new_start_id = result[0] + 1
+            conn.execute(
+                "ALTER TABLE `%s` AUTO_INCREMENT = %s"
+                % (destination_table, new_start_id)
+            )
diff --git a/util/migrate/test/test_backfill_allocator.py b/util/migrate/test/test_backfill_allocator.py
index c7a7f4f6f..ce84edac7 100644
--- a/util/migrate/test/test_backfill_allocator.py
+++ b/util/migrate/test/test_backfill_allocator.py
@@ -3,174 +3,189 @@ import random
 import pytest
 
 from datetime import datetime, timedelta
-from util.migrate.allocator import CompletedKeys, NoAvailableKeysError, yield_random_entries
+from util.migrate.allocator import (
+    CompletedKeys,
+    NoAvailableKeysError,
+    yield_random_entries,
+)
+
 
 def test_merge_blocks_operations():
-  candidates = CompletedKeys(10)
-  assert candidates.num_remaining == 10
-  candidates.mark_completed(1, 5)
+    candidates = CompletedKeys(10)
+    assert candidates.num_remaining == 10
+    candidates.mark_completed(1, 5)
 
-  assert candidates.is_available(5)
-  assert candidates.is_available(0)
-  assert not candidates.is_available(1)
-  assert not candidates.is_available(4)
-  assert not candidates.is_available(11)
-  assert not candidates.is_available(10)
-  assert len(candidates._slabs) == 1
-  assert candidates.num_remaining == 6
+    assert candidates.is_available(5)
+    assert candidates.is_available(0)
+    assert not candidates.is_available(1)
+    assert not candidates.is_available(4)
+    assert not candidates.is_available(11)
+    assert not candidates.is_available(10)
+    assert len(candidates._slabs) == 1
+    assert candidates.num_remaining == 6
 
-  candidates.mark_completed(5, 6)
-  assert not candidates.is_available(5)
-  assert candidates.is_available(6)
-  assert len(candidates._slabs) == 1
-  assert candidates.num_remaining == 5
+    candidates.mark_completed(5, 6)
+    assert not candidates.is_available(5)
+    assert candidates.is_available(6)
+    assert len(candidates._slabs) == 1
+    assert candidates.num_remaining == 5
+
+    candidates.mark_completed(3, 8)
+    assert candidates.is_available(9)
+    assert candidates.is_available(8)
+    assert not candidates.is_available(7)
+    assert len(candidates._slabs) == 1
+    assert candidates.num_remaining == 3
 
-  candidates.mark_completed(3, 8)
-  assert candidates.is_available(9)
-  assert candidates.is_available(8)
-  assert not candidates.is_available(7)
-  assert len(candidates._slabs) == 1
-  assert candidates.num_remaining == 3
 
 def test_adjust_max():
-  candidates = CompletedKeys(10)
-  assert candidates.num_remaining == 10
-  assert len(candidates._slabs) == 0
+    candidates = CompletedKeys(10)
+    assert candidates.num_remaining == 10
+    assert len(candidates._slabs) == 0
 
-  assert candidates.is_available(9)
-  candidates.mark_completed(5, 12)
-  assert len(candidates._slabs) == 0
-  assert candidates.num_remaining == 5
+    assert candidates.is_available(9)
+    candidates.mark_completed(5, 12)
+    assert len(candidates._slabs) == 0
+    assert candidates.num_remaining == 5
+
+    assert not candidates.is_available(9)
+    assert candidates.is_available(4)
 
-  assert not candidates.is_available(9)
-  assert candidates.is_available(4)
 
 def test_adjust_min():
-  candidates = CompletedKeys(10)
-  assert candidates.num_remaining == 10
-  assert len(candidates._slabs) == 0
+    candidates = CompletedKeys(10)
+    assert candidates.num_remaining == 10
+    assert len(candidates._slabs) == 0
 
-  assert candidates.is_available(2)
-  candidates.mark_completed(0, 3)
-  assert len(candidates._slabs) == 0
-  assert candidates.num_remaining == 7
+    assert candidates.is_available(2)
+    candidates.mark_completed(0, 3)
+    assert len(candidates._slabs) == 0
+    assert candidates.num_remaining == 7
+
+    assert not candidates.is_available(2)
+    assert candidates.is_available(4)
 
-  assert not candidates.is_available(2)
-  assert candidates.is_available(4)
 
 def test_inside_block():
-  candidates = CompletedKeys(10)
-  assert candidates.num_remaining == 10
-  candidates.mark_completed(1, 8)
-  assert len(candidates._slabs) == 1
-  assert candidates.num_remaining == 3
+    candidates = CompletedKeys(10)
+    assert candidates.num_remaining == 10
+    candidates.mark_completed(1, 8)
+    assert len(candidates._slabs) == 1
+    assert candidates.num_remaining == 3
+
+    candidates.mark_completed(2, 5)
+    assert len(candidates._slabs) == 1
+    assert candidates.num_remaining == 3
+    assert not candidates.is_available(1)
+    assert not candidates.is_available(5)
 
-  candidates.mark_completed(2, 5)
-  assert len(candidates._slabs) == 1
-  assert candidates.num_remaining == 3
-  assert not candidates.is_available(1)
-  assert not candidates.is_available(5)
 
 def test_wrap_block():
-  candidates = CompletedKeys(10)
-  assert candidates.num_remaining == 10
-  candidates.mark_completed(2, 5)
-  assert len(candidates._slabs) == 1
-  assert candidates.num_remaining == 7
+    candidates = CompletedKeys(10)
+    assert candidates.num_remaining == 10
+    candidates.mark_completed(2, 5)
+    assert len(candidates._slabs) == 1
+    assert candidates.num_remaining == 7
+
+    candidates.mark_completed(1, 8)
+    assert len(candidates._slabs) == 1
+    assert candidates.num_remaining == 3
+    assert not candidates.is_available(1)
+    assert not candidates.is_available(5)
 
-  candidates.mark_completed(1, 8)
-  assert len(candidates._slabs) == 1
-  assert candidates.num_remaining == 3
-  assert not candidates.is_available(1)
-  assert not candidates.is_available(5)
 
 def test_non_contiguous():
-  candidates = CompletedKeys(10)
-  assert candidates.num_remaining == 10
+    candidates = CompletedKeys(10)
+    assert candidates.num_remaining == 10
 
-  candidates.mark_completed(1, 5)
-  assert len(candidates._slabs) == 1
-  assert candidates.num_remaining == 6
-  assert candidates.is_available(5)
-  assert candidates.is_available(6)
+    candidates.mark_completed(1, 5)
+    assert len(candidates._slabs) == 1
+    assert candidates.num_remaining == 6
+    assert candidates.is_available(5)
+    assert candidates.is_available(6)
+
+    candidates.mark_completed(6, 8)
+    assert len(candidates._slabs) == 2
+    assert candidates.num_remaining == 4
+    assert candidates.is_available(5)
+    assert not candidates.is_available(6)
 
-  candidates.mark_completed(6, 8)
-  assert len(candidates._slabs) == 2
-  assert candidates.num_remaining == 4
-  assert candidates.is_available(5)
-  assert not candidates.is_available(6)
 
 def test_big_merge():
-  candidates = CompletedKeys(10)
-  assert candidates.num_remaining == 10
+    candidates = CompletedKeys(10)
+    assert candidates.num_remaining == 10
 
-  candidates.mark_completed(1, 5)
-  assert len(candidates._slabs) == 1
-  assert candidates.num_remaining == 6
+    candidates.mark_completed(1, 5)
+    assert len(candidates._slabs) == 1
+    assert candidates.num_remaining == 6
 
-  candidates.mark_completed(6, 8)
-  assert len(candidates._slabs) == 2
-  assert candidates.num_remaining == 4
+    candidates.mark_completed(6, 8)
+    assert len(candidates._slabs) == 2
+    assert candidates.num_remaining == 4
+
+    candidates.mark_completed(5, 6)
+    assert len(candidates._slabs) == 1
+    assert candidates.num_remaining == 3
 
-  candidates.mark_completed(5, 6)
-  assert len(candidates._slabs) == 1
-  assert candidates.num_remaining == 3
 
 def test_range_limits():
-  candidates = CompletedKeys(10)
-  assert not candidates.is_available(-1)
-  assert not candidates.is_available(10)
+    candidates = CompletedKeys(10)
+    assert not candidates.is_available(-1)
+    assert not candidates.is_available(10)
+
+    assert candidates.is_available(9)
+    assert candidates.is_available(0)
 
-  assert candidates.is_available(9)
-  assert candidates.is_available(0)
 
 def test_random_saturation():
-  candidates = CompletedKeys(100)
-  with pytest.raises(NoAvailableKeysError):
-    for _ in range(101):
-      start = candidates.get_block_start_index(10)
-      assert candidates.is_available(start)
-      candidates.mark_completed(start, start + 10)
+    candidates = CompletedKeys(100)
+    with pytest.raises(NoAvailableKeysError):
+        for _ in range(101):
+            start = candidates.get_block_start_index(10)
+            assert candidates.is_available(start)
+            candidates.mark_completed(start, start + 10)
+
+    assert candidates.num_remaining == 0
 
-  assert candidates.num_remaining == 0
 
 def test_huge_dataset():
-  candidates = CompletedKeys(1024 * 1024)
-  start_time = datetime.now()
-  iterations = 0
-  with pytest.raises(NoAvailableKeysError):
-    while (datetime.now() - start_time) < timedelta(seconds=10):
-      start = candidates.get_block_start_index(1024)
-      assert candidates.is_available(start)
-      candidates.mark_completed(start, start + random.randint(512, 1024))
-      iterations += 1
+    candidates = CompletedKeys(1024 * 1024)
+    start_time = datetime.now()
+    iterations = 0
+    with pytest.raises(NoAvailableKeysError):
+        while (datetime.now() - start_time) < timedelta(seconds=10):
+            start = candidates.get_block_start_index(1024)
+            assert candidates.is_available(start)
+            candidates.mark_completed(start, start + random.randint(512, 1024))
+            iterations += 1
 
-  assert iterations > 1024
-  assert candidates.num_remaining == 0
+    assert iterations > 1024
+    assert candidates.num_remaining == 0
 
 
 class FakeQuery(object):
-  def __init__(self, result_list):
-    self._result_list = result_list
+    def __init__(self, result_list):
+        self._result_list = result_list
 
-  def limit(self, *args, **kwargs):
-    return self
+    def limit(self, *args, **kwargs):
+        return self
 
-  def where(self, *args, **kwargs):
-    return self
+    def where(self, *args, **kwargs):
+        return self
 
-  def order_by(self, *args, **kwargs):
-    return self
+    def order_by(self, *args, **kwargs):
+        return self
 
-  def __iter__(self):
-    return self._result_list.__iter__()
+    def __iter__(self):
+        return self._result_list.__iter__()
 
 
 FAKE_PK_FIELD = 10  # Must be able to compare to integers
 
-def test_no_work():
-  def create_empty_query():
-    return FakeQuery([])
 
-  for _ in yield_random_entries(create_empty_query, FAKE_PK_FIELD, 1, 10):
-    assert False, 'There should never be any actual work!'
+def test_no_work():
+    def create_empty_query():
+        return FakeQuery([])
+
+    for _ in yield_random_entries(create_empty_query, FAKE_PK_FIELD, 1, 10):
+        assert False, "There should never be any actual work!"
diff --git a/util/migrate/test/test_cleanup_old_robots.py b/util/migrate/test/test_cleanup_old_robots.py
index 3af1e1f01..c8c0e7a2a 100644
--- a/util/migrate/test/test_cleanup_old_robots.py
+++ b/util/migrate/test/test_cleanup_old_robots.py
@@ -5,39 +5,40 @@ from util.migrate.cleanup_old_robots import cleanup_old_robots
 
 from test.fixtures import *
 
+
 def test_cleanup_old_robots(initialized_db):
-  before_robot_count = User.select().where(User.robot == True).count()
-  before_user_count = User.select().count()
+    before_robot_count = User.select().where(User.robot == True).count()
+    before_user_count = User.select().count()
 
-  # Run the cleanup once, and ensure it does nothing.
-  cleanup_old_robots(force=True)
+    # Run the cleanup once, and ensure it does nothing.
+    cleanup_old_robots(force=True)
 
-  after_robot_count = User.select().where(User.robot == True).count()
-  after_user_count = User.select().count()
+    after_robot_count = User.select().where(User.robot == True).count()
+    after_user_count = User.select().count()
 
-  assert before_robot_count == after_robot_count
-  assert before_user_count == after_user_count
+    assert before_robot_count == after_robot_count
+    assert before_user_count == after_user_count
 
-  # Create some orphan robots.
-  created = set()
-  for index in range(0, 50):
-    created.add('doesnotexist+a%s' % index)
-    created.add('anothernamespace+b%s' % index)
+    # Create some orphan robots.
+    created = set()
+    for index in range(0, 50):
+        created.add("doesnotexist+a%s" % index)
+        created.add("anothernamespace+b%s" % index)
 
-    User.create(username='doesnotexist+a%s' % index, robot=True)
-    User.create(username='anothernamespace+b%s' % index, robot=True)
+        User.create(username="doesnotexist+a%s" % index, robot=True)
+        User.create(username="anothernamespace+b%s" % index, robot=True)
 
-  before_robot_count = User.select().where(User.robot == True).count()
-  before_user_count = User.select().count()
+    before_robot_count = User.select().where(User.robot == True).count()
+    before_user_count = User.select().count()
 
-  cleanup_old_robots(page_size=10, force=True)
+    cleanup_old_robots(page_size=10, force=True)
 
-  after_robot_count = User.select().where(User.robot == True).count()
-  after_user_count = User.select().count()
+    after_robot_count = User.select().where(User.robot == True).count()
+    after_user_count = User.select().count()
 
-  assert before_robot_count == after_robot_count + len(created)
-  assert before_user_count == after_user_count + len(created)
+    assert before_robot_count == after_robot_count + len(created)
+    assert before_user_count == after_user_count + len(created)
 
-  for name in created:
-    with pytest.raises(User.DoesNotExist):
-      User.get(username=name)
+    for name in created:
+        with pytest.raises(User.DoesNotExist):
+            User.get(username=name)
diff --git a/util/morecollections.py b/util/morecollections.py
index c9f5ff0cb..068dae2ec 100644
--- a/util/morecollections.py
+++ b/util/morecollections.py
@@ -1,58 +1,59 @@
 class AttrDict(dict):
-  def __init__(self, *args, **kwargs):
-    super(AttrDict, self).__init__(*args, **kwargs)
-    self.__dict__ = self
+    def __init__(self, *args, **kwargs):
+        super(AttrDict, self).__init__(*args, **kwargs)
+        self.__dict__ = self
 
-  @classmethod
-  def deep_copy(cls, attr_dict):
-    copy = AttrDict(attr_dict)
-    for key, value in copy.items():
-      if isinstance(value, AttrDict):
-        copy[key] = cls.deep_copy(value)
-    return copy
+    @classmethod
+    def deep_copy(cls, attr_dict):
+        copy = AttrDict(attr_dict)
+        for key, value in copy.items():
+            if isinstance(value, AttrDict):
+                copy[key] = cls.deep_copy(value)
+        return copy
 
 
 class FastIndexList(object):
-  """ List which keeps track of the indicies of its items in a fast manner, and allows for
+    """ List which keeps track of the indicies of its items in a fast manner, and allows for
       quick removal of items.
   """
-  def __init__(self):
-    self._list = []
-    self._index_map = {}
-    self._index_offset = 0
-    self._counter = 0
 
-  def add(self, item):
-    """ Adds an item to the index list. """
-    self._list.append(item)
-    self._index_map[item] = self._counter
-    self._counter = self._counter + 1
+    def __init__(self):
+        self._list = []
+        self._index_map = {}
+        self._index_offset = 0
+        self._counter = 0
 
-  def values(self):
-    """ Returns an iterable stream of all the values in the list. """
-    return list(self._list)
+    def add(self, item):
+        """ Adds an item to the index list. """
+        self._list.append(item)
+        self._index_map[item] = self._counter
+        self._counter = self._counter + 1
 
-  def index(self, value):
-    """ Returns the index of the given item in the list or None if none. """
-    found = self._index_map.get(value, None)
-    if found is None:
-      return None
+    def values(self):
+        """ Returns an iterable stream of all the values in the list. """
+        return list(self._list)
 
-    return found - self._index_offset
+    def index(self, value):
+        """ Returns the index of the given item in the list or None if none. """
+        found = self._index_map.get(value, None)
+        if found is None:
+            return None
 
-  def pop_until(self, index_inclusive):
-    """ Pops off any items in the list until the given index, inclusive, and returns them. """
-    values = self._list[0:index_inclusive+1]
-    for value in values:
-      self._index_map.pop(value, None)
+        return found - self._index_offset
 
-    self._index_offset = self._index_offset + index_inclusive + 1
-    self._list = self._list[index_inclusive+1:]
-    return values
+    def pop_until(self, index_inclusive):
+        """ Pops off any items in the list until the given index, inclusive, and returns them. """
+        values = self._list[0 : index_inclusive + 1]
+        for value in values:
+            self._index_map.pop(value, None)
+
+        self._index_offset = self._index_offset + index_inclusive + 1
+        self._list = self._list[index_inclusive + 1 :]
+        return values
 
 
 class IndexedStreamingDiffTracker(object):
-  """ Helper class which tracks the difference between two streams of strings,
+    """ Helper class which tracks the difference between two streams of strings,
       calling the `added` callback for strings when they are successfully verified
       as being present in the first stream and not present in the second stream.
       Unlike StreamingDiffTracker, this class expects each string value to have an
@@ -61,166 +62,172 @@ class IndexedStreamingDiffTracker(object):
       in clearing up items that we know won't be present. The `index` is *not*
       assumed to start at 0 or be contiguous, merely increasing.
   """
-  def __init__(self, reporter, result_per_stream):
-    self._reporter = reporter
-    self._reports_per_stream = result_per_stream
-    self._new_stream_finished = False
-    self._old_stream_finished = False
 
-    self._new_stream = []
-    self._old_stream = []
+    def __init__(self, reporter, result_per_stream):
+        self._reporter = reporter
+        self._reports_per_stream = result_per_stream
+        self._new_stream_finished = False
+        self._old_stream_finished = False
 
-    self._new_stream_map = {}
-    self._old_stream_map = {}
+        self._new_stream = []
+        self._old_stream = []
 
-  def push_new(self, stream_tuples):
-    """ Pushes a list of values for the `New` stream.
+        self._new_stream_map = {}
+        self._old_stream_map = {}
+
+    def push_new(self, stream_tuples):
+        """ Pushes a list of values for the `New` stream.
     """
-    stream_tuples_list = list(stream_tuples)
-    assert len(stream_tuples_list) <= self._reports_per_stream
+        stream_tuples_list = list(stream_tuples)
+        assert len(stream_tuples_list) <= self._reports_per_stream
 
-    if len(stream_tuples_list) < self._reports_per_stream:
-      self._new_stream_finished = True
+        if len(stream_tuples_list) < self._reports_per_stream:
+            self._new_stream_finished = True
 
-    for (item, index) in stream_tuples_list:
-      if self._new_stream:
-        assert index > self._new_stream[-1].index
+        for (item, index) in stream_tuples_list:
+            if self._new_stream:
+                assert index > self._new_stream[-1].index
 
-      self._new_stream_map[index] = item
-      self._new_stream.append(AttrDict(item=item, index=index))
+            self._new_stream_map[index] = item
+            self._new_stream.append(AttrDict(item=item, index=index))
 
-    self._process()
+        self._process()
 
-  def push_old(self, stream_tuples):
-    """ Pushes a list of values for the `Old` stream.
+    def push_old(self, stream_tuples):
+        """ Pushes a list of values for the `Old` stream.
     """
-    if self._new_stream_finished and not self._new_stream:
-      # Nothing more to do.
-      return
+        if self._new_stream_finished and not self._new_stream:
+            # Nothing more to do.
+            return
 
-    stream_tuples_list = list(stream_tuples)
-    assert len(stream_tuples_list) <= self._reports_per_stream
+        stream_tuples_list = list(stream_tuples)
+        assert len(stream_tuples_list) <= self._reports_per_stream
 
-    if len(stream_tuples_list) < self._reports_per_stream:
-      self._old_stream_finished = True
+        if len(stream_tuples_list) < self._reports_per_stream:
+            self._old_stream_finished = True
 
-    for (item, index) in stream_tuples:
-      if self._old_stream:
-        assert index > self._old_stream[-1].index
+        for (item, index) in stream_tuples:
+            if self._old_stream:
+                assert index > self._old_stream[-1].index
 
-      self._old_stream_map[index] = item
-      self._old_stream.append(AttrDict(item=item, index=index))
+            self._old_stream_map[index] = item
+            self._old_stream.append(AttrDict(item=item, index=index))
 
-    self._process()
+        self._process()
 
-  def done(self):
-    self._old_stream_finished = True
-    self._process()
+    def done(self):
+        self._old_stream_finished = True
+        self._process()
 
-  def _process(self):
-    # Process any new items that can be reported.
-    old_lower_bound = self._old_stream[0].index if self._old_stream else -1
-    for item_info in self._new_stream:
-      # If the new item's index <= the old_lower_bound, then we know
-      # we can check the old item map for it.
-      if item_info.index <= old_lower_bound or self._old_stream_finished:
-        if self._old_stream_map.get(item_info.index, None) is None:
-          self._reporter(item_info.item)
+    def _process(self):
+        # Process any new items that can be reported.
+        old_lower_bound = self._old_stream[0].index if self._old_stream else -1
+        for item_info in self._new_stream:
+            # If the new item's index <= the old_lower_bound, then we know
+            # we can check the old item map for it.
+            if item_info.index <= old_lower_bound or self._old_stream_finished:
+                if self._old_stream_map.get(item_info.index, None) is None:
+                    self._reporter(item_info.item)
 
-        # Remove the item from the map.
-        self._new_stream_map.pop(item_info.index, None)
+                # Remove the item from the map.
+                self._new_stream_map.pop(item_info.index, None)
 
-    # Rebuild the new stream list (faster than just removing).
-    self._new_stream = [item_info for item_info in self._new_stream
-                        if self._new_stream_map.get(item_info.index)]
+        # Rebuild the new stream list (faster than just removing).
+        self._new_stream = [
+            item_info
+            for item_info in self._new_stream
+            if self._new_stream_map.get(item_info.index)
+        ]
 
-    # Process any old items that can be removed.
-    new_lower_bound = self._new_stream[0].index if self._new_stream else -1
-    for item_info in list(self._old_stream):
-      # Any items with indexes below the new lower bound can be removed,
-      # as any comparison from the new stream was done above.
-      if item_info.index < new_lower_bound:
-        self._old_stream_map.pop(item_info.index, None)
-
-    # Rebuild the old stream list (faster than just removing).
-    self._old_stream = [item_info for item_info in self._old_stream
-                        if self._old_stream_map.get(item_info.index)]
+        # Process any old items that can be removed.
+        new_lower_bound = self._new_stream[0].index if self._new_stream else -1
+        for item_info in list(self._old_stream):
+            # Any items with indexes below the new lower bound can be removed,
+            # as any comparison from the new stream was done above.
+            if item_info.index < new_lower_bound:
+                self._old_stream_map.pop(item_info.index, None)
 
+        # Rebuild the old stream list (faster than just removing).
+        self._old_stream = [
+            item_info
+            for item_info in self._old_stream
+            if self._old_stream_map.get(item_info.index)
+        ]
 
 
 class StreamingDiffTracker(object):
-  """ Helper class which tracks the difference between two streams of strings, calling the
+    """ Helper class which tracks the difference between two streams of strings, calling the
       `added` callback for strings when they are successfully verified as being present in
       the first stream and not present in the second stream. This class requires that the
       streams of strings be consistently ordered *in some way common to both* (but the
       strings themselves do not need to be sorted).
   """
-  def __init__(self, reporter, result_per_stream):
-    self._reporter = reporter
-    self._reports_per_stream = result_per_stream
-    self._old_stream_finished = False
 
-    self._old_stream = FastIndexList()
-    self._new_stream = FastIndexList()
+    def __init__(self, reporter, result_per_stream):
+        self._reporter = reporter
+        self._reports_per_stream = result_per_stream
+        self._old_stream_finished = False
 
-  def done(self):
-    self._old_stream_finished = True
-    self.push_new([])
+        self._old_stream = FastIndexList()
+        self._new_stream = FastIndexList()
 
-  def push_new(self, stream_values):
-    """ Pushes a list of values for the `New` stream.
+    def done(self):
+        self._old_stream_finished = True
+        self.push_new([])
+
+    def push_new(self, stream_values):
+        """ Pushes a list of values for the `New` stream.
     """
 
-    # Add all the new values to the list.
-    counter = 0
-    for value in stream_values:
-      self._new_stream.add(value)
-      counter = counter + 1
+        # Add all the new values to the list.
+        counter = 0
+        for value in stream_values:
+            self._new_stream.add(value)
+            counter = counter + 1
 
-    assert counter <= self._reports_per_stream
+        assert counter <= self._reports_per_stream
+
+        # Process them all to see if anything has changed.
+        for value in self._new_stream.values():
+            old_index = self._old_stream.index(value)
+            if old_index is not None:
+                # The item is present, so we cannot report it. However, since we've reached this point,
+                # all items *before* this item in the `Old` stream are no longer necessary, so we can
+                # throw them out, along with this item.
+                self._old_stream.pop_until(old_index)
+            else:
+                # If the old stream has completely finished, then we can report, knowing no more old
+                # information will be present.
+                if self._old_stream_finished:
+                    self._reporter(value)
+                    self._new_stream.pop_until(self._new_stream.index(value))
+
+    def push_old(self, stream_values):
+        """ Pushes a stream of values for the `Old` stream.
+    """
 
-    # Process them all to see if anything has changed.
-    for value in self._new_stream.values():
-      old_index = self._old_stream.index(value)
-      if old_index is not None:
-        # The item is present, so we cannot report it. However, since we've reached this point,
-        # all items *before* this item in the `Old` stream are no longer necessary, so we can
-        # throw them out, along with this item.
-        self._old_stream.pop_until(old_index)
-      else:
-        # If the old stream has completely finished, then we can report, knowing no more old
-        # information will be present.
         if self._old_stream_finished:
-          self._reporter(value)
-          self._new_stream.pop_until(self._new_stream.index(value))
+            return
 
-  def push_old(self, stream_values):
-    """ Pushes a stream of values for the `Old` stream.
-    """
+        value_list = list(stream_values)
+        assert len(value_list) <= self._reports_per_stream
 
-    if self._old_stream_finished:
-      return
+        for value in value_list:
+            # If the value exists in the new stream somewhere, then we know that all items *before*
+            # that index in the new stream will not be in the old stream, so we can report them. We can
+            # also remove the matching `New` item, as it is clearly in both streams.
+            new_index = self._new_stream.index(value)
+            if new_index is not None:
+                # Report all items up to the current item.
+                for item in self._new_stream.pop_until(new_index - 1):
+                    self._reporter(item)
 
-    value_list = list(stream_values)
-    assert len(value_list) <= self._reports_per_stream
-
-    for value in value_list:
-      # If the value exists in the new stream somewhere, then we know that all items *before*
-      # that index in the new stream will not be in the old stream, so we can report them. We can
-      # also remove the matching `New` item, as it is clearly in both streams.
-      new_index = self._new_stream.index(value)
-      if new_index is not None:
-        # Report all items up to the current item.
-        for item in self._new_stream.pop_until(new_index - 1):
-          self._reporter(item)
-
-        # Remove the current item from the new stream.
-        self._new_stream.pop_until(0)
-      else:
-        # This item may be seen later. Add it to the old stream set.
-        self._old_stream.add(value)
-
-    # Check to see if the `Old` stream has finished.
-    if len(value_list) < self._reports_per_stream:
-      self._old_stream_finished = True
+                # Remove the current item from the new stream.
+                self._new_stream.pop_until(0)
+            else:
+                # This item may be seen later. Add it to the old stream set.
+                self._old_stream.add(value)
 
+        # Check to see if the `Old` stream has finished.
+        if len(value_list) < self._reports_per_stream:
+            self._old_stream_finished = True
diff --git a/util/names.py b/util/names.py
index b02fef9c1..b1278bd80 100644
--- a/util/names.py
+++ b/util/names.py
@@ -1,99 +1,106 @@
 import urllib
 import re
 
-import anunidecode # Don't listen to pylint's lies. This import is required for unidecode below.
+import anunidecode  # Don't listen to pylint's lies. This import is required for unidecode below.
 
 from uuid import uuid4
 
-REPOSITORY_NAME_REGEX = re.compile(r'^[\.a-zA-Z0-9_-]{1,255}$')
+REPOSITORY_NAME_REGEX = re.compile(r"^[\.a-zA-Z0-9_-]{1,255}$")
 
-VALID_TAG_PATTERN = r'[\w][\w.-]{0,127}'
-FULL_TAG_PATTERN = r'^[\w][\w.-]{0,127}$'
+VALID_TAG_PATTERN = r"[\w][\w.-]{0,127}"
+FULL_TAG_PATTERN = r"^[\w][\w.-]{0,127}$"
 
 TAG_REGEX = re.compile(FULL_TAG_PATTERN)
-TAG_ERROR = ('Invalid tag: must match [A-Za-z0-9_.-], NOT start with "." or "-", '
-             'and can contain 1-128 characters')
+TAG_ERROR = (
+    'Invalid tag: must match [A-Za-z0-9_.-], NOT start with "." or "-", '
+    "and can contain 1-128 characters"
+)
 
 
 class ImplicitLibraryNamespaceNotAllowed(Exception):
-  """ Exception raised if the implicit library namespace was specified but is
+    """ Exception raised if the implicit library namespace was specified but is
       not allowed. """
-  pass
+
+    pass
 
 
-def escape_tag(tag, default='latest'):
-  """ Escapes a Docker tag, ensuring it matches the tag regular expression. """
-  if not tag:
-    return default
+def escape_tag(tag, default="latest"):
+    """ Escapes a Docker tag, ensuring it matches the tag regular expression. """
+    if not tag:
+        return default
 
-  tag = re.sub(r'^[^\w]', '_', tag)
-  tag = re.sub(r'[^\w\.-]', '_', tag)
-  return tag[0:127]
+    tag = re.sub(r"^[^\w]", "_", tag)
+    tag = re.sub(r"[^\w\.-]", "_", tag)
+    return tag[0:127]
 
 
-def parse_namespace_repository(repository, library_namespace, include_tag=False,
-                               allow_library=True):
-  repository = repository.encode('unidecode', 'ignore')
+def parse_namespace_repository(
+    repository, library_namespace, include_tag=False, allow_library=True
+):
+    repository = repository.encode("unidecode", "ignore")
 
-  parts = repository.rstrip('/').split('/', 1)
-  if len(parts) < 2:
-    namespace = library_namespace
-    repository = parts[0]
-    if not allow_library:
-      raise ImplicitLibraryNamespaceNotAllowed()
-  else:
-    (namespace, repository) = parts
-
-  if include_tag:
-    parts = repository.split(':', 1)
+    parts = repository.rstrip("/").split("/", 1)
     if len(parts) < 2:
-      tag = 'latest'
+        namespace = library_namespace
+        repository = parts[0]
+        if not allow_library:
+            raise ImplicitLibraryNamespaceNotAllowed()
     else:
-      (repository, tag) = parts
+        (namespace, repository) = parts
 
-  repository = urllib.quote_plus(repository)
-  if include_tag:
-    return (namespace, repository, tag)
-  return (namespace, repository)
+    if include_tag:
+        parts = repository.split(":", 1)
+        if len(parts) < 2:
+            tag = "latest"
+        else:
+            (repository, tag) = parts
+
+    repository = urllib.quote_plus(repository)
+    if include_tag:
+        return (namespace, repository, tag)
+    return (namespace, repository)
 
 
 def format_robot_username(parent_username, robot_shortname):
-  return '%s+%s' % (parent_username, robot_shortname)
+    return "%s+%s" % (parent_username, robot_shortname)
 
 
 def parse_robot_username(robot_username):
-  if not '+' in robot_username:
-    return None
+    if not "+" in robot_username:
+        return None
 
-  return robot_username.split('+', 2)
+    return robot_username.split("+", 2)
 
 
 def parse_urn(urn):
-  """ Parses a URN, returning a pair that contains a list of URN
+    """ Parses a URN, returning a pair that contains a list of URN
       namespace parts, followed by the URN's unique ID.
   """
-  if not urn.startswith('urn:'):
-    return None
+    if not urn.startswith("urn:"):
+        return None
 
-  parts = urn[len('urn:'):].split(':')
-  return (parts[0:len(parts) - 1], parts[len(parts) - 1])
+    parts = urn[len("urn:") :].split(":")
+    return (parts[0 : len(parts) - 1], parts[len(parts) - 1])
 
 
 def parse_single_urn(urn):
-  """ Parses a URN, returning a pair that contains the first
+    """ Parses a URN, returning a pair that contains the first
       namespace part, followed by the URN's unique ID.
   """
-  result = parse_urn(urn)
-  if result is None or not len(result[0]):
-    return None
+    result = parse_urn(urn)
+    if result is None or not len(result[0]):
+        return None
+
+    return (result[0][0], result[1])
 
-  return (result[0][0], result[1])
 
 uuid_generator = lambda: str(uuid4())
 
 
 def urn_generator(namespace_portions, id_generator=uuid_generator):
-  prefix = 'urn:%s:' % ':'.join(namespace_portions)
-  def generate_urn():
-    return prefix + id_generator()
-  return generate_urn
+    prefix = "urn:%s:" % ":".join(namespace_portions)
+
+    def generate_urn():
+        return prefix + id_generator()
+
+    return generate_urn
diff --git a/util/pagination.py b/util/pagination.py
index 579541496..541491cc2 100644
--- a/util/pagination.py
+++ b/util/pagination.py
@@ -7,20 +7,22 @@ from util.security.crypto import encrypt_string, decrypt_string
 # TTL (in seconds) for page tokens.
 _PAGE_TOKEN_TTL = datetime.timedelta(days=2).total_seconds()
 
+
 def decrypt_page_token(token_string):
-  if token_string is None:
-    return None
+    if token_string is None:
+        return None
 
-  unencrypted = decrypt_string(token_string, app.config['PAGE_TOKEN_KEY'], ttl=_PAGE_TOKEN_TTL)
-  if unencrypted is None:
-    return None
+    unencrypted = decrypt_string(
+        token_string, app.config["PAGE_TOKEN_KEY"], ttl=_PAGE_TOKEN_TTL
+    )
+    if unencrypted is None:
+        return None
 
-  try:
-    return json.loads(unencrypted)
-  except ValueError:
-    return None
+    try:
+        return json.loads(unencrypted)
+    except ValueError:
+        return None
 
 
 def encrypt_page_token(page_token):
-  return encrypt_string(json.dumps(page_token), app.config['PAGE_TOKEN_KEY'])
-
+    return encrypt_string(json.dumps(page_token), app.config["PAGE_TOKEN_KEY"])
diff --git a/util/registry/aufs.py b/util/registry/aufs.py
index b90b2cd6f..67d2b6e1b 100644
--- a/util/registry/aufs.py
+++ b/util/registry/aufs.py
@@ -1,31 +1,34 @@
 import os
 
-AUFS_METADATA = u'.wh..wh.'
-AUFS_WHITEOUT = u'.wh.'
+AUFS_METADATA = u".wh..wh."
+AUFS_WHITEOUT = u".wh."
 AUFS_WHITEOUT_PREFIX_LENGTH = len(AUFS_WHITEOUT)
 
+
 def is_aufs_metadata(absolute):
-  """ Returns whether the given absolute references an AUFS metadata file. """
-  filename = os.path.basename(absolute)
-  return filename.startswith(AUFS_METADATA) or absolute.startswith(AUFS_METADATA)
+    """ Returns whether the given absolute references an AUFS metadata file. """
+    filename = os.path.basename(absolute)
+    return filename.startswith(AUFS_METADATA) or absolute.startswith(AUFS_METADATA)
+
 
 def get_deleted_filename(absolute):
-  """ Returns the name of the deleted file referenced by the AUFS whiteout file at
+    """ Returns the name of the deleted file referenced by the AUFS whiteout file at
       the given path or None if the file path does not reference a whiteout file.
   """
-  filename = os.path.basename(absolute)
-  if not filename.startswith(AUFS_WHITEOUT):
-    return None
+    filename = os.path.basename(absolute)
+    if not filename.startswith(AUFS_WHITEOUT):
+        return None
+
+    return filename[AUFS_WHITEOUT_PREFIX_LENGTH:]
 
-  return filename[AUFS_WHITEOUT_PREFIX_LENGTH:]
 
 def get_deleted_prefix(absolute):
-  """ Returns the path prefix of the deleted file referenced by the AUFS whiteout file at
+    """ Returns the path prefix of the deleted file referenced by the AUFS whiteout file at
      the given path or None if the file path does not reference a whiteout file.
   """
-  deleted_filename = get_deleted_filename(absolute)
-  if deleted_filename is None:
-    return None
+    deleted_filename = get_deleted_filename(absolute)
+    if deleted_filename is None:
+        return None
 
-  dirname = os.path.dirname(absolute)
-  return os.path.join('/', dirname, deleted_filename)[1:]
+    dirname = os.path.dirname(absolute)
+    return os.path.join("/", dirname, deleted_filename)[1:]
diff --git a/util/registry/dockerver.py b/util/registry/dockerver.py
index f73cd0e1f..04c6e353f 100644
--- a/util/registry/dockerver.py
+++ b/util/registry/dockerver.py
@@ -2,33 +2,34 @@ import re
 
 from semantic_version import Version
 
-_USER_AGENT_SEARCH_REGEX = re.compile(r'docker\/([0-9]+(?:\.[0-9]+){1,2})')
-_EXACT_1_5_USER_AGENT = re.compile(r'^Go 1\.1 package http$')
-_ONE_FIVE_ZERO = '1.5.0'
+_USER_AGENT_SEARCH_REGEX = re.compile(r"docker\/([0-9]+(?:\.[0-9]+){1,2})")
+_EXACT_1_5_USER_AGENT = re.compile(r"^Go 1\.1 package http$")
+_ONE_FIVE_ZERO = "1.5.0"
+
 
 def docker_version(user_agent_string):
-  """ Extract the Docker version from the user agent, taking special care to
+    """ Extract the Docker version from the user agent, taking special care to
       handle the case of a 1.5 client requesting an auth token, which sends
       a broken user agent. If we can not positively identify a version, return
       None.
       """
 
-  # First search for a well defined semver portion in the UA header.
-  found_semver = _USER_AGENT_SEARCH_REGEX.search(user_agent_string)
-  if found_semver:
-    # Docker changed their versioning scheme on Feb 17, 2017 to use date-based versioning:
-    # https://github.com/docker/docker/pull/31075
+    # First search for a well defined semver portion in the UA header.
+    found_semver = _USER_AGENT_SEARCH_REGEX.search(user_agent_string)
+    if found_semver:
+        # Docker changed their versioning scheme on Feb 17, 2017 to use date-based versioning:
+        # https://github.com/docker/docker/pull/31075
 
-    # This scheme allows for 0s to appear as prefixes in the major or minor portions of the version,
-    # which violates semver. Strip them out.
-    portions = found_semver.group(1).split('.')
-    updated_portions = [(p[:-1].lstrip('0') + p[-1]) for p in portions]
-    return Version('.'.join(updated_portions), partial=True)
+        # This scheme allows for 0s to appear as prefixes in the major or minor portions of the version,
+        # which violates semver. Strip them out.
+        portions = found_semver.group(1).split(".")
+        updated_portions = [(p[:-1].lstrip("0") + p[-1]) for p in portions]
+        return Version(".".join(updated_portions), partial=True)
 
-  # Check if we received the very specific header which represents a 1.5 request
-  # to the auth endpoints.
-  elif _EXACT_1_5_USER_AGENT.match(user_agent_string):
-    return Version(_ONE_FIVE_ZERO)
+    # Check if we received the very specific header which represents a 1.5 request
+    # to the auth endpoints.
+    elif _EXACT_1_5_USER_AGENT.match(user_agent_string):
+        return Version(_ONE_FIVE_ZERO)
 
-  else:
-    return None
+    else:
+        return None
diff --git a/util/registry/filelike.py b/util/registry/filelike.py
index 81e65ec59..7db0ec3a1 100644
--- a/util/registry/filelike.py
+++ b/util/registry/filelike.py
@@ -6,162 +6,164 @@ READ_UNTIL_END = -1
 
 
 class BaseStreamFilelike(object):
-  def __init__(self, fileobj):
-    self._fileobj = fileobj
-    self._cursor_position = 0
+    def __init__(self, fileobj):
+        self._fileobj = fileobj
+        self._cursor_position = 0
 
-  def close(self):
-    self._fileobj.close()
+    def close(self):
+        self._fileobj.close()
 
-  def read(self, size=READ_UNTIL_END):
-    buf = self._fileobj.read(size)
-    if buf is None:
-      return None
-    self._cursor_position += len(buf)
-    return buf
+    def read(self, size=READ_UNTIL_END):
+        buf = self._fileobj.read(size)
+        if buf is None:
+            return None
+        self._cursor_position += len(buf)
+        return buf
 
-  def tell(self):
-    return self._cursor_position
+    def tell(self):
+        return self._cursor_position
 
-  def seek(self, index, whence=WHENCE_ABSOLUTE):
-    num_bytes_to_ff = 0
-    if whence == WHENCE_ABSOLUTE:
-      if index < self._cursor_position:
-        raise IOError('Cannot seek backwards')
-      num_bytes_to_ff = index - self._cursor_position
+    def seek(self, index, whence=WHENCE_ABSOLUTE):
+        num_bytes_to_ff = 0
+        if whence == WHENCE_ABSOLUTE:
+            if index < self._cursor_position:
+                raise IOError("Cannot seek backwards")
+            num_bytes_to_ff = index - self._cursor_position
 
-    elif whence == WHENCE_RELATIVE:
-      if index < 0:
-        raise IOError('Cannnot seek backwards')
-      num_bytes_to_ff = index
+        elif whence == WHENCE_RELATIVE:
+            if index < 0:
+                raise IOError("Cannnot seek backwards")
+            num_bytes_to_ff = index
 
-    elif whence == WHENCE_RELATIVE_END:
-      raise IOError('Stream does not have a known end point')
+        elif whence == WHENCE_RELATIVE_END:
+            raise IOError("Stream does not have a known end point")
 
-    bytes_forward = num_bytes_to_ff
-    while num_bytes_to_ff > 0:
-      buf = self._fileobj.read(num_bytes_to_ff)
-      if not buf:
-        raise IOError('Seek past end of file')
-      num_bytes_to_ff -= len(buf)
+        bytes_forward = num_bytes_to_ff
+        while num_bytes_to_ff > 0:
+            buf = self._fileobj.read(num_bytes_to_ff)
+            if not buf:
+                raise IOError("Seek past end of file")
+            num_bytes_to_ff -= len(buf)
 
-    self._cursor_position += bytes_forward
-    return bytes_forward
+        self._cursor_position += bytes_forward
+        return bytes_forward
 
 
 class SocketReader(BaseStreamFilelike):
-  def __init__(self, fileobj):
-    super(SocketReader, self).__init__(fileobj)
-    self.handlers = []
+    def __init__(self, fileobj):
+        super(SocketReader, self).__init__(fileobj)
+        self.handlers = []
 
-  def add_handler(self, handler):
-    self.handlers.append(handler)
+    def add_handler(self, handler):
+        self.handlers.append(handler)
 
-  def read(self, size=READ_UNTIL_END):
-    buf = super(SocketReader, self).read(size)
-    for handler in self.handlers:
-      handler(buf)
-    return buf
+    def read(self, size=READ_UNTIL_END):
+        buf = super(SocketReader, self).read(size)
+        for handler in self.handlers:
+            handler(buf)
+        return buf
 
 
 def wrap_with_handler(in_fp, handler):
-  wrapper = SocketReader(in_fp)
-  wrapper.add_handler(handler)
-  return wrapper
+    wrapper = SocketReader(in_fp)
+    wrapper.add_handler(handler)
+    return wrapper
 
 
 class FilelikeStreamConcat(object):
-  """ A file-like object which concats all the file-like objects in the specified generator into
+    """ A file-like object which concats all the file-like objects in the specified generator into
       a single stream.
   """
-  def __init__(self, file_generator):
-    self._file_generator = file_generator
-    self._current_file = file_generator.next()
-    self._current_position = 0
-    self._closed = False
 
-  def tell(self):
-    return self._current_position
+    def __init__(self, file_generator):
+        self._file_generator = file_generator
+        self._current_file = file_generator.next()
+        self._current_position = 0
+        self._closed = False
 
-  def close(self):
-    self._closed = True
+    def tell(self):
+        return self._current_position
 
-  def read(self, size=READ_UNTIL_END):
-    buf = ''
-    current_size = size
+    def close(self):
+        self._closed = True
 
-    while size == READ_UNTIL_END or len(buf) < size:
-      current_buf = self._current_file.read(current_size)
-      if current_buf:
-        buf += current_buf
-        self._current_position += len(current_buf)
-        if size != READ_UNTIL_END:
-          current_size -= len(current_buf)
+    def read(self, size=READ_UNTIL_END):
+        buf = ""
+        current_size = size
 
-      else:
-        # That file was out of data, prime a new one
-        self._current_file.close()
-        try:
-          self._current_file = self._file_generator.next()
-        except StopIteration:
-          return buf
+        while size == READ_UNTIL_END or len(buf) < size:
+            current_buf = self._current_file.read(current_size)
+            if current_buf:
+                buf += current_buf
+                self._current_position += len(current_buf)
+                if size != READ_UNTIL_END:
+                    current_size -= len(current_buf)
 
-    return buf
+            else:
+                # That file was out of data, prime a new one
+                self._current_file.close()
+                try:
+                    self._current_file = self._file_generator.next()
+                except StopIteration:
+                    return buf
+
+        return buf
 
 
 class StreamSlice(BaseStreamFilelike):
-  """ A file-like object which returns a file-like object that represents a slice of the data in
+    """ A file-like object which returns a file-like object that represents a slice of the data in
       the specified file obj. All methods will act as if the slice is its own file.
   """
 
-  def __init__(self, fileobj, start_offset=0, end_offset_exclusive=READ_UNTIL_END):
-    super(StreamSlice, self).__init__(fileobj)
-    self._end_offset_exclusive = end_offset_exclusive
-    self._start_offset = start_offset
+    def __init__(self, fileobj, start_offset=0, end_offset_exclusive=READ_UNTIL_END):
+        super(StreamSlice, self).__init__(fileobj)
+        self._end_offset_exclusive = end_offset_exclusive
+        self._start_offset = start_offset
 
-    if start_offset > 0:
-      self.seek(start_offset)
+        if start_offset > 0:
+            self.seek(start_offset)
 
-  def read(self, size=READ_UNTIL_END):
-    if self._end_offset_exclusive == READ_UNTIL_END:
-      # We weren't asked to limit the end of the stream
-      return super(StreamSlice, self).read(size)
+    def read(self, size=READ_UNTIL_END):
+        if self._end_offset_exclusive == READ_UNTIL_END:
+            # We weren't asked to limit the end of the stream
+            return super(StreamSlice, self).read(size)
 
-    # Compute the max bytes to read until the end or until we reach the user requested max
-    max_bytes_to_read = self._end_offset_exclusive - super(StreamSlice, self).tell()
-    if size != READ_UNTIL_END:
-      max_bytes_to_read = min(max_bytes_to_read, size)
+        # Compute the max bytes to read until the end or until we reach the user requested max
+        max_bytes_to_read = self._end_offset_exclusive - super(StreamSlice, self).tell()
+        if size != READ_UNTIL_END:
+            max_bytes_to_read = min(max_bytes_to_read, size)
 
-    return super(StreamSlice, self).read(max_bytes_to_read)
+        return super(StreamSlice, self).read(max_bytes_to_read)
 
-  def _file_min(self, first, second):
-    if first == READ_UNTIL_END:
-      return second
+    def _file_min(self, first, second):
+        if first == READ_UNTIL_END:
+            return second
 
-    if second == READ_UNTIL_END:
-      return first
+        if second == READ_UNTIL_END:
+            return first
 
-    return min(first, second)
+        return min(first, second)
 
-  def tell(self):
-    return super(StreamSlice, self).tell() - self._start_offset
+    def tell(self):
+        return super(StreamSlice, self).tell() - self._start_offset
 
-  def seek(self, index, whence=WHENCE_ABSOLUTE):
-    index = self._file_min(self._end_offset_exclusive, index)
-    super(StreamSlice, self).seek(index, whence)
+    def seek(self, index, whence=WHENCE_ABSOLUTE):
+        index = self._file_min(self._end_offset_exclusive, index)
+        super(StreamSlice, self).seek(index, whence)
 
 
 class LimitingStream(StreamSlice):
-  """ A file-like object which mimics the specified file stream being limited to the given number
+    """ A file-like object which mimics the specified file stream being limited to the given number
       of bytes. All calls after that limit (if specified) will act as if the file has no additional
       data.
   """
-  def __init__(self, fileobj, read_limit=READ_UNTIL_END, seekable=True):
-    super(LimitingStream, self).__init__(fileobj, 0, read_limit)
-    self._seekable = seekable
-  
-  def seek(self, index, whence=WHENCE_ABSOLUTE):
-    if not self._seekable:
-      raise AttributeError
-    
-    super(LimitingStream, self).seek(index, whence)
+
+    def __init__(self, fileobj, read_limit=READ_UNTIL_END, seekable=True):
+        super(LimitingStream, self).__init__(fileobj, 0, read_limit)
+        self._seekable = seekable
+
+    def seek(self, index, whence=WHENCE_ABSOLUTE):
+        if not self._seekable:
+            raise AttributeError
+
+        super(LimitingStream, self).seek(index, whence)
diff --git a/util/registry/gzipinputstream.py b/util/registry/gzipinputstream.py
index 10dc060f1..e063811dc 100644
--- a/util/registry/gzipinputstream.py
+++ b/util/registry/gzipinputstream.py
@@ -9,7 +9,7 @@ WINDOW_BUFFER_SIZE = 16 + zlib.MAX_WBITS
 
 
 class GzipInputStream(object):
-  """
+    """
   Simple class that allow streaming reads from GZip files.
 
   Python 2.x gzip.GZipFile relies on .seek() and .tell(), so it
@@ -18,96 +18,96 @@ class GzipInputStream(object):
   Adapted from: https://gist.github.com/beaufour/4205533
   """
 
-  def __init__(self, fileobj):
-    """
+    def __init__(self, fileobj):
+        """
     Initialize with the given file-like object.
 
     @param fileobj: file-like object,
     """
-    self._file = fileobj
-    self._zip = zlib.decompressobj(WINDOW_BUFFER_SIZE)
-    self._offset = 0  # position in unzipped stream
-    self._data = ""
+        self._file = fileobj
+        self._zip = zlib.decompressobj(WINDOW_BUFFER_SIZE)
+        self._offset = 0  # position in unzipped stream
+        self._data = ""
 
-  def __fill(self, num_bytes):
-    """
+    def __fill(self, num_bytes):
+        """
     Fill the internal buffer with 'num_bytes' of data.
 
     @param num_bytes: int, number of bytes to read in (0 = everything)
     """
 
-    if not self._zip:
-      return
+        if not self._zip:
+            return
 
-    while not num_bytes or len(self._data) < num_bytes:
-      data = self._file.read(BLOCK_SIZE)
-      if not data:
-        self._data = self._data + self._zip.flush()
-        self._zip = None  # no more data
-        break
+        while not num_bytes or len(self._data) < num_bytes:
+            data = self._file.read(BLOCK_SIZE)
+            if not data:
+                self._data = self._data + self._zip.flush()
+                self._zip = None  # no more data
+                break
 
-      self._data = self._data + self._zip.decompress(data)
+            self._data = self._data + self._zip.decompress(data)
 
-  def __iter__(self):
-    return self
+    def __iter__(self):
+        return self
 
-  def seek(self, offset, whence=0):
-    if whence == 0:
-      position = offset
-    elif whence == 1:
-      position = self._offset + offset
-    else:
-      raise IOError("Illegal argument")
+    def seek(self, offset, whence=0):
+        if whence == 0:
+            position = offset
+        elif whence == 1:
+            position = self._offset + offset
+        else:
+            raise IOError("Illegal argument")
 
-    if position < self._offset:
-      raise IOError("Cannot seek backwards")
+        if position < self._offset:
+            raise IOError("Cannot seek backwards")
 
-    # skip forward, in blocks
-    while position > self._offset:
-      if not self.read(min(position - self._offset, BLOCK_SIZE)):
-        break
+        # skip forward, in blocks
+        while position > self._offset:
+            if not self.read(min(position - self._offset, BLOCK_SIZE)):
+                break
 
-  def tell(self):
-    return self._offset
+    def tell(self):
+        return self._offset
 
-  def read(self, size=0):
-    self.__fill(size)
-    if size:
-      data = self._data[:size]
-      self._data = self._data[size:]
-    else:
-      data = self._data
-      self._data = ""
+    def read(self, size=0):
+        self.__fill(size)
+        if size:
+            data = self._data[:size]
+            self._data = self._data[size:]
+        else:
+            data = self._data
+            self._data = ""
 
-    self._offset = self._offset + len(data)
-    return data
+        self._offset = self._offset + len(data)
+        return data
 
-  def next(self):
-    line = self.readline()
-    if not line:
-      raise StopIteration()
-    return line
+    def next(self):
+        line = self.readline()
+        if not line:
+            raise StopIteration()
+        return line
 
-  def readline(self):
-    # make sure we have an entire line
-    while self._zip and "\n" not in self._data:
-      self.__fill(len(self._data) + 512)
+    def readline(self):
+        # make sure we have an entire line
+        while self._zip and "\n" not in self._data:
+            self.__fill(len(self._data) + 512)
 
-    pos = string.find(self._data, "\n") + 1
-    if pos <= 0:
-      return self.read()
+        pos = string.find(self._data, "\n") + 1
+        if pos <= 0:
+            return self.read()
 
-    return self.read(pos)
+        return self.read(pos)
 
-  def readlines(self):
-    lines = []
-    while True:
-      line = self.readline()
-      if not line:
-        break
+    def readlines(self):
+        lines = []
+        while True:
+            line = self.readline()
+            if not line:
+                break
 
-      lines.append(line)
-    return lines
+            lines.append(line)
+        return lines
 
-  def close(self):
-    self._file.close()
+    def close(self):
+        self._file.close()
diff --git a/util/registry/gzipstream.py b/util/registry/gzipstream.py
index 3a3f28542..026ae8edb 100644
--- a/util/registry/gzipstream.py
+++ b/util/registry/gzipstream.py
@@ -12,42 +12,46 @@ ZLIB_GZIP_WINDOW = zlib.MAX_WBITS | 32
 
 CHUNK_SIZE = 5 * 1024 * 1024
 
+
 class SizeInfo(object):
-  def __init__(self):
-    self.uncompressed_size = 0
-    self.compressed_size = 0
-    self.is_valid = True
+    def __init__(self):
+        self.uncompressed_size = 0
+        self.compressed_size = 0
+        self.is_valid = True
+
 
 def calculate_size_handler():
-  """ Returns an object and a SocketReader handler. The handler will gunzip the data it receives,
+    """ Returns an object and a SocketReader handler. The handler will gunzip the data it receives,
       adding the size found to the object.
   """
 
-  size_info = SizeInfo()
-  decompressor = zlib.decompressobj(ZLIB_GZIP_WINDOW)
+    size_info = SizeInfo()
+    decompressor = zlib.decompressobj(ZLIB_GZIP_WINDOW)
 
-  def fn(buf):
-    if not size_info.is_valid:
-      return
+    def fn(buf):
+        if not size_info.is_valid:
+            return
 
-    # Note: We set a maximum CHUNK_SIZE to prevent the decompress from taking too much
-    # memory. As a result, we have to loop until the unconsumed tail is empty.
-    current_data = buf
-    size_info.compressed_size += len(current_data)
+        # Note: We set a maximum CHUNK_SIZE to prevent the decompress from taking too much
+        # memory. As a result, we have to loop until the unconsumed tail is empty.
+        current_data = buf
+        size_info.compressed_size += len(current_data)
 
-    while len(current_data) > 0:
-      try:
-        size_info.uncompressed_size += len(decompressor.decompress(current_data, CHUNK_SIZE))
-      except:
-        # The gzip stream is not valid for some reason.
-        size_info.uncompressed_size = None
-        size_info.is_valid = False
-        return
+        while len(current_data) > 0:
+            try:
+                size_info.uncompressed_size += len(
+                    decompressor.decompress(current_data, CHUNK_SIZE)
+                )
+            except:
+                # The gzip stream is not valid for some reason.
+                size_info.uncompressed_size = None
+                size_info.is_valid = False
+                return
 
-      current_data = decompressor.unconsumed_tail
+            current_data = decompressor.unconsumed_tail
 
-      # Make sure we allow the scheduler to do other work if we get stuck in this tight loop.
-      if len(current_data) > 0:
-        time.sleep(0)
+            # Make sure we allow the scheduler to do other work if we get stuck in this tight loop.
+            if len(current_data) > 0:
+                time.sleep(0)
 
-  return size_info, fn
+    return size_info, fn
diff --git a/util/registry/gzipwrap.py b/util/registry/gzipwrap.py
index cf1c5d423..3c538488e 100644
--- a/util/registry/gzipwrap.py
+++ b/util/registry/gzipwrap.py
@@ -3,57 +3,62 @@ from gzip import GzipFile
 # 256K buffer to Gzip
 GZIP_BUFFER_SIZE = 1024 * 256
 
+
 class GzipWrap(object):
-  def __init__(self, input, filename=None, compresslevel=1):
-    self.input = iter(input)
-    self.buffer = ''
-    self.zipper = GzipFile(filename, mode='wb', fileobj=self, compresslevel=compresslevel, mtime=0)
-    self.is_done = False
+    def __init__(self, input, filename=None, compresslevel=1):
+        self.input = iter(input)
+        self.buffer = ""
+        self.zipper = GzipFile(
+            filename, mode="wb", fileobj=self, compresslevel=compresslevel, mtime=0
+        )
+        self.is_done = False
 
-  def read(self, size=-1):
-    if size is None or size < 0:
-      raise Exception('Call to GzipWrap with unbound size will result in poor performance')
+    def read(self, size=-1):
+        if size is None or size < 0:
+            raise Exception(
+                "Call to GzipWrap with unbound size will result in poor performance"
+            )
 
-    # If the buffer already has enough bytes, then simply pop them off of
-    # the beginning and return them.
-    if len(self.buffer) >= size or self.is_done:
-      ret = self.buffer[0:size]
-      self.buffer = self.buffer[size:]
-      return ret
+        # If the buffer already has enough bytes, then simply pop them off of
+        # the beginning and return them.
+        if len(self.buffer) >= size or self.is_done:
+            ret = self.buffer[0:size]
+            self.buffer = self.buffer[size:]
+            return ret
 
-    # Otherwise, zip the input until we have enough bytes.
-    while True:
-      # Attempt to retrieve the next bytes to write.
-      is_done = False
+        # Otherwise, zip the input until we have enough bytes.
+        while True:
+            # Attempt to retrieve the next bytes to write.
+            is_done = False
 
-      input_size = 0
-      input_buffer = ''
-      while input_size < GZIP_BUFFER_SIZE:
-        try:
-          s = self.input.next()
-          input_buffer += s
-          input_size = input_size + len(s)
-        except StopIteration:
-          is_done = True
-          break
+            input_size = 0
+            input_buffer = ""
+            while input_size < GZIP_BUFFER_SIZE:
+                try:
+                    s = self.input.next()
+                    input_buffer += s
+                    input_size = input_size + len(s)
+                except StopIteration:
+                    is_done = True
+                    break
 
-      self.zipper.write(input_buffer)
+            self.zipper.write(input_buffer)
 
-      if is_done:
-        self.zipper.flush()
-        self.zipper.close()
-        self.is_done = True
+            if is_done:
+                self.zipper.flush()
+                self.zipper.close()
+                self.is_done = True
 
-      if len(self.buffer) >= size or is_done:
-        ret = self.buffer[0:size]
-        self.buffer = self.buffer[size:]
-        return ret
+            if len(self.buffer) >= size or is_done:
+                ret = self.buffer[0:size]
+                self.buffer = self.buffer[size:]
+                return ret
 
-  def flush(self):
-    pass
+    def flush(self):
+        pass
 
-  def write(self, data):
-    self.buffer += data
+    def write(self, data):
+        self.buffer += data
 
-  def close(self):
-    self.input.close()
+    def close(self):
+        self.input.close()
diff --git a/util/registry/queuefile.py b/util/registry/queuefile.py
index 3f0dc32ce..a68c87480 100644
--- a/util/registry/queuefile.py
+++ b/util/registry/queuefile.py
@@ -1,76 +1,77 @@
 class QueueFile(object):
-  """ Class which implements a file-like interface and reads QueueResult's from a blocking
+    """ Class which implements a file-like interface and reads QueueResult's from a blocking
       multiprocessing queue.
   """
-  def __init__(self, queue, name=None):
-    self._queue = queue
-    self._closed = False
-    self._done = False
-    self._buffer = ''
-    self._total_size = 0
-    self._name = name
-    self.raised_exception = False
-    self._exception_handlers = []
 
-  def add_exception_handler(self, handler):
-    self._exception_handlers.append(handler)
+    def __init__(self, queue, name=None):
+        self._queue = queue
+        self._closed = False
+        self._done = False
+        self._buffer = ""
+        self._total_size = 0
+        self._name = name
+        self.raised_exception = False
+        self._exception_handlers = []
 
-  def read(self, size=-1):
-    # If the queuefile was closed or we have finished, send back any remaining data.
-    if self._closed or self._done:
-      if size == -1:
-        buf = self._buffer
-        self._buffer = ''
+    def add_exception_handler(self, handler):
+        self._exception_handlers.append(handler)
+
+    def read(self, size=-1):
+        # If the queuefile was closed or we have finished, send back any remaining data.
+        if self._closed or self._done:
+            if size == -1:
+                buf = self._buffer
+                self._buffer = ""
+                return buf
+
+            buf = self._buffer[0:size]
+            self._buffer = self._buffer[size:]
+            return buf
+
+        # Loop until we reach the requested data size (or forever if all data was requested).
+        while (len(self._buffer) < size) or (size == -1):
+            result = self._queue.get(block=True)
+
+            # Check for any exceptions raised by the queue process.
+            if result.exception is not None:
+                self._closed = True
+                self.raised_exception = True
+
+                # Fire off the exception to any registered handlers. If no handlers were registered,
+                # then raise the exception locally.
+                handled = False
+                for handler in self._exception_handlers:
+                    handler(result.exception)
+                    handled = True
+
+                if handled:
+                    return ""
+                else:
+                    raise result.exception
+
+            # Check for no further data. If the QueueProcess has finished producing data, then break
+            # out of the loop to return the data already acquired.
+            if result.data is None:
+                self._done = True
+                break
+
+            # Add the data to the buffer.
+            self._buffer += result.data
+            self._total_size += len(result.data)
+
+        # Return the requested slice of the buffer.
+        if size == -1:
+            buf = self._buffer
+            self._buffer = ""
+            return buf
+
+        buf = self._buffer[0:size]
+        self._buffer = self._buffer[size:]
         return buf
 
-      buf = self._buffer[0:size]
-      self._buffer = self._buffer[size:]
-      return buf
+    def flush(self):
+        # Purposefully not implemented.
+        pass
 
-    # Loop until we reach the requested data size (or forever if all data was requested).
-    while (len(self._buffer) < size) or (size == -1):
-      result = self._queue.get(block=True)
-
-      # Check for any exceptions raised by the queue process.
-      if result.exception is not None:
+    def close(self):
         self._closed = True
-        self.raised_exception = True
-
-        # Fire off the exception to any registered handlers. If no handlers were registered,
-        # then raise the exception locally.
-        handled = False
-        for handler in self._exception_handlers:
-          handler(result.exception)
-          handled = True
-
-        if handled:
-          return ''
-        else:
-          raise result.exception
-
-      # Check for no further data. If the QueueProcess has finished producing data, then break
-      # out of the loop to return the data already acquired.
-      if result.data is None:
-        self._done = True
-        break
-
-      # Add the data to the buffer.
-      self._buffer += result.data
-      self._total_size += len(result.data)
-
-    # Return the requested slice of the buffer.
-    if size == -1:
-      buf = self._buffer
-      self._buffer = ''
-      return buf
-
-    buf = self._buffer[0:size]
-    self._buffer = self._buffer[size:]
-    return buf
-
-  def flush(self):
-    # Purposefully not implemented.
-    pass
-
-  def close(self):
-    self._closed = True
diff --git a/util/registry/queueprocess.py b/util/registry/queueprocess.py
index 5cf3f20d0..feaa6c15d 100644
--- a/util/registry/queueprocess.py
+++ b/util/registry/queueprocess.py
@@ -10,67 +10,72 @@ import traceback
 logger = multiprocessing.log_to_stderr()
 logger.setLevel(logging.INFO)
 
+
 class QueueProcess(object):
-  """ Helper class which invokes a worker in a process to produce
+    """ Helper class which invokes a worker in a process to produce
       data for one (or more) queues.
   """
-  def __init__(self, get_producer, chunk_size, max_size, args, finished=None):
-    self._get_producer = get_producer
-    self._queues = []
-    self._chunk_size = chunk_size
-    self._max_size = max_size
-    self._args = args or []
-    self._finished = finished
 
-  def create_queue(self):
-    """ Adds a multiprocessing queue to the list of queues. Any queues added
+    def __init__(self, get_producer, chunk_size, max_size, args, finished=None):
+        self._get_producer = get_producer
+        self._queues = []
+        self._chunk_size = chunk_size
+        self._max_size = max_size
+        self._args = args or []
+        self._finished = finished
+
+    def create_queue(self):
+        """ Adds a multiprocessing queue to the list of queues. Any queues added
         will have the data produced appended.
     """
-    queue = Queue(self._max_size / self._chunk_size)
-    self._queues.append(queue)
-    return queue
+        queue = Queue(self._max_size / self._chunk_size)
+        self._queues.append(queue)
+        return queue
 
-  @staticmethod
-  def run_process(target, args, finished=None):
-    def _target(tar, arg, fin):
-      try:
-        tar(*args)
-      finally:
-        if fin:
-          fin()
+    @staticmethod
+    def run_process(target, args, finished=None):
+        def _target(tar, arg, fin):
+            try:
+                tar(*args)
+            finally:
+                if fin:
+                    fin()
 
-    Process(target=_target, args=(target, args, finished)).start()
+        Process(target=_target, args=(target, args, finished)).start()
 
-  def run(self):
-    # Important! gipc is used here because normal multiprocessing does not work
-    # correctly with gevent when we sleep.
-    args = (self._get_producer, self._queues, self._chunk_size, self._args)
-    QueueProcess.run_process(_run, args, finished=self._finished)
+    def run(self):
+        # Important! gipc is used here because normal multiprocessing does not work
+        # correctly with gevent when we sleep.
+        args = (self._get_producer, self._queues, self._chunk_size, self._args)
+        QueueProcess.run_process(_run, args, finished=self._finished)
 
 
-QueueResult = namedtuple('QueueResult', ['data', 'exception'])
+QueueResult = namedtuple("QueueResult", ["data", "exception"])
+
 
 def _run(get_producer, queues, chunk_size, args):
-  producer = get_producer(*args)
-  while True:
-    try:
-      result = QueueResult(producer(chunk_size) or None, None)
-    except Exception as ex:
-      message = '%s\n%s' % (ex.message, "".join(traceback.format_exception(*sys.exc_info())))
-      result = QueueResult(None, Exception(message))
+    producer = get_producer(*args)
+    while True:
+        try:
+            result = QueueResult(producer(chunk_size) or None, None)
+        except Exception as ex:
+            message = "%s\n%s" % (
+                ex.message,
+                "".join(traceback.format_exception(*sys.exc_info())),
+            )
+            result = QueueResult(None, Exception(message))
 
-    for queue in queues:
-      try:
-        queue.put(result, block=True)
-      except Exception as ex:
-        logger.exception('Exception writing to queue.')
-        return
+        for queue in queues:
+            try:
+                queue.put(result, block=True)
+            except Exception as ex:
+                logger.exception("Exception writing to queue.")
+                return
 
-    # Terminate the producer loop if the data produced is empty or an exception occurred.
-    if result.data is None or result.exception is not None:
-      break
-
-    # Important! This allows the thread that writes the queue data to the pipe
-    # to do so. Otherwise, this hangs.
-    time.sleep(0)
+        # Terminate the producer loop if the data produced is empty or an exception occurred.
+        if result.data is None or result.exception is not None:
+            break
 
+        # Important! This allows the thread that writes the queue data to the pipe
+        # to do so. Otherwise, this hangs.
+        time.sleep(0)
diff --git a/util/registry/replication.py b/util/registry/replication.py
index f9eca981c..aeda88dbc 100644
--- a/util/registry/replication.py
+++ b/util/registry/replication.py
@@ -8,27 +8,34 @@ from app import image_replication_queue
 
 DEFAULT_BATCH_SIZE = 1000
 
+
 @contextmanager
 def queue_replication_batch(namespace, batch_size=DEFAULT_BATCH_SIZE):
-  """
+    """
   Context manager implementation which returns a target callable that takes the storage
   to queue for replication. When the the context block exits the items generated by
   the callable will be bulk inserted into the queue with the specified batch size.
   """
-  namespace_user = model.user.get_namespace_user(namespace)
+    namespace_user = model.user.get_namespace_user(namespace)
 
-  with image_replication_queue.batch_insert(batch_size) as queue_put:
-    def queue_storage_replication_batch(storage):
-      if features.STORAGE_REPLICATION:
-        queue_put([storage.uuid], json.dumps({
-          'namespace_user_id': namespace_user.id,
-          'storage_id': storage.uuid,
-        }))
+    with image_replication_queue.batch_insert(batch_size) as queue_put:
 
-    yield queue_storage_replication_batch
+        def queue_storage_replication_batch(storage):
+            if features.STORAGE_REPLICATION:
+                queue_put(
+                    [storage.uuid],
+                    json.dumps(
+                        {
+                            "namespace_user_id": namespace_user.id,
+                            "storage_id": storage.uuid,
+                        }
+                    ),
+                )
+
+        yield queue_storage_replication_batch
 
 
 def queue_storage_replication(namespace, storage):
-  """ Queues replication for the given image storage under the given namespace (if enabled). """
-  with queue_replication_batch(namespace, 1) as batch_spawn:
-    batch_spawn(storage)
+    """ Queues replication for the given image storage under the given namespace (if enabled). """
+    with queue_replication_batch(namespace, 1) as batch_spawn:
+        batch_spawn(storage)
diff --git a/util/registry/streamlayerformat.py b/util/registry/streamlayerformat.py
index f6330ef4c..494a65aed 100644
--- a/util/registry/streamlayerformat.py
+++ b/util/registry/streamlayerformat.py
@@ -6,65 +6,69 @@ import marisa_trie
 from util.registry.aufs import is_aufs_metadata, get_deleted_prefix
 from util.registry.tarlayerformat import TarLayerFormat
 
+
 class StreamLayerMerger(TarLayerFormat):
-  """ Class which creates a generator of the combined TAR data for a set of Docker layers. """
-  def __init__(self, get_tar_stream_iterator, path_prefix=None, reporter=None):
-    super(StreamLayerMerger, self).__init__(get_tar_stream_iterator, path_prefix, reporter=reporter)
+    """ Class which creates a generator of the combined TAR data for a set of Docker layers. """
 
-    self.path_trie = marisa_trie.Trie()
-    self.path_encountered = set()
+    def __init__(self, get_tar_stream_iterator, path_prefix=None, reporter=None):
+        super(StreamLayerMerger, self).__init__(
+            get_tar_stream_iterator, path_prefix, reporter=reporter
+        )
 
-    self.deleted_prefix_trie = marisa_trie.Trie()
-    self.deleted_prefixes_encountered = set()
+        self.path_trie = marisa_trie.Trie()
+        self.path_encountered = set()
 
-  def after_tar_layer(self):
-    # Update the tries.
-    self.path_trie = marisa_trie.Trie(self.path_encountered)
-    self.deleted_prefix_trie = marisa_trie.Trie(self.deleted_prefixes_encountered)
+        self.deleted_prefix_trie = marisa_trie.Trie()
+        self.deleted_prefixes_encountered = set()
 
-  @staticmethod
-  def _normalize_path(path):
-    return os.path.relpath(path.decode('utf-8'), './')
+    def after_tar_layer(self):
+        # Update the tries.
+        self.path_trie = marisa_trie.Trie(self.path_encountered)
+        self.deleted_prefix_trie = marisa_trie.Trie(self.deleted_prefixes_encountered)
 
-  def _check_deleted(self, absolute):
-    ubsolute = unicode(absolute)
-    for prefix in self.deleted_prefix_trie.iter_prefixes(ubsolute):
-      if not os.path.relpath(ubsolute, prefix).startswith('..'):
+    @staticmethod
+    def _normalize_path(path):
+        return os.path.relpath(path.decode("utf-8"), "./")
+
+    def _check_deleted(self, absolute):
+        ubsolute = unicode(absolute)
+        for prefix in self.deleted_prefix_trie.iter_prefixes(ubsolute):
+            if not os.path.relpath(ubsolute, prefix).startswith(".."):
+                return True
+
+        return False
+
+    def is_skipped_file(self, filename):
+        absolute = StreamLayerMerger._normalize_path(filename)
+
+        # Skip metadata.
+        if is_aufs_metadata(absolute):
+            return True
+
+        # Check if the file is under a deleted path.
+        if self._check_deleted(absolute):
+            return True
+
+        # Check if this file has already been encountered somewhere. If so,
+        # skip it.
+        ubsolute = unicode(absolute)
+        if ubsolute in self.path_trie:
+            return True
+
+        return False
+
+    def should_append_file(self, filename):
+        if self.is_skipped_file(filename):
+            return False
+
+        absolute = StreamLayerMerger._normalize_path(filename)
+
+        # Add any prefix of deleted paths to the prefix list.
+        deleted_prefix = get_deleted_prefix(absolute)
+        if deleted_prefix is not None:
+            self.deleted_prefixes_encountered.add(deleted_prefix)
+            return False
+
+        # Otherwise, add the path to the encountered list and return it.
+        self.path_encountered.add(absolute)
         return True
-
-    return False
-
-  def is_skipped_file(self, filename):
-    absolute = StreamLayerMerger._normalize_path(filename)
-
-    # Skip metadata.
-    if is_aufs_metadata(absolute):
-      return True
-
-    # Check if the file is under a deleted path.
-    if self._check_deleted(absolute):
-      return True
-
-    # Check if this file has already been encountered somewhere. If so,
-    # skip it.
-    ubsolute = unicode(absolute)
-    if ubsolute in self.path_trie:
-      return True
-
-    return False
-
-  def should_append_file(self, filename):
-    if self.is_skipped_file(filename):
-      return False
-
-    absolute = StreamLayerMerger._normalize_path(filename)
-
-    # Add any prefix of deleted paths to the prefix list.
-    deleted_prefix = get_deleted_prefix(absolute)
-    if deleted_prefix is not None:
-      self.deleted_prefixes_encountered.add(deleted_prefix)
-      return False
-
-    # Otherwise, add the path to the encountered list and return it.
-    self.path_encountered.add(absolute)
-    return True
diff --git a/util/registry/tarlayerformat.py b/util/registry/tarlayerformat.py
index 250a178eb..ade92371f 100644
--- a/util/registry/tarlayerformat.py
+++ b/util/registry/tarlayerformat.py
@@ -8,181 +8,188 @@ from six import add_metaclass
 
 from util.abchelpers import nooper
 
+
 class TarLayerReadException(Exception):
-  """ Exception raised when reading a layer has failed. """
-  pass
+    """ Exception raised when reading a layer has failed. """
+
+    pass
 
 
 # 9MB (+ padding below) so that it matches the 10MB expected by Gzip.
 CHUNK_SIZE = 1024 * 1024 * 9
 
+
 @add_metaclass(ABCMeta)
 class TarLayerFormatterReporter(object):
-  @abstractmethod
-  def report_pass(self, stream_count):
-    """ Reports a formatting pass. """
-    pass
+    @abstractmethod
+    def report_pass(self, stream_count):
+        """ Reports a formatting pass. """
+        pass
 
 
 @nooper
 class NoopReporter(TarLayerFormatterReporter):
-  pass
+    pass
 
 
 @add_metaclass(ABCMeta)
 class TarLayerFormat(object):
-  """ Class which creates a generator of the combined TAR data. """
-  def __init__(self, tar_stream_getter_iterator, path_prefix=None, reporter=None):
-    self.tar_stream_getter_iterator = tar_stream_getter_iterator
-    self.path_prefix = path_prefix or ''
-    self.reporter = reporter or NoopReporter()
+    """ Class which creates a generator of the combined TAR data. """
 
-  def get_generator(self):
-    for stream_getter in self.tar_stream_getter_iterator():
-      current_tar_stream = stream_getter()
+    def __init__(self, tar_stream_getter_iterator, path_prefix=None, reporter=None):
+        self.tar_stream_getter_iterator = tar_stream_getter_iterator
+        self.path_prefix = path_prefix or ""
+        self.reporter = reporter or NoopReporter()
 
-      # Read the current TAR. If it is empty, we just continue
-      # to the next one.
-      tar_file = TarLayerFormat._tar_file_from_stream(current_tar_stream)
-      if not tar_file:
-        continue
+    def get_generator(self):
+        for stream_getter in self.tar_stream_getter_iterator():
+            current_tar_stream = stream_getter()
 
-      # For each of the tar entries, yield them IF and ONLY IF we have not
-      # encountered the path before.
-      dangling_hard_links = defaultdict(list)
-      try:
-        for tar_info in tar_file:
-          if not self.should_append_file(tar_info.name):
-            continue
+            # Read the current TAR. If it is empty, we just continue
+            # to the next one.
+            tar_file = TarLayerFormat._tar_file_from_stream(current_tar_stream)
+            if not tar_file:
+                continue
 
-          # Note: We use a copy here because we need to make sure we copy over all the internal
-          # data of the tar header. We cannot use frombuf(tobuf()), however, because it doesn't
-          # properly handle large filenames.
-          clone = copy.deepcopy(tar_info)
-          clone.name = os.path.join(self.path_prefix, clone.name)
+            # For each of the tar entries, yield them IF and ONLY IF we have not
+            # encountered the path before.
+            dangling_hard_links = defaultdict(list)
+            try:
+                for tar_info in tar_file:
+                    if not self.should_append_file(tar_info.name):
+                        continue
 
-          # If the entry is a *hard* link, then prefix it as well. Soft links are relative.
-          if clone.linkname and clone.type == tarfile.LNKTYPE:
-            # If the entry is a dangling hard link, we skip here. Dangling hard links will be handled
-            # in a second pass.
-            if self.is_skipped_file(tar_info.linkname):
-              dangling_hard_links[tar_info.linkname].append(tar_info)
-              continue
+                    # Note: We use a copy here because we need to make sure we copy over all the internal
+                    # data of the tar header. We cannot use frombuf(tobuf()), however, because it doesn't
+                    # properly handle large filenames.
+                    clone = copy.deepcopy(tar_info)
+                    clone.name = os.path.join(self.path_prefix, clone.name)
 
-            clone.linkname = os.path.join(self.path_prefix, clone.linkname)
+                    # If the entry is a *hard* link, then prefix it as well. Soft links are relative.
+                    if clone.linkname and clone.type == tarfile.LNKTYPE:
+                        # If the entry is a dangling hard link, we skip here. Dangling hard links will be handled
+                        # in a second pass.
+                        if self.is_skipped_file(tar_info.linkname):
+                            dangling_hard_links[tar_info.linkname].append(tar_info)
+                            continue
 
-          # Yield the tar header.
-          yield clone.tobuf()
+                        clone.linkname = os.path.join(self.path_prefix, clone.linkname)
 
-          # Try to extract any file contents for the tar. If found, we yield them as well.
-          if tar_info.isreg():
-            for block in TarLayerFormat._emit_file(tar_file, tar_info):
-              yield block
-      except UnicodeDecodeError as ude:
-        raise TarLayerReadException('Decode error: %s' % ude)
+                    # Yield the tar header.
+                    yield clone.tobuf()
 
-      # Close the layer stream now that we're done with it.
-      tar_file.close()
+                    # Try to extract any file contents for the tar. If found, we yield them as well.
+                    if tar_info.isreg():
+                        for block in TarLayerFormat._emit_file(tar_file, tar_info):
+                            yield block
+            except UnicodeDecodeError as ude:
+                raise TarLayerReadException("Decode error: %s" % ude)
 
-      # If there are any dangling hard links, open a new stream and retarget the dangling hard
-      # links to a new copy of the contents, which will be placed under the *first* dangling hard
-      # link's name.
-      if len(dangling_hard_links) > 0:
-        tar_file = TarLayerFormat._tar_file_from_stream(stream_getter())
-        if not tar_file:
-          raise TarLayerReadException('Could not re-read tar layer')
+            # Close the layer stream now that we're done with it.
+            tar_file.close()
 
-        for tar_info in tar_file:
-          # If we encounter a file that holds the data for a dangling link,
-          # emit it under the name of the first dangling hard link. All other
-          # dangling hard links will be retargeted to this first name.
-          if tar_info.name in dangling_hard_links:
-            first_dangling = dangling_hard_links[tar_info.name][0]
+            # If there are any dangling hard links, open a new stream and retarget the dangling hard
+            # links to a new copy of the contents, which will be placed under the *first* dangling hard
+            # link's name.
+            if len(dangling_hard_links) > 0:
+                tar_file = TarLayerFormat._tar_file_from_stream(stream_getter())
+                if not tar_file:
+                    raise TarLayerReadException("Could not re-read tar layer")
 
-            # Copy the first dangling hard link, change it to a normal file,
-            # and emit the deleted file's contents for it.
-            clone = copy.deepcopy(first_dangling)
-            clone.name = os.path.join(self.path_prefix, first_dangling.name)
-            clone.type = tar_info.type
-            clone.size = tar_info.size
-            clone.pax_headers = tar_info.pax_headers
-            yield clone.tobuf()
+                for tar_info in tar_file:
+                    # If we encounter a file that holds the data for a dangling link,
+                    # emit it under the name of the first dangling hard link. All other
+                    # dangling hard links will be retargeted to this first name.
+                    if tar_info.name in dangling_hard_links:
+                        first_dangling = dangling_hard_links[tar_info.name][0]
 
-            for block in TarLayerFormat._emit_file(tar_file, tar_info):
-              yield block
+                        # Copy the first dangling hard link, change it to a normal file,
+                        # and emit the deleted file's contents for it.
+                        clone = copy.deepcopy(first_dangling)
+                        clone.name = os.path.join(self.path_prefix, first_dangling.name)
+                        clone.type = tar_info.type
+                        clone.size = tar_info.size
+                        clone.pax_headers = tar_info.pax_headers
+                        yield clone.tobuf()
 
-          elif (tar_info.type == tarfile.LNKTYPE and
-                tar_info.linkname in dangling_hard_links and
-                not self.is_skipped_file(tar_info.name)):
-            # Retarget if necessary. All dangling hard links (but the first) will
-            # need to be retargeted.
-            first_dangling = dangling_hard_links[tar_info.linkname][0]
-            if tar_info.name == first_dangling.name:
-              # Skip; the first dangling is handled above.
-              continue
+                        for block in TarLayerFormat._emit_file(tar_file, tar_info):
+                            yield block
 
-            # Retarget the hard link to the first dangling hard link.
-            clone = copy.deepcopy(tar_info)
-            clone.name = os.path.join(self.path_prefix, clone.name)
-            clone.linkname = os.path.join(self.path_prefix, first_dangling.name)
-            yield clone.tobuf()
+                    elif (
+                        tar_info.type == tarfile.LNKTYPE
+                        and tar_info.linkname in dangling_hard_links
+                        and not self.is_skipped_file(tar_info.name)
+                    ):
+                        # Retarget if necessary. All dangling hard links (but the first) will
+                        # need to be retargeted.
+                        first_dangling = dangling_hard_links[tar_info.linkname][0]
+                        if tar_info.name == first_dangling.name:
+                            # Skip; the first dangling is handled above.
+                            continue
 
-        # Close the layer stream now that we're done with it.
-        tar_file.close()
+                        # Retarget the hard link to the first dangling hard link.
+                        clone = copy.deepcopy(tar_info)
+                        clone.name = os.path.join(self.path_prefix, clone.name)
+                        clone.linkname = os.path.join(
+                            self.path_prefix, first_dangling.name
+                        )
+                        yield clone.tobuf()
 
-      # Conduct any post-tar work.
-      self.after_tar_layer()
-      self.reporter.report_pass(2 if len(dangling_hard_links) > 0 else 1)
+                # Close the layer stream now that we're done with it.
+                tar_file.close()
 
-    # Last two records are empty in TAR spec.
-    yield '\0' * 512
-    yield '\0' * 512
+            # Conduct any post-tar work.
+            self.after_tar_layer()
+            self.reporter.report_pass(2 if len(dangling_hard_links) > 0 else 1)
 
-  @abstractmethod
-  def is_skipped_file(self, filename):
-    """ Returns true if the file with the given name will be skipped during append.
+        # Last two records are empty in TAR spec.
+        yield "\0" * 512
+        yield "\0" * 512
+
+    @abstractmethod
+    def is_skipped_file(self, filename):
+        """ Returns true if the file with the given name will be skipped during append.
     """
-    pass
+        pass
 
-  @abstractmethod
-  def should_append_file(self, filename):
-    """ Returns true if the file with the given name should be appended when producing
+    @abstractmethod
+    def should_append_file(self, filename):
+        """ Returns true if the file with the given name should be appended when producing
         the new TAR.
     """
-    pass
+        pass
 
-  @abstractmethod
-  def after_tar_layer(self):
-    """ Invoked after a TAR layer is added, to do any post-add work. """
-    pass
+    @abstractmethod
+    def after_tar_layer(self):
+        """ Invoked after a TAR layer is added, to do any post-add work. """
+        pass
 
-  @staticmethod
-  def _tar_file_from_stream(stream):
-    tar_file = None
-    try:
-      tar_file = tarfile.open(mode='r|*', fileobj=stream)
-    except tarfile.ReadError as re:
-      if str(re) != 'empty file':
-        raise TarLayerReadException('Could not read layer')
+    @staticmethod
+    def _tar_file_from_stream(stream):
+        tar_file = None
+        try:
+            tar_file = tarfile.open(mode="r|*", fileobj=stream)
+        except tarfile.ReadError as re:
+            if str(re) != "empty file":
+                raise TarLayerReadException("Could not read layer")
 
-    return tar_file
+        return tar_file
 
-  @staticmethod
-  def _emit_file(tar_file, tar_info):
-    file_stream = tar_file.extractfile(tar_info)
-    if file_stream is not None:
-      length = 0
-      while True:
-        current_block = file_stream.read(CHUNK_SIZE)
-        if not len(current_block):
-          break
+    @staticmethod
+    def _emit_file(tar_file, tar_info):
+        file_stream = tar_file.extractfile(tar_info)
+        if file_stream is not None:
+            length = 0
+            while True:
+                current_block = file_stream.read(CHUNK_SIZE)
+                if not len(current_block):
+                    break
 
-        yield current_block
-        length += len(current_block)
+                yield current_block
+                length += len(current_block)
 
-      file_stream.close()
+            file_stream.close()
 
-      # Files must be padding to 512 byte multiples.
-      if length % 512 != 0:
-        yield '\0' * (512 - (length % 512))
-        
\ No newline at end of file
+            # Files must be padding to 512 byte multiples.
+            if length % 512 != 0:
+                yield "\0" * (512 - (length % 512))
diff --git a/util/registry/test/test_dockerver.py b/util/registry/test/test_dockerver.py
index 2c6d3a11d..313269d05 100644
--- a/util/registry/test/test_dockerver.py
+++ b/util/registry/test/test_dockerver.py
@@ -3,45 +3,66 @@ import pytest
 from util.registry.dockerver import docker_version
 from semantic_version import Version, Spec
 
-@pytest.mark.parametrize('ua_string, ver_info', [
-  # Old "semantic" versioning.
-  ('docker/1.6.0 go/go1.4.2 git-commit/1234567 kernel/4.2.0-18-generic os/linux arch/amd64',
-   Version('1.6.0')),
-  ('docker/1.7.1 go/go1.4.2 kernel/4.1.7-15.23.amzn1.x86_64 os/linux arch/amd64',
-   Version('1.7.1')),
-  ('docker/1.6.2 go/go1.4.2 git-commit/7c8fca2-dirty kernel/4.0.5 os/linux arch/amd64',
-   Version('1.6.2')),
-  ('docker/1.9.0 go/go1.4.2 git-commit/76d6bc9 kernel/3.16.0-4-amd64 os/linux arch/amd64',
-   Version('1.9.0')),
-  ('docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/3.10.0-229.20.1.el7.x86_64 os/linux arch/amd64',
-   Version('1.9.1')),
-  ('docker/1.8.2-circleci go/go1.4.2 git-commit/a8b52f5 kernel/3.13.0-71-generic os/linux arch/amd64',
-   Version('1.8.2')),
-  ('Go 1.1 package http', Version('1.5.0')),
-  ('curl', None),
-  ('docker/1.8 stuff', Version('1.8', partial=True)),
 
-  # Newer date-based versioning: YY.MM.revnum
-  ('docker/17.03.0 my_version_sucks', Version('17.3.0')),
-  ('docker/17.03.0-foobar my_version_sucks', Version('17.3.0')),
-  ('docker/17.10.2 go/go1.4.2 git-commit/a34a1d5 kernel/3.10.0-229.20.1.el7.x86_64 os/linux arch/amd64',
-   Version('17.10.2')),
-  ('docker/17.00.4 my_version_sucks', Version('17.0.4')),
-  ('docker/17.12.00 my_version_sucks', Version('17.12.0')),
-])
+@pytest.mark.parametrize(
+    "ua_string, ver_info",
+    [
+        # Old "semantic" versioning.
+        (
+            "docker/1.6.0 go/go1.4.2 git-commit/1234567 kernel/4.2.0-18-generic os/linux arch/amd64",
+            Version("1.6.0"),
+        ),
+        (
+            "docker/1.7.1 go/go1.4.2 kernel/4.1.7-15.23.amzn1.x86_64 os/linux arch/amd64",
+            Version("1.7.1"),
+        ),
+        (
+            "docker/1.6.2 go/go1.4.2 git-commit/7c8fca2-dirty kernel/4.0.5 os/linux arch/amd64",
+            Version("1.6.2"),
+        ),
+        (
+            "docker/1.9.0 go/go1.4.2 git-commit/76d6bc9 kernel/3.16.0-4-amd64 os/linux arch/amd64",
+            Version("1.9.0"),
+        ),
+        (
+            "docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/3.10.0-229.20.1.el7.x86_64 os/linux arch/amd64",
+            Version("1.9.1"),
+        ),
+        (
+            "docker/1.8.2-circleci go/go1.4.2 git-commit/a8b52f5 kernel/3.13.0-71-generic os/linux arch/amd64",
+            Version("1.8.2"),
+        ),
+        ("Go 1.1 package http", Version("1.5.0")),
+        ("curl", None),
+        ("docker/1.8 stuff", Version("1.8", partial=True)),
+        # Newer date-based versioning: YY.MM.revnum
+        ("docker/17.03.0 my_version_sucks", Version("17.3.0")),
+        ("docker/17.03.0-foobar my_version_sucks", Version("17.3.0")),
+        (
+            "docker/17.10.2 go/go1.4.2 git-commit/a34a1d5 kernel/3.10.0-229.20.1.el7.x86_64 os/linux arch/amd64",
+            Version("17.10.2"),
+        ),
+        ("docker/17.00.4 my_version_sucks", Version("17.0.4")),
+        ("docker/17.12.00 my_version_sucks", Version("17.12.0")),
+    ],
+)
 def test_parsing(ua_string, ver_info):
-  parsed_ver = docker_version(ua_string)
-  assert parsed_ver == ver_info, 'Expected %s, Found %s' % (ver_info, parsed_ver)
+    parsed_ver = docker_version(ua_string)
+    assert parsed_ver == ver_info, "Expected %s, Found %s" % (ver_info, parsed_ver)
 
-@pytest.mark.parametrize('spec, no_match_cases, match_cases', [
-  (Spec('<1.6.0'), ['1.6.0', '1.6.1', '1.9.0', '100.5.2'], ['0.0.0', '1.5.99']),
-  (Spec('<1.9.0'), ['1.9.0', '100.5.2'], ['0.0.0', '1.5.99', '1.6.0', '1.6.1']),
-  (Spec('<1.6.0,>0.0.1'), ['1.6.0', '1.6.1', '1.9.0', '0.0.0'], ['1.5.99']),
-  (Spec('>17.3.0'), ['17.3.0', '1.13.0'], ['17.4.0', '17.12.1']),
-])
+
+@pytest.mark.parametrize(
+    "spec, no_match_cases, match_cases",
+    [
+        (Spec("<1.6.0"), ["1.6.0", "1.6.1", "1.9.0", "100.5.2"], ["0.0.0", "1.5.99"]),
+        (Spec("<1.9.0"), ["1.9.0", "100.5.2"], ["0.0.0", "1.5.99", "1.6.0", "1.6.1"]),
+        (Spec("<1.6.0,>0.0.1"), ["1.6.0", "1.6.1", "1.9.0", "0.0.0"], ["1.5.99"]),
+        (Spec(">17.3.0"), ["17.3.0", "1.13.0"], ["17.4.0", "17.12.1"]),
+    ],
+)
 def test_specs(spec, no_match_cases, match_cases):
-  for no_match_case in no_match_cases:
-    assert not spec.match(Version(no_match_case))
+    for no_match_case in no_match_cases:
+        assert not spec.match(Version(no_match_case))
 
-  for match_case in match_cases:
-    assert spec.match(Version(match_case))
+    for match_case in match_cases:
+        assert spec.match(Version(match_case))
diff --git a/util/registry/test/test_filelike.py b/util/registry/test/test_filelike.py
index 406aa0d3b..2170cfcdb 100644
--- a/util/registry/test/test_filelike.py
+++ b/util/registry/test/test_filelike.py
@@ -1,132 +1,151 @@
 from StringIO import StringIO
 from util.registry.filelike import FilelikeStreamConcat, LimitingStream, StreamSlice
 
+
 def somegenerator():
-  yield 'some'
-  yield 'cool'
-  yield 'file-contents'
+    yield "some"
+    yield "cool"
+    yield "file-contents"
+
 
 def test_parts():
-  gens = iter([StringIO(s) for s in somegenerator()])
-  fileobj = FilelikeStreamConcat(gens)
+    gens = iter([StringIO(s) for s in somegenerator()])
+    fileobj = FilelikeStreamConcat(gens)
+
+    assert fileobj.read(2) == "so"
+    assert fileobj.read(3) == "mec"
+    assert fileobj.read(7) == "oolfile"
+    assert fileobj.read(-1) == "-contents"
 
-  assert fileobj.read(2) == 'so'
-  assert fileobj.read(3) == 'mec'
-  assert fileobj.read(7) == 'oolfile'
-  assert fileobj.read(-1) == '-contents'
 
 def test_entire():
-  gens = iter([StringIO(s) for s in somegenerator()])
-  fileobj = FilelikeStreamConcat(gens)
-  assert fileobj.read(-1) == 'somecoolfile-contents'
+    gens = iter([StringIO(s) for s in somegenerator()])
+    fileobj = FilelikeStreamConcat(gens)
+    assert fileobj.read(-1) == "somecoolfile-contents"
+
 
 def test_nolimit():
-  fileobj = StringIO('this is a cool test')
-  stream = LimitingStream(fileobj)
-  assert stream.read(-1) == 'this is a cool test'
-  assert len('this is a cool test') == stream.tell()
+    fileobj = StringIO("this is a cool test")
+    stream = LimitingStream(fileobj)
+    assert stream.read(-1) == "this is a cool test"
+    assert len("this is a cool test") == stream.tell()
+
 
 def test_simplelimit():
-  fileobj = StringIO('this is a cool test')
-  stream = LimitingStream(fileobj, 4)
-  assert stream.read(-1) == 'this'
-  assert 4 == stream.tell()
+    fileobj = StringIO("this is a cool test")
+    stream = LimitingStream(fileobj, 4)
+    assert stream.read(-1) == "this"
+    assert 4 == stream.tell()
+
 
 def test_simplelimit_readdefined():
-  fileobj = StringIO('this is a cool test')
-  stream = LimitingStream(fileobj, 4)
-  assert stream.read(2) == 'th'
-  assert 2 == stream.tell()
+    fileobj = StringIO("this is a cool test")
+    stream = LimitingStream(fileobj, 4)
+    assert stream.read(2) == "th"
+    assert 2 == stream.tell()
+
 
 def test_nolimit_readdefined():
-  fileobj = StringIO('this is a cool test')
-  stream = LimitingStream(fileobj, -1)
-  assert stream.read(2) == 'th'
-  assert 2 == stream.tell()
+    fileobj = StringIO("this is a cool test")
+    stream = LimitingStream(fileobj, -1)
+    assert stream.read(2) == "th"
+    assert 2 == stream.tell()
+
 
 def test_limit_multiread():
-  fileobj = StringIO('this is a cool test')
-  stream = LimitingStream(fileobj, 7)
-  assert stream.read(4) == 'this'
-  assert stream.read(3) == ' is'
-  assert stream.read(2) == ''
-  assert 7 == stream.tell()
+    fileobj = StringIO("this is a cool test")
+    stream = LimitingStream(fileobj, 7)
+    assert stream.read(4) == "this"
+    assert stream.read(3) == " is"
+    assert stream.read(2) == ""
+    assert 7 == stream.tell()
+
 
 def test_limit_multiread2():
-  fileobj = StringIO('this is a cool test')
-  stream = LimitingStream(fileobj, 7)
-  assert stream.read(4) == 'this'
-  assert stream.read(-1) == ' is'
-  assert 7 == stream.tell()
+    fileobj = StringIO("this is a cool test")
+    stream = LimitingStream(fileobj, 7)
+    assert stream.read(4) == "this"
+    assert stream.read(-1) == " is"
+    assert 7 == stream.tell()
+
 
 def test_seek():
-  fileobj = StringIO('this is a cool test')
-  stream = LimitingStream(fileobj)
-  stream.seek(2)
+    fileobj = StringIO("this is a cool test")
+    stream = LimitingStream(fileobj)
+    stream.seek(2)
+
+    assert stream.read(2) == "is"
+    assert 4 == stream.tell()
 
-  assert stream.read(2) == 'is'
-  assert 4 == stream.tell()
 
 def test_seek_withlimit():
-  fileobj = StringIO('this is a cool test')
-  stream = LimitingStream(fileobj, 3)
-  stream.seek(2)
+    fileobj = StringIO("this is a cool test")
+    stream = LimitingStream(fileobj, 3)
+    stream.seek(2)
+
+    assert stream.read(2) == "i"
+    assert 3 == stream.tell()
 
-  assert stream.read(2) == 'i'
-  assert 3 == stream.tell()
 
 def test_seek_pastlimit():
-  fileobj = StringIO('this is a cool test')
-  stream = LimitingStream(fileobj, 3)
-  stream.seek(4)
+    fileobj = StringIO("this is a cool test")
+    stream = LimitingStream(fileobj, 3)
+    stream.seek(4)
+
+    assert stream.read(1) == ""
+    assert 3 == stream.tell()
 
-  assert stream.read(1) == ''
-  assert 3 == stream.tell()
 
 def test_seek_to_tell():
-  fileobj = StringIO('this is a cool test')
-  stream = LimitingStream(fileobj, 3)
-  stream.seek(stream.tell())
+    fileobj = StringIO("this is a cool test")
+    stream = LimitingStream(fileobj, 3)
+    stream.seek(stream.tell())
+
+    assert stream.read(4) == "thi"
+    assert 3 == stream.tell()
 
-  assert stream.read(4) == 'thi'
-  assert 3 == stream.tell()
 
 def test_none_read():
-  class NoneReader(object):
-    def read(self, size=None):
-      return None
+    class NoneReader(object):
+        def read(self, size=None):
+            return None
+
+    stream = StreamSlice(NoneReader(), 0)
+    assert stream.read(-1) == None
+    assert stream.tell() == 0
 
-  stream = StreamSlice(NoneReader(), 0)
-  assert stream.read(-1) == None
-  assert stream.tell() == 0
 
 def test_noslice():
-  fileobj = StringIO('this is a cool test')
-  stream = StreamSlice(fileobj, 0)
-  assert stream.read(-1) == 'this is a cool test'
-  assert len('this is a cool test') == stream.tell()
+    fileobj = StringIO("this is a cool test")
+    stream = StreamSlice(fileobj, 0)
+    assert stream.read(-1) == "this is a cool test"
+    assert len("this is a cool test") == stream.tell()
+
 
 def test_startindex():
-  fileobj = StringIO('this is a cool test')
-  stream = StreamSlice(fileobj, 5)
-  assert stream.read(-1) == 'is a cool test'
-  assert len('is a cool test') == stream.tell()
+    fileobj = StringIO("this is a cool test")
+    stream = StreamSlice(fileobj, 5)
+    assert stream.read(-1) == "is a cool test"
+    assert len("is a cool test") == stream.tell()
+
 
 def test_startindex_limitedread():
-  fileobj = StringIO('this is a cool test')
-  stream = StreamSlice(fileobj, 5)
-  assert stream.read(4) == 'is a'
-  assert 4 == stream.tell()
+    fileobj = StringIO("this is a cool test")
+    stream = StreamSlice(fileobj, 5)
+    assert stream.read(4) == "is a"
+    assert 4 == stream.tell()
+
 
 def test_slice():
-  fileobj = StringIO('this is a cool test')
-  stream = StreamSlice(fileobj, 5, 9)
-  assert stream.read(-1) == 'is a'
-  assert len('is a') == stream.tell()
+    fileobj = StringIO("this is a cool test")
+    stream = StreamSlice(fileobj, 5, 9)
+    assert stream.read(-1) == "is a"
+    assert len("is a") == stream.tell()
+
 
 def test_slice_explictread():
-  fileobj = StringIO('this is a cool test')
-  stream = StreamSlice(fileobj, 5, 9)
-  assert stream.read(2) == 'is'
-  assert stream.read(5) == ' a'
-  assert len('is a') == stream.tell()
+    fileobj = StringIO("this is a cool test")
+    stream = StreamSlice(fileobj, 5, 9)
+    assert stream.read(2) == "is"
+    assert stream.read(5) == " a"
+    assert len("is a") == stream.tell()
diff --git a/util/registry/test/test_generatorfile.py b/util/registry/test/test_generatorfile.py
index 0d21c6a21..552446c0c 100644
--- a/util/registry/test/test_generatorfile.py
+++ b/util/registry/test/test_generatorfile.py
@@ -4,95 +4,105 @@ import magic
 
 from util.registry.generatorfile import GeneratorFile
 
+
 def sample_generator():
-  yield 'this'
-  yield 'is'
-  yield 'a'
-  yield 'test'
+    yield "this"
+    yield "is"
+    yield "a"
+    yield "test"
+
 
 def test_basic_generator():
-  with GeneratorFile(sample_generator()) as f:
-    assert f.tell() == 0
-    assert f.read() == "thisisatest"
-    assert f.tell() == len("thisisatest")
+    with GeneratorFile(sample_generator()) as f:
+        assert f.tell() == 0
+        assert f.read() == "thisisatest"
+        assert f.tell() == len("thisisatest")
+
 
 def test_same_lengths():
-  with GeneratorFile(sample_generator()) as f:
-    assert f.read(4) == "this"
-    assert f.tell() == 4
+    with GeneratorFile(sample_generator()) as f:
+        assert f.read(4) == "this"
+        assert f.tell() == 4
 
-    assert f.read(2) == "is"
-    assert f.tell() == 6
+        assert f.read(2) == "is"
+        assert f.tell() == 6
 
-    assert f.read(1) == "a"
-    assert f.tell() == 7
+        assert f.read(1) == "a"
+        assert f.tell() == 7
+
+        assert f.read(4) == "test"
+        assert f.tell() == 11
 
-    assert f.read(4) == "test"
-    assert f.tell() == 11
 
 def test_indexed_lengths():
-  with GeneratorFile(sample_generator()) as f:
-    assert f.read(6) == "thisis"
-    assert f.tell() == 6
+    with GeneratorFile(sample_generator()) as f:
+        assert f.read(6) == "thisis"
+        assert f.tell() == 6
+
+        assert f.read(5) == "atest"
+        assert f.tell() == 11
 
-    assert f.read(5) == "atest"
-    assert f.tell() == 11
 
 def test_misindexed_lengths():
-  with GeneratorFile(sample_generator()) as f:
-    assert f.read(6) == "thisis"
-    assert f.tell() == 6
+    with GeneratorFile(sample_generator()) as f:
+        assert f.read(6) == "thisis"
+        assert f.tell() == 6
 
-    assert f.read(3) == "ate"
-    assert f.tell() == 9
+        assert f.read(3) == "ate"
+        assert f.tell() == 9
 
-    assert f.read(2) == "st"
-    assert f.tell() == 11
+        assert f.read(2) == "st"
+        assert f.tell() == 11
+
+        assert f.read(2) == ""
+        assert f.tell() == 11
 
-    assert f.read(2) == ""
-    assert f.tell() == 11
 
 def test_misindexed_lengths_2():
-  with GeneratorFile(sample_generator()) as f:
-    assert f.read(8) == "thisisat"
-    assert f.tell() == 8
+    with GeneratorFile(sample_generator()) as f:
+        assert f.read(8) == "thisisat"
+        assert f.tell() == 8
 
-    assert f.read(1) == "e"
-    assert f.tell() == 9
+        assert f.read(1) == "e"
+        assert f.tell() == 9
 
-    assert f.read(2) == "st"
-    assert f.tell() == 11
+        assert f.read(2) == "st"
+        assert f.tell() == 11
+
+        assert f.read(2) == ""
+        assert f.tell() == 11
 
-    assert f.read(2) == ""
-    assert f.tell() == 11
 
 def test_overly_long():
-  with GeneratorFile(sample_generator()) as f:
-    assert f.read(60) == "thisisatest"
-    assert f.tell() == 11
+    with GeneratorFile(sample_generator()) as f:
+        assert f.read(60) == "thisisatest"
+        assert f.tell() == 11
+
 
 def test_with_bufferedreader():
-  with GeneratorFile(sample_generator()) as f:
-    buffered = BufferedReader(f)
-    assert buffered.peek(10) == "thisisatest"
-    assert buffered.read(10) == "thisisates"
+    with GeneratorFile(sample_generator()) as f:
+        buffered = BufferedReader(f)
+        assert buffered.peek(10) == "thisisatest"
+        assert buffered.read(10) == "thisisates"
+
 
 def mimed_html_generator():
-  yield '<html>'
-  yield '<body>'
-  yield 'sometext' * 1024
-  yield '</body>'
-  yield '</html>'
+    yield "<html>"
+    yield "<body>"
+    yield "sometext" * 1024
+    yield "</body>"
+    yield "</html>"
+
 
 def test_magic():
-  mgc = magic.Magic(mime=True)
+    mgc = magic.Magic(mime=True)
 
-  with GeneratorFile(mimed_html_generator()) as f:
-    buffered = BufferedReader(f)
-    file_header_bytes = buffered.peek(1024)
-    assert mgc.from_buffer(file_header_bytes) == "text/html"
+    with GeneratorFile(mimed_html_generator()) as f:
+        buffered = BufferedReader(f)
+        file_header_bytes = buffered.peek(1024)
+        assert mgc.from_buffer(file_header_bytes) == "text/html"
 
-  with GeneratorFile(sample_generator()) as f:
-    buffered = BufferedReader(f)
-    file_header_bytes = buffered.peek(1024)
-    assert mgc.from_buffer(file_header_bytes) == "text/plain"
+    with GeneratorFile(sample_generator()) as f:
+        buffered = BufferedReader(f)
+        file_header_bytes = buffered.peek(1024)
+        assert mgc.from_buffer(file_header_bytes) == "text/plain"
diff --git a/util/registry/test/test_queuefile.py b/util/registry/test/test_queuefile.py
index 88e0a8c22..f4e703aaf 100644
--- a/util/registry/test/test_queuefile.py
+++ b/util/registry/test/test_queuefile.py
@@ -5,108 +5,114 @@ import pytest
 from util.registry.queueprocess import QueueResult
 from util.registry.queuefile import QueueFile
 
+
 class FakeQueue(object):
-  def __init__(self):
-    self.items = []
+    def __init__(self):
+        self.items = []
 
-  def get(self, block):
-    return self.items.pop(0)
+    def get(self, block):
+        return self.items.pop(0)
 
-  def put(self, data):
-    self.items.append(data)
+    def put(self, data):
+        self.items.append(data)
 
 
 def test_basic():
-  queue = FakeQueue()
-  queue.put(QueueResult('hello world', None))
-  queue.put(QueueResult('! how goes there?', None))
-  queue.put(QueueResult(None, None))
+    queue = FakeQueue()
+    queue.put(QueueResult("hello world", None))
+    queue.put(QueueResult("! how goes there?", None))
+    queue.put(QueueResult(None, None))
+
+    queuefile = QueueFile(queue)
+    assert queuefile.read() == "hello world! how goes there?"
 
-  queuefile = QueueFile(queue)
-  assert queuefile.read() == 'hello world! how goes there?'
 
 def test_chunk_reading():
-  queue = FakeQueue()
-  queue.put(QueueResult('hello world', None))
-  queue.put(QueueResult('! how goes there?', None))
-  queue.put(QueueResult(None, None))
+    queue = FakeQueue()
+    queue.put(QueueResult("hello world", None))
+    queue.put(QueueResult("! how goes there?", None))
+    queue.put(QueueResult(None, None))
 
-  queuefile = QueueFile(queue)
-  data = ''
+    queuefile = QueueFile(queue)
+    data = ""
 
-  while True:
-    result = queuefile.read(size=2)
-    if not result:
-      break
+    while True:
+        result = queuefile.read(size=2)
+        if not result:
+            break
 
-    data += result
+        data += result
+
+    assert data == "hello world! how goes there?"
 
-  assert data == 'hello world! how goes there?'
 
 def test_unhandled_exception():
-  queue = FakeQueue()
-  queue.put(QueueResult('hello world', None))
-  queue.put(QueueResult(None, IOError('some exception')))
-  queue.put(QueueResult('! how goes there?', None))
-  queue.put(QueueResult(None, None))
+    queue = FakeQueue()
+    queue.put(QueueResult("hello world", None))
+    queue.put(QueueResult(None, IOError("some exception")))
+    queue.put(QueueResult("! how goes there?", None))
+    queue.put(QueueResult(None, None))
 
-  queuefile = QueueFile(queue)
+    queuefile = QueueFile(queue)
+
+    with pytest.raises(IOError):
+        queuefile.read(size=12)
 
-  with pytest.raises(IOError):
-    queuefile.read(size=12)
 
 def test_handled_exception():
-  queue = FakeQueue()
-  queue.put(QueueResult('hello world', None))
-  queue.put(QueueResult(None, IOError('some exception')))
-  queue.put(QueueResult('! how goes there?', None))
-  queue.put(QueueResult(None, None))
+    queue = FakeQueue()
+    queue.put(QueueResult("hello world", None))
+    queue.put(QueueResult(None, IOError("some exception")))
+    queue.put(QueueResult("! how goes there?", None))
+    queue.put(QueueResult(None, None))
 
-  ex_found = [None]
+    ex_found = [None]
 
-  def handler(ex):
-    ex_found[0] = ex
+    def handler(ex):
+        ex_found[0] = ex
 
-  queuefile = QueueFile(queue)
-  queuefile.add_exception_handler(handler)
-  queuefile.read(size=12)
+    queuefile = QueueFile(queue)
+    queuefile.add_exception_handler(handler)
+    queuefile.read(size=12)
+
+    assert ex_found[0] is not None
 
-  assert ex_found[0] is not None
 
 def test_binary_data():
-  queue = FakeQueue()
+    queue = FakeQueue()
 
-  # Generate some binary data.
-  binary_data = os.urandom(1024)
-  queue.put(QueueResult(binary_data, None))
-  queue.put(QueueResult(None, None))
+    # Generate some binary data.
+    binary_data = os.urandom(1024)
+    queue.put(QueueResult(binary_data, None))
+    queue.put(QueueResult(None, None))
 
-  queuefile = QueueFile(queue)
-  found_data = ''
-  while True:
-    current_data = queuefile.read(size=37)
-    if len(current_data) == 0:
-      break
+    queuefile = QueueFile(queue)
+    found_data = ""
+    while True:
+        current_data = queuefile.read(size=37)
+        if len(current_data) == 0:
+            break
 
-    found_data = found_data + current_data
+        found_data = found_data + current_data
+
+    assert found_data == binary_data
 
-  assert found_data == binary_data
 
 def test_empty_data():
-  queue = FakeQueue()
+    queue = FakeQueue()
 
-  # Generate some empty binary data.
-  binary_data = '\0' * 1024
-  queue.put(QueueResult(binary_data, None))
-  queue.put(QueueResult(None, None))
+    # Generate some empty binary data.
+    binary_data = "\0" * 1024
+    queue.put(QueueResult(binary_data, None))
+    queue.put(QueueResult(None, None))
 
-  queuefile = QueueFile(queue)
-  found_data = ''
-  while True:
-    current_data = queuefile.read(size=37)
-    if len(current_data) == 0:
-      break
+    queuefile = QueueFile(queue)
+    found_data = ""
+    while True:
+        current_data = queuefile.read(size=37)
+        if len(current_data) == 0:
+            break
 
-    found_data = found_data + current_data
+        found_data = found_data + current_data
 
-  assert found_data == binary_data
+    assert found_data == binary_data
diff --git a/util/registry/test/test_streamlayerformat.py b/util/registry/test/test_streamlayerformat.py
index 99edf698f..d506d7018 100644
--- a/util/registry/test/test_streamlayerformat.py
+++ b/util/registry/test/test_streamlayerformat.py
@@ -7,486 +7,483 @@ from util.registry.streamlayerformat import StreamLayerMerger
 from util.registry.aufs import AUFS_WHITEOUT
 from util.registry.tarlayerformat import TarLayerReadException
 
+
 def create_layer(*file_pairs):
-  output = StringIO()
-  with tarfile.open(fileobj=output, mode='w:gz') as tar:
-    for current_filename, current_contents in file_pairs:
-      if current_contents is None:
-        # This is a deleted file.
-        if current_filename.endswith('/'):
-          current_filename = current_filename[:-1]
+    output = StringIO()
+    with tarfile.open(fileobj=output, mode="w:gz") as tar:
+        for current_filename, current_contents in file_pairs:
+            if current_contents is None:
+                # This is a deleted file.
+                if current_filename.endswith("/"):
+                    current_filename = current_filename[:-1]
 
-        parts = current_filename.split('/')
-        if len(parts) > 1:
-          current_filename = '/'.join(parts[:-1]) + '/' + AUFS_WHITEOUT + parts[-1]
-        else:
-          current_filename = AUFS_WHITEOUT + parts[-1]
+                parts = current_filename.split("/")
+                if len(parts) > 1:
+                    current_filename = (
+                        "/".join(parts[:-1]) + "/" + AUFS_WHITEOUT + parts[-1]
+                    )
+                else:
+                    current_filename = AUFS_WHITEOUT + parts[-1]
 
-        current_contents = ''
+                current_contents = ""
 
-      if current_contents.startswith('linkto:'):
-        info = tarfile.TarInfo(name=current_filename)
-        info.linkname = current_contents[len('linkto:'):]
-        info.type = tarfile.LNKTYPE
-        tar.addfile(info)
-      else:
-        info = tarfile.TarInfo(name=current_filename)
-        info.size = len(current_contents)
-        tar.addfile(info, fileobj=StringIO(current_contents))
+            if current_contents.startswith("linkto:"):
+                info = tarfile.TarInfo(name=current_filename)
+                info.linkname = current_contents[len("linkto:") :]
+                info.type = tarfile.LNKTYPE
+                tar.addfile(info)
+            else:
+                info = tarfile.TarInfo(name=current_filename)
+                info.size = len(current_contents)
+                tar.addfile(info, fileobj=StringIO(current_contents))
 
-  return output.getvalue()
+    return output.getvalue()
 
 
 def create_empty_layer():
-  return ''
+    return ""
 
 
 def squash_layers(layers, path_prefix=None):
-  def getter_for_layer(layer):
-    return lambda: StringIO(layer)
+    def getter_for_layer(layer):
+        return lambda: StringIO(layer)
 
-  def layer_stream_getter():
-    return [getter_for_layer(layer) for layer in layers]
+    def layer_stream_getter():
+        return [getter_for_layer(layer) for layer in layers]
 
-  merger = StreamLayerMerger(layer_stream_getter, path_prefix=path_prefix)
-  merged_data = ''.join(merger.get_generator())
-  return merged_data
+    merger = StreamLayerMerger(layer_stream_getter, path_prefix=path_prefix)
+    merged_data = "".join(merger.get_generator())
+    return merged_data
 
 
 def assertHasFile(squashed, filename, contents):
-  with tarfile.open(fileobj=StringIO(squashed), mode='r:*') as tar:
-    member = tar.getmember(filename)
-    assert contents == '\n'.join(tar.extractfile(member).readlines())
+    with tarfile.open(fileobj=StringIO(squashed), mode="r:*") as tar:
+        member = tar.getmember(filename)
+        assert contents == "\n".join(tar.extractfile(member).readlines())
 
 
 def assertDoesNotHaveFile(squashed, filename):
-  with tarfile.open(fileobj=StringIO(squashed), mode='r:*') as tar:
-    try:
-      member = tar.getmember(filename)
-    except Exception as ex:
-      return
+    with tarfile.open(fileobj=StringIO(squashed), mode="r:*") as tar:
+        try:
+            member = tar.getmember(filename)
+        except Exception as ex:
+            return
 
-    assert False, 'Filename %s found' % filename
+        assert False, "Filename %s found" % filename
 
 
 def test_single_layer():
-  tar_layer = create_layer(
-    ('some_file', 'foo'),
-    ('another_file', 'bar'),
-    ('third_file', 'meh'))
+    tar_layer = create_layer(
+        ("some_file", "foo"), ("another_file", "bar"), ("third_file", "meh")
+    )
 
-  squashed = squash_layers([tar_layer])
+    squashed = squash_layers([tar_layer])
+
+    assertHasFile(squashed, "some_file", "foo")
+    assertHasFile(squashed, "another_file", "bar")
+    assertHasFile(squashed, "third_file", "meh")
 
-  assertHasFile(squashed, 'some_file', 'foo')
-  assertHasFile(squashed, 'another_file', 'bar')
-  assertHasFile(squashed, 'third_file', 'meh')
 
 def test_multiple_layers():
-  second_layer = create_layer(
-    ('some_file', 'foo'),
-    ('another_file', 'bar'),
-    ('third_file', 'meh'))
+    second_layer = create_layer(
+        ("some_file", "foo"), ("another_file", "bar"), ("third_file", "meh")
+    )
 
-  first_layer = create_layer(
-    ('top_file', 'top'))
+    first_layer = create_layer(("top_file", "top"))
 
-  squashed = squash_layers([first_layer, second_layer])
+    squashed = squash_layers([first_layer, second_layer])
+
+    assertHasFile(squashed, "some_file", "foo")
+    assertHasFile(squashed, "another_file", "bar")
+    assertHasFile(squashed, "third_file", "meh")
+    assertHasFile(squashed, "top_file", "top")
 
-  assertHasFile(squashed, 'some_file', 'foo')
-  assertHasFile(squashed, 'another_file', 'bar')
-  assertHasFile(squashed, 'third_file', 'meh')
-  assertHasFile(squashed, 'top_file', 'top')
 
 def test_multiple_layers_dot():
-  second_layer = create_layer(
-    ('./some_file', 'foo'),
-    ('another_file', 'bar'),
-    ('./third_file', 'meh'))
+    second_layer = create_layer(
+        ("./some_file", "foo"), ("another_file", "bar"), ("./third_file", "meh")
+    )
 
-  first_layer = create_layer(
-    ('top_file', 'top'))
+    first_layer = create_layer(("top_file", "top"))
 
-  squashed = squash_layers([first_layer, second_layer])
+    squashed = squash_layers([first_layer, second_layer])
+
+    assertHasFile(squashed, "./some_file", "foo")
+    assertHasFile(squashed, "another_file", "bar")
+    assertHasFile(squashed, "./third_file", "meh")
+    assertHasFile(squashed, "top_file", "top")
 
-  assertHasFile(squashed, './some_file', 'foo')
-  assertHasFile(squashed, 'another_file', 'bar')
-  assertHasFile(squashed, './third_file', 'meh')
-  assertHasFile(squashed, 'top_file', 'top')
 
 def test_multiple_layers_overwrite():
-  second_layer = create_layer(
-    ('some_file', 'foo'),
-    ('another_file', 'bar'),
-    ('third_file', 'meh'))
+    second_layer = create_layer(
+        ("some_file", "foo"), ("another_file", "bar"), ("third_file", "meh")
+    )
 
-  first_layer = create_layer(
-    ('another_file', 'top'))
+    first_layer = create_layer(("another_file", "top"))
 
-  squashed = squash_layers([first_layer, second_layer])
+    squashed = squash_layers([first_layer, second_layer])
+
+    assertHasFile(squashed, "some_file", "foo")
+    assertHasFile(squashed, "third_file", "meh")
+    assertHasFile(squashed, "another_file", "top")
 
-  assertHasFile(squashed, 'some_file', 'foo')
-  assertHasFile(squashed, 'third_file', 'meh')
-  assertHasFile(squashed, 'another_file', 'top')
 
 def test_multiple_layers_overwrite_base_dot():
-  second_layer = create_layer(
-    ('some_file', 'foo'),
-    ('./another_file', 'bar'),
-    ('third_file', 'meh'))
+    second_layer = create_layer(
+        ("some_file", "foo"), ("./another_file", "bar"), ("third_file", "meh")
+    )
 
-  first_layer = create_layer(
-    ('another_file', 'top'))
+    first_layer = create_layer(("another_file", "top"))
 
-  squashed = squash_layers([first_layer, second_layer])
+    squashed = squash_layers([first_layer, second_layer])
+
+    assertHasFile(squashed, "some_file", "foo")
+    assertHasFile(squashed, "third_file", "meh")
+    assertHasFile(squashed, "another_file", "top")
+    assertDoesNotHaveFile(squashed, "./another_file")
 
-  assertHasFile(squashed, 'some_file', 'foo')
-  assertHasFile(squashed, 'third_file', 'meh')
-  assertHasFile(squashed, 'another_file', 'top')
-  assertDoesNotHaveFile(squashed, './another_file')
 
 def test_multiple_layers_overwrite_top_dot():
-  second_layer = create_layer(
-    ('some_file', 'foo'),
-    ('another_file', 'bar'),
-    ('third_file', 'meh'))
+    second_layer = create_layer(
+        ("some_file", "foo"), ("another_file", "bar"), ("third_file", "meh")
+    )
 
-  first_layer = create_layer(
-    ('./another_file', 'top'))
+    first_layer = create_layer(("./another_file", "top"))
 
-  squashed = squash_layers([first_layer, second_layer])
+    squashed = squash_layers([first_layer, second_layer])
+
+    assertHasFile(squashed, "some_file", "foo")
+    assertHasFile(squashed, "third_file", "meh")
+    assertHasFile(squashed, "./another_file", "top")
+    assertDoesNotHaveFile(squashed, "another_file")
 
-  assertHasFile(squashed, 'some_file', 'foo')
-  assertHasFile(squashed, 'third_file', 'meh')
-  assertHasFile(squashed, './another_file', 'top')
-  assertDoesNotHaveFile(squashed, 'another_file')
 
 def test_deleted_file():
-  second_layer = create_layer(
-    ('some_file', 'foo'),
-    ('another_file', 'bar'),
-    ('third_file', 'meh'))
+    second_layer = create_layer(
+        ("some_file", "foo"), ("another_file", "bar"), ("third_file", "meh")
+    )
 
-  first_layer = create_layer(
-    ('another_file', None))
+    first_layer = create_layer(("another_file", None))
 
-  squashed = squash_layers([first_layer, second_layer])
+    squashed = squash_layers([first_layer, second_layer])
+
+    assertHasFile(squashed, "some_file", "foo")
+    assertHasFile(squashed, "third_file", "meh")
+    assertDoesNotHaveFile(squashed, "another_file")
 
-  assertHasFile(squashed, 'some_file', 'foo')
-  assertHasFile(squashed, 'third_file', 'meh')
-  assertDoesNotHaveFile(squashed, 'another_file')
 
 def test_deleted_readded_file():
-  third_layer = create_layer(
-    ('another_file', 'bar'))
+    third_layer = create_layer(("another_file", "bar"))
 
-  second_layer = create_layer(
-    ('some_file', 'foo'),
-    ('another_file', None),
-    ('third_file', 'meh'))
+    second_layer = create_layer(
+        ("some_file", "foo"), ("another_file", None), ("third_file", "meh")
+    )
 
-  first_layer = create_layer(
-    ('another_file', 'newagain'))
+    first_layer = create_layer(("another_file", "newagain"))
 
-  squashed = squash_layers([first_layer, second_layer, third_layer])
+    squashed = squash_layers([first_layer, second_layer, third_layer])
+
+    assertHasFile(squashed, "some_file", "foo")
+    assertHasFile(squashed, "third_file", "meh")
+    assertHasFile(squashed, "another_file", "newagain")
 
-  assertHasFile(squashed, 'some_file', 'foo')
-  assertHasFile(squashed, 'third_file', 'meh')
-  assertHasFile(squashed, 'another_file', 'newagain')
 
 def test_deleted_in_lower_layer():
-  third_layer = create_layer(
-    ('deleted_file', 'bar'))
+    third_layer = create_layer(("deleted_file", "bar"))
 
-  second_layer = create_layer(
-    ('some_file', 'foo'),
-    ('deleted_file', None),
-    ('third_file', 'meh'))
+    second_layer = create_layer(
+        ("some_file", "foo"), ("deleted_file", None), ("third_file", "meh")
+    )
 
-  first_layer = create_layer(
-    ('top_file', 'top'))
+    first_layer = create_layer(("top_file", "top"))
 
-  squashed = squash_layers([first_layer, second_layer, third_layer])
+    squashed = squash_layers([first_layer, second_layer, third_layer])
+
+    assertHasFile(squashed, "some_file", "foo")
+    assertHasFile(squashed, "third_file", "meh")
+    assertHasFile(squashed, "top_file", "top")
+    assertDoesNotHaveFile(squashed, "deleted_file")
 
-  assertHasFile(squashed, 'some_file', 'foo')
-  assertHasFile(squashed, 'third_file', 'meh')
-  assertHasFile(squashed, 'top_file', 'top')
-  assertDoesNotHaveFile(squashed, 'deleted_file')
 
 def test_deleted_in_lower_layer_with_added_dot():
-  third_layer = create_layer(
-    ('./deleted_file', 'something'))
+    third_layer = create_layer(("./deleted_file", "something"))
 
-  second_layer = create_layer(
-    ('deleted_file', None))
+    second_layer = create_layer(("deleted_file", None))
+
+    squashed = squash_layers([second_layer, third_layer])
+    assertDoesNotHaveFile(squashed, "deleted_file")
 
-  squashed = squash_layers([second_layer, third_layer])
-  assertDoesNotHaveFile(squashed, 'deleted_file')
 
 def test_deleted_in_lower_layer_with_deleted_dot():
-  third_layer = create_layer(
-    ('./deleted_file', 'something'))
+    third_layer = create_layer(("./deleted_file", "something"))
 
-  second_layer = create_layer(
-    ('./deleted_file', None))
+    second_layer = create_layer(("./deleted_file", None))
+
+    squashed = squash_layers([second_layer, third_layer])
+    assertDoesNotHaveFile(squashed, "deleted_file")
 
-  squashed = squash_layers([second_layer, third_layer])
-  assertDoesNotHaveFile(squashed, 'deleted_file')
 
 def test_directory():
-  second_layer = create_layer(
-    ('foo/some_file', 'foo'),
-    ('foo/another_file', 'bar'))
+    second_layer = create_layer(("foo/some_file", "foo"), ("foo/another_file", "bar"))
 
-  first_layer = create_layer(
-    ('foo/some_file', 'top'))
+    first_layer = create_layer(("foo/some_file", "top"))
 
-  squashed = squash_layers([first_layer, second_layer])
+    squashed = squash_layers([first_layer, second_layer])
+
+    assertHasFile(squashed, "foo/some_file", "top")
+    assertHasFile(squashed, "foo/another_file", "bar")
 
-  assertHasFile(squashed, 'foo/some_file', 'top')
-  assertHasFile(squashed, 'foo/another_file', 'bar')
 
 def test_sub_directory():
-  second_layer = create_layer(
-    ('foo/some_file', 'foo'),
-    ('foo/bar/another_file', 'bar'))
+    second_layer = create_layer(
+        ("foo/some_file", "foo"), ("foo/bar/another_file", "bar")
+    )
 
-  first_layer = create_layer(
-    ('foo/some_file', 'top'))
+    first_layer = create_layer(("foo/some_file", "top"))
 
-  squashed = squash_layers([first_layer, second_layer])
+    squashed = squash_layers([first_layer, second_layer])
+
+    assertHasFile(squashed, "foo/some_file", "top")
+    assertHasFile(squashed, "foo/bar/another_file", "bar")
 
-  assertHasFile(squashed, 'foo/some_file', 'top')
-  assertHasFile(squashed, 'foo/bar/another_file', 'bar')
 
 def test_delete_directory():
-  second_layer = create_layer(
-    ('foo/some_file', 'foo'),
-    ('foo/another_file', 'bar'))
+    second_layer = create_layer(("foo/some_file", "foo"), ("foo/another_file", "bar"))
 
-  first_layer = create_layer(
-    ('foo/', None))
+    first_layer = create_layer(("foo/", None))
 
-  squashed = squash_layers([first_layer, second_layer])
+    squashed = squash_layers([first_layer, second_layer])
+
+    assertDoesNotHaveFile(squashed, "foo/some_file")
+    assertDoesNotHaveFile(squashed, "foo/another_file")
 
-  assertDoesNotHaveFile(squashed, 'foo/some_file')
-  assertDoesNotHaveFile(squashed, 'foo/another_file')
 
 def test_delete_sub_directory():
-  second_layer = create_layer(
-    ('foo/some_file', 'foo'),
-    ('foo/bar/another_file', 'bar'))
+    second_layer = create_layer(
+        ("foo/some_file", "foo"), ("foo/bar/another_file", "bar")
+    )
 
-  first_layer = create_layer(
-    ('foo/bar/', None))
+    first_layer = create_layer(("foo/bar/", None))
 
-  squashed = squash_layers([first_layer, second_layer])
+    squashed = squash_layers([first_layer, second_layer])
+
+    assertDoesNotHaveFile(squashed, "foo/bar/another_file")
+    assertHasFile(squashed, "foo/some_file", "foo")
 
-  assertDoesNotHaveFile(squashed, 'foo/bar/another_file')
-  assertHasFile(squashed, 'foo/some_file', 'foo')
 
 def test_delete_sub_directory_with_dot():
-  second_layer = create_layer(
-    ('foo/some_file', 'foo'),
-    ('foo/bar/another_file', 'bar'))
+    second_layer = create_layer(
+        ("foo/some_file", "foo"), ("foo/bar/another_file", "bar")
+    )
 
-  first_layer = create_layer(
-    ('./foo/bar/', None))
+    first_layer = create_layer(("./foo/bar/", None))
 
-  squashed = squash_layers([first_layer, second_layer])
+    squashed = squash_layers([first_layer, second_layer])
+
+    assertDoesNotHaveFile(squashed, "foo/bar/another_file")
+    assertHasFile(squashed, "foo/some_file", "foo")
 
-  assertDoesNotHaveFile(squashed, 'foo/bar/another_file')
-  assertHasFile(squashed, 'foo/some_file', 'foo')
 
 def test_delete_sub_directory_with_subdot():
-  second_layer = create_layer(
-    ('./foo/some_file', 'foo'),
-    ('./foo/bar/another_file', 'bar'))
+    second_layer = create_layer(
+        ("./foo/some_file", "foo"), ("./foo/bar/another_file", "bar")
+    )
 
-  first_layer = create_layer(
-    ('foo/bar/', None))
+    first_layer = create_layer(("foo/bar/", None))
 
-  squashed = squash_layers([first_layer, second_layer])
+    squashed = squash_layers([first_layer, second_layer])
+
+    assertDoesNotHaveFile(squashed, "foo/bar/another_file")
+    assertDoesNotHaveFile(squashed, "./foo/bar/another_file")
+    assertHasFile(squashed, "./foo/some_file", "foo")
 
-  assertDoesNotHaveFile(squashed, 'foo/bar/another_file')
-  assertDoesNotHaveFile(squashed, './foo/bar/another_file')
-  assertHasFile(squashed, './foo/some_file', 'foo')
 
 def test_delete_directory_recreate():
-  third_layer = create_layer(
-    ('foo/some_file', 'foo'),
-    ('foo/another_file', 'bar'))
+    third_layer = create_layer(("foo/some_file", "foo"), ("foo/another_file", "bar"))
 
-  second_layer = create_layer(
-    ('foo/', None))
+    second_layer = create_layer(("foo/", None))
 
-  first_layer = create_layer(
-    ('foo/some_file', 'baz'))
+    first_layer = create_layer(("foo/some_file", "baz"))
 
-  squashed = squash_layers([first_layer, second_layer, third_layer])
+    squashed = squash_layers([first_layer, second_layer, third_layer])
+
+    assertHasFile(squashed, "foo/some_file", "baz")
+    assertDoesNotHaveFile(squashed, "foo/another_file")
 
-  assertHasFile(squashed, 'foo/some_file', 'baz')
-  assertDoesNotHaveFile(squashed, 'foo/another_file')
 
 def test_delete_directory_prefix():
-  third_layer = create_layer(
-    ('foobar/some_file', 'foo'),
-    ('foo/another_file', 'bar'))
+    third_layer = create_layer(("foobar/some_file", "foo"), ("foo/another_file", "bar"))
 
-  second_layer = create_layer(
-    ('foo/', None))
+    second_layer = create_layer(("foo/", None))
 
-  squashed = squash_layers([second_layer, third_layer])
+    squashed = squash_layers([second_layer, third_layer])
 
-  assertHasFile(squashed, 'foobar/some_file', 'foo')
-  assertDoesNotHaveFile(squashed, 'foo/another_file')
+    assertHasFile(squashed, "foobar/some_file", "foo")
+    assertDoesNotHaveFile(squashed, "foo/another_file")
 
 
 def test_delete_directory_pre_prefix():
-  third_layer = create_layer(
-    ('foobar/baz/some_file', 'foo'),
-    ('foo/another_file', 'bar'))
+    third_layer = create_layer(
+        ("foobar/baz/some_file", "foo"), ("foo/another_file", "bar")
+    )
 
-  second_layer = create_layer(
-    ('foo/', None))
+    second_layer = create_layer(("foo/", None))
 
-  squashed = squash_layers([second_layer, third_layer])
+    squashed = squash_layers([second_layer, third_layer])
 
-  assertHasFile(squashed, 'foobar/baz/some_file', 'foo')
-  assertDoesNotHaveFile(squashed, 'foo/another_file')
+    assertHasFile(squashed, "foobar/baz/some_file", "foo")
+    assertDoesNotHaveFile(squashed, "foo/another_file")
 
 
 def test_delete_root_directory():
-  third_layer = create_layer(
-    ('build/first_file', 'foo'),
-    ('build/second_file', 'bar'))
+    third_layer = create_layer(
+        ("build/first_file", "foo"), ("build/second_file", "bar")
+    )
 
-  second_layer = create_layer(
-    ('build', None))
+    second_layer = create_layer(("build", None))
 
-  squashed = squash_layers([second_layer, third_layer])
+    squashed = squash_layers([second_layer, third_layer])
 
-  assertDoesNotHaveFile(squashed, 'build/first_file')
-  assertDoesNotHaveFile(squashed, 'build/second_file')
+    assertDoesNotHaveFile(squashed, "build/first_file")
+    assertDoesNotHaveFile(squashed, "build/second_file")
 
 
 def test_tar_empty_layer():
-  third_layer = create_layer(
-    ('build/first_file', 'foo'),
-    ('build/second_file', 'bar'))
+    third_layer = create_layer(
+        ("build/first_file", "foo"), ("build/second_file", "bar")
+    )
 
-  empty_layer = create_layer()
+    empty_layer = create_layer()
 
-  squashed = squash_layers([empty_layer, third_layer])
+    squashed = squash_layers([empty_layer, third_layer])
 
-  assertHasFile(squashed, 'build/first_file', 'foo')
-  assertHasFile(squashed, 'build/second_file', 'bar')
+    assertHasFile(squashed, "build/first_file", "foo")
+    assertHasFile(squashed, "build/second_file", "bar")
 
 
 def test_data_empty_layer():
-  third_layer = create_layer(
-    ('build/first_file', 'foo'),
-    ('build/second_file', 'bar'))
+    third_layer = create_layer(
+        ("build/first_file", "foo"), ("build/second_file", "bar")
+    )
 
-  empty_layer = create_empty_layer()
+    empty_layer = create_empty_layer()
 
-  squashed = squash_layers([empty_layer, third_layer])
+    squashed = squash_layers([empty_layer, third_layer])
 
-  assertHasFile(squashed, 'build/first_file', 'foo')
-  assertHasFile(squashed, 'build/second_file', 'bar')
+    assertHasFile(squashed, "build/first_file", "foo")
+    assertHasFile(squashed, "build/second_file", "bar")
 
 
 def test_broken_layer():
-  third_layer = create_layer(
-    ('build/first_file', 'foo'),
-    ('build/second_file', 'bar'))
+    third_layer = create_layer(
+        ("build/first_file", "foo"), ("build/second_file", "bar")
+    )
 
-  broken_layer = 'not valid data'
+    broken_layer = "not valid data"
 
-  with pytest.raises(TarLayerReadException):
-    squash_layers([broken_layer, third_layer])
+    with pytest.raises(TarLayerReadException):
+        squash_layers([broken_layer, third_layer])
 
 
 def test_single_layer_with_prefix():
-  tar_layer = create_layer(
-    ('some_file', 'foo'),
-    ('another_file', 'bar'),
-    ('third_file', 'meh'))
+    tar_layer = create_layer(
+        ("some_file", "foo"), ("another_file", "bar"), ("third_file", "meh")
+    )
 
-  squashed = squash_layers([tar_layer], path_prefix='foo/')
+    squashed = squash_layers([tar_layer], path_prefix="foo/")
 
-  assertHasFile(squashed, 'foo/some_file', 'foo')
-  assertHasFile(squashed, 'foo/another_file', 'bar')
-  assertHasFile(squashed, 'foo/third_file', 'meh')
+    assertHasFile(squashed, "foo/some_file", "foo")
+    assertHasFile(squashed, "foo/another_file", "bar")
+    assertHasFile(squashed, "foo/third_file", "meh")
 
 
 def test_multiple_layers_overwrite_with_prefix():
-  second_layer = create_layer(
-    ('some_file', 'foo'),
-    ('another_file', 'bar'),
-    ('third_file', 'meh'))
+    second_layer = create_layer(
+        ("some_file", "foo"), ("another_file", "bar"), ("third_file", "meh")
+    )
 
-  first_layer = create_layer(
-    ('another_file', 'top'))
+    first_layer = create_layer(("another_file", "top"))
 
-  squashed = squash_layers([first_layer, second_layer], path_prefix='foo/')
+    squashed = squash_layers([first_layer, second_layer], path_prefix="foo/")
 
-  assertHasFile(squashed, 'foo/some_file', 'foo')
-  assertHasFile(squashed, 'foo/third_file', 'meh')
-  assertHasFile(squashed, 'foo/another_file', 'top')
+    assertHasFile(squashed, "foo/some_file", "foo")
+    assertHasFile(squashed, "foo/third_file", "meh")
+    assertHasFile(squashed, "foo/another_file", "top")
 
 
 def test_superlong_filename():
-  tar_layer = create_layer(
-    ('this_is_the_filename_that_never_ends_it_goes_on_and_on_my_friend_some_people_started', 'meh'))
+    tar_layer = create_layer(
+        (
+            "this_is_the_filename_that_never_ends_it_goes_on_and_on_my_friend_some_people_started",
+            "meh",
+        )
+    )
 
-  squashed = squash_layers([tar_layer], path_prefix='foo/')
-  assertHasFile(squashed, 'foo/this_is_the_filename_that_never_ends_it_goes_on_and_on_my_friend_some_people_started', 'meh')
+    squashed = squash_layers([tar_layer], path_prefix="foo/")
+    assertHasFile(
+        squashed,
+        "foo/this_is_the_filename_that_never_ends_it_goes_on_and_on_my_friend_some_people_started",
+        "meh",
+    )
 
 
 def test_superlong_prefix():
-  tar_layer = create_layer(
-    ('some_file', 'foo'),
-    ('another_file', 'bar'),
-    ('third_file', 'meh'))
+    tar_layer = create_layer(
+        ("some_file", "foo"), ("another_file", "bar"), ("third_file", "meh")
+    )
 
-  squashed = squash_layers([tar_layer],
-      path_prefix='foo/bar/baz/something/foo/bar/baz/anotherthing/whatever/this/is/a/really/long/filename/that/goes/here/')
+    squashed = squash_layers(
+        [tar_layer],
+        path_prefix="foo/bar/baz/something/foo/bar/baz/anotherthing/whatever/this/is/a/really/long/filename/that/goes/here/",
+    )
 
-  assertHasFile(squashed, 'foo/bar/baz/something/foo/bar/baz/anotherthing/whatever/this/is/a/really/long/filename/that/goes/here/some_file', 'foo')
-  assertHasFile(squashed, 'foo/bar/baz/something/foo/bar/baz/anotherthing/whatever/this/is/a/really/long/filename/that/goes/here/another_file', 'bar')
-  assertHasFile(squashed, 'foo/bar/baz/something/foo/bar/baz/anotherthing/whatever/this/is/a/really/long/filename/that/goes/here/third_file', 'meh')
+    assertHasFile(
+        squashed,
+        "foo/bar/baz/something/foo/bar/baz/anotherthing/whatever/this/is/a/really/long/filename/that/goes/here/some_file",
+        "foo",
+    )
+    assertHasFile(
+        squashed,
+        "foo/bar/baz/something/foo/bar/baz/anotherthing/whatever/this/is/a/really/long/filename/that/goes/here/another_file",
+        "bar",
+    )
+    assertHasFile(
+        squashed,
+        "foo/bar/baz/something/foo/bar/baz/anotherthing/whatever/this/is/a/really/long/filename/that/goes/here/third_file",
+        "meh",
+    )
 
 
 def test_hardlink_to_deleted_file():
-  first_layer = create_layer(
-    ('tobedeletedfile', 'somecontents'),
-    ('link_to_deleted_file', 'linkto:tobedeletedfile'),
-    ('third_file', 'meh'))
+    first_layer = create_layer(
+        ("tobedeletedfile", "somecontents"),
+        ("link_to_deleted_file", "linkto:tobedeletedfile"),
+        ("third_file", "meh"),
+    )
 
-  second_layer = create_layer(
-    ('tobedeletedfile', None))
+    second_layer = create_layer(("tobedeletedfile", None))
 
-  squashed = squash_layers([second_layer, first_layer], path_prefix='foo/')
+    squashed = squash_layers([second_layer, first_layer], path_prefix="foo/")
 
-  assertHasFile(squashed, 'foo/third_file', 'meh')
-  assertHasFile(squashed, 'foo/link_to_deleted_file', 'somecontents')
-  assertDoesNotHaveFile(squashed, 'foo/tobedeletedfile')
+    assertHasFile(squashed, "foo/third_file", "meh")
+    assertHasFile(squashed, "foo/link_to_deleted_file", "somecontents")
+    assertDoesNotHaveFile(squashed, "foo/tobedeletedfile")
 
 
 def test_multiple_hardlink_to_deleted_file():
-  first_layer = create_layer(
-    ('tobedeletedfile', 'somecontents'),
-    ('link_to_deleted_file', 'linkto:tobedeletedfile'),
-    ('another_link_to_deleted_file', 'linkto:tobedeletedfile'),
-    ('third_file', 'meh'))
+    first_layer = create_layer(
+        ("tobedeletedfile", "somecontents"),
+        ("link_to_deleted_file", "linkto:tobedeletedfile"),
+        ("another_link_to_deleted_file", "linkto:tobedeletedfile"),
+        ("third_file", "meh"),
+    )
 
-  second_layer = create_layer(
-    ('tobedeletedfile', None))
+    second_layer = create_layer(("tobedeletedfile", None))
 
-  squashed = squash_layers([second_layer, first_layer], path_prefix='foo/')
+    squashed = squash_layers([second_layer, first_layer], path_prefix="foo/")
 
-  assertHasFile(squashed, 'foo/third_file', 'meh')
-  assertHasFile(squashed, 'foo/link_to_deleted_file', 'somecontents')
-  assertHasFile(squashed, 'foo/another_link_to_deleted_file', 'somecontents')
+    assertHasFile(squashed, "foo/third_file", "meh")
+    assertHasFile(squashed, "foo/link_to_deleted_file", "somecontents")
+    assertHasFile(squashed, "foo/another_link_to_deleted_file", "somecontents")
 
-  assertDoesNotHaveFile(squashed, 'foo/tobedeletedfile')
+    assertDoesNotHaveFile(squashed, "foo/tobedeletedfile")
diff --git a/util/registry/torrent.py b/util/registry/torrent.py
index 9abfd53db..1b8b4c561 100644
--- a/util/registry/torrent.py
+++ b/util/registry/torrent.py
@@ -9,129 +9,150 @@ import resumablehashlib
 
 
 class TorrentConfiguration(object):
-  def __init__(self, instance_keys, announce_url, filename_pepper, registry_title):
-    self.instance_keys = instance_keys
-    self.announce_url = announce_url
-    self.filename_pepper = filename_pepper
-    self.registry_title = registry_title
+    def __init__(self, instance_keys, announce_url, filename_pepper, registry_title):
+        self.instance_keys = instance_keys
+        self.announce_url = announce_url
+        self.filename_pepper = filename_pepper
+        self.registry_title = registry_title
 
-  @classmethod
-  def for_testing(cls, instance_keys, announce_url, registry_title):
-    return TorrentConfiguration(instance_keys, announce_url, 'somepepper', registry_title)
+    @classmethod
+    def for_testing(cls, instance_keys, announce_url, registry_title):
+        return TorrentConfiguration(
+            instance_keys, announce_url, "somepepper", registry_title
+        )
 
-  @classmethod
-  def from_app_config(cls, instance_keys, config):
-    return TorrentConfiguration(instance_keys, config['BITTORRENT_ANNOUNCE_URL'],
-                                config['BITTORRENT_FILENAME_PEPPER'], config['REGISTRY_TITLE'])
+    @classmethod
+    def from_app_config(cls, instance_keys, config):
+        return TorrentConfiguration(
+            instance_keys,
+            config["BITTORRENT_ANNOUNCE_URL"],
+            config["BITTORRENT_FILENAME_PEPPER"],
+            config["REGISTRY_TITLE"],
+        )
 
 
 def _jwt_from_infodict(torrent_config, infodict):
-  """ Returns an encoded JWT for the given BitTorrent info dict, signed by the local instance's
+    """ Returns an encoded JWT for the given BitTorrent info dict, signed by the local instance's
       private key.
   """
-  digest = hashlib.sha1()
-  digest.update(bencode.bencode(infodict))
-  return jwt_from_infohash(torrent_config, digest.digest())
+    digest = hashlib.sha1()
+    digest.update(bencode.bencode(infodict))
+    return jwt_from_infohash(torrent_config, digest.digest())
 
 
 def jwt_from_infohash(torrent_config, infohash_digest):
-  """ Returns an encoded JWT for the given BitTorrent infohash, signed by the local instance's
+    """ Returns an encoded JWT for the given BitTorrent infohash, signed by the local instance's
       private key.
   """
-  token_data = {
-    'iss': torrent_config.instance_keys.service_name,
-    'aud': torrent_config.announce_url,
-    'infohash': hexlify(infohash_digest),
-  }
-  return jwt.encode(token_data, torrent_config.instance_keys.local_private_key, algorithm='RS256',
-                    headers={'kid': torrent_config.instance_keys.local_key_id})
+    token_data = {
+        "iss": torrent_config.instance_keys.service_name,
+        "aud": torrent_config.announce_url,
+        "infohash": hexlify(infohash_digest),
+    }
+    return jwt.encode(
+        token_data,
+        torrent_config.instance_keys.local_private_key,
+        algorithm="RS256",
+        headers={"kid": torrent_config.instance_keys.local_key_id},
+    )
 
 
 def make_torrent(torrent_config, name, webseed, length, piece_length, pieces):
-  info_dict = {
-    'name': name,
-    'length': length,
-    'piece length': piece_length,
-    'pieces': pieces,
-    'private': 1,
-  }
+    info_dict = {
+        "name": name,
+        "length": length,
+        "piece length": piece_length,
+        "pieces": pieces,
+        "private": 1,
+    }
 
-  info_jwt = _jwt_from_infodict(torrent_config, info_dict)
-  return bencode.bencode({
-    'announce': torrent_config.announce_url + "?jwt=" + info_jwt,
-    'url-list': str(webseed),
-    'encoding': 'UTF-8',
-    'created by': torrent_config.registry_title,
-    'creation date': int(time.time()),
-    'info': info_dict,
-  })
+    info_jwt = _jwt_from_infodict(torrent_config, info_dict)
+    return bencode.bencode(
+        {
+            "announce": torrent_config.announce_url + "?jwt=" + info_jwt,
+            "url-list": str(webseed),
+            "encoding": "UTF-8",
+            "created by": torrent_config.registry_title,
+            "creation date": int(time.time()),
+            "info": info_dict,
+        }
+    )
 
 
 def public_torrent_filename(blob_uuid):
-  """ Returns the filename for the given blob UUID in a public image. """
-  return hashlib.sha256(blob_uuid).hexdigest()
+    """ Returns the filename for the given blob UUID in a public image. """
+    return hashlib.sha256(blob_uuid).hexdigest()
 
 
 def per_user_torrent_filename(torrent_config, user_uuid, blob_uuid):
-  """ Returns the filename for the given blob UUID for a private image. """
-  joined = torrent_config.filename_pepper + "||" + blob_uuid + "||" + user_uuid
-  return hashlib.sha256(joined).hexdigest()
+    """ Returns the filename for the given blob UUID for a private image. """
+    joined = torrent_config.filename_pepper + "||" + blob_uuid + "||" + user_uuid
+    return hashlib.sha256(joined).hexdigest()
 
 
 class PieceHasher(object):
-  """ Utility for computing torrent piece hashes as the data flows through the update
+    """ Utility for computing torrent piece hashes as the data flows through the update
       method of this class. Users should get the final value by calling final_piece_hashes
       since new chunks are allocated lazily.
   """
-  def __init__(self, piece_size, starting_offset=0, starting_piece_hash_bytes='',
-               hash_fragment_to_resume=None):
-    if not isinstance(starting_offset, (int, long)):
-      raise TypeError('starting_offset must be an integer')
-    elif not isinstance(piece_size, (int, long)):
-      raise TypeError('piece_size must be an integer')
 
-    self._current_offset = starting_offset
-    self._piece_size = piece_size
-    self._piece_hashes = bytearray(starting_piece_hash_bytes)
+    def __init__(
+        self,
+        piece_size,
+        starting_offset=0,
+        starting_piece_hash_bytes="",
+        hash_fragment_to_resume=None,
+    ):
+        if not isinstance(starting_offset, (int, long)):
+            raise TypeError("starting_offset must be an integer")
+        elif not isinstance(piece_size, (int, long)):
+            raise TypeError("piece_size must be an integer")
 
-    if hash_fragment_to_resume is None:
-      self._hash_fragment = resumablehashlib.sha1()
-    else:
-      self._hash_fragment = hash_fragment_to_resume
+        self._current_offset = starting_offset
+        self._piece_size = piece_size
+        self._piece_hashes = bytearray(starting_piece_hash_bytes)
 
+        if hash_fragment_to_resume is None:
+            self._hash_fragment = resumablehashlib.sha1()
+        else:
+            self._hash_fragment = hash_fragment_to_resume
 
-  def update(self, buf):
-    buf_offset = 0
-    while buf_offset < len(buf):
-      buf_bytes_to_hash = buf[0:self._piece_length_remaining()]
-      to_hash_len = len(buf_bytes_to_hash)
+    def update(self, buf):
+        buf_offset = 0
+        while buf_offset < len(buf):
+            buf_bytes_to_hash = buf[0 : self._piece_length_remaining()]
+            to_hash_len = len(buf_bytes_to_hash)
 
-      if self._piece_offset() == 0 and to_hash_len > 0 and self._current_offset > 0:
-        # We are opening a new piece
-        self._piece_hashes.extend(self._hash_fragment.digest())
-        self._hash_fragment = resumablehashlib.sha1()
+            if (
+                self._piece_offset() == 0
+                and to_hash_len > 0
+                and self._current_offset > 0
+            ):
+                # We are opening a new piece
+                self._piece_hashes.extend(self._hash_fragment.digest())
+                self._hash_fragment = resumablehashlib.sha1()
 
-      self._hash_fragment.update(buf_bytes_to_hash)
-      self._current_offset += to_hash_len
-      buf_offset += to_hash_len
+            self._hash_fragment.update(buf_bytes_to_hash)
+            self._current_offset += to_hash_len
+            buf_offset += to_hash_len
 
-  @property
-  def hashed_bytes(self):
-    return self._current_offset
+    @property
+    def hashed_bytes(self):
+        return self._current_offset
 
-  def _piece_length_remaining(self):
-    return self._piece_size - (self._current_offset % self._piece_size)
+    def _piece_length_remaining(self):
+        return self._piece_size - (self._current_offset % self._piece_size)
 
-  def _piece_offset(self):
-    return self._current_offset % self._piece_size
+    def _piece_offset(self):
+        return self._current_offset % self._piece_size
 
-  @property
-  def piece_hashes(self):
-    return self._piece_hashes
+    @property
+    def piece_hashes(self):
+        return self._piece_hashes
 
-  @property
-  def hash_fragment(self):
-    return self._hash_fragment
+    @property
+    def hash_fragment(self):
+        return self._hash_fragment
 
-  def final_piece_hashes(self):
-    return self._piece_hashes + self._hash_fragment.digest()
+    def final_piece_hashes(self):
+        return self._piece_hashes + self._hash_fragment.digest()
diff --git a/util/repomirror/api.py b/util/repomirror/api.py
index 8af33a665..52e641191 100644
--- a/util/repomirror/api.py
+++ b/util/repomirror/api.py
@@ -8,126 +8,159 @@ from util.abchelpers import nooper
 from util.repomirror.validator import RepoMirrorConfigValidator
 
 from _init import CONF_DIR
-TOKEN_VALIDITY_LIFETIME_S = 60  # Amount of time the repo mirror has to call the skopeo URL
 
-MITM_CERT_PATH = os.path.join(CONF_DIR, 'mitm.cert')
+TOKEN_VALIDITY_LIFETIME_S = (
+    60
+)  # Amount of time the repo mirror has to call the skopeo URL
 
-DEFAULT_HTTP_HEADERS = {'Connection': 'close'}
+MITM_CERT_PATH = os.path.join(CONF_DIR, "mitm.cert")
+
+DEFAULT_HTTP_HEADERS = {"Connection": "close"}
 
 logger = logging.getLogger(__name__)
 
 
 class RepoMirrorException(Exception):
-  """ Exception raised when a layer fails to analyze due to a request issue. """
+    """ Exception raised when a layer fails to analyze due to a request issue. """
+
 
 class RepoMirrorRetryException(Exception):
-  """ Exception raised when a layer fails to analyze due to a request issue, and the request should
+    """ Exception raised when a layer fails to analyze due to a request issue, and the request should
       be retried.
   """
 
+
 class APIRequestFailure(Exception):
-  """ Exception raised when there is a failure to conduct an API request. """
+    """ Exception raised when there is a failure to conduct an API request. """
+
 
 class Non200ResponseException(Exception):
-  """ Exception raised when the upstream API returns a non-200 HTTP status code. """
-  def __init__(self, response):
-    super(Non200ResponseException, self).__init__()
-    self.response = response
+    """ Exception raised when the upstream API returns a non-200 HTTP status code. """
+
+    def __init__(self, response):
+        super(Non200ResponseException, self).__init__()
+        self.response = response
 
 
-_API_METHOD_GET_REPOSITORY = 'repository/%s'
-_API_METHOD_PING = 'metrics'
+_API_METHOD_GET_REPOSITORY = "repository/%s"
+_API_METHOD_PING = "metrics"
 
 
 class RepoMirrorAPI(object):
-  """ Helper class for talking to the Repository Mirror service (usually Skopeo). """
-  def __init__(self, config, server_hostname=None, skip_validation=False, instance_keys=None):
-    feature_enabled = config.get('FEATURE_REPO_MIRROR', False)
-    has_valid_config = skip_validation
+    """ Helper class for talking to the Repository Mirror service (usually Skopeo). """
 
-    if not skip_validation and feature_enabled:
-      config_validator = RepoMirrorConfigValidator(feature_enabled)
-      has_valid_config = config_validator.valid()
+    def __init__(
+        self, config, server_hostname=None, skip_validation=False, instance_keys=None
+    ):
+        feature_enabled = config.get("FEATURE_REPO_MIRROR", False)
+        has_valid_config = skip_validation
 
-    self.state = NoopRepoMirrorAPI()
-    if feature_enabled and has_valid_config:
-      self.state = ImplementedRepoMirrorAPI(config, server_hostname, instance_keys=instance_keys)
+        if not skip_validation and feature_enabled:
+            config_validator = RepoMirrorConfigValidator(feature_enabled)
+            has_valid_config = config_validator.valid()
 
-  def __getattr__(self, name):
-    return getattr(self.state, name, None)
+        self.state = NoopRepoMirrorAPI()
+        if feature_enabled and has_valid_config:
+            self.state = ImplementedRepoMirrorAPI(
+                config, server_hostname, instance_keys=instance_keys
+            )
+
+    def __getattr__(self, name):
+        return getattr(self.state, name, None)
 
 
 @add_metaclass(ABCMeta)
 class RepoMirrorAPIInterface(object):
-  """ Helper class for talking to the Repository Mirror service (usually Skopeo Worker). """
+    """ Helper class for talking to the Repository Mirror service (usually Skopeo Worker). """
 
-  @abstractmethod
-  def ping(self):
-    """ Calls GET on the metrics endpoint of the repo mirror to ensure it is running
+    @abstractmethod
+    def ping(self):
+        """ Calls GET on the metrics endpoint of the repo mirror to ensure it is running
         and properly configured. Returns the HTTP response.
     """
-    pass
+        pass
 
-  @abstractmethod
-  def repository_mirror(self, repository):
-    """ Posts the given repository to the repo mirror for processing, blocking until complete.
+    @abstractmethod
+    def repository_mirror(self, repository):
+        """ Posts the given repository to the repo mirror for processing, blocking until complete.
         Returns the analysis version on success or raises an exception deriving from
         AnalyzeLayerException on failure. Callers should handle all cases of AnalyzeLayerException.
     """
-    pass
+        pass
 
-  @abstractmethod
-  def get_repository_data(self, repository):
-    """ Returns the layer data for the specified layer. On error, returns None. """
-    pass
+    @abstractmethod
+    def get_repository_data(self, repository):
+        """ Returns the layer data for the specified layer. On error, returns None. """
+        pass
 
 
 @nooper
 class NoopRepoMirrorAPI(RepoMirrorAPIInterface):
-  """ No-op version of the repo mirror API. """
-  pass
+    """ No-op version of the repo mirror API. """
+
+    pass
 
 
 class ImplementedRepoMirrorAPI(RepoMirrorAPIInterface):
-  """ Helper class for talking to the repo mirror service. """
-  def __init__(self, config, server_hostname, client=None, instance_keys=None):
-    self._config = config
-    self._instance_keys = instance_keys
-    self._client = client
-    self._server_hostname = server_hostname
+    """ Helper class for talking to the repo mirror service. """
 
-  def repository_mirror(self, repository):
-    """ Posts the given repository and config information to the mirror endpoint, blocking until complete.
+    def __init__(self, config, server_hostname, client=None, instance_keys=None):
+        self._config = config
+        self._instance_keys = instance_keys
+        self._client = client
+        self._server_hostname = server_hostname
+
+    def repository_mirror(self, repository):
+        """ Posts the given repository and config information to the mirror endpoint, blocking until complete.
         Returns the results on success or raises an exception.
     """
-    def _response_json(request, response):
-      try:
-        return response.json()
-      except ValueError:
-        logger.exception('Failed to decode JSON when analyzing layer %s', request['Layer']['Name'])
-        raise RepoMirrorException
 
-    return
+        def _response_json(request, response):
+            try:
+                return response.json()
+            except ValueError:
+                logger.exception(
+                    "Failed to decode JSON when analyzing layer %s",
+                    request["Layer"]["Name"],
+                )
+                raise RepoMirrorException
 
-  def get_repository_data(self, repository):
-    """ Returns the layer data for the specified layer. On error, returns None. """
-    return None
+        return
 
-  def ping(self):
-    """ Calls GET on the metrics endpoint of the repository mirror to ensure it is running
+    def get_repository_data(self, repository):
+        """ Returns the layer data for the specified layer. On error, returns None. """
+        return None
+
+    def ping(self):
+        """ Calls GET on the metrics endpoint of the repository mirror to ensure it is running
         and properly configured. Returns the HTTP response.
     """
-    try:
-      return self._call('GET', _API_METHOD_PING)
-    except requests.exceptions.Timeout as tie:
-      logger.exception('Timeout when trying to connect to repository mirror endpoint')
-      msg = 'Timeout when trying to connect to repository mirror endpoint: %s' % tie.message
-      raise Exception(msg)
-    except requests.exceptions.ConnectionError as ce:
-      logger.exception('Connection error when trying to connect to repository mirror endpoint')
-      msg = 'Connection error when trying to connect to repository mirror endpoint: %s' % ce.message
-      raise Exception(msg)
-    except (requests.exceptions.RequestException, ValueError) as ve:
-      logger.exception('Exception when trying to connect to repository mirror endpoint')
-      msg = 'Exception when trying to connect to repository mirror endpoint: %s' % ve
-      raise Exception(msg)
+        try:
+            return self._call("GET", _API_METHOD_PING)
+        except requests.exceptions.Timeout as tie:
+            logger.exception(
+                "Timeout when trying to connect to repository mirror endpoint"
+            )
+            msg = (
+                "Timeout when trying to connect to repository mirror endpoint: %s"
+                % tie.message
+            )
+            raise Exception(msg)
+        except requests.exceptions.ConnectionError as ce:
+            logger.exception(
+                "Connection error when trying to connect to repository mirror endpoint"
+            )
+            msg = (
+                "Connection error when trying to connect to repository mirror endpoint: %s"
+                % ce.message
+            )
+            raise Exception(msg)
+        except (requests.exceptions.RequestException, ValueError) as ve:
+            logger.exception(
+                "Exception when trying to connect to repository mirror endpoint"
+            )
+            msg = (
+                "Exception when trying to connect to repository mirror endpoint: %s"
+                % ve
+            )
+            raise Exception(msg)
diff --git a/util/repomirror/skopeomirror.py b/util/repomirror/skopeomirror.py
index a9bc7c45f..3b446911d 100644
--- a/util/repomirror/skopeomirror.py
+++ b/util/repomirror/skopeomirror.py
@@ -17,97 +17,125 @@ SkopeoResults = namedtuple("SkopeoCopyResults", "success tags stdout stderr")
 
 class SkopeoMirror(object):
 
-  # No DB calls here: This will be called from a separate worker that has no connection except
-  # to/from the mirror worker
-  def copy(self, src_image, dest_image,
-           src_tls_verify=True, dest_tls_verify=True,
-           src_username=None, src_password=None,
-           dest_username=None, dest_password=None,
-           proxy=None, verbose_logs=False):
+    # No DB calls here: This will be called from a separate worker that has no connection except
+    # to/from the mirror worker
+    def copy(
+        self,
+        src_image,
+        dest_image,
+        src_tls_verify=True,
+        dest_tls_verify=True,
+        src_username=None,
+        src_password=None,
+        dest_username=None,
+        dest_password=None,
+        proxy=None,
+        verbose_logs=False,
+    ):
 
-    args = ["/usr/bin/skopeo"]
-    if verbose_logs:
-      args = args + ["--debug"]
-    args = args + ["copy",
+        args = ["/usr/bin/skopeo"]
+        if verbose_logs:
+            args = args + ["--debug"]
+        args = args + [
+            "copy",
             "--src-tls-verify=%s" % src_tls_verify,
-            "--dest-tls-verify=%s" % dest_tls_verify
-    ]
-    args = args + self.external_registry_credentials("--dest-creds", dest_username, dest_password)
-    args = args + self.external_registry_credentials("--src-creds", src_username, src_password)
-    args = args + [quote(src_image), quote(dest_image)]
+            "--dest-tls-verify=%s" % dest_tls_verify,
+        ]
+        args = args + self.external_registry_credentials(
+            "--dest-creds", dest_username, dest_password
+        )
+        args = args + self.external_registry_credentials(
+            "--src-creds", src_username, src_password
+        )
+        args = args + [quote(src_image), quote(dest_image)]
 
-    return self.run_skopeo(args, proxy)
+        return self.run_skopeo(args, proxy)
 
-
-  def tags(self, repository, rule_value, username=None, password=None, tls_verify=True, proxy=None, verbose_logs=False):
-    """
+    def tags(
+        self,
+        repository,
+        rule_value,
+        username=None,
+        password=None,
+        tls_verify=True,
+        proxy=None,
+        verbose_logs=False,
+    ):
+        """
     Unless a specific tag is known, 'skopeo inspect' won't work. Here first 'latest' is checked
     and then the tag expression, split at commas, is each checked until one works.
     """
 
-    args = ["/usr/bin/skopeo"]
-    if verbose_logs:
-      args = args + ["--debug"]
-    args = args + ["inspect", "--tls-verify=%s" % tls_verify]
-    args = args + self.external_registry_credentials("--creds", username, password)
+        args = ["/usr/bin/skopeo"]
+        if verbose_logs:
+            args = args + ["--debug"]
+        args = args + ["inspect", "--tls-verify=%s" % tls_verify]
+        args = args + self.external_registry_credentials("--creds", username, password)
 
-    if not rule_value:
-      rule_value = []
+        if not rule_value:
+            rule_value = []
 
-    all_tags = []
-    for tag in rule_value + ["latest"]:
-      result = self.run_skopeo(args + [quote("%s:%s" % (repository, tag))], proxy)
+        all_tags = []
+        for tag in rule_value + ["latest"]:
+            result = self.run_skopeo(args + [quote("%s:%s" % (repository, tag))], proxy)
 
-      if result.success:
-        all_tags = json.loads(result.stdout)['RepoTags']
-        if all_tags is not []:
-          break
+            if result.success:
+                all_tags = json.loads(result.stdout)["RepoTags"]
+                if all_tags is not []:
+                    break
 
-    return SkopeoResults(result.success, all_tags, result.stdout, result.stderr)
+        return SkopeoResults(result.success, all_tags, result.stdout, result.stderr)
 
+    def external_registry_credentials(self, arg, username, password):
+        credentials = []
+        if username is not None and username != "":
+            if password is not None and password != "":
+                creds = "%s:%s" % (username, password)
+            else:
+                creds = "%s" % username
+            credentials = [arg, creds]
 
-  def external_registry_credentials(self, arg, username, password):
-    credentials = []
-    if username is not None and username != '':
-      if password is not None and password != '':
-        creds = "%s:%s" % (username, password)
-      else:
-        creds = "%s" % username
-      credentials = [arg, creds]
+        return credentials
 
-    return credentials
+    def setup_env(self, proxy):
+        env = os.environ.copy()
 
+        if proxy.get("http_proxy"):
+            env["HTTP_PROXY"] = proxy.get("http_proxy")
+        if proxy.get("https_proxy"):
+            env["HTTPS_PROXY"] = proxy.get("https_proxy")
+        if proxy.get("no_proxy"):
+            env["NO_PROXY"] = proxy.get("no_proxy")
 
-  def setup_env(self, proxy):
-    env = os.environ.copy()
+        return env
 
-    if proxy.get("http_proxy"):
-      env["HTTP_PROXY"] = proxy.get("http_proxy")
-    if proxy.get("https_proxy"):
-      env["HTTPS_PROXY"] = proxy.get("https_proxy")
-    if proxy.get("no_proxy"):
-      env["NO_PROXY"] = proxy.get("no_proxy")
+    def run_skopeo(self, args, proxy):
+        job = subprocess.Popen(
+            args,
+            shell=False,
+            stdout=subprocess.PIPE,
+            stderr=subprocess.PIPE,
+            env=self.setup_env(proxy),
+            close_fds=True,
+        )
 
-    return env
+        # Poll process for new output until finished
+        stdout = ""
+        stderr = ""
+        while True:
+            stdout_nextline = job.stdout.readline()
+            stdout = stdout + stdout_nextline
+            stderr_nextline = job.stderr.readline()
+            stderr = stderr + stderr_nextline
+            if (
+                stdout_nextline == ""
+                and stderr_nextline == ""
+                and job.poll() is not None
+            ):
+                break
+            logger.debug("Skopeo [STDERR]: %s" % stderr_nextline)
+            logger.debug("Skopeo [STDOUT]: %s" % stdout_nextline)
 
+        job.communicate()
 
-  def run_skopeo(self, args, proxy):
-    job = subprocess.Popen(args, shell=False, stdout=subprocess.PIPE, stderr=subprocess.PIPE,
-                           env=self.setup_env(proxy), close_fds=True)
-
-    # Poll process for new output until finished
-    stdout = ""
-    stderr = ""
-    while True:
-      stdout_nextline = job.stdout.readline()
-      stdout = stdout + stdout_nextline
-      stderr_nextline = job.stderr.readline()
-      stderr = stderr + stderr_nextline
-      if stdout_nextline == "" and stderr_nextline == "" and job.poll() is not None:
-        break
-      logger.debug("Skopeo [STDERR]: %s" % stderr_nextline)
-      logger.debug("Skopeo [STDOUT]: %s" % stdout_nextline)
-
-    job.communicate()
-
-    return SkopeoResults(job.returncode == 0, [], stdout, stderr)
+        return SkopeoResults(job.returncode == 0, [], stdout, stderr)
diff --git a/util/repomirror/validator.py b/util/repomirror/validator.py
index fa05450d1..aea790301 100644
--- a/util/repomirror/validator.py
+++ b/util/repomirror/validator.py
@@ -5,12 +5,12 @@ logger = logging.getLogger(__name__)
 
 
 class RepoMirrorConfigValidator(object):
-  """ Helper class for validating the repository mirror configuration. """
-  def __init__(self, feature_repo_mirror):
-    self._feature_repo_mirror = feature_repo_mirror
+    """ Helper class for validating the repository mirror configuration. """
 
+    def __init__(self, feature_repo_mirror):
+        self._feature_repo_mirror = feature_repo_mirror
 
-  def valid(self):
-    if not self._feature_repo_mirror:
-      raise ConfigValidationException('REPO_MIRROR feature not enabled')
-    return True
+    def valid(self):
+        if not self._feature_repo_mirror:
+            raise ConfigValidationException("REPO_MIRROR feature not enabled")
+        return True
diff --git a/util/request.py b/util/request.py
index 5e3931c7b..410731e95 100644
--- a/util/request.py
+++ b/util/request.py
@@ -2,10 +2,13 @@ import os
 
 from flask import request
 
-def get_request_ip():
-  """ Returns the IP address of the client making the current Flask request or None if none. """
-  remote_addr = request.remote_addr or None
-  if os.getenv('TEST', 'false').lower() == 'true':
-    remote_addr = request.headers.get('X-Override-Remote-Addr-For-Testing', remote_addr)
 
-  return remote_addr
+def get_request_ip():
+    """ Returns the IP address of the client making the current Flask request or None if none. """
+    remote_addr = request.remote_addr or None
+    if os.getenv("TEST", "false").lower() == "true":
+        remote_addr = request.headers.get(
+            "X-Override-Remote-Addr-For-Testing", remote_addr
+        )
+
+    return remote_addr
diff --git a/util/saas/analytics.py b/util/saas/analytics.py
index 5e4f5debf..c35cfdad5 100644
--- a/util/saas/analytics.py
+++ b/util/saas/analytics.py
@@ -10,64 +10,66 @@ logger = logging.getLogger(__name__)
 
 
 class MixpanelQueuingConsumer(object):
-  def __init__(self, request_queue):
-    self._mp_queue = request_queue
+    def __init__(self, request_queue):
+        self._mp_queue = request_queue
 
-  def send(self, endpoint, json_message):
-    logger.debug('Queuing mixpanel request.')
-    self._mp_queue.put(json.dumps([endpoint, json_message]))
+    def send(self, endpoint, json_message):
+        logger.debug("Queuing mixpanel request.")
+        self._mp_queue.put(json.dumps([endpoint, json_message]))
 
 
 class SendToMixpanel(Thread):
-  def __init__(self, request_queue):
-    Thread.__init__(self)
-    self.daemon = True
+    def __init__(self, request_queue):
+        Thread.__init__(self)
+        self.daemon = True
 
-    self._mp_queue = request_queue
-    self._consumer = BufferedConsumer()
+        self._mp_queue = request_queue
+        self._consumer = BufferedConsumer()
 
-  def run(self):
-    logger.debug('Starting mixpanel sender process.')
-    while True:
-      mp_request = self._mp_queue.get()
-      logger.debug('Got queued mixpanel request.')
-      try:
-        self._consumer.send(*json.loads(mp_request))
-      except:
-        logger.exception('Failed to send Mixpanel request.')
+    def run(self):
+        logger.debug("Starting mixpanel sender process.")
+        while True:
+            mp_request = self._mp_queue.get()
+            logger.debug("Got queued mixpanel request.")
+            try:
+                self._consumer.send(*json.loads(mp_request))
+            except:
+                logger.exception("Failed to send Mixpanel request.")
 
 
 class _FakeMixpanel(object):
-  def track(*args, **kwargs):
-    pass
+    def track(*args, **kwargs):
+        pass
 
 
 class Analytics(object):
-  def __init__(self, app=None):
-    self.app = app
-    if app is not None:
-      self.state = self.init_app(app)
-    else:
-      self.state = None
+    def __init__(self, app=None):
+        self.app = app
+        if app is not None:
+            self.state = self.init_app(app)
+        else:
+            self.state = None
 
-  def init_app(self, app):
-    analytics_type = app.config.get('ANALYTICS_TYPE', 'FakeAnalytics')
+    def init_app(self, app):
+        analytics_type = app.config.get("ANALYTICS_TYPE", "FakeAnalytics")
 
-    if analytics_type == 'Mixpanel':
-      mixpanel_key = app.config.get('MIXPANEL_KEY', '')
-      logger.debug('Initializing mixpanel with key: %s', app.config['MIXPANEL_KEY'])
+        if analytics_type == "Mixpanel":
+            mixpanel_key = app.config.get("MIXPANEL_KEY", "")
+            logger.debug(
+                "Initializing mixpanel with key: %s", app.config["MIXPANEL_KEY"]
+            )
 
-      request_queue = Queue()
-      analytics = Mixpanel(mixpanel_key, MixpanelQueuingConsumer(request_queue))
-      SendToMixpanel(request_queue).start()
+            request_queue = Queue()
+            analytics = Mixpanel(mixpanel_key, MixpanelQueuingConsumer(request_queue))
+            SendToMixpanel(request_queue).start()
 
-    else:
-      analytics = _FakeMixpanel()
+        else:
+            analytics = _FakeMixpanel()
 
-    # register extension with app
-    app.extensions = getattr(app, 'extensions', {})
-    app.extensions['analytics'] = analytics
-    return analytics
+        # register extension with app
+        app.extensions = getattr(app, "extensions", {})
+        app.extensions["analytics"] = analytics
+        return analytics
 
-  def __getattr__(self, name):
-    return getattr(self.state, name, None)
+    def __getattr__(self, name):
+        return getattr(self.state, name, None)
diff --git a/util/saas/cloudwatch.py b/util/saas/cloudwatch.py
index c38df655a..93ccd9844 100644
--- a/util/saas/cloudwatch.py
+++ b/util/saas/cloudwatch.py
@@ -15,82 +15,92 @@ MAX_BATCH_METRICS = 20
 # This prevents hammering cloudwatch when it's not available.
 FAILED_SEND_SLEEP_SECS = 15
 
+
 def start_cloudwatch_sender(metrics, app):
-  """
+    """
   Starts sending from metrics to a new CloudWatchSender.
   """
-  access_key = app.config.get('CLOUDWATCH_AWS_ACCESS_KEY')
-  secret_key = app.config.get('CLOUDWATCH_AWS_SECRET_KEY')
-  namespace = app.config.get('CLOUDWATCH_NAMESPACE')
+    access_key = app.config.get("CLOUDWATCH_AWS_ACCESS_KEY")
+    secret_key = app.config.get("CLOUDWATCH_AWS_SECRET_KEY")
+    namespace = app.config.get("CLOUDWATCH_NAMESPACE")
 
-  if not namespace:
-    logger.debug('CloudWatch not configured')
-    return
+    if not namespace:
+        logger.debug("CloudWatch not configured")
+        return
+
+    sender = CloudWatchSender(metrics, access_key, secret_key, namespace)
+    sender.start()
 
-  sender = CloudWatchSender(metrics, access_key, secret_key, namespace)
-  sender.start()
 
 class CloudWatchSender(Thread):
-  """
+    """
   CloudWatchSender loops indefinitely and pulls metrics off of a queue then sends it to CloudWatch.
   """
-  def __init__(self, metrics, aws_access_key, aws_secret_key, namespace):
-    Thread.__init__(self)
-    self.daemon = True
 
-    self._aws_access_key = aws_access_key
-    self._aws_secret_key = aws_secret_key
-    self._metrics = metrics
-    self._namespace = namespace
+    def __init__(self, metrics, aws_access_key, aws_secret_key, namespace):
+        Thread.__init__(self)
+        self.daemon = True
 
-  def run(self):
-    try:
-      logger.debug('Starting CloudWatch sender process.')
-      connection = boto.connect_cloudwatch(self._aws_access_key, self._aws_secret_key)
-    except:
-      logger.exception('Failed to connect to CloudWatch.')
-    self._metrics.enable_deprecated()
+        self._aws_access_key = aws_access_key
+        self._aws_secret_key = aws_secret_key
+        self._metrics = metrics
+        self._namespace = namespace
 
-    while True:
-      metrics = {
-        'name': [],
-        'value': [],
-        'unit': [],
-        'timestamp': [],
-        'dimensions': [],
-      }
-
-      metric = self._metrics.get_deprecated()
-      append_metric(metrics, metric)
-
-      while len(metrics['name']) < MAX_BATCH_METRICS:
+    def run(self):
         try:
-          metric = self._metrics.get_nowait_deprecated()
-          append_metric(metrics, metric)
-        except Empty:
-          break
+            logger.debug("Starting CloudWatch sender process.")
+            connection = boto.connect_cloudwatch(
+                self._aws_access_key, self._aws_secret_key
+            )
+        except:
+            logger.exception("Failed to connect to CloudWatch.")
+        self._metrics.enable_deprecated()
 
-      try:
-        connection.put_metric_data(self._namespace, **metrics)
-        logger.debug('Sent %d CloudWatch metrics', len(metrics['name']))
-      except:
-        for i in range(len(metrics['name'])):
-          self._metrics.put_deprecated(metrics['name'][i], metrics['value'][i],
-            unit=metrics['unit'][i],
-            dimensions=metrics['dimensions'][i],
-            timestamp=metrics['timestamp'][i],
-          )
+        while True:
+            metrics = {
+                "name": [],
+                "value": [],
+                "unit": [],
+                "timestamp": [],
+                "dimensions": [],
+            }
+
+            metric = self._metrics.get_deprecated()
+            append_metric(metrics, metric)
+
+            while len(metrics["name"]) < MAX_BATCH_METRICS:
+                try:
+                    metric = self._metrics.get_nowait_deprecated()
+                    append_metric(metrics, metric)
+                except Empty:
+                    break
+
+            try:
+                connection.put_metric_data(self._namespace, **metrics)
+                logger.debug("Sent %d CloudWatch metrics", len(metrics["name"]))
+            except:
+                for i in range(len(metrics["name"])):
+                    self._metrics.put_deprecated(
+                        metrics["name"][i],
+                        metrics["value"][i],
+                        unit=metrics["unit"][i],
+                        dimensions=metrics["dimensions"][i],
+                        timestamp=metrics["timestamp"][i],
+                    )
+
+                logger.exception("Failed to write to CloudWatch: %s", metrics)
+                logger.debug("Attempted to requeue %d metrics.", len(metrics["name"]))
+                # random int between 1/2 and 1 1/2 of FAILED_SEND_SLEEP duration
+                sleep_secs = random.randint(
+                    FAILED_SEND_SLEEP_SECS / 2, 3 * FAILED_SEND_SLEEP_SECS / 2
+                )
+                time.sleep(sleep_secs)
 
-        logger.exception('Failed to write to CloudWatch: %s', metrics)
-        logger.debug('Attempted to requeue %d metrics.', len(metrics['name']))
-        # random int between 1/2 and 1 1/2 of FAILED_SEND_SLEEP duration
-        sleep_secs = random.randint(FAILED_SEND_SLEEP_SECS/2, 3*FAILED_SEND_SLEEP_SECS/2)
-        time.sleep(sleep_secs)
 
 def append_metric(metrics, m):
-  name, value, kwargs = m
-  metrics['name'].append(name)
-  metrics['value'].append(value)
-  metrics['unit'].append(kwargs.get('unit'))
-  metrics['dimensions'].append(kwargs.get('dimensions'))
-  metrics['timestamp'].append(kwargs.get('timestamp'))
+    name, value, kwargs = m
+    metrics["name"].append(name)
+    metrics["value"].append(value)
+    metrics["unit"].append(kwargs.get("unit"))
+    metrics["dimensions"].append(kwargs.get("dimensions"))
+    metrics["timestamp"].append(kwargs.get("timestamp"))
diff --git a/util/saas/exceptionlog.py b/util/saas/exceptionlog.py
index 9fc0c3656..ffb9d43ba 100644
--- a/util/saas/exceptionlog.py
+++ b/util/saas/exceptionlog.py
@@ -1,36 +1,39 @@
 from raven.contrib.flask import Sentry as FlaskSentry
 
-class FakeSentryClient(object):
-  def captureException(self, *args, **kwargs):
-    pass
 
-  def user_context(self, *args, **kwargs):
-    pass
+class FakeSentryClient(object):
+    def captureException(self, *args, **kwargs):
+        pass
+
+    def user_context(self, *args, **kwargs):
+        pass
+
 
 class FakeSentry(object):
-  def __init__(self):
-    self.client = FakeSentryClient()
+    def __init__(self):
+        self.client = FakeSentryClient()
+
 
 class Sentry(object):
-  def __init__(self, app=None):
-    self.app = app
-    if app is not None:
-      self.state = self.init_app(app)
-    else:
-      self.state = None
+    def __init__(self, app=None):
+        self.app = app
+        if app is not None:
+            self.state = self.init_app(app)
+        else:
+            self.state = None
 
-  def init_app(self, app):
-    sentry_type = app.config.get('EXCEPTION_LOG_TYPE', 'FakeSentry')
+    def init_app(self, app):
+        sentry_type = app.config.get("EXCEPTION_LOG_TYPE", "FakeSentry")
 
-    if sentry_type == 'Sentry':
-      sentry = FlaskSentry(app, register_signal=False)
-    else:
-      sentry = FakeSentry()
+        if sentry_type == "Sentry":
+            sentry = FlaskSentry(app, register_signal=False)
+        else:
+            sentry = FakeSentry()
 
-    # register extension with app
-    app.extensions = getattr(app, 'extensions', {})
-    app.extensions['sentry'] = sentry
-    return sentry
+        # register extension with app
+        app.extensions = getattr(app, "extensions", {})
+        app.extensions["sentry"] = sentry
+        return sentry
 
-  def __getattr__(self, name):
-    return getattr(self.state, name, None)
+    def __getattr__(self, name):
+        return getattr(self.state, name, None)
diff --git a/util/saas/useranalytics.py b/util/saas/useranalytics.py
index 049097739..d9bbb8848 100644
--- a/util/saas/useranalytics.py
+++ b/util/saas/useranalytics.py
@@ -11,173 +11,175 @@ logger = logging.getLogger(__name__)
 
 
 class LeadNotFoundException(Exception):
-  pass
+    pass
 
 
 def build_error_callback(message_when_exception):
-  def maybe_log_error(response_future):
-    try:
-      response_future.result()
-    except NullExecutorCancelled:
-      pass
-    except Exception:
-      logger.exception('User analytics: %s', message_when_exception)
+    def maybe_log_error(response_future):
+        try:
+            response_future.result()
+        except NullExecutorCancelled:
+            pass
+        except Exception:
+            logger.exception("User analytics: %s", message_when_exception)
 
-  return maybe_log_error
+    return maybe_log_error
 
 
 class _MarketoAnalyticsClient(object):
-  """ User analytics implementation which will report user changes to the
+    """ User analytics implementation which will report user changes to the
       Marketo API.
   """
-  def __init__(self, marketo_client, munchkin_private_key, lead_source):
-    """ Instantiate with the given marketorestpython.client, the Marketo
+
+    def __init__(self, marketo_client, munchkin_private_key, lead_source):
+        """ Instantiate with the given marketorestpython.client, the Marketo
         Munchkin Private Key, and the Lead Source that we want to set when we
         create new lead records in Marketo.
     """
-    self._marketo = marketo_client
-    self._munchkin_private_key = munchkin_private_key
-    self._lead_source = lead_source
+        self._marketo = marketo_client
+        self._munchkin_private_key = munchkin_private_key
+        self._lead_source = lead_source
 
-  def _get_lead_metadata(self, given_name, family_name, company, location):
-    metadata = {}
-    if given_name:
-      metadata['firstName'] = given_name
+    def _get_lead_metadata(self, given_name, family_name, company, location):
+        metadata = {}
+        if given_name:
+            metadata["firstName"] = given_name
 
-    if family_name:
-      metadata['lastName'] = family_name
+        if family_name:
+            metadata["lastName"] = family_name
 
-    if company:
-      metadata['company'] = company
+        if company:
+            metadata["company"] = company
 
-    if location:
-      metadata['location'] = location
+        if location:
+            metadata["location"] = location
 
-    return metadata
+        return metadata
 
-  def create_lead(self, email, username, given_name, family_name, company, location):
-    lead_data = dict(
-      email=email,
-      Quay_Username__c=username,
-      leadSource='Web - Product Trial',
-      Lead_Source_Detail__c=self._lead_source,
-    )
+    def create_lead(self, email, username, given_name, family_name, company, location):
+        lead_data = dict(
+            email=email,
+            Quay_Username__c=username,
+            leadSource="Web - Product Trial",
+            Lead_Source_Detail__c=self._lead_source,
+        )
 
-    lead_data.update(self._get_lead_metadata(given_name, family_name,
-                                             company, location))
+        lead_data.update(
+            self._get_lead_metadata(given_name, family_name, company, location)
+        )
 
-    self._marketo.create_update_leads(
-      action='createOrUpdate',
-      leads=[lead_data],
-      asyncProcessing=True,
-      lookupField='email',
-    )
+        self._marketo.create_update_leads(
+            action="createOrUpdate",
+            leads=[lead_data],
+            asyncProcessing=True,
+            lookupField="email",
+        )
 
-  def _find_leads_by_email(self, email):
-    # Fetch the existing user from the database by email
-    found = self._marketo.get_multiple_leads_by_filter_type(
-      filterType='email',
-      filterValues=[email],
-    )
+    def _find_leads_by_email(self, email):
+        # Fetch the existing user from the database by email
+        found = self._marketo.get_multiple_leads_by_filter_type(
+            filterType="email", filterValues=[email]
+        )
 
-    if not found:
-      raise LeadNotFoundException('No lead found with email: {}'.format(email))
+        if not found:
+            raise LeadNotFoundException("No lead found with email: {}".format(email))
 
-    return found
+        return found
 
-  def change_email(self, old_email, new_email):
-    found = self._find_leads_by_email(old_email)
+    def change_email(self, old_email, new_email):
+        found = self._find_leads_by_email(old_email)
 
-    # Update using their user id.
-    updated = [dict(id=lead['id'], email=new_email) for lead in found]
-    self._marketo.create_update_leads(
-      action='updateOnly',
-      leads=updated,
-      asyncProcessing=True,
-      lookupField='id',
-    )
+        # Update using their user id.
+        updated = [dict(id=lead["id"], email=new_email) for lead in found]
+        self._marketo.create_update_leads(
+            action="updateOnly", leads=updated, asyncProcessing=True, lookupField="id"
+        )
 
-  def change_metadata(self, email, given_name=None, family_name=None, company=None, location=None):
-    lead_data = self._get_lead_metadata(given_name, family_name, company, location)
-    if not lead_data:
-      return
+    def change_metadata(
+        self, email, given_name=None, family_name=None, company=None, location=None
+    ):
+        lead_data = self._get_lead_metadata(given_name, family_name, company, location)
+        if not lead_data:
+            return
 
-    # Update using their email address.
-    lead_data['email'] = email
-    self._marketo.create_update_leads(
-      action='updateOnly',
-      leads=[lead_data],
-      asyncProcessing=True,
-      lookupField='email',
-    )
+        # Update using their email address.
+        lead_data["email"] = email
+        self._marketo.create_update_leads(
+            action="updateOnly",
+            leads=[lead_data],
+            asyncProcessing=True,
+            lookupField="email",
+        )
 
-  def change_username(self, email, new_username):
-    # Update using their email.
-    self._marketo.create_update_leads(
-      action='updateOnly',
-      leads=[{
-        'email': email,
-        'Quay_Username__c': new_username,
-      }],
-      asyncProcessing=True,
-      lookupField='email',
-    )
+    def change_username(self, email, new_username):
+        # Update using their email.
+        self._marketo.create_update_leads(
+            action="updateOnly",
+            leads=[{"email": email, "Quay_Username__c": new_username}],
+            asyncProcessing=True,
+            lookupField="email",
+        )
 
-  @AsyncExecutorWrapper.sync
-  def get_user_analytics_metadata(self, user_obj):
-    """ Return a list of properties that should be added to the user object to allow
+    @AsyncExecutorWrapper.sync
+    def get_user_analytics_metadata(self, user_obj):
+        """ Return a list of properties that should be added to the user object to allow
         analytics associations.
     """
-    if not self._munchkin_private_key:
-      return dict()
+        if not self._munchkin_private_key:
+            return dict()
 
-    marketo_user_hash = sha1(self._munchkin_private_key)
-    marketo_user_hash.update(user_obj.email)
+        marketo_user_hash = sha1(self._munchkin_private_key)
+        marketo_user_hash.update(user_obj.email)
 
-    return dict(
-      marketo_user_hash=marketo_user_hash.hexdigest(),
-    )
+        return dict(marketo_user_hash=marketo_user_hash.hexdigest())
 
 
 class UserAnalytics(object):
-  def __init__(self, app=None):
-    self.app = app
-    if app is not None:
-      self.state = self.init_app(app)
-    else:
-      self.state = None
+    def __init__(self, app=None):
+        self.app = app
+        if app is not None:
+            self.state = self.init_app(app)
+        else:
+            self.state = None
 
-  def init_app(self, app):
-    analytics_type = app.config.get('USER_ANALYTICS_TYPE', 'FakeAnalytics')
+    def init_app(self, app):
+        analytics_type = app.config.get("USER_ANALYTICS_TYPE", "FakeAnalytics")
 
-    marketo_munchkin_id = ''
-    marketo_munchkin_private_key = ''
-    marketo_client_id = ''
-    marketo_client_secret = ''
-    marketo_lead_source = ''
-    executor = NullExecutor()
+        marketo_munchkin_id = ""
+        marketo_munchkin_private_key = ""
+        marketo_client_id = ""
+        marketo_client_secret = ""
+        marketo_lead_source = ""
+        executor = NullExecutor()
 
-    if analytics_type == 'Marketo':
-      marketo_munchkin_id = app.config['MARKETO_MUNCHKIN_ID']
-      marketo_munchkin_private_key = app.config['MARKETO_MUNCHKIN_PRIVATE_KEY']
-      marketo_client_id = app.config['MARKETO_CLIENT_ID']
-      marketo_client_secret = app.config['MARKETO_CLIENT_SECRET']
-      marketo_lead_source = app.config['MARKETO_LEAD_SOURCE']
+        if analytics_type == "Marketo":
+            marketo_munchkin_id = app.config["MARKETO_MUNCHKIN_ID"]
+            marketo_munchkin_private_key = app.config["MARKETO_MUNCHKIN_PRIVATE_KEY"]
+            marketo_client_id = app.config["MARKETO_CLIENT_ID"]
+            marketo_client_secret = app.config["MARKETO_CLIENT_SECRET"]
+            marketo_lead_source = app.config["MARKETO_LEAD_SOURCE"]
 
-      logger.debug('Initializing marketo with keys: %s %s %s', marketo_munchkin_id,
-                   marketo_client_id, marketo_client_secret)
+            logger.debug(
+                "Initializing marketo with keys: %s %s %s",
+                marketo_munchkin_id,
+                marketo_client_id,
+                marketo_client_secret,
+            )
 
-      executor = ThreadPoolExecutor(max_workers=1)
+            executor = ThreadPoolExecutor(max_workers=1)
 
-    marketo_client = MarketoClient(marketo_munchkin_id, marketo_client_id, marketo_client_secret)
-    client_wrapper = _MarketoAnalyticsClient(marketo_client, marketo_munchkin_private_key,
-                                             marketo_lead_source)
-    user_analytics = AsyncExecutorWrapper(client_wrapper, executor)
+        marketo_client = MarketoClient(
+            marketo_munchkin_id, marketo_client_id, marketo_client_secret
+        )
+        client_wrapper = _MarketoAnalyticsClient(
+            marketo_client, marketo_munchkin_private_key, marketo_lead_source
+        )
+        user_analytics = AsyncExecutorWrapper(client_wrapper, executor)
 
-    # register extension with app
-    app.extensions = getattr(app, 'extensions', {})
-    app.extensions['user_analytics'] = user_analytics
-    return user_analytics
+        # register extension with app
+        app.extensions = getattr(app, "extensions", {})
+        app.extensions["user_analytics"] = user_analytics
+        return user_analytics
 
-  def __getattr__(self, name):
-    return getattr(self.state, name, None)
+    def __getattr__(self, name):
+        return getattr(self.state, name, None)
diff --git a/util/secscan/__init__.py b/util/secscan/__init__.py
index 1e3ac04aa..78d8e26e6 100644
--- a/util/secscan/__init__.py
+++ b/util/secscan/__init__.py
@@ -1,109 +1,96 @@
 # NOTE: This objects are used directly in the external-notification-data and vulnerability-service
 # on the frontend, so be careful with changing their existing keys.
 PRIORITY_LEVELS = {
-  'Unknown': {
-    'title': 'Unknown',
-    'index': 6,
-    'level': 'info',
-    'color': '#9B9B9B',
-    'score': 0,
-
-    'description': 'Unknown is either a security problem that has not been assigned to a priority' +
-                   ' yet or a priority that our system did not recognize',
-    'banner_required': False
-  },
-
-  'Negligible': {
-    'title': 'Negligible',
-    'index': 5,
-    'level': 'info',
-    'color': '#9B9B9B',
-    'score': 1,
-
-    'description': 'Negligible is technically a security problem, but is only theoretical ' +
-                   'in nature, requires a very special situation, has almost no install base, ' +
-                   'or does no real damage.',
-    'banner_required': False
-  },
-
-  'Low': {
-    'title': 'Low',
-    'index': 4,
-    'level': 'warning',
-    'color': '#F8CA1C',
-    'score': 3,
-
-    'description': 'Low is a security problem, but is hard to exploit due to environment, ' +
-                   'requires a user-assisted attack, a small install base, or does very little' +
-                   ' damage.',
-    'banner_required': False
-  },
-
-  'Medium': {
-    'title': 'Medium',
-    'value': 'Medium',
-    'index': 3,
-    'level': 'warning',
-    'color': '#FCA657',
-    'score': 6,
-
-    'description': 'Medium is a real security problem, and is exploitable for many people. ' +
-                   'Includes network daemon denial of service attacks, cross-site scripting, and ' +
-                   'gaining user privileges.',
-    'banner_required': False
-  },
-
-  'High': {
-    'title': 'High',
-    'value': 'High',
-    'index': 2,
-    'level': 'warning',
-    'color': '#F77454',
-    'score': 9,
-
-    'description': 'High is a real problem, exploitable for many people in a default ' +
-                   'installation. Includes serious remote denial of services, local root ' +
-                   'privilege escalations, or data loss.',
-    'banner_required': False
-  },
-
-  'Critical': {
-    'title': 'Critical',
-    'value': 'Critical',
-    'index': 1,
-    'level': 'error',
-    'color': '#D64456',
-    'score': 10,
-
-    'description': 'Critical is a world-burning problem, exploitable for nearly all people in ' +
-                   'a installation of the package. Includes remote root privilege escalations, ' +
-                   'or massive data loss.',
-    'banner_required': False
-  },
-
-  'Defcon1': {
-    'title': 'Defcon 1',
-    'value': 'Defcon1',
-    'index': 0,
-    'level': 'error',
-    'color': 'black',
-    'score': 11,
-
-    'description': 'Defcon1 is a Critical problem which has been manually highlighted by the Quay' +
-                   ' team. It requires immediate attention.',
-    'banner_required': True
-  }
+    "Unknown": {
+        "title": "Unknown",
+        "index": 6,
+        "level": "info",
+        "color": "#9B9B9B",
+        "score": 0,
+        "description": "Unknown is either a security problem that has not been assigned to a priority"
+        + " yet or a priority that our system did not recognize",
+        "banner_required": False,
+    },
+    "Negligible": {
+        "title": "Negligible",
+        "index": 5,
+        "level": "info",
+        "color": "#9B9B9B",
+        "score": 1,
+        "description": "Negligible is technically a security problem, but is only theoretical "
+        + "in nature, requires a very special situation, has almost no install base, "
+        + "or does no real damage.",
+        "banner_required": False,
+    },
+    "Low": {
+        "title": "Low",
+        "index": 4,
+        "level": "warning",
+        "color": "#F8CA1C",
+        "score": 3,
+        "description": "Low is a security problem, but is hard to exploit due to environment, "
+        + "requires a user-assisted attack, a small install base, or does very little"
+        + " damage.",
+        "banner_required": False,
+    },
+    "Medium": {
+        "title": "Medium",
+        "value": "Medium",
+        "index": 3,
+        "level": "warning",
+        "color": "#FCA657",
+        "score": 6,
+        "description": "Medium is a real security problem, and is exploitable for many people. "
+        + "Includes network daemon denial of service attacks, cross-site scripting, and "
+        + "gaining user privileges.",
+        "banner_required": False,
+    },
+    "High": {
+        "title": "High",
+        "value": "High",
+        "index": 2,
+        "level": "warning",
+        "color": "#F77454",
+        "score": 9,
+        "description": "High is a real problem, exploitable for many people in a default "
+        + "installation. Includes serious remote denial of services, local root "
+        + "privilege escalations, or data loss.",
+        "banner_required": False,
+    },
+    "Critical": {
+        "title": "Critical",
+        "value": "Critical",
+        "index": 1,
+        "level": "error",
+        "color": "#D64456",
+        "score": 10,
+        "description": "Critical is a world-burning problem, exploitable for nearly all people in "
+        + "a installation of the package. Includes remote root privilege escalations, "
+        + "or massive data loss.",
+        "banner_required": False,
+    },
+    "Defcon1": {
+        "title": "Defcon 1",
+        "value": "Defcon1",
+        "index": 0,
+        "level": "error",
+        "color": "black",
+        "score": 11,
+        "description": "Defcon1 is a Critical problem which has been manually highlighted by the Quay"
+        + " team. It requires immediate attention.",
+        "banner_required": True,
+    },
 }
 
 
 def get_priority_for_index(index):
-  try:
-    int_index = int(index)
-  except ValueError:
-    return 'Unknown'
+    try:
+        int_index = int(index)
+    except ValueError:
+        return "Unknown"
 
-  for priority in PRIORITY_LEVELS:
-    if PRIORITY_LEVELS[priority]['index'] == int_index:
-      return priority
+    for priority in PRIORITY_LEVELS:
+        if PRIORITY_LEVELS[priority]["index"] == int_index:
+            return priority
 
-  return 'Unknown'
+    return "Unknown"
diff --git a/util/secscan/analyzer.py b/util/secscan/analyzer.py
index c723829fd..2cae20f12 100644
--- a/util/secscan/analyzer.py
+++ b/util/secscan/analyzer.py
@@ -5,13 +5,22 @@ from collections import defaultdict
 
 import features
 
-from data.database import ExternalNotificationEvent, IMAGE_NOT_SCANNED_ENGINE_VERSION, Image
+from data.database import (
+    ExternalNotificationEvent,
+    IMAGE_NOT_SCANNED_ENGINE_VERSION,
+    Image,
+)
 from data.model.tag import filter_tags_have_repository_event, get_tags_for_image
 from data.model.image import set_secscan_status, get_image_with_storage_and_parent_base
 from notifications import spawn_notification
 from util.secscan import PRIORITY_LEVELS
-from util.secscan.api import (APIRequestFailure, AnalyzeLayerException, MissingParentLayerException,
-                              InvalidLayerException, AnalyzeLayerRetryException)
+from util.secscan.api import (
+    APIRequestFailure,
+    AnalyzeLayerException,
+    MissingParentLayerException,
+    InvalidLayerException,
+    AnalyzeLayerRetryException,
+)
 from util.morecollections import AttrDict
 
 
@@ -19,187 +28,223 @@ logger = logging.getLogger(__name__)
 
 
 class PreemptedException(Exception):
-  """ Exception raised if another worker analyzed the image before this worker was able to do so.
+    """ Exception raised if another worker analyzed the image before this worker was able to do so.
   """
 
 
 class LayerAnalyzer(object):
-  """ Helper class to perform analysis of a layer via the security scanner. """
-  def __init__(self, config, api):
-    self._api = api
-    self._target_version = config.get('SECURITY_SCANNER_ENGINE_VERSION_TARGET', 2)
+    """ Helper class to perform analysis of a layer via the security scanner. """
 
-  def analyze_recursively(self, layer):
-    """ Analyzes a layer and all its parents. Raises a PreemptedException if the analysis was
+    def __init__(self, config, api):
+        self._api = api
+        self._target_version = config.get("SECURITY_SCANNER_ENGINE_VERSION_TARGET", 2)
+
+    def analyze_recursively(self, layer):
+        """ Analyzes a layer and all its parents. Raises a PreemptedException if the analysis was
         preempted by another worker.
     """
-    try:
-      self._analyze_recursively_and_check(layer)
-    except MissingParentLayerException:
-      # The parent layer of this layer was missing. Force a reanalyze.
-      try:
-        self._analyze_recursively_and_check(layer, force_parents=True)
-      except MissingParentLayerException:
-        # Parent is still missing... mark the layer as invalid.
-        if not set_secscan_status(layer, False, self._target_version):
-          raise PreemptedException
+        try:
+            self._analyze_recursively_and_check(layer)
+        except MissingParentLayerException:
+            # The parent layer of this layer was missing. Force a reanalyze.
+            try:
+                self._analyze_recursively_and_check(layer, force_parents=True)
+            except MissingParentLayerException:
+                # Parent is still missing... mark the layer as invalid.
+                if not set_secscan_status(layer, False, self._target_version):
+                    raise PreemptedException
 
-  def _analyze_recursively_and_check(self, layer, force_parents=False):
-    """ Analyzes a layer and all its parents, optionally forcing parents to be reanalyzed,
+    def _analyze_recursively_and_check(self, layer, force_parents=False):
+        """ Analyzes a layer and all its parents, optionally forcing parents to be reanalyzed,
         and checking for various exceptions that can occur during analysis.
     """
-    try:
-      self._analyze_recursively(layer, force_parents=force_parents)
-    except InvalidLayerException:
-      # One of the parent layers is invalid, so this layer is invalid as well.
-      if not set_secscan_status(layer, False, self._target_version):
-        raise PreemptedException
-    except AnalyzeLayerRetryException:
-      # Something went wrong when trying to analyze the layer, but we should retry, so leave
-      # the layer unindexed. Another worker will come along and handle it.
-      raise APIRequestFailure
-    except MissingParentLayerException:
-      # Pass upward, as missing parent is handled in the analyze_recursively method.
-      raise
-    except AnalyzeLayerException:
-      # Something went wrong when trying to analyze the layer and we cannot retry, so mark the
-      # layer as invalid.
-      logger.exception('Got exception when trying to analyze layer %s via security scanner',
-                       layer.id)
-      if not set_secscan_status(layer, False, self._target_version):
-        raise PreemptedException
+        try:
+            self._analyze_recursively(layer, force_parents=force_parents)
+        except InvalidLayerException:
+            # One of the parent layers is invalid, so this layer is invalid as well.
+            if not set_secscan_status(layer, False, self._target_version):
+                raise PreemptedException
+        except AnalyzeLayerRetryException:
+            # Something went wrong when trying to analyze the layer, but we should retry, so leave
+            # the layer unindexed. Another worker will come along and handle it.
+            raise APIRequestFailure
+        except MissingParentLayerException:
+            # Pass upward, as missing parent is handled in the analyze_recursively method.
+            raise
+        except AnalyzeLayerException:
+            # Something went wrong when trying to analyze the layer and we cannot retry, so mark the
+            # layer as invalid.
+            logger.exception(
+                "Got exception when trying to analyze layer %s via security scanner",
+                layer.id,
+            )
+            if not set_secscan_status(layer, False, self._target_version):
+                raise PreemptedException
 
-  def _analyze_recursively(self, layer, force_parents=False):
-    # Check if there is a parent layer that needs to be analyzed.
-    if layer.parent_id and (force_parents or
-                            layer.parent.security_indexed_engine < self._target_version):
-      try:
-        base_query = get_image_with_storage_and_parent_base()
-        parent_layer = base_query.where(Image.id == layer.parent_id).get()
-      except Image.DoesNotExist:
-        logger.warning("Image %s has Image %s as parent but doesn't exist.", layer.id,
-                       layer.parent_id)
-        raise AnalyzeLayerException('Parent image not found')
+    def _analyze_recursively(self, layer, force_parents=False):
+        # Check if there is a parent layer that needs to be analyzed.
+        if layer.parent_id and (
+            force_parents or layer.parent.security_indexed_engine < self._target_version
+        ):
+            try:
+                base_query = get_image_with_storage_and_parent_base()
+                parent_layer = base_query.where(Image.id == layer.parent_id).get()
+            except Image.DoesNotExist:
+                logger.warning(
+                    "Image %s has Image %s as parent but doesn't exist.",
+                    layer.id,
+                    layer.parent_id,
+                )
+                raise AnalyzeLayerException("Parent image not found")
 
-      self._analyze_recursively(parent_layer, force_parents=force_parents)
+            self._analyze_recursively(parent_layer, force_parents=force_parents)
 
-    # Analyze the layer itself.
-    self._analyze(layer, force_parents=force_parents)
+        # Analyze the layer itself.
+        self._analyze(layer, force_parents=force_parents)
 
-  def _analyze(self, layer, force_parents=False):
-    """ Analyzes a single layer.
+    def _analyze(self, layer, force_parents=False):
+        """ Analyzes a single layer.
 
         Return a tuple of two bools:
           - The first one tells us if we should evaluate its children.
           - The second one is set to False when another worker pre-empted the candidate's analysis
             for us.
     """
-    # If the parent couldn't be analyzed with the target version or higher, we can't analyze
-    # this image. Mark it as failed with the current target version.
-    if not force_parents and (layer.parent_id and not layer.parent.security_indexed and
-                              layer.parent.security_indexed_engine >= self._target_version):
-      if not set_secscan_status(layer, False, self._target_version):
-        raise PreemptedException
+        # If the parent couldn't be analyzed with the target version or higher, we can't analyze
+        # this image. Mark it as failed with the current target version.
+        if not force_parents and (
+            layer.parent_id
+            and not layer.parent.security_indexed
+            and layer.parent.security_indexed_engine >= self._target_version
+        ):
+            if not set_secscan_status(layer, False, self._target_version):
+                raise PreemptedException
 
-      # Nothing more to do.
-      return
+            # Nothing more to do.
+            return
 
-    # Make sure the image's storage is not marked as uploading. If so, nothing more to do.
-    if layer.storage.uploading:
-      if not set_secscan_status(layer, False, self._target_version):
-        raise PreemptedException
+        # Make sure the image's storage is not marked as uploading. If so, nothing more to do.
+        if layer.storage.uploading:
+            if not set_secscan_status(layer, False, self._target_version):
+                raise PreemptedException
 
-      # Nothing more to do.
-      return
+            # Nothing more to do.
+            return
 
-    # Analyze the image.
-    previously_security_indexed_successfully = layer.security_indexed
-    previous_security_indexed_engine = layer.security_indexed_engine
+        # Analyze the image.
+        previously_security_indexed_successfully = layer.security_indexed
+        previous_security_indexed_engine = layer.security_indexed_engine
 
-    logger.info('Analyzing layer %s', layer.docker_image_id)
-    analyzed_version = self._api.analyze_layer(layer)
+        logger.info("Analyzing layer %s", layer.docker_image_id)
+        analyzed_version = self._api.analyze_layer(layer)
 
-    logger.info('Analyzed layer %s successfully with version %s', layer.docker_image_id,
-                analyzed_version)
+        logger.info(
+            "Analyzed layer %s successfully with version %s",
+            layer.docker_image_id,
+            analyzed_version,
+        )
 
-    # Mark the image as analyzed.
-    if not set_secscan_status(layer, True, analyzed_version):
-      # If the image was previously successfully marked as resolved, then set_secscan_status
-      # might return False because we're not changing it (since this is a fixup).
-      if not previously_security_indexed_successfully:
-        raise PreemptedException
+        # Mark the image as analyzed.
+        if not set_secscan_status(layer, True, analyzed_version):
+            # If the image was previously successfully marked as resolved, then set_secscan_status
+            # might return False because we're not changing it (since this is a fixup).
+            if not previously_security_indexed_successfully:
+                raise PreemptedException
 
-    # If we are the one who've done the job successfully first, then we need to decide if we should
-    # send notifications. Notifications are sent if:
-    #  1) This is a new layer
-    #  2) This is an existing layer that previously did not index properly
-    # We don't always send notifications as if we are re-indexing a successful layer for a newer
-    # feature set in the security scanner, notifications will be spammy.
-    is_new_image = previous_security_indexed_engine == IMAGE_NOT_SCANNED_ENGINE_VERSION
-    is_existing_image_unindexed = not is_new_image and not previously_security_indexed_successfully
-    if (features.SECURITY_NOTIFICATIONS and (is_new_image or is_existing_image_unindexed)):
-      # Get the tags of the layer we analyzed.
-      repository_map = defaultdict(list)
-      event = ExternalNotificationEvent.get(name='vulnerability_found')
-      matching = list(filter_tags_have_repository_event(get_tags_for_image(layer.id), event))
+        # If we are the one who've done the job successfully first, then we need to decide if we should
+        # send notifications. Notifications are sent if:
+        #  1) This is a new layer
+        #  2) This is an existing layer that previously did not index properly
+        # We don't always send notifications as if we are re-indexing a successful layer for a newer
+        # feature set in the security scanner, notifications will be spammy.
+        is_new_image = (
+            previous_security_indexed_engine == IMAGE_NOT_SCANNED_ENGINE_VERSION
+        )
+        is_existing_image_unindexed = (
+            not is_new_image and not previously_security_indexed_successfully
+        )
+        if features.SECURITY_NOTIFICATIONS and (
+            is_new_image or is_existing_image_unindexed
+        ):
+            # Get the tags of the layer we analyzed.
+            repository_map = defaultdict(list)
+            event = ExternalNotificationEvent.get(name="vulnerability_found")
+            matching = list(
+                filter_tags_have_repository_event(get_tags_for_image(layer.id), event)
+            )
 
-      for tag in matching:
-        repository_map[tag.repository_id].append(tag)
+            for tag in matching:
+                repository_map[tag.repository_id].append(tag)
 
-      # If there is at least one tag,
-      # Lookup the vulnerabilities for the image, now that it is analyzed.
-      if len(repository_map) > 0:
-        logger.debug('Loading data for layer %s', layer.id)
-        try:
-          layer_data = self._api.get_layer_data(layer, include_vulnerabilities=True)
-        except APIRequestFailure:
-          raise
+            # If there is at least one tag,
+            # Lookup the vulnerabilities for the image, now that it is analyzed.
+            if len(repository_map) > 0:
+                logger.debug("Loading data for layer %s", layer.id)
+                try:
+                    layer_data = self._api.get_layer_data(
+                        layer, include_vulnerabilities=True
+                    )
+                except APIRequestFailure:
+                    raise
 
-        if layer_data is not None:
-          # Dispatch events for any detected vulnerabilities
-          logger.debug('Got data for layer %s: %s', layer.id, layer_data)
-          found_features = layer_data['Layer'].get('Features', [])
-          for repository_id in repository_map:
-            tags = repository_map[repository_id]
-            vulnerabilities = dict()
+                if layer_data is not None:
+                    # Dispatch events for any detected vulnerabilities
+                    logger.debug("Got data for layer %s: %s", layer.id, layer_data)
+                    found_features = layer_data["Layer"].get("Features", [])
+                    for repository_id in repository_map:
+                        tags = repository_map[repository_id]
+                        vulnerabilities = dict()
 
-            # Collect all the vulnerabilities found for the layer under each repository and send
-            # as a batch notification.
-            for feature in found_features:
-              if 'Vulnerabilities' not in feature:
-                continue
+                        # Collect all the vulnerabilities found for the layer under each repository and send
+                        # as a batch notification.
+                        for feature in found_features:
+                            if "Vulnerabilities" not in feature:
+                                continue
 
-              for vulnerability in feature.get('Vulnerabilities', []):
-                vuln_data = {
-                  'id': vulnerability['Name'],
-                  'description': vulnerability.get('Description', None),
-                  'link': vulnerability.get('Link', None),
-                  'has_fix': 'FixedBy' in vulnerability,
+                            for vulnerability in feature.get("Vulnerabilities", []):
+                                vuln_data = {
+                                    "id": vulnerability["Name"],
+                                    "description": vulnerability.get(
+                                        "Description", None
+                                    ),
+                                    "link": vulnerability.get("Link", None),
+                                    "has_fix": "FixedBy" in vulnerability,
+                                    # TODO: Change this key name if/when we change the event format.
+                                    "priority": vulnerability.get(
+                                        "Severity", "Unknown"
+                                    ),
+                                }
 
-                  # TODO: Change this key name if/when we change the event format.
-                  'priority': vulnerability.get('Severity', 'Unknown'),
-                }
+                                vulnerabilities[vulnerability["Name"]] = vuln_data
 
-                vulnerabilities[vulnerability['Name']] = vuln_data
+                        # TODO: remove when more endpoints have been converted to using
+                        # interfaces
+                        repository = AttrDict(
+                            {
+                                "namespace_name": tags[
+                                    0
+                                ].repository.namespace_user.username,
+                                "name": tags[0].repository.name,
+                            }
+                        )
 
-            # TODO: remove when more endpoints have been converted to using
-            # interfaces
-            repository = AttrDict({
-              'namespace_name': tags[0].repository.namespace_user.username,
-              'name': tags[0].repository.name,
-            })
+                        repo_vulnerabilities = list(vulnerabilities.values())
+                        if not repo_vulnerabilities:
+                            continue
 
-            repo_vulnerabilities = list(vulnerabilities.values())
-            if not repo_vulnerabilities:
-              continue
+                        priority_key = lambda v: PRIORITY_LEVELS.get(
+                            v["priority"], {}
+                        ).get("index", 100)
+                        repo_vulnerabilities.sort(key=priority_key)
 
-            priority_key = lambda v: PRIORITY_LEVELS.get(v['priority'], {}).get('index', 100)
-            repo_vulnerabilities.sort(key=priority_key)
+                        event_data = {
+                            "tags": [tag.name for tag in tags],
+                            "vulnerabilities": repo_vulnerabilities,
+                            "vulnerability": repo_vulnerabilities[
+                                0
+                            ],  # For back-compat with existing events.
+                        }
 
-            event_data = {
-              'tags': [tag.name for tag in tags],
-              'vulnerabilities': repo_vulnerabilities,
-              'vulnerability': repo_vulnerabilities[0], # For back-compat with existing events.
-            }
-
-            spawn_notification(repository, 'vulnerability_found', event_data)
+                        spawn_notification(
+                            repository, "vulnerability_found", event_data
+                        )
diff --git a/util/secscan/api.py b/util/secscan/api.py
index 506a6bd64..84c5856d8 100644
--- a/util/secscan/api.py
+++ b/util/secscan/api.py
@@ -8,7 +8,13 @@ from urlparse import urljoin
 import requests
 
 from data import model
-from data.database import CloseForLongOperation, TagManifest, Image, Manifest, ManifestLegacyImage
+from data.database import (
+    CloseForLongOperation,
+    TagManifest,
+    Image,
+    Manifest,
+    ManifestLegacyImage,
+)
 from data.model.storage import get_storage_locations
 from data.model.image import get_image_with_storage
 from data.registry_model.datatypes import Manifest as ManifestDataType, LegacyImage
@@ -18,486 +24,620 @@ from util.secscan.validator import SecurityConfigValidator
 from util.security.registry_jwt import generate_bearer_token, build_context_and_subject
 
 from _init import CONF_DIR
-TOKEN_VALIDITY_LIFETIME_S = 60  # Amount of time the security scanner has to call the layer URL
 
-UNKNOWN_PARENT_LAYER_ERROR_MSG = 'worker: parent layer is unknown, it must be processed first'
+TOKEN_VALIDITY_LIFETIME_S = (
+    60
+)  # Amount of time the security scanner has to call the layer URL
 
-MITM_CERT_PATH = os.path.join(CONF_DIR, 'mitm.cert')
+UNKNOWN_PARENT_LAYER_ERROR_MSG = (
+    "worker: parent layer is unknown, it must be processed first"
+)
 
-DEFAULT_HTTP_HEADERS = {'Connection': 'close'}
+MITM_CERT_PATH = os.path.join(CONF_DIR, "mitm.cert")
+
+DEFAULT_HTTP_HEADERS = {"Connection": "close"}
 
 logger = logging.getLogger(__name__)
 
 
 class AnalyzeLayerException(Exception):
-  """ Exception raised when a layer fails to analyze due to a request issue. """
+    """ Exception raised when a layer fails to analyze due to a request issue. """
+
 
 class AnalyzeLayerRetryException(Exception):
-  """ Exception raised when a layer fails to analyze due to a request issue, and the request should
+    """ Exception raised when a layer fails to analyze due to a request issue, and the request should
       be retried.
   """
 
+
 class MissingParentLayerException(AnalyzeLayerException):
-  """ Exception raised when the parent of the layer is missing from the security scanner. """
+    """ Exception raised when the parent of the layer is missing from the security scanner. """
+
 
 class InvalidLayerException(AnalyzeLayerException):
-  """ Exception raised when the layer itself cannot be handled by the security scanner. """
+    """ Exception raised when the layer itself cannot be handled by the security scanner. """
+
 
 class APIRequestFailure(Exception):
-  """ Exception raised when there is a failure to conduct an API request. """
+    """ Exception raised when there is a failure to conduct an API request. """
+
 
 class Non200ResponseException(Exception):
-  """ Exception raised when the upstream API returns a non-200 HTTP status code. """
-  def __init__(self, response):
-    super(Non200ResponseException, self).__init__()
-    self.response = response
+    """ Exception raised when the upstream API returns a non-200 HTTP status code. """
+
+    def __init__(self, response):
+        super(Non200ResponseException, self).__init__()
+        self.response = response
 
 
-_API_METHOD_INSERT = 'layers'
-_API_METHOD_GET_LAYER = 'layers/%s'
-_API_METHOD_DELETE_LAYER = 'layers/%s'
-_API_METHOD_MARK_NOTIFICATION_READ = 'notifications/%s'
-_API_METHOD_GET_NOTIFICATION = 'notifications/%s'
-_API_METHOD_PING = 'metrics'
+_API_METHOD_INSERT = "layers"
+_API_METHOD_GET_LAYER = "layers/%s"
+_API_METHOD_DELETE_LAYER = "layers/%s"
+_API_METHOD_MARK_NOTIFICATION_READ = "notifications/%s"
+_API_METHOD_GET_NOTIFICATION = "notifications/%s"
+_API_METHOD_PING = "metrics"
 
 
 def compute_layer_id(layer):
-  """ Returns the ID for the layer in the security scanner. """
-  # NOTE: this is temporary until we switch to Clair V3.
-  if isinstance(layer, ManifestDataType):
-    if layer._is_tag_manifest:
-      layer = TagManifest.get(id=layer._db_id).tag.image
-    else:
-      manifest = Manifest.get(id=layer._db_id)
-      try:
-        layer = ManifestLegacyImage.get(manifest=manifest).image
-      except ManifestLegacyImage.DoesNotExist:
-        return None
-  elif isinstance(layer, LegacyImage):
-    layer = Image.get(id=layer._db_id)
+    """ Returns the ID for the layer in the security scanner. """
+    # NOTE: this is temporary until we switch to Clair V3.
+    if isinstance(layer, ManifestDataType):
+        if layer._is_tag_manifest:
+            layer = TagManifest.get(id=layer._db_id).tag.image
+        else:
+            manifest = Manifest.get(id=layer._db_id)
+            try:
+                layer = ManifestLegacyImage.get(manifest=manifest).image
+            except ManifestLegacyImage.DoesNotExist:
+                return None
+    elif isinstance(layer, LegacyImage):
+        layer = Image.get(id=layer._db_id)
 
-  assert layer.docker_image_id
-  assert layer.storage.uuid
-  return '%s.%s' % (layer.docker_image_id, layer.storage.uuid)
+    assert layer.docker_image_id
+    assert layer.storage.uuid
+    return "%s.%s" % (layer.docker_image_id, layer.storage.uuid)
 
 
 class SecurityScannerAPI(object):
-  """ Helper class for talking to the Security Scan service (usually Clair). """
-  def __init__(self, config, storage, server_hostname=None, client=None, skip_validation=False, uri_creator=None, instance_keys=None):
-    feature_enabled = config.get('FEATURE_SECURITY_SCANNER', False)
-    has_valid_config = skip_validation
+    """ Helper class for talking to the Security Scan service (usually Clair). """
 
-    if not skip_validation and feature_enabled:
-      config_validator = SecurityConfigValidator(feature_enabled, config.get('SECURITY_SCANNER_ENDPOINT'))
-      has_valid_config = config_validator.valid()
+    def __init__(
+        self,
+        config,
+        storage,
+        server_hostname=None,
+        client=None,
+        skip_validation=False,
+        uri_creator=None,
+        instance_keys=None,
+    ):
+        feature_enabled = config.get("FEATURE_SECURITY_SCANNER", False)
+        has_valid_config = skip_validation
 
-    if feature_enabled and has_valid_config:
-      self.state = ImplementedSecurityScannerAPI(config, storage, server_hostname, client=client, uri_creator=uri_creator, instance_keys=instance_keys)
-    else:
-      self.state = NoopSecurityScannerAPI()
+        if not skip_validation and feature_enabled:
+            config_validator = SecurityConfigValidator(
+                feature_enabled, config.get("SECURITY_SCANNER_ENDPOINT")
+            )
+            has_valid_config = config_validator.valid()
 
-  def __getattr__(self, name):
-    return getattr(self.state, name, None)
+        if feature_enabled and has_valid_config:
+            self.state = ImplementedSecurityScannerAPI(
+                config,
+                storage,
+                server_hostname,
+                client=client,
+                uri_creator=uri_creator,
+                instance_keys=instance_keys,
+            )
+        else:
+            self.state = NoopSecurityScannerAPI()
+
+    def __getattr__(self, name):
+        return getattr(self.state, name, None)
 
 
 @add_metaclass(ABCMeta)
 class SecurityScannerAPIInterface(object):
-  """ Helper class for talking to the Security Scan service (usually Clair). """
-  @abstractmethod
-  def cleanup_layers(self, layers):
-    """ Callback invoked by garbage collection to cleanup any layers that no longer
+    """ Helper class for talking to the Security Scan service (usually Clair). """
+
+    @abstractmethod
+    def cleanup_layers(self, layers):
+        """ Callback invoked by garbage collection to cleanup any layers that no longer
         need to be stored in the security scanner.
     """
-    pass
+        pass
 
-  @abstractmethod
-  def ping(self):
-    """ Calls GET on the metrics endpoint of the security scanner to ensure it is running
+    @abstractmethod
+    def ping(self):
+        """ Calls GET on the metrics endpoint of the security scanner to ensure it is running
         and properly configured. Returns the HTTP response.
     """
-    pass
+        pass
 
-  @abstractmethod
-  def delete_layer(self, layer):
-    """ Calls DELETE on the given layer in the security scanner, removing it from
+    @abstractmethod
+    def delete_layer(self, layer):
+        """ Calls DELETE on the given layer in the security scanner, removing it from
         its database.
     """
-    pass
+        pass
 
-  @abstractmethod
-  def analyze_layer(self, layer):
-    """ Posts the given layer to the security scanner for analysis, blocking until complete.
+    @abstractmethod
+    def analyze_layer(self, layer):
+        """ Posts the given layer to the security scanner for analysis, blocking until complete.
         Returns the analysis version on success or raises an exception deriving from
         AnalyzeLayerException on failure. Callers should handle all cases of AnalyzeLayerException.
     """
-    pass
+        pass
 
-  @abstractmethod
-  def check_layer_vulnerable(self, layer_id, cve_name):
-    """ Checks to see if the layer with the given ID is vulnerable to the specified CVE. """
-    pass
+    @abstractmethod
+    def check_layer_vulnerable(self, layer_id, cve_name):
+        """ Checks to see if the layer with the given ID is vulnerable to the specified CVE. """
+        pass
 
-  @abstractmethod
-  def get_notification(self, notification_name, layer_limit=100, page=None):
-    """ Gets the data for a specific notification, with optional page token.
+    @abstractmethod
+    def get_notification(self, notification_name, layer_limit=100, page=None):
+        """ Gets the data for a specific notification, with optional page token.
         Returns a tuple of the data (None on failure) and whether to retry.
     """
-    pass
+        pass
 
-  @abstractmethod
-  def mark_notification_read(self, notification_name):
-    """ Marks a security scanner notification as read. """
-    pass
+    @abstractmethod
+    def mark_notification_read(self, notification_name):
+        """ Marks a security scanner notification as read. """
+        pass
 
-  @abstractmethod
-  def get_layer_data(self, layer, include_features=False, include_vulnerabilities=False):
-    """ Returns the layer data for the specified layer. On error, returns None. """
-    pass
+    @abstractmethod
+    def get_layer_data(
+        self, layer, include_features=False, include_vulnerabilities=False
+    ):
+        """ Returns the layer data for the specified layer. On error, returns None. """
+        pass
 
 
 @nooper
 class NoopSecurityScannerAPI(SecurityScannerAPIInterface):
-  """ No-op version of the security scanner API. """
-  pass
+    """ No-op version of the security scanner API. """
+
+    pass
 
 
 class ImplementedSecurityScannerAPI(SecurityScannerAPIInterface):
-  """ Helper class for talking to the Security Scan service (Clair). """
-  # TODO refactor this to not take an app config, and instead just the things it needs as a config object
-  def __init__(self, config, storage, server_hostname, client=None, uri_creator=None, instance_keys=None):
-    self._config = config
-    self._instance_keys = instance_keys
-    self._client = client
-    self._storage = storage
-    self._server_hostname = server_hostname
-    self._default_storage_locations = config['DISTRIBUTED_STORAGE_PREFERENCE']
-    self._target_version = config.get('SECURITY_SCANNER_ENGINE_VERSION_TARGET', 2)
-    self._uri_creator = uri_creator
+    """ Helper class for talking to the Security Scan service (Clair). """
 
-  def _get_image_url_and_auth(self, image):
-    """ Returns a tuple of the url and the auth header value that must be used
+    # TODO refactor this to not take an app config, and instead just the things it needs as a config object
+    def __init__(
+        self,
+        config,
+        storage,
+        server_hostname,
+        client=None,
+        uri_creator=None,
+        instance_keys=None,
+    ):
+        self._config = config
+        self._instance_keys = instance_keys
+        self._client = client
+        self._storage = storage
+        self._server_hostname = server_hostname
+        self._default_storage_locations = config["DISTRIBUTED_STORAGE_PREFERENCE"]
+        self._target_version = config.get("SECURITY_SCANNER_ENGINE_VERSION_TARGET", 2)
+        self._uri_creator = uri_creator
+
+    def _get_image_url_and_auth(self, image):
+        """ Returns a tuple of the url and the auth header value that must be used
         to fetch the layer data itself. If the image can't be addressed, we return
         None.
     """
-    if self._instance_keys is None:
-      raise Exception('No Instance keys provided to Security Scanner API')
+        if self._instance_keys is None:
+            raise Exception("No Instance keys provided to Security Scanner API")
 
-    path = model.storage.get_layer_path(image.storage)
-    locations = self._default_storage_locations
+        path = model.storage.get_layer_path(image.storage)
+        locations = self._default_storage_locations
 
-    if not self._storage.exists(locations, path):
-      locations = get_storage_locations(image.storage.uuid)
-      if not locations or not self._storage.exists(locations, path):
-        logger.warning('Could not find a valid location to download layer %s out of %s',
-                       compute_layer_id(image), locations)
-        return None, None
+        if not self._storage.exists(locations, path):
+            locations = get_storage_locations(image.storage.uuid)
+            if not locations or not self._storage.exists(locations, path):
+                logger.warning(
+                    "Could not find a valid location to download layer %s out of %s",
+                    compute_layer_id(image),
+                    locations,
+                )
+                return None, None
 
-    uri = self._storage.get_direct_download_url(locations, path)
-    auth_header = None
-    if uri is None:
-      # Use the registry API instead, with a signed JWT giving access
-      repo_name = image.repository.name
-      namespace_name = image.repository.namespace_user.username
-      repository_and_namespace = '/'.join([namespace_name, repo_name])
+        uri = self._storage.get_direct_download_url(locations, path)
+        auth_header = None
+        if uri is None:
+            # Use the registry API instead, with a signed JWT giving access
+            repo_name = image.repository.name
+            namespace_name = image.repository.namespace_user.username
+            repository_and_namespace = "/".join([namespace_name, repo_name])
 
-      # Generate the JWT which will authorize this
-      audience = self._server_hostname
-      context, subject = build_context_and_subject()
-      access = [{
-        'type': 'repository',
-        'name': repository_and_namespace,
-        'actions': ['pull'],
-      }]
+            # Generate the JWT which will authorize this
+            audience = self._server_hostname
+            context, subject = build_context_and_subject()
+            access = [
+                {
+                    "type": "repository",
+                    "name": repository_and_namespace,
+                    "actions": ["pull"],
+                }
+            ]
 
-      auth_token = generate_bearer_token(audience, subject, context, access,
-                                         TOKEN_VALIDITY_LIFETIME_S, self._instance_keys)
-      auth_header = 'Bearer ' + auth_token
+            auth_token = generate_bearer_token(
+                audience,
+                subject,
+                context,
+                access,
+                TOKEN_VALIDITY_LIFETIME_S,
+                self._instance_keys,
+            )
+            auth_header = "Bearer " + auth_token
 
-      uri = self._uri_creator(repository_and_namespace, image.storage.content_checksum)
+            uri = self._uri_creator(
+                repository_and_namespace, image.storage.content_checksum
+            )
 
-    return uri, auth_header
+        return uri, auth_header
 
-  def _new_analyze_request(self, layer):
-    """ Create the request body to submit the given layer for analysis. If the layer's URL cannot
+    def _new_analyze_request(self, layer):
+        """ Create the request body to submit the given layer for analysis. If the layer's URL cannot
         be found, returns None.
     """
-    layer_id = compute_layer_id(layer)
-    if layer_id is None:
-      return None
+        layer_id = compute_layer_id(layer)
+        if layer_id is None:
+            return None
 
-    url, auth_header = self._get_image_url_and_auth(layer)
-    if url is None:
-      return None
+        url, auth_header = self._get_image_url_and_auth(layer)
+        if url is None:
+            return None
 
-    layer_request = {
-      'Name': layer_id,
-      'Path': url,
-      'Format': 'Docker',
-    }
+        layer_request = {"Name": layer_id, "Path": url, "Format": "Docker"}
 
-    if auth_header is not None:
-      layer_request['Headers'] = {
-        'Authorization': auth_header,
-      }
+        if auth_header is not None:
+            layer_request["Headers"] = {"Authorization": auth_header}
 
-    if layer.parent is not None:
-      if layer.parent.docker_image_id and layer.parent.storage.uuid:
-        layer_request['ParentName'] = compute_layer_id(layer.parent)
+        if layer.parent is not None:
+            if layer.parent.docker_image_id and layer.parent.storage.uuid:
+                layer_request["ParentName"] = compute_layer_id(layer.parent)
 
-    return {
-      'Layer': layer_request,
-    }
+        return {"Layer": layer_request}
 
-  def cleanup_layers(self, layers):
-    """ Callback invoked by garbage collection to cleanup any layers that no longer
+    def cleanup_layers(self, layers):
+        """ Callback invoked by garbage collection to cleanup any layers that no longer
         need to be stored in the security scanner.
     """
-    for layer in layers:
-      self.delete_layer(layer)
+        for layer in layers:
+            self.delete_layer(layer)
 
-  def ping(self):
-    """ Calls GET on the metrics endpoint of the security scanner to ensure it is running
+    def ping(self):
+        """ Calls GET on the metrics endpoint of the security scanner to ensure it is running
         and properly configured. Returns the HTTP response.
     """
-    try:
-      return self._call('GET', _API_METHOD_PING)
-    except requests.exceptions.Timeout as tie:
-      logger.exception('Timeout when trying to connect to security scanner endpoint')
-      msg = 'Timeout when trying to connect to security scanner endpoint: %s' % tie.message
-      raise Exception(msg)
-    except requests.exceptions.ConnectionError as ce:
-      logger.exception('Connection error when trying to connect to security scanner endpoint')
-      msg = 'Connection error when trying to connect to security scanner endpoint: %s' % ce.message
-      raise Exception(msg)
-    except (requests.exceptions.RequestException, ValueError) as ve:
-      logger.exception('Exception when trying to connect to security scanner endpoint')
-      msg = 'Exception when trying to connect to security scanner endpoint: %s' % ve
-      raise Exception(msg)
+        try:
+            return self._call("GET", _API_METHOD_PING)
+        except requests.exceptions.Timeout as tie:
+            logger.exception(
+                "Timeout when trying to connect to security scanner endpoint"
+            )
+            msg = (
+                "Timeout when trying to connect to security scanner endpoint: %s"
+                % tie.message
+            )
+            raise Exception(msg)
+        except requests.exceptions.ConnectionError as ce:
+            logger.exception(
+                "Connection error when trying to connect to security scanner endpoint"
+            )
+            msg = (
+                "Connection error when trying to connect to security scanner endpoint: %s"
+                % ce.message
+            )
+            raise Exception(msg)
+        except (requests.exceptions.RequestException, ValueError) as ve:
+            logger.exception(
+                "Exception when trying to connect to security scanner endpoint"
+            )
+            msg = (
+                "Exception when trying to connect to security scanner endpoint: %s" % ve
+            )
+            raise Exception(msg)
 
-  def delete_layer(self, layer):
-    """ Calls DELETE on the given layer in the security scanner, removing it from
+    def delete_layer(self, layer):
+        """ Calls DELETE on the given layer in the security scanner, removing it from
         its database.
     """
-    layer_id = compute_layer_id(layer)
-    if layer_id is None:
-      return None
+        layer_id = compute_layer_id(layer)
+        if layer_id is None:
+            return None
 
-    # NOTE: We are adding an extra check here for the time being just to be sure we're
-    # not hitting any overlap.
-    docker_image_id, layer_storage_uuid = layer_id.split('.')
-    if get_image_with_storage(docker_image_id, layer_storage_uuid):
-      logger.warning('Found shared Docker ID and storage for layer %s', layer_id)
-      return False
+        # NOTE: We are adding an extra check here for the time being just to be sure we're
+        # not hitting any overlap.
+        docker_image_id, layer_storage_uuid = layer_id.split(".")
+        if get_image_with_storage(docker_image_id, layer_storage_uuid):
+            logger.warning("Found shared Docker ID and storage for layer %s", layer_id)
+            return False
 
-    try:
-      self._call('DELETE', _API_METHOD_DELETE_LAYER % layer_id)
-      return True
-    except Non200ResponseException:
-      return False
-    except requests.exceptions.RequestException:
-      logger.exception('Failed to delete layer: %s', layer_id)
-      return False
+        try:
+            self._call("DELETE", _API_METHOD_DELETE_LAYER % layer_id)
+            return True
+        except Non200ResponseException:
+            return False
+        except requests.exceptions.RequestException:
+            logger.exception("Failed to delete layer: %s", layer_id)
+            return False
 
-  def analyze_layer(self, layer):
-    """ Posts the given layer to the security scanner for analysis, blocking until complete.
+    def analyze_layer(self, layer):
+        """ Posts the given layer to the security scanner for analysis, blocking until complete.
         Returns the analysis version on success or raises an exception deriving from
         AnalyzeLayerException on failure. Callers should handle all cases of AnalyzeLayerException.
     """
-    def _response_json(request, response):
-      try:
-        return response.json()
-      except ValueError:
-        logger.exception('Failed to decode JSON when analyzing layer %s', request['Layer']['Name'])
-        raise AnalyzeLayerException
 
-    request = self._new_analyze_request(layer)
-    if not request:
-      logger.error('Could not build analyze request for layer %s', layer.id)
-      raise AnalyzeLayerException
+        def _response_json(request, response):
+            try:
+                return response.json()
+            except ValueError:
+                logger.exception(
+                    "Failed to decode JSON when analyzing layer %s",
+                    request["Layer"]["Name"],
+                )
+                raise AnalyzeLayerException
 
-    logger.info('Analyzing layer %s', request['Layer']['Name'])
-    try:
-      response = self._call('POST', _API_METHOD_INSERT, body=request)
-    except requests.exceptions.Timeout:
-      logger.exception('Timeout when trying to post layer data response for %s', layer.id)
-      raise AnalyzeLayerRetryException
-    except requests.exceptions.ConnectionError:
-      logger.exception('Connection error when trying to post layer data response for %s', layer.id)
-      raise AnalyzeLayerRetryException
-    except (requests.exceptions.RequestException) as re:
-      logger.exception('Failed to post layer data response for %s: %s', layer.id, re)
-      raise AnalyzeLayerException
-    except Non200ResponseException as ex:
-      message = _response_json(request, ex.response).get('Error').get('Message', '')
-      logger.warning('A warning event occurred when analyzing layer %s (status code %s): %s',
-                     request['Layer']['Name'], ex.response.status_code, message)
-      # 400 means the layer could not be analyzed due to a bad request.
-      if ex.response.status_code == 400:
-        if message == UNKNOWN_PARENT_LAYER_ERROR_MSG:
-          raise MissingParentLayerException('Bad request to security scanner: %s' % message)
-        else:
-          logger.exception('Got non-200 response for analyze of layer %s', layer.id)
-          raise AnalyzeLayerException('Bad request to security scanner: %s' % message)
-      # 422 means that the layer could not be analyzed:
-      # - the layer could not be extracted (might be a manifest or an invalid .tar.gz)
-      # - the layer operating system / package manager is unsupported
-      elif ex.response.status_code == 422:
-        raise InvalidLayerException
+        request = self._new_analyze_request(layer)
+        if not request:
+            logger.error("Could not build analyze request for layer %s", layer.id)
+            raise AnalyzeLayerException
 
-      # Otherwise, it is some other error and we should retry.
-      raise AnalyzeLayerRetryException
+        logger.info("Analyzing layer %s", request["Layer"]["Name"])
+        try:
+            response = self._call("POST", _API_METHOD_INSERT, body=request)
+        except requests.exceptions.Timeout:
+            logger.exception(
+                "Timeout when trying to post layer data response for %s", layer.id
+            )
+            raise AnalyzeLayerRetryException
+        except requests.exceptions.ConnectionError:
+            logger.exception(
+                "Connection error when trying to post layer data response for %s",
+                layer.id,
+            )
+            raise AnalyzeLayerRetryException
+        except (requests.exceptions.RequestException) as re:
+            logger.exception(
+                "Failed to post layer data response for %s: %s", layer.id, re
+            )
+            raise AnalyzeLayerException
+        except Non200ResponseException as ex:
+            message = (
+                _response_json(request, ex.response).get("Error").get("Message", "")
+            )
+            logger.warning(
+                "A warning event occurred when analyzing layer %s (status code %s): %s",
+                request["Layer"]["Name"],
+                ex.response.status_code,
+                message,
+            )
+            # 400 means the layer could not be analyzed due to a bad request.
+            if ex.response.status_code == 400:
+                if message == UNKNOWN_PARENT_LAYER_ERROR_MSG:
+                    raise MissingParentLayerException(
+                        "Bad request to security scanner: %s" % message
+                    )
+                else:
+                    logger.exception(
+                        "Got non-200 response for analyze of layer %s", layer.id
+                    )
+                    raise AnalyzeLayerException(
+                        "Bad request to security scanner: %s" % message
+                    )
+            # 422 means that the layer could not be analyzed:
+            # - the layer could not be extracted (might be a manifest or an invalid .tar.gz)
+            # - the layer operating system / package manager is unsupported
+            elif ex.response.status_code == 422:
+                raise InvalidLayerException
 
-    # Return the parsed API version.
-    return _response_json(request, response)['Layer']['IndexedByVersion']
+            # Otherwise, it is some other error and we should retry.
+            raise AnalyzeLayerRetryException
 
-  def check_layer_vulnerable(self, layer_id, cve_name):
-    """ Checks to see if the layer with the given ID is vulnerable to the specified CVE. """
-    layer_data = self._get_layer_data(layer_id, include_vulnerabilities=True)
-    if layer_data is None or 'Layer' not in layer_data or 'Features' not in layer_data['Layer']:
-      return False
+        # Return the parsed API version.
+        return _response_json(request, response)["Layer"]["IndexedByVersion"]
 
-    for feature in layer_data['Layer']['Features']:
-      for vuln in feature.get('Vulnerabilities', []):
-        if vuln['Name'] == cve_name:
-          return True
+    def check_layer_vulnerable(self, layer_id, cve_name):
+        """ Checks to see if the layer with the given ID is vulnerable to the specified CVE. """
+        layer_data = self._get_layer_data(layer_id, include_vulnerabilities=True)
+        if (
+            layer_data is None
+            or "Layer" not in layer_data
+            or "Features" not in layer_data["Layer"]
+        ):
+            return False
 
-    return False
+        for feature in layer_data["Layer"]["Features"]:
+            for vuln in feature.get("Vulnerabilities", []):
+                if vuln["Name"] == cve_name:
+                    return True
 
-  def get_notification(self, notification_name, layer_limit=100, page=None):
-    """ Gets the data for a specific notification, with optional page token.
+        return False
+
+    def get_notification(self, notification_name, layer_limit=100, page=None):
+        """ Gets the data for a specific notification, with optional page token.
         Returns a tuple of the data (None on failure) and whether to retry.
     """
-    try:
-      params = {
-        'limit': layer_limit
-      }
+        try:
+            params = {"limit": layer_limit}
 
-      if page is not None:
-        params['page'] = page
+            if page is not None:
+                params["page"] = page
 
-      response = self._call('GET', _API_METHOD_GET_NOTIFICATION % notification_name, params=params)
-      json_response = response.json()
-    except requests.exceptions.Timeout:
-      logger.exception('Timeout when trying to get notification for %s', notification_name)
-      return None, True
-    except requests.exceptions.ConnectionError:
-      logger.exception('Connection error when trying to get notification for %s', notification_name)
-      return None, True
-    except (requests.exceptions.RequestException, ValueError):
-      logger.exception('Failed to get notification for %s', notification_name)
-      return None, False
-    except Non200ResponseException as ex:
-      return None, ex.response.status_code != 404 and ex.response.status_code != 400
+            response = self._call(
+                "GET", _API_METHOD_GET_NOTIFICATION % notification_name, params=params
+            )
+            json_response = response.json()
+        except requests.exceptions.Timeout:
+            logger.exception(
+                "Timeout when trying to get notification for %s", notification_name
+            )
+            return None, True
+        except requests.exceptions.ConnectionError:
+            logger.exception(
+                "Connection error when trying to get notification for %s",
+                notification_name,
+            )
+            return None, True
+        except (requests.exceptions.RequestException, ValueError):
+            logger.exception("Failed to get notification for %s", notification_name)
+            return None, False
+        except Non200ResponseException as ex:
+            return (
+                None,
+                ex.response.status_code != 404 and ex.response.status_code != 400,
+            )
 
-    return json_response, False
+        return json_response, False
 
-  def mark_notification_read(self, notification_name):
-    """ Marks a security scanner notification as read. """
-    try:
-      self._call('DELETE', _API_METHOD_MARK_NOTIFICATION_READ % notification_name)
-      return True
-    except Non200ResponseException:
-      return False
-    except requests.exceptions.RequestException:
-      logger.exception('Failed to mark notification as read: %s', notification_name)
-      return False
+    def mark_notification_read(self, notification_name):
+        """ Marks a security scanner notification as read. """
+        try:
+            self._call("DELETE", _API_METHOD_MARK_NOTIFICATION_READ % notification_name)
+            return True
+        except Non200ResponseException:
+            return False
+        except requests.exceptions.RequestException:
+            logger.exception(
+                "Failed to mark notification as read: %s", notification_name
+            )
+            return False
 
-  def get_layer_data(self, layer, include_features=False, include_vulnerabilities=False):
-    """ Returns the layer data for the specified layer. On error, returns None. """
-    layer_id = compute_layer_id(layer)
-    if layer_id is None:
-      return None
+    def get_layer_data(
+        self, layer, include_features=False, include_vulnerabilities=False
+    ):
+        """ Returns the layer data for the specified layer. On error, returns None. """
+        layer_id = compute_layer_id(layer)
+        if layer_id is None:
+            return None
 
-    return self._get_layer_data(layer_id, include_features, include_vulnerabilities)
+        return self._get_layer_data(layer_id, include_features, include_vulnerabilities)
 
-  def _get_layer_data(self, layer_id, include_features=False, include_vulnerabilities=False):
-    params = {}
-    if include_features:
-      params = {'features': True}
+    def _get_layer_data(
+        self, layer_id, include_features=False, include_vulnerabilities=False
+    ):
+        params = {}
+        if include_features:
+            params = {"features": True}
 
-    if include_vulnerabilities:
-      params = {'vulnerabilities': True}
+        if include_vulnerabilities:
+            params = {"vulnerabilities": True}
 
-    try:
-      response = self._call('GET', _API_METHOD_GET_LAYER % layer_id, params=params)
-      logger.debug('Got response %s for vulnerabilities for layer %s',
-                   response.status_code, layer_id)
-      try:
-        return response.json()
-      except ValueError:
-        logger.exception('Failed to decode response JSON')
-        return None
+        try:
+            response = self._call(
+                "GET", _API_METHOD_GET_LAYER % layer_id, params=params
+            )
+            logger.debug(
+                "Got response %s for vulnerabilities for layer %s",
+                response.status_code,
+                layer_id,
+            )
+            try:
+                return response.json()
+            except ValueError:
+                logger.exception("Failed to decode response JSON")
+                return None
 
-    except Non200ResponseException as ex:
-      logger.debug('Got failed response %s for vulnerabilities for layer %s',
-                   ex.response.status_code, layer_id)
-      if ex.response.status_code == 404:
-        return None
-      else:
-        logger.error(
-          'downstream security service failure: status %d, text: %s',
-          ex.response.status_code,
-          ex.response.text,
+        except Non200ResponseException as ex:
+            logger.debug(
+                "Got failed response %s for vulnerabilities for layer %s",
+                ex.response.status_code,
+                layer_id,
+            )
+            if ex.response.status_code == 404:
+                return None
+            else:
+                logger.error(
+                    "downstream security service failure: status %d, text: %s",
+                    ex.response.status_code,
+                    ex.response.text,
+                )
+                if ex.response.status_code // 100 == 5:
+                    raise APIRequestFailure("Downstream service returned 5xx")
+                else:
+                    raise APIRequestFailure("Downstream service returned non-200")
+        except requests.exceptions.Timeout:
+            logger.exception(
+                "API call timed out for loading vulnerabilities for layer %s", layer_id
+            )
+            raise APIRequestFailure("API call timed out")
+        except requests.exceptions.ConnectionError:
+            logger.exception(
+                "Connection error for loading vulnerabilities for layer %s", layer_id
+            )
+            raise APIRequestFailure("Could not connect to security service")
+        except requests.exceptions.RequestException:
+            logger.exception("Failed to get layer data response for %s", layer_id)
+            raise APIRequestFailure()
+
+    def _request(self, method, endpoint, path, body, params, timeout):
+        """ Issues an HTTP request to the security endpoint. """
+        url = _join_api_url(
+            endpoint, self._config.get("SECURITY_SCANNER_API_VERSION", "v1"), path
         )
-        if ex.response.status_code // 100 == 5:
-          raise APIRequestFailure('Downstream service returned 5xx')
-        else:
-          raise APIRequestFailure('Downstream service returned non-200')
-    except requests.exceptions.Timeout:
-      logger.exception('API call timed out for loading vulnerabilities for layer %s', layer_id)
-      raise APIRequestFailure('API call timed out')
-    except requests.exceptions.ConnectionError:
-      logger.exception('Connection error for loading vulnerabilities for layer %s', layer_id)
-      raise APIRequestFailure('Could not connect to security service')
-    except requests.exceptions.RequestException:
-      logger.exception('Failed to get layer data response for %s', layer_id)
-      raise APIRequestFailure()
+        signer_proxy_url = self._config.get("JWTPROXY_SIGNER", "localhost:8081")
 
+        logger.debug("%sing security URL %s", method.upper(), url)
+        resp = self._client.request(
+            method,
+            url,
+            json=body,
+            params=params,
+            timeout=timeout,
+            verify=MITM_CERT_PATH,
+            headers=DEFAULT_HTTP_HEADERS,
+            proxies={
+                "https": "https://" + signer_proxy_url,
+                "http": "http://" + signer_proxy_url,
+            },
+        )
+        if resp.status_code // 100 != 2:
+            raise Non200ResponseException(resp)
+        return resp
 
-  def _request(self, method, endpoint, path, body, params, timeout):
-    """ Issues an HTTP request to the security endpoint. """
-    url = _join_api_url(endpoint, self._config.get('SECURITY_SCANNER_API_VERSION', 'v1'), path)
-    signer_proxy_url = self._config.get('JWTPROXY_SIGNER', 'localhost:8081')
-
-    logger.debug('%sing security URL %s', method.upper(), url)
-    resp = self._client.request(method, url, json=body, params=params, timeout=timeout,
-                                verify=MITM_CERT_PATH, headers=DEFAULT_HTTP_HEADERS,
-                                proxies={'https': 'https://' + signer_proxy_url,
-                                         'http': 'http://' + signer_proxy_url})
-    if resp.status_code // 100 != 2:
-      raise Non200ResponseException(resp)
-    return resp
-
-  def _call(self, method, path, params=None, body=None):
-    """ Issues an HTTP request to the security endpoint handling the logic of using an alternative
+    def _call(self, method, path, params=None, body=None):
+        """ Issues an HTTP request to the security endpoint handling the logic of using an alternative
         BATCH endpoint for non-GET requests and failover for GET requests.
     """
-    timeout = self._config.get('SECURITY_SCANNER_API_TIMEOUT_SECONDS', 1)
-    endpoint = self._config['SECURITY_SCANNER_ENDPOINT']
+        timeout = self._config.get("SECURITY_SCANNER_API_TIMEOUT_SECONDS", 1)
+        endpoint = self._config["SECURITY_SCANNER_ENDPOINT"]
 
-    with CloseForLongOperation(self._config):
-      # If the request isn't a read, attempt to use a batch stack and do not fail over.
-      if method != 'GET':
-        if self._config.get('SECURITY_SCANNER_ENDPOINT_BATCH') is not None:
-          endpoint = self._config['SECURITY_SCANNER_ENDPOINT_BATCH']
-          timeout = self._config.get('SECURITY_SCANNER_API_BATCH_TIMEOUT_SECONDS') or timeout
-        return self._request(method, endpoint, path, body, params, timeout)
+        with CloseForLongOperation(self._config):
+            # If the request isn't a read, attempt to use a batch stack and do not fail over.
+            if method != "GET":
+                if self._config.get("SECURITY_SCANNER_ENDPOINT_BATCH") is not None:
+                    endpoint = self._config["SECURITY_SCANNER_ENDPOINT_BATCH"]
+                    timeout = (
+                        self._config.get("SECURITY_SCANNER_API_BATCH_TIMEOUT_SECONDS")
+                        or timeout
+                    )
+                return self._request(method, endpoint, path, body, params, timeout)
 
-      # The request is read-only and can failover.
-      all_endpoints = [endpoint] + self._config.get('SECURITY_SCANNER_READONLY_FAILOVER_ENDPOINTS', [])
-      return _failover_read_request(*[((self._request, endpoint, path, body, params, timeout), {})
-                                      for endpoint in all_endpoints])
+            # The request is read-only and can failover.
+            all_endpoints = [endpoint] + self._config.get(
+                "SECURITY_SCANNER_READONLY_FAILOVER_ENDPOINTS", []
+            )
+            return _failover_read_request(
+                *[
+                    ((self._request, endpoint, path, body, params, timeout), {})
+                    for endpoint in all_endpoints
+                ]
+            )
 
 
 def _join_api_url(endpoint, api_version, path):
-  pathless_url = urljoin(endpoint, '/' + api_version) + '/'
-  return urljoin(pathless_url, path)
+    pathless_url = urljoin(endpoint, "/" + api_version) + "/"
+    return urljoin(pathless_url, path)
 
 
 @failover
 def _failover_read_request(request_fn, endpoint, path, body, params, timeout):
-  """ This function auto-retries read-only requests until they return a 2xx status code. """
-  try:
-    return request_fn('GET', endpoint, path, body, params, timeout)
-  except (requests.exceptions.RequestException, Non200ResponseException) as ex:
-    raise FailoverException(ex)
+    """ This function auto-retries read-only requests until they return a 2xx status code. """
+    try:
+        return request_fn("GET", endpoint, path, body, params, timeout)
+    except (requests.exceptions.RequestException, Non200ResponseException) as ex:
+        raise FailoverException(ex)
diff --git a/util/secscan/fake.py b/util/secscan/fake.py
index 69fc30cc2..e0367f0a4 100644
--- a/util/secscan/fake.py
+++ b/util/secscan/fake.py
@@ -8,341 +8,377 @@ from httmock import urlmatch, HTTMock, all_requests
 
 from util.secscan.api import UNKNOWN_PARENT_LAYER_ERROR_MSG, compute_layer_id
 
+
 @contextmanager
-def fake_security_scanner(hostname='fakesecurityscanner'):
-  """ Context manager which yields a fake security scanner. All requests made to the given
+def fake_security_scanner(hostname="fakesecurityscanner"):
+    """ Context manager which yields a fake security scanner. All requests made to the given
       hostname (default: fakesecurityscanner) will be handled by the fake.
   """
-  scanner = FakeSecurityScanner(hostname)
-  with HTTMock(*(scanner.get_endpoints())):
-    yield scanner
+    scanner = FakeSecurityScanner(hostname)
+    with HTTMock(*(scanner.get_endpoints())):
+        yield scanner
 
 
 class FakeSecurityScanner(object):
-  """ Implements a fake security scanner (with somewhat real responses) for testing API calls and
+    """ Implements a fake security scanner (with somewhat real responses) for testing API calls and
       responses.
   """
-  def __init__(self, hostname, index_version=1):
-    self.hostname = hostname
-    self.index_version = index_version
-    self.layers = {}
-    self.notifications = {}
-    self.layer_vulns = {}
 
-    self.ok_layer_id = None
-    self.fail_layer_id = None
-    self.internal_error_layer_id = None
-    self.error_layer_id = None
-    self.unexpected_status_layer_id = None
+    def __init__(self, hostname, index_version=1):
+        self.hostname = hostname
+        self.index_version = index_version
+        self.layers = {}
+        self.notifications = {}
+        self.layer_vulns = {}
 
-  def set_ok_layer_id(self, ok_layer_id):
-    """ Sets a layer ID that, if encountered when the analyze call is made, causes a 200
+        self.ok_layer_id = None
+        self.fail_layer_id = None
+        self.internal_error_layer_id = None
+        self.error_layer_id = None
+        self.unexpected_status_layer_id = None
+
+    def set_ok_layer_id(self, ok_layer_id):
+        """ Sets a layer ID that, if encountered when the analyze call is made, causes a 200
         to be immediately returned.
     """
-    self.ok_layer_id = ok_layer_id
+        self.ok_layer_id = ok_layer_id
 
-  def set_fail_layer_id(self, fail_layer_id):
-    """ Sets a layer ID that, if encountered when the analyze call is made, causes a 422
+    def set_fail_layer_id(self, fail_layer_id):
+        """ Sets a layer ID that, if encountered when the analyze call is made, causes a 422
         to be raised.
     """
-    self.fail_layer_id = fail_layer_id
+        self.fail_layer_id = fail_layer_id
 
-  def set_internal_error_layer_id(self, internal_error_layer_id):
-    """ Sets a layer ID that, if encountered when the analyze call is made, causes a 500
+    def set_internal_error_layer_id(self, internal_error_layer_id):
+        """ Sets a layer ID that, if encountered when the analyze call is made, causes a 500
         to be raised.
     """
-    self.internal_error_layer_id = internal_error_layer_id
+        self.internal_error_layer_id = internal_error_layer_id
 
-  def set_error_layer_id(self, error_layer_id):
-    """ Sets a layer ID that, if encountered when the analyze call is made, causes a 400
+    def set_error_layer_id(self, error_layer_id):
+        """ Sets a layer ID that, if encountered when the analyze call is made, causes a 400
         to be raised.
     """
-    self.error_layer_id = error_layer_id
+        self.error_layer_id = error_layer_id
 
-  def set_unexpected_status_layer_id(self, layer_id):
-    """ Sets a layer ID that, if encountered when the analyze call is made, causes an HTTP 600
+    def set_unexpected_status_layer_id(self, layer_id):
+        """ Sets a layer ID that, if encountered when the analyze call is made, causes an HTTP 600
         to be raised. This is useful in testing the robustness of the to unknown status codes.
     """
-    self.unexpected_status_layer_id = layer_id
+        self.unexpected_status_layer_id = layer_id
 
-  def has_layer(self, layer_id):
-    """ Returns true if the layer with the given ID has been analyzed. """
-    return layer_id in self.layers
+    def has_layer(self, layer_id):
+        """ Returns true if the layer with the given ID has been analyzed. """
+        return layer_id in self.layers
 
-  def has_notification(self, notification_id):
-    """ Returns whether a notification with the given ID is found in the scanner. """
-    return notification_id in self.notifications
+    def has_notification(self, notification_id):
+        """ Returns whether a notification with the given ID is found in the scanner. """
+        return notification_id in self.notifications
 
-  def add_notification(self, old_layer_ids, new_layer_ids, old_vuln, new_vuln, max_per_page=100,
-                       indexed_old_layer_ids=None, indexed_new_layer_ids=None):
-    """ Adds a new notification over the given sets of layer IDs and vulnerability information,
+    def add_notification(
+        self,
+        old_layer_ids,
+        new_layer_ids,
+        old_vuln,
+        new_vuln,
+        max_per_page=100,
+        indexed_old_layer_ids=None,
+        indexed_new_layer_ids=None,
+    ):
+        """ Adds a new notification over the given sets of layer IDs and vulnerability information,
         returning the structural data of the notification created.
     """
-    notification_id = str(uuid.uuid4())
-    if old_vuln is None:
-      old_vuln = dict(new_vuln)
+        notification_id = str(uuid.uuid4())
+        if old_vuln is None:
+            old_vuln = dict(new_vuln)
 
-    self.notifications[notification_id] = dict(old_layer_ids=old_layer_ids,
-                                               new_layer_ids=new_layer_ids,
-                                               old_vuln=old_vuln,
-                                               new_vuln=new_vuln,
-                                               max_per_page=max_per_page,
-                                               indexed_old_layer_ids=indexed_old_layer_ids,
-                                               indexed_new_layer_ids=indexed_new_layer_ids)
+        self.notifications[notification_id] = dict(
+            old_layer_ids=old_layer_ids,
+            new_layer_ids=new_layer_ids,
+            old_vuln=old_vuln,
+            new_vuln=new_vuln,
+            max_per_page=max_per_page,
+            indexed_old_layer_ids=indexed_old_layer_ids,
+            indexed_new_layer_ids=indexed_new_layer_ids,
+        )
 
-    return self._get_notification_data(notification_id, 0, 100)
+        return self._get_notification_data(notification_id, 0, 100)
 
-  def layer_id(self, layer):
-    """ Returns the Quay Security Scanner layer ID for the given layer (Image row). """
-    return compute_layer_id(layer)
+    def layer_id(self, layer):
+        """ Returns the Quay Security Scanner layer ID for the given layer (Image row). """
+        return compute_layer_id(layer)
 
-  def add_layer(self, layer_id):
-    """ Adds a layer to the security scanner, with no features or vulnerabilities. """
-    self.layers[layer_id] = {
-      "Name": layer_id,
-      "Format": "Docker",
-      "IndexedByVersion": self.index_version,
-    }
+    def add_layer(self, layer_id):
+        """ Adds a layer to the security scanner, with no features or vulnerabilities. """
+        self.layers[layer_id] = {
+            "Name": layer_id,
+            "Format": "Docker",
+            "IndexedByVersion": self.index_version,
+        }
 
-  def remove_layer(self, layer_id):
-    """ Removes a layer from the security scanner. """
-    self.layers.pop(layer_id, None)
+    def remove_layer(self, layer_id):
+        """ Removes a layer from the security scanner. """
+        self.layers.pop(layer_id, None)
 
-  def set_vulns(self, layer_id, vulns):
-    """ Sets the vulnerabilities for the layer with the given ID to those given. """
-    self.layer_vulns[layer_id] = vulns
+    def set_vulns(self, layer_id, vulns):
+        """ Sets the vulnerabilities for the layer with the given ID to those given. """
+        self.layer_vulns[layer_id] = vulns
 
-    # Since this call may occur before the layer is "anaylzed", we only add the data
-    # to the layer itself if present.
-    if self.layers.get(layer_id):
-      layer = self.layers[layer_id]
-      layer['Features'] = layer.get('Features', [])
-      layer['Features'].append({
-        "Name":  'somefeature',
-        "Namespace": 'somenamespace',
-        "Version": 'someversion',
-        "Vulnerabilities": self.layer_vulns[layer_id],
-      })
+        # Since this call may occur before the layer is "anaylzed", we only add the data
+        # to the layer itself if present.
+        if self.layers.get(layer_id):
+            layer = self.layers[layer_id]
+            layer["Features"] = layer.get("Features", [])
+            layer["Features"].append(
+                {
+                    "Name": "somefeature",
+                    "Namespace": "somenamespace",
+                    "Version": "someversion",
+                    "Vulnerabilities": self.layer_vulns[layer_id],
+                }
+            )
 
-  def _get_notification_data(self, notification_id, page, limit):
-    """ Returns the structural data for the notification with the given ID, paginated using
+    def _get_notification_data(self, notification_id, page, limit):
+        """ Returns the structural data for the notification with the given ID, paginated using
         the given page and limit. """
-    notification = self.notifications[notification_id]
-    limit = min(limit, notification['max_per_page'])
+        notification = self.notifications[notification_id]
+        limit = min(limit, notification["max_per_page"])
 
-    notification_data = {
-      "Name": notification_id,
-      "Created": "1456247389",
-      "Notified": "1456246708",
-      "Limit": limit,
-    }
-
-    start_index = (page*limit)
-    end_index = ((page+1)*limit)
-    has_additional_page = False
-
-    if notification.get('old_vuln'):
-      old_layer_ids = notification['old_layer_ids']
-      old_layer_ids = old_layer_ids[start_index:end_index]
-      has_additional_page = has_additional_page or bool(len(old_layer_ids[end_index-1:]))
-
-      notification_data['Old'] = {
-        'Vulnerability': notification['old_vuln'],
-        'LayersIntroducingVulnerability': old_layer_ids,
-      }
-
-      if notification.get('indexed_old_layer_ids', None):
-        indexed_old_layer_ids = notification['indexed_old_layer_ids'][start_index:end_index]
-        notification_data['Old']['OrderedLayersIntroducingVulnerability'] = indexed_old_layer_ids
-
-
-    if notification.get('new_vuln'):
-      new_layer_ids = notification['new_layer_ids']
-      new_layer_ids = new_layer_ids[start_index:end_index]
-      has_additional_page = has_additional_page or bool(len(new_layer_ids[end_index-1:]))
-
-      notification_data['New'] = {
-        'Vulnerability': notification['new_vuln'],
-        'LayersIntroducingVulnerability': new_layer_ids,
-      }
-
-      if notification.get('indexed_new_layer_ids', None):
-        indexed_new_layer_ids = notification['indexed_new_layer_ids'][start_index:end_index]
-        notification_data['New']['OrderedLayersIntroducingVulnerability'] = indexed_new_layer_ids
-
-
-    if has_additional_page:
-      notification_data['NextPage'] = str(page+1)
-
-    return notification_data
-
-  def get_endpoints(self):
-    """ Returns the HTTMock endpoint definitions for the fake security scanner. """
-    @urlmatch(netloc=r'(.*\.)?' + self.hostname, path=r'/v1/layers/(.+)', method='GET')
-    def get_layer_mock(url, request):
-      layer_id = url.path[len('/v1/layers/'):]
-      if layer_id == self.ok_layer_id:
-        return {
-          'status_code': 200,
-          'content': json.dumps({'Layer': {}}),
+        notification_data = {
+            "Name": notification_id,
+            "Created": "1456247389",
+            "Notified": "1456246708",
+            "Limit": limit,
         }
 
-      if layer_id == self.internal_error_layer_id:
-        return {
-          'status_code': 500,
-          'content': json.dumps({'Error': {'Message': 'Internal server error'}}),
-        }
+        start_index = page * limit
+        end_index = (page + 1) * limit
+        has_additional_page = False
 
-      if not layer_id in self.layers:
-        return {
-          'status_code': 404,
-          'content': json.dumps({'Error': {'Message': 'Unknown layer'}}),
-        }
+        if notification.get("old_vuln"):
+            old_layer_ids = notification["old_layer_ids"]
+            old_layer_ids = old_layer_ids[start_index:end_index]
+            has_additional_page = has_additional_page or bool(
+                len(old_layer_ids[end_index - 1 :])
+            )
 
-      layer_data = copy.deepcopy(self.layers[layer_id])
+            notification_data["Old"] = {
+                "Vulnerability": notification["old_vuln"],
+                "LayersIntroducingVulnerability": old_layer_ids,
+            }
 
-      has_vulns = request.url.find('vulnerabilities') > 0
-      has_features = request.url.find('features') > 0
-      if not has_vulns and not has_features:
-        layer_data.pop('Features', None)
+            if notification.get("indexed_old_layer_ids", None):
+                indexed_old_layer_ids = notification["indexed_old_layer_ids"][
+                    start_index:end_index
+                ]
+                notification_data["Old"][
+                    "OrderedLayersIntroducingVulnerability"
+                ] = indexed_old_layer_ids
 
-      return {
-        'status_code': 200,
-        'content': json.dumps({'Layer': layer_data}),
-      }
+        if notification.get("new_vuln"):
+            new_layer_ids = notification["new_layer_ids"]
+            new_layer_ids = new_layer_ids[start_index:end_index]
+            has_additional_page = has_additional_page or bool(
+                len(new_layer_ids[end_index - 1 :])
+            )
 
-    @urlmatch(netloc=r'(.*\.)?' + self.hostname, path=r'/v1/layers/(.+)', method='DELETE')
-    def remove_layer_mock(url, _):
-      layer_id = url.path[len('/v1/layers/'):]
-      if not layer_id in self.layers:
-        return {
-          'status_code': 404,
-          'content': json.dumps({'Error': {'Message': 'Unknown layer'}}),
-        }
+            notification_data["New"] = {
+                "Vulnerability": notification["new_vuln"],
+                "LayersIntroducingVulnerability": new_layer_ids,
+            }
 
-      self.layers.pop(layer_id)
-      return {
-        'status_code': 204, 'content': '',
-      }
+            if notification.get("indexed_new_layer_ids", None):
+                indexed_new_layer_ids = notification["indexed_new_layer_ids"][
+                    start_index:end_index
+                ]
+                notification_data["New"][
+                    "OrderedLayersIntroducingVulnerability"
+                ] = indexed_new_layer_ids
 
-    @urlmatch(netloc=r'(.*\.)?' + self.hostname, path=r'/v1/layers', method='POST')
-    def post_layer_mock(_, request):
-      body_data = json.loads(request.body)
-      if not 'Layer' in body_data:
-        return {'status_code': 400, 'content': 'Missing body'}
+        if has_additional_page:
+            notification_data["NextPage"] = str(page + 1)
 
-      layer = body_data['Layer']
-      if not 'Path' in layer:
-        return {'status_code': 400, 'content': 'Missing Path'}
+        return notification_data
 
-      if not 'Name' in layer:
-        return {'status_code': 400, 'content': 'Missing Name'}
+    def get_endpoints(self):
+        """ Returns the HTTMock endpoint definitions for the fake security scanner. """
 
-      if not 'Format' in layer:
-        return {'status_code': 400, 'content': 'Missing Format'}
+        @urlmatch(
+            netloc=r"(.*\.)?" + self.hostname, path=r"/v1/layers/(.+)", method="GET"
+        )
+        def get_layer_mock(url, request):
+            layer_id = url.path[len("/v1/layers/") :]
+            if layer_id == self.ok_layer_id:
+                return {"status_code": 200, "content": json.dumps({"Layer": {}})}
 
-      if layer['Name'] == self.internal_error_layer_id:
-        return {
-          'status_code': 500,
-          'content': json.dumps({'Error': {'Message': 'Internal server error'}}),
-        }
+            if layer_id == self.internal_error_layer_id:
+                return {
+                    "status_code": 500,
+                    "content": json.dumps(
+                        {"Error": {"Message": "Internal server error"}}
+                    ),
+                }
 
-      if layer['Name'] == self.fail_layer_id:
-        return {
-          'status_code': 422,
-          'content': json.dumps({'Error': {'Message': 'Cannot analyze'}}),
-        }
+            if not layer_id in self.layers:
+                return {
+                    "status_code": 404,
+                    "content": json.dumps({"Error": {"Message": "Unknown layer"}}),
+                }
 
-      if layer['Name'] == self.error_layer_id:
-        return {
-          'status_code': 400,
-          'content': json.dumps({'Error': {'Message': 'Some sort of error'}}),
-        }
+            layer_data = copy.deepcopy(self.layers[layer_id])
 
-      if layer['Name'] == self.unexpected_status_layer_id:
-        return {
-          'status_code': 600,
-          'content': json.dumps({'Error': {'Message': 'Some sort of error'}}),
-        }
+            has_vulns = request.url.find("vulnerabilities") > 0
+            has_features = request.url.find("features") > 0
+            if not has_vulns and not has_features:
+                layer_data.pop("Features", None)
 
+            return {"status_code": 200, "content": json.dumps({"Layer": layer_data})}
 
-      parent_id = layer.get('ParentName', None)
-      parent_layer = None
+        @urlmatch(
+            netloc=r"(.*\.)?" + self.hostname, path=r"/v1/layers/(.+)", method="DELETE"
+        )
+        def remove_layer_mock(url, _):
+            layer_id = url.path[len("/v1/layers/") :]
+            if not layer_id in self.layers:
+                return {
+                    "status_code": 404,
+                    "content": json.dumps({"Error": {"Message": "Unknown layer"}}),
+                }
 
-      if parent_id is not None:
-        parent_layer = self.layers.get(parent_id, None)
-        if parent_layer is None:
-          return {
-            'status_code': 400,
-            'content': json.dumps({'Error': {'Message': UNKNOWN_PARENT_LAYER_ERROR_MSG}}),
-          }
+            self.layers.pop(layer_id)
+            return {"status_code": 204, "content": ""}
 
-      self.add_layer(layer['Name'])
-      if parent_layer is not None:
-        self.layers[layer['Name']]['ParentName'] = parent_id
+        @urlmatch(netloc=r"(.*\.)?" + self.hostname, path=r"/v1/layers", method="POST")
+        def post_layer_mock(_, request):
+            body_data = json.loads(request.body)
+            if not "Layer" in body_data:
+                return {"status_code": 400, "content": "Missing body"}
 
-      # If vulnerabilities have already been registered with this layer, call set_vulns to make sure
-      # their data is added to the layer's data.
-      if self.layer_vulns.get(layer['Name']):
-        self.set_vulns(layer['Name'], self.layer_vulns[layer['Name']])
+            layer = body_data["Layer"]
+            if not "Path" in layer:
+                return {"status_code": 400, "content": "Missing Path"}
 
-      return {
-        'status_code': 201,
-        'content': json.dumps({
-          "Layer": self.layers[layer['Name']],
-        }),
-      }
+            if not "Name" in layer:
+                return {"status_code": 400, "content": "Missing Name"}
 
+            if not "Format" in layer:
+                return {"status_code": 400, "content": "Missing Format"}
 
-    @urlmatch(netloc=r'(.*\.)?' + self.hostname, path=r'/v1/notifications/(.+)$', method='DELETE')
-    def delete_notification(url, _):
-      notification_id = url.path[len('/v1/notifications/'):]
-      if notification_id not in self.notifications:
-        return {
-          'status_code': 404,
-          'content': json.dumps({'Error': {'Message': 'Unknown notification'}}),
-        }
+            if layer["Name"] == self.internal_error_layer_id:
+                return {
+                    "status_code": 500,
+                    "content": json.dumps(
+                        {"Error": {"Message": "Internal server error"}}
+                    ),
+                }
 
-      self.notifications.pop(notification_id)
-      return {
-        'status_code': 204,
-        'content': '',
-      }
+            if layer["Name"] == self.fail_layer_id:
+                return {
+                    "status_code": 422,
+                    "content": json.dumps({"Error": {"Message": "Cannot analyze"}}),
+                }
 
+            if layer["Name"] == self.error_layer_id:
+                return {
+                    "status_code": 400,
+                    "content": json.dumps({"Error": {"Message": "Some sort of error"}}),
+                }
 
-    @urlmatch(netloc=r'(.*\.)?' + self.hostname, path=r'/v1/notifications/(.+)$', method='GET')
-    def get_notification(url, _):
-      notification_id = url.path[len('/v1/notifications/'):]
-      if notification_id not in self.notifications:
-        return {
-          'status_code': 404,
-          'content': json.dumps({'Error': {'Message': 'Unknown notification'}}),
-        }
+            if layer["Name"] == self.unexpected_status_layer_id:
+                return {
+                    "status_code": 600,
+                    "content": json.dumps({"Error": {"Message": "Some sort of error"}}),
+                }
 
-      query_params = urlparse.parse_qs(url.query)
-      limit = int(query_params.get('limit', [2])[0])
-      page = int(query_params.get('page', [0])[0])
+            parent_id = layer.get("ParentName", None)
+            parent_layer = None
 
-      notification_data = self._get_notification_data(notification_id, page, limit)
-      response = {'Notification': notification_data}
-      return {
-        'status_code': 200,
-        'content': json.dumps(response),
-      }
+            if parent_id is not None:
+                parent_layer = self.layers.get(parent_id, None)
+                if parent_layer is None:
+                    return {
+                        "status_code": 400,
+                        "content": json.dumps(
+                            {"Error": {"Message": UNKNOWN_PARENT_LAYER_ERROR_MSG}}
+                        ),
+                    }
 
-    @urlmatch(netloc=r'(.*\.)?' + self.hostname, path=r'/v1/metrics$', method='GET')
-    def metrics(url, _):
-      return {
-        'status_code': 200,
-        'content': json.dumps({'fake': True}),
-      }
+            self.add_layer(layer["Name"])
+            if parent_layer is not None:
+                self.layers[layer["Name"]]["ParentName"] = parent_id
 
-    @all_requests
-    def response_content(url, _):
-      return {
-        'status_code': 500,
-        'content': json.dumps({'Error': {'Message': 'Unknown endpoint %s' % url.path}}),
-      }
+            # If vulnerabilities have already been registered with this layer, call set_vulns to make sure
+            # their data is added to the layer's data.
+            if self.layer_vulns.get(layer["Name"]):
+                self.set_vulns(layer["Name"], self.layer_vulns[layer["Name"]])
 
-    return [get_layer_mock, post_layer_mock, remove_layer_mock, get_notification,
-            delete_notification, metrics, response_content]
+            return {
+                "status_code": 201,
+                "content": json.dumps({"Layer": self.layers[layer["Name"]]}),
+            }
+
+        @urlmatch(
+            netloc=r"(.*\.)?" + self.hostname,
+            path=r"/v1/notifications/(.+)$",
+            method="DELETE",
+        )
+        def delete_notification(url, _):
+            notification_id = url.path[len("/v1/notifications/") :]
+            if notification_id not in self.notifications:
+                return {
+                    "status_code": 404,
+                    "content": json.dumps(
+                        {"Error": {"Message": "Unknown notification"}}
+                    ),
+                }
+
+            self.notifications.pop(notification_id)
+            return {"status_code": 204, "content": ""}
+
+        @urlmatch(
+            netloc=r"(.*\.)?" + self.hostname,
+            path=r"/v1/notifications/(.+)$",
+            method="GET",
+        )
+        def get_notification(url, _):
+            notification_id = url.path[len("/v1/notifications/") :]
+            if notification_id not in self.notifications:
+                return {
+                    "status_code": 404,
+                    "content": json.dumps(
+                        {"Error": {"Message": "Unknown notification"}}
+                    ),
+                }
+
+            query_params = urlparse.parse_qs(url.query)
+            limit = int(query_params.get("limit", [2])[0])
+            page = int(query_params.get("page", [0])[0])
+
+            notification_data = self._get_notification_data(
+                notification_id, page, limit
+            )
+            response = {"Notification": notification_data}
+            return {"status_code": 200, "content": json.dumps(response)}
+
+        @urlmatch(netloc=r"(.*\.)?" + self.hostname, path=r"/v1/metrics$", method="GET")
+        def metrics(url, _):
+            return {"status_code": 200, "content": json.dumps({"fake": True})}
+
+        @all_requests
+        def response_content(url, _):
+            return {
+                "status_code": 500,
+                "content": json.dumps(
+                    {"Error": {"Message": "Unknown endpoint %s" % url.path}}
+                ),
+            }
+
+        return [
+            get_layer_mock,
+            post_layer_mock,
+            remove_layer_mock,
+            get_notification,
+            delete_notification,
+            metrics,
+            response_content,
+        ]
diff --git a/util/secscan/notifier.py b/util/secscan/notifier.py
index ab60995cc..431725158 100644
--- a/util/secscan/notifier.py
+++ b/util/secscan/notifier.py
@@ -9,170 +9,204 @@ from data.registry_model import registry_model
 from notifications import notification_batch
 from util.secscan import PRIORITY_LEVELS
 from util.secscan.api import APIRequestFailure
-from util.morecollections import AttrDict, StreamingDiffTracker, IndexedStreamingDiffTracker
+from util.morecollections import (
+    AttrDict,
+    StreamingDiffTracker,
+    IndexedStreamingDiffTracker,
+)
 
 
 logger = logging.getLogger(__name__)
 
+
 class ProcessNotificationPageResult(Enum):
-  FINISHED_PAGE = 'Finished Page'
-  FINISHED_PROCESSING = 'Finished Processing'
-  FAILED = 'Failed'
+    FINISHED_PAGE = "Finished Page"
+    FINISHED_PROCESSING = "Finished Processing"
+    FAILED = "Failed"
 
 
 class SecurityNotificationHandler(object):
-  """ Class to process paginated notifications from the security scanner and issue
+    """ Class to process paginated notifications from the security scanner and issue
       Quay vulnerability_found notifications for all necessary tags. Callers should
       initialize, call process_notification_page_data for each page until it returns
       FINISHED_PROCESSING or FAILED and, if succeeded, then call send_notifications
       to send out the notifications queued.
   """
-  def __init__(self, results_per_stream):
-    self.tags_by_repository_map = defaultdict(set)
-    self.repository_map = {}
-    self.check_map = {}
-    self.layer_ids = set()
 
-    self.stream_tracker = None
-    self.results_per_stream = results_per_stream
-    self.vulnerability_info = None
+    def __init__(self, results_per_stream):
+        self.tags_by_repository_map = defaultdict(set)
+        self.repository_map = {}
+        self.check_map = {}
+        self.layer_ids = set()
 
-  def send_notifications(self):
-    """ Sends all queued up notifications. """
-    if self.vulnerability_info is None:
-      return
+        self.stream_tracker = None
+        self.results_per_stream = results_per_stream
+        self.vulnerability_info = None
 
-    new_vuln = self.vulnerability_info
-    new_severity = PRIORITY_LEVELS.get(new_vuln.get('Severity', 'Unknown'), {'index': sys.maxint})
+    def send_notifications(self):
+        """ Sends all queued up notifications. """
+        if self.vulnerability_info is None:
+            return
 
-    # For each of the tags found, issue a notification.
-    with notification_batch() as spawn_notification:
-      for repository_id, tags in self.tags_by_repository_map.iteritems():
-        event_data = {
-          'tags': list(tags),
-          'vulnerability': {
-            'id': new_vuln['Name'],
-            'description': new_vuln.get('Description', None),
-            'link': new_vuln.get('Link', None),
-            'priority': new_severity['title'],
-            'has_fix': 'FixedIn' in new_vuln,
-          },
-        }
+        new_vuln = self.vulnerability_info
+        new_severity = PRIORITY_LEVELS.get(
+            new_vuln.get("Severity", "Unknown"), {"index": sys.maxint}
+        )
 
-        spawn_notification(self.repository_map[repository_id], 'vulnerability_found', event_data)
+        # For each of the tags found, issue a notification.
+        with notification_batch() as spawn_notification:
+            for repository_id, tags in self.tags_by_repository_map.iteritems():
+                event_data = {
+                    "tags": list(tags),
+                    "vulnerability": {
+                        "id": new_vuln["Name"],
+                        "description": new_vuln.get("Description", None),
+                        "link": new_vuln.get("Link", None),
+                        "priority": new_severity["title"],
+                        "has_fix": "FixedIn" in new_vuln,
+                    },
+                }
 
-  def process_notification_page_data(self, notification_page_data):
-    """ Processes the given notification page data to spawn vulnerability notifications as
+                spawn_notification(
+                    self.repository_map[repository_id],
+                    "vulnerability_found",
+                    event_data,
+                )
+
+    def process_notification_page_data(self, notification_page_data):
+        """ Processes the given notification page data to spawn vulnerability notifications as
         necessary. Returns the status of the processing.
     """
-    if not 'New' in notification_page_data:
-      return self._done()
+        if not "New" in notification_page_data:
+            return self._done()
 
-    new_data = notification_page_data['New']
-    old_data = notification_page_data.get('Old', {})
+        new_data = notification_page_data["New"]
+        old_data = notification_page_data.get("Old", {})
 
-    new_vuln = new_data['Vulnerability']
-    old_vuln = old_data.get('Vulnerability', {})
+        new_vuln = new_data["Vulnerability"]
+        old_vuln = old_data.get("Vulnerability", {})
 
-    self.vulnerability_info = new_vuln
+        self.vulnerability_info = new_vuln
 
-    new_layer_ids = new_data.get('LayersIntroducingVulnerability', [])
-    old_layer_ids = old_data.get('LayersIntroducingVulnerability', [])
+        new_layer_ids = new_data.get("LayersIntroducingVulnerability", [])
+        old_layer_ids = old_data.get("LayersIntroducingVulnerability", [])
 
-    new_severity = PRIORITY_LEVELS.get(new_vuln.get('Severity', 'Unknown'), {'index': sys.maxint})
-    old_severity = PRIORITY_LEVELS.get(old_vuln.get('Severity', 'Unknown'), {'index': sys.maxint})
+        new_severity = PRIORITY_LEVELS.get(
+            new_vuln.get("Severity", "Unknown"), {"index": sys.maxint}
+        )
+        old_severity = PRIORITY_LEVELS.get(
+            old_vuln.get("Severity", "Unknown"), {"index": sys.maxint}
+        )
 
-    # Check if the severity of the vulnerability has increased. If so, then we report this
-    # vulnerability for *all* layers, rather than a difference, as it is important for everyone.
-    if new_severity['index'] < old_severity['index']:
-      # The vulnerability has had its severity increased. Report for *all* layers.
-      all_layer_ids = set(new_layer_ids) | set(old_layer_ids)
-      for layer_id in all_layer_ids:
-        self._report(layer_id)
+        # Check if the severity of the vulnerability has increased. If so, then we report this
+        # vulnerability for *all* layers, rather than a difference, as it is important for everyone.
+        if new_severity["index"] < old_severity["index"]:
+            # The vulnerability has had its severity increased. Report for *all* layers.
+            all_layer_ids = set(new_layer_ids) | set(old_layer_ids)
+            for layer_id in all_layer_ids:
+                self._report(layer_id)
 
-      if 'NextPage' not in notification_page_data:
-        return self._done()
-      else:
-        return ProcessNotificationPageResult.FINISHED_PAGE
+            if "NextPage" not in notification_page_data:
+                return self._done()
+            else:
+                return ProcessNotificationPageResult.FINISHED_PAGE
 
-    # Otherwise, only send the notification to new layers. To find only the new layers, we
-    # need to do a streaming diff vs the old layer IDs stream.
+        # Otherwise, only send the notification to new layers. To find only the new layers, we
+        # need to do a streaming diff vs the old layer IDs stream.
 
-    # Check for ordered data. If found, we use the indexed tracker, which is faster and
-    # more memory efficient.
-    is_indexed = False
-    if ('OrderedLayersIntroducingVulnerability' in new_data or
-        'OrderedLayersIntroducingVulnerability' in old_data):
+        # Check for ordered data. If found, we use the indexed tracker, which is faster and
+        # more memory efficient.
+        is_indexed = False
+        if (
+            "OrderedLayersIntroducingVulnerability" in new_data
+            or "OrderedLayersIntroducingVulnerability" in old_data
+        ):
 
-      def tuplize(stream):
-        return [(entry['LayerName'], entry['Index']) for entry in stream]
+            def tuplize(stream):
+                return [(entry["LayerName"], entry["Index"]) for entry in stream]
 
-      new_layer_ids = tuplize(new_data.get('OrderedLayersIntroducingVulnerability', []))
-      old_layer_ids = tuplize(old_data.get('OrderedLayersIntroducingVulnerability', []))
-      is_indexed = True
+            new_layer_ids = tuplize(
+                new_data.get("OrderedLayersIntroducingVulnerability", [])
+            )
+            old_layer_ids = tuplize(
+                old_data.get("OrderedLayersIntroducingVulnerability", [])
+            )
+            is_indexed = True
 
-    # If this is the first call, initialize the tracker.
-    if self.stream_tracker is None:
-      self.stream_tracker = (IndexedStreamingDiffTracker(self._report, self.results_per_stream)
-                             if is_indexed
-                             else StreamingDiffTracker(self._report, self.results_per_stream))
+        # If this is the first call, initialize the tracker.
+        if self.stream_tracker is None:
+            self.stream_tracker = (
+                IndexedStreamingDiffTracker(self._report, self.results_per_stream)
+                if is_indexed
+                else StreamingDiffTracker(self._report, self.results_per_stream)
+            )
 
-    # Call to add the old and new layer ID streams to the tracker. The tracker itself will
-    # call _report whenever it has determined a new layer has been found.
-    self.stream_tracker.push_new(new_layer_ids)
-    self.stream_tracker.push_old(old_layer_ids)
+        # Call to add the old and new layer ID streams to the tracker. The tracker itself will
+        # call _report whenever it has determined a new layer has been found.
+        self.stream_tracker.push_new(new_layer_ids)
+        self.stream_tracker.push_old(old_layer_ids)
 
-    # Check to see if there are any additional pages to process.
-    if 'NextPage' not in notification_page_data:
-      return self._done()
-    else:
-      return ProcessNotificationPageResult.FINISHED_PAGE
+        # Check to see if there are any additional pages to process.
+        if "NextPage" not in notification_page_data:
+            return self._done()
+        else:
+            return ProcessNotificationPageResult.FINISHED_PAGE
 
-  def _done(self):
-    if self.stream_tracker is not None:
-      # Mark the tracker as done, so that it finishes reporting any outstanding layers.
-      self.stream_tracker.done()
+    def _done(self):
+        if self.stream_tracker is not None:
+            # Mark the tracker as done, so that it finishes reporting any outstanding layers.
+            self.stream_tracker.done()
 
-    # Process all the layers.
-    if self.vulnerability_info is not None:
-      if not self._process_layers():
-        return ProcessNotificationPageResult.FAILED
+        # Process all the layers.
+        if self.vulnerability_info is not None:
+            if not self._process_layers():
+                return ProcessNotificationPageResult.FAILED
 
-    return ProcessNotificationPageResult.FINISHED_PROCESSING
+        return ProcessNotificationPageResult.FINISHED_PROCESSING
 
-  def _report(self, new_layer_id):
-    self.layer_ids.add(new_layer_id)
+    def _report(self, new_layer_id):
+        self.layer_ids.add(new_layer_id)
 
-  def _chunk(self, pairs, chunk_size):
-    start_index = 0
-    while start_index < len(pairs):
-      yield pairs[start_index:chunk_size]
-      start_index += chunk_size
+    def _chunk(self, pairs, chunk_size):
+        start_index = 0
+        while start_index < len(pairs):
+            yield pairs[start_index:chunk_size]
+            start_index += chunk_size
 
-  def _process_layers(self):
-    cve_id = self.vulnerability_info['Name']
+    def _process_layers(self):
+        cve_id = self.vulnerability_info["Name"]
 
-    # Builds the pairs of layer ID and storage uuid.
-    pairs = [tuple(layer_id.split('.', 2)) for layer_id in self.layer_ids]
+        # Builds the pairs of layer ID and storage uuid.
+        pairs = [tuple(layer_id.split(".", 2)) for layer_id in self.layer_ids]
 
-    # Find the matching tags.
-    for current_pairs in self._chunk(pairs, 50):
-      tags = list(registry_model.yield_tags_for_vulnerability_notification(current_pairs))
-      for tag in tags:
-        # Verify that the tag's *top layer* has the vulnerability.
-        if not tag.layer_id in self.check_map:
-          logger.debug('Checking if layer %s is vulnerable to %s', tag.layer_id, cve_id)
-          try:
-            self.check_map[tag.layer_id] = secscan_api.check_layer_vulnerable(tag.layer_id, cve_id)
-          except APIRequestFailure:
-            return False
+        # Find the matching tags.
+        for current_pairs in self._chunk(pairs, 50):
+            tags = list(
+                registry_model.yield_tags_for_vulnerability_notification(current_pairs)
+            )
+            for tag in tags:
+                # Verify that the tag's *top layer* has the vulnerability.
+                if not tag.layer_id in self.check_map:
+                    logger.debug(
+                        "Checking if layer %s is vulnerable to %s", tag.layer_id, cve_id
+                    )
+                    try:
+                        self.check_map[
+                            tag.layer_id
+                        ] = secscan_api.check_layer_vulnerable(tag.layer_id, cve_id)
+                    except APIRequestFailure:
+                        return False
 
-        logger.debug('Result of layer %s is vulnerable to %s check: %s', tag.layer_id, cve_id,
-                     self.check_map[tag.layer_id])
+                logger.debug(
+                    "Result of layer %s is vulnerable to %s check: %s",
+                    tag.layer_id,
+                    cve_id,
+                    self.check_map[tag.layer_id],
+                )
 
-        if self.check_map[tag.layer_id]:
-          # Add the vulnerable tag to the list.
-          self.tags_by_repository_map[tag.repository.id].add(tag.name)
-          self.repository_map[tag.repository.id] = tag.repository
+                if self.check_map[tag.layer_id]:
+                    # Add the vulnerable tag to the list.
+                    self.tags_by_repository_map[tag.repository.id].add(tag.name)
+                    self.repository_map[tag.repository.id] = tag.repository
 
-    return True
+        return True
diff --git a/util/secscan/secscan_util.py b/util/secscan/secscan_util.py
index 468e37ca1..237c554a0 100644
--- a/util/secscan/secscan_util.py
+++ b/util/secscan/secscan_util.py
@@ -4,19 +4,21 @@ from flask import url_for
 
 
 def get_blob_download_uri_getter(context, url_scheme_and_hostname):
-  """
+    """
   Returns a function with context to later generate the uri for a download blob
   :param context: Flask RequestContext
   :param url_scheme_and_hostname: URLSchemeAndHostname class instance
   :return: function (repository_and_namespace, checksum) -> uri
   """
-  def create_uri(repository_and_namespace, checksum):
-    """
+
+    def create_uri(repository_and_namespace, checksum):
+        """
     Creates a uri for a download blob from a repository, namespace, and checksum from earlier context
     """
-    with context:
-      relative_layer_url = url_for('v2.download_blob', repository=repository_and_namespace,
-                                   digest=checksum)
-    return urljoin(url_scheme_and_hostname.get_url(), relative_layer_url)
+        with context:
+            relative_layer_url = url_for(
+                "v2.download_blob", repository=repository_and_namespace, digest=checksum
+            )
+        return urljoin(url_scheme_and_hostname.get_url(), relative_layer_url)
 
-  return create_uri
+    return create_uri
diff --git a/util/secscan/test/test_secscan_util.py b/util/secscan/test/test_secscan_util.py
index 62391130b..6afc9a461 100644
--- a/util/secscan/test/test_secscan_util.py
+++ b/util/secscan/test/test_secscan_util.py
@@ -6,14 +6,23 @@ from util.secscan.secscan_util import get_blob_download_uri_getter
 
 from test.fixtures import *
 
-@pytest.mark.parametrize('url_scheme_and_hostname, repo_namespace, checksum, expected_value,', [
-  (URLSchemeAndHostname('http', 'localhost:5000'),
-   'devtable/simple', 'tarsum+sha256:123',
-   'http://localhost:5000/v2/devtable/simple/blobs/tarsum%2Bsha256:123'),
-])
-def test_blob_download_uri_getter(app, url_scheme_and_hostname,
-                                         repo_namespace, checksum,
-                                         expected_value):
-  blob_uri_getter = get_blob_download_uri_getter(app.test_request_context('/'), url_scheme_and_hostname)
 
-  assert blob_uri_getter(repo_namespace, checksum) == expected_value
+@pytest.mark.parametrize(
+    "url_scheme_and_hostname, repo_namespace, checksum, expected_value,",
+    [
+        (
+            URLSchemeAndHostname("http", "localhost:5000"),
+            "devtable/simple",
+            "tarsum+sha256:123",
+            "http://localhost:5000/v2/devtable/simple/blobs/tarsum%2Bsha256:123",
+        )
+    ],
+)
+def test_blob_download_uri_getter(
+    app, url_scheme_and_hostname, repo_namespace, checksum, expected_value
+):
+    blob_uri_getter = get_blob_download_uri_getter(
+        app.test_request_context("/"), url_scheme_and_hostname
+    )
+
+    assert blob_uri_getter(repo_namespace, checksum) == expected_value
diff --git a/util/secscan/validator.py b/util/secscan/validator.py
index 1eaa1244b..4d747e537 100644
--- a/util/secscan/validator.py
+++ b/util/secscan/validator.py
@@ -5,26 +5,28 @@ logger = logging.getLogger(__name__)
 
 
 class SecurityConfigValidator(object):
-  """ Helper class for validating the security scanner configuration. """
-  def __init__(self, feature_sec_scan, sec_scan_endpoint):
-    if not feature_sec_scan:
-      return
+    """ Helper class for validating the security scanner configuration. """
 
-    self._feature_sec_scan = feature_sec_scan
-    self._sec_scan_endpoint = sec_scan_endpoint
+    def __init__(self, feature_sec_scan, sec_scan_endpoint):
+        if not feature_sec_scan:
+            return
 
-  def valid(self):
-    if not self._feature_sec_scan:
-      return False
+        self._feature_sec_scan = feature_sec_scan
+        self._sec_scan_endpoint = sec_scan_endpoint
 
-    if self._sec_scan_endpoint is None:
-      logger.debug('Missing SECURITY_SCANNER_ENDPOINT configuration')
-      return False
+    def valid(self):
+        if not self._feature_sec_scan:
+            return False
 
-    endpoint = self._sec_scan_endpoint
-    if not endpoint.startswith('http://') and not endpoint.startswith('https://'):
-      logger.debug('SECURITY_SCANNER_ENDPOINT configuration must start with http or https')
-      return False
+        if self._sec_scan_endpoint is None:
+            logger.debug("Missing SECURITY_SCANNER_ENDPOINT configuration")
+            return False
 
-    return True
+        endpoint = self._sec_scan_endpoint
+        if not endpoint.startswith("http://") and not endpoint.startswith("https://"):
+            logger.debug(
+                "SECURITY_SCANNER_ENDPOINT configuration must start with http or https"
+            )
+            return False
 
+        return True
diff --git a/util/security/aes.py b/util/security/aes.py
index 93d341f9a..ee56f247e 100644
--- a/util/security/aes.py
+++ b/util/security/aes.py
@@ -5,30 +5,32 @@ import hashlib
 from Crypto import Random
 from Crypto.Cipher import AES
 
+
 class AESCipher(object):
-  """ Helper class for encrypting and decrypting data via AES.
+    """ Helper class for encrypting and decrypting data via AES.
 
       Copied From: http://stackoverflow.com/a/21928790
   """
-  def __init__(self, key):
-    self.bs = 32
-    self.key = key
 
-  def encrypt(self, raw):
-    raw = self._pad(raw)
-    iv = Random.new().read(AES.block_size)
-    cipher = AES.new(self.key, AES.MODE_CBC, iv)
-    return base64.b64encode(iv + cipher.encrypt(raw))
+    def __init__(self, key):
+        self.bs = 32
+        self.key = key
 
-  def decrypt(self, enc):
-    enc = base64.b64decode(enc)
-    iv = enc[:AES.block_size]
-    cipher = AES.new(self.key, AES.MODE_CBC, iv)
-    return self._unpad(cipher.decrypt(enc[AES.block_size:])).decode('utf-8')
+    def encrypt(self, raw):
+        raw = self._pad(raw)
+        iv = Random.new().read(AES.block_size)
+        cipher = AES.new(self.key, AES.MODE_CBC, iv)
+        return base64.b64encode(iv + cipher.encrypt(raw))
 
-  def _pad(self, s):
-    return s + (self.bs - len(s) % self.bs) * chr(self.bs - len(s) % self.bs)
+    def decrypt(self, enc):
+        enc = base64.b64decode(enc)
+        iv = enc[: AES.block_size]
+        cipher = AES.new(self.key, AES.MODE_CBC, iv)
+        return self._unpad(cipher.decrypt(enc[AES.block_size :])).decode("utf-8")
 
-  @staticmethod
-  def _unpad(s):
-    return s[:-ord(s[len(s)-1:])]
\ No newline at end of file
+    def _pad(self, s):
+        return s + (self.bs - len(s) % self.bs) * chr(self.bs - len(s) % self.bs)
+
+    @staticmethod
+    def _unpad(s):
+        return s[: -ord(s[len(s) - 1 :])]
diff --git a/util/security/crypto.py b/util/security/crypto.py
index d25c860e6..1c51e14d2 100644
--- a/util/security/crypto.py
+++ b/util/security/crypto.py
@@ -2,17 +2,19 @@ import base64
 
 from cryptography.fernet import Fernet, InvalidToken
 
+
 def encrypt_string(string, key):
-  """ Encrypts a string with the specified key. The key must be 32 raw bytes. """
-  f = Fernet(key)
-  return f.encrypt(string)
+    """ Encrypts a string with the specified key. The key must be 32 raw bytes. """
+    f = Fernet(key)
+    return f.encrypt(string)
+
 
 def decrypt_string(string, key, ttl=None):
-  """ Decrypts an encrypted string with the specified key. The key must be 32 raw bytes. """
-  f = Fernet(key)
-  try:
-    return f.decrypt(str(string), ttl=ttl)
-  except InvalidToken:
-    return None
-  except TypeError:
-    return None
+    """ Decrypts an encrypted string with the specified key. The key must be 32 raw bytes. """
+    f = Fernet(key)
+    try:
+        return f.decrypt(str(string), ttl=ttl)
+    except InvalidToken:
+        return None
+    except TypeError:
+        return None
diff --git a/util/security/fingerprint.py b/util/security/fingerprint.py
index 51212aae7..bd7fc1c8b 100644
--- a/util/security/fingerprint.py
+++ b/util/security/fingerprint.py
@@ -3,8 +3,9 @@ import json
 from hashlib import sha256
 from util.canonicaljson import canonicalize
 
+
 def canonical_kid(jwk):
-  """This function returns the SHA256 hash of a canonical JWK.
+    """This function returns the SHA256 hash of a canonical JWK.
 
   Args:
     jwk (object): the JWK for which a kid will be generated.
@@ -13,4 +14,4 @@ def canonical_kid(jwk):
     string: the unique kid for the given JWK.
 
   """
-  return sha256(json.dumps(canonicalize(jwk), separators=(',', ':'))).hexdigest()
+    return sha256(json.dumps(canonicalize(jwk), separators=(",", ":"))).hexdigest()
diff --git a/util/security/instancekeys.py b/util/security/instancekeys.py
index 8afcdeba2..3be36ab77 100644
--- a/util/security/instancekeys.py
+++ b/util/security/instancekeys.py
@@ -5,75 +5,76 @@ from util.security import jwtutil
 
 
 class CachingKey(object):
-  def __init__(self, service_key):
-    self._service_key = service_key
-    self._cached_public_key = None
+    def __init__(self, service_key):
+        self._service_key = service_key
+        self._cached_public_key = None
 
-  @property
-  def public_key(self):
-    cached_key = self._cached_public_key
-    if cached_key is not None:
-      return cached_key
+    @property
+    def public_key(self):
+        cached_key = self._cached_public_key
+        if cached_key is not None:
+            return cached_key
 
-    # Convert the JWK into a public key and cache it (since the conversion can take > 200ms).
-    public_key = jwtutil.jwk_dict_to_public_key(self._service_key.jwk)
-    self._cached_public_key = public_key
-    return public_key
+        # Convert the JWK into a public key and cache it (since the conversion can take > 200ms).
+        public_key = jwtutil.jwk_dict_to_public_key(self._service_key.jwk)
+        self._cached_public_key = public_key
+        return public_key
 
 
 class InstanceKeys(object):
-  """ InstanceKeys defines a helper class for interacting with the Quay instance service keys
+    """ InstanceKeys defines a helper class for interacting with the Quay instance service keys
       used for JWT signing of registry tokens as well as requests from Quay to other services
       such as Clair. Each container will have a single registered instance key.
   """
-  def __init__(self, app):
-    self.app = app
-    self.instance_keys = ExpiresDict(self._load_instance_keys)
 
-  def clear_cache(self):
-    """ Clears the cache of instance keys. """
-    self.instance_keys = ExpiresDict(self._load_instance_keys)
+    def __init__(self, app):
+        self.app = app
+        self.instance_keys = ExpiresDict(self._load_instance_keys)
 
-  def _load_instance_keys(self):
-    # Load all the instance keys.
-    keys = {}
-    for key in model.service_keys.list_service_keys(self.service_name):
-      keys[key.kid] = ExpiresEntry(CachingKey(key), key.expiration_date)
+    def clear_cache(self):
+        """ Clears the cache of instance keys. """
+        self.instance_keys = ExpiresDict(self._load_instance_keys)
 
-    return keys
+    def _load_instance_keys(self):
+        # Load all the instance keys.
+        keys = {}
+        for key in model.service_keys.list_service_keys(self.service_name):
+            keys[key.kid] = ExpiresEntry(CachingKey(key), key.expiration_date)
 
-  @property
-  def service_name(self):
-    """ Returns the name of the instance key's service (i.e. 'quay'). """
-    return self.app.config['INSTANCE_SERVICE_KEY_SERVICE']
+        return keys
 
-  @property
-  def service_key_expiration(self):
-    """ Returns the defined expiration for instance service keys, in minutes. """
-    return self.app.config.get('INSTANCE_SERVICE_KEY_EXPIRATION', 120)
+    @property
+    def service_name(self):
+        """ Returns the name of the instance key's service (i.e. 'quay'). """
+        return self.app.config["INSTANCE_SERVICE_KEY_SERVICE"]
 
-  @property
-  @lru_cache(maxsize=1)
-  def local_key_id(self):
-    """ Returns the ID of the local instance service key. """
-    return _load_file_contents(self.app.config['INSTANCE_SERVICE_KEY_KID_LOCATION'])
+    @property
+    def service_key_expiration(self):
+        """ Returns the defined expiration for instance service keys, in minutes. """
+        return self.app.config.get("INSTANCE_SERVICE_KEY_EXPIRATION", 120)
 
-  @property
-  @lru_cache(maxsize=1)
-  def local_private_key(self):
-    """ Returns the private key of the local instance service key. """
-    return _load_file_contents(self.app.config['INSTANCE_SERVICE_KEY_LOCATION'])
+    @property
+    @lru_cache(maxsize=1)
+    def local_key_id(self):
+        """ Returns the ID of the local instance service key. """
+        return _load_file_contents(self.app.config["INSTANCE_SERVICE_KEY_KID_LOCATION"])
 
-  def get_service_key_public_key(self, kid):
-    """ Returns the public key associated with the given instance service key or None if none. """
-    caching_key = self.instance_keys.get(kid)
-    if caching_key is None:
-      return None
+    @property
+    @lru_cache(maxsize=1)
+    def local_private_key(self):
+        """ Returns the private key of the local instance service key. """
+        return _load_file_contents(self.app.config["INSTANCE_SERVICE_KEY_LOCATION"])
 
-    return caching_key.public_key
+    def get_service_key_public_key(self, kid):
+        """ Returns the public key associated with the given instance service key or None if none. """
+        caching_key = self.instance_keys.get(kid)
+        if caching_key is None:
+            return None
+
+        return caching_key.public_key
 
 
 def _load_file_contents(path):
-  """ Returns the contents of the specified file path. """
-  with open(path) as f:
-    return f.read()
+    """ Returns the contents of the specified file path. """
+    with open(path) as f:
+        return f.read()
diff --git a/util/security/jwtutil.py b/util/security/jwtutil.py
index be70aa8a1..e97a35727 100644
--- a/util/security/jwtutil.py
+++ b/util/security/jwtutil.py
@@ -4,9 +4,15 @@ from calendar import timegm
 from datetime import datetime, timedelta
 from jwt import PyJWT
 from jwt.exceptions import (
-  InvalidTokenError, DecodeError, InvalidAudienceError, ExpiredSignatureError,
-  ImmatureSignatureError, InvalidIssuedAtError, InvalidIssuerError, MissingRequiredClaimError,
-  InvalidAlgorithmError
+    InvalidTokenError,
+    DecodeError,
+    InvalidAudienceError,
+    ExpiredSignatureError,
+    ImmatureSignatureError,
+    InvalidIssuedAtError,
+    InvalidIssuerError,
+    MissingRequiredClaimError,
+    InvalidAlgorithmError,
 )
 
 from cryptography.hazmat.backends import default_backend
@@ -16,101 +22,113 @@ from jwkest.jwk import keyrep, RSAKey, ECKey
 
 
 # TOKEN_REGEX defines a regular expression for matching JWT bearer tokens.
-TOKEN_REGEX = re.compile(r'\ABearer (([a-zA-Z0-9+\-_/]+\.)+[a-zA-Z0-9+\-_/]+)\Z')
+TOKEN_REGEX = re.compile(r"\ABearer (([a-zA-Z0-9+\-_/]+\.)+[a-zA-Z0-9+\-_/]+)\Z")
 
 # ALGORITHM_WHITELIST defines a whitelist of allowed algorithms to be used in JWTs. DO NOT ADD
 # `none` here!
-ALGORITHM_WHITELIST = [
-  'rs256'
-]
+ALGORITHM_WHITELIST = ["rs256"]
+
 
 class _StrictJWT(PyJWT):
-  """ _StrictJWT defines a JWT decoder with extra checks. """
+    """ _StrictJWT defines a JWT decoder with extra checks. """
 
-  @staticmethod
-  def _get_default_options():
-    # Weird syntax to call super on a staticmethod
-    defaults = super(_StrictJWT, _StrictJWT)._get_default_options()
-    defaults.update({
-      'require_exp': True,
-      'require_iat': True,
-      'require_nbf': True,
-      'exp_max_s': None,
-    })
-    return defaults
+    @staticmethod
+    def _get_default_options():
+        # Weird syntax to call super on a staticmethod
+        defaults = super(_StrictJWT, _StrictJWT)._get_default_options()
+        defaults.update(
+            {
+                "require_exp": True,
+                "require_iat": True,
+                "require_nbf": True,
+                "exp_max_s": None,
+            }
+        )
+        return defaults
 
-  def _validate_claims(self, payload, options, audience=None, issuer=None, leeway=0, **kwargs):
-    if options.get('exp_max_s') is not None:
-      if 'verify_expiration' in kwargs and not kwargs.get('verify_expiration'):
-        raise ValueError('exp_max_s option implies verify_expiration')
+    def _validate_claims(
+        self, payload, options, audience=None, issuer=None, leeway=0, **kwargs
+    ):
+        if options.get("exp_max_s") is not None:
+            if "verify_expiration" in kwargs and not kwargs.get("verify_expiration"):
+                raise ValueError("exp_max_s option implies verify_expiration")
 
-      options['verify_exp'] = True
+            options["verify_exp"] = True
 
-    # Do all of the other checks
-    super(_StrictJWT, self)._validate_claims(payload, options, audience, issuer, leeway, **kwargs)
+        # Do all of the other checks
+        super(_StrictJWT, self)._validate_claims(
+            payload, options, audience, issuer, leeway, **kwargs
+        )
 
-    now = timegm(datetime.utcnow().utctimetuple())
-    self._reject_future_iat(payload, now, leeway)
+        now = timegm(datetime.utcnow().utctimetuple())
+        self._reject_future_iat(payload, now, leeway)
 
-    if 'exp' in payload and options.get('exp_max_s') is not None:
-      # Validate that the expiration was not more than exp_max_s seconds after the issue time
-      # or in the absence of an issue time, more than exp_max_s in the future from now
+        if "exp" in payload and options.get("exp_max_s") is not None:
+            # Validate that the expiration was not more than exp_max_s seconds after the issue time
+            # or in the absence of an issue time, more than exp_max_s in the future from now
 
-      # This will work because the parent method already checked the type of exp
-      expiration = datetime.utcfromtimestamp(int(payload['exp']))
-      max_signed_s = options.get('exp_max_s')
+            # This will work because the parent method already checked the type of exp
+            expiration = datetime.utcfromtimestamp(int(payload["exp"]))
+            max_signed_s = options.get("exp_max_s")
 
-      start_time = datetime.utcnow()
-      if 'iat' in payload:
-        start_time = datetime.utcfromtimestamp(int(payload['iat']))
+            start_time = datetime.utcnow()
+            if "iat" in payload:
+                start_time = datetime.utcfromtimestamp(int(payload["iat"]))
 
-      if expiration > start_time + timedelta(seconds=max_signed_s):
-        raise InvalidTokenError('Token was signed for more than %s seconds from %s', max_signed_s,
-                                start_time)
+            if expiration > start_time + timedelta(seconds=max_signed_s):
+                raise InvalidTokenError(
+                    "Token was signed for more than %s seconds from %s",
+                    max_signed_s,
+                    start_time,
+                )
 
-  def _reject_future_iat(self, payload, now, leeway):
-    try:
-      iat = int(payload['iat'])
-    except ValueError:
-      raise DecodeError('Issued At claim (iat) must be an integer.')
+    def _reject_future_iat(self, payload, now, leeway):
+        try:
+            iat = int(payload["iat"])
+        except ValueError:
+            raise DecodeError("Issued At claim (iat) must be an integer.")
 
-    if iat > (now + leeway):
-      raise InvalidIssuedAtError('Issued At claim (iat) cannot be in'
-                                 ' the future.')
+        if iat > (now + leeway):
+            raise InvalidIssuedAtError(
+                "Issued At claim (iat) cannot be in" " the future."
+            )
 
 
-def decode(jwt, key='', verify=True, algorithms=None, options=None,
-           **kwargs):
-  """ Decodes a JWT. """
-  if not algorithms:
-    raise InvalidAlgorithmError('algorithms must be specified')
+def decode(jwt, key="", verify=True, algorithms=None, options=None, **kwargs):
+    """ Decodes a JWT. """
+    if not algorithms:
+        raise InvalidAlgorithmError("algorithms must be specified")
 
-  normalized = set([a.lower() for a in algorithms])
-  if 'none' in normalized:
-    raise InvalidAlgorithmError('`none` algorithm is not allowed')
+    normalized = set([a.lower() for a in algorithms])
+    if "none" in normalized:
+        raise InvalidAlgorithmError("`none` algorithm is not allowed")
 
-  if set(normalized).intersection(set(ALGORITHM_WHITELIST)) != set(normalized):
-    raise InvalidAlgorithmError('Algorithms `%s` are not whitelisted. Allowed: %s' %
-                                (algorithms, ALGORITHM_WHITELIST))
+    if set(normalized).intersection(set(ALGORITHM_WHITELIST)) != set(normalized):
+        raise InvalidAlgorithmError(
+            "Algorithms `%s` are not whitelisted. Allowed: %s"
+            % (algorithms, ALGORITHM_WHITELIST)
+        )
 
-  return _StrictJWT().decode(jwt, key, verify, algorithms, options, **kwargs)
+    return _StrictJWT().decode(jwt, key, verify, algorithms, options, **kwargs)
 
 
 def exp_max_s_option(max_exp_s):
-  """ Returns an options dictionary that sets the maximum expiration seconds for a JWT. """
-  return {
-    'exp_max_s': max_exp_s,
-  }
+    """ Returns an options dictionary that sets the maximum expiration seconds for a JWT. """
+    return {"exp_max_s": max_exp_s}
 
 
 def jwk_dict_to_public_key(jwk):
-  """ Converts the specified JWK into a public key. """
-  jwkest_key = keyrep(jwk)
-  if isinstance(jwkest_key, RSAKey):
-    pycrypto_key = jwkest_key.key
-    return RSAPublicNumbers(e=pycrypto_key.e, n=pycrypto_key.n).public_key(default_backend())
-  elif isinstance(jwkest_key, ECKey):
-    x, y = jwkest_key.get_key()
-    return EllipticCurvePublicNumbers(x, y, jwkest_key.curve).public_key(default_backend())
+    """ Converts the specified JWK into a public key. """
+    jwkest_key = keyrep(jwk)
+    if isinstance(jwkest_key, RSAKey):
+        pycrypto_key = jwkest_key.key
+        return RSAPublicNumbers(e=pycrypto_key.e, n=pycrypto_key.n).public_key(
+            default_backend()
+        )
+    elif isinstance(jwkest_key, ECKey):
+        x, y = jwkest_key.get_key()
+        return EllipticCurvePublicNumbers(x, y, jwkest_key.curve).public_key(
+            default_backend()
+        )
 
-  raise Exception('Unsupported kind of JWK: %s', str(type(jwkest_key)))
+    raise Exception("Unsupported kind of JWK: %s", str(type(jwkest_key)))
diff --git a/util/security/registry_jwt.py b/util/security/registry_jwt.py
index 6a56c344b..3d22716e0 100644
--- a/util/security/registry_jwt.py
+++ b/util/security/registry_jwt.py
@@ -6,13 +6,13 @@ from util.security import jwtutil
 
 logger = logging.getLogger(__name__)
 
-ANONYMOUS_SUB = '(anonymous)'
-ALGORITHM = 'RS256'
-CLAIM_TUF_ROOTS = 'com.apostille.roots'
-CLAIM_TUF_ROOT = 'com.apostille.root'
-QUAY_TUF_ROOT = 'quay'
-SIGNER_TUF_ROOT = 'signer'
-DISABLED_TUF_ROOT = '$disabled'
+ANONYMOUS_SUB = "(anonymous)"
+ALGORITHM = "RS256"
+CLAIM_TUF_ROOTS = "com.apostille.roots"
+CLAIM_TUF_ROOT = "com.apostille.root"
+QUAY_TUF_ROOT = "quay"
+SIGNER_TUF_ROOT = "signer"
+DISABLED_TUF_ROOT = "$disabled"
 
 # The number of allowed seconds of clock skew for a JWT. The iat, nbf and exp are adjusted with this
 # count.
@@ -20,115 +20,138 @@ JWT_CLOCK_SKEW_SECONDS = 30
 
 
 class InvalidBearerTokenException(Exception):
-  pass
+    pass
 
 
 def decode_bearer_header(bearer_header, instance_keys, config, metric_queue=None):
-  """ decode_bearer_header decodes the given bearer header that contains an encoded JWT with both
+    """ decode_bearer_header decodes the given bearer header that contains an encoded JWT with both
       a Key ID as well as the signed JWT and returns the decoded and validated JWT. On any error,
       raises an InvalidBearerTokenException with the reason for failure.
   """
-  # Extract the jwt token from the header
-  match = jwtutil.TOKEN_REGEX.match(bearer_header)
-  if match is None:
-    raise InvalidBearerTokenException('Invalid bearer token format')
+    # Extract the jwt token from the header
+    match = jwtutil.TOKEN_REGEX.match(bearer_header)
+    if match is None:
+        raise InvalidBearerTokenException("Invalid bearer token format")
 
-  encoded_jwt = match.group(1)
-  logger.debug('encoded JWT: %s', encoded_jwt)
-  return decode_bearer_token(encoded_jwt, instance_keys, config, metric_queue=metric_queue)
+    encoded_jwt = match.group(1)
+    logger.debug("encoded JWT: %s", encoded_jwt)
+    return decode_bearer_token(
+        encoded_jwt, instance_keys, config, metric_queue=metric_queue
+    )
 
 
 def decode_bearer_token(bearer_token, instance_keys, config, metric_queue=None):
-  """ decode_bearer_token decodes the given bearer token that contains both a Key ID as well as the
+    """ decode_bearer_token decodes the given bearer token that contains both a Key ID as well as the
       encoded JWT and returns the decoded and validated JWT. On any error, raises an
       InvalidBearerTokenException with the reason for failure.
   """
-  # Decode the key ID.
-  try:
-    headers = jwt.get_unverified_header(bearer_token)
-  except jwtutil.InvalidTokenError as ite:
-    logger.exception('Invalid token reason: %s', ite)
-    raise InvalidBearerTokenException(ite)
+    # Decode the key ID.
+    try:
+        headers = jwt.get_unverified_header(bearer_token)
+    except jwtutil.InvalidTokenError as ite:
+        logger.exception("Invalid token reason: %s", ite)
+        raise InvalidBearerTokenException(ite)
 
-  kid = headers.get('kid', None)
-  if kid is None:
-    logger.error('Missing kid header on encoded JWT: %s', bearer_token)
-    raise InvalidBearerTokenException('Missing kid header')
+    kid = headers.get("kid", None)
+    if kid is None:
+        logger.error("Missing kid header on encoded JWT: %s", bearer_token)
+        raise InvalidBearerTokenException("Missing kid header")
 
-  # Find the matching public key.
-  public_key = instance_keys.get_service_key_public_key(kid)
-  if public_key is None:
-    if metric_queue is not None:
-      metric_queue.invalid_instance_key_count.Inc(labelvalues=[kid])
+    # Find the matching public key.
+    public_key = instance_keys.get_service_key_public_key(kid)
+    if public_key is None:
+        if metric_queue is not None:
+            metric_queue.invalid_instance_key_count.Inc(labelvalues=[kid])
 
-    logger.error('Could not find requested service key %s with encoded JWT: %s', kid, bearer_token)
-    raise InvalidBearerTokenException('Unknown service key')
+        logger.error(
+            "Could not find requested service key %s with encoded JWT: %s",
+            kid,
+            bearer_token,
+        )
+        raise InvalidBearerTokenException("Unknown service key")
 
-  # Load the JWT returned.
-  try:
-    expected_issuer = instance_keys.service_name
-    audience = config['SERVER_HOSTNAME']
-    max_signed_s = config.get('REGISTRY_JWT_AUTH_MAX_FRESH_S', 3660)
-    max_exp = jwtutil.exp_max_s_option(max_signed_s)
-    payload = jwtutil.decode(bearer_token, public_key, algorithms=[ALGORITHM], audience=audience,
-                             issuer=expected_issuer, options=max_exp, leeway=JWT_CLOCK_SKEW_SECONDS)
-  except jwtutil.InvalidTokenError as ite:
-    logger.exception('Invalid token reason: %s', ite)
-    raise InvalidBearerTokenException(ite)
+    # Load the JWT returned.
+    try:
+        expected_issuer = instance_keys.service_name
+        audience = config["SERVER_HOSTNAME"]
+        max_signed_s = config.get("REGISTRY_JWT_AUTH_MAX_FRESH_S", 3660)
+        max_exp = jwtutil.exp_max_s_option(max_signed_s)
+        payload = jwtutil.decode(
+            bearer_token,
+            public_key,
+            algorithms=[ALGORITHM],
+            audience=audience,
+            issuer=expected_issuer,
+            options=max_exp,
+            leeway=JWT_CLOCK_SKEW_SECONDS,
+        )
+    except jwtutil.InvalidTokenError as ite:
+        logger.exception("Invalid token reason: %s", ite)
+        raise InvalidBearerTokenException(ite)
 
-  if not 'sub' in payload:
-    raise InvalidBearerTokenException('Missing sub field in JWT')
+    if not "sub" in payload:
+        raise InvalidBearerTokenException("Missing sub field in JWT")
 
-  return payload
+    return payload
 
 
-def generate_bearer_token(audience, subject, context, access, lifetime_s, instance_keys):
-  """ Generates a registry bearer token (without the 'Bearer ' portion) based on the given
+def generate_bearer_token(
+    audience, subject, context, access, lifetime_s, instance_keys
+):
+    """ Generates a registry bearer token (without the 'Bearer ' portion) based on the given
       information.
   """
-  return _generate_jwt_object(audience, subject, context, access, lifetime_s,
-                              instance_keys.service_name, instance_keys.local_key_id,
-                              instance_keys.local_private_key)
+    return _generate_jwt_object(
+        audience,
+        subject,
+        context,
+        access,
+        lifetime_s,
+        instance_keys.service_name,
+        instance_keys.local_key_id,
+        instance_keys.local_private_key,
+    )
 
 
-def _generate_jwt_object(audience, subject, context, access, lifetime_s, issuer, key_id,
-                         private_key):
-  """ Generates a compact encoded JWT with the values specified. """
-  token_data = {
-    'iss': issuer,
-    'aud': audience,
-    'nbf': int(time.time()),
-    'iat': int(time.time()),
-    'exp': int(time.time() + lifetime_s),
-    'sub': subject,
-    'access': access,
-    'context': context,
-  }
+def _generate_jwt_object(
+    audience, subject, context, access, lifetime_s, issuer, key_id, private_key
+):
+    """ Generates a compact encoded JWT with the values specified. """
+    token_data = {
+        "iss": issuer,
+        "aud": audience,
+        "nbf": int(time.time()),
+        "iat": int(time.time()),
+        "exp": int(time.time() + lifetime_s),
+        "sub": subject,
+        "access": access,
+        "context": context,
+    }
 
-  token_headers = {
-    'kid': key_id,
-  }
+    token_headers = {"kid": key_id}
 
-  return jwt.encode(token_data, private_key, ALGORITHM, headers=token_headers)
+    return jwt.encode(token_data, private_key, ALGORITHM, headers=token_headers)
 
 
 def build_context_and_subject(auth_context=None, tuf_roots=None):
-  """ Builds the custom context field for the JWT signed token and returns it,
+    """ Builds the custom context field for the JWT signed token and returns it,
       along with the subject for the JWT signed token. """
-  # Serialize to a dictionary.
-  context = auth_context.to_signed_dict() if auth_context else {}
+    # Serialize to a dictionary.
+    context = auth_context.to_signed_dict() if auth_context else {}
 
-  # TODO: remove once Apostille has been upgraded to not use the single root.
-  single_root = (tuf_roots.values()[0]
-                 if tuf_roots is not None and len(tuf_roots) == 1
-                 else DISABLED_TUF_ROOT)
+    # TODO: remove once Apostille has been upgraded to not use the single root.
+    single_root = (
+        tuf_roots.values()[0]
+        if tuf_roots is not None and len(tuf_roots) == 1
+        else DISABLED_TUF_ROOT
+    )
 
-  context.update({
-    CLAIM_TUF_ROOTS: tuf_roots,
-    CLAIM_TUF_ROOT: single_root,
-  })
+    context.update({CLAIM_TUF_ROOTS: tuf_roots, CLAIM_TUF_ROOT: single_root})
 
-  if not auth_context or auth_context.is_anonymous:
-    return (context, ANONYMOUS_SUB)
+    if not auth_context or auth_context.is_anonymous:
+        return (context, ANONYMOUS_SUB)
 
-  return (context, auth_context.authed_user.username if auth_context.authed_user else None)
+    return (
+        context,
+        auth_context.authed_user.username if auth_context.authed_user else None,
+    )
diff --git a/util/security/secret.py b/util/security/secret.py
index 24e84ef6e..9a23e4bf7 100644
--- a/util/security/secret.py
+++ b/util/security/secret.py
@@ -1,28 +1,29 @@
 import itertools
 import uuid
 
+
 def convert_secret_key(config_secret_key):
-  """ Converts the secret key from the app config into a secret key that is usable by AES
+    """ Converts the secret key from the app config into a secret key that is usable by AES
       Cipher. """
-  secret_key = None
+    secret_key = None
 
-  # First try parsing the key as an int.
-  try:
-    big_int = int(config_secret_key)
-    secret_key = str(bytearray.fromhex('{:02x}'.format(big_int)))
-  except ValueError:
-    pass
-
-  # Next try parsing it as an UUID.
-  if secret_key is None:
+    # First try parsing the key as an int.
     try:
-      secret_key = uuid.UUID(config_secret_key).bytes
+        big_int = int(config_secret_key)
+        secret_key = str(bytearray.fromhex("{:02x}".format(big_int)))
     except ValueError:
-      pass
+        pass
 
-  if secret_key is None:
-    secret_key = str(bytearray(map(ord, config_secret_key)))
+    # Next try parsing it as an UUID.
+    if secret_key is None:
+        try:
+            secret_key = uuid.UUID(config_secret_key).bytes
+        except ValueError:
+            pass
 
-  # Otherwise, use the bytes directly.
-  assert len(secret_key)
-  return ''.join(itertools.islice(itertools.cycle(secret_key), 32))
+    if secret_key is None:
+        secret_key = str(bytearray(map(ord, config_secret_key)))
+
+    # Otherwise, use the bytes directly.
+    assert len(secret_key)
+    return "".join(itertools.islice(itertools.cycle(secret_key), 32))
diff --git a/util/security/signing.py b/util/security/signing.py
index 211037c1a..fb5a5ac30 100644
--- a/util/security/signing.py
+++ b/util/security/signing.py
@@ -7,76 +7,80 @@ logger = logging.getLogger(__name__)
 
 from StringIO import StringIO
 
+
 class GPG2Signer(object):
-  """ Helper class for signing data using GPG2. """
-  def __init__(self, config, config_provider):
-    if not config.get('GPG2_PRIVATE_KEY_NAME'):
-      raise Exception('Missing configuration key GPG2_PRIVATE_KEY_NAME')
+    """ Helper class for signing data using GPG2. """
 
-    if not config.get('GPG2_PRIVATE_KEY_FILENAME'):
-      raise Exception('Missing configuration key GPG2_PRIVATE_KEY_FILENAME')
+    def __init__(self, config, config_provider):
+        if not config.get("GPG2_PRIVATE_KEY_NAME"):
+            raise Exception("Missing configuration key GPG2_PRIVATE_KEY_NAME")
 
-    if not config.get('GPG2_PUBLIC_KEY_FILENAME'):
-      raise Exception('Missing configuration key GPG2_PUBLIC_KEY_FILENAME')
+        if not config.get("GPG2_PRIVATE_KEY_FILENAME"):
+            raise Exception("Missing configuration key GPG2_PRIVATE_KEY_FILENAME")
 
-    self._ctx = gpgme.Context()
-    self._ctx.armor = True
-    self._private_key_name = config['GPG2_PRIVATE_KEY_NAME']
-    self._public_key_filename = config['GPG2_PUBLIC_KEY_FILENAME']
-    self._config_provider = config_provider
+        if not config.get("GPG2_PUBLIC_KEY_FILENAME"):
+            raise Exception("Missing configuration key GPG2_PUBLIC_KEY_FILENAME")
 
-    if not config_provider.volume_file_exists(config['GPG2_PRIVATE_KEY_FILENAME']):
-      raise Exception('Missing key file %s' % config['GPG2_PRIVATE_KEY_FILENAME'])
+        self._ctx = gpgme.Context()
+        self._ctx.armor = True
+        self._private_key_name = config["GPG2_PRIVATE_KEY_NAME"]
+        self._public_key_filename = config["GPG2_PUBLIC_KEY_FILENAME"]
+        self._config_provider = config_provider
 
-    with config_provider.get_volume_file(config['GPG2_PRIVATE_KEY_FILENAME'], mode='rb') as fp:
-      self._ctx.import_(fp)
+        if not config_provider.volume_file_exists(config["GPG2_PRIVATE_KEY_FILENAME"]):
+            raise Exception("Missing key file %s" % config["GPG2_PRIVATE_KEY_FILENAME"])
 
-  @property
-  def name(self):
-    return 'gpg2'
+        with config_provider.get_volume_file(
+            config["GPG2_PRIVATE_KEY_FILENAME"], mode="rb"
+        ) as fp:
+            self._ctx.import_(fp)
 
-  def open_public_key_file(self):
-    return self._config_provider.get_volume_file(self._public_key_filename, mode='rb')
+    @property
+    def name(self):
+        return "gpg2"
 
-  def detached_sign(self, stream):
-    """ Signs the given stream, returning the signature. """
-    ctx = self._ctx
-    try:
-      ctx.signers = [ctx.get_key(self._private_key_name)]
-    except:
-      raise Exception('Invalid private key name')
+    def open_public_key_file(self):
+        return self._config_provider.get_volume_file(
+            self._public_key_filename, mode="rb"
+        )
 
-    signature = StringIO()
-    new_sigs = ctx.sign(stream, signature, gpgme.SIG_MODE_DETACH)
-    signature.seek(0)
-    return signature.getvalue()
+    def detached_sign(self, stream):
+        """ Signs the given stream, returning the signature. """
+        ctx = self._ctx
+        try:
+            ctx.signers = [ctx.get_key(self._private_key_name)]
+        except:
+            raise Exception("Invalid private key name")
+
+        signature = StringIO()
+        new_sigs = ctx.sign(stream, signature, gpgme.SIG_MODE_DETACH)
+        signature.seek(0)
+        return signature.getvalue()
 
 
 class Signer(object):
-  def __init__(self, app=None, config_provider=None):
-    self.app = app
-    if app is not None:
-      self.state = self.init_app(app, config_provider)
-    else:
-      self.state = None
+    def __init__(self, app=None, config_provider=None):
+        self.app = app
+        if app is not None:
+            self.state = self.init_app(app, config_provider)
+        else:
+            self.state = None
 
-  def init_app(self, app, config_provider):
-    preference = app.config.get('SIGNING_ENGINE', None)
-    if preference is None:
-      return None
+    def init_app(self, app, config_provider):
+        preference = app.config.get("SIGNING_ENGINE", None)
+        if preference is None:
+            return None
 
-    if not features.ACI_CONVERSION:
-      return None
+        if not features.ACI_CONVERSION:
+            return None
 
-    try:
-      return SIGNING_ENGINES[preference](app.config, config_provider)
-    except:
-      logger.exception('Could not initialize signing engine')
+        try:
+            return SIGNING_ENGINES[preference](app.config, config_provider)
+        except:
+            logger.exception("Could not initialize signing engine")
 
-  def __getattr__(self, name):
-    return getattr(self.state, name, None)
+    def __getattr__(self, name):
+        return getattr(self.state, name, None)
 
 
-SIGNING_ENGINES = {
-  'gpg2': GPG2Signer
-}
\ No newline at end of file
+SIGNING_ENGINES = {"gpg2": GPG2Signer}
diff --git a/util/security/ssh.py b/util/security/ssh.py
index 6bdbca20a..d227dd8e9 100644
--- a/util/security/ssh.py
+++ b/util/security/ssh.py
@@ -2,11 +2,12 @@ from __future__ import absolute_import
 
 from Crypto.PublicKey import RSA
 
+
 def generate_ssh_keypair():
-  """
+    """
   Generates a new 2048 bit RSA public key in OpenSSH format and private key in PEM format.
   """
-  key = RSA.generate(2048)
-  public_key = key.publickey().exportKey('OpenSSH')
-  private_key = key.exportKey('PEM')
-  return (public_key, private_key)
+    key = RSA.generate(2048)
+    public_key = key.publickey().exportKey("OpenSSH")
+    private_key = key.exportKey("PEM")
+    return (public_key, private_key)
diff --git a/util/security/ssl.py b/util/security/ssl.py
index dd251c001..63c87c58a 100644
--- a/util/security/ssl.py
+++ b/util/security/ssl.py
@@ -2,80 +2,88 @@ from fnmatch import fnmatch
 
 import OpenSSL
 
+
 class CertInvalidException(Exception):
-  """ Exception raised when a certificate could not be parsed/loaded. """
-  pass
+    """ Exception raised when a certificate could not be parsed/loaded. """
+
+    pass
+
 
 class KeyInvalidException(Exception):
-  """ Exception raised when a key could not be parsed/loaded or successfully applied to a cert. """
-  pass
+    """ Exception raised when a key could not be parsed/loaded or successfully applied to a cert. """
+
+    pass
 
 
 def load_certificate(cert_contents):
-  """ Loads the certificate from the given contents and returns it or raises a CertInvalidException
+    """ Loads the certificate from the given contents and returns it or raises a CertInvalidException
       on failure.
   """
-  try:
-    cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, cert_contents)
-    return SSLCertificate(cert)
-  except OpenSSL.crypto.Error as ex:
-    raise CertInvalidException(ex.args[0][0][2])
+    try:
+        cert = OpenSSL.crypto.load_certificate(
+            OpenSSL.crypto.FILETYPE_PEM, cert_contents
+        )
+        return SSLCertificate(cert)
+    except OpenSSL.crypto.Error as ex:
+        raise CertInvalidException(ex.args[0][0][2])
 
 
-_SUBJECT_ALT_NAME = 'subjectAltName'
+_SUBJECT_ALT_NAME = "subjectAltName"
+
 
 class SSLCertificate(object):
-  """ Helper class for easier working with SSL certificates. """
-  def __init__(self, openssl_cert):
-    self.openssl_cert = openssl_cert
+    """ Helper class for easier working with SSL certificates. """
 
-  def validate_private_key(self, private_key_path):
-    """ Validates that the private key found at the given file path applies to this certificate.
+    def __init__(self, openssl_cert):
+        self.openssl_cert = openssl_cert
+
+    def validate_private_key(self, private_key_path):
+        """ Validates that the private key found at the given file path applies to this certificate.
         Raises a KeyInvalidException on failure.
     """
-    context = OpenSSL.SSL.Context(OpenSSL.SSL.TLSv1_METHOD)
-    context.use_certificate(self.openssl_cert)
+        context = OpenSSL.SSL.Context(OpenSSL.SSL.TLSv1_METHOD)
+        context.use_certificate(self.openssl_cert)
 
-    try:
-      context.use_privatekey_file(private_key_path)
-      context.check_privatekey()
-    except OpenSSL.SSL.Error as ex:
-      raise KeyInvalidException(ex.args[0][0][2])
+        try:
+            context.use_privatekey_file(private_key_path)
+            context.check_privatekey()
+        except OpenSSL.SSL.Error as ex:
+            raise KeyInvalidException(ex.args[0][0][2])
 
-  def matches_name(self, check_name):
-    """ Returns true if this SSL certificate matches the given DNS hostname. """
-    for dns_name in self.names:
-      if fnmatch(check_name, dns_name):
-        return True
+    def matches_name(self, check_name):
+        """ Returns true if this SSL certificate matches the given DNS hostname. """
+        for dns_name in self.names:
+            if fnmatch(check_name, dns_name):
+                return True
 
-    return False
+        return False
 
-  @property
-  def expired(self):
-    """ Returns whether the SSL certificate has expired. """
-    return self.openssl_cert.has_expired()
+    @property
+    def expired(self):
+        """ Returns whether the SSL certificate has expired. """
+        return self.openssl_cert.has_expired()
 
-  @property
-  def common_name(self):
-    """ Returns the defined common name for the certificate, if any. """
-    return self.openssl_cert.get_subject().commonName
+    @property
+    def common_name(self):
+        """ Returns the defined common name for the certificate, if any. """
+        return self.openssl_cert.get_subject().commonName
 
-  @property
-  def names(self):
-    """ Returns all the DNS named to which the certificate applies. May be empty. """
-    dns_names = set()
-    common_name = self.common_name
-    if common_name is not None:
-      dns_names.add(common_name)
+    @property
+    def names(self):
+        """ Returns all the DNS named to which the certificate applies. May be empty. """
+        dns_names = set()
+        common_name = self.common_name
+        if common_name is not None:
+            dns_names.add(common_name)
 
-    # Find the DNS extension, if any.
-    for i in range(0, self.openssl_cert.get_extension_count()):
-      ext = self.openssl_cert.get_extension(i)
-      if ext.get_short_name() == _SUBJECT_ALT_NAME:
-        value = str(ext)
-        for san_name in value.split(','):
-          san_name_trimmed = san_name.strip()
-          if san_name_trimmed.startswith('DNS:'):
-            dns_names.add(san_name_trimmed[4:])
+        # Find the DNS extension, if any.
+        for i in range(0, self.openssl_cert.get_extension_count()):
+            ext = self.openssl_cert.get_extension(i)
+            if ext.get_short_name() == _SUBJECT_ALT_NAME:
+                value = str(ext)
+                for san_name in value.split(","):
+                    san_name_trimmed = san_name.strip()
+                    if san_name_trimmed.startswith("DNS:"):
+                        dns_names.add(san_name_trimmed[4:])
 
-    return dns_names
+        return dns_names
diff --git a/util/security/test/test_jwtutil.py b/util/security/test/test_jwtutil.py
index f00785cf7..b110c0bce 100644
--- a/util/security/test/test_jwtutil.py
+++ b/util/security/test/test_jwtutil.py
@@ -6,114 +6,221 @@ import jwt
 from Crypto.PublicKey import RSA
 from jwkest.jwk import RSAKey
 
-from util.security.jwtutil import (decode, exp_max_s_option, jwk_dict_to_public_key,
-                                   InvalidTokenError, InvalidAlgorithmError)
+from util.security.jwtutil import (
+    decode,
+    exp_max_s_option,
+    jwk_dict_to_public_key,
+    InvalidTokenError,
+    InvalidAlgorithmError,
+)
 
 
 @pytest.fixture(scope="session")
 def private_key():
-  return RSA.generate(2048)
+    return RSA.generate(2048)
 
 
 @pytest.fixture(scope="session")
 def private_key_pem(private_key):
-  return private_key.exportKey('PEM')
+    return private_key.exportKey("PEM")
 
 
 @pytest.fixture(scope="session")
 def public_key(private_key):
-  return private_key.publickey().exportKey('PEM')
+    return private_key.publickey().exportKey("PEM")
 
 
 def _token_data(audience, subject, iss, iat=None, exp=None, nbf=None):
-  return {
-    'iss': iss,
-    'aud': audience,
-    'nbf': nbf() if nbf is not None else int(time.time()),
-    'iat': iat() if iat is not None else int(time.time()),
-    'exp': exp() if exp is not None else int(time.time() + 3600),
-    'sub': subject,
-  }
+    return {
+        "iss": iss,
+        "aud": audience,
+        "nbf": nbf() if nbf is not None else int(time.time()),
+        "iat": iat() if iat is not None else int(time.time()),
+        "exp": exp() if exp is not None else int(time.time() + 3600),
+        "sub": subject,
+    }
 
 
-@pytest.mark.parametrize('aud, iss, nbf, iat, exp, expected_exception', [
-  pytest.param('invalidaudience', 'someissuer', None, None, None, 'Invalid audience',
-               id='invalid audience'),
-  pytest.param('someaudience', 'invalidissuer', None, None, None, 'Invalid issuer',
-               id='invalid issuer'),
-  pytest.param('someaudience', 'someissuer', lambda: time.time() + 120, None, None,
-               'The token is not yet valid',
-               id='invalid not before'),
-  pytest.param('someaudience', 'someissuer', None, lambda: time.time() + 120, None,
-               'Issued At claim',
-               id='issued at in future'),
-  pytest.param('someaudience', 'someissuer', None, None, lambda: time.time() - 100,
-               'Signature has expired',
-               id='already expired'),
-  pytest.param('someaudience', 'someissuer', None, None, lambda: time.time() + 10000,
-               'Token was signed for more than',
-               id='expiration too far in future'),
+@pytest.mark.parametrize(
+    "aud, iss, nbf, iat, exp, expected_exception",
+    [
+        pytest.param(
+            "invalidaudience",
+            "someissuer",
+            None,
+            None,
+            None,
+            "Invalid audience",
+            id="invalid audience",
+        ),
+        pytest.param(
+            "someaudience",
+            "invalidissuer",
+            None,
+            None,
+            None,
+            "Invalid issuer",
+            id="invalid issuer",
+        ),
+        pytest.param(
+            "someaudience",
+            "someissuer",
+            lambda: time.time() + 120,
+            None,
+            None,
+            "The token is not yet valid",
+            id="invalid not before",
+        ),
+        pytest.param(
+            "someaudience",
+            "someissuer",
+            None,
+            lambda: time.time() + 120,
+            None,
+            "Issued At claim",
+            id="issued at in future",
+        ),
+        pytest.param(
+            "someaudience",
+            "someissuer",
+            None,
+            None,
+            lambda: time.time() - 100,
+            "Signature has expired",
+            id="already expired",
+        ),
+        pytest.param(
+            "someaudience",
+            "someissuer",
+            None,
+            None,
+            lambda: time.time() + 10000,
+            "Token was signed for more than",
+            id="expiration too far in future",
+        ),
+        pytest.param(
+            "someaudience",
+            "someissuer",
+            lambda: time.time() + 10,
+            None,
+            None,
+            None,
+            id="not before in future by within leeway",
+        ),
+        pytest.param(
+            "someaudience",
+            "someissuer",
+            None,
+            lambda: time.time() + 10,
+            None,
+            None,
+            id="issued at in future but within leeway",
+        ),
+        pytest.param(
+            "someaudience",
+            "someissuer",
+            None,
+            None,
+            lambda: time.time() - 10,
+            None,
+            id="expiration in past but within leeway",
+        ),
+    ],
+)
+def test_decode_jwt_validation(
+    aud, iss, nbf, iat, exp, expected_exception, private_key_pem, public_key
+):
+    token = jwt.encode(
+        _token_data(aud, "subject", iss, iat, exp, nbf), private_key_pem, "RS256"
+    )
 
-  pytest.param('someaudience', 'someissuer', lambda: time.time() + 10, None, None,
-               None,
-               id='not before in future by within leeway'),
-  pytest.param('someaudience', 'someissuer', None, lambda: time.time() + 10, None,
-               None,
-               id='issued at in future but within leeway'),
-  pytest.param('someaudience', 'someissuer', None, None, lambda: time.time() - 10,
-               None,
-               id='expiration in past but within leeway'),
-])
-def test_decode_jwt_validation(aud, iss, nbf, iat, exp, expected_exception, private_key_pem,
-                               public_key):
-  token = jwt.encode(_token_data(aud, 'subject', iss, iat, exp, nbf), private_key_pem, 'RS256')
-
-  if expected_exception is not None:
-    with pytest.raises(InvalidTokenError) as ite:
-      max_exp = exp_max_s_option(3600)
-      decode(token, public_key, algorithms=['RS256'], audience='someaudience',
-             issuer='someissuer', options=max_exp, leeway=60)
-    assert ite.match(expected_exception)
-  else:
-    max_exp = exp_max_s_option(3600)
-    decode(token, public_key, algorithms=['RS256'], audience='someaudience',
-           issuer='someissuer', options=max_exp, leeway=60)
+    if expected_exception is not None:
+        with pytest.raises(InvalidTokenError) as ite:
+            max_exp = exp_max_s_option(3600)
+            decode(
+                token,
+                public_key,
+                algorithms=["RS256"],
+                audience="someaudience",
+                issuer="someissuer",
+                options=max_exp,
+                leeway=60,
+            )
+        assert ite.match(expected_exception)
+    else:
+        max_exp = exp_max_s_option(3600)
+        decode(
+            token,
+            public_key,
+            algorithms=["RS256"],
+            audience="someaudience",
+            issuer="someissuer",
+            options=max_exp,
+            leeway=60,
+        )
 
 
 def test_decode_jwt_invalid_key(private_key_pem):
-  # Encode with the test private key.
-  token = jwt.encode(_token_data('aud', 'subject', 'someissuer'), private_key_pem, 'RS256')
+    # Encode with the test private key.
+    token = jwt.encode(
+        _token_data("aud", "subject", "someissuer"), private_key_pem, "RS256"
+    )
 
-  # Try to decode with a different public key.
-  another_public_key = RSA.generate(2048).publickey().exportKey('PEM')
-  with pytest.raises(InvalidTokenError) as ite:
-    max_exp = exp_max_s_option(3600)
-    decode(token, another_public_key, algorithms=['RS256'], audience='aud',
-           issuer='someissuer', options=max_exp, leeway=60)
-  assert ite.match('Signature verification failed')
+    # Try to decode with a different public key.
+    another_public_key = RSA.generate(2048).publickey().exportKey("PEM")
+    with pytest.raises(InvalidTokenError) as ite:
+        max_exp = exp_max_s_option(3600)
+        decode(
+            token,
+            another_public_key,
+            algorithms=["RS256"],
+            audience="aud",
+            issuer="someissuer",
+            options=max_exp,
+            leeway=60,
+        )
+    assert ite.match("Signature verification failed")
 
 
 def test_decode_jwt_invalid_algorithm(private_key_pem, public_key):
-  # Encode with the test private key.
-  token = jwt.encode(_token_data('aud', 'subject', 'someissuer'), private_key_pem, 'RS256')
+    # Encode with the test private key.
+    token = jwt.encode(
+        _token_data("aud", "subject", "someissuer"), private_key_pem, "RS256"
+    )
 
-  # Attempt to decode but only with a different algorithm than that used.
-  with pytest.raises(InvalidAlgorithmError) as ite:
-    max_exp = exp_max_s_option(3600)
-    decode(token, public_key, algorithms=['ES256'], audience='aud',
-           issuer='someissuer', options=max_exp, leeway=60)
-  assert ite.match('are not whitelisted')
+    # Attempt to decode but only with a different algorithm than that used.
+    with pytest.raises(InvalidAlgorithmError) as ite:
+        max_exp = exp_max_s_option(3600)
+        decode(
+            token,
+            public_key,
+            algorithms=["ES256"],
+            audience="aud",
+            issuer="someissuer",
+            options=max_exp,
+            leeway=60,
+        )
+    assert ite.match("are not whitelisted")
 
 
 def test_jwk_dict_to_public_key(private_key, private_key_pem):
-  public_key = private_key.publickey()
-  jwk = RSAKey(key=private_key.publickey()).serialize()
-  converted = jwk_dict_to_public_key(jwk)
+    public_key = private_key.publickey()
+    jwk = RSAKey(key=private_key.publickey()).serialize()
+    converted = jwk_dict_to_public_key(jwk)
 
-  # Encode with the test private key.
-  token = jwt.encode(_token_data('aud', 'subject', 'someissuer'), private_key_pem, 'RS256')
+    # Encode with the test private key.
+    token = jwt.encode(
+        _token_data("aud", "subject", "someissuer"), private_key_pem, "RS256"
+    )
 
-  # Decode with the converted key.
-  max_exp = exp_max_s_option(3600)
-  decode(token, converted, algorithms=['RS256'], audience='aud',
-         issuer='someissuer', options=max_exp, leeway=60)
+    # Decode with the converted key.
+    max_exp = exp_max_s_option(3600)
+    decode(
+        token,
+        converted,
+        algorithms=["RS256"],
+        audience="aud",
+        issuer="someissuer",
+        options=max_exp,
+        leeway=60,
+    )
diff --git a/util/security/test/test_ssl_util.py b/util/security/test/test_ssl_util.py
index d38de483d..faf474dd9 100644
--- a/util/security/test/test_ssl_util.py
+++ b/util/security/test/test_ssl_util.py
@@ -4,113 +4,129 @@ import pytest
 
 from OpenSSL import crypto
 
-from util.security.ssl import load_certificate, CertInvalidException, KeyInvalidException
+from util.security.ssl import (
+    load_certificate,
+    CertInvalidException,
+    KeyInvalidException,
+)
 
-def generate_test_cert(hostname='somehostname', san_list=None, expires=1000000):
-  """ Generates a test SSL certificate and returns the certificate data and private key data. """
 
-  # Based on: http://blog.richardknop.com/2012/08/create-a-self-signed-x509-certificate-in-python/
-  # Create a key pair.
-  k = crypto.PKey()
-  k.generate_key(crypto.TYPE_RSA, 1024)
+def generate_test_cert(hostname="somehostname", san_list=None, expires=1000000):
+    """ Generates a test SSL certificate and returns the certificate data and private key data. """
 
-  # Create a self-signed cert.
-  cert = crypto.X509()
-  cert.get_subject().CN = hostname
+    # Based on: http://blog.richardknop.com/2012/08/create-a-self-signed-x509-certificate-in-python/
+    # Create a key pair.
+    k = crypto.PKey()
+    k.generate_key(crypto.TYPE_RSA, 1024)
 
-  # Add the subjectAltNames (if necessary).
-  if san_list is not None:
-    cert.add_extensions([crypto.X509Extension("subjectAltName", False, ", ".join(san_list))])
+    # Create a self-signed cert.
+    cert = crypto.X509()
+    cert.get_subject().CN = hostname
 
-  cert.set_serial_number(1000)
-  cert.gmtime_adj_notBefore(0)
-  cert.gmtime_adj_notAfter(expires)
-  cert.set_issuer(cert.get_subject())
+    # Add the subjectAltNames (if necessary).
+    if san_list is not None:
+        cert.add_extensions(
+            [crypto.X509Extension("subjectAltName", False, ", ".join(san_list))]
+        )
 
-  cert.set_pubkey(k)
-  cert.sign(k, 'sha1')
+    cert.set_serial_number(1000)
+    cert.gmtime_adj_notBefore(0)
+    cert.gmtime_adj_notAfter(expires)
+    cert.set_issuer(cert.get_subject())
 
-  # Dump the certificate and private key in PEM format.
-  cert_data = crypto.dump_certificate(crypto.FILETYPE_PEM, cert)
-  key_data = crypto.dump_privatekey(crypto.FILETYPE_PEM, k)
+    cert.set_pubkey(k)
+    cert.sign(k, "sha1")
 
-  return (cert_data, key_data)
+    # Dump the certificate and private key in PEM format.
+    cert_data = crypto.dump_certificate(crypto.FILETYPE_PEM, cert)
+    key_data = crypto.dump_privatekey(crypto.FILETYPE_PEM, k)
+
+    return (cert_data, key_data)
 
 
 def test_load_certificate():
-  # Try loading an invalid certificate.
-  with pytest.raises(CertInvalidException):
-    load_certificate('someinvalidcontents')
+    # Try loading an invalid certificate.
+    with pytest.raises(CertInvalidException):
+        load_certificate("someinvalidcontents")
 
-  # Load a valid certificate.
-  (public_key_data, _) = generate_test_cert()
+    # Load a valid certificate.
+    (public_key_data, _) = generate_test_cert()
+
+    cert = load_certificate(public_key_data)
+    assert not cert.expired
+    assert cert.names == set(["somehostname"])
+    assert cert.matches_name("somehostname")
 
-  cert = load_certificate(public_key_data)
-  assert not cert.expired
-  assert cert.names == set(['somehostname'])
-  assert cert.matches_name('somehostname')
 
 def test_expired_certificate():
-  (public_key_data, _) = generate_test_cert(expires=-100)
+    (public_key_data, _) = generate_test_cert(expires=-100)
+
+    cert = load_certificate(public_key_data)
+    assert cert.expired
 
-  cert = load_certificate(public_key_data)
-  assert cert.expired
 
 def test_hostnames():
-  (public_key_data, _) = generate_test_cert(hostname='foo', san_list=['DNS:bar', 'DNS:baz'])
-  cert = load_certificate(public_key_data)
-  assert cert.names == set(['foo', 'bar', 'baz'])
+    (public_key_data, _) = generate_test_cert(
+        hostname="foo", san_list=["DNS:bar", "DNS:baz"]
+    )
+    cert = load_certificate(public_key_data)
+    assert cert.names == set(["foo", "bar", "baz"])
+
+    for name in cert.names:
+        assert cert.matches_name(name)
 
-  for name in cert.names:
-    assert cert.matches_name(name)
 
 def test_wildcard_hostnames():
-  (public_key_data, _) = generate_test_cert(hostname='foo', san_list=['DNS:*.bar'])
-  cert = load_certificate(public_key_data)
-  assert cert.names == set(['foo', '*.bar'])
+    (public_key_data, _) = generate_test_cert(hostname="foo", san_list=["DNS:*.bar"])
+    cert = load_certificate(public_key_data)
+    assert cert.names == set(["foo", "*.bar"])
 
-  for name in cert.names:
-    assert cert.matches_name(name)
+    for name in cert.names:
+        assert cert.matches_name(name)
+
+    assert cert.matches_name("something.bar")
+    assert cert.matches_name("somethingelse.bar")
+    assert cert.matches_name("cool.bar")
+    assert not cert.matches_name("*")
 
-  assert cert.matches_name('something.bar')
-  assert cert.matches_name('somethingelse.bar')
-  assert cert.matches_name('cool.bar')
-  assert not cert.matches_name('*')
 
 def test_nondns_hostnames():
-  (public_key_data, _) = generate_test_cert(hostname='foo', san_list=['URI:yarg'])
-  cert = load_certificate(public_key_data)
-  assert cert.names == set(['foo'])
+    (public_key_data, _) = generate_test_cert(hostname="foo", san_list=["URI:yarg"])
+    cert = load_certificate(public_key_data)
+    assert cert.names == set(["foo"])
+
 
 def test_validate_private_key():
-  (public_key_data, private_key_data) = generate_test_cert()
+    (public_key_data, private_key_data) = generate_test_cert()
 
-  private_key = NamedTemporaryFile(delete=True)
-  private_key.write(private_key_data)
-  private_key.seek(0)
+    private_key = NamedTemporaryFile(delete=True)
+    private_key.write(private_key_data)
+    private_key.seek(0)
+
+    cert = load_certificate(public_key_data)
+    cert.validate_private_key(private_key.name)
 
-  cert = load_certificate(public_key_data)
-  cert.validate_private_key(private_key.name)
 
 def test_invalid_private_key():
-  (public_key_data, _) = generate_test_cert()
+    (public_key_data, _) = generate_test_cert()
 
-  private_key = NamedTemporaryFile(delete=True)
-  private_key.write('somerandomdata')
-  private_key.seek(0)
+    private_key = NamedTemporaryFile(delete=True)
+    private_key.write("somerandomdata")
+    private_key.seek(0)
+
+    cert = load_certificate(public_key_data)
+    with pytest.raises(KeyInvalidException):
+        cert.validate_private_key(private_key.name)
 
-  cert = load_certificate(public_key_data)
-  with pytest.raises(KeyInvalidException):
-    cert.validate_private_key(private_key.name)
 
 def test_mismatch_private_key():
-  (public_key_data, _) = generate_test_cert()
-  (_, private_key_data) = generate_test_cert()
+    (public_key_data, _) = generate_test_cert()
+    (_, private_key_data) = generate_test_cert()
 
-  private_key = NamedTemporaryFile(delete=True)
-  private_key.write(private_key_data)
-  private_key.seek(0)
+    private_key = NamedTemporaryFile(delete=True)
+    private_key.write(private_key_data)
+    private_key.seek(0)
 
-  cert = load_certificate(public_key_data)
-  with pytest.raises(KeyInvalidException):
-    cert.validate_private_key(private_key.name)
+    cert = load_certificate(public_key_data)
+    with pytest.raises(KeyInvalidException):
+        cert.validate_private_key(private_key.name)
diff --git a/util/security/token.py b/util/security/token.py
index a04c1130a..8db6395f4 100644
--- a/util/security/token.py
+++ b/util/security/token.py
@@ -2,31 +2,32 @@ from collections import namedtuple
 
 import base64
 
-DELIMITER = ':'
-DecodedToken = namedtuple('DecodedToken', ['public_code', 'private_token'])
+DELIMITER = ":"
+DecodedToken = namedtuple("DecodedToken", ["public_code", "private_token"])
+
 
 def encode_public_private_token(public_code, private_token, allow_public_only=False):
-  # NOTE: This is for legacy tokens where the private token part is None. We should remove this
-  # once older installations have been fully converted over (if at all possible).
-  if private_token is None:
-    assert allow_public_only
-    return public_code
+    # NOTE: This is for legacy tokens where the private token part is None. We should remove this
+    # once older installations have been fully converted over (if at all possible).
+    if private_token is None:
+        assert allow_public_only
+        return public_code
 
-  assert isinstance(private_token, basestring)
-  return base64.b64encode('%s%s%s' % (public_code, DELIMITER, private_token))
+    assert isinstance(private_token, basestring)
+    return base64.b64encode("%s%s%s" % (public_code, DELIMITER, private_token))
 
 
 def decode_public_private_token(encoded, allow_public_only=False):
-  try:
-    decoded = base64.b64decode(encoded)
-  except (ValueError, TypeError):
-    if not allow_public_only:
-      return None
+    try:
+        decoded = base64.b64decode(encoded)
+    except (ValueError, TypeError):
+        if not allow_public_only:
+            return None
 
-    return DecodedToken(encoded, None)
+        return DecodedToken(encoded, None)
 
-  parts = decoded.split(DELIMITER, 2)
-  if len(parts) != 2:
-    return None
+    parts = decoded.split(DELIMITER, 2)
+    if len(parts) != 2:
+        return None
 
-  return DecodedToken(*parts)
+    return DecodedToken(*parts)
diff --git a/util/test/test_dockerfileparse.py b/util/test/test_dockerfileparse.py
index 802816c2b..7ec34821c 100644
--- a/util/test/test_dockerfileparse.py
+++ b/util/test/test_dockerfileparse.py
@@ -2,58 +2,77 @@
 
 from util.dockerfileparse import parse_dockerfile
 
+
 def test_basic_parse():
-  parsed = parse_dockerfile("""
+    parsed = parse_dockerfile(
+        """
     FROM someimage:latest
     RUN dosomething
-  """)
+  """
+    )
+
+    assert parsed.get_image_and_tag() == ("someimage", "latest")
+    assert parsed.get_base_image() == "someimage"
 
-  assert parsed.get_image_and_tag() == ("someimage", "latest")
-  assert parsed.get_base_image() == "someimage"
 
 def test_basic_parse_notag():
-  parsed = parse_dockerfile("""
+    parsed = parse_dockerfile(
+        """
     FROM someimage
     RUN dosomething
-  """)
+  """
+    )
+
+    assert parsed.get_image_and_tag() == ("someimage", "latest")
+    assert parsed.get_base_image() == "someimage"
 
-  assert parsed.get_image_and_tag() == ("someimage", "latest")
-  assert parsed.get_base_image() == "someimage"
 
 def test_two_from_lines():
-  parsed = parse_dockerfile("""
+    parsed = parse_dockerfile(
+        """
     FROM someimage:latest
     FROM secondimage:second
-  """)
+  """
+    )
+
+    assert parsed.get_image_and_tag() == ("secondimage", "second")
+    assert parsed.get_base_image() == "secondimage"
 
-  assert parsed.get_image_and_tag() == ("secondimage", "second")
-  assert parsed.get_base_image() == "secondimage"
 
 def test_parse_comments():
-  parsed = parse_dockerfile("""
+    parsed = parse_dockerfile(
+        """
     # FROM someimage:latest
     FROM anotherimage:foobar # This is a comment
     RUN dosomething
-  """)
+  """
+    )
+
+    assert parsed.get_image_and_tag() == ("anotherimage", "foobar")
+    assert parsed.get_base_image() == "anotherimage"
 
-  assert parsed.get_image_and_tag() == ("anotherimage", "foobar")
-  assert parsed.get_base_image() == "anotherimage"
 
 def test_unicode_parse_as_ascii():
-  parsed = parse_dockerfile("""
+    parsed = parse_dockerfile(
+        """
     FROM someimage:latest
     MAINTAINER José Schorr <jschorr@whatever.com>
-  """)
+  """
+    )
 
-  assert parsed.get_image_and_tag() == ("someimage", "latest")
-  assert parsed.get_base_image() == "someimage"
+    assert parsed.get_image_and_tag() == ("someimage", "latest")
+    assert parsed.get_base_image() == "someimage"
 
 
 def test_unicode_parse_as_unicode():
-  parsed = parse_dockerfile("""
+    parsed = parse_dockerfile(
+        """
     FROM someimage:latest
     MAINTAINER José Schorr <jschorr@whatever.com>
-  """.decode('utf-8'))
+  """.decode(
+            "utf-8"
+        )
+    )
 
-  assert parsed.get_image_and_tag() == ("someimage", "latest")
-  assert parsed.get_base_image() == "someimage"
+    assert parsed.get_image_and_tag() == ("someimage", "latest")
+    assert parsed.get_base_image() == "someimage"
diff --git a/util/test/test_failover.py b/util/test/test_failover.py
index 333c39362..3c04e897c 100644
--- a/util/test/test_failover.py
+++ b/util/test/test_failover.py
@@ -2,47 +2,46 @@ import pytest
 
 from util.failover import failover, FailoverException
 
+
 class FinishedException(Exception):
-  """ Exception raised at the end of every iteration to force failover. """
+    """ Exception raised at the end of every iteration to force failover. """
 
 
 class Counter(object):
-  """ Wraps a counter in an object so that it'll be passed by reference. """
-  def __init__(self):
-    self.calls = 0
+    """ Wraps a counter in an object so that it'll be passed by reference. """
 
-  def increment(self):
-    self.calls += 1
+    def __init__(self):
+        self.calls = 0
+
+    def increment(self):
+        self.calls += 1
 
 
 @failover
 def my_failover_func(i, should_raise=None):
-  """ Increments a counter and raises an exception when told. """
-  i.increment()
-  if should_raise is not None:
-    raise should_raise()
-  raise FailoverException(FinishedException())
+    """ Increments a counter and raises an exception when told. """
+    i.increment()
+    if should_raise is not None:
+        raise should_raise()
+    raise FailoverException(FinishedException())
 
 
-@pytest.mark.parametrize('stop_on,exception', [
-  (10, None),
-  (5, IndexError),
-])
+@pytest.mark.parametrize("stop_on,exception", [(10, None), (5, IndexError)])
 def test_readonly_failover(stop_on, exception):
-  """ Generates failover arguments and checks against a counter to ensure that
+    """ Generates failover arguments and checks against a counter to ensure that
       the failover function has been called the proper amount of times and stops
       at unhandled exceptions.
   """
-  counter = Counter()
-  arg_sets = []
-  for i in xrange(stop_on):
-    should_raise = exception if exception is not None and i == stop_on-1 else None
-    arg_sets.append(((counter,), {'should_raise': should_raise}))
+    counter = Counter()
+    arg_sets = []
+    for i in xrange(stop_on):
+        should_raise = exception if exception is not None and i == stop_on - 1 else None
+        arg_sets.append(((counter,), {"should_raise": should_raise}))
 
-  if exception is not None:
-    with pytest.raises(exception):
-      my_failover_func(*arg_sets)
-  else:
-    with pytest.raises(FinishedException):
-      my_failover_func(*arg_sets)
-    assert counter.calls == stop_on
+    if exception is not None:
+        with pytest.raises(exception):
+            my_failover_func(*arg_sets)
+    else:
+        with pytest.raises(FinishedException):
+            my_failover_func(*arg_sets)
+        assert counter.calls == stop_on
diff --git a/util/test/test_html.py b/util/test/test_html.py
index 1a6923c6e..e6f801cf7 100644
--- a/util/test/test_html.py
+++ b/util/test/test_html.py
@@ -2,12 +2,16 @@ import pytest
 
 from util.html import html2text
 
-@pytest.mark.parametrize('input, expected', [
-  ('hello world', 'hello world'),
-  ('hello <strong>world</strong>', 'hello *world*'),
-  ('<ul><li>foo</li><li>bar</li><li>baz</li></ul>', '* foo\n* bar\n* baz'),
-  ('<hr>', ('-' * 80)),
-  ('<a href="foo">bar</a>', '[bar](foo)'),
-])
+
+@pytest.mark.parametrize(
+    "input, expected",
+    [
+        ("hello world", "hello world"),
+        ("hello <strong>world</strong>", "hello *world*"),
+        ("<ul><li>foo</li><li>bar</li><li>baz</li></ul>", "* foo\n* bar\n* baz"),
+        ("<hr>", ("-" * 80)),
+        ('<a href="foo">bar</a>', "[bar](foo)"),
+    ],
+)
 def test_html2text(input, expected):
-  assert html2text(input) == expected
+    assert html2text(input) == expected
diff --git a/util/test/test_log_util.py b/util/test/test_log_util.py
index 948a2ee7f..c38ec1145 100644
--- a/util/test/test_log_util.py
+++ b/util/test/test_log_util.py
@@ -4,39 +4,48 @@ from util.log import logfile_path, filter_logs
 from app import FILTERED_VALUES
 from _init import CONF_DIR
 
+
 def test_filter_logs():
-  values = {
-    'user': {
-      'password': "toto"
-    },
-    'blob': '1234567890asdfewkqresfdsfewfdsfd',
-    'unfiltered': 'foo'
-  }
-  filter_logs(values, FILTERED_VALUES)
-  assert values == {'user': {'password': '[FILTERED]'}, 'blob': '12345678', 'unfiltered': "foo"}
+    values = {
+        "user": {"password": "toto"},
+        "blob": "1234567890asdfewkqresfdsfewfdsfd",
+        "unfiltered": "foo",
+    }
+    filter_logs(values, FILTERED_VALUES)
+    assert values == {
+        "user": {"password": "[FILTERED]"},
+        "blob": "12345678",
+        "unfiltered": "foo",
+    }
 
 
-@pytest.mark.parametrize('debug,jsonfmt,expected', [
-  (False, False, os.path.join(CONF_DIR, "logging.conf")),
-  (False, True, os.path.join(CONF_DIR, "logging_json.conf")),
-  (True, False, os.path.join(CONF_DIR, "logging_debug.conf")),
-  (True, True, os.path.join(CONF_DIR, "logging_debug_json.conf"))
-])
+@pytest.mark.parametrize(
+    "debug,jsonfmt,expected",
+    [
+        (False, False, os.path.join(CONF_DIR, "logging.conf")),
+        (False, True, os.path.join(CONF_DIR, "logging_json.conf")),
+        (True, False, os.path.join(CONF_DIR, "logging_debug.conf")),
+        (True, True, os.path.join(CONF_DIR, "logging_debug_json.conf")),
+    ],
+)
 def test_logfile_path(debug, jsonfmt, expected, monkeypatch):
-  assert logfile_path(jsonfmt=jsonfmt, debug=debug) == expected
+    assert logfile_path(jsonfmt=jsonfmt, debug=debug) == expected
 
 
-@pytest.mark.parametrize('debug,jsonfmt,expected', [
-  ("false", "false", os.path.join(CONF_DIR, "logging.conf")),
-  ("false", "true", os.path.join(CONF_DIR, "logging_json.conf")),
-  ("true", "false", os.path.join(CONF_DIR, "logging_debug.conf")),
-  ("true", "true", os.path.join(CONF_DIR, "logging_debug_json.conf"))
-])
+@pytest.mark.parametrize(
+    "debug,jsonfmt,expected",
+    [
+        ("false", "false", os.path.join(CONF_DIR, "logging.conf")),
+        ("false", "true", os.path.join(CONF_DIR, "logging_json.conf")),
+        ("true", "false", os.path.join(CONF_DIR, "logging_debug.conf")),
+        ("true", "true", os.path.join(CONF_DIR, "logging_debug_json.conf")),
+    ],
+)
 def test_logfile_path_env(debug, jsonfmt, expected, monkeypatch):
-  monkeypatch.setenv("DEBUGLOG", debug)
-  monkeypatch.setenv("JSONLOG", jsonfmt)
-  assert logfile_path() == expected
+    monkeypatch.setenv("DEBUGLOG", debug)
+    monkeypatch.setenv("JSONLOG", jsonfmt)
+    assert logfile_path() == expected
 
 
 def test_logfile_path_default():
-  assert logfile_path() == os.path.join(CONF_DIR, "logging.conf")
+    assert logfile_path() == os.path.join(CONF_DIR, "logging.conf")
diff --git a/util/test/test_morecollections.py b/util/test/test_morecollections.py
index 321829e64..ab1f91e30 100644
--- a/util/test/test_morecollections.py
+++ b/util/test/test_morecollections.py
@@ -1,300 +1,323 @@
-from util.morecollections import (FastIndexList, StreamingDiffTracker,
-                                  IndexedStreamingDiffTracker)
+from util.morecollections import (
+    FastIndexList,
+    StreamingDiffTracker,
+    IndexedStreamingDiffTracker,
+)
+
 
 def test_fastindexlist_basic_usage():
-  indexlist = FastIndexList()
+    indexlist = FastIndexList()
 
-  # Add 1
-  indexlist.add(1)
-  assert indexlist.values() == [1]
-  assert indexlist.index(1) == 0
+    # Add 1
+    indexlist.add(1)
+    assert indexlist.values() == [1]
+    assert indexlist.index(1) == 0
 
-  # Add 2
-  indexlist.add(2)
-  assert indexlist.values() == [1, 2]
-  assert indexlist.index(1) == 0
-  assert indexlist.index(2) == 1
+    # Add 2
+    indexlist.add(2)
+    assert indexlist.values() == [1, 2]
+    assert indexlist.index(1) == 0
+    assert indexlist.index(2) == 1
 
-  # Pop nothing.
-  indexlist.pop_until(-1)
-  assert indexlist.values() == [1, 2]
-  assert indexlist.index(1) == 0
-  assert indexlist.index(2) == 1
+    # Pop nothing.
+    indexlist.pop_until(-1)
+    assert indexlist.values() == [1, 2]
+    assert indexlist.index(1) == 0
+    assert indexlist.index(2) == 1
 
-  # Pop 1.
-  assert indexlist.pop_until(0) == [1]
-  assert indexlist.values() == [2]
-  assert indexlist.index(1) is None
-  assert indexlist.index(2) == 0
+    # Pop 1.
+    assert indexlist.pop_until(0) == [1]
+    assert indexlist.values() == [2]
+    assert indexlist.index(1) is None
+    assert indexlist.index(2) == 0
 
-  # Add 3.
-  indexlist.add(3)
-  assert indexlist.values() == [2, 3]
-  assert indexlist.index(2) == 0
-  assert indexlist.index(3) == 1
+    # Add 3.
+    indexlist.add(3)
+    assert indexlist.values() == [2, 3]
+    assert indexlist.index(2) == 0
+    assert indexlist.index(3) == 1
+
+    # Pop 2, 3.
+    assert indexlist.pop_until(1) == [2, 3]
+    assert indexlist.values() == []
+    assert indexlist.index(1) is None
+    assert indexlist.index(2) is None
+    assert indexlist.index(3) is None
 
-  # Pop 2, 3.
-  assert indexlist.pop_until(1) == [2, 3]
-  assert indexlist.values() == []
-  assert indexlist.index(1) is None
-  assert indexlist.index(2) is None
-  assert indexlist.index(3) is None
 
 def test_fastindexlist_popping():
-  indexlist = FastIndexList()
-  indexlist.add('hello')
-  indexlist.add('world')
-  indexlist.add('you')
-  indexlist.add('rock')
+    indexlist = FastIndexList()
+    indexlist.add("hello")
+    indexlist.add("world")
+    indexlist.add("you")
+    indexlist.add("rock")
 
-  assert indexlist.index('hello') == 0
-  assert indexlist.index('world') == 1
-  assert indexlist.index('you') == 2
-  assert indexlist.index('rock') == 3
+    assert indexlist.index("hello") == 0
+    assert indexlist.index("world") == 1
+    assert indexlist.index("you") == 2
+    assert indexlist.index("rock") == 3
 
-  indexlist.pop_until(1)
-  assert indexlist.index('you') == 0
-  assert indexlist.index('rock') == 1
+    indexlist.pop_until(1)
+    assert indexlist.index("you") == 0
+    assert indexlist.index("rock") == 1
 
 
 def test_indexedstreamingdifftracker_basic():
-  added = []
+    added = []
 
-  tracker = IndexedStreamingDiffTracker(added.append, 3)
-  tracker.push_new([('a', 0), ('b', 1), ('c', 2)])
-  tracker.push_old([('b', 1)])
-  tracker.done()
+    tracker = IndexedStreamingDiffTracker(added.append, 3)
+    tracker.push_new([("a", 0), ("b", 1), ("c", 2)])
+    tracker.push_old([("b", 1)])
+    tracker.done()
+
+    assert added == ["a", "c"]
 
-  assert added == ['a', 'c']
 
 def test_indexedstreamingdifftracker_multiple_done():
-  added = []
+    added = []
 
-  tracker = IndexedStreamingDiffTracker(added.append, 3)
-  tracker.push_new([('a', 0), ('b', 1), ('c', 2)])
-  tracker.push_old([('b', 1)])
-  tracker.done()
-  tracker.done()
+    tracker = IndexedStreamingDiffTracker(added.append, 3)
+    tracker.push_new([("a", 0), ("b", 1), ("c", 2)])
+    tracker.push_old([("b", 1)])
+    tracker.done()
+    tracker.done()
+
+    assert added == ["a", "c"]
 
-  assert added == ['a', 'c']
 
 def test_indexedstreamingdifftracker_same_streams():
-  added = []
+    added = []
 
-  tracker = IndexedStreamingDiffTracker(added.append, 3)
-  tracker.push_new([('a', 0), ('b', 1), ('c', 2)])
-  tracker.push_old([('a', 0), ('b', 1), ('c', 2)])
-  tracker.done()
+    tracker = IndexedStreamingDiffTracker(added.append, 3)
+    tracker.push_new([("a", 0), ("b", 1), ("c", 2)])
+    tracker.push_old([("a", 0), ("b", 1), ("c", 2)])
+    tracker.done()
+
+    assert added == []
 
-  assert added == []
 
 def test_indexedstreamingdifftracker_only_new():
-  added = []
+    added = []
 
-  tracker = IndexedStreamingDiffTracker(added.append, 3)
-  tracker.push_new([('a', 0), ('b', 1), ('c', 2)])
-  tracker.push_old([])
-  tracker.done()
+    tracker = IndexedStreamingDiffTracker(added.append, 3)
+    tracker.push_new([("a", 0), ("b", 1), ("c", 2)])
+    tracker.push_old([])
+    tracker.done()
+
+    assert added == ["a", "b", "c"]
 
-  assert added == ['a', 'b', 'c']
 
 def test_indexedstreamingdifftracker_pagination():
-  added = []
+    added = []
 
-  tracker = IndexedStreamingDiffTracker(added.append, 2)
-  tracker.push_new([('a', 0), ('b', 1)])
-  tracker.push_old([])
+    tracker = IndexedStreamingDiffTracker(added.append, 2)
+    tracker.push_new([("a", 0), ("b", 1)])
+    tracker.push_old([])
 
-  tracker.push_new([('c', 2)])
-  tracker.push_old([])
+    tracker.push_new([("c", 2)])
+    tracker.push_old([])
 
-  tracker.done()
+    tracker.done()
+
+    assert added == ["a", "b", "c"]
 
-  assert added == ['a', 'b', 'c']
 
 def test_indexedstreamingdifftracker_old_pagination_no_repeat():
-  added = []
+    added = []
 
-  tracker = IndexedStreamingDiffTracker(added.append, 2)
-  tracker.push_new([('new1', 3), ('new2', 4)])
-  tracker.push_old([('old1', 1), ('old2', 2)])
+    tracker = IndexedStreamingDiffTracker(added.append, 2)
+    tracker.push_new([("new1", 3), ("new2", 4)])
+    tracker.push_old([("old1", 1), ("old2", 2)])
 
-  tracker.push_new([])
-  tracker.push_old([('new1', 3)])
+    tracker.push_new([])
+    tracker.push_old([("new1", 3)])
 
-  tracker.done()
+    tracker.done()
+
+    assert added == ["new2"]
 
-  assert added == ['new2']
 
 def test_indexedstreamingdifftracker_old_pagination():
-  added = []
+    added = []
 
-  tracker = IndexedStreamingDiffTracker(added.append, 2)
-  tracker.push_new([('a', 10), ('b', 11)])
-  tracker.push_old([('z', 1), ('y', 2)])
+    tracker = IndexedStreamingDiffTracker(added.append, 2)
+    tracker.push_new([("a", 10), ("b", 11)])
+    tracker.push_old([("z", 1), ("y", 2)])
 
-  tracker.push_new([('c', 12)])
-  tracker.push_old([('a', 10)])
+    tracker.push_new([("c", 12)])
+    tracker.push_old([("a", 10)])
 
-  tracker.done()
+    tracker.done()
+
+    assert added == ["b", "c"]
 
-  assert added == ['b', 'c']
 
 def test_indexedstreamingdifftracker_very_offset():
-  added = []
+    added = []
 
-  tracker = IndexedStreamingDiffTracker(added.append, 2)
-  tracker.push_new([('a', 10), ('b', 11)])
-  tracker.push_old([('z', 1), ('y', 2)])
+    tracker = IndexedStreamingDiffTracker(added.append, 2)
+    tracker.push_new([("a", 10), ("b", 11)])
+    tracker.push_old([("z", 1), ("y", 2)])
 
-  tracker.push_new([('c', 12), ('d', 13)])
-  tracker.push_old([('x', 3), ('w', 4)])
+    tracker.push_new([("c", 12), ("d", 13)])
+    tracker.push_old([("x", 3), ("w", 4)])
 
-  tracker.push_new([('e', 14)])
-  tracker.push_old([('a', 10), ('d', 13)])
+    tracker.push_new([("e", 14)])
+    tracker.push_old([("a", 10), ("d", 13)])
 
-  tracker.done()
+    tracker.done()
+
+    assert added == ["b", "c", "e"]
 
-  assert added == ['b', 'c', 'e']
 
 def test_indexedstreamingdifftracker_many_old():
-  added = []
+    added = []
 
-  tracker = IndexedStreamingDiffTracker(added.append, 2)
-  tracker.push_new([('z', 26), ('hello', 100)])
-  tracker.push_old([('a', 1), ('b', 2)])
+    tracker = IndexedStreamingDiffTracker(added.append, 2)
+    tracker.push_new([("z", 26), ("hello", 100)])
+    tracker.push_old([("a", 1), ("b", 2)])
 
-  tracker.push_new([])
-  tracker.push_old([('c', 1), ('d', 2)])
+    tracker.push_new([])
+    tracker.push_old([("c", 1), ("d", 2)])
 
-  tracker.push_new([])
-  tracker.push_old([('e', 3), ('f', 4)])
+    tracker.push_new([])
+    tracker.push_old([("e", 3), ("f", 4)])
 
-  tracker.push_new([])
-  tracker.push_old([('g', 5), ('z', 26)])
+    tracker.push_new([])
+    tracker.push_old([("g", 5), ("z", 26)])
 
-  tracker.done()
+    tracker.done()
+
+    assert added == ["hello"]
 
-  assert added == ['hello']
 
 def test_indexedstreamingdifftracker_high_old_bound():
-  added = []
+    added = []
 
-  tracker = IndexedStreamingDiffTracker(added.append, 2)
-  tracker.push_new([('z', 26), ('hello', 100)])
-  tracker.push_old([('end1', 999), ('end2', 1000)])
+    tracker = IndexedStreamingDiffTracker(added.append, 2)
+    tracker.push_new([("z", 26), ("hello", 100)])
+    tracker.push_old([("end1", 999), ("end2", 1000)])
 
-  tracker.push_new([])
-  tracker.push_old([])
+    tracker.push_new([])
+    tracker.push_old([])
 
-  tracker.done()
+    tracker.done()
+
+    assert added == ["z", "hello"]
 
-  assert added == ['z', 'hello']
 
 def test_streamingdifftracker_basic():
-  added = []
+    added = []
 
-  tracker = StreamingDiffTracker(added.append, 3)
-  tracker.push_new(['a', 'b', 'c'])
-  tracker.push_old(['b'])
-  tracker.done()
+    tracker = StreamingDiffTracker(added.append, 3)
+    tracker.push_new(["a", "b", "c"])
+    tracker.push_old(["b"])
+    tracker.done()
+
+    assert added == ["a", "c"]
 
-  assert added == ['a', 'c']
 
 def test_streamingdifftracker_same_streams():
-  added = []
+    added = []
 
-  tracker = StreamingDiffTracker(added.append, 3)
-  tracker.push_new(['a', 'b', 'c'])
-  tracker.push_old(['a', 'b', 'c'])
-  tracker.done()
+    tracker = StreamingDiffTracker(added.append, 3)
+    tracker.push_new(["a", "b", "c"])
+    tracker.push_old(["a", "b", "c"])
+    tracker.done()
+
+    assert added == []
 
-  assert added == []
 
 def test_streamingdifftracker_some_new():
-  added = []
+    added = []
 
-  tracker = StreamingDiffTracker(added.append, 5)
-  tracker.push_new(['a', 'b', 'c', 'd', 'e'])
-  tracker.push_old(['a', 'b', 'c'])
-  tracker.done()
+    tracker = StreamingDiffTracker(added.append, 5)
+    tracker.push_new(["a", "b", "c", "d", "e"])
+    tracker.push_old(["a", "b", "c"])
+    tracker.done()
+
+    assert added == ["d", "e"]
 
-  assert added == ['d', 'e']
 
 def test_streamingdifftracker_offset_new():
-  added = []
+    added = []
 
-  tracker = StreamingDiffTracker(added.append, 5)
-  tracker.push_new(['b', 'c', 'd', 'e'])
-  tracker.push_old(['a', 'b', 'c'])
-  tracker.done()
+    tracker = StreamingDiffTracker(added.append, 5)
+    tracker.push_new(["b", "c", "d", "e"])
+    tracker.push_old(["a", "b", "c"])
+    tracker.done()
+
+    assert added == ["d", "e"]
 
-  assert added == ['d', 'e']
 
 def test_streamingdifftracker_multiple_calls():
-  added = []
+    added = []
 
-  tracker = StreamingDiffTracker(added.append, 3)
-  tracker.push_new(['a', 'b', 'c'])
-  tracker.push_old(['b', 'd', 'e'])
+    tracker = StreamingDiffTracker(added.append, 3)
+    tracker.push_new(["a", "b", "c"])
+    tracker.push_old(["b", "d", "e"])
 
-  tracker.push_new(['f', 'g', 'h'])
-  tracker.push_old(['g', 'h'])
-  tracker.done()
+    tracker.push_new(["f", "g", "h"])
+    tracker.push_old(["g", "h"])
+    tracker.done()
+
+    assert added == ["a", "c", "f"]
 
-  assert added == ['a', 'c', 'f']
 
 def test_streamingdifftracker_empty_old():
-  added = []
+    added = []
 
-  tracker = StreamingDiffTracker(added.append, 3)
-  tracker.push_new(['a', 'b', 'c'])
-  tracker.push_old([])
+    tracker = StreamingDiffTracker(added.append, 3)
+    tracker.push_new(["a", "b", "c"])
+    tracker.push_old([])
 
-  tracker.push_new(['f', 'g', 'h'])
-  tracker.push_old([])
-  tracker.done()
+    tracker.push_new(["f", "g", "h"])
+    tracker.push_old([])
+    tracker.done()
+
+    assert added == ["a", "b", "c", "f", "g", "h"]
 
-  assert added == ['a', 'b', 'c', 'f', 'g', 'h']
 
 def test_streamingdifftracker_more_old():
-  added = []
+    added = []
 
-  tracker = StreamingDiffTracker(added.append, 2)
-  tracker.push_new(['c', 'd'])
-  tracker.push_old(['a', 'b'])
+    tracker = StreamingDiffTracker(added.append, 2)
+    tracker.push_new(["c", "d"])
+    tracker.push_old(["a", "b"])
 
-  tracker.push_new([])
-  tracker.push_old(['c'])
-  tracker.done()
+    tracker.push_new([])
+    tracker.push_old(["c"])
+    tracker.done()
+
+    assert added == ["d"]
 
-  assert added == ['d']
 
 def test_streamingdifftracker_more_new():
-  added = []
+    added = []
 
-  tracker = StreamingDiffTracker(added.append, 4)
-  tracker.push_new(['a', 'b', 'c', 'd'])
-  tracker.push_old(['r'])
+    tracker = StreamingDiffTracker(added.append, 4)
+    tracker.push_new(["a", "b", "c", "d"])
+    tracker.push_old(["r"])
 
-  tracker.push_new(['e', 'f', 'r', 'z'])
-  tracker.push_old([])
-  tracker.done()
+    tracker.push_new(["e", "f", "r", "z"])
+    tracker.push_old([])
+    tracker.done()
+
+    assert added == ["a", "b", "c", "d", "e", "f", "z"]
 
-  assert added == ['a', 'b', 'c', 'd', 'e', 'f', 'z']
 
 def test_streamingdifftracker_more_new2():
-  added = []
+    added = []
 
-  tracker = StreamingDiffTracker(added.append, 4)
-  tracker.push_new(['a', 'b', 'c', 'd'])
-  tracker.push_old(['r'])
+    tracker = StreamingDiffTracker(added.append, 4)
+    tracker.push_new(["a", "b", "c", "d"])
+    tracker.push_old(["r"])
 
-  tracker.push_new(['e', 'f', 'g', 'h'])
-  tracker.push_old([])
+    tracker.push_new(["e", "f", "g", "h"])
+    tracker.push_old([])
 
-  tracker.push_new(['i', 'j', 'r', 'z'])
-  tracker.push_old([])
-  tracker.done()
+    tracker.push_new(["i", "j", "r", "z"])
+    tracker.push_old([])
+    tracker.done()
 
-  assert added == ['a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'z']
+    assert added == ["a", "b", "c", "d", "e", "f", "g", "h", "i", "j", "z"]
diff --git a/util/test/test_names.py b/util/test/test_names.py
index 87a100604..5ee9180fa 100644
--- a/util/test/test_names.py
+++ b/util/test/test_names.py
@@ -2,13 +2,16 @@ import pytest
 
 from util.names import escape_tag
 
-@pytest.mark.parametrize('input_tag, expected', [
-  ('latest', 'latest'),
-  ('latest124', 'latest124'),
-  ('5de1e98d', '5de1e98d'),
 
-  ('detailed_view#61', 'detailed_view_61'),
-  ('-detailed_view#61', '_detailed_view_61')
-])
+@pytest.mark.parametrize(
+    "input_tag, expected",
+    [
+        ("latest", "latest"),
+        ("latest124", "latest124"),
+        ("5de1e98d", "5de1e98d"),
+        ("detailed_view#61", "detailed_view_61"),
+        ("-detailed_view#61", "_detailed_view_61"),
+    ],
+)
 def test_escape_tag(input_tag, expected):
-  assert escape_tag(input_tag) == expected
+    assert escape_tag(input_tag) == expected
diff --git a/util/test/test_useremails.py b/util/test/test_useremails.py
index 8cb4d6e51..7004cb3b5 100644
--- a/util/test/test_useremails.py
+++ b/util/test/test_useremails.py
@@ -3,56 +3,60 @@ import pytest
 from util.useremails import render_email
 from test.fixtures import *
 
+
 def test_render_email():
-  params = {
-    'username': 'someusername',
-    'new_email': 'new@example.com',
-  }
-  
-  html, plain = render_email('Test App', 'test.quay', 'foo@example.com', 'Hello There!',
-                             'emailchanged', params)
-  assert 'https://quay.io/contact/' in html
-  assert 'https://quay.io/contact/' in plain
+    params = {"username": "someusername", "new_email": "new@example.com"}
+
+    html, plain = render_email(
+        "Test App",
+        "test.quay",
+        "foo@example.com",
+        "Hello There!",
+        "emailchanged",
+        params,
+    )
+    assert "https://quay.io/contact/" in html
+    assert "https://quay.io/contact/" in plain
 
 
-@pytest.mark.parametrize('template_name, params', [
-  ('passwordchanged', {
-    'username': 'someusername',
-  }),
-  ('emailchanged', {
-    'username': 'someusername',
-    'new_email': 'new@example.com',
-  }),
-  ('changeemail', {
-    'username': 'someusername',
-    'token': 'sometoken',
-  }),
-  ('confirmemail', {
-    'username': 'someusername',
-    'token': 'sometoken',
-  }),
-  ('repoauthorizeemail', {
-    'namespace': 'someusername',
-    'repository': 'somerepo',
-    'token': 'sometoken',
-  }),
-  ('orgrecovery', {
-    'organization': 'someusername',
-    'admin_usernames': ['foo', 'bar', 'baz'],
-  }),
-  ('recovery', {
-    'email': 'foo@example.com',
-    'token': 'sometoken',
-  }),
-  ('paymentfailure', {
-    'username': 'someusername',
-  }),
-  ('teaminvite', {
-    'inviter': 'someusername',
-    'token': 'sometoken',
-    'organization': 'someorg',
-    'teamname': 'someteam',
-  }),
-])
+@pytest.mark.parametrize(
+    "template_name, params",
+    [
+        ("passwordchanged", {"username": "someusername"}),
+        ("emailchanged", {"username": "someusername", "new_email": "new@example.com"}),
+        ("changeemail", {"username": "someusername", "token": "sometoken"}),
+        ("confirmemail", {"username": "someusername", "token": "sometoken"}),
+        (
+            "repoauthorizeemail",
+            {
+                "namespace": "someusername",
+                "repository": "somerepo",
+                "token": "sometoken",
+            },
+        ),
+        (
+            "orgrecovery",
+            {"organization": "someusername", "admin_usernames": ["foo", "bar", "baz"]},
+        ),
+        ("recovery", {"email": "foo@example.com", "token": "sometoken"}),
+        ("paymentfailure", {"username": "someusername"}),
+        (
+            "teaminvite",
+            {
+                "inviter": "someusername",
+                "token": "sometoken",
+                "organization": "someorg",
+                "teamname": "someteam",
+            },
+        ),
+    ],
+)
 def test_emails(template_name, params, initialized_db):
-  render_email('Test App', 'test.quay', 'foo@example.com', 'Hello There!', template_name, params)
+    render_email(
+        "Test App",
+        "test.quay",
+        "foo@example.com",
+        "Hello There!",
+        template_name,
+        params,
+    )
diff --git a/util/test/test_util.py b/util/test/test_util.py
index 2bb38d14e..902d1f422 100644
--- a/util/test/test_util.py
+++ b/util/test/test_util.py
@@ -2,19 +2,25 @@ import pytest
 
 from util import slash_join
 
-@pytest.mark.parametrize('pieces, expected', [
-  (['https://github.com', '/coreos-inc/' 'quay/pull/1092/files'],
-    'https://github.com/coreos-inc/quay/pull/1092/files'),
 
-  (['https://', 'github.com/', '/coreos-inc', '/quay/pull/1092/files/'],
-    'https://github.com/coreos-inc/quay/pull/1092/files'),
-
-  (['https://somegithub.com/', '/api/v3/'],
-    'https://somegithub.com/api/v3'),
-
-  (['https://github.somedomain.com/', '/api/v3/'],
-    'https://github.somedomain.com/api/v3'),
-])
+@pytest.mark.parametrize(
+    "pieces, expected",
+    [
+        (
+            ["https://github.com", "/coreos-inc/" "quay/pull/1092/files"],
+            "https://github.com/coreos-inc/quay/pull/1092/files",
+        ),
+        (
+            ["https://", "github.com/", "/coreos-inc", "/quay/pull/1092/files/"],
+            "https://github.com/coreos-inc/quay/pull/1092/files",
+        ),
+        (["https://somegithub.com/", "/api/v3/"], "https://somegithub.com/api/v3"),
+        (
+            ["https://github.somedomain.com/", "/api/v3/"],
+            "https://github.somedomain.com/api/v3",
+        ),
+    ],
+)
 def test_slash_join(pieces, expected):
-  joined_url = slash_join(*pieces)
-  assert joined_url == expected
+    joined_url = slash_join(*pieces)
+    assert joined_url == expected
diff --git a/util/test/test_validation.py b/util/test/test_validation.py
index a0f296eda..9e062999d 100644
--- a/util/test/test_validation.py
+++ b/util/test/test_validation.py
@@ -4,129 +4,131 @@ from itertools import islice
 
 import pytest
 
-from util.validation import is_json, validate_label_key, generate_valid_usernames, validate_username
+from util.validation import (
+    is_json,
+    validate_label_key,
+    generate_valid_usernames,
+    validate_username,
+)
 
-@pytest.mark.parametrize('username, is_valid', [
-  ('ja', True),
-  ('jak', True),
-  ('jake', True),
-  ('ja_ke', True),
-  ('te-st', True),
-  ('te.st', True),
 
-  ('z' * 30, True),
-  ('z' * 255, True),
-
-  ('j', False),
-
-  ('z' * 256, False),
-
-  ('_test', False),
-  ('Test', False),
-  ('hello world', False),
-  (u'hello→world', False),
-  ('te---st', False),
-])
+@pytest.mark.parametrize(
+    "username, is_valid",
+    [
+        ("ja", True),
+        ("jak", True),
+        ("jake", True),
+        ("ja_ke", True),
+        ("te-st", True),
+        ("te.st", True),
+        ("z" * 30, True),
+        ("z" * 255, True),
+        ("j", False),
+        ("z" * 256, False),
+        ("_test", False),
+        ("Test", False),
+        ("hello world", False),
+        (u"hello→world", False),
+        ("te---st", False),
+    ],
+)
 def test_validate_username(username, is_valid):
-  valid, _ = validate_username(username)
-  assert valid == is_valid
+    valid, _ = validate_username(username)
+    assert valid == is_valid
 
 
-@pytest.mark.parametrize('string_value,expected', [
-  ('{}', True),
-  ('[]', True),
-  ('[hello world]', False),
-  ('{hello world}', False),
-  ('[test] this is a test', False),
-  ('hello world', False),
-  ('{"hi": "there"}', True),
-  ('[1, 2, 3, 4]', True),
-  ('[1, 2, {"num": 3}, 4]', True),
-])
+@pytest.mark.parametrize(
+    "string_value,expected",
+    [
+        ("{}", True),
+        ("[]", True),
+        ("[hello world]", False),
+        ("{hello world}", False),
+        ("[test] this is a test", False),
+        ("hello world", False),
+        ('{"hi": "there"}', True),
+        ("[1, 2, 3, 4]", True),
+        ('[1, 2, {"num": 3}, 4]', True),
+    ],
+)
 def test_is_json(string_value, expected):
-  assert is_json(string_value) == expected
+    assert is_json(string_value) == expected
 
 
-@pytest.mark.parametrize('key, is_valid', [
-  ('foo', True),
-  ('bar', True),
-
-  ('foo1', True),
-  ('bar2', True),
-
-  ('1', True),
-  ('12', True),
-  ('123', True),
-  ('1234', True),
-
-  ('git-sha', True),
-
-  ('com.coreos.something', True),
-  ('io.quay.git-sha', True),
-
-  ('', False),
-  ('git_sha', False),
-
-  ('-125', False),
-  ('-foo', False),
-  ('foo-', False),
-  ('123-', False),
-
-  ('foo--bar', False),
-  ('foo..bar', False),
-])
+@pytest.mark.parametrize(
+    "key, is_valid",
+    [
+        ("foo", True),
+        ("bar", True),
+        ("foo1", True),
+        ("bar2", True),
+        ("1", True),
+        ("12", True),
+        ("123", True),
+        ("1234", True),
+        ("git-sha", True),
+        ("com.coreos.something", True),
+        ("io.quay.git-sha", True),
+        ("", False),
+        ("git_sha", False),
+        ("-125", False),
+        ("-foo", False),
+        ("foo-", False),
+        ("123-", False),
+        ("foo--bar", False),
+        ("foo..bar", False),
+    ],
+)
 def test_validate_label_key(key, is_valid):
-  assert validate_label_key(key) == is_valid
+    assert validate_label_key(key) == is_valid
 
 
-@pytest.mark.parametrize('input_username, expected_output', [
-  ('jake', 'jake'),
-  ('frank', 'frank'),
-  ('fra-nk', 'fra_nk'),
-
-  ('Jake', 'jake'),
-  ('FranK', 'frank'),
-
-  ('ja__ke', 'ja_ke'),
-  ('ja___ke', 'ja_ke'),
-
-  ('ja__', 'ja'),
-  ('jake__', 'jake'),
-
-  ('_jake', 'jake'),
-
-  ('a', 'a0'),
-  ('ab', 'ab'),
-  ('abc', 'abc'),
-
-  ('abcdefghijklmnopqrstuvwxyz1234567890', 'abcdefghijklmnopqrstuvwxyz1234567890'),
-  ('c' * 256, 'c' * 255),
-
-  (u'\xc6neid', 'aeneid'),
-  (u'\xe9tude', 'etude'),
-  (u'\u5317\u4eb0', 'bei_jing'),
-  (u'\u1515\u14c7\u14c7', 'shanana'),
-  (u'\u13d4\u13b5\u13c6', 'taliqua'),
-  (u'\u0726\u071b\u073d\u0710\u073a', 'ptu_i'),
-  (u'\u0905\u092d\u093f\u091c\u0940\u0924', 'abhijiit'),
-  (u'\u0985\u09ad\u09bf\u099c\u09c0\u09a4', 'abhijiit'),
-  (u'\u0d05\u0d2d\u0d3f\u0d1c\u0d40\u0d24', 'abhijiit'),
-  (u'\u0d2e\u0d32\u0d2f\u0d3e\u0d32\u0d2e\u0d4d', 'mlyaalm'),
-  (u'\ue000', '00'),
-  (u'\u03ff', '00'),
-
-  (u'\u0d2e\u0d32\u03ff\u03ff\u0d2e\u0d32', 'mlml'),
-])
+@pytest.mark.parametrize(
+    "input_username, expected_output",
+    [
+        ("jake", "jake"),
+        ("frank", "frank"),
+        ("fra-nk", "fra_nk"),
+        ("Jake", "jake"),
+        ("FranK", "frank"),
+        ("ja__ke", "ja_ke"),
+        ("ja___ke", "ja_ke"),
+        ("ja__", "ja"),
+        ("jake__", "jake"),
+        ("_jake", "jake"),
+        ("a", "a0"),
+        ("ab", "ab"),
+        ("abc", "abc"),
+        (
+            "abcdefghijklmnopqrstuvwxyz1234567890",
+            "abcdefghijklmnopqrstuvwxyz1234567890",
+        ),
+        ("c" * 256, "c" * 255),
+        (u"\xc6neid", "aeneid"),
+        (u"\xe9tude", "etude"),
+        (u"\u5317\u4eb0", "bei_jing"),
+        (u"\u1515\u14c7\u14c7", "shanana"),
+        (u"\u13d4\u13b5\u13c6", "taliqua"),
+        (u"\u0726\u071b\u073d\u0710\u073a", "ptu_i"),
+        (u"\u0905\u092d\u093f\u091c\u0940\u0924", "abhijiit"),
+        (u"\u0985\u09ad\u09bf\u099c\u09c0\u09a4", "abhijiit"),
+        (u"\u0d05\u0d2d\u0d3f\u0d1c\u0d40\u0d24", "abhijiit"),
+        (u"\u0d2e\u0d32\u0d2f\u0d3e\u0d32\u0d2e\u0d4d", "mlyaalm"),
+        (u"\ue000", "00"),
+        (u"\u03ff", "00"),
+        (u"\u0d2e\u0d32\u03ff\u03ff\u0d2e\u0d32", "mlml"),
+    ],
+)
 def test_generate_valid_usernames(input_username, expected_output):
-  name_gen = generate_valid_usernames(input_username)
-  generated_output = list(islice(name_gen, 1))[0]
-  assert generated_output == expected_output
+    name_gen = generate_valid_usernames(input_username)
+    generated_output = list(islice(name_gen, 1))[0]
+    assert generated_output == expected_output
 
 
 def test_multiple_suggestions():
-  name_gen = generate_valid_usernames('a')
-  generated_output = list(islice(name_gen, 4))
-  assert generated_output[0] == 'a0'
-  assert generated_output[1] == 'a1'
-  assert generated_output[2] == 'a2'
-  assert generated_output[3] == 'a3'
+    name_gen = generate_valid_usernames("a")
+    generated_output = list(islice(name_gen, 4))
+    assert generated_output[0] == "a0"
+    assert generated_output[1] == "a1"
+    assert generated_output[2] == "a2"
+    assert generated_output[3] == "a3"
diff --git a/util/test/test_workers.py b/util/test/test_workers.py
index 7df327cf7..f31425983 100644
--- a/util/test/test_workers.py
+++ b/util/test/test_workers.py
@@ -4,71 +4,54 @@ import pytest
 
 from util.workers import get_worker_count
 
-@pytest.mark.parametrize('kind_name,env_vars,cpu_affinity,multiplier,minimum,maximum,expected', [
-  # No override and CPU affinity * multiplier is between min and max => cpu affinity * multiplier.
-  ('registry', {}, [0, 1], 10, 8, 64, 20),
 
-  # No override and CPU affinity * multiplier is below min => min.
-  ('registry', {}, [0], 1, 8, 64, 8),
+@pytest.mark.parametrize(
+    "kind_name,env_vars,cpu_affinity,multiplier,minimum,maximum,expected",
+    [
+        # No override and CPU affinity * multiplier is between min and max => cpu affinity * multiplier.
+        ("registry", {}, [0, 1], 10, 8, 64, 20),
+        # No override and CPU affinity * multiplier is below min => min.
+        ("registry", {}, [0], 1, 8, 64, 8),
+        # No override and CPU affinity * multiplier is above max => max.
+        ("registry", {}, [0, 1, 2, 3], 20, 8, 64, 64),
+        # Override based on specific env var.
+        ("registry", {"WORKER_COUNT_REGISTRY": 12}, [0, 1], 10, 8, 64, 12),
+        # Override based on specific env var (ignores maximum).
+        ("registry", {"WORKER_COUNT_REGISTRY": 120}, [0, 1], 10, 8, 64, 120),
+        # Override based on specific env var (respects minimum).
+        ("registry", {"WORKER_COUNT_REGISTRY": 1}, [0, 1], 10, 8, 64, 8),
+        # Override based on generic env var.
+        ("registry", {"WORKER_COUNT": 12}, [0, 1], 10, 8, 64, 12),
+        # Override based on generic env var (ignores maximum).
+        ("registry", {"WORKER_COUNT": 120}, [0, 1], 10, 8, 64, 120),
+        # Override based on generic env var (respects minimum).
+        ("registry", {"WORKER_COUNT": 1}, [0, 1], 10, 8, 64, 8),
+        # Override always uses specific first.
+        (
+            "registry",
+            {"WORKER_COUNT_REGISTRY": 120, "WORKER_COUNT": 12},
+            [0, 1],
+            10,
+            8,
+            64,
+            120,
+        ),
+        # Non-matching override.
+        ("verbs", {"WORKER_COUNT_REGISTRY": 120}, [0, 1], 10, 8, 64, 20),
+        # Zero worker count (use defaults).
+        ("verbs", {"WORKER_COUNT": 0}, [0, 1], 10, 8, 64, 8),
+    ],
+)
+def test_get_worker_count(
+    kind_name, env_vars, cpu_affinity, multiplier, minimum, maximum, expected
+):
+    class FakeProcess(object):
+        def __init__(self, pid):
+            pass
 
-  # No override and CPU affinity * multiplier is above max => max.
-  ('registry', {}, [0, 1, 2, 3], 20, 8, 64, 64),
+        def cpu_affinity(self):
+            return cpu_affinity
 
-  # Override based on specific env var.
-  ('registry', {
-    'WORKER_COUNT_REGISTRY': 12,
-  }, [0, 1], 10, 8, 64, 12),
-
-  # Override based on specific env var (ignores maximum).
-  ('registry', {
-    'WORKER_COUNT_REGISTRY': 120,
-  }, [0, 1], 10, 8, 64, 120),
-
-  # Override based on specific env var (respects minimum).
-  ('registry', {
-    'WORKER_COUNT_REGISTRY': 1,
-  }, [0, 1], 10, 8, 64, 8),
-
-  # Override based on generic env var.
-  ('registry', {
-    'WORKER_COUNT': 12,
-  }, [0, 1], 10, 8, 64, 12),
-
-  # Override based on generic env var (ignores maximum).
-  ('registry', {
-    'WORKER_COUNT': 120,
-  }, [0, 1], 10, 8, 64, 120),
-
-  # Override based on generic env var (respects minimum).
-  ('registry', {
-    'WORKER_COUNT': 1,
-  }, [0, 1], 10, 8, 64, 8),
-
-  # Override always uses specific first.
-  ('registry', {
-    'WORKER_COUNT_REGISTRY': 120,
-    'WORKER_COUNT': 12,
-  }, [0, 1], 10, 8, 64, 120),
-
-  # Non-matching override.
-  ('verbs', {
-    'WORKER_COUNT_REGISTRY': 120,
-  }, [0, 1], 10, 8, 64, 20),
-
-  # Zero worker count (use defaults).
-  ('verbs', {
-    'WORKER_COUNT': 0,
-  }, [0, 1], 10, 8, 64, 8),
-])
-def test_get_worker_count(kind_name, env_vars, cpu_affinity, multiplier, minimum, maximum,
-                          expected):
-  class FakeProcess(object):
-    def __init__(self, pid):
-      pass
-
-    def cpu_affinity(self):
-      return cpu_affinity
-
-  with patch('os.environ.get', env_vars.get):
-    with patch('psutil.Process', FakeProcess):
-      assert get_worker_count(kind_name, multiplier, minimum, maximum) == expected
+    with patch("os.environ.get", env_vars.get):
+        with patch("psutil.Process", FakeProcess):
+            assert get_worker_count(kind_name, multiplier, minimum, maximum) == expected
diff --git a/util/timedeltastring.py b/util/timedeltastring.py
index 3f0c5c368..dd15db5d8 100644
--- a/util/timedeltastring.py
+++ b/util/timedeltastring.py
@@ -1,7 +1,8 @@
 from datetime import timedelta
 
+
 def convert_to_timedelta(time_val):
-  """
+    """
   From: code.activestate.com/recipes/577894-convert-strings-like-5d-and-60s-to-timedelta-objec
 
   Given a *time_val* (string) such as '5d', returns a timedelta object
@@ -29,16 +30,16 @@ def convert_to_timedelta(time_val):
       >>> convert_to_timedelta('120s')
       datetime.timedelta(0, 120)
   """
-  num = int(time_val[:-1])
-  if time_val.endswith('s'):
-    return timedelta(seconds=num)
-  elif time_val.endswith('m'):
-    return timedelta(minutes=num)
-  elif time_val.endswith('h'):
-    return timedelta(hours=num)
-  elif time_val.endswith('d'):
-    return timedelta(days=num)
-  elif time_val.endswith('w'):
-    return timedelta(days=num*7)
-  else:
-    raise ValueError('Unknown suffix on timedelta: %s' % time_val)
+    num = int(time_val[:-1])
+    if time_val.endswith("s"):
+        return timedelta(seconds=num)
+    elif time_val.endswith("m"):
+        return timedelta(minutes=num)
+    elif time_val.endswith("h"):
+        return timedelta(hours=num)
+    elif time_val.endswith("d"):
+        return timedelta(days=num)
+    elif time_val.endswith("w"):
+        return timedelta(days=num * 7)
+    else:
+        raise ValueError("Unknown suffix on timedelta: %s" % time_val)
diff --git a/util/tufmetadata/api.py b/util/tufmetadata/api.py
index 9c039477a..6f360fa38 100644
--- a/util/tufmetadata/api.py
+++ b/util/tufmetadata/api.py
@@ -12,49 +12,57 @@ from data.database import CloseForLongOperation
 from util.abchelpers import nooper
 from util.failover import failover, FailoverException
 from util.security.instancekeys import InstanceKeys
-from util.security.registry_jwt import (build_context_and_subject, generate_bearer_token,
-                                        SIGNER_TUF_ROOT)
+from util.security.registry_jwt import (
+    build_context_and_subject,
+    generate_bearer_token,
+    SIGNER_TUF_ROOT,
+)
 
 
-DEFAULT_HTTP_HEADERS = {'Connection': 'close'}
-MITM_CERT_PATH = '/conf/mitm.cert'
+DEFAULT_HTTP_HEADERS = {"Connection": "close"}
+MITM_CERT_PATH = "/conf/mitm.cert"
 TOKEN_VALIDITY_LIFETIME_S = 60 * 60  # 1 hour
 
 logger = logging.getLogger(__name__)
 
 
 class InvalidMetadataException(Exception):
-  """ Exception raised when the upstream API metadata that doesn't parse correctly. """
-  pass
+    """ Exception raised when the upstream API metadata that doesn't parse correctly. """
+
+    pass
 
 
 class Non200ResponseException(Exception):
-  """ Exception raised when the upstream API returns a non-200 HTTP status code. """
-  def __init__(self, response):
-    super(Non200ResponseException, self).__init__()
-    self.response = response
+    """ Exception raised when the upstream API returns a non-200 HTTP status code. """
+
+    def __init__(self, response):
+        super(Non200ResponseException, self).__init__()
+        self.response = response
 
 
 class TUFMetadataAPI(object):
-  """ Helper class for talking to the TUF Metadata service (Apostille). """
-  def __init__(self, app, config, client=None):
-    feature_enabled = config.get('FEATURE_SIGNING', False)
-    if feature_enabled:
-      self.state = ImplementedTUFMetadataAPI(app, config, client=client)
-    else:
-      self.state = NoopTUFMetadataAPI()
+    """ Helper class for talking to the TUF Metadata service (Apostille). """
 
-  def __getattr__(self, name):
-    return getattr(self.state, name, None)
+    def __init__(self, app, config, client=None):
+        feature_enabled = config.get("FEATURE_SIGNING", False)
+        if feature_enabled:
+            self.state = ImplementedTUFMetadataAPI(app, config, client=client)
+        else:
+            self.state = NoopTUFMetadataAPI()
+
+    def __getattr__(self, name):
+        return getattr(self.state, name, None)
 
 
 @add_metaclass(ABCMeta)
 class TUFMetadataAPIInterface(object):
-  """ Helper class for talking to the TUF Metadata service (Apostille). """
+    """ Helper class for talking to the TUF Metadata service (Apostille). """
 
-  @abstractmethod
-  def get_default_tags_with_expiration(self, namespace, repository, targets_file=None):
-    """
+    @abstractmethod
+    def get_default_tags_with_expiration(
+        self, namespace, repository, targets_file=None
+    ):
+        """
     Gets the tag -> sha mappings for a repo, as well as the expiration of the signatures.
     Does not verify the metadata, this is purely for display purposes.
 
@@ -66,11 +74,13 @@ class TUFMetadataAPIInterface(object):
     Returns:
       targets, expiration or None, None
     """
-    pass
+        pass
 
-  @abstractmethod
-  def get_all_tags_with_expiration(self, namespace, repository, targets_file=None, targets_map=None):
-    """
+    @abstractmethod
+    def get_all_tags_with_expiration(
+        self, namespace, repository, targets_file=None, targets_map=None
+    ):
+        """
     Gets the tag -> sha mappings of all delegations for a repo, as well as the expiration of the signatures.
     Does not verify the metadata, this is purely for display purposes.
     
@@ -82,11 +92,11 @@ class TUFMetadataAPIInterface(object):
     Returns:
       targets
     """
-    pass
-  
-  @abstractmethod
-  def delete_metadata(self, namespace, repository):
-    """
+        pass
+
+    @abstractmethod
+    def delete_metadata(self, namespace, repository):
+        """
     Deletes the TUF metadata for a repo
 
     Args:
@@ -96,25 +106,28 @@ class TUFMetadataAPIInterface(object):
     Returns:
        True if successful, False otherwise
     """
-    pass
+        pass
 
 
 @nooper
 class NoopTUFMetadataAPI(TUFMetadataAPIInterface):
-  """ No-op version of the TUF API. """
-  pass
+    """ No-op version of the TUF API. """
+
+    pass
 
 
 class ImplementedTUFMetadataAPI(TUFMetadataAPIInterface):
-  def __init__(self, app, config, client=None):
-    self._app = app
-    self._instance_keys = InstanceKeys(app)
-    self._config = config
-    self._client = client or config['HTTPCLIENT']
-    self._gun_prefix = config['TUF_GUN_PREFIX'] or config['SERVER_HOSTNAME']
+    def __init__(self, app, config, client=None):
+        self._app = app
+        self._instance_keys = InstanceKeys(app)
+        self._config = config
+        self._client = client or config["HTTPCLIENT"]
+        self._gun_prefix = config["TUF_GUN_PREFIX"] or config["SERVER_HOSTNAME"]
 
-  def get_default_tags_with_expiration(self, namespace, repository, targets_file=None):
-    """
+    def get_default_tags_with_expiration(
+        self, namespace, repository, targets_file=None
+    ):
+        """
     Gets the tag -> sha mappings for a repo, as well as the expiration of the signatures.
     Does not verify the metadata, this is purely for display purposes.
 
@@ -127,17 +140,19 @@ class ImplementedTUFMetadataAPI(TUFMetadataAPIInterface):
       targets, expiration or None, None
     """
 
-    if not targets_file:
-      targets_file = 'targets/releases.json'
+        if not targets_file:
+            targets_file = "targets/releases.json"
 
-    signed = self._get_signed(namespace, repository, targets_file)
-    if not signed:
-      return None, None
+        signed = self._get_signed(namespace, repository, targets_file)
+        if not signed:
+            return None, None
 
-    return signed.get('targets'), signed.get('expires')
-  
-  def get_all_tags_with_expiration(self, namespace, repository, targets_file=None, targets_map=None):
-    """
+        return signed.get("targets"), signed.get("expires")
+
+    def get_all_tags_with_expiration(
+        self, namespace, repository, targets_file=None, targets_map=None
+    ):
+        """
     Gets the tag -> sha mappings of all delegations for a repo, as well as the expiration of the signatures.
     Does not verify the metadata, this is purely for display purposes.
 
@@ -150,36 +165,43 @@ class ImplementedTUFMetadataAPI(TUFMetadataAPIInterface):
       targets
     """
 
-    if not targets_file:
-      targets_file = 'targets.json'
+        if not targets_file:
+            targets_file = "targets.json"
 
-    targets_name = targets_file
-    if targets_name.endswith('.json'):
-      targets_name = targets_name[:-5]
-      
-    if not targets_map:
-      targets_map = {}
-      
-    signed = self._get_signed(namespace, repository, targets_file)
-    if not signed:
-      targets_map[targets_name] = None
-      return targets_map
+        targets_name = targets_file
+        if targets_name.endswith(".json"):
+            targets_name = targets_name[:-5]
 
-    if signed.get('targets'):
-      targets_map[targets_name] = {
-        'targets':  signed.get('targets'),
-        'expiration':  signed.get('expires'),
-      }
+        if not targets_map:
+            targets_map = {}
 
-    delegation_names = [role.get('name') for role in signed.get('delegations').get('roles')]
+        signed = self._get_signed(namespace, repository, targets_file)
+        if not signed:
+            targets_map[targets_name] = None
+            return targets_map
 
-    for delegation in delegation_names:
-      targets_map = self.get_all_tags_with_expiration(namespace, repository, targets_file=delegation + '.json', targets_map=targets_map)
-   
-    return targets_map
+        if signed.get("targets"):
+            targets_map[targets_name] = {
+                "targets": signed.get("targets"),
+                "expiration": signed.get("expires"),
+            }
 
-  def delete_metadata(self, namespace, repository):
-    """
+        delegation_names = [
+            role.get("name") for role in signed.get("delegations").get("roles")
+        ]
+
+        for delegation in delegation_names:
+            targets_map = self.get_all_tags_with_expiration(
+                namespace,
+                repository,
+                targets_file=delegation + ".json",
+                targets_map=targets_map,
+            )
+
+        return targets_map
+
+    def delete_metadata(self, namespace, repository):
+        """
     Deletes the TUF metadata for a repo
 
     Args:
@@ -189,103 +211,137 @@ class ImplementedTUFMetadataAPI(TUFMetadataAPIInterface):
     Returns:
        True if successful, False otherwise
     """
-    gun = self._gun(namespace, repository)
-    try:
-      self._delete(gun)
-    except requests.exceptions.Timeout:
-      logger.exception('Timeout when trying to delete metadata for %s', gun)
-      return False
-    except requests.exceptions.ConnectionError:
-      logger.exception('Connection error when trying to delete metadata for %s', gun)
-      return False
-    except (requests.exceptions.RequestException, ValueError):
-      logger.exception('Failed to delete metadata for %s', gun)
-      return False
-    except Non200ResponseException as ex:
-      logger.exception('Failed request for %s: %s %s', gun, ex.response, str(ex))
-      return False
-    return True
+        gun = self._gun(namespace, repository)
+        try:
+            self._delete(gun)
+        except requests.exceptions.Timeout:
+            logger.exception("Timeout when trying to delete metadata for %s", gun)
+            return False
+        except requests.exceptions.ConnectionError:
+            logger.exception(
+                "Connection error when trying to delete metadata for %s", gun
+            )
+            return False
+        except (requests.exceptions.RequestException, ValueError):
+            logger.exception("Failed to delete metadata for %s", gun)
+            return False
+        except Non200ResponseException as ex:
+            logger.exception("Failed request for %s: %s %s", gun, ex.response, str(ex))
+            return False
+        return True
 
-  def _gun(self, namespace, repository):
-    return join(self._gun_prefix, namespace, repository)
-  
-  def _get_signed(self, namespace, repository, targets_file):
-    gun = self._gun(namespace, repository)
+    def _gun(self, namespace, repository):
+        return join(self._gun_prefix, namespace, repository)
 
-    try:
-      response = self._get(gun, targets_file)
-      signed = self._parse_signed(response.json())
-      return signed
-    except requests.exceptions.Timeout:
-      logger.exception('Timeout when trying to get metadata for %s', gun)
-    except requests.exceptions.ConnectionError:
-      logger.exception('Connection error when trying to get metadata for %s', gun)
-    except (requests.exceptions.RequestException, ValueError):
-      logger.exception('Failed to get metadata for %s', gun)
-    except Non200ResponseException as ex:
-      logger.exception('Failed request for %s: %s %s', gun, ex.response, str(ex))
-    except InvalidMetadataException as ex:
-      logger.exception('Failed to parse targets from metadata: %s', str(ex))
-    return None
+    def _get_signed(self, namespace, repository, targets_file):
+        gun = self._gun(namespace, repository)
 
-  def _parse_signed(self, json_response):
-    """ Attempts to parse the targets from a metadata response """
-    signed = json_response.get('signed')
-    if not signed:
-      raise InvalidMetadataException("Could not find `signed` in metadata: %s" % json_response)
-    return signed
+        try:
+            response = self._get(gun, targets_file)
+            signed = self._parse_signed(response.json())
+            return signed
+        except requests.exceptions.Timeout:
+            logger.exception("Timeout when trying to get metadata for %s", gun)
+        except requests.exceptions.ConnectionError:
+            logger.exception("Connection error when trying to get metadata for %s", gun)
+        except (requests.exceptions.RequestException, ValueError):
+            logger.exception("Failed to get metadata for %s", gun)
+        except Non200ResponseException as ex:
+            logger.exception("Failed request for %s: %s %s", gun, ex.response, str(ex))
+        except InvalidMetadataException as ex:
+            logger.exception("Failed to parse targets from metadata: %s", str(ex))
+        return None
 
-  def _auth_header(self, gun, actions):
-    """ Generate a registry auth token for apostille"""
-    access = [{
-      'type': 'repository',
-      'name': gun,
-      'actions': actions,
-    }]
-    context, subject = build_context_and_subject(auth_context=None, tuf_roots={gun: SIGNER_TUF_ROOT})
-    token = generate_bearer_token(self._config["SERVER_HOSTNAME"], subject, context, access,
-                                  TOKEN_VALIDITY_LIFETIME_S, self._instance_keys)
-    return {'Authorization': 'Bearer %s' % token}
+    def _parse_signed(self, json_response):
+        """ Attempts to parse the targets from a metadata response """
+        signed = json_response.get("signed")
+        if not signed:
+            raise InvalidMetadataException(
+                "Could not find `signed` in metadata: %s" % json_response
+            )
+        return signed
 
-  def _get(self, gun, metadata_file):
-    return self._call('GET', '/v2/%s/_trust/tuf/%s' % (gun, metadata_file), headers=self._auth_header(gun, ['pull']))
+    def _auth_header(self, gun, actions):
+        """ Generate a registry auth token for apostille"""
+        access = [{"type": "repository", "name": gun, "actions": actions}]
+        context, subject = build_context_and_subject(
+            auth_context=None, tuf_roots={gun: SIGNER_TUF_ROOT}
+        )
+        token = generate_bearer_token(
+            self._config["SERVER_HOSTNAME"],
+            subject,
+            context,
+            access,
+            TOKEN_VALIDITY_LIFETIME_S,
+            self._instance_keys,
+        )
+        return {"Authorization": "Bearer %s" % token}
 
-  def _delete(self, gun):
-    return self._call('DELETE', '/v2/%s/_trust/tuf/' % (gun), headers=self._auth_header(gun, ['*']))
+    def _get(self, gun, metadata_file):
+        return self._call(
+            "GET",
+            "/v2/%s/_trust/tuf/%s" % (gun, metadata_file),
+            headers=self._auth_header(gun, ["pull"]),
+        )
 
-  def _request(self, method, endpoint, path, body, headers, params, timeout):
-    """ Issues an HTTP request to the signing endpoint. """
-    url = urljoin(endpoint, path)
-    logger.debug('%sing signing URL %s', method.upper(), url)
+    def _delete(self, gun):
+        return self._call(
+            "DELETE",
+            "/v2/%s/_trust/tuf/" % (gun),
+            headers=self._auth_header(gun, ["*"]),
+        )
 
-    headers.update(DEFAULT_HTTP_HEADERS)
-    resp = self._client.request(method, url, json=body, params=params, timeout=timeout,
-                                verify=True, headers=headers)
-    if resp.status_code // 100 != 2:
-      raise Non200ResponseException(resp)
-    return resp
+    def _request(self, method, endpoint, path, body, headers, params, timeout):
+        """ Issues an HTTP request to the signing endpoint. """
+        url = urljoin(endpoint, path)
+        logger.debug("%sing signing URL %s", method.upper(), url)
 
-  def _call(self, method, path, params=None, body=None, headers=None):
-    """ Issues an HTTP request to signing service and handles failover for GET requests.
+        headers.update(DEFAULT_HTTP_HEADERS)
+        resp = self._client.request(
+            method,
+            url,
+            json=body,
+            params=params,
+            timeout=timeout,
+            verify=True,
+            headers=headers,
+        )
+        if resp.status_code // 100 != 2:
+            raise Non200ResponseException(resp)
+        return resp
+
+    def _call(self, method, path, params=None, body=None, headers=None):
+        """ Issues an HTTP request to signing service and handles failover for GET requests.
     """
-    timeout = self._config.get('TUF_API_TIMEOUT_SECONDS', 1)
-    endpoint = self._config['TUF_SERVER']
+        timeout = self._config.get("TUF_API_TIMEOUT_SECONDS", 1)
+        endpoint = self._config["TUF_SERVER"]
 
-    with CloseForLongOperation(self._config):
-      # If the request isn't a read do not fail over.
-      if method != 'GET':
-        return self._request(method, endpoint, path, body, headers, params, timeout)
+        with CloseForLongOperation(self._config):
+            # If the request isn't a read do not fail over.
+            if method != "GET":
+                return self._request(
+                    method, endpoint, path, body, headers, params, timeout
+                )
 
-      # The request is read-only and can failover.
-      all_endpoints = [endpoint] + self._config.get('TUF_READONLY_FAILOVER_ENDPOINTS', [])
-      return _failover_read_request(*[((self._request, endpoint, path, body, headers, params, timeout), {})
-                                      for endpoint in all_endpoints])
+            # The request is read-only and can failover.
+            all_endpoints = [endpoint] + self._config.get(
+                "TUF_READONLY_FAILOVER_ENDPOINTS", []
+            )
+            return _failover_read_request(
+                *[
+                    (
+                        (self._request, endpoint, path, body, headers, params, timeout),
+                        {},
+                    )
+                    for endpoint in all_endpoints
+                ]
+            )
 
 
 @failover
 def _failover_read_request(request_fn, endpoint, path, body, headers, params, timeout):
-  """ This function auto-retries read-only requests until they return a 2xx status code. """
-  try:
-    return request_fn('GET', endpoint, path, body, headers, params, timeout)
-  except (requests.exceptions.RequestException, Non200ResponseException) as ex:
-    raise FailoverException(ex)
+    """ This function auto-retries read-only requests until they return a 2xx status code. """
+    try:
+        return request_fn("GET", endpoint, path, body, headers, params, timeout)
+    except (requests.exceptions.RequestException, Non200ResponseException) as ex:
+        raise FailoverException(ex)
diff --git a/util/tufmetadata/test/test_tufmetadata.py b/util/tufmetadata/test/test_tufmetadata.py
index faeb409a2..f91687791 100644
--- a/util/tufmetadata/test/test_tufmetadata.py
+++ b/util/tufmetadata/test/test_tufmetadata.py
@@ -1,6 +1,6 @@
 import pytest
 import requests
-from mock import mock,patch
+from mock import mock, patch
 
 from flask import Flask
 
@@ -10,239 +10,252 @@ from util.tufmetadata import api
 
 
 valid_response = {
-  'signed' : {
-    'type': 'Targets',
-    'delegations': {
-      'keys': {},
-      'roles': {},
-    },
-    'expires': '2020-03-30T18:55:26.594764859-04:00',
-    'targets': {
-      'latest': {
-        'hashes': {
-          'sha256': 'mLmxwTyUrqIRDaz8uaBapfrp3GPERfsDg2kiMujlteo='
+    "signed": {
+        "type": "Targets",
+        "delegations": {"keys": {}, "roles": {}},
+        "expires": "2020-03-30T18:55:26.594764859-04:00",
+        "targets": {
+            "latest": {
+                "hashes": {"sha256": "mLmxwTyUrqIRDaz8uaBapfrp3GPERfsDg2kiMujlteo="},
+                "length": 1500,
+            }
         },
-        'length': 1500
-      }
+        "version": 2,
     },
-    'version': 2
-  },
-  'signatures': [
-    {
-      'method': 'ecdsa',
-      'sig': 'yYnJGsYAYEL9PSwXisdG7JUEM1YK2IIKM147K3fWJthF4w+vl3xOm67r5ZNuDK6ss/Ff+x8yljZdT3sE/Hg5mw=='
-    }
-  ]
+    "signatures": [
+        {
+            "method": "ecdsa",
+            "sig": "yYnJGsYAYEL9PSwXisdG7JUEM1YK2IIKM147K3fWJthF4w+vl3xOm67r5ZNuDK6ss/Ff+x8yljZdT3sE/Hg5mw==",
+        }
+    ],
 }
 
 valid_targets_with_delegation = {
-  "signed": {
-    "_type": "Targets",
-    "delegations": {
-      "keys": {
-        "5e71c65cb1ba794f253fa377c970a237799745adab92024522b12f5b2f1d3031": {
-          "keytype": "ecdsa-x509",
-          "keyval": {
-            "private": None,
-            "public": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUI4akNDQVppZ0F3SUJBZ0lVTDIxVm5aakZFZ0hFTjV5OFhHbUJZWi9ta1U4d0NnWUlLb1pJemowRUF3SXcKU0RFTE1Ba0dBMVVFQmhNQ1ZWTXhDekFKQmdOVkJBZ1RBa05CTVJZd0ZBWURWUVFIRXcxVFlXNGdSbkpoYm1OcApjMk52TVJRd0VnWURWUVFERXd0bGVHRnRjR3hsTG01bGREQWVGdzB4TnpBMU1Ea3dNVEkyTURCYUZ3MHhPREExCk1Ea3dNVEkyTURCYU1DUXhJakFnQmdOVkJBTVRHWE4wWVdkcGJtY3VjWFZoZVM1cGJ5OXhkV0Y1TDNGMVlYa3cKV1RBVEJnY3Foa2pPUFFJQkJnZ3Foa2pPUFFNQkJ3TkNBQVNmbVFSQmpJeUw2WHdoSW0zbnE4TEtLSXJqT3czVApmU2ZMUmMyQlhQeU9uS2EvandvaVdBdHlMSFdwcmlJNTlBM2ZtbmtHK1FUVlBlMkJGTUNrS0xMQ280R0RNSUdBCk1BNEdBMVVkRHdFQi93UUVBd0lGb0RBVEJnTlZIU1VFRERBS0JnZ3JCZ0VGQlFjREFUQU1CZ05WSFJNQkFmOEUKQWpBQU1CMEdBMVVkRGdRV0JCUk96NjFUS2wxd1B5aTJPdWJ3dmlURkZYVlB4REFmQmdOVkhTTUVHREFXZ0JSVgpBbGl0dVZWajF3RXIwaVZhMjcwN244S3htakFMQmdOVkhSRUVCREFDZ2dBd0NnWUlLb1pJemowRUF3SURTQUF3ClJRSWdHaVZGTUprNDNWYVBRNHJ0S1BhNGp3amIxcjF0b05vTE5KTzhlRU02OSs0Q0lRRHl1VXk5cFFwTXFmU3gKelRiNVB5SjJ0STI5bHdkem0yVUZsSDhRd0FPTnhRPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo="
-          }
+    "signed": {
+        "_type": "Targets",
+        "delegations": {
+            "keys": {
+                "5e71c65cb1ba794f253fa377c970a237799745adab92024522b12f5b2f1d3031": {
+                    "keytype": "ecdsa-x509",
+                    "keyval": {
+                        "private": None,
+                        "public": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUI4akNDQVppZ0F3SUJBZ0lVTDIxVm5aakZFZ0hFTjV5OFhHbUJZWi9ta1U4d0NnWUlLb1pJemowRUF3SXcKU0RFTE1Ba0dBMVVFQmhNQ1ZWTXhDekFKQmdOVkJBZ1RBa05CTVJZd0ZBWURWUVFIRXcxVFlXNGdSbkpoYm1OcApjMk52TVJRd0VnWURWUVFERXd0bGVHRnRjR3hsTG01bGREQWVGdzB4TnpBMU1Ea3dNVEkyTURCYUZ3MHhPREExCk1Ea3dNVEkyTURCYU1DUXhJakFnQmdOVkJBTVRHWE4wWVdkcGJtY3VjWFZoZVM1cGJ5OXhkV0Y1TDNGMVlYa3cKV1RBVEJnY3Foa2pPUFFJQkJnZ3Foa2pPUFFNQkJ3TkNBQVNmbVFSQmpJeUw2WHdoSW0zbnE4TEtLSXJqT3czVApmU2ZMUmMyQlhQeU9uS2EvandvaVdBdHlMSFdwcmlJNTlBM2ZtbmtHK1FUVlBlMkJGTUNrS0xMQ280R0RNSUdBCk1BNEdBMVVkRHdFQi93UUVBd0lGb0RBVEJnTlZIU1VFRERBS0JnZ3JCZ0VGQlFjREFUQU1CZ05WSFJNQkFmOEUKQWpBQU1CMEdBMVVkRGdRV0JCUk96NjFUS2wxd1B5aTJPdWJ3dmlURkZYVlB4REFmQmdOVkhTTUVHREFXZ0JSVgpBbGl0dVZWajF3RXIwaVZhMjcwN244S3htakFMQmdOVkhSRUVCREFDZ2dBd0NnWUlLb1pJemowRUF3SURTQUF3ClJRSWdHaVZGTUprNDNWYVBRNHJ0S1BhNGp3amIxcjF0b05vTE5KTzhlRU02OSs0Q0lRRHl1VXk5cFFwTXFmU3gKelRiNVB5SjJ0STI5bHdkem0yVUZsSDhRd0FPTnhRPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=",
+                    },
+                },
+                "78cf3c9de9d59f61391bfa183cfdc676ab4e9b179cf5c1c42019a5271d2542b0": {
+                    "keytype": "ecdsa-x509",
+                    "keyval": {
+                        "private": None,
+                        "public": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUIrVENDQWFDZ0F3SUJBZ0lVZkxPV0FzT2x5UjZaSVYxS1UrTW56K2pYekY4d0NnWUlLb1pJemowRUF3SXcKU0RFTE1Ba0dBMVVFQmhNQ1ZWTXhDekFKQmdOVkJBZ1RBa05CTVJZd0ZBWURWUVFIRXcxVFlXNGdSbkpoYm1OcApjMk52TVJRd0VnWURWUVFERXd0bGVHRnRjR3hsTG01bGREQWVGdzB4TnpBMU1UQXhPRFUxTURCYUZ3MHhPREExCk1UQXhPRFUxTURCYU1Dd3hLakFvQmdOVkJBTVRJWE4wWVdkcGJtY3VjWFZoZVM1cGJ5OXhkV0Y1TDNGMVlYa3QKYzNSaFoybHVaekJaTUJNR0J5cUdTTTQ5QWdFR0NDcUdTTTQ5QXdFSEEwSUFCT2hnMCtxdTRtTHFPaEVQOC8zZAp0YXBMaHlwbHBoNGlaQkZMekpQNjlqTEJJSnN4aTdGTkxvZzBJY2tYQnNndmNRMFFEdE9XT3k0TFhBQ3Nqc0FzCndmQ2pnWU13Z1lBd0RnWURWUjBQQVFIL0JBUURBZ1dnTUJNR0ExVWRKUVFNTUFvR0NDc0dBUVVGQndNQk1Bd0cKQTFVZEV3RUIvd1FDTUFBd0hRWURWUjBPQkJZRUZMNCtDVXBLYm5YeHU1OXRQbzE2aFNWK21hTE1NQjhHQTFVZApJd1FZTUJhQUZFbzA5QU9keGNwSnAxaVJZSyt0V1JOMlltSGZNQXNHQTFVZEVRUUVNQUtDQURBS0JnZ3Foa2pPClBRUURBZ05IQURCRUFpQTVLN20vb0g0clZTTTloUmFGc3lWUzhWVTlQNzhCVHJaZ2xERjFKSFFkblFJZ0thcTMKbzRLcjBoelRzMng3cFVtWFZlWW4xbGJaRlRaZXJ3QzhTcXhtVHBZPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==",
+                    },
+                },
+                "ada8b980813a887f007a1c42376c35a81cbba3b1090aae16cbffedb9004934c8": {
+                    "keytype": "ecdsa-x509",
+                    "keyval": {
+                        "private": None,
+                        "public": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUIrakNDQWFDZ0F3SUJBZ0lVTUdzU0hyMWZLK3htaG81STFJdStIcXEzbjZ3d0NnWUlLb1pJemowRUF3SXcKU0RFTE1Ba0dBMVVFQmhNQ1ZWTXhDekFKQmdOVkJBZ1RBa05CTVJZd0ZBWURWUVFIRXcxVFlXNGdSbkpoYm1OcApjMk52TVJRd0VnWURWUVFERXd0bGVHRnRjR3hsTG01bGREQWVGdzB4TnpBMU1UQXdNVEl4TURCYUZ3MHhPREExCk1UQXdNVEl4TURCYU1Dd3hLakFvQmdOVkJBTVRJWE4wWVdkcGJtY3VjWFZoZVM1cGJ5OXhkV0Y1TDNGMVlYa3QKYzNSaFoybHVaekJaTUJNR0J5cUdTTTQ5QWdFR0NDcUdTTTQ5QXdFSEEwSUFCRlY4YVBhTjMzTE5HSWtMTVFnZwpJYjk1VzF5aGEvblpLYm1vdXF4c0VOdWhYZitUZmZnUjlIOVFsMHVIaVJQTzZWRFhKMU90K2h6eDk5SGVMdHRQClRCeWpnWU13Z1lBd0RnWURWUjBQQVFIL0JBUURBZ1dnTUJNR0ExVWRKUVFNTUFvR0NDc0dBUVVGQndNQk1Bd0cKQTFVZEV3RUIvd1FDTUFBd0hRWURWUjBPQkJZRUZFZHVRVThaei83THUrdGxod0lyYWM0ZmFGNmVNQjhHQTFVZApJd1FZTUJhQUZEK21iblFMUXlHTmcxMFc2dUxHcDRGSldRNnBNQXNHQTFVZEVRUUVNQUtDQURBS0JnZ3Foa2pPClBRUURBZ05JQURCRkFpQlB6Z2x3OFYyaHhKWXM2WDFrNE9hb255bkx2b3hxbGJweFJtWkRaNmFwcGdJaEFJd1oKdmp1MFpQYjZuaGZWTkF5b3dNM09XdEFVYm95eEZCcDBxd2FYMzFYSgotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==",
+                    },
+                },
+                "e2727632903bf9d0ac6856c6e4f8cb44f443c220ecf51e2fb6b465c7d85b9169": {
+                    "keytype": "ecdsa-x509",
+                    "keyval": {
+                        "private": None,
+                        "public": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUI4ekNDQVppZ0F3SUJBZ0lVWS9IdzVKL2lkTzA3M3BMR2U0b3BxZytpcVBrd0NnWUlLb1pJemowRUF3SXcKU0RFTE1Ba0dBMVVFQmhNQ1ZWTXhDekFKQmdOVkJBZ1RBa05CTVJZd0ZBWURWUVFIRXcxVFlXNGdSbkpoYm1OcApjMk52TVJRd0VnWURWUVFERXd0bGVHRnRjR3hsTG01bGREQWVGdzB4TnpBMU1Ea3hOekl6TURCYUZ3MHhPREExCk1Ea3hOekl6TURCYU1DUXhJakFnQmdOVkJBTVRHWE4wWVdkcGJtY3VjWFZoZVM1cGJ5OXhkV0Y1TDNGMVlYa3cKV1RBVEJnY3Foa2pPUFFJQkJnZ3Foa2pPUFFNQkJ3TkNBQVRrMFl0VmdWRHZpbnpwM1g3NHhOS0tKK2hldVptWgpqeWgwZnQ2Ny8yQ1NnU1MwLzVtRUNtR2dJbDc5WXlsV3VRdHZkYnFrSWVNWkU1M0RkQnlnZUcrcm80R0RNSUdBCk1BNEdBMVVkRHdFQi93UUVBd0lGb0RBVEJnTlZIU1VFRERBS0JnZ3JCZ0VGQlFjREFUQU1CZ05WSFJNQkFmOEUKQWpBQU1CMEdBMVVkRGdRV0JCUzM5TnNydHZndmhlL0hhQk1CSzdvQjZ4R3ZGVEFmQmdOVkhTTUVHREFXZ0JTdwoybDdYYkJsbXVYeTZvcGdNMGF0c3ViMWJOVEFMQmdOVkhSRUVCREFDZ2dBd0NnWUlLb1pJemowRUF3SURTUUF3ClJnSWhBSjNRdThUNWdPdzVKaVNyT3c2TEtBNnZnRGduKzNEMEJJYzB2UENzd05XbkFpRUE4VW93dVBoaFE0MEMKTFY3dkhDN0t1QTBULzZLY2dLT1Rpb1VNR2FFM2MzRT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=",
+                    },
+                },
+            },
+            "roles": [
+                {
+                    "keyids": [
+                        "e2727632903bf9d0ac6856c6e4f8cb44f443c220ecf51e2fb6b465c7d85b9169",
+                        "ada8b980813a887f007a1c42376c35a81cbba3b1090aae16cbffedb9004934c8",
+                        "78cf3c9de9d59f61391bfa183cfdc676ab4e9b179cf5c1c42019a5271d2542b0",
+                        "5e71c65cb1ba794f253fa377c970a237799745adab92024522b12f5b2f1d3031",
+                    ],
+                    "name": "targets/devs",
+                    "paths": [""],
+                    "threshold": 1,
+                }
+            ],
         },
-        "78cf3c9de9d59f61391bfa183cfdc676ab4e9b179cf5c1c42019a5271d2542b0": {
-          "keytype": "ecdsa-x509",
-          "keyval": {
-            "private": None,
-            "public": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUIrVENDQWFDZ0F3SUJBZ0lVZkxPV0FzT2x5UjZaSVYxS1UrTW56K2pYekY4d0NnWUlLb1pJemowRUF3SXcKU0RFTE1Ba0dBMVVFQmhNQ1ZWTXhDekFKQmdOVkJBZ1RBa05CTVJZd0ZBWURWUVFIRXcxVFlXNGdSbkpoYm1OcApjMk52TVJRd0VnWURWUVFERXd0bGVHRnRjR3hsTG01bGREQWVGdzB4TnpBMU1UQXhPRFUxTURCYUZ3MHhPREExCk1UQXhPRFUxTURCYU1Dd3hLakFvQmdOVkJBTVRJWE4wWVdkcGJtY3VjWFZoZVM1cGJ5OXhkV0Y1TDNGMVlYa3QKYzNSaFoybHVaekJaTUJNR0J5cUdTTTQ5QWdFR0NDcUdTTTQ5QXdFSEEwSUFCT2hnMCtxdTRtTHFPaEVQOC8zZAp0YXBMaHlwbHBoNGlaQkZMekpQNjlqTEJJSnN4aTdGTkxvZzBJY2tYQnNndmNRMFFEdE9XT3k0TFhBQ3Nqc0FzCndmQ2pnWU13Z1lBd0RnWURWUjBQQVFIL0JBUURBZ1dnTUJNR0ExVWRKUVFNTUFvR0NDc0dBUVVGQndNQk1Bd0cKQTFVZEV3RUIvd1FDTUFBd0hRWURWUjBPQkJZRUZMNCtDVXBLYm5YeHU1OXRQbzE2aFNWK21hTE1NQjhHQTFVZApJd1FZTUJhQUZFbzA5QU9keGNwSnAxaVJZSyt0V1JOMlltSGZNQXNHQTFVZEVRUUVNQUtDQURBS0JnZ3Foa2pPClBRUURBZ05IQURCRUFpQTVLN20vb0g0clZTTTloUmFGc3lWUzhWVTlQNzhCVHJaZ2xERjFKSFFkblFJZ0thcTMKbzRLcjBoelRzMng3cFVtWFZlWW4xbGJaRlRaZXJ3QzhTcXhtVHBZPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg=="
-          }
-        },
-        "ada8b980813a887f007a1c42376c35a81cbba3b1090aae16cbffedb9004934c8": {
-          "keytype": "ecdsa-x509",
-          "keyval": {
-            "private": None,
-            "public": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUIrakNDQWFDZ0F3SUJBZ0lVTUdzU0hyMWZLK3htaG81STFJdStIcXEzbjZ3d0NnWUlLb1pJemowRUF3SXcKU0RFTE1Ba0dBMVVFQmhNQ1ZWTXhDekFKQmdOVkJBZ1RBa05CTVJZd0ZBWURWUVFIRXcxVFlXNGdSbkpoYm1OcApjMk52TVJRd0VnWURWUVFERXd0bGVHRnRjR3hsTG01bGREQWVGdzB4TnpBMU1UQXdNVEl4TURCYUZ3MHhPREExCk1UQXdNVEl4TURCYU1Dd3hLakFvQmdOVkJBTVRJWE4wWVdkcGJtY3VjWFZoZVM1cGJ5OXhkV0Y1TDNGMVlYa3QKYzNSaFoybHVaekJaTUJNR0J5cUdTTTQ5QWdFR0NDcUdTTTQ5QXdFSEEwSUFCRlY4YVBhTjMzTE5HSWtMTVFnZwpJYjk1VzF5aGEvblpLYm1vdXF4c0VOdWhYZitUZmZnUjlIOVFsMHVIaVJQTzZWRFhKMU90K2h6eDk5SGVMdHRQClRCeWpnWU13Z1lBd0RnWURWUjBQQVFIL0JBUURBZ1dnTUJNR0ExVWRKUVFNTUFvR0NDc0dBUVVGQndNQk1Bd0cKQTFVZEV3RUIvd1FDTUFBd0hRWURWUjBPQkJZRUZFZHVRVThaei83THUrdGxod0lyYWM0ZmFGNmVNQjhHQTFVZApJd1FZTUJhQUZEK21iblFMUXlHTmcxMFc2dUxHcDRGSldRNnBNQXNHQTFVZEVRUUVNQUtDQURBS0JnZ3Foa2pPClBRUURBZ05JQURCRkFpQlB6Z2x3OFYyaHhKWXM2WDFrNE9hb255bkx2b3hxbGJweFJtWkRaNmFwcGdJaEFJd1oKdmp1MFpQYjZuaGZWTkF5b3dNM09XdEFVYm95eEZCcDBxd2FYMzFYSgotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg=="
-          }
-        },
-        "e2727632903bf9d0ac6856c6e4f8cb44f443c220ecf51e2fb6b465c7d85b9169": {
-          "keytype": "ecdsa-x509",
-          "keyval": {
-            "private": None,
-            "public": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUI4ekNDQVppZ0F3SUJBZ0lVWS9IdzVKL2lkTzA3M3BMR2U0b3BxZytpcVBrd0NnWUlLb1pJemowRUF3SXcKU0RFTE1Ba0dBMVVFQmhNQ1ZWTXhDekFKQmdOVkJBZ1RBa05CTVJZd0ZBWURWUVFIRXcxVFlXNGdSbkpoYm1OcApjMk52TVJRd0VnWURWUVFERXd0bGVHRnRjR3hsTG01bGREQWVGdzB4TnpBMU1Ea3hOekl6TURCYUZ3MHhPREExCk1Ea3hOekl6TURCYU1DUXhJakFnQmdOVkJBTVRHWE4wWVdkcGJtY3VjWFZoZVM1cGJ5OXhkV0Y1TDNGMVlYa3cKV1RBVEJnY3Foa2pPUFFJQkJnZ3Foa2pPUFFNQkJ3TkNBQVRrMFl0VmdWRHZpbnpwM1g3NHhOS0tKK2hldVptWgpqeWgwZnQ2Ny8yQ1NnU1MwLzVtRUNtR2dJbDc5WXlsV3VRdHZkYnFrSWVNWkU1M0RkQnlnZUcrcm80R0RNSUdBCk1BNEdBMVVkRHdFQi93UUVBd0lGb0RBVEJnTlZIU1VFRERBS0JnZ3JCZ0VGQlFjREFUQU1CZ05WSFJNQkFmOEUKQWpBQU1CMEdBMVVkRGdRV0JCUzM5TnNydHZndmhlL0hhQk1CSzdvQjZ4R3ZGVEFmQmdOVkhTTUVHREFXZ0JTdwoybDdYYkJsbXVYeTZvcGdNMGF0c3ViMWJOVEFMQmdOVkhSRUVCREFDZ2dBd0NnWUlLb1pJemowRUF3SURTUUF3ClJnSWhBSjNRdThUNWdPdzVKaVNyT3c2TEtBNnZnRGduKzNEMEJJYzB2UENzd05XbkFpRUE4VW93dVBoaFE0MEMKTFY3dkhDN0t1QTBULzZLY2dLT1Rpb1VNR2FFM2MzRT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo="
-          }
-        }
-      },
-      "roles": [
-        {
-          "keyids": [
-            "e2727632903bf9d0ac6856c6e4f8cb44f443c220ecf51e2fb6b465c7d85b9169",
-            "ada8b980813a887f007a1c42376c35a81cbba3b1090aae16cbffedb9004934c8",
-            "78cf3c9de9d59f61391bfa183cfdc676ab4e9b179cf5c1c42019a5271d2542b0",
-            "5e71c65cb1ba794f253fa377c970a237799745adab92024522b12f5b2f1d3031"
-          ],
-          "name": "targets/devs",
-          "paths": [
-            ""
-          ],
-          "threshold": 1
-        }
-      ]
+        "expires": "2020-05-09T15:06:27.189711073-04:00",
+        "targets": {},
+        "version": 4,
     },
-    "expires": "2020-05-09T15:06:27.189711073-04:00",
-    "targets": {},
-    "version": 4
-  },
-  "signatures": [
-    {
-      "keyid": "3353687138116a5950603adbcb449e4e84e61523fb4a43c7dde33d1d2e40a934",
-      "method": "ecdsa",
-      "sig": "dbuUBGQ5FdcuRxzg9SCMQ7mym5w4xxdTezWqq9UTj4GHU75pEaTHo1oZEEud+ofI66gjA6hmqljdnOsEQ6CTYw=="
-    }
-  ]
+    "signatures": [
+        {
+            "keyid": "3353687138116a5950603adbcb449e4e84e61523fb4a43c7dde33d1d2e40a934",
+            "method": "ecdsa",
+            "sig": "dbuUBGQ5FdcuRxzg9SCMQ7mym5w4xxdTezWqq9UTj4GHU75pEaTHo1oZEEud+ofI66gjA6hmqljdnOsEQ6CTYw==",
+        }
+    ],
 }
- 
+
 
 valid_delegation = {
-  "signed": {
-    "_type": "Targets",
-    "delegations": {
-      "keys": {},
-      "roles": []
+    "signed": {
+        "_type": "Targets",
+        "delegations": {"keys": {}, "roles": []},
+        "expires": "2020-05-09T15:25:05.840775035-04:00",
+        "targets": {
+            "191e5d9": {
+                "hashes": {"sha256": "DE7i9XN+sd8vkdsJWSLlujKsATmTffzzhGBPsVYRFmg="},
+                "length": 46683,
+            },
+            "977ae7a": {
+                "hashes": {"sha256": "a3e7naDPcCfMEJAv0JgmJ0h+qZQoGNDrdgwpN/5B5YY="},
+                "length": 46682,
+            },
+            "b96b871": {
+                "hashes": {"sha256": "j662F+e+3eN5QBSaFLFj24khbfWIffz24f5HGLrkyvw="},
+                "length": 46680,
+            },
+        },
+        "version": 5,
     },
-    "expires": "2020-05-09T15:25:05.840775035-04:00",
-    "targets": {
-      "191e5d9": {
-        "hashes": {
-          "sha256": "DE7i9XN+sd8vkdsJWSLlujKsATmTffzzhGBPsVYRFmg="
-        },
-        "length": 46683
-      },
-      "977ae7a": {
-        "hashes": {
-          "sha256": "a3e7naDPcCfMEJAv0JgmJ0h+qZQoGNDrdgwpN/5B5YY="
-        },
-        "length": 46682
-      },
-      "b96b871": {
-        "hashes": {
-          "sha256": "j662F+e+3eN5QBSaFLFj24khbfWIffz24f5HGLrkyvw="
-        },
-        "length": 46680
-      }
-    },
-    "version": 5
-  },
-  "signatures": [
-    {
-      "keyid": "78cf3c9de9d59f61391bfa183cfdc676ab4e9b179cf5c1c42019a5271d2542b0",
-      "method": "ecdsa",
-      "sig": "ZLW5DokQw3ipFGsS3I9d6xkUdFlKS1vuvtlR3/I9lGdQZUa+QfpdpiEhKIO92aTCsDZvBn1m4wwb0MukLH8fgA=="
-    }
-  ]
+    "signatures": [
+        {
+            "keyid": "78cf3c9de9d59f61391bfa183cfdc676ab4e9b179cf5c1c42019a5271d2542b0",
+            "method": "ecdsa",
+            "sig": "ZLW5DokQw3ipFGsS3I9d6xkUdFlKS1vuvtlR3/I9lGdQZUa+QfpdpiEhKIO92aTCsDZvBn1m4wwb0MukLH8fgA==",
+        }
+    ],
 }
 
 
-
-@pytest.mark.parametrize('tuf_prefix,server_hostname,namespace,repo,gun', [
-  ("quay.dev", "quay.io", "ns", "repo", "quay.dev/ns/repo"),
-  (None, "quay.io", "ns", "repo", "quay.io/ns/repo"),
-  ("quay.dev/", "quay.io", "ns", "repo", "quay.dev/ns/repo"),
-  (None, "quay.io/", "ns", "repo", "quay.io/ns/repo"),
-  (None, "localhost:5000/", "ns", "repo", "localhost:5000/ns/repo"),
-  (None, "localhost:5000", "ns", "repo", "localhost:5000/ns/repo"),
-])
+@pytest.mark.parametrize(
+    "tuf_prefix,server_hostname,namespace,repo,gun",
+    [
+        ("quay.dev", "quay.io", "ns", "repo", "quay.dev/ns/repo"),
+        (None, "quay.io", "ns", "repo", "quay.io/ns/repo"),
+        ("quay.dev/", "quay.io", "ns", "repo", "quay.dev/ns/repo"),
+        (None, "quay.io/", "ns", "repo", "quay.io/ns/repo"),
+        (None, "localhost:5000/", "ns", "repo", "localhost:5000/ns/repo"),
+        (None, "localhost:5000", "ns", "repo", "localhost:5000/ns/repo"),
+    ],
+)
 def test_gun(tuf_prefix, server_hostname, namespace, repo, gun):
-  app = Flask(__name__)
-  app.config.from_object(testconfig.TestConfig())
-  app.config['TUF_GUN_PREFIX'] = tuf_prefix
-  app.config['SERVER_HOSTNAME'] = server_hostname
-  tuf_api = api.TUFMetadataAPI(app, app.config)
-  assert gun == tuf_api._gun(namespace, repo)
+    app = Flask(__name__)
+    app.config.from_object(testconfig.TestConfig())
+    app.config["TUF_GUN_PREFIX"] = tuf_prefix
+    app.config["SERVER_HOSTNAME"] = server_hostname
+    tuf_api = api.TUFMetadataAPI(app, app.config)
+    assert gun == tuf_api._gun(namespace, repo)
 
-@pytest.mark.parametrize('response_code,response_body,expected', [
-  (200, valid_response, (valid_response['signed']['targets'], '2020-03-30T18:55:26.594764859-04:00')),
-  (200, {'garbage': 'data'}, (None, None))
-])
-def test_get_default_tags(response_code, response_body, expected): 
-    app = Flask(__name__) 
+
+@pytest.mark.parametrize(
+    "response_code,response_body,expected",
+    [
+        (
+            200,
+            valid_response,
+            (
+                valid_response["signed"]["targets"],
+                "2020-03-30T18:55:26.594764859-04:00",
+            ),
+        ),
+        (200, {"garbage": "data"}, (None, None)),
+    ],
+)
+def test_get_default_tags(response_code, response_body, expected):
+    app = Flask(__name__)
     app.config.from_object(testconfig.TestConfig())
     client = mock.Mock()
     request = mock.Mock(status_code=response_code)
     request.json.return_value = response_body
     client.request.return_value = request
     tuf_api = api.TUFMetadataAPI(app, app.config, client=client)
-    response = tuf_api.get_default_tags_with_expiration('quay', 'quay')
-    assert response == expected 
-    
-    
-@pytest.mark.parametrize('response_code,response_body1,response_body2,expected', [
-  (200, valid_targets_with_delegation, valid_delegation, {
-    'targets/devs': { 'targets': valid_delegation['signed']['targets'], 
-                      'expiration': valid_delegation['signed']['expires']}}),
-  (200, {'garbage': 'data'}, {'garbage': 'data'}, {'targets': None})
-])
-def test_get_all_tags(response_code, response_body1, response_body2, expected): 
-    app = Flask(__name__) 
+    response = tuf_api.get_default_tags_with_expiration("quay", "quay")
+    assert response == expected
+
+
+@pytest.mark.parametrize(
+    "response_code,response_body1,response_body2,expected",
+    [
+        (
+            200,
+            valid_targets_with_delegation,
+            valid_delegation,
+            {
+                "targets/devs": {
+                    "targets": valid_delegation["signed"]["targets"],
+                    "expiration": valid_delegation["signed"]["expires"],
+                }
+            },
+        ),
+        (200, {"garbage": "data"}, {"garbage": "data"}, {"targets": None}),
+    ],
+)
+def test_get_all_tags(response_code, response_body1, response_body2, expected):
+    app = Flask(__name__)
     app.config.from_object(testconfig.TestConfig())
     client = mock.Mock()
     request = mock.Mock(status_code=response_code)
     request.json.side_effect = [response_body1, response_body2, {}, {}, {}, {}]
     client.request.return_value = request
     tuf_api = api.TUFMetadataAPI(app, app.config, client=client)
-    response = tuf_api.get_all_tags_with_expiration('quay', 'quay')
-    assert response == expected 
-    
-@pytest.mark.parametrize('connection_error,response_code,exception', [
-  (True, 200, requests.exceptions.Timeout),
-  (True, 200, requests.exceptions.ConnectionError),
-  (False, 200, requests.exceptions.RequestException),
-  (False, 200, ValueError),
-  (True, 500, api.Non200ResponseException(mock.Mock(status_code=500))),
-  (False, 400, api.Non200ResponseException(mock.Mock(status_code=400))),
-  (False, 404, api.Non200ResponseException(mock.Mock(status_code=404))),
-  (False, 200, api.InvalidMetadataException)
-  
-])
-def test_get_metadata_exception(connection_error, response_code, exception): 
-    app = Flask(__name__) 
+    response = tuf_api.get_all_tags_with_expiration("quay", "quay")
+    assert response == expected
+
+
+@pytest.mark.parametrize(
+    "connection_error,response_code,exception",
+    [
+        (True, 200, requests.exceptions.Timeout),
+        (True, 200, requests.exceptions.ConnectionError),
+        (False, 200, requests.exceptions.RequestException),
+        (False, 200, ValueError),
+        (True, 500, api.Non200ResponseException(mock.Mock(status_code=500))),
+        (False, 400, api.Non200ResponseException(mock.Mock(status_code=400))),
+        (False, 404, api.Non200ResponseException(mock.Mock(status_code=404))),
+        (False, 200, api.InvalidMetadataException),
+    ],
+)
+def test_get_metadata_exception(connection_error, response_code, exception):
+    app = Flask(__name__)
     app.config.from_object(testconfig.TestConfig())
     request = mock.Mock(status_code=response_code)
     client = mock.Mock(request=request)
     client.request.side_effect = exception
     tuf_api = api.TUFMetadataAPI(app, app.config, client=client)
-    tags, expiration = tuf_api.get_default_tags_with_expiration('quay', 'quay')
+    tags, expiration = tuf_api.get_default_tags_with_expiration("quay", "quay")
     assert tags == None
     assert expiration == None
-    
-  
-@pytest.mark.parametrize('response_code,expected', [
-  (200, True),
-  (400, False),
-  (401, False),
-])
-def test_delete_metadata(response_code, expected): 
-    app = Flask(__name__) 
+
+
+@pytest.mark.parametrize(
+    "response_code,expected", [(200, True), (400, False), (401, False)]
+)
+def test_delete_metadata(response_code, expected):
+    app = Flask(__name__)
     app.config.from_object(testconfig.TestConfig())
     client = mock.Mock()
     request = mock.Mock(status_code=response_code)
     client.request.return_value = request
     tuf_api = api.TUFMetadataAPI(app, app.config, client=client)
-    response = tuf_api.delete_metadata('quay', 'quay')
-    assert response == expected 
-    
-@pytest.mark.parametrize('response_code,exception', [
-  (200, requests.exceptions.Timeout),
-  (200, requests.exceptions.ConnectionError),
-  (200, requests.exceptions.RequestException),
-  (200, ValueError),
-  (500, api.Non200ResponseException(mock.Mock(status_code=500))),
-  (400, api.Non200ResponseException(mock.Mock(status_code=400))),
-  (401, api.Non200ResponseException(mock.Mock(status_code=401))),
-  (404, api.Non200ResponseException(mock.Mock(status_code=404))),  
-])
-def test_delete_metadata_exception(response_code, exception): 
-    app = Flask(__name__) 
+    response = tuf_api.delete_metadata("quay", "quay")
+    assert response == expected
+
+
+@pytest.mark.parametrize(
+    "response_code,exception",
+    [
+        (200, requests.exceptions.Timeout),
+        (200, requests.exceptions.ConnectionError),
+        (200, requests.exceptions.RequestException),
+        (200, ValueError),
+        (500, api.Non200ResponseException(mock.Mock(status_code=500))),
+        (400, api.Non200ResponseException(mock.Mock(status_code=400))),
+        (401, api.Non200ResponseException(mock.Mock(status_code=401))),
+        (404, api.Non200ResponseException(mock.Mock(status_code=404))),
+    ],
+)
+def test_delete_metadata_exception(response_code, exception):
+    app = Flask(__name__)
     app.config.from_object(testconfig.TestConfig())
     request = mock.Mock(status_code=response_code)
     client = mock.Mock(request=request)
     client.request.side_effect = exception
     tuf_api = api.TUFMetadataAPI(app, app.config, client=client)
-    response = tuf_api.delete_metadata('quay', 'quay')
+    response = tuf_api.delete_metadata("quay", "quay")
     assert response == False
diff --git a/util/unicode.py b/util/unicode.py
index 392363df0..b2a171e02 100644
--- a/util/unicode.py
+++ b/util/unicode.py
@@ -1,2 +1,2 @@
 def remove_unicode(value):
-  return value.decode("ascii", "ignore")
+    return value.decode("ascii", "ignore")
diff --git a/util/useremails.py b/util/useremails.py
index 0a08eb0ca..62daf3a74 100644
--- a/util/useremails.py
+++ b/util/useremails.py
@@ -18,191 +18,242 @@ template_env = get_template_env(os.path.join(ROOT_DIR, "emails"))
 
 
 class CannotSendEmailException(Exception):
-  pass
+    pass
 
 
 class GmailAction(object):
-  """ Represents an action that can be taken in Gmail in response to the email. """
-  def __init__(self, metadata):
-    self.metadata = metadata
+    """ Represents an action that can be taken in Gmail in response to the email. """
 
-  @staticmethod
-  def confirm(name, url, description):
-    return GmailAction({
-      "@context": "http://schema.org",
-      "@type": "EmailMessage",
-      "action": {
-        "@type": 'ConfirmAction',
-        "name": name,
-        "handler": {
-          "@type": "HttpActionHandler",
-          "url": get_app_url() + '/' + url
-        }
-      },
-      "description": description
-    })
+    def __init__(self, metadata):
+        self.metadata = metadata
 
-  @staticmethod
-  def view(name, url, description):
-    return GmailAction({
-      "@context": "http://schema.org",
-      "@type": "EmailMessage",
-      "action": {
-        "@type": 'ViewAction',
-        "name": name,
-        "url": get_app_url() + '/' + url
-      },
-      "description": description
-    })
+    @staticmethod
+    def confirm(name, url, description):
+        return GmailAction(
+            {
+                "@context": "http://schema.org",
+                "@type": "EmailMessage",
+                "action": {
+                    "@type": "ConfirmAction",
+                    "name": name,
+                    "handler": {
+                        "@type": "HttpActionHandler",
+                        "url": get_app_url() + "/" + url,
+                    },
+                },
+                "description": description,
+            }
+        )
+
+    @staticmethod
+    def view(name, url, description):
+        return GmailAction(
+            {
+                "@context": "http://schema.org",
+                "@type": "EmailMessage",
+                "action": {
+                    "@type": "ViewAction",
+                    "name": name,
+                    "url": get_app_url() + "/" + url,
+                },
+                "description": description,
+            }
+        )
 
 
 def send_email(recipient, subject, template_file, parameters, action=None):
-  app_title = app.config['REGISTRY_TITLE_SHORT']
-  app_url = get_app_url()
-  html, plain = render_email(app_title, app_url, recipient, subject, template_file, parameters,
-                             action=None)
-  msg = Message('[%s] %s' % (app_title, subject), recipients=[recipient])
-  msg.html = html
-  msg.body = plain
+    app_title = app.config["REGISTRY_TITLE_SHORT"]
+    app_url = get_app_url()
+    html, plain = render_email(
+        app_title, app_url, recipient, subject, template_file, parameters, action=None
+    )
+    msg = Message("[%s] %s" % (app_title, subject), recipients=[recipient])
+    msg.html = html
+    msg.body = plain
 
-  try:
-    mail.send(msg)
-  except Exception as ex:
-    logger.exception('Error while trying to send email to %s', recipient)
-    raise CannotSendEmailException(ex.message)
+    try:
+        mail.send(msg)
+    except Exception as ex:
+        logger.exception("Error while trying to send email to %s", recipient)
+        raise CannotSendEmailException(ex.message)
 
 
-def render_email(app_title, app_url, recipient, subject, template_file, parameters, action=None):
-  def app_link_handler(url=None):
-    return app_url + '/' + url if url else app_url
+def render_email(
+    app_title, app_url, recipient, subject, template_file, parameters, action=None
+):
+    def app_link_handler(url=None):
+        return app_url + "/" + url if url else app_url
 
-  app_logo = app.config.get('ENTERPRISE_LOGO_URL', 'https://quay.io/static/img/quay-logo.png')
+    app_logo = app.config.get(
+        "ENTERPRISE_LOGO_URL", "https://quay.io/static/img/quay-logo.png"
+    )
 
-  parameters.update({
-    'subject': subject,
-    'app_logo': app_logo,
-    'app_url': app_url,
-    'app_title': app_title,
-    'hosted': features.BILLING,
-    'app_link': app_link_handler,
-    'action_metadata': json.dumps(action.metadata) if action else None,
-    'with_base_template': True,
-  })
+    parameters.update(
+        {
+            "subject": subject,
+            "app_logo": app_logo,
+            "app_url": app_url,
+            "app_title": app_title,
+            "hosted": features.BILLING,
+            "app_link": app_link_handler,
+            "action_metadata": json.dumps(action.metadata) if action else None,
+            "with_base_template": True,
+        }
+    )
 
-  rendered_html = template_env.get_template(template_file + '.html').render(parameters)
+    rendered_html = template_env.get_template(template_file + ".html").render(
+        parameters
+    )
 
-  parameters.update({
-    'with_base_template': False,
-  })
+    parameters.update({"with_base_template": False})
 
-  rendered_for_plain = template_env.get_template(template_file + '.html').render(parameters)
-  return rendered_html, html2text(rendered_for_plain)
+    rendered_for_plain = template_env.get_template(template_file + ".html").render(
+        parameters
+    )
+    return rendered_html, html2text(rendered_for_plain)
 
 
 def send_password_changed(username, email):
-  send_email(email, 'Account password changed', 'passwordchanged', {
-    'username': username
-  })
+    send_email(
+        email, "Account password changed", "passwordchanged", {"username": username}
+    )
+
 
 def send_email_changed(username, old_email, new_email):
-  send_email(old_email, 'Account e-mail address changed', 'emailchanged', {
-    'username': username,
-    'new_email': new_email
-  })
+    send_email(
+        old_email,
+        "Account e-mail address changed",
+        "emailchanged",
+        {"username": username, "new_email": new_email},
+    )
+
 
 def send_change_email(username, email, token):
-  send_email(email, 'E-mail address change requested', 'changeemail', {
-    'username': username,
-    'token': token
-  })
+    send_email(
+        email,
+        "E-mail address change requested",
+        "changeemail",
+        {"username": username, "token": token},
+    )
+
 
 def send_confirmation_email(username, email, token):
-  action = GmailAction.confirm('Confirm E-mail', 'confirm?code=' + token,
-                               'Verification of e-mail address')
+    action = GmailAction.confirm(
+        "Confirm E-mail", "confirm?code=" + token, "Verification of e-mail address"
+    )
+
+    send_email(
+        email,
+        "Please confirm your e-mail address",
+        "confirmemail",
+        {"username": username, "token": token},
+        action=action,
+    )
 
-  send_email(email, 'Please confirm your e-mail address', 'confirmemail', {
-    'username': username,
-    'token': token
-  }, action=action)
 
 def send_repo_authorization_email(namespace, repository, email, token):
-  action = GmailAction.confirm('Verify E-mail', 'authrepoemail?code=' + token,
-                               'Verification of e-mail address')
+    action = GmailAction.confirm(
+        "Verify E-mail", "authrepoemail?code=" + token, "Verification of e-mail address"
+    )
 
-  subject = 'Please verify your e-mail address for repository %s/%s' % (namespace, repository)
-  send_email(email, subject, 'repoauthorizeemail', {
-    'namespace': namespace,
-    'repository': repository,
-    'token': token
-  }, action=action)
+    subject = "Please verify your e-mail address for repository %s/%s" % (
+        namespace,
+        repository,
+    )
+    send_email(
+        email,
+        subject,
+        "repoauthorizeemail",
+        {"namespace": namespace, "repository": repository, "token": token},
+        action=action,
+    )
 
 
 def send_org_recovery_email(org, admin_users):
-  subject = 'Organization %s recovery' % (org.username)
-  send_email(org.email, subject, 'orgrecovery', {
-    'organization': org.username,
-    'admin_usernames': [user.username for user in admin_users],
-  })
+    subject = "Organization %s recovery" % (org.username)
+    send_email(
+        org.email,
+        subject,
+        "orgrecovery",
+        {
+            "organization": org.username,
+            "admin_usernames": [user.username for user in admin_users],
+        },
+    )
 
 
 def send_recovery_email(email, token):
-  action = GmailAction.view('Recover Account', 'recovery?code=' + token,
-                            'Recovery of an account')
+    action = GmailAction.view(
+        "Recover Account", "recovery?code=" + token, "Recovery of an account"
+    )
+
+    subject = "Account recovery"
+    send_email(
+        email, subject, "recovery", {"email": email, "token": token}, action=action
+    )
 
-  subject = 'Account recovery'
-  send_email(email, subject, 'recovery', {
-    'email': email,
-    'token': token
-  }, action=action)
 
 def send_payment_failed(email, username):
-  send_email(email, 'Subscription Payment Failure', 'paymentfailure', {
-    'username': username
-  })
+    send_email(
+        email, "Subscription Payment Failure", "paymentfailure", {"username": username}
+    )
+
 
 def send_org_invite_email(member_name, member_email, orgname, team, adder, code):
-  action = GmailAction.view('Join %s' % team, 'confirminvite?code=' + code,
-                            'Invitation to join a team')
+    action = GmailAction.view(
+        "Join %s" % team, "confirminvite?code=" + code, "Invitation to join a team"
+    )
 
-  send_email(member_email, 'Invitation to join team', 'teaminvite', {
-    'inviter': adder,
-    'token': code,
-    'organization': orgname,
-    'teamname': team
-  }, action=action)
+    send_email(
+        member_email,
+        "Invitation to join team",
+        "teaminvite",
+        {"inviter": adder, "token": code, "organization": orgname, "teamname": team},
+        action=action,
+    )
 
 
 def send_invoice_email(email, contents):
-  # Note: This completely generates the contents of the email, so we don't use the
-  # normal template here.
-  msg = Message('Quay payment received - Thank you!', recipients=[email])
-  msg.html = contents
-  mail.send(msg)
+    # Note: This completely generates the contents of the email, so we don't use the
+    # normal template here.
+    msg = Message("Quay payment received - Thank you!", recipients=[email])
+    msg.html = contents
+    mail.send(msg)
 
 
-def send_logs_exported_email(email, export_id, status, exported_data_url=None,
-                             exported_data_expiration=None):
-  send_email(email, 'Export Action Logs Complete', 'logsexported', {
-    'status': status,
-    'export_id': export_id,
-    'exported_data_url': exported_data_url,
-    'exported_data_expiration': exported_data_expiration,
-  })
+def send_logs_exported_email(
+    email, export_id, status, exported_data_url=None, exported_data_expiration=None
+):
+    send_email(
+        email,
+        "Export Action Logs Complete",
+        "logsexported",
+        {
+            "status": status,
+            "export_id": export_id,
+            "exported_data_url": exported_data_url,
+            "exported_data_expiration": exported_data_expiration,
+        },
+    )
 
 
 # INTERNAL EMAILS BELOW
 
-def send_subscription_change(change_description, customer_id, customer_email, quay_username):
-  SUBSCRIPTION_CHANGE_TITLE = 'Subscription Change - {0} {1}'
-  SUBSCRIPTION_CHANGE = """
+
+def send_subscription_change(
+    change_description, customer_id, customer_email, quay_username
+):
+    SUBSCRIPTION_CHANGE_TITLE = "Subscription Change - {0} {1}"
+    SUBSCRIPTION_CHANGE = """
   Change: {0}<br>
   Customer id: <a href="https://manage.stripe.com/customers/{1}">{1}</a><br>
   Customer email: <a href="mailto:{2}">{2}</a><br>
   Quay user or org name: {3}<br>
   """
 
-  title = SUBSCRIPTION_CHANGE_TITLE.format(quay_username, change_description)
-  msg = Message(title, recipients=['stripe@quay.io'])
-  msg.html = SUBSCRIPTION_CHANGE.format(change_description, customer_id, customer_email,
-                                        quay_username)
-  mail.send(msg)
+    title = SUBSCRIPTION_CHANGE_TITLE.format(quay_username, change_description)
+    msg = Message(title, recipients=["stripe@quay.io"])
+    msg.html = SUBSCRIPTION_CHANGE.format(
+        change_description, customer_id, customer_email, quay_username
+    )
+    mail.send(msg)
diff --git a/util/validation.py b/util/validation.py
index 8da4a456e..fdfb63555 100644
--- a/util/validation.py
+++ b/util/validation.py
@@ -2,105 +2,115 @@ import string
 import re
 import json
 
-import anunidecode # Don't listen to pylint's lies. This import is required.
+import anunidecode  # Don't listen to pylint's lies. This import is required.
 
 from peewee import OperationalError
 
-INVALID_PASSWORD_MESSAGE = 'Invalid password, password must be at least ' + \
-                           '8 characters and contain no whitespace.'
+INVALID_PASSWORD_MESSAGE = (
+    "Invalid password, password must be at least "
+    + "8 characters and contain no whitespace."
+)
 VALID_CHARACTERS = string.digits + string.lowercase
 
 MIN_USERNAME_LENGTH = 2
 MAX_USERNAME_LENGTH = 255
 
-VALID_LABEL_KEY_REGEX = r'^[a-z0-9](([a-z0-9]|[-.](?![.-]))*[a-z0-9])?$'
-VALID_USERNAME_REGEX = r'^([a-z0-9]+(?:[._-][a-z0-9]+)*)$'
-VALID_SERVICE_KEY_NAME_REGEX = r'^[\s a-zA-Z0-9\-_:/]*$'
+VALID_LABEL_KEY_REGEX = r"^[a-z0-9](([a-z0-9]|[-.](?![.-]))*[a-z0-9])?$"
+VALID_USERNAME_REGEX = r"^([a-z0-9]+(?:[._-][a-z0-9]+)*)$"
+VALID_SERVICE_KEY_NAME_REGEX = r"^[\s a-zA-Z0-9\-_:/]*$"
 
-INVALID_USERNAME_CHARACTERS = r'[^a-z0-9_]'
+INVALID_USERNAME_CHARACTERS = r"[^a-z0-9_]"
 
 
 def validate_label_key(label_key):
-  if len(label_key) > 255:
-    return False
+    if len(label_key) > 255:
+        return False
 
-  return bool(re.match(VALID_LABEL_KEY_REGEX, label_key))
+    return bool(re.match(VALID_LABEL_KEY_REGEX, label_key))
 
 
 def validate_email(email_address):
-  if not email_address:
-    return False
+    if not email_address:
+        return False
 
-  return bool(re.match(r'[^@]+@[^@]+\.[^@]+', email_address))
+    return bool(re.match(r"[^@]+@[^@]+\.[^@]+", email_address))
 
 
 def validate_username(username):
-  # Based off the restrictions defined in the Docker Registry API spec
-  if not re.match(VALID_USERNAME_REGEX, username):
-    return (False, 'Namespace must match expression ' + VALID_USERNAME_REGEX)
+    # Based off the restrictions defined in the Docker Registry API spec
+    if not re.match(VALID_USERNAME_REGEX, username):
+        return (False, "Namespace must match expression " + VALID_USERNAME_REGEX)
 
-  length_match = (len(username) >= MIN_USERNAME_LENGTH and len(username) <= MAX_USERNAME_LENGTH)
-  if not length_match:
-    return (False, 'Namespace must be between %s and %s characters in length' %
-            (MIN_USERNAME_LENGTH, MAX_USERNAME_LENGTH))
+    length_match = (
+        len(username) >= MIN_USERNAME_LENGTH and len(username) <= MAX_USERNAME_LENGTH
+    )
+    if not length_match:
+        return (
+            False,
+            "Namespace must be between %s and %s characters in length"
+            % (MIN_USERNAME_LENGTH, MAX_USERNAME_LENGTH),
+        )
 
-  return (True, '')
+    return (True, "")
 
 
 def validate_password(password):
-  # No whitespace and minimum length of 8
-  if re.search(r'\s', password):
-    return False
-  return len(password) > 7
+    # No whitespace and minimum length of 8
+    if re.search(r"\s", password):
+        return False
+    return len(password) > 7
 
 
 def _gen_filler_chars(num_filler_chars):
-  if num_filler_chars == 0:
-    yield ''
-  else:
-    for char in VALID_CHARACTERS:
-      for suffix in _gen_filler_chars(num_filler_chars - 1):
-        yield char + suffix
+    if num_filler_chars == 0:
+        yield ""
+    else:
+        for char in VALID_CHARACTERS:
+            for suffix in _gen_filler_chars(num_filler_chars - 1):
+                yield char + suffix
 
 
 def generate_valid_usernames(input_username):
-  normalized = input_username.encode('unidecode', 'ignore').strip().lower()
-  prefix = re.sub(INVALID_USERNAME_CHARACTERS, '_', normalized)[:MAX_USERNAME_LENGTH]
-  prefix = re.sub(r'_{2,}', '_', prefix)
+    normalized = input_username.encode("unidecode", "ignore").strip().lower()
+    prefix = re.sub(INVALID_USERNAME_CHARACTERS, "_", normalized)[:MAX_USERNAME_LENGTH]
+    prefix = re.sub(r"_{2,}", "_", prefix)
 
-  if prefix.endswith('_'):
-    prefix = prefix[0:len(prefix) - 1]
+    if prefix.endswith("_"):
+        prefix = prefix[0 : len(prefix) - 1]
 
-  while prefix.startswith('_'):
-    prefix = prefix[1:]
+    while prefix.startswith("_"):
+        prefix = prefix[1:]
 
-  num_filler_chars = max(0, MIN_USERNAME_LENGTH - len(prefix))
+    num_filler_chars = max(0, MIN_USERNAME_LENGTH - len(prefix))
 
-  while num_filler_chars + len(prefix) <= MAX_USERNAME_LENGTH:
-    for suffix in _gen_filler_chars(num_filler_chars):
-      yield prefix + suffix
-    num_filler_chars += 1
+    while num_filler_chars + len(prefix) <= MAX_USERNAME_LENGTH:
+        for suffix in _gen_filler_chars(num_filler_chars):
+            yield prefix + suffix
+        num_filler_chars += 1
 
 
 def is_json(value):
-  if ((value.startswith('{') and value.endswith('}')) or
-      (value.startswith('[') and value.endswith(']'))):
-    try:
-      json.loads(value)
-      return True
-    except (TypeError, ValueError):
-      return False
-  return False
+    if (value.startswith("{") and value.endswith("}")) or (
+        value.startswith("[") and value.endswith("]")
+    ):
+        try:
+            json.loads(value)
+            return True
+        except (TypeError, ValueError):
+            return False
+    return False
 
 
 def validate_postgres_precondition(driver):
-  cursor = driver.execute_sql("SELECT extname FROM pg_extension", ("public",))
-  if 'pg_trgm' not in [extname for extname, in cursor.fetchall()]:
-    raise OperationalError("""
+    cursor = driver.execute_sql("SELECT extname FROM pg_extension", ("public",))
+    if "pg_trgm" not in [extname for extname, in cursor.fetchall()]:
+        raise OperationalError(
+            """
       "pg_trgm" extension does not exists in the database.
       Please run `CREATE EXTENSION IF NOT EXISTS pg_trgm;` as superuser on this database.
-    """)
+    """
+        )
 
 
 def validate_service_key_name(name):
-  return name is None or bool(re.match(VALID_SERVICE_KEY_NAME_REGEX, name))
+    return name is None or bool(re.match(VALID_SERVICE_KEY_NAME_REGEX, name))
diff --git a/util/verifybackfill.py b/util/verifybackfill.py
index 9c790dfdf..96f458534 100644
--- a/util/verifybackfill.py
+++ b/util/verifybackfill.py
@@ -3,67 +3,87 @@ import sys
 
 from app import app
 from data import model
-from data.database import (RepositoryTag, Repository, TagToRepositoryTag, TagManifest,
-                           ManifestLegacyImage)
+from data.database import (
+    RepositoryTag,
+    Repository,
+    TagToRepositoryTag,
+    TagManifest,
+    ManifestLegacyImage,
+)
 
 logger = logging.getLogger(__name__)
 
+
 def _vs(first, second):
-  return "%s vs %s" % (first, second)
+    return "%s vs %s" % (first, second)
 
 
 def verify_backfill(namespace_name):
-  logger.info('Checking namespace %s', namespace_name)
-  namespace_user = model.user.get_namespace_user(namespace_name)
-  assert namespace_user
+    logger.info("Checking namespace %s", namespace_name)
+    namespace_user = model.user.get_namespace_user(namespace_name)
+    assert namespace_user
 
-  repo_tags = (RepositoryTag
-               .select()
-               .join(Repository)
-               .where(Repository.namespace_user == namespace_user)
-               .where(RepositoryTag.hidden == False))
+    repo_tags = (
+        RepositoryTag.select()
+        .join(Repository)
+        .where(Repository.namespace_user == namespace_user)
+        .where(RepositoryTag.hidden == False)
+    )
 
-  repo_tags = list(repo_tags)
-  logger.info('Found %s tags', len(repo_tags))
+    repo_tags = list(repo_tags)
+    logger.info("Found %s tags", len(repo_tags))
 
-  for index, repo_tag in enumerate(repo_tags):
-    logger.info('Checking tag %s under repository %s (%s/%s)', repo_tag.name,
-                repo_tag.repository.name, index + 1, len(repo_tags))
+    for index, repo_tag in enumerate(repo_tags):
+        logger.info(
+            "Checking tag %s under repository %s (%s/%s)",
+            repo_tag.name,
+            repo_tag.repository.name,
+            index + 1,
+            len(repo_tags),
+        )
 
-    tag = TagToRepositoryTag.get(repository_tag=repo_tag).tag
-    assert not tag.hidden
-    assert tag.repository == repo_tag.repository
-    assert tag.name == repo_tag.name, _vs(tag.name, repo_tag.name)
-    assert tag.repository == repo_tag.repository, _vs(tag.repository_id, repo_tag.repository_id)
-    assert tag.reversion == repo_tag.reversion, _vs(tag.reversion, repo_tag.reversion)
+        tag = TagToRepositoryTag.get(repository_tag=repo_tag).tag
+        assert not tag.hidden
+        assert tag.repository == repo_tag.repository
+        assert tag.name == repo_tag.name, _vs(tag.name, repo_tag.name)
+        assert tag.repository == repo_tag.repository, _vs(
+            tag.repository_id, repo_tag.repository_id
+        )
+        assert tag.reversion == repo_tag.reversion, _vs(
+            tag.reversion, repo_tag.reversion
+        )
 
-    start_check = int(tag.lifetime_start_ms / 1000) == repo_tag.lifetime_start_ts
-    assert start_check, _vs(tag.lifetime_start_ms, repo_tag.lifetime_start_ts)
-    if repo_tag.lifetime_end_ts is not None:
-      end_check = int(tag.lifetime_end_ms / 1000) == repo_tag.lifetime_end_ts
-      assert end_check, _vs(tag.lifetime_end_ms, repo_tag.lifetime_end_ts)
-    else:
-      assert tag.lifetime_end_ms is None
+        start_check = int(tag.lifetime_start_ms / 1000) == repo_tag.lifetime_start_ts
+        assert start_check, _vs(tag.lifetime_start_ms, repo_tag.lifetime_start_ts)
+        if repo_tag.lifetime_end_ts is not None:
+            end_check = int(tag.lifetime_end_ms / 1000) == repo_tag.lifetime_end_ts
+            assert end_check, _vs(tag.lifetime_end_ms, repo_tag.lifetime_end_ts)
+        else:
+            assert tag.lifetime_end_ms is None
 
-    try:
-      tag_manifest = tag.manifest
-      repo_tag_manifest = TagManifest.get(tag=repo_tag)
+        try:
+            tag_manifest = tag.manifest
+            repo_tag_manifest = TagManifest.get(tag=repo_tag)
 
-      digest_check = tag_manifest.digest == repo_tag_manifest.digest
-      assert digest_check, _vs(tag_manifest.digest, repo_tag_manifest.digest)
+            digest_check = tag_manifest.digest == repo_tag_manifest.digest
+            assert digest_check, _vs(tag_manifest.digest, repo_tag_manifest.digest)
 
-      bytes_check = tag_manifest.manifest_bytes == repo_tag_manifest.json_data
-      assert bytes_check, _vs(tag_manifest.manifest_bytes, repo_tag_manifest.json_data)
-    except TagManifest.DoesNotExist:
-      logger.info('No tag manifest found for repository tag %s', repo_tag.id)
+            bytes_check = tag_manifest.manifest_bytes == repo_tag_manifest.json_data
+            assert bytes_check, _vs(
+                tag_manifest.manifest_bytes, repo_tag_manifest.json_data
+            )
+        except TagManifest.DoesNotExist:
+            logger.info("No tag manifest found for repository tag %s", repo_tag.id)
 
-    mli = ManifestLegacyImage.get(manifest=tag_manifest)
-    assert mli.repository == repo_tag.repository
+        mli = ManifestLegacyImage.get(manifest=tag_manifest)
+        assert mli.repository == repo_tag.repository
 
-    manifest_legacy_image = mli.image
-    assert manifest_legacy_image == repo_tag.image, _vs(manifest_legacy_image.id, repo_tag.image_id)
+        manifest_legacy_image = mli.image
+        assert manifest_legacy_image == repo_tag.image, _vs(
+            manifest_legacy_image.id, repo_tag.image_id
+        )
 
 
-if __name__ == '__main__':
-  logging.basicConfig(level=logging.INFO)
-  verify_backfill(sys.argv[1])
+if __name__ == "__main__":
+    logging.basicConfig(level=logging.INFO)
+    verify_backfill(sys.argv[1])
diff --git a/util/verifyplacements.py b/util/verifyplacements.py
index 2fb363cea..63ec34e05 100644
--- a/util/verifyplacements.py
+++ b/util/verifyplacements.py
@@ -21,55 +21,69 @@ LOCATION_MAP = {}
 
 
 def _get_location_row(location):
-  if location in LOCATION_MAP:
-    return LOCATION_MAP[location]
+    if location in LOCATION_MAP:
+        return LOCATION_MAP[location]
 
-  location_row = ImageStorageLocation.get(name=location)
-  LOCATION_MAP[location] = location_row
-  return location_row
+    location_row = ImageStorageLocation.get(name=location)
+    LOCATION_MAP[location] = location_row
+    return location_row
 
 
 def verify_placements():
-  encountered = set()
+    encountered = set()
 
-  iterator = yield_random_entries(
-    lambda: ImageStorage.select().where(ImageStorage.uploading == False),
-    ImageStorage.id,
-    1000,
-    ImageStorage.select(fn.Max(ImageStorage.id)).scalar(),
-    1,
-  )
+    iterator = yield_random_entries(
+        lambda: ImageStorage.select().where(ImageStorage.uploading == False),
+        ImageStorage.id,
+        1000,
+        ImageStorage.select(fn.Max(ImageStorage.id)).scalar(),
+        1,
+    )
 
-  for storage_row, abt, _ in iterator:
-    if storage_row.id in encountered:
-      continue
+    for storage_row, abt, _ in iterator:
+        if storage_row.id in encountered:
+            continue
 
-    encountered.add(storage_row.id)
+        encountered.add(storage_row.id)
 
-    logger.info('Checking placements for storage `%s`', storage_row.uuid)
-    try:
-      with_locations = model.storage.get_storage_by_uuid(storage_row.uuid)
-    except model.InvalidImageException:
-      logger.exception('Could not find storage `%s`', storage_row.uuid)
-      continue
+        logger.info("Checking placements for storage `%s`", storage_row.uuid)
+        try:
+            with_locations = model.storage.get_storage_by_uuid(storage_row.uuid)
+        except model.InvalidImageException:
+            logger.exception("Could not find storage `%s`", storage_row.uuid)
+            continue
 
-    storage_path = model.storage.get_layer_path(storage_row)
-    locations_to_check = set(with_locations.locations)
-    if locations_to_check:
-      logger.info('Checking locations `%s` for storage `%s`', locations_to_check, storage_row.uuid)
-      for location in locations_to_check:
-        logger.info('Checking location `%s` for storage `%s`', location, storage_row.uuid)
-        if not storage.exists([location], storage_path):
-          location_row = _get_location_row(location)
-          logger.info('Location `%s` is missing for storage `%s`; removing', location,
-                      storage_row.uuid)
-          (ImageStoragePlacement
-           .delete()
-           .where(ImageStoragePlacement.storage == storage_row,
-                  ImageStoragePlacement.location == location_row)
-           .execute())
+        storage_path = model.storage.get_layer_path(storage_row)
+        locations_to_check = set(with_locations.locations)
+        if locations_to_check:
+            logger.info(
+                "Checking locations `%s` for storage `%s`",
+                locations_to_check,
+                storage_row.uuid,
+            )
+            for location in locations_to_check:
+                logger.info(
+                    "Checking location `%s` for storage `%s`",
+                    location,
+                    storage_row.uuid,
+                )
+                if not storage.exists([location], storage_path):
+                    location_row = _get_location_row(location)
+                    logger.info(
+                        "Location `%s` is missing for storage `%s`; removing",
+                        location,
+                        storage_row.uuid,
+                    )
+                    (
+                        ImageStoragePlacement.delete()
+                        .where(
+                            ImageStoragePlacement.storage == storage_row,
+                            ImageStoragePlacement.location == location_row,
+                        )
+                        .execute()
+                    )
 
 
-if __name__ == '__main__':
-  logging.basicConfig(level=logging.INFO)
-  verify_placements()
+if __name__ == "__main__":
+    logging.basicConfig(level=logging.INFO)
+    verify_placements()
diff --git a/util/workers.py b/util/workers.py
index ca29ff0fd..c092647e8 100644
--- a/util/workers.py
+++ b/util/workers.py
@@ -1,31 +1,32 @@
 import os
 import psutil
 
+
 def get_worker_count(worker_kind_name, multiplier, minimum=None, maximum=None):
-  """ Returns the number of gunicorn workers to run for the given worker kind,
+    """ Returns the number of gunicorn workers to run for the given worker kind,
       based on a combination of environment variable, multiplier, minimum (if any),
       and number of accessible CPU cores.
   """
-  minimum = minimum or multiplier
-  maximum = maximum or (multiplier * multiplier)
+    minimum = minimum or multiplier
+    maximum = maximum or (multiplier * multiplier)
 
-  # Check for an override via an environment variable.
-  override_value = os.environ.get('WORKER_COUNT_' + worker_kind_name.upper())
-  if override_value is not None:
-    return max(override_value, minimum)
+    # Check for an override via an environment variable.
+    override_value = os.environ.get("WORKER_COUNT_" + worker_kind_name.upper())
+    if override_value is not None:
+        return max(override_value, minimum)
 
-  override_value = os.environ.get('WORKER_COUNT')
-  if override_value is not None:
-    return max(override_value, minimum)
+    override_value = os.environ.get("WORKER_COUNT")
+    if override_value is not None:
+        return max(override_value, minimum)
 
-  # Load the number of CPU cores via affinity, and use that to calculate the
-  # number of workers to run.
-  p = psutil.Process(os.getpid())
+    # Load the number of CPU cores via affinity, and use that to calculate the
+    # number of workers to run.
+    p = psutil.Process(os.getpid())
 
-  try:
-    cpu_count = len(p.cpu_affinity())
-  except AttributeError:
-    # cpu_affinity isn't supported on this platform. Assume 2.
-    cpu_count = 2
+    try:
+        cpu_count = len(p.cpu_affinity())
+    except AttributeError:
+        # cpu_affinity isn't supported on this platform. Assume 2.
+        cpu_count = 2
 
-  return  min(max(cpu_count * multiplier, minimum), maximum)
+    return min(max(cpu_count * multiplier, minimum), maximum)
diff --git a/verbs.py b/verbs.py
index 5907bc1db..59c9b4c29 100644
--- a/verbs.py
+++ b/verbs.py
@@ -4,4 +4,4 @@ from app import app as application
 from endpoints.verbs import verbs
 
 
-application.register_blueprint(verbs, url_prefix='/c1')
+application.register_blueprint(verbs, url_prefix="/c1")
diff --git a/web.py b/web.py
index 8158476a7..a684e462b 100644
--- a/web.py
+++ b/web.py
@@ -1,5 +1,6 @@
 # NOTE: Must be before we import or call anything that may be synchronous.
 from gevent import monkey
+
 monkey.patch_all()
 
 from app import app as application
@@ -16,12 +17,12 @@ from endpoints.wellknown import wellknown
 
 
 application.register_blueprint(web)
-application.register_blueprint(githubtrigger, url_prefix='/oauth2')
-application.register_blueprint(gitlabtrigger, url_prefix='/oauth2')
-application.register_blueprint(oauthlogin, url_prefix='/oauth2')
-application.register_blueprint(bitbuckettrigger, url_prefix='/oauth1')
-application.register_blueprint(api_bp, url_prefix='/api')
-application.register_blueprint(webhooks, url_prefix='/webhooks')
-application.register_blueprint(realtime, url_prefix='/realtime')
-application.register_blueprint(key_server, url_prefix='/keys')
-application.register_blueprint(wellknown, url_prefix='/.well-known')
+application.register_blueprint(githubtrigger, url_prefix="/oauth2")
+application.register_blueprint(gitlabtrigger, url_prefix="/oauth2")
+application.register_blueprint(oauthlogin, url_prefix="/oauth2")
+application.register_blueprint(bitbuckettrigger, url_prefix="/oauth1")
+application.register_blueprint(api_bp, url_prefix="/api")
+application.register_blueprint(webhooks, url_prefix="/webhooks")
+application.register_blueprint(realtime, url_prefix="/realtime")
+application.register_blueprint(key_server, url_prefix="/keys")
+application.register_blueprint(wellknown, url_prefix="/.well-known")
diff --git a/workers/blobuploadcleanupworker/blobuploadcleanupworker.py b/workers/blobuploadcleanupworker/blobuploadcleanupworker.py
index c47d7ea89..d189f8c45 100644
--- a/workers/blobuploadcleanupworker/blobuploadcleanupworker.py
+++ b/workers/blobuploadcleanupworker/blobuploadcleanupworker.py
@@ -12,41 +12,47 @@ from util.log import logfile_path
 logger = logging.getLogger(__name__)
 
 DELETION_DATE_THRESHOLD = timedelta(days=2)
-BLOBUPLOAD_CLEANUP_FREQUENCY = app.config.get('BLOBUPLOAD_CLEANUP_FREQUENCY', 60 * 60)
+BLOBUPLOAD_CLEANUP_FREQUENCY = app.config.get("BLOBUPLOAD_CLEANUP_FREQUENCY", 60 * 60)
 
 
 class BlobUploadCleanupWorker(Worker):
-  def __init__(self):
-    super(BlobUploadCleanupWorker, self).__init__()
-    self.add_operation(self._cleanup_uploads, BLOBUPLOAD_CLEANUP_FREQUENCY)
+    def __init__(self):
+        super(BlobUploadCleanupWorker, self).__init__()
+        self.add_operation(self._cleanup_uploads, BLOBUPLOAD_CLEANUP_FREQUENCY)
 
-  def _cleanup_uploads(self):
-    """ Performs garbage collection on the blobupload table. """
-    while True:
-      # Find all blob uploads older than the threshold (typically a week) and delete them.
-      with UseThenDisconnect(app.config):
-        stale_upload = model.get_stale_blob_upload(DELETION_DATE_THRESHOLD)
-        if stale_upload is None:
-          logger.debug('No additional stale blob uploads found')
-          return
+    def _cleanup_uploads(self):
+        """ Performs garbage collection on the blobupload table. """
+        while True:
+            # Find all blob uploads older than the threshold (typically a week) and delete them.
+            with UseThenDisconnect(app.config):
+                stale_upload = model.get_stale_blob_upload(DELETION_DATE_THRESHOLD)
+                if stale_upload is None:
+                    logger.debug("No additional stale blob uploads found")
+                    return
 
-      # Remove the stale upload from storage.
-      logger.debug('Removing stale blob upload %s', stale_upload.uuid)
-      try:
-        storage.cancel_chunked_upload([stale_upload.location_name], stale_upload.uuid,
-                                      stale_upload.storage_metadata)
-      except Exception as ex:
-        logger.debug('Got error when trying to cancel chunked upload %s: %s', stale_upload.uuid,
-                     ex.message)
+            # Remove the stale upload from storage.
+            logger.debug("Removing stale blob upload %s", stale_upload.uuid)
+            try:
+                storage.cancel_chunked_upload(
+                    [stale_upload.location_name],
+                    stale_upload.uuid,
+                    stale_upload.storage_metadata,
+                )
+            except Exception as ex:
+                logger.debug(
+                    "Got error when trying to cancel chunked upload %s: %s",
+                    stale_upload.uuid,
+                    ex.message,
+                )
 
-      # Delete the stale upload's row.
-      with UseThenDisconnect(app.config):
-        model.delete_blob_upload(stale_upload)
+            # Delete the stale upload's row.
+            with UseThenDisconnect(app.config):
+                model.delete_blob_upload(stale_upload)
 
-      logger.debug('Removed stale blob upload %s', stale_upload.uuid)
+            logger.debug("Removed stale blob upload %s", stale_upload.uuid)
 
 
 if __name__ == "__main__":
-  logging.config.fileConfig(logfile_path(debug=False), disable_existing_loggers=False)
-  worker = BlobUploadCleanupWorker()
-  worker.start()
+    logging.config.fileConfig(logfile_path(debug=False), disable_existing_loggers=False)
+    worker = BlobUploadCleanupWorker()
+    worker.start()
diff --git a/workers/blobuploadcleanupworker/models_interface.py b/workers/blobuploadcleanupworker/models_interface.py
index 000a26771..a1cc9a4e2 100644
--- a/workers/blobuploadcleanupworker/models_interface.py
+++ b/workers/blobuploadcleanupworker/models_interface.py
@@ -3,35 +3,37 @@ from collections import namedtuple
 from six import add_metaclass
 
 
-class BlobUpload(namedtuple('BlobUpload', ['uuid', 'storage_metadata', 'location_name'])):
-  """
+class BlobUpload(
+    namedtuple("BlobUpload", ["uuid", "storage_metadata", "location_name"])
+):
+    """
   BlobUpload represents a single upload of a blob in progress or previously started.
   """
 
 
 @add_metaclass(ABCMeta)
 class BlobUploadCleanupWorkerDataInterface(object):
-  """
+    """
   Interface that represents all data store interactions required by the blob upload cleanup worker.
   """
 
-  @abstractmethod
-  def get_stale_blob_upload(self, stale_threshold):
-    """ Returns a BlobUpload that was created on or before the current date/time minus the
+    @abstractmethod
+    def get_stale_blob_upload(self, stale_threshold):
+        """ Returns a BlobUpload that was created on or before the current date/time minus the
         stale threshold. If none, returns None. """
-    pass
+        pass
 
-  @abstractmethod
-  def delete_blob_upload(self, blob_upload):
-    """ Deletes a blob upload from the database. """
-    pass
+    @abstractmethod
+    def delete_blob_upload(self, blob_upload):
+        """ Deletes a blob upload from the database. """
+        pass
 
-  @abstractmethod
-  def create_stale_upload_for_testing(self):
-    """ Creates a new stale blob upload for testing. """
-    pass
+    @abstractmethod
+    def create_stale_upload_for_testing(self):
+        """ Creates a new stale blob upload for testing. """
+        pass
 
-  @abstractmethod
-  def blob_upload_exists(self, upload_uuid):
-    """ Returns True if a blob upload with the given UUID exists. """
-    pass
+    @abstractmethod
+    def blob_upload_exists(self, upload_uuid):
+        """ Returns True if a blob upload with the given UUID exists. """
+        pass
diff --git a/workers/blobuploadcleanupworker/models_pre_oci.py b/workers/blobuploadcleanupworker/models_pre_oci.py
index 97db6e159..b1741c556 100644
--- a/workers/blobuploadcleanupworker/models_pre_oci.py
+++ b/workers/blobuploadcleanupworker/models_pre_oci.py
@@ -3,36 +3,44 @@ from datetime import datetime, timedelta
 from data import model
 from data.database import BlobUpload as BlobUploadTable
 from workers.blobuploadcleanupworker.models_interface import (
-  BlobUpload, BlobUploadCleanupWorkerDataInterface)
+    BlobUpload,
+    BlobUploadCleanupWorkerDataInterface,
+)
 
 
 class PreOCIModel(BlobUploadCleanupWorkerDataInterface):
-  def get_stale_blob_upload(self, stale_threshold):
-    blob_upload = model.blob.get_stale_blob_upload(stale_threshold)
-    if blob_upload is None:
-      return None
+    def get_stale_blob_upload(self, stale_threshold):
+        blob_upload = model.blob.get_stale_blob_upload(stale_threshold)
+        if blob_upload is None:
+            return None
 
-    return BlobUpload(blob_upload.uuid, blob_upload.storage_metadata, blob_upload.location.name)
+        return BlobUpload(
+            blob_upload.uuid, blob_upload.storage_metadata, blob_upload.location.name
+        )
 
-  def delete_blob_upload(self, blob_upload):
-    blob_upload = model.blob.get_blob_upload_by_uuid(blob_upload.uuid)
-    if blob_upload is None:
-      return
+    def delete_blob_upload(self, blob_upload):
+        blob_upload = model.blob.get_blob_upload_by_uuid(blob_upload.uuid)
+        if blob_upload is None:
+            return
 
-    try:
-      blob_upload.delete_instance()
-    except BlobUploadTable.DoesNotExist:
-      pass
+        try:
+            blob_upload.delete_instance()
+        except BlobUploadTable.DoesNotExist:
+            pass
 
-  def create_stale_upload_for_testing(self):
-    blob_upload = model.blob.initiate_upload('devtable', 'simple', 'foobarbaz', 'local_us', {})
-    blob_upload.created = datetime.now() - timedelta(days=60)
-    blob_upload.save()
-    return BlobUpload(blob_upload.uuid, blob_upload.storage_metadata, blob_upload.location.name)
+    def create_stale_upload_for_testing(self):
+        blob_upload = model.blob.initiate_upload(
+            "devtable", "simple", "foobarbaz", "local_us", {}
+        )
+        blob_upload.created = datetime.now() - timedelta(days=60)
+        blob_upload.save()
+        return BlobUpload(
+            blob_upload.uuid, blob_upload.storage_metadata, blob_upload.location.name
+        )
 
-  def blob_upload_exists(self, upload_uuid):
-    blob_upload = model.blob.get_blob_upload_by_uuid(upload_uuid)
-    return blob_upload is not None
+    def blob_upload_exists(self, upload_uuid):
+        blob_upload = model.blob.get_blob_upload_by_uuid(upload_uuid)
+        return blob_upload is not None
 
 
 pre_oci_model = PreOCIModel()
diff --git a/workers/blobuploadcleanupworker/test/test_blobuploadcleanupworker.py b/workers/blobuploadcleanupworker/test/test_blobuploadcleanupworker.py
index fb61e1389..467d5abb3 100644
--- a/workers/blobuploadcleanupworker/test/test_blobuploadcleanupworker.py
+++ b/workers/blobuploadcleanupworker/test/test_blobuploadcleanupworker.py
@@ -2,26 +2,35 @@ from contextlib import contextmanager
 from mock import patch, Mock
 
 from test.fixtures import *
-from workers.blobuploadcleanupworker.blobuploadcleanupworker import BlobUploadCleanupWorker
+from workers.blobuploadcleanupworker.blobuploadcleanupworker import (
+    BlobUploadCleanupWorker,
+)
 from workers.blobuploadcleanupworker.models_pre_oci import pre_oci_model as model
 
+
 def test_blobuploadcleanupworker(initialized_db):
-  # Create a blob upload older than the threshold.
-  blob_upload = model.create_stale_upload_for_testing()
+    # Create a blob upload older than the threshold.
+    blob_upload = model.create_stale_upload_for_testing()
 
-  # Note: We need to override UseThenDisconnect to ensure to remains connected to the test DB.
-  @contextmanager
-  def noop(_):
-    yield
+    # Note: We need to override UseThenDisconnect to ensure to remains connected to the test DB.
+    @contextmanager
+    def noop(_):
+        yield
 
-  storage_mock = Mock()
-  with patch('workers.blobuploadcleanupworker.blobuploadcleanupworker.UseThenDisconnect', noop):
-    with patch('workers.blobuploadcleanupworker.blobuploadcleanupworker.storage', storage_mock):
-    # Call cleanup and ensure it is canceled.
-      worker = BlobUploadCleanupWorker()
-      worker._cleanup_uploads()
+    storage_mock = Mock()
+    with patch(
+        "workers.blobuploadcleanupworker.blobuploadcleanupworker.UseThenDisconnect",
+        noop,
+    ):
+        with patch(
+            "workers.blobuploadcleanupworker.blobuploadcleanupworker.storage",
+            storage_mock,
+        ):
+            # Call cleanup and ensure it is canceled.
+            worker = BlobUploadCleanupWorker()
+            worker._cleanup_uploads()
 
-  storage_mock.cancel_chunked_upload.assert_called_once()
+    storage_mock.cancel_chunked_upload.assert_called_once()
 
-  # Ensure the blob no longer exists.
-  model.blob_upload_exists(blob_upload.uuid)
+    # Ensure the blob no longer exists.
+    model.blob_upload_exists(blob_upload.uuid)
diff --git a/workers/buildlogsarchiver/buildlogsarchiver.py b/workers/buildlogsarchiver/buildlogsarchiver.py
index ddc6fcc42..5b4819f06 100644
--- a/workers/buildlogsarchiver/buildlogsarchiver.py
+++ b/workers/buildlogsarchiver/buildlogsarchiver.py
@@ -11,53 +11,57 @@ from workers.buildlogsarchiver.models_pre_oci import pre_oci_model as model
 from workers.worker import Worker
 
 POLL_PERIOD_SECONDS = 30
-MEMORY_TEMPFILE_SIZE = 64 * 1024  # Large enough to handle approximately 99% of builds in memory
+MEMORY_TEMPFILE_SIZE = (
+    64 * 1024
+)  # Large enough to handle approximately 99% of builds in memory
 
 logger = logging.getLogger(__name__)
 
 
 class ArchiveBuildLogsWorker(Worker):
-  def __init__(self):
-    super(ArchiveBuildLogsWorker, self).__init__()
-    self.add_operation(self._archive_redis_buildlogs, POLL_PERIOD_SECONDS)
+    def __init__(self):
+        super(ArchiveBuildLogsWorker, self).__init__()
+        self.add_operation(self._archive_redis_buildlogs, POLL_PERIOD_SECONDS)
 
-  def _archive_redis_buildlogs(self):
-    """ Archive a single build, choosing a candidate at random. This process must be idempotent to
+    def _archive_redis_buildlogs(self):
+        """ Archive a single build, choosing a candidate at random. This process must be idempotent to
         avoid needing two-phase commit. """
-    # Get a random build to archive
-    to_archive = model.get_archivable_build()
-    if to_archive is None:
-      logger.debug('No more builds to archive')
-      return
+        # Get a random build to archive
+        to_archive = model.get_archivable_build()
+        if to_archive is None:
+            logger.debug("No more builds to archive")
+            return
 
-    logger.debug('Archiving: %s', to_archive.uuid)
+        logger.debug("Archiving: %s", to_archive.uuid)
 
-    length, entries = build_logs.get_log_entries(to_archive.uuid, 0)
-    to_encode = {
-      'start': 0,
-      'total': length,
-      'logs': entries,
-    }
+        length, entries = build_logs.get_log_entries(to_archive.uuid, 0)
+        to_encode = {"start": 0, "total": length, "logs": entries}
 
-    if length > 0:
-      with CloseForLongOperation(app.config):
-        with SpooledTemporaryFile(MEMORY_TEMPFILE_SIZE) as tempfile:
-          with GzipFile('testarchive', fileobj=tempfile) as zipstream:
-            for chunk in StreamingJSONEncoder().iterencode(to_encode):
-              zipstream.write(chunk)
+        if length > 0:
+            with CloseForLongOperation(app.config):
+                with SpooledTemporaryFile(MEMORY_TEMPFILE_SIZE) as tempfile:
+                    with GzipFile("testarchive", fileobj=tempfile) as zipstream:
+                        for chunk in StreamingJSONEncoder().iterencode(to_encode):
+                            zipstream.write(chunk)
 
-          tempfile.seek(0)
-          log_archive.store_file(tempfile, JSON_MIMETYPE, content_encoding='gzip',
-                                 file_id=to_archive.uuid)
+                    tempfile.seek(0)
+                    log_archive.store_file(
+                        tempfile,
+                        JSON_MIMETYPE,
+                        content_encoding="gzip",
+                        file_id=to_archive.uuid,
+                    )
 
-    we_updated = model.mark_build_archived(to_archive.uuid)
-    if we_updated:
-      build_logs.expire_status(to_archive.uuid)
-      build_logs.delete_log_entries(to_archive.uuid)
-    else:
-      logger.debug('Another worker pre-empted us when archiving: %s', to_archive.uuid)
+        we_updated = model.mark_build_archived(to_archive.uuid)
+        if we_updated:
+            build_logs.expire_status(to_archive.uuid)
+            build_logs.delete_log_entries(to_archive.uuid)
+        else:
+            logger.debug(
+                "Another worker pre-empted us when archiving: %s", to_archive.uuid
+            )
 
 
 if __name__ == "__main__":
-  worker = ArchiveBuildLogsWorker()
-  worker.start()
+    worker = ArchiveBuildLogsWorker()
+    worker.start()
diff --git a/workers/buildlogsarchiver/models_interface.py b/workers/buildlogsarchiver/models_interface.py
index 123cf1679..940e87e0d 100644
--- a/workers/buildlogsarchiver/models_interface.py
+++ b/workers/buildlogsarchiver/models_interface.py
@@ -3,36 +3,36 @@ from collections import namedtuple
 from six import add_metaclass
 
 
-class Build(namedtuple('Build', ['uuid', 'logs_archived'])):
-  """
+class Build(namedtuple("Build", ["uuid", "logs_archived"])):
+    """
   Build represents a single build in the build system.
   """
 
 
 @add_metaclass(ABCMeta)
 class BuildLogsArchiverWorkerDataInterface(object):
-  """
+    """
   Interface that represents all data store interactions required by the build logs archiver worker.
   """
 
-  @abstractmethod
-  def get_archivable_build(self):
-    """ Returns a build whose logs are available for archiving. If none, returns None. """
-    pass
+    @abstractmethod
+    def get_archivable_build(self):
+        """ Returns a build whose logs are available for archiving. If none, returns None. """
+        pass
 
-  @abstractmethod
-  def get_build(self, build_uuid):
-    """ Returns the build with the matching UUID or None if none. """
-    pass
+    @abstractmethod
+    def get_build(self, build_uuid):
+        """ Returns the build with the matching UUID or None if none. """
+        pass
 
-  @abstractmethod
-  def mark_build_archived(self, build_uuid):
-    """ Marks the build with the given UUID as having its logs archived. Returns False if
+    @abstractmethod
+    def mark_build_archived(self, build_uuid):
+        """ Marks the build with the given UUID as having its logs archived. Returns False if
         the build was already marked as archived.
     """
-    pass
+        pass
 
-  @abstractmethod
-  def create_build_for_testing(self):
-    """ Creates an unarchived build for testing of archiving. """
-    pass
+    @abstractmethod
+    def create_build_for_testing(self):
+        """ Creates an unarchived build for testing of archiving. """
+        pass
diff --git a/workers/buildlogsarchiver/models_pre_oci.py b/workers/buildlogsarchiver/models_pre_oci.py
index da3ce0774..e4ebf8582 100644
--- a/workers/buildlogsarchiver/models_pre_oci.py
+++ b/workers/buildlogsarchiver/models_pre_oci.py
@@ -1,32 +1,35 @@
 from data import model
-from workers.buildlogsarchiver.models_interface import Build, BuildLogsArchiverWorkerDataInterface
+from workers.buildlogsarchiver.models_interface import (
+    Build,
+    BuildLogsArchiverWorkerDataInterface,
+)
 
 
 class PreOCIModel(BuildLogsArchiverWorkerDataInterface):
-  def get_archivable_build(self):
-    build = model.build.get_archivable_build()
-    if build is None:
-      return None
+    def get_archivable_build(self):
+        build = model.build.get_archivable_build()
+        if build is None:
+            return None
 
-    return Build(build.uuid, build.logs_archived)
+        return Build(build.uuid, build.logs_archived)
 
-  def mark_build_archived(self, build_uuid):
-    return model.build.mark_build_archived(build_uuid)
+    def mark_build_archived(self, build_uuid):
+        return model.build.mark_build_archived(build_uuid)
 
-  def create_build_for_testing(self):
-    repo = model.repository.get_repository('devtable', 'simple')
-    access_token = model.token.create_access_token(repo, 'admin')
-    build = model.build.create_repository_build(repo, access_token, {}, None, 'foo')
-    build.phase = 'error'
-    build.save()
-    return Build(build.uuid, build.logs_archived)
+    def create_build_for_testing(self):
+        repo = model.repository.get_repository("devtable", "simple")
+        access_token = model.token.create_access_token(repo, "admin")
+        build = model.build.create_repository_build(repo, access_token, {}, None, "foo")
+        build.phase = "error"
+        build.save()
+        return Build(build.uuid, build.logs_archived)
 
-  def get_build(self, build_uuid):
-    build = model.build.get_repository_build(build_uuid)
-    if build is None:
-      return None
+    def get_build(self, build_uuid):
+        build = model.build.get_repository_build(build_uuid)
+        if build is None:
+            return None
 
-    return Build(build.uuid, build.logs_archived)
+        return Build(build.uuid, build.logs_archived)
 
 
 pre_oci_model = PreOCIModel()
diff --git a/workers/buildlogsarchiver/test/test_buildlogsarchiver.py b/workers/buildlogsarchiver/test/test_buildlogsarchiver.py
index 8a05bfac3..b436e41aa 100644
--- a/workers/buildlogsarchiver/test/test_buildlogsarchiver.py
+++ b/workers/buildlogsarchiver/test/test_buildlogsarchiver.py
@@ -7,24 +7,25 @@ from test.fixtures import *
 
 from workers.buildlogsarchiver.models_pre_oci import pre_oci_model as model
 
+
 def test_logarchiving(app):
-  worker = ArchiveBuildLogsWorker()
-  logs_mock = Mock()
-  logs_mock.get_log_entries = Mock(return_value=(1, [{'some': 'entry'}]))
+    worker = ArchiveBuildLogsWorker()
+    logs_mock = Mock()
+    logs_mock.get_log_entries = Mock(return_value=(1, [{"some": "entry"}]))
 
-  # Add a build that is ready for archiving.
-  build = model.create_build_for_testing()
+    # Add a build that is ready for archiving.
+    build = model.create_build_for_testing()
 
-  with patch('workers.buildlogsarchiver.buildlogsarchiver.build_logs', logs_mock):
-    worker._archive_redis_buildlogs()
+    with patch("workers.buildlogsarchiver.buildlogsarchiver.build_logs", logs_mock):
+        worker._archive_redis_buildlogs()
 
-  # Ensure the get method was called.
-  logs_mock.get_log_entries.assert_called_once()
-  logs_mock.expire_status.assert_called_once()
-  logs_mock.delete_log_entries.assert_called_once()
+    # Ensure the get method was called.
+    logs_mock.get_log_entries.assert_called_once()
+    logs_mock.expire_status.assert_called_once()
+    logs_mock.delete_log_entries.assert_called_once()
 
-  # Ensure the build was marked as archived.
-  assert model.get_build(build.uuid).logs_archived
+    # Ensure the build was marked as archived.
+    assert model.get_build(build.uuid).logs_archived
 
-  # Ensure a file was written to storage.
-  assert storage.exists(['local_us'], 'logarchive/%s' % build.uuid)
+    # Ensure a file was written to storage.
+    assert storage.exists(["local_us"], "logarchive/%s" % build.uuid)
diff --git a/workers/chunkcleanupworker.py b/workers/chunkcleanupworker.py
index 6b08bf341..4c696e609 100644
--- a/workers/chunkcleanupworker.py
+++ b/workers/chunkcleanupworker.py
@@ -12,33 +12,41 @@ POLL_PERIOD_SECONDS = 10
 
 
 class ChunkCleanupWorker(QueueWorker):
-  """ Worker which cleans up chunks enqueued by the storage engine(s). This is typically used to
+    """ Worker which cleans up chunks enqueued by the storage engine(s). This is typically used to
       cleanup empty chunks which are no longer needed.
   """
-  def process_queue_item(self, job_details):
-    logger.debug('Got chunk cleanup queue item: %s', job_details)
-    storage_location = job_details['location']
-    storage_path = job_details['path']
 
-    if not storage.exists([storage_location], storage_path):
-      logger.debug('Chunk already deleted')
-      return
+    def process_queue_item(self, job_details):
+        logger.debug("Got chunk cleanup queue item: %s", job_details)
+        storage_location = job_details["location"]
+        storage_path = job_details["path"]
 
-    try:
-      storage.remove([storage_location], storage_path)
-    except IOError:
-      raise JobException()
+        if not storage.exists([storage_location], storage_path):
+            logger.debug("Chunk already deleted")
+            return
+
+        try:
+            storage.remove([storage_location], storage_path)
+        except IOError:
+            raise JobException()
 
 
 if __name__ == "__main__":
-  logging.config.fileConfig(logfile_path(debug=False), disable_existing_loggers=False)
+    logging.config.fileConfig(logfile_path(debug=False), disable_existing_loggers=False)
 
-  engines = set([config[0] for config in app.config.get('DISTRIBUTED_STORAGE_CONFIG', {}).values()])
-  if 'SwiftStorage' not in engines:
-    logger.debug('Swift storage not detected; sleeping')
-    while True:
-      time.sleep(10000)
+    engines = set(
+        [
+            config[0]
+            for config in app.config.get("DISTRIBUTED_STORAGE_CONFIG", {}).values()
+        ]
+    )
+    if "SwiftStorage" not in engines:
+        logger.debug("Swift storage not detected; sleeping")
+        while True:
+            time.sleep(10000)
 
-  logger.debug('Starting chunk cleanup worker')
-  worker = ChunkCleanupWorker(chunk_cleanup_queue, poll_period_seconds=POLL_PERIOD_SECONDS)
-  worker.start()
+    logger.debug("Starting chunk cleanup worker")
+    worker = ChunkCleanupWorker(
+        chunk_cleanup_queue, poll_period_seconds=POLL_PERIOD_SECONDS
+    )
+    worker.start()
diff --git a/workers/expiredappspecifictokenworker.py b/workers/expiredappspecifictokenworker.py
index 9db1aed7f..2c13182eb 100644
--- a/workers/expiredappspecifictokenworker.py
+++ b/workers/expiredappspecifictokenworker.py
@@ -3,47 +3,51 @@ import time
 
 import features
 
-from app import app # This is required to initialize the database.
+from app import app  # This is required to initialize the database.
 from data import model
 from workers.worker import Worker
 from util.log import logfile_path
 from util.timedeltastring import convert_to_timedelta
 
-POLL_PERIOD_SECONDS = 60 * 60 # 1 hour
+POLL_PERIOD_SECONDS = 60 * 60  # 1 hour
 
 logger = logging.getLogger(__name__)
 
+
 class ExpiredAppSpecificTokenWorker(Worker):
-  def __init__(self):
-    super(ExpiredAppSpecificTokenWorker, self).__init__()
+    def __init__(self):
+        super(ExpiredAppSpecificTokenWorker, self).__init__()
 
-    expiration_window = app.config.get('EXPIRED_APP_SPECIFIC_TOKEN_GC', '1d')
-    self.expiration_window = convert_to_timedelta(expiration_window)
+        expiration_window = app.config.get("EXPIRED_APP_SPECIFIC_TOKEN_GC", "1d")
+        self.expiration_window = convert_to_timedelta(expiration_window)
 
-    logger.debug('Found expiration window: %s', expiration_window)
-    self.add_operation(self._gc_expired_tokens, POLL_PERIOD_SECONDS)
+        logger.debug("Found expiration window: %s", expiration_window)
+        self.add_operation(self._gc_expired_tokens, POLL_PERIOD_SECONDS)
 
-  def _gc_expired_tokens(self):
-    """ Garbage collects any expired app specific tokens outside of the configured
+    def _gc_expired_tokens(self):
+        """ Garbage collects any expired app specific tokens outside of the configured
         window. """
-    logger.debug('Garbage collecting expired app specific tokens with window: %s',
-                 self.expiration_window)
-    model.appspecifictoken.gc_expired_tokens(self.expiration_window)
-    return True
+        logger.debug(
+            "Garbage collecting expired app specific tokens with window: %s",
+            self.expiration_window,
+        )
+        model.appspecifictoken.gc_expired_tokens(self.expiration_window)
+        return True
+
 
 if __name__ == "__main__":
-  logging.config.fileConfig(logfile_path(debug=False), disable_existing_loggers=False)
+    logging.config.fileConfig(logfile_path(debug=False), disable_existing_loggers=False)
 
-  if not features.APP_SPECIFIC_TOKENS:
-    logger.debug('App specific tokens disabled; skipping')
-    while True:
-      time.sleep(100000)
-  
-  if app.config.get('EXPIRED_APP_SPECIFIC_TOKEN_GC') is None:
-    logger.debug('GC of App specific tokens is disabled; skipping')
-    while True:
-      time.sleep(100000)
+    if not features.APP_SPECIFIC_TOKENS:
+        logger.debug("App specific tokens disabled; skipping")
+        while True:
+            time.sleep(100000)
 
-  logger.debug('Starting expired app specific token GC worker')
-  worker = ExpiredAppSpecificTokenWorker()
-  worker.start()
+    if app.config.get("EXPIRED_APP_SPECIFIC_TOKEN_GC") is None:
+        logger.debug("GC of App specific tokens is disabled; skipping")
+        while True:
+            time.sleep(100000)
+
+    logger.debug("Starting expired app specific token GC worker")
+    worker = ExpiredAppSpecificTokenWorker()
+    worker.start()
diff --git a/workers/exportactionlogsworker.py b/workers/exportactionlogsworker.py
index 11b6478ea..645490c54 100644
--- a/workers/exportactionlogsworker.py
+++ b/workers/exportactionlogsworker.py
@@ -11,7 +11,13 @@ from enum import Enum, unique
 
 import features
 
-from app import app, export_action_logs_queue, storage as app_storage, get_app_url, avatar
+from app import (
+    app,
+    export_action_logs_queue,
+    storage as app_storage,
+    get_app_url,
+    avatar,
+)
 from endpoints.api import format_date
 from data.logs_model import logs_model
 from data.logs_model.interface import LogsIterationTimeout
@@ -22,239 +28,321 @@ from util.useremails import send_logs_exported_email
 logger = logging.getLogger(__name__)
 
 
-POLL_PERIOD_SECONDS = app.config.get('EXPORT_ACTION_LOGS_WORKER_POLL_PERIOD', 60)
+POLL_PERIOD_SECONDS = app.config.get("EXPORT_ACTION_LOGS_WORKER_POLL_PERIOD", 60)
 
-EXPORT_LOGS_STORAGE_PATH = app.config.get('EXPORT_ACTION_LOGS_STORAGE_PATH', 'exportedactionlogs')
-MAXIMUM_WORK_PERIOD_SECONDS = app.config.get('EXPORT_ACTION_LOGS_MAXIMUM_SECONDS', 60 * 60) # 1 hour
-MAXIMUM_QUERY_TIME_SECONDS = app.config.get('EXPORT_ACTION_LOGS_MAXIMUM_QUERY_TIME_SECONDS', 30)
-EXPORTED_LOGS_EXPIRATION_SECONDS = app.config.get('EXPORT_ACTION_LOGS_SECONDS', 60 * 60) # 1 hour
+EXPORT_LOGS_STORAGE_PATH = app.config.get(
+    "EXPORT_ACTION_LOGS_STORAGE_PATH", "exportedactionlogs"
+)
+MAXIMUM_WORK_PERIOD_SECONDS = app.config.get(
+    "EXPORT_ACTION_LOGS_MAXIMUM_SECONDS", 60 * 60
+)  # 1 hour
+MAXIMUM_QUERY_TIME_SECONDS = app.config.get(
+    "EXPORT_ACTION_LOGS_MAXIMUM_QUERY_TIME_SECONDS", 30
+)
+EXPORTED_LOGS_EXPIRATION_SECONDS = app.config.get(
+    "EXPORT_ACTION_LOGS_SECONDS", 60 * 60
+)  # 1 hour
 
 
 @unique
 class ExportResult(Enum):
-  # NOTE: Make sure to handle these in `logsexported.html` in `emails`
-  INVALID_REQUEST = 'invalidrequest'
-  OPERATION_TIMEDOUT = 'timedout'
-  FAILED_EXPORT = 'failed'
-  SUCCESSFUL_EXPORT = 'success'
+    # NOTE: Make sure to handle these in `logsexported.html` in `emails`
+    INVALID_REQUEST = "invalidrequest"
+    OPERATION_TIMEDOUT = "timedout"
+    FAILED_EXPORT = "failed"
+    SUCCESSFUL_EXPORT = "success"
 
 
 class ExportActionLogsWorker(QueueWorker):
-  """ Worker which exports action logs for a namespace or a repository based on
+    """ Worker which exports action logs for a namespace or a repository based on
       a queued request from the API.
   """
-  def process_queue_item(self, job_details):
-    return self._process_queue_item(job_details, app_storage)
 
-  def _process_queue_item(self, job_details, storage):
-    logger.info('Got export actions logs queue item: %s', job_details)
+    def process_queue_item(self, job_details):
+        return self._process_queue_item(job_details, app_storage)
 
-    # job_details block (as defined in the logs.py API endpoint):
-    # {
-    #  'export_id': export_id,
-    #  'repository_id': repository.id or None,
-    #  'namespace_id': namespace.id,
-    #  'namespace_name': namespace.username,
-    #  'repository_name': repository.name or None,
-    #  'start_time': start_time,
-    #  'end_time': end_time,
-    #  'callback_url': callback_url or None,
-    #  'callback_email': callback_email or None,
-    # }
-    export_id = job_details['export_id']
+    def _process_queue_item(self, job_details, storage):
+        logger.info("Got export actions logs queue item: %s", job_details)
 
-    start_time = _parse_time(job_details['start_time'])
-    end_time = _parse_time(job_details['end_time'])
+        # job_details block (as defined in the logs.py API endpoint):
+        # {
+        #  'export_id': export_id,
+        #  'repository_id': repository.id or None,
+        #  'namespace_id': namespace.id,
+        #  'namespace_name': namespace.username,
+        #  'repository_name': repository.name or None,
+        #  'start_time': start_time,
+        #  'end_time': end_time,
+        #  'callback_url': callback_url or None,
+        #  'callback_email': callback_email or None,
+        # }
+        export_id = job_details["export_id"]
 
-    # Make sure the end time has the whole day.
-    if start_time is None or end_time is None:
-      self._report_results(job_details, ExportResult.INVALID_REQUEST)
-      return
+        start_time = _parse_time(job_details["start_time"])
+        end_time = _parse_time(job_details["end_time"])
 
-    end_time = end_time + timedelta(days=1) - timedelta(milliseconds=1)
+        # Make sure the end time has the whole day.
+        if start_time is None or end_time is None:
+            self._report_results(job_details, ExportResult.INVALID_REQUEST)
+            return
 
-    # Select the minimum and maximum IDs for the logs for the repository/namespace
-    # over the time range.
-    namespace_id = job_details['namespace_id']
-    repository_id = job_details['repository_id']
-    max_query_time = timedelta(seconds=MAXIMUM_QUERY_TIME_SECONDS)
+        end_time = end_time + timedelta(days=1) - timedelta(milliseconds=1)
 
-    # Generate a file key so that if we return an API URL, it cannot simply be constructed from
-    # just the export ID.
-    file_key = str(uuid.uuid4())
-    exported_filename = '%s-%s' % (export_id, file_key)
+        # Select the minimum and maximum IDs for the logs for the repository/namespace
+        # over the time range.
+        namespace_id = job_details["namespace_id"]
+        repository_id = job_details["repository_id"]
+        max_query_time = timedelta(seconds=MAXIMUM_QUERY_TIME_SECONDS)
 
-    # Start a chunked upload for the logs and stream them.
-    upload_id, upload_metadata = storage.initiate_chunked_upload(storage.preferred_locations)
-    export_storage_path = os.path.join(EXPORT_LOGS_STORAGE_PATH, exported_filename)
-    logger.debug('Starting chunked upload to path `%s`', export_storage_path)
+        # Generate a file key so that if we return an API URL, it cannot simply be constructed from
+        # just the export ID.
+        file_key = str(uuid.uuid4())
+        exported_filename = "%s-%s" % (export_id, file_key)
 
-    # Start with a 'json' header that contains the opening bracket, as well as basic
-    # information and the start of the `logs` array.
-    details = {
-      'start_time': format_date(start_time),
-      'end_time': format_date(end_time),
-      'namespace': job_details['namespace_name'],
-      'repository': job_details['repository_name'],
-    }
+        # Start a chunked upload for the logs and stream them.
+        upload_id, upload_metadata = storage.initiate_chunked_upload(
+            storage.preferred_locations
+        )
+        export_storage_path = os.path.join(EXPORT_LOGS_STORAGE_PATH, exported_filename)
+        logger.debug("Starting chunked upload to path `%s`", export_storage_path)
 
-    prefix_data = """{
+        # Start with a 'json' header that contains the opening bracket, as well as basic
+        # information and the start of the `logs` array.
+        details = {
+            "start_time": format_date(start_time),
+            "end_time": format_date(end_time),
+            "namespace": job_details["namespace_name"],
+            "repository": job_details["repository_name"],
+        }
+
+        prefix_data = """{
       "export_id": "%s",
       "details": %s,
       "logs": [
-    """ % (export_id, json.dumps(details))
+    """ % (
+            export_id,
+            json.dumps(details),
+        )
 
-    _, new_metadata, upload_error = storage.stream_upload_chunk(storage.preferred_locations,
-                                                                upload_id, 0,
-                                                                -1,
-                                                                BytesIO(str(prefix_data)),
-                                                                upload_metadata)
-    uploaded_byte_count = len(prefix_data)
-    if upload_error is not None:
-      logger.error('Got an error when writing chunk for `%s`: %s', export_id, upload_error)
-      storage.cancel_chunked_upload(storage.preferred_locations, upload_id, upload_metadata)
-      self._report_results(job_details, ExportResult.FAILED_EXPORT)
-      raise IOError(upload_error)
+        _, new_metadata, upload_error = storage.stream_upload_chunk(
+            storage.preferred_locations,
+            upload_id,
+            0,
+            -1,
+            BytesIO(str(prefix_data)),
+            upload_metadata,
+        )
+        uploaded_byte_count = len(prefix_data)
+        if upload_error is not None:
+            logger.error(
+                "Got an error when writing chunk for `%s`: %s", export_id, upload_error
+            )
+            storage.cancel_chunked_upload(
+                storage.preferred_locations, upload_id, upload_metadata
+            )
+            self._report_results(job_details, ExportResult.FAILED_EXPORT)
+            raise IOError(upload_error)
 
-    upload_metadata = new_metadata
-    logs_iterator = logs_model.yield_logs_for_export(start_time, end_time, repository_id,
-                                                     namespace_id, max_query_time)
+        upload_metadata = new_metadata
+        logs_iterator = logs_model.yield_logs_for_export(
+            start_time, end_time, repository_id, namespace_id, max_query_time
+        )
 
-    try:
-      # Stream the logs to storage as chunks.
-      new_metadata, uploaded_byte_count = self._stream_logs(upload_id, upload_metadata,
-                                                            uploaded_byte_count, logs_iterator,
-                                                            job_details, storage)
-      if uploaded_byte_count is None:
-        logger.error('Failed to upload streamed logs for `%s`', export_id)
-        storage.cancel_chunked_upload(storage.preferred_locations, upload_id, upload_metadata)
-        self._report_results(job_details, ExportResult.FAILED_EXPORT)
-        raise IOError('Export failed to upload')
+        try:
+            # Stream the logs to storage as chunks.
+            new_metadata, uploaded_byte_count = self._stream_logs(
+                upload_id,
+                upload_metadata,
+                uploaded_byte_count,
+                logs_iterator,
+                job_details,
+                storage,
+            )
+            if uploaded_byte_count is None:
+                logger.error("Failed to upload streamed logs for `%s`", export_id)
+                storage.cancel_chunked_upload(
+                    storage.preferred_locations, upload_id, upload_metadata
+                )
+                self._report_results(job_details, ExportResult.FAILED_EXPORT)
+                raise IOError("Export failed to upload")
 
-      upload_metadata = new_metadata
+            upload_metadata = new_metadata
 
-      # Close the JSON block.
-      suffix_data = """
+            # Close the JSON block.
+            suffix_data = """
         {"terminator": true}]
       }"""
 
-      _, new_metadata, upload_error = storage.stream_upload_chunk(storage.preferred_locations,
-                                                                  upload_id,
-                                                                  0,
-                                                                  -1,
-                                                                  BytesIO(str(suffix_data)),
-                                                                  upload_metadata)
-      if upload_error is not None:
-        logger.error('Got an error when writing chunk for `%s`: %s', export_id, upload_error)
-        storage.cancel_chunked_upload(storage.preferred_locations, upload_id, upload_metadata)
-        self._report_results(job_details, ExportResult.FAILED_EXPORT)
-        raise IOError(upload_error)
+            _, new_metadata, upload_error = storage.stream_upload_chunk(
+                storage.preferred_locations,
+                upload_id,
+                0,
+                -1,
+                BytesIO(str(suffix_data)),
+                upload_metadata,
+            )
+            if upload_error is not None:
+                logger.error(
+                    "Got an error when writing chunk for `%s`: %s",
+                    export_id,
+                    upload_error,
+                )
+                storage.cancel_chunked_upload(
+                    storage.preferred_locations, upload_id, upload_metadata
+                )
+                self._report_results(job_details, ExportResult.FAILED_EXPORT)
+                raise IOError(upload_error)
 
-      # Complete the upload.
-      upload_metadata = new_metadata
-      storage.complete_chunked_upload(storage.preferred_locations, upload_id, export_storage_path,
-                                      upload_metadata)
-    except:
-      logger.exception('Exception when exporting logs for `%s`', export_id)
-      storage.cancel_chunked_upload(storage.preferred_locations, upload_id, upload_metadata)
-      self._report_results(job_details, ExportResult.FAILED_EXPORT)
-      raise
+            # Complete the upload.
+            upload_metadata = new_metadata
+            storage.complete_chunked_upload(
+                storage.preferred_locations,
+                upload_id,
+                export_storage_path,
+                upload_metadata,
+            )
+        except:
+            logger.exception("Exception when exporting logs for `%s`", export_id)
+            storage.cancel_chunked_upload(
+                storage.preferred_locations, upload_id, upload_metadata
+            )
+            self._report_results(job_details, ExportResult.FAILED_EXPORT)
+            raise
 
-    # Invoke the callbacks.
-    export_url = storage.get_direct_download_url(storage.preferred_locations, export_storage_path,
-                                                 expires_in=EXPORTED_LOGS_EXPIRATION_SECONDS)
-    if export_url is None:
-      export_url = '%s/exportedlogs/%s' % (get_app_url(), exported_filename)
+        # Invoke the callbacks.
+        export_url = storage.get_direct_download_url(
+            storage.preferred_locations,
+            export_storage_path,
+            expires_in=EXPORTED_LOGS_EXPIRATION_SECONDS,
+        )
+        if export_url is None:
+            export_url = "%s/exportedlogs/%s" % (get_app_url(), exported_filename)
 
-    self._report_results(job_details, ExportResult.SUCCESSFUL_EXPORT, export_url)
+        self._report_results(job_details, ExportResult.SUCCESSFUL_EXPORT, export_url)
 
-  def _stream_logs(self, upload_id, upload_metadata, uploaded_byte_count, logs_iterator,
-                   job_details, storage):
-    export_id = job_details['export_id']
-    max_work_period = timedelta(seconds=MAXIMUM_WORK_PERIOD_SECONDS)
-    batch_start_time = datetime.utcnow()
+    def _stream_logs(
+        self,
+        upload_id,
+        upload_metadata,
+        uploaded_byte_count,
+        logs_iterator,
+        job_details,
+        storage,
+    ):
+        export_id = job_details["export_id"]
+        max_work_period = timedelta(seconds=MAXIMUM_WORK_PERIOD_SECONDS)
+        batch_start_time = datetime.utcnow()
 
-    try:
-      for logs in logs_iterator:
-        work_elapsed = datetime.utcnow() - batch_start_time
-        if work_elapsed > max_work_period:
-          logger.error('Retrieval of logs `%s` timed out with time of `%s`',
-                       export_id, work_elapsed)
-          self._report_results(job_details, ExportResult.OPERATION_TIMEDOUT)
-          return None, None
+        try:
+            for logs in logs_iterator:
+                work_elapsed = datetime.utcnow() - batch_start_time
+                if work_elapsed > max_work_period:
+                    logger.error(
+                        "Retrieval of logs `%s` timed out with time of `%s`",
+                        export_id,
+                        work_elapsed,
+                    )
+                    self._report_results(job_details, ExportResult.OPERATION_TIMEDOUT)
+                    return None, None
 
-        logs_data = ''
-        if logs:
-          logs_data = ','.join([json.dumps(log.to_dict(avatar, False)) for log in logs]) + ','
+                logs_data = ""
+                if logs:
+                    logs_data = (
+                        ",".join(
+                            [json.dumps(log.to_dict(avatar, False)) for log in logs]
+                        )
+                        + ","
+                    )
 
-        logs_data = logs_data.encode('utf-8')
-        if logs_data:
-          _, new_metadata, upload_error = storage.stream_upload_chunk(storage.preferred_locations,
-                                                                      upload_id,
-                                                                      0,
-                                                                      -1,
-                                                                      BytesIO(logs_data),
-                                                                      upload_metadata)
+                logs_data = logs_data.encode("utf-8")
+                if logs_data:
+                    _, new_metadata, upload_error = storage.stream_upload_chunk(
+                        storage.preferred_locations,
+                        upload_id,
+                        0,
+                        -1,
+                        BytesIO(logs_data),
+                        upload_metadata,
+                    )
 
-          if upload_error is not None:
-            logger.error('Got an error when writing chunk: %s', upload_error)
+                    if upload_error is not None:
+                        logger.error(
+                            "Got an error when writing chunk: %s", upload_error
+                        )
+                        return upload_metadata, None
+
+                    upload_metadata = new_metadata
+                    uploaded_byte_count += len(logs_data)
+        except LogsIterationTimeout:
+            logger.error(
+                "Retrieval of logs for export logs timed out at `%s`", work_elapsed
+            )
+            self._report_results(job_details, ExportResult.OPERATION_TIMEDOUT)
             return upload_metadata, None
 
-          upload_metadata = new_metadata
-          uploaded_byte_count += len(logs_data)
-    except LogsIterationTimeout:
-      logger.error('Retrieval of logs for export logs timed out at `%s`', work_elapsed)
-      self._report_results(job_details, ExportResult.OPERATION_TIMEDOUT)
-      return upload_metadata, None
+        return upload_metadata, uploaded_byte_count
 
-    return upload_metadata, uploaded_byte_count
+    def _report_results(self, job_details, result_status, exported_data_url=None):
+        logger.info(
+            "Reporting result of `%s` for %s; %s",
+            result_status,
+            job_details,
+            exported_data_url,
+        )
 
-  def _report_results(self, job_details, result_status, exported_data_url=None):
-    logger.info('Reporting result of `%s` for %s; %s', result_status, job_details,
-                exported_data_url)
+        if job_details.get("callback_url"):
+            # Post the results to the callback URL.
+            client = app.config["HTTPCLIENT"]
+            result = client.post(
+                job_details["callback_url"],
+                json={
+                    "export_id": job_details["export_id"],
+                    "start_time": job_details["start_time"],
+                    "end_time": job_details["end_time"],
+                    "namespace": job_details["namespace_name"],
+                    "repository": job_details["repository_name"],
+                    "exported_data_url": exported_data_url,
+                    "status": result_status.value,
+                },
+            )
 
-    if job_details.get('callback_url'):
-      # Post the results to the callback URL.
-      client = app.config['HTTPCLIENT']
-      result = client.post(job_details['callback_url'], json={
-        'export_id': job_details['export_id'],
-        'start_time': job_details['start_time'],
-        'end_time': job_details['end_time'],
-        'namespace': job_details['namespace_name'],
-        'repository': job_details['repository_name'],
-        'exported_data_url': exported_data_url,
-        'status': result_status.value,
-      })
+            if result.status_code != 200:
+                logger.error(
+                    "Got `%s` status code for callback URL `%s` for export `%s`",
+                    result.status_code,
+                    job_details["callback_url"],
+                    job_details["export_id"],
+                )
+                raise Exception("Got non-200 for batch logs reporting; retrying later")
 
-      if result.status_code != 200:
-        logger.error('Got `%s` status code for callback URL `%s` for export `%s`',
-                     result.status_code, job_details['callback_url'],
-                     job_details['export_id'])
-        raise Exception('Got non-200 for batch logs reporting; retrying later')
-
-    if job_details.get('callback_email'):
-      with app.app_context():
-        send_logs_exported_email(job_details['callback_email'], job_details['export_id'],
-                                 result_status.value, exported_data_url,
-                                 EXPORTED_LOGS_EXPIRATION_SECONDS)
+        if job_details.get("callback_email"):
+            with app.app_context():
+                send_logs_exported_email(
+                    job_details["callback_email"],
+                    job_details["export_id"],
+                    result_status.value,
+                    exported_data_url,
+                    EXPORTED_LOGS_EXPIRATION_SECONDS,
+                )
 
 
 def _parse_time(specified_time):
-  try:
-    return datetime.strptime(specified_time + ' UTC', '%m/%d/%Y %Z')
-  except ValueError:
-    return None
+    try:
+        return datetime.strptime(specified_time + " UTC", "%m/%d/%Y %Z")
+    except ValueError:
+        return None
 
 
 if __name__ == "__main__":
-  logging.config.fileConfig(logfile_path(debug=False), disable_existing_loggers=False)
+    logging.config.fileConfig(logfile_path(debug=False), disable_existing_loggers=False)
 
-  if not features.LOG_EXPORT:
-    logger.debug('Log export not enabled; skipping')
-    while True:
-      time.sleep(100000)
+    if not features.LOG_EXPORT:
+        logger.debug("Log export not enabled; skipping")
+        while True:
+            time.sleep(100000)
 
-  logger.debug('Starting export action logs worker')
-  worker = ExportActionLogsWorker(export_action_logs_queue,
-                                  poll_period_seconds=POLL_PERIOD_SECONDS)
-  worker.start()
+    logger.debug("Starting export action logs worker")
+    worker = ExportActionLogsWorker(
+        export_action_logs_queue, poll_period_seconds=POLL_PERIOD_SECONDS
+    )
+    worker.start()
diff --git a/workers/gc/gcworker.py b/workers/gc/gcworker.py
index 6707cf1cd..bbc84cd9e 100644
--- a/workers/gc/gcworker.py
+++ b/workers/gc/gcworker.py
@@ -11,39 +11,48 @@ from workers.worker import Worker
 
 logger = logging.getLogger(__name__)
 
+
 class GarbageCollectionWorker(Worker):
-  def __init__(self):
-    super(GarbageCollectionWorker, self).__init__()
-    self.add_operation(self._garbage_collection_repos,
-                       app.config.get('GARBAGE_COLLECTION_FREQUENCY', 30))
+    def __init__(self):
+        super(GarbageCollectionWorker, self).__init__()
+        self.add_operation(
+            self._garbage_collection_repos,
+            app.config.get("GARBAGE_COLLECTION_FREQUENCY", 30),
+        )
 
-  def _garbage_collection_repos(self):
-    """ Performs garbage collection on repositories. """
-    with UseThenDisconnect(app.config):
-      repository = find_repository_with_garbage(get_random_gc_policy())
-      if repository is None:
-        logger.debug('No repository with garbage found')
-        return
+    def _garbage_collection_repos(self):
+        """ Performs garbage collection on repositories. """
+        with UseThenDisconnect(app.config):
+            repository = find_repository_with_garbage(get_random_gc_policy())
+            if repository is None:
+                logger.debug("No repository with garbage found")
+                return
 
-      assert features.GARBAGE_COLLECTION
+            assert features.GARBAGE_COLLECTION
 
-      logger.debug('Starting GC of repository #%s (%s)', repository.id, repository.name)
-      garbage_collect_repo(repository)
-      logger.debug('Finished GC of repository #%s (%s)', repository.id, repository.name)
+            logger.debug(
+                "Starting GC of repository #%s (%s)", repository.id, repository.name
+            )
+            garbage_collect_repo(repository)
+            logger.debug(
+                "Finished GC of repository #%s (%s)", repository.id, repository.name
+            )
 
 
 if __name__ == "__main__":
-  if not features.GARBAGE_COLLECTION:
-    logger.debug('Garbage collection is disabled; skipping')
-    while True:
-      time.sleep(100000)
+    if not features.GARBAGE_COLLECTION:
+        logger.debug("Garbage collection is disabled; skipping")
+        while True:
+            time.sleep(100000)
 
-  if ((app.config.get('V3_UPGRADE_MODE') == 'production-transition') or 
-      (app.config.get('V3_UPGRADE_MODE') == 'post-oci-rollout') or
-      (app.config.get('V3_UPGRADE_MODE') == 'post-oci-roll-back-compat')):
-    logger.debug('GC worker disabled for production transition; skipping')
-    while True:
-      time.sleep(100000)
+    if (
+        (app.config.get("V3_UPGRADE_MODE") == "production-transition")
+        or (app.config.get("V3_UPGRADE_MODE") == "post-oci-rollout")
+        or (app.config.get("V3_UPGRADE_MODE") == "post-oci-roll-back-compat")
+    ):
+        logger.debug("GC worker disabled for production transition; skipping")
+        while True:
+            time.sleep(100000)
 
-  worker = GarbageCollectionWorker()
-  worker.start()
+    worker = GarbageCollectionWorker()
+    worker.start()
diff --git a/workers/gc/test/test_gcworker.py b/workers/gc/test/test_gcworker.py
index a153cf460..499c5e768 100644
--- a/workers/gc/test/test_gcworker.py
+++ b/workers/gc/test/test_gcworker.py
@@ -4,5 +4,5 @@ from test.fixtures import *
 
 
 def test_gc(initialized_db):
-  worker = GarbageCollectionWorker()
-  worker._garbage_collection_repos()
+    worker = GarbageCollectionWorker()
+    worker._garbage_collection_repos()
diff --git a/workers/globalpromstats/globalpromstats.py b/workers/globalpromstats/globalpromstats.py
index 9b97022c3..4a1df2f2f 100644
--- a/workers/globalpromstats/globalpromstats.py
+++ b/workers/globalpromstats/globalpromstats.py
@@ -10,49 +10,50 @@ from workers.worker import Worker
 
 logger = logging.getLogger(__name__)
 
-WORKER_FREQUENCY = app.config.get('GLOBAL_PROMETHEUS_STATS_FREQUENCY', 60 * 60)
+WORKER_FREQUENCY = app.config.get("GLOBAL_PROMETHEUS_STATS_FREQUENCY", 60 * 60)
 
 
 class GlobalPrometheusStatsWorker(Worker):
-  """ Worker which reports global stats (# of users, orgs, repos, etc) to Prometheus periodically.
+    """ Worker which reports global stats (# of users, orgs, repos, etc) to Prometheus periodically.
   """
-  def __init__(self):
-    super(GlobalPrometheusStatsWorker, self).__init__()
-    self.add_operation(self._try_report_stats, WORKER_FREQUENCY)
 
-  def _try_report_stats(self):
-    logger.debug('Attempting to report stats')
+    def __init__(self):
+        super(GlobalPrometheusStatsWorker, self).__init__()
+        self.add_operation(self._try_report_stats, WORKER_FREQUENCY)
 
-    try:
-      with GlobalLock('GLOBAL_PROM_STATS'):
-        self._report_stats()
-    except LockNotAcquiredException:
-      logger.debug('Could not acquire global lock for global prometheus stats')
-      return
+    def _try_report_stats(self):
+        logger.debug("Attempting to report stats")
 
-  def _report_stats(self):
-    logger.debug('Reporting global stats')
-    with UseThenDisconnect(app.config):
-      # Repository count.
-      metric_queue.repository_count.Set(model.get_repository_count())
+        try:
+            with GlobalLock("GLOBAL_PROM_STATS"):
+                self._report_stats()
+        except LockNotAcquiredException:
+            logger.debug("Could not acquire global lock for global prometheus stats")
+            return
 
-      # User counts.
-      metric_queue.user_count.Set(model.get_active_user_count())
-      metric_queue.org_count.Set(model.get_active_org_count())
-      metric_queue.robot_count.Set(model.get_robot_count())
+    def _report_stats(self):
+        logger.debug("Reporting global stats")
+        with UseThenDisconnect(app.config):
+            # Repository count.
+            metric_queue.repository_count.Set(model.get_repository_count())
+
+            # User counts.
+            metric_queue.user_count.Set(model.get_active_user_count())
+            metric_queue.org_count.Set(model.get_active_org_count())
+            metric_queue.robot_count.Set(model.get_robot_count())
 
 
 def main():
-  logging.config.fileConfig(logfile_path(debug=False), disable_existing_loggers=False)
+    logging.config.fileConfig(logfile_path(debug=False), disable_existing_loggers=False)
 
-  if not app.config.get('PROMETHEUS_AGGREGATOR_URL'):
-    logger.debug('Prometheus not enabled; skipping global stats reporting')
-    while True:
-      time.sleep(100000)
+    if not app.config.get("PROMETHEUS_AGGREGATOR_URL"):
+        logger.debug("Prometheus not enabled; skipping global stats reporting")
+        while True:
+            time.sleep(100000)
 
-  worker = GlobalPrometheusStatsWorker()
-  worker.start()
+    worker = GlobalPrometheusStatsWorker()
+    worker.start()
 
 
 if __name__ == "__main__":
-  main()
+    main()
diff --git a/workers/globalpromstats/models_interface.py b/workers/globalpromstats/models_interface.py
index 0abaa4dfb..713512bb7 100644
--- a/workers/globalpromstats/models_interface.py
+++ b/workers/globalpromstats/models_interface.py
@@ -1,27 +1,29 @@
 from abc import ABCMeta, abstractmethod
 from six import add_metaclass
 
+
 @add_metaclass(ABCMeta)
 class GlobalPromStatsWorkerDataInterface(object):
-  """
+    """
   Interface that represents all data store interactions required by the global prom stats worker.
   """
-  @abstractmethod
-  def get_repository_count(self):
-    """ Returns the number of repositories in the database. """
-    pass
 
-  @abstractmethod
-  def get_active_user_count(self):
-    """ Returns the number of active users in the database. """
-    pass
+    @abstractmethod
+    def get_repository_count(self):
+        """ Returns the number of repositories in the database. """
+        pass
 
-  @abstractmethod
-  def get_active_org_count(self):
-    """ Returns the number of active organizations in the database. """
-    pass
+    @abstractmethod
+    def get_active_user_count(self):
+        """ Returns the number of active users in the database. """
+        pass
 
-  @abstractmethod
-  def get_robot_count(self):
-    """ Returns the number of robots in the database. """
-    pass
+    @abstractmethod
+    def get_active_org_count(self):
+        """ Returns the number of active organizations in the database. """
+        pass
+
+    @abstractmethod
+    def get_robot_count(self):
+        """ Returns the number of robots in the database. """
+        pass
diff --git a/workers/globalpromstats/models_pre_oci.py b/workers/globalpromstats/models_pre_oci.py
index cef40291a..72ed2d906 100644
--- a/workers/globalpromstats/models_pre_oci.py
+++ b/workers/globalpromstats/models_pre_oci.py
@@ -2,17 +2,19 @@ from data import model
 
 from workers.globalpromstats.models_interface import GlobalPromStatsWorkerDataInterface
 
+
 class PreOCIModel(GlobalPromStatsWorkerDataInterface):
-  def get_repository_count(self):
-    return model.repository.get_repository_count()
+    def get_repository_count(self):
+        return model.repository.get_repository_count()
 
-  def get_active_user_count(self):
-    return model.user.get_active_user_count()
+    def get_active_user_count(self):
+        return model.user.get_active_user_count()
 
-  def get_active_org_count(self):
-    return model.organization.get_active_org_count()
+    def get_active_org_count(self):
+        return model.organization.get_active_org_count()
+
+    def get_robot_count(self):
+        return model.user.get_robot_count()
 
-  def get_robot_count(self):
-    return model.user.get_robot_count()
 
 pre_oci_model = PreOCIModel()
diff --git a/workers/globalpromstats/test/test_globalpromstats.py b/workers/globalpromstats/test/test_globalpromstats.py
index 3256f251f..e287cdd64 100644
--- a/workers/globalpromstats/test/test_globalpromstats.py
+++ b/workers/globalpromstats/test/test_globalpromstats.py
@@ -4,12 +4,13 @@ from workers.globalpromstats.globalpromstats import GlobalPrometheusStatsWorker
 
 from test.fixtures import *
 
-def test_reportstats(initialized_db):
-  mock = Mock()
-  with patch('workers.globalpromstats.globalpromstats.metric_queue', mock):
-    worker = GlobalPrometheusStatsWorker()
-    worker._report_stats()
 
-  mock.repository_count.Set.assert_called_once()
-  mock.org_count.Set.assert_called_once()
-  mock.robot_count.Set.assert_called_once()
+def test_reportstats(initialized_db):
+    mock = Mock()
+    with patch("workers.globalpromstats.globalpromstats.metric_queue", mock):
+        worker = GlobalPrometheusStatsWorker()
+        worker._report_stats()
+
+    mock.repository_count.Set.assert_called_once()
+    mock.org_count.Set.assert_called_once()
+    mock.robot_count.Set.assert_called_once()
diff --git a/workers/labelbackfillworker.py b/workers/labelbackfillworker.py
index b2407f606..86092e38a 100644
--- a/workers/labelbackfillworker.py
+++ b/workers/labelbackfillworker.py
@@ -6,8 +6,14 @@ import time
 from peewee import JOIN, fn, IntegrityError
 
 from app import app
-from data.database import (UseThenDisconnect, TagManifestLabel, TagManifestLabelMap,
-                           TagManifestToManifest, ManifestLabel, db_transaction)
+from data.database import (
+    UseThenDisconnect,
+    TagManifestLabel,
+    TagManifestLabelMap,
+    TagManifestToManifest,
+    ManifestLabel,
+    db_transaction,
+)
 from workers.worker import Worker
 from util.log import logfile_path
 from util.migrate.allocator import yield_random_entries
@@ -16,105 +22,111 @@ logger = logging.getLogger(__name__)
 
 WORKER_TIMEOUT = 600
 
+
 class LabelBackfillWorker(Worker):
-  def __init__(self):
-    super(LabelBackfillWorker, self).__init__()
-    self.add_operation(self._backfill_labels, WORKER_TIMEOUT)
+    def __init__(self):
+        super(LabelBackfillWorker, self).__init__()
+        self.add_operation(self._backfill_labels, WORKER_TIMEOUT)
 
-  def _candidates_to_backfill(self):
-    def missing_tmt_query():
-      return (TagManifestLabel
-              .select()
-              .join(TagManifestLabelMap, JOIN.LEFT_OUTER)
-              .where(TagManifestLabelMap.id >> None))
+    def _candidates_to_backfill(self):
+        def missing_tmt_query():
+            return (
+                TagManifestLabel.select()
+                .join(TagManifestLabelMap, JOIN.LEFT_OUTER)
+                .where(TagManifestLabelMap.id >> None)
+            )
 
-    min_id = (TagManifestLabel
-              .select(fn.Min(TagManifestLabel.id))
-              .join(TagManifestLabelMap, JOIN.LEFT_OUTER)
-              .where(TagManifestLabelMap.id >> None)
-              .scalar())
-    max_id = TagManifestLabel.select(fn.Max(TagManifestLabel.id)).scalar()
+        min_id = (
+            TagManifestLabel.select(fn.Min(TagManifestLabel.id))
+            .join(TagManifestLabelMap, JOIN.LEFT_OUTER)
+            .where(TagManifestLabelMap.id >> None)
+            .scalar()
+        )
+        max_id = TagManifestLabel.select(fn.Max(TagManifestLabel.id)).scalar()
 
-    iterator = yield_random_entries(
-      missing_tmt_query,
-      TagManifestLabel.id,
-      100,
-      max_id,
-      min_id,
-    )
+        iterator = yield_random_entries(
+            missing_tmt_query, TagManifestLabel.id, 100, max_id, min_id
+        )
 
-    return iterator
+        return iterator
 
-  def _backfill_labels(self):
-    with UseThenDisconnect(app.config):
-      iterator = self._candidates_to_backfill()
-      if iterator is None:
-        logger.debug('Found no additional labels to backfill')
-        time.sleep(10000)
-        return None
-
-      for candidate, abt, _ in iterator:
-        if not backfill_label(candidate):
-          logger.info('Another worker pre-empted us for label: %s', candidate.id)
-          abt.set()
+    def _backfill_labels(self):
+        with UseThenDisconnect(app.config):
+            iterator = self._candidates_to_backfill()
+            if iterator is None:
+                logger.debug("Found no additional labels to backfill")
+                time.sleep(10000)
+                return None
 
+            for candidate, abt, _ in iterator:
+                if not backfill_label(candidate):
+                    logger.info(
+                        "Another worker pre-empted us for label: %s", candidate.id
+                    )
+                    abt.set()
 
 
 def lookup_map_row(tag_manifest_label):
-  try:
-    TagManifestLabelMap.get(tag_manifest_label=tag_manifest_label)
-    return True
-  except TagManifestLabelMap.DoesNotExist:
-    return False
+    try:
+        TagManifestLabelMap.get(tag_manifest_label=tag_manifest_label)
+        return True
+    except TagManifestLabelMap.DoesNotExist:
+        return False
 
 
 def backfill_label(tag_manifest_label):
-  logger.info('Backfilling label %s', tag_manifest_label.id)
+    logger.info("Backfilling label %s", tag_manifest_label.id)
 
-  # Ensure that a mapping row doesn't already exist. If it does, we've been preempted.
-  if lookup_map_row(tag_manifest_label):
-    return False
-
-  # Ensure the tag manifest has been backfilled into the manifest table.
-  try:
-    tmt = TagManifestToManifest.get(tag_manifest=tag_manifest_label.annotated)
-  except TagManifestToManifest.DoesNotExist:
-    # We'll come back to this later.
-    logger.debug('Tag Manifest %s for label %s has not yet been backfilled',
-                 tag_manifest_label.annotated.id, tag_manifest_label.id)
-    return True
-
-  repository = tag_manifest_label.repository
-
-  # Create the new mapping entry and label.
-  with db_transaction():
+    # Ensure that a mapping row doesn't already exist. If it does, we've been preempted.
     if lookup_map_row(tag_manifest_label):
-      return False
-
-    label = tag_manifest_label.label
-    if tmt.manifest:
-      try:
-        manifest_label = ManifestLabel.create(manifest=tmt.manifest, label=label,
-                                              repository=repository)
-        TagManifestLabelMap.create(manifest_label=manifest_label,
-                                   tag_manifest_label=tag_manifest_label,
-                                   label=label,
-                                   manifest=tmt.manifest,
-                                   tag_manifest=tag_manifest_label.annotated)
-      except IntegrityError:
         return False
 
-  logger.info('Backfilled label %s', tag_manifest_label.id)
-  return True
+    # Ensure the tag manifest has been backfilled into the manifest table.
+    try:
+        tmt = TagManifestToManifest.get(tag_manifest=tag_manifest_label.annotated)
+    except TagManifestToManifest.DoesNotExist:
+        # We'll come back to this later.
+        logger.debug(
+            "Tag Manifest %s for label %s has not yet been backfilled",
+            tag_manifest_label.annotated.id,
+            tag_manifest_label.id,
+        )
+        return True
+
+    repository = tag_manifest_label.repository
+
+    # Create the new mapping entry and label.
+    with db_transaction():
+        if lookup_map_row(tag_manifest_label):
+            return False
+
+        label = tag_manifest_label.label
+        if tmt.manifest:
+            try:
+                manifest_label = ManifestLabel.create(
+                    manifest=tmt.manifest, label=label, repository=repository
+                )
+                TagManifestLabelMap.create(
+                    manifest_label=manifest_label,
+                    tag_manifest_label=tag_manifest_label,
+                    label=label,
+                    manifest=tmt.manifest,
+                    tag_manifest=tag_manifest_label.annotated,
+                )
+            except IntegrityError:
+                return False
+
+    logger.info("Backfilled label %s", tag_manifest_label.id)
+    return True
 
 
 if __name__ == "__main__":
-  logging.config.fileConfig(logfile_path(debug=False), disable_existing_loggers=False)
+    logging.config.fileConfig(logfile_path(debug=False), disable_existing_loggers=False)
 
-  if not app.config.get('BACKFILL_TAG_MANIFEST_LABELS', False):
-    logger.debug('Manifest label backfill disabled; skipping')
-    while True:
-      time.sleep(100000)
+    if not app.config.get("BACKFILL_TAG_MANIFEST_LABELS", False):
+        logger.debug("Manifest label backfill disabled; skipping")
+        while True:
+            time.sleep(100000)
 
-  worker = LabelBackfillWorker()
-  worker.start()
+    worker = LabelBackfillWorker()
+    worker.start()
diff --git a/workers/logrotateworker.py b/workers/logrotateworker.py
index c154029bb..d1bad0c13 100644
--- a/workers/logrotateworker.py
+++ b/workers/logrotateworker.py
@@ -18,104 +18,118 @@ from workers.worker import Worker
 
 logger = logging.getLogger(__name__)
 
-JSON_MIMETYPE = 'application/json'
+JSON_MIMETYPE = "application/json"
 MIN_LOGS_PER_ROTATION = 5000
 MEMORY_TEMPFILE_SIZE = 12 * 1024 * 1024
 
-WORKER_FREQUENCY = app.config.get('ACTION_LOG_ROTATION_FREQUENCY', 60 * 60 * 12)
-STALE_AFTER = convert_to_timedelta(app.config.get('ACTION_LOG_ROTATION_THRESHOLD', '30d'))
-MINIMUM_LOGS_AGE_FOR_ARCHIVE = convert_to_timedelta(app.config.get('MINIMUM_LOGS_AGE_FOR_ARCHIVE', '7d'))
-SAVE_PATH = app.config.get('ACTION_LOG_ARCHIVE_PATH')
-SAVE_LOCATION = app.config.get('ACTION_LOG_ARCHIVE_LOCATION')
+WORKER_FREQUENCY = app.config.get("ACTION_LOG_ROTATION_FREQUENCY", 60 * 60 * 12)
+STALE_AFTER = convert_to_timedelta(
+    app.config.get("ACTION_LOG_ROTATION_THRESHOLD", "30d")
+)
+MINIMUM_LOGS_AGE_FOR_ARCHIVE = convert_to_timedelta(
+    app.config.get("MINIMUM_LOGS_AGE_FOR_ARCHIVE", "7d")
+)
+SAVE_PATH = app.config.get("ACTION_LOG_ARCHIVE_PATH")
+SAVE_LOCATION = app.config.get("ACTION_LOG_ARCHIVE_LOCATION")
 
 
 class LogRotateWorker(Worker):
-  """ Worker used to rotate old logs out the database and into storage. """
-  def __init__(self):
-    super(LogRotateWorker, self).__init__()
-    self.add_operation(self._archive_logs, WORKER_FREQUENCY)
+    """ Worker used to rotate old logs out the database and into storage. """
 
-  def _archive_logs(self):
-    cutoff_date = datetime.now() - STALE_AFTER
-    try:
-      with GlobalLock('ACTION_LOG_ROTATION'):
-        self._perform_archiving(cutoff_date)
-    except LockNotAcquiredException:
-      return
+    def __init__(self):
+        super(LogRotateWorker, self).__init__()
+        self.add_operation(self._archive_logs, WORKER_FREQUENCY)
 
-  def _perform_archiving(self, cutoff_date):
-    assert datetime.now() - cutoff_date >= MINIMUM_LOGS_AGE_FOR_ARCHIVE
+    def _archive_logs(self):
+        cutoff_date = datetime.now() - STALE_AFTER
+        try:
+            with GlobalLock("ACTION_LOG_ROTATION"):
+                self._perform_archiving(cutoff_date)
+        except LockNotAcquiredException:
+            return
 
-    archived_files = []
-    save_location = SAVE_LOCATION
-    if not save_location:
-      # Pick the *same* save location for all instances. This is a fallback if
-      # a location was not configured.
-      save_location = storage.locations[0]
+    def _perform_archiving(self, cutoff_date):
+        assert datetime.now() - cutoff_date >= MINIMUM_LOGS_AGE_FOR_ARCHIVE
 
-    log_archive = DelegateUserfiles(app, storage, save_location, SAVE_PATH)
+        archived_files = []
+        save_location = SAVE_LOCATION
+        if not save_location:
+            # Pick the *same* save location for all instances. This is a fallback if
+            # a location was not configured.
+            save_location = storage.locations[0]
 
-    for log_rotation_context in logs_model.yield_log_rotation_context(cutoff_date,
-                                                                      MIN_LOGS_PER_ROTATION):
-      with log_rotation_context as context:
-        for logs, filename in context.yield_logs_batch():
-          formatted_logs = [log_dict(log) for log in logs]
-          logger.debug('Archiving logs rotation %s', filename)
-          _write_logs(filename, formatted_logs, log_archive)
-          logger.debug('Finished archiving logs to %s', filename)
-          archived_files.append(filename)
+        log_archive = DelegateUserfiles(app, storage, save_location, SAVE_PATH)
 
-    return archived_files
+        for log_rotation_context in logs_model.yield_log_rotation_context(
+            cutoff_date, MIN_LOGS_PER_ROTATION
+        ):
+            with log_rotation_context as context:
+                for logs, filename in context.yield_logs_batch():
+                    formatted_logs = [log_dict(log) for log in logs]
+                    logger.debug("Archiving logs rotation %s", filename)
+                    _write_logs(filename, formatted_logs, log_archive)
+                    logger.debug("Finished archiving logs to %s", filename)
+                    archived_files.append(filename)
+
+        return archived_files
 
 
 def log_dict(log):
-  """ Pretty prints a LogEntry in JSON. """
-  try:
-    metadata_json = json.loads(str(log.metadata_json))
-  except ValueError:
-    # The results returned by querying Elasticsearch does not have
-    # a top-level attribute `id` like when querying with Peewee.
-    # `random_id` is a copy of the document's `_id`.
-    logger.exception('Could not parse metadata JSON for log entry %s',
-                     log.id if hasattr(log, 'id') else log.random_id)
-    metadata_json = {'__raw': log.metadata_json}
-  except TypeError:
-    logger.exception('Could not parse metadata JSON for log entry %s',
-                     log.id if hasattr(log, 'id') else log.random_id)
-    metadata_json = {'__raw': log.metadata_json}
+    """ Pretty prints a LogEntry in JSON. """
+    try:
+        metadata_json = json.loads(str(log.metadata_json))
+    except ValueError:
+        # The results returned by querying Elasticsearch does not have
+        # a top-level attribute `id` like when querying with Peewee.
+        # `random_id` is a copy of the document's `_id`.
+        logger.exception(
+            "Could not parse metadata JSON for log entry %s",
+            log.id if hasattr(log, "id") else log.random_id,
+        )
+        metadata_json = {"__raw": log.metadata_json}
+    except TypeError:
+        logger.exception(
+            "Could not parse metadata JSON for log entry %s",
+            log.id if hasattr(log, "id") else log.random_id,
+        )
+        metadata_json = {"__raw": log.metadata_json}
 
-  return {
-    'kind_id': log.kind_id,
-    'account_id': log.account_id,
-    'performer_id': log.performer_id,
-    'repository_id': log.repository_id,
-    'datetime': str(log.datetime),
-    'ip': str(log.ip),
-    'metadata_json': metadata_json,
-  }
+    return {
+        "kind_id": log.kind_id,
+        "account_id": log.account_id,
+        "performer_id": log.performer_id,
+        "repository_id": log.repository_id,
+        "datetime": str(log.datetime),
+        "ip": str(log.ip),
+        "metadata_json": metadata_json,
+    }
 
 
 def _write_logs(filename, logs, log_archive):
-  with SpooledTemporaryFile(MEMORY_TEMPFILE_SIZE) as tempfile:
-    with GzipFile('temp_action_log_rotate', fileobj=tempfile, compresslevel=1) as zipstream:
-      for chunk in StreamingJSONEncoder().iterencode(logs):
-        zipstream.write(chunk)
+    with SpooledTemporaryFile(MEMORY_TEMPFILE_SIZE) as tempfile:
+        with GzipFile(
+            "temp_action_log_rotate", fileobj=tempfile, compresslevel=1
+        ) as zipstream:
+            for chunk in StreamingJSONEncoder().iterencode(logs):
+                zipstream.write(chunk)
 
-    tempfile.seek(0)
-    log_archive.store_file(tempfile, JSON_MIMETYPE, content_encoding='gzip', file_id=filename)
+        tempfile.seek(0)
+        log_archive.store_file(
+            tempfile, JSON_MIMETYPE, content_encoding="gzip", file_id=filename
+        )
 
 
 def main():
-  logging.config.fileConfig(logfile_path(debug=False), disable_existing_loggers=False)
+    logging.config.fileConfig(logfile_path(debug=False), disable_existing_loggers=False)
 
-  if not features.ACTION_LOG_ROTATION or None in [SAVE_PATH, SAVE_LOCATION]:
-    logger.debug('Action log rotation worker not enabled; skipping')
-    while True:
-      time.sleep(100000)
+    if not features.ACTION_LOG_ROTATION or None in [SAVE_PATH, SAVE_LOCATION]:
+        logger.debug("Action log rotation worker not enabled; skipping")
+        while True:
+            time.sleep(100000)
 
-  worker = LogRotateWorker()
-  worker.start()
+    worker = LogRotateWorker()
+    worker.start()
 
 
 if __name__ == "__main__":
-  main()
+    main()
diff --git a/workers/namespacegcworker.py b/workers/namespacegcworker.py
index 9a39a93df..1af7cea81 100644
--- a/workers/namespacegcworker.py
+++ b/workers/namespacegcworker.py
@@ -1,6 +1,6 @@
 import logging
 
-from app import  namespace_gc_queue, all_queues
+from app import namespace_gc_queue, all_queues
 from data import model
 from workers.queueworker import QueueWorker
 from util.log import logfile_path
@@ -9,21 +9,26 @@ logger = logging.getLogger(__name__)
 
 
 POLL_PERIOD_SECONDS = 60
-NAMESPACE_GC_TIMEOUT = 60 * 15 # 15 minutes
+NAMESPACE_GC_TIMEOUT = 60 * 15  # 15 minutes
+
 
 class NamespaceGCWorker(QueueWorker):
-  """ Worker which cleans up namespaces enqueued to be GCed.
+    """ Worker which cleans up namespaces enqueued to be GCed.
   """
-  def process_queue_item(self, job_details):
-    logger.debug('Got namespace GC queue item: %s', job_details)
-    marker_id = job_details['marker_id']
-    model.user.delete_namespace_via_marker(marker_id, all_queues)
+
+    def process_queue_item(self, job_details):
+        logger.debug("Got namespace GC queue item: %s", job_details)
+        marker_id = job_details["marker_id"]
+        model.user.delete_namespace_via_marker(marker_id, all_queues)
+
 
 if __name__ == "__main__":
-  logging.config.fileConfig(logfile_path(debug=False), disable_existing_loggers=False)
+    logging.config.fileConfig(logfile_path(debug=False), disable_existing_loggers=False)
 
-  logger.debug('Starting namespace GC worker')
-  worker = NamespaceGCWorker(namespace_gc_queue,
-                             poll_period_seconds=POLL_PERIOD_SECONDS,
-                             reservation_seconds=NAMESPACE_GC_TIMEOUT)
-  worker.start()
+    logger.debug("Starting namespace GC worker")
+    worker = NamespaceGCWorker(
+        namespace_gc_queue,
+        poll_period_seconds=POLL_PERIOD_SECONDS,
+        reservation_seconds=NAMESPACE_GC_TIMEOUT,
+    )
+    worker.start()
diff --git a/workers/notificationworker/models_interface.py b/workers/notificationworker/models_interface.py
index f2c54902b..df033e178 100644
--- a/workers/notificationworker/models_interface.py
+++ b/workers/notificationworker/models_interface.py
@@ -3,48 +3,59 @@ from collections import namedtuple
 from six import add_metaclass
 
 
-class Repository(namedtuple('Repository', ['namespace_name', 'name'])):
-  """
+class Repository(namedtuple("Repository", ["namespace_name", "name"])):
+    """
   Repository represents a repository.
   """
 
 
 class Notification(
-    namedtuple('Notification', [
-      'uuid', 'event_name', 'method_name', 'event_config_dict', 'method_config_dict',
-      'repository'])):
-  """
+    namedtuple(
+        "Notification",
+        [
+            "uuid",
+            "event_name",
+            "method_name",
+            "event_config_dict",
+            "method_config_dict",
+            "repository",
+        ],
+    )
+):
+    """
   Notification represents a registered notification of some kind.
   """
 
 
 @add_metaclass(ABCMeta)
 class NotificationWorkerDataInterface(object):
-  """
+    """
   Interface that represents all data store interactions required by the notification worker.
   """
 
-  @abstractmethod
-  def get_enabled_notification(self, notification_uuid):
-    """ Returns an *enabled* notification with the given UUID, or None if none. """
-    pass
+    @abstractmethod
+    def get_enabled_notification(self, notification_uuid):
+        """ Returns an *enabled* notification with the given UUID, or None if none. """
+        pass
 
-  @abstractmethod
-  def reset_number_of_failures_to_zero(self, notification):
-    """ Resets the number of failures for the given notification back to zero. """
-    pass
+    @abstractmethod
+    def reset_number_of_failures_to_zero(self, notification):
+        """ Resets the number of failures for the given notification back to zero. """
+        pass
 
-  @abstractmethod
-  def increment_notification_failure_count(self, notification):
-    """ Increments the number of failures on the given notification. """
-    pass
+    @abstractmethod
+    def increment_notification_failure_count(self, notification):
+        """ Increments the number of failures on the given notification. """
+        pass
 
-  @abstractmethod
-  def create_notification_for_testing(self, target_username, method_name=None, method_config=None):
-    """ Creates a notification for testing. """
-    pass
+    @abstractmethod
+    def create_notification_for_testing(
+        self, target_username, method_name=None, method_config=None
+    ):
+        """ Creates a notification for testing. """
+        pass
 
-  @abstractmethod
-  def user_has_local_notifications(self, target_username):
-    """ Returns whether there are any Quay-local notifications for the given user. """
-    pass
+    @abstractmethod
+    def user_has_local_notifications(self, target_username):
+        """ Returns whether there are any Quay-local notifications for the given user. """
+        pass
diff --git a/workers/notificationworker/models_pre_oci.py b/workers/notificationworker/models_pre_oci.py
index 388c698f7..cc99aa9a3 100644
--- a/workers/notificationworker/models_pre_oci.py
+++ b/workers/notificationworker/models_pre_oci.py
@@ -2,49 +2,63 @@ import json
 
 from data import model
 from workers.notificationworker.models_interface import (
-  NotificationWorkerDataInterface, Notification, Repository)
+    NotificationWorkerDataInterface,
+    Notification,
+    Repository,
+)
+
 
 def notification(notification_row):
-  """ Converts the given notification row into a notification tuple. """
-  return Notification(uuid=notification_row.uuid, event_name=notification_row.event.name,
-                      method_name=notification_row.method.name,
-                      event_config_dict=json.loads(notification_row.event_config_json or '{}'),
-                      method_config_dict=json.loads(notification_row.config_json or '{}'),
-                      repository=Repository(notification_row.repository.namespace_user.username,
-                                            notification_row.repository.name))
+    """ Converts the given notification row into a notification tuple. """
+    return Notification(
+        uuid=notification_row.uuid,
+        event_name=notification_row.event.name,
+        method_name=notification_row.method.name,
+        event_config_dict=json.loads(notification_row.event_config_json or "{}"),
+        method_config_dict=json.loads(notification_row.config_json or "{}"),
+        repository=Repository(
+            notification_row.repository.namespace_user.username,
+            notification_row.repository.name,
+        ),
+    )
+
 
 class PreOCIModel(NotificationWorkerDataInterface):
-  def get_enabled_notification(self, notification_uuid):
-    try:
-      notification_row = model.notification.get_enabled_notification(notification_uuid)
-    except model.InvalidNotificationException:
-      return None
+    def get_enabled_notification(self, notification_uuid):
+        try:
+            notification_row = model.notification.get_enabled_notification(
+                notification_uuid
+            )
+        except model.InvalidNotificationException:
+            return None
 
-    return notification(notification_row)
+        return notification(notification_row)
 
-  def reset_number_of_failures_to_zero(self, notification):
-    model.notification.reset_notification_number_of_failures(
-      notification.repository.namespace_name, notification.repository.name, notification.uuid)
+    def reset_number_of_failures_to_zero(self, notification):
+        model.notification.reset_notification_number_of_failures(
+            notification.repository.namespace_name,
+            notification.repository.name,
+            notification.uuid,
+        )
 
-  def increment_notification_failure_count(self, notification):
-    model.notification.increment_notification_failure_count(notification.uuid)
+    def increment_notification_failure_count(self, notification):
+        model.notification.increment_notification_failure_count(notification.uuid)
 
-  def create_notification_for_testing(self, target_username, method_name='quay_notification',
-                                      method_config=None):
-    repo = model.repository.get_repository('devtable', 'simple')
-    method_data = method_config or {
-      'target': {
-        'kind': 'user',
-        'name': target_username,
-      }
-    }
-    notification = model.notification.create_repo_notification(repo, 'repo_push',
-                                                               method_name, method_data, {})
-    return notification.uuid
+    def create_notification_for_testing(
+        self, target_username, method_name="quay_notification", method_config=None
+    ):
+        repo = model.repository.get_repository("devtable", "simple")
+        method_data = method_config or {
+            "target": {"kind": "user", "name": target_username}
+        }
+        notification = model.notification.create_repo_notification(
+            repo, "repo_push", method_name, method_data, {}
+        )
+        return notification.uuid
 
-  def user_has_local_notifications(self, target_username):
-    user = model.user.get_namespace_user(target_username)
-    return bool(list(model.notification.list_notifications(user)))
+    def user_has_local_notifications(self, target_username):
+        user = model.user.get_namespace_user(target_username)
+        return bool(list(model.notification.list_notifications(user)))
 
 
 pre_oci_model = PreOCIModel()
diff --git a/workers/notificationworker/notificationworker.py b/workers/notificationworker/notificationworker.py
index c4c0ba907..0b742ff4c 100644
--- a/workers/notificationworker/notificationworker.py
+++ b/workers/notificationworker/notificationworker.py
@@ -1,8 +1,14 @@
 import logging
 
 from app import notification_queue
-from notifications.notificationmethod import NotificationMethod, InvalidNotificationMethodException
-from notifications.notificationevent import NotificationEvent, InvalidNotificationEventException
+from notifications.notificationmethod import (
+    NotificationMethod,
+    InvalidNotificationMethodException,
+)
+from notifications.notificationevent import (
+    NotificationEvent,
+    InvalidNotificationEventException,
+)
 from workers.notificationworker.models_pre_oci import pre_oci_model as model
 from workers.queueworker import QueueWorker, JobException
 
@@ -10,34 +16,38 @@ logger = logging.getLogger(__name__)
 
 
 class NotificationWorker(QueueWorker):
-  def process_queue_item(self, job_details):
-    notification = model.get_enabled_notification(job_details['notification_uuid'])
-    if notification is None:
-      return
+    def process_queue_item(self, job_details):
+        notification = model.get_enabled_notification(job_details["notification_uuid"])
+        if notification is None:
+            return
 
-    event_name = notification.event_name
-    method_name = notification.method_name
+        event_name = notification.event_name
+        method_name = notification.method_name
 
-    try:
-      event_handler = NotificationEvent.get_event(event_name)
-      method_handler = NotificationMethod.get_method(method_name)
-    except InvalidNotificationMethodException as ex:
-      logger.exception('Cannot find notification method: %s', ex.message)
-      raise JobException('Cannot find notification method: %s' % ex.message)
-    except InvalidNotificationEventException as ex:
-      logger.exception('Cannot find notification event: %s', ex.message)
-      raise JobException('Cannot find notification event: %s' % ex.message)
+        try:
+            event_handler = NotificationEvent.get_event(event_name)
+            method_handler = NotificationMethod.get_method(method_name)
+        except InvalidNotificationMethodException as ex:
+            logger.exception("Cannot find notification method: %s", ex.message)
+            raise JobException("Cannot find notification method: %s" % ex.message)
+        except InvalidNotificationEventException as ex:
+            logger.exception("Cannot find notification event: %s", ex.message)
+            raise JobException("Cannot find notification event: %s" % ex.message)
 
-    if event_handler.should_perform(job_details['event_data'], notification):
-      try:
-        method_handler.perform(notification, event_handler, job_details)
-        model.reset_number_of_failures_to_zero(notification)
-      except (JobException, KeyError) as exc:
-        model.increment_notification_failure_count(notification)
-        raise exc
+        if event_handler.should_perform(job_details["event_data"], notification):
+            try:
+                method_handler.perform(notification, event_handler, job_details)
+                model.reset_number_of_failures_to_zero(notification)
+            except (JobException, KeyError) as exc:
+                model.increment_notification_failure_count(notification)
+                raise exc
 
 
 if __name__ == "__main__":
-  worker = NotificationWorker(notification_queue, poll_period_seconds=10, reservation_seconds=30,
-                              retry_after_seconds=30)
-  worker.start()
+    worker = NotificationWorker(
+        notification_queue,
+        poll_period_seconds=10,
+        reservation_seconds=30,
+        retry_after_seconds=30,
+    )
+    worker.start()
diff --git a/workers/notificationworker/test/test_notificationworker.py b/workers/notificationworker/test/test_notificationworker.py
index c414b52e1..18596f4b3 100644
--- a/workers/notificationworker/test/test_notificationworker.py
+++ b/workers/notificationworker/test/test_notificationworker.py
@@ -3,9 +3,15 @@ import pytest
 from mock import patch, Mock
 from httmock import urlmatch, HTTMock
 
-from notifications.notificationmethod import (QuayNotificationMethod, EmailMethod, WebhookMethod,
-                                              FlowdockMethod, HipchatMethod, SlackMethod,
-                                              CannotValidateNotificationMethodException)
+from notifications.notificationmethod import (
+    QuayNotificationMethod,
+    EmailMethod,
+    WebhookMethod,
+    FlowdockMethod,
+    HipchatMethod,
+    SlackMethod,
+    CannotValidateNotificationMethodException,
+)
 from notifications.notificationevent import RepoPushEvent
 from notifications.models_interface import Repository
 from workers.notificationworker.notificationworker import NotificationWorker
@@ -14,59 +20,74 @@ from test.fixtures import *
 
 from workers.notificationworker.models_pre_oci import pre_oci_model as model
 
+
 def test_basic_notification_endtoend(initialized_db):
-  # Ensure the public user doesn't have any notifications.
-  assert not model.user_has_local_notifications('public')
+    # Ensure the public user doesn't have any notifications.
+    assert not model.user_has_local_notifications("public")
 
-  # Add a basic build notification.
-  notification_uuid = model.create_notification_for_testing('public')
-  event_data = {}
+    # Add a basic build notification.
+    notification_uuid = model.create_notification_for_testing("public")
+    event_data = {}
 
-  # Fire off the queue processing.
-  worker = NotificationWorker(None)
-  worker.process_queue_item({
-    'notification_uuid': notification_uuid,
-    'event_data': event_data,
-  })
+    # Fire off the queue processing.
+    worker = NotificationWorker(None)
+    worker.process_queue_item(
+        {"notification_uuid": notification_uuid, "event_data": event_data}
+    )
 
-  # Ensure the notification was handled.
-  assert model.user_has_local_notifications('public')
+    # Ensure the notification was handled.
+    assert model.user_has_local_notifications("public")
 
 
-@pytest.mark.parametrize('method,method_config,netloc', [
-  (QuayNotificationMethod, {'target': {'name': 'devtable', 'kind': 'user'}}, None),
-  (EmailMethod, {'email': 'jschorr@devtable.com'}, None),
-  (WebhookMethod, {'url': 'http://example.com'}, 'example.com'),
-  (FlowdockMethod, {'flow_api_token': 'sometoken'}, 'api.flowdock.com'),
-  (HipchatMethod, {'notification_token': 'token', 'room_id': 'foo'}, 'api.hipchat.com'),
-  (SlackMethod, {'url': 'http://example.com'}, 'example.com'),
-])
+@pytest.mark.parametrize(
+    "method,method_config,netloc",
+    [
+        (
+            QuayNotificationMethod,
+            {"target": {"name": "devtable", "kind": "user"}},
+            None,
+        ),
+        (EmailMethod, {"email": "jschorr@devtable.com"}, None),
+        (WebhookMethod, {"url": "http://example.com"}, "example.com"),
+        (FlowdockMethod, {"flow_api_token": "sometoken"}, "api.flowdock.com"),
+        (
+            HipchatMethod,
+            {"notification_token": "token", "room_id": "foo"},
+            "api.hipchat.com",
+        ),
+        (SlackMethod, {"url": "http://example.com"}, "example.com"),
+    ],
+)
 def test_notifications(method, method_config, netloc, initialized_db):
-  url_hit = [False]
-  @urlmatch(netloc=netloc)
-  def url_handler(_, __):
-    url_hit[0] = True
-    return ''
+    url_hit = [False]
 
-  mock = Mock()
-  def get_mock(*args, **kwargs):
-    return mock
+    @urlmatch(netloc=netloc)
+    def url_handler(_, __):
+        url_hit[0] = True
+        return ""
 
-  with patch('notifications.notificationmethod.Message', get_mock):
-    with HTTMock(url_handler):
-      # Add a basic build notification.
-      notification_uuid = model.create_notification_for_testing('public',
-                                                                method_name=method.method_name(),
-                                                                method_config=method_config)
-      event_data = RepoPushEvent().get_sample_data('devtable', 'simple', {})
+    mock = Mock()
 
-      # Fire off the queue processing.
-      worker = NotificationWorker(None)
-      worker.process_queue_item({
-        'notification_uuid': notification_uuid,
-        'event_data': event_data,
-        'performer_data': {},
-      })
+    def get_mock(*args, **kwargs):
+        return mock
 
-  if netloc is not None:
-    assert url_hit[0]
+    with patch("notifications.notificationmethod.Message", get_mock):
+        with HTTMock(url_handler):
+            # Add a basic build notification.
+            notification_uuid = model.create_notification_for_testing(
+                "public", method_name=method.method_name(), method_config=method_config
+            )
+            event_data = RepoPushEvent().get_sample_data("devtable", "simple", {})
+
+            # Fire off the queue processing.
+            worker = NotificationWorker(None)
+            worker.process_queue_item(
+                {
+                    "notification_uuid": notification_uuid,
+                    "event_data": event_data,
+                    "performer_data": {},
+                }
+            )
+
+    if netloc is not None:
+        assert url_hit[0]
diff --git a/workers/queuecleanupworker.py b/workers/queuecleanupworker.py
index 763be0906..6af2501aa 100644
--- a/workers/queuecleanupworker.py
+++ b/workers/queuecleanupworker.py
@@ -14,25 +14,27 @@ logger = logging.getLogger(__name__)
 DELETION_DATE_THRESHOLD = timedelta(days=1)
 DELETION_COUNT_THRESHOLD = 50
 BATCH_SIZE = 500
-QUEUE_CLEANUP_FREQUENCY = app.config.get('QUEUE_CLEANUP_FREQUENCY', 60*60*24)
+QUEUE_CLEANUP_FREQUENCY = app.config.get("QUEUE_CLEANUP_FREQUENCY", 60 * 60 * 24)
 
 
 class QueueCleanupWorker(Worker):
-  def __init__(self):
-    super(QueueCleanupWorker, self).__init__()
-    self.add_operation(self._cleanup_queue, QUEUE_CLEANUP_FREQUENCY)
+    def __init__(self):
+        super(QueueCleanupWorker, self).__init__()
+        self.add_operation(self._cleanup_queue, QUEUE_CLEANUP_FREQUENCY)
 
-  def _cleanup_queue(self):
-    """ Performs garbage collection on the queueitem table. """
-    with UseThenDisconnect(app.config):
-      while True:
-        # Find all queue items older than the threshold (typically a week) and delete them.
-        expiration_threshold = datetime.now() - DELETION_DATE_THRESHOLD
-        deleted_count = delete_expired(expiration_threshold, DELETION_COUNT_THRESHOLD, BATCH_SIZE)
-        if deleted_count == 0:
-          return
+    def _cleanup_queue(self):
+        """ Performs garbage collection on the queueitem table. """
+        with UseThenDisconnect(app.config):
+            while True:
+                # Find all queue items older than the threshold (typically a week) and delete them.
+                expiration_threshold = datetime.now() - DELETION_DATE_THRESHOLD
+                deleted_count = delete_expired(
+                    expiration_threshold, DELETION_COUNT_THRESHOLD, BATCH_SIZE
+                )
+                if deleted_count == 0:
+                    return
 
 
 if __name__ == "__main__":
-  worker = QueueCleanupWorker()
-  worker.start()
+    worker = QueueCleanupWorker()
+    worker.start()
diff --git a/workers/queueworker.py b/workers/queueworker.py
index 8aed9fa45..5f89abf2f 100644
--- a/workers/queueworker.py
+++ b/workers/queueworker.py
@@ -9,128 +9,153 @@ from workers.worker import Worker
 
 logger = logging.getLogger(__name__)
 
+
 class JobException(Exception):
-  """ A job exception is an exception that is caused by something being malformed in the job. When
+    """ A job exception is an exception that is caused by something being malformed in the job. When
       a worker raises this exception the job will be terminated and the retry will not be returned
       to the queue. """
-  pass
+
+    pass
 
 
 class WorkerUnhealthyException(Exception):
-  """ When this exception is raised, the worker is no longer healthy and will not accept any more
+    """ When this exception is raised, the worker is no longer healthy and will not accept any more
       work. When this is raised while processing a queue item, the item should be returned to the
       queue along with another retry. """
-  pass
+
+    pass
 
 
 class QueueWorker(Worker):
-  def __init__(self, queue, poll_period_seconds=30, reservation_seconds=300,
-               watchdog_period_seconds=60, retry_after_seconds=300):
-    super(QueueWorker, self).__init__()
+    def __init__(
+        self,
+        queue,
+        poll_period_seconds=30,
+        reservation_seconds=300,
+        watchdog_period_seconds=60,
+        retry_after_seconds=300,
+    ):
+        super(QueueWorker, self).__init__()
 
-    self._poll_period_seconds = poll_period_seconds
-    self._reservation_seconds = reservation_seconds
-    self._watchdog_period_seconds = watchdog_period_seconds
-    self._retry_after_seconds = retry_after_seconds
-    self._stop = Event()
-    self._terminated = Event()
-    self._queue = queue
-    self._current_item_lock = Lock()
-    self.current_queue_item = None
+        self._poll_period_seconds = poll_period_seconds
+        self._reservation_seconds = reservation_seconds
+        self._watchdog_period_seconds = watchdog_period_seconds
+        self._retry_after_seconds = retry_after_seconds
+        self._stop = Event()
+        self._terminated = Event()
+        self._queue = queue
+        self._current_item_lock = Lock()
+        self.current_queue_item = None
 
-    # Add the various operations.
-    self.add_operation(self.poll_queue, self._poll_period_seconds)
-    self.add_operation(self.update_queue_metrics,
-                       app.config['QUEUE_WORKER_METRICS_REFRESH_SECONDS'])
-    self.add_operation(self.run_watchdog, self._watchdog_period_seconds)
+        # Add the various operations.
+        self.add_operation(self.poll_queue, self._poll_period_seconds)
+        self.add_operation(
+            self.update_queue_metrics,
+            app.config["QUEUE_WORKER_METRICS_REFRESH_SECONDS"],
+        )
+        self.add_operation(self.run_watchdog, self._watchdog_period_seconds)
 
-  def process_queue_item(self, job_details):
-    """ Processes the work for the given job. If the job fails and should be retried,
+    def process_queue_item(self, job_details):
+        """ Processes the work for the given job. If the job fails and should be retried,
         this method should raise a WorkerUnhealthyException. If the job should be marked
         as permanently failed, it should raise a JobException. Otherwise, a successful return
         of this method will remove the job from the queue as completed.
     """
-    raise NotImplementedError('Workers must implement run.')
+        raise NotImplementedError("Workers must implement run.")
 
-  def watchdog(self):
-    """ Function that gets run once every watchdog_period_seconds. """
-    pass
+    def watchdog(self):
+        """ Function that gets run once every watchdog_period_seconds. """
+        pass
 
-  def extend_processing(self, seconds_from_now, updated_data=None):
-    with self._current_item_lock:
-      if self.current_queue_item is not None:
-        self._queue.extend_processing(self.current_queue_item, seconds_from_now,
-                                      updated_data=updated_data)
-
-  def run_watchdog(self):
-    logger.debug('Running watchdog.')
-    try:
-      self.watchdog()
-    except WorkerUnhealthyException as exc:
-      logger.error('The worker has encountered an error via watchdog and will not take new jobs')
-      logger.error(exc.message)
-      self.mark_current_incomplete(restore_retry=True)
-      self._stop.set()
-
-  def poll_queue(self):
-    logger.debug('Getting work item from queue.')
-
-    with self._current_item_lock:
-      self.current_queue_item = self._queue.get(processing_time=self._reservation_seconds)
-
-    while True:
-      # Retrieve the current item in the queue over which to operate. We do so under
-      # a lock to make sure we are always retrieving an item when in a healthy state.
-      current_queue_item = None
-      with self._current_item_lock:
-        current_queue_item = self.current_queue_item
-        if current_queue_item is None:
-          break
-
-      logger.debug('Queue gave us some work: %s', current_queue_item.body)
-      job_details = json.loads(current_queue_item.body)
-
-      try:
-        with CloseForLongOperation(app.config):
-          self.process_queue_item(job_details)
-
-        self.mark_current_complete()
-
-      except JobException as jex:
-        logger.warning('An error occurred processing request: %s', current_queue_item.body)
-        logger.warning('Job exception: %s', jex)
-        self.mark_current_incomplete(restore_retry=False)
-
-      except WorkerUnhealthyException as exc:
-        logger.error('The worker has encountered an error via the job and will not take new jobs')
-        logger.error(exc.message)
-        self.mark_current_incomplete(restore_retry=True)
-        self._stop.set()
-
-      if not self._stop.is_set():
+    def extend_processing(self, seconds_from_now, updated_data=None):
         with self._current_item_lock:
-          self.current_queue_item = self._queue.get(processing_time=self._reservation_seconds)
+            if self.current_queue_item is not None:
+                self._queue.extend_processing(
+                    self.current_queue_item, seconds_from_now, updated_data=updated_data
+                )
 
-    if not self._stop.is_set():
-      logger.debug('No more work.')
+    def run_watchdog(self):
+        logger.debug("Running watchdog.")
+        try:
+            self.watchdog()
+        except WorkerUnhealthyException as exc:
+            logger.error(
+                "The worker has encountered an error via watchdog and will not take new jobs"
+            )
+            logger.error(exc.message)
+            self.mark_current_incomplete(restore_retry=True)
+            self._stop.set()
 
-  def update_queue_metrics(self):
-    self._queue.update_metrics()
+    def poll_queue(self):
+        logger.debug("Getting work item from queue.")
 
-  def mark_current_incomplete(self, restore_retry=False):
-    with self._current_item_lock:
-      if self.current_queue_item is not None:
-        self._queue.incomplete(self.current_queue_item, restore_retry=restore_retry,
-                               retry_after=self._retry_after_seconds)
-        self.current_queue_item = None
+        with self._current_item_lock:
+            self.current_queue_item = self._queue.get(
+                processing_time=self._reservation_seconds
+            )
 
-  def mark_current_complete(self):
-    with self._current_item_lock:
-      if self.current_queue_item is not None:
-        self._queue.complete(self.current_queue_item)
-        self.current_queue_item = None
+        while True:
+            # Retrieve the current item in the queue over which to operate. We do so under
+            # a lock to make sure we are always retrieving an item when in a healthy state.
+            current_queue_item = None
+            with self._current_item_lock:
+                current_queue_item = self.current_queue_item
+                if current_queue_item is None:
+                    break
 
-  def ungracefully_terminated(self):
-    # Give back the retry that we took for this queue item so that if it were down to zero
-    # retries it will still be picked up by another worker
-    self.mark_current_incomplete()
+            logger.debug("Queue gave us some work: %s", current_queue_item.body)
+            job_details = json.loads(current_queue_item.body)
+
+            try:
+                with CloseForLongOperation(app.config):
+                    self.process_queue_item(job_details)
+
+                self.mark_current_complete()
+
+            except JobException as jex:
+                logger.warning(
+                    "An error occurred processing request: %s", current_queue_item.body
+                )
+                logger.warning("Job exception: %s", jex)
+                self.mark_current_incomplete(restore_retry=False)
+
+            except WorkerUnhealthyException as exc:
+                logger.error(
+                    "The worker has encountered an error via the job and will not take new jobs"
+                )
+                logger.error(exc.message)
+                self.mark_current_incomplete(restore_retry=True)
+                self._stop.set()
+
+            if not self._stop.is_set():
+                with self._current_item_lock:
+                    self.current_queue_item = self._queue.get(
+                        processing_time=self._reservation_seconds
+                    )
+
+        if not self._stop.is_set():
+            logger.debug("No more work.")
+
+    def update_queue_metrics(self):
+        self._queue.update_metrics()
+
+    def mark_current_incomplete(self, restore_retry=False):
+        with self._current_item_lock:
+            if self.current_queue_item is not None:
+                self._queue.incomplete(
+                    self.current_queue_item,
+                    restore_retry=restore_retry,
+                    retry_after=self._retry_after_seconds,
+                )
+                self.current_queue_item = None
+
+    def mark_current_complete(self):
+        with self._current_item_lock:
+            if self.current_queue_item is not None:
+                self._queue.complete(self.current_queue_item)
+                self.current_queue_item = None
+
+    def ungracefully_terminated(self):
+        # Give back the retry that we took for this queue item so that if it were down to zero
+        # retries it will still be picked up by another worker
+        self.mark_current_incomplete()
diff --git a/workers/repomirrorworker/__init__.py b/workers/repomirrorworker/__init__.py
index ceb48f7a6..8b4c63b53 100644
--- a/workers/repomirrorworker/__init__.py
+++ b/workers/repomirrorworker/__init__.py
@@ -20,261 +20,391 @@ from util.audit import wrap_repository
 from workers.repomirrorworker.repo_mirror_model import repo_mirror_model as model
 
 logger = logging.getLogger(__name__)
-unmirrored_repositories_gauge = prometheus.create_gauge('unmirrored_repositories',
-                                                        'Number of repositories that need to be scanned.')
+unmirrored_repositories_gauge = prometheus.create_gauge(
+    "unmirrored_repositories", "Number of repositories that need to be scanned."
+)
+
 
 class PreemptedException(Exception):
-  """ Exception raised if another worker analyzed the image before this worker was able to do so.
+    """ Exception raised if another worker analyzed the image before this worker was able to do so.
   """
 
+
 class RepoMirrorSkopeoException(Exception):
-  """ Exception from skopeo
+    """ Exception from skopeo
   """
-  def __init__(self, message, stdout, stderr):
-    self.message = message
-    self.stdout = stdout
-    self.stderr = stderr
+
+    def __init__(self, message, stdout, stderr):
+        self.message = message
+        self.stdout = stdout
+        self.stderr = stderr
 
 
 def process_mirrors(skopeo, token=None):
-  """ Performs mirroring of repositories whose last sync time is greater than sync interval.
+    """ Performs mirroring of repositories whose last sync time is greater than sync interval.
       If a token is provided, scanning will begin where the token indicates it previously completed.
   """
 
-  if not features.REPO_MIRROR:
-    logger.debug('Repository mirror disabled; skipping RepoMirrorWorker process_mirrors')
-    return None
-
-  iterator, next_token = model.repositories_to_mirror(start_token=token)
-  if iterator is None:
-    logger.debug('Found no additional repositories to mirror')
-    return next_token
-
-  with database.UseThenDisconnect(app.config):
-    for mirror, abt, num_remaining in iterator:
-      try:
-        perform_mirror(skopeo, mirror)
-      except PreemptedException:
-        logger.info('Another repository mirror worker pre-empted us for repository: %s', mirror.id)
-        abt.set()
-      except Exception as e:  # TODO: define exceptions
-        logger.exception('Repository Mirror service unavailable')
+    if not features.REPO_MIRROR:
+        logger.debug(
+            "Repository mirror disabled; skipping RepoMirrorWorker process_mirrors"
+        )
         return None
 
-      unmirrored_repositories_gauge.Set(num_remaining)
+    iterator, next_token = model.repositories_to_mirror(start_token=token)
+    if iterator is None:
+        logger.debug("Found no additional repositories to mirror")
+        return next_token
 
-  return next_token
+    with database.UseThenDisconnect(app.config):
+        for mirror, abt, num_remaining in iterator:
+            try:
+                perform_mirror(skopeo, mirror)
+            except PreemptedException:
+                logger.info(
+                    "Another repository mirror worker pre-empted us for repository: %s",
+                    mirror.id,
+                )
+                abt.set()
+            except Exception as e:  # TODO: define exceptions
+                logger.exception("Repository Mirror service unavailable")
+                return None
+
+            unmirrored_repositories_gauge.Set(num_remaining)
+
+    return next_token
 
 
 def perform_mirror(skopeo, mirror):
-  """Run mirror on all matching tags of remote repository."""
+    """Run mirror on all matching tags of remote repository."""
 
-  if os.getenv('DEBUGLOG', 'false').lower() == 'true':
-    verbose_logs = True
-  else:
-    verbose_logs = False
+    if os.getenv("DEBUGLOG", "false").lower() == "true":
+        verbose_logs = True
+    else:
+        verbose_logs = False
 
-  mirror = claim_mirror(mirror)
-  if (mirror == None):
-    raise PreemptedException
+    mirror = claim_mirror(mirror)
+    if mirror == None:
+        raise PreemptedException
 
-  emit_log(mirror, "repo_mirror_sync_started", "start", "'%s' with tag pattern '%s'" % (mirror.external_reference,
-                                                                  ",".join(mirror.root_rule.rule_value)))
+    emit_log(
+        mirror,
+        "repo_mirror_sync_started",
+        "start",
+        "'%s' with tag pattern '%s'"
+        % (mirror.external_reference, ",".join(mirror.root_rule.rule_value)),
+    )
 
-  # Fetch the tags to mirror, being careful to handle exceptions. The 'Exception' is safety net only, allowing
-  # easy communication by user through bug report.
-  tags = []
-  try:
-    tags = tags_to_mirror(skopeo, mirror)
-  except RepoMirrorSkopeoException as e:
-    emit_log(mirror, "repo_mirror_sync_failed", "end",
-             "'%s' with tag pattern '%s': %s" % (mirror.external_reference, ",".join(mirror.root_rule.rule_value), e.message),
-             tags=", ".join(tags), stdout=e.stdout, stderr=e.stderr)
-    release_mirror(mirror, RepoMirrorStatus.FAIL)
-    return
-  except Exception as e:
-    emit_log(mirror, "repo_mirror_sync_failed", "end",
-             "'%s' with tag pattern '%s': INTERNAL ERROR" % (mirror.external_reference, ",".join(mirror.root_rule.rule_value)),
-             tags=", ".join(tags), stdout="Not applicable", stderr=traceback.format_exc(e))
-    release_mirror(mirror, RepoMirrorStatus.FAIL)
-    return
-  if tags == []:
-    emit_log(mirror, "repo_mirror_sync_success", "end",
-             "'%s' with tag pattern '%s'" % (mirror.external_reference, ",".join(mirror.root_rule.rule_value)),
-             tags="No tags matched")
-    release_mirror(mirror, RepoMirrorStatus.SUCCESS)
-    return
+    # Fetch the tags to mirror, being careful to handle exceptions. The 'Exception' is safety net only, allowing
+    # easy communication by user through bug report.
+    tags = []
+    try:
+        tags = tags_to_mirror(skopeo, mirror)
+    except RepoMirrorSkopeoException as e:
+        emit_log(
+            mirror,
+            "repo_mirror_sync_failed",
+            "end",
+            "'%s' with tag pattern '%s': %s"
+            % (
+                mirror.external_reference,
+                ",".join(mirror.root_rule.rule_value),
+                e.message,
+            ),
+            tags=", ".join(tags),
+            stdout=e.stdout,
+            stderr=e.stderr,
+        )
+        release_mirror(mirror, RepoMirrorStatus.FAIL)
+        return
+    except Exception as e:
+        emit_log(
+            mirror,
+            "repo_mirror_sync_failed",
+            "end",
+            "'%s' with tag pattern '%s': INTERNAL ERROR"
+            % (mirror.external_reference, ",".join(mirror.root_rule.rule_value)),
+            tags=", ".join(tags),
+            stdout="Not applicable",
+            stderr=traceback.format_exc(e),
+        )
+        release_mirror(mirror, RepoMirrorStatus.FAIL)
+        return
+    if tags == []:
+        emit_log(
+            mirror,
+            "repo_mirror_sync_success",
+            "end",
+            "'%s' with tag pattern '%s'"
+            % (mirror.external_reference, ",".join(mirror.root_rule.rule_value)),
+            tags="No tags matched",
+        )
+        release_mirror(mirror, RepoMirrorStatus.SUCCESS)
+        return
 
-  # Sync tags
-  now_ms = database.get_epoch_timestamp_ms()
-  overall_status = RepoMirrorStatus.SUCCESS
-  try:
-    delete_obsolete_tags(mirror, tags)
+    # Sync tags
+    now_ms = database.get_epoch_timestamp_ms()
+    overall_status = RepoMirrorStatus.SUCCESS
+    try:
+        delete_obsolete_tags(mirror, tags)
 
-    username = (mirror.external_registry_username.decrypt()
-                if mirror.external_registry_username else None)
-    password = (mirror.external_registry_password.decrypt()
-                if mirror.external_registry_password else None)
-    dest_server = app.config.get('REPO_MIRROR_SERVER_HOSTNAME', None) or app.config['SERVER_HOSTNAME']
+        username = (
+            mirror.external_registry_username.decrypt()
+            if mirror.external_registry_username
+            else None
+        )
+        password = (
+            mirror.external_registry_password.decrypt()
+            if mirror.external_registry_password
+            else None
+        )
+        dest_server = (
+            app.config.get("REPO_MIRROR_SERVER_HOSTNAME", None)
+            or app.config["SERVER_HOSTNAME"]
+        )
 
-    for tag in tags:
-      src_image = "docker://%s:%s" % (mirror.external_reference, tag)
-      dest_image = "docker://%s/%s/%s:%s" % (dest_server,
-                                             mirror.repository.namespace_user.username,
-                                             mirror.repository.name, tag)
-      with database.CloseForLongOperation(app.config):
-        result = skopeo.copy(src_image, dest_image,
-                    src_tls_verify=mirror.external_registry_config.get('tls_verify', True),
-                    dest_tls_verify=app.config.get('REPO_MIRROR_TLS_VERIFY', True),  # TODO: is this a config choice or something else?
+        for tag in tags:
+            src_image = "docker://%s:%s" % (mirror.external_reference, tag)
+            dest_image = "docker://%s/%s/%s:%s" % (
+                dest_server,
+                mirror.repository.namespace_user.username,
+                mirror.repository.name,
+                tag,
+            )
+            with database.CloseForLongOperation(app.config):
+                result = skopeo.copy(
+                    src_image,
+                    dest_image,
+                    src_tls_verify=mirror.external_registry_config.get(
+                        "tls_verify", True
+                    ),
+                    dest_tls_verify=app.config.get(
+                        "REPO_MIRROR_TLS_VERIFY", True
+                    ),  # TODO: is this a config choice or something else?
                     src_username=username,
                     src_password=password,
                     dest_username=mirror.internal_robot.username,
                     dest_password=mirror.internal_robot.email,
-                    proxy=mirror.external_registry_config.get('proxy', {}),
-                    verbose_logs=verbose_logs)
+                    proxy=mirror.external_registry_config.get("proxy", {}),
+                    verbose_logs=verbose_logs,
+                )
 
-      if not result.success:
+            if not result.success:
+                overall_status = RepoMirrorStatus.FAIL
+                emit_log(
+                    mirror,
+                    "repo_mirror_sync_tag_failed",
+                    "finish",
+                    "Source '%s' failed to sync" % src_image,
+                    tag=tag,
+                    stdout=result.stdout,
+                    stderr=result.stderr,
+                )
+                logger.info("Source '%s' failed to sync." % src_image)
+            else:
+                emit_log(
+                    mirror,
+                    "repo_mirror_sync_tag_success",
+                    "finish",
+                    "Source '%s' successful sync" % src_image,
+                    tag=tag,
+                    stdout=result.stdout,
+                    stderr=result.stderr,
+                )
+                logger.info("Source '%s' successful sync." % src_image)
+
+            mirror = claim_mirror(mirror)
+            if mirror is None:
+                emit_log(
+                    mirror,
+                    "repo_mirror_sync_failed",
+                    "lost",
+                    "'%s' with tag pattern '%s'"
+                    % (
+                        mirror.external_reference,
+                        ",".join(mirror.root_rule.rule_value),
+                    ),
+                )
+    except Exception as e:
         overall_status = RepoMirrorStatus.FAIL
-        emit_log(mirror, "repo_mirror_sync_tag_failed", "finish", "Source '%s' failed to sync" % src_image,
-                 tag=tag, stdout=result.stdout, stderr=result.stderr)
-        logger.info("Source '%s' failed to sync." % src_image)
-      else:
-        emit_log(mirror, "repo_mirror_sync_tag_success", "finish", "Source '%s' successful sync" % src_image,
-                 tag=tag, stdout=result.stdout, stderr=result.stderr)
-        logger.info("Source '%s' successful sync." % src_image)
+        emit_log(
+            mirror,
+            "repo_mirror_sync_failed",
+            "end",
+            "'%s' with tag pattern '%s': INTERNAL ERROR"
+            % (mirror.external_reference, ",".join(mirror.root_rule.rule_value)),
+            tags=", ".join(tags),
+            stdout="Not applicable",
+            stderr=traceback.format_exc(e),
+        )
+        release_mirror(mirror, overall_status)
+        return
+    finally:
+        if overall_status == RepoMirrorStatus.FAIL:
+            emit_log(
+                mirror,
+                "repo_mirror_sync_failed",
+                "lost",
+                "'%s' with tag pattern '%s'"
+                % (mirror.external_reference, ",".join(mirror.root_rule.rule_value)),
+            )
+            rollback(mirror, now_ms)
+        else:
+            emit_log(
+                mirror,
+                "repo_mirror_sync_success",
+                "end",
+                "'%s' with tag pattern '%s'"
+                % (mirror.external_reference, ",".join(mirror.root_rule.rule_value)),
+                tags=", ".join(tags),
+            )
+        release_mirror(mirror, overall_status)
 
-      mirror = claim_mirror(mirror)
-      if mirror is None:
-        emit_log(mirror, "repo_mirror_sync_failed", "lost",
-               "'%s' with tag pattern '%s'" % (mirror.external_reference, ",".join(mirror.root_rule.rule_value)))
-  except Exception as e:
-    overall_status = RepoMirrorStatus.FAIL
-    emit_log(mirror, "repo_mirror_sync_failed", "end",
-             "'%s' with tag pattern '%s': INTERNAL ERROR" % (mirror.external_reference, ",".join(mirror.root_rule.rule_value)),
-           tags=", ".join(tags), stdout="Not applicable", stderr=traceback.format_exc(e))
-    release_mirror(mirror, overall_status)
-    return
-  finally:
-    if overall_status == RepoMirrorStatus.FAIL:
-      emit_log(mirror, "repo_mirror_sync_failed", "lost",
-             "'%s' with tag pattern '%s'" % (mirror.external_reference, ",".join(mirror.root_rule.rule_value)))
-      rollback(mirror, now_ms)
-    else:
-      emit_log(mirror, "repo_mirror_sync_success", "end",
-               "'%s' with tag pattern '%s'" % (mirror.external_reference, ",".join(mirror.root_rule.rule_value)),
-             tags=", ".join(tags))
-    release_mirror(mirror, overall_status)
-
-  return overall_status
+    return overall_status
 
 
 def tags_to_mirror(skopeo, mirror):
-  all_tags = get_all_tags(skopeo, mirror)
-  if all_tags == []:
-    return []
+    all_tags = get_all_tags(skopeo, mirror)
+    if all_tags == []:
+        return []
 
-  matching_tags = []
-  for pattern in mirror.root_rule.rule_value:
-    matching_tags = matching_tags + filter(lambda tag: fnmatch.fnmatch(tag, pattern), all_tags)
-  matching_tags = list(set(matching_tags))
-  matching_tags.sort()
-  return matching_tags
+    matching_tags = []
+    for pattern in mirror.root_rule.rule_value:
+        matching_tags = matching_tags + filter(
+            lambda tag: fnmatch.fnmatch(tag, pattern), all_tags
+        )
+    matching_tags = list(set(matching_tags))
+    matching_tags.sort()
+    return matching_tags
 
 
 def get_all_tags(skopeo, mirror):
-  verbose_logs = os.getenv('DEBUGLOG', 'false').lower() == 'true'
+    verbose_logs = os.getenv("DEBUGLOG", "false").lower() == "true"
 
-  username = (mirror.external_registry_username.decrypt()
-              if mirror.external_registry_username else None)
-  password = (mirror.external_registry_password.decrypt()
-              if mirror.external_registry_password else None)
+    username = (
+        mirror.external_registry_username.decrypt()
+        if mirror.external_registry_username
+        else None
+    )
+    password = (
+        mirror.external_registry_password.decrypt()
+        if mirror.external_registry_password
+        else None
+    )
 
-  with database.CloseForLongOperation(app.config):
-    result = skopeo.tags("docker://%s" % (mirror.external_reference),
-                         mirror.root_rule.rule_value,
-                         username=username,
-                         password=password,
-                         verbose_logs=verbose_logs,
-                         tls_verify=mirror.external_registry_config.get('tls_verify', True),
-                         proxy=mirror.external_registry_config.get('proxy', {}))
+    with database.CloseForLongOperation(app.config):
+        result = skopeo.tags(
+            "docker://%s" % (mirror.external_reference),
+            mirror.root_rule.rule_value,
+            username=username,
+            password=password,
+            verbose_logs=verbose_logs,
+            tls_verify=mirror.external_registry_config.get("tls_verify", True),
+            proxy=mirror.external_registry_config.get("proxy", {}),
+        )
 
-  if not result.success:
-    raise RepoMirrorSkopeoException("skopeo inspect failed: %s" % _skopeo_inspect_failure(result),
-                                    result.stdout, result.stderr)
+    if not result.success:
+        raise RepoMirrorSkopeoException(
+            "skopeo inspect failed: %s" % _skopeo_inspect_failure(result),
+            result.stdout,
+            result.stderr,
+        )
 
-  return result.tags
+    return result.tags
 
 
 def _skopeo_inspect_failure(result):
-  """
+    """
   Custom processing of skopeo error messages for user friendly description
 
   :param result: SkopeoResults object
   :return: Message to display
   """
 
-  lines = result.stderr.split("\n")
-  for line in lines:
-    if re.match('.*Error reading manifest.*', line):
-      return "No matching tags, including 'latest', to inspect for tags list"
+    lines = result.stderr.split("\n")
+    for line in lines:
+        if re.match(".*Error reading manifest.*", line):
+            return "No matching tags, including 'latest', to inspect for tags list"
 
-  return "See output"
+    return "See output"
 
 
 def rollback(mirror, since_ms):
-  """
+    """
 
   :param mirror: Mirror to perform rollback on
   :param start_time: Time mirror was started; all changes after will be undone
   :return:
   """
 
-  repository_ref = registry_model.lookup_repository(mirror.repository.namespace_user.username,
-                                                    mirror.repository.name)
-  tags, has_more = registry_model.list_repository_tag_history(repository_ref, 1, 100, since_time_ms=since_ms)
-  for tag in tags:
-    logger.debug("Repo mirroring rollback tag '%s'" % tag)
+    repository_ref = registry_model.lookup_repository(
+        mirror.repository.namespace_user.username, mirror.repository.name
+    )
+    tags, has_more = registry_model.list_repository_tag_history(
+        repository_ref, 1, 100, since_time_ms=since_ms
+    )
+    for tag in tags:
+        logger.debug("Repo mirroring rollback tag '%s'" % tag)
 
-    # If the tag has an end time, it was either deleted or moved.
-    if tag.lifetime_end_ms:
-      #  If a future entry exists with a start time equal to the end time for this tag,
-      # then the action was a move, rather than a delete and a create.
-      newer_tag = filter(lambda t: tag != t and tag.name == t.name and tag.lifetime_end_ms and
-                          t.lifetime_start_ms == tag.lifetime_end_ms, tags)[0]
-      if (newer_tag):
-        logger.debug("Repo mirroring rollback revert tag '%s'" % tag)
-        retarget_tag(tag.name, tag.manifest._db_id, is_reversion=True)
-      else:
-        logger.debug("Repo mirroring recreate tag '%s'" % tag)
-        retarget_tag(tag.name, tag.manifest._db_id, is_reversion=True)
+        # If the tag has an end time, it was either deleted or moved.
+        if tag.lifetime_end_ms:
+            #  If a future entry exists with a start time equal to the end time for this tag,
+            # then the action was a move, rather than a delete and a create.
+            newer_tag = filter(
+                lambda t: tag != t
+                and tag.name == t.name
+                and tag.lifetime_end_ms
+                and t.lifetime_start_ms == tag.lifetime_end_ms,
+                tags,
+            )[0]
+            if newer_tag:
+                logger.debug("Repo mirroring rollback revert tag '%s'" % tag)
+                retarget_tag(tag.name, tag.manifest._db_id, is_reversion=True)
+            else:
+                logger.debug("Repo mirroring recreate tag '%s'" % tag)
+                retarget_tag(tag.name, tag.manifest._db_id, is_reversion=True)
 
-    #  If the tag has a start time, it was created.
-    elif tag.lifetime_start_ms:
-      logger.debug("Repo mirroring rollback delete tag '%s'" % tag)
-      delete_tag(mirror.repository, tag.name)
+        #  If the tag has a start time, it was created.
+        elif tag.lifetime_start_ms:
+            logger.debug("Repo mirroring rollback delete tag '%s'" % tag)
+            delete_tag(mirror.repository, tag.name)
 
 
 def delete_obsolete_tags(mirror, tags):
-  existing_tags = lookup_alive_tags_shallow(mirror.repository.id)
-  obsolete_tags = list(filter(lambda tag: tag.name not in tags, existing_tags))
+    existing_tags = lookup_alive_tags_shallow(mirror.repository.id)
+    obsolete_tags = list(filter(lambda tag: tag.name not in tags, existing_tags))
 
-  for tag in obsolete_tags:
-    delete_tag(mirror.repository, tag.name)
+    for tag in obsolete_tags:
+        delete_tag(mirror.repository, tag.name)
 
-  return obsolete_tags
+    return obsolete_tags
 
 
 # TODO: better to call 'track_and_log()' https://jira.coreos.com/browse/QUAY-1821
-def emit_log(mirror, log_kind, verb, message, tag=None, tags=None, stdout=None, stderr=None):
-  logs_model.log_action(log_kind, namespace_name=mirror.repository.namespace_user.username,
-                        repository_name=mirror.repository.name,
-                        metadata={"verb": verb,
-                                  "namespace": mirror.repository.namespace_user.username,
-                                  "repo": mirror.repository.name,
-                                  "message": message,
-                                  "tag": tag,
-                                  "tags": tags,
-                                  "stdout": stdout, "stderr": stderr})
+def emit_log(
+    mirror, log_kind, verb, message, tag=None, tags=None, stdout=None, stderr=None
+):
+    logs_model.log_action(
+        log_kind,
+        namespace_name=mirror.repository.namespace_user.username,
+        repository_name=mirror.repository.name,
+        metadata={
+            "verb": verb,
+            "namespace": mirror.repository.namespace_user.username,
+            "repo": mirror.repository.name,
+            "message": message,
+            "tag": tag,
+            "tags": tags,
+            "stdout": stdout,
+            "stderr": stderr,
+        },
+    )
 
-  if log_kind in ("repo_mirror_sync_started", "repo_mirror_sync_failed", "repo_mirror_sync_success"):
-    spawn_notification(wrap_repository(mirror.repository), log_kind, {'message': message})
+    if log_kind in (
+        "repo_mirror_sync_started",
+        "repo_mirror_sync_failed",
+        "repo_mirror_sync_success",
+    ):
+        spawn_notification(
+            wrap_repository(mirror.repository), log_kind, {"message": message}
+        )
diff --git a/workers/repomirrorworker/models_interface.py b/workers/repomirrorworker/models_interface.py
index 56ec2f806..81093c94f 100644
--- a/workers/repomirrorworker/models_interface.py
+++ b/workers/repomirrorworker/models_interface.py
@@ -4,20 +4,20 @@ from collections import namedtuple
 from six import add_metaclass
 
 
-class RepoMirrorToken(namedtuple('NextRepoMirrorToken', ['min_id'])):
-  """
+class RepoMirrorToken(namedtuple("NextRepoMirrorToken", ["min_id"])):
+    """
   RepoMirrorToken represents an opaque token that can be passed between runs of the repository
   mirror worker to continue mirroring whereever the previous run left off. Note that the data of the
   token is *opaque* to the repository mirror worker, and the worker should *not* pull any data out
   or modify the token in any way.
   """
 
+
 @add_metaclass(ABCMeta)
 class RepoMirrorWorkerDataInterface(object):
-
-  @abstractmethod
-  def repositories_to_mirror(self, target_time, start_token=None):
-    """
+    @abstractmethod
+    def repositories_to_mirror(self, target_time, start_token=None):
+        """
     Returns a tuple consisting of an iterator of all the candidates to scan and a NextScanToken.
     The iterator returns a tuple for each iteration consisting of the candidate Repository, the abort
     signal, and the number of remaining candidates. If the iterator returned is None, there are
diff --git a/workers/repomirrorworker/repo_mirror_model.py b/workers/repomirrorworker/repo_mirror_model.py
index 84c93df39..e3d265857 100644
--- a/workers/repomirrorworker/repo_mirror_model.py
+++ b/workers/repomirrorworker/repo_mirror_model.py
@@ -1,42 +1,46 @@
 from math import log10
 
-from data.model.repo_mirror import (get_eligible_mirrors, get_max_id_for_repo_mirror_config,
-                                    get_min_id_for_repo_mirror_config)
+from data.model.repo_mirror import (
+    get_eligible_mirrors,
+    get_max_id_for_repo_mirror_config,
+    get_min_id_for_repo_mirror_config,
+)
 from data.database import RepoMirrorConfig
 from util.migrate.allocator import yield_random_entries
 
-from workers.repomirrorworker.models_interface import (RepoMirrorToken, RepoMirrorWorkerDataInterface)
+from workers.repomirrorworker.models_interface import (
+    RepoMirrorToken,
+    RepoMirrorWorkerDataInterface,
+)
 
 
 class RepoMirrorModel(RepoMirrorWorkerDataInterface):
-  def repositories_to_mirror(self, start_token=None):
-    def batch_query():
-      return get_eligible_mirrors()
+    def repositories_to_mirror(self, start_token=None):
+        def batch_query():
+            return get_eligible_mirrors()
 
-    # Find the minimum ID.
-    if start_token is not None:
-      min_id = start_token.min_id
-    else:
-      min_id = get_min_id_for_repo_mirror_config()
+        # Find the minimum ID.
+        if start_token is not None:
+            min_id = start_token.min_id
+        else:
+            min_id = get_min_id_for_repo_mirror_config()
 
-    # Get the ID of the last repository mirror config. Will be None if there are none in the database.
-    max_id = get_max_id_for_repo_mirror_config()
-    if max_id is None:
-      return (None, None)
+        # Get the ID of the last repository mirror config. Will be None if there are none in the database.
+        max_id = get_max_id_for_repo_mirror_config()
+        if max_id is None:
+            return (None, None)
 
-    if min_id is None or min_id > max_id:
-      return (None, None)
+        if min_id is None or min_id > max_id:
+            return (None, None)
 
-    # 4^log10(total) gives us a scalable batch size into the billions.
-    batch_size = int(4**log10(max(10, max_id - min_id)))
+        # 4^log10(total) gives us a scalable batch size into the billions.
+        batch_size = int(4 ** log10(max(10, max_id - min_id)))
 
-    iterator = yield_random_entries(
-      batch_query,
-      RepoMirrorConfig.id,
-      batch_size,
-      max_id,
-      min_id)
+        iterator = yield_random_entries(
+            batch_query, RepoMirrorConfig.id, batch_size, max_id, min_id
+        )
+
+        return (iterator, RepoMirrorToken(max_id + 1))
 
-    return (iterator, RepoMirrorToken(max_id + 1))
 
 repo_mirror_model = RepoMirrorModel()
diff --git a/workers/repomirrorworker/repomirrorworker.py b/workers/repomirrorworker/repomirrorworker.py
index 934403f79..1bdc34bed 100644
--- a/workers/repomirrorworker/repomirrorworker.py
+++ b/workers/repomirrorworker/repomirrorworker.py
@@ -19,42 +19,50 @@ DEFAULT_MIRROR_INTERVAL = 30
 
 
 class RepoMirrorWorker(Worker):
-  def __init__(self):
-    super(RepoMirrorWorker, self).__init__()
-    RepoMirrorConfigValidator(app.config.get('FEATURE_REPO_MIRROR', False)).valid()
+    def __init__(self):
+        super(RepoMirrorWorker, self).__init__()
+        RepoMirrorConfigValidator(app.config.get("FEATURE_REPO_MIRROR", False)).valid()
 
-    self._mirrorer = SkopeoMirror()
-    self._next_token = None
+        self._mirrorer = SkopeoMirror()
+        self._next_token = None
 
-    interval = app.config.get('REPO_MIRROR_INTERVAL', DEFAULT_MIRROR_INTERVAL)
-    self.add_operation(self._process_mirrors, interval)
+        interval = app.config.get("REPO_MIRROR_INTERVAL", DEFAULT_MIRROR_INTERVAL)
+        self.add_operation(self._process_mirrors, interval)
 
-  def _process_mirrors(self):
-    while True:
-      assert app.config.get('FEATURE_REPO_MIRROR', False)
+    def _process_mirrors(self):
+        while True:
+            assert app.config.get("FEATURE_REPO_MIRROR", False)
 
-      self._next_token = process_mirrors(self._mirrorer, self._next_token)
-      if self._next_token is None:
-        break
+            self._next_token = process_mirrors(self._mirrorer, self._next_token)
+            if self._next_token is None:
+                break
 
 
-if __name__ == '__main__':
-  if os.getenv('PYDEV_DEBUG', None):
-    import pydevd
-    host, port = os.getenv('PYDEV_DEBUG').split(':')
-    pydevd.settrace(host, port=int(port), stdoutToServer=True, stderrToServer=True, suspend=False)
+if __name__ == "__main__":
+    if os.getenv("PYDEV_DEBUG", None):
+        import pydevd
 
-  logging.config.fileConfig(logfile_path(debug=False), disable_existing_loggers=False)
+        host, port = os.getenv("PYDEV_DEBUG").split(":")
+        pydevd.settrace(
+            host,
+            port=int(port),
+            stdoutToServer=True,
+            stderrToServer=True,
+            suspend=False,
+        )
 
-  parser = argparse.ArgumentParser()
-  parser.add_argument('mode', metavar='MODE', type=str, nargs='?', default='',
-                      choices=['mirror', ''])
-  args = parser.parse_args()
+    logging.config.fileConfig(logfile_path(debug=False), disable_existing_loggers=False)
 
-  if not features.REPO_MIRROR:
-    logger.debug('Repository mirror disabled; skipping RepoMirrorWorker')
-    while True:
-      time.sleep(100000)
+    parser = argparse.ArgumentParser()
+    parser.add_argument(
+        "mode", metavar="MODE", type=str, nargs="?", default="", choices=["mirror", ""]
+    )
+    args = parser.parse_args()
 
-  worker = RepoMirrorWorker()
-  worker.start()
+    if not features.REPO_MIRROR:
+        logger.debug("Repository mirror disabled; skipping RepoMirrorWorker")
+        while True:
+            time.sleep(100000)
+
+    worker = RepoMirrorWorker()
+    worker.start()
diff --git a/workers/repomirrorworker/test/test_repomirrorworker.py b/workers/repomirrorworker/test/test_repomirrorworker.py
index b4d2347e8..dc4cb1dfe 100644
--- a/workers/repomirrorworker/test/test_repomirrorworker.py
+++ b/workers/repomirrorworker/test/test_repomirrorworker.py
@@ -21,496 +21,685 @@ from test.fixtures import *
 
 
 def disable_existing_mirrors(func):
-  @wraps(func)
-  def wrapper(*args, **kwargs):
-    for mirror in RepoMirrorConfig.select():
-      mirror.is_enabled = False
-      mirror.save()
+    @wraps(func)
+    def wrapper(*args, **kwargs):
+        for mirror in RepoMirrorConfig.select():
+            mirror.is_enabled = False
+            mirror.save()
 
-    func(*args, **kwargs)
+        func(*args, **kwargs)
 
-    for mirror in RepoMirrorConfig.select():
-      mirror.is_enabled = True
-      mirror.save()
+        for mirror in RepoMirrorConfig.select():
+            mirror.is_enabled = True
+            mirror.save()
 
-  return wrapper
+    return wrapper
 
 
 def _create_tag(repo, name):
-  repo_ref = registry_model.lookup_repository('mirror', 'repo')
-  with upload_blob(repo_ref, storage, BlobUploadSettings(500, 500, 500)) as upload:
-    app_config = {'TESTING': True}
-    config_json = json.dumps({
-      "config": {
-        "author": u"Repo Mirror",
-      },
-      "rootfs": {"type": "layers", "diff_ids": []},
-      "history": [
-        {
-          "created": "2019-07-30T18:37:09.284840891Z",
-          "created_by": "base",
-          "author": u"Repo Mirror",
-        },
-      ],
-    })
-    upload.upload_chunk(app_config, BytesIO(config_json))
-    blob = upload.commit_to_blob(app_config)
-  builder = DockerSchema2ManifestBuilder()
-  builder.set_config_digest(blob.digest, blob.compressed_size)
-  builder.add_layer('sha256:abcd', 1234, urls=['http://hello/world'])
-  manifest = builder.build()
+    repo_ref = registry_model.lookup_repository("mirror", "repo")
+    with upload_blob(repo_ref, storage, BlobUploadSettings(500, 500, 500)) as upload:
+        app_config = {"TESTING": True}
+        config_json = json.dumps(
+            {
+                "config": {"author": u"Repo Mirror"},
+                "rootfs": {"type": "layers", "diff_ids": []},
+                "history": [
+                    {
+                        "created": "2019-07-30T18:37:09.284840891Z",
+                        "created_by": "base",
+                        "author": u"Repo Mirror",
+                    }
+                ],
+            }
+        )
+        upload.upload_chunk(app_config, BytesIO(config_json))
+        blob = upload.commit_to_blob(app_config)
+    builder = DockerSchema2ManifestBuilder()
+    builder.set_config_digest(blob.digest, blob.compressed_size)
+    builder.add_layer("sha256:abcd", 1234, urls=["http://hello/world"])
+    manifest = builder.build()
 
-  manifest, tag = registry_model.create_manifest_and_retarget_tag(repo_ref, manifest,
-                                                                  name, storage)
+    manifest, tag = registry_model.create_manifest_and_retarget_tag(
+        repo_ref, manifest, name, storage
+    )
 
 
 @disable_existing_mirrors
-@mock.patch('util.repomirror.skopeomirror.SkopeoMirror.run_skopeo')
+@mock.patch("util.repomirror.skopeomirror.SkopeoMirror.run_skopeo")
 def test_successful_mirror(run_skopeo_mock, initialized_db, app):
-  """
+    """
   Basic test of successful mirror
   """
 
-  mirror, repo = create_mirror_repo_robot(["latest", "7.1"])
+    mirror, repo = create_mirror_repo_robot(["latest", "7.1"])
 
-  skopeo_calls = [
-    {
-      "args": ["/usr/bin/skopeo", "inspect", "--tls-verify=True", u"docker://registry.example.com/namespace/repository:latest"],
-      "results": SkopeoResults(True, [], '{"RepoTags": ["latest"]}', "")
-    }, {
-      "args": [
-        "/usr/bin/skopeo", "copy",
-        "--src-tls-verify=True", "--dest-tls-verify=True",
-        "--dest-creds", "%s:%s" % (mirror.internal_robot.username, mirror.internal_robot.email),
-        u"docker://registry.example.com/namespace/repository:latest",
-        u"docker://localhost:5000/mirror/repo:latest"
-      ],
-      "results": SkopeoResults(True, [], "stdout", "stderr")
-    }
-  ]
-  def skopeo_test(args, proxy):
-    try:
-      skopeo_call = skopeo_calls.pop(0)
-      assert args == skopeo_call['args']
-      assert proxy == {}
+    skopeo_calls = [
+        {
+            "args": [
+                "/usr/bin/skopeo",
+                "inspect",
+                "--tls-verify=True",
+                u"docker://registry.example.com/namespace/repository:latest",
+            ],
+            "results": SkopeoResults(True, [], '{"RepoTags": ["latest"]}', ""),
+        },
+        {
+            "args": [
+                "/usr/bin/skopeo",
+                "copy",
+                "--src-tls-verify=True",
+                "--dest-tls-verify=True",
+                "--dest-creds",
+                "%s:%s" % (mirror.internal_robot.username, mirror.internal_robot.email),
+                u"docker://registry.example.com/namespace/repository:latest",
+                u"docker://localhost:5000/mirror/repo:latest",
+            ],
+            "results": SkopeoResults(True, [], "stdout", "stderr"),
+        },
+    ]
 
-      return skopeo_call['results']
-    except Exception as e:
-      skopeo_calls.append(skopeo_call)
-      raise e
+    def skopeo_test(args, proxy):
+        try:
+            skopeo_call = skopeo_calls.pop(0)
+            assert args == skopeo_call["args"]
+            assert proxy == {}
 
-  run_skopeo_mock.side_effect = skopeo_test
+            return skopeo_call["results"]
+        except Exception as e:
+            skopeo_calls.append(skopeo_call)
+            raise e
 
-  worker = RepoMirrorWorker()
-  worker._process_mirrors()
+    run_skopeo_mock.side_effect = skopeo_test
 
-  assert [] == skopeo_calls
+    worker = RepoMirrorWorker()
+    worker._process_mirrors()
+
+    assert [] == skopeo_calls
 
 
 @disable_existing_mirrors
-@mock.patch('util.repomirror.skopeomirror.SkopeoMirror.run_skopeo')
+@mock.patch("util.repomirror.skopeomirror.SkopeoMirror.run_skopeo")
 def test_successful_disabled_sync_now(run_skopeo_mock, initialized_db, app):
-  """
+    """
   Disabled mirrors still allow "sync now"
   """
 
-  mirror, repo = create_mirror_repo_robot(["latest", "7.1"])
-  mirror.is_enabled = False
-  mirror.sync_status = RepoMirrorStatus.SYNC_NOW
-  mirror.save()
+    mirror, repo = create_mirror_repo_robot(["latest", "7.1"])
+    mirror.is_enabled = False
+    mirror.sync_status = RepoMirrorStatus.SYNC_NOW
+    mirror.save()
 
-  skopeo_calls = [
-    {
-      "args": ["/usr/bin/skopeo", "inspect", "--tls-verify=True", u"docker://registry.example.com/namespace/repository:latest"],
-      "results": SkopeoResults(True, [], '{"RepoTags": ["latest"]}', "")
-    }, {
-      "args": [
-        "/usr/bin/skopeo", "copy",
-        "--src-tls-verify=True", "--dest-tls-verify=True",
-        "--dest-creds", "%s:%s" % (mirror.internal_robot.username, mirror.internal_robot.email),
-        u"docker://registry.example.com/namespace/repository:latest",
-        u"docker://localhost:5000/mirror/repo:latest"
-      ],
-      "results": SkopeoResults(True, [], "stdout", "stderr")
-    }
-  ]
-  def skopeo_test(args, proxy):
-    try:
-      skopeo_call = skopeo_calls.pop(0)
-      assert args == skopeo_call['args']
-      assert proxy == {}
+    skopeo_calls = [
+        {
+            "args": [
+                "/usr/bin/skopeo",
+                "inspect",
+                "--tls-verify=True",
+                u"docker://registry.example.com/namespace/repository:latest",
+            ],
+            "results": SkopeoResults(True, [], '{"RepoTags": ["latest"]}', ""),
+        },
+        {
+            "args": [
+                "/usr/bin/skopeo",
+                "copy",
+                "--src-tls-verify=True",
+                "--dest-tls-verify=True",
+                "--dest-creds",
+                "%s:%s" % (mirror.internal_robot.username, mirror.internal_robot.email),
+                u"docker://registry.example.com/namespace/repository:latest",
+                u"docker://localhost:5000/mirror/repo:latest",
+            ],
+            "results": SkopeoResults(True, [], "stdout", "stderr"),
+        },
+    ]
 
-      return skopeo_call['results']
-    except Exception as e:
-      skopeo_calls.append(skopeo_call)
-      raise e
+    def skopeo_test(args, proxy):
+        try:
+            skopeo_call = skopeo_calls.pop(0)
+            assert args == skopeo_call["args"]
+            assert proxy == {}
 
-  run_skopeo_mock.side_effect = skopeo_test
+            return skopeo_call["results"]
+        except Exception as e:
+            skopeo_calls.append(skopeo_call)
+            raise e
 
-  worker = RepoMirrorWorker()
-  worker._process_mirrors()
+    run_skopeo_mock.side_effect = skopeo_test
 
-  assert [] == skopeo_calls
+    worker = RepoMirrorWorker()
+    worker._process_mirrors()
+
+    assert [] == skopeo_calls
 
 
 @disable_existing_mirrors
-@mock.patch('util.repomirror.skopeomirror.SkopeoMirror.run_skopeo')
-def test_successful_mirror_verbose_logs(run_skopeo_mock, initialized_db, app, monkeypatch):
-  """
+@mock.patch("util.repomirror.skopeomirror.SkopeoMirror.run_skopeo")
+def test_successful_mirror_verbose_logs(
+    run_skopeo_mock, initialized_db, app, monkeypatch
+):
+    """
   Basic test of successful mirror with verbose logs turned on
   """
 
-  mirror, repo = create_mirror_repo_robot(["latest", "7.1"])
+    mirror, repo = create_mirror_repo_robot(["latest", "7.1"])
 
-  skopeo_calls = [
-    {
-      "args": ["/usr/bin/skopeo", "--debug", "inspect", "--tls-verify=True", u"docker://registry.example.com/namespace/repository:latest"],
-      "results": SkopeoResults(True, [], '{"RepoTags": ["latest"]}', '')
-    }, {
-      "args": [
-        "/usr/bin/skopeo", "--debug", "copy",
-        "--src-tls-verify=True", "--dest-tls-verify=True",
-        "--dest-creds", "%s:%s" % (mirror.internal_robot.username, mirror.internal_robot.email),
-        u"docker://registry.example.com/namespace/repository:latest",
-        u"docker://localhost:5000/mirror/repo:latest"
-      ],
-      "results": SkopeoResults(True, [], 'Success', '')
-    }
-  ]
-  def skopeo_test(args, proxy):
-    try:
-      skopeo_call = skopeo_calls.pop(0)
-      assert args == skopeo_call['args']
-      assert proxy == {}
+    skopeo_calls = [
+        {
+            "args": [
+                "/usr/bin/skopeo",
+                "--debug",
+                "inspect",
+                "--tls-verify=True",
+                u"docker://registry.example.com/namespace/repository:latest",
+            ],
+            "results": SkopeoResults(True, [], '{"RepoTags": ["latest"]}', ""),
+        },
+        {
+            "args": [
+                "/usr/bin/skopeo",
+                "--debug",
+                "copy",
+                "--src-tls-verify=True",
+                "--dest-tls-verify=True",
+                "--dest-creds",
+                "%s:%s" % (mirror.internal_robot.username, mirror.internal_robot.email),
+                u"docker://registry.example.com/namespace/repository:latest",
+                u"docker://localhost:5000/mirror/repo:latest",
+            ],
+            "results": SkopeoResults(True, [], "Success", ""),
+        },
+    ]
 
-      return skopeo_call['results']
-    except Exception as e:
-      skopeo_calls.append(skopeo_call)
-      raise e
+    def skopeo_test(args, proxy):
+        try:
+            skopeo_call = skopeo_calls.pop(0)
+            assert args == skopeo_call["args"]
+            assert proxy == {}
 
-  run_skopeo_mock.side_effect = skopeo_test
+            return skopeo_call["results"]
+        except Exception as e:
+            skopeo_calls.append(skopeo_call)
+            raise e
 
-  monkeypatch.setenv('DEBUGLOG', 'true')
-  worker = RepoMirrorWorker()
-  worker._process_mirrors()
+    run_skopeo_mock.side_effect = skopeo_test
 
-  assert [] == skopeo_calls
+    monkeypatch.setenv("DEBUGLOG", "true")
+    worker = RepoMirrorWorker()
+    worker._process_mirrors()
+
+    assert [] == skopeo_calls
 
 
 @disable_existing_mirrors
-@mock.patch('util.repomirror.skopeomirror.SkopeoMirror.run_skopeo')
+@mock.patch("util.repomirror.skopeomirror.SkopeoMirror.run_skopeo")
 def test_rollback(run_skopeo_mock, initialized_db, app):
-  """
+    """
   Tags in the repo:
   "updated" - this tag will be updated during the mirror
   "removed" - this tag will be removed during the mirror
   "created" - this tag will be created during the mirror
   """
 
-  mirror, repo = create_mirror_repo_robot(["updated", "created", "zzerror"])
-  _create_tag(repo, "updated")
-  _create_tag(repo, "deleted")
+    mirror, repo = create_mirror_repo_robot(["updated", "created", "zzerror"])
+    _create_tag(repo, "updated")
+    _create_tag(repo, "deleted")
 
-  skopeo_calls = [
-    {
-      "args": ["/usr/bin/skopeo", "inspect", "--tls-verify=True", u"docker://registry.example.com/namespace/repository:updated"],
-      "results": SkopeoResults(True, [], '{"RepoTags": ["latest", "updated", "created", "zzerror"]}', '')
-    }, {
-      "args": [
-        "/usr/bin/skopeo", "copy",
-        "--src-tls-verify=True", "--dest-tls-verify=True",
-        "--dest-creds", "%s:%s" % (mirror.internal_robot.username, mirror.internal_robot.email),
-        u"docker://registry.example.com/namespace/repository:created",
-        u"docker://localhost:5000/mirror/repo:created"
-      ],
-      "results": SkopeoResults(True, [], 'Success', '')
-    }, {
-      "args": [
-        "/usr/bin/skopeo", "copy",
-        "--src-tls-verify=True", "--dest-tls-verify=True",
-        "--dest-creds", "%s:%s" % (mirror.internal_robot.username, mirror.internal_robot.email),
-        u"docker://registry.example.com/namespace/repository:updated",
-        u"docker://localhost:5000/mirror/repo:updated"
-      ],
-      "results": SkopeoResults(True, [], 'Success', '')
-    }, {
-      "args": [
-        "/usr/bin/skopeo", "copy",
-        "--src-tls-verify=True", "--dest-tls-verify=True",
-        "--dest-creds", "%s:%s" % (mirror.internal_robot.username, mirror.internal_robot.email),
-        u"docker://registry.example.com/namespace/repository:zzerror",
-        u"docker://localhost:5000/mirror/repo:zzerror"
-      ],
-      "results": SkopeoResults(False, [], '', 'ERROR')
-    }
-  ]
-  def skopeo_test(args, proxy):
-    try:
-      skopeo_call = skopeo_calls.pop(0)
-      assert args == skopeo_call['args']
-      assert proxy == {}
+    skopeo_calls = [
+        {
+            "args": [
+                "/usr/bin/skopeo",
+                "inspect",
+                "--tls-verify=True",
+                u"docker://registry.example.com/namespace/repository:updated",
+            ],
+            "results": SkopeoResults(
+                True,
+                [],
+                '{"RepoTags": ["latest", "updated", "created", "zzerror"]}',
+                "",
+            ),
+        },
+        {
+            "args": [
+                "/usr/bin/skopeo",
+                "copy",
+                "--src-tls-verify=True",
+                "--dest-tls-verify=True",
+                "--dest-creds",
+                "%s:%s" % (mirror.internal_robot.username, mirror.internal_robot.email),
+                u"docker://registry.example.com/namespace/repository:created",
+                u"docker://localhost:5000/mirror/repo:created",
+            ],
+            "results": SkopeoResults(True, [], "Success", ""),
+        },
+        {
+            "args": [
+                "/usr/bin/skopeo",
+                "copy",
+                "--src-tls-verify=True",
+                "--dest-tls-verify=True",
+                "--dest-creds",
+                "%s:%s" % (mirror.internal_robot.username, mirror.internal_robot.email),
+                u"docker://registry.example.com/namespace/repository:updated",
+                u"docker://localhost:5000/mirror/repo:updated",
+            ],
+            "results": SkopeoResults(True, [], "Success", ""),
+        },
+        {
+            "args": [
+                "/usr/bin/skopeo",
+                "copy",
+                "--src-tls-verify=True",
+                "--dest-tls-verify=True",
+                "--dest-creds",
+                "%s:%s" % (mirror.internal_robot.username, mirror.internal_robot.email),
+                u"docker://registry.example.com/namespace/repository:zzerror",
+                u"docker://localhost:5000/mirror/repo:zzerror",
+            ],
+            "results": SkopeoResults(False, [], "", "ERROR"),
+        },
+    ]
 
-      if args[1] == "copy" and args[6].endswith(":updated"):
-        _create_tag(repo, "updated")
-      elif args[1] == "copy" and args[6].endswith(":created"):
-        _create_tag(repo, "created")
+    def skopeo_test(args, proxy):
+        try:
+            skopeo_call = skopeo_calls.pop(0)
+            assert args == skopeo_call["args"]
+            assert proxy == {}
 
-      return skopeo_call['results']
-    except Exception as e:
-      skopeo_calls.append(skopeo_call)
-      raise e
+            if args[1] == "copy" and args[6].endswith(":updated"):
+                _create_tag(repo, "updated")
+            elif args[1] == "copy" and args[6].endswith(":created"):
+                _create_tag(repo, "created")
 
-  run_skopeo_mock.side_effect = skopeo_test
+            return skopeo_call["results"]
+        except Exception as e:
+            skopeo_calls.append(skopeo_call)
+            raise e
 
-  worker = RepoMirrorWorker()
-  worker._process_mirrors()
+    run_skopeo_mock.side_effect = skopeo_test
 
-  assert [] == skopeo_calls
-  # TODO: how to assert tag.retarget_tag() and tag.delete_tag() called?
+    worker = RepoMirrorWorker()
+    worker._process_mirrors()
+
+    assert [] == skopeo_calls
+    # TODO: how to assert tag.retarget_tag() and tag.delete_tag() called?
 
 
 def test_remove_obsolete_tags(initialized_db):
-  """
+    """
   As part of the mirror, the set of tags on the remote repository is compared to the local
   existing tags. Those not present on the remote are removed locally.
   """
 
-  mirror, repository = create_mirror_repo_robot(["updated", "created"], repo_name="removed")
-  manifest = Manifest.get()
-  image = find_create_or_link_image('removed', repository, None, {}, 'local_us')
-  tag = create_or_update_tag_for_repo(repository, 'oldtag', image.docker_image_id,
-                                      oci_manifest=manifest, reversion=True)
+    mirror, repository = create_mirror_repo_robot(
+        ["updated", "created"], repo_name="removed"
+    )
+    manifest = Manifest.get()
+    image = find_create_or_link_image("removed", repository, None, {}, "local_us")
+    tag = create_or_update_tag_for_repo(
+        repository,
+        "oldtag",
+        image.docker_image_id,
+        oci_manifest=manifest,
+        reversion=True,
+    )
 
-  incoming_tags = ["one", "two"]
-  deleted_tags = delete_obsolete_tags(mirror, incoming_tags)
+    incoming_tags = ["one", "two"]
+    deleted_tags = delete_obsolete_tags(mirror, incoming_tags)
 
-  assert [tag.name for tag in deleted_tags] == [tag.name]
+    assert [tag.name for tag in deleted_tags] == [tag.name]
 
 
 @disable_existing_mirrors
-@mock.patch('util.repomirror.skopeomirror.SkopeoMirror.run_skopeo')
-def test_mirror_config_server_hostname(run_skopeo_mock, initialized_db, app, monkeypatch):
-  """
+@mock.patch("util.repomirror.skopeomirror.SkopeoMirror.run_skopeo")
+def test_mirror_config_server_hostname(
+    run_skopeo_mock, initialized_db, app, monkeypatch
+):
+    """
   Set REPO_MIRROR_SERVER_HOSTNAME to override SERVER_HOSTNAME config
   """
 
-  mirror, repo = create_mirror_repo_robot(["latest", "7.1"])
+    mirror, repo = create_mirror_repo_robot(["latest", "7.1"])
 
-  skopeo_calls = [
-    {
-      "args": ["/usr/bin/skopeo", "--debug", "inspect", "--tls-verify=True", u"docker://registry.example.com/namespace/repository:latest"],
-      "results": SkopeoResults(True, [], '{"RepoTags": ["latest"]}', '')
-    }, {
-      "args": [
-        "/usr/bin/skopeo", "--debug", "copy",
-        "--src-tls-verify=True", "--dest-tls-verify=True",
-        "--dest-creds", "%s:%s" % (mirror.internal_robot.username, mirror.internal_robot.email),
-        u"docker://registry.example.com/namespace/repository:latest",
-        u"docker://config_server_hostname/mirror/repo:latest"
-      ],
-      "results": SkopeoResults(True, [], 'Success', '')
-    }
-  ]
-  def skopeo_test(args, proxy):
-    try:
-      skopeo_call = skopeo_calls.pop(0)
-      assert args == skopeo_call['args']
-      assert proxy == {}
+    skopeo_calls = [
+        {
+            "args": [
+                "/usr/bin/skopeo",
+                "--debug",
+                "inspect",
+                "--tls-verify=True",
+                u"docker://registry.example.com/namespace/repository:latest",
+            ],
+            "results": SkopeoResults(True, [], '{"RepoTags": ["latest"]}', ""),
+        },
+        {
+            "args": [
+                "/usr/bin/skopeo",
+                "--debug",
+                "copy",
+                "--src-tls-verify=True",
+                "--dest-tls-verify=True",
+                "--dest-creds",
+                "%s:%s" % (mirror.internal_robot.username, mirror.internal_robot.email),
+                u"docker://registry.example.com/namespace/repository:latest",
+                u"docker://config_server_hostname/mirror/repo:latest",
+            ],
+            "results": SkopeoResults(True, [], "Success", ""),
+        },
+    ]
 
-      return skopeo_call['results']
-    except Exception as e:
-      skopeo_calls.append(skopeo_call)
-      raise e
+    def skopeo_test(args, proxy):
+        try:
+            skopeo_call = skopeo_calls.pop(0)
+            assert args == skopeo_call["args"]
+            assert proxy == {}
 
-  run_skopeo_mock.side_effect = skopeo_test
+            return skopeo_call["results"]
+        except Exception as e:
+            skopeo_calls.append(skopeo_call)
+            raise e
+
+    run_skopeo_mock.side_effect = skopeo_test
+
+    monkeypatch.setenv("DEBUGLOG", "true")
+    with patch.dict(
+        "data.model.config.app_config",
+        {"REPO_MIRROR_SERVER_HOSTNAME": "config_server_hostname"},
+    ):
+        worker = RepoMirrorWorker()
+        worker._process_mirrors()
+
+    assert [] == skopeo_calls
+
+
+@disable_existing_mirrors
+@mock.patch("util.repomirror.skopeomirror.SkopeoMirror.run_skopeo")
+def test_quote_params(run_skopeo_mock, initialized_db, app):
+    """
+  Basic test of successful mirror
+  """
+
+    mirror, repo = create_mirror_repo_robot(["latest", "7.1"])
+    mirror.external_reference = "& rm -rf /;/namespace/repository"
+    mirror.external_registry_username = "`rm -rf /`"
+    mirror.save()
+
+    skopeo_calls = [
+        {
+            "args": [
+                "/usr/bin/skopeo",
+                "inspect",
+                "--tls-verify=True",
+                "--creds",
+                u"`rm -rf /`",
+                u"'docker://& rm -rf /;/namespace/repository:latest'",
+            ],
+            "results": SkopeoResults(True, [], '{"RepoTags": ["latest"]}', ""),
+        },
+        {
+            "args": [
+                "/usr/bin/skopeo",
+                "copy",
+                "--src-tls-verify=True",
+                "--dest-tls-verify=True",
+                "--dest-creds",
+                "%s:%s" % (mirror.internal_robot.username, mirror.internal_robot.email),
+                "--src-creds",
+                u"`rm -rf /`",
+                u"'docker://& rm -rf /;/namespace/repository:latest'",
+                u"docker://localhost:5000/mirror/repo:latest",
+            ],
+            "results": SkopeoResults(True, [], "stdout", "stderr"),
+        },
+    ]
+
+    def skopeo_test(args, proxy):
+        try:
+            skopeo_call = skopeo_calls.pop(0)
+            assert args == skopeo_call["args"]
+            assert proxy == {}
+
+            return skopeo_call["results"]
+        except Exception as e:
+            skopeo_calls.append(skopeo_call)
+            raise e
+
+    run_skopeo_mock.side_effect = skopeo_test
 
-  monkeypatch.setenv('DEBUGLOG', 'true')
-  with patch.dict('data.model.config.app_config', {'REPO_MIRROR_SERVER_HOSTNAME': 'config_server_hostname'}):
     worker = RepoMirrorWorker()
     worker._process_mirrors()
 
-  assert [] == skopeo_calls
+    assert [] == skopeo_calls
 
 
 @disable_existing_mirrors
-@mock.patch('util.repomirror.skopeomirror.SkopeoMirror.run_skopeo')
-def test_quote_params(run_skopeo_mock, initialized_db, app):
-  """
-  Basic test of successful mirror
-  """
-
-  mirror, repo = create_mirror_repo_robot(["latest", "7.1"])
-  mirror.external_reference = "& rm -rf /;/namespace/repository"
-  mirror.external_registry_username = "`rm -rf /`"
-  mirror.save()
-
-  skopeo_calls = [
-    {
-      "args": ["/usr/bin/skopeo", "inspect", "--tls-verify=True", "--creds", u"`rm -rf /`", u"'docker://& rm -rf /;/namespace/repository:latest'"],
-      "results": SkopeoResults(True, [], '{"RepoTags": ["latest"]}', "")
-    }, {
-      "args": [
-        "/usr/bin/skopeo", "copy",
-        "--src-tls-verify=True", "--dest-tls-verify=True",
-        "--dest-creds", "%s:%s" % (mirror.internal_robot.username, mirror.internal_robot.email),
-        "--src-creds", u"`rm -rf /`",
-        u"'docker://& rm -rf /;/namespace/repository:latest'",
-        u"docker://localhost:5000/mirror/repo:latest"
-      ],
-      "results": SkopeoResults(True, [], "stdout", "stderr")
-    }
-  ]
-  def skopeo_test(args, proxy):
-    try:
-      skopeo_call = skopeo_calls.pop(0)
-      assert args == skopeo_call['args']
-      assert proxy == {}
-
-      return skopeo_call['results']
-    except Exception as e:
-      skopeo_calls.append(skopeo_call)
-      raise e
-
-  run_skopeo_mock.side_effect = skopeo_test
-
-  worker = RepoMirrorWorker()
-  worker._process_mirrors()
-
-  assert [] == skopeo_calls
-
-
-@disable_existing_mirrors
-@mock.patch('util.repomirror.skopeomirror.SkopeoMirror.run_skopeo')
+@mock.patch("util.repomirror.skopeomirror.SkopeoMirror.run_skopeo")
 def test_quote_params_password(run_skopeo_mock, initialized_db, app):
-  """
+    """
   Basic test of successful mirror
   """
 
-  mirror, repo = create_mirror_repo_robot(["latest", "7.1"])
-  mirror.external_reference = "& rm -rf /;/namespace/repository"
-  mirror.external_registry_username = "`rm -rf /`"
-  mirror.external_registry_password = "\"\"$PATH\\\""
-  mirror.save()
+    mirror, repo = create_mirror_repo_robot(["latest", "7.1"])
+    mirror.external_reference = "& rm -rf /;/namespace/repository"
+    mirror.external_registry_username = "`rm -rf /`"
+    mirror.external_registry_password = '""$PATH\\"'
+    mirror.save()
 
-  skopeo_calls = [
-    {
-      "args": ["/usr/bin/skopeo", "inspect", "--tls-verify=True", "--creds", u"`rm -rf /`:\"\"$PATH\\\"", u"'docker://& rm -rf /;/namespace/repository:latest'"],
-      "results": SkopeoResults(True, [], '{"RepoTags": ["latest"]}', "")
-    }, {
-      "args": [
-        "/usr/bin/skopeo", "copy",
-        "--src-tls-verify=True", "--dest-tls-verify=True",
-        "--dest-creds", u"%s:%s" % (mirror.internal_robot.username, mirror.internal_robot.email),
-        "--src-creds", u"`rm -rf /`:\"\"$PATH\\\"",
-        u"'docker://& rm -rf /;/namespace/repository:latest'",
-        u"docker://localhost:5000/mirror/repo:latest"
-      ],
-      "results": SkopeoResults(True, [], "stdout", "stderr")
-    }
-  ]
-  def skopeo_test(args, proxy):
-    try:
-      skopeo_call = skopeo_calls.pop(0)
-      assert args == skopeo_call['args']
-      assert proxy == {}
+    skopeo_calls = [
+        {
+            "args": [
+                "/usr/bin/skopeo",
+                "inspect",
+                "--tls-verify=True",
+                "--creds",
+                u'`rm -rf /`:""$PATH\\"',
+                u"'docker://& rm -rf /;/namespace/repository:latest'",
+            ],
+            "results": SkopeoResults(True, [], '{"RepoTags": ["latest"]}', ""),
+        },
+        {
+            "args": [
+                "/usr/bin/skopeo",
+                "copy",
+                "--src-tls-verify=True",
+                "--dest-tls-verify=True",
+                "--dest-creds",
+                u"%s:%s"
+                % (mirror.internal_robot.username, mirror.internal_robot.email),
+                "--src-creds",
+                u'`rm -rf /`:""$PATH\\"',
+                u"'docker://& rm -rf /;/namespace/repository:latest'",
+                u"docker://localhost:5000/mirror/repo:latest",
+            ],
+            "results": SkopeoResults(True, [], "stdout", "stderr"),
+        },
+    ]
 
-      return skopeo_call['results']
-    except Exception as e:
-      skopeo_calls.append(skopeo_call)
-      raise e
+    def skopeo_test(args, proxy):
+        try:
+            skopeo_call = skopeo_calls.pop(0)
+            assert args == skopeo_call["args"]
+            assert proxy == {}
 
-  run_skopeo_mock.side_effect = skopeo_test
+            return skopeo_call["results"]
+        except Exception as e:
+            skopeo_calls.append(skopeo_call)
+            raise e
 
-  worker = RepoMirrorWorker()
-  worker._process_mirrors()
+    run_skopeo_mock.side_effect = skopeo_test
 
-  assert [] == skopeo_calls
+    worker = RepoMirrorWorker()
+    worker._process_mirrors()
 
+    assert [] == skopeo_calls
 
 
 @disable_existing_mirrors
-@mock.patch('util.repomirror.skopeomirror.SkopeoMirror.run_skopeo')
+@mock.patch("util.repomirror.skopeomirror.SkopeoMirror.run_skopeo")
 def test_inspect_error_mirror(run_skopeo_mock, initialized_db, app):
-  """
+    """
   Test for no tag for skopeo inspect. The mirror is processed four times, asserting that the remaining syncs
   decrement until next sync is bumped to the future, confirming the fourth is never processed.
   """
 
-  def skopeo_test(args, proxy):
-    try:
-      skopeo_call = skopeo_calls.pop(0)
-      assert args == skopeo_call['args']
-      assert proxy == {}
+    def skopeo_test(args, proxy):
+        try:
+            skopeo_call = skopeo_calls.pop(0)
+            assert args == skopeo_call["args"]
+            assert proxy == {}
 
-      return skopeo_call['results']
-    except Exception as e:
-      skopeo_calls.append(skopeo_call)
-      raise e
-  run_skopeo_mock.side_effect = skopeo_test
-  worker = RepoMirrorWorker()
+            return skopeo_call["results"]
+        except Exception as e:
+            skopeo_calls.append(skopeo_call)
+            raise e
 
-  mirror, repo = create_mirror_repo_robot(["7.1"])
+    run_skopeo_mock.side_effect = skopeo_test
+    worker = RepoMirrorWorker()
 
-  # Call number 1
-  skopeo_calls = [
-    {
-      "args": ["/usr/bin/skopeo", "inspect", "--tls-verify=True", u"docker://registry.example.com/namespace/repository:7.1"],
-      "results": SkopeoResults(False, [], "", 'time="2019-09-18T13:29:40Z" level=fatal msg="Error reading manifest 7.1 in registry.example.com/namespace/repository: manifest unknown: manifest unknown"')
-    },
-    {
-      "args": ["/usr/bin/skopeo", "inspect", "--tls-verify=True", u"docker://registry.example.com/namespace/repository:latest"],
-      "results": SkopeoResults(False, [], "", 'time="2019-09-18T13:29:40Z" level=fatal msg="Error reading manifest latest in registry.example.com/namespace/repository: manifest unknown: manifest unknown"')
-    }
-  ]
-  worker._process_mirrors()
-  mirror = RepoMirrorConfig.get_by_id(mirror.id)
-  assert [] == skopeo_calls
-  assert 2 == mirror.sync_retries_remaining
+    mirror, repo = create_mirror_repo_robot(["7.1"])
 
-  # Call number 2
-  skopeo_calls = [
-    {
-      "args": ["/usr/bin/skopeo", "inspect", "--tls-verify=True", u"docker://registry.example.com/namespace/repository:7.1"],
-      "results": SkopeoResults(False, [], "", 'time="2019-09-18T13:29:40Z" level=fatal msg="Error reading manifest 7.1 in registry.example.com/namespace/repository: manifest unknown: manifest unknown"')
-    },
-    {
-      "args": ["/usr/bin/skopeo", "inspect", "--tls-verify=True", u"docker://registry.example.com/namespace/repository:latest"],
-      "results": SkopeoResults(False, [], "", 'time="2019-09-18T13:29:40Z" level=fatal msg="Error reading manifest latest in registry.example.com/namespace/repository: manifest unknown: manifest unknown"')
-    }
-  ]
-  worker._process_mirrors()
-  mirror = RepoMirrorConfig.get_by_id(mirror.id)
-  assert [] == skopeo_calls
-  assert 1 == mirror.sync_retries_remaining
+    # Call number 1
+    skopeo_calls = [
+        {
+            "args": [
+                "/usr/bin/skopeo",
+                "inspect",
+                "--tls-verify=True",
+                u"docker://registry.example.com/namespace/repository:7.1",
+            ],
+            "results": SkopeoResults(
+                False,
+                [],
+                "",
+                'time="2019-09-18T13:29:40Z" level=fatal msg="Error reading manifest 7.1 in registry.example.com/namespace/repository: manifest unknown: manifest unknown"',
+            ),
+        },
+        {
+            "args": [
+                "/usr/bin/skopeo",
+                "inspect",
+                "--tls-verify=True",
+                u"docker://registry.example.com/namespace/repository:latest",
+            ],
+            "results": SkopeoResults(
+                False,
+                [],
+                "",
+                'time="2019-09-18T13:29:40Z" level=fatal msg="Error reading manifest latest in registry.example.com/namespace/repository: manifest unknown: manifest unknown"',
+            ),
+        },
+    ]
+    worker._process_mirrors()
+    mirror = RepoMirrorConfig.get_by_id(mirror.id)
+    assert [] == skopeo_calls
+    assert 2 == mirror.sync_retries_remaining
 
-  # Call number 3
-  skopeo_calls = [
-    {
-      "args": ["/usr/bin/skopeo", "inspect", "--tls-verify=True", u"docker://registry.example.com/namespace/repository:7.1"],
-      "results": SkopeoResults(False, [], "", 'time="2019-09-18T13:29:40Z" level=fatal msg="Error reading manifest 7.1 in registry.example.com/namespace/repository: manifest unknown: manifest unknown"')
-    },
-    {
-      "args": ["/usr/bin/skopeo", "inspect", "--tls-verify=True", u"docker://registry.example.com/namespace/repository:latest"],
-      "results": SkopeoResults(False, [], "", 'time="2019-09-18T13:29:40Z" level=fatal msg="Error reading manifest latest in registry.example.com/namespace/repository: manifest unknown: manifest unknown"')
-    }
-  ]
-  worker._process_mirrors()
-  mirror = RepoMirrorConfig.get_by_id(mirror.id)
-  assert [] == skopeo_calls
-  assert 3 == mirror.sync_retries_remaining
+    # Call number 2
+    skopeo_calls = [
+        {
+            "args": [
+                "/usr/bin/skopeo",
+                "inspect",
+                "--tls-verify=True",
+                u"docker://registry.example.com/namespace/repository:7.1",
+            ],
+            "results": SkopeoResults(
+                False,
+                [],
+                "",
+                'time="2019-09-18T13:29:40Z" level=fatal msg="Error reading manifest 7.1 in registry.example.com/namespace/repository: manifest unknown: manifest unknown"',
+            ),
+        },
+        {
+            "args": [
+                "/usr/bin/skopeo",
+                "inspect",
+                "--tls-verify=True",
+                u"docker://registry.example.com/namespace/repository:latest",
+            ],
+            "results": SkopeoResults(
+                False,
+                [],
+                "",
+                'time="2019-09-18T13:29:40Z" level=fatal msg="Error reading manifest latest in registry.example.com/namespace/repository: manifest unknown: manifest unknown"',
+            ),
+        },
+    ]
+    worker._process_mirrors()
+    mirror = RepoMirrorConfig.get_by_id(mirror.id)
+    assert [] == skopeo_calls
+    assert 1 == mirror.sync_retries_remaining
 
-  # Call number 4
-  skopeo_calls = [
-    {
-      "args": ["/usr/bin/skopeo", "inspect", "--tls-verify=True", u"docker://registry.example.com/namespace/repository:7.1"],
-      "results": SkopeoResults(False, [], "", 'time="2019-09-18T13:29:40Z" level=fatal msg="Error reading manifest 7.1 in registry.example.com/namespace/repository: manifest unknown: manifest unknown"')
-    },
-    {
-      "args": ["/usr/bin/skopeo", "inspect", "--tls-verify=True", u"docker://registry.example.com/namespace/repository:latest"],
-      "results": SkopeoResults(False, [], "", 'time="2019-09-18T13:29:40Z" level=fatal msg="Error reading manifest latest in registry.example.com/namespace/repository: manifest unknown: manifest unknown"')
-    }
-  ]
-  worker._process_mirrors()
-  mirror = RepoMirrorConfig.get_by_id(mirror.id)
-  assert 2 == len(skopeo_calls)
-  assert 3 == mirror.sync_retries_remaining
+    # Call number 3
+    skopeo_calls = [
+        {
+            "args": [
+                "/usr/bin/skopeo",
+                "inspect",
+                "--tls-verify=True",
+                u"docker://registry.example.com/namespace/repository:7.1",
+            ],
+            "results": SkopeoResults(
+                False,
+                [],
+                "",
+                'time="2019-09-18T13:29:40Z" level=fatal msg="Error reading manifest 7.1 in registry.example.com/namespace/repository: manifest unknown: manifest unknown"',
+            ),
+        },
+        {
+            "args": [
+                "/usr/bin/skopeo",
+                "inspect",
+                "--tls-verify=True",
+                u"docker://registry.example.com/namespace/repository:latest",
+            ],
+            "results": SkopeoResults(
+                False,
+                [],
+                "",
+                'time="2019-09-18T13:29:40Z" level=fatal msg="Error reading manifest latest in registry.example.com/namespace/repository: manifest unknown: manifest unknown"',
+            ),
+        },
+    ]
+    worker._process_mirrors()
+    mirror = RepoMirrorConfig.get_by_id(mirror.id)
+    assert [] == skopeo_calls
+    assert 3 == mirror.sync_retries_remaining
+
+    # Call number 4
+    skopeo_calls = [
+        {
+            "args": [
+                "/usr/bin/skopeo",
+                "inspect",
+                "--tls-verify=True",
+                u"docker://registry.example.com/namespace/repository:7.1",
+            ],
+            "results": SkopeoResults(
+                False,
+                [],
+                "",
+                'time="2019-09-18T13:29:40Z" level=fatal msg="Error reading manifest 7.1 in registry.example.com/namespace/repository: manifest unknown: manifest unknown"',
+            ),
+        },
+        {
+            "args": [
+                "/usr/bin/skopeo",
+                "inspect",
+                "--tls-verify=True",
+                u"docker://registry.example.com/namespace/repository:latest",
+            ],
+            "results": SkopeoResults(
+                False,
+                [],
+                "",
+                'time="2019-09-18T13:29:40Z" level=fatal msg="Error reading manifest latest in registry.example.com/namespace/repository: manifest unknown: manifest unknown"',
+            ),
+        },
+    ]
+    worker._process_mirrors()
+    mirror = RepoMirrorConfig.get_by_id(mirror.id)
+    assert 2 == len(skopeo_calls)
+    assert 3 == mirror.sync_retries_remaining
diff --git a/workers/repositoryactioncounter.py b/workers/repositoryactioncounter.py
index e6d6b835d..508dfa396 100644
--- a/workers/repositoryactioncounter.py
+++ b/workers/repositoryactioncounter.py
@@ -2,7 +2,7 @@ import logging
 
 from datetime import date, timedelta
 
-from app import app # This is required to initialize the database.
+from app import app  # This is required to initialize the database.
 from data import model
 from data.logs_model import logs_model
 from workers.worker import Worker, with_exponential_backoff
@@ -11,43 +11,49 @@ POLL_PERIOD_SECONDS = 10
 
 logger = logging.getLogger(__name__)
 
+
 class RepositoryActionCountWorker(Worker):
-  def __init__(self):
-    super(RepositoryActionCountWorker, self).__init__()
-    self.add_operation(self._count_repository_actions, POLL_PERIOD_SECONDS)
+    def __init__(self):
+        super(RepositoryActionCountWorker, self).__init__()
+        self.add_operation(self._count_repository_actions, POLL_PERIOD_SECONDS)
 
-  @with_exponential_backoff(backoff_multiplier=10, max_backoff=3600, max_retries=10)
-  def _count_repository_actions(self):
-    """ Counts actions and aggregates search scores for a random repository for the
+    @with_exponential_backoff(backoff_multiplier=10, max_backoff=3600, max_retries=10)
+    def _count_repository_actions(self):
+        """ Counts actions and aggregates search scores for a random repository for the
         previous day. """
-    to_count = model.repositoryactioncount.find_uncounted_repository()
-    if to_count is None:
-      logger.debug('No further repositories to count')
-      return False
+        to_count = model.repositoryactioncount.find_uncounted_repository()
+        if to_count is None:
+            logger.debug("No further repositories to count")
+            return False
 
-    yesterday = date.today() - timedelta(days=1)
+        yesterday = date.today() - timedelta(days=1)
 
-    logger.debug('Found repository #%s to count', to_count.id)
-    daily_count = logs_model.count_repository_actions(to_count, yesterday)
-    if daily_count is None:
-      logger.debug('Could not load count for repository #%s', to_count.id)
-      return False
+        logger.debug("Found repository #%s to count", to_count.id)
+        daily_count = logs_model.count_repository_actions(to_count, yesterday)
+        if daily_count is None:
+            logger.debug("Could not load count for repository #%s", to_count.id)
+            return False
 
-    was_counted = model.repositoryactioncount.store_repository_action_count(to_count, yesterday,
-                                                                            daily_count)
-    if not was_counted:
-      logger.debug('Repository #%s was counted by another worker', to_count.id)
-      return False
+        was_counted = model.repositoryactioncount.store_repository_action_count(
+            to_count, yesterday, daily_count
+        )
+        if not was_counted:
+            logger.debug("Repository #%s was counted by another worker", to_count.id)
+            return False
 
-    logger.debug('Updating search score for repository #%s', to_count.id)
-    was_updated = model.repositoryactioncount.update_repository_score(to_count)
-    if not was_updated:
-      logger.debug('Repository #%s had its search score updated by another worker', to_count.id)
-      return False
+        logger.debug("Updating search score for repository #%s", to_count.id)
+        was_updated = model.repositoryactioncount.update_repository_score(to_count)
+        if not was_updated:
+            logger.debug(
+                "Repository #%s had its search score updated by another worker",
+                to_count.id,
+            )
+            return False
+
+        logger.debug("Repository #%s search score updated", to_count.id)
+        return True
 
-    logger.debug('Repository #%s search score updated', to_count.id)
-    return True
 
 if __name__ == "__main__":
-  worker = RepositoryActionCountWorker()
-  worker.start()
+    worker = RepositoryActionCountWorker()
+    worker.start()
diff --git a/workers/security_notification_worker.py b/workers/security_notification_worker.py
index 11e15f295..de47d0a9d 100644
--- a/workers/security_notification_worker.py
+++ b/workers/security_notification_worker.py
@@ -6,84 +6,95 @@ import features
 
 from app import secscan_notification_queue, secscan_api
 from workers.queueworker import QueueWorker, JobException
-from util.secscan.notifier import SecurityNotificationHandler, ProcessNotificationPageResult
+from util.secscan.notifier import (
+    SecurityNotificationHandler,
+    ProcessNotificationPageResult,
+)
 
 
 logger = logging.getLogger(__name__)
 
 
-_PROCESSING_SECONDS = 60 * 60 # 1 hour
-_LAYER_LIMIT = 1000 # The number of layers to request on each page.
+_PROCESSING_SECONDS = 60 * 60  # 1 hour
+_LAYER_LIMIT = 1000  # The number of layers to request on each page.
 
 
 class SecurityNotificationWorker(QueueWorker):
-  def process_queue_item(self, data):
-    self.perform_notification_work(data)
+    def process_queue_item(self, data):
+        self.perform_notification_work(data)
 
-  def perform_notification_work(self, data, layer_limit=_LAYER_LIMIT):
-    """ Performs the work for handling a security notification as referenced by the given data
+    def perform_notification_work(self, data, layer_limit=_LAYER_LIMIT):
+        """ Performs the work for handling a security notification as referenced by the given data
         object. Returns True on successful handling, False on non-retryable failure and raises
         a JobException on retryable failure.
     """
 
-    notification_name = data['Name']
-    current_page = data.get('page', None)
-    handler = SecurityNotificationHandler(layer_limit)
+        notification_name = data["Name"]
+        current_page = data.get("page", None)
+        handler = SecurityNotificationHandler(layer_limit)
 
-    while True:
-      # Retrieve the current page of notification data from the security scanner.
-      (response_data, should_retry) = secscan_api.get_notification(notification_name,
-                                                                   layer_limit=layer_limit,
-                                                                   page=current_page)
+        while True:
+            # Retrieve the current page of notification data from the security scanner.
+            (response_data, should_retry) = secscan_api.get_notification(
+                notification_name, layer_limit=layer_limit, page=current_page
+            )
 
-      # If no response, something went wrong.
-      if response_data is None:
-        if should_retry:
-          raise JobException()
-        else:
-          # Remove the job from the API.
-          logger.error('Failed to handle security notification %s', notification_name)
-          secscan_api.mark_notification_read(notification_name)
+            # If no response, something went wrong.
+            if response_data is None:
+                if should_retry:
+                    raise JobException()
+                else:
+                    # Remove the job from the API.
+                    logger.error(
+                        "Failed to handle security notification %s", notification_name
+                    )
+                    secscan_api.mark_notification_read(notification_name)
 
-          # Return to mark the job as "complete", as we'll never be able to finish it.
-          return False
+                    # Return to mark the job as "complete", as we'll never be able to finish it.
+                    return False
 
-      # Extend processing on the queue item so it doesn't expire while we're working.
-      self.extend_processing(_PROCESSING_SECONDS, json.dumps(data))
+            # Extend processing on the queue item so it doesn't expire while we're working.
+            self.extend_processing(_PROCESSING_SECONDS, json.dumps(data))
 
-      # Process the notification data.
-      notification_data = response_data['Notification']
-      result = handler.process_notification_page_data(notification_data)
+            # Process the notification data.
+            notification_data = response_data["Notification"]
+            result = handler.process_notification_page_data(notification_data)
 
-      # Possible states after processing: failed to process, finished processing entirely
-      # or finished processing the page.
-      if result == ProcessNotificationPageResult.FAILED:
-        # Something went wrong.
-        raise JobException
+            # Possible states after processing: failed to process, finished processing entirely
+            # or finished processing the page.
+            if result == ProcessNotificationPageResult.FAILED:
+                # Something went wrong.
+                raise JobException
 
-      if result == ProcessNotificationPageResult.FINISHED_PROCESSING:
-        # Mark the notification as read.
-        if not secscan_api.mark_notification_read(notification_name):
-          # Return to mark the job as "complete", as we'll never be able to finish it.
-          logger.error('Failed to mark notification %s as read', notification_name)
-          return False
+            if result == ProcessNotificationPageResult.FINISHED_PROCESSING:
+                # Mark the notification as read.
+                if not secscan_api.mark_notification_read(notification_name):
+                    # Return to mark the job as "complete", as we'll never be able to finish it.
+                    logger.error(
+                        "Failed to mark notification %s as read", notification_name
+                    )
+                    return False
 
-        # Send the generated Quay notifications.
-        handler.send_notifications()
-        return True
+                # Send the generated Quay notifications.
+                handler.send_notifications()
+                return True
 
-      if result == ProcessNotificationPageResult.FINISHED_PAGE:
-        # Continue onto the next page.
-        current_page = notification_data['NextPage']
-        continue
+            if result == ProcessNotificationPageResult.FINISHED_PAGE:
+                # Continue onto the next page.
+                current_page = notification_data["NextPage"]
+                continue
 
 
-if __name__ == '__main__':
-  if not features.SECURITY_SCANNER or not features.SECURITY_NOTIFICATIONS:
-    logger.debug('Security scanner disabled; skipping SecurityNotificationWorker')
-    while True:
-      time.sleep(100000)
+if __name__ == "__main__":
+    if not features.SECURITY_SCANNER or not features.SECURITY_NOTIFICATIONS:
+        logger.debug("Security scanner disabled; skipping SecurityNotificationWorker")
+        while True:
+            time.sleep(100000)
 
-  worker = SecurityNotificationWorker(secscan_notification_queue, poll_period_seconds=30,
-                                      reservation_seconds=30, retry_after_seconds=30)
-  worker.start()
+    worker = SecurityNotificationWorker(
+        secscan_notification_queue,
+        poll_period_seconds=30,
+        reservation_seconds=30,
+        retry_after_seconds=30,
+    )
+    worker.start()
diff --git a/workers/securityworker/__init__.py b/workers/securityworker/__init__.py
index 8c2bc44a7..d4e0672ed 100644
--- a/workers/securityworker/__init__.py
+++ b/workers/securityworker/__init__.py
@@ -7,30 +7,31 @@ from util.secscan.api import APIRequestFailure
 from util.secscan.analyzer import PreemptedException
 
 logger = logging.getLogger(__name__)
-unscanned_images_gauge = prometheus.create_gauge('unscanned_images',
-                                                 'Number of images that clair needs to scan.')
+unscanned_images_gauge = prometheus.create_gauge(
+    "unscanned_images", "Number of images that clair needs to scan."
+)
 
 
 def index_images(target_version, analyzer, token=None):
-  """ Performs security indexing of all images in the database not scanned at the target version.
+    """ Performs security indexing of all images in the database not scanned at the target version.
       If a token is provided, scanning will begin where the token indicates it previously completed.
   """
-  iterator, next_token = model.candidates_to_scan(target_version, start_token=token)
-  if iterator is None:
-    logger.debug('Found no additional images to scan')
-    return None
+    iterator, next_token = model.candidates_to_scan(target_version, start_token=token)
+    if iterator is None:
+        logger.debug("Found no additional images to scan")
+        return None
 
-  with UseThenDisconnect(app.config):
-    for candidate, abt, num_remaining in iterator:
-      try:
-        analyzer.analyze_recursively(candidate)
-      except PreemptedException:
-        logger.info('Another worker pre-empted us for layer: %s', candidate.id)
-        abt.set()
-      except APIRequestFailure:
-        logger.exception('Security scanner service unavailable')
-        return
+    with UseThenDisconnect(app.config):
+        for candidate, abt, num_remaining in iterator:
+            try:
+                analyzer.analyze_recursively(candidate)
+            except PreemptedException:
+                logger.info("Another worker pre-empted us for layer: %s", candidate.id)
+                abt.set()
+            except APIRequestFailure:
+                logger.exception("Security scanner service unavailable")
+                return
 
-      unscanned_images_gauge.Set(num_remaining)
+            unscanned_images_gauge.Set(num_remaining)
 
-  return next_token
+    return next_token
diff --git a/workers/securityworker/models_interface.py b/workers/securityworker/models_interface.py
index 76295a427..a2f1e2e7b 100644
--- a/workers/securityworker/models_interface.py
+++ b/workers/securityworker/models_interface.py
@@ -4,8 +4,8 @@ from collections import namedtuple
 from six import add_metaclass
 
 
-class ScanToken(namedtuple('NextScanToken', ['min_id'])):
-  """
+class ScanToken(namedtuple("NextScanToken", ["min_id"])):
+    """
   ScanToken represents an opaque token that can be passed between runs of the security worker
   to continue scanning whereever the previous run left off. Note that the data of the token is
   *opaque* to the security worker, and the security worker should *not* pull any data out or modify
@@ -15,16 +15,16 @@ class ScanToken(namedtuple('NextScanToken', ['min_id'])):
 
 @add_metaclass(ABCMeta)
 class SecurityWorkerDataInterface(object):
-  """
+    """
   Interface that represents all data store interactions required by the security worker.
   """
 
-  @abstractmethod
-  def candidates_to_scan(self, target_version, start_token=None):
-    """
+    @abstractmethod
+    def candidates_to_scan(self, target_version, start_token=None):
+        """
     Returns a tuple consisting of an iterator of all the candidates to scan and a NextScanToken.
     The iterator returns a tuple for each iteration consisting of the candidate Image, the abort
     signal, and the number of remaining candidates. If the iterator returned is None, there are
     no candidates to process.
     """
-    pass
+        pass
diff --git a/workers/securityworker/models_pre_oci.py b/workers/securityworker/models_pre_oci.py
index 0115be908..135bd89ad 100644
--- a/workers/securityworker/models_pre_oci.py
+++ b/workers/securityworker/models_pre_oci.py
@@ -1,49 +1,53 @@
 from math import log10
 
 from app import app
-from data.model.image import (get_images_eligible_for_scan, get_image_pk_field,
-                              get_max_id_for_sec_scan, get_min_id_for_sec_scan)
+from data.model.image import (
+    get_images_eligible_for_scan,
+    get_image_pk_field,
+    get_max_id_for_sec_scan,
+    get_min_id_for_sec_scan,
+)
 from util.migrate.allocator import yield_random_entries
 
-from workers.securityworker.models_interface import (ScanToken, SecurityWorkerDataInterface)
+from workers.securityworker.models_interface import (
+    ScanToken,
+    SecurityWorkerDataInterface,
+)
 
 
 class PreOCIModel(SecurityWorkerDataInterface):
-  def candidates_to_scan(self, target_version, start_token=None):
-    def batch_query():
-      return get_images_eligible_for_scan(target_version)
+    def candidates_to_scan(self, target_version, start_token=None):
+        def batch_query():
+            return get_images_eligible_for_scan(target_version)
 
-    # Find the minimum ID.
-    min_id = None
-    if start_token is not None:
-      min_id = start_token.min_id
-    else:
-      min_id = app.config.get('SECURITY_SCANNER_INDEXING_MIN_ID')
-      if min_id is None:
-        min_id = get_min_id_for_sec_scan(target_version)
+        # Find the minimum ID.
+        min_id = None
+        if start_token is not None:
+            min_id = start_token.min_id
+        else:
+            min_id = app.config.get("SECURITY_SCANNER_INDEXING_MIN_ID")
+            if min_id is None:
+                min_id = get_min_id_for_sec_scan(target_version)
 
-    # Get the ID of the last image we can analyze. Will be None if there are no images in the
-    # database.
-    max_id = get_max_id_for_sec_scan()
-    if max_id is None:
-      return (None, None)
+        # Get the ID of the last image we can analyze. Will be None if there are no images in the
+        # database.
+        max_id = get_max_id_for_sec_scan()
+        if max_id is None:
+            return (None, None)
 
-    if min_id is None or min_id > max_id:
-      return (None, None)
+        if min_id is None or min_id > max_id:
+            return (None, None)
 
-    # 4^log10(total) gives us a scalable batch size into the billions.
-    batch_size = int(4**log10(max(10, max_id - min_id)))
+        # 4^log10(total) gives us a scalable batch size into the billions.
+        batch_size = int(4 ** log10(max(10, max_id - min_id)))
 
-    # TODO: Once we have a clean shared NamedTuple for Images, send that to the secscan analyzer
-    # rather than the database Image itself.
-    iterator = yield_random_entries(
-      batch_query,
-      get_image_pk_field(),
-      batch_size,
-      max_id,
-      min_id,)
+        # TODO: Once we have a clean shared NamedTuple for Images, send that to the secscan analyzer
+        # rather than the database Image itself.
+        iterator = yield_random_entries(
+            batch_query, get_image_pk_field(), batch_size, max_id, min_id
+        )
 
-    return (iterator, ScanToken(max_id + 1))
+        return (iterator, ScanToken(max_id + 1))
 
 
 pre_oci_model = PreOCIModel()
diff --git a/workers/securityworker/securityworker.py b/workers/securityworker/securityworker.py
index 100308acf..54af75fd5 100644
--- a/workers/securityworker/securityworker.py
+++ b/workers/securityworker/securityworker.py
@@ -17,32 +17,41 @@ DEFAULT_INDEXING_INTERVAL = 30
 
 
 class SecurityWorker(Worker):
-  def __init__(self):
-    super(SecurityWorker, self).__init__()
-    validator = SecurityConfigValidator(app.config.get('FEATURE_SECURITY_SCANNER', False), app.config.get('SECURITY_SCANNER_ENDPOINT'))
-    if not validator.valid():
-      logger.warning('Failed to validate security scan configuration')
-      return
+    def __init__(self):
+        super(SecurityWorker, self).__init__()
+        validator = SecurityConfigValidator(
+            app.config.get("FEATURE_SECURITY_SCANNER", False),
+            app.config.get("SECURITY_SCANNER_ENDPOINT"),
+        )
+        if not validator.valid():
+            logger.warning("Failed to validate security scan configuration")
+            return
 
-    self._target_version = app.config.get('SECURITY_SCANNER_ENGINE_VERSION_TARGET', 3)
-    self._analyzer = LayerAnalyzer(app.config, secscan_api)
-    self._next_token = None
+        self._target_version = app.config.get(
+            "SECURITY_SCANNER_ENGINE_VERSION_TARGET", 3
+        )
+        self._analyzer = LayerAnalyzer(app.config, secscan_api)
+        self._next_token = None
 
-    interval = app.config.get('SECURITY_SCANNER_INDEXING_INTERVAL', DEFAULT_INDEXING_INTERVAL)
-    self.add_operation(self._index_images, interval)
+        interval = app.config.get(
+            "SECURITY_SCANNER_INDEXING_INTERVAL", DEFAULT_INDEXING_INTERVAL
+        )
+        self.add_operation(self._index_images, interval)
 
-  def _index_images(self):
-    self._next_token = index_images(self._target_version, self._analyzer, self._next_token)
+    def _index_images(self):
+        self._next_token = index_images(
+            self._target_version, self._analyzer, self._next_token
+        )
 
 
-if __name__ == '__main__':
-  app.register_blueprint(v2_bp, url_prefix='/v2')
+if __name__ == "__main__":
+    app.register_blueprint(v2_bp, url_prefix="/v2")
 
-  if not features.SECURITY_SCANNER:
-    logger.debug('Security scanner disabled; skipping SecurityWorker')
-    while True:
-      time.sleep(100000)
+    if not features.SECURITY_SCANNER:
+        logger.debug("Security scanner disabled; skipping SecurityWorker")
+        while True:
+            time.sleep(100000)
 
-  logging.config.fileConfig(logfile_path(debug=False), disable_existing_loggers=False)
-  worker = SecurityWorker()
-  worker.start()
+    logging.config.fileConfig(logfile_path(debug=False), disable_existing_loggers=False)
+    worker = SecurityWorker()
+    worker.start()
diff --git a/workers/securityworker/test/test_securityworker.py b/workers/securityworker/test/test_securityworker.py
index dfa9ff490..9d3573fbb 100644
--- a/workers/securityworker/test/test_securityworker.py
+++ b/workers/securityworker/test/test_securityworker.py
@@ -5,6 +5,6 @@ from workers.securityworker import index_images
 
 
 def test_securityworker_realdb(initialized_db):
-  mock_analyzer = Mock()
-  assert index_images(1, mock_analyzer) is not None
-  mock_analyzer.analyze_recursively.assert_called()
+    mock_analyzer = Mock()
+    assert index_images(1, mock_analyzer) is not None
+    mock_analyzer.analyze_recursively.assert_called()
diff --git a/workers/servicekeyworker/models_interface.py b/workers/servicekeyworker/models_interface.py
index 909ac2367..26284ffa6 100644
--- a/workers/servicekeyworker/models_interface.py
+++ b/workers/servicekeyworker/models_interface.py
@@ -4,25 +4,25 @@ from six import add_metaclass
 
 @add_metaclass(ABCMeta)
 class ServiceKeyWorkerDataInterface(object):
-  """
+    """
   Interface that represents all data store interactions required by the service key worker.
   """
 
-  @abstractmethod
-  def set_key_expiration(self, key_id, expiration_date):
-    """ Sets the expiration date of the service key with the given key ID to that given. """
-    pass
+    @abstractmethod
+    def set_key_expiration(self, key_id, expiration_date):
+        """ Sets the expiration date of the service key with the given key ID to that given. """
+        pass
 
-  @abstractmethod
-  def create_service_key_for_testing(self, expiration):
-    """ Creates a service key for testing with the given expiration. Returns the KID for
+    @abstractmethod
+    def create_service_key_for_testing(self, expiration):
+        """ Creates a service key for testing with the given expiration. Returns the KID for
         key.
     """
-    pass
+        pass
 
-  @abstractmethod
-  def get_service_key_expiration(self, key_id):
-    """ Returns the expiration date for the key with the given ID. If the key doesn't exist or
+    @abstractmethod
+    def get_service_key_expiration(self, key_id):
+        """ Returns the expiration date for the key with the given ID. If the key doesn't exist or
         does not have an expiration, returns None.
     """
-    pass
+        pass
diff --git a/workers/servicekeyworker/models_pre_oci.py b/workers/servicekeyworker/models_pre_oci.py
index 5a82d3127..3df0a8d63 100644
--- a/workers/servicekeyworker/models_pre_oci.py
+++ b/workers/servicekeyworker/models_pre_oci.py
@@ -3,19 +3,21 @@ from workers.servicekeyworker.models_interface import ServiceKeyWorkerDataInterf
 
 
 class PreOCIModel(ServiceKeyWorkerDataInterface):
-  def set_key_expiration(self, kid, expiration_date):
-    model.service_keys.set_key_expiration(kid, expiration_date)
+    def set_key_expiration(self, kid, expiration_date):
+        model.service_keys.set_key_expiration(kid, expiration_date)
 
-  def create_service_key_for_testing(self, expiration):
-    key = model.service_keys.create_service_key('test', 'somekid', 'quay', '', {}, expiration)
-    return key.kid
+    def create_service_key_for_testing(self, expiration):
+        key = model.service_keys.create_service_key(
+            "test", "somekid", "quay", "", {}, expiration
+        )
+        return key.kid
 
-  def get_service_key_expiration(self, kid):
-    try:
-      key = model.service_keys.get_service_key(kid, approved_only=False)
-      return key.expiration_date
-    except model.ServiceKeyDoesNotExist:
-      return None
+    def get_service_key_expiration(self, kid):
+        try:
+            key = model.service_keys.get_service_key(kid, approved_only=False)
+            return key.expiration_date
+        except model.ServiceKeyDoesNotExist:
+            return None
 
 
 pre_oci_model = PreOCIModel()
diff --git a/workers/servicekeyworker/servicekeyworker.py b/workers/servicekeyworker/servicekeyworker.py
index d7eaecfa1..b7562ddc8 100644
--- a/workers/servicekeyworker/servicekeyworker.py
+++ b/workers/servicekeyworker/servicekeyworker.py
@@ -9,33 +9,48 @@ logger = logging.getLogger(__name__)
 
 
 class ServiceKeyWorker(Worker):
-  def __init__(self):
-    super(ServiceKeyWorker, self).__init__()
-    self.add_operation(self._refresh_service_key,
-                       app.config.get('INSTANCE_SERVICE_KEY_REFRESH', 60) * 60)
+    def __init__(self):
+        super(ServiceKeyWorker, self).__init__()
+        self.add_operation(
+            self._refresh_service_key,
+            app.config.get("INSTANCE_SERVICE_KEY_REFRESH", 60) * 60,
+        )
 
-  def _refresh_service_key(self):
-    """
+    def _refresh_service_key(self):
+        """
     Refreshes the instance's active service key so it doesn't get garbage collected.
     """
-    expiration_time = timedelta(minutes=instance_keys.service_key_expiration)
-    new_expiration = datetime.utcnow() + expiration_time
+        expiration_time = timedelta(minutes=instance_keys.service_key_expiration)
+        new_expiration = datetime.utcnow() + expiration_time
 
-    logger.debug('Starting automatic refresh of service key %s to new expiration %s',
-                 instance_keys.local_key_id, new_expiration)
-    try:
-      model.set_key_expiration(instance_keys.local_key_id, new_expiration)
-    except Exception as ex:
-      logger.exception('Failure for automatic refresh of service key %s with new expiration %s',
-                       instance_keys.local_key_id, new_expiration)
-      metric_queue.instance_key_renewal_failure.Inc(labelvalues=[instance_keys.local_key_id])
-      raise ex
+        logger.debug(
+            "Starting automatic refresh of service key %s to new expiration %s",
+            instance_keys.local_key_id,
+            new_expiration,
+        )
+        try:
+            model.set_key_expiration(instance_keys.local_key_id, new_expiration)
+        except Exception as ex:
+            logger.exception(
+                "Failure for automatic refresh of service key %s with new expiration %s",
+                instance_keys.local_key_id,
+                new_expiration,
+            )
+            metric_queue.instance_key_renewal_failure.Inc(
+                labelvalues=[instance_keys.local_key_id]
+            )
+            raise ex
 
-    logger.debug('Finished automatic refresh of service key %s with new expiration %s',
-                 instance_keys.local_key_id, new_expiration)
-    metric_queue.instance_key_renewal_success.Inc(labelvalues=[instance_keys.local_key_id])
+        logger.debug(
+            "Finished automatic refresh of service key %s with new expiration %s",
+            instance_keys.local_key_id,
+            new_expiration,
+        )
+        metric_queue.instance_key_renewal_success.Inc(
+            labelvalues=[instance_keys.local_key_id]
+        )
 
 
 if __name__ == "__main__":
-  worker = ServiceKeyWorker()
-  worker.start()
+    worker = ServiceKeyWorker()
+    worker.start()
diff --git a/workers/servicekeyworker/test/test_servicekeyworker.py b/workers/servicekeyworker/test/test_servicekeyworker.py
index 2bab8b132..a537e297f 100644
--- a/workers/servicekeyworker/test/test_servicekeyworker.py
+++ b/workers/servicekeyworker/test/test_servicekeyworker.py
@@ -8,16 +8,19 @@ from util.morecollections import AttrDict
 from test.fixtures import *
 from workers.servicekeyworker.models_pre_oci import pre_oci_model as model
 
+
 def test_refresh_service_key(initialized_db):
-  # Create a service key for testing.
-  original_expiration = datetime.utcnow() + timedelta(minutes=10)
-  test_key_kid = model.create_service_key_for_testing(original_expiration)
-  assert model.get_service_key_expiration(test_key_kid)
+    # Create a service key for testing.
+    original_expiration = datetime.utcnow() + timedelta(minutes=10)
+    test_key_kid = model.create_service_key_for_testing(original_expiration)
+    assert model.get_service_key_expiration(test_key_kid)
 
-  instance_keys = AttrDict(dict(local_key_id=test_key_kid, service_key_expiration=30))
-  with patch('workers.servicekeyworker.servicekeyworker.instance_keys', instance_keys):
-    worker = ServiceKeyWorker()
-    worker._refresh_service_key()
+    instance_keys = AttrDict(dict(local_key_id=test_key_kid, service_key_expiration=30))
+    with patch(
+        "workers.servicekeyworker.servicekeyworker.instance_keys", instance_keys
+    ):
+        worker = ServiceKeyWorker()
+        worker._refresh_service_key()
 
-  # Ensure the key's expiration was changed.
-  assert model.get_service_key_expiration(test_key_kid) > original_expiration
+    # Ensure the key's expiration was changed.
+    assert model.get_service_key_expiration(test_key_kid) > original_expiration
diff --git a/workers/storagereplication.py b/workers/storagereplication.py
index 005bd2ee8..80c0484c2 100644
--- a/workers/storagereplication.py
+++ b/workers/storagereplication.py
@@ -12,136 +12,193 @@ from util.log import logfile_path
 logger = logging.getLogger(__name__)
 
 POLL_PERIOD_SECONDS = 10
-RESERVATION_SECONDS = app.config.get('STORAGE_REPLICATION_PROCESSING_SECONDS', 60*20)
+RESERVATION_SECONDS = app.config.get("STORAGE_REPLICATION_PROCESSING_SECONDS", 60 * 20)
+
 
 class StorageReplicationWorker(QueueWorker):
-  def process_queue_item(self, job_details):
-    storage_uuid = job_details['storage_id']
-    namespace_id = job_details['namespace_user_id']
+    def process_queue_item(self, job_details):
+        storage_uuid = job_details["storage_id"]
+        namespace_id = job_details["namespace_user_id"]
 
-    logger.debug('Starting replication of image storage %s under namespace %s', storage_uuid,
-                 namespace_id)
-    try:
-      namespace = model.user.get_namespace_user_by_user_id(namespace_id)
-    except model.user.InvalidUsernameException:
-      logger.exception('Exception when looking up namespace %s for replication of image storage %s',
-                       namespace_id, storage_uuid)
-      return
+        logger.debug(
+            "Starting replication of image storage %s under namespace %s",
+            storage_uuid,
+            namespace_id,
+        )
+        try:
+            namespace = model.user.get_namespace_user_by_user_id(namespace_id)
+        except model.user.InvalidUsernameException:
+            logger.exception(
+                "Exception when looking up namespace %s for replication of image storage %s",
+                namespace_id,
+                storage_uuid,
+            )
+            return
 
-    self.replicate_storage(namespace, storage_uuid, app_storage)
+        self.replicate_storage(namespace, storage_uuid, app_storage)
 
-  def _backoff_check_exists(self, location, path, storage, backoff_check=True):
-    for retry in range(0, 4):
-      if storage.exists([location], path):
-        return True
+    def _backoff_check_exists(self, location, path, storage, backoff_check=True):
+        for retry in range(0, 4):
+            if storage.exists([location], path):
+                return True
+
+            if not backoff_check:
+                return False
+
+            seconds = pow(2, retry) * 2
+            logger.debug(
+                "Cannot find path `%s` in location %s (try #%s). Sleeping for %s seconds",
+                path,
+                location,
+                retry,
+                seconds,
+            )
+            time.sleep(seconds)
 
-      if not backoff_check:
         return False
 
-      seconds = pow(2, retry) * 2
-      logger.debug('Cannot find path `%s` in location %s (try #%s). Sleeping for %s seconds',
-                   path, location, retry, seconds)
-      time.sleep(seconds)
+    def replicate_storage(self, namespace, storage_uuid, storage, backoff_check=True):
+        # Lookup the namespace and its associated regions.
+        if not namespace:
+            logger.debug(
+                "Unknown namespace when trying to replicate storage %s", storage_uuid
+            )
+            return
 
-    return False
+        locations = model.user.get_region_locations(namespace)
 
-  def replicate_storage(self, namespace, storage_uuid, storage, backoff_check=True):
-    # Lookup the namespace and its associated regions.
-    if not namespace:
-      logger.debug('Unknown namespace when trying to replicate storage %s', storage_uuid)
-      return
+        # Lookup the image storage.
+        try:
+            partial_storage = model.storage.get_storage_by_uuid(storage_uuid)
+        except model.InvalidImageException:
+            logger.debug("Unknown storage: %s", storage_uuid)
+            return
 
-    locations = model.user.get_region_locations(namespace)
+        # Check to see if the image is at all the required locations.
+        locations_required = locations | set(storage.default_locations)
+        locations_missing = locations_required - set(partial_storage.locations)
 
-    # Lookup the image storage.
-    try:
-      partial_storage = model.storage.get_storage_by_uuid(storage_uuid)
-    except model.InvalidImageException:
-      logger.debug('Unknown storage: %s', storage_uuid)
-      return
+        logger.debug(
+            "For replication of storage %s under namespace %s: %s required; %s missing",
+            storage_uuid,
+            namespace.username,
+            locations_required,
+            locations_missing,
+        )
 
-    # Check to see if the image is at all the required locations.
-    locations_required = locations | set(storage.default_locations)
-    locations_missing = locations_required - set(partial_storage.locations)
+        if not locations_missing:
+            logger.debug(
+                "No missing locations for storage %s under namespace %s. Required: %s",
+                storage_uuid,
+                namespace.username,
+                locations_required,
+            )
+            return
 
-    logger.debug('For replication of storage %s under namespace %s: %s required; %s missing',
-                 storage_uuid, namespace.username, locations_required, locations_missing)
+        # For any missing storage locations, initiate a copy.
+        existing_location = list(partial_storage.locations)[0]
+        path_to_copy = model.storage.get_layer_path(partial_storage)
 
-    if not locations_missing:
-      logger.debug('No missing locations for storage %s under namespace %s. Required: %s',
-                   storage_uuid, namespace.username, locations_required)
-      return
+        # Lookup and ensure the existing location exists.
+        if not self._backoff_check_exists(
+            existing_location, path_to_copy, storage, backoff_check
+        ):
+            logger.warning(
+                "Cannot find image storage %s in existing location %s; stopping replication",
+                storage_uuid,
+                existing_location,
+            )
+            raise JobException()
 
-    # For any missing storage locations, initiate a copy.
-    existing_location = list(partial_storage.locations)[0]
-    path_to_copy = model.storage.get_layer_path(partial_storage)
+        # For each missing location, copy over the storage.
+        for location in locations_missing:
+            logger.debug(
+                "Starting copy of storage %s to location %s from %s",
+                partial_storage.uuid,
+                location,
+                existing_location,
+            )
 
-    # Lookup and ensure the existing location exists.
-    if not self._backoff_check_exists(existing_location, path_to_copy, storage, backoff_check):
-      logger.warning('Cannot find image storage %s in existing location %s; stopping replication',
-                     storage_uuid, existing_location)
-      raise JobException()
+            # Copy the binary data.
+            copied = False
+            try:
+                with CloseForLongOperation(app.config):
+                    storage.copy_between(path_to_copy, existing_location, location)
+                    copied = True
+            except IOError:
+                logger.exception(
+                    "Failed to copy path `%s` of image storage %s to location %s",
+                    path_to_copy,
+                    partial_storage.uuid,
+                    location,
+                )
+                raise JobException()
+            except:
+                logger.exception(
+                    "Unknown exception when copying path %s of image storage %s to loc %s",
+                    path_to_copy,
+                    partial_storage.uuid,
+                    location,
+                )
+                raise WorkerUnhealthyException()
 
-    # For each missing location, copy over the storage.
-    for location in locations_missing:
-      logger.debug('Starting copy of storage %s to location %s from %s', partial_storage.uuid,
-                   location, existing_location)
+            if copied:
+                # Verify the data was copied to the target storage, to ensure that there are no cases
+                # where we write the placement without knowing the data is present.
+                if not self._backoff_check_exists(
+                    location, path_to_copy, storage, backoff_check
+                ):
+                    logger.warning(
+                        "Failed to find path `%s` in location `%s` after copy",
+                        path_to_copy,
+                        location,
+                    )
+                    raise JobException()
 
-      # Copy the binary data.
-      copied = False
-      try:
-        with CloseForLongOperation(app.config):
-          storage.copy_between(path_to_copy, existing_location, location)
-          copied = True
-      except IOError:
-        logger.exception('Failed to copy path `%s` of image storage %s to location %s',
-                         path_to_copy, partial_storage.uuid, location)
-        raise JobException()
-      except:
-        logger.exception('Unknown exception when copying path %s of image storage %s to loc %s',
-                         path_to_copy, partial_storage.uuid, location)
-        raise WorkerUnhealthyException()
+                # Create the storage location record for the storage now that the copy has
+                # completed.
+                model.storage.add_storage_placement(partial_storage, location)
 
-      if copied:
-        # Verify the data was copied to the target storage, to ensure that there are no cases
-        # where we write the placement without knowing the data is present.
-        if not self._backoff_check_exists(location, path_to_copy, storage, backoff_check):
-          logger.warning('Failed to find path `%s` in location `%s` after copy', path_to_copy,
-                         location)
-          raise JobException()
+                logger.debug(
+                    "Finished copy of image storage %s to location %s from %s",
+                    partial_storage.uuid,
+                    location,
+                    existing_location,
+                )
 
-        # Create the storage location record for the storage now that the copy has
-        # completed.
-        model.storage.add_storage_placement(partial_storage, location)
-
-        logger.debug('Finished copy of image storage %s to location %s from %s',
-                     partial_storage.uuid, location, existing_location)
-
-    logger.debug('Completed replication of image storage %s to locations %s from %s',
-                 partial_storage.uuid, locations_missing, existing_location)
+        logger.debug(
+            "Completed replication of image storage %s to locations %s from %s",
+            partial_storage.uuid,
+            locations_missing,
+            existing_location,
+        )
 
 
 if __name__ == "__main__":
-  logging.config.fileConfig(logfile_path(debug=False), disable_existing_loggers=False)
+    logging.config.fileConfig(logfile_path(debug=False), disable_existing_loggers=False)
 
-  has_local_storage = False
+    has_local_storage = False
 
-  if features.STORAGE_REPLICATION:
-    for storage_type, _ in app.config.get('DISTRIBUTED_STORAGE_CONFIG', {}).values():
-      if storage_type == 'LocalStorage':
-        has_local_storage = True
-        break
+    if features.STORAGE_REPLICATION:
+        for storage_type, _ in app.config.get(
+            "DISTRIBUTED_STORAGE_CONFIG", {}
+        ).values():
+            if storage_type == "LocalStorage":
+                has_local_storage = True
+                break
 
-  if not features.STORAGE_REPLICATION or has_local_storage:
-    if has_local_storage:
-      logger.error("Storage replication can't be used with local storage")
-    else:
-      logger.debug('Full storage replication disabled; skipping')
-    while True:
-      time.sleep(10000)
+    if not features.STORAGE_REPLICATION or has_local_storage:
+        if has_local_storage:
+            logger.error("Storage replication can't be used with local storage")
+        else:
+            logger.debug("Full storage replication disabled; skipping")
+        while True:
+            time.sleep(10000)
 
-  logger.debug('Starting replication worker')
-  worker = StorageReplicationWorker(image_replication_queue,
-                                    poll_period_seconds=POLL_PERIOD_SECONDS,
-                                    reservation_seconds=RESERVATION_SECONDS)
-  worker.start()
+    logger.debug("Starting replication worker")
+    worker = StorageReplicationWorker(
+        image_replication_queue,
+        poll_period_seconds=POLL_PERIOD_SECONDS,
+        reservation_seconds=RESERVATION_SECONDS,
+    )
+    worker.start()
diff --git a/workers/tagbackfillworker.py b/workers/tagbackfillworker.py
index a9a9ef263..8470ca7bf 100644
--- a/workers/tagbackfillworker.py
+++ b/workers/tagbackfillworker.py
@@ -6,10 +6,22 @@ import time
 from peewee import JOIN, fn, IntegrityError
 
 from app import app
-from data.database import (UseThenDisconnect, TagToRepositoryTag, RepositoryTag,
-                           TagManifestToManifest, Tag, TagManifest, TagManifestToManifest, Image,
-                           Manifest, TagManifestLabel, ManifestLabel, TagManifestLabelMap,
-                           Repository, db_transaction)
+from data.database import (
+    UseThenDisconnect,
+    TagToRepositoryTag,
+    RepositoryTag,
+    TagManifestToManifest,
+    Tag,
+    TagManifest,
+    TagManifestToManifest,
+    Image,
+    Manifest,
+    TagManifestLabel,
+    ManifestLabel,
+    TagManifestLabelMap,
+    Repository,
+    db_transaction,
+)
 from data.model import DataModelException
 from data.model.image import get_parent_images
 from data.model.tag import populate_manifest
@@ -17,9 +29,13 @@ from data.model.blob import get_repo_blob_by_digest, BlobDoesNotExist
 from data.model.user import get_namespace_user
 from data.registry_model import pre_oci_model
 from data.registry_model.datatypes import Tag as TagDataType
-from image.docker.schema1 import (DockerSchema1Manifest, ManifestException, ManifestInterface,
-                                  DOCKER_SCHEMA1_SIGNED_MANIFEST_CONTENT_TYPE,
-                                  MalformedSchema1Manifest)
+from image.docker.schema1 import (
+    DockerSchema1Manifest,
+    ManifestException,
+    ManifestInterface,
+    DOCKER_SCHEMA1_SIGNED_MANIFEST_CONTENT_TYPE,
+    MalformedSchema1Manifest,
+)
 
 from workers.worker import Worker
 from util.bytes import Bytes
@@ -28,381 +44,428 @@ from util.migrate.allocator import yield_random_entries
 
 logger = logging.getLogger(__name__)
 
-WORKER_TIMEOUT = app.config.get('BACKFILL_TAGS_TIMEOUT', 6000)
+WORKER_TIMEOUT = app.config.get("BACKFILL_TAGS_TIMEOUT", 6000)
 
 
 class BrokenManifest(ManifestInterface):
-  """ Implementation of the ManifestInterface for "broken" manifests. This allows us to add the
+    """ Implementation of the ManifestInterface for "broken" manifests. This allows us to add the
       new manifest row while not adding any additional rows for it.
   """
-  def __init__(self, digest, payload):
-    self._digest = digest
-    self._payload = Bytes.for_string_or_unicode(payload)
 
-  @property
-  def digest(self):
-    return self._digest
+    def __init__(self, digest, payload):
+        self._digest = digest
+        self._payload = Bytes.for_string_or_unicode(payload)
 
-  @property
-  def media_type(self):
-    return DOCKER_SCHEMA1_SIGNED_MANIFEST_CONTENT_TYPE
+    @property
+    def digest(self):
+        return self._digest
 
-  @property
-  def manifest_dict(self):
-    return {}
+    @property
+    def media_type(self):
+        return DOCKER_SCHEMA1_SIGNED_MANIFEST_CONTENT_TYPE
 
-  @property
-  def bytes(self):
-    return self._payload
+    @property
+    def manifest_dict(self):
+        return {}
 
-  def get_layers(self, content_retriever):
-    return None
+    @property
+    def bytes(self):
+        return self._payload
 
-  def get_legacy_image_ids(self, cr):
-    return []
+    def get_layers(self, content_retriever):
+        return None
 
-  def get_leaf_layer_v1_image_id(self, cr):
-    return None
+    def get_legacy_image_ids(self, cr):
+        return []
 
-  @property
-  def blob_digests(self):
-    return []
+    def get_leaf_layer_v1_image_id(self, cr):
+        return None
 
-  @property
-  def local_blob_digests(self):
-    return []
+    @property
+    def blob_digests(self):
+        return []
 
-  def get_blob_digests_for_translation(self):
-    return []
+    @property
+    def local_blob_digests(self):
+        return []
 
-  def validate(self, content_retriever):
-    pass
+    def get_blob_digests_for_translation(self):
+        return []
 
-  def child_manifests(self, lookup_manifest_fn):
-    return None
+    def validate(self, content_retriever):
+        pass
 
-  def get_manifest_labels(self, lookup_config_fn):
-    return {}
+    def child_manifests(self, lookup_manifest_fn):
+        return None
 
-  def unsigned(self):
-    return self
+    def get_manifest_labels(self, lookup_config_fn):
+        return {}
 
-  def generate_legacy_layers(self, images_map, lookup_config_fn):
-    return None
+    def unsigned(self):
+        return self
 
-  def get_schema1_manifest(self, namespace_name, repo_name, tag_name, lookup_fn):
-    return self
-    
-  @property
-  def schema_version(self):
-    return 1
+    def generate_legacy_layers(self, images_map, lookup_config_fn):
+        return None
 
-  @property
-  def layers_compressed_size(self):
-    return None
+    def get_schema1_manifest(self, namespace_name, repo_name, tag_name, lookup_fn):
+        return self
 
-  @property
-  def is_manifest_list(self):
-    return False
+    @property
+    def schema_version(self):
+        return 1
 
-  @property
-  def has_legacy_image(self):
-    return False
+    @property
+    def layers_compressed_size(self):
+        return None
 
-  def get_requires_empty_layer_blob(self, content_retriever):
-    return False
+    @property
+    def is_manifest_list(self):
+        return False
 
-  def convert_manifest(self, allowed_mediatypes, namespace_name, repo_name, tag_name,
-                       content_retriever):
-    return None
+    @property
+    def has_legacy_image(self):
+        return False
+
+    def get_requires_empty_layer_blob(self, content_retriever):
+        return False
+
+    def convert_manifest(
+        self, allowed_mediatypes, namespace_name, repo_name, tag_name, content_retriever
+    ):
+        return None
 
 
 class TagBackfillWorker(Worker):
-  def __init__(self, namespace_filter=None):
-    super(TagBackfillWorker, self).__init__()
-    self._namespace_filter = namespace_filter
+    def __init__(self, namespace_filter=None):
+        super(TagBackfillWorker, self).__init__()
+        self._namespace_filter = namespace_filter
 
-    self.add_operation(self._backfill_tags, WORKER_TIMEOUT)
+        self.add_operation(self._backfill_tags, WORKER_TIMEOUT)
 
-  def _filter(self, query):
-    if self._namespace_filter:
-      logger.info('Filtering by namespace `%s`', self._namespace_filter)
-      namespace_user = get_namespace_user(self._namespace_filter)
-      query = query.join(Repository).where(Repository.namespace_user == namespace_user)
+    def _filter(self, query):
+        if self._namespace_filter:
+            logger.info("Filtering by namespace `%s`", self._namespace_filter)
+            namespace_user = get_namespace_user(self._namespace_filter)
+            query = query.join(Repository).where(
+                Repository.namespace_user == namespace_user
+            )
 
-    return query
+        return query
 
-  def _candidates_to_backfill(self):
-    def missing_tmt_query():
-      return (self._filter(RepositoryTag.select())
-              .join(TagToRepositoryTag, JOIN.LEFT_OUTER)
-              .where(TagToRepositoryTag.id >> None, RepositoryTag.hidden == False))
+    def _candidates_to_backfill(self):
+        def missing_tmt_query():
+            return (
+                self._filter(RepositoryTag.select())
+                .join(TagToRepositoryTag, JOIN.LEFT_OUTER)
+                .where(TagToRepositoryTag.id >> None, RepositoryTag.hidden == False)
+            )
 
-    min_id = (self._filter(RepositoryTag.select(fn.Min(RepositoryTag.id))).scalar())
-    max_id = self._filter(RepositoryTag.select(fn.Max(RepositoryTag.id))).scalar()
+        min_id = self._filter(RepositoryTag.select(fn.Min(RepositoryTag.id))).scalar()
+        max_id = self._filter(RepositoryTag.select(fn.Max(RepositoryTag.id))).scalar()
 
-    logger.info('Found candidate range %s-%s', min_id, max_id)
+        logger.info("Found candidate range %s-%s", min_id, max_id)
 
-    iterator = yield_random_entries(
-      missing_tmt_query,
-      RepositoryTag.id,
-      1000,
-      max_id,
-      min_id,
-    )
+        iterator = yield_random_entries(
+            missing_tmt_query, RepositoryTag.id, 1000, max_id, min_id
+        )
 
-    return iterator
+        return iterator
 
-  def _backfill_tags(self):
-    with UseThenDisconnect(app.config):
-      iterator = self._candidates_to_backfill()
-      if iterator is None:
-        logger.debug('Found no additional tags to backfill')
-        time.sleep(10000)
-        return None
+    def _backfill_tags(self):
+        with UseThenDisconnect(app.config):
+            iterator = self._candidates_to_backfill()
+            if iterator is None:
+                logger.debug("Found no additional tags to backfill")
+                time.sleep(10000)
+                return None
 
-      for candidate, abt, _ in iterator:
-        if not backfill_tag(candidate):
-          logger.info('Another worker pre-empted us for tag: %s', candidate.id)
-          abt.set()
+            for candidate, abt, _ in iterator:
+                if not backfill_tag(candidate):
+                    logger.info(
+                        "Another worker pre-empted us for tag: %s", candidate.id
+                    )
+                    abt.set()
 
 
 def lookup_map_row(repositorytag):
-  try:
-    TagToRepositoryTag.get(repository_tag=repositorytag)
-    return True
-  except TagToRepositoryTag.DoesNotExist:
-    return False
+    try:
+        TagToRepositoryTag.get(repository_tag=repositorytag)
+        return True
+    except TagToRepositoryTag.DoesNotExist:
+        return False
 
 
 def backfill_tag(repositorytag):
-  logger.info('Backfilling tag %s', repositorytag.id)
+    logger.info("Backfilling tag %s", repositorytag.id)
 
-  # Ensure that a mapping row doesn't already exist. If it does, nothing more to do.
-  if lookup_map_row(repositorytag):
-    return False
-
-  # Grab the manifest for the RepositoryTag, backfilling as necessary.
-  manifest_id = _get_manifest_id(repositorytag)
-  if manifest_id is None:
-    return True
-
-  lifetime_start_ms = (repositorytag.lifetime_start_ts * 1000
-                       if repositorytag.lifetime_start_ts is not None else None)
-  lifetime_end_ms = (repositorytag.lifetime_end_ts * 1000
-                     if repositorytag.lifetime_end_ts is not None else None)
-
-  # Create the new Tag.
-  with db_transaction():
+    # Ensure that a mapping row doesn't already exist. If it does, nothing more to do.
     if lookup_map_row(repositorytag):
-      return False
+        return False
 
-    try:
-      created = Tag.create(name=repositorytag.name,
-                           repository=repositorytag.repository,
-                           lifetime_start_ms=lifetime_start_ms,
-                           lifetime_end_ms=lifetime_end_ms,
-                           reversion=repositorytag.reversion,
-                           manifest=manifest_id,
-                           tag_kind=Tag.tag_kind.get_id('tag'))
+    # Grab the manifest for the RepositoryTag, backfilling as necessary.
+    manifest_id = _get_manifest_id(repositorytag)
+    if manifest_id is None:
+        return True
 
-      TagToRepositoryTag.create(tag=created, repository_tag=repositorytag,
-                                repository=repositorytag.repository)
-    except IntegrityError:
-      logger.exception('Could not create tag for repo tag `%s`', repositorytag.id)
-      return False
+    lifetime_start_ms = (
+        repositorytag.lifetime_start_ts * 1000
+        if repositorytag.lifetime_start_ts is not None
+        else None
+    )
+    lifetime_end_ms = (
+        repositorytag.lifetime_end_ts * 1000
+        if repositorytag.lifetime_end_ts is not None
+        else None
+    )
 
-  logger.info('Backfilled tag %s', repositorytag.id)
-  return True
+    # Create the new Tag.
+    with db_transaction():
+        if lookup_map_row(repositorytag):
+            return False
+
+        try:
+            created = Tag.create(
+                name=repositorytag.name,
+                repository=repositorytag.repository,
+                lifetime_start_ms=lifetime_start_ms,
+                lifetime_end_ms=lifetime_end_ms,
+                reversion=repositorytag.reversion,
+                manifest=manifest_id,
+                tag_kind=Tag.tag_kind.get_id("tag"),
+            )
+
+            TagToRepositoryTag.create(
+                tag=created,
+                repository_tag=repositorytag,
+                repository=repositorytag.repository,
+            )
+        except IntegrityError:
+            logger.exception("Could not create tag for repo tag `%s`", repositorytag.id)
+            return False
+
+    logger.info("Backfilled tag %s", repositorytag.id)
+    return True
 
 
 def lookup_manifest_map_row(tag_manifest):
-  try:
-    TagManifestToManifest.get(tag_manifest=tag_manifest)
-    return True
-  except TagManifestToManifest.DoesNotExist:
-    return False
+    try:
+        TagManifestToManifest.get(tag_manifest=tag_manifest)
+        return True
+    except TagManifestToManifest.DoesNotExist:
+        return False
 
 
 def _get_manifest_id(repositorytag):
-  repository_tag_datatype = TagDataType.for_repository_tag(repositorytag)
+    repository_tag_datatype = TagDataType.for_repository_tag(repositorytag)
 
-  # Retrieve the TagManifest for the RepositoryTag, backfilling if necessary.
-  with db_transaction():
-    manifest_datatype = None
+    # Retrieve the TagManifest for the RepositoryTag, backfilling if necessary.
+    with db_transaction():
+        manifest_datatype = None
+
+        try:
+            manifest_datatype = pre_oci_model.get_manifest_for_tag(
+                repository_tag_datatype, backfill_if_necessary=True
+            )
+        except MalformedSchema1Manifest:
+            logger.exception(
+                "Error backfilling manifest for tag `%s`", repositorytag.id
+            )
+
+        if manifest_datatype is None:
+            logger.error(
+                "Could not load or backfill manifest for tag `%s`", repositorytag.id
+            )
+
+            # Create a broken manifest for the tag.
+            tag_manifest = TagManifest.create(
+                tag=repositorytag, digest="BROKEN-%s" % repositorytag.id, json_data="{}"
+            )
+        else:
+            # Retrieve the new-style Manifest for the TagManifest, if any.
+            try:
+                tag_manifest = TagManifest.get(id=manifest_datatype._db_id)
+            except TagManifest.DoesNotExist:
+                logger.exception("Could not find tag manifest")
+                return None
 
     try:
-      manifest_datatype = pre_oci_model.get_manifest_for_tag(repository_tag_datatype,
-                                                             backfill_if_necessary=True)
-    except MalformedSchema1Manifest:
-      logger.exception('Error backfilling manifest for tag `%s`', repositorytag.id)
+        found = TagManifestToManifest.get(tag_manifest=tag_manifest).manifest
 
-    if manifest_datatype is None:
-      logger.error('Could not load or backfill manifest for tag `%s`', repositorytag.id)
+        # Verify that the new-style manifest has the same contents as the old-style manifest.
+        # If not, update and then return. This is an extra check put in place to ensure unicode
+        # manifests have been correctly copied.
+        if found.manifest_bytes != tag_manifest.json_data:
+            logger.warning("Fixing manifest `%s`", found.id)
+            found.manifest_bytes = tag_manifest.json_data
+            found.save()
 
-      # Create a broken manifest for the tag.
-      tag_manifest = TagManifest.create(tag=repositorytag,
-                                        digest='BROKEN-%s' % repositorytag.id,
-                                        json_data='{}')
-    else:
-      # Retrieve the new-style Manifest for the TagManifest, if any.
-      try:
-        tag_manifest = TagManifest.get(id=manifest_datatype._db_id)
-      except TagManifest.DoesNotExist:
-        logger.exception('Could not find tag manifest')
+        return found.id
+    except TagManifestToManifest.DoesNotExist:
+        # Could not find the new style manifest, so backfill.
+        _backfill_manifest(tag_manifest)
+
+    # Try to retrieve the manifest again, since we've performed a backfill.
+    try:
+        return TagManifestToManifest.get(tag_manifest=tag_manifest).manifest_id
+    except TagManifestToManifest.DoesNotExist:
         return None
 
-  try:
-    found = TagManifestToManifest.get(tag_manifest=tag_manifest).manifest
-
-    # Verify that the new-style manifest has the same contents as the old-style manifest.
-    # If not, update and then return. This is an extra check put in place to ensure unicode
-    # manifests have been correctly copied.
-    if found.manifest_bytes != tag_manifest.json_data:
-      logger.warning('Fixing manifest `%s`', found.id)
-      found.manifest_bytes = tag_manifest.json_data
-      found.save()
-
-    return found.id
-  except TagManifestToManifest.DoesNotExist:
-    # Could not find the new style manifest, so backfill.
-    _backfill_manifest(tag_manifest)
-
-  # Try to retrieve the manifest again, since we've performed a backfill.
-  try:
-    return TagManifestToManifest.get(tag_manifest=tag_manifest).manifest_id
-  except TagManifestToManifest.DoesNotExist:
-    return None
-
 
 def _backfill_manifest(tag_manifest):
-  logger.info('Backfilling manifest for tag manifest %s', tag_manifest.id)
+    logger.info("Backfilling manifest for tag manifest %s", tag_manifest.id)
 
-  # Ensure that a mapping row doesn't already exist. If it does, we've been preempted.
-  if lookup_manifest_map_row(tag_manifest):
-    return False
-
-  # Parse the manifest. If we cannot parse, then we treat the manifest as broken and just emit it
-  # without additional rows or data, as it will eventually not be useful.
-  is_broken = False
-  try:
-    manifest = DockerSchema1Manifest(Bytes.for_string_or_unicode(tag_manifest.json_data),
-                                     validate=False)
-  except ManifestException:
-    logger.exception('Exception when trying to parse manifest %s', tag_manifest.id)
-    manifest = BrokenManifest(tag_manifest.digest, tag_manifest.json_data)
-    is_broken = True
-
-  # Lookup the storages for the digests.
-  root_image = tag_manifest.tag.image
-  repository = tag_manifest.tag.repository
-
-  image_storage_id_map = {root_image.storage.content_checksum: root_image.storage.id}
-
-  try:
-    parent_images = get_parent_images(repository.namespace_user.username, repository.name,
-                                      root_image)
-  except DataModelException:
-    logger.exception('Exception when trying to load parent images for manifest `%s`',
-                     tag_manifest.id)
-    parent_images = {}
-    is_broken = True
-
-  for parent_image in parent_images:
-    image_storage_id_map[parent_image.storage.content_checksum] = parent_image.storage.id
-
-  # Ensure that all the expected blobs have been found. If not, we lookup the blob under the repo
-  # and add its storage ID. If the blob is not found, we mark the manifest as broken.
-  storage_ids = set()
-  try:
-    for blob_digest in manifest.get_blob_digests_for_translation():
-      if blob_digest in image_storage_id_map:
-        storage_ids.add(image_storage_id_map[blob_digest])
-      else:
-        logger.debug('Blob `%s` not found in images for manifest `%s`; checking repo',
-                     blob_digest, tag_manifest.id)
-        try:
-          blob_storage = get_repo_blob_by_digest(repository.namespace_user.username,
-                                                 repository.name, blob_digest)
-          storage_ids.add(blob_storage.id)
-        except BlobDoesNotExist:
-          logger.debug('Blob `%s` not found in repo for manifest `%s`',
-                       blob_digest, tag_manifest.id)
-          is_broken = True
-  except MalformedSchema1Manifest:
-    logger.warning('Found malformed schema 1 manifest during blob backfill')
-    is_broken = True
-
-  with db_transaction():
-    # Re-retrieve the tag manifest to ensure it still exists and we're pointing at the correct tag.
-    try:
-      tag_manifest = TagManifest.get(id=tag_manifest.id)
-    except TagManifest.DoesNotExist:
-      return True
-
-    # Ensure it wasn't already created.
+    # Ensure that a mapping row doesn't already exist. If it does, we've been preempted.
     if lookup_manifest_map_row(tag_manifest):
-      return False
-
-    # Check for a pre-existing manifest matching the digest in the repository. This can happen
-    # if we've already created the manifest row (typically for tag reverision).
-    try:
-      manifest_row = Manifest.get(digest=manifest.digest, repository=tag_manifest.tag.repository)
-    except Manifest.DoesNotExist:
-      # Create the new-style rows for the manifest.
-      try:
-        manifest_row = populate_manifest(tag_manifest.tag.repository, manifest,
-                                         tag_manifest.tag.image, storage_ids)
-      except IntegrityError:
-        # Pre-empted.
         return False
 
-    # Create the mapping row. If we find another was created for this tag manifest in the
-    # meantime, then we've been preempted.
+    # Parse the manifest. If we cannot parse, then we treat the manifest as broken and just emit it
+    # without additional rows or data, as it will eventually not be useful.
+    is_broken = False
     try:
-      TagManifestToManifest.create(tag_manifest=tag_manifest, manifest=manifest_row,
-                                   broken=is_broken)
-    except IntegrityError:
-      return False
+        manifest = DockerSchema1Manifest(
+            Bytes.for_string_or_unicode(tag_manifest.json_data), validate=False
+        )
+    except ManifestException:
+        logger.exception("Exception when trying to parse manifest %s", tag_manifest.id)
+        manifest = BrokenManifest(tag_manifest.digest, tag_manifest.json_data)
+        is_broken = True
 
-  # Backfill any labels on the manifest.
-  _backfill_labels(tag_manifest, manifest_row, repository)
-  return True
+    # Lookup the storages for the digests.
+    root_image = tag_manifest.tag.image
+    repository = tag_manifest.tag.repository
+
+    image_storage_id_map = {root_image.storage.content_checksum: root_image.storage.id}
+
+    try:
+        parent_images = get_parent_images(
+            repository.namespace_user.username, repository.name, root_image
+        )
+    except DataModelException:
+        logger.exception(
+            "Exception when trying to load parent images for manifest `%s`",
+            tag_manifest.id,
+        )
+        parent_images = {}
+        is_broken = True
+
+    for parent_image in parent_images:
+        image_storage_id_map[
+            parent_image.storage.content_checksum
+        ] = parent_image.storage.id
+
+    # Ensure that all the expected blobs have been found. If not, we lookup the blob under the repo
+    # and add its storage ID. If the blob is not found, we mark the manifest as broken.
+    storage_ids = set()
+    try:
+        for blob_digest in manifest.get_blob_digests_for_translation():
+            if blob_digest in image_storage_id_map:
+                storage_ids.add(image_storage_id_map[blob_digest])
+            else:
+                logger.debug(
+                    "Blob `%s` not found in images for manifest `%s`; checking repo",
+                    blob_digest,
+                    tag_manifest.id,
+                )
+                try:
+                    blob_storage = get_repo_blob_by_digest(
+                        repository.namespace_user.username, repository.name, blob_digest
+                    )
+                    storage_ids.add(blob_storage.id)
+                except BlobDoesNotExist:
+                    logger.debug(
+                        "Blob `%s` not found in repo for manifest `%s`",
+                        blob_digest,
+                        tag_manifest.id,
+                    )
+                    is_broken = True
+    except MalformedSchema1Manifest:
+        logger.warning("Found malformed schema 1 manifest during blob backfill")
+        is_broken = True
+
+    with db_transaction():
+        # Re-retrieve the tag manifest to ensure it still exists and we're pointing at the correct tag.
+        try:
+            tag_manifest = TagManifest.get(id=tag_manifest.id)
+        except TagManifest.DoesNotExist:
+            return True
+
+        # Ensure it wasn't already created.
+        if lookup_manifest_map_row(tag_manifest):
+            return False
+
+        # Check for a pre-existing manifest matching the digest in the repository. This can happen
+        # if we've already created the manifest row (typically for tag reverision).
+        try:
+            manifest_row = Manifest.get(
+                digest=manifest.digest, repository=tag_manifest.tag.repository
+            )
+        except Manifest.DoesNotExist:
+            # Create the new-style rows for the manifest.
+            try:
+                manifest_row = populate_manifest(
+                    tag_manifest.tag.repository,
+                    manifest,
+                    tag_manifest.tag.image,
+                    storage_ids,
+                )
+            except IntegrityError:
+                # Pre-empted.
+                return False
+
+        # Create the mapping row. If we find another was created for this tag manifest in the
+        # meantime, then we've been preempted.
+        try:
+            TagManifestToManifest.create(
+                tag_manifest=tag_manifest, manifest=manifest_row, broken=is_broken
+            )
+        except IntegrityError:
+            return False
+
+    # Backfill any labels on the manifest.
+    _backfill_labels(tag_manifest, manifest_row, repository)
+    return True
 
 
 def _backfill_labels(tag_manifest, manifest, repository):
-  tmls = list(TagManifestLabel.select().where(TagManifestLabel.annotated == tag_manifest))
-  if not tmls:
-    return
+    tmls = list(
+        TagManifestLabel.select().where(TagManifestLabel.annotated == tag_manifest)
+    )
+    if not tmls:
+        return
 
-  for tag_manifest_label in tmls:
-    label = tag_manifest_label.label
-    try:
-      TagManifestLabelMap.get(tag_manifest_label=tag_manifest_label)
-      continue
-    except TagManifestLabelMap.DoesNotExist:
-      pass
+    for tag_manifest_label in tmls:
+        label = tag_manifest_label.label
+        try:
+            TagManifestLabelMap.get(tag_manifest_label=tag_manifest_label)
+            continue
+        except TagManifestLabelMap.DoesNotExist:
+            pass
 
-    try:
-      manifest_label = ManifestLabel.create(manifest=manifest, label=label,
-                                            repository=repository)
-      TagManifestLabelMap.create(manifest_label=manifest_label,
-                                 tag_manifest_label=tag_manifest_label,
-                                 label=label,
-                                 manifest=manifest,
-                                 tag_manifest=tag_manifest_label.annotated)
-    except IntegrityError:
-      continue
+        try:
+            manifest_label = ManifestLabel.create(
+                manifest=manifest, label=label, repository=repository
+            )
+            TagManifestLabelMap.create(
+                manifest_label=manifest_label,
+                tag_manifest_label=tag_manifest_label,
+                label=label,
+                manifest=manifest,
+                tag_manifest=tag_manifest_label.annotated,
+            )
+        except IntegrityError:
+            continue
 
 
 if __name__ == "__main__":
-  logging.config.fileConfig(logfile_path(debug=False), disable_existing_loggers=False)
+    logging.config.fileConfig(logfile_path(debug=False), disable_existing_loggers=False)
 
-  if (not app.config.get('BACKFILL_TAGS', False) and
-          app.config.get('V3_UPGRADE_MODE') != 'background'):
-    logger.debug('Tag backfill disabled; skipping')
-    while True:
-      time.sleep(100000)
+    if (
+        not app.config.get("BACKFILL_TAGS", False)
+        and app.config.get("V3_UPGRADE_MODE") != "background"
+    ):
+        logger.debug("Tag backfill disabled; skipping")
+        while True:
+            time.sleep(100000)
 
-  worker = TagBackfillWorker(app.config.get('BACKFILL_TAGS_NAMESPACE'))
-  worker.start()
+    worker = TagBackfillWorker(app.config.get("BACKFILL_TAGS_NAMESPACE"))
+    worker.start()
diff --git a/workers/teamsyncworker/teamsyncworker.py b/workers/teamsyncworker/teamsyncworker.py
index a69e36235..b820b7dac 100644
--- a/workers/teamsyncworker/teamsyncworker.py
+++ b/workers/teamsyncworker/teamsyncworker.py
@@ -11,31 +11,33 @@ from util.log import logfile_path
 
 logger = logging.getLogger(__name__)
 
-WORKER_FREQUENCY = app.config.get('TEAM_SYNC_WORKER_FREQUENCY', 60)
-STALE_CUTOFF = convert_to_timedelta(app.config.get('TEAM_RESYNC_STALE_TIME', '30m'))
+WORKER_FREQUENCY = app.config.get("TEAM_SYNC_WORKER_FREQUENCY", 60)
+STALE_CUTOFF = convert_to_timedelta(app.config.get("TEAM_RESYNC_STALE_TIME", "30m"))
+
 
 class TeamSynchronizationWorker(Worker):
-  """ Worker which synchronizes teams with their backing groups in LDAP/Keystone/etc.
+    """ Worker which synchronizes teams with their backing groups in LDAP/Keystone/etc.
   """
-  def __init__(self):
-    super(TeamSynchronizationWorker, self).__init__()
-    self.add_operation(self._sync_teams_to_groups, WORKER_FREQUENCY)
 
-  def _sync_teams_to_groups(self):
-    sync_teams_to_groups(authentication, STALE_CUTOFF)
+    def __init__(self):
+        super(TeamSynchronizationWorker, self).__init__()
+        self.add_operation(self._sync_teams_to_groups, WORKER_FREQUENCY)
+
+    def _sync_teams_to_groups(self):
+        sync_teams_to_groups(authentication, STALE_CUTOFF)
 
 
 def main():
-  logging.config.fileConfig(logfile_path(debug=False), disable_existing_loggers=False)
+    logging.config.fileConfig(logfile_path(debug=False), disable_existing_loggers=False)
 
-  if not features.TEAM_SYNCING or not authentication.federated_service:
-    logger.debug('Team syncing is disabled; sleeping')
-    while True:
-      time.sleep(100000)
+    if not features.TEAM_SYNCING or not authentication.federated_service:
+        logger.debug("Team syncing is disabled; sleeping")
+        while True:
+            time.sleep(100000)
 
-  worker = TeamSynchronizationWorker()
-  worker.start()
+    worker = TeamSynchronizationWorker()
+    worker.start()
 
 
 if __name__ == "__main__":
-  main()
+    main()
diff --git a/workers/test/test_exportactionlogsworker.py b/workers/test/test_exportactionlogsworker.py
index 0e4a728b4..a8a5c64fe 100644
--- a/workers/test/test_exportactionlogsworker.py
+++ b/workers/test/test_exportactionlogsworker.py
@@ -17,134 +17,161 @@ from workers.exportactionlogsworker import ExportActionLogsWorker, POLL_PERIOD_S
 from test.fixtures import *
 
 _TEST_CONTENT = os.urandom(1024)
-_TEST_BUCKET = 'some_bucket'
-_TEST_USER = 'someuser'
-_TEST_PASSWORD = 'somepassword'
-_TEST_PATH = 'some/cool/path'
-_TEST_CONTEXT = StorageContext('nyc', None, None, None, None)
+_TEST_BUCKET = "some_bucket"
+_TEST_USER = "someuser"
+_TEST_PASSWORD = "somepassword"
+_TEST_PATH = "some/cool/path"
+_TEST_CONTEXT = StorageContext("nyc", None, None, None, None)
 
 
-@pytest.fixture(params=['test', 'mock_s3'])
+@pytest.fixture(params=["test", "mock_s3"])
 def storage_engine(request):
-  if request.param == 'test':
-    yield test_storage
-  else:
-    with mock_s3():
-      # Create a test bucket and put some test content.
-      boto.connect_s3().create_bucket(_TEST_BUCKET)
-      engine = DistributedStorage(
-        {'foo': S3Storage(_TEST_CONTEXT, 'some/path', _TEST_BUCKET, _TEST_USER, _TEST_PASSWORD)},
-        ['foo'])
-      yield engine
+    if request.param == "test":
+        yield test_storage
+    else:
+        with mock_s3():
+            # Create a test bucket and put some test content.
+            boto.connect_s3().create_bucket(_TEST_BUCKET)
+            engine = DistributedStorage(
+                {
+                    "foo": S3Storage(
+                        _TEST_CONTEXT,
+                        "some/path",
+                        _TEST_BUCKET,
+                        _TEST_USER,
+                        _TEST_PASSWORD,
+                    )
+                },
+                ["foo"],
+            )
+            yield engine
 
 
 def test_export_logs_failure(initialized_db):
-  # Make all uploads fail.
-  test_storage.put_content('local_us', 'except_upload', 'true')
+    # Make all uploads fail.
+    test_storage.put_content("local_us", "except_upload", "true")
 
-  repo = model.repository.get_repository('devtable', 'simple')
-  user = model.user.get_user('devtable')
+    repo = model.repository.get_repository("devtable", "simple")
+    user = model.user.get_user("devtable")
 
-  worker = ExportActionLogsWorker(None)
-  called = [{}]
+    worker = ExportActionLogsWorker(None)
+    called = [{}]
 
-  @urlmatch(netloc=r'testcallback')
-  def handle_request(url, request):
-    called[0] = json.loads(request.body)
-    return {'status_code': 200, 'content': '{}'}
+    @urlmatch(netloc=r"testcallback")
+    def handle_request(url, request):
+        called[0] = json.loads(request.body)
+        return {"status_code": 200, "content": "{}"}
 
-  def format_date(datetime):
-    return datetime.strftime("%m/%d/%Y")
+    def format_date(datetime):
+        return datetime.strftime("%m/%d/%Y")
 
-  now = datetime.now()
-  with HTTMock(handle_request):
-    with pytest.raises(IOError):
-      worker._process_queue_item({
-        'export_id': 'someid',
-        'repository_id': repo.id,
-        'namespace_id': repo.namespace_user.id,
-        'namespace_name': 'devtable',
-        'repository_name': 'simple',
-        'start_time': format_date(now + timedelta(days=-10)),
-        'end_time': format_date(now + timedelta(days=10)),
-        'callback_url': 'http://testcallback/',
-        'callback_email': None,
-      }, test_storage)
+    now = datetime.now()
+    with HTTMock(handle_request):
+        with pytest.raises(IOError):
+            worker._process_queue_item(
+                {
+                    "export_id": "someid",
+                    "repository_id": repo.id,
+                    "namespace_id": repo.namespace_user.id,
+                    "namespace_name": "devtable",
+                    "repository_name": "simple",
+                    "start_time": format_date(now + timedelta(days=-10)),
+                    "end_time": format_date(now + timedelta(days=10)),
+                    "callback_url": "http://testcallback/",
+                    "callback_email": None,
+                },
+                test_storage,
+            )
 
-  test_storage.remove('local_us', 'except_upload')
+    test_storage.remove("local_us", "except_upload")
 
-  assert called[0]
-  assert called[0][u'export_id'] == 'someid'
-  assert called[0][u'status'] == 'failed'
+    assert called[0]
+    assert called[0][u"export_id"] == "someid"
+    assert called[0][u"status"] == "failed"
 
 
-@pytest.mark.parametrize('has_logs', [
-  True,
-  False,
-])
+@pytest.mark.parametrize("has_logs", [True, False])
 def test_export_logs(initialized_db, storage_engine, has_logs):
-  # Delete all existing logs.
-  database.LogEntry3.delete().execute()
+    # Delete all existing logs.
+    database.LogEntry3.delete().execute()
 
-  repo = model.repository.get_repository('devtable', 'simple')
-  user = model.user.get_user('devtable')
+    repo = model.repository.get_repository("devtable", "simple")
+    user = model.user.get_user("devtable")
 
-  now = datetime.now()
-  if has_logs:
-    # Add new logs over a multi-day period.
-    for index in range(-10, 10):
-      logs_model.log_action('push_repo', 'devtable', user, '0.0.0.0', {'index': index},
-                            repo, timestamp=now + timedelta(days=index))
+    now = datetime.now()
+    if has_logs:
+        # Add new logs over a multi-day period.
+        for index in range(-10, 10):
+            logs_model.log_action(
+                "push_repo",
+                "devtable",
+                user,
+                "0.0.0.0",
+                {"index": index},
+                repo,
+                timestamp=now + timedelta(days=index),
+            )
 
-  worker = ExportActionLogsWorker(None)
-  called = [{}]
+    worker = ExportActionLogsWorker(None)
+    called = [{}]
 
-  @urlmatch(netloc=r'testcallback')
-  def handle_request(url, request):
-    called[0] = json.loads(request.body)
-    return {'status_code': 200, 'content': '{}'}
+    @urlmatch(netloc=r"testcallback")
+    def handle_request(url, request):
+        called[0] = json.loads(request.body)
+        return {"status_code": 200, "content": "{}"}
 
-  def format_date(datetime):
-    return datetime.strftime("%m/%d/%Y")
+    def format_date(datetime):
+        return datetime.strftime("%m/%d/%Y")
 
-  with HTTMock(handle_request):
-    worker._process_queue_item({
-      'export_id': 'someid',
-      'repository_id': repo.id,
-      'namespace_id': repo.namespace_user.id,
-      'namespace_name': 'devtable',
-      'repository_name': 'simple',
-      'start_time': format_date(now + timedelta(days=-10)),
-      'end_time': format_date(now + timedelta(days=10)),
-      'callback_url': 'http://testcallback/',
-      'callback_email': None,
-    }, storage_engine)
+    with HTTMock(handle_request):
+        worker._process_queue_item(
+            {
+                "export_id": "someid",
+                "repository_id": repo.id,
+                "namespace_id": repo.namespace_user.id,
+                "namespace_name": "devtable",
+                "repository_name": "simple",
+                "start_time": format_date(now + timedelta(days=-10)),
+                "end_time": format_date(now + timedelta(days=10)),
+                "callback_url": "http://testcallback/",
+                "callback_email": None,
+            },
+            storage_engine,
+        )
 
-  assert called[0]
-  assert called[0][u'export_id'] == 'someid'
-  assert called[0][u'status'] == 'success'
+    assert called[0]
+    assert called[0][u"export_id"] == "someid"
+    assert called[0][u"status"] == "success"
 
-  url = called[0][u'exported_data_url']
+    url = called[0][u"exported_data_url"]
 
-  if url.find('http://localhost:5000/exportedlogs/') == 0:
-    storage_id = url[len('http://localhost:5000/exportedlogs/'):]
-  else:
-    assert url.find('https://some_bucket.s3.amazonaws.com/some/path/exportedactionlogs/') == 0
-    storage_id, _ = url[len('https://some_bucket.s3.amazonaws.com/some/path/exportedactionlogs/'):].split('?')
+    if url.find("http://localhost:5000/exportedlogs/") == 0:
+        storage_id = url[len("http://localhost:5000/exportedlogs/") :]
+    else:
+        assert (
+            url.find(
+                "https://some_bucket.s3.amazonaws.com/some/path/exportedactionlogs/"
+            )
+            == 0
+        )
+        storage_id, _ = url[
+            len("https://some_bucket.s3.amazonaws.com/some/path/exportedactionlogs/") :
+        ].split("?")
 
-  created = storage_engine.get_content(storage_engine.preferred_locations,
-                                       'exportedactionlogs/' + storage_id)
-  created_json = json.loads(created)
+    created = storage_engine.get_content(
+        storage_engine.preferred_locations, "exportedactionlogs/" + storage_id
+    )
+    created_json = json.loads(created)
 
-  if has_logs:
-    found = set()
-    for log in created_json['logs']:
-      if log.get('terminator'):
-        continue
+    if has_logs:
+        found = set()
+        for log in created_json["logs"]:
+            if log.get("terminator"):
+                continue
 
-      found.add(log['metadata']['index'])
+            found.add(log["metadata"]["index"])
 
-    for index in range(-10, 10):
-      assert index in found
-  else:
-    assert created_json['logs'] == [{'terminator': True}]
+        for index in range(-10, 10):
+            assert index in found
+    else:
+        assert created_json["logs"] == [{"terminator": True}]
diff --git a/workers/test/test_logrotateworker.py b/workers/test/test_logrotateworker.py
index aba8290cd..832ef5eeb 100644
--- a/workers/test/test_logrotateworker.py
+++ b/workers/test/test_logrotateworker.py
@@ -23,120 +23,151 @@ from test.fixtures import *
 
 @pytest.fixture()
 def clear_db_logs(initialized_db):
-  LogEntry.delete().execute()
-  LogEntry2.delete().execute()
-  LogEntry3.delete().execute()
+    LogEntry.delete().execute()
+    LogEntry2.delete().execute()
+    LogEntry3.delete().execute()
 
 
 def combined_model():
-  return CombinedLogsModel(TableLogsModel(), InMemoryModel())
+    return CombinedLogsModel(TableLogsModel(), InMemoryModel())
 
 
 def es_model():
-  return DocumentLogsModel(producer='elasticsearch', elasticsearch_config={
-    'host': FAKE_ES_HOST,
-    'port': 12345,
-  })
+    return DocumentLogsModel(
+        producer="elasticsearch",
+        elasticsearch_config={"host": FAKE_ES_HOST, "port": 12345},
+    )
+
 
 @pytest.fixture()
 def fake_es():
-  with fake_elasticsearch():
-    yield
+    with fake_elasticsearch():
+        yield
 
 
 @pytest.fixture(params=[TableLogsModel, es_model, InMemoryModel, combined_model])
 def logs_model(request, clear_db_logs, fake_es):
-  model = request.param()
-  with patch('data.logs_model.logs_model', model):
-    with patch('workers.logrotateworker.logs_model', model):
-      yield model
+    model = request.param()
+    with patch("data.logs_model.logs_model", model):
+        with patch("workers.logrotateworker.logs_model", model):
+            yield model
 
 
 def _lookup_logs(logs_model, start_time, end_time, **kwargs):
-  logs_found = []
-  page_token = None
-  while True:
-    found = logs_model.lookup_logs(start_time, end_time, page_token=page_token, **kwargs)
-    logs_found.extend(found.logs)
-    page_token = found.next_page_token
-    if not found.logs or not page_token:
-      break
+    logs_found = []
+    page_token = None
+    while True:
+        found = logs_model.lookup_logs(
+            start_time, end_time, page_token=page_token, **kwargs
+        )
+        logs_found.extend(found.logs)
+        page_token = found.next_page_token
+        if not found.logs or not page_token:
+            break
 
-  assert len(logs_found) == len(set(logs_found))
-  return logs_found
+    assert len(logs_found) == len(set(logs_found))
+    return logs_found
 
 
 def test_logrotateworker(logs_model):
-  worker = LogRotateWorker()
-  days = 90
-  start_timestamp = datetime(2019, 1, 1)
+    worker = LogRotateWorker()
+    days = 90
+    start_timestamp = datetime(2019, 1, 1)
 
-  # Make sure there are no existing logs
-  found = _lookup_logs(logs_model, start_timestamp - timedelta(days=1000), start_timestamp + timedelta(days=1000))
-  assert not found
+    # Make sure there are no existing logs
+    found = _lookup_logs(
+        logs_model,
+        start_timestamp - timedelta(days=1000),
+        start_timestamp + timedelta(days=1000),
+    )
+    assert not found
 
-  # Create some logs
-  for day in range(0, days):
-    logs_model.log_action('push_repo', namespace_name='devtable', repository_name='simple',
-                          ip='1.2.3.4', timestamp=start_timestamp-timedelta(days=day))
+    # Create some logs
+    for day in range(0, days):
+        logs_model.log_action(
+            "push_repo",
+            namespace_name="devtable",
+            repository_name="simple",
+            ip="1.2.3.4",
+            timestamp=start_timestamp - timedelta(days=day),
+        )
 
-  # Ensure there are logs.
-  logs = _lookup_logs(logs_model,
-                      start_timestamp - timedelta(days=1000),
-                      start_timestamp + timedelta(days=1000))
+    # Ensure there are logs.
+    logs = _lookup_logs(
+        logs_model,
+        start_timestamp - timedelta(days=1000),
+        start_timestamp + timedelta(days=1000),
+    )
 
-  assert len(logs) == days
+    assert len(logs) == days
 
-  # Archive all the logs.
-  assert worker._perform_archiving(start_timestamp + timedelta(days=1))
+    # Archive all the logs.
+    assert worker._perform_archiving(start_timestamp + timedelta(days=1))
 
-  # Ensure all the logs were archived.
-  found = _lookup_logs(logs_model, start_timestamp - timedelta(days=1000), start_timestamp + timedelta(days=1000))
-  assert not found
+    # Ensure all the logs were archived.
+    found = _lookup_logs(
+        logs_model,
+        start_timestamp - timedelta(days=1000),
+        start_timestamp + timedelta(days=1000),
+    )
+    assert not found
 
 
 def test_logrotateworker_with_cutoff(logs_model):
-  days = 60
-  start_timestamp = datetime(2019, 1, 1)
+    days = 60
+    start_timestamp = datetime(2019, 1, 1)
 
-  # Make sure there are no existing logs
-  found = _lookup_logs(logs_model, start_timestamp - timedelta(days=365), start_timestamp + timedelta(days=365))
-  assert not found
+    # Make sure there are no existing logs
+    found = _lookup_logs(
+        logs_model,
+        start_timestamp - timedelta(days=365),
+        start_timestamp + timedelta(days=365),
+    )
+    assert not found
 
-  # Create a new set of logs/indices.
-  for day in range(0, days):
-    logs_model.log_action('push_repo', namespace_name='devtable', repository_name='simple',
-                          ip='1.2.3.4', timestamp=start_timestamp+timedelta(days=day))
+    # Create a new set of logs/indices.
+    for day in range(0, days):
+        logs_model.log_action(
+            "push_repo",
+            namespace_name="devtable",
+            repository_name="simple",
+            ip="1.2.3.4",
+            timestamp=start_timestamp + timedelta(days=day),
+        )
 
-  # Get all logs
-  logs = _lookup_logs(logs_model,
-                      start_timestamp - timedelta(days=days-1),
-                      start_timestamp + timedelta(days=days+1))
+    # Get all logs
+    logs = _lookup_logs(
+        logs_model,
+        start_timestamp - timedelta(days=days - 1),
+        start_timestamp + timedelta(days=days + 1),
+    )
 
-  assert len(logs) == days
+    assert len(logs) == days
 
-  # Set the cutoff datetime to be the midpoint of the logs
-  midpoint = logs[0:len(logs)/2]
-  assert midpoint
-  assert len(midpoint) < len(logs)
+    # Set the cutoff datetime to be the midpoint of the logs
+    midpoint = logs[0 : len(logs) / 2]
+    assert midpoint
+    assert len(midpoint) < len(logs)
 
-  worker = LogRotateWorker()
-  cutoff_date = midpoint[-1].datetime
+    worker = LogRotateWorker()
+    cutoff_date = midpoint[-1].datetime
 
-  # Archive the indices at or older than the cutoff date
-  archived_files = worker._perform_archiving(cutoff_date)
+    # Archive the indices at or older than the cutoff date
+    archived_files = worker._perform_archiving(cutoff_date)
 
-  # Ensure the eariler logs were archived
-  found = _lookup_logs(logs_model, start_timestamp, cutoff_date-timedelta(seconds=1))
-  assert not found
+    # Ensure the eariler logs were archived
+    found = _lookup_logs(
+        logs_model, start_timestamp, cutoff_date - timedelta(seconds=1)
+    )
+    assert not found
 
-  # Check that the files were written to storage
-  for archived_file in archived_files:
-    assert storage.exists([SAVE_LOCATION], os.path.join(SAVE_PATH, archived_file))
+    # Check that the files were written to storage
+    for archived_file in archived_files:
+        assert storage.exists([SAVE_LOCATION], os.path.join(SAVE_PATH, archived_file))
 
-  # If current model uses ES, check that the indices were also deleted
-  if isinstance(logs_model, DocumentLogsModel):
-    assert len(logs_model.list_indices()) == days - (len(logs) / 2)
-    for index in logs_model.list_indices():
-      dt = datetime.strptime(index[len(INDEX_NAME_PREFIX):], INDEX_DATE_FORMAT)
-      assert dt >= cutoff_date
+    # If current model uses ES, check that the indices were also deleted
+    if isinstance(logs_model, DocumentLogsModel):
+        assert len(logs_model.list_indices()) == days - (len(logs) / 2)
+        for index in logs_model.list_indices():
+            dt = datetime.strptime(index[len(INDEX_NAME_PREFIX) :], INDEX_DATE_FORMAT)
+            assert dt >= cutoff_date
diff --git a/workers/test/test_repositoryactioncounter.py b/workers/test/test_repositoryactioncounter.py
index dcb975669..e2bd0a6c5 100644
--- a/workers/test/test_repositoryactioncounter.py
+++ b/workers/test/test_repositoryactioncounter.py
@@ -3,10 +3,11 @@ from workers.repositoryactioncounter import RepositoryActionCountWorker
 
 from test.fixtures import *
 
-def test_repositoryactioncount(app):
-  database.RepositoryActionCount.delete().execute()
-  database.RepositorySearchScore.delete().execute()
 
-  rac = RepositoryActionCountWorker()
-  while rac._count_repository_actions():
-    continue
+def test_repositoryactioncount(app):
+    database.RepositoryActionCount.delete().execute()
+    database.RepositorySearchScore.delete().execute()
+
+    rac = RepositoryActionCountWorker()
+    while rac._count_repository_actions():
+        continue
diff --git a/workers/test/test_storagereplication.py b/workers/test/test_storagereplication.py
index 8487b1d97..2ac287241 100644
--- a/workers/test/test_storagereplication.py
+++ b/workers/test/test_storagereplication.py
@@ -6,166 +6,195 @@ from data import model, database
 from storage.basestorage import StoragePaths
 from storage.fakestorage import FakeStorage
 from storage.distributedstorage import DistributedStorage
-from workers.storagereplication import (StorageReplicationWorker, JobException,
-                                        WorkerUnhealthyException)
+from workers.storagereplication import (
+    StorageReplicationWorker,
+    JobException,
+    WorkerUnhealthyException,
+)
 
 from test.fixtures import *
 
 
 @pytest.fixture()
 def storage_user(app):
-  user = model.user.get_user('devtable')
-  database.UserRegion.create(user=user,
-                             location=database.ImageStorageLocation.get(name='local_us'))
-  database.UserRegion.create(user=user,
-                             location=database.ImageStorageLocation.get(name='local_eu'))
-  return user
+    user = model.user.get_user("devtable")
+    database.UserRegion.create(
+        user=user, location=database.ImageStorageLocation.get(name="local_us")
+    )
+    database.UserRegion.create(
+        user=user, location=database.ImageStorageLocation.get(name="local_eu")
+    )
+    return user
 
 
 @pytest.fixture()
 def storage_paths():
-  return StoragePaths()
+    return StoragePaths()
 
 
 @pytest.fixture()
 def replication_worker():
-  return StorageReplicationWorker(None)
+    return StorageReplicationWorker(None)
 
 
 @pytest.fixture()
 def storage():
-  return DistributedStorage({'local_us': FakeStorage('local'), 'local_eu': FakeStorage('local')},
-                            ['local_us'])
+    return DistributedStorage(
+        {"local_us": FakeStorage("local"), "local_eu": FakeStorage("local")},
+        ["local_us"],
+    )
 
 
-def test_storage_replication_v1(storage_user, storage_paths, replication_worker, storage, app):
-  # Add a storage entry with a V1 path.
-  v1_storage = model.storage.create_v1_storage('local_us')
-  content_path = storage_paths.v1_image_layer_path(v1_storage.uuid)
-  storage.put_content(['local_us'], content_path, 'some content')
+def test_storage_replication_v1(
+    storage_user, storage_paths, replication_worker, storage, app
+):
+    # Add a storage entry with a V1 path.
+    v1_storage = model.storage.create_v1_storage("local_us")
+    content_path = storage_paths.v1_image_layer_path(v1_storage.uuid)
+    storage.put_content(["local_us"], content_path, "some content")
 
-  # Call replicate on it and verify it replicates.
-  replication_worker.replicate_storage(storage_user, v1_storage.uuid, storage)
+    # Call replicate on it and verify it replicates.
+    replication_worker.replicate_storage(storage_user, v1_storage.uuid, storage)
 
-  # Ensure that the data was replicated to the other "region".
-  assert storage.get_content(['local_eu'], content_path) == 'some content'
+    # Ensure that the data was replicated to the other "region".
+    assert storage.get_content(["local_eu"], content_path) == "some content"
 
-  locations = model.storage.get_storage_locations(v1_storage.uuid)
-  assert len(locations) == 2
+    locations = model.storage.get_storage_locations(v1_storage.uuid)
+    assert len(locations) == 2
 
 
-def test_storage_replication_cas(storage_user, storage_paths, replication_worker, storage, app):
-  # Add a storage entry with a CAS path.
-  content_checksum = 'sha256:' + hashlib.sha256('some content').hexdigest()
-  cas_storage = database.ImageStorage.create(cas_path=True, content_checksum=content_checksum)
+def test_storage_replication_cas(
+    storage_user, storage_paths, replication_worker, storage, app
+):
+    # Add a storage entry with a CAS path.
+    content_checksum = "sha256:" + hashlib.sha256("some content").hexdigest()
+    cas_storage = database.ImageStorage.create(
+        cas_path=True, content_checksum=content_checksum
+    )
 
-  location = database.ImageStorageLocation.get(name='local_us')
-  database.ImageStoragePlacement.create(storage=cas_storage, location=location)
+    location = database.ImageStorageLocation.get(name="local_us")
+    database.ImageStoragePlacement.create(storage=cas_storage, location=location)
 
-  content_path = storage_paths.blob_path(cas_storage.content_checksum)
-  storage.put_content(['local_us'], content_path, 'some content')
+    content_path = storage_paths.blob_path(cas_storage.content_checksum)
+    storage.put_content(["local_us"], content_path, "some content")
 
-  # Call replicate on it and verify it replicates.
-  replication_worker.replicate_storage(storage_user, cas_storage.uuid, storage)
+    # Call replicate on it and verify it replicates.
+    replication_worker.replicate_storage(storage_user, cas_storage.uuid, storage)
 
-  # Ensure that the data was replicated to the other "region".
-  assert storage.get_content(['local_eu'], content_path) == 'some content'
+    # Ensure that the data was replicated to the other "region".
+    assert storage.get_content(["local_eu"], content_path) == "some content"
 
-  locations = model.storage.get_storage_locations(cas_storage.uuid)
-  assert len(locations) == 2
+    locations = model.storage.get_storage_locations(cas_storage.uuid)
+    assert len(locations) == 2
 
 
-def test_storage_replication_missing_base(storage_user, storage_paths, replication_worker, storage,
-                                          app):
-  # Add a storage entry with a CAS path.
-  content_checksum = 'sha256:' + hashlib.sha256('some content').hexdigest()
-  cas_storage = database.ImageStorage.create(cas_path=True, content_checksum=content_checksum)
+def test_storage_replication_missing_base(
+    storage_user, storage_paths, replication_worker, storage, app
+):
+    # Add a storage entry with a CAS path.
+    content_checksum = "sha256:" + hashlib.sha256("some content").hexdigest()
+    cas_storage = database.ImageStorage.create(
+        cas_path=True, content_checksum=content_checksum
+    )
 
-  location = database.ImageStorageLocation.get(name='local_us')
-  database.ImageStoragePlacement.create(storage=cas_storage, location=location)
+    location = database.ImageStorageLocation.get(name="local_us")
+    database.ImageStoragePlacement.create(storage=cas_storage, location=location)
 
-  # Attempt to replicate storage. This should fail because the layer is missing from the base
-  # storage.
-  with pytest.raises(JobException):
-    replication_worker.replicate_storage(storage_user, cas_storage.uuid, storage,
-                                         backoff_check=False)
+    # Attempt to replicate storage. This should fail because the layer is missing from the base
+    # storage.
+    with pytest.raises(JobException):
+        replication_worker.replicate_storage(
+            storage_user, cas_storage.uuid, storage, backoff_check=False
+        )
 
-  # Ensure the storage location count remains 1. This is technically inaccurate, but that's okay
-  # as we still require at least one location per storage.
-  locations = model.storage.get_storage_locations(cas_storage.uuid)
-  assert len(locations) == 1
+    # Ensure the storage location count remains 1. This is technically inaccurate, but that's okay
+    # as we still require at least one location per storage.
+    locations = model.storage.get_storage_locations(cas_storage.uuid)
+    assert len(locations) == 1
 
 
-def test_storage_replication_copy_error(storage_user, storage_paths, replication_worker, storage,
-                                        app):
-  # Add a storage entry with a CAS path.
-  content_checksum = 'sha256:' + hashlib.sha256('some content').hexdigest()
-  cas_storage = database.ImageStorage.create(cas_path=True, content_checksum=content_checksum)
+def test_storage_replication_copy_error(
+    storage_user, storage_paths, replication_worker, storage, app
+):
+    # Add a storage entry with a CAS path.
+    content_checksum = "sha256:" + hashlib.sha256("some content").hexdigest()
+    cas_storage = database.ImageStorage.create(
+        cas_path=True, content_checksum=content_checksum
+    )
 
-  location = database.ImageStorageLocation.get(name='local_us')
-  database.ImageStoragePlacement.create(storage=cas_storage, location=location)
+    location = database.ImageStorageLocation.get(name="local_us")
+    database.ImageStoragePlacement.create(storage=cas_storage, location=location)
 
-  content_path = storage_paths.blob_path(cas_storage.content_checksum)
-  storage.put_content(['local_us'], content_path, 'some content')
+    content_path = storage_paths.blob_path(cas_storage.content_checksum)
+    storage.put_content(["local_us"], content_path, "some content")
 
-  # Tell storage to break copying.
-  storage.put_content(['local_us'], 'break_copying', 'true')
+    # Tell storage to break copying.
+    storage.put_content(["local_us"], "break_copying", "true")
 
-  # Attempt to replicate storage. This should fail because the write fails.
-  with pytest.raises(JobException):
-    replication_worker.replicate_storage(storage_user, cas_storage.uuid, storage,
-                                         backoff_check=False)
+    # Attempt to replicate storage. This should fail because the write fails.
+    with pytest.raises(JobException):
+        replication_worker.replicate_storage(
+            storage_user, cas_storage.uuid, storage, backoff_check=False
+        )
 
-  # Ensure the storage location count remains 1.
-  locations = model.storage.get_storage_locations(cas_storage.uuid)
-  assert len(locations) == 1
+    # Ensure the storage location count remains 1.
+    locations = model.storage.get_storage_locations(cas_storage.uuid)
+    assert len(locations) == 1
 
 
-def test_storage_replication_copy_didnot_copy(storage_user, storage_paths, replication_worker,
-                                              storage, app):
-  # Add a storage entry with a CAS path.
-  content_checksum = 'sha256:' + hashlib.sha256('some content').hexdigest()
-  cas_storage = database.ImageStorage.create(cas_path=True, content_checksum=content_checksum)
+def test_storage_replication_copy_didnot_copy(
+    storage_user, storage_paths, replication_worker, storage, app
+):
+    # Add a storage entry with a CAS path.
+    content_checksum = "sha256:" + hashlib.sha256("some content").hexdigest()
+    cas_storage = database.ImageStorage.create(
+        cas_path=True, content_checksum=content_checksum
+    )
 
-  location = database.ImageStorageLocation.get(name='local_us')
-  database.ImageStoragePlacement.create(storage=cas_storage, location=location)
+    location = database.ImageStorageLocation.get(name="local_us")
+    database.ImageStoragePlacement.create(storage=cas_storage, location=location)
 
-  content_path = storage_paths.blob_path(cas_storage.content_checksum)
-  storage.put_content(['local_us'], content_path, 'some content')
+    content_path = storage_paths.blob_path(cas_storage.content_checksum)
+    storage.put_content(["local_us"], content_path, "some content")
 
-  # Tell storage to fake copying (i.e. not actually copy the data).
-  storage.put_content(['local_us'], 'fake_copying', 'true')
+    # Tell storage to fake copying (i.e. not actually copy the data).
+    storage.put_content(["local_us"], "fake_copying", "true")
 
-  # Attempt to replicate storage. This should fail because the copy doesn't actually do the copy.
-  with pytest.raises(JobException):
-    replication_worker.replicate_storage(storage_user, cas_storage.uuid, storage,
-                                         backoff_check=False)
+    # Attempt to replicate storage. This should fail because the copy doesn't actually do the copy.
+    with pytest.raises(JobException):
+        replication_worker.replicate_storage(
+            storage_user, cas_storage.uuid, storage, backoff_check=False
+        )
 
-  # Ensure the storage location count remains 1.
-  locations = model.storage.get_storage_locations(cas_storage.uuid)
-  assert len(locations) == 1
+    # Ensure the storage location count remains 1.
+    locations = model.storage.get_storage_locations(cas_storage.uuid)
+    assert len(locations) == 1
 
 
-def test_storage_replication_copy_unhandled_exception(storage_user, storage_paths,
-                                                      replication_worker, storage, app):
-  # Add a storage entry with a CAS path.
-  content_checksum = 'sha256:' + hashlib.sha256('some content').hexdigest()
-  cas_storage = database.ImageStorage.create(cas_path=True, content_checksum=content_checksum)
+def test_storage_replication_copy_unhandled_exception(
+    storage_user, storage_paths, replication_worker, storage, app
+):
+    # Add a storage entry with a CAS path.
+    content_checksum = "sha256:" + hashlib.sha256("some content").hexdigest()
+    cas_storage = database.ImageStorage.create(
+        cas_path=True, content_checksum=content_checksum
+    )
 
-  location = database.ImageStorageLocation.get(name='local_us')
-  database.ImageStoragePlacement.create(storage=cas_storage, location=location)
+    location = database.ImageStorageLocation.get(name="local_us")
+    database.ImageStoragePlacement.create(storage=cas_storage, location=location)
 
-  content_path = storage_paths.blob_path(cas_storage.content_checksum)
-  storage.put_content(['local_us'], content_path, 'some content')
+    content_path = storage_paths.blob_path(cas_storage.content_checksum)
+    storage.put_content(["local_us"], content_path, "some content")
 
-  # Tell storage to raise an exception when copying.
-  storage.put_content(['local_us'], 'except_copying', 'true')
+    # Tell storage to raise an exception when copying.
+    storage.put_content(["local_us"], "except_copying", "true")
 
-  # Attempt to replicate storage. This should fail because the copy raises an unhandled exception.
-  with pytest.raises(WorkerUnhealthyException):
-    replication_worker.replicate_storage(storage_user, cas_storage.uuid, storage,
-                                         backoff_check=False)
+    # Attempt to replicate storage. This should fail because the copy raises an unhandled exception.
+    with pytest.raises(WorkerUnhealthyException):
+        replication_worker.replicate_storage(
+            storage_user, cas_storage.uuid, storage, backoff_check=False
+        )
 
-  # Ensure the storage location count remains 1.
-  locations = model.storage.get_storage_locations(cas_storage.uuid)
-  assert len(locations) == 1
+    # Ensure the storage location count remains 1.
+    locations = model.storage.get_storage_locations(cas_storage.uuid)
+    assert len(locations) == 1
diff --git a/workers/test/test_tagbackfillworker.py b/workers/test/test_tagbackfillworker.py
index f9615b064..28d4c9dcd 100644
--- a/workers/test/test_tagbackfillworker.py
+++ b/workers/test/test_tagbackfillworker.py
@@ -1,9 +1,21 @@
 from app import docker_v2_signing_key
 from data import model
-from data.database import (TagManifestLabelMap, TagManifestToManifest, Manifest, ManifestBlob,
-                           ManifestLegacyImage, ManifestLabel, TagManifest, RepositoryTag, Image,
-                           TagManifestLabel, Tag, TagToRepositoryTag, Repository,
-                           ImageStorage)
+from data.database import (
+    TagManifestLabelMap,
+    TagManifestToManifest,
+    Manifest,
+    ManifestBlob,
+    ManifestLegacyImage,
+    ManifestLabel,
+    TagManifest,
+    RepositoryTag,
+    Image,
+    TagManifestLabel,
+    Tag,
+    TagToRepositoryTag,
+    Repository,
+    ImageStorage,
+)
 from image.docker.schema1 import DockerSchema1ManifestBuilder
 from workers.tagbackfillworker import backfill_tag, _backfill_manifest
 
@@ -12,27 +24,9 @@ from test.fixtures import *
 
 @pytest.fixture()
 def clear_rows(initialized_db):
-  # Remove all new-style rows so we can backfill.
-  TagToRepositoryTag.delete().execute()
-  Tag.delete().execute()
-  TagManifestLabelMap.delete().execute()
-  ManifestLabel.delete().execute()
-  ManifestBlob.delete().execute()
-  ManifestLegacyImage.delete().execute()
-  TagManifestToManifest.delete().execute()
-  Manifest.delete().execute()
-
-
-@pytest.mark.parametrize('clear_all_rows', [
-  True,
-  False,
-])
-def test_tagbackfillworker(clear_all_rows, initialized_db):
-  # Remove the new-style rows so we can backfill.
-  TagToRepositoryTag.delete().execute()
-  Tag.delete().execute()
-
-  if clear_all_rows:
+    # Remove all new-style rows so we can backfill.
+    TagToRepositoryTag.delete().execute()
+    Tag.delete().execute()
     TagManifestLabelMap.delete().execute()
     ManifestLabel.delete().execute()
     ManifestBlob.delete().execute()
@@ -40,242 +34,284 @@ def test_tagbackfillworker(clear_all_rows, initialized_db):
     TagManifestToManifest.delete().execute()
     Manifest.delete().execute()
 
-  found_dead_tag = False
 
-  for repository_tag in list(RepositoryTag.select()):
-    # Backfill the tag.
-    assert backfill_tag(repository_tag)
+@pytest.mark.parametrize("clear_all_rows", [True, False])
+def test_tagbackfillworker(clear_all_rows, initialized_db):
+    # Remove the new-style rows so we can backfill.
+    TagToRepositoryTag.delete().execute()
+    Tag.delete().execute()
 
-    # Ensure if we try again, the backfill is skipped.
-    assert not backfill_tag(repository_tag)
+    if clear_all_rows:
+        TagManifestLabelMap.delete().execute()
+        ManifestLabel.delete().execute()
+        ManifestBlob.delete().execute()
+        ManifestLegacyImage.delete().execute()
+        TagManifestToManifest.delete().execute()
+        Manifest.delete().execute()
 
-    # Ensure that we now have the expected tag rows.
-    tag_to_repo_tag = TagToRepositoryTag.get(repository_tag=repository_tag)
-    tag = tag_to_repo_tag.tag
-    assert tag.name == repository_tag.name
-    assert tag.repository == repository_tag.repository
-    assert not tag.hidden
-    assert tag.reversion == repository_tag.reversion
+    found_dead_tag = False
 
-    if repository_tag.lifetime_start_ts is None:
-      assert tag.lifetime_start_ms is None
-    else:
-      assert tag.lifetime_start_ms == (repository_tag.lifetime_start_ts * 1000)
+    for repository_tag in list(RepositoryTag.select()):
+        # Backfill the tag.
+        assert backfill_tag(repository_tag)
 
-    if repository_tag.lifetime_end_ts is None:
-      assert tag.lifetime_end_ms is None
-    else:
-      assert tag.lifetime_end_ms == (repository_tag.lifetime_end_ts * 1000)
-      found_dead_tag = True
+        # Ensure if we try again, the backfill is skipped.
+        assert not backfill_tag(repository_tag)
 
-    assert tag.manifest
+        # Ensure that we now have the expected tag rows.
+        tag_to_repo_tag = TagToRepositoryTag.get(repository_tag=repository_tag)
+        tag = tag_to_repo_tag.tag
+        assert tag.name == repository_tag.name
+        assert tag.repository == repository_tag.repository
+        assert not tag.hidden
+        assert tag.reversion == repository_tag.reversion
 
-    # Ensure that we now have the expected manifest rows.
-    try:
-      tag_manifest = TagManifest.get(tag=repository_tag)
-    except TagManifest.DoesNotExist:
-      continue
+        if repository_tag.lifetime_start_ts is None:
+            assert tag.lifetime_start_ms is None
+        else:
+            assert tag.lifetime_start_ms == (repository_tag.lifetime_start_ts * 1000)
 
-    map_row = TagManifestToManifest.get(tag_manifest=tag_manifest)
-    assert not map_row.broken
+        if repository_tag.lifetime_end_ts is None:
+            assert tag.lifetime_end_ms is None
+        else:
+            assert tag.lifetime_end_ms == (repository_tag.lifetime_end_ts * 1000)
+            found_dead_tag = True
 
-    manifest_row = map_row.manifest
-    assert manifest_row.manifest_bytes == tag_manifest.json_data
-    assert manifest_row.digest == tag_manifest.digest
-    assert manifest_row.repository == tag_manifest.tag.repository
+        assert tag.manifest
 
-    assert tag.manifest == map_row.manifest
+        # Ensure that we now have the expected manifest rows.
+        try:
+            tag_manifest = TagManifest.get(tag=repository_tag)
+        except TagManifest.DoesNotExist:
+            continue
 
-    legacy_image = ManifestLegacyImage.get(manifest=manifest_row).image
-    assert tag_manifest.tag.image == legacy_image
+        map_row = TagManifestToManifest.get(tag_manifest=tag_manifest)
+        assert not map_row.broken
 
-    expected_storages = {tag_manifest.tag.image.storage.id}
-    for parent_image_id in tag_manifest.tag.image.ancestor_id_list():
-      expected_storages.add(Image.get(id=parent_image_id).storage_id)
+        manifest_row = map_row.manifest
+        assert manifest_row.manifest_bytes == tag_manifest.json_data
+        assert manifest_row.digest == tag_manifest.digest
+        assert manifest_row.repository == tag_manifest.tag.repository
 
-    found_storages = {manifest_blob.blob_id for manifest_blob
-                      in ManifestBlob.select().where(ManifestBlob.manifest == manifest_row)}
-    assert expected_storages == found_storages
+        assert tag.manifest == map_row.manifest
 
-    # Ensure the labels were copied over.
-    tmls = list(TagManifestLabel.select().where(TagManifestLabel.annotated == tag_manifest))
-    expected_labels = {tml.label_id for tml in tmls}
-    found_labels = {m.label_id for m
-                    in ManifestLabel.select().where(ManifestLabel.manifest == manifest_row)}
-    assert found_labels == expected_labels
+        legacy_image = ManifestLegacyImage.get(manifest=manifest_row).image
+        assert tag_manifest.tag.image == legacy_image
 
-  # Verify at the repository level.
-  for repository in list(Repository.select()):
-    tags = RepositoryTag.select().where(RepositoryTag.repository == repository,
-                                        RepositoryTag.hidden == False)
-    oci_tags = Tag.select().where(Tag.repository == repository)
-    assert len(tags) == len(oci_tags)
-    assert {t.name for t in tags} == {t.name for t in oci_tags}
+        expected_storages = {tag_manifest.tag.image.storage.id}
+        for parent_image_id in tag_manifest.tag.image.ancestor_id_list():
+            expected_storages.add(Image.get(id=parent_image_id).storage_id)
 
-    for tag in tags:
-      tag_manifest = TagManifest.get(tag=tag)
-      ttr = TagToRepositoryTag.get(repository_tag=tag)
-      manifest = ttr.tag.manifest
+        found_storages = {
+            manifest_blob.blob_id
+            for manifest_blob in ManifestBlob.select().where(
+                ManifestBlob.manifest == manifest_row
+            )
+        }
+        assert expected_storages == found_storages
 
-      assert tag_manifest.json_data == manifest.manifest_bytes
-      assert tag_manifest.digest == manifest.digest
-      assert tag.image == ManifestLegacyImage.get(manifest=manifest).image
-      assert tag.lifetime_start_ts == (ttr.tag.lifetime_start_ms / 1000)
+        # Ensure the labels were copied over.
+        tmls = list(
+            TagManifestLabel.select().where(TagManifestLabel.annotated == tag_manifest)
+        )
+        expected_labels = {tml.label_id for tml in tmls}
+        found_labels = {
+            m.label_id
+            for m in ManifestLabel.select().where(
+                ManifestLabel.manifest == manifest_row
+            )
+        }
+        assert found_labels == expected_labels
 
-      if tag.lifetime_end_ts:
-        assert tag.lifetime_end_ts == (ttr.tag.lifetime_end_ms / 1000)
-      else:
-        assert ttr.tag.lifetime_end_ms is None
+    # Verify at the repository level.
+    for repository in list(Repository.select()):
+        tags = RepositoryTag.select().where(
+            RepositoryTag.repository == repository, RepositoryTag.hidden == False
+        )
+        oci_tags = Tag.select().where(Tag.repository == repository)
+        assert len(tags) == len(oci_tags)
+        assert {t.name for t in tags} == {t.name for t in oci_tags}
 
-  assert found_dead_tag
+        for tag in tags:
+            tag_manifest = TagManifest.get(tag=tag)
+            ttr = TagToRepositoryTag.get(repository_tag=tag)
+            manifest = ttr.tag.manifest
+
+            assert tag_manifest.json_data == manifest.manifest_bytes
+            assert tag_manifest.digest == manifest.digest
+            assert tag.image == ManifestLegacyImage.get(manifest=manifest).image
+            assert tag.lifetime_start_ts == (ttr.tag.lifetime_start_ms / 1000)
+
+            if tag.lifetime_end_ts:
+                assert tag.lifetime_end_ts == (ttr.tag.lifetime_end_ms / 1000)
+            else:
+                assert ttr.tag.lifetime_end_ms is None
+
+    assert found_dead_tag
 
 
 def test_manifestbackfillworker_broken_manifest(clear_rows, initialized_db):
-  # Delete existing tag manifest so we can reuse the tag.
-  TagManifestLabel.delete().execute()
-  TagManifest.delete().execute()
+    # Delete existing tag manifest so we can reuse the tag.
+    TagManifestLabel.delete().execute()
+    TagManifest.delete().execute()
 
-  # Add a broken manifest.
-  broken_manifest = TagManifest.create(json_data='wat?', digest='sha256:foobar',
-                                       tag=RepositoryTag.get())
+    # Add a broken manifest.
+    broken_manifest = TagManifest.create(
+        json_data="wat?", digest="sha256:foobar", tag=RepositoryTag.get()
+    )
 
-  # Ensure the backfill works.
-  assert _backfill_manifest(broken_manifest)
+    # Ensure the backfill works.
+    assert _backfill_manifest(broken_manifest)
 
-  # Ensure the mapping is marked as broken.
-  map_row = TagManifestToManifest.get(tag_manifest=broken_manifest)
-  assert map_row.broken
+    # Ensure the mapping is marked as broken.
+    map_row = TagManifestToManifest.get(tag_manifest=broken_manifest)
+    assert map_row.broken
 
-  manifest_row = map_row.manifest
-  assert manifest_row.manifest_bytes == broken_manifest.json_data
-  assert manifest_row.digest == broken_manifest.digest
-  assert manifest_row.repository == broken_manifest.tag.repository
+    manifest_row = map_row.manifest
+    assert manifest_row.manifest_bytes == broken_manifest.json_data
+    assert manifest_row.digest == broken_manifest.digest
+    assert manifest_row.repository == broken_manifest.tag.repository
 
-  legacy_image = ManifestLegacyImage.get(manifest=manifest_row).image
-  assert broken_manifest.tag.image == legacy_image
+    legacy_image = ManifestLegacyImage.get(manifest=manifest_row).image
+    assert broken_manifest.tag.image == legacy_image
 
 
 def test_manifestbackfillworker_mislinked_manifest(clear_rows, initialized_db):
-  """ Tests that a manifest whose image is mislinked will have its storages relinked properly. """
-  # Delete existing tag manifest so we can reuse the tag.
-  TagManifestLabel.delete().execute()
-  TagManifest.delete().execute()
+    """ Tests that a manifest whose image is mislinked will have its storages relinked properly. """
+    # Delete existing tag manifest so we can reuse the tag.
+    TagManifestLabel.delete().execute()
+    TagManifest.delete().execute()
 
-  repo = model.repository.get_repository('devtable', 'complex')
-  tag_v30 = model.tag.get_active_tag('devtable', 'gargantuan', 'v3.0')
-  tag_v50 = model.tag.get_active_tag('devtable', 'gargantuan', 'v5.0')
+    repo = model.repository.get_repository("devtable", "complex")
+    tag_v30 = model.tag.get_active_tag("devtable", "gargantuan", "v3.0")
+    tag_v50 = model.tag.get_active_tag("devtable", "gargantuan", "v5.0")
 
-  # Add a mislinked manifest, by having its layer point to a blob in v3.0 but its image
-  # be the v5.0 image.
-  builder = DockerSchema1ManifestBuilder('devtable', 'gargantuan', 'sometag')
-  builder.add_layer(tag_v30.image.storage.content_checksum, '{"id": "foo"}')
-  manifest = builder.build(docker_v2_signing_key)
+    # Add a mislinked manifest, by having its layer point to a blob in v3.0 but its image
+    # be the v5.0 image.
+    builder = DockerSchema1ManifestBuilder("devtable", "gargantuan", "sometag")
+    builder.add_layer(tag_v30.image.storage.content_checksum, '{"id": "foo"}')
+    manifest = builder.build(docker_v2_signing_key)
 
-  mislinked_manifest = TagManifest.create(json_data=manifest.bytes.as_encoded_str(),
-                                          digest=manifest.digest,
-                                          tag=tag_v50)
+    mislinked_manifest = TagManifest.create(
+        json_data=manifest.bytes.as_encoded_str(), digest=manifest.digest, tag=tag_v50
+    )
 
-  # Backfill the manifest and ensure its proper content checksum was linked.
-  assert _backfill_manifest(mislinked_manifest)
+    # Backfill the manifest and ensure its proper content checksum was linked.
+    assert _backfill_manifest(mislinked_manifest)
 
-  map_row = TagManifestToManifest.get(tag_manifest=mislinked_manifest)
-  assert not map_row.broken
+    map_row = TagManifestToManifest.get(tag_manifest=mislinked_manifest)
+    assert not map_row.broken
 
-  manifest_row = map_row.manifest
-  legacy_image = ManifestLegacyImage.get(manifest=manifest_row).image
-  assert legacy_image == tag_v50.image
+    manifest_row = map_row.manifest
+    legacy_image = ManifestLegacyImage.get(manifest=manifest_row).image
+    assert legacy_image == tag_v50.image
 
-  manifest_blobs = list(ManifestBlob.select().where(ManifestBlob.manifest == manifest_row))
-  assert len(manifest_blobs) == 1
-  assert manifest_blobs[0].blob.content_checksum == tag_v30.image.storage.content_checksum
+    manifest_blobs = list(
+        ManifestBlob.select().where(ManifestBlob.manifest == manifest_row)
+    )
+    assert len(manifest_blobs) == 1
+    assert (
+        manifest_blobs[0].blob.content_checksum
+        == tag_v30.image.storage.content_checksum
+    )
 
 
 def test_manifestbackfillworker_mislinked_invalid_manifest(clear_rows, initialized_db):
-  """ Tests that a manifest whose image is mislinked will attempt to have its storages relinked
+    """ Tests that a manifest whose image is mislinked will attempt to have its storages relinked
       properly. """
-  # Delete existing tag manifest so we can reuse the tag.
-  TagManifestLabel.delete().execute()
-  TagManifest.delete().execute()
+    # Delete existing tag manifest so we can reuse the tag.
+    TagManifestLabel.delete().execute()
+    TagManifest.delete().execute()
 
-  repo = model.repository.get_repository('devtable', 'complex')
-  tag_v50 = model.tag.get_active_tag('devtable', 'gargantuan', 'v5.0')
+    repo = model.repository.get_repository("devtable", "complex")
+    tag_v50 = model.tag.get_active_tag("devtable", "gargantuan", "v5.0")
 
-  # Add a mislinked manifest, by having its layer point to an invalid blob but its image
-  # be the v5.0 image.
-  builder = DockerSchema1ManifestBuilder('devtable', 'gargantuan', 'sometag')
-  builder.add_layer('sha256:deadbeef', '{"id": "foo"}')
-  manifest = builder.build(docker_v2_signing_key)
+    # Add a mislinked manifest, by having its layer point to an invalid blob but its image
+    # be the v5.0 image.
+    builder = DockerSchema1ManifestBuilder("devtable", "gargantuan", "sometag")
+    builder.add_layer("sha256:deadbeef", '{"id": "foo"}')
+    manifest = builder.build(docker_v2_signing_key)
 
-  broken_manifest = TagManifest.create(json_data=manifest.bytes.as_encoded_str(),
-                                       digest=manifest.digest,
-                                       tag=tag_v50)
+    broken_manifest = TagManifest.create(
+        json_data=manifest.bytes.as_encoded_str(), digest=manifest.digest, tag=tag_v50
+    )
 
-  # Backfill the manifest and ensure it is marked as broken.
-  assert _backfill_manifest(broken_manifest)
+    # Backfill the manifest and ensure it is marked as broken.
+    assert _backfill_manifest(broken_manifest)
 
-  map_row = TagManifestToManifest.get(tag_manifest=broken_manifest)
-  assert map_row.broken
+    map_row = TagManifestToManifest.get(tag_manifest=broken_manifest)
+    assert map_row.broken
 
-  manifest_row = map_row.manifest
-  legacy_image = ManifestLegacyImage.get(manifest=manifest_row).image
-  assert legacy_image == tag_v50.image
+    manifest_row = map_row.manifest
+    legacy_image = ManifestLegacyImage.get(manifest=manifest_row).image
+    assert legacy_image == tag_v50.image
 
-  manifest_blobs = list(ManifestBlob.select().where(ManifestBlob.manifest == manifest_row))
-  assert len(manifest_blobs) == 0
+    manifest_blobs = list(
+        ManifestBlob.select().where(ManifestBlob.manifest == manifest_row)
+    )
+    assert len(manifest_blobs) == 0
 
 
 def test_manifestbackfillworker_repeat_digest(clear_rows, initialized_db):
-  """ Tests that a manifest with a shared digest will be properly linked. """
-  # Delete existing tag manifest so we can reuse the tag.
-  TagManifestLabel.delete().execute()
-  TagManifest.delete().execute()
+    """ Tests that a manifest with a shared digest will be properly linked. """
+    # Delete existing tag manifest so we can reuse the tag.
+    TagManifestLabel.delete().execute()
+    TagManifest.delete().execute()
 
-  repo = model.repository.get_repository('devtable', 'gargantuan')
-  tag_v30 = model.tag.get_active_tag('devtable', 'gargantuan', 'v3.0')
-  tag_v50 = model.tag.get_active_tag('devtable', 'gargantuan', 'v5.0')
+    repo = model.repository.get_repository("devtable", "gargantuan")
+    tag_v30 = model.tag.get_active_tag("devtable", "gargantuan", "v3.0")
+    tag_v50 = model.tag.get_active_tag("devtable", "gargantuan", "v5.0")
 
-  # Build a manifest and assign it to both tags (this is allowed in the old model).
-  builder = DockerSchema1ManifestBuilder('devtable', 'gargantuan', 'sometag')
-  builder.add_layer('sha256:deadbeef', '{"id": "foo"}')
-  manifest = builder.build(docker_v2_signing_key)
+    # Build a manifest and assign it to both tags (this is allowed in the old model).
+    builder = DockerSchema1ManifestBuilder("devtable", "gargantuan", "sometag")
+    builder.add_layer("sha256:deadbeef", '{"id": "foo"}')
+    manifest = builder.build(docker_v2_signing_key)
 
-  manifest_1 = TagManifest.create(json_data=manifest.bytes.as_encoded_str(), digest=manifest.digest,
-                                  tag=tag_v30)
-  manifest_2 = TagManifest.create(json_data=manifest.bytes.as_encoded_str(), digest=manifest.digest,
-                                  tag=tag_v50)
+    manifest_1 = TagManifest.create(
+        json_data=manifest.bytes.as_encoded_str(), digest=manifest.digest, tag=tag_v30
+    )
+    manifest_2 = TagManifest.create(
+        json_data=manifest.bytes.as_encoded_str(), digest=manifest.digest, tag=tag_v50
+    )
 
-  # Backfill "both" manifests and ensure both are pointed to by a single resulting row.
-  assert _backfill_manifest(manifest_1)
-  assert _backfill_manifest(manifest_2)
+    # Backfill "both" manifests and ensure both are pointed to by a single resulting row.
+    assert _backfill_manifest(manifest_1)
+    assert _backfill_manifest(manifest_2)
 
-  map_row1 = TagManifestToManifest.get(tag_manifest=manifest_1)
-  map_row2 = TagManifestToManifest.get(tag_manifest=manifest_2)
+    map_row1 = TagManifestToManifest.get(tag_manifest=manifest_1)
+    map_row2 = TagManifestToManifest.get(tag_manifest=manifest_2)
 
-  assert map_row1.manifest == map_row2.manifest
+    assert map_row1.manifest == map_row2.manifest
 
 
 def test_manifest_backfill_broken_tag(clear_rows, initialized_db):
-  """ Tests backfilling a broken tag. """
-  # Delete existing tag manifest so we can reuse the tag.
-  TagManifestLabel.delete().execute()
-  TagManifest.delete().execute()
+    """ Tests backfilling a broken tag. """
+    # Delete existing tag manifest so we can reuse the tag.
+    TagManifestLabel.delete().execute()
+    TagManifest.delete().execute()
 
-  # Create a tag with an image referenced missing parent images.
-  repo = model.repository.get_repository('devtable', 'gargantuan')
-  broken_image = Image.create(docker_image_id='foo', repository=repo, ancestors='/348723847234/',
-                              storage=ImageStorage.get())
-  broken_image_tag = RepositoryTag.create(repository=repo, image=broken_image, name='broken')
+    # Create a tag with an image referenced missing parent images.
+    repo = model.repository.get_repository("devtable", "gargantuan")
+    broken_image = Image.create(
+        docker_image_id="foo",
+        repository=repo,
+        ancestors="/348723847234/",
+        storage=ImageStorage.get(),
+    )
+    broken_image_tag = RepositoryTag.create(
+        repository=repo, image=broken_image, name="broken"
+    )
 
-  # Backfill the tag.
-  assert backfill_tag(broken_image_tag)
+    # Backfill the tag.
+    assert backfill_tag(broken_image_tag)
 
-  # Ensure we backfilled, even though we reference a broken manifest.
-  tag_manifest = TagManifest.get(tag=broken_image_tag)
+    # Ensure we backfilled, even though we reference a broken manifest.
+    tag_manifest = TagManifest.get(tag=broken_image_tag)
 
-  map_row = TagManifestToManifest.get(tag_manifest=tag_manifest)
-  manifest = map_row.manifest
-  assert manifest.manifest_bytes == tag_manifest.json_data
+    map_row = TagManifestToManifest.get(tag_manifest=tag_manifest)
+    manifest = map_row.manifest
+    assert manifest.manifest_bytes == tag_manifest.json_data
 
-  tag = TagToRepositoryTag.get(repository_tag=broken_image_tag).tag
-  assert tag.name == 'broken'
-  assert tag.manifest == manifest
+    tag = TagToRepositoryTag.get(repository_tag=broken_image_tag).tag
+    assert tag.name == "broken"
+    assert tag.manifest == manifest
diff --git a/workers/worker.py b/workers/worker.py
index f6e2237d5..bcf7733f4 100644
--- a/workers/worker.py
+++ b/workers/worker.py
@@ -20,120 +20,136 @@ logger = logging.getLogger(__name__)
 
 
 def with_exponential_backoff(backoff_multiplier=10, max_backoff=3600, max_retries=10):
-  def inner(func):
-    """ Decorator to retry the operation with exponential backoff if it raised an exception.
+    def inner(func):
+        """ Decorator to retry the operation with exponential backoff if it raised an exception.
         Waits 2^attempts * `backoff_multiplier`, up to `max_backoff`, up to `max_retries` number of time,
         then re-raise the exception.
     """
-    def wrapper(*args, **kwargs):
-      attempts = 0
-      backoff = 0
 
-      while True:
-        next_backoff = 2**attempts * backoff_multiplier
-        backoff = min(next_backoff, max_backoff)
-        attempts += 1
+        def wrapper(*args, **kwargs):
+            attempts = 0
+            backoff = 0
 
-        try:
-          return func(*args, **kwargs)
-        except Exception as e:
-          if max_retries is not None and attempts == max_retries:
-            raise e
+            while True:
+                next_backoff = 2 ** attempts * backoff_multiplier
+                backoff = min(next_backoff, max_backoff)
+                attempts += 1
 
-        logger.exception('Operation raised exception, retrying in %d seconds', backoff)
-        time.sleep(backoff)
+                try:
+                    return func(*args, **kwargs)
+                except Exception as e:
+                    if max_retries is not None and attempts == max_retries:
+                        raise e
 
-    return wrapper
-  return inner
+                logger.exception(
+                    "Operation raised exception, retrying in %d seconds", backoff
+                )
+                time.sleep(backoff)
+
+        return wrapper
+
+    return inner
 
 
 class Worker(object):
-  """ Base class for workers which perform some work periodically. """
-  def __init__(self):
-    self._sched = BackgroundScheduler()
-    self._operations = []
-    self._stop = Event()
-    self._terminated = Event()
-    self._raven_client = None
+    """ Base class for workers which perform some work periodically. """
 
-    if app.config.get('EXCEPTION_LOG_TYPE', 'FakeSentry') == 'Sentry':
-      worker_name = '%s:worker-%s' % (socket.gethostname(), self.__class__.__name__)
-      self._raven_client = Client(app.config.get('SENTRY_DSN', ''), name=worker_name)
+    def __init__(self):
+        self._sched = BackgroundScheduler()
+        self._operations = []
+        self._stop = Event()
+        self._terminated = Event()
+        self._raven_client = None
 
-  def is_healthy(self):
-    return not self._stop.is_set()
+        if app.config.get("EXCEPTION_LOG_TYPE", "FakeSentry") == "Sentry":
+            worker_name = "%s:worker-%s" % (
+                socket.gethostname(),
+                self.__class__.__name__,
+            )
+            self._raven_client = Client(
+                app.config.get("SENTRY_DSN", ""), name=worker_name
+            )
 
-  def is_terminated(self):
-    return self._terminated.is_set()
+    def is_healthy(self):
+        return not self._stop.is_set()
 
-  def ungracefully_terminated(self):
-    """ Method called when the worker has been terminated in an ungraceful fashion. """
-    pass
+    def is_terminated(self):
+        return self._terminated.is_set()
 
-  def add_operation(self, operation_func, operation_sec):
-    @wraps(operation_func)
-    def _operation_func():
-      try:
-        with UseThenDisconnect(app.config):
-          return operation_func()
-      except Exception:
-        logger.exception('Operation raised exception')
-        if self._raven_client:
-          logger.debug('Logging exception to Sentry')
-          self._raven_client.captureException()
+    def ungracefully_terminated(self):
+        """ Method called when the worker has been terminated in an ungraceful fashion. """
+        pass
 
-    self._operations.append((_operation_func, operation_sec))
+    def add_operation(self, operation_func, operation_sec):
+        @wraps(operation_func)
+        def _operation_func():
+            try:
+                with UseThenDisconnect(app.config):
+                    return operation_func()
+            except Exception:
+                logger.exception("Operation raised exception")
+                if self._raven_client:
+                    logger.debug("Logging exception to Sentry")
+                    self._raven_client.captureException()
 
-  def _setup_and_wait_for_shutdown(self):
-    signal.signal(signal.SIGTERM, self.terminate)
-    signal.signal(signal.SIGINT, self.terminate)
+        self._operations.append((_operation_func, operation_sec))
 
-    while not self._stop.wait(1):
-      pass
+    def _setup_and_wait_for_shutdown(self):
+        signal.signal(signal.SIGTERM, self.terminate)
+        signal.signal(signal.SIGINT, self.terminate)
 
-  def start(self):
-    logging.config.fileConfig(logfile_path(debug=False), disable_existing_loggers=False)
+        while not self._stop.wait(1):
+            pass
 
-    if not app.config.get('SETUP_COMPLETE', False):
-      logger.info('Product setup is not yet complete; skipping worker startup')
-      self._setup_and_wait_for_shutdown()
-      return
+    def start(self):
+        logging.config.fileConfig(
+            logfile_path(debug=False), disable_existing_loggers=False
+        )
 
-    if app.config.get('REGISTRY_STATE', 'normal') == 'readonly':
-      logger.info('Product is in read-only mode; skipping worker startup')
-      self._setup_and_wait_for_shutdown()
-      return
+        if not app.config.get("SETUP_COMPLETE", False):
+            logger.info("Product setup is not yet complete; skipping worker startup")
+            self._setup_and_wait_for_shutdown()
+            return
 
-    logger.debug('Scheduling worker.')
+        if app.config.get("REGISTRY_STATE", "normal") == "readonly":
+            logger.info("Product is in read-only mode; skipping worker startup")
+            self._setup_and_wait_for_shutdown()
+            return
 
-    self._sched.start()
-    for operation_func, operation_sec in self._operations:
-      start_date = datetime.now() + timedelta(seconds=0.001)
-      if app.config.get('STAGGER_WORKERS'):
-        start_date += timedelta(seconds=randint(1, operation_sec))
-      logger.debug('First run scheduled for %s', start_date)
-      self._sched.add_job(operation_func, 'interval', seconds=operation_sec,
-                          start_date=start_date, max_instances=1)
+        logger.debug("Scheduling worker.")
 
+        self._sched.start()
+        for operation_func, operation_sec in self._operations:
+            start_date = datetime.now() + timedelta(seconds=0.001)
+            if app.config.get("STAGGER_WORKERS"):
+                start_date += timedelta(seconds=randint(1, operation_sec))
+            logger.debug("First run scheduled for %s", start_date)
+            self._sched.add_job(
+                operation_func,
+                "interval",
+                seconds=operation_sec,
+                start_date=start_date,
+                max_instances=1,
+            )
 
-    self._setup_and_wait_for_shutdown()
+        self._setup_and_wait_for_shutdown()
 
-    logger.debug('Waiting for running tasks to complete.')
-    self._sched.shutdown()
-    logger.debug('Finished.')
+        logger.debug("Waiting for running tasks to complete.")
+        self._sched.shutdown()
+        logger.debug("Finished.")
 
-    self._terminated.set()
+        self._terminated.set()
 
-  def terminate(self, signal_num=None, stack_frame=None, graceful=False):
-    if self._terminated.is_set():
-      sys.exit(1)
+    def terminate(self, signal_num=None, stack_frame=None, graceful=False):
+        if self._terminated.is_set():
+            sys.exit(1)
 
-    else:
-      logger.debug('Shutting down worker.')
-      self._stop.set()
+        else:
+            logger.debug("Shutting down worker.")
+            self._stop.set()
 
-      if not graceful:
-        self.ungracefully_terminated()
+            if not graceful:
+                self.ungracefully_terminated()
 
-  def join(self):
-    self.terminate(graceful=True)
+    def join(self):
+        self.terminate(graceful=True)